basePath: /api consumes: - application/json definitions: AVScan: properties: paths: items: minLength: 1 type: string type: array type: enum: - full - quick - resource title: Type type: string required: - type type: object AbstractPersistence: properties: '@timestamp': format: date-time title: '@timestamp' type: string accountrun: minLength: 1 title: Accountrun type: string action_type: minLength: 1 title: Action type type: string agent: $ref: '#/definitions/DataAgent' application_name: minLength: 1 title: Application name type: string arguments: minLength: 1 title: Arguments type: string author: minLength: 1 title: Author type: string binaryinfo: $ref: '#/definitions/BinaryInfoWithPath' clsid_description: minLength: 1 title: Clsid description type: string clsid_name: minLength: 1 title: Clsid name type: string clsid_timestamp: format: date-time title: Clsid timestamp type: string command: minLength: 1 title: Command type: string comment: minLength: 1 title: Comment type: string controlset: minLength: 1 title: Controlset type: string creation_date: format: date-time title: Creation date type: string description: minLength: 1 title: Description type: string display_name: minLength: 1 title: Display name type: string dll: minLength: 1 title: Dll type: string dll_main: minLength: 1 title: Dll main type: string enabled: title: Enabled type: boolean filename: minLength: 1 title: Filename type: string fullpathname: minLength: 1 title: Fullpathname type: string hidden: title: Hidden type: boolean id: minLength: 1 title: Id type: string image_path: minLength: 1 title: Image path type: string inprochandler: minLength: 1 title: Inprochandler type: string inprochandler32: minLength: 1 title: Inprochandler32 type: string inprochandler32_timestamp: format: date-time title: Inprochandler32 timestamp type: string inprochandler_timestamp: format: date-time title: Inprochandler timestamp type: string inprocserver: minLength: 1 title: Inprocserver type: string inprocserver32: 
minLength: 1 title: Inprocserver32 type: string inprocserver32_timestamp: format: date-time title: Inprocserver32 timestamp type: string inprocserver_timestamp: format: date-time title: Inprocserver timestamp type: string item_status: title: Item status type: integer job_id: minLength: 1 title: Job id type: string job_instance_action: minLength: 1 title: Job instance action type: string job_instance_id: minLength: 1 title: Job instance id type: string job_instance_task_id: title: Job instance task id type: integer lastrun: minLength: 1 title: Lastrun type: string localserver: minLength: 1 title: Localserver type: string localserver32: minLength: 1 title: Localserver32 type: string localserver32_timestamp: format: date-time title: Localserver32 timestamp type: string localserver_timestamp: format: date-time title: Localserver timestamp type: string location: minLength: 1 title: Location type: string mainfile_binaryinfo: $ref: '#/definitions/BinaryInfoWithPath' name: minLength: 1 title: Name type: string parameter_timestamp: minLength: 1 title: Parameter timestamp type: string path: minLength: 1 title: Path type: string principal_id: minLength: 1 title: Principal id type: string run_level: minLength: 1 title: Run level type: string security_descriptor: minLength: 1 title: Security descriptor type: string service_name: minLength: 1 title: Service name type: string service_start: title: Service start type: integer service_start_str: minLength: 1 title: Service start str type: string service_type: title: Service type type: integer service_type_str: minLength: 1 title: Service type str type: string short_name: minLength: 1 title: Short name type: string target_arguments: minLength: 1 title: Target arguments type: string target_path: minLength: 1 title: Target path type: string task_parameters: minLength: 1 title: Task parameters type: string tenant: minLength: 1 title: Tenant type: string timestamp: format: date-time title: Timestamp type: string treatas: minLength: 1 
title: Treatas type: string treatas_timestamp: format: date-time title: Treatas timestamp type: string triggers: minLength: 1 title: Triggers type: string uri: minLength: 1 title: Uri type: string user_id: minLength: 1 title: User id type: string username: minLength: 1 title: Username type: string uuid: minLength: 1 title: Uuid type: string value: minLength: 1 title: Value type: string working_directory: minLength: 1 title: Working directory type: string wow64: title: Wow64 type: boolean required: - '@timestamp' - accountrun - action_type - agent - application_name - arguments - author - binaryinfo - clsid_description - clsid_name - clsid_timestamp - command - comment - controlset - creation_date - description - display_name - dll - dll_main - enabled - filename - fullpathname - hidden - id - image_path - inprochandler - inprochandler32 - inprochandler32_timestamp - inprochandler_timestamp - inprocserver - inprocserver32 - inprocserver32_timestamp - inprocserver_timestamp - item_status - job_id - job_instance_action - job_instance_id - job_instance_task_id - lastrun - localserver - localserver32 - localserver32_timestamp - localserver_timestamp - location - mainfile_binaryinfo - name - parameter_timestamp - path - principal_id - run_level - security_descriptor - service_name - service_start - service_start_str - service_type - service_type_str - short_name - target_arguments - target_path - task_parameters - tenant - timestamp - treatas - treatas_timestamp - triggers - uri - user_id - username - uuid - value - working_directory - wow64 type: object AbstractTimeline: properties: '@event_create_date': format: date-time title: '@event create date' type: string '@timestamp': format: date-time title: '@timestamp' type: string access: title: Access type: integer access_str: minLength: 1 title: Access str type: string additional_data: items: minLength: 1 type: string type: array address: minLength: 1 title: Address type: string agent: $ref: '#/definitions/InnerAgent' 
aggregation_key: minLength: 1 title: Aggregation key type: string alert_subtype: minLength: 1 title: Alert subtype type: string alert_time: format: date-time title: Alert time type: string alert_type: minLength: 1 title: Alert type type: string alert_unique_id: minLength: 1 title: Alert unique id type: string ancestors: minLength: 1 title: Ancestors type: string app_name: minLength: 1 title: App name type: string app_zone_id: minLength: 1 title: App zone id type: string application: minLength: 1 title: Application type: string auth_status: minLength: 1 title: Auth status type: string auth_type: minLength: 1 title: Auth type type: string cdhash: minLength: 1 title: Cdhash type: string codesigning_flags: title: Codesigning flags type: integer codesigning_flags_str: minLength: 1 title: Codesigning flags str type: string comm_port_tamper: $ref: '#/definitions/CommPortTamper' commandline: minLength: 1 title: Commandline type: string computer_name: minLength: 1 title: Computer name type: string confidence: minLength: 1 title: Confidence type: string confidence_int: title: Confidence int type: integer conn_type: title: Conn type type: integer connection_closed_time: format: date-time title: Connection closed time type: string connection_start_time: format: date-time title: Connection start time type: string connection_successful: title: Connection successful type: boolean connection_unique_id: minLength: 1 title: Connection unique id type: string consumer: minLength: 1 title: Consumer type: string content_name: minLength: 1 title: Content name type: string create_disposition: title: Create disposition type: integer create_disposition_str: minLength: 1 title: Create disposition str type: string create_options: title: Create options type: integer create_options_str: minLength: 1 title: Create options str type: string create_time: format: date-time title: Create time type: string current_directory: minLength: 1 title: Current directory type: string daddr: minLength: 1 title: 
Daddr type: string data_string_added: items: minLength: 1 type: string type: array data_string_removed: items: minLength: 1 type: string type: array date: format: date-time title: Date type: string date_closed: format: date-time title: Date closed type: string date_deisolated: format: date-time title: Date deisolated type: string date_false_positive: format: date-time title: Date false positive type: string date_investigating: format: date-time title: Date investigating type: string date_isolated: format: date-time title: Date isolated type: string date_new: format: date-time title: Date new type: string db_product_name: minLength: 1 title: Db product name type: string db_vendor_name: minLength: 1 title: Db vendor name type: string desired_access: title: Desired access type: integer desired_access_str: minLength: 1 title: Desired access str type: string destination: $ref: '#/definitions/ECSDestination' destination_path: minLength: 1 title: Destination path type: string details: minLength: 1 title: Details type: string details_amsi_scan: $ref: '#/definitions/DetailAmsiScan' details_connection: $ref: '#/definitions/DetailConnection' details_dns_resolution: $ref: '#/definitions/DetailDnsResolution' details_file: $ref: '#/definitions/DetailFile' details_library: $ref: '#/definitions/DetailLibrary' details_linux_filesystem_event: $ref: '#/definitions/DetailLinuxFilesystemEvent' details_macos_filesystem_event: $ref: '#/definitions/DetailMacosFilesystemEvent' details_named_pipe_connected: $ref: '#/definitions/DetailNamedPipeConnected' details_named_pipe_created: $ref: '#/definitions/DetailNamedPipeCreated' details_network_listen: $ref: '#/definitions/DetailNetworkListen' details_powershell: $ref: '#/definitions/DetailPowershell' details_primary_token_change: $ref: '#/definitions/DetailPrimaryTokenChange' details_process_access: $ref: '#/definitions/DetailProcessAccess' details_process_tamper: $ref: '#/definitions/DetailProcessTamper' details_raw_device_access: $ref: 
'#/definitions/DetailRawDeviceAccess' details_raw_socket_creation: $ref: '#/definitions/DetailRawSocketCreation' details_registry: $ref: '#/definitions/DetailRegistry' details_remotethread: $ref: '#/definitions/DetailRemoteThread' details_url_request: $ref: '#/definitions/DetailUrlRequest' details_usb_device: $ref: '#/definitions/DetailsUsbDeviceEvent' details_windows_filesystem_event: $ref: '#/definitions/DetailWindowsFilesystemEvent' detection_date: format: date-time title: Detection date type: string detection_origin: minLength: 1 title: Detection origin type: string detection_timestamp: format: date-time title: Detection timestamp type: string device_class: minLength: 1 title: Device class type: string device_name: minLength: 1 title: Device name type: string device_product_name: minLength: 1 title: Device product name type: string device_protocol: minLength: 1 title: Device protocol type: string device_subclass: minLength: 1 title: Device subclass type: string device_vendor_name: minLength: 1 title: Device vendor name type: string direction: minLength: 1 title: Direction type: string dnames: items: minLength: 1 type: string type: array dport: title: Dport type: integer driverload: $ref: '#/definitions/InnerDriverLoad' dse_tamper: $ref: '#/definitions/DseTamper' egid: title: Egid type: integer egroup: minLength: 1 title: Egroup type: string enabled: title: Enabled type: boolean error_msg: minLength: 1 title: Error msg type: string etw_ti_ke_insert_queue_apc: $ref: '#/definitions/ECSEtwTiKeInsertQueueApc' etw_ti_nt_allocate_virtual_memory: $ref: '#/definitions/ECSEtwTiNtAllocateVirtualMemory' etw_ti_nt_map_view_of_section: $ref: '#/definitions/ECSEtwTiNtMapViewOfSection' etw_ti_nt_protect_virtual_memory: $ref: '#/definitions/ECSEtwTiNtProtectVirtualMemory' etw_ti_nt_read_virtual_memory: $ref: '#/definitions/ECSEtwTiNtReadWriteVirtualMemory' etw_ti_nt_set_context_thread: $ref: '#/definitions/ECSEtwTiNtSetContextThread' etw_ti_nt_write_virtual_memory: $ref: 
'#/definitions/ECSEtwTiNtReadWriteVirtualMemory' euid: title: Euid type: integer eusername: minLength: 1 title: Eusername type: string event_date: format: date-time title: Event date type: string event_id: title: Event id type: integer event_path: minLength: 1 title: Event path type: string event_session: $ref: '#/definitions/SessionInfo' event_type: minLength: 1 title: Event type type: string eventlog: $ref: '#/definitions/InnerEventLog' execution: title: Execution type: integer fake_parent_commandline: minLength: 1 title: Fake parent commandline type: string fake_parent_image: minLength: 1 title: Fake parent image type: string fake_parent_unique_id: minLength: 1 title: Fake parent unique id type: string fake_ppid: title: Fake ppid type: integer family: title: Family type: integer favorite_id: format: uuid title: Favorite id type: string x-nullable: true filter: minLength: 1 title: Filter type: string first_bytes: minLength: 1 title: First bytes type: string gid: title: Gid type: integer grandparent_commandline: minLength: 1 title: Grandparent commandline type: string grandparent_image: minLength: 1 title: Grandparent image type: string grandparent_integrity_level: minLength: 1 title: Grandparent integrity level type: string grandparent_unique_id: minLength: 1 title: Grandparent unique id type: string group: minLength: 1 title: Group type: string group_event: $ref: '#/definitions/InnerGroupEvent' group_id: minLength: 1 title: Group id type: string group_name: minLength: 1 title: Group name type: string groups: $ref: '#/definitions/InnerGroup' hash: title: Hash type: integer hashes: $ref: '#/definitions/Hashes' hive_path: minLength: 1 title: Hive path type: string hlai_binaries_benchmark_data: $ref: '#/definitions/HlaiBinariesBenchmarkData' hlai_scripts_benchmark_data: $ref: '#/definitions/HlaiScriptsBenchmarkData' host: minLength: 1 title: Host type: string id: minLength: 1 title: Id type: string image_base: title: Image base type: integer image_base_address: 
title: Image base address type: integer image_name: minLength: 1 title: Image name type: string imagebase: title: Imagebase type: integer imagename: minLength: 1 title: Imagename type: string imagepath: minLength: 1 title: Imagepath type: string imagesize: title: Imagesize type: integer inbound_quota: title: Inbound quota type: integer incoming_bytes: title: Incoming bytes type: integer incomplete: title: Incomplete type: boolean ingestion_date: format: date-time title: Ingestion date type: string initiated: title: Initiated type: boolean integrity_level: minLength: 1 title: Integrity level type: string ip_addresses: items: minLength: 1 type: string type: array is_ipv6: title: Is ipv6 type: boolean is_platform_binary: title: Is platform binary type: boolean job_id: minLength: 1 title: Job id type: string kernel_callback: $ref: '#/definitions/KernelCallback' keywords: items: minLength: 1 type: string type: array kind: minLength: 1 title: Kind type: string last_modifier_id: title: Last modifier id type: integer last_seen: format: date-time title: Last seen type: string last_status_update_is_automatic: title: Last status update is automatic type: boolean last_update: format: date-time title: Last update type: string last_writer_package_family_name: minLength: 1 title: Last writer package family name type: string level: minLength: 1 title: Level type: string level_int: title: Level int type: integer library_path: minLength: 1 title: Library path type: string library_type: minLength: 1 title: Library type type: string linux: $ref: '#/definitions/AuthenticationLoginLinux' log_name: minLength: 1 title: Log name type: string log_type: minLength: 1 title: Log type type: string logonid: title: Logonid type: integer macos: $ref: '#/definitions/AuthenticationLoginMacos' maturity: minLength: 1 title: Maturity type: string maximum_instances: title: Maximum instances type: integer member_id: minLength: 1 title: Member id type: string member_name: minLength: 1 title: Member name 
type: string memfd_name: minLength: 1 title: Memfd name type: string method: minLength: 1 title: Method type: string missing_related_process: title: Missing related process type: boolean mitre_cells: items: minLength: 1 type: string type: array mode: title: Mode type: integer mode_str: minLength: 1 title: Mode str type: string msg: minLength: 1 title: Msg type: string name: minLength: 1 title: Name type: string named_pipe_type: title: Named pipe type type: integer namespace: minLength: 1 title: Namespace type: string network: $ref: '#/definitions/InnerNetwork' new_name: minLength: 1 title: New name type: string new_thread_id: title: New thread id type: integer new_user_name: minLength: 1 title: New user name type: string object_type: minLength: 1 title: Object type type: string old_mode: title: Old mode type: integer old_mode_str: minLength: 1 title: Old mode str type: string operation: minLength: 1 title: Operation type: string operation_type: minLength: 1 title: Operation type type: string outbound_quota: title: Outbound quota type: integer outgoing_bytes: title: Outgoing bytes type: integer parent_commandline: minLength: 1 title: Parent commandline type: string parent_image: minLength: 1 title: Parent image type: string parent_integrity_level: minLength: 1 title: Parent integrity level type: string parent_unique_id: minLength: 1 title: Parent unique id type: string password: minLength: 1 title: Password type: string path: minLength: 1 title: Path type: string pe_imphash: minLength: 1 title: Pe imphash type: string pe_info: $ref: '#/definitions/PEInfo' pe_timestamp: format: date-time title: Pe timestamp type: string pe_timestamp_int: title: Pe timestamp int type: integer pid: title: Pid type: integer pipe_name: minLength: 1 title: Pipe name type: string pipe_operation: minLength: 1 title: Pipe operation type: string platform: minLength: 1 title: Platform type: string port: title: Port type: integer ppid: title: Ppid type: integer previous_details: minLength: 1 
title: Previous details type: string process: $ref: '#/definitions/InnerProcess' process_commandline: minLength: 1 title: Process commandline type: string process_duplicate_handle: $ref: '#/definitions/ECSProcessDuplicateHandle' process_entrypoint_file: minLength: 1 title: Process entrypoint file type: string process_entrypoint_memory: minLength: 1 title: Process entrypoint memory type: string process_header_file: minLength: 1 title: Process header file type: string process_header_memory: minLength: 1 title: Process header memory type: string process_id: title: Process id type: integer process_image_path: minLength: 1 title: Process image path type: string process_imagename: minLength: 1 title: Process imagename type: string process_name: minLength: 1 title: Process name type: string process_ptrace: $ref: '#/definitions/ECSProcessPtrace' process_session: $ref: '#/definitions/SessionInfo' process_unique_id: minLength: 1 title: Process unique id type: string product_id: minLength: 1 title: Product id type: string product_name: minLength: 1 title: Product name type: string protocol: title: Protocol type: integer provider_guid: minLength: 1 title: Provider guid type: string quarantine: title: Quarantine type: integer query: minLength: 1 title: Query type: string query_params: minLength: 1 title: Query params type: string query_type: minLength: 1 title: Query type type: string ransomguard_canary_data: $ref: '#/definitions/RansomguardCanaryData' ransomguard_detection_type: minLength: 1 title: Ransomguard detection type type: string ransomguard_heuristic_data: $ref: '#/definitions/RansomguardHeuristicData' record_number: title: Record number type: integer references: items: minLength: 1 type: string type: array referrer_url: minLength: 1 title: Referrer url type: string region_allocation_base: title: Region allocation base type: integer region_allocation_protect: title: Region allocation protect type: integer region_allocation_size: title: Region allocation size type: 
integer region_base_address: title: Region base address type: integer region_dump: minLength: 1 title: Region dump type: string region_dump_base: title: Region dump base type: integer region_protect: title: Region protect type: integer region_sha256: minLength: 1 title: Region sha256 type: string region_size: title: Region size type: integer region_state: title: Region state type: integer region_type: title: Region type type: integer registry_value_type: minLength: 1 title: Registry value type type: string requested_name: minLength: 1 title: Requested name type: string rule_content: minLength: 1 title: Rule content type: string rule_id: minLength: 1 title: Rule id type: string rule_name: minLength: 1 title: Rule name type: string saddr: minLength: 1 title: Saddr type: string scheduled_task: $ref: '#/definitions/ECSScheduledTask' scheme: minLength: 1 title: Scheme type: string score: title: Score type: number script_block: minLength: 1 title: Script block type: string script_path: minLength: 1 title: Script path type: string serial_number: minLength: 1 title: Serial number type: string session: title: Session type: integer sgid: title: Sgid type: integer sgroup: minLength: 1 title: Sgroup type: string sha256: minLength: 1 title: Sha256 type: string sidewatch_detection_details: $ref: '#/definitions/SidewatchDetectionDetails' signature_info: $ref: '#/definitions/SignatureInfo' signed: title: Signed type: boolean size: title: Size type: integer sock_type: title: Sock type type: integer source: $ref: '#/definitions/ECSSource' source_address: minLength: 1 title: Source address type: string source_agent_hostname: minLength: 1 title: Source agent hostname type: string source_agent_id: minLength: 1 title: Source agent id type: string source_domain: minLength: 1 title: Source domain type: string source_domain_name: minLength: 1 title: Source domain name type: string source_image: minLength: 1 title: Source image type: string source_ip_address: minLength: 1 title: Source ip 
address type: string source_name: minLength: 1 title: Source name type: string source_process_guid: minLength: 1 title: Source process guid type: string source_process_id: title: Source process id type: integer source_process_unique_id: minLength: 1 title: Source process unique id type: string source_thread_id: title: Source thread id type: integer source_tid: title: Source tid type: integer source_url: minLength: 1 title: Source url type: string source_user: minLength: 1 title: Source user type: string source_user_id: minLength: 1 title: Source user id type: string source_user_name: minLength: 1 title: Source user name type: string source_username: minLength: 1 title: Source username type: string sport: title: Sport type: integer stack_trace: $ref: '#/definitions/ECSStackTrace' stacktrace: minLength: 1 title: Stacktrace type: string stacktrace_full: minLength: 1 title: Stacktrace full type: string stacktrace_minimal: minLength: 1 title: Stacktrace minimal type: string start_address: title: Start address type: integer start_address_string: minLength: 1 title: Start address string type: string start_function: minLength: 1 title: Start function type: string start_module: minLength: 1 title: Start module type: string start_module_base: title: Start module base type: integer status: minLength: 1 title: Status type: string status_msg: minLength: 1 title: Status msg type: string success: title: Success type: boolean suid: title: Suid type: integer susername: minLength: 1 title: Susername type: string tactic: minLength: 1 title: Tactic type: string tags: items: minLength: 1 type: string type: array tamper_flag: title: Tamper flag type: integer tamper_flag_as_str: minLength: 1 title: Tamper flag as str type: string target: $ref: '#/definitions/ECSTarget' target_domain: minLength: 1 title: Target domain type: string target_domain_name: minLength: 1 title: Target domain name type: string target_image: minLength: 1 title: Target image type: string target_object: minLength: 1 
title: Target object type: string target_process_guid: minLength: 1 title: Target process guid type: string target_process_id: title: Target process id type: integer target_process_unique_id: minLength: 1 title: Target process unique id type: string target_thread_id: title: Target thread id type: integer target_user: minLength: 1 title: Target user type: string target_user_id: minLength: 1 title: Target user id type: string target_user_name: minLength: 1 title: Target user name type: string target_username: minLength: 1 title: Target username type: string technique: minLength: 1 title: Technique type: string tenant: minLength: 1 title: Tenant type: string text_payload: minLength: 1 title: Text payload type: string text_records: items: minLength: 1 type: string type: array thread: $ref: '#/definitions/InnerInjectedThread' thread_dump: minLength: 1 title: Thread dump type: string thread_id: title: Thread id type: integer thread_sha256: minLength: 1 title: Thread sha256 type: string threat_key: minLength: 1 title: Threat key type: string threat_type: minLength: 1 title: Threat type type: string threat_values: items: minLength: 1 type: string type: array tid: title: Tid type: integer timestamp: format: date-time title: Timestamp type: string transport_protocol: minLength: 1 title: Transport protocol type: string transport_protocol_number: title: Transport protocol number type: integer type: minLength: 1 title: Type type: string uid: title: Uid type: integer url: minLength: 1 title: Url type: string url_zone: minLength: 1 title: Url zone type: string user: $ref: '#/definitions/EventUser' user_agent: minLength: 1 title: User agent type: string user_event: $ref: '#/definitions/InnerUserEvent' user_name: minLength: 1 title: User name type: string user_sid: minLength: 1 title: User sid type: string username: minLength: 1 title: Username type: string usersid: minLength: 1 title: Usersid type: string utc_time: format: date-time title: Utc time type: string vendor_id: 
minLength: 1 title: Vendor id type: string vendor_name: minLength: 1 title: Vendor name type: string whitelisted_by: items: $ref: '#/definitions/WhitelistedByData' type: array win32k_get_async_key_state: $ref: '#/definitions/ECSWin32kGetAsyncKeyState' win32k_register_raw_input_devices: $ref: '#/definitions/ECSWin32kRegisterRawInputDevices' win32k_set_windows_hook_ex: $ref: '#/definitions/ECSWin32kSetWindowsHookEx' windows: $ref: '#/definitions/AuthenticationLoginWindows' windows_service: $ref: '#/definitions/ECSWindowsService' wmi_event: $ref: '#/definitions/WmiEvent' written_file_size: title: Written file size type: integer zone_id: title: Zone id type: integer required: - '@event_create_date' - '@timestamp' - access - access_str - additional_data - address - agent - aggregation_key - alert_subtype - alert_time - alert_type - alert_unique_id - ancestors - app_name - app_zone_id - application - auth_status - auth_type - cdhash - codesigning_flags - codesigning_flags_str - comm_port_tamper - commandline - computer_name - confidence - confidence_int - conn_type - connection_closed_time - connection_start_time - connection_successful - connection_unique_id - consumer - content_name - create_disposition - create_disposition_str - create_options - create_options_str - create_time - current_directory - daddr - data_string_added - data_string_removed - date_closed - date_deisolated - date_false_positive - date_investigating - date_isolated - date_new - db_product_name - db_vendor_name - desired_access - desired_access_str - destination - destination_path - details - details_amsi_scan - details_connection - details_dns_resolution - details_file - details_library - details_linux_filesystem_event - details_macos_filesystem_event - details_named_pipe_connected - details_named_pipe_created - details_network_listen - details_powershell - details_primary_token_change - details_process_access - details_process_tamper - details_raw_device_access - details_raw_socket_creation - 
details_registry - details_remotethread - details_url_request - details_usb_device - details_windows_filesystem_event - detection_date - detection_origin - detection_timestamp - device_class - device_name - device_product_name - device_protocol - device_subclass - device_vendor_name - direction - dnames - dport - driverload - dse_tamper - egid - egroup - enabled - error_msg - etw_ti_ke_insert_queue_apc - etw_ti_nt_allocate_virtual_memory - etw_ti_nt_map_view_of_section - etw_ti_nt_protect_virtual_memory - etw_ti_nt_read_virtual_memory - etw_ti_nt_set_context_thread - etw_ti_nt_write_virtual_memory - euid - eusername - event_date - event_id - event_path - event_type - eventlog - execution - fake_parent_commandline - fake_parent_image - fake_parent_unique_id - fake_ppid - family - favorite_id - filter - first_bytes - gid - grandparent_commandline - grandparent_image - grandparent_integrity_level - grandparent_unique_id - group - group_event - group_id - group_name - groups - hash - hashes - hive_path - hlai_binaries_benchmark_data - hlai_scripts_benchmark_data - host - id - image_base - image_base_address - image_name - imagebase - imagename - imagepath - imagesize - inbound_quota - incoming_bytes - incomplete - ingestion_date - initiated - integrity_level - ip_addresses - is_ipv6 - is_platform_binary - job_id - kernel_callback - keywords - kind - last_modifier_id - last_seen - last_status_update_is_automatic - last_update - last_writer_package_family_name - level - level_int - library_path - library_type - linux - log_name - log_type - logonid - macos - maturity - maximum_instances - member_id - member_name - memfd_name - method - missing_related_process - mitre_cells - mode - mode_str - msg - name - named_pipe_type - namespace - network - new_name - new_thread_id - new_user_name - object_type - old_mode - old_mode_str - operation - operation_type - outbound_quota - outgoing_bytes - parent_commandline - parent_image - parent_integrity_level - parent_unique_id - 
password - path - pe_imphash - pe_info - pe_timestamp - pe_timestamp_int - pid - pipe_name - pipe_operation - platform - port - ppid - previous_details - process - process_commandline - process_duplicate_handle - process_entrypoint_file - process_entrypoint_memory - process_header_file - process_header_memory - process_id - process_image_path - process_imagename - process_name - process_ptrace - process_unique_id - product_id - product_name - protocol - provider_guid - quarantine - query - query_params - query_type - ransomguard_canary_data - ransomguard_detection_type - ransomguard_heuristic_data - record_number - references - referrer_url - region_allocation_base - region_allocation_protect - region_allocation_size - region_base_address - region_dump - region_dump_base - region_protect - region_sha256 - region_size - region_state - region_type - registry_value_type - requested_name - rule_content - rule_id - rule_name - saddr - scheduled_task - scheme - score - script_block - script_path - serial_number - session - sgid - sgroup - sha256 - signature_info - signed - size - sock_type - source - source_address - source_agent_hostname - source_agent_id - source_domain - source_domain_name - source_image - source_ip_address - source_name - source_process_guid - source_process_id - source_process_unique_id - source_thread_id - source_tid - source_url - source_user - source_user_id - source_user_name - source_username - sport - stack_trace - stacktrace - stacktrace_full - stacktrace_minimal - start_address - start_address_string - start_function - start_module - start_module_base - status - status_msg - success - suid - susername - tactic - tags - tamper_flag - tamper_flag_as_str - target - target_domain - target_domain_name - target_image - target_object - target_process_guid - target_process_id - target_process_unique_id - target_thread_id - target_user - target_user_id - target_user_name - target_username - technique - tenant - text_payload - text_records - thread - 
thread_dump - thread_id - thread_sha256 - threat_key - threat_type - threat_values - tid - timestamp - transport_protocol - transport_protocol_number - type - uid - url - url_zone - user - user_agent - user_event - user_name - user_sid - username - usersid - utc_time - vendor_id - vendor_name - whitelisted_by - win32k_get_async_key_state - win32k_register_raw_input_devices - win32k_set_windows_hook_ex - windows - windows_service - wmi_event - written_file_size - zone_id type: object AcquireQuarantineFile: properties: local_id: format: uuid title: Local id type: string required: - local_id type: object AcquisitionPermissions: properties: capture_ram: enum: - disabled - read_only - read_write title: Capture ram type: string collect_raw_data: enum: - disabled - read_only - read_write title: Collect raw data type: string download_directory: enum: - disabled - read_only - read_write title: Download directory type: string download_file: enum: - disabled - read_only - read_write title: Download file type: string network_sniffer: enum: - disabled - read_only - read_write title: Network sniffer type: string parse_filesystem: enum: - disabled - read_only - read_write title: Parse filesystem type: string process_dumper: enum: - disabled - read_only - read_write title: Process dumper type: string required: - capture_ram - collect_raw_data - download_directory - download_file - network_sniffer - parse_filesystem - process_dumper type: object Action: properties: params: title: Params type: object value: enum: - IOCScan - agentDiagnostic - agentMinidump - avScan - collectRAWEvidences - deleteScheduledTask - deleteService - downloadDirectory - downloadFile - filepathDeleter - getEVT - getHives - getLoadedDriverList - getNetworkShare - getPipeList - getPrefetch - getProcessList - getQFE - getRawHives - getRawPrefetch - getRawSystemHives - getRawUserHives - getRawWMI - getScheduledTasks - getSessions - getStartupFileList - getWMI - knownProcessFinderKiller - listDirectory - 
memoryDumper - networkDiscovery - networkSniffer - parseFilesystem - persistanceScanner - processDumper - profileMemory - quarantineAcquireFile - quarantineAdd - quarantineDelete - quarantineRestore - registryOperation - searchProcessDumper - wildcardProcessFinderKiller - yaraScan title: Value type: string required: - params - value type: object ActionRemediationPermissions: properties: acquisition: $ref: '#/definitions/AcquisitionPermissions' debug: $ref: '#/definitions/DebugPermissions' endpoint_isolation: title: Endpoint isolation type: boolean evidence: $ref: '#/definitions/EvidencePermissions' info: $ref: '#/definitions/InfoPermissions' persistence: $ref: '#/definitions/PersistencePermissions' remediation: $ref: '#/definitions/RemediationPermissions' scan: $ref: '#/definitions/ScanPermissions' required: - acquisition - debug - endpoint_isolation - evidence - info - persistence - remediation - scan type: object Actions: properties: block_on_agent: title: Block on agent type: boolean enabled: title: Enabled type: boolean endpoint_detection: title: Endpoint detection type: boolean quarantine_on_agent: title: Quarantine on agent type: boolean required: - block_on_agent - enabled - endpoint_detection - quarantine_on_agent type: object ActiveCve: properties: agent: $ref: '#/definitions/VulnerabilityAgent' cve: $ref: '#/definitions/Cve' vulnerable_installations: items: $ref: '#/definitions/ShortInstallationWithVersion' type: array required: - agent - cve - vulnerable_installations type: object ActiveCveListing: properties: count: title: Count type: integer next: minLength: 1 title: Next type: string x-nullable: true previous: minLength: 1 title: Previous type: string x-nullable: true results: items: $ref: '#/definitions/ActiveCve' type: array required: - count - results type: object ActiveDirectory: properties: auto_scan_interval: default: PT23H minLength: 1 title: Auto scan interval type: string base_dn: minLength: 1 title: Base dn type: string x-nullable: true 
bind_account_password: minLength: 1 title: Bind account password type: string x-nullable: true bind_account_username: minLength: 1 title: Bind account username type: string x-nullable: true connector_type: enum: - assemblyline - base - cape - connector_misp - export - export_elastic - export_s3 - export_secops - export_splunk - glimps - irma - ldap_auth - orion - proxy - thehive - virustotal readOnly: true title: Connector type type: string description: minLength: 1 title: Description type: string x-nullable: true domain: minLength: 1 title: Domain type: string x-nullable: true enable_auto_scan: default: true title: Enable auto scan type: boolean enable_group_creation: default: true title: Enable group creation type: boolean enable_unprotected_asset_detection: default: false title: Enable unprotected asset detection type: boolean enabled: default: false title: Enabled type: boolean id: minLength: 1 readOnly: true title: Id type: string last_modified: format: date-time readOnly: true title: Last modified type: string last_modifier: minLength: 1 readOnly: true title: Last modifier type: string missed_scans_before_delete: default: 4 minimum: 1 title: Missed scans before delete type: integer name: minLength: 1 title: Name type: string selected_agent: readOnly: true title: Selected agent type: string selected_agent_id: minLength: 1 title: Selected agent id type: string x-nullable: true selected_domain_controller_id: minLength: 1 title: Selected domain controller id type: string x-nullable: true status: $ref: '#/definitions/ConfigConnectorStatus' type: default: active_directory enum: - active_directory readOnly: true title: Type type: string use_bind_account: default: false title: Use bind account type: boolean use_ssl: default: false title: Use ssl type: boolean required: - name type: object x-nullable: true ActivePasswordResetLink: properties: created_at: format: date-time title: Created at type: string created_by: $ref: '#/definitions/HlSimpleUserSerializer' 
duration_minutes: title: Duration minutes type: integer expires_at: format: date-time title: Expires at type: string required: - created_at - created_by - duration_minutes - expires_at type: object ActiveUserbyIDs: properties: ids: items: type: string x-nullable: true type: array is_active: title: Is active type: boolean required: - ids - is_active type: object AddCommentThreat: properties: comment: minLength: 1 title: Comment type: string required: - comment type: object AddToQuarantine: properties: comment: title: Comment type: string values: items: $ref: '#/definitions/AddToQuarantineItem' type: array required: - values type: object AddToQuarantineItem: properties: file_path: minLength: 1 title: File path type: string required: - file_path type: object AdministrationPermissions: properties: can_change_global_settings: title: Can change global settings type: boolean can_download_agent_installer: title: Can download agent installer type: boolean monitoring: $ref: '#/definitions/MonitoringPermissions' roles: enum: - disabled - read_only - read_write title: Roles type: string users: enum: - disabled - read_only - read_write title: Users type: string required: - can_change_global_settings - can_download_agent_installer - monitoring - roles - users type: object AffectedApplication: properties: product: minLength: 1 title: Product type: string vendor: minLength: 1 title: Vendor type: string required: - product - vendor type: object Agent: properties: additional_info: $ref: '#/definitions/AgentAdditionalInfoValues' antivirus_is_up_to_date: readOnly: true title: Antivirus is up to date type: boolean antivirus_last_update_date: format: date-time readOnly: true title: Antivirus last update date type: string x-nullable: true antivirus_name: minLength: 1 readOnly: true title: Antivirus name type: string x-nullable: true antivirus_policy_revision: readOnly: true title: Antivirus policy revision type: integer x-nullable: true antivirus_rules_last_update_date: format: date-time 
readOnly: true title: Antivirus rules last update date type: string x-nullable: true antivirus_rules_version: minLength: 1 readOnly: true title: Antivirus rules version type: string x-nullable: true antivirus_version: minLength: 1 readOnly: true title: Antivirus version type: string x-nullable: true avg_av_cpu: readOnly: true title: Avg av cpu type: number x-nullable: true avg_av_memory: readOnly: true title: Avg av memory type: number x-nullable: true avg_cpu: readOnly: true title: Avg cpu type: number x-nullable: true avg_memory: readOnly: true title: Avg memory type: number x-nullable: true avg_system_cpu: readOnly: true title: Avg system cpu type: number x-nullable: true avg_system_memory: readOnly: true title: Avg system memory type: number x-nullable: true bitness: minLength: 1 readOnly: true title: Bitness type: string x-nullable: true boot_loop_protection_boot_count: readOnly: true title: Boot loop protection boot count type: integer x-nullable: true boot_loop_protection_end_date: format: date-time readOnly: true title: Boot loop protection end date type: string x-nullable: true cpu_count: readOnly: true title: Cpu count type: integer x-nullable: true cpu_frequency: readOnly: true title: Cpu frequency type: integer x-nullable: true description: minLength: 1 title: Description type: string x-nullable: true disk_count: readOnly: true title: Disk count type: integer distro_version_id: minLength: 1 readOnly: true title: Distro version id type: string x-nullable: true distroid: minLength: 1 readOnly: true title: Distroid type: string x-nullable: true dnsdomainname: minLength: 1 readOnly: true title: Dnsdomainname type: string x-nullable: true domain: minLength: 1 readOnly: true title: Domain type: string x-nullable: true domainname: minLength: 1 readOnly: true title: Domainname type: string x-nullable: true driver_enabled: readOnly: true title: Driver enabled type: boolean x-nullable: true driver_policy: readOnly: true title: Driver policy type: boolean 
x-nullable: true driver_version: minLength: 1 readOnly: true title: Driver version type: string x-nullable: true effective_antivirus_policy_id: minLength: 1 readOnly: true title: Effective antivirus policy id type: string x-nullable: true effective_antivirus_policy_revision: readOnly: true title: Effective antivirus policy revision type: integer x-nullable: true effective_correlation_revision: readOnly: true title: Effective correlation revision type: integer x-nullable: true effective_driver_blocklists_revision: readOnly: true title: Effective driver blocklists revision type: integer x-nullable: true effective_ioc_revision: readOnly: true title: Effective ioc revision type: integer x-nullable: true effective_sigma_revision: readOnly: true title: Effective sigma revision type: integer x-nullable: true effective_usb_device_control_revision: readOnly: true title: Effective usb device control revision type: integer x-nullable: true effective_whitelist_revision: readOnly: true title: Effective whitelist revision type: integer x-nullable: true effective_yara_revision: readOnly: true title: Effective yara revision type: integer x-nullable: true encrypted_disk_count: readOnly: true title: Encrypted disk count type: integer entra_device_id: minLength: 1 title: Entra device id type: string x-nullable: true entra_join_type: maximum: 2147483647 minimum: -2147483648 title: Entra join type type: integer x-nullable: true entra_tenant_id: minLength: 1 title: Entra tenant id type: string x-nullable: true external_ipaddress: minLength: 1 readOnly: true title: External ipaddress type: string x-nullable: true firstseen: format: date-time readOnly: true title: Firstseen type: string x-nullable: true group_count: title: Group count type: integer groups: items: $ref: '#/definitions/BasicGroup' readOnly: true type: array hardware_address: minLength: 1 readOnly: true title: Hardware address type: string x-nullable: true has_valid_password: readOnly: true title: Has valid password type: 
boolean host: minLength: 1 title: Host type: string x-nullable: true hostname: minLength: 1 readOnly: true title: Hostname type: string x-nullable: true id: format: uuid title: Id type: string installdate: minLength: 1 readOnly: true title: Installdate type: string x-nullable: true ipaddress: minLength: 1 readOnly: true title: Ipaddress type: string x-nullable: true ipmask: minLength: 1 readOnly: true title: Ipmask type: string x-nullable: true is_ppl_antimalware: readOnly: true title: Is ppl antimalware type: boolean x-nullable: true isolation_policy: readOnly: true title: Isolation policy type: boolean x-nullable: true isolation_state: readOnly: true title: Isolation state type: boolean x-nullable: true last_upgrade_attempt: format: date-time readOnly: true title: Last upgrade attempt type: string x-nullable: true last_upgrade_success: format: date-time readOnly: true title: Last upgrade success type: string x-nullable: true lastseen: format: date-time readOnly: true title: Lastseen type: string x-nullable: true lastseen_error: format: date-time readOnly: true title: Lastseen error type: string x-nullable: true lastseen_warning: format: date-time readOnly: true title: Lastseen warning type: string x-nullable: true latest_vulnscan_date: format: date-time title: Latest vulnscan date type: string x-nullable: true machine_account_sid: minLength: 1 title: Machine account sid type: string x-nullable: true machine_boottime: format: date-time readOnly: true title: Machine boottime type: string x-nullable: true machine_serial: minLength: 1 readOnly: true title: Machine serial type: string x-nullable: true origin_stack: $ref: '#/definitions/OriginStack' os_install_date: format: date-time readOnly: true title: Os install date type: string osbuild: readOnly: true title: Osbuild type: integer x-nullable: true osid: minLength: 1 readOnly: true title: Osid type: string x-nullable: true osmajor: readOnly: true title: Osmajor type: integer x-nullable: true osminor: readOnly: true 
title: Osminor type: integer x-nullable: true osproducttype: minLength: 1 readOnly: true title: Osproducttype type: string x-nullable: true osrevision: readOnly: true title: Osrevision type: integer x-nullable: true ostype: minLength: 1 readOnly: true title: Ostype type: string x-nullable: true osversion: minLength: 1 readOnly: true title: Osversion type: string x-nullable: true pinned_version: minLength: 1 readOnly: true title: Pinned version type: string x-nullable: true policy: $ref: '#/definitions/PolicyLight' policy_set: $ref: '#/definitions/PolicySetLight' port: maximum: 2147483647 minimum: -2147483648 title: Port type: integer x-nullable: true producttype: minLength: 1 readOnly: true title: Producttype type: string x-nullable: true protocol: maximum: 2147483647 minimum: -2147483648 title: Protocol type: integer x-nullable: true proxy_host: minLength: 1 title: Proxy host type: string x-nullable: true proxy_port: maximum: 2147483647 minimum: -2147483648 title: Proxy port type: integer x-nullable: true proxy_protocol: maximum: 2147483647 minimum: -2147483648 title: Proxy protocol type: integer x-nullable: true public_server_signature: minLength: 1 title: Public server signature type: string x-nullable: true quarantine_last_update: format: date-time readOnly: true title: Quarantine last update type: string x-nullable: true refresh_properties_status: enum: - ERROR - requesting_agent - update_processing - update_queued readOnly: true title: Refresh properties status type: string x-nullable: true refresh_quarantine_status: enum: - ERROR - requesting_agent - update_processing - update_queued readOnly: true title: Refresh quarantine status type: string x-nullable: true rollback_version: minLength: 1 readOnly: true title: Rollback version type: string x-nullable: true run_policy_automation: title: Run policy automation type: boolean x-nullable: true servicepack: minLength: 1 readOnly: true title: Servicepack type: string x-nullable: true should_change_id: readOnly: 
true title: Should change id type: boolean starttime: format: date-time readOnly: true title: Starttime type: string status: enum: - access_denied - idle - offline - online readOnly: true title: Status type: string subnet: $ref: '#/definitions/SimpleSubnet' task_statuses: additionalProperties: additionalProperties: type: boolean type: object readOnly: true title: Task statuses type: object telemetry: additionalProperties: type: string x-nullable: true readOnly: true title: Telemetry type: object telemetry_last_update: format: date-time readOnly: true title: Telemetry last update type: string x-nullable: true tenant: minLength: 1 readOnly: true title: Tenant type: string total_memory: readOnly: true title: Total memory type: number x-nullable: true uninstall_status: readOnly: true title: Uninstall status type: integer x-nullable: true update_method: maximum: 2147483647 minimum: -2147483648 title: Update method type: integer x-nullable: true update_status: readOnly: true title: Update status type: integer x-nullable: true upgrade_consecutive_fail_count: readOnly: true title: Upgrade consecutive fail count type: integer x-nullable: true upgrade_failure_reason: minLength: 1 readOnly: true title: Upgrade failure reason type: string x-nullable: true upgrade_status: enum: - agent_lost - canceled - done - failed - in_progress - pending readOnly: true title: Upgrade status type: string x-nullable: true vdi_mode: enum: - hostname - mac - mac_and_hostname - unknown readOnly: true title: Vdi mode type: string vdi_salt: minLength: 1 title: Vdi salt type: string x-nullable: true version: minLength: 1 readOnly: true title: Version type: string x-nullable: true windows_groups_last_update: format: date-time readOnly: true title: Windows groups last update type: string x-nullable: true windows_users_last_update: format: date-time readOnly: true title: Windows users last update type: string x-nullable: true required: - id type: object AgentActionData: properties: policy_change: $ref: 
'#/definitions/PolicyUpdateData' policy_update: $ref: '#/definitions/PolicyUpdateData' version_update: $ref: '#/definitions/VersionUpdateData' type: object AgentActionHistory: properties: action_data: $ref: '#/definitions/AgentActionData' action_type: enum: - policy_change - policy_update - version_update title: Action type type: string agents: items: format: uuid type: string type: array uniqueItems: true creation_date: format: date-time readOnly: true title: Creation date type: string id: format: uuid title: Id type: string required: - action_data - action_type - agents - id type: object AgentAdditionalInfoValues: properties: additional_info1: minLength: 1 title: Additional info1 type: string x-nullable: true additional_info2: minLength: 1 title: Additional info2 type: string x-nullable: true additional_info3: minLength: 1 title: Additional info3 type: string x-nullable: true additional_info4: minLength: 1 title: Additional info4 type: string x-nullable: true type: object AgentAdditionalInfos: properties: additional_infos: items: type: string maxItems: 4 minItems: 1 type: array required: - additional_infos type: object AgentApplication: properties: active: readOnly: true title: Active type: boolean app_type: minLength: 1 readOnly: true title: App type type: string x-nullable: true cpe_prefix: minLength: 1 readOnly: true title: Cpe prefix type: string x-nullable: true description: minLength: 1 readOnly: true title: Description type: string x-nullable: true first_seen: format: date-time readOnly: true title: First seen type: string first_version: minLength: 1 readOnly: true title: First version type: string id: format: uuid readOnly: true title: Id type: string installation_count: readOnly: true title: Installation count type: integer installation_date: format: date-time readOnly: true title: Installation date type: string last_seen: format: date-time readOnly: true title: Last seen type: string last_version: minLength: 1 readOnly: true title: Last version type: 
string name: minLength: 1 readOnly: true title: Name type: string ostype: minLength: 1 readOnly: true title: Ostype type: string package_manager: enum: - apt - pacman - rpm - unspecified readOnly: true title: Package manager type: string x-nullable: true publisher: minLength: 1 readOnly: true title: Publisher type: string x-nullable: true type: object AgentAutoUpgradeAllChannels: properties: latest: minLength: 1 title: Latest type: string stable: minLength: 1 title: Stable type: string required: - latest - stable type: object AgentAutoUpgradeChannel: properties: version: minLength: 1 title: Version type: string required: - version type: object AgentCleaning: properties: clean_jobs: default: false title: Clean jobs type: boolean jobs_max_days: default: 60 minimum: 1 title: Jobs max days type: integer type: object AgentDashboardAgentsStat: properties: access_denied: title: Access denied type: integer access_denied_percent: title: Access denied percent type: number idle: title: Idle type: integer idle_percent: title: Idle percent type: number isolate: title: Isolate type: integer isolate_percent: title: Isolate percent type: number isolated: title: Isolated type: integer isolated_percent: title: Isolated percent type: number offline: title: Offline type: integer offline_percent: title: Offline percent type: number online: title: Online type: integer online_percent: title: Online percent type: number total: title: Total type: integer required: - access_denied - access_denied_percent - idle - idle_percent - isolate - isolate_percent - isolated - isolated_percent - offline - offline_percent - online - online_percent - total type: object AgentDashboardJobsStat: properties: error: title: Error type: integer error_percent: title: Error percent type: number finished: title: Finished type: integer finished_percent: title: Finished percent type: number total: title: Total type: integer total_jobs: title: Total jobs type: integer working: title: Working type: integer 
working_percent: title: Working percent type: number required: - error - error_percent - finished - finished_percent - total - total_jobs - working - working_percent type: object AgentDashboardStat: properties: agents: $ref: '#/definitions/AgentDashboardAgentsStat' binaries: title: Binaries type: integer data: title: Data type: integer jobs: $ref: '#/definitions/AgentDashboardJobsStat' versions: additionalProperties: type: integer title: Versions type: object required: - agents - binaries - data - jobs - versions type: object AgentDatasetsStat: properties: datasets: items: $ref: '#/definitions/Data' type: array labels: items: type: string x-nullable: true type: array required: - datasets - labels type: object AgentDetail: properties: additional_info: $ref: '#/definitions/AgentAdditionalInfoValues' antivirus_is_up_to_date: readOnly: true title: Antivirus is up to date type: boolean antivirus_last_update_date: format: date-time readOnly: true title: Antivirus last update date type: string x-nullable: true antivirus_name: minLength: 1 readOnly: true title: Antivirus name type: string x-nullable: true antivirus_policy_revision: readOnly: true title: Antivirus policy revision type: integer x-nullable: true antivirus_rules_last_update_date: format: date-time readOnly: true title: Antivirus rules last update date type: string x-nullable: true antivirus_rules_version: minLength: 1 readOnly: true title: Antivirus rules version type: string x-nullable: true antivirus_version: minLength: 1 readOnly: true title: Antivirus version type: string x-nullable: true application_count: readOnly: true title: Application count type: integer avg_av_cpu: readOnly: true title: Avg av cpu type: number x-nullable: true avg_av_memory: readOnly: true title: Avg av memory type: number x-nullable: true avg_cpu: readOnly: true title: Avg cpu type: number x-nullable: true avg_memory: readOnly: true title: Avg memory type: number x-nullable: true avg_system_cpu: readOnly: true title: Avg system cpu 
type: number x-nullable: true avg_system_memory: readOnly: true title: Avg system memory type: number x-nullable: true bitness: minLength: 1 readOnly: true title: Bitness type: string x-nullable: true boot_loop_protection_boot_count: readOnly: true title: Boot loop protection boot count type: integer x-nullable: true boot_loop_protection_end_date: format: date-time readOnly: true title: Boot loop protection end date type: string x-nullable: true cpu_count: readOnly: true title: Cpu count type: integer x-nullable: true cpu_frequency: readOnly: true title: Cpu frequency type: integer x-nullable: true description: minLength: 1 title: Description type: string x-nullable: true disk_count: readOnly: true title: Disk count type: integer distro_version_id: minLength: 1 readOnly: true title: Distro version id type: string x-nullable: true distroid: minLength: 1 readOnly: true title: Distroid type: string x-nullable: true dnsdomainname: minLength: 1 readOnly: true title: Dnsdomainname type: string x-nullable: true domain: minLength: 1 readOnly: true title: Domain type: string x-nullable: true domainname: minLength: 1 readOnly: true title: Domainname type: string x-nullable: true driver_enabled: readOnly: true title: Driver enabled type: boolean x-nullable: true driver_policy: readOnly: true title: Driver policy type: boolean x-nullable: true driver_version: minLength: 1 readOnly: true title: Driver version type: string x-nullable: true effective_antivirus_policy_id: minLength: 1 readOnly: true title: Effective antivirus policy id type: string x-nullable: true effective_antivirus_policy_revision: readOnly: true title: Effective antivirus policy revision type: integer x-nullable: true effective_antivirus_profile_id: readOnly: true title: Effective antivirus profile id type: string effective_antivirus_profile_revision: readOnly: true title: Effective antivirus profile revision type: integer effective_correlation_revision: readOnly: true title: Effective correlation revision 
type: integer x-nullable: true effective_device_control_policy_id: minLength: 1 readOnly: true title: Effective device control policy id type: string x-nullable: true effective_device_control_policy_revision: readOnly: true title: Effective device control policy revision type: integer x-nullable: true effective_driver_blocklists_revision: readOnly: true title: Effective driver blocklists revision type: integer x-nullable: true effective_fim_policy_id: minLength: 1 readOnly: true title: Effective fim policy id type: string x-nullable: true effective_fim_policy_revision: readOnly: true title: Effective fim policy revision type: integer x-nullable: true effective_firewall_policy_id: minLength: 1 readOnly: true title: Effective firewall policy id type: string x-nullable: true effective_firewall_policy_revision: readOnly: true title: Effective firewall policy revision type: integer x-nullable: true effective_ioc_revision: readOnly: true title: Effective ioc revision type: integer x-nullable: true effective_policy_id: minLength: 1 readOnly: true title: Effective policy id type: string x-nullable: true effective_policy_revision: readOnly: true title: Effective policy revision type: integer x-nullable: true effective_sigma_revision: readOnly: true title: Effective sigma revision type: integer x-nullable: true effective_usb_device_control_revision: readOnly: true title: Effective usb device control revision type: integer x-nullable: true effective_whitelist_revision: readOnly: true title: Effective whitelist revision type: integer x-nullable: true effective_yara_revision: readOnly: true title: Effective yara revision type: integer x-nullable: true encrypted_disk_count: readOnly: true title: Encrypted disk count type: integer entra_device_id: minLength: 1 title: Entra device id type: string x-nullable: true entra_join_type: maximum: 2147483647 minimum: -2147483648 title: Entra join type type: integer x-nullable: true entra_tenant_id: minLength: 1 title: Entra tenant id type: 
string x-nullable: true external_ipaddress: minLength: 1 readOnly: true title: External ipaddress type: string x-nullable: true firstseen: format: date-time readOnly: true title: Firstseen type: string x-nullable: true group_count: title: Group count type: integer groups: items: $ref: '#/definitions/BasicGroup' readOnly: true type: array hardware_address: minLength: 1 readOnly: true title: Hardware address type: string x-nullable: true has_valid_password: readOnly: true title: Has valid password type: boolean hostname: minLength: 1 readOnly: true title: Hostname type: string x-nullable: true id: format: uuid title: Id type: string installation_config: readOnly: true title: Installation config type: object installdate: minLength: 1 readOnly: true title: Installdate type: string x-nullable: true interface_count: readOnly: true title: Interface count type: integer ipaddress: minLength: 1 readOnly: true title: Ipaddress type: string x-nullable: true ipmask: minLength: 1 readOnly: true title: Ipmask type: string x-nullable: true is_obsolete: readOnly: true title: Is obsolete type: boolean is_ppl_antimalware: readOnly: true title: Is ppl antimalware type: boolean x-nullable: true isolation_policy: readOnly: true title: Isolation policy type: boolean x-nullable: true isolation_state: readOnly: true title: Isolation state type: boolean x-nullable: true last_upgrade_attempt: format: date-time readOnly: true title: Last upgrade attempt type: string x-nullable: true last_upgrade_success: format: date-time readOnly: true title: Last upgrade success type: string x-nullable: true lastseen: format: date-time readOnly: true title: Lastseen type: string x-nullable: true lastseen_error: format: date-time readOnly: true title: Lastseen error type: string x-nullable: true lastseen_warning: format: date-time readOnly: true title: Lastseen warning type: string x-nullable: true latest_vulnscan_date: format: date-time readOnly: true title: Latest vulnscan date type: string x-nullable: 
true local_admin_count: readOnly: true title: Local admin count type: integer local_group_count: readOnly: true title: Local group count type: integer local_user_count: readOnly: true title: Local user count type: integer machine_account_sid: minLength: 1 title: Machine account sid type: string x-nullable: true machine_boottime: format: date-time readOnly: true title: Machine boottime type: string x-nullable: true machine_serial: minLength: 1 readOnly: true title: Machine serial type: string x-nullable: true origin_stack: $ref: '#/definitions/OriginStack' os_install_date: format: date-time readOnly: true title: Os install date type: string osbuild: readOnly: true title: Osbuild type: integer x-nullable: true osid: minLength: 1 readOnly: true title: Osid type: string x-nullable: true osmajor: readOnly: true title: Osmajor type: integer x-nullable: true osminor: readOnly: true title: Osminor type: integer x-nullable: true osproducttype: minLength: 1 readOnly: true title: Osproducttype type: string x-nullable: true osrevision: readOnly: true title: Osrevision type: integer x-nullable: true ostype: minLength: 1 readOnly: true title: Ostype type: string x-nullable: true osversion: minLength: 1 readOnly: true title: Osversion type: string x-nullable: true pinned_version: minLength: 1 readOnly: true title: Pinned version type: string x-nullable: true policy: $ref: '#/definitions/PolicyAgentDetails' policy_set: $ref: '#/definitions/PolicySetPolicies' producttype: minLength: 1 readOnly: true title: Producttype type: string x-nullable: true quarantine_file_count: readOnly: true title: Quarantine file count type: integer quarantine_last_update: format: date-time readOnly: true title: Quarantine last update type: string x-nullable: true refresh_properties_status: enum: - ERROR - requesting_agent - update_processing - update_queued readOnly: true title: Refresh properties status type: string x-nullable: true refresh_quarantine_status: enum: - ERROR - requesting_agent - 
update_processing - update_queued readOnly: true title: Refresh quarantine status type: string x-nullable: true rollback_version: minLength: 1 readOnly: true title: Rollback version type: string x-nullable: true run_policy_automation: title: Run policy automation type: boolean x-nullable: true servicepack: minLength: 1 readOnly: true title: Servicepack type: string x-nullable: true should_change_id: default: false readOnly: true title: Should change id type: boolean starttime: format: date-time readOnly: true title: Starttime type: string status: enum: - access_denied - idle - offline - online readOnly: true title: Status type: string subnet: $ref: '#/definitions/SimpleSubnet' task_statuses: additionalProperties: additionalProperties: type: boolean type: object readOnly: true title: Task statuses type: object telemetry: additionalProperties: type: string x-nullable: true readOnly: true title: Telemetry type: object telemetry_last_update: format: date-time readOnly: true title: Telemetry last update type: string x-nullable: true tenant: minLength: 1 readOnly: true title: Tenant type: string total_memory: readOnly: true title: Total memory type: number x-nullable: true uninstall_status: readOnly: true title: Uninstall status type: integer x-nullable: true update_status: readOnly: true title: Update status type: integer x-nullable: true upgrade_consecutive_fail_count: readOnly: true title: Upgrade consecutive fail count type: integer x-nullable: true upgrade_failure_reason: minLength: 1 readOnly: true title: Upgrade failure reason type: string x-nullable: true upgrade_status: enum: - agent_lost - canceled - done - failed - in_progress - pending readOnly: true title: Upgrade status type: string x-nullable: true vdi_mode: enum: - hostname - mac - mac_and_hostname - unknown readOnly: true title: Vdi mode type: string version: minLength: 1 readOnly: true title: Version type: string x-nullable: true windows_groups_last_update: format: date-time readOnly: true title: 
Windows groups last update type: string x-nullable: true windows_users_last_update: format: date-time readOnly: true title: Windows users last update type: string x-nullable: true required: - id type: object AgentDiagnostic: properties: '@timestamp': format: date-time title: '@timestamp' type: string additional_info: minLength: 1 title: Additional info type: string agent: $ref: '#/definitions/DataAgent' description: minLength: 1 title: Description type: string id: minLength: 1 title: Id type: string item_status: title: Item status type: integer job_id: minLength: 1 title: Job id type: string job_instance_action: minLength: 1 title: Job instance action type: string job_instance_id: minLength: 1 title: Job instance id type: string job_instance_task_id: title: Job instance task id type: integer name: minLength: 1 title: Name type: string result_type: title: Result type type: integer tenant: minLength: 1 title: Tenant type: string required: - '@timestamp' - additional_info - agent - description - id - item_status - job_id - job_instance_action - job_instance_id - job_instance_task_id - name - result_type - tenant type: object AgentDisk: properties: fs_type: minLength: 1 readOnly: true title: Fs type type: string id: format: uuid readOnly: true title: Id type: string is_encrypted: readOnly: true title: Is encrypted type: boolean x-nullable: true is_removable: readOnly: true title: Is removable type: boolean x-nullable: true label: minLength: 1 readOnly: true title: Label type: string x-nullable: true mount_point: minLength: 1 readOnly: true title: Mount point type: string size_free: maximum: 9223372036854775807 minimum: -9223372036854775808 readOnly: true title: Size free type: integer x-nullable: true size_total: maximum: 9223372036854775807 minimum: -9223372036854775808 readOnly: true title: Size total type: integer x-nullable: true size_used: maximum: 9223372036854775807 minimum: -9223372036854775808 readOnly: true title: Size used type: integer x-nullable: true 
size_used_percent: readOnly: true title: Size used percent type: number type: object AgentDownloadFileQuery: properties: filename: minLength: 1 title: Filename type: string required: - filename type: object AgentEdit: properties: boot_loop_protection_boot_count: maximum: 2147483647 minimum: -2147483648 title: Boot loop protection boot count type: integer x-nullable: true boot_loop_protection_end_date: format: date-time title: Boot loop protection end date type: string x-nullable: true description: minLength: 1 title: Description type: string x-nullable: true driver_policy: title: Driver policy type: boolean x-nullable: true effective_correlation_revision: maximum: 9223372036854775807 minimum: 0 title: Effective correlation revision type: integer x-nullable: true effective_driver_blocklists_revision: maximum: 9223372036854775807 minimum: 0 title: Effective driver blocklists revision type: integer x-nullable: true effective_ioc_revision: maximum: 9223372036854775807 minimum: 0 title: Effective ioc revision type: integer x-nullable: true effective_sigma_revision: maximum: 9223372036854775807 minimum: 0 title: Effective sigma revision type: integer x-nullable: true effective_usb_device_control_revision: maximum: 9223372036854775807 minimum: 0 title: Effective usb device control revision type: integer x-nullable: true effective_whitelist_revision: maximum: 9223372036854775807 minimum: 0 title: Effective whitelist revision type: integer x-nullable: true effective_yara_revision: maximum: 9223372036854775807 minimum: 0 title: Effective yara revision type: integer x-nullable: true entra_device_id: minLength: 1 title: Entra device id type: string x-nullable: true entra_join_type: maximum: 2147483647 minimum: -2147483648 title: Entra join type type: integer x-nullable: true entra_tenant_id: minLength: 1 title: Entra tenant id type: string x-nullable: true host: minLength: 1 title: Host type: string x-nullable: true id: format: uuid readOnly: true title: Id type: string 
isolation_policy: title: Isolation policy type: boolean x-nullable: true latest_vulnscan_date: format: date-time title: Latest vulnscan date type: string x-nullable: true machine_account_sid: minLength: 1 title: Machine account sid type: string x-nullable: true machine_serial: minLength: 1 title: Machine serial type: string x-nullable: true new_group_ids: items: minLength: 1 type: string type: array pinned_version: minLength: 1 title: Pinned version type: string x-nullable: true policy_id: minLength: 1 title: Policy id type: string policy_set: format: uuid title: Policy set type: string x-nullable: true port: maximum: 2147483647 minimum: -2147483648 title: Port type: integer x-nullable: true protocol: maximum: 2147483647 minimum: -2147483648 title: Protocol type: integer x-nullable: true proxy_host: minLength: 1 title: Proxy host type: string x-nullable: true proxy_port: maximum: 2147483647 minimum: -2147483648 title: Proxy port type: integer x-nullable: true proxy_protocol: maximum: 2147483647 minimum: -2147483648 title: Proxy protocol type: integer x-nullable: true public_server_signature: minLength: 1 title: Public server signature type: string x-nullable: true quarantine_last_update: format: date-time title: Quarantine last update type: string x-nullable: true refresh_properties_status: enum: - ERROR - requesting_agent - update_processing - update_queued title: Refresh properties status type: string x-nullable: true refresh_quarantine_status: enum: - ERROR - requesting_agent - update_processing - update_queued title: Refresh quarantine status type: string x-nullable: true requested_version: minLength: 1 title: Requested version type: string x-nullable: true rollback_version: minLength: 1 title: Rollback version type: string x-nullable: true run_policy_automation: title: Run policy automation type: boolean x-nullable: true should_change_id: title: Should change id type: boolean subnet: format: uuid title: Subnet type: string x-nullable: true task_statuses: 
additionalProperties: additionalProperties: type: boolean type: object readOnly: true title: Task statuses type: object telemetry: additionalProperties: type: string x-nullable: true readOnly: true title: Telemetry type: object telemetry_last_update: format: date-time title: Telemetry last update type: string x-nullable: true update_method: maximum: 2147483647 minimum: -2147483648 title: Update method type: integer x-nullable: true vdi_mode: maximum: 2147483647 minimum: -2147483648 title: Vdi mode type: integer x-nullable: true vdi_salt: minLength: 1 title: Vdi salt type: string x-nullable: true windows_groups_last_update: format: date-time title: Windows groups last update type: string x-nullable: true windows_users_last_update: format: date-time title: Windows users last update type: string x-nullable: true type: object AgentIdList: properties: agent_ids: items: format: uuid type: string type: array version: minLength: 1 title: Version type: string required: - agent_ids type: object AgentIdListOrAll: properties: agent_ids: default: [] items: format: uuid type: string type: array all: default: false title: All type: boolean type: object AgentInstallation: properties: additional_info: $ref: '#/definitions/AgentAdditionalInfoValues' application: format: uuid readOnly: true title: Application type: string first_seen: format: date-time readOnly: true title: First seen type: string id: format: uuid readOnly: true title: Id type: string installation_date: format: date-time readOnly: true title: Installation date type: string x-nullable: true installed_as_dependency: readOnly: true title: Installed as dependency type: boolean x-nullable: true installed_for: minLength: 1 readOnly: true title: Installed for type: string x-nullable: true last_seen: format: date-time readOnly: true title: Last seen type: string source_package_name: minLength: 1 readOnly: true title: Source package name type: string x-nullable: true source_package_version: minLength: 1 readOnly: true title: 
Source package version type: string x-nullable: true status: enum: - installed - uninstalled - updated readOnly: true title: Status type: string version: minLength: 1 readOnly: true title: Version type: string x-nullable: true version_array: items: maximum: 2147483647 minimum: -2147483648 title: Version array type: integer readOnly: true type: array x-nullable: true type: object AgentIsolation: properties: policy_not_allowed: items: $ref: '#/definitions/MinimalAgentInfo' type: array requested: items: $ref: '#/definitions/MinimalAgentInfo' type: array unrequested: items: $ref: '#/definitions/MinimalAgentInfo' type: array unsupported: items: $ref: '#/definitions/MinimalAgentInfo' type: array required: - requested - unrequested type: object AgentJobInstance: properties: creationtime: format: date-time title: Creationtime type: string job_instance_id: minLength: 1 title: Job instance id type: string required: - creationtime - job_instance_id type: object AgentJobInstanceStatus: properties: action: enum: - IOCScan - agentDiagnostic - agentMinidump - avScan - collectRAWEvidences - deleteScheduledTask - deleteService - downloadDirectory - downloadFile - filepathDeleter - getHives - getLoadedDriverList - getNetworkShare - getPipeList - getPrefetch - getProcessList - getQFE - getRawWMI - getScheduledTasks - getSessions - getStartupFileList - getWMI - knownProcessFinderKiller - listDirectory - memoryDumper - networkDiscovery - networkSniffer - parseFilesystem - persistanceScanner - processDumper - profileMemory - quarantineAcquireFile - quarantineAdd - quarantineDelete - quarantineRestore - registryOperation - searchProcessDumper - wildcardProcessFinderKiller - yaraScan title: Action type: string id: minLength: 1 title: Id type: string status: enum: - canceled - done - error - injecting - request_cancel - running - waiting - waiting_injection - writing title: Status type: string task_id: title: Task id type: integer required: - action - id - status - task_id type: object 
AgentLog: properties: '@event_create_date': format: date-time title: '@event create date' type: string '@timestamp': format: date-time title: '@timestamp' type: string action: minLength: 1 title: Action type: string agent_id: format: uuid title: Agent id type: string date: format: date-time title: Date type: string hostname: minLength: 1 title: Hostname type: string id: minLength: 1 title: Id type: string job_id: minLength: 1 title: Job id type: string job_instance_id: minLength: 1 title: Job instance id type: string level: minLength: 1 title: Level type: string log_type: minLength: 1 title: Log type type: string message: minLength: 1 title: Message type: string tenant: minLength: 1 title: Tenant type: string x-nullable: true worker: title: Worker type: boolean required: - id - log_type type: object AgentLogFile: properties: contents: minLength: 1 title: Contents type: string creation_date: format: date-time title: Creation date type: string x-nullable: true download_date: format: date-time title: Download date type: string id: readOnly: true title: ID type: integer modification_date: format: date-time title: Modification date type: string x-nullable: true size: maximum: 9223372036854775807 minimum: 0 title: Size type: integer required: - contents - download_date - size type: object AgentLogFileQuery: properties: file_kind: description: |- Which file to operate on: * 0: self-upgrade.log * 1: setupapi.app.log enum: - 0 - 1 title: File kind type: integer required: - file_kind type: object AgentNetInterface: properties: addresses_ipv4: items: minLength: 1 type: string readOnly: true type: array addresses_ipv6: items: minLength: 1 type: string readOnly: true type: array guid: readOnly: true title: Guid type: string x-nullable: true hardware_address: readOnly: true title: Hardware address type: string x-nullable: true id: format: uuid readOnly: true title: Id type: string is_favorite_interface: readOnly: true title: Is favorite interface type: boolean name: minLength: 1 
readOnly: true title: Name type: string oui_vendor: readOnly: true title: Oui vendor type: string x-nullable: true type: object AgentOrGroupListSimple: properties: agent_ids: default: [] items: format: uuid type: string type: array all: default: false title: All type: boolean group_ids: default: [] items: minLength: 1 type: string type: array type: object AgentOsData: properties: label: minLength: 1 title: Label type: string value: title: Value type: integer required: - label - value type: object AgentOsStat: properties: osproducttype: items: $ref: '#/definitions/AgentOsData' type: array producttype: items: $ref: '#/definitions/AgentOsData' type: array required: - osproducttype - producttype type: object AgentPassword: properties: creation_date: format: date-time readOnly: true title: Creation date type: string enabled: title: Enabled type: boolean id: readOnly: true title: ID type: integer last_auth_date: format: date-time readOnly: true title: Last auth date type: string x-nullable: true password: minLength: 6 title: Password type: string preferred: title: Preferred type: boolean x-nullable: true total_auth: readOnly: true title: Total auth type: integer required: - password type: object AgentPasswordUpdate: properties: creation_date: format: date-time readOnly: true title: Creation date type: string enabled: title: Enabled type: boolean id: readOnly: true title: ID type: integer last_auth_date: format: date-time readOnly: true title: Last auth date type: string x-nullable: true password: minLength: 6 title: Password type: string preferred: title: Preferred type: boolean total_auth: readOnly: true title: Total auth type: integer required: - password type: object AgentPoliciesStat: properties: binary_download_enabled: title: Binary download enabled type: integer count: title: Count type: integer driver_enabled: title: Driver enabled type: integer driver_policy: title: Driver policy type: integer feature_callback_tampering: title: Feature callback tampering type: 
integer hlai_alert_and_block: title: Hlai alert and block type: integer hlai_alert_only: title: Hlai alert only type: integer hlai_off: title: Hlai off type: integer hlai_scan_libraries: title: Hlai scan libraries type: integer hlai_skip_signed_ms: title: Hlai skip signed ms type: integer hlai_skip_signed_others: title: Hlai skip signed others type: integer hlai_written_executable: title: Hlai written executable type: integer isolation_policy: title: Isolation policy type: integer isolation_state: title: Isolation state type: integer library_download_enabled: title: Library download enabled type: integer linux_self_protection: title: Linux self protection type: integer linux_use_isolation: title: Linux use isolation type: integer loglevel: $ref: '#/definitions/LogLevelStat' macos_use_isolation: title: Macos use isolation type: integer ransomguard_alert_and_block: title: Ransomguard alert and block type: integer ransomguard_alert_only: title: Ransomguard alert only type: integer ransomguard_off: title: Ransomguard off type: integer self_protection: title: Self protection type: integer sigma_alert_and_block: title: Sigma alert and block type: integer sigma_alert_only: title: Sigma alert only type: integer sigma_off: title: Sigma off type: integer telemetry_alerts_limit: title: Telemetry alerts limit type: integer telemetry_amsi_scan: title: Telemetry amsi scan type: integer telemetry_amsi_scan_limit: title: Telemetry amsi scan limit type: integer telemetry_authentication: title: Telemetry authentication type: integer telemetry_authentication_limit: title: Telemetry authentication limit type: integer telemetry_dns_resolution: title: Telemetry dns resolution type: integer telemetry_dns_resolution_limit: title: Telemetry dns resolution limit type: integer telemetry_driverload: title: Telemetry driverload type: integer telemetry_driverload_limit: title: Telemetry driverload limit type: integer telemetry_file: title: Telemetry file type: integer 
telemetry_file_download_limit: title: Telemetry file download limit type: integer telemetry_file_limit: title: Telemetry file limit type: integer telemetry_library_load: title: Telemetry library load type: integer telemetry_library_load_limit: title: Telemetry library load limit type: integer telemetry_log: title: Telemetry log type: integer telemetry_log_limit: title: Telemetry log limit type: integer telemetry_named_pipe: title: Telemetry named pipe type: integer telemetry_named_pipe_limit: title: Telemetry named pipe limit type: integer telemetry_network: title: Telemetry network type: integer telemetry_network_limit: title: Telemetry network limit type: integer telemetry_network_listen: title: Telemetry network listen type: integer telemetry_network_listen_limit: title: Telemetry network listen limit type: integer telemetry_powershell: title: Telemetry powershell type: integer telemetry_powershell_limit: title: Telemetry powershell limit type: integer telemetry_process: title: Telemetry process type: integer telemetry_process_access: title: Telemetry process access type: integer telemetry_process_access_limit: title: Telemetry process access limit type: integer telemetry_process_limit: title: Telemetry process limit type: integer telemetry_process_tamper: title: Telemetry process tamper type: integer telemetry_process_tamper_limit: title: Telemetry process tamper limit type: integer telemetry_raw_device_access: title: Telemetry raw device access type: integer telemetry_raw_device_access_limit: title: Telemetry raw device access limit type: integer telemetry_raw_socket_creation: title: Telemetry raw socket creation type: integer telemetry_raw_socket_creation_limit: title: Telemetry raw socket creation limit type: integer telemetry_registry: title: Telemetry registry type: integer telemetry_registry_limit: title: Telemetry registry limit type: integer telemetry_remotethread: title: Telemetry remotethread type: integer telemetry_remotethread_limit: title: 
Telemetry remotethread limit type: integer telemetry_scheduled_tasks: title: Telemetry scheduled tasks type: integer telemetry_scheduled_tasks_limit: title: Telemetry scheduled tasks limit type: integer telemetry_service: title: Telemetry service type: integer telemetry_service_limit: title: Telemetry service limit type: integer telemetry_url_request: title: Telemetry url request type: integer telemetry_url_request_limit: title: Telemetry url request limit type: integer telemetry_usb_activity: title: Telemetry usb activity type: integer telemetry_usb_activity_limit: title: Telemetry usb activity limit type: integer telemetry_user_group: title: Telemetry user group type: integer telemetry_user_group_limit: title: Telemetry user group limit type: integer telemetry_wmi_event: title: Telemetry wmi event type: integer telemetry_wmi_event_limit: title: Telemetry wmi event limit type: integer thread_download_enabled: title: Thread download enabled type: integer use_isolation: title: Use isolation type: integer windows_self_protection: title: Windows self protection type: integer windows_use_isolation: title: Windows use isolation type: integer required: - binary_download_enabled - count - driver_enabled - driver_policy - feature_callback_tampering - hlai_alert_and_block - hlai_alert_only - hlai_off - hlai_scan_libraries - hlai_skip_signed_ms - hlai_skip_signed_others - hlai_written_executable - isolation_policy - isolation_state - library_download_enabled - linux_self_protection - linux_use_isolation - loglevel - macos_use_isolation - ransomguard_alert_and_block - ransomguard_alert_only - ransomguard_off - self_protection - sigma_alert_and_block - sigma_alert_only - sigma_off - telemetry_alerts_limit - telemetry_amsi_scan - telemetry_amsi_scan_limit - telemetry_authentication - telemetry_authentication_limit - telemetry_dns_resolution - telemetry_dns_resolution_limit - telemetry_driverload - telemetry_driverload_limit - telemetry_file - telemetry_file_download_limit - 
telemetry_file_limit - telemetry_library_load - telemetry_library_load_limit - telemetry_log - telemetry_log_limit - telemetry_named_pipe - telemetry_named_pipe_limit - telemetry_network - telemetry_network_limit - telemetry_network_listen - telemetry_network_listen_limit - telemetry_powershell - telemetry_powershell_limit - telemetry_process - telemetry_process_access - telemetry_process_access_limit - telemetry_process_limit - telemetry_process_tamper - telemetry_process_tamper_limit - telemetry_raw_device_access - telemetry_raw_device_access_limit - telemetry_raw_socket_creation - telemetry_raw_socket_creation_limit - telemetry_registry - telemetry_registry_limit - telemetry_remotethread - telemetry_remotethread_limit - telemetry_scheduled_tasks - telemetry_scheduled_tasks_limit - telemetry_service - telemetry_service_limit - telemetry_url_request - telemetry_url_request_limit - telemetry_usb_activity - telemetry_usb_activity_limit - telemetry_user_group - telemetry_user_group_limit - telemetry_wmi_event - telemetry_wmi_event_limit - thread_download_enabled - use_isolation - windows_self_protection - windows_use_isolation type: object AgentPolicyIdAndName: properties: agent_policy_id: format: uuid title: Agent policy id type: string agent_policy_name: minLength: 1 title: Agent policy name type: string required: - agent_policy_id - agent_policy_name type: object AgentResource: properties: agent_id: minLength: 1 title: Agent id type: string av_cpu: description: CPU average for this minute for the AV process title: Av cpu type: number av_memory: description: RAM usage (in bytes) for the AV process title: Av memory type: integer cpu: description: CPU average for this minute title: Cpu type: number date: description: Date for which the resources were taken format: date-time title: Date type: string date_received: format: date-time title: Date received type: string id: minLength: 1 title: Id type: string job: description: Was a job running during this minute title: 
Job type: boolean memory: description: Memory taken by the agent (in bytes) title: Memory type: integer system_cpu: description: System wide CPU average for this minute title: System cpu type: number system_memory: description: System wide RAM usage (in bytes) title: System memory type: integer telemetry: description: |- Legacy value of the telemetry at this minute. Only has the low 64 bits. title: Telemetry type: integer telemetry_str: description: |- Value of the telemetry at this minute. Encoded as a numeric decimal string to allow for infinite precision. minLength: 1 title: Telemetry str type: string tenant: minLength: 1 title: Tenant type: string required: - agent_id - av_cpu - av_memory - cpu - date - date_received - id - job - memory - system_cpu - system_memory - telemetry - telemetry_str - tenant type: object AgentSelfProtectionPassword: properties: password: minLength: 1 title: Password type: string required: - password type: object AgentSelfProtectionPasswordQuery: properties: seqnum: title: Seqnum type: integer required: - seqnum type: object AgentVersion: properties: version: minLength: 1 title: Version type: string type: object AgentVulnerabilitiesAggregation: properties: domainname: minLength: 1 title: Domainname type: string x-nullable: true hostname: minLength: 1 title: Hostname type: string x-nullable: true id: format: uuid title: Id type: string lastseen: format: date-time title: Lastseen type: string x-nullable: true latest_vulnscan_date: format: date-time title: Latest vulnscan date type: string x-nullable: true nb_critical_level: title: Nb critical level type: integer nb_high_level: title: Nb high level type: integer nb_low_level: title: Nb low level type: integer nb_medium_level: title: Nb medium level type: integer nb_vulnerabilities: title: Nb vulnerabilities type: integer osproducttype: minLength: 1 title: Osproducttype type: string x-nullable: true ostype: minLength: 1 title: Ostype type: string x-nullable: true osversion: minLength: 1 
title: Osversion type: string x-nullable: true status: enum: - access_denied - idle - offline - online - unknown readOnly: true title: Status type: string version: minLength: 1 title: Version type: string x-nullable: true required: - nb_critical_level - nb_high_level - nb_low_level - nb_medium_level - nb_vulnerabilities type: object AgentVulnerabilitiesAggregationListing: properties: count: title: Count type: integer next: minLength: 1 title: Next type: string x-nullable: true previous: minLength: 1 title: Previous type: string x-nullable: true results: items: $ref: '#/definitions/AgentVulnerabilitiesAggregation' type: array required: - count - results type: object AgentVulnerabilitiesListing: properties: count: title: Count type: integer next: minLength: 1 title: Next type: string x-nullable: true previous: minLength: 1 title: Previous type: string x-nullable: true results: items: $ref: '#/definitions/AgentVulnerability' type: array required: - count - results type: object AgentVulnerability: properties: cvss_metric_base_score: title: Cvss metric base score type: number cvss_metric_exploitability_score: title: Cvss metric exploitability score type: number cvss_metric_impact_score: title: Cvss metric impact score type: number cvss_metric_severity: enum: - CRITICAL - HIGH - LOW - MEDIUM - NONE readOnly: true title: Cvss metric severity type: string cvss_metric_vector_string: minLength: 1 title: Cvss metric vector string type: string cvss_metric_version: minLength: 1 title: Cvss metric version type: string description: minLength: 1 title: Description type: string detection_date: format: date-time title: Detection date type: string hidden: title: Hidden type: boolean id: minLength: 1 title: Id type: string last_modified: format: date-time title: Last modified type: string published: format: date-time title: Published type: string source_identifier: minLength: 1 title: Source identifier type: string required: - cvss_metric_base_score - cvss_metric_exploitability_score 
- cvss_metric_impact_score - cvss_metric_vector_string - cvss_metric_version - description - detection_date - id - last_modified - published - source_identifier type: object AgentVulnerabilityPerReport: properties: cve_id: minLength: 1 title: Cve id type: string cvss_metric_base_score: title: Cvss metric base score type: number cvss_metric_severity: enum: - CRITICAL - HIGH - LOW - MEDIUM - NONE readOnly: true title: Cvss metric severity type: string report_id: format: uuid title: Report id type: string report_name: minLength: 1 title: Report name type: string required: - cve_id - cvss_metric_base_score - report_id - report_name type: object AgentVulnerabilityPerReportListing: properties: count: title: Count type: integer next: minLength: 1 title: Next type: string x-nullable: true previous: minLength: 1 title: Previous type: string x-nullable: true results: items: $ref: '#/definitions/AgentVulnerabilityPerReport' type: array required: - count - results type: object AgentWindowsLocalGroup: properties: child_groups: items: $ref: '#/definitions/SimpleWindowsGroup' readOnly: true type: array x-nullable: true comment: minLength: 1 readOnly: true title: Comment type: string x-nullable: true creation_date: format: date-time readOnly: true title: Creation date type: string domain: minLength: 1 readOnly: true title: Domain type: string x-nullable: true id: minLength: 1 readOnly: true title: Id type: string kind: enum: - domain_local_group - global_group - local_group - well_known_group readOnly: true title: Kind type: string last_update: format: date-time readOnly: true title: Last update type: string local_users: items: $ref: '#/definitions/AgentWindowsSimpleLocalUser' readOnly: true type: array name: minLength: 1 readOnly: true title: Name type: string parent_group: $ref: '#/definitions/SimpleWindowsGroup' remote_users: items: $ref: '#/definitions/WindowsRemoteUser' readOnly: true type: array sid: minLength: 1 readOnly: true title: Sid type: string x-nullable: true 
user_count: readOnly: true title: User count type: integer type: object AgentWindowsLocalUser: properties: account_disabled: readOnly: true title: Account disabled type: boolean bad_password_count: maximum: 2147483647 minimum: -2147483648 readOnly: true title: Bad password count type: integer comment: minLength: 1 readOnly: true title: Comment type: string x-nullable: true creation_date: format: date-time readOnly: true title: Creation date type: string flags: maximum: 2147483647 minimum: -2147483648 readOnly: true title: Flags type: integer x-nullable: true full_name: minLength: 1 readOnly: true title: Full name type: string x-nullable: true groups: items: $ref: '#/definitions/WindowsSimpleLocalGroup' readOnly: true type: array id: minLength: 1 readOnly: true title: Id type: string last_logon: format: date-time readOnly: true title: Last logon type: string x-nullable: true last_update: format: date-time readOnly: true title: Last update type: string name: minLength: 1 readOnly: true title: Name type: string x-nullable: true num_logons: maximum: 2147483647 minimum: -2147483648 readOnly: true title: Num logons type: integer password_doesnt_expire: readOnly: true title: Password doesnt expire type: boolean password_expired: readOnly: true title: Password expired type: boolean password_last_set: format: date-time readOnly: true title: Password last set type: string x-nullable: true privilege_level: enum: - 0 - 1 - 2 readOnly: true title: Privilege level type: integer rid: maximum: 2147483647 minimum: -2147483648 readOnly: true title: Rid type: integer x-nullable: true sid: minLength: 1 readOnly: true title: Sid type: string x-nullable: true type: object AgentWindowsQfe: properties: caption: minLength: 1 readOnly: true title: Caption type: string x-nullable: true description: minLength: 1 readOnly: true title: Description type: string x-nullable: true hot_fix_id: minLength: 1 readOnly: true title: Hot fix id type: string id: format: uuid readOnly: true title: Id type: 
string installed_by: minLength: 1 readOnly: true title: Installed by type: string x-nullable: true installed_on: format: date-time readOnly: true title: Installed on type: string x-nullable: true type: object AgentWindowsSimpleLocalUser: properties: account_disabled: readOnly: true title: Account disabled type: boolean bad_password_count: maximum: 2147483647 minimum: -2147483648 readOnly: true title: Bad password count type: integer comment: minLength: 1 readOnly: true title: Comment type: string x-nullable: true creation_date: format: date-time readOnly: true title: Creation date type: string flags: maximum: 2147483647 minimum: -2147483648 readOnly: true title: Flags type: integer x-nullable: true full_name: minLength: 1 readOnly: true title: Full name type: string x-nullable: true id: minLength: 1 readOnly: true title: Id type: string last_logon: format: date-time readOnly: true title: Last logon type: string x-nullable: true last_update: format: date-time readOnly: true title: Last update type: string name: minLength: 1 readOnly: true title: Name type: string x-nullable: true num_logons: maximum: 2147483647 minimum: -2147483648 readOnly: true title: Num logons type: integer password_doesnt_expire: readOnly: true title: Password doesnt expire type: boolean password_expired: readOnly: true title: Password expired type: boolean password_last_set: format: date-time readOnly: true title: Password last set type: string x-nullable: true privilege_level: enum: - 0 - 1 - 2 readOnly: true title: Privilege level type: integer rid: maximum: 2147483647 minimum: -2147483648 readOnly: true title: Rid type: integer x-nullable: true sid: minLength: 1 readOnly: true title: Sid type: string x-nullable: true type: object AgentsAffectedByVuln: properties: detection_date: format: date-time title: Detection date type: string domainname: minLength: 1 title: Domainname type: string x-nullable: true groups: items: type: string type: array uniqueItems: true hostname: minLength: 1 title: 
Hostname type: string x-nullable: true id: format: uuid title: Id type: string lastseen: format: date-time title: Lastseen type: string x-nullable: true latest_vulnscan_date: format: date-time title: Latest vulnscan date type: string x-nullable: true osproducttype: minLength: 1 title: Osproducttype type: string x-nullable: true ostype: minLength: 1 title: Ostype type: string x-nullable: true osversion: minLength: 1 title: Osversion type: string x-nullable: true status: enum: - access_denied - idle - offline - online - unknown readOnly: true title: Status type: string version: minLength: 1 title: Version type: string x-nullable: true required: - detection_date - groups type: object AgentsAffectedByVulnListing: properties: count: title: Count type: integer next: minLength: 1 title: Next type: string x-nullable: true previous: minLength: 1 title: Previous type: string x-nullable: true results: items: $ref: '#/definitions/AgentsAffectedByVuln' type: array required: - count - results type: object AggFIMFileModificationByAgent: properties: agent: $ref: '#/definitions/MinimalAgentInfoWithOS' highest_criticality: enum: - critical - high - low - medium readOnly: true title: Highest criticality type: string modifications_accepted_count: readOnly: true title: Modifications accepted count type: integer modifications_count: readOnly: true title: Modifications count type: integer modifications_not_reviewed_count: readOnly: true title: Modifications not reviewed count type: integer modifications_rejected_count: readOnly: true title: Modifications rejected count type: integer report_date: format: date-time readOnly: true title: Report date type: string result: enum: - changes detected - no changes detected readOnly: true title: Result type: string type: object AggFIMFileModificationByPath: properties: agg_key: minLength: 1 readOnly: true title: Agg key type: string current_entry_type: enum: - directory - file readOnly: true title: Current entry type type: string endpoints_count: 
readOnly: true title: Endpoints count type: integer fim_policy: $ref: '#/definitions/MinimalFIMPolicy' highest_criticality: enum: - critical - high - low - medium readOnly: true title: Highest criticality type: string modifications_accepted_count: readOnly: true title: Modifications accepted count type: integer modifications_count: readOnly: true title: Modifications count type: integer modifications_not_reviewed_count: readOnly: true title: Modifications not reviewed count type: integer modifications_rejected_count: readOnly: true title: Modifications rejected count type: integer path: minLength: 1 readOnly: true title: Path type: string type: enum: - content - creation - deletion - error - initialization - metadata - metadata and content - type change readOnly: true title: Type type: string type: object AggregationAlert: properties: '@event_create_date': format: date-time title: '@event create date' type: string '@timestamp': format: date-time title: '@timestamp' type: string agent_count: title: Agent count type: integer agents: items: $ref: '#/definitions/ReducedAgent' type: array alert_subtype: minLength: 1 title: Alert subtype type: string alert_type: enum: - cape - correlation - device_control - driver - glimps - hlai - hlaiscripts - hurukaiav - ioc - kernelguard - orion - ransom - selfprotection - sidewatch - sigma - vt - yara title: Alert type type: string av_detection_details: $ref: '#/definitions/AntivirusDetectionDetails' bpf: $ref: '#/definitions/ECSBpf' byovd_detection_details: $ref: '#/definitions/ByovdDetectionDetails' comm_port_tamper: $ref: '#/definitions/CommPortTamper' confidence: minLength: 1 title: Confidence type: string confidence_int: title: Confidence int type: integer count: title: Count type: integer date_closed: format: date-time title: Date closed type: string date_deisolated: format: date-time title: Date deisolated type: string date_false_positive: format: date-time title: Date false positive type: string date_investigating: format: 
date-time title: Date investigating type: string date_isolated: format: date-time title: Date isolated type: string date_new: format: date-time title: Date new type: string destination: $ref: '#/definitions/ECSDestination' details_amsi_scan: $ref: '#/definitions/DetailAmsiScan' details_connection: $ref: '#/definitions/DetailConnection' details_dns_resolution: $ref: '#/definitions/DetailDnsResolution' details_file: $ref: '#/definitions/DetailFile' details_library: $ref: '#/definitions/DetailLibrary' details_linux_filesystem_event: $ref: '#/definitions/DetailLinuxFilesystemEvent' details_macos_filesystem_event: $ref: '#/definitions/DetailMacosFilesystemEvent' details_named_pipe_connected: $ref: '#/definitions/DetailNamedPipeConnected' details_named_pipe_created: $ref: '#/definitions/DetailNamedPipeCreated' details_network_listen: $ref: '#/definitions/DetailNetworkListen' details_powershell: $ref: '#/definitions/DetailPowershell' details_primary_token_change: $ref: '#/definitions/DetailPrimaryTokenChange' details_process_access: $ref: '#/definitions/DetailProcessAccess' details_process_tamper: $ref: '#/definitions/DetailProcessTamper' details_raw_device_access: $ref: '#/definitions/DetailRawDeviceAccess' details_raw_socket_creation: $ref: '#/definitions/DetailRawSocketCreation' details_registry: $ref: '#/definitions/DetailRegistry' details_remotethread: $ref: '#/definitions/DetailRemoteThread' details_url_request: $ref: '#/definitions/DetailUrlRequest' details_usb_device_event: $ref: '#/definitions/DetailsUsbDeviceEvent' details_windows_filesystem_event: $ref: '#/definitions/DetailWindowsFilesystemEvent' detection: $ref: '#/definitions/AlertDetection' detection_origin: minLength: 1 title: Detection origin type: string driverload: $ref: '#/definitions/InnerDriverLoad' dse_tamper: $ref: '#/definitions/DseTamper' etw_ti_ke_insert_queue_apc: $ref: '#/definitions/ECSEtwTiKeInsertQueueApc' etw_ti_nt_allocate_virtual_memory: $ref: 
'#/definitions/ECSEtwTiNtAllocateVirtualMemory' etw_ti_nt_map_view_of_section: $ref: '#/definitions/ECSEtwTiNtMapViewOfSection' etw_ti_nt_protect_virtual_memory: $ref: '#/definitions/ECSEtwTiNtProtectVirtualMemory' etw_ti_nt_read_virtual_memory: $ref: '#/definitions/ECSEtwTiNtReadWriteVirtualMemory' etw_ti_nt_set_context_thread: $ref: '#/definitions/ECSEtwTiNtSetContextThread' etw_ti_nt_write_virtual_memory: $ref: '#/definitions/ECSEtwTiNtReadWriteVirtualMemory' event: $ref: '#/definitions/ECSEvent' event_session: $ref: '#/definitions/SessionInfo' eventlog: $ref: '#/definitions/InnerEventLog' execution: title: Execution type: integer firewall_self_protection: $ref: '#/definitions/FirewallSelfProtection' first_seen: format: date-time title: First seen type: string group_event: $ref: '#/definitions/InnerGroupEvent' groups: $ref: '#/definitions/InnerGroup' hlai_binaries_benchmark_data: $ref: '#/definitions/HlaiBinariesBenchmarkData' hlai_scripts_benchmark_data: $ref: '#/definitions/HlaiScriptsBenchmarkData' id: minLength: 1 title: Id type: string image_name: minLength: 1 title: Image name type: string job_id: minLength: 1 title: Job id type: string kernel_callback: $ref: '#/definitions/KernelCallback' last_modifier_id: title: Last modifier id type: integer last_seen: format: date-time title: Last seen type: string last_status_update_is_automatic: title: Last status update is automatic type: boolean last_update: format: date-time title: Last update type: string level: minLength: 1 title: Level type: string level_int: title: Level int type: integer mitre_cells: items: minLength: 1 type: string type: array msg: minLength: 1 title: Msg type: string network: $ref: '#/definitions/InnerNetwork' origin_stack: $ref: '#/definitions/OriginStack' process: $ref: '#/definitions/InnerProcess' process_duplicate_handle: $ref: '#/definitions/ECSProcessDuplicateHandle' process_ptrace: $ref: '#/definitions/ECSProcessPtrace' process_session: $ref: '#/definitions/SessionInfo' quarantine: 
title: Quarantine type: integer quarantined_files: items: $ref: '#/definitions/QuarantinedFile' type: array ransomguard_canary_data: $ref: '#/definitions/RansomguardCanaryData' ransomguard_detection_type: minLength: 1 title: Ransomguard detection type type: string ransomguard_heuristic_data: $ref: '#/definitions/RansomguardHeuristicData' references: items: minLength: 1 type: string type: array rule_content: minLength: 1 title: Rule content type: string rule_id: minLength: 1 title: Rule id type: string rule_name: minLength: 1 title: Rule name type: string scheduled_task: $ref: '#/definitions/ECSScheduledTask' sidewatch_detection_details: $ref: '#/definitions/SidewatchDetectionDetails' source: $ref: '#/definitions/ECSSource' stack_trace: $ref: '#/definitions/ECSStackTrace' status: minLength: 1 title: Status type: string status_history: items: $ref: '#/definitions/AlertStatusHistory' type: array tags: items: minLength: 1 type: string type: array target: $ref: '#/definitions/ECSTarget' tenant: minLength: 1 title: Tenant type: string thread: $ref: '#/definitions/InnerInjectedThread' unique_endpoint: title: Unique endpoint type: integer user: $ref: '#/definitions/ECSUser' user_event: $ref: '#/definitions/InnerUserEvent' win32k_get_async_key_state: $ref: '#/definitions/ECSWin32kGetAsyncKeyState' win32k_register_raw_input_devices: $ref: '#/definitions/ECSWin32kRegisterRawInputDevices' win32k_set_windows_hook_ex: $ref: '#/definitions/ECSWin32kSetWindowsHookEx' windows_service: $ref: '#/definitions/ECSWindowsService' wmi_event: $ref: '#/definitions/WmiEvent' required: - '@event_create_date' - '@timestamp' - agent_count - agents - alert_subtype - alert_type - bpf - confidence - confidence_int - count - date_closed - date_deisolated - date_false_positive - date_investigating - date_isolated - date_new - destination - detection - detection_origin - etw_ti_ke_insert_queue_apc - etw_ti_nt_allocate_virtual_memory - etw_ti_nt_map_view_of_section - etw_ti_nt_protect_virtual_memory - 
etw_ti_nt_read_virtual_memory - etw_ti_nt_set_context_thread - etw_ti_nt_write_virtual_memory - event - execution - first_seen - group_event - id - image_name - job_id - last_modifier_id - last_seen - last_status_update_is_automatic - last_update - level - level_int - mitre_cells - msg - process_duplicate_handle - process_ptrace - quarantine - ransomguard_detection_type - references - rule_content - rule_id - rule_name - scheduled_task - source - stack_trace - status - tags - target - tenant - unique_endpoint - user - user_event - win32k_get_async_key_state - win32k_register_raw_input_devices - win32k_set_windows_hook_ex - windows_service type: object AggregationAlertDetail: properties: alert: $ref: '#/definitions/AggregationAlert' binary_available: title: Binary available type: boolean current_rules_data: items: additionalProperties: type: string x-nullable: true type: object type: array process_unique_id: minLength: 1 title: Process unique id type: string sigma_raw_rule: $ref: '#/definitions/SigmaRule' yara_raw_rule: $ref: '#/definitions/YaraFile' required: - alert - binary_available type: object Alert: properties: '@event_create_date': format: date-time title: '@event create date' type: string '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/IndexedInnerAgent' aggregation_key: minLength: 1 title: Aggregation key type: string alert_subtype: minLength: 1 title: Alert subtype type: string alert_time: format: date-time title: Alert time type: string alert_type: enum: - cape - correlation - device_control - driver - glimps - hlai - hlaiscripts - hurukaiav - ioc - kernelguard - orion - ransom - selfprotection - sidewatch - sigma - vt - yara title: Alert type type: string alert_unique_id: minLength: 1 title: Alert unique id type: string av_detection_details: $ref: '#/definitions/AntivirusDetectionDetails' bpf: $ref: '#/definitions/ECSBpf' byovd_detection_details: $ref: '#/definitions/ByovdDetectionDetails' comm_port_tamper: 
$ref: '#/definitions/CommPortTamper' confidence: minLength: 1 title: Confidence type: string confidence_int: title: Confidence int type: integer correlation: $ref: '#/definitions/CorrelationInfo' date_closed: format: date-time title: Date closed type: string date_deisolated: format: date-time title: Date deisolated type: string date_false_positive: format: date-time title: Date false positive type: string date_investigating: format: date-time title: Date investigating type: string date_isolated: format: date-time title: Date isolated type: string date_new: format: date-time title: Date new type: string destination: $ref: '#/definitions/ECSDestination' details_amsi_scan: $ref: '#/definitions/DetailAmsiScan' details_connection: $ref: '#/definitions/DetailConnection' details_dns_resolution: $ref: '#/definitions/DetailDnsResolution' details_file: $ref: '#/definitions/DetailFile' details_library: $ref: '#/definitions/DetailLibrary' details_linux_filesystem_event: $ref: '#/definitions/DetailLinuxFilesystemEvent' details_macos_filesystem_event: $ref: '#/definitions/DetailMacosFilesystemEvent' details_named_pipe_connected: $ref: '#/definitions/DetailNamedPipeConnected' details_named_pipe_created: $ref: '#/definitions/DetailNamedPipeCreated' details_network_listen: $ref: '#/definitions/DetailNetworkListen' details_powershell: $ref: '#/definitions/DetailPowershell' details_primary_token_change: $ref: '#/definitions/DetailPrimaryTokenChange' details_process_access: $ref: '#/definitions/DetailProcessAccess' details_process_tamper: $ref: '#/definitions/DetailProcessTamper' details_raw_device_access: $ref: '#/definitions/DetailRawDeviceAccess' details_raw_socket_creation: $ref: '#/definitions/DetailRawSocketCreation' details_registry: $ref: '#/definitions/DetailRegistry' details_remotethread: $ref: '#/definitions/DetailRemoteThread' details_url_request: $ref: '#/definitions/DetailUrlRequest' details_usb_device_event: $ref: '#/definitions/DetailsUsbDeviceEvent' 
details_windows_filesystem_event: $ref: '#/definitions/DetailWindowsFilesystemEvent' detection: $ref: '#/definitions/AlertDetection' detection_date: format: date-time title: Detection date type: string detection_origin: minLength: 1 title: Detection origin type: string detection_timestamp: description: date of the alert creation, reported by the agent. format: date-time title: Detection timestamp type: string driverload: $ref: '#/definitions/InnerDriverLoad' dse_tamper: $ref: '#/definitions/DseTamper' etw_ti_ke_insert_queue_apc: $ref: '#/definitions/ECSEtwTiKeInsertQueueApc' etw_ti_nt_allocate_virtual_memory: $ref: '#/definitions/ECSEtwTiNtAllocateVirtualMemory' etw_ti_nt_map_view_of_section: $ref: '#/definitions/ECSEtwTiNtMapViewOfSection' etw_ti_nt_protect_virtual_memory: $ref: '#/definitions/ECSEtwTiNtProtectVirtualMemory' etw_ti_nt_read_virtual_memory: $ref: '#/definitions/ECSEtwTiNtReadWriteVirtualMemory' etw_ti_nt_set_context_thread: $ref: '#/definitions/ECSEtwTiNtSetContextThread' etw_ti_nt_write_virtual_memory: $ref: '#/definitions/ECSEtwTiNtReadWriteVirtualMemory' event: $ref: '#/definitions/ECSEvent' event_session: $ref: '#/definitions/SessionInfo' eventlog: $ref: '#/definitions/InnerEventLog' execution: title: Execution type: integer firewall_self_protection: $ref: '#/definitions/FirewallSelfProtection' group_event: $ref: '#/definitions/InnerGroupEvent' groups: $ref: '#/definitions/InnerGroup' hlai_binaries_benchmark_data: $ref: '#/definitions/HlaiBinariesBenchmarkData' hlai_scripts_benchmark_data: $ref: '#/definitions/HlaiScriptsBenchmarkData' id: minLength: 1 title: Id type: string image_name: minLength: 1 title: Image name type: string ingestion_date: format: date-time title: Ingestion date type: string job_id: minLength: 1 title: Job id type: string kernel_callback: $ref: '#/definitions/KernelCallback' last_modifier_id: title: Last modifier id type: integer last_seen: format: date-time title: Last seen type: string last_status_update_is_automatic: 
title: Last status update is automatic type: boolean last_update: format: date-time title: Last update type: string level: minLength: 1 title: Level type: string level_int: title: Level int type: integer log_type: minLength: 1 title: Log type type: string maturity: minLength: 1 title: Maturity type: string missing_related_process: title: Missing related process type: boolean mitre_cells: items: minLength: 1 type: string type: array msg: minLength: 1 title: Msg type: string network: $ref: '#/definitions/InnerNetwork' origin_stack: $ref: '#/definitions/OriginStack' process: $ref: '#/definitions/InnerProcess' process_duplicate_handle: $ref: '#/definitions/ECSProcessDuplicateHandle' process_ptrace: $ref: '#/definitions/ECSProcessPtrace' process_session: $ref: '#/definitions/SessionInfo' quarantine: title: Quarantine type: integer quarantined_files: items: $ref: '#/definitions/QuarantinedFile' type: array ransomguard_canary_data: $ref: '#/definitions/RansomguardCanaryData' ransomguard_detection_type: minLength: 1 title: Ransomguard detection type type: string ransomguard_heuristic_data: $ref: '#/definitions/RansomguardHeuristicData' references: items: minLength: 1 type: string type: array rule_content: minLength: 1 title: Rule content type: string rule_id: minLength: 1 title: Rule id type: string rule_name: minLength: 1 title: Rule name type: string scheduled_task: $ref: '#/definitions/ECSScheduledTask' score: title: Score type: number sidewatch_detection_details: $ref: '#/definitions/SidewatchDetectionDetails' source: $ref: '#/definitions/ECSSource' stack_trace: $ref: '#/definitions/ECSStackTrace' status: minLength: 1 title: Status type: string status_history: items: $ref: '#/definitions/AlertStatusHistory' type: array tags: items: minLength: 1 type: string type: array target: $ref: '#/definitions/ECSTarget' tenant: minLength: 1 title: Tenant type: string thread: $ref: '#/definitions/InnerInjectedThread' threat_key: minLength: 1 title: Threat key type: string 
threat_type: minLength: 1 title: Threat type type: string threat_values: items: minLength: 1 type: string type: array user: $ref: '#/definitions/ECSUser' user_event: $ref: '#/definitions/InnerUserEvent' username: minLength: 1 title: Username type: string whitelisted_by: items: $ref: '#/definitions/WhitelistedByData' type: array win32k_get_async_key_state: $ref: '#/definitions/ECSWin32kGetAsyncKeyState' win32k_register_raw_input_devices: $ref: '#/definitions/ECSWin32kRegisterRawInputDevices' win32k_set_windows_hook_ex: $ref: '#/definitions/ECSWin32kSetWindowsHookEx' windows_service: $ref: '#/definitions/ECSWindowsService' wmi_event: $ref: '#/definitions/WmiEvent' required: - '@event_create_date' - '@timestamp' - aggregation_key - alert_subtype - alert_time - alert_type - alert_unique_id - bpf - confidence - confidence_int - date_closed - date_deisolated - date_false_positive - date_investigating - date_isolated - date_new - destination - detection - detection_date - detection_origin - detection_timestamp - etw_ti_ke_insert_queue_apc - etw_ti_nt_allocate_virtual_memory - etw_ti_nt_map_view_of_section - etw_ti_nt_protect_virtual_memory - etw_ti_nt_read_virtual_memory - etw_ti_nt_set_context_thread - etw_ti_nt_write_virtual_memory - event - execution - group_event - id - image_name - ingestion_date - job_id - last_modifier_id - last_seen - last_status_update_is_automatic - last_update - level - level_int - log_type - maturity - missing_related_process - mitre_cells - msg - process_duplicate_handle - process_ptrace - quarantine - ransomguard_detection_type - references - rule_content - rule_id - rule_name - scheduled_task - score - source - stack_trace - status - tags - target - tenant - threat_key - threat_type - threat_values - user - user_event - username - win32k_get_async_key_state - win32k_register_raw_input_devices - win32k_set_windows_hook_ex - windows_service type: object AlertAggregateResponse: properties: analytics: $ref: '#/definitions/AnalyticObject' data: 
items: type: integer type: array labels: items: minLength: 1 type: string type: array matrix: items: minLength: 1 type: string type: array matrix_v2: items: $ref: '#/definitions/MatrixTactic' type: array required: - analytics - data - labels - matrix - matrix_v2 type: object AlertDetection: properties: file_hashes: $ref: '#/definitions/Hashes' file_path: minLength: 1 title: File path type: string required: - file_hashes - file_path type: object AlertField: properties: name: minLength: 1 title: Name type: string type: minLength: 1 title: Type type: string required: - name - type type: object AlertStatusHistory: properties: action: enum: - add_comment - closed - created - status_update - whitelist_applied - whitelist_unapplied title: Action type: string comment: minLength: 1 title: Comment type: string x-nullable: true from_status: enum: - closed - false_positive - investigating - new title: From status type: string x-nullable: true timestamp: format: date-time title: Timestamp type: string to_status: enum: - closed - false_positive - investigating - new title: To status type: string x-nullable: true username: minLength: 1 title: Username type: string x-nullable: true whitelist_id: minLength: 1 title: Whitelist id type: string x-nullable: true whitelist_revision: title: Whitelist revision type: integer x-nullable: true required: - action - timestamp type: object AlertStatusHistoryList: properties: count: title: Count type: integer results: items: $ref: '#/definitions/AlertStatusHistory' type: array required: - count - results type: object AlertType: properties: potential_malware: default: 0 title: Potential malware type: integer suspicious_behaviour: default: 0 title: Suspicious behaviour type: integer type: object AlertWithDynamicFields: properties: agent: $ref: '#/definitions/IndexedInnerAgentDynamicFields' agent_not_found: title: Agent not found type: boolean alert: $ref: '#/definitions/Alert' binary_available: title: Binary available type: boolean 
correlation_raw_rule: $ref: '#/definitions/CorrelationRule' current_rules_data: items: additionalProperties: type: string x-nullable: true type: object type: array process_unique_id: minLength: 1 title: Process unique id type: string sigma_raw_rule: $ref: '#/definitions/SigmaRule' yara_raw_rule: $ref: '#/definitions/YaraFile' required: - agent - agent_not_found - alert - binary_available type: object AllAction: properties: IOCScan: $ref: '#/definitions/IOCScan' agentDiagnostic: additionalProperties: type: string x-nullable: true title: Agentdiagnostic type: object agentMinidump: additionalProperties: type: string x-nullable: true title: Agentminidump type: object avScan: $ref: '#/definitions/AVScan' collectRAWEvidences: $ref: '#/definitions/CollectRawEvidences' deleteScheduledTask: items: $ref: '#/definitions/DeleteScheduledTask' type: array deleteService: items: $ref: '#/definitions/DeleteService' type: array downloadDirectory: items: $ref: '#/definitions/DownloadDirectory' type: array downloadFile: items: $ref: '#/definitions/DownloadFile' type: array filepathDeleter: items: $ref: '#/definitions/FilepathDeleter' type: array getHives: $ref: '#/definitions/GetHives' getLoadedDriverList: additionalProperties: type: string x-nullable: true title: Getloadeddriverlist type: object getNetworkShare: additionalProperties: type: string x-nullable: true title: Getnetworkshare type: object getPipeList: additionalProperties: type: string x-nullable: true title: Getpipelist type: object getPrefetch: additionalProperties: type: string x-nullable: true title: Getprefetch type: object getProcessList: $ref: '#/definitions/Processes' getQFE: additionalProperties: type: string x-nullable: true title: Getqfe type: object getRawWMI: additionalProperties: type: string x-nullable: true title: Getrawwmi type: object getScheduledTasks: additionalProperties: type: string x-nullable: true title: Getscheduledtasks type: object getSessions: additionalProperties: type: string x-nullable: true 
title: Getsessions type: object getStartupFileList: additionalProperties: type: string x-nullable: true title: Getstartupfilelist type: object getWMI: additionalProperties: type: string x-nullable: true title: Getwmi type: object knownProcessFinderKiller: items: $ref: '#/definitions/KnownProcessFinderKiller' type: array listDirectory: items: $ref: '#/definitions/ListDirectory' type: array memoryDumper: additionalProperties: type: string x-nullable: true title: Memorydumper type: object networkDiscovery: items: $ref: '#/definitions/NetworkDiscoveryParam' type: array networkSniffer: $ref: '#/definitions/NetworkSniffer' parseFilesystem: $ref: '#/definitions/ParseFileSystem' persistanceScanner: additionalProperties: type: string x-nullable: true title: Persistancescanner type: object processDumper: $ref: '#/definitions/DumpProcess' profileMemory: additionalProperties: type: string x-nullable: true title: Profilememory type: object quarantineAcquireFile: items: $ref: '#/definitions/AcquireQuarantineFile' type: array quarantineAdd: $ref: '#/definitions/AddToQuarantine' quarantineDelete: items: $ref: '#/definitions/DeleteFromQuarantine' type: array quarantineRestore: items: $ref: '#/definitions/RestoreFromQuarantine' type: array registryOperation: $ref: '#/definitions/RemediationRegops' searchProcessDumper: $ref: '#/definitions/SearchDumpProcess' wildcardProcessFinderKiller: $ref: '#/definitions/WildcardProcessFinderKiller' yaraScan: $ref: '#/definitions/YaraScan' type: object AllConfig: properties: agent_cleaning: $ref: '#/definitions/AgentCleaning' agent_passwords: items: $ref: '#/definitions/AgentPassword' type: array alerter_ioc: $ref: '#/definitions/IOCConfig' assemblyline: $ref: '#/definitions/GetAssemblyline' cape: $ref: '#/definitions/GetCape' collector: $ref: '#/definitions/Collector' connector_misp: $ref: '#/definitions/GetMisp' customization: $ref: '#/definitions/Customization' downloader: $ref: '#/definitions/Downloader' es_ilm_indices__policies: $ref: 
'#/definitions/ESILMIndicesPolicies' es_indices__replicas: $ref: '#/definitions/ESIndicesReplicas' export: $ref: '#/definitions/GetExport' export_elastic: $ref: '#/definitions/GetExportElastic' export_s3: $ref: '#/definitions/GetExportS3' export_secops: $ref: '#/definitions/GetExportSecops' export_splunk: $ref: '#/definitions/GetExportSplunk' glimps: $ref: '#/definitions/GetGlimps' hibou: $ref: '#/definitions/Hibou' irma: $ref: '#/definitions/GetIrma' ldap_auth: $ref: '#/definitions/GetLDAPAuth' mfa: $ref: '#/definitions/MFA' network_discovery: $ref: '#/definitions/NetWDiscovery' new_threat_aggregation: $ref: '#/definitions/NewThreatAggregation' orion: $ref: '#/definitions/GetOrion' password_security: $ref: '#/definitions/PasswordSecurity' proxy: $ref: '#/definitions/GetProxy' ransomguard: $ref: '#/definitions/Ransomguard' ransomguard_heuristic: $ref: '#/definitions/RansomguardHeuristic' remote_shell: $ref: '#/definitions/RemoteShell' security: $ref: '#/definitions/Security' sidewatch: $ref: '#/definitions/Sidewatch' thehive: $ref: '#/definitions/GetThehive' threat_intelligence: $ref: '#/definitions/ThreatIntelligence' threat_status_binding: $ref: '#/definitions/ThreatStatusBinding' virustotal: $ref: '#/definitions/GetVirusTotal' required: - agent_cleaning - alerter_ioc - assemblyline - cape - collector - connector_misp - customization - downloader - es_ilm_indices__policies - es_indices__replicas - export - glimps - hibou - irma - ldap_auth - mfa - network_discovery - new_threat_aggregation - orion - password_security - proxy - ransomguard - ransomguard_heuristic - remote_shell - security - sidewatch - thehive - threat_intelligence - threat_status_binding - virustotal type: object AllConfigSection: properties: active_directory: items: $ref: '#/definitions/ActiveDirectory' type: array x-nullable: true entra_id: items: $ref: '#/definitions/EntraId' type: array x-nullable: true network_discovery: $ref: '#/definitions/NetworkDiscoveryConfig' type: object 
AllConfigSectionDownload: properties: config: $ref: '#/definitions/AllConfigSection' version: minLength: 1 title: Version type: string required: - config type: object AmCache: properties: '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/DataAgent' amcache_type: minLength: 1 title: Amcache type type: string appxpackagefullname: minLength: 1 title: Appxpackagefullname type: string binarytype: minLength: 1 title: Binarytype type: string binfileversion: minLength: 1 title: Binfileversion type: string binproductversion: minLength: 1 title: Binproductversion type: string bundlemanifestpath: minLength: 1 title: Bundlemanifestpath type: string compiledate: format: date-time title: Compiledate type: string id: minLength: 1 title: Id type: string install_date: format: date-time title: Install date type: string installdatefromlinkfile: format: date-time title: Installdatefromlinkfile type: string installmethod: minLength: 1 title: Installmethod type: string item_status: title: Item status type: integer job_id: minLength: 1 title: Job id type: string job_instance_action: minLength: 1 title: Job instance action type: string job_instance_id: minLength: 1 title: Job instance id type: string job_instance_task_id: title: Job instance task id type: integer language: title: Language type: integer linkdate: format: date-time title: Linkdate type: string lowercaselongpath: minLength: 1 title: Lowercaselongpath type: string manifestpath: minLength: 1 title: Manifestpath type: string name: minLength: 1 title: Name type: string originalfilename: minLength: 1 title: Originalfilename type: string packagefullname: minLength: 1 title: Packagefullname type: string programid: minLength: 1 title: Programid type: string publisher: minLength: 1 title: Publisher type: string registrykeypath: minLength: 1 title: Registrykeypath type: string rootdirpath: minLength: 1 title: Rootdirpath type: string sha1: minLength: 1 title: Sha1 type: string size: title: 
Size type: integer tenant: minLength: 1 title: Tenant type: string type: minLength: 1 title: Type type: string uninstalldate: format: date-time title: Uninstalldate type: string uninstallstring: minLength: 1 title: Uninstallstring type: string version: minLength: 1 title: Version type: string required: - '@timestamp' - agent - amcache_type - appxpackagefullname - binarytype - binfileversion - binproductversion - bundlemanifestpath - compiledate - id - install_date - installdatefromlinkfile - installmethod - item_status - job_id - job_instance_action - job_instance_id - job_instance_task_id - language - linkdate - lowercaselongpath - manifestpath - name - originalfilename - packagefullname - programid - publisher - registrykeypath - rootdirpath - sha1 - size - tenant - type - uninstalldate - uninstallstring - version type: object AmsiScan: properties: '@event_create_date': format: date-time title: '@event create date' type: string '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/InnerAgent' app_name: minLength: 1 title: App name type: string application: enum: - dotnet - jscript - office_vba - other - powershell - vbscript - vss - wmi title: Application type: string content_name: minLength: 1 title: Content name type: string groups: $ref: '#/definitions/InnerGroup' id: minLength: 1 title: Id type: string log_type: minLength: 1 title: Log type type: string origin_stack: $ref: '#/definitions/OriginStack' pid: title: Pid type: integer process_image_path: minLength: 1 title: Process image path type: string process_unique_id: minLength: 1 title: Process unique id type: string tenant: minLength: 1 title: Tenant type: string text_payload: minLength: 1 title: Text payload type: string utc_time: format: date-time title: Utc time type: string required: - '@event_create_date' - '@timestamp' - agent - app_name - application - content_name - groups - id - log_type - pid - process_image_path - process_unique_id - tenant - text_payload - 
utc_time type: object AnalysisStatus: properties: analysis_status: enum: - 0 - 1 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - 255 readOnly: true title: Analysis status type: integer file_availability: enum: - 0 - 1 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - 255 readOnly: true title: File availability type: integer type: object AnalyticKeyObject: properties: rule_name: minLength: 1 title: Rule name type: string required: - rule_name type: object AnalyticObject: properties: doc_count: title: Doc count type: integer key: $ref: '#/definitions/AnalyticKeyObject' required: - doc_count - key type: object AntivirusDetectionDetails: properties: crc64: title: Crc64 type: integer file_size: title: File size type: integer file_type: minLength: 1 title: File type type: string hashes: $ref: '#/definitions/Hashes' ikarus_version: minLength: 1 title: Ikarus version type: string kind: minLength: 1 title: Kind type: string path: minLength: 1 title: Path type: string pe_info: $ref: '#/definitions/IndexedPEInfo' signature_id: title: Signature id type: integer signature_info: $ref: '#/definitions/SignatureInfo' signature_name: minLength: 1 title: Signature name type: string vdb_version: title: Vdb version type: integer required: - crc64 - file_size - file_type - hashes - ikarus_version - kind - path - pe_info - signature_id - signature_info - signature_name - vdb_version type: object AntivirusScan: properties: '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/DataAgent' detection_time: format: date-time title: Detection time type: string id: minLength: 1 title: Id type: string item_status: title: Item status type: integer job_id: minLength: 1 title: Job id type: string job_instance_action: minLength: 1 title: Job instance action type: string job_instance_id: minLength: 1 title: Job instance id type: string job_instance_task_id: title: Job instance task id type: integer name: minLength: 1 title: Name type: string path: minLength: 1 title: Path type: string 
remediation_success: title: Remediation success type: boolean tenant: minLength: 1 title: Tenant type: string threat_id: minLength: 1 title: Threat id type: string threat_status: title: Threat status type: integer required: - '@timestamp' - agent - detection_time - id - item_status - job_id - job_instance_action - job_instance_id - job_instance_task_id - name - path - remediation_success - tenant - threat_id - threat_status type: object AppCertDll: properties: '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/DataAgent' binaryinfo: $ref: '#/definitions/BinaryInfoWithPath' controlset: minLength: 1 title: Controlset type: string id: minLength: 1 title: Id type: string item_status: title: Item status type: integer job_id: minLength: 1 title: Job id type: string job_instance_action: minLength: 1 title: Job instance action type: string job_instance_id: minLength: 1 title: Job instance id type: string job_instance_task_id: title: Job instance task id type: integer name: minLength: 1 title: Name type: string path: minLength: 1 title: Path type: string tenant: minLength: 1 title: Tenant type: string timestamp: format: date-time title: Timestamp type: string required: - '@timestamp' - agent - binaryinfo - controlset - id - item_status - job_id - job_instance_action - job_instance_id - job_instance_task_id - name - path - tenant - timestamp type: object AppCompatInstalledSDB: properties: '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/DataAgent' app_install_timestamp: format: date-time title: App install timestamp type: string app_write_timestamp: format: date-time title: App write timestamp type: string appname: minLength: 1 title: Appname type: string database_description: minLength: 1 title: Database description type: string database_path: minLength: 1 title: Database path type: string database_type: minLength: 1 title: Database type type: string datatable_install_timestamp: minLength: 
1 title: Datatable install timestamp type: string guid: minLength: 1 title: Guid type: string id: minLength: 1 title: Id type: string installed_name: minLength: 1 title: Installed name type: string installed_write_timestamp: format: date-time title: Installed write timestamp type: string item_status: title: Item status type: integer job_id: minLength: 1 title: Job id type: string job_instance_action: minLength: 1 title: Job instance action type: string job_instance_id: minLength: 1 title: Job instance id type: string job_instance_task_id: title: Job instance task id type: integer md5: minLength: 1 title: Md5 type: string sha1: minLength: 1 title: Sha1 type: string sha256: minLength: 1 title: Sha256 type: string tenant: minLength: 1 title: Tenant type: string wow64: title: Wow64 type: boolean required: - '@timestamp' - agent - app_install_timestamp - app_write_timestamp - appname - database_description - database_path - database_type - datatable_install_timestamp - guid - id - installed_name - installed_write_timestamp - item_status - job_id - job_instance_action - job_instance_id - job_instance_task_id - md5 - sha1 - sha256 - tenant - wow64 type: object AppInitDll: properties: '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/DataAgent' binaryinfo: $ref: '#/definitions/BinaryInfoWithPath' id: minLength: 1 title: Id type: string item_status: title: Item status type: integer job_id: minLength: 1 title: Job id type: string job_instance_action: minLength: 1 title: Job instance action type: string job_instance_id: minLength: 1 title: Job instance id type: string job_instance_task_id: title: Job instance task id type: integer tenant: minLength: 1 title: Tenant type: string timestamp: format: date-time title: Timestamp type: string username: minLength: 1 title: Username type: string value: minLength: 1 title: Value type: string wow64: title: Wow64 type: boolean required: - '@timestamp' - agent - binaryinfo - id - item_status - 
job_id - job_instance_action - job_instance_id - job_instance_task_id - tenant - timestamp - username - value - wow64 type: object AppLocationCreate: properties: filter_args: minLength: 1 title: Filter args type: string x-nullable: true location_type: enum: - AGENT_DETAIL - AGENT_HOST_PROPERTIES_APPLICATION_DETAIL - AGENT_HOST_PROPERTIES_APPLICATION_LIST - AGENT_HOST_PROPERTIES_DISK_DETAIL - AGENT_HOST_PROPERTIES_DISK_LIST - AGENT_HOST_PROPERTIES_GROUP_DETAIL - AGENT_HOST_PROPERTIES_GROUP_LIST - AGENT_HOST_PROPERTIES_NETWORK_INTERFACE_DETAIL - AGENT_HOST_PROPERTIES_NETWORK_INTERFACE_LIST - AGENT_HOST_PROPERTIES_USER_DETAIL - AGENT_HOST_PROPERTIES_USER_LIST - AGENT_HOST_PROPERTIES_WINDOWS_UPDATE_DETAIL - AGENT_HOST_PROPERTIES_WINDOWS_UPDATE_LIST - AGENT_LIST - HOST_PROPERTIES_APPLICATION_LIST - HOST_PROPERTIES_LOCAL_GROUP_LIST - HOST_PROPERTIES_LOCAL_USER_LIST - HOST_PROPERTIES_SUBNETWORK_LIST - HOST_PROPERTIES_WINDOWS_UPDATE_LIST - POLICY_DETAIL - SECURITY_EVENT_LIST - SECURITY_EVENT_PROCESS_TREE - SECURITY_EVENT_RULE - SECURITY_EVENT_STATIC_ANALYSIS - SECURITY_EVENT_SUMMARY - SECURITY_EVENT_TIMELINE - TELEMETRY_AUTHENTICATION_LINUX_LIST - TELEMETRY_AUTHENTICATION_MACOS_LIST - TELEMETRY_AUTHENTICATION_WINDOWS_LIST - TELEMETRY_BINARY_LIST - TELEMETRY_DNS_RESOLUTION_LIST - TELEMETRY_DRIVER_LOAD_LIST - TELEMETRY_EVENT_LOG_LIST - TELEMETRY_FILE_DOWNLOAD_LIST - TELEMETRY_FILE_LIST - TELEMETRY_INJECTED_THREAD_LIST - TELEMETRY_LIBRARY_LOAD_LIST - TELEMETRY_NAMED_PIPE_LIST - TELEMETRY_NETWORK_LIST - TELEMETRY_NETWORK_LISTEN_LIST - TELEMETRY_POWERSHELL_DETAIL - TELEMETRY_POWERSHELL_LIST - TELEMETRY_PROCESS_ACCESS_LIST - TELEMETRY_PROCESS_GRAPH_DETAIL - TELEMETRY_PROCESS_LIST - TELEMETRY_PROCESS_TAMPER_LIST - TELEMETRY_RAW_DEVICE_ACCESS_LIST - TELEMETRY_RAW_SOCKET_CREATION_LIST - TELEMETRY_REGISTRY_LIST - TELEMETRY_REMOTE_THREAD_LIST - TELEMETRY_TIMELINE_LIST - TELEMETRY_URL_REQUEST_LIST - TELEMETRY_WMI_EVENT_LIST - THREAT_ENDPOINTS - 
THREAT_INTELLIGENCE_DRIVER_BLOCK_LIST_DETAIL - THREAT_INTELLIGENCE_IOC_DETAIL - THREAT_INTELLIGENCE_SIGMA_DETAIL - THREAT_INTELLIGENCE_YARA_DETAIL - THREAT_LIST - THREAT_RULES - THREAT_SUMMARY - THREAT_USERS - VULNERABILITIES_BY_APP - VULNERABILITIES_BY_CVE - VULNERABILITIES_BY_ENDPOINT - VULNERABILITIES_OVERVIEW title: Location type type: string object_id: minLength: 1 title: Object id type: string x-nullable: true section_id: minLength: 1 title: Section id type: string x-nullable: true required: - location_type type: object AppLocationRead: properties: api_list_endpoint: readOnly: true title: Api list endpoint type: string x-nullable: true api_retrieve_endpoint: readOnly: true title: Api retrieve endpoint type: string x-nullable: true context_type: enum: - llm_data_request - llm_response - user_provided readOnly: true title: Context type type: string filter_args: minLength: 1 readOnly: true title: Filter args type: string x-nullable: true llm_request_trace_id: description: for LLM data requests, the ID of the request provided by the LLM connector. It is unique and logged to help tracing. 
minLength: 1 readOnly: true title: Llm request trace id type: string x-nullable: true location_type: enum: - AGENT_DETAIL - AGENT_HOST_PROPERTIES_APPLICATION_DETAIL - AGENT_HOST_PROPERTIES_APPLICATION_LIST - AGENT_HOST_PROPERTIES_DISK_DETAIL - AGENT_HOST_PROPERTIES_DISK_LIST - AGENT_HOST_PROPERTIES_GROUP_DETAIL - AGENT_HOST_PROPERTIES_GROUP_LIST - AGENT_HOST_PROPERTIES_NETWORK_INTERFACE_DETAIL - AGENT_HOST_PROPERTIES_NETWORK_INTERFACE_LIST - AGENT_HOST_PROPERTIES_USER_DETAIL - AGENT_HOST_PROPERTIES_USER_LIST - AGENT_HOST_PROPERTIES_WINDOWS_UPDATE_DETAIL - AGENT_HOST_PROPERTIES_WINDOWS_UPDATE_LIST - AGENT_LIST - HOST_PROPERTIES_APPLICATION_LIST - HOST_PROPERTIES_LOCAL_GROUP_LIST - HOST_PROPERTIES_LOCAL_USER_LIST - HOST_PROPERTIES_SUBNETWORK_LIST - HOST_PROPERTIES_WINDOWS_UPDATE_LIST - POLICY_DETAIL - SECURITY_EVENT_LIST - SECURITY_EVENT_PROCESS_TREE - SECURITY_EVENT_RULE - SECURITY_EVENT_STATIC_ANALYSIS - SECURITY_EVENT_SUMMARY - SECURITY_EVENT_TIMELINE - TELEMETRY_AUTHENTICATION_LINUX_LIST - TELEMETRY_AUTHENTICATION_MACOS_LIST - TELEMETRY_AUTHENTICATION_WINDOWS_LIST - TELEMETRY_BINARY_LIST - TELEMETRY_DNS_RESOLUTION_LIST - TELEMETRY_DRIVER_LOAD_LIST - TELEMETRY_EVENT_LOG_LIST - TELEMETRY_FILE_DOWNLOAD_LIST - TELEMETRY_FILE_LIST - TELEMETRY_INJECTED_THREAD_LIST - TELEMETRY_LIBRARY_LOAD_LIST - TELEMETRY_NAMED_PIPE_LIST - TELEMETRY_NETWORK_LIST - TELEMETRY_NETWORK_LISTEN_LIST - TELEMETRY_POWERSHELL_DETAIL - TELEMETRY_POWERSHELL_LIST - TELEMETRY_PROCESS_ACCESS_LIST - TELEMETRY_PROCESS_GRAPH_DETAIL - TELEMETRY_PROCESS_LIST - TELEMETRY_PROCESS_TAMPER_LIST - TELEMETRY_RAW_DEVICE_ACCESS_LIST - TELEMETRY_RAW_SOCKET_CREATION_LIST - TELEMETRY_REGISTRY_LIST - TELEMETRY_REMOTE_THREAD_LIST - TELEMETRY_TIMELINE_LIST - TELEMETRY_URL_REQUEST_LIST - TELEMETRY_WMI_EVENT_LIST - THREAT_ENDPOINTS - THREAT_INTELLIGENCE_DRIVER_BLOCK_LIST_DETAIL - THREAT_INTELLIGENCE_IOC_DETAIL - THREAT_INTELLIGENCE_SIGMA_DETAIL - THREAT_INTELLIGENCE_YARA_DETAIL - THREAT_LIST - THREAT_RULES - 
THREAT_SUMMARY - THREAT_USERS - VULNERABILITIES_BY_APP - VULNERABILITIES_BY_CVE - VULNERABILITIES_BY_ENDPOINT - VULNERABILITIES_OVERVIEW readOnly: true title: Location type type: string object_id: minLength: 1 readOnly: true title: Object id type: string x-nullable: true section_id: minLength: 1 readOnly: true title: Section id type: string x-nullable: true type: object AppSettingsJson: properties: app_settings: title: App settings type: object required: - app_settings type: object AppStatistics: properties: active_installations: readOnly: true title: Active installations type: integer app_type: minLength: 1 readOnly: true title: App type type: string x-nullable: true cpe_prefix: minLength: 1 readOnly: true title: Cpe prefix type: string x-nullable: true description: minLength: 1 readOnly: true title: Description type: string x-nullable: true first_installation_date: format: date-time readOnly: true title: First installation date type: string first_seen: format: date-time readOnly: true title: First seen type: string id: format: uuid readOnly: true title: Id type: string last_installation_date: format: date-time readOnly: true title: Last installation date type: string last_seen: format: date-time readOnly: true title: Last seen type: string most_used_version: minLength: 1 readOnly: true title: Most used version type: string most_used_version_count: readOnly: true title: Most used version count type: integer name: minLength: 1 readOnly: true title: Name type: string newest_version: minLength: 1 readOnly: true title: Newest version type: string oldest_version: minLength: 1 readOnly: true title: Oldest version type: string ostype: minLength: 1 readOnly: true title: Ostype type: string publisher: minLength: 1 readOnly: true title: Publisher type: string x-nullable: true total_installations: readOnly: true title: Total installations type: integer type: object ApplicationProtocol: properties: http: $ref: '#/definitions/ApplicationProtocolHttp' name: minLength: 1 title: 
Name type: string ssh: $ref: '#/definitions/ApplicationProtocolSsh' tls: $ref: '#/definitions/ApplicationProtocolTls' required: - http - name - ssh - tls type: object ApplicationProtocolHttp: properties: content_length: title: Content length type: integer content_type: minLength: 1 title: Content type type: string non_standard_headers: items: $ref: '#/definitions/KeyValueDoc' type: array request_cookies: minLength: 1 title: Request cookies type: string request_host: minLength: 1 title: Request host type: string request_method: minLength: 1 title: Request method type: string request_path: minLength: 1 title: Request path type: string request_referer: minLength: 1 title: Request referer type: string request_user_agent: minLength: 1 title: Request user agent type: string response_code: title: Response code type: integer response_last_modified: minLength: 1 title: Response last modified type: string response_server: minLength: 1 title: Response server type: string version: minLength: 1 title: Version type: string required: - content_length - content_type - non_standard_headers - request_cookies - request_host - request_method - request_path - request_referer - request_user_agent - response_code - response_last_modified - response_server - version type: object ApplicationProtocolSsh: properties: comments: minLength: 1 title: Comments type: string proto_version: minLength: 1 title: Proto version type: string server_fingerprint: minLength: 1 title: Server fingerprint type: string server_pubkey_and_cert_algo: minLength: 1 title: Server pubkey and cert algo type: string software_version: minLength: 1 title: Software version type: string required: - comments - proto_version - server_fingerprint - server_pubkey_and_cert_algo - software_version type: object ApplicationProtocolTls: properties: client_hello_alpn: items: minLength: 1 type: string type: array client_hello_sni: minLength: 1 title: Client hello sni type: string ja3_fingerprint: minLength: 1 title: Ja3 fingerprint 
type: string ja3_raw_text: minLength: 1 title: Ja3 raw text type: string ja3n_fingerprint: minLength: 1 title: Ja3n fingerprint type: string ja3n_raw_text: minLength: 1 title: Ja3n raw text type: string ja3s_fingerprint: minLength: 1 title: Ja3s fingerprint type: string ja3s_raw_text: minLength: 1 title: Ja3s raw text type: string ja4: minLength: 1 title: Ja4 type: string ja4_raw_text: minLength: 1 title: Ja4 raw text type: string server_alpn: minLength: 1 title: Server alpn type: string server_certificates: items: $ref: '#/definitions/Info' type: array tls_version: minLength: 1 title: Tls version type: string required: - client_hello_alpn - client_hello_sni - ja3_fingerprint - ja3_raw_text - ja3n_fingerprint - ja3n_raw_text - ja3s_fingerprint - ja3s_raw_text - ja4 - ja4_raw_text - server_alpn - server_certificates - tls_version type: object ApplicationVulnerabilitiesAggregationListing: properties: count: title: Count type: integer next: minLength: 1 title: Next type: string x-nullable: true previous: minLength: 1 title: Previous type: string x-nullable: true results: items: $ref: '#/definitions/VulnerableApplicationWithCountAggregation' type: array required: - count - results type: object Artefact: properties: '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/DataAgent' artefact_type: minLength: 1 title: Artefact type type: string date: format: date-time title: Date type: string download_status: title: Download status type: integer id: minLength: 1 title: Id type: string item_status: title: Item status type: integer job_id: minLength: 1 title: Job id type: string job_instance_action: minLength: 1 title: Job instance action type: string job_instance_id: minLength: 1 title: Job instance id type: string job_instance_task_id: title: Job instance task id type: integer longname: minLength: 1 title: Longname type: string msg: minLength: 1 title: Msg type: string origin_stack: $ref: '#/definitions/OriginStack' sha256: minLength: 
1 title: Sha256 type: string shortname: minLength: 1 title: Shortname type: string size: title: Size type: integer tenant: minLength: 1 readOnly: true title: Tenant type: string required: - '@timestamp' - agent - artefact_type - date - download_status - id - item_status - job_id - job_instance_action - job_instance_id - job_instance_task_id - longname - msg - sha256 - shortname - size type: object AssemblylineScan: properties: scan_date: format: date-time title: Scan date type: string required: - scan_date type: object AssetCompatibilityHistory: properties: creation_date: format: date-time readOnly: true title: Creation date type: string id: format: uuid readOnly: true title: Id type: string modifier: $ref: '#/definitions/HlSimpleUserSerializer' new_compatibility: enum: - compatible - uncompatible - unknown readOnly: true title: New compatibility type: string old_compatibility: enum: - compatible - uncompatible - unknown readOnly: true title: Old compatibility type: string required: - modifier type: object AssetOSHistory: properties: creation_date: format: date-time readOnly: true title: Creation date type: string id: format: uuid readOnly: true title: Id type: string modifier: $ref: '#/definitions/HlSimpleUserSerializer' new_os: enum: - linux - macos - unknown - windows readOnly: true title: New os type: string old_os: enum: - linux - macos - unknown - windows readOnly: true title: Old os type: string required: - modifier type: object AuditLog: properties: '@timestamp': format: date-time title: '@timestamp' type: string action_title: minLength: 1 title: Action title type: string id: minLength: 1 title: Id type: string ip_address: minLength: 1 title: Ip address type: string log_creation_date: description: creation date of the log format: date-time title: Log creation date type: string log_description: description: humanized sentence explaining to the user what has been done minLength: 1 title: Log description type: string log_object: minLength: 1 title: Log object 
type: string log_slug: description: defines which action has been audited minLength: 1 title: Log slug type: string request_content: minLength: 1 title: Request content type: string request_method: minLength: 1 title: Request method type: string request_path: minLength: 1 title: Request path type: string response_content: minLength: 1 title: Response content type: string response_status_code: minLength: 1 title: Response status code type: string response_status_text: minLength: 1 title: Response status text type: string tenant: minLength: 1 title: Tenant type: string timestamp: format: date-time title: Timestamp type: string user_agent: minLength: 1 title: User agent type: string user_roles: items: minLength: 1 type: string type: array username: description: username of the user who performed the action minLength: 1 title: Username type: string required: - '@timestamp' - action_title - id - ip_address - log_creation_date - log_description - log_slug - request_content - request_method - request_path - response_content - response_status_code - response_status_text - tenant - timestamp - user_agent - username type: object AuthenticationLinux: properties: '@event_create_date': format: date-time title: '@event create date' type: string '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/InnerAgent' auth_status: minLength: 1 title: Auth status type: string auth_type: minLength: 1 title: Auth type type: string event_type: minLength: 1 title: Event type type: string groups: $ref: '#/definitions/InnerGroup' id: minLength: 1 title: Id type: string linux: $ref: '#/definitions/AuthenticationLoginLinux' log_type: minLength: 1 title: Log type type: string macos: $ref: '#/definitions/AuthenticationLoginMacos' msg: minLength: 1 title: Msg type: string origin_stack: $ref: '#/definitions/OriginStack' pid: title: Pid type: integer process_commandline: minLength: 1 title: Process commandline type: string process_imagename: minLength: 1 title: Process 
imagename type: string process_name: minLength: 1 title: Process name type: string process_unique_id: minLength: 1 title: Process unique id type: string source_address: minLength: 1 title: Source address type: string source_address_geoip: $ref: '#/definitions/GeoIP' source_agent_hostname: minLength: 1 title: Source agent hostname type: string source_agent_id: minLength: 1 title: Source agent id type: string source_domain: minLength: 1 title: Source domain type: string source_user: minLength: 1 title: Source user type: string source_username: minLength: 1 title: Source username type: string success: title: Success type: boolean tactic: minLength: 1 title: Tactic type: string target_domain: minLength: 1 title: Target domain type: string target_user: minLength: 1 title: Target user type: string target_username: minLength: 1 title: Target username type: string technique: minLength: 1 title: Technique type: string tenant: minLength: 1 title: Tenant type: string utc_time: format: date-time title: Utc time type: string windows: $ref: '#/definitions/AuthenticationLoginWindows' required: - '@event_create_date' - '@timestamp' - agent - auth_status - auth_type - event_type - groups - id - linux - log_type - macos - msg - pid - process_commandline - process_imagename - process_name - process_unique_id - source_address - source_address_geoip - source_agent_hostname - source_agent_id - source_domain - source_user - source_username - success - tactic - target_domain - target_user - target_username - technique - tenant - utc_time - windows type: object AuthenticationLogin: properties: '@event_create_date': format: date-time title: '@event create date' type: string '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/InnerAgent' auth_status: minLength: 1 title: Auth status type: string auth_type: minLength: 1 title: Auth type type: string event_type: minLength: 1 title: Event type type: string groups: $ref: '#/definitions/InnerGroup' id: 
minLength: 1 title: Id type: string linux: $ref: '#/definitions/AuthenticationLoginLinux' log_type: minLength: 1 title: Log type type: string macos: $ref: '#/definitions/AuthenticationLoginMacos' msg: minLength: 1 title: Msg type: string origin_stack: $ref: '#/definitions/OriginStack' pid: title: Pid type: integer process_commandline: minLength: 1 title: Process commandline type: string process_imagename: minLength: 1 title: Process imagename type: string process_name: minLength: 1 title: Process name type: string process_unique_id: minLength: 1 title: Process unique id type: string source_address: minLength: 1 title: Source address type: string source_address_geoip: $ref: '#/definitions/GeoIP' source_agent_hostname: minLength: 1 title: Source agent hostname type: string source_agent_id: minLength: 1 title: Source agent id type: string source_domain: minLength: 1 title: Source domain type: string source_user: minLength: 1 title: Source user type: string source_username: minLength: 1 title: Source username type: string success: title: Success type: boolean tactic: minLength: 1 title: Tactic type: string target_domain: minLength: 1 title: Target domain type: string target_user: minLength: 1 title: Target user type: string target_username: minLength: 1 title: Target username type: string technique: minLength: 1 title: Technique type: string tenant: minLength: 1 title: Tenant type: string utc_time: format: date-time title: Utc time type: string windows: $ref: '#/definitions/AuthenticationLoginWindows' required: - '@event_create_date' - '@timestamp' - agent - auth_status - auth_type - event_type - groups - id - linux - log_type - macos - msg - pid - process_commandline - process_imagename - process_name - process_unique_id - source_address - source_address_geoip - source_agent_hostname - source_agent_id - source_domain - source_user - source_username - success - tactic - target_domain - target_user - target_username - technique - tenant - utc_time - windows type: object 
AuthenticationLoginLinux: properties: target_gid: title: Target gid type: integer target_group: minLength: 1 title: Target group type: string target_uid: title: Target uid type: integer tty: minLength: 1 title: Tty type: string required: - target_gid - target_group - target_uid - tty type: object AuthenticationLoginMacos: properties: auto_unlock_type: minLength: 1 title: Auto unlock type type: string graphical_session_id: title: Graphical session id type: integer login_type: minLength: 1 title: Login type type: string open_directory_db_path: minLength: 1 title: Open directory db path type: string open_directory_node_name: minLength: 1 title: Open directory node name type: string open_directory_record_name: minLength: 1 title: Open directory record name type: string open_directory_record_type: minLength: 1 title: Open directory record type type: string open_ssh_login_result: minLength: 1 title: Open ssh login result type: string screensharing_authentication_type: minLength: 1 title: Screensharing authentication type type: string screensharing_existing_session: title: Screensharing existing session type: boolean screensharing_viewer_appleid: minLength: 1 title: Screensharing viewer appleid type: string token_id: minLength: 1 title: Token id type: string token_kerberos_principal: minLength: 1 title: Token kerberos principal type: string token_pubkey_hash: minLength: 1 title: Token pubkey hash type: string touch_id_mode: minLength: 1 title: Touch id mode type: string uid: title: Uid type: integer required: - auto_unlock_type - graphical_session_id - login_type - open_directory_db_path - open_directory_node_name - open_directory_record_name - open_directory_record_type - open_ssh_login_result - screensharing_authentication_type - screensharing_existing_session - screensharing_viewer_appleid - token_id - token_kerberos_principal - token_pubkey_hash - touch_id_mode - uid type: object AuthenticationLoginWindows: properties: authentication_package_name: minLength: 1 title: 
Authentication package name type: string event_id: title: Event id type: integer event_title: minLength: 1 title: Event title type: string failure_reason: minLength: 1 title: Failure reason type: string ip_address: minLength: 1 title: Ip address type: string ip_port: minLength: 1 title: Ip port type: string logon_guid: minLength: 1 title: Logon guid type: string logon_process_name: minLength: 1 title: Logon process name type: string logon_title: minLength: 1 title: Logon title type: string logon_type: title: Logon type type: integer process_name: minLength: 1 title: Process name type: string source_logon_id: title: Source logon id type: integer source_sid: minLength: 1 title: Source sid type: string status: title: Status type: integer sub_status: title: Sub status type: integer target_logon_id: title: Target logon id type: integer target_sid: minLength: 1 title: Target sid type: string workstation_name: minLength: 1 title: Workstation name type: string required: - authentication_package_name - event_id - event_title - failure_reason - ip_address - ip_port - logon_guid - logon_process_name - logon_title - logon_type - process_name - source_logon_id - source_sid - status - sub_status - target_logon_id - target_sid - workstation_name type: object AuthenticationLogout: properties: '@event_create_date': format: date-time title: '@event create date' type: string '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/InnerAgent' auth_status: minLength: 1 title: Auth status type: string auth_type: minLength: 1 title: Auth type type: string event_type: minLength: 1 title: Event type type: string groups: $ref: '#/definitions/InnerGroup' id: minLength: 1 title: Id type: string linux: $ref: '#/definitions/AuthenticationLogoutLinux' log_type: minLength: 1 title: Log type type: string macos: $ref: '#/definitions/AuthenticationLogoutMacos' origin_stack: $ref: '#/definitions/OriginStack' pid: title: Pid type: integer process_commandline: 
minLength: 1 title: Process commandline type: string process_imagename: minLength: 1 title: Process imagename type: string process_name: minLength: 1 title: Process name type: string process_unique_id: minLength: 1 title: Process unique id type: string source_address: minLength: 1 title: Source address type: string source_address_geoip: $ref: '#/definitions/GeoIP' source_agent_hostname: minLength: 1 title: Source agent hostname type: string source_agent_id: minLength: 1 title: Source agent id type: string source_domain: minLength: 1 title: Source domain type: string source_user: minLength: 1 title: Source user type: string source_username: minLength: 1 title: Source username type: string success: title: Success type: boolean tactic: minLength: 1 title: Tactic type: string target_domain: minLength: 1 title: Target domain type: string target_user: minLength: 1 title: Target user type: string target_username: minLength: 1 title: Target username type: string technique: minLength: 1 title: Technique type: string tenant: minLength: 1 title: Tenant type: string utc_time: format: date-time title: Utc time type: string windows: $ref: '#/definitions/AuthenticationLogoutWindows' required: - '@event_create_date' - '@timestamp' - agent - auth_status - auth_type - event_type - groups - id - linux - log_type - macos - pid - process_commandline - process_imagename - process_name - process_unique_id - source_address - source_address_geoip - source_agent_hostname - source_agent_id - source_domain - source_user - source_username - success - tactic - target_domain - target_user - target_username - technique - tenant - utc_time - windows type: object AuthenticationLogoutLinux: properties: target_gid: title: Target gid type: integer target_group: minLength: 1 title: Target group type: string target_uid: title: Target uid type: integer tty: minLength: 1 title: Tty type: string required: - target_gid - target_group - target_uid - tty type: object AuthenticationLogoutMacos: properties: 
graphical_session_id: title: Graphical session id type: integer logout_type: minLength: 1 title: Logout type type: string screensharing_viewer_appleid: minLength: 1 title: Screensharing viewer appleid type: string uid: title: Uid type: integer required: - graphical_session_id - logout_type - screensharing_viewer_appleid - uid type: object AuthenticationLogoutWindows: properties: event_id: title: Event id type: integer event_title: minLength: 1 title: Event title type: string logon_title: minLength: 1 title: Logon title type: string logon_type: title: Logon type type: integer target_logon_id: title: Target logon id type: integer target_sid: minLength: 1 title: Target sid type: string required: - event_id - event_title - logon_title - logon_type - target_logon_id - target_sid type: object AuthenticationMacos: properties: '@event_create_date': format: date-time title: '@event create date' type: string '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/InnerAgent' auth_status: minLength: 1 title: Auth status type: string auth_type: minLength: 1 title: Auth type type: string event_type: minLength: 1 title: Event type type: string groups: $ref: '#/definitions/InnerGroup' id: minLength: 1 title: Id type: string linux: $ref: '#/definitions/AuthenticationLoginLinux' log_type: minLength: 1 title: Log type type: string macos: $ref: '#/definitions/AuthenticationLoginMacos' msg: minLength: 1 title: Msg type: string origin_stack: $ref: '#/definitions/OriginStack' pid: title: Pid type: integer process_commandline: minLength: 1 title: Process commandline type: string process_imagename: minLength: 1 title: Process imagename type: string process_name: minLength: 1 title: Process name type: string process_unique_id: minLength: 1 title: Process unique id type: string source_address: minLength: 1 title: Source address type: string source_address_geoip: $ref: '#/definitions/GeoIP' source_agent_hostname: minLength: 1 title: Source agent hostname 
type: string source_agent_id: minLength: 1 title: Source agent id type: string source_domain: minLength: 1 title: Source domain type: string source_user: minLength: 1 title: Source user type: string source_username: minLength: 1 title: Source username type: string success: title: Success type: boolean tactic: minLength: 1 title: Tactic type: string target_domain: minLength: 1 title: Target domain type: string target_user: minLength: 1 title: Target user type: string target_username: minLength: 1 title: Target username type: string technique: minLength: 1 title: Technique type: string tenant: minLength: 1 title: Tenant type: string utc_time: format: date-time title: Utc time type: string windows: $ref: '#/definitions/AuthenticationLoginWindows' required: - '@event_create_date' - '@timestamp' - agent - auth_status - auth_type - event_type - groups - id - linux - log_type - macos - msg - pid - process_commandline - process_imagename - process_name - process_unique_id - source_address - source_address_geoip - source_agent_hostname - source_agent_id - source_domain - source_user - source_username - success - tactic - target_domain - target_user - target_username - technique - tenant - utc_time - windows type: object AuthenticationWindows: properties: '@event_create_date': format: date-time title: '@event create date' type: string '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/InnerAgent' auth_status: minLength: 1 title: Auth status type: string auth_type: minLength: 1 title: Auth type type: string event_type: minLength: 1 title: Event type type: string groups: $ref: '#/definitions/InnerGroup' id: minLength: 1 title: Id type: string linux: $ref: '#/definitions/AuthenticationLoginLinux' log_type: minLength: 1 title: Log type type: string macos: $ref: '#/definitions/AuthenticationLoginMacos' msg: minLength: 1 title: Msg type: string origin_stack: $ref: '#/definitions/OriginStack' pid: title: Pid type: integer 
process_commandline: minLength: 1 title: Process commandline type: string process_imagename: minLength: 1 title: Process imagename type: string process_name: minLength: 1 title: Process name type: string process_unique_id: minLength: 1 title: Process unique id type: string source_address: minLength: 1 title: Source address type: string source_address_geoip: $ref: '#/definitions/GeoIP' source_agent_hostname: minLength: 1 title: Source agent hostname type: string source_agent_id: minLength: 1 title: Source agent id type: string source_domain: minLength: 1 title: Source domain type: string source_user: minLength: 1 title: Source user type: string source_username: minLength: 1 title: Source username type: string success: title: Success type: boolean tactic: minLength: 1 title: Tactic type: string target_domain: minLength: 1 title: Target domain type: string target_user: minLength: 1 title: Target user type: string target_username: minLength: 1 title: Target username type: string technique: minLength: 1 title: Technique type: string tenant: minLength: 1 title: Tenant type: string utc_time: format: date-time title: Utc time type: string windows: $ref: '#/definitions/AuthenticationLoginWindows' required: - '@event_create_date' - '@timestamp' - agent - auth_status - auth_type - event_type - groups - id - linux - log_type - macos - msg - pid - process_commandline - process_imagename - process_name - process_unique_id - source_address - source_address_geoip - source_agent_hostname - source_agent_id - source_domain - source_user - source_username - success - tactic - target_domain - target_user - target_username - technique - tenant - utc_time - windows type: object Authentihashes: properties: sha1: minLength: 1 title: Sha1 type: string sha256: minLength: 1 title: Sha256 type: string required: - sha1 - sha256 type: object AutoNotification: properties: comment: minLength: 1 title: Comment type: string group_ids: minLength: 1 title: Group ids type: string hash: minLength: 1 
title: Hash type: string id: minLength: 1 title: Id type: string last_modifier_id: title: Last modifier id type: integer last_update: format: date-time title: Last update type: string name: minLength: 1 title: Name type: string priority: title: Priority type: integer recipients: items: $ref: '#/definitions/AutoNotificationRecipient' minItems: 1 type: array rules: items: $ref: '#/definitions/AutoNotificationRule' minItems: 1 type: array required: - comment - group_ids - hash - id - last_modifier_id - last_update - name - priority - recipients - rules type: object AutoNotificationRecipient: properties: addr: minLength: 1 pattern: (?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*|"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\]) title: Addr type: string contact_type: minLength: 1 pattern: mail$ title: Contact type type: string required: - addr - contact_type type: object AutoNotificationRule: properties: case_insensitive: title: Case insensitive type: boolean field: minLength: 1 title: Field type: string operator: minLength: 1 title: Operator type: string value: minLength: 1 title: Value type: string required: - case_insensitive - field - operator - value type: object BaseClass: properties: base_class: maxLength: 2 minLength: 1 pattern: ^[0-9,A-F]{2}$ title: Base class type: string id: format: uuid title: Id type: string protocol: maxLength: 2 pattern: ^[0-9,A-F]{2}$ title: Protocol type: string x-nullable: true sub_class: maxLength: 2 pattern: ^[0-9,A-F]{2}$ title: Sub class type: string x-nullable: true required: - base_class type: object BaseComment: properties: comment: minLength: 1 title: Comment type: string required: - comment type: object 
BasicGroup: properties: display_name: readOnly: true title: Display name type: string id: minLength: 1 readOnly: true title: Id type: string name: minLength: 1 readOnly: true title: Name type: string type: object BasicRole: properties: id: format: uuid readOnly: true title: Id type: string name: maxLength: 150 minLength: 1 title: Name type: string required: - name type: object BatchAgentList: properties: hostname: minLength: 1 title: Hostname type: string x-nullable: true id: format: uuid title: Id type: string jobs: items: $ref: '#/definitions/AgentJobInstanceStatus' type: array ostype: minLength: 1 title: Ostype type: string x-nullable: true osversion: minLength: 1 title: Osversion type: string x-nullable: true status: enum: - access_denied - idle - offline - online readOnly: true title: Status type: string required: - jobs type: object BatchCreate: properties: description: minLength: 1 title: Description type: string jobs: description: There is a limit of 1 key for the dictionaries/objects in the job list. 
items: $ref: '#/definitions/AllAction' type: array source: $ref: '#/definitions/BatchSource' targets: $ref: '#/definitions/BatchTarget' template: title: Template type: string title: minLength: 1 title: Title type: string type: object BatchDuplicate: properties: change_targets: default: false title: Change targets type: boolean description: minLength: 1 title: Description type: string targets: $ref: '#/definitions/BatchTarget' title: minLength: 1 title: Title type: string type: object BatchEdit: properties: archived: title: Archived type: boolean creationtime: format: date-time readOnly: true title: Creationtime type: string creator: readOnly: true title: Creator type: integer x-nullable: true description: title: Description type: string x-nullable: true id: minLength: 1 readOnly: true title: Id type: string source_id: minLength: 1 readOnly: true title: Source id type: string x-nullable: true source_type: enum: - agent - alert - batch_duplicated - endpoint_agent - endpoint_user - group - investigation - remote_shell - security_event - threat readOnly: true title: Source type type: string x-nullable: true template: readOnly: true title: Template type: string x-nullable: true title: title: Title type: string x-nullable: true type: object BatchList: properties: agent_count: minimum: 0 title: Agent count type: integer archived: title: Archived type: boolean creationtime: format: date-time title: Creationtime type: string creator: $ref: '#/definitions/HlSimpleUserSerializer' description: title: Description type: string x-nullable: true endpoint_username: maxLength: 4096 minLength: 1 title: Endpoint username type: string x-nullable: true id: minLength: 1 title: Id type: string is_scheduled: title: Is scheduled type: boolean jobs: items: enum: - IOCScan - agentDiagnostic - agentMinidump - avScan - collectRAWEvidences - deleteScheduledTask - deleteService - downloadDirectory - downloadFile - filepathDeleter - getHives - getLoadedDriverList - getNetworkShare - getPipeList - 
getPrefetch - getProcessList - getQFE - getRawWMI - getScheduledTasks - getSessions - getStartupFileList - getWMI - knownProcessFinderKiller - listDirectory - memoryDumper - networkDiscovery - networkSniffer - parseFilesystem - persistanceScanner - processDumper - profileMemory - quarantineAcquireFile - quarantineAdd - quarantineDelete - quarantineRestore - registryOperation - searchProcessDumper - wildcardProcessFinderKiller - yaraScan type: string type: array x-nullable: true source_id: minLength: 1 title: Source id type: string x-nullable: true source_type: enum: - agent - alert - batch_duplicated - endpoint_agent - endpoint_user - group - investigation - remote_shell - security_event - threat title: Source type type: string x-nullable: true status: $ref: '#/definitions/BatchStats' template: title: Template type: string x-nullable: true title: title: Title type: string x-nullable: true required: - agent_count - creator - jobs - status type: object BatchRetrieve: properties: agent_count: minimum: 0 title: Agent count type: integer archived: title: Archived type: boolean creationtime: format: date-time title: Creationtime type: string creator: $ref: '#/definitions/HlSimpleUserSerializer' description: title: Description type: string x-nullable: true endpoint_username: maxLength: 4096 minLength: 1 title: Endpoint username type: string x-nullable: true id: minLength: 1 title: Id type: string is_scheduled: title: Is scheduled type: boolean source_id: minLength: 1 title: Source id type: string x-nullable: true source_type: enum: - agent - alert - batch_duplicated - endpoint_agent - endpoint_user - group - investigation - remote_shell - security_event - threat title: Source type type: string x-nullable: true status: $ref: '#/definitions/BatchStats' tasks: items: $ref: '#/definitions/Task' readOnly: true type: array template: title: Template type: string x-nullable: true title: title: Title type: string x-nullable: true required: - agent_count - status type: object 
BatchSelect: properties: batch_ids: items: type: string type: array uniqueItems: true required: - batch_ids type: object BatchSource: description: The job will be automatically launched on all related agents of the provided source. If provided, the source must have at least one related agent. properties: id: minLength: 1 title: Id type: string type: enum: - agent - alert - batch_duplicated - endpoint_agent - endpoint_user - group - investigation - security_event - threat title: Type type: string required: - id - type type: object BatchStats: properties: canceled: minimum: 0 title: Canceled type: integer done: minimum: 0 title: Done type: integer error: minimum: 0 title: Error type: integer injecting: minimum: 0 title: Injecting type: integer running: minimum: 0 title: Running type: integer total: minimum: 0 title: Total type: integer waiting: minimum: 0 title: Waiting type: integer required: - canceled - done - error - injecting - running - total - waiting type: object BatchTarget: description: If provided, must resolve to at least one agent. properties: agent_ids: items: format: uuid type: string type: array uniqueItems: true group_ids: items: type: string type: array uniqueItems: true type: object BatchTemplateCreate: properties: description: minLength: 1 title: Description type: string jobs: description: There is a limit of 1 key for the dictionaries/objects in the job list. items: $ref: '#/definitions/AllAction' type: array title: minLength: 1 title: Title type: string required: - jobs type: object BatchTemplateCreateFromBatch: properties: batch: title: Batch type: string description: minLength: 1 title: Description type: string title: minLength: 1 title: Title type: string required: - batch type: object BatchTemplateEdit: properties: description: minLength: 1 title: Description type: string jobs: description: There is a limit of 1 key for the dictionaries/objects in the job list. 
items: $ref: '#/definitions/AllAction' type: array title: minLength: 1 title: Title type: string type: object BatchTemplateJobRetrieve: properties: action: $ref: '#/definitions/AllAction' id: minLength: 1 title: Id type: string task_id: maximum: 2147483647 minimum: -2147483648 title: Task id type: integer required: - action - task_id type: object BatchTemplateRetrieve: properties: creation_date: format: date-time readOnly: true title: Creation date type: string description: title: Description type: string x-nullable: true id: minLength: 1 title: Id type: string jobs: items: $ref: '#/definitions/BatchTemplateJobRetrieve' type: array last_modifier: $ref: '#/definitions/HlSimpleUserSerializer' last_update: format: date-time readOnly: true title: Last update type: string title: title: Title type: string x-nullable: true required: - jobs - last_modifier type: object BinariesRetention: properties: binaries_max_age: minLength: 1 title: Binaries max age type: string x-nullable: true binaries_max_size: minLength: 1 title: Binaries max size type: string x-nullable: true type: object Binary: properties: approximate_last_seen: format: date-time title: Approximate last seen type: string assemblyline: $ref: '#/definitions/AssemblylineScan' cape: $ref: '#/definitions/CapeScan' downloaded: title: Downloaded type: integer downloaded_date: format: date-time title: Downloaded date type: string file_type: minLength: 1 title: File type type: string first_seen: format: date-time title: First seen type: string glimps: $ref: '#/definitions/GlimpsScan' groups: $ref: '#/definitions/InnerGroup' hashes: $ref: '#/definitions/Hashes' hibou: $ref: '#/definitions/HibouScan' hlai: $ref: '#/definitions/HlaiScan' id: minLength: 1 title: Id type: string irma: $ref: '#/definitions/Irma' names: items: minLength: 1 type: string type: array origin_stack: $ref: '#/definitions/OriginStack' orion: $ref: '#/definitions/OrionScan' ostype: minLength: 1 title: Ostype type: string paths: items: minLength: 1 
type: string type: array pe_info: $ref: '#/definitions/PEInfo' signature_info: $ref: '#/definitions/SignatureInfo' signed: title: Signed type: boolean size: title: Size type: integer tenant: minLength: 1 title: Tenant type: string virustotal: $ref: '#/definitions/VirusTotal' yara: $ref: '#/definitions/DocYaraScanSerializer' required: - approximate_last_seen - assemblyline - cape - downloaded - downloaded_date - file_type - first_seen - glimps - groups - hashes - hibou - hlai - id - irma - names - orion - ostype - paths - pe_info - signature_info - signed - size - tenant - virustotal - yara type: object BinaryInfo: properties: downloaded: title: Downloaded type: boolean filesize: title: Filesize type: integer md5: minLength: 1 title: Md5 type: string pe_company_name: minLength: 1 title: Pe company name type: string pe_file_description: minLength: 1 title: Pe file description type: string pe_file_version: minLength: 1 title: Pe file version type: string pe_imphash: minLength: 1 title: Pe imphash type: string pe_internal_name: minLength: 1 title: Pe internal name type: string pe_legal_copyright: minLength: 1 title: Pe legal copyright type: string pe_original_filename: minLength: 1 title: Pe original filename type: string pe_product_name: minLength: 1 title: Pe product name type: string pe_product_version: minLength: 1 title: Pe product version type: string pe_timestamp: minLength: 1 title: Pe timestamp type: string pe_timestamp_int: title: Pe timestamp int type: integer perms: minLength: 1 title: Perms type: string root_display_name: minLength: 1 title: Root display name type: string root_issuer_name: minLength: 1 title: Root issuer name type: string root_serial_number: minLength: 1 title: Root serial number type: string root_thumbprint: minLength: 1 title: Root thumbprint type: string sha1: minLength: 1 title: Sha1 type: string sha256: minLength: 1 title: Sha256 type: string signed: title: Signed type: boolean signed_authenticode: title: Signed authenticode type: 
boolean signed_catalog: title: Signed catalog type: boolean signer_display_name: minLength: 1 title: Signer display name type: string signer_issuer_name: minLength: 1 title: Signer issuer name type: string signer_serial_number: minLength: 1 title: Signer serial number type: string signer_thumbprint: minLength: 1 title: Signer thumbprint type: string required: - downloaded - filesize - md5 - pe_company_name - pe_file_description - pe_file_version - pe_imphash - pe_internal_name - pe_legal_copyright - pe_original_filename - pe_product_name - pe_product_version - pe_timestamp - pe_timestamp_int - perms - root_display_name - root_issuer_name - root_serial_number - root_thumbprint - sha1 - sha256 - signed - signed_authenticode - signed_catalog - signer_display_name - signer_issuer_name - signer_serial_number - signer_thumbprint type: object BinaryInfoWithPath: properties: binaryinfo: $ref: '#/definitions/BinaryInfo' filename: minLength: 1 title: Filename type: string fullpath: minLength: 1 title: Fullpath type: string fullpath_cmdline: minLength: 1 title: Fullpath cmdline type: string linux_filename: minLength: 1 title: Linux filename type: string linux_fullpath: minLength: 1 title: Linux fullpath type: string linux_fullpath_cmdline: minLength: 1 title: Linux fullpath cmdline type: string required: - binaryinfo - filename - fullpath - fullpath_cmdline - linux_filename - linux_fullpath - linux_fullpath_cmdline type: object BootSector: properties: data: minLength: 1 title: Data type: string offset: title: Offset type: integer required: - data - offset type: object Bootkit: properties: '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/DataAgent' boot_hash: minLength: 1 title: Boot hash type: string boot_type: minLength: 1 title: Boot type type: string comment: minLength: 1 title: Comment type: string error_string: minLength: 1 title: Error string type: string id: minLength: 1 title: Id type: string is_suspicious: minLength: 1 
title: Is suspicious type: string item_status: title: Item status type: integer job_id: minLength: 1 title: Job id type: string job_instance_action: minLength: 1 title: Job instance action type: string job_instance_id: minLength: 1 title: Job instance id type: string job_instance_task_id: title: Job instance task id type: integer tenant: minLength: 1 title: Tenant type: string required: - '@timestamp' - agent - boot_hash - boot_type - comment - error_string - id - is_suspicious - item_status - job_id - job_instance_action - job_instance_id - job_instance_task_id - tenant type: object BulkCreateFIMPathExclusion: properties: path_exclusions: default: [] items: $ref: '#/definitions/CreateFIMPathExclusionSerializerForBulk' type: array type: object BulkCreateFIMPathInclusion: properties: path_inclusions: default: [] items: $ref: '#/definitions/CreateFIMPathInclusionSerializerForBulk' type: array type: object BulkCreateUsbRule: properties: rules: items: $ref: '#/definitions/UsbRule' type: array required: - rules type: object BulkDeleteFIMPathExclusion: properties: path_exclusions: default: [] items: format: uuid type: string type: array type: object BulkDeleteFIMPathInclusion: properties: path_inclusions: default: [] items: format: uuid type: string type: array type: object BulkDeleteHLAVPathExclusion: properties: path_exclusions: default: [] items: format: uuid type: string type: array type: object BulkUpdateFIMFileModification: properties: file_modifications: default: [] items: $ref: '#/definitions/SingleUpdateFIMFileModification' type: array type: object BulkUpdateFIMPathExclusion: properties: path_exclusions: default: [] items: $ref: '#/definitions/UpdateFIMPathExclusionSerializerForBulk' type: array type: object BulkUpdateFIMPathInclusion: properties: path_inclusions: default: [] items: $ref: '#/definitions/UpdateFIMPathInclusionSerializerForBulk' type: array type: object BulkUpdateFIMReportByAgent: properties: modifications_by_agent: default: [] items: $ref: 
'#/definitions/UpdateFIMReportByAgent' type: array type: object BulkUpdateFIMReportByPath: properties: modifications_by_path: default: [] items: $ref: '#/definitions/UpdateFIMReportByPath' type: array type: object Bundle: properties: enabled_permissions: default: [] items: enum: - administration_agent_installers - administration_global_settings - administration_role_edit - administration_role_view - administration_user_edit - administration_user_view - attack_surface_network_discovery_edit - attack_surface_network_discovery_view - attack_surface_vulnerability_edit - attack_surface_vulnerability_view - data_exploration_file_download - data_exploration_investigation_edit - data_exploration_investigation_view - data_exploration_search - data_exploration_telemetry - data_exploration_visualization - detection_sec_event_edit - detection_sec_event_view - detection_threat_edit - detection_threat_view - detection_view_experimental - endpoint_agent_lifecycle - endpoint_lifecycle - endpoint_management_edit - endpoint_management_view - endpoint_policy_edit - endpoint_policy_view - job_acquisition_capture_ram_edit - job_acquisition_capture_ram_view - job_acquisition_collect_raw_data_edit - job_acquisition_collect_raw_data_view - job_acquisition_download_directory_edit - job_acquisition_download_directory_view - job_acquisition_download_file_edit - job_acquisition_download_file_view - job_acquisition_network_sniffer_edit - job_acquisition_network_sniffer_view - job_acquisition_parse_filesystem_edit - job_acquisition_parse_filesystem_view - job_acquisition_process_dumper_edit - job_acquisition_process_dumper_view - job_debug_agent_diagnostic_edit - job_debug_agent_diagnostic_view - job_debug_minidump_edit - job_debug_minidump_view - job_debug_profile_memory_edit - job_debug_profile_memory_view - job_evidence_prefetch_edit - job_evidence_prefetch_view - job_info_drivers_edit - job_info_drivers_view - job_info_list_directory_contents_edit - job_info_list_directory_contents_view - 
job_info_network_shares_edit - job_info_network_shares_view - job_info_pip_list_edit - job_info_pip_list_view - job_info_processes_edit - job_info_processes_view - job_info_sessions_edit - job_info_sessions_view - job_info_windows_kb_edit - job_info_windows_kb_view - job_persistence_linux_persistence_edit - job_persistence_linux_persistence_view - job_persistence_registry_edit - job_persistence_registry_view - job_persistence_scheduled_tasks_edit - job_persistence_scheduled_tasks_view - job_persistence_startup_files_edit - job_persistence_startup_files_view - job_persistence_wmi_edit - job_persistence_wmi_view - job_remediation_file_deletion_edit - job_remediation_file_deletion_view - job_remediation_process_kill_edit - job_remediation_process_kill_view - job_remediation_quarantine_files_edit - job_remediation_quarantine_files_view - job_remediation_registry_operation_edit - job_remediation_registry_operation_view - job_remediation_scheduled_task_deletion_edit - job_remediation_scheduled_task_deletion_view - job_remediation_service_deletion_edit - job_remediation_service_deletion_view - job_scan_antivirus_scan_edit - job_scan_antivirus_scan_view - job_scan_ioc_scan_edit - job_scan_ioc_scan_view - job_scan_yara_scan_edit - job_scan_yara_scan_view - llm_chat_send_messages - llm_chat_view_messages - misc_api_documentation - misc_product_documentation - monitoring_agent_logs - monitoring_ui - protection_antivirus_edit - protection_antivirus_view - protection_device_control_edit - protection_device_control_view - protection_fim_edit - protection_fim_view - protection_firewall_edit - protection_firewall_view - remediation_isolation - remote_shell_command_cat - remote_shell_command_cd - remote_shell_command_chmod - remote_shell_command_chown - remote_shell_command_cp - remote_shell_command_env - remote_shell_command_filehash - remote_shell_command_listmount - remote_shell_command_mkdir - remote_shell_command_mv - remote_shell_command_pwd - remote_shell_command_run - 
remote_shell_command_set - remote_shell_command_stat - remote_shell_command_unset - remote_shell_executable_edit - remote_shell_executable_view - remote_shell_session_edit - remote_shell_session_view - threat_intelligence_edit - threat_intelligence_experimental - threat_intelligence_view - threat_intelligence_whitelist_edit - threat_intelligence_whitelist_view type: string type: array enabled_sec_events: default: [] items: enum: - all - assemblyline - base - cape - correlation - device_control - driver - glimps - hibou - hlai - hlaiscripts - hurukaiav - ioc - irma - kernelguard - orion - ransom - selfprotection - sidewatch - sigma - vt - yara type: string type: array name: enum: - default - epp title: Name type: string required: - name type: object ByovdDetectionDetails: properties: detection_kind: enum: - block_list - heuristic_allowlist - unspecified title: Detection kind type: string heuristic_metadata: $ref: '#/definitions/ByovdHeuristicMetadata' required: - detection_kind type: object ByovdHeuristicMetadata: properties: detection_flags: items: enum: - manual_registry_service_creation - network_driver_location - neutral_driver_path - suspicious_driver_initial_path - suspicious_driver_path - unsigned_file_creation_process - unsigned_service_creation_process - unspecified - untrusted_file_creation_process - untrusted_service_creation_process type: string type: array file_creation_path: minLength: 1 title: File creation path type: string file_creation_process_image_path: minLength: 1 title: File creation process image path type: string file_creation_process_unique_id: minLength: 1 title: File creation process unique id type: string registry_service_details: minLength: 1 title: Registry service details type: string registry_service_process_image_path: minLength: 1 title: Registry service process image path type: string registry_service_process_unique_id: minLength: 1 title: Registry service process unique id type: string registry_service_target_object: minLength: 1 
title: Registry service target object type: string service_process_image_path: minLength: 1 title: Service process image path type: string service_process_unique_id: minLength: 1 title: Service process unique id type: string required: - detection_flags - file_creation_path - file_creation_process_image_path - file_creation_process_unique_id - registry_service_details - registry_service_process_image_path - registry_service_process_unique_id - registry_service_target_object - service_process_image_path - service_process_unique_id type: object CDNDownload: properties: status: enum: - downloaded - not_downloaded - requested title: Status type: string required: - status type: object CLSID: properties: '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/DataAgent' binaryinfo: $ref: '#/definitions/BinaryInfoWithPath' clsid_description: minLength: 1 title: Clsid description type: string clsid_name: minLength: 1 title: Clsid name type: string clsid_timestamp: format: date-time title: Clsid timestamp type: string id: minLength: 1 title: Id type: string inprochandler: minLength: 1 title: Inprochandler type: string inprochandler32: minLength: 1 title: Inprochandler32 type: string inprochandler32_timestamp: format: date-time title: Inprochandler32 timestamp type: string inprochandler_timestamp: format: date-time title: Inprochandler timestamp type: string inprocserver: minLength: 1 title: Inprocserver type: string inprocserver32: minLength: 1 title: Inprocserver32 type: string inprocserver32_timestamp: format: date-time title: Inprocserver32 timestamp type: string inprocserver_timestamp: format: date-time title: Inprocserver timestamp type: string item_status: title: Item status type: integer job_id: minLength: 1 title: Job id type: string job_instance_action: minLength: 1 title: Job instance action type: string job_instance_id: minLength: 1 title: Job instance id type: string job_instance_task_id: title: Job instance task id type: 
integer localserver: minLength: 1 title: Localserver type: string localserver32: minLength: 1 title: Localserver32 type: string localserver32_timestamp: format: date-time title: Localserver32 timestamp type: string localserver_timestamp: format: date-time title: Localserver timestamp type: string tenant: minLength: 1 title: Tenant type: string treatas: minLength: 1 title: Treatas type: string treatas_timestamp: format: date-time title: Treatas timestamp type: string username: minLength: 1 title: Username type: string wow64: title: Wow64 type: boolean required: - '@timestamp' - agent - binaryinfo - clsid_description - clsid_name - clsid_timestamp - id - inprochandler - inprochandler32 - inprochandler32_timestamp - inprochandler_timestamp - inprocserver - inprocserver32 - inprocserver32_timestamp - inprocserver_timestamp - item_status - job_id - job_instance_action - job_instance_id - job_instance_task_id - localserver - localserver32 - localserver32_timestamp - localserver_timestamp - tenant - treatas - treatas_timestamp - username - wow64 type: object Callback: properties: array_entry_value: minLength: 1 title: Array entry value type: string original_callback: minLength: 1 title: Original callback type: string routine_status: title: Routine status type: integer tampered_callback: minLength: 1 title: Tampered callback type: string required: - array_entry_value - original_callback - routine_status - tampered_callback type: object Capability: properties: tactic_name: minLength: 1 title: Tactic name type: string techniques: items: $ref: '#/definitions/CapabilityTechnique' type: array required: - tactic_name - techniques type: object CapabilityTechnique: properties: description: minLength: 1 title: Description type: string details: items: minLength: 1 type: string type: array technique_id: minLength: 1 title: Technique id type: string required: - description - details - technique_id type: object CapeScan: properties: detections: minLength: 1 title: Detections type: 
string external_link: minLength: 1 title: External link type: string scan_date: format: date-time title: Scan date type: string task_id: minLength: 1 title: Task id type: string required: - detections - external_link - scan_date - task_id type: object ChangePrimaryMethodValidator: properties: code: minLength: 1 title: Code type: string method: enum: - app title: Method type: string required: - code - method type: object Characteristics: properties: data: minLength: 1 title: Data type: string description: minLength: 1 title: Description type: string identifier: minLength: 1 title: Identifier type: string label: minLength: 1 title: Label type: string type: minLength: 1 title: Type type: string required: - data - description - identifier - label - type type: object Chat: properties: archived: title: Archived type: boolean creation_date: format: date-time readOnly: true title: Creation date type: string id: format: uuid readOnly: true title: Id type: string last_update: format: date-time readOnly: true title: Last update type: string public: title: Public type: boolean requests: items: $ref: '#/definitions/InnerChatRequest' type: array title: minLength: 1 title: Title type: string x-nullable: true user: $ref: '#/definitions/HlSimpleUserSerializer' required: - requests type: object ChatFeedback: properties: comment: title: Comment type: string x-nullable: true creation_date: format: date-time readOnly: true title: Creation date type: string id: format: uuid readOnly: true title: Id type: string request: format: uuid title: Request type: string score: maximum: 1.0 minimum: -1.0 title: Score type: number x-nullable: true submitted: readOnly: true title: Submitted type: boolean required: - request type: object ChatList: properties: archived: title: Archived type: boolean creation_date: format: date-time readOnly: true title: Creation date type: string first_context: $ref: '#/definitions/AppLocationRead' id: format: uuid readOnly: true title: Id type: string last_update: 
format: date-time readOnly: true title: Last update type: string public: title: Public type: boolean title: minLength: 1 title: Title type: string x-nullable: true user: $ref: '#/definitions/HlSimpleUserSerializer' required: - first_context type: object ChatRequest: properties: conversation_id: minLength: 1 title: Conversation id type: string creation_date: format: date-time readOnly: true title: Creation date type: string enforce_tool: description: Force the LLM to use a specific tool enum: - agent_list - analyze_security_event - driver_block_list - ioc - powershell - security_event_list - sigma - threat_list - yara readOnly: true title: Enforce tool type: string x-nullable: true feedback: $ref: '#/definitions/InnerChatFeedback' id: format: uuid readOnly: true title: Id type: string last_update: format: date-time readOnly: true title: Last update type: string locations: items: $ref: '#/definitions/AppLocationRead' type: array message: title: Message type: string permissions: items: minLength: 1 type: string type: array permissions_checksum: minLength: 1 title: Permissions checksum type: string response: minLength: 1 readOnly: true title: Response type: string x-nullable: true response_error_code: enum: - context_too_long - empty_response - failed_to_fetch_data - history_processing_error - http_error - internal_error - no_auth_token - no_error - no_user_id - timeout - transport_error - unknown_error - unknown_location readOnly: true title: Response error code type: string response_failed: readOnly: true title: Response failed type: boolean response_finished: readOnly: true title: Response finished type: boolean response_urls: description: List of external URLs that are relevant to the response items: minLength: 1 title: Response urls type: string readOnly: true type: array x-nullable: true steps: description: List of steps the LLM went through to answer the request items: minLength: 1 title: Steps type: string readOnly: true type: array x-nullable: true user: $ref: 
'#/definitions/HlSimpleUserSerializer' required: - locations type: object CircuitBreaker: properties: agent: format: uuid readOnly: true title: Agent type: string x-nullable: true id: format: uuid readOnly: true title: Id type: string ostype: minLength: 1 readOnly: true title: Ostype type: string upgrade_date: format: date-time readOnly: true title: Upgrade date type: string upgrade_version: minLength: 1 readOnly: true title: Upgrade version type: string type: object CircuitBreakerLightAgent: properties: hostname: minLength: 1 readOnly: true title: Hostname type: string id: minLength: 1 readOnly: true title: Id type: string type: object CircuitBreakerReset: properties: ostype: enum: - linux - macos - windows title: Ostype type: string required: - ostype type: object CircuitBreakerState: properties: agents_failure_lost: items: $ref: '#/definitions/CircuitBreakerLightAgent' readOnly: true type: array agents_failure_same_version: items: $ref: '#/definitions/CircuitBreakerLightAgent' readOnly: true type: array blocking: title: Blocking type: boolean blocking_date: format: date-time title: Blocking date type: string x-nullable: true blocking_description: minLength: 1 title: Blocking description type: string x-nullable: true blocking_reason: minLength: 1 title: Blocking reason type: string x-nullable: true blocking_threshold: readOnly: true title: Blocking threshold type: integer x-nullable: true upgrade_sent: readOnly: true title: Upgrade sent type: integer upgrade_success: readOnly: true title: Upgrade success type: integer required: - blocking - blocking_date - blocking_description - blocking_reason type: object x-nullable: true CircuitBreakerStats: properties: enabled: readOnly: true title: Enabled type: boolean linux: $ref: '#/definitions/CircuitBreakerState' macos: $ref: '#/definitions/CircuitBreakerState' upgrade_delay: readOnly: true title: Upgrade delay type: integer windows: $ref: '#/definitions/CircuitBreakerState' required: - linux - macos - windows type: 
object ClientGetProfile: properties: headers: items: minLength: 1 type: string type: array metadata: items: minLength: 1 type: string type: array parameters: items: minLength: 1 type: string type: array required: - headers - metadata - parameters type: object ClientPostProfile: properties: headers: items: minLength: 1 type: string type: array output: items: minLength: 1 type: string type: array parameters: items: minLength: 1 type: string type: array session_id: items: minLength: 1 type: string type: array required: - headers - output - parameters - session_id type: object CobaltConf: properties: b_cfg_caution: title: B cfg caution type: boolean b_proc_inject_min_alloc_size: title: B proc inject min alloc size type: integer b_proc_inject_start_rwx: title: B proc inject start rwx type: boolean b_proc_inject_use_rwx: title: B proc inject use rwx type: boolean b_stage_cleanup: title: B stage cleanup type: boolean b_uses_cookies: title: B uses cookies type: boolean beacon_type: items: minLength: 1 type: string type: array c2_server: minLength: 1 title: C2 server type: string crypto_scheme: title: Crypto scheme type: integer dns_beaconing: minLength: 1 title: Dns beaconing type: string dns_get_type_a: minLength: 1 title: Dns get type a type: string dns_get_type_aaaa: minLength: 1 title: Dns get type aaaa type: string dns_get_type_txt: minLength: 1 title: Dns get type txt type: string dns_idle: minLength: 1 title: Dns idle type: string dns_put_metadata: minLength: 1 title: Dns put metadata type: string dns_put_output: minLength: 1 title: Dns put output type: string dns_resolver: minLength: 1 title: Dns resolver type: string dns_sleep: title: Dns sleep type: integer dns_strategy: minLength: 1 title: Dns strategy type: string dns_strategy_fail_seconds: title: Dns strategy fail seconds type: integer dns_strategy_fail_x: title: Dns strategy fail x type: integer dns_strategy_rotate_seconds: title: Dns strategy rotate seconds type: integer headers_to_remove: minLength: 1 
title: Headers to remove type: string host_header: minLength: 1 title: Host header type: string http_get_client: $ref: '#/definitions/ClientGetProfile' http_get_verb: minLength: 1 title: Http get verb type: string http_post_chunk: title: Http post chunk type: integer http_post_client: $ref: '#/definitions/ClientPostProfile' http_post_uri: minLength: 1 title: Http post uri type: string http_post_verb: minLength: 1 title: Http post verb type: string jitter: title: Jitter type: integer kill_date: minLength: 1 title: Kill date type: string malleable_c2_instructions: items: minLength: 1 type: string type: array max_dns: title: Max dns type: integer max_get_size: title: Max get size type: integer obfuscate_sections_info: minLength: 1 title: Obfuscate sections info type: string pipe_name: minLength: 1 title: Pipe name type: string port: title: Port type: integer proc_inject_allocation_method: minLength: 1 title: Proc inject allocation method type: string proc_inject_execute: items: minLength: 1 type: string type: array proc_inject_execute_custom: minLength: 1 title: Proc inject execute custom type: string proc_inject_prepend_append_x64: minLength: 1 title: Proc inject prepend append x64 type: string proc_inject_prepend_append_x86: minLength: 1 title: Proc inject prepend append x86 type: string proc_inject_stub: minLength: 1 title: Proc inject stub type: string proxy_behavior: minLength: 1 title: Proxy behavior type: string proxy_config: minLength: 1 title: Proxy config type: string proxy_password: minLength: 1 title: Proxy password type: string proxy_user: minLength: 1 title: Proxy user type: string public_key: minLength: 1 title: Public key type: string public_key_md5: minLength: 1 title: Public key md5 type: string retry_duration: title: Retry duration type: integer retry_increase_attempts: title: Retry increase attempts type: integer retry_max_attempts: title: Retry max attempts type: integer sleep_time: title: Sleep time type: integer smb_frame_header: minLength: 1 
title: Smb frame header type: string spawn_to: minLength: 1 title: Spawn to type: string spawnto_x64: minLength: 1 title: Spawnto x64 type: string spawnto_x86: minLength: 1 title: Spawnto x86 type: string ssh_banner: minLength: 1 title: Ssh banner type: string ssh_host: minLength: 1 title: Ssh host type: string ssh_password_plaintext: minLength: 1 title: Ssh password plaintext type: string ssh_password_pubkey: minLength: 1 title: Ssh password pubkey type: string ssh_port: title: Ssh port type: integer ssh_username: minLength: 1 title: Ssh username type: string tcp_frame_header: minLength: 1 title: Tcp frame header type: string user_agent: minLength: 1 title: User agent type: string watermark: title: Watermark type: integer watermark_hash: minLength: 1 title: Watermark hash type: string required: - b_cfg_caution - b_proc_inject_min_alloc_size - b_proc_inject_start_rwx - b_proc_inject_use_rwx - b_stage_cleanup - b_uses_cookies - beacon_type - c2_server - crypto_scheme - dns_beaconing - dns_get_type_a - dns_get_type_aaaa - dns_get_type_txt - dns_idle - dns_put_metadata - dns_put_output - dns_resolver - dns_sleep - dns_strategy - dns_strategy_fail_seconds - dns_strategy_fail_x - dns_strategy_rotate_seconds - headers_to_remove - host_header - http_get_client - http_get_verb - http_post_chunk - http_post_client - http_post_uri - http_post_verb - jitter - kill_date - malleable_c2_instructions - max_dns - max_get_size - obfuscate_sections_info - pipe_name - port - proc_inject_allocation_method - proc_inject_execute - proc_inject_execute_custom - proc_inject_prepend_append_x64 - proc_inject_prepend_append_x86 - proc_inject_stub - proxy_behavior - proxy_config - proxy_password - proxy_user - public_key - public_key_md5 - retry_duration - retry_increase_attempts - retry_max_attempts - sleep_time - smb_frame_header - spawn_to - spawnto_x64 - spawnto_x86 - ssh_banner - ssh_host - ssh_password_plaintext - ssh_password_pubkey - ssh_port - ssh_username - tcp_frame_header - 
user_agent - watermark - watermark_hash type: object CodeLogin: properties: code: minLength: 1 title: Code type: string ephemeral_token: minLength: 1 title: Ephemeral token type: string required: - code - ephemeral_token type: object CollectRawEvidences: properties: evt: title: Evt type: boolean fs: title: Fs type: boolean hives: title: Hives type: boolean logs: title: Logs type: boolean mft: title: Mft type: boolean prefetch: title: Prefetch type: boolean usn: title: Usn type: boolean type: object Collector: properties: allow_auto_update_by_policy: default: false title: Allow auto update by policy type: boolean auto_update_agents_per_minute: default: 15 minimum: 0 title: Auto update agents per minute type: integer enforce_agent_password: default: true title: Enforce agent password type: boolean show_agent_passwords_config_page: default: true title: Show agent passwords config page type: boolean type: object CommPortTamper: properties: comm_port_status: title: Comm port status type: integer eventtime_datetime: format: date-time title: Eventtime datetime type: string required: - comm_port_status - eventtime_datetime type: object Comment: properties: author_id: readOnly: true title: Author id type: integer author_username: readOnly: true title: Author username type: string comment: minLength: 1 title: Comment type: string datetime: format: date-time title: Datetime type: string id: format: uuid readOnly: true title: Id type: string last_modified_date: format: date-time readOnly: true title: Last modified date type: string resource: enum: - alert - case title: Resource type: string resource_id: minLength: 1 title: Resource id type: string required: - comment - datetime - resource_id type: object CommentResponse: properties: comments: items: $ref: '#/definitions/Comment' type: array required: - comments type: object ConfigConnectorStatus: properties: extra: title: Extra type: object last_check_date: format: date-time title: Last check date type: string x-nullable: true 
last_error: minLength: 1 title: Last error type: string x-nullable: true value: enum: - error - online - unknown title: Value type: string type: object x-nullable: true ConfigDownload: properties: config: $ref: '#/definitions/AllConfig' config_sections: $ref: '#/definitions/AllConfigSection' version: minLength: 1 title: Version type: string required: - config - version type: object Connection: properties: connection_state: minLength: 1 title: Connection state type: string dst_addr: minLength: 1 title: Dst addr type: string dst_port: title: Dst port type: integer ip_version: minLength: 1 title: Ip version type: string protocol: minLength: 1 title: Protocol type: string src_addr: minLength: 1 title: Src addr type: string src_port: title: Src port type: integer required: - connection_state - dst_addr - dst_port - ip_version - protocol - src_addr - src_port type: object ConnectorTest: properties: status: $ref: '#/definitions/ConfigConnectorStatus' required: - status type: object ControlVariousValues: properties: '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/DataAgent' binaryinfo: $ref: '#/definitions/BinaryInfoWithPath' controlset: minLength: 1 title: Controlset type: string id: minLength: 1 title: Id type: string item_status: title: Item status type: integer job_id: minLength: 1 title: Job id type: string job_instance_action: minLength: 1 title: Job instance action type: string job_instance_id: minLength: 1 title: Job instance id type: string job_instance_task_id: title: Job instance task id type: integer name: minLength: 1 title: Name type: string tenant: minLength: 1 title: Tenant type: string timestamp: format: date-time title: Timestamp type: string value: minLength: 1 title: Value type: string required: - '@timestamp' - agent - binaryinfo - controlset - id - item_status - job_id - job_instance_action - job_instance_id - job_instance_task_id - name - tenant - timestamp - value type: object Conversation: properties: 
creation_date: format: date-time readOnly: true title: Creation date type: string id: format: uuid title: Id type: string last_update: format: date-time readOnly: true title: Last update type: string requests: items: $ref: '#/definitions/InnerRequest' type: array required: - id - requests type: object CorrelationEvent: properties: event_id: minLength: 1 title: Event id type: string is_standalone_rule: title: Is standalone rule type: boolean rule_id: minLength: 1 title: Rule id type: string rule_name: minLength: 1 title: Rule name type: string timestamp: format: date-time title: Timestamp type: string required: - event_id - is_standalone_rule - rule_id - rule_name - timestamp type: object CorrelationInfo: properties: end_timestamp: format: date-time title: End timestamp type: string events: items: $ref: '#/definitions/CorrelationEvent' type: array group_by_fields: items: $ref: '#/definitions/KeyValueDoc' type: array is_group_by_process: title: Is group by process type: boolean start_timestamp: format: date-time title: Start timestamp type: string value_count_values: items: minLength: 1 type: string type: array required: - end_timestamp - events - group_by_fields - is_group_by_process - start_timestamp - value_count_values type: object CorrelationPagination: properties: count: title: Count type: integer next: minLength: 1 title: Next type: string x-nullable: true previous: minLength: 1 title: Previous type: string x-nullable: true results: items: $ref: '#/definitions/CorrelationRule' type: array source: $ref: '#/definitions/CorrelationSource' required: - count - results type: object CorrelationRule: properties: alert_count: readOnly: true title: Alert count type: integer block_on_agent: title: Block on agent type: boolean content: minLength: 1 title: Content type: string creation_date: format: date-time readOnly: true title: Creation date type: string declared_in: title: Declared in type: string x-nullable: true effective_state: enum: - alert - backend_alert - block 
- disabled - quarantine readOnly: true title: Effective state type: string enabled: title: Enabled type: boolean endpoint_detection: default: true readOnly: true title: Endpoint detection type: boolean errors: minLength: 1 readOnly: true title: Errors type: string x-nullable: true global_state: enum: - alert - backend_alert - block - disabled - quarantine title: Global state type: string hl_local_testing_status: description: deprecated title: Hl local testing status type: string x-nullable: true hl_status: enum: - experimental - stable - testing title: Hl status type: string hl_testing_start_time: format: date-time readOnly: true title: Hl testing start time type: string id: minLength: 1 readOnly: true title: Id type: string inner_correlation: items: $ref: '#/definitions/InnerCorrelationRule' readOnly: true type: array inner_rule_counts: $ref: '#/definitions/InnerRuleCounts' inner_sigma: items: $ref: '#/definitions/InnerSigmaRule' readOnly: true type: array is_valid: readOnly: true title: Is valid type: boolean last_modifier: $ref: '#/definitions/HlSimpleUserSerializer' last_update: format: date-time readOnly: true title: Last update type: string name: maxLength: 100 minLength: 1 title: Name type: string origin_stack: $ref: '#/definitions/OriginStack' origin_stack_id: minLength: 1 readOnly: true title: Origin stack id type: string x-nullable: true quarantine_on_agent: title: Quarantine on agent type: boolean references: items: minLength: 1 title: References type: string type: array rule_confidence: enum: - moderate - strong - weak readOnly: true title: Rule confidence type: string x-nullable: true rule_confidence_override: enum: - moderate - strong - weak title: Rule confidence override type: string x-nullable: true rule_creation_date: format: date readOnly: true title: Rule creation date type: string x-nullable: true rule_dependencies: items: additionalProperties: type: string x-nullable: true type: object readOnly: true type: array rule_description: minLength: 1 
readOnly: true title: Rule description type: string x-nullable: true rule_effective_confidence: enum: - moderate - strong - weak readOnly: true title: Rule effective confidence type: string rule_effective_level: enum: - critical - high - informational - low - medium readOnly: true title: Rule effective level type: string rule_id: minLength: 1 readOnly: true title: Rule id type: string x-nullable: true rule_is_depended_on: items: additionalProperties: type: string x-nullable: true type: object readOnly: true type: array rule_level: enum: - critical - high - informational - low - medium readOnly: true title: Rule level type: string x-nullable: true rule_level_overridden: readOnly: true title: Rule level overridden type: boolean rule_level_override: enum: - critical - high - informational - low - medium title: Rule level override type: string x-nullable: true rule_modified_date: format: date readOnly: true title: Rule modified date type: string x-nullable: true rule_name: minLength: 1 readOnly: true title: Rule name type: string x-nullable: true rule_status: minLength: 1 readOnly: true title: Rule status type: string x-nullable: true rule_tactic_tags: items: maxLength: 256 minLength: 1 title: Rule tactic tags type: string readOnly: true type: array rule_technique_tags: items: maxLength: 256 minLength: 1 title: Rule technique tags type: string readOnly: true type: array rule_type: readOnly: true title: Rule type type: string silent: title: Silent type: boolean source: readOnly: true title: Source type: string source_id: minLength: 1 title: Source id type: string synchronization_status: format: uuid title: Synchronization status type: string x-nullable: true tenant: minLength: 1 readOnly: true title: Tenant type: string test_maturity_current_count: readOnly: true title: Test maturity current count type: integer test_maturity_delay: readOnly: true title: Test maturity delay type: integer test_maturity_threshold: readOnly: true title: Test maturity threshold type: integer 
warnings: minLength: 1 readOnly: true title: Warnings type: string x-nullable: true whitelist_count: readOnly: true title: Whitelist count type: integer required: - content - name - source_id type: object CorrelationRuleLinkedToCorrelationRuleResponse: properties: code: default: unknown_error enum: - linked_correlation_rule - unknown_error title: Code type: string correlation_rule: $ref: '#/definitions/SimpleCorrelationRuleAndSourceSerializer' details: minLength: 1 title: Details type: string linked_correlation: items: $ref: '#/definitions/SimpleCorrelationRuleAndSourceSerializer' type: array required: - correlation_rule - details - linked_correlation type: object CorrelationRulesetPagination: properties: count: title: Count type: integer next: minLength: 1 title: Next type: string x-nullable: true previous: minLength: 1 title: Previous type: string x-nullable: true results: items: $ref: '#/definitions/CorrelationRulesetRule' type: array source: $ref: '#/definitions/CorrelationSource' required: - count - results type: object CorrelationRulesetResponse: properties: actions: $ref: '#/definitions/Actions' rule_ids: items: minLength: 1 type: string type: array set_default: title: Set default type: boolean source: $ref: '#/definitions/CorrelationRulesetSource' state: enum: - alert - backend_alert - block - default - disabled - quarantine title: State type: string required: - rule_ids - set_default - source - state type: object CorrelationRulesetRule: properties: alert_count: readOnly: true title: Alert count type: integer block_on_agent: readOnly: true title: Block on agent type: boolean content: minLength: 1 readOnly: true title: Content type: string creation_date: format: date-time readOnly: true title: Creation date type: string declared_in: readOnly: true title: Declared in type: string x-nullable: true effective_state: enum: - alert - backend_alert - block - disabled - quarantine readOnly: true title: Effective state type: string enabled: readOnly: true title: 
Enabled type: boolean endpoint_detection: default: true readOnly: true title: Endpoint detection type: boolean errors: minLength: 1 readOnly: true title: Errors type: string x-nullable: true global_state: enum: - alert - backend_alert - block - disabled - quarantine readOnly: true title: Global state type: string hl_status: enum: - experimental - stable - testing readOnly: true title: Hl status type: string hl_testing_start_time: format: date-time readOnly: true title: Hl testing start time type: string id: minLength: 1 readOnly: true title: Id type: string inner_correlation: items: $ref: '#/definitions/InnerCorrelationRule' readOnly: true type: array inner_rule_counts: $ref: '#/definitions/InnerRuleCounts' inner_sigma: items: $ref: '#/definitions/InnerSigmaRule' readOnly: true type: array is_valid: readOnly: true title: Is valid type: boolean last_modifier: $ref: '#/definitions/HlSimpleUserSerializer' last_update: format: date-time readOnly: true title: Last update type: string name: maxLength: 100 minLength: 1 readOnly: true title: Name type: string origin_stack: $ref: '#/definitions/OriginStack' origin_stack_id: minLength: 1 readOnly: true title: Origin stack id type: string x-nullable: true quarantine_on_agent: readOnly: true title: Quarantine on agent type: boolean references: items: minLength: 1 title: References type: string readOnly: true type: array rule_confidence: enum: - moderate - strong - weak readOnly: true title: Rule confidence type: string x-nullable: true rule_confidence_override: enum: - moderate - strong - weak readOnly: true title: Rule confidence override type: string x-nullable: true rule_creation_date: format: date readOnly: true title: Rule creation date type: string x-nullable: true rule_dependencies: items: additionalProperties: type: string x-nullable: true type: object readOnly: true type: array rule_description: minLength: 1 readOnly: true title: Rule description type: string x-nullable: true rule_effective_confidence: enum: - 
moderate - strong - weak readOnly: true title: Rule effective confidence type: string rule_effective_level: enum: - critical - high - informational - low - medium readOnly: true title: Rule effective level type: string rule_id: minLength: 1 readOnly: true title: Rule id type: string x-nullable: true rule_is_depended_on: items: additionalProperties: type: string x-nullable: true type: object readOnly: true type: array rule_level: enum: - critical - high - informational - low - medium readOnly: true title: Rule level type: string x-nullable: true rule_level_overridden: readOnly: true title: Rule level overridden type: boolean rule_level_override: enum: - critical - high - informational - low - medium readOnly: true title: Rule level override type: string x-nullable: true rule_modified_date: format: date readOnly: true title: Rule modified date type: string x-nullable: true rule_name: minLength: 1 readOnly: true title: Rule name type: string x-nullable: true rule_status: minLength: 1 readOnly: true title: Rule status type: string x-nullable: true rule_tactic_tags: items: maxLength: 256 minLength: 1 title: Rule tactic tags type: string readOnly: true type: array rule_technique_tags: items: maxLength: 256 minLength: 1 title: Rule technique tags type: string readOnly: true type: array rule_type: readOnly: true title: Rule type type: string ruleset_rule: $ref: '#/definitions/RulesetRuleSerializer' ruleset_rule_default: readOnly: true title: Ruleset rule default type: boolean silent: readOnly: true title: Silent type: boolean source: readOnly: true title: Source type: string source_id: minLength: 1 readOnly: true title: Source id type: string state: enum: - alert - backend_alert - block - default - disabled - quarantine readOnly: true title: State type: string synchronization_status: format: uuid readOnly: true title: Synchronization status type: string x-nullable: true tenant: minLength: 1 readOnly: true title: Tenant type: string warnings: minLength: 1 readOnly: true 
title: Warnings type: string x-nullable: true whitelist_count: readOnly: true title: Whitelist count type: integer type: object CorrelationRulesetSource: properties: alert_rule_count: default: 0 readOnly: true title: Alert rule count type: integer block_on_agent: title: Block on agent type: boolean block_rule_count: default: 0 readOnly: true title: Block rule count type: integer creation_date: format: date-time readOnly: true title: Creation date type: string default_rule_count: minimum: 0 readOnly: true title: Default rule count type: integer description: title: Description type: string disabled_rule_count: default: 0 readOnly: true title: Disabled rule count type: integer effective_state: enum: - alert - backend_alert - block - disabled - quarantine readOnly: true title: Effective state type: string enabled: title: Enabled type: boolean endpoint_detection: title: Endpoint detection type: boolean global_state: enum: - alert - backend_alert - block - disabled - quarantine title: Global state type: string id: minLength: 1 readOnly: true title: Id type: string last_modifier: $ref: '#/definitions/HlSimpleUserSerializer' last_update: format: date-time readOnly: true title: Last update type: string name: maxLength: 100 minLength: 1 title: Name type: string new_rule_state: default: default enum: - alert - backend_alert - block - default - disabled - quarantine title: New rule state type: string origin_stack: $ref: '#/definitions/OriginStack' origin_stack_id: minLength: 1 readOnly: true title: Origin stack id type: string x-nullable: true quarantine_on_agent: title: Quarantine on agent type: boolean quarantine_rule_count: default: 0 readOnly: true title: Quarantine rule count type: integer rule_confidence_default: enum: - moderate - strong - weak title: Rule confidence default type: string rule_count: default: 0 readOnly: true title: Rule count type: integer rule_disabled_count: default: 0 readOnly: true title: Rule disabled count type: integer rule_enabled_count: 
default: 0 readOnly: true title: Rule enabled count type: integer rule_experimental_count: default: 0 readOnly: true title: Rule experimental count type: integer rule_level_default: enum: - critical - high - informational - low - medium title: Rule level default type: string rule_stable_count: default: 0 readOnly: true title: Rule stable count type: integer rule_testing_count: default: 0 readOnly: true title: Rule testing count type: integer ruleset_source: $ref: '#/definitions/RulesetSourceSerializer' ruleset_source_rule_default: $ref: '#/definitions/RulesetSourceRuleDefaultSerializer' state: default: default enum: - alert - backend_alert - block - default - disabled - force_inherit - quarantine title: State type: string tenant: minLength: 1 readOnly: true title: Tenant type: string required: - name type: object CorrelationSource: properties: block_on_agent: title: Block on agent type: boolean creation_date: format: date-time readOnly: true title: Creation date type: string description: title: Description type: string effective_state: enum: - alert - backend_alert - block - disabled - quarantine readOnly: true title: Effective state type: string enabled: title: Enabled type: boolean endpoint_detection: title: Endpoint detection type: boolean global_state: enum: - alert - backend_alert - block - disabled - quarantine title: Global state type: string id: minLength: 1 readOnly: true title: Id type: string last_modifier: $ref: '#/definitions/HlSimpleUserSerializer' last_update: format: date-time readOnly: true title: Last update type: string name: maxLength: 100 minLength: 1 title: Name type: string origin_stack: $ref: '#/definitions/OriginStack' origin_stack_id: minLength: 1 readOnly: true title: Origin stack id type: string x-nullable: true quarantine_on_agent: title: Quarantine on agent type: boolean rule_confidence_default: enum: - moderate - strong - weak title: Rule confidence default type: string rule_count: default: 0 readOnly: true title: Rule count type: 
integer rule_disabled_count: default: 0 readOnly: true title: Rule disabled count type: integer rule_enabled_count: default: 0 readOnly: true title: Rule enabled count type: integer rule_experimental_count: default: 0 readOnly: true title: Rule experimental count type: integer rule_level_default: enum: - critical - high - informational - low - medium title: Rule level default type: string rule_stable_count: default: 0 readOnly: true title: Rule stable count type: integer rule_testing_count: default: 0 readOnly: true title: Rule testing count type: integer tenant: minLength: 1 readOnly: true title: Tenant type: string required: - name type: object CreateAntivirusPolicy: properties: antivirus_slug: enum: - hurukaiav - windowsdefender title: Antivirus slug type: string description: title: Description type: string x-nullable: true hurukaiav: $ref: '#/definitions/HlAntivirus' id: format: uuid title: Id type: string name: maxLength: 256 minLength: 1 title: Name type: string windowsdefender: $ref: '#/definitions/WindowsDefender' required: - antivirus_slug - name type: object CreateCorrelationRule: properties: alert_count: readOnly: true title: Alert count type: integer block_on_agent: title: Block on agent type: boolean content: minLength: 1 title: Content type: string creation_date: format: date-time readOnly: true title: Creation date type: string declared_in: title: Declared in type: string x-nullable: true effective_state: enum: - alert - backend_alert - block - disabled - quarantine readOnly: true title: Effective state type: string enabled: title: Enabled type: boolean endpoint_detection: default: true readOnly: true title: Endpoint detection type: boolean errors: minLength: 1 readOnly: true title: Errors type: string x-nullable: true global_state: enum: - alert - backend_alert - block - disabled - quarantine title: Global state type: string hl_local_testing_status: description: deprecated title: Hl local testing status type: string x-nullable: true hl_status: enum: 
- experimental - stable - testing title: Hl status type: string hl_testing_start_time: format: date-time readOnly: true title: Hl testing start time type: string id: minLength: 1 readOnly: true title: Id type: string inner_correlation: items: $ref: '#/definitions/InnerCorrelationRule' readOnly: true type: array inner_rule_counts: $ref: '#/definitions/InnerRuleCounts' inner_sigma: items: $ref: '#/definitions/InnerSigmaRule' readOnly: true type: array is_valid: readOnly: true title: Is valid type: boolean last_modifier: $ref: '#/definitions/HlSimpleUserSerializer' last_update: format: date-time readOnly: true title: Last update type: string name: maxLength: 100 minLength: 1 title: Name type: string origin_stack: $ref: '#/definitions/OriginStack' origin_stack_id: minLength: 1 readOnly: true title: Origin stack id type: string x-nullable: true overwrite: default: false title: Overwrite type: boolean quarantine_on_agent: title: Quarantine on agent type: boolean references: items: minLength: 1 title: References type: string type: array rule_confidence: enum: - moderate - strong - weak readOnly: true title: Rule confidence type: string x-nullable: true rule_confidence_override: enum: - moderate - strong - weak title: Rule confidence override type: string x-nullable: true rule_creation_date: format: date readOnly: true title: Rule creation date type: string x-nullable: true rule_dependencies: items: additionalProperties: type: string x-nullable: true type: object readOnly: true type: array rule_description: minLength: 1 readOnly: true title: Rule description type: string x-nullable: true rule_effective_confidence: enum: - moderate - strong - weak readOnly: true title: Rule effective confidence type: string rule_effective_level: enum: - critical - high - informational - low - medium readOnly: true title: Rule effective level type: string rule_id: minLength: 1 readOnly: true title: Rule id type: string x-nullable: true rule_is_depended_on: items: additionalProperties: type: 
string x-nullable: true type: object readOnly: true type: array rule_level: enum: - critical - high - informational - low - medium readOnly: true title: Rule level type: string x-nullable: true rule_level_overridden: readOnly: true title: Rule level overridden type: boolean rule_level_override: enum: - critical - high - informational - low - medium title: Rule level override type: string x-nullable: true rule_modified_date: format: date readOnly: true title: Rule modified date type: string x-nullable: true rule_name: minLength: 1 readOnly: true title: Rule name type: string x-nullable: true rule_status: minLength: 1 readOnly: true title: Rule status type: string x-nullable: true rule_tactic_tags: items: maxLength: 256 minLength: 1 title: Rule tactic tags type: string readOnly: true type: array rule_technique_tags: items: maxLength: 256 minLength: 1 title: Rule technique tags type: string readOnly: true type: array rule_type: readOnly: true title: Rule type type: string silent: title: Silent type: boolean source: readOnly: true title: Source type: string source_id: minLength: 1 title: Source id type: string synchronization_status: format: uuid title: Synchronization status type: string x-nullable: true tenant: minLength: 1 readOnly: true title: Tenant type: string test_maturity_current_count: readOnly: true title: Test maturity current count type: integer test_maturity_delay: readOnly: true title: Test maturity delay type: integer test_maturity_threshold: readOnly: true title: Test maturity threshold type: integer warnings: minLength: 1 readOnly: true title: Warnings type: string x-nullable: true whitelist_count: readOnly: true title: Whitelist count type: integer required: - content - name - source_id type: object CreateFIMPathExclusionSerializerForBulk: properties: os_type: enum: - linux - macos - windows title: Os type type: string path: minLength: 1 title: Path type: string path_type: enum: - directory - file - recursive_directory title: Path type type: string 
required: - os_type - path - path_type type: object CreateFIMPathInclusionSerializerForBulk: properties: criticality: enum: - critical - high - low - medium title: Criticality type: string os_type: enum: - linux - macos - windows title: Os type type: string path: minLength: 1 title: Path type: string path_type: enum: - directory - file - recursive_directory title: Path type type: string scan_type: enum: - content - metadata - metadata and content title: Scan type type: string required: - criticality - os_type - path - path_type - scan_type type: object CreateFIMPolicy: properties: description: title: Description type: string x-nullable: true id: format: uuid title: Id type: string name: maxLength: 256 minLength: 1 title: Name type: string periodicity: $ref: '#/definitions/CreateSchedule' required: - name - periodicity type: object CreateFirewallNetwork: properties: description: title: Description type: string x-nullable: true name: maxLength: 256 title: Name type: string x-nullable: true type: object CreateFirewallPolicy: properties: default_profile_id: format: uuid title: Default profile id type: string description: title: Description type: string x-nullable: true name: maxLength: 256 minLength: 1 title: Name type: string required: - name type: object CreateFirewallRule: properties: action: enum: - Allow - Drop - Reject title: Action type: string description: title: Description type: string x-nullable: true direction: enum: - Both - In - Out title: Direction type: string enabled: title: Enabled type: boolean id: format: uuid title: Id type: string ip_version: enum: - Both - IPv4 - IPv6 title: Ip version type: string local_application: maxLength: 256 title: Local application type: string x-nullable: true local_ip: $ref: '#/definitions/FirewallIp' local_ports: items: $ref: '#/definitions/FirewallPort' type: array name: maxLength: 256 title: Name type: string x-nullable: true profile_id: format: uuid title: Profile id type: string protocol: enum: - ICMP - IPV6_ICMP - 
TCP - UDP title: Protocol type: string x-nullable: true remote_ip: $ref: '#/definitions/FirewallIp' remote_ports: items: $ref: '#/definitions/FirewallPort' type: array required: - profile_id type: object CreateRuleResponse: properties: status: items: $ref: '#/definitions/_UploadStatus' type: array type: object CreateSchedule: properties: end_at: format: date-time title: End at type: string x-nullable: true execution_time: format: date-time title: Execution time type: string x-nullable: true repeat_every: $ref: '#/definitions/ScheduleRepeat' week_days: items: enum: - 0 - 1 - 2 - 3 - 4 - 5 - 6 title: Week days type: integer type: array required: - execution_time - repeat_every type: object CreateTemporaryWhitelistRule: properties: comment: title: Comment type: string x-nullable: true correlation_embedded_rule_id: format: uuid title: Correlation embedded rule id type: string x-nullable: true correlation_rule_id: format: uuid title: Correlation rule id type: string x-nullable: true criteria: items: $ref: '#/definitions/CreateWhitelistRuleCriteria' type: array enabled: title: Enabled type: boolean expiration_date: format: date-time title: Expiration date type: string x-nullable: true security_event_from_status: default: - new items: enum: - closed - false_positive - investigating - new type: string type: array security_event_new_status: enum: - closed - false_positive - investigating title: Security event new status type: string sigma_rule_id: title: Sigma rule id type: string x-nullable: true target: enum: - all - cape - correlation - glimps - hlai - hlaiscripts - hurukaiav - ioc - kernelguard - orion - ransom - selfprotection - sidewatch - sigma - telemetry_amsi_scan - telemetry_authentication - telemetry_bpf - telemetry_dns_resolution - telemetry_driver_load - telemetry_etw_ti_ke_insert_queue_apc - telemetry_etw_ti_nt_allocate_virtual_memory - telemetry_etw_ti_nt_map_view_of_section - telemetry_etw_ti_nt_protect_virtual_memory - 
telemetry_etw_ti_nt_read_virtual_memory - telemetry_etw_ti_nt_resume_process - telemetry_etw_ti_nt_resume_thread - telemetry_etw_ti_nt_set_context_thread - telemetry_etw_ti_nt_suspend_process - telemetry_etw_ti_nt_suspend_thread - telemetry_etw_ti_nt_write_virtual_memory - telemetry_eventlog - telemetry_file - telemetry_group_event - telemetry_injected_thread - telemetry_kube_pod_event - telemetry_library_load - telemetry_named_pipe - telemetry_network - telemetry_network_listen - telemetry_powershell - telemetry_process - telemetry_process_access - telemetry_process_duplicate_handle - telemetry_process_ptrace - telemetry_process_tamper - telemetry_raw_device_access - telemetry_raw_socket_creation - telemetry_registry - telemetry_remote_thread - telemetry_scheduled_task - telemetry_url_request - telemetry_usb_activity - telemetry_user_event - telemetry_win32k_get_async_key_state - telemetry_win32k_register_raw_input_devices - telemetry_win32k_set_windows_hook_ex - telemetry_windows_service - telemetry_wmi_event - vt - yara - yara_memory title: Target type: string required: - criteria - security_event_new_status type: object CreateVulnerabilityPolicy: properties: assigned_endpoint_policy_ids: items: minLength: 1 type: string type: array x-nullable: true description: title: Description type: string x-nullable: true name: maxLength: 256 minLength: 1 title: Name type: string required: - name type: object CreateWhitelistRule: properties: apply_retroactively: default: false title: Apply retroactively type: boolean comment: title: Comment type: string x-nullable: true correlation_embedded_rule_id: format: uuid title: Correlation embedded rule id type: string x-nullable: true correlation_rule_id: format: uuid title: Correlation rule id type: string x-nullable: true criteria: items: $ref: '#/definitions/CreateWhitelistRuleCriteria' type: array enabled: title: Enabled type: boolean expiration_date: format: date-time title: Expiration date type: string x-nullable: true 
security_event_from_status: default: - new items: enum: - closed - false_positive - investigating - new type: string type: array security_event_new_status: default: false_positive enum: - closed - false_positive - investigating title: Security event new status type: string sigma_rule_id: title: Sigma rule id type: string x-nullable: true target: enum: - all - cape - correlation - glimps - hlai - hlaiscripts - hurukaiav - ioc - kernelguard - orion - ransom - selfprotection - sidewatch - sigma - telemetry_amsi_scan - telemetry_authentication - telemetry_bpf - telemetry_dns_resolution - telemetry_driver_load - telemetry_etw_ti_ke_insert_queue_apc - telemetry_etw_ti_nt_allocate_virtual_memory - telemetry_etw_ti_nt_map_view_of_section - telemetry_etw_ti_nt_protect_virtual_memory - telemetry_etw_ti_nt_read_virtual_memory - telemetry_etw_ti_nt_resume_process - telemetry_etw_ti_nt_resume_thread - telemetry_etw_ti_nt_set_context_thread - telemetry_etw_ti_nt_suspend_process - telemetry_etw_ti_nt_suspend_thread - telemetry_etw_ti_nt_write_virtual_memory - telemetry_eventlog - telemetry_file - telemetry_group_event - telemetry_injected_thread - telemetry_kube_pod_event - telemetry_library_load - telemetry_named_pipe - telemetry_network - telemetry_network_listen - telemetry_powershell - telemetry_process - telemetry_process_access - telemetry_process_duplicate_handle - telemetry_process_ptrace - telemetry_process_tamper - telemetry_raw_device_access - telemetry_raw_socket_creation - telemetry_registry - telemetry_remote_thread - telemetry_scheduled_task - telemetry_url_request - telemetry_usb_activity - telemetry_user_event - telemetry_win32k_get_async_key_state - telemetry_win32k_register_raw_input_devices - telemetry_win32k_set_windows_hook_ex - telemetry_windows_service - telemetry_wmi_event - vt - yara - yara_memory title: Target type: string required: - criteria type: object CreateWhitelistRuleCriteria: properties: case_insensitive: default: false title: Case insensitive 
type: boolean field: minLength: 1 title: Field type: string operator: enum: - contains - eq - ncontains - neq - nwildcard - regex - wildcard title: Operator type: string sub_criteria: items: $ref: '#/definitions/WhitelistRuleSubCriterion' type: array x-nullable: true value: title: Value type: string required: - field type: object CredentialProvider: properties: '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/DataAgent' clsid_description: minLength: 1 title: Clsid description type: string clsid_details: $ref: '#/definitions/CLSID' clsid_name: minLength: 1 title: Clsid name type: string clsid_timestamp: format: date-time title: Clsid timestamp type: string id: minLength: 1 title: Id type: string item_status: title: Item status type: integer job_id: minLength: 1 title: Job id type: string job_instance_action: minLength: 1 title: Job instance action type: string job_instance_id: minLength: 1 title: Job instance id type: string job_instance_task_id: title: Job instance task id type: integer tenant: minLength: 1 title: Tenant type: string type: minLength: 1 title: Type type: string wow64: title: Wow64 type: boolean required: - '@timestamp' - agent - clsid_description - clsid_details - clsid_name - clsid_timestamp - id - item_status - job_id - job_instance_action - job_instance_id - job_instance_task_id - tenant - type - wow64 type: object Customization: properties: stack_name: title: Stack name type: string x-nullable: true type: object Cve: properties: cvss_metric_base_score: title: Cvss metric base score type: number cvss_metric_exploitability_score: title: Cvss metric exploitability score type: number cvss_metric_impact_score: title: Cvss metric impact score type: number cvss_metric_severity: enum: - CRITICAL - HIGH - LOW - MEDIUM - NONE readOnly: true title: Cvss metric severity type: string cvss_metric_vector_string: minLength: 1 title: Cvss metric vector string type: string cvss_metric_version: minLength: 1 title: Cvss 
metric version type: string description: minLength: 1 title: Description type: string hidden: title: Hidden type: boolean id: minLength: 1 title: Id type: string last_modified: format: date-time title: Last modified type: string published: format: date-time title: Published type: string source_identifier: minLength: 1 title: Source identifier type: string required: - cvss_metric_base_score - cvss_metric_exploitability_score - cvss_metric_impact_score - cvss_metric_vector_string - cvss_metric_version - description - id - last_modified - published - source_identifier type: object CveDetails: properties: affected_applications: items: $ref: '#/definitions/AffectedApplication' readOnly: true type: array cvss_metric_base_score: title: Cvss metric base score type: number cvss_metric_severity: enum: - CRITICAL - HIGH - LOW - MEDIUM - NONE readOnly: true title: Cvss metric severity type: string description: minLength: 1 title: Description type: string hidden: title: Hidden type: boolean id: minLength: 1 title: Id type: string last_modified: format: date-time title: Last modified type: string nb_impacted_endpoints: title: Nb impacted endpoints type: integer published: format: date-time title: Published type: string source_identifier: minLength: 1 title: Source identifier type: string required: - cvss_metric_base_score - description - id - last_modified - nb_impacted_endpoints - published - source_identifier type: object CveId: properties: id: minLength: 1 title: Id type: string required: - id type: object CveIdList: properties: ids: items: minLength: 1 type: string type: array required: - ids type: object CveUpdateVisibility: properties: cve_ids: items: minLength: 1 type: string type: array hidden: title: Hidden type: boolean required: - cve_ids - hidden type: object CveVulnerabilitiesAggregation: properties: applications: items: $ref: '#/definitions/ShortInstallation' type: array cvss_metric_base_score: title: Cvss metric base score type: integer cvss_metric_severity: enum: 
- CRITICAL - HIGH - LOW - MEDIUM - NONE readOnly: true title: Cvss metric severity type: string description: minLength: 1 title: Description type: string hidden: title: Hidden type: boolean id: minLength: 1 title: Id type: string last_modified: format: date-time title: Last modified type: string nb_endpoints: title: Nb endpoints type: integer published: format: date-time title: Published type: string required: - applications - cvss_metric_base_score - description - hidden - id - last_modified - nb_endpoints - published type: object CveVulnerabilitiesAggregationForEndpoint: properties: cvss_metric_base_score: title: Cvss metric base score type: integer cvss_metric_severity: enum: - CRITICAL - HIGH - LOW - MEDIUM - NONE readOnly: true title: Cvss metric severity type: string id: minLength: 1 title: Id type: string nb_endpoints: title: Nb endpoints type: integer required: - cvss_metric_base_score - id - nb_endpoints type: object CveVulnerabilitiesAggregationListing: properties: count: title: Count type: integer next: minLength: 1 title: Next type: string x-nullable: true previous: minLength: 1 title: Previous type: string x-nullable: true results: items: $ref: '#/definitions/CveVulnerabilitiesAggregation' type: array required: - count - results type: object CyberKillChain: properties: command_and_control: default: 0 title: Command and control type: integer exploitation: default: 0 title: Exploitation type: integer impacts: default: 0 title: Impacts type: integer installation: default: 0 title: Installation type: integer intrusion: default: 0 title: Intrusion type: integer type: object DNSResolution: properties: '@event_create_date': format: date-time title: '@event create date' type: string '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/InnerAgent' groups: $ref: '#/definitions/InnerGroup' id: minLength: 1 title: Id type: string ip_addresses: items: minLength: 1 type: string type: array log_type: minLength: 1 title: Log 
type type: string origin_stack: $ref: '#/definitions/OriginStack' pid: title: Pid type: integer process_image_path: minLength: 1 title: Process image path type: string process_unique_id: minLength: 1 title: Process unique id type: string query_type: minLength: 1 title: Query type type: string raw_windows_resolver_results: minLength: 1 title: Raw windows resolver results type: string requested_name: minLength: 1 title: Requested name type: string status: minLength: 1 title: Status type: string tenant: minLength: 1 title: Tenant type: string text_records: items: minLength: 1 type: string type: array username: minLength: 1 title: Username type: string required: - '@event_create_date' - '@timestamp' - agent - groups - id - ip_addresses - log_type - pid - process_image_path - process_unique_id - query_type - raw_windows_resolver_results - requested_name - status - tenant - text_records - username type: object DailyStat: properties: count: default: 0 title: Count type: integer date: title: Date type: integer results: $ref: '#/definitions/DailyStatResult' required: - date - results type: object DailyStatLevel: properties: critical: default: 0 title: Critical type: integer high: default: 0 title: High type: integer low: default: 0 title: Low type: integer medium: default: 0 title: Medium type: integer type: object DailyStatResult: properties: level: $ref: '#/definitions/DailyStatLevel' status: $ref: '#/definitions/DailyStatStatus' required: - level - status type: object DailyStatStatus: properties: closed: default: 0 title: Closed type: integer investigate: default: 0 title: Investigate type: integer new: default: 0 title: New type: integer type: object DailyStats: properties: count: default: 0 title: Count type: integer stats: items: $ref: '#/definitions/DailyStat' type: array required: - stats type: object Data: properties: data: items: type: string x-nullable: true type: array required: - data type: object DataAgent: properties: additional_info: $ref: 
'#/definitions/InnerAgentAdditionalInfo' agentid: minLength: 1 title: Agentid type: string distroid: minLength: 1 title: Distroid type: string domainname: minLength: 1 title: Domainname type: string hostname: minLength: 1 title: Hostname type: string osmajor: title: Osmajor type: integer osminor: title: Osminor type: integer osproducttype: minLength: 1 title: Osproducttype type: string ostype: minLength: 1 title: Ostype type: string producttype: minLength: 1 title: Producttype type: string required: - additional_info - agentid - distroid - domainname - hostname - osmajor - osminor - osproducttype - ostype - producttype type: object DataExplorationPermissions: properties: can_browse_and_manage: title: Can browse and manage type: boolean can_download_files: title: Can download files type: boolean can_use_search: title: Can use search type: boolean can_view_telemetry: title: Can view telemetry type: boolean investigations: enum: - disabled - read_only - read_write title: Investigations type: string required: - can_browse_and_manage - can_download_files - can_use_search - can_view_telemetry - investigations type: object DebugPermissions: properties: profile_memory: enum: - disabled - read_only - read_write title: Profile memory type: string required: - profile_memory type: object DeleteFIM: properties: ids: items: format: uuid type: string type: array required: - ids type: object DeleteFromQuarantine: properties: values: items: $ref: '#/definitions/DeleteFromQuarantineItem' type: array required: - values type: object DeleteFromQuarantineItem: properties: local_id: format: uuid title: Local id type: string original_file_path: minLength: 1 title: Original file path type: string original_hash: minLength: 1 title: Original hash type: string type: object DeleteScheduledTask: properties: schtask_uri: minLength: 1 title: Schtask uri type: string required: - schtask_uri type: object DeleteService: properties: service_name: minLength: 1 title: Service name type: string 
required: - service_name type: object DeleteSourceItemsBody: properties: ids: items: format: uuid type: string type: array required: - ids type: object DeleteVulnerabilityPolicies: properties: ids: items: format: uuid type: string type: array required: - ids type: object DetailAmsiScan: properties: app_name: minLength: 1 title: App name type: string application: enum: - dotnet - jscript - office_vba - other - powershell - vbscript - vss - wmi title: Application type: string content_name: minLength: 1 title: Content name type: string event_time: format: date-time title: Event time type: string text_payload: minLength: 1 title: Text payload type: string required: - app_name - application - content_name - event_time - text_payload type: object DetailConnection: properties: DestinationIp: minLength: 1 title: Destinationip type: string DestinationPort: title: Destinationport type: integer Initiated: title: Initiated type: boolean Protocol: minLength: 1 title: Protocol type: string ProtocolNumber: title: Protocolnumber type: integer SourceIp: minLength: 1 title: Sourceip type: string SourcePort: title: Sourceport type: integer connection_closed_time: format: date-time title: Connection closed time type: string connection_start_time: format: date-time title: Connection start time type: string connection_successful: title: Connection successful type: boolean connection_unique_id: minLength: 1 title: Connection unique id type: string incoming_bytes: title: Incoming bytes type: integer incoming_protocol: $ref: '#/definitions/ApplicationProtocol' kind: minLength: 1 title: Kind type: string outgoing_bytes: title: Outgoing bytes type: integer outgoing_protocol: $ref: '#/definitions/ApplicationProtocol' required: - DestinationIp - DestinationPort - Initiated - Protocol - ProtocolNumber - SourceIp - SourcePort - connection_closed_time - connection_start_time - connection_successful - connection_unique_id - incoming_bytes - incoming_protocol - kind - outgoing_bytes - 
outgoing_protocol type: object DetailDnsResolution: properties: ip_addresses: items: minLength: 1 type: string type: array query_type: minLength: 1 title: Query type type: string raw_windows_resolver_results: minLength: 1 title: Raw windows resolver results type: string requested_name: minLength: 1 title: Requested name type: string status: minLength: 1 title: Status type: string text_records: items: minLength: 1 type: string type: array required: - ip_addresses - query_type - raw_windows_resolver_results - requested_name - status - text_records type: object DetailFIMFileModification: properties: agent: $ref: '#/definitions/MinimalAgentInfo' creation_date: format: date-time readOnly: true title: Creation date type: string current_access_mode: readOnly: true title: Current access mode type: integer x-nullable: true current_entry_type: enum: - directory - file readOnly: true title: Current entry type type: string current_gid: readOnly: true title: Current gid type: integer x-nullable: true current_hash: minLength: 1 readOnly: true title: Current hash type: string x-nullable: true current_last_change_time: format: date-time readOnly: true title: Current last change time type: string x-nullable: true current_last_modification_time: format: date-time readOnly: true title: Current last modification time type: string x-nullable: true current_size: readOnly: true title: Current size type: integer x-nullable: true current_uid: readOnly: true title: Current uid type: integer x-nullable: true fim_policy: $ref: '#/definitions/MinimalFIMPolicy' highest_criticality: enum: - critical - high - low - medium readOnly: true title: Highest criticality type: string id: format: uuid readOnly: true title: Id type: string last_modifier: readOnly: true title: Last modifier type: integer x-nullable: true last_scan_with_changes: format: date-time readOnly: true title: Last scan with changes type: string x-nullable: true last_update: format: date-time readOnly: true title: Last update type: 
string ostype: enum: - linux - macos - windows readOnly: true title: Ostype type: string path: minLength: 1 readOnly: true title: Path type: string previous_access_mode: readOnly: true title: Previous access mode type: integer x-nullable: true previous_entry_type: enum: - directory - file readOnly: true title: Previous entry type type: string previous_gid: readOnly: true title: Previous gid type: integer x-nullable: true previous_hash: minLength: 1 readOnly: true title: Previous hash type: string x-nullable: true previous_last_change_time: format: date-time readOnly: true title: Previous last change time type: string x-nullable: true previous_last_modification_time: format: date-time readOnly: true title: Previous last modification time type: string x-nullable: true previous_size: readOnly: true title: Previous size type: integer x-nullable: true previous_uid: readOnly: true title: Previous uid type: integer x-nullable: true report_id: format: uuid title: Report id type: string status: enum: - accepted - not reviewed - rejected readOnly: true title: Status type: string type: enum: - content - creation - deletion - error - initialization - metadata - metadata and content - type change readOnly: true title: Type type: string required: - report_id type: object DetailFIMPolicy: properties: agent_policies: items: $ref: '#/definitions/MinimalPolicy' readOnly: true type: array description: minLength: 1 readOnly: true title: Description type: string x-nullable: true endpoints_count: readOnly: true title: Endpoints count type: integer id: format: uuid readOnly: true title: Id type: string name: minLength: 1 readOnly: true title: Name type: string origin_stack: $ref: '#/definitions/OriginStack' periodicity: $ref: '#/definitions/Schedule' revision: readOnly: true title: Revision type: integer rule_highest_level: enum: - critical - high - low - medium readOnly: true title: Rule highest level type: string required: - periodicity type: object DetailFIMReport: properties: agents: 
items: $ref: '#/definitions/MinimalAgentInfo' readOnly: true type: array covered_endpoints_count: readOnly: true title: Covered endpoints count type: integer critical_level_count: readOnly: true title: Critical level count type: integer fim_policy: $ref: '#/definitions/MinimalFIMPolicy' high_level_count: readOnly: true title: High level count type: integer highest_criticality: enum: - critical - high - low - medium readOnly: true title: Highest criticality type: string id: format: uuid readOnly: true title: Id type: string last_modification_date: format: date-time readOnly: true title: Last modification date type: string x-nullable: true last_modifier: readOnly: true title: Last modifier type: integer x-nullable: true last_update: format: date-time readOnly: true title: Last update type: string low_level_count: readOnly: true title: Low level count type: integer medium_level_count: readOnly: true title: Medium level count type: integer modifications_accepted_count: readOnly: true title: Modifications accepted count type: integer modifications_count: readOnly: true title: Modifications count type: integer modifications_not_reviewed_count: readOnly: true title: Modifications not reviewed count type: integer modifications_rejected_count: readOnly: true title: Modifications rejected count type: integer modified_endpoints_count: readOnly: true title: Modified endpoints count type: integer modified_path_count: readOnly: true title: Modified path count type: integer name: minLength: 1 readOnly: true title: Name type: string origin_stack: $ref: '#/definitions/OriginStack' report_date: format: date-time readOnly: true title: Report date type: string x-nullable: true tenant: minLength: 1 readOnly: true title: Tenant type: string required: - fim_policy type: object DetailFile: properties: stacktrace: minLength: 1 title: Stacktrace type: string stacktrace_minimal: minLength: 1 title: Stacktrace minimal type: string target_filename: minLength: 1 title: Target filename type: 
string required: - stacktrace - stacktrace_minimal - target_filename type: object DetailFirewallNetwork: properties: blocks: items: $ref: '#/definitions/FirewallNetworkBlock' type: array blocks_count: readOnly: true title: Blocks count type: integer description: title: Description type: string x-nullable: true endpoints_count: readOnly: true title: Endpoints count type: integer firewall_policies: items: $ref: '#/definitions/MinimalFirewallPolicy' readOnly: true type: array id: format: uuid title: Id type: string name: maxLength: 256 title: Name type: string x-nullable: true origin_stack: $ref: '#/definitions/OriginStack' policies_count: readOnly: true title: Policies count type: integer rules_count: readOnly: true title: Rules count type: integer tenant: minLength: 1 readOnly: true title: Tenant type: string type: object DetailFirewallPolicy: properties: agent_policy: items: $ref: '#/definitions/MinimalPolicy' type: array default_profile: $ref: '#/definitions/FirewallProfile' description: title: Description type: string x-nullable: true id: format: uuid title: Id type: string name: maxLength: 256 minLength: 1 title: Name type: string network_to_profile: items: $ref: '#/definitions/ProfileToNetwork' type: array origin_stack: $ref: '#/definitions/OriginStack' revision: maximum: 2147483647 minimum: -2147483648 title: Revision type: integer tenant: minLength: 1 readOnly: true title: Tenant type: string required: - name type: object DetailFirewallProfile: properties: default_incoming_action: enum: - Allow - Drop - Reject title: Default incoming action type: string default_outgoing_action: enum: - Allow - Drop - Reject title: Default outgoing action type: string description: title: Description type: string x-nullable: true endpoints_count: readOnly: true title: Endpoints count type: integer firewall_policies: items: $ref: '#/definitions/MinimalFirewallPolicy' readOnly: true type: array id: format: uuid title: Id type: string name: maxLength: 256 minLength: 1 title: Name 
type: string origin_stack: $ref: '#/definitions/OriginStack' policies_count: readOnly: true title: Policies count type: integer rules: items: $ref: '#/definitions/DetailFirewallRule' type: array rules_count: readOnly: true title: Rules count type: integer tenant: minLength: 1 readOnly: true title: Tenant type: string required: - name type: object DetailFirewallRule: properties: action: enum: - Allow - Drop - Reject title: Action type: string description: title: Description type: string x-nullable: true direction: enum: - Both - In - Out title: Direction type: string enabled: title: Enabled type: boolean id: format: uuid title: Id type: string index: maximum: 2147483647 minimum: 0 title: Index type: integer ip_version: enum: - Both - IPv4 - IPv6 title: Ip version type: string local_application: maxLength: 256 title: Local application type: string x-nullable: true local_ip: $ref: '#/definitions/FirewallIp' local_ports: items: $ref: '#/definitions/FirewallPort' type: array name: maxLength: 256 title: Name type: string x-nullable: true profile_id: format: uuid title: Profile id type: string protocol: enum: - ICMP - IPV6_ICMP - TCP - UDP title: Protocol type: string x-nullable: true remote_ip: $ref: '#/definitions/FirewallIp' remote_ports: items: $ref: '#/definitions/FirewallPort' type: array required: - index - profile_id type: object DetailLibrary: properties: dotnet_info: $ref: '#/definitions/DotnetInfo' hashes: $ref: '#/definitions/Hashes' image_loaded: minLength: 1 title: Image loaded type: string library_type: minLength: 1 title: Library type type: string pe_imphash: minLength: 1 title: Pe imphash type: string pe_info: $ref: '#/definitions/IndexedPEInfo' pe_timestamp: format: date-time title: Pe timestamp type: string pe_timestamp_int: title: Pe timestamp int type: integer signature_info: $ref: '#/definitions/SignatureInfo' signed: title: Signed type: boolean size: title: Size type: integer stacktrace: minLength: 1 title: Stacktrace type: string 
stacktrace_minimal: minLength: 1 title: Stacktrace minimal type: string required: - dotnet_info - hashes - image_loaded - library_type - pe_imphash - pe_info - pe_timestamp - pe_timestamp_int - signature_info - signed - size - stacktrace - stacktrace_minimal type: object DetailLinuxFilesystemEvent: properties: gid: title: Gid type: integer kind: minLength: 1 title: Kind type: string mode_octal: minLength: 1 title: Mode octal type: string mode_pretty: minLength: 1 title: Mode pretty type: string old_mode_octal: minLength: 1 title: Old mode octal type: string old_mode_pretty: minLength: 1 title: Old mode pretty type: string path: minLength: 1 title: Path type: string permissions: minLength: 1 title: Permissions type: string stacktrace: minLength: 1 title: Stacktrace type: string stacktrace_minimal: minLength: 1 title: Stacktrace minimal type: string target: minLength: 1 title: Target type: string target_filename: minLength: 1 title: Target filename type: string uid: title: Uid type: integer written_file_hashes: $ref: '#/definitions/Hashes' written_file_size: title: Written file size type: integer written_file_type: enum: - 7z - asp - chm - cmd - compound_file_binary_format - eicar - elf - hta - js - jsp - lnk - mach-o - pdf - pe - perl - php - plist - powershell - python - rar - reg - ruby - sct - shell_script - unknown - url - vbs - windows_script_file - zip title: Written file type type: string required: - gid - kind - mode_octal - mode_pretty - old_mode_octal - old_mode_pretty - path - permissions - stacktrace - stacktrace_minimal - target - target_filename - uid - written_file_hashes - written_file_size - written_file_type type: object DetailMacosFilesystemEvent: properties: gid: title: Gid type: integer kind: minLength: 1 title: Kind type: string mode_octal: minLength: 1 title: Mode octal type: string mode_pretty: minLength: 1 title: Mode pretty type: string old_mode_octal: minLength: 1 title: Old mode octal type: string old_mode_pretty: minLength: 1 title: Old 
mode pretty type: string path: minLength: 1 title: Path type: string permissions: minLength: 1 title: Permissions type: string stacktrace: minLength: 1 title: Stacktrace type: string stacktrace_minimal: minLength: 1 title: Stacktrace minimal type: string target: minLength: 1 title: Target type: string target_filename: minLength: 1 title: Target filename type: string uid: title: Uid type: integer written_file_hashes: $ref: '#/definitions/Hashes' written_file_size: title: Written file size type: integer written_file_type: enum: - 7z - asp - chm - cmd - compound_file_binary_format - eicar - elf - hta - js - jsp - lnk - mach-o - pdf - pe - perl - php - plist - powershell - python - rar - reg - ruby - sct - shell_script - unknown - url - vbs - windows_script_file - zip title: Written file type type: string required: - gid - kind - mode_octal - mode_pretty - old_mode_octal - old_mode_pretty - path - permissions - stacktrace - stacktrace_minimal - target - target_filename - uid - written_file_hashes - written_file_size - written_file_type type: object DetailNamedPipeConnected: properties: pipename: minLength: 1 title: Pipename type: string stacktrace: minLength: 1 title: Stacktrace type: string stacktrace_minimal: minLength: 1 title: Stacktrace minimal type: string target_process: $ref: '#/definitions/InnerProcess' required: - pipename - stacktrace - stacktrace_minimal - target_process type: object DetailNamedPipeCreated: properties: desiredaccess: title: Desiredaccess type: integer inboundquota: title: Inboundquota type: integer maximuminstances: title: Maximuminstances type: integer namedpipetype: title: Namedpipetype type: integer outboundquota: title: Outboundquota type: integer pipename: minLength: 1 title: Pipename type: string stacktrace: minLength: 1 title: Stacktrace type: string stacktrace_minimal: minLength: 1 title: Stacktrace minimal type: string required: - desiredaccess - inboundquota - maximuminstances - namedpipetype - outboundquota - pipename - 
stacktrace - stacktrace_minimal type: object DetailNetworkListen: properties: address: minLength: 1 title: Address type: string port: title: Port type: integer protocol: minLength: 1 title: Protocol type: string protocol_number: title: Protocol number type: integer required: - address - port - protocol - protocol_number type: object DetailPowershell: properties: PowershellCommand: minLength: 1 title: Powershellcommand type: string PowershellScriptPath: minLength: 1 title: Powershellscriptpath type: string hashes: $ref: '#/definitions/HashesWithoutImphash' sha256: minLength: 1 title: Sha256 type: string signature_info: $ref: '#/definitions/SignatureInfo' signed: title: Signed type: boolean required: - PowershellCommand - PowershellScriptPath - hashes - sha256 - signature_info - signed type: object DetailPrimaryTokenChange: properties: new_integrity_level: minLength: 1 title: New integrity level type: string new_integrity_level_int: title: New integrity level int type: integer new_user_sid: minLength: 1 title: New user sid type: string new_username: minLength: 1 title: New username type: string source_process_image_path: minLength: 1 title: Source process image path type: string source_process_pid: title: Source process pid type: integer source_process_unique_id: minLength: 1 title: Source process unique id type: string required: - new_integrity_level - new_integrity_level_int - new_user_sid - new_username - source_process_image_path - source_process_pid - source_process_unique_id type: object DetailProcessAccess: properties: CallTrace: minLength: 1 title: Calltrace type: string GrantedAccess: minLength: 1 title: Grantedaccess type: string GrantedAccessStr: minLength: 1 title: Grantedaccessstr type: string SourceImage: minLength: 1 title: Sourceimage type: string SourceProcessGUID: minLength: 1 title: Sourceprocessguid type: string SourceProcessId: title: Sourceprocessid type: integer TargetCommandLine: minLength: 1 title: Targetcommandline type: string TargetImage: 
minLength: 1 title: Targetimage type: string TargetProcessGUID: minLength: 1 title: Targetprocessguid type: string TargetProcessId: title: Targetprocessid type: integer stacktrace: minLength: 1 title: Stacktrace type: string stacktrace_minimal: minLength: 1 title: Stacktrace minimal type: string required: - CallTrace - GrantedAccess - GrantedAccessStr - SourceImage - SourceProcessGUID - SourceProcessId - TargetCommandLine - TargetImage - TargetProcessGUID - TargetProcessId - stacktrace - stacktrace_minimal type: object DetailProcessTamper: properties: imagebaseaddress: title: Imagebaseaddress type: integer process_entrypoint_file: minLength: 1 title: Process entrypoint file type: string process_entrypoint_memory: minLength: 1 title: Process entrypoint memory type: string process_header_file: minLength: 1 title: Process header file type: string process_header_memory: minLength: 1 title: Process header memory type: string tamperflag: title: Tamperflag type: integer type: minLength: 1 title: Type type: string required: - imagebaseaddress - process_entrypoint_file - process_entrypoint_memory - process_header_file - process_header_memory - tamperflag - type type: object DetailRawDeviceAccess: properties: desired_access: title: Desired access type: integer desired_access_str: minLength: 1 title: Desired access str type: string device: minLength: 1 title: Device type: string stacktrace: minLength: 1 title: Stacktrace type: string stacktrace_minimal: minLength: 1 title: Stacktrace minimal type: string required: - desired_access - desired_access_str - device - stacktrace - stacktrace_minimal type: object DetailRawSocketCreation: properties: family: title: Family type: integer protocol: title: Protocol type: integer sock_type: title: Sock type type: integer required: - family - protocol - sock_type type: object DetailRegistry: properties: data_string_added: items: minLength: 1 type: string type: array data_string_removed: items: minLength: 1 type: string type: array details: 
minLength: 1 title: Details type: string event_type: minLength: 1 title: Event type type: string hive_path: minLength: 1 title: Hive path type: string previous_details: minLength: 1 title: Previous details type: string registry_value_type: minLength: 1 title: Registry value type type: string stacktrace: minLength: 1 title: Stacktrace type: string stacktrace_minimal: minLength: 1 title: Stacktrace minimal type: string target_object: minLength: 1 title: Target object type: string required: - data_string_added - data_string_removed - details - event_type - hive_path - previous_details - registry_value_type - stacktrace - stacktrace_minimal - target_object type: object DetailRemoteThread: properties: new_thread_id: title: New thread id type: integer source_pid: title: Source pid type: integer source_process: minLength: 1 title: Source process type: string stacktrace: minLength: 1 title: Stacktrace type: string stacktrace_minimal: minLength: 1 title: Stacktrace minimal type: string start_address: title: Start address type: integer start_function: minLength: 1 title: Start function type: string start_module: minLength: 1 title: Start module type: string target_pid: title: Target pid type: integer target_process: minLength: 1 title: Target process type: string required: - new_thread_id - source_pid - source_process - stacktrace - stacktrace_minimal - start_address - start_function - start_module - target_pid - target_process type: object DetailUrlRequest: properties: event_time: format: date-time title: Event time type: string host: minLength: 1 title: Host type: string url: minLength: 1 title: Url type: string user_agent: minLength: 1 title: User agent type: string verb: minLength: 1 title: Verb type: string required: - event_time - host - url - user_agent - verb type: object DetailUsbInterface: properties: alternate_setting: minLength: 1 title: Alternate setting type: string interface_class: minLength: 1 title: Interface class type: string interface_description: 
minLength: 1 title: Interface description type: string interface_number: minLength: 1 title: Interface number type: string interface_protocol: minLength: 1 title: Interface protocol type: string interface_subclass: minLength: 1 title: Interface subclass type: string required: - alternate_setting - interface_class - interface_description - interface_number - interface_protocol - interface_subclass type: object DetailVulnerabilityPolicy: properties: agent_policies: items: $ref: '#/definitions/MinimalPolicy' type: array description: title: Description type: string x-nullable: true id: format: uuid title: Id type: string name: maxLength: 256 minLength: 1 title: Name type: string required: - name type: object DetailWindowsFilesystemEvent: properties: app_zone_id: minLength: 1 title: App zone id type: string create_disposition: title: Create disposition type: integer create_disposition_str: minLength: 1 title: Create disposition str type: string create_options: title: Create options type: integer create_options_str: minLength: 1 title: Create options str type: string first_bytes: minLength: 1 title: First bytes type: string kind: minLength: 1 title: Kind type: string last_writer_package_family_name: minLength: 1 title: Last writer package family name type: string path: minLength: 1 title: Path type: string referrer_url: minLength: 1 title: Referrer url type: string source_ip_address: minLength: 1 title: Source ip address type: string source_url: minLength: 1 title: Source url type: string stacktrace: minLength: 1 title: Stacktrace type: string stacktrace_minimal: minLength: 1 title: Stacktrace minimal type: string target: minLength: 1 title: Target type: string target_filename: minLength: 1 title: Target filename type: string url_zone: minLength: 1 title: Url zone type: string written_file_hashes: $ref: '#/definitions/Hashes' written_file_pe_info: $ref: '#/definitions/PEInfo' written_file_signatures: $ref: '#/definitions/SignatureInfo' written_file_size: title: Written 
file size type: integer written_file_type: enum: - 7z - asp - chm - cmd - compound_file_binary_format - eicar - elf - hta - js - jsp - lnk - mach-o - pdf - pe - perl - php - plist - powershell - python - rar - reg - ruby - sct - shell_script - unknown - url - vbs - windows_script_file - zip title: Written file type type: string zone_id: title: Zone id type: integer required: - app_zone_id - create_disposition - create_disposition_str - create_options - create_options_str - first_bytes - kind - last_writer_package_family_name - path - referrer_url - source_ip_address - source_url - stacktrace - stacktrace_minimal - target - target_filename - url_zone - written_file_hashes - written_file_pe_info - written_file_signatures - written_file_size - written_file_type - zone_id type: object DetailsUsbDeviceEvent: properties: db_product_name: minLength: 1 title: Db product name type: string db_vendor_name: minLength: 1 title: Db vendor name type: string device_class: minLength: 1 title: Device class type: string device_product_name: minLength: 1 title: Device product name type: string device_protocol: minLength: 1 title: Device protocol type: string device_subclass: minLength: 1 title: Device subclass type: string device_vendor_name: minLength: 1 title: Device vendor name type: string event_type: minLength: 1 title: Event type type: string interfaces: items: $ref: '#/definitions/DetailUsbInterface' type: array product_id: minLength: 1 title: Product id type: string product_name: minLength: 1 title: Product name type: string serial_number: minLength: 1 title: Serial number type: string vendor_id: minLength: 1 title: Vendor id type: string vendor_name: minLength: 1 title: Vendor name type: string required: - db_product_name - db_vendor_name - device_class - device_product_name - device_protocol - device_subclass - device_vendor_name - event_type - interfaces - product_id - product_name - serial_number - vendor_id - vendor_name type: object DetectionPermissions: properties: 
can_view_experimental_security_events: title: Can view experimental security events type: boolean security_events: enum: - disabled - read_only - read_write title: Security events type: string threats: enum: - disabled - read_only - read_write title: Threats type: string required: - can_view_experimental_security_events - security_events - threats type: object DeviceBootSectors: properties: '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/DataAgent' device_path: minLength: 1 title: Device path type: string id: minLength: 1 title: Id type: string ipl: $ref: '#/definitions/BootSector' item_status: title: Item status type: integer job_id: minLength: 1 title: Job id type: string job_instance_action: minLength: 1 title: Job instance action type: string job_instance_id: minLength: 1 title: Job instance id type: string job_instance_task_id: title: Job instance task id type: integer mbr: $ref: '#/definitions/BootSector' tenant: minLength: 1 title: Tenant type: string vbr: $ref: '#/definitions/BootSector' required: - '@timestamp' - agent - device_path - id - ipl - item_status - job_id - job_instance_action - job_instance_id - job_instance_task_id - mbr - tenant - vbr type: object DeviceControlPolicy: properties: agent_policies: items: $ref: '#/definitions/MinimalPolicy' readOnly: true type: array creation_date: format: date-time readOnly: true title: Creation date type: string creator: $ref: '#/definitions/HlSimpleUserSerializer' default_action: enum: - allow - block title: Default action type: string description: title: Description type: string x-nullable: true id: format: uuid title: Id type: string is_dry_run_mode_enabled: default: false title: Is dry run mode enabled type: boolean last_modifier: $ref: '#/definitions/HlSimpleUserSerializer' last_update: format: date-time readOnly: true title: Last update type: string name: maxLength: 256 minLength: 1 title: Name type: string origin_stack: $ref: '#/definitions/OriginStack' 
revision: readOnly: true title: Revision type: integer security_event_level: enum: - critical - high - low - medium title: Security event level type: string tenant: minLength: 1 readOnly: true title: Tenant type: string usb_rules_count: readOnly: true title: Usb rules count type: integer required: - name type: object Diagnostic: properties: date_created: description: Datetime field when the task result was created in UTC format: date-time readOnly: true title: Created DateTime type: string date_done: description: Datetime field when the task was completed in UTC format: date-time readOnly: true title: Completed DateTime type: string filename: readOnly: true title: Filename type: string x-nullable: true result: description: The data returned by the task. Use content_encoding and content_type fields to read. minLength: 1 readOnly: true title: Result Data type: string x-nullable: true status: description: Current state of the task being run enum: - FAILURE - PENDING - RECEIVED - RETRY - REVOKED - STARTED - SUCCESS title: Task State type: string task_args: description: JSON representation of the positional arguments used with the task minLength: 1 title: Task Positional Arguments type: string x-nullable: true task_id: description: Celery ID for the Task that was run maxLength: 255 minLength: 1 title: Task ID type: string required: - task_id type: object DiagnosticFilename: properties: filename: minLength: 1 pattern: (.+\.)((tgz$)|(tar\.gz$)) title: Filename type: string type: object DiagnosticLatestList: properties: count: title: Count type: integer latest: $ref: '#/definitions/Diagnostic' results: items: $ref: '#/definitions/Diagnostic' type: array required: - count - latest - results type: object DiagnosticList: properties: count: title: Count type: integer results: items: $ref: '#/definitions/Diagnostic' type: array required: - count - results type: object DiagnosticRunResponse: properties: filename: minLength: 1 title: Filename type: string status: minLength: 1 
title: Status type: string required: - filename - status type: object DisableCveBulk: properties: disabled_ids: items: minLength: 1 type: string type: array required: - disabled_ids type: object DocProcessesSerializer: properties: '@event_create_date': format: date-time title: '@event create date' type: string '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/InnerAgent' ancestors: minLength: 1 title: Ancestors type: string cdhash: minLength: 1 title: Cdhash type: string codesigning_flags: title: Codesigning flags type: integer codesigning_flags_str: minLength: 1 title: Codesigning flags str type: string commandline: minLength: 1 title: Commandline type: string create_time: format: date-time title: Create time type: string current_directory: minLength: 1 title: Current directory type: string egid: title: Egid type: integer egroup: minLength: 1 title: Egroup type: string enabled: title: Enabled type: boolean error_msg: minLength: 1 title: Error msg type: string euid: title: Euid type: integer eusername: minLength: 1 title: Eusername type: string fake_parent_commandline: minLength: 1 title: Fake parent commandline type: string fake_parent_image: minLength: 1 title: Fake parent image type: string fake_parent_unique_id: minLength: 1 title: Fake parent unique id type: string fake_ppid: title: Fake ppid type: integer gid: title: Gid type: integer grandparent_commandline: minLength: 1 title: Grandparent commandline type: string grandparent_image: minLength: 1 title: Grandparent image type: string grandparent_integrity_level: minLength: 1 title: Grandparent integrity level type: string grandparent_unique_id: minLength: 1 title: Grandparent unique id type: string group: minLength: 1 title: Group type: string groups: $ref: '#/definitions/InnerGroup' hashes: $ref: '#/definitions/Hashes' id: minLength: 1 title: Id type: string image_name: minLength: 1 title: Image name type: string integrity_level: minLength: 1 title: Integrity level 
type: string is_platform_binary: title: Is platform binary type: boolean kube_details: $ref: '#/definitions/KubeProcessInfo' level: minLength: 1 title: Level type: string lnk_info: $ref: '#/definitions/LnkInfo' log_type: minLength: 1 title: Log type type: string logonid: title: Logonid type: integer memfd_name: minLength: 1 title: Memfd name type: string origin_stack: $ref: '#/definitions/OriginStack' parent_commandline: minLength: 1 title: Parent commandline type: string parent_image: minLength: 1 title: Parent image type: string parent_integrity_level: minLength: 1 title: Parent integrity level type: string parent_unique_id: minLength: 1 title: Parent unique id type: string pe_imphash: minLength: 1 title: Pe imphash type: string pe_info: $ref: '#/definitions/PEInfo' pe_timestamp: format: date-time title: Pe timestamp type: string pe_timestamp_int: title: Pe timestamp int type: integer pid: title: Pid type: integer ppid: title: Ppid type: integer process_name: minLength: 1 title: Process name type: string process_unique_id: minLength: 1 title: Process unique id type: string session: title: Session type: integer sgid: title: Sgid type: integer sgroup: minLength: 1 title: Sgroup type: string signature_info: $ref: '#/definitions/SignatureInfo' signed: title: Signed type: boolean size: title: Size type: integer stacktrace: minLength: 1 title: Stacktrace type: string stacktrace_minimal: minLength: 1 title: Stacktrace minimal type: string status: title: Status type: integer status_msg: minLength: 1 title: Status msg type: string suid: title: Suid type: integer susername: minLength: 1 title: Susername type: string tenant: minLength: 1 title: Tenant type: string uid: title: Uid type: integer username: minLength: 1 title: Username type: string usersid: minLength: 1 title: Usersid type: string required: - '@event_create_date' - '@timestamp' - agent - ancestors - cdhash - codesigning_flags - codesigning_flags_str - commandline - create_time - current_directory - egid - 
egroup - enabled - error_msg - euid - eusername - fake_parent_commandline - fake_parent_image - fake_parent_unique_id - fake_ppid - gid - grandparent_commandline - grandparent_image - grandparent_integrity_level - grandparent_unique_id - group - groups - hashes - id - image_name - integrity_level - is_platform_binary - kube_details - level - lnk_info - log_type - logonid - memfd_name - parent_commandline - parent_image - parent_integrity_level - parent_unique_id - pe_imphash - pe_info - pe_timestamp - pe_timestamp_int - pid - ppid - process_name - process_unique_id - session - sgid - sgroup - signature_info - signed - size - stacktrace - stacktrace_minimal - status - status_msg - suid - susername - tenant - uid - username - usersid type: object DocYaraScanSerializer: properties: match_count: title: Match count type: integer matched_rules: items: $ref: '#/definitions/YaraRule' type: array rule_revision: title: Rule revision type: integer score: title: Score type: integer required: - match_count - matched_rules - rule_revision - score type: object DotnetInfo: properties: appdomain_id: title: Appdomain id type: integer assembly_culture: minLength: 1 title: Assembly culture type: string assembly_flags: title: Assembly flags type: integer assembly_flags_str: minLength: 1 title: Assembly flags str type: string assembly_name: minLength: 1 title: Assembly name type: string assembly_token: minLength: 1 title: Assembly token type: string assembly_version: minLength: 1 title: Assembly version type: string fully_qualified_assembly_name: minLength: 1 title: Fully qualified assembly name type: string managed_pdb_path: minLength: 1 title: Managed pdb path type: string module_flags: title: Module flags type: integer module_flags_str: minLength: 1 title: Module flags str type: string module_native_path: minLength: 1 title: Module native path type: string native_pdb_path: minLength: 1 title: Native pdb path type: string required: - appdomain_id - assembly_culture - assembly_flags - 
assembly_flags_str - assembly_name - assembly_token - assembly_version - fully_qualified_assembly_name - managed_pdb_path - module_flags - module_flags_str - module_native_path - native_pdb_path type: object DownloadDirectory: properties: directory: minLength: 1 title: Directory type: string recursive: title: Recursive type: boolean required: - directory - recursive type: object DownloadFile: properties: auto_analyze: default: false title: Auto analyze type: boolean filename: minLength: 1 title: Filename type: string required: - filename type: object DownloadInstallerAvailability: properties: status: title: Status type: boolean required: - status type: object DownloadRequest: properties: auto_analyze: default: false title: Auto analyze type: boolean tenant: minLength: 1 title: Tenant type: string x-nullable: true type: object DownloadRequestResponse: properties: file_availability: enum: - 0 - 1 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - 255 readOnly: true title: File availability type: integer message: default: "" minLength: 1 title: Message type: string type: object Downloader: properties: allow_signed_microsoft: default: true title: Allow signed microsoft type: boolean allow_signed_third_party: default: true title: Allow signed third party type: boolean allow_unsigned: default: true title: Allow unsigned type: boolean enabled: default: false title: Enabled type: boolean max_download_size_per_hour: minimum: 0 title: Max download size per hour type: integer x-nullable: true max_size_per_binary: minimum: 0 title: Max size per binary type: integer x-nullable: true type: object Driver: properties: '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/DataAgent' binaryinfo: $ref: '#/definitions/BinaryInfoWithPath' fullpathname: minLength: 1 title: Fullpathname type: string id: minLength: 1 title: Id type: string imagebase: title: Imagebase type: number imagesize: title: Imagesize type: integer ispresent: title: Ispresent type: boolean 
item_status: title: Item status type: integer job_id: minLength: 1 title: Job id type: string job_instance_action: minLength: 1 title: Job instance action type: string job_instance_id: minLength: 1 title: Job instance id type: string job_instance_task_id: title: Job instance task id type: integer tenant: minLength: 1 title: Tenant type: string required: - '@timestamp' - agent - binaryinfo - fullpathname - id - imagebase - imagesize - ispresent - item_status - job_id - job_instance_action - job_instance_id - job_instance_task_id - tenant type: object DriverBlocklist: properties: block_on_agent: title: Block on agent type: boolean comment: minLength: 1 readOnly: true title: Comment type: string x-nullable: true creation_date: format: date-time readOnly: true title: Creation date type: string effective_state: enum: - alert - backend_alert - block - disabled - quarantine readOnly: true title: Effective state type: string enabled: title: Enabled type: boolean endpoint_detection: title: Endpoint detection type: boolean global_state: enum: - alert - backend_alert - block - disabled - quarantine title: Global state type: string hl_local_testing_status: description: deprecated title: Hl local testing status type: string x-nullable: true hl_status: enum: - experimental - stable - testing title: Hl status type: string hl_testing_start_time: format: date-time readOnly: true title: Hl testing start time type: string id: minLength: 1 readOnly: true title: Id type: string last_modifier: $ref: '#/definitions/HlSimpleUserSerializer' last_update: format: date-time readOnly: true title: Last update type: string origin_stack_id: maxLength: 64 minLength: 1 title: Origin stack id type: string x-nullable: true quarantine_on_agent: title: Quarantine on agent type: boolean references: items: minLength: 1 title: References type: string type: array rule_confidence: enum: - moderate - strong - weak title: Rule confidence type: string x-nullable: true rule_confidence_override: enum: - moderate 
- strong - weak title: Rule confidence override type: string x-nullable: true rule_effective_confidence: enum: - moderate - strong - weak readOnly: true title: Rule effective confidence type: string rule_effective_level: enum: - critical - high - informational - low - medium readOnly: true title: Rule effective level type: string rule_level: enum: - critical - high - informational - low - medium readOnly: true title: Rule level type: string x-nullable: true rule_level_overridden: readOnly: true title: Rule level overridden type: boolean rule_level_override: enum: - critical - high - informational - low - medium title: Rule level override type: string x-nullable: true source: title: Source type: string source_id: minLength: 1 readOnly: true title: Source id type: string test_maturity_current_count: readOnly: true title: Test maturity current count type: integer test_maturity_delay: readOnly: true title: Test maturity delay type: integer test_maturity_threshold: readOnly: true title: Test maturity threshold type: integer type: enum: - filename - filepath - hash title: Type type: string value: minLength: 1 title: Value type: string required: - source - type - value type: object DriverBlocklistRulesetRule: properties: block_on_agent: readOnly: true title: Block on agent type: boolean comment: minLength: 1 readOnly: true title: Comment type: string x-nullable: true creation_date: format: date-time readOnly: true title: Creation date type: string effective_state: enum: - alert - backend_alert - block - disabled - quarantine readOnly: true title: Effective state type: string enabled: readOnly: true title: Enabled type: boolean endpoint_detection: readOnly: true title: Endpoint detection type: boolean global_state: enum: - alert - backend_alert - block - disabled - quarantine readOnly: true title: Global state type: string hl_status: enum: - experimental - stable - testing readOnly: true title: Hl status type: string hl_testing_start_time: format: date-time readOnly: true 
title: Hl testing start time type: string id: minLength: 1 readOnly: true title: Id type: string last_modifier: $ref: '#/definitions/HlSimpleUserSerializer' last_update: format: date-time readOnly: true title: Last update type: string origin_stack_id: maxLength: 64 minLength: 1 readOnly: true title: Origin stack id type: string x-nullable: true quarantine_on_agent: readOnly: true title: Quarantine on agent type: boolean references: items: minLength: 1 title: References type: string readOnly: true type: array rule_confidence: enum: - moderate - strong - weak readOnly: true title: Rule confidence type: string x-nullable: true rule_confidence_override: enum: - moderate - strong - weak readOnly: true title: Rule confidence override type: string x-nullable: true rule_effective_confidence: enum: - moderate - strong - weak readOnly: true title: Rule effective confidence type: string rule_effective_level: enum: - critical - high - informational - low - medium readOnly: true title: Rule effective level type: string rule_level: enum: - critical - high - informational - low - medium readOnly: true title: Rule level type: string x-nullable: true rule_level_overridden: readOnly: true title: Rule level overridden type: boolean rule_level_override: enum: - critical - high - informational - low - medium readOnly: true title: Rule level override type: string x-nullable: true ruleset_rule: $ref: '#/definitions/RulesetRuleSerializer' ruleset_rule_default: readOnly: true title: Ruleset rule default type: boolean source: readOnly: true title: Source type: string source_id: minLength: 1 readOnly: true title: Source id type: string state: enum: - alert - backend_alert - block - default - disabled - quarantine readOnly: true title: State type: string type: enum: - filename - filepath - hash readOnly: true title: Type type: string value: minLength: 1 readOnly: true title: Value type: string type: object DriverBlocklistRulesetSource: properties: alert_rule_count: default: 0 readOnly: true 
title: Alert rule count type: integer block_on_agent: title: Block on agent type: boolean block_rule_count: default: 0 readOnly: true title: Block rule count type: integer creation_date: format: date-time readOnly: true title: Creation date type: string default_rule_count: minimum: 0 readOnly: true title: Default rule count type: integer description: title: Description type: string disabled_rule_count: default: 0 readOnly: true title: Disabled rule count type: integer driver_count: default: 0 readOnly: true title: Driver count type: integer driver_experimental_count: default: 0 readOnly: true title: Driver experimental count type: integer driver_stable_count: default: 0 readOnly: true title: Driver stable count type: integer driver_testing_count: default: 0 readOnly: true title: Driver testing count type: integer effective_state: enum: - alert - backend_alert - block - disabled - quarantine readOnly: true title: Effective state type: string enabled: title: Enabled type: boolean endpoint_detection: title: Endpoint detection type: boolean global_state: enum: - alert - backend_alert - block - disabled - quarantine title: Global state type: string id: minLength: 1 readOnly: true title: Id type: string last_modifier: $ref: '#/definitions/HlSimpleUserSerializer' last_update: format: date-time readOnly: true title: Last update type: string name: maxLength: 100 minLength: 1 title: Name type: string new_rule_state: default: default enum: - alert - backend_alert - block - default - disabled - quarantine title: New rule state type: string origin_stack_id: maxLength: 64 minLength: 1 title: Origin stack id type: string x-nullable: true quarantine_on_agent: title: Quarantine on agent type: boolean quarantine_rule_count: default: 0 readOnly: true title: Quarantine rule count type: integer rule_confidence_default: enum: - moderate - strong - weak title: Rule confidence default type: string rule_count: default: 0 readOnly: true title: Rule count type: integer rule_disabled_count: 
default: 0 readOnly: true title: Rule disabled count type: integer rule_enabled_count: default: 0 readOnly: true title: Rule enabled count type: integer rule_experimental_count: default: 0 readOnly: true title: Rule experimental count type: integer rule_level_default: enum: - critical - high - informational - low - medium title: Rule level default type: string rule_stable_count: default: 0 readOnly: true title: Rule stable count type: integer rule_testing_count: default: 0 readOnly: true title: Rule testing count type: integer ruleset_source: $ref: '#/definitions/RulesetSourceSerializer' ruleset_source_rule_default: $ref: '#/definitions/RulesetSourceRuleDefaultSerializer' state: default: default enum: - alert - backend_alert - block - default - disabled - force_inherit - quarantine title: State type: string required: - name type: object DriverBlocklistSource: properties: block_on_agent: title: Block on agent type: boolean creation_date: format: date-time readOnly: true title: Creation date type: string description: title: Description type: string driver_count: default: 0 readOnly: true title: Driver count type: integer driver_experimental_count: default: 0 readOnly: true title: Driver experimental count type: integer driver_stable_count: default: 0 readOnly: true title: Driver stable count type: integer driver_testing_count: default: 0 readOnly: true title: Driver testing count type: integer effective_state: enum: - alert - backend_alert - block - disabled - quarantine readOnly: true title: Effective state type: string enabled: title: Enabled type: boolean endpoint_detection: title: Endpoint detection type: boolean global_state: enum: - alert - backend_alert - block - disabled - quarantine title: Global state type: string id: minLength: 1 readOnly: true title: Id type: string last_modifier: $ref: '#/definitions/HlSimpleUserSerializer' last_update: format: date-time readOnly: true title: Last update type: string name: maxLength: 100 minLength: 1 title: Name type: 
string origin_stack_id: maxLength: 64 minLength: 1 title: Origin stack id type: string x-nullable: true quarantine_on_agent: title: Quarantine on agent type: boolean rule_confidence_default: enum: - moderate - strong - weak title: Rule confidence default type: string rule_count: default: 0 readOnly: true title: Rule count type: integer rule_disabled_count: default: 0 readOnly: true title: Rule disabled count type: integer rule_enabled_count: default: 0 readOnly: true title: Rule enabled count type: integer rule_experimental_count: default: 0 readOnly: true title: Rule experimental count type: integer rule_level_default: enum: - critical - high - informational - low - medium title: Rule level default type: string rule_stable_count: default: 0 readOnly: true title: Rule stable count type: integer rule_testing_count: default: 0 readOnly: true title: Rule testing count type: integer required: - name type: object DriverLoad: properties: '@event_create_date': format: date-time title: '@event create date' type: string '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/InnerAgent' groups: $ref: '#/definitions/InnerGroup' hashes: $ref: '#/definitions/Hashes' id: minLength: 1 title: Id type: string imagebase: title: Imagebase type: integer imagename: minLength: 1 title: Imagename type: string imagepath: minLength: 1 title: Imagepath type: string imagesize: title: Imagesize type: integer log_type: minLength: 1 title: Log type type: string origin_stack: $ref: '#/definitions/OriginStack' pe_imphash: minLength: 1 title: Pe imphash type: string pe_info: $ref: '#/definitions/PEInfo' pe_timestamp: format: date-time title: Pe timestamp type: string pe_timestamp_int: title: Pe timestamp int type: integer signature_info: $ref: '#/definitions/SignatureInfo' signed: title: Signed type: boolean size: title: Size type: integer tenant: minLength: 1 title: Tenant type: string required: - '@event_create_date' - '@timestamp' - agent - groups - hashes 
- id - imagebase - imagename - imagepath - imagesize - log_type - pe_imphash - pe_info - pe_timestamp - pe_timestamp_int - signature_info - signed - size - tenant type: object DryRunResponse: properties: count: title: Count type: integer has_more: title: Has more type: boolean required: - count - has_more type: object DseTamper: properties: driver_blocked: title: Driver blocked type: boolean dse_new_value: title: Dse new value type: integer dse_new_value_str: minLength: 1 title: Dse new value str type: string dse_old_value: title: Dse old value type: integer dse_old_value_str: minLength: 1 title: Dse old value str type: string dse_variable_type_str: minLength: 1 title: Dse variable type str type: string eventtime_datetime: format: date-time title: Eventtime datetime type: string is_restored: title: Is restored type: boolean required: - driver_blocked - dse_new_value - dse_new_value_str - dse_old_value - dse_old_value_str - dse_variable_type_str - eventtime_datetime - is_restored type: object DumpProcess: properties: process_unique_id: minLength: 1 title: Process unique id type: string required: - process_unique_id type: object DuplicateRuleset: properties: description: title: Description type: string name: maxLength: 128 minLength: 1 title: Name type: string required: - name type: object DynamicAnalysis: properties: behavior: $ref: '#/definitions/DynamicAnalysisBehavior' debug: $ref: '#/definitions/DynamicAnalysisDebug' dropped: items: $ref: '#/definitions/DynamicAnalysisFile' type: array id: minLength: 1 title: Id type: string info: $ref: '#/definitions/DynamicAnalysisInfo' malscore: title: Malscore type: number malstatus: minLength: 1 title: Malstatus type: string network: $ref: '#/definitions/DynamicAnalysisNetwork' signatures: items: $ref: '#/definitions/DynamicAnalysisSignaturesItem' type: array statistics: $ref: '#/definitions/DynamicAnalysisStatistics' suricata: $ref: '#/definitions/DynamicAnalysisSuricata' target: $ref: '#/definitions/DynamicAnalysisTarget' 
ttps: items: $ref: '#/definitions/DynamicAnalysisTtpsItem' type: array required: - behavior - debug - dropped - id - info - malscore - malstatus - network - signatures - statistics - suricata - target - ttps type: object DynamicAnalysisBehavior: properties: enhanced: items: $ref: '#/definitions/DynamicAnalysisBehaviorEnhancedItem' type: array processes: items: $ref: '#/definitions/DynamicAnalysisBehaviorProcessesItem' type: array processtree: items: $ref: '#/definitions/DynamicAnalysisBehaviorProcesstreeItem' type: array summary: $ref: '#/definitions/DynamicAnalysisBehaviorSummary' required: - enhanced - processes - processtree - summary type: object DynamicAnalysisBehaviorEnhancedData: properties: file: minLength: 1 title: File type: string required: - file type: object DynamicAnalysisBehaviorEnhancedItem: properties: data: $ref: '#/definitions/DynamicAnalysisBehaviorEnhancedData' eid: title: Eid type: integer event: minLength: 1 title: Event type: string object: minLength: 1 title: Object type: string timestamp: format: date-time title: Timestamp type: string required: - data - eid - event - object - timestamp type: object DynamicAnalysisBehaviorProcessesCallsArgumentsItem: properties: name: minLength: 1 title: Name type: string value: minLength: 1 title: Value type: string required: - name - value type: object DynamicAnalysisBehaviorProcessesCallsItem: properties: api: minLength: 1 title: Api type: string arguments: items: $ref: '#/definitions/DynamicAnalysisBehaviorProcessesCallsArgumentsItem' type: array caller: minLength: 1 title: Caller type: string category: minLength: 1 title: Category type: string id: title: Id type: integer parentcaller: minLength: 1 title: Parentcaller type: string pretty_return: minLength: 1 title: Pretty return type: string repeated: title: Repeated type: integer status: title: Status type: boolean thread_id: minLength: 1 title: Thread id type: string timestamp: minLength: 1 title: Timestamp type: string required: - api - arguments - 
caller - category - id - parentcaller - pretty_return - repeated - status - thread_id - timestamp type: object DynamicAnalysisBehaviorProcessesEnviron: properties: CommandLine: minLength: 1 title: Commandline type: string ComputerName: minLength: 1 title: Computername type: string MachineGUID: minLength: 1 title: Machineguid type: string ProductName: minLength: 1 title: Productname type: string RegisteredOrganization: minLength: 1 title: Registeredorganization type: string RegisteredOwner: minLength: 1 title: Registeredowner type: string SystemVolumeGUID: minLength: 1 title: Systemvolumeguid type: string SystemVolumeSerialNumber: minLength: 1 title: Systemvolumeserialnumber type: string TempPath: minLength: 1 title: Temppath type: string UserName: minLength: 1 title: Username type: string WindowsPath: minLength: 1 title: Windowspath type: string required: - CommandLine - ComputerName - MachineGUID - ProductName - RegisteredOrganization - RegisteredOwner - SystemVolumeGUID - SystemVolumeSerialNumber - TempPath - UserName - WindowsPath type: object DynamicAnalysisBehaviorProcessesItem: properties: calls: items: $ref: '#/definitions/DynamicAnalysisBehaviorProcessesCallsItem' type: array environ: $ref: '#/definitions/DynamicAnalysisBehaviorProcessesEnviron' first_seen: format: date-time title: First seen type: string module_path: minLength: 1 title: Module path type: string parent_id: title: Parent id type: integer process_id: title: Process id type: integer process_name: minLength: 1 title: Process name type: string threads: items: minLength: 1 type: string type: array required: - calls - environ - first_seen - module_path - parent_id - process_id - process_name - threads type: object DynamicAnalysisBehaviorProcesstreeEnviron: properties: CommandLine: minLength: 1 title: Commandline type: string ComputerName: minLength: 1 title: Computername type: string MachineGUID: minLength: 1 title: Machineguid type: string ProductName: minLength: 1 title: Productname type: string 
RegisteredOrganization: minLength: 1 title: Registeredorganization type: string RegisteredOwner: minLength: 1 title: Registeredowner type: string SystemVolumeGUID: minLength: 1 title: Systemvolumeguid type: string SystemVolumeSerialNumber: minLength: 1 title: Systemvolumeserialnumber type: string TempPath: minLength: 1 title: Temppath type: string UserName: minLength: 1 title: Username type: string WindowsPath: minLength: 1 title: Windowspath type: string required: - CommandLine - ComputerName - MachineGUID - ProductName - RegisteredOrganization - RegisteredOwner - SystemVolumeGUID - SystemVolumeSerialNumber - TempPath - UserName - WindowsPath type: object DynamicAnalysisBehaviorProcesstreeItem: properties: environ: $ref: '#/definitions/DynamicAnalysisBehaviorProcesstreeEnviron' module_path: minLength: 1 title: Module path type: string name: minLength: 1 title: Name type: string parent_id: title: Parent id type: integer pid: title: Pid type: integer threads: items: minLength: 1 type: string type: array required: - environ - module_path - name - parent_id - pid - threads type: object DynamicAnalysisBehaviorSummary: properties: delete_files: items: minLength: 1 type: string type: array files: items: minLength: 1 type: string type: array keys: items: minLength: 1 type: string type: array mutexes: items: minLength: 1 type: string type: array read_keys: items: minLength: 1 type: string type: array required: - delete_files - files - keys - mutexes - read_keys type: object DynamicAnalysisDebug: properties: log: minLength: 1 title: Log type: string required: - log type: object DynamicAnalysisFile: properties: cape_type: minLength: 1 title: Cape type type: string cape_type_code: title: Cape type code type: integer crc32: minLength: 1 title: Crc32 type: string guest_paths: minLength: 1 title: Guest paths type: string md5: minLength: 1 title: Md5 type: string name: minLength: 1 title: Name type: string path: minLength: 1 title: Path type: string pe: $ref: 
'#/definitions/DynamicAnalysisFilePe' pid: minLength: 1 title: Pid type: string sha1: minLength: 1 title: Sha1 type: string sha256: minLength: 1 title: Sha256 type: string sha3_384: minLength: 1 title: Sha3 384 type: string sha512: minLength: 1 title: Sha512 type: string size: title: Size type: integer ssdeep: minLength: 1 title: Ssdeep type: string strings: items: minLength: 1 type: string type: array tlsh: minLength: 1 title: Tlsh type: string trid: items: minLength: 1 type: string type: array type: minLength: 1 title: Type type: string required: - cape_type - cape_type_code - crc32 - guest_paths - md5 - name - path - pe - pid - sha1 - sha256 - sha3_384 - sha512 - size - ssdeep - strings - tlsh - trid - type type: object DynamicAnalysisFilePe: properties: actual_checksum: minLength: 1 title: Actual checksum type: string dirents: items: $ref: '#/definitions/DynamicAnalysisFilePeDirentsItem' type: array entrypoint: minLength: 1 title: Entrypoint type: string ep_bytes: minLength: 1 title: Ep bytes type: string exported_dll_name: minLength: 1 title: Exported dll name type: string exports: items: $ref: '#/definitions/DynamicAnalysisPeExportsItem' type: array guest_signers: $ref: '#/definitions/DynamicAnalysisPeGuestSigners' icon: minLength: 1 title: Icon type: string icon_dhash: minLength: 1 title: Icon dhash type: string icon_fuzzy: minLength: 1 title: Icon fuzzy type: string icon_hash: minLength: 1 title: Icon hash type: string imagebase: minLength: 1 title: Imagebase type: string imphash: minLength: 1 title: Imphash type: string imported_dll_count: title: Imported dll count type: integer imports: $ref: '#/definitions/DynamicAnalysisFilePeImports' osversion: minLength: 1 title: Osversion type: string overlay: $ref: '#/definitions/DynamicAnalysisFilePeOverlay' reported_checksum: minLength: 1 title: Reported checksum type: string resources: items: $ref: '#/definitions/DynamicAnalysisFilePeResourcesItem' type: array sections: items: $ref: 
'#/definitions/DynamicAnalysisFilePeSectionsItem' type: array timestamp: format: date-time title: Timestamp type: string versioninfo: items: $ref: '#/definitions/DynamicAnalysisFilePeVersioninfoItem' type: array required: - actual_checksum - dirents - entrypoint - ep_bytes - exported_dll_name - exports - guest_signers - icon - icon_dhash - icon_fuzzy - icon_hash - imagebase - imphash - imported_dll_count - imports - osversion - overlay - reported_checksum - resources - sections - timestamp - versioninfo type: object DynamicAnalysisFilePeDirentsItem: properties: name: minLength: 1 title: Name type: string size: minLength: 1 title: Size type: string virtual_address: minLength: 1 title: Virtual address type: string required: - name - size - virtual_address type: object DynamicAnalysisFilePeImports: properties: ADVAPI32: $ref: '#/definitions/DynamicAnalysisFilePeImportsDllImports' COMCTL32: $ref: '#/definitions/DynamicAnalysisFilePeImportsDllImports' GDI32: $ref: '#/definitions/DynamicAnalysisFilePeImportsDllImports' KERNEL32: $ref: '#/definitions/DynamicAnalysisFilePeImportsDllImports' SHELL32: $ref: '#/definitions/DynamicAnalysisFilePeImportsDllImports' USER32: $ref: '#/definitions/DynamicAnalysisFilePeImportsDllImports' VERSION: $ref: '#/definitions/DynamicAnalysisFilePeImportsDllImports' ole32: $ref: '#/definitions/DynamicAnalysisFilePeImportsDllImports' required: - ADVAPI32 - COMCTL32 - GDI32 - KERNEL32 - SHELL32 - USER32 - VERSION - ole32 type: object DynamicAnalysisFilePeImportsAddressName: properties: address: minLength: 1 title: Address type: string name: minLength: 1 title: Name type: string required: - address - name type: object DynamicAnalysisFilePeImportsDllImports: properties: dll: minLength: 1 title: Dll type: string imports: items: $ref: '#/definitions/DynamicAnalysisFilePeImportsAddressName' type: array required: - dll - imports type: object DynamicAnalysisFilePeOverlay: properties: offset: minLength: 1 title: Offset type: string size: minLength: 1 
title: Size type: string required: - offset - size type: object DynamicAnalysisFilePeResourcesItem: properties: entropy: minLength: 1 title: Entropy type: string language: minLength: 1 title: Language type: string name: minLength: 1 title: Name type: string offset: minLength: 1 title: Offset type: string size: minLength: 1 title: Size type: string sublanguage: minLength: 1 title: Sublanguage type: string required: - entropy - language - name - offset - size - sublanguage type: object DynamicAnalysisFilePeSectionsItem: properties: characteristics: minLength: 1 title: Characteristics type: string characteristics_raw: minLength: 1 title: Characteristics raw type: string entropy: minLength: 1 title: Entropy type: string name: minLength: 1 title: Name type: string raw_address: minLength: 1 title: Raw address type: string size_of_data: minLength: 1 title: Size of data type: string virtual_address: minLength: 1 title: Virtual address type: string virtual_size: minLength: 1 title: Virtual size type: string required: - characteristics - characteristics_raw - entropy - name - raw_address - size_of_data - virtual_address - virtual_size type: object DynamicAnalysisFilePeVersioninfoItem: properties: name: minLength: 1 title: Name type: string value: minLength: 1 title: Value type: string required: - name - value type: object DynamicAnalysisInfo: properties: category: minLength: 1 title: Category type: string custom: minLength: 1 title: Custom type: string duration: title: Duration type: integer ended: format: date-time title: Ended type: string id: title: Id type: integer machine: $ref: '#/definitions/DynamicAnalysisInfoMachine' options: $ref: '#/definitions/DynamicAnalysisInfoOptions' package: minLength: 1 title: Package type: string route: minLength: 1 title: Route type: string started: format: date-time title: Started type: string timeout: title: Timeout type: boolean user_id: title: User id type: integer version: minLength: 1 title: Version type: string required: - category 
- custom - duration - ended - id - machine - options - package - route - started - timeout - user_id - version type: object DynamicAnalysisInfoMachine: properties: id: title: Id type: integer label: minLength: 1 title: Label type: string manager: minLength: 1 title: Manager type: string name: minLength: 1 title: Name type: string platform: minLength: 1 title: Platform type: string shutdown_on: format: date-time title: Shutdown on type: string started_on: format: date-time title: Started on type: string status: minLength: 1 title: Status type: string required: - id - label - manager - name - platform - shutdown_on - started_on - status type: object DynamicAnalysisInfoOptions: properties: import_reconstruction: minLength: 1 title: Import reconstruction type: string procmemdump: minLength: 1 title: Procmemdump type: string unpacker: minLength: 1 title: Unpacker type: string required: - import_reconstruction - procmemdump - unpacker type: object DynamicAnalysisNetwork: properties: pcap_sha256: minLength: 1 title: Pcap sha256 type: string tcp: items: $ref: '#/definitions/DynamicAnalysisNetworkTcpItem' type: array udp: items: $ref: '#/definitions/DynamicAnalysisNetworkUdpItem' type: array required: - pcap_sha256 - tcp - udp type: object DynamicAnalysisNetworkTcpItem: properties: dport: title: Dport type: integer dst: minLength: 1 title: Dst type: string offset: title: Offset type: integer sport: title: Sport type: integer src: minLength: 1 title: Src type: string time: title: Time type: number required: - dport - dst - offset - sport - src - time type: object DynamicAnalysisNetworkUdpItem: properties: dport: title: Dport type: integer dst: minLength: 1 title: Dst type: string offset: title: Offset type: integer sport: title: Sport type: integer src: minLength: 1 title: Src type: string time: title: Time type: number required: - dport - dst - offset - sport - src - time type: object DynamicAnalysisPeExportsItem: properties: address: minLength: 1 title: Address type: 
string name: minLength: 1 title: Name type: string ordinal: title: Ordinal type: integer required: - address - name - ordinal type: object DynamicAnalysisPeGuestSigners: properties: aux_signers: items: $ref: '#/definitions/DynamicAnalysisPeGuestSignersAuxSignersItem' type: array aux_timestamp: minLength: 1 title: Aux timestamp type: string aux_valid: title: Aux valid type: boolean required: - aux_signers - aux_timestamp - aux_valid type: object DynamicAnalysisPeGuestSignersAuxSignersItem: properties: expires: format: date-time title: Expires type: string issued_by: minLength: 1 title: Issued by type: string issued_to: minLength: 1 title: Issued to type: string name: minLength: 1 title: Name type: string sha1: minLength: 1 title: Sha1 type: string required: - expires - issued_by - issued_to - name - sha1 type: object DynamicAnalysisSignaturesDataItem: properties: cid: title: Cid type: integer pid: title: Pid type: integer type: minLength: 1 title: Type type: string required: - cid - pid - type type: object DynamicAnalysisSignaturesItem: properties: alert: title: Alert type: boolean categories: items: minLength: 1 type: string type: array confidence: title: Confidence type: integer data: items: $ref: '#/definitions/DynamicAnalysisSignaturesDataItem' type: array description: minLength: 1 title: Description type: string name: minLength: 1 title: Name type: string severity: title: Severity type: integer weight: title: Weight type: integer required: - alert - categories - confidence - data - description - name - severity - weight type: object DynamicAnalysisStatistics: properties: processing: items: $ref: '#/definitions/DynamicAnalysisStatisticsItem' type: array reporting: items: $ref: '#/definitions/DynamicAnalysisStatisticsItem' type: array signatures: items: $ref: '#/definitions/DynamicAnalysisStatisticsItem' type: array required: - processing - reporting - signatures type: object DynamicAnalysisStatisticsItem: properties: name: minLength: 1 title: Name type: string 
time: title: Time type: number required: - name - time type: object DynamicAnalysisSuricata: properties: alerts: items: $ref: '#/definitions/DynamicAnalysisSuricataAlertsItem' type: array eve_log_full_path: minLength: 1 title: Eve log full path type: string required: - alerts - eve_log_full_path type: object DynamicAnalysisSuricataAlertsItem: properties: category: minLength: 1 title: Category type: string dstip: minLength: 1 title: Dstip type: string dstport: title: Dstport type: integer gid: title: Gid type: integer protocol: minLength: 1 title: Protocol type: string rev: title: Rev type: integer severity: title: Severity type: integer sid: title: Sid type: integer signature: minLength: 1 title: Signature type: string srcip: minLength: 1 title: Srcip type: string srcport: title: Srcport type: integer timestamp: format: date-time title: Timestamp type: string required: - category - dstip - dstport - gid - protocol - rev - severity - sid - signature - srcip - srcport - timestamp type: object DynamicAnalysisTarget: properties: category: minLength: 1 title: Category type: string file: $ref: '#/definitions/DynamicAnalysisFile' required: - category - file type: object DynamicAnalysisTtpsItem: properties: mbcs: items: minLength: 1 type: string type: array signature: minLength: 1 title: Signature type: string ttps: items: minLength: 1 type: string type: array required: - mbcs - signature - ttps type: object ECSBpf: properties: expected_attach_type_id: title: Expected attach type id type: integer expected_attach_type_str: minLength: 1 title: Expected attach type str type: string flags_id: title: Flags id type: integer flags_str: minLength: 1 title: Flags str type: string hooked_function_name: minLength: 1 title: Hooked function name type: string instruction_count: title: Instruction count type: integer memory_dump: minLength: 1 title: Memory dump type: string name: minLength: 1 title: Name type: string operation: minLength: 1 title: Operation type: string type_id: title: 
Type id type: integer type_str: minLength: 1 title: Type str type: string required: - expected_attach_type_id - expected_attach_type_str - flags_id - flags_str - hooked_function_name - instruction_count - memory_dump - name - operation - type_id - type_str type: object ECSContainer: properties: id: minLength: 1 title: Id type: string name: minLength: 1 title: Name type: string namespace: minLength: 1 title: Namespace type: string required: - id - name - namespace type: object ECSDestination: properties: process: $ref: '#/definitions/ECSProcess' required: - process type: object ECSEtwTiKeInsertQueueApc: properties: apc_argument_1: title: Apc argument 1 type: integer apc_argument_1_function: minLength: 1 title: Apc argument 1 function type: string apc_argument_1_module: minLength: 1 title: Apc argument 1 module type: string apc_routine: title: Apc routine type: integer apc_routine_function: minLength: 1 title: Apc routine function type: string apc_routine_module: minLength: 1 title: Apc routine module type: string target_thread_alertable: title: Target thread alertable type: boolean required: - apc_argument_1 - apc_argument_1_function - apc_argument_1_module - apc_routine - apc_routine_function - apc_routine_module - target_thread_alertable type: object ECSEtwTiNtAllocateVirtualMemory: properties: allocation_type: title: Allocation type type: integer allocation_type_str: minLength: 1 title: Allocation type str type: string base_address: title: Base address type: integer protection_mask: title: Protection mask type: integer protection_mask_str: minLength: 1 title: Protection mask str type: string region_size: title: Region size type: integer required: - allocation_type - allocation_type_str - base_address - protection_mask - protection_mask_str - region_size type: object ECSEtwTiNtMapViewOfSection: properties: allocation_type: title: Allocation type type: integer allocation_type_str: minLength: 1 title: Allocation type str type: string base_address: title: Base 
address type: integer protection_mask: title: Protection mask type: integer protection_mask_str: minLength: 1 title: Protection mask str type: string view_size: title: View size type: integer required: - allocation_type - allocation_type_str - base_address - protection_mask - protection_mask_str - view_size type: object ECSEtwTiNtProtectVirtualMemory: properties: base_address: title: Base address type: integer base_address_function: minLength: 1 title: Base address function type: string base_address_module: minLength: 1 title: Base address module type: string previous_protection_mask: title: Previous protection mask type: integer previous_protection_mask_str: minLength: 1 title: Previous protection mask str type: string protection_mask: title: Protection mask type: integer protection_mask_str: minLength: 1 title: Protection mask str type: string region_size: title: Region size type: integer required: - base_address - base_address_function - base_address_module - previous_protection_mask - previous_protection_mask_str - protection_mask - protection_mask_str - region_size type: object ECSEtwTiNtReadWriteVirtualMemory: properties: base_address: title: Base address type: integer base_address_function: minLength: 1 title: Base address function type: string base_address_module: minLength: 1 title: Base address module type: string length: title: Length type: integer required: - base_address - base_address_function - base_address_module - length type: object ECSEtwTiNtSetContextThread: properties: context_flags: title: Context flags type: integer context_flags_str: minLength: 1 title: Context flags str type: string context_mask: title: Context mask type: integer frame_ptr_address: title: Frame ptr address type: integer frame_ptr_function: minLength: 1 title: Frame ptr function type: string frame_ptr_module: minLength: 1 title: Frame ptr module type: string instruction_ptr_address: title: Instruction ptr address type: integer instruction_ptr_function: minLength: 1 title: 
Instruction ptr function type: string instruction_ptr_module: minLength: 1 title: Instruction ptr module type: string reg0_address: title: Reg0 address type: integer reg0_function: minLength: 1 title: Reg0 function type: string reg0_module: minLength: 1 title: Reg0 module type: string reg1_address: title: Reg1 address type: integer reg1_function: minLength: 1 title: Reg1 function type: string reg1_module: minLength: 1 title: Reg1 module type: string reg2_address: title: Reg2 address type: integer reg2_function: minLength: 1 title: Reg2 function type: string reg2_module: minLength: 1 title: Reg2 module type: string reg3_address: title: Reg3 address type: integer reg4_address: title: Reg4 address type: integer reg5_address: title: Reg5 address type: integer reg6_address: title: Reg6 address type: integer reg6_function: minLength: 1 title: Reg6 function type: string reg6_module: minLength: 1 title: Reg6 module type: string reg7_address: title: Reg7 address type: integer reg7_function: minLength: 1 title: Reg7 function type: string reg7_module: minLength: 1 title: Reg7 module type: string stack_ptr_address: title: Stack ptr address type: integer stack_ptr_function: minLength: 1 title: Stack ptr function type: string stack_ptr_module: minLength: 1 title: Stack ptr module type: string required: - context_flags - context_flags_str - context_mask - frame_ptr_address - frame_ptr_function - frame_ptr_module - instruction_ptr_address - instruction_ptr_function - instruction_ptr_module - reg0_address - reg0_function - reg0_module - reg1_address - reg1_function - reg1_module - reg2_address - reg2_function - reg2_module - reg3_address - reg4_address - reg5_address - reg6_address - reg6_function - reg6_module - reg7_address - reg7_function - reg7_module - stack_ptr_address - stack_ptr_function - stack_ptr_module type: object ECSEvent: properties: category: minLength: 1 title: Category type: string created: format: date-time title: Created type: string kind: minLength: 1 title: 
Kind type: string type: minLength: 1 title: Type type: string required: - category - created - kind - type type: object ECSProcess: properties: entity_id: minLength: 1 title: Entity id type: string executable: minLength: 1 title: Executable type: string pid: title: Pid type: integer required: - entity_id - executable - pid type: object ECSProcessDuplicateHandle: properties: access: title: Access type: integer access_str: minLength: 1 title: Access str type: string is_self_destination: title: Is self destination type: boolean stack_trace: $ref: '#/definitions/ECSStackTrace' tid: title: Tid type: integer required: - access - access_str - is_self_destination - stack_trace - tid type: object ECSProcessPtrace: properties: options: title: Options type: integer options_str: minLength: 1 title: Options str type: string request: title: Request type: integer request_str: minLength: 1 title: Request str type: string target_is_child: title: Target is child type: boolean required: - options - options_str - request - request_str - target_is_child type: object ECSScheduledTask: properties: actions: items: $ref: '#/definitions/ECSScheduledTaskAction' type: array client_process_id: title: Client process id type: integer first_action_commandline: minLength: 1 title: First action commandline type: string is_remote: title: Is remote type: boolean number_of_actions: title: Number of actions type: integer number_of_triggers: title: Number of triggers type: integer operation: minLength: 1 title: Operation type: string path: minLength: 1 title: Path type: string principal: $ref: '#/definitions/ECSScheduledTaskPrincipal' priority: title: Priority type: integer process_image: minLength: 1 title: Process image type: string rpc_call_locality: title: Rpc call locality type: integer settings: $ref: '#/definitions/ECSScheduledTaskSettings' source_logon_id: title: Source logon id type: integer spawned_process_pid: title: Spawned process pid type: integer task_content: minLength: 1 title: Task 
content type: string task_name: minLength: 1 title: Task name type: string triggers: items: $ref: '#/definitions/ECSScheduledTaskTrigger' type: array required: - actions - client_process_id - first_action_commandline - is_remote - number_of_actions - number_of_triggers - operation - path - principal - priority - process_image - rpc_call_locality - settings - source_logon_id - spawned_process_pid - task_content - task_name - triggers type: object ECSScheduledTaskAction: properties: arguments: minLength: 1 title: Arguments type: string class_id: minLength: 1 title: Class id type: string command: minLength: 1 title: Command type: string command_line: minLength: 1 title: Command line type: string context: minLength: 1 title: Context type: string data: minLength: 1 title: Data type: string type: minLength: 1 title: Type type: string working_directory: minLength: 1 title: Working directory type: string required: - arguments - class_id - command - command_line - context - data - type - working_directory type: object ECSScheduledTaskPrincipal: properties: group_id: minLength: 1 title: Group id type: string logon_type: minLength: 1 title: Logon type type: string run_level: minLength: 1 title: Run level type: string user_id: minLength: 1 title: User id type: string required: - group_id - logon_type - run_level - user_id type: object ECSScheduledTaskSettings: properties: enabled: title: Enabled type: boolean execution_time_limit: minLength: 1 title: Execution time limit type: string hidden: title: Hidden type: boolean priority: title: Priority type: integer required: - enabled - execution_time_limit - hidden - priority type: object ECSScheduledTaskTrigger: properties: days_interval: title: Days interval type: integer days_of_month: items: type: integer type: array days_of_week: items: minLength: 1 type: string type: array delay: minLength: 1 title: Delay type: string enabled: title: Enabled type: boolean end_boundary: format: date-time title: End boundary type: string 
execution_time_limit: minLength: 1 title: Execution time limit type: string id: minLength: 1 title: Id type: string matching_element: minLength: 1 title: Matching element type: string month_days_of_week: items: minLength: 1 type: string type: array months: items: minLength: 1 type: string type: array number_of_occurrences: title: Number of occurrences type: integer period_of_occurrence: minLength: 1 title: Period of occurrence type: string random_delay: minLength: 1 title: Random delay type: string repeat_duration: minLength: 1 title: Repeat duration type: string repeat_interval: minLength: 1 title: Repeat interval type: string schedule_months: items: minLength: 1 type: string type: array start_boundary: format: date-time title: Start boundary type: string state_change: minLength: 1 title: State change type: string stop_at_duration_end: title: Stop at duration end type: boolean subscription: minLength: 1 title: Subscription type: string type: minLength: 1 title: Type type: string user_id: minLength: 1 title: User id type: string value_queries: items: minLength: 1 type: string type: array weeks: items: type: integer type: array weeks_interval: title: Weeks interval type: integer required: - days_interval - days_of_month - days_of_week - delay - enabled - end_boundary - execution_time_limit - id - matching_element - month_days_of_week - months - number_of_occurrences - period_of_occurrence - random_delay - repeat_duration - repeat_interval - schedule_months - start_boundary - state_change - stop_at_duration_end - subscription - type - user_id - value_queries - weeks - weeks_interval type: object ECSSource: properties: process: $ref: '#/definitions/ECSProcess' required: - process type: object ECSStackTrace: properties: full: minLength: 1 title: Full type: string minimal: minLength: 1 title: Minimal type: string raw: minLength: 1 title: Raw type: string required: - full - minimal - raw type: object ECSTarget: properties: process: $ref: '#/definitions/ECSProcess' 
required: - process type: object ECSTelemetry: properties: '@event_create_date': format: date-time title: '@event create date' type: string '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/InnerAgent' container: $ref: '#/definitions/ECSContainer' destination: $ref: '#/definitions/ECSDestination' etw_ti_ke_insert_queue_apc: $ref: '#/definitions/ECSEtwTiKeInsertQueueApc' etw_ti_nt_allocate_virtual_memory: $ref: '#/definitions/ECSEtwTiNtAllocateVirtualMemory' etw_ti_nt_map_view_of_section: $ref: '#/definitions/ECSEtwTiNtMapViewOfSection' etw_ti_nt_protect_virtual_memory: $ref: '#/definitions/ECSEtwTiNtProtectVirtualMemory' etw_ti_nt_read_virtual_memory: $ref: '#/definitions/ECSEtwTiNtReadWriteVirtualMemory' etw_ti_nt_set_context_thread: $ref: '#/definitions/ECSEtwTiNtSetContextThread' etw_ti_nt_write_virtual_memory: $ref: '#/definitions/ECSEtwTiNtReadWriteVirtualMemory' event: $ref: '#/definitions/ECSEvent' group: $ref: '#/definitions/InnerGroup' id: minLength: 1 title: Id type: string log_type: minLength: 1 title: Log type type: string origin_stack: $ref: '#/definitions/OriginStack' process: $ref: '#/definitions/ECSProcess' process_duplicate_handle: $ref: '#/definitions/ECSProcessDuplicateHandle' process_ptrace: $ref: '#/definitions/ECSProcessPtrace' scheduled_task: $ref: '#/definitions/ECSScheduledTask' source: $ref: '#/definitions/ECSSource' stack_trace: $ref: '#/definitions/ECSStackTrace' target: $ref: '#/definitions/ECSTarget' tenant: minLength: 1 title: Tenant type: string user: $ref: '#/definitions/ECSUser' win32k_get_async_key_state: $ref: '#/definitions/ECSWin32kGetAsyncKeyState' win32k_register_raw_input_devices: $ref: '#/definitions/ECSWin32kRegisterRawInputDevices' win32k_set_windows_hook_ex: $ref: '#/definitions/ECSWin32kSetWindowsHookEx' windows_service: $ref: '#/definitions/ECSWindowsService' required: - '@event_create_date' - '@timestamp' - agent - container - destination - etw_ti_ke_insert_queue_apc - 
etw_ti_nt_allocate_virtual_memory - etw_ti_nt_map_view_of_section - etw_ti_nt_protect_virtual_memory - etw_ti_nt_read_virtual_memory - etw_ti_nt_set_context_thread - etw_ti_nt_write_virtual_memory - event - group - id - log_type - process - process_duplicate_handle - process_ptrace - scheduled_task - source - stack_trace - target - tenant - user - win32k_get_async_key_state - win32k_register_raw_input_devices - win32k_set_windows_hook_ex - windows_service type: object ECSUser: properties: domain: minLength: 1 title: Domain type: string id: minLength: 1 title: Id type: string name: minLength: 1 title: Name type: string required: - domain - id - name type: object ECSWin32kGetAsyncKeyState: properties: background_call_count: title: Background call count type: integer ms_since_last_keyevent: title: Ms since last keyevent type: integer required: - background_call_count - ms_since_last_keyevent type: object ECSWin32kRegisterRawInputDevices: properties: flags: title: Flags type: integer flags_str: minLength: 1 title: Flags str type: string return_value: title: Return value type: integer start_address_allocation_protection: minLength: 1 title: Start address allocation protection type: string start_module_name: minLength: 1 title: Start module name type: string thread_info_flags: minLength: 1 title: Thread info flags type: string usage_id: title: Usage id type: integer usage_id_str: minLength: 1 title: Usage id str type: string usage_page: title: Usage page type: integer usage_page_str: minLength: 1 title: Usage page str type: string visible_windows_count: title: Visible windows count type: integer windows_count: title: Windows count type: integer required: - flags - flags_str - return_value - start_address_allocation_protection - start_module_name - thread_info_flags - usage_id - usage_id_str - usage_page - usage_page_str - visible_windows_count - windows_count type: object ECSWin32kSetWindowsHookEx: properties: filter_type: title: Filter type type: integer 
filter_type_str: minLength: 1 title: Filter type str type: string hook_function: minLength: 1 title: Hook function type: string hook_library: minLength: 1 title: Hook library type: string return_value: title: Return value type: integer required: - filter_type - filter_type_str - hook_function - hook_library - return_value type: object ECSWindowsService: properties: account: minLength: 1 title: Account type: string commandline: minLength: 1 title: Commandline type: string control_code_id: title: Control code id type: integer control_code_str: minLength: 1 title: Control code str type: string is_remote_operation: title: Is remote operation type: boolean name: minLength: 1 title: Name type: string operation: minLength: 1 title: Operation type: string start_type_id: title: Start type id type: integer start_type_str: minLength: 1 title: Start type str type: string type_id: title: Type id type: integer type_str: minLength: 1 title: Type str type: string required: - account - commandline - control_code_id - control_code_str - is_remote_operation - name - operation - start_type_id - start_type_str - type_id - type_str type: object ESILMIndicesPolicies: properties: alert__delete__max_count: minimum: 2 title: Alert delete max count type: integer x-nullable: true alert__delete__min_age: default: 90d minLength: 1 title: Alert delete min age type: string alert__hot__max_age: default: 30d minLength: 1 title: Alert hot max age type: string alert__hot__max_size: default: 50GB minLength: 1 title: Alert hot max size type: string alert_subevent__delete__max_count: minimum: 2 title: Alert subevent delete max count type: integer x-nullable: true alert_subevent__delete__min_age: default: 90d minLength: 1 title: Alert subevent delete min age type: string alert_subevent__hot__max_age: default: 30d minLength: 1 title: Alert subevent hot max age type: string alert_subevent__hot__max_size: default: 50GB minLength: 1 title: Alert subevent hot max size type: string auditlog__delete__max_count: 
minimum: 2 title: Auditlog delete max count type: integer x-nullable: true auditlog__delete__min_age: default: 180d minLength: 1 title: Auditlog delete min age type: string auditlog__hot__max_age: default: 30d minLength: 1 title: Auditlog hot max age type: string auditlog__hot__max_size: default: 50GB minLength: 1 title: Auditlog hot max size type: string experimental_alert__delete__max_count: minimum: 2 title: Experimental alert delete max count type: integer x-nullable: true experimental_alert__delete__min_age: default: 90d minLength: 1 title: Experimental alert delete min age type: string experimental_alert__hot__max_age: default: 30d minLength: 1 title: Experimental alert hot max age type: string experimental_alert__hot__max_size: default: 50GB minLength: 1 title: Experimental alert hot max size type: string hl-hlaimaliciousfile__delete__max_count: minimum: 2 title: Hl-hlaimaliciousfile delete max count type: integer x-nullable: true hl-hlaimaliciousfile__delete__min_age: default: 90d minLength: 1 title: Hl-hlaimaliciousfile delete min age type: string hl-hlaimaliciousfile__hot__max_age: default: 30d minLength: 1 title: Hl-hlaimaliciousfile hot max age type: string hl-hlaimaliciousfile__hot__max_size: default: 50GB minLength: 1 title: Hl-hlaimaliciousfile hot max size type: string hl-network_discovery__delete__max_count: minimum: 2 title: Hl-network discovery delete max count type: integer x-nullable: true hl-network_discovery__delete__min_age: default: 90d minLength: 1 title: Hl-network discovery delete min age type: string hl-network_discovery__hot__max_age: default: 30d minLength: 1 title: Hl-network discovery hot max age type: string hl-network_discovery__hot__max_size: default: 50GB minLength: 1 title: Hl-network discovery hot max size type: string log-agent-agentlog__delete__max_count: minimum: 2 title: Log-agent-agentlog delete max count type: integer x-nullable: true log-agent-agentlog__delete__min_age: default: 90d minLength: 1 title: 
Log-agent-agentlog delete min age type: string log-agent-agentlog__hot__max_age: default: 30d minLength: 1 title: Log-agent-agentlog hot max age type: string log-agent-agentlog__hot__max_size: default: 50GB minLength: 1 title: Log-agent-agentlog hot max size type: string log-agent-amsi_scan__delete__max_count: minimum: 2 title: Log-agent-amsi scan delete max count type: integer x-nullable: true log-agent-amsi_scan__delete__min_age: default: 90d minLength: 1 title: Log-agent-amsi scan delete min age type: string log-agent-amsi_scan__hot__max_age: default: 30d minLength: 1 title: Log-agent-amsi scan hot max age type: string log-agent-amsi_scan__hot__max_size: default: 50GB minLength: 1 title: Log-agent-amsi scan hot max size type: string log-agent-authentication__delete__max_count: minimum: 2 title: Log-agent-authentication delete max count type: integer x-nullable: true log-agent-authentication__delete__min_age: default: 90d minLength: 1 title: Log-agent-authentication delete min age type: string log-agent-authentication__hot__max_age: default: 30d minLength: 1 title: Log-agent-authentication hot max age type: string log-agent-authentication__hot__max_size: default: 50GB minLength: 1 title: Log-agent-authentication hot max size type: string log-agent-dns-resolution__delete__max_count: minimum: 2 title: Log-agent-dns-resolution delete max count type: integer x-nullable: true log-agent-dns-resolution__delete__min_age: default: 90d minLength: 1 title: Log-agent-dns-resolution delete min age type: string log-agent-dns-resolution__hot__max_age: default: 30d minLength: 1 title: Log-agent-dns-resolution hot max age type: string log-agent-dns-resolution__hot__max_size: default: 50GB minLength: 1 title: Log-agent-dns-resolution hot max size type: string log-agent-driverload__delete__max_count: minimum: 2 title: Log-agent-driverload delete max count type: integer x-nullable: true log-agent-driverload__delete__min_age: default: 90d minLength: 1 title: Log-agent-driverload 
delete min age type: string log-agent-driverload__hot__max_age: default: 30d minLength: 1 title: Log-agent-driverload hot max age type: string log-agent-driverload__hot__max_size: default: 50GB minLength: 1 title: Log-agent-driverload hot max size type: string log-agent-ecs_telemetries_normal__delete__max_count: minimum: 2 title: Log-agent-ecs telemetries normal delete max count type: integer x-nullable: true log-agent-ecs_telemetries_normal__delete__min_age: default: 90d minLength: 1 title: Log-agent-ecs telemetries normal delete min age type: string log-agent-ecs_telemetries_normal__hot__max_age: default: 30d minLength: 1 title: Log-agent-ecs telemetries normal hot max age type: string log-agent-ecs_telemetries_normal__hot__max_size: default: 50GB minLength: 1 title: Log-agent-ecs telemetries normal hot max size type: string log-agent-eventlog__delete__max_count: minimum: 2 title: Log-agent-eventlog delete max count type: integer x-nullable: true log-agent-eventlog__delete__min_age: default: 90d minLength: 1 title: Log-agent-eventlog delete min age type: string log-agent-eventlog__hot__max_age: default: 30d minLength: 1 title: Log-agent-eventlog hot max age type: string log-agent-eventlog__hot__max_size: default: 50GB minLength: 1 title: Log-agent-eventlog hot max size type: string log-agent-file__delete__max_count: minimum: 2 title: Log-agent-file delete max count type: integer x-nullable: true log-agent-file__delete__min_age: default: 90d minLength: 1 title: Log-agent-file delete min age type: string log-agent-file__hot__max_age: default: 30d minLength: 1 title: Log-agent-file hot max age type: string log-agent-file__hot__max_size: default: 50GB minLength: 1 title: Log-agent-file hot max size type: string log-agent-group_event__delete__max_count: minimum: 2 title: Log-agent-group event delete max count type: integer x-nullable: true log-agent-group_event__delete__min_age: default: 90d minLength: 1 title: Log-agent-group event delete min age type: string 
log-agent-group_event__hot__max_age: default: 30d minLength: 1 title: Log-agent-group event hot max age type: string log-agent-group_event__hot__max_size: default: 50GB minLength: 1 title: Log-agent-group event hot max size type: string log-agent-injectedthread__delete__max_count: minimum: 2 title: Log-agent-injectedthread delete max count type: integer x-nullable: true log-agent-injectedthread__delete__min_age: default: 90d minLength: 1 title: Log-agent-injectedthread delete min age type: string log-agent-injectedthread__hot__max_age: default: 30d minLength: 1 title: Log-agent-injectedthread hot max age type: string log-agent-injectedthread__hot__max_size: default: 50GB minLength: 1 title: Log-agent-injectedthread hot max size type: string log-agent-library_load__delete__max_count: minimum: 2 title: Log-agent-library load delete max count type: integer x-nullable: true log-agent-library_load__delete__min_age: default: 90d minLength: 1 title: Log-agent-library load delete min age type: string log-agent-library_load__hot__max_age: default: 30d minLength: 1 title: Log-agent-library load hot max age type: string log-agent-library_load__hot__max_size: default: 50GB minLength: 1 title: Log-agent-library load hot max size type: string log-agent-named_pipe__delete__max_count: minimum: 2 title: Log-agent-named pipe delete max count type: integer x-nullable: true log-agent-named_pipe__delete__min_age: default: 90d minLength: 1 title: Log-agent-named pipe delete min age type: string log-agent-named_pipe__hot__max_age: default: 30d minLength: 1 title: Log-agent-named pipe hot max age type: string log-agent-named_pipe__hot__max_size: default: 50GB minLength: 1 title: Log-agent-named pipe hot max size type: string log-agent-network__delete__max_count: minimum: 2 title: Log-agent-network delete max count type: integer x-nullable: true log-agent-network__delete__min_age: default: 90d minLength: 1 title: Log-agent-network delete min age type: string 
log-agent-network__hot__max_age: default: 30d minLength: 1 title: Log-agent-network hot max age type: string log-agent-network__hot__max_size: default: 50GB minLength: 1 title: Log-agent-network hot max size type: string log-agent-network_listen__delete__max_count: minimum: 2 title: Log-agent-network listen delete max count type: integer x-nullable: true log-agent-network_listen__delete__min_age: default: 90d minLength: 1 title: Log-agent-network listen delete min age type: string log-agent-network_listen__hot__max_age: default: 30d minLength: 1 title: Log-agent-network listen hot max age type: string log-agent-network_listen__hot__max_size: default: 50GB minLength: 1 title: Log-agent-network listen hot max size type: string log-agent-powershell__delete__max_count: minimum: 2 title: Log-agent-powershell delete max count type: integer x-nullable: true log-agent-powershell__delete__min_age: default: 90d minLength: 1 title: Log-agent-powershell delete min age type: string log-agent-powershell__hot__max_age: default: 30d minLength: 1 title: Log-agent-powershell hot max age type: string log-agent-powershell__hot__max_size: default: 50GB minLength: 1 title: Log-agent-powershell hot max size type: string log-agent-process__delete__max_count: minimum: 2 title: Log-agent-process delete max count type: integer x-nullable: true log-agent-process__delete__min_age: default: 90d minLength: 1 title: Log-agent-process delete min age type: string log-agent-process__hot__max_age: default: 30d minLength: 1 title: Log-agent-process hot max age type: string log-agent-process__hot__max_size: default: 50GB minLength: 1 title: Log-agent-process hot max size type: string log-agent-process_access__delete__max_count: minimum: 2 title: Log-agent-process access delete max count type: integer x-nullable: true log-agent-process_access__delete__min_age: default: 90d minLength: 1 title: Log-agent-process access delete min age type: string log-agent-process_access__hot__max_age: default: 30d 
minLength: 1 title: Log-agent-process access hot max age type: string log-agent-process_access__hot__max_size: default: 50GB minLength: 1 title: Log-agent-process access hot max size type: string log-agent-process_tamper__delete__max_count: minimum: 2 title: Log-agent-process tamper delete max count type: integer x-nullable: true log-agent-process_tamper__delete__min_age: default: 90d minLength: 1 title: Log-agent-process tamper delete min age type: string log-agent-process_tamper__hot__max_age: default: 30d minLength: 1 title: Log-agent-process tamper hot max age type: string log-agent-process_tamper__hot__max_size: default: 50GB minLength: 1 title: Log-agent-process tamper hot max size type: string log-agent-raw_device_access__delete__max_count: minimum: 2 title: Log-agent-raw device access delete max count type: integer x-nullable: true log-agent-raw_device_access__delete__min_age: default: 90d minLength: 1 title: Log-agent-raw device access delete min age type: string log-agent-raw_device_access__hot__max_age: default: 30d minLength: 1 title: Log-agent-raw device access hot max age type: string log-agent-raw_device_access__hot__max_size: default: 50GB minLength: 1 title: Log-agent-raw device access hot max size type: string log-agent-raw_socket_creation__delete__max_count: minimum: 2 title: Log-agent-raw socket creation delete max count type: integer x-nullable: true log-agent-raw_socket_creation__delete__min_age: default: 90d minLength: 1 title: Log-agent-raw socket creation delete min age type: string log-agent-raw_socket_creation__hot__max_age: default: 30d minLength: 1 title: Log-agent-raw socket creation hot max age type: string log-agent-raw_socket_creation__hot__max_size: default: 50GB minLength: 1 title: Log-agent-raw socket creation hot max size type: string log-agent-registry__delete__max_count: minimum: 2 title: Log-agent-registry delete max count type: integer x-nullable: true log-agent-registry__delete__min_age: default: 90d minLength: 1 title: 
Log-agent-registry delete min age type: string log-agent-registry__hot__max_age: default: 30d minLength: 1 title: Log-agent-registry hot max age type: string log-agent-registry__hot__max_size: default: 50GB minLength: 1 title: Log-agent-registry hot max size type: string log-agent-remotethread__delete__max_count: minimum: 2 title: Log-agent-remotethread delete max count type: integer x-nullable: true log-agent-remotethread__delete__min_age: default: 90d minLength: 1 title: Log-agent-remotethread delete min age type: string log-agent-remotethread__hot__max_age: default: 30d minLength: 1 title: Log-agent-remotethread hot max age type: string log-agent-remotethread__hot__max_size: default: 50GB minLength: 1 title: Log-agent-remotethread hot max size type: string log-agent-url_request__delete__max_count: minimum: 2 title: Log-agent-url request delete max count type: integer x-nullable: true log-agent-url_request__delete__min_age: default: 90d minLength: 1 title: Log-agent-url request delete min age type: string log-agent-url_request__hot__max_age: default: 30d minLength: 1 title: Log-agent-url request hot max age type: string log-agent-url_request__hot__max_size: default: 50GB minLength: 1 title: Log-agent-url request hot max size type: string log-agent-usb_activity__delete__max_count: minimum: 2 title: Log-agent-usb activity delete max count type: integer x-nullable: true log-agent-usb_activity__delete__min_age: default: 90d minLength: 1 title: Log-agent-usb activity delete min age type: string log-agent-usb_activity__hot__max_age: default: 30d minLength: 1 title: Log-agent-usb activity hot max age type: string log-agent-usb_activity__hot__max_size: default: 50GB minLength: 1 title: Log-agent-usb activity hot max size type: string log-agent-user_event__delete__max_count: minimum: 2 title: Log-agent-user event delete max count type: integer x-nullable: true log-agent-user_event__delete__min_age: default: 90d minLength: 1 title: Log-agent-user event delete min age type: 
string log-agent-user_event__hot__max_age: default: 30d minLength: 1 title: Log-agent-user event hot max age type: string log-agent-user_event__hot__max_size: default: 50GB minLength: 1 title: Log-agent-user event hot max size type: string log-agent-wmi_event__delete__max_count: minimum: 2 title: Log-agent-wmi event delete max count type: integer x-nullable: true log-agent-wmi_event__delete__min_age: default: 90d minLength: 1 title: Log-agent-wmi event delete min age type: string log-agent-wmi_event__hot__max_age: default: 30d minLength: 1 title: Log-agent-wmi event hot max age type: string log-agent-wmi_event__hot__max_size: default: 50GB minLength: 1 title: Log-agent-wmi event hot max size type: string resource__delete__max_count: minimum: 2 title: Resource delete max count type: integer x-nullable: true resource__delete__min_age: default: 3d minLength: 1 title: Resource delete min age type: string resource__hot__max_age: default: 1d minLength: 1 title: Resource hot max age type: string resource__hot__max_size: default: 50GB minLength: 1 title: Resource hot max size type: string whitelist-stats__delete__max_count: minimum: 2 title: Whitelist-stats delete max count type: integer x-nullable: true whitelist-stats__delete__min_age: default: 180d minLength: 1 title: Whitelist-stats delete min age type: string whitelist-stats__hot__max_age: default: 30d minLength: 1 title: Whitelist-stats hot max age type: string whitelist-stats__hot__max_size: default: 50GB minLength: 1 title: Whitelist-stats hot max size type: string type: object ESIndicesReplicas: properties: agg-alert: default: 1 minimum: 0 title: Agg-alert type: integer alert: default: 1 minimum: 0 title: Alert type: integer alert_subevent: default: 1 minimum: 0 title: Alert subevent type: integer auditlog: default: 1 minimum: 0 title: Auditlog type: integer experimental_alert: default: 1 minimum: 0 title: Experimental alert type: integer hl-binary: default: 3 minimum: 0 title: Hl-binary type: integer hl-case: 
default: 1 minimum: 0 title: Hl-case type: integer hl-config: default: 3 minimum: 0 title: Hl-config type: integer hl-externals: default: 3 minimum: 0 title: Hl-externals type: integer hl-hlaimaliciousfile: default: 1 minimum: 0 title: Hl-hlaimaliciousfile type: integer hl-investigation: default: 3 minimum: 0 title: Hl-investigation type: integer hl-library: default: 3 minimum: 0 title: Hl-library type: integer hl-log: default: 3 minimum: 0 title: Hl-log type: integer hl-migration: default: 3 minimum: 0 title: Hl-migration type: integer hl-network_discovery: default: 1 minimum: 0 title: Hl-network discovery type: integer hl-threaddump: default: 3 minimum: 0 title: Hl-threaddump type: integer hl-threat_intelligence: default: 3 minimum: 0 title: Hl-threat intelligence type: integer log-agent-agentlog: default: 1 minimum: 0 title: Log-agent-agentlog type: integer log-agent-amsi_scan: default: 1 minimum: 0 title: Log-agent-amsi scan type: integer log-agent-authentication: default: 1 minimum: 0 title: Log-agent-authentication type: integer log-agent-dns-resolution: default: 1 minimum: 0 title: Log-agent-dns-resolution type: integer log-agent-driverload: default: 1 minimum: 0 title: Log-agent-driverload type: integer log-agent-ecs_telemetries_normal: default: 1 minimum: 0 title: Log-agent-ecs telemetries normal type: integer log-agent-eventlog: default: 1 minimum: 0 title: Log-agent-eventlog type: integer log-agent-file: default: 1 minimum: 0 title: Log-agent-file type: integer log-agent-group_event: default: 1 minimum: 0 title: Log-agent-group event type: integer log-agent-injectedthread: default: 1 minimum: 0 title: Log-agent-injectedthread type: integer log-agent-library_load: default: 1 minimum: 0 title: Log-agent-library load type: integer log-agent-named_pipe: default: 1 minimum: 0 title: Log-agent-named pipe type: integer log-agent-network: default: 1 minimum: 0 title: Log-agent-network type: integer log-agent-network_listen: default: 1 minimum: 0 title: 
Log-agent-network listen type: integer log-agent-powershell: default: 1 minimum: 0 title: Log-agent-powershell type: integer log-agent-process: default: 1 minimum: 0 title: Log-agent-process type: integer log-agent-process_access: default: 1 minimum: 0 title: Log-agent-process access type: integer log-agent-process_tamper: default: 1 minimum: 0 title: Log-agent-process tamper type: integer log-agent-raw_device_access: default: 1 minimum: 0 title: Log-agent-raw device access type: integer log-agent-raw_socket_creation: default: 1 minimum: 0 title: Log-agent-raw socket creation type: integer log-agent-registry: default: 1 minimum: 0 title: Log-agent-registry type: integer log-agent-remotethread: default: 1 minimum: 0 title: Log-agent-remotethread type: integer log-agent-url_request: default: 1 minimum: 0 title: Log-agent-url request type: integer log-agent-usb_activity: default: 1 minimum: 0 title: Log-agent-usb activity type: integer log-agent-user_event: default: 1 minimum: 0 title: Log-agent-user event type: integer log-agent-wmi_event: default: 1 minimum: 0 title: Log-agent-wmi event type: integer resource: default: 1 minimum: 0 title: Resource type: integer whitelist-stats: default: 1 minimum: 0 title: Whitelist-stats type: integer type: object Edges: properties: class_name: minLength: 1 title: Class name type: string source: minLength: 1 title: Source type: string target: minLength: 1 title: Target type: string required: - class_name - source - target type: object EditAntivirusPolicy: properties: antivirus_slug: enum: - hurukaiav - windowsdefender title: Antivirus slug type: string description: title: Description type: string x-nullable: true hurukaiav: $ref: '#/definitions/HlAntivirus' id: format: uuid title: Id type: string name: maxLength: 256 minLength: 1 title: Name type: string windowsdefender: $ref: '#/definitions/WindowsDefender' required: - antivirus_slug - name type: object EditAssemblyline: properties: api_key: minLength: 1 title: Api key type: 
string x-nullable: true enabled: default: false title: Enabled type: boolean events_limit: default: false title: Events limit type: boolean events_limit_value: minimum: 1 title: Events limit value type: integer x-nullable: true hlai_alert: default: false title: Hlai alert type: boolean hlai_alert_level: default: medium enum: - critical - high - informational - low - medium title: Hlai alert level type: string ioc_alert: default: false title: Ioc alert type: boolean ioc_alert_level: default: medium enum: - critical - high - informational - low - medium title: Ioc alert level type: string limit_report_date: default: 7 minimum: 0 title: Limit report date type: integer ransom_alert: default: false title: Ransom alert type: boolean ransom_alert_level: default: medium enum: - critical - high - informational - low - medium title: Ransom alert level type: string scan_only_sec_events: default: false title: Scan only sec events type: boolean sigma_alert: default: false title: Sigma alert type: boolean sigma_alert_level: default: medium enum: - critical - high - informational - low - medium title: Sigma alert level type: string skip_signed_microsoft: default: true title: Skip signed microsoft type: boolean skip_signed_third_party: default: true title: Skip signed third party type: boolean url: minLength: 1 title: Url type: string x-nullable: true user: minLength: 1 title: User type: string x-nullable: true yara_alert: default: false title: Yara alert type: boolean yara_alert_level: default: medium enum: - critical - high - informational - low - medium title: Yara alert level type: string type: object EditBody: properties: comment: minLength: 1 title: Comment type: string id: minLength: 1 title: Id type: string required: - comment - id type: object EditCape: properties: api_key: minLength: 1 title: Api key type: string x-nullable: true enabled: default: false title: Enabled type: boolean events_limit: default: false title: Events limit type: boolean events_limit_value: 
minimum: 1 title: Events limit value type: integer x-nullable: true hlai_alert: default: false title: Hlai alert type: boolean hlai_alert_level: default: medium enum: - critical - high - informational - low - medium title: Hlai alert level type: string ioc_alert: default: false title: Ioc alert type: boolean ioc_alert_level: default: medium enum: - critical - high - informational - low - medium title: Ioc alert level type: string limit_report_date: default: 7 minimum: 0 title: Limit report date type: integer ransom_alert: default: false title: Ransom alert type: boolean ransom_alert_level: default: medium enum: - critical - high - informational - low - medium title: Ransom alert level type: string scan_only_sec_events: default: false title: Scan only sec events type: boolean sigma_alert: default: false title: Sigma alert type: boolean sigma_alert_level: default: medium enum: - critical - high - informational - low - medium title: Sigma alert level type: string skip_signed_microsoft: default: true title: Skip signed microsoft type: boolean skip_signed_third_party: default: true title: Skip signed third party type: boolean url: minLength: 1 title: Url type: string x-nullable: true validate_server_certificate: default: false title: Validate server certificate type: boolean yara_alert: default: false title: Yara alert type: boolean yara_alert_level: default: medium enum: - critical - high - informational - low - medium title: Yara alert level type: string type: object EditExportElastic: properties: basic_auth_password: minLength: 1 title: Basic auth password type: string x-nullable: true basic_auth_username: minLength: 1 title: Basic auth username type: string x-nullable: true enabled: default: false title: Enabled type: boolean hmac_header: minLength: 1 title: Hmac header type: string x-nullable: true hmac_prefix: minLength: 1 title: Hmac prefix type: string x-nullable: true hmac_secret: minLength: 1 title: Hmac secret type: string x-nullable: true http_header_name: 
minLength: 1 title: Http header name type: string x-nullable: true http_header_value: minLength: 1 title: Http header value type: string x-nullable: true logs: default: [] items: enum: - alert - amsi_scan - driverload - eventlog - file - group_event - injectedthread - library_load - named_pipe - network_listen - powershell - process - process_access - process_tamper - raw_device_access - registry - remotethread - url_request - usb_activity - user_event - wmi_event type: string type: array x-nullable: true ssl_verify: default: false title: Ssl verify type: boolean url: minLength: 1 title: Url type: string x-nullable: true use_basic_auth: default: false title: Use basic auth type: boolean use_hmac: default: false title: Use hmac type: boolean use_http_header: default: false title: Use http header type: boolean type: object EditExportSecops: properties: api_key: minLength: 1 title: Api key type: string x-nullable: true enabled: default: false title: Enabled type: boolean logs: default: [] items: enum: - alert - authentication - dns_resolution - experimental_alert - file - informational_alert - injectedthread - library_load - network - network_listen - process - raw_socket_creation - remotethread - url_request type: string type: array x-nullable: true ssl_verify: default: false title: Ssl verify type: boolean url: minLength: 1 title: Url type: string x-nullable: true webhook_access_key: minLength: 1 title: Webhook access key type: string x-nullable: true type: object EditExportSplunk: properties: enabled: default: false title: Enabled type: boolean logs: default: [] items: enum: - alert - authentication - dns_resolution - experimental_alert - file - informational_alert - injectedthread - library_load - network - network_listen - process - raw_socket_creation - remotethread - url_request type: string type: array x-nullable: true ssl_verify: default: false title: Ssl verify type: boolean token: minLength: 1 title: Token type: string x-nullable: true url: minLength: 1 
title: Url type: string x-nullable: true type: object EditGlimps: properties: api_key: minLength: 1 title: Api key type: string x-nullable: true enabled: default: false title: Enabled type: boolean events_limit: default: false title: Events limit type: boolean events_limit_value: minimum: 1 title: Events limit value type: integer x-nullable: true hlai_alert: default: false title: Hlai alert type: boolean hlai_alert_level: default: medium enum: - critical - high - informational - low - medium title: Hlai alert level type: string ioc_alert: default: false title: Ioc alert type: boolean ioc_alert_level: default: medium enum: - critical - high - informational - low - medium title: Ioc alert level type: string limit_report_date: default: 7 minimum: 0 title: Limit report date type: integer ransom_alert: default: false title: Ransom alert type: boolean ransom_alert_level: default: medium enum: - critical - high - informational - low - medium title: Ransom alert level type: string scan_only_sec_events: default: false title: Scan only sec events type: boolean sigma_alert: default: false title: Sigma alert type: boolean sigma_alert_level: default: medium enum: - critical - high - informational - low - medium title: Sigma alert level type: string skip_signed_microsoft: default: true title: Skip signed microsoft type: boolean skip_signed_third_party: default: true title: Skip signed third party type: boolean url: minLength: 1 title: Url type: string x-nullable: true validate_server_certificate: default: false title: Validate server certificate type: boolean yara_alert: default: false title: Yara alert type: boolean yara_alert_level: default: medium enum: - critical - high - informational - low - medium title: Yara alert level type: string type: object EditIrma: properties: auto_query: default: false title: Auto query type: boolean enabled: default: false title: Enabled type: boolean irma_url_api: minLength: 1 title: Irma url api type: string x-nullable: true 
skip_signed_microsoft: default: true title: Skip signed microsoft type: boolean skip_signed_third_party: default: true title: Skip signed third party type: boolean type: object EditMisp: properties: enabled: default: false title: Enabled type: boolean ids_only: default: false title: Ids only type: boolean key: minLength: 1 title: Key type: string x-nullable: true poll_interval: default: 15 minimum: 0 title: Poll interval type: integer pull_ioc: default: false title: Pull ioc type: boolean pull_sigma: default: false title: Pull sigma type: boolean pull_whitelist: default: true title: Pull whitelist type: boolean pull_yara: default: false title: Pull yara type: boolean sigma_override: default: false title: Sigma override type: boolean target_ioc_source: default: misp_ioc minLength: 1 title: Target ioc source type: string target_sigma_source: default: misp_sigma minLength: 1 title: Target sigma source type: string target_yara_source: default: misp_yara minLength: 1 title: Target yara source type: string tls_verify: default: false title: Tls verify type: boolean url: minLength: 1 title: Url type: string x-nullable: true type: object EditOrion: properties: api_key: minLength: 1 title: Api key type: string x-nullable: true enabled: default: false title: Enabled type: boolean events_limit: default: false title: Events limit type: boolean events_limit_value: minimum: 1 title: Events limit value type: integer x-nullable: true hlai_alert: default: false title: Hlai alert type: boolean hlai_alert_level: default: medium enum: - critical - high - informational - low - medium title: Hlai alert level type: string ioc_alert: default: false title: Ioc alert type: boolean ioc_alert_level: default: medium enum: - critical - high - informational - low - medium title: Ioc alert level type: string limit_report_date: default: 7 minimum: 0 title: Limit report date type: integer minimal_level: default: severe enum: - high - low - medium - safe - severe title: Minimal level type: string 
ransom_alert: default: false title: Ransom alert type: boolean ransom_alert_level: default: medium enum: - critical - high - informational - low - medium title: Ransom alert level type: string scan_only_sec_events: default: false title: Scan only sec events type: boolean sigma_alert: default: false title: Sigma alert type: boolean sigma_alert_level: default: medium enum: - critical - high - informational - low - medium title: Sigma alert level type: string skip_signed_microsoft: default: true title: Skip signed microsoft type: boolean skip_signed_third_party: default: true title: Skip signed third party type: boolean url: minLength: 1 title: Url type: string x-nullable: true validate_server_certificate: default: false title: Validate server certificate type: boolean visibility: default: private enum: - group - private - public title: Visibility type: string yara_alert: default: false title: Yara alert type: boolean yara_alert_level: default: medium enum: - critical - high - informational - low - medium title: Yara alert level type: string type: object EditProxy: properties: enabled: default: false title: Enabled type: boolean http: minLength: 1 title: Http type: string x-nullable: true https: minLength: 1 title: Https type: string x-nullable: true type: object EditThehive: properties: admin_api_key: minLength: 1 title: Admin api key type: string x-nullable: true api_key: minLength: 1 title: Api key type: string x-nullable: true enabled: default: false title: Enabled type: boolean skip_signed_microsoft: default: true title: Skip signed microsoft type: boolean skip_signed_third_party: default: true title: Skip signed third party type: boolean url: minLength: 1 title: Url type: string x-nullable: true validate_server_certificate: default: false title: Validate server certificate type: boolean type: object EditVirusTotal: properties: api_key: minLength: 1 title: Api key type: string x-nullable: true auto_query: default: false title: Auto query type: boolean enabled: 
default: false title: Enabled type: boolean events_limit: default: false title: Events limit type: boolean events_limit_value: minimum: 1 title: Events limit value type: integer x-nullable: true hlai_alert: default: false title: Hlai alert type: boolean hlai_alert_level: default: medium enum: - critical - high - informational - low - medium title: Hlai alert level type: string ioc_alert: default: false title: Ioc alert type: boolean ioc_alert_level: default: medium enum: - critical - high - informational - low - medium title: Ioc alert level type: string limit_report_date: default: 7 minimum: 0 title: Limit report date type: integer ransom_alert: default: false title: Ransom alert type: boolean ransom_alert_level: default: medium enum: - critical - high - informational - low - medium title: Ransom alert level type: string scan_only_sec_events: default: false title: Scan only sec events type: boolean sigma_alert: default: false title: Sigma alert type: boolean sigma_alert_level: default: medium enum: - critical - high - informational - low - medium title: Sigma alert level type: string skip_signed_microsoft: default: true title: Skip signed microsoft type: boolean skip_signed_third_party: default: true title: Skip signed third party type: boolean yara_alert: default: false title: Yara alert type: boolean yara_alert_level: default: medium enum: - critical - high - informational - low - medium title: Yara alert level type: string type: object EditWhitelistRule: properties: apply_retroactively: default: false title: Apply retroactively type: boolean comment: title: Comment type: string x-nullable: true correlation_embedded_rule_id: format: uuid title: Correlation embedded rule id type: string x-nullable: true correlation_rule_id: format: uuid title: Correlation rule id type: string x-nullable: true enabled: title: Enabled type: boolean expiration_date: format: date-time title: Expiration date type: string x-nullable: true security_event_from_status: default: - new 
items: enum: - closed - false_positive - investigating - new type: string type: array security_event_new_status: default: false_positive enum: - closed - false_positive - investigating title: Security event new status type: string sigma_rule_id: title: Sigma rule id type: string x-nullable: true target: enum: - all - cape - correlation - glimps - hlai - hlaiscripts - hurukaiav - ioc - kernelguard - orion - ransom - selfprotection - sidewatch - sigma - telemetry_amsi_scan - telemetry_authentication - telemetry_bpf - telemetry_dns_resolution - telemetry_driver_load - telemetry_etw_ti_ke_insert_queue_apc - telemetry_etw_ti_nt_allocate_virtual_memory - telemetry_etw_ti_nt_map_view_of_section - telemetry_etw_ti_nt_protect_virtual_memory - telemetry_etw_ti_nt_read_virtual_memory - telemetry_etw_ti_nt_resume_process - telemetry_etw_ti_nt_resume_thread - telemetry_etw_ti_nt_set_context_thread - telemetry_etw_ti_nt_suspend_process - telemetry_etw_ti_nt_suspend_thread - telemetry_etw_ti_nt_write_virtual_memory - telemetry_eventlog - telemetry_file - telemetry_group_event - telemetry_injected_thread - telemetry_kube_pod_event - telemetry_library_load - telemetry_named_pipe - telemetry_network - telemetry_network_listen - telemetry_powershell - telemetry_process - telemetry_process_access - telemetry_process_duplicate_handle - telemetry_process_ptrace - telemetry_process_tamper - telemetry_raw_device_access - telemetry_raw_socket_creation - telemetry_registry - telemetry_remote_thread - telemetry_scheduled_task - telemetry_url_request - telemetry_usb_activity - telemetry_user_event - telemetry_win32k_get_async_key_state - telemetry_win32k_register_raw_input_devices - telemetry_win32k_set_windows_hook_ex - telemetry_windows_service - telemetry_wmi_event - vt - yara - yara_memory title: Target type: string type: object ElfExport: properties: export_type: minLength: 1 title: Export type type: string name: minLength: 1 title: Name type: string required: - export_type - name type: 
object ElfReport: properties: elf_class: minLength: 1 title: Elf class type: string elf_object_type: minLength: 1 title: Elf object type type: string endian: minLength: 1 title: Endian type: string exports: items: $ref: '#/definitions/ElfExport' type: array interpreter: minLength: 1 title: Interpreter type: string sections: items: $ref: '#/definitions/ElfSection' type: array required: - elf_class - elf_object_type - endian - exports - interpreter - sections type: object ElfSection: properties: address: title: Address type: integer entropy: title: Entropy type: number md5: minLength: 1 title: Md5 type: string name: minLength: 1 title: Name type: string offset: title: Offset type: integer section_type: minLength: 1 title: Section type type: string size: title: Size type: integer required: - address - entropy - md5 - name - offset - section_type - size type: object EnableCveBulk: properties: enabled_ids: items: minLength: 1 type: string type: array failed_to_enable_ids: items: minLength: 1 type: string type: array required: - enabled_ids - failed_to_enable_ids type: object EndpointsPermissions: properties: agent_lifecycle: title: Agent lifecycle type: boolean agents: enum: - disabled - read_only - read_write title: Agents type: string endpoint_lifecycle: title: Endpoint lifecycle type: boolean policies: enum: - disabled - read_only - read_write title: Policies type: string required: - agent_lifecycle - agents - endpoint_lifecycle - policies type: object EntraId: properties: authority_url: minLength: 1 title: Authority url type: string x-nullable: true auto_scan_interval: default: PT23H minLength: 1 title: Auto scan interval type: string client_id: minLength: 1 title: Client id type: string x-nullable: true client_secret: minLength: 1 title: Client secret type: string x-nullable: true connector_type: enum: - assemblyline - base - cape - connector_misp - export - export_elastic - export_s3 - export_secops - export_splunk - glimps - irma - ldap_auth - orion - proxy - 
thehive - virustotal readOnly: true title: Connector type type: string description: minLength: 1 title: Description type: string x-nullable: true directory_name: minLength: 1 title: Directory name type: string x-nullable: true enable_auto_scan: default: true title: Enable auto scan type: boolean enable_group_creation: default: true title: Enable group creation type: boolean enable_unprotected_asset_detection: default: false title: Enable unprotected asset detection type: boolean enabled: default: false title: Enabled type: boolean id: minLength: 1 readOnly: true title: Id type: string last_modified: format: date-time readOnly: true title: Last modified type: string last_modifier: minLength: 1 readOnly: true title: Last modifier type: string missed_scans_before_delete: default: 4 minimum: 1 title: Missed scans before delete type: integer name: minLength: 1 title: Name type: string status: $ref: '#/definitions/ConfigConnectorStatus' tenant_id: minLength: 1 title: Tenant id type: string x-nullable: true type: default: entra_id enum: - entra_id readOnly: true title: Type type: string required: - name type: object x-nullable: true Environment: properties: '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/DataAgent' controlset: minLength: 1 title: Controlset type: string id: minLength: 1 title: Id type: string item_status: title: Item status type: integer job_id: minLength: 1 title: Job id type: string job_instance_action: minLength: 1 title: Job instance action type: string job_instance_id: minLength: 1 title: Job instance id type: string job_instance_task_id: title: Job instance task id type: integer name: minLength: 1 title: Name type: string tenant: minLength: 1 title: Tenant type: string timestamp: format: date-time title: Timestamp type: string username: minLength: 1 title: Username type: string value: minLength: 1 title: Value type: string required: - '@timestamp' - agent - controlset - id - item_status - job_id - 
job_instance_action - job_instance_id - job_instance_task_id - name - tenant - timestamp - username - value type: object EventLog: properties: '@event_create_date': format: date-time title: '@event create date' type: string '@timestamp': format: date-time title: '@timestamp' type: string computer_name: minLength: 1 title: Computer name type: string event_data: items: $ref: '#/definitions/KeyValueDoc' type: array event_date: format: date-time title: Event date type: string event_id: title: Event id type: integer id: minLength: 1 title: Id type: string keywords: items: minLength: 1 type: string type: array level: minLength: 1 title: Level type: string log_name: minLength: 1 title: Log name type: string log_type: minLength: 1 title: Log type type: string origin_stack: $ref: '#/definitions/OriginStack' pid: title: Pid type: integer process_id: title: Process id type: integer process_image_path: minLength: 1 title: Process image path type: string process_unique_id: minLength: 1 title: Process unique id type: string provider_guid: minLength: 1 title: Provider guid type: string record_number: title: Record number type: integer source_name: minLength: 1 title: Source name type: string thread_id: title: Thread id type: integer type: minLength: 1 title: Type type: string user: $ref: '#/definitions/EventUser' user_data: items: $ref: '#/definitions/KeyValueDoc' type: array required: - '@event_create_date' - '@timestamp' - computer_name - event_data - event_date - event_id - id - keywords - level - log_name - log_type - pid - process_id - process_image_path - process_unique_id - provider_guid - record_number - source_name - thread_id - type - user - user_data type: object EventStackTrace: properties: enabled_events: default: 0 minimum: 0 title: Enabled events type: integer x-nullable: true type: object EventUser: properties: domain: minLength: 1 title: Domain type: string identifier: minLength: 1 title: Identifier type: string name: minLength: 1 title: Name type: string type: 
minLength: 1 title: Type type: string required: - domain - identifier - name - type type: object EvidencePermissions: properties: prefetch: enum: - disabled - read_only - read_write title: Prefetch type: string required: - prefetch type: object Exception: properties: component: minLength: 1 title: Component type: string x-nullable: true count: description: Exception counter title: Count type: integer firstseen: description: Date of the first exception of this kind format: date-time title: Firstseen type: string hash: minLength: 1 title: Hash type: string x-nullable: true id: minLength: 1 title: Id type: string lastseen: description: Date of the last exception of this kind format: date-time title: Lastseen type: string tenant: minLength: 1 title: Tenant type: string x-nullable: true traceback: minLength: 1 title: Traceback type: string x-nullable: true required: - count - firstseen - id - lastseen type: object ExperimentalAlert: properties: '@event_create_date': format: date-time title: '@event create date' type: string '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/IndexedInnerAgent' aggregation_key: minLength: 1 title: Aggregation key type: string alert_subtype: minLength: 1 title: Alert subtype type: string alert_time: format: date-time title: Alert time type: string alert_type: enum: - cape - correlation - device_control - driver - glimps - hlai - hlaiscripts - hurukaiav - ioc - kernelguard - orion - ransom - selfprotection - sidewatch - sigma - vt - yara title: Alert type type: string alert_unique_id: minLength: 1 title: Alert unique id type: string av_detection_details: $ref: '#/definitions/AntivirusDetectionDetails' bpf: $ref: '#/definitions/ECSBpf' byovd_detection_details: $ref: '#/definitions/ByovdDetectionDetails' comm_port_tamper: $ref: '#/definitions/CommPortTamper' confidence: minLength: 1 title: Confidence type: string confidence_int: title: Confidence int type: integer correlation: $ref: 
'#/definitions/CorrelationInfo' date_closed: format: date-time title: Date closed type: string date_deisolated: format: date-time title: Date deisolated type: string date_false_positive: format: date-time title: Date false positive type: string date_investigating: format: date-time title: Date investigating type: string date_isolated: format: date-time title: Date isolated type: string date_new: format: date-time title: Date new type: string destination: $ref: '#/definitions/ECSDestination' details_amsi_scan: $ref: '#/definitions/DetailAmsiScan' details_connection: $ref: '#/definitions/DetailConnection' details_dns_resolution: $ref: '#/definitions/DetailDnsResolution' details_file: $ref: '#/definitions/DetailFile' details_library: $ref: '#/definitions/DetailLibrary' details_linux_filesystem_event: $ref: '#/definitions/DetailLinuxFilesystemEvent' details_macos_filesystem_event: $ref: '#/definitions/DetailMacosFilesystemEvent' details_named_pipe_connected: $ref: '#/definitions/DetailNamedPipeConnected' details_named_pipe_created: $ref: '#/definitions/DetailNamedPipeCreated' details_network_listen: $ref: '#/definitions/DetailNetworkListen' details_powershell: $ref: '#/definitions/DetailPowershell' details_primary_token_change: $ref: '#/definitions/DetailPrimaryTokenChange' details_process_access: $ref: '#/definitions/DetailProcessAccess' details_process_tamper: $ref: '#/definitions/DetailProcessTamper' details_raw_device_access: $ref: '#/definitions/DetailRawDeviceAccess' details_raw_socket_creation: $ref: '#/definitions/DetailRawSocketCreation' details_registry: $ref: '#/definitions/DetailRegistry' details_remotethread: $ref: '#/definitions/DetailRemoteThread' details_url_request: $ref: '#/definitions/DetailUrlRequest' details_usb_device_event: $ref: '#/definitions/DetailsUsbDeviceEvent' details_windows_filesystem_event: $ref: '#/definitions/DetailWindowsFilesystemEvent' detection: $ref: '#/definitions/AlertDetection' detection_date: format: date-time title: 
Detection date type: string detection_origin: minLength: 1 title: Detection origin type: string detection_timestamp: format: date-time title: Detection timestamp type: string driverload: $ref: '#/definitions/InnerDriverLoad' dse_tamper: $ref: '#/definitions/DseTamper' etw_ti_ke_insert_queue_apc: $ref: '#/definitions/ECSEtwTiKeInsertQueueApc' etw_ti_nt_allocate_virtual_memory: $ref: '#/definitions/ECSEtwTiNtAllocateVirtualMemory' etw_ti_nt_map_view_of_section: $ref: '#/definitions/ECSEtwTiNtMapViewOfSection' etw_ti_nt_protect_virtual_memory: $ref: '#/definitions/ECSEtwTiNtProtectVirtualMemory' etw_ti_nt_read_virtual_memory: $ref: '#/definitions/ECSEtwTiNtReadWriteVirtualMemory' etw_ti_nt_set_context_thread: $ref: '#/definitions/ECSEtwTiNtSetContextThread' etw_ti_nt_write_virtual_memory: $ref: '#/definitions/ECSEtwTiNtReadWriteVirtualMemory' event: $ref: '#/definitions/ECSEvent' event_session: $ref: '#/definitions/SessionInfo' eventlog: $ref: '#/definitions/InnerEventLog' execution: title: Execution type: integer firewall_self_protection: $ref: '#/definitions/FirewallSelfProtection' group_event: $ref: '#/definitions/InnerGroupEvent' groups: $ref: '#/definitions/InnerGroup' hlai_binaries_benchmark_data: $ref: '#/definitions/HlaiBinariesBenchmarkData' hlai_scripts_benchmark_data: $ref: '#/definitions/HlaiScriptsBenchmarkData' id: minLength: 1 title: Id type: string image_name: minLength: 1 title: Image name type: string ingestion_date: format: date-time title: Ingestion date type: string job_id: minLength: 1 title: Job id type: string kernel_callback: $ref: '#/definitions/KernelCallback' last_modifier_id: title: Last modifier id type: integer last_seen: format: date-time title: Last seen type: string last_status_update_is_automatic: title: Last status update is automatic type: boolean last_update: format: date-time title: Last update type: string level: minLength: 1 title: Level type: string level_int: title: Level int type: integer log_type: minLength: 1 title: Log 
type type: string maturity: minLength: 1 title: Maturity type: string missing_related_process: title: Missing related process type: boolean mitre_cells: items: minLength: 1 type: string type: array msg: minLength: 1 title: Msg type: string network: $ref: '#/definitions/InnerNetwork' origin_stack: $ref: '#/definitions/OriginStack' process: $ref: '#/definitions/InnerProcess' process_duplicate_handle: $ref: '#/definitions/ECSProcessDuplicateHandle' process_ptrace: $ref: '#/definitions/ECSProcessPtrace' process_session: $ref: '#/definitions/SessionInfo' quarantine: title: Quarantine type: integer quarantined_files: items: $ref: '#/definitions/QuarantinedFile' type: array ransomguard_canary_data: $ref: '#/definitions/RansomguardCanaryData' ransomguard_detection_type: minLength: 1 title: Ransomguard detection type type: string ransomguard_heuristic_data: $ref: '#/definitions/RansomguardHeuristicData' references: items: minLength: 1 type: string type: array rule_content: minLength: 1 title: Rule content type: string rule_id: minLength: 1 title: Rule id type: string rule_name: minLength: 1 title: Rule name type: string scheduled_task: $ref: '#/definitions/ECSScheduledTask' score: title: Score type: number sidewatch_detection_details: $ref: '#/definitions/SidewatchDetectionDetails' source: $ref: '#/definitions/ECSSource' stack_trace: $ref: '#/definitions/ECSStackTrace' status: minLength: 1 title: Status type: string status_history: items: $ref: '#/definitions/AlertStatusHistory' type: array tags: items: minLength: 1 type: string type: array target: $ref: '#/definitions/ECSTarget' tenant: minLength: 1 title: Tenant type: string thread: $ref: '#/definitions/InnerInjectedThread' threat_key: minLength: 1 title: Threat key type: string threat_type: minLength: 1 title: Threat type type: string threat_values: items: minLength: 1 type: string type: array user: $ref: '#/definitions/ECSUser' user_event: $ref: '#/definitions/InnerUserEvent' username: minLength: 1 title: Username type: 
string whitelisted_by: items: $ref: '#/definitions/WhitelistedByData' type: array win32k_get_async_key_state: $ref: '#/definitions/ECSWin32kGetAsyncKeyState' win32k_register_raw_input_devices: $ref: '#/definitions/ECSWin32kRegisterRawInputDevices' win32k_set_windows_hook_ex: $ref: '#/definitions/ECSWin32kSetWindowsHookEx' windows_service: $ref: '#/definitions/ECSWindowsService' wmi_event: $ref: '#/definitions/WmiEvent' required: - '@event_create_date' - '@timestamp' - aggregation_key - alert_subtype - alert_time - alert_type - alert_unique_id - bpf - confidence - confidence_int - date_closed - date_deisolated - date_false_positive - date_investigating - date_isolated - date_new - destination - detection - detection_date - detection_origin - detection_timestamp - etw_ti_ke_insert_queue_apc - etw_ti_nt_allocate_virtual_memory - etw_ti_nt_map_view_of_section - etw_ti_nt_protect_virtual_memory - etw_ti_nt_read_virtual_memory - etw_ti_nt_set_context_thread - etw_ti_nt_write_virtual_memory - event - execution - group_event - id - image_name - ingestion_date - job_id - last_modifier_id - last_seen - last_status_update_is_automatic - last_update - level - level_int - log_type - maturity - missing_related_process - mitre_cells - msg - process_duplicate_handle - process_ptrace - quarantine - ransomguard_detection_type - references - rule_content - rule_id - rule_name - scheduled_task - score - source - stack_trace - status - tags - target - tenant - threat_key - threat_type - threat_values - user - user_event - username - win32k_get_async_key_state - win32k_register_raw_input_devices - win32k_set_windows_hook_ex - windows_service type: object ExtractedFilesNode: properties: analysis_status: title: Analysis status type: integer binary_available: title: Binary available type: boolean contains_malware_configuration: title: Contains malware configuration type: boolean document_available: title: Document available type: boolean extracted: items: minLength: 1 type: string type: 
array sha256: minLength: 1 title: Sha256 type: string required: - analysis_status - binary_available - contains_malware_configuration - document_available - extracted - sha256 type: object ExtractedFilesTree: properties: tree: items: $ref: '#/definitions/ExtractedFilesNode' type: array required: - tree type: object ExtractedSpecialCategory: properties: category: minLength: 1 title: Category type: string count: title: Count type: integer strings: items: $ref: '#/definitions/ExtractedSpecialString' type: array required: - category - count - strings type: object ExtractedSpecialString: properties: encoding: minLength: 1 title: Encoding type: string offset: title: Offset type: integer string: minLength: 1 title: String type: string required: - encoding - offset - string type: object ExtractedString: properties: category: minLength: 1 title: Category type: string encoding: minLength: 1 title: Encoding type: string id: minLength: 1 title: Id type: string sha256: minLength: 1 title: Sha256 type: string string: minLength: 1 title: String type: string string_offset: title: String offset type: integer required: - category - encoding - id - sha256 - string - string_offset type: object FIMFileModificationPerLevelStatsResponse: properties: count: title: Count type: integer label: enum: - critical - high - low - medium title: Label type: string required: - count - label type: object FIMFileModificationPerTypeStatsResponse: properties: count: title: Count type: integer label: enum: - content - creation - deletion - error - initialization - metadata - metadata and content - type change title: Label type: string required: - count - label type: object FIMPolicyDuplicateQuery: properties: description: minLength: 1 title: Description type: string name: maxLength: 256 minLength: 1 title: Name type: string periodicity: $ref: '#/definitions/CreateSchedule' required: - name type: object FIMReportStatsResponse: properties: modifications_accepted_count: title: Modifications accepted count 
type: integer modifications_not_reviewed_count: title: Modifications not reviewed count type: integer modifications_rejected_count: title: Modifications rejected count type: integer report_processed_count: title: Report processed count type: integer required: - modifications_accepted_count - modifications_not_reviewed_count - modifications_rejected_count - report_processed_count type: object FIMStatsResponse: properties: count: title: Count type: integer label: minLength: 1 title: Label type: string required: - count - label type: object FeatureFlags: properties: FEATURE_UNPROTECTED_ASSETS: readOnly: true title: Feature unprotected assets type: boolean FF_AMSI: readOnly: true title: Ff amsi type: boolean FF_CHOCARD_AGENT: readOnly: true title: Ff chocard agent type: boolean FF_CLASSIC_AGGREGATOR: readOnly: true title: Ff classic aggregator type: boolean FF_CONDOR_PDF: readOnly: true title: Ff condor pdf type: boolean FF_CONDOR_VBA: readOnly: true title: Ff condor vba type: boolean FF_CONSOLE_UPGRADE: readOnly: true title: Ff console upgrade type: boolean FF_CORNEILLE: readOnly: true title: Ff corneille type: boolean FF_CORNEILLE_QUERY: readOnly: true title: Ff corneille query type: boolean FF_CORRELATION_ENGINE: readOnly: true title: Ff correlation engine type: boolean FF_DEBUG_JOB: readOnly: true title: Ff debug job type: boolean FF_DEFAULT_CONFIDENCE_RULESETS: readOnly: true title: Ff default confidence rulesets type: boolean FF_DOCUMENTS_AUTO_DOWNLOAD: readOnly: true title: Ff documents auto download type: boolean FF_FIM: readOnly: true title: Ff fim type: boolean FF_FIREWALL: readOnly: true title: Ff firewall type: boolean FF_GRAFANA: readOnly: true title: Ff grafana type: boolean FF_HLAI_WRITTEN_EXE: readOnly: true title: Ff hlai written exe type: boolean FF_IKARUS_THEME: readOnly: true title: Ff ikarus theme type: boolean FF_KUBE_SCANNING: readOnly: true title: Ff kube scanning type: boolean FF_LLM_CHAT: readOnly: true title: Ff llm chat type: boolean 
FF_LLM_ONE_SHOT_EXPLANATION: readOnly: true title: Ff llm one shot explanation type: boolean FF_MACOS_NETWORK_ISOLATION: readOnly: true title: Ff macos network isolation type: boolean FF_MACOS_NETWORK_TELEMETRIES: readOnly: true title: Ff macos network telemetries type: boolean FF_MT_ANTIVIRUS_POLICIES: readOnly: true title: Ff mt antivirus policies type: boolean FF_MT_CTI_RULESET: readOnly: true title: Ff mt cti ruleset type: boolean FF_MT_CTI_SOURCES_RULES: readOnly: true title: Ff mt cti sources rules type: boolean FF_MT_DEVICE_CONTROL_POLICIES: readOnly: true title: Ff mt device control policies type: boolean FF_MT_FIM_POLICIES: readOnly: true title: Ff mt fim policies type: boolean FF_MT_FIREWALL_POLICIES: readOnly: true title: Ff mt firewall policies type: boolean FF_MT_ROLES: readOnly: true title: Ff mt roles type: boolean FF_MT_THREATS: readOnly: true title: Ff mt threats type: boolean FF_NGAV_HURUKAI_ANTIVIRUS: readOnly: true title: Ff ngav hurukai antivirus type: boolean FF_NGAV_IKARUS_SIGQA: readOnly: true title: Ff ngav ikarus sigqa type: boolean FF_POLICY_SET: readOnly: true title: Ff policy set type: boolean FF_RANSOMGUARD_AUTO_BLACKLIST: readOnly: true title: Ff ransomguard auto blacklist type: boolean FF_REMOTE_SHELL: readOnly: true title: Ff remote shell type: boolean FF_REMOTE_SHELL_EXECUTABLE: readOnly: true title: Ff remote shell executable type: boolean FF_REMOTE_SHELL_STAFF_WRITE_ENABLED: readOnly: true title: Ff remote shell staff write enabled type: boolean FF_SUBNETV1: readOnly: true title: Ff subnetv1 type: boolean FF_SUBNETV2: readOnly: true title: Ff subnetv2 type: boolean FF_THREAT_AGGREGATOR: readOnly: true title: Ff threat aggregator type: boolean FF_USB_CONTROL: readOnly: true title: Ff usb control type: boolean FF_VULNERABILITY_SCANNING: readOnly: true title: Ff vulnerability scanning type: boolean FF_VULNERABILITY_SCANNING_LINUX: readOnly: true title: Ff vulnerability scanning linux type: boolean FF_YARA_ON_FILE: readOnly: true 
title: Ff yara on file type: boolean type: object Feedback: properties: comment: title: Comment type: string x-nullable: true creation_date: format: date-time readOnly: true title: Creation date type: string id: format: uuid readOnly: true title: Id type: string request: format: uuid title: Request type: string score: maximum: 1.0 minimum: -1.0 title: Score type: number x-nullable: true submitted: readOnly: true title: Submitted type: boolean required: - request type: object File: properties: '@event_create_date': format: date-time title: '@event create date' type: string '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/InnerAgent' app_zone_id: minLength: 1 title: App zone id type: string create_disposition: title: Create disposition type: integer create_disposition_str: minLength: 1 title: Create disposition str type: string create_options: title: Create options type: integer create_options_str: minLength: 1 title: Create options str type: string destination_path: minLength: 1 title: Destination path type: string event_id: title: Event id type: integer event_path: minLength: 1 title: Event path type: string first_bytes: minLength: 1 title: First bytes type: string gid: title: Gid type: integer groups: $ref: '#/definitions/InnerGroup' id: minLength: 1 title: Id type: string last_writer_package_family_name: minLength: 1 title: Last writer package family name type: string log_type: minLength: 1 title: Log type type: string mode: title: Mode type: integer mode_str: minLength: 1 title: Mode str type: string old_mode: title: Old mode type: integer old_mode_str: minLength: 1 title: Old mode str type: string operation: minLength: 1 title: Operation type: string origin_stack: $ref: '#/definitions/OriginStack' pid: title: Pid type: integer process_image_path: minLength: 1 title: Process image path type: string process_unique_id: minLength: 1 title: Process unique id type: string referrer_url: minLength: 1 title: Referrer url type: 
string source_ip_address: minLength: 1 title: Source ip address type: string source_url: minLength: 1 title: Source url type: string stacktrace: minLength: 1 title: Stacktrace type: string stacktrace_minimal: minLength: 1 title: Stacktrace minimal type: string tenant: minLength: 1 title: Tenant type: string tid: title: Tid type: integer uid: title: Uid type: integer url_zone: minLength: 1 title: Url zone type: string utc_time: format: date-time title: Utc time type: string written_file_size: title: Written file size type: integer zone_id: title: Zone id type: integer required: - '@event_create_date' - '@timestamp' - agent - app_zone_id - create_disposition - create_disposition_str - create_options - create_options_str - destination_path - event_id - event_path - first_bytes - gid - groups - id - last_writer_package_family_name - log_type - mode - mode_str - old_mode - old_mode_str - operation - pid - process_image_path - process_unique_id - referrer_url - source_ip_address - source_url - stacktrace - stacktrace_minimal - tenant - tid - uid - url_zone - utc_time - written_file_size - zone_id type: object FileAvailability: properties: downloaded: enum: - -1 - 0 - 1 - 2 - 3 - 255 readOnly: true title: Downloaded type: integer file_availability: enum: - 0 - 1 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - 255 readOnly: true title: File availability type: integer is_available: title: Is available type: boolean is_requestable: title: Is requestable type: boolean required: - is_available - is_requestable type: object FileDescriptor: properties: fd: title: Fd type: integer filepath: minLength: 1 title: Filepath type: string mode: minLength: 1 title: Mode type: string required: - fd - filepath - mode type: object FilepathDeleter: properties: filepath: minLength: 1 title: Filepath type: string required: - filepath type: object FilesBySource: properties: rules: items: $ref: '#/definitions/YaraInfo' type: array source: $ref: '#/definitions/YaraInfo' required: - rules - source type: object 
FirewallCodeDetailsResponse: properties: code: default: unknown_error enum: - default_policy_protection - default_profile_protection - endpoint_policy_not_found - multiple_network_deleted - multiple_policy_deleted - multiple_profile_deleted - network_in_use - network_update_failed - no_network_deleted - no_policy_deleted - no_profile_deleted - not_owned_network - not_owned_policy - not_owned_profile - ordering_mismatching_rule_count - ordering_wrong_rule_id - policy_in_use - policy_update_failed - policy_with_same_name_exists - profile_in_use - profile_update_failed - rule_update_failed - unknown_error title: Code type: string details: minLength: 1 title: Details type: string required: - details type: object FirewallIp: properties: fqdn: maxLength: 256 title: Fqdn type: string x-nullable: true id: format: uuid title: Id type: string mask: maximum: 2147483647 minimum: -2147483648 title: Mask type: integer x-nullable: true origin: minLength: 1 title: Origin type: string x-nullable: true to: minLength: 1 title: To type: string x-nullable: true type: enum: - CIDR - FQDN - IP - RANGE title: Type type: string x-nullable: true type: object FirewallNetworkBlock: properties: associated_ip: $ref: '#/definitions/FirewallIp' id: format: uuid title: Id type: string interface_type: maximum: 2147483647 minimum: 0 title: Interface type type: integer x-nullable: true tunnel_type: maximum: 2147483647 minimum: 0 title: Tunnel type type: integer x-nullable: true type: object FirewallNetworkName: properties: name: maxLength: 256 minLength: 1 title: Name type: string required: - name type: object FirewallPolicyIdAndName: properties: firewall_policy_id: format: uuid title: Firewall policy id type: string firewall_policy_name: minLength: 1 title: Firewall policy name type: string required: - firewall_policy_id - firewall_policy_name type: object FirewallPolicyName: properties: name: maxLength: 256 minLength: 1 title: Name type: string required: - name type: object FirewallPort: 
properties: id: format: uuid title: Id type: string origin: maximum: 65535 minimum: 0 title: Origin type: integer to: maximum: 65535 minimum: 0 title: To type: integer x-nullable: true type: enum: - PORT - RANGE title: Type type: string x-nullable: true required: - origin type: object FirewallProfile: properties: default_incoming_action: enum: - Allow - Drop - Reject title: Default incoming action type: string default_outgoing_action: enum: - Allow - Drop - Reject title: Default outgoing action type: string description: title: Description type: string x-nullable: true endpoints_count: readOnly: true title: Endpoints count type: integer id: format: uuid title: Id type: string name: maxLength: 256 minLength: 1 title: Name type: string origin_stack: $ref: '#/definitions/OriginStack' policies_count: readOnly: true title: Policies count type: integer rules_count: readOnly: true title: Rules count type: integer tenant: minLength: 1 readOnly: true title: Tenant type: string required: - name type: object FirewallProfileName: properties: name: maxLength: 256 minLength: 1 title: Name type: string required: - name type: object FirewallRuleName: properties: name: maxLength: 256 minLength: 1 title: Name type: string required: - name type: object FirewallSelfProtection: properties: eventtime_datetime: format: date-time title: Eventtime datetime type: string filter_description: minLength: 1 title: Filter description type: string filter_id: title: Filter id type: integer filter_name: minLength: 1 title: Filter name type: string provider_description: minLength: 1 title: Provider description type: string provider_name: minLength: 1 title: Provider name type: string provider_service_name: minLength: 1 title: Provider service name type: string required: - eventtime_datetime - filter_description - filter_id - filter_name - provider_description - provider_name - provider_service_name type: object FullEventLog: properties: '@event_create_date': format: date-time title: '@event create 
date' type: string '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/InnerAgent' computer_name: minLength: 1 title: Computer name type: string event_date: format: date-time title: Event date type: string event_id: title: Event id type: integer groups: $ref: '#/definitions/InnerGroup' id: minLength: 1 title: Id type: string keywords: items: minLength: 1 type: string type: array level: minLength: 1 title: Level type: string log_name: minLength: 1 title: Log name type: string log_type: minLength: 1 title: Log type type: string pid: title: Pid type: integer process_id: title: Process id type: integer process_image_path: minLength: 1 title: Process image path type: string process_unique_id: minLength: 1 title: Process unique id type: string provider_guid: minLength: 1 title: Provider guid type: string record_number: title: Record number type: integer source_name: minLength: 1 title: Source name type: string tenant: minLength: 1 title: Tenant type: string thread_id: title: Thread id type: integer type: minLength: 1 title: Type type: string user: $ref: '#/definitions/EventUser' required: - '@event_create_date' - '@timestamp' - agent - computer_name - event_date - event_id - groups - id - keywords - level - log_name - log_type - pid - process_id - process_image_path - process_unique_id - provider_guid - record_number - source_name - tenant - thread_id - type - user type: object GeoIP: properties: as_org: minLength: 1 title: As org type: string country_code: minLength: 1 title: Country code type: string country_name: minLength: 1 title: Country name type: string required: - as_org - country_code - country_name type: object GetAssemblyline: properties: api_key: minLength: 1 title: Api key type: string x-nullable: true enabled: default: false title: Enabled type: boolean events_limit: default: false title: Events limit type: boolean events_limit_value: minimum: 1 title: Events limit value type: integer x-nullable: true hlai_alert: 
default: false title: Hlai alert type: boolean hlai_alert_level: default: medium enum: - critical - high - informational - low - medium title: Hlai alert level type: string ioc_alert: default: false title: Ioc alert type: boolean ioc_alert_level: default: medium enum: - critical - high - informational - low - medium title: Ioc alert level type: string limit_report_date: default: 7 minimum: 0 title: Limit report date type: integer ransom_alert: default: false title: Ransom alert type: boolean ransom_alert_level: default: medium enum: - critical - high - informational - low - medium title: Ransom alert level type: string scan_only_sec_events: default: false title: Scan only sec events type: boolean sigma_alert: default: false title: Sigma alert type: boolean sigma_alert_level: default: medium enum: - critical - high - informational - low - medium title: Sigma alert level type: string skip_signed_microsoft: default: true title: Skip signed microsoft type: boolean skip_signed_third_party: default: true title: Skip signed third party type: boolean status: $ref: '#/definitions/ConfigConnectorStatus' url: minLength: 1 title: Url type: string x-nullable: true user: minLength: 1 title: User type: string x-nullable: true yara_alert: default: false title: Yara alert type: boolean yara_alert_level: default: medium enum: - critical - high - informational - low - medium title: Yara alert level type: string type: object GetCape: properties: api_key: minLength: 1 title: Api key type: string x-nullable: true enabled: default: false title: Enabled type: boolean events_limit: default: false title: Events limit type: boolean events_limit_value: minimum: 1 title: Events limit value type: integer x-nullable: true hlai_alert: default: false title: Hlai alert type: boolean hlai_alert_level: default: medium enum: - critical - high - informational - low - medium title: Hlai alert level type: string ioc_alert: default: false title: Ioc alert type: boolean ioc_alert_level: default: medium 
enum: - critical - high - informational - low - medium title: Ioc alert level type: string limit_report_date: default: 7 minimum: 0 title: Limit report date type: integer ransom_alert: default: false title: Ransom alert type: boolean ransom_alert_level: default: medium enum: - critical - high - informational - low - medium title: Ransom alert level type: string scan_only_sec_events: default: false title: Scan only sec events type: boolean sigma_alert: default: false title: Sigma alert type: boolean sigma_alert_level: default: medium enum: - critical - high - informational - low - medium title: Sigma alert level type: string skip_signed_microsoft: default: true title: Skip signed microsoft type: boolean skip_signed_third_party: default: true title: Skip signed third party type: boolean status: $ref: '#/definitions/ConfigConnectorStatus' url: minLength: 1 title: Url type: string x-nullable: true validate_server_certificate: default: false title: Validate server certificate type: boolean yara_alert: default: false title: Yara alert type: boolean yara_alert_level: default: medium enum: - critical - high - informational - low - medium title: Yara alert level type: string type: object GetExport: properties: app_name: default: hurukai minLength: 1 title: App name type: string enabled: default: false title: Enabled type: boolean exclude_rule_content: default: false title: Exclude rule content type: boolean host: minLength: 1 title: Host type: string x-nullable: true logs: default: [] items: enum: - agent - agentlog - alert - amsi_scan - auditlog - authentication - bpf - connectionlog - dns_resolution - driverload - eventlog - experimental_alert - file - group - informational_alert - injectedthread - investigation - kube_pod_event - library_load - named_pipe - network - network_listen - powershell - process - process_access - process_duplicate_handle - process_ptrace - process_tamper - raw_device_access - raw_socket_creation - registry - remotethread - resource - 
scheduled_task - threat - url_request - usb_activity - user - win32k_get_async_key_state - win32k_register_raw_input_devices - win32k_set_windows_hook_ex - windows_service - wmi_event type: string type: array x-nullable: true port: maximum: 65535 minimum: 1 title: Port type: integer x-nullable: true protocol: enum: - ssl-tcp - tcp - udp title: Protocol type: string x-nullable: true rfc: enum: - rfc3164 - rfc5424 title: Rfc type: string x-nullable: true source_host: default: hurukai minLength: 1 title: Source host type: string ssl_cacert: minLength: 1 title: Ssl cacert type: string x-nullable: true ssl_cert: minLength: 1 title: Ssl cert type: string x-nullable: true ssl_key: minLength: 1 title: Ssl key type: string x-nullable: true ssl_verify: default: false title: Ssl verify type: boolean status: $ref: '#/definitions/ConfigConnectorStatus' structured_data: minLength: 1 title: Structured data type: string x-nullable: true type: object GetExportElastic: properties: basic_auth_password: minLength: 1 title: Basic auth password type: string x-nullable: true basic_auth_username: minLength: 1 title: Basic auth username type: string x-nullable: true enabled: default: false title: Enabled type: boolean hmac_header: minLength: 1 title: Hmac header type: string x-nullable: true hmac_prefix: minLength: 1 title: Hmac prefix type: string x-nullable: true hmac_secret: minLength: 1 title: Hmac secret type: string x-nullable: true http_header_name: minLength: 1 title: Http header name type: string x-nullable: true http_header_value: minLength: 1 title: Http header value type: string x-nullable: true logs: default: [] items: enum: - alert - amsi_scan - driverload - eventlog - file - group_event - injectedthread - library_load - named_pipe - network_listen - powershell - process - process_access - process_tamper - raw_device_access - registry - remotethread - url_request - usb_activity - user_event - wmi_event type: string type: array x-nullable: true ssl_verify: default: false 
title: Ssl verify type: boolean status: $ref: '#/definitions/ConfigConnectorStatus' url: minLength: 1 title: Url type: string x-nullable: true use_basic_auth: default: false title: Use basic auth type: boolean use_hmac: default: false title: Use hmac type: boolean use_http_header: default: false title: Use http header type: boolean type: object GetExportS3: properties: access_key: minLength: 1 title: Access key type: string x-nullable: true bucket: minLength: 1 title: Bucket type: string x-nullable: true enabled: default: false title: Enabled type: boolean logs: default: [] items: enum: - alert - authentication - dns_resolution - experimental_alert - file - informational_alert - injectedthread - library_load - network - network_listen - process - raw_socket_creation - remotethread - url_request type: string type: array x-nullable: true object_prefix: minLength: 1 title: Object prefix type: string x-nullable: true region: minLength: 1 title: Region type: string x-nullable: true secret_key: minLength: 1 title: Secret key type: string x-nullable: true ssl_cacert: minLength: 1 title: Ssl cacert type: string x-nullable: true ssl_cert: minLength: 1 title: Ssl cert type: string x-nullable: true ssl_key: minLength: 1 title: Ssl key type: string x-nullable: true ssl_verify: default: false title: Ssl verify type: boolean status: $ref: '#/definitions/ConfigConnectorStatus' url: minLength: 1 title: Url type: string x-nullable: true type: object GetExportSecops: properties: api_key: minLength: 1 title: Api key type: string x-nullable: true enabled: default: false title: Enabled type: boolean logs: default: [] items: enum: - alert - authentication - dns_resolution - experimental_alert - file - informational_alert - injectedthread - library_load - network - network_listen - process - raw_socket_creation - remotethread - url_request type: string type: array x-nullable: true ssl_verify: default: false title: Ssl verify type: boolean status: $ref: 
'#/definitions/ConfigConnectorStatus' url: minLength: 1 title: Url type: string x-nullable: true webhook_access_key: minLength: 1 title: Webhook access key type: string x-nullable: true type: object GetExportSplunk: properties: enabled: default: false title: Enabled type: boolean logs: default: [] items: enum: - alert - authentication - dns_resolution - experimental_alert - file - informational_alert - injectedthread - library_load - network - network_listen - process - raw_socket_creation - remotethread - url_request type: string type: array x-nullable: true ssl_verify: default: false title: Ssl verify type: boolean status: $ref: '#/definitions/ConfigConnectorStatus' token: minLength: 1 title: Token type: string x-nullable: true url: minLength: 1 title: Url type: string x-nullable: true type: object GetGlimps: properties: api_key: minLength: 1 title: Api key type: string x-nullable: true enabled: default: false title: Enabled type: boolean events_limit: default: false title: Events limit type: boolean events_limit_value: minimum: 1 title: Events limit value type: integer x-nullable: true hlai_alert: default: false title: Hlai alert type: boolean hlai_alert_level: default: medium enum: - critical - high - informational - low - medium title: Hlai alert level type: string ioc_alert: default: false title: Ioc alert type: boolean ioc_alert_level: default: medium enum: - critical - high - informational - low - medium title: Ioc alert level type: string limit_report_date: default: 7 minimum: 0 title: Limit report date type: integer ransom_alert: default: false title: Ransom alert type: boolean ransom_alert_level: default: medium enum: - critical - high - informational - low - medium title: Ransom alert level type: string scan_only_sec_events: default: false title: Scan only sec events type: boolean sigma_alert: default: false title: Sigma alert type: boolean sigma_alert_level: default: medium enum: - critical - high - informational - low - medium title: Sigma alert level 
type: string skip_signed_microsoft: default: true title: Skip signed microsoft type: boolean skip_signed_third_party: default: true title: Skip signed third party type: boolean status: $ref: '#/definitions/ConfigConnectorStatus' url: minLength: 1 title: Url type: string x-nullable: true validate_server_certificate: default: false title: Validate server certificate type: boolean yara_alert: default: false title: Yara alert type: boolean yara_alert_level: default: medium enum: - critical - high - informational - low - medium title: Yara alert level type: string type: object GetHives: properties: bSystemHives: title: Bsystemhives type: boolean bUsersHives: title: Busershives type: boolean bWantSlowPlugins: title: Bwantslowplugins type: boolean required: - bSystemHives - bUsersHives - bWantSlowPlugins type: object GetIrma: properties: auto_query: default: false title: Auto query type: boolean enabled: default: false title: Enabled type: boolean irma_url_api: minLength: 1 title: Irma url api type: string x-nullable: true skip_signed_microsoft: default: true title: Skip signed microsoft type: boolean skip_signed_third_party: default: true title: Skip signed third party type: boolean status: $ref: '#/definitions/ConfigConnectorStatus' type: object GetLDAPAuth: properties: active_directory_domain: title: Active directory domain type: string x-nullable: true base_dn: minLength: 1 title: Base dn type: string x-nullable: true ca_certifications: minLength: 1 title: Ca certifications type: string x-nullable: true client_private_key: minLength: 1 title: Client private key type: string x-nullable: true client_public_key: minLength: 1 title: Client public key type: string x-nullable: true default_group: format: uuid title: Default group type: string x-nullable: true enabled: default: false title: Enabled type: boolean host: minLength: 1 title: Host type: string x-nullable: true port: maximum: 65535 minimum: 1 title: Port type: integer x-nullable: true search_account_password: 
minLength: 1 title: Search account password type: string x-nullable: true search_account_username: minLength: 1 title: Search account username type: string x-nullable: true status: $ref: '#/definitions/ConfigConnectorStatus' type: default: active_directory minLength: 1 title: Type type: string use_client_side_certs: default: false title: Use client side certs type: boolean use_tls: default: false title: Use tls type: boolean user_field_id: default: sAMAccountName minLength: 1 title: User field id type: string user_object_class: default: person minLength: 1 title: User object class type: string validate_server_certificate: title: Validate server certificate type: boolean required: - validate_server_certificate type: object GetMaintenanceNotice: properties: description: minLength: 1 readOnly: true title: Description type: string x-nullable: true end_date: format: date-time readOnly: true title: End date type: string title: minLength: 1 readOnly: true title: Title type: string x-nullable: true type: object GetMisp: properties: enabled: default: false title: Enabled type: boolean ids_only: default: false title: Ids only type: boolean key: minLength: 1 title: Key type: string x-nullable: true poll_interval: default: 15 minimum: 0 title: Poll interval type: integer pull_ioc: default: false title: Pull ioc type: boolean pull_sigma: default: false title: Pull sigma type: boolean pull_whitelist: default: true title: Pull whitelist type: boolean pull_yara: default: false title: Pull yara type: boolean sigma_override: default: false title: Sigma override type: boolean status: $ref: '#/definitions/ConfigConnectorStatus' target_ioc_source: default: misp_ioc minLength: 1 title: Target ioc source type: string target_sigma_source: default: misp_sigma minLength: 1 title: Target sigma source type: string target_yara_source: default: misp_yara minLength: 1 title: Target yara source type: string tls_verify: default: false title: Tls verify type: boolean url: minLength: 1 title: Url 
type: string x-nullable: true type: object GetOrion: properties: api_key: minLength: 1 title: Api key type: string x-nullable: true enabled: default: false title: Enabled type: boolean events_limit: default: false title: Events limit type: boolean events_limit_value: minimum: 1 title: Events limit value type: integer x-nullable: true hlai_alert: default: false title: Hlai alert type: boolean hlai_alert_level: default: medium enum: - critical - high - informational - low - medium title: Hlai alert level type: string ioc_alert: default: false title: Ioc alert type: boolean ioc_alert_level: default: medium enum: - critical - high - informational - low - medium title: Ioc alert level type: string limit_report_date: default: 7 minimum: 0 title: Limit report date type: integer minimal_level: default: severe enum: - high - low - medium - safe - severe title: Minimal level type: string ransom_alert: default: false title: Ransom alert type: boolean ransom_alert_level: default: medium enum: - critical - high - informational - low - medium title: Ransom alert level type: string scan_only_sec_events: default: false title: Scan only sec events type: boolean sigma_alert: default: false title: Sigma alert type: boolean sigma_alert_level: default: medium enum: - critical - high - informational - low - medium title: Sigma alert level type: string skip_signed_microsoft: default: true title: Skip signed microsoft type: boolean skip_signed_third_party: default: true title: Skip signed third party type: boolean status: $ref: '#/definitions/ConfigConnectorStatus' url: minLength: 1 title: Url type: string x-nullable: true validate_server_certificate: default: false title: Validate server certificate type: boolean visibility: default: private enum: - group - private - public title: Visibility type: string yara_alert: default: false title: Yara alert type: boolean yara_alert_level: default: medium enum: - critical - high - informational - low - medium title: Yara alert level type: string 
type: object GetProxy: properties: enabled: default: false title: Enabled type: boolean http: minLength: 1 title: Http type: string x-nullable: true https: minLength: 1 title: Https type: string x-nullable: true status: $ref: '#/definitions/ConfigConnectorStatus' type: object GetThehive: properties: admin_api_key: minLength: 1 title: Admin api key type: string x-nullable: true api_key: minLength: 1 title: Api key type: string x-nullable: true enabled: default: false title: Enabled type: boolean skip_signed_microsoft: default: true title: Skip signed microsoft type: boolean skip_signed_third_party: default: true title: Skip signed third party type: boolean status: $ref: '#/definitions/ConfigConnectorStatus' url: minLength: 1 title: Url type: string x-nullable: true validate_server_certificate: default: false title: Validate server certificate type: boolean type: object GetVirusTotal: properties: api_key: minLength: 1 title: Api key type: string x-nullable: true auto_query: default: false title: Auto query type: boolean enabled: default: false title: Enabled type: boolean events_limit: default: false title: Events limit type: boolean events_limit_value: minimum: 1 title: Events limit value type: integer x-nullable: true hlai_alert: default: false title: Hlai alert type: boolean hlai_alert_level: default: medium enum: - critical - high - informational - low - medium title: Hlai alert level type: string ioc_alert: default: false title: Ioc alert type: boolean ioc_alert_level: default: medium enum: - critical - high - informational - low - medium title: Ioc alert level type: string limit_report_date: default: 7 minimum: 0 title: Limit report date type: integer ransom_alert: default: false title: Ransom alert type: boolean ransom_alert_level: default: medium enum: - critical - high - informational - low - medium title: Ransom alert level type: string scan_only_sec_events: default: false title: Scan only sec events type: boolean sigma_alert: default: false title: Sigma 
alert type: boolean sigma_alert_level: default: medium enum: - critical - high - informational - low - medium title: Sigma alert level type: string skip_signed_microsoft: default: true title: Skip signed microsoft type: boolean skip_signed_third_party: default: true title: Skip signed third party type: boolean status: $ref: '#/definitions/ConfigConnectorStatus' yara_alert: default: false title: Yara alert type: boolean yara_alert_level: default: medium enum: - critical - high - informational - low - medium title: Yara alert level type: string type: object GetWhitelistRule: properties: comment: minLength: 1 readOnly: true title: Comment type: string x-nullable: true correlation_embedded_rule_id: format: uuid title: Correlation embedded rule id type: string x-nullable: true correlation_rule_id: format: uuid title: Correlation rule id type: string x-nullable: true correlation_rule_name: minLength: 1 readOnly: true title: Correlation rule name type: string creation_date: format: date-time readOnly: true title: Creation date type: string criteria: items: $ref: '#/definitions/GetWhitelistRuleCriteria' type: array criteria_list: items: minLength: 1 type: string readOnly: true type: array enabled: readOnly: true title: Enabled type: boolean expiration_date: format: date-time title: Expiration date type: string x-nullable: true id: format: uuid readOnly: true title: Id type: string is_applying: default: false title: Is applying type: boolean is_reverted: readOnly: true title: Is reverted type: boolean last_disabled_by: $ref: '#/definitions/HlSimpleUserSerializer' last_modifier: $ref: '#/definitions/HlSimpleUserSerializer' last_retroactivity: format: date-time readOnly: true title: Last retroactivity type: string x-nullable: true last_update: format: date-time readOnly: true title: Last update type: string origin_stack: $ref: '#/definitions/OriginStack' origin_stack_id: minLength: 1 readOnly: true title: Origin stack id type: string x-nullable: true orphan: default: false 
readOnly: true title: Orphan type: boolean provided_by_hlab: readOnly: true title: Provided by hlab type: boolean sigma_rule_id: title: Sigma rule id type: string x-nullable: true sigma_rule_name: minLength: 1 readOnly: true title: Sigma rule name type: string target: enum: - all - cape - correlation - glimps - hlai - hlaiscripts - hurukaiav - ioc - kernelguard - orion - ransom - selfprotection - sidewatch - sigma - telemetry_amsi_scan - telemetry_authentication - telemetry_bpf - telemetry_dns_resolution - telemetry_driver_load - telemetry_etw_ti_ke_insert_queue_apc - telemetry_etw_ti_nt_allocate_virtual_memory - telemetry_etw_ti_nt_map_view_of_section - telemetry_etw_ti_nt_protect_virtual_memory - telemetry_etw_ti_nt_read_virtual_memory - telemetry_etw_ti_nt_resume_process - telemetry_etw_ti_nt_resume_thread - telemetry_etw_ti_nt_set_context_thread - telemetry_etw_ti_nt_suspend_process - telemetry_etw_ti_nt_suspend_thread - telemetry_etw_ti_nt_write_virtual_memory - telemetry_eventlog - telemetry_file - telemetry_group_event - telemetry_injected_thread - telemetry_kube_pod_event - telemetry_library_load - telemetry_named_pipe - telemetry_network - telemetry_network_listen - telemetry_powershell - telemetry_process - telemetry_process_access - telemetry_process_duplicate_handle - telemetry_process_ptrace - telemetry_process_tamper - telemetry_raw_device_access - telemetry_raw_socket_creation - telemetry_registry - telemetry_remote_thread - telemetry_scheduled_task - telemetry_url_request - telemetry_usb_activity - telemetry_user_event - telemetry_win32k_get_async_key_state - telemetry_win32k_register_raw_input_devices - telemetry_win32k_set_windows_hook_ex - telemetry_windows_service - telemetry_wmi_event - vt - yara - yara_memory title: Target type: string usage_count_last_7_days: readOnly: true title: Usage count last 7 days type: integer required: - criteria - last_modifier type: object GetWhitelistRuleCriteria: properties: case_insensitive: default: false 
title: Case insensitive type: boolean field: minLength: 1 title: Field type: string id: format: uuid title: Id type: string operator: enum: - contains - eq - ncontains - neq - nwildcard - regex - wildcard title: Operator type: string sub_criteria: items: $ref: '#/definitions/WhitelistRuleSubCriterion' type: array x-nullable: true value: title: Value type: string required: - field type: object GlimpsScan: properties: external_link: minLength: 1 title: External link type: string is_malware: title: Is malware type: boolean malwares: items: minLength: 1 type: string type: array scan_date: format: date-time title: Scan date type: string score: title: Score type: integer required: - external_link - is_malware - malwares - scan_date - score type: object Group: properties: agent_count: readOnly: true title: Agent count type: integer description: title: Description type: string x-nullable: true display_name: minLength: 1 title: Display name type: string id: minLength: 1 readOnly: true title: Id type: string name: minLength: 1 title: Name type: string read_only: readOnly: true title: Read only type: boolean roles: items: $ref: '#/definitions/BasicRole' readOnly: true type: array source: enum: - active_directory - entra_id - user readOnly: true title: Source type: string source_name: minLength: 1 readOnly: true title: Source name type: string x-nullable: true required: - name type: object GroupEvent: properties: '@event_create_date': format: date-time title: '@event create date' type: string '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/InnerAgent' group_id: minLength: 1 title: Group id type: string group_name: minLength: 1 title: Group name type: string groups: $ref: '#/definitions/InnerGroup' id: minLength: 1 title: Id type: string log_type: minLength: 1 title: Log type type: string member_id: minLength: 1 title: Member id type: string member_name: minLength: 1 title: Member name type: string operation_type: minLength: 1 title: 
Operation type type: string origin_stack: $ref: '#/definitions/OriginStack' source_domain_name: minLength: 1 title: Source domain name type: string source_user_id: minLength: 1 title: Source user id type: string source_user_name: minLength: 1 title: Source user name type: string target_domain_name: minLength: 1 title: Target domain name type: string tenant: minLength: 1 title: Tenant type: string windows: $ref: '#/definitions/GroupEventWindows' required: - '@event_create_date' - '@timestamp' - agent - group_id - group_name - groups - id - log_type - member_id - member_name - operation_type - source_domain_name - source_user_id - source_user_name - target_domain_name - tenant - windows type: object GroupEventWindows: properties: new_group_type: minLength: 1 title: New group type type: string old_group_type: minLength: 1 title: Old group type type: string privilege_list: minLength: 1 title: Privilege list type: string sam_account_name: minLength: 1 title: Sam account name type: string sid_history: minLength: 1 title: Sid history type: string source_logon_id: title: Source logon id type: integer required: - new_group_type - old_group_type - privilege_list - sam_account_name - sid_history - source_logon_id type: object GroupsOIDCProvider: properties: group: maxLength: 256 minLength: 1 title: Group type: string priority: maximum: 2147483647 minimum: 1 title: Priority type: integer role: title: Role type: string x-nullable: true required: - group - priority type: object x-nullable: true Handle: properties: access_mask: title: Access mask type: integer object_name: minLength: 1 title: Object name type: string object_type: minLength: 1 title: Object type type: string value: title: Value type: integer required: - access_mask - object_name - object_type - value type: object Hashes: properties: imphash: minLength: 1 title: Imphash type: string md5: minLength: 1 title: Md5 type: string sha1: minLength: 1 title: Sha1 type: string sha256: minLength: 1 title: Sha256 type: string 
required: - imphash - md5 - sha1 - sha256 type: object HashesWithoutImphash: properties: md5: minLength: 1 title: Md5 type: string sha1: minLength: 1 title: Sha1 type: string sha256: minLength: 1 title: Sha256 type: string required: - md5 - sha1 - sha256 type: object Hibou: properties: enabled: default: false title: Enabled type: boolean experimental: default: true title: Experimental type: boolean minimal_level: default: critical enum: - critical - disabled - high - low - medium title: Minimal level type: string skip_signed_microsoft: default: true title: Skip signed microsoft type: boolean skip_signed_third_party: default: true title: Skip signed third party type: boolean type: object HibouCharacteristic: properties: data: minLength: 1 title: Data type: string description: minLength: 1 title: Description type: string identifier: minLength: 1 title: Identifier type: string label: minLength: 1 title: Label type: string type: minLength: 1 title: Type type: string value: title: Value type: number required: - data - description - identifier - label - type - value type: object HibouScan: properties: characteristics: items: $ref: '#/definitions/HibouCharacteristic' type: array score: title: Score type: number version: minLength: 1 title: Version type: string required: - characteristics - score - version type: object HighlightFeature: properties: creation_date: format: date title: Creation date type: string description: minLength: 1 title: Description type: string id: readOnly: true title: ID type: integer more_detail_url: minLength: 1 title: More detail url type: string x-nullable: true picture_url: minLength: 1 title: Picture url type: string x-nullable: true release: minLength: 1 title: Release type: string slug: format: slug maxLength: 50 minLength: 1 pattern: ^[-a-zA-Z0-9_]+$ title: Slug type: string title: minLength: 1 title: Title type: string required: - creation_date - description - release - slug - title type: object HistoryRecord: properties: action: enum: - 
add_comment - level_update - status_update - threat_closed - threat_created - threat_force_created - threat_reopened_by_aggregation - threat_reopened_by_status title: Action type: string comment: minLength: 1 readOnly: true title: Comment type: string x-nullable: true from_level: enum: - critical - high - low - medium readOnly: true title: From level type: string x-nullable: true from_status: enum: - closed - false_positive - investigating - new readOnly: true title: From status type: string x-nullable: true timestamp: format: date-time title: Timestamp type: string to_level: enum: - critical - high - low - medium readOnly: true title: To level type: string x-nullable: true to_status: enum: - closed - false_positive - investigating - new readOnly: true title: To status type: string x-nullable: true username: minLength: 1 readOnly: true title: Username type: string required: - action - timestamp type: object HistoryRecordList: properties: count: title: Count type: integer results: items: $ref: '#/definitions/HistoryRecord' type: array required: - count - results type: object HlAntivirus: properties: detection_mode: maximum: 2147483647 minimum: -2147483648 title: Detection mode type: integer enable_pua_detection: title: Enable pua detection type: boolean x-nullable: true enable_sigqa: title: Enable sigqa type: boolean x-nullable: true enable_usb_scan: title: Enable usb scan type: boolean x-nullable: true endpoint_user_can_run_scans: title: Endpoint user can run scans type: boolean x-nullable: true full_scan_schedule: $ref: '#/definitions/Schedule' id: format: uuid readOnly: true title: Id type: string max_filesize: maximum: 9223372036854775807 minimum: -9223372036854775808 title: Max filesize type: integer x-nullable: true maximum_usb_size: minimum: 1 title: Maximum usb size type: integer x-nullable: true path_exclusions: items: $ref: '#/definitions/PathExclusion' type: array quick_scan_schedule: $ref: '#/definitions/Schedule' replace_windows_defender: title: Replace 
windows defender type: boolean x-nullable: true scan_file_download: title: Scan file download type: boolean x-nullable: true scan_file_written_executable: title: Scan file written executable type: boolean x-nullable: true scan_libraries: title: Scan libraries type: boolean x-nullable: true skip_microsoft_signatures: title: Skip microsoft signatures type: boolean x-nullable: true skip_other_signatures: title: Skip other signatures type: boolean x-nullable: true type: object x-nullable: true HlSimpleUserSerializer: properties: id: readOnly: true title: ID type: integer username: description: Required. 150 characters or fewer. Letters, digits and @/./+/-/_ only. maxLength: 150 minLength: 1 pattern: ^[\w.@+-]+$ title: Username type: string required: - username type: object HlUserSerializer: properties: active_password_reset_link: $ref: '#/definitions/ActivePasswordResetLink' api_token: readOnly: true title: Api token type: string app_settings: title: App settings type: object created_by_sso: readOnly: true title: Created by sso type: string date_joined: format: date-time title: Date joined type: string enable_mfa: default: false title: Enable mfa type: boolean groups: items: type: integer type: array uniqueItems: true id: readOnly: true title: Id type: integer initial_mfa_state: readOnly: true title: Initial mfa state type: string is_active: default: true title: Is active type: boolean is_harfanglab_tech: readOnly: true title: Is harfanglab tech type: boolean last_login: format: date-time title: Last login type: string x-nullable: true mfa_enabled_globally: readOnly: true title: Mfa enabled globally type: boolean mfa_enabled_individually: readOnly: true title: Mfa enabled individually type: boolean mfa_is_enabled: readOnly: true title: Mfa is enabled type: string mfa_needs_activation: readOnly: true title: Mfa needs activation type: boolean password: minLength: 1 title: Password type: string permissions: items: $ref: '#/definitions/Permission' readOnly: true type: 
array roleId: format: uuid title: Roleid type: string role_count: readOnly: true title: Role count type: integer role_origin: $ref: '#/definitions/OriginStack' roles: items: $ref: '#/definitions/BasicRole' readOnly: true type: array set_harfanglab_tech: default: false title: Set harfanglab tech type: boolean tfa_is_activate: readOnly: true title: Tfa is activate type: boolean username: description: Required. 150 characters or fewer. Letters, digits and @/./+/-/_ only. maxLength: 150 minLength: 1 pattern: ^[\w.@+-]+$ title: Username type: string required: - username type: object HlaiBinariesBenchmarkData: properties: condor_model_type: minLength: 1 title: Condor model type type: string condor_prediction: title: Condor prediction type: number condor_version: minLength: 1 title: Condor version type: string hibou_error: minLength: 1 title: Hibou error type: string hibou_prediction: title: Hibou prediction type: number hibou_version: minLength: 1 title: Hibou version type: string required: - condor_model_type - condor_prediction - condor_version - hibou_error - hibou_prediction - hibou_version type: object HlaiCharacteristic: properties: data: minLength: 1 title: Data type: string description: minLength: 1 title: Description type: string identifier: minLength: 1 title: Identifier type: string label: minLength: 1 title: Label type: string type: minLength: 1 title: Type type: string value: title: Value type: number required: - data - description - identifier - label - type - value type: object HlaiScan: properties: characteristics: items: $ref: '#/definitions/HlaiCharacteristic' type: array score: title: Score type: number version: minLength: 1 title: Version type: string required: - characteristics - score - version type: object HlaiScriptsBenchmarkData: properties: chocard_version: minLength: 1 title: Chocard version type: string required: - chocard_version type: object HostPropertiesOSSupport: properties: host_properties_type: minLength: 1 title: Host properties type 
type: string supported_os: items: minLength: 1 type: string type: array required: - host_properties_type - supported_os type: object IOC: properties: '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/DataAgent' binaryinfo: $ref: '#/definitions/BinaryInfoWithPath' found_file: minLength: 1 title: Found file type: string found_registry_key: minLength: 1 title: Found registry key type: string found_registry_path: minLength: 1 title: Found registry path type: string found_registry_value: minLength: 1 title: Found registry value type: string hit_type: minLength: 1 title: Hit type type: string id: minLength: 1 title: Id type: string item_status: title: Item status type: integer job_id: minLength: 1 title: Job id type: string job_instance_action: minLength: 1 title: Job instance action type: string job_instance_id: minLength: 1 title: Job instance id type: string job_instance_task_id: title: Job instance task id type: integer search_value: minLength: 1 title: Search value type: string tenant: minLength: 1 title: Tenant type: string required: - '@timestamp' - agent - binaryinfo - found_file - found_registry_key - found_registry_path - found_registry_value - hit_type - id - item_status - job_id - job_instance_action - job_instance_id - job_instance_task_id - search_value - tenant type: object IOCConfig: properties: enabled: default: false title: Enabled type: boolean skip_signed_microsoft: default: true title: Skip signed microsoft type: boolean skip_signed_third_party: default: true title: Skip signed third party type: boolean type: object IOCImportResponse: properties: messages: items: minLength: 1 type: string type: array success: title: Success type: boolean required: - messages - success type: object IOCRule: properties: alert_count: readOnly: true title: Alert count type: integer block_on_agent: title: Block on agent type: boolean category: title: Category type: string x-nullable: true comment: title: Comment type: string 
x-nullable: true creation_date: format: date-time readOnly: true title: Creation date type: string description: title: Description type: string x-nullable: true effective_state: enum: - alert - backend_alert - block - disabled - quarantine readOnly: true title: Effective state type: string enabled: title: Enabled type: boolean endpoint_detection: title: Endpoint detection type: boolean global_state: enum: - alert - backend_alert - block - disabled - quarantine title: Global state type: string hl_local_testing_status: description: deprecated title: Hl local testing status type: string x-nullable: true hl_status: enum: - experimental - stable - testing title: Hl status type: string hl_testing_start_time: format: date-time readOnly: true title: Hl testing start time type: string id: minLength: 1 readOnly: true title: Id type: string info: title: Info type: string x-nullable: true last_modifier: $ref: '#/definitions/HlSimpleUserSerializer' last_update: format: date-time readOnly: true title: Last update type: string name: title: Name type: string origin_stack: $ref: '#/definitions/OriginStack' origin_stack_id: minLength: 1 readOnly: true title: Origin stack id type: string x-nullable: true quarantine_on_agent: title: Quarantine on agent type: boolean references: items: minLength: 1 title: References type: string type: array rule_confidence: enum: - moderate - strong - weak title: Rule confidence type: string x-nullable: true rule_confidence_override: enum: - moderate - strong - weak title: Rule confidence override type: string x-nullable: true rule_effective_confidence: enum: - moderate - strong - weak readOnly: true title: Rule effective confidence type: string rule_effective_level: enum: - critical - high - informational - low - medium readOnly: true title: Rule effective level type: string rule_level: enum: - critical - high - informational - low - medium readOnly: true title: Rule level type: string x-nullable: true rule_level_overridden: readOnly: true title: Rule 
level overridden type: boolean rule_level_override: enum: - critical - high - informational - low - medium title: Rule level override type: string x-nullable: true source: readOnly: true title: Source type: string source_id: minLength: 1 title: Source id type: string tenant: minLength: 1 readOnly: true title: Tenant type: string test_maturity_current_count: readOnly: true title: Test maturity current count type: integer test_maturity_delay: readOnly: true title: Test maturity delay type: integer test_maturity_threshold: readOnly: true title: Test maturity threshold type: integer type: enum: - domain_name - filename - filepath - hash - ip_both - ip_dst - ip_src - url title: Type type: string value: minLength: 1 title: Value type: string required: - source_id - type - value type: object IOCRulesetRule: properties: alert_count: readOnly: true title: Alert count type: integer block_on_agent: readOnly: true title: Block on agent type: boolean category: readOnly: true title: Category type: string x-nullable: true comment: readOnly: true title: Comment type: string x-nullable: true creation_date: format: date-time readOnly: true title: Creation date type: string description: readOnly: true title: Description type: string x-nullable: true effective_state: enum: - alert - backend_alert - block - disabled - quarantine readOnly: true title: Effective state type: string enabled: readOnly: true title: Enabled type: boolean endpoint_detection: readOnly: true title: Endpoint detection type: boolean global_state: enum: - alert - backend_alert - block - disabled - quarantine readOnly: true title: Global state type: string hl_status: enum: - experimental - stable - testing readOnly: true title: Hl status type: string hl_testing_start_time: format: date-time readOnly: true title: Hl testing start time type: string id: minLength: 1 readOnly: true title: Id type: string info: readOnly: true title: Info type: string x-nullable: true last_modifier: $ref: 
'#/definitions/HlSimpleUserSerializer' last_update: format: date-time readOnly: true title: Last update type: string name: readOnly: true title: Name type: string origin_stack: $ref: '#/definitions/OriginStack' origin_stack_id: minLength: 1 readOnly: true title: Origin stack id type: string x-nullable: true quarantine_on_agent: readOnly: true title: Quarantine on agent type: boolean references: items: minLength: 1 title: References type: string readOnly: true type: array rule_confidence: enum: - moderate - strong - weak readOnly: true title: Rule confidence type: string x-nullable: true rule_confidence_override: enum: - moderate - strong - weak readOnly: true title: Rule confidence override type: string x-nullable: true rule_effective_confidence: enum: - moderate - strong - weak readOnly: true title: Rule effective confidence type: string rule_effective_level: enum: - critical - high - informational - low - medium readOnly: true title: Rule effective level type: string rule_level: enum: - critical - high - informational - low - medium readOnly: true title: Rule level type: string x-nullable: true rule_level_overridden: readOnly: true title: Rule level overridden type: boolean rule_level_override: enum: - critical - high - informational - low - medium readOnly: true title: Rule level override type: string x-nullable: true ruleset_rule: $ref: '#/definitions/RulesetRuleSerializer' ruleset_rule_default: readOnly: true title: Ruleset rule default type: boolean source: readOnly: true title: Source type: string source_id: minLength: 1 readOnly: true title: Source id type: string state: enum: - alert - backend_alert - block - default - disabled - quarantine readOnly: true title: State type: string tenant: minLength: 1 readOnly: true title: Tenant type: string type: enum: - domain_name - filename - filepath - hash - ip_both - ip_dst - ip_src - url readOnly: true title: Type type: string value: minLength: 1 readOnly: true title: Value type: string type: object 
IOCRulesetSource: properties: alert_rule_count: default: 0 readOnly: true title: Alert rule count type: integer block_on_agent: title: Block on agent type: boolean block_rule_count: default: 0 readOnly: true title: Block rule count type: integer creation_date: format: date-time readOnly: true title: Creation date type: string default_rule_count: minimum: 0 readOnly: true title: Default rule count type: integer description: title: Description type: string disabled_rule_count: default: 0 readOnly: true title: Disabled rule count type: integer effective_state: enum: - alert - backend_alert - block - disabled - quarantine readOnly: true title: Effective state type: string enabled: title: Enabled type: boolean endpoint_detection: title: Endpoint detection type: boolean global_state: enum: - alert - backend_alert - block - disabled - quarantine title: Global state type: string id: minLength: 1 readOnly: true title: Id type: string ioc_count: default: 0 readOnly: true title: Ioc count type: integer ioc_experimental_count: default: 0 readOnly: true title: Ioc experimental count type: integer ioc_stable_count: default: 0 readOnly: true title: Ioc stable count type: integer ioc_testing_count: default: 0 readOnly: true title: Ioc testing count type: integer last_modifier: $ref: '#/definitions/HlSimpleUserSerializer' last_update: format: date-time readOnly: true title: Last update type: string name: maxLength: 100 minLength: 1 title: Name type: string new_rule_state: default: default enum: - alert - backend_alert - block - default - disabled - quarantine title: New rule state type: string origin_stack: $ref: '#/definitions/OriginStack' origin_stack_id: minLength: 1 readOnly: true title: Origin stack id type: string x-nullable: true quarantine_on_agent: title: Quarantine on agent type: boolean quarantine_rule_count: default: 0 readOnly: true title: Quarantine rule count type: integer rule_confidence_default: enum: - moderate - strong - weak title: Rule confidence default type: 
string rule_count: default: 0 readOnly: true title: Rule count type: integer rule_disabled_count: default: 0 readOnly: true title: Rule disabled count type: integer rule_enabled_count: default: 0 readOnly: true title: Rule enabled count type: integer rule_experimental_count: default: 0 readOnly: true title: Rule experimental count type: integer rule_level_default: enum: - critical - high - informational - low - medium title: Rule level default type: string rule_stable_count: default: 0 readOnly: true title: Rule stable count type: integer rule_testing_count: default: 0 readOnly: true title: Rule testing count type: integer ruleset_source: $ref: '#/definitions/RulesetSourceSerializer' ruleset_source_rule_default: $ref: '#/definitions/RulesetSourceRuleDefaultSerializer' state: default: default enum: - alert - backend_alert - block - default - disabled - force_inherit - quarantine title: State type: string tenant: minLength: 1 readOnly: true title: Tenant type: string required: - name type: object IOCScan: properties: values: items: $ref: '#/definitions/IOCScanItem' type: array required: - values type: object IOCScanItem: properties: global: title: Global type: boolean size: title: Size type: integer x-nullable: true type: enum: - fileDateCreate - fileDateModify - filename - filepath - hash - path - peCompileDate - regex - registry title: Type type: string value: minLength: 1 title: Value type: string required: - global - type - value type: object IOCSource: properties: block_on_agent: title: Block on agent type: boolean creation_date: format: date-time readOnly: true title: Creation date type: string description: title: Description type: string effective_state: enum: - alert - backend_alert - block - disabled - quarantine readOnly: true title: Effective state type: string enabled: title: Enabled type: boolean endpoint_detection: title: Endpoint detection type: boolean global_state: enum: - alert - backend_alert - block - disabled - quarantine title: Global state 
type: string id: minLength: 1 readOnly: true title: Id type: string ioc_count: default: 0 readOnly: true title: Ioc count type: integer ioc_experimental_count: default: 0 readOnly: true title: Ioc experimental count type: integer ioc_stable_count: default: 0 readOnly: true title: Ioc stable count type: integer ioc_testing_count: default: 0 readOnly: true title: Ioc testing count type: integer last_modifier: $ref: '#/definitions/HlSimpleUserSerializer' last_update: format: date-time readOnly: true title: Last update type: string name: maxLength: 100 minLength: 1 title: Name type: string origin_stack: $ref: '#/definitions/OriginStack' origin_stack_id: minLength: 1 readOnly: true title: Origin stack id type: string x-nullable: true quarantine_on_agent: title: Quarantine on agent type: boolean rule_confidence_default: enum: - moderate - strong - weak title: Rule confidence default type: string rule_count: default: 0 readOnly: true title: Rule count type: integer rule_disabled_count: default: 0 readOnly: true title: Rule disabled count type: integer rule_enabled_count: default: 0 readOnly: true title: Rule enabled count type: integer rule_experimental_count: default: 0 readOnly: true title: Rule experimental count type: integer rule_level_default: enum: - critical - high - informational - low - medium title: Rule level default type: string rule_stable_count: default: 0 readOnly: true title: Rule stable count type: integer rule_testing_count: default: 0 readOnly: true title: Rule testing count type: integer tenant: minLength: 1 readOnly: true title: Tenant type: string required: - name type: object IdComment: properties: id: minLength: 1 title: Id type: string required: - id type: object IdentityActiveDirectoryDevice: properties: details: $ref: '#/definitions/IdentityActiveDirectoryDeviceDetails' hostname: title: Hostname type: string x-nullable: true id: format: uuid title: Id type: string sid: title: Sid type: string x-nullable: true required: - details type: object 
IdentityActiveDirectoryDeviceDetails: properties: dns_host_name: title: Dns host name type: string x-nullable: true primary_group_id: maximum: 2147483647 minimum: -2147483648 title: Primary group id type: integer x-nullable: true sam_account_name: title: Sam account name type: string x-nullable: true when_changed: format: date-time title: When changed type: string when_created: format: date-time title: When created type: string required: - when_changed - when_created type: object IdentityDevice: properties: active_directory_details: $ref: '#/definitions/IdentityActiveDirectoryDeviceDetails' entra_id_details: $ref: '#/definitions/IdentityEntraIdDeviceDetails' hostname: title: Hostname type: string x-nullable: true id: format: uuid title: Id type: string sid: title: Sid type: string x-nullable: true required: - active_directory_details - entra_id_details type: object IdentityDomain: properties: id: format: uuid title: Id type: string type: object IdentityEntraIdDevice: properties: details: $ref: '#/definitions/IdentityEntraIdDeviceDetails' hostname: title: Hostname type: string x-nullable: true id: format: uuid title: Id type: string sid: title: Sid type: string x-nullable: true required: - details type: object IdentityEntraIdDeviceDetails: properties: account_enabled: title: Account enabled type: boolean x-nullable: true device_id: title: Device id type: string x-nullable: true operating_system: title: Operating system type: string x-nullable: true trust_type: title: Trust type type: string x-nullable: true type: object IdentityOrganizationalUnit: properties: description: title: Description type: string x-nullable: true external_display_name: title: External display name type: string x-nullable: true id: format: uuid title: Id type: string name: title: Name type: string x-nullable: true type: object ImageFileExecutionOption: properties: '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/DataAgent' binaryinfo: $ref: 
'#/definitions/BinaryInfoWithPath' id: minLength: 1 title: Id type: string item_status: title: Item status type: integer job_id: minLength: 1 title: Job id type: string job_instance_action: minLength: 1 title: Job instance action type: string job_instance_id: minLength: 1 title: Job instance id type: string job_instance_task_id: title: Job instance task id type: integer process_name: minLength: 1 title: Process name type: string tenant: minLength: 1 title: Tenant type: string timestamp: format: date-time title: Timestamp type: string type: minLength: 1 title: Type type: string username: minLength: 1 title: Username type: string value: minLength: 1 title: Value type: string wow64: title: Wow64 type: boolean required: - '@timestamp' - agent - binaryinfo - id - item_status - job_id - job_instance_action - job_instance_id - job_instance_task_id - process_name - tenant - timestamp - type - username - value - wow64 type: object Import: properties: dll: minLength: 1 title: Dll type: string functions: items: minLength: 1 type: string type: array required: - dll - functions type: object IndexedEventUser: properties: domain: minLength: 1 title: Domain type: string identifier: minLength: 1 title: Identifier type: string name: minLength: 1 title: Name type: string type: minLength: 1 title: Type type: string required: - domain - identifier - name - type type: object IndexedInnerAgent: properties: additional_info: $ref: '#/definitions/IndexedInnerAgentAdditionalInfo' agentid: minLength: 1 title: Agentid type: string distroid: minLength: 1 title: Distroid type: string dnsdomainname: minLength: 1 title: Dnsdomainname type: string domain: minLength: 1 title: Domain type: string domainname: minLength: 1 title: Domainname type: string hostname: minLength: 1 title: Hostname type: string ipaddress: minLength: 1 title: Ipaddress type: string osproducttype: minLength: 1 title: Osproducttype type: string ostype: minLength: 1 title: Ostype type: string osversion: minLength: 1 title: 
Osversion type: string producttype: minLength: 1 title: Producttype type: string version: minLength: 1 title: Version type: string required: - additional_info - agentid - distroid - dnsdomainname - domain - domainname - hostname - ipaddress - osproducttype - ostype - osversion - producttype - version type: object IndexedInnerAgentAdditionalInfo: properties: additional_info1: minLength: 1 title: Additional info1 type: string additional_info2: minLength: 1 title: Additional info2 type: string additional_info3: minLength: 1 title: Additional info3 type: string additional_info4: minLength: 1 title: Additional info4 type: string required: - additional_info1 - additional_info2 - additional_info3 - additional_info4 type: object IndexedInnerAgentDynamicFields: properties: additional_info: $ref: '#/definitions/AgentAdditionalInfoValues' antivirus_is_up_to_date: readOnly: true title: Antivirus is up to date type: boolean antivirus_last_update_date: format: date-time readOnly: true title: Antivirus last update date type: string x-nullable: true antivirus_name: minLength: 1 readOnly: true title: Antivirus name type: string x-nullable: true antivirus_policy_revision: readOnly: true title: Antivirus policy revision type: integer x-nullable: true antivirus_rules_last_update_date: format: date-time readOnly: true title: Antivirus rules last update date type: string x-nullable: true antivirus_rules_version: minLength: 1 readOnly: true title: Antivirus rules version type: string x-nullable: true antivirus_version: minLength: 1 readOnly: true title: Antivirus version type: string x-nullable: true application_count: readOnly: true title: Application count type: integer avg_av_cpu: readOnly: true title: Avg av cpu type: number x-nullable: true avg_av_memory: readOnly: true title: Avg av memory type: number x-nullable: true avg_cpu: readOnly: true title: Avg cpu type: number x-nullable: true avg_memory: readOnly: true title: Avg memory type: number x-nullable: true avg_system_cpu: 
readOnly: true title: Avg system cpu type: number x-nullable: true avg_system_memory: readOnly: true title: Avg system memory type: number x-nullable: true bitness: minLength: 1 readOnly: true title: Bitness type: string x-nullable: true boot_loop_protection_boot_count: readOnly: true title: Boot loop protection boot count type: integer x-nullable: true boot_loop_protection_end_date: format: date-time readOnly: true title: Boot loop protection end date type: string x-nullable: true cpu_count: readOnly: true title: Cpu count type: integer x-nullable: true cpu_frequency: readOnly: true title: Cpu frequency type: integer x-nullable: true description: minLength: 1 title: Description type: string x-nullable: true disk_count: readOnly: true title: Disk count type: integer distro_version_id: minLength: 1 readOnly: true title: Distro version id type: string x-nullable: true distroid: minLength: 1 readOnly: true title: Distroid type: string x-nullable: true dnsdomainname: minLength: 1 readOnly: true title: Dnsdomainname type: string x-nullable: true domain: minLength: 1 readOnly: true title: Domain type: string x-nullable: true domainname: minLength: 1 readOnly: true title: Domainname type: string x-nullable: true driver_enabled: readOnly: true title: Driver enabled type: boolean x-nullable: true driver_policy: readOnly: true title: Driver policy type: boolean x-nullable: true driver_version: minLength: 1 readOnly: true title: Driver version type: string x-nullable: true effective_antivirus_policy_id: minLength: 1 readOnly: true title: Effective antivirus policy id type: string x-nullable: true effective_antivirus_policy_revision: readOnly: true title: Effective antivirus policy revision type: integer x-nullable: true effective_antivirus_profile_id: readOnly: true title: Effective antivirus profile id type: string effective_antivirus_profile_revision: readOnly: true title: Effective antivirus profile revision type: integer effective_correlation_revision: readOnly: true 
title: Effective correlation revision type: integer x-nullable: true effective_device_control_policy_id: minLength: 1 readOnly: true title: Effective device control policy id type: string x-nullable: true effective_device_control_policy_revision: readOnly: true title: Effective device control policy revision type: integer x-nullable: true effective_driver_blocklists_revision: readOnly: true title: Effective driver blocklists revision type: integer x-nullable: true effective_fim_policy_id: minLength: 1 readOnly: true title: Effective fim policy id type: string x-nullable: true effective_fim_policy_revision: readOnly: true title: Effective fim policy revision type: integer x-nullable: true effective_firewall_policy_id: minLength: 1 readOnly: true title: Effective firewall policy id type: string x-nullable: true effective_firewall_policy_revision: readOnly: true title: Effective firewall policy revision type: integer x-nullable: true effective_ioc_revision: readOnly: true title: Effective ioc revision type: integer x-nullable: true effective_policy_id: minLength: 1 readOnly: true title: Effective policy id type: string x-nullable: true effective_policy_revision: readOnly: true title: Effective policy revision type: integer x-nullable: true effective_sigma_revision: readOnly: true title: Effective sigma revision type: integer x-nullable: true effective_usb_device_control_revision: readOnly: true title: Effective usb device control revision type: integer x-nullable: true effective_whitelist_revision: readOnly: true title: Effective whitelist revision type: integer x-nullable: true effective_yara_revision: readOnly: true title: Effective yara revision type: integer x-nullable: true encrypted_disk_count: readOnly: true title: Encrypted disk count type: integer entra_device_id: minLength: 1 title: Entra device id type: string x-nullable: true entra_join_type: maximum: 2147483647 minimum: -2147483648 title: Entra join type type: integer x-nullable: true entra_tenant_id: 
minLength: 1 title: Entra tenant id type: string x-nullable: true external_ipaddress: minLength: 1 readOnly: true title: External ipaddress type: string x-nullable: true firstseen: format: date-time readOnly: true title: Firstseen type: string x-nullable: true group_count: title: Group count type: integer groups: items: $ref: '#/definitions/BasicGroup' readOnly: true type: array hardware_address: minLength: 1 readOnly: true title: Hardware address type: string x-nullable: true has_valid_password: readOnly: true title: Has valid password type: boolean hostname: minLength: 1 readOnly: true title: Hostname type: string x-nullable: true id: format: uuid title: Id type: string installation_config: readOnly: true title: Installation config type: object installdate: minLength: 1 readOnly: true title: Installdate type: string x-nullable: true interface_count: readOnly: true title: Interface count type: integer ipaddress: minLength: 1 readOnly: true title: Ipaddress type: string x-nullable: true ipmask: minLength: 1 readOnly: true title: Ipmask type: string x-nullable: true is_obsolete: readOnly: true title: Is obsolete type: boolean is_ppl_antimalware: readOnly: true title: Is ppl antimalware type: boolean x-nullable: true isolation_policy: readOnly: true title: Isolation policy type: boolean x-nullable: true isolation_state: default: false title: Isolation state type: boolean last_upgrade_attempt: format: date-time readOnly: true title: Last upgrade attempt type: string x-nullable: true last_upgrade_success: format: date-time readOnly: true title: Last upgrade success type: string x-nullable: true lastseen: format: date-time readOnly: true title: Lastseen type: string x-nullable: true lastseen_error: format: date-time readOnly: true title: Lastseen error type: string x-nullable: true lastseen_warning: format: date-time readOnly: true title: Lastseen warning type: string x-nullable: true latest_vulnscan_date: format: date-time readOnly: true title: Latest vulnscan date 
type: string x-nullable: true local_admin_count: readOnly: true title: Local admin count type: integer local_group_count: readOnly: true title: Local group count type: integer local_user_count: readOnly: true title: Local user count type: integer machine_account_sid: minLength: 1 title: Machine account sid type: string x-nullable: true machine_boottime: format: date-time readOnly: true title: Machine boottime type: string x-nullable: true machine_serial: minLength: 1 readOnly: true title: Machine serial type: string x-nullable: true origin_stack: $ref: '#/definitions/OriginStack' os_install_date: format: date-time readOnly: true title: Os install date type: string osbuild: readOnly: true title: Osbuild type: integer x-nullable: true osid: minLength: 1 readOnly: true title: Osid type: string x-nullable: true osmajor: readOnly: true title: Osmajor type: integer x-nullable: true osminor: readOnly: true title: Osminor type: integer x-nullable: true osproducttype: minLength: 1 readOnly: true title: Osproducttype type: string x-nullable: true osrevision: readOnly: true title: Osrevision type: integer x-nullable: true ostype: minLength: 1 readOnly: true title: Ostype type: string x-nullable: true osversion: minLength: 1 readOnly: true title: Osversion type: string x-nullable: true pinned_version: minLength: 1 readOnly: true title: Pinned version type: string x-nullable: true policy: $ref: '#/definitions/PolicyAgentDetails' policy_set: $ref: '#/definitions/PolicySetPolicies' producttype: minLength: 1 readOnly: true title: Producttype type: string x-nullable: true quarantine_file_count: readOnly: true title: Quarantine file count type: integer quarantine_last_update: format: date-time readOnly: true title: Quarantine last update type: string x-nullable: true refresh_properties_status: enum: - ERROR - requesting_agent - update_processing - update_queued readOnly: true title: Refresh properties status type: string x-nullable: true refresh_quarantine_status: enum: - ERROR - 
requesting_agent - update_processing - update_queued readOnly: true title: Refresh quarantine status type: string x-nullable: true rollback_version: minLength: 1 readOnly: true title: Rollback version type: string x-nullable: true run_policy_automation: title: Run policy automation type: boolean x-nullable: true servicepack: minLength: 1 readOnly: true title: Servicepack type: string x-nullable: true should_change_id: default: false readOnly: true title: Should change id type: boolean starttime: format: date-time readOnly: true title: Starttime type: string status: enum: - access_denied - idle - offline - online readOnly: true title: Status type: string subnet: $ref: '#/definitions/SimpleSubnet' task_statuses: additionalProperties: additionalProperties: type: boolean type: object readOnly: true title: Task statuses type: object telemetry: additionalProperties: type: string x-nullable: true readOnly: true title: Telemetry type: object telemetry_last_update: format: date-time readOnly: true title: Telemetry last update type: string x-nullable: true tenant: minLength: 1 readOnly: true title: Tenant type: string total_memory: readOnly: true title: Total memory type: number x-nullable: true uninstall_status: readOnly: true title: Uninstall status type: integer x-nullable: true update_status: readOnly: true title: Update status type: integer x-nullable: true upgrade_consecutive_fail_count: readOnly: true title: Upgrade consecutive fail count type: integer x-nullable: true upgrade_failure_reason: minLength: 1 readOnly: true title: Upgrade failure reason type: string x-nullable: true upgrade_status: enum: - agent_lost - canceled - done - failed - in_progress - pending readOnly: true title: Upgrade status type: string x-nullable: true vdi_mode: enum: - hostname - mac - mac_and_hostname - unknown readOnly: true title: Vdi mode type: string version: minLength: 1 readOnly: true title: Version type: string x-nullable: true windows_groups_last_update: format: date-time readOnly: 
true title: Windows groups last update type: string x-nullable: true windows_users_last_update: format: date-time readOnly: true title: Windows users last update type: string x-nullable: true required: - id type: object IndexedKeyValueDoc: properties: key: minLength: 1 title: Key type: string value: minLength: 1 title: Value type: string required: - key - value type: object IndexedPEInfo: properties: authentihashes: $ref: '#/definitions/Authentihashes' company_name: minLength: 1 title: Company name type: string file_description: minLength: 1 title: File description type: string file_version: minLength: 1 title: File version type: string internal_name: minLength: 1 title: Internal name type: string legal_copyright: minLength: 1 title: Legal copyright type: string original_filename: minLength: 1 title: Original filename type: string pe_timestamp: format: date-time title: Pe timestamp type: string product_name: minLength: 1 title: Product name type: string product_version: minLength: 1 title: Product version type: string required: - authentihashes - company_name - file_description - file_version - internal_name - legal_copyright - original_filename - pe_timestamp - product_name - product_version type: object Info: properties: display_name: minLength: 1 title: Display name type: string issuer_name: minLength: 1 title: Issuer name type: string not_after: format: date-time title: Not after type: string not_before: format: date-time title: Not before type: string serial_number: minLength: 1 title: Serial number type: string thumbprint: minLength: 1 title: Thumbprint type: string thumbprint_sha256: minLength: 1 title: Thumbprint sha256 type: string required: - display_name - issuer_name - not_after - not_before - serial_number - thumbprint - thumbprint_sha256 type: object InfoPermissions: properties: drivers: enum: - disabled - read_only - read_write title: Drivers type: string list_directory_contents: enum: - disabled - read_only - read_write title: List directory 
contents type: string network_shares: enum: - disabled - read_only - read_write title: Network shares type: string pip_list: enum: - disabled - read_only - read_write title: Pip list type: string processes: enum: - disabled - read_only - read_write title: Processes type: string sessions: enum: - disabled - read_only - read_write title: Sessions type: string windows_kb: enum: - disabled - read_only - read_write title: Windows kb type: string required: - drivers - list_directory_contents - network_shares - pip_list - processes - sessions - windows_kb type: object InjectedThread: properties: '@event_create_date': format: date-time title: '@event create date' type: string '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/InnerAgent' groups: $ref: '#/definitions/InnerGroup' id: minLength: 1 title: Id type: string log_type: minLength: 1 title: Log type type: string origin_stack: $ref: '#/definitions/OriginStack' region_allocation_base: title: Region allocation base type: integer region_allocation_protect: title: Region allocation protect type: integer region_allocation_size: title: Region allocation size type: integer region_base_address: title: Region base address type: integer region_dump: minLength: 1 title: Region dump type: string region_dump_base: title: Region dump base type: integer region_protect: title: Region protect type: integer region_sha256: minLength: 1 title: Region sha256 type: string region_size: title: Region size type: integer region_state: title: Region state type: integer region_type: title: Region type type: integer source_image: minLength: 1 title: Source image type: string source_process_guid: minLength: 1 title: Source process guid type: string source_process_id: title: Source process id type: integer source_thread_id: title: Source thread id type: integer stacktrace: minLength: 1 title: Stacktrace type: string stacktrace_minimal: minLength: 1 title: Stacktrace minimal type: string start_address: 
title: Start address type: integer start_address_string: minLength: 1 title: Start address string type: string target_image: minLength: 1 title: Target image type: string target_process_guid: minLength: 1 title: Target process guid type: string target_process_id: title: Target process id type: integer target_thread_id: title: Target thread id type: integer tenant: minLength: 1 title: Tenant type: string thread_dump: minLength: 1 title: Thread dump type: string thread_sha256: minLength: 1 title: Thread sha256 type: string username: minLength: 1 title: Username type: string utc_time: format: date-time title: Utc time type: string required: - '@event_create_date' - '@timestamp' - agent - groups - id - log_type - region_allocation_base - region_allocation_protect - region_allocation_size - region_base_address - region_dump - region_dump_base - region_protect - region_sha256 - region_size - region_state - region_type - source_image - source_process_guid - source_process_id - source_thread_id - stacktrace - stacktrace_minimal - start_address - start_address_string - target_image - target_process_guid - target_process_id - target_thread_id - tenant - thread_dump - thread_sha256 - username - utc_time type: object InnerAgent: properties: additional_info: $ref: '#/definitions/InnerAgentAdditionalInfo' agentid: minLength: 1 title: Agentid type: string distroid: minLength: 1 title: Distroid type: string dnsdomainname: minLength: 1 title: Dnsdomainname type: string domain: minLength: 1 title: Domain type: string domainname: minLength: 1 title: Domainname type: string hostname: minLength: 1 title: Hostname type: string ipaddress: minLength: 1 title: Ipaddress type: string osproducttype: minLength: 1 title: Osproducttype type: string ostype: minLength: 1 title: Ostype type: string osversion: minLength: 1 title: Osversion type: string producttype: minLength: 1 title: Producttype type: string version: minLength: 1 title: Version type: string required: - additional_info - agentid - 
distroid - dnsdomainname - domain - domainname - hostname - ipaddress - osproducttype - ostype - osversion - producttype - version type: object InnerAgentAdditionalInfo: properties: additional_info1: minLength: 1 title: Additional info1 type: string additional_info2: minLength: 1 title: Additional info2 type: string additional_info3: minLength: 1 title: Additional info3 type: string additional_info4: minLength: 1 title: Additional info4 type: string required: - additional_info1 - additional_info2 - additional_info3 - additional_info4 type: object InnerChatFeedback: properties: comment: title: Comment type: string x-nullable: true creation_date: format: date-time readOnly: true title: Creation date type: string score: maximum: 1.0 minimum: -1.0 title: Score type: number x-nullable: true submitted: readOnly: true title: Submitted type: boolean type: object InnerChatRequest: properties: creation_date: format: date-time readOnly: true title: Creation date type: string enforce_tool: description: Force the LLM to use the named tool from this list when answering the request enum: - agent_list - analyze_security_event - driver_block_list - ioc - powershell - security_event_list - sigma - threat_list - yara title: Enforce tool type: string x-nullable: true feedback: $ref: '#/definitions/InnerChatFeedback' id: format: uuid title: Id type: string last_update: format: date-time readOnly: true title: Last update type: string locations: items: $ref: '#/definitions/AppLocationRead' type: array message: title: Message type: string response: title: Response type: string x-nullable: true response_failed: title: Response failed type: boolean response_finished: title: Response finished type: boolean response_urls: description: List of external URLs that accompany the LLM response. The schema only requires non-empty strings (no URI format check), so treat them as untrusted output and validate them before following or rendering them items: minLength: 1 title: Response urls type: string type: array x-nullable: true steps: description: List of the intermediate steps the LLM went through to answer the request, in the order they were taken items: minLength: 1 title: Steps type: string type: array x-nullable: true user: $ref: 
'#/definitions/HlSimpleUserSerializer' required: - id - locations type: object InnerCorrelationRule: properties: creation_date: format: date title: Creation date type: string x-nullable: true description: title: Description type: string x-nullable: true hl_silent: title: Hl silent type: boolean hl_status: enum: - experimental - stable - testing title: Hl status type: string x-nullable: true id: format: uuid title: Id type: string level: enum: - critical - high - informational - low - medium title: Level type: string x-nullable: true modified_date: format: date title: Modified date type: string x-nullable: true name: maxLength: 100 minLength: 1 title: Name type: string origin_stack: $ref: '#/definitions/OriginStack' origin_stack_id: maxLength: 64 minLength: 1 title: Origin stack id type: string x-nullable: true raw_tags: items: maxLength: 256 minLength: 1 title: Raw tags type: string type: array rule_confidence: enum: - moderate - strong - weak title: Rule confidence type: string x-nullable: true status: title: Status type: string x-nullable: true tenant: minLength: 1 readOnly: true title: Tenant type: string required: - id - name type: object InnerDriverLoad: properties: agent: $ref: '#/definitions/IndexedInnerAgent' groups: $ref: '#/definitions/InnerGroup' hashes: $ref: '#/definitions/Hashes' imagebase: title: Imagebase type: integer imagename: minLength: 1 title: Imagename type: string imagepath: minLength: 1 title: Imagepath type: string imagesize: title: Imagesize type: integer ioc_type: minLength: 1 title: Ioc type type: string ioc_uuid: minLength: 1 title: Ioc uuid type: string ioc_value: minLength: 1 title: Ioc value type: string log_type: minLength: 1 title: Log type type: string matched_rules: $ref: '#/definitions/MatchedYaraRule' matched_rules_count: title: Matched rules count type: integer pe_imphash: minLength: 1 title: Pe imphash type: string pe_info: $ref: '#/definitions/IndexedPEInfo' pe_timestamp: format: date-time title: Pe timestamp type: string 
pe_timestamp_int: title: Pe timestamp int type: integer rule_revision: title: Rule revision type: integer score: title: Score type: number sigma_rule_content: minLength: 1 title: Sigma rule content type: string signature_info: $ref: '#/definitions/SignatureInfo' signed: title: Signed type: boolean size: title: Size type: integer tenant: minLength: 1 title: Tenant type: string required: - agent - groups - hashes - imagebase - imagename - imagepath - imagesize - ioc_type - ioc_uuid - ioc_value - log_type - matched_rules - matched_rules_count - pe_imphash - pe_info - pe_timestamp - pe_timestamp_int - rule_revision - score - sigma_rule_content - signature_info - signed - size - tenant type: object InnerEventLog: properties: '@event_create_date': format: date-time title: '@event create date' type: string '@timestamp': format: date-time title: '@timestamp' type: string computer_name: minLength: 1 title: Computer name type: string event_data: items: $ref: '#/definitions/IndexedKeyValueDoc' type: array event_date: format: date-time title: Event date type: string event_id: title: Event id type: integer keywords: items: minLength: 1 type: string type: array level: minLength: 1 title: Level type: string log_name: minLength: 1 title: Log name type: string log_type: minLength: 1 title: Log type type: string pid: title: Pid type: integer process_id: title: Process id type: integer process_image_path: minLength: 1 title: Process image path type: string process_unique_id: minLength: 1 title: Process unique id type: string provider_guid: minLength: 1 title: Provider guid type: string record_number: title: Record number type: integer sigma_rule_content: minLength: 1 title: Sigma rule content type: string source_name: minLength: 1 title: Source name type: string thread_id: title: Thread id type: integer threat_process_name: minLength: 1 title: Threat process name type: string type: minLength: 1 title: Type type: string user: $ref: '#/definitions/IndexedEventUser' user_data: items: 
$ref: '#/definitions/IndexedKeyValueDoc' type: array required: - '@event_create_date' - '@timestamp' - computer_name - event_data - event_date - event_id - keywords - level - log_name - log_type - pid - process_id - process_image_path - process_unique_id - provider_guid - record_number - sigma_rule_content - source_name - thread_id - threat_process_name - type - user - user_data type: object InnerFeedback: properties: comment: title: Comment type: string x-nullable: true creation_date: format: date-time readOnly: true title: Creation date type: string score: maximum: 1.0 minimum: -1.0 title: Score type: number x-nullable: true submitted: readOnly: true title: Submitted type: boolean type: object InnerGroup: properties: id: minLength: 1 title: Id type: string name: minLength: 1 title: Name type: string required: - id - name type: object InnerGroupEvent: properties: '@event_create_date': format: date-time title: '@event create date' type: string '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/InnerAgent' group_id: minLength: 1 title: Group id type: string group_name: minLength: 1 title: Group name type: string groups: $ref: '#/definitions/InnerGroup' log_type: minLength: 1 title: Log type type: string member_id: minLength: 1 title: Member id type: string member_name: minLength: 1 title: Member name type: string operation_type: minLength: 1 title: Operation type type: string source_domain_name: minLength: 1 title: Source domain name type: string source_user_id: minLength: 1 title: Source user id type: string source_user_name: minLength: 1 title: Source user name type: string target_domain_name: minLength: 1 title: Target domain name type: string tenant: minLength: 1 title: Tenant type: string windows: $ref: '#/definitions/GroupEventWindows' required: - '@event_create_date' - '@timestamp' - agent - group_id - group_name - groups - log_type - member_id - member_name - operation_type - source_domain_name - source_user_id - 
source_user_name - target_domain_name - tenant - windows type: object InnerInjectedThread: properties: agent: $ref: '#/definitions/IndexedInnerAgent' groups: $ref: '#/definitions/InnerGroup' log_type: minLength: 1 title: Log type type: string matched_rules: $ref: '#/definitions/MatchedYaraRule' matched_rules_count: title: Matched rules count type: integer region_allocation_base: title: Region allocation base type: integer region_allocation_protect: title: Region allocation protect type: integer region_allocation_size: title: Region allocation size type: integer region_base_address: title: Region base address type: integer region_dump: minLength: 1 title: Region dump type: string region_dump_base: title: Region dump base type: integer region_protect: title: Region protect type: integer region_sha256: minLength: 1 title: Region sha256 type: string region_size: title: Region size type: integer region_state: title: Region state type: integer region_type: title: Region type type: integer rule_revision: title: Rule revision type: integer score: title: Score type: number source_image: minLength: 1 title: Source image type: string source_process_guid: minLength: 1 title: Source process guid type: string source_process_id: title: Source process id type: integer source_thread_id: title: Source thread id type: integer stacktrace: minLength: 1 title: Stacktrace type: string stacktrace_minimal: minLength: 1 title: Stacktrace minimal type: string start_address: title: Start address type: integer start_address_string: minLength: 1 title: Start address string type: string target_image: minLength: 1 title: Target image type: string target_process_guid: minLength: 1 title: Target process guid type: string target_process_id: title: Target process id type: integer target_thread_id: title: Target thread id type: integer tenant: minLength: 1 title: Tenant type: string thread_dump: minLength: 1 title: Thread dump type: string thread_sha256: minLength: 1 title: Thread sha256 type: string 
utc_time: format: date-time title: Utc time type: string required: - agent - groups - log_type - matched_rules - matched_rules_count - region_allocation_base - region_allocation_protect - region_allocation_size - region_base_address - region_dump - region_dump_base - region_protect - region_sha256 - region_size - region_state - region_type - rule_revision - score - source_image - source_process_guid - source_process_id - source_thread_id - stacktrace - stacktrace_minimal - start_address - start_address_string - target_image - target_process_guid - target_process_id - target_thread_id - tenant - thread_dump - thread_sha256 - utc_time type: object InnerNetwork: properties: agent: $ref: '#/definitions/IndexedInnerAgent' conn_type: title: Conn type type: integer connection_closed_time: format: date-time title: Connection closed time type: string connection_start_time: format: date-time title: Connection start time type: string connection_successful: title: Connection successful type: boolean connection_unique_id: minLength: 1 title: Connection unique id type: string daddr: minLength: 1 title: Daddr type: string daddr_geoip: $ref: '#/definitions/GeoIP' direction: minLength: 1 title: Direction type: string dnames: items: minLength: 1 type: string type: array dport: title: Dport type: integer event_id: title: Event id type: integer groups: $ref: '#/definitions/InnerGroup' image_name: minLength: 1 title: Image name type: string incoming_bytes: title: Incoming bytes type: integer incoming_protocol: $ref: '#/definitions/ApplicationProtocol' initiated: title: Initiated type: boolean is_ipv6: title: Is ipv6 type: boolean kind: minLength: 1 title: Kind type: string outgoing_bytes: title: Outgoing bytes type: integer outgoing_protocol: $ref: '#/definitions/ApplicationProtocol' pid: title: Pid type: integer process_unique_id: minLength: 1 title: Process unique id type: string saddr: minLength: 1 title: Saddr type: string saddr_geoip: $ref: '#/definitions/GeoIP' sport: title: 
Sport type: integer tenant: minLength: 1 title: Tenant type: string timestamp: format: date-time title: Timestamp type: string username: minLength: 1 title: Username type: string required: - agent - conn_type - connection_closed_time - connection_start_time - connection_successful - connection_unique_id - daddr - daddr_geoip - direction - dnames - dport - event_id - groups - image_name - incoming_bytes - incoming_protocol - initiated - is_ipv6 - kind - outgoing_bytes - outgoing_protocol - pid - process_unique_id - saddr - saddr_geoip - sport - tenant - timestamp - username type: object InnerPassword: properties: codes: items: enum: - password_entirely_numeric - password_too_common - password_too_few_lowercase - password_too_few_numeric - password_too_few_special - password_too_few_uppercase - password_too_short - password_too_similar type: string readOnly: true type: array config: items: minLength: 1 type: string readOnly: true type: array messages: items: minLength: 1 type: string readOnly: true type: array params: additionalProperties: minLength: 1 type: string readOnly: true title: Params type: object type: object InnerProcess: properties: agent: $ref: '#/definitions/IndexedInnerAgent' ancestors: minLength: 1 title: Ancestors type: string cdhash: minLength: 1 title: Cdhash type: string characteristics: items: $ref: '#/definitions/Characteristics' type: array codesigning_flags: title: Codesigning flags type: integer codesigning_flags_str: minLength: 1 title: Codesigning flags str type: string commandline: minLength: 1 title: Commandline type: string create_time: format: date-time title: Create time type: string current_directory: minLength: 1 title: Current directory type: string egid: title: Egid type: integer egroup: minLength: 1 title: Egroup type: string enabled: title: Enabled type: boolean error_msg: minLength: 1 title: Error msg type: string euid: title: Euid type: integer eusername: minLength: 1 title: Eusername type: string fake_parent_commandline: 
minLength: 1 title: Fake parent commandline type: string fake_parent_image: minLength: 1 title: Fake parent image type: string fake_parent_unique_id: minLength: 1 title: Fake parent unique id type: string fake_ppid: title: Fake ppid type: integer gid: title: Gid type: integer grandparent_commandline: minLength: 1 title: Grandparent commandline type: string grandparent_image: minLength: 1 title: Grandparent image type: string grandparent_integrity_level: minLength: 1 title: Grandparent integrity level type: string grandparent_unique_id: minLength: 1 title: Grandparent unique id type: string group: minLength: 1 title: Group type: string groups: $ref: '#/definitions/InnerGroup' hashes: $ref: '#/definitions/Hashes' hlai_alert_level: minLength: 1 title: Hlai alert level type: string hlai_version: minLength: 1 title: Hlai version type: string image_name: minLength: 1 title: Image name type: string integrity_level: minLength: 1 title: Integrity level type: string ioc_type: minLength: 1 title: Ioc type type: string ioc_uuid: minLength: 1 title: Ioc uuid type: string ioc_value: minLength: 1 title: Ioc value type: string is_platform_binary: title: Is platform binary type: boolean kube_details: $ref: '#/definitions/KubeProcessInfo' level: minLength: 1 title: Level type: string lnk_info: $ref: '#/definitions/LnkInfo' log_type: minLength: 1 title: Log type type: string logonid: title: Logonid type: integer matched_rules: $ref: '#/definitions/MatchedYaraRule' matched_rules_count: title: Matched rules count type: integer memfd_name: minLength: 1 title: Memfd name type: string parent_commandline: minLength: 1 title: Parent commandline type: string parent_image: minLength: 1 title: Parent image type: string parent_integrity_level: minLength: 1 title: Parent integrity level type: string parent_unique_id: minLength: 1 title: Parent unique id type: string pe_imphash: minLength: 1 title: Pe imphash type: string pe_info: $ref: '#/definitions/IndexedPEInfo' pe_timestamp: format: 
date-time title: Pe timestamp type: string pe_timestamp_int: title: Pe timestamp int type: integer pid: title: Pid type: integer ppid: title: Ppid type: integer process_name: minLength: 1 title: Process name type: string process_unique_id: minLength: 1 title: Process unique id type: string rule_revision: title: Rule revision type: integer score: title: Score type: number session: title: Session type: integer sgid: title: Sgid type: integer sgroup: minLength: 1 title: Sgroup type: string sigma_rule_content: minLength: 1 title: Sigma rule content type: string signature_info: $ref: '#/definitions/SignatureInfo' signed: title: Signed type: boolean size: title: Size type: integer stacktrace: minLength: 1 title: Stacktrace type: string stacktrace_minimal: minLength: 1 title: Stacktrace minimal type: string status: title: Status type: integer status_msg: minLength: 1 title: Status msg type: string suid: title: Suid type: integer susername: minLength: 1 title: Susername type: string tenant: minLength: 1 title: Tenant type: string uid: title: Uid type: integer username: minLength: 1 title: Username type: string usersid: minLength: 1 title: Usersid type: string version: minLength: 1 title: Version type: string required: - agent - ancestors - cdhash - characteristics - codesigning_flags - codesigning_flags_str - commandline - create_time - current_directory - egid - egroup - enabled - error_msg - euid - eusername - fake_parent_commandline - fake_parent_image - fake_parent_unique_id - fake_ppid - gid - grandparent_commandline - grandparent_image - grandparent_integrity_level - grandparent_unique_id - group - groups - hashes - hlai_alert_level - hlai_version - image_name - integrity_level - ioc_type - ioc_uuid - ioc_value - is_platform_binary - kube_details - level - lnk_info - log_type - logonid - matched_rules - matched_rules_count - memfd_name - parent_commandline - parent_image - parent_integrity_level - parent_unique_id - pe_imphash - pe_info - pe_timestamp - 
pe_timestamp_int - pid - ppid - process_name - process_unique_id - rule_revision - score - session - sgid - sgroup - sigma_rule_content - signature_info - signed - size - stacktrace - stacktrace_minimal - status - status_msg - suid - susername - tenant - uid - username - usersid - version type: object InnerRequest: properties: creation_date: format: date-time readOnly: true title: Creation date type: string feedback: $ref: '#/definitions/InnerFeedback' id: format: uuid title: Id type: string last_update: format: date-time readOnly: true title: Last update type: string message: title: Message type: string response: title: Response type: string x-nullable: true response_finished: title: Response finished type: boolean required: - id type: object InnerRuleCounts: description: Total number of inner rules per rule type (correlation and sigma). properties: correlation: title: Correlation type: integer sigma: title: Sigma type: integer required: - correlation - sigma type: object InnerSigmaRule: properties: can_block: title: Can block type: boolean creation_date: format: date title: Creation date type: string x-nullable: true description: title: Description type: string x-nullable: true hl_silent: title: Hl silent type: boolean hl_status: enum: - experimental - stable - testing title: Hl status type: string x-nullable: true id: format: uuid title: Id type: string level: enum: - critical - high - informational - low - medium title: Level type: string x-nullable: true modified_date: format: date title: Modified date type: string x-nullable: true name: maxLength: 100 minLength: 1 title: Name type: string origin_stack: $ref: '#/definitions/OriginStack' origin_stack_id: maxLength: 64 minLength: 1 title: Origin stack id type: string x-nullable: true os: enum: - linux - macos - unknown - windows title: Os type: string raw_tags: items: maxLength: 256 minLength: 1 title: Raw tags type: string type: array rule_confidence: enum: - moderate - strong - weak title: Rule confidence type: string 
x-nullable: true status: title: Status type: string x-nullable: true tenant: minLength: 1 readOnly: true title: Tenant type: string required: - id - name type: object InnerUSBInterface: properties: alternate_setting: minLength: 1 title: Alternate setting type: string interface_class: minLength: 1 title: Interface class type: string interface_description: minLength: 1 title: Interface description type: string interface_number: minLength: 1 title: Interface number type: string interface_protocol: minLength: 1 title: Interface protocol type: string interface_subclass: minLength: 1 title: Interface subclass type: string required: - alternate_setting - interface_class - interface_description - interface_number - interface_protocol - interface_subclass type: object InnerUserEvent: properties: '@event_create_date': format: date-time title: '@event create date' type: string '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/InnerAgent' groups: $ref: '#/definitions/InnerGroup' log_type: minLength: 1 title: Log type type: string new_user_name: minLength: 1 title: New user name type: string operation_type: minLength: 1 title: Operation type type: string source_domain_name: minLength: 1 title: Source domain name type: string source_user_id: minLength: 1 title: Source user id type: string source_user_name: minLength: 1 title: Source user name type: string target_domain_name: minLength: 1 title: Target domain name type: string target_user_id: minLength: 1 title: Target user id type: string target_user_name: minLength: 1 title: Target user name type: string tenant: minLength: 1 title: Tenant type: string windows: $ref: '#/definitions/UserEventWindows' required: - '@event_create_date' - '@timestamp' - agent - groups - log_type - new_user_name - operation_type - source_domain_name - source_user_id - source_user_name - target_domain_name - target_user_id - target_user_name - tenant - windows type: object Installation: properties: agent: 
$ref: '#/definitions/Agent' application: $ref: '#/definitions/AppStatistics' first_seen: format: date-time readOnly: true title: First seen type: string id: format: uuid readOnly: true title: Id type: string installation_date: format: date-time readOnly: true title: Installation date type: string x-nullable: true installed_as_dependency: readOnly: true title: Installed as dependency type: boolean x-nullable: true installed_for: minLength: 1 readOnly: true title: Installed for type: string x-nullable: true last_seen: format: date-time readOnly: true title: Last seen type: string source_package_name: minLength: 1 readOnly: true title: Source package name type: string x-nullable: true source_package_version: minLength: 1 readOnly: true title: Source package version type: string x-nullable: true status: enum: - installed - uninstalled - updated readOnly: true title: Status type: string version: minLength: 1 readOnly: true title: Version type: string x-nullable: true version_array: items: maximum: 2147483647 minimum: -2147483648 title: Version array type: integer readOnly: true type: array x-nullable: true required: - agent - application type: object InstallationVersionGraphCounts: properties: count: title: Count type: integer version: minLength: 1 title: Version type: string required: - count - version type: object InstallationVersionGraphResponse: properties: counts: items: $ref: '#/definitions/InstallationVersionGraphCounts' type: array date: format: date title: Date type: string required: - counts - date type: object Installer: properties: host: minLength: 1 title: Host type: string installers: items: $ref: '#/definitions/InstallerInfo' type: array key: minLength: 1 title: Key type: string port: title: Port type: integer preferred_password: minLength: 6 title: Preferred password type: string x-nullable: true proto: enum: - http - https title: Proto type: string rust_key: minLength: 1 title: Rust key type: string required: - host - installers - key - port - 
preferred_password - proto - rust_key type: object InstallerInfo: properties: arch: enum: - x86 - x86_64 title: Arch type: string x-nullable: true channel: enum: - latest - stable title: Channel type: string distribution: enum: - debian_ubuntu - generic - nixOs - redhat_centos title: Distribution type: string filename: minLength: 1 title: Filename type: string filetype: enum: - deb - elf - msi - pkg - rpm title: Filetype type: string interactive_command: minLength: 1 title: Interactive command type: string x-nullable: true non_interactive_command: minLength: 1 title: Non interactive command type: string os: enum: - linux - macos - unknown - windows title: Os type: string platform: minLength: 1 title: Platform type: string tutorial: $ref: '#/definitions/Turorial' version: minLength: 1 title: Version type: string version_channel: minLength: 1 title: Version channel type: string required: - arch - channel - distribution - filename - filetype - interactive_command - non_interactive_command - os - platform - tutorial - version - version_channel type: object Interface: properties: '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/DataAgent' description: minLength: 1 title: Description type: string id: minLength: 1 title: Id type: string ips: minLength: 1 title: Ips type: string item_status: title: Item status type: integer job_id: minLength: 1 title: Job id type: string job_instance_action: minLength: 1 title: Job instance action type: string job_instance_id: minLength: 1 title: Job instance id type: string job_instance_task_id: title: Job instance task id type: integer mac_address: minLength: 1 title: Mac address type: string name: minLength: 1 title: Name type: string tenant: minLength: 1 title: Tenant type: string required: - '@timestamp' - agent - description - id - ips - item_status - job_id - job_instance_action - job_instance_id - job_instance_task_id - mac_address - name - tenant type: object InvestigationCase: 
properties: agent_ids: minLength: 1 title: Agent ids type: string assignee_id: title: Assignee id type: integer author_id: title: Author id type: integer author_username: minLength: 1 title: Author username type: string created_at: format: date-time title: Created at type: string description: minLength: 1 title: Description type: string id: minLength: 1 title: Id type: string last_modifier_id: title: Last modifier id type: integer last_update: format: date-time title: Last update type: string status: minLength: 1 title: Status type: string timeline_ids: minLength: 1 title: Timeline ids type: string title: minLength: 1 title: Title type: string required: - agent_ids - assignee_id - author_id - author_username - created_at - description - id - last_modifier_id - last_update - status - timeline_ids - title type: object Irma: properties: positives: title: Positives type: integer report_found: title: Report found type: boolean request_date: format: date-time title: Request date type: string scan_date: format: date-time title: Scan date type: string scans: items: $ref: '#/definitions/IrmaScan' type: array score: description: Detection rate as an integer percentage, computed as (positives / total) * 100, i.e. the share of the antivirus engines in scans that flagged the sample title: Score type: integer total: title: Total type: integer required: - positives - report_found - request_date - scan_date - scans - score - total type: object IrmaScan: properties: av_name: minLength: 1 title: Av name type: string av_version: minLength: 1 title: Av version type: string db_version: minLength: 1 title: Db version type: string detected: title: Detected type: boolean result: minLength: 1 title: Result type: string required: - av_name - av_version - db_version - detected - result type: object Job: properties: action: readOnly: true title: Action type: string canceled: title: Canceled type: integer creationtime: format: date-time readOnly: true title: Creationtime type: string creator: $ref: '#/definitions/HlSimpleUserSerializer' description: title: Description type: string x-nullable: true 
done: title: Done type: integer endpoint_username: minLength: 1 readOnly: true title: Endpoint username type: string x-nullable: true error: title: Error type: integer id: minLength: 1 readOnly: true title: Id type: string injecting: title: Injecting type: integer instance: title: Instance type: integer is_scheduled: readOnly: true title: Is scheduled type: boolean parameters: additionalProperties: type: string x-nullable: true readOnly: true title: Parameters type: object running: title: Running type: integer source_id: minLength: 1 readOnly: true title: Source id type: string x-nullable: true source_type: enum: - agent - alert - batch_duplicated - endpoint_agent - endpoint_user - group - investigation - remote_shell - security_event - threat readOnly: true title: Source type type: string x-nullable: true title: title: Title type: string x-nullable: true waiting: title: Waiting type: integer required: - canceled - creator - done - error - injecting - instance - running - waiting type: object JobCreation: properties: actions: items: $ref: '#/definitions/Action' type: array description: title: Description type: string targets: $ref: '#/definitions/Target' title: title: Title type: string required: - actions - description - targets - title type: object JobInstance: properties: action: enum: - IOCScan - agentDiagnostic - agentMinidump - avScan - collectRAWEvidences - deleteScheduledTask - deleteService - downloadDirectory - downloadFile - filepathDeleter - getHives - getLoadedDriverList - getNetworkShare - getPipeList - getPrefetch - getProcessList - getQFE - getRawWMI - getScheduledTasks - getSessions - getStartupFileList - getWMI - knownProcessFinderKiller - listDirectory - memoryDumper - networkDiscovery - networkSniffer - parseFilesystem - persistanceScanner - processDumper - profileMemory - quarantineAcquireFile - quarantineAdd - quarantineDelete - quarantineRestore - registryOperation - searchProcessDumper - wildcardProcessFinderKiller - yaraScan title: Action 
# NOTE(review): this chunk opens inside a job-instance-like definition whose header and first
# properties lie outside the visible span; the nesting below is reconstructed from the rest of the spec.
        type: string
      agent_id:
        readOnly: true
        title: Agent id
        type: string
      creationtime:
        format: date-time
        title: Creationtime
        type: string
      creator:
        minLength: 1
        readOnly: true
        title: Creator
        type: string
      description:
        minLength: 1
        readOnly: true
        title: Description
        type: string
      duration:
        maximum: 2147483647
        minimum: -2147483648
        title: Duration
        type: integer
        x-nullable: true
      endtime:
        format: date-time
        title: Endtime
        type: string
        x-nullable: true
      group_id:
        readOnly: true
        title: Group id
        type: string
      hostname:
        title: Hostname
        type: string
        x-nullable: true
      id:
        minLength: 1
        title: Id
        type: string
      job_id:
        readOnly: true
        title: Job id
        type: string
      parameters:
        # Free-form string map: no per-action parameter schema is declared in this spec,
        # so parameter validation has to happen server-side per job action.
        additionalProperties:
          type: string
          x-nullable: true
        title: Parameters
        type: object
      references:
        items:
          $ref: '#/definitions/JobInstanceReference'
        readOnly: true
        type: array
      relaunched:
        title: Relaunched
        type: boolean
      remote_shell_command_id:
        readOnly: true
        title: Remote shell command id
        type: string
      starttime:
        format: date-time
        title: Starttime
        type: string
        x-nullable: true
      state:
        # State codes 0-8 are not described anywhere in this spec (same enum as LastScan.state);
        # consumers need the mapping from the API documentation.
        enum:
        - 0
        - 1
        - 2
        - 3
        - 4
        - 5
        - 6
        - 7
        - 8
        title: State
        type: integer
      task_id:
        maximum: 2147483647
        minimum: -2147483648
        title: Task id
        type: integer
      title:
        minLength: 1
        readOnly: true
        title: Title
        type: string
    # 'action' is required here but its property is declared in the part of this definition
    # outside the visible span.
    required:
    - action
    - parameters
    type: object
  # Link from a job instance to the artefact it produced or consumed (an analysis or a binary).
  JobInstanceReference:
    properties:
      reference_type:
        enum:
        - analysis
        - binary
        readOnly: true
        title: Reference type
        type: string
      reference_value:
        minLength: 1
        readOnly: true
        title: Reference value
        type: string
    type: object
  # Reduced job view: action, creation time, id and the raw parameter map.
  JobLight:
    properties:
      action:
        readOnly: true
        title: Action
        type: string
      creationtime:
        format: date-time
        title: Creationtime
        type: string
      id:
        minLength: 1
        title: Id
        type: string
      parameters:
        additionalProperties:
          type: string
          x-nullable: true
        readOnly: true
        title: Parameters
        type: object
    type: object
  # Catalogue of job actions an agent can execute and the OS families each one supports.
  # Several actions (memoryDumper, processDumper, networkSniffer, registryOperation,
  # filepathDeleter, *Killer) read or alter endpoint state; authorization for launching them
  # is not expressed in this schema and is presumably enforced by the job endpoints.
  JobOSSupport:
    properties:
      action:
        enum:
        - IOCScan
        - agentDiagnostic
        - agentMinidump
        - avScan
        - collectRAWEvidences
        - deleteScheduledTask
        - deleteService
        - downloadDirectory
        - downloadFile
        - filepathDeleter
        - getHives
        - getLoadedDriverList
        - getNetworkShare
        - getPipeList
        - getPrefetch
        - getProcessList
        - getQFE
        - getRawWMI
        - getScheduledTasks
        - getSessions
        - getStartupFileList
        - getWMI
        - knownProcessFinderKiller
        - listDirectory
        - memoryDumper
        - networkDiscovery
        - networkSniffer
        - parseFilesystem
        # 'persistanceScanner' is the wire value; the misspelling is part of the contract.
        - persistanceScanner
        - processDumper
        - profileMemory
        - quarantineAcquireFile
        - quarantineAdd
        - quarantineDelete
        - quarantineRestore
        - registryOperation
        - searchProcessDumper
        - wildcardProcessFinderKiller
        - yaraScan
        title: Action
        type: string
      supported_os:
        items:
          enum:
          - linux
          - macos
          - windows
          type: string
        type: array
    required:
    - action
    - supported_os
    type: object
  # Fleet coverage counters; the three OSTypeCount buckets are defined elsewhere in the spec.
  KPI:
    properties:
      compatible:
        $ref: '#/definitions/OSTypeCount'
      incompatible:
        $ref: '#/definitions/OSTypeCount'
      installed:
        $ref: '#/definitions/OSTypeCount'
      seen:
        readOnly: true
        title: Seen
        type: integer
      to_check:
        readOnly: true
        title: To check
        type: integer
      total:
        readOnly: true
        title: Total
        type: integer
    type: object
  # Kernel notification-callback snapshot (process/thread/image-load); the Callback shape is defined elsewhere.
  KernelCallback:
    properties:
      create_process:
        $ref: '#/definitions/Callback'
      create_thread:
        $ref: '#/definitions/Callback'
      eventtime_datetime:
        format: date-time
        title: Eventtime datetime
        type: string
      load_image:
        $ref: '#/definitions/Callback'
    required:
    - create_process
    - create_thread
    - eventtime_datetime
    - load_image
    type: object
  # One loaded kernel module as reported by a collection job; memory_size/offset/n_instance are
  # transported as strings, so consumers must parse them rather than treat them as integers.
  KernelModule:
    properties:
      '@timestamp':
        format: date-time
        title: '@timestamp'
        type: string
      agent:
        $ref: '#/definitions/DataAgent'
      id:
        minLength: 1
        title: Id
        type: string
      item_status:
        title: Item status
        type: integer
      job_id:
        minLength: 1
        title: Job id
        type: string
      job_instance_action:
        minLength: 1
        title: Job instance action
        type: string
      job_instance_id:
        minLength: 1
        title: Job instance id
        type: string
      job_instance_task_id:
        title: Job instance task id
        type: integer
      memory_size:
        minLength: 1
        title: Memory size
        type: string
      module_name:
        minLength: 1
        title: Module name
        type: string
      n_instance:
        minLength: 1
        title: N instance
        type: string
      offset:
        minLength: 1
        title: Offset
        type: string
      requirements:
        minLength: 1
        title: Requirements
        type: string
      status:
        minLength: 1
        title: Status
        type: string
      tenant:
        minLength: 1
        title: Tenant
        type: string
    required:
    - '@timestamp'
    - agent
    - id
    - item_status
    - job_id
    - job_instance_action
    - job_instance_id
    - job_instance_task_id
    - memory_size
    - module_name
    - n_instance
    - offset
    - requirements
    - status
    - tenant
    type: object
  KeyValueDoc:
    properties:
      key:
        minLength: 1
        title: Key
        type: string
      value:
        minLength: 1
        title: Value
        type: string
    required:
    - key
    - value
    type: object
  # One KnownDLLs registry entry (item_name/item_value under a given controlset) collected from an endpoint.
  KnownDLL:
    properties:
      '@timestamp':
        format: date-time
        title: '@timestamp'
        type: string
      agent:
        $ref: '#/definitions/DataAgent'
      controlset:
        minLength: 1
        title: Controlset
        type: string
      id:
        minLength: 1
        title: Id
        type: string
      item_name:
        minLength: 1
        title: Item name
        type: string
      item_status:
        title: Item status
        type: integer
      item_value:
        minLength: 1
        title: Item value
        type: string
      job_id:
        minLength: 1
        title: Job id
        type: string
      job_instance_action:
        minLength: 1
        title: Job instance action
        type: string
      job_instance_id:
        minLength: 1
        title: Job instance id
        type: string
      job_instance_task_id:
        title: Job instance task id
        type: integer
      tenant:
        minLength: 1
        title: Tenant
        type: string
      timestamp:
        format: date-time
        title: Timestamp
        type: string
    required:
    - '@timestamp'
    - agent
    - controlset
    - id
    - item_name
    - item_status
    - item_value
    - job_id
    - job_instance_action
    - job_instance_id
    - job_instance_task_id
    - tenant
    - timestamp
    type: object
  # Request body for the knownProcessFinderKiller job action (see JobOSSupport): a single target process.
  KnownProcessFinderKiller:
    properties:
      process_unique_id:
        minLength: 1
        title: Process unique id
        type: string
    required:
    - process_unique_id
    type: object
  KubeProcessInfo:
    properties:
      pod_name:
        minLength: 1
        title: Pod name
        type: string
      pod_unique_id:
        minLength: 1
        title: Pod unique id
        type: string
    required:
    - pod_name
    - pod_unique_id
    type: object
  LLMPermissions:
    properties:
      chat_send_messages:
        title: Chat send messages
        type: boolean
      chat_view_messages:
        title: Chat view messages
        type: boolean
    required:
    - chat_send_messages
    - chat_view_messages
    type: object
  # One LSA package entry collected from an endpoint; the controlset field suggests it is read
  # from the SYSTEM hive (TODO confirm). Defender note: unexpected packages here are a classic
  # persistence / credential-access indicator, so binaryinfo on the referenced module is worth reviewing.
  LSAPackage:
    properties:
      '@timestamp':
        format: date-time
        title: '@timestamp'
        type: string
      agent:
        $ref: '#/definitions/DataAgent'
      binaryinfo:
        $ref: '#/definitions/BinaryInfoWithPath'
      controlset:
        minLength: 1
        title: Controlset
        type: string
      id:
        minLength: 1
        title: Id
        type: string
      item_status:
        title: Item status
        type: integer
      job_id:
        minLength: 1
        title: Job id
        type: string
      job_instance_action:
        minLength: 1
        title: Job instance action
        type: string
      job_instance_id:
        minLength: 1
        title: Job instance id
        type: string
      job_instance_task_id:
        title: Job instance task id
        type: integer
      tenant:
        minLength: 1
        title: Tenant
        type: string
      type:
        minLength: 1
        title: Type
        type: string
      value:
        minLength: 1
        title: Value
        type: string
    required:
    - '@timestamp'
    - agent
    - binaryinfo
    - controlset
    - id
    - item_status
    - job_id
    - job_instance_action
    - job_instance_id
    - job_instance_task_id
    - tenant
    - type
    - value
    type: object
  # Summary of the most recent scan job; every field is readOnly.
  LastScan:
    properties:
      creationtime:
        format: date-time
        readOnly: true
        title: Creationtime
        type: string
      endtime:
        format: date-time
        readOnly: true
        title: Endtime
        type: string
        x-nullable: true
      id:
        minLength: 1
        readOnly: true
        title: Id
        type: string
      job_id:
        readOnly: true
        title: Job id
        type: string
      starttime:
        format: date-time
        readOnly: true
        title: Starttime
        type: string
        x-nullable: true
      state:
        # Same undocumented 0-8 state codes as the job-instance definition above.
        enum:
        - 0
        - 1
        - 2
        - 3
        - 4
        - 5
        - 6
        - 7
        - 8
        readOnly: true
        title: State
        type: integer
      updatetime:
        format: date-time
        readOnly: true
        title: Updatetime
        type: string
    type: object
  LatestFIMReport:
    properties:
      highest_criticality:
        enum:
        - critical
        - high
        - low
        - medium
        readOnly: true
        title: Highest criticality
        type: string
      id:
        format: uuid
        readOnly: true
        title: Id
        type: string
      report_date:
        format: date-time
        readOnly: true
        title: Report date
        type: string
        x-nullable: true
    type: object
  # One downloadable agent installer package (per OS/arch), as listed by LegacyInstallerInfo.
  LegacyInstaller:
    properties:
      beta:
        default: false
        title: Beta
        type: boolean
      fileDownloaded:
        minLength: 1
        title: Filedownloaded
        type: string
      filename:
        minLength: 1
        title: Filename
        type: string
      system:
        enum:
        - custom_linux64
        - deb64
        - macos-pkg
        - rpm64
        - win32
        - win64
        title: System
        type: string
      version:
        minLength: 1
        title: Version
        type: string
    required:
    - fileDownloaded
    - filename
    - system
    - version
    type: object
  # NOTE(review): key, rust_key and preferred_password are enrollment secrets carried in this
  # payload. preferred_password only enforces minLength 6 (a weak floor) and is x-nullable while
  # also listed in required, so a null value is schema-valid; confirm the server-side policy and
  # make sure this object is not written to logs or cached client-side.
  LegacyInstallerInfo:
    properties:
      host:
        minLength: 1
        title: Host
        type: string
      installers:
        items:
          $ref: '#/definitions/LegacyInstaller'
        type: array
      key:
        minLength: 1
        title: Key
        type: string
      port:
        title: Port
        type: integer
      preferred_password:
        minLength: 6
        title: Preferred password
        type: string
        x-nullable: true
      proto:
        # Plain http is an accepted transport here; installer fetches over http cannot be
        # integrity-checked by the transport, so https should be the operational default.
        enum:
        - http
        - https
        title: Proto
        type: string
      rust_key:
        minLength: 1
        title: Rust key
        type: string
    required:
    - host
    - installers
    - key
    - port
    - preferred_password
    - proto
    - rust_key
    type: object
  LegacyService:
    properties:
      '@timestamp':
        format: date-time
        title: '@timestamp'
        type: string
      agent:
        $ref: '#/definitions/DataAgent'
      controlset:
        minLength: 1
        title: Controlset
        type: string
      first_launch:
        format: date-time
        title: First launch
        type: string
      id:
        minLength: 1
        title: Id
        type: string
      item_status:
        title: Item status
        type: integer
      job_id:
        minLength: 1
        title: Job id
        type: string
      job_instance_action:
        minLength: 1
        title: Job instance action
        type: string
      job_instance_id:
        minLength: 1
        title: Job instance id
        type: string
      job_instance_task_id:
        title: Job instance task id
        type: integer
      last_launch:
        format: date-time
        title: Last launch
        type: string
      legacy_name:
        minLength: 1
        title: Legacy name
        type: string
      present:
        title: Present
        type: boolean
      service_name:
        minLength: 1
        title: Service name
        type: string
      tenant:
        minLength: 1
        title: Tenant
        type: string
    required:
    - '@timestamp'
    - agent
    - controlset
    - first_launch
    - id
    - item_status
    - job_id
    - job_instance_action
    - job_instance_id
    - job_instance_task_id
    - last_launch
    - legacy_name
    - present
    - service_name
    - tenant
    type: object
  # Chart series: parallel data/label arrays (same length is assumed but not expressible in Swagger 2).
  Level:
    properties:
      data:
        items:
          type: integer
        type: array
      label:
        items:
          minLength: 1
          type: string
        type: array
    required:
    - data
    - label
    type: object
  # Aggregated view of a library (DLL/shared object) seen across the fleet, keyed by hashes.
  Library:
    properties:
      approximate_last_seen:
        format: date-time
        title: Approximate last seen
        type: string
      downloaded:
        title: Downloaded
        type: integer
      downloaded_date:
        format: date-time
        title: Downloaded date
        type: string
      first_seen:
        format: date-time
        title: First seen
        type: string
      hashes:
        $ref: '#/definitions/Hashes'
      id:
        minLength: 1
        title: Id
        type: string
      names:
        items:
          minLength: 1
          type: string
        type: array
      ostype:
        minLength: 1
        title: Ostype
        type: string
      paths:
        items:
          minLength: 1
          type: string
        type: array
      pe_info:
        $ref: '#/definitions/PEInfo'
      signature_info:
        $ref: '#/definitions/SignatureInfo'
      signed:
        title: Signed
        type: boolean
      size:
        title: Size
        type: integer
      tenant:
        minLength: 1
        title: Tenant
        type: string
    required:
    - approximate_last_seen
    - downloaded
    - downloaded_date
    - first_seen
    - hashes
    - id
    - names
    - ostype
    - paths
    - pe_info
    - signature_info
    - signed
    - size
    - tenant
    type: object
  # Telemetry event for a library being loaded into a process; pid is an integer here
  # (contrast MissingProcess.pid, which is a string).
  LibraryLoad:
    properties:
      '@event_create_date':
        format: date-time
        title: '@event create date'
        type: string
      '@timestamp':
        format: date-time
        title: '@timestamp'
        type: string
      agent:
        $ref: '#/definitions/InnerAgent'
      dotnet_info:
        $ref: '#/definitions/DotnetInfo'
      event_id:
        title: Event id
        type: integer
      groups:
        $ref: '#/definitions/InnerGroup'
      hashes:
        $ref: '#/definitions/Hashes'
      id:
        minLength: 1
        title: Id
        type: string
      image_base:
        title: Image base
        type: integer
      library_path:
        minLength: 1
        title: Library path
        type: string
      library_type:
        minLength: 1
        title: Library type
        type: string
      log_type:
        minLength: 1
        title: Log type
        type: string
      origin_stack:
        $ref: '#/definitions/OriginStack'
      pe_info:
        $ref: '#/definitions/PEInfo'
      pid:
        title: Pid
        type: integer
      process_image_path:
        minLength: 1
        title: Process image path
        type: string
      process_unique_id:
        minLength: 1
        title: Process unique id
        type: string
      signature_info:
        $ref: '#/definitions/SignatureInfo'
      signed:
        title: Signed
        type: boolean
      size:
        title: Size
        type: integer
      stacktrace:
        minLength: 1
        title: Stacktrace
        type: string
      stacktrace_minimal:
        minLength: 1
        title: Stacktrace minimal
        type: string
      tenant:
        minLength: 1
        title: Tenant
        type: string
      utc_time:
        format: date-time
        title: Utc time
        type: string
    # origin_stack is the only property not listed as required.
    required:
    - '@event_create_date'
    - '@timestamp'
    - agent
    - dotnet_info
    - event_id
    - groups
    - hashes
    - id
    - image_base
    - library_path
    - library_type
    - log_type
    - pe_info
    - pid
    - process_image_path
    - process_unique_id
    - signature_info
    - signed
    - size
    - stacktrace
    - stacktrace_minimal
    - tenant
    - utc_time
    type: object
  ListAntivirusPolicy:
    properties:
      agent_count:
        readOnly: true
        title: Agent count
        type: integer
      antivirus_slug:
        minLength: 1
        readOnly: true
        title: Antivirus slug
        type: string
      creation_date:
        format: date-time
        readOnly: true
        title: Creation date
        type: string
      description:
        minLength: 1
        readOnly: true
        title: Description
        type: string
        x-nullable: true
      hurukaiav:
        $ref: '#/definitions/HlAntivirus'
      id:
        format: uuid
        readOnly: true
        title: Id
        type: string
      last_modifier:
        $ref: '#/definitions/HlSimpleUserSerializer'
      last_update:
        format: date-time
        readOnly: true
        title: Last update
        type: string
      name:
        minLength: 1
        readOnly: true
        title: Name
        type: string
      origin_stack:
        $ref: '#/definitions/OriginStack'
      revision:
        readOnly: true
        title: Revision
        type: integer
      tenant:
        minLength: 1
        readOnly: true
        title: Tenant
        type: string
      windowsdefender:
        $ref: '#/definitions/WindowsDefender'
    required:
    - last_modifier
    type: object
  # One directory entry returned by a listDirectory job, with md5/sha1/sha256 and MAC(b) timestamps.
  ListDir:
    properties:
      '@timestamp':
        format: date-time
        title: '@timestamp'
        type: string
      ads:
        title: Ads
        type: boolean
      agent:
        $ref: '#/definitions/DataAgent'
      atime:
        format: date-time
        title: Atime
        type: string
      crtime:
        format: date-time
        title: Crtime
        type: string
      ctime:
        format: date-time
        title: Ctime
        type: string
      filetype:
        title: Filetype
        type: integer
      id:
        minLength: 1
        title: Id
        type: string
      is_hidden:
        title: Is hidden
        type: boolean
      is_system:
        title: Is system
        type: boolean
      item_status:
        title: Item status
        type: integer
      job_id:
        minLength: 1
        title: Job id
        type: string
      job_instance_action:
        minLength: 1
        title: Job instance action
        type: string
      job_instance_id:
        minLength: 1
        title: Job instance id
        type: string
      job_instance_task_id:
        title: Job instance task id
        type: integer
      md5:
        minLength: 1
        title: Md5
        type: string
      mtime:
        format: date-time
        title: Mtime
        type: string
      owner:
        minLength: 1
        title: Owner
        type: string
      path:
        minLength: 1
        title: Path
        type: string
      sha1:
        minLength: 1
        title: Sha1
        type: string
      sha256:
        minLength: 1
        title: Sha256
        type: string
      size:
        title: Size
        type: integer
      tenant:
        minLength: 1
        title: Tenant
        type: string
    required:
    - '@timestamp'
    - ads
    - agent
    - atime
    - crtime
    - ctime
    - filetype
    - id
    - is_hidden
    - is_system
    - item_status
    - job_id
    - job_instance_action
    - job_instance_id
    - job_instance_task_id
    - md5
    - mtime
    - owner
    - path
    - sha1
    - sha256
    - size
    - tenant
    type: object
  # Request body for the listDirectory job action; hashes are computed unless compute_hashes is set to false.
  ListDirectory:
    properties:
      compute_hashes:
        default: true
        title: Compute hashes
        type: boolean
      directory:
        minLength: 1
        title: Directory
        type: string
      recursive:
        title: Recursive
        type: boolean
    required:
    - directory
    - recursive
    type: object
  # One file-integrity change: current_* vs previous_* attributes. Only report_id is required and
  # every current_*/previous_* field is readOnly and nullable, presumably because creation and
  # deletion records only have one side populated (TODO confirm).
  ListFIMFileModification:
    properties:
      agent:
        $ref: '#/definitions/MinimalAgentInfo'
      creation_date:
        format: date-time
        readOnly: true
        title: Creation date
        type: string
      current_access_mode:
        readOnly: true
        title: Current access mode
        type: integer
        x-nullable: true
      current_entry_type:
        enum:
        - directory
        - file
        readOnly: true
        title: Current entry type
        type: string
      current_gid:
        readOnly: true
        title: Current gid
        type: integer
        x-nullable: true
      current_hash:
        minLength: 1
        readOnly: true
        title: Current hash
        type: string
        x-nullable: true
      current_last_change_time:
        format: date-time
        readOnly: true
        title: Current last change time
        type: string
        x-nullable: true
      current_last_modification_time:
        format: date-time
        readOnly: true
        title: Current last modification time
        type: string
        x-nullable: true
      current_size:
        readOnly: true
        title: Current size
        type: integer
        x-nullable: true
      current_uid:
        readOnly: true
        title: Current uid
        type: integer
        x-nullable: true
      fim_policy:
        $ref: '#/definitions/MinimalFIMPolicy'
      highest_criticality:
        enum:
        - critical
        - high
        - low
        - medium
        readOnly: true
        title: Highest criticality
        type: string
      id:
        format: uuid
        readOnly: true
        title: Id
        type: string
      last_modifier:
        readOnly: true
        title: Last modifier
        type: integer
        x-nullable: true
      last_scan_with_changes:
        format: date-time
        readOnly: true
        title: Last scan with changes
        type: string
        x-nullable: true
      last_update:
        format: date-time
        readOnly: true
        title: Last update
        type: string
      ostype:
        enum:
        - linux
        - macos
        - windows
        readOnly: true
        title: Ostype
        type: string
      path:
        minLength: 1
        readOnly: true
        title: Path
        type: string
      previous_access_mode:
        readOnly: true
        title: Previous access mode
        type: integer
        x-nullable: true
      previous_entry_type:
        enum:
        - directory
        - file
        readOnly: true
        title: Previous entry type
        type: string
      previous_gid:
        readOnly: true
        title: Previous gid
        type: integer
        x-nullable: true
      previous_hash:
        minLength: 1
        readOnly: true
        title: Previous hash
        type: string
        x-nullable: true
      previous_last_change_time:
        format: date-time
        readOnly: true
        title: Previous last change time
        type: string
        x-nullable: true
      previous_last_modification_time:
        format: date-time
        readOnly: true
        title: Previous last modification time
        type: string
        x-nullable: true
      previous_size:
        readOnly: true
        title: Previous size
        type: integer
        x-nullable: true
      previous_uid:
        readOnly: true
        title: Previous uid
        type: integer
        x-nullable: true
      report_id:
        format: uuid
        title: Report id
        type: string
      status:
        # Triage state of the change as set by a reviewer.
        enum:
        - accepted
        - not reviewed
        - rejected
        readOnly: true
        title: Status
        type: string
      type:
        enum:
        - content
        - creation
        - deletion
        - error
        - initialization
        - metadata
        - metadata and content
        - type change
        readOnly: true
        title: Type
        type: string
    required:
    - report_id
    type: object
  ListFIMPathExclusion:
    properties:
      creation_date:
        format: date-time
        readOnly: true
        title: Creation date
        type: string
      enabled:
        readOnly: true
        title: Enabled
        type: boolean
      id:
        format: uuid
        readOnly: true
        title: Id
        type: string
      origin_stack:
        $ref: '#/definitions/OriginStack'
      os_type:
        enum:
        - linux
        - macos
        - windows
        readOnly: true
        title: Os type
        type: string
      path:
        minLength: 1
        readOnly: true
        title: Path
        type: string
      path_type:
        enum:
        - directory
        - file
        - recursive_directory
        readOnly: true
        title: Path type
        type: string
      tenant:
        minLength: 1
        readOnly: true
        title: Tenant
        type: string
    type: object
  ListFIMPathInclusion:
    properties:
      creation_date:
        format: date-time
        readOnly: true
        title: Creation date
        type: string
      criticality:
        enum:
        - critical
        - high
        - low
        - medium
        readOnly: true
        title: Criticality
        type: string
      enabled:
        readOnly: true
        title: Enabled
        type: boolean
      id:
        format: uuid
        readOnly: true
        title: Id
        type: string
      origin_stack:
        $ref: '#/definitions/OriginStack'
      os_type:
        enum:
        - linux
        - macos
        - windows
        readOnly: true
        title: Os type
        type: string
      path:
        minLength: 1
        readOnly: true
        title: Path
        type: string
      path_type:
        enum:
        - directory
        - file
        - recursive_directory
        readOnly: true
        title: Path type
        type: string
      scan_type:
        enum:
        - content
        - metadata
        - metadata and content
        readOnly: true
        title: Scan type
        type: string
      tenant:
        minLength: 1
        readOnly: true
        title: Tenant
        type: string
    type: object
  ListFIMPolicy:
    properties:
      agent_policies:
        items:
          $ref: '#/definitions/MinimalPolicy'
        readOnly: true
        type: array
      description:
        minLength: 1
        readOnly: true
        title: Description
        type: string
        x-nullable: true
      endpoints_count:
        readOnly: true
        title: Endpoints count
        type: integer
      id:
        format: uuid
        readOnly: true
        title: Id
        type: string
      name:
        minLength: 1
        readOnly: true
        title: Name
        type: string
      origin_stack:
        $ref: '#/definitions/OriginStack'
      revision:
        readOnly: true
        title: Revision
        type: integer
      rule_highest_level:
        enum:
        - critical
        - high
        - low
        - medium
        readOnly: true
        title: Rule highest level
        type: string
      tenant:
        minLength: 1
        readOnly: true
        title: Tenant
        type: string
    type: object
  ListFIMReport:
    properties:
      agents:
        items:
          $ref: '#/definitions/MinimalAgentInfo'
        readOnly: true
        type: array
      covered_endpoints_count:
        readOnly: true
        title: Covered endpoints count
        type: integer
      critical_level_count:
        readOnly: true
        title: Critical level count
        type: integer
      fim_policy:
        $ref: '#/definitions/MinimalFIMPolicy'
      high_level_count:
        readOnly: true
        title: High level count
        type: integer
      highest_criticality:
        enum:
        - critical
        - high
        - low
        - medium
        readOnly: true
        title: Highest criticality
        type: string
      id:
        format: uuid
        readOnly: true
        title: Id
        type: string
      last_modification_date:
        format: date-time
        readOnly: true
        title: Last modification date
        type: string
        x-nullable: true
      last_modifier:
        readOnly: true
        title: Last modifier
        type: integer
        x-nullable: true
      last_update:
        format: date-time
        readOnly: true
        title: Last update
        type: string
      low_level_count:
        readOnly: true
        title: Low level count
        type: integer
      medium_level_count:
        readOnly: true
        title: Medium level count
        type: integer
      modifications_accepted_count:
        readOnly: true
        title: Modifications accepted count
        type: integer
      modifications_count:
        readOnly: true
        title: Modifications count
        type: integer
      modifications_not_reviewed_count:
        readOnly: true
        title: Modifications not reviewed count
        type: integer
      modifications_rejected_count:
        readOnly: true
        title: Modifications rejected count
        type: integer
      modified_endpoints_count:
        readOnly: true
        title: Modified endpoints count
        type: integer
      name:
        minLength: 1
        readOnly: true
        title: Name
        type: string
      origin_stack:
        $ref: '#/definitions/OriginStack'
      report_date:
        format: date-time
        readOnly: true
        title: Report date
        type: string
        x-nullable: true
      tenant:
        minLength: 1
        readOnly: true
        title: Tenant
        type: string
    required:
    - fim_policy
    type: object
  ListFirewallNetwork:
    properties:
      blocks_count:
        readOnly: true
        title: Blocks count
        type: integer
      description:
        title: Description
        type: string
        x-nullable: true
      endpoints_count:
        readOnly: true
        title: Endpoints count
        type: integer
      id:
        format: uuid
        title: Id
        type: string
      name:
        maxLength: 256
        title: Name
        type: string
        x-nullable: true
      origin_stack:
        $ref: '#/definitions/OriginStack'
      policies_count:
        readOnly: true
        title: Policies count
        type: integer
      rules_count:
        readOnly: true
        title: Rules count
        type: integer
      tenant:
        minLength: 1
        readOnly: true
        title: Tenant
        type: string
    type: object
  ListFirewallPolicy:
    properties:
      description:
        title: Description
        type: string
        x-nullable: true
      endpoints_count:
        readOnly: true
        title: Endpoints count
        type: integer
      id:
        format: uuid
        title: Id
        type: string
      name:
        maxLength: 256
        minLength: 1
        title: Name
        type: string
      network_zones_count:
        readOnly: true
        title: Network zones count
        type: integer
      origin_stack:
        $ref: '#/definitions/OriginStack'
      revision:
        maximum: 2147483647
        minimum: -2147483648
        title: Revision
        type: integer
      rules_count:
        readOnly: true
        title: Rules count
        type: integer
      tenant:
        minLength: 1
        readOnly: true
        title: Tenant
        type: string
    required:
    - name
    type: object
  # Host-firewall rule as listed by the API. NOTE(review): local_ip/local_ports/remote_ip/
  # remote_ports are free-form readOnly strings with no pattern or format declared, so address and
  # port-range validation must live in the server or in the write-side schema, not here.
  ListFirewallRule:
    properties:
      action:
        enum:
        - Allow
        - Drop
        - Reject
        title: Action
        type: string
      description:
        title: Description
        type: string
        x-nullable: true
      direction:
        enum:
        - Both
        - In
        - Out
        title: Direction
        type: string
      enabled:
        title: Enabled
        type: boolean
      id:
        format: uuid
        title: Id
        type: string
      index:
        # Rule ordering position; unlike the other int32 fields in this spec it is bounded at 0.
        maximum: 2147483647
        minimum: 0
        title: Index
        type: integer
      ip_version:
        enum:
        - Both
        - IPv4
        - IPv6
        title: Ip version
        type: string
      local_application:
        maxLength: 256
        title: Local application
        type: string
        x-nullable: true
      local_ip:
        readOnly: true
        title: Local ip
        type: string
        x-nullable: true
      local_ports:
        readOnly: true
        title: Local ports
        type: string
        x-nullable: true
      name:
        maxLength: 256
        title: Name
        type: string
        x-nullable: true
      origin_stack:
        $ref: '#/definitions/OriginStack'
      profile_id:
        format: uuid
        title: Profile id
        type: string
      protocol:
        # Nullable: a null protocol presumably means "any" — TODO confirm against the server.
        enum:
        - ICMP
        - IPV6_ICMP
        - TCP
        - UDP
        title: Protocol
        type: string
        x-nullable: true
      remote_ip:
        readOnly: true
        title: Remote ip
        type: string
        x-nullable: true
      remote_ports:
        readOnly: true
        title: Remote ports
        type: string
        x-nullable: true
      tenant:
        minLength: 1
        readOnly: true
        title: Tenant
        type: string
    required:
    - index
    - profile_id
    type: object
  ListVulnerabilityPolicy:
    properties:
      description:
        title: Description
        type: string
        x-nullable: true
      enabled_cves_count_critical:
        readOnly: true
        title: Enabled cves count critical
        type: integer
      enabled_cves_count_high:
        readOnly: true
        title: Enabled cves count high
        type: integer
      enabled_cves_count_low:
        readOnly: true
        title: Enabled cves count low
        type: integer
      enabled_cves_count_medium:
        readOnly: true
        title: Enabled cves count medium
        type: integer
      endpoints_count:
        readOnly: true
        title: Endpoints count
        type: integer
      id:
        format: uuid
        title: Id
        type: string
      linked_endpoint_policies_count:
        readOnly: true
        title: Linked endpoint policies count
        type: integer
      name:
        maxLength: 256
        minLength: 1
        title: Name
        type: string
    required:
    - name
    type: object
  LnkInfo:
    properties:
      file_path:
        minLength: 1
        title: File path
        type: string
    required:
    - file_path
    type: object
  # Parsed Windows shortcut (.lnk) target: path split into base network / base path / remainder plus arguments.
  LnkReport:
    properties:
      arguments:
        minLength: 1
        title: Arguments
        type: string
      base_network:
        minLength: 1
        title: Base network
        type: string
      base_path:
        minLength: 1
        title: Base path
        type: string
      path:
        minLength: 1
        title: Path
        type: string
      remaining_path:
        minLength: 1
        title: Remaining path
        type: string
    required:
    - arguments
    - base_network
    - base_path
    - path
    - remaining_path
    type: object
  LogLevelStat:
    properties:
      DEBUG:
        title: Debug
        type: integer
      ERROR:
        title: Error
        type: integer
      INFO:
        title: Info
        type: integer
      WARNING:
        title: Warning
        type: integer
    required:
    - DEBUG
    - ERROR
    - INFO
    - WARNING
    type: object
  Logs:
    properties:
      logs:
        minLength: 1
        title: Logs
        type: string
    required:
    - logs
    type: object
  # MFA is opt-in at this level: the schema default is false.
  MFA:
    properties:
      enabled:
        default: false
        title: Enabled
        type: boolean
    type: object
  # Bulk MFA toggle for a list of user ids; note enabled is a DISABLED/ENABLED string here,
  # not the boolean used by MFA above.
  MFAEnableByUser:
    properties:
      enabled:
        default: DISABLED
        enum:
        - DISABLED
        - ENABLED
        title: Enabled
        type: string
      ids:
        items:
          type: string
          x-nullable: true
        type: array
    type: object
  # NOTE(review): only minLength 1 is declared for the activation code; code length/format and
  # attempt rate-limiting are not visible in this schema and must be enforced server-side.
  MFAMethodActivationConfirmationValidator:
    properties:
      code:
        minLength: 1
        title: Code
        type: string
    required:
    - code
    type: object
  MFAMethodCode:
    properties:
      method:
        maxLength: 255
        minLength: 1
        title: Method
        type: string
    type: object
  # One NTFS MFT record collected by an agent, with hashes and code-signing chain fields.
  # fn_* / si_* look like the $FILE_NAME and $STANDARD_INFORMATION timestamp sets — TODO confirm;
  # comparing the two sets is the usual timestomping check.
  MFT:
    properties:
      '@timestamp':
        format: date-time
        title: '@timestamp'
        type: string
      agent:
        $ref: '#/definitions/DataAgent'
      children_count:
        title: Children count
        type: integer
      companyname:
        minLength: 1
        title: Companyname
        type: string
      dentrytype:
        minLength: 1
        title: Dentrytype
        type: string
      filedescription:
        minLength: 1
        title: Filedescription
        type: string
      filename:
        minLength: 1
        title: Filename
        type: string
      filename_extension:
        minLength: 1
        title: Filename extension
        type: string
      fileversion:
        minLength: 1
        title: Fileversion
        type: string
      firstbytes:
        minLength: 1
        title: Firstbytes
        type: string
      fn_atime:
        format: date-time
        title: Fn atime
        type: string
      fn_crtime:
        format: date-time
        title: Fn crtime
        type: string
      fn_ctime:
        format: date-time
        title: Fn ctime
        type: string
      fn_mtime:
        format: date-time
        title: Fn mtime
        type: string
      fullpath:
        minLength: 1
        title: Fullpath
        type: string
      id:
        minLength: 1
        title: Id
        type: string
      inode:
        minLength: 1
        title: Inode
        type: string
      inodetype:
        minLength: 1
        title: Inodetype
        type: string
      internalname:
        minLength: 1
        title: Internalname
        type: string
      inuse:
        title: Inuse
        type: boolean
      isads:
        title: Isads
        type: boolean
      iscatalogsigned:
        title: Iscatalogsigned
        type: boolean
      ishidden:
        title: Ishidden
        type: boolean
      isro:
        description: Is Read-Only
        title: Isro
        type: boolean
      issigned:
        title: Issigned
        type: boolean
      item_status:
        title: Item status
        type: integer
      job_id:
        minLength: 1
        title: Job id
        type: string
      job_instance_action:
        minLength: 1
        title: Job instance action
        type: string
      job_instance_id:
        minLength: 1
        title: Job instance id
        type: string
      job_instance_task_id:
        title: Job instance task id
        type: integer
      legalcopyright:
        minLength: 1
        title: Legalcopyright
        type: string
      md5:
        minLength: 1
        title: Md5
        type: string
      mountpoint:
        minLength: 1
        title: Mountpoint
        type: string
      originalfilename:
        minLength: 1
        title: Originalfilename
        type: string
      path:
        minLength: 1
        title: Path
        type: string
      perms:
        minLength: 1
        title: Perms
        type: string
      productname:
        minLength: 1
        title: Productname
        type: string
      productversion:
        minLength: 1
        title: Productversion
        type: string
      rootdisplayname:
        minLength: 1
        title: Rootdisplayname
        type: string
      rootissuername:
        minLength: 1
        title: Rootissuername
        type: string
      rootserialnumber:
        minLength: 1
        title: Rootserialnumber
        type: string
      rootthumbprint:
        minLength: 1
        title: Rootthumbprint
        type: string
      seq:
        title: Seq
        type: integer
      sha1:
        minLength: 1
        title: Sha1
        type: string
      sha256:
        minLength: 1
        title: Sha256
        type: string
      si_atime:
        format: date-time
        title: Si atime
        type: string
      si_crtime:
        format: date-time
        title: Si crtime
        type: string
      si_ctime:
        format: date-time
        title: Si ctime
        type: string
      si_mtime:
        format: date-time
        title: Si mtime
        type: string
      signerdisplayname:
        minLength: 1
        title: Signerdisplayname
        type: string
      signerissuername:
        minLength: 1
        title: Signerissuername
        type: string
      signerserialnumber:
        minLength: 1
        title: Signerserialnumber
        type: string
      signerthumbprint:
        minLength: 1
        title: Signerthumbprint
        type: string
      size:
        title: Size
        type: integer
      tenant:
        minLength: 1
        title: Tenant
        type: string
      volumename:
        minLength: 1
        title: Volumename
        type: string
    required:
    - '@timestamp'
    - agent
    - children_count
    - companyname
    - dentrytype
    - filedescription
    - filename
    - filename_extension
    - fileversion
    - firstbytes
    - fn_atime
    - fn_crtime
    - fn_ctime
    - fn_mtime
    - fullpath
    - id
    - inode
    - inodetype
    - internalname
    - inuse
    - isads
    - iscatalogsigned
    - ishidden
    - isro
    - issigned
    - item_status
    - job_id
    - job_instance_action
    - job_instance_id
    - job_instance_task_id
    - legalcopyright
    - md5
    - mountpoint
    - originalfilename
    - path
    - perms
    - productname
    - productversion
    - rootdisplayname
    - rootissuername
    - rootserialnumber
    - rootthumbprint
    - seq
    - sha1
    - sha256
    - si_atime
    - si_crtime
    - si_ctime
    - si_mtime
    - signerdisplayname
    - signerissuername
    - signerserialnumber
    - signerthumbprint
    - size
    - tenant
    - volumename
    type: object
  # Agent descriptor embedded in MFTGetDirectoryResponse (only agentid is required).
  MFTAgent:
    properties:
      agentid:
        minLength: 1
        title: Agentid
        type: string
      domainname:
        minLength: 1
        title: Domainname
        type: string
      hostname:
        minLength: 1
        title: Hostname
        type: string
      osproducttype:
        minLength: 1
        title: Osproducttype
        type: string
      ostype:
        minLength: 1
        title: Ostype
        type: string
      osversion:
        minLength: 1
        title: Osversion
        type: string
      version:
        minLength: 1
        title: Version
        type: string
    required:
    - agentid
    type: object
  # Directory-listing variant of an MFT record. NOTE(review): item_status is a string here but an
  # integer in MFT, ListDir, KernelModule and the other collector models, and tenant has no minLength;
  # clients sharing one model across these responses will need a conversion.
  MFTGetDirectoryResponse:
    properties:
      '@timestamp':
        format: date-time
        title: '@timestamp'
        type: string
      agent:
        $ref: '#/definitions/MFTAgent'
      dentrytype:
        minLength: 1
        title: Dentrytype
        type: string
      filedescription:
        minLength: 1
        title: Filedescription
        type: string
      filename:
        minLength: 1
        title: Filename
        type: string
      filename_extension:
        minLength: 1
        title: Filename extension
        type: string
      fn_atime:
        format: date-time
        title: Fn atime
        type: string
      fn_crtime:
        format: date-time
        title: Fn crtime
        type: string
      fn_ctime:
        format: date-time
        title: Fn ctime
        type: string
      fn_mtime:
        format: date-time
        title: Fn mtime
        type: string
      fullpath:
        minLength: 1
        title: Fullpath
        type: string
      inode:
        minLength: 1
        title: Inode
        type: string
      inodetype:
        minLength: 1
        title: Inodetype
        type: string
      inuse:
        title: Inuse
        type: boolean
      isads:
        title: Isads
        type: boolean
      ishidden:
        title: Ishidden
        type: boolean
      isro:
        title: Isro
        type: boolean
      item_status:
        minLength: 1
        title: Item status
        type: string
      job_id:
        minLength: 1
        title: Job id
        type: string
      job_instance_id:
        minLength: 1
        title: Job instance id
        type: string
      log_type:
        minLength: 1
        title: Log type
        type: string
      mountpoint:
        minLength: 1
        title: Mountpoint
        type: string
      object_type:
        minLength: 1
        title: Object type
        type: string
      path:
        minLength: 1
        title: Path
        type: string
      seq:
        title: Seq
        type: integer
      si_atime:
        format: date-time
        title: Si atime
        type: string
      si_crtime:
        format: date-time
        title: Si crtime
        type: string
      si_ctime:
        format: date-time
        title: Si ctime
        type: string
      si_mtime:
        format: date-time
        title: Si mtime
        type: string
      signerdisplayname:
        minLength: 1
        title: Signerdisplayname
        type: string
      size:
        title: Size
        type: integer
      tenant:
        title: Tenant
        type: string
      volumename:
        minLength: 1
        title: Volumename
        type: string
    required:
    - tenant
    type: object
  # Parsed Mach-O CodeDirectory blob (code-signing metadata).
  MachoCodeDirectory:
    properties:
      code_limit:
        title: Code limit
        type: integer
      flags:
        items:
          minLength: 1
          type: string
        type: array
      hash_offset:
        title: Hash offset
        type: integer
      hash_size:
        title: Hash size
        type: integer
      hash_type:
        title: Hash type
        type: integer
      ident:
        minLength: 1
        title: Ident
        type: string
      ident_offset:
        title: Ident offset
        type: integer
      n_code_slots:
        title: N code slots
        type: integer
      n_special_slots:
        title: N special slots
        type: integer
      page_size:
        title: Page size
        type: integer
      platform:
        title: Platform
        type: integer
      spare2:
        title: Spare2
        type: integer
      version:
        title: Version
        type: integer
    required:
    - code_limit
    - flags
    - hash_offset
    - hash_size
    - hash_type
    - ident
    - ident_offset
    - n_code_slots
    - n_special_slots
    - page_size
    - platform
    - spare2
    - version
    type: object
  # Code directory plus the entitlement strings granted to the binary; entitlements are worth
  # reviewing for a defender (they describe what the signed binary is allowed to do).
  MachoCodeSignature:
    properties:
      code_directory:
        $ref: '#/definitions/MachoCodeDirectory'
      entitlements:
        items:
          minLength: 1
          type: string
        type: array
    required:
    - code_directory
    - entitlements
    type: object
  # Static analysis summary of a Mach-O binary (headers, load commands, imports, signature).
  MachoReport:
    properties:
      code_signature:
        $ref: '#/definitions/MachoCodeSignature'
      cpu_subtype:
        minLength: 1
        title: Cpu subtype
        type: string
      cpu_type:
        minLength: 1
        title: Cpu type
        type: string
      filetype:
        minLength: 1
        title: Filetype
        type: string
      flags:
        items:
          minLength: 1
          type: string
        type: array
      imports:
        items:
          minLength: 1
          type: string
        type: array
      load_commands:
        items:
          minLength: 1
          type: string
        type: array
      magic:
        title: Magic
        type: integer
      nbarch:
        title: Nbarch
        type: integer
      size_of_commands:
        title: Size of commands
        type: integer
      uuid:
        minLength: 1
        title: Uuid
        type: string
    required:
    - code_signature
    - cpu_subtype
    - cpu_type
    - filetype
    - flags
    - imports
    - load_commands
    - magic
    - nbarch
    - size_of_commands
    - uuid
    type: object
  # A YARA rule that matched, including the full rule text in content.
  MatchedYaraRule:
    properties:
      content:
        minLength: 1
        title: Content
        type: string
      namespace:
        minLength: 1
        title: Namespace
        type: string
      rulename:
        minLength: 1
        title: Rulename
        type: string
      source:
        minLength: 1
        title: Source
        type: string
    required:
    - content
    - namespace
    - rulename
    - source
    type: object
  # Refresh status of a database materialized view; celery_task_id is an internal scheduler
  # identifier exposed to API consumers.
  MaterializedViewStatus:
    properties:
      celery_task_id:
        maxLength: 100
        minLength: 1
        title: Celery task id
        type: string
        x-nullable: true
      duration_minutes:
        maximum: 2147483647
        minimum: -2147483648
        title: Duration minutes
        type: integer
        x-nullable: true
      finished_at:
        format: date-time
        title: Finished at
        type: string
        x-nullable: true
      status:
        enum:
        - Error
        - Finished
        - Running
        title: Status
        type: string
      triggered_by:
        $ref: '#/definitions/HlSimpleUserSerializer'
      view_name:
        minLength: 1
        title: View name
        type: string
    required:
    - status
    - triggered_by
    - view_name
    type: object
  MatrixTactic:
    properties:
      tactic:
        minLength: 1
        title: Tactic
        type: string
      techniques:
        items:
          $ref: '#/definitions/Technique'
        type: array
    required:
    - tactic
    - techniques
    type: object
  # Discovered subnet keyed by its gateway; gateway fields are required but also nullable.
  MicroSubnet:
    properties:
      gateway_ipaddress:
        minLength: 1
        title: Gateway ipaddress
        type: string
        x-nullable: true
      gateway_macaddress:
        minLength: 1
        title: Gateway macaddress
        type: string
        x-nullable: true
      id:
        format: uuid
        title: Id
        type: string
      last_seen:
        format: date-time
        title: Last seen
        type: string
        x-nullable: true
      name:
        title: Name
        type: string
        x-nullable: true
    required:
    - gateway_ipaddress
    - gateway_macaddress
    type: object
  MinimalAgentInfo:
    properties:
      hostname:
        minLength: 1
        title: Hostname
        type: string
        x-nullable: true
      id:
        format: uuid
        title: Id
        type: string
    required:
    - hostname
    - id
    type: object
  MinimalAgentInfoWithOS:
    properties:
      hostname:
        minLength: 1
        title: Hostname
        type: string
        x-nullable: true
      id:
        format: uuid
        title: Id
        type: string
      ostype:
        enum:
        - linux
        - macos
        - windows
        title: Ostype
        type: string
    required:
    - hostname
    - id
    - ostype
    type: object
  MinimalFIMPolicy:
    properties:
      id:
        format: uuid
        title: Id
        type: string
      name:
        maxLength: 256
        minLength: 1
        title: Name
        type: string
    required:
    - name
    type: object
  MinimalFirewallPolicy:
    properties:
      agent_count:
        readOnly: true
        title: Agent count
        type: integer
      id:
        format: uuid
        title: Id
        type: string
      name:
        maxLength: 256
        minLength: 1
        title: Name
        type: string
    required:
    - name
    type: object
  # Same shape as MinimalFirewallPolicy except id is a free string rather than a uuid.
  MinimalPolicy:
    properties:
      agent_count:
        readOnly: true
        title: Agent count
        type: integer
      id:
        minLength: 1
        title: Id
        type: string
      name:
        minLength: 1
        title: Name
        type: string
    required:
    - name
    type: object
  MiscellaneousPermissions:
    properties:
      api_documentation:
        title: Api documentation
        type: boolean
      product_documentation:
        title: Product documentation
        type: boolean
    required:
    - api_documentation
    - product_documentation
    type: object
  # A process expected by a scan but not found. NOTE(review): pid is a string here while
  # LibraryLoad.pid is an integer.
  MissingProcess:
    properties:
      image_name:
        minLength: 1
        title: Image name
        type: string
      pid:
        minLength: 1
        title: Pid
        type: string
      process_unique_id:
        minLength: 1
        title: Process unique id
        type: string
    required:
    - image_name
    - pid
    - process_unique_id
    type: object
  # Loaded module inside a dumped/profiled process; module_regions references a single
  # ModuleRegion rather than an array as written here.
  Module:
    properties:
      binaryinfo:
        $ref: '#/definitions/BinaryInfoWithPath'
      hashes_requested:
        title: Hashes requested
        type: boolean
      linux_module_path:
        minLength: 1
        title: Linux module path
        type: string
      module_base_addr:
        minLength: 1
        title: Module base addr
        type: string
      module_name:
        minLength: 1
        title: Module name
        type: string
      module_path:
        minLength: 1
        title: Module path
        type: string
      module_regions:
        $ref: '#/definitions/ModuleRegion'
      module_size:
        title: Module size
        type: integer
      region_type:
        minLength: 1
        title: Region type
        type: string
      signature_requested:
        title: Signature requested
        type: boolean
    required:
    - binaryinfo
    - hashes_requested
    - linux_module_path
    - module_base_addr
    - module_name
    - module_path
    - module_regions
    - module_size
    - region_type
    - signature_requested
    type: object
  # Memory region of a module: address and permissions are strings, size an integer.
  ModuleRegion:
    properties:
      addr:
        minLength: 1
        title: Addr
        type: string
      perms:
        minLength: 1
        title: Perms
        type: string
      size:
        title: Size
        type: integer
    required:
    - addr
    - perms
    - size
    type: object
  # NOTE(review): MonitoringPermissions continues beyond the visible chunk; its required list is
  # cut after can_see_license_info.
  MonitoringPermissions:
    properties:
      can_see_license_info:
        title: Can see license info
        type: boolean
      can_see_logs:
        title: Can see logs
        type: boolean
      can_use_monitoring_ui:
        title: Can use monitoring ui
        type: boolean
    required:
    - can_see_license_info
- can_see_logs - can_use_monitoring_ui type: object NDAsset: properties: '@timestamp': format: date-time title: '@timestamp' type: string acknowledged: enum: - seen - to_check title: Acknowledged type: string agent: $ref: '#/definitions/__DataAgentSerializer' agent_status: enum: - access_denied - idle - offline - online - unknown readOnly: true title: Agent status type: string compatible: title: Compatible type: boolean description: minLength: 1 title: Description type: string detected_agent: $ref: '#/definitions/MinimalAgentInfo' first_seen: format: date-time title: First seen type: string gateway_ipaddress: minLength: 1 title: Gateway ipaddress type: string gateway_macaddress: minLength: 1 title: Gateway macaddress type: string hardware_address: minLength: 1 title: Hardware address type: string id: minLength: 1 title: Id type: string ip: minLength: 1 title: Ip type: string last_seen: format: date-time title: Last seen type: string name: minLength: 1 title: Name type: string netbios_groups: items: minLength: 1 type: string type: array netbios_name: minLength: 1 title: Netbios name type: string observation_count: title: Observation count type: integer ostype: minLength: 1 title: Ostype type: string oui_vendor: minLength: 1 title: Oui vendor type: string random_hardware_address: title: Random hardware address type: boolean rmDNS_additional_records: items: minLength: 1 type: string type: array rmDNS_names: items: minLength: 1 type: string type: array subnet_id: minLength: 1 title: Subnet id type: string subnet_name: minLength: 1 title: Subnet name type: string required: - hardware_address - ip type: object NamedPipe: properties: '@event_create_date': format: date-time title: '@event create date' type: string '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/InnerAgent' desired_access: title: Desired access type: integer event_id: title: Event id type: integer groups: $ref: '#/definitions/InnerGroup' id: minLength: 1 title: 
Id type: string image_name: minLength: 1 title: Image name type: string inbound_quota: title: Inbound quota type: integer log_type: minLength: 1 title: Log type type: string maximum_instances: title: Maximum instances type: integer named_pipe_type: title: Named pipe type type: integer origin_stack: $ref: '#/definitions/OriginStack' outbound_quota: title: Outbound quota type: integer pipe_name: minLength: 1 title: Pipe name type: string pipe_operation: minLength: 1 title: Pipe operation type: string platform: minLength: 1 title: Platform type: string process_unique_id: minLength: 1 title: Process unique id type: string source_process_unique_id: minLength: 1 title: Source process unique id type: string stacktrace: minLength: 1 title: Stacktrace type: string stacktrace_minimal: minLength: 1 title: Stacktrace minimal type: string tenant: minLength: 1 title: Tenant type: string utc_time: format: date-time title: Utc time type: string required: - '@event_create_date' - '@timestamp' - agent - desired_access - event_id - groups - id - image_name - inbound_quota - log_type - maximum_instances - named_pipe_type - outbound_quota - pipe_name - pipe_operation - platform - process_unique_id - source_process_unique_id - stacktrace - stacktrace_minimal - tenant - utc_time type: object NetInterface: properties: addresses_ipv4: items: minLength: 1 type: string readOnly: true type: array addresses_ipv6: items: minLength: 1 type: string readOnly: true type: array agent: $ref: '#/definitions/SimpleAgent' guid: readOnly: true title: Guid type: string x-nullable: true hardware_address: readOnly: true title: Hardware address type: string x-nullable: true id: format: uuid readOnly: true title: Id type: string is_favorite_interface: readOnly: true title: Is favorite interface type: boolean name: minLength: 1 readOnly: true title: Name type: string oui_vendor: readOnly: true title: Oui vendor type: string x-nullable: true required: - agent type: object NetWDiscovery: properties: 
auto_scan_interval: minimum: 1 title: Auto scan interval type: integer enabled: default: false title: Enabled type: boolean required: - auto_scan_interval type: object Network: properties: '@event_create_date': format: date-time title: '@event create date' type: string '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/InnerAgent' conn_type: title: Conn type type: integer connection_closed_time: format: date-time title: Connection closed time type: string connection_start_time: format: date-time title: Connection start time type: string connection_successful: title: Connection successful type: boolean connection_unique_id: minLength: 1 title: Connection unique id type: string daddr: minLength: 1 title: Daddr type: string daddr_geoip: $ref: '#/definitions/GeoIP' direction: minLength: 1 title: Direction type: string dnames: items: minLength: 1 type: string type: array dport: title: Dport type: integer event_id: title: Event id type: integer groups: $ref: '#/definitions/InnerGroup' id: minLength: 1 title: Id type: string image_name: minLength: 1 title: Image name type: string incoming_bytes: title: Incoming bytes type: integer incoming_protocol: $ref: '#/definitions/ApplicationProtocol' initiated: title: Initiated type: boolean is_ipv6: title: Is ipv6 type: boolean kind: minLength: 1 title: Kind type: string log_type: minLength: 1 title: Log type type: string outgoing_bytes: title: Outgoing bytes type: integer outgoing_protocol: $ref: '#/definitions/ApplicationProtocol' pid: title: Pid type: integer process_unique_id: minLength: 1 title: Process unique id type: string saddr: minLength: 1 title: Saddr type: string saddr_geoip: $ref: '#/definitions/GeoIP' sport: title: Sport type: integer tenant: minLength: 1 title: Tenant type: string timestamp: format: date-time title: Timestamp type: string username: minLength: 1 title: Username type: string required: - '@event_create_date' - '@timestamp' - agent - conn_type - 
connection_closed_time - connection_start_time - connection_successful - connection_unique_id - daddr - daddr_geoip - direction - dnames - dport - event_id - groups - id - image_name - incoming_bytes - incoming_protocol - initiated - is_ipv6 - kind - log_type - outgoing_bytes - outgoing_protocol - pid - process_unique_id - saddr - saddr_geoip - sport - tenant - timestamp - username type: object NetworkDeviceDetails: properties: ip: minLength: 1 title: Ip type: string x-nullable: true last_connection_detected_date: format: date-time readOnly: true title: Last connection detected date type: string last_connection_detected_job_instance_id: format: uuid readOnly: true title: Last connection detected job instance id type: string mac_addr: maxLength: 17 minLength: 1 title: Mac addr type: string netbios_groups: items: maxLength: 256 minLength: 1 title: Netbios groups type: string type: array netbios_name: title: Netbios name type: string x-nullable: true oui_vendor: title: Oui vendor type: string x-nullable: true random_hardware_address: title: Random hardware address type: boolean rmDNS_additional_records: items: maxLength: 256 minLength: 1 title: RmDNS additional records type: string type: array rmDNS_names: items: maxLength: 256 minLength: 1 title: RmDNS names type: string type: array subnets: items: $ref: '#/definitions/MicroSubnet' readOnly: true type: array required: - mac_addr type: object NetworkDiscovery: properties: '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/DataAgent' agent_status: description: Status of the detected machine's agent. Can be a value of `AgentStatus` or `unknown`. 
minLength: 1 title: Agent status type: string compatible: title: Compatible type: boolean detected_agent: description: Agent of the detected machine, if any items: $ref: '#/definitions/ReducedAgent' maxItems: 1 type: array gateway_ipaddress: minLength: 1 title: Gateway ipaddress type: string gateway_macaddress: minLength: 1 title: Gateway macaddress type: string hardware_address: description: MAC address of the detected machine minLength: 1 title: Hardware address type: string id: minLength: 1 title: Id type: string ip: description: IP address of the detected machine minLength: 1 title: Ip type: string job_id: minLength: 1 title: Job id type: string job_instance_action: minLength: 1 title: Job instance action type: string job_instance_id: minLength: 1 title: Job instance id type: string job_instance_task_id: title: Job instance task id type: integer netbios_groups: items: description: NetBIOS groups of the detected machine minLength: 1 type: string type: array netbios_name: description: NetBIOS name of the detected machine minLength: 1 title: Netbios name type: string os_fingerprint: minLength: 1 title: Os fingerprint type: string ostype: minLength: 1 title: Ostype type: string oui_vendor: description: OUI vendor of the detected machine minLength: 1 title: Oui vendor type: string random_hardware_address: description: Is the hardware address of the detected machine random? 
title: Random hardware address type: boolean rmDNS_additional_records: items: description: Additional reverse DNS records of the detected machine minLength: 1 type: string type: array rmDNS_names: items: description: Reverse DNS names of the detected machine minLength: 1 type: string type: array subnet_id: minLength: 1 title: Subnet id type: string tenant: minLength: 1 title: Tenant type: string required: - '@timestamp' - agent - agent_status - compatible - detected_agent - gateway_ipaddress - gateway_macaddress - hardware_address - id - ip - job_id - job_instance_action - job_instance_id - job_instance_task_id - netbios_groups - netbios_name - os_fingerprint - ostype - oui_vendor - random_hardware_address - rmDNS_additional_records - rmDNS_names - subnet_id - tenant type: object NetworkDiscoveryConfig: properties: auto_scan_interval: default: 23 title: Auto scan interval type: integer connector_type: enum: - assemblyline - base - cape - connector_misp - export - export_elastic - export_s3 - export_secops - export_splunk - glimps - irma - ldap_auth - orion - proxy - thehive - virustotal readOnly: true title: Connector type type: string enable_auto_scan: default: false title: Enable auto scan type: boolean enable_os_fingerprinting: default: false title: Enable os fingerprinting type: boolean exclude_domestic_subnets: default: true title: Exclude domestic subnets type: boolean exclude_low_populated: default: false title: Exclude low populated type: boolean id: minLength: 1 readOnly: true title: Id type: string last_modified: format: date-time readOnly: true title: Last modified type: string last_modifier: minLength: 1 readOnly: true title: Last modifier type: string low_populated_limit: default: 5 title: Low populated limit type: integer name: minLength: 1 title: Name type: string time_to_forget: default: 14 title: Time to forget type: integer type: default: network_discovery enum: - network_discovery readOnly: true title: Type type: string required: - name type: 
object x-nullable: true NetworkDiscoveryParam: properties: enable_os_fingerprinting: default: false title: Enable os fingerprinting type: boolean ignore_randomized_macaddr: default: false title: Ignore randomized macaddr type: boolean ip: format: ipv4 minLength: 1 title: Ip type: string prefix_length: maximum: 32 minimum: 8 title: Prefix length type: integer subnet_id: minLength: 1 title: Subnet id type: string use_nbtscan: title: Use nbtscan type: boolean use_rmDNS: title: Use rmdns type: boolean required: - ip - prefix_length - use_nbtscan - use_rmDNS type: object NetworkIsolationExclusion: properties: description: title: Description type: string x-nullable: true id: format: uuid title: Id type: string local_application: title: Local application type: string x-nullable: true name: maxLength: 256 title: Name type: string x-nullable: true network_exclusion: $ref: '#/definitions/NetworkIsolationNetworkBasedExclusion' policy: title: Policy type: string required: - policy type: object NetworkIsolationIpExclusion: properties: fqdn: maxLength: 255 title: Fqdn type: string x-nullable: true id: format: uuid title: Id type: string ip_address: minLength: 1 title: Ip address type: string x-nullable: true local_exclusion: title: Local exclusion type: string x-nullable: true mask: maximum: 2147483647 minimum: 0 title: Mask type: integer x-nullable: true remote_exclusion: title: Remote exclusion type: string x-nullable: true representation: maxLength: 1024 minLength: 1 title: Representation type: string type: enum: - CIDR - FQDN - IP title: Type type: string type: object NetworkIsolationNetworkBasedExclusion: properties: direction: enum: - Both - In - Out title: Direction type: string local_ip: $ref: '#/definitions/NetworkIsolationIpExclusion' local_ports: items: $ref: '#/definitions/NetworkIsolationPortExclusion' type: array protocol: enum: - ALL - ICMP - IPV6_ICMP - TCP - UDP title: Protocol type: string remote_ip: $ref: '#/definitions/NetworkIsolationIpExclusion' 
remote_ports: items: $ref: '#/definitions/NetworkIsolationPortExclusion' type: array type: object NetworkIsolationPortExclusion: properties: id: format: uuid title: Id type: string local_exclusion: title: Local exclusion type: string x-nullable: true origin: maximum: 65535 minimum: 0 title: Origin type: integer remote_exclusion: title: Remote exclusion type: string x-nullable: true representation: maxLength: 1024 minLength: 1 title: Representation type: string to: maximum: 65535 minimum: 0 title: To type: integer x-nullable: true type: enum: - PORT - RANGE title: Type type: string x-nullable: true required: - origin type: object NetworkListen: properties: '@event_create_date': format: date-time title: '@event create date' type: string '@timestamp': format: date-time title: '@timestamp' type: string address: minLength: 1 title: Address type: string agent: $ref: '#/definitions/InnerAgent' groups: $ref: '#/definitions/InnerGroup' id: minLength: 1 title: Id type: string log_type: minLength: 1 title: Log type type: string origin_stack: $ref: '#/definitions/OriginStack' pid: title: Pid type: integer port: title: Port type: integer process_image_path: minLength: 1 title: Process image path type: string process_unique_id: minLength: 1 title: Process unique id type: string tenant: minLength: 1 title: Tenant type: string transport_protocol: minLength: 1 title: Transport protocol type: string transport_protocol_number: title: Transport protocol number type: integer utc_time: format: date-time title: Utc time type: string required: - '@event_create_date' - '@timestamp' - address - agent - groups - id - log_type - pid - port - process_image_path - process_unique_id - tenant - transport_protocol - transport_protocol_number - utc_time type: object NetworkShare: properties: '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/DataAgent' caption: minLength: 1 title: Caption type: string description: minLength: 1 title: Description type: 
string id: minLength: 1 title: Id type: string installdate: minLength: 1 title: Installdate type: string item_status: title: Item status type: integer job_id: minLength: 1 title: Job id type: string job_instance_action: minLength: 1 title: Job instance action type: string job_instance_id: minLength: 1 title: Job instance id type: string job_instance_task_id: title: Job instance task id type: integer name: minLength: 1 title: Name type: string path: minLength: 1 title: Path type: string sharetype: minLength: 1 title: Sharetype type: string sharetypeval: minLength: 1 title: Sharetypeval type: string status: minLength: 1 title: Status type: string tenant: minLength: 1 title: Tenant type: string required: - '@timestamp' - agent - caption - description - id - installdate - item_status - job_id - job_instance_action - job_instance_id - job_instance_task_id - name - path - sharetype - sharetypeval - status - tenant type: object NetworkSniffer: properties: capture_all_interfaces: default: false title: Capture all interfaces type: boolean datasize: minimum: 0 title: Datasize type: integer x-nullable: true packets: minimum: 0 title: Packets type: integer x-nullable: true seconds: minimum: 0 title: Seconds type: integer x-nullable: true type: object NewChat: properties: context_info: $ref: '#/definitions/AppLocationCreate' enforce_tool: enum: - agent_list - analyze_security_event - driver_block_list - ioc - powershell - security_event_list - sigma - threat_list - yara title: Enforce tool type: string message: minLength: 1 title: Message type: string public: default: false title: Public type: boolean title: title: Title type: string required: - message type: object NewChatRequest: properties: context_info: $ref: '#/definitions/AppLocationCreate' enforce_tool: enum: - agent_list - analyze_security_event - driver_block_list - ioc - powershell - security_event_list - sigma - threat_list - yara title: Enforce tool type: string message: minLength: 1 title: Message type: string 
required: - message type: object NewConversation: properties: message: title: Message type: string required: - message type: object NewThreatAggregation: properties: closed: default: true title: Closed type: boolean false_positive: default: true title: False positive type: boolean type: object NixTutorial: properties: create_nix_service_file: minLength: 1 title: Create nix service file type: string hurukai_config: minLength: 1 title: Hurukai config type: string install_agent_files: minLength: 1 title: Install agent files type: string x-nullable: true switch_config: minLength: 1 title: Switch config type: string required: - create_nix_service_file - hurukai_config - install_agent_files - switch_config type: object Node: properties: alertCount: title: Alertcount type: integer childProcessCount: title: Childprocesscount type: integer childProcessCountConfidence: minLength: 1 title: Childprocesscountconfidence type: string class_name: minLength: 1 title: Class name type: string connectionCount: title: Connectioncount type: integer dnsResolutionCount: title: Dnsresolutioncount type: integer fileDownloadCount: title: Filedownloadcount type: integer id: minLength: 1 title: Id type: string injectedThreadCount: title: Injectedthreadcount type: integer libraryLoadCount: title: Libraryloadcount type: integer name: minLength: 1 title: Name type: string namedPipeCount: title: Namedpipecount type: integer parents: items: minLength: 1 type: string type: array powershellCount: title: Powershellcount type: integer registryCount: title: Registrycount type: integer signed: title: Signed type: boolean timestamp: format: date-time title: Timestamp type: string type: minLength: 1 title: Type type: string required: - alertCount - childProcessCount - childProcessCountConfidence - class_name - connectionCount - dnsResolutionCount - fileDownloadCount - id - injectedThreadCount - libraryLoadCount - name - namedPipeCount - parents - powershellCount - registryCount - signed - timestamp - type 
type: object Note: properties: content: title: Content type: string creation_date: format: date-time readOnly: true title: Creation date type: string last_modifier: $ref: '#/definitions/HlSimpleUserSerializer' last_update: format: date-time readOnly: true title: Last update type: string resource: default: threat enum: - threat title: Resource type: string resource_id: minLength: 1 title: Resource id type: string title: minLength: 1 title: Title type: string required: - resource_id - title type: object NoteRequestBody: properties: content: minLength: 1 title: Content type: string title: minLength: 1 title: Title type: string required: - content - title type: object NoteResponse: properties: content: title: Content type: string creation_date: format: date-time readOnly: true title: Creation date type: string last_modifier: $ref: '#/definitions/HlSimpleUserSerializer' last_update: format: date-time readOnly: true title: Last update type: string resource: default: threat enum: - threat title: Resource type: string resource_id: minLength: 1 title: Resource id type: string title: minLength: 1 title: Title type: string required: - title type: object OIDCActiveProvider: properties: name: minLength: 1 title: Name type: string slug: format: slug maxLength: 100 minLength: 1 pattern: ^[-a-zA-Z0-9_]+$ title: Slug type: string required: - name - slug type: object OIDCProvider: properties: auth_method: enum: - client_secret_basic - client_secret_post title: Auth method type: string callback_url: maxLength: 500 minLength: 1 title: Callback url type: string client_id: minLength: 1 title: Client id type: string client_secret: minLength: 1 title: Client secret type: string x-nullable: true debug: title: Debug type: boolean default_role: title: Default role type: string x-nullable: true enabled: title: Enabled type: boolean groups_claim: minLength: 1 title: Groups claim type: string x-nullable: true id: readOnly: true title: ID type: integer name: minLength: 1 title: Name type: string 
pkce: title: Pkce type: boolean pkce_method: enum: - S256 title: Pkce method type: string provider_group: items: $ref: '#/definitions/GroupsOIDCProvider' type: array x-nullable: true server_metadata_url: format: uri maxLength: 500 minLength: 1 title: Server metadata url type: string slug: format: slug maxLength: 100 minLength: 1 pattern: ^[-a-zA-Z0-9_]+$ title: Slug type: string ssl_cacert: format: uri readOnly: true title: Ssl cacert type: string x-nullable: true ssl_cacert_filename: minLength: 1 title: Ssl cacert filename type: string x-nullable: true ssl_cert: format: uri readOnly: true title: Ssl cert type: string x-nullable: true ssl_cert_filename: minLength: 1 title: Ssl cert filename type: string x-nullable: true ssl_key: format: uri readOnly: true title: Ssl key type: string x-nullable: true ssl_key_filename: minLength: 1 title: Ssl key filename type: string x-nullable: true required: - client_id - name - server_metadata_url type: object OSTypeCount: properties: linux: title: Linux type: integer macos: title: Macos type: integer total: title: Total type: integer unknown: title: Unknown type: integer windows: title: Windows type: integer required: - linux - macos - total - windows type: object OUICodes: properties: codes: items: minLength: 1 type: string type: array required: - codes type: object OriginStack: properties: id: minLength: 1 title: Id type: string is_current: title: Is current type: boolean is_supervisor: title: Is supervisor type: boolean is_tenant: title: Is tenant type: boolean name: minLength: 1 title: Name type: string x-nullable: true required: - id - is_current - is_supervisor - is_tenant type: object OrionAV: properties: antivirus_name: minLength: 1 title: Antivirus name type: string infected: title: Infected type: boolean threat_name: minLength: 1 title: Threat name type: string required: - antivirus_name - infected - threat_name type: object OrionDynamicScan: properties: files: $ref: '#/definitions/OrionDynamicScanEntry' network: $ref: 
'#/definitions/OrionDynamicScanEntry' persistence: $ref: '#/definitions/OrionDynamicScanEntry' processes: $ref: '#/definitions/OrionDynamicScanEntry' system: $ref: '#/definitions/OrionDynamicScanEntry' required: - files - network - persistence - processes - system type: object OrionDynamicScanEntry: properties: description: items: minLength: 1 type: string type: array score: title: Score type: integer required: - description - score type: object OrionRule: properties: description: minLength: 1 title: Description type: string format: minLength: 1 title: Format type: string name: minLength: 1 title: Name type: string risk: minLength: 1 title: Risk type: string type: minLength: 1 title: Type type: string required: - description - format - name - risk - type type: object OrionScan: properties: antivirus: $ref: '#/definitions/OrionAV' description: minLength: 1 title: Description type: string dynamic: $ref: '#/definitions/OrionDynamicScan' external_link: minLength: 1 title: External link type: string level: minLength: 1 title: Level type: string networks: items: minLength: 1 type: string type: array report_id: minLength: 1 title: Report id type: string risk: minLength: 1 title: Risk type: string rules_hits: $ref: '#/definitions/OrionRule' scan_date: format: date-time title: Scan date type: string scanner: $ref: '#/definitions/OrionDynamicScan' required: - antivirus - description - dynamic - external_link - level - networks - report_id - risk - rules_hits - scan_date - scanner type: object PDFRetention: properties: pdf_max_age: minLength: 1 title: Pdf max age type: string x-nullable: true pdf_max_size: minLength: 1 title: Pdf max size type: string x-nullable: true type: object PEInfo: properties: authentihashes: $ref: '#/definitions/Authentihashes' company_name: minLength: 1 title: Company name type: string file_description: minLength: 1 title: File description type: string file_version: minLength: 1 title: File version type: string internal_name: minLength: 1 title: 
Internal name type: string legal_copyright: minLength: 1 title: Legal copyright type: string original_filename: minLength: 1 title: Original filename type: string pe_timestamp: format: date-time title: Pe timestamp type: string pe_timestamp_int: title: Pe timestamp int type: integer product_name: minLength: 1 title: Product name type: string product_version: minLength: 1 title: Product version type: string required: - authentihashes - company_name - file_description - file_version - internal_name - legal_copyright - original_filename - pe_timestamp - pe_timestamp_int - product_name - product_version type: object PaginatedBatchAgentList: properties: count: title: Count type: integer next: minLength: 1 title: Next type: string x-nullable: true previous: minLength: 1 title: Previous type: string x-nullable: true results: items: $ref: '#/definitions/BatchAgentList' type: array required: - count - results type: object ParseFileSystem: properties: bDoComputeHash: title: Bdocomputehash type: boolean bGetFirstBytes: title: Bgetfirstbytes type: boolean maxPeComputeSize: title: Maxpecomputesize type: integer x-nullable: true restrictToDirectory: minLength: 1 title: Restricttodirectory type: string required: - bDoComputeHash - bGetFirstBytes type: object Password: properties: password: minLength: 1 title: Password type: string type: object PasswordSecurity: properties: check_derived: default: true title: Check derived type: boolean check_dictionary: default: true title: Check dictionary type: boolean min_caps_count: minimum: 0 title: Min caps count type: integer x-nullable: true min_length: default: 8 minimum: 1 title: Min length type: integer x-nullable: true min_lower_count: minimum: 0 title: Min lower count type: integer x-nullable: true min_numerical_char_count: minimum: 0 title: Min numerical char count type: integer x-nullable: true min_special_char_count: minimum: 0 title: Min special char count type: integer x-nullable: true type: object PasswordSecurityConfig: 
properties: check_derived: readOnly: true title: Check derived type: boolean check_dictionary: readOnly: true title: Check dictionary type: boolean min_caps_count: readOnly: true title: Min caps count type: integer min_length: readOnly: true title: Min length type: integer min_lower_count: readOnly: true title: Min lower count type: integer min_numerical_char_count: readOnly: true title: Min numerical char count type: integer min_special_char_count: readOnly: true title: Min special char count type: integer type: object PasswordValidationError: properties: password: $ref: '#/definitions/InnerPassword' required: - password type: object PathDownloadRequest: properties: agent_id: minLength: 1 title: Agent id type: string auto_analyze: default: false title: Auto analyze type: boolean path: minLength: 1 title: Path type: string sha256: minLength: 1 title: Sha256 type: string tenant: minLength: 1 title: Tenant type: string x-nullable: true required: - agent_id - path - sha256 type: object PathExclusion: properties: comment: title: Comment type: string hl_av: format: uuid title: Hl av type: string x-nullable: true id: format: uuid readOnly: true title: Id type: string origin_stack: $ref: '#/definitions/OriginStack' origin_stack_id: maxLength: 64 minLength: 1 title: Origin stack id type: string x-nullable: true path: minLength: 1 title: Path type: string path_type: enum: - "" - directory - file - recursive_directory title: Path type type: string x-nullable: true platform_os: enum: - linux - macos - unknown - windows title: Platform os type: string x-nullable: true synchronization_status: format: uuid title: Synchronization status type: string x-nullable: true tenant: minLength: 1 readOnly: true title: Tenant type: string required: - path type: object PathExclusionList: properties: path_exclusions: default: [] items: $ref: '#/definitions/PathExclusion' type: array type: object PeExport: properties: name: minLength: 1 title: Name type: string ordinal: title: Ordinal type: 
integer required: - name - ordinal type: object PeReport: properties: exports: items: $ref: '#/definitions/PeExport' type: array resources: items: $ref: '#/definitions/PeResource' type: array sections: items: $ref: '#/definitions/PeSection' type: array required: - exports - resources - sections type: object PeResource: properties: codepage: minLength: 1 title: Codepage type: string data_offset: title: Data offset type: integer data_size: title: Data size type: integer entropy: title: Entropy type: number language: minLength: 1 title: Language type: string name: minLength: 1 title: Name type: string resource_type: minLength: 1 title: Resource type type: string sha256: minLength: 1 title: Sha256 type: string size: title: Size type: integer timestamp: title: Timestamp type: integer required: - codepage - data_offset - data_size - entropy - language - name - resource_type - sha256 - size - timestamp type: object PeSection: properties: entropy: title: Entropy type: number md5: minLength: 1 title: Md5 type: string name: minLength: 1 title: Name type: string raw_size: title: Raw size type: integer virtual_address: title: Virtual address type: integer virtual_size: title: Virtual size type: integer required: - entropy - md5 - name - raw_size - virtual_address - virtual_size type: object Permission: properties: codename: enum: - administration_agent_installers - administration_global_settings - administration_role_edit - administration_role_view - administration_user_edit - administration_user_view - attack_surface_network_discovery_edit - attack_surface_network_discovery_view - attack_surface_vulnerability_edit - attack_surface_vulnerability_view - data_exploration_file_download - data_exploration_investigation_edit - data_exploration_investigation_view - data_exploration_search - data_exploration_telemetry - data_exploration_visualization - detection_sec_event_edit - detection_sec_event_view - detection_threat_edit - detection_threat_view - detection_view_experimental - 
endpoint_agent_delivery_management_edit - endpoint_agent_delivery_management_view - endpoint_agent_lifecycle - endpoint_lifecycle - endpoint_management_edit - endpoint_management_view - endpoint_policy_edit - endpoint_policy_view - job_acquisition_capture_ram_edit - job_acquisition_capture_ram_view - job_acquisition_collect_raw_data_edit - job_acquisition_collect_raw_data_view - job_acquisition_download_directory_edit - job_acquisition_download_directory_view - job_acquisition_download_file_edit - job_acquisition_download_file_view - job_acquisition_network_sniffer_edit - job_acquisition_network_sniffer_view - job_acquisition_parse_filesystem_edit - job_acquisition_parse_filesystem_view - job_acquisition_process_dumper_edit - job_acquisition_process_dumper_view - job_debug_agent_diagnostic_edit - job_debug_agent_diagnostic_view - job_debug_minidump_edit - job_debug_minidump_view - job_debug_profile_memory_edit - job_debug_profile_memory_view - job_evidence_prefetch_edit - job_evidence_prefetch_view - job_info_drivers_edit - job_info_drivers_view - job_info_list_directory_contents_edit - job_info_list_directory_contents_view - job_info_network_shares_edit - job_info_network_shares_view - job_info_pip_list_edit - job_info_pip_list_view - job_info_processes_edit - job_info_processes_view - job_info_sessions_edit - job_info_sessions_view - job_info_windows_kb_edit - job_info_windows_kb_view - job_persistence_linux_persistence_edit - job_persistence_linux_persistence_view - job_persistence_registry_edit - job_persistence_registry_view - job_persistence_scheduled_tasks_edit - job_persistence_scheduled_tasks_view - job_persistence_startup_files_edit - job_persistence_startup_files_view - job_persistence_wmi_edit - job_persistence_wmi_view - job_remediation_file_deletion_edit - job_remediation_file_deletion_view - job_remediation_process_kill_edit - job_remediation_process_kill_view - job_remediation_quarantine_files_edit - job_remediation_quarantine_files_view - 
job_remediation_registry_operation_edit - job_remediation_registry_operation_view - job_remediation_scheduled_task_deletion_edit - job_remediation_scheduled_task_deletion_view - job_remediation_service_deletion_edit - job_remediation_service_deletion_view - job_scan_antivirus_scan_edit - job_scan_antivirus_scan_view - job_scan_ioc_scan_edit - job_scan_ioc_scan_view - job_scan_yara_scan_edit - job_scan_yara_scan_view - llm_chat_send_messages - llm_chat_view_messages - misc_api_documentation - misc_product_documentation - monitoring_agent_logs - monitoring_ui - protection_antivirus_edit - protection_antivirus_view - protection_device_control_edit - protection_device_control_view - protection_fim_edit - protection_fim_view - protection_firewall_edit - protection_firewall_view - remediation_isolation - remote_shell_command_cat - remote_shell_command_cd - remote_shell_command_chmod - remote_shell_command_chown - remote_shell_command_cp - remote_shell_command_env - remote_shell_command_filehash - remote_shell_command_listmount - remote_shell_command_mkdir - remote_shell_command_mv - remote_shell_command_pwd - remote_shell_command_run - remote_shell_command_set - remote_shell_command_stat - remote_shell_command_unset - remote_shell_executable_edit - remote_shell_executable_view - remote_shell_session_edit - remote_shell_session_view - threat_intelligence_edit - threat_intelligence_experimental - threat_intelligence_view - threat_intelligence_whitelist_edit - threat_intelligence_whitelist_view title: Codename type: string id: readOnly: true title: Id type: integer name: maxLength: 255 minLength: 1 title: Name type: string type: readOnly: true title: Type type: string required: - codename - name type: object PermissionUpdate: properties: codenames: items: enum: - administration_agent_installers - administration_global_settings - administration_role_edit - administration_role_view - administration_user_edit - administration_user_view - attack_surface_network_discovery_edit - 
attack_surface_network_discovery_view - attack_surface_vulnerability_edit - attack_surface_vulnerability_view - data_exploration_file_download - data_exploration_investigation_edit - data_exploration_investigation_view - data_exploration_search - data_exploration_telemetry - data_exploration_visualization - detection_sec_event_edit - detection_sec_event_view - detection_threat_edit - detection_threat_view - detection_view_experimental - endpoint_agent_lifecycle - endpoint_lifecycle - endpoint_management_edit - endpoint_management_view - endpoint_policy_edit - endpoint_policy_view - job_acquisition_capture_ram_edit - job_acquisition_capture_ram_view - job_acquisition_collect_raw_data_edit - job_acquisition_collect_raw_data_view - job_acquisition_download_directory_edit - job_acquisition_download_directory_view - job_acquisition_download_file_edit - job_acquisition_download_file_view - job_acquisition_network_sniffer_edit - job_acquisition_network_sniffer_view - job_acquisition_parse_filesystem_edit - job_acquisition_parse_filesystem_view - job_acquisition_process_dumper_edit - job_acquisition_process_dumper_view - job_debug_agent_diagnostic_edit - job_debug_agent_diagnostic_view - job_debug_minidump_edit - job_debug_minidump_view - job_debug_profile_memory_edit - job_debug_profile_memory_view - job_evidence_prefetch_edit - job_evidence_prefetch_view - job_info_drivers_edit - job_info_drivers_view - job_info_list_directory_contents_edit - job_info_list_directory_contents_view - job_info_network_shares_edit - job_info_network_shares_view - job_info_pip_list_edit - job_info_pip_list_view - job_info_processes_edit - job_info_processes_view - job_info_sessions_edit - job_info_sessions_view - job_info_windows_kb_edit - job_info_windows_kb_view - job_persistence_linux_persistence_edit - job_persistence_linux_persistence_view - job_persistence_registry_edit - job_persistence_registry_view - job_persistence_scheduled_tasks_edit - job_persistence_scheduled_tasks_view - 
job_persistence_startup_files_edit - job_persistence_startup_files_view - job_persistence_wmi_edit - job_persistence_wmi_view - job_remediation_file_deletion_edit - job_remediation_file_deletion_view - job_remediation_process_kill_edit - job_remediation_process_kill_view - job_remediation_quarantine_files_edit - job_remediation_quarantine_files_view - job_remediation_registry_operation_edit - job_remediation_registry_operation_view - job_remediation_scheduled_task_deletion_edit - job_remediation_scheduled_task_deletion_view - job_remediation_service_deletion_edit - job_remediation_service_deletion_view - job_scan_antivirus_scan_edit - job_scan_antivirus_scan_view - job_scan_ioc_scan_edit - job_scan_ioc_scan_view - job_scan_yara_scan_edit - job_scan_yara_scan_view - llm_chat_send_messages - llm_chat_view_messages - misc_api_documentation - misc_product_documentation - monitoring_agent_logs - monitoring_ui - protection_antivirus_edit - protection_antivirus_view - protection_device_control_edit - protection_device_control_view - protection_fim_edit - protection_fim_view - protection_firewall_edit - protection_firewall_view - remediation_isolation - remote_shell_command_cat - remote_shell_command_cd - remote_shell_command_chmod - remote_shell_command_chown - remote_shell_command_cp - remote_shell_command_env - remote_shell_command_filehash - remote_shell_command_listmount - remote_shell_command_mkdir - remote_shell_command_mv - remote_shell_command_pwd - remote_shell_command_run - remote_shell_command_set - remote_shell_command_stat - remote_shell_command_unset - remote_shell_executable_edit - remote_shell_executable_view - remote_shell_session_edit - remote_shell_session_view - threat_intelligence_edit - threat_intelligence_experimental - threat_intelligence_view - threat_intelligence_whitelist_edit - threat_intelligence_whitelist_view type: string type: array required: - codenames type: object Permissions: properties: action_remediation: $ref: 
'#/definitions/ActionRemediationPermissions' administration: $ref: '#/definitions/AdministrationPermissions' data_exploration: $ref: '#/definitions/DataExplorationPermissions' detection: $ref: '#/definitions/DetectionPermissions' endpoints: $ref: '#/definitions/EndpointsPermissions' llm: $ref: '#/definitions/LLMPermissions' miscellaneous: $ref: '#/definitions/MiscellaneousPermissions' protection: $ref: '#/definitions/ProtectionPermissions' remote_shell: $ref: '#/definitions/RemoteShellPermission' threat_intelligence: $ref: '#/definitions/ThreatIntelligencePermissions' required: - action_remediation - administration - data_exploration - detection - endpoints - llm - miscellaneous - protection - remote_shell - threat_intelligence type: object PersistanceFile: properties: '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/DataAgent' binaryinfo: $ref: '#/definitions/BinaryInfoWithPath' data: minLength: 1 title: Data type: string data_b64: minLength: 1 title: Data b64 type: string filepath: minLength: 1 title: Filepath type: string id: minLength: 1 title: Id type: string item_status: title: Item status type: integer job_id: minLength: 1 title: Job id type: string job_instance_action: minLength: 1 title: Job instance action type: string job_instance_id: minLength: 1 title: Job instance id type: string job_instance_task_id: title: Job instance task id type: integer md5: minLength: 1 title: Md5 type: string mode: minLength: 1 title: Mode type: string persistance_type: minLength: 1 title: Persistance type type: string sha1: minLength: 1 title: Sha1 type: string sha256: minLength: 1 title: Sha256 type: string size: title: Size type: integer tenant: minLength: 1 title: Tenant type: string required: - '@timestamp' - agent - binaryinfo - data - data_b64 - filepath - id - item_status - job_id - job_instance_action - job_instance_id - job_instance_task_id - md5 - mode - persistance_type - sha1 - sha256 - size - tenant type: object 
PersistencePermissions: properties: linux_persistence: enum: - disabled - read_only - read_write title: Linux persistence type: string registry: enum: - disabled - read_only - read_write title: Registry type: string scheduled_tasks: enum: - disabled - read_only - read_write title: Scheduled tasks type: string startup_files: enum: - disabled - read_only - read_write title: Startup files type: string wmi: enum: - disabled - read_only - read_write title: Wmi type: string required: - linux_persistence - registry - scheduled_tasks - startup_files - wmi type: object Pipe: properties: '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/DataAgent' id: minLength: 1 title: Id type: string item_status: title: Item status type: integer job_id: minLength: 1 title: Job id type: string job_instance_action: minLength: 1 title: Job instance action type: string job_instance_id: minLength: 1 title: Job instance id type: string job_instance_task_id: title: Job instance task id type: integer name: minLength: 1 title: Name type: string tenant: minLength: 1 title: Tenant type: string required: - '@timestamp' - agent - id - item_status - job_id - job_instance_action - job_instance_id - job_instance_task_id - name - tenant type: object Policy: properties: agent_auto_forget: default: false title: Agent auto forget type: boolean agent_auto_forget_max_days: default: 1 minimum: 1 title: Agent auto forget max days type: integer agent_auto_update: title: Agent auto update type: boolean agent_count: readOnly: true title: Agent count type: integer agent_ui_admin_message: title: Agent ui admin message type: string x-nullable: true agent_ui_enabled: title: Agent ui enabled type: boolean agent_ui_notification_level: maximum: 2147483647 minimum: -2147483648 title: Agent ui notification level type: integer agent_ui_notification_scope: maximum: 2147483647 minimum: -2147483648 title: Agent ui notification scope type: integer agent_upgrade_strategy: enum: - latest 
- manual - stable title: Agent upgrade strategy type: string always_go_through_proxy: title: Always go through proxy type: boolean antivirus_policy: format: uuid readOnly: true title: Antivirus policy type: string x-nullable: true antivirus_policy_name: readOnly: true title: Antivirus policy name type: string antivirus_profile: readOnly: true title: Antivirus profile type: string antivirus_profile_name: readOnly: true title: Antivirus profile name type: string audit_killswitch: title: Audit killswitch type: boolean binary_download_enabled: title: Binary download enabled type: boolean correlation_mode: maximum: 3 minimum: 0 title: Correlation mode type: integer correlation_ruleset: format: uuid title: Correlation ruleset type: string x-nullable: true description: title: Description type: string x-nullable: true device_control_policy: format: uuid readOnly: true title: Device control policy type: string x-nullable: true driverblock_mode: maximum: 3 minimum: 0 title: Driverblock mode type: integer driverblock_strategy: enum: - blocklist - heuristic title: Driverblock strategy type: string feature_callback_tampering: title: Feature callback tampering type: boolean feature_dse_tampering_mode: maximum: 2147483647 minimum: -2147483648 title: Feature dse tampering mode type: integer feature_event_stacktrace: title: Feature event stacktrace type: boolean feature_live_process_heuristics: title: Feature live process heuristics type: boolean feature_ppl_antimalware: title: Feature ppl antimalware type: boolean feature_process_tampering: title: Feature process tampering type: boolean feature_windows_filesystem_events: title: Feature windows filesystem events type: boolean fim_policy: format: uuid title: Fim policy type: string x-nullable: true firewall_policy: format: uuid readOnly: true title: Firewall policy type: string x-nullable: true hibou_minimum_level: minLength: 1 title: Hibou minimum level type: string hibou_mode: maximum: 3 minimum: 0 title: Hibou mode type: integer 
hibou_skip_signed_ms: title: Hibou skip signed ms type: boolean hibou_skip_signed_others: title: Hibou skip signed others type: boolean hlai_files_minimum_level: minLength: 1 title: Hlai files minimum level type: string hlai_files_mode: maximum: 1 minimum: 0 title: Hlai files mode type: integer hlai_minimum_level: minLength: 1 title: Hlai minimum level type: string hlai_mode: maximum: 3 minimum: 0 title: Hlai mode type: integer hlai_pdf: title: Hlai pdf type: boolean hlai_scan_libraries: title: Hlai scan libraries type: boolean hlai_scripts_minimum_level: minLength: 1 title: Hlai scripts minimum level type: string hlai_scripts_mode: maximum: 3 minimum: 0 title: Hlai scripts mode type: integer hlai_skip_signed_ms: title: Hlai skip signed ms type: boolean hlai_skip_signed_others: title: Hlai skip signed others type: boolean hlai_vba: title: Hlai vba type: boolean hlai_written_executable: title: Hlai written executable type: boolean id: minLength: 1 readOnly: true title: Id type: string ioc_mode: maximum: 3 minimum: 0 title: Ioc mode type: integer ioc_ruleset: format: uuid title: Ioc ruleset type: string x-nullable: true ioc_scan_libraries: title: Ioc scan libraries type: boolean ioc_scan_written_executable: title: Ioc scan written executable type: boolean isolation_exclusions_revision: maximum: 2147483647 minimum: 0 title: Isolation exclusions revision type: integer x-nullable: true library_download_enabled: title: Library download enabled type: boolean linux_exclusions: minimum: 0 readOnly: true title: Linux exclusions type: integer linux_paths_other_watched_globs: default: - /dev/shm/** - /home/*/* - /home/*/*/* - /root/* - /root/*/* - /tmp/** items: minLength: 1 type: string minItems: 0 type: array linux_self_protection: title: Linux self protection type: boolean linux_self_protection_feature_hosts: title: Linux self protection feature hosts type: boolean linux_startup_block: title: Linux startup block type: boolean linux_use_isolation: title: Linux use isolation 
type: boolean local_endpoint_cache_size: default: 10240 maximum: 20480 minimum: 512 title: Local endpoint cache size type: integer loglevel: enum: - CRITICAL - DEBUG - ERROR - INFO - WARNING title: Loglevel type: string macos_exclusions: minimum: 0 readOnly: true title: Macos exclusions type: integer macos_paths_muted_exact: default: - /Library/Bluetooth/com.apple.MobileBluetooth.ledevices.paired.db-wal - /dev/null - /dev/ttys001 - /private/var/root/Library/Logs/Bluetooth/bluetoothd-hci-latest.pklg items: minLength: 1 type: string minItems: 0 type: array macos_paths_muted_globs: default: [] items: minLength: 1 type: string minItems: 0 type: array macos_paths_muted_prefixes: default: - /System/Volumes/Data/.Spotlight-V100/ - /private/var/db/dslocal/nodes/Default/users/ - /private/var/folders/ - /sbin/ - /usr/libexec/ - /usr/sbin/ items: minLength: 1 type: string minItems: 0 type: array macos_paths_other_watched_exact: default: - /.ssh/authorized_keys - /etc/aliases - /etc/aliases.db - /etc/bashrc - /etc/group - /etc/hosts - /etc/krb5.keytab - /etc/localtime - /etc/mail.rc - /etc/master.passwd - /etc/networks - /etc/ntp.conf - /etc/passwd - /etc/pf.conf - /etc/pf.os - /etc/profile - /etc/protocols - /etc/resolv.conf - /etc/services - /etc/shells - /etc/sudoers - /etc/zprofile - /etc/zshrc - /etc/zshrc_Apple_Terminal - /private/var/at/at.allow - /private/var/at/at.deny - /private/var/at/cron.allow - /private/var/at/cron.deny - /var/run/utmpx items: minLength: 1 type: string minItems: 0 type: array macos_paths_other_watched_globs: default: - /Users/*/* - /Users/*/.config/* - /Users/*/.config/*/* - /Users/*/.ssh/authorized_keys - /Users/*/Library/LaunchAgents/* - /etc/cups/* - /etc/pf/anchors/* - /etc/postfix/* - /etc/rc.* - /etc/security/* - /etc/ssh/* - /etc/ssl/* items: minLength: 1 type: string minItems: 0 type: array macos_paths_other_watched_prefixes: default: - /Library/LaunchAgents/ - /Library/LaunchDaemons/ - /Library/StartupItems/ - 
/System/Library/LaunchAgents/ - /System/Library/LaunchDaemons/ - /Users/ - /etc/ - /etc/pam.d/ - /etc/sudoers.d/ - /private/var/at/tabs/ items: minLength: 1 type: string minItems: 0 type: array macos_paths_read_watched_exact: default: - /.ssh/authorized_keys - /etc/aliases - /etc/aliases.db - /etc/bashrc - /etc/group - /etc/hosts - /etc/krb5.keytab - /etc/localtime - /etc/mail.rc - /etc/master.passwd - /etc/networks - /etc/ntp.conf - /etc/passwd - /etc/pf.conf - /etc/pf.os - /etc/profile - /etc/protocols - /etc/resolv.conf - /etc/services - /etc/shells - /etc/sudoers - /etc/zprofile - /etc/zshrc - /etc/zshrc_Apple_Terminal - /private/var/at/at.allow - /private/var/at/at.deny - /private/var/at/cron.allow - /private/var/at/cron.deny - /var/run/utmpx items: minLength: 1 type: string minItems: 0 type: array macos_paths_read_watched_globs: default: - /Users/*/* - /Users/*/.config/* - /Users/*/.config/*/* - /Users/*/.ssh/authorized_keys - /Users/*/Library/LaunchAgents/* - /etc/cups/* - /etc/pf/anchors/* - /etc/postfix/* - /etc/rc.* - /etc/security/* - /etc/ssh/* - /etc/ssl/* items: minLength: 1 type: string minItems: 0 type: array macos_paths_read_watched_prefixes: default: - /Library/LaunchAgents/ - /Library/LaunchDaemons/ - /Library/StartupItems/ - /System/Library/LaunchAgents/ - /System/Library/LaunchDaemons/ - /Users/ - /etc/ - /etc/pam.d/ - /etc/sudoers.d/ - /private/var/at/tabs/ items: minLength: 1 type: string minItems: 0 type: array macos_paths_write_watched_exact: default: - /.ssh/authorized_keys - /etc/aliases - /etc/aliases.db - /etc/bashrc - /etc/group - /etc/hosts - /etc/krb5.keytab - /etc/localtime - /etc/mail.rc - /etc/master.passwd - /etc/networks - /etc/ntp.conf - /etc/passwd - /etc/pf.conf - /etc/pf.os - /etc/profile - /etc/protocols - /etc/resolv.conf - /etc/services - /etc/shells - /etc/sudoers - /etc/zprofile - /etc/zshrc - /etc/zshrc_Apple_Terminal - /private/var/at/at.allow - /private/var/at/at.deny - /private/var/at/cron.allow - 
/private/var/at/cron.deny - /var/run/utmpx items: minLength: 1 type: string minItems: 0 type: array macos_paths_write_watched_globs: default: - /Users/*/* - /Users/*/.config/* - /Users/*/.config/*/* - /Users/*/.ssh/authorized_keys - /Users/*/Library/LaunchAgents/* - /etc/cups/* - /etc/pf/anchors/* - /etc/postfix/* - /etc/rc.* - /etc/security/* - /etc/ssh/* - /etc/ssl/* items: minLength: 1 type: string minItems: 0 type: array macos_paths_write_watched_prefixes: default: - /Library/LaunchAgents/ - /Library/LaunchDaemons/ - /Library/StartupItems/ - /System/Library/LaunchAgents/ - /System/Library/LaunchDaemons/ - /Users/ - /etc/ - /etc/pam.d/ - /etc/sudoers.d/ - /private/var/at/tabs/ items: minLength: 1 type: string minItems: 0 type: array macos_use_isolation: title: Macos use isolation type: boolean name: minLength: 1 title: Name type: string network_isolation_exclusions: minimum: 0 readOnly: true title: Network isolation exclusions type: integer origin_stack: $ref: '#/definitions/OriginStack' ransomguard_auto_blacklist: title: Ransomguard auto blacklist type: boolean ransomguard_canaries_name: minLength: 1 title: Ransomguard canaries name type: string x-nullable: true ransomguard_heuristic_mode: maximum: 2147483647 minimum: -2147483648 title: Ransomguard heuristic mode type: integer ransomguard_mode: maximum: 3 minimum: 0 title: Ransomguard mode type: integer remote_shell_mode: enum: - disabled - read - read_write - read_write_execute title: Remote shell mode type: string revision: readOnly: true title: Revision type: integer self_protection: title: Self protection type: boolean self_protection_feature_hosts: title: Self protection feature hosts type: boolean self_protection_feature_safe_mode: title: Self protection feature safe mode type: boolean self_protection_firewall: title: Self protection firewall type: boolean sidewatch_mode: maximum: 3 minimum: 0 title: Sidewatch mode type: integer sigma_mode: maximum: 3 minimum: 0 title: Sigma mode type: integer 
sigma_ruleset: format: uuid title: Sigma ruleset type: string x-nullable: true sleepjitter: maximum: 2147483647 minimum: -2147483648 title: Sleepjitter type: integer sleeptime: maximum: 2147483647 minimum: -2147483648 title: Sleeptime type: integer telemetry_alerts_limit: title: Telemetry alerts limit type: boolean telemetry_alerts_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry alerts limit value type: integer x-nullable: true telemetry_amsi_dynamic_scripts_limit: title: Telemetry amsi dynamic scripts limit type: boolean telemetry_amsi_dynamic_scripts_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry amsi dynamic scripts limit value type: integer x-nullable: true telemetry_amsi_dynamic_scripts_state: enum: - disabled - live - on_alert title: Telemetry amsi dynamic scripts state type: string telemetry_amsi_other_scans_limit: title: Telemetry amsi other scans limit type: boolean telemetry_amsi_other_scans_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry amsi other scans limit value type: integer x-nullable: true telemetry_amsi_other_scans_state: enum: - disabled - live - on_alert title: Telemetry amsi other scans state type: string telemetry_authentication: title: Telemetry authentication type: boolean telemetry_authentication_limit: title: Telemetry authentication limit type: boolean telemetry_authentication_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry authentication limit value type: integer x-nullable: true telemetry_authentication_state: enum: - disabled - live - on_alert title: Telemetry authentication state type: string telemetry_dns_resolution: title: Telemetry dns resolution type: boolean telemetry_dns_resolution_limit: title: Telemetry dns resolution limit type: boolean telemetry_dns_resolution_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry dns resolution limit value type: integer x-nullable: true telemetry_dns_resolution_state: enum: - 
disabled - live - on_alert title: Telemetry dns resolution state type: string telemetry_dotnet_library_state: enum: - disabled - on_alert title: Telemetry dotnet library state type: string telemetry_driverload: title: Telemetry driverload type: boolean telemetry_driverload_limit: title: Telemetry driverload limit type: boolean telemetry_driverload_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry driverload limit value type: integer x-nullable: true telemetry_driverload_state: enum: - disabled - live - on_alert title: Telemetry driverload state type: string telemetry_file_download_limit: title: Telemetry file download limit type: boolean telemetry_file_download_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry file download limit value type: integer x-nullable: true telemetry_file_download_state: enum: - disabled - live - on_alert title: Telemetry file download state type: string telemetry_file_limit: title: Telemetry file limit type: boolean telemetry_file_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry file limit value type: integer x-nullable: true telemetry_file_state: enum: - disabled - on_alert title: Telemetry file state type: string telemetry_kube_pod_event_limit: title: Telemetry kube pod event limit type: boolean telemetry_kube_pod_event_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry kube pod event limit value type: integer x-nullable: true telemetry_kube_pod_event_state: enum: - disabled - live - on_alert title: Telemetry kube pod event state type: string telemetry_library_load_limit: title: Telemetry library load limit type: boolean telemetry_library_load_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry library load limit value type: integer x-nullable: true telemetry_library_load_state: enum: - disabled - on_alert title: Telemetry library load state type: string telemetry_log: title: Telemetry log type: boolean telemetry_log_limit: title: 
Telemetry log limit type: boolean telemetry_log_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry log limit value type: integer x-nullable: true telemetry_log_state: enum: - disabled - live - on_alert title: Telemetry log state type: string telemetry_named_pipe_limit: title: Telemetry named pipe limit type: boolean telemetry_named_pipe_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry named pipe limit value type: integer x-nullable: true telemetry_named_pipe_state: enum: - disabled - on_alert title: Telemetry named pipe state type: string telemetry_network: title: Telemetry network type: boolean telemetry_network_limit: title: Telemetry network limit type: boolean telemetry_network_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry network limit value type: integer x-nullable: true telemetry_network_listen_limit: title: Telemetry network listen limit type: boolean telemetry_network_listen_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry network listen limit value type: integer x-nullable: true telemetry_network_listen_state: enum: - disabled - on_alert title: Telemetry network listen state type: string telemetry_network_state: enum: - disabled - live - on_alert title: Telemetry network state type: string telemetry_on_alert_enabled: title: Telemetry on alert enabled type: boolean telemetry_on_alert_live_overrides: items: enum: - telemetry_file_state - telemetry_named_pipe_state - telemetry_network_listen_state - telemetry_process_access_state - telemetry_process_tamper_state - telemetry_raw_device_access_state - telemetry_raw_socket_creation_state - telemetry_registry_state - telemetry_url_request_state - telemetry_wmi_event_state type: string type: array telemetry_on_alert_post_alert_max_duration_secs: maximum: 2147483647 minimum: 0 title: Telemetry on alert post alert max duration secs type: integer telemetry_on_alert_post_alert_max_event_count: maximum: 2147483647 minimum: 0 
title: Telemetry on alert post alert max event count type: integer telemetry_on_alert_pre_alert_event_count: maximum: 2147483647 minimum: 1 title: Telemetry on alert pre alert event count type: integer telemetry_powershell: title: Telemetry powershell type: boolean telemetry_powershell_limit: title: Telemetry powershell limit type: boolean telemetry_powershell_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry powershell limit value type: integer x-nullable: true telemetry_powershell_state: enum: - disabled - live - on_alert title: Telemetry powershell state type: string telemetry_process: title: Telemetry process type: boolean telemetry_process_access_limit: title: Telemetry process access limit type: boolean telemetry_process_access_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry process access limit value type: integer x-nullable: true telemetry_process_access_state: enum: - disabled - on_alert title: Telemetry process access state type: string telemetry_process_limit: title: Telemetry process limit type: boolean telemetry_process_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry process limit value type: integer x-nullable: true telemetry_process_state: enum: - disabled - live - on_alert title: Telemetry process state type: string telemetry_process_tamper_limit: title: Telemetry process tamper limit type: boolean telemetry_process_tamper_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry process tamper limit value type: integer x-nullable: true telemetry_process_tamper_state: enum: - disabled - on_alert title: Telemetry process tamper state type: string telemetry_raw_device_access_limit: title: Telemetry raw device access limit type: boolean telemetry_raw_device_access_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry raw device access limit value type: integer x-nullable: true telemetry_raw_device_access_state: enum: - disabled - on_alert title: Telemetry 
raw device access state type: string telemetry_raw_socket_creation_limit: title: Telemetry raw socket creation limit type: boolean telemetry_raw_socket_creation_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry raw socket creation limit value type: integer x-nullable: true telemetry_raw_socket_creation_state: enum: - disabled - on_alert title: Telemetry raw socket creation state type: string telemetry_registry_limit: title: Telemetry registry limit type: boolean telemetry_registry_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry registry limit value type: integer x-nullable: true telemetry_registry_state: enum: - disabled - on_alert title: Telemetry registry state type: string telemetry_remotethread: title: Telemetry remotethread type: boolean telemetry_remotethread_limit: title: Telemetry remotethread limit type: boolean telemetry_remotethread_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry remotethread limit value type: integer x-nullable: true telemetry_remotethread_state: enum: - disabled - live - on_alert title: Telemetry remotethread state type: string telemetry_scheduled_tasks_limit: title: Telemetry scheduled tasks limit type: boolean telemetry_scheduled_tasks_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry scheduled tasks limit value type: integer x-nullable: true telemetry_scheduled_tasks_state: enum: - disabled - live - on_alert title: Telemetry scheduled tasks state type: string telemetry_service_limit: title: Telemetry service limit type: boolean telemetry_service_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry service limit value type: integer x-nullable: true telemetry_service_state: enum: - disabled - live - on_alert title: Telemetry service state type: string telemetry_url_request_limit: title: Telemetry url request limit type: boolean telemetry_url_request_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry url request 
limit value type: integer x-nullable: true telemetry_url_request_state: enum: - disabled - on_alert title: Telemetry url request state type: string telemetry_usb_activity_limit: title: Telemetry usb activity limit type: boolean telemetry_usb_activity_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry usb activity limit value type: integer x-nullable: true telemetry_usb_activity_state: enum: - disabled - live - on_alert title: Telemetry usb activity state type: string telemetry_user_group_limit: title: Telemetry user group limit type: boolean telemetry_user_group_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry user group limit value type: integer x-nullable: true telemetry_user_group_state: enum: - disabled - live - on_alert title: Telemetry user group state type: string telemetry_wmi_event_limit: title: Telemetry wmi event limit type: boolean telemetry_wmi_event_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry wmi event limit value type: integer x-nullable: true telemetry_wmi_event_state: enum: - disabled - on_alert title: Telemetry wmi event state type: string tenant: minLength: 1 readOnly: true title: Tenant type: string thread_download_enabled: title: Thread download enabled type: boolean use_driver: readOnly: true title: Use driver type: boolean use_isolation: title: Use isolation type: boolean use_process_block: readOnly: true title: Use process block type: string vulnerability_policy: format: uuid title: Vulnerability policy type: string x-nullable: true windows_eventlog_config: default: detection_events: Application|Application Error: excluded: [] included: [] Application|Application Hang: excluded: [] included: [] Application|MSSQLSERVER: excluded: [] included: - 15457 Application|Microsoft-Windows-User Profiles Service: excluded: [] included: [] Application|Microsoft-Windows-WMI: excluded: [] included: [] Application|Microsoft-Windows-Winlogon: excluded: [] included: [] 
Application|MsiInstaller: excluded: [] included: [] Application|SecurityCenter: excluded: [] included: [] Application|Windows Error Reporting: excluded: [] included: [] Application|Wow64 Emulation Layer: excluded: [] included: [] Microsoft-Windows-CodeIntegrity/Operational|Microsoft-Windows-CodeIntegrity: excluded: [] included: [] Microsoft-Windows-NTLM/Operational|Microsoft-Windows-NTLM: excluded: [] included: [] Microsoft-Windows-PowerShell/Operational|Microsoft-Windows-PowerShell: excluded: [] included: [] Microsoft-Windows-TerminalServices-LocalSessionManager/Operational|Microsoft-Windows-TerminalServices-LocalSessionManager: excluded: [] included: [] ? Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational|Microsoft-Windows-TerminalServices-RemoteConnectionManager : excluded: [] included: [] Security|Microsoft-Windows-Eventlog: excluded: [] included: [] Security|Microsoft-Windows-Security-Auditing: excluded: [] included: - 4608 - 4609 - 4610 - 4611 - 4612 - 4614 - 4615 - 4616 - 4618 - 4621 - 4622 - 4624 - 4625 - 4634 - 4647 - 4648 - 4649 - 4697 - 4698 - 4699 - 4700 - 4701 - 4702 - 4703 - 4704 - 4705 - 4706 - 4707 - 4713 - 4716 - 4717 - 4718 - 4719 - 4720 - 4722 - 4723 - 4724 - 4725 - 4726 - 4727 - 4728 - 4729 - 4730 - 4731 - 4732 - 4733 - 4734 - 4735 - 4737 - 4738 - 4739 - 4740 - 4741 - 4742 - 4743 - 4744 - 4745 - 4746 - 4747 - 4748 - 4749 - 4750 - 4751 - 4752 - 4753 - 4754 - 4755 - 4756 - 4757 - 4758 - 4759 - 4760 - 4761 - 4762 - 4764 - 4765 - 4766 - 4767 - 4768 - 4769 - 4770 - 4771 - 4772 - 4773 - 4774 - 4776 - 4777 - 4778 - 4779 - 4781 - 4793 - 4797 - 4798 - 4799 - 4800 - 4801 - 4802 - 4803 - 4820 - 4821 - 4822 - 4823 - 4824 - 4825 - 4826 - 4865 - 4866 - 4867 - 4870 - 4886 - 4887 - 4888 - 4893 - 4898 - 4902 - 4904 - 4905 - 4907 - 4931 - 4932 - 4933 - 4946 - 4948 - 4956 - 4964 - 4985 - 5024 - 5025 - 5029 - 5030 - 5033 - 5034 - 5035 - 5037 - 5059 - 5136 - 5137 - 5138 - 5139 - 5140 - 5145 - 6144 - 6145 - 6272 - 6273 - 6278 - 6416 - 6423 - 6424 
System|Microsoft Antimalware: excluded: [] included: [] System|Microsoft-Windows-Bits-Client: excluded: [] included: [] System|Microsoft-Windows-Directory-Services-SAM: excluded: [] included: [] System|Microsoft-Windows-DistributedCOM: excluded: [] included: [] System|Microsoft-Windows-Eventlog: excluded: [] included: [] System|Microsoft-Windows-GroupPolicy: excluded: [] included: [] System|Microsoft-Windows-Kernel-General: excluded: [] included: [] System|Microsoft-Windows-Kernel-Power: excluded: [] included: [] System|Microsoft-Windows-TaskScheduler: excluded: [] included: [] System|Microsoft-Windows-WER-SystemErrorReporting: excluded: [] included: [] System|Microsoft-Windows-WindowsUpdateClient: excluded: [] included: [] System|Microsoft-Windows-Wininit: excluded: [] included: [] System|Microsoft-Windows-Winlogon: excluded: [] included: [] System|Service Control Manager: excluded: [] included: [] System|User32: excluded: [] included: [] Windows Powershell|PowerShell: excluded: [] included: [] telemetry_events: Application|Application Error: excluded: [] included: [] Application|Application Hang: excluded: [] included: [] Application|MSSQLSERVER: excluded: [] included: - 15457 Application|Microsoft-Windows-User Profiles Service: excluded: [] included: [] Application|Microsoft-Windows-WMI: excluded: [] included: [] Application|Microsoft-Windows-Winlogon: excluded: [] included: [] Application|MsiInstaller: excluded: [] included: [] Application|SecurityCenter: excluded: [] included: [] Application|Windows Error Reporting: excluded: [] included: [] Application|Wow64 Emulation Layer: excluded: [] included: [] Microsoft-Windows-CodeIntegrity/Operational|Microsoft-Windows-CodeIntegrity: excluded: [] included: [] Microsoft-Windows-NTLM/Operational|Microsoft-Windows-NTLM: excluded: [] included: [] Microsoft-Windows-PowerShell/Operational|Microsoft-Windows-PowerShell: excluded: [] included: [] 
Microsoft-Windows-TerminalServices-LocalSessionManager/Operational|Microsoft-Windows-TerminalServices-LocalSessionManager: excluded: [] included: [] ? Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational|Microsoft-Windows-TerminalServices-RemoteConnectionManager : excluded: [] included: [] Security|Microsoft-Windows-Eventlog: excluded: [] included: [] Security|Microsoft-Windows-Security-Auditing: excluded: [] included: - 4608 - 4609 - 4610 - 4611 - 4612 - 4614 - 4615 - 4616 - 4618 - 4621 - 4622 - 4624 - 4625 - 4634 - 4647 - 4648 - 4649 - 4697 - 4698 - 4699 - 4700 - 4701 - 4702 - 4703 - 4704 - 4705 - 4706 - 4707 - 4713 - 4716 - 4717 - 4718 - 4719 - 4720 - 4722 - 4723 - 4724 - 4725 - 4726 - 4727 - 4728 - 4729 - 4730 - 4731 - 4732 - 4733 - 4734 - 4735 - 4737 - 4738 - 4739 - 4740 - 4741 - 4742 - 4743 - 4744 - 4745 - 4746 - 4747 - 4748 - 4749 - 4750 - 4751 - 4752 - 4753 - 4754 - 4755 - 4756 - 4757 - 4758 - 4759 - 4760 - 4761 - 4762 - 4764 - 4765 - 4766 - 4767 - 4768 - 4769 - 4770 - 4771 - 4772 - 4773 - 4774 - 4776 - 4777 - 4778 - 4779 - 4781 - 4793 - 4797 - 4798 - 4799 - 4800 - 4801 - 4802 - 4803 - 4820 - 4821 - 4822 - 4823 - 4824 - 4825 - 4826 - 4865 - 4866 - 4867 - 4870 - 4886 - 4887 - 4888 - 4893 - 4898 - 4902 - 4904 - 4905 - 4907 - 4931 - 4932 - 4933 - 4946 - 4948 - 4956 - 4964 - 4985 - 5024 - 5025 - 5029 - 5030 - 5033 - 5034 - 5035 - 5037 - 5059 - 5136 - 5137 - 5138 - 5139 - 5140 - 5145 - 6144 - 6145 - 6272 - 6273 - 6278 - 6416 - 6423 - 6424 System|Microsoft Antimalware: excluded: [] included: [] System|Microsoft-Windows-Bits-Client: excluded: [] included: [] System|Microsoft-Windows-Directory-Services-SAM: excluded: [] included: [] System|Microsoft-Windows-DistributedCOM: excluded: [] included: [] System|Microsoft-Windows-Eventlog: excluded: [] included: [] System|Microsoft-Windows-GroupPolicy: excluded: [] included: [] System|Microsoft-Windows-Kernel-General: excluded: [] included: [] System|Microsoft-Windows-Kernel-Power: excluded: [] included: 
[] System|Microsoft-Windows-TaskScheduler: excluded: [] included: [] System|Microsoft-Windows-WER-SystemErrorReporting: excluded: [] included: [] System|Microsoft-Windows-WindowsUpdateClient: excluded: [] included: [] System|Microsoft-Windows-Wininit: excluded: [] included: [] System|Microsoft-Windows-Winlogon: excluded: [] included: [] System|Service Control Manager: excluded: [] included: [] System|User32: excluded: [] included: [] Windows Powershell|PowerShell: excluded: [] included: [] description: |- Holds the dynamic subscription configuration for event logs. Stores which event ids to subscribe to, for each event log channel. properties: detection_events: additionalProperties: items: description: Lists of event ids to include and exclude for a given channel. properties: excluded: description: A list of event ids to exclude. items: type: integer type: array included: description: |- A list of event ids to include. An empty list is treated as None, which automatically subscribes to all event ids of the associated channel. items: type: integer type: array type: object type: array description: |- Event log channels and ids to subscribe to for detection only. Generated events that match this configuration will be sent to the detection engines. type: object telemetry_events: additionalProperties: items: description: Lists of event ids to include and exclude for a given channel. properties: excluded: description: A list of event ids to exclude. items: type: integer type: array included: description: |- A list of event ids to include. An empty list is treated as None, which automatically subscribes to all event ids of the associated channel. items: type: integer type: array type: object type: array description: |- Event log channels and ids to subscribe to. Generated events that match this configuration will be sent to the backend if event log telemetry is enabled. 
type: object required: - detection_events - telemetry_events title: Windows Eventlog Config type: object windows_exclusions: minimum: 0 readOnly: true title: Windows exclusions type: integer windows_read_watched_paths: default: - '*\PROGRAM FILES*' - '*\PROGRAMDATA\*' - '*\USERS\*' - '*\WINDOWS\SYSTEM32\DRIVERS\ETC\*' - '*\WINDOWS\SYSTEM32\TASKS\*' items: minLength: 1 type: string minItems: 0 type: array windows_registry_read_blacklist: default: [] items: minLength: 1 type: string minItems: 0 type: array windows_registry_read_whitelist: default: - HKLM\SAM\SAM\DOMAINS\ACCOUNT\USERS\*\* - HKLM\SECURITY\CACHE\* - HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\* - HKLM\SYSTEM\CONTROLSET???\CONTROL\LSA\DATA - HKLM\SYSTEM\CONTROLSET???\CONTROL\LSA\GBG - HKLM\SYSTEM\CONTROLSET???\CONTROL\LSA\JD - HKLM\SYSTEM\CONTROLSET???\CONTROL\LSA\SKEW1 - HKLM\SYSTEM\CONTROLSET???\SERVICES\SYSMONDRV\PARAMETERS\* - HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA\DATA - HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA\GBG - HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA\JD - HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA\SKEW1 - HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\CERTSVC\CONFIGURATION\*\POLICYMODULES\CERTIFICATEAUTHORITY_MICROSOFTDEFAULT.POLICY\EDITFLAGS - HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SYSMONDRV\PARAMETERS\* - HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\AAD\STORAGE\* - HKU\*\SOFTWARE\OPENSSH\AGENT\KEYS\* - HKU\*\SOFTWARE\ORL\WINVNC3\PASSWORD\* - HKU\*\SOFTWARE\SIMONTATHAM\* items: minLength: 1 type: string minItems: 0 type: array windows_self_protection: title: Windows self protection type: boolean windows_self_protection_feature_firewall: title: Windows self protection feature firewall type: boolean windows_self_protection_feature_hosts: title: Windows self protection feature hosts type: boolean windows_self_protection_feature_safe_mode: title: Windows self protection feature safe mode type: boolean windows_write_watched_paths: default: - '*\PROGRAM FILES*' - '*\PROGRAMDATA\*' - 
'*\USERS\*' - '*\WINDOWS\SYSTEM32\DRIVERS\ETC\*' - '*\WINDOWS\SYSTEM32\TASKS\*' items: minLength: 1 type: string minItems: 0 type: array yara_mode: maximum: 3 minimum: 0 title: Yara mode type: integer yara_ruleset: format: uuid title: Yara ruleset type: string x-nullable: true yara_scan_libraries_load: title: Yara scan libraries load type: boolean yara_scan_written_executable: title: Yara scan written executable type: boolean yara_scan_written_files: title: Yara scan written files type: boolean yara_skip_signed_ms: title: Yara skip signed ms type: boolean yara_skip_signed_others: title: Yara skip signed others type: boolean required: - name type: object PolicyAgentDetails: properties: agent_auto_forget: default: false title: Agent auto forget type: boolean agent_auto_forget_max_days: default: 1 minimum: 1 title: Agent auto forget max days type: integer agent_auto_update: title: Agent auto update type: boolean agent_count: readOnly: true title: Agent count type: integer agent_ui_admin_message: title: Agent ui admin message type: string x-nullable: true agent_ui_enabled: title: Agent ui enabled type: boolean agent_ui_notification_level: maximum: 2147483647 minimum: -2147483648 title: Agent ui notification level type: integer agent_ui_notification_scope: maximum: 2147483647 minimum: -2147483648 title: Agent ui notification scope type: integer agent_upgrade_strategy: enum: - latest - manual - stable title: Agent upgrade strategy type: string always_go_through_proxy: title: Always go through proxy type: boolean antivirus_policy: format: uuid readOnly: true title: Antivirus policy type: string x-nullable: true antivirus_policy_name: readOnly: true title: Antivirus policy name type: string antivirus_profile: readOnly: true title: Antivirus profile type: string antivirus_profile_name: readOnly: true title: Antivirus profile name type: string audit_killswitch: title: Audit killswitch type: boolean binary_download_enabled: title: Binary download enabled type: boolean 
correlation_mode: maximum: 3 minimum: 0 title: Correlation mode type: integer correlation_ruleset: format: uuid title: Correlation ruleset type: string x-nullable: true description: title: Description type: string x-nullable: true device_control_policy: format: uuid readOnly: true title: Device control policy type: string x-nullable: true disabled_telemetry_count: readOnly: true title: Disabled telemetry count type: integer driverblock_mode: maximum: 3 minimum: 0 title: Driverblock mode type: integer driverblock_strategy: enum: - blocklist - heuristic title: Driverblock strategy type: string feature_callback_tampering: title: Feature callback tampering type: boolean feature_dse_tampering_mode: maximum: 2147483647 minimum: -2147483648 title: Feature dse tampering mode type: integer feature_event_stacktrace: title: Feature event stacktrace type: boolean feature_live_process_heuristics: title: Feature live process heuristics type: boolean feature_ppl_antimalware: title: Feature ppl antimalware type: boolean feature_process_tampering: title: Feature process tampering type: boolean feature_windows_filesystem_events: title: Feature windows filesystem events type: boolean fim_policy: format: uuid title: Fim policy type: string x-nullable: true firewall_policy: format: uuid readOnly: true title: Firewall policy type: string x-nullable: true hibou_minimum_level: minLength: 1 title: Hibou minimum level type: string hibou_mode: maximum: 3 minimum: 0 title: Hibou mode type: integer hibou_skip_signed_ms: title: Hibou skip signed ms type: boolean hibou_skip_signed_others: title: Hibou skip signed others type: boolean hlai_files_minimum_level: minLength: 1 title: Hlai files minimum level type: string hlai_files_mode: maximum: 1 minimum: 0 title: Hlai files mode type: integer hlai_minimum_level: minLength: 1 title: Hlai minimum level type: string hlai_mode: maximum: 3 minimum: 0 title: Hlai mode type: integer hlai_pdf: title: Hlai pdf type: boolean hlai_scan_libraries: title: Hlai 
scan libraries type: boolean hlai_scripts_minimum_level: minLength: 1 title: Hlai scripts minimum level type: string hlai_scripts_mode: maximum: 3 minimum: 0 title: Hlai scripts mode type: integer hlai_skip_signed_ms: title: Hlai skip signed ms type: boolean hlai_skip_signed_others: title: Hlai skip signed others type: boolean hlai_vba: title: Hlai vba type: boolean hlai_written_executable: title: Hlai written executable type: boolean id: minLength: 1 readOnly: true title: Id type: string ioc_mode: maximum: 3 minimum: 0 title: Ioc mode type: integer ioc_ruleset: format: uuid title: Ioc ruleset type: string x-nullable: true ioc_scan_libraries: title: Ioc scan libraries type: boolean ioc_scan_written_executable: title: Ioc scan written executable type: boolean isolation_exclusions_revision: maximum: 2147483647 minimum: 0 title: Isolation exclusions revision type: integer x-nullable: true library_download_enabled: title: Library download enabled type: boolean linux_exclusions: minimum: 0 readOnly: true title: Linux exclusions type: integer linux_self_protection: title: Linux self protection type: boolean linux_self_protection_feature_hosts: title: Linux self protection feature hosts type: boolean linux_startup_block: title: Linux startup block type: boolean linux_use_isolation: title: Linux use isolation type: boolean live_telemetry_count: readOnly: true title: Live telemetry count type: integer local_endpoint_cache_size: default: 10240 maximum: 20480 minimum: 512 title: Local endpoint cache size type: integer loglevel: enum: - CRITICAL - DEBUG - ERROR - INFO - WARNING title: Loglevel type: string macos_exclusions: minimum: 0 readOnly: true title: Macos exclusions type: integer macos_use_isolation: title: Macos use isolation type: boolean name: minLength: 1 title: Name type: string network_isolation_exclusions: minimum: 0 readOnly: true title: Network isolation exclusions type: integer on_alert_telemetry_count: readOnly: true title: On alert telemetry count type: 
integer origin_stack: $ref: '#/definitions/OriginStack' ransomguard_auto_blacklist: title: Ransomguard auto blacklist type: boolean ransomguard_canaries_name: minLength: 1 title: Ransomguard canaries name type: string x-nullable: true ransomguard_heuristic_mode: maximum: 2147483647 minimum: -2147483648 title: Ransomguard heuristic mode type: integer ransomguard_mode: maximum: 3 minimum: 0 title: Ransomguard mode type: integer remote_shell_mode: enum: - disabled - read - read_write - read_write_execute title: Remote shell mode type: string revision: readOnly: true title: Revision type: integer self_protection: title: Self protection type: boolean self_protection_feature_hosts: title: Self protection feature hosts type: boolean self_protection_feature_safe_mode: title: Self protection feature safe mode type: boolean self_protection_firewall: title: Self protection firewall type: boolean sidewatch_mode: maximum: 3 minimum: 0 title: Sidewatch mode type: integer sigma_mode: maximum: 3 minimum: 0 title: Sigma mode type: integer sigma_ruleset: format: uuid title: Sigma ruleset type: string x-nullable: true sleepjitter: maximum: 2147483647 minimum: -2147483648 title: Sleepjitter type: integer sleeptime: maximum: 2147483647 minimum: -2147483648 title: Sleeptime type: integer telemetry_alerts_limit: title: Telemetry alerts limit type: boolean telemetry_alerts_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry alerts limit value type: integer x-nullable: true telemetry_amsi_dynamic_scripts_limit: title: Telemetry amsi dynamic scripts limit type: boolean telemetry_amsi_dynamic_scripts_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry amsi dynamic scripts limit value type: integer x-nullable: true telemetry_amsi_dynamic_scripts_state: enum: - disabled - live - on_alert title: Telemetry amsi dynamic scripts state type: string telemetry_amsi_other_scans_limit: title: Telemetry amsi other scans limit type: boolean 
telemetry_amsi_other_scans_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry amsi other scans limit value type: integer x-nullable: true telemetry_amsi_other_scans_state: enum: - disabled - live - on_alert title: Telemetry amsi other scans state type: string telemetry_authentication: title: Telemetry authentication type: boolean telemetry_authentication_limit: title: Telemetry authentication limit type: boolean telemetry_authentication_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry authentication limit value type: integer x-nullable: true telemetry_authentication_state: enum: - disabled - live - on_alert title: Telemetry authentication state type: string telemetry_dns_resolution: title: Telemetry dns resolution type: boolean telemetry_dns_resolution_limit: title: Telemetry dns resolution limit type: boolean telemetry_dns_resolution_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry dns resolution limit value type: integer x-nullable: true telemetry_dns_resolution_state: enum: - disabled - live - on_alert title: Telemetry dns resolution state type: string telemetry_dotnet_library_state: enum: - disabled - on_alert title: Telemetry dotnet library state type: string telemetry_driverload: title: Telemetry driverload type: boolean telemetry_driverload_limit: title: Telemetry driverload limit type: boolean telemetry_driverload_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry driverload limit value type: integer x-nullable: true telemetry_driverload_state: enum: - disabled - live - on_alert title: Telemetry driverload state type: string telemetry_file_download_limit: title: Telemetry file download limit type: boolean telemetry_file_download_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry file download limit value type: integer x-nullable: true telemetry_file_download_state: enum: - disabled - live - on_alert title: Telemetry file download state type: string 
telemetry_file_limit: title: Telemetry file limit type: boolean telemetry_file_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry file limit value type: integer x-nullable: true telemetry_file_state: enum: - disabled - on_alert title: Telemetry file state type: string telemetry_kube_pod_event_limit: title: Telemetry kube pod event limit type: boolean telemetry_kube_pod_event_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry kube pod event limit value type: integer x-nullable: true telemetry_kube_pod_event_state: enum: - disabled - live - on_alert title: Telemetry kube pod event state type: string telemetry_library_load_limit: title: Telemetry library load limit type: boolean telemetry_library_load_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry library load limit value type: integer x-nullable: true telemetry_library_load_state: enum: - disabled - on_alert title: Telemetry library load state type: string telemetry_log: title: Telemetry log type: boolean telemetry_log_limit: title: Telemetry log limit type: boolean telemetry_log_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry log limit value type: integer x-nullable: true telemetry_log_state: enum: - disabled - live - on_alert title: Telemetry log state type: string telemetry_named_pipe_limit: title: Telemetry named pipe limit type: boolean telemetry_named_pipe_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry named pipe limit value type: integer x-nullable: true telemetry_named_pipe_state: enum: - disabled - on_alert title: Telemetry named pipe state type: string telemetry_network: title: Telemetry network type: boolean telemetry_network_limit: title: Telemetry network limit type: boolean telemetry_network_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry network limit value type: integer x-nullable: true telemetry_network_listen_limit: title: Telemetry network listen limit type: boolean 
telemetry_network_listen_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry network listen limit value type: integer x-nullable: true telemetry_network_listen_state: enum: - disabled - on_alert title: Telemetry network listen state type: string telemetry_network_state: enum: - disabled - live - on_alert title: Telemetry network state type: string telemetry_on_alert_enabled: title: Telemetry on alert enabled type: boolean telemetry_on_alert_live_overrides: items: enum: - telemetry_file_state - telemetry_named_pipe_state - telemetry_network_listen_state - telemetry_process_access_state - telemetry_process_tamper_state - telemetry_raw_device_access_state - telemetry_raw_socket_creation_state - telemetry_registry_state - telemetry_url_request_state - telemetry_wmi_event_state type: string type: array telemetry_on_alert_post_alert_max_duration_secs: maximum: 2147483647 minimum: 0 title: Telemetry on alert post alert max duration secs type: integer telemetry_on_alert_post_alert_max_event_count: maximum: 2147483647 minimum: 0 title: Telemetry on alert post alert max event count type: integer telemetry_on_alert_pre_alert_event_count: maximum: 2147483647 minimum: 1 title: Telemetry on alert pre alert event count type: integer telemetry_powershell: title: Telemetry powershell type: boolean telemetry_powershell_limit: title: Telemetry powershell limit type: boolean telemetry_powershell_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry powershell limit value type: integer x-nullable: true telemetry_powershell_state: enum: - disabled - live - on_alert title: Telemetry powershell state type: string telemetry_process: title: Telemetry process type: boolean telemetry_process_access_limit: title: Telemetry process access limit type: boolean telemetry_process_access_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry process access limit value type: integer x-nullable: true telemetry_process_access_state: enum: - disabled - 
on_alert title: Telemetry process access state type: string telemetry_process_limit: title: Telemetry process limit type: boolean telemetry_process_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry process limit value type: integer x-nullable: true telemetry_process_state: enum: - disabled - live - on_alert title: Telemetry process state type: string telemetry_process_tamper_limit: title: Telemetry process tamper limit type: boolean telemetry_process_tamper_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry process tamper limit value type: integer x-nullable: true telemetry_process_tamper_state: enum: - disabled - on_alert title: Telemetry process tamper state type: string telemetry_raw_device_access_limit: title: Telemetry raw device access limit type: boolean telemetry_raw_device_access_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry raw device access limit value type: integer x-nullable: true telemetry_raw_device_access_state: enum: - disabled - on_alert title: Telemetry raw device access state type: string telemetry_raw_socket_creation_limit: title: Telemetry raw socket creation limit type: boolean telemetry_raw_socket_creation_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry raw socket creation limit value type: integer x-nullable: true telemetry_raw_socket_creation_state: enum: - disabled - on_alert title: Telemetry raw socket creation state type: string telemetry_registry_limit: title: Telemetry registry limit type: boolean telemetry_registry_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry registry limit value type: integer x-nullable: true telemetry_registry_state: enum: - disabled - on_alert title: Telemetry registry state type: string telemetry_remotethread: title: Telemetry remotethread type: boolean telemetry_remotethread_limit: title: Telemetry remotethread limit type: boolean telemetry_remotethread_limit_value: maximum: 2147483647 minimum: 
-2147483648 title: Telemetry remotethread limit value type: integer x-nullable: true telemetry_remotethread_state: enum: - disabled - live - on_alert title: Telemetry remotethread state type: string telemetry_scheduled_tasks_limit: title: Telemetry scheduled tasks limit type: boolean telemetry_scheduled_tasks_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry scheduled tasks limit value type: integer x-nullable: true telemetry_scheduled_tasks_state: enum: - disabled - live - on_alert title: Telemetry scheduled tasks state type: string telemetry_service_limit: title: Telemetry service limit type: boolean telemetry_service_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry service limit value type: integer x-nullable: true telemetry_service_state: enum: - disabled - live - on_alert title: Telemetry service state type: string telemetry_url_request_limit: title: Telemetry url request limit type: boolean telemetry_url_request_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry url request limit value type: integer x-nullable: true telemetry_url_request_state: enum: - disabled - on_alert title: Telemetry url request state type: string telemetry_usb_activity_limit: title: Telemetry usb activity limit type: boolean telemetry_usb_activity_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry usb activity limit value type: integer x-nullable: true telemetry_usb_activity_state: enum: - disabled - live - on_alert title: Telemetry usb activity state type: string telemetry_user_group_limit: title: Telemetry user group limit type: boolean telemetry_user_group_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry user group limit value type: integer x-nullable: true telemetry_user_group_state: enum: - disabled - live - on_alert title: Telemetry user group state type: string telemetry_wmi_event_limit: title: Telemetry wmi event limit type: boolean telemetry_wmi_event_limit_value: maximum: 
2147483647 minimum: -2147483648 title: Telemetry wmi event limit value type: integer x-nullable: true telemetry_wmi_event_state: enum: - disabled - on_alert title: Telemetry wmi event state type: string tenant: minLength: 1 readOnly: true title: Tenant type: string thread_download_enabled: title: Thread download enabled type: boolean use_driver: readOnly: true title: Use driver type: boolean use_isolation: title: Use isolation type: boolean use_process_block: readOnly: true title: Use process block type: string vulnerability_policy: format: uuid title: Vulnerability policy type: string x-nullable: true windows_exclusions: minimum: 0 readOnly: true title: Windows exclusions type: integer windows_self_protection: title: Windows self protection type: boolean windows_self_protection_feature_firewall: title: Windows self protection feature firewall type: boolean windows_self_protection_feature_hosts: title: Windows self protection feature hosts type: boolean windows_self_protection_feature_safe_mode: title: Windows self protection feature safe mode type: boolean yara_mode: maximum: 3 minimum: 0 title: Yara mode type: integer yara_ruleset: format: uuid title: Yara ruleset type: string x-nullable: true yara_scan_libraries_load: title: Yara scan libraries load type: boolean yara_scan_written_executable: title: Yara scan written executable type: boolean yara_scan_written_files: title: Yara scan written files type: boolean yara_skip_signed_ms: title: Yara skip signed ms type: boolean yara_skip_signed_others: title: Yara skip signed others type: boolean required: - name type: object PolicyAutomation: properties: comment: minLength: 1 title: Comment type: string group_ids: minLength: 1 title: Group ids type: string hash: minLength: 1 title: Hash type: string id: minLength: 1 title: Id type: string last_modifier_id: title: Last modifier id type: integer last_update: format: date-time title: Last update type: string policy_id: format: uuid title: Policy id type: string priority: 
title: Priority type: integer rules: items: $ref: '#/definitions/PolicyAutomationRule' type: array required: - comment - group_ids - hash - id - last_modifier_id - last_update - policy_id - priority - rules type: object PolicyAutomationRule: properties: case_insensitive: title: Case insensitive type: boolean field: minLength: 1 title: Field type: string operator: minLength: 1 title: Operator type: string value: minLength: 1 title: Value type: string required: - case_insensitive - field - operator - value type: object PolicyLight: properties: agent_auto_forget: default: false title: Agent auto forget type: boolean agent_auto_forget_max_days: default: 1 minimum: 1 title: Agent auto forget max days type: integer agent_auto_update: title: Agent auto update type: boolean agent_count: readOnly: true title: Agent count type: integer agent_ui_admin_message: title: Agent ui admin message type: string x-nullable: true agent_ui_enabled: title: Agent ui enabled type: boolean agent_ui_notification_level: maximum: 2147483647 minimum: -2147483648 title: Agent ui notification level type: integer agent_ui_notification_scope: maximum: 2147483647 minimum: -2147483648 title: Agent ui notification scope type: integer agent_upgrade_strategy: enum: - latest - manual - stable title: Agent upgrade strategy type: string always_go_through_proxy: title: Always go through proxy type: boolean antivirus_policy: format: uuid readOnly: true title: Antivirus policy type: string x-nullable: true antivirus_policy_name: readOnly: true title: Antivirus policy name type: string antivirus_profile: readOnly: true title: Antivirus profile type: string antivirus_profile_name: readOnly: true title: Antivirus profile name type: string audit_killswitch: title: Audit killswitch type: boolean binary_download_enabled: title: Binary download enabled type: boolean correlation_mode: maximum: 3 minimum: 0 title: Correlation mode type: integer correlation_ruleset: format: uuid title: Correlation ruleset type: string 
x-nullable: true description: title: Description type: string x-nullable: true device_control_policy: format: uuid readOnly: true title: Device control policy type: string x-nullable: true driverblock_mode: maximum: 3 minimum: 0 title: Driverblock mode type: integer driverblock_strategy: enum: - blocklist - heuristic title: Driverblock strategy type: string feature_callback_tampering: title: Feature callback tampering type: boolean feature_dse_tampering_mode: maximum: 2147483647 minimum: -2147483648 title: Feature dse tampering mode type: integer feature_event_stacktrace: title: Feature event stacktrace type: boolean feature_live_process_heuristics: title: Feature live process heuristics type: boolean feature_ppl_antimalware: title: Feature ppl antimalware type: boolean feature_process_tampering: title: Feature process tampering type: boolean feature_windows_filesystem_events: title: Feature windows filesystem events type: boolean fim_policy: format: uuid title: Fim policy type: string x-nullable: true firewall_policy: format: uuid readOnly: true title: Firewall policy type: string x-nullable: true hibou_minimum_level: minLength: 1 title: Hibou minimum level type: string hibou_mode: maximum: 3 minimum: 0 title: Hibou mode type: integer hibou_skip_signed_ms: title: Hibou skip signed ms type: boolean hibou_skip_signed_others: title: Hibou skip signed others type: boolean hlai_files_minimum_level: minLength: 1 title: Hlai files minimum level type: string hlai_files_mode: maximum: 1 minimum: 0 title: Hlai files mode type: integer hlai_minimum_level: minLength: 1 title: Hlai minimum level type: string hlai_mode: maximum: 3 minimum: 0 title: Hlai mode type: integer hlai_pdf: title: Hlai pdf type: boolean hlai_scan_libraries: title: Hlai scan libraries type: boolean hlai_scripts_minimum_level: minLength: 1 title: Hlai scripts minimum level type: string hlai_scripts_mode: maximum: 3 minimum: 0 title: Hlai scripts mode type: integer hlai_skip_signed_ms: title: Hlai skip 
signed ms type: boolean hlai_skip_signed_others: title: Hlai skip signed others type: boolean hlai_vba: title: Hlai vba type: boolean hlai_written_executable: title: Hlai written executable type: boolean id: minLength: 1 readOnly: true title: Id type: string ioc_mode: maximum: 3 minimum: 0 title: Ioc mode type: integer ioc_ruleset: format: uuid title: Ioc ruleset type: string x-nullable: true ioc_scan_libraries: title: Ioc scan libraries type: boolean ioc_scan_written_executable: title: Ioc scan written executable type: boolean isolation_exclusions_revision: maximum: 2147483647 minimum: 0 title: Isolation exclusions revision type: integer x-nullable: true library_download_enabled: title: Library download enabled type: boolean linux_exclusions: minimum: 0 readOnly: true title: Linux exclusions type: integer linux_self_protection: title: Linux self protection type: boolean linux_self_protection_feature_hosts: title: Linux self protection feature hosts type: boolean linux_startup_block: title: Linux startup block type: boolean linux_use_isolation: title: Linux use isolation type: boolean local_endpoint_cache_size: default: 10240 maximum: 20480 minimum: 512 title: Local endpoint cache size type: integer loglevel: enum: - CRITICAL - DEBUG - ERROR - INFO - WARNING title: Loglevel type: string macos_exclusions: minimum: 0 readOnly: true title: Macos exclusions type: integer macos_use_isolation: title: Macos use isolation type: boolean name: minLength: 1 title: Name type: string network_isolation_exclusions: minimum: 0 readOnly: true title: Network isolation exclusions type: integer origin_stack: $ref: '#/definitions/OriginStack' ransomguard_auto_blacklist: title: Ransomguard auto blacklist type: boolean ransomguard_canaries_name: minLength: 1 title: Ransomguard canaries name type: string x-nullable: true ransomguard_heuristic_mode: maximum: 2147483647 minimum: -2147483648 title: Ransomguard heuristic mode type: integer ransomguard_mode: maximum: 3 minimum: 0 title: 
Ransomguard mode type: integer remote_shell_mode: enum: - disabled - read - read_write - read_write_execute title: Remote shell mode type: string revision: readOnly: true title: Revision type: integer self_protection: title: Self protection type: boolean self_protection_feature_hosts: title: Self protection feature hosts type: boolean self_protection_feature_safe_mode: title: Self protection feature safe mode type: boolean self_protection_firewall: title: Self protection firewall type: boolean sidewatch_mode: maximum: 3 minimum: 0 title: Sidewatch mode type: integer sigma_mode: maximum: 3 minimum: 0 title: Sigma mode type: integer sigma_ruleset: format: uuid title: Sigma ruleset type: string x-nullable: true sleepjitter: maximum: 2147483647 minimum: -2147483648 title: Sleepjitter type: integer sleeptime: maximum: 2147483647 minimum: -2147483648 title: Sleeptime type: integer telemetry_alerts_limit: title: Telemetry alerts limit type: boolean telemetry_alerts_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry alerts limit value type: integer x-nullable: true telemetry_amsi_dynamic_scripts_limit: title: Telemetry amsi dynamic scripts limit type: boolean telemetry_amsi_dynamic_scripts_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry amsi dynamic scripts limit value type: integer x-nullable: true telemetry_amsi_dynamic_scripts_state: enum: - disabled - live - on_alert title: Telemetry amsi dynamic scripts state type: string telemetry_amsi_other_scans_limit: title: Telemetry amsi other scans limit type: boolean telemetry_amsi_other_scans_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry amsi other scans limit value type: integer x-nullable: true telemetry_amsi_other_scans_state: enum: - disabled - live - on_alert title: Telemetry amsi other scans state type: string telemetry_authentication: title: Telemetry authentication type: boolean telemetry_authentication_limit: title: Telemetry authentication limit 
type: boolean telemetry_authentication_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry authentication limit value type: integer x-nullable: true telemetry_authentication_state: enum: - disabled - live - on_alert title: Telemetry authentication state type: string telemetry_dns_resolution: title: Telemetry dns resolution type: boolean telemetry_dns_resolution_limit: title: Telemetry dns resolution limit type: boolean telemetry_dns_resolution_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry dns resolution limit value type: integer x-nullable: true telemetry_dns_resolution_state: enum: - disabled - live - on_alert title: Telemetry dns resolution state type: string telemetry_dotnet_library_state: enum: - disabled - on_alert title: Telemetry dotnet library state type: string telemetry_driverload: title: Telemetry driverload type: boolean telemetry_driverload_limit: title: Telemetry driverload limit type: boolean telemetry_driverload_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry driverload limit value type: integer x-nullable: true telemetry_driverload_state: enum: - disabled - live - on_alert title: Telemetry driverload state type: string telemetry_file_download_limit: title: Telemetry file download limit type: boolean telemetry_file_download_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry file download limit value type: integer x-nullable: true telemetry_file_download_state: enum: - disabled - live - on_alert title: Telemetry file download state type: string telemetry_file_limit: title: Telemetry file limit type: boolean telemetry_file_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry file limit value type: integer x-nullable: true telemetry_file_state: enum: - disabled - on_alert title: Telemetry file state type: string telemetry_kube_pod_event_limit: title: Telemetry kube pod event limit type: boolean telemetry_kube_pod_event_limit_value: maximum: 
2147483647 minimum: -2147483648 title: Telemetry kube pod event limit value type: integer x-nullable: true telemetry_kube_pod_event_state: enum: - disabled - live - on_alert title: Telemetry kube pod event state type: string telemetry_library_load_limit: title: Telemetry library load limit type: boolean telemetry_library_load_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry library load limit value type: integer x-nullable: true telemetry_library_load_state: enum: - disabled - on_alert title: Telemetry library load state type: string telemetry_log: title: Telemetry log type: boolean telemetry_log_limit: title: Telemetry log limit type: boolean telemetry_log_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry log limit value type: integer x-nullable: true telemetry_log_state: enum: - disabled - live - on_alert title: Telemetry log state type: string telemetry_named_pipe_limit: title: Telemetry named pipe limit type: boolean telemetry_named_pipe_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry named pipe limit value type: integer x-nullable: true telemetry_named_pipe_state: enum: - disabled - on_alert title: Telemetry named pipe state type: string telemetry_network: title: Telemetry network type: boolean telemetry_network_limit: title: Telemetry network limit type: boolean telemetry_network_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry network limit value type: integer x-nullable: true telemetry_network_listen_limit: title: Telemetry network listen limit type: boolean telemetry_network_listen_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry network listen limit value type: integer x-nullable: true telemetry_network_listen_state: enum: - disabled - on_alert title: Telemetry network listen state type: string telemetry_network_state: enum: - disabled - live - on_alert title: Telemetry network state type: string telemetry_on_alert_enabled: title: Telemetry on 
alert enabled type: boolean telemetry_on_alert_live_overrides: items: enum: - telemetry_file_state - telemetry_named_pipe_state - telemetry_network_listen_state - telemetry_process_access_state - telemetry_process_tamper_state - telemetry_raw_device_access_state - telemetry_raw_socket_creation_state - telemetry_registry_state - telemetry_url_request_state - telemetry_wmi_event_state type: string type: array telemetry_on_alert_post_alert_max_duration_secs: maximum: 2147483647 minimum: 0 title: Telemetry on alert post alert max duration secs type: integer telemetry_on_alert_post_alert_max_event_count: maximum: 2147483647 minimum: 0 title: Telemetry on alert post alert max event count type: integer telemetry_on_alert_pre_alert_event_count: maximum: 2147483647 minimum: 1 title: Telemetry on alert pre alert event count type: integer telemetry_powershell: title: Telemetry powershell type: boolean telemetry_powershell_limit: title: Telemetry powershell limit type: boolean telemetry_powershell_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry powershell limit value type: integer x-nullable: true telemetry_powershell_state: enum: - disabled - live - on_alert title: Telemetry powershell state type: string telemetry_process: title: Telemetry process type: boolean telemetry_process_access_limit: title: Telemetry process access limit type: boolean telemetry_process_access_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry process access limit value type: integer x-nullable: true telemetry_process_access_state: enum: - disabled - on_alert title: Telemetry process access state type: string telemetry_process_limit: title: Telemetry process limit type: boolean telemetry_process_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry process limit value type: integer x-nullable: true telemetry_process_state: enum: - disabled - live - on_alert title: Telemetry process state type: string telemetry_process_tamper_limit: title: 
Telemetry process tamper limit type: boolean telemetry_process_tamper_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry process tamper limit value type: integer x-nullable: true telemetry_process_tamper_state: enum: - disabled - on_alert title: Telemetry process tamper state type: string telemetry_raw_device_access_limit: title: Telemetry raw device access limit type: boolean telemetry_raw_device_access_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry raw device access limit value type: integer x-nullable: true telemetry_raw_device_access_state: enum: - disabled - on_alert title: Telemetry raw device access state type: string telemetry_raw_socket_creation_limit: title: Telemetry raw socket creation limit type: boolean telemetry_raw_socket_creation_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry raw socket creation limit value type: integer x-nullable: true telemetry_raw_socket_creation_state: enum: - disabled - on_alert title: Telemetry raw socket creation state type: string telemetry_registry_limit: title: Telemetry registry limit type: boolean telemetry_registry_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry registry limit value type: integer x-nullable: true telemetry_registry_state: enum: - disabled - on_alert title: Telemetry registry state type: string telemetry_remotethread: title: Telemetry remotethread type: boolean telemetry_remotethread_limit: title: Telemetry remotethread limit type: boolean telemetry_remotethread_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry remotethread limit value type: integer x-nullable: true telemetry_remotethread_state: enum: - disabled - live - on_alert title: Telemetry remotethread state type: string telemetry_scheduled_tasks_limit: title: Telemetry scheduled tasks limit type: boolean telemetry_scheduled_tasks_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry scheduled tasks limit value type: 
integer x-nullable: true telemetry_scheduled_tasks_state: enum: - disabled - live - on_alert title: Telemetry scheduled tasks state type: string telemetry_service_limit: title: Telemetry service limit type: boolean telemetry_service_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry service limit value type: integer x-nullable: true telemetry_service_state: enum: - disabled - live - on_alert title: Telemetry service state type: string telemetry_url_request_limit: title: Telemetry url request limit type: boolean telemetry_url_request_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry url request limit value type: integer x-nullable: true telemetry_url_request_state: enum: - disabled - on_alert title: Telemetry url request state type: string telemetry_usb_activity_limit: title: Telemetry usb activity limit type: boolean telemetry_usb_activity_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry usb activity limit value type: integer x-nullable: true telemetry_usb_activity_state: enum: - disabled - live - on_alert title: Telemetry usb activity state type: string telemetry_user_group_limit: title: Telemetry user group limit type: boolean telemetry_user_group_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry user group limit value type: integer x-nullable: true telemetry_user_group_state: enum: - disabled - live - on_alert title: Telemetry user group state type: string telemetry_wmi_event_limit: title: Telemetry wmi event limit type: boolean telemetry_wmi_event_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry wmi event limit value type: integer x-nullable: true telemetry_wmi_event_state: enum: - disabled - on_alert title: Telemetry wmi event state type: string tenant: minLength: 1 readOnly: true title: Tenant type: string thread_download_enabled: title: Thread download enabled type: boolean use_driver: readOnly: true title: Use driver type: boolean use_isolation: title: 
Use isolation type: boolean use_process_block: readOnly: true title: Use process block type: string vulnerability_policy: format: uuid title: Vulnerability policy type: string x-nullable: true windows_exclusions: minimum: 0 readOnly: true title: Windows exclusions type: integer windows_self_protection: title: Windows self protection type: boolean windows_self_protection_feature_firewall: title: Windows self protection feature firewall type: boolean windows_self_protection_feature_hosts: title: Windows self protection feature hosts type: boolean windows_self_protection_feature_safe_mode: title: Windows self protection feature safe mode type: boolean yara_mode: maximum: 3 minimum: 0 title: Yara mode type: integer yara_ruleset: format: uuid title: Yara ruleset type: string x-nullable: true yara_scan_libraries_load: title: Yara scan libraries load type: boolean yara_scan_written_executable: title: Yara scan written executable type: boolean yara_scan_written_files: title: Yara scan written files type: boolean yara_skip_signed_ms: title: Yara skip signed ms type: boolean yara_skip_signed_others: title: Yara skip signed others type: boolean required: - name type: object PolicyName: properties: name: minLength: 1 title: Name type: string type: object PolicySet: properties: agent_count: readOnly: true title: Agent count type: integer agent_policy_id: minLength: 1 title: Agent policy id type: string agent_policy_name: minLength: 1 readOnly: true title: Agent policy name type: string antivirus_policy_id: minLength: 1 title: Antivirus policy id type: string x-nullable: true antivirus_policy_name: minLength: 1 readOnly: true title: Antivirus policy name type: string x-nullable: true creation_date: format: date-time readOnly: true title: Creation date type: string creator: title: Creator type: integer x-nullable: true custom: readOnly: true title: Custom type: boolean description: title: Description type: string x-nullable: true device_control_policy_id: minLength: 1 title: 
Device control policy id type: string x-nullable: true device_control_policy_name: minLength: 1 readOnly: true title: Device control policy name type: string x-nullable: true fim_policy_id: minLength: 1 title: Fim policy id type: string x-nullable: true fim_policy_name: minLength: 1 readOnly: true title: Fim policy name type: string x-nullable: true firewall_policy_id: minLength: 1 title: Firewall policy id type: string x-nullable: true firewall_policy_name: minLength: 1 readOnly: true title: Firewall policy name type: string x-nullable: true id: format: uuid readOnly: true title: Id type: string last_modifier: title: Last modifier type: integer x-nullable: true last_update: format: date-time readOnly: true title: Last update type: string name: maxLength: 256 minLength: 1 title: Name type: string origin_stack: $ref: '#/definitions/OriginStack' revision: readOnly: true title: Revision type: integer tenant: minLength: 1 readOnly: true title: Tenant type: string vulnerability_policy_id: minLength: 1 title: Vulnerability policy id type: string x-nullable: true vulnerability_policy_name: minLength: 1 readOnly: true title: Vulnerability policy name type: string x-nullable: true required: - agent_policy_id - antivirus_policy_id - device_control_policy_id - fim_policy_id - firewall_policy_id - name - vulnerability_policy_id type: object PolicySetCreate: properties: agent_policy_id: minLength: 1 title: Agent policy id type: string antivirus_policy_id: format: uuid title: Antivirus policy id type: string x-nullable: true creation_date: format: date-time readOnly: true title: Creation date type: string creator: title: Creator type: integer x-nullable: true description: title: Description type: string x-nullable: true device_control_policy_id: format: uuid title: Device control policy id type: string x-nullable: true fim_policy_id: format: uuid title: Fim policy id type: string x-nullable: true firewall_policy_id: format: uuid title: Firewall policy id type: string x-nullable: 
true id: format: uuid title: Id type: string last_modifier: title: Last modifier type: integer x-nullable: true last_update: format: date-time readOnly: true title: Last update type: string name: maxLength: 256 minLength: 1 title: Name type: string parent_policy_set_id: format: uuid title: Parent policy set id type: string x-nullable: true revision: maximum: 2147483647 minimum: -2147483648 title: Revision type: integer vulnerability_policy_id: format: uuid title: Vulnerability policy id type: string x-nullable: true required: - agent_policy_id - name type: object PolicySetLight: properties: agent_policy_id: minLength: 1 title: Agent policy id type: string antivirus_policy_id: minLength: 1 title: Antivirus policy id type: string x-nullable: true creation_date: format: date-time readOnly: true title: Creation date type: string creator: title: Creator type: integer x-nullable: true description: title: Description type: string x-nullable: true device_control_policy_id: minLength: 1 title: Device control policy id type: string x-nullable: true fim_policy_id: minLength: 1 title: Fim policy id type: string x-nullable: true firewall_policy_id: minLength: 1 title: Firewall policy id type: string x-nullable: true id: format: uuid readOnly: true title: Id type: string last_modifier: title: Last modifier type: integer x-nullable: true last_update: format: date-time readOnly: true title: Last update type: string name: maxLength: 256 minLength: 1 title: Name type: string origin_stack: $ref: '#/definitions/OriginStack' parent_policy_set_id: format: uuid title: Parent policy set id type: string x-nullable: true revision: readOnly: true title: Revision type: integer tenant: minLength: 1 readOnly: true title: Tenant type: string vulnerability_policy_id: minLength: 1 title: Vulnerability policy id type: string x-nullable: true required: - agent_policy_id - antivirus_policy_id - device_control_policy_id - fim_policy_id - firewall_policy_id - name - vulnerability_policy_id type: object 
x-nullable: true PolicySetName: properties: name: minLength: 1 title: Name type: string type: object PolicySetPolicies: properties: agent_policy: $ref: '#/definitions/PolicySetPolicyIdAndName' antivirus_policy: $ref: '#/definitions/PolicySetPolicyIdAndName' creation_date: format: date-time readOnly: true title: Creation date type: string creator: title: Creator type: integer x-nullable: true description: title: Description type: string x-nullable: true device_control_policy: $ref: '#/definitions/PolicySetPolicyIdAndName' fim_policy: $ref: '#/definitions/PolicySetPolicyIdAndName' firewall_policy: $ref: '#/definitions/PolicySetPolicyIdAndName' id: format: uuid title: Id type: string last_modifier: title: Last modifier type: integer x-nullable: true last_update: format: date-time readOnly: true title: Last update type: string name: maxLength: 256 minLength: 1 title: Name type: string parent_policy_set_id: format: uuid title: Parent policy set id type: string x-nullable: true revision: maximum: 2147483647 minimum: -2147483648 title: Revision type: integer vulnerability_policy: $ref: '#/definitions/PolicySetPolicyIdAndName' required: - name type: object x-nullable: true PolicySetPolicyIdAndName: properties: id: minLength: 1 title: Id type: string name: minLength: 1 title: Name type: string required: - id - name type: object PolicySetRetrieve: properties: agent_count: readOnly: true title: Agent count type: integer agent_policy: $ref: '#/definitions/PolicySetPolicyIdAndName' agent_policy_id: minLength: 1 title: Agent policy id type: string agent_policy_name: minLength: 1 readOnly: true title: Agent policy name type: string antivirus_policy: $ref: '#/definitions/PolicySetPolicyIdAndName' antivirus_policy_id: minLength: 1 title: Antivirus policy id type: string x-nullable: true antivirus_policy_name: minLength: 1 readOnly: true title: Antivirus policy name type: string x-nullable: true creation_date: format: date-time readOnly: true title: Creation date type: string 
creator: title: Creator type: integer x-nullable: true custom: readOnly: true title: Custom type: boolean description: title: Description type: string x-nullable: true device_control_policy: $ref: '#/definitions/PolicySetPolicyIdAndName' device_control_policy_id: minLength: 1 title: Device control policy id type: string x-nullable: true device_control_policy_name: minLength: 1 readOnly: true title: Device control policy name type: string x-nullable: true fim_policy: $ref: '#/definitions/PolicySetPolicyIdAndName' fim_policy_id: minLength: 1 title: Fim policy id type: string x-nullable: true fim_policy_name: minLength: 1 readOnly: true title: Fim policy name type: string x-nullable: true firewall_policy: $ref: '#/definitions/PolicySetPolicyIdAndName' firewall_policy_id: minLength: 1 title: Firewall policy id type: string x-nullable: true firewall_policy_name: minLength: 1 readOnly: true title: Firewall policy name type: string x-nullable: true id: format: uuid title: Id type: string last_modifier: title: Last modifier type: integer x-nullable: true last_update: format: date-time readOnly: true title: Last update type: string name: maxLength: 256 minLength: 1 title: Name type: string origin_stack: $ref: '#/definitions/OriginStack' origin_stack_id: maxLength: 64 minLength: 1 title: Origin stack id type: string x-nullable: true parent_policy_set: $ref: '#/definitions/PolicySetPolicies' parent_policy_set_id: format: uuid title: Parent policy set id type: string x-nullable: true revision: maximum: 2147483647 minimum: -2147483648 title: Revision type: integer synchronization_status: format: uuid title: Synchronization status type: string x-nullable: true tenant: minLength: 1 readOnly: true title: Tenant type: string vulnerability_policy: $ref: '#/definitions/PolicySetPolicyIdAndName' vulnerability_policy_id: minLength: 1 title: Vulnerability policy id type: string x-nullable: true vulnerability_policy_name: minLength: 1 readOnly: true title: Vulnerability policy name type: 
string x-nullable: true required: - agent_policy_id - antivirus_policy_id - device_control_policy_id - fim_policy_id - firewall_policy_id - name - vulnerability_policy_id type: object PolicyUpdateData: properties: is_guard: title: Is guard type: boolean is_scout: title: Is scout type: boolean policy_id: minLength: 1 title: Policy id type: string policy_name: minLength: 1 title: Policy name type: string policy_revision: title: Policy revision type: integer type: object Powershell: properties: '@event_create_date': format: date-time title: '@event create date' type: string '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/InnerAgent' groups: $ref: '#/definitions/InnerGroup' id: minLength: 1 title: Id type: string incomplete: title: Incomplete type: boolean log_type: minLength: 1 title: Log type type: string origin_stack: $ref: '#/definitions/OriginStack' pid: title: Pid type: integer process_image_path: minLength: 1 title: Process image path type: string process_unique_id: minLength: 1 title: Process unique id type: string script_block: minLength: 1 title: Script block type: string script_path: minLength: 1 title: Script path type: string sha256: minLength: 1 title: Sha256 type: string signature_info: $ref: '#/definitions/SignatureInfo' signed: title: Signed type: boolean tenant: minLength: 1 title: Tenant type: string required: - '@event_create_date' - '@timestamp' - agent - groups - id - incomplete - log_type - pid - process_image_path - process_unique_id - script_block - script_path - sha256 - signature_info - signed - tenant type: object Prefetch: properties: '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/DataAgent' directories: minLength: 1 title: Directories type: string executable_name: minLength: 1 title: Executable name type: string filename: minLength: 1 title: Filename type: string filepath: minLength: 1 title: Filepath type: string id: minLength: 1 title: Id type: 
string item_status: title: Item status type: integer job_id: minLength: 1 title: Job id type: string job_instance_action: minLength: 1 title: Job instance action type: string job_instance_id: minLength: 1 title: Job instance id type: string job_instance_task_id: title: Job instance task id type: integer last_executed: format: date-time title: Last executed type: string resources: minLength: 1 title: Resources type: string run_count: title: Run count type: integer tenant: minLength: 1 title: Tenant type: string required: - '@timestamp' - agent - directories - executable_name - filename - filepath - id - item_status - job_id - job_instance_action - job_instance_id - job_instance_task_id - last_executed - resources - run_count - tenant type: object Process: properties: '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/DataAgent' binaryinfo: $ref: '#/definitions/BinaryInfoWithPath' cmdline: minLength: 1 title: Cmdline type: string connections: $ref: '#/definitions/Connection' cpu_percent: title: Cpu percent type: number create_time: format: date-time title: Create time type: string critical: title: Critical type: boolean exe: minLength: 1 title: Exe type: string fd: $ref: '#/definitions/FileDescriptor' handles: $ref: '#/definitions/Handle' hashes_requested: title: Hashes requested type: boolean id: minLength: 1 title: Id type: string integrity_level: minLength: 1 title: Integrity level type: string iskernel: title: Iskernel type: boolean item_status: title: Item status type: integer job_id: minLength: 1 title: Job id type: string job_instance_action: minLength: 1 title: Job instance action type: string job_instance_id: minLength: 1 title: Job instance id type: string job_instance_task_id: title: Job instance task id type: integer maybe_hollow: title: Maybe hollow type: boolean mem_private_bytes: title: Mem private bytes type: integer mem_working_set: title: Mem working set type: integer modules: $ref: '#/definitions/Module' 
name: minLength: 1 title: Name type: string pid: title: Pid type: integer ppid: title: Ppid type: integer process_bits: title: Process bits type: integer session: title: Session type: integer signature_requested: title: Signature requested type: boolean status: minLength: 1 title: Status type: string suspicious: title: Suspicious type: boolean tenant: minLength: 1 title: Tenant type: string threads: $ref: '#/definitions/Thread' username: minLength: 1 title: Username type: string required: - '@timestamp' - agent - binaryinfo - cmdline - connections - cpu_percent - create_time - critical - exe - fd - handles - hashes_requested - id - integrity_level - iskernel - item_status - job_id - job_instance_action - job_instance_id - job_instance_task_id - maybe_hollow - mem_private_bytes - mem_working_set - modules - name - pid - ppid - process_bits - session - signature_requested - status - suspicious - tenant - threads - username type: object ProcessAccess: properties: '@event_create_date': format: date-time title: '@event create date' type: string '@timestamp': format: date-time title: '@timestamp' type: string access: title: Access type: integer access_str: minLength: 1 title: Access str type: string agent: $ref: '#/definitions/InnerAgent' event_id: title: Event id type: integer groups: $ref: '#/definitions/InnerGroup' hash: title: Hash type: integer id: minLength: 1 title: Id type: string log_type: minLength: 1 title: Log type type: string origin_stack: $ref: '#/definitions/OriginStack' source_image: minLength: 1 title: Source image type: string source_process_unique_id: minLength: 1 title: Source process unique id type: string source_tid: title: Source tid type: integer stacktrace: minLength: 1 title: Stacktrace type: string stacktrace_full: minLength: 1 title: Stacktrace full type: string stacktrace_minimal: minLength: 1 title: Stacktrace minimal type: string target_image: minLength: 1 title: Target image type: string target_process_unique_id: minLength: 1 title: 
Target process unique id type: string tenant: minLength: 1 title: Tenant type: string utc_time: format: date-time title: Utc time type: string required: - '@event_create_date' - '@timestamp' - access - access_str - agent - event_id - groups - hash - id - log_type - source_image - source_process_unique_id - source_tid - stacktrace - stacktrace_full - stacktrace_minimal - target_image - target_process_unique_id - tenant - utc_time type: object ProcessRedaction: properties: id: minLength: 1 title: Id type: string process_name: minLength: 1 title: Process name type: string regex: minLength: 1 title: Regex type: string required: - id - process_name - regex type: object ProcessTamper: properties: '@event_create_date': format: date-time title: '@event create date' type: string '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/InnerAgent' event_id: title: Event id type: integer groups: $ref: '#/definitions/InnerGroup' id: minLength: 1 title: Id type: string image_base_address: title: Image base address type: integer image_name: minLength: 1 title: Image name type: string log_type: minLength: 1 title: Log type type: string origin_stack: $ref: '#/definitions/OriginStack' pid: title: Pid type: integer process_entrypoint_file: minLength: 1 title: Process entrypoint file type: string process_entrypoint_memory: minLength: 1 title: Process entrypoint memory type: string process_header_file: minLength: 1 title: Process header file type: string process_header_memory: minLength: 1 title: Process header memory type: string tamper_flag: title: Tamper flag type: integer tamper_flag_as_str: minLength: 1 title: Tamper flag as str type: string target_process_unique_id: minLength: 1 title: Target process unique id type: string tenant: minLength: 1 title: Tenant type: string utc_time: format: date-time title: Utc time type: string required: - '@event_create_date' - '@timestamp' - agent - event_id - groups - id - image_base_address - image_name - 
log_type - pid - process_entrypoint_file - process_entrypoint_memory - process_header_file - process_header_memory - tamper_flag - tamper_flag_as_str - target_process_unique_id - tenant - utc_time type: object Processes: properties: auto_download_new_files: default: false title: Auto download new files type: boolean getConnectionsList: title: Getconnectionslist type: boolean getHandlesList: title: Gethandleslist type: boolean getSignaturesInfo: title: Getsignaturesinfo type: boolean maxsize_files_download: default: 104857600 minimum: 0 title: Maxsize files download type: integer required: - getConnectionsList - getHandlesList - getSignaturesInfo type: object ProcessesGraph: properties: calc_time: title: Calc time type: number current_process_id: minLength: 1 title: Current process id type: string edges: items: $ref: '#/definitions/Edges' type: array missing_processes: additionalProperties: $ref: '#/definitions/MissingProcess' title: Missing processes type: object nodes: items: $ref: '#/definitions/Node' type: array processes: additionalProperties: $ref: '#/definitions/DocProcessesSerializer' title: Processes type: object required: - calc_time - current_process_id - edges - missing_processes - nodes - processes type: object ProfileIdList: properties: all: default: false title: All type: boolean profile_ids: items: format: uuid type: string type: array type: object ProfileToNetwork: properties: id: format: uuid title: Id type: string network: $ref: '#/definitions/DetailFirewallNetwork' profile: $ref: '#/definitions/FirewallProfile' required: - network - profile type: object ProfileToNetworkId: properties: network_id: format: uuid title: Network id type: string profile_id: format: uuid title: Profile id type: string required: - network_id - profile_id type: object x-nullable: true ProtectionPermissions: properties: antivirus: enum: - disabled - read_only - read_write title: Antivirus type: string device_control: enum: - disabled - read_only - read_write title: Device 
control type: string file_integrity_monitoring: enum: - disabled - read_only - read_write title: File integrity monitoring type: string firewall: enum: - disabled - read_only - read_write title: Firewall type: string required: - antivirus - device_control - file_integrity_monitoring - firewall type: object QuarantineActionHistory: properties: action: enum: - Acquire - Add - Delete - Restore title: Action type: string action_result: enum: - Failed - Success - Unknown title: Action result type: string action_result_message: title: Action result message type: string x-nullable: true action_result_reason: title: Action result reason type: string x-nullable: true action_uid: format: uuid title: Action uid type: string agent: $ref: '#/definitions/QuarantinedAgent' comment: title: Comment type: string x-nullable: true date: format: date-time title: Date type: string error_message: title: Error message type: string x-nullable: true file_hash: title: File hash type: string x-nullable: true file_path: title: File path type: string x-nullable: true file_uid: format: uuid title: File uid type: string x-nullable: true id: format: uuid title: Id type: string job_instance_number: maximum: 2147483647 minimum: -2147483648 title: Job instance number type: integer x-nullable: true job_uid: format: uuid title: Job uid type: string x-nullable: true type: enum: - automatic - manual - unknown title: Type type: string required: - action - action_uid - agent - date - id type: object QuarantinedAgent: properties: hostname: minLength: 1 readOnly: true title: Hostname type: string x-nullable: true id: format: uuid readOnly: true title: Id type: string osproducttype: minLength: 1 readOnly: true title: Osproducttype type: string x-nullable: true ostype: minLength: 1 readOnly: true title: Ostype type: string x-nullable: true type: object QuarantinedFile: properties: path: minLength: 1 title: Path type: string status: title: Status type: integer required: - path - status type: object 
QuarantinedItem: properties: acl: title: Acl type: string x-nullable: true acquired: title: Acquired type: boolean agent: $ref: '#/definitions/QuarantinedAgent' comment: title: Comment type: string x-nullable: true date: format: date-time title: Date type: string x-nullable: true download_jobinstance: $ref: '#/definitions/StatusJobInstance' full_security_descriptor: title: Full security descriptor type: string x-nullable: true group_id: maximum: 2147483647 minimum: -2147483648 title: Group id type: integer x-nullable: true id: format: uuid title: Id type: string item_md5: maxLength: 2048 minLength: 1 title: Item md5 type: string x-nullable: true item_sha1: maxLength: 2048 minLength: 1 title: Item sha1 type: string x-nullable: true item_sha256: maxLength: 2048 minLength: 1 title: Item sha256 type: string x-nullable: true item_sha512: maxLength: 2048 minLength: 1 title: Item sha512 type: string x-nullable: true local_id: format: uuid title: Local id type: string mode: maxLength: 2048 minLength: 1 title: Mode type: string x-nullable: true new_file_path: minLength: 1 title: New file path type: string original_file_path: minLength: 1 title: Original file path type: string original_file_size: maximum: 2147483647 minimum: -2147483648 title: Original file size type: integer x-nullable: true status_jobinstance: $ref: '#/definitions/StatusJobInstance' type: enum: - automatic - manual - unknown title: Type type: string user_id: maximum: 2147483647 minimum: -2147483648 title: User id type: integer x-nullable: true user_sid: title: User sid type: string x-nullable: true required: - agent - download_jobinstance - id - new_file_path - original_file_path - status_jobinstance type: object QueryUnapplyRetroactively: properties: id: format: uuid title: Id type: string revision: maximum: 2147483647 minimum: -2147483648 title: Revision type: integer required: - id - revision type: object QuickFixEngineering: properties: '@timestamp': format: date-time title: '@timestamp' type: string 
agent: $ref: '#/definitions/DataAgent' caption: minLength: 1 title: Caption type: string csname: minLength: 1 title: Csname type: string description: minLength: 1 title: Description type: string fixcomments: minLength: 1 title: Fixcomments type: string hotfixid: minLength: 1 title: Hotfixid type: string id: minLength: 1 title: Id type: string installdate: minLength: 1 title: Installdate type: string installedby: minLength: 1 title: Installedby type: string installedon: minLength: 1 title: Installedon type: string item_status: title: Item status type: integer job_id: minLength: 1 title: Job id type: string job_instance_action: minLength: 1 title: Job instance action type: string job_instance_id: minLength: 1 title: Job instance id type: string job_instance_task_id: title: Job instance task id type: integer name: minLength: 1 title: Name type: string servicepackineffect: minLength: 1 title: Servicepackineffect type: string tenant: minLength: 1 title: Tenant type: string required: - '@timestamp' - agent - caption - csname - description - fixcomments - hotfixid - id - installdate - installedby - installedon - item_status - job_id - job_instance_action - job_instance_id - job_instance_task_id - name - servicepackineffect - tenant type: object Ransomguard: properties: alert_level: default: critical enum: - critical - high - informational - low - medium title: Alert level type: string type: object RansomguardCanaryData: properties: canary_destination_path: minLength: 1 title: Canary destination path type: string canary_path: minLength: 1 title: Canary path type: string required: - canary_destination_path - canary_path type: object RansomguardHeuristic: properties: ransomguard_heur_deleter_delete_weight: minimum: 0 title: Ransomguard heur deleter delete weight type: integer x-nullable: true ransomguard_heur_deleter_high_entropy_weight: minimum: 0 title: Ransomguard heur deleter high entropy weight type: integer x-nullable: true 
ransomguard_heur_deleter_matched_pairs_weight: minimum: 0 title: Ransomguard heur deleter matched pairs weight type: integer x-nullable: true ransomguard_heur_deleter_max_renamed: minimum: 0 title: Ransomguard heur deleter max renamed type: integer x-nullable: true ransomguard_heur_deleter_max_renamed_from: minimum: 0 title: Ransomguard heur deleter max renamed from type: integer x-nullable: true ransomguard_heur_deleter_max_renamed_to: minimum: 0 title: Ransomguard heur deleter max renamed to type: integer x-nullable: true ransomguard_heur_deleter_max_suspicious_entropy_write_count: minimum: 0 title: Ransomguard heur deleter max suspicious entropy write count type: integer x-nullable: true ransomguard_heur_deleter_max_write_extension: minimum: 0 title: Ransomguard heur deleter max write extension type: integer x-nullable: true ransomguard_heur_deleter_min_delete_sec: minimum: 0 title: Ransomguard heur deleter min delete sec type: integer x-nullable: true ransomguard_heur_deleter_min_high_entropy_write: minimum: 0 title: Ransomguard heur deleter min high entropy write type: integer x-nullable: true ransomguard_heur_deleter_min_matched_pairs: minimum: 0 title: Ransomguard heur deleter min matched pairs type: integer x-nullable: true ransomguard_heur_deleter_min_read_extension: minimum: 0 title: Ransomguard heur deleter min read extension type: integer x-nullable: true ransomguard_heur_deleter_min_read_sec: minimum: 0 title: Ransomguard heur deleter min read sec type: integer x-nullable: true ransomguard_heur_deleter_min_read_write_ratio: minimum: 0 title: Ransomguard heur deleter min read write ratio type: integer x-nullable: true ransomguard_heur_deleter_min_read_write_ratio_weight: minimum: 0 title: Ransomguard heur deleter min read write ratio weight type: integer x-nullable: true ransomguard_heur_deleter_min_write_read_ratio: minimum: 0 title: Ransomguard heur deleter min write read ratio type: integer x-nullable: true 
ransomguard_heur_deleter_min_write_read_ratio_weight: minimum: 0 title: Ransomguard heur deleter min write read ratio weight type: integer x-nullable: true ransomguard_heur_deleter_min_write_sec: minimum: 0 title: Ransomguard heur deleter min write sec type: integer x-nullable: true ransomguard_heur_deleter_read_weight: minimum: 0 title: Ransomguard heur deleter read weight type: integer x-nullable: true ransomguard_heur_deleter_threshold: minimum: 0 title: Ransomguard heur deleter threshold type: integer x-nullable: true ransomguard_heur_deleter_write_weight: minimum: 0 title: Ransomguard heur deleter write weight type: integer x-nullable: true ransomguard_heur_min_high_entropy_operations: minimum: 0 title: Ransomguard heur min high entropy operations type: integer x-nullable: true ransomguard_heur_overwriter_delete_weight: minimum: 0 title: Ransomguard heur overwriter delete weight type: integer x-nullable: true ransomguard_heur_overwriter_high_entropy_weight: minimum: 0 title: Ransomguard heur overwriter high entropy weight type: integer x-nullable: true ransomguard_heur_overwriter_max_delete_sec: minimum: 0 title: Ransomguard heur overwriter max delete sec type: integer x-nullable: true ransomguard_heur_overwriter_min_high_entropy_write: minimum: 0 title: Ransomguard heur overwriter min high entropy write type: integer x-nullable: true ransomguard_heur_overwriter_min_overwrite: minimum: 0 title: Ransomguard heur overwriter min overwrite type: integer x-nullable: true ransomguard_heur_overwriter_min_overwrite_with_wrong_header: minimum: 0 title: Ransomguard heur overwriter min overwrite with wrong header type: integer x-nullable: true ransomguard_heur_overwriter_min_rename_check_imbalance: minimum: 0 title: Ransomguard heur overwriter min rename check imbalance type: integer x-nullable: true ransomguard_heur_overwriter_min_rename_from_to_ratio: minimum: 0 title: Ransomguard heur overwriter min rename from to ratio type: integer x-nullable: true 
ransomguard_heur_overwriter_min_rename_sec: minimum: 0 title: Ransomguard heur overwriter min rename sec type: integer x-nullable: true ransomguard_heur_overwriter_min_rename_to_from_ratio: minimum: 0 title: Ransomguard heur overwriter min rename to from ratio type: integer x-nullable: true ransomguard_heur_overwriter_min_suspicious_high_entropy_write: minimum: 0 title: Ransomguard heur overwriter min suspicious high entropy write type: integer x-nullable: true ransomguard_heur_overwriter_overwrite_weight: minimum: 0 title: Ransomguard heur overwriter overwrite weight type: integer x-nullable: true ransomguard_heur_overwriter_rename_from_to_ratio_weight: minimum: 0 title: Ransomguard heur overwriter rename from to ratio weight type: integer x-nullable: true ransomguard_heur_overwriter_rename_to_from_ratio_weight: minimum: 0 title: Ransomguard heur overwriter rename to from ratio weight type: integer x-nullable: true ransomguard_heur_overwriter_rename_weight: minimum: 0 title: Ransomguard heur overwriter rename weight type: integer x-nullable: true ransomguard_heur_overwriter_suspicious_high_entropy_weight: minimum: 0 title: Ransomguard heur overwriter suspicious high entropy weight type: integer x-nullable: true ransomguard_heur_overwriter_threshold: minimum: 0 title: Ransomguard heur overwriter threshold type: integer x-nullable: true ransomguard_heur_overwriter_wrong_header_weight: minimum: 0 title: Ransomguard heur overwriter wrong header weight type: integer x-nullable: true type: object RansomguardHeuristicConfig: properties: deleter_delete_weight: title: Deleter delete weight type: integer deleter_high_entropy_weight: title: Deleter high entropy weight type: integer deleter_matched_pairs_weight: title: Deleter matched pairs weight type: integer deleter_max_renamed: title: Deleter max renamed type: integer deleter_max_renamed_from: title: Deleter max renamed from type: integer deleter_max_renamed_to: title: Deleter max renamed to type: integer 
deleter_max_suspicious_entropy_write_count: title: Deleter max suspicious entropy write count type: integer deleter_max_write_extension: title: Deleter max write extension type: integer deleter_min_delete_sec: title: Deleter min delete sec type: integer deleter_min_high_entropy_write: title: Deleter min high entropy write type: integer deleter_min_matched_pairs: title: Deleter min matched pairs type: integer deleter_min_read_extension: title: Deleter min read extension type: integer deleter_min_read_sec: title: Deleter min read sec type: integer deleter_min_read_write_ratio: title: Deleter min read write ratio type: integer deleter_min_read_write_ratio_weight: title: Deleter min read write ratio weight type: integer deleter_min_write_read_ratio: title: Deleter min write read ratio type: integer deleter_min_write_read_ratio_weight: title: Deleter min write read ratio weight type: integer deleter_min_write_sec: title: Deleter min write sec type: integer deleter_read_weight: title: Deleter read weight type: integer deleter_threshold: title: Deleter threshold type: integer deleter_write_weight: title: Deleter write weight type: integer min_high_entropy_operations: title: Min high entropy operations type: integer overwriter_delete_weight: title: Overwriter delete weight type: integer overwriter_high_entropy_weight: title: Overwriter high entropy weight type: integer overwriter_max_delete_sec: title: Overwriter max delete sec type: integer overwriter_min_high_entropy_write: title: Overwriter min high entropy write type: integer overwriter_min_overwrite: title: Overwriter min overwrite type: integer overwriter_min_overwrite_with_wrong_header: title: Overwriter min overwrite with wrong header type: integer overwriter_min_rename_check_imbalance: title: Overwriter min rename check imbalance type: integer overwriter_min_rename_from_to_ratio: title: Overwriter min rename from to ratio type: integer overwriter_min_rename_sec: title: Overwriter min rename sec type: integer 
overwriter_min_rename_to_from_ratio: title: Overwriter min rename to from ratio type: integer overwriter_min_suspicious_high_entropy_write: title: Overwriter min suspicious high entropy write type: integer overwriter_overwrite_weight: title: Overwriter overwrite weight type: integer overwriter_rename_from_to_ratio_weight: title: Overwriter rename from to ratio weight type: integer overwriter_rename_to_from_ratio_weight: title: Overwriter rename to from ratio weight type: integer overwriter_rename_weight: title: Overwriter rename weight type: integer overwriter_suspicious_high_entropy_weight: title: Overwriter suspicious high entropy weight type: integer overwriter_threshold: title: Overwriter threshold type: integer overwriter_wrong_header_weight: title: Overwriter wrong header weight type: integer required: - deleter_delete_weight - deleter_high_entropy_weight - deleter_matched_pairs_weight - deleter_max_renamed - deleter_max_renamed_from - deleter_max_renamed_to - deleter_max_suspicious_entropy_write_count - deleter_max_write_extension - deleter_min_delete_sec - deleter_min_high_entropy_write - deleter_min_matched_pairs - deleter_min_read_extension - deleter_min_read_sec - deleter_min_read_write_ratio - deleter_min_read_write_ratio_weight - deleter_min_write_read_ratio - deleter_min_write_read_ratio_weight - deleter_min_write_sec - deleter_read_weight - deleter_threshold - deleter_write_weight - min_high_entropy_operations - overwriter_delete_weight - overwriter_high_entropy_weight - overwriter_max_delete_sec - overwriter_min_high_entropy_write - overwriter_min_overwrite - overwriter_min_overwrite_with_wrong_header - overwriter_min_rename_check_imbalance - overwriter_min_rename_from_to_ratio - overwriter_min_rename_sec - overwriter_min_rename_to_from_ratio - overwriter_min_suspicious_high_entropy_write - overwriter_overwrite_weight - overwriter_rename_from_to_ratio_weight - overwriter_rename_to_from_ratio_weight - overwriter_rename_weight - 
overwriter_suspicious_high_entropy_weight - overwriter_threshold - overwriter_wrong_header_weight type: object RansomguardHeuristicData: properties: config: $ref: '#/definitions/RansomguardHeuristicConfig' report: $ref: '#/definitions/RansomguardHeuristicReport' required: - config - report type: object RansomguardHeuristicReport: properties: windows_create_delete_pairs_count: title: Windows create delete pairs count type: integer windows_delete_time_queue: title: Windows delete time queue type: integer windows_extension_read_set_count: title: Windows extension read set count type: integer windows_extension_rename_from_set_count: title: Windows extension rename from set count type: integer windows_extension_rename_to_set_count: title: Windows extension rename to set count type: integer windows_extension_write_set_count: title: Windows extension write set count type: integer windows_file_wrong_header_count: title: Windows file wrong header count type: integer windows_high_entropy_write_count: title: Windows high entropy write count type: integer windows_overwrite_count: title: Windows overwrite count type: integer windows_read_time_queue: title: Windows read time queue type: integer windows_renamed_time_queue: title: Windows renamed time queue type: integer windows_suspicious_high_entropy_write_count: title: Windows suspicious high entropy write count type: integer windows_write_time_queue: title: Windows write time queue type: integer required: - windows_create_delete_pairs_count - windows_delete_time_queue - windows_extension_read_set_count - windows_extension_rename_from_set_count - windows_extension_rename_to_set_count - windows_extension_write_set_count - windows_file_wrong_header_count - windows_high_entropy_write_count - windows_overwrite_count - windows_read_time_queue - windows_renamed_time_queue - windows_suspicious_high_entropy_write_count - windows_write_time_queue type: object RawDeviceAccess: properties: '@event_create_date': format: date-time title: 
'@event create date' type: string '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/InnerAgent' desired_access: title: Desired access type: integer desired_access_str: minLength: 1 title: Desired access str type: string device_name: minLength: 1 title: Device name type: string event_id: title: Event id type: integer groups: $ref: '#/definitions/InnerGroup' id: minLength: 1 title: Id type: string image_name: minLength: 1 title: Image name type: string log_type: minLength: 1 title: Log type type: string origin_stack: $ref: '#/definitions/OriginStack' pid: title: Pid type: integer process_unique_id: minLength: 1 title: Process unique id type: string stacktrace: minLength: 1 title: Stacktrace type: string stacktrace_minimal: minLength: 1 title: Stacktrace minimal type: string tenant: minLength: 1 title: Tenant type: string utc_time: format: date-time title: Utc time type: string required: - '@event_create_date' - '@timestamp' - agent - desired_access - desired_access_str - device_name - event_id - groups - id - image_name - log_type - pid - process_unique_id - stacktrace - stacktrace_minimal - tenant - utc_time type: object RawSocketCreation: properties: '@event_create_date': format: date-time title: '@event create date' type: string '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/InnerAgent' family: title: Family type: integer groups: $ref: '#/definitions/InnerGroup' id: minLength: 1 title: Id type: string log_type: minLength: 1 title: Log type type: string origin_stack: $ref: '#/definitions/OriginStack' pid: title: Pid type: integer process_image_path: minLength: 1 title: Process image path type: string process_unique_id: minLength: 1 title: Process unique id type: string protocol: title: Protocol type: integer sock_type: title: Sock type type: integer tenant: minLength: 1 title: Tenant type: string utc_time: format: date-time title: Utc time type: string required: - 
'@event_create_date' - '@timestamp' - agent - family - groups - id - log_type - pid - process_image_path - process_unique_id - protocol - sock_type - tenant - utc_time type: object ReducedAgent: properties: hostname: minLength: 1 title: Hostname type: string id: minLength: 1 title: Id type: string required: - hostname - id type: object Registry: properties: '@event_create_date': format: date-time title: '@event create date' type: string '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/InnerAgent' data_string_added: items: minLength: 1 type: string type: array data_string_removed: items: minLength: 1 type: string type: array details: minLength: 1 title: Details type: string event_id: title: Event id type: integer event_type: minLength: 1 title: Event type type: string groups: $ref: '#/definitions/InnerGroup' hive_path: minLength: 1 title: Hive path type: string id: minLength: 1 title: Id type: string log_type: minLength: 1 title: Log type type: string new_name: minLength: 1 title: New name type: string origin_stack: $ref: '#/definitions/OriginStack' pid: title: Pid type: integer previous_details: minLength: 1 title: Previous details type: string process_image_path: minLength: 1 title: Process image path type: string process_unique_id: minLength: 1 title: Process unique id type: string registry_value_type: minLength: 1 title: Registry value type type: string stacktrace: minLength: 1 title: Stacktrace type: string stacktrace_minimal: minLength: 1 title: Stacktrace minimal type: string target_object: minLength: 1 title: Target object type: string tenant: minLength: 1 title: Tenant type: string tid: title: Tid type: integer utc_time: format: date-time title: Utc time type: string required: - '@event_create_date' - '@timestamp' - agent - data_string_added - data_string_removed - details - event_id - event_type - groups - hive_path - id - log_type - new_name - pid - previous_details - process_image_path - process_unique_id - 
registry_value_type - stacktrace - stacktrace_minimal - target_object - tenant - tid - utc_time type: object RemediationPermissions: properties: file_deletion: enum: - disabled - read_only - read_write title: File deletion type: string process_kill: enum: - disabled - read_only - read_write title: Process kill type: string quarantine_files: enum: - disabled - read_only - read_write title: Quarantine files type: string registry_operation: enum: - disabled - read_only - read_write title: Registry operation type: string scheduled_task_deletion: enum: - disabled - read_only - read_write title: Scheduled task deletion type: string service_deletion: enum: - disabled - read_only - read_write title: Service deletion type: string required: - file_deletion - process_kill - quarantine_files - registry_operation - scheduled_task_deletion - service_deletion type: object RemediationRegopItemSeralizer: properties: hive: description: '0: HKLM, 1: HKCR, 2: HKU; deprecated, `hive_str` is to be used instead.' enum: - 0 - 1 - 2 title: Hive type: integer hive_str: description: Hive to operate under; replaces `hive`; required if `hive` is unused. 
enum: - HKCR - HKLM - HKU title: Hive str type: string operator_type: description: '0: DELETE_VALUE, 1: DELETE_KEY' enum: - 0 - 1 title: Operator type type: integer path_hive: minLength: 1 title: Path hive type: string value_name: title: Value name type: string required: - operator_type - path_hive type: object RemediationRegops: properties: force: default: false title: Force type: boolean values: items: $ref: '#/definitions/RemediationRegopItemSeralizer' type: array required: - values type: object RemoteShell: properties: delayed: readOnly: true title: Delayed type: boolean delayed_update_at: format: date-time readOnly: true title: Delayed update at type: string x-nullable: true delayed_update_data: readOnly: true title: Delayed update data type: string mfa_required: default: false title: Mfa required type: boolean session_timeout: default: 10 description: minutes minimum: 10 title: Session timeout type: integer write_command_agents_per_day: default: 20 description: maximum agents on which write commands can be executed minimum: 1 title: Write command agents per day type: integer write_command_agents_per_day_enabled: default: false title: Write command agents per day enabled type: boolean type: object RemoteShellCommand: properties: command: enum: - cat - cd - chmod - chown - cp - env - filehash - getdir - getfile - help - kill - listmount - ls - mkdir - mv - ps - pwd - quarantine-add - quarantine-delete - quarantine-get - quarantine-list - quarantine-restore - rm - run - set - stat - unknown - unset title: Command type: string created_at: format: date-time readOnly: true title: Created at type: string cwd: maxLength: 8192 title: Cwd type: string env: title: Env type: object executable: $ref: '#/definitions/RemoteShellExecutable' exit_code: maximum: 2147483647 minimum: -2147483648 title: Exit code type: integer x-nullable: true id: format: uuid title: Id type: string jobinstances: items: $ref: '#/definitions/JobInstance' type: array x-nullable: true params: 
maxLength: 8192 title: Params type: string raw_command: maxLength: 8192 minLength: 1 title: Raw command type: string response: title: Response type: string session: $ref: '#/definitions/RemoteShellSession' state: enum: - aborted - failure - pending - running - success title: State type: string unset_env: title: Unset env type: object updated_at: format: date-time readOnly: true title: Updated at type: string required: - command - id - raw_command - session type: object RemoteShellCommandPoll: properties: command: enum: - cat - cd - chmod - chown - cp - env - filehash - getdir - getfile - help - kill - listmount - ls - mkdir - mv - ps - pwd - quarantine-add - quarantine-delete - quarantine-get - quarantine-list - quarantine-restore - rm - run - set - stat - unknown - unset title: Command type: string created_at: format: date-time readOnly: true title: Created at type: string cwd: maxLength: 8192 title: Cwd type: string env: title: Env type: object executable: $ref: '#/definitions/RemoteShellExecutable' exit_code: maximum: 2147483647 minimum: -2147483648 title: Exit code type: integer x-nullable: true id: format: uuid title: Id type: string jobinstances: items: $ref: '#/definitions/JobInstance' type: array x-nullable: true params: maxLength: 8192 title: Params type: string raw_command: maxLength: 8192 minLength: 1 title: Raw command type: string response: title: Response type: string session_id: minLength: 1 title: Session id type: string state: enum: - aborted - failure - pending - running - success title: State type: string unset_env: title: Unset env type: object updated_at: format: date-time readOnly: true title: Updated at type: string required: - command - id - raw_command - session_id type: object RemoteShellErrorCodeResponse: properties: code: default: unknown_error enum: - agent_did_not_respond - agent_does_not_support_command - agent_id_mismatch - executable_already_exists - executable_download_failed - executable_name_already_exists - 
executable_name_cannot_contain_spaces - executable_upload_failed - unknown_error title: Code type: string status: minLength: 1 title: Status type: string required: - status type: object RemoteShellExecutable: properties: created_at: format: date-time title: Created at type: string creator: $ref: '#/definitions/HlSimpleUserSerializer' current: default: true title: Current type: boolean description: minLength: 1 title: Description type: string executable_type: enum: - bat - exe - ps1 - unknown title: Executable type type: string file_extension: maxLength: 16 title: File extension type: string x-nullable: true filename: minLength: 1 title: Filename type: string id: format: uuid title: Id type: string name: maxLength: 2048 minLength: 1 title: Name type: string sha256: maxLength: 64 minLength: 1 title: Sha256 type: string size: maximum: 2147483647 minimum: -2147483648 title: Size type: integer version: default: 0 maximum: 2147483647 minimum: -2147483648 title: Version type: integer required: - created_at - creator - description - executable_type - filename - id - name - sha256 - size type: object x-nullable: true RemoteShellExecutablePoll: properties: command_id: minLength: 1 title: Command id type: string created_at: format: date-time title: Created at type: string creator: $ref: '#/definitions/HlSimpleUserSerializer' current: default: true title: Current type: boolean description: minLength: 1 title: Description type: string executable_type: enum: - bat - exe - ps1 - unknown title: Executable type type: string file_extension: maxLength: 16 title: File extension type: string x-nullable: true filename: minLength: 1 title: Filename type: string id: format: uuid title: Id type: string name: maxLength: 2048 minLength: 1 title: Name type: string sha256: maxLength: 64 minLength: 1 title: Sha256 type: string size: maximum: 2147483647 minimum: -2147483648 title: Size type: integer version: default: 0 maximum: 2147483647 minimum: -2147483648 title: Version type: integer 
required: - command_id - created_at - creator - description - executable_type - filename - id - name - sha256 - size type: object RemoteShellExecutableUpdate: properties: description: minLength: 1 title: Description type: string executable_type: enum: - bat - exe - ps1 - unknown title: Executable type type: string required: - description - executable_type type: object RemoteShellExecutableUploadRequest: properties: description: minLength: 1 title: Description type: string executable_type: enum: - bat - exe - ps1 - unknown title: Executable type type: string name: minLength: 1 title: Name type: string required: - description - executable_type - name type: object RemoteShellPermission: properties: command_cat: title: Command cat type: boolean command_cd: title: Command cd type: boolean command_chmod: title: Command chmod type: boolean command_chown: title: Command chown type: boolean command_cp: title: Command cp type: boolean command_env: title: Command env type: boolean command_filehash: title: Command filehash type: boolean command_listmount: title: Command listmount type: boolean command_mkdir: title: Command mkdir type: boolean command_mv: title: Command mv type: boolean command_pwd: title: Command pwd type: boolean command_run: title: Command run type: boolean command_set: title: Command set type: boolean command_stat: title: Command stat type: boolean command_unset: title: Command unset type: boolean executable: enum: - disabled - read_only - read_write title: Executable type: string session: enum: - disabled - read_only - read_write title: Session type: string required: - command_cat - command_cd - command_chmod - command_chown - command_cp - command_env - command_filehash - command_listmount - command_mkdir - command_mv - command_pwd - command_run - command_set - command_stat - command_unset - executable - session type: object RemoteShellPollRequest: properties: abort_command_id: format: uuid title: Abort command id type: string x-nullable: true raw_command: 
maxLength: 8192 minLength: 1 title: Raw command type: string x-nullable: true type: object RemoteShellPollResponse: properties: commands: items: $ref: '#/definitions/RemoteShellCommandPoll' type: array executables: items: $ref: '#/definitions/RemoteShellExecutablePoll' type: array jobinstances: items: $ref: '#/definitions/JobInstance' type: array session: $ref: '#/definitions/RemoteShellSession' timestamp: title: Timestamp type: number required: - commands - executables - jobinstances - session - timestamp type: object RemoteShellPossibleCommands: properties: commands: items: $ref: '#/definitions/RemoteShellPossibleCommandsCommand' type: array minimum_version: minLength: 1 title: Minimum version type: string required: - commands - minimum_version type: object RemoteShellPossibleCommandsCommand: properties: allowed: title: Allowed type: boolean description: minLength: 1 title: Description type: string minimum_agent_version: minLength: 1 title: Minimum agent version type: string name: enum: - cat - cd - chmod - chown - cp - env - filehash - getdir - getfile - help - kill - listmount - ls - mkdir - mv - ps - pwd - quarantine-add - quarantine-delete - quarantine-get - quarantine-list - quarantine-restore - rm - run - set - stat - unknown - unset title: Name type: string os: items: enum: - linux - macos - windows type: string type: array required: - allowed - description - minimum_agent_version - name - os type: object RemoteShellSession: properties: active: title: Active type: boolean agent: $ref: '#/definitions/SimpleAgent' closed_at: format: date-time title: Closed at type: string x-nullable: true created_at: format: date-time title: Created at type: string cwd: maxLength: 8192 title: Cwd type: string duration: readOnly: true title: Duration type: number env: title: Env type: object id: format: uuid title: Id type: string jobs: items: $ref: '#/definitions/SimpleJob' readOnly: true type: array supported_commands: items: minLength: 1 type: string type: array unset_env: 
title: Unset env type: object updated_at: format: date-time title: Updated at type: string user: $ref: '#/definitions/HlSimpleUserSerializer' required: - agent - created_at - id - supported_commands - updated_at - user type: object RemoteShellSessionList: properties: active: title: Active type: boolean agent: $ref: '#/definitions/SimpleAgent' closed_at: format: date-time title: Closed at type: string x-nullable: true created_at: format: date-time title: Created at type: string cwd: maxLength: 8192 title: Cwd type: string duration: readOnly: true title: Duration type: number env: title: Env type: object executables: items: $ref: '#/definitions/RemoteShellExecutable' readOnly: true type: array id: format: uuid title: Id type: string jobs: items: $ref: '#/definitions/SimpleJob' readOnly: true type: array supported_commands: items: minLength: 1 type: string type: array unset_env: title: Unset env type: object updated_at: format: date-time title: Updated at type: string user: $ref: '#/definitions/HlSimpleUserSerializer' required: - agent - created_at - id - supported_commands - updated_at - user type: object RemoteThread: properties: '@event_create_date': format: date-time title: '@event create date' type: string '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/InnerAgent' event_id: title: Event id type: integer groups: $ref: '#/definitions/InnerGroup' id: minLength: 1 title: Id type: string log_type: minLength: 1 title: Log type type: string new_thread_id: title: New thread id type: integer origin_stack: $ref: '#/definitions/OriginStack' source_image: minLength: 1 title: Source image type: string source_process_guid: minLength: 1 title: Source process guid type: string source_process_id: title: Source process id type: integer stacktrace: minLength: 1 title: Stacktrace type: string stacktrace_minimal: minLength: 1 title: Stacktrace minimal type: string start_address: title: Start address type: integer start_address_string: 
minLength: 1 title: Start address string type: string start_function: minLength: 1 title: Start function type: string start_module: minLength: 1 title: Start module type: string start_module_base: title: Start module base type: integer target_image: minLength: 1 title: Target image type: string target_process_guid: minLength: 1 title: Target process guid type: string target_process_id: title: Target process id type: integer tenant: minLength: 1 title: Tenant type: string username: minLength: 1 title: Username type: string utc_time: format: date-time title: Utc time type: string required: - '@event_create_date' - '@timestamp' - agent - event_id - groups - id - log_type - new_thread_id - source_image - source_process_guid - source_process_id - stacktrace - stacktrace_minimal - start_address - start_address_string - start_function - start_module - start_module_base - target_image - target_process_guid - target_process_id - tenant - username - utc_time type: object ReplaceWhitelistRule: properties: apply_retroactively: default: false title: Apply retroactively type: boolean comment: title: Comment type: string x-nullable: true correlation_embedded_rule_id: format: uuid title: Correlation embedded rule id type: string x-nullable: true correlation_rule_id: format: uuid title: Correlation rule id type: string x-nullable: true criteria: items: $ref: '#/definitions/ReplaceWhitelistRuleCriteria' type: array enabled: title: Enabled type: boolean expiration_date: format: date-time title: Expiration date type: string x-nullable: true security_event_from_status: default: - new items: enum: - closed - false_positive - investigating - new type: string type: array security_event_new_status: default: false_positive enum: - closed - false_positive - investigating title: Security event new status type: string sigma_rule_id: title: Sigma rule id type: string x-nullable: true target: enum: - all - cape - correlation - glimps - hlai - hlaiscripts - hurukaiav - ioc - kernelguard - orion - 
ransom - selfprotection - sidewatch - sigma - telemetry_amsi_scan - telemetry_authentication - telemetry_bpf - telemetry_dns_resolution - telemetry_driver_load - telemetry_etw_ti_ke_insert_queue_apc - telemetry_etw_ti_nt_allocate_virtual_memory - telemetry_etw_ti_nt_map_view_of_section - telemetry_etw_ti_nt_protect_virtual_memory - telemetry_etw_ti_nt_read_virtual_memory - telemetry_etw_ti_nt_resume_process - telemetry_etw_ti_nt_resume_thread - telemetry_etw_ti_nt_set_context_thread - telemetry_etw_ti_nt_suspend_process - telemetry_etw_ti_nt_suspend_thread - telemetry_etw_ti_nt_write_virtual_memory - telemetry_eventlog - telemetry_file - telemetry_group_event - telemetry_injected_thread - telemetry_kube_pod_event - telemetry_library_load - telemetry_named_pipe - telemetry_network - telemetry_network_listen - telemetry_powershell - telemetry_process - telemetry_process_access - telemetry_process_duplicate_handle - telemetry_process_ptrace - telemetry_process_tamper - telemetry_raw_device_access - telemetry_raw_socket_creation - telemetry_registry - telemetry_remote_thread - telemetry_scheduled_task - telemetry_url_request - telemetry_usb_activity - telemetry_user_event - telemetry_win32k_get_async_key_state - telemetry_win32k_register_raw_input_devices - telemetry_win32k_set_windows_hook_ex - telemetry_windows_service - telemetry_wmi_event - vt - yara - yara_memory title: Target type: string required: - criteria type: object ReplaceWhitelistRuleCriteria: properties: case_insensitive: default: false title: Case insensitive type: boolean field: minLength: 1 title: Field type: string id: format: uuid title: Id type: string operator: enum: - contains - eq - ncontains - neq - nwildcard - regex - wildcard title: Operator type: string sub_criteria: items: $ref: '#/definitions/WhitelistRuleSubCriterion' type: array x-nullable: true value: title: Value type: string required: - field type: object ReportAgentVulnerabilitiesAggregation: properties: hostname: minLength: 1 title: 
Hostname type: string id: format: uuid title: Id type: string latest_vulnscan_date: format: date-time title: Latest vulnscan date type: string nb_critical_level: title: Nb critical level type: integer nb_high_level: title: Nb high level type: integer nb_low_level: title: Nb low level type: integer nb_medium_level: title: Nb medium level type: integer nb_vulnerabilities: title: Nb vulnerabilities type: integer status: enum: - access_denied - idle - offline - online - unknown readOnly: true title: Status type: string required: - hostname - latest_vulnscan_date - nb_critical_level - nb_high_level - nb_low_level - nb_medium_level - nb_vulnerabilities type: object ReportAgentVulnerabilitiesAggregationListing: properties: count: title: Count type: integer next: minLength: 1 title: Next type: string x-nullable: true previous: minLength: 1 title: Previous type: string x-nullable: true results: items: $ref: '#/definitions/ReportAgentVulnerabilitiesAggregation' type: array required: - count - results type: object Request: properties: conversation: format: uuid title: Conversation type: string x-nullable: true creation_date: format: date-time readOnly: true title: Creation date type: string id: format: uuid readOnly: true title: Id type: string last_update: format: date-time readOnly: true title: Last update type: string message: title: Message type: string response: minLength: 1 readOnly: true title: Response type: string x-nullable: true response_finished: readOnly: true title: Response finished type: boolean type: object RequestToken: properties: is_expirable: default: false title: Is expirable type: boolean type: object ResetPassword: properties: password: minLength: 1 title: Password type: string token: minLength: 1 title: Token type: string username: minLength: 1 title: Username type: string required: - password - token - username type: object ResetPasswordLinkRequest: properties: duration_unit: default: hours enum: - days - hours - minutes title: Duration unit type: 
string duration_value: title: Duration value type: integer revoke_api_token: default: false title: Revoke api token type: boolean set_password_to_unusable: default: false title: Set password to unusable type: boolean required: - duration_value type: object ResetPasswordLinkResponse: properties: created_at: format: date-time title: Created at type: string created_by: $ref: '#/definitions/HlSimpleUserSerializer' duration_minutes: title: Duration minutes type: integer expires_at: format: date-time title: Expires at type: string reset_token: minLength: 1 title: Reset token type: string required: - created_at - created_by - duration_minutes - expires_at - reset_token type: object ResponseMountpoints: properties: mountpoint: minLength: 1 title: Mountpoint type: string volumenames: items: minLength: 1 type: string type: array required: - mountpoint - volumenames type: object ResponseStatus: properties: status: minLength: 1 title: Status type: string required: - status type: object ResponseToken: properties: api_token: readOnly: true title: Api token type: string type: object RestoreFromQuarantine: properties: values: items: $ref: '#/definitions/RestoreFromQuarantineItem' type: array required: - values type: object RestoreFromQuarantineItem: properties: local_id: format: uuid title: Local id type: string overwrite_existing: default: true title: Overwrite existing type: boolean required: - local_id type: object RetrieveAntivirusPolicy: properties: agent_count: readOnly: true title: Agent count type: integer agent_policies: items: $ref: '#/definitions/MinimalPolicy' type: array antivirus_slug: minLength: 1 readOnly: true title: Antivirus slug type: string creation_date: format: date-time readOnly: true title: Creation date type: string description: title: Description type: string x-nullable: true hurukaiav: $ref: '#/definitions/HlAntivirus' id: format: uuid title: Id type: string last_modifier: $ref: '#/definitions/HlSimpleUserSerializer' last_update: format: date-time 
readOnly: true title: Last update type: string name: maxLength: 256 minLength: 1 title: Name type: string origin_stack: $ref: '#/definitions/OriginStack' revision: maximum: 2147483647 minimum: -2147483648 title: Revision type: integer windowsdefender: $ref: '#/definitions/WindowsDefender' required: - last_modifier - name type: object Role: properties: can_access_all_groups: title: Can access all groups type: boolean description: title: Description type: string group_count: default: 0 readOnly: true title: Group count type: integer groups: items: $ref: '#/definitions/BasicGroup' readOnly: true type: array id: format: uuid readOnly: true title: Id type: string is_supervisor_role: title: Is supervisor role type: boolean name: maxLength: 150 minLength: 1 title: Name type: string old_id: readOnly: true title: Old id type: integer origin_stack: $ref: '#/definitions/OriginStack' permissions: description: Return all permissions with an enabled field items: $ref: '#/definitions/RolePermission' readOnly: true type: array tenant: minLength: 1 readOnly: true title: Tenant type: string user_count: default: 0 readOnly: true title: User count type: integer required: - name type: object RolePermission: properties: codename: enum: - administration_agent_installers - administration_global_settings - administration_role_edit - administration_role_view - administration_user_edit - administration_user_view - attack_surface_network_discovery_edit - attack_surface_network_discovery_view - attack_surface_vulnerability_edit - attack_surface_vulnerability_view - data_exploration_file_download - data_exploration_investigation_edit - data_exploration_investigation_view - data_exploration_search - data_exploration_telemetry - data_exploration_visualization - detection_sec_event_edit - detection_sec_event_view - detection_threat_edit - detection_threat_view - detection_view_experimental - endpoint_agent_delivery_management_edit - endpoint_agent_delivery_management_view - 
endpoint_agent_lifecycle - endpoint_lifecycle - endpoint_management_edit - endpoint_management_view - endpoint_policy_edit - endpoint_policy_view - job_acquisition_capture_ram_edit - job_acquisition_capture_ram_view - job_acquisition_collect_raw_data_edit - job_acquisition_collect_raw_data_view - job_acquisition_download_directory_edit - job_acquisition_download_directory_view - job_acquisition_download_file_edit - job_acquisition_download_file_view - job_acquisition_network_sniffer_edit - job_acquisition_network_sniffer_view - job_acquisition_parse_filesystem_edit - job_acquisition_parse_filesystem_view - job_acquisition_process_dumper_edit - job_acquisition_process_dumper_view - job_debug_agent_diagnostic_edit - job_debug_agent_diagnostic_view - job_debug_minidump_edit - job_debug_minidump_view - job_debug_profile_memory_edit - job_debug_profile_memory_view - job_evidence_prefetch_edit - job_evidence_prefetch_view - job_info_drivers_edit - job_info_drivers_view - job_info_list_directory_contents_edit - job_info_list_directory_contents_view - job_info_network_shares_edit - job_info_network_shares_view - job_info_pip_list_edit - job_info_pip_list_view - job_info_processes_edit - job_info_processes_view - job_info_sessions_edit - job_info_sessions_view - job_info_windows_kb_edit - job_info_windows_kb_view - job_persistence_linux_persistence_edit - job_persistence_linux_persistence_view - job_persistence_registry_edit - job_persistence_registry_view - job_persistence_scheduled_tasks_edit - job_persistence_scheduled_tasks_view - job_persistence_startup_files_edit - job_persistence_startup_files_view - job_persistence_wmi_edit - job_persistence_wmi_view - job_remediation_file_deletion_edit - job_remediation_file_deletion_view - job_remediation_process_kill_edit - job_remediation_process_kill_view - job_remediation_quarantine_files_edit - job_remediation_quarantine_files_view - job_remediation_registry_operation_edit - job_remediation_registry_operation_view - 
job_remediation_scheduled_task_deletion_edit - job_remediation_scheduled_task_deletion_view - job_remediation_service_deletion_edit - job_remediation_service_deletion_view - job_scan_antivirus_scan_edit - job_scan_antivirus_scan_view - job_scan_ioc_scan_edit - job_scan_ioc_scan_view - job_scan_yara_scan_edit - job_scan_yara_scan_view - llm_chat_send_messages - llm_chat_view_messages - misc_api_documentation - misc_product_documentation - monitoring_agent_logs - monitoring_ui - protection_antivirus_edit - protection_antivirus_view - protection_device_control_edit - protection_device_control_view - protection_fim_edit - protection_fim_view - protection_firewall_edit - protection_firewall_view - remediation_isolation - remote_shell_command_cat - remote_shell_command_cd - remote_shell_command_chmod - remote_shell_command_chown - remote_shell_command_cp - remote_shell_command_env - remote_shell_command_filehash - remote_shell_command_listmount - remote_shell_command_mkdir - remote_shell_command_mv - remote_shell_command_pwd - remote_shell_command_run - remote_shell_command_set - remote_shell_command_stat - remote_shell_command_unset - remote_shell_executable_edit - remote_shell_executable_view - remote_shell_session_edit - remote_shell_session_view - threat_intelligence_edit - threat_intelligence_experimental - threat_intelligence_view - threat_intelligence_whitelist_edit - threat_intelligence_whitelist_view title: Codename type: string enabled: readOnly: true title: Enabled type: boolean id: readOnly: true title: Id type: integer name: maxLength: 255 minLength: 1 title: Name type: string type: readOnly: true title: Type type: string required: - codename - name type: object Rule: properties: count: default: 0 title: Count type: integer level: items: minLength: 1 type: string type: array name: minLength: 1 title: Name type: string required: - level - name type: object RuleUpdateRuleset: properties: actions: $ref: '#/definitions/Actions' new_state: enum: - alert - 
backend_alert - block - default - disabled - quarantine title: New state type: string rule_ids: items: minLength: 1 type: string type: array set_default: default: false title: Set default type: boolean source_id: minLength: 1 title: Source id type: string update_by_query: default: false title: Update by query type: boolean required: - source_id type: object Ruleset: properties: alert_rule_count: default: 0 readOnly: true title: Alert rule count type: integer block_on_agent: title: Block on agent type: boolean block_rule_count: default: 0 readOnly: true title: Block rule count type: integer cap_unmodified_sources_allowed_actions: title: Cap unmodified sources allowed actions type: boolean config_slug: enum: - alert_block_and_quarantine_moderate_and_strong - alert_block_and_quarantine_strong - alert_moderate_block_quarantine_strong - alert_weak_and_moderate_block_quarantine_strong - alert_weak_block_quarantine_moderate_and_strong title: Config slug type: string x-nullable: true creation_date: format: date-time readOnly: true title: Creation date type: string default_rule_count: minimum: 0 readOnly: true title: Default rule count type: integer description: title: Description type: string disabled_rule_count: default: 0 readOnly: true title: Disabled rule count type: integer enabled: title: Enabled type: boolean endpoint_detection: title: Endpoint detection type: boolean engine: enum: - correlation - ioc - sigma - yara title: Engine type: string id: format: uuid title: Id type: string last_modifier: $ref: '#/definitions/HlSimpleUserSerializer' last_update: format: date-time readOnly: true title: Last update type: string name: maxLength: 128 minLength: 1 title: Name type: string new_source_state: enum: - alert - backend_alert - block - default - disabled - quarantine title: New source state type: string origin_stack: $ref: '#/definitions/OriginStack' policies: items: $ref: '#/definitions/PolicyLight' readOnly: true type: array quarantine_on_agent: title: Quarantine on 
agent type: boolean quarantine_rule_count: default: 0 readOnly: true title: Quarantine rule count type: integer read_only: readOnly: true title: Read only type: boolean required: - engine - name type: object RulesetLight: properties: alert_rule_count: default: 0 readOnly: true title: Alert rule count type: integer block_on_agent: title: Block on agent type: boolean block_rule_count: default: 0 readOnly: true title: Block rule count type: integer cap_unmodified_sources_allowed_actions: title: Cap unmodified sources allowed actions type: boolean config_slug: enum: - alert_block_and_quarantine_moderate_and_strong - alert_block_and_quarantine_strong - alert_moderate_block_quarantine_strong - alert_weak_and_moderate_block_quarantine_strong - alert_weak_block_quarantine_moderate_and_strong title: Config slug type: string x-nullable: true creation_date: format: date-time readOnly: true title: Creation date type: string default_rule_count: minimum: 0 readOnly: true title: Default rule count type: integer description: title: Description type: string disabled_rule_count: default: 0 readOnly: true title: Disabled rule count type: integer enabled: title: Enabled type: boolean endpoint_detection: title: Endpoint detection type: boolean engine: enum: - correlation - ioc - sigma - yara title: Engine type: string id: format: uuid title: Id type: string last_modifier: $ref: '#/definitions/HlSimpleUserSerializer' last_update: format: date-time readOnly: true title: Last update type: string name: maxLength: 128 minLength: 1 title: Name type: string new_source_state: enum: - alert - backend_alert - block - default - disabled - quarantine title: New source state type: string origin_stack: $ref: '#/definitions/OriginStack' quarantine_on_agent: title: Quarantine on agent type: boolean quarantine_rule_count: default: 0 readOnly: true title: Quarantine rule count type: integer read_only: title: Read only type: boolean required: - engine - name type: object RulesetRuleSerializer: 
properties: block_on_agent: title: Block on agent type: boolean enabled: title: Enabled type: boolean endpoint_detection: title: Endpoint detection type: boolean id: format: uuid readOnly: true title: Id type: string origin_stack: $ref: '#/definitions/OriginStack' origin_stack_id: maxLength: 64 minLength: 1 title: Origin stack id type: string x-nullable: true quarantine_on_agent: title: Quarantine on agent type: boolean rule_id: minLength: 1 readOnly: true title: Rule id type: string rule_type: readOnly: true title: Rule type type: integer x-nullable: true ruleset: format: uuid title: Ruleset type: string synchronization_status: format: uuid title: Synchronization status type: string x-nullable: true required: - block_on_agent - enabled - endpoint_detection - quarantine_on_agent - ruleset type: object RulesetSourceRuleDefaultSerializer: properties: block_on_agent: title: Block on agent type: boolean enabled: title: Enabled type: boolean endpoint_detection: title: Endpoint detection type: boolean id: format: uuid readOnly: true title: Id type: string origin_stack: $ref: '#/definitions/OriginStack' origin_stack_id: maxLength: 64 minLength: 1 title: Origin stack id type: string x-nullable: true quarantine_on_agent: title: Quarantine on agent type: boolean ruleset: format: uuid title: Ruleset type: string source_id: minLength: 1 readOnly: true title: Source id type: string source_type: readOnly: true title: Source type type: integer x-nullable: true synchronization_status: format: uuid title: Synchronization status type: string x-nullable: true required: - block_on_agent - enabled - endpoint_detection - quarantine_on_agent - ruleset type: object RulesetSourceSerializer: properties: block_on_agent: title: Block on agent type: boolean enabled: title: Enabled type: boolean endpoint_detection: title: Endpoint detection type: boolean force_inherit_source_state: title: Force inherit source state type: boolean id: format: uuid readOnly: true title: Id type: string 
origin_stack: $ref: '#/definitions/OriginStack' origin_stack_id: maxLength: 64 minLength: 1 title: Origin stack id type: string x-nullable: true quarantine_on_agent: title: Quarantine on agent type: boolean ruleset: format: uuid title: Ruleset type: string source_id: minLength: 1 readOnly: true title: Source id type: string source_type: readOnly: true title: Source type type: integer x-nullable: true synchronization_status: format: uuid title: Synchronization status type: string x-nullable: true required: - block_on_agent - enabled - endpoint_detection - force_inherit_source_state - quarantine_on_agent - ruleset type: object RulesetUpdate: properties: alert_rule_count: default: 0 readOnly: true title: Alert rule count type: integer block_on_agent: title: Block on agent type: boolean block_rule_count: default: 0 readOnly: true title: Block rule count type: integer cap_unmodified_sources_allowed_actions: title: Cap unmodified sources allowed actions type: boolean creation_date: format: date-time readOnly: true title: Creation date type: string default_rule_count: minimum: 0 readOnly: true title: Default rule count type: integer description: title: Description type: string disabled_rule_count: default: 0 readOnly: true title: Disabled rule count type: integer enabled: title: Enabled type: boolean endpoint_detection: title: Endpoint detection type: boolean engine: enum: - correlation - ioc - sigma - yara readOnly: true title: Engine type: string id: format: uuid title: Id type: string last_modifier: $ref: '#/definitions/HlSimpleUserSerializer' last_update: format: date-time readOnly: true title: Last update type: string name: maxLength: 128 minLength: 1 title: Name type: string new_source_state: enum: - alert - backend_alert - block - default - disabled - quarantine title: New source state type: string policies: items: $ref: '#/definitions/PolicyLight' readOnly: true type: array quarantine_on_agent: title: Quarantine on agent type: boolean quarantine_rule_count: 
default: 0 readOnly: true title: Quarantine rule count type: integer required: - name type: object RunKey: properties: '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/DataAgent' binaryinfo: $ref: '#/definitions/BinaryInfoWithPath' id: minLength: 1 title: Id type: string item_status: title: Item status type: integer job_id: minLength: 1 title: Job id type: string job_instance_action: minLength: 1 title: Job instance action type: string job_instance_id: minLength: 1 title: Job instance id type: string job_instance_task_id: title: Job instance task id type: integer location: minLength: 1 title: Location type: string name: minLength: 1 title: Name type: string path: minLength: 1 title: Path type: string tenant: minLength: 1 title: Tenant type: string timestamp: format: date-time title: Timestamp type: string username: minLength: 1 title: Username type: string wow64: title: Wow64 type: boolean required: - '@timestamp' - agent - binaryinfo - id - item_status - job_id - job_instance_action - job_instance_id - job_instance_task_id - location - name - path - tenant - timestamp - username - wow64 type: object ScanPermissions: properties: antivirus_scan: enum: - disabled - read_only - read_write title: Antivirus scan type: string ioc_scan: enum: - disabled - read_only - read_write title: Ioc scan type: string yara_scan: enum: - disabled - read_only - read_write title: Yara scan type: string required: - antivirus_scan - ioc_scan - yara_scan type: object Schedule: properties: end_at: format: date-time title: End at type: string x-nullable: true execution_time: format: date-time title: Execution time type: string x-nullable: true repeat_every: $ref: '#/definitions/ScheduleRepeat' week_days: items: enum: - 0 - 1 - 2 - 3 - 4 - 5 - 6 type: integer type: array required: - execution_time - repeat_every type: object x-nullable: true ScheduleRepeat: properties: frequency: minimum: 0 title: Frequency type: integer frequency_type: enum: - day 
- hour - month - week title: Frequency type type: string required: - frequency - frequency_type type: object ScheduledTaskBinary: properties: '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/DataAgent' application_name: minLength: 1 title: Application name type: string author: minLength: 1 title: Author type: string binaryinfo: $ref: '#/definitions/BinaryInfoWithPath' comment: minLength: 1 title: Comment type: string id: minLength: 1 title: Id type: string item_status: title: Item status type: integer job_id: minLength: 1 title: Job id type: string job_instance_action: minLength: 1 title: Job instance action type: string job_instance_id: minLength: 1 title: Job instance id type: string job_instance_task_id: title: Job instance task id type: integer lastrun: minLength: 1 title: Lastrun type: string short_name: minLength: 1 title: Short name type: string task_parameters: minLength: 1 title: Task parameters type: string tenant: minLength: 1 title: Tenant type: string uuid: minLength: 1 title: Uuid type: string required: - '@timestamp' - agent - application_name - author - binaryinfo - comment - id - item_status - job_id - job_instance_action - job_instance_id - job_instance_task_id - lastrun - short_name - task_parameters - tenant - uuid type: object ScheduledTaskGlu: properties: '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/DataAgent' content: minLength: 1 title: Content type: string id: minLength: 1 title: Id type: string item_status: title: Item status type: integer job_id: minLength: 1 title: Job id type: string job_instance_action: minLength: 1 title: Job instance action type: string job_instance_id: minLength: 1 title: Job instance id type: string job_instance_task_id: title: Job instance task id type: integer tenant: minLength: 1 title: Tenant type: string required: - '@timestamp' - agent - content - id - item_status - job_id - job_instance_action - job_instance_id - 
job_instance_task_id - tenant type: object ScheduledTaskXML: properties: '@timestamp': format: date-time title: '@timestamp' type: string action_type: minLength: 1 title: Action type type: string agent: $ref: '#/definitions/DataAgent' arguments: minLength: 1 title: Arguments type: string binaryinfo: $ref: '#/definitions/BinaryInfoWithPath' command: minLength: 1 title: Command type: string creation_date: format: date-time title: Creation date type: string description: minLength: 1 title: Description type: string display_name: minLength: 1 title: Display name type: string enabled: title: Enabled type: boolean hidden: title: Hidden type: boolean id: minLength: 1 title: Id type: string item_status: title: Item status type: integer job_id: minLength: 1 title: Job id type: string job_instance_action: minLength: 1 title: Job instance action type: string job_instance_id: minLength: 1 title: Job instance id type: string job_instance_task_id: title: Job instance task id type: integer principal_id: minLength: 1 title: Principal id type: string run_level: minLength: 1 title: Run level type: string short_name: minLength: 1 title: Short name type: string tenant: minLength: 1 title: Tenant type: string triggers: minLength: 1 title: Triggers type: string uri: minLength: 1 title: Uri type: string user_id: minLength: 1 title: User id type: string working_directory: minLength: 1 title: Working directory type: string required: - '@timestamp' - action_type - agent - arguments - binaryinfo - command - creation_date - description - display_name - enabled - hidden - id - item_status - job_id - job_instance_action - job_instance_id - job_instance_task_id - principal_id - run_level - short_name - tenant - triggers - uri - user_id - working_directory type: object Search: properties: alertCount: title: Alertcount type: integer binaries: items: $ref: '#/definitions/_SearchBinary' type: array id: title: Id type: integer iocCount: title: Ioccount type: integer persistence: $ref: 
'#/definitions/_SearchPersistence' processCount: title: Processcount type: integer telemetryProcessCount: title: Telemetryprocesscount type: integer title: minLength: 1 title: Title type: string virustotalCount: title: Virustotalcount type: integer yaraCount: title: Yaracount type: integer yaraFilesystemCount: title: Yarafilesystemcount type: integer yaraMemoryCount: title: Yaramemorycount type: integer required: - alertCount - binaries - id - iocCount - persistence - processCount - telemetryProcessCount - title - virustotalCount - yaraCount - yaraFilesystemCount - yaraMemoryCount type: object SearchBinaryPersistence: properties: class: minLength: 1 title: Class type: string count: title: Count type: integer filter_field: minLength: 1 title: Filter field type: string key: minLength: 1 title: Key type: string required: - class - count - filter_field - key type: object SearchDumpProcess: properties: values: items: $ref: '#/definitions/WildcardProcess' type: array required: - values type: object Security: properties: session_duration: minimum: 1 title: Session duration type: integer required: - session_duration type: object SecurityEventCountByLevel: properties: critical: minimum: 0 title: Critical type: integer high: minimum: 0 title: High type: integer informational: minimum: 0 title: Informational type: integer low: minimum: 0 title: Low type: integer medium: minimum: 0 title: Medium type: integer required: - critical - high - informational - low - medium type: object SecurityEventCountByStatus: properties: closed: minimum: 0 title: Closed type: integer false_positive: minimum: 0 title: False positive type: integer investigating: minimum: 0 title: Investigating type: integer new: minimum: 0 title: New type: integer required: - closed - false_positive - investigating - new type: object SecurityProvider: properties: '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/DataAgent' binaryinfo: $ref: 
'#/definitions/BinaryInfoWithPath' controlset: minLength: 1 title: Controlset type: string id: minLength: 1 title: Id type: string item_status: title: Item status type: integer job_id: minLength: 1 title: Job id type: string job_instance_action: minLength: 1 title: Job instance action type: string job_instance_id: minLength: 1 title: Job instance id type: string job_instance_task_id: title: Job instance task id type: integer tenant: minLength: 1 title: Tenant type: string timestamp: format: date-time title: Timestamp type: string value: minLength: 1 title: Value type: string required: - '@timestamp' - agent - binaryinfo - controlset - id - item_status - job_id - job_instance_action - job_instance_id - job_instance_task_id - tenant - timestamp - value type: object ServerMetadataUrl: properties: server_metadata_url: format: uri maxLength: 500 minLength: 1 title: Server metadata url type: string ssl_cacert: format: uri readOnly: true title: Ssl cacert type: string x-nullable: true ssl_cert: format: uri readOnly: true title: Ssl cert type: string x-nullable: true ssl_key: format: uri readOnly: true title: Ssl key type: string x-nullable: true required: - server_metadata_url type: object Service: properties: '@timestamp': format: date-time title: '@timestamp' type: string accountrun: minLength: 1 title: Accountrun type: string agent: $ref: '#/definitions/DataAgent' binaryinfo: $ref: '#/definitions/BinaryInfoWithPath' controlset: minLength: 1 title: Controlset type: string description: minLength: 1 title: Description type: string display_name: minLength: 1 title: Display name type: string dll: minLength: 1 title: Dll type: string dll_main: minLength: 1 title: Dll main type: string id: minLength: 1 title: Id type: string image_path: minLength: 1 title: Image path type: string item_status: title: Item status type: integer job_id: minLength: 1 title: Job id type: string job_instance_action: minLength: 1 title: Job instance action type: string job_instance_id: minLength: 1 
title: Job instance id type: string job_instance_task_id: title: Job instance task id type: integer parameter_timestamp: minLength: 1 title: Parameter timestamp type: string security_descriptor: minLength: 1 title: Security descriptor type: string service_name: minLength: 1 title: Service name type: string service_start: title: Service start type: integer service_start_str: minLength: 1 title: Service start str type: string service_type: title: Service type type: integer service_type_str: minLength: 1 title: Service type str type: string tenant: minLength: 1 title: Tenant type: string timestamp: format: date-time title: Timestamp type: string required: - '@timestamp' - accountrun - agent - binaryinfo - controlset - description - display_name - dll - dll_main - id - image_path - item_status - job_id - job_instance_action - job_instance_id - job_instance_task_id - parameter_timestamp - security_descriptor - service_name - service_start - service_start_str - service_type - service_type_str - tenant - timestamp type: object ServiceControlManager: properties: '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/DataAgent' binaryinfo: $ref: '#/definitions/BinaryInfoWithPath' controlset: minLength: 1 title: Controlset type: string id: minLength: 1 title: Id type: string item_status: title: Item status type: integer job_id: minLength: 1 title: Job id type: string job_instance_action: minLength: 1 title: Job instance action type: string job_instance_id: minLength: 1 title: Job instance id type: string job_instance_task_id: title: Job instance task id type: integer security_descriptor: minLength: 1 title: Security descriptor type: string service_name: minLength: 1 title: Service name type: string service_type: title: Service type type: integer tenant: minLength: 1 title: Tenant type: string type: minLength: 1 title: Type type: string value: minLength: 1 title: Value type: string required: - '@timestamp' - agent - binaryinfo - 
controlset - id - item_status - job_id - job_instance_action - job_instance_id - job_instance_task_id - security_descriptor - service_name - service_type - tenant - type - value type: object Session: properties: '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/DataAgent' authenticationpackage: minLength: 1 title: Authenticationpackage type: string id: minLength: 1 title: Id type: string item_status: title: Item status type: integer job_id: minLength: 1 title: Job id type: string job_instance_action: minLength: 1 title: Job instance action type: string job_instance_id: minLength: 1 title: Job instance id type: string job_instance_task_id: title: Job instance task id type: integer logonid: title: Logonid type: integer logontype: title: Logontype type: integer logontypestr: minLength: 1 title: Logontypestr type: string sessionstarttime: format: date-time title: Sessionstarttime type: string tenant: minLength: 1 title: Tenant type: string required: - '@timestamp' - agent - authenticationpackage - id - item_status - job_id - job_instance_action - job_instance_id - job_instance_task_id - logonid - logontype - logontypestr - sessionstarttime - tenant type: object SessionInfo: properties: authentication_package: minLength: 1 title: Authentication package type: string event_time: format: date-time title: Event time type: string logon_id: title: Logon id type: integer logon_type: title: Logon type type: integer source_hostname: minLength: 1 title: Source hostname type: string source_ip: minLength: 1 title: Source ip type: string source_port: title: Source port type: integer target_domain: minLength: 1 title: Target domain type: string target_sid: minLength: 1 title: Target sid type: string target_username: minLength: 1 title: Target username type: string required: - authentication_package - event_time - logon_id - logon_type - source_hostname - source_ip - source_port - target_domain - target_sid - target_username type: object 
SessionManager_Execute: properties: '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/DataAgent' controlset: minLength: 1 title: Controlset type: string id: minLength: 1 title: Id type: string item_name: minLength: 1 title: Item name type: string item_status: title: Item status type: integer item_value: minLength: 1 title: Item value type: string job_id: minLength: 1 title: Job id type: string job_instance_action: minLength: 1 title: Job instance action type: string job_instance_id: minLength: 1 title: Job instance id type: string job_instance_task_id: title: Job instance task id type: integer session_type: minLength: 1 title: Session type type: string tenant: minLength: 1 title: Tenant type: string required: - '@timestamp' - agent - controlset - id - item_name - item_status - item_value - job_id - job_instance_action - job_instance_id - job_instance_task_id - session_type - tenant type: object SessionManager_PendingFileRenameOperation: properties: '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/DataAgent' controlset: minLength: 1 title: Controlset type: string id: minLength: 1 title: Id type: string item_name: minLength: 1 title: Item name type: string item_status: title: Item status type: integer job_id: minLength: 1 title: Job id type: string job_instance_action: minLength: 1 title: Job instance action type: string job_instance_id: minLength: 1 title: Job instance id type: string job_instance_task_id: title: Job instance task id type: integer new_file_name: minLength: 1 title: New file name type: string old_file_name: minLength: 1 title: Old file name type: string tenant: minLength: 1 title: Tenant type: string required: - '@timestamp' - agent - controlset - id - item_name - item_status - job_id - job_instance_action - job_instance_id - job_instance_task_id - new_file_name - old_file_name - tenant type: object Shellbag: properties: '@timestamp': format: date-time title: 
'@timestamp' type: string agent: $ref: '#/definitions/DataAgent' id: minLength: 1 title: Id type: string item_status: title: Item status type: integer job_id: minLength: 1 title: Job id type: string job_instance_action: minLength: 1 title: Job instance action type: string job_instance_id: minLength: 1 title: Job instance id type: string job_instance_task_id: title: Job instance task id type: integer shellbag_path: minLength: 1 title: Shellbag path type: string tenant: minLength: 1 title: Tenant type: string timestamp: format: date-time title: Timestamp type: string username: minLength: 1 title: Username type: string required: - '@timestamp' - agent - id - item_status - job_id - job_instance_action - job_instance_id - job_instance_task_id - shellbag_path - tenant - timestamp - username type: object ShimCache: properties: '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/DataAgent' binaryinfo: $ref: '#/definitions/BinaryInfoWithPath' exec_flag: title: Exec flag type: boolean file_path: minLength: 1 title: File path type: string file_size: title: File size type: integer id: minLength: 1 title: Id type: string item_status: title: Item status type: integer job_id: minLength: 1 title: Job id type: string job_instance_action: minLength: 1 title: Job instance action type: string job_instance_id: minLength: 1 title: Job instance id type: string job_instance_task_id: title: Job instance task id type: integer last_exec_time: format: date-time title: Last exec time type: string last_modified_time: format: date-time title: Last modified time type: string tenant: minLength: 1 title: Tenant type: string required: - '@timestamp' - agent - binaryinfo - exec_flag - file_path - file_size - id - item_status - job_id - job_instance_action - job_instance_id - job_instance_task_id - last_exec_time - last_modified_time - tenant type: object ShortInstallation: properties: application_id: format: uuid title: Application id type: string x-nullable: 
true name: minLength: 1 title: Name type: string required: - application_id - name type: object ShortInstallationWithVersion: properties: application_id: format: uuid title: Application id type: string x-nullable: true name: minLength: 1 title: Name type: string version: minLength: 1 title: Version type: string required: - application_id - name - version type: object Sidewatch: properties: alert_level: default: critical enum: - critical - high - informational - low - medium title: Alert level type: string type: object SidewatchDetectionDetails: properties: kind: minLength: 1 title: Kind type: string required: - kind type: object SigmaRule: properties: alert_count: readOnly: true title: Alert count type: integer backend_detection: default: false readOnly: true title: Backend detection type: boolean block_on_agent: title: Block on agent type: boolean content: minLength: 1 title: Content type: string creation_date: format: date-time readOnly: true title: Creation date type: string declared_in: title: Declared in type: string x-nullable: true effective_state: enum: - alert - backend_alert - block - disabled - quarantine readOnly: true title: Effective state type: string enabled: title: Enabled type: boolean endpoint_detection: default: true readOnly: true title: Endpoint detection type: boolean errors: minLength: 1 readOnly: true title: Errors type: string x-nullable: true global_state: enum: - alert - backend_alert - block - disabled - quarantine title: Global state type: string hl_local_testing_status: description: deprecated title: Hl local testing status type: string x-nullable: true hl_status: enum: - experimental - stable - testing title: Hl status type: string hl_testing_start_time: format: date-time readOnly: true title: Hl testing start time type: string id: minLength: 1 readOnly: true title: Id type: string last_modifier: $ref: '#/definitions/HlSimpleUserSerializer' last_update: format: date-time readOnly: true title: Last update type: string name: maxLength: 
100 minLength: 1 title: Name type: string origin_stack: $ref: '#/definitions/OriginStack' origin_stack_id: minLength: 1 readOnly: true title: Origin stack id type: string x-nullable: true quarantine_on_agent: title: Quarantine on agent type: boolean references: items: minLength: 1 title: References type: string type: array rule_confidence: enum: - moderate - strong - weak readOnly: true title: Rule confidence type: string x-nullable: true rule_confidence_override: enum: - moderate - strong - weak title: Rule confidence override type: string x-nullable: true rule_creation_date: format: date readOnly: true title: Rule creation date type: string x-nullable: true rule_description: minLength: 1 readOnly: true title: Rule description type: string x-nullable: true rule_effective_confidence: enum: - moderate - strong - weak readOnly: true title: Rule effective confidence type: string rule_effective_level: enum: - critical - high - informational - low - medium readOnly: true title: Rule effective level type: string rule_id: minLength: 1 readOnly: true title: Rule id type: string x-nullable: true rule_is_depended_on: items: additionalProperties: type: string x-nullable: true type: object readOnly: true type: array rule_level: enum: - critical - high - informational - low - medium readOnly: true title: Rule level type: string x-nullable: true rule_level_overridden: readOnly: true title: Rule level overridden type: boolean rule_level_override: enum: - critical - high - informational - low - medium title: Rule level override type: string x-nullable: true rule_modified_date: format: date readOnly: true title: Rule modified date type: string x-nullable: true rule_name: minLength: 1 readOnly: true title: Rule name type: string x-nullable: true rule_os: enum: - linux - macos - unknown - windows readOnly: true title: Rule os type: string rule_status: minLength: 1 readOnly: true title: Rule status type: string x-nullable: true rule_tactic_tags: items: maxLength: 256 minLength: 1 
title: Rule tactic tags type: string readOnly: true type: array rule_technique_tags: items: maxLength: 256 minLength: 1 title: Rule technique tags type: string readOnly: true type: array rule_type: readOnly: true title: Rule type type: string source: readOnly: true title: Source type: string source_id: minLength: 1 title: Source id type: string tenant: minLength: 1 readOnly: true title: Tenant type: string test_maturity_current_count: readOnly: true title: Test maturity current count type: integer test_maturity_delay: readOnly: true title: Test maturity delay type: integer test_maturity_threshold: readOnly: true title: Test maturity threshold type: integer warnings: minLength: 1 readOnly: true title: Warnings type: string x-nullable: true whitelist_count: readOnly: true title: Whitelist count type: integer required: - content - name - source_id type: object SigmaRuleLinkedToCorrelationRuleResponse: properties: code: default: unknown_error enum: - linked_sigma_rule - unknown_error title: Code type: string details: minLength: 1 title: Details type: string linked_correlation: items: $ref: '#/definitions/SimpleCorrelationRuleAndSourceSerializer' type: array sigma_rule: $ref: '#/definitions/SimpleSigmaRuleAndSourceSerializer' required: - details - linked_correlation - sigma_rule type: object SigmaRulesetRule: properties: alert_count: readOnly: true title: Alert count type: integer backend_detection: default: false readOnly: true title: Backend detection type: boolean block_on_agent: readOnly: true title: Block on agent type: boolean content: minLength: 1 readOnly: true title: Content type: string creation_date: format: date-time readOnly: true title: Creation date type: string declared_in: readOnly: true title: Declared in type: string x-nullable: true effective_state: enum: - alert - backend_alert - block - disabled - quarantine readOnly: true title: Effective state type: string enabled: readOnly: true title: Enabled type: boolean endpoint_detection: default: true 
readOnly: true title: Endpoint detection type: boolean errors: minLength: 1 readOnly: true title: Errors type: string x-nullable: true global_state: enum: - alert - backend_alert - block - disabled - quarantine readOnly: true title: Global state type: string hl_status: enum: - experimental - stable - testing readOnly: true title: Hl status type: string hl_testing_start_time: format: date-time readOnly: true title: Hl testing start time type: string id: minLength: 1 readOnly: true title: Id type: string last_modifier: $ref: '#/definitions/HlSimpleUserSerializer' last_update: format: date-time readOnly: true title: Last update type: string name: maxLength: 100 minLength: 1 readOnly: true title: Name type: string origin_stack: $ref: '#/definitions/OriginStack' origin_stack_id: minLength: 1 readOnly: true title: Origin stack id type: string x-nullable: true quarantine_on_agent: readOnly: true title: Quarantine on agent type: boolean references: items: minLength: 1 title: References type: string readOnly: true type: array rule_confidence: enum: - moderate - strong - weak readOnly: true title: Rule confidence type: string x-nullable: true rule_confidence_override: enum: - moderate - strong - weak readOnly: true title: Rule confidence override type: string x-nullable: true rule_creation_date: format: date readOnly: true title: Rule creation date type: string x-nullable: true rule_description: minLength: 1 readOnly: true title: Rule description type: string x-nullable: true rule_effective_confidence: enum: - moderate - strong - weak readOnly: true title: Rule effective confidence type: string rule_effective_level: enum: - critical - high - informational - low - medium readOnly: true title: Rule effective level type: string rule_id: minLength: 1 readOnly: true title: Rule id type: string x-nullable: true rule_is_depended_on: items: additionalProperties: type: string x-nullable: true type: object readOnly: true type: array rule_level: enum: - critical - high - informational 
- low - medium readOnly: true title: Rule level type: string x-nullable: true rule_level_overridden: readOnly: true title: Rule level overridden type: boolean rule_level_override: enum: - critical - high - informational - low - medium readOnly: true title: Rule level override type: string x-nullable: true rule_modified_date: format: date readOnly: true title: Rule modified date type: string x-nullable: true rule_name: minLength: 1 readOnly: true title: Rule name type: string x-nullable: true rule_os: enum: - linux - macos - unknown - windows readOnly: true title: Rule os type: string rule_status: minLength: 1 readOnly: true title: Rule status type: string x-nullable: true rule_tactic_tags: items: maxLength: 256 minLength: 1 title: Rule tactic tags type: string readOnly: true type: array rule_technique_tags: items: maxLength: 256 minLength: 1 title: Rule technique tags type: string readOnly: true type: array rule_type: readOnly: true title: Rule type type: string ruleset_rule: $ref: '#/definitions/RulesetRuleSerializer' ruleset_rule_default: readOnly: true title: Ruleset rule default type: boolean source: readOnly: true title: Source type: string source_id: minLength: 1 readOnly: true title: Source id type: string state: enum: - alert - backend_alert - block - default - disabled - quarantine readOnly: true title: State type: string tenant: minLength: 1 readOnly: true title: Tenant type: string warnings: minLength: 1 readOnly: true title: Warnings type: string x-nullable: true whitelist_count: readOnly: true title: Whitelist count type: integer type: object SigmaRulesetSource: properties: alert_rule_count: default: 0 readOnly: true title: Alert rule count type: integer block_on_agent: title: Block on agent type: boolean block_rule_count: default: 0 readOnly: true title: Block rule count type: integer creation_date: format: date-time readOnly: true title: Creation date type: string default_rule_count: minimum: 0 readOnly: true title: Default rule count type: integer 
description: title: Description type: string disabled_rule_count: default: 0 readOnly: true title: Disabled rule count type: integer effective_state: enum: - alert - backend_alert - block - disabled - quarantine readOnly: true title: Effective state type: string enabled: title: Enabled type: boolean endpoint_detection: title: Endpoint detection type: boolean global_state: enum: - alert - backend_alert - block - disabled - quarantine title: Global state type: string id: minLength: 1 readOnly: true title: Id type: string last_modifier: $ref: '#/definitions/HlSimpleUserSerializer' last_update: format: date-time readOnly: true title: Last update type: string name: maxLength: 100 minLength: 1 title: Name type: string new_rule_state: default: default enum: - alert - backend_alert - block - default - disabled - quarantine title: New rule state type: string origin_stack: $ref: '#/definitions/OriginStack' origin_stack_id: minLength: 1 readOnly: true title: Origin stack id type: string x-nullable: true quarantine_on_agent: title: Quarantine on agent type: boolean quarantine_rule_count: default: 0 readOnly: true title: Quarantine rule count type: integer rule_confidence_default: enum: - moderate - strong - weak title: Rule confidence default type: string rule_count: default: 0 readOnly: true title: Rule count type: integer rule_disabled_count: default: 0 readOnly: true title: Rule disabled count type: integer rule_enabled_count: default: 0 readOnly: true title: Rule enabled count type: integer rule_experimental_count: default: 0 readOnly: true title: Rule experimental count type: integer rule_level_default: enum: - critical - high - informational - low - medium title: Rule level default type: string rule_stable_count: default: 0 readOnly: true title: Rule stable count type: integer rule_testing_count: default: 0 readOnly: true title: Rule testing count type: integer ruleset_source: $ref: '#/definitions/RulesetSourceSerializer' ruleset_source_rule_default: $ref: 
'#/definitions/RulesetSourceRuleDefaultSerializer' state: default: default enum: - alert - backend_alert - block - default - disabled - force_inherit - quarantine title: State type: string tenant: minLength: 1 readOnly: true title: Tenant type: string required: - name type: object SigmaSource: properties: block_on_agent: title: Block on agent type: boolean creation_date: format: date-time readOnly: true title: Creation date type: string description: title: Description type: string effective_state: enum: - alert - backend_alert - block - disabled - quarantine readOnly: true title: Effective state type: string enabled: title: Enabled type: boolean endpoint_detection: title: Endpoint detection type: boolean global_state: enum: - alert - backend_alert - block - disabled - quarantine title: Global state type: string id: minLength: 1 readOnly: true title: Id type: string last_modifier: $ref: '#/definitions/HlSimpleUserSerializer' last_update: format: date-time readOnly: true title: Last update type: string name: maxLength: 100 minLength: 1 title: Name type: string origin_stack: $ref: '#/definitions/OriginStack' origin_stack_id: minLength: 1 readOnly: true title: Origin stack id type: string x-nullable: true quarantine_on_agent: title: Quarantine on agent type: boolean rule_confidence_default: enum: - moderate - strong - weak title: Rule confidence default type: string rule_count: default: 0 readOnly: true title: Rule count type: integer rule_disabled_count: default: 0 readOnly: true title: Rule disabled count type: integer rule_enabled_count: default: 0 readOnly: true title: Rule enabled count type: integer rule_experimental_count: default: 0 readOnly: true title: Rule experimental count type: integer rule_level_default: enum: - critical - high - informational - low - medium title: Rule level default type: string rule_stable_count: default: 0 readOnly: true title: Rule stable count type: integer rule_testing_count: default: 0 readOnly: true title: Rule testing count 
type: integer tenant: minLength: 1 readOnly: true title: Tenant type: string required: - name type: object SignatureInfo: properties: root_info: $ref: '#/definitions/Info' signed_authenticode: title: Signed authenticode type: boolean signed_catalog: title: Signed catalog type: boolean signer_info: $ref: '#/definitions/Info' required: - root_info - signed_authenticode - signed_catalog - signer_info type: object Simple: properties: '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/DataAgent' date: format: date-time title: Date type: string id: minLength: 1 title: Id type: string job_id: minLength: 1 title: Job id type: string job_instance_action: minLength: 1 title: Job instance action type: string job_instance_id: minLength: 1 title: Job instance id type: string job_instance_task_id: title: Job instance task id type: integer msg: minLength: 1 title: Msg type: string simple_type: minLength: 1 title: Simple type type: string success: title: Success type: boolean tenant: minLength: 1 title: Tenant type: string required: - '@timestamp' - agent - date - id - job_id - job_instance_action - job_instance_id - job_instance_task_id - msg - simple_type - success - tenant type: object SimpleAgent: properties: hostname: minLength: 1 readOnly: true title: Hostname type: string x-nullable: true id: format: uuid readOnly: true title: Id type: string type: object SimpleBatchRetrieve: properties: agent_count: minimum: 0 title: Agent count type: integer archived: title: Archived type: boolean creationtime: format: date-time title: Creationtime type: string creator: $ref: '#/definitions/HlSimpleUserSerializer' description: title: Description type: string x-nullable: true id: minLength: 1 title: Id type: string jobs: items: enum: - IOCScan - agentDiagnostic - agentMinidump - avScan - collectRAWEvidences - deleteScheduledTask - deleteService - downloadDirectory - downloadFile - filepathDeleter - getHives - getLoadedDriverList - getNetworkShare - 
getPipeList - getPrefetch - getProcessList - getQFE - getRawWMI - getScheduledTasks - getSessions - getStartupFileList - getWMI - knownProcessFinderKiller - listDirectory - memoryDumper - networkDiscovery - networkSniffer - parseFilesystem - persistanceScanner - processDumper - profileMemory - quarantineAcquireFile - quarantineAdd - quarantineDelete - quarantineRestore - registryOperation - searchProcessDumper - wildcardProcessFinderKiller - yaraScan type: string type: array source_id: minLength: 1 title: Source id type: string x-nullable: true source_type: enum: - agent - alert - batch_duplicated - endpoint_agent - endpoint_user - group - investigation - remote_shell - security_event - threat title: Source type type: string x-nullable: true template: title: Template type: string x-nullable: true title: title: Title type: string x-nullable: true required: - agent_count - creator - jobs type: object SimpleCorrelationRuleAndSourceSerializer: properties: correlation_rule_id: format: uuid title: Correlation rule id type: string correlation_rule_name: minLength: 1 title: Correlation rule name type: string correlation_source_id: format: uuid title: Correlation source id type: string correlation_source_name: minLength: 1 title: Correlation source name type: string required: - correlation_rule_id - correlation_rule_name - correlation_source_id - correlation_source_name type: object SimpleJob: properties: archived: title: Archived type: boolean creationtime: format: date-time title: Creationtime type: string creator: $ref: '#/definitions/HlSimpleUserSerializer' description: title: Description type: string x-nullable: true endpoint_username: maxLength: 4096 minLength: 1 title: Endpoint username type: string x-nullable: true id: minLength: 1 title: Id type: string is_scheduled: title: Is scheduled type: boolean remote_shell_session: format: uuid title: Remote shell session type: string x-nullable: true source_id: minLength: 1 title: Source id type: string x-nullable: true 
source_type: enum: - agent - alert - batch_duplicated - endpoint_agent - endpoint_user - group - investigation - remote_shell - security_event - threat title: Source type type: string x-nullable: true template: title: Template type: string x-nullable: true title: title: Title type: string x-nullable: true version: enum: - 1 - 2 title: Version type: integer type: object SimpleSigmaRuleAndSourceSerializer: properties: sigma_rule_id: format: uuid title: Sigma rule id type: string sigma_rule_name: minLength: 1 title: Sigma rule name type: string sigma_source_id: format: uuid title: Sigma source id type: string sigma_source_name: minLength: 1 title: Sigma source name type: string required: - sigma_rule_id - sigma_rule_name - sigma_source_id - sigma_source_name type: object SimpleSubnet: properties: gateway_ipaddress: minLength: 1 readOnly: true title: Gateway ipaddress type: string x-nullable: true gateway_macaddress: minLength: 1 readOnly: true title: Gateway macaddress type: string x-nullable: true gateway_oui: minLength: 1 readOnly: true title: Gateway oui type: string x-nullable: true id: format: uuid readOnly: true title: Id type: string name: minLength: 1 readOnly: true title: Name type: string x-nullable: true type: object SimpleTenant: properties: tenant: minLength: 1 title: Tenant type: string x-nullable: true type: object SimpleWindowsGroup: properties: domain: minLength: 1 readOnly: true title: Domain type: string x-nullable: true id: minLength: 1 readOnly: true title: Id type: string kind: enum: - domain_local_group - global_group - local_group - well_known_group readOnly: true title: Kind type: string name: minLength: 1 readOnly: true title: Name type: string sid: minLength: 1 readOnly: true title: Sid type: string x-nullable: true type: object SingleUpdateFIMFileModification: properties: id: format: uuid title: Id type: string status: enum: - accepted - not reviewed - rejected title: Status type: string required: - id - status type: object Startup: 
properties: '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/DataAgent' binaryinfo: $ref: '#/definitions/BinaryInfoWithPath' filename: minLength: 1 title: Filename type: string fullpathname: minLength: 1 title: Fullpathname type: string id: minLength: 1 title: Id type: string item_status: title: Item status type: integer job_id: minLength: 1 title: Job id type: string job_instance_action: minLength: 1 title: Job instance action type: string job_instance_id: minLength: 1 title: Job instance id type: string job_instance_task_id: title: Job instance task id type: integer mainfile_binaryinfo: $ref: '#/definitions/BinaryInfoWithPath' target_arguments: minLength: 1 title: Target arguments type: string target_path: minLength: 1 title: Target path type: string tenant: minLength: 1 title: Tenant type: string username: minLength: 1 title: Username type: string required: - '@timestamp' - agent - binaryinfo - filename - fullpathname - id - item_status - job_id - job_instance_action - job_instance_id - job_instance_task_id - mainfile_binaryinfo - target_arguments - target_path - tenant - username type: object Stat: properties: agent: items: $ref: '#/definitions/StatAgent' type: array alert_type: $ref: '#/definitions/AlertType' at_risk: default: 0 title: At risk type: integer closed: default: 0 title: Closed type: integer closed_percent: default: 0 title: Closed percent type: integer cyber_kill_chain: $ref: '#/definitions/CyberKillChain' investigating: default: 0 title: Investigating type: integer investigating_percent: default: 0 title: Investigating percent type: integer level: $ref: '#/definitions/Level' new: default: 0 title: New type: integer new_percent: default: 0 title: New percent type: integer prevented: default: 0 title: Prevented type: integer prevented_percent: default: 0 title: Prevented percent type: integer rule: items: $ref: '#/definitions/Rule' type: array total: default: 0 title: Total type: integer required: - agent 
- alert_type - cyber_kill_chain - level - rule type: object StatAgent: properties: count: default: 0 title: Count type: integer id: minLength: 1 title: Id type: string name: minLength: 1 title: Name type: string required: - id - name type: object StaticAnalysis: properties: analysis_date: format: date-time title: Analysis date type: string capabilities: items: $ref: '#/definitions/Capability' type: array capabilities_count: title: Capabilities count type: integer cobalt_conf: $ref: '#/definitions/CobaltConf' elf_report: $ref: '#/definitions/ElfReport' exports_count: title: Exports count type: integer extracted: items: minLength: 1 type: string type: array file_availability: enum: - 0 - 1 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - 255 readOnly: true title: File availability type: integer id: minLength: 1 title: Id type: string imports: items: $ref: '#/definitions/Import' type: array imports_count: title: Imports count type: integer kinds: items: minLength: 1 type: string type: array lnk_report: $ref: '#/definitions/LnkReport' macho_report: $ref: '#/definitions/MachoReport' magic: minLength: 1 title: Magic type: string pe_report: $ref: '#/definitions/PeReport' sha256: minLength: 1 title: Sha256 type: string size: title: Size type: integer special_strings: items: $ref: '#/definitions/ExtractedSpecialCategory' type: array special_strings_count: title: Special strings count type: integer status: enum: - 0 - 1 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - 255 readOnly: true title: Status type: integer strings_count: title: Strings count type: integer tags: items: $ref: '#/definitions/StaticAnalysisTag' type: array tlsh: minLength: 1 title: Tlsh type: string required: - analysis_date - capabilities - capabilities_count - cobalt_conf - elf_report - exports_count - extracted - id - imports - imports_count - kinds - lnk_report - macho_report - magic - pe_report - sha256 - size - special_strings - special_strings_count - strings_count - tags - tlsh type: object StaticAnalysisTag: properties: 
level: title: Level type: integer name: minLength: 1 title: Name type: string required: - level - name type: object StatusJobInstance: properties: action: minLength: 1 readOnly: true title: Action type: string endtime: format: date-time readOnly: true title: Endtime type: string x-nullable: true id: minLength: 1 readOnly: true title: Id type: string job_id: readOnly: true title: Job id type: string starttime: format: date-time readOnly: true title: Starttime type: string x-nullable: true state: enum: - 0 - 1 - 2 - 3 - 4 - 5 - 6 - 7 - 8 readOnly: true title: State type: integer type: object SubEvent: properties: '@event_create_date': format: date-time title: '@event create date' type: string '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/IndexedInnerAgent' alert_subtype: minLength: 1 title: Alert subtype type: string alert_time: format: date-time title: Alert time type: string alert_type: enum: - cape - correlation - device_control - driver - glimps - hlai - hlaiscripts - hurukaiav - ioc - kernelguard - orion - ransom - selfprotection - sidewatch - sigma - vt - yara title: Alert type type: string alert_unique_id: minLength: 1 title: Alert unique id type: string av_detection_details: $ref: '#/definitions/AntivirusDetectionDetails' bpf: $ref: '#/definitions/ECSBpf' byovd_detection_details: $ref: '#/definitions/ByovdDetectionDetails' comm_port_tamper: $ref: '#/definitions/CommPortTamper' confidence: minLength: 1 title: Confidence type: string confidence_int: title: Confidence int type: integer correlation: $ref: '#/definitions/CorrelationInfo' correlation_event_id: minLength: 1 title: Correlation event id type: string correlation_rule_id: minLength: 1 title: Correlation rule id type: string destination: $ref: '#/definitions/ECSDestination' details_amsi_scan: $ref: '#/definitions/DetailAmsiScan' details_connection: $ref: '#/definitions/DetailConnection' details_dns_resolution: $ref: '#/definitions/DetailDnsResolution' 
details_file: $ref: '#/definitions/DetailFile' details_library: $ref: '#/definitions/DetailLibrary' details_linux_filesystem_event: $ref: '#/definitions/DetailLinuxFilesystemEvent' details_macos_filesystem_event: $ref: '#/definitions/DetailMacosFilesystemEvent' details_named_pipe_connected: $ref: '#/definitions/DetailNamedPipeConnected' details_named_pipe_created: $ref: '#/definitions/DetailNamedPipeCreated' details_network_listen: $ref: '#/definitions/DetailNetworkListen' details_powershell: $ref: '#/definitions/DetailPowershell' details_primary_token_change: $ref: '#/definitions/DetailPrimaryTokenChange' details_process_access: $ref: '#/definitions/DetailProcessAccess' details_process_tamper: $ref: '#/definitions/DetailProcessTamper' details_raw_device_access: $ref: '#/definitions/DetailRawDeviceAccess' details_raw_socket_creation: $ref: '#/definitions/DetailRawSocketCreation' details_registry: $ref: '#/definitions/DetailRegistry' details_remotethread: $ref: '#/definitions/DetailRemoteThread' details_url_request: $ref: '#/definitions/DetailUrlRequest' details_usb_device_event: $ref: '#/definitions/DetailsUsbDeviceEvent' details_windows_filesystem_event: $ref: '#/definitions/DetailWindowsFilesystemEvent' detection_date: format: date-time title: Detection date type: string detection_origin: minLength: 1 title: Detection origin type: string detection_timestamp: format: date-time title: Detection timestamp type: string driverload: $ref: '#/definitions/InnerDriverLoad' dse_tamper: $ref: '#/definitions/DseTamper' etw_ti_ke_insert_queue_apc: $ref: '#/definitions/ECSEtwTiKeInsertQueueApc' etw_ti_nt_allocate_virtual_memory: $ref: '#/definitions/ECSEtwTiNtAllocateVirtualMemory' etw_ti_nt_map_view_of_section: $ref: '#/definitions/ECSEtwTiNtMapViewOfSection' etw_ti_nt_protect_virtual_memory: $ref: '#/definitions/ECSEtwTiNtProtectVirtualMemory' etw_ti_nt_read_virtual_memory: $ref: '#/definitions/ECSEtwTiNtReadWriteVirtualMemory' etw_ti_nt_set_context_thread: $ref: 
'#/definitions/ECSEtwTiNtSetContextThread' etw_ti_nt_write_virtual_memory: $ref: '#/definitions/ECSEtwTiNtReadWriteVirtualMemory' event: $ref: '#/definitions/ECSEvent' event_session: $ref: '#/definitions/SessionInfo' eventlog: $ref: '#/definitions/InnerEventLog' firewall_self_protection: $ref: '#/definitions/FirewallSelfProtection' group_event: $ref: '#/definitions/InnerGroupEvent' hlai_binaries_benchmark_data: $ref: '#/definitions/HlaiBinariesBenchmarkData' hlai_scripts_benchmark_data: $ref: '#/definitions/HlaiScriptsBenchmarkData' id: minLength: 1 title: Id type: string ingestion_date: format: date-time title: Ingestion date type: string is_standalone_rule: title: Is standalone rule type: boolean kernel_callback: $ref: '#/definitions/KernelCallback' level: minLength: 1 title: Level type: string level_int: title: Level int type: integer log_type: minLength: 1 title: Log type type: string mitre_cells: items: minLength: 1 type: string type: array msg: minLength: 1 title: Msg type: string network: $ref: '#/definitions/InnerNetwork' origin_stack: $ref: '#/definitions/OriginStack' process: $ref: '#/definitions/InnerProcess' process_duplicate_handle: $ref: '#/definitions/ECSProcessDuplicateHandle' process_ptrace: $ref: '#/definitions/ECSProcessPtrace' process_session: $ref: '#/definitions/SessionInfo' ransomguard_canary_data: $ref: '#/definitions/RansomguardCanaryData' ransomguard_detection_type: minLength: 1 title: Ransomguard detection type type: string ransomguard_heuristic_data: $ref: '#/definitions/RansomguardHeuristicData' references: items: minLength: 1 type: string type: array rule_content: minLength: 1 title: Rule content type: string rule_id: minLength: 1 title: Rule id type: string rule_name: minLength: 1 title: Rule name type: string scheduled_task: $ref: '#/definitions/ECSScheduledTask' sidewatch_detection_details: $ref: '#/definitions/SidewatchDetectionDetails' source: $ref: '#/definitions/ECSSource' stack_trace: $ref: '#/definitions/ECSStackTrace' tags: 
items: minLength: 1 type: string type: array target: $ref: '#/definitions/ECSTarget' tenant: minLength: 1 title: Tenant type: string thread: $ref: '#/definitions/InnerInjectedThread' user: $ref: '#/definitions/ECSUser' user_event: $ref: '#/definitions/InnerUserEvent' win32k_get_async_key_state: $ref: '#/definitions/ECSWin32kGetAsyncKeyState' win32k_register_raw_input_devices: $ref: '#/definitions/ECSWin32kRegisterRawInputDevices' win32k_set_windows_hook_ex: $ref: '#/definitions/ECSWin32kSetWindowsHookEx' windows_service: $ref: '#/definitions/ECSWindowsService' wmi_event: $ref: '#/definitions/WmiEvent' required: - '@event_create_date' - '@timestamp' - alert_subtype - alert_time - alert_type - alert_unique_id - bpf - confidence - confidence_int - correlation_event_id - correlation_rule_id - destination - detection_date - detection_origin - detection_timestamp - etw_ti_ke_insert_queue_apc - etw_ti_nt_allocate_virtual_memory - etw_ti_nt_map_view_of_section - etw_ti_nt_protect_virtual_memory - etw_ti_nt_read_virtual_memory - etw_ti_nt_set_context_thread - etw_ti_nt_write_virtual_memory - event - group_event - id - ingestion_date - is_standalone_rule - level - level_int - log_type - mitre_cells - msg - process_duplicate_handle - process_ptrace - ransomguard_detection_type - references - rule_content - rule_id - rule_name - scheduled_task - source - stack_trace - tags - target - tenant - user - user_event - win32k_get_async_key_state - win32k_register_raw_input_devices - win32k_set_windows_hook_ex - windows_service type: object SubPolicyCodeDetailsResponse: properties: code: default: unknown_error enum: - default_policy_protection - endpoint_policy_not_found - multiple_policy_deleted - no_policy_deleted - not_owned_policy - policy_in_use - policy_update_failed - policy_with_same_name_exists - unknown_error title: Code type: string details: minLength: 1 title: Details type: string required: - details type: object SubPolicyCopyResponse: properties: details: minLength: 1 
title: Details type: string new_description: minLength: 1 title: New description type: string new_id: minLength: 1 title: New id type: string new_name: minLength: 1 title: New name type: string required: - details - new_description - new_id - new_name type: object SubnetAgg: properties: gateway_ipaddress: minLength: 1 title: Gateway ipaddress type: string gateway_macaddress: minLength: 1 title: Gateway macaddress type: string id: minLength: 1 title: Id type: string name: minLength: 1 title: Name type: string observation_count: title: Observation count type: integer required: - id - observation_count type: object SubnetBulkAction: properties: action: enum: - disable_autoscan - disable_blacklist - disable_whitelist - enable_autoscan - enable_blacklist - enable_whitelist - launch_scan title: Action type: string ids: items: format: uuid type: string type: array required: - action - ids type: object SubnetBulkActionResponse: properties: status: enum: - invalid_action - no_agents_available - success - unknown_error title: Status type: string unscannable_subnets: items: $ref: '#/definitions/__SubnetSerializer' readOnly: true type: array required: - status type: object SubnetExclusion: properties: cidr: minLength: 1 title: Cidr type: string x-nullable: true comment: title: Comment type: string x-nullable: true description: title: Description type: string x-nullable: true enabled: title: Enabled type: boolean id: format: uuid title: Id type: string ip_address: minLength: 1 title: Ip address type: string x-nullable: true ip_range: readOnly: true title: Ip range type: string ip_range_end: minLength: 1 title: Ip range end type: string x-nullable: true mac_addresses: items: minLength: 1 type: string type: array reason: title: Reason type: string x-nullable: true vendor_codes: items: minLength: 1 type: string type: array type: object SubnetInclusion: properties: cidr: minLength: 1 title: Cidr type: string x-nullable: true description: title: Description type: string x-nullable: 
true enabled: title: Enabled type: boolean id: format: uuid title: Id type: string ip_address: minLength: 1 title: Ip address type: string x-nullable: true ip_range: readOnly: true title: Ip range type: string ip_range_end: minLength: 1 title: Ip range end type: string x-nullable: true mac_addresses: items: minLength: 1 type: string type: array vendor_codes: items: minLength: 1 type: string type: array type: object SubnetStats: properties: first_observation_time: format: date-time title: First observation time type: string last_observation_time: format: date-time title: Last observation time type: string required: - first_observation_time - last_observation_time type: object SupervisorAllConfigSection: properties: tenants: additionalProperties: $ref: '#/definitions/AllConfigSection' title: Tenants type: object required: - tenants type: object SupervisorAllConfigSectionDownload: properties: config: $ref: '#/definitions/SupervisorAllConfigSection' version: minLength: 1 title: Version type: string required: - config type: object SysinternalsUsage: properties: '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/DataAgent' id: minLength: 1 title: Id type: string item_status: title: Item status type: integer job_id: minLength: 1 title: Job id type: string job_instance_action: minLength: 1 title: Job instance action type: string job_instance_id: minLength: 1 title: Job instance id type: string job_instance_task_id: title: Job instance task id type: integer programname: minLength: 1 title: Programname type: string tenant: minLength: 1 title: Tenant type: string timestamp: format: date-time title: Timestamp type: string username: minLength: 1 title: Username type: string required: - '@timestamp' - agent - id - item_status - job_id - job_instance_action - job_instance_id - job_instance_task_id - programname - tenant - timestamp - username type: object Tag: properties: ids: items: type: string x-nullable: true type: array new_comment: 
title: New comment type: string new_status: minLength: 1 title: New status type: string required: - ids - new_status type: object Target: properties: agents: items: type: string x-nullable: true type: array groups: items: type: string x-nullable: true type: array required: - agents - groups type: object Task: properties: action: $ref: '#/definitions/AllAction' can_read_action: description: |- True if the user has read access on this action. If False, the job params will be omitted. Non-sensitive information, such as the status and the existence of this action, is still provided to users who can access at least one action in the job, to give them context. title: Can read action type: boolean id: format: uuid title: Id type: string status: $ref: '#/definitions/BatchStats' task_id: title: Task id type: integer required: - action - can_read_action - id - status - task_id type: object TaskDeliveryInfo: properties: exchange: minLength: 1 title: Exchange type: string priority: title: Priority type: integer redelivered: title: Redelivered type: boolean routing_key: minLength: 1 title: Routing key type: string required: - exchange - priority - redelivered - routing_key type: object TaskDetail: properties: acknowledged: title: Acknowledged type: boolean args: items: type: string type: array delivery_info: $ref: '#/definitions/TaskDeliveryInfo' hostname: minLength: 1 title: Hostname type: string id: minLength: 1 title: Id type: string kwargs: additionalProperties: type: string title: Kwargs type: object name: minLength: 1 title: Name type: string time_start: title: Time start type: number type: minLength: 1 title: Type type: string worker: minLength: 1 title: Worker type: string worker_pid: title: Worker pid type: integer required: - acknowledged - args - delivery_info - hostname - id - kwargs - name - time_start - type - worker - worker_pid type: object TaskDetailList: properties: count: title: Count type: integer results: items: $ref: '#/definitions/TaskDetail' type: array 
required: - count - results type: object TaskResult: properties: content_encoding: description: The encoding used to save the task result data maxLength: 64 minLength: 1 title: Result Encoding type: string content_type: description: Content type of the result data maxLength: 128 minLength: 1 title: Result Content Type type: string date_created: description: Datetime field when the task result was created in UTC format: date-time readOnly: true title: Created DateTime type: string date_done: description: Datetime field when the task was completed in UTC format: date-time readOnly: true title: Completed DateTime type: string id: readOnly: true title: ID type: integer meta: description: JSON meta information about the task, such as information on child tasks minLength: 1 readOnly: true title: Task Meta Information type: string x-nullable: true periodic_task_name: description: Name of the Periodic Task that was run maxLength: 255 minLength: 1 title: Periodic Task Name type: string x-nullable: true result: description: The data returned by the task. Use the content_encoding and content_type fields to decode it. 
minLength: 1 readOnly: true title: Result Data type: string x-nullable: true status: description: Current state of the task being run enum: - FAILURE - PENDING - RECEIVED - RETRY - REVOKED - STARTED - SUCCESS title: Task State type: string task_args: description: JSON representation of the positional arguments used with the task minLength: 1 title: Task Positional Arguments type: string x-nullable: true task_id: description: Celery ID for the Task that was run maxLength: 255 minLength: 1 title: Task ID type: string task_kwargs: description: JSON representation of the named arguments used with the task minLength: 1 title: Task Named Arguments type: string x-nullable: true task_name: description: Name of the Task which was run maxLength: 255 minLength: 1 title: Task Name type: string x-nullable: true traceback: description: Text of the traceback if the task generated one title: Traceback type: string x-nullable: true worker: description: Worker that executes the task maxLength: 100 minLength: 1 title: Worker type: string x-nullable: true required: - content_encoding - content_type - task_id type: object Technique: properties: hits: title: Hits type: integer technique_id: minLength: 1 title: Technique id type: string technique_name: minLength: 1 title: Technique name type: string required: - hits - technique_id - technique_name type: object TelemetryConfigResponse: properties: live_override_allowed: title: Live override allowed type: boolean telemetries: $ref: '#/definitions/TelemetryConfigTelemetries' required: - live_override_allowed - telemetries type: object TelemetryConfigTelemetries: properties: telemetry_amsi_dynamic_scripts_state: $ref: '#/definitions/_TelemetryConfigItem' telemetry_amsi_other_scans_state: $ref: '#/definitions/_TelemetryConfigItem' telemetry_authentication_state: $ref: '#/definitions/_TelemetryConfigItem' telemetry_dns_resolution_state: $ref: '#/definitions/_TelemetryConfigItem' telemetry_dotnet_library_state: $ref: 
'#/definitions/_TelemetryConfigItem' telemetry_driverload_state: $ref: '#/definitions/_TelemetryConfigItem' telemetry_file_download_state: $ref: '#/definitions/_TelemetryConfigItem' telemetry_file_state: $ref: '#/definitions/_TelemetryConfigItem' telemetry_kube_pod_event_state: $ref: '#/definitions/_TelemetryConfigItem' telemetry_library_load_state: $ref: '#/definitions/_TelemetryConfigItem' telemetry_log_state: $ref: '#/definitions/_TelemetryConfigItem' telemetry_named_pipe_state: $ref: '#/definitions/_TelemetryConfigItem' telemetry_network_listen_state: $ref: '#/definitions/_TelemetryConfigItem' telemetry_network_state: $ref: '#/definitions/_TelemetryConfigItem' telemetry_powershell_state: $ref: '#/definitions/_TelemetryConfigItem' telemetry_process_access_state: $ref: '#/definitions/_TelemetryConfigItem' telemetry_process_state: $ref: '#/definitions/_TelemetryConfigItem' telemetry_process_tamper_state: $ref: '#/definitions/_TelemetryConfigItem' telemetry_raw_device_access_state: $ref: '#/definitions/_TelemetryConfigItem' telemetry_raw_socket_creation_state: $ref: '#/definitions/_TelemetryConfigItem' telemetry_registry_state: $ref: '#/definitions/_TelemetryConfigItem' telemetry_remotethread_state: $ref: '#/definitions/_TelemetryConfigItem' telemetry_scheduled_tasks_state: $ref: '#/definitions/_TelemetryConfigItem' telemetry_service_state: $ref: '#/definitions/_TelemetryConfigItem' telemetry_url_request_state: $ref: '#/definitions/_TelemetryConfigItem' telemetry_usb_activity_state: $ref: '#/definitions/_TelemetryConfigItem' telemetry_user_group_state: $ref: '#/definitions/_TelemetryConfigItem' telemetry_wmi_event_state: $ref: '#/definitions/_TelemetryConfigItem' type: object TelemetryWmiEvent: properties: '@event_create_date': format: date-time title: '@event create date' type: string '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/InnerAgent' consumer: minLength: 1 title: Consumer type: string destination: minLength: 1 
title: Destination type: string event_date: format: date-time title: Event date type: string filter: minLength: 1 title: Filter type: string groups: $ref: '#/definitions/InnerGroup' id: minLength: 1 title: Id type: string kind: minLength: 1 title: Kind type: string log_type: minLength: 1 title: Log type type: string name: minLength: 1 title: Name type: string namespace: minLength: 1 title: Namespace type: string operation: minLength: 1 title: Operation type: string origin_stack: $ref: '#/definitions/OriginStack' query: minLength: 1 title: Query type: string tenant: minLength: 1 title: Tenant type: string type: minLength: 1 title: Type type: string user_name: minLength: 1 title: User name type: string user_sid: minLength: 1 title: User sid type: string required: - '@event_create_date' - '@timestamp' - agent - consumer - destination - event_date - filter - groups - id - kind - log_type - name - namespace - operation - query - tenant - type - user_name - user_sid type: object TestPassword: properties: password: minLength: 1 title: Password type: string username: minLength: 1 title: Username type: string required: - username type: object Thread: properties: region_base_address: title: Region base address type: integer region_dump: format: uri readOnly: true title: Region dump type: string region_protect: title: Region protect type: integer region_size: title: Region size type: integer region_state: title: Region state type: integer region_type: title: Region type type: integer start_address: title: Start address type: integer start_time: format: date-time title: Start time type: string suspicious: title: Suspicious type: boolean thread_dump: format: uri readOnly: true title: Thread dump type: string thread_id: title: Thread id type: integer thread_state: title: Thread state type: integer wait_reason: title: Wait reason type: integer required: - region_base_address - region_protect - region_size - region_state - region_type - start_address - start_time - suspicious - 
thread_id - thread_state - wait_reason type: object ThreadDump: properties: approximate_last_seen: format: date-time title: Approximate last seen type: string downloaded: title: Downloaded type: integer downloaded_date: format: date-time title: Downloaded date type: string first_seen: format: date-time title: First seen type: string hashes: $ref: '#/definitions/Hashes' id: minLength: 1 title: Id type: string ostype: minLength: 1 title: Ostype type: string size: title: Size type: integer tenant: minLength: 1 title: Tenant type: string required: - approximate_last_seen - downloaded - downloaded_date - first_seen - hashes - id - ostype - size - tenant type: object Threat: properties: agent_count: minimum: 0 readOnly: true title: Agent count type: integer closed_date: format: date-time readOnly: true title: Closed date type: string x-nullable: true creation_date: format: date-time readOnly: true title: Creation date type: string first_seen: format: date-time readOnly: true title: First seen type: string id: minLength: 1 title: Id type: string impacted_user_count: minimum: 0 readOnly: true title: Impacted user count type: integer last_seen: format: date-time readOnly: true title: Last seen type: string level: enum: - critical - high - low - medium readOnly: true title: Level type: string linked_threat: format: uuid readOnly: true title: Linked threat type: string x-nullable: true mitre_tactics: additionalProperties: type: string x-nullable: true readOnly: true title: Mitre tactics type: object old_id: readOnly: true title: Old id type: integer origin_stack: $ref: '#/definitions/OriginStack' rule_count: minimum: 0 readOnly: true title: Rule count type: integer slug: minLength: 1 readOnly: true title: Slug type: string status: enum: - closed - false_positive - investigating - new readOnly: true title: Status type: string tenant: minLength: 1 readOnly: true title: Tenant type: string top_agents: items: $ref: '#/definitions/ThreatAgent' readOnly: true type: array 
top_impacted_users: items: $ref: '#/definitions/ThreatUser' readOnly: true type: array top_rules: items: $ref: '#/definitions/ThreatRule' readOnly: true type: array total_security_event_count: readOnly: true title: Total security event count type: integer required: - id type: object ThreatAgent: properties: agent_hostname: minLength: 1 readOnly: true title: Agent hostname type: string agent_id: readOnly: true title: Agent id type: string agent_osproducttype: minLength: 1 readOnly: true title: Agent osproducttype type: string agent_ostype: enum: - linux - macos - unknown - windows readOnly: true title: Agent ostype type: string agent_osversion: minLength: 1 readOnly: true title: Agent osversion type: string agent_status: enum: - access_denied - idle - offline - online - unknown readOnly: true title: Agent status type: string security_event_count: readOnly: true title: Security event count type: integer type: object ThreatDefaultAction: properties: default_actions: enum: - allow - block - clean - no_action - quarantine - remove - user_defined title: Default actions type: string threat_id: maximum: 9223372036854775807 minimum: -9223372036854775808 title: Threat id type: integer required: - default_actions - threat_id type: object ThreatDetail: properties: agent_count: minimum: 0 readOnly: true title: Agent count type: integer closed_date: format: date-time readOnly: true title: Closed date type: string x-nullable: true creation_date: format: date-time readOnly: true title: Creation date type: string first_seen: format: date-time readOnly: true title: First seen type: string id: minLength: 1 title: Id type: string impacted_user_count: minimum: 0 readOnly: true title: Impacted user count type: integer last_seen: format: date-time readOnly: true title: Last seen type: string level: enum: - critical - high - low - medium readOnly: true title: Level type: string linked_threat: format: uuid readOnly: true title: Linked threat type: string x-nullable: true mitre_tactics: 
additionalProperties: type: string x-nullable: true readOnly: true title: Mitre tactics type: object note: $ref: '#/definitions/Note' old_id: readOnly: true title: Old id type: integer origin_stack: $ref: '#/definitions/OriginStack' rule_count: minimum: 0 readOnly: true title: Rule count type: integer security_event_count_by_level: $ref: '#/definitions/SecurityEventCountByLevel' security_event_count_by_status: $ref: '#/definitions/SecurityEventCountByStatus' slug: minLength: 1 readOnly: true title: Slug type: string status: enum: - closed - false_positive - investigating - new readOnly: true title: Status type: string top_agents: items: $ref: '#/definitions/ThreatAgent' readOnly: true type: array top_impacted_users: items: $ref: '#/definitions/ThreatUser' readOnly: true type: array top_rules: items: $ref: '#/definitions/ThreatRule' readOnly: true type: array total_security_event_count: readOnly: true title: Total security event count type: integer required: - id type: object ThreatIntelligence: properties: default_hl_status: default: stable minLength: 1 title: Default hl status type: string force_hl_status: default: false title: Force hl status type: boolean test_maturity_delay: minimum: 1 title: Test maturity delay type: integer x-nullable: true test_maturity_threshold: minimum: 1 title: Test maturity threshold type: integer x-nullable: true type: object ThreatIntelligencePermissions: properties: engines: enum: - disabled - read_only - read_write title: Engines type: string manage_lifecycle: title: Manage lifecycle type: boolean whitelists: enum: - disabled - read_only - read_write title: Whitelists type: string required: - engines - manage_lifecycle - whitelists type: object ThreatRule: properties: creation_date: readOnly: true title: Creation date type: string description: readOnly: true title: Description type: string id: readOnly: true title: ID type: integer last_update: readOnly: true title: Last update type: string rule_id: minLength: 1 title: Rule id type: 
string rule_level: enum: - critical - high - informational - low - medium title: Rule level type: string rule_msg: title: Rule msg type: string x-nullable: true rule_name: minLength: 1 title: Rule name type: string rule_os: items: type: string readOnly: true type: array rule_type: enum: - all - assemblyline - base - cape - correlation - device_control - driver - glimps - hibou - hlai - hlaiscripts - hurukaiav - ioc - irma - kernelguard - orion - ransom - selfprotection - sidewatch - sigma - unknown - vt - yara title: Rule type type: string security_event_count: maximum: 2147483647 minimum: -2147483648 title: Security event count type: integer required: - rule_id - rule_level - rule_name type: object ThreatStatusBinding: properties: enabled: default: true title: Enabled type: boolean type: object ThreatUser: properties: security_event_count: readOnly: true title: Security event count type: integer user_name: minLength: 1 readOnly: true title: User name type: string user_sid: minLength: 1 readOnly: true title: User sid type: string type: object TimelineFavorite: properties: agent_id: format: uuid title: Agent id type: string id: format: uuid readOnly: true title: Id type: string timeline_event_id: maxLength: 64 minLength: 1 title: Timeline event id type: string required: - agent_id - timeline_event_id type: object TimelineGraph: properties: count: items: additionalProperties: minimum: 1 type: integer type: object type: array date: format: date-time title: Date type: string required: - count - date type: object Token: properties: auth_token: minLength: 1 title: Auth token type: string required: - auth_token type: object Turorial: properties: nix: $ref: '#/definitions/NixTutorial' nix_store: $ref: '#/definitions/NixTutorial' required: - nix - nix_store type: object x-nullable: true USBActivity: properties: '@event_create_date': format: date-time title: '@event create date' type: string '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: 
'#/definitions/InnerAgent' db_product_name: description: Name reported directly by the USB device's firmware minLength: 1 title: Db product name type: string db_vendor_name: description: Name reported directly by the USB device's firmware minLength: 1 title: Db vendor name type: string device_class: minLength: 1 title: Device class type: string device_product_name: description: Official product name standardized by the Linux USB ID database minLength: 1 title: Device product name type: string device_protocol: minLength: 1 title: Device protocol type: string device_subclass: minLength: 1 title: Device subclass type: string device_vendor_name: description: Official vendor name standardized by the Linux USB ID database minLength: 1 title: Device vendor name type: string event_type: enum: - blocked - connected - disconnected title: Event type type: string groups: $ref: '#/definitions/InnerGroup' id: minLength: 1 title: Id type: string interfaces: items: $ref: '#/definitions/InnerUSBInterface' type: array log_type: minLength: 1 title: Log type type: string origin_stack: $ref: '#/definitions/OriginStack' product_id: minLength: 1 title: Product id type: string product_name: description: Name sourced either from the Linux USB ID database, or the USB device's firmware minLength: 1 title: Product name type: string serial_number: minLength: 1 title: Serial number type: string tenant: minLength: 1 title: Tenant type: string utc_time: format: date-time title: Utc time type: string vendor_id: minLength: 1 title: Vendor id type: string vendor_name: description: Name sourced either from the Linux USB ID database, or the USB device's firmware minLength: 1 title: Vendor name type: string required: - '@event_create_date' - '@timestamp' - agent - db_product_name - db_vendor_name - device_class - device_product_name - device_protocol - device_subclass - device_vendor_name - event_type - groups - id - interfaces - log_type - product_id - product_name - serial_number - tenant - utc_time 
- vendor_id - vendor_name type: object UUIDList: properties: all: default: false title: All type: boolean ids: items: format: uuid type: string type: array type: object UnprotectedAssetBulkUpdateCompatibility: properties: ids: items: format: uuid type: string type: array value: enum: - compatible - uncompatible - unknown title: Value type: string required: - ids - value type: object UnprotectedAssetBulkUpdateOS: properties: ids: items: format: uuid type: string type: array value: enum: - linux - macos - unknown - windows title: Value type: string required: - ids - value type: object UnprotectedAssetBulkUpdateResponse: properties: compatibility_update_count: title: Compatibility update count type: integer missing_ids: items: format: uuid type: string type: array os_update_count: title: Os update count type: integer status: enum: - invalid_endpoint_asset_ids - no_endpoint_asset_found - success title: Status type: string required: - status type: object UnprotectedAssetDetails: properties: acknowledged: enum: - seen - to_check readOnly: true title: Acknowledged type: string active_directory_devices: items: $ref: '#/definitions/IdentityActiveDirectoryDevice' readOnly: true type: array compatibility: enum: - compatible - uncompatible - unknown readOnly: true title: Compatibility type: string creation_date: format: date-time readOnly: true title: Creation date type: string description: minLength: 1 readOnly: true title: Description type: string x-nullable: true entra_id_devices: items: $ref: '#/definitions/IdentityEntraIdDevice' readOnly: true type: array id: format: uuid readOnly: true title: Id type: string last_update: format: date-time readOnly: true title: Last update type: string name: minLength: 1 readOnly: true title: Name type: string x-nullable: true network_interfaces: items: $ref: '#/definitions/NetworkDeviceDetails' readOnly: true type: array os: enum: - linux - macos - unknown - windows readOnly: true title: Os type: string type: object UnprotectedAssetKPI: 
properties: linux_compatible: readOnly: true title: Linux compatible type: integer linux_uncompatible: readOnly: true title: Linux uncompatible type: integer macos_compatible: readOnly: true title: Macos compatible type: integer macos_uncompatible: readOnly: true title: Macos uncompatible type: integer total_compatible: readOnly: true title: Total compatible type: integer total_uncompatible: readOnly: true title: Total uncompatible type: integer unknown_uncompatible: readOnly: true title: Unknown uncompatible type: integer windows_compatible: readOnly: true title: Windows compatible type: integer windows_uncompatible: readOnly: true title: Windows uncompatible type: integer type: object UnprotectedAssetList: properties: acknowledged: enum: - seen - to_check readOnly: true title: Acknowledged type: string compatibility: enum: - compatible - uncompatible - unknown readOnly: true title: Compatibility type: string creation_date: format: date-time readOnly: true title: Creation date type: string description: minLength: 1 readOnly: true title: Description type: string x-nullable: true id: format: uuid readOnly: true title: Id type: string ip: minLength: 1 readOnly: true title: Ip type: string last_update: format: date-time readOnly: true title: Last update type: string mac_addr: minLength: 1 readOnly: true title: Mac addr type: string name: minLength: 1 readOnly: true title: Name type: string x-nullable: true netbios_groups: items: minLength: 1 type: string type: array netbios_name: minLength: 1 readOnly: true title: Netbios name type: string network_device_count: readOnly: true title: Network device count type: integer observation_count: readOnly: true title: Observation count type: integer os: enum: - linux - macos - unknown - windows readOnly: true title: Os type: string oui_vendor: minLength: 1 readOnly: true title: Oui vendor type: string random_hardware_address: readOnly: true title: Random hardware address type: boolean rmDNS_additional_records: items: minLength: 
1 type: string type: array rmDNS_names: items: minLength: 1 type: string type: array subnet_discovered_by: $ref: '#/definitions/_SubnetDiscoveredBy' required: - netbios_groups - rmDNS_additional_records - rmDNS_names type: object UnprotectedAssetUpdate: properties: acknowledged: enum: - seen - to_check title: Acknowledged type: string compatibility: enum: - compatible - uncompatible - unknown title: Compatibility type: string description: title: Description type: string x-nullable: true name: title: Name type: string x-nullable: true os: enum: - linux - macos - unknown - windows title: Os type: string type: object UpdateAllRuleset: properties: new_actions: $ref: '#/definitions/Actions' set_default: default: false title: Set default type: boolean set_source_actions: default: false title: Set source actions type: boolean set_source_default_actions: default: false title: Set source default actions type: boolean state: enum: - alert - backend_alert - block - default - disabled - quarantine title: State type: string required: - state type: object UpdateFIMFileModification: properties: status: enum: - accepted - not reviewed - rejected title: Status type: string required: - status type: object UpdateFIMPathExclusionSerializerForBulk: properties: enabled: title: Enabled type: boolean id: format: uuid title: Id type: string os_type: enum: - linux - macos - windows title: Os type type: string path: minLength: 1 title: Path type: string path_type: enum: - directory - file - recursive_directory title: Path type type: string required: - id - os_type - path - path_type type: object UpdateFIMPathInclusionSerializerForBulk: properties: criticality: enum: - critical - high - low - medium title: Criticality type: string enabled: title: Enabled type: boolean id: format: uuid title: Id type: string os_type: enum: - linux - macos - windows title: Os type type: string path: minLength: 1 title: Path type: string path_type: enum: - directory - file - recursive_directory title: Path type 
type: string scan_type: enum: - content - metadata - metadata and content title: Scan type type: string required: - criticality - id - os_type - path - path_type - scan_type type: object UpdateFIMPolicy: properties: description: title: Description type: string x-nullable: true name: maxLength: 256 minLength: 1 title: Name type: string periodicity: $ref: '#/definitions/Schedule' required: - name - periodicity type: object UpdateFIMReport: properties: status: enum: - accepted - rejected title: Status type: string required: - status type: object UpdateFIMReportByAgent: properties: agent_id: minLength: 1 title: Agent id type: string status: enum: - accepted - rejected title: Status type: string required: - agent_id - status type: object UpdateFIMReportByPath: properties: agg_key: minLength: 1 title: Agg key type: string status: enum: - accepted - rejected title: Status type: string required: - agg_key - status type: object UpdateFirewallNetwork: properties: blocks: items: $ref: '#/definitions/FirewallNetworkBlock' type: array description: title: Description type: string x-nullable: true name: maxLength: 256 title: Name type: string x-nullable: true type: object UpdateFirewallPolicy: properties: default_profile_id: format: uuid title: Default profile id type: string description: title: Description type: string x-nullable: true name: maxLength: 256 minLength: 1 title: Name type: string network_to_profile: items: $ref: '#/definitions/ProfileToNetworkId' type: array x-nullable: true required: - default_profile_id - name - network_to_profile type: object UpdateFirewallRule: properties: action: enum: - Allow - Drop - Reject title: Action type: string description: title: Description type: string x-nullable: true direction: enum: - Both - In - Out title: Direction type: string enabled: title: Enabled type: boolean ip_version: enum: - Both - IPv4 - IPv6 title: Ip version type: string local_application: maxLength: 256 title: Local application type: string x-nullable: true 
local_ip: $ref: '#/definitions/FirewallIp' local_ports: items: $ref: '#/definitions/FirewallPort' type: array x-nullable: true name: maxLength: 256 title: Name type: string x-nullable: true protocol: enum: - ICMP - IPV6_ICMP - TCP - UDP title: Protocol type: string x-nullable: true remote_ip: $ref: '#/definitions/FirewallIp' remote_ports: items: $ref: '#/definitions/FirewallPort' type: array x-nullable: true required: - local_ip - local_ports - remote_ip - remote_ports type: object UpdateLevelThreat: properties: new_level: enum: - critical - high - low - medium title: New level type: string threat_ids: items: minLength: 1 type: string type: array update_by_query: title: Update by query type: boolean required: - new_level - threat_ids - update_by_query type: object UpdatePolicy: properties: policy_ids: items: type: string x-nullable: true type: array required: - policy_ids type: object UpdatePolicyGroup: properties: policy_id: minLength: 1 title: Policy id type: string type: object UpdateRulesetSource: properties: actions: $ref: '#/definitions/Actions' new_rule_actions: $ref: '#/definitions/Actions' new_rule_state: enum: - alert - backend_alert - block - default - disabled - quarantine title: New rule state type: string set_default: default: false title: Set default type: boolean set_new_rule_default: default: false title: Set new rule default type: boolean state: enum: - alert - backend_alert - block - default - disabled - force_inherit - quarantine title: State type: string type: object UpdateStatusThreat: properties: new_status: enum: - closed - false_positive - investigating - new title: New status type: string tag_security_events: default: false title: Tag security events type: boolean threat_ids: items: minLength: 1 type: string type: array update_by_query: title: Update by query type: boolean required: - new_status - threat_ids - update_by_query type: object UpdateUsbRule: properties: action: enum: - allow - block title: Action type: string base_classes: 
items: $ref: '#/definitions/BaseClass' type: array creation_date: format: date-time readOnly: true title: Creation date type: string description: title: Description type: string x-nullable: true device_type: enum: - external - internal - unknown title: Device type type: string enabled: title: Enabled type: boolean id: format: uuid title: Id type: string index: readOnly: true title: Index type: integer last_update: format: date-time readOnly: true title: Last update type: string name: maxLength: 256 minLength: 1 title: Name type: string rule_creation_type: enum: - class - custom - serial_number - simple - vendor_product title: Rule creation type type: string serial_numbers: items: maxLength: 256 minLength: 1 type: string x-nullable: true type: array vendor_products: items: $ref: '#/definitions/VendorProductIDs' type: array required: - base_classes - name - rule_creation_type type: object UpdateVulnerabilityPolicy: properties: description: title: Description type: string x-nullable: true name: maxLength: 256 minLength: 1 title: Name type: string required: - name type: object UpdateVulnerabilityReport: properties: status: enum: - not reviewed - reviewed title: Status type: string required: - status type: object UpgradeTaskResult: properties: date_created: description: Datetime field when the task result was created in UTC format: date-time readOnly: true title: Created DateTime type: string date_done: description: Datetime field when the task was completed in UTC format: date-time readOnly: true title: Completed DateTime type: string filename: readOnly: true title: Filename type: string x-nullable: true result: description: The data returned by the task. Use content_encoding and content_type fields to read. 
minLength: 1 readOnly: true title: Result Data type: string x-nullable: true status: description: Current state of the task being run enum: - FAILURE - PENDING - RECEIVED - RETRY - REVOKED - STARTED - SUCCESS title: Task State type: string task_args: description: JSON representation of the positional arguments used with the task minLength: 1 title: Task Positional Arguments type: string x-nullable: true task_id: description: Celery ID for the Task that was run maxLength: 255 minLength: 1 title: Task ID type: string required: - task_id type: object UpgradeTaskResultList: properties: count: title: Count type: integer latest: $ref: '#/definitions/UpgradeTaskResult' next: minLength: 1 title: Next type: string x-nullable: true previous: minLength: 1 title: Previous type: string x-nullable: true results: items: $ref: '#/definitions/UpgradeTaskResult' type: array required: - count - latest - results type: object UrlRequest: properties: '@event_create_date': format: date-time title: '@event create date' type: string '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/InnerAgent' groups: $ref: '#/definitions/InnerGroup' host: minLength: 1 title: Host type: string id: minLength: 1 title: Id type: string log_type: minLength: 1 title: Log type type: string method: minLength: 1 title: Method type: string origin_stack: $ref: '#/definitions/OriginStack' password: minLength: 1 title: Password type: string path: minLength: 1 title: Path type: string port: title: Port type: integer process_image_path: minLength: 1 title: Process image path type: string process_unique_id: minLength: 1 title: Process unique id type: string query_params: minLength: 1 title: Query params type: string scheme: minLength: 1 title: Scheme type: string tenant: minLength: 1 title: Tenant type: string url: minLength: 1 title: Url type: string user_agent: minLength: 1 title: User agent type: string username: minLength: 1 title: Username type: string utc_time: format: 
date-time title: Utc time type: string required: - '@event_create_date' - '@timestamp' - agent - groups - host - id - log_type - method - password - path - port - process_image_path - process_unique_id - query_params - scheme - tenant - url - user_agent - username - utc_time type: object UsbRule: properties: action: enum: - allow - block title: Action type: string base_classes: items: $ref: '#/definitions/BaseClass' type: array creation_date: format: date-time readOnly: true title: Creation date type: string description: title: Description type: string x-nullable: true device_type: enum: - external - internal - unknown title: Device type type: string emplace_at_front: default: false title: Emplace at front type: boolean enabled: title: Enabled type: boolean id: format: uuid title: Id type: string index: readOnly: true title: Index type: integer last_update: format: date-time readOnly: true title: Last update type: string name: maxLength: 256 minLength: 1 title: Name type: string origin_stack: $ref: '#/definitions/OriginStack' policy_id: format: uuid title: Policy id type: string rule_creation_type: enum: - class - custom - serial_number - simple - vendor_product title: Rule creation type type: string serial_numbers: items: maxLength: 256 minLength: 1 type: string x-nullable: true type: array vendor_products: items: $ref: '#/definitions/VendorProductIDs' type: array required: - name - policy_id - rule_creation_type type: object UsbRuleDuplication: properties: description: title: Description type: string x-nullable: true name: maxLength: 256 minLength: 1 title: Name type: string required: - name type: object UserAppSettings: properties: app_settings: title: App settings type: object type: object UserEvent: properties: '@event_create_date': format: date-time title: '@event create date' type: string '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/InnerAgent' groups: $ref: '#/definitions/InnerGroup' id: minLength: 1 title: Id 
type: string log_type: minLength: 1 title: Log type type: string new_user_name: minLength: 1 title: New user name type: string operation_type: minLength: 1 title: Operation type type: string origin_stack: $ref: '#/definitions/OriginStack' source_domain_name: minLength: 1 title: Source domain name type: string source_user_id: minLength: 1 title: Source user id type: string source_user_name: minLength: 1 title: Source user name type: string target_domain_name: minLength: 1 title: Target domain name type: string target_user_id: minLength: 1 title: Target user id type: string target_user_name: minLength: 1 title: Target user name type: string tenant: minLength: 1 title: Tenant type: string windows: $ref: '#/definitions/UserEventWindows' required: - '@event_create_date' - '@timestamp' - agent - groups - id - log_type - new_user_name - operation_type - source_domain_name - source_user_id - source_user_name - target_domain_name - target_user_id - target_user_name - tenant - windows type: object UserEventWindows: properties: account_expires: minLength: 1 title: Account expires type: string allowed_to_delegate_to: minLength: 1 title: Allowed to delegate to type: string display_name: minLength: 1 title: Display name type: string home_directory: minLength: 1 title: Home directory type: string home_path: minLength: 1 title: Home path type: string logon_hours: minLength: 1 title: Logon hours type: string new_uac_value: minLength: 1 title: New uac value type: string old_uac_value: minLength: 1 title: Old uac value type: string password_last_set: minLength: 1 title: Password last set type: string primary_group_id: minLength: 1 title: Primary group id type: string privilege_list: minLength: 1 title: Privilege list type: string profile_path: minLength: 1 title: Profile path type: string sam_account_name: minLength: 1 title: Sam account name type: string script_path: minLength: 1 title: Script path type: string sid_history: minLength: 1 title: Sid history type: string 
source_logon_id: title: Source logon id type: integer user_account_control: minLength: 1 title: User account control type: string user_parameters: minLength: 1 title: User parameters type: string user_principal_name: minLength: 1 title: User principal name type: string user_workstations: minLength: 1 title: User workstations type: string required: - account_expires - allowed_to_delegate_to - display_name - home_directory - home_path - logon_hours - new_uac_value - old_uac_value - password_last_set - primary_group_id - privilege_list - profile_path - sam_account_name - script_path - sid_history - source_logon_id - user_account_control - user_parameters - user_principal_name - user_workstations type: object UserLogin: properties: '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/DataAgent' host_ip: minLength: 1 title: Host ip type: string host_kernel: minLength: 1 title: Host kernel type: string id: minLength: 1 title: Id type: string item_status: title: Item status type: integer job_id: minLength: 1 title: Job id type: string job_instance_action: minLength: 1 title: Job instance action type: string job_instance_id: minLength: 1 title: Job instance id type: string job_instance_task_id: title: Job instance task id type: integer login_time: format: date-time title: Login time type: string pid: title: Pid type: integer session_id: minLength: 1 title: Session id type: string tenant: minLength: 1 title: Tenant type: string terminal_suffix: minLength: 1 title: Terminal suffix type: string tty_id: minLength: 1 title: Tty id type: string user_status: minLength: 1 title: User status type: string userlogin_type: minLength: 1 title: Userlogin type type: string username: minLength: 1 title: Username type: string required: - '@timestamp' - agent - host_ip - host_kernel - id - item_status - job_id - job_instance_action - job_instance_id - job_instance_task_id - login_time - pid - session_id - tenant - terminal_suffix - tty_id - 
user_status - userlogin_type - username type: object UserMFAMethod: properties: is_primary: title: Is primary type: boolean name: maxLength: 255 minLength: 1 title: Name type: string required: - name type: object UsersList: properties: ids: items: type: string x-nullable: true type: array required: - ids type: object VendorProductIDs: properties: product_id: title: Product id type: string x-nullable: true vendor_id: title: Vendor id type: string x-nullable: true type: object VerifyResetTokenResponse: properties: error: minLength: 1 title: Error type: string expires_at: format: date-time title: Expires at type: string username: minLength: 1 title: Username type: string valid: title: Valid type: boolean required: - valid type: object VersionUpdateData: properties: final_version: $ref: '#/definitions/VersionUpdateDataVersion' from_version: $ref: '#/definitions/VersionUpdateDataVersion' result: enum: - fail_create_file - fail_download - fail_other - fail_signature - fail_upgrade_didnt_change_version - fail_upgrade_process - fail_write_file - success - unknown title: Result type: string required: - final_version - from_version - result type: object VersionUpdateDataVersion: properties: major: minimum: 0 title: Major type: integer minor: minimum: 0 title: Minor type: integer patch: minimum: 0 title: Patch type: integer suffix: minLength: 1 title: Suffix type: string x-nullable: true required: - major - minor - patch - suffix type: object VirusTotal: properties: permalink: minLength: 1 title: Permalink type: string positives: title: Positives type: integer report_found: title: Report found type: boolean request_date: format: date-time title: Request date type: string scan_date: format: date-time title: Scan date type: string scans: items: $ref: '#/definitions/VirusTotalScan' type: array score: description: Percentage of detection (positive/total) * 100 title: Score type: integer total: title: Total type: integer required: - permalink - positives - report_found - 
request_date - scan_date - scans - score - total type: object VirusTotalScan: properties: av_name: minLength: 1 title: Av name type: string detected: title: Detected type: boolean result: minLength: 1 title: Result type: string update: format: date-time title: Update type: string version: minLength: 1 title: Version type: string required: - av_name - detected - result - update - version type: object VulnerabilityAgent: properties: domainname: minLength: 1 title: Domainname type: string x-nullable: true groups: items: type: string type: array uniqueItems: true hostname: minLength: 1 title: Hostname type: string x-nullable: true id: format: uuid title: Id type: string lastseen: format: date-time title: Lastseen type: string x-nullable: true latest_vulnscan_date: format: date-time title: Latest vulnscan date type: string x-nullable: true osproducttype: minLength: 1 title: Osproducttype type: string x-nullable: true ostype: minLength: 1 title: Ostype type: string x-nullable: true osversion: minLength: 1 title: Osversion type: string x-nullable: true status: enum: - access_denied - idle - offline - online - unknown readOnly: true title: Status type: string version: minLength: 1 title: Version type: string x-nullable: true required: - groups type: object VulnerabilityKpisDistribution: properties: nb_vulns_with_score_0_1: title: Nb vulns with score 0 1 type: integer nb_vulns_with_score_1_2: title: Nb vulns with score 1 2 type: integer nb_vulns_with_score_2_3: title: Nb vulns with score 2 3 type: integer nb_vulns_with_score_3_4: title: Nb vulns with score 3 4 type: integer nb_vulns_with_score_4_5: title: Nb vulns with score 4 5 type: integer nb_vulns_with_score_5_6: title: Nb vulns with score 5 6 type: integer nb_vulns_with_score_6_7: title: Nb vulns with score 6 7 type: integer nb_vulns_with_score_7_8: title: Nb vulns with score 7 8 type: integer nb_vulns_with_score_8_9: title: Nb vulns with score 8 9 type: integer nb_vulns_with_score_9_10: title: Nb vulns with score 9 10 
type: integer required: - nb_vulns_with_score_0_1 - nb_vulns_with_score_1_2 - nb_vulns_with_score_2_3 - nb_vulns_with_score_3_4 - nb_vulns_with_score_4_5 - nb_vulns_with_score_5_6 - nb_vulns_with_score_6_7 - nb_vulns_with_score_7_8 - nb_vulns_with_score_8_9 - nb_vulns_with_score_9_10 type: object VulnerabilityPolicyName: properties: name: maxLength: 256 minLength: 1 title: Name type: string required: - name type: object VulnerabilityReportCountAgentsGraphCounts: properties: count: title: Count type: integer ostype: enum: - linux - macos - unknown - windows title: Ostype type: string required: - count - ostype type: object VulnerabilityReportCountCveGraphCounts: properties: count: title: Count type: integer severity: enum: - critical - high - low - medium - none title: Severity type: string required: - count - severity type: object VulnerabilityReportCountOverTimeAgentsGraphResponse: properties: counts: items: $ref: '#/definitions/VulnerabilityReportCountAgentsGraphCounts' type: array date: format: date title: Date type: string required: - counts - date type: object VulnerabilityReportCountOverTimeCveGraphResponse: properties: counts: items: $ref: '#/definitions/VulnerabilityReportCountCveGraphCounts' type: array date: format: date title: Date type: string required: - counts - date type: object VulnerabilityReportCvesListing: properties: count: title: Count type: integer next: minLength: 1 title: Next type: string x-nullable: true previous: minLength: 1 title: Previous type: string x-nullable: true results: items: $ref: '#/definitions/VulnerabilityReportVulnerabilities' type: array required: - count - results type: object VulnerabilityReportVulnerabilities: properties: agent: $ref: '#/definitions/VulnerabilityAgent' cve: $ref: '#/definitions/Cve' vulnerable_installations: items: $ref: '#/definitions/VulnerableInstallationReport' type: array required: - agent - cve - vulnerable_installations type: object VulnerabilityReports: properties: id: minLength: 1 title: Id 
type: string name: minLength: 1 title: Name type: string nb_critical_level: title: Nb critical level type: integer nb_cves: title: Nb cves type: integer nb_endpoints: title: Nb endpoints type: integer nb_high_level: title: Nb high level type: integer nb_low_level: title: Nb low level type: integer nb_medium_level: title: Nb medium level type: integer nb_vulnerabilities: title: Nb vulnerabilities type: integer report_date: format: date title: Report date type: string status: enum: - not reviewed - reviewed title: Status type: string required: - id - name - nb_critical_level - nb_cves - nb_endpoints - nb_high_level - nb_low_level - nb_medium_level - nb_vulnerabilities - report_date - status type: object VulnerabilityScanResultByAgent: properties: domainname: minLength: 1 title: Domainname type: string x-nullable: true groups: items: type: string type: array uniqueItems: true hostname: minLength: 1 title: Hostname type: string x-nullable: true id: format: uuid title: Id type: string lastseen: format: date-time title: Lastseen type: string x-nullable: true latest_vulnscan_date: format: date-time title: Latest vulnscan date type: string x-nullable: true osproducttype: minLength: 1 title: Osproducttype type: string x-nullable: true ostype: minLength: 1 title: Ostype type: string x-nullable: true osversion: minLength: 1 title: Osversion type: string x-nullable: true status: enum: - access_denied - idle - offline - online - unknown readOnly: true title: Status type: string version: minLength: 1 title: Version type: string x-nullable: true vuln_count: readOnly: true title: Vuln count type: integer vuln_count_critical: readOnly: true title: Vuln count critical type: integer vuln_count_high: readOnly: true title: Vuln count high type: integer vuln_count_low: readOnly: true title: Vuln count low type: integer vuln_count_medium: readOnly: true title: Vuln count medium type: integer required: - groups type: object VulnerabilityScanResultByAgentListing: properties: count: title: 
Count type: integer next: minLength: 1 title: Next type: string x-nullable: true previous: minLength: 1 title: Previous type: string x-nullable: true results: items: $ref: '#/definitions/VulnerabilityScanResultByAgent' type: array required: - count - results type: object VulnerableApplicationWithCountAggregation: properties: highest_score: title: Highest score type: number id: minLength: 1 title: Id type: string name: minLength: 1 title: Name type: string nb_critical_level: title: Nb critical level type: integer nb_cves: title: Nb cves type: integer nb_endpoints: title: Nb endpoints type: integer nb_high_level: title: Nb high level type: integer nb_low_level: title: Nb low level type: integer nb_medium_level: title: Nb medium level type: integer nb_vulnerabilities: title: Nb vulnerabilities type: integer ostype: minLength: 1 title: Ostype type: string publisher: minLength: 1 title: Publisher type: string required: - highest_score - id - name - nb_critical_level - nb_cves - nb_endpoints - nb_high_level - nb_low_level - nb_medium_level - nb_vulnerabilities - ostype - publisher type: object VulnerableInstallationReport: properties: application_id: format: uuid title: Application id type: string name: minLength: 1 title: Name type: string version: minLength: 1 title: Version type: string required: - application_id - name - version type: object Wdigest: properties: '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/DataAgent' controlset: minLength: 1 title: Controlset type: string id: minLength: 1 title: Id type: string int_value: title: Int value type: integer item_status: title: Item status type: integer job_id: minLength: 1 title: Job id type: string job_instance_action: minLength: 1 title: Job instance action type: string job_instance_id: minLength: 1 title: Job instance id type: string job_instance_task_id: title: Job instance task id type: integer tenant: minLength: 1 title: Tenant type: string timestamp: format: date-time 
title: Timestamp type: string required: - '@timestamp' - agent - controlset - id - int_value - item_status - job_id - job_instance_action - job_instance_id - job_instance_task_id - tenant - timestamp type: object WhitelistMassDelete: properties: ids: items: type: string x-nullable: true type: array required: - ids type: object WhitelistMassToggle: properties: enabled: title: Enabled type: boolean ids: items: type: string x-nullable: true type: array required: - enabled - ids type: object WhitelistRuleCriteriaSnapshot: properties: case_insensitive: default: false title: Case insensitive type: boolean field: minLength: 1 readOnly: true title: Field type: string operator: enum: - contains - eq - ncontains - neq - nwildcard - regex - wildcard readOnly: true title: Operator type: string sub_criteria: items: $ref: '#/definitions/WhitelistRuleSubCriterionSnapshot' type: array value: title: Value type: string type: object WhitelistRuleHistoryRecord: properties: action: enum: - created - edited - expired - remove_expiration_date - retroactive_action_cancelled - set_expiration_date - toggled readOnly: true title: Action type: string cancelled_action_timestamp: format: date-time readOnly: true title: Cancelled action timestamp type: string x-nullable: true is_cancelled: readOnly: true title: Is cancelled type: boolean is_retroactive_application: readOnly: true title: Is retroactive application type: boolean security_event_from_status: minLength: 1 readOnly: true title: Security event from status type: string x-nullable: true security_event_new_status: enum: - closed - false_positive - investigating readOnly: true title: Security event new status type: string x-nullable: true security_event_tagged_count: readOnly: true title: Security event tagged count type: integer snapshot: $ref: '#/definitions/WhitelistRuleSnapshot' timestamp: format: date-time readOnly: true title: Timestamp type: string username: minLength: 1 readOnly: true title: Username type: string type: object 
WhitelistRuleSnapshot: properties: comment: minLength: 1 readOnly: true title: Comment type: string x-nullable: true correlation_embedded_rule_id: format: uuid readOnly: true title: Correlation embedded rule id type: string x-nullable: true correlation_rule_id: format: uuid readOnly: true title: Correlation rule id type: string x-nullable: true criteria: items: $ref: '#/definitions/WhitelistRuleCriteriaSnapshot' type: array enabled: readOnly: true title: Enabled type: boolean expiration_date: format: date-time readOnly: true title: Expiration date type: string x-nullable: true revision: readOnly: true title: Revision type: integer sigma_rule_id: minLength: 1 readOnly: true title: Sigma rule id type: string x-nullable: true target: enum: - all - cape - correlation - glimps - hlai - hlaiscripts - hurukaiav - ioc - kernelguard - orion - ransom - selfprotection - sidewatch - sigma - telemetry_amsi_scan - telemetry_authentication - telemetry_bpf - telemetry_dns_resolution - telemetry_driver_load - telemetry_etw_ti_ke_insert_queue_apc - telemetry_etw_ti_nt_allocate_virtual_memory - telemetry_etw_ti_nt_map_view_of_section - telemetry_etw_ti_nt_protect_virtual_memory - telemetry_etw_ti_nt_read_virtual_memory - telemetry_etw_ti_nt_resume_process - telemetry_etw_ti_nt_resume_thread - telemetry_etw_ti_nt_set_context_thread - telemetry_etw_ti_nt_suspend_process - telemetry_etw_ti_nt_suspend_thread - telemetry_etw_ti_nt_write_virtual_memory - telemetry_eventlog - telemetry_file - telemetry_group_event - telemetry_injected_thread - telemetry_kube_pod_event - telemetry_library_load - telemetry_named_pipe - telemetry_network - telemetry_network_listen - telemetry_powershell - telemetry_process - telemetry_process_access - telemetry_process_duplicate_handle - telemetry_process_ptrace - telemetry_process_tamper - telemetry_raw_device_access - telemetry_raw_socket_creation - telemetry_registry - telemetry_remote_thread - telemetry_scheduled_task - telemetry_url_request - 
telemetry_usb_activity - telemetry_user_event - telemetry_win32k_get_async_key_state - telemetry_win32k_register_raw_input_devices - telemetry_win32k_set_windows_hook_ex - telemetry_windows_service - telemetry_wmi_event - vt - yara - yara_memory readOnly: true title: Target type: string type: object WhitelistRuleSubCriterion: properties: case_insensitive: default: false title: Case insensitive type: boolean operator: enum: - contains - eq - ncontains - neq - nwildcard - regex - wildcard title: Operator type: string value: title: Value type: string required: - operator - value type: object x-nullable: true WhitelistRuleSubCriterionSnapshot: properties: case_insensitive: readOnly: true title: Case insensitive type: boolean operator: enum: - contains - eq - ncontains - neq - nwildcard - regex - wildcard readOnly: true title: Operator type: string value: minLength: 1 readOnly: true title: Value type: string type: object WhitelistRuleSummary: properties: all_count_disabled: default: 0 minimum: 0 title: All count disabled type: integer all_count_enabled: default: 0 minimum: 0 title: All count enabled type: integer correlation_count_disabled: default: 0 minimum: 0 title: Correlation count disabled type: integer correlation_count_enabled: default: 0 minimum: 0 title: Correlation count enabled type: integer hlai_count_disabled: default: 0 minimum: 0 title: Hlai count disabled type: integer hlai_count_enabled: default: 0 minimum: 0 title: Hlai count enabled type: integer other_count_disabled: default: 0 minimum: 0 title: Other count disabled type: integer other_count_enabled: default: 0 minimum: 0 title: Other count enabled type: integer sigma_count_disabled: default: 0 minimum: 0 title: Sigma count disabled type: integer sigma_count_enabled: default: 0 minimum: 0 title: Sigma count enabled type: integer total_count_disabled: default: 0 minimum: 0 title: Total count disabled type: integer total_count_enabled: default: 0 minimum: 0 title: Total count enabled type: integer 
yara_count_disabled: default: 0 minimum: 0 title: Yara count disabled type: integer yara_count_enabled: default: 0 minimum: 0 title: Yara count enabled type: integer type: object WhitelistedByData: properties: is_retroactive_application: description: Indicate if the record is registered by an application action (not a cancel/revert). title: Is retroactive application type: boolean whitelist_id: description: Whitelist rule identifier. minLength: 1 title: Whitelist id type: string whitelist_revision: description: Whitelist rule revision. title: Whitelist revision type: integer required: - is_retroactive_application - whitelist_id - whitelist_revision type: object WildcardProcess: properties: param_operator: description: '0: ITEM_EQUAL, 1: ITEM_NOT_EQUAL, 2: ITEM_CONTAINS, 3: ITEM_NOT_CONTAINS' enum: - 0 - 1 - 2 - 3 title: Param operator type: integer param_type: description: '0: PROCESS_NAME, 1: PROCESS_PATH, 2: PROCESS_IS_CRITICAL, 3: PROCESS_USERNAME, 4: PROCESS_COMMANDLINE, 15: PROCESS_PID, 16: PROCESS_HASH_MD5, 17: PROCESS_HASH_SHA1, 18: PROCESS_HASH_SHA256, 10: PROCESS_PARENT_NAME, 11: PROCESS_PARENT_PATH, 12: PROCESS_PARENT_IS_CRITICAL, 13: PROCESS_PARENT_USERNAME, 14: PROCESS_PARENT_COMMANDLINE' enum: - 0 - 1 - 2 - 3 - 4 - 10 - 11 - 12 - 13 - 14 - 15 - 16 - 17 - 18 title: Param type type: integer param_value: minLength: 1 title: Param value type: string required: - param_operator - param_type - param_value type: object WildcardProcessFinderKiller: properties: values: items: $ref: '#/definitions/WildcardProcess' type: array required: - values type: object WindowsDefender: properties: check_for_signatures_before_running_scan: title: Check for signatures before running scan type: boolean x-nullable: true disable_archive_scanning: title: Disable archive scanning type: boolean x-nullable: true disable_auto_exclusions: title: Disable auto exclusions type: boolean x-nullable: true disable_behavior_monitoring: title: Disable behavior monitoring type: boolean 
x-nullable: true disable_catchup_full_scan: title: Disable catchup full scan type: boolean x-nullable: true disable_catchup_quick_scan: title: Disable catchup quick scan type: boolean x-nullable: true disable_email_scanning: title: Disable email scanning type: boolean x-nullable: true disable_ioav_protection: title: Disable ioav protection type: boolean x-nullable: true disable_realtime_monitoring: title: Disable realtime monitoring type: boolean x-nullable: true disable_removable_drive_scanning: title: Disable removable drive scanning type: boolean x-nullable: true disable_restore_point: title: Disable restore point type: boolean x-nullable: true disable_scanning_mapped_network_drives_for_full_scan: title: Disable scanning mapped network drives for full scan type: boolean x-nullable: true disable_scanning_network_files: title: Disable scanning network files type: boolean x-nullable: true disable_script_scanning: title: Disable script scanning type: boolean x-nullable: true exclusion_extension: items: minLength: 1 title: Exclusion extension type: string type: array x-nullable: true exclusion_path: items: minLength: 1 title: Exclusion path type: string type: array x-nullable: true exclusion_process: items: minLength: 1 title: Exclusion process type: string type: array x-nullable: true high_threat_default_action: enum: - allow - block - clean - no_action - quarantine - remove - user_defined title: High threat default action type: string x-nullable: true low_threat_default_action: enum: - allow - block - clean - no_action - quarantine - remove - user_defined title: Low threat default action type: string x-nullable: true maps_reporting: enum: - advanced - basic - disabled title: Maps reporting type: string x-nullable: true moderate_threat_default_action: enum: - allow - block - clean - no_action - quarantine - remove - user_defined title: Moderate threat default action type: string x-nullable: true quarantine_purge_items_after_delay: maximum: 2147483647 minimum: 
-2147483648 title: Quarantine purge items after delay type: integer x-nullable: true randomize_schedule_task_times: title: Randomize schedule task times type: boolean x-nullable: true real_time_scan_direction: enum: - both - incoming - outcoming title: Real time scan direction type: string x-nullable: true remediation_schedule_day: enum: - everyday - friday - monday - never - saturday - sunday - thursday - tuesday - wednesday title: Remediation schedule day type: string x-nullable: true remediation_schedule_time: maximum: 2147483647 minimum: -2147483648 title: Remediation schedule time type: integer x-nullable: true scan_avg_cpu_load_factor: maximum: 2147483647 minimum: -2147483648 title: Scan avg cpu load factor type: integer x-nullable: true scan_only_if_idle_enabled: title: Scan only if idle enabled type: boolean x-nullable: true scan_parameters: enum: - full_scan - quick_scan title: Scan parameters type: string x-nullable: true scan_purge_items_after_delay: maximum: 2147483647 minimum: -2147483648 title: Scan purge items after delay type: integer x-nullable: true scan_schedule_day: enum: - everyday - friday - monday - never - saturday - sunday - thursday - tuesday - wednesday title: Scan schedule day type: string x-nullable: true scan_schedule_quick_scan_time: maximum: 2147483647 minimum: -2147483648 title: Scan schedule quick scan time type: integer x-nullable: true scan_schedule_time: maximum: 2147483647 minimum: -2147483648 title: Scan schedule time type: integer x-nullable: true severe_threat_default_action: enum: - allow - block - clean - no_action - quarantine - remove - user_defined title: Severe threat default action type: string x-nullable: true signature_definition_update_file_shares_sources: items: minLength: 1 title: Signature definition update file shares sources type: string type: array x-nullable: true signature_fallback_order: items: minLength: 1 title: Signature fallback order type: string type: array x-nullable: true signature_schedule_day: 
enum: - everyday - friday - monday - never - saturday - sunday - thursday - tuesday - wednesday title: Signature schedule day type: string x-nullable: true signature_schedule_time: maximum: 2147483647 minimum: -2147483648 title: Signature schedule time type: integer x-nullable: true signature_update_catchup_interval: maximum: 2147483647 minimum: -2147483648 title: Signature update catchup interval type: integer x-nullable: true signature_update_interval: maximum: 2147483647 minimum: -2147483648 title: Signature update interval type: integer x-nullable: true submit_samples_consent: enum: - always_prompt - never_send - send_all - send_safe title: Submit samples consent type: string x-nullable: true threat_id_default_actions: items: $ref: '#/definitions/ThreatDefaultAction' type: array ui_lockdown: title: Ui lockdown type: boolean x-nullable: true unknown_threat_default_action: enum: - allow - block - clean - no_action - quarantine - remove - user_defined title: Unknown threat default action type: string x-nullable: true type: object x-nullable: true WindowsLocalGroup: properties: agent: $ref: '#/definitions/SimpleAgent' child_groups: items: $ref: '#/definitions/SimpleWindowsGroup' readOnly: true type: array x-nullable: true comment: minLength: 1 readOnly: true title: Comment type: string x-nullable: true creation_date: format: date-time readOnly: true title: Creation date type: string domain: minLength: 1 readOnly: true title: Domain type: string x-nullable: true id: minLength: 1 readOnly: true title: Id type: string kind: enum: - domain_local_group - global_group - local_group - well_known_group readOnly: true title: Kind type: string last_update: format: date-time readOnly: true title: Last update type: string local_users: items: $ref: '#/definitions/AgentWindowsSimpleLocalUser' readOnly: true type: array name: minLength: 1 readOnly: true title: Name type: string parent_group: $ref: '#/definitions/SimpleWindowsGroup' remote_users: items: $ref: 
'#/definitions/WindowsRemoteUser' readOnly: true type: array sid: minLength: 1 readOnly: true title: Sid type: string x-nullable: true user_count: readOnly: true title: User count type: integer required: - agent type: object WindowsLocalUser: properties: account_disabled: readOnly: true title: Account disabled type: boolean agent: $ref: '#/definitions/SimpleAgent' bad_password_count: maximum: 2147483647 minimum: -2147483648 readOnly: true title: Bad password count type: integer comment: minLength: 1 readOnly: true title: Comment type: string x-nullable: true creation_date: format: date-time readOnly: true title: Creation date type: string flags: maximum: 2147483647 minimum: -2147483648 readOnly: true title: Flags type: integer x-nullable: true full_name: minLength: 1 readOnly: true title: Full name type: string x-nullable: true groups: items: $ref: '#/definitions/WindowsSimpleLocalGroup' readOnly: true type: array id: minLength: 1 readOnly: true title: Id type: string last_logon: format: date-time readOnly: true title: Last logon type: string x-nullable: true last_update: format: date-time readOnly: true title: Last update type: string name: minLength: 1 readOnly: true title: Name type: string x-nullable: true num_logons: maximum: 2147483647 minimum: -2147483648 readOnly: true title: Num logons type: integer password_doesnt_expire: readOnly: true title: Password doesnt expire type: boolean password_expired: readOnly: true title: Password expired type: boolean password_last_set: format: date-time readOnly: true title: Password last set type: string x-nullable: true privilege_level: enum: - 0 - 1 - 2 readOnly: true title: Privilege level type: integer rid: maximum: 2147483647 minimum: -2147483648 readOnly: true title: Rid type: integer x-nullable: true sid: minLength: 1 readOnly: true title: Sid type: string x-nullable: true required: - agent type: object WindowsQfe: properties: agent: $ref: '#/definitions/Agent' caption: minLength: 1 readOnly: true title: Caption 
type: string x-nullable: true description: minLength: 1 readOnly: true title: Description type: string x-nullable: true hot_fix_id: minLength: 1 readOnly: true title: Hot fix id type: string id: format: uuid readOnly: true title: Id type: string installed_by: minLength: 1 readOnly: true title: Installed by type: string x-nullable: true installed_on: format: date-time readOnly: true title: Installed on type: string x-nullable: true required: - agent type: object WindowsRemoteUser: properties: creation_date: format: date-time readOnly: true title: Creation date type: string domain: minLength: 1 readOnly: true title: Domain type: string x-nullable: true id: minLength: 1 readOnly: true title: Id type: string last_update: format: date-time readOnly: true title: Last update type: string name: minLength: 1 readOnly: true title: Name type: string x-nullable: true sid: minLength: 1 readOnly: true title: Sid type: string x-nullable: true type: object WindowsShellExecuteHook: properties: '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/DataAgent' clsid_details: $ref: '#/definitions/CLSID' id: minLength: 1 title: Id type: string item_status: title: Item status type: integer job_id: minLength: 1 title: Job id type: string job_instance_action: minLength: 1 title: Job instance action type: string job_instance_id: minLength: 1 title: Job instance id type: string job_instance_task_id: title: Job instance task id type: integer name: minLength: 1 title: Name type: string tenant: minLength: 1 title: Tenant type: string timestamp: format: date-time title: Timestamp type: string username: minLength: 1 title: Username type: string value: minLength: 1 title: Value type: string wow64: title: Wow64 type: boolean required: - '@timestamp' - agent - clsid_details - id - item_status - job_id - job_instance_action - job_instance_id - job_instance_task_id - name - tenant - timestamp - username - value - wow64 type: object WindowsShellExtension: 
properties: '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/DataAgent' clsid_details: $ref: '#/definitions/CLSID' id: minLength: 1 title: Id type: string item_status: title: Item status type: integer job_id: minLength: 1 title: Job id type: string job_instance_action: minLength: 1 title: Job instance action type: string job_instance_id: minLength: 1 title: Job instance id type: string job_instance_task_id: title: Job instance task id type: integer name: minLength: 1 title: Name type: string tenant: minLength: 1 title: Tenant type: string timestamp: format: date-time title: Timestamp type: string username: minLength: 1 title: Username type: string value: minLength: 1 title: Value type: string wow64: title: Wow64 type: boolean required: - '@timestamp' - agent - clsid_details - id - item_status - job_id - job_instance_action - job_instance_id - job_instance_task_id - name - tenant - timestamp - username - value - wow64 type: object WindowsShellIconOverlayIdentifier: properties: '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/DataAgent' clsid_details: $ref: '#/definitions/CLSID' id: minLength: 1 title: Id type: string item_status: title: Item status type: integer job_id: minLength: 1 title: Job id type: string job_instance_action: minLength: 1 title: Job instance action type: string job_instance_id: minLength: 1 title: Job instance id type: string job_instance_task_id: title: Job instance task id type: integer name: minLength: 1 title: Name type: string tenant: minLength: 1 title: Tenant type: string timestamp: format: date-time title: Timestamp type: string username: minLength: 1 title: Username type: string value: minLength: 1 title: Value type: string wow64: title: Wow64 type: boolean required: - '@timestamp' - agent - clsid_details - id - item_status - job_id - job_instance_action - job_instance_id - job_instance_task_id - name - tenant - timestamp - username - value - wow64 
type: object WindowsShellLoadAndRun: properties: '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/DataAgent' clsid_details: $ref: '#/definitions/CLSID' id: minLength: 1 title: Id type: string item_status: title: Item status type: integer job_id: minLength: 1 title: Job id type: string job_instance_action: minLength: 1 title: Job instance action type: string job_instance_id: minLength: 1 title: Job instance id type: string job_instance_task_id: title: Job instance task id type: integer name: minLength: 1 title: Name type: string tenant: minLength: 1 title: Tenant type: string timestamp: format: date-time title: Timestamp type: string username: minLength: 1 title: Username type: string value: minLength: 1 title: Value type: string wow64: title: Wow64 type: boolean required: - '@timestamp' - agent - clsid_details - id - item_status - job_id - job_instance_action - job_instance_id - job_instance_task_id - name - tenant - timestamp - username - value - wow64 type: object WindowsShellServiceObject: properties: '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/DataAgent' clsid_details: $ref: '#/definitions/CLSID' id: minLength: 1 title: Id type: string item_status: title: Item status type: integer job_id: minLength: 1 title: Job id type: string job_instance_action: minLength: 1 title: Job instance action type: string job_instance_id: minLength: 1 title: Job instance id type: string job_instance_task_id: title: Job instance task id type: integer name: minLength: 1 title: Name type: string tenant: minLength: 1 title: Tenant type: string timestamp: format: date-time title: Timestamp type: string username: minLength: 1 title: Username type: string value: minLength: 1 title: Value type: string wow64: title: Wow64 type: boolean required: - '@timestamp' - agent - clsid_details - id - item_status - job_id - job_instance_action - job_instance_id - job_instance_task_id - name - tenant - timestamp 
- username - value - wow64 type: object WindowsShellServiceObjectDelayLoad: properties: '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/DataAgent' clsid_details: $ref: '#/definitions/CLSID' id: minLength: 1 title: Id type: string item_status: title: Item status type: integer job_id: minLength: 1 title: Job id type: string job_instance_action: minLength: 1 title: Job instance action type: string job_instance_id: minLength: 1 title: Job instance id type: string job_instance_task_id: title: Job instance task id type: integer name: minLength: 1 title: Name type: string tenant: minLength: 1 title: Tenant type: string timestamp: format: date-time title: Timestamp type: string username: minLength: 1 title: Username type: string value: minLength: 1 title: Value type: string wow64: title: Wow64 type: boolean required: - '@timestamp' - agent - clsid_details - id - item_status - job_id - job_instance_action - job_instance_id - job_instance_task_id - name - tenant - timestamp - username - value - wow64 type: object WindowsSimpleLocalGroup: properties: comment: minLength: 1 readOnly: true title: Comment type: string x-nullable: true creation_date: format: date-time readOnly: true title: Creation date type: string domain: minLength: 1 readOnly: true title: Domain type: string x-nullable: true id: minLength: 1 readOnly: true title: Id type: string kind: enum: - domain_local_group - global_group - local_group - well_known_group readOnly: true title: Kind type: string last_update: format: date-time readOnly: true title: Last update type: string name: minLength: 1 readOnly: true title: Name type: string parent_group: readOnly: true title: Parent group type: string x-nullable: true sid: minLength: 1 readOnly: true title: Sid type: string x-nullable: true type: object Winlogon: properties: '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/DataAgent' binaryinfo: $ref: 
'#/definitions/BinaryInfoWithPath' id: minLength: 1 title: Id type: string item_status: title: Item status type: integer job_id: minLength: 1 title: Job id type: string job_instance_action: minLength: 1 title: Job instance action type: string job_instance_id: minLength: 1 title: Job instance id type: string job_instance_task_id: title: Job instance task id type: integer tenant: minLength: 1 title: Tenant type: string timestamp: format: date-time title: Timestamp type: string type: minLength: 1 title: Type type: string username: minLength: 1 title: Username type: string value: minLength: 1 title: Value type: string wow64: title: Wow64 type: boolean required: - '@timestamp' - agent - binaryinfo - id - item_status - job_id - job_instance_action - job_instance_id - job_instance_task_id - tenant - timestamp - type - username - value - wow64 type: object WinlogonNotify: properties: '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/DataAgent' binaryinfo: $ref: '#/definitions/BinaryInfoWithPath' id: minLength: 1 title: Id type: string item_status: title: Item status type: integer job_id: minLength: 1 title: Job id type: string job_instance_action: minLength: 1 title: Job instance action type: string job_instance_id: minLength: 1 title: Job instance id type: string job_instance_task_id: title: Job instance task id type: integer name: minLength: 1 title: Name type: string tenant: minLength: 1 title: Tenant type: string timestamp: format: date-time title: Timestamp type: string username: minLength: 1 title: Username type: string value: minLength: 1 title: Value type: string wow64: title: Wow64 type: boolean required: - '@timestamp' - agent - binaryinfo - id - item_status - job_id - job_instance_action - job_instance_id - job_instance_task_id - name - tenant - timestamp - username - value - wow64 type: object WinsockHelper: properties: '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: 
'#/definitions/DataAgent' binaryinfo: $ref: '#/definitions/BinaryInfoWithPath' controlset: minLength: 1 title: Controlset type: string helper_name: minLength: 1 title: Helper name type: string id: minLength: 1 title: Id type: string item_status: title: Item status type: integer job_id: minLength: 1 title: Job id type: string job_instance_action: minLength: 1 title: Job instance action type: string job_instance_id: minLength: 1 title: Job instance id type: string job_instance_task_id: title: Job instance task id type: integer service_name: minLength: 1 title: Service name type: string tenant: minLength: 1 title: Tenant type: string timestamp: format: date-time title: Timestamp type: string required: - '@timestamp' - agent - binaryinfo - controlset - helper_name - id - item_status - job_id - job_instance_action - job_instance_id - job_instance_task_id - service_name - tenant - timestamp type: object Wmi: properties: '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/DataAgent' consumerdata: minLength: 1 title: Consumerdata type: string eventconsumername: minLength: 1 title: Eventconsumername type: string eventfilter: minLength: 1 title: Eventfilter type: string eventfiltername: minLength: 1 title: Eventfiltername type: string filtertoconsumertype: minLength: 1 title: Filtertoconsumertype type: string id: minLength: 1 title: Id type: string item_status: title: Item status type: integer job_id: minLength: 1 title: Job id type: string job_instance_action: minLength: 1 title: Job instance action type: string job_instance_id: minLength: 1 title: Job instance id type: string job_instance_task_id: title: Job instance task id type: integer tenant: minLength: 1 title: Tenant type: string required: - '@timestamp' - agent - consumerdata - eventconsumername - eventfilter - eventfiltername - filtertoconsumertype - id - item_status - job_id - job_instance_action - job_instance_id - job_instance_task_id - tenant type: object WmiEvent: 
properties: consumer: minLength: 1 title: Consumer type: string destination: minLength: 1 title: Destination type: string event_date: format: date-time title: Event date type: string filter: minLength: 1 title: Filter type: string kind: minLength: 1 title: Kind type: string name: minLength: 1 title: Name type: string namespace: minLength: 1 title: Namespace type: string operation: minLength: 1 title: Operation type: string query: minLength: 1 title: Query type: string type: minLength: 1 title: Type type: string user_name: minLength: 1 title: User name type: string user_sid: minLength: 1 title: User sid type: string required: - consumer - destination - event_date - filter - kind - name - namespace - operation - query - type - user_name - user_sid type: object Yara: properties: '@timestamp': format: date-time title: '@timestamp' type: string agent: $ref: '#/definitions/DataAgent' binaryinfo: $ref: '#/definitions/BinaryInfoWithPath' cmdline: minLength: 1 title: Cmdline type: string create_time: format: date-time title: Create time type: string description: minLength: 1 title: Description type: string file_name: minLength: 1 title: File name type: string hit_type: minLength: 1 title: Hit type type: string id: minLength: 1 title: Id type: string item_status: title: Item status type: integer job_id: minLength: 1 title: Job id type: string job_instance_action: minLength: 1 title: Job instance action type: string job_instance_id: minLength: 1 title: Job instance id type: string job_instance_task_id: title: Job instance task id type: integer linux_cmdline: minLength: 1 title: Linux cmdline type: string linux_file_name: minLength: 1 title: Linux file name type: string linux_source_name: minLength: 1 title: Linux source name type: string pid: title: Pid type: integer reference: minLength: 1 title: Reference type: string rule_name: minLength: 1 title: Rule name type: string score: title: Score type: integer source_name: minLength: 1 title: Source name type: string tenant: 
minLength: 1 title: Tenant type: string username: minLength: 1 title: Username type: string required: - '@timestamp' - agent - binaryinfo - cmdline - create_time - description - file_name - hit_type - id - item_status - job_id - job_instance_action - job_instance_id - job_instance_task_id - linux_cmdline - linux_file_name - linux_source_name - pid - reference - rule_name - score - source_name - tenant - username type: object YaraFile: properties: alert_count: readOnly: true title: Alert count type: integer block_on_agent: title: Block on agent type: boolean content: minLength: 1 title: Content type: string creation_date: format: date-time readOnly: true title: Creation date type: string effective_state: enum: - alert - backend_alert - block - disabled - quarantine readOnly: true title: Effective state type: string enabled: title: Enabled type: boolean endpoint_detection: title: Endpoint detection type: boolean global_state: enum: - alert - backend_alert - block - disabled - quarantine title: Global state type: string hl_local_testing_status: description: deprecated title: Hl local testing status type: string x-nullable: true hl_status: enum: - experimental - stable - testing title: Hl status type: string hl_testing_start_time: format: date-time readOnly: true title: Hl testing start time type: string id: minLength: 1 readOnly: true title: Id type: string last_modifier: $ref: '#/definitions/HlSimpleUserSerializer' last_update: format: date-time readOnly: true title: Last update type: string name: maxLength: 1024 minLength: 1 title: Name type: string origin_stack: $ref: '#/definitions/OriginStack' origin_stack_id: minLength: 1 readOnly: true title: Origin stack id type: string x-nullable: true quarantine_on_agent: title: Quarantine on agent type: boolean references: items: minLength: 1 title: References type: string type: array rule_classifications: items: minLength: 1 title: Rule classifications type: string readOnly: true type: array rule_confidence: enum: - 
moderate - strong - weak readOnly: true title: Rule confidence type: string x-nullable: true rule_confidence_override: enum: - moderate - strong - weak title: Rule confidence override type: string x-nullable: true rule_context: items: maxLength: 256 minLength: 1 title: Rule context type: string type: array rule_count: readOnly: true title: Rule count type: integer rule_creation_date: format: date readOnly: true title: Rule creation date type: string x-nullable: true rule_effective_confidence: enum: - moderate - strong - weak readOnly: true title: Rule effective confidence type: string rule_effective_level: enum: - critical - high - informational - low - medium readOnly: true title: Rule effective level type: string rule_level: enum: - critical - high - informational - low - medium readOnly: true title: Rule level type: string x-nullable: true rule_level_overridden: readOnly: true title: Rule level overridden type: boolean rule_level_override: enum: - critical - high - informational - low - medium title: Rule level override type: string x-nullable: true rule_modified_date: format: date readOnly: true title: Rule modified date type: string x-nullable: true rule_names: items: minLength: 1 title: Rule names type: string readOnly: true type: array rule_os: items: enum: - linux - macos - unknown - windows title: Rule os type: string readOnly: true type: array rule_score: readOnly: true title: Rule score type: integer x-nullable: true rule_tactic_tags: items: maxLength: 256 minLength: 1 title: Rule tactic tags type: string readOnly: true type: array rule_technique_tags: items: maxLength: 256 minLength: 1 title: Rule technique tags type: string readOnly: true type: array source: readOnly: true title: Source type: string source_id: minLength: 1 title: Source id type: string tenant: minLength: 1 readOnly: true title: Tenant type: string test_maturity_current_count: readOnly: true title: Test maturity current count type: integer test_maturity_delay: readOnly: true title: Test 
maturity delay type: integer test_maturity_threshold: readOnly: true title: Test maturity threshold type: integer required: - content - name - source_id type: object YaraInfo: properties: id: minLength: 1 title: Id type: string name: minLength: 1 title: Name type: string required: - id - name type: object YaraRule: properties: namespace: minLength: 1 title: Namespace type: string rulename: minLength: 1 title: Rulename type: string source: minLength: 1 title: Source type: string required: - namespace - rulename - source type: object YaraRulesetRule: properties: alert_count: readOnly: true title: Alert count type: integer block_on_agent: readOnly: true title: Block on agent type: boolean content: minLength: 1 readOnly: true title: Content type: string creation_date: format: date-time readOnly: true title: Creation date type: string effective_state: enum: - alert - backend_alert - block - disabled - quarantine readOnly: true title: Effective state type: string enabled: readOnly: true title: Enabled type: boolean endpoint_detection: readOnly: true title: Endpoint detection type: boolean global_state: enum: - alert - backend_alert - block - disabled - quarantine readOnly: true title: Global state type: string hl_status: enum: - experimental - stable - testing readOnly: true title: Hl status type: string hl_testing_start_time: format: date-time readOnly: true title: Hl testing start time type: string id: minLength: 1 readOnly: true title: Id type: string last_modifier: $ref: '#/definitions/HlSimpleUserSerializer' last_update: format: date-time readOnly: true title: Last update type: string name: maxLength: 1024 minLength: 1 readOnly: true title: Name type: string origin_stack: $ref: '#/definitions/OriginStack' origin_stack_id: minLength: 1 readOnly: true title: Origin stack id type: string x-nullable: true quarantine_on_agent: readOnly: true title: Quarantine on agent type: boolean references: items: minLength: 1 title: References type: string readOnly: true type: array 
rule_classifications: items: minLength: 1 title: Rule classifications type: string readOnly: true type: array rule_confidence: enum: - moderate - strong - weak readOnly: true title: Rule confidence type: string x-nullable: true rule_confidence_override: enum: - moderate - strong - weak readOnly: true title: Rule confidence override type: string x-nullable: true rule_context: items: maxLength: 256 minLength: 1 title: Rule context type: string readOnly: true type: array rule_count: readOnly: true title: Rule count type: integer rule_creation_date: format: date readOnly: true title: Rule creation date type: string x-nullable: true rule_effective_confidence: enum: - moderate - strong - weak readOnly: true title: Rule effective confidence type: string rule_effective_level: enum: - critical - high - informational - low - medium readOnly: true title: Rule effective level type: string rule_level: enum: - critical - high - informational - low - medium readOnly: true title: Rule level type: string x-nullable: true rule_level_overridden: readOnly: true title: Rule level overridden type: boolean rule_level_override: enum: - critical - high - informational - low - medium readOnly: true title: Rule level override type: string x-nullable: true rule_modified_date: format: date readOnly: true title: Rule modified date type: string x-nullable: true rule_names: items: minLength: 1 title: Rule names type: string readOnly: true type: array rule_os: items: enum: - linux - macos - unknown - windows title: Rule os type: string readOnly: true type: array rule_score: readOnly: true title: Rule score type: integer x-nullable: true rule_tactic_tags: items: maxLength: 256 minLength: 1 title: Rule tactic tags type: string readOnly: true type: array rule_technique_tags: items: maxLength: 256 minLength: 1 title: Rule technique tags type: string readOnly: true type: array ruleset_rule: $ref: '#/definitions/RulesetRuleSerializer' ruleset_rule_default: readOnly: true title: Ruleset rule default 
type: boolean source: readOnly: true title: Source type: string source_id: minLength: 1 readOnly: true title: Source id type: string state: enum: - alert - backend_alert - block - default - disabled - quarantine readOnly: true title: State type: string tenant: minLength: 1 readOnly: true title: Tenant type: string type: object YaraRulesetSource: properties: alert_rule_count: default: 0 readOnly: true title: Alert rule count type: integer block_on_agent: title: Block on agent type: boolean block_rule_count: default: 0 readOnly: true title: Block rule count type: integer creation_date: format: date-time readOnly: true title: Creation date type: string default_rule_count: minimum: 0 readOnly: true title: Default rule count type: integer description: title: Description type: string disabled_rule_count: default: 0 readOnly: true title: Disabled rule count type: integer effective_state: enum: - alert - backend_alert - block - disabled - quarantine readOnly: true title: Effective state type: string enabled: title: Enabled type: boolean endpoint_detection: title: Endpoint detection type: boolean file_count: default: 0 readOnly: true title: File count type: integer file_experimental_count: default: 0 readOnly: true title: File experimental count type: integer file_stable_count: default: 0 readOnly: true title: File stable count type: integer file_testing_count: default: 0 readOnly: true title: File testing count type: integer global_state: enum: - alert - backend_alert - block - disabled - quarantine title: Global state type: string id: minLength: 1 readOnly: true title: Id type: string last_modifier: $ref: '#/definitions/HlSimpleUserSerializer' last_update: format: date-time readOnly: true title: Last update type: string name: maxLength: 100 minLength: 1 title: Name type: string new_rule_state: default: default enum: - alert - backend_alert - block - default - disabled - quarantine title: New rule state type: string origin_stack: $ref: '#/definitions/OriginStack' 
origin_stack_id: minLength: 1 readOnly: true title: Origin stack id type: string x-nullable: true quarantine_on_agent: title: Quarantine on agent type: boolean quarantine_rule_count: default: 0 readOnly: true title: Quarantine rule count type: integer rule_confidence_default: enum: - moderate - strong - weak title: Rule confidence default type: string rule_count: default: 0 readOnly: true title: Rule count type: integer rule_disabled_count: default: 0 readOnly: true title: Rule disabled count type: integer rule_enabled_count: default: 0 readOnly: true title: Rule enabled count type: integer rule_experimental_count: default: 0 readOnly: true title: Rule experimental count type: integer rule_level_default: enum: - critical - high - informational - low - medium title: Rule level default type: string rule_stable_count: default: 0 readOnly: true title: Rule stable count type: integer rule_testing_count: default: 0 readOnly: true title: Rule testing count type: integer ruleset_source: $ref: '#/definitions/RulesetSourceSerializer' ruleset_source_rule_default: $ref: '#/definitions/RulesetSourceRuleDefaultSerializer' state: default: default enum: - alert - backend_alert - block - default - disabled - force_inherit - quarantine title: State type: string tenant: minLength: 1 readOnly: true title: Tenant type: string required: - name type: object YaraScan: properties: auto_download_new_files: default: false title: Auto download new files type: boolean directoriesToScan: items: minLength: 1 type: string type: array files: items: minLength: 1 type: string type: array filesBySource: items: $ref: '#/definitions/FilesBySource' readOnly: true type: array maxsize_files_download: default: 104857600 minimum: 0 title: Maxsize files download type: integer scanFilesystem: default: true title: Scanfilesystem type: boolean scanProcesses: default: false title: Scanprocesses type: boolean sources: items: minLength: 1 type: string type: array useDefaultPriority: default: true title: 
Usedefaultpriority type: boolean type: object YaraSource: properties: block_on_agent: title: Block on agent type: boolean creation_date: format: date-time readOnly: true title: Creation date type: string description: title: Description type: string effective_state: enum: - alert - backend_alert - block - disabled - quarantine readOnly: true title: Effective state type: string enabled: title: Enabled type: boolean endpoint_detection: title: Endpoint detection type: boolean file_count: default: 0 readOnly: true title: File count type: integer file_experimental_count: default: 0 readOnly: true title: File experimental count type: integer file_stable_count: default: 0 readOnly: true title: File stable count type: integer file_testing_count: default: 0 readOnly: true title: File testing count type: integer global_state: enum: - alert - backend_alert - block - disabled - quarantine title: Global state type: string id: minLength: 1 readOnly: true title: Id type: string last_modifier: $ref: '#/definitions/HlSimpleUserSerializer' last_update: format: date-time readOnly: true title: Last update type: string name: maxLength: 100 minLength: 1 title: Name type: string origin_stack: $ref: '#/definitions/OriginStack' origin_stack_id: minLength: 1 readOnly: true title: Origin stack id type: string x-nullable: true quarantine_on_agent: title: Quarantine on agent type: boolean rule_confidence_default: enum: - moderate - strong - weak title: Rule confidence default type: string rule_count: default: 0 readOnly: true title: Rule count type: integer rule_disabled_count: default: 0 readOnly: true title: Rule disabled count type: integer rule_enabled_count: default: 0 readOnly: true title: Rule enabled count type: integer rule_experimental_count: default: 0 readOnly: true title: Rule experimental count type: integer rule_level_default: enum: - critical - high - informational - low - medium title: Rule level default type: string rule_stable_count: default: 0 readOnly: true title: Rule 
stable count type: integer rule_testing_count: default: 0 readOnly: true title: Rule testing count type: integer tenant: minLength: 1 readOnly: true title: Tenant type: string required: - name type: object _AddAgentResponse: properties: added: title: Added type: integer status: minLength: 1 title: Status type: string required: - added - status type: object _AddTimelineRequest: properties: timeline_ids: items: minLength: 1 type: string type: array required: - timeline_ids type: object _AddTimelineResponse: properties: added: items: minLength: 1 type: string type: array status: minLength: 1 title: Status type: string required: - added - status type: object _AgentInfo: properties: hostname: minLength: 1 title: Hostname type: string id: minLength: 1 title: Id type: string required: - hostname - id type: object _AggregateTag: properties: ids: items: type: string x-nullable: true type: array new_comment: title: New comment type: string new_status: minLength: 1 title: New status type: string tag_alerts: title: Tag alerts type: boolean required: - ids - new_status type: object _AirgapStatus: properties: format: readOnly: true title: Format type: integer x-nullable: true last_update: format: date-time readOnly: true title: Last update type: string x-nullable: true status: enum: - failure - pending - processing - success readOnly: true title: Status type: string x-nullable: true targets: additionalProperties: enum: - failure - pending - processing - success type: string x-nullable: true title: Targets type: object version: minLength: 1 readOnly: true title: Version type: string x-nullable: true required: - targets type: object _AlerterRevision: properties: correlation_correlationrule: default: 0 title: Correlation correlationrule type: integer ioc_driverblocklist: default: 0 title: Ioc driverblocklist type: integer ioc_iocrule: default: 0 title: Ioc iocrule type: integer sigma_sigmarule: default: 0 title: Sigma sigmarule type: integer yara_yarafile: default: 0 title: Yara 
# Tail of _AlerterRevision (its start lies above this chunk) — left in its original flattened form.
yarafile type: integer type: object
# A subnet record produced by network discovery. The gateway_*, netbios_* and rmDNS_* names
# suggest these values are collected from the scanned network rather than typed by an operator,
# so treat them as untrusted input when rendering or correlating — TODO confirm against the producer.
_AssetSubnets:
  properties:
    agent:
      $ref: '#/definitions/__DataAgentSerializer'
    # Note that `access_denied` is a possible status next to the connectivity states.
    agent_status:
      enum:
        - access_denied
        - idle
        - offline
        - online
        - unknown
      readOnly: true
      title: Agent status
      type: string
    auto_scan:
      title: Auto scan
      type: boolean
    description:
      title: Description
      type: string
    gateway_ipaddress:
      minLength: 1
      title: Gateway ipaddress
      type: string
    gateway_macaddress:
      minLength: 1
      title: Gateway macaddress
      type: string
    gateway_oui:
      minLength: 1
      title: Gateway oui
      type: string
    id:
      minLength: 1
      title: Id
      type: string
    job_instance_id:
      minLength: 1
      title: Job instance id
      type: string
    # Proper date-time, unlike _Auth.timestamp below.
    last_scan_date:
      format: date-time
      title: Last scan date
      type: string
    name:
      minLength: 1
      title: Name
      type: string
    netbios_groups:
      items:
        minLength: 1
        type: string
      type: array
    netbios_name:
      minLength: 1
      title: Netbios name
      type: string
    observation_count:
      title: Observation count
      type: integer
    rmDNS_additional_records:
      items:
        minLength: 1
        type: string
      type: array
    rmDNS_names:
      items:
        minLength: 1
        type: string
      type: array
  # Only the identifiers, the scan date and the count are guaranteed; every
  # network-derived field above may be absent.
  required:
    - id
    - job_instance_id
    - last_scan_date
    - observation_count
  type: object
# Operator-editable subset of an asset: acknowledgement state, free-text description and name.
_AssetUpdate:
  properties:
    acknowledged:
      enum:
        - seen
        - to_check
      title: Acknowledged
      type: string
    description:
      title: Description
      type: string
    name:
      title: Name
      type: string
  type: object
# One authentication event; used as the per-edge payload of the authentication graph
# (see _AuthEdgeData.authentications). Every field is mandatory.
_Auth:
  properties:
    eventid:
      minLength: 1
      title: Eventid
      type: string
    id:
      minLength: 1
      title: Id
      type: string
    log_type:
      minLength: 1
      title: Log type
      type: string
    # NOTE(review): name suggests the authentication package (e.g. NTLM/Kerberos) — not fixed by the schema.
    package:
      minLength: 1
      title: Package
      type: string
    process_name:
      minLength: 1
      title: Process name
      type: string
    # NOTE(review): declared as a plain non-empty string, not `format: date-time` like the
    # other timestamps in this spec (e.g. _AssetSubnets.last_scan_date). Confirm the emitted
    # format before parsing or sorting on it.
    timestamp:
      minLength: 1
      title: Timestamp
      type: string
    username:
      minLength: 1
      title: Username
      type: string
  required:
    - eventid
    - id
    - log_type
    - package
    - process_name
    - timestamp
    - username
  type: object
# Payload of an authentication-graph edge: the raw events plus their aggregate statistics.
_AuthEdgeData:
  properties:
    authentications:
      items:
        $ref: '#/definitions/_Auth'
      type: array
    statistics:
      $ref: '#/definitions/_AuthentStats'
  required:
    - authentications
    - statistics
  type: object
# Payload of an authentication-graph node: the host identity plus inbound/outbound statistics.
_AuthNodeData:
  properties:
    agent_id:
      minLength: 1
      title: Agent id
      type: string
    hostname:
      minLength: 1
      title: Hostname
      type: string
    incoming_stats:
      $ref: '#/definitions/_AuthentStats'
    ip:
      minLength: 1
      title: Ip
      type: string
    outgoing_stats:
      $ref: '#/definitions/_AuthentStats'
  required:
    - agent_id
    - hostname
    - incoming_stats
    - ip
    - outgoing_stats
  type: object
# Directed edge of the authentication graph; `source`/`target` are node ids (see _AuthentNode.id).
_AuthentEdge:
  properties:
    data:
      $ref: '#/definitions/_AuthEdgeData'
    id:
      minLength: 1
      title: Id
      type: string
    source:
      minLength: 1
      title: Source
      type: string
    target:
      minLength: 1
      title: Target
      type: string
  required:
    - data
    - id
    - source
    - target
  type: object
# The authentication graph as a whole (wrapped by _MainGraph).
_AuthentGraph:
  properties:
    edges:
      items:
        $ref: '#/definitions/_AuthentEdge'
      type: array
    nodes:
      items:
        $ref: '#/definitions/_AuthentNode'
      type: array
  required:
    - edges
    - nodes
  type: object
# Node of the authentication graph.
_AuthentNode:
  properties:
    data:
      $ref: '#/definitions/_AuthNodeData'
    id:
      minLength: 1
      title: Id
      type: string
    name:
      minLength: 1
      title: Name
      type: string
  required:
    - data
    - id
    - name
  type: object
# Aggregated authentication counters. `logon_types` and `package_names` are open maps
# (additionalProperties) from an arbitrary string key to an integer count — the key
# vocabulary is not fixed by this schema. `success` and `total` are plain counts.
_AuthentStats:
  properties:
    logon_types:
      additionalProperties:
        type: integer
      title: Logon types
      type: object
    package_names:
      additionalProperties:
        type: integer
      title: Package names
      type: object
    success:
      title: Success
      type: integer
    total:
      title: Total
      type: integer
  required:
    - logon_types
    - package_names
    - success
    - total
  type: object
# Metadata accompanying one chunk of a chunked upload.
# NOTE(review): the schema puts no `minimum` on chunk/chunk_total and nothing relates the
# two (chunk < chunk_total); `filename` is required but nullable. Whatever consumes this must
# validate the chunk indices and reject path separators / traversal sequences in `filename`
# itself — the spec does not do it.
_ChunkedUpload:
  properties:
    chunk:
      title: Chunk
      type: integer
    chunk_total:
      title: Chunk total
      type: integer
    filename:
      minLength: 1
      title: Filename
      type: string
      x-nullable: true
  required:
    - chunk
    - chunk_total
    - filename
  type: object
# Circuit-breaker state for one platform. None of the fields is required, so
# `blocking_description`/`blocking_reason` may be absent even when `blocking` is true.
_CircuitBreakerQuery:
  properties:
    blocking:
      title: Blocking
      type: boolean
    blocking_description:
      minLength: 1
      title: Blocking description
      type: string
    blocking_reason:
      minLength: 1
      title: Blocking reason
      type: string
  type: object
# Circuit-breaker state broken down per agent OS.
_CircuitBreakerStatsQuery:
  properties:
    linux:
      $ref: '#/definitions/_CircuitBreakerQuery'
    macos:
      $ref: '#/definitions/_CircuitBreakerQuery'
    windows:
      $ref: '#/definitions/_CircuitBreakerQuery'
  type: object
_ClassifyDefaultAgents: properties: agents: items: $ref: '#/definitions/Agent' type: array dry_run: title: Dry run type: boolean groups: items: $ref: '#/definitions/Group' type: array update_count: title: Update count type: integer updates: additionalProperties: $ref: '#/definitions/_Updates' title: Updates type: object required: - dry_run - update_count - updates type: object _ConnectionsList: properties: count: title: Count type: integer results: items: $ref: '#/definitions/Connection' type: array required: - count - results type: object _CorrelationSourceRulesetPagination: properties: count: title: Count type: integer next: minLength: 1 title: Next type: string x-nullable: true previous: minLength: 1 title: Previous type: string x-nullable: true results: items: $ref: '#/definitions/CorrelationRulesetSource' type: array required: - count - results type: object _CreateIOCRule: properties: alert_count: readOnly: true title: Alert count type: integer block_on_agent: title: Block on agent type: boolean category: title: Category type: string x-nullable: true comment: title: Comment type: string x-nullable: true creation_date: format: date-time readOnly: true title: Creation date type: string description: title: Description type: string x-nullable: true effective_state: enum: - alert - backend_alert - block - disabled - quarantine readOnly: true title: Effective state type: string enabled: title: Enabled type: boolean endpoint_detection: title: Endpoint detection type: boolean global_state: enum: - alert - backend_alert - block - disabled - quarantine title: Global state type: string hl_local_testing_status: description: deprecated title: Hl local testing status type: string x-nullable: true hl_status: enum: - experimental - stable - testing title: Hl status type: string hl_testing_start_time: format: date-time readOnly: true title: Hl testing start time type: string id: minLength: 1 readOnly: true title: Id type: string info: title: Info type: string x-nullable: true 
last_modifier: $ref: '#/definitions/HlSimpleUserSerializer' last_update: format: date-time readOnly: true title: Last update type: string name: title: Name type: string origin_stack: $ref: '#/definitions/OriginStack' origin_stack_id: minLength: 1 readOnly: true title: Origin stack id type: string x-nullable: true overwrite: default: false title: Overwrite type: boolean quarantine_on_agent: title: Quarantine on agent type: boolean references: items: minLength: 1 title: References type: string type: array rule_confidence: enum: - moderate - strong - weak title: Rule confidence type: string x-nullable: true rule_confidence_override: enum: - moderate - strong - weak title: Rule confidence override type: string x-nullable: true rule_effective_confidence: enum: - moderate - strong - weak readOnly: true title: Rule effective confidence type: string rule_effective_level: enum: - critical - high - informational - low - medium readOnly: true title: Rule effective level type: string rule_level: enum: - critical - high - informational - low - medium readOnly: true title: Rule level type: string x-nullable: true rule_level_overridden: readOnly: true title: Rule level overridden type: boolean rule_level_override: enum: - critical - high - informational - low - medium title: Rule level override type: string x-nullable: true source: readOnly: true title: Source type: string source_id: minLength: 1 title: Source id type: string tenant: minLength: 1 readOnly: true title: Tenant type: string test_maturity_current_count: readOnly: true title: Test maturity current count type: integer test_maturity_delay: readOnly: true title: Test maturity delay type: integer test_maturity_threshold: readOnly: true title: Test maturity threshold type: integer type: enum: - domain_name - filename - filepath - hash - ip_both - ip_dst - ip_src - url title: Type type: string value: minLength: 1 title: Value type: string required: - source_id - type - value type: object _CreateSigmaRule: properties: 
alert_count: readOnly: true title: Alert count type: integer backend_detection: default: false readOnly: true title: Backend detection type: boolean block_on_agent: title: Block on agent type: boolean content: minLength: 1 title: Content type: string creation_date: format: date-time readOnly: true title: Creation date type: string declared_in: title: Declared in type: string x-nullable: true effective_state: enum: - alert - backend_alert - block - disabled - quarantine readOnly: true title: Effective state type: string enabled: title: Enabled type: boolean endpoint_detection: default: true readOnly: true title: Endpoint detection type: boolean errors: minLength: 1 readOnly: true title: Errors type: string x-nullable: true global_state: enum: - alert - backend_alert - block - disabled - quarantine title: Global state type: string hl_local_testing_status: description: deprecated title: Hl local testing status type: string x-nullable: true hl_status: enum: - experimental - stable - testing title: Hl status type: string hl_testing_start_time: format: date-time readOnly: true title: Hl testing start time type: string id: minLength: 1 readOnly: true title: Id type: string last_modifier: $ref: '#/definitions/HlSimpleUserSerializer' last_update: format: date-time readOnly: true title: Last update type: string name: maxLength: 100 minLength: 1 title: Name type: string origin_stack: $ref: '#/definitions/OriginStack' origin_stack_id: minLength: 1 readOnly: true title: Origin stack id type: string x-nullable: true overwrite: default: false title: Overwrite type: boolean quarantine_on_agent: title: Quarantine on agent type: boolean references: items: minLength: 1 title: References type: string type: array rule_confidence: enum: - moderate - strong - weak readOnly: true title: Rule confidence type: string x-nullable: true rule_confidence_override: enum: - moderate - strong - weak title: Rule confidence override type: string x-nullable: true rule_creation_date: format: date 
readOnly: true title: Rule creation date type: string x-nullable: true rule_description: minLength: 1 readOnly: true title: Rule description type: string x-nullable: true rule_effective_confidence: enum: - moderate - strong - weak readOnly: true title: Rule effective confidence type: string rule_effective_level: enum: - critical - high - informational - low - medium readOnly: true title: Rule effective level type: string rule_id: minLength: 1 readOnly: true title: Rule id type: string x-nullable: true rule_is_depended_on: items: additionalProperties: type: string x-nullable: true type: object readOnly: true type: array rule_level: enum: - critical - high - informational - low - medium readOnly: true title: Rule level type: string x-nullable: true rule_level_overridden: readOnly: true title: Rule level overridden type: boolean rule_level_override: enum: - critical - high - informational - low - medium title: Rule level override type: string x-nullable: true rule_modified_date: format: date readOnly: true title: Rule modified date type: string x-nullable: true rule_name: minLength: 1 readOnly: true title: Rule name type: string x-nullable: true rule_os: enum: - linux - macos - unknown - windows readOnly: true title: Rule os type: string rule_status: minLength: 1 readOnly: true title: Rule status type: string x-nullable: true rule_tactic_tags: items: maxLength: 256 minLength: 1 title: Rule tactic tags type: string readOnly: true type: array rule_technique_tags: items: maxLength: 256 minLength: 1 title: Rule technique tags type: string readOnly: true type: array rule_type: readOnly: true title: Rule type type: string source: readOnly: true title: Source type: string source_id: minLength: 1 title: Source id type: string tenant: minLength: 1 readOnly: true title: Tenant type: string test_maturity_current_count: readOnly: true title: Test maturity current count type: integer test_maturity_delay: readOnly: true title: Test maturity delay type: integer 
test_maturity_threshold: readOnly: true title: Test maturity threshold type: integer warnings: minLength: 1 readOnly: true title: Warnings type: string x-nullable: true whitelist_count: readOnly: true title: Whitelist count type: integer required: - content - name - source_id type: object _CreateYaraFile: properties: alert_count: readOnly: true title: Alert count type: integer block_on_agent: title: Block on agent type: boolean content: minLength: 1 title: Content type: string creation_date: format: date-time readOnly: true title: Creation date type: string effective_state: enum: - alert - backend_alert - block - disabled - quarantine readOnly: true title: Effective state type: string enabled: title: Enabled type: boolean endpoint_detection: title: Endpoint detection type: boolean global_state: enum: - alert - backend_alert - block - disabled - quarantine title: Global state type: string hl_local_testing_status: description: deprecated title: Hl local testing status type: string x-nullable: true hl_status: enum: - experimental - stable - testing title: Hl status type: string hl_testing_start_time: format: date-time readOnly: true title: Hl testing start time type: string id: minLength: 1 readOnly: true title: Id type: string last_modifier: $ref: '#/definitions/HlSimpleUserSerializer' last_update: format: date-time readOnly: true title: Last update type: string name: maxLength: 1024 minLength: 1 title: Name type: string origin_stack: $ref: '#/definitions/OriginStack' origin_stack_id: minLength: 1 readOnly: true title: Origin stack id type: string x-nullable: true overwrite: default: false title: Overwrite type: boolean quarantine_on_agent: title: Quarantine on agent type: boolean references: items: minLength: 1 title: References type: string type: array rule_classifications: items: minLength: 1 title: Rule classifications type: string readOnly: true type: array rule_confidence: enum: - moderate - strong - weak readOnly: true title: Rule confidence type: string 
x-nullable: true rule_confidence_override: enum: - moderate - strong - weak title: Rule confidence override type: string x-nullable: true rule_context: items: maxLength: 256 minLength: 1 title: Rule context type: string type: array rule_count: readOnly: true title: Rule count type: integer rule_creation_date: format: date readOnly: true title: Rule creation date type: string x-nullable: true rule_effective_confidence: enum: - moderate - strong - weak readOnly: true title: Rule effective confidence type: string rule_effective_level: enum: - critical - high - informational - low - medium readOnly: true title: Rule effective level type: string rule_level: enum: - critical - high - informational - low - medium readOnly: true title: Rule level type: string x-nullable: true rule_level_overridden: readOnly: true title: Rule level overridden type: boolean rule_level_override: enum: - critical - high - informational - low - medium title: Rule level override type: string x-nullable: true rule_modified_date: format: date readOnly: true title: Rule modified date type: string x-nullable: true rule_names: items: minLength: 1 title: Rule names type: string readOnly: true type: array rule_os: items: enum: - linux - macos - unknown - windows title: Rule os type: string readOnly: true type: array rule_score: readOnly: true title: Rule score type: integer x-nullable: true rule_tactic_tags: items: maxLength: 256 minLength: 1 title: Rule tactic tags type: string readOnly: true type: array rule_technique_tags: items: maxLength: 256 minLength: 1 title: Rule technique tags type: string readOnly: true type: array source: readOnly: true title: Source type: string source_id: minLength: 1 title: Source id type: string tenant: minLength: 1 readOnly: true title: Tenant type: string test_maturity_current_count: readOnly: true title: Test maturity current count type: integer test_maturity_delay: readOnly: true title: Test maturity delay type: integer test_maturity_threshold: readOnly: true title: 
Test maturity threshold type: integer required: - content - name - source_id type: object _DeleteAgentResponse: properties: removed: title: Removed type: integer status: minLength: 1 title: Status type: string required: - removed - status type: object _DeleteTimelineResponse: properties: removed: items: minLength: 1 type: string type: array status: minLength: 1 title: Status type: string required: - removed - status type: object _DeviceControlCodeDetailsResponse: properties: code: default: unknown_error enum: - default_policy_protection - endpoint_policy_not_found - multiple_policy_deleted - no_policy_deleted - not_owned_policy - ordering_mismatching_usb_rule_count - ordering_wrong_usb_rule_id - policy_in_use - policy_update_failed - policy_with_same_name_exists - unknown_error title: Code type: string details: minLength: 1 title: Details type: string required: - details type: object _DeviceControlPolicyInUseResponse: properties: agent_policy: items: $ref: '#/definitions/AgentPolicyIdAndName' type: array code: default: unknown_error enum: - default_policy_protection - endpoint_policy_not_found - multiple_policy_deleted - no_policy_deleted - not_owned_policy - ordering_mismatching_usb_rule_count - ordering_wrong_usb_rule_id - policy_in_use - policy_update_failed - policy_with_same_name_exists - unknown_error title: Code type: string details: minLength: 1 title: Details type: string required: - agent_policy - details type: object _DeviceControlPolicyMassDeleteResponse: properties: code: default: unknown_error enum: - default_policy_protection - endpoint_policy_not_found - multiple_policy_deleted - no_policy_deleted - not_owned_policy - ordering_mismatching_usb_rule_count - ordering_wrong_usb_rule_id - policy_in_use - policy_update_failed - policy_with_same_name_exists - unknown_error title: Code type: string deleted_policies: title: Deleted policies type: integer details: minLength: 1 title: Details type: string required: - details type: object 
_DeviceControlPolicyUsbRuleDuplicateResponse: properties: new_id: minLength: 1 title: New id type: string new_name: minLength: 1 title: New name type: string status: minLength: 1 title: Status type: string required: - new_id - new_name - status type: object _DeviceControlPolicyUsbRuleOrdering: properties: ordered_usb_rules_ids: items: format: uuid type: string type: array required: - ordered_usb_rules_ids type: object _DeviceScanHistory: properties: asset: $ref: '#/definitions/NDAsset' job_instance: $ref: '#/definitions/JobInstance' kpis: $ref: '#/definitions/KPI' scan_date: format: date-time readOnly: true title: Scan date type: string scanning_agent: $ref: '#/definitions/_LightAgent' type: object _DisassembleParams: properties: dumps: items: type: string x-nullable: true type: array required: - dumps type: object _Disassembly: properties: bpf: title: Bpf type: string raw: title: Raw type: string x86_32: title: X86 32 type: string x86_64: title: X86 64 type: string required: - raw - x86_32 - x86_64 type: object _Domain: properties: domains: items: minLength: 1 type: string type: array required: - domains type: object _DomainController: properties: dnsdomainname: minLength: 1 title: Dnsdomainname type: string domain_controller: minLength: 1 title: Domain controller type: string required: - dnsdomainname - domain_controller type: object _DriverBlocklistPagination: properties: count: title: Count type: integer next: minLength: 1 title: Next type: string x-nullable: true previous: minLength: 1 title: Previous type: string x-nullable: true results: items: $ref: '#/definitions/DriverBlocklist' type: array source: $ref: '#/definitions/DriverBlocklistSource' required: - count - results type: object _DriverBlocklistRulesetPagination: properties: count: title: Count type: integer next: minLength: 1 title: Next type: string x-nullable: true previous: minLength: 1 title: Previous type: string x-nullable: true results: items: $ref: '#/definitions/DriverBlocklistRulesetRule' 
type: array source: $ref: '#/definitions/DriverBlocklistSource' required: - count - results type: object _DriverBlocklistRulesetSourcePagination: properties: count: title: Count type: integer next: minLength: 1 title: Next type: string x-nullable: true previous: minLength: 1 title: Previous type: string x-nullable: true results: items: $ref: '#/definitions/DriverBlocklistRulesetSource' type: array required: - count - results type: object _DriverRulesetResponse: properties: actions: $ref: '#/definitions/Actions' rule_ids: items: minLength: 1 type: string type: array set_default: title: Set default type: boolean source: $ref: '#/definitions/DriverBlocklistRulesetSource' state: enum: - alert - backend_alert - block - default - disabled - quarantine title: State type: string required: - rule_ids - set_default - source - state type: object _EditMaintenanceNotice: properties: description: minLength: 1 title: Description type: string end_date: format: date-time title: End date type: string lifespan: title: Lifespan type: string title: minLength: 1 title: Title type: string required: - description - title type: object _ExplorerListResponse: properties: data: items: $ref: '#/definitions/Search' type: array recordsFiltered: title: Recordsfiltered type: integer recordsTotal: title: Recordstotal type: integer required: - data - recordsFiltered - recordsTotal type: object _FIMPolicyInUseResponse: properties: agent_policies: items: $ref: '#/definitions/AgentPolicyIdAndName' type: array code: default: unknown_error enum: - default_policy_protection - endpoint_policy_not_found - multiple_policy_deleted - no_policy_deleted - not_owned_policy - policy_in_use - policy_update_failed - policy_with_same_name_exists - unknown_error title: Code type: string details: minLength: 1 title: Details type: string required: - agent_policies - details type: object _FirewallNetworkCopyResponse: properties: code: default: unknown_error enum: - default_policy_protection - default_profile_protection - 
endpoint_policy_not_found - multiple_network_deleted - multiple_policy_deleted - multiple_profile_deleted - network_in_use - network_update_failed - no_network_deleted - no_policy_deleted - no_profile_deleted - not_owned_network - not_owned_policy - not_owned_profile - ordering_mismatching_rule_count - ordering_wrong_rule_id - policy_in_use - policy_update_failed - policy_with_same_name_exists - profile_in_use - profile_update_failed - rule_update_failed - unknown_error title: Code type: string details: minLength: 1 title: Details type: string new_id: minLength: 1 title: New id type: string new_name: minLength: 1 title: New name type: string required: - details - new_id - new_name type: object _FirewallNetworkInUseResponse: properties: code: default: unknown_error enum: - default_policy_protection - default_profile_protection - endpoint_policy_not_found - multiple_network_deleted - multiple_policy_deleted - multiple_profile_deleted - network_in_use - network_update_failed - no_network_deleted - no_policy_deleted - no_profile_deleted - not_owned_network - not_owned_policy - not_owned_profile - ordering_mismatching_rule_count - ordering_wrong_rule_id - policy_in_use - policy_update_failed - policy_with_same_name_exists - profile_in_use - profile_update_failed - rule_update_failed - unknown_error title: Code type: string details: minLength: 1 title: Details type: string firewall_policy: items: $ref: '#/definitions/FirewallPolicyIdAndName' type: array required: - details - firewall_policy type: object _FirewallNetworkMassDeleteResponse: properties: code: default: unknown_error enum: - default_policy_protection - default_profile_protection - endpoint_policy_not_found - multiple_network_deleted - multiple_policy_deleted - multiple_profile_deleted - network_in_use - network_update_failed - no_network_deleted - no_policy_deleted - no_profile_deleted - not_owned_network - not_owned_policy - not_owned_profile - ordering_mismatching_rule_count - ordering_wrong_rule_id - 
policy_in_use - policy_update_failed - policy_with_same_name_exists - profile_in_use - profile_update_failed - rule_update_failed - unknown_error title: Code type: string deleted_network_blocks: title: Deleted network blocks type: integer deleted_networks: title: Deleted networks type: integer details: minLength: 1 title: Details type: string required: - details type: object _FirewallPolicyInUseResponse: properties: agent_policy: items: $ref: '#/definitions/AgentPolicyIdAndName' type: array code: default: unknown_error enum: - default_policy_protection - default_profile_protection - endpoint_policy_not_found - multiple_network_deleted - multiple_policy_deleted - multiple_profile_deleted - network_in_use - network_update_failed - no_network_deleted - no_policy_deleted - no_profile_deleted - not_owned_network - not_owned_policy - not_owned_profile - ordering_mismatching_rule_count - ordering_wrong_rule_id - policy_in_use - policy_update_failed - policy_with_same_name_exists - profile_in_use - profile_update_failed - rule_update_failed - unknown_error title: Code type: string details: minLength: 1 title: Details type: string required: - agent_policy - details type: object _FirewallPolicyMassDeleteResponse: properties: code: default: unknown_error enum: - default_policy_protection - default_profile_protection - endpoint_policy_not_found - multiple_network_deleted - multiple_policy_deleted - multiple_profile_deleted - network_in_use - network_update_failed - no_network_deleted - no_policy_deleted - no_profile_deleted - not_owned_network - not_owned_policy - not_owned_profile - ordering_mismatching_rule_count - ordering_wrong_rule_id - policy_in_use - policy_update_failed - policy_with_same_name_exists - profile_in_use - profile_update_failed - rule_update_failed - unknown_error title: Code type: string deleted_policies: title: Deleted policies type: integer deleted_profile_to_networks: title: Deleted profile to networks type: integer details: minLength: 1 title: Details 
type: string required: - details type: object _FirewallProfileCopyResponse: properties: code: default: unknown_error enum: - default_policy_protection - default_profile_protection - endpoint_policy_not_found - multiple_network_deleted - multiple_policy_deleted - multiple_profile_deleted - network_in_use - network_update_failed - no_network_deleted - no_policy_deleted - no_profile_deleted - not_owned_network - not_owned_policy - not_owned_profile - ordering_mismatching_rule_count - ordering_wrong_rule_id - policy_in_use - policy_update_failed - policy_with_same_name_exists - profile_in_use - profile_update_failed - rule_update_failed - unknown_error title: Code type: string details: minLength: 1 title: Details type: string new_id: minLength: 1 title: New id type: string new_name: minLength: 1 title: New name type: string required: - details - new_id - new_name type: object _FirewallProfileInUseResponse: properties: code: default: unknown_error enum: - default_policy_protection - default_profile_protection - endpoint_policy_not_found - multiple_network_deleted - multiple_policy_deleted - multiple_profile_deleted - network_in_use - network_update_failed - no_network_deleted - no_policy_deleted - no_profile_deleted - not_owned_network - not_owned_policy - not_owned_profile - ordering_mismatching_rule_count - ordering_wrong_rule_id - policy_in_use - policy_update_failed - policy_with_same_name_exists - profile_in_use - profile_update_failed - rule_update_failed - unknown_error title: Code type: string details: minLength: 1 title: Details type: string firewall_policy: items: $ref: '#/definitions/FirewallPolicyIdAndName' type: array required: - details - firewall_policy type: object _FirewallProfileMassDeleteResponse: properties: code: default: unknown_error enum: - default_policy_protection - default_profile_protection - endpoint_policy_not_found - multiple_network_deleted - multiple_policy_deleted - multiple_profile_deleted - network_in_use - network_update_failed - 
no_network_deleted - no_policy_deleted - no_profile_deleted - not_owned_network - not_owned_policy - not_owned_profile - ordering_mismatching_rule_count - ordering_wrong_rule_id - policy_in_use - policy_update_failed - policy_with_same_name_exists - profile_in_use - profile_update_failed - rule_update_failed - unknown_error title: Code type: string deleted_profiles: title: Deleted profiles type: integer deleted_rules: title: Deleted rules type: integer details: minLength: 1 title: Details type: string required: - details type: object _FirewallProfileRuleOrdering: properties: ordered_rules_ids: items: format: uuid type: string type: array required: - ordered_rules_ids type: object _FirewallRuleCopyResponse: properties: new_id: minLength: 1 title: New id type: string new_name: minLength: 1 title: New name type: string status: minLength: 1 title: Status type: string required: - new_id - new_name - status type: object _GeneratedPasswords: properties: passwords: items: minLength: 1 type: string type: array required: - passwords type: object _GetWhitelistRuleFieldsResponse: properties: fields: items: $ref: '#/definitions/AlertField' type: array required: - fields type: object _GroupID: properties: group_ids: items: minLength: 1 type: string type: array required: - group_ids type: object _HandlesList: properties: count: title: Count type: integer results: items: $ref: '#/definitions/Handle' type: array required: - count - results type: object _IOCPagination: properties: count: title: Count type: integer next: minLength: 1 title: Next type: string x-nullable: true previous: minLength: 1 title: Previous type: string x-nullable: true results: items: $ref: '#/definitions/IOCRule' type: array source: $ref: '#/definitions/IOCSource' required: - count - results type: object _IOCRulesetPagination: properties: count: title: Count type: integer next: minLength: 1 title: Next type: string x-nullable: true previous: minLength: 1 title: Previous type: string x-nullable: true results: 
items: $ref: '#/definitions/IOCRulesetRule' type: array source: $ref: '#/definitions/IOCSource' required: - count - results type: object _IOCRulesetResponse: properties: actions: $ref: '#/definitions/Actions' rule_ids: items: minLength: 1 type: string type: array set_default: title: Set default type: boolean source: $ref: '#/definitions/IOCRulesetSource' state: enum: - alert - backend_alert - block - default - disabled - quarantine title: State type: string required: - rule_ids - set_default - source - state type: object _IOCSourceRulesetPagination: properties: count: title: Count type: integer next: minLength: 1 title: Next type: string x-nullable: true previous: minLength: 1 title: Previous type: string x-nullable: true results: items: $ref: '#/definitions/IOCRulesetSource' type: array required: - count - results type: object _InvestigationStatus: properties: ids: items: type: string x-nullable: true type: array new_status: maximum: 4 minimum: 0 title: New status type: integer required: - new_status type: object _InvestigationStatusStats: properties: new_status: maximum: 4 minimum: 0 title: New status type: integer stats: items: type: object type: array required: - new_status - stats type: object _IsolationResponse: properties: policy_not_allowed: items: $ref: '#/definitions/_AgentInfo' type: array requested: items: $ref: '#/definitions/_AgentInfo' type: array unrequested: items: $ref: '#/definitions/_AgentInfo' type: array unsupported: items: $ref: '#/definitions/_AgentInfo' type: array type: object _KpiCount: properties: count: readOnly: true title: Count type: integer kpi: minLength: 1 readOnly: true title: Kpi type: string type: object _LightAgent: properties: hostname: minLength: 1 readOnly: true title: Hostname type: string id: minLength: 1 readOnly: true title: Id type: string ostype: enum: - linux - macos - unknown - windows readOnly: true title: Ostype type: string version: minLength: 1 readOnly: true title: Version type: string type: object _Login: 
properties: password: minLength: 1 title: Password type: string username: minLength: 1 title: Username type: string required: - password - username type: object _MFAMethodBackupCodesGeneration: properties: code: minLength: 1 title: Code type: string required: - code type: object _MFAMethodDeactivationValidator: properties: code: minLength: 1 title: Code type: string type: object _MainGraph: properties: graph: $ref: '#/definitions/_AuthentGraph' required: - graph type: object _ManageAgentRequest: properties: agent_ids: items: minLength: 1 type: string type: array group_ids: items: minLength: 1 type: string type: array type: object _ModulesList: properties: count: title: Count type: integer results: items: $ref: '#/definitions/Module' type: array required: - count - results type: object _MonitoringAlerts: properties: alert_count_critical: default: 0 title: Alert count critical type: integer alert_count_error: default: 0 title: Alert count error type: integer type: object _NamesAntivirusPolicy: properties: id: format: uuid title: Id type: string name: minLength: 1 title: Name type: string origin_stack: $ref: '#/definitions/OriginStack' origin_stack_id: minLength: 1 title: Origin stack id type: string x-nullable: true required: - id - name type: object _OIDCActiveProviderPagination: properties: count: title: Count type: integer next: minLength: 1 title: Next type: string x-nullable: true previous: minLength: 1 title: Previous type: string x-nullable: true results: items: $ref: '#/definitions/OIDCActiveProvider' type: array required: - count - results type: object _OptionalUUID: properties: id: default: "" format: uuid title: Id type: string x-nullable: true type: object _PolicyCopyResponse: properties: new_id: minLength: 1 title: New id type: string new_name: minLength: 1 title: New name type: string status: minLength: 1 title: Status type: string required: - new_id - new_name - status type: object _PolicySetCopyResponse: properties: new_id: minLength: 1 title: New id 
type: string new_name: minLength: 1 title: New name type: string status: minLength: 1 title: Status type: string required: - new_id - new_name - status type: object _PolicySetCustom: properties: agent_id: format: uuid title: Agent id type: string edits: $ref: '#/definitions/PolicySetCreate' required: - agent_id - edits type: object _PolicySetUpdate: properties: agent_count: readOnly: true title: Agent count type: integer agent_policy: $ref: '#/definitions/PolicySetPolicyIdAndName' agent_policy_id: minLength: 1 title: Agent policy id type: string agent_policy_name: minLength: 1 readOnly: true title: Agent policy name type: string antivirus_policy: $ref: '#/definitions/PolicySetPolicyIdAndName' antivirus_policy_id: minLength: 1 title: Antivirus policy id type: string x-nullable: true antivirus_policy_name: minLength: 1 readOnly: true title: Antivirus policy name type: string x-nullable: true creation_date: format: date-time readOnly: true title: Creation date type: string creator: title: Creator type: integer x-nullable: true custom: readOnly: true title: Custom type: boolean description: title: Description type: string x-nullable: true device_control_policy: $ref: '#/definitions/PolicySetPolicyIdAndName' device_control_policy_id: minLength: 1 title: Device control policy id type: string x-nullable: true device_control_policy_name: minLength: 1 readOnly: true title: Device control policy name type: string x-nullable: true fim_policy: $ref: '#/definitions/PolicySetPolicyIdAndName' fim_policy_id: minLength: 1 title: Fim policy id type: string x-nullable: true fim_policy_name: minLength: 1 readOnly: true title: Fim policy name type: string x-nullable: true firewall_policy: $ref: '#/definitions/PolicySetPolicyIdAndName' firewall_policy_id: minLength: 1 title: Firewall policy id type: string x-nullable: true firewall_policy_name: minLength: 1 readOnly: true title: Firewall policy name type: string x-nullable: true id: format: uuid title: Id type: string last_modifier: 
title: Last modifier type: integer x-nullable: true last_update: format: date-time readOnly: true title: Last update type: string name: maxLength: 256 minLength: 1 title: Name type: string origin_stack: $ref: '#/definitions/OriginStack' origin_stack_id: maxLength: 64 minLength: 1 title: Origin stack id type: string x-nullable: true parent_policy_set: $ref: '#/definitions/PolicySetPolicies' parent_policy_set_id: format: uuid title: Parent policy set id type: string x-nullable: true revision: maximum: 2147483647 minimum: -2147483648 title: Revision type: integer synchronization_status: format: uuid title: Synchronization status type: string x-nullable: true tenant: minLength: 1 readOnly: true title: Tenant type: string updated_fields: additionalProperties: type: string x-nullable: true title: Updated fields type: object vulnerability_policy: $ref: '#/definitions/PolicySetPolicyIdAndName' vulnerability_policy_id: minLength: 1 title: Vulnerability policy id type: string x-nullable: true vulnerability_policy_name: minLength: 1 readOnly: true title: Vulnerability policy name type: string x-nullable: true required: - agent_policy_id - antivirus_policy_id - device_control_policy_id - fim_policy_id - firewall_policy_id - name - updated_fields - vulnerability_policy_id type: object _PolicyUpdate: properties: agent_auto_forget: default: false title: Agent auto forget type: boolean agent_auto_forget_max_days: default: 1 minimum: 1 title: Agent auto forget max days type: integer agent_auto_update: title: Agent auto update type: boolean agent_count: readOnly: true title: Agent count type: integer agent_ui_admin_message: title: Agent ui admin message type: string x-nullable: true agent_ui_enabled: title: Agent ui enabled type: boolean agent_ui_notification_level: maximum: 2147483647 minimum: -2147483648 title: Agent ui notification level type: integer agent_ui_notification_scope: maximum: 2147483647 minimum: -2147483648 title: Agent ui notification scope type: integer 
agent_upgrade_strategy: enum: - latest - manual - stable title: Agent upgrade strategy type: string always_go_through_proxy: title: Always go through proxy type: boolean antivirus_policy: format: uuid readOnly: true title: Antivirus policy type: string x-nullable: true antivirus_policy_name: readOnly: true title: Antivirus policy name type: string antivirus_profile: readOnly: true title: Antivirus profile type: string antivirus_profile_name: readOnly: true title: Antivirus profile name type: string audit_killswitch: title: Audit killswitch type: boolean binary_download_enabled: title: Binary download enabled type: boolean correlation_mode: maximum: 3 minimum: 0 title: Correlation mode type: integer correlation_ruleset: format: uuid title: Correlation ruleset type: string x-nullable: true description: title: Description type: string x-nullable: true device_control_policy: format: uuid readOnly: true title: Device control policy type: string x-nullable: true driverblock_mode: maximum: 3 minimum: 0 title: Driverblock mode type: integer driverblock_strategy: enum: - blocklist - heuristic title: Driverblock strategy type: string feature_callback_tampering: title: Feature callback tampering type: boolean feature_dse_tampering_mode: maximum: 2147483647 minimum: -2147483648 title: Feature dse tampering mode type: integer feature_event_stacktrace: title: Feature event stacktrace type: boolean feature_live_process_heuristics: title: Feature live process heuristics type: boolean feature_ppl_antimalware: title: Feature ppl antimalware type: boolean feature_process_tampering: title: Feature process tampering type: boolean feature_windows_filesystem_events: title: Feature windows filesystem events type: boolean fim_policy: format: uuid title: Fim policy type: string x-nullable: true firewall_policy: format: uuid readOnly: true title: Firewall policy type: string x-nullable: true hibou_minimum_level: minLength: 1 title: Hibou minimum level type: string hibou_mode: maximum: 3 
minimum: 0 title: Hibou mode type: integer hibou_skip_signed_ms: title: Hibou skip signed ms type: boolean hibou_skip_signed_others: title: Hibou skip signed others type: boolean hlai_files_minimum_level: minLength: 1 title: Hlai files minimum level type: string hlai_files_mode: maximum: 1 minimum: 0 title: Hlai files mode type: integer hlai_minimum_level: minLength: 1 title: Hlai minimum level type: string hlai_mode: maximum: 3 minimum: 0 title: Hlai mode type: integer hlai_pdf: title: Hlai pdf type: boolean hlai_scan_libraries: title: Hlai scan libraries type: boolean hlai_scripts_minimum_level: minLength: 1 title: Hlai scripts minimum level type: string hlai_scripts_mode: maximum: 3 minimum: 0 title: Hlai scripts mode type: integer hlai_skip_signed_ms: title: Hlai skip signed ms type: boolean hlai_skip_signed_others: title: Hlai skip signed others type: boolean hlai_vba: title: Hlai vba type: boolean hlai_written_executable: title: Hlai written executable type: boolean id: minLength: 1 readOnly: true title: Id type: string ioc_mode: maximum: 3 minimum: 0 title: Ioc mode type: integer ioc_ruleset: format: uuid title: Ioc ruleset type: string x-nullable: true ioc_scan_libraries: title: Ioc scan libraries type: boolean ioc_scan_written_executable: title: Ioc scan written executable type: boolean isolation_exclusions_revision: maximum: 2147483647 minimum: 0 title: Isolation exclusions revision type: integer x-nullable: true library_download_enabled: title: Library download enabled type: boolean linux_exclusions: minimum: 0 readOnly: true title: Linux exclusions type: integer linux_paths_other_watched_globs: default: - /dev/shm/** - /home/*/* - /home/*/*/* - /root/* - /root/*/* - /tmp/** items: minLength: 1 type: string minItems: 0 type: array linux_self_protection: title: Linux self protection type: boolean linux_self_protection_feature_hosts: title: Linux self protection feature hosts type: boolean linux_startup_block: title: Linux startup block type: boolean 
linux_use_isolation: title: Linux use isolation type: boolean local_endpoint_cache_size: default: 10240 maximum: 20480 minimum: 512 title: Local endpoint cache size type: integer loglevel: enum: - CRITICAL - DEBUG - ERROR - INFO - WARNING title: Loglevel type: string macos_exclusions: minimum: 0 readOnly: true title: Macos exclusions type: integer macos_paths_muted_exact: default: - /Library/Bluetooth/com.apple.MobileBluetooth.ledevices.paired.db-wal - /dev/null - /dev/ttys001 - /private/var/root/Library/Logs/Bluetooth/bluetoothd-hci-latest.pklg items: minLength: 1 type: string minItems: 0 type: array macos_paths_muted_globs: default: [] items: minLength: 1 type: string minItems: 0 type: array macos_paths_muted_prefixes: default: - /System/Volumes/Data/.Spotlight-V100/ - /private/var/db/dslocal/nodes/Default/users/ - /private/var/folders/ - /sbin/ - /usr/libexec/ - /usr/sbin/ items: minLength: 1 type: string minItems: 0 type: array macos_paths_other_watched_exact: default: - /.ssh/authorized_keys - /etc/aliases - /etc/aliases.db - /etc/bashrc - /etc/group - /etc/hosts - /etc/krb5.keytab - /etc/localtime - /etc/mail.rc - /etc/master.passwd - /etc/networks - /etc/ntp.conf - /etc/passwd - /etc/pf.conf - /etc/pf.os - /etc/profile - /etc/protocols - /etc/resolv.conf - /etc/services - /etc/shells - /etc/sudoers - /etc/zprofile - /etc/zshrc - /etc/zshrc_Apple_Terminal - /private/var/at/at.allow - /private/var/at/at.deny - /private/var/at/cron.allow - /private/var/at/cron.deny - /var/run/utmpx items: minLength: 1 type: string minItems: 0 type: array macos_paths_other_watched_globs: default: - /Users/*/* - /Users/*/.config/* - /Users/*/.config/*/* - /Users/*/.ssh/authorized_keys - /Users/*/Library/LaunchAgents/* - /etc/cups/* - /etc/pf/anchors/* - /etc/postfix/* - /etc/rc.* - /etc/security/* - /etc/ssh/* - /etc/ssl/* items: minLength: 1 type: string minItems: 0 type: array macos_paths_other_watched_prefixes: default: - /Library/LaunchAgents/ - /Library/LaunchDaemons/ - 
/Library/StartupItems/ - /System/Library/LaunchAgents/ - /System/Library/LaunchDaemons/ - /Users/ - /etc/ - /etc/pam.d/ - /etc/sudoers.d/ - /private/var/at/tabs/ items: minLength: 1 type: string minItems: 0 type: array macos_paths_read_watched_exact: default: - /.ssh/authorized_keys - /etc/aliases - /etc/aliases.db - /etc/bashrc - /etc/group - /etc/hosts - /etc/krb5.keytab - /etc/localtime - /etc/mail.rc - /etc/master.passwd - /etc/networks - /etc/ntp.conf - /etc/passwd - /etc/pf.conf - /etc/pf.os - /etc/profile - /etc/protocols - /etc/resolv.conf - /etc/services - /etc/shells - /etc/sudoers - /etc/zprofile - /etc/zshrc - /etc/zshrc_Apple_Terminal - /private/var/at/at.allow - /private/var/at/at.deny - /private/var/at/cron.allow - /private/var/at/cron.deny - /var/run/utmpx items: minLength: 1 type: string minItems: 0 type: array macos_paths_read_watched_globs: default: - /Users/*/* - /Users/*/.config/* - /Users/*/.config/*/* - /Users/*/.ssh/authorized_keys - /Users/*/Library/LaunchAgents/* - /etc/cups/* - /etc/pf/anchors/* - /etc/postfix/* - /etc/rc.* - /etc/security/* - /etc/ssh/* - /etc/ssl/* items: minLength: 1 type: string minItems: 0 type: array macos_paths_read_watched_prefixes: default: - /Library/LaunchAgents/ - /Library/LaunchDaemons/ - /Library/StartupItems/ - /System/Library/LaunchAgents/ - /System/Library/LaunchDaemons/ - /Users/ - /etc/ - /etc/pam.d/ - /etc/sudoers.d/ - /private/var/at/tabs/ items: minLength: 1 type: string minItems: 0 type: array macos_paths_write_watched_exact: default: - /.ssh/authorized_keys - /etc/aliases - /etc/aliases.db - /etc/bashrc - /etc/group - /etc/hosts - /etc/krb5.keytab - /etc/localtime - /etc/mail.rc - /etc/master.passwd - /etc/networks - /etc/ntp.conf - /etc/passwd - /etc/pf.conf - /etc/pf.os - /etc/profile - /etc/protocols - /etc/resolv.conf - /etc/services - /etc/shells - /etc/sudoers - /etc/zprofile - /etc/zshrc - /etc/zshrc_Apple_Terminal - /private/var/at/at.allow - /private/var/at/at.deny - 
/private/var/at/cron.allow - /private/var/at/cron.deny - /var/run/utmpx items: minLength: 1 type: string minItems: 0 type: array macos_paths_write_watched_globs: default: - /Users/*/* - /Users/*/.config/* - /Users/*/.config/*/* - /Users/*/.ssh/authorized_keys - /Users/*/Library/LaunchAgents/* - /etc/cups/* - /etc/pf/anchors/* - /etc/postfix/* - /etc/rc.* - /etc/security/* - /etc/ssh/* - /etc/ssl/* items: minLength: 1 type: string minItems: 0 type: array macos_paths_write_watched_prefixes: default: - /Library/LaunchAgents/ - /Library/LaunchDaemons/ - /Library/StartupItems/ - /System/Library/LaunchAgents/ - /System/Library/LaunchDaemons/ - /Users/ - /etc/ - /etc/pam.d/ - /etc/sudoers.d/ - /private/var/at/tabs/ items: minLength: 1 type: string minItems: 0 type: array macos_use_isolation: title: Macos use isolation type: boolean name: minLength: 1 title: Name type: string network_isolation_exclusions: minimum: 0 readOnly: true title: Network isolation exclusions type: integer origin_stack: $ref: '#/definitions/OriginStack' ransomguard_auto_blacklist: title: Ransomguard auto blacklist type: boolean ransomguard_canaries_name: minLength: 1 title: Ransomguard canaries name type: string x-nullable: true ransomguard_heuristic_mode: maximum: 2147483647 minimum: -2147483648 title: Ransomguard heuristic mode type: integer ransomguard_mode: maximum: 3 minimum: 0 title: Ransomguard mode type: integer remote_shell_mode: enum: - disabled - read - read_write - read_write_execute title: Remote shell mode type: string revision: readOnly: true title: Revision type: integer self_protection: title: Self protection type: boolean self_protection_feature_hosts: title: Self protection feature hosts type: boolean self_protection_feature_safe_mode: title: Self protection feature safe mode type: boolean self_protection_firewall: title: Self protection firewall type: boolean sidewatch_mode: maximum: 3 minimum: 0 title: Sidewatch mode type: integer sigma_mode: maximum: 3 minimum: 0 title: Sigma 
mode type: integer sigma_ruleset: format: uuid title: Sigma ruleset type: string x-nullable: true sleepjitter: maximum: 2147483647 minimum: -2147483648 title: Sleepjitter type: integer sleeptime: maximum: 2147483647 minimum: -2147483648 title: Sleeptime type: integer telemetry_alerts_limit: title: Telemetry alerts limit type: boolean telemetry_alerts_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry alerts limit value type: integer x-nullable: true telemetry_amsi_dynamic_scripts_limit: title: Telemetry amsi dynamic scripts limit type: boolean telemetry_amsi_dynamic_scripts_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry amsi dynamic scripts limit value type: integer x-nullable: true telemetry_amsi_dynamic_scripts_state: enum: - disabled - live - on_alert title: Telemetry amsi dynamic scripts state type: string telemetry_amsi_other_scans_limit: title: Telemetry amsi other scans limit type: boolean telemetry_amsi_other_scans_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry amsi other scans limit value type: integer x-nullable: true telemetry_amsi_other_scans_state: enum: - disabled - live - on_alert title: Telemetry amsi other scans state type: string telemetry_authentication: title: Telemetry authentication type: boolean telemetry_authentication_limit: title: Telemetry authentication limit type: boolean telemetry_authentication_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry authentication limit value type: integer x-nullable: true telemetry_authentication_state: enum: - disabled - live - on_alert title: Telemetry authentication state type: string telemetry_dns_resolution: title: Telemetry dns resolution type: boolean telemetry_dns_resolution_limit: title: Telemetry dns resolution limit type: boolean telemetry_dns_resolution_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry dns resolution limit value type: integer x-nullable: true 
telemetry_dns_resolution_state: enum: - disabled - live - on_alert title: Telemetry dns resolution state type: string telemetry_dotnet_library_state: enum: - disabled - on_alert title: Telemetry dotnet library state type: string telemetry_driverload: title: Telemetry driverload type: boolean telemetry_driverload_limit: title: Telemetry driverload limit type: boolean telemetry_driverload_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry driverload limit value type: integer x-nullable: true telemetry_driverload_state: enum: - disabled - live - on_alert title: Telemetry driverload state type: string telemetry_file_download_limit: title: Telemetry file download limit type: boolean telemetry_file_download_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry file download limit value type: integer x-nullable: true telemetry_file_download_state: enum: - disabled - live - on_alert title: Telemetry file download state type: string telemetry_file_limit: title: Telemetry file limit type: boolean telemetry_file_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry file limit value type: integer x-nullable: true telemetry_file_state: enum: - disabled - on_alert title: Telemetry file state type: string telemetry_kube_pod_event_limit: title: Telemetry kube pod event limit type: boolean telemetry_kube_pod_event_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry kube pod event limit value type: integer x-nullable: true telemetry_kube_pod_event_state: enum: - disabled - live - on_alert title: Telemetry kube pod event state type: string telemetry_library_load_limit: title: Telemetry library load limit type: boolean telemetry_library_load_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry library load limit value type: integer x-nullable: true telemetry_library_load_state: enum: - disabled - on_alert title: Telemetry library load state type: string telemetry_log: title: Telemetry log type: 
boolean telemetry_log_limit: title: Telemetry log limit type: boolean telemetry_log_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry log limit value type: integer x-nullable: true telemetry_log_state: enum: - disabled - live - on_alert title: Telemetry log state type: string telemetry_named_pipe_limit: title: Telemetry named pipe limit type: boolean telemetry_named_pipe_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry named pipe limit value type: integer x-nullable: true telemetry_named_pipe_state: enum: - disabled - on_alert title: Telemetry named pipe state type: string telemetry_network: title: Telemetry network type: boolean telemetry_network_limit: title: Telemetry network limit type: boolean telemetry_network_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry network limit value type: integer x-nullable: true telemetry_network_listen_limit: title: Telemetry network listen limit type: boolean telemetry_network_listen_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry network listen limit value type: integer x-nullable: true telemetry_network_listen_state: enum: - disabled - on_alert title: Telemetry network listen state type: string telemetry_network_state: enum: - disabled - live - on_alert title: Telemetry network state type: string telemetry_on_alert_enabled: title: Telemetry on alert enabled type: boolean telemetry_on_alert_live_overrides: items: enum: - telemetry_file_state - telemetry_named_pipe_state - telemetry_network_listen_state - telemetry_process_access_state - telemetry_process_tamper_state - telemetry_raw_device_access_state - telemetry_raw_socket_creation_state - telemetry_registry_state - telemetry_url_request_state - telemetry_wmi_event_state type: string type: array telemetry_on_alert_post_alert_max_duration_secs: maximum: 2147483647 minimum: 0 title: Telemetry on alert post alert max duration secs type: integer telemetry_on_alert_post_alert_max_event_count: 
maximum: 2147483647 minimum: 0 title: Telemetry on alert post alert max event count type: integer telemetry_on_alert_pre_alert_event_count: maximum: 2147483647 minimum: 1 title: Telemetry on alert pre alert event count type: integer telemetry_powershell: title: Telemetry powershell type: boolean telemetry_powershell_limit: title: Telemetry powershell limit type: boolean telemetry_powershell_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry powershell limit value type: integer x-nullable: true telemetry_powershell_state: enum: - disabled - live - on_alert title: Telemetry powershell state type: string telemetry_process: title: Telemetry process type: boolean telemetry_process_access_limit: title: Telemetry process access limit type: boolean telemetry_process_access_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry process access limit value type: integer x-nullable: true telemetry_process_access_state: enum: - disabled - on_alert title: Telemetry process access state type: string telemetry_process_limit: title: Telemetry process limit type: boolean telemetry_process_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry process limit value type: integer x-nullable: true telemetry_process_state: enum: - disabled - live - on_alert title: Telemetry process state type: string telemetry_process_tamper_limit: title: Telemetry process tamper limit type: boolean telemetry_process_tamper_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry process tamper limit value type: integer x-nullable: true telemetry_process_tamper_state: enum: - disabled - on_alert title: Telemetry process tamper state type: string telemetry_raw_device_access_limit: title: Telemetry raw device access limit type: boolean telemetry_raw_device_access_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry raw device access limit value type: integer x-nullable: true telemetry_raw_device_access_state: enum: - 
disabled - on_alert title: Telemetry raw device access state type: string telemetry_raw_socket_creation_limit: title: Telemetry raw socket creation limit type: boolean telemetry_raw_socket_creation_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry raw socket creation limit value type: integer x-nullable: true telemetry_raw_socket_creation_state: enum: - disabled - on_alert title: Telemetry raw socket creation state type: string telemetry_registry_limit: title: Telemetry registry limit type: boolean telemetry_registry_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry registry limit value type: integer x-nullable: true telemetry_registry_state: enum: - disabled - on_alert title: Telemetry registry state type: string telemetry_remotethread: title: Telemetry remotethread type: boolean telemetry_remotethread_limit: title: Telemetry remotethread limit type: boolean telemetry_remotethread_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry remotethread limit value type: integer x-nullable: true telemetry_remotethread_state: enum: - disabled - live - on_alert title: Telemetry remotethread state type: string telemetry_scheduled_tasks_limit: title: Telemetry scheduled tasks limit type: boolean telemetry_scheduled_tasks_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry scheduled tasks limit value type: integer x-nullable: true telemetry_scheduled_tasks_state: enum: - disabled - live - on_alert title: Telemetry scheduled tasks state type: string telemetry_service_limit: title: Telemetry service limit type: boolean telemetry_service_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry service limit value type: integer x-nullable: true telemetry_service_state: enum: - disabled - live - on_alert title: Telemetry service state type: string telemetry_url_request_limit: title: Telemetry url request limit type: boolean telemetry_url_request_limit_value: maximum: 2147483647 minimum: 
-2147483648 title: Telemetry url request limit value type: integer x-nullable: true telemetry_url_request_state: enum: - disabled - on_alert title: Telemetry url request state type: string telemetry_usb_activity_limit: title: Telemetry usb activity limit type: boolean telemetry_usb_activity_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry usb activity limit value type: integer x-nullable: true telemetry_usb_activity_state: enum: - disabled - live - on_alert title: Telemetry usb activity state type: string telemetry_user_group_limit: title: Telemetry user group limit type: boolean telemetry_user_group_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry user group limit value type: integer x-nullable: true telemetry_user_group_state: enum: - disabled - live - on_alert title: Telemetry user group state type: string telemetry_wmi_event_limit: title: Telemetry wmi event limit type: boolean telemetry_wmi_event_limit_value: maximum: 2147483647 minimum: -2147483648 title: Telemetry wmi event limit value type: integer x-nullable: true telemetry_wmi_event_state: enum: - disabled - on_alert title: Telemetry wmi event state type: string tenant: minLength: 1 readOnly: true title: Tenant type: string thread_download_enabled: title: Thread download enabled type: boolean updated_fields: additionalProperties: type: string x-nullable: true title: Updated fields type: object use_driver: readOnly: true title: Use driver type: boolean use_isolation: title: Use isolation type: boolean use_process_block: readOnly: true title: Use process block type: string vulnerability_policy: format: uuid title: Vulnerability policy type: string x-nullable: true windows_eventlog_config: default: detection_events: Application|Application Error: excluded: [] included: [] Application|Application Hang: excluded: [] included: [] Application|MSSQLSERVER: excluded: [] included: - 15457 Application|Microsoft-Windows-User Profiles Service: excluded: [] included: [] 
Application|Microsoft-Windows-WMI: excluded: [] included: [] Application|Microsoft-Windows-Winlogon: excluded: [] included: [] Application|MsiInstaller: excluded: [] included: [] Application|SecurityCenter: excluded: [] included: [] Application|Windows Error Reporting: excluded: [] included: [] Application|Wow64 Emulation Layer: excluded: [] included: [] Microsoft-Windows-CodeIntegrity/Operational|Microsoft-Windows-CodeIntegrity: excluded: [] included: [] Microsoft-Windows-NTLM/Operational|Microsoft-Windows-NTLM: excluded: [] included: [] Microsoft-Windows-PowerShell/Operational|Microsoft-Windows-PowerShell: excluded: [] included: [] Microsoft-Windows-TerminalServices-LocalSessionManager/Operational|Microsoft-Windows-TerminalServices-LocalSessionManager: excluded: [] included: [] ? Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational|Microsoft-Windows-TerminalServices-RemoteConnectionManager : excluded: [] included: [] Security|Microsoft-Windows-Eventlog: excluded: [] included: [] Security|Microsoft-Windows-Security-Auditing: excluded: [] included: - 4608 - 4609 - 4610 - 4611 - 4612 - 4614 - 4615 - 4616 - 4618 - 4621 - 4622 - 4624 - 4625 - 4634 - 4647 - 4648 - 4649 - 4697 - 4698 - 4699 - 4700 - 4701 - 4702 - 4703 - 4704 - 4705 - 4706 - 4707 - 4713 - 4716 - 4717 - 4718 - 4719 - 4720 - 4722 - 4723 - 4724 - 4725 - 4726 - 4727 - 4728 - 4729 - 4730 - 4731 - 4732 - 4733 - 4734 - 4735 - 4737 - 4738 - 4739 - 4740 - 4741 - 4742 - 4743 - 4744 - 4745 - 4746 - 4747 - 4748 - 4749 - 4750 - 4751 - 4752 - 4753 - 4754 - 4755 - 4756 - 4757 - 4758 - 4759 - 4760 - 4761 - 4762 - 4764 - 4765 - 4766 - 4767 - 4768 - 4769 - 4770 - 4771 - 4772 - 4773 - 4774 - 4776 - 4777 - 4778 - 4779 - 4781 - 4793 - 4797 - 4798 - 4799 - 4800 - 4801 - 4802 - 4803 - 4820 - 4821 - 4822 - 4823 - 4824 - 4825 - 4826 - 4865 - 4866 - 4867 - 4870 - 4886 - 4887 - 4888 - 4893 - 4898 - 4902 - 4904 - 4905 - 4907 - 4931 - 4932 - 4933 - 4946 - 4948 - 4956 - 4964 - 4985 - 5024 - 5025 - 5029 - 5030 - 5033 
- 5034 - 5035 - 5037 - 5059 - 5136 - 5137 - 5138 - 5139 - 5140 - 5145 - 6144 - 6145 - 6272 - 6273 - 6278 - 6416 - 6423 - 6424 System|Microsoft Antimalware: excluded: [] included: [] System|Microsoft-Windows-Bits-Client: excluded: [] included: [] System|Microsoft-Windows-Directory-Services-SAM: excluded: [] included: [] System|Microsoft-Windows-DistributedCOM: excluded: [] included: [] System|Microsoft-Windows-Eventlog: excluded: [] included: [] System|Microsoft-Windows-GroupPolicy: excluded: [] included: [] System|Microsoft-Windows-Kernel-General: excluded: [] included: [] System|Microsoft-Windows-Kernel-Power: excluded: [] included: [] System|Microsoft-Windows-TaskScheduler: excluded: [] included: [] System|Microsoft-Windows-WER-SystemErrorReporting: excluded: [] included: [] System|Microsoft-Windows-WindowsUpdateClient: excluded: [] included: [] System|Microsoft-Windows-Wininit: excluded: [] included: [] System|Microsoft-Windows-Winlogon: excluded: [] included: [] System|Service Control Manager: excluded: [] included: [] System|User32: excluded: [] included: [] Windows Powershell|PowerShell: excluded: [] included: [] telemetry_events: Application|Application Error: excluded: [] included: [] Application|Application Hang: excluded: [] included: [] Application|MSSQLSERVER: excluded: [] included: - 15457 Application|Microsoft-Windows-User Profiles Service: excluded: [] included: [] Application|Microsoft-Windows-WMI: excluded: [] included: [] Application|Microsoft-Windows-Winlogon: excluded: [] included: [] Application|MsiInstaller: excluded: [] included: [] Application|SecurityCenter: excluded: [] included: [] Application|Windows Error Reporting: excluded: [] included: [] Application|Wow64 Emulation Layer: excluded: [] included: [] Microsoft-Windows-CodeIntegrity/Operational|Microsoft-Windows-CodeIntegrity: excluded: [] included: [] Microsoft-Windows-NTLM/Operational|Microsoft-Windows-NTLM: excluded: [] included: [] 
Microsoft-Windows-PowerShell/Operational|Microsoft-Windows-PowerShell: excluded: [] included: [] Microsoft-Windows-TerminalServices-LocalSessionManager/Operational|Microsoft-Windows-TerminalServices-LocalSessionManager: excluded: [] included: [] ? Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational|Microsoft-Windows-TerminalServices-RemoteConnectionManager : excluded: [] included: [] Security|Microsoft-Windows-Eventlog: excluded: [] included: [] Security|Microsoft-Windows-Security-Auditing: excluded: [] included: - 4608 - 4609 - 4610 - 4611 - 4612 - 4614 - 4615 - 4616 - 4618 - 4621 - 4622 - 4624 - 4625 - 4634 - 4647 - 4648 - 4649 - 4697 - 4698 - 4699 - 4700 - 4701 - 4702 - 4703 - 4704 - 4705 - 4706 - 4707 - 4713 - 4716 - 4717 - 4718 - 4719 - 4720 - 4722 - 4723 - 4724 - 4725 - 4726 - 4727 - 4728 - 4729 - 4730 - 4731 - 4732 - 4733 - 4734 - 4735 - 4737 - 4738 - 4739 - 4740 - 4741 - 4742 - 4743 - 4744 - 4745 - 4746 - 4747 - 4748 - 4749 - 4750 - 4751 - 4752 - 4753 - 4754 - 4755 - 4756 - 4757 - 4758 - 4759 - 4760 - 4761 - 4762 - 4764 - 4765 - 4766 - 4767 - 4768 - 4769 - 4770 - 4771 - 4772 - 4773 - 4774 - 4776 - 4777 - 4778 - 4779 - 4781 - 4793 - 4797 - 4798 - 4799 - 4800 - 4801 - 4802 - 4803 - 4820 - 4821 - 4822 - 4823 - 4824 - 4825 - 4826 - 4865 - 4866 - 4867 - 4870 - 4886 - 4887 - 4888 - 4893 - 4898 - 4902 - 4904 - 4905 - 4907 - 4931 - 4932 - 4933 - 4946 - 4948 - 4956 - 4964 - 4985 - 5024 - 5025 - 5029 - 5030 - 5033 - 5034 - 5035 - 5037 - 5059 - 5136 - 5137 - 5138 - 5139 - 5140 - 5145 - 6144 - 6145 - 6272 - 6273 - 6278 - 6416 - 6423 - 6424 System|Microsoft Antimalware: excluded: [] included: [] System|Microsoft-Windows-Bits-Client: excluded: [] included: [] System|Microsoft-Windows-Directory-Services-SAM: excluded: [] included: [] System|Microsoft-Windows-DistributedCOM: excluded: [] included: [] System|Microsoft-Windows-Eventlog: excluded: [] included: [] System|Microsoft-Windows-GroupPolicy: excluded: [] included: [] 
System|Microsoft-Windows-Kernel-General: excluded: [] included: [] System|Microsoft-Windows-Kernel-Power: excluded: [] included: [] System|Microsoft-Windows-TaskScheduler: excluded: [] included: [] System|Microsoft-Windows-WER-SystemErrorReporting: excluded: [] included: [] System|Microsoft-Windows-WindowsUpdateClient: excluded: [] included: [] System|Microsoft-Windows-Wininit: excluded: [] included: [] System|Microsoft-Windows-Winlogon: excluded: [] included: [] System|Service Control Manager: excluded: [] included: [] System|User32: excluded: [] included: [] Windows Powershell|PowerShell: excluded: [] included: [] description: |- Holds the dynamic subscription configuration for eventlogs. Stores which event ids to subscribe to for each event log channel. properties: detection_events: additionalProperties: items: description: Lists of event ids to include and exclude for a given channel. properties: excluded: description: A list of event ids to exclude. items: type: integer type: array included: description: |- A list of event ids to include. An empty list is treated as None, which automatically subscribes to all event ids of the associated channel. items: type: integer type: array type: object type: array description: |- Event log channels and ids to subscribe to for detection only. Events generated that match this configuration will be sent to the detection engines. type: object telemetry_events: additionalProperties: items: description: Lists of event ids to include and exclude for a given channel. properties: excluded: description: A list of event ids to exclude. items: type: integer type: array included: description: |- A list of event ids to include. An empty list is treated as None, which automatically subscribes to all event ids of the associated channel. items: type: integer type: array type: object type: array description: |- Event log channels and ids to subscribe to. 
Events generated that match this configuration will be sent to the backend if the event log telemetry is enabled. type: object required: - detection_events - telemetry_events title: Windows Eventlog Config type: object windows_exclusions: minimum: 0 readOnly: true title: Windows exclusions type: integer windows_read_watched_paths: default: - '*\PROGRAM FILES*' - '*\PROGRAMDATA\*' - '*\USERS\*' - '*\WINDOWS\SYSTEM32\DRIVERS\ETC\*' - '*\WINDOWS\SYSTEM32\TASKS\*' items: minLength: 1 type: string minItems: 0 type: array windows_registry_read_blacklist: default: [] items: minLength: 1 type: string minItems: 0 type: array windows_registry_read_whitelist: default: - HKLM\SAM\SAM\DOMAINS\ACCOUNT\USERS\*\* - HKLM\SECURITY\CACHE\* - HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\* - HKLM\SYSTEM\CONTROLSET???\CONTROL\LSA\DATA - HKLM\SYSTEM\CONTROLSET???\CONTROL\LSA\GBG - HKLM\SYSTEM\CONTROLSET???\CONTROL\LSA\JD - HKLM\SYSTEM\CONTROLSET???\CONTROL\LSA\SKEW1 - HKLM\SYSTEM\CONTROLSET???\SERVICES\SYSMONDRV\PARAMETERS\* - HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA\DATA - HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA\GBG - HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA\JD - HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA\SKEW1 - HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\CERTSVC\CONFIGURATION\*\POLICYMODULES\CERTIFICATEAUTHORITY_MICROSOFTDEFAULT.POLICY\EDITFLAGS - HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SYSMONDRV\PARAMETERS\* - HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\AAD\STORAGE\* - HKU\*\SOFTWARE\OPENSSH\AGENT\KEYS\* - HKU\*\SOFTWARE\ORL\WINVNC3\PASSWORD\* - HKU\*\SOFTWARE\SIMONTATHAM\* items: minLength: 1 type: string minItems: 0 type: array windows_self_protection: title: Windows self protection type: boolean windows_self_protection_feature_firewall: title: Windows self protection feature firewall type: boolean windows_self_protection_feature_hosts: title: Windows self protection feature hosts type: boolean windows_self_protection_feature_safe_mode: title: Windows self protection 
feature safe mode type: boolean windows_write_watched_paths: default: - '*\PROGRAM FILES*' - '*\PROGRAMDATA\*' - '*\USERS\*' - '*\WINDOWS\SYSTEM32\DRIVERS\ETC\*' - '*\WINDOWS\SYSTEM32\TASKS\*' items: minLength: 1 type: string minItems: 0 type: array yara_mode: maximum: 3 minimum: 0 title: Yara mode type: integer yara_ruleset: format: uuid title: Yara ruleset type: string x-nullable: true yara_scan_libraries_load: title: Yara scan libraries load type: boolean yara_scan_written_executable: title: Yara scan written executable type: boolean yara_scan_written_files: title: Yara scan written files type: boolean yara_skip_signed_ms: title: Yara skip signed ms type: boolean yara_skip_signed_others: title: Yara skip signed others type: boolean required: - name - updated_fields type: object _ProcessListResponse: properties: '@timestamp': format: date-time title: '@timestamp' type: string _hasChildren: title: haschildren type: boolean _path: items: type: string x-nullable: true type: array _space: minLength: 1 title: space type: string agent: $ref: '#/definitions/DataAgent' binaryinfo: $ref: '#/definitions/BinaryInfoWithPath' cmdline: minLength: 1 title: Cmdline type: string connections: $ref: '#/definitions/Connection' cpu_percent: title: Cpu percent type: number create_time: format: date-time title: Create time type: string critical: title: Critical type: boolean exe: minLength: 1 title: Exe type: string fd: $ref: '#/definitions/FileDescriptor' handles: $ref: '#/definitions/Handle' hashes_requested: title: Hashes requested type: boolean id: minLength: 1 title: Id type: string integrity_level: minLength: 1 title: Integrity level type: string iskernel: title: Iskernel type: boolean item_status: title: Item status type: integer job_id: minLength: 1 title: Job id type: string job_instance_action: minLength: 1 title: Job instance action type: string job_instance_id: minLength: 1 title: Job instance id type: string job_instance_task_id: title: Job instance task id type: integer 
maybe_hollow: title: Maybe hollow type: boolean mem_private_bytes: title: Mem private bytes type: integer mem_working_set: title: Mem working set type: integer modules: $ref: '#/definitions/Module' name: minLength: 1 title: Name type: string pid: title: Pid type: integer ppid: title: Ppid type: integer process_bits: title: Process bits type: integer session: title: Session type: integer signature_requested: title: Signature requested type: boolean status: minLength: 1 title: Status type: string suspicious: title: Suspicious type: boolean tenant: minLength: 1 title: Tenant type: string threads: $ref: '#/definitions/Thread' username: minLength: 1 title: Username type: string required: - '@timestamp' - _path - _space - agent - binaryinfo - cmdline - connections - cpu_percent - create_time - critical - exe - fd - handles - hashes_requested - id - integrity_level - iskernel - item_status - job_id - job_instance_action - job_instance_id - job_instance_task_id - maybe_hollow - mem_private_bytes - mem_working_set - modules - name - pid - ppid - process_bits - session - signature_requested - status - suspicious - tenant - threads - username type: object _ResponseBackupCodes: properties: backup_codes: items: minLength: 1 type: string type: array required: - backup_codes type: object _RevisionByEngine: properties: correlation_revision: title: Correlation revision type: integer driver_blocklists_revision: title: Driver blocklists revision type: integer ioc_revision: title: Ioc revision type: integer sigma_revision: title: Sigma revision type: integer usb_device_control_revision: title: Usb device control revision type: integer whitelist_revision: title: Whitelist revision type: integer yara_revision: title: Yara revision type: integer required: - correlation_revision - driver_blocklists_revision - ioc_revision - sigma_revision - usb_device_control_revision - whitelist_revision - yara_revision type: object _Revisions: properties: alerter_revisions: $ref: 
'#/definitions/_AlerterRevision' required: - alerter_revisions type: object _RuleBulkUpdate: properties: block_on_agent: title: Block on agent type: boolean enabled: title: Enabled type: boolean endpoint_detection: title: Endpoint detection type: boolean global_state: enum: - alert - backend_alert - block - default - disabled - quarantine title: Global state type: string quarantine_on_agent: title: Quarantine on agent type: boolean rule_confidence_override: enum: - moderate - strong - weak title: Rule confidence override type: string x-nullable: true rule_ids: items: minLength: 1 type: string type: array rule_level_override: enum: - critical - high - informational - low - medium title: Rule level override type: string x-nullable: true type: object _RulesetAll: properties: count: minimum: 0 title: Count type: integer results: items: $ref: '#/definitions/RulesetLight' type: array required: - count - results type: object _SearchBinary: properties: binaryinfoSha256: minLength: 1 title: Binaryinfosha256 type: string download_status: readOnly: true title: Download status type: string fullpaths: minLength: 1 title: Fullpaths type: string required: - binaryinfoSha256 - fullpaths type: object _SearchPersistence: properties: count: title: Count type: integer types: additionalProperties: $ref: '#/definitions/SearchBinaryPersistence' title: Types type: object required: - count - types type: object _SigmaPagination: properties: count: title: Count type: integer next: minLength: 1 title: Next type: string x-nullable: true previous: minLength: 1 title: Previous type: string x-nullable: true results: items: $ref: '#/definitions/SigmaRule' type: array source: $ref: '#/definitions/SigmaSource' required: - count - results type: object _SigmaRulesetPagination: properties: count: title: Count type: integer next: minLength: 1 title: Next type: string x-nullable: true previous: minLength: 1 title: Previous type: string x-nullable: true results: items: $ref: 
'#/definitions/SigmaRulesetRule' type: array source: $ref: '#/definitions/SigmaSource' required: - count - results type: object _SigmaRulesetResponse: properties: actions: $ref: '#/definitions/Actions' rule_ids: items: minLength: 1 type: string type: array set_default: title: Set default type: boolean source: $ref: '#/definitions/SigmaRulesetSource' state: enum: - alert - backend_alert - block - default - disabled - quarantine title: State type: string required: - rule_ids - set_default - source - state type: object _SigmaSourceRulesetPagination: properties: count: title: Count type: integer next: minLength: 1 title: Next type: string x-nullable: true previous: minLength: 1 title: Previous type: string x-nullable: true results: items: $ref: '#/definitions/SigmaRulesetSource' type: array required: - count - results type: object _Status: properties: elasticsearch: title: Elasticsearch type: boolean global: title: Global type: boolean postgresql: title: Postgresql type: boolean redis: title: Redis type: boolean required: - elasticsearch - global - postgresql - redis type: object _SubnetDiscoveredBy: properties: id: minLength: 1 title: Id type: string name: title: Name type: string required: - id type: object x-nullable: true _SubnetHistoryChart: properties: counts: items: $ref: '#/definitions/_KpiCount' readOnly: true type: array date: format: date-time readOnly: true title: Date type: string job_instance_id: minLength: 1 readOnly: true title: Job instance id type: string type: object _SubnetScanHistory: properties: job_instance: $ref: '#/definitions/JobInstance' kpis: $ref: '#/definitions/KPI' scan_date: format: date-time readOnly: true title: Scan date type: string scanning_agent: $ref: '#/definitions/_LightAgent' type: object _TelemetryConfigItem: properties: allowed_values: items: enum: - disabled - live - on_alert type: string type: array os_types: items: enum: - kubernetes - linux - macos - unknown - windows type: string type: array required: - allowed_values - 
os_types type: object _Tenant: properties: base_domain: minLength: 1 title: Base domain type: string x-nullable: true base_port: minLength: 1 title: Base port type: string id: minLength: 1 title: Id type: string x-nullable: true is_supervisor: title: Is supervisor type: boolean is_tenant: title: Is tenant type: boolean supervisor_stack_id: minLength: 1 title: Supervisor stack id type: string x-nullable: true tenants: additionalProperties: type: string x-nullable: true title: Tenants type: object required: - base_domain - base_port - id - is_supervisor - is_tenant - supervisor_stack_id - tenants type: object _ThreadsList: properties: count: title: Count type: integer results: items: $ref: '#/definitions/Thread' type: array required: - count - results type: object _UUID: properties: id: format: uuid title: Id type: string x-nullable: true required: - id type: object _UpdateChar: properties: id: minLength: 1 title: Id type: string required: - id type: object _Updates: properties: new_group_ids: items: minLength: 1 type: string type: array policy_id: minLength: 1 title: Policy id type: string required: - new_group_ids - policy_id type: object _UpgradeStatus: properties: chunk_total: title: Chunk total type: integer x-nullable: true filename: minLength: 1 title: Filename type: string x-nullable: true last_chunk_uploaded: title: Last chunk uploaded type: integer x-nullable: true last_update: format: date-time readOnly: true title: Last update type: string x-nullable: true os: enum: - empty - failure - pending - processing - success title: Os type: string product: enum: - empty - failure - pending - processing - success title: Product type: string status: enum: - cancelled - empty - failure - merging_image - pending - processing_os - processing_product - success - uploading title: Status type: string required: - filename - os - product - status type: object _UploadStatus: properties: code: enum: - duplicate_rule - invalid_sigma_content - parse_error_yaml title: Code type: 
string content: minLength: 1 title: Content type: string filename: minLength: 1 title: Filename type: string id: format: uuid title: Id type: string is_overwritten: default: false title: Is overwritten type: boolean status: default: false title: Status type: boolean type: object _UploadStatusSerialier: properties: filename: minLength: 1 title: Filename type: string msg: minLength: 1 title: Msg type: string status: title: Status type: boolean required: - filename - msg - status type: object _UploadYamlRole: properties: filename: minLength: 1 title: Filename type: string msg: minLength: 1 title: Msg type: string status: title: Status type: boolean required: - filename - msg - status type: object _UserID: properties: user_ids: items: type: integer type: array type: object _Version: properties: version: minLength: 1 title: Version type: string required: - version type: object _VulnerabilityPolicyCopyResponse: properties: details: minLength: 1 title: Details type: string new_id: minLength: 1 title: New id type: string new_name: minLength: 1 title: New name type: string required: - details - new_id - new_name type: object _VulnerabilityPolicyInUseResponse: properties: agent_policies: items: $ref: '#/definitions/AgentPolicyIdAndName' type: array code: default: unknown_error enum: - default_policy_protection - endpoint_policy_not_found - multiple_policy_deleted - no_policy_deleted - not_owned_policy - policy_in_use - policy_update_failed - policy_with_same_name_exists - unknown_error title: Code type: string details: minLength: 1 title: Details type: string required: - agent_policies - details type: object _WhitelistHistoryListing: properties: count: title: Count type: integer next: minLength: 1 title: Next type: string x-nullable: true previous: minLength: 1 title: Previous type: string x-nullable: true results: items: $ref: '#/definitions/WhitelistRuleHistoryRecord' type: array required: - count - results type: object _YARARulesetResponse: properties: actions: $ref: 
'#/definitions/Actions' rule_ids: items: minLength: 1 type: string type: array set_default: title: Set default type: boolean source: $ref: '#/definitions/YaraRulesetSource' state: enum: - alert - backend_alert - block - default - disabled - quarantine title: State type: string required: - rule_ids - set_default - source - state type: object _YaraPagination: properties: count: title: Count type: integer next: minLength: 1 title: Next type: string x-nullable: true previous: minLength: 1 title: Previous type: string x-nullable: true results: items: $ref: '#/definitions/YaraFile' type: array source: $ref: '#/definitions/YaraSource' required: - count - results type: object _YaraRulesetPagination: properties: count: title: Count type: integer next: minLength: 1 title: Next type: string x-nullable: true previous: minLength: 1 title: Previous type: string x-nullable: true results: items: $ref: '#/definitions/YaraRulesetRule' type: array source: $ref: '#/definitions/YaraSource' required: - count - results type: object _YaraSourceRulesetPagination: properties: count: title: Count type: integer next: minLength: 1 title: Next type: string x-nullable: true previous: minLength: 1 title: Previous type: string x-nullable: true results: items: $ref: '#/definitions/YaraRulesetSource' type: array required: - count - results type: object __DataAgentSerializer: properties: agentid: minLength: 1 title: Agentid type: string hostname: minLength: 1 title: Hostname type: string osproducttype: minLength: 1 title: Osproducttype type: string ostype: minLength: 1 title: Ostype type: string version: minLength: 1 title: Version type: string required: - agentid - hostname type: object __SubnetDetailsSerializer: properties: auto_scan: title: Auto scan type: boolean blacklisted: readOnly: true title: Blacklisted type: boolean description: title: Description type: string x-nullable: true exclusions: items: $ref: '#/definitions/SubnetExclusion' readOnly: true type: array existing_agent_count: 
readOnly: true title: Existing agent count type: integer x-nullable: true first_seen: format: date-time readOnly: true title: First seen type: string gateway_ipaddress: minLength: 1 readOnly: true title: Gateway ipaddress type: string x-nullable: true gateway_macaddress: minLength: 1 readOnly: true title: Gateway macaddress type: string x-nullable: true gateway_oui: minLength: 1 title: Gateway oui type: string x-nullable: true id: format: uuid readOnly: true title: Id type: string inclusions: items: $ref: '#/definitions/SubnetInclusion' readOnly: true type: array is_scannable: readOnly: true title: Is scannable type: boolean last_scan: $ref: '#/definitions/LastScan' last_seen: format: date-time readOnly: true title: Last seen type: string last_successful_scan: $ref: '#/definitions/LastScan' missing_agent_count: readOnly: true title: Missing agent count type: integer x-nullable: true name: title: Name type: string x-nullable: true randomized_mac_address_count: readOnly: true title: Randomized mac address count type: integer x-nullable: true total_agent_count: readOnly: true title: Total agent count type: integer whitelisted: readOnly: true title: Whitelisted type: boolean type: object __SubnetSerializer: properties: auto_scan: title: Auto scan type: boolean blacklisted: readOnly: true title: Blacklisted type: boolean description: title: Description type: string x-nullable: true existing_agent_count: readOnly: true title: Existing agent count type: integer x-nullable: true first_seen: format: date-time readOnly: true title: First seen type: string gateway_ipaddress: minLength: 1 readOnly: true title: Gateway ipaddress type: string x-nullable: true gateway_macaddress: minLength: 1 readOnly: true title: Gateway macaddress type: string x-nullable: true gateway_oui: minLength: 1 title: Gateway oui type: string x-nullable: true id: format: uuid readOnly: true title: Id type: string is_scannable: readOnly: true title: Is scannable type: boolean last_scan: $ref: 
'#/definitions/LastScan' last_seen: format: date-time readOnly: true title: Last seen type: string last_successful_scan: $ref: '#/definitions/LastScan' missing_agent_count: readOnly: true title: Missing agent count type: integer x-nullable: true name: title: Name type: string x-nullable: true randomized_mac_address_count: readOnly: true title: Randomized mac address count type: integer x-nullable: true total_agent_count: readOnly: true title: Total agent count type: integer whitelisted: readOnly: true title: Whitelisted type: boolean type: object info: description: Hurukai API title: Hurukai version: 5.5.46 paths: /alerter_revisions/: get: description: "" operationId: alerter_revisions_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/_Revisions' tags: - alerter_revisions parameters: [] /auth/code/request/: parameters: [] post: description: "" operationId: auth_code_request_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/MFAMethodCode' responses: "200": description: "" schema: properties: qr_link: description: QR code for Google authenticator type: string type: object tags: - authentication /auth/login/: parameters: [] post: description: "" operationId: auth_login_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/_Login' responses: "200": description: "" schema: properties: auth_token: description: string type: string ephemeral_token: description: only if mfa type: string method: description: only if mfa type: string other_methods: description: only if mfa items: description: string type: string type: array type: object "400": description: "" schema: properties: code: type: string error: type: string remaining_attempts: type: integer type: object "403": description: "" schema: properties: ban_end: type: string code: type: integer detail: type: string type: object tags: - authentication /auth/login/code/: parameters: [] post: description: "" operationId: 
auth_login_code_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/CodeLogin' responses: "200": description: "" schema: $ref: '#/definitions/Token' tags: - authentication /auth/logout/: parameters: [] post: description: Use this endpoint to log out the user (remove the user's authentication token). operationId: auth_logout_create parameters: [] responses: "204": description: "" tags: - authentication /auth/mfa/change-primary-method/: parameters: [] post: description: "" operationId: auth_mfa_change-primary-method_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/ChangePrimaryMethodValidator' responses: "204": description: "" tags: - authentication /auth/mfa/config/: get: description: "" operationId: auth_mfa_config_list parameters: [] responses: "200": description: "" tags: - authentication parameters: [] /auth/mfa/user-active-methods/: get: description: "" operationId: auth_mfa_user-active-methods_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/UserMFAMethod' type: array required: - count - results type: object tags: - authentication parameters: [] /auth/{method}/activate/: parameters: - in: path name: method required: true type: string post: description: |- View handling new MFA method activation requests. If validation passes, a new (inactive) MFAMethod object is created. 
operationId: auth_activate_create parameters: [] responses: "200": description: "" schema: properties: qr_link: description: QR code for Google authenticator type: string type: object tags: - authentication /auth/{method}/activate/confirm/: parameters: - in: path name: method required: true type: string post: description: "" operationId: auth_activate_confirm_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/MFAMethodActivationConfirmationValidator' responses: "200": description: "" schema: properties: backup_codes: description: List of backup codes items: type: string type: array type: object tags: - authentication /auth/{method}/codes/regenerate/: parameters: - in: path name: method required: true type: string post: description: "" operationId: auth_codes_regenerate_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/_MFAMethodBackupCodesGeneration' responses: "200": description: "" schema: $ref: '#/definitions/_ResponseBackupCodes' tags: - authentication /auth/{method}/deactivate/: parameters: - in: path name: method required: true type: string post: description: "" operationId: auth_deactivate_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/_MFAMethodDeactivationValidator' responses: "204": description: "" tags: - authentication /config/: get: description: "" operationId: config_list parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/AllConfig' tags: - configuration parameters: [] /config/agent_cleaning/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: config_agent_cleaning_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/AgentCleaning' summary: Get section configuration tags: - configuration parameters: [] patch: description: Missing fields 
are set to their default value. operationId: config_agent_cleaning_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/AgentCleaning' responses: "200": description: "" schema: $ref: '#/definitions/AgentCleaning' "400": description: Bad request summary: Update section configuration tags: - configuration /config/agent_cleaning/defaults/: get: description: Get default section configuration operationId: config_agent_cleaning_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/AgentCleaning' tags: - configuration parameters: [] /config/alerter_ioc/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: config_alerter_ioc_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/IOCConfig' summary: Get section configuration tags: - configuration parameters: [] patch: description: Missing fields are set to their default value. 
operationId: config_alerter_ioc_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/IOCConfig' responses: "200": description: "" schema: $ref: '#/definitions/IOCConfig' "400": description: Bad request summary: Update section configuration tags: - configuration /config/alerter_ioc/defaults/: get: description: Get default section configuration operationId: config_alerter_ioc_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/IOCConfig' tags: - configuration parameters: [] /config/assemblyline/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: config_assemblyline_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetAssemblyline' summary: Get connector configuration tags: - configuration parameters: [] patch: description: Missing fields are set to their default value. operationId: config_assemblyline_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditAssemblyline' responses: "200": description: "" schema: $ref: '#/definitions/GetAssemblyline' "400": description: Bad request summary: Update connector configuration tags: - configuration /config/assemblyline/defaults/: get: description: Get default connector configuration operationId: config_assemblyline_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetAssemblyline' tags: - configuration parameters: [] /config/assemblyline/test/: parameters: [] post: description: Test connector connection with provided settings. Does not save any change. 
operationId: config_assemblyline_test parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditAssemblyline' responses: "200": description: Configuration is valid schema: $ref: '#/definitions/ConnectorTest' "400": description: Bad request schema: $ref: '#/definitions/ConnectorTest' summary: Test connector connection tags: - configuration /config/binaries_retention/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: config_binaries_retention_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/BinariesRetention' summary: Get section configuration tags: - configuration parameters: [] patch: description: Missing fields are set to their default value. operationId: config_binaries_retention_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/BinariesRetention' responses: "200": description: "" schema: $ref: '#/definitions/BinariesRetention' "400": description: Bad request summary: Update section configuration tags: - configuration /config/binaries_retention/defaults/: get: description: Get default section configuration operationId: config_binaries_retention_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/BinariesRetention' tags: - configuration parameters: [] /config/cape/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: config_cape_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetCape' summary: Get connector configuration tags: - configuration parameters: [] patch: description: Missing fields are set to their default value. 
operationId: config_cape_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditCape' responses: "200": description: "" schema: $ref: '#/definitions/GetCape' "400": description: Bad request summary: Update connector configuration tags: - configuration /config/cape/defaults/: get: description: Get default connector configuration operationId: config_cape_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetCape' tags: - configuration parameters: [] /config/cape/test/: parameters: [] post: description: Test connector connection with provided settings. Does not save any change. operationId: config_cape_test parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditCape' responses: "200": description: Configuration is valid schema: $ref: '#/definitions/ConnectorTest' "400": description: Bad request schema: $ref: '#/definitions/ConnectorTest' summary: Test connector connection tags: - configuration /config/collector/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: config_collector_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Collector' summary: Get section configuration tags: - configuration parameters: [] patch: description: Missing fields are set to their default value. 
operationId: config_collector_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/Collector' responses: "200": description: "" schema: $ref: '#/definitions/Collector' "400": description: Bad request summary: Update section configuration tags: - configuration /config/collector/defaults/: get: description: Get default section configuration operationId: config_collector_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Collector' tags: - configuration parameters: [] /config/connector_misp/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: config_connector_misp_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetMisp' summary: Get connector configuration tags: - configuration parameters: [] patch: description: Missing fields are set to their default value. 
operationId: config_connector_misp_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditMisp' responses: "200": description: "" schema: $ref: '#/definitions/GetMisp' "400": description: Bad request summary: Update connector configuration tags: - configuration /config/connector_misp/defaults/: get: description: Get default connector configuration operationId: config_connector_misp_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetMisp' tags: - configuration parameters: [] /config/connector_misp/errors/: get: description: Get individual attribute errors as CSV operationId: config_connector_misp_errors parameters: [] responses: "200": description: individual attribute errors of the MISP connector, as CSV "404": description: attribute errors of the MISP connector not found tags: - configuration parameters: [] /config/connector_misp/test/: parameters: [] post: description: Test connector connection with provided settings. Does not save any change. operationId: config_connector_misp_test parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditMisp' responses: "200": description: Configuration is valid schema: $ref: '#/definitions/ConnectorTest' "400": description: Bad request schema: $ref: '#/definitions/ConnectorTest' summary: Test connector connection tags: - configuration /config/customization/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: config_customization_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Customization' summary: Get section configuration tags: - configuration parameters: [] patch: description: Missing fields are set to their default value. 
operationId: config_customization_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/Customization' responses: "200": description: "" schema: $ref: '#/definitions/Customization' "400": description: Bad request summary: Update section configuration tags: - configuration /config/customization/defaults/: get: description: Get default section configuration operationId: config_customization_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Customization' tags: - configuration parameters: [] /config/download/: get: consumes: - application/json - application/yaml description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` or its YAML equivalent. operationId: config_download_list parameters: [] produces: - application/json - application/yaml responses: "200": description: "" schema: $ref: '#/definitions/ConfigDownload' summary: Download config in JSON or YAML format tags: - configuration parameters: [] patch: consumes: - application/json - application/yaml description: Configuration fields not present in the request are left untouched. operationId: config_download_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/ConfigDownload' produces: - application/json - application/yaml responses: "200": description: "" schema: $ref: '#/definitions/ConfigDownload' "400": description: Bad request summary: Update the stored configuration with the given one. tags: - configuration put: consumes: - application/json - application/yaml description: Existing configuration is completely deleted before being replaced. 
operationId: config_download_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/ConfigDownload' produces: - application/json - application/yaml responses: "200": description: "" schema: $ref: '#/definitions/ConfigDownload' "400": description: Bad request summary: Replace the stored configuration with the given one. tags: - configuration /config/downloader/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: config_downloader_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Downloader' summary: Get section configuration tags: - configuration parameters: [] patch: description: Missing fields are set to their default value. operationId: config_downloader_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/Downloader' responses: "200": description: "" schema: $ref: '#/definitions/Downloader' "400": description: Bad request summary: Update section configuration tags: - configuration /config/downloader/defaults/: get: description: Get default section configuration operationId: config_downloader_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Downloader' tags: - configuration parameters: [] /config/es_ilm_indices__policies/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: config_es_ilm_indices__policies_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ESILMIndicesPolicies' summary: Get section configuration tags: - configuration parameters: [] patch: description: Missing fields are set to their default value. 
operationId: config_es_ilm_indices__policies_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/ESILMIndicesPolicies' responses: "200": description: "" schema: $ref: '#/definitions/ESILMIndicesPolicies' "400": description: Bad request summary: Update section configuration tags: - configuration /config/es_ilm_indices__policies/defaults/: get: description: Get default section configuration operationId: config_es_ilm_indices__policies_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ESILMIndicesPolicies' tags: - configuration parameters: [] /config/es_indices__replicas/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: config_es_indices__replicas_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ESIndicesReplicas' summary: Get section configuration tags: - configuration parameters: [] patch: description: Missing fields are set to their default value. 
operationId: config_es_indices__replicas_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/ESIndicesReplicas' responses: "200": description: "" schema: $ref: '#/definitions/ESIndicesReplicas' "400": description: Bad request summary: Update section configuration tags: - configuration /config/es_indices__replicas/defaults/: get: description: Get default section configuration operationId: config_es_indices__replicas_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ESIndicesReplicas' tags: - configuration parameters: [] /config/event_stacktrace/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: config_event_stacktrace_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/EventStackTrace' summary: Get section configuration tags: - configuration parameters: [] patch: description: Missing fields are set to their default value. 
operationId: config_event_stacktrace_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/EventStackTrace' responses: "200": description: "" schema: $ref: '#/definitions/EventStackTrace' "400": description: Bad request summary: Update section configuration tags: - configuration /config/event_stacktrace/defaults/: get: description: Get default section configuration operationId: config_event_stacktrace_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/EventStackTrace' tags: - configuration parameters: [] /config/export/: get: consumes: - multipart/form-data description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: config_export_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetExport' summary: Get connector configuration tags: - configuration parameters: [] patch: consumes: - multipart/form-data description: Missing fields are set to their default value. 
operationId: config_export_partial_update parameters: - default: false in: formData name: enabled required: false type: boolean - in: formData minLength: 1 name: host required: false type: string x-nullable: true - in: formData maximum: 65535 minimum: 1 name: port required: false type: integer x-nullable: true - enum: - rfc3164 - rfc5424 in: formData name: rfc required: false type: string x-nullable: true - enum: - ssl-tcp - tcp - udp in: formData name: protocol required: false type: string x-nullable: true - collectionFormat: multi default: [] in: formData items: enum: - agent - agentlog - alert - amsi_scan - auditlog - authentication - bpf - connectionlog - dns_resolution - driverload - eventlog - experimental_alert - file - group - informational_alert - injectedthread - investigation - kube_pod_event - library_load - named_pipe - network - network_listen - powershell - process - process_access - process_duplicate_handle - process_ptrace - process_tamper - raw_device_access - raw_socket_creation - registry - remotethread - resource - scheduled_task - threat - url_request - usb_activity - user - win32k_get_async_key_state - win32k_register_raw_input_devices - win32k_set_windows_hook_ex - windows_service - wmi_event type: string name: logs required: false type: array x-nullable: true - default: false in: formData name: ssl_verify required: false type: boolean - default: hurukai in: formData minLength: 1 name: app_name required: false type: string - default: hurukai in: formData minLength: 1 name: source_host required: false type: string - in: formData minLength: 1 name: structured_data required: false type: string x-nullable: true - default: false in: formData name: exclude_rule_content required: false type: boolean - in: formData name: ssl_cacert required: false type: file x-nullable: true - in: formData name: ssl_cert required: false type: file x-nullable: true - in: formData name: ssl_key required: false type: file x-nullable: true responses: "200": description: 
"" schema: $ref: '#/definitions/GetExport' "400": description: Bad request summary: Update connector configuration tags: - configuration /config/export/defaults/: get: consumes: - multipart/form-data description: Get default connector configuration operationId: config_export_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetExport' tags: - configuration parameters: [] /config/export/test/: parameters: [] post: consumes: - multipart/form-data description: Test connector connection with provided settings. Does not save any change. operationId: config_export_test parameters: - default: false in: formData name: enabled required: false type: boolean - in: formData minLength: 1 name: host required: false type: string x-nullable: true - in: formData maximum: 65535 minimum: 1 name: port required: false type: integer x-nullable: true - enum: - rfc3164 - rfc5424 in: formData name: rfc required: false type: string x-nullable: true - enum: - ssl-tcp - tcp - udp in: formData name: protocol required: false type: string x-nullable: true - collectionFormat: multi default: [] in: formData items: enum: - agent - agentlog - alert - amsi_scan - auditlog - authentication - bpf - connectionlog - dns_resolution - driverload - eventlog - experimental_alert - file - group - informational_alert - injectedthread - investigation - kube_pod_event - library_load - named_pipe - network - network_listen - powershell - process - process_access - process_duplicate_handle - process_ptrace - process_tamper - raw_device_access - raw_socket_creation - registry - remotethread - resource - scheduled_task - threat - url_request - usb_activity - user - win32k_get_async_key_state - win32k_register_raw_input_devices - win32k_set_windows_hook_ex - windows_service - wmi_event type: string name: logs required: false type: array x-nullable: true - default: false in: formData name: ssl_verify required: false type: boolean - default: hurukai in: formData minLength: 1 name: 
app_name required: false type: string - default: hurukai in: formData minLength: 1 name: source_host required: false type: string - in: formData minLength: 1 name: structured_data required: false type: string x-nullable: true - default: false in: formData name: exclude_rule_content required: false type: boolean - in: formData name: ssl_cacert required: false type: file x-nullable: true - in: formData name: ssl_cert required: false type: file x-nullable: true - in: formData name: ssl_key required: false type: file x-nullable: true responses: "200": description: Configuration is valid schema: $ref: '#/definitions/ConnectorTest' "400": description: Bad request schema: $ref: '#/definitions/ConnectorTest' summary: Test connector connection tags: - configuration /config/export_elastic/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: config_export_elastic_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetExportElastic' summary: Get connector configuration tags: - configuration parameters: [] patch: description: Missing fields are set to their default value. operationId: config_export_elastic_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditExportElastic' responses: "200": description: "" schema: $ref: '#/definitions/GetExportElastic' "400": description: Bad request summary: Update connector configuration tags: - configuration /config/export_elastic/defaults/: get: description: Get default connector configuration operationId: config_export_elastic_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetExportElastic' tags: - configuration parameters: [] /config/export_elastic/test/: parameters: [] post: description: Test connector connection with provided settings. Does not save any change. 
operationId: config_export_elastic_test parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditExportElastic' responses: "200": description: Configuration is valid schema: $ref: '#/definitions/ConnectorTest' "400": description: Bad request schema: $ref: '#/definitions/ConnectorTest' summary: Test connector connection tags: - configuration /config/export_s3/: get: consumes: - multipart/form-data description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: config_export_s3_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetExportS3' summary: Get connector configuration tags: - configuration parameters: [] patch: consumes: - multipart/form-data description: Missing fields are set to their default value. operationId: config_export_s3_partial_update parameters: - default: false in: formData name: enabled required: false type: boolean - in: formData minLength: 1 name: url required: false type: string x-nullable: true - in: formData minLength: 1 name: bucket required: false type: string x-nullable: true - in: formData minLength: 1 name: object_prefix required: false type: string x-nullable: true - in: formData minLength: 1 name: access_key required: false type: string x-nullable: true - in: formData minLength: 1 name: secret_key required: false type: string x-nullable: true - in: formData minLength: 1 name: region required: false type: string x-nullable: true - collectionFormat: multi default: [] in: formData items: enum: - alert - authentication - dns_resolution - experimental_alert - file - informational_alert - injectedthread - library_load - network - network_listen - process - raw_socket_creation - remotethread - url_request type: string name: logs required: false type: array x-nullable: true - default: false in: formData name: ssl_verify required: false type: 
boolean - in: formData name: ssl_cacert required: false type: file x-nullable: true - in: formData name: ssl_cert required: false type: file x-nullable: true - in: formData name: ssl_key required: false type: file x-nullable: true responses: "200": description: "" schema: $ref: '#/definitions/GetExportS3' "400": description: Bad request summary: Update connector configuration tags: - configuration /config/export_s3/defaults/: get: consumes: - multipart/form-data description: Get default connector configuration operationId: config_export_s3_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetExportS3' tags: - configuration parameters: [] /config/export_s3/test/: parameters: [] post: consumes: - multipart/form-data description: Test connector connection with provided settings. Does not save any change. operationId: config_export_s3_test parameters: - default: false in: formData name: enabled required: false type: boolean - in: formData minLength: 1 name: url required: false type: string x-nullable: true - in: formData minLength: 1 name: bucket required: false type: string x-nullable: true - in: formData minLength: 1 name: object_prefix required: false type: string x-nullable: true - in: formData minLength: 1 name: access_key required: false type: string x-nullable: true - in: formData minLength: 1 name: secret_key required: false type: string x-nullable: true - in: formData minLength: 1 name: region required: false type: string x-nullable: true - collectionFormat: multi default: [] in: formData items: enum: - alert - authentication - dns_resolution - experimental_alert - file - informational_alert - injectedthread - library_load - network - network_listen - process - raw_socket_creation - remotethread - url_request type: string name: logs required: false type: array x-nullable: true - default: false in: formData name: ssl_verify required: false type: boolean - in: formData name: ssl_cacert required: false type: file x-nullable: 
true - in: formData name: ssl_cert required: false type: file x-nullable: true - in: formData name: ssl_key required: false type: file x-nullable: true responses: "200": description: Configuration is valid schema: $ref: '#/definitions/ConnectorTest' "400": description: Bad request schema: $ref: '#/definitions/ConnectorTest' summary: Test connector connection tags: - configuration /config/export_secops/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: config_export_secops_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetExportSecops' summary: Get connector configuration tags: - configuration parameters: [] patch: description: Missing fields are set to their default value. operationId: config_export_secops_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditExportSecops' responses: "200": description: "" schema: $ref: '#/definitions/GetExportSecops' "400": description: Bad request summary: Update connector configuration tags: - configuration /config/export_secops/defaults/: get: description: Get default connector configuration operationId: config_export_secops_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetExportSecops' tags: - configuration parameters: [] /config/export_secops/test/: parameters: [] post: description: Test connector connection with provided settings. Does not save any change. 
operationId: config_export_secops_test parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditExportSecops' responses: "200": description: Configuration is valid schema: $ref: '#/definitions/ConnectorTest' "400": description: Bad request schema: $ref: '#/definitions/ConnectorTest' summary: Test connector connection tags: - configuration /config/export_splunk/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: config_export_splunk_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetExportSplunk' summary: Get connector configuration tags: - configuration parameters: [] patch: description: Missing fields are set to their default value. operationId: config_export_splunk_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditExportSplunk' responses: "200": description: "" schema: $ref: '#/definitions/GetExportSplunk' "400": description: Bad request summary: Update connector configuration tags: - configuration /config/export_splunk/defaults/: get: description: Get default connector configuration operationId: config_export_splunk_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetExportSplunk' tags: - configuration parameters: [] /config/export_splunk/test/: parameters: [] post: description: Test connector connection with provided settings. Does not save any change. 
operationId: config_export_splunk_test parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditExportSplunk' responses: "200": description: Configuration is valid schema: $ref: '#/definitions/ConnectorTest' "400": description: Bad request schema: $ref: '#/definitions/ConnectorTest' summary: Test connector connection tags: - configuration /config/glimps/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: config_glimps_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetGlimps' summary: Get connector configuration tags: - configuration parameters: [] patch: description: Missing fields are set to their default value. operationId: config_glimps_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditGlimps' responses: "200": description: "" schema: $ref: '#/definitions/GetGlimps' "400": description: Bad request summary: Update connector configuration tags: - configuration /config/glimps/defaults/: get: description: Get default connector configuration operationId: config_glimps_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetGlimps' tags: - configuration parameters: [] /config/glimps/test/: parameters: [] post: description: Test connector connection with provided settings. Does not save any change. 
operationId: config_glimps_test parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditGlimps' responses: "200": description: Configuration is valid schema: $ref: '#/definitions/ConnectorTest' "400": description: Bad request schema: $ref: '#/definitions/ConnectorTest' summary: Test connector connection tags: - configuration /config/hibou/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: config_hibou_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Hibou' summary: Get section configuration tags: - configuration parameters: [] patch: description: Missing fields are set to their default value. operationId: config_hibou_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/Hibou' responses: "200": description: "" schema: $ref: '#/definitions/Hibou' "400": description: Bad request summary: Update section configuration tags: - configuration /config/hibou/defaults/: get: description: Get default section configuration operationId: config_hibou_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Hibou' tags: - configuration parameters: [] /config/irma/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: config_irma_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetIrma' summary: Get connector configuration tags: - configuration parameters: [] patch: description: Missing fields are set to their default value. 
operationId: config_irma_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditIrma' responses: "200": description: "" schema: $ref: '#/definitions/GetIrma' "400": description: Bad request summary: Update connector configuration tags: - configuration /config/irma/defaults/: get: description: Get default connector configuration operationId: config_irma_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetIrma' tags: - configuration parameters: [] /config/irma/test/: parameters: [] post: description: Test connector connection with provided settings. Does not save any change. operationId: config_irma_test parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditIrma' responses: "200": description: Configuration is valid schema: $ref: '#/definitions/ConnectorTest' "400": description: Bad request schema: $ref: '#/definitions/ConnectorTest' summary: Test connector connection tags: - configuration /config/ldap_auth/: get: consumes: - multipart/form-data description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: config_ldap_auth_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetLDAPAuth' summary: Get connector configuration tags: - configuration parameters: [] patch: consumes: - multipart/form-data description: Missing fields are set to their default value. 
operationId: config_ldap_auth_partial_update parameters: - default: false in: formData name: enabled required: false type: boolean - in: formData minLength: 1 name: host required: false type: string x-nullable: true - in: formData maximum: 65535 minimum: 1 name: port required: false type: integer x-nullable: true - default: false in: formData name: use_tls required: false type: boolean - in: formData name: validate_server_certificate required: true type: boolean - default: false in: formData name: use_client_side_certs required: false type: boolean - in: formData minLength: 1 name: base_dn required: false type: string x-nullable: true - in: formData name: active_directory_domain required: false type: string x-nullable: true - in: formData minLength: 1 name: search_account_username required: false type: string x-nullable: true - in: formData minLength: 1 name: search_account_password required: false type: string x-nullable: true - format: uuid in: formData name: default_group required: false type: string x-nullable: true - default: active_directory in: formData minLength: 1 name: type required: false type: string - default: person in: formData minLength: 1 name: user_object_class required: false type: string - default: sAMAccountName in: formData minLength: 1 name: user_field_id required: false type: string - in: formData name: client_public_key required: false type: file x-nullable: true - in: formData name: client_private_key required: false type: file x-nullable: true - in: formData name: ca_certifications required: false type: file x-nullable: true - in: formData name: test_username required: false type: string x-nullable: true responses: "200": description: "" schema: $ref: '#/definitions/GetLDAPAuth' "400": description: Bad request summary: Update connector configuration tags: - configuration /config/ldap_auth/defaults/: get: consumes: - multipart/form-data description: Get default connector configuration operationId: config_ldap_auth_defaults parameters: [] 
responses: "200": description: "" schema: $ref: '#/definitions/GetLDAPAuth' tags: - configuration parameters: [] /config/ldap_auth/test/: parameters: [] post: consumes: - multipart/form-data description: Test connector connection with provided settings. Does not save any change. operationId: config_ldap_auth_test parameters: - default: false in: formData name: enabled required: false type: boolean - in: formData minLength: 1 name: host required: false type: string x-nullable: true - in: formData maximum: 65535 minimum: 1 name: port required: false type: integer x-nullable: true - default: false in: formData name: use_tls required: false type: boolean - in: formData name: validate_server_certificate required: true type: boolean - default: false in: formData name: use_client_side_certs required: false type: boolean - in: formData minLength: 1 name: base_dn required: false type: string x-nullable: true - in: formData name: active_directory_domain required: false type: string x-nullable: true - in: formData minLength: 1 name: search_account_username required: false type: string x-nullable: true - in: formData minLength: 1 name: search_account_password required: false type: string x-nullable: true - format: uuid in: formData name: default_group required: false type: string x-nullable: true - default: active_directory in: formData minLength: 1 name: type required: false type: string - default: person in: formData minLength: 1 name: user_object_class required: false type: string - default: sAMAccountName in: formData minLength: 1 name: user_field_id required: false type: string - in: formData name: client_public_key required: false type: file x-nullable: true - in: formData name: client_private_key required: false type: file x-nullable: true - in: formData name: ca_certifications required: false type: file x-nullable: true - in: formData name: test_username required: false type: string x-nullable: true responses: "200": description: Configuration is valid schema: $ref: 
'#/definitions/ConnectorTest' "400": description: Bad request schema: $ref: '#/definitions/ConnectorTest' summary: Test connector connection tags: - configuration /config/mfa/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: config_mfa_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/MFA' summary: Get section configuration tags: - configuration parameters: [] patch: description: Fields omitted from the request are reset to their default value rather than left unchanged; send the complete section to avoid unintentionally resetting settings. operationId: config_mfa_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/MFA' responses: "200": description: "" schema: $ref: '#/definitions/MFA' "400": description: Bad request summary: Update section configuration tags: - configuration /config/mfa/defaults/: get: description: Get default section configuration operationId: config_mfa_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/MFA' tags: - configuration parameters: [] /config/network_discovery/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: config_network_discovery_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/NetWDiscovery' summary: Get section configuration tags: - configuration parameters: [] patch: description: Fields omitted from the request are reset to their default value rather than left unchanged; send the complete section to avoid unintentionally resetting settings.
operationId: config_network_discovery_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/NetWDiscovery' responses: "200": description: "" schema: $ref: '#/definitions/NetWDiscovery' "400": description: Bad request summary: Update section configuration tags: - configuration /config/network_discovery/defaults/: get: description: Get default section configuration operationId: config_network_discovery_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/NetWDiscovery' tags: - configuration parameters: [] /config/new_threat_aggregation/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: config_new_threat_aggregation_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/NewThreatAggregation' summary: Get section configuration tags: - configuration parameters: [] patch: description: Missing fields are set to their default value. 
operationId: config_new_threat_aggregation_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/NewThreatAggregation' responses: "200": description: "" schema: $ref: '#/definitions/NewThreatAggregation' "400": description: Bad request summary: Update section configuration tags: - configuration /config/new_threat_aggregation/defaults/: get: description: Get default section configuration operationId: config_new_threat_aggregation_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/NewThreatAggregation' tags: - configuration parameters: [] /config/orion/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: config_orion_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetOrion' summary: Get connector configuration tags: - configuration parameters: [] patch: description: Missing fields are set to their default value. operationId: config_orion_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditOrion' responses: "200": description: "" schema: $ref: '#/definitions/GetOrion' "400": description: Bad request summary: Update connector configuration tags: - configuration /config/orion/defaults/: get: description: Get default connector configuration operationId: config_orion_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetOrion' tags: - configuration parameters: [] /config/orion/test/: parameters: [] post: description: Test connector connection with provided settings. Does not save any change. 
operationId: config_orion_test parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditOrion' responses: "200": description: Configuration is valid schema: $ref: '#/definitions/ConnectorTest' "400": description: Bad request schema: $ref: '#/definitions/ConnectorTest' summary: Test connector connection tags: - configuration /config/password_security/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: config_password_security_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/PasswordSecurity' summary: Get section configuration tags: - configuration parameters: [] patch: description: Fields omitted from the request are reset to their default value rather than left unchanged; send the complete section to avoid unintentionally resetting password-policy settings. operationId: config_password_security_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/PasswordSecurity' responses: "200": description: "" schema: $ref: '#/definitions/PasswordSecurity' "400": description: Bad request summary: Update section configuration tags: - configuration /config/password_security/defaults/: get: description: Get default section configuration operationId: config_password_security_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/PasswordSecurity' tags: - configuration parameters: [] /config/pdf_retention/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: config_pdf_retention_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/PDFRetention' summary: Get section configuration tags: - configuration parameters: [] patch: description: Fields omitted from the request are reset to their default value rather than left unchanged; send the complete section to avoid unintentionally resetting settings.
operationId: config_pdf_retention_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/PDFRetention' responses: "200": description: "" schema: $ref: '#/definitions/PDFRetention' "400": description: Bad request summary: Update section configuration tags: - configuration /config/pdf_retention/defaults/: get: description: Get default section configuration operationId: config_pdf_retention_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/PDFRetention' tags: - configuration parameters: [] /config/proxy/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: config_proxy_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetProxy' summary: Get connector configuration tags: - configuration parameters: [] patch: description: Missing fields are set to their default value. operationId: config_proxy_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditProxy' responses: "200": description: "" schema: $ref: '#/definitions/GetProxy' "400": description: Bad request summary: Update connector configuration tags: - configuration /config/proxy/defaults/: get: description: Get default connector configuration operationId: config_proxy_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetProxy' tags: - configuration parameters: [] /config/proxy/test/: parameters: [] post: description: Test connector connection with provided settings. Does not save any change. 
operationId: config_proxy_test parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditProxy' responses: "200": description: Configuration is valid schema: $ref: '#/definitions/ConnectorTest' "400": description: Bad request schema: $ref: '#/definitions/ConnectorTest' summary: Test connector connection tags: - configuration /config/ransomguard/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: config_ransomguard_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Ransomguard' summary: Get section configuration tags: - configuration parameters: [] patch: description: Missing fields are set to their default value. operationId: config_ransomguard_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/Ransomguard' responses: "200": description: "" schema: $ref: '#/definitions/Ransomguard' "400": description: Bad request summary: Update section configuration tags: - configuration /config/ransomguard/defaults/: get: description: Get default section configuration operationId: config_ransomguard_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Ransomguard' tags: - configuration parameters: [] /config/ransomguard_heuristic/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: config_ransomguard_heuristic_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/RansomguardHeuristic' summary: Get section configuration tags: - configuration parameters: [] patch: description: Missing fields are set to their default value. 
operationId: config_ransomguard_heuristic_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/RansomguardHeuristic' responses: "200": description: "" schema: $ref: '#/definitions/RansomguardHeuristic' "400": description: Bad request summary: Update section configuration tags: - configuration /config/ransomguard_heuristic/defaults/: get: description: Get default section configuration operationId: config_ransomguard_heuristic_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/RansomguardHeuristic' tags: - configuration parameters: [] /config/remote_shell/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: config_remote_shell_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/RemoteShell' summary: Get section configuration tags: - configuration parameters: [] patch: description: Missing fields are set to their default value. 
operationId: config_remote_shell_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/RemoteShell' responses: "200": description: "" schema: $ref: '#/definitions/RemoteShell' "400": description: Bad request summary: Update section configuration tags: - configuration /config/remote_shell/defaults/: get: description: Get default section configuration operationId: config_remote_shell_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/RemoteShell' tags: - configuration parameters: [] /config/security/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: config_security_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Security' summary: Get section configuration tags: - configuration parameters: [] patch: description: Fields omitted from the request are reset to their default value rather than left unchanged; send the complete section to avoid unintentionally resetting security settings.
operationId: config_security_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/Security' responses: "200": description: "" schema: $ref: '#/definitions/Security' "400": description: Bad request summary: Update section configuration tags: - configuration /config/security/defaults/: get: description: Get default section configuration operationId: config_security_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Security' tags: - configuration parameters: [] /config/sidewatch/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: config_sidewatch_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Sidewatch' summary: Get section configuration tags: - configuration parameters: [] patch: description: Missing fields are set to their default value. 
operationId: config_sidewatch_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/Sidewatch' responses: "200": description: "" schema: $ref: '#/definitions/Sidewatch' "400": description: Bad request summary: Update section configuration tags: - configuration /config/sidewatch/defaults/: get: description: Get default section configuration operationId: config_sidewatch_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Sidewatch' tags: - configuration parameters: [] /config/telemetries/: get: description: "" operationId: config_telemetries_list parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/TelemetryConfigResponse' "400": description: Bad request tags: - configuration parameters: [] /config/thehive/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: config_thehive_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetThehive' summary: Get connector configuration tags: - configuration parameters: [] patch: description: Missing fields are set to their default value. operationId: config_thehive_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditThehive' responses: "200": description: "" schema: $ref: '#/definitions/GetThehive' "400": description: Bad request summary: Update connector configuration tags: - configuration /config/thehive/defaults/: get: description: Get default connector configuration operationId: config_thehive_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetThehive' tags: - configuration parameters: [] /config/thehive/test/: parameters: [] post: description: Test connector connection with provided settings. Does not save any change. 
operationId: config_thehive_test parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditThehive' responses: "200": description: Configuration is valid schema: $ref: '#/definitions/ConnectorTest' "400": description: Bad request schema: $ref: '#/definitions/ConnectorTest' summary: Test connector connection tags: - configuration /config/threat_intelligence/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: config_threat_intelligence_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ThreatIntelligence' summary: Get section configuration tags: - configuration parameters: [] patch: description: Missing fields are set to their default value. operationId: config_threat_intelligence_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/ThreatIntelligence' responses: "200": description: "" schema: $ref: '#/definitions/ThreatIntelligence' "400": description: Bad request summary: Update section configuration tags: - configuration /config/threat_intelligence/defaults/: get: description: Get default section configuration operationId: config_threat_intelligence_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ThreatIntelligence' tags: - configuration parameters: [] /config/threat_status_binding/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: config_threat_status_binding_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ThreatStatusBinding' summary: Get section configuration tags: - configuration parameters: [] patch: description: Missing fields are set to their default value. 
operationId: config_threat_status_binding_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/ThreatStatusBinding' responses: "200": description: "" schema: $ref: '#/definitions/ThreatStatusBinding' "400": description: Bad request summary: Update section configuration tags: - configuration /config/threat_status_binding/defaults/: get: description: Get default section configuration operationId: config_threat_status_binding_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ThreatStatusBinding' tags: - configuration parameters: [] /config/virustotal/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: config_virustotal_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetVirusTotal' summary: Get connector configuration tags: - configuration parameters: [] patch: description: Missing fields are set to their default value. operationId: config_virustotal_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditVirusTotal' responses: "200": description: "" schema: $ref: '#/definitions/GetVirusTotal' "400": description: Bad request summary: Update connector configuration tags: - configuration /config/virustotal/defaults/: get: description: Get default connector configuration operationId: config_virustotal_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetVirusTotal' tags: - configuration parameters: [] /config/virustotal/test/: parameters: [] post: description: Test connector connection with provided settings. Does not save any change. 
operationId: config_virustotal_test parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditVirusTotal' responses: "200": description: Configuration is valid schema: $ref: '#/definitions/ConnectorTest' "400": description: Bad request schema: $ref: '#/definitions/ConnectorTest' summary: Test connector connection tags: - configuration /configuration/: get: consumes: - application/json - application/yaml description: "" operationId: configuration_list parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/AllConfigSectionDownload' tags: - configuration parameters: [] patch: consumes: - application/json - application/yaml description: Configuration fields not present in the request are left untouched (unlike the per-section `PATCH /config/<section>/` endpoints, which reset omitted fields to their defaults). operationId: configuration_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/AllConfigSectionDownload' responses: "200": description: "" schema: $ref: '#/definitions/AllConfigSectionDownload' "400": description: Bad request summary: Update the stored configuration with the given one. tags: - configuration put: consumes: - application/json - application/yaml description: The existing configuration is deleted in its entirety before being replaced, so every section omitted from the request is lost; fetch the current configuration with GET on this path first if it may need to be restored. operationId: configuration_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/AllConfigSectionDownload' responses: "200": description: "" schema: $ref: '#/definitions/AllConfigSectionDownload' "400": description: Bad request summary: Replace the stored configuration with the given one. tags: - configuration /configuration/network_discovery: get: description: "" operationId: configuration_network_discovery_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results.
in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: type required: false type: string - description: "" in: query name: name required: false type: string responses: "200": description: "" schema: $ref: '#/definitions/NetworkDiscoveryConfig' tags: - configuration parameters: [] patch: description: "" operationId: configuration_network_discovery_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/NetworkDiscoveryConfig' responses: "200": description: "" schema: $ref: '#/definitions/NetworkDiscoveryConfig' tags: - configuration /data/Job/: get: description: |- `Job/` endpoints are deprecated. For future development, you should use the new `job/batch` endpoints instead. Those endpoints expose more features, and do not split jobs by action. Jobs created by new endpoints (=> and the frontend) can not be accessed using the old endpoints, but jobs created by the old endpoints can be accessed with all endpoints. This old endpoint can still be used safely in scripts, its removal is not planned. It should be updated with new job types. operationId: data_Job_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: creationtime required: false type: string - description: "" in: query name: title required: false type: string - description: "" in: query name: description required: false type: string - description: "" in: query name: source_type required: false type: string - description: "" in: query name: is_scheduled required: false type: string - description: "" in: query name: endpoint_username required: false type: string - description: Number of results to return per page. 
in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query name: instance required: false type: number - in: query name: done required: false type: number - in: query name: waiting required: false type: number - in: query name: running required: false type: number - in: query name: canceled required: false type: number - in: query name: error required: false type: number - in: query name: creator.username required: false type: string responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/Job' type: array required: - count - results type: object summary: Job endpoints tags: - investigation parameters: [] post: deprecated: true description: Handle creation of one or more jobs, on agents and/or groups of agents. operationId: data_Job_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/JobCreation' responses: "201": description: "" schema: items: $ref: '#/definitions/JobLight' type: array tags: - investigation /data/Job/export/: get: description: Endpoint for exporting the current queryset as a CSV file. operationId: data_Job_export parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: creationtime required: false type: string - description: "" in: query name: title required: false type: string - description: "" in: query name: description required: false type: string - description: "" in: query name: source_type required: false type: string - description: "" in: query name: is_scheduled required: false type: string - description: "" in: query name: endpoint_username required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true description: Whether cell values are escaped in the export. Keep enabled (the default) when the file may be opened in spreadsheet software, where unescaped cells can be interpreted as formulas. in: query name: escaped required: false type: boolean responses: "200": description: CSV export schema: type: file tags: - investigation parameters: [] /data/Job/stats_all/: get: deprecated: true description: Get the state of all job instances (success, error, running, ...) operationId: data_Job_stats_all parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: creationtime required: false type: string - description: "" in: query name: title required: false type: string - description: "" in: query name: description required: false type: string - description: "" in: query name: source_type required: false type: string - description: "" in: query name: is_scheduled required: false type: string - description: "" in: query name: endpoint_username required: false type: string - description: Number of results to return per page.
in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/Job' type: array required: - count - results type: object tags: - investigation parameters: [] /data/Job/{id}/: delete: description: |- `Job/` endpoints are deprecated. For future development, you should use the new `job/batch` endpoints instead. Those endpoints expose more features, and do not split jobs by action. Jobs created by new endpoints (=> and the frontend) can not be accessed using the old endpoints, but jobs created by the old endpoints can be accessed with all endpoints. This old endpoint can still be used safely in scripts, its removal is not planned. It should be updated with new job types. operationId: data_Job_delete parameters: [] responses: "204": description: "" summary: Job endpoints tags: - investigation get: description: |- `Job/` endpoints are deprecated. For future development, you should use the new `job/batch` endpoints instead. Those endpoints expose more features, and do not split jobs by action. Jobs created by new endpoints (=> and the frontend) can not be accessed using the old endpoints, but jobs created by the old endpoints can be accessed with all endpoints. This old endpoint can still be used safely in scripts, its removal is not planned. It should be updated with new job types. operationId: data_Job_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Job' summary: Job endpoints tags: - investigation parameters: - in: path name: id required: true type: string patch: description: |- `Job/` endpoints are deprecated. For future development, you should use the new `job/batch` endpoints instead. 
Those endpoints expose more features, and do not split jobs by action. Jobs created by new endpoints (=> and the frontend) can not be accessed using the old endpoints, but jobs created by the old endpoints can be accessed with all endpoints. This old endpoint can still be used safely in scripts, its removal is not planned. It should be updated with new job types. operationId: data_Job_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/Job' responses: "200": description: "" schema: $ref: '#/definitions/Job' summary: Job endpoints tags: - investigation put: description: |- `Job/` endpoints are deprecated. For future development, you should use the new `job/batch` endpoints instead. Those endpoints expose more features, and do not split jobs by action. Jobs created by new endpoints (=> and the frontend) can not be accessed using the old endpoints, but jobs created by the old endpoints can be accessed with all endpoints. This old endpoint can still be used safely in scripts, its removal is not planned. It should be updated with new job types. operationId: data_Job_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/Job' responses: "200": description: "" schema: $ref: '#/definitions/Job' summary: Job endpoints tags: - investigation /data/Job/{id}/cancel/: parameters: - in: path name: id required: true type: string post: deprecated: true description: |- `Job/` endpoints are deprecated. For future development, you should use the new `job/batch` endpoints instead. Those endpoints expose more features, and do not split jobs by action. Jobs created by new endpoints (=> and the frontend) can not be accessed using the old endpoints, but jobs created by the old endpoints can be accessed with all endpoints. This old endpoint can still be used safely in scripts, its removal is not planned. It should be updated with new job types. 
operationId: data_Job_cancel parameters: [] responses: "200": description: Cancel requested "404": description: No instance to cancel summary: Job endpoints tags: - investigation /data/Job/{id}/logs/: delete: deprecated: true description: |- `Job/` endpoints are deprecated. For future development, you should use the new `job/batch` endpoints instead. Those endpoints expose more features, and do not split jobs by action. Jobs created by new endpoints (=> and the frontend) can not be accessed using the old endpoints, but jobs created by the old endpoints can be accessed with all endpoints. This old endpoint can still be used safely in scripts, its removal is not planned. It should be updated with new job types. operationId: data_Job_logs parameters: [] responses: "204": description: "" summary: Job endpoints tags: - investigation parameters: - in: path name: id required: true type: string /data/Job/{id}/relaunch/: parameters: - in: path name: id required: true type: string post: deprecated: true description: Relaunch jobs that are cancelled or errored out operationId: data_Job_relaunch parameters: [] responses: "200": description: Relaunch requested "404": description: No instance to relaunch tags: - investigation /data/Job/{id}/remove/: parameters: - in: path name: id required: true type: string post: deprecated: true description: |- `Job/` endpoints are deprecated. For future development, you should use the new `job/batch` endpoints instead. Those endpoints expose more features, and do not split jobs by action. Jobs created by new endpoints (=> and the frontend) can not be accessed using the old endpoints, but jobs created by the old endpoints can be accessed with all endpoints. This old endpoint can still be used safely in scripts, its removal is not planned. It should be updated with new job types. 
operationId: data_Job_remove parameters: [] responses: "200": description: Job removed "404": description: No instance to removed summary: Job endpoints tags: - investigation /data/JobInstance/: get: description: "" operationId: data_JobInstance_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: job_id required: false type: string - description: "" in: query name: task_id required: false type: number - description: "" in: query name: action required: false type: string - description: "" in: query name: hostname required: false type: string - description: "" in: query name: state required: false type: string - description: "" in: query name: creationtime required: false type: string - description: "" in: query name: starttime required: false type: string - description: "" in: query name: endtime required: false type: string - description: "" in: query name: duration required: false type: number - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query name: title required: false type: string - in: query name: description required: false type: string - in: query name: creator required: false type: string - in: query name: agent_id required: false type: string responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/JobInstance' type: array required: - count - results type: object tags: - investigation parameters: [] /data/JobInstance/export/: get: description: Endpoint for exporting the current queryset as a CSV file. 
operationId: data_JobInstance_export parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: job_id required: false type: string - description: "" in: query name: task_id required: false type: number - description: "" in: query name: action required: false type: string - description: "" in: query name: hostname required: false type: string - description: "" in: query name: state required: false type: string - description: "" in: query name: creationtime required: false type: string - description: "" in: query name: starttime required: false type: string - description: "" in: query name: endtime required: false type: string - description: "" in: query name: duration required: false type: number - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/JobInstance/{id}/: delete: description: "" operationId: data_JobInstance_delete parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - investigation get: description: "" operationId: data_JobInstance_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/JobInstance' tags: - investigation parameters: - description: A unique value identifying this job instance. 
in: path name: id required: true type: string /data/JobInstance/{id}/cancel/: parameters: - description: A unique value identifying this job instance. in: path name: id required: true type: string post: description: "" operationId: data_JobInstance_cancel parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - investigation /data/JobInstance/{id}/relaunch/: parameters: - description: A unique value identifying this job instance. in: path name: id required: true type: string post: description: Relaunch jobs that are cancelled or errored out operationId: data_JobInstance_relaunch parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - investigation /data/JobInstance/{id}/requestDumpProcess/: parameters: - description: A unique value identifying this job instance. in: path name: id required: true type: string post: description: "" operationId: data_JobInstance_requestDumpProcess parameters: - in: body name: data required: true schema: $ref: '#/definitions/JobInstance' - in: query name: pid required: true type: integer responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - investigation /data/JobInstance/{id}/requestKillProcess/: parameters: - description: A unique value identifying this job instance. in: path name: id required: true type: string post: description: "" operationId: data_JobInstance_requestKillProcess parameters: - in: body name: data required: true schema: $ref: '#/definitions/JobInstance' - in: query name: pid required: true type: integer responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - investigation /data/administration/AgentLog/: get: description: "" operationId: data_administration_AgentLog_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/AgentLog' type: array required: - count - results type: object tags: - administration parameters: [] /data/administration/AgentLog/delete_all/: delete: description: "" operationId: data_administration_AgentLog_delete_all parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - administration parameters: [] /data/administration/AgentLog/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_administration_AgentLog_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - administration parameters: [] /data/administration/AgentLog/{id}/: get: description: "" operationId: data_administration_AgentLog_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/AgentLog' tags: - administration parameters: - in: path name: id required: true type: string /data/administration/AgentPassword/: get: description: "" operationId: data_administration_AgentPassword_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: number - description: "" in: query name: creation_date required: false type: string - description: "" in: query name: preferred required: false type: string - description: "" in: query name: enabled required: false type: string - description: "" in: query name: total_auth required: false type: number - description: "" in: query name: last_auth_date required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/AgentPassword' type: array required: - count - results type: object tags: - administration parameters: [] post: description: "" operationId: data_administration_AgentPassword_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/AgentPassword' responses: "201": description: "" schema: $ref: '#/definitions/AgentPassword' tags: - administration /data/administration/AgentPassword/{id}/: delete: description: "" operationId: data_administration_AgentPassword_delete parameters: [] responses: "204": description: "" tags: - administration get: description: "" operationId: data_administration_AgentPassword_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/AgentPassword' tags: - administration parameters: - description: A unique integer value identifying this agent password. 
in: path name: id required: true type: string patch: description: "" operationId: data_administration_AgentPassword_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/AgentPasswordUpdate' responses: "200": description: "" schema: $ref: '#/definitions/AgentPasswordUpdate' tags: - administration put: description: "" operationId: data_administration_AgentPassword_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/AgentPasswordUpdate' responses: "200": description: "" schema: $ref: '#/definitions/AgentPasswordUpdate' tags: - administration /data/administration/AgentPassword/{id}/reset_usage_count/: parameters: - description: A unique integer value identifying this agent password. in: path name: id required: true type: string post: description: Reset the usage count of the password operationId: data_administration_AgentPassword_reset_usage_count parameters: [] responses: "204": description: "" tags: - administration /data/administration/AgentPassword/{id}/set_preferred/: parameters: - description: A unique integer value identifying this agent password. in: path name: id required: true type: string post: description: Replace current preferred password operationId: data_administration_AgentPassword_set_preferred parameters: [] responses: "204": description: "" tags: - administration /data/administration/AuditLog/: get: description: "" operationId: data_administration_AuditLog_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/AuditLog' type: array required: - count - results type: object tags: - administration parameters: [] /data/administration/AuditLog/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_administration_AuditLog_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - administration parameters: [] /data/administration/AuditLog/{id}/: get: description: "" operationId: data_administration_AuditLog_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/AuditLog' tags: - administration parameters: - in: path name: id required: true type: string /data/administration/AutoNotification/: get: description: "" operationId: data_administration_AutoNotification_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/AutoNotification' type: array required: - count - results type: object tags: - administration parameters: [] post: description: "" operationId: data_administration_AutoNotification_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/AutoNotification' responses: "201": description: "" schema: $ref: '#/definitions/AutoNotification' tags: - administration /data/administration/AutoNotification/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_administration_AutoNotification_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - administration parameters: [] /data/administration/AutoNotification/{id}/: delete: description: "" operationId: data_administration_AutoNotification_delete parameters: [] responses: "204": description: "" tags: - administration get: description: "" operationId: data_administration_AutoNotification_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/AutoNotification' tags: - administration parameters: - in: path name: id required: true type: string patch: description: "" operationId: data_administration_AutoNotification_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/AutoNotification' responses: "200": description: "" schema: $ref: '#/definitions/AutoNotification' tags: - administration put: description: "" operationId: data_administration_AutoNotification_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/AutoNotification' responses: "200": description: "" schema: $ref: '#/definitions/AutoNotification' tags: - administration /data/administration/Bundle/: get: description: "" operationId: data_administration_Bundle_list parameters: [] responses: "200": description: "" schema: items: $ref: '#/definitions/Bundle' type: array tags: - administration parameters: [] /data/administration/Bundle/current/: get: description: "" operationId: data_administration_Bundle_current_list parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Bundle' tags: - administration parameters: [] /data/administration/CircuitBreaker/: get: description: "" operationId: 
data_administration_CircuitBreaker_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: agent required: false type: string - description: "" in: query name: upgrade_date required: false type: string - description: "" in: query name: upgrade_version required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query name: agent.hostname required: false type: string - in: query name: agent.id required: false type: string - in: query name: agent.ostype required: false type: string responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/CircuitBreaker' type: array required: - count - results type: object tags: - administration parameters: [] /data/administration/CircuitBreaker/export/: get: description: Endpoint for exporting the current queryset as a CSV file. operationId: data_administration_CircuitBreaker_export parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: agent required: false type: string - description: "" in: query name: upgrade_date required: false type: string - description: "" in: query name: upgrade_version required: false type: string - description: Number of results to return per page. 
in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - administration parameters: [] /data/administration/CircuitBreaker/history/: delete: description: "" operationId: data_administration_CircuitBreaker_history_delete parameters: - in: query minLength: 1 name: event_id required: false type: string - format: date-time in: query name: before required: false type: string - format: date-time in: query name: after required: false type: string responses: {} tags: - administration get: description: "" operationId: data_administration_CircuitBreaker_history_read parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: agent required: false type: string - description: "" in: query name: upgrade_date required: false type: string - description: "" in: query name: upgrade_version required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query minLength: 1 name: event_id required: false type: string - format: date-time in: query name: before required: false type: string - format: date-time in: query name: after required: false type: string responses: "200": description: "" schema: items: $ref: '#/definitions/CircuitBreakerStats' type: array tags: - administration parameters: [] /data/administration/CircuitBreaker/reset/: parameters: [] post: description: Reset the circuit breaker state for the given OS type. operationId: data_administration_CircuitBreaker_reset parameters: - in: body name: data required: true schema: $ref: '#/definitions/CircuitBreakerReset' responses: "204": description: Circuit breaker reset tags: - administration /data/administration/CircuitBreaker/status/: get: description: "" operationId: data_administration_CircuitBreaker_status_read parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: agent required: false type: string - description: "" in: query name: upgrade_date required: false type: string - description: "" in: query name: upgrade_version required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: $ref: '#/definitions/CircuitBreakerStats' tags: - administration parameters: [] patch: description: "" operationId: data_administration_CircuitBreaker_status_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/_CircuitBreakerStatsQuery' responses: "200": description: "" schema: $ref: '#/definitions/CircuitBreakerStats' tags: - administration /data/administration/CircuitBreaker/{id}/: get: description: "" operationId: data_administration_CircuitBreaker_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/CircuitBreaker' tags: - administration parameters: - in: path name: id required: true type: string /data/administration/Diagnostic/: get: description: "" operationId: data_administration_Diagnostic_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: task_id required: false type: string - description: "" in: query name: periodic_task_name required: false type: string - description: "" in: query name: task_name required: false type: string - description: "" in: query name: task_args required: false type: string - description: "" in: query name: task_kwargs required: false type: string - description: "" in: query name: status required: false type: string - description: "" in: query name: worker required: false type: string - description: "" in: query name: content_type required: false type: string - description: "" in: query name: content_encoding required: false type: string - description: "" in: query name: result required: false type: string - description: "" in: query name: date_created required: false type: string - description: "" in: query name: date_done required: false type: string - description: "" in: query name: traceback required: false type: string - description: "" in: query name: meta required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: $ref: '#/definitions/DiagnosticLatestList' tags: - administration parameters: [] /data/administration/Diagnostic/active/: get: description: Details on running backend tasks. This API endpoint exists primarily for debugging live instances and is subject to change at any time. operationId: data_administration_Diagnostic_active parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: task_id required: false type: string - description: "" in: query name: periodic_task_name required: false type: string - description: "" in: query name: task_name required: false type: string - description: "" in: query name: task_args required: false type: string - description: "" in: query name: task_kwargs required: false type: string - description: "" in: query name: status required: false type: string - description: "" in: query name: worker required: false type: string - description: "" in: query name: content_type required: false type: string - description: "" in: query name: content_encoding required: false type: string - description: "" in: query name: result required: false type: string - description: "" in: query name: date_created required: false type: string - description: "" in: query name: date_done required: false type: string - description: "" in: query name: traceback required: false type: string - description: "" in: query name: meta required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: $ref: '#/definitions/DiagnosticList' tags: - administration parameters: [] /data/administration/Diagnostic/run/: parameters: [] post: description: |- Create a task to generate a diagnostic file, and return the name of the output file that can be fetched later once the task is complete. operationId: data_administration_Diagnostic_run parameters: - in: body name: data required: true schema: $ref: '#/definitions/DiagnosticFilename' responses: "200": description: "" schema: $ref: '#/definitions/DiagnosticRunResponse' tags: - administration /data/administration/Diagnostic/scheduled/: get: description: Details on running backend tasks. 
This API endpoint exists primarily for debugging live instances and is subject to change at any time. operationId: data_administration_Diagnostic_scheduled parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: task_id required: false type: string - description: "" in: query name: periodic_task_name required: false type: string - description: "" in: query name: task_name required: false type: string - description: "" in: query name: task_args required: false type: string - description: "" in: query name: task_kwargs required: false type: string - description: "" in: query name: status required: false type: string - description: "" in: query name: worker required: false type: string - description: "" in: query name: content_type required: false type: string - description: "" in: query name: content_encoding required: false type: string - description: "" in: query name: result required: false type: string - description: "" in: query name: date_created required: false type: string - description: "" in: query name: date_done required: false type: string - description: "" in: query name: traceback required: false type: string - description: "" in: query name: meta required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: $ref: '#/definitions/DiagnosticList' tags: - administration parameters: [] /data/administration/Diagnostic/{id}/: get: description: "" operationId: data_administration_Diagnostic_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Diagnostic' tags: - administration parameters: - description: A unique integer value identifying this task result. in: path name: id required: true type: string /data/administration/Diagnostic/{id}/download/: get: description: Retrieve the diagnostic archive produced by a previous Diagnostic/run task. The filename query parameter must be the output name returned by that call. Note that the schema pattern only enforces a .tgz or .tar.gz suffix and does not reject path separators, so the server must map the name to a file it generated for this task rather than treat it as an arbitrary path. operationId: data_administration_Diagnostic_download parameters: - in: query minLength: 1 name: filename pattern: (.+\.)((tgz$)|(tar\.gz$)) required: true type: string responses: "200": description: "" schema: $ref: '#/definitions/Diagnostic' tags: - administration parameters: - description: A unique integer value identifying this task result. in: path name: id required: true type: string /data/administration/Exception/: get: description: "" operationId: data_administration_Exception_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results.
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/Exception' type: array required: - count - results type: object tags: - administration parameters: [] post: description: "" operationId: data_administration_Exception_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/Exception' responses: "201": description: "" schema: $ref: '#/definitions/Exception' tags: - administration /data/administration/Exception/delete_all/: delete: description: "" operationId: data_administration_Exception_delete_all parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - administration parameters: [] /data/administration/Exception/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_administration_Exception_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - administration parameters: [] /data/administration/Exception/sentry/: parameters: [] post: description: Proxy frontend's sentry envelopes. 
operationId: data_administration_Exception_sentry parameters: - in: body name: data required: true schema: $ref: '#/definitions/Exception' responses: "200": description: "" tags: - administration /data/administration/Exception/{id}/: delete: description: "" operationId: data_administration_Exception_delete parameters: [] responses: "204": description: "" tags: - administration get: description: "" operationId: data_administration_Exception_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Exception' tags: - administration parameters: - in: path name: id required: true type: string patch: description: "" operationId: data_administration_Exception_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/Exception' responses: "200": description: "" schema: $ref: '#/definitions/Exception' tags: - administration put: description: "" operationId: data_administration_Exception_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/Exception' responses: "200": description: "" schema: $ref: '#/definitions/Exception' tags: - administration /data/administration/MaintenanceNotice/: parameters: [] post: description: Endpoint allowing administrators to create or update the maintenance notice. operationId: data_administration_MaintenanceNotice_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/_EditMaintenanceNotice' responses: "200": description: "" schema: $ref: '#/definitions/_EditMaintenanceNotice' tags: - administration /data/administration/OIDCProvider/: get: description: "" operationId: data_administration_OIDCProvider_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results.
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/OIDCProvider' type: array required: - count - results type: object tags: - administration parameters: [] post: description: "" operationId: data_administration_OIDCProvider_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/OIDCProvider' responses: "201": description: "" schema: $ref: '#/definitions/OIDCProvider' tags: - administration /data/administration/OIDCProvider/active_provider/: get: description: "" operationId: data_administration_OIDCProvider_active_provider parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: $ref: '#/definitions/_OIDCActiveProviderPagination' tags: - administration parameters: [] /data/administration/OIDCProvider/test/: parameters: [] post: description: "" operationId: data_administration_OIDCProvider_test parameters: - in: body name: data required: true schema: $ref: '#/definitions/ServerMetadataUrl' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "400": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - administration /data/administration/OIDCProvider/{id}/: delete: description: "" operationId: data_administration_OIDCProvider_delete parameters: [] responses: "204": description: "" tags: - administration get: description: "" operationId: data_administration_OIDCProvider_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/OIDCProvider' tags: - administration parameters: - description: A unique integer value identifying this oidc provider. 
in: path name: id required: true type: string patch: description: "" operationId: data_administration_OIDCProvider_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/OIDCProvider' responses: "200": description: "" schema: $ref: '#/definitions/OIDCProvider' tags: - administration put: description: "" operationId: data_administration_OIDCProvider_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/OIDCProvider' responses: "200": description: "" schema: $ref: '#/definitions/OIDCProvider' tags: - administration /data/administration/PolicyAutomation/: get: description: "" operationId: data_administration_PolicyAutomation_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/PolicyAutomation' type: array required: - count - results type: object tags: - administration parameters: [] post: description: "" operationId: data_administration_PolicyAutomation_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/PolicyAutomation' responses: "201": description: "" schema: $ref: '#/definitions/PolicyAutomation' tags: - administration /data/administration/PolicyAutomation/classify_default_agents/: parameters: [] post: description: "" operationId: data_administration_PolicyAutomation_classify_default_agents parameters: - in: body name: data required: true schema: $ref: '#/definitions/PolicyAutomation' responses: "200": description: "" schema: $ref: '#/definitions/_ClassifyDefaultAgents' tags: - administration /data/administration/PolicyAutomation/export/: get: description: Endpoint for 
exporting the current search as a CSV file. operationId: data_administration_PolicyAutomation_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - administration parameters: [] /data/administration/PolicyAutomation/{id}/: delete: description: "" operationId: data_administration_PolicyAutomation_delete parameters: [] responses: "204": description: "" tags: - administration get: description: "" operationId: data_administration_PolicyAutomation_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/PolicyAutomation' tags: - administration parameters: - in: path name: id required: true type: string patch: description: "" operationId: data_administration_PolicyAutomation_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/PolicyAutomation' responses: "200": description: "" schema: $ref: '#/definitions/PolicyAutomation' tags: - administration put: description: "" operationId: data_administration_PolicyAutomation_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/PolicyAutomation' responses: "200": description: "" schema: $ref: '#/definitions/PolicyAutomation' tags: - administration /data/administration/ProcessRedaction/: get: description: "" operationId: data_administration_ProcessRedaction_list parameters: - description: Number of results to return per page. 
in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/ProcessRedaction' type: array required: - count - results type: object tags: - administration parameters: [] post: description: "" operationId: data_administration_ProcessRedaction_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/ProcessRedaction' responses: "201": description: "" schema: $ref: '#/definitions/ProcessRedaction' tags: - administration /data/administration/ProcessRedaction/dry_run/: parameters: [] post: description: "" operationId: data_administration_ProcessRedaction_dry_run parameters: - in: body name: data required: true schema: $ref: '#/definitions/ProcessRedaction' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - administration /data/administration/ProcessRedaction/dry_run_all/: parameters: [] post: description: "" operationId: data_administration_ProcessRedaction_dry_run_all parameters: - in: body name: data required: true schema: $ref: '#/definitions/ProcessRedaction' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - administration /data/administration/ProcessRedaction/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_administration_ProcessRedaction_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - administration parameters: [] /data/administration/ProcessRedaction/{id}/: delete: description: "" operationId: data_administration_ProcessRedaction_delete parameters: [] responses: "204": description: "" tags: - administration get: description: "" operationId: data_administration_ProcessRedaction_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ProcessRedaction' tags: - administration parameters: - in: path name: id required: true type: string patch: description: "" operationId: data_administration_ProcessRedaction_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/ProcessRedaction' responses: "200": description: "" schema: $ref: '#/definitions/ProcessRedaction' tags: - administration put: description: "" operationId: data_administration_ProcessRedaction_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/ProcessRedaction' responses: "200": description: "" schema: $ref: '#/definitions/ProcessRedaction' tags: - administration /data/administration/agent_auto_upgrade_channel/all/: get: description: Read-only endpoint to retrieve the agent versions of all auto-upgrade channels. operationId: data_administration_agent_auto_upgrade_channel_all parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/AgentAutoUpgradeAllChannels' tags: - administration parameters: [] /data/administration/agent_auto_upgrade_channel/latest/: get: description: Read-only endpoint to retrieve the agent version of the 'latest' auto-upgrade channel. 
operationId: data_administration_agent_auto_upgrade_channel_latest parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/AgentAutoUpgradeChannel' tags: - administration parameters: [] /data/administration/agent_auto_upgrade_channel/stable/: get: description: Read-only endpoint to retrieve the agent version of the 'stable' auto-upgrade channel. operationId: data_administration_agent_auto_upgrade_channel_stable parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/AgentAutoUpgradeChannel' tags: - administration parameters: [] /data/administration/config/ConfigSection/{id}/: get: description: "" operationId: data_administration_config_ConfigSection_read parameters: [] responses: "200": description: "" tags: - administration parameters: - in: path name: id required: true type: string patch: description: "" operationId: data_administration_config_ConfigSection_partial_update parameters: [] responses: "200": description: "" tags: - administration /data/administration/config/ConnectorConfigSection/{id}/: get: description: "" operationId: data_administration_config_ConnectorConfigSection_read parameters: [] responses: "200": description: "" tags: - administration parameters: - in: path name: id required: true type: string patch: description: "" operationId: data_administration_config_ConnectorConfigSection_partial_update parameters: [] responses: "200": description: "" tags: - administration /data/administration/config/ProductUpgrade/: get: description: "" operationId: data_administration_config_ProductUpgrade_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: $ref: '#/definitions/UpgradeTaskResultList' tags: - administration parameters: [] /data/administration/config/ProductUpgrade/abort/: delete: description: "" operationId: data_administration_config_ProductUpgrade_abort parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/_UpgradeStatus' tags: - administration parameters: [] /data/administration/config/ProductUpgrade/latest/: get: description: "" operationId: data_administration_config_ProductUpgrade_latest parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: $ref: '#/definitions/_UpgradeStatus' tags: - administration parameters: [] /data/administration/config/ProductUpgrade/logs/: get: description: "" operationId: data_administration_config_ProductUpgrade_logs parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: $ref: '#/definitions/Logs' tags: - administration parameters: [] /data/administration/config/ProductUpgrade/start_upgrade/: parameters: [] patch: description: "" operationId: data_administration_config_ProductUpgrade_start_upgrade parameters: - in: body name: data required: true schema: $ref: '#/definitions/UpgradeTaskResult' responses: "200": description: "" schema: $ref: '#/definitions/_UpgradeStatus' tags: - administration /data/administration/config/ProductUpgrade/upload_image/: parameters: [] post: description: |- Create a task to generate a ProductUpgrade file, and return the name of the output file that can be fetched later once the task is complete. operationId: data_administration_config_ProductUpgrade_upload_image parameters: - in: body name: data required: true schema: $ref: '#/definitions/_ChunkedUpload' responses: "200": description: "" schema: $ref: '#/definitions/_UpgradeStatus' tags: - administration /data/administration/config/ProductUpgrade/{id}/: get: description: "" operationId: data_administration_config_ProductUpgrade_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/UpgradeTaskResult' tags: - administration parameters: - description: A unique integer value identifying this task result. in: path name: id required: true type: string /data/airgap/upload/: delete: description: Endpoints allowing administrators to upload airgap update blob operationId: data_airgap_upload_delete parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/_AirgapStatus' tags: - airgap get: description: Endpoints allowing administrators to upload airgap update blob operationId: data_airgap_upload_list parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/_AirgapStatus' tags: - airgap parameters: [] post: description: Upload airgap update file to S3 and launch airgap update task. 
operationId: data_airgap_upload_create parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/_AirgapStatus' "400": description: Failure examples: application/json: status: update file format incorrect tags: - airgap /data/alert/alert/AggregationAlert/: get: description: "" operationId: data_alert_alert_AggregationAlert_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/AggregationAlert' type: array required: - count - results type: object tags: - alert parameters: [] /data/alert/alert/AggregationAlert/aggregate/: get: description: |- The `matrix` field is deprecated, please use `matrix_v2` instead. Query parameter `fields` or `field` is mandatory; if both are given, only `fields` will be used. operationId: data_alert_alert_AggregationAlert_aggregate parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query minLength: 1 name: field required: false type: string - in: query minLength: 1 name: fields required: false type: string - in: query minLength: 1 name: level required: false type: string - in: query name: time required: false type: string responses: "200": description: "" schema: $ref: '#/definitions/AlertAggregateResponse' summary: Get aggregated stats and matrix. tags: - alert parameters: [] /data/alert/alert/AggregationAlert/export/: get: description: Endpoint for exporting the current search as a CSV file. 
operationId: data_alert_alert_AggregationAlert_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - alert parameters: [] /data/alert/alert/AggregationAlert/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the data. You can choose between: - new - false_positive - investigating - closed operationId: data_alert_alert_AggregationAlert_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_AggregateTag' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging alerts by ids. 
tags: - alert /data/alert/alert/AggregationAlert/{id}/: get: description: "" operationId: data_alert_alert_AggregationAlert_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/AggregationAlert' tags: - alert parameters: - in: path name: id required: true type: string /data/alert/alert/AggregationAlert/{id}/comments/: delete: description: "" operationId: data_alert_alert_AggregationAlert_comments_delete parameters: - in: body name: data required: true schema: $ref: '#/definitions/IdComment' responses: "200": description: "" schema: $ref: '#/definitions/CommentResponse' tags: - alert get: description: "" operationId: data_alert_alert_AggregationAlert_comments_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/CommentResponse' tags: - alert parameters: - in: path name: id required: true type: string patch: description: "" operationId: data_alert_alert_AggregationAlert_comments_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditBody' responses: "200": description: "" schema: $ref: '#/definitions/CommentResponse' tags: - alert post: description: "" operationId: data_alert_alert_AggregationAlert_comments_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/BaseComment' responses: "201": description: "" schema: $ref: '#/definitions/CommentResponse' tags: - alert /data/alert/alert/AggregationAlert/{id}/details/: get: description: "" operationId: data_alert_alert_AggregationAlert_details parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/AggregationAlertDetail' tags: - alert parameters: - in: path name: id required: true type: string /data/alert/alert/Alert/: get: description: "" operationId: data_alert_alert_Alert_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/Alert' type: array required: - count - results type: object tags: - alert parameters: [] /data/alert/alert/Alert/aggregate/: get: description: |- The `matrix` field is deprecated, please use `matrix_v2` instead. Query parameter `fields` or `field` is mandatory; if both are given, only `fields` will be used. operationId: data_alert_alert_Alert_aggregate parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query minLength: 1 name: field required: false type: string - in: query minLength: 1 name: fields required: false type: string - in: query minLength: 1 name: level required: false type: string - in: query name: time required: false type: string responses: "200": description: "" schema: $ref: '#/definitions/AlertAggregateResponse' summary: Get aggregated stats and matrix. tags: - alert parameters: [] /data/alert/alert/Alert/daily_stats/: get: description: Retrieve daily statistics on alerts operationId: data_alert_alert_Alert_daily_stats parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: $ref: '#/definitions/DailyStats' tags: - alert parameters: [] /data/alert/alert/Alert/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_alert_alert_Alert_export parameters: - description: Number of results to return per page. 
in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - alert parameters: [] /data/alert/alert/Alert/from_unique_id/: get: description: "" operationId: data_alert_alert_Alert_from_unique_id parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query minLength: 1 name: unique_id required: false type: string responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/Alert' type: array required: - count - results type: object tags: - alert parameters: [] /data/alert/alert/Alert/stats/: get: description: "" operationId: data_alert_alert_Alert_stats parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - format: date in: query name: from_date required: true type: string - format: date in: query name: to required: true type: string responses: "200": description: "" schema: $ref: '#/definitions/Stat' tags: - alert parameters: [] /data/alert/alert/Alert/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the data. 
You can choose between: - new - false_positive - investigating - closed This endpoint allows you to label alerts, according to the identifiers or the current search (filters). operationId: data_alert_alert_Alert_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/Tag' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "500": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging security events. tags: - alert /data/alert/alert/Alert/whitelisted/: get: description: "" operationId: data_alert_alert_Alert_whitelisted parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - format: uuid in: query name: whitelist_id required: true type: string - in: query name: whitelist_revision required: true type: integer - default: true in: query name: is_retroactive_application required: false type: boolean responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/Alert' type: array required: - count - results type: object tags: - alert parameters: [] /data/alert/alert/Alert/{id}/: get: description: "" operationId: data_alert_alert_Alert_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Alert' tags: - alert parameters: - in: path name: id required: true type: string /data/alert/alert/Alert/{id}/comment/: parameters: - in: path name: id required: true type: string post: description: "" operationId: data_alert_alert_Alert_comment parameters: - in: body name: data required: true schema: $ref: '#/definitions/AddCommentThreat' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - alert 
/data/alert/alert/Alert/{id}/deisolate/: parameters: - in: path name: id required: true type: string post: description: "" operationId: data_alert_alert_Alert_deisolate parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/_IsolationResponse' tags: - alert /data/alert/alert/Alert/{id}/details/: get: description: "" operationId: data_alert_alert_Alert_details parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/AlertWithDynamicFields' tags: - alert parameters: - in: path name: id required: true type: string /data/alert/alert/Alert/{id}/fields/: get: description: "" operationId: data_alert_alert_Alert_fields parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Alert' tags: - alert parameters: - in: path name: id required: true type: string /data/alert/alert/Alert/{id}/history/: get: description: "" operationId: data_alert_alert_Alert_history parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/AlertStatusHistoryList' tags: - alert parameters: - in: path name: id required: true type: string /data/alert/alert/Alert/{id}/isolate/: parameters: - in: path name: id required: true type: string post: description: "" operationId: data_alert_alert_Alert_isolate parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/_IsolationResponse' tags: - alert /data/alert/alert/Alert/{id}/thread_disassemble/: get: description: "" operationId: data_alert_alert_Alert_thread_disassemble parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Alert' tags: - alert parameters: - in: path name: id required: true type: string /data/alert/alert/Alert/{id}/thread_download/: get: description: "" operationId: data_alert_alert_Alert_thread_download parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Alert' tags: - alert parameters: - in: path name: id required: true type: string /data/alert/alert/ExperimentalAlert/: get: description: 
"" operationId: data_alert_alert_ExperimentalAlert_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/ExperimentalAlert' type: array required: - count - results type: object tags: - alert parameters: [] /data/alert/alert/ExperimentalAlert/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_alert_alert_ExperimentalAlert_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - alert parameters: [] /data/alert/alert/ExperimentalAlert/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the data. You can choose between: - new - false_positive - investigating - closed This endpoint allows you to label alerts, according to the identifiers or the current search (filters). 
operationId: data_alert_alert_ExperimentalAlert_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/Tag' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "500": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging security events. tags: - alert /data/alert/alert/ExperimentalAlert/{id}/: get: description: "" operationId: data_alert_alert_ExperimentalAlert_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ExperimentalAlert' tags: - alert parameters: - in: path name: id required: true type: string /data/alert/alert/SubEvent/: get: description: "" operationId: data_alert_alert_SubEvent_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/SubEvent' type: array required: - count - results type: object tags: - alert parameters: [] /data/alert/alert/SubEvent/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_alert_alert_SubEvent_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - alert parameters: [] /data/alert/alert/SubEvent/{id}/: get: description: "" operationId: data_alert_alert_SubEvent_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/SubEvent' tags: - alert parameters: - in: path name: id required: true type: string /data/alert/alert/Threat/: get: description: "" operationId: data_alert_alert_Threat_list parameters: - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: origin_stack_id required: false type: string - description: "" in: query name: last_update required: false type: string - description: "" in: query name: creation_date required: false type: string - description: "" in: query name: first_seen required: false type: string - description: "" in: query name: last_seen required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: status required: false type: string - description: "" in: query name: level required: false type: string - description: "" in: query name: closed_date required: false type: string - description: "" in: query name: linked_threat required: false type: string - description: "" in: query name: total_security_event_count required: false type: number - description: A search term. in: query name: search required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query name: slug required: false type: string - in: query name: threatagents.agent_hostname required: false type: string - enum: - linux - macos - unknown - windows in: query name: threatagents.agent_ostype required: false type: string - in: query name: threatagents.security_event_count required: false type: number - in: query name: threatrules.rule_name required: false type: string - enum: - all - assemblyline - base - cape - correlation - device_control - driver - glimps - hibou - hlai - hlaiscripts - hurukaiav - ioc - irma - kernelguard - orion - ransom - selfprotection - sidewatch - sigma - vt - yara in: query name: threatrules.rule_type required: false type: string - enum: - attack.collection - attack.command_and_control - attack.credential_access - attack.defense_evasion - attack.discovery - attack.execution - attack.exfiltration - attack.impact - attack.initial_access - attack.lateral_movement - attack.persistence - attack.privilege_escalation in: query name: threatrules.rule_tactics required: false type: string - in: query name: threatrules.security_event_count required: false type: number - in: query name: threatusers.user_name required: false type: string - in: query name: threatusers.security_event_count required: false type: number - in: query name: agent_count required: false type: number - in: query name: rule_count required: false type: number - in: query name: impacted_user_count required: false type: number responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/Threat' type: array required: - count - results type: object tags: - alert parameters: [] /data/alert/alert/Threat/agents/: get: description: "" operationId: data_alert_alert_Threat_agents parameters: - description: A search term. 
in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: threat_id required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/ThreatAgent' type: array required: - count - results type: object tags: - alert parameters: [] /data/alert/alert/Threat/export/: get: description: Endpoint for exporting the current queryset as a CSV file. operationId: data_alert_alert_Threat_export parameters: - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: origin_stack_id required: false type: string - description: "" in: query name: last_update required: false type: string - description: "" in: query name: creation_date required: false type: string - description: "" in: query name: first_seen required: false type: string - description: "" in: query name: last_seen required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: status required: false type: string - description: "" in: query name: level required: false type: string - description: "" in: query name: closed_date required: false type: string - description: "" in: query name: linked_threat required: false type: string - description: "" in: query name: total_security_event_count required: false type: number - description: A search term. 
in: query name: search required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - alert parameters: [] /data/alert/alert/Threat/level/: parameters: [] patch: description: "" operationId: data_alert_alert_Threat_level parameters: - in: body name: data required: true schema: $ref: '#/definitions/UpdateLevelThreat' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - alert /data/alert/alert/Threat/rules/: get: description: "" operationId: data_alert_alert_Threat_rules parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: threat_id required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/ThreatRule' type: array required: - count - results type: object tags: - alert parameters: [] /data/alert/alert/Threat/rules/details/{id}/: get: description: "" operationId: data_alert_alert_Threat_rules_details parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ThreatRule' tags: - alert parameters: - description: A unique integer value identifying this threat rule. in: path name: id required: true type: string /data/alert/alert/Threat/status/: parameters: [] patch: description: "" operationId: data_alert_alert_Threat_status parameters: - in: body name: data required: true schema: $ref: '#/definitions/UpdateStatusThreat' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "500": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - alert /data/alert/alert/Threat/users/: get: description: "" operationId: data_alert_alert_Threat_users parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: threat_id required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/ThreatUser' type: array required: - count - results type: object tags: - alert parameters: [] /data/alert/alert/Threat/{id}/: get: description: "" operationId: data_alert_alert_Threat_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ThreatDetail' tags: - alert parameters: - in: path name: id required: true type: string /data/alert/alert/Threat/{id}/comment/: parameters: - in: path name: id required: true type: string post: description: "" operationId: data_alert_alert_Threat_comment parameters: - in: body name: data required: true schema: $ref: '#/definitions/AddCommentThreat' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - alert /data/alert/alert/Threat/{id}/deisolation/: parameters: - in: path name: id required: true type: string post: description: "" operationId: data_alert_alert_Threat_deisolation parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/AgentIsolation' tags: - alert /data/alert/alert/Threat/{id}/history/: get: description: "" operationId: data_alert_alert_Threat_history parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: $ref: '#/definitions/HistoryRecordList' tags: - alert parameters: - in: path name: id required: true type: string /data/alert/alert/Threat/{id}/isolation/: parameters: - in: path name: id required: true type: string post: description: "" operationId: data_alert_alert_Threat_isolation parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/AgentIsolation' tags: - alert /data/alert/alert/Threat/{id}/note/: delete: description: "" operationId: data_alert_alert_Threat_note_delete parameters: [] responses: "204": description: "" tags: - alert get: description: "" operationId: data_alert_alert_Threat_note_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/NoteResponse' tags: - alert parameters: - in: path name: id required: true type: string patch: description: "" operationId: data_alert_alert_Threat_note_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/NoteRequestBody' responses: "200": description: "" schema: $ref: '#/definitions/NoteResponse' tags: - alert post: description: "" operationId: data_alert_alert_Threat_note_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/NoteRequestBody' responses: "200": description: "" schema: $ref: '#/definitions/NoteResponse' tags: - alert put: description: "" operationId: data_alert_alert_Threat_note_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/NoteRequestBody' responses: "200": description: "" schema: $ref: '#/definitions/NoteResponse' tags: - alert /data/attack_surface/NetworkDiscovery/: get: description: "" operationId: data_attack_surface_NetworkDiscovery_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/NDAsset' type: array required: - count - results type: object tags: - host_properties parameters: [] /data/attack_surface/NetworkDiscovery/ScanHistory/{hardware_address}/scans/: get: description: "" operationId: data_attack_surface_NetworkDiscovery_ScanHistory_scans_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: job_id required: false type: string - description: "" in: query name: task_id required: false type: number - description: "" in: query name: action required: false type: string - description: "" in: query name: hostname required: false type: string - description: "" in: query name: state required: false type: string - description: "" in: query name: creationtime required: false type: string - description: "" in: query name: starttime required: false type: string - description: "" in: query name: endtime required: false type: string - description: "" in: query name: duration required: false type: number - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query name: title required: false type: string - in: query name: description required: false type: string - in: query name: creator required: false type: string - in: query name: agent_id required: false type: string - in: query name: scanning_agent.version required: false type: string - in: query name: scanning_agent.ostype required: false type: string - in: query name: scanning_agent.agent_id required: false type: string - in: query name: scanning_agent.hostname required: false type: string - in: query name: subnet_id type: string responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/_DeviceScanHistory' type: array required: - count - results type: object tags: - host_properties parameters: - in: path name: hardware_address required: true type: string /data/attack_surface/NetworkDiscovery/ScanHistory/{hardware_address}/scans/export/: get: description: Endpoint for exporting the current queryset as a CSV file. operationId: data_attack_surface_NetworkDiscovery_ScanHistory_scans_export parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: job_id required: false type: string - description: "" in: query name: task_id required: false type: number - description: "" in: query name: action required: false type: string - description: "" in: query name: hostname required: false type: string - description: "" in: query name: state required: false type: string - description: "" in: query name: creationtime required: false type: string - description: "" in: query name: starttime required: false type: string - description: "" in: query name: endtime required: false type: string - description: "" in: query name: duration required: false type: number - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - host_properties parameters: - in: path name: hardware_address required: true type: string /data/attack_surface/NetworkDiscovery/ScanHistory/{subnet_id}/chart/: get: description: "" operationId: data_attack_surface_NetworkDiscovery_ScanHistory_chart_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: job_id required: false type: string - description: "" in: query name: task_id required: false type: number - description: "" in: query name: action required: false type: string - description: "" in: query name: hostname required: false type: string - description: "" in: query name: state required: false type: string - description: "" in: query name: creationtime required: false type: string - description: "" in: query name: starttime required: false type: string - description: "" in: query name: endtime required: false type: string - description: "" in: query name: duration required: false type: number - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query name: title required: false type: string - in: query name: description required: false type: string - in: query name: creator required: false type: string - in: query name: agent_id required: false type: string responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/_SubnetHistoryChart' type: array required: - count - results type: object tags: - host_properties parameters: - in: path name: subnet_id required: true type: string /data/attack_surface/NetworkDiscovery/ScanHistory/{subnet_id}/chart/export/: get: description: Endpoint for exporting the current queryset as a CSV file. operationId: data_attack_surface_NetworkDiscovery_ScanHistory_chart_export parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: job_id required: false type: string - description: "" in: query name: task_id required: false type: number - description: "" in: query name: action required: false type: string - description: "" in: query name: hostname required: false type: string - description: "" in: query name: state required: false type: string - description: "" in: query name: creationtime required: false type: string - description: "" in: query name: starttime required: false type: string - description: "" in: query name: endtime required: false type: string - description: "" in: query name: duration required: false type: number - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - host_properties parameters: - in: path name: subnet_id required: true type: string /data/attack_surface/NetworkDiscovery/ScanHistory/{subnet_id}/entries/: get: description: "" operationId: data_attack_surface_NetworkDiscovery_ScanHistory_entries_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: job_id required: false type: string - description: "" in: query name: task_id required: false type: number - description: "" in: query name: action required: false type: string - description: "" in: query name: hostname required: false type: string - description: "" in: query name: state required: false type: string - description: "" in: query name: creationtime required: false type: string - description: "" in: query name: starttime required: false type: string - description: "" in: query name: endtime required: false type: string - description: "" in: query name: duration required: false type: number - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query name: title required: false type: string - in: query name: description required: false type: string - in: query name: creator required: false type: string - in: query name: agent_id required: false type: string - in: query name: scanning_agent.version required: false type: string - in: query name: scanning_agent.ostype required: false type: string - in: query name: scanning_agent.agent_id required: false type: string - in: query name: scanning_agent.hostname required: false type: string responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/_SubnetScanHistory' type: array required: - count - results type: object tags: - host_properties parameters: - in: path name: subnet_id required: true type: string /data/attack_surface/NetworkDiscovery/ScanHistory/{subnet_id}/entries/export/: get: description: Endpoint for exporting the current queryset as a CSV file. 
operationId: data_attack_surface_NetworkDiscovery_ScanHistory_entries_export parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: job_id required: false type: string - description: "" in: query name: task_id required: false type: number - description: "" in: query name: action required: false type: string - description: "" in: query name: hostname required: false type: string - description: "" in: query name: state required: false type: string - description: "" in: query name: creationtime required: false type: string - description: "" in: query name: starttime required: false type: string - description: "" in: query name: endtime required: false type: string - description: "" in: query name: duration required: false type: number - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - host_properties parameters: - in: path name: subnet_id required: true type: string /data/attack_surface/NetworkDiscovery/details/{asset_id}/: get: description: Get the details for a single network discovery asset. operationId: data_attack_surface_NetworkDiscovery_details parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: $ref: '#/definitions/NDAsset' tags: - host_properties parameters: - in: path name: asset_id required: true type: string /data/attack_surface/NetworkDiscovery/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_attack_surface_NetworkDiscovery_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - host_properties parameters: [] /data/attack_surface/NetworkDiscovery/rogue_assets/: get: deprecated: true description: List all discovered assets that are not covered by an agent operationId: data_attack_surface_NetworkDiscovery_rogue_assets_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/NDAsset' type: array required: - count - results type: object tags: - host_properties parameters: [] /data/attack_surface/NetworkDiscovery/rogue_assets/export/: get: deprecated: true description: "" operationId: data_attack_surface_NetworkDiscovery_rogue_assets_export parameters: - description: Number of results to return per page. 
in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - host_properties parameters: [] /data/attack_surface/NetworkDiscovery/rogue_assets/kpis/: get: deprecated: true description: "" operationId: data_attack_surface_NetworkDiscovery_rogue_assets_kpis parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: $ref: '#/definitions/KPI' tags: - host_properties parameters: [] /data/attack_surface/NetworkDiscovery/rogue_assets/{id}/: get: deprecated: true description: "" operationId: data_attack_surface_NetworkDiscovery_rogue_assets_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/NDAsset' tags: - host_properties parameters: - in: path name: id required: true type: string /data/attack_surface/NetworkDiscovery/update_asset/{asset_id}/: parameters: - in: path name: asset_id required: true type: string patch: description: Update the additional information for a single network discovery asset. operationId: data_attack_surface_NetworkDiscovery_update_asset parameters: - in: body name: data required: true schema: $ref: '#/definitions/_AssetUpdate' responses: "200": description: "" schema: $ref: '#/definitions/NDAsset' tags: - host_properties /data/attack_surface/NetworkDiscovery/{hardware_address}/subnets/: get: description: Get the list of all subnets a device was seen in. 
operationId: data_attack_surface_NetworkDiscovery_subnets parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/_AssetSubnets' type: array required: - count - results type: object tags: - host_properties parameters: - in: path name: hardware_address required: true type: string /data/attack_surface/NetworkDiscovery/{id}/: get: description: "" operationId: data_attack_surface_NetworkDiscovery_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/NDAsset' tags: - host_properties parameters: - in: path name: id required: true type: string /data/attack_surface/NetworkDiscovery/{subnet_id}/devices/: get: description: Get the list of all devices seen in a subnet. operationId: data_attack_surface_NetworkDiscovery_devices_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query name: job_id type: string - in: query name: job_instance_id type: string responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/NDAsset' type: array required: - count - results type: object tags: - host_properties parameters: - in: path name: subnet_id required: true type: string /data/attack_surface/NetworkDiscovery/{subnet_id}/devices/export/: get: description: Endpoint for exporting the current search as a CSV file. 
operationId: data_attack_surface_NetworkDiscovery_devices_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - host_properties parameters: - in: path name: subnet_id required: true type: string /data/attack_surface/Subnet/: get: description: "" operationId: data_attack_surface_Subnet_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: description required: false type: string - description: "" in: query name: gateway_ipaddress required: false type: string - description: "" in: query name: gateway_macaddress required: false type: string - description: "" in: query name: gateway_oui required: false type: string - description: "" in: query name: auto_scan required: false type: string - description: "" in: query name: randomized_mac_address_count required: false type: number - description: "" in: query name: existing_agent_count required: false type: number - description: "" in: query name: missing_agent_count required: false type: number - description: "" in: query name: first_seen required: false type: string - description: "" in: query name: last_seen required: false type: string - description: 'should be in this format: 10.0.0.1-10.0.0.255' in: query name: gateway_ip_range__exact required: false type: 
string - description: 'should be in this format: 10.0.0.1-10.0.0.255' in: query name: gateway_ip_range__exact! required: false type: string - in: query name: gateway_cidr__exact required: false type: string - in: query name: gateway_cidr__exact! required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query name: total_agent_count required: false type: number - in: query name: blacklisted required: false type: boolean - in: query name: whitelisted required: false type: boolean responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/__SubnetSerializer' type: array required: - count - results type: object tags: - host_properties parameters: [] /data/attack_surface/Subnet/bulk_action/: parameters: [] post: description: "" operationId: data_attack_surface_Subnet_bulk_action parameters: - in: body name: data required: true schema: $ref: '#/definitions/SubnetBulkAction' responses: "200": description: "" schema: $ref: '#/definitions/SubnetBulkActionResponse' "400": description: "" schema: $ref: '#/definitions/SubnetBulkActionResponse' tags: - host_properties /data/attack_surface/Subnet/device/{hardware_address}/: get: description: Get the list of all subnets a device was seen in. operationId: data_attack_surface_Subnet_device parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: description required: false type: string - description: "" in: query name: gateway_ipaddress required: false type: string - description: "" in: query name: gateway_macaddress required: false type: string - description: "" in: query name: gateway_oui required: false type: string - description: "" in: query name: auto_scan required: false type: string - description: "" in: query name: randomized_mac_address_count required: false type: number - description: "" in: query name: existing_agent_count required: false type: number - description: "" in: query name: missing_agent_count required: false type: number - description: "" in: query name: first_seen required: false type: string - description: "" in: query name: last_seen required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: items: $ref: '#/definitions/SubnetAgg' type: array tags: - host_properties parameters: - in: path name: hardware_address required: true type: string /data/attack_surface/Subnet/export/: get: description: Endpoint for exporting the current queryset as a CSV file. operationId: data_attack_surface_Subnet_export parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: description required: false type: string - description: "" in: query name: gateway_ipaddress required: false type: string - description: "" in: query name: gateway_macaddress required: false type: string - description: "" in: query name: gateway_oui required: false type: string - description: "" in: query name: auto_scan required: false type: string - description: "" in: query name: randomized_mac_address_count required: false type: number - description: "" in: query name: existing_agent_count required: false type: number - description: "" in: query name: missing_agent_count required: false type: number - description: "" in: query name: first_seen required: false type: string - description: "" in: query name: last_seen required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - host_properties parameters: [] /data/attack_surface/Subnet/get_oui_codes/: get: description: "" operationId: data_attack_surface_Subnet_get_oui_codes parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: description required: false type: string - description: "" in: query name: gateway_ipaddress required: false type: string - description: "" in: query name: gateway_macaddress required: false type: string - description: "" in: query name: gateway_oui required: false type: string - description: "" in: query name: auto_scan required: false type: string - description: "" in: query name: randomized_mac_address_count required: false type: number - description: "" in: query name: existing_agent_count required: false type: number - description: "" in: query name: missing_agent_count required: false type: number - description: "" in: query name: first_seen required: false type: string - description: "" in: query name: last_seen required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: $ref: '#/definitions/OUICodes' tags: - host_properties parameters: [] /data/attack_surface/Subnet/kpis/: get: description: "" operationId: data_attack_surface_Subnet_kpis parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: description required: false type: string - description: "" in: query name: gateway_ipaddress required: false type: string - description: "" in: query name: gateway_macaddress required: false type: string - description: "" in: query name: gateway_oui required: false type: string - description: "" in: query name: auto_scan required: false type: string - description: "" in: query name: randomized_mac_address_count required: false type: number - description: "" in: query name: existing_agent_count required: false type: number - description: "" in: query name: missing_agent_count required: false type: number - description: "" in: query name: first_seen required: false type: string - description: "" in: query name: last_seen required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: $ref: '#/definitions/KPI' tags: - host_properties parameters: [] /data/attack_surface/Subnet/subnet_kpis/{subnet_id}/: get: description: "" operationId: data_attack_surface_Subnet_subnet_kpis parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: description required: false type: string - description: "" in: query name: gateway_ipaddress required: false type: string - description: "" in: query name: gateway_macaddress required: false type: string - description: "" in: query name: gateway_oui required: false type: string - description: "" in: query name: auto_scan required: false type: string - description: "" in: query name: randomized_mac_address_count required: false type: number - description: "" in: query name: existing_agent_count required: false type: number - description: "" in: query name: missing_agent_count required: false type: number - description: "" in: query name: first_seen required: false type: string - description: "" in: query name: last_seen required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query minLength: 1 name: job_id required: false type: string - in: query minLength: 1 name: job_instance_id required: false type: string responses: "200": description: "" schema: $ref: '#/definitions/KPI' tags: - host_properties parameters: - in: path name: subnet_id required: true type: string /data/attack_surface/Subnet/{id}/: get: description: "" operationId: data_attack_surface_Subnet_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/__SubnetDetailsSerializer' tags: - host_properties parameters: - in: path name: id required: true type: string patch: description: "" operationId: data_attack_surface_Subnet_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/__SubnetSerializer' responses: "200": description: "" schema: $ref: '#/definitions/__SubnetSerializer' tags: - host_properties put: description: "" operationId: data_attack_surface_Subnet_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/__SubnetSerializer' responses: "200": description: "" schema: $ref: '#/definitions/__SubnetSerializer' tags: - host_properties /data/attack_surface/Subnet/{id}/last_scan/: get: description: "" operationId: data_attack_surface_Subnet_last_scan parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/BatchRetrieve' tags: - host_properties parameters: - in: path name: id required: true type: string /data/attack_surface/SubnetExclusion/: get: description: "" operationId: data_attack_surface_SubnetExclusion_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: enabled required: false type: string - description: "" in: query name: ip_address required: false type: string - description: "" in: query name: ip_range_end required: false type: string - description: "" in: query name: mac_addresses required: false type: string - description: "" in: query name: cidr required: false type: string - description: "" in: query name: description required: false type: string - description: 'should be in this format : 10.0.0.1-10.0.0.255' in: query name: ip_range__exact required: false type: string - description: 'should be in this format : 10.0.0.1-10.0.0.255' in: query name: ip_range__exact! required: false type: string - in: query name: cidr__exact required: false type: string - in: query name: cidr__exact! required: false type: string - description: should be a comma-separated list of vendor codes in: query name: vendor_codes__contains required: false type: string - description: should be a comma-separated list of vendor codes in: query name: vendor_codes__contains! required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/SubnetExclusion' type: array required: - count - results type: object tags: - host_properties parameters: [] post: description: "" operationId: data_attack_surface_SubnetExclusion_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/SubnetExclusion' responses: "201": description: "" schema: $ref: '#/definitions/SubnetExclusion' tags: - host_properties /data/attack_surface/SubnetExclusion/export/: get: description: Endpoint for exporting the current queryset as a CSV file. operationId: data_attack_surface_SubnetExclusion_export parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: enabled required: false type: string - description: "" in: query name: ip_address required: false type: string - description: "" in: query name: ip_range_end required: false type: string - description: "" in: query name: mac_addresses required: false type: string - description: "" in: query name: cidr required: false type: string - description: "" in: query name: description required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - host_properties parameters: [] /data/attack_surface/SubnetExclusion/{id}/: delete: description: "" operationId: data_attack_surface_SubnetExclusion_delete parameters: [] responses: "204": description: "" tags: - host_properties get: description: "" operationId: data_attack_surface_SubnetExclusion_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/SubnetExclusion' tags: - host_properties parameters: - description: A UUID string identifying this subnet exclusion. format: uuid in: path name: id required: true type: string patch: description: "" operationId: data_attack_surface_SubnetExclusion_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/SubnetExclusion' responses: "200": description: "" schema: $ref: '#/definitions/SubnetExclusion' tags: - host_properties put: description: "" operationId: data_attack_surface_SubnetExclusion_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/SubnetExclusion' responses: "200": description: "" schema: $ref: '#/definitions/SubnetExclusion' tags: - host_properties /data/attack_surface/SubnetInclusion/: get: description: "" operationId: data_attack_surface_SubnetInclusion_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: enabled required: false type: string - description: "" in: query name: ip_address required: false type: string - description: "" in: query name: ip_range_end required: false type: string - description: "" in: query name: mac_addresses required: false type: string - description: "" in: query name: cidr required: false type: string - description: "" in: query name: description required: false type: string - description: 'should be in this format : 10.0.0.1-10.0.0.255' in: query name: ip_range__exact required: false type: string - description: 'should be in this format : 10.0.0.1-10.0.0.255' in: query name: ip_range__exact! required: false type: string - in: query name: cidr__exact required: false type: string - in: query name: cidr__exact! required: false type: string - description: should be a comma-separated list of vendor codes in: query name: vendor_codes__contains required: false type: string - description: should be a comma-separated list of vendor codes in: query name: vendor_codes__contains! required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/SubnetInclusion' type: array required: - count - results type: object tags: - host_properties parameters: [] post: description: "" operationId: data_attack_surface_SubnetInclusion_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/SubnetInclusion' responses: "201": description: "" schema: $ref: '#/definitions/SubnetInclusion' tags: - host_properties /data/attack_surface/SubnetInclusion/export/: get: description: Endpoint for exporting the current queryset as a CSV file. operationId: data_attack_surface_SubnetInclusion_export parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: enabled required: false type: string - description: "" in: query name: ip_address required: false type: string - description: "" in: query name: ip_range_end required: false type: string - description: "" in: query name: mac_addresses required: false type: string - description: "" in: query name: cidr required: false type: string - description: "" in: query name: description required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - host_properties parameters: [] /data/attack_surface/SubnetInclusion/{id}/: delete: description: "" operationId: data_attack_surface_SubnetInclusion_delete parameters: [] responses: "204": description: "" tags: - host_properties get: description: "" operationId: data_attack_surface_SubnetInclusion_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/SubnetInclusion' tags: - host_properties parameters: - description: A UUID string identifying this subnet inclusion. format: uuid in: path name: id required: true type: string patch: description: "" operationId: data_attack_surface_SubnetInclusion_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/SubnetInclusion' responses: "200": description: "" schema: $ref: '#/definitions/SubnetInclusion' tags: - host_properties put: description: "" operationId: data_attack_surface_SubnetInclusion_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/SubnetInclusion' responses: "200": description: "" schema: $ref: '#/definitions/SubnetInclusion' tags: - host_properties /data/attack_surface/UnprotectedAsset/: get: description: "" operationId: data_attack_surface_UnprotectedAsset_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: last_update required: false type: string - description: "" in: query name: creation_date required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: acknowledged required: false type: string - description: "" in: query name: description required: false type: string - description: "" in: query name: compatibility required: false type: string - description: "" in: query name: os required: false type: string - description: "" in: query name: compatibility_set_by_user required: false type: string - description: "" in: query name: os_set_by_user required: false type: string - description: "" in: query name: inferred_compatibility required: false type: string - description: "" in: query name: inferred_os required: false type: string - description: "" in: query name: detected_agent required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query name: mac_addr required: false type: string - in: query name: observation_count required: false type: number - in: query name: ip required: false type: string - in: query name: oui_vendor required: false type: string - in: query name: random_hardware_address required: false type: string - in: query name: rmDNS_names required: false type: string - in: query name: rmDNS_additional_records required: false type: string - in: query name: netbios_name required: false type: string - in: query name: netbios_groups required: false type: string - in: query name: subnets_name required: false type: string responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/UnprotectedAssetList' type: array required: - count - results type: object tags: - host_properties parameters: [] post: description: "" operationId: data_attack_surface_UnprotectedAsset_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/UnprotectedAssetUpdate' responses: "201": description: "" schema: $ref: '#/definitions/UnprotectedAssetUpdate' tags: - host_properties /data/attack_surface/UnprotectedAsset/bulk_update_compatibility/: parameters: [] post: description: "" operationId: data_attack_surface_UnprotectedAsset_bulk_update_compatibility parameters: - in: body name: data required: true schema: $ref: '#/definitions/UnprotectedAssetBulkUpdateCompatibility' responses: "200": description: "" schema: $ref: '#/definitions/UnprotectedAssetBulkUpdateResponse' "400": description: "" schema: $ref: '#/definitions/UnprotectedAssetBulkUpdateResponse' tags: - host_properties /data/attack_surface/UnprotectedAsset/bulk_update_os/: parameters: [] post: description: "" operationId: data_attack_surface_UnprotectedAsset_bulk_update_os parameters: - in: body name: data required: true 
schema: $ref: '#/definitions/UnprotectedAssetBulkUpdateOS' responses: "200": description: "" schema: $ref: '#/definitions/UnprotectedAssetBulkUpdateResponse' "400": description: "" schema: $ref: '#/definitions/UnprotectedAssetBulkUpdateResponse' tags: - host_properties /data/attack_surface/UnprotectedAsset/export/: get: description: Endpoint for exporting the current queryset as a CSV file. operationId: data_attack_surface_UnprotectedAsset_export parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: last_update required: false type: string - description: "" in: query name: creation_date required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: acknowledged required: false type: string - description: "" in: query name: description required: false type: string - description: "" in: query name: compatibility required: false type: string - description: "" in: query name: os required: false type: string - description: "" in: query name: compatibility_set_by_user required: false type: string - description: "" in: query name: os_set_by_user required: false type: string - description: "" in: query name: inferred_compatibility required: false type: string - description: "" in: query name: inferred_os required: false type: string - description: "" in: query name: detected_agent required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - host_properties parameters: [] /data/attack_surface/UnprotectedAsset/force_update/: parameters: [] post: description: "" operationId: data_attack_surface_UnprotectedAsset_force_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/UnprotectedAssetDetails' responses: {} tags: - host_properties /data/attack_surface/UnprotectedAsset/kpi/: get: description: "" operationId: data_attack_surface_UnprotectedAsset_kpi parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: last_update required: false type: string - description: "" in: query name: creation_date required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: acknowledged required: false type: string - description: "" in: query name: description required: false type: string - description: "" in: query name: compatibility required: false type: string - description: "" in: query name: os required: false type: string - description: "" in: query name: compatibility_set_by_user required: false type: string - description: "" in: query name: os_set_by_user required: false type: string - description: "" in: query name: inferred_compatibility required: false type: string - description: "" in: query name: inferred_os required: false type: string - description: "" in: query name: detected_agent required: 
false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: $ref: '#/definitions/UnprotectedAssetKPI' tags: - host_properties parameters: [] /data/attack_surface/UnprotectedAsset/{id}/: delete: description: "" operationId: data_attack_surface_UnprotectedAsset_delete parameters: [] responses: "204": description: "" tags: - host_properties get: description: "" operationId: data_attack_surface_UnprotectedAsset_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/UnprotectedAssetDetails' tags: - host_properties parameters: - description: A UUID string identifying this endpoint asset. format: uuid in: path name: id required: true type: string patch: description: "" operationId: data_attack_surface_UnprotectedAsset_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/UnprotectedAssetUpdate' responses: "200": description: "" schema: $ref: '#/definitions/UnprotectedAssetUpdate' tags: - host_properties put: description: "" operationId: data_attack_surface_UnprotectedAsset_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/UnprotectedAssetUpdate' responses: "200": description: "" schema: $ref: '#/definitions/UnprotectedAssetUpdate' tags: - host_properties /data/attack_surface/UnprotectedAsset/{id}/compatibility_history/: get: description: "" operationId: data_attack_surface_UnprotectedAsset_compatibility_history parameters: [] responses: "200": description: "" schema: items: $ref: '#/definitions/AssetCompatibilityHistory' type: array tags: - host_properties parameters: - description: A UUID string identifying this endpoint asset. 
format: uuid in: path name: id required: true type: string /data/attack_surface/UnprotectedAsset/{id}/os_history/: get: description: "" operationId: data_attack_surface_UnprotectedAsset_os_history parameters: [] responses: "200": description: "" schema: items: $ref: '#/definitions/AssetOSHistory' type: array tags: - host_properties parameters: - description: A UUID string identifying this endpoint asset. format: uuid in: path name: id required: true type: string /data/backend/Task/active/: get: description: Details on running backend tasks. This API endpoint exists primarily for debugging live instances and is subject to change at any time. operationId: data_backend_Task_active parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/TaskDetailList' tags: - backend parameters: [] /data/backend/Task/scheduled/: get: description: Details on running backend tasks. This API endpoint exists primarily for debugging live instances and is subject to change at any time. operationId: data_backend_Task_scheduled parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/TaskDetailList' tags: - backend parameters: [] /data/backend/TaskResult/: get: description: Details on completed backend tasks. This API endpoint exists primarily for debugging live instances and is subject to change at any time. operationId: data_backend_TaskResult_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: task_id required: false type: string - description: "" in: query name: periodic_task_name required: false type: string - description: "" in: query name: task_name required: false type: string - description: "" in: query name: task_args required: false type: string - description: "" in: query name: task_kwargs required: false type: string - description: "" in: query name: status required: false type: string - description: "" in: query name: worker required: false type: string - description: "" in: query name: content_type required: false type: string - description: "" in: query name: content_encoding required: false type: string - description: "" in: query name: result required: false type: string - description: "" in: query name: date_created required: false type: string - description: "" in: query name: date_done required: false type: string - description: "" in: query name: traceback required: false type: string - description: "" in: query name: meta required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/TaskResult' type: array required: - count - results type: object tags: - backend parameters: [] /data/backend/TaskResult/{id}/: get: description: Details on completed backend tasks. This API endpoint exists primarily for debugging live instances and is subject to change at any time. 
operationId: data_backend_TaskResult_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/TaskResult' tags: - backend parameters: - description: A unique integer value identifying this task result. in: path name: id required: true type: string /data/binary_persistences/Persistence/: get: description: "" operationId: data_binary_persistences_Persistence_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/AbstractPersistence' type: array required: - count - results type: object tags: - investigation parameters: [] /data/binary_persistences/Persistence/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_binary_persistences_Persistence_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/binary_persistences/Persistence/{id}/: get: description: "" operationId: data_binary_persistences_Persistence_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/AbstractPersistence' tags: - investigation parameters: - in: path name: id required: true type: string /data/configuration/active_directory/: get: description: "" operationId: data_configuration_active_directory_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: type required: false type: string - description: "" in: query name: name required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/ActiveDirectory' type: array required: - count - results type: object tags: - configuration parameters: [] post: description: "" operationId: data_configuration_active_directory_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/ActiveDirectory' responses: "201": description: "" schema: $ref: '#/definitions/ActiveDirectory' tags: - configuration /data/configuration/active_directory/domain/: get: description: "" operationId: data_configuration_active_directory_domain parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: type required: false type: string - description: "" in: query name: name required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: $ref: '#/definitions/_Domain' tags: - configuration parameters: [] /data/configuration/active_directory/domain_controllers/: get: description: "" operationId: data_configuration_active_directory_domain_controllers parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: type required: false type: string - description: "" in: query name: name required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query minLength: 1 name: dnsdomainname required: false type: string responses: "200": description: "" schema: items: $ref: '#/definitions/_DomainController' type: array tags: - configuration parameters: [] /data/configuration/active_directory/force_scan_domain_controllers/: parameters: [] post: description: "" operationId: data_configuration_active_directory_force_scan_domain_controllers parameters: - in: body name: data required: true schema: $ref: '#/definitions/ActiveDirectory' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - configuration /data/configuration/active_directory/test/: parameters: [] post: description: "" operationId: data_configuration_active_directory_test parameters: - in: body name: data required: true schema: $ref: '#/definitions/ActiveDirectory' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - configuration /data/configuration/active_directory/{id}/: delete: description: "" operationId: data_configuration_active_directory_delete parameters: [] responses: "204": description: "" tags: - configuration get: description: "" operationId: data_configuration_active_directory_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ActiveDirectory' tags: - configuration parameters: - description: A UUID string identifying this config section. 
format: uuid in: path name: id required: true type: string patch: description: "" operationId: data_configuration_active_directory_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/ActiveDirectory' responses: "200": description: "" schema: $ref: '#/definitions/ActiveDirectory' tags: - configuration put: description: "" operationId: data_configuration_active_directory_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/ActiveDirectory' responses: "200": description: "" schema: $ref: '#/definitions/ActiveDirectory' tags: - configuration /data/configuration/active_directory/{id}/force_scan/: parameters: - description: A UUID string identifying this config section. format: uuid in: path name: id required: true type: string post: description: "" operationId: data_configuration_active_directory_force_scan parameters: - in: body name: data required: true schema: $ref: '#/definitions/ActiveDirectory' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - configuration /data/configuration/active_directory/{id}/force_update_agent_groups/: parameters: - description: A UUID string identifying this config section. format: uuid in: path name: id required: true type: string post: description: "" operationId: data_configuration_active_directory_force_update_agent_groups parameters: - in: body name: data required: true schema: $ref: '#/definitions/ActiveDirectory' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - configuration /data/configuration/entra_id/: get: description: "" operationId: data_configuration_entra_id_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: type required: false type: string - description: "" in: query name: name required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/EntraId' type: array required: - count - results type: object tags: - configuration parameters: [] post: description: "" operationId: data_configuration_entra_id_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/EntraId' responses: "201": description: "" schema: $ref: '#/definitions/EntraId' tags: - configuration /data/configuration/entra_id/test/: parameters: [] post: description: "" operationId: data_configuration_entra_id_test parameters: - in: body name: data required: true schema: $ref: '#/definitions/EntraId' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - configuration /data/configuration/entra_id/{id}/: delete: description: "" operationId: data_configuration_entra_id_delete parameters: [] responses: "204": description: "" tags: - configuration get: description: "" operationId: data_configuration_entra_id_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/EntraId' tags: - configuration parameters: - description: A UUID string identifying this config section. 
format: uuid in: path name: id required: true type: string patch: description: "" operationId: data_configuration_entra_id_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/EntraId' responses: "200": description: "" schema: $ref: '#/definitions/EntraId' tags: - configuration put: description: "" operationId: data_configuration_entra_id_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/EntraId' responses: "200": description: "" schema: $ref: '#/definitions/EntraId' tags: - configuration /data/configuration/entra_id/{id}/force_scan/: parameters: - description: A UUID string identifying this config section. format: uuid in: path name: id required: true type: string post: description: "" operationId: data_configuration_entra_id_force_scan parameters: - in: body name: data required: true schema: $ref: '#/definitions/EntraId' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - configuration /data/configuration/entra_id/{id}/force_update_agent_groups/: parameters: - description: A UUID string identifying this config section. format: uuid in: path name: id required: true type: string post: description: "" operationId: data_configuration_entra_id_force_update_agent_groups parameters: - in: body name: data required: true schema: $ref: '#/definitions/EntraId' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - configuration /data/endpoint/Agent/: get: description: "" operationId: data_endpoint_Agent_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: domainname required: false type: string - description: "" in: query name: dnsdomainname required: false type: string - description: "" in: query name: hostname required: false type: string - description: "" in: query name: osmajor required: false type: number - description: "" in: query name: osminor required: false type: number - description: "" in: query name: osproducttype required: false type: string - description: "" in: query name: firstseen required: false type: string - description: "" in: query name: lastseen required: false type: string - description: "" in: query name: version required: false type: string - description: "" in: query name: pinned_version required: false type: string - description: "" in: query name: rollback_version required: false type: string - description: "" in: query name: bitness required: false type: string - description: "" in: query name: domain required: false type: string - description: "" in: query name: installdate required: false type: string - description: "" in: query name: ipaddress required: false type: string - description: "" in: query name: external_ipaddress required: false type: string - description: "" in: query name: osbuild required: false type: number - description: "" in: query name: osid required: false type: string - description: "" in: query name: osrevision required: false type: number - description: "" in: query name: osversion required: false type: string - description: "" in: query name: producttype required: false type: string - description: "" in: query name: servicepack required: false type: string - description: "" in: query name: total_memory required: false type: number - description: "" in: query name: cpu_count required: false type: number - description: "" in: query name: cpu_frequency required: false type: number - description: "" in: query 
name: avg_cpu required: false type: number - description: "" in: query name: avg_memory required: false type: number - description: "" in: query name: avg_system_cpu required: false type: number - description: "" in: query name: avg_system_memory required: false type: number - description: "" in: query name: starttime required: false type: string - description: "" in: query name: machine_boottime required: false type: string - description: "" in: query name: machine_serial required: false type: string - description: "" in: query name: subnet__gateway_ipaddress required: false type: string - description: "" in: query name: subnet__gateway_macaddress required: false type: string - description: "" in: query name: subnet__name required: false type: string - description: "" in: query name: isolation_state required: false type: string - description: "" in: query name: antivirus_name required: false type: string - description: "" in: query name: antivirus_version required: false type: string - description: "" in: query name: antivirus_rules_version required: false type: string - description: "" in: query name: antivirus_last_update_date required: false type: string - description: "" in: query name: antivirus_rules_last_update_date required: false type: string - description: "" in: query name: additional_info required: false type: string - description: "" in: query name: additional_info__additional_info1 required: false type: string - description: "" in: query name: additional_info__additional_info2 required: false type: string - description: "" in: query name: additional_info__additional_info3 required: false type: string - description: "" in: query name: additional_info__additional_info4 required: false type: string - description: "" in: query name: description required: false type: string - description: "" in: query name: effective_antivirus_policy_id required: false type: string - description: "" in: query name: effective_antivirus_policy_revision required: false type: 
number - description: "" in: query name: boot_loop_protection_end_date required: false type: string - description: "" in: query name: boot_loop_protection_boot_count required: false type: number - description: "" in: query name: telemetry_last_update required: false type: string - description: "" in: query name: should_change_id required: false type: string - description: "" in: query name: protocol required: false type: number - description: "" in: query name: host required: false type: string - description: "" in: query name: port required: false type: number - description: "" in: query name: public_server_signature required: false type: string - description: "" in: query name: proxy_protocol required: false type: number - description: "" in: query name: proxy_host required: false type: string - description: "" in: query name: proxy_port required: false type: number - description: "" in: query name: vdi_salt required: false type: string - description: "" in: query name: update_method required: false type: number - description: "" in: query name: upgrade_status required: false type: string - description: "" in: query name: upgrade_failure_reason required: false type: string - in: query name: groups_size__lt required: false type: number - in: query name: groups_size__lte required: false type: number - in: query name: groups_size__gt required: false type: number - in: query name: groups_size__gte required: false type: number - in: query name: groups_size__match required: false type: number - in: query name: case_id required: false type: string - in: query name: case_id! required: false type: string - in: query name: groups.name__wildcard required: false type: string - in: query name: groups.name__exact required: false type: string - in: query name: threat_id required: false type: string - in: query name: threat_id! 
required: false type: string - in: query name: telemetry.bpf__wildcard required: false type: string - in: query name: telemetry.bpf__exact required: false type: string - in: query name: telemetry.__wildcard required: false type: string - in: query name: telemetry.__exact required: false type: string - in: query name: telemetry.source required: false type: string - in: query name: device_control_policy_id required: false type: string - in: query name: vdi_mode required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query name: policy.name required: false type: string - in: query name: policy.id required: false type: string - in: query name: policy.windows_self_protection required: false type: boolean - in: query name: policy.linux_self_protection required: false type: boolean - in: query name: policy.antivirus_policy_name required: false type: string - enum: - access_denied - idle - offline - online in: query name: status required: false type: string - enum: - linux - macos - windows in: query name: ostype required: false type: string - in: query name: additional_info.additional_info1 required: false type: string - in: query name: additional_info.additional_info2 required: false type: string - in: query name: additional_info.additional_info3 required: false type: string - in: query name: additional_info.additional_info4 required: false type: string - in: query name: groups.id required: false type: string - in: query name: encrypted_disk_count required: false type: number - in: query name: disk_count required: false type: number - in: query name: group_count required: false type: number - in: query name: subnet.gateway_ipaddress required: false type: string - in: query name: subnet.gateway_macaddress required: false type: string - in: query name: subnet.name 
required: false type: string - in: query name: os_install_date required: false type: string - in: query name: hardware_address required: false type: string - in: query name: antivirus_policy_revision required: false type: number - in: query name: antivirus_is_up_to_date required: false type: boolean - in: query name: last_upgrade_attempt required: false type: string - in: query name: last_upgrade_success required: false type: string - in: query name: major_version required: false type: number - in: query name: minor_version required: false type: number responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/Agent' type: array required: - count - results type: object tags: - agent parameters: [] /data/endpoint/Agent/ActionHistory/: get: description: "" operationId: data_endpoint_Agent_ActionHistory_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: action_type required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query name: id required: false type: string responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/AgentActionHistory' type: array required: - count - results type: object tags: - agent parameters: [] /data/endpoint/Agent/ActionHistory/export/: get: description: Endpoint for exporting the current queryset as a CSV file. 
operationId: data_endpoint_Agent_ActionHistory_export parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: action_type required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - agent parameters: [] /data/endpoint/Agent/ActionHistory/{id}/: get: description: "" operationId: data_endpoint_Agent_ActionHistory_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/AgentActionHistory' tags: - agent parameters: - description: A UUID string identifying this agent action history. format: uuid in: path name: id required: true type: string /data/endpoint/Agent/RemoteShellCommand/: get: description: "" operationId: data_endpoint_Agent_RemoteShellCommand_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: state required: false type: string - description: "" in: query name: command required: false type: string - description: "" in: query name: response required: false type: string - description: "" in: query name: session_id required: false type: string - description: Number of results to return per page. 
in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query name: id required: false type: string - in: query name: session.agent.id required: false type: string - in: query name: session.agent.hostname required: false type: string - in: query name: session.user.id required: false type: string - in: query name: session.user.username required: false type: string responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/RemoteShellCommand' type: array required: - count - results type: object tags: - agent parameters: [] /data/endpoint/Agent/RemoteShellCommand/{id}/: get: description: "" operationId: data_endpoint_Agent_RemoteShellCommand_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/RemoteShellCommand' tags: - agent parameters: - description: A UUID string identifying this remote shell command. format: uuid in: path name: id required: true type: string /data/endpoint/Agent/dashboard_stats/: get: description: "" operationId: data_endpoint_Agent_dashboard_stats parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: domainname required: false type: string - description: "" in: query name: dnsdomainname required: false type: string - description: "" in: query name: hostname required: false type: string - description: "" in: query name: osmajor required: false type: number - description: "" in: query name: osminor required: false type: number - description: "" in: query name: osproducttype required: false type: string - description: "" in: query name: firstseen required: false type: string - description: "" in: query name: lastseen required: false type: string - description: "" in: query name: version required: false type: string - description: "" in: query name: pinned_version required: false type: string - description: "" in: query name: rollback_version required: false type: string - description: "" in: query name: bitness required: false type: string - description: "" in: query name: domain required: false type: string - description: "" in: query name: installdate required: false type: string - description: "" in: query name: ipaddress required: false type: string - description: "" in: query name: external_ipaddress required: false type: string - description: "" in: query name: osbuild required: false type: number - description: "" in: query name: osid required: false type: string - description: "" in: query name: osrevision required: false type: number - description: "" in: query name: osversion required: false type: string - description: "" in: query name: producttype required: false type: string - description: "" in: query name: servicepack required: false type: string - description: "" in: query name: total_memory required: false type: number - description: "" in: query name: cpu_count required: false type: number - description: "" in: query name: cpu_frequency required: false type: number - description: "" in: query 
name: avg_cpu required: false type: number - description: "" in: query name: avg_memory required: false type: number - description: "" in: query name: avg_system_cpu required: false type: number - description: "" in: query name: avg_system_memory required: false type: number - description: "" in: query name: starttime required: false type: string - description: "" in: query name: machine_boottime required: false type: string - description: "" in: query name: machine_serial required: false type: string - description: "" in: query name: subnet__gateway_ipaddress required: false type: string - description: "" in: query name: subnet__gateway_macaddress required: false type: string - description: "" in: query name: subnet__name required: false type: string - description: "" in: query name: isolation_state required: false type: string - description: "" in: query name: antivirus_name required: false type: string - description: "" in: query name: antivirus_version required: false type: string - description: "" in: query name: antivirus_rules_version required: false type: string - description: "" in: query name: antivirus_last_update_date required: false type: string - description: "" in: query name: antivirus_rules_last_update_date required: false type: string - description: "" in: query name: additional_info required: false type: string - description: "" in: query name: additional_info__additional_info1 required: false type: string - description: "" in: query name: additional_info__additional_info2 required: false type: string - description: "" in: query name: additional_info__additional_info3 required: false type: string - description: "" in: query name: additional_info__additional_info4 required: false type: string - description: "" in: query name: description required: false type: string - description: "" in: query name: effective_antivirus_policy_id required: false type: string - description: "" in: query name: effective_antivirus_policy_revision required: false type: 
number - description: "" in: query name: boot_loop_protection_end_date required: false type: string - description: "" in: query name: boot_loop_protection_boot_count required: false type: number - description: "" in: query name: telemetry_last_update required: false type: string - description: "" in: query name: should_change_id required: false type: string - description: "" in: query name: protocol required: false type: number - description: "" in: query name: host required: false type: string - description: "" in: query name: port required: false type: number - description: "" in: query name: public_server_signature required: false type: string - description: "" in: query name: proxy_protocol required: false type: number - description: "" in: query name: proxy_host required: false type: string - description: "" in: query name: proxy_port required: false type: number - description: "" in: query name: vdi_salt required: false type: string - description: "" in: query name: update_method required: false type: number - description: "" in: query name: upgrade_status required: false type: string - description: "" in: query name: upgrade_failure_reason required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: $ref: '#/definitions/AgentDashboardStat' tags: - agent parameters: [] /data/endpoint/Agent/deisolate/: parameters: [] post: description: Request network deisolation on given agents operationId: data_endpoint_Agent_deisolate_many parameters: - in: body name: data required: true schema: $ref: '#/definitions/AgentIdList' responses: "200": description: "" schema: $ref: '#/definitions/AgentIsolation' "404": description: Not found examples: application/json: detail: Not found. 
tags: - agent /data/endpoint/Agent/delete/: delete: description: "" operationId: data_endpoint_Agent_delete_list parameters: - in: body name: data required: true schema: $ref: '#/definitions/AgentIdList' responses: "200": description: Success examples: application/json: status: agent deleted "404": description: Not found examples: application/json: detail: Not found. tags: - agent parameters: [] /data/endpoint/Agent/export/: get: description: Endpoint for exporting the current queryset as a CSV file. operationId: data_endpoint_Agent_export parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: domainname required: false type: string - description: "" in: query name: dnsdomainname required: false type: string - description: "" in: query name: hostname required: false type: string - description: "" in: query name: osmajor required: false type: number - description: "" in: query name: osminor required: false type: number - description: "" in: query name: osproducttype required: false type: string - description: "" in: query name: firstseen required: false type: string - description: "" in: query name: lastseen required: false type: string - description: "" in: query name: version required: false type: string - description: "" in: query name: pinned_version required: false type: string - description: "" in: query name: rollback_version required: false type: string - description: "" in: query name: bitness required: false type: string - description: "" in: query name: domain required: false type: string - description: "" in: query name: installdate required: false type: string - description: "" in: query name: ipaddress required: false type: string - description: "" in: query name: external_ipaddress required: false 
type: string - description: "" in: query name: osbuild required: false type: number - description: "" in: query name: osid required: false type: string - description: "" in: query name: osrevision required: false type: number - description: "" in: query name: osversion required: false type: string - description: "" in: query name: producttype required: false type: string - description: "" in: query name: servicepack required: false type: string - description: "" in: query name: total_memory required: false type: number - description: "" in: query name: cpu_count required: false type: number - description: "" in: query name: cpu_frequency required: false type: number - description: "" in: query name: avg_cpu required: false type: number - description: "" in: query name: avg_memory required: false type: number - description: "" in: query name: avg_system_cpu required: false type: number - description: "" in: query name: avg_system_memory required: false type: number - description: "" in: query name: starttime required: false type: string - description: "" in: query name: machine_boottime required: false type: string - description: "" in: query name: machine_serial required: false type: string - description: "" in: query name: subnet__gateway_ipaddress required: false type: string - description: "" in: query name: subnet__gateway_macaddress required: false type: string - description: "" in: query name: subnet__name required: false type: string - description: "" in: query name: isolation_state required: false type: string - description: "" in: query name: antivirus_name required: false type: string - description: "" in: query name: antivirus_version required: false type: string - description: "" in: query name: antivirus_rules_version required: false type: string - description: "" in: query name: antivirus_last_update_date required: false type: string - description: "" in: query name: antivirus_rules_last_update_date required: false type: string - description: "" in: 
query name: additional_info required: false type: string - description: "" in: query name: additional_info__additional_info1 required: false type: string - description: "" in: query name: additional_info__additional_info2 required: false type: string - description: "" in: query name: additional_info__additional_info3 required: false type: string - description: "" in: query name: additional_info__additional_info4 required: false type: string - description: "" in: query name: description required: false type: string - description: "" in: query name: effective_antivirus_policy_id required: false type: string - description: "" in: query name: effective_antivirus_policy_revision required: false type: number - description: "" in: query name: boot_loop_protection_end_date required: false type: string - description: "" in: query name: boot_loop_protection_boot_count required: false type: number - description: "" in: query name: telemetry_last_update required: false type: string - description: "" in: query name: should_change_id required: false type: string - description: "" in: query name: protocol required: false type: number - description: "" in: query name: host required: false type: string - description: "" in: query name: port required: false type: number - description: "" in: query name: public_server_signature required: false type: string - description: "" in: query name: proxy_protocol required: false type: number - description: "" in: query name: proxy_host required: false type: string - description: "" in: query name: proxy_port required: false type: number - description: "" in: query name: vdi_salt required: false type: string - description: "" in: query name: update_method required: false type: number - description: "" in: query name: upgrade_status required: false type: string - description: "" in: query name: upgrade_failure_reason required: false type: string - description: Number of results to return per page. 
in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - agent parameters: [] /data/endpoint/Agent/global_stats_resource_cpu/: get: description: "" operationId: data_endpoint_Agent_global_stats_resource_cpu parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: domainname required: false type: string - description: "" in: query name: dnsdomainname required: false type: string - description: "" in: query name: hostname required: false type: string - description: "" in: query name: osmajor required: false type: number - description: "" in: query name: osminor required: false type: number - description: "" in: query name: osproducttype required: false type: string - description: "" in: query name: firstseen required: false type: string - description: "" in: query name: lastseen required: false type: string - description: "" in: query name: version required: false type: string - description: "" in: query name: pinned_version required: false type: string - description: "" in: query name: rollback_version required: false type: string - description: "" in: query name: bitness required: false type: string - description: "" in: query name: domain required: false type: string - description: "" in: query name: installdate required: false type: string - description: "" in: query name: ipaddress 
required: false type: string - description: "" in: query name: external_ipaddress required: false type: string - description: "" in: query name: osbuild required: false type: number - description: "" in: query name: osid required: false type: string - description: "" in: query name: osrevision required: false type: number - description: "" in: query name: osversion required: false type: string - description: "" in: query name: producttype required: false type: string - description: "" in: query name: servicepack required: false type: string - description: "" in: query name: total_memory required: false type: number - description: "" in: query name: cpu_count required: false type: number - description: "" in: query name: cpu_frequency required: false type: number - description: "" in: query name: avg_cpu required: false type: number - description: "" in: query name: avg_memory required: false type: number - description: "" in: query name: avg_system_cpu required: false type: number - description: "" in: query name: avg_system_memory required: false type: number - description: "" in: query name: starttime required: false type: string - description: "" in: query name: machine_boottime required: false type: string - description: "" in: query name: machine_serial required: false type: string - description: "" in: query name: subnet__gateway_ipaddress required: false type: string - description: "" in: query name: subnet__gateway_macaddress required: false type: string - description: "" in: query name: subnet__name required: false type: string - description: "" in: query name: isolation_state required: false type: string - description: "" in: query name: antivirus_name required: false type: string - description: "" in: query name: antivirus_version required: false type: string - description: "" in: query name: antivirus_rules_version required: false type: string - description: "" in: query name: antivirus_last_update_date required: false type: string - description: "" in: 
query name: antivirus_rules_last_update_date required: false type: string - description: "" in: query name: additional_info required: false type: string - description: "" in: query name: additional_info__additional_info1 required: false type: string - description: "" in: query name: additional_info__additional_info2 required: false type: string - description: "" in: query name: additional_info__additional_info3 required: false type: string - description: "" in: query name: additional_info__additional_info4 required: false type: string - description: "" in: query name: description required: false type: string - description: "" in: query name: effective_antivirus_policy_id required: false type: string - description: "" in: query name: effective_antivirus_policy_revision required: false type: number - description: "" in: query name: boot_loop_protection_end_date required: false type: string - description: "" in: query name: boot_loop_protection_boot_count required: false type: number - description: "" in: query name: telemetry_last_update required: false type: string - description: "" in: query name: should_change_id required: false type: string - description: "" in: query name: protocol required: false type: number - description: "" in: query name: host required: false type: string - description: "" in: query name: port required: false type: number - description: "" in: query name: public_server_signature required: false type: string - description: "" in: query name: proxy_protocol required: false type: number - description: "" in: query name: proxy_host required: false type: string - description: "" in: query name: proxy_port required: false type: number - description: "" in: query name: vdi_salt required: false type: string - description: "" in: query name: update_method required: false type: number - description: "" in: query name: upgrade_status required: false type: string - description: "" in: query name: upgrade_failure_reason required: false type: string - 
description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: $ref: '#/definitions/AgentDatasetsStat' tags: - agent parameters: [] /data/endpoint/Agent/global_stats_resource_ram/: get: description: "" operationId: data_endpoint_Agent_global_stats_resource_ram parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: domainname required: false type: string - description: "" in: query name: dnsdomainname required: false type: string - description: "" in: query name: hostname required: false type: string - description: "" in: query name: osmajor required: false type: number - description: "" in: query name: osminor required: false type: number - description: "" in: query name: osproducttype required: false type: string - description: "" in: query name: firstseen required: false type: string - description: "" in: query name: lastseen required: false type: string - description: "" in: query name: version required: false type: string - description: "" in: query name: pinned_version required: false type: string - description: "" in: query name: rollback_version required: false type: string - description: "" in: query name: bitness required: false type: string - description: "" in: query name: domain required: false type: string - description: "" in: query name: installdate required: false type: string - description: "" in: query name: ipaddress required: false type: string - description: "" in: query name: external_ipaddress required: false type: string - description: "" in: query name: osbuild required: false type: number - 
description: "" in: query name: osid required: false type: string - description: "" in: query name: osrevision required: false type: number - description: "" in: query name: osversion required: false type: string - description: "" in: query name: producttype required: false type: string - description: "" in: query name: servicepack required: false type: string - description: "" in: query name: total_memory required: false type: number - description: "" in: query name: cpu_count required: false type: number - description: "" in: query name: cpu_frequency required: false type: number - description: "" in: query name: avg_cpu required: false type: number - description: "" in: query name: avg_memory required: false type: number - description: "" in: query name: avg_system_cpu required: false type: number - description: "" in: query name: avg_system_memory required: false type: number - description: "" in: query name: starttime required: false type: string - description: "" in: query name: machine_boottime required: false type: string - description: "" in: query name: machine_serial required: false type: string - description: "" in: query name: subnet__gateway_ipaddress required: false type: string - description: "" in: query name: subnet__gateway_macaddress required: false type: string - description: "" in: query name: subnet__name required: false type: string - description: "" in: query name: isolation_state required: false type: string - description: "" in: query name: antivirus_name required: false type: string - description: "" in: query name: antivirus_version required: false type: string - description: "" in: query name: antivirus_rules_version required: false type: string - description: "" in: query name: antivirus_last_update_date required: false type: string - description: "" in: query name: antivirus_rules_last_update_date required: false type: string - description: "" in: query name: additional_info required: false type: string - description: "" in: query 
name: additional_info__additional_info1 required: false type: string - description: "" in: query name: additional_info__additional_info2 required: false type: string - description: "" in: query name: additional_info__additional_info3 required: false type: string - description: "" in: query name: additional_info__additional_info4 required: false type: string - description: "" in: query name: description required: false type: string - description: "" in: query name: effective_antivirus_policy_id required: false type: string - description: "" in: query name: effective_antivirus_policy_revision required: false type: number - description: "" in: query name: boot_loop_protection_end_date required: false type: string - description: "" in: query name: boot_loop_protection_boot_count required: false type: number - description: "" in: query name: telemetry_last_update required: false type: string - description: "" in: query name: should_change_id required: false type: string - description: "" in: query name: protocol required: false type: number - description: "" in: query name: host required: false type: string - description: "" in: query name: port required: false type: number - description: "" in: query name: public_server_signature required: false type: string - description: "" in: query name: proxy_protocol required: false type: number - description: "" in: query name: proxy_host required: false type: string - description: "" in: query name: proxy_port required: false type: number - description: "" in: query name: vdi_salt required: false type: string - description: "" in: query name: update_method required: false type: number - description: "" in: query name: upgrade_status required: false type: string - description: "" in: query name: upgrade_failure_reason required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: $ref: '#/definitions/AgentDatasetsStat' tags: - agent parameters: [] /data/endpoint/Agent/isolate/: parameters: [] post: description: Request network isolation on given agents operationId: data_endpoint_Agent_isolate_many parameters: - in: body name: data required: true schema: $ref: '#/definitions/AgentIdList' responses: "200": description: "" schema: $ref: '#/definitions/AgentIsolation' "404": description: Not found examples: application/json: detail: Not found. tags: - agent /data/endpoint/Agent/stats_os/: get: description: "" operationId: data_endpoint_Agent_stats_os parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: domainname required: false type: string - description: "" in: query name: dnsdomainname required: false type: string - description: "" in: query name: hostname required: false type: string - description: "" in: query name: osmajor required: false type: number - description: "" in: query name: osminor required: false type: number - description: "" in: query name: osproducttype required: false type: string - description: "" in: query name: firstseen required: false type: string - description: "" in: query name: lastseen required: false type: string - description: "" in: query name: version required: false type: string - description: "" in: query name: pinned_version required: false type: string - description: "" in: query name: rollback_version required: false type: string - description: "" in: query name: bitness required: false type: string - description: "" in: query name: domain required: false type: string - description: "" in: query name: installdate required: false type: string - description: "" 
in: query name: ipaddress required: false type: string - description: "" in: query name: external_ipaddress required: false type: string - description: "" in: query name: osbuild required: false type: number - description: "" in: query name: osid required: false type: string - description: "" in: query name: osrevision required: false type: number - description: "" in: query name: osversion required: false type: string - description: "" in: query name: producttype required: false type: string - description: "" in: query name: servicepack required: false type: string - description: "" in: query name: total_memory required: false type: number - description: "" in: query name: cpu_count required: false type: number - description: "" in: query name: cpu_frequency required: false type: number - description: "" in: query name: avg_cpu required: false type: number - description: "" in: query name: avg_memory required: false type: number - description: "" in: query name: avg_system_cpu required: false type: number - description: "" in: query name: avg_system_memory required: false type: number - description: "" in: query name: starttime required: false type: string - description: "" in: query name: machine_boottime required: false type: string - description: "" in: query name: machine_serial required: false type: string - description: "" in: query name: subnet__gateway_ipaddress required: false type: string - description: "" in: query name: subnet__gateway_macaddress required: false type: string - description: "" in: query name: subnet__name required: false type: string - description: "" in: query name: isolation_state required: false type: string - description: "" in: query name: antivirus_name required: false type: string - description: "" in: query name: antivirus_version required: false type: string - description: "" in: query name: antivirus_rules_version required: false type: string - description: "" in: query name: antivirus_last_update_date required: false type: 
string - description: "" in: query name: antivirus_rules_last_update_date required: false type: string - description: "" in: query name: additional_info required: false type: string - description: "" in: query name: additional_info__additional_info1 required: false type: string - description: "" in: query name: additional_info__additional_info2 required: false type: string - description: "" in: query name: additional_info__additional_info3 required: false type: string - description: "" in: query name: additional_info__additional_info4 required: false type: string - description: "" in: query name: description required: false type: string - description: "" in: query name: effective_antivirus_policy_id required: false type: string - description: "" in: query name: effective_antivirus_policy_revision required: false type: number - description: "" in: query name: boot_loop_protection_end_date required: false type: string - description: "" in: query name: boot_loop_protection_boot_count required: false type: number - description: "" in: query name: telemetry_last_update required: false type: string - description: "" in: query name: should_change_id required: false type: string - description: "" in: query name: protocol required: false type: number - description: "" in: query name: host required: false type: string - description: "" in: query name: port required: false type: number - description: "" in: query name: public_server_signature required: false type: string - description: "" in: query name: proxy_protocol required: false type: number - description: "" in: query name: proxy_host required: false type: string - description: "" in: query name: proxy_port required: false type: number - description: "" in: query name: vdi_salt required: false type: string - description: "" in: query name: update_method required: false type: number - description: "" in: query name: upgrade_status required: false type: string - description: "" in: query name: upgrade_failure_reason 
required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query minLength: 1 name: fields required: true type: string responses: "200": description: "" schema: $ref: '#/definitions/AgentOsStat' "400": description: Missing or invalid field parameter examples: application/json: fields: 'Only allowed parameters: `producttype` and `osproducttype.' tags: - agent parameters: [] /data/endpoint/Agent/stats_policies/: get: description: For telemetries, on alert and live counts as enabled. operationId: data_endpoint_Agent_stats_policies parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: domainname required: false type: string - description: "" in: query name: dnsdomainname required: false type: string - description: "" in: query name: hostname required: false type: string - description: "" in: query name: osmajor required: false type: number - description: "" in: query name: osminor required: false type: number - description: "" in: query name: osproducttype required: false type: string - description: "" in: query name: firstseen required: false type: string - description: "" in: query name: lastseen required: false type: string - description: "" in: query name: version required: false type: string - description: "" in: query name: pinned_version required: false type: string - description: "" in: query name: rollback_version required: false type: string - description: "" in: query name: bitness required: false type: string - description: "" in: query name: domain required: false type: string - description: "" in: query 
name: installdate required: false type: string - description: "" in: query name: ipaddress required: false type: string - description: "" in: query name: external_ipaddress required: false type: string - description: "" in: query name: osbuild required: false type: number - description: "" in: query name: osid required: false type: string - description: "" in: query name: osrevision required: false type: number - description: "" in: query name: osversion required: false type: string - description: "" in: query name: producttype required: false type: string - description: "" in: query name: servicepack required: false type: string - description: "" in: query name: total_memory required: false type: number - description: "" in: query name: cpu_count required: false type: number - description: "" in: query name: cpu_frequency required: false type: number - description: "" in: query name: avg_cpu required: false type: number - description: "" in: query name: avg_memory required: false type: number - description: "" in: query name: avg_system_cpu required: false type: number - description: "" in: query name: avg_system_memory required: false type: number - description: "" in: query name: starttime required: false type: string - description: "" in: query name: machine_boottime required: false type: string - description: "" in: query name: machine_serial required: false type: string - description: "" in: query name: subnet__gateway_ipaddress required: false type: string - description: "" in: query name: subnet__gateway_macaddress required: false type: string - description: "" in: query name: subnet__name required: false type: string - description: "" in: query name: isolation_state required: false type: string - description: "" in: query name: antivirus_name required: false type: string - description: "" in: query name: antivirus_version required: false type: string - description: "" in: query name: antivirus_rules_version required: false type: string - description: "" 
in: query name: antivirus_last_update_date required: false type: string - description: "" in: query name: antivirus_rules_last_update_date required: false type: string - description: "" in: query name: additional_info required: false type: string - description: "" in: query name: additional_info__additional_info1 required: false type: string - description: "" in: query name: additional_info__additional_info2 required: false type: string - description: "" in: query name: additional_info__additional_info3 required: false type: string - description: "" in: query name: additional_info__additional_info4 required: false type: string - description: "" in: query name: description required: false type: string - description: "" in: query name: effective_antivirus_policy_id required: false type: string - description: "" in: query name: effective_antivirus_policy_revision required: false type: number - description: "" in: query name: boot_loop_protection_end_date required: false type: string - description: "" in: query name: boot_loop_protection_boot_count required: false type: number - description: "" in: query name: telemetry_last_update required: false type: string - description: "" in: query name: should_change_id required: false type: string - description: "" in: query name: protocol required: false type: number - description: "" in: query name: host required: false type: string - description: "" in: query name: port required: false type: number - description: "" in: query name: public_server_signature required: false type: string - description: "" in: query name: proxy_protocol required: false type: number - description: "" in: query name: proxy_host required: false type: string - description: "" in: query name: proxy_port required: false type: number - description: "" in: query name: vdi_salt required: false type: string - description: "" in: query name: update_method required: false type: number - description: "" in: query name: upgrade_status required: false type: 
string - description: "" in: query name: upgrade_failure_reason required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: $ref: '#/definitions/AgentPoliciesStat' summary: Enabled agent counts for all policy options tags: - agent parameters: [] /data/endpoint/Agent/uninstall/: parameters: [] post: description: "" operationId: data_endpoint_Agent_uninstall_many parameters: - in: body name: data required: true schema: $ref: '#/definitions/AgentIdList' responses: "200": description: Success examples: application/json: status: uninstall requested "404": description: Not found examples: application/json: detail: Not found. tags: - agent /data/endpoint/Agent/update/: parameters: [] post: description: "" operationId: data_endpoint_Agent_request_update_many parameters: - in: body name: data required: true schema: $ref: '#/definitions/AgentIdList' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "400": description: Invalid target for agent "404": description: Not found examples: application/json: detail: Not found. tags: - agent /data/endpoint/Agent/{agent_pk}/RemoteShellSession/: get: description: "" operationId: data_endpoint_Agent_RemoteShellSession_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: active required: false type: string - description: "" in: query name: agent_id required: false type: string - description: "" in: query name: user_id required: false type: string - description: Number of results to return per page. 
in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query name: id required: false type: string - in: query name: agent.id required: false type: string - in: query name: agent.hostname required: false type: string - in: query name: user.id required: false type: string - in: query name: user.username required: false type: string responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/RemoteShellSessionList' type: array required: - count - results type: object tags: - agent parameters: - in: path name: agent_pk required: true type: string post: description: "" operationId: data_endpoint_Agent_RemoteShellSession_create parameters: [] responses: "201": description: "" schema: $ref: '#/definitions/RemoteShellSession' "403": description: Forbidden "504": description: "" schema: $ref: '#/definitions/RemoteShellErrorCodeResponse' tags: - agent /data/endpoint/Agent/{agent_pk}/RemoteShellSession/possible_commands/: get: description: "" operationId: data_endpoint_Agent_RemoteShellSession_possible_commands parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: active required: false type: string - description: "" in: query name: agent_id required: false type: string - description: "" in: query name: user_id required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: $ref: '#/definitions/RemoteShellPossibleCommands' tags: - agent parameters: - in: path name: agent_pk required: true type: string /data/endpoint/Agent/{agent_pk}/RemoteShellSession/{id}/: get: description: "" operationId: data_endpoint_Agent_RemoteShellSession_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/RemoteShellSessionList' tags: - agent parameters: - in: path name: agent_pk required: true type: string - in: path name: id required: true type: string /data/endpoint/Agent/{agent_pk}/RemoteShellSession/{id}/close/: parameters: - in: path name: agent_pk required: true type: string - in: path name: id required: true type: string post: description: "" operationId: data_endpoint_Agent_RemoteShellSession_close parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "404": description: "" schema: $ref: '#/definitions/RemoteShellErrorCodeResponse' tags: - agent /data/endpoint/Agent/{agent_pk}/RemoteShellSession/{id}/poll/: get: description: "" operationId: data_endpoint_Agent_RemoteShellSession_poll_read parameters: - in: query name: timestamp required: false type: number responses: "200": description: "" schema: $ref: '#/definitions/RemoteShellPollResponse' "404": description: "" schema: $ref: '#/definitions/RemoteShellErrorCodeResponse' tags: - agent parameters: - in: path name: agent_pk required: true type: string - in: path name: id required: true type: string post: description: "" operationId: data_endpoint_Agent_RemoteShellSession_poll_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/RemoteShellPollRequest' responses: "201": description: "" schema: $ref: '#/definitions/RemoteShellCommand' "400": description: "" schema: $ref: '#/definitions/RemoteShellErrorCodeResponse' "403": description: Forbidden "404": description: "" schema: $ref: 
'#/definitions/RemoteShellErrorCodeResponse' tags: - agent /data/endpoint/Agent/{agent_pk}/applications/: get: description: "" operationId: data_endpoint_Agent_applications_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: publisher required: false type: string - description: "" in: query name: ostype required: false type: string - description: "" in: query name: cpe_prefix required: false type: string - description: "" in: query name: app_type required: false type: string - description: "" in: query name: package_manager required: false type: string - description: "" in: query name: description required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query minLength: 1 name: agentId required: true type: string - in: query name: active required: false type: boolean - in: query name: installation_date required: false type: string - in: query name: first_seen required: false type: string - in: query name: last_seen required: false type: string - in: query name: installation_count required: false type: number - in: query name: first_version required: false type: string - in: query name: last_version required: false type: string responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/AgentApplication' type: array required: - count - results type: object tags: - agent parameters: - in: path name: agent_pk required: true type: string /data/endpoint/Agent/{agent_pk}/applications/export/: get: description: Endpoint for exporting the current queryset as a CSV file. operationId: data_endpoint_Agent_applications_export parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: publisher required: false type: string - description: "" in: query name: ostype required: false type: string - description: "" in: query name: cpe_prefix required: false type: string - description: "" in: query name: app_type required: false type: string - description: "" in: query name: package_manager required: false type: string - description: "" in: query name: description required: false type: string - description: Number of results to return per page. 
in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 description: 'Review note: appears to bound the number of rows written to the CSV (0-500000, default 100); the spec does not state the semantics, confirm against the implementation.' in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true description: 'Review note: appears to control escaping of cell values in the generated CSV. Leave it at the default (true) when the file will be opened in a spreadsheet, since fields such as name, publisher and description are reported by endpoints and may contain formula-like content.' in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - agent parameters: - in: path name: agent_pk required: true type: string /data/endpoint/Agent/{id}/: delete: description: "" operationId: data_endpoint_Agent_delete parameters: [] responses: "200": description: Success examples: application/json: status: agent deleted "404": description: Not found examples: application/json: detail: Not found. tags: - agent get: description: "" operationId: data_endpoint_Agent_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/AgentDetail' tags: - agent parameters: - in: path name: id required: true type: string patch: description: "" operationId: data_endpoint_Agent_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/AgentEdit' responses: "200": description: Success examples: application/json: status: agent updated "400": description: Invalid form examples: application/json: field_name: - error message - other error message "404": description: Not found examples: application/json: detail: Not found. tags: - agent put: description: "" operationId: data_endpoint_Agent_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/AgentEdit' responses: "200": description: Success examples: application/json: status: agent updated "400": description: Invalid form examples: application/json: field_name: - error message - other error message "404": description: Not found examples: application/json: detail: Not found. 
tags: - agent /data/endpoint/Agent/{id}/applications/{app_id}/installations/: get: description: "" operationId: data_endpoint_Agent_applications_installations parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/AgentInstallation' "404": description: Not found examples: application/json: detail: Not found. tags: - agent parameters: - in: path name: id required: true type: string - in: path name: app_id required: true type: string /data/endpoint/Agent/{id}/cancel_update/: parameters: - in: path name: id required: true type: string post: description: "" operationId: data_endpoint_Agent_cancel_update_request parameters: [] responses: "200": description: Success examples: application/json: status: update cancel attempted "400": description: Failure examples: application/json: status: Redis agent data not found "404": description: Not found examples: application/json: detail: Not found. tags: - agent /data/endpoint/Agent/{id}/change_id/: parameters: - in: path name: id required: true type: string post: description: "" operationId: data_endpoint_Agent_change_id parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "404": description: Not found examples: application/json: detail: Not found. 
"501": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - agent /data/endpoint/Agent/{id}/clearStore/: parameters: - in: path name: id required: true type: string post: description: "" operationId: data_endpoint_Agent_clear_store parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "400": description: Invalid target for agent tags: - agent /data/endpoint/Agent/{id}/deisolate/: parameters: - in: path name: id required: true type: string post: description: Request that network isolation be lifted on a given agent (the reverse of the isolate action) operationId: data_endpoint_Agent_deisolate parameters: - in: body name: data required: true schema: $ref: '#/definitions/AgentDetail' responses: "200": description: "" schema: $ref: '#/definitions/AgentIsolation' tags: - agent /data/endpoint/Agent/{id}/disks/: get: description: "" operationId: data_endpoint_Agent_disks parameters: [] responses: "200": description: "" schema: items: $ref: '#/definitions/AgentDisk' type: array "404": description: Not found examples: application/json: detail: Not found. 
tags: - agent parameters: - in: path name: id required: true type: string /data/endpoint/Agent/{id}/downloadFile/: parameters: - in: path name: id required: true type: string post: description: "" operationId: data_endpoint_Agent_downloadFile parameters: - in: body name: data required: true schema: $ref: '#/definitions/AgentDownloadFileQuery' responses: "201": description: "" schema: $ref: '#/definitions/JobLight' "400": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - agent /data/endpoint/Agent/{id}/force_fim_scan/: parameters: - in: path name: id required: true type: string post: description: "" operationId: data_endpoint_Agent_force_fim_scan parameters: - in: body name: data required: true schema: $ref: '#/definitions/AgentDetail' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "403": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - agent /data/endpoint/Agent/{id}/generate_self_protection_password/: parameters: - in: path name: id required: true type: string post: description: Request to generate a self-protection password for an agent operationId: data_endpoint_Agent_generate_self_protection_password parameters: - in: body name: data required: true schema: $ref: '#/definitions/AgentSelfProtectionPasswordQuery' responses: "200": description: "" schema: $ref: '#/definitions/AgentSelfProtectionPassword' "400": description: Failure examples: application/json: status: The agent is not configured to use a self-protection password. "404": description: Not found examples: application/json: detail: Not found. 
tags: - agent /data/endpoint/Agent/{id}/isolate/: parameters: - in: path name: id required: true type: string post: description: Request network isolation on a given agent operationId: data_endpoint_Agent_isolate parameters: - in: body name: data required: true schema: $ref: '#/definitions/AgentDetail' responses: "200": description: "" schema: $ref: '#/definitions/AgentIsolation' tags: - agent /data/endpoint/Agent/{id}/jobinstances/: get: description: "" operationId: data_endpoint_Agent_jobinstances parameters: - in: query minLength: 1 name: data_type required: true type: string - in: query minLength: 1 name: data_subtype required: false type: string responses: "200": description: "" schema: items: $ref: '#/definitions/AgentJobInstance' type: array "400": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - agent parameters: - in: path name: id required: true type: string /data/endpoint/Agent/{id}/latest_fim_report/: get: description: "" operationId: data_endpoint_Agent_latest_fim_report parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/LatestFIMReport' "404": description: Not found examples: application/json: detail: Not found. tags: - agent parameters: - in: path name: id required: true type: string /data/endpoint/Agent/{id}/local_groups/: get: description: "" operationId: data_endpoint_Agent_local_groups parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/AgentWindowsLocalGroup' "404": description: Not found examples: application/json: detail: Not found. tags: - agent parameters: - in: path name: id required: true type: string /data/endpoint/Agent/{id}/local_users/: get: description: "" operationId: data_endpoint_Agent_local_users parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/AgentWindowsLocalUser' "404": description: Not found examples: application/json: detail: Not found. 
tags: - agent parameters: - in: path name: id required: true type: string /data/endpoint/Agent/{id}/logs/: delete: description: "" operationId: data_endpoint_Agent_logs parameters: [] responses: "204": description: "" tags: - agent parameters: - in: path name: id required: true type: string /data/endpoint/Agent/{id}/network_interfaces/: get: description: "" operationId: data_endpoint_Agent_network_interfaces parameters: [] responses: "200": description: "" schema: items: $ref: '#/definitions/AgentNetInterface' type: array "404": description: Not found examples: application/json: detail: Not found. tags: - agent parameters: - in: path name: id required: true type: string /data/endpoint/Agent/{id}/qfes/: get: description: "" operationId: data_endpoint_Agent_qfes parameters: [] responses: "200": description: "" schema: items: $ref: '#/definitions/AgentWindowsQfe' type: array "404": description: Not found examples: application/json: detail: Not found. tags: - agent parameters: - in: path name: id required: true type: string /data/endpoint/Agent/{id}/quarantine/history/: get: description: "" operationId: data_endpoint_Agent_quarantine_quarantine_history parameters: [] responses: "200": description: "" schema: items: $ref: '#/definitions/QuarantineActionHistory' type: array "404": description: Not found examples: application/json: detail: Not found. tags: - agent parameters: - in: path name: id required: true type: string /data/endpoint/Agent/{id}/refresh_host_properties/: parameters: - in: path name: id required: true type: string post: description: "" operationId: data_endpoint_Agent_refresh_host_properties parameters: [] responses: "200": description: Success examples: application/json: status: Sent host properties refresh request to agent "400": description: Failure examples: application/json: status: Redis agent data not found "404": description: Not found examples: application/json: detail: Not found. 
tags: - agent /data/endpoint/Agent/{id}/refresh_quarantine/: parameters: - in: path name: id required: true type: string post: description: "" operationId: data_endpoint_Agent_refresh_quarantine parameters: [] responses: "200": description: Success examples: application/json: status: Sent quarantine refresh request to agent "400": description: Failure examples: application/json: status: Redis agent data not found "404": description: Not found examples: application/json: detail: Not found. tags: - agent /data/endpoint/Agent/{id}/request_send_telemetry/: parameters: - in: path name: id required: true type: string post: description: "" operationId: data_endpoint_Agent_request_send_telemetry parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "404": description: Not found examples: application/json: detail: Not found. "501": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - agent /data/endpoint/Agent/{id}/request_vulnscan/: parameters: - in: path name: id required: true type: string post: description: "" operationId: data_endpoint_Agent_request_vulnscan parameters: - in: body name: data required: true schema: $ref: '#/definitions/AgentDetail' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "403": description: Feature not enabled on this stack examples: application/json: error: Feature not enabled on this stack schema: properties: error: type: string required: - error type: object "404": description: Not found examples: application/json: detail: Not found. tags: - agent /data/endpoint/Agent/{id}/restart/: parameters: - in: path name: id required: true type: string post: description: "" operationId: data_endpoint_Agent_restart parameters: [] responses: "200": description: Success examples: application/json: status: restart requested "404": description: Not found examples: application/json: detail: Not found. 
"501": description: Incompatible Agent examples: application/json: status: cannot restart python agent tags: - agent /data/endpoint/Agent/{id}/restart_endpoint/: parameters: - in: path name: id required: true type: string post: description: "" operationId: data_endpoint_Agent_restart_endpoint parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "404": description: Not found examples: application/json: detail: Not found. "501": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - agent /data/endpoint/Agent/{id}/retrieve_logs/: parameters: - in: path name: id required: true type: string post: description: "" operationId: data_endpoint_Agent_retrieve_logs parameters: [] responses: "200": description: Success examples: application/json: status: Sent request to retrieve saved logs to agent "400": description: Failure examples: application/json: status: Redis agent data not found "404": description: Not found examples: application/json: detail: Not found. tags: - agent /data/endpoint/Agent/{id}/self_upgrade_logs/: get: description: "" operationId: data_endpoint_Agent_self_upgrade_log parameters: - description: |- Which file to operate on: * 0: self-upgrade.log * 1: setupapi.app.log enum: - 0 - 1 in: query name: file_kind required: true type: integer responses: "200": description: "" schema: $ref: '#/definitions/AgentLogFile' "400": description: Failure examples: application/json: status: 'Invalid log file kind `123`, expected one of: 0, 1' "404": description: Not found examples: application/json: detail: Not found. summary: Get the requested file's contents and metadata. 
tags: - agent parameters: - in: path name: id required: true type: string /data/endpoint/Agent/{id}/self_upgrade_logs/data/: get: description: "" operationId: data_endpoint_Agent_self_upgrade_log_data parameters: - description: |- Which file to operate on: * 0: self-upgrade.log * 1: setupapi.app.log enum: - 0 - 1 in: query name: file_kind required: true type: integer responses: "200": description: Success examples: application/json: some log file contents "400": description: Failure examples: application/json: status: 'Invalid log file kind `123`, expected one of: 0, 1' "404": description: Not found examples: application/json: detail: Not found. summary: Get the requested file's content data only for download. tags: - agent parameters: - in: path name: id required: true type: string /data/endpoint/Agent/{id}/self_upgrade_logs/remove/: parameters: - in: path name: id required: true type: string post: description: | Sends a message to the agent given in the URL for it to remove its self-upgrade log file. No file kind number is accepted in this request: only `self-upgrade.log` is supported for removal. This is an asynchronous operation with respect to the global agent communication: the message is sent to the distribution queue and this method then responds immediately with the status of that operation. As a consequence, there is no way here to know whether the actual deletion worked or not. Also, this will only work for online agents: there is no retry to the message sending. operationId: data_endpoint_Agent_self_upgrade_logs_remove parameters: [] responses: "200": description: Success examples: application/json: status: Sent request to remove self-upgrade logs to agent "400": description: Failure examples: application/json: status: 'Unexpected request body or params: only one file kind supported here' "404": description: Not found examples: application/json: detail: Not found. summary: Ask the agent to remove its self-upgrade logs. 
tags: - agent /data/endpoint/Agent/{id}/self_upgrade_logs/retrieve/: parameters: - in: path name: id required: true type: string post: description: | Sends a message to the agent given in the URL for it to upload a self-upgrade log file identified by the kind number provided in this request's body. This is an asynchronous operation with respect to the global agent communication: the message is sent to the distribution queue and this method then responds immediately with the status of that operation. As a consequence, the file's metadata and contents have to be fetched separately. Also, this will only work for online agents: there is no retry to the message sending. operationId: data_endpoint_Agent_self_upgrade_logs_retrieve parameters: - in: body name: data required: true schema: $ref: '#/definitions/AgentLogFileQuery' responses: "200": description: Success examples: application/json: status: Sent request to retrieve self-upgrade log `0` to agent "400": description: Failure examples: application/json: status: 'Invalid log file kind `123`, expected one of: 0, 1' "404": description: Not found examples: application/json: detail: Not found. summary: Ask the agent to send a self-upgrade log of some kind. tags: - agent /data/endpoint/Agent/{id}/stats_resource/: get: description: "" operationId: data_endpoint_Agent_stats_resource parameters: - format: date-time in: query name: to required: true type: string - format: date-time in: query name: from required: true type: string responses: "200": description: "" schema: $ref: '#/definitions/AgentDatasetsStat' "400": description: Missing or invalid from/to parameters examples: application/json: from: - Valid datetime format is %Y-%m-%dT%H:%M%z. 
tags: - agent parameters: - in: path name: id required: true type: string /data/endpoint/Agent/{id}/uninstall/: parameters: - in: path name: id required: true type: string post: description: "" operationId: data_endpoint_Agent_uninstall parameters: [] responses: "200": description: Success examples: application/json: status: uninstall requested "404": description: Not found examples: application/json: detail: Not found. tags: - agent /data/endpoint/Agent/{id}/update/: parameters: - in: path name: id required: true type: string post: description: "" operationId: data_endpoint_Agent_request_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/AgentVersion' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "400": description: Invalid target for agent "404": description: Not found examples: application/json: detail: Not found. tags: - agent /data/endpoint/Agent/{id}/update_additional_infos/: parameters: - in: path name: id required: true type: string post: description: "" operationId: data_endpoint_Agent_update_additional_infos parameters: - in: body name: data required: true schema: $ref: '#/definitions/AgentAdditionalInfos' responses: "200": description: Success examples: application/json: status: Updated additional infos for the agent "400": description: Failure examples: application/json: status: Redis agent data not found "404": description: Not found examples: application/json: detail: Not found. tags: - agent /data/endpoint/AntivirusPolicy/: get: description: "" operationId: data_endpoint_AntivirusPolicy_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: description required: false type: string - description: "" in: query name: creation_date required: false type: string - description: "" in: query name: last_update required: false type: string - description: "" in: query name: last_modifier required: false type: string - description: "" in: query name: origin_stack_id required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query name: antivirus_slug required: false type: string - in: query name: last_modifier.id required: false type: number - in: query name: last_modifier.username required: false type: string - in: query name: agent_count required: false type: number responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/ListAntivirusPolicy' type: array required: - count - results type: object tags: - agent parameters: [] post: description: "" operationId: data_endpoint_AntivirusPolicy_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/CreateAntivirusPolicy' responses: "201": description: "" schema: $ref: '#/definitions/CreateAntivirusPolicy' tags: - agent /data/endpoint/AntivirusPolicy/delete/: delete: description: 'Delete several antivirus policies (called profiles in these descriptions) at once. The IDs to delete are sent in the DELETE request body (ProfileIdList); some HTTP clients and intermediaries do not forward a body with DELETE, in which case the request arrives with no IDs. The documented 200 response is a status message only and does not enumerate which IDs were removed.' 
operationId: data_endpoint_AntivirusPolicy_delete_list parameters: - in: body name: data required: true schema: $ref: '#/definitions/ProfileIdList' responses: "200": description: Success examples: application/json: status: profiles deleted tags: - agent parameters: [] /data/endpoint/AntivirusPolicy/policy_names/: get: description: "" operationId: data_endpoint_AntivirusPolicy_policy_names parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: description required: false type: string - description: "" in: query name: creation_date required: false type: string - description: "" in: query name: last_update required: false type: string - description: "" in: query name: last_modifier required: false type: string - description: "" in: query name: origin_stack_id required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: items: $ref: '#/definitions/_NamesAntivirusPolicy' type: array tags: - agent parameters: [] /data/endpoint/AntivirusPolicy/{id}/: delete: description: To delete one antivirus profile. operationId: data_endpoint_AntivirusPolicy_delete parameters: [] responses: "204": description: "" "404": description: Not found examples: application/json: detail: Not found. tags: - agent get: description: "" operationId: data_endpoint_AntivirusPolicy_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/RetrieveAntivirusPolicy' tags: - agent parameters: - in: path name: id required: true type: string patch: description: To update one antivirus profile. 
operationId: data_endpoint_AntivirusPolicy_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditAntivirusPolicy' responses: "200": description: "" schema: $ref: '#/definitions/RetrieveAntivirusPolicy' "400": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - agent put: description: To update one antivirus profile. operationId: data_endpoint_AntivirusPolicy_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditAntivirusPolicy' responses: "200": description: "" schema: $ref: '#/definitions/RetrieveAntivirusPolicy' "400": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - agent /data/endpoint/FIM/FileModification/: get: description: "" operationId: data_endpoint_FIM_FileModification_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: type required: false type: string - description: "" in: query name: path required: false type: string - description: "" in: query name: previous_entry_type required: false type: string - description: "" in: query name: previous_size required: false type: number - description: "" in: query name: previous_hash required: false type: string - description: "" in: query name: previous_last_modification_time required: false type: string - description: "" in: query name: previous_uid required: false type: number - description: "" in: query name: previous_gid required: false type: number - description: "" in: query name: previous_access_mode required: false type: number - description: "" in: query name: previous_last_change_time required: false type: string - description: "" in: query name: current_entry_type required: false type: string - description: "" in: query name: 
current_size required: false type: number - description: "" in: query name: current_hash required: false type: string - description: "" in: query name: current_last_modification_time required: false type: string - description: "" in: query name: current_uid required: false type: number - description: "" in: query name: current_gid required: false type: number - description: "" in: query name: current_access_mode required: false type: number - description: "" in: query name: current_last_change_time required: false type: string - description: "" in: query name: highest_criticality required: false type: string - description: "" in: query name: creation_date required: false type: string - description: "" in: query name: status required: false type: string - description: "" in: query name: last_scan_with_changes required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - format: uuid in: query name: report_id required: true type: string - in: query name: last_update required: false type: string - in: query name: last_modifier.id required: false type: number - in: query name: last_modifier.username required: false type: string - in: query name: agent.hostname required: false type: string responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/ListFIMFileModification' type: array required: - count - results type: object tags: - agent parameters: [] /data/endpoint/FIM/FileModification/bulk_update/: parameters: [] patch: description: "" operationId: data_endpoint_FIM_FileModification_bulk_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/BulkUpdateFIMFileModification' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "400": description: Invalid form examples: application/json: field_name: - error message - other error message "404": description: Not found examples: application/json: detail: Not found. tags: - agent /data/endpoint/FIM/FileModification/export/: get: description: Endpoint for exporting the current queryset as a CSV file. operationId: data_endpoint_FIM_FileModification_export parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: type required: false type: string - description: "" in: query name: path required: false type: string - description: "" in: query name: previous_entry_type required: false type: string - description: "" in: query name: previous_size required: false type: number - description: "" in: query name: previous_hash required: false type: string - description: "" in: query name: previous_last_modification_time required: false type: string - description: "" in: query name: previous_uid required: false type: number - description: "" in: query name: previous_gid required: false type: number - description: "" in: query name: previous_access_mode required: false type: number - description: "" in: query name: previous_last_change_time required: false type: string - description: "" in: query name: current_entry_type required: false type: string - description: "" in: query name: current_size required: false type: number - description: "" in: query name: current_hash required: false type: string - description: "" in: query name: current_last_modification_time required: false type: string - description: "" in: query name: current_uid required: false type: number - description: "" in: query name: current_gid required: false type: number - description: "" in: query name: current_access_mode required: false type: number - description: "" in: query name: current_last_change_time required: false type: string - description: "" in: query name: highest_criticality required: false type: string - description: "" in: query name: creation_date required: false type: string - description: "" in: query name: status required: false type: string - description: "" in: query name: last_scan_with_changes required: false type: string - description: Number of results to return per page. 
in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - agent parameters: [] /data/endpoint/FIM/FileModification/stats/level/: get: description: "" operationId: data_endpoint_FIM_FileModification_stats_stats_per_level parameters: - description: A search term. in: query name: search required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: type required: false type: string - description: "" in: query name: path required: false type: string - description: "" in: query name: previous_entry_type required: false type: string - description: "" in: query name: previous_size required: false type: number - description: "" in: query name: previous_hash required: false type: string - description: "" in: query name: previous_last_modification_time required: false type: string - description: "" in: query name: previous_uid required: false type: number - description: "" in: query name: previous_gid required: false type: number - description: "" in: query name: previous_access_mode required: false type: number - description: "" in: query name: previous_last_change_time required: false type: string - description: "" in: query name: current_entry_type required: false type: string - description: "" in: query name: current_size required: false type: number - description: "" in: query name: current_hash required: false type: string - description: "" in: query name: current_last_modification_time required: false type: string - description: "" in: query name: current_uid required: 
false type: number - description: "" in: query name: current_gid required: false type: number - description: "" in: query name: current_access_mode required: false type: number - description: "" in: query name: current_last_change_time required: false type: string - description: "" in: query name: highest_criticality required: false type: string - description: "" in: query name: creation_date required: false type: string - description: "" in: query name: status required: false type: string - description: "" in: query name: last_scan_with_changes required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - format: uuid in: query name: report_id required: true type: string responses: "200": description: "" schema: items: $ref: '#/definitions/FIMFileModificationPerLevelStatsResponse' type: array tags: - agent parameters: [] /data/endpoint/FIM/FileModification/stats/path/: get: description: "" operationId: data_endpoint_FIM_FileModification_stats_stats_per_path parameters: - description: A search term. 
in: query name: search required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: type required: false type: string - description: "" in: query name: path required: false type: string - description: "" in: query name: previous_entry_type required: false type: string - description: "" in: query name: previous_size required: false type: number - description: "" in: query name: previous_hash required: false type: string - description: "" in: query name: previous_last_modification_time required: false type: string - description: "" in: query name: previous_uid required: false type: number - description: "" in: query name: previous_gid required: false type: number - description: "" in: query name: previous_access_mode required: false type: number - description: "" in: query name: previous_last_change_time required: false type: string - description: "" in: query name: current_entry_type required: false type: string - description: "" in: query name: current_size required: false type: number - description: "" in: query name: current_hash required: false type: string - description: "" in: query name: current_last_modification_time required: false type: string - description: "" in: query name: current_uid required: false type: number - description: "" in: query name: current_gid required: false type: number - description: "" in: query name: current_access_mode required: false type: number - description: "" in: query name: current_last_change_time required: false type: string - description: "" in: query name: highest_criticality required: false type: string - description: "" in: query name: creation_date required: false type: string - description: "" in: query name: status required: false type: string - description: "" in: query name: last_scan_with_changes required: false type: string - description: Number of results to return per page. 
in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - format: uuid in: query name: report_id required: true type: string responses: "200": description: "" schema: items: $ref: '#/definitions/FIMStatsResponse' type: array tags: - agent parameters: [] /data/endpoint/FIM/FileModification/stats/type/: get: description: "" operationId: data_endpoint_FIM_FileModification_stats_stats_per_type parameters: - description: A search term. in: query name: search required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: type required: false type: string - description: "" in: query name: path required: false type: string - description: "" in: query name: previous_entry_type required: false type: string - description: "" in: query name: previous_size required: false type: number - description: "" in: query name: previous_hash required: false type: string - description: "" in: query name: previous_last_modification_time required: false type: string - description: "" in: query name: previous_uid required: false type: number - description: "" in: query name: previous_gid required: false type: number - description: "" in: query name: previous_access_mode required: false type: number - description: "" in: query name: previous_last_change_time required: false type: string - description: "" in: query name: current_entry_type required: false type: string - description: "" in: query name: current_size required: false type: number - description: "" in: query name: current_hash required: false type: string - description: "" in: query name: current_last_modification_time required: false type: string - description: "" in: query name: current_uid required: false type: number - description: "" in: query name: current_gid required: false type: number - description: "" in: query name: current_access_mode 
required: false type: number - description: "" in: query name: current_last_change_time required: false type: string - description: "" in: query name: highest_criticality required: false type: string - description: "" in: query name: creation_date required: false type: string - description: "" in: query name: status required: false type: string - description: "" in: query name: last_scan_with_changes required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - format: uuid in: query name: report_id required: true type: string responses: "200": description: "" schema: items: $ref: '#/definitions/FIMFileModificationPerTypeStatsResponse' type: array tags: - agent parameters: [] /data/endpoint/FIM/FileModification/{id}/: get: description: "" operationId: data_endpoint_FIM_FileModification_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/DetailFIMFileModification' tags: - agent parameters: - description: A UUID string identifying this fim file modification. 
format: uuid in: path name: id required: true type: string patch: description: "" operationId: data_endpoint_FIM_FileModification_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/UpdateFIMFileModification' responses: "200": description: "" schema: $ref: '#/definitions/UpdateFIMFileModification' tags: - agent put: description: "" operationId: data_endpoint_FIM_FileModification_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/UpdateFIMFileModification' responses: "200": description: "" schema: $ref: '#/definitions/UpdateFIMFileModification' tags: - agent /data/endpoint/FIM/FileModificationByAgent/: get: description: "" operationId: data_endpoint_FIM_FileModificationByAgent_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: last_update required: false type: string - description: "" in: query name: creation_date required: false type: string - description: "" in: query name: last_modifier required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: report required: false type: string - description: "" in: query name: agent required: false type: string - description: "" in: query name: low_level_count required: false type: number - description: "" in: query name: medium_level_count required: false type: number - description: "" in: query name: high_level_count required: false type: number - description: "" in: query name: critical_level_count required: false type: number - description: "" in: query name: highest_criticality required: false type: string - description: "" in: query name: last_modification_date required: false type: string - description: Number of results to return per page. 
in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query minLength: 1 name: report_id required: true type: string - in: query name: modifications_count required: false type: number - in: query name: modifications_accepted_count required: false type: number - in: query name: modifications_rejected_count required: false type: number - in: query name: modifications_not_reviewed_count required: false type: number - in: query name: agent.ostype required: false type: string - in: query name: result required: false type: string - in: query name: agent.hostname required: false type: string responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/AggFIMFileModificationByAgent' type: array required: - count - results type: object tags: - agent parameters: [] /data/endpoint/FIM/FileModificationByAgent/export/: get: description: Endpoint for exporting the current queryset as a CSV file. operationId: data_endpoint_FIM_FileModificationByAgent_export parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: last_update required: false type: string - description: "" in: query name: creation_date required: false type: string - description: "" in: query name: last_modifier required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: report required: false type: string - description: "" in: query name: agent required: false type: string - description: "" in: query name: low_level_count required: false type: number - description: "" in: query name: medium_level_count required: false type: number - description: "" in: query name: high_level_count required: false type: number - description: "" in: query name: critical_level_count required: false type: number - description: "" in: query name: highest_criticality required: false type: string - description: "" in: query name: last_modification_date required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - agent parameters: [] /data/endpoint/FIM/FileModificationByAgent/{id}/: parameters: - in: path name: id required: true type: string patch: description: "" operationId: data_endpoint_FIM_FileModificationByAgent_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/UpdateFIMReportByAgent' responses: "200": description: "" schema: $ref: '#/definitions/UpdateFIMReportByAgent' tags: - agent put: description: "" operationId: data_endpoint_FIM_FileModificationByAgent_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/UpdateFIMReportByAgent' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - agent /data/endpoint/FIM/FileModificationByAgent/{id}/bulk_update/: parameters: - in: path name: id required: true type: string patch: description: "" operationId: data_endpoint_FIM_FileModificationByAgent_bulk_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/BulkUpdateFIMReportByAgent' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "400": description: Invalid form examples: application/json: field_name: - error message - other error message "404": description: Not found examples: application/json: detail: Not found. tags: - agent /data/endpoint/FIM/FileModificationByPath/: get: description: "" operationId: data_endpoint_FIM_FileModificationByPath_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: path required: false type: string - description: "" in: query name: type required: false type: string - description: "" in: query name: current_entry_type required: false type: string - description: "" in: query name: highest_criticality required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query minLength: 1 name: report_id required: true type: string - in: query name: modifications_count required: false type: number - in: query name: modifications_accepted_count required: false type: number - in: query name: modifications_rejected_count required: false type: number - in: query name: modifications_not_reviewed_count required: false type: number - in: query name: endpoints_count required: false type: number responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/AggFIMFileModificationByPath' type: array required: - count - results type: object tags: - agent parameters: [] /data/endpoint/FIM/FileModificationByPath/export/: get: description: Endpoint for exporting the current queryset as a CSV file. operationId: data_endpoint_FIM_FileModificationByPath_export parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: path required: false type: string - description: "" in: query name: type required: false type: string - description: "" in: query name: current_entry_type required: false type: string - description: "" in: query name: highest_criticality required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - agent parameters: [] /data/endpoint/FIM/FileModificationByPath/{id}/: parameters: - in: path name: id required: true type: string patch: description: "" operationId: data_endpoint_FIM_FileModificationByPath_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/UpdateFIMReportByPath' responses: "200": description: "" schema: $ref: '#/definitions/UpdateFIMReportByPath' tags: - agent put: description: "" operationId: data_endpoint_FIM_FileModificationByPath_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/UpdateFIMReportByPath' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - agent /data/endpoint/FIM/FileModificationByPath/{id}/bulk_update/: parameters: - in: path name: id required: true type: string patch: description: "" operationId: data_endpoint_FIM_FileModificationByPath_bulk_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/BulkUpdateFIMReportByPath' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' 
"400": description: Invalid form examples: application/json: field_name: - error message - other error message "404": description: Not found examples: application/json: detail: Not found. tags: - agent /data/endpoint/FIM/PathExclusion/: get: description: "" operationId: data_endpoint_FIM_PathExclusion_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: policy__id required: false type: string - description: "" in: query name: path required: false type: string - description: "" in: query name: path_type required: false type: string - description: "" in: query name: os_type required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query name: policy.id required: false type: string responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/ListFIMPathExclusion' type: array required: - count - results type: object tags: - agent parameters: [] /data/endpoint/FIM/PathExclusion/delete_many_path_exclusions/: delete: description: "" operationId: data_endpoint_FIMPathExclusion_delete parameters: - in: body name: data required: true schema: $ref: '#/definitions/BulkDeleteFIMPathExclusion' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "400": description: invalid input "404": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - agent parameters: [] /data/endpoint/FIM/PathExclusion/{id}/: get: description: "" operationId: data_endpoint_FIM_PathExclusion_read parameters: [] responses: "200": 
description: "" schema: $ref: '#/definitions/ListFIMPathExclusion' tags: - agent parameters: - description: A UUID string identifying this fim path exclusion. format: uuid in: path name: id required: true type: string /data/endpoint/FIM/PathInclusion/: get: description: "" operationId: data_endpoint_FIM_PathInclusion_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: policy__id required: false type: string - description: "" in: query name: path required: false type: string - description: "" in: query name: path_type required: false type: string - description: "" in: query name: scan_type required: false type: string - description: "" in: query name: criticality required: false type: string - description: "" in: query name: os_type required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query name: policy.id required: false type: string responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/ListFIMPathInclusion' type: array required: - count - results type: object tags: - agent parameters: [] /data/endpoint/FIM/PathInclusion/delete_many_path_inclusions/: delete: description: "" operationId: data_endpoint_FIMPathInclusion_delete parameters: - in: body name: data required: true schema: $ref: '#/definitions/BulkDeleteFIMPathInclusion' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "400": description: invalid input "404": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - agent parameters: [] /data/endpoint/FIM/PathInclusion/{id}/: get: description: "" operationId: data_endpoint_FIM_PathInclusion_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ListFIMPathInclusion' tags: - agent parameters: - description: A UUID string identifying this fim path inclusion. format: uuid in: path name: id required: true type: string /data/endpoint/FIM/Policy/: get: description: "" operationId: data_endpoint_FIM_Policy_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: description required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query name: endpoints_count required: false type: number - in: query name: rule_highest_level required: false type: string - in: query name: tenant required: false type: string responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/ListFIMPolicy' type: array required: - count - results type: object tags: - agent parameters: [] post: description: "" operationId: data_endpoint_FIM_Policy_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/CreateFIMPolicy' responses: "201": description: "" schema: $ref: '#/definitions/CreateFIMPolicy' tags: - agent /data/endpoint/FIM/Policy/delete/: delete: description: Delete multiple FIM policies. operationId: data_endpoint_FIM_Policy_delete_list parameters: - in: body name: data required: true schema: $ref: '#/definitions/DeleteFIM' responses: "204": description: Successful policy (or policies) deletion "400": description: Cannot delete a File Integrity Policy used in an Agent Policy schema: $ref: '#/definitions/_FIMPolicyInUseResponse' "403": description: Forbidden tags: - agent parameters: [] /data/endpoint/FIM/Policy/export/: get: description: Endpoint for exporting the current queryset as a CSV file. operationId: data_endpoint_FIM_Policy_export parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: description required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - agent parameters: [] /data/endpoint/FIM/Policy/stats/agent/: get: description: "" operationId: data_endpoint_FIM_Policy_stats_stats_per_agent parameters: - description: A search term. in: query name: search required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: description required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: items: $ref: '#/definitions/FIMStatsResponse' type: array tags: - agent parameters: [] /data/endpoint/FIM/Policy/stats/modification/: get: description: "" operationId: data_endpoint_FIM_Policy_stats_stats_per_modification parameters: - description: A search term. in: query name: search required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: description required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query name: older_than required: false type: integer responses: "200": description: "" schema: items: $ref: '#/definitions/FIMStatsResponse' type: array tags: - agent parameters: [] /data/endpoint/FIM/Policy/{id}/: delete: description: "" operationId: data_endpoint_FIM_Policy_delete parameters: [] responses: "204": description: "" "400": description: Cannot delete a File Integrity Policy used in an Agent Policy schema: $ref: '#/definitions/SubPolicyCodeDetailsResponse' "403": description: "" schema: $ref: '#/definitions/SubPolicyCodeDetailsResponse' tags: - agent get: description: "" operationId: data_endpoint_FIM_Policy_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/DetailFIMPolicy' tags: - agent parameters: - description: A UUID string identifying this file integrity policy. format: uuid in: path name: id required: true type: string patch: description: "" operationId: data_endpoint_FIM_Policy_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/UpdateFIMPolicy' responses: "200": description: "" schema: $ref: '#/definitions/UpdateFIMPolicy' tags: - agent put: description: "" operationId: data_endpoint_FIM_Policy_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/UpdateFIMPolicy' responses: "200": description: "" schema: $ref: '#/definitions/DetailFIMPolicy' "400": description: "" schema: $ref: '#/definitions/SubPolicyCodeDetailsResponse' "403": description: "" schema: $ref: '#/definitions/SubPolicyCodeDetailsResponse' tags: - agent /data/endpoint/FIM/Policy/{id}/create_many_path_exclusions/: parameters: - description: A UUID string identifying this file integrity policy. 
format: uuid in: path name: id required: true type: string post: description: "" operationId: data_endpoint_FIM_Policy_create_many_path_exclusions parameters: - in: body name: data required: true schema: $ref: '#/definitions/BulkCreateFIMPathExclusion' responses: "201": description: "" schema: items: $ref: '#/definitions/ListFIMPathExclusion' type: array "400": description: Invalid form examples: application/json: field_name: - error message - other error message "404": description: Not found examples: application/json: detail: Not found. tags: - agent /data/endpoint/FIM/Policy/{id}/create_many_path_inclusions/: parameters: - description: A UUID string identifying this file integrity policy. format: uuid in: path name: id required: true type: string post: description: "" operationId: data_endpoint_FIM_Policy_create_many_path_inclusions parameters: - in: body name: data required: true schema: $ref: '#/definitions/BulkCreateFIMPathInclusion' responses: "201": description: "" schema: items: $ref: '#/definitions/ListFIMPathInclusion' type: array "400": description: Invalid form examples: application/json: field_name: - error message - other error message "404": description: Not found examples: application/json: detail: Not found. tags: - agent /data/endpoint/FIM/Policy/{id}/delete_all_path_exclusions/: delete: description: "" operationId: data_endpoint_FIM_Policy_delete_all_path_exclusions parameters: [] responses: "200": description: Successfully deleted all path exclusions linked to policy ... "404": description: Not found examples: application/json: detail: Not found. tags: - agent parameters: - description: A UUID string identifying this file integrity policy. 
format: uuid in: path name: id required: true type: string /data/endpoint/FIM/Policy/{id}/delete_all_path_inclusions/: delete: description: "" operationId: data_endpoint_FIM_Policy_delete_all_path_inclusions parameters: [] responses: "200": description: Successfully deleted all path inclusions linked to policy ... "404": description: Not found examples: application/json: detail: Not found. tags: - agent parameters: - description: A UUID string identifying this file integrity policy. format: uuid in: path name: id required: true type: string /data/endpoint/FIM/Policy/{id}/duplicate/: parameters: - description: A UUID string identifying this file integrity policy. format: uuid in: path name: id required: true type: string post: description: "" operationId: data_endpoint_FIM_Policy_duplicate parameters: - in: body name: data required: true schema: $ref: '#/definitions/FIMPolicyDuplicateQuery' responses: "200": description: "" schema: $ref: '#/definitions/SubPolicyCopyResponse' "400": description: "" schema: $ref: '#/definitions/SubPolicyCodeDetailsResponse' "403": description: Forbidden "404": description: "" schema: $ref: '#/definitions/SubPolicyCodeDetailsResponse' tags: - agent /data/endpoint/FIM/Policy/{id}/force_fim_scan/: parameters: - description: A UUID string identifying this file integrity policy. format: uuid in: path name: id required: true type: string post: description: "" operationId: data_endpoint_FIM_Policy_force_fim_scan parameters: - in: body name: data required: true schema: $ref: '#/definitions/DetailFIMPolicy' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - agent /data/endpoint/FIM/Policy/{id}/update_many_path_exclusions/: parameters: - description: A UUID string identifying this file integrity policy. 
format: uuid in: path name: id required: true type: string patch: description: "" operationId: data_endpoint_FIM_Policy_update_many_path_exclusions parameters: - in: body name: data required: true schema: $ref: '#/definitions/BulkUpdateFIMPathExclusion' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "400": description: Invalid form examples: application/json: field_name: - error message - other error message "404": description: Not found examples: application/json: detail: Not found. tags: - agent /data/endpoint/FIM/Policy/{id}/update_many_path_inclusions/: parameters: - description: A UUID string identifying this file integrity policy. format: uuid in: path name: id required: true type: string patch: description: "" operationId: data_endpoint_FIM_Policy_update_many_path_inclusions parameters: - in: body name: data required: true schema: $ref: '#/definitions/BulkUpdateFIMPathInclusion' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "400": description: Invalid form examples: application/json: field_name: - error message - other error message "404": description: Not found examples: application/json: detail: Not found. tags: - agent /data/endpoint/FIM/Report/: get: description: "" operationId: data_endpoint_FIM_Report_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: report_date required: false type: string - description: "" in: query name: highest_criticality required: false type: string - description: "" in: query name: last_modification_date required: false type: string - description: "" in: query name: id required: false type: string - description: Number of results to return per page. 
in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query name: older_than required: false type: integer - in: query name: last_update required: false type: string - in: query name: creation_date required: false type: string - in: query name: last_modifier.id required: false type: number - in: query name: last_modifier.username required: false type: string - in: query name: fim_policy.id required: false type: string - in: query name: covered_endpoints_count required: false type: number - in: query name: modified_endpoints_count required: false type: number - in: query name: low_level_count required: false type: number - in: query name: medium_level_count required: false type: number - in: query name: high_level_count required: false type: number - in: query name: critical_level_count required: false type: number - in: query name: modifications_count required: false type: number - in: query name: modifications_accepted_count required: false type: number - in: query name: modifications_rejected_count required: false type: number - in: query name: modifications_not_reviewed_count required: false type: number responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/ListFIMReport' type: array required: - count - results type: object tags: - agent parameters: [] /data/endpoint/FIM/Report/export/: get: description: Endpoint for exporting the current queryset as a CSV file. operationId: data_endpoint_FIM_Report_export parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: report_date required: false type: string - description: "" in: query name: highest_criticality required: false type: string - description: "" in: query name: last_modification_date required: false type: string - description: "" in: query name: id required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - agent parameters: [] /data/endpoint/FIM/Report/stats/: get: description: "" operationId: data_endpoint_FIM_Report_stats parameters: - description: A search term. in: query name: search required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: report_date required: false type: string - description: "" in: query name: highest_criticality required: false type: string - description: "" in: query name: last_modification_date required: false type: string - description: "" in: query name: id required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query name: older_than required: false type: integer responses: "200": description: "" schema: $ref: '#/definitions/FIMReportStatsResponse' tags: - agent parameters: [] /data/endpoint/FIM/Report/{id}/: delete: description: "" operationId: data_endpoint_FIM_Report_delete parameters: [] responses: "204": description: "" tags: - agent get: description: "" operationId: data_endpoint_FIM_Report_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/DetailFIMReport' tags: - agent parameters: - in: path name: id required: true type: string patch: description: "" operationId: data_endpoint_FIM_Report_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/UpdateFIMReport' responses: "200": description: "" schema: $ref: '#/definitions/UpdateFIMReport' tags: - agent put: description: "" operationId: data_endpoint_FIM_Report_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/UpdateFIMReport' responses: "200": description: "" schema: $ref: '#/definitions/UpdateFIMReport' tags: - agent /data/endpoint/Group/: get: description: "" operationId: data_endpoint_Group_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: description required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query name: id required: false type: string - in: query name: agent_count required: false type: number - in: query name: roles.name required: false type: string - in: query name: display_name required: false type: string responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/Group' type: array required: - count - results type: object tags: - agent parameters: [] post: description: "" operationId: data_endpoint_Group_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/Group' responses: "201": description: "" schema: $ref: '#/definitions/Group' tags: - agent /data/endpoint/Group/export/: get: description: Endpoint for exporting the current queryset as a CSV file. operationId: data_endpoint_Group_export parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: description required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - agent parameters: [] /data/endpoint/Group/{id}/: delete: description: "" operationId: data_endpoint_Group_delete parameters: [] responses: "204": description: "" tags: - agent get: description: "" operationId: data_endpoint_Group_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Group' tags: - agent parameters: - description: A unique value identifying this group. in: path name: id required: true type: string patch: description: "" operationId: data_endpoint_Group_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/Group' responses: "200": description: "" schema: $ref: '#/definitions/Group' tags: - agent put: description: "" operationId: data_endpoint_Group_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/Group' responses: "200": description: "" schema: $ref: '#/definitions/Group' tags: - agent /data/endpoint/Group/{id}/add_agents/: parameters: - description: A unique value identifying this group. in: path name: id required: true type: string post: description: Add a list of agents to a group. operationId: data_endpoint_Group_add_agents parameters: - in: body name: data required: true schema: $ref: '#/definitions/AgentOrGroupListSimple' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "400": description: invalid input "404": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - agent /data/endpoint/Group/{id}/add_agents_with_csv/: parameters: - description: A unique value identifying this group. 
in: path name: id required: true type: string post: description: Add a list of agents to a group, using a CSV file. operationId: data_endpoint_Group_add_agents_with_csv parameters: - in: body name: data required: true schema: $ref: '#/definitions/Group' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "400": description: invalid input "404": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - agent /data/endpoint/Group/{id}/deisolation/: parameters: - description: A unique value identifying this group. in: path name: id required: true type: string post: description: "" operationId: data_endpoint_Group_deisolation parameters: - in: body name: data required: true schema: $ref: '#/definitions/Group' responses: "200": description: "" schema: $ref: '#/definitions/AgentIsolation' tags: - agent /data/endpoint/Group/{id}/delete_agents/: parameters: - description: A unique value identifying this group. in: path name: id required: true type: string post: description: Remove a list of agents from a group. operationId: data_endpoint_Group_delete_agents parameters: - in: body name: data required: true schema: $ref: '#/definitions/AgentIdListOrAll' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "400": description: invalid input "404": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - agent /data/endpoint/Group/{id}/isolation/: parameters: - description: A unique value identifying this group. 
in: path name: id required: true type: string post: description: "" operationId: data_endpoint_Group_isolation parameters: - in: body name: data required: true schema: $ref: '#/definitions/Group' responses: "200": description: "" schema: $ref: '#/definitions/AgentIsolation' tags: - agent /data/endpoint/Group/{id}/policies/: get: description: "" operationId: data_endpoint_Group_policies parameters: [] responses: "200": description: "" schema: items: $ref: '#/definitions/Policy' type: array tags: - agent parameters: - description: A unique value identifying this group. in: path name: id required: true type: string /data/endpoint/Group/{id}/uninstall/: parameters: - description: A unique value identifying this group. in: path name: id required: true type: string post: description: "" operationId: data_endpoint_Group_uninstall parameters: - in: body name: data required: true schema: $ref: '#/definitions/Group' responses: "200": description: Success examples: application/json: status: uninstall requested properties: status: description: uninstall requested type: string type: object tags: - agent /data/endpoint/Group/{id}/update/: parameters: - description: A unique value identifying this group. in: path name: id required: true type: string post: description: "" operationId: data_endpoint_Group_request_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/Group' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - agent /data/endpoint/Group/{id}/update_policy/: parameters: - description: A unique value identifying this group. 
in: path name: id required: true type: string post: description: "" operationId: data_endpoint_Group_update_policy parameters: - in: body name: data required: true schema: $ref: '#/definitions/UpdatePolicyGroup' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "400": description: invalid policy_id "404": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - agent /data/endpoint/HurukaiAvPathExclusion/: get: description: "" operationId: data_endpoint_HurukaiAvPathExclusion_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/PathExclusion' type: array required: - count - results type: object tags: - agent parameters: [] post: description: "" operationId: data_endpoint_HurukaiAvPathExclusion_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/PathExclusion' responses: "201": description: "" schema: $ref: '#/definitions/PathExclusion' tags: - agent /data/endpoint/HurukaiAvPathExclusion/create_many/: parameters: [] post: description: "" operationId: data_endpoint_HurukaiAvPathExclusion_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/PathExclusionList' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "400": description: invalid input "404": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - agent 
/data/endpoint/HurukaiAvPathExclusion/delete_many_path_exclusions/: delete: description: Delete multiple path exclusions. operationId: data_endpoint_HurukaiAvPathExclusion_delete_many_path_exclusions parameters: - in: body name: data required: true schema: $ref: '#/definitions/BulkDeleteHLAVPathExclusion' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "400": description: invalid input "404": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - agent parameters: [] /data/endpoint/HurukaiAvPathExclusion/{id}/: delete: description: "" operationId: data_endpoint_HurukaiAvPathExclusion_delete parameters: [] responses: "204": description: "" tags: - agent get: description: "" operationId: data_endpoint_HurukaiAvPathExclusion_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/PathExclusion' tags: - agent parameters: - description: A UUID string identifying this path exclusion. format: uuid in: path name: id required: true type: string patch: description: "" operationId: data_endpoint_HurukaiAvPathExclusion_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/PathExclusion' responses: "200": description: "" schema: $ref: '#/definitions/PathExclusion' tags: - agent put: description: "" operationId: data_endpoint_HurukaiAvPathExclusion_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/PathExclusion' responses: "200": description: "" schema: $ref: '#/definitions/PathExclusion' tags: - agent /data/endpoint/NetworkIsolationExclusion/: get: description: "" operationId: data_endpoint_NetworkIsolationExclusion_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: description required: false type: string - description: "" in: query name: local_application required: false type: string - description: "" in: query name: policy required: false type: string - description: "" in: query name: network_exclusion__protocol required: false type: string - description: "" in: query name: network_exclusion__direction required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query name: network_exclusion.local_ip.representation required: false type: string - in: query name: network_exclusion.local_ports.representation required: false type: string - in: query name: network_exclusion.remote_ip.representation required: false type: string - in: query name: network_exclusion.remote_ports.representation required: false type: string - enum: - ALL - ICMP - IPV6_ICMP - TCP - UDP in: query name: network_exclusion.protocol required: false type: string - enum: - Both - In - Out in: query name: network_exclusion.direction required: false type: string responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/NetworkIsolationExclusion' type: array required: - count - results type: object tags: - agent parameters: [] post: description: "" operationId: data_endpoint_NetworkIsolationExclusion_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/NetworkIsolationExclusion' responses: "201": description: "" schema: $ref: '#/definitions/NetworkIsolationExclusion' tags: - agent /data/endpoint/NetworkIsolationExclusion/export/: 
get: description: Endpoint for exporting the current queryset as a CSV file. operationId: data_endpoint_NetworkIsolationExclusion_export parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: description required: false type: string - description: "" in: query name: local_application required: false type: string - description: "" in: query name: policy required: false type: string - description: "" in: query name: network_exclusion__protocol required: false type: string - description: "" in: query name: network_exclusion__direction required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - agent parameters: [] /data/endpoint/NetworkIsolationExclusion/{id}/: delete: description: "" operationId: data_endpoint_NetworkIsolationExclusion_delete parameters: [] responses: "204": description: "" tags: - agent get: description: "" operationId: data_endpoint_NetworkIsolationExclusion_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/NetworkIsolationExclusion' tags: - agent parameters: - in: path name: id required: true type: string patch: description: "" operationId: data_endpoint_NetworkIsolationExclusion_partial_update parameters: - in: body name: data required: true schema: $ref: 
'#/definitions/NetworkIsolationExclusion' responses: "200": description: "" schema: $ref: '#/definitions/NetworkIsolationExclusion' tags: - agent put: description: "" operationId: data_endpoint_NetworkIsolationExclusion_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/NetworkIsolationExclusion' responses: "200": description: "" schema: $ref: '#/definitions/NetworkIsolationExclusion' tags: - agent /data/endpoint/Policy/: get: description: "" operationId: data_endpoint_Policy_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: description required: false type: string - description: "" in: query name: loglevel required: false type: string - description: "" in: query name: audit_killswitch required: false type: string - description: "" in: query name: linux_startup_block required: false type: string - description: "" in: query name: windows_self_protection required: false type: string - description: "" in: query name: linux_self_protection required: false type: string - description: "" in: query name: use_isolation required: false type: string - description: "" in: query name: ransomguard_mode required: false type: number - description: "" in: query name: sigma_mode required: false type: number - description: "" in: query name: telemetry_dns_resolution_state required: false type: string - description: "" in: query name: telemetry_process_state required: false type: string - description: "" in: query name: telemetry_network_state required: false type: string - description: "" in: query name: telemetry_log_state required: false type: string - description: "" in: query name: telemetry_remotethread_state required: false type: string - description: "" in: query name: 
telemetry_driverload_state required: false type: string - description: "" in: query name: telemetry_authentication_state required: false type: string - description: "" in: query name: telemetry_usb_activity_state required: false type: string - description: "" in: query name: telemetry_user_group_state required: false type: string - description: "" in: query name: telemetry_powershell_state required: false type: string - description: "" in: query name: telemetry_registry_state required: false type: string - description: "" in: query name: telemetry_raw_device_access_state required: false type: string - description: "" in: query name: telemetry_named_pipe_state required: false type: string - description: "" in: query name: telemetry_raw_socket_creation_state required: false type: string - description: "" in: query name: telemetry_network_listen_state required: false type: string - description: "" in: query name: telemetry_process_access_state required: false type: string - description: "" in: query name: telemetry_process_tamper_state required: false type: string - description: "" in: query name: telemetry_url_request_state required: false type: string - description: "" in: query name: telemetry_wmi_event_state required: false type: string - description: "" in: query name: telemetry_file_state required: false type: string - description: "" in: query name: telemetry_scheduled_tasks_state required: false type: string - description: "" in: query name: telemetry_service_state required: false type: string - description: "" in: query name: telemetry_amsi_dynamic_scripts_state required: false type: string - description: "" in: query name: telemetry_amsi_other_scans_state required: false type: string - description: "" in: query name: binary_download_enabled required: false type: string - description: "" in: query name: library_download_enabled required: false type: string - description: "" in: query name: thread_download_enabled required: false type: string - description: "" 
in: query name: feature_callback_tampering required: false type: string - description: "" in: query name: feature_process_tampering required: false type: string - description: "" in: query name: feature_live_process_heuristics required: false type: string - description: "" in: query name: feature_windows_filesystem_events required: false type: string - description: "" in: query name: driverblock_mode required: false type: number - description: "" in: query name: yara_mode required: false type: number - description: "" in: query name: ioc_mode required: false type: number - description: "" in: query name: hlai_mode required: false type: number - description: "" in: query name: agent_upgrade_strategy required: false type: string - description: "" in: query name: fim_policy__id required: false type: string - description: "" in: query name: firewall_policy__id required: false type: string - description: "" in: query name: antivirus_policy__id required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query name: fim_policy.id required: false type: string - in: query name: fim_policy required: false type: string - in: query name: device_control_policy.id required: false type: string - in: query name: device_control_policy required: false type: string - in: query name: firewall_policy.id required: false type: string - in: query name: firewall_policy required: false type: string - in: query name: vulnerability_policy.id required: false type: string - in: query name: vulnerability_policy required: false type: string - in: query name: antivirus_policy.id required: false type: string - in: query name: antivirus_policy_name required: false type: string - in: query name: antivirus_policy required: false type: string responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/Policy' type: array required: - count - results type: object tags: - agent parameters: [] post: description: "" operationId: data_endpoint_Policy_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/Policy' responses: "201": description: "" schema: $ref: '#/definitions/Policy' tags: - agent /data/endpoint/Policy/export/: get: description: Endpoint for exporting the current queryset as a CSV file. operationId: data_endpoint_Policy_export parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: description required: false type: string - description: "" in: query name: loglevel required: false type: string - description: "" in: query name: audit_killswitch required: false type: string - description: "" in: query name: linux_startup_block required: false type: string - description: "" in: query name: windows_self_protection required: false type: string - description: "" in: query name: linux_self_protection required: false type: string - description: "" in: query name: use_isolation required: false type: string - description: "" in: query name: ransomguard_mode required: false type: number - description: "" in: query name: sigma_mode required: false type: number - description: "" in: query name: telemetry_dns_resolution_state required: false type: string - description: "" in: query name: telemetry_process_state required: false type: string - description: "" in: query name: telemetry_network_state required: false type: string - description: "" in: query name: telemetry_log_state required: false type: string - description: "" in: query name: telemetry_remotethread_state required: false type: string - description: "" in: query name: telemetry_driverload_state required: false type: string - description: "" in: query name: telemetry_authentication_state required: false type: string - description: "" in: query name: telemetry_usb_activity_state required: false type: string - description: "" in: query name: telemetry_user_group_state required: false type: string - description: "" in: query name: telemetry_powershell_state required: false type: string - description: "" in: query name: telemetry_registry_state required: false type: string - description: "" in: query name: telemetry_raw_device_access_state required: false type: string - description: "" in: query name: telemetry_named_pipe_state required: false 
type: string - description: "" in: query name: telemetry_raw_socket_creation_state required: false type: string - description: "" in: query name: telemetry_network_listen_state required: false type: string - description: "" in: query name: telemetry_process_access_state required: false type: string - description: "" in: query name: telemetry_process_tamper_state required: false type: string - description: "" in: query name: telemetry_url_request_state required: false type: string - description: "" in: query name: telemetry_wmi_event_state required: false type: string - description: "" in: query name: telemetry_file_state required: false type: string - description: "" in: query name: telemetry_scheduled_tasks_state required: false type: string - description: "" in: query name: telemetry_service_state required: false type: string - description: "" in: query name: telemetry_amsi_dynamic_scripts_state required: false type: string - description: "" in: query name: telemetry_amsi_other_scans_state required: false type: string - description: "" in: query name: binary_download_enabled required: false type: string - description: "" in: query name: library_download_enabled required: false type: string - description: "" in: query name: thread_download_enabled required: false type: string - description: "" in: query name: feature_callback_tampering required: false type: string - description: "" in: query name: feature_process_tampering required: false type: string - description: "" in: query name: feature_live_process_heuristics required: false type: string - description: "" in: query name: feature_windows_filesystem_events required: false type: string - description: "" in: query name: driverblock_mode required: false type: number - description: "" in: query name: yara_mode required: false type: number - description: "" in: query name: ioc_mode required: false type: number - description: "" in: query name: hlai_mode required: false type: number - description: "" in: query 
name: agent_upgrade_strategy required: false type: string - description: "" in: query name: fim_policy__id required: false type: string - description: "" in: query name: firewall_policy__id required: false type: string - description: "" in: query name: antivirus_policy__id required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - agent parameters: [] /data/endpoint/Policy/upload_yaml/: parameters: [] post: description: "" operationId: data_endpoint_Policy_upload_yaml parameters: - in: body name: data required: true schema: $ref: '#/definitions/Policy' responses: "200": description: "" schema: items: $ref: '#/definitions/_UploadStatusSerialier' type: array tags: - agent /data/endpoint/Policy/{id}/: delete: description: "" operationId: data_endpoint_Policy_delete parameters: [] responses: "204": description: "" tags: - agent get: description: "" operationId: data_endpoint_Policy_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Policy' tags: - agent parameters: - in: path name: id required: true type: string patch: description: "" operationId: data_endpoint_Policy_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/Policy' responses: "200": description: "" schema: $ref: '#/definitions/Policy' tags: - agent put: description: "" operationId: data_endpoint_Policy_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/Policy' responses: "200": description: "" 
schema: $ref: '#/definitions/_PolicyUpdate' "400": description: "" schema: $ref: '#/definitions/ResponseStatus' "403": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - agent /data/endpoint/Policy/{id}/add_agents/: parameters: - in: path name: id required: true type: string post: description: Add all specified agents to a policy, using their ID or the ID of a group they are currently in. operationId: data_endpoint_Policy_add_agents parameters: - in: body name: data required: true schema: $ref: '#/definitions/AgentOrGroupListSimple' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "400": description: invalid input "403": description: Forbidden "404": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - agent /data/endpoint/Policy/{id}/add_agents_with_csv/: parameters: - in: path name: id required: true type: string post: description: Add a list of agents to a policy, using a CSV file. operationId: data_endpoint_Policy_add_agents_with_csv parameters: - in: body name: data required: true schema: $ref: '#/definitions/Policy' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "400": description: invalid input "404": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - agent /data/endpoint/Policy/{id}/add_group/: parameters: - in: path name: id required: true type: string post: deprecated: true description: Use add_agents instead, and provide the group's ID. 
operationId: data_endpoint_Policy_add_group parameters: - in: body name: data required: true schema: $ref: '#/definitions/Policy' responses: "201": description: "" schema: $ref: '#/definitions/Policy' summary: Add all agents in the specified groups to a policy tags: - agent /data/endpoint/Policy/{id}/antivirus/: parameters: - in: path name: id required: true type: string post: description: "" operationId: data_endpoint_Policy_antivirus parameters: - in: body name: data required: true schema: $ref: '#/definitions/_UUID' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "400": description: "" schema: $ref: '#/definitions/ResponseStatus' "403": description: Forbidden "404": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - agent /data/endpoint/Policy/{id}/delete_agents/: parameters: - in: path name: id required: true type: string post: description: Remove all specified agents from a policy, using their ID or the ID of a group they are currently in. 
operationId: data_endpoint_Policy_delete_agents parameters: - in: body name: data required: true schema: $ref: '#/definitions/AgentOrGroupListSimple' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "400": description: invalid input "403": description: Forbidden "404": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - agent /data/endpoint/Policy/{id}/device_control/: parameters: - in: path name: id required: true type: string post: description: "" operationId: data_endpoint_Policy_device_control parameters: - in: body name: data required: true schema: $ref: '#/definitions/_OptionalUUID' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "400": description: "" schema: $ref: '#/definitions/ResponseStatus' "403": description: Forbidden "404": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - agent /data/endpoint/Policy/{id}/download_yaml/: get: description: "" operationId: data_endpoint_Policy_download_yaml parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Policy' tags: - agent parameters: - in: path name: id required: true type: string /data/endpoint/Policy/{id}/duplicate/: parameters: - in: path name: id required: true type: string post: description: "" operationId: data_endpoint_Policy_duplicate parameters: - in: body name: data required: true schema: $ref: '#/definitions/PolicyName' responses: "200": description: "" schema: $ref: '#/definitions/_PolicyCopyResponse' "400": description: "" schema: $ref: '#/definitions/ResponseStatus' "403": description: Forbidden "404": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - agent /data/endpoint/Policy/{id}/engine_revision/: get: description: "" operationId: data_endpoint_Policy_engine_revision parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/_RevisionByEngine' tags: - agent parameters: - in: path name: id required: true type: string 
/data/endpoint/Policy/{id}/fim/: parameters: - in: path name: id required: true type: string post: description: "" operationId: data_endpoint_Policy_fim parameters: - in: body name: data required: true schema: $ref: '#/definitions/_OptionalUUID' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "400": description: "" schema: $ref: '#/definitions/ResponseStatus' "403": description: Forbidden "404": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - agent /data/endpoint/Policy/{id}/firewall/: parameters: - in: path name: id required: true type: string post: description: "" operationId: data_endpoint_Policy_firewall parameters: - in: body name: data required: true schema: $ref: '#/definitions/_UUID' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "400": description: "" schema: $ref: '#/definitions/ResponseStatus' "403": description: Forbidden "404": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - agent /data/endpoint/Policy/{id}/vulnerability/: parameters: - in: path name: id required: true type: string post: description: "" operationId: data_endpoint_Policy_vulnerability parameters: - in: body name: data required: true schema: $ref: '#/definitions/_UUID' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "400": description: "" schema: $ref: '#/definitions/ResponseStatus' "403": description: Forbidden "404": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - agent /data/endpoint/PolicySet/: get: description: "" operationId: data_endpoint_PolicySet_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: description required: false type: string - description: "" in: query name: agent_policy__id required: false type: string - description: "" in: query name: antivirus_policy__id required: false type: string - description: "" in: query name: device_control_policy__id required: false type: string - description: "" in: query name: fim_policy__id required: false type: string - description: "" in: query name: firewall_policy__id required: false type: string - description: "" in: query name: vulnerability_policy__id required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query name: policy required: false type: string - in: query name: policy.id required: false type: string - in: query name: policy_name required: false type: string - in: query name: fim_policy required: false type: string - in: query name: fim_policy.id required: false type: string - in: query name: fim_policy_name required: false type: string - in: query name: device_control_policy required: false type: string - in: query name: device_control_policy.id required: false type: string - in: query name: device_control_policy_name required: false type: string - in: query name: firewall_policy required: false type: string - in: query name: firewall_policy.id required: false type: string - in: query name: firewall_policy_name required: false type: string - in: query name: antivirus_policy required: false type: string - in: query name: antivirus_policy.id required: false type: string - in: query name: antivirus_policy_name required: false type: string - in: query name: vulnerability_policy required: false type: string - in: query name: vulnerability_policy.id 
required: false type: string - in: query name: vulnerability_policy_name required: false type: string responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/PolicySet' type: array required: - count - results type: object tags: - agent parameters: [] post: description: "" operationId: data_endpoint_PolicySet_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/PolicySetCreate' responses: "201": description: "" schema: $ref: '#/definitions/PolicySetCreate' tags: - agent /data/endpoint/PolicySet/export/: get: description: Endpoint for exporting the current queryset as a CSV file. operationId: data_endpoint_PolicySet_export parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: description required: false type: string - description: "" in: query name: agent_policy__id required: false type: string - description: "" in: query name: antivirus_policy__id required: false type: string - description: "" in: query name: device_control_policy__id required: false type: string - description: "" in: query name: fim_policy__id required: false type: string - description: "" in: query name: firewall_policy__id required: false type: string - description: "" in: query name: vulnerability_policy__id required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - agent parameters: [] /data/endpoint/PolicySet/{id}/: delete: description: "" operationId: data_endpoint_PolicySet_delete parameters: [] responses: "204": description: "" tags: - agent get: description: "" operationId: data_endpoint_PolicySet_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/PolicySetRetrieve' tags: - agent parameters: - in: path name: id required: true type: string patch: description: "" operationId: data_endpoint_PolicySet_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/PolicySetCreate' responses: "200": description: "" schema: $ref: '#/definitions/PolicySetCreate' tags: - agent put: description: "" operationId: data_endpoint_PolicySet_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/PolicySetCreate' responses: "200": description: "" schema: $ref: '#/definitions/_PolicySetUpdate' tags: - agent /data/endpoint/PolicySet/{id}/add_agents/: parameters: - in: path name: id required: true type: string post: description: Add all specified agents to a policy set, using their ID or the ID of a group they are currently in. 
operationId: data_endpoint_PolicySet_add_agents parameters: - in: body name: data required: true schema: $ref: '#/definitions/AgentOrGroupListSimple' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "403": description: Forbidden "404": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - agent /data/endpoint/PolicySet/{id}/add_agents_with_csv/: parameters: - in: path name: id required: true type: string post: description: Add a list of agents to a policy set, with a CSV. operationId: data_endpoint_PolicySet_add_agents_with_csv parameters: - in: body name: data required: true schema: $ref: '#/definitions/PolicySetRetrieve' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "404": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - agent /data/endpoint/PolicySet/{id}/add_group/: parameters: - in: path name: id required: true type: string post: deprecated: true description: Use add_agents instead, and provide the group's ID. 
operationId: data_endpoint_PolicySet_add_group parameters: - in: body name: data required: true schema: $ref: '#/definitions/PolicySetRetrieve' responses: "201": description: "" schema: $ref: '#/definitions/PolicySetRetrieve' summary: Add all agents in the specified groups to a policy set tags: - agent /data/endpoint/PolicySet/{id}/agent/: parameters: - in: path name: id required: true type: string post: description: "" operationId: data_endpoint_PolicySet_agent parameters: - in: body name: data required: true schema: $ref: '#/definitions/_UpdateChar' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "400": description: "" schema: $ref: '#/definitions/ResponseStatus' "403": description: Forbidden "404": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - agent /data/endpoint/PolicySet/{id}/antivirus/: parameters: - in: path name: id required: true type: string post: description: "" operationId: data_endpoint_PolicySet_antivirus parameters: - in: body name: data required: true schema: $ref: '#/definitions/_UUID' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "400": description: "" schema: $ref: '#/definitions/ResponseStatus' "403": description: Forbidden "404": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - agent /data/endpoint/PolicySet/{id}/custom/: parameters: - in: path name: id required: true type: string post: description: "" operationId: data_endpoint_PolicySet_custom parameters: - in: body name: data required: true schema: $ref: '#/definitions/_PolicySetCustom' responses: "200": description: "" schema: $ref: '#/definitions/_PolicySetUpdate' tags: - agent /data/endpoint/PolicySet/{id}/delete_agents/: parameters: - in: path name: id required: true type: string post: description: Remove all specified agents from a policy set, using their ID or the ID of a group they are currently in. 
operationId: data_endpoint_PolicySet_delete_agents parameters: - in: body name: data required: true schema: $ref: '#/definitions/AgentOrGroupListSimple' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "400": description: invalid input "403": description: Forbidden "404": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - agent /data/endpoint/PolicySet/{id}/device_control/: parameters: - in: path name: id required: true type: string post: description: "" operationId: data_endpoint_PolicySet_device_control parameters: - in: body name: data required: true schema: $ref: '#/definitions/_OptionalUUID' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "400": description: "" schema: $ref: '#/definitions/ResponseStatus' "403": description: Forbidden "404": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - agent /data/endpoint/PolicySet/{id}/duplicate/: parameters: - in: path name: id required: true type: string post: description: "" operationId: data_endpoint_PolicySet_duplicate parameters: - in: body name: data required: true schema: $ref: '#/definitions/PolicySetName' responses: "200": description: "" schema: $ref: '#/definitions/_PolicySetCopyResponse' "400": description: "" schema: $ref: '#/definitions/ResponseStatus' "403": description: Forbidden "404": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - agent /data/endpoint/PolicySet/{id}/fim/: parameters: - in: path name: id required: true type: string post: description: "" operationId: data_endpoint_PolicySet_fim parameters: - in: body name: data required: true schema: $ref: '#/definitions/_OptionalUUID' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "400": description: "" schema: $ref: '#/definitions/ResponseStatus' "403": description: Forbidden "404": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - agent /data/endpoint/PolicySet/{id}/firewall/: 
parameters: - in: path name: id required: true type: string post: description: "" operationId: data_endpoint_PolicySet_firewall parameters: - in: body name: data required: true schema: $ref: '#/definitions/_UUID' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "400": description: "" schema: $ref: '#/definitions/ResponseStatus' "403": description: Forbidden "404": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - agent /data/endpoint/PolicySet/{id}/vulnerability/: parameters: - in: path name: id required: true type: string post: description: "" operationId: data_endpoint_PolicySet_vulnerability parameters: - in: body name: data required: true schema: $ref: '#/definitions/_UUID' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "400": description: "" schema: $ref: '#/definitions/ResponseStatus' "403": description: Forbidden "404": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - agent /data/endpoint/RemoteShellExecutable/: get: description: "" operationId: data_endpoint_RemoteShellExecutable_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: size required: false type: number - description: "" in: query name: executable_type required: false type: string - description: "" in: query name: current required: false type: string - description: "" in: query name: version required: false type: number - description: "" in: query name: creator_id required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query name: id required: false type: string - in: query name: creator.id required: false type: string - in: query name: creator.username required: false type: string responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/RemoteShellExecutable' type: array required: - count - results type: object tags: - agent parameters: [] post: description: "" operationId: data_endpoint_RemoteShellExecutable_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/RemoteShellExecutableUploadRequest' responses: "201": description: "" schema: $ref: '#/definitions/RemoteShellExecutable' "400": description: "" schema: $ref: '#/definitions/RemoteShellErrorCodeResponse' "500": description: "" schema: $ref: '#/definitions/RemoteShellErrorCodeResponse' tags: - agent /data/endpoint/RemoteShellExecutable/{id}/: get: description: "" operationId: data_endpoint_RemoteShellExecutable_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/RemoteShellExecutable' tags: - agent parameters: - description: A UUID string identifying this remote shell executable. 
format: uuid in: path name: id required: true type: string patch: description: "" operationId: data_endpoint_RemoteShellExecutable_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/RemoteShellExecutableUpdate' responses: "200": description: "" schema: $ref: '#/definitions/RemoteShellExecutable' "201": description: "" schema: $ref: '#/definitions/RemoteShellExecutable' "400": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - agent /data/endpoint/RemoteShellExecutable/{id}/download/: get: description: "" operationId: data_endpoint_RemoteShellExecutable_download parameters: [] responses: "200": description: download schema: type: file "500": description: "" schema: $ref: '#/definitions/RemoteShellErrorCodeResponse' tags: - agent parameters: - description: A UUID string identifying this remote shell executable. format: uuid in: path name: id required: true type: string /data/endpoint/RemoteShellExecutable/{id}/remove/: delete: description: "" operationId: data_endpoint_RemoteShellExecutable_remove parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "400": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - agent parameters: - description: A UUID string identifying this remote shell executable. format: uuid in: path name: id required: true type: string /data/endpoint/device_control/Policy/: get: description: "" operationId: data_endpoint_device_control_Policy_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: description required: false type: string - description: "" in: query name: last_modifier required: false type: string - description: "" in: query name: last_update required: false type: string - description: "" in: query name: creation_date required: false type: string - description: "" in: query name: creator required: false type: string - description: "" in: query name: default_action required: false type: string - description: "" in: query name: security_event_level required: false type: string - description: "" in: query name: is_dry_run_mode_enabled required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query name: usb_rules_count required: false type: number - in: query name: last_modifier.id required: false type: number - in: query name: last_modifier.username required: false type: string - in: query name: creator.id required: false type: number - in: query name: creator.username required: false type: string - in: query name: tenant required: false type: string responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/DeviceControlPolicy' type: array required: - count - results type: object tags: - agent parameters: [] post: description: "" operationId: data_endpoint_device_control_Policy_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/DeviceControlPolicy' responses: "201": description: "" schema: $ref: '#/definitions/DeviceControlPolicy' tags: - agent 
/data/endpoint/device_control/Policy/delete/: delete: description: |- The destroy logic does not call the device control policy broadcast directly: a Device Control Policy that is in use cannot be deleted, and the broadcast is always triggered by the unassignment logic in the agent policy viewset. operationId: data_endpoint_DeviceControlPolicy_delete_list parameters: - in: body name: data required: true schema: $ref: '#/definitions/UUIDList' responses: "200": description: Successful Device Control Policy(ies) deletion examples: - application/json: code: multiple_policy_deleted deleted_policies: 3 details: All device control policies deleted (3 device control policy(ies)) - application/json: code: multiple_policy_deleted deleted_policies: 2 details: Deleted 2 device control policy(ies) - application/json: code: no_policy_deleted details: No device control policy deleted schema: $ref: '#/definitions/_DeviceControlPolicyMassDeleteResponse' "400": description: Error, cannot delete a Device Control Policy used in an Agent Policy examples: application/json: agent_policy: - agent_policy_id: dummy_agent_policy_uuid agent_policy_name: test_agent_policy_1 - agent_policy_id: dummy_agent_policy_uuid agent_policy_name: test_agent_policy_2 code: policy_in_use details: You cannot delete a Device Control Policy used in one or more Agent Policies schema: $ref: '#/definitions/_DeviceControlPolicyInUseResponse' "403": description: Forbidden summary: To delete multiple device control policies. tags: - agent parameters: [] /data/endpoint/device_control/Policy/{id}/: delete: description: |- The destroy logic does not call the device control policy broadcast directly: a Device Control Policy that is in use cannot be deleted, and the broadcast is always triggered by the unassignment logic in the agent policy viewset.
operationId: data_endpoint_device_control_Policy_delete parameters: [] responses: "204": description: "" "400": description: Error, cannot delete a Device Control Policy used in an Agent Policy examples: - application/json: agent_policy: - agent_policy_id: UUID agent_policy_name: test_agent_policy_1 - agent_policy_id: UUID agent_policy_name: test_agent_policy_1 code: policy_in_use details: You cannot delete a Device Control Policy used in one or more Agent Policies schema: $ref: '#/definitions/_DeviceControlPolicyInUseResponse' "403": description: "" schema: $ref: '#/definitions/_DeviceControlCodeDetailsResponse' tags: - agent get: description: "" operationId: data_endpoint_device_control_Policy_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/DeviceControlPolicy' tags: - agent parameters: - description: A UUID string identifying this device control policy. format: uuid in: path name: id required: true type: string patch: description: "" operationId: data_endpoint_device_control_Policy_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/DeviceControlPolicy' responses: "200": description: "" schema: $ref: '#/definitions/DeviceControlPolicy' tags: - agent put: description: "" operationId: data_endpoint_device_control_Policy_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/DeviceControlPolicy' responses: "200": description: "" schema: $ref: '#/definitions/DeviceControlPolicy' tags: - agent /data/endpoint/device_control/Policy/{id}/duplicate/: parameters: - description: A UUID string identifying this device control policy. 
format: uuid in: path name: id required: true type: string post: description: "" operationId: data_endpoint_device_control_Policy_duplicate parameters: - in: body name: data required: true schema: $ref: '#/definitions/PolicyName' responses: "200": description: "" schema: $ref: '#/definitions/SubPolicyCopyResponse' "403": description: Forbidden "404": description: "" schema: $ref: '#/definitions/_DeviceControlCodeDetailsResponse' "409": description: "" schema: $ref: '#/definitions/_DeviceControlCodeDetailsResponse' tags: - agent /data/endpoint/device_control/Policy/{id}/order_usb_rules/: parameters: - description: A UUID string identifying this device control policy. format: uuid in: path name: id required: true type: string post: description: "" operationId: data_endpoint_device_control_Policy_order_usb_rules parameters: - in: body name: data required: true schema: $ref: '#/definitions/_DeviceControlPolicyUsbRuleOrdering' responses: "200": description: "" schema: items: $ref: '#/definitions/UsbRule' type: array "400": description: "" schema: $ref: '#/definitions/_DeviceControlCodeDetailsResponse' "403": description: Forbidden "404": description: "" schema: $ref: '#/definitions/_DeviceControlCodeDetailsResponse' tags: - agent /data/endpoint/device_control/usb/Rule/: get: description: "" operationId: data_endpoint_device_control_usb_Rule_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: description required: false type: string - description: "" in: query name: index required: false type: number - description: "" in: query name: enabled required: false type: string - description: "" in: query name: device_type required: false type: string - description: "" in: query name: last_update required: false type: string - description: "" in: query name: creation_date required: false type: string - description: "" in: query name: action required: false type: string - description: "" in: query name: policy_id required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query name: last_modifier.id required: false type: number - in: query name: last_modifier.username required: false type: string - in: query name: creator.id required: false type: number - in: query name: creator.username required: false type: string - in: query name: serial_numbers required: false type: string - in: query name: base_classes.base_class required: false type: string - in: query name: vendor_products type: string - in: query name: custom_products type: string responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/UsbRule' type: array required: - count - results type: object tags: - agent parameters: [] post: description: "" operationId: data_endpoint_device_control_usb_Rule_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/UsbRule' responses: "201": description: "" schema: $ref: 
'#/definitions/UsbRule' tags: - agent /data/endpoint/device_control/usb/Rule/create_many_rules/: parameters: [] post: description: "" operationId: data_endpoint_device_control_usb_Rule_create_many_rules parameters: - in: body name: data required: true schema: $ref: '#/definitions/BulkCreateUsbRule' responses: "201": description: "" schema: $ref: '#/definitions/UsbRule' tags: - agent /data/endpoint/device_control/usb/Rule/delete/: delete: description: To delete multiple device control USB rules. operationId: data_endpoint_DeviceControlUsbRule_delete_list parameters: - in: body name: data required: true schema: $ref: '#/definitions/UUIDList' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "400": description: "" schema: $ref: '#/definitions/ResponseStatus' "403": description: Forbidden tags: - agent parameters: [] /data/endpoint/device_control/usb/Rule/{id}/: delete: description: "" operationId: data_endpoint_device_control_usb_Rule_delete parameters: [] responses: "204": description: "" tags: - agent get: description: "" operationId: data_endpoint_device_control_usb_Rule_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/UsbRule' tags: - agent parameters: - description: A UUID string identifying this usb rule. 
format: uuid in: path name: id required: true type: string patch: description: "" operationId: data_endpoint_device_control_usb_Rule_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/UpdateUsbRule' responses: "200": description: "" schema: $ref: '#/definitions/UpdateUsbRule' tags: - agent put: description: "" operationId: data_endpoint_device_control_usb_Rule_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/UpdateUsbRule' responses: "200": description: "" schema: $ref: '#/definitions/UpdateUsbRule' tags: - agent /data/endpoint/device_control/usb/Rule/{id}/duplicate/: parameters: - description: A UUID string identifying this usb rule. format: uuid in: path name: id required: true type: string post: description: "" operationId: data_endpoint_device_control_usb_Rule_duplicate parameters: - in: body name: data required: true schema: $ref: '#/definitions/UsbRuleDuplication' responses: "200": description: "" schema: $ref: '#/definitions/_DeviceControlPolicyUsbRuleDuplicateResponse' "400": description: "" schema: $ref: '#/definitions/ResponseStatus' "403": description: Forbidden "404": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - agent /data/endpoint/firewall/Network/: get: description: "" operationId: data_endpoint_firewall_Network_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: description required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query name: endpoints_count required: false type: number - in: query name: policies_count required: false type: number - in: query name: rules_count required: false type: number - in: query name: blocks_count required: false type: number responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/ListFirewallNetwork' type: array required: - count - results type: object tags: - agent parameters: [] post: description: "" operationId: data_endpoint_firewall_Network_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/CreateFirewallNetwork' responses: "201": description: "" schema: $ref: '#/definitions/CreateFirewallNetwork' tags: - agent /data/endpoint/firewall/Network/delete/: delete: description: To delete multiple firewall networks. operationId: data_endpoint_FirewallNetwork_delete_list parameters: - in: body name: data required: true schema: $ref: '#/definitions/UUIDList' responses: "200": description: Successful Network(s) deletion examples: - application/json: code: multiple_network_deleted deleted_network_blocks: 1 deleted_networks: 3 details: All firewall networks deleted (3 Firewall Network(s) & 1 linked NetworkBlock(s)). - application/json: code: multiple_network_deleted deleted_network_blocks: 2 deleted_networks: 2 details: Deleted 2 Firewall Network(s) & 2 linked NetworkBlock(s). - application/json: code: no_network_deleted details: No firewall network deleted. 
schema: $ref: '#/definitions/_FirewallNetworkMassDeleteResponse' "400": description: Error, cannot delete a Network used in a Policy examples: application/json: code: network_in_use details: You cannot delete a Firewall Network used in one or more Policies firewall_policy: - firewall_policy_id: UUID firewall_policy_name: test_firewall_policy_1 - firewall_policy_id: UUID firewall_policy_name: test_firewall_policy_1 schema: $ref: '#/definitions/_FirewallNetworkInUseResponse' "403": description: Forbidden tags: - agent parameters: [] /data/endpoint/firewall/Network/export/: get: description: Endpoint for exporting the current queryset as a CSV file. Keep the `escaped` query parameter at its default of true unless the consumer explicitly needs raw values. The `escaped` parameter appears to control escaping of cell values, and exported fields such as name and description are user-supplied, so unescaped values starting with =, +, - or @ may be evaluated as formulas when the file is opened in a spreadsheet (CSV injection). operationId: data_endpoint_firewall_Network_export parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: description required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - agent parameters: [] /data/endpoint/firewall/Network/{id}/: delete: description: "" operationId: data_endpoint_firewall_Network_delete parameters: [] responses: "204": description: "" "400": description: Error, cannot delete a Network used in a Policy examples: application/json: code: network_in_use details: You cannot delete a Firewall Network used in one or more Policies firewall_policy: - firewall_policy_id: UUID firewall_policy_name: test_firewall_policy_1 - firewall_policy_id: UUID firewall_policy_name: test_firewall_policy_1 schema: $ref: '#/definitions/_FirewallNetworkInUseResponse' "403": description: "" schema: $ref: '#/definitions/FirewallCodeDetailsResponse' tags: - agent get: description: "" operationId: data_endpoint_firewall_Network_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/DetailFirewallNetwork' tags: - agent parameters: - description: A UUID string identifying this firewall network. 
format: uuid in: path name: id required: true type: string patch: description: "" operationId: data_endpoint_firewall_Network_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/UpdateFirewallNetwork' responses: "200": description: "" schema: $ref: '#/definitions/UpdateFirewallNetwork' tags: - agent put: description: "" operationId: data_endpoint_firewall_Network_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/UpdateFirewallNetwork' responses: "200": description: "" schema: $ref: '#/definitions/DetailFirewallNetwork' "400": description: "" schema: $ref: '#/definitions/FirewallCodeDetailsResponse' "403": description: Forbidden tags: - agent /data/endpoint/firewall/Network/{id}/duplicate/: parameters: - description: A UUID string identifying this firewall network. format: uuid in: path name: id required: true type: string post: description: "" operationId: data_endpoint_firewall_Network_duplicate parameters: - in: body name: data required: true schema: $ref: '#/definitions/FirewallNetworkName' responses: "200": description: "" schema: $ref: '#/definitions/_FirewallNetworkCopyResponse' "400": description: "" schema: $ref: '#/definitions/FirewallCodeDetailsResponse' "403": description: Forbidden "404": description: "" schema: $ref: '#/definitions/FirewallCodeDetailsResponse' tags: - agent /data/endpoint/firewall/Policy/: get: description: "" operationId: data_endpoint_firewall_Policy_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: description required: false type: string - description: Number of results to return per page. 
in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query name: endpoints_count required: false type: number - in: query name: network_zones_count required: false type: number - in: query name: rules_count required: false type: number - in: query name: tenant required: false type: string responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/ListFirewallPolicy' type: array required: - count - results type: object tags: - agent parameters: [] post: description: "" operationId: data_endpoint_firewall_Policy_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/CreateFirewallPolicy' responses: "201": description: "" schema: $ref: '#/definitions/CreateFirewallPolicy' tags: - agent /data/endpoint/firewall/Policy/delete/: delete: description: To delete multiple firewall policies. operationId: data_endpoint_FirewallPolicy_delete_list parameters: - in: body name: data required: true schema: $ref: '#/definitions/UUIDList' responses: "200": description: Successful Policy(ies) deletion examples: - application/json: code: multiple_policy_deleted deleted_policies: 3 deleted_profile_to_networks: 1 details: All firewall policies deleted (3 Firewall Policy(ies) & 1 linked ProfileToNetwork(s)). - application/json: code: multiple_policy_deleted deleted_policies: 2 deleted_profile_to_networks: 2 details: Deleted 2 Firewall Policy(ies) & 2 linked ProfileToNetwork(s). - application/json: code: no_policy_deleted details: No firewall policy deleted. 
schema: $ref: '#/definitions/_FirewallPolicyMassDeleteResponse' "400": description: Error, cannot delete a Firewall Policy used in an Agent Policy examples: application/json: agent_policy: - agent_policy_id: dummy_policy agent_policy_name: test_policy_1 - agent_policy_id: dummy_policy agent_policy_name: test_policy_1 code: policy_in_use details: You cannot delete a Firewall Policy used in one or more Agent Policies schema: $ref: '#/definitions/_FirewallPolicyInUseResponse' "403": description: Forbidden tags: - agent parameters: [] /data/endpoint/firewall/Policy/{id}/: delete: description: "" operationId: data_endpoint_firewall_Policy_delete parameters: [] responses: "204": description: "" "400": description: Error, cannot delete a Firewall Policy used in an Agent Policy examples: - application/json: agent_policy: - agent_policy_id: dummy_policy agent_policy_name: test_policy_1 - agent_policy_id: dummy_policy agent_policy_name: test_policy_1 code: policy_in_use details: You cannot delete a Firewall Policy used in one or more Agent Policies - application/json: code: no_policy_deleted details: You cannot delete the default Firewall Policy schema: $ref: '#/definitions/_FirewallPolicyInUseResponse' "403": description: "" schema: $ref: '#/definitions/FirewallCodeDetailsResponse' tags: - agent get: description: "" operationId: data_endpoint_firewall_Policy_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/DetailFirewallPolicy' tags: - agent parameters: - description: A UUID string identifying this firewall policy. 
format: uuid in: path name: id required: true type: string patch: description: "" operationId: data_endpoint_firewall_Policy_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/UpdateFirewallPolicy' responses: "200": description: "" schema: $ref: '#/definitions/UpdateFirewallPolicy' tags: - agent put: description: "" operationId: data_endpoint_firewall_Policy_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/UpdateFirewallPolicy' responses: "200": description: "" schema: $ref: '#/definitions/DetailFirewallPolicy' "400": description: "" schema: $ref: '#/definitions/FirewallCodeDetailsResponse' "403": description: "" schema: $ref: '#/definitions/FirewallCodeDetailsResponse' tags: - agent /data/endpoint/firewall/Policy/{id}/duplicate/: parameters: - description: A UUID string identifying this firewall policy. format: uuid in: path name: id required: true type: string post: description: "" operationId: data_endpoint_firewall_Policy_duplicate parameters: - in: body name: data required: true schema: $ref: '#/definitions/FirewallPolicyName' responses: "200": description: "" schema: $ref: '#/definitions/SubPolicyCopyResponse' "400": description: "" schema: $ref: '#/definitions/FirewallCodeDetailsResponse' "403": description: Forbidden "404": description: "" schema: $ref: '#/definitions/FirewallCodeDetailsResponse' "409": description: "" schema: $ref: '#/definitions/FirewallCodeDetailsResponse' tags: - agent /data/endpoint/firewall/Profile/: get: description: "" operationId: data_endpoint_firewall_Profile_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: description required: false type: string - description: "" in: query name: default_incoming_action required: false type: string - description: "" in: query name: default_outgoing_action required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query name: rules_count required: false type: number - in: query name: policies_count required: false type: number - in: query name: endpoints_count required: false type: number responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/FirewallProfile' type: array required: - count - results type: object tags: - agent parameters: [] post: description: "" operationId: data_endpoint_firewall_Profile_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/FirewallProfile' responses: "201": description: "" schema: $ref: '#/definitions/FirewallProfile' tags: - agent /data/endpoint/firewall/Profile/delete/: delete: description: To delete multiple firewall profiles. operationId: data_endpoint_FirewallProfile_delete_list parameters: - in: body name: data required: true schema: $ref: '#/definitions/UUIDList' responses: "200": description: Successful Profile(s) deletion examples: - application/json: code: multiple_profile_deleted deleted_profiles: 7 deleted_rules: 89 details: All firewall profiles deleted (7 Profile(s) & 89 linked Rule(s)). - application/json: code: multiple_profile_deleted deleted_profiles: 1 deleted_rules: 2 details: Deleted 1 Profile(s) & 2 linked Rule(s). 
- application/json: code: no_profile_deleted details: No firewall profile deleted. schema: $ref: '#/definitions/_FirewallProfileMassDeleteResponse' "400": description: Error, cannot delete a Profile used in a Policy examples: application/json: code: profile_in_use details: You cannot delete a Firewall Profile used in one or more Policies firewall_policy: - firewall_policy_id: UUID firewall_policy_name: test_firewall_policy_1 - firewall_policy_id: UUID firewall_policy_name: test_firewall_policy_1 schema: $ref: '#/definitions/_FirewallProfileInUseResponse' "403": description: Forbidden tags: - agent parameters: [] /data/endpoint/firewall/Profile/{id}/: delete: description: "" operationId: data_endpoint_firewall_Profile_delete parameters: [] responses: "204": description: "" "400": description: Error, cannot delete a Profile used in a Policy examples: - application/json: code: profile_in_use details: You cannot delete a Firewall Profile used in one or more Policies firewall_policy: - firewall_policy_id: UUID firewall_policy_name: test_firewall_policy_1 - firewall_policy_id: UUID firewall_policy_name: test_firewall_policy_1 - application/json: code: no_policy_deleted details: You cannot delete the default Firewall Profile schema: $ref: '#/definitions/_FirewallProfileInUseResponse' "403": description: "" schema: $ref: '#/definitions/FirewallCodeDetailsResponse' tags: - agent get: description: "" operationId: data_endpoint_firewall_Profile_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/DetailFirewallProfile' tags: - agent parameters: - description: A UUID string identifying this firewall profile. 
format: uuid in: path name: id required: true type: string patch: description: "" operationId: data_endpoint_firewall_Profile_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/FirewallProfile' responses: "200": description: "" schema: $ref: '#/definitions/FirewallProfile' tags: - agent put: description: "" operationId: data_endpoint_firewall_Profile_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/FirewallProfile' responses: "200": description: "" schema: $ref: '#/definitions/FirewallProfile' "400": description: "" schema: $ref: '#/definitions/FirewallCodeDetailsResponse' "403": description: "" schema: $ref: '#/definitions/FirewallCodeDetailsResponse' tags: - agent /data/endpoint/firewall/Profile/{id}/duplicate/: parameters: - description: A UUID string identifying this firewall profile. format: uuid in: path name: id required: true type: string post: description: "" operationId: data_endpoint_firewall_Profile_duplicate parameters: - in: body name: data required: true schema: $ref: '#/definitions/FirewallProfileName' responses: "200": description: "" schema: $ref: '#/definitions/_FirewallProfileCopyResponse' "400": description: "" schema: $ref: '#/definitions/FirewallCodeDetailsResponse' "403": description: Forbidden "404": description: "" schema: $ref: '#/definitions/FirewallCodeDetailsResponse' tags: - agent /data/endpoint/firewall/Profile/{id}/order/: parameters: - description: A UUID string identifying this firewall profile. 
format: uuid in: path name: id required: true type: string post: description: "" operationId: data_endpoint_firewall_Profile_order parameters: - in: body name: data required: true schema: $ref: '#/definitions/_FirewallProfileRuleOrdering' responses: "200": description: "" schema: $ref: '#/definitions/ListFirewallRule' "400": description: "" schema: $ref: '#/definitions/FirewallCodeDetailsResponse' "403": description: Forbidden "404": description: "" schema: $ref: '#/definitions/FirewallCodeDetailsResponse' tags: - agent /data/endpoint/firewall/Rule/: get: description: "" operationId: data_endpoint_firewall_Rule_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: description required: false type: string - description: "" in: query name: index required: false type: number - description: "" in: query name: direction required: false type: string - description: "" in: query name: action required: false type: string - description: "" in: query name: ip_version required: false type: string - description: "" in: query name: local_application required: false type: string - description: "" in: query name: enabled required: false type: string - description: "" in: query name: local_ip required: false type: string - description: "" in: query name: local_ports required: false type: string - description: "" in: query name: remote_ip required: false type: string - description: "" in: query name: remote_ports required: false type: string - description: "" in: query name: profile_id required: false type: string - description: Number of results to return per page. 
in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/ListFirewallRule' type: array required: - count - results type: object tags: - agent parameters: [] post: description: "" operationId: data_endpoint_firewall_Rule_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/CreateFirewallRule' responses: "201": description: "" schema: $ref: '#/definitions/CreateFirewallRule' tags: - agent /data/endpoint/firewall/Rule/delete/: delete: description: To delete multiple firewall rules. operationId: data_endpoint_FirewallRule_delete_list parameters: - in: body name: data required: true schema: $ref: '#/definitions/UUIDList' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "400": description: "" schema: $ref: '#/definitions/ResponseStatus' "403": description: Forbidden tags: - agent parameters: [] /data/endpoint/firewall/Rule/{id}/: delete: description: "" operationId: data_endpoint_firewall_Rule_delete parameters: [] responses: "204": description: "" tags: - agent get: description: "" operationId: data_endpoint_firewall_Rule_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/DetailFirewallRule' tags: - agent parameters: - description: A UUID string identifying this firewall rule. 
format: uuid in: path name: id required: true type: string patch: description: "" operationId: data_endpoint_firewall_Rule_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/UpdateFirewallRule' responses: "200": description: "" schema: $ref: '#/definitions/UpdateFirewallRule' tags: - agent put: description: "" operationId: data_endpoint_firewall_Rule_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/UpdateFirewallRule' responses: "200": description: "" schema: $ref: '#/definitions/DetailFirewallRule' "400": description: "" schema: $ref: '#/definitions/FirewallCodeDetailsResponse' "403": description: Forbidden tags: - agent /data/endpoint/firewall/Rule/{id}/duplicate/: parameters: - description: A UUID string identifying this firewall rule. format: uuid in: path name: id required: true type: string post: description: "" operationId: data_endpoint_firewall_Rule_duplicate parameters: - in: body name: data required: true schema: $ref: '#/definitions/FirewallRuleName' responses: "200": description: "" schema: $ref: '#/definitions/_FirewallRuleCopyResponse' "400": description: "" schema: $ref: '#/definitions/ResponseStatus' "403": description: Forbidden "404": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - agent /data/endpoint/vulnerability/Policy/: get: description: "" operationId: data_endpoint_vulnerability_Policy_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: description required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query name: endpoints_count required: false type: number - in: query name: linked_endpoint_policies_count required: false type: number - in: query name: enabled_cves_count_low required: false type: number - in: query name: enabled_cves_count_medium required: false type: number - in: query name: enabled_cves_count_high required: false type: number - in: query name: enabled_cves_count_critical required: false type: number responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/ListVulnerabilityPolicy' type: array required: - count - results type: object tags: - agent parameters: [] post: description: "" operationId: data_endpoint_vulnerability_Policy_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/CreateVulnerabilityPolicy' responses: "201": description: "" schema: $ref: '#/definitions/CreateVulnerabilityPolicy' tags: - agent /data/endpoint/vulnerability/Policy/delete/: delete: description: Delete multiple vulnerability policies. 
operationId: data_endpoint_vulnerability_Policy_delete_list parameters: - in: body name: data required: true schema: $ref: '#/definitions/DeleteVulnerabilityPolicies' responses: "204": description: Successful Policy(ies) deletion "400": description: Cannot delete a Vulnerability Policy used in an Agent Policy examples: application/json: agent_policies: - agent_policy_id: dummy_policy agent_policy_name: test_policy_1 - agent_policy_id: dummy_policy agent_policy_name: test_policy_1 code: policy_in_use details: You cannot delete a Vulnerability Policy used in one or more Agent Policies schema: $ref: '#/definitions/_VulnerabilityPolicyInUseResponse' "403": description: Forbidden tags: - agent parameters: [] /data/endpoint/vulnerability/Policy/{id}/: delete: description: "" operationId: data_endpoint_vulnerability_Policy_delete parameters: [] responses: "204": description: "" "400": description: Cannot delete a Vulnerability Policy used in an Agent Policy examples: - application/json: agent_policies: - agent_policy_id: dummy_policy agent_policy_name: test_policy_1 - agent_policy_id: dummy_policy agent_policy_name: test_policy_1 code: policy_in_use details: You cannot delete a Vulnerability Policy used in one or more Agent Policies - application/json: code: default_policy_protection details: You cannot delete the default Vulnerability Policy schema: $ref: '#/definitions/_VulnerabilityPolicyInUseResponse' "403": description: "" schema: $ref: '#/definitions/SubPolicyCodeDetailsResponse' tags: - agent get: description: "" operationId: data_endpoint_vulnerability_Policy_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/DetailVulnerabilityPolicy' tags: - agent parameters: - description: A UUID string identifying this vulnerability policy. 
format: uuid in: path name: id required: true type: string patch: description: "" operationId: data_endpoint_vulnerability_Policy_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/UpdateVulnerabilityPolicy' responses: "200": description: "" schema: $ref: '#/definitions/UpdateVulnerabilityPolicy' tags: - agent put: description: "" operationId: data_endpoint_vulnerability_Policy_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/UpdateVulnerabilityPolicy' responses: "200": description: "" schema: $ref: '#/definitions/DetailVulnerabilityPolicy' "400": description: "" schema: $ref: '#/definitions/SubPolicyCodeDetailsResponse' "403": description: "" schema: $ref: '#/definitions/SubPolicyCodeDetailsResponse' tags: - agent /data/endpoint/vulnerability/Policy/{id}/disable_cve/: parameters: - description: A UUID string identifying this vulnerability policy. format: uuid in: path name: id required: true type: string post: description: Disable a single CVE for the vulnerability policy operationId: data_endpoint_vulnerability_Policy_disable_cve parameters: - in: body name: data required: true schema: $ref: '#/definitions/CveId' responses: "204": description: "" "403": description: Forbidden "404": description: "" schema: $ref: '#/definitions/SubPolicyCodeDetailsResponse' tags: - agent /data/endpoint/vulnerability/Policy/{id}/disable_cves/: parameters: - description: A UUID string identifying this vulnerability policy. 
format: uuid in: path name: id required: true type: string post: description: Disable multiple CVEs for the vulnerability policy operationId: data_endpoint_vulnerability_Policy_disable_cves parameters: - in: body name: data required: true schema: $ref: '#/definitions/CveIdList' responses: "200": description: "" schema: $ref: '#/definitions/DisableCveBulk' "403": description: Forbidden "404": description: "" schema: $ref: '#/definitions/SubPolicyCodeDetailsResponse' tags: - agent /data/endpoint/vulnerability/Policy/{id}/duplicate/: parameters: - description: A UUID string identifying this vulnerability policy. format: uuid in: path name: id required: true type: string post: description: "" operationId: data_endpoint_vulnerability_Policy_duplicate parameters: - in: body name: data required: true schema: $ref: '#/definitions/VulnerabilityPolicyName' responses: "200": description: "" schema: $ref: '#/definitions/_VulnerabilityPolicyCopyResponse' "403": description: Forbidden "404": description: "" schema: $ref: '#/definitions/SubPolicyCodeDetailsResponse' "409": description: "" schema: $ref: '#/definitions/SubPolicyCodeDetailsResponse' tags: - agent /data/endpoint/vulnerability/Policy/{id}/enable_cve/: parameters: - description: A UUID string identifying this vulnerability policy. format: uuid in: path name: id required: true type: string post: description: Enable a single CVE for the vulnerability policy operationId: data_endpoint_vulnerability_Policy_enable_cve parameters: - in: body name: data required: true schema: $ref: '#/definitions/CveId' responses: "204": description: "" "403": description: Forbidden "404": description: "" schema: $ref: '#/definitions/SubPolicyCodeDetailsResponse' tags: - agent /data/endpoint/vulnerability/Policy/{id}/enable_cves/: parameters: - description: A UUID string identifying this vulnerability policy. 
format: uuid in: path name: id required: true type: string post: description: Enable multiple CVEs for the vulnerability policy operationId: data_endpoint_vulnerability_Policy_enable_cves parameters: - in: body name: data required: true schema: $ref: '#/definitions/CveIdList' responses: "200": description: "" schema: $ref: '#/definitions/EnableCveBulk' "403": description: Forbidden "404": description: "" schema: $ref: '#/definitions/SubPolicyCodeDetailsResponse' tags: - agent /data/host_properties/applications/: get: description: "" operationId: data_host_properties_applications_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: publisher required: false type: string - description: "" in: query name: ostype required: false type: string - description: "" in: query name: cpe_prefix required: false type: string - description: "" in: query name: app_type required: false type: string - description: "" in: query name: description required: false type: string - description: "" in: query name: active_installations required: false type: number - description: "" in: query name: total_installations required: false type: number - description: "" in: query name: first_installation_date required: false type: string - description: "" in: query name: last_installation_date required: false type: string - description: "" in: query name: first_seen required: false type: string - description: "" in: query name: last_seen required: false type: string - description: "" in: query name: oldest_version required: false type: string - description: "" in: query name: newest_version required: false type: string - description: "" in: query name: most_used_version 
required: false type: string - description: "" in: query name: most_used_version_count required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/AppStatistics' type: array required: - count - results type: object tags: - host_properties parameters: [] /data/host_properties/applications/export/: get: description: Endpoint for exporting the current queryset as a CSV file. Keep the `escaped` query parameter at its default of true unless the consumer explicitly needs raw values. The `escaped` parameter appears to control escaping of cell values, and exported fields such as name, publisher and description originate from software inventoried on endpoints, so unescaped values starting with =, +, - or @ may be evaluated as formulas when the file is opened in a spreadsheet (CSV injection). operationId: data_host_properties_applications_export parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: publisher required: false type: string - description: "" in: query name: ostype required: false type: string - description: "" in: query name: cpe_prefix required: false type: string - description: "" in: query name: app_type required: false type: string - description: "" in: query name: description required: false type: string - description: "" in: query name: active_installations required: false type: number - description: "" in: query name: total_installations required: false type: number - description: "" in: query name: first_installation_date required: false type: string - description: "" in: query name: last_installation_date required: false type: string - description: "" in: query name: first_seen required: false type: string - description: "" in: query name: last_seen 
required: false type: string - description: "" in: query name: oldest_version required: false type: string - description: "" in: query name: newest_version required: false type: string - description: "" in: query name: most_used_version required: false type: string - description: "" in: query name: most_used_version_count required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - host_properties parameters: [] /data/host_properties/applications/refresh/: parameters: [] post: description: Refresh the materialized view for application statistics data. This starts an asynchronous refresh task; a 200 response only confirms that the task was started, not that the refresh has completed (poll the refresh_state endpoint for the outcome). The request body is declared as an AppStatistics object. operationId: data_host_properties_applications_refresh_mv parameters: - in: body name: data required: true schema: $ref: '#/definitions/AppStatistics' responses: "200": description: Application materialized view refreshing task started "400": description: Error message tags: - host_properties /data/host_properties/applications/refresh_state/: get: description: Get the status object of the most recent refresh run of the materialized view for application statistics data; responds 404 when no refresh run has been recorded yet. operationId: data_host_properties_applications_refresh_state parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: publisher required: false type: string - description: "" in: query name: ostype required: false type: string - description: "" in: query name: cpe_prefix required: false type: string - description: "" in: query name: app_type required: false type: string - description: "" in: query name: description required: false type: string - description: "" in: query name: active_installations required: false type: number - description: "" in: query name: total_installations required: false type: number - description: "" in: query name: first_installation_date required: false type: string - description: "" in: query name: last_installation_date required: false type: string - description: "" in: query name: first_seen required: false type: string - description: "" in: query name: last_seen required: false type: string - description: "" in: query name: oldest_version required: false type: string - description: "" in: query name: newest_version required: false type: string - description: "" in: query name: most_used_version required: false type: string - description: "" in: query name: most_used_version_count required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: $ref: '#/definitions/MaterializedViewStatus' "404": description: No refresh run found tags: - host_properties parameters: [] /data/host_properties/applications/{id}/: get: description: "" operationId: data_host_properties_applications_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/AppStatistics' tags: - host_properties parameters: - description: A UUID string identifying this app statistic materialized view. format: uuid in: path name: id required: true type: string /data/host_properties/installations/: get: description: "" operationId: data_host_properties_installations_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: application required: false type: string - description: "" in: query name: agent required: false type: string - description: "" in: query name: version required: false type: string - description: "" in: query name: installation_date required: false type: string - description: "" in: query name: installed_for required: false type: string - description: "" in: query name: first_seen required: false type: string - description: "" in: query name: last_seen required: false type: string - description: "" in: query name: installed_as_dependency required: false type: string - description: "" in: query name: source_package_name required: false type: string - description: "" in: query name: source_package_version required: false type: string - description: "" in: query name: status required: false type: string - in: query name: agent.groups.name__wildcard required: false type: string - in: query name: agent.groups.name__exact required: false type: string - description: 
Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query name: agent.hostname required: false type: string - in: query name: agent.id required: false type: string - in: query name: agent.osproducttype required: false type: string - in: query name: agent.domainname required: false type: string - in: query name: agent.policy.id required: false type: string - in: query name: agent.policy.name required: false type: string - in: query name: agent.groups.id required: false type: string - in: query name: application.id required: false type: string - in: query name: application.name required: false type: string - in: query name: application.publisher required: false type: string - enum: - linux - macos - windows in: query name: application.ostype required: false type: string - in: query name: application.description required: false type: string - enum: - uwp - win32 in: query name: application.app_type required: false type: string responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/Installation' type: array required: - count - results type: object tags: - host_properties parameters: [] /data/host_properties/installations/export/: get: description: Endpoint for exporting the current queryset as a CSV file. operationId: data_host_properties_installations_export parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: application required: false type: string - description: "" in: query name: agent required: false type: string - description: "" in: query name: version required: false type: string - description: "" in: query name: installation_date required: false type: string - description: "" in: query name: installed_for required: false type: string - description: "" in: query name: first_seen required: false type: string - description: "" in: query name: last_seen required: false type: string - description: "" in: query name: installed_as_dependency required: false type: string - description: "" in: query name: source_package_name required: false type: string - description: "" in: query name: source_package_version required: false type: string - description: "" in: query name: status required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - host_properties parameters: [] /data/host_properties/installations/version_graph/: get: description: "" operationId: data_host_properties_installations_version_graph parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: application required: false type: string - description: "" in: query name: agent required: false type: string - description: "" in: query name: version required: false type: string - description: "" in: query name: installation_date required: false type: string - description: "" in: query name: installed_for required: false type: string - description: "" in: query name: first_seen required: false type: string - description: "" in: query name: last_seen required: false type: string - description: "" in: query name: installed_as_dependency required: false type: string - description: "" in: query name: source_package_name required: false type: string - description: "" in: query name: source_package_version required: false type: string - description: "" in: query name: status required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - format: date in: query name: from_date required: true type: string - format: date in: query name: to_date required: true type: string - format: uuid in: query name: application_id required: true type: string responses: "200": description: "" schema: items: $ref: '#/definitions/InstallationVersionGraphResponse' type: array "400": description: Invalid form examples: application/json: field_name: - error message - other error message "404": description: Not found examples: application/json: detail: Not found. 
tags: - host_properties parameters: [] /data/host_properties/installations/{id}/: get: description: "" operationId: data_host_properties_installations_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Installation' tags: - host_properties parameters: - description: A UUID string identifying this installation. format: uuid in: path name: id required: true type: string /data/host_properties/local_groups/windows/: get: description: "" operationId: data_host_properties_local_groups_windows_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: last_update required: false type: string - description: "" in: query name: creation_date required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: agent required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: comment required: false type: string - description: "" in: query name: sid required: false type: string - description: "" in: query name: kind required: false type: string - description: "" in: query name: domain required: false type: string - description: "" in: query name: parent_group required: false type: string - description: "" in: query name: local_users required: false type: string - description: "" in: query name: remote_users required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query name: agent.hostname required: false type: string - in: query name: agent.id required: false type: string - in: query name: user_count required: false type: number - in: query name: parent_group.id required: false type: string responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/WindowsLocalGroup' type: array required: - count - results type: object tags: - host_properties parameters: [] /data/host_properties/local_groups/windows/export/: get: description: Endpoint for exporting the current queryset as a CSV file. operationId: data_host_properties_local_groups_windows_export parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: last_update required: false type: string - description: "" in: query name: creation_date required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: agent required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: comment required: false type: string - description: "" in: query name: sid required: false type: string - description: "" in: query name: kind required: false type: string - description: "" in: query name: domain required: false type: string - description: "" in: query name: parent_group required: false type: string - description: "" in: query name: local_users required: false type: string - description: "" in: query name: remote_users required: false type: string - description: Number of results to return per page. 
in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - host_properties parameters: [] /data/host_properties/local_groups/windows/{id}/: get: description: "" operationId: data_host_properties_local_groups_windows_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/WindowsLocalGroup' tags: - host_properties parameters: - description: A unique value identifying this windows local group. in: path name: id required: true type: string /data/host_properties/local_users/windows/: get: description: "" operationId: data_host_properties_local_users_windows_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: last_update required: false type: string - description: "" in: query name: creation_date required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: sid required: false type: string - description: "" in: query name: agent required: false type: string - description: "" in: query name: rid required: false type: number - description: "" in: query name: full_name required: false type: string - description: "" in: query name: privilege_level required: false type: string - description: "" in: query name: password_last_set required: false type: string - description: "" in: query name: password_expired required: false type: string - description: "" in: query name: num_logons required: false type: number - description: "" in: query name: last_logon required: false type: string - description: "" in: query name: bad_password_count required: false type: number - description: "" in: query name: comment required: false type: string - description: "" in: query name: flags required: false type: number - description: "" in: query name: password_doesnt_expire required: false type: string - description: "" in: query name: account_disabled required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query name: agent.hostname required: false type: string - in: query name: agent.id required: false type: string responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/WindowsLocalUser' type: array required: - count - results type: object tags: - host_properties parameters: [] /data/host_properties/local_users/windows/export/: get: description: Endpoint for exporting the current queryset as a CSV file. operationId: data_host_properties_local_users_windows_export parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: last_update required: false type: string - description: "" in: query name: creation_date required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: sid required: false type: string - description: "" in: query name: agent required: false type: string - description: "" in: query name: rid required: false type: number - description: "" in: query name: full_name required: false type: string - description: "" in: query name: privilege_level required: false type: string - description: "" in: query name: password_last_set required: false type: string - description: "" in: query name: password_expired required: false type: string - description: "" in: query name: num_logons required: false type: number - description: "" in: query name: last_logon required: false type: string - description: "" in: query name: bad_password_count required: false type: number - description: "" in: query name: comment required: false type: string - 
description: "" in: query name: flags required: false type: number - description: "" in: query name: password_doesnt_expire required: false type: string - description: "" in: query name: account_disabled required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - host_properties parameters: [] /data/host_properties/local_users/windows/{id}/: get: description: "" operationId: data_host_properties_local_users_windows_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/WindowsLocalUser' tags: - host_properties parameters: - description: A unique value identifying this windows local user. in: path name: id required: true type: string /data/host_properties/net_interfaces/: get: description: "" operationId: data_host_properties_net_interfaces_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: guid required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query name: agent.hostname required: false type: string - in: query name: agent.id required: false type: string responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/NetInterface' type: array required: - count - results type: object tags: - host_properties parameters: [] /data/host_properties/net_interfaces/export/: get: description: Endpoint for exporting the current queryset as a CSV file. Accepts the same filter parameters as the list endpoint; fields restricts the exported columns, length caps the number of exported rows (default 100, maximum 500000), and escaped (default true) controls escaping of exported values and should be left enabled when the file will be opened in a spreadsheet application. operationId: data_host_properties_net_interfaces_export parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: guid required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - host_properties parameters: [] /data/host_properties/net_interfaces/{id}/: get: description: "" operationId: data_host_properties_net_interfaces_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/NetInterface' tags: - host_properties parameters: - description: A UUID string identifying this net interface. 
format: uuid in: path name: id required: true type: string /data/host_properties/os_support/: get: description: "" operationId: data_host_properties_os_support_list parameters: [] responses: "200": description: |- Host Properties OS compatibility list. Shows which host properties types (application, disk, group, net_interface, qfe, quarantine, user) are available on each operating system (linux, macos, windows), as in the example below. examples: application/json: - host_properties_type: application supported_os: - linux - windows - host_properties_type: disk supported_os: - linux - macos - windows - host_properties_type: group supported_os: - windows - host_properties_type: net_interface supported_os: - linux - macos - windows - host_properties_type: qfe supported_os: - windows - host_properties_type: quarantine supported_os: - linux - macos - windows - host_properties_type: user supported_os: - windows schema: items: $ref: '#/definitions/HostPropertiesOSSupport' type: array tags: - host_properties parameters: [] /data/host_properties/qfes/: get: description: "" operationId: data_host_properties_qfes_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: agent required: false type: string - description: "" in: query name: hot_fix_id required: false type: string - description: "" in: query name: description required: false type: string - description: "" in: query name: caption required: false type: string - description: "" in: query name: installed_by required: false type: string - description: "" in: query name: installed_on required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query name: agent.hostname required: false type: string - in: query name: agent.id required: false type: string responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/WindowsQfe' type: array required: - count - results type: object tags: - host_properties parameters: [] /data/host_properties/qfes/export/: get: description: Endpoint for exporting the current queryset as a CSV file. operationId: data_host_properties_qfes_export parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: agent required: false type: string - description: "" in: query name: hot_fix_id required: false type: string - description: "" in: query name: description required: false type: string - description: "" in: query name: caption required: false type: string - description: "" in: query name: installed_by required: false type: string - description: "" in: query name: installed_on required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - host_properties parameters: [] /data/host_properties/qfes/{id}/: get: description: "" operationId: data_host_properties_qfes_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/WindowsQfe' tags: - host_properties parameters: - description: A UUID string identifying this windows qfe. format: uuid in: path name: id required: true type: string /data/host_properties/remote_users/windows/: get: description: "" operationId: data_host_properties_remote_users_windows_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: last_update required: false type: string - description: "" in: query name: creation_date required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: sid required: false type: string - description: "" in: query name: domain required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query name: agent.hostname required: false type: string - in: query name: agent.id required: false type: string responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/WindowsRemoteUser' type: array required: - count - results type: object tags: - host_properties parameters: [] /data/host_properties/remote_users/windows/export/: get: description: Endpoint for exporting the current queryset as a CSV file. operationId: data_host_properties_remote_users_windows_export parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: last_update required: false type: string - description: "" in: query name: creation_date required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: sid required: false type: string - description: "" in: query name: domain required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - host_properties parameters: [] /data/host_properties/remote_users/windows/{id}/: get: description: "" operationId: data_host_properties_remote_users_windows_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/WindowsRemoteUser' tags: - host_properties parameters: - description: A unique value identifying this windows remote user. in: path name: id required: true type: string /data/host_properties/subnets/: get: description: "" operationId: data_host_properties_subnets_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: gateway_ipaddress required: false type: string - description: "" in: query name: gateway_macaddress required: false type: string - description: "" in: query name: gateway_oui required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: description required: false type: string - description: "" in: query name: auto_scan required: false type: string - description: "" in: query name: existing_agent_count required: false type: number - description: "" in: query name: missing_agent_count required: false type: number - description: "" in: query name: randomized_mac_address_count required: false type: number - description: "" in: query name: last_seen required: false type: string - description: "" in: query name: first_seen required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query name: total_agent_count required: false type: number - in: query name: blacklisted required: false type: boolean - in: query name: whitelisted required: false type: boolean responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/__SubnetSerializer' type: array required: - count - results type: object tags: - host_properties parameters: [] /data/host_properties/subnets/export/: get: description: Endpoint for exporting the current queryset as a CSV file. operationId: data_host_properties_subnets_export parameters: - description: A search term. 
in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: gateway_ipaddress required: false type: string - description: "" in: query name: gateway_macaddress required: false type: string - description: "" in: query name: gateway_oui required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: description required: false type: string - description: "" in: query name: auto_scan required: false type: string - description: "" in: query name: existing_agent_count required: false type: number - description: "" in: query name: missing_agent_count required: false type: number - description: "" in: query name: randomized_mac_address_count required: false type: number - description: "" in: query name: last_seen required: false type: string - description: "" in: query name: first_seen required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - host_properties parameters: [] /data/host_properties/subnets/{id}/: get: description: "" operationId: data_host_properties_subnets_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/__SubnetSerializer' tags: - host_properties parameters: - description: A UUID string identifying this subnet. 
format: uuid in: path name: id required: true type: string patch: description: "" operationId: data_host_properties_subnets_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/__SubnetSerializer' responses: "200": description: "" schema: $ref: '#/definitions/__SubnetSerializer' tags: - host_properties put: description: "" operationId: data_host_properties_subnets_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/__SubnetSerializer' responses: "200": description: "" schema: $ref: '#/definitions/__SubnetSerializer' tags: - host_properties /data/identity_management/IdentityDevice/: get: description: "" operationId: data_identity_management_IdentityDevice_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: hostname required: false type: string - description: "" in: query name: sid required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/IdentityDevice' type: array required: - count - results type: object tags: - identity parameters: [] /data/identity_management/IdentityDevice/{id}/: get: description: "" operationId: data_identity_management_IdentityDevice_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/IdentityDevice' tags: - identity parameters: - description: A UUID string identifying this identity device. 
format: uuid in: path name: id required: true type: string /data/identity_management/IdentityDomain/: get: description: "" operationId: data_identity_management_IdentityDomain_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/IdentityDomain' type: array required: - count - results type: object tags: - identity parameters: [] /data/identity_management/IdentityDomain/{id}/: get: description: "" operationId: data_identity_management_IdentityDomain_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/IdentityDomain' tags: - identity parameters: - description: A UUID string identifying this identity domain. format: uuid in: path name: id required: true type: string /data/identity_management/IdentityOrganizationalUnit/: get: description: "" operationId: data_identity_management_IdentityOrganizationalUnit_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: description required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/IdentityOrganizationalUnit' type: array required: - count - results type: object tags: - identity parameters: [] /data/identity_management/IdentityOrganizationalUnit/{id}/: get: description: "" operationId: data_identity_management_IdentityOrganizationalUnit_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/IdentityOrganizationalUnit' tags: - identity parameters: - description: A UUID string identifying this identity organizational unit. format: uuid in: path name: id required: true type: string /data/investigation/artefact/Artefact/: get: description: "" operationId: data_investigation_artefact_Artefact_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/Artefact' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/artefact/Artefact/download/: get: description: "" operationId: data_investigation_artefact_Artefact_download_from_jobinstance_id parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: artefact schema: type: file tags: - investigation parameters: [] /data/investigation/artefact/Artefact/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_artefact_Artefact_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/artefact/Artefact/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_artefact_Artefact_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids.
tags: - investigation /data/investigation/artefact/Artefact/{id}/: get: description: "" operationId: data_investigation_artefact_Artefact_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Artefact' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/artefact/Artefact/{id}/download/: get: description: "" operationId: data_investigation_artefact_Artefact_download parameters: [] responses: "200": description: artefact schema: type: file tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/artefact/ArtefactAggregate/: get: description: |- Groups together all elements that are equal on a given list of fields. Each element will be assigned an additional field `count` corresponding to the number of elements with the same characteristics. operationId: data_investigation_artefact_ArtefactAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/Artefact' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/artefact/ArtefactAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_artefact_ArtefactAggregate_export parameters: - description: Number of results to return per page.
in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/artefact/ArtefactAggregate/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_artefact_ArtefactAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by the current search. tags: - investigation /data/investigation/artefact/ArtefactAggregate/{id}/: get: description: "" operationId: data_investigation_artefact_ArtefactAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Artefact' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/case/InvestigationCase/: get: description: "" operationId: data_investigation_case_InvestigationCase_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results.
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/InvestigationCase' type: array required: - count - results type: object tags: - investigation parameters: [] post: description: "" operationId: data_investigation_case_InvestigationCase_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/InvestigationCase' responses: "201": description: "" schema: $ref: '#/definitions/InvestigationCase' tags: - investigation /data/investigation/case/InvestigationCase/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_case_InvestigationCase_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/case/InvestigationCase/{id}/: delete: description: "" operationId: data_investigation_case_InvestigationCase_delete parameters: [] responses: "204": description: "" tags: - investigation get: description: "" operationId: data_investigation_case_InvestigationCase_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/InvestigationCase' tags: - investigation parameters: - in: path name: id required: true type: string patch: description: "" operationId: data_investigation_case_InvestigationCase_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/InvestigationCase' responses: "200": description: "" schema: $ref: '#/definitions/InvestigationCase' tags: - investigation put: description: "" operationId: data_investigation_case_InvestigationCase_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/InvestigationCase' responses: "200": description: "" schema: $ref: '#/definitions/InvestigationCase' tags: - investigation /data/investigation/case/InvestigationCase/{id}/add_agents/: parameters: - in: path name: id required: true type: string post: description: Append agent operationId: data_investigation_case_InvestigationCase_add_agents parameters: - in: body name: data required: true schema: $ref: '#/definitions/_ManageAgentRequest' responses: "200": description: "" schema: $ref: '#/definitions/_AddAgentResponse' tags: - investigation /data/investigation/case/InvestigationCase/{id}/add_timeline/: parameters: - in: path name: id required: true type: string 
post: description: Append timeline events operationId: data_investigation_case_InvestigationCase_add_timeline parameters: - in: body name: data required: true schema: $ref: '#/definitions/_AddTimelineRequest' responses: "200": description: "" schema: $ref: '#/definitions/_AddTimelineResponse' tags: - investigation /data/investigation/case/InvestigationCase/{id}/comments/: delete: description: "" operationId: data_investigation_case_InvestigationCase_comments_delete parameters: - in: body name: data required: true schema: $ref: '#/definitions/IdComment' responses: "200": description: "" schema: $ref: '#/definitions/CommentResponse' tags: - investigation get: description: "" operationId: data_investigation_case_InvestigationCase_comments_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/CommentResponse' tags: - investigation parameters: - in: path name: id required: true type: string patch: description: "" operationId: data_investigation_case_InvestigationCase_comments_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditBody' responses: "200": description: "" schema: $ref: '#/definitions/CommentResponse' tags: - investigation post: description: "" operationId: data_investigation_case_InvestigationCase_comments_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/BaseComment' responses: "201": description: "" schema: $ref: '#/definitions/CommentResponse' tags: - investigation /data/investigation/case/InvestigationCase/{id}/delete_agents/: parameters: - in: path name: id required: true type: string post: description: Remove agents operationId: data_investigation_case_InvestigationCase_delete_agents parameters: - in: body name: data required: true schema: $ref: '#/definitions/_ManageAgentRequest' responses: "200": description: "" schema: $ref: '#/definitions/_DeleteAgentResponse' tags: - investigation 
/data/investigation/case/InvestigationCase/{id}/delete_timeline/: parameters: - in: path name: id required: true type: string post: description: Remove timeline elements operationId: data_investigation_case_InvestigationCase_delete_timeline parameters: - in: body name: data required: true schema: $ref: '#/definitions/_AddTimelineRequest' responses: "200": description: "" schema: $ref: '#/definitions/_DeleteTimelineResponse' tags: - investigation /data/investigation/hunting/AgentDiagnostic/: get: description: "" operationId: data_investigation_hunting_AgentDiagnostic_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/AgentDiagnostic' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/hunting/AgentDiagnostic/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_AgentDiagnostic_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/AgentDiagnostic/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_AgentDiagnostic_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids. tags: - investigation /data/investigation/hunting/AgentDiagnostic/{id}/: get: description: "" operationId: data_investigation_hunting_AgentDiagnostic_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/AgentDiagnostic' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/AgentDiagnosticAggregate/: get: description: |- Groups together all elements that are equal on a given list of fields. Each element will be assigned an additional field `count` corresponding to the number of elements with the same characteristics. operationId: data_investigation_hunting_AgentDiagnosticAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results.
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/AgentDiagnostic' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/hunting/AgentDiagnosticAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_AgentDiagnosticAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/AgentDiagnosticAggregate/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_AgentDiagnosticAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by the current search.
tags: - investigation /data/investigation/hunting/AgentDiagnosticAggregate/{id}/: get: description: "" operationId: data_investigation_hunting_AgentDiagnosticAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/AgentDiagnostic' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/AmCache/: get: description: "" operationId: data_investigation_hunting_AmCache_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/AmCache' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/hunting/AmCache/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_AmCache_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/AmCache/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. 
You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_AmCache_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids. tags: - investigation /data/investigation/hunting/AmCache/{id}/: get: description: "" operationId: data_investigation_hunting_AmCache_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/AmCache' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/AmCacheAggregate/: get: description: |- Groups together all elements that are equal on a given list of fields. Each element will be assigned an additional field `count` corresponding to the number of elements with the same characteristics. operationId: data_investigation_hunting_AmCacheAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/AmCache' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/hunting/AmCacheAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_AmCacheAggregate_export parameters: - description: Number of results to return per page.
in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/AmCacheAggregate/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_AmCacheAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by the current search. tags: - investigation /data/investigation/hunting/AmCacheAggregate/{id}/: get: description: "" operationId: data_investigation_hunting_AmCacheAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/AmCache' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/AntivirusScan/: get: description: "" operationId: data_investigation_hunting_AntivirusScan_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results.
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/AntivirusScan' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/hunting/AntivirusScan/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_AntivirusScan_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/AntivirusScan/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_AntivirusScan_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids.
tags: - investigation /data/investigation/hunting/AntivirusScan/{id}/: get: description: "" operationId: data_investigation_hunting_AntivirusScan_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/AntivirusScan' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/AntivirusScanAggregate/: get: description: |- Groups together all elements that are equal on a given list of fields. Each element will be assigned an additional field `count` corresponding to the number of elements with the same characteristics. operationId: data_investigation_hunting_AntivirusScanAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/AntivirusScan' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/hunting/AntivirusScanAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_AntivirusScanAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results.
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/AntivirusScanAggregate/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_AntivirusScanAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by the current search. tags: - investigation /data/investigation/hunting/AntivirusScanAggregate/{id}/: get: description: "" operationId: data_investigation_hunting_AntivirusScanAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/AntivirusScan' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/AppCertDll/: get: description: "" operationId: data_investigation_hunting_AppCertDll_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results.
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/AppCertDll' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/hunting/AppCertDll/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_AppCertDll_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/AppCertDll/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_AppCertDll_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids. 
tags: - investigation /data/investigation/hunting/AppCertDll/{id}/: get: description: "" operationId: data_investigation_hunting_AppCertDll_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/AppCertDll' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/AppCertDllAggregate/: get: description: |- Groups all elements that are equal on a given list of fields. Each element will be assigned an additional field `count` corresponding to the number of elements with the same characteristics. operationId: data_investigation_hunting_AppCertDllAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/AppCertDll' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/hunting/AppCertDllAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_AppCertDllAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/AppCertDllAggregate/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_AppCertDllAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by the current search. tags: - investigation /data/investigation/hunting/AppCertDllAggregate/{id}/: get: description: "" operationId: data_investigation_hunting_AppCertDllAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/AppCertDll' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/AppCompatInstalledSDB/: get: description: "" operationId: data_investigation_hunting_AppCompatInstalledSDB_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/AppCompatInstalledSDB' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/hunting/AppCompatInstalledSDB/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_AppCompatInstalledSDB_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/AppCompatInstalledSDB/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_AppCompatInstalledSDB_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids. 
tags: - investigation /data/investigation/hunting/AppCompatInstalledSDB/{id}/: get: description: "" operationId: data_investigation_hunting_AppCompatInstalledSDB_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/AppCompatInstalledSDB' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/AppCompatInstalledSDBAggregate/: get: description: |- Groups all elements that are equal on a given list of fields. Each element will be assigned an additional field `count` corresponding to the number of elements with the same characteristics. operationId: data_investigation_hunting_AppCompatInstalledSDBAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/AppCompatInstalledSDB' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/hunting/AppCompatInstalledSDBAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_AppCompatInstalledSDBAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/AppCompatInstalledSDBAggregate/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_AppCompatInstalledSDBAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by the current search. tags: - investigation /data/investigation/hunting/AppCompatInstalledSDBAggregate/{id}/: get: description: "" operationId: data_investigation_hunting_AppCompatInstalledSDBAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/AppCompatInstalledSDB' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/AppInitDll/: get: description: "" operationId: data_investigation_hunting_AppInitDll_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/AppInitDll' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/hunting/AppInitDll/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_AppInitDll_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/AppInitDll/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_AppInitDll_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids. 
tags: - investigation /data/investigation/hunting/AppInitDll/{id}/: get: description: "" operationId: data_investigation_hunting_AppInitDll_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/AppInitDll' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/AppInitDllAggregate/: get: description: |- Groups all elements that are equal on a given list of fields. Each element will be assigned an additional field `count` corresponding to the number of elements with the same characteristics. operationId: data_investigation_hunting_AppInitDllAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/AppInitDll' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/hunting/AppInitDllAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_AppInitDllAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/AppInitDllAggregate/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_AppInitDllAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by the current search. tags: - investigation /data/investigation/hunting/AppInitDllAggregate/{id}/: get: description: "" operationId: data_investigation_hunting_AppInitDllAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/AppInitDll' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/Bootkit/: get: description: "" operationId: data_investigation_hunting_Bootkit_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/Bootkit' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/hunting/Bootkit/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_Bootkit_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/Bootkit/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_Bootkit_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids. 
tags: - investigation /data/investigation/hunting/Bootkit/{id}/: get: description: "" operationId: data_investigation_hunting_Bootkit_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Bootkit' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/BootkitAggregate/: get: description: |- Groups all elements that are equal on a given list of fields. Each element will be assigned an additional field `count` corresponding to the number of elements with the same characteristics. operationId: data_investigation_hunting_BootkitAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/Bootkit' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/hunting/BootkitAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_BootkitAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/BootkitAggregate/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_BootkitAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by the current search. tags: - investigation /data/investigation/hunting/BootkitAggregate/{id}/: get: description: "" operationId: data_investigation_hunting_BootkitAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Bootkit' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/CLSID/: get: description: "" operationId: data_investigation_hunting_CLSID_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/CLSID' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/hunting/CLSID/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_CLSID_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/CLSID/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_CLSID_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids. 
tags: - investigation /data/investigation/hunting/CLSID/{id}/: get: description: "" operationId: data_investigation_hunting_CLSID_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/CLSID' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/CLSIDAggregate/: get: description: |- Groups all elements that are equal on a given list of fields. Each element will be assigned an additional field `count` corresponding to the number of elements with the same characteristics. operationId: data_investigation_hunting_CLSIDAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/CLSID' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/hunting/CLSIDAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_CLSIDAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/CLSIDAggregate/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_CLSIDAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by the current search. tags: - investigation /data/investigation/hunting/CLSIDAggregate/{id}/: get: description: "" operationId: data_investigation_hunting_CLSIDAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/CLSID' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/ControlVariousValues/: get: description: "" operationId: data_investigation_hunting_ControlVariousValues_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/ControlVariousValues' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/hunting/ControlVariousValues/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_ControlVariousValues_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/ControlVariousValues/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_ControlVariousValues_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids. 
tags: - investigation /data/investigation/hunting/ControlVariousValues/{id}/: get: description: "" operationId: data_investigation_hunting_ControlVariousValues_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ControlVariousValues' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/ControlVariousValuesAggregate/: get: description: |- Groups all elements that are equal on a given list of fields. Each element will be assigned an additional field `count` corresponding to the number of elements with the same characteristics. operationId: data_investigation_hunting_ControlVariousValuesAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/ControlVariousValues' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/hunting/ControlVariousValuesAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_ControlVariousValuesAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/ControlVariousValuesAggregate/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_ControlVariousValuesAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by the current search. tags: - investigation /data/investigation/hunting/ControlVariousValuesAggregate/{id}/: get: description: "" operationId: data_investigation_hunting_ControlVariousValuesAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ControlVariousValues' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/CredentialProvider/: get: description: "" operationId: data_investigation_hunting_CredentialProvider_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/CredentialProvider' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/hunting/CredentialProvider/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_CredentialProvider_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/CredentialProvider/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_CredentialProvider_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids. 
tags: - investigation /data/investigation/hunting/CredentialProvider/{id}/: get: description: "" operationId: data_investigation_hunting_CredentialProvider_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/CredentialProvider' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/CredentialProviderAggregate/: get: description: |- Grouping of all elements that are equal on a given list of fields. Each element will be assigned an additional field `count` corresponding to the number of elements with the same characteristics. operationId: data_investigation_hunting_CredentialProviderAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/CredentialProvider' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/hunting/CredentialProviderAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_CredentialProviderAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/CredentialProviderAggregate/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_CredentialProviderAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by the current search. tags: - investigation /data/investigation/hunting/CredentialProviderAggregate/{id}/: get: description: "" operationId: data_investigation_hunting_CredentialProviderAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/CredentialProvider' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/DeviceBootSectors/: get: description: "" operationId: data_investigation_hunting_DeviceBootSectors_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/DeviceBootSectors' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/hunting/DeviceBootSectors/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_DeviceBootSectors_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/DeviceBootSectors/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_DeviceBootSectors_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids. 
tags: - investigation /data/investigation/hunting/DeviceBootSectors/{id}/: get: description: "" operationId: data_investigation_hunting_DeviceBootSectors_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/DeviceBootSectors' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/DeviceBootSectorsAggregate/: get: description: |- Grouping of all elements that are equal on a given list of fields. Each element will be assigned an additional field `count` corresponding to the number of elements with the same characteristics. operationId: data_investigation_hunting_DeviceBootSectorsAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/DeviceBootSectors' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/hunting/DeviceBootSectorsAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_DeviceBootSectorsAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/DeviceBootSectorsAggregate/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_DeviceBootSectorsAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by the current search. tags: - investigation /data/investigation/hunting/DeviceBootSectorsAggregate/{id}/: get: description: "" operationId: data_investigation_hunting_DeviceBootSectorsAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/DeviceBootSectors' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/Driver/: get: description: "" operationId: data_investigation_hunting_Driver_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/Driver' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/hunting/Driver/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_Driver_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/Driver/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_Driver_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids. 
tags: - investigation /data/investigation/hunting/Driver/{id}/: get: description: "" operationId: data_investigation_hunting_Driver_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Driver' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/DriverAggregate/: get: description: |- Grouping of all elements that are equal on a given list of fields. Each element will be assigned an additional field `count` corresponding to the number of elements with the same characteristics. operationId: data_investigation_hunting_DriverAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/Driver' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/hunting/DriverAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_DriverAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/DriverAggregate/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_DriverAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by the current search. tags: - investigation /data/investigation/hunting/DriverAggregate/{id}/: get: description: "" operationId: data_investigation_hunting_DriverAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Driver' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/Environment/: get: description: "" operationId: data_investigation_hunting_Environment_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/Environment' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/hunting/Environment/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_Environment_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/Environment/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_Environment_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids. 
tags: - investigation /data/investigation/hunting/Environment/{id}/: get: description: "" operationId: data_investigation_hunting_Environment_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Environment' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/EnvironmentAggregate/: get: description: |- Grouping of all elements that are equal on a given list of fields. Each element will be assigned an additional field `count` corresponding to the number of elements with the same characteristics. operationId: data_investigation_hunting_EnvironmentAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/Environment' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/hunting/EnvironmentAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_EnvironmentAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/EnvironmentAggregate/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_EnvironmentAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by the current search. tags: - investigation /data/investigation/hunting/EnvironmentAggregate/{id}/: get: description: "" operationId: data_investigation_hunting_EnvironmentAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Environment' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/ImageFileExecutionOption/: get: description: "" operationId: data_investigation_hunting_ImageFileExecutionOption_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/ImageFileExecutionOption' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/hunting/ImageFileExecutionOption/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_ImageFileExecutionOption_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/ImageFileExecutionOption/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_ImageFileExecutionOption_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids. 
tags: - investigation /data/investigation/hunting/ImageFileExecutionOption/{id}/: get: description: "" operationId: data_investigation_hunting_ImageFileExecutionOption_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ImageFileExecutionOption' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/ImageFileExecutionOptionAggregate/: get: description: |- Grouping of all elements that are equal on a given list of fields. Each element will be assigned an additional field `count` corresponding to the number of elements with the same characteristics. operationId: data_investigation_hunting_ImageFileExecutionOptionAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/ImageFileExecutionOption' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/hunting/ImageFileExecutionOptionAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_ImageFileExecutionOptionAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/ImageFileExecutionOptionAggregate/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_ImageFileExecutionOptionAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by the current search. tags: - investigation /data/investigation/hunting/ImageFileExecutionOptionAggregate/{id}/: get: description: "" operationId: data_investigation_hunting_ImageFileExecutionOptionAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ImageFileExecutionOption' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/Interface/: get: description: "" operationId: data_investigation_hunting_Interface_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/Interface' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/hunting/Interface/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_Interface_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/Interface/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_Interface_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids. 
tags: - investigation /data/investigation/hunting/Interface/{id}/: get: description: "" operationId: data_investigation_hunting_Interface_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Interface' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/InterfaceAggregate/: get: description: |- Grouping of all elements that are equal on a given list of fields. Each element will be assigned an additional field `count` corresponding to the number of elements with the same characteristics. operationId: data_investigation_hunting_InterfaceAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/Interface' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/hunting/InterfaceAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_InterfaceAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/InterfaceAggregate/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_InterfaceAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by the current search. tags: - investigation /data/investigation/hunting/InterfaceAggregate/{id}/: get: description: "" operationId: data_investigation_hunting_InterfaceAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Interface' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/KernelModule/: get: description: "" operationId: data_investigation_hunting_KernelModule_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/KernelModule' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/hunting/KernelModule/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_KernelModule_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/KernelModule/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_KernelModule_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids. 
tags: - investigation /data/investigation/hunting/KernelModule/{id}/: get: description: "" operationId: data_investigation_hunting_KernelModule_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/KernelModule' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/KernelModuleAggregate/: get: description: |- Grouping of all elements that are equal on a given list of fields. Each element will be assigned an additional field `count` corresponding to the number of elements with the same characteristics. operationId: data_investigation_hunting_KernelModuleAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/KernelModule' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/hunting/KernelModuleAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_KernelModuleAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/KernelModuleAggregate/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknow - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_KernelModuleAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by the current search. tags: - investigation /data/investigation/hunting/KernelModuleAggregate/{id}/: get: description: "" operationId: data_investigation_hunting_KernelModuleAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/KernelModule' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/KnownDLL/: get: description: "" operationId: data_investigation_hunting_KnownDLL_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/KnownDLL' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/hunting/KnownDLL/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_KnownDLL_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/KnownDLL/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknow - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_KnownDLL_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids. 
tags: - investigation /data/investigation/hunting/KnownDLL/{id}/: get: description: "" operationId: data_investigation_hunting_KnownDLL_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/KnownDLL' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/KnownDLLAggregate/: get: description: |- Reunion of all elements that are equal, on a given list of fields. Each element will be assigned an additional field `count` corresponding to the number of elements with the same characteristics. operationId: data_investigation_hunting_KnownDLLAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/KnownDLL' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/hunting/KnownDLLAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_KnownDLLAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/KnownDLLAggregate/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknow - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_KnownDLLAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by the current search. tags: - investigation /data/investigation/hunting/KnownDLLAggregate/{id}/: get: description: "" operationId: data_investigation_hunting_KnownDLLAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/KnownDLL' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/LSAPackage/: get: description: "" operationId: data_investigation_hunting_LSAPackage_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/LSAPackage' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/hunting/LSAPackage/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_LSAPackage_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/LSAPackage/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknow - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_LSAPackage_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids. 
tags: - investigation /data/investigation/hunting/LSAPackage/{id}/: get: description: "" operationId: data_investigation_hunting_LSAPackage_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/LSAPackage' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/LSAPackageAggregate/: get: description: |- Reunion of all elements that are equal, on a given list of fields. Each element will be assigned an additional field `count` corresponding to the number of elements with the same characteristics. operationId: data_investigation_hunting_LSAPackageAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/LSAPackage' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/hunting/LSAPackageAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_LSAPackageAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/LSAPackageAggregate/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknow - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_LSAPackageAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by the current search. tags: - investigation /data/investigation/hunting/LSAPackageAggregate/{id}/: get: description: "" operationId: data_investigation_hunting_LSAPackageAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/LSAPackage' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/LegacyService/: get: description: "" operationId: data_investigation_hunting_LegacyService_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/LegacyService' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/hunting/LegacyService/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_LegacyService_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/LegacyService/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknow - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_LegacyService_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids. 
tags: - investigation /data/investigation/hunting/LegacyService/{id}/: get: description: "" operationId: data_investigation_hunting_LegacyService_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/LegacyService' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/LegacyServiceAggregate/: get: description: |- Reunion of all elements that are equal, on a given list of fields. Each element will be assigned an additional field `count` corresponding to the number of elements with the same characteristics. operationId: data_investigation_hunting_LegacyServiceAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/LegacyService' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/hunting/LegacyServiceAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_LegacyServiceAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/LegacyServiceAggregate/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknow - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_LegacyServiceAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by the current search. tags: - investigation /data/investigation/hunting/LegacyServiceAggregate/{id}/: get: description: "" operationId: data_investigation_hunting_LegacyServiceAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/LegacyService' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/ListDir/: get: description: "" operationId: data_investigation_hunting_ListDir_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/ListDir' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/hunting/ListDir/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_ListDir_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/ListDir/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknow - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_ListDir_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids. 
tags: - investigation /data/investigation/hunting/ListDir/{id}/: get: description: "" operationId: data_investigation_hunting_ListDir_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ListDir' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/ListDirAggregate/: get: description: |- Reunion of all elements that are equal, on a given list of fields. Each element will be assigned an additional field `count` corresponding to the number of elements with the same characteristics. operationId: data_investigation_hunting_ListDirAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/ListDir' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/hunting/ListDirAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_ListDirAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/ListDirAggregate/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknow - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_ListDirAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by the current search. tags: - investigation /data/investigation/hunting/ListDirAggregate/{id}/: get: description: "" operationId: data_investigation_hunting_ListDirAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ListDir' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/MFT/: get: description: "" operationId: data_investigation_hunting_MFT_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/MFT' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/hunting/MFT/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_MFT_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/MFT/get_directory/: get: description: "" operationId: data_investigation_hunting_MFT_get_directory parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query minLength: 1 name: volumename required: false type: string - in: query minLength: 1 name: job_instance_id required: false type: string - in: query minLength: 1 name: path required: false type: string - in: query minLength: 1 name: ordering required: false type: string responses: "200": description: "" schema: items: $ref: '#/definitions/MFTGetDirectoryResponse' type: array tags: - investigation parameters: [] /data/investigation/hunting/MFT/mountpoints/: get: description: "" operationId: data_investigation_hunting_MFT_mountpoints parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query minLength: 1 name: job_instance_id required: true type: string responses: "200": description: "" schema: items: $ref: '#/definitions/ResponseMountpoints' type: array tags: - investigation parameters: [] /data/investigation/hunting/MFT/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknow - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_MFT_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids. tags: - investigation /data/investigation/hunting/MFT/{id}/: get: description: "" operationId: data_investigation_hunting_MFT_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/MFT' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/MFTAggregate/: get: description: |- Reunion of all elements that are equal, on a given list of fields. 
Each element will be assigned an additional field `count` corresponding to the number of elements with the same characteristics. operationId: data_investigation_hunting_MFTAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/MFT' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/hunting/MFTAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_MFTAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/MFTAggregate/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. 
You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_MFTAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by the current search. tags: - investigation /data/investigation/hunting/MFTAggregate/{id}/: get: description: "" operationId: data_investigation_hunting_MFTAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/MFT' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/NetworkDiscovery/: get: description: "" operationId: data_investigation_hunting_NetworkDiscovery_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/NetworkDiscovery' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/hunting/NetworkDiscovery/device/{hardware_address}/: get: description: Get the list of all subnets a device was seen in. operationId: data_investigation_hunting_NetworkDiscovery_device parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: items: $ref: '#/definitions/SubnetAgg' type: array tags: - investigation parameters: - in: path name: hardware_address required: true type: string /data/investigation/hunting/NetworkDiscovery/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_NetworkDiscovery_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/NetworkDiscovery/subnet/{subnet_id}/: get: description: "" operationId: data_investigation_hunting_NetworkDiscovery_subnet parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/NDAsset' type: array required: - count - results type: object tags: - investigation parameters: - in: path name: subnet_id required: true type: string /data/investigation/hunting/NetworkDiscovery/subnet/{subnet_id}/stats/: get: description: Get the first and last observation time for a subnet. 
operationId: data_investigation_hunting_NetworkDiscovery_subnet_stats parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: $ref: '#/definitions/SubnetStats' tags: - investigation parameters: - in: path name: subnet_id required: true type: string /data/investigation/hunting/NetworkDiscovery/{id}/: get: description: "" operationId: data_investigation_hunting_NetworkDiscovery_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/NetworkDiscovery' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/NetworkShare/: get: description: "" operationId: data_investigation_hunting_NetworkShare_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/NetworkShare' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/hunting/NetworkShare/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_NetworkShare_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/NetworkShare/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknow - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_NetworkShare_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids. tags: - investigation /data/investigation/hunting/NetworkShare/{id}/: get: description: "" operationId: data_investigation_hunting_NetworkShare_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/NetworkShare' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/NetworkShareAggregate/: get: description: |- Reunion of all elements that are equal, on a given list of fields. Each element will be assigned an additional field `count` corresponding to the number of elements with the same characteristics. operationId: data_investigation_hunting_NetworkShareAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/NetworkShare' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/hunting/NetworkShareAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_NetworkShareAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/NetworkShareAggregate/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknow - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_NetworkShareAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by the current search. 
tags: - investigation /data/investigation/hunting/NetworkShareAggregate/{id}/: get: description: "" operationId: data_investigation_hunting_NetworkShareAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/NetworkShare' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/PersistanceFile/: get: description: "" operationId: data_investigation_hunting_PersistanceFile_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/PersistanceFile' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/hunting/PersistanceFile/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_PersistanceFile_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/PersistanceFile/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. 
You can choose between: - 0 = Unclassified - 1 = Unknow - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_PersistanceFile_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids. tags: - investigation /data/investigation/hunting/PersistanceFile/{id}/: get: description: "" operationId: data_investigation_hunting_PersistanceFile_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/PersistanceFile' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/PersistanceFileAggregate/: get: description: |- Reunion of all elements that are equal, on a given list of fields. Each element will be assigned an additional field `count` corresponding to the number of elements with the same characteristics. operationId: data_investigation_hunting_PersistanceFileAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/PersistanceFile' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/hunting/PersistanceFileAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. 
operationId: data_investigation_hunting_PersistanceFileAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/PersistanceFileAggregate/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknow - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_PersistanceFileAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by the current search. tags: - investigation /data/investigation/hunting/PersistanceFileAggregate/{id}/: get: description: "" operationId: data_investigation_hunting_PersistanceFileAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/PersistanceFile' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/Pipe/: get: description: "" operationId: data_investigation_hunting_Pipe_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/Pipe' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/hunting/Pipe/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_Pipe_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/Pipe/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknow - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_Pipe_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids. 
tags: - investigation /data/investigation/hunting/Pipe/{id}/: get: description: "" operationId: data_investigation_hunting_Pipe_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Pipe' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/PipeAggregate/: get: description: |- Reunion of all elements that are equal, on a given list of fields. Each element will be assigned an additional field `count` corresponding to the number of elements with the same characteristics. operationId: data_investigation_hunting_PipeAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/Pipe' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/hunting/PipeAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_PipeAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/PipeAggregate/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknow - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_PipeAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by the current search. tags: - investigation /data/investigation/hunting/PipeAggregate/{id}/: get: description: "" operationId: data_investigation_hunting_PipeAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Pipe' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/Prefetch/: get: description: "" operationId: data_investigation_hunting_Prefetch_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/Prefetch' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/hunting/Prefetch/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_Prefetch_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/Prefetch/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknow - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_Prefetch_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids. 
tags: - investigation /data/investigation/hunting/Prefetch/{id}/: get: description: "" operationId: data_investigation_hunting_Prefetch_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Prefetch' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/PrefetchAggregate/: get: description: |- Reunion of all elements that are equal, on a given list of fields. Each element will be assigned an additional field `count` corresponding to the number of elements with the same characteristics. operationId: data_investigation_hunting_PrefetchAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/Prefetch' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/hunting/PrefetchAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_PrefetchAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/PrefetchAggregate/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknow - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_PrefetchAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by the current search. tags: - investigation /data/investigation/hunting/PrefetchAggregate/{id}/: get: description: "" operationId: data_investigation_hunting_PrefetchAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Prefetch' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/Process/: get: description: "" operationId: data_investigation_hunting_Process_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/Process' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/hunting/Process/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_Process_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/Process/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknow - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_Process_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids. tags: - investigation /data/investigation/hunting/Process/toList/: get: description: "" operationId: data_investigation_hunting_Process_toList parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query minLength: 1 name: job_instance_id required: false type: string responses: "200": description: "" schema: items: $ref: '#/definitions/_ProcessListResponse' type: array tags: - investigation parameters: [] /data/investigation/hunting/Process/{id}/: get: description: "" operationId: data_investigation_hunting_Process_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Process' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/Process/{id}/connections/: get: description: "" operationId: data_investigation_hunting_Process_connections parameters: - in: query name: limit required: false type: integer - in: query name: offset required: false type: integer - in: query minLength: 1 name: ordering required: false type: string responses: "200": description: "" schema: $ref: '#/definitions/_ConnectionsList' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/Process/{id}/handles/: get: description: "" operationId: data_investigation_hunting_Process_handles parameters: - in: query name: limit required: false type: integer - in: query name: offset required: false type: integer - in: query minLength: 1 name: ordering required: false type: string responses: "200": description: "" schema: $ref: '#/definitions/_HandlesList' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/Process/{id}/modules/: get: description: "" operationId: data_investigation_hunting_Process_modules parameters: - in: query name: limit required: false type: integer - in: query name: offset required: false type: integer - in: query minLength: 1 name: ordering required: false type: string responses: "200": description: "" schema: $ref: '#/definitions/_ModulesList' tags: - investigation parameters: - in: path name: id required: true type: string 
/data/investigation/hunting/Process/{id}/threads/: get: description: "" operationId: data_investigation_hunting_Process_threads parameters: - in: query name: limit required: false type: integer - in: query name: offset required: false type: integer - in: query minLength: 1 name: ordering required: false type: string responses: "200": description: "" schema: $ref: '#/definitions/_ThreadsList' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/ProcessAggregate/: get: description: |- Reunion of all elements that are equal, on a given list of fields. Each element will be assigned an additional field `count` corresponding to the number of elements with the same characteristics. operationId: data_investigation_hunting_ProcessAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/Process' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/hunting/ProcessAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_ProcessAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/ProcessAggregate/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknow - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_ProcessAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by the current search. tags: - investigation /data/investigation/hunting/ProcessAggregate/{id}/: get: description: "" operationId: data_investigation_hunting_ProcessAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Process' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/QuickFixEngineering/: get: description: "" operationId: data_investigation_hunting_QuickFixEngineering_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/QuickFixEngineering' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/hunting/QuickFixEngineering/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_QuickFixEngineering_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/QuickFixEngineering/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknow - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_QuickFixEngineering_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids. 
tags: - investigation /data/investigation/hunting/QuickFixEngineering/{id}/: get: description: "" operationId: data_investigation_hunting_QuickFixEngineering_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/QuickFixEngineering' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/QuickFixEngineeringAggregate/: get: description: |- Reunion of all elements that are equal, on a given list of fields. Each element will be assigned an additional field `count` corresponding to the number of elements with the same characteristics. operationId: data_investigation_hunting_QuickFixEngineeringAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/QuickFixEngineering' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/hunting/QuickFixEngineeringAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_QuickFixEngineeringAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/QuickFixEngineeringAggregate/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknow - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_QuickFixEngineeringAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by the current search. tags: - investigation /data/investigation/hunting/QuickFixEngineeringAggregate/{id}/: get: description: "" operationId: data_investigation_hunting_QuickFixEngineeringAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/QuickFixEngineering' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/RunKey/: get: description: "" operationId: data_investigation_hunting_RunKey_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/RunKey' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/hunting/RunKey/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_RunKey_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/RunKey/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknow - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_RunKey_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids. 
tags: - investigation /data/investigation/hunting/RunKey/{id}/: get: description: "" operationId: data_investigation_hunting_RunKey_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/RunKey' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/RunKeyAggregate/: get: description: |- Groups all elements that are equal on a given list of fields. Each element is assigned an additional field `count` holding the number of elements that share the same values for those fields. operationId: data_investigation_hunting_RunKeyAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/RunKey' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/hunting/RunKeyAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_RunKeyAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/RunKeyAggregate/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_RunKeyAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by the current search. tags: - investigation /data/investigation/hunting/RunKeyAggregate/{id}/: get: description: "" operationId: data_investigation_hunting_RunKeyAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/RunKey' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/ScheduledTaskBinary/: get: description: "" operationId: data_investigation_hunting_ScheduledTaskBinary_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/ScheduledTaskBinary' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/hunting/ScheduledTaskBinary/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_ScheduledTaskBinary_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/ScheduledTaskBinary/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_ScheduledTaskBinary_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids. 
tags: - investigation /data/investigation/hunting/ScheduledTaskBinary/{id}/: get: description: "" operationId: data_investigation_hunting_ScheduledTaskBinary_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ScheduledTaskBinary' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/ScheduledTaskBinaryAggregate/: get: description: |- Groups all elements that are equal on a given list of fields. Each element is assigned an additional field `count` holding the number of elements that share the same values for those fields. operationId: data_investigation_hunting_ScheduledTaskBinaryAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/ScheduledTaskBinary' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/hunting/ScheduledTaskBinaryAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_ScheduledTaskBinaryAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/ScheduledTaskBinaryAggregate/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknow - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_ScheduledTaskBinaryAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by the current search. tags: - investigation /data/investigation/hunting/ScheduledTaskBinaryAggregate/{id}/: get: description: "" operationId: data_investigation_hunting_ScheduledTaskBinaryAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ScheduledTaskBinary' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/ScheduledTaskGlu/: get: description: "" operationId: data_investigation_hunting_ScheduledTaskGlu_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/ScheduledTaskGlu' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/hunting/ScheduledTaskGlu/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_ScheduledTaskGlu_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/ScheduledTaskGlu/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknow - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_ScheduledTaskGlu_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids. 
tags: - investigation /data/investigation/hunting/ScheduledTaskGlu/{id}/: get: description: "" operationId: data_investigation_hunting_ScheduledTaskGlu_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ScheduledTaskGlu' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/ScheduledTaskGluAggregate/: get: description: |- Reunion of all elements that are equal, on a given list of fields. Each element will be assigned an additional field `count` corresponding to the number of elements with the same characteristics. operationId: data_investigation_hunting_ScheduledTaskGluAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/ScheduledTaskGlu' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/hunting/ScheduledTaskGluAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_ScheduledTaskGluAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/ScheduledTaskGluAggregate/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknow - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_ScheduledTaskGluAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by the current search. tags: - investigation /data/investigation/hunting/ScheduledTaskGluAggregate/{id}/: get: description: "" operationId: data_investigation_hunting_ScheduledTaskGluAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ScheduledTaskGlu' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/ScheduledTaskXML/: get: description: "" operationId: data_investigation_hunting_ScheduledTaskXML_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/ScheduledTaskXML' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/hunting/ScheduledTaskXML/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_ScheduledTaskXML_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/ScheduledTaskXML/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknow - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_ScheduledTaskXML_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids. 
tags: - investigation /data/investigation/hunting/ScheduledTaskXML/{id}/: get: description: "" operationId: data_investigation_hunting_ScheduledTaskXML_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ScheduledTaskXML' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/ScheduledTaskXMLAggregate/: get: description: |- Reunion of all elements that are equal, on a given list of fields. Each element will be assigned an additional field `count` corresponding to the number of elements with the same characteristics. operationId: data_investigation_hunting_ScheduledTaskXMLAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/ScheduledTaskXML' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/hunting/ScheduledTaskXMLAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_ScheduledTaskXMLAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/ScheduledTaskXMLAggregate/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknow - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_ScheduledTaskXMLAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by the current search. tags: - investigation /data/investigation/hunting/ScheduledTaskXMLAggregate/{id}/: get: description: "" operationId: data_investigation_hunting_ScheduledTaskXMLAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ScheduledTaskXML' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/SecurityProvider/: get: description: "" operationId: data_investigation_hunting_SecurityProvider_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/SecurityProvider' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/hunting/SecurityProvider/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_SecurityProvider_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/SecurityProvider/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknow - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_SecurityProvider_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids. 
tags: - investigation /data/investigation/hunting/SecurityProvider/{id}/: get: description: "" operationId: data_investigation_hunting_SecurityProvider_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/SecurityProvider' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/SecurityProviderAggregate/: get: description: |- Reunion of all elements that are equal, on a given list of fields. Each element will be assigned an additional field `count` corresponding to the number of elements with the same characteristics. operationId: data_investigation_hunting_SecurityProviderAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/SecurityProvider' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/hunting/SecurityProviderAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_SecurityProviderAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/SecurityProviderAggregate/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknow - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_SecurityProviderAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by the current search. tags: - investigation /data/investigation/hunting/SecurityProviderAggregate/{id}/: get: description: "" operationId: data_investigation_hunting_SecurityProviderAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/SecurityProvider' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/Service/: get: description: "" operationId: data_investigation_hunting_Service_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/Service' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/hunting/Service/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_Service_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/Service/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknow - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_Service_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids. 
tags: - investigation /data/investigation/hunting/Service/{id}/: get: description: "" operationId: data_investigation_hunting_Service_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Service' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/ServiceAggregate/: get: description: |- Reunion of all elements that are equal, on a given list of fields. Each element will be assigned an additional field `count` corresponding to the number of elements with the same characteristics. operationId: data_investigation_hunting_ServiceAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/Service' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/hunting/ServiceAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_ServiceAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/ServiceAggregate/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknow - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_ServiceAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by the current search. tags: - investigation /data/investigation/hunting/ServiceAggregate/{id}/: get: description: "" operationId: data_investigation_hunting_ServiceAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Service' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/ServiceControlManager/: get: description: "" operationId: data_investigation_hunting_ServiceControlManager_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/ServiceControlManager' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/hunting/ServiceControlManager/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_ServiceControlManager_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/ServiceControlManager/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknow - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_ServiceControlManager_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids. 
tags: - investigation /data/investigation/hunting/ServiceControlManager/{id}/: get: description: "" operationId: data_investigation_hunting_ServiceControlManager_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ServiceControlManager' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/ServiceControlManagerAggregate/: get: description: |- Reunion of all elements that are equal, on a given list of fields. Each element will be assigned an additional field `count` corresponding to the number of elements with the same characteristics. operationId: data_investigation_hunting_ServiceControlManagerAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/ServiceControlManager' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/hunting/ServiceControlManagerAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_ServiceControlManagerAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/ServiceControlManagerAggregate/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_ServiceControlManagerAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by the current search. tags: - investigation /data/investigation/hunting/ServiceControlManagerAggregate/{id}/: get: description: "" operationId: data_investigation_hunting_ServiceControlManagerAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ServiceControlManager' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/Session/: get: description: "" operationId: data_investigation_hunting_Session_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results.
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/Session' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/hunting/Session/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_Session_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/Session/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_Session_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids.
tags: - investigation /data/investigation/hunting/Session/{id}/: get: description: "" operationId: data_investigation_hunting_Session_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Session' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/SessionAggregate/: get: description: |- Groups together all elements that are equal on a given list of fields. Each element is assigned an additional field `count` giving the number of elements sharing the same characteristics. operationId: data_investigation_hunting_SessionAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/Session' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/hunting/SessionAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_SessionAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results.
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/SessionAggregate/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_SessionAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by the current search. tags: - investigation /data/investigation/hunting/SessionAggregate/{id}/: get: description: "" operationId: data_investigation_hunting_SessionAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Session' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/SessionManager_Execute/: get: description: "" operationId: data_investigation_hunting_SessionManager_Execute_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results.
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/SessionManager_Execute' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/hunting/SessionManager_Execute/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_SessionManager_Execute_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/SessionManager_Execute/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_SessionManager_Execute_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids.
tags: - investigation /data/investigation/hunting/SessionManager_Execute/{id}/: get: description: "" operationId: data_investigation_hunting_SessionManager_Execute_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/SessionManager_Execute' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/SessionManager_ExecuteAggregate/: get: description: |- Groups together all elements that are equal on a given list of fields. Each element is assigned an additional field `count` giving the number of elements sharing the same characteristics. operationId: data_investigation_hunting_SessionManager_ExecuteAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/SessionManager_Execute' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/hunting/SessionManager_ExecuteAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_SessionManager_ExecuteAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results.
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/SessionManager_ExecuteAggregate/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_SessionManager_ExecuteAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by the current search. tags: - investigation /data/investigation/hunting/SessionManager_ExecuteAggregate/{id}/: get: description: "" operationId: data_investigation_hunting_SessionManager_ExecuteAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/SessionManager_Execute' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/SessionManager_PendingFileRenameOperation/: get: description: "" operationId: data_investigation_hunting_SessionManager_PendingFileRenameOperation_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results.
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/SessionManager_PendingFileRenameOperation' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/hunting/SessionManager_PendingFileRenameOperation/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_SessionManager_PendingFileRenameOperation_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/SessionManager_PendingFileRenameOperation/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_SessionManager_PendingFileRenameOperation_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids.
tags: - investigation /data/investigation/hunting/SessionManager_PendingFileRenameOperation/{id}/: get: description: "" operationId: data_investigation_hunting_SessionManager_PendingFileRenameOperation_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/SessionManager_PendingFileRenameOperation' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/SessionManager_PendingFileRenameOperationAggregate/: get: description: |- Groups together all elements that are equal on a given list of fields. Each element is assigned an additional field `count` giving the number of elements sharing the same characteristics. operationId: data_investigation_hunting_SessionManager_PendingFileRenameOperationAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/SessionManager_PendingFileRenameOperation' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/hunting/SessionManager_PendingFileRenameOperationAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_SessionManager_PendingFileRenameOperationAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results.
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/SessionManager_PendingFileRenameOperationAggregate/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_SessionManager_PendingFileRenameOperationAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by the current search. tags: - investigation /data/investigation/hunting/SessionManager_PendingFileRenameOperationAggregate/{id}/: get: description: "" operationId: data_investigation_hunting_SessionManager_PendingFileRenameOperationAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/SessionManager_PendingFileRenameOperation' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/Shellbag/: get: description: "" operationId: data_investigation_hunting_Shellbag_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results.
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/Shellbag' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/hunting/Shellbag/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_Shellbag_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/Shellbag/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_Shellbag_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids.
tags: - investigation /data/investigation/hunting/Shellbag/{id}/: get: description: "" operationId: data_investigation_hunting_Shellbag_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Shellbag' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/ShellbagAggregate/: get: description: |- Groups together all elements that are equal on a given list of fields. Each element is assigned an additional field `count` giving the number of elements sharing the same characteristics. operationId: data_investigation_hunting_ShellbagAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/Shellbag' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/hunting/ShellbagAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_ShellbagAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results.
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/ShellbagAggregate/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_ShellbagAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by the current search. tags: - investigation /data/investigation/hunting/ShellbagAggregate/{id}/: get: description: "" operationId: data_investigation_hunting_ShellbagAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Shellbag' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/ShimCache/: get: description: "" operationId: data_investigation_hunting_ShimCache_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results.
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/ShimCache' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/hunting/ShimCache/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_ShimCache_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/ShimCache/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_ShimCache_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids.
tags: - investigation /data/investigation/hunting/ShimCache/{id}/: get: description: "" operationId: data_investigation_hunting_ShimCache_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ShimCache' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/ShimCacheAggregate/: get: description: |- Groups together all elements that are equal on a given list of fields. Each element is assigned an additional field `count` giving the number of elements sharing the same characteristics. operationId: data_investigation_hunting_ShimCacheAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/ShimCache' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/hunting/ShimCacheAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_ShimCacheAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results.
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/ShimCacheAggregate/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_ShimCacheAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by the current search. tags: - investigation /data/investigation/hunting/ShimCacheAggregate/{id}/: get: description: "" operationId: data_investigation_hunting_ShimCacheAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ShimCache' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/Startup/: get: description: "" operationId: data_investigation_hunting_Startup_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results.
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/Startup' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/hunting/Startup/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_Startup_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/Startup/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_Startup_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids.
tags: - investigation /data/investigation/hunting/Startup/{id}/: get: description: "" operationId: data_investigation_hunting_Startup_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Startup' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/StartupAggregate/: get: description: |- Groups together all elements that are equal on a given list of fields. Each element is assigned an additional field `count` giving the number of elements sharing the same characteristics. operationId: data_investigation_hunting_StartupAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/Startup' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/hunting/StartupAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_StartupAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results.
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/StartupAggregate/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_StartupAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by the current search. tags: - investigation /data/investigation/hunting/StartupAggregate/{id}/: get: description: "" operationId: data_investigation_hunting_StartupAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Startup' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/SysinternalsUsage/: get: description: "" operationId: data_investigation_hunting_SysinternalsUsage_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results.
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/SysinternalsUsage' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/hunting/SysinternalsUsage/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_SysinternalsUsage_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/SysinternalsUsage/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_SysinternalsUsage_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids.
tags: - investigation /data/investigation/hunting/SysinternalsUsage/{id}/: get: description: "" operationId: data_investigation_hunting_SysinternalsUsage_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/SysinternalsUsage' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/SysinternalsUsageAggregate/: get: description: |- Grouping of all elements that are equal on a given list of fields. Each element will be assigned an additional field `count` corresponding to the number of elements with the same characteristics. operationId: data_investigation_hunting_SysinternalsUsageAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/SysinternalsUsage' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/hunting/SysinternalsUsageAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_SysinternalsUsageAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results.
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/SysinternalsUsageAggregate/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_SysinternalsUsageAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by the current search. tags: - investigation /data/investigation/hunting/SysinternalsUsageAggregate/{id}/: get: description: "" operationId: data_investigation_hunting_SysinternalsUsageAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/SysinternalsUsage' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/UserLogin/: get: description: "" operationId: data_investigation_hunting_UserLogin_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results.
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/UserLogin' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/hunting/UserLogin/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_UserLogin_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/UserLogin/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_UserLogin_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids.
tags: - investigation /data/investigation/hunting/UserLogin/{id}/: get: description: "" operationId: data_investigation_hunting_UserLogin_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/UserLogin' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/UserLoginAggregate/: get: description: |- Grouping of all elements that are equal on a given list of fields. Each element will be assigned an additional field `count` corresponding to the number of elements with the same characteristics. operationId: data_investigation_hunting_UserLoginAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/UserLogin' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/hunting/UserLoginAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_UserLoginAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results.
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/UserLoginAggregate/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_UserLoginAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by the current search. tags: - investigation /data/investigation/hunting/UserLoginAggregate/{id}/: get: description: "" operationId: data_investigation_hunting_UserLoginAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/UserLogin' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/Wdigest/: get: description: "" operationId: data_investigation_hunting_Wdigest_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results.
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/Wdigest' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/hunting/Wdigest/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_Wdigest_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/Wdigest/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_Wdigest_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids.
tags: - investigation /data/investigation/hunting/Wdigest/{id}/: get: description: "" operationId: data_investigation_hunting_Wdigest_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Wdigest' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/WdigestAggregate/: get: description: |- Grouping of all elements that are equal on a given list of fields. Each element will be assigned an additional field `count` corresponding to the number of elements with the same characteristics. operationId: data_investigation_hunting_WdigestAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/Wdigest' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/hunting/WdigestAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_WdigestAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results.
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/WdigestAggregate/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_WdigestAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by the current search. tags: - investigation /data/investigation/hunting/WdigestAggregate/{id}/: get: description: "" operationId: data_investigation_hunting_WdigestAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Wdigest' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/WindowsShellExecuteHook/: get: description: "" operationId: data_investigation_hunting_WindowsShellExecuteHook_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results.
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/WindowsShellExecuteHook' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/hunting/WindowsShellExecuteHook/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_WindowsShellExecuteHook_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/WindowsShellExecuteHook/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_WindowsShellExecuteHook_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids.
tags: - investigation /data/investigation/hunting/WindowsShellExecuteHook/{id}/: get: description: "" operationId: data_investigation_hunting_WindowsShellExecuteHook_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/WindowsShellExecuteHook' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/WindowsShellExecuteHookAggregate/: get: description: |- Grouping of all elements that are equal on a given list of fields. Each element will be assigned an additional field `count` corresponding to the number of elements with the same characteristics. operationId: data_investigation_hunting_WindowsShellExecuteHookAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/WindowsShellExecuteHook' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/hunting/WindowsShellExecuteHookAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_WindowsShellExecuteHookAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results.
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/WindowsShellExecuteHookAggregate/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_WindowsShellExecuteHookAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by the current search. tags: - investigation /data/investigation/hunting/WindowsShellExecuteHookAggregate/{id}/: get: description: "" operationId: data_investigation_hunting_WindowsShellExecuteHookAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/WindowsShellExecuteHook' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/WindowsShellExtension/: get: description: "" operationId: data_investigation_hunting_WindowsShellExtension_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results.
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/WindowsShellExtension' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/hunting/WindowsShellExtension/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_WindowsShellExtension_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/WindowsShellExtension/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_WindowsShellExtension_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids.
tags: - investigation /data/investigation/hunting/WindowsShellExtension/{id}/: get: description: "" operationId: data_investigation_hunting_WindowsShellExtension_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/WindowsShellExtension' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/WindowsShellExtensionAggregate/: get: description: |- Grouping of all elements that are equal on a given list of fields. Each element will be assigned an additional field `count` corresponding to the number of elements with the same characteristics. operationId: data_investigation_hunting_WindowsShellExtensionAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/WindowsShellExtension' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/hunting/WindowsShellExtensionAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_WindowsShellExtensionAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results.
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/WindowsShellExtensionAggregate/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_WindowsShellExtensionAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by the current search. tags: - investigation /data/investigation/hunting/WindowsShellExtensionAggregate/{id}/: get: description: "" operationId: data_investigation_hunting_WindowsShellExtensionAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/WindowsShellExtension' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/WindowsShellIconOverlayIdentifier/: get: description: "" operationId: data_investigation_hunting_WindowsShellIconOverlayIdentifier_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results.
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/WindowsShellIconOverlayIdentifier' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/hunting/WindowsShellIconOverlayIdentifier/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_WindowsShellIconOverlayIdentifier_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/WindowsShellIconOverlayIdentifier/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_WindowsShellIconOverlayIdentifier_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids.
tags: - investigation /data/investigation/hunting/WindowsShellIconOverlayIdentifier/{id}/: get: description: "" operationId: data_investigation_hunting_WindowsShellIconOverlayIdentifier_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/WindowsShellIconOverlayIdentifier' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/WindowsShellIconOverlayIdentifierAggregate/: get: description: |- Grouping of all elements that are equal on a given list of fields. Each element will be assigned an additional field `count` corresponding to the number of elements with the same characteristics. operationId: data_investigation_hunting_WindowsShellIconOverlayIdentifierAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/WindowsShellIconOverlayIdentifier' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/hunting/WindowsShellIconOverlayIdentifierAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_WindowsShellIconOverlayIdentifierAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results.
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/WindowsShellIconOverlayIdentifierAggregate/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_WindowsShellIconOverlayIdentifierAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by the current search. tags: - investigation /data/investigation/hunting/WindowsShellIconOverlayIdentifierAggregate/{id}/: get: description: "" operationId: data_investigation_hunting_WindowsShellIconOverlayIdentifierAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/WindowsShellIconOverlayIdentifier' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/WindowsShellLoadAndRun/: get: description: "" operationId: data_investigation_hunting_WindowsShellLoadAndRun_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results.
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/WindowsShellLoadAndRun' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/hunting/WindowsShellLoadAndRun/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_WindowsShellLoadAndRun_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/WindowsShellLoadAndRun/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_WindowsShellLoadAndRun_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids.
tags: - investigation /data/investigation/hunting/WindowsShellLoadAndRun/{id}/: get: description: "" operationId: data_investigation_hunting_WindowsShellLoadAndRun_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/WindowsShellLoadAndRun' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/WindowsShellLoadAndRunAggregate/: get: description: |- Groups all elements that are equal on a given list of fields (`agg_cols`). Each returned element carries an additional field `count`, the number of elements that share the same values for those fields. operationId: data_investigation_hunting_WindowsShellLoadAndRunAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/WindowsShellLoadAndRun' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/hunting/WindowsShellLoadAndRunAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. The escaped flag (default true) appears to control escaping of exported values; leave it enabled unless the consumer is known to handle raw cell content safely, because unescaped CSV opened in a spreadsheet can trigger formula injection. operationId: data_investigation_hunting_WindowsShellLoadAndRunAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results.
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/WindowsShellLoadAndRunAggregate/tag/: parameters: [] post: description: |- Changing the tag changes the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_WindowsShellLoadAndRunAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging every element matched by the current search. tags: - investigation /data/investigation/hunting/WindowsShellLoadAndRunAggregate/{id}/: get: description: "" operationId: data_investigation_hunting_WindowsShellLoadAndRunAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/WindowsShellLoadAndRun' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/WindowsShellServiceObject/: get: description: "" operationId: data_investigation_hunting_WindowsShellServiceObject_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results.
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/WindowsShellServiceObject' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/hunting/WindowsShellServiceObject/export/: get: description: Endpoint for exporting the current search as a CSV file. The escaped flag (default true) appears to control escaping of exported values; leave it enabled unless the consumer is known to handle raw cell content safely, because unescaped CSV opened in a spreadsheet can trigger formula injection. operationId: data_investigation_hunting_WindowsShellServiceObject_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/WindowsShellServiceObject/tag/: parameters: [] post: description: |- Changing the tag changes the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_WindowsShellServiceObject_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids.
tags: - investigation /data/investigation/hunting/WindowsShellServiceObject/{id}/: get: description: "" operationId: data_investigation_hunting_WindowsShellServiceObject_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/WindowsShellServiceObject' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/WindowsShellServiceObjectAggregate/: get: description: |- Groups all elements that are equal on a given list of fields (`agg_cols`). Each returned element carries an additional field `count`, the number of elements that share the same values for those fields. operationId: data_investigation_hunting_WindowsShellServiceObjectAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/WindowsShellServiceObject' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/hunting/WindowsShellServiceObjectAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. The escaped flag (default true) appears to control escaping of exported values; leave it enabled unless the consumer is known to handle raw cell content safely, because unescaped CSV opened in a spreadsheet can trigger formula injection. operationId: data_investigation_hunting_WindowsShellServiceObjectAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results.
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/WindowsShellServiceObjectAggregate/tag/: parameters: [] post: description: |- Changing the tag changes the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknown - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_WindowsShellServiceObjectAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging every element matched by the current search. tags: - investigation /data/investigation/hunting/WindowsShellServiceObjectAggregate/{id}/: get: description: "" operationId: data_investigation_hunting_WindowsShellServiceObjectAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/WindowsShellServiceObject' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/WindowsShellServiceObjectDelayLoad/: get: description: "" operationId: data_investigation_hunting_WindowsShellServiceObjectDelayLoad_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results.
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/WindowsShellServiceObjectDelayLoad' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/hunting/WindowsShellServiceObjectDelayLoad/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_WindowsShellServiceObjectDelayLoad_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/WindowsShellServiceObjectDelayLoad/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknow - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_WindowsShellServiceObjectDelayLoad_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids. 
tags: - investigation /data/investigation/hunting/WindowsShellServiceObjectDelayLoad/{id}/: get: description: "" operationId: data_investigation_hunting_WindowsShellServiceObjectDelayLoad_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/WindowsShellServiceObjectDelayLoad' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/WindowsShellServiceObjectDelayLoadAggregate/: get: description: |- Reunion of all elements that are equal, on a given list of fields. Each element will be assigned an additional field `count` corresponding to the number of elements with the same characteristics. operationId: data_investigation_hunting_WindowsShellServiceObjectDelayLoadAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/WindowsShellServiceObjectDelayLoad' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/hunting/WindowsShellServiceObjectDelayLoadAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_WindowsShellServiceObjectDelayLoadAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/WindowsShellServiceObjectDelayLoadAggregate/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknow - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_WindowsShellServiceObjectDelayLoadAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by the current search. tags: - investigation /data/investigation/hunting/WindowsShellServiceObjectDelayLoadAggregate/{id}/: get: description: "" operationId: data_investigation_hunting_WindowsShellServiceObjectDelayLoadAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/WindowsShellServiceObjectDelayLoad' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/Winlogon/: get: description: "" operationId: data_investigation_hunting_Winlogon_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/Winlogon' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/hunting/Winlogon/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_Winlogon_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/Winlogon/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknow - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_Winlogon_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids. 
tags: - investigation /data/investigation/hunting/Winlogon/{id}/: get: description: "" operationId: data_investigation_hunting_Winlogon_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Winlogon' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/WinlogonAggregate/: get: description: |- Reunion of all elements that are equal, on a given list of fields. Each element will be assigned an additional field `count` corresponding to the number of elements with the same characteristics. operationId: data_investigation_hunting_WinlogonAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/Winlogon' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/hunting/WinlogonAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_WinlogonAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/WinlogonAggregate/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknow - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_WinlogonAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by the current search. tags: - investigation /data/investigation/hunting/WinlogonAggregate/{id}/: get: description: "" operationId: data_investigation_hunting_WinlogonAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Winlogon' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/WinlogonNotify/: get: description: "" operationId: data_investigation_hunting_WinlogonNotify_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/WinlogonNotify' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/hunting/WinlogonNotify/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_WinlogonNotify_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/WinlogonNotify/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknow - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_WinlogonNotify_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids. 
tags: - investigation /data/investigation/hunting/WinlogonNotify/{id}/: get: description: "" operationId: data_investigation_hunting_WinlogonNotify_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/WinlogonNotify' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/WinlogonNotifyAggregate/: get: description: |- Reunion of all elements that are equal, on a given list of fields. Each element will be assigned an additional field `count` corresponding to the number of elements with the same characteristics. operationId: data_investigation_hunting_WinlogonNotifyAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/WinlogonNotify' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/hunting/WinlogonNotifyAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_WinlogonNotifyAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/WinlogonNotifyAggregate/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknow - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_WinlogonNotifyAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by the current search. tags: - investigation /data/investigation/hunting/WinlogonNotifyAggregate/{id}/: get: description: "" operationId: data_investigation_hunting_WinlogonNotifyAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/WinlogonNotify' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/WinsockHelper/: get: description: "" operationId: data_investigation_hunting_WinsockHelper_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/WinsockHelper' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/hunting/WinsockHelper/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_WinsockHelper_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/WinsockHelper/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknow - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_WinsockHelper_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids. 
tags: - investigation /data/investigation/hunting/WinsockHelper/{id}/: get: description: "" operationId: data_investigation_hunting_WinsockHelper_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/WinsockHelper' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/WinsockHelperAggregate/: get: description: |- Reunion of all elements that are equal, on a given list of fields. Each element will be assigned an additional field `count` corresponding to the number of elements with the same characteristics. operationId: data_investigation_hunting_WinsockHelperAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/WinsockHelper' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/hunting/WinsockHelperAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_WinsockHelperAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/WinsockHelperAggregate/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknow - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_WinsockHelperAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by the current search. tags: - investigation /data/investigation/hunting/WinsockHelperAggregate/{id}/: get: description: "" operationId: data_investigation_hunting_WinsockHelperAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/WinsockHelper' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/Wmi/: get: description: "" operationId: data_investigation_hunting_Wmi_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/Wmi' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/hunting/Wmi/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_Wmi_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/Wmi/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknow - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_Wmi_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids. 
tags: - investigation /data/investigation/hunting/Wmi/{id}/: get: description: "" operationId: data_investigation_hunting_Wmi_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Wmi' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/hunting/WmiAggregate/: get: description: |- Reunion of all elements that are equal, on a given list of fields. Each element will be assigned an additional field `count` corresponding to the number of elements with the same characteristics. operationId: data_investigation_hunting_WmiAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/Wmi' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/hunting/WmiAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_hunting_WmiAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/hunting/WmiAggregate/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknow - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_hunting_WmiAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by the current search. tags: - investigation /data/investigation/hunting/WmiAggregate/{id}/: get: description: "" operationId: data_investigation_hunting_WmiAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Wmi' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/ioc/IOC/: get: description: "" operationId: data_investigation_ioc_IOC_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/IOC' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/ioc/IOC/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_ioc_IOC_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/ioc/IOC/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknow - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_ioc_IOC_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids. 
tags: - investigation /data/investigation/ioc/IOC/{id}/: get: description: "" operationId: data_investigation_ioc_IOC_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/IOC' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/ioc/IOCAggregate/: get: description: |- Reunion of all elements that are equal, on a given list of fields. Each element will be assigned an additional field `count` corresponding to the number of elements with the same characteristics. operationId: data_investigation_ioc_IOCAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/IOC' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/ioc/IOCAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_ioc_IOCAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/ioc/IOCAggregate/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknow - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_ioc_IOCAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by the current search. tags: - investigation /data/investigation/ioc/IOCAggregate/{id}/: get: description: "" operationId: data_investigation_ioc_IOCAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/IOC' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/ioc/Yara/: get: description: "" operationId: data_investigation_ioc_Yara_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/Yara' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/ioc/Yara/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_ioc_Yara_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/ioc/Yara/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknow - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_ioc_Yara_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatus' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by ids. 
tags: - investigation /data/investigation/ioc/Yara/{id}/: get: description: "" operationId: data_investigation_ioc_Yara_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Yara' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/ioc/YaraAggregate/: get: description: |- Reunion of all elements that are equal, on a given list of fields. Each element will be assigned an additional field `count` corresponding to the number of elements with the same characteristics. operationId: data_investigation_ioc_YaraAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/Yara' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - investigation parameters: [] /data/investigation/ioc/YaraAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_ioc_YaraAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/ioc/YaraAggregate/tag/: parameters: [] post: description: |- Changing the tag means changing the status of the investigation data. You can choose between: - 0 = Unclassified - 1 = Unknow - 2 = Clean - 3 = Suspicious - 4 = Malicious operationId: data_investigation_ioc_YaraAggregate_tag parameters: - in: body name: data required: true schema: $ref: '#/definitions/_InvestigationStatusStats' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' summary: Endpoint for tagging elements by the current search. tags: - investigation /data/investigation/ioc/YaraAggregate/{id}/: get: description: "" operationId: data_investigation_ioc_YaraAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Yara' tags: - investigation parameters: - in: path name: id required: true type: string /data/investigation/job/Simple/: get: description: "" operationId: data_investigation_job_Simple_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/Simple' type: array required: - count - results type: object tags: - investigation parameters: [] /data/investigation/job/Simple/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_investigation_job_Simple_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - investigation parameters: [] /data/investigation/job/Simple/{id}/: get: description: "" operationId: data_investigation_job_Simple_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Simple' tags: - investigation parameters: - in: path name: id required: true type: string /data/job/batch/: get: description: |- Batches are like jobs, except that they can contain multiple different actions. A user can see any batch if they have access to at least one of its actions. They won't be able to access sensitive data, like job results or params, unless they have the read permission for the action Changing (create, edit, delete) a Batch requires write permission on all of its actions. operationId: data_job_batch_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: title required: false type: string - description: "" in: query name: description required: false type: string - description: "" in: query name: archived required: false type: string - description: "" in: query name: source_type required: false type: string - description: "" in: query name: source_id required: false type: string - description: "" in: query name: is_scheduled required: false type: string - description: "" in: query name: endpoint_username required: false type: string - description: "" in: query name: template_id required: false type: string - description: "" in: query name: creationtime required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query name: instance required: false type: number - in: query name: done required: false type: number - in: query name: waiting required: false type: number - in: query name: running required: false type: number - in: query name: canceled required: false type: number - in: query name: error required: false type: number - in: query name: agent_count required: false type: number - in: query name: creator.username required: false type: string - in: query name: creator.id required: false type: string - in: query name: jobs required: false type: string responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/BatchList' type: array required: - count - results type: object summary: Batch endpoints tags: - investigation parameters: [] post: description: Jobs will be executed in the specified order. 
operationId: data_job_batch_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/BatchCreate' responses: "201": description: "" schema: $ref: '#/definitions/SimpleBatchRetrieve' "400": description: Invalid request "404": description: not found "422": description: None of the given agents were able to execute the given job(s) summary: Create a job batch tags: - investigation /data/job/batch/archive/: parameters: [] post: description: |- Batches are like jobs, except that they can contain multiple different actions. A user can see any batch if they have access to at least one of its actions. They won't be able to access sensitive data, like job results or params, unless they have the read permission for the action Changing (create, edit, delete) a Batch requires write permission on all of its actions. operationId: data_job_batch_archive parameters: - in: body name: data required: true schema: $ref: '#/definitions/BatchSelect' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "400": description: Invalid request "404": description: not found summary: Batch endpoints tags: - investigation /data/job/batch/cancel/: parameters: [] post: description: |- Batches are like jobs, except that they can contain multiple different actions. A user can see any batch if they have access to at least one of its actions. They won't be able to access sensitive data, like job results or params, unless they have the read permission for the action Changing (create, edit, delete) a Batch requires write permission on all of its actions. 
operationId: data_job_batch_cancel parameters: - in: body name: data required: true schema: $ref: '#/definitions/BatchSelect' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "400": description: Invalid request "404": description: Not found summary: Batch endpoints tags: - investigation /data/job/batch/delete/: parameters: [] post: description: |- Batches are like jobs, except that they can contain multiple different actions. A user can see any batch if they have access to at least one of its actions. They won't be able to access sensitive data, like job results or params, unless they have the read permission for the action Changing (create, edit, delete) a Batch requires write permission on all of its actions. operationId: data_job_batch_delete parameters: - in: body name: data required: true schema: $ref: '#/definitions/BatchSelect' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "400": description: Invalid request "404": description: Not found summary: Batch endpoints tags: - investigation /data/job/batch/os_compatibility/: get: description: |- Batches are like jobs, except that they can contain multiple different actions. A user can see any batch if they have access to at least one of its actions. They won't be able to access sensitive data, like job results or params, unless they have the read permission for the action Changing (create, edit, delete) a Batch requires write permission on all of its actions. operationId: data_job_batch_os_compatibility parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: title required: false type: string - description: "" in: query name: description required: false type: string - description: "" in: query name: archived required: false type: string - description: "" in: query name: source_type required: false type: string - description: "" in: query name: source_id required: false type: string - description: "" in: query name: is_scheduled required: false type: string - description: "" in: query name: endpoint_username required: false type: string - description: "" in: query name: template_id required: false type: string - description: "" in: query name: creationtime required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: |- Job OS compatibility list Shows which job types are available for specific operating systems. 
examples: application/json: - action: IOCScan supported_os: - linux - macos - windows - action: yaraScan supported_os: - linux - macos - windows - action: avScan supported_os: - linux - macos - windows - action: agentDiagnostic supported_os: - linux - macos - windows - action: agentMinidump supported_os: - linux - macos - windows - action: parseFilesystem supported_os: - linux - macos - windows - action: memoryDumper supported_os: - linux - windows - action: downloadFile supported_os: - linux - macos - windows - action: downloadDirectory supported_os: - linux - macos - windows - action: collectRAWEvidences supported_os: - linux - macos - windows - action: networkSniffer supported_os: - linux - macos - windows - action: processDumper supported_os: - linux - windows - action: searchProcessDumper supported_os: - linux - windows - action: getLoadedDriverList supported_os: - windows - action: getProcessList supported_os: - linux - macos - windows - action: getPipeList supported_os: - windows - action: networkDiscovery supported_os: - linux - macos - windows - action: getNetworkShare supported_os: - windows - action: getSessions supported_os: - windows - action: getQFE supported_os: - windows - action: listDirectory supported_os: - linux - macos - windows - action: getHives supported_os: - windows - action: getScheduledTasks supported_os: - windows - action: getStartupFileList supported_os: - windows - action: getWMI supported_os: - windows - action: getRawWMI supported_os: - windows - action: persistanceScanner supported_os: - linux - action: getPrefetch supported_os: - windows - action: filepathDeleter supported_os: - linux - macos - windows - action: knownProcessFinderKiller supported_os: - linux - macos - windows - action: wildcardProcessFinderKiller supported_os: - linux - macos - windows - action: registryOperation supported_os: - windows - action: deleteService supported_os: - windows - action: deleteScheduledTask supported_os: - windows - action: quarantineAdd 
supported_os: - linux - macos - windows - action: quarantineDelete supported_os: - linux - macos - windows - action: quarantineRestore supported_os: - linux - macos - windows - action: quarantineAcquireFile supported_os: - linux - macos - windows - action: profileMemory supported_os: - linux - macos - windows schema: items: $ref: '#/definitions/JobOSSupport' type: array summary: Batch endpoints tags: - investigation parameters: [] /data/job/batch/relaunch/: parameters: [] post: description: Relaunch jobs that are done operationId: data_job_batch_relaunch parameters: - in: body name: data required: true schema: $ref: '#/definitions/BatchSelect' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "400": description: Invalid request "404": description: not found tags: - investigation /data/job/batch/retry/: parameters: [] post: description: Retry jobs that are cancelled or errored out operationId: data_job_batch_retry parameters: - in: body name: data required: true schema: $ref: '#/definitions/BatchSelect' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "400": description: Invalid request "404": description: not found tags: - investigation /data/job/batch/stats/: get: description: Get the state of all jobs instances (success, error, running, ...) operationId: data_job_batch_stats parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: title required: false type: string - description: "" in: query name: description required: false type: string - description: "" in: query name: archived required: false type: string - description: "" in: query name: source_type required: false type: string - description: "" in: query name: source_id required: false type: string - description: "" in: query name: is_scheduled required: false type: string - description: "" in: query name: endpoint_username required: false type: string - description: "" in: query name: template_id required: false type: string - description: "" in: query name: creationtime required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: $ref: '#/definitions/BatchStats' tags: - investigation parameters: [] /data/job/batch/template/: get: description: "" operationId: data_job_batch_template_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: title required: false type: string - description: "" in: query name: description required: false type: string - description: "" in: query name: creation_date required: false type: string - description: "" in: query name: last_update required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query name: last_modifier.username required: false type: string - in: query name: last_modifier.id required: false type: string responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/BatchTemplateRetrieve' type: array required: - count - results type: object tags: - investigation parameters: [] post: description: "" operationId: data_job_batch_template_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/BatchTemplateCreate' responses: "201": description: "" schema: $ref: '#/definitions/BatchTemplateCreate' tags: - investigation /data/job/batch/template/from_batch/: parameters: [] post: description: "" operationId: data_job_batch_template_from_batch parameters: - in: body name: data required: true schema: $ref: '#/definitions/BatchTemplateCreateFromBatch' responses: "201": description: "" schema: $ref: '#/definitions/BatchTemplateRetrieve' "400": description: Invalid request "403": description: Forbidden "404": description: not found tags: - investigation /data/job/batch/template/{id}/: delete: description: "" operationId: data_job_batch_template_delete parameters: [] responses: "204": description: "" tags: - investigation get: description: "" operationId: data_job_batch_template_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/BatchTemplateRetrieve' tags: - investigation parameters: - description: A unique value identifying this batch template. 
in: path name: id required: true type: string patch: description: "" operationId: data_job_batch_template_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/BatchTemplateEdit' responses: "200": description: "" schema: $ref: '#/definitions/BatchTemplateEdit' tags: - investigation put: description: "" operationId: data_job_batch_template_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/BatchTemplateCreate' responses: "200": description: "" schema: $ref: '#/definitions/BatchTemplateCreate' tags: - investigation /data/job/batch/unarchive/: parameters: [] post: description: |- Batches are like jobs, except that they can contain multiple different actions. A user can see any batch if they have access to at least one of its actions. They won't be able to access sensitive data, like job results or params, unless they have the read permission for the action Changing (create, edit, delete) a Batch requires write permission on all of its actions. 
operationId: data_job_batch_unarchive parameters: - in: body name: data required: true schema: $ref: '#/definitions/BatchSelect' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "400": description: Invalid request "404": description: not found summary: Batch endpoints tags: - investigation /data/job/batch/{batch_pk}/task/{id}/: delete: description: "" operationId: data_job_batch_task_delete parameters: [] responses: "204": description: "" "404": description: No task matches the provided parameters tags: - investigation parameters: - in: path name: batch_pk required: true type: string - in: path name: id required: true type: string /data/job/batch/{batch_pk}/task/{id}/relaunch/: parameters: - in: path name: batch_pk required: true type: string - in: path name: id required: true type: string post: description: Relaunch jobs that are done operationId: data_job_batch_task_relaunch parameters: [] responses: "204": description: "" "404": description: No task matches the provided parameters tags: - investigation /data/job/batch/{batch_pk}/task/{id}/retry/: parameters: - in: path name: batch_pk required: true type: string - in: path name: id required: true type: string post: description: Retry jobs that are canceled or errored out operationId: data_job_batch_task_retry parameters: [] responses: "204": description: "" "404": description: No task matches the provided parameters tags: - investigation /data/job/batch/{id}/: get: description: |- Batches are like jobs, except that they can contain multiple different actions. A user can see any batch if they have access to at least one of its actions. They won't be able to access sensitive data, like job results or params, unless they have the read permission for the action Changing (create, edit, delete) a Batch requires write permission on all of its actions. 
operationId: data_job_batch_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/BatchRetrieve' summary: Batch endpoints tags: - investigation parameters: - in: path name: id required: true type: string patch: description: |- Batches are like jobs, except that they can contain multiple different actions. A user can see any batch if they have access to at least one of its actions. They won't be able to access sensitive data, like job results or params, unless they have the read permission for the action Changing (create, edit, delete) a Batch requires write permission on all of its actions. operationId: data_job_batch_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/BatchEdit' responses: "200": description: "" schema: $ref: '#/definitions/BatchEdit' summary: Batch endpoints tags: - investigation put: description: |- Batches are like jobs, except that they can contain multiple different actions. A user can see any batch if they have access to at least one of its actions. They won't be able to access sensitive data, like job results or params, unless they have the read permission for the action Changing (create, edit, delete) a Batch requires write permission on all of its actions. 
operationId: data_job_batch_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/BatchEdit' responses: "200": description: "" schema: $ref: '#/definitions/BatchEdit' summary: Batch endpoints tags: - investigation /data/job/batch/{id}/add_actions/: parameters: - in: path name: id required: true type: string post: description: Add actions to an existing job operationId: data_job_batch_add_actions parameters: - in: body name: data required: true schema: items: $ref: '#/definitions/AllAction' type: array responses: "200": description: "" schema: $ref: '#/definitions/SimpleBatchRetrieve' "400": description: Invalid request "403": description: Job version is not compatible "404": description: not found tags: - investigation /data/job/batch/{id}/add_targets/: parameters: - in: path name: id required: true type: string post: description: Agents that are already in this job will be ignored, whether they are specified by ID, or as part of a group. operationId: data_job_batch_add_targets parameters: - in: body name: data required: true schema: $ref: '#/definitions/BatchTarget' responses: "200": description: "" schema: $ref: '#/definitions/SimpleBatchRetrieve' "400": description: Invalid request "404": description: not found summary: Add targets to an existing job tags: - investigation /data/job/batch/{id}/duplicate/: parameters: - in: path name: id required: true type: string post: description: |- Batches are like jobs, except that they can contain multiple different actions. A user can see any batch if they have access to at least one of its actions. They won't be able to access sensitive data, like job results or params, unless they have the read permission for the action Changing (create, edit, delete) a Batch requires write permission on all of its actions. 
operationId: data_job_batch_duplicate parameters: - in: body name: data required: true schema: $ref: '#/definitions/BatchDuplicate' responses: "201": description: "" schema: $ref: '#/definitions/SimpleBatchRetrieve' "400": description: Invalid request "404": description: not found summary: Batch endpoints tags: - investigation /data/job/batch/{id}/targets/: get: description: |- Batches are like jobs, except that they can contain multiple different actions. A user can see any batch if they have access to at least one of its actions. They won't be able to access sensitive data, like job results or params, unless they have the read permission for the action Changing (create, edit, delete) a Batch requires write permission on all of its actions. operationId: data_job_batch_targets parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: items: $ref: '#/definitions/PaginatedBatchAgentList' type: array summary: Batch endpoints tags: - investigation parameters: - in: path name: id required: true type: string /data/llm/chat/conversation/: get: description: "" operationId: data_llm_chat_conversation_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: last_update required: false type: string - description: "" in: query name: creation_date required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: user required: false type: string - description: "" in: query name: title required: false type: string - description: "" in: query name: archived required: false type: string - description: "" in: query name: public required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query name: requests.message required: false type: string - in: query name: requests.response required: false type: string - in: query name: user.username required: false type: string - in: query name: user.id required: false type: string - in: query name: first_context.location_type required: false type: string - in: query name: first_context.object_id required: false type: string - in: query name: first_context.filter_args required: false type: string - in: query name: first_context.section_id required: false type: string produces: - application/json - text/event-stream responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/ChatList' type: array required: - count - results type: object tags: - llm parameters: [] post: description: 'SSE streaming (Accept: text/event-stream) is unstable and may be removed with no notice.' 
operationId: data_llm_chat_conversation_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/NewChat' produces: - application/json - text/event-stream responses: "201": description: "" schema: $ref: '#/definitions/Chat' summary: Start a new conversation tags: - llm /data/llm/chat/conversation/{id}/: delete: description: "" operationId: data_llm_chat_conversation_delete parameters: [] produces: - application/json - text/event-stream responses: "204": description: "" tags: - llm get: description: "" operationId: data_llm_chat_conversation_read parameters: [] produces: - application/json - text/event-stream responses: "200": description: "" schema: $ref: '#/definitions/Chat' tags: - llm parameters: - in: path name: id required: true type: string patch: description: "" operationId: data_llm_chat_conversation_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/Chat' produces: - application/json - text/event-stream responses: "200": description: "" schema: $ref: '#/definitions/Chat' tags: - llm put: description: "" operationId: data_llm_chat_conversation_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/Chat' produces: - application/json - text/event-stream responses: "200": description: "" schema: $ref: '#/definitions/Chat' tags: - llm /data/llm/chat/conversation/{id}/request/: parameters: - in: path name: id required: true type: string post: description: 'SSE streaming (Accept: text/event-stream) is unstable and may be removed with no notice.' 
operationId: data_llm_chat_conversation_chat_request parameters: - in: body name: data required: true schema: $ref: '#/definitions/Chat' produces: - application/json - text/event-stream responses: "201": description: "" schema: $ref: '#/definitions/ChatRequest' summary: Ask a new request in an existing conversation tags: - llm /data/llm/chat/feedback/: get: description: "" operationId: data_llm_chat_feedback_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/ChatFeedback' type: array required: - count - results type: object tags: - llm parameters: [] post: description: "" operationId: data_llm_chat_feedback_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/ChatFeedback' responses: "201": description: "" schema: $ref: '#/definitions/ChatFeedback' tags: - llm /data/llm/chat/request/: parameters: [] post: description: 'SSE streaming (Accept: text/event-stream) is unstable and may be removed with no notice.' operationId: data_llm_chat_request_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/NewChatRequest' responses: "201": description: "" schema: $ref: '#/definitions/ChatRequest' summary: Ask a new request (OUTSIDE of a conversation) tags: - llm /data/llm/chat/request/{id}/: get: description: "" operationId: data_llm_chat_request_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ChatRequest' tags: - llm parameters: - description: A UUID string identifying this chat request. 
format: uuid in: path name: id required: true type: string /data/llm/conversation/: get: description: LLM ViewSet. Defines endpoints for interacting with Kio. Deprecated, will be replaced with /api/llm/chat operationId: data_llm_conversation_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: last_update required: false type: string - description: "" in: query name: creation_date required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: user required: false type: string - description: "" in: query name: title required: false type: string - description: "" in: query name: archived required: false type: string - description: "" in: query name: public required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query name: requests.message required: false type: string - in: query name: requests.response required: false type: string responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/Conversation' type: array required: - count - results type: object tags: - llm parameters: [] post: deprecated: true description: Start a new conversation operationId: data_llm_conversation_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/NewConversation' responses: "201": description: "" schema: $ref: '#/definitions/Conversation' tags: - llm /data/llm/conversation/{id}/: delete: description: LLM ViewSet. 
Defines endpoints for interacting with Kio. Deprecated, will be replaced with /api/llm/chat operationId: data_llm_conversation_delete parameters: [] responses: "204": description: "" tags: - llm get: description: LLM ViewSet. Defines endpoints for interacting with Kio. Deprecated, will be replaced with /api/llm/chat operationId: data_llm_conversation_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Conversation' tags: - llm parameters: - description: A UUID string identifying this chat conversation. format: uuid in: path name: id required: true type: string /data/llm/conversation/{id}/request/: parameters: - description: A UUID string identifying this chat conversation. format: uuid in: path name: id required: true type: string post: deprecated: true description: Ask a new request in an existing conversation operationId: data_llm_conversation_new_request parameters: - in: body name: data required: true schema: $ref: '#/definitions/Conversation' responses: "201": description: "" schema: $ref: '#/definitions/InnerRequest' tags: - llm /data/llm/feedback/: parameters: [] post: description: LLM viewset. Defines an additional endpoint for providing feedback on Kio. Deprecated, will be replaced with /api/llm/chat operationId: data_llm_feedback_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/Feedback' responses: "201": description: "" schema: $ref: '#/definitions/Feedback' tags: - llm /data/llm/request/{id}/: get: description: LLM viewset. Defines an additional endpoint for interacting with Kio. Deprecated, will be replaced with /api/llm/chat operationId: data_llm_request_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Request' tags: - llm parameters: - description: A UUID string identifying this chat request. 
format: uuid in: path name: id required: true type: string /data/permission/: get: description: "" operationId: data_permission_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: name required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/Permission' type: array required: - count - results type: object tags: - user parameters: [] post: description: "" operationId: data_permission_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/Permission' responses: "201": description: "" schema: $ref: '#/definitions/Permission' tags: - user /data/permission/{id}/: delete: description: "" operationId: data_permission_delete parameters: [] responses: "204": description: "" tags: - user get: description: "" operationId: data_permission_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Permission' tags: - user parameters: - in: path name: id required: true type: string patch: description: "" operationId: data_permission_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/Permission' responses: "200": description: "" schema: $ref: '#/definitions/Permission' tags: - user put: description: "" operationId: data_permission_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/Permission' responses: "200": description: "" schema: $ref: 
'#/definitions/Permission' tags: - user /data/quarantine/history/: get: description: "" operationId: data_quarantine_history_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: action required: false type: string - description: "" in: query name: action_result required: false type: string - description: "" in: query name: action_result_message required: false type: string - description: "" in: query name: action_result_reason required: false type: string - description: "" in: query name: file_path required: false type: string - description: "" in: query name: file_hash required: false type: string - description: "" in: query name: file_uid required: false type: string - description: "" in: query name: action_uid required: false type: string - description: "" in: query name: job_uid required: false type: string - description: "" in: query name: job_instance_number required: false type: number - description: "" in: query name: error_message required: false type: string - description: "" in: query name: type required: false type: string - description: "" in: query name: date required: false type: string - description: "" in: query name: comment required: false type: string - description: "" in: query name: agent__id required: false type: string - description: "" in: query name: agent__hostname required: false type: string - description: "" in: query name: agent__osproducttype required: false type: string - description: "" in: query name: agent__ostype required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query name: agent.id required: false type: string - in: query name: agent.hostname required: false type: string - in: query name: agent.osproducttype required: false type: string - in: query name: agent.ostype required: false type: string responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/QuarantineActionHistory' type: array required: - count - results type: object tags: - quarantine parameters: [] /data/quarantine/history/export/: get: description: Endpoint for exporting the current queryset as a CSV file. operationId: data_quarantine_history_export parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: action required: false type: string - description: "" in: query name: action_result required: false type: string - description: "" in: query name: action_result_message required: false type: string - description: "" in: query name: action_result_reason required: false type: string - description: "" in: query name: file_path required: false type: string - description: "" in: query name: file_hash required: false type: string - description: "" in: query name: file_uid required: false type: string - description: "" in: query name: action_uid required: false type: string - description: "" in: query name: job_uid required: false type: string - description: "" in: query name: job_instance_number required: false type: number - description: "" in: query name: error_message required: false type: string - description: "" in: query name: type required: false type: string - description: "" in: query name: date 
required: false type: string - description: "" in: query name: comment required: false type: string - description: "" in: query name: agent__id required: false type: string - description: "" in: query name: agent__hostname required: false type: string - description: "" in: query name: agent__osproducttype required: false type: string - description: "" in: query name: agent__ostype required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - quarantine parameters: [] /data/quarantine/history/{id}/: get: description: "" operationId: data_quarantine_history_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/QuarantineActionHistory' tags: - quarantine parameters: - description: A UUID string identifying this quarantine action history. format: uuid in: path name: id required: true type: string /data/quarantine/item/: get: description: "" operationId: data_quarantine_item_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: item_md5 required: false type: string - description: "" in: query name: item_sha1 required: false type: string - description: "" in: query name: item_sha256 required: false type: string - description: "" in: query name: item_sha512 required: false type: string - description: "" in: query name: date required: false type: string - description: "" in: query name: type required: false type: string - description: "" in: query name: local_id required: false type: string - description: "" in: query name: original_file_size required: false type: number - description: "" in: query name: original_file_path required: false type: string - description: "" in: query name: new_file_path required: false type: string - description: "" in: query name: user_sid required: false type: string - description: "" in: query name: acl required: false type: string - description: "" in: query name: full_security_descriptor required: false type: string - description: "" in: query name: mode required: false type: string - description: "" in: query name: user_id required: false type: number - description: "" in: query name: group_id required: false type: number - description: "" in: query name: agent__id required: false type: string - description: "" in: query name: agent__hostname required: false type: string - description: "" in: query name: agent__osproducttype required: false type: string - description: "" in: query name: agent__ostype required: false type: string - description: "" in: query name: comment required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query name: agent.id required: false type: string - in: query name: agent.hostname required: false type: string - in: query name: agent.osproducttype required: false type: string - in: query name: agent.ostype required: false type: string - in: query name: status_jobinstance.state required: false type: number - in: query name: status_jobinstance.action required: false type: string - in: query name: status_jobinstance.starttime required: false type: string - in: query name: status_jobinstance.endtime required: false type: string - in: query name: status_jobinstance.job_id required: false type: string - in: query name: acquired required: false type: boolean - in: query name: download_jobinstance.state required: false type: number - in: query name: download_jobinstance.action required: false type: string - in: query name: download_jobinstance.starttime required: false type: string - in: query name: download_jobinstance.endtime required: false type: string - in: query name: download_jobinstance.job_id required: false type: string responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/QuarantinedItem' type: array required: - count - results type: object tags: - quarantine parameters: [] /data/quarantine/item/export/: get: description: Endpoint for exporting the current queryset as a CSV file. operationId: data_quarantine_item_export parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: item_md5 required: false type: string - description: "" in: query name: item_sha1 required: false type: string - description: "" in: query name: item_sha256 required: false type: string - description: "" in: query name: item_sha512 required: false type: string - description: "" in: query name: date required: false type: string - description: "" in: query name: type required: false type: string - description: "" in: query name: local_id required: false type: string - description: "" in: query name: original_file_size required: false type: number - description: "" in: query name: original_file_path required: false type: string - description: "" in: query name: new_file_path required: false type: string - description: "" in: query name: user_sid required: false type: string - description: "" in: query name: acl required: false type: string - description: "" in: query name: full_security_descriptor required: false type: string - description: "" in: query name: mode required: false type: string - description: "" in: query name: user_id required: false type: number - description: "" in: query name: group_id required: false type: number - description: "" in: query name: agent__id required: false type: string - description: "" in: query name: agent__hostname required: false type: string - description: "" in: query name: agent__osproducttype required: false type: string - description: "" in: query name: agent__ostype required: false type: string - description: "" in: query name: comment required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - quarantine parameters: [] /data/quarantine/item/{id}/: get: description: "" operationId: data_quarantine_item_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/QuarantinedItem' tags: - quarantine parameters: - description: A UUID string identifying this quarantined item. format: uuid in: path name: id required: true type: string /data/quarantine/item/{id}/download/: get: description: "" operationId: data_quarantine_item_download parameters: [] responses: "200": description: FileResponse "404": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - quarantine parameters: - description: A UUID string identifying this quarantined item. format: uuid in: path name: id required: true type: string /data/quarantine/item/{id}/request_upload/: parameters: - description: A UUID string identifying this quarantined item. format: uuid in: path name: id required: true type: string post: description: "" operationId: data_quarantine_item_request_upload parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/JobLight' "500": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - quarantine /data/reports/DynamicAnalysis/: get: description: "" operationId: data_reports_DynamicAnalysis_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/DynamicAnalysis' type: array required: - count - results type: object tags: - Reports parameters: [] /data/reports/DynamicAnalysis/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_reports_DynamicAnalysis_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - Reports parameters: [] /data/reports/DynamicAnalysis/send/{hash}/: parameters: - in: path name: hash required: true type: string post: description: "" operationId: data_reports_DynamicAnalysis_send_to_dynamic_analysis parameters: - in: body name: data required: true schema: $ref: '#/definitions/SimpleTenant' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - Reports /data/reports/DynamicAnalysis/{id}/: get: description: "" operationId: data_reports_DynamicAnalysis_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/DynamicAnalysis' tags: - Reports parameters: - in: path name: id required: true type: string /data/reports/StaticAnalysis/: get: description: "" operationId: data_reports_StaticAnalysis_list parameters: - description: Number of results to return per page. 
in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/StaticAnalysis' type: array required: - count - results type: object tags: - Reports parameters: [] /data/reports/StaticAnalysis/analyze/{sha256}/: parameters: - in: path name: sha256 required: true type: string post: description: |2 Start static analysis of a file. the analysis starts immediately if the file is already in S3, otherwise, we request the upload of the file to S3 with auto_analyze = True possible analysis status values : { "0": "FINISHED", "1": "RUNNING", "2": "TIMED_OUT", "3": "DOES_NOT_EXIST", "4": "WAITING_FOR_FILE_UPLOAD", "5": "CONTENTS_NOT_FOUND", "6": "NOT_DOWNLOADED", "7": "FILE_AVAILABILITY_ERROR", "8": "FILE_UPLOAD_TIMEOUT", "9": "IMCOMPATIBLE_FILE_TYPE", "255": "UNKNOWN_ERROR" } possible file_availability values : { "0": "NO_ERROR", "1": "NO_TELEMETRY_FOUND", "2": "NO_CONNECTED_AGENTS", "3": "ALREADY_DOWNLOADED", "4": "FILE_MISSING", "5": "AGENT_NOT_PROVIDED", "6": "AGENT_NOT_FOUND", "7": "NOT_DOWNLOADED", "8": "FILE_TOO_BIG", "9": "NO_PERMISSION", "255": "UNKNOWN_ERROR" } operationId: data_reports_StaticAnalysis_force_static_analysis parameters: - in: body name: data required: true schema: $ref: '#/definitions/SimpleTenant' responses: "200": description: "" schema: $ref: '#/definitions/AnalysisStatus' tags: - Reports /data/reports/StaticAnalysis/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_reports_StaticAnalysis_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - Reports parameters: [] /data/reports/StaticAnalysis/send/{hash}/: parameters: - in: path name: hash required: true type: string post: description: Deprecated, use /analyze/{sha256}/ instead operationId: data_reports_StaticAnalysis_send_to_static_analysis parameters: - in: body name: data required: true schema: $ref: '#/definitions/SimpleTenant' responses: "200": description: "" schema: $ref: '#/definitions/AnalysisStatus' tags: - Reports /data/reports/StaticAnalysis/tree/{sha256}/: get: description: |2 Get the extracted file tree from a static analysis report. possible analysis status values : { "0": "FINISHED", "1": "RUNNING", "2": "TIMED_OUT", "3": "DOES_NOT_EXIST", "4": "WAITING_FOR_FILE_UPLOAD", "5": "CONTENTS_NOT_FOUND", "6": "NOT_DOWNLOADED", "7": "FILE_AVAILABILITY_ERROR", "8": "FILE_UPLOAD_TIMEOUT", "9": "IMCOMPATIBLE_FILE_TYPE", "255": "UNKNOWN_ERROR" } operationId: data_reports_StaticAnalysis_get_extracted_file_tree parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results.
in: query name: offset required: false type: integer responses: "200": description: "" schema: $ref: '#/definitions/ExtractedFilesTree' tags: - Reports parameters: - in: path name: sha256 required: true type: string /data/reports/StaticAnalysis/{id}/: get: description: "" operationId: data_reports_StaticAnalysis_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/StaticAnalysis' tags: - Reports parameters: - in: path name: id required: true type: string /data/reports/Strings/: get: description: "" operationId: data_reports_Strings_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/ExtractedString' type: array required: - count - results type: object tags: - Reports parameters: [] /data/reports/Strings/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_reports_Strings_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - Reports parameters: [] /data/reports/Strings/{id}/: get: description: "" operationId: data_reports_Strings_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ExtractedString' tags: - Reports parameters: - in: path name: id required: true type: string /data/resource/AgentResource/: get: description: "" operationId: data_resource_AgentResource_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/AgentResource' type: array required: - count - results type: object tags: - resource parameters: [] /data/resource/AgentResource/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_resource_AgentResource_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - resource parameters: [] /data/resource/AgentResource/{id}/: get: description: "" operationId: data_resource_AgentResource_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/AgentResource' tags: - resource parameters: - in: path name: id required: true type: string /data/role/: get: description: "" operationId: data_role_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: description required: false type: string - description: "" in: query name: is_supervisor_role required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query name: user_count required: false type: number - in: query name: group_count required: false type: number responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/Role' type: array required: - count - results type: object tags: - user parameters: [] post: description: "" operationId: data_role_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/Role' responses: "201": description: "" schema: $ref: '#/definitions/Role' tags: - user /data/role/upload_yaml/: parameters: [] post: description: "" operationId: data_role_upload_yaml parameters: - in: body name: data required: true schema: $ref: '#/definitions/Role' responses: "200": description: "" schema: items: $ref: '#/definitions/_UploadYamlRole' type: array tags: - user /data/role/{id}/: delete: description: "" operationId: data_role_delete parameters: [] responses: "204": description: "" tags: - user get: description: "" operationId: data_role_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Role' tags: - user parameters: - description: A unique integer value identifying this role. in: path name: id required: true type: string patch: description: "" operationId: data_role_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/Role' responses: "200": description: "" schema: $ref: '#/definitions/Role' tags: - user put: description: "" operationId: data_role_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/Role' responses: "200": description: "" schema: $ref: '#/definitions/Role' tags: - user /data/role/{id}/add_groups/: parameters: - description: A unique integer value identifying this role. 
in: path name: id required: true type: string patch: description: "" operationId: data_role_add_groups parameters: - in: body name: data required: true schema: $ref: '#/definitions/_GroupID' responses: "200": description: "" schema: $ref: '#/definitions/Role' "404": description: group or role not found tags: - user /data/role/{id}/add_users/: parameters: - description: A unique integer value identifying this role. in: path name: id required: true type: string patch: description: "" operationId: data_role_add_users parameters: - in: body name: data required: true schema: $ref: '#/definitions/_UserID' responses: "200": description: "" schema: $ref: '#/definitions/Role' "404": description: role or user not found tags: - user /data/role/{id}/download_yaml/: get: description: "" operationId: data_role_download_yaml parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Role' tags: - user parameters: - description: A unique integer value identifying this role. in: path name: id required: true type: string /data/role/{id}/permissions/: parameters: - description: A unique integer value identifying this role. in: path name: id required: true type: string patch: description: "" operationId: data_role_permissions parameters: - in: body name: data required: true schema: $ref: '#/definitions/PermissionUpdate' responses: "200": description: "" schema: $ref: '#/definitions/Role' "404": description: role not found tags: - user /data/role/{id}/remove_groups/: parameters: - description: A unique integer value identifying this role. in: path name: id required: true type: string patch: description: "" operationId: data_role_remove_groups parameters: - in: body name: data required: true schema: $ref: '#/definitions/_GroupID' responses: "200": description: "" schema: $ref: '#/definitions/Role' "404": description: group or role not found tags: - user /data/role/{id}/remove_users/: parameters: - description: A unique integer value identifying this role. 
in: path name: id required: true type: string patch: description: "" operationId: data_role_remove_users parameters: - in: body name: data required: true schema: $ref: '#/definitions/_UserID' responses: "200": description: "" schema: $ref: '#/definitions/Role' "404": description: role or user not found tags: - user /data/role/{id}/updatePerm/: parameters: - description: A unique integer value identifying this role. in: path name: id required: true type: string patch: deprecated: true description: "" operationId: data_role_updatePerm parameters: - in: body name: data required: true schema: $ref: '#/definitions/Role' responses: "200": description: "" schema: $ref: '#/definitions/Role' tags: - user /data/role/{id}/update_permissions/: parameters: - description: A unique integer value identifying this role. in: path name: id required: true type: string patch: deprecated: true description: "" operationId: data_role_update_permissions parameters: - in: body name: data required: true schema: $ref: '#/definitions/Permissions' responses: "200": description: "" schema: $ref: '#/definitions/Role' "404": description: group or role not found tags: - user /data/role/{id}/update_users/: parameters: - description: A unique integer value identifying this role. in: path name: id required: true type: string post: description: |- The users in the request that are missing from the role will be added, and the users in the role that aren't in the request will be removed. If the list is empty, all users will be removed from the group. If a user is already in a group, it will be removed. operationId: data_role_update_users parameters: - in: body name: data required: true schema: $ref: '#/definitions/_UserID' responses: "200": description: "" schema: $ref: '#/definitions/Role' "404": description: role or user not found summary: Set the members of a role. 
tags: - user /data/search/FindProcessesByNetwork/: get: description: "" operationId: data_search_FindProcessesByNetwork_list parameters: [] responses: "200": description: "" tags: - search parameters: [] /data/search/Search/: get: description: "" operationId: data_search_Search_list parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - search parameters: [] /data/search/Search/explorer/: get: description: Endpoint to retrieve data by a value. operationId: data_search_Search_explorer parameters: - enum: - hash - name - path - root_thumbprint - signer_thumbprint in: query name: type required: true type: string - in: query minLength: 1 name: value required: true type: string - in: query minLength: 1 name: ordering required: false type: string responses: "200": description: "" schema: $ref: '#/definitions/Search' tags: - search parameters: [] /data/search/Search/explorer/export/: get: description: Export csv containing binaries matching a value. operationId: data_search_Search_explorer_explorer_export parameters: - enum: - hash - name - path - root_thumbprint - signer_thumbprint in: query name: type required: true type: string - in: query minLength: 1 name: value required: true type: string - in: query minLength: 1 name: ordering required: false type: string responses: "200": description: "" schema: items: $ref: '#/definitions/Search' type: array tags: - search parameters: [] /data/search/Search/explorer_with_list/: get: description: Endpoint to retrieve data by multiple values. 
operationId: data_search_Search_explorer_with_list parameters: - enum: - hash - name - path - root_thumbprint - signer_thumbprint in: query name: type required: true type: string - in: query items: type: string x-nullable: true name: values required: true type: array - in: query minLength: 1 name: ordering required: false type: string responses: "200": description: "" schema: $ref: '#/definitions/_ExplorerListResponse' tags: - search parameters: [] /data/supervisor_config/tenant/{tenant}/active_directory/: get: description: "" operationId: data_supervisor_config_tenant_active_directory_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: type required: false type: string - description: "" in: query name: name required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/ActiveDirectory' type: array required: - count - results type: object tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string post: description: "" operationId: data_supervisor_config_tenant_active_directory_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/ActiveDirectory' responses: "201": description: "" schema: $ref: '#/definitions/ActiveDirectory' tags: - supervisor_configuration /data/supervisor_config/tenant/{tenant}/active_directory/domain/: get: description: "" operationId: data_supervisor_config_tenant_active_directory_domain parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: type required: false type: string - description: "" in: query name: name required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: $ref: '#/definitions/_Domain' tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string /data/supervisor_config/tenant/{tenant}/active_directory/domain_controllers/: get: description: "" operationId: data_supervisor_config_tenant_active_directory_domain_controllers parameters: - description: A search term. 
in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: type required: false type: string - description: "" in: query name: name required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query minLength: 1 name: dnsdomainname required: false type: string responses: "200": description: "" schema: items: $ref: '#/definitions/_DomainController' type: array tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string /data/supervisor_config/tenant/{tenant}/active_directory/force_scan_domain_controllers/: parameters: - in: path name: tenant required: true type: string post: description: "" operationId: data_supervisor_config_tenant_active_directory_force_scan_domain_controllers parameters: - in: body name: data required: true schema: $ref: '#/definitions/ActiveDirectory' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - supervisor_configuration /data/supervisor_config/tenant/{tenant}/active_directory/test/: parameters: - in: path name: tenant required: true type: string post: description: "" operationId: data_supervisor_config_tenant_active_directory_test parameters: - in: body name: data required: true schema: $ref: '#/definitions/ActiveDirectory' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - supervisor_configuration /data/supervisor_config/tenant/{tenant}/active_directory/{id}/: delete: description: "" operationId: data_supervisor_config_tenant_active_directory_delete parameters: [] responses: "204": description: "" tags: - supervisor_configuration 
get: description: "" operationId: data_supervisor_config_tenant_active_directory_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ActiveDirectory' tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string - description: A UUID string identifying this config section. format: uuid in: path name: id required: true type: string patch: description: "" operationId: data_supervisor_config_tenant_active_directory_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/ActiveDirectory' responses: "200": description: "" schema: $ref: '#/definitions/ActiveDirectory' tags: - supervisor_configuration put: description: "" operationId: data_supervisor_config_tenant_active_directory_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/ActiveDirectory' responses: "200": description: "" schema: $ref: '#/definitions/ActiveDirectory' tags: - supervisor_configuration /data/supervisor_config/tenant/{tenant}/active_directory/{id}/force_scan/: parameters: - in: path name: tenant required: true type: string - description: A UUID string identifying this config section. format: uuid in: path name: id required: true type: string post: description: "" operationId: data_supervisor_config_tenant_active_directory_force_scan parameters: - in: body name: data required: true schema: $ref: '#/definitions/ActiveDirectory' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - supervisor_configuration /data/supervisor_config/tenant/{tenant}/active_directory/{id}/force_update_agent_groups/: parameters: - in: path name: tenant required: true type: string - description: A UUID string identifying this config section. 
format: uuid in: path name: id required: true type: string post: description: "" operationId: data_supervisor_config_tenant_active_directory_force_update_agent_groups parameters: - in: body name: data required: true schema: $ref: '#/definitions/ActiveDirectory' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - supervisor_configuration /data/supervisor_config/tenant/{tenant}/entra_id/: get: description: "" operationId: data_supervisor_config_tenant_entra_id_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: type required: false type: string - description: "" in: query name: name required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/EntraId' type: array required: - count - results type: object tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string post: description: "" operationId: data_supervisor_config_tenant_entra_id_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/EntraId' responses: "201": description: "" schema: $ref: '#/definitions/EntraId' tags: - supervisor_configuration /data/supervisor_config/tenant/{tenant}/entra_id/test/: parameters: - in: path name: tenant required: true type: string post: description: "" operationId: data_supervisor_config_tenant_entra_id_test parameters: - in: body name: data required: true schema: $ref: '#/definitions/EntraId' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - supervisor_configuration /data/supervisor_config/tenant/{tenant}/entra_id/{id}/: delete: description: "" operationId: data_supervisor_config_tenant_entra_id_delete parameters: [] responses: "204": description: "" tags: - supervisor_configuration get: description: "" operationId: data_supervisor_config_tenant_entra_id_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/EntraId' tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string - description: A UUID string identifying this config section. 
format: uuid in: path name: id required: true type: string patch: description: "" operationId: data_supervisor_config_tenant_entra_id_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/EntraId' responses: "200": description: "" schema: $ref: '#/definitions/EntraId' tags: - supervisor_configuration put: description: "" operationId: data_supervisor_config_tenant_entra_id_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/EntraId' responses: "200": description: "" schema: $ref: '#/definitions/EntraId' tags: - supervisor_configuration /data/supervisor_config/tenant/{tenant}/entra_id/{id}/force_scan/: parameters: - in: path name: tenant required: true type: string - description: A UUID string identifying this config section. format: uuid in: path name: id required: true type: string post: description: "" operationId: data_supervisor_config_tenant_entra_id_force_scan parameters: - in: body name: data required: true schema: $ref: '#/definitions/EntraId' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - supervisor_configuration /data/supervisor_config/tenant/{tenant}/entra_id/{id}/force_update_agent_groups/: parameters: - in: path name: tenant required: true type: string - description: A UUID string identifying this config section. format: uuid in: path name: id required: true type: string post: description: "" operationId: data_supervisor_config_tenant_entra_id_force_update_agent_groups parameters: - in: body name: data required: true schema: $ref: '#/definitions/EntraId' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - supervisor_configuration /data/telemetry/AmsiScan/: get: description: "" operationId: data_telemetry_AmsiScan_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/AmsiScan' type: array required: - count - results type: object tags: - telemetry parameters: [] /data/telemetry/AmsiScan/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_telemetry_AmsiScan_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - telemetry parameters: [] /data/telemetry/AmsiScan/{id}/: get: description: "" operationId: data_telemetry_AmsiScan_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/AmsiScan' tags: - telemetry parameters: - in: path name: id required: true type: string /data/telemetry/Binary/: get: description: "" operationId: data_telemetry_Binary_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/Binary' type: array required: - count - results type: object tags: - telemetry parameters: [] /data/telemetry/Binary/download/{hash}/: get: description: "" operationId: data_telemetry_Binary_download parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query name: archived required: false type: boolean responses: "200": description: File Attachment schema: type: file tags: - telemetry parameters: - in: path name: hash required: true type: string /data/telemetry/Binary/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_telemetry_Binary_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - telemetry parameters: [] /data/telemetry/Binary/{id}/: get: description: "" operationId: data_telemetry_Binary_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Binary' tags: - telemetry parameters: - in: path name: id required: true type: string /data/telemetry/Binary/{id}/upload/: parameters: - in: path name: id required: true type: string put: description: "" operationId: data_telemetry_Binary_upload parameters: - in: body name: data required: true schema: $ref: '#/definitions/Binary' responses: "200": description: "" schema: $ref: '#/definitions/Binary' tags: - telemetry /data/telemetry/DNSResolution/: get: description: "" operationId: data_telemetry_DNSResolution_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/DNSResolution' type: array required: - count - results type: object tags: - telemetry parameters: [] /data/telemetry/DNSResolution/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_telemetry_DNSResolution_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - telemetry parameters: [] /data/telemetry/DNSResolution/{id}/: get: description: "" operationId: data_telemetry_DNSResolution_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/DNSResolution' tags: - telemetry parameters: - in: path name: id required: true type: string /data/telemetry/DriverLoad/: get: description: "" operationId: data_telemetry_DriverLoad_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/DriverLoad' type: array required: - count - results type: object tags: - telemetry parameters: [] /data/telemetry/DriverLoad/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_telemetry_DriverLoad_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - telemetry parameters: [] /data/telemetry/DriverLoad/{id}/: get: description: "" operationId: data_telemetry_DriverLoad_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/DriverLoad' tags: - telemetry parameters: - in: path name: id required: true type: string /data/telemetry/EventLog/: get: deprecated: true description: "" operationId: data_telemetry_EventLog_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/EventLog' type: array required: - count - results type: object tags: - telemetry parameters: [] /data/telemetry/EventLog/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_telemetry_EventLog_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - telemetry parameters: [] /data/telemetry/EventLog/{id}/: get: deprecated: true description: "" operationId: data_telemetry_EventLog_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/EventLog' tags: - telemetry parameters: - in: path name: id required: true type: string /data/telemetry/File/: get: description: "" operationId: data_telemetry_File_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/File' type: array required: - count - results type: object tags: - telemetry parameters: [] /data/telemetry/File/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_telemetry_File_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - telemetry parameters: [] /data/telemetry/File/is_available/{sha256}/: get: description: |2 Check if file is available for download on client or uploadable to S3. the check for uploadability to S3 only happens if the file is not already uploaded to S3 possible file_availability values : { "0": "NO_ERROR", "1": "NO_TELEMETRY_FOUND", "2": "NO_CONNECTED_AGENTS", "3": "ALREADY_DOWNLOADED", "4": "FILE_MISSING", "5": "AGENT_NOT_PROVIDED", "6": "AGENT_NOT_FOUND", "7": "NOT_DOWNLOADED", "8": "FILE_TOO_BIG", "9": "NO_PERMISSION", "255": "UNKNOWN_ERROR" } possible downloaded values : { "-1": "NOT_DOWNLOADED", "0": "DOWNLOAD_OK", "1": "FILE_NOT_FOUND", "2": "OPEN_FAILED", "3": "FILE_TOO_BIG", "255": "UNKNOWN_ERROR" } operationId: data_telemetry_File_is_file_available parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: $ref: '#/definitions/FileAvailability' tags: - telemetry parameters: - in: path name: sha256 required: true type: string /data/telemetry/File/request_upload/: parameters: [] post: description: |2 Request file upload to S3 from a specific agent with a specific path. 
Possible file_availability values: { "0": "NO_ERROR", "1": "NO_TELEMETRY_FOUND", "2": "NO_CONNECTED_AGENTS", "3": "ALREADY_DOWNLOADED", "4": "FILE_MISSING", "5": "AGENT_NOT_PROVIDED", "6": "AGENT_NOT_FOUND", "7": "NOT_DOWNLOADED", "8": "FILE_TOO_BIG", "9": "NO_PERMISSION", "255": "UNKNOWN_ERROR" } operationId: data_telemetry_File_request_file_upload_by_path parameters: - in: body name: data required: true schema: $ref: '#/definitions/PathDownloadRequest' responses: "200": description: "" schema: $ref: '#/definitions/DownloadRequestResponse' tags: - telemetry /data/telemetry/File/request_upload/{sha256}/: parameters: - in: path name: sha256 required: true type: string post: description: |2 Request upload of a file to S3 from its sha256. The file needs to either: - have been seen by a telemetry or security event linked to an online agent - have been quarantined on an online agent. Possible file_availability values: { "0": "NO_ERROR", "1": "NO_TELEMETRY_FOUND", "2": "NO_CONNECTED_AGENTS", "3": "ALREADY_DOWNLOADED", "4": "FILE_MISSING", "5": "AGENT_NOT_PROVIDED", "6": "AGENT_NOT_FOUND", "7": "NOT_DOWNLOADED", "8": "FILE_TOO_BIG", "9": "NO_PERMISSION", "255": "UNKNOWN_ERROR" } operationId: data_telemetry_File_request_file_upload parameters: - in: body name: data required: true schema: $ref: '#/definitions/DownloadRequest' responses: "200": description: "" schema: $ref: '#/definitions/DownloadRequestResponse' tags: - telemetry /data/telemetry/File/{id}/: get: description: "" operationId: data_telemetry_File_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/File' tags: - telemetry parameters: - in: path name: id required: true type: string /data/telemetry/FileDownload/: get: description: "" operationId: data_telemetry_FileDownload_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/File' type: array required: - count - results type: object tags: - telemetry parameters: [] /data/telemetry/FileDownload/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_telemetry_FileDownload_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - telemetry parameters: [] /data/telemetry/FileDownload/{id}/: get: description: "" operationId: data_telemetry_FileDownload_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/File' tags: - telemetry parameters: - in: path name: id required: true type: string /data/telemetry/FullEventLog/: get: description: "" operationId: data_telemetry_FullEventLog_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/FullEventLog' type: array required: - count - results type: object tags: - telemetry parameters: [] /data/telemetry/FullEventLog/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_telemetry_FullEventLog_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - telemetry parameters: [] /data/telemetry/FullEventLog/{id}/: get: description: "" operationId: data_telemetry_FullEventLog_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/FullEventLog' tags: - telemetry parameters: - in: path name: id required: true type: string /data/telemetry/FullEventLogAggregate/: get: description: |- Grouping of all elements that are equal on a given list of fields. Each element will be assigned an additional field `count` corresponding to the number of elements with the same characteristics. operationId: data_telemetry_FullEventLogAggregate_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: agg_cols required: true type: array responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/FullEventLog' type: array required: - count - results type: object summary: Endpoint for aggregating the current search. tags: - telemetry parameters: [] /data/telemetry/FullEventLogAggregate/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_telemetry_FullEventLogAggregate_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - telemetry parameters: [] /data/telemetry/FullEventLogAggregate/{id}/: get: description: "" operationId: data_telemetry_FullEventLogAggregate_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/FullEventLog' tags: - telemetry parameters: - in: path name: id required: true type: string /data/telemetry/Group/: get: description: "" operationId: data_telemetry_Group_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/GroupEvent' type: array required: - count - results type: object tags: - telemetry parameters: [] /data/telemetry/Group/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_telemetry_Group_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - telemetry parameters: [] /data/telemetry/Group/{id}/: get: description: "" operationId: data_telemetry_Group_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GroupEvent' tags: - telemetry parameters: - in: path name: id required: true type: string /data/telemetry/InjectedThread/: get: description: "" operationId: data_telemetry_InjectedThread_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/InjectedThread' type: array required: - count - results type: object tags: - telemetry parameters: [] /data/telemetry/InjectedThread/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_telemetry_InjectedThread_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - telemetry parameters: [] /data/telemetry/InjectedThread/{id}/: get: description: "" operationId: data_telemetry_InjectedThread_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/InjectedThread' tags: - telemetry parameters: - in: path name: id required: true type: string /data/telemetry/InjectedThread/{id}/disassemble/: get: description: "" operationId: data_telemetry_InjectedThread_disassemble parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/InjectedThread' tags: - telemetry parameters: - in: path name: id required: true type: string /data/telemetry/InjectedThread/{id}/download/: get: description: "" operationId: data_telemetry_InjectedThread_download parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/InjectedThread' tags: - telemetry parameters: - in: path name: id required: true type: string 
/data/telemetry/KubePodEvent/: get: description: "" operationId: data_telemetry_KubePodEvent_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/ECSTelemetry' type: array required: - count - results type: object tags: - telemetry parameters: [] /data/telemetry/KubePodEvent/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_telemetry_KubePodEvent_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - telemetry parameters: [] /data/telemetry/KubePodEvent/{id}/: get: description: "" operationId: data_telemetry_KubePodEvent_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ECSTelemetry' tags: - telemetry parameters: - in: path name: id required: true type: string /data/telemetry/LibraryLoad/: get: description: "" operationId: data_telemetry_LibraryLoad_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/LibraryLoad' type: array required: - count - results type: object tags: - telemetry parameters: [] /data/telemetry/LibraryLoad/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_telemetry_LibraryLoad_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - telemetry parameters: [] /data/telemetry/LibraryLoad/{id}/: get: description: "" operationId: data_telemetry_LibraryLoad_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/LibraryLoad' tags: - telemetry parameters: - in: path name: id required: true type: string /data/telemetry/NamedPipe/: get: description: "" operationId: data_telemetry_NamedPipe_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/NamedPipe' type: array required: - count - results type: object tags: - telemetry parameters: [] /data/telemetry/NamedPipe/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_telemetry_NamedPipe_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - telemetry parameters: [] /data/telemetry/NamedPipe/{id}/: get: description: "" operationId: data_telemetry_NamedPipe_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/NamedPipe' tags: - telemetry parameters: - in: path name: id required: true type: string /data/telemetry/Network/: get: description: "" operationId: data_telemetry_Network_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - default: false in: query name: add_dns_resolution required: false type: boolean - default: false in: query name: exclude_local_connections required: false type: boolean responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/Network' type: array required: - count - results type: object tags: - telemetry parameters: [] /data/telemetry/Network/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_telemetry_Network_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - telemetry parameters: [] /data/telemetry/Network/{id}/: get: description: "" operationId: data_telemetry_Network_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Network' tags: - telemetry parameters: - in: path name: id required: true type: string /data/telemetry/NetworkListen/: get: description: "" operationId: data_telemetry_NetworkListen_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/NetworkListen' type: array required: - count - results type: object tags: - telemetry parameters: [] /data/telemetry/NetworkListen/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_telemetry_NetworkListen_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - telemetry parameters: [] /data/telemetry/NetworkListen/{id}/: get: description: "" operationId: data_telemetry_NetworkListen_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/NetworkListen' tags: - telemetry parameters: - in: path name: id required: true type: string /data/telemetry/Powershell/: get: description: "" operationId: data_telemetry_Powershell_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/Powershell' type: array required: - count - results type: object tags: - telemetry parameters: [] /data/telemetry/Powershell/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_telemetry_Powershell_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - telemetry parameters: [] /data/telemetry/Powershell/{id}/: get: description: "" operationId: data_telemetry_Powershell_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Powershell' tags: - telemetry parameters: - in: path name: id required: true type: string /data/telemetry/ProcessAccess/: get: description: "" operationId: data_telemetry_ProcessAccess_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/ProcessAccess' type: array required: - count - results type: object tags: - telemetry parameters: [] /data/telemetry/ProcessAccess/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_telemetry_ProcessAccess_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - telemetry parameters: [] /data/telemetry/ProcessAccess/{id}/: get: description: "" operationId: data_telemetry_ProcessAccess_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ProcessAccess' tags: - telemetry parameters: - in: path name: id required: true type: string /data/telemetry/ProcessDuplicateHandle/: get: description: "" operationId: data_telemetry_ProcessDuplicateHandle_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/ECSTelemetry' type: array required: - count - results type: object tags: - telemetry parameters: [] /data/telemetry/ProcessDuplicateHandle/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_telemetry_ProcessDuplicateHandle_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - telemetry parameters: [] /data/telemetry/ProcessDuplicateHandle/{id}/: get: description: "" operationId: data_telemetry_ProcessDuplicateHandle_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ECSTelemetry' tags: - telemetry parameters: - in: path name: id required: true type: string /data/telemetry/ProcessTamper/: get: description: "" operationId: data_telemetry_ProcessTamper_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/ProcessTamper' type: array required: - count - results type: object tags: - telemetry parameters: [] /data/telemetry/ProcessTamper/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_telemetry_ProcessTamper_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - telemetry parameters: [] /data/telemetry/ProcessTamper/{id}/: get: description: "" operationId: data_telemetry_ProcessTamper_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ProcessTamper' tags: - telemetry parameters: - in: path name: id required: true type: string /data/telemetry/Processes/: get: description: "" operationId: data_telemetry_Processes_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/DocProcessesSerializer' type: array required: - count - results type: object tags: - telemetry parameters: [] /data/telemetry/Processes/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_telemetry_Processes_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - telemetry parameters: [] /data/telemetry/Processes/{id}/: get: description: "" operationId: data_telemetry_Processes_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/DocProcessesSerializer' tags: - telemetry parameters: - in: path name: id required: true type: string /data/telemetry/Processes/{id}/graph/: get: description: "" operationId: data_telemetry_Processes_graph parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ProcessesGraph' tags: - telemetry parameters: - in: path name: id required: true type: string /data/telemetry/Processes/{id}/requestDumpProcess/: parameters: - in: path name: id required: true type: string post: description: "" operationId: data_telemetry_Processes_request_dump_process parameters: - in: body name: data required: true schema: $ref: '#/definitions/DocProcessesSerializer' - in: query name: pid required: 
true type: integer responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - telemetry /data/telemetry/Processes/{id}/requestKillProcess/: parameters: - in: path name: id required: true type: string post: description: "" operationId: data_telemetry_Processes_request_kill_process parameters: - in: body name: data required: true schema: $ref: '#/definitions/DocProcessesSerializer' - in: query name: pid required: true type: integer responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - telemetry /data/telemetry/Processes/{id}/tree/: get: description: "" operationId: data_telemetry_Processes_tree parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/DocProcessesSerializer' tags: - telemetry parameters: - in: path name: id required: true type: string /data/telemetry/RawDeviceAccess/: get: description: "" operationId: data_telemetry_RawDeviceAccess_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/RawDeviceAccess' type: array required: - count - results type: object tags: - telemetry parameters: [] /data/telemetry/RawDeviceAccess/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_telemetry_RawDeviceAccess_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - telemetry parameters: [] /data/telemetry/RawDeviceAccess/{id}/: get: description: "" operationId: data_telemetry_RawDeviceAccess_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/RawDeviceAccess' tags: - telemetry parameters: - in: path name: id required: true type: string /data/telemetry/RawSocketCreation/: get: description: "" operationId: data_telemetry_RawSocketCreation_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/RawSocketCreation' type: array required: - count - results type: object tags: - telemetry parameters: [] /data/telemetry/RawSocketCreation/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_telemetry_RawSocketCreation_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - telemetry parameters: [] /data/telemetry/RawSocketCreation/{id}/: get: description: "" operationId: data_telemetry_RawSocketCreation_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/RawSocketCreation' tags: - telemetry parameters: - in: path name: id required: true type: string /data/telemetry/Registry/: get: description: "" operationId: data_telemetry_Registry_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/Registry' type: array required: - count - results type: object tags: - telemetry parameters: [] /data/telemetry/Registry/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_telemetry_Registry_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - telemetry parameters: [] /data/telemetry/Registry/{id}/: get: description: "" operationId: data_telemetry_Registry_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Registry' tags: - telemetry parameters: - in: path name: id required: true type: string /data/telemetry/RemoteThread/: get: description: "" operationId: data_telemetry_RemoteThread_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/RemoteThread' type: array required: - count - results type: object tags: - telemetry parameters: [] /data/telemetry/RemoteThread/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_telemetry_RemoteThread_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - telemetry parameters: [] /data/telemetry/RemoteThread/{id}/: get: description: "" operationId: data_telemetry_RemoteThread_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/RemoteThread' tags: - telemetry parameters: - in: path name: id required: true type: string /data/telemetry/ScheduledTask/: get: description: "" operationId: data_telemetry_ScheduledTask_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/ECSTelemetry' type: array required: - count - results type: object tags: - telemetry parameters: [] /data/telemetry/ScheduledTask/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_telemetry_ScheduledTask_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - telemetry parameters: [] /data/telemetry/ScheduledTask/{id}/: get: description: "" operationId: data_telemetry_ScheduledTask_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ECSTelemetry' tags: - telemetry parameters: - in: path name: id required: true type: string /data/telemetry/ThreadDump/: get: description: "" operationId: data_telemetry_ThreadDump_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/ThreadDump' type: array required: - count - results type: object tags: - telemetry parameters: [] /data/telemetry/ThreadDump/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_telemetry_ThreadDump_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - telemetry parameters: [] /data/telemetry/ThreadDump/{id}/: get: description: "" operationId: data_telemetry_ThreadDump_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ThreadDump' tags: - telemetry parameters: - in: path name: id required: true type: string /data/telemetry/USBActivity/: get: description: |- The device product/vendor names are sourced either from the Linux USB ID database or from the USB device's firmware. If the product/vendor ID matches an entry in the Linux USB ID database, that name is used. Otherwise, the name reported by the firmware is used. The Linux USB ID database is used first because the names it provides are usually more useful than the ones provided by firmware. Note that both the product/vendor ID and the firmware-reported strings originate from the device itself, so a malicious or spoofed device can present an arbitrary name; treat these names as descriptive, not as proof of device identity. More documentation is available at: - https://www.usb.org/defined-class-codes - more information on USB classes/protocols - http://www.linux-usb.org/ - Linux USB ID database (also includes additional USB class/protocol descriptions) operationId: data_telemetry_USBActivity_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/USBActivity' type: array required: - count - results type: object summary: USB Activity telemetry tags: - telemetry parameters: [] /data/telemetry/USBActivity/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_telemetry_USBActivity_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - telemetry parameters: [] /data/telemetry/USBActivity/{id}/: get: description: |- The device product/vendor names are sourced either from the Linux USB ID database or from the USB device's firmware. If the product/vendor ID matches an entry in the Linux USB ID database, that name is used. Otherwise, the name reported by the firmware is used. The Linux USB ID database is used first because the names it provides are usually more useful than the ones provided by firmware. Note that both the product/vendor ID and the firmware-reported strings originate from the device itself, so a malicious or spoofed device can present an arbitrary name; treat these names as descriptive, not as proof of device identity. 
More documentation is available at: - https://www.usb.org/defined-class-codes - more information on USB classes/protocols - http://www.linux-usb.org/ - Linux USB ID database (also includes additional USB class/protocol descriptions) operationId: data_telemetry_USBActivity_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/USBActivity' summary: USB Activity telemetry tags: - telemetry parameters: - in: path name: id required: true type: string /data/telemetry/UrlRequest/: get: description: "" operationId: data_telemetry_UrlRequest_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/UrlRequest' type: array required: - count - results type: object tags: - telemetry parameters: [] /data/telemetry/UrlRequest/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_telemetry_UrlRequest_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - telemetry parameters: [] /data/telemetry/UrlRequest/{id}/: get: description: "" operationId: data_telemetry_UrlRequest_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/UrlRequest' tags: - telemetry parameters: - in: path name: id required: true type: string /data/telemetry/User/: get: description: "" operationId: data_telemetry_User_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/UserEvent' type: array required: - count - results type: object tags: - telemetry parameters: [] /data/telemetry/User/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_telemetry_User_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - telemetry parameters: [] /data/telemetry/User/{id}/: get: description: "" operationId: data_telemetry_User_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/UserEvent' tags: - telemetry parameters: - in: path name: id required: true type: string /data/telemetry/WindowsService/: get: description: "" operationId: data_telemetry_WindowsService_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/ECSTelemetry' type: array required: - count - results type: object tags: - telemetry parameters: [] /data/telemetry/WindowsService/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_telemetry_WindowsService_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - telemetry parameters: [] /data/telemetry/WindowsService/{id}/: get: description: "" operationId: data_telemetry_WindowsService_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ECSTelemetry' tags: - telemetry parameters: - in: path name: id required: true type: string /data/telemetry/WmiEvent/: get: description: "" operationId: data_telemetry_WmiEvent_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/TelemetryWmiEvent' type: array required: - count - results type: object tags: - telemetry parameters: [] /data/telemetry/WmiEvent/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_telemetry_WmiEvent_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - telemetry parameters: [] /data/telemetry/WmiEvent/{id}/: get: description: "" operationId: data_telemetry_WmiEvent_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/TelemetryWmiEvent' tags: - telemetry parameters: - in: path name: id required: true type: string /data/telemetry/authentication/AuthenticationLinux/: get: description: "" operationId: data_telemetry_authentication_AuthenticationLinux_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/AuthenticationLinux' type: array required: - count - results type: object tags: - telemetry parameters: [] /data/telemetry/authentication/AuthenticationLinux/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_telemetry_authentication_AuthenticationLinux_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - telemetry parameters: [] /data/telemetry/authentication/AuthenticationLinux/{id}/: get: description: "" operationId: data_telemetry_authentication_AuthenticationLinux_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/AuthenticationLinux' tags: - telemetry parameters: - in: path name: id required: true type: string /data/telemetry/authentication/AuthenticationLogin/: get: description: "" operationId: data_telemetry_authentication_AuthenticationLogin_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/AuthenticationLogin' type: array required: - count - results type: object tags: - telemetry parameters: [] /data/telemetry/authentication/AuthenticationLogin/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_telemetry_authentication_AuthenticationLogin_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - telemetry parameters: [] /data/telemetry/authentication/AuthenticationLogin/{id}/: get: description: "" operationId: data_telemetry_authentication_AuthenticationLogin_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/AuthenticationLogin' tags: - telemetry parameters: - in: path name: id required: true type: string /data/telemetry/authentication/AuthenticationLogout/: get: description: "" operationId: data_telemetry_authentication_AuthenticationLogout_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/AuthenticationLogout' type: array required: - count - results type: object tags: - telemetry parameters: [] /data/telemetry/authentication/AuthenticationLogout/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_telemetry_authentication_AuthenticationLogout_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - telemetry parameters: [] /data/telemetry/authentication/AuthenticationLogout/{id}/: get: description: "" operationId: data_telemetry_authentication_AuthenticationLogout_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/AuthenticationLogout' tags: - telemetry parameters: - in: path name: id required: true type: string /data/telemetry/authentication/AuthenticationMacos/: get: description: "" operationId: data_telemetry_authentication_AuthenticationMacos_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/AuthenticationMacos' type: array required: - count - results type: object tags: - telemetry parameters: [] /data/telemetry/authentication/AuthenticationMacos/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_telemetry_authentication_AuthenticationMacos_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - telemetry parameters: [] /data/telemetry/authentication/AuthenticationMacos/{id}/: get: description: "" operationId: data_telemetry_authentication_AuthenticationMacos_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/AuthenticationMacos' tags: - telemetry parameters: - in: path name: id required: true type: string /data/telemetry/authentication/AuthenticationWindows/: get: description: "" operationId: data_telemetry_authentication_AuthenticationWindows_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/AuthenticationWindows' type: array required: - count - results type: object tags: - telemetry parameters: [] /data/telemetry/authentication/AuthenticationWindows/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_telemetry_authentication_AuthenticationWindows_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - telemetry parameters: [] /data/telemetry/authentication/AuthenticationWindows/graph/: get: description: "" operationId: data_telemetry_authentication_AuthenticationWindows_graph parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: $ref: '#/definitions/_MainGraph' tags: - telemetry parameters: [] /data/telemetry/authentication/AuthenticationWindows/{id}/: get: description: "" operationId: data_telemetry_authentication_AuthenticationWindows_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/AuthenticationWindows' tags: - telemetry parameters: - in: path name: id required: true type: string /data/telemetry/file/Library/: get: description: "" operationId: data_telemetry_file_Library_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/Library' type: array required: - count - results type: object tags: - telemetry parameters: [] /data/telemetry/file/Library/download/{hash}/: get: description: "" operationId: data_telemetry_file_Library_download parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query name: archived required: false type: boolean responses: "200": description: File Attachment schema: type: file tags: - telemetry parameters: - in: path name: hash required: true type: string /data/telemetry/file/Library/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_telemetry_file_Library_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - telemetry parameters: [] /data/telemetry/file/Library/{id}/: get: description: "" operationId: data_telemetry_file_Library_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Library' tags: - telemetry parameters: - in: path name: id required: true type: string /data/telemetry/file/Library/{id}/upload/: parameters: - in: path name: id required: true type: string put: description: "" operationId: data_telemetry_file_Library_upload parameters: - in: body name: data required: true schema: $ref: '#/definitions/Library' responses: "200": description: "" schema: $ref: '#/definitions/Library' tags: - telemetry /data/telemetry/timeline/Favorite/: parameters: [] post: description: Create a new timeline favorite; throw an error if it already exists. operationId: data_telemetry_timeline_Favorite_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/TimelineFavorite' responses: "201": description: "" schema: $ref: '#/definitions/TimelineFavorite' "400": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - telemetry /data/telemetry/timeline/Favorite/{id}/: delete: description: Delete a timeline favorite. operationId: data_telemetry_timeline_Favorite_delete parameters: [] responses: "204": description: favorite successfully deleted "404": description: favorite doesn't exist tags: - telemetry parameters: - description: A UUID string identifying this timeline favorite. 
format: uuid in: path name: id required: true type: string /data/telemetry/timeline/Timeline/: get: deprecated: true description: Deprecated endpoint for related timeline operationId: data_telemetry_timeline_Timeline_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/AbstractTimeline' type: array required: - count - results type: object tags: - telemetry parameters: [] /data/telemetry/timeline/Timeline/export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_telemetry_timeline_Timeline_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - telemetry parameters: [] /data/telemetry/timeline/Timeline/new_export/: get: description: Endpoint for exporting the current search as a CSV file. operationId: data_telemetry_timeline_Timeline_new_export parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - telemetry parameters: [] /data/telemetry/timeline/Timeline/new_timeline/: get: description: List of timeline events operationId: data_telemetry_timeline_Timeline_new_timeline parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/AbstractTimeline' type: array required: - count - results type: object tags: - telemetry parameters: [] /data/telemetry/timeline/Timeline/version_graph/: get: description: Endpoint for related timeline graph operationId: data_telemetry_timeline_Timeline_version_graph parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - format: uuid in: query name: agent_id required: true type: string - format: date in: query name: from_date required: false type: string - format: date in: query name: to_date required: false type: string - description: A comma-separated string that is split into a list of strings, using ',' as the separator. 
in: query minLength: 1 name: event_type required: false type: string responses: "200": description: "" schema: items: $ref: '#/definitions/TimelineGraph' type: array "400": description: Invalid form examples: application/json: field_name: - error message - other error message "404": description: Not found examples: application/json: detail: Not found. tags: - telemetry parameters: [] /data/telemetry/timeline/Timeline/{id}/: get: description: "" operationId: data_telemetry_timeline_Timeline_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/AbstractTimeline' tags: - telemetry parameters: - in: path name: id required: true type: string /data/threat_intelligence/CorrelationRule/: get: description: "" operationId: data_threat_intelligence_CorrelationRule_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: source_id required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query name: last_update required: false type: string - in: query name: creation_date required: false type: string - in: query name: last_modifier.id required: false type: number - in: query name: last_modifier.username required: false type: string - in: query name: id required: false type: string - in: query name: enabled required: false type: boolean - in: query name: block_on_agent required: false type: boolean - in: query name: quarantine_on_agent required: false type: boolean - in: query name: endpoint_detection required: false type: boolean - in: query name: hl_status required: false type: string - in: query name: rule_level required: false type: string - in: query name: rule_level_override required: false type: string - in: query name: rule_level_overridden required: false type: boolean - in: query name: rule_effective_level required: false type: string - in: query name: rule_effective_confidence required: false type: string - in: query name: source.id required: false type: string - in: query name: source.name required: false type: string - in: query name: ruleset_rule_default required: false type: boolean - in: query name: ruleset_rule.enabled required: false type: boolean - in: query name: ruleset_rule.block_on_agent required: false type: boolean - in: query name: ruleset_rule.quarantine_on_agent required: false type: boolean - enum: - alert - backend_alert - block - disabled - quarantine in: query name: global_state required: false type: string - enum: - alert - backend_alert - block - disabled - quarantine in: query name: effective_state required: false type: string - enum: - alert - backend_alert - block - default - disabled - quarantine in: query name: state required: false type: string - in: query name: origin_stack.id required: false type: string - in: query name: tenant required: false type: string - in: query name: name required: false type: string - in: query name: content required: false 
type: string - in: query name: whitelist_count required: false type: number - in: query name: rule_name required: false type: string - in: query name: rule_description required: false type: string - enum: - linux - macos - unknown - windows in: query name: rule_os required: false type: string - enum: - deprecated - experimental - stable - test - unsupported in: query name: rule_status required: false type: string - in: query name: rule_tactic_tags required: false type: string - in: query name: rule_technique_tags required: false type: string - enum: - moderate - strong - weak in: query name: rule_confidence required: false type: string - in: query name: errors required: false type: string - in: query name: warnings required: false type: string responses: "200": description: "" schema: $ref: '#/definitions/CorrelationPagination' tags: - threat Intelligence parameters: [] post: description: "" operationId: data_threat_intelligence_CorrelationRule_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/CreateCorrelationRule' responses: "201": description: "" schema: $ref: '#/definitions/CreateRuleResponse' tags: - threat Intelligence /data/threat_intelligence/CorrelationRule/export/: get: description: Endpoint for exporting the current queryset as a CSV file. operationId: data_threat_intelligence_CorrelationRule_export parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: source_id required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - threat Intelligence parameters: [] /data/threat_intelligence/CorrelationRule/list_ruleset/{ruleset_id}/: get: description: "" operationId: data_threat_intelligence_CorrelationRule_list_ruleset parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: source_id required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query name: last_update required: false type: string - in: query name: creation_date required: false type: string - in: query name: last_modifier.id required: false type: number - in: query name: last_modifier.username required: false type: string - in: query name: id required: false type: string - in: query name: enabled required: false type: boolean - in: query name: block_on_agent required: false type: boolean - in: query name: quarantine_on_agent required: false type: boolean - in: query name: endpoint_detection required: false type: boolean - in: query name: hl_status required: false type: string - in: query name: rule_level required: false type: string - in: query name: rule_level_override required: false type: string - in: query name: rule_level_overridden required: false type: boolean - in: query name: rule_effective_level required: false type: string - in: query name: rule_effective_confidence required: false type: string - in: query name: source.id required: false type: string - in: query name: source.name required: false type: string - in: query name: ruleset_rule_default required: false type: boolean - in: query name: ruleset_rule.enabled required: false type: boolean - in: query name: ruleset_rule.block_on_agent required: false type: boolean - in: query name: ruleset_rule.quarantine_on_agent required: false type: boolean - enum: - alert - backend_alert - block - disabled - quarantine in: query name: global_state required: false type: string - enum: - alert - backend_alert - block - disabled - quarantine in: query name: effective_state required: false type: string - enum: - alert - backend_alert - block - default - disabled - quarantine in: query name: state required: false type: string - in: query name: origin_stack.id required: false type: string - in: query name: tenant required: false type: string - in: query name: name required: false type: string - in: query name: content required: false 
type: string - in: query name: whitelist_count required: false type: number - in: query name: rule_name required: false type: string - in: query name: rule_description required: false type: string - enum: - linux - macos - unknown - windows in: query name: rule_os required: false type: string - enum: - deprecated - experimental - stable - test - unsupported in: query name: rule_status required: false type: string - in: query name: rule_tactic_tags required: false type: string - in: query name: rule_technique_tags required: false type: string - enum: - moderate - strong - weak in: query name: rule_confidence required: false type: string - in: query name: errors required: false type: string - in: query name: warnings required: false type: string responses: "200": description: "" schema: $ref: '#/definitions/CorrelationRulesetPagination' tags: - threat Intelligence parameters: - in: path name: ruleset_id required: true type: string /data/threat_intelligence/CorrelationRule/update/: parameters: [] post: description: Update fields for multiple rules at once operationId: data_threat_intelligence_CorrelationRule_update_bulk parameters: - in: body name: data required: true schema: $ref: '#/definitions/_RuleBulkUpdate' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "400": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - threat Intelligence /data/threat_intelligence/CorrelationRule/update_rules/{ruleset_id}/: parameters: - in: path name: ruleset_id required: true type: string patch: description: Deprecated call maintained for retrocompatibility. 
operationId: data_threat_intelligence_CorrelationRule_update_rules parameters: - in: body name: data required: true schema: $ref: '#/definitions/RuleUpdateRuleset' responses: "200": description: "" schema: $ref: '#/definitions/CorrelationRulesetResponse' tags: - threat Intelligence /data/threat_intelligence/CorrelationRule/update_ruleset/{ruleset_id}/: parameters: - in: path name: ruleset_id required: true type: string patch: description: "" operationId: data_threat_intelligence_CorrelationRule_update_ruleset parameters: - in: body name: data required: true schema: $ref: '#/definitions/RuleUpdateRuleset' responses: "200": description: "" schema: $ref: '#/definitions/CorrelationRulesetResponse' tags: - threat Intelligence /data/threat_intelligence/CorrelationRule/{id}/: delete: description: "" operationId: data_threat_intelligence_CorrelationRule_delete parameters: [] responses: "204": description: "" "400": description: Error, cannot delete a correlation rule used by one or more other correlation rules examples: application/json: code: linked_correlation_rule correlation_rule: correlation_rule_id: cee3ffd8-cc9b-4055-be65-30924765f938 correlation_rule_name: cmd then powersploit correlation_source_id: cfebb3f0-63f0-4ffc-9128-2c1d240b246d correlation_source_name: correlation source A details: You cannot delete a correlation rule used by one or more other correlation rules linked_correlation: - correlation_rule_id: 586588f0-ff80-469c-9c0c-493fb42d72f9 correlation_rule_name: double ls correlation_source_id: 35d913b3-f575-4d23-93f7-b2e78c0bfbea correlation_source_name: correlation source B - correlation_rule_id: ae673282-9d52-4b07-920d-e3cbd2958c37 correlation_rule_name: notepad loads kernel32 and user32 correlation_source_id: 35d913b3-f575-4d23-93f7-b2e78c0bfbea correlation_source_name: correlation source B schema: $ref: '#/definitions/CorrelationRuleLinkedToCorrelationRuleResponse' tags: - threat Intelligence get: description: "" operationId: 
data_threat_intelligence_CorrelationRule_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/CorrelationRule' tags: - threat Intelligence parameters: - description: A unique value identifying this correlation rule. in: path name: id required: true type: string patch: description: "" operationId: data_threat_intelligence_CorrelationRule_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/CorrelationRule' responses: "200": description: "" schema: $ref: '#/definitions/CorrelationRule' tags: - threat Intelligence put: description: "" operationId: data_threat_intelligence_CorrelationRule_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/CorrelationRule' responses: "200": description: "" schema: $ref: '#/definitions/CorrelationRule' tags: - threat Intelligence /data/threat_intelligence/CorrelationSource/: get: description: "" operationId: data_threat_intelligence_CorrelationSource_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query name: last_update required: false type: string - in: query name: creation_date required: false type: string - in: query name: last_modifier.id required: false type: number - in: query name: last_modifier.username required: false type: string - in: query name: name required: false type: string - in: query name: description required: false type: string - in: query name: enabled required: false type: boolean - in: query name: block_on_agent required: false type: boolean - in: query name: quarantine_on_agent required: false type: boolean - in: query name: endpoint_detection required: false type: boolean - enum: - alert - backend_alert - block - disabled - quarantine in: query name: global_state required: false type: string - enum: - alert - backend_alert - block - default - disabled - quarantine in: query name: state required: false type: string - enum: - alert - backend_alert - block - disabled - quarantine in: query name: effective_state required: false type: string - enum: - alert - backend_alert - block - default - disabled - quarantine in: query name: new_rule_state required: false type: string - in: query name: alert_rule_count required: false type: number - in: query name: block_rule_count required: false type: number - in: query name: quarantine_rule_count required: false type: number - in: query name: disabled_rule_count required: false type: number - in: query name: default_rule_count required: false type: number - in: query name: rule_level_default required: false type: string - in: query name: origin_stack.id required: false type: string - in: query name: tenant required: false type: string - in: query name: rule_count required: false type: number - in: query name: rule_stable_count required: false type: number - in: query name: rule_testing_count required: false type: number - in: query name: rule_experimental_count required: false type: number - enum: - moderate - strong - weak in: query 
name: rule_confidence_default required: false type: string responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/CorrelationSource' type: array required: - count - results type: object tags: - threat Intelligence parameters: [] post: description: "" operationId: data_threat_intelligence_CorrelationSource_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/CorrelationSource' responses: "201": description: "" schema: $ref: '#/definitions/CorrelationSource' tags: - threat Intelligence /data/threat_intelligence/CorrelationSource/export/: get: description: Endpoint for exporting the current queryset as a CSV file. operationId: data_threat_intelligence_CorrelationSource_export parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - threat Intelligence parameters: [] /data/threat_intelligence/CorrelationSource/list_ruleset/{ruleset_id}/: get: description: "" operationId: data_threat_intelligence_CorrelationSource_list_ruleset parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query name: last_update required: false type: string - in: query name: creation_date required: false type: string - in: query name: last_modifier.id required: false type: number - in: query name: last_modifier.username required: false type: string - in: query name: name required: false type: string - in: query name: description required: false type: string - in: query name: enabled required: false type: boolean - in: query name: block_on_agent required: false type: boolean - in: query name: quarantine_on_agent required: false type: boolean - in: query name: endpoint_detection required: false type: boolean - enum: - alert - backend_alert - block - disabled - quarantine in: query name: global_state required: false type: string - enum: - alert - backend_alert - block - default - disabled - quarantine in: query name: state required: false type: string - enum: - alert - backend_alert - block - disabled - quarantine in: query name: effective_state required: false type: string - enum: - alert - backend_alert - block - default - disabled - quarantine in: query name: new_rule_state required: false type: string - in: query name: alert_rule_count required: false type: number - in: query name: block_rule_count required: false type: number - in: query name: quarantine_rule_count required: false type: number - in: query name: disabled_rule_count required: false type: number - in: query name: default_rule_count required: false type: number - in: query name: rule_level_default required: false type: string - in: query name: origin_stack.id required: false type: string - in: query name: tenant required: false type: string - in: query name: rule_count required: false type: number - in: query name: 
rule_stable_count required: false type: number - in: query name: rule_testing_count required: false type: number - in: query name: rule_experimental_count required: false type: number - enum: - moderate - strong - weak in: query name: rule_confidence_default required: false type: string responses: "200": description: "" schema: $ref: '#/definitions/_CorrelationSourceRulesetPagination' tags: - threat Intelligence parameters: - in: path name: ruleset_id required: true type: string /data/threat_intelligence/CorrelationSource/{id}/: delete: description: |- If the rule source contains at least one rule that is a dependency of at least one Correlation rule in another correlation source, we block the deletion. If all the dependencies are from the rule source itself, the deletion is performed as usual. operationId: data_threat_intelligence_CorrelationSource_delete parameters: [] responses: "204": description: "" "400": description: Error, cannot delete a correlation source that contains correlation rules used by one or more other correlation rules examples: application/json: code: linked_correlation_rule correlation_rule: correlation_rule_id: cee3ffd8-cc9b-4055-be65-30924765f938 correlation_rule_name: cmd then powersploit correlation_source_id: cfebb3f0-63f0-4ffc-9128-2c1d240b246d correlation_source_name: correlation source A details: You cannot delete a correlation rule used by one or more other correlation rules linked_correlation: - correlation_rule_id: 586588f0-ff80-469c-9c0c-493fb42d72f9 correlation_rule_name: double ls correlation_source_id: 35d913b3-f575-4d23-93f7-b2e78c0bfbea correlation_source_name: correlation source B - correlation_rule_id: ae673282-9d52-4b07-920d-e3cbd2958c37 correlation_rule_name: notepad loads kernel32 and user32 correlation_source_id: 35d913b3-f575-4d23-93f7-b2e78c0bfbea correlation_source_name: correlation source B schema: $ref: '#/definitions/CorrelationRuleLinkedToCorrelationRuleResponse' summary: Delete the rule source. 
tags: - threat Intelligence get: description: "" operationId: data_threat_intelligence_CorrelationSource_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/CorrelationSource' tags: - threat Intelligence parameters: - description: A unique value identifying this correlation source. in: path name: id required: true type: string patch: description: "" operationId: data_threat_intelligence_CorrelationSource_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/CorrelationSource' responses: "200": description: "" schema: $ref: '#/definitions/CorrelationSource' tags: - threat Intelligence put: description: "" operationId: data_threat_intelligence_CorrelationSource_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/CorrelationSource' responses: "200": description: "" schema: $ref: '#/definitions/CorrelationSource' tags: - threat Intelligence /data/threat_intelligence/CorrelationSource/{id}/items/: delete: description: |- If at least one of the rules to delete is a dependency of at least one Correlation rule, we block the deletion (the operation is all-or-nothing: either every listed rule is deleted or none is). 
operationId: data_threat_intelligence_CorrelationSource_items parameters: - in: body name: data required: true schema: $ref: '#/definitions/DeleteSourceItemsBody' responses: "200": description: "" schema: $ref: '#/definitions/DeleteSourceItemsBody' "400": description: Error, cannot delete a correlation rule used by one or more other correlation rules examples: application/json: code: linked_correlation_rule correlation_rule: correlation_rule_id: cee3ffd8-cc9b-4055-be65-30924765f938 correlation_rule_name: cmd then powersploit correlation_source_id: cfebb3f0-63f0-4ffc-9128-2c1d240b246d correlation_source_name: correlation source A details: You cannot delete a correlation rule used by one or more other correlation rules linked_correlation: - correlation_rule_id: 586588f0-ff80-469c-9c0c-493fb42d72f9 correlation_rule_name: double ls correlation_source_id: 35d913b3-f575-4d23-93f7-b2e78c0bfbea correlation_source_name: correlation source B - correlation_rule_id: ae673282-9d52-4b07-920d-e3cbd2958c37 correlation_rule_name: notepad loads kernel32 and user32 correlation_source_id: 35d913b3-f575-4d23-93f7-b2e78c0bfbea correlation_source_name: correlation source B schema: $ref: '#/definitions/CorrelationRuleLinkedToCorrelationRuleResponse' summary: Delete one or more rules from the rule source. tags: - threat Intelligence parameters: - description: A unique value identifying this correlation source. in: path name: id required: true type: string /data/threat_intelligence/DriverBlocklist/: get: description: "" operationId: data_threat_intelligence_DriverBlocklist_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: source_id required: false type: string - description: Number of results to return per page. 
in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query name: last_update required: false type: string - in: query name: creation_date required: false type: string - in: query name: last_modifier.id required: false type: number - in: query name: last_modifier.username required: false type: string - enum: - filename - filepath - hash in: query name: type required: false type: string - in: query name: value required: false type: string - in: query name: comment required: false type: string - in: query name: id required: false type: string - in: query name: enabled required: false type: boolean - in: query name: block_on_agent required: false type: boolean - in: query name: hl_status required: false type: string - enum: - alert - backend_alert - block - default - disabled - quarantine in: query name: state required: false type: string - enum: - alert - backend_alert - block - disabled - quarantine in: query name: global_state required: false type: string - enum: - alert - backend_alert - block - disabled - quarantine in: query name: effective_state required: false type: string responses: "200": description: "" schema: $ref: '#/definitions/_DriverBlocklistPagination' tags: - threat Intelligence parameters: [] post: description: "" operationId: data_threat_intelligence_DriverBlocklist_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/DriverBlocklist' responses: "201": description: "" schema: $ref: '#/definitions/DriverBlocklist' tags: - threat Intelligence /data/threat_intelligence/DriverBlocklist/export/: get: description: Endpoint for exporting the current queryset as a CSV file. operationId: data_threat_intelligence_DriverBlocklist_export parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: source_id required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - threat Intelligence parameters: [] /data/threat_intelligence/DriverBlocklist/list_ruleset/{ruleset_id}/: get: description: List driverblocklists with ruleset rule data. operationId: data_threat_intelligence_DriverBlocklist_list_ruleset parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: source_id required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query name: last_update required: false type: string - in: query name: creation_date required: false type: string - in: query name: last_modifier.id required: false type: number - in: query name: last_modifier.username required: false type: string - enum: - filename - filepath - hash in: query name: type required: false type: string - in: query name: value required: false type: string - in: query name: comment required: false type: string - in: query name: id required: false type: string - in: query name: enabled required: false type: boolean - in: query name: block_on_agent required: false type: boolean - in: query name: hl_status required: false type: string - enum: - alert - backend_alert - block - default - disabled - quarantine in: query name: state required: false type: string - enum: - alert - backend_alert - block - disabled - quarantine in: query name: global_state required: false type: string - enum: - alert - backend_alert - block - disabled - quarantine in: query name: effective_state required: false type: string responses: "200": description: "" schema: $ref: '#/definitions/_DriverBlocklistRulesetPagination' tags: - threat Intelligence parameters: - in: path name: ruleset_id required: true type: string /data/threat_intelligence/DriverBlocklist/update/: parameters: [] post: description: Update fields for multiple rules at once operationId: data_threat_intelligence_DriverBlocklist_update_bulk parameters: - in: body name: data required: true schema: $ref: '#/definitions/_RuleBulkUpdate' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "400": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - threat Intelligence /data/threat_intelligence/DriverBlocklist/update_rules/{ruleset_id}/: parameters: - in: path name: ruleset_id required: true type: string patch: deprecated: true description: Deprecated call maintained for retrocompatibility. 
operationId: data_threat_intelligence_DriverBlocklist_update_rules parameters: - in: body name: data required: true schema: $ref: '#/definitions/RuleUpdateRuleset' responses: "200": description: "" schema: $ref: '#/definitions/_DriverRulesetResponse' tags: - threat Intelligence /data/threat_intelligence/DriverBlocklist/update_ruleset/{ruleset_id}/: parameters: - in: path name: ruleset_id required: true type: string patch: description: "" operationId: data_threat_intelligence_DriverBlocklist_update_ruleset parameters: - in: body name: data required: true schema: $ref: '#/definitions/RuleUpdateRuleset' responses: "200": description: "" schema: $ref: '#/definitions/_DriverRulesetResponse' tags: - threat Intelligence /data/threat_intelligence/DriverBlocklist/{id}/: delete: description: "" operationId: data_threat_intelligence_DriverBlocklist_delete parameters: [] responses: "204": description: "" tags: - threat Intelligence get: description: "" operationId: data_threat_intelligence_DriverBlocklist_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/DriverBlocklist' tags: - threat Intelligence parameters: - description: A unique value identifying this driver blocklist. 
in: path name: id required: true type: string patch: description: "" operationId: data_threat_intelligence_DriverBlocklist_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/DriverBlocklist' responses: "200": description: "" schema: $ref: '#/definitions/DriverBlocklist' tags: - threat Intelligence put: description: "" operationId: data_threat_intelligence_DriverBlocklist_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/DriverBlocklist' responses: "200": description: "" schema: $ref: '#/definitions/DriverBlocklist' tags: - threat Intelligence /data/threat_intelligence/DriverBlocklistSource/: get: description: "" operationId: data_threat_intelligence_DriverBlocklistSource_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query name: last_update required: false type: string - in: query name: creation_date required: false type: string - in: query name: last_modifier.id required: false type: number - in: query name: last_modifier.username required: false type: string - in: query name: name required: false type: string - in: query name: description required: false type: string - in: query name: enabled required: false type: boolean - in: query name: block_on_agent required: false type: boolean - in: query name: quarantine_on_agent required: false type: boolean - in: query name: endpoint_detection required: false type: boolean - enum: - alert - backend_alert - block - disabled - quarantine in: query name: global_state required: false type: string - enum: - alert - backend_alert - block - default - disabled - quarantine in: query name: state required: false type: string - enum: - alert - backend_alert - block - disabled - quarantine in: query name: effective_state required: false type: string - enum: - alert - backend_alert - block - default - disabled - quarantine in: query name: new_rule_state required: false type: string - in: query name: alert_rule_count required: false type: number - in: query name: block_rule_count required: false type: number - in: query name: quarantine_rule_count required: false type: number - in: query name: disabled_rule_count required: false type: number - in: query name: default_rule_count required: false type: number - in: query name: rule_level_default required: false type: string - in: query name: origin_stack.id required: false type: string - in: query name: tenant required: false type: string - in: query name: rule_count required: false type: number - in: query name: rule_stable_count required: false type: number - in: query name: rule_testing_count required: false type: number - in: query name: rule_experimental_count required: false type: number responses: "200": description: "" schema: 
properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/DriverBlocklistSource' type: array required: - count - results type: object tags: - threat Intelligence parameters: [] /data/threat_intelligence/DriverBlocklistSource/export/: get: description: Endpoint for exporting the current queryset as a CSV file. operationId: data_threat_intelligence_DriverBlocklistSource_export parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - threat Intelligence parameters: [] /data/threat_intelligence/DriverBlocklistSource/list_ruleset/{ruleset_id}/: get: description: "" operationId: data_threat_intelligence_DriverBlocklistSource_list_ruleset parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query name: last_update required: false type: string - in: query name: creation_date required: false type: string - in: query name: last_modifier.id required: false type: number - in: query name: last_modifier.username required: false type: string - in: query name: name required: false type: string - in: query name: description required: false type: string - in: query name: enabled required: false type: boolean - in: query name: block_on_agent required: false type: boolean - in: query name: quarantine_on_agent required: false type: boolean - in: query name: endpoint_detection required: false type: boolean - enum: - alert - backend_alert - block - disabled - quarantine in: query name: global_state required: false type: string - enum: - alert - backend_alert - block - default - disabled - quarantine in: query name: state required: false type: string - enum: - alert - backend_alert - block - disabled - quarantine in: query name: effective_state required: false type: string - enum: - alert - backend_alert - block - default - disabled - quarantine in: query name: new_rule_state required: false type: string - in: query name: alert_rule_count required: false type: number - in: query name: block_rule_count required: false type: number - in: query name: quarantine_rule_count required: false type: number - in: query name: disabled_rule_count required: false type: number - in: query name: default_rule_count required: false type: number - in: query name: rule_level_default required: false type: string - in: query name: origin_stack.id required: false type: string - in: query name: tenant required: false type: string - in: query name: rule_count required: false type: number - in: query name: rule_stable_count required: false type: number - in: query name: rule_testing_count required: false type: number - in: query name: rule_experimental_count required: false type: number responses: "200": description: "" schema: $ref: 
'#/definitions/_DriverBlocklistRulesetSourcePagination' tags: - threat Intelligence parameters: - in: path name: ruleset_id required: true type: string /data/threat_intelligence/DriverBlocklistSource/{id}/: get: description: "" operationId: data_threat_intelligence_DriverBlocklistSource_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/DriverBlocklistSource' tags: - threat Intelligence parameters: - description: A unique value identifying this driver blocklist source. in: path name: id required: true type: string patch: description: "" operationId: data_threat_intelligence_DriverBlocklistSource_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/DriverBlocklistSource' responses: "200": description: "" schema: $ref: '#/definitions/DriverBlocklistSource' tags: - threat Intelligence put: description: "" operationId: data_threat_intelligence_DriverBlocklistSource_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/DriverBlocklistSource' responses: "200": description: "" schema: $ref: '#/definitions/DriverBlocklistSource' tags: - threat Intelligence /data/threat_intelligence/IOCRule/: get: description: "" operationId: data_threat_intelligence_IOCRule_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: source_id required: false type: string - description: "" in: query name: name required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query name: last_update required: false type: string - in: query name: creation_date required: false type: string - in: query name: last_modifier.id required: false type: number - in: query name: last_modifier.username required: false type: string - in: query name: id required: false type: string - in: query name: enabled required: false type: boolean - in: query name: block_on_agent required: false type: boolean - in: query name: quarantine_on_agent required: false type: boolean - in: query name: endpoint_detection required: false type: boolean - in: query name: hl_status required: false type: string - in: query name: rule_level required: false type: string - in: query name: rule_level_override required: false type: string - in: query name: rule_level_overridden required: false type: boolean - in: query name: rule_effective_level required: false type: string - in: query name: rule_effective_confidence required: false type: string - in: query name: source.id required: false type: string - in: query name: source.name required: false type: string - in: query name: ruleset_rule_default required: false type: boolean - in: query name: ruleset_rule.enabled required: false type: boolean - in: query name: ruleset_rule.block_on_agent required: false type: boolean - in: query name: ruleset_rule.quarantine_on_agent required: false type: boolean - enum: - alert - backend_alert - block - disabled - quarantine in: query name: global_state required: false type: string - enum: - alert - backend_alert - block - disabled - quarantine in: query name: effective_state required: false type: string - enum: - alert - backend_alert - block - default - disabled - quarantine in: query name: state required: false type: string - in: query name: origin_stack.id required: false type: string - in: query name: tenant required: false type: string - enum: - domain_name - filename - filepath - hash - ip_both - ip_dst - ip_src - url in: query 
name: type required: false type: string - in: query name: value required: false type: string - in: query name: comment required: false type: string - in: query name: info required: false type: string - in: query name: category required: false type: string - in: query name: description required: false type: string - in: query name: references required: false type: string - enum: - moderate - strong - weak in: query name: rule_confidence required: false type: string responses: "200": description: "" schema: $ref: '#/definitions/_IOCPagination' tags: - threat Intelligence parameters: [] post: description: Create an IOC in a source (HTTP 200), or import a CSV file into a source (HTTP 201). operationId: data_threat_intelligence_IOCRule_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/_CreateIOCRule' responses: "200": description: "" schema: $ref: '#/definitions/IOCRule' "201": description: "" schema: $ref: '#/definitions/IOCImportResponse' "400": description: "" schema: $ref: '#/definitions/IOCImportResponse' tags: - threat Intelligence /data/threat_intelligence/IOCRule/blacklist_process/: parameters: [] post: description: |- Same as the default create method, but `source_id` does not need to be specified. The IOCIndicator is automatically added to an IOCSource called "process blacklist". If this source does not exist, it is created. operationId: data_threat_intelligence_IOCRule_blacklist_process parameters: - in: body name: data required: true schema: $ref: '#/definitions/IOCRule' responses: "201": description: "" schema: $ref: '#/definitions/IOCImportResponse' tags: - threat Intelligence /data/threat_intelligence/IOCRule/export/: get: description: Endpoint for exporting the current queryset as a CSV file. operationId: data_threat_intelligence_IOCRule_export parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: source_id required: false type: string - description: "" in: query name: name required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - threat Intelligence parameters: [] /data/threat_intelligence/IOCRule/list_ruleset/{ruleset_id}/: get: description: List IOCs with ruleset rule data. operationId: data_threat_intelligence_IOCRule_list_ruleset parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: source_id required: false type: string - description: "" in: query name: name required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query name: last_update required: false type: string - in: query name: creation_date required: false type: string - in: query name: last_modifier.id required: false type: number - in: query name: last_modifier.username required: false type: string - in: query name: id required: false type: string - in: query name: enabled required: false type: boolean - in: query name: block_on_agent required: false type: boolean - in: query name: quarantine_on_agent required: false type: boolean - in: query name: endpoint_detection required: false type: boolean - in: query name: hl_status required: false type: string - in: query name: rule_level required: false type: string - in: query name: rule_level_override required: false type: string - in: query name: rule_level_overridden required: false type: boolean - in: query name: rule_effective_level required: false type: string - in: query name: rule_effective_confidence required: false type: string - in: query name: source.id required: false type: string - in: query name: source.name required: false type: string - in: query name: ruleset_rule_default required: false type: boolean - in: query name: ruleset_rule.enabled required: false type: boolean - in: query name: ruleset_rule.block_on_agent required: false type: boolean - in: query name: ruleset_rule.quarantine_on_agent required: false type: boolean - enum: - alert - backend_alert - block - disabled - quarantine in: query name: global_state required: false type: string - enum: - alert - backend_alert - block - disabled - quarantine in: query name: effective_state required: false type: string - enum: - alert - backend_alert - block - default - disabled - quarantine in: query name: state required: false type: string - in: query name: origin_stack.id required: false type: string - in: query name: tenant required: false type: string - enum: - domain_name - filename - filepath - hash - ip_both - ip_dst - ip_src - url in: query 
name: type required: false type: string - in: query name: value required: false type: string - in: query name: comment required: false type: string - in: query name: info required: false type: string - in: query name: category required: false type: string - in: query name: description required: false type: string - in: query name: references required: false type: string - enum: - moderate - strong - weak in: query name: rule_confidence required: false type: string responses: "200": description: "" schema: $ref: '#/definitions/_IOCRulesetPagination' tags: - threat Intelligence parameters: - in: path name: ruleset_id required: true type: string /data/threat_intelligence/IOCRule/update/: parameters: [] post: description: Update fields for multiple rules at once. operationId: data_threat_intelligence_IOCRule_update_bulk parameters: - in: body name: data required: true schema: $ref: '#/definitions/_RuleBulkUpdate' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "400": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - threat Intelligence /data/threat_intelligence/IOCRule/update_rules/{ruleset_id}/: parameters: - in: path name: ruleset_id required: true type: string patch: deprecated: true description: Deprecated call maintained for backward compatibility. 
operationId: data_threat_intelligence_IOCRule_update_rules parameters: - in: body name: data required: true schema: $ref: '#/definitions/RuleUpdateRuleset' responses: "200": description: "" schema: $ref: '#/definitions/_IOCRulesetResponse' tags: - threat Intelligence /data/threat_intelligence/IOCRule/update_ruleset/{ruleset_id}/: parameters: - in: path name: ruleset_id required: true type: string patch: description: "" operationId: data_threat_intelligence_IOCRule_update_ruleset parameters: - in: body name: data required: true schema: $ref: '#/definitions/RuleUpdateRuleset' responses: "200": description: "" schema: $ref: '#/definitions/_IOCRulesetResponse' tags: - threat Intelligence /data/threat_intelligence/IOCRule/{id}/: delete: description: "" operationId: data_threat_intelligence_IOCRule_delete parameters: [] responses: "204": description: "" tags: - threat Intelligence get: description: "" operationId: data_threat_intelligence_IOCRule_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/IOCRule' tags: - threat Intelligence parameters: - description: A unique value identifying this ioc rule. in: path name: id required: true type: string patch: description: "" operationId: data_threat_intelligence_IOCRule_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/IOCRule' responses: "200": description: "" schema: $ref: '#/definitions/IOCRule' tags: - threat Intelligence put: description: "" operationId: data_threat_intelligence_IOCRule_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/IOCRule' responses: "200": description: "" schema: $ref: '#/definitions/IOCRule' tags: - threat Intelligence /data/threat_intelligence/IOCSource/: get: description: "" operationId: data_threat_intelligence_IOCSource_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query name: last_update required: false type: string - in: query name: creation_date required: false type: string - in: query name: last_modifier.id required: false type: number - in: query name: last_modifier.username required: false type: string - in: query name: name required: false type: string - in: query name: description required: false type: string - in: query name: enabled required: false type: boolean - in: query name: block_on_agent required: false type: boolean - in: query name: quarantine_on_agent required: false type: boolean - in: query name: endpoint_detection required: false type: boolean - enum: - alert - backend_alert - block - disabled - quarantine in: query name: global_state required: false type: string - enum: - alert - backend_alert - block - default - disabled - quarantine in: query name: state required: false type: string - enum: - alert - backend_alert - block - disabled - quarantine in: query name: effective_state required: false type: string - enum: - alert - backend_alert - block - default - disabled - quarantine in: query name: new_rule_state required: false type: string - in: query name: alert_rule_count required: false type: number - in: query name: block_rule_count required: false type: number - in: query name: quarantine_rule_count required: false type: number - in: query name: disabled_rule_count required: false type: number - in: query name: default_rule_count required: false type: number - in: query name: rule_level_default required: false type: string - in: query name: origin_stack.id required: false type: string - in: query name: tenant required: false type: string - in: query name: rule_count required: false type: number - in: query name: 
rule_stable_count required: false type: number - in: query name: rule_testing_count required: false type: number - in: query name: rule_experimental_count required: false type: number - enum: - moderate - strong - weak in: query name: rule_confidence_default required: false type: string responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/IOCSource' type: array required: - count - results type: object tags: - threat Intelligence parameters: [] post: description: "" operationId: data_threat_intelligence_IOCSource_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/IOCSource' responses: "201": description: "" schema: $ref: '#/definitions/IOCSource' tags: - threat Intelligence /data/threat_intelligence/IOCSource/export/: get: description: Endpoint for exporting the current queryset as a CSV file. operationId: data_threat_intelligence_IOCSource_export parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - threat Intelligence parameters: [] /data/threat_intelligence/IOCSource/list_ruleset/{ruleset_id}/: get: description: "" operationId: data_threat_intelligence_IOCSource_list_ruleset parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query name: last_update required: false type: string - in: query name: creation_date required: false type: string - in: query name: last_modifier.id required: false type: number - in: query name: last_modifier.username required: false type: string - in: query name: name required: false type: string - in: query name: description required: false type: string - in: query name: enabled required: false type: boolean - in: query name: block_on_agent required: false type: boolean - in: query name: quarantine_on_agent required: false type: boolean - in: query name: endpoint_detection required: false type: boolean - enum: - alert - backend_alert - block - disabled - quarantine in: query name: global_state required: false type: string - enum: - alert - backend_alert - block - default - disabled - quarantine in: query name: state required: false type: string - enum: - alert - backend_alert - block - disabled - quarantine in: query name: effective_state required: false type: string - enum: - alert 
- backend_alert - block - default - disabled - quarantine in: query name: new_rule_state required: false type: string - in: query name: alert_rule_count required: false type: number - in: query name: block_rule_count required: false type: number - in: query name: quarantine_rule_count required: false type: number - in: query name: disabled_rule_count required: false type: number - in: query name: default_rule_count required: false type: number - in: query name: rule_level_default required: false type: string - in: query name: origin_stack.id required: false type: string - in: query name: tenant required: false type: string - in: query name: rule_count required: false type: number - in: query name: rule_stable_count required: false type: number - in: query name: rule_testing_count required: false type: number - in: query name: rule_experimental_count required: false type: number - enum: - moderate - strong - weak in: query name: rule_confidence_default required: false type: string responses: "200": description: "" schema: $ref: '#/definitions/_IOCSourceRulesetPagination' tags: - threat Intelligence parameters: - in: path name: ruleset_id required: true type: string /data/threat_intelligence/IOCSource/{id}/: delete: description: "" operationId: data_threat_intelligence_IOCSource_delete parameters: [] responses: "204": description: "" tags: - threat Intelligence get: description: "" operationId: data_threat_intelligence_IOCSource_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/IOCSource' tags: - threat Intelligence parameters: - description: A unique value identifying this ioc source. 
in: path name: id required: true type: string patch: description: "" operationId: data_threat_intelligence_IOCSource_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/IOCSource' responses: "200": description: "" schema: $ref: '#/definitions/IOCSource' tags: - threat Intelligence put: description: "" operationId: data_threat_intelligence_IOCSource_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/IOCSource' responses: "200": description: "" schema: $ref: '#/definitions/IOCSource' tags: - threat Intelligence /data/threat_intelligence/IOCSource/{id}/items/: delete: description: "" operationId: data_threat_intelligence_IOCSource_items parameters: - in: body name: data required: true schema: $ref: '#/definitions/DeleteSourceItemsBody' responses: "200": description: "" schema: $ref: '#/definitions/DeleteSourceItemsBody' tags: - threat Intelligence parameters: - description: A unique value identifying this ioc source. in: path name: id required: true type: string /data/threat_intelligence/IOCSource/{id}/rules/: get: deprecated: true description: This endpoint is deprecated. Use `data/threat_intelligence/IOCRule/?source_id=` instead. operationId: data_threat_intelligence_IOCSource_rules parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/IOCSource' tags: - threat Intelligence parameters: - description: A unique value identifying this ioc source. in: path name: id required: true type: string /data/threat_intelligence/Ruleset/: get: description: "" operationId: data_threat_intelligence_Ruleset_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: engine required: false type: string - description: "" in: query name: creation_date required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/Ruleset' type: array required: - count - results type: object tags: - threat Intelligence parameters: [] post: description: "" operationId: data_threat_intelligence_Ruleset_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/Ruleset' responses: "201": description: "" schema: $ref: '#/definitions/Ruleset' tags: - threat Intelligence /data/threat_intelligence/Ruleset/all/: get: description: Endpoint to list all rulesets without pagination. operationId: data_threat_intelligence_Ruleset_all parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: engine required: false type: string - description: "" in: query name: creation_date required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: $ref: '#/definitions/_RulesetAll' tags: - threat Intelligence parameters: [] /data/threat_intelligence/Ruleset/{id}/: delete: description: "" operationId: data_threat_intelligence_Ruleset_delete parameters: [] responses: "204": description: "" tags: - threat Intelligence get: description: "" operationId: data_threat_intelligence_Ruleset_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Ruleset' tags: - threat Intelligence parameters: - description: A UUID string identifying this ruleset. format: uuid in: path name: id required: true type: string patch: description: "" operationId: data_threat_intelligence_Ruleset_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/RulesetUpdate' responses: "200": description: "" schema: $ref: '#/definitions/RulesetUpdate' tags: - threat Intelligence put: description: "" operationId: data_threat_intelligence_Ruleset_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/RulesetUpdate' responses: "200": description: "" schema: $ref: '#/definitions/RulesetUpdate' tags: - threat Intelligence /data/threat_intelligence/Ruleset/{id}/duplicate/: parameters: - description: A UUID string identifying this ruleset. format: uuid in: path name: id required: true type: string post: description: "" operationId: data_threat_intelligence_Ruleset_duplicate parameters: - in: body name: data required: true schema: $ref: '#/definitions/DuplicateRuleset' responses: "200": description: "" schema: $ref: '#/definitions/Ruleset' tags: - threat Intelligence /data/threat_intelligence/Ruleset/{id}/update_all/: parameters: - description: A UUID string identifying this ruleset. 
format: uuid in: path name: id required: true type: string post: description: "" operationId: data_threat_intelligence_Ruleset_update_all parameters: - in: body name: data required: true schema: $ref: '#/definitions/UpdateAllRuleset' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - threat Intelligence /data/threat_intelligence/Ruleset/{id}/update_policies/: parameters: - description: A UUID string identifying this ruleset. format: uuid in: path name: id required: true type: string patch: description: "" operationId: data_threat_intelligence_Ruleset_update_policies parameters: - in: body name: data required: true schema: $ref: '#/definitions/UpdatePolicy' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - threat Intelligence /data/threat_intelligence/Ruleset/{id}/update_source/{source_id}/: parameters: - description: A UUID string identifying this ruleset. format: uuid in: path name: id required: true type: string - in: path name: source_id required: true type: string patch: description: "" operationId: data_threat_intelligence_Ruleset_update_source parameters: - in: body name: data required: true schema: $ref: '#/definitions/UpdateRulesetSource' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - threat Intelligence /data/threat_intelligence/SigmaRule/: get: description: "" operationId: data_threat_intelligence_SigmaRule_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: source_id required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query name: last_update required: false type: string - in: query name: creation_date required: false type: string - in: query name: last_modifier.id required: false type: number - in: query name: last_modifier.username required: false type: string - in: query name: id required: false type: string - in: query name: enabled required: false type: boolean - in: query name: block_on_agent required: false type: boolean - in: query name: quarantine_on_agent required: false type: boolean - in: query name: endpoint_detection required: false type: boolean - in: query name: hl_status required: false type: string - in: query name: rule_level required: false type: string - in: query name: rule_level_override required: false type: string - in: query name: rule_level_overridden required: false type: boolean - in: query name: rule_effective_level required: false type: string - in: query name: rule_effective_confidence required: false type: string - in: query name: source.id required: false type: string - in: query name: source.name required: false type: string - in: query name: ruleset_rule_default required: false type: boolean - in: query name: ruleset_rule.enabled required: false type: boolean - in: query name: ruleset_rule.block_on_agent required: false type: boolean - in: query name: ruleset_rule.quarantine_on_agent required: false type: boolean - enum: - alert - backend_alert - block - disabled - quarantine in: query name: global_state required: false type: string - enum: - alert - backend_alert - block - disabled - quarantine in: query name: effective_state required: false type: string - enum: - alert - backend_alert - block - default - disabled - quarantine in: query name: state required: false type: string - in: query name: origin_stack.id required: false type: string - in: query name: tenant required: false type: string - in: query name: name required: false type: string - in: query name: content required: false 
type: string - in: query name: whitelist_count required: false type: number - in: query name: rule_name required: false type: string - in: query name: rule_description required: false type: string - enum: - linux - macos - unknown - windows in: query name: rule_os required: false type: string - enum: - deprecated - experimental - stable - test - unsupported in: query name: rule_status required: false type: string - in: query name: rule_tactic_tags required: false type: string - in: query name: rule_technique_tags required: false type: string - enum: - moderate - strong - weak in: query name: rule_confidence required: false type: string - in: query name: errors required: false type: string - in: query name: warnings required: false type: string responses: "200": description: "" schema: $ref: '#/definitions/_SigmaPagination' tags: - threat Intelligence parameters: [] post: description: "" operationId: data_threat_intelligence_SigmaRule_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/_CreateSigmaRule' responses: "201": description: "" schema: $ref: '#/definitions/CreateRuleResponse' tags: - threat Intelligence /data/threat_intelligence/SigmaRule/export/: get: description: Endpoint for exporting the current queryset as a CSV file. operationId: data_threat_intelligence_SigmaRule_export parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: source_id required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - threat Intelligence parameters: [] /data/threat_intelligence/SigmaRule/list_ruleset/{ruleset_id}/: get: description: List rules with ruleset rule data. operationId: data_threat_intelligence_SigmaRule_list_ruleset parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: source_id required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query name: last_update required: false type: string - in: query name: creation_date required: false type: string - in: query name: last_modifier.id required: false type: number - in: query name: last_modifier.username required: false type: string - in: query name: id required: false type: string - in: query name: enabled required: false type: boolean - in: query name: block_on_agent required: false type: boolean - in: query name: quarantine_on_agent required: false type: boolean - in: query name: endpoint_detection required: false type: boolean - in: query name: hl_status required: false type: string - in: query name: rule_level required: false type: string - in: query name: rule_level_override required: false type: string - in: query name: rule_level_overridden required: false type: boolean - in: query name: rule_effective_level required: false type: string - in: query name: rule_effective_confidence required: false type: string - in: query name: source.id required: false type: string - in: query name: source.name required: false type: string - in: query name: ruleset_rule_default required: false type: boolean - in: query name: ruleset_rule.enabled required: false type: boolean - in: query name: ruleset_rule.block_on_agent required: false type: boolean - in: query name: ruleset_rule.quarantine_on_agent required: false type: boolean - enum: - alert - backend_alert - block - disabled - quarantine in: query name: global_state required: false type: string - enum: - alert - backend_alert - block - disabled - quarantine in: query name: effective_state required: false type: string - enum: - alert - backend_alert - block - default - disabled - quarantine in: query name: state required: false type: string - in: query name: origin_stack.id required: false type: string - in: query name: tenant required: false type: string - in: query name: name required: false type: string - in: query name: content required: false 
type: string - in: query name: whitelist_count required: false type: number - in: query name: rule_name required: false type: string - in: query name: rule_description required: false type: string - enum: - linux - macos - unknown - windows in: query name: rule_os required: false type: string - enum: - deprecated - experimental - stable - test - unsupported in: query name: rule_status required: false type: string - in: query name: rule_tactic_tags required: false type: string - in: query name: rule_technique_tags required: false type: string - enum: - moderate - strong - weak in: query name: rule_confidence required: false type: string - in: query name: errors required: false type: string - in: query name: warnings required: false type: string responses: "200": description: "" schema: $ref: '#/definitions/_SigmaRulesetPagination' tags: - threat Intelligence parameters: - in: path name: ruleset_id required: true type: string /data/threat_intelligence/SigmaRule/update/: parameters: [] post: description: Update fields for multiple rules at once operationId: data_threat_intelligence_SigmaRule_update_bulk parameters: - in: body name: data required: true schema: $ref: '#/definitions/_RuleBulkUpdate' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "400": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - threat Intelligence /data/threat_intelligence/SigmaRule/update_rules/{ruleset_id}/: parameters: - in: path name: ruleset_id required: true type: string patch: deprecated: true description: Deprecated call maintained for backward compatibility.
operationId: data_threat_intelligence_SigmaRule_update_rules parameters: - in: body name: data required: true schema: $ref: '#/definitions/RuleUpdateRuleset' responses: "200": description: "" schema: $ref: '#/definitions/_SigmaRulesetResponse' tags: - threat Intelligence /data/threat_intelligence/SigmaRule/update_ruleset/{ruleset_id}/: parameters: - in: path name: ruleset_id required: true type: string patch: description: "" operationId: data_threat_intelligence_SigmaRule_update_ruleset parameters: - in: body name: data required: true schema: $ref: '#/definitions/RuleUpdateRuleset' responses: "200": description: "" schema: $ref: '#/definitions/_SigmaRulesetResponse' tags: - threat Intelligence /data/threat_intelligence/SigmaRule/{id}/: delete: description: "" operationId: data_threat_intelligence_SigmaRule_delete parameters: [] responses: "204": description: "" "400": description: Error, cannot delete a sigma rule used by one or more correlation rules examples: application/json: code: linked_sigma_rule details: You cannot delete a sigma rule used by one or more correlation rules linked_correlation: - correlation_rule_id: 586588f0-ff80-469c-9c0c-493fb42d72f9 correlation_rule_name: double ls correlation_source_id: 35d913b3-f575-4d23-93f7-b2e78c0bfbea correlation_source_name: correlation source B - correlation_rule_id: ae673282-9d52-4b07-920d-e3cbd2958c37 correlation_rule_name: notepad loads kernel32 and user32 correlation_source_id: 35d913b3-f575-4d23-93f7-b2e78c0bfbea correlation_source_name: correlation source B sigma_rule: sigma_rule_id: 35a896d1-0cb8-4b20-9dba-2c55a8f440a5 sigma_rule_name: powersploit sigma_source_id: ebae6f85-e097-4987-8524-4398240e7d9a sigma_source_name: sigma source A schema: $ref: '#/definitions/SigmaRuleLinkedToCorrelationRuleResponse' tags: - threat Intelligence get: description: "" operationId: data_threat_intelligence_SigmaRule_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/SigmaRule' tags: - threat 
Intelligence parameters: - description: A unique value identifying this sigma rule. in: path name: id required: true type: string patch: description: "" operationId: data_threat_intelligence_SigmaRule_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/SigmaRule' responses: "200": description: "" schema: $ref: '#/definitions/SigmaRule' tags: - threat Intelligence put: description: "" operationId: data_threat_intelligence_SigmaRule_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/SigmaRule' responses: "200": description: "" schema: $ref: '#/definitions/SigmaRule' tags: - threat Intelligence /data/threat_intelligence/SigmaSource/: get: description: "" operationId: data_threat_intelligence_SigmaSource_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query name: last_update required: false type: string - in: query name: creation_date required: false type: string - in: query name: last_modifier.id required: false type: number - in: query name: last_modifier.username required: false type: string - in: query name: name required: false type: string - in: query name: description required: false type: string - in: query name: enabled required: false type: boolean - in: query name: block_on_agent required: false type: boolean - in: query name: quarantine_on_agent required: false type: boolean - in: query name: endpoint_detection required: false type: boolean - enum: - alert - backend_alert - block - disabled - quarantine in: query name: global_state required: false type: string - enum: - alert - backend_alert - block - default - disabled - quarantine in: query name: state required: false type: string - enum: - alert - backend_alert - block - disabled - quarantine in: query name: effective_state required: false type: string - enum: - alert - backend_alert - block - default - disabled - quarantine in: query name: new_rule_state required: false type: string - in: query name: alert_rule_count required: false type: number - in: query name: block_rule_count required: false type: number - in: query name: quarantine_rule_count required: false type: number - in: query name: disabled_rule_count required: false type: number - in: query name: default_rule_count required: false type: number - in: query name: rule_level_default required: false type: string - in: query name: origin_stack.id required: false type: string - in: query name: tenant required: false type: string - in: query name: rule_count required: false type: number - in: query name: rule_stable_count required: false type: number - in: query name: rule_testing_count required: false type: number - in: query name: rule_experimental_count required: false type: number - enum: - moderate - strong - weak in: query 
name: rule_confidence_default required: false type: string responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/SigmaSource' type: array required: - count - results type: object tags: - threat Intelligence parameters: [] post: description: "" operationId: data_threat_intelligence_SigmaSource_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/SigmaSource' responses: "201": description: "" schema: $ref: '#/definitions/SigmaSource' tags: - threat Intelligence /data/threat_intelligence/SigmaSource/export/: get: description: Endpoint for exporting the current queryset as a CSV file. operationId: data_threat_intelligence_SigmaSource_export parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - threat Intelligence parameters: [] /data/threat_intelligence/SigmaSource/list_ruleset/{ruleset_id}/: get: description: "" operationId: data_threat_intelligence_SigmaSource_list_ruleset parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query name: last_update required: false type: string - in: query name: creation_date required: false type: string - in: query name: last_modifier.id required: false type: number - in: query name: last_modifier.username required: false type: string - in: query name: name required: false type: string - in: query name: description required: false type: string - in: query name: enabled required: false type: boolean - in: query name: block_on_agent required: false type: boolean - in: query name: quarantine_on_agent required: false type: boolean - in: query name: endpoint_detection required: false type: boolean - enum: - alert - backend_alert - block - disabled - quarantine in: query name: global_state required: false type: string - enum: - alert - backend_alert - block - default - disabled - quarantine in: query name: state required: false type: string - enum: - alert - backend_alert - block - disabled - quarantine in: query name: effective_state required: false type: string - enum: - alert - backend_alert - block - default - disabled - quarantine in: query name: new_rule_state required: false type: string - in: query name: alert_rule_count required: false type: number - in: query name: block_rule_count required: false type: number - in: query name: quarantine_rule_count required: false type: number - in: query name: disabled_rule_count required: false type: number - in: query name: default_rule_count required: false type: number - in: query name: rule_level_default required: false type: string - in: query name: origin_stack.id required: false type: string - in: query name: tenant required: false type: string - in: query name: rule_count required: false type: number - in: query name: 
rule_stable_count required: false type: number - in: query name: rule_testing_count required: false type: number - in: query name: rule_experimental_count required: false type: number - enum: - moderate - strong - weak in: query name: rule_confidence_default required: false type: string responses: "200": description: "" schema: $ref: '#/definitions/_SigmaSourceRulesetPagination' tags: - threat Intelligence parameters: - in: path name: ruleset_id required: true type: string /data/threat_intelligence/SigmaSource/{id}/: delete: description: |- If the rule source contains at least one rule that is a dependency of at least one Correlation rule, we block the deletion. operationId: data_threat_intelligence_SigmaSource_delete parameters: [] responses: "204": description: "" "400": description: Error, cannot delete a sigma source that contains sigma rules used by one or more correlation rules examples: application/json: code: linked_sigma_rule details: You cannot delete a sigma rule used by one or more correlation rules linked_correlation: - correlation_rule_id: 586588f0-ff80-469c-9c0c-493fb42d72f9 correlation_rule_name: double ls correlation_source_id: 35d913b3-f575-4d23-93f7-b2e78c0bfbea correlation_source_name: correlation source B - correlation_rule_id: ae673282-9d52-4b07-920d-e3cbd2958c37 correlation_rule_name: notepad loads kernel32 and user32 correlation_source_id: 35d913b3-f575-4d23-93f7-b2e78c0bfbea correlation_source_name: correlation source B sigma_rule: sigma_rule_id: 35a896d1-0cb8-4b20-9dba-2c55a8f440a5 sigma_rule_name: powersploit sigma_source_id: ebae6f85-e097-4987-8524-4398240e7d9a sigma_source_name: sigma source A schema: $ref: '#/definitions/SigmaRuleLinkedToCorrelationRuleResponse' summary: Delete the rule source.
tags: - threat Intelligence get: description: "" operationId: data_threat_intelligence_SigmaSource_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/SigmaSource' tags: - threat Intelligence parameters: - description: A unique value identifying this sigma source. in: path name: id required: true type: string patch: description: "" operationId: data_threat_intelligence_SigmaSource_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/SigmaSource' responses: "200": description: "" schema: $ref: '#/definitions/SigmaSource' tags: - threat Intelligence put: description: "" operationId: data_threat_intelligence_SigmaSource_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/SigmaSource' responses: "200": description: "" schema: $ref: '#/definitions/SigmaSource' tags: - threat Intelligence /data/threat_intelligence/SigmaSource/{id}/items/: delete: description: |- If at least one of the rules to delete is a dependency of at least one Correlation rule, we block the deletion (full success or fail). 
operationId: data_threat_intelligence_SigmaSource_items parameters: - in: body name: data required: true schema: $ref: '#/definitions/DeleteSourceItemsBody' responses: "200": description: "" schema: $ref: '#/definitions/DeleteSourceItemsBody' "400": description: Error, cannot delete a sigma rule used by one or more correlation rules examples: application/json: code: linked_sigma_rule details: You cannot delete a sigma rule used by one or more correlation rules linked_correlation: - correlation_rule_id: 586588f0-ff80-469c-9c0c-493fb42d72f9 correlation_rule_name: double ls correlation_source_id: 35d913b3-f575-4d23-93f7-b2e78c0bfbea correlation_source_name: correlation source B - correlation_rule_id: ae673282-9d52-4b07-920d-e3cbd2958c37 correlation_rule_name: notepad loads kernel32 and user32 correlation_source_id: 35d913b3-f575-4d23-93f7-b2e78c0bfbea correlation_source_name: correlation source B sigma_rule: sigma_rule_id: 35a896d1-0cb8-4b20-9dba-2c55a8f440a5 sigma_rule_name: powersploit sigma_source_id: ebae6f85-e097-4987-8524-4398240e7d9a sigma_source_name: sigma source A schema: $ref: '#/definitions/SigmaRuleLinkedToCorrelationRuleResponse' summary: Delete one or more rules from the rule source. tags: - threat Intelligence parameters: - description: A unique value identifying this sigma source. in: path name: id required: true type: string /data/threat_intelligence/TelemetryFilter/: get: deprecated: true description: "" operationId: data_threat_intelligence_TelemetryFilter_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: last_update required: false type: string - description: "" in: query name: creation_date required: false type: string - description: "" in: query name: last_retroactivity required: false type: string - description: "" in: query name: last_modifier required: false type: string - description: "" in: query name: target required: false type: string - description: "" in: query name: sigma_rule required: false type: string - description: "" in: query name: correlation_rule required: false type: string - description: "" in: query name: comment required: false type: string - description: "" in: query name: sigma_rule_id required: false type: string - description: "" in: query name: correlation_rule_id required: false type: string - description: "" in: query name: provided_by_hlab required: false type: string - description: "" in: query name: last_disabled_by required: false type: string - description: "" in: query name: enabled required: false type: string - description: "" in: query name: usage_count_last_7_days required: false type: number - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" tags: - threat Intelligence parameters: [] post: deprecated: true description: "" operationId: data_threat_intelligence_TelemetryFilter_create parameters: [] responses: "201": description: "" tags: - threat Intelligence /data/threat_intelligence/Vulnerability/active_cve/: get: description: |- * Details of the CVE itself * The affected endpoint * List of the vulnerable installations for this endpoint operationId: data_threat_intelligence_Vulnerability_active_cve_list parameters: - description: A search term. 
in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: cve__id required: false type: string - description: "" in: query name: cve__hidden required: false type: string - description: "" in: query name: cve__source_identifier required: false type: string - description: "" in: query name: cve__published required: false type: string - description: "" in: query name: cve__last_modified required: false type: string - description: "" in: query name: cve__cvss_metric_version required: false type: string - description: "" in: query name: cve__cvss_metric_vector_string required: false type: string - description: "" in: query name: cve__cvss_metric_base_score required: false type: number - description: "" in: query name: cve__cvss_metric_exploitability_score required: false type: number - description: "" in: query name: cve__cvss_metric_impact_score required: false type: number - description: "" in: query name: cve__cvss_metric_severity required: false type: string - description: "" in: query name: agent__id required: false type: string - description: "" in: query name: agent__hostname required: false type: string - description: "" in: query name: agent__osproducttype required: false type: string - description: "" in: query name: agent__ostype required: false type: string - description: "" in: query name: agent__osversion required: false type: string - description: "" in: query name: agent__domainname required: false type: string - description: "" in: query name: agent__groups__id required: false type: string - description: "" in: query name: vulnerable_installations__application__name required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: $ref: '#/definitions/ActiveCveListing' "403": description: Feature not enabled on this stack examples: application/json: error: Feature not enabled on this stack schema: properties: error: type: string required: - error type: object summary: Get details about all CVEs that are present on at least one endpoint. tags: - threat Intelligence parameters: [] /data/threat_intelligence/Vulnerability/active_cve/distribution/: get: description: "" operationId: data_threat_intelligence_Vulnerability_active_cve_distribution parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: cve__id required: false type: string - description: "" in: query name: cve__hidden required: false type: string - description: "" in: query name: cve__source_identifier required: false type: string - description: "" in: query name: cve__published required: false type: string - description: "" in: query name: cve__last_modified required: false type: string - description: "" in: query name: cve__cvss_metric_version required: false type: string - description: "" in: query name: cve__cvss_metric_vector_string required: false type: string - description: "" in: query name: cve__cvss_metric_base_score required: false type: number - description: "" in: query name: cve__cvss_metric_exploitability_score required: false type: number - description: "" in: query name: cve__cvss_metric_impact_score required: false type: number - description: "" in: query name: cve__cvss_metric_severity required: false type: string - description: "" in: query name: agent__id required: false type: string - description: "" in: query name: agent__hostname required: false type: string - description: "" in: query name: agent__osproducttype required: false type: 
string - description: "" in: query name: agent__ostype required: false type: string - description: "" in: query name: agent__osversion required: false type: string - description: "" in: query name: agent__domainname required: false type: string - description: "" in: query name: agent__groups__id required: false type: string - description: "" in: query name: vulnerable_installations__application__name required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - format: uuid in: query name: agent_id required: false type: string - in: query name: include_hidden_cves required: false type: boolean responses: "200": description: "" schema: $ref: '#/definitions/VulnerabilityKpisDistribution' "403": description: Feature not enabled on this stack examples: application/json: error: Feature not enabled on this stack schema: properties: error: type: string required: - error type: object tags: - threat Intelligence parameters: [] /data/threat_intelligence/Vulnerability/active_cve/export/: get: description: "" operationId: data_threat_intelligence_Vulnerability_active_cve_export parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: cve__id required: false type: string - description: "" in: query name: cve__hidden required: false type: string - description: "" in: query name: cve__source_identifier required: false type: string - description: "" in: query name: cve__published required: false type: string - description: "" in: query name: cve__last_modified required: false type: string - description: "" in: query name: cve__cvss_metric_version required: false type: string - description: "" in: query name: cve__cvss_metric_vector_string required: false type: string - description: "" in: query name: cve__cvss_metric_base_score required: false type: number - description: "" in: query name: cve__cvss_metric_exploitability_score required: false type: number - description: "" in: query name: cve__cvss_metric_impact_score required: false type: number - description: "" in: query name: cve__cvss_metric_severity required: false type: string - description: "" in: query name: agent__id required: false type: string - description: "" in: query name: agent__hostname required: false type: string - description: "" in: query name: agent__osproducttype required: false type: string - description: "" in: query name: agent__ostype required: false type: string - description: "" in: query name: agent__osversion required: false type: string - description: "" in: query name: agent__domainname required: false type: string - description: "" in: query name: agent__groups__id required: false type: string - description: "" in: query name: vulnerable_installations__application__name required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file "403": description: Feature not enabled on this stack examples: application/json: error: Feature not enabled on this stack schema: properties: error: type: string required: - error type: object tags: - threat Intelligence parameters: [] /data/threat_intelligence/Vulnerability/affected_agents/: get: description: Get the list of agents affected by a specific CVE operationId: data_threat_intelligence_Vulnerability_affected_agents parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: domainname required: false type: string - description: "" in: query name: dnsdomainname required: false type: string - description: "" in: query name: hostname required: false type: string - description: "" in: query name: osmajor required: false type: number - description: "" in: query name: osminor required: false type: number - description: "" in: query name: osproducttype required: false type: string - description: "" in: query name: firstseen required: false type: string - description: "" in: query name: lastseen required: false type: string - description: "" in: query name: version required: false type: string - description: "" in: query name: pinned_version required: false type: string - description: "" in: query name: rollback_version required: false type: string - description: "" in: query name: bitness required: false type: string - description: "" in: query name: domain 
required: false type: string - description: "" in: query name: installdate required: false type: string - description: "" in: query name: ipaddress required: false type: string - description: "" in: query name: external_ipaddress required: false type: string - description: "" in: query name: osbuild required: false type: number - description: "" in: query name: osid required: false type: string - description: "" in: query name: osrevision required: false type: number - description: "" in: query name: osversion required: false type: string - description: "" in: query name: producttype required: false type: string - description: "" in: query name: servicepack required: false type: string - description: "" in: query name: total_memory required: false type: number - description: "" in: query name: cpu_count required: false type: number - description: "" in: query name: cpu_frequency required: false type: number - description: "" in: query name: avg_cpu required: false type: number - description: "" in: query name: avg_memory required: false type: number - description: "" in: query name: avg_system_cpu required: false type: number - description: "" in: query name: avg_system_memory required: false type: number - description: "" in: query name: starttime required: false type: string - description: "" in: query name: machine_boottime required: false type: string - description: "" in: query name: machine_serial required: false type: string - description: "" in: query name: subnet__gateway_ipaddress required: false type: string - description: "" in: query name: subnet__gateway_macaddress required: false type: string - description: "" in: query name: subnet__name required: false type: string - description: "" in: query name: isolation_state required: false type: string - description: "" in: query name: antivirus_name required: false type: string - description: "" in: query name: antivirus_version required: false type: string - description: "" in: query name: 
antivirus_rules_version required: false type: string - description: "" in: query name: antivirus_last_update_date required: false type: string - description: "" in: query name: antivirus_rules_last_update_date required: false type: string - description: "" in: query name: additional_info required: false type: string - description: "" in: query name: additional_info__additional_info1 required: false type: string - description: "" in: query name: additional_info__additional_info2 required: false type: string - description: "" in: query name: additional_info__additional_info3 required: false type: string - description: "" in: query name: additional_info__additional_info4 required: false type: string - description: "" in: query name: description required: false type: string - description: "" in: query name: effective_antivirus_policy_id required: false type: string - description: "" in: query name: effective_antivirus_policy_revision required: false type: number - description: "" in: query name: boot_loop_protection_end_date required: false type: string - description: "" in: query name: boot_loop_protection_boot_count required: false type: number - description: "" in: query name: telemetry_last_update required: false type: string - description: "" in: query name: should_change_id required: false type: string - description: "" in: query name: protocol required: false type: number - description: "" in: query name: host required: false type: string - description: "" in: query name: port required: false type: number - description: "" in: query name: public_server_signature required: false type: string - description: "" in: query name: proxy_protocol required: false type: number - description: "" in: query name: proxy_host required: false type: string - description: "" in: query name: proxy_port required: false type: number - description: "" in: query name: vdi_salt required: false type: string - description: "" in: query name: update_method required: false type: number - 
description: "" in: query name: upgrade_status required: false type: string - description: "" in: query name: upgrade_failure_reason required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query minLength: 1 name: cve_id required: true type: string responses: "200": description: "" schema: $ref: '#/definitions/AgentsAffectedByVulnListing' "403": description: Feature not enabled on this stack examples: application/json: error: Feature not enabled on this stack schema: properties: error: type: string required: - error type: object tags: - threat Intelligence parameters: [] /data/threat_intelligence/Vulnerability/agent/: get: description: Get all active vulnerabilities for a given agent operationId: data_threat_intelligence_Vulnerability_agent parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: source_identifier required: false type: string - description: "" in: query name: published required: false type: string - description: "" in: query name: last_modified required: false type: string - description: "" in: query name: cvss_metric_vector_string required: false type: string - description: "" in: query name: cvss_metric_base_score required: false type: number - description: "" in: query name: cvss_metric_exploitability_score required: false type: number - description: "" in: query name: cvss_metric_impact_score required: false type: number - description: "" in: query name: cvss_metric_severity required: false type: string - description: Number of results to return per page. 
in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - format: uuid in: query name: agent_id required: true type: string responses: "200": description: "" schema: $ref: '#/definitions/AgentVulnerabilitiesListing' "403": description: Feature not enabled on this stack examples: application/json: error: Feature not enabled on this stack schema: properties: error: type: string required: - error type: object tags: - threat Intelligence parameters: [] /data/threat_intelligence/Vulnerability/byApplication/: get: description: "" operationId: data_threat_intelligence_Vulnerability_byApplication_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/VulnerableApplicationWithCountAggregation' type: array required: - count - results type: object "403": description: Feature not enabled on this stack examples: application/json: error: Feature not enabled on this stack schema: properties: error: type: string required: - error type: object tags: - threat Intelligence parameters: [] /data/threat_intelligence/Vulnerability/byApplication/export/: get: description: "" operationId: data_threat_intelligence_Vulnerability_byApplication_export parameters: - description: A search term. 
in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file "403": description: Feature not enabled on this stack examples: application/json: error: Feature not enabled on this stack schema: properties: error: type: string required: - error type: object tags: - threat Intelligence parameters: [] /data/threat_intelligence/Vulnerability/byCVE/: get: description: |- A read-only endpoint that returns a list of CVEs with the number of distinct endpoints that have the CVE, the highest score, the last report date, and the list of applications that have the CVE. The queryset is annotated with the following fields: - nb_endpoints: The number of distinct endpoints that have the CVE. - applications: The list of applications that have the CVE. operationId: data_threat_intelligence_Vulnerability_byCVE_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - description: Number of impacted endpoints in: query name: nb_endpoints type: integer - description: Number of impacted applications in: query items: string name: nb_applications type: array responses: "200": description: "" schema: $ref: '#/definitions/CveVulnerabilitiesAggregationListing' "403": description: Feature not enabled on this stack examples: application/json: error: Feature not enabled on this stack schema: properties: error: type: string required: - error type: object tags: - threat Intelligence parameters: [] /data/threat_intelligence/Vulnerability/byCVE/export/: get: description: |- A read-only endpoint that returns a list of CVEs with the number of distinct endpoints that have the CVE, the highest score, the last report date, and the list of applications that have the CVE. The queryset is annotated with the following fields: - nb_endpoints: The number of distinct endpoints that have the CVE. - applications: The list of applications that have the CVE. operationId: data_threat_intelligence_Vulnerability_byCVE_export parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file "403": description: Feature not enabled on this stack examples: application/json: error: Feature not enabled on this stack schema: properties: error: type: string required: - error type: object tags: - threat Intelligence parameters: [] /data/threat_intelligence/Vulnerability/byCVEForEndpoint/: get: description: For a given endpoint, returns basic information regarding its affected CVEs operationId: data_threat_intelligence_Vulnerability_byCVEForEndpoint_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - format: uuid in: query name: endpoint_id required: true type: string - in: query name: include_hidden_cves required: false type: boolean responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/CveVulnerabilitiesAggregationForEndpoint' type: array required: - count - results type: object "403": description: Feature not enabled on this stack examples: application/json: error: Feature not enabled on this stack schema: properties: error: type: string required: - error type: object tags: - threat Intelligence parameters: [] /data/threat_intelligence/Vulnerability/byCVEForEndpoint/export: get: description: For a given endpoint, returns basic information regarding its affected CVEs operationId: data_threat_intelligence_Vulnerability_byCVEForEndpoint_export parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file "403": description: Feature not enabled on this stack examples: application/json: error: Feature not enabled on this stack schema: properties: error: type: string required: - error type: object tags: - threat Intelligence parameters: [] /data/threat_intelligence/Vulnerability/byEndpoint/: get: description: "" operationId: data_threat_intelligence_Vulnerability_byEndpoint_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: hostname required: false type: string - description: "" in: query name: osproducttype required: false type: string - description: "" in: query name: ostype required: false type: string - description: "" in: query name: osversion required: false type: string - description: "" in: query name: lastseen required: false type: string - description: "" in: query name: version required: false type: string - description: "" in: query name: domainname required: false type: string - description: "" in: query name: groups required: false type: string - description: "" in: query name: latest_vulnscan_date required: false type: string - description: "" in: query name: vulnerabilityscanresult__cve__id required: false type: string - description: "" in: query name: vulnerabilityscanresult__vulnerable_installations__application__name required: false type: string - description: Number of results to return per page. 
in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query name: include_hidden_cves type: boolean responses: "200": description: "" schema: $ref: '#/definitions/AgentVulnerabilitiesAggregationListing' "403": description: Feature not enabled on this stack examples: application/json: error: Feature not enabled on this stack schema: properties: error: type: string required: - error type: object tags: - threat Intelligence parameters: [] /data/threat_intelligence/Vulnerability/byEndpoint/export/: get: description: "" operationId: data_threat_intelligence_Vulnerability_byEndpoint_export parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: hostname required: false type: string - description: "" in: query name: osproducttype required: false type: string - description: "" in: query name: ostype required: false type: string - description: "" in: query name: osversion required: false type: string - description: "" in: query name: lastseen required: false type: string - description: "" in: query name: version required: false type: string - description: "" in: query name: domainname required: false type: string - description: "" in: query name: groups required: false type: string - description: "" in: query name: latest_vulnscan_date required: false type: string - description: "" in: query name: vulnerabilityscanresult__cve__id required: false type: string - description: "" in: query name: vulnerabilityscanresult__vulnerable_installations__application__name required: false type: string - description: Number of results to return per page. 
in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file "403": description: Feature not enabled on this stack examples: application/json: error: Feature not enabled on this stack schema: properties: error: type: string required: - error type: object tags: - threat Intelligence parameters: [] /data/threat_intelligence/Vulnerability/cve/: get: description: |- * Details of the CVE itself * Score of the CVE * Affected applications (vendor and product part of a CPE string) operationId: data_threat_intelligence_Vulnerability_cve_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: cvss_metric_severity required: false type: string - description: "" in: query name: cvss_metric_base_score required: false type: number - description: "" in: query name: description required: false type: string - description: "" in: query name: last_modified required: false type: string - description: "" in: query name: published required: false type: string - description: "" in: query name: cpes__prefix required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/CveDetails' type: array required: - count - results type: object "403": description: Feature not enabled on this stack examples: application/json: error: Feature not enabled on this stack schema: properties: error: type: string required: - error type: object summary: Get details about all CVEs in the database. tags: - threat Intelligence parameters: [] /data/threat_intelligence/Vulnerability/cve/export/: get: description: "" operationId: data_threat_intelligence_Vulnerability_cve_export parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: cvss_metric_severity required: false type: string - description: "" in: query name: cvss_metric_base_score required: false type: number - description: "" in: query name: description required: false type: string - description: "" in: query name: last_modified required: false type: string - description: "" in: query name: published required: false type: string - description: "" in: query name: cpes__prefix required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file "403": description: Feature not enabled on this stack examples: application/json: error: Feature not enabled on this stack schema: properties: error: type: string required: - error type: object tags: - threat Intelligence parameters: [] /data/threat_intelligence/Vulnerability/cve/update_visibility/: parameters: [] post: description: "" operationId: data_threat_intelligence_Vulnerability_cve_update_visibility parameters: - in: body name: data required: true schema: $ref: '#/definitions/CveUpdateVisibility' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - threat Intelligence /data/threat_intelligence/Vulnerability/cve/{id}/: get: description: |- * Details of the CVE itself * Score of the CVE * Affected applications (vendor and product part of a CPE string) operationId: data_threat_intelligence_Vulnerability_cve_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/CveDetails' "403": description: Feature not enabled on this stack examples: application/json: error: Feature not enabled on this stack schema: properties: error: type: string required: - error type: object summary: Get details about a specific CVE. tags: - threat Intelligence parameters: - in: path name: id required: true type: string /data/threat_intelligence/Vulnerability/reports/: get: description: "" operationId: data_threat_intelligence_Vulnerability_reports_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: report_date required: false type: string - description: "" in: query name: status required: false type: string - description: "" in: query name: nb_cves required: false type: number - description: "" in: query name: nb_vulnerabilities required: false type: number - description: "" in: query name: nb_endpoints required: false type: number - description: "" in: query name: nb_cves_low_level required: false type: number - description: "" in: query name: nb_cves_medium_level required: false type: number - description: "" in: query name: nb_cves_high_level required: false type: number - description: "" in: query name: nb_cves_critical_level required: false type: number - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query name: nb_low_level required: false type: number - in: query name: nb_medium_level required: false type: number - in: query name: nb_high_level required: false type: number - in: query name: nb_critical_level required: false type: number responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/VulnerabilityReports' type: array required: - count - results type: object tags: - threat Intelligence parameters: [] /data/threat_intelligence/Vulnerability/reports/agent/: get: description: "" operationId: data_threat_intelligence_Vulnerability_reports_agent_list parameters: - description: A search term. 
in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: $ref: '#/definitions/AgentVulnerabilityPerReportListing' "403": description: Feature not enabled on this stack examples: application/json: error: Feature not enabled on this stack schema: properties: error: type: string required: - error type: object tags: - threat Intelligence parameters: [] /data/threat_intelligence/Vulnerability/reports/agent/export/: get: description: "" operationId: data_threat_intelligence_Vulnerability_reports_agent_export parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file "403": description: Feature not enabled on this stack examples: application/json: error: Feature not enabled on this stack schema: properties: error: type: string required: - error type: object tags: - threat Intelligence parameters: [] /data/threat_intelligence/Vulnerability/reports/agent/total_cve_count_graph/: get: description: Count CVEs by severity for each day between `from_date` and `to_date` operationId: data_threat_intelligence_Vulnerability_reports_agent_total_cve_count_graph parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - format: date in: query name: from_date required: true type: string - format: date in: query name: to_date required: true type: string - format: uuid in: query name: agent_id required: true type: string responses: "200": description: "" schema: items: $ref: '#/definitions/VulnerabilityReportCountOverTimeCveGraphResponse' type: array tags: - threat Intelligence parameters: [] /data/threat_intelligence/Vulnerability/reports/byApplication/: get: description: "" operationId: data_threat_intelligence_Vulnerability_reports_byApplication_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: $ref: '#/definitions/ApplicationVulnerabilitiesAggregationListing' "403": description: Feature not enabled on this stack examples: application/json: error: Feature not enabled on this stack schema: properties: error: type: string required: - error type: object tags: - threat Intelligence parameters: [] /data/threat_intelligence/Vulnerability/reports/byApplication/export/: get: description: "" operationId: data_threat_intelligence_Vulnerability_reports_byApplication_export parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file "403": description: Feature not enabled on this stack examples: application/json: error: Feature not enabled on this stack schema: properties: error: type: string required: - error type: object tags: - threat Intelligence parameters: [] /data/threat_intelligence/Vulnerability/reports/byCVE/: get: description: "" operationId: data_threat_intelligence_Vulnerability_reports_byCVE_list parameters: - description: A search term. 
in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: report__id required: false type: string - description: "" in: query name: report__nb_endpoints required: false type: number - description: "" in: query name: cve__cvss_metric_severity required: false type: string - description: "" in: query name: cve__cvss_metric_base_score required: false type: number - description: "" in: query name: cve__description required: false type: string - description: "" in: query name: cve__last_modified required: false type: string - description: "" in: query name: cve__published required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - description: Number of impacted endpoints in: query name: nb_endpoints type: integer responses: "200": description: "" schema: $ref: '#/definitions/CveVulnerabilitiesAggregationListing' "403": description: Feature not enabled on this stack examples: application/json: error: Feature not enabled on this stack schema: properties: error: type: string required: - error type: object tags: - threat Intelligence parameters: [] /data/threat_intelligence/Vulnerability/reports/byCVE/export/: get: description: "" operationId: data_threat_intelligence_Vulnerability_reports_byCVE_export parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: report__id required: false type: string - description: "" in: query name: report__nb_endpoints required: false type: number - description: "" in: query name: cve__cvss_metric_severity required: false type: string - description: "" in: query name: cve__cvss_metric_base_score required: false type: number - description: "" in: query name: cve__description required: false type: string - description: "" in: query name: cve__last_modified required: false type: string - description: "" in: query name: cve__published required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file "403": description: Feature not enabled on this stack examples: application/json: error: Feature not enabled on this stack schema: properties: error: type: string required: - error type: object tags: - threat Intelligence parameters: [] /data/threat_intelligence/Vulnerability/reports/byCVEForEndpoint/: get: description: For a given endpoint, returns basic information regarding its affected CVEs in the report operationId: data_threat_intelligence_Vulnerability_reports_byCVEForEndpoint_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: Number of results to return per page. 
in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - format: uuid in: query name: endpoint_id required: true type: string - format: uuid in: query name: report_id required: true type: string responses: "200": description: "" schema: $ref: '#/definitions/CveVulnerabilitiesAggregationListing' "403": description: Feature not enabled on this stack examples: application/json: error: Feature not enabled on this stack schema: properties: error: type: string required: - error type: object tags: - threat Intelligence parameters: [] /data/threat_intelligence/Vulnerability/reports/byCVEForEndpoint/export: get: description: For a given endpoint, returns basic information regarding its affected CVEs in the report operationId: data_threat_intelligence_Vulnerability_reports_byCVEForEndpoint_export parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file "403": description: Feature not enabled on this stack examples: application/json: error: Feature not enabled on this stack schema: properties: error: type: string required: - error type: object tags: - threat Intelligence parameters: [] /data/threat_intelligence/Vulnerability/reports/byEndpoint/: get: description: "" operationId: data_threat_intelligence_Vulnerability_reports_byEndpoint_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: $ref: '#/definitions/ReportAgentVulnerabilitiesAggregationListing' "403": description: Feature not enabled on this stack examples: application/json: error: Feature not enabled on this stack schema: properties: error: type: string required: - error type: object tags: - threat Intelligence parameters: [] /data/threat_intelligence/Vulnerability/reports/byEndpoint/export/: get: description: "" operationId: data_threat_intelligence_Vulnerability_reports_byEndpoint_export parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: Number of results to return per page. 
in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file "403": description: Feature not enabled on this stack examples: application/json: error: Feature not enabled on this stack schema: properties: error: type: string required: - error type: object tags: - threat Intelligence parameters: [] /data/threat_intelligence/Vulnerability/reports/cve/: get: description: "" operationId: data_threat_intelligence_Vulnerability_reports_cve_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: cve__id required: false type: string - description: "" in: query name: cve__hidden required: false type: string - description: "" in: query name: cve__source_identifier required: false type: string - description: "" in: query name: cve__published required: false type: string - description: "" in: query name: cve__last_modified required: false type: string - description: "" in: query name: cve__cvss_metric_version required: false type: string - description: "" in: query name: cve__cvss_metric_vector_string required: false type: string - description: "" in: query name: cve__cvss_metric_base_score required: false type: number - description: "" in: query name: cve__cvss_metric_exploitability_score required: false type: number - description: "" in: query name: cve__cvss_metric_impact_score required: false type: number - description: "" in: query name: cve__cvss_metric_severity required: false type: string - description: "" in: query name: agent__id required: false type: string - description: "" in: query name: agent__hostname required: false type: string - description: "" in: query name: agent__ostype required: false type: string - description: "" in: query name: agent__groups__id required: false type: string - description: "" in: query name: report__id required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: $ref: '#/definitions/VulnerabilityReportCvesListing' "403": description: Feature not enabled on this stack examples: application/json: error: Feature not enabled on this stack schema: properties: error: type: string required: - error type: object tags: - threat Intelligence parameters: [] /data/threat_intelligence/Vulnerability/reports/cve/distribution/: get: description: Get the distribution of the report's CVE aggregated by ranges of score operationId: data_threat_intelligence_Vulnerability_reports_cve_distribution parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: cve__id required: false type: string - description: "" in: query name: cve__hidden required: false type: string - description: "" in: query name: cve__source_identifier required: false type: string - description: "" in: query name: cve__published required: false type: string - description: "" in: query name: cve__last_modified required: false type: string - description: "" in: query name: cve__cvss_metric_version required: false type: string - description: "" in: query name: cve__cvss_metric_vector_string required: false type: string - description: "" in: query name: cve__cvss_metric_base_score required: false type: number - description: "" in: query name: cve__cvss_metric_exploitability_score required: false type: number - description: "" in: query name: cve__cvss_metric_impact_score required: false type: number - description: "" in: query name: cve__cvss_metric_severity required: false type: string - description: "" in: query name: agent__id required: false type: string - description: "" in: query name: agent__hostname required: false type: string - description: "" in: query name: agent__ostype required: false type: 
string - description: "" in: query name: agent__groups__id required: false type: string - description: "" in: query name: report__id required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - format: uuid in: query name: report_id required: false type: string - in: query name: include_hidden_cves required: false type: boolean responses: "200": description: "" schema: $ref: '#/definitions/VulnerabilityKpisDistribution' "403": description: Feature not enabled on this stack examples: application/json: error: Feature not enabled on this stack schema: properties: error: type: string required: - error type: object tags: - threat Intelligence parameters: [] /data/threat_intelligence/Vulnerability/reports/cve/export/: get: description: "" operationId: data_threat_intelligence_Vulnerability_reports_cve_export parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: cve__id required: false type: string - description: "" in: query name: cve__hidden required: false type: string - description: "" in: query name: cve__source_identifier required: false type: string - description: "" in: query name: cve__published required: false type: string - description: "" in: query name: cve__last_modified required: false type: string - description: "" in: query name: cve__cvss_metric_version required: false type: string - description: "" in: query name: cve__cvss_metric_vector_string required: false type: string - description: "" in: query name: cve__cvss_metric_base_score required: false type: number - description: "" in: query name: cve__cvss_metric_exploitability_score required: false type: number - description: "" in: query name: cve__cvss_metric_impact_score required: false type: number - description: "" in: query name: cve__cvss_metric_severity required: false type: string - description: "" in: query name: agent__id required: false type: string - description: "" in: query name: agent__hostname required: false type: string - description: "" in: query name: agent__ostype required: false type: string - description: "" in: query name: agent__groups__id required: false type: string - description: "" in: query name: report__id required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file "403": description: Feature not enabled on this stack examples: application/json: error: Feature not enabled on this stack schema: properties: error: type: string required: - error type: object tags: - threat Intelligence parameters: [] /data/threat_intelligence/Vulnerability/reports/export/: get: description: Endpoint for exporting the current queryset as a CSV file. operationId: data_threat_intelligence_Vulnerability_reports_export parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: name required: false type: string - description: "" in: query name: report_date required: false type: string - description: "" in: query name: status required: false type: string - description: "" in: query name: nb_cves required: false type: number - description: "" in: query name: nb_vulnerabilities required: false type: number - description: "" in: query name: nb_endpoints required: false type: number - description: "" in: query name: nb_cves_low_level required: false type: number - description: "" in: query name: nb_cves_medium_level required: false type: number - description: "" in: query name: nb_cves_high_level required: false type: number - description: "" in: query name: nb_cves_critical_level required: false type: number - description: Number of results to return per page. 
in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - threat Intelligence parameters: [] /data/threat_intelligence/Vulnerability/reports/total_agents_count_graph/: get: description: Count Agents affected by CVE for each day between `from_date` and `to_date` operationId: data_threat_intelligence_Vulnerability_reports_total_agents_count_graph parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - format: date in: query name: from_date required: true type: string - format: date in: query name: to_date required: true type: string - in: query minLength: 1 name: cve_id required: true type: string responses: "200": description: "" schema: items: $ref: '#/definitions/VulnerabilityReportCountOverTimeAgentsGraphResponse' type: array tags: - threat Intelligence parameters: [] /data/threat_intelligence/Vulnerability/reports/total_cve_count_graph/: get: description: Count CVE by severity for each day between `from_date` and `to_date` operationId: data_threat_intelligence_Vulnerability_reports_total_cve_count_graph parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - format: date in: query name: from_date required: true type: string - format: date in: query name: to_date required: true type: string responses: "200": description: "" schema: items: $ref: '#/definitions/VulnerabilityReportCountOverTimeCveGraphResponse' type: array tags: - threat Intelligence parameters: [] /data/threat_intelligence/Vulnerability/reports/{id}/: get: description: "" operationId: data_threat_intelligence_Vulnerability_reports_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/VulnerabilityReports' tags: - threat Intelligence parameters: - in: path name: id required: true type: string patch: description: "" operationId: data_threat_intelligence_Vulnerability_reports_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/UpdateVulnerabilityReport' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - threat Intelligence put: description: "" operationId: data_threat_intelligence_Vulnerability_reports_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/VulnerabilityReports' responses: "200": description: "" schema: $ref: '#/definitions/VulnerabilityReports' tags: - threat Intelligence /data/threat_intelligence/Vulnerability/vulns_agents/: get: description: Always takes the latest scan to date operationId: data_threat_intelligence_Vulnerability_vulns_agents parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: domainname required: false type: string - description: "" in: query name: dnsdomainname required: false type: string - description: "" in: query name: hostname required: false type: string - description: "" in: query name: osmajor required: false type: number - description: "" in: query name: osminor required: false type: number - description: "" in: query name: osproducttype required: false type: string - description: "" in: query name: firstseen required: false type: string - description: "" in: query name: lastseen required: false type: string - description: "" in: query name: version required: false type: string - description: "" in: query name: pinned_version required: false type: string - description: "" in: query name: rollback_version required: false type: string - description: "" in: query name: bitness required: false type: string - description: "" in: query name: domain required: false type: string - description: "" in: query name: installdate required: false type: string - description: "" in: query name: ipaddress required: false type: string - description: "" in: query name: external_ipaddress required: false type: string - description: "" in: query name: osbuild required: false type: number - description: "" in: query name: osid required: false type: string - description: "" in: query name: osrevision required: false type: number - description: "" in: query name: osversion required: false type: string - description: "" in: query name: producttype required: false type: string - description: "" in: query name: servicepack required: false type: string - description: "" in: query name: total_memory required: false type: number - description: "" in: query name: cpu_count required: false type: number - description: "" in: query name: cpu_frequency required: false type: number - description: "" in: query 
name: avg_cpu required: false type: number - description: "" in: query name: avg_memory required: false type: number - description: "" in: query name: avg_system_cpu required: false type: number - description: "" in: query name: avg_system_memory required: false type: number - description: "" in: query name: starttime required: false type: string - description: "" in: query name: machine_boottime required: false type: string - description: "" in: query name: machine_serial required: false type: string - description: "" in: query name: subnet__gateway_ipaddress required: false type: string - description: "" in: query name: subnet__gateway_macaddress required: false type: string - description: "" in: query name: subnet__name required: false type: string - description: "" in: query name: isolation_state required: false type: string - description: "" in: query name: antivirus_name required: false type: string - description: "" in: query name: antivirus_version required: false type: string - description: "" in: query name: antivirus_rules_version required: false type: string - description: "" in: query name: antivirus_last_update_date required: false type: string - description: "" in: query name: antivirus_rules_last_update_date required: false type: string - description: "" in: query name: additional_info required: false type: string - description: "" in: query name: additional_info__additional_info1 required: false type: string - description: "" in: query name: additional_info__additional_info2 required: false type: string - description: "" in: query name: additional_info__additional_info3 required: false type: string - description: "" in: query name: additional_info__additional_info4 required: false type: string - description: "" in: query name: description required: false type: string - description: "" in: query name: effective_antivirus_policy_id required: false type: string - description: "" in: query name: effective_antivirus_policy_revision required: false type: 
number - description: "" in: query name: boot_loop_protection_end_date required: false type: string - description: "" in: query name: boot_loop_protection_boot_count required: false type: number - description: "" in: query name: telemetry_last_update required: false type: string - description: "" in: query name: should_change_id required: false type: string - description: "" in: query name: protocol required: false type: number - description: "" in: query name: host required: false type: string - description: "" in: query name: port required: false type: number - description: "" in: query name: public_server_signature required: false type: string - description: "" in: query name: proxy_protocol required: false type: number - description: "" in: query name: proxy_host required: false type: string - description: "" in: query name: proxy_port required: false type: number - description: "" in: query name: vdi_salt required: false type: string - description: "" in: query name: update_method required: false type: number - description: "" in: query name: upgrade_status required: false type: string - description: "" in: query name: upgrade_failure_reason required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: $ref: '#/definitions/VulnerabilityScanResultByAgentListing' "403": description: Feature not enabled on this stack examples: application/json: error: Feature not enabled on this stack schema: properties: error: type: string required: - error type: object summary: Get the count of vulnerabilities for each agent tags: - threat Intelligence parameters: [] /data/threat_intelligence/WhitelistRule/: get: description: "" operationId: data_threat_intelligence_WhitelistRule_list parameters: - description: A search term. 
in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: last_update required: false type: string - description: "" in: query name: creation_date required: false type: string - description: "" in: query name: last_retroactivity required: false type: string - description: "" in: query name: last_modifier required: false type: string - description: "" in: query name: target required: false type: string - description: "" in: query name: sigma_rule required: false type: string - description: "" in: query name: correlation_rule required: false type: string - description: "" in: query name: comment required: false type: string - description: "" in: query name: sigma_rule_id required: false type: string - description: "" in: query name: correlation_rule_id required: false type: string - description: "" in: query name: provided_by_hlab required: false type: string - description: "" in: query name: last_disabled_by required: false type: string - description: "" in: query name: enabled required: false type: string - description: "" in: query name: usage_count_last_7_days required: false type: number - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query name: sigma_rule_name required: false type: string - in: query name: correlation_rule_name required: false type: string - in: query name: last_modifier.id required: false type: number - in: query name: last_modifier.username required: false type: string - in: query name: criteria.field required: false type: string - in: query name: criteria.operator required: false type: string - in: query name: criteria.case_insensitive required: false type: boolean - in: query name: criteria.value required: false type: string - in: query name: last_disabled_by.id required: false type: number - in: query name: last_disabled_by.username required: false type: string responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/GetWhitelistRule' type: array required: - count - results type: object tags: - threat Intelligence parameters: [] post: description: "" operationId: data_threat_intelligence_WhitelistRule_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/CreateWhitelistRule' responses: "201": description: "" schema: $ref: '#/definitions/GetWhitelistRule' tags: - threat Intelligence /data/threat_intelligence/WhitelistRule/apply_retroactively/dry_run/: parameters: [] post: description: "" operationId: data_threat_intelligence_WhitelistRule_apply_retroactively_apply_retroactively parameters: - in: body name: data required: true schema: $ref: '#/definitions/CreateTemporaryWhitelistRule' responses: "200": description: "" schema: $ref: '#/definitions/DryRunResponse' tags: - threat Intelligence /data/threat_intelligence/WhitelistRule/delete/: parameters: [] post: description: "" operationId: data_threat_intelligence_WhitelistRule_delete_bulk parameters: - in: body name: data required: true schema: $ref: '#/definitions/WhitelistMassDelete' 
responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - threat Intelligence /data/threat_intelligence/WhitelistRule/export/: get: description: "" operationId: data_threat_intelligence_WhitelistRule_export parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: last_update required: false type: string - description: "" in: query name: creation_date required: false type: string - description: "" in: query name: last_retroactivity required: false type: string - description: "" in: query name: last_modifier required: false type: string - description: "" in: query name: target required: false type: string - description: "" in: query name: sigma_rule required: false type: string - description: "" in: query name: correlation_rule required: false type: string - description: "" in: query name: comment required: false type: string - description: "" in: query name: sigma_rule_id required: false type: string - description: "" in: query name: correlation_rule_id required: false type: string - description: "" in: query name: provided_by_hlab required: false type: string - description: "" in: query name: last_disabled_by required: false type: string - description: "" in: query name: enabled required: false type: string - description: "" in: query name: usage_count_last_7_days required: false type: number - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - threat Intelligence parameters: [] /data/threat_intelligence/WhitelistRule/fields/: get: description: "" operationId: data_threat_intelligence_WhitelistRule_fields parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query name: target required: false type: string - in: query name: alert_subtype required: false type: string responses: "200": description: "" schema: $ref: '#/definitions/_GetWhitelistRuleFieldsResponse' tags: - threat Intelligence parameters: [] /data/threat_intelligence/WhitelistRule/summary/: get: description: "" operationId: data_threat_intelligence_WhitelistRule_summary parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: last_update required: false type: string - description: "" in: query name: creation_date required: false type: string - description: "" in: query name: last_retroactivity required: false type: string - description: "" in: query name: last_modifier required: false type: string - description: "" in: query name: target required: false type: string - description: "" in: query name: sigma_rule required: false type: string - description: "" in: query name: correlation_rule required: false type: string - description: "" in: query name: comment required: false type: string - description: "" in: query name: sigma_rule_id required: false type: string - description: "" in: query name: correlation_rule_id required: false type: string - description: "" in: query name: provided_by_hlab required: false type: string - description: "" in: query name: last_disabled_by required: false type: string - description: "" in: query name: enabled required: false type: string - description: "" in: query name: usage_count_last_7_days required: false type: number - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - default: false in: query name: include_hlab required: false type: boolean responses: "200": description: "" schema: $ref: '#/definitions/WhitelistRuleSummary' tags: - threat Intelligence parameters: [] /data/threat_intelligence/WhitelistRule/unapply_retroactively/: parameters: [] post: description: "" operationId: data_threat_intelligence_WhitelistRule_unapply_retroactively parameters: - in: body name: data required: true schema: $ref: '#/definitions/QueryUnapplyRetroactively' responses: "200": description: "" tags: - threat Intelligence /data/threat_intelligence/WhitelistRule/update/: parameters: [] post: description: "" operationId: data_threat_intelligence_WhitelistRule_update_bulk parameters: - in: body name: data required: true schema: $ref: '#/definitions/WhitelistMassToggle' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - threat Intelligence /data/threat_intelligence/WhitelistRule/{id}/: delete: description: "" operationId: data_threat_intelligence_WhitelistRule_delete parameters: [] responses: "204": description: "" tags: - threat Intelligence get: description: "" operationId: data_threat_intelligence_WhitelistRule_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetWhitelistRule' tags: - threat Intelligence parameters: - in: path name: id required: true type: string patch: description: "" operationId: data_threat_intelligence_WhitelistRule_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditWhitelistRule' responses: "200": description: "" schema: $ref: '#/definitions/EditWhitelistRule' tags: - threat Intelligence put: description: "" operationId: data_threat_intelligence_WhitelistRule_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/ReplaceWhitelistRule' responses: "200": description: "" schema: $ref: '#/definitions/ReplaceWhitelistRule' tags: - 
threat Intelligence /data/threat_intelligence/WhitelistRule/{id}/history/: get: description: "" operationId: data_threat_intelligence_WhitelistRule_history parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: last_update required: false type: string - description: "" in: query name: creation_date required: false type: string - description: "" in: query name: last_retroactivity required: false type: string - description: "" in: query name: last_modifier required: false type: string - description: "" in: query name: target required: false type: string - description: "" in: query name: sigma_rule required: false type: string - description: "" in: query name: correlation_rule required: false type: string - description: "" in: query name: comment required: false type: string - description: "" in: query name: sigma_rule_id required: false type: string - description: "" in: query name: correlation_rule_id required: false type: string - description: "" in: query name: provided_by_hlab required: false type: string - description: "" in: query name: last_disabled_by required: false type: string - description: "" in: query name: enabled required: false type: string - description: "" in: query name: usage_count_last_7_days required: false type: number - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer responses: "200": description: "" schema: $ref: '#/definitions/_WhitelistHistoryListing' tags: - threat Intelligence parameters: - in: path name: id required: true type: string /data/threat_intelligence/YaraFile/: get: description: "" operationId: data_threat_intelligence_YaraFile_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: source_id required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query name: last_update required: false type: string - in: query name: creation_date required: false type: string - in: query name: last_modifier.id required: false type: number - in: query name: last_modifier.username required: false type: string - in: query name: id required: false type: string - in: query name: enabled required: false type: boolean - in: query name: block_on_agent required: false type: boolean - in: query name: quarantine_on_agent required: false type: boolean - in: query name: endpoint_detection required: false type: boolean - in: query name: hl_status required: false type: string - in: query name: rule_level required: false type: string - in: query name: rule_level_override required: false type: string - in: query name: rule_level_overridden required: false type: boolean - in: query name: rule_effective_level required: false type: string - in: query name: rule_effective_confidence required: false type: string - in: query name: source.id required: false type: string - in: query name: source.name required: false type: string - in: query name: ruleset_rule_default required: false type: boolean - in: query 
name: ruleset_rule.enabled required: false type: boolean - in: query name: ruleset_rule.block_on_agent required: false type: boolean - in: query name: ruleset_rule.quarantine_on_agent required: false type: boolean - enum: - alert - backend_alert - block - disabled - quarantine in: query name: global_state required: false type: string - enum: - alert - backend_alert - block - disabled - quarantine in: query name: effective_state required: false type: string - enum: - alert - backend_alert - block - default - disabled - quarantine in: query name: state required: false type: string - in: query name: origin_stack.id required: false type: string - in: query name: tenant required: false type: string - in: query name: name required: false type: string - in: query name: content required: false type: string - in: query name: rule_count required: false type: number - in: query name: rule_names required: false type: string - enum: - linux - macos - unknown - windows in: query name: rule_os required: false type: string - enum: - moderate - strong - weak in: query name: rule_confidence required: false type: string - in: query name: rule_classifications required: false type: string - in: query name: rule_tactic_tags required: false type: string - in: query name: rule_technique_tags required: false type: string - in: query name: rule_score required: false type: number responses: "200": description: "" schema: $ref: '#/definitions/_YaraPagination' tags: - threat Intelligence parameters: [] post: description: "" operationId: data_threat_intelligence_YaraFile_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/_CreateYaraFile' responses: "201": description: "" schema: $ref: '#/definitions/CreateRuleResponse' tags: - threat Intelligence /data/threat_intelligence/YaraFile/export/: get: description: Endpoint for exporting the current queryset as a CSV file. operationId: data_threat_intelligence_YaraFile_export parameters: - description: A search term. 
in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: source_id required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - threat Intelligence parameters: [] /data/threat_intelligence/YaraFile/list_ruleset/{ruleset_id}/: get: description: List files with ruleset rule data. operationId: data_threat_intelligence_YaraFile_list_ruleset parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: source_id required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query name: last_update required: false type: string - in: query name: creation_date required: false type: string - in: query name: last_modifier.id required: false type: number - in: query name: last_modifier.username required: false type: string - in: query name: id required: false type: string - in: query name: enabled required: false type: boolean - in: query name: block_on_agent required: false type: boolean - in: query name: quarantine_on_agent required: false type: boolean - in: query name: endpoint_detection required: false type: boolean - in: query name: hl_status required: false type: string - in: query name: rule_level required: false type: string - in: query name: rule_level_override required: false type: string - in: query name: rule_level_overridden required: false type: boolean - in: query name: rule_effective_level required: false type: string - in: query name: rule_effective_confidence required: false type: string - in: query name: source.id required: false type: string - in: query name: source.name required: false type: string - in: query name: ruleset_rule_default required: false type: boolean - in: query name: ruleset_rule.enabled required: false type: boolean - in: query name: ruleset_rule.block_on_agent required: false type: boolean - in: query name: ruleset_rule.quarantine_on_agent required: false type: boolean - enum: - alert - backend_alert - block - disabled - quarantine in: query name: global_state required: false type: string - enum: - alert - backend_alert - block - disabled - quarantine in: query name: effective_state required: false type: string - enum: - alert - backend_alert - block - default - disabled - quarantine in: query name: state required: false type: string - in: query name: origin_stack.id required: false type: string - in: query name: tenant required: false type: string - in: query name: name required: false type: string - in: query name: content required: false 
type: string - in: query name: rule_count required: false type: number - in: query name: rule_names required: false type: string - enum: - linux - macos - unknown - windows in: query name: rule_os required: false type: string - enum: - moderate - strong - weak in: query name: rule_confidence required: false type: string - in: query name: rule_classifications required: false type: string - in: query name: rule_tactic_tags required: false type: string - in: query name: rule_technique_tags required: false type: string - in: query name: rule_score required: false type: number responses: "200": description: "" schema: $ref: '#/definitions/_YaraRulesetPagination' tags: - threat Intelligence parameters: - in: path name: ruleset_id required: true type: string /data/threat_intelligence/YaraFile/update/: parameters: [] post: description: Update fields for multiple rules at once operationId: data_threat_intelligence_YaraFile_update_bulk parameters: - in: body name: data required: true schema: $ref: '#/definitions/_RuleBulkUpdate' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "400": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - threat Intelligence /data/threat_intelligence/YaraFile/update_rules/{ruleset_id}/: parameters: - in: path name: ruleset_id required: true type: string patch: deprecated: true description: Deprecated call maintained for backward compatibility. 
operationId: data_threat_intelligence_YaraFile_update_rules parameters: - in: body name: data required: true schema: $ref: '#/definitions/RuleUpdateRuleset' responses: "200": description: "" schema: $ref: '#/definitions/_YARARulesetResponse' tags: - threat Intelligence /data/threat_intelligence/YaraFile/update_ruleset/{ruleset_id}/: parameters: - in: path name: ruleset_id required: true type: string patch: description: "" operationId: data_threat_intelligence_YaraFile_update_ruleset parameters: - in: body name: data required: true schema: $ref: '#/definitions/RuleUpdateRuleset' responses: "200": description: "" schema: $ref: '#/definitions/_YARARulesetResponse' tags: - threat Intelligence /data/threat_intelligence/YaraFile/{id}/: delete: description: "" operationId: data_threat_intelligence_YaraFile_delete parameters: [] responses: "204": description: "" tags: - threat Intelligence get: description: "" operationId: data_threat_intelligence_YaraFile_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/YaraFile' tags: - threat Intelligence parameters: - description: A unique value identifying this yara file. in: path name: id required: true type: string patch: description: "" operationId: data_threat_intelligence_YaraFile_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/YaraFile' responses: "200": description: "" schema: $ref: '#/definitions/YaraFile' tags: - threat Intelligence put: description: "" operationId: data_threat_intelligence_YaraFile_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/YaraFile' responses: "200": description: "" schema: $ref: '#/definitions/YaraFile' tags: - threat Intelligence /data/threat_intelligence/YaraSource/: get: description: "" operationId: data_threat_intelligence_YaraSource_list parameters: - description: A search term. 
in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query name: last_update required: false type: string - in: query name: creation_date required: false type: string - in: query name: last_modifier.id required: false type: number - in: query name: last_modifier.username required: false type: string - in: query name: name required: false type: string - in: query name: description required: false type: string - in: query name: enabled required: false type: boolean - in: query name: block_on_agent required: false type: boolean - in: query name: quarantine_on_agent required: false type: boolean - in: query name: endpoint_detection required: false type: boolean - enum: - alert - backend_alert - block - disabled - quarantine in: query name: global_state required: false type: string - enum: - alert - backend_alert - block - default - disabled - quarantine in: query name: state required: false type: string - enum: - alert - backend_alert - block - disabled - quarantine in: query name: effective_state required: false type: string - enum: - alert - backend_alert - block - default - disabled - quarantine in: query name: new_rule_state required: false type: string - in: query name: alert_rule_count required: false type: number - in: query name: block_rule_count required: false type: number - in: query name: quarantine_rule_count required: false type: number - in: query name: disabled_rule_count required: false type: number - in: query name: default_rule_count required: false type: number - in: query name: rule_level_default required: false type: string - in: query name: origin_stack.id required: false type: string - in: query name: 
tenant required: false type: string - in: query name: rule_count required: false type: number - in: query name: rule_stable_count required: false type: number - in: query name: rule_testing_count required: false type: number - in: query name: rule_experimental_count required: false type: number - enum: - moderate - strong - weak in: query name: rule_confidence_default required: false type: string responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/YaraSource' type: array required: - count - results type: object tags: - threat Intelligence parameters: [] post: description: "" operationId: data_threat_intelligence_YaraSource_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/YaraSource' responses: "201": description: "" schema: $ref: '#/definitions/YaraSource' tags: - threat Intelligence /data/threat_intelligence/YaraSource/export/: get: description: Endpoint for exporting the current queryset as a CSV file. operationId: data_threat_intelligence_YaraSource_export parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query items: type: string x-nullable: true name: fields required: false type: array - default: 100 in: query maximum: 500000 minimum: 0 name: length required: false type: integer - default: true in: query name: escaped required: false type: boolean responses: "200": description: csv export schema: type: file tags: - threat Intelligence parameters: [] /data/threat_intelligence/YaraSource/list_ruleset/{ruleset_id}/: get: description: "" operationId: data_threat_intelligence_YaraSource_list_ruleset parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query name: last_update required: false type: string - in: query name: creation_date required: false type: string - in: query name: last_modifier.id required: false type: number - in: query name: last_modifier.username required: false type: string - in: query name: name required: false type: string - in: query name: description required: false type: string - in: query name: enabled required: false type: boolean - in: query name: block_on_agent required: false type: boolean - in: query name: quarantine_on_agent required: false type: boolean - in: query name: endpoint_detection required: false type: boolean - enum: - alert - backend_alert - block - disabled - quarantine in: query name: global_state required: false type: string - enum: - alert - backend_alert - block - default - disabled - quarantine in: query name: state required: false type: string - enum: - alert - backend_alert - block - disabled - quarantine in: query name: effective_state required: false type: string - enum: - 
alert - backend_alert - block - default - disabled - quarantine in: query name: new_rule_state required: false type: string - in: query name: alert_rule_count required: false type: number - in: query name: block_rule_count required: false type: number - in: query name: quarantine_rule_count required: false type: number - in: query name: disabled_rule_count required: false type: number - in: query name: default_rule_count required: false type: number - in: query name: rule_level_default required: false type: string - in: query name: origin_stack.id required: false type: string - in: query name: tenant required: false type: string - in: query name: rule_count required: false type: number - in: query name: rule_stable_count required: false type: number - in: query name: rule_testing_count required: false type: number - in: query name: rule_experimental_count required: false type: number - enum: - moderate - strong - weak in: query name: rule_confidence_default required: false type: string responses: "200": description: "" schema: $ref: '#/definitions/_YaraSourceRulesetPagination' tags: - threat Intelligence parameters: - in: path name: ruleset_id required: true type: string /data/threat_intelligence/YaraSource/{id}/: delete: description: "" operationId: data_threat_intelligence_YaraSource_delete parameters: [] responses: "204": description: "" tags: - threat Intelligence get: description: "" operationId: data_threat_intelligence_YaraSource_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/YaraSource' tags: - threat Intelligence parameters: - description: A unique value identifying this yara source. 
in: path name: id required: true type: string patch: description: "" operationId: data_threat_intelligence_YaraSource_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/YaraSource' responses: "200": description: "" schema: $ref: '#/definitions/YaraSource' tags: - threat Intelligence put: description: "" operationId: data_threat_intelligence_YaraSource_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/YaraSource' responses: "200": description: "" schema: $ref: '#/definitions/YaraSource' tags: - threat Intelligence /data/threat_intelligence/YaraSource/{id}/items/: delete: description: "" operationId: data_threat_intelligence_YaraSource_items parameters: - in: body name: data required: true schema: $ref: '#/definitions/DeleteSourceItemsBody' responses: "200": description: "" schema: $ref: '#/definitions/DeleteSourceItemsBody' tags: - threat Intelligence parameters: - description: A unique value identifying this yara source. in: path name: id required: true type: string /data/user/: get: description: "" operationId: data_user_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: username required: false type: string - description: "" in: query name: last_login required: false type: string - description: "" in: query name: groups__role__uuid required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. 
in: query name: offset required: false type: integer - in: query name: roles.name required: false type: string - in: query name: role_count required: false type: number - in: query name: tfa_is_activate required: false type: boolean - in: query name: hluser.created_by_sso required: false type: boolean - in: query name: is_active required: false type: boolean responses: "200": description: "" schema: properties: count: type: integer next: format: uri type: string x-nullable: true previous: format: uri type: string x-nullable: true results: items: $ref: '#/definitions/HlUserSerializer' type: array required: - count - results type: object tags: - user parameters: [] post: description: "" operationId: data_user_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/HlUserSerializer' responses: "201": description: "" schema: $ref: '#/definitions/HlUserSerializer' tags: - user /data/user/deactivate_mfa/: parameters: [] post: description: "" operationId: data_user_deactivate_mfa parameters: - in: body name: data required: true schema: $ref: '#/definitions/UsersList' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "400": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - user /data/user/delete_users/: parameters: [] post: description: "" operationId: data_user_delete_users parameters: - in: body name: data required: true schema: $ref: '#/definitions/UsersList' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "400": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - user /data/user/password_security/: get: description: "" operationId: data_user_password_security parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: username required: false type: string - description: "" in: query name: last_login required: false type: string - description: "" in: query name: groups__role__uuid required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer responses: "200": description: "" schema: $ref: '#/definitions/PasswordSecurityConfig' tags: - user parameters: [] /data/user/reset_password/: parameters: [] post: description: "" operationId: data_user_reset_password parameters: - in: body name: data required: true schema: $ref: '#/definitions/ResetPassword' responses: "400": description: "" schema: $ref: '#/definitions/PasswordValidationError' tags: - user /data/user/set_mfa/: parameters: [] post: description: "" operationId: data_user_set_mfa parameters: - in: body name: data required: true schema: $ref: '#/definitions/MFAEnableByUser' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "400": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - user /data/user/test_password/: parameters: [] post: description: "" operationId: data_user_test_password parameters: - in: body name: data required: true schema: $ref: '#/definitions/TestPassword' responses: "200": description: "" schema: $ref: '#/definitions/HlUserSerializer' "400": description: "" schema: $ref: '#/definitions/PasswordValidationError' tags: - user /data/user/toggle_active_state/: parameters: [] post: description: "" operationId: data_user_toggle_active_state parameters: - in: body name: data required: true schema: $ref: '#/definitions/ActiveUserbyIDs' responses: "200": description: "" schema: $ref: '#/definitions/ResponseStatus' "400": description: "" schema: $ref: '#/definitions/ResponseStatus' tags: - user 
/data/user/verify_token/: get: description: "" operationId: data_user_verify_token parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. in: query name: ordering required: false type: string - description: "" in: query name: username required: false type: string - description: "" in: query name: last_login required: false type: string - description: "" in: query name: groups__role__uuid required: false type: string - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - description: Password reset token to verify in: query name: token required: true type: string responses: "200": description: "" schema: $ref: '#/definitions/VerifyResetTokenResponse' "400": description: "" schema: $ref: '#/definitions/VerifyResetTokenResponse' tags: - user parameters: [] /data/user/{id}/: delete: description: "" operationId: data_user_delete parameters: [] responses: "204": description: "" tags: - user get: description: "" operationId: data_user_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/HlUserSerializer' tags: - user parameters: - description: A unique integer value identifying this user. 
in: path name: id required: true type: string patch: description: "" operationId: data_user_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/HlUserSerializer' responses: "200": description: "" schema: $ref: '#/definitions/HlUserSerializer' tags: - user put: description: "" operationId: data_user_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/HlUserSerializer' responses: "200": description: "" schema: $ref: '#/definitions/HlUserSerializer' tags: - user /data/user/{id}/api_token/: parameters: - description: A unique integer value identifying this user. in: path name: id required: true type: string post: description: Recreate a new API token for the user passed as a parameter of the request. operationId: data_user_api_token parameters: - in: body name: data required: true schema: $ref: '#/definitions/RequestToken' responses: "200": description: "" schema: $ref: '#/definitions/ResponseToken' tags: - user /data/user/{id}/password/: parameters: - description: A unique integer value identifying this user. in: path name: id required: true type: string patch: description: "" operationId: data_user_password parameters: - in: body name: data required: true schema: $ref: '#/definitions/Password' responses: "200": description: "" schema: $ref: '#/definitions/Password' "400": description: "" schema: $ref: '#/definitions/PasswordValidationError' tags: - user /data/user/{id}/profile/: get: description: "" operationId: data_user_profile parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/HlUserSerializer' tags: - user parameters: - description: A unique integer value identifying this user. in: path name: id required: true type: string /data/user/{id}/reset_password_link/: parameters: - description: A unique integer value identifying this user. 
in: path name: id required: true type: string post: description: "" operationId: data_user_reset_password_link parameters: - in: body name: data required: true schema: $ref: '#/definitions/ResetPasswordLinkRequest' responses: "200": description: "" schema: $ref: '#/definitions/ResetPasswordLinkResponse' "400": description: "" schema: $ref: '#/definitions/ResetPasswordLinkResponse' tags: - user /feature_flags/: get: description: "" operationId: feature_flags_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/FeatureFlags' tags: - feature_flags parameters: [] /installer/: get: deprecated: true description: "" operationId: installer_list parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/LegacyInstallerInfo' tags: - administration parameters: [] /installer/availability/: get: description: "" operationId: installer_availability_list parameters: - in: query minLength: 1 name: version required: true type: string - enum: - x86 - x86_64 in: query name: arch required: false type: string - enum: - deb - elf - msi - pkg - rpm in: query name: filetype required: true type: string responses: "200": description: "" schema: $ref: '#/definitions/DownloadInstallerAvailability' tags: - administration parameters: [] /installer/cdn-download/: get: description: "" operationId: installer_cdn-download_list parameters: - in: query minLength: 1 name: version required: true type: string - enum: - x86 - x86_64 in: query name: arch required: false type: string - enum: - deb - elf - msi - pkg - rpm in: query name: filetype required: true type: string responses: "200": description: "" schema: $ref: '#/definitions/CDNDownload' tags: - administration parameters: [] /installer/cdn-download/status: get: description: "" operationId: installer_cdn-download_status_list parameters: - in: query minLength: 1 name: version required: true type: string - enum: - x86 - x86_64 in: query name: arch required: false type: string - enum: - deb - elf - msi 
- pkg - rpm in: query name: filetype required: true type: string responses: "200": description: "" schema: $ref: '#/definitions/CDNDownload' tags: - administration parameters: [] /installer/download/: get: description: "" operationId: installer_download_list parameters: - description: Number of results to return per page. in: query name: limit required: false type: integer - description: The initial index from which to return the results. in: query name: offset required: false type: integer - in: query minLength: 1 name: version required: true type: string - enum: - x86 - x86_64 in: query name: arch required: false type: string - enum: - deb - elf - msi - pkg - rpm in: query name: filetype required: true type: string responses: "200": description: "" tags: - administration parameters: [] /installer/parameters/: get: description: "" operationId: installer_parameters_list parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Installer' tags: - administration parameters: [] /misc/disassemble/: parameters: [] post: description: POST HTTP method, returns a list of disassemblies from a dump. operationId: misc_disassemble_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/_DisassembleParams' responses: "200": description: "" schema: items: $ref: '#/definitions/_Disassembly' type: array tags: - misc /misc/generate_passwords/: get: description: GET HTTP method, returns a list of randomly generated passwords. 
operationId: misc_generate_passwords_list parameters: - default: 20 in: query minimum: 8 name: length required: false type: integer - default: 1 in: query minimum: 1 name: number required: false type: integer responses: "200": description: "" schema: $ref: '#/definitions/_GeneratedPasswords' tags: - misc parameters: [] /monitoring_alerts/: get: description: "" operationId: monitoring_alerts_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/_MonitoringAlerts' tags: - monitoring_alerts parameters: [] /news/highlight_features/: get: description: "" operationId: news_highlight_features_list parameters: [] responses: "200": description: "" schema: items: $ref: '#/definitions/HighlightFeature' type: array tags: - news parameters: [] /news/maintenance_notice/: get: description: Endpoint allowing any authenticated user to retrieve the current maintenance notice operationId: news_maintenance_notice_list parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetMaintenanceNotice' tags: - news parameters: [] /sso/oidc/{slug}/callback: get: description: "" operationId: sso_oidc_callback_list parameters: - in: query name: state required: true type: string - in: query name: code required: true type: string - in: query name: error required: false type: string - in: query name: error_description required: false type: string responses: "200": description: "" schema: $ref: '#/definitions/Token' "400": description: Bad Request examples: application/json: detail: Invalid OAuth client, please check your configuration. "403": description: Forbidden examples: application/json: detail: Token mismatch. "404": description: Not found examples: application/json: detail: Someone tried to request OIDC SSO callback endpoint without a slug. "500": description: Server Error examples: application/json: error: Something went wrong during authentication with provider. 
tags: - sso parameters: - in: path name: slug required: true type: string /sso/oidc/{slug}/login: get: description: "" operationId: sso_oidc_login_list parameters: [] responses: "302": description: This endpoint redirects the user to the OIDC provider "404": description: Not found examples: application/json: detail: Someone tried to request OIDC SSO login enpoint without a slug. "500": description: Server Error examples: application/json: error: Something went wrong when login with provider. tags: - sso parameters: - in: path name: slug required: true type: string /status/: get: description: "" operationId: status_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/_Status' tags: - information parameters: [] /supervisor_config/: get: description: "" operationId: supervisor_config_list parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/AllConfig' tags: - supervisor_configuration parameters: [] /supervisor_config/agent_cleaning/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_agent_cleaning_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/AgentCleaning' summary: Get section configuration tags: - supervisor_configuration parameters: [] patch: description: Missing fields are set to their default value. 
operationId: supervisor_config_agent_cleaning_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/AgentCleaning' responses: "200": description: "" schema: $ref: '#/definitions/AgentCleaning' "400": description: Bad request summary: Update section configuration tags: - supervisor_configuration /supervisor_config/agent_cleaning/defaults/: get: description: Get default section configuration operationId: supervisor_config_agent_cleaning_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/AgentCleaning' tags: - supervisor_configuration parameters: [] /supervisor_config/alerter_ioc/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_alerter_ioc_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/IOCConfig' summary: Get section configuration tags: - supervisor_configuration parameters: [] patch: description: Missing fields are set to their default value. 
operationId: supervisor_config_alerter_ioc_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/IOCConfig' responses: "200": description: "" schema: $ref: '#/definitions/IOCConfig' "400": description: Bad request summary: Update section configuration tags: - supervisor_configuration /supervisor_config/alerter_ioc/defaults/: get: description: Get default section configuration operationId: supervisor_config_alerter_ioc_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/IOCConfig' tags: - supervisor_configuration parameters: [] /supervisor_config/assemblyline/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_assemblyline_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetAssemblyline' summary: Get connector configuration tags: - supervisor_configuration parameters: [] patch: description: Missing fields are set to their default value. operationId: supervisor_config_assemblyline_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditAssemblyline' responses: "200": description: "" schema: $ref: '#/definitions/GetAssemblyline' "400": description: Bad request summary: Update connector configuration tags: - supervisor_configuration /supervisor_config/assemblyline/defaults/: get: description: Get default connector configuration operationId: supervisor_config_assemblyline_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetAssemblyline' tags: - supervisor_configuration parameters: [] /supervisor_config/assemblyline/test/: parameters: [] post: description: Test connector connection with provided settings. Does not save any change. 
operationId: supervisor_config_assemblyline_test parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditAssemblyline' responses: "200": description: Configuration is valid schema: $ref: '#/definitions/ConnectorTest' "400": description: Bad request schema: $ref: '#/definitions/ConnectorTest' summary: Test connector connection tags: - supervisor_configuration /supervisor_config/binaries_retention/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_binaries_retention_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/BinariesRetention' summary: Get section configuration tags: - supervisor_configuration parameters: [] patch: description: Missing fields are set to their default value. operationId: supervisor_config_binaries_retention_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/BinariesRetention' responses: "200": description: "" schema: $ref: '#/definitions/BinariesRetention' "400": description: Bad request summary: Update section configuration tags: - supervisor_configuration /supervisor_config/binaries_retention/defaults/: get: description: Get default section configuration operationId: supervisor_config_binaries_retention_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/BinariesRetention' tags: - supervisor_configuration parameters: [] /supervisor_config/cape/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_cape_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetCape' summary: Get connector configuration tags: - supervisor_configuration 
parameters: [] patch: description: Missing fields are set to their default value. operationId: supervisor_config_cape_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditCape' responses: "200": description: "" schema: $ref: '#/definitions/GetCape' "400": description: Bad request summary: Update connector configuration tags: - supervisor_configuration /supervisor_config/cape/defaults/: get: description: Get default connector configuration operationId: supervisor_config_cape_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetCape' tags: - supervisor_configuration parameters: [] /supervisor_config/cape/test/: parameters: [] post: description: Test connector connection with provided settings. Does not save any change. operationId: supervisor_config_cape_test parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditCape' responses: "200": description: Configuration is valid schema: $ref: '#/definitions/ConnectorTest' "400": description: Bad request schema: $ref: '#/definitions/ConnectorTest' summary: Test connector connection tags: - supervisor_configuration /supervisor_config/collector/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_collector_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Collector' summary: Get section configuration tags: - supervisor_configuration parameters: [] patch: description: Missing fields are set to their default value. 
operationId: supervisor_config_collector_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/Collector' responses: "200": description: "" schema: $ref: '#/definitions/Collector' "400": description: Bad request summary: Update section configuration tags: - supervisor_configuration /supervisor_config/collector/defaults/: get: description: Get default section configuration operationId: supervisor_config_collector_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Collector' tags: - supervisor_configuration parameters: [] /supervisor_config/connector_misp/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_connector_misp_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetMisp' summary: Get connector configuration tags: - supervisor_configuration parameters: [] patch: description: Missing fields are set to their default value. 
operationId: supervisor_config_connector_misp_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditMisp' responses: "200": description: "" schema: $ref: '#/definitions/GetMisp' "400": description: Bad request summary: Update connector configuration tags: - supervisor_configuration /supervisor_config/connector_misp/defaults/: get: description: Get default connector configuration operationId: supervisor_config_connector_misp_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetMisp' tags: - supervisor_configuration parameters: [] /supervisor_config/connector_misp/errors/: get: description: Get individual attribute errors as CSV operationId: supervisor_config_connector_misp_errors parameters: [] responses: "200": description: individual attribute errors of the MISP connector, as CSV "404": description: attribute errors of the MISP connector not found tags: - supervisor_configuration parameters: [] /supervisor_config/connector_misp/test/: parameters: [] post: description: Test connector connection with provided settings. Does not save any change. 
operationId: supervisor_config_connector_misp_test parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditMisp' responses: "200": description: Configuration is valid schema: $ref: '#/definitions/ConnectorTest' "400": description: Bad request schema: $ref: '#/definitions/ConnectorTest' summary: Test connector connection tags: - supervisor_configuration /supervisor_config/customization/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_customization_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Customization' summary: Get section configuration tags: - supervisor_configuration parameters: [] patch: description: Missing fields are set to their default value. operationId: supervisor_config_customization_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/Customization' responses: "200": description: "" schema: $ref: '#/definitions/Customization' "400": description: Bad request summary: Update section configuration tags: - supervisor_configuration /supervisor_config/customization/defaults/: get: description: Get default section configuration operationId: supervisor_config_customization_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Customization' tags: - supervisor_configuration parameters: [] /supervisor_config/download/: get: consumes: - application/json - application/yaml description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` or its YAML equivalent. 
operationId: supervisor_config_download_list parameters: [] produces: - application/json - application/yaml responses: "200": description: "" schema: $ref: '#/definitions/ConfigDownload' summary: Download config in JSON or YAML format tags: - supervisor_configuration parameters: [] patch: consumes: - application/json - application/yaml description: Configuration fields not present in the request are left untouched. operationId: supervisor_config_download_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/ConfigDownload' produces: - application/json - application/yaml responses: "200": description: "" schema: $ref: '#/definitions/ConfigDownload' "400": description: Bad request summary: Update the stored configuration with the given one. tags: - supervisor_configuration put: consumes: - application/json - application/yaml description: Existing configuration is completely deleted before being replaced. operationId: supervisor_config_download_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/ConfigDownload' produces: - application/json - application/yaml responses: "200": description: "" schema: $ref: '#/definitions/ConfigDownload' "400": description: Bad request summary: Replace the stored configuration with the given one. tags: - supervisor_configuration /supervisor_config/downloader/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_downloader_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Downloader' summary: Get section configuration tags: - supervisor_configuration parameters: [] patch: description: Missing fields are set to their default value. 
operationId: supervisor_config_downloader_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/Downloader' responses: "200": description: "" schema: $ref: '#/definitions/Downloader' "400": description: Bad request summary: Update section configuration tags: - supervisor_configuration /supervisor_config/downloader/defaults/: get: description: Get default section configuration operationId: supervisor_config_downloader_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Downloader' tags: - supervisor_configuration parameters: [] /supervisor_config/es_ilm_indices__policies/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_es_ilm_indices__policies_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ESILMIndicesPolicies' summary: Get section configuration tags: - supervisor_configuration parameters: [] patch: description: Missing fields are set to their default value. 
operationId: supervisor_config_es_ilm_indices__policies_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/ESILMIndicesPolicies' responses: "200": description: "" schema: $ref: '#/definitions/ESILMIndicesPolicies' "400": description: Bad request summary: Update section configuration tags: - supervisor_configuration /supervisor_config/es_ilm_indices__policies/defaults/: get: description: Get default section configuration operationId: supervisor_config_es_ilm_indices__policies_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ESILMIndicesPolicies' tags: - supervisor_configuration parameters: [] /supervisor_config/es_indices__replicas/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_es_indices__replicas_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ESIndicesReplicas' summary: Get section configuration tags: - supervisor_configuration parameters: [] patch: description: Missing fields are set to their default value. 
operationId: supervisor_config_es_indices__replicas_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/ESIndicesReplicas' responses: "200": description: "" schema: $ref: '#/definitions/ESIndicesReplicas' "400": description: Bad request summary: Update section configuration tags: - supervisor_configuration /supervisor_config/es_indices__replicas/defaults/: get: description: Get default section configuration operationId: supervisor_config_es_indices__replicas_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ESIndicesReplicas' tags: - supervisor_configuration parameters: [] /supervisor_config/event_stacktrace/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_event_stacktrace_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/EventStackTrace' summary: Get section configuration tags: - supervisor_configuration parameters: [] patch: description: Missing fields are set to their default value. 
operationId: supervisor_config_event_stacktrace_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/EventStackTrace' responses: "200": description: "" schema: $ref: '#/definitions/EventStackTrace' "400": description: Bad request summary: Update section configuration tags: - supervisor_configuration /supervisor_config/event_stacktrace/defaults/: get: description: Get default section configuration operationId: supervisor_config_event_stacktrace_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/EventStackTrace' tags: - supervisor_configuration parameters: [] /supervisor_config/export/: get: consumes: - multipart/form-data description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_export_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetExport' summary: Get connector configuration tags: - supervisor_configuration parameters: [] patch: consumes: - multipart/form-data description: Missing fields are set to their default value. 
operationId: supervisor_config_export_partial_update parameters: - default: false in: formData name: enabled required: false type: boolean - in: formData minLength: 1 name: host required: false type: string x-nullable: true - in: formData maximum: 65535 minimum: 1 name: port required: false type: integer x-nullable: true - enum: - rfc3164 - rfc5424 in: formData name: rfc required: false type: string x-nullable: true - enum: - ssl-tcp - tcp - udp in: formData name: protocol required: false type: string x-nullable: true - collectionFormat: multi default: [] in: formData items: enum: - agent - agentlog - alert - amsi_scan - auditlog - authentication - bpf - connectionlog - dns_resolution - driverload - eventlog - experimental_alert - file - group - informational_alert - injectedthread - investigation - kube_pod_event - library_load - named_pipe - network - network_listen - powershell - process - process_access - process_duplicate_handle - process_ptrace - process_tamper - raw_device_access - raw_socket_creation - registry - remotethread - resource - scheduled_task - threat - url_request - usb_activity - user - win32k_get_async_key_state - win32k_register_raw_input_devices - win32k_set_windows_hook_ex - windows_service - wmi_event type: string name: logs required: false type: array x-nullable: true - default: false in: formData name: ssl_verify required: false type: boolean - default: hurukai in: formData minLength: 1 name: app_name required: false type: string - default: hurukai in: formData minLength: 1 name: source_host required: false type: string - in: formData minLength: 1 name: structured_data required: false type: string x-nullable: true - default: false in: formData name: exclude_rule_content required: false type: boolean - in: formData name: ssl_cacert required: false type: file x-nullable: true - in: formData name: ssl_cert required: false type: file x-nullable: true - in: formData name: ssl_key required: false type: file x-nullable: true responses: "200": 
description: "" schema: $ref: '#/definitions/GetExport' "400": description: Bad request summary: Update connector configuration tags: - supervisor_configuration /supervisor_config/export/defaults/: get: consumes: - multipart/form-data description: Get default connector configuration operationId: supervisor_config_export_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetExport' tags: - supervisor_configuration parameters: [] /supervisor_config/export/test/: parameters: [] post: consumes: - multipart/form-data description: Test connector connection with provided settings. Does not save any change. operationId: supervisor_config_export_test parameters: - default: false in: formData name: enabled required: false type: boolean - in: formData minLength: 1 name: host required: false type: string x-nullable: true - in: formData maximum: 65535 minimum: 1 name: port required: false type: integer x-nullable: true - enum: - rfc3164 - rfc5424 in: formData name: rfc required: false type: string x-nullable: true - enum: - ssl-tcp - tcp - udp in: formData name: protocol required: false type: string x-nullable: true - collectionFormat: multi default: [] in: formData items: enum: - agent - agentlog - alert - amsi_scan - auditlog - authentication - bpf - connectionlog - dns_resolution - driverload - eventlog - experimental_alert - file - group - informational_alert - injectedthread - investigation - kube_pod_event - library_load - named_pipe - network - network_listen - powershell - process - process_access - process_duplicate_handle - process_ptrace - process_tamper - raw_device_access - raw_socket_creation - registry - remotethread - resource - scheduled_task - threat - url_request - usb_activity - user - win32k_get_async_key_state - win32k_register_raw_input_devices - win32k_set_windows_hook_ex - windows_service - wmi_event type: string name: logs required: false type: array x-nullable: true - default: false in: formData name: ssl_verify 
required: false type: boolean - default: hurukai in: formData minLength: 1 name: app_name required: false type: string - default: hurukai in: formData minLength: 1 name: source_host required: false type: string - in: formData minLength: 1 name: structured_data required: false type: string x-nullable: true - default: false in: formData name: exclude_rule_content required: false type: boolean - in: formData name: ssl_cacert required: false type: file x-nullable: true - in: formData name: ssl_cert required: false type: file x-nullable: true - in: formData name: ssl_key required: false type: file x-nullable: true responses: "200": description: Configuration is valid schema: $ref: '#/definitions/ConnectorTest' "400": description: Bad request schema: $ref: '#/definitions/ConnectorTest' summary: Test connector connection tags: - supervisor_configuration /supervisor_config/export_elastic/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_export_elastic_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetExportElastic' summary: Get connector configuration tags: - supervisor_configuration parameters: [] patch: description: Missing fields are set to their default value. 
operationId: supervisor_config_export_elastic_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditExportElastic' responses: "200": description: "" schema: $ref: '#/definitions/GetExportElastic' "400": description: Bad request summary: Update connector configuration tags: - supervisor_configuration /supervisor_config/export_elastic/defaults/: get: description: Get default connector configuration operationId: supervisor_config_export_elastic_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetExportElastic' tags: - supervisor_configuration parameters: [] /supervisor_config/export_elastic/test/: parameters: [] post: description: Test connector connection with provided settings. Does not save any change. operationId: supervisor_config_export_elastic_test parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditExportElastic' responses: "200": description: Configuration is valid schema: $ref: '#/definitions/ConnectorTest' "400": description: Bad request schema: $ref: '#/definitions/ConnectorTest' summary: Test connector connection tags: - supervisor_configuration /supervisor_config/export_s3/: get: consumes: - multipart/form-data description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_export_s3_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetExportS3' summary: Get connector configuration tags: - supervisor_configuration parameters: [] patch: consumes: - multipart/form-data description: Missing fields are set to their default value. 
operationId: supervisor_config_export_s3_partial_update parameters: - default: false in: formData name: enabled required: false type: boolean - in: formData minLength: 1 name: url required: false type: string x-nullable: true - in: formData minLength: 1 name: bucket required: false type: string x-nullable: true - in: formData minLength: 1 name: object_prefix required: false type: string x-nullable: true - in: formData minLength: 1 name: access_key required: false type: string x-nullable: true - in: formData minLength: 1 name: secret_key required: false type: string x-nullable: true - in: formData minLength: 1 name: region required: false type: string x-nullable: true - collectionFormat: multi default: [] in: formData items: enum: - alert - authentication - dns_resolution - experimental_alert - file - informational_alert - injectedthread - library_load - network - network_listen - process - raw_socket_creation - remotethread - url_request type: string name: logs required: false type: array x-nullable: true - default: false in: formData name: ssl_verify required: false type: boolean - in: formData name: ssl_cacert required: false type: file x-nullable: true - in: formData name: ssl_cert required: false type: file x-nullable: true - in: formData name: ssl_key required: false type: file x-nullable: true responses: "200": description: "" schema: $ref: '#/definitions/GetExportS3' "400": description: Bad request summary: Update connector configuration tags: - supervisor_configuration /supervisor_config/export_s3/defaults/: get: consumes: - multipart/form-data description: Get default connector configuration operationId: supervisor_config_export_s3_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetExportS3' tags: - supervisor_configuration parameters: [] /supervisor_config/export_s3/test/: parameters: [] post: consumes: - multipart/form-data description: Test connector connection with provided settings. Does not save any change. 
operationId: supervisor_config_export_s3_test parameters: - default: false in: formData name: enabled required: false type: boolean - in: formData minLength: 1 name: url required: false type: string x-nullable: true - in: formData minLength: 1 name: bucket required: false type: string x-nullable: true - in: formData minLength: 1 name: object_prefix required: false type: string x-nullable: true - in: formData minLength: 1 name: access_key required: false type: string x-nullable: true - in: formData minLength: 1 name: secret_key required: false type: string x-nullable: true - in: formData minLength: 1 name: region required: false type: string x-nullable: true - collectionFormat: multi default: [] in: formData items: enum: - alert - authentication - dns_resolution - experimental_alert - file - informational_alert - injectedthread - library_load - network - network_listen - process - raw_socket_creation - remotethread - url_request type: string name: logs required: false type: array x-nullable: true - default: false in: formData name: ssl_verify required: false type: boolean - in: formData name: ssl_cacert required: false type: file x-nullable: true - in: formData name: ssl_cert required: false type: file x-nullable: true - in: formData name: ssl_key required: false type: file x-nullable: true responses: "200": description: Configuration is valid schema: $ref: '#/definitions/ConnectorTest' "400": description: Bad request schema: $ref: '#/definitions/ConnectorTest' summary: Test connector connection tags: - supervisor_configuration /supervisor_config/export_secops/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_export_secops_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetExportSecops' summary: Get connector configuration tags: - supervisor_configuration 
parameters: [] patch: description: Missing fields are set to their default value. operationId: supervisor_config_export_secops_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditExportSecops' responses: "200": description: "" schema: $ref: '#/definitions/GetExportSecops' "400": description: Bad request summary: Update connector configuration tags: - supervisor_configuration /supervisor_config/export_secops/defaults/: get: description: Get default connector configuration operationId: supervisor_config_export_secops_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetExportSecops' tags: - supervisor_configuration parameters: [] /supervisor_config/export_secops/test/: parameters: [] post: description: Test connector connection with provided settings. Does not save any change. operationId: supervisor_config_export_secops_test parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditExportSecops' responses: "200": description: Configuration is valid schema: $ref: '#/definitions/ConnectorTest' "400": description: Bad request schema: $ref: '#/definitions/ConnectorTest' summary: Test connector connection tags: - supervisor_configuration /supervisor_config/export_splunk/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_export_splunk_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetExportSplunk' summary: Get connector configuration tags: - supervisor_configuration parameters: [] patch: description: Missing fields are set to their default value. 
operationId: supervisor_config_export_splunk_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditExportSplunk' responses: "200": description: "" schema: $ref: '#/definitions/GetExportSplunk' "400": description: Bad request summary: Update connector configuration tags: - supervisor_configuration /supervisor_config/export_splunk/defaults/: get: description: Get default connector configuration operationId: supervisor_config_export_splunk_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetExportSplunk' tags: - supervisor_configuration parameters: [] /supervisor_config/export_splunk/test/: parameters: [] post: description: Test connector connection with provided settings. Does not save any change. operationId: supervisor_config_export_splunk_test parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditExportSplunk' responses: "200": description: Configuration is valid schema: $ref: '#/definitions/ConnectorTest' "400": description: Bad request schema: $ref: '#/definitions/ConnectorTest' summary: Test connector connection tags: - supervisor_configuration /supervisor_config/glimps/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_glimps_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetGlimps' summary: Get connector configuration tags: - supervisor_configuration parameters: [] patch: description: Missing fields are set to their default value. 
operationId: supervisor_config_glimps_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditGlimps' responses: "200": description: "" schema: $ref: '#/definitions/GetGlimps' "400": description: Bad request summary: Update connector configuration tags: - supervisor_configuration /supervisor_config/glimps/defaults/: get: description: Get default connector configuration operationId: supervisor_config_glimps_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetGlimps' tags: - supervisor_configuration parameters: [] /supervisor_config/glimps/test/: parameters: [] post: description: Test connector connection with provided settings. Does not save any change. operationId: supervisor_config_glimps_test parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditGlimps' responses: "200": description: Configuration is valid schema: $ref: '#/definitions/ConnectorTest' "400": description: Bad request schema: $ref: '#/definitions/ConnectorTest' summary: Test connector connection tags: - supervisor_configuration /supervisor_config/hibou/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_hibou_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Hibou' summary: Get section configuration tags: - supervisor_configuration parameters: [] patch: description: Missing fields are set to their default value. 
operationId: supervisor_config_hibou_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/Hibou' responses: "200": description: "" schema: $ref: '#/definitions/Hibou' "400": description: Bad request summary: Update section configuration tags: - supervisor_configuration /supervisor_config/hibou/defaults/: get: description: Get default section configuration operationId: supervisor_config_hibou_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Hibou' tags: - supervisor_configuration parameters: [] /supervisor_config/irma/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_irma_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetIrma' summary: Get connector configuration tags: - supervisor_configuration parameters: [] patch: description: Missing fields are set to their default value. operationId: supervisor_config_irma_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditIrma' responses: "200": description: "" schema: $ref: '#/definitions/GetIrma' "400": description: Bad request summary: Update connector configuration tags: - supervisor_configuration /supervisor_config/irma/defaults/: get: description: Get default connector configuration operationId: supervisor_config_irma_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetIrma' tags: - supervisor_configuration parameters: [] /supervisor_config/irma/test/: parameters: [] post: description: Test connector connection with provided settings. Does not save any change. 
operationId: supervisor_config_irma_test parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditIrma' responses: "200": description: Configuration is valid schema: $ref: '#/definitions/ConnectorTest' "400": description: Bad request schema: $ref: '#/definitions/ConnectorTest' summary: Test connector connection tags: - supervisor_configuration /supervisor_config/ldap_auth/: get: consumes: - multipart/form-data description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_ldap_auth_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetLDAPAuth' summary: Get connector configuration tags: - supervisor_configuration parameters: [] patch: consumes: - multipart/form-data description: Missing fields are set to their default value. operationId: supervisor_config_ldap_auth_partial_update parameters: - default: false in: formData name: enabled required: false type: boolean - in: formData minLength: 1 name: host required: false type: string x-nullable: true - in: formData maximum: 65535 minimum: 1 name: port required: false type: integer x-nullable: true - default: false in: formData name: use_tls required: false type: boolean - in: formData name: validate_server_certificate required: true type: boolean - default: false in: formData name: use_client_side_certs required: false type: boolean - in: formData minLength: 1 name: base_dn required: false type: string x-nullable: true - in: formData name: active_directory_domain required: false type: string x-nullable: true - in: formData minLength: 1 name: search_account_username required: false type: string x-nullable: true - in: formData minLength: 1 name: search_account_password required: false type: string x-nullable: true - format: uuid in: formData name: default_group required: false type: string x-nullable: true - 
default: active_directory in: formData minLength: 1 name: type required: false type: string - default: person in: formData minLength: 1 name: user_object_class required: false type: string - default: sAMAccountName in: formData minLength: 1 name: user_field_id required: false type: string - in: formData name: client_public_key required: false type: file x-nullable: true - in: formData name: client_private_key required: false type: file x-nullable: true - in: formData name: ca_certifications required: false type: file x-nullable: true - in: formData name: test_username required: false type: string x-nullable: true responses: "200": description: "" schema: $ref: '#/definitions/GetLDAPAuth' "400": description: Bad request summary: Update connector configuration tags: - supervisor_configuration /supervisor_config/ldap_auth/defaults/: get: consumes: - multipart/form-data description: Get default connector configuration operationId: supervisor_config_ldap_auth_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetLDAPAuth' tags: - supervisor_configuration parameters: [] /supervisor_config/ldap_auth/test/: parameters: [] post: consumes: - multipart/form-data description: Test connector connection with provided settings. Does not save any change. 
operationId: supervisor_config_ldap_auth_test parameters: - default: false in: formData name: enabled required: false type: boolean - in: formData minLength: 1 name: host required: false type: string x-nullable: true - in: formData maximum: 65535 minimum: 1 name: port required: false type: integer x-nullable: true - default: false in: formData name: use_tls required: false type: boolean - in: formData name: validate_server_certificate required: true type: boolean - default: false in: formData name: use_client_side_certs required: false type: boolean - in: formData minLength: 1 name: base_dn required: false type: string x-nullable: true - in: formData name: active_directory_domain required: false type: string x-nullable: true - in: formData minLength: 1 name: search_account_username required: false type: string x-nullable: true - in: formData minLength: 1 name: search_account_password required: false type: string x-nullable: true - format: uuid in: formData name: default_group required: false type: string x-nullable: true - default: active_directory in: formData minLength: 1 name: type required: false type: string - default: person in: formData minLength: 1 name: user_object_class required: false type: string - default: sAMAccountName in: formData minLength: 1 name: user_field_id required: false type: string - in: formData name: client_public_key required: false type: file x-nullable: true - in: formData name: client_private_key required: false type: file x-nullable: true - in: formData name: ca_certifications required: false type: file x-nullable: true - in: formData name: test_username required: false type: string x-nullable: true responses: "200": description: Configuration is valid schema: $ref: '#/definitions/ConnectorTest' "400": description: Bad request schema: $ref: '#/definitions/ConnectorTest' summary: Test connector connection tags: - supervisor_configuration /supervisor_config/mfa/: get: description: |- If the stored configuration is invalid, an 
additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_mfa_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/MFA' summary: Get section configuration tags: - supervisor_configuration parameters: [] patch: description: Missing fields are set to their default value. operationId: supervisor_config_mfa_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/MFA' responses: "200": description: "" schema: $ref: '#/definitions/MFA' "400": description: Bad request summary: Update section configuration tags: - supervisor_configuration /supervisor_config/mfa/defaults/: get: description: Get default section configuration operationId: supervisor_config_mfa_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/MFA' tags: - supervisor_configuration parameters: [] /supervisor_config/network_discovery/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_network_discovery_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/NetWDiscovery' summary: Get section configuration tags: - supervisor_configuration parameters: [] patch: description: Missing fields are set to their default value. 
operationId: supervisor_config_network_discovery_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/NetWDiscovery' responses: "200": description: "" schema: $ref: '#/definitions/NetWDiscovery' "400": description: Bad request summary: Update section configuration tags: - supervisor_configuration /supervisor_config/network_discovery/defaults/: get: description: Get default section configuration operationId: supervisor_config_network_discovery_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/NetWDiscovery' tags: - supervisor_configuration parameters: [] /supervisor_config/new_threat_aggregation/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_new_threat_aggregation_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/NewThreatAggregation' summary: Get section configuration tags: - supervisor_configuration parameters: [] patch: description: Missing fields are set to their default value. 
operationId: supervisor_config_new_threat_aggregation_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/NewThreatAggregation' responses: "200": description: "" schema: $ref: '#/definitions/NewThreatAggregation' "400": description: Bad request summary: Update section configuration tags: - supervisor_configuration /supervisor_config/new_threat_aggregation/defaults/: get: description: Get default section configuration operationId: supervisor_config_new_threat_aggregation_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/NewThreatAggregation' tags: - supervisor_configuration parameters: [] /supervisor_config/orion/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_orion_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetOrion' summary: Get connector configuration tags: - supervisor_configuration parameters: [] patch: description: Missing fields are set to their default value. operationId: supervisor_config_orion_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditOrion' responses: "200": description: "" schema: $ref: '#/definitions/GetOrion' "400": description: Bad request summary: Update connector configuration tags: - supervisor_configuration /supervisor_config/orion/defaults/: get: description: Get default connector configuration operationId: supervisor_config_orion_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetOrion' tags: - supervisor_configuration parameters: [] /supervisor_config/orion/test/: parameters: [] post: description: Test connector connection with provided settings. Does not save any change. 
operationId: supervisor_config_orion_test parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditOrion' responses: "200": description: Configuration is valid schema: $ref: '#/definitions/ConnectorTest' "400": description: Bad request schema: $ref: '#/definitions/ConnectorTest' summary: Test connector connection tags: - supervisor_configuration /supervisor_config/password_security/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_password_security_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/PasswordSecurity' summary: Get section configuration tags: - supervisor_configuration parameters: [] patch: description: Missing fields are set to their default value. operationId: supervisor_config_password_security_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/PasswordSecurity' responses: "200": description: "" schema: $ref: '#/definitions/PasswordSecurity' "400": description: Bad request summary: Update section configuration tags: - supervisor_configuration /supervisor_config/password_security/defaults/: get: description: Get default section configuration operationId: supervisor_config_password_security_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/PasswordSecurity' tags: - supervisor_configuration parameters: [] /supervisor_config/pdf_retention/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_pdf_retention_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/PDFRetention' summary: Get section configuration tags: - supervisor_configuration 
parameters: [] patch: description: Missing fields are set to their default value. operationId: supervisor_config_pdf_retention_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/PDFRetention' responses: "200": description: "" schema: $ref: '#/definitions/PDFRetention' "400": description: Bad request summary: Update section configuration tags: - supervisor_configuration /supervisor_config/pdf_retention/defaults/: get: description: Get default section configuration operationId: supervisor_config_pdf_retention_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/PDFRetention' tags: - supervisor_configuration parameters: [] /supervisor_config/proxy/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_proxy_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetProxy' summary: Get connector configuration tags: - supervisor_configuration parameters: [] patch: description: Missing fields are set to their default value. operationId: supervisor_config_proxy_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditProxy' responses: "200": description: "" schema: $ref: '#/definitions/GetProxy' "400": description: Bad request summary: Update connector configuration tags: - supervisor_configuration /supervisor_config/proxy/defaults/: get: description: Get default connector configuration operationId: supervisor_config_proxy_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetProxy' tags: - supervisor_configuration parameters: [] /supervisor_config/proxy/test/: parameters: [] post: description: Test connector connection with provided settings. Does not save any change. 
operationId: supervisor_config_proxy_test parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditProxy' responses: "200": description: Configuration is valid schema: $ref: '#/definitions/ConnectorTest' "400": description: Bad request schema: $ref: '#/definitions/ConnectorTest' summary: Test connector connection tags: - supervisor_configuration /supervisor_config/ransomguard/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_ransomguard_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Ransomguard' summary: Get section configuration tags: - supervisor_configuration parameters: [] patch: description: Missing fields are set to their default value. operationId: supervisor_config_ransomguard_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/Ransomguard' responses: "200": description: "" schema: $ref: '#/definitions/Ransomguard' "400": description: Bad request summary: Update section configuration tags: - supervisor_configuration /supervisor_config/ransomguard/defaults/: get: description: Get default section configuration operationId: supervisor_config_ransomguard_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Ransomguard' tags: - supervisor_configuration parameters: [] /supervisor_config/ransomguard_heuristic/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_ransomguard_heuristic_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/RansomguardHeuristic' summary: Get section configuration tags: - supervisor_configuration parameters: [] patch: 
description: Missing fields are set to their default value. operationId: supervisor_config_ransomguard_heuristic_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/RansomguardHeuristic' responses: "200": description: "" schema: $ref: '#/definitions/RansomguardHeuristic' "400": description: Bad request summary: Update section configuration tags: - supervisor_configuration /supervisor_config/ransomguard_heuristic/defaults/: get: description: Get default section configuration operationId: supervisor_config_ransomguard_heuristic_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/RansomguardHeuristic' tags: - supervisor_configuration parameters: [] /supervisor_config/remote_shell/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_remote_shell_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/RemoteShell' summary: Get section configuration tags: - supervisor_configuration parameters: [] patch: description: Missing fields are set to their default value. 
operationId: supervisor_config_remote_shell_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/RemoteShell' responses: "200": description: "" schema: $ref: '#/definitions/RemoteShell' "400": description: Bad request summary: Update section configuration tags: - supervisor_configuration /supervisor_config/remote_shell/defaults/: get: description: Get default section configuration operationId: supervisor_config_remote_shell_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/RemoteShell' tags: - supervisor_configuration parameters: [] /supervisor_config/security/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_security_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Security' summary: Get section configuration tags: - supervisor_configuration parameters: [] patch: description: Missing fields are set to their default value. 
operationId: supervisor_config_security_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/Security' responses: "200": description: "" schema: $ref: '#/definitions/Security' "400": description: Bad request summary: Update section configuration tags: - supervisor_configuration /supervisor_config/security/defaults/: get: description: Get default section configuration operationId: supervisor_config_security_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Security' tags: - supervisor_configuration parameters: [] /supervisor_config/sidewatch/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_sidewatch_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Sidewatch' summary: Get section configuration tags: - supervisor_configuration parameters: [] patch: description: Missing fields are set to their default value. 
operationId: supervisor_config_sidewatch_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/Sidewatch' responses: "200": description: "" schema: $ref: '#/definitions/Sidewatch' "400": description: Bad request summary: Update section configuration tags: - supervisor_configuration /supervisor_config/sidewatch/defaults/: get: description: Get default section configuration operationId: supervisor_config_sidewatch_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Sidewatch' tags: - supervisor_configuration parameters: [] /supervisor_config/tenant/{tenant}/agent_cleaning/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_tenant_agent_cleaning_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/AgentCleaning' summary: Get section configuration tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string patch: description: Missing fields are set to their default value. 
operationId: supervisor_config_tenant_agent_cleaning_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/AgentCleaning' responses: "200": description: "" schema: $ref: '#/definitions/AgentCleaning' "400": description: Bad request summary: Update section configuration tags: - supervisor_configuration /supervisor_config/tenant/{tenant}/agent_cleaning/defaults/: get: description: Get default section configuration operationId: supervisor_config_tenant_agent_cleaning_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/AgentCleaning' tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string /supervisor_config/tenant/{tenant}/alerter_ioc/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_tenant_alerter_ioc_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/IOCConfig' summary: Get section configuration tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string patch: description: Missing fields are set to their default value. 
operationId: supervisor_config_tenant_alerter_ioc_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/IOCConfig' responses: "200": description: "" schema: $ref: '#/definitions/IOCConfig' "400": description: Bad request summary: Update section configuration tags: - supervisor_configuration /supervisor_config/tenant/{tenant}/alerter_ioc/defaults/: get: description: Get default section configuration operationId: supervisor_config_tenant_alerter_ioc_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/IOCConfig' tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string /supervisor_config/tenant/{tenant}/assemblyline/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_tenant_assemblyline_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetAssemblyline' summary: Get connector configuration tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string patch: description: Missing fields are set to their default value. 
operationId: supervisor_config_tenant_assemblyline_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditAssemblyline' responses: "200": description: "" schema: $ref: '#/definitions/GetAssemblyline' "400": description: Bad request summary: Update connector configuration tags: - supervisor_configuration /supervisor_config/tenant/{tenant}/assemblyline/defaults/: get: description: Get default connector configuration operationId: supervisor_config_tenant_assemblyline_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetAssemblyline' tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string /supervisor_config/tenant/{tenant}/binaries_retention/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_tenant_binaries_retention_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/BinariesRetention' summary: Get section configuration tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string patch: description: Missing fields are set to their default value. 
operationId: supervisor_config_tenant_binaries_retention_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/BinariesRetention' responses: "200": description: "" schema: $ref: '#/definitions/BinariesRetention' "400": description: Bad request summary: Update section configuration tags: - supervisor_configuration /supervisor_config/tenant/{tenant}/binaries_retention/defaults/: get: description: Get default section configuration operationId: supervisor_config_tenant_binaries_retention_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/BinariesRetention' tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string /supervisor_config/tenant/{tenant}/cape/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_tenant_cape_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetCape' summary: Get connector configuration tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string patch: description: Missing fields are set to their default value. 
operationId: supervisor_config_tenant_cape_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditCape' responses: "200": description: "" schema: $ref: '#/definitions/GetCape' "400": description: Bad request summary: Update connector configuration tags: - supervisor_configuration /supervisor_config/tenant/{tenant}/cape/defaults/: get: description: Get default connector configuration operationId: supervisor_config_tenant_cape_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetCape' tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string /supervisor_config/tenant/{tenant}/collector/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_tenant_collector_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Collector' summary: Get section configuration tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string patch: description: Missing fields are set to their default value. 
operationId: supervisor_config_tenant_collector_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/Collector' responses: "200": description: "" schema: $ref: '#/definitions/Collector' "400": description: Bad request summary: Update section configuration tags: - supervisor_configuration /supervisor_config/tenant/{tenant}/collector/defaults/: get: description: Get default section configuration operationId: supervisor_config_tenant_collector_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Collector' tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string /supervisor_config/tenant/{tenant}/connector_misp/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_tenant_connector_misp_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetMisp' summary: Get connector configuration tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string patch: description: Missing fields are set to their default value. 
operationId: supervisor_config_tenant_connector_misp_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditMisp' responses: "200": description: "" schema: $ref: '#/definitions/GetMisp' "400": description: Bad request summary: Update connector configuration tags: - supervisor_configuration /supervisor_config/tenant/{tenant}/connector_misp/defaults/: get: description: Get default connector configuration operationId: supervisor_config_tenant_connector_misp_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetMisp' tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string /supervisor_config/tenant/{tenant}/customization/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_tenant_customization_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Customization' summary: Get section configuration tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string patch: description: Missing fields are set to their default value. 
operationId: supervisor_config_tenant_customization_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/Customization' responses: "200": description: "" schema: $ref: '#/definitions/Customization' "400": description: Bad request summary: Update section configuration tags: - supervisor_configuration /supervisor_config/tenant/{tenant}/customization/defaults/: get: description: Get default section configuration operationId: supervisor_config_tenant_customization_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Customization' tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string /supervisor_config/tenant/{tenant}/downloader/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_tenant_downloader_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Downloader' summary: Get section configuration tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string patch: description: Missing fields are set to their default value. 
operationId: supervisor_config_tenant_downloader_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/Downloader' responses: "200": description: "" schema: $ref: '#/definitions/Downloader' "400": description: Bad request summary: Update section configuration tags: - supervisor_configuration /supervisor_config/tenant/{tenant}/downloader/defaults/: get: description: Get default section configuration operationId: supervisor_config_tenant_downloader_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Downloader' tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string /supervisor_config/tenant/{tenant}/es_ilm_indices__policies/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_tenant_es_ilm_indices__policies_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ESILMIndicesPolicies' summary: Get section configuration tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string patch: description: Missing fields are set to their default value. 
operationId: supervisor_config_tenant_es_ilm_indices__policies_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/ESILMIndicesPolicies' responses: "200": description: "" schema: $ref: '#/definitions/ESILMIndicesPolicies' "400": description: Bad request summary: Update section configuration tags: - supervisor_configuration /supervisor_config/tenant/{tenant}/es_ilm_indices__policies/defaults/: get: description: Get default section configuration operationId: supervisor_config_tenant_es_ilm_indices__policies_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ESILMIndicesPolicies' tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string /supervisor_config/tenant/{tenant}/es_indices__replicas/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_tenant_es_indices__replicas_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ESIndicesReplicas' summary: Get section configuration tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string patch: description: Missing fields are set to their default value. 
operationId: supervisor_config_tenant_es_indices__replicas_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/ESIndicesReplicas' responses: "200": description: "" schema: $ref: '#/definitions/ESIndicesReplicas' "400": description: Bad request summary: Update section configuration tags: - supervisor_configuration /supervisor_config/tenant/{tenant}/es_indices__replicas/defaults/: get: description: Get default section configuration operationId: supervisor_config_tenant_es_indices__replicas_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ESIndicesReplicas' tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string /supervisor_config/tenant/{tenant}/event_stacktrace/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_tenant_event_stacktrace_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/EventStackTrace' summary: Get section configuration tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string patch: description: Missing fields are set to their default value. 
operationId: supervisor_config_tenant_event_stacktrace_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/EventStackTrace' responses: "200": description: "" schema: $ref: '#/definitions/EventStackTrace' "400": description: Bad request summary: Update section configuration tags: - supervisor_configuration /supervisor_config/tenant/{tenant}/event_stacktrace/defaults/: get: description: Get default section configuration operationId: supervisor_config_tenant_event_stacktrace_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/EventStackTrace' tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string /supervisor_config/tenant/{tenant}/export/: get: consumes: - multipart/form-data description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_tenant_export_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetExport' summary: Get connector configuration tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string patch: consumes: - multipart/form-data description: Missing fields are set to their default value. A partial update that omits a field therefore resets it instead of leaving it unchanged, so resend every field that must be kept, including the uploaded ssl_cacert, ssl_cert and ssl_key files. Note that ssl_verify defaults to false, so it must be sent as true on every update where peer certificate checking of the ssl-tcp destination is wanted. 
operationId: supervisor_config_tenant_export_partial_update parameters: - default: false in: formData name: enabled required: false type: boolean - in: formData minLength: 1 name: host required: false type: string x-nullable: true - in: formData maximum: 65535 minimum: 1 name: port required: false type: integer x-nullable: true - enum: - rfc3164 - rfc5424 in: formData name: rfc required: false type: string x-nullable: true - enum: - ssl-tcp - tcp - udp in: formData name: protocol required: false type: string x-nullable: true - collectionFormat: multi default: [] in: formData items: enum: - agent - agentlog - alert - amsi_scan - auditlog - authentication - bpf - connectionlog - dns_resolution - driverload - eventlog - experimental_alert - file - group - informational_alert - injectedthread - investigation - kube_pod_event - library_load - named_pipe - network - network_listen - powershell - process - process_access - process_duplicate_handle - process_ptrace - process_tamper - raw_device_access - raw_socket_creation - registry - remotethread - resource - scheduled_task - threat - url_request - usb_activity - user - win32k_get_async_key_state - win32k_register_raw_input_devices - win32k_set_windows_hook_ex - windows_service - wmi_event type: string name: logs required: false type: array x-nullable: true - default: false in: formData name: ssl_verify required: false type: boolean - default: hurukai in: formData minLength: 1 name: app_name required: false type: string - default: hurukai in: formData minLength: 1 name: source_host required: false type: string - in: formData minLength: 1 name: structured_data required: false type: string x-nullable: true - default: false in: formData name: exclude_rule_content required: false type: boolean - in: formData name: ssl_cacert required: false type: file x-nullable: true - in: formData name: ssl_cert required: false type: file x-nullable: true - in: formData name: ssl_key required: false type: file x-nullable: true responses: 
"200": description: "" schema: $ref: '#/definitions/GetExport' "400": description: Bad request summary: Update connector configuration tags: - supervisor_configuration /supervisor_config/tenant/{tenant}/export/defaults/: get: consumes: - multipart/form-data description: Get default connector configuration operationId: supervisor_config_tenant_export_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetExport' tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string /supervisor_config/tenant/{tenant}/export_elastic/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_tenant_export_elastic_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetExportElastic' summary: Get connector configuration tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string patch: description: Missing fields are set to their default value. 
operationId: supervisor_config_tenant_export_elastic_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditExportElastic' responses: "200": description: "" schema: $ref: '#/definitions/GetExportElastic' "400": description: Bad request summary: Update connector configuration tags: - supervisor_configuration /supervisor_config/tenant/{tenant}/export_elastic/defaults/: get: description: Get default connector configuration operationId: supervisor_config_tenant_export_elastic_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetExportElastic' tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string /supervisor_config/tenant/{tenant}/export_s3/: get: consumes: - multipart/form-data description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_tenant_export_s3_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetExportS3' summary: Get connector configuration tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string patch: consumes: - multipart/form-data description: Missing fields are set to their default value. A partial update that omits a field therefore resets it instead of leaving it unchanged, so resend every field that must be kept, including access_key, secret_key and the uploaded ssl_cacert, ssl_cert and ssl_key files. Note that ssl_verify defaults to false, so it must be sent as true on every update where peer certificate checking of the S3 endpoint is wanted. 
operationId: supervisor_config_tenant_export_s3_partial_update parameters: - default: false in: formData name: enabled required: false type: boolean - in: formData minLength: 1 name: url required: false type: string x-nullable: true - in: formData minLength: 1 name: bucket required: false type: string x-nullable: true - in: formData minLength: 1 name: object_prefix required: false type: string x-nullable: true - in: formData minLength: 1 name: access_key required: false type: string x-nullable: true - in: formData minLength: 1 name: secret_key required: false type: string x-nullable: true - in: formData minLength: 1 name: region required: false type: string x-nullable: true - collectionFormat: multi default: [] in: formData items: enum: - alert - authentication - dns_resolution - experimental_alert - file - informational_alert - injectedthread - library_load - network - network_listen - process - raw_socket_creation - remotethread - url_request type: string name: logs required: false type: array x-nullable: true - default: false in: formData name: ssl_verify required: false type: boolean - in: formData name: ssl_cacert required: false type: file x-nullable: true - in: formData name: ssl_cert required: false type: file x-nullable: true - in: formData name: ssl_key required: false type: file x-nullable: true responses: "200": description: "" schema: $ref: '#/definitions/GetExportS3' "400": description: Bad request summary: Update connector configuration tags: - supervisor_configuration /supervisor_config/tenant/{tenant}/export_s3/defaults/: get: consumes: - multipart/form-data description: Get default connector configuration operationId: supervisor_config_tenant_export_s3_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetExportS3' tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string /supervisor_config/tenant/{tenant}/export_secops/: get: description: |- If the stored configuration is 
invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_tenant_export_secops_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetExportSecops' summary: Get connector configuration tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string patch: description: Missing fields are set to their default value. operationId: supervisor_config_tenant_export_secops_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditExportSecops' responses: "200": description: "" schema: $ref: '#/definitions/GetExportSecops' "400": description: Bad request summary: Update connector configuration tags: - supervisor_configuration /supervisor_config/tenant/{tenant}/export_secops/defaults/: get: description: Get default connector configuration operationId: supervisor_config_tenant_export_secops_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetExportSecops' tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string /supervisor_config/tenant/{tenant}/export_splunk/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_tenant_export_splunk_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetExportSplunk' summary: Get connector configuration tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string patch: description: Missing fields are set to their default value. 
operationId: supervisor_config_tenant_export_splunk_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditExportSplunk' responses: "200": description: "" schema: $ref: '#/definitions/GetExportSplunk' "400": description: Bad request summary: Update connector configuration tags: - supervisor_configuration /supervisor_config/tenant/{tenant}/export_splunk/defaults/: get: description: Get default connector configuration operationId: supervisor_config_tenant_export_splunk_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetExportSplunk' tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string /supervisor_config/tenant/{tenant}/glimps/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_tenant_glimps_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetGlimps' summary: Get connector configuration tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string patch: description: Missing fields are set to their default value. 
operationId: supervisor_config_tenant_glimps_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditGlimps' responses: "200": description: "" schema: $ref: '#/definitions/GetGlimps' "400": description: Bad request summary: Update connector configuration tags: - supervisor_configuration /supervisor_config/tenant/{tenant}/glimps/defaults/: get: description: Get default connector configuration operationId: supervisor_config_tenant_glimps_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetGlimps' tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string /supervisor_config/tenant/{tenant}/hibou/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_tenant_hibou_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Hibou' summary: Get section configuration tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string patch: description: Missing fields are set to their default value. 
operationId: supervisor_config_tenant_hibou_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/Hibou' responses: "200": description: "" schema: $ref: '#/definitions/Hibou' "400": description: Bad request summary: Update section configuration tags: - supervisor_configuration /supervisor_config/tenant/{tenant}/hibou/defaults/: get: description: Get default section configuration operationId: supervisor_config_tenant_hibou_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Hibou' tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string /supervisor_config/tenant/{tenant}/irma/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_tenant_irma_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetIrma' summary: Get connector configuration tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string patch: description: Missing fields are set to their default value. 
operationId: supervisor_config_tenant_irma_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditIrma' responses: "200": description: "" schema: $ref: '#/definitions/GetIrma' "400": description: Bad request summary: Update connector configuration tags: - supervisor_configuration /supervisor_config/tenant/{tenant}/irma/defaults/: get: description: Get default connector configuration operationId: supervisor_config_tenant_irma_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetIrma' tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string /supervisor_config/tenant/{tenant}/ldap_auth/: get: consumes: - multipart/form-data description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_tenant_ldap_auth_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetLDAPAuth' summary: Get connector configuration tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string patch: consumes: - multipart/form-data description: Missing fields are set to their default value. A partial update that omits a field therefore resets it instead of leaving it unchanged, so resend every field that must be kept, including search_account_password and the uploaded client_private_key, client_public_key and ca_certifications files. validate_server_certificate has no default and is required on every update, and use_tls defaults to false, so both must be set explicitly on each call to keep a TLS-protected, certificate-validated directory connection. 
operationId: supervisor_config_tenant_ldap_auth_partial_update parameters: - default: false in: formData name: enabled required: false type: boolean - in: formData minLength: 1 name: host required: false type: string x-nullable: true - in: formData maximum: 65535 minimum: 1 name: port required: false type: integer x-nullable: true - default: false in: formData name: use_tls required: false type: boolean - in: formData name: validate_server_certificate required: true type: boolean - default: false in: formData name: use_client_side_certs required: false type: boolean - in: formData minLength: 1 name: base_dn required: false type: string x-nullable: true - in: formData name: active_directory_domain required: false type: string x-nullable: true - in: formData minLength: 1 name: search_account_username required: false type: string x-nullable: true - in: formData minLength: 1 name: search_account_password required: false type: string x-nullable: true - format: uuid in: formData name: default_group required: false type: string x-nullable: true - default: active_directory in: formData minLength: 1 name: type required: false type: string - default: person in: formData minLength: 1 name: user_object_class required: false type: string - default: sAMAccountName in: formData minLength: 1 name: user_field_id required: false type: string - in: formData name: client_public_key required: false type: file x-nullable: true - in: formData name: client_private_key required: false type: file x-nullable: true - in: formData name: ca_certifications required: false type: file x-nullable: true - in: formData name: test_username required: false type: string x-nullable: true responses: "200": description: "" schema: $ref: '#/definitions/GetLDAPAuth' "400": description: Bad request summary: Update connector configuration tags: - supervisor_configuration /supervisor_config/tenant/{tenant}/ldap_auth/defaults/: get: consumes: - multipart/form-data description: Get default connector configuration 
operationId: supervisor_config_tenant_ldap_auth_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetLDAPAuth' tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string /supervisor_config/tenant/{tenant}/mfa/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_tenant_mfa_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/MFA' summary: Get section configuration tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string patch: description: Missing fields are set to their default value. operationId: supervisor_config_tenant_mfa_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/MFA' responses: "200": description: "" schema: $ref: '#/definitions/MFA' "400": description: Bad request summary: Update section configuration tags: - supervisor_configuration /supervisor_config/tenant/{tenant}/mfa/defaults/: get: description: Get default section configuration operationId: supervisor_config_tenant_mfa_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/MFA' tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string /supervisor_config/tenant/{tenant}/network_discovery/: get: description: "" operationId: supervisor_config_tenant_network_discovery_list parameters: - description: A search term. in: query name: search required: false type: string - description: Which field to use when ordering the results. 
in: query name: ordering required: false type: string - description: "" in: query name: id required: false type: string - description: "" in: query name: type required: false type: string - description: "" in: query name: name required: false type: string responses: "200": description: "" schema: $ref: '#/definitions/NetworkDiscoveryConfig' tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string patch: description: "" operationId: supervisor_config_tenant_network_discovery_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/NetworkDiscoveryConfig' responses: "200": description: "" schema: $ref: '#/definitions/NetworkDiscoveryConfig' tags: - supervisor_configuration /supervisor_config/tenant/{tenant}/network_discovery/defaults/: get: description: Get default section configuration operationId: supervisor_config_tenant_network_discovery_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/NetWDiscovery' tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string /supervisor_config/tenant/{tenant}/new_threat_aggregation/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_tenant_new_threat_aggregation_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/NewThreatAggregation' summary: Get section configuration tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string patch: description: Missing fields are set to their default value. 
operationId: supervisor_config_tenant_new_threat_aggregation_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/NewThreatAggregation' responses: "200": description: "" schema: $ref: '#/definitions/NewThreatAggregation' "400": description: Bad request summary: Update section configuration tags: - supervisor_configuration /supervisor_config/tenant/{tenant}/new_threat_aggregation/defaults/: get: description: Get default section configuration operationId: supervisor_config_tenant_new_threat_aggregation_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/NewThreatAggregation' tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string /supervisor_config/tenant/{tenant}/orion/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_tenant_orion_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetOrion' summary: Get connector configuration tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string patch: description: Missing fields are set to their default value. 
operationId: supervisor_config_tenant_orion_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditOrion' responses: "200": description: "" schema: $ref: '#/definitions/GetOrion' "400": description: Bad request summary: Update connector configuration tags: - supervisor_configuration /supervisor_config/tenant/{tenant}/orion/defaults/: get: description: Get default connector configuration operationId: supervisor_config_tenant_orion_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetOrion' tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string /supervisor_config/tenant/{tenant}/password_security/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_tenant_password_security_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/PasswordSecurity' summary: Get section configuration tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string patch: description: Missing fields are set to their default value. 
operationId: supervisor_config_tenant_password_security_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/PasswordSecurity' responses: "200": description: "" schema: $ref: '#/definitions/PasswordSecurity' "400": description: Bad request summary: Update section configuration tags: - supervisor_configuration /supervisor_config/tenant/{tenant}/password_security/defaults/: get: description: Get default section configuration operationId: supervisor_config_tenant_password_security_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/PasswordSecurity' tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string /supervisor_config/tenant/{tenant}/pdf_retention/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_tenant_pdf_retention_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/PDFRetention' summary: Get section configuration tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string patch: description: Missing fields are set to their default value. 
operationId: supervisor_config_tenant_pdf_retention_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/PDFRetention' responses: "200": description: "" schema: $ref: '#/definitions/PDFRetention' "400": description: Bad request summary: Update section configuration tags: - supervisor_configuration /supervisor_config/tenant/{tenant}/pdf_retention/defaults/: get: description: Get default section configuration operationId: supervisor_config_tenant_pdf_retention_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/PDFRetention' tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string /supervisor_config/tenant/{tenant}/proxy/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_tenant_proxy_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetProxy' summary: Get connector configuration tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string patch: description: Missing fields are set to their default value. 
operationId: supervisor_config_tenant_proxy_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditProxy' responses: "200": description: "" schema: $ref: '#/definitions/GetProxy' "400": description: Bad request summary: Update connector configuration tags: - supervisor_configuration /supervisor_config/tenant/{tenant}/proxy/defaults/: get: description: Get default connector configuration operationId: supervisor_config_tenant_proxy_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetProxy' tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string /supervisor_config/tenant/{tenant}/ransomguard/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_tenant_ransomguard_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Ransomguard' summary: Get section configuration tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string patch: description: Missing fields are set to their default value. 
operationId: supervisor_config_tenant_ransomguard_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/Ransomguard' responses: "200": description: "" schema: $ref: '#/definitions/Ransomguard' "400": description: Bad request summary: Update section configuration tags: - supervisor_configuration /supervisor_config/tenant/{tenant}/ransomguard/defaults/: get: description: Get default section configuration operationId: supervisor_config_tenant_ransomguard_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Ransomguard' tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string /supervisor_config/tenant/{tenant}/ransomguard_heuristic/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_tenant_ransomguard_heuristic_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/RansomguardHeuristic' summary: Get section configuration tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string patch: description: Missing fields are set to their default value. 
operationId: supervisor_config_tenant_ransomguard_heuristic_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/RansomguardHeuristic' responses: "200": description: "" schema: $ref: '#/definitions/RansomguardHeuristic' "400": description: Bad request summary: Update section configuration tags: - supervisor_configuration /supervisor_config/tenant/{tenant}/ransomguard_heuristic/defaults/: get: description: Get default section configuration operationId: supervisor_config_tenant_ransomguard_heuristic_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/RansomguardHeuristic' tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string /supervisor_config/tenant/{tenant}/remote_shell/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_tenant_remote_shell_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/RemoteShell' summary: Get section configuration tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string patch: description: Missing fields are set to their default value. 
operationId: supervisor_config_tenant_remote_shell_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/RemoteShell' responses: "200": description: "" schema: $ref: '#/definitions/RemoteShell' "400": description: Bad request summary: Update section configuration tags: - supervisor_configuration /supervisor_config/tenant/{tenant}/remote_shell/defaults/: get: description: Get default section configuration operationId: supervisor_config_tenant_remote_shell_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/RemoteShell' tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string /supervisor_config/tenant/{tenant}/security/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_tenant_security_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Security' summary: Get section configuration tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string patch: description: Missing fields are set to their default value. 
operationId: supervisor_config_tenant_security_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/Security' responses: "200": description: "" schema: $ref: '#/definitions/Security' "400": description: Bad request summary: Update section configuration tags: - supervisor_configuration /supervisor_config/tenant/{tenant}/security/defaults/: get: description: Get default section configuration operationId: supervisor_config_tenant_security_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Security' tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string /supervisor_config/tenant/{tenant}/sidewatch/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_tenant_sidewatch_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Sidewatch' summary: Get section configuration tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string patch: description: Missing fields are set to their default value. 
operationId: supervisor_config_tenant_sidewatch_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/Sidewatch' responses: "200": description: "" schema: $ref: '#/definitions/Sidewatch' "400": description: Bad request summary: Update section configuration tags: - supervisor_configuration /supervisor_config/tenant/{tenant}/sidewatch/defaults/: get: description: Get default section configuration operationId: supervisor_config_tenant_sidewatch_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/Sidewatch' tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string /supervisor_config/tenant/{tenant}/thehive/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_tenant_thehive_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetThehive' summary: Get connector configuration tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string patch: description: Missing fields are set to their default value. 
operationId: supervisor_config_tenant_thehive_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditThehive' responses: "200": description: "" schema: $ref: '#/definitions/GetThehive' "400": description: Bad request summary: Update connector configuration tags: - supervisor_configuration /supervisor_config/tenant/{tenant}/thehive/defaults/: get: description: Get default connector configuration operationId: supervisor_config_tenant_thehive_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetThehive' tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string /supervisor_config/tenant/{tenant}/threat_intelligence/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_tenant_threat_intelligence_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ThreatIntelligence' summary: Get section configuration tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string patch: description: Missing fields are set to their default value. 
operationId: supervisor_config_tenant_threat_intelligence_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/ThreatIntelligence' responses: "200": description: "" schema: $ref: '#/definitions/ThreatIntelligence' "400": description: Bad request summary: Update section configuration tags: - supervisor_configuration /supervisor_config/tenant/{tenant}/threat_intelligence/defaults/: get: description: Get default section configuration operationId: supervisor_config_tenant_threat_intelligence_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ThreatIntelligence' tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string /supervisor_config/tenant/{tenant}/threat_status_binding/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_tenant_threat_status_binding_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ThreatStatusBinding' summary: Get section configuration tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string patch: description: Missing fields are set to their default value. 
operationId: supervisor_config_tenant_threat_status_binding_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/ThreatStatusBinding' responses: "200": description: "" schema: $ref: '#/definitions/ThreatStatusBinding' "400": description: Bad request summary: Update section configuration tags: - supervisor_configuration /supervisor_config/tenant/{tenant}/threat_status_binding/defaults/: get: description: Get default section configuration operationId: supervisor_config_tenant_threat_status_binding_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ThreatStatusBinding' tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string /supervisor_config/tenant/{tenant}/virustotal/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_tenant_virustotal_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetVirusTotal' summary: Get connector configuration tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string patch: description: Missing fields are set to their default value. 
operationId: supervisor_config_tenant_virustotal_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditVirusTotal' responses: "200": description: "" schema: $ref: '#/definitions/GetVirusTotal' "400": description: Bad request summary: Update connector configuration tags: - supervisor_configuration /supervisor_config/tenant/{tenant}/virustotal/defaults/: get: description: Get default connector configuration operationId: supervisor_config_tenant_virustotal_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetVirusTotal' tags: - supervisor_configuration parameters: - in: path name: tenant required: true type: string /supervisor_config/thehive/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_thehive_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetThehive' summary: Get connector configuration tags: - supervisor_configuration parameters: [] patch: description: Missing fields are set to their default value. operationId: supervisor_config_thehive_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditThehive' responses: "200": description: "" schema: $ref: '#/definitions/GetThehive' "400": description: Bad request summary: Update connector configuration tags: - supervisor_configuration /supervisor_config/thehive/defaults/: get: description: Get default connector configuration operationId: supervisor_config_thehive_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetThehive' tags: - supervisor_configuration parameters: [] /supervisor_config/thehive/test/: parameters: [] post: description: Test connector connection with provided settings. Does not save any change. 
operationId: supervisor_config_thehive_test parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditThehive' responses: "200": description: Configuration is valid schema: $ref: '#/definitions/ConnectorTest' "400": description: Bad request schema: $ref: '#/definitions/ConnectorTest' summary: Test connector connection tags: - supervisor_configuration /supervisor_config/threat_intelligence/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_threat_intelligence_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ThreatIntelligence' summary: Get section configuration tags: - supervisor_configuration parameters: [] patch: description: Missing fields are set to their default value. operationId: supervisor_config_threat_intelligence_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/ThreatIntelligence' responses: "200": description: "" schema: $ref: '#/definitions/ThreatIntelligence' "400": description: Bad request summary: Update section configuration tags: - supervisor_configuration /supervisor_config/threat_intelligence/defaults/: get: description: Get default section configuration operationId: supervisor_config_threat_intelligence_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ThreatIntelligence' tags: - supervisor_configuration parameters: [] /supervisor_config/threat_status_binding/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_threat_status_binding_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ThreatStatusBinding' summary: Get section 
configuration tags: - supervisor_configuration parameters: [] patch: description: Missing fields are set to their default value. operationId: supervisor_config_threat_status_binding_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/ThreatStatusBinding' responses: "200": description: "" schema: $ref: '#/definitions/ThreatStatusBinding' "400": description: Bad request summary: Update section configuration tags: - supervisor_configuration /supervisor_config/threat_status_binding/defaults/: get: description: Get default section configuration operationId: supervisor_config_threat_status_binding_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/ThreatStatusBinding' tags: - supervisor_configuration parameters: [] /supervisor_config/virustotal/: get: description: |- If the stored configuration is invalid, an additional field `errors` is returned with the format: ```json {"field": ["error1", "error2"], "field2": ["error3", "error4"]} ``` operationId: supervisor_config_virustotal_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetVirusTotal' summary: Get connector configuration tags: - supervisor_configuration parameters: [] patch: description: Missing fields are set to their default value. 
operationId: supervisor_config_virustotal_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditVirusTotal' responses: "200": description: "" schema: $ref: '#/definitions/GetVirusTotal' "400": description: Bad request summary: Update connector configuration tags: - supervisor_configuration /supervisor_config/virustotal/defaults/: get: description: Get default connector configuration operationId: supervisor_config_virustotal_defaults parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/GetVirusTotal' tags: - supervisor_configuration parameters: [] /supervisor_config/virustotal/test/: parameters: [] post: description: Test connector connection with provided settings. Does not save any change. operationId: supervisor_config_virustotal_test parameters: - in: body name: data required: true schema: $ref: '#/definitions/EditVirusTotal' responses: "200": description: Configuration is valid schema: $ref: '#/definitions/ConnectorTest' "400": description: Bad request schema: $ref: '#/definitions/ConnectorTest' summary: Test connector connection tags: - supervisor_configuration /supervisor_configuration/: get: consumes: - application/json - application/yaml description: "" operationId: supervisor_configuration_list parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/SupervisorAllConfigSectionDownload' tags: - supervisor_configuration parameters: [] patch: consumes: - application/json - application/yaml description: Configuration fields not present in the request are left untouched. operationId: supervisor_configuration_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/SupervisorAllConfigSectionDownload' responses: "200": description: "" schema: $ref: '#/definitions/SupervisorAllConfigSectionDownload' "400": description: Bad request summary: Update the stored configuration with the given one. 
tags: - supervisor_configuration put: consumes: - application/json - application/yaml description: Existing configuration is completely deleted before being replaced. operationId: supervisor_configuration_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/SupervisorAllConfigSectionDownload' responses: "200": description: "" schema: $ref: '#/definitions/SupervisorAllConfigSectionDownload' "400": description: Bad request summary: Replace the stored configuration with the given one. tags: - supervisor_configuration /tenant/: get: description: "" operationId: tenant_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/_Tenant' tags: - information parameters: [] /user/api_documentation_allowed/: get: description: Basic view called by nginx prior to allowing an HTTP request to reach the API documentation. operationId: user_api_documentation_allowed_list parameters: [] responses: "200": description: "" tags: - user parameters: [] /user/api_token/: parameters: [] post: description: Recreate a new API token for the user who sends the request. operationId: user_api_token_create parameters: - in: body name: data required: true schema: $ref: '#/definitions/RequestToken' responses: "200": description: "" schema: $ref: '#/definitions/ResponseToken' tags: - user /user/app_settings/{path}: delete: description: "| path | What will be deleted (**in bold**) |\n| ------ | ------ |\n| | {**\"a\": {\"a\": 1, \"b\": {\"a\": 1, \"b\": 2, \"c\": 3}, \"c\": 3},\"b\": 2,\"c\": 3**} |\n| `b` | {\"a\": {\"a\": 1, \"b\": {\"a\": 1, \"b\": 2, \"c\": 3}, \"c\": 3}, **\"b\": 2**,\"c\": 3} |\n| `a/b` | {\"a\": {\"a\": 1, **\"b\": {\"a\": 1, \"b\": 2, \"c\": 3}**, \"c\": 3},\"b\": 2,\"c\": 3} |\n| `a/b/b` | {\"a\": {\"a\": 1, \"b\": {\"a\": 1, **\"b\": 2**, \"c\": 3}, \"c\": 3},\"b\": 2,\"c\": 3} |\n| `%20%F0%9F%9A%80%E5%93%87` | {**\" \U0001F680哇\": 42**, \"a\": 1} |\n\nThere is no character restriction, any unicode should work. 
Don't forget to urlencode the path though." operationId: user_app_settings_delete parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/UserAppSettings' summary: Delete a key in the user-specific application settings. tags: - user parameters: - in: path name: path required: true type: string patch: description: "This call will try to merge the content of the specified key using the provided data.\nIn case of conflict, the provided data will be preferred.\n\nOnly the first level will be merged; sub-lists and sub-dicts will not be merged.\n\n| path | What will be updated (**in bold**) |\n| ------ | ------ |\n| | {**\"a\": {\"a\": 1, \"b\": {\"a\": 1, \"b\": 2, \"c\": 3}, \"c\": 3},\"b\": 2,\"c\": 3**} |\n| `b` | {\"a\": {\"a\": 1, \"b\": {\"a\": 1, \"b\": 2, \"c\": 3}, \"c\": 3}, \"b\": **2**,\"c\": 3} |\n| `a/b` | {\"a\": {\"a\": 1, \"b\": **{\"a\": 1, \"b\": 2, \"c\": 3}**, \"c\": 3},\"b\": 2,\"c\": 3} |\n| `a/b/b` | {\"a\": {\"a\": 1, \"b\": {\"a\": 1, \"b\": **2**, \"c\": 3}, \"c\": 3},\"b\": 2,\"c\": 3} |\n| `%20%F0%9F%9A%80%E5%93%87` | {\" \U0001F680哇\": **42**, \"a\": 1} |\n\nThere is no character restriction, any unicode should work. Don't forget to urlencode the path though." operationId: user_app_settings_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/AppSettingsJson' responses: "200": description: "" schema: $ref: '#/definitions/UserAppSettings' summary: Update user-specific application settings in an arbitrary JSON format. 
tags: - user put: description: "This call will replace the content of the specified key using the provided data.\n\n| path | What will be changed (**in bold**) |\n| ------ | ------ |\n| | {**\"a\": {\"a\": 1, \"b\": {\"a\": 1, \"b\": 2, \"c\": 3}, \"c\": 3},\"b\": 2,\"c\": 3**} |\n| `b` | {\"a\": {\"a\": 1, \"b\": {\"a\": 1, \"b\": 2, \"c\": 3}, \"c\": 3}, \"b\": **2**,\"c\": 3} |\n| `a/b` | {\"a\": {\"a\": 1, \"b\": **{\"a\": 1, \"b\": 2, \"c\": 3}**, \"c\": 3},\"b\": 2,\"c\": 3} |\n| `a/b/b` | {\"a\": {\"a\": 1, \"b\": {\"a\": 1, \"b\": **2**, \"c\": 3}, \"c\": 3},\"b\": 2,\"c\": 3} |\n| `%20%F0%9F%9A%80%E5%93%87` | {\" \U0001F680哇\": **42**, \"a\": 1} |\n\nThere is no character restriction, any unicode should work. Don't forget to urlencode the path though." operationId: user_app_settings_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/AppSettingsJson' responses: "200": description: "" schema: $ref: '#/definitions/UserAppSettings' summary: Change user-specific application settings in an arbitrary JSON format. tags: - user /user/datavisualization_allowed/: get: description: Basic view called by nginx prior to allowing an http request to reach the data visualization (kibana) service. operationId: user_datavisualization_allowed_list parameters: [] responses: "200": description: "" tags: - user parameters: [] /user/documentation_allowed/: get: description: Basic view called by nginx prior to allowing an http request to reach the documentation. operationId: user_documentation_allowed_list parameters: [] responses: "200": description: "" tags: - user parameters: [] /user/monitoring_allowed/: get: description: Basic view called by nginx prior to allowing an http request to reach the monitoring (grafana) service. 
operationId: user_monitoring_allowed_list parameters: [] responses: "200": description: "" tags: - user parameters: [] /user/news_allowed/: get: description: Basic view called by nginx prior to allowing an http request to reach the assets for feature highlights. operationId: user_news_allowed_list parameters: [] responses: "200": description: "" tags: - user parameters: [] /user/password/: parameters: [] patch: description: "" operationId: user_password_partial_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/Password' responses: "200": description: "" schema: $ref: '#/definitions/Password' tags: - user put: description: "" operationId: user_password_update parameters: - in: body name: data required: true schema: $ref: '#/definitions/Password' responses: "200": description: "" schema: $ref: '#/definitions/Password' tags: - user /user/profile/: get: description: "" operationId: user_profile_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/HlUserSerializer' tags: - user parameters: [] /version/: get: description: "" operationId: version_read parameters: [] responses: "200": description: "" schema: $ref: '#/definitions/_Version' tags: - information parameters: [] produces: - application/json security: - Token: [] securityDefinitions: Token: in: header name: Authorization type: apiKey swagger: "2.0"