Incidents API Definitions
Criteria
Request object informing the system of the request's filtering criteria.

Name | Description | Schema |
---|---|---|
actorIdType | Filter events based on the inclusive actor identifier type recorded. Case sensitive. | enum (USER, IP_ADDRESS) |
actorIds | List of inclusive actor identifiers, each either a user name or an IP address (may be tokenized depending on product configuration), which will be applied to limit the response. An empty list implies all users and IP addresses of the authenticated tenant. | < string > array |
category (optional) | Threat category associated with the incident. | < string > array |
deviceTypes | Filter events based on the selected list of inclusive device types. Default (empty) ::= all. Case sensitive values ::= [ AndroidMobile \| BlackberryMobile \| iPadMobile \| iPhoneMobile \| iPodMobile \| JavaApplication \| LinuxDesktop \| MacDesktop \| PlaystationGaming \| SymbianMobile \| WiiGaming \| WindowsDesktop \| WindowsPhoneMobile \| Unknown ] | < string > array |
endTime | Filter for the ending date-time, exclusive. Default (empty) ::= now. Format ::= yyyy-mm-ddThh:mm:ss[Z([+-]hh:mm)] | string (date-time) |
incidentCriteria | Incident-level filtering criteria; see IncidentCriteria. | IncidentCriteria |
permissionType | Filter events based on whether the event was allowed or not. Case sensitive. | enum (ALLOWED, DENIED) |
protocolTypes | Filter events based on a list of inclusive protocols used. The protocol values are kept in a database table; some case sensitive values ::= [ dns \| http \| https \| ntp \| Unknown ] | < string > array |
serviceCategories | Filter events based on a list of inclusive service categories used. The category values are kept in a database table; some case sensitive values ::= [ Backup and Archiving \| Business Intelligence \| Cloud Infrastructure \| Cloud Storage \| Collaboration \| Content Sharing \| CRM \| Development \| e-Commerce \| ERP \| Finance \| Health Care \| HR \| IaaS Admin Console \| IT Services \| Legal \| Logistics \| Marketing \| Media \| Networking \| Procurement \| Project Management \| Security \| Service Desk and Support \| Service Proxy \| Social Media \| Tracking \| Uncategorized \| Virtual Data Rooms \| Web Application ] | < string > array |
serviceNames | List of inclusive service names that will be applied to restrict the response. An empty list implies all services of the authenticated tenant. | < string > array |
serviceRiskMaximum | Filter events with service risk scores at or greater than this value, inclusive. Higher values reflect more risk. Value must be >= serviceRiskMinimum. | integer (int32) |
serviceRiskMinimum | Filter events with service risk scores at or less than this value, inclusive. Higher values reflect more risk. Value must be <= serviceRiskMaximum. | integer (int32) |
startTime | Filter for the starting date-time, inclusive. Default (empty) ::= now. Format ::= yyyy-mm-ddThh:mm:ss[Z([+-]hh:mm)] | string (date-time) |
uploadDataMinimum | Filter events to those whose uploaded data is at least this size, inclusive. | integer (int64) |
userRiskMaximum | Filter events with user risk scores at or greater than this value, inclusive. Higher values reflect more risk. Value must be >= userRiskMinimum. | integer (int32) |
userRiskMinimum | Filter events with user risk scores at or less than this value, inclusive. Higher values reflect more risk. Value must be <= userRiskMaximum. | integer (int32) |
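The following Python is an added example, not code from the Incidents API documentation or its vendor. It assembles a Criteria body and checks the constraints the table states before anything is sent: the case-sensitive enums, the documented date-time format, the minimum <= maximum rule for the service and user risk fields, and that the inclusive startTime precedes the exclusive endTime. The endpoint URL and HTTP client are not described on this page, so the example stops at a validated JSON body; the regex is my reading of the `yyyy-mm-ddThh:mm:ss[Z([+-]hh:mm)]` notation (a trailing `Z` or a `+hh:mm`/`-hh:mm` offset), and the sample values are constructed.

```python
"""Added example (not part of the Incidents API documentation): build and validate
a Criteria request body locally before sending it. Field names and constraints are
taken from the Criteria table; the endpoint and HTTP client are not on the page,
so no request is made here."""
import json
import re
from datetime import datetime, timezone

ACTOR_ID_TYPES = {"USER", "IP_ADDRESS"}      # Criteria.actorIdType, case sensitive
PERMISSION_TYPES = {"ALLOWED", "DENIED"}      # Criteria.permissionType, case sensitive
PRODUCTS = {"SANCTIONED", "SHADOW"}           # IncidentCriteria.product

# Assumed reading of the documented format yyyy-mm-ddThh:mm:ss[Z([+-]hh:mm)]:
# seconds precision, then an optional 'Z' or a +hh:mm / -hh:mm offset.
TIME_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(Z|[+-]\d{2}:\d{2})?$")


def parse_time(value):
    """Parse a Criteria date-time string into an aware datetime (UTC when no zone is given)."""
    if not TIME_RE.match(value):
        raise ValueError(f"bad date-time format: {value!r}")
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def validate_criteria(criteria):
    """Return a list of constraint violations; an empty list means the body is acceptable."""
    problems = []
    if "actorIdType" in criteria and criteria["actorIdType"] not in ACTOR_ID_TYPES:
        problems.append("actorIdType must be USER or IP_ADDRESS (case sensitive)")
    if "permissionType" in criteria and criteria["permissionType"] not in PERMISSION_TYPES:
        problems.append("permissionType must be ALLOWED or DENIED (case sensitive)")
    product = criteria.get("incidentCriteria", {}).get("product")
    if product is not None and product not in PRODUCTS:
        problems.append("incidentCriteria.product must be SANCTIONED or SHADOW")
    # Risk score windows: documented as minimum <= maximum, both inclusive
    for lo, hi in (("serviceRiskMinimum", "serviceRiskMaximum"),
                   ("userRiskMinimum", "userRiskMaximum")):
        if lo in criteria and hi in criteria and criteria[lo] > criteria[hi]:
            problems.append(f"{lo} must be <= {hi}")
    times = {}
    for key in ("startTime", "endTime"):
        if key in criteria:
            try:
                times[key] = parse_time(criteria[key])
            except ValueError as exc:
                problems.append(str(exc))
    # startTime is inclusive and endTime exclusive, so an empty window is a client bug
    if len(times) == 2 and times["startTime"] >= times["endTime"]:
        problems.append("startTime must be earlier than endTime")
    return problems


def build_request(criteria):
    """Serialise a validated Criteria body; raises ValueError listing every violation."""
    problems = validate_criteria(criteria)
    if problems:
        raise ValueError("; ".join(problems))
    return json.dumps(criteria, sort_keys=True)


# Constructed sample: denied shadow-IT events from high-risk services during one day (UTC).
SAMPLE_CRITERIA = {
    "actorIdType": "USER",
    "actorIds": [],                    # empty list: all users of the authenticated tenant
    "permissionType": "DENIED",
    "serviceRiskMinimum": 7,
    "serviceRiskMaximum": 9,
    "startTime": "2019-05-17T00:00:00Z",
    "endTime": "2019-05-18T00:00:00Z",
    "incidentCriteria": {"product": "SHADOW"},
}

if __name__ == "__main__":
    print(build_request(SAMPLE_CRITERIA))
```

Validating client-side keeps malformed filters from turning into 4xx responses whose `target` field you then have to decode; it also catches the silent case where a swapped minimum/maximum pair would simply match nothing.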
Error
Unexpected error code and description.

Name | Description | Schema |
---|---|---|
code | HTTP status code ::= 2xx success, 4xx client error, or 5xx server error. | integer (int32) |
details | Additional smaller errors that caused the main error. | < Error > array |
message | English equivalent of the HTTP status code used. | string |
target | Optional comma-separated field name(s) with the issue to resolve. | string |
Incident
The incident.

Name | Description | Schema |
---|---|---|
activityNames | List of names of activities that caused the incident. | < string > array |
actorId | Actor identifier involved in the incident; either a user name or an IP address (may be tokenized depending on product configuration); see actorIdType. | string |
actorIdType | Indicates whether the actor identifier is a user name or an IP address. | enum (User, IpAddress) |
incidentGroup | Concatenated incidentType.category.name fields. | string |
incidentId | Unique identifier for this particular incident, which includes a three-letter prefix and a dash identifying the type of incident: SHW – Shadow Anomaly. | string |
incidentRiskScore | Risk score associated with the incident. | number (double) |
incidentRiskSeverity | Indication of the amount of risk involved in the incident. Values ::= [ low \| medium \| high ] | string |
information | List of other key:value pairs associated with the incident. For a list of the keys, use the queryIncidentInformationKeys command. | < KeyValue > array |
responses | List of actionable responses for the incident. | < string > array |
serviceNames | List of names of services involved in the incident. | < string > array |
status | Current state of the incident. Values ::= [ new \| opened \| false positive \| resolved \| suppressed \| archived ] | string |
timeCreated | Time the incident was created. Format ::= yyyy-mm-ddThh:mm:ss.sssZ | string (date-time) |
timeModified | Time the incident was last modified. The startTime and endTime filters apply to this modified time. Format ::= yyyy-mm-ddThh:mm:ss.sssZ | string (date-time) |
IncidentCategory
Identifies an incident group by incidentType and category for purposes of filtering. The incidentType is required. Category is optional; if it is not provided, all categories for the incidentType are included.

Name | Description | Schema |
---|---|---|
category | Qualifying category within incidentType; each category is valid only for the incidentType shown in parentheses. Case sensitive values ::= [ Access (Alert) \| Admin (Alert) \| Audit (Alert) \| CompromisedAccount (Threat) \| Data (Alert) \| InsiderThreat (Threat) \| Policy (Alert) \| PrivilegeAccess (Threat) \| Vulnerability (Alert) ] | string |
incidentType | A type of incident. Incident type 'Event' is not yet supported. Case sensitive values ::= [ Alert \| Event* \| Threat ] | string |
IncidentCriteria
Request criteria informing the system of inclusive incident filtering. Only categories may be specified per request.

Name | Description | Schema |
---|---|---|
categories | Inclusively filter incidents based on an incident group of incidentType and category. | < IncidentCategory > array |
product | Inclusively filter incidents based on the product. | enum (SANCTIONED, SHADOW) |
fields | Inclusively filter sanctioned incidents based on incident fields. Multiple fields are ANDed and multiple values are ORed. The only field names currently supported are policyName, policyId, contentItemName, contentItemId, and status. Only built-in status values are supported for the filter query. Example: `"incidentCriteria": { "fields": { "policyName": ["PII", "Encrypted files"] } }` | < string, < string > array > map |
historicaluserriskscore (optional) | Inclusively filter sanctioned DLP incidents based on the Low (1-3), Medium (4-6), and High-risk (7-9) scores assigned to sanctioned DLP users. | |
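As an added example (not code from the Incidents API documentation or its vendor), the Python below re-implements the documented `fields` semantics locally: multiple fields are ANDed, multiple values within one field are ORed, only the five listed field names are accepted, and the `status` filter is restricted to the built-in status values from the Incident table. It wraps the map in a request fragment shaped like the page's own example (adding `"product": "SANCTIONED"`, which the page's example omits but the table implies since fields filter sanctioned incidents) and applies the same logic to a constructed sample of incidents, so the expected result of a query can be checked offline before trusting what comes back.

```python
"""Added example (not part of the Incidents API documentation): local implementation
of IncidentCriteria.fields semantics (AND across fields, OR within a field) plus the
request fragment that carries it. Sample incidents are constructed, not real data."""

SUPPORTED_FIELDS = {"policyName", "policyId", "contentItemName", "contentItemId", "status"}
# Built-in Incident.status values from the Incident definition
BUILT_IN_STATUSES = {"new", "opened", "false positive", "resolved", "suppressed", "archived"}


def make_field_filter(fields):
    """Validate a fields map and return a predicate: AND across fields, OR within a field."""
    unknown = set(fields) - SUPPORTED_FIELDS
    if unknown:
        raise ValueError(f"unsupported field name(s): {sorted(unknown)}")
    for name, values in fields.items():
        if not isinstance(values, list) or not values:
            raise ValueError(f"{name}: expected a non-empty list of values")
    bad_status = set(fields.get("status", [])) - BUILT_IN_STATUSES
    if bad_status:
        raise ValueError(f"status filter accepts built-in values only, got {sorted(bad_status)}")

    # Compare as strings so a numeric policyId in the filter matches the incident's value
    wanted = {name: {str(v) for v in values} for name, values in fields.items()}

    def matches(incident):
        return all(str(incident.get(name)) in values for name, values in wanted.items())

    return matches


def build_incident_criteria(fields):
    """Request fragment in the shape shown in the definitions; product SANCTIONED is an assumption."""
    make_field_filter(fields)  # fail early on an unsupported field or status value
    return {"incidentCriteria": {"product": "SANCTIONED", "fields": fields}}


def filter_incidents(incidents, fields):
    """Apply the documented semantics to a local list of incident dicts."""
    matches = make_field_filter(fields)
    return [inc for inc in incidents if matches(inc)]


# Constructed sample of sanctioned incidents (ids, names and numbers are made up)
SAMPLE_INCIDENTS = [
    {"incidentId": "SAN-1", "policyName": "PII", "policyId": 1001, "status": "new"},
    {"incidentId": "SAN-2", "policyName": "Encrypted files", "policyId": 1002, "status": "resolved"},
    {"incidentId": "SAN-3", "policyName": "Source code", "policyId": 1003, "status": "new"},
    {"incidentId": "SAN-4", "policyName": "Encrypted files", "policyId": 1002, "status": "new"},
]


def matching_ids(fields):
    """Convenience wrapper returning only the incidentIds that the fields map selects."""
    return [inc["incidentId"] for inc in filter_incidents(SAMPLE_INCIDENTS, fields)]


if __name__ == "__main__":
    query = {"policyName": ["PII", "Encrypted files"], "status": ["new"]}
    print(build_incident_criteria(query))
    print(matching_ids(query))
```

Running the same predicate over a saved page of results is a cheap regression check: if the API ever returns an incident the local predicate rejects, either the filter was built wrong or the server-side semantics have changed.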
IncidentInformationKeysByType
The list of information keys available per incident type. Each information key consists of two fields: key ::= the key used to access the value from the information map, and value ::= a description of the value that will be retrieved.

Name | Description | Schema |
---|---|---|
informationKeys | Information keys available for this incident type, each paired with a description of the value it retrieves. | < KeyValue > array |
type | Type of incident. Values ::= [ AuditViolation (Alert.Audit…) \| PolicyViolation (Alert.Policy.Dlp) \| SanctionedAnomaly (Alert…) \| ShadowAnomaly (Alert…) \| Threat (Threat…) \| VulnerabilityViolation (Alert.Policy.Vulnerability) ] | string |
IncidentResponse
The response information and incidents.

Name | Schema |
---|---|
incidents | < Incident > array |
responseInfo | ResponseInfo |
Anomaly
Information about the anomaly.

Name | Description | Schema |
---|---|---|
anomalyCategory (optional) | Lists the anomaly category an incident belongs to. | < string > array |
anomalyCount (optional) | Number of underlying anomalies. | < string > array |
anomalyIds (optional) | Comma-separated list of underlying anomaly IDs. The ANO- prefix identifies the incident as an anomaly. | < string > array |

Example:

```
<14>Aug 15 16:58:16 EC-test00.app.qa.sjc.shn activityNames [-1],actorId=tp_realtime_activity_enrichment_0_1558064392_19817@shn.com,actorIdType=USER,incidentGroup=Alert.Access. AnomalousAccessLocation,incidentId=ANO-94483,incidentRiskScore=10.0,incidentRiskSeverity=high, anomalyCategory="Access Anomalies",anomalyCause="CUSTOMER BLACKLIST",anomalyValue=NA, informationCities="[shimajiri, nowshera, oslo, moscow, beijing]",countries="[NO, RU, JP, CN, PK]",isPartOfThreat=false, informationServicesAndAccountIds=" {""Box"":""""} ",informationSourceIpOrgs="[knet techonlogy beijing co. ltd., kddi corporation, telenor norge as, channel one russia worldwide, pakistan telecommuication company limited]", sourceIps="[80.64.104.97, 39.43.30.58, 14.12.145.139, 1.2.2.78, 2.148.4.85]",threatCategory="Compromised Accounts", thresholdDuration=weekly,thresholdValue=-1,responses="[Admin Login, Admin Login, Admin Login, Admin Login, Admin Login]", serviceNames=[Box],status=opened,timeCreated="May 17 2019 03:31:52.000 UTC",timeModified="May 17 2019 03:51:01.525 UTC"
```
Audit

Name | Description | Schema |
---|---|---|
alert.policy.audit | incidentGroup name (previously alert.audit.category). | < string > array |

Example:

```
<14>Aug 15 17:06:04 EC-test00.app.qa.sjc.shn activityNames=[],actorId=N/A,actorIdType=USER, incidentGroup=Alert.Policy.Audit,incidentId=AUD-2014,incidentRiskScore=3.0,incidentRiskSeverity=low, informationAccountId=dc960d72-efdf-4b89-adb8-4c78eb969c83,category=SecurityCenterRecommendations, informationConfigType=SUBSCRIPTION,informationContentItemId=dc960d72-efdf-4b89-adb8-4c78eb969c83, informationContentItemName="Microsoft Azure",informationContentItemType=SUBSCRIPTION,informationPolicyId=405763, informationPolicyName="MFA for accounts with read permissions on subscription not enabled",instanceId=6840, instanceName=Azure,responses="[Violation Detected]",serviceNames="[Microsoft Azure]",status=new, timeCreated="Jun 14 2019 06:56:13.518 UTC",timeModified="Aug 15 2019 08:05:59.826 UTC"
```
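The two syslog-style lines in the Anomaly and Audit examples above are what a SIEM actually receives, so a parser for them is the piece a detection engineer needs first. The Python below is an added example, not code from the Incidents API documentation or its vendor, and serves both examples: it strips the RFC 3164 `<PRI>`, timestamp and host header, then parses the comma-separated `key=value` message into a typed dict. The grammar (double-quoted values with `""` as an escaped quote, bracketed `[a, b]` lists, and a bare token with no `=` such as `activityNames [-1]`) is inferred from the two sample lines and is an assumption rather than a vendor specification; both sample lines are copied from the page.

```python
"""Added example (not part of the Incidents API documentation): parse the syslog-style
incident lines from the Anomaly and Audit examples into typed dicts. The key=value
grammar is inferred from those two lines and is an assumption, not a vendor spec."""
import re

# <PRI>Mon DD hh:mm:ss host message  (RFC 3164 style header)
SYSLOG_HEAD = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>[A-Za-z]{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)


def _read_value(s, i):
    """Read one value starting at s[i]; return (raw_value, index of the next separator)."""
    n, out = len(s), []
    if i < n and s[i] == '"':
        i += 1
        while i < n:
            if s[i] == '"':
                if i + 1 < n and s[i + 1] == '"':   # "" inside quotes is an escaped quote
                    out.append('"')
                    i += 2
                    continue
                i += 1
                break
            out.append(s[i])
            i += 1
        while i < n and s[i] != ",":                # tolerate stray text before the separator
            i += 1
        return "".join(out).strip(), i
    depth = 0                                       # unquoted [a, b] lists contain commas
    while i < n:
        ch = s[i]
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        elif ch == "," and depth == 0:
            break
        out.append(ch)
        i += 1
    return "".join(out).strip(), i


def _typed(key, raw):
    """Turn bracketed lists into Python lists and a few well-known fields into numbers/bools."""
    if raw.startswith("[") and raw.endswith("]"):
        inner = raw[1:-1].strip()
        return [x.strip() for x in inner.split(",")] if inner else []
    if key == "incidentRiskScore":
        return float(raw)
    if raw in ("true", "false"):
        return raw == "true"
    return raw


def parse_fields(msg):
    """Parse the comma-separated key=value message body."""
    fields, i, n = {}, 0, len(msg)
    while i < n:
        while i < n and msg[i] in ", ":             # skip separators and stray spaces
            i += 1
        if i >= n:
            break
        comma, eq = msg.find(",", i), msg.find("=", i)
        if eq < 0 or 0 <= comma < eq:
            # bare token without '=' (e.g. "activityNames [-1]" in the anomaly sample)
            end = comma if comma >= 0 else n
            fields[msg[i:end].strip()] = None
            i = end
            continue
        key = msg[i:eq].strip()
        raw, i = _read_value(msg, eq + 1)
        fields[key] = _typed(key, raw)
    return fields


def parse_incident_line(line):
    """Split the syslog header off and parse the incident message; ValueError on bad input."""
    m = SYSLOG_HEAD.match(line)
    if not m:
        raise ValueError("not a <PRI>timestamp host message line")
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8, "severity": pri % 8,   # PRI = facility * 8 + severity
        "timestamp": m.group("ts"), "host": m.group("host"),
        "fields": parse_fields(m.group("msg")),
    }


# Both lines are copied from the Anomaly and Audit examples on the page
ANOMALY_LINE = '<14>Aug 15 16:58:16 EC-test00.app.qa.sjc.shn activityNames [-1],actorId=tp_realtime_activity_enrichment_0_1558064392_19817@shn.com,actorIdType=USER,incidentGroup=Alert.Access. AnomalousAccessLocation,incidentId=ANO-94483,incidentRiskScore=10.0,incidentRiskSeverity=high, anomalyCategory="Access Anomalies",anomalyCause="CUSTOMER BLACKLIST",anomalyValue=NA, informationCities="[shimajiri, nowshera, oslo, moscow, beijing]",countries="[NO, RU, JP, CN, PK]",isPartOfThreat=false, informationServicesAndAccountIds=" {""Box"":""""} ",informationSourceIpOrgs="[knet techonlogy beijing co. ltd., kddi corporation, telenor norge as, channel one russia worldwide, pakistan telecommuication company limited]", sourceIps="[80.64.104.97, 39.43.30.58, 14.12.145.139, 1.2.2.78, 2.148.4.85]",threatCategory="Compromised Accounts", thresholdDuration=weekly,thresholdValue=-1,responses="[Admin Login, Admin Login, Admin Login, Admin Login, Admin Login]", serviceNames=[Box],status=opened,timeCreated="May 17 2019 03:31:52.000 UTC",timeModified="May 17 2019 03:51:01.525 UTC"'
AUDIT_LINE = '<14>Aug 15 17:06:04 EC-test00.app.qa.sjc.shn activityNames=[],actorId=N/A,actorIdType=USER, incidentGroup=Alert.Policy.Audit,incidentId=AUD-2014,incidentRiskScore=3.0,incidentRiskSeverity=low, informationAccountId=dc960d72-efdf-4b89-adb8-4c78eb969c83,category=SecurityCenterRecommendations, informationConfigType=SUBSCRIPTION,informationContentItemId=dc960d72-efdf-4b89-adb8-4c78eb969c83, informationContentItemName="Microsoft Azure",informationContentItemType=SUBSCRIPTION,informationPolicyId=405763, informationPolicyName="MFA for accounts with read permissions on subscription not enabled",instanceId=6840, instanceName=Azure,responses="[Violation Detected]",serviceNames="[Microsoft Azure]",status=new, timeCreated="Jun 14 2019 06:56:13.518 UTC",timeModified="Aug 15 2019 08:05:59.826 UTC"'

if __name__ == "__main__":
    for line in (ANOMALY_LINE, AUDIT_LINE):
        rec = parse_incident_line(line)
        f = rec["fields"]
        print(f["incidentId"], f["incidentGroup"], f["incidentRiskSeverity"], f.get("serviceNames"))
```

Note that the typed output keeps `sourceIps` and `countries` as lists rather than the bracketed strings the feed sends, which is what a correlation rule (for instance, one keyed on `isPartOfThreat` plus source country) needs; a naive `split(",")` on the raw line would cut those lists and the quoted policy names apart.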
KeyValue
A pair of key and value (standard map entry).

Name | Description | Schema |
---|---|---|
key | Name of the value. | string |
value | Actual value. | object |
ResponseInfo
Additional information regarding the response.

Name | Description | Schema |
---|---|---|
actualLimit | Number of items returned in this response. | integer (int32) |
apiElapsedMillis | Number of milliseconds this response took to execute internally. | integer (int64) |
error | Error raised while servicing the request, if any; see Error. | Error |
nextOffset | Offset to be passed as parameter 'offset' to read the next block of the current query. If nextOffset is '-1', there are no more entries to read. In time-based queries this field is set to 'null'. | integer (int64) |
nextStartTime | Starting time to be passed as Criteria 'startTime' to read the next block continuing the current query. This value is 'null' if the query is not time-based; in a time-based query, 'null' indicates there are no more entries. Format ::= yyyy-mm-ddThh:mm:ss[Z([+-]hh:mm)]. | string (date-time) |
source | An identifier of the host(s) involved in gathering the response. FOR DEBUG PURPOSES. | string |
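The nextOffset and nextStartTime rules above are easy to get subtly wrong (looping forever on a time-based query, or stopping early because `-1` and `null` were conflated), so the following Python is an added example, not code from the Incidents API documentation or its vendor, of a client loop that follows them exactly: offset-based queries continue until nextOffset is `-1`, time-based queries feed nextStartTime back into Criteria.startTime until it is `null`, and an `error` in responseInfo aborts the loop. Because startTime is inclusive, the incident at the page boundary can legitimately be returned twice, so results are de-duplicated by incidentId. The transport is a caller-supplied `fetch(criteria, offset)` callable, since the endpoint URL and how 'offset' is transmitted are not on this page; the in-memory server and its seven incidents are constructed for the demonstration.

```python
"""Added example (not part of the Incidents API documentation): drain a paginated
incident query by following ResponseInfo.nextOffset / nextStartTime as documented.
fetch(criteria, offset) is an assumed transport hook; the fake server is constructed."""


def iter_incidents(fetch, criteria, max_pages=1000):
    """Yield every Incident across pages. Stops when nextOffset is -1 (offset mode)
    or nextStartTime is null (time mode); raises on an error in responseInfo."""
    criteria = dict(criteria)
    offset = 0
    seen = set()   # startTime is inclusive, so the boundary incident may be re-sent; dedupe by id
    for _ in range(max_pages):
        resp = fetch(criteria, offset)
        info = resp.get("responseInfo") or {}
        err = info.get("error")
        if err:
            raise RuntimeError(
                f"API error {err.get('code')}: {err.get('message')} (target={err.get('target')})")
        for inc in resp.get("incidents", []):
            if inc["incidentId"] in seen:
                continue
            seen.add(inc["incidentId"])
            yield inc
        next_offset, next_start = info.get("nextOffset"), info.get("nextStartTime")
        if next_offset is not None:            # offset-based query
            if next_offset == -1:
                return
            offset = next_offset
        else:                                   # time-based query: nextOffset is null
            if next_start is None:
                return
            criteria["startTime"] = next_start
    raise RuntimeError(f"pagination did not terminate within {max_pages} pages")


# Constructed sample: seven incidents with distinct timeModified values (ISO-8601, UTC).
SAMPLE_INCIDENTS = [
    {"incidentId": f"ANO-{k}", "incidentGroup": "Alert.Access.AnomalousAccessLocation",
     "status": "new", "timeModified": f"2019-05-17T03:0{k}:00Z"}
    for k in range(1, 8)
]


def make_fake_server(incidents, page_size, time_based):
    """Constructed stand-in for the API that answers the way ResponseInfo describes."""
    def fetch(criteria, offset):
        if time_based:
            start = criteria.get("startTime", "")
            pool = [i for i in incidents if i["timeModified"] >= start]   # inclusive startTime
            page = pool[:page_size]
            more = len(pool) > page_size
            info = {"actualLimit": len(page), "nextOffset": None,
                    "nextStartTime": page[-1]["timeModified"] if more else None}
        else:
            page = incidents[offset:offset + page_size]
            more = offset + page_size < len(incidents)
            info = {"actualLimit": len(page),
                    "nextOffset": offset + page_size if more else -1, "nextStartTime": None}
        return {"incidents": page, "responseInfo": info}
    return fetch


def make_error_server(code, message, target):
    """Constructed stand-in that always answers with an Error in responseInfo."""
    def fetch(criteria, offset):
        return {"incidents": [],
                "responseInfo": {"error": {"code": code, "message": message, "target": target}}}
    return fetch


def drain_ids(fetch, criteria=None):
    """Collect incidentIds in delivery order; convenient for tests and ad-hoc checks."""
    return [inc["incidentId"] for inc in iter_incidents(fetch, criteria or {})]


if __name__ == "__main__":
    for mode in (False, True):
        label = "time-based" if mode else "offset-based"
        print(label, drain_ids(make_fake_server(SAMPLE_INCIDENTS, 3, mode)))
```

The `max_pages` guard matters in the time-based mode: if a page is made up entirely of incidents sharing one timeModified value, nextStartTime never advances and the loop would otherwise spin, so surfacing that as an error is preferable to silent hammering of the API.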