Skip to content

Instantly share code, notes, and snippets.

@geekscrapy

geekscrapy/lighthouse.json

Last active October 21, 2020 20:39
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save geekscrapy/35831b0d3b021bc679bb4806e673c9ea to your computer and use it in GitHub Desktop.
Save geekscrapy/35831b0d3b021bc679bb4806e673c9ea to your computer and use it in GitHub Desktop.
Download ZIP
feye lighthouse openapi schema (e835ea422177e891cb04dba68f35659a)
Raw
lighthouse.json
This file has been truncated, but you can view the full file.
{
"x-zally-ignore": [
104,
118,
120,
129,
130,
134,
143,
145,
150,
172,
174,
176,
235,
101,
105,
107,
146,
151,
215,
219
],
"openapi": "3.0.0",
"info": {
"title": "HX API",
"description": "The HX Series application programming interface (API) allows users to automate certain actions and integrate security information and event management (SIEM)\nsolutions from FireEye and other companies. The API provides access to information about endpoints, acquisitions, alerts, source alerts, conditions, indicators,\nand containment. The HX Series API uses role-based access control (RBAC) and representational state transfer (REST) architecture.\n\n\n\n### User Role Access Privileges\n|Privileges | api_admin | api_analyst |\n|---------------------------------------|-----------|-------------|\n|API access |Yes |Yes |\n|View acquisitions |Yes |Yes |\n|View cloned agents |Yes |Yes |\n|Configure agents |Yes |**No** |\n|Manage and view alerts |Yes |Yes |\n|Approve and cancel containment |Yes |**No** |\n|View audits |Yes |Yes |\n|Create data acquisitions |Yes |Yes |\n|Run enterprise searches |Yes |Yes |\n|Create file acquisitions |Yes |Yes |\n|Create host lists |Yes |Yes |\n|View host lists |Yes |Yes |\n|Create, update, and delete host sets |Yes |**No** |\n|View host sets |Yes |Yes |\n|Create and view indicators |Yes |Yes |\n",
"version": "3.0.0",
"contact": {
"name": "FireEye",
"email": "developers@fireeye.com",
"url": "https://fireeye.dev/"
}
},
"servers": [
{
"url": "/hx/api/v3/"
}
],
"tags": [
{
"name": "Acquisitions",
"description": "The Acquisition API endpoints allow users to obtain and manage host machine data. Allowing for an investigation on a running host.\n#### Acquisition Types \n- File Acquisitions: \n\t- A file acquisition instructs the Endpoint Security server to obtain a file. \n\t- File acquisition packages are password-protected .zip files. The password for unlocking file acquisition packages is **unzip-me** \n- Triage Acquisitions: \n\t- Triage collections contain information from within the lookback cache as well as additional forensic audit information, such as URL download history, file download history, process and ports listings, and standard system information. \n- Bulk Acquisitions: \n\t- A Bulk Acquisition allows you to use a audit script against a hostset containing many agents.\n- Data/Live Acquisitions: \n\t- A Data or Live Acquisition is a process by which volatile and nonvolatile forensic information is collected from a running system for the purposes of triage and investigative analysis. This process gathers many artifacts from the disk and memory.\n",
"x-tag-expanded": false
},
{
"name": "Agent",
"description": "Endpoints providing sysinfo and last poll details",
"x-tag-expanded": false
},
{
"name": "Alerts",
"description": "An alert is a match between an indicator condition and host activity observed by an agent that indicates the presence on the host of the activity specified in the condition. A host can have multiple matches on the same condition. An alert might identify the presence of either potential malware or benign conditions (false positives). The alerts endpoints allow you to list alerts filtered by various criteria or to get a particular alert. You can also suppress alerts.",
"x-tag-expanded": false
},
{
"name": "Authentication",
"description": "Authenticate and authorize users and systems that want to use the HX Series API.",
"x-tag-expanded": false
},
{
"name": "Conditions",
"description": "Create tests for specific activity that might identify a compromised host.",
"x-tag-expanded": false
},
{
"name": "Containment",
"description": "Prevent further compromise of a host system and its components by restricting the hostʼs ability to communicate.",
"x-tag-expanded": false
},
{
"name": "Custom Configuration Channels",
"description": "Manually supply agent configuration file settings to multiple hosts.",
"x-tag-expanded": false
},
{
"name": "Host information",
"description": "To check the computer endpoints, servers, or other related enterprise components (collectively known as hosts) connected to your Endpoint Security server, you need to install a small software component (known as an agent) on each one. After the agents are installed, you can use the Endpoint Security API to get a list of all hosts connected to your Endpoint Security server, get summary information for each host, get the full system information for a host., or delete duplicate agents. You can also use the host information endpoints to create an acquisition for a specified host and to list triage, file, or data acquisitions.",
"x-tag-expanded": false
},
{
"name": "Host sets",
"description": "Hosts can be grouped into host sets to make it easier to perform Endpoint Security operations on multiple hosts at a time. You can use the API host set endpoints to list host sets, update host sets, list the hosts in a host set, sort host sets, filter host sets, search host sets for a value, and delete host sets. <br>You can create two types of host sets: <ul><li>Static host set<br>Static host sets are groups of hosts that you create and edit by directly adding and removing hosts using their identifiers. Membership in a static set is stable. Membership changes only if you edit the set to add or remove hosts. Static host sets allow you to define and control small groups of hosts for which you cannot easily build a dynamic host set. In addition, even if the host identifier changes, the original host identifier continues to belong to the host set. This stability requires that you actively maintain these host sets.</li> <li>Dynamic host set<br>Dynamic host sets consist of groups of hosts created by filtering on host attributes. Dynamic host sets can also be defined as a combination of other dynamic or static host sets by performing union, intersect or complement set operations on them. Membership in a dynamic host set changes whenever the following happens: <ul><li>A new eligible host is provisioned</li><li>Filtering criteria are changed</li><li>Members are directly added or removed</li></ul></li></ul>",
"x-tag-expanded": false
},
{
"name": "Indicators",
"description": "Create, read, update, and delete indicators of compromise. Indicators can be created automatically from alerts generated in network devices.",
"x-tag-expanded": false
},
{
"name": "Indicator Categories",
"description": "Group indicators into categories to make it easier to find and modify them. <br>",
"x-tag-expanded": false
},
{
"name": "Policies",
"x-tag-expanded": false,
"description": "Policies allow you to adapt the behavior of the agent to different endpoints.<br><br>You can assign policies and put policies that have priority set in priority order before making changes to settings. You may need to make several changes at the same time, and intermediate changes may result in incorrect policies being assigned to hosts if policies take effect immediately."
},
{
"name": "Quarantines",
"description": "When malware protection and malware remediation (quarantine) are enabled, infected files are automatically copied to a quarantine area. After relocating an infected file to quarantine, malware protection attempts to clean the file by removing the malicious code. If attempts to clean the file fail, malware protection automatically deletes the infected file from its original location on the host endpoint.Quarantined files are stored in the quarantine area on the host endpoint until you manually delete them or they exceed the quarantine file aging period. The default aging period is 90 days. For complete information on specifying malware protection settings, see the FireEye Endpoint Agent Administration Guide.",
"x-tag-expanded": false
},
{
"name": "Scripts",
"description": "Scripts allow you to customize the data that is collected from bulk and custom acquisitions. Use the scripts endpoints to list public scripts or to get the contents of the public scripts in XML, JSON, or .zip format. ",
"x-tag-expanded": false
},
{
"name": "Scan",
"description": "Users can initiate malware scans on their Mac OSX host endpoints. Malware scans are configured as either a Full Scan or Custom Scan. A Full Scan includes all local and mounted disk drives, while a Custom Scan gives you the option of specifying folder names or file paths.",
"x-tag-expanded": false
},
{
"name": "Search",
"description": "Find indicators across all hosts connected to your HX Series appliance.",
"x-tag-expanded": false
},
{
"name": "Source Alerts",
"description": "Source alerts are notices of suspicious activity sent to the Endpoint Security server when you use the Endpoint Security server with another FireEye product or service or another integrated service. When the Endpoint Security server receives alerts from these sources, it parses their reports, and creates relevant conditions and indicators based on actionable information they provide. Agents verify matches for these conditions on their hosts both when the Endpoint Security server first processes a source alert and when agents monitor future activity.",
"x-tag-expanded": false
},
{
"name": "Version",
"description": "Check the appliance ID and software and hardware version of your HX Series appliance.",
"x-tag-expanded": false
}
],
"security": [
{
"basicAuth": []
},
{
"tokenAuth": []
}
],
"components": {
"securitySchemes": {
"basicAuth": {
"scheme": "basic",
"type": "http",
"description": "Users with api_admin or api_analyst roles should be used to access the API"
},
"tokenAuth": {
"type": "apiKey",
"name": "X-FeApi-Token",
"in": "header",
"description": "X-FeApi-Token can be created using the /token endpoint"
}
},
"responses": {
"acquisitions.bulk_acq.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"sort": {
"type": "object",
"description": "List of sort parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
},
"entries": {
"type": "array",
"items": {
"type": "object",
"properties": {
"_id": {
"description": "Unique acquisition ID.",
"type": "integer",
"format": "int32"
},
"state": {
"type": "string",
"description": "State of bulk acquisition job.",
"enum": [
"RUNNING",
"STOPPED"
]
},
"scripts": {
"type": "object",
"properties": {
"_id": {
"description": "Unique script ID.",
"type": "integer",
"format": "int32"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"download": {
"type": "string",
"description": "URI to retrieve the data package."
}
}
},
"comment": {
"type": "string",
"description": "Comment associated with the record."
},
"update_time": {
"type": "string",
"format": "date-time",
"description": "Time when acquisition was last updated."
},
"create_time": {
"type": "string",
"format": "date-time",
"description": "Time when acquisition was created."
},
"update_actor": {
"type": "object",
"properties": {
"_id": {
"type": "integer",
"format": "int32",
"description": "Unique ID."
},
"username": {
"type": "string",
"description": "Username."
}
}
},
"create_actor": {
"type": "object",
"properties": {
"_id": {
"type": "integer",
"format": "int32",
"description": "Unique ID."
},
"username": {
"type": "string",
"description": "Username."
}
}
},
"_revision": {
"type": "string",
"description": "Timestamp at time of record creation or update."
},
"disable_cef": {
"type": "boolean",
"description": "True if logging to CEF is disabled. Default is False."
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"host_set": {
"type": "object",
"properties": {
"_id": {
"description": "Unique Host Set ID.",
"type": "integer",
"format": "int32"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"name": {
"description": "Host set name.",
"type": "string"
}
}
},
"stats": {
"type": "object",
"properties": {
"total_size": {
"type": "integer",
"description": ""
},
"run_time": {
"type": "object",
"description": "Object containing avg, min, and max run time of acquisitions.",
"properties": {
"avg": {
"type": "integer"
},
"min": {
"type": "integer"
},
"max": {
"type": "integer"
}
}
},
"task_size": {
"type": "object",
"description": "Object containing avg, min, and max size of acquisitions.",
"properties": {
"avg": {
"type": "integer"
},
"min": {
"type": "integer"
},
"max": {
"type": "integer"
}
}
},
"running_state": {
"type": "object",
"description": "Object containing counts for acquisitions in various states.",
"properties": {
"NEW": {
"type": "integer"
},
"QUEUED": {
"type": "integer"
},
"FAILED": {
"type": "integer"
},
"COMPLETE": {
"type": "integer"
},
"ABORTED": {
"type": "integer"
},
"DELETED": {
"type": "integer"
},
"REFRESH": {
"type": "integer"
},
"CANCELLED": {
"type": "integer"
}
}
}
}
}
}
},
"description": "JSON objects returned."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"list_bulk_acqs": {
"summary": "list_bulk_acqs",
"value": {
"data": {
"total": 1,
"query": {},
"sort": {},
"offset": 0,
"limit": 50,
"entries": [
{
"_id": 1,
"state": "RUNNING",
"scripts": [
{
"_id": "c927584dbb4b31932e28e5c7e23f914975095777",
"url": "/hx/api/v3/scripts/c927584dbb4b31932e28e5c7e23f914975095777",
"download": "/hx/api/v3/scripts/c927584dbb4b31932e28e5c7e23f914975095777.json",
"platform": "*"
}
],
"comment": null,
"update_time": "2020-07-15T09:18:10.712Z",
"create_time": "2020-07-15T09:18:10.712Z",
"update_actor": {
"_id": 1000,
"username": "api_admin"
},
"create_actor": {
"_id": 1000,
"username": "api_admin"
},
"max_size_in_mb": null,
"_revision": "20200715091810712583104115",
"disable_cef": false,
"url": "/hx/api/v3/acqs/bulk/1",
"host_set": null,
"stats": {
"total_size": 0,
"run_time": {
"avg": null,
"min": null,
"max": null
},
"task_size": {
"avg": null,
"min": null,
"max": null
},
"running_state": {
"NEW": 0,
"QUEUED": 2,
"FAILED": 0,
"COMPLETE": 0,
"ABORTED": 0,
"DELETED": 0,
"REFRESH": 0,
"CANCELLED": 0
}
}
}
]
},
"message": "OK",
"details": [],
"route": "/hx/api/v3/acqs/bulk"
}
}
}
}
}
},
"acquisitions.bulk_acq.unauthorized": {
"description": "Unauthorized",
"content": {
"text/plain": {
"schema": {
"type": "string",
"example": "Unauthorized"
}
}
}
},
"acquisitions.bulk_acq.unprocessable": {
"description": "Standard API response for no data.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"unprocessableEntity": {
"summary": "Unprocessable Entity",
"value": {
"details": [
{
"type": "error",
"code": 2019,
"path": "query.offset",
"message": "Value must be formatted as a non-negative 32 bit integer (0 to 2147483647)."
}
],
"route": "/hx/api/v3/acqs/bulk",
"message": "Unprocessable Entity"
}
}
}
}
}
},
"acquisitions.bulk_acq.not_acceptable": {
"description": "Standard API response for no data.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"not_acceptable": {
"summary": "not_acceptable",
"value": {
"details": [
{
"type": "error",
"code": 1302,
"message": "No support for the types specified in the Accept header.",
"details": {
"supported": [
"application/octet-stream"
]
}
}
],
"route": "/hx/api/v3/acqs/bulk/id/hosts/agent_id.zip",
"message": "Not Acceptable"
}
}
}
}
}
},
"acquisitions.bulk_acq.not_found": {
"description": "Standard API response for no data.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"not_acceptable": {
"summary": "not_acceptable",
"value": {
"details": [
{
"type": "error",
"code": 1005,
"message": "Bulk Acquisition Agent result package not found."
}
],
"route": "/hx/api/v3/acqs/bulk/id/hosts/agent_id.zip",
"message": "Not Found"
}
}
}
}
}
},
"acquisitions.bulk_acq_host_action.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"sort": {
"type": "object",
"description": "List of sort parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
},
"entries": {
"type": "array",
"items": {
"type": "object",
"properties": {
"_id": {
"description": "Unique acquisition ID.",
"type": "integer",
"format": "int32"
},
"state": {
"type": "string",
"description": "State of bulk acquisition job.",
"enum": [
"RUNNING",
"STOPPED"
]
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"host": {
"type": "object",
"properties": {
"_id": {
"description": "Unique agent ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
}
}
},
"bulk_acq": {
"type": "object",
"properties": {
"_id": {
"description": "Unique acquisition ID.",
"type": "integer",
"format": "int32"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
}
}
}
}
},
"description": "JSON objects returned."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"acquisitions.bulk_acq_host_action_single.success": {
"description": "Bulk Acquisition response.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"_id": {
"description": "Unique acquisition ID.",
"type": "integer",
"format": "int32"
},
"state": {
"type": "string",
"description": "State of bulk acquisition job.",
"enum": [
"RUNNING",
"STOPPED"
]
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"host": {
"type": "object",
"properties": {
"_id": {
"description": "Unique agent ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
}
}
},
"bulk_acq": {
"type": "object",
"properties": {
"_id": {
"description": "Unique acquisition ID.",
"type": "integer",
"format": "int32"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
}
}
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"post_action_bulk_acq_for_host": {
"summary": "post_action_bulk_acq_for_host",
"value": {
"details": [],
"route": "/hx/api/v3/acqs/bulk/id/hosts/agent_id/actions/action",
"data": {
"state": "REFRESH",
"queued_at": null,
"selected": true,
"complete_at": null,
"error": null,
"_revision": "20200716094253078120105242",
"url": "/hx/api/v3/acqs/bulk/3/hosts/j9TEJMSEUK3cQFQgGlGOXP",
"host": {
"_id": "j9TEJMSEUK3cQFQgGlGOXP",
"url": "/hx/api/v3/hosts/j9TEJMSEUK3cQFQgGlGOXP",
"hostname": "WIN9e5150315a4a"
},
"bulk_acq": {
"_id": 3,
"url": "/hx/api/v3/acqs/bulk/3"
},
"result": null,
"result_ordinal": null
},
"message": "Accepted"
}
}
}
}
}
},
"acquisitions.bulk_acq_host_action_single.not_found": {
"description": "Standard API response for a single JSON object.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object"
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"not_found": {
"summary": "not_found",
"value": {
"details": [
{
"type": "warn",
"code": 2010,
"path": "action",
"message": "should be equal to one of the allowed values",
"details": {
"allowedValues": [
"refresh",
"cancel"
]
}
}
],
"route": "/hx/api/v3/acqs/bulk/id/hosts/agent_id/actions/action",
"message": "Not Found (With Warnings)"
}
}
}
}
}
},
"acquisitions.bulk_acq_host_bulk_single.success": {
"description": "Bulk Acquisition response.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"_id": {
"description": "Unique acquisition ID.",
"type": "integer",
"format": "int32"
},
"state": {
"type": "string",
"description": "State of bulk acquisition job.",
"enum": [
"RUNNING",
"STOPPED"
]
},
"_revision": {
"type": "string",
"description": "Timestamp at time of record creation or update."
},
"host": {
"type": "object",
"properties": {
"_id": {
"description": "Unique agent ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
}
}
},
"bulk_acq": {
"type": "object",
"properties": {
"_id": {
"description": "Unique acquisition ID.",
"type": "integer",
"format": "int32"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
}
}
},
"result": {
"type": "object",
"properties": {
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"bytes": {
"type": "integer"
}
}
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"single_bulk_acquisition_host_record": {
"summary": "single_bulk_acquisition_host_record",
"value": {
"details": [],
"route": "/hx/api/v3/acqs/bulk/id/hosts/agent_id",
"data": {
"state": "QUEUED",
"queued_at": "2020-07-16T08:32:22.227Z",
"selected": true,
"complete_at": null,
"error": null,
"_revision": "20200716083222227615104619",
"url": "/hx/api/v3/acqs/bulk/1/hosts/4ptueRw1epeegMA4WOTE2H",
"host": {
"_id": "4ptueRw1epeegMA4WOTE2H",
"url": "/hx/api/v3/hosts/4ptueRw1epeegMA4WOTE2H",
"hostname": "WIN4d24967dc1e8"
},
"bulk_acq": {
"_id": 1,
"url": "/hx/api/v3/acqs/bulk/1"
},
"result": null,
"result_ordinal": null
},
"message": "OK"
}
}
}
}
}
},
"acquisitions.bulk_acq_host_bulk_single.not_found": {
"description": "Standard API response for a single JSON object.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object"
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"not_found": {
"summary": "not_found",
"value": {
"details": [
{
"type": "error",
"code": 1005,
"message": "Bulk Acquisition Host not found.",
"path": "agent_id"
}
],
"route": "/hx/api/v3/acqs/bulk/id/hosts/agent_id",
"message": "Not Found"
}
}
}
}
}
},
"acquisitions.bulk_acq_hosts.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"sort": {
"type": "object",
"description": "List of sort parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
},
"entries": {
"type": "array",
"items": {
"type": "object",
"properties": {
"state": {
"type": "string",
"description": "State of bulk acquisition job for the host.",
"enum": [
"NEW",
"QUEUED",
"FAILED",
"COMPLETE",
"ABORTED",
"DELETED",
"REFRESH",
"CANCELLED"
]
},
"queued_at": {
"type": "string",
"format": "date-time",
"description": "Time when acquisition was queued."
},
"selected": {
"type": "boolean",
"description": "Whether the agent belongs to the host set."
},
"complete_at": {
"type": "string",
"format": "date-time",
"description": "Time when the acquisition completed."
},
"error": {
"type": "string",
"description": "Error message."
},
"_revision": {
"type": "string",
"description": "Timestamp at time of record creation or update."
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"host": {
"type": "object",
"properties": {
"_id": {
"description": "Unique agent ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
}
}
},
"bulk_acq": {
"type": "object",
"properties": {
"_id": {
"description": "Unique acquisition ID.",
"type": "integer",
"format": "int32"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
}
}
},
"result": {
"type": "object",
"properties": {
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"bytes": {
"type": "integer"
}
}
}
}
},
"description": "JSON objects returned."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"host_status_for_bulk_acq": {
"summary": "host_status_for_bulk_acq",
"value": {
"data": {
"total": 2,
"query": {},
"sort": {},
"offset": 0,
"limit": 50,
"entries": [
{
"state": "COMPLETE",
"queued_at": "2020-07-15T09:57:26.367Z",
"selected": true,
"complete_at": "2020-07-15T09:57:39.841Z",
"error": null,
"_revision": "20200715095739841125104440",
"url": "/hx/api/v3/acqs/bulk/2/hosts/K79P7fvR75kdlXkeZ5TfvY",
"host": {
"_id": "K79P7fvR75kdlXkeZ5TfvY",
"url": "/hx/api/v3/hosts/K79P7fvR75kdlXkeZ5TfvY",
"hostname": "WINd31147685f3a"
},
"bulk_acq": {
"_id": 2,
"url": "/hx/api/v3/acqs/bulk/2"
},
"result": {
"url": "/hx/api/v3/acqs/bulk/2/hosts/K79P7fvR75kdlXkeZ5TfvY.zip",
"bytes": 359
},
"result_ordinal": 1
},
{
"state": "COMPLETE",
"queued_at": "2020-07-15T09:57:26.352Z",
"selected": true,
"complete_at": "2020-07-15T09:57:44.805Z",
"error": null,
"_revision": "20200715095744805807104442",
"url": "/hx/api/v3/acqs/bulk/2/hosts/mv9UE6gD4Ujg4rpOga8haV",
"host": {
"_id": "mv9UE6gD4Ujg4rpOga8haV",
"url": "/hx/api/v3/hosts/mv9UE6gD4Ujg4rpOga8haV",
"hostname": "WIN842f06a304b7"
},
"bulk_acq": {
"_id": 2,
"url": "/hx/api/v3/acqs/bulk/2"
},
"result": {
"url": "/hx/api/v3/acqs/bulk/2/hosts/mv9UE6gD4Ujg4rpOga8haV.zip",
"bytes": 359
},
"result_ordinal": 2
}
]
},
"message": "OK",
"details": [],
"route": "/hx/api/v3/acqs/bulk/id/hosts"
}
}
}
}
}
},
"acquisitions.bulk_acq_hosts.not_found": {
"description": "Standard API response for a single JSON object.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object"
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"not_found": {
"summary": "not_found",
"value": {
"details": [
{
"type": "error",
"code": 1005,
"message": "Bulk Acquisition not found.",
"path": "id"
}
],
"route": "/hx/api/v3/acqs/bulk/id/hosts",
"message": "Not Found"
}
}
}
}
}
},
"acquisitions.bulk_acq_hosts.bulk_acq_host_state_unprocessable": {
"description": "Standard API response for a single JSON object.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object"
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"bulk_acq_host_state_unprocessable": {
"summary": "bulk_acq_host_state_unprocessable",
"value": {
"details": [
{
"type": "error",
"code": 2024,
"path": "query.state",
"message": "Instance is not one of the possible values",
"details": [
"NEW",
"QUEUED",
"FAILED",
"COMPLETE",
"CANCELLED",
"ABORTED",
"DELETED",
"REFRESH"
]
}
],
"route": "/hx/api/v3/acqs/bulk/id/hosts",
"message": "Unprocessable Entity"
}
}
}
}
}
},
"acquisitions.bulk_acq_hosts_single.success": {
"description": "File Acquisition response.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"state": {
"type": "string",
"description": "State of bulk acquisition job for the host.",
"enum": [
"NEW",
"QUEUED",
"FAILED",
"COMPLETE",
"ABORTED",
"DELETED",
"REFRESH",
"CANCELLED"
]
},
"queued_at": {
"type": "string",
"format": "date-time",
"description": "Time when acquisition was queued."
},
"selected": {
"type": "boolean",
"description": "Whether the agent belongs to the host set."
},
"complete_at": {
"type": "string",
"format": "date-time",
"description": "Time when the acquisition completed."
},
"error": {
"type": "string",
"description": "Error message."
},
"_revision": {
"type": "string",
"description": "Timestamp at time of record creation or update."
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"host": {
"type": "object",
"properties": {
"_id": {
"description": "Unique agent ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"hostname": {
"type": "string",
"description": "Name of the host."
}
}
},
"bulk_acq": {
"type": "object",
"properties": {
"_id": {
"description": "Unique acquisition ID.",
"type": "integer",
"format": "int32"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
}
}
},
"result": {
"type": "object",
"properties": {
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"bytes": {
"type": "integer"
}
}
},
"result_ordinal": {
"type": "integer",
"description": "Unique value assigned to each host in a bulk acquisition."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"put_host_into_bulk_acq": {
"summary": "put_host_into_bulk_acq",
"value": {
"details": [],
"route": "/hx/api/v3/acqs/bulk/id/hosts/agent_id",
"data": {
"state": "COMPLETE",
"queued_at": "2020-07-16T08:32:22.235Z",
"selected": true,
"complete_at": "2020-07-16T08:34:08.902Z",
"error": null,
"_revision": "20200716083408902864104635",
"url": "/hx/api/v3/acqs/bulk/1/hosts/KD94sbc4zTeenx7mtBBZ3U",
"host": {
"_id": "KD94sbc4zTeenx7mtBBZ3U",
"url": "/hx/api/v3/hosts/KD94sbc4zTeenx7mtBBZ3U",
"hostname": "xagt30185558"
},
"bulk_acq": {
"_id": 1,
"url": "/hx/api/v3/acqs/bulk/1"
},
"result": {
"url": "/hx/api/v3/acqs/bulk/1/hosts/KD94sbc4zTeenx7mtBBZ3U.zip",
"bytes": 108848
},
"result_ordinal": 1
},
"message": "OK"
}
}
}
}
}
},
"acquisitions.bulk_acq_hosts_single.not_found": {
"description": "Standard API response for a single JSON object.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object"
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"not_found": {
"summary": "not_found",
"value": {
"details": [
{
"type": "error",
"code": 1005,
"message": "Bulk Acquisition not found.",
"path": "id"
}
],
"route": "/hx/api/v3/acqs/bulk/id/hosts/agent_id",
"message": "Not Found"
}
}
}
}
}
},
"acquisitions.bulk_acq_hosts_single.conflict": {
"description": "Standard API response for a single JSON object.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object"
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"conflict": {
"summary": "conflict",
"value": {
"details": [
{
"type": "error",
"code": 1011,
"message": "The specified bulk acquisition is managed using a host set. Manual manipulation (PUT/DELETE) of the bulk acquisition host list is not permitted."
}
],
"route": "/hx/api/v3/acqs/bulk/id/hosts/agent_id",
"message": "Conflict"
}
}
}
}
}
},
"acquisitions.bulk_acq_single.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"_id": {
"description": "Unique acquisition ID.",
"type": "integer",
"format": "int32"
},
"state": {
"type": "string",
"description": "State of bulk acquisition job.",
"enum": [
"RUNNING",
"STOPPED"
]
},
"scripts": {
"type": "object",
"properties": {
"_id": {
"description": "Unique script ID.",
"type": "integer",
"format": "int32"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"download": {
"type": "string",
"description": "URI to retrieve the data package."
}
}
},
"comment": {
"type": "string",
"description": "Comment associated with the record."
},
"update_time": {
"type": "string",
"format": "date-time",
"description": "Time when acquisition was last updated."
},
"create_time": {
"type": "string",
"format": "date-time",
"description": "Time when acquisition was created."
},
"update_actor": {
"type": "object",
"properties": {
"_id": {
"type": "integer",
"format": "int32",
"description": "Unique ID."
},
"username": {
"type": "string",
"description": "Username."
}
}
},
"create_actor": {
"type": "object",
"properties": {
"_id": {
"type": "integer",
"format": "int32",
"description": "Unique ID."
},
"username": {
"type": "string",
"description": "Username."
}
}
},
"_revision": {
"type": "string",
"description": "Timestamp at time of record creation or update."
},
"disable_cef": {
"type": "boolean",
"description": "True if logging to CEF is disabled. Default is False."
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"host_set": {
"type": "object",
"properties": {
"_id": {
"description": "Unique Host Set ID.",
"type": "integer",
"format": "int32"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"name": {
"description": "Host set name.",
"type": "string"
}
}
},
"stats": {
"type": "object",
"properties": {
"total_size": {
"type": "integer",
"description": ""
},
"run_time": {
"type": "object",
"description": "Object containing avg, min, and max run time of acquisitions.",
"properties": {
"avg": {
"type": "integer"
},
"min": {
"type": "integer"
},
"max": {
"type": "integer"
}
}
},
"task_size": {
"type": "object",
"description": "Object containing avg, min, and max size of acquisitions.",
"properties": {
"avg": {
"type": "integer"
},
"min": {
"type": "integer"
},
"max": {
"type": "integer"
}
}
},
"running_state": {
"type": "object",
"description": "Object containing counts for acquisitions in various states.",
"properties": {
"NEW": {
"type": "integer"
},
"QUEUED": {
"type": "integer"
},
"FAILED": {
"type": "integer"
},
"COMPLETE": {
"type": "integer"
},
"ABORTED": {
"type": "integer"
},
"DELETED": {
"type": "integer"
},
"REFRESH": {
"type": "integer"
},
"CANCELLED": {
"type": "integer"
}
}
}
}
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"post_bulk_acq_response": {
"summary": "post_bulk_acq_response",
"value": {
"details": [],
"route": "/hx/api/v3/acqs/bulk",
"data": {
"_id": 1,
"state": "RUNNING",
"scripts": [
{
"_id": "c927584dbb4b31932e28e5c7e23f914975095777",
"url": "/hx/api/v3/scripts/c927584dbb4b31932e28e5c7e23f914975095777",
"download": "/hx/api/v3/scripts/c927584dbb4b31932e28e5c7e23f914975095777.json",
"platform": "*"
}
],
"comment": null,
"update_time": "2020-07-15T09:18:10.712Z",
"create_time": "2020-07-15T09:18:10.712Z",
"update_actor": {
"_id": 1000,
"username": "api_admin"
},
"create_actor": {
"_id": 1000,
"username": "api_admin"
},
"max_size_in_mb": null,
"_revision": "20200715091810712583104115",
"disable_cef": false,
"url": "/hx/api/v3/acqs/bulk/1",
"host_set": null,
"stats": {
"total_size": 0,
"run_time": {
"avg": null,
"min": null,
"max": null
},
"task_size": {
"avg": null,
"min": null,
"max": null
},
"running_state": {
"NEW": 2,
"QUEUED": 0,
"FAILED": 0,
"COMPLETE": 0,
"ABORTED": 0,
"DELETED": 0,
"REFRESH": 0,
"CANCELLED": 0
}
}
},
"message": "Created"
}
}
}
}
}
},
"acquisitions.bulk_acq_single.bulk_acq_change_state_success": {
"description": "Standard API response for a single JSON object.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"_id": {
"description": "Unique acquisition ID.",
"type": "integer",
"format": "int32"
},
"state": {
"type": "string",
"description": "State of bulk acquisition job.",
"enum": [
"RUNNING",
"STOPPED"
]
},
"scripts": {
"type": "object",
"properties": {
"_id": {
"description": "Unique script ID.",
"type": "integer",
"format": "int32"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"download": {
"type": "string",
"description": "URI to retrieve the data package."
}
}
},
"comment": {
"type": "string",
"description": "Comment associated with the record."
},
"update_time": {
"type": "string",
"format": "date-time",
"description": "Time when acquisition was last updated."
},
"create_time": {
"type": "string",
"format": "date-time",
"description": "Time when acquisition was created."
},
"update_actor": {
"type": "object",
"properties": {
"_id": {
"type": "integer",
"format": "int32",
"description": "Unique ID."
},
"username": {
"type": "string",
"description": "Username."
}
}
},
"create_actor": {
"type": "object",
"properties": {
"_id": {
"type": "integer",
"format": "int32",
"description": "Unique ID."
},
"username": {
"type": "string",
"description": "Username."
}
}
},
"_revision": {
"type": "string",
"description": "Timestamp at time of record creation or update."
},
"disable_cef": {
"type": "boolean",
"description": "True if logging to CEF is disabled. Default is False."
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"host_set": {
"type": "object",
"properties": {
"_id": {
"description": "Unique Host Set ID.",
"type": "integer",
"format": "int32"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"name": {
"description": "Host set name.",
"type": "string"
}
}
},
"stats": {
"type": "object",
"properties": {
"total_size": {
"type": "integer",
"description": ""
},
"run_time": {
"type": "object",
"description": "Object containing avg, min, and max run time of acquisitions.",
"properties": {
"avg": {
"type": "integer"
},
"min": {
"type": "integer"
},
"max": {
"type": "integer"
}
}
},
"task_size": {
"type": "object",
"description": "Object containing avg, min, and max size of acquisitions.",
"properties": {
"avg": {
"type": "integer"
},
"min": {
"type": "integer"
},
"max": {
"type": "integer"
}
}
},
"running_state": {
"type": "object",
"description": "Object containing counts for acquisitions in various states.",
"properties": {
"NEW": {
"type": "integer"
},
"QUEUED": {
"type": "integer"
},
"FAILED": {
"type": "integer"
},
"COMPLETE": {
"type": "integer"
},
"ABORTED": {
"type": "integer"
},
"DELETED": {
"type": "integer"
},
"REFRESH": {
"type": "integer"
},
"CANCELLED": {
"type": "integer"
}
}
}
}
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"bulk_acq_change_state_success": {
"summary": "bulk_acq_change_state_success",
"value": {
"details": [],
"route": "/hx/api/v3/acqs/bulk/id/actions/action",
"data": {
"_id": 2,
"state": "STOPPED",
"scripts": [
{
"_id": "90533f35f16ea595335ceec38f01049fe305188b",
"url": "/hx/api/v3/scripts/90533f35f16ea595335ceec38f01049fe305188b",
"download": "/hx/api/v3/scripts/90533f35f16ea595335ceec38f01049fe305188b.xml",
"platform": "*"
}
],
"comment": null,
"update_time": "2020-07-15T10:41:02.603Z",
"create_time": "2020-07-15T09:57:12.622Z",
"update_actor": {
"_id": 1000,
"username": "api_admin"
},
"create_actor": {
"_id": 1000,
"username": "api_admin"
},
"max_size_in_mb": null,
"_revision": "20200715104102603891104800",
"disable_cef": false,
"url": "/hx/api/v3/acqs/bulk/2",
"host_set": null,
"stats": {
"total_size": 718,
"run_time": {
"avg": 15.96303,
"min": 13.47315,
"max": 18.45291
},
"task_size": {
"avg": "359.0000000000000000",
"min": "359",
"max": "359"
},
"running_state": {
"NEW": 0,
"QUEUED": 0,
"FAILED": 0,
"COMPLETE": 2,
"ABORTED": 0,
"DELETED": 0,
"REFRESH": 0,
"CANCELLED": 0
}
}
},
"message": "Accepted"
}
}
}
}
}
},
"acquisitions.bulk_acq_single.bulk_acq_change_state_unprocessable": {
"description": "Standard API response for a single JSON object.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object"
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"bulk_acq_change_state_unprocessable": {
"summary": "bulk_acq_change_state_unprocessable",
"value": {
"details": [
{
"type": "warn",
"code": 2010,
"path": "action",
"message": "should be equal to one of the allowed values",
"details": {
"allowedValues": [
"start",
"stop",
"refresh"
]
}
},
{
"type": "error",
"code": 2024,
"path": "query.state",
"message": "Instance is not one of the possible values",
"details": [
"ALL",
"FAILED",
"COMPLETE",
"DELETED",
"CANCELLED"
]
}
],
"route": "/hx/api/v3/acqs/bulk/id/actions/action",
"message": "Unprocessable Entity"
}
}
}
}
}
},
"acquisitions.bulk_acq_single.bulk_acq_change_state_not_found": {
"description": "Standard API response for a single JSON object.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object"
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"bulk_acq_change_state_not_found": {
"summary": "bulk_acq_change_state_not_found",
"value": {
"details": [
{
"type": "error",
"code": 1005,
"message": "Bulk Acquisition not found.",
"path": "id"
}
],
"route": "/hx/api/v3/acqs/bulk/id/actions/action",
"message": "Not Found"
}
}
}
}
}
},
"acquisitions.bulk_acq_single.unprocessable_script": {
"description": "Standard API response for a single JSON object.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object"
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"unprocessable_script": {
"summary": "unprocessable_script",
"value": {
"details": [
{
"type": "error",
"code": 2001,
"message": "Either 'script' or 'scripts' is required."
}
],
"route": "/hx/api/v3/acqs/bulk",
"message": "Unprocessable Entity"
}
}
}
}
}
},
"acquisitions.bulk_acq_single.forbidden": {
"description": "Standard API response for a single JSON object.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object"
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"forbidden": {
"summary": "forbidden",
"value": {
"details": [
{
"type": "error",
"code": 1101,
"message": "Not allowed to set script privacy.",
"path": "script.is_private"
}
],
"route": "/hx/api/v3/acqs/bulk",
"message": "Forbidden"
}
}
}
}
}
},
"acquisitions.bulk_acq_single.not_found": {
"description": "Standard API response for a single JSON object.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object"
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"not_found": {
"summary": "not_found",
"value": {
"details": [
{
"type": "error",
"code": 1005,
"message": "Bulk Acquisition not found.",
"path": "id"
}
],
"route": "/hx/api/v3/acqs/bulk/id",
"message": "Not Found"
}
}
}
}
}
},
"acquisitions.common_no_data.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"acquisitions.common_no_data.success_no_content": {
"description": "Success - no content.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"acquisitions.common_no_data.success_quarantines": {
"description": "Success - Some quarantines not found or not all quarantined files were scheduled for restoration.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"acquisitions.common_no_data.deleted": {
"description": "Deleted",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"acquisitions.common_no_data.not_found": {
"description": "Not Found",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"acquisitions.common_no_data.unprocessable": {
"description": "Unprocessable Entity",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"acquisitions.common_no_data.unprocessable_script": {
"description": "Unprocessable Entity - Request unsuccessful because the script or script format was missing, the script was not in Base64 format, a property was unknown, both a host and a host set were specified, or a host or host set was specified without providing an ID.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"acquisitions.common_no_data.unable_to_parse": {
"description": "Unable to parse request body",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"acquisitions.common_no_data.script_too_large": {
"description": "Bad Request - Script is too large.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"acquisitions.common_no_data.precondition_failed": {
"description": "Precondition Failed",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"acquisitions.common_no_data.conflict": {
"description": "Conflict - Request unsuccessful because the host set was assigned at creation time, which means that agents cannot be manually added or removed.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"acquisitions.common_no_data.forbidden": {
"description": "Forbidden - Request unsuccessful because you do not belong to the correct authorization group or because you are using an appliance without an active MD_ACCESS license.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"acquisitions.common_no_entries.unprocessable": {
"description": "Unprocessable Entity",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"acquisitions.common_no_entries.not_found": {
"description": "Not Found",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"acquisitions.common_no_entries.invalid_filter": {
"description": "Invalid Alert Filter",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"acquisitions.common_no_entries.not_allowed": {
"description": "Not Allowed - Modification of FireEye filters is not allowed.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"acquisitions.file_acq.success": {
"description": "Standard API response for an array of JSON objects.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"sort": {
"type": "object",
"description": "List of sort parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
},
"entries": {
"type": "array",
"items": {
"type": "object",
"properties": {
"_id": {
"description": "Unique acquisition ID.",
"type": "integer",
"format": "int32"
},
"_revision": {
"type": "string",
"description": "Timestamp at time of record creation or update."
},
"error_message": {
"type": "string",
"description": "Error message."
},
"comment": {
"type": "string",
"description": "Comment associated with the record."
},
"state": {
"type": "string",
"description": "State of acquisition job.",
"enum": [
"NEW",
"ERROR",
"QUEUED",
"RUNNING",
"COMPLETE",
"FAILED"
]
},
"md5": {
"description": "Acquired file MD5 hash.",
"type": "string"
},
"request_time": {
"type": "string",
"format": "date-time",
"description": "File acquisition request time."
},
"request_actor": {
"type": "object",
"properties": {
"_id": {
"type": "integer",
"format": "int32",
"description": "Unique ID."
},
"username": {
"type": "string",
"description": "Username."
}
}
},
"req_path": {
"type": "string",
"description": "Path of the file requested."
},
"req_filename": {
"type": "string",
"description": "Name of the file requested."
},
"req_use_api": {
"type": "boolean",
"description": "True if this is a API File Acquisition. False if this is a Raw File Acquisition"
},
"zip_passphrase": {
"type": "string",
"description": "Acquired file zip passphrase."
},
"external_id": {
"type": "string",
"description": "External correlation ID from a SIEM solution."
},
"finish_time": {
"type": "string",
"format": "date-time",
"description": "Time when the acquisition completed."
},
"indicator": {
"type": "object",
"properties": {
"_id": {
"description": "Unique indicator ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"name": {
"type": "string",
"description": "Object name."
},
"uri_name": {
"type": "string",
"description": "Formalized name of the indicator definition source."
},
"display_name": {
"type": "string",
"description": "Name of the indicator definition source."
},
"signature": {
"type": "string",
"description": "IOC signature."
},
"category": {
"type": "integer",
"format": "int32",
"description": "Unique ID."
}
}
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"host": {
"type": "object",
"properties": {
"_id": {
"description": "Unique agent ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
}
}
},
"alert": {
"type": "object",
"properties": {
"_id": {
"description": "Unique alert ID.",
"type": "integer",
"format": "int32"
}
}
},
"condition": {
"type": "object",
"properties": {
"_id": {
"description": "Unique condition ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
}
}
}
}
},
"description": "JSON objects returned."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"get_file_acq_list": {
"summary": "get_file_acq_list",
"value": {
"data": {
"total": 1,
"query": {},
"sort": {
"request_time": -1
},
"offset": 0,
"limit": 50,
"entries": [
{
"_id": 9,
"_revision": "20200716104925375313105779",
"error_message": "The acquisition completed with issues.",
"comment": "this is a comment",
"state": "COMPLETE",
"md5": "d44251cd305329e1595f670f2a6824d1",
"request_time": "2020-07-16T10:47:29.000Z",
"request_actor": {
"_id": 1000,
"username": "api_admin"
},
"req_path": "C:\\$Extend\\$RmMetadata\\$TxfLog\\",
"req_filename": "$TxfLog.blf",
"req_use_api": null,
"zip_passphrase": "unzip-me",
"external_id": null,
"finish_time": "2020-07-16T10:49:25.375Z",
"indicator": null,
"url": "/hx/api/v3/acqs/files/9",
"host": {
"_id": "4ptueRw1epeegMA4WOTE2H",
"url": "/hx/api/v3/hosts/4ptueRw1epeegMA4WOTE2H"
},
"alert": null,
"condition": null
}
]
},
"message": "OK",
"details": [],
"route": "/hx/api/v3/acqs/files"
}
}
}
}
}
},
"acquisitions.file_acq.get_host_files": {
"description": "Standard API response for an array of JSON objects.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"sort": {
"type": "object",
"description": "List of sort parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
},
"entries": {
"type": "array",
"items": {
"type": "object",
"properties": {
"_id": {
"description": "Unique acquisition ID.",
"type": "integer",
"format": "int32"
},
"_revision": {
"type": "string",
"description": "Timestamp at time of record creation or update."
},
"error_message": {
"type": "string",
"description": "Error message."
},
"comment": {
"type": "string",
"description": "Comment associated with the record."
},
"state": {
"type": "string",
"description": "State of acquisition job.",
"enum": [
"NEW",
"ERROR",
"QUEUED",
"RUNNING",
"COMPLETE",
"FAILED"
]
},
"md5": {
"description": "Acquired file MD5 hash.",
"type": "string"
},
"request_time": {
"type": "string",
"format": "date-time",
"description": "File acquisition request time."
},
"request_actor": {
"type": "object",
"properties": {
"_id": {
"type": "integer",
"format": "int32",
"description": "Unique ID."
},
"username": {
"type": "string",
"description": "Username."
}
}
},
"req_path": {
"type": "string",
"description": "Path of the file requested."
},
"req_filename": {
"type": "string",
"description": "Name of the file requested."
},
"req_use_api": {
"type": "boolean",
"description": "True if this is a API File Acquisition. False if this is a Raw File Acquisition"
},
"zip_passphrase": {
"type": "string",
"description": "Acquired file zip passphrase."
},
"external_id": {
"type": "string",
"description": "External correlation ID from a SIEM solution."
},
"finish_time": {
"type": "string",
"format": "date-time",
"description": "Time when the acquisition completed."
},
"indicator": {
"type": "object",
"properties": {
"_id": {
"description": "Unique indicator ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"name": {
"type": "string",
"description": "Object name."
},
"uri_name": {
"type": "string",
"description": "Formalized name of the indicator definition source."
},
"display_name": {
"type": "string",
"description": "Name of the indicator definition source."
},
"signature": {
"type": "string",
"description": "IOC signature."
},
"category": {
"type": "integer",
"format": "int32",
"description": "Unique ID."
}
}
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"host": {
"type": "object",
"properties": {
"_id": {
"description": "Unique agent ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
}
}
},
"alert": {
"type": "object",
"properties": {
"_id": {
"description": "Unique alert ID.",
"type": "integer",
"format": "int32"
}
}
},
"condition": {
"type": "object",
"properties": {
"_id": {
"description": "Unique condition ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
}
}
}
}
},
"description": "JSON objects returned."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"get_host_files": {
"summary": "get_host_files",
"value": {
"data": {
"total": 1,
"query": {
"host._id": "4ptueRw1epeegMA4WOTE2H"
},
"sort": {
"request_time": -1
},
"offset": 0,
"limit": 50,
"entries": [
{
"_id": 9,
"_revision": "20200716104925375313105779",
"error_message": "The acquisition completed with issues.",
"comment": "this is a comment",
"state": "COMPLETE",
"md5": "d44251cd305329e1595f670f2a6824d1",
"request_time": "2020-07-16T10:47:29.000Z",
"request_actor": {
"_id": 1000,
"username": "api_admin"
},
"req_path": "C:\\$Extend\\$RmMetadata\\$TxfLog\\",
"req_filename": "$TxfLog.blf",
"req_use_api": null,
"zip_passphrase": "unzip-me",
"external_id": null,
"finish_time": "2020-07-16T10:49:25.375Z",
"indicator": null,
"url": "/hx/api/v3/acqs/files/9",
"host": {
"_id": "4ptueRw1epeegMA4WOTE2H",
"url": "/hx/api/v3/hosts/4ptueRw1epeegMA4WOTE2H"
},
"alert": null,
"condition": null
}
]
},
"message": "OK",
"details": [],
"route": "/hx/api/v3/hosts/agent_id/files"
}
}
}
}
}
},
"acquisitions.file_acq.unprocessable": {
"description": "Standard API response for a single JSON object.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object"
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"unprocessable": {
"summary": "unprocessable",
"value": {
"details": [
{
"type": "error",
"code": 2019,
"path": "query.limit",
"message": "Value must be formatted as a non-negative 32 bit integer (0 to 2147483647)."
}
],
"route": "/hx/api/v3/acqs/files",
"message": "Unprocessable Entity"
}
}
}
}
}
},
"acquisitions.file_acq.not_found": {
"description": "Standard API response for a single JSON object.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object"
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"not_found": {
"summary": "not_found",
"value": {
"details": [
{
"type": "error",
"code": 1005,
"message": "Host not found.",
"path": "agent_id"
}
],
"route": "/hx/api/v3/hosts/agent_id/files",
"message": "Not Found"
}
}
}
}
}
},
"acquisitions.file_acq_single.success": {
"description": "File Acquisition response.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"_id": {
"description": "Unique acquisition ID.",
"type": "integer",
"format": "int32"
},
"_revision": {
"type": "string",
"description": "Timestamp at time of record creation or update."
},
"error_message": {
"type": "string",
"description": "Error message."
},
"comment": {
"type": "string",
"description": "Comment associated with the record."
},
"state": {
"type": "string",
"description": "State of acquisition job.",
"enum": [
"NEW",
"ERROR",
"QUEUED",
"RUNNING",
"COMPLETE",
"FAILED"
]
},
"md5": {
"description": "Acquired file MD5 hash.",
"type": "string"
},
"request_time": {
"type": "string",
"format": "date-time",
"description": "File acquisition request time."
},
"request_actor": {
"type": "object",
"properties": {
"_id": {
"type": "integer",
"format": "int32",
"description": "Unique ID."
},
"username": {
"type": "string",
"description": "Username."
}
}
},
"req_path": {
"type": "string",
"description": "Path of the file requested."
},
"req_filename": {
"type": "string",
"description": "Name of the file requested."
},
"req_use_api": {
"type": "boolean",
"description": "True if this is a API File Acquisition. False if this is a Raw File Acquisition"
},
"zip_passphrase": {
"type": "string",
"description": "Acquired file zip passphrase."
},
"external_id": {
"type": "string",
"description": "External correlation ID from a SIEM solution."
},
"finish_time": {
"type": "string",
"format": "date-time",
"description": "Time when the acquisition completed."
},
"indicator": {
"type": "object",
"properties": {
"_id": {
"description": "Unique indicator ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"name": {
"type": "string",
"description": "Object name."
},
"uri_name": {
"type": "string",
"description": "Formalized name of the indicator definition source."
},
"display_name": {
"type": "string",
"description": "Name of the indicator definition source."
},
"signature": {
"type": "string",
"description": "IOC signature."
},
"category": {
"type": "integer",
"format": "int32",
"description": "Unique ID."
}
}
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"host": {
"type": "object",
"properties": {
"_id": {
"description": "Unique agent ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
}
}
},
"alert": {
"type": "object",
"properties": {
"_id": {
"description": "Unique alert ID.",
"type": "integer",
"format": "int32"
}
}
},
"condition": {
"type": "object",
"properties": {
"_id": {
"description": "Unique condition ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
}
}
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"create_file_acq": {
"summary": "create_file_acq",
"value": {
"details": [],
"route": "/hx/api/v3/hosts/agent_id/files",
"data": {
"_id": 9,
"_revision": "20200716104729029648105761",
"error_message": null,
"comment": "this is a comment",
"state": "NEW",
"md5": null,
"request_time": "2020-07-16T10:47:29.000Z",
"request_actor": {
"_id": 1000,
"username": "api_admin"
},
"req_path": "C:\\$Extend\\$RmMetadata\\$TxfLog\\",
"req_filename": "$TxfLog.blf",
"req_use_api": null,
"zip_passphrase": "unzip-me",
"external_id": null,
"finish_time": null,
"indicator": null,
"url": "/hx/api/v3/acqs/files/9",
"host": {
"_id": "4ptueRw1epeegMA4WOTE2H",
"url": "/hx/api/v3/hosts/4ptueRw1epeegMA4WOTE2H"
},
"alert": null,
"condition": null
},
"message": "Created"
}
}
}
}
}
},
"acquisitions.file_acq_single.get_file_acq_by_id": {
"description": "File Acquisition by Id response.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"_id": {
"description": "Unique acquisition ID.",
"type": "integer",
"format": "int32"
},
"_revision": {
"type": "string",
"description": "Timestamp at time of record creation or update."
},
"error_message": {
"type": "string",
"description": "Error message."
},
"comment": {
"type": "string",
"description": "Comment associated with the record."
},
"state": {
"type": "string",
"description": "State of acquisition job.",
"enum": [
"NEW",
"ERROR",
"QUEUED",
"RUNNING",
"COMPLETE",
"FAILED"
]
},
"md5": {
"description": "Acquired file MD5 hash.",
"type": "string"
},
"request_time": {
"type": "string",
"format": "date-time",
"description": "File acquisition request time."
},
"request_actor": {
"type": "object",
"properties": {
"_id": {
"type": "integer",
"format": "int32",
"description": "Unique ID."
},
"username": {
"type": "string",
"description": "Username."
}
}
},
"req_path": {
"type": "string",
"description": "Path of the file requested."
},
"req_filename": {
"type": "string",
"description": "Name of the file requested."
},
"req_use_api": {
"type": "boolean",
"description": "True if this is a API File Acquisition. False if this is a Raw File Acquisition"
},
"zip_passphrase": {
"type": "string",
"description": "Acquired file zip passphrase."
},
"external_id": {
"type": "string",
"description": "External correlation ID from a SIEM solution."
},
"finish_time": {
"type": "string",
"format": "date-time",
"description": "Time when the acquisition completed."
},
"indicator": {
"type": "object",
"properties": {
"_id": {
"description": "Unique indicator ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"name": {
"type": "string",
"description": "Object name."
},
"uri_name": {
"type": "string",
"description": "Formalized name of the indicator definition source."
},
"display_name": {
"type": "string",
"description": "Name of the indicator definition source."
},
"signature": {
"type": "string",
"description": "IOC signature."
},
"category": {
"type": "integer",
"format": "int32",
"description": "Unique ID."
}
}
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"host": {
"type": "object",
"properties": {
"_id": {
"description": "Unique agent ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
}
}
},
"alert": {
"type": "object",
"properties": {
"_id": {
"description": "Unique alert ID.",
"type": "integer",
"format": "int32"
}
}
},
"condition": {
"type": "object",
"properties": {
"_id": {
"description": "Unique condition ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
}
}
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"get_file_acq_by_id": {
"summary": "get_file_acq_by_id",
"value": {
"details": [],
"route": "/hx/api/v3/acqs/files/id",
"data": {
"_id": 9,
"_revision": "20200716104925375313105779",
"error_message": "The acquisition completed with issues.",
"comment": "this is a comment",
"state": "COMPLETE",
"md5": "d44251cd305329e1595f670f2a6824d1",
"request_time": "2020-07-16T10:47:29.000Z",
"request_actor": {
"_id": 1000,
"username": "api_admin"
},
"req_path": "C:\\$Extend\\$RmMetadata\\$TxfLog\\",
"req_filename": "$TxfLog.blf",
"req_use_api": null,
"zip_passphrase": "unzip-me",
"external_id": null,
"finish_time": "2020-07-16T10:49:25.375Z",
"indicator": null,
"url": "/hx/api/v3/acqs/files/9",
"host": {
"_id": "4ptueRw1epeegMA4WOTE2H",
"url": "/hx/api/v3/hosts/4ptueRw1epeegMA4WOTE2H"
},
"alert": null,
"condition": null
},
"message": "OK"
}
}
}
}
}
},
"acquisitions.file_acq_single.created": {
"description": "File Acquisition response.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"_id": {
"description": "Unique acquisition ID.",
"type": "integer",
"format": "int32"
},
"_revision": {
"type": "string",
"description": "Timestamp at time of record creation or update."
},
"error_message": {
"type": "string",
"description": "Error message."
},
"comment": {
"type": "string",
"description": "Comment associated with the record."
},
"state": {
"type": "string",
"description": "State of acquisition job.",
"enum": [
"NEW",
"ERROR",
"QUEUED",
"RUNNING",
"COMPLETE",
"FAILED"
]
},
"md5": {
"description": "Acquired file MD5 hash.",
"type": "string"
},
"request_time": {
"type": "string",
"format": "date-time",
"description": "File acquisition request time."
},
"request_actor": {
"type": "object",
"properties": {
"_id": {
"type": "integer",
"format": "int32",
"description": "Unique ID."
},
"username": {
"type": "string",
"description": "Username."
}
}
},
"req_path": {
"type": "string",
"description": "Path of the file requested."
},
"req_filename": {
"type": "string",
"description": "Name of the file requested."
},
"req_use_api": {
"type": "boolean",
"description": "True if this is a API File Acquisition. False if this is a Raw File Acquisition"
},
"zip_passphrase": {
"type": "string",
"description": "Acquired file zip passphrase."
},
"external_id": {
"type": "string",
"description": "External correlation ID from a SIEM solution."
},
"finish_time": {
"type": "string",
"format": "date-time",
"description": "Time when the acquisition completed."
},
"indicator": {
"type": "object",
"properties": {
"_id": {
"description": "Unique indicator ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"name": {
"type": "string",
"description": "Object name."
},
"uri_name": {
"type": "string",
"description": "Formalized name of the indicator definition source."
},
"display_name": {
"type": "string",
"description": "Name of the indicator definition source."
},
"signature": {
"type": "string",
"description": "IOC signature."
},
"category": {
"type": "integer",
"format": "int32",
"description": "Unique ID."
}
}
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"host": {
"type": "object",
"properties": {
"_id": {
"description": "Unique agent ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
}
}
},
"alert": {
"type": "object",
"properties": {
"_id": {
"description": "Unique alert ID.",
"type": "integer",
"format": "int32"
}
}
},
"condition": {
"type": "object",
"properties": {
"_id": {
"description": "Unique condition ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
}
}
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"create_file_acq": {
"summary": "create_file_acq",
"value": {
"details": [],
"route": "/hx/api/v3/hosts/agent_id/files",
"data": {
"_id": 9,
"_revision": "20200716104729029648105761",
"error_message": null,
"comment": "this is a comment",
"state": "NEW",
"md5": null,
"request_time": "2020-07-16T10:47:29.000Z",
"request_actor": {
"_id": 1000,
"username": "api_admin"
},
"req_path": "C:\\$Extend\\$RmMetadata\\$TxfLog\\",
"req_filename": "$TxfLog.blf",
"req_use_api": null,
"zip_passphrase": "unzip-me",
"external_id": null,
"finish_time": null,
"indicator": null,
"url": "/hx/api/v3/acqs/files/9",
"host": {
"_id": "4ptueRw1epeegMA4WOTE2H",
"url": "/hx/api/v3/hosts/4ptueRw1epeegMA4WOTE2H"
},
"alert": null,
"condition": null
},
"message": "Created"
}
}
}
}
}
},
"acquisitions.file_acq_single.bad_request": {
"description": "Standard API response for a single JSON object.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object"
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"bad_request": {
"summary": "bad_request",
"value": {
"details": [
{
"type": "error",
"code": 1304,
"message": "Unable to parse request body",
"details": "Unexpected token $ in JSON at position 30"
}
],
"message": "Bad Request"
}
}
}
}
}
},
"acquisitions.file_acq_single.unprocessable": {
"description": "Standard API response for a single JSON object.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object"
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"unprocessable": {
"summary": "unprocessable",
"value": {
"details": [
{
"type": "error",
"code": 2001,
"path": "req_filename",
"message": "should have required property 'req_filename'",
"details": {
"missingProperty": "req_filename"
}
},
{
"type": "error",
"code": 2001,
"path": "req_path",
"message": "should have required property 'req_path'",
"details": {
"missingProperty": "req_path"
}
}
],
"route": "/hx/api/v3/hosts/agent_id/files",
"message": "Unprocessable Entity"
}
}
}
}
}
},
"acquisitions.file_acq_single.not_found": {
"description": "Standard API response for a single JSON object.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object"
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"not_found": {
"summary": "not_found",
"value": {
"details": [
{
"type": "error",
"code": 1005,
"message": "File acquisition not found.",
"path": "id"
}
],
"route": "/hx/api/v3/acqs/files/id",
"message": "Not Found"
}
}
}
}
}
},
"acquisitions.live_acq.success": {
"description": "Standard API response for an array of JSON objects.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"sort": {
"type": "object",
"description": "List of sort parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
},
"entries": {
"type": "array",
"items": {
"type": "object",
"properties": {
"_id": {
"description": "Unique acquisition ID.",
"type": "integer",
"format": "int32"
},
"_revision": {
"type": "string",
"description": "Timestamp at time of record creation or update."
},
"error_message": {
"type": "string",
"description": "Error message."
},
"comment": {
"type": "string",
"description": "Comment associated with the record."
},
"state": {
"type": "string",
"description": "State of acquisition job.",
"enum": [
"NEW",
"ERROR",
"QUEUED",
"RUNNING",
"COMPLETE",
"FAILED"
]
},
"md5": {
"description": "Acquired file MD5 hash.",
"type": "string"
},
"request_time": {
"type": "string",
"format": "date-time",
"description": "File acquisition request time."
},
"request_actor": {
"type": "object",
"properties": {
"_id": {
"type": "integer",
"format": "int32",
"description": "Unique ID."
},
"username": {
"type": "string",
"description": "Username."
}
}
},
"req_path": {
"type": "string",
"description": "Path of the file requested."
},
"req_filename": {
"type": "string",
"description": "Name of the file requested."
},
"req_use_api": {
"type": "boolean",
"description": "True if this is a API File Acquisition. False if this is a Raw File Acquisition"
},
"zip_passphrase": {
"type": "string",
"description": "Acquired file zip passphrase."
},
"external_id": {
"type": "string",
"description": "External correlation ID from a SIEM solution."
},
"finish_time": {
"type": "string",
"format": "date-time",
"description": "Time when the acquisition completed."
},
"indicator": {
"type": "object",
"properties": {
"_id": {
"description": "Unique indicator ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"name": {
"type": "string",
"description": "Object name."
},
"uri_name": {
"type": "string",
"description": "Formalized name of the indicator definition source."
},
"display_name": {
"type": "string",
"description": "Name of the indicator definition source."
},
"signature": {
"type": "string",
"description": "IOC signature."
},
"category": {
"type": "integer",
"format": "int32",
"description": "Unique ID."
}
}
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"host": {
"type": "object",
"properties": {
"_id": {
"description": "Unique agent ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
}
}
},
"alert": {
"type": "object",
"properties": {
"_id": {
"description": "Unique alert ID.",
"type": "integer",
"format": "int32"
}
}
},
"condition": {
"type": "object",
"properties": {
"_id": {
"description": "Unique condition ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
}
}
}
}
},
"description": "JSON objects returned."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"list_live_acqs": {
"summary": "list_live_acqs",
"value": {
"data": {
"total": 3,
"query": {},
"sort": {},
"offset": 0,
"limit": 1,
"entries": [
{
"_id": 1,
"_revision": "20200716093914141658105209",
"error_message": "The triage completed with issues.",
"comment": "",
"state": "COMPLETE",
"name": "Quick File Listing",
"md5": null,
"request_time": "2020-07-16T09:34:16.377Z",
"request_actor": {
"_id": 1001,
"username": "admin"
},
"zip_passphrase": null,
"external_id": null,
"finish_time": "2020-07-16T09:39:14.141Z",
"url": "/hx/api/v3/acqs/live/1",
"download": "/hx/api/v3/acqs/live/1.mans",
"host": {
"_id": "dOw5Iy4Gh56faVJ6zOwitf",
"url": "/hx/api/v3/hosts/dOw5Iy4Gh56faVJ6zOwitf"
},
"script": {
"_id": "a308e385e3aa45f544280f784ab40e4705188afe",
"url": "/hx/api/v3/scripts/a308e385e3aa45f544280f784ab40e4705188afe",
"download": "/hx/api/v3/scripts/a308e385e3aa45f544280f784ab40e4705188afe.json"
}
}
]
},
"message": "OK",
"details": [],
"route": "/hx/api/v3/acqs/live"
}
}
}
}
}
},
"acquisitions.live_acq.unprocessable": {
"description": "Standard API response for a single JSON object.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object"
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"unprocessable": {
"summary": "unprocessable",
"value": {
"details": [
{
"type": "error",
"code": 2019,
"path": "query.limit",
"message": "Value must be formatted as a non-negative 32 bit integer (0 to 2147483647)."
},
{
"type": "error",
"code": 2019,
"path": "query.limit",
"message": "Value must be formatted as a non-negative 32 bit integer (0 to 2147483647)."
}
],
"route": "/hx/api/v3/acqs/live",
"message": "Unprocessable Entity"
}
}
}
}
}
},
"acquisitions.live_acq.not_found": {
"description": "Standard API response for a single JSON object.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object"
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"not_found": {
"summary": "not_found",
"value": {
"details": [
{
"type": "error",
"code": 1005,
"message": "Host not found.",
"path": "agent_id"
}
],
"route": "/hx/api/v3/hosts/agent_id/live",
"message": "Not Found"
}
}
}
}
}
},
"acquisitions.live_acq.get_hosts_live_acqs": {
"description": "Standard API response for an array of JSON objects.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"sort": {
"type": "object",
"description": "List of sort parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
},
"entries": {
"type": "array",
"items": {
"type": "object",
"properties": {
"_id": {
"description": "Unique acquisition ID.",
"type": "integer",
"format": "int32"
},
"_revision": {
"type": "string",
"description": "Timestamp at time of record creation or update."
},
"error_message": {
"type": "string",
"description": "Error message."
},
"comment": {
"type": "string",
"description": "Comment associated with the record."
},
"state": {
"type": "string",
"description": "State of acquisition job.",
"enum": [
"NEW",
"ERROR",
"QUEUED",
"RUNNING",
"COMPLETE",
"FAILED"
]
},
"md5": {
"description": "Acquired file MD5 hash.",
"type": "string"
},
"request_time": {
"type": "string",
"format": "date-time",
"description": "File acquisition request time."
},
"request_actor": {
"type": "object",
"properties": {
"_id": {
"type": "integer",
"format": "int32",
"description": "Unique ID."
},
"username": {
"type": "string",
"description": "Username."
}
}
},
"req_path": {
"type": "string",
"description": "Path of the file requested."
},
"req_filename": {
"type": "string",
"description": "Name of the file requested."
},
"req_use_api": {
"type": "boolean",
"description": "True if this is a API File Acquisition. False if this is a Raw File Acquisition"
},
"zip_passphrase": {
"type": "string",
"description": "Acquired file zip passphrase."
},
"external_id": {
"type": "string",
"description": "External correlation ID from a SIEM solution."
},
"finish_time": {
"type": "string",
"format": "date-time",
"description": "Time when the acquisition completed."
},
"indicator": {
"type": "object",
"properties": {
"_id": {
"description": "Unique indicator ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"name": {
"type": "string",
"description": "Object name."
},
"uri_name": {
"type": "string",
"description": "Formalized name of the indicator definition source."
},
"display_name": {
"type": "string",
"description": "Name of the indicator definition source."
},
"signature": {
"type": "string",
"description": "IOC signature."
},
"category": {
"type": "integer",
"format": "int32",
"description": "Unique ID."
}
}
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"host": {
"type": "object",
"properties": {
"_id": {
"description": "Unique agent ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
}
}
},
"alert": {
"type": "object",
"properties": {
"_id": {
"description": "Unique alert ID.",
"type": "integer",
"format": "int32"
}
}
},
"condition": {
"type": "object",
"properties": {
"_id": {
"description": "Unique condition ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
}
}
}
}
},
"description": "JSON objects returned."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"get_hosts_live_acqs": {
"summary": "get_hosts_live_acqs",
"value": {
"data": {
"total": 1,
"query": {
"host._id": "4ptueRw1epeegMA4WOTE2H"
},
"sort": {},
"offset": 0,
"limit": 50,
"entries": [
{
"_id": 3,
"_revision": "20200716093839368230105196",
"error_message": "The triage completed with issues.",
"comment": "",
"state": "COMPLETE",
"name": "Quick File Listing",
"md5": null,
"request_time": "2020-07-16T09:34:16.435Z",
"request_actor": {
"_id": 1001,
"username": "admin"
},
"zip_passphrase": null,
"external_id": null,
"finish_time": "2020-07-16T09:38:39.367Z",
"url": "/hx/api/v3/acqs/live/3",
"download": "/hx/api/v3/acqs/live/3.mans",
"host": {
"_id": "4ptueRw1epeegMA4WOTE2H",
"url": "/hx/api/v3/hosts/4ptueRw1epeegMA4WOTE2H"
},
"script": {
"_id": "c59bd68a274e70bb47491bf35badf7568e1366a9",
"url": "/hx/api/v3/scripts/c59bd68a274e70bb47491bf35badf7568e1366a9",
"download": "/hx/api/v3/scripts/c59bd68a274e70bb47491bf35badf7568e1366a9.xml"
}
}
]
},
"message": "OK",
"details": [],
"route": "/hx/api/v3/hosts/agent_id/live"
}
}
}
}
}
},
"acquisitions.live_acq_single.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"_id": {
"description": "Unique acquisition ID.",
"type": "integer",
"format": "int32"
},
"_revision": {
"type": "string",
"description": "Timestamp at time of record creation or update."
},
"error_message": {
"type": "string",
"description": "Error message."
},
"comment": {
"type": "string",
"description": "Comment associated with the record."
},
"state": {
"type": "string",
"description": "State of acquisition job.",
"enum": [
"NEW",
"ERROR",
"QUEUED",
"RUNNING",
"COMPLETE",
"FAILED"
]
},
"md5": {
"description": "Acquired file MD5 hash.",
"type": "string"
},
"request_time": {
"type": "string",
"format": "date-time",
"description": "File acquisition request time."
},
"request_actor": {
"type": "object",
"properties": {
"_id": {
"type": "integer",
"format": "int32",
"description": "Unique ID."
},
"username": {
"type": "string",
"description": "Username."
}
}
},
"req_path": {
"type": "string",
"description": "Path of the file requested."
},
"req_filename": {
"type": "string",
"description": "Name of the file requested."
},
"req_use_api": {
"type": "boolean",
"description": "True if this is a API File Acquisition. False if this is a Raw File Acquisition"
},
"zip_passphrase": {
"type": "string",
"description": "Acquired file zip passphrase."
},
"external_id": {
"type": "string",
"description": "External correlation ID from a SIEM solution."
},
"finish_time": {
"type": "string",
"format": "date-time",
"description": "Time when the acquisition completed."
},
"indicator": {
"type": "object",
"properties": {
"_id": {
"description": "Unique indicator ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"name": {
"type": "string",
"description": "Object name."
},
"uri_name": {
"type": "string",
"description": "Formalized name of the indicator definition source."
},
"display_name": {
"type": "string",
"description": "Name of the indicator definition source."
},
"signature": {
"type": "string",
"description": "IOC signature."
},
"category": {
"type": "integer",
"format": "int32",
"description": "Unique ID."
}
}
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"host": {
"type": "object",
"properties": {
"_id": {
"description": "Unique agent ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
}
}
},
"alert": {
"type": "object",
"properties": {
"_id": {
"description": "Unique alert ID.",
"type": "integer",
"format": "int32"
}
}
},
"condition": {
"type": "object",
"properties": {
"_id": {
"description": "Unique condition ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
}
}
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"get_live_acqs_by_id": {
"summary": "get_live_acqs_by_id",
"value": {
"details": [],
"route": "/hx/api/v3/acqs/live/id",
"data": {
"_id": 1,
"_revision": "20200716093914141658105209",
"error_message": "The triage completed with issues.",
"comment": "",
"state": "COMPLETE",
"name": "Quick File Listing",
"md5": null,
"request_time": "2020-07-16T09:34:16.377Z",
"request_actor": {
"_id": 1001,
"username": "admin"
},
"zip_passphrase": null,
"external_id": null,
"finish_time": "2020-07-16T09:39:14.141Z",
"url": "/hx/api/v3/acqs/live/1",
"download": "/hx/api/v3/acqs/live/1.mans",
"host": {
"_id": "dOw5Iy4Gh56faVJ6zOwitf",
"url": "/hx/api/v3/hosts/dOw5Iy4Gh56faVJ6zOwitf"
},
"script": {
"_id": "a308e385e3aa45f544280f784ab40e4705188afe",
"url": "/hx/api/v3/scripts/a308e385e3aa45f544280f784ab40e4705188afe",
"download": "/hx/api/v3/scripts/a308e385e3aa45f544280f784ab40e4705188afe.json"
}
},
"message": "OK"
}
}
}
}
}
},
"acquisitions.live_acq_single.created": {
"description": "Create File Acquisition response.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"_id": {
"description": "Unique acquisition ID.",
"type": "integer",
"format": "int32"
},
"_revision": {
"type": "string",
"description": "Timestamp at time of record creation or update."
},
"error_message": {
"type": "string",
"description": "Error message."
},
"comment": {
"type": "string",
"description": "Comment associated with the record."
},
"state": {
"type": "string",
"description": "State of acquisition job.",
"enum": [
"NEW",
"ERROR",
"QUEUED",
"RUNNING",
"COMPLETE",
"FAILED"
]
},
"md5": {
"description": "Acquired file MD5 hash.",
"type": "string"
},
"request_time": {
"type": "string",
"format": "date-time",
"description": "File acquisition request time."
},
"request_actor": {
"type": "object",
"properties": {
"_id": {
"type": "integer",
"format": "int32",
"description": "Unique ID."
},
"username": {
"type": "string",
"description": "Username."
}
}
},
"req_path": {
"type": "string",
"description": "Path of the file requested."
},
"req_filename": {
"type": "string",
"description": "Name of the file requested."
},
"req_use_api": {
"type": "boolean",
"description": "True if this is a API File Acquisition. False if this is a Raw File Acquisition"
},
"zip_passphrase": {
"type": "string",
"description": "Acquired file zip passphrase."
},
"external_id": {
"type": "string",
"description": "External correlation ID from a SIEM solution."
},
"finish_time": {
"type": "string",
"format": "date-time",
"description": "Time when the acquisition completed."
},
"indicator": {
"type": "object",
"properties": {
"_id": {
"description": "Unique indicator ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"name": {
"type": "string",
"description": "Object name."
},
"uri_name": {
"type": "string",
"description": "Formalized name of the indicator definition source."
},
"display_name": {
"type": "string",
"description": "Name of the indicator definition source."
},
"signature": {
"type": "string",
"description": "IOC signature."
},
"category": {
"type": "integer",
"format": "int32",
"description": "Unique ID."
}
}
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"host": {
"type": "object",
"properties": {
"_id": {
"description": "Unique agent ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
}
}
},
"alert": {
"type": "object",
"properties": {
"_id": {
"description": "Unique alert ID.",
"type": "integer",
"format": "int32"
}
}
},
"condition": {
"type": "object",
"properties": {
"_id": {
"description": "Unique condition ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
}
}
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"get_live_acqs_by_id": {
"summary": "get_live_acqs_by_id",
"value": {
"details": [],
"route": "/hx/api/v3/hosts/agent_id/live",
"data": {
"_id": 14,
"_revision": "20200716140841294471107383",
"error_message": null,
"comment": null,
"state": "NEW",
"name": "Awesome",
"md5": null,
"request_time": "2020-07-16T14:08:41.000Z",
"request_actor": {
"_id": 1000,
"username": "api_admin"
},
"zip_passphrase": null,
"external_id": null,
"finish_time": null,
"url": "/hx/api/v3/acqs/live/14",
"download": "/hx/api/v3/acqs/live/14.mans",
"host": {
"_id": "4ptueRw1epeegMA4WOTE2H",
"url": "/hx/api/v3/hosts/4ptueRw1epeegMA4WOTE2H"
},
"script": {
"_id": "4d4dd41d85808c32eed164ae0e751671dcc96731",
"url": "/hx/api/v3/scripts/4d4dd41d85808c32eed164ae0e751671dcc96731",
"download": "/hx/api/v3/scripts/4d4dd41d85808c32eed164ae0e751671dcc96731.xml"
}
},
"message": "Created"
}
}
}
}
}
},
"acquisitions.live_acq_single.not_found": {
"description": "Standard API response for a single JSON object.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object"
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"not_found": {
"summary": "not_found",
"value": {
"details": [
{
"type": "error",
"code": 1005,
"message": "Live Response not found",
"path": "id"
}
],
"route": "/hx/api/v3/acqs/live/id",
"message": "Not Found"
}
}
}
}
}
},
"acquisitions.live_acq_single.unprocessable": {
"description": "Standard API response for a single JSON object.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object"
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"unprocessable": {
"summary": "unprocessable",
"value": {
"details": [
{
"type": "error",
"code": 2019,
"path": "params.id",
"message": "Value must be formatted as a non-negative 32 bit integer (0 to 2147483647)."
}
],
"route": "/hx/api/v3/acqs/live/id",
"message": "Unprocessable Entity"
}
}
}
}
}
},
"acquisitions.triage_acq.success": {
"description": "Standard API response for an array of JSON objects.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"sort": {
"type": "object",
"description": "List of sort parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
},
"entries": {
"type": "array",
"items": {
"type": "object",
"properties": {
"_id": {
"description": "Unique acquisition ID.",
"type": "integer",
"format": "int32"
},
"_revision": {
"type": "string",
"description": "Timestamp at time of record creation or update."
},
"error_message": {
"type": "string",
"description": "Error message."
},
"state": {
"type": "string",
"description": "State of acquisition job.",
"enum": [
"NEW",
"ERROR",
"QUEUED",
"RUNNING",
"COMPLETE",
"FAILED"
]
},
"md5": {
"description": "Acquired file MD5 hash.",
"type": "string"
},
"request_time": {
"type": "string",
"format": "date-time",
"description": "File acquisition request time."
},
"request_actor": {
"type": "object",
"properties": {
"_id": {
"type": "integer",
"format": "int32",
"description": "Unique ID."
},
"username": {
"type": "string",
"description": "Username."
}
}
},
"req_timestamp": {
"type": "string",
"format": "date-time",
"description": "Timestamp for which the acquisition was requested."
},
"comment": {
"type": "string",
"description": "Comment associated with the record."
},
"external_id": {
"type": "string",
"description": "External correlation ID from a SIEM solution."
},
"finish_time": {
"type": "string",
"format": "date-time",
"description": "Time when the acquisition completed."
},
"indicator": {
"type": "object",
"properties": {
"_id": {
"description": "Unique indicator ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"name": {
"type": "string",
"description": "Object name."
},
"uri_name": {
"type": "string",
"description": "Formalized name of the indicator definition source."
},
"display_name": {
"type": "string",
"description": "Name of the indicator definition source."
},
"signature": {
"type": "string",
"description": "IOC signature."
},
"category": {
"type": "integer",
"format": "int32",
"description": "Unique ID."
}
}
},
"disable_cef": {
"type": "boolean",
"description": "True if logging to CEF is disabled. Default is False."
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"host": {
"type": "object",
"properties": {
"_id": {
"description": "Unique agent ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
}
}
},
"alert": {
"type": "object",
"properties": {
"_id": {
"description": "Unique alert ID.",
"type": "integer",
"format": "int32"
}
}
},
"condition": {
"type": "object",
"properties": {
"_id": {
"description": "Unique condition ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
}
}
}
}
},
"description": "JSON objects returned."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"get_live_acqs_by_id": {
"summary": "get_live_acqs_by_id",
"value": {
"data": {
"total": 4,
"query": {},
"sort": {},
"offset": 0,
"limit": 1,
"entries": [
{
"_id": 10,
"_revision": "20200716132857207648107060",
"error_message": null,
"state": "RUNNING",
"md5": null,
"request_time": "2020-07-16T13:28:43.887Z",
"request_actor": {
"_id": 1001,
"username": "admin"
},
"req_timestamp": null,
"comment": "",
"external_id": null,
"finish_time": null,
"indicator": null,
"disable_cef": false,
"url": "/hx/api/v3/acqs/triages/10",
"host": {
"_id": "j9TEJMSEUK3cQFQgGlGOXP",
"url": "/hx/api/v3/hosts/j9TEJMSEUK3cQFQgGlGOXP"
},
"alert": null,
"condition": null
}
]
},
"message": "OK",
"details": [],
"route": "/hx/api/v3/acqs/triages"
}
}
}
}
}
},
"acquisitions.triage_acq.get_files_response": {
"description": "Standard API response for an array of JSON objects.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"sort": {
"type": "object",
"description": "List of sort parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
},
"entries": {
"type": "array",
"items": {
"type": "object",
"properties": {
"_id": {
"description": "Unique acquisition ID.",
"type": "integer",
"format": "int32"
},
"_revision": {
"type": "string",
"description": "Timestamp at time of record creation or update."
},
"error_message": {
"type": "string",
"description": "Error message."
},
"state": {
"type": "string",
"description": "State of acquisition job.",
"enum": [
"NEW",
"ERROR",
"QUEUED",
"RUNNING",
"COMPLETE",
"FAILED"
]
},
"md5": {
"description": "Acquired file MD5 hash.",
"type": "string"
},
"request_time": {
"type": "string",
"format": "date-time",
"description": "File acquisition request time."
},
"request_actor": {
"type": "object",
"properties": {
"_id": {
"type": "integer",
"format": "int32",
"description": "Unique ID."
},
"username": {
"type": "string",
"description": "Username."
}
}
},
"req_timestamp": {
"type": "string",
"format": "date-time",
"description": "Timestamp for which the acquisition was requested."
},
"comment": {
"type": "string",
"description": "Comment associated with the record."
},
"external_id": {
"type": "string",
"description": "External correlation ID from a SIEM solution."
},
"finish_time": {
"type": "string",
"format": "date-time",
"description": "Time when the acquisition completed."
},
"indicator": {
"type": "object",
"properties": {
"_id": {
"description": "Unique indicator ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"name": {
"type": "string",
"description": "Object name."
},
"uri_name": {
"type": "string",
"description": "Formalized name of the indicator definition source."
},
"display_name": {
"type": "string",
"description": "Name of the indicator definition source."
},
"signature": {
"type": "string",
"description": "IOC signature."
},
"category": {
"type": "integer",
"format": "int32",
"description": "Unique ID."
}
}
},
"disable_cef": {
"type": "boolean",
"description": "True if logging to CEF is disabled. Default is False."
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"host": {
"type": "object",
"properties": {
"_id": {
"description": "Unique agent ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
}
}
},
"alert": {
"type": "object",
"properties": {
"_id": {
"description": "Unique alert ID.",
"type": "integer",
"format": "int32"
}
}
},
"condition": {
"type": "object",
"properties": {
"_id": {
"description": "Unique condition ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
}
}
}
}
},
"description": "JSON objects returned."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"get_files_response_by_id": {
"summary": "get_files_response_by_id",
"value": {
"data": {
"total": 1,
"query": {
"host._id": "4ptueRw1epeegMA4WOTE2H"
},
"sort": {
"request_time": -1
},
"offset": 0,
"limit": 50,
"entries": [
{
"_id": 9,
"_revision": "20200716104925375313105779",
"error_message": "The acquisition completed with issues.",
"comment": "this is a comment",
"state": "COMPLETE",
"md5": "d44251cd305329e1595f670f2a6824d1",
"request_time": "2020-07-16T10:47:29.000Z",
"request_actor": {
"_id": 1000,
"username": "api_admin"
},
"req_path": "C:\\$Extend\\$RmMetadata\\$TxfLog\\",
"req_filename": "$TxfLog.blf",
"req_use_api": null,
"zip_passphrase": "unzip-me",
"external_id": null,
"finish_time": "2020-07-16T10:49:25.375Z",
"indicator": null,
"url": "/hx/api/v3/acqs/files/9",
"host": {
"_id": "4ptueRw1epeegMA4WOTE2H",
"url": "/hx/api/v3/hosts/4ptueRw1epeegMA4WOTE2H"
},
"alert": null,
"condition": null
}
]
},
"message": "OK",
"details": [],
"route": "/hx/api/v3/hosts/agent_id/files"
}
}
}
}
}
},
"acquisitions.triage_acq.unprocessable": {
"description": "Standard API response for a single JSON object.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object"
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"unprocessable": {
"summary": "unprocessable",
"value": {
"details": [
{
"type": "error",
"code": 2019,
"path": "query.limit",
"message": "Value must be formatted as a non-negative 32 bit integer (0 to 2147483647)."
}
],
"route": "/hx/api/v3/acqs/triages",
"message": "Unprocessable Entity"
}
}
}
}
}
},
"acquisitions.triage_acq.not_found": {
"description": "Standard API response for a single JSON object.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object"
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"not_found": {
"summary": "not_found",
"value": {
"details": [
{
"type": "error",
"code": 1005,
"message": "Host not found.",
"path": "agent_id"
}
],
"route": "/hx/api/v3/hosts/agent_id/files",
"message": "Not Found"
}
}
}
}
}
},
"acquisitions.triage_acq_single.success": {
"description": "File Acquisition response.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"_id": {
"description": "Unique acquisition ID.",
"type": "integer",
"format": "int32"
},
"_revision": {
"type": "string",
"description": "Timestamp at time of record creation or update."
},
"error_message": {
"type": "string",
"description": "Error message."
},
"state": {
"type": "string",
"description": "State of acquisition job.",
"enum": [
"NEW",
"ERROR",
"QUEUED",
"RUNNING",
"COMPLETE",
"FAILED"
]
},
"md5": {
"description": "Acquired file MD5 hash.",
"type": "string"
},
"request_time": {
"type": "string",
"format": "date-time",
"description": "File acquisition request time."
},
"request_actor": {
"type": "object",
"properties": {
"_id": {
"type": "integer",
"format": "int32",
"description": "Unique ID."
},
"username": {
"type": "string",
"description": "Username."
}
}
},
"req_timestamp": {
"type": "string",
"format": "date-time",
"description": "Timestamp for which the acquisition was requested."
},
"comment": {
"type": "string",
"description": "Comment associated with the record."
},
"external_id": {
"type": "string",
"description": "External correlation ID from a SIEM solution."
},
"finish_time": {
"type": "string",
"format": "date-time",
"description": "Time when the acquisition completed."
},
"indicator": {
"type": "object",
"properties": {
"_id": {
"description": "Unique indicator ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"name": {
"type": "string",
"description": "Object name."
},
"uri_name": {
"type": "string",
"description": "Formalized name of the indicator definition source."
},
"display_name": {
"type": "string",
"description": "Name of the indicator definition source."
},
"signature": {
"type": "string",
"description": "IOC signature."
},
"category": {
"type": "integer",
"format": "int32",
"description": "Unique ID."
}
}
},
"disable_cef": {
"type": "boolean",
"description": "True if logging to CEF is disabled. Default is False."
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"host": {
"type": "object",
"properties": {
"_id": {
"description": "Unique agent ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
}
}
},
"alert": {
"type": "object",
"properties": {
"_id": {
"description": "Unique alert ID.",
"type": "integer",
"format": "int32"
}
}
},
"condition": {
"type": "object",
"properties": {
"_id": {
"description": "Unique condition ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
}
}
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"get_triages_acqs_by_id": {
"summary": "get_triages_acqs_by_id",
"value": {
"details": [],
"route": "/hx/api/v3/acqs/triages/id",
"data": {
"_id": 10,
"_revision": "20200716133632656552107126",
"error_message": "The triage completed with issues.",
"state": "COMPLETE",
"md5": null,
"request_time": "2020-07-16T13:28:43.887Z",
"request_actor": {
"_id": 1001,
"username": "admin"
},
"req_timestamp": null,
"comment": "",
"external_id": null,
"finish_time": "2020-07-16T13:36:32.656Z",
"indicator": null,
"disable_cef": false,
"url": "/hx/api/v3/acqs/triages/10",
"host": {
"_id": "j9TEJMSEUK3cQFQgGlGOXP",
"url": "/hx/api/v3/hosts/j9TEJMSEUK3cQFQgGlGOXP"
},
"alert": null,
"condition": null
},
"message": "OK"
}
}
}
}
}
},
"acquisitions.triage_acq_single.created": {
"description": "Created",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"_id": {
"description": "Unique acquisition ID.",
"type": "integer",
"format": "int32"
},
"_revision": {
"type": "string",
"description": "Timestamp at time of record creation or update."
},
"error_message": {
"type": "string",
"description": "Error message."
},
"state": {
"type": "string",
"description": "State of acquisition job.",
"enum": [
"NEW",
"ERROR",
"QUEUED",
"RUNNING",
"COMPLETE",
"FAILED"
]
},
"md5": {
"description": "Acquired file MD5 hash.",
"type": "string"
},
"request_time": {
"type": "string",
"format": "date-time",
"description": "File acquisition request time."
},
"request_actor": {
"type": "object",
"properties": {
"_id": {
"type": "integer",
"format": "int32",
"description": "Unique ID."
},
"username": {
"type": "string",
"description": "Username."
}
}
},
"req_timestamp": {
"type": "string",
"format": "date-time",
"description": "Timestamp for which the acquisition was requested."
},
"comment": {
"type": "string",
"description": "Comment associated with the record."
},
"external_id": {
"type": "string",
"description": "External correlation ID from a SIEM solution."
},
"finish_time": {
"type": "string",
"format": "date-time",
"description": "Time when the acquisition completed."
},
"indicator": {
"type": "object",
"properties": {
"_id": {
"description": "Unique indicator ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"name": {
"type": "string",
"description": "Object name."
},
"uri_name": {
"type": "string",
"description": "Formalized name of the indicator definition source."
},
"display_name": {
"type": "string",
"description": "Name of the indicator definition source."
},
"signature": {
"type": "string",
"description": "IOC signature."
},
"category": {
"type": "integer",
"format": "int32",
"description": "Unique ID."
}
}
},
"disable_cef": {
"type": "boolean",
"description": "True if logging to CEF is disabled. Default is False."
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"host": {
"type": "object",
"properties": {
"_id": {
"description": "Unique agent ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
}
}
},
"alert": {
"type": "object",
"properties": {
"_id": {
"description": "Unique alert ID.",
"type": "integer",
"format": "int32"
}
}
},
"condition": {
"type": "object",
"properties": {
"_id": {
"description": "Unique condition ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
}
}
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"get_triages_acqs_by_id": {
"summary": "get_triages_acqs_by_id",
"value": {
"details": [],
"route": "/hx/api/v3/acqs/triages/id",
"data": {
"_id": 10,
"_revision": "20200716133632656552107126",
"error_message": "The triage completed with issues.",
"state": "COMPLETE",
"md5": null,
"request_time": "2020-07-16T13:28:43.887Z",
"request_actor": {
"_id": 1001,
"username": "admin"
},
"req_timestamp": null,
"comment": "",
"external_id": null,
"finish_time": "2020-07-16T13:36:32.656Z",
"indicator": null,
"disable_cef": false,
"url": "/hx/api/v3/acqs/triages/10",
"host": {
"_id": "j9TEJMSEUK3cQFQgGlGOXP",
"url": "/hx/api/v3/hosts/j9TEJMSEUK3cQFQgGlGOXP"
},
"alert": null,
"condition": null
},
"message": "OK"
}
}
}
}
}
},
"acquisitions.triage_acq_single.not_found": {
"description": "Standard API response for a single JSON object.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object"
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"not_found": {
"summary": "not_found",
"value": {
"details": [
{
"type": "error",
"code": 1005,
"message": "Triage not found."
}
],
"route": "/hx/api/v3/acqs/triages/id",
"message": "Not Found"
}
}
}
}
}
},
"alerts.alert.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"sort": {
"type": "object",
"description": "List of sort parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
},
"entries": {
"type": "array",
"items": {
"type": "object",
"properties": {
"_id": {
"description": "Unique alert ID.",
"type": "integer",
"format": "int32"
},
"agent": {
"type": "object",
"properties": {}
},
"appliance": {
"type": "object",
"properties": {
"_id": {
"description": "Unique appliance ID.",
"type": "string"
}
}
},
"condition": {
"type": "object",
"properties": {
"_id": {
"description": "Unique condition ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"enabled": {
"type": "boolean",
"description": "Enabled / disabled setting."
},
"uuid": {
"type": "string",
"description": "Unique ID."
},
"tests": {
"type": "string",
"description": "List of tests that define this condition."
},
"event_type": {
"type": "string",
"description": "Primary event type for this condition based on the first test."
}
}
},
"indicator": {
"type": "object",
"properties": {
"_id": {
"description": "Unique indicator ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"name": {
"type": "string",
"description": "Object name."
},
"uri_name": {
"type": "string",
"description": "Formalized name of the indicator definition source."
},
"display_name": {
"type": "string",
"description": "Name of the indicator definition source."
},
"signature": {
"type": "string",
"description": "IOC signature."
},
"category": {
"type": "integer",
"format": "int32",
"description": "Unique ID."
}
}
},
"event_id": {
"type": "string",
"description": "ID of the event from the alert JSON object key.event_id."
},
"event_type": {
"type": "string",
"description": "Type of the event from the alert JSON object key.event_type."
},
"event_values": {
"type": "object",
"description": "JSON object alert content."
},
"event_at": {
"type": "string",
"format": "date-time",
"description": "Time the event happened on the agent."
},
"matched_at": {
"type": "string",
"format": "date-time",
"description": "Time the IOC match occurred on the agent."
},
"reported_at": {
"type": "string",
"format": "date-time",
"description": "Time the server received the alert."
},
"source": {
"type": "string",
"description": "Source of the alert (IOC, EXD, MAL, etc)."
},
"subtype": {
"type": "string",
"description": "Engine that generated the alert (av, mg, etc)."
},
"matched_source_alerts": {
"type": "array",
"items": {
"type": "object"
},
"description": "Collection of matched source alerts. Empty except when returned from /alerts/{id}/full_details."
},
"has_share_mode": {
"type": "string",
"description": "Indicator share mode (unrestricted, restricted, silent, or any).",
"enum": [
"unrestricted",
"restricted",
"silent",
"any"
]
},
"resolution": {
"type": "string",
"description": "Alert resolution (alert, block, or partial_block).",
"enum": [
"alert",
"block",
"partial_block",
"active_threat"
]
},
"is_false_positive": {
"type": "boolean",
"description": "False positive alert (true) or not false positive alert (false)."
},
"decorators": {
"type": "array",
"items": {
"type": "object"
},
"description": "Collection of Enricher reports."
},
"md5values": {
"type": "array",
"items": {
"type": "string"
},
"description": "Collection of MD5 hashes of files involved."
},
"decorator_sources": {
"type": "array",
"items": {
"type": "string"
},
"description": "Collection of Enricher sources."
},
"decorator_statuses": {
"type": "array",
"items": {
"type": "string"
},
"description": "Collection of Enricher summary statuses."
}
}
},
"description": "JSON objects returned."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"alerts.alert_filter.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"sort": {
"type": "object",
"description": "List of sort parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
},
"entries": {
"type": "array",
"items": {
"type": "object",
"properties": {
"_id": {
"description": "Unique alert filter ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"created_at": {
"type": "string",
"format": "date-time",
"description": "Time the event happened on the agent."
},
"filter": {
"type": "object",
"description": "JSON object filter definition."
},
"detected_by": {
"type": "string",
"description": "Base name of alert type."
},
"dispositions": {
"type": "array",
"items": {
"type": "object",
"properties": {
"disposition": {
"type": "string",
"description": "Unknown, True Positive, or False Positive."
},
"source": {
"type": "string",
"description": "FireEye or User."
},
"created": {
"type": "string",
"format": "date-time",
"description": "Time created."
},
"filter_id": {
"description": "Unique alert filter ID.",
"type": "string"
}
}
}
},
"disposition_created_at": {
"type": "string",
"format": "date-time",
"description": "Creation time of most recent disposition."
},
"has_fp_disposition": {
"type": "boolean",
"description": "True if the alert filter contains only False Positive dispositions."
},
"stats": {
"type": "object",
"properties": {
"alert_groups": {
"type": "integer",
"format": "int32",
"description": "Number of distinct alert groups."
},
"hosts": {
"type": "integer",
"format": "int32",
"description": "Number of hosts affected."
},
"quarantines": {
"type": "integer",
"format": "int32",
"description": "Number of quarantines."
}
}
}
}
},
"description": "JSON objects returned."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"alerts.alert_filter_single.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"_id": {
"description": "Unique alert filter ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"created_at": {
"type": "string",
"format": "date-time",
"description": "Time the event happened on the agent."
},
"filter": {
"type": "object",
"description": "JSON object filter definition."
},
"detected_by": {
"type": "string",
"description": "Base name of alert type."
},
"dispositions": {
"type": "array",
"items": {
"type": "object",
"properties": {
"disposition": {
"type": "string",
"description": "Unknown, True Positive, or False Positive."
},
"source": {
"type": "string",
"description": "FireEye or User."
},
"created": {
"type": "string",
"format": "date-time",
"description": "Time created."
},
"filter_id": {
"description": "Unique alert filter ID.",
"type": "string"
}
}
}
},
"disposition_created_at": {
"type": "string",
"format": "date-time",
"description": "Creation time of most recent disposition."
},
"has_fp_disposition": {
"type": "boolean",
"description": "True if the alert filter contains only False Positive dispositions."
},
"stats": {
"type": "object",
"properties": {
"alert_groups": {
"type": "integer",
"format": "int32",
"description": "Number of distinct alert groups."
},
"hosts": {
"type": "integer",
"format": "int32",
"description": "Number of hosts affected."
},
"quarantines": {
"type": "integer",
"format": "int32",
"description": "Number of quarantines."
}
}
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"alerts.alert_filter_single.success_exists": {
"description": "Success - Alert Filter already exists.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"_id": {
"description": "Unique alert filter ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"created_at": {
"type": "string",
"format": "date-time",
"description": "Time the event happened on the agent."
},
"filter": {
"type": "object",
"description": "JSON object filter definition."
},
"detected_by": {
"type": "string",
"description": "Base name of alert type."
},
"dispositions": {
"type": "array",
"items": {
"type": "object",
"properties": {
"disposition": {
"type": "string",
"description": "Unknown, True Positive, or False Positive."
},
"source": {
"type": "string",
"description": "FireEye or User."
},
"created": {
"type": "string",
"format": "date-time",
"description": "Time created."
},
"filter_id": {
"description": "Unique alert filter ID.",
"type": "string"
}
}
}
},
"disposition_created_at": {
"type": "string",
"format": "date-time",
"description": "Creation time of most recent disposition."
},
"has_fp_disposition": {
"type": "boolean",
"description": "True if the alert filter contains only False Positive dispositions."
},
"stats": {
"type": "object",
"properties": {
"alert_groups": {
"type": "integer",
"format": "int32",
"description": "Number of distinct alert groups."
},
"hosts": {
"type": "integer",
"format": "int32",
"description": "Number of hosts affected."
},
"quarantines": {
"type": "integer",
"format": "int32",
"description": "Number of quarantines."
}
}
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"alerts.alert_filter_single.success_created": {
"description": "Success - Alert Filter created.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"_id": {
"description": "Unique alert filter ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"created_at": {
"type": "string",
"format": "date-time",
"description": "Time the event happened on the agent."
},
"filter": {
"type": "object",
"description": "JSON object filter definition."
},
"detected_by": {
"type": "string",
"description": "Base name of alert type."
},
"dispositions": {
"type": "array",
"items": {
"type": "object",
"properties": {
"disposition": {
"type": "string",
"description": "Unknown, True Positive, or False Positive."
},
"source": {
"type": "string",
"description": "FireEye or User."
},
"created": {
"type": "string",
"format": "date-time",
"description": "Time created."
},
"filter_id": {
"description": "Unique alert filter ID.",
"type": "string"
}
}
}
},
"disposition_created_at": {
"type": "string",
"format": "date-time",
"description": "Creation time of most recent disposition."
},
"has_fp_disposition": {
"type": "boolean",
"description": "True if the alert filter contains only False Positive dispositions."
},
"stats": {
"type": "object",
"properties": {
"alert_groups": {
"type": "integer",
"format": "int32",
"description": "Number of distinct alert groups."
},
"hosts": {
"type": "integer",
"format": "int32",
"description": "Number of hosts affected."
},
"quarantines": {
"type": "integer",
"format": "int32",
"description": "Number of quarantines."
}
}
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"alerts.alert_group.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"sort": {
"type": "object",
"description": "List of sort parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
},
"entries": {
"type": "array",
"items": {
"type": "object",
"properties": {
"_id": {
"description": "Unique alert group ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"host": {
"type": "object",
"properties": {
"_id": {
"description": "Unique agent ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"hostname": {
"type": "string",
"description": "Name of the host."
},
"primary_ip_address": {
"type": "string",
"description": "Primary IPv4 or IPv6 address the host uses to communicate with the Endpoint server."
}
}
},
"assessment": {
"type": "string",
"description": "Summary of the alert."
},
"file_full_path": {
"type": "string",
"description": "Path to file related to the alert."
},
"acknowledgement": {
"type": "object",
"properties": {
"acknowledged": {
"type": "boolean",
"description": "Has the alert been acknowledged?"
},
"acknowledged_by": {
"type": "string",
"description": "User who acknowledged the alert."
},
"acknowledged_time": {
"type": "string",
"format": "date-time",
"description": "Time the alert was acknowledged."
}
}
},
"stats": {
"type": "object",
"properties": {
"events": {
"type": "integer",
"format": "int32",
"description": "Number of events."
}
}
},
"first_event_at": {
"type": "string",
"format": "date-time",
"description": "Time of first event."
},
"last_event_at": {
"type": "string",
"format": "date-time",
"description": "Time of most recent event."
},
"dispositions": {
"type": "array",
"items": {
"type": "object",
"properties": {
"disposition": {
"type": "string",
"description": "Unknown, True Positive, or False Positive."
},
"source": {
"type": "string",
"description": "fireeye, custom, or mandiant."
},
"filter_id": {
"description": "Unique alert filter ID.",
"type": "string"
},
"description": {
"type": "string",
"description": "Explanation of the disposition."
},
"created": {
"type": "string",
"format": "date-time",
"description": "Time created."
},
"deleted_at": {
"type": "string",
"format": "date-time",
"description": "Time deleted."
}
}
}
},
"source": {
"type": "string",
"description": "Source of the alert (IOC, EXD, MAL, etc)."
},
"created_at": {
"type": "string",
"format": "date-time",
"description": "Time the group was created."
},
"has_fp_disposition": {
"type": "boolean",
"description": "Alert has been identfied as False Positive."
},
"last_alert": {
"type": "object",
"description": "JSON object describing the most recent alert in this group."
},
"grouped_by": {
"type": "object",
"properties": {
"event_at": {
"type": "string",
"format": "date-time",
"description": "Time the event happened on the agent."
},
"exploited_process_path": {
"type": "string",
"description": "File path of the exploited process."
},
"exploited_process_md5sum": {
"type": "string",
"description": "MD5 hash of the exploited process."
},
"detected_by": {
"type": "string",
"description": "Engine that detected the exploit."
},
"host": {
"type": "object",
"properties": {
"_id": {
"description": "Unique agent ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"hostname": {
"type": "string",
"description": "Name of the host."
},
"containment_state": {
"type": "string",
"description": "Containment state.",
"enum": [
"normal",
"contain",
"contain_fail",
"containing",
"contained",
"uncontain",
"uncontaining",
"not_normal",
"not_contained"
]
}
}
}
}
}
}
},
"description": "JSON objects returned."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"alerts.alert_group_single.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"_id": {
"description": "Unique alert group ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"host": {
"type": "object",
"properties": {
"_id": {
"description": "Unique agent ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"hostname": {
"type": "string",
"description": "Name of the host."
},
"primary_ip_address": {
"type": "string",
"description": "Primary IPv4 or IPv6 address the host uses to communicate with the Endpoint server."
}
}
},
"assessment": {
"type": "string",
"description": "Summary of the alert."
},
"file_full_path": {
"type": "string",
"description": "Path to file related to the alert."
},
"acknowledgement": {
"type": "object",
"properties": {
"acknowledged": {
"type": "boolean",
"description": "Has the alert been acknowledged?"
},
"acknowledged_by": {
"type": "string",
"description": "User who acknowledged the alert."
},
"acknowledged_time": {
"type": "string",
"format": "date-time",
"description": "Time the alert was acknowledged."
}
}
},
"stats": {
"type": "object",
"properties": {
"events": {
"type": "integer",
"format": "int32",
"description": "Number of events."
}
}
},
"first_event_at": {
"type": "string",
"format": "date-time",
"description": "Time of first event."
},
"last_event_at": {
"type": "string",
"format": "date-time",
"description": "Time of most recent event."
},
"dispositions": {
"type": "array",
"items": {
"type": "object",
"properties": {
"disposition": {
"type": "string",
"description": "Unknown, True Positive, or False Positive."
},
"source": {
"type": "string",
"description": "fireeye, custom, or mandiant."
},
"filter_id": {
"description": "Unique alert filter ID.",
"type": "string"
},
"description": {
"type": "string",
"description": "Explanation of the disposition."
},
"created": {
"type": "string",
"format": "date-time",
"description": "Time created."
},
"deleted_at": {
"type": "string",
"format": "date-time",
"description": "Time deleted."
}
}
}
},
"source": {
"type": "string",
"description": "Source of the alert (IOC, EXD, MAL, etc)."
},
"created_at": {
"type": "string",
"format": "date-time",
"description": "Time the group was created."
},
"has_fp_disposition": {
"type": "boolean",
"description": "Alert has been identfied as False Positive."
},
"last_alert": {
"type": "object",
"description": "JSON object describing the most recent alert in this group."
},
"grouped_by": {
"type": "object",
"properties": {
"event_at": {
"type": "string",
"format": "date-time",
"description": "Time the event happened on the agent."
},
"exploited_process_path": {
"type": "string",
"description": "File path of the exploited process."
},
"exploited_process_md5sum": {
"type": "string",
"description": "MD5 hash of the exploited process."
},
"detected_by": {
"type": "string",
"description": "Engine that detected the exploit."
},
"host": {
"type": "object",
"properties": {
"_id": {
"description": "Unique agent ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"hostname": {
"type": "string",
"description": "Name of the host."
},
"containment_state": {
"type": "string",
"description": "Containment state.",
"enum": [
"normal",
"contain",
"contain_fail",
"containing",
"contained",
"uncontain",
"uncontaining",
"not_normal",
"not_contained"
]
}
}
}
}
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"alerts.alert_single.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"_id": {
"description": "Unique alert ID.",
"type": "integer",
"format": "int32"
},
"agent": {
"type": "object",
"properties": {}
},
"appliance": {
"type": "object",
"properties": {
"_id": {
"description": "Unique appliance ID.",
"type": "string"
}
}
},
"condition": {
"type": "object",
"properties": {
"_id": {
"description": "Unique condition ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"enabled": {
"type": "boolean",
"description": "Enabled / disabled setting."
},
"uuid": {
"type": "string",
"description": "Unique ID."
},
"tests": {
"type": "string",
"description": "List of tests that define this condition."
},
"event_type": {
"type": "string",
"description": "Primary event type for this condition based on the first test."
}
}
},
"indicator": {
"type": "object",
"properties": {
"_id": {
"description": "Unique indicator ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"name": {
"type": "string",
"description": "Object name."
},
"uri_name": {
"type": "string",
"description": "Formalized name of the indicator definition source."
},
"display_name": {
"type": "string",
"description": "Name of the indicator definition source."
},
"signature": {
"type": "string",
"description": "IOC signature."
},
"category": {
"type": "integer",
"format": "int32",
"description": "Unique ID."
}
}
},
"event_id": {
"type": "string",
"description": "ID of the event from the alert JSON object key.event_id."
},
"event_type": {
"type": "string",
"description": "Type of the event from the alert JSON object key.event_type."
},
"event_values": {
"type": "object",
"description": "JSON object alert content."
},
"event_at": {
"type": "string",
"format": "date-time",
"description": "Time the event happened on the agent."
},
"matched_at": {
"type": "string",
"format": "date-time",
"description": "Time the IOC match occurred on the agent."
},
"reported_at": {
"type": "string",
"format": "date-time",
"description": "Time the server received the alert."
},
"source": {
"type": "string",
"description": "Source of the alert (IOC, EXD, MAL, etc)."
},
"subtype": {
"type": "string",
"description": "Engine that generated the alert (av, mg, etc)."
},
"matched_source_alerts": {
"type": "array",
"items": {
"type": "object"
},
"description": "Collection of matched source alerts. Empty except when returned from /alerts/{id}/full_details."
},
"has_share_mode": {
"type": "string",
"description": "Indicator share mode (unrestricted, restricted, silent, or any).",
"enum": [
"unrestricted",
"restricted",
"silent",
"any"
]
},
"resolution": {
"type": "string",
"description": "Alert resolution (alert, block, or partial_block).",
"enum": [
"alert",
"block",
"partial_block",
"active_threat"
]
},
"is_false_positive": {
"type": "boolean",
"description": "False positive alert (true) or not false positive alert (false)."
},
"decorators": {
"type": "array",
"items": {
"type": "object"
},
"description": "Collection of Enricher reports."
},
"md5values": {
"type": "array",
"items": {
"type": "string"
},
"description": "Collection of MD5 hashes of files involved."
},
"decorator_sources": {
"type": "array",
"items": {
"type": "string"
},
"description": "Collection of Enricher sources."
},
"decorator_statuses": {
"type": "array",
"items": {
"type": "string"
},
"description": "Collection of Enricher summary statuses."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"alerts.common_no_data.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"alerts.common_no_data.success_no_content": {
"description": "Success - no content.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"alerts.common_no_data.success_quarantines": {
"description": "Success - Some quarantines not found or not all quarantined files were scheduled for restoration.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"alerts.common_no_data.deleted": {
"description": "Deleted",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"alerts.common_no_data.not_found": {
"description": "Not Found",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"alerts.common_no_data.unprocessable": {
"description": "Unprocessable Entity",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"alerts.common_no_data.unable_to_parse": {
"description": "Unable to parse request body",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"alerts.common_no_data.forbidden": {
"description": "Forbidden - Request unsuccessful because you do not belong to the correct authorization group or because you are using an appliance without an active MD_ACCESS license.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"alerts.common_no_entries.unprocessable": {
"description": "Unprocessable Entity",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"alerts.common_no_entries.not_found": {
"description": "Not Found",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"alerts.common_no_entries.invalid_filter": {
"description": "Invalid Alert Filter",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"alerts.common_no_entries.not_allowed": {
"description": "Not Allowed - Modification of FireEye filters is not allowed.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"common.api_json_array": {
"description": "Standard API response for an array of JSON objects.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"sort": {
"type": "object",
"description": "List of sort parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
},
"entries": {
"type": "array",
"items": {
"type": "object"
},
"description": "JSON objects returned."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"common.api_json_object": {
"description": "Standard API response for a single JSON object.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object"
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"common.api_no_data": {
"description": "Standard API response for no data.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"common.api_no_entries": {
"description": "Standard API response for no entries.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"common.unauthorized": {
"description": "Unauthorized",
"content": {
"text/plain": {
"schema": {
"type": "string",
"example": "Unauthorized"
}
}
}
},
"conditions.condition.successGET": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
},
"query": {
"type": "object",
"properties": {
"search": {
"type": "string",
"description": "Searched query"
},
"enabled": {
"type": "boolean",
"description": "Is the condidtion enabled"
},
"has_alerts": {
"type": "boolean",
"description": "Does the condition have alerts"
}
}
},
"sort": {
"type": "object",
"properties": {
"_id": {
"type": "integer",
"description": "Sorted by _id value"
}
}
},
"entries": {
"type": "array",
"items": {
"type": "object",
"properties": {
"_id": {
"description": "Unique condition ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"enabled": {
"type": "boolean",
"description": "Enabled / disabled setting."
},
"is_private": {
"type": "boolean",
"description": "is_private"
},
"uuid": {
"type": "string",
"description": "Unique ID."
},
"tests": {
"type": "string",
"description": "List of tests that define this condition."
},
"event_type": {
"type": "string",
"description": "Primary event type for this condition based on the first test."
}
}
}
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"listOfConditions": {
"summary": "Limit to 1 condition",
"value": {
"data": {
"total": 1,
"query": {},
"sort": {
"_id": 1
},
"offset": 0,
"limit": 1,
"entries": [
{
"_id": "ogrAqlkr_YutyuzsJ8VDVg==",
"uuid": "a20ac0aa-592b-4d8b-adca-ecec27c54356",
"event_type": "dnsLookupEvent",
"enabled": true,
"is_private": false,
"tests": [
{
"operator": "contains",
"token": "dnsLookupEvent/hostname",
"type": "text",
"value": "evil"
}
],
"url": "/hx/api/v3/conditions/ogrAqlkr_YutyuzsJ8VDVg"
}
]
},
"message": "OK",
"details": [],
"route": "/hx/api/v3/conditions"
}
}
}
}
}
},
"conditions.condition.successGetId": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"_id": {
"description": "Unique condition ID.",
"type": "string"
},
"uuid": {
"type": "string",
"description": "Unique ID."
},
"event_type": {
"type": "string",
"description": "Primary event type for this condition based on the first test."
},
"enabled": {
"type": "boolean",
"description": "Enabled / disabled setting."
},
"is_private": {
"type": "boolean",
"description": "is_private"
},
"tests": {
"type": "array",
"items": {
"type": "string",
"description": "List of tests that define this condition."
}
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"conditionCreated": {
"summary": "Condition retrieved",
"value": {
"details": [],
"route": "/hx/api/v3/conditions/id",
"data": {
"_id": "nsKyqZF7EJQsIBBbpF3OZg==",
"uuid": "9ec2b2a9-917b-4094-ac20-105ba45dce66",
"event_type": "fileWriteEvent",
"enabled": true,
"is_private": false,
"tests": [
{
"operator": "starts-with",
"token": "fileWriteEvent/drive",
"type": "text",
"value": "c"
}
],
"url": "/hx/api/v3/conditions/nsKyqZF7EJQsIBBbpF3OZg"
},
"message": "OK"
}
}
}
}
}
},
"conditions.condition.successPOST": {
"description": "Standard API response for a single JSON object.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"_id": {
"description": "Unique condition ID.",
"type": "string"
},
"uuid": {
"type": "string",
"description": "Unique ID."
},
"event_type": {
"type": "string",
"description": "Primary event type for this condition based on the first test."
},
"enabled": {
"type": "boolean",
"description": "Enabled / disabled setting."
},
"is_private": {
"type": "boolean",
"description": "is_private"
},
"tests": {
"type": "array",
"items": {
"type": "string",
"description": "List of tests that define this condition."
}
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"conditionCreated": {
"summary": "Condition Created",
"value": {
"details": [],
"route": "/hx/api/v3/conditions",
"data": {
"_id": "nsKyqZF7EJQsIBBbpF3OZg==",
"uuid": "9ec2b2a9-917b-4094-ac20-105ba45dce66",
"event_type": "fileWriteEvent",
"enabled": true,
"is_private": false,
"tests": [
{
"operator": "starts-with",
"token": "fileWriteEvent/drive",
"type": "text",
"value": "c"
}
],
"url": "/hx/api/v3/conditions/nsKyqZF7EJQsIBBbpF3OZg"
},
"message": "Created"
}
}
}
}
}
},
"conditions.condition.successPATCH": {
"description": "Standard API response for a single JSON object.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"_id": {
"description": "Unique condition ID.",
"type": "string"
},
"uuid": {
"type": "string",
"description": "Unique ID."
},
"event_type": {
"type": "string",
"description": "Primary event type for this condition based on the first test."
},
"enabled": {
"type": "boolean",
"description": "Enabled / disabled setting."
},
"is_private": {
"type": "boolean",
"description": "is_private"
},
"tests": {
"type": "array",
"items": {
"type": "string",
"description": "List of tests that define this condition."
}
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"conditionCreated": {
"summary": "Condition enabled",
"value": {
"details": [],
"route": "/hx/api/v3/conditions/id",
"data": {
"_id": "nsKyqZF7EJQsIBBbpF3OZg==",
"uuid": "9ec2b2a9-917b-4094-ac20-105ba45dce66",
"event_type": "fileWriteEvent",
"enabled": true,
"is_private": false,
"tests": [
{
"operator": "starts-with",
"token": "fileWriteEvent/drive",
"type": "text",
"value": "d"
}
],
"url": "/hx/api/v3/conditions/nsKyqZF7EJQsIBBbpF3OZg"
},
"message": "OK"
}
}
}
}
}
},
"conditions.condition.not_found": {
"description": "Standard API response for no data.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"not_found": {
"summary": "Condition not found",
"value": {
"details": [
{
"type": "error",
"code": 1005,
"message": "Condition not found."
}
],
"route": "/hx/api/v3/conditions/id",
"message": "Not Found"
}
}
}
}
}
},
"conditions.condition.notFoundCatIndResponse": {
"description": "Standard API response for no data.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"not_found_ind": {
"summary": "Indicator not found",
"value": {
"details": [
{
"code": 1005,
"message": "Indicator not found.",
"type": "error"
}
],
"route": "/hx/api/v3/indicators/category/indicator/conditions",
"message": "Not Found"
}
},
"not_found_cat": {
"summary": "Category not found",
"value": {
"details": [
{
"code": 1005,
"message": "Category not found.",
"type": "error"
}
],
"route": "/hx/api/v3/indicators/category/indicator/conditions",
"message": "Not Found"
}
}
}
}
}
},
"conditions.condition.putConditions": {
"description": "Standard API response for no data.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"res": {
"summary": "Created",
"value": {
"details": [],
"route": "/hx/api/v3/indicators/category/indicator/conditions",
"message": "Created"
}
}
}
}
}
},
"conditions.condition.patchConditions": {
"description": "Standard API response for no data.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"res": {
"summary": "add conditions",
"value": {
"details": [],
"route": "/hx/api/v3/indicators/category/indicator/conditions",
"message": "OK"
}
}
}
}
}
},
"conditions.condition.unauthorized": {
"description": "Unauthorized",
"content": {
"text/plain": {
"schema": {
"type": "string",
"example": "Unauthorized"
}
}
}
},
"conditions.condition.unprocessable": {
"description": "Unprocessable Entity",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"unprocessableEntity": {
"summary": "Unprocessable Entity",
"value": {
"details": [
{
"type": "error",
"code": 2024,
"path": "query.enabled",
"message": "Instance is not one of the possible values",
"details": [
"0",
"1",
"true",
"false"
]
}
],
"route": "/hx/api/v3/conditions",
"message": "Unprocessable Entity"
}
}
}
}
}
},
"conditions.condition.unprocessable_patch": {
"description": "Unprocessable Entity",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"unprocessableEntity": {
"summary": "Unprocessable Entity",
"value": {
"details": [
{
"type": "error",
"code": 2007,
"path": "enabled",
"message": "should be boolean",
"details": [
"boolean"
]
}
],
"route": "/hx/api/v3/conditions/id",
"message": "Unprocessable Entity"
}
}
}
}
}
},
"conditions.condition.unprocessableGetTypeResponse": {
"description": "Unprocessable Entity",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"unprocessableEntity": {
"summary": "Unprocessable Entity",
"value": {
"details": [
{
"type": "error",
"code": 2010,
"path": "params.type",
"message": "should be equal to one of the allowed values",
"details": {
"allowedValues": [
"presence",
"execution"
]
}
}
],
"route": "/hx/api/v3/indicators/category/indicator/conditions/type",
"message": "Unprocessable Entity"
}
}
}
}
}
},
"conditions.condition.conflict": {
"description": "Conflict",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"_id": {
"description": "Unique condition ID.",
"type": "string"
},
"uuid": {
"type": "string",
"description": "Unique ID."
},
"event_type": {
"type": "string",
"description": "Primary event type for this condition based on the first test."
},
"enabled": {
"type": "boolean",
"description": "Enabled / disabled setting."
},
"is_private": {
"type": "boolean",
"description": "is_private"
},
"tests": {
"type": "array",
"items": {
"type": "string",
"description": "List of tests that define this condition."
}
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"not_found": {
"summary": "Record already exists",
"value": {
"details": [
{
"type": "error",
"code": 1006,
"path": "_id",
"message": "Record already exists"
}
],
"route": "/hx/api/v3/conditions",
"data": {
"_id": "JX8yOr81AuWlwDVrGZRPHA==",
"uuid": "257f323a-bf35-42e5-a5c0-356b19944f1c",
"event_type": "fileWriteEvent",
"enabled": true,
"is_private": false,
"tests": [
{
"operator": "equal",
"token": "fileWriteEvent/md5",
"type": "md5",
"value": "5a440a1226624a51650ca95314cac2f4"
}
],
"url": "/hx/api/v3/conditions/JX8yOr81AuWlwDVrGZRPHA"
},
"message": "Conflict"
}
}
}
}
}
},
"containment.containment.get_agent_containment_state": {
"description": "Standard API response for a single JSON object.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"_id": {
"type": "string"
},
"last_sysinfo": {
"type": "string",
"format": "date-time"
},
"requested_by_actor": {
"type": "string"
},
"requested_on": {
"type": "string",
"format": "date-time"
},
"contained_by_actor": {
"type": "string"
},
"contained_on": {
"type": "string",
"format": "date-time"
},
"queued": {
"type": "boolean"
},
"excluded": {
"type": "boolean"
},
"missing_software": {
"type": "boolean"
},
"reported_clone": {
"type": "boolean"
},
"state": {
"type": "string",
"enum": [
"normal"
]
},
"state_update_time": {
"type": "string",
"format": "date-time"
},
"url": {
"type": "string"
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"containmentDetails": {
"summary": "get agent containment state",
"value": {
"details": [],
"route": "/hx/api/v3/hosts/agent_id/containment",
"data": {
"_id": "S8Y5cr4oBbkbZmUYrgMicr",
"last_sysinfo": "2020-05-28T08:15:05.898Z",
"requested_by_actor": null,
"requested_on": null,
"contained_by_actor": null,
"contained_on": null,
"queued": false,
"excluded": false,
"missing_software": false,
"reported_clone": false,
"state": "normal",
"state_update_time": "2020-05-25T08:09:47.853Z",
"url": "/hx/api/v3/hosts/S8Y5cr4oBbkbZmUYrgMicr"
},
"message": "OK"
}
}
}
}
}
},
"containment.containment.get_all_containment_states": {
"description": "Standard API response for an array of JSON objects.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"sort": {
"type": "object",
"description": "List of sort parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
},
"entries": {
"type": "array",
"items": {
"type": "object",
"properties": {
"_id": {
"type": "string"
},
"last_sysinfo": {
"type": "string",
"format": "date-time"
},
"requested_by_actor": {
"type": "string"
},
"requested_on": {
"type": "string",
"format": "date-time"
},
"contained_by_actor": {
"type": "string"
},
"contained_on": {
"type": "string",
"format": "date-time"
},
"queued": {
"type": "boolean"
},
"excluded": {
"type": "boolean"
},
"missing_software": {
"type": "boolean"
},
"reported_clone": {
"type": "boolean"
},
"state": {
"type": "string",
"enum": [
"normal"
]
},
"state_update_time": {
"type": "string",
"format": "date-time"
},
"url": {
"type": "string"
}
}
},
"description": "JSON objects returned."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"containmentDetails": {
"summary": "get agent containment state",
"value": {
"data": {
"total": 1,
"query": {},
"sort": {},
"offset": 0,
"limit": 50,
"entries": [
{
"_id": "S8Y5cr4oBbkbZmUYrgMicr",
"last_sysinfo": "2020-05-28T09:19:13.138Z",
"requested_by_actor": {
"_id": 1000,
"username": "api_admin"
},
"requested_on": "2020-05-28T08:37:03.485Z",
"contained_by_actor": null,
"contained_on": null,
"queued": true,
"excluded": false,
"missing_software": false,
"reported_clone": false,
"state": "normal",
"state_update_time": "2020-05-28T08:37:03.486Z",
"url": "/hx/api/v3/hosts/S8Y5cr4oBbkbZmUYrgMicr"
}
]
},
"message": "OK",
"details": [],
"route": "/hx/api/v3/containment_states"
}
}
}
}
}
},
"containment.containment.post_agent_containment": {
"description": "Standard API response for no data.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"postContainmentRes": {
"summary": "Containment Requested response",
"value": {
"details": [],
"route": "/hx/api/v3/hosts/agent_id/containment",
"message": "Accepted"
}
}
}
}
}
},
"containment.containment.patch_agent_containment": {
"description": "Standard API response for no data.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"patchContainmentRes": {
"summary": "Containment Requested response",
"value": {
"details": [],
"route": "/hx/api/v3/hosts/agent_id/containment",
"message": "Created"
}
}
}
}
}
},
"containment.containment.unauthorized": {
"description": "Unauthorized",
"content": {
"text/plain": {
"schema": {
"type": "string",
"example": "Unauthorized"
}
}
}
},
"containment.containment.not_found": {
"description": "Standard API response for no data.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"not_found": {
"summary": "Condition not found",
"value": {
"details": [
{
"type": "warn",
"code": 2004,
"path": "agent_id",
"message": "String is not correctly formatted"
}
],
"route": "/hx/api/v3/hosts/agent_id/containment",
"message": "Not Found (With Warnings)"
}
}
}
}
}
},
"containment.containment.unprocessable": {
"description": "Standard API response for no data.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"unprocessableEntity": {
"summary": "Unprocessable Entity",
"value": {
"details": [
{
"type": "error",
"code": 2007,
"path": "enabled",
"message": "should be boolean",
"details": [
"boolean"
]
}
],
"route": "/hx/api/v3/conditions/id",
"message": "Unprocessable Entity"
}
}
}
}
}
},
"custom_configuration_channels.custom_configuration_channels.get_all_channels": {
"description": "Standard API response for an array of JSON objects.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"sort": {
"type": "object",
"description": "List of sort parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
},
"entries": {
"type": "array",
"items": {
"type": "object",
"properties": {
"_id": {
"type": "string"
},
"name": {
"type": "string"
},
"description": {
"type": "string"
},
"_revision": {
"type": "string"
},
"priority": {
"type": "integer"
},
"host_sets": {
"type": "array",
"items": {
"type": "object",
"properties": {
"_id": {
"type": "string"
},
"name": {
"type": "string"
},
"url": {
"type": "string"
}
}
}
},
"update_actor": {
"type": "object",
"properties": {
"_id": {
"type": "string"
},
"username": {
"type": "string"
}
}
},
"create_actor": {
"type": "object",
"properties": {
"_id": {
"type": "string"
},
"username": {
"type": "string"
}
}
},
"update_time": {
"type": "string",
"format": "date-time"
},
"create_time": {
"type": "string",
"format": "date-time"
},
"url": {
"type": "string"
}
}
},
"description": "JSON objects returned."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"containmentDetails": {
"summary": "get agent containment state",
"value": {
"data": {
"total": 1,
"query": {},
"sort": {},
"offset": 0,
"limit": 50,
"entries": [
{
"_id": "j-jNoaSXFzN_8PDoqROXRQ__",
"name": "my first configuration channel",
"description": "my config channel",
"priority": 1,
"host_sets": [
{
"_id": 1002,
"url": "/hx/api/v3/host_sets/1002",
"name": "example_host_set"
}
],
"_revision": "20200529084625353375148962",
"update_time": "2020-05-29T08:46:25.353Z",
"create_time": "2020-05-29T08:46:25.353Z",
"update_actor": {
"_id": 1000,
"username": "api_admin"
},
"create_actor": {
"_id": 1000,
"username": "api_admin"
},
"url": "/hx/api/v3/host_policies/channels/j-jNoaSXFzN_8PDoqROXRQ__"
}
]
},
"message": "OK",
"details": [],
"route": "/hx/api/v3/host_policies/channels"
}
}
}
}
}
},
"custom_configuration_channels.custom_configuration_channels.get_channel_json": {
"description": "Configuration associated with the configuration channel",
"content": {
"application/json;": {
"schema": {
"type": "object"
},
"examples": {
"get_channel_json": {
"summary": "get_channel_json",
"value": {
"key1": "value1"
}
}
}
}
}
},
"custom_configuration_channels.custom_configuration_channels.get_policy_ids": {
"description": "Standard API response for a single JSON object.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "array",
"items": {
"type": "string"
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"get_policy_ids": {
"summary": "get_policy_ids",
"value": {
"details": [],
"route": "/hx/api/v3/configurations/channel/policy_ids",
"data": [
"dfee98e0-4da3-47aa-bb77-807239lcbda8",
"90bb8811-c5e9-498e-b213-f28da2029b9b"
],
"message": "OK"
}
}
}
}
}
},
"custom_configuration_channels.custom_configuration_channels.get_host_set_ids": {
"description": "Standard API response for a single JSON object.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "array",
"items": {
"type": "integer",
"format": "int32"
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"get_policy_ids": {
"summary": "get_policy_ids",
"value": {
"details": [],
"route": "/hx/api/v3/configurations/channel/host_set_ids",
"data": [
2002,
2003
],
"message": "OK"
}
}
}
}
}
},
"custom_configuration_channels.custom_configuration_channels.get_channel_by_id": {
"description": "Standard API response for a single JSON object.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"_id": {
"type": "string"
},
"name": {
"type": "string"
},
"description": {
"type": "string"
},
"_revision": {
"type": "string"
},
"priority": {
"type": "integer"
},
"host_sets": {
"type": "array",
"items": {
"type": "object",
"properties": {
"_id": {
"type": "string"
},
"name": {
"type": "string"
},
"url": {
"type": "string"
}
}
}
},
"update_actor": {
"type": "object",
"properties": {
"_id": {
"type": "string"
},
"username": {
"type": "string"
}
}
},
"create_actor": {
"type": "object",
"properties": {
"_id": {
"type": "string"
},
"username": {
"type": "string"
}
}
},
"update_time": {
"type": "string",
"format": "date-time"
},
"create_time": {
"type": "string",
"format": "date-time"
},
"url": {
"type": "string"
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"get_channel_by_id": {
"summary": "get_channel_by_id",
"value": {
"details": [],
"route": "/hx/api/v3/host_policies/channels/id",
"data": {
"_id": "t7LoI-r0v7i2E1FHOlLjPQ__",
"name": "my first configuration channel",
"description": "my config channel",
"priority": 1,
"host_sets": [
{
"_id": 1001,
"url": "/hx/api/v3/host_sets/1001",
"name": "host_set_example"
}
],
"_revision": "20200602090407317255102924",
"update_time": "2020-06-02T09:04:07.317Z",
"create_time": "2020-06-02T09:04:07.317Z",
"update_actor": {
"_id": 1000,
"username": "api_admin"
},
"create_actor": {
"_id": 1000,
"username": "api_admin"
},
"url": "/hx/api/v3/host_policies/channels/t7LoI-r0v7i2E1FHOlLjPQ__"
},
"message": "OK"
}
}
}
}
}
},
"custom_configuration_channels.custom_configuration_channels.post_channel_json": {
"description": "Standard API response for a single JSON object.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"_id": {
"type": "string"
},
"name": {
"type": "string"
},
"description": {
"type": "string"
},
"_revision": {
"type": "string"
},
"priority": {
"type": "integer"
},
"host_sets": {
"type": "array",
"items": {
"type": "object",
"properties": {
"_id": {
"type": "string"
},
"name": {
"type": "string"
},
"url": {
"type": "string"
}
}
}
},
"update_actor": {
"type": "object",
"properties": {
"_id": {
"type": "string"
},
"username": {
"type": "string"
}
}
},
"create_actor": {
"type": "object",
"properties": {
"_id": {
"type": "string"
},
"username": {
"type": "string"
}
}
},
"update_time": {
"type": "string",
"format": "date-time"
},
"create_time": {
"type": "string",
"format": "date-time"
},
"url": {
"type": "string"
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"post_channel_json": {
"summary": "post_channel_json",
"value": {
"details": [],
"route": "/hx/api/v3/host_policies/channels",
"data": {
"_id": "z_M5Fma5lZ7Nhic-cDwLOQ__",
"name": "Another channel",
"description": "secondary channel",
"priority": 2,
"host_sets": [
{
"_id": 1002,
"url": "/hx/api/v3/host_sets/1002",
"name": "example_host_set"
}
],
"_revision": "20200529103718501796149846",
"update_time": "2020-05-29T10:37:18.501Z",
"create_time": "2020-05-29T10:37:18.501Z",
"update_actor": {
"_id": 1000,
"username": "api_admin"
},
"create_actor": {
"_id": 1000,
"username": "api_admin"
},
"url": "/hx/api/v3/host_policies/channels/z_M5Fma5lZ7Nhic-cDwLOQ__"
},
"message": "Created"
}
}
}
}
}
},
"custom_configuration_channels.custom_configuration_channels.patch_channel_json": {
"description": "Standard API response for a single JSON object.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"_id": {
"type": "string"
},
"name": {
"type": "string"
},
"description": {
"type": "string"
},
"_revision": {
"type": "string"
},
"priority": {
"type": "integer"
},
"host_sets": {
"type": "array",
"items": {
"type": "object",
"properties": {
"_id": {
"type": "string"
},
"name": {
"type": "string"
},
"url": {
"type": "string"
}
}
}
},
"update_actor": {
"type": "object",
"properties": {
"_id": {
"type": "string"
},
"username": {
"type": "string"
}
}
},
"create_actor": {
"type": "object",
"properties": {
"_id": {
"type": "string"
},
"username": {
"type": "string"
}
}
},
"update_time": {
"type": "string",
"format": "date-time"
},
"create_time": {
"type": "string",
"format": "date-time"
},
"url": {
"type": "string"
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"patch_channel_json": {
"summary": "patch_channel_json",
"value": {
"details": [],
"route": "/hx/api/v3/host_policies/channels/id",
"data": {
"_id": "SUfEXiaVDmfY4Bs3pGz08w__",
"name": "my first configuration channel",
"description": "my config channel",
"priority": 1,
"host_sets": [
{
"_id": 1010,
"url": "/hx/api/v3/host_sets/1010",
"name": "host_set_one"
}
],
"_revision": "20200529141316970494151637",
"update_time": "2020-05-29T14:13:16.970Z",
"create_time": "2020-05-29T14:05:45.830Z",
"update_actor": {
"_id": 1000,
"username": "api_admin"
},
"create_actor": {
"_id": 1000,
"username": "api_admin"
},
"url": "/hx/api/v3/host_policies/channels/SUfEXiaVDmfY4Bs3pGz08w__"
},
"message": "OK"
}
}
}
}
}
},
"custom_configuration_channels.custom_configuration_channels.put_channel_json": {
"description": "Standard API response for a single JSON object.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"_id": {
"type": "string"
},
"name": {
"type": "string"
},
"description": {
"type": "string"
},
"_revision": {
"type": "string"
},
"priority": {
"type": "integer"
},
"host_sets": {
"type": "array",
"items": {
"type": "object",
"properties": {
"_id": {
"type": "string"
},
"name": {
"type": "string"
},
"url": {
"type": "string"
}
}
}
},
"update_actor": {
"type": "object",
"properties": {
"_id": {
"type": "string"
},
"username": {
"type": "string"
}
}
},
"create_actor": {
"type": "object",
"properties": {
"_id": {
"type": "string"
},
"username": {
"type": "string"
}
}
},
"update_time": {
"type": "string",
"format": "date-time"
},
"create_time": {
"type": "string",
"format": "date-time"
},
"url": {
"type": "string"
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"put_channel_json": {
"summary": "put_channel_json",
"value": {
"details": [],
"route": "/hx/api/v3/host_policies/channels/id.json",
"data": {
"_id": "j-jNoaSXFzN_8PDoqROXRQ__",
"name": "my first configuration channel",
"description": "my config channel",
"priority": 1,
"host_sets": [
{
"_id": 1002,
"url": "/hx/api/v3/host_sets/1002",
"name": "example_host_set"
}
],
"_revision": "20200529101959507674149706",
"update_time": "2020-05-29T10:19:59.507Z",
"create_time": "2020-05-29T08:46:25.353Z",
"update_actor": {
"_id": 1000,
"username": "api_admin"
},
"create_actor": {
"_id": 1000,
"username": "api_admin"
},
"url": "/hx/api/v3/host_policies/channels/j-jNoaSXFzN_8PDoqROXRQ__"
},
"message": "OK"
}
}
}
}
}
},
"custom_configuration_channels.custom_configuration_channels.conflict": {
"description": "Standard API response for no data.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"conflict": {
"summary": "conflict",
"value": {
"details": [
{
"code": 1006,
"message": "Record already exists",
"path": "name",
"type": "error"
}
],
"route": "/hx/api/v3/host_policies/channels",
"message": "Conflict"
}
}
}
}
}
},
"custom_configuration_channels.custom_configuration_channels.bad_request": {
"description": "Standard API response for no data.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"bad_request": {
"summary": "Bad Request",
"value": {
"details": [
{
"type": "error",
"code": 1304,
"message": "Unable to parse request body",
"details": "Unexpected token \n in JSON at position 26"
}
],
"message": "Bad Request"
}
}
}
}
}
},
"custom_configuration_channels.custom_configuration_channels.unauthorized": {
"description": "Unauthorized",
"content": {
"text/plain": {
"schema": {
"type": "string",
"example": "Unauthorized"
}
}
}
},
"custom_configuration_channels.custom_configuration_channels.unprocessable": {
"description": "Standard API response for no data.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"unprocessableEntity": {
"summary": "Unprocessable Entity",
"value": {
"details": [
{
"type": "error",
"code": 2019,
"path": "query.offset",
"message": "Value must be formatted as a non-negative 32 bit integer (0 to 2147483647)."
}
],
"route": "/hx/api/v3/host_policies/channels",
"message": "Unprocessable Entity"
}
}
}
}
}
},
"custom_configuration_channels.custom_configuration_channels.not_found": {
"description": "Standard API response for no data.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"not_found": {
"summary": "Not Found",
"value": {
"details": [
{
"type": "error",
"code": 1005,
"message": "Config channel not found",
"path": "id"
}
],
"route": "/hx/api/v3/host_policies/channels/id.json",
"message": "Not Found"
}
}
}
}
}
},
"custom_configuration_channels.custom_configuration_channels.get_configuration_by_id": {
"description": "Standard API response for a single JSON object.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "array",
"items": {
"type": "string"
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"get_configuration_by_id": {
"summary": "get_configuration_by_id",
"value": {
"details": [],
"route": "/hx/api/v3/configurations/id",
"data": {
"fips": {
"enabled": false
},
"credentials": {
"cacert": "MIIDkzCCAnugAwIBAgIJAPJoAGi3bUXiMA0GCSqGSIb3DQEBCwUAMGAxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJWQTEPMA0GA1UEBwwGUkVTVE9OMRAwDgYDVQQKDAdGSVJFRVlFMRAwDgYDVQQLDAdQUk9EVUNUMQ8wDQYDVQQDDAZQUk9EQ0EwHhcNMjAwNjAyMDgxNTU4WhcNNDAwNjAyMDgxNTU4WjBgMQswCQYDVQQGEwJVUzELMAkGA1UECAwCVkExDzANBgNVBAcMBlJFU1RPTjEQMA4GA1UECgwHRklSRUVZRTEQMA4GA1UECwwHUFJPRFVDVDEPMA0GA1UEAwwGUFJPRENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA89PFvukeRltuxZZXnLhQmYOXAmnqbQ3ltPhwEK+q8zwq2pNcLSvyD3xjvFU1ne/er8U6RjwXmZequ9teeTBa0sIpCtBID8Czor5+iuP1hYo1w5up9k/4kZ2TxjkydcLXMp0Asbb2JdpRl5oMAylIQk3WZtJNcXJgVXpl5ae0eLrgnUAfkfHfJRp9wT6kdZ9GeqgAxiHFZMrEldctWzZW7ARywvhbHdELAjXNuF6qrb1eoBy1eJM16B13xaDjky36Hzru8N8uz0U7MZ9cgX7oRcu7SxFN4QoIZk5+cce2rday19dokCLe3qC8za4nMsNho3IS8k4eXz0xKNfcNIXXYwIDAQABo1AwTjAdBgNVHQ4EFgQUabnXkOcprYUzyEP1NPibE0t2QfYwHwYDVR0jBBgwFoAUabnXkOcprYUzyEP1NPibE0t2QfYwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAdNTSU8pvr4nszj+ZpyVmciZChny6wYNmXo8iu4NX4xvVLNgx6GqGzYFeaY++aq1mMqGtDYrTDW6Yc8Tuhmhq64pMy9tBcAi/m5gSBqiIdZ6w1Dd2Y+nSUmFOqKAPtWBvjn+RLd5MR6lMynE4vf6nV2G8qNsRfpX//DwuPhafTVRE/1jo4b4WX7O/9dhNvn/xNJJ3as+Aor1xQsOjBsMlfapb5Hf5ZvfdLZ4/p93XTHN64W9ArNATMi4LVomwIjOk2zg9FQ9058wclsEeqSTBgaz3nEOTpQdWTFUkBje8jGGw3re6/uV6So1veMF5aXiJdR7cbXyU7PNekTXm7TGOjQ=="
},
"service": {
"config_pull_enabled": true,
"config_poll_interval_sec": 900,
"poll_agents": 60,
"fastpoll_agents": 20,
"request_sysinfo": 300
},
"logging": {
"enabled": true,
"log_mask": "",
"log_level": "INFO"
},
"process": {
"priority": "idle",
"cpu_limit": 100,
"deny_local_admin_stop": true,
"protection_enabled": true
},
"events": {
"max_db_size": 120,
"excludedPaths": [],
"intel_poll_sec": 900,
"udp_send_events": false,
"excludedProcessNames": [],
"active_collection_enabled": true,
"db_regen_errors": [
"1725",
"1726",
"1731",
"1733",
"1734",
"1735",
"1736",
"1737",
"1738",
"1739",
"1740",
"1743",
"1744",
"1750",
"1808"
],
"intel_uri": "/content/v1/intel/ioc/win-current_xagent_win"
},
"resource_use": {
"concurrent_host_limit_enabled": false,
"concurrent_host_limit": 500
},
"malwareDetection": {
"enable": false,
"quarantine": {
"enable": false,
"actions": {
"clean_infection": false,
"remove_trace": false,
"notify_user": false
},
"exceptions": {
"heuristic_detections": false,
"adware": false,
"pup": false,
"spyware": false
}
},
"excludedProcesses": [],
"excludedFiles": [],
"excludedMD5s": [],
"update_source": "internet",
"network_oas": {
"enabled": false,
"mode": "read-write"
},
"update_interval": 14400,
"engine_configuration": {
"mg": {
"enable": false,
"quarantine_enable": false
},
"av": {
"cloud_lookup": false
},
"heuristic": {
"enable": false,
"quarantine_enable": false
}
},
"scan_configuration": {
"oas": {
"scan_timeout": 15,
"blocking_timeout": 10,
"archive_scan_enabled": false,
"max_archive_depth": 4,
"av": {
"max_file_size": 30
},
"mg": {
"max_file_size": 7
},
"heuristic": {
"max_file_size": 1,
"file_age": 7,
"actor_process_list": [
"chrome.exe",
"microsoftedge.exe"
]
}
},
"ods": {
"scan_timeout": 180,
"archive_scan_enabled": true,
"max_archive_depth": 4,
"av": {
"max_file_size": 2048
},
"mg": {
"max_file_size": 100
}
}
},
"update_url32": "http://avupdate.fireeye.com/av32bit",
"update_url64": "http://avupdate.fireeye.com/av64bit",
"clean32_uri": "/content/v1/intel/mal/clean32",
"clean64_uri": "/content/v1/intel/mal/clean64",
"dti_exclusions_uri": "/content/v1/intel/mal/exclusions",
"user_exclusions_uri": "/content/v1/intel/mal/hx_exclusions",
"mg_intel_uri": "/content/v1/intel/mal/mg_content",
"update_enabled": true
},
"ProtectionServices": {
"age_to_purge": 90,
"enable": true
},
"advanced": {
"mxa/MalwareProtection/mg_intel/rsrc/timeout": 300,
"mxa/MalwareProtection/cleandb/rsrc/timeout": 300
},
"exploitDetection": {
"excludedMD5s": [],
"excludedFiles": [],
"excludedPaths": [],
"alertThreshold": 40,
"enable_pageguard": true,
"enable_server_os": false,
"enable_production": true,
"enable_termination": false,
"enable_notification": true,
"enable_prevent_known": false,
"rules_uri": "/content/v1/intel/exd/prod_rules",
"whitelist_uri": "/content/v1/intel/exd/prod_whitelist",
"enable_protection": true,
"traceLevel": "INFO"
},
"serverlist": {
"servers": [
{
"server": "10.61.152.167"
}
]
},
"type": "config",
"version": "2.0.0",
"channel": "0017afdf2546cbcf4fc3bc8bae2973efdee48cf8ad28ba2bdca7c20bc6163fd1",
"name": "0017afdf2546cbcf4fc3bc8bae2973efdee48cf8ad28ba2bdca7c20bc6163fd1",
"id": "EdyxtLjdxmCV+ws77BMFhw==",
"ts": "2020-06-02T09:04:13Z"
},
"message": "OK"
}
}
}
}
}
},
"host_information.common_no_data.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"host_information.common_no_data.success_no_content": {
"description": "Success - no content.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"host_information.common_no_data.success_quarantines": {
"description": "Success - Some quarantines not found or not all quarantined files were scheduled for restoration.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"host_information.common_no_data.deleted": {
"description": "Deleted",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"host_information.common_no_data.not_found": {
"description": "Not Found",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"host_information.common_no_data.not_acceptable": {
"description": "Not Acceptable",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"host_information.common_no_data.unprocessable": {
"description": "Unprocessable Entity",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"host_information.common_no_data.unable_to_parse": {
"description": "Unable to parse request body",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"host_information.common_no_data.forbidden": {
"description": "Forbidden - Request unsuccessful because you do not belong to the correct authorization group or because you are using an appliance without an active MD_ACCESS license.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"host_information.common_no_entries.unprocessable": {
"description": "Unprocessable Entity",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"host_information.common_no_entries.not_found": {
"description": "Not Found",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"host_information.common_no_entries.invalid_filter": {
"description": "Invalid Alert Filter",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"host_information.common_no_entries.not_allowed": {
"description": "Not Allowed - Modification of FireEye filters is not allowed.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"host_information.host.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"sort": {
"type": "object",
"description": "List of sort parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
},
"entries": {
"type": "array",
"items": {
"type": "object",
"properties": {
"_id": {
"description": "Unique agent ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"agent_version": {
"type": "string",
"description": "Agent version."
},
"excluded_from_containment": {
"type": "boolean",
"description": "Determines whether the host is excluded from containment."
},
"containment_missing_software": {
"type": "boolean",
"description": "Indicates that the agent version supports containment."
},
"containment_queued": {
"type": "boolean",
"description": "Containment requested."
},
"containment_state": {
"type": "string",
"description": "Containment state.",
"enum": [
"normal",
"contain",
"contain_fail",
"containing",
"contained",
"uncontain",
"uncontaining",
"not_normal",
"not_contained"
]
},
"stats": {
"type": "object",
"properties": {
"acqs": {
"description": "Number of file acquisition requests.",
"type": "integer",
"format": "int32"
},
"malware_cleaned_count": {
"description": "The number of cleaned malware on the host.",
"type": "integer",
"format": "int32"
},
"malware_quarantined_count": {
"description": "The number ofquarantined files on the host.",
"type": "integer",
"format": "int32"
},
"alerting_conditions": {
"description": "Number of alerting conditions.",
"type": "integer",
"format": "int32"
},
"alerts": {
"description": "Total number of alerts, including exploit-detection alerts.",
"type": "integer",
"format": "int32"
},
"exploit_alerts": {
"description": "Number of exploit alerts, partially blocked exploits, and blocked exploits.",
"type": "integer",
"format": "int32"
},
"exploit_blocks": {
"description": "The number of blocked exploits on the host.",
"type": "integer",
"format": "int32"
},
"malware_alerts": {
"description": "The number of malware alerts on the host.",
"type": "integer",
"format": "int32"
},
"generic_alerts": {
"description": "The number of generic alerts on the host.",
"type": "integer",
"format": "int32"
},
"false_positive_alerts": {
"description": "The number of false positive alerts on the host.",
"type": "integer",
"format": "int32"
},
"false_positive_alerts_by_source": {
"type": "object",
"description": "Number of false positive alerts by source."
},
"malware_false_positive_alerts": {
"description": "The number of false positive malware alerts on the host.",
"type": "integer",
"format": "int32"
}
}
},
"hostname": {
"type": "string",
"description": "Name of the host."
},
"domain": {
"type": "string",
"description": "Network domain."
},
"gmt_offset_seconds": {
"type": "integer",
"format": "int32",
"description": "How many seconds the offset is from Greenwich Mean Time (GMT)"
},
"timezone": {
"type": "string",
"description": "Timezone name."
},
"primary_ip_address": {
"type": "string",
"description": "Primary IPv4 or IPv6 address the host uses to communicate with the Endpoint server."
},
"last_audit_timestamp": {
"type": "string",
"format": "date-time",
"description": "Time when the most recent system information audit was performed."
},
"last_poll_timestamp": {
"type": "string",
"format": "date-time",
"description": "Time when the most recent poll was performed."
},
"last_poll_ip": {
"type": "string",
"description": "IP address used for the most recent poll."
},
"reported_clone": {
"type": "boolean",
"description": "Indicates more than one host has this same agent ID."
},
"initial_agent_checkin": {
"type": "string",
"format": "date-time",
"description": "Time of initial agent checkin."
},
"last_alert": {
"type": "object",
"properties": {
"_id": {
"description": "Unique alert ID.",
"type": "integer",
"format": "int32"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
}
}
},
"last_alert_timestamp": {
"type": "string",
"format": "date-time",
"description": "The time stamp of the most recent alert for the host."
},
"last_exploit_block_timestamp": {
"type": "string",
"format": "date-time",
"description": "The time stamp of the most recent blocked exploit for the host."
},
"sysinfo": {
"type": "object",
"properties": {
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
}
}
},
"os": {
"type": "object",
"properties": {
"product_name": {
"type": "string",
"description": "Operating system name."
},
"patch_level": {
"type": "string",
"description": "Operating system patch."
},
"bitness": {
"type": "string",
"description": "Operating system word size.",
"enum": [
"64-bit",
"32-bit"
]
},
"platform": {
"type": "string",
"description": "Family of operating systems.",
"enum": [
"win",
"osx",
"linux"
]
},
"kernel_version": {
"type": "string",
"description": "Operating system kernel version."
}
}
},
"primary_mac": {
"type": "string",
"description": "MAC address the host uses to communicate with the Endpoint server."
}
}
},
"description": "JSON objects returned."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"get_channel_hosts": {
"summary": "get_channel_hosts",
"value": {
"data": {
"total": 1,
"query": {
"host_sets.query": {
"operator": "relativeComplement",
"operands": [
{
"setId": 1002
},
{
"operator": "union",
"operands": [
{
"operator": "lt",
"key": "NormalizedAgentVersion",
"value": [
"#A20.#0.#0-|"
]
}
]
}
]
}
},
"sort": {},
"offset": 0,
"limit": 50,
"entries": [
{
"_id": "QcuSTNMEZ35c9dMWpJs4ox",
"agent_version": "32.30.0",
"excluded_from_containment": false,
"containment_missing_software": false,
"containment_queued": false,
"containment_state": "normal",
"stats": {
"acqs": 0,
"malware_cleaned_count": 0,
"malware_quarantined_count": 0,
"alerting_conditions": 0,
"alerts": 0,
"exploit_alerts": 0,
"exploit_blocks": 0,
"malware_alerts": 0,
"generic_alerts": 0,
"false_positive_alerts": 0,
"false_positive_alerts_by_source": {},
"malware_false_positive_alerts": 0
},
"hostname": "WINc089bc37b59c",
"domain": "WORKGROUP",
"gmt_offset_seconds": 0,
"timezone": "Coordinated Universal Time",
"primary_ip_address": "10.61.153.247",
"last_audit_timestamp": "2020-06-02T09:13:39.418Z",
"last_poll_timestamp": "2020-06-02T09:12:15.000Z",
"last_poll_ip": "10.61.153.247",
"reported_clone": false,
"initial_agent_checkin": "2020-06-02T08:51:24.529Z",
"url": "/hx/api/v3/hosts/QcuSTNMEZ35c9dMWpJs4ox",
"last_alert": null,
"last_exploit_block": null,
"last_alert_timestamp": null,
"last_exploit_block_timestamp": null,
"sysinfo": {
"url": "/hx/api/v3/hosts/QcuSTNMEZ35c9dMWpJs4ox/sysinfo"
},
"os": {
"product_name": "Windows 10 Enterprise",
"patch_level": null,
"bitness": "64-bit",
"platform": "win",
"kernel_version": null
},
"primary_mac": "00-50-56-01-f0-21"
}
]
},
"message": "OK",
"details": [],
"route": "/hx/api/v3/host_policies/channels/id/hosts"
}
}
}
}
}
},
"host_information.host_alerts.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "array",
"items": {
"type": "object",
"properties": {
"_id": {
"description": "Unique agent ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"enabled": {
"type": "boolean",
"description": "Enabled / disabled setting."
},
"hasExecution": {
"type": "boolean",
"description": "True if the host has execution alerts."
},
"hasPresence": {
"type": "boolean",
"description": "True if the host has presence alerts."
},
"threatCount": {
"description": "Number of threats.",
"type": "integer",
"format": "int32"
},
"threats": {
"description": "Up to 5 threats.",
"type": "array",
"items": {
"type": "object",
"properties": {
"_id": {
"description": "Unique threat ID.",
"type": "string"
},
"uri_name": {
"type": "string",
"description": ""
},
"display_name": {
"type": "string",
"description": ""
},
"sub_type": {
"type": "string",
"description": ""
},
"signature": {
"type": "string",
"description": ""
},
"intel_version": {
"type": "string",
"description": ""
},
"meta": {
"type": "object",
"description": ""
},
"active_since": {
"type": "string",
"format": "date-time",
"description": ""
},
"update_time": {
"type": "string",
"format": "date-time",
"description": ""
},
"create_text": {
"type": "string",
"description": ""
},
"create_actor_id": {
"type": "integer",
"format": "int32",
"description": ""
},
"pending_changes": {
"type": "integer",
"format": "int32",
"description": ""
},
"_revision": {
"type": "string",
"description": ""
},
"input_type": {
"type": "string",
"enum": [
"ui",
"local",
"legacy",
"api",
"intel"
],
"description": ""
},
"category_id": {
"type": "integer",
"format": "int32",
"description": ""
},
"update_actor_id": {
"type": "integer",
"format": "int32",
"description": ""
},
"description": {
"type": "string",
"description": ""
},
"supports_win": {
"type": "boolean",
"description": ""
},
"supports_osx": {
"type": "boolean",
"description": ""
},
"supports_linux": {
"type": "boolean",
"description": ""
},
"tags": {
"type": "array",
"items": {
"type": "string"
},
"description": ""
},
"NAME": {
"type": "string",
"description": "Threat display or URI name."
},
"condition_id": {
"description": "Unique condition ID.",
"type": "string"
},
"executed": {
"type": "boolean",
"description": "The threat was executed on the host."
},
"detected": {
"type": "boolean",
"description": "The threat was detected on the host."
},
"origin": {
"type": "string",
"description": "Originator of the IOC."
}
}
}
},
"resolution": {
"type": "string",
"description": "Alert resolution.",
"enum": [
"ALERT",
"BLOCK",
"PARTIAL_BLOCK",
"QUARANTINED",
"CLEANED"
]
},
"mostRecentHit": {
"type": "string",
"format": "date-time",
"description": "Most recent alert."
},
"firstHit": {
"type": "string",
"format": "date-time",
"description": "First alert."
},
"hits": {
"description": "Number of alerts.",
"type": "integer",
"format": "int32"
},
"source": {
"type": "string",
"description": "Source of the alert (IOC, EXD, MAL, etc)."
},
"group_id": {
"description": "Unique alert group ID.",
"type": "string"
},
"filter_id": {
"description": "Unique alert filter ID.",
"type": "string"
},
"alert_disposition": {
"type": "string",
"description": "Unknown, True Positive, or False Positive."
},
"disposition_source": {
"type": "string",
"description": "List of Alert Disposition sources (FireEye, Custom, Mandiant)."
},
"priority": {
"type": "string",
"description": "Alert type priority."
},
"details": {
"type": "object",
"description": "Condition or Alert detail JSON object."
}
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"host_information.host_config.success": {
"description": "Content of the Agent configuration object varies.",
"content": {
"application/json": {
"schema": {
"type": "object"
}
}
}
},
"host_information.host_csv.success": {
"description": "Host CSV data. Content is defined by the list of fields given in the request body.",
"content": {
"text/csv": {
"schema": {
"type": "string"
}
}
}
},
"host_information.host_delete.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"rowCount": {
"type": "integer",
"format": "int32",
"description": "Object count."
},
"status": {
"type": "string",
"description": "Query parameter value."
},
"show": {
"type": "string",
"description": "Query parameter value."
},
"containment": {
"type": "string",
"description": "Query parameter value."
},
"search": {
"type": "string",
"description": "Query parameter value."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"host_information.host_details_acqs.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "array",
"items": {
"type": "object",
"properties": {
"_id": {
"description": "Unique acquisition ID.",
"type": "integer",
"format": "int32"
},
"request_actor": {
"type": "integer",
"format": "int32",
"description": "ID of user who requested the acquisition."
},
"extract_state": {
"type": "string",
"description": "Extraction process state.",
"enum": [
"NEW",
"RUNNING",
"COMPLETE",
"CHECK_VERSION",
"NEEDS_UPDATE",
"FAILED"
]
},
"extract_hit_count": {
"description": "",
"type": "integer",
"format": "int32"
},
"to_extract": {
"type": "string",
"description": "Intended use of extraction: Triage View, Audit View.",
"enum": [
"TV",
"AV",
"TV_AV"
]
},
"acq_type": {
"type": "string",
"description": "Type of acquisition.",
"enum": [
"triage",
"file",
"file_qtn",
"bulk",
"custom",
"live",
"diag"
]
},
"state": {
"type": "string",
"description": "State of acquisition job.",
"enum": [
"NEW",
"ERROR",
"QUEUED",
"RUNNING",
"COMPLETE",
"FAILED"
]
},
"action": {
"type": "string",
"description": "",
"enum": [
"DELETE",
"DELETECACHE"
]
},
"name": {
"type": "string",
"description": "Acquired file name."
},
"zip_file_size": {
"type": "string",
"description": "Size (bytes) of acquired file."
},
"zip_passphrase": {
"type": "string",
"description": "Acquired file zip passphrase."
},
"req_filename": {
"type": "string",
"description": "Name of the file requested."
},
"md5": {
"description": "Acquired file MD5 hash.",
"type": "string"
},
"request_time": {
"type": "string",
"format": "date-time",
"description": "File acquisition request time."
},
"current_server_time": {
"type": "string",
"format": "date-time",
"description": "Current Enpoint server time."
}
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"host_information.host_last_poll.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"sort": {
"type": "object",
"description": "List of sort parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
},
"entries": {
"type": "array",
"items": {
"type": "object",
"properties": {
"ip": {
"type": "string",
"description": "IP address used for the most recent poll."
},
"last_poll_timestamp": {
"type": "string",
"format": "date-time",
"description": "Time when the most recent poll was performed."
},
"is_cloned": {
"type": "boolean",
"description": "Indicates more than one host has this same agent ID."
},
"agent_id": {
"description": "Unique agent ID.",
"type": "string"
}
}
},
"description": "JSON objects returned."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"host_information.host_single.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"_id": {
"description": "Unique agent ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"agent_version": {
"type": "string",
"description": "Agent version."
},
"excluded_from_containment": {
"type": "boolean",
"description": "Determines whether the host is excluded from containment."
},
"containment_missing_software": {
"type": "boolean",
"description": "Indicates that the agent version supports containment."
},
"containment_queued": {
"type": "boolean",
"description": "Containment requested."
},
"containment_state": {
"type": "string",
"description": "Containment state.",
"enum": [
"normal",
"contain",
"contain_fail",
"containing",
"contained",
"uncontain",
"uncontaining",
"not_normal",
"not_contained"
]
},
"stats": {
"type": "object",
"properties": {
"acqs": {
"description": "Number of file acquisition requests.",
"type": "integer",
"format": "int32"
},
"malware_cleaned_count": {
"description": "The number of cleaned malware on the host.",
"type": "integer",
"format": "int32"
},
"malware_quarantined_count": {
"description": "The number ofquarantined files on the host.",
"type": "integer",
"format": "int32"
},
"alerting_conditions": {
"description": "Number of alerting conditions.",
"type": "integer",
"format": "int32"
},
"alerts": {
"description": "Total number of alerts, including exploit-detection alerts.",
"type": "integer",
"format": "int32"
},
"exploit_alerts": {
"description": "Number of exploit alerts, partially blocked exploits, and blocked exploits.",
"type": "integer",
"format": "int32"
},
"exploit_blocks": {
"description": "The number of blocked exploits on the host.",
"type": "integer",
"format": "int32"
},
"malware_alerts": {
"description": "The number of malware alerts on the host.",
"type": "integer",
"format": "int32"
},
"generic_alerts": {
"description": "The number of generic alerts on the host.",
"type": "integer",
"format": "int32"
},
"false_positive_alerts": {
"description": "The number of false positive alerts on the host.",
"type": "integer",
"format": "int32"
},
"false_positive_alerts_by_source": {
"type": "object",
"description": "Number of false positive alerts by source."
},
"malware_false_positive_alerts": {
"description": "The number of false positive malware alerts on the host.",
"type": "integer",
"format": "int32"
}
}
},
"hostname": {
"type": "string",
"description": "Name of the host."
},
"domain": {
"type": "string",
"description": "Network domain."
},
"gmt_offset_seconds": {
"type": "integer",
"format": "int32",
"description": "How many seconds the offset is from Greenwich Mean Time (GMT)"
},
"timezone": {
"type": "string",
"description": "Timezone name."
},
"primary_ip_address": {
"type": "string",
"description": "Primary IPv4 or IPv6 address the host uses to communicate with the Endpoint server."
},
"last_audit_timestamp": {
"type": "string",
"format": "date-time",
"description": "Time when the most recent system information audit was performed."
},
"last_poll_timestamp": {
"type": "string",
"format": "date-time",
"description": "Time when the most recent poll was performed."
},
"last_poll_ip": {
"type": "string",
"description": "IP address used for the most recent poll."
},
"reported_clone": {
"type": "boolean",
"description": "Indicates more than one host has this same agent ID."
},
"initial_agent_checkin": {
"type": "string",
"format": "date-time",
"description": "Time of initial agent checkin."
},
"last_alert": {
"type": "object",
"properties": {
"_id": {
"description": "Unique alert ID.",
"type": "integer",
"format": "int32"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
}
}
},
"last_alert_timestamp": {
"type": "string",
"format": "date-time",
"description": "The time stamp of the most recent alert for the host."
},
"last_exploit_block_timestamp": {
"type": "string",
"format": "date-time",
"description": "The time stamp of the most recent blocked exploit for the host."
},
"sysinfo": {
"type": "object",
"properties": {
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
}
}
},
"os": {
"type": "object",
"properties": {
"product_name": {
"type": "string",
"description": "Operating system name."
},
"patch_level": {
"type": "string",
"description": "Operating system patch."
},
"bitness": {
"type": "string",
"description": "Operating system word size.",
"enum": [
"64-bit",
"32-bit"
]
},
"platform": {
"type": "string",
"description": "Family of operating systems.",
"enum": [
"win",
"osx",
"linux"
]
},
"kernel_version": {
"type": "string",
"description": "Operating system kernel version."
}
}
},
"primary_mac": {
"type": "string",
"description": "MAC address the host uses to communicate with the Endpoint server."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"host_information.host_sysinfo.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"sort": {
"type": "object",
"description": "List of sort parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
},
"entries": {
"type": "array",
"items": {
"type": "object",
"properties": {
"agent_id": {
"description": "Unique agent ID.",
"type": "string"
},
"data": {
"type": "object",
"description": "Content of the Agent System Information JSON object varies by agent version, platform, and installed modules."
}
}
},
"description": "JSON objects returned."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"host_information.host_sysinfo_single.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {},
"description": "Content of the Agent System Information JSON object varies by agent version, platform, and installed modules."
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"host_information.host_unlock_code.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"sort": {
"type": "object",
"description": "List of sort parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
},
"entries": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"description": "Unique alert ID.",
"type": "integer",
"format": "int32"
},
"host": {
"type": "object",
"properties": {
"_id": {
"description": "Unique agent ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
}
}
},
"unlock_code": {
"type": "string",
"description": "Unlock code."
},
"salt": {
"type": "string",
"description": "Unlock code salt."
},
"created_at": {
"type": "string",
"format": "date-time",
"description": "Time the unlock code was created."
}
}
},
"description": "JSON objects returned."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"host_information.host_unlock_code_single.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"id": {
"description": "Unique alert ID.",
"type": "integer",
"format": "int32"
},
"host": {
"type": "object",
"properties": {
"_id": {
"description": "Unique agent ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
}
}
},
"unlock_code": {
"type": "string",
"description": "Unlock code."
},
"salt": {
"type": "string",
"description": "Unlock code salt."
},
"created_at": {
"type": "string",
"format": "date-time",
"description": "Time the unlock code was created."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"host_sets.common_no_data.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"host_sets.common_no_data.success_no_content": {
"description": "Success - no content.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"host_sets.common_no_data.conflict": {
"description": "Another host set has that name.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"host_sets.common_no_data.not_found": {
"description": "Not Found",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"host_sets.common_no_data.unprocessable": {
"description": "Unprocessable Entity",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"host_sets.common_no_data.unable_to_parse": {
"description": "Unable to parse request body",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"host_sets.common_no_data.internal_error": {
"description": "An unexpected error occurred.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"host_sets.common_no_data.failed": {
"description": "Cache initialization failed.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"host_sets.common_no_entries.unprocessable": {
"description": "Unprocessable Entity",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"host_sets.common_no_entries.not_found": {
"description": "Not Found",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"host_sets.host_set_mod_summary.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"_id": {
"description": "Unique Host Set ID.",
"type": "integer",
"format": "int32"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"name": {
"description": "Host set name.",
"type": "string"
},
"_revision": {
"type": "string",
"description": "Timestamp of last update. Used for preventing updates with obsolete data. If _revision in the request body does not match _revision in the databse, the update will fail."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"host_sets.host_set_single.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"_id": {
"description": "Unique Host Set ID.",
"type": "integer",
"format": "int32"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"name": {
"description": "Host set name.",
"type": "string"
},
"type": {
"type": "string",
"enum": [
"venn",
"static"
],
"description": "Type of host set.<ul><li>venn</li>This is a dynamic host set defined by search criteria and set inclusion.<li>static</li>This is a static host set defined by a list of host IDs."
},
"_revision": {
"type": "string",
"description": "Timestamp of last update. Used for preventing updates with obsolete data. If _revision in the request body does not match _revision in the databse, the update will fail."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"indicators.common_no_data.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"indicators.common_no_data.success_no_content": {
"description": "Success - no content.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"indicators.common_no_data.success_indicatr_category": {
"description": "Success - Some indicator categories not found",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"indicators.common_no_data.deleted": {
"description": "Deleted",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"indicators.common_no_data.not_found": {
"description": "Not Found",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"indicators.common_no_data.unprocessable": {
"description": "Unprocessable Entity",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"indicators.common_no_data.unable_to_parse": {
"description": "Unable to parse request body",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"indicators.common_no_data.not_empty": {
"description": "Cannot delete category that still contains indicators.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"indicators.common_no_data.forbidden": {
"description": "Forbidden - Request unsuccessful because you do not belong to the correct authorization group or because you are using an appliance without an active MD_ACCESS license.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"indicators.common_no_data.bad_content_type": {
"description": "Unsupported Media Type",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"indicators.common_no_data.etag_not_found": {
"description": "Specified If-Match ETag(s) not found.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"indicators.common_no_data.not_allowed": {
"description": "Not Allowed - Modification of FireEye categories is not allowed.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"indicators.common_no_entries.unprocessable": {
"description": "Unprocessable Entity",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"indicators.common_no_entries.not_found": {
"description": "Not Found",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"indicators.common_no_entries.invalid_filter": {
"description": "Invalid Category",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"indicators.common_no_entries.not_allowed": {
"description": "Not Allowed - Modification of FireEye categories is not allowed.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"indicators.indicator.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"sort": {
"type": "object",
"description": "List of sort parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
},
"entries": {
"type": "array",
"items": {
"type": "object",
"properties": {
"_id": {
"description": "Unique Indicator ID.",
"type": "string"
},
"uri_name": {
"type": "string",
"description": "Indicator uri name"
},
"name": {
"type": "string",
"description": "Indicator name"
},
"_revision": {
"type": "string",
"description": "Indicator revision"
},
"display_name": {
"type": "string",
"description": "Indicator display name"
},
"description": {
"type": "string",
"description": "Indicator description"
},
"category": {
"type": "object",
"properties": {
"_id": {
"description": "Unique Indicator Category ID.",
"type": "integer",
"format": "int32"
},
"uri_name": {
"type": "string",
"description": "Indicator category uri name"
},
"url": {
"type": "string",
"description": "Indicator category url"
},
"name": {
"type": "string",
"description": "Indicator category name"
},
"share_mode": {
"type": "string",
"description": "Indicator category share mode (unrestricted, restricted, silent, any or visible).",
"enum": [
"unrestricted",
"restricted",
"silent",
"any",
"visible"
]
}
}
},
"created_by": {
"type": "string",
"description": "Indicator created by"
},
"create_actor": {
"type": "object",
"properties": {
"_id": {
"description": "Actor ID.",
"type": "integer",
"format": "int32"
},
"username": {
"type": "string",
"description": "Actor user name"
}
}
},
"update_actor": {
"type": "object",
"properties": {
"_id": {
"description": "Actor ID.",
"type": "integer",
"format": "int32"
},
"username": {
"type": "string",
"description": "Actor user name"
}
}
},
"create_text": {
"type": "string",
"description": "Indicator create text"
},
"signature": {
"type": "string",
"description": "Indicator signature"
},
"active_since": {
"type": "string",
"format": "date-time",
"description": "Indicator active since date-time"
},
"meta": {
"type": "object",
"description": "Indicator meta information"
},
"platforms": {
"type": "array",
"description": "List of target platforms",
"items": {
"type": "string",
"enum": [
"win",
"osx",
"linux"
]
}
}
}
},
"description": "JSON objects returned."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"listOfIndicators": {
"summary": "list of indicators",
"value": {
"data": {
"total": 16,
"query": {},
"sort": {
"active_since": -1
},
"offset": 0,
"limit": 50,
"entries": [
{
"uri_name": "18b18f24-6b42-497c-b574-dc07edb5a38f",
"_id": "18b18f24-6b42-497c-b574-dc07edb5a38f",
"name": "SUSPICIOUS VBSCRIPT (METHODOLOGY)",
"_revision": "20200602065842477247102716",
"display_name": "SUSPICIOUS VBSCRIPT (METHODOLOGY)",
"description": "This IOC identifies the use of explicit script engine declarations for cscript or wscript without their normally associated file extensions. This is associated to MITRE ATT&CK (r) Tactic: Defense Evasion, Execution and Technique: T1064\t",
"category": {
"_id": 7,
"uri_name": "mandiant_unrestricted",
"url": "/hx/api/v3/indicator_categories/mandiant_unrestricted",
"name": "Mandiant Unrestricted Intel",
"share_mode": "unrestricted"
},
"created_by": "General_Windows_unrestricted_2020.05.270833",
"create_actor": {
"_id": 3,
"username": "mandiant"
},
"update_actor": {
"_id": 3,
"username": "mandiant"
},
"create_text": "General_Windows_unrestricted_2020.05.270833",
"signature": null,
"active_since": "2020-06-02T06:56:13.324Z",
"meta": null,
"url": "/hx/api/v3/indicators/mandiant_unrestricted/18b18f24_6b42_497c_b574_dc07edb5a38f",
"stats": {
"source_alerts": 0,
"active_conditions": 8,
"alerted_agents": 0
},
"platforms": [
"win",
"osx",
"linux"
]
},
{
"uri_name": "2e0f439b-c20c-475f-8017-9e43d3ec0f3c",
"_id": "2e0f439b-c20c-475f-8017-9e43d3ec0f3c",
"name": "SUSPICIOUS SCRIPT CREATION (METHODOLOGY)",
"_revision": "20200602065842525475102728",
"display_name": "SUSPICIOUS SCRIPT CREATION (METHODOLOGY)",
"description": "This IOC is designed to identify the creation and execution of scripts with random names. This technique has been observed to drop payloads in phishing emails. This is associated to MITRE ATT&CK (r) Tactic: Defense Evasion, Execution and Technique: T1064\t",
"category": {
"_id": 7,
"uri_name": "mandiant_unrestricted",
"url": "/hx/api/v3/indicator_categories/mandiant_unrestricted",
"name": "Mandiant Unrestricted Intel",
"share_mode": "unrestricted"
},
"created_by": "General_Windows_unrestricted_2020.05.270833",
"create_actor": {
"_id": 3,
"username": "mandiant"
},
"update_actor": {
"_id": 3,
"username": "mandiant"
},
"create_text": "General_Windows_unrestricted_2020.05.270833",
"signature": null,
"active_since": "2020-06-02T06:56:13.324Z",
"meta": null,
"url": "/hx/api/v3/indicators/mandiant_unrestricted/2e0f439b_c20c_475f_8017_9e43d3ec0f3c",
"stats": {
"source_alerts": 0,
"active_conditions": 3,
"alerted_agents": 0
},
"platforms": [
"win",
"osx",
"linux"
]
},
{
"uri_name": "2b4753b0-9972-477e-ba16-1a7c29058cee",
"_id": "2b4753b0-9972-477e-ba16-1a7c29058cee",
"name": "FIREEYE END2END TEST",
"_revision": "20200602065842473590102712",
"display_name": "FIREEYE END2END TEST",
"description": "IOC used for testing HX appliances and content packages to ensure that things work end to end",
"category": {
"_id": 7,
"uri_name": "mandiant_unrestricted",
"url": "/hx/api/v3/indicator_categories/mandiant_unrestricted",
"name": "Mandiant Unrestricted Intel",
"share_mode": "unrestricted"
},
"created_by": "General_Windows_unrestricted_2020.05.270833",
"create_actor": {
"_id": 3,
"username": "mandiant"
},
"update_actor": {
"_id": 3,
"username": "mandiant"
},
"create_text": "General_Windows_unrestricted_2020.05.270833",
"signature": null,
"active_since": "2020-06-02T06:56:13.324Z",
"meta": null,
"url": "/hx/api/v3/indicators/mandiant_unrestricted/2b4753b0_9972_477e_ba16_1a7c29058cee",
"stats": {
"source_alerts": 0,
"active_conditions": 7,
"alerted_agents": 0
},
"platforms": [
"win",
"osx",
"linux"
]
},
{
"uri_name": "206fd4d5-d5fe-44a8-8ce4-375a6ba425ab",
"_id": "206fd4d5-d5fe-44a8-8ce4-375a6ba425ab",
"name": "WSCRIPT LAUNCHING POWERSHELL (METHODOLOGY)",
"_revision": "20200602065842477489102718",
"display_name": "WSCRIPT LAUNCHING POWERSHELL (METHODOLOGY)",
"description": "This IOC looks for wscript.exe launching powershell scripts out of a temp directory. The CERTOR is known to do this . This is associated to MITRE ATT&CK (r) Tactic: Execution and Technique: T1086, T1064\t",
"category": {
"_id": 7,
"uri_name": "mandiant_unrestricted",
"url": "/hx/api/v3/indicator_categories/mandiant_unrestricted",
"name": "Mandiant Unrestricted Intel",
"share_mode": "unrestricted"
},
"created_by": "General_Windows_unrestricted_2020.05.270833",
"create_actor": {
"_id": 3,
"username": "mandiant"
},
"update_actor": {
"_id": 3,
"username": "mandiant"
},
"create_text": "General_Windows_unrestricted_2020.05.270833",
"signature": null,
"active_since": "2020-06-02T06:56:13.324Z",
"meta": null,
"url": "/hx/api/v3/indicators/mandiant_unrestricted/206fd4d5_d5fe_44a8_8ce4_375a6ba425ab",
"stats": {
"source_alerts": 0,
"active_conditions": 2,
"alerted_agents": 0
},
"platforms": [
"win",
"osx",
"linux"
]
},
{
"uri_name": "54ceea13-bfb3-41f4-8755-ffd8c7e03f5e",
"_id": "54ceea13-bfb3-41f4-8755-ffd8c7e03f5e",
"name": "MALICIOUS SCRIPT CONTENT A (METHODOLOGY)",
"_revision": "20200602065842476712102720",
"display_name": "MALICIOUS SCRIPT CONTENT A (METHODOLOGY)",
"description": "This IOC looks for potentially malicious scripts run via mshta.exe or rundll32.exe via persistence mechanisms of the regsitry. The script contents may be available in the registry data, or refer to files on disk. This is associated to MITRE ATT&CK (r) Tactic: Defense Evasion, Execution and Technique: T1170, T1085, T1064",
"category": {
"_id": 7,
"uri_name": "mandiant_unrestricted",
"url": "/hx/api/v3/indicator_categories/mandiant_unrestricted",
"name": "Mandiant Unrestricted Intel",
"share_mode": "unrestricted"
},
"created_by": "General_Windows_unrestricted_2020.05.270833",
"create_actor": {
"_id": 3,
"username": "mandiant"
},
"update_actor": {
"_id": 3,
"username": "mandiant"
},
"create_text": "General_Windows_unrestricted_2020.05.270833",
"signature": null,
"active_since": "2020-06-02T06:56:13.324Z",
"meta": null,
"url": "/hx/api/v3/indicators/mandiant_unrestricted/54ceea13_bfb3_41f4_8755_ffd8c7e03f5e",
"stats": {
"source_alerts": 0,
"active_conditions": 6,
"alerted_agents": 0
},
"platforms": [
"win",
"osx",
"linux"
]
},
{
"uri_name": "060807ae-01a9-48bb-8219-64de2bf64d03",
"_id": "060807ae-01a9-48bb-8219-64de2bf64d03",
"name": "CRYPMIC RANSOMWARE (FAMILY)",
"_revision": "20200602065842473974102714",
"display_name": "CRYPMIC RANSOMWARE (FAMILY)",
"description": "This IOC identifies artifacts associated with the execution of CRYPMIC ransomware family and its variants.",
"category": {
"_id": 7,
"uri_name": "mandiant_unrestricted",
"url": "/hx/api/v3/indicator_categories/mandiant_unrestricted",
"name": "Mandiant Unrestricted Intel",
"share_mode": "unrestricted"
},
"created_by": "General_Windows_unrestricted_2020.05.270833",
"create_actor": {
"_id": 3,
"username": "mandiant"
},
"update_actor": {
"_id": 3,
"username": "mandiant"
},
"create_text": "General_Windows_unrestricted_2020.05.270833",
"signature": null,
"active_since": "2020-06-02T06:56:13.324Z",
"meta": null,
"url": "/hx/api/v3/indicators/mandiant_unrestricted/060807ae_01a9_48bb_8219_64de2bf64d03",
"stats": {
"source_alerts": 0,
"active_conditions": 7,
"alerted_agents": 0
},
"platforms": [
"win",
"osx",
"linux"
]
},
{
"uri_name": "c408b3cd-cd41-4c56-b797-1a5a91a8af0b",
"_id": "c408b3cd-cd41-4c56-b797-1a5a91a8af0b",
"name": "JAKU (REPORT)",
"_revision": "20200602065842516319102726",
"display_name": "JAKU (REPORT)",
"description": "Indicators of Compromise derived from information located in the Forcepoint JAKUE report. This includes Host Based Indicators and Network Based Indicators.",
"category": {
"_id": 7,
"uri_name": "mandiant_unrestricted",
"url": "/hx/api/v3/indicator_categories/mandiant_unrestricted",
"name": "Mandiant Unrestricted Intel",
"share_mode": "unrestricted"
},
"created_by": "General_Windows_unrestricted_2020.05.270833",
"create_actor": {
"_id": 3,
"username": "mandiant"
},
"update_actor": {
"_id": 3,
"username": "mandiant"
},
"create_text": "General_Windows_unrestricted_2020.05.270833",
"signature": null,
"active_since": "2020-06-02T06:56:13.324Z",
"meta": null,
"url": "/hx/api/v3/indicators/mandiant_unrestricted/c408b3cd_cd41_4c56_b797_1a5a91a8af0b",
"stats": {
"source_alerts": 0,
"active_conditions": 33,
"alerted_agents": 0
},
"platforms": [
"win",
"osx",
"linux"
]
},
{
"uri_name": "873ae10d-2124-4345-bbfb-a15229104c50",
"_id": "873ae10d-2124-4345-bbfb-a15229104c50",
"name": "MIMIKATZ (CREDENTIAL STEALER)",
"_revision": "20200602065842502364102724",
"display_name": "MIMIKATZ (CREDENTIAL STEALER)",
"description": "This tool is a freely downloadable binary capable of process injection, SAM hash dumping and exporting certificates and private keys of the executing user. This is associated to MITRE ATT&CK (r) Tactic: Credential Access and Technique: T1003.",
"category": {
"_id": 7,
"uri_name": "mandiant_unrestricted",
"url": "/hx/api/v3/indicator_categories/mandiant_unrestricted",
"name": "Mandiant Unrestricted Intel",
"share_mode": "unrestricted"
},
"created_by": "General_Windows_unrestricted_2020.05.270833",
"create_actor": {
"_id": 3,
"username": "mandiant"
},
"update_actor": {
"_id": 3,
"username": "mandiant"
},
"create_text": "General_Windows_unrestricted_2020.05.270833",
"signature": null,
"active_since": "2020-06-02T06:56:13.324Z",
"meta": null,
"url": "/hx/api/v3/indicators/mandiant_unrestricted/873ae10d_2124_4345_bbfb_a15229104c50",
"stats": {
"source_alerts": 0,
"active_conditions": 21,
"alerted_agents": 0
},
"platforms": [
"win",
"osx",
"linux"
]
},
{
"uri_name": "ae26b41f-b7a8-4d74-a73a-d45897c6d918",
"_id": "ae26b41f-b7a8-4d74-a73a-d45897c6d918",
"name": "NEUTRINO EXPLOITKIT (EXPLOIT)",
"_revision": "20200602065842502109102722",
"display_name": "NEUTRINO EXPLOITKIT (EXPLOIT)",
"description": "Identify files dropped by the Neutrino Exploitkit. An encoded JScript payload is used to download and decrypt either an EXE or DLL payload, which is written to %TEMP% and then launched.",
"category": {
"_id": 7,
"uri_name": "mandiant_unrestricted",
"url": "/hx/api/v3/indicator_categories/mandiant_unrestricted",
"name": "Mandiant Unrestricted Intel",
"share_mode": "unrestricted"
},
"created_by": "General_Windows_unrestricted_2020.05.270833",
"create_actor": {
"_id": 3,
"username": "mandiant"
},
"update_actor": {
"_id": 3,
"username": "mandiant"
},
"create_text": "General_Windows_unrestricted_2020.05.270833",
"signature": null,
"active_since": "2020-06-02T06:56:13.324Z",
"meta": null,
"url": "/hx/api/v3/indicators/mandiant_unrestricted/ae26b41f_b7a8_4d74_a73a_d45897c6d918",
"stats": {
"source_alerts": 0,
"active_conditions": 6,
"alerted_agents": 0
},
"platforms": [
"win",
"osx",
"linux"
]
},
{
"uri_name": "7f318a71-6fab-436e-a5fd-fbf188959d4d",
"_id": "7f318a71-6fab-436e-a5fd-fbf188959d4d",
"name": "FIREEYE END2END OSX TEST",
"_revision": "20200602065644756872100625",
"display_name": "FIREEYE END2END OSX TEST",
"description": "IOC used for testing HX appliances and content packages to ensure that things work end to end for OSX.",
"category": {
"_id": 7,
"uri_name": "mandiant_unrestricted",
"url": "/hx/api/v3/indicator_categories/mandiant_unrestricted",
"name": "Mandiant Unrestricted Intel",
"share_mode": "unrestricted"
},
"created_by": "General_OSX_unrestricted_2019.03.101046",
"create_actor": {
"_id": 3,
"username": "mandiant"
},
"update_actor": {
"_id": 3,
"username": "mandiant"
},
"create_text": "General_OSX_unrestricted_2019.03.101046",
"signature": null,
"active_since": "2020-06-02T06:56:10.961Z",
"meta": null,
"url": "/hx/api/v3/indicators/mandiant_unrestricted/7f318a71_6fab_436e_a5fd_fbf188959d4d",
"stats": {
"source_alerts": 0,
"active_conditions": 2,
"alerted_agents": 0
},
"platforms": [
"win",
"osx",
"linux"
]
},
{
"uri_name": "08368358-477d-41c8-97ad-86e46df5f66d",
"_id": "08368358-477d-41c8-97ad-86e46df5f66d",
"name": "VPNFILTER (FAMILY)",
"_revision": "20200602065639441703100456",
"display_name": "VPNFILTER (FAMILY)",
"description": "This IOC detects the execution of cronjobs which start suspicious processes from /var directory. This is a technique used by VpnFilter malware family.",
"category": {
"_id": 7,
"uri_name": "mandiant_unrestricted",
"url": "/hx/api/v3/indicator_categories/mandiant_unrestricted",
"name": "Mandiant Unrestricted Intel",
"share_mode": "unrestricted"
},
"created_by": "General_Linux_unrestricted_2020.03.110910",
"create_actor": {
"_id": 3,
"username": "mandiant"
},
"update_actor": {
"_id": 3,
"username": "mandiant"
},
"create_text": "General_Linux_unrestricted_2020.03.110910",
"signature": null,
"active_since": "2020-06-02T06:56:08.855Z",
"meta": null,
"url": "/hx/api/v3/indicators/mandiant_unrestricted/08368358_477d_41c8_97ad_86e46df5f66d",
"stats": {
"source_alerts": 0,
"active_conditions": 3,
"alerted_agents": 0
},
"platforms": [
"win",
"osx",
"linux"
]
},
{
"uri_name": "213916dd-2b4d-4802-b3c3-3dbd08f6544c",
"_id": "213916dd-2b4d-4802-b3c3-3dbd08f6544c",
"name": "SUSPICIOUS CREATION OF CRONJOB (METHODOLOGY)",
"_revision": "20200602065639473897100462",
"display_name": "SUSPICIOUS CREATION OF CRONJOB (METHODOLOGY)",
"description": "This IOC detects the suspicious creation of cronjobs from remote URL. This technique is used by malware for persistence. This is associated to MITRE ATT&CK (r) Persistence, Execution and Technique: T1168",
"category": {
"_id": 7,
"uri_name": "mandiant_unrestricted",
"url": "/hx/api/v3/indicator_categories/mandiant_unrestricted",
"name": "Mandiant Unrestricted Intel",
"share_mode": "unrestricted"
},
"created_by": "General_Linux_unrestricted_2020.03.110910",
"create_actor": {
"_id": 3,
"username": "mandiant"
},
"update_actor": {
"_id": 3,
"username": "mandiant"
},
"create_text": "General_Linux_unrestricted_2020.03.110910",
"signature": null,
"active_since": "2020-06-02T06:56:08.855Z",
"meta": null,
"url": "/hx/api/v3/indicators/mandiant_unrestricted/213916dd_2b4d_4802_b3c3_3dbd08f6544c",
"stats": {
"source_alerts": 0,
"active_conditions": 1,
"alerted_agents": 0
},
"platforms": [
"win",
"osx",
"linux"
]
},
{
"uri_name": "5df24c6a-c807-49bd-9adc-c7adcd5d7ee2",
"_id": "5df24c6a-c807-49bd-9adc-c7adcd5d7ee2",
"name": "EMPYRE LINUX (UTILITY)",
"_revision": "20200602065639451795100458",
"display_name": "EMPYRE LINUX (UTILITY)",
"description": "EMPYRE is a pure Python post-exploitation agent based on the PowerShell version called Empire. This alert focuses on the default command line arguments of the processes invoked by this tool. ",
"category": {
"_id": 7,
"uri_name": "mandiant_unrestricted",
"url": "/hx/api/v3/indicator_categories/mandiant_unrestricted",
"name": "Mandiant Unrestricted Intel",
"share_mode": "unrestricted"
},
"created_by": "General_Linux_unrestricted_2020.03.110910",
"create_actor": {
"_id": 3,
"username": "mandiant"
},
"update_actor": {
"_id": 3,
"username": "mandiant"
},
"create_text": "General_Linux_unrestricted_2020.03.110910",
"signature": null,
"active_since": "2020-06-02T06:56:08.855Z",
"meta": null,
"url": "/hx/api/v3/indicators/mandiant_unrestricted/5df24c6a_c807_49bd_9adc_c7adcd5d7ee2",
"stats": {
"source_alerts": 0,
"active_conditions": 4,
"alerted_agents": 0
},
"platforms": [
"win",
"osx",
"linux"
]
},
{
"uri_name": "9b988026-42b0-4342-82f0-0f3ce70decdd",
"_id": "9b988026-42b0-4342-82f0-0f3ce70decdd",
"name": "FIREEYE END2END LINUX TEST",
"_revision": "20200602065639481131100464",
"display_name": "FIREEYE END2END LINUX TEST",
"description": "IOC used for testing HX appliances and content packages to ensure that things work end to end for Linux.",
"category": {
"_id": 7,
"uri_name": "mandiant_unrestricted",
"url": "/hx/api/v3/indicator_categories/mandiant_unrestricted",
"name": "Mandiant Unrestricted Intel",
"share_mode": "unrestricted"
},
"created_by": "General_Linux_unrestricted_2020.03.110910",
"create_actor": {
"_id": 3,
"username": "mandiant"
},
"update_actor": {
"_id": 3,
"username": "mandiant"
},
"create_text": "General_Linux_unrestricted_2020.03.110910",
"signature": null,
"active_since": "2020-06-02T06:56:08.855Z",
"meta": null,
"url": "/hx/api/v3/indicators/mandiant_unrestricted/9b988026_42b0_4342_82f0_0f3ce70decdd",
"stats": {
"source_alerts": 0,
"active_conditions": 1,
"alerted_agents": 0
},
"platforms": [
"win",
"osx",
"linux"
]
},
{
"uri_name": "18ae598d-5605-4296-9877-19ccf628e6c9",
"_id": "18ae598d-5605-4296-9877-19ccf628e6c9",
"name": "SUSPICIOUS EXECUTION OF XORG SERVER (EXPLOIT)",
"_revision": "20200602065639439621100454",
"display_name": "SUSPICIOUS EXECUTION OF XORG SERVER (EXPLOIT)",
"description": "This IOC detects the suspicous execution of Xorg to exploit CVE-2018-14665 which results in execution of high privilege due to improper authentication. This is associated to MITRE ATT&CK (r) Tactic: Privilege Escalation and Technique: T1068",
"category": {
"_id": 7,
"uri_name": "mandiant_unrestricted",
"url": "/hx/api/v3/indicator_categories/mandiant_unrestricted",
"name": "Mandiant Unrestricted Intel",
"share_mode": "unrestricted"
},
"created_by": "General_Linux_unrestricted_2020.03.110910",
"create_actor": {
"_id": 3,
"username": "mandiant"
},
"update_actor": {
"_id": 3,
"username": "mandiant"
},
"create_text": "General_Linux_unrestricted_2020.03.110910",
"signature": null,
"active_since": "2020-06-02T06:56:08.855Z",
"meta": null,
"url": "/hx/api/v3/indicators/mandiant_unrestricted/18ae598d_5605_4296_9877_19ccf628e6c9",
"stats": {
"source_alerts": 0,
"active_conditions": 2,
"alerted_agents": 0
},
"platforms": [
"win",
"osx",
"linux"
]
},
{
"uri_name": "0216e9ed-70cf-4052-a7ed-4062cc588501",
"_id": "0216e9ed-70cf-4052-a7ed-4062cc588501",
"name": "ADORE (ROOTKIT)",
"_revision": "20200602065639473456100460",
"display_name": "ADORE (ROOTKIT)",
"description": "ADORE is a linux rootkit capable of hiding files and processes, it usually installs itself as a kernel module. Kindly investigate the process to confirm maliciousness.",
"category": {
"_id": 7,
"uri_name": "mandiant_unrestricted",
"url": "/hx/api/v3/indicator_categories/mandiant_unrestricted",
"name": "Mandiant Unrestricted Intel",
"share_mode": "unrestricted"
},
"created_by": "General_Linux_unrestricted_2020.03.110910",
"create_actor": {
"_id": 3,
"username": "mandiant"
},
"update_actor": {
"_id": 3,
"username": "mandiant"
},
"create_text": "General_Linux_unrestricted_2020.03.110910",
"signature": null,
"active_since": "2020-06-02T06:56:08.855Z",
"meta": null,
"url": "/hx/api/v3/indicators/mandiant_unrestricted/0216e9ed_70cf_4052_a7ed_4062cc588501",
"stats": {
"source_alerts": 0,
"active_conditions": 22,
"alerted_agents": 0
},
"platforms": [
"win",
"osx",
"linux"
]
}
]
},
"message": "OK",
"details": [],
"route": "/hx/api/v3/indicators"
}
}
}
}
}
},
"indicators.indicator_category.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"sort": {
"type": "object",
"description": "List of sort parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
},
"entries": {
"type": "array",
"items": {
"type": "object",
"properties": {
"_id": {
"description": "Unique Indicator Category ID.",
"type": "integer",
"format": "int32"
},
"uri_name": {
"type": "string",
"description": "Indicator category uri name"
},
"_revision": {
"type": "string",
"description": "Indicator category revision"
},
"display_name": {
"type": "string",
"description": "Indicator category display name"
},
"retention_policy": {
"type": "string",
"description": "Indicator category Retention policy (manual, auto, intel).",
"enum": [
"manual",
"auto",
"intel"
]
},
"ui_edit_policy": {
"type": "string",
"description": "Indicator category UI edit policy (full, edit_delete, delete, read_only).",
"enum": [
"full",
"edit_delete",
"delete",
"read_only"
]
},
"ui_signature_enabled": {
"type": "boolean",
"description": "Set to true if UI signature is enabled"
},
"ui_source_alerts_enabled": {
"type": "boolean",
"description": "Set to true if UI source alerts are enabled"
},
"share_mode": {
"type": "string",
"description": "Indicator category share mode (unrestricted, restricted, silent, any or visible).",
"enum": [
"unrestricted",
"restricted",
"silent",
"any",
"visible"
]
},
"url": {
"type": "string",
"description": "Indicator category url"
},
"name": {
"type": "string",
"description": "Indicator category name"
}
}
},
"description": "JSON objects returned."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"listOfIndicatorCategories": {
"summary": "list of indicator categories",
"value": {
"data": {
"total": 7,
"query": {},
"sort": {
"name": 1
},
"offset": 0,
"limit": 50,
"entries": [
{
"uri_name": "Custom",
"_id": 2,
"_revision": "20200518131206897664100026",
"display_name": null,
"retention_policy": "manual",
"ui_edit_policy": "full",
"ui_signature_enabled": false,
"ui_source_alerts_enabled": true,
"share_mode": "unrestricted",
"url": "/hx/api/v3/indicator_categories/custom",
"name": "Custom"
},
{
"uri_name": "FireEye",
"_id": 4,
"_revision": "20200518131206897664100030",
"display_name": null,
"retention_policy": "auto",
"ui_edit_policy": "delete",
"ui_signature_enabled": true,
"ui_source_alerts_enabled": true,
"share_mode": "unrestricted",
"url": "/hx/api/v3/indicator_categories/fireeye",
"name": "FireEye"
},
{
"uri_name": "fireeye_restricted",
"_id": 8,
"_revision": "20200518131206897664100038",
"display_name": "FireEye Restricted",
"retention_policy": "auto",
"ui_edit_policy": "delete",
"ui_signature_enabled": true,
"ui_source_alerts_enabled": true,
"share_mode": "restricted",
"url": "/hx/api/v3/indicator_categories/fireeye_restricted",
"name": "FireEye Restricted"
},
{
"uri_name": "FireEye-CMS",
"_id": 5,
"_revision": "20200518131206897664100032",
"display_name": null,
"retention_policy": "auto",
"ui_edit_policy": "delete",
"ui_signature_enabled": true,
"ui_source_alerts_enabled": true,
"share_mode": "unrestricted",
"url": "/hx/api/v3/indicator_categories/fireeye_cms",
"name": "FireEye-CMS"
},
{
"uri_name": "Imported",
"_id": 3,
"_revision": "20200518131206897664100028",
"display_name": null,
"retention_policy": "manual",
"ui_edit_policy": "edit_delete",
"ui_signature_enabled": false,
"ui_source_alerts_enabled": true,
"share_mode": "unrestricted",
"url": "/hx/api/v3/indicator_categories/imported",
"name": "Imported"
},
{
"uri_name": "Mandiant",
"_id": 1,
"_revision": "20200518131206897664100024",
"display_name": "Mandiant Intel",
"retention_policy": "intel",
"ui_edit_policy": "read_only",
"ui_signature_enabled": false,
"ui_source_alerts_enabled": true,
"share_mode": "restricted",
"url": "/hx/api/v3/indicator_categories/mandiant",
"name": "Mandiant Intel"
},
{
"uri_name": "mandiant_unrestricted",
"_id": 7,
"_revision": "20200518131206897664100036",
"display_name": "Mandiant Unrestricted Intel",
"retention_policy": "intel",
"ui_edit_policy": "read_only",
"ui_signature_enabled": false,
"ui_source_alerts_enabled": true,
"share_mode": "unrestricted",
"url": "/hx/api/v3/indicator_categories/mandiant_unrestricted",
"name": "Mandiant Unrestricted Intel"
}
]
},
"message": "OK",
"details": [],
"route": "/hx/api/v3/indicator_categories"
}
}
}
}
}
},
"indicators.indicator_category_obj.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"_id": {
"description": "Unique Indicator Category ID.",
"type": "integer",
"format": "int32"
},
"uri_name": {
"type": "string",
"description": "Indicator category uri name"
},
"_revision": {
"type": "string",
"description": "Indicator category revision"
},
"display_name": {
"type": "string",
"description": "Indicator category display name"
},
"retention_policy": {
"type": "string",
"description": "Indicator category Retention policy (manual, auto, intel).",
"enum": [
"manual",
"auto",
"intel"
]
},
"ui_edit_policy": {
"type": "string",
"description": "Indicator category UI edit policy (full, edit_delete, delete, read_only).",
"enum": [
"full",
"edit_delete",
"delete",
"read_only"
]
},
"ui_signature_enabled": {
"type": "boolean",
"description": "Set to true if UI signature is enabled"
},
"ui_source_alerts_enabled": {
"type": "boolean",
"description": "Set to true if UI source alerts are enabled"
},
"share_mode": {
"type": "string",
"description": "Indicator category share mode (unrestricted, restricted, silent, any or visible).",
"enum": [
"unrestricted",
"restricted",
"silent",
"any",
"visible"
]
},
"url": {
"type": "string",
"description": "Indicator category url"
},
"name": {
"type": "string",
"description": "Indicator category name"
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"res": {
"summary": "Indicator category create/update",
"value": {
"details": [],
"route": "/hx/api/v3/indicator_categories/category",
"data": {
"uri_name": "t1",
"_id": 1000,
"name": "t1",
"_revision": "20200522082638088279105702",
"display_name": null,
"retention_policy": "manual",
"ui_edit_policy": "edit_delete",
"ui_signature_enabled": true,
"ui_source_alerts_enabled": true,
"share_mode": "unrestricted",
"url": "/hx/api/v3/indicator_categories/t1"
},
"message": "OK"
}
}
}
}
}
},
"indicators.indicator_for_cat.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"sort": {
"type": "object",
"description": "List of sort parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
},
"entries": {
"type": "array",
"items": {
"type": "object",
"properties": {
"_id": {
"description": "Unique Indicator ID.",
"type": "string"
},
"uri_name": {
"type": "string",
"description": "Indicator uri name"
},
"name": {
"type": "string",
"description": "Indicator name"
},
"_revision": {
"type": "string",
"description": "Indicator revision"
},
"display_name": {
"type": "string",
"description": "Indicator display name"
},
"description": {
"type": "string",
"description": "Indicator description"
},
"category": {
"type": "object",
"properties": {
"_id": {
"description": "Unique Indicator Category ID.",
"type": "integer",
"format": "int32"
},
"uri_name": {
"type": "string",
"description": "Indicator category uri name"
},
"url": {
"type": "string",
"description": "Indicator category url"
},
"name": {
"type": "string",
"description": "Indicator category name"
},
"share_mode": {
"type": "string",
"description": "Indicator category share mode (unrestricted, restricted, silent, any or visible).",
"enum": [
"unrestricted",
"restricted",
"silent",
"any",
"visible"
]
}
}
},
"created_by": {
"type": "string",
"description": "Indicator created by"
},
"create_actor": {
"type": "object",
"properties": {
"_id": {
"description": "Actor ID.",
"type": "integer",
"format": "int32"
},
"username": {
"type": "string",
"description": "Actor user name"
}
}
},
"update_actor": {
"type": "object",
"properties": {
"_id": {
"description": "Actor ID.",
"type": "integer",
"format": "int32"
},
"username": {
"type": "string",
"description": "Actor user name"
}
}
},
"create_text": {
"type": "string",
"description": "Indicator create text"
},
"signature": {
"type": "string",
"description": "Indicator signature"
},
"active_since": {
"type": "string",
"format": "date-time",
"description": "Indicator active since date-time"
},
"meta": {
"type": "object",
"description": "Indicator meta information"
},
"platforms": {
"type": "array",
"description": "List of target platforms",
"items": {
"type": "string",
"enum": [
"win",
"osx",
"linux"
]
}
}
}
},
"description": "JSON objects returned."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"listOfIndicators": {
"summary": "list of indicators",
"value": {
"data": {
"total": 16,
"query": {},
"sort": {
"active_since": -1
},
"offset": 0,
"limit": 50,
"entries": [
{
"uri_name": "18b18f24-6b42-497c-b574-dc07edb5a38f",
"_id": "18b18f24-6b42-497c-b574-dc07edb5a38f",
"name": "SUSPICIOUS VBSCRIPT (METHODOLOGY)",
"_revision": "20200602065842477247102716",
"display_name": "SUSPICIOUS VBSCRIPT (METHODOLOGY)",
"description": "This IOC identifies the use of explicit script engine declarations for cscript or wscript without their normally associated file extensions. This is associated to MITRE ATT&CK (r) Tactic: Defense Evasion, Execution and Technique: T1064\t",
"category": {
"_id": 7,
"uri_name": "mandiant_unrestricted",
"url": "/hx/api/v3/indicator_categories/mandiant_unrestricted",
"name": "Mandiant Unrestricted Intel",
"share_mode": "unrestricted"
},
"created_by": "General_Windows_unrestricted_2020.05.270833",
"create_actor": {
"_id": 3,
"username": "mandiant"
},
"update_actor": {
"_id": 3,
"username": "mandiant"
},
"create_text": "General_Windows_unrestricted_2020.05.270833",
"signature": null,
"active_since": "2020-06-02T06:56:13.324Z",
"meta": null,
"url": "/hx/api/v3/indicators/mandiant_unrestricted/18b18f24_6b42_497c_b574_dc07edb5a38f",
"stats": {
"source_alerts": 0,
"active_conditions": 8,
"alerted_agents": 0
},
"platforms": [
"win",
"osx",
"linux"
]
},
{
"uri_name": "2e0f439b-c20c-475f-8017-9e43d3ec0f3c",
"_id": "2e0f439b-c20c-475f-8017-9e43d3ec0f3c",
"name": "SUSPICIOUS SCRIPT CREATION (METHODOLOGY)",
"_revision": "20200602065842525475102728",
"display_name": "SUSPICIOUS SCRIPT CREATION (METHODOLOGY)",
"description": "This IOC is designed to identify the creation and execution of scripts with random names. This technique has been observed to drop payloads in phishing emails. This is associated to MITRE ATT&CK (r) Tactic: Defense Evasion, Execution and Technique: T1064\t",
"category": {
"_id": 7,
"uri_name": "mandiant_unrestricted",
"url": "/hx/api/v3/indicator_categories/mandiant_unrestricted",
"name": "Mandiant Unrestricted Intel",
"share_mode": "unrestricted"
},
"created_by": "General_Windows_unrestricted_2020.05.270833",
"create_actor": {
"_id": 3,
"username": "mandiant"
},
"update_actor": {
"_id": 3,
"username": "mandiant"
},
"create_text": "General_Windows_unrestricted_2020.05.270833",
"signature": null,
"active_since": "2020-06-02T06:56:13.324Z",
"meta": null,
"url": "/hx/api/v3/indicators/mandiant_unrestricted/2e0f439b_c20c_475f_8017_9e43d3ec0f3c",
"stats": {
"source_alerts": 0,
"active_conditions": 3,
"alerted_agents": 0
},
"platforms": [
"win",
"osx",
"linux"
]
},
{
"uri_name": "2b4753b0-9972-477e-ba16-1a7c29058cee",
"_id": "2b4753b0-9972-477e-ba16-1a7c29058cee",
"name": "FIREEYE END2END TEST",
"_revision": "20200602065842473590102712",
"display_name": "FIREEYE END2END TEST",
"description": "IOC used for testing HX appliances and content packages to ensure that things work end to end",
"category": {
"_id": 7,
"uri_name": "mandiant_unrestricted",
"url": "/hx/api/v3/indicator_categories/mandiant_unrestricted",
"name": "Mandiant Unrestricted Intel",
"share_mode": "unrestricted"
},
"created_by": "General_Windows_unrestricted_2020.05.270833",
"create_actor": {
"_id": 3,
"username": "mandiant"
},
"update_actor": {
"_id": 3,
"username": "mandiant"
},
"create_text": "General_Windows_unrestricted_2020.05.270833",
"signature": null,
"active_since": "2020-06-02T06:56:13.324Z",
"meta": null,
"url": "/hx/api/v3/indicators/mandiant_unrestricted/2b4753b0_9972_477e_ba16_1a7c29058cee",
"stats": {
"source_alerts": 0,
"active_conditions": 7,
"alerted_agents": 0
},
"platforms": [
"win",
"osx",
"linux"
]
},
{
"uri_name": "206fd4d5-d5fe-44a8-8ce4-375a6ba425ab",
"_id": "206fd4d5-d5fe-44a8-8ce4-375a6ba425ab",
"name": "WSCRIPT LAUNCHING POWERSHELL (METHODOLOGY)",
"_revision": "20200602065842477489102718",
"display_name": "WSCRIPT LAUNCHING POWERSHELL (METHODOLOGY)",
"description": "This IOC looks for wscript.exe launching powershell scripts out of a temp directory. The CERTOR is known to do this . This is associated to MITRE ATT&CK (r) Tactic: Execution and Technique: T1086, T1064\t",
"category": {
"_id": 7,
"uri_name": "mandiant_unrestricted",
"url": "/hx/api/v3/indicator_categories/mandiant_unrestricted",
"name": "Mandiant Unrestricted Intel",
"share_mode": "unrestricted"
},
"created_by": "General_Windows_unrestricted_2020.05.270833",
"create_actor": {
"_id": 3,
"username": "mandiant"
},
"update_actor": {
"_id": 3,
"username": "mandiant"
},
"create_text": "General_Windows_unrestricted_2020.05.270833",
"signature": null,
"active_since": "2020-06-02T06:56:13.324Z",
"meta": null,
"url": "/hx/api/v3/indicators/mandiant_unrestricted/206fd4d5_d5fe_44a8_8ce4_375a6ba425ab",
"stats": {
"source_alerts": 0,
"active_conditions": 2,
"alerted_agents": 0
},
"platforms": [
"win",
"osx",
"linux"
]
},
{
"uri_name": "54ceea13-bfb3-41f4-8755-ffd8c7e03f5e",
"_id": "54ceea13-bfb3-41f4-8755-ffd8c7e03f5e",
"name": "MALICIOUS SCRIPT CONTENT A (METHODOLOGY)",
"_revision": "20200602065842476712102720",
"display_name": "MALICIOUS SCRIPT CONTENT A (METHODOLOGY)",
"description": "This IOC looks for potentially malicious scripts run via mshta.exe or rundll32.exe via persistence mechanisms of the regsitry. The script contents may be available in the registry data, or refer to files on disk. This is associated to MITRE ATT&CK (r) Tactic: Defense Evasion, Execution and Technique: T1170, T1085, T1064",
"category": {
"_id": 7,
"uri_name": "mandiant_unrestricted",
"url": "/hx/api/v3/indicator_categories/mandiant_unrestricted",
"name": "Mandiant Unrestricted Intel",
"share_mode": "unrestricted"
},
"created_by": "General_Windows_unrestricted_2020.05.270833",
"create_actor": {
"_id": 3,
"username": "mandiant"
},
"update_actor": {
"_id": 3,
"username": "mandiant"
},
"create_text": "General_Windows_unrestricted_2020.05.270833",
"signature": null,
"active_since": "2020-06-02T06:56:13.324Z",
"meta": null,
"url": "/hx/api/v3/indicators/mandiant_unrestricted/54ceea13_bfb3_41f4_8755_ffd8c7e03f5e",
"stats": {
"source_alerts": 0,
"active_conditions": 6,
"alerted_agents": 0
},
"platforms": [
"win",
"osx",
"linux"
]
},
{
"uri_name": "060807ae-01a9-48bb-8219-64de2bf64d03",
"_id": "060807ae-01a9-48bb-8219-64de2bf64d03",
"name": "CRYPMIC RANSOMWARE (FAMILY)",
"_revision": "20200602065842473974102714",
"display_name": "CRYPMIC RANSOMWARE (FAMILY)",
"description": "This IOC identifies artifacts associated with the execution of CRYPMIC ransomware family and its variants.",
"category": {
"_id": 7,
"uri_name": "mandiant_unrestricted",
"url": "/hx/api/v3/indicator_categories/mandiant_unrestricted",
"name": "Mandiant Unrestricted Intel",
"share_mode": "unrestricted"
},
"created_by": "General_Windows_unrestricted_2020.05.270833",
"create_actor": {
"_id": 3,
"username": "mandiant"
},
"update_actor": {
"_id": 3,
"username": "mandiant"
},
"create_text": "General_Windows_unrestricted_2020.05.270833",
"signature": null,
"active_since": "2020-06-02T06:56:13.324Z",
"meta": null,
"url": "/hx/api/v3/indicators/mandiant_unrestricted/060807ae_01a9_48bb_8219_64de2bf64d03",
"stats": {
"source_alerts": 0,
"active_conditions": 7,
"alerted_agents": 0
},
"platforms": [
"win",
"osx",
"linux"
]
},
{
"uri_name": "c408b3cd-cd41-4c56-b797-1a5a91a8af0b",
"_id": "c408b3cd-cd41-4c56-b797-1a5a91a8af0b",
"name": "JAKU (REPORT)",
"_revision": "20200602065842516319102726",
"display_name": "JAKU (REPORT)",
"description": "Indicators of Compromise derived from information located in the Forcepoint JAKUE report. This includes Host Based Indicators and Network Based Indicators.",
"category": {
"_id": 7,
"uri_name": "mandiant_unrestricted",
"url": "/hx/api/v3/indicator_categories/mandiant_unrestricted",
"name": "Mandiant Unrestricted Intel",
"share_mode": "unrestricted"
},
"created_by": "General_Windows_unrestricted_2020.05.270833",
"create_actor": {
"_id": 3,
"username": "mandiant"
},
"update_actor": {
"_id": 3,
"username": "mandiant"
},
"create_text": "General_Windows_unrestricted_2020.05.270833",
"signature": null,
"active_since": "2020-06-02T06:56:13.324Z",
"meta": null,
"url": "/hx/api/v3/indicators/mandiant_unrestricted/c408b3cd_cd41_4c56_b797_1a5a91a8af0b",
"stats": {
"source_alerts": 0,
"active_conditions": 33,
"alerted_agents": 0
},
"platforms": [
"win",
"osx",
"linux"
]
},
{
"uri_name": "873ae10d-2124-4345-bbfb-a15229104c50",
"_id": "873ae10d-2124-4345-bbfb-a15229104c50",
"name": "MIMIKATZ (CREDENTIAL STEALER)",
"_revision": "20200602065842502364102724",
"display_name": "MIMIKATZ (CREDENTIAL STEALER)",
"description": "This tool is a freely downloadable binary capable of process injection, SAM hash dumping and exporting certificates and private keys of the executing user. This is associated to MITRE ATT&CK (r) Tactic: Credential Access and Technique: T1003.",
"category": {
"_id": 7,
"uri_name": "mandiant_unrestricted",
"url": "/hx/api/v3/indicator_categories/mandiant_unrestricted",
"name": "Mandiant Unrestricted Intel",
"share_mode": "unrestricted"
},
"created_by": "General_Windows_unrestricted_2020.05.270833",
"create_actor": {
"_id": 3,
"username": "mandiant"
},
"update_actor": {
"_id": 3,
"username": "mandiant"
},
"create_text": "General_Windows_unrestricted_2020.05.270833",
"signature": null,
"active_since": "2020-06-02T06:56:13.324Z",
"meta": null,
"url": "/hx/api/v3/indicators/mandiant_unrestricted/873ae10d_2124_4345_bbfb_a15229104c50",
"stats": {
"source_alerts": 0,
"active_conditions": 21,
"alerted_agents": 0
},
"platforms": [
"win",
"osx",
"linux"
]
},
{
"uri_name": "ae26b41f-b7a8-4d74-a73a-d45897c6d918",
"_id": "ae26b41f-b7a8-4d74-a73a-d45897c6d918",
"name": "NEUTRINO EXPLOITKIT (EXPLOIT)",
"_revision": "20200602065842502109102722",
"display_name": "NEUTRINO EXPLOITKIT (EXPLOIT)",
"description": "Identify files dropped by the Neutrino Exploitkit. An encoded JScript payload is used to download and decrypt either an EXE or DLL payload, which is written to %TEMP% and then launched.",
"category": {
"_id": 7,
"uri_name": "mandiant_unrestricted",
"url": "/hx/api/v3/indicator_categories/mandiant_unrestricted",
"name": "Mandiant Unrestricted Intel",
"share_mode": "unrestricted"
},
"created_by": "General_Windows_unrestricted_2020.05.270833",
"create_actor": {
"_id": 3,
"username": "mandiant"
},
"update_actor": {
"_id": 3,
"username": "mandiant"
},
"create_text": "General_Windows_unrestricted_2020.05.270833",
"signature": null,
"active_since": "2020-06-02T06:56:13.324Z",
"meta": null,
"url": "/hx/api/v3/indicators/mandiant_unrestricted/ae26b41f_b7a8_4d74_a73a_d45897c6d918",
"stats": {
"source_alerts": 0,
"active_conditions": 6,
"alerted_agents": 0
},
"platforms": [
"win",
"osx",
"linux"
]
},
{
"uri_name": "7f318a71-6fab-436e-a5fd-fbf188959d4d",
"_id": "7f318a71-6fab-436e-a5fd-fbf188959d4d",
"name": "FIREEYE END2END OSX TEST",
"_revision": "20200602065644756872100625",
"display_name": "FIREEYE END2END OSX TEST",
"description": "IOC used for testing HX appliances and content packages to ensure that things work end to end for OSX.",
"category": {
"_id": 7,
"uri_name": "mandiant_unrestricted",
"url": "/hx/api/v3/indicator_categories/mandiant_unrestricted",
"name": "Mandiant Unrestricted Intel",
"share_mode": "unrestricted"
},
"created_by": "General_OSX_unrestricted_2019.03.101046",
"create_actor": {
"_id": 3,
"username": "mandiant"
},
"update_actor": {
"_id": 3,
"username": "mandiant"
},
"create_text": "General_OSX_unrestricted_2019.03.101046",
"signature": null,
"active_since": "2020-06-02T06:56:10.961Z",
"meta": null,
"url": "/hx/api/v3/indicators/mandiant_unrestricted/7f318a71_6fab_436e_a5fd_fbf188959d4d",
"stats": {
"source_alerts": 0,
"active_conditions": 2,
"alerted_agents": 0
},
"platforms": [
"win",
"osx",
"linux"
]
},
{
"uri_name": "08368358-477d-41c8-97ad-86e46df5f66d",
"_id": "08368358-477d-41c8-97ad-86e46df5f66d",
"name": "VPNFILTER (FAMILY)",
"_revision": "20200602065639441703100456",
"display_name": "VPNFILTER (FAMILY)",
"description": "This IOC detects the execution of cronjobs which start suspicious processes from /var directory. This is a technique used by VpnFilter malware family.",
"category": {
"_id": 7,
"uri_name": "mandiant_unrestricted",
"url": "/hx/api/v3/indicator_categories/mandiant_unrestricted",
"name": "Mandiant Unrestricted Intel",
"share_mode": "unrestricted"
},
"created_by": "General_Linux_unrestricted_2020.03.110910",
"create_actor": {
"_id": 3,
"username": "mandiant"
},
"update_actor": {
"_id": 3,
"username": "mandiant"
},
"create_text": "General_Linux_unrestricted_2020.03.110910",
"signature": null,
"active_since": "2020-06-02T06:56:08.855Z",
"meta": null,
"url": "/hx/api/v3/indicators/mandiant_unrestricted/08368358_477d_41c8_97ad_86e46df5f66d",
"stats": {
"source_alerts": 0,
"active_conditions": 3,
"alerted_agents": 0
},
"platforms": [
"win",
"osx",
"linux"
]
},
{
"uri_name": "213916dd-2b4d-4802-b3c3-3dbd08f6544c",
"_id": "213916dd-2b4d-4802-b3c3-3dbd08f6544c",
"name": "SUSPICIOUS CREATION OF CRONJOB (METHODOLOGY)",
"_revision": "20200602065639473897100462",
"display_name": "SUSPICIOUS CREATION OF CRONJOB (METHODOLOGY)",
"description": "This IOC detects the suspicious creation of cronjobs from remote URL. This technique is used by malware for persistence. This is associated to MITRE ATT&CK (r) Persistence, Execution and Technique: T1168",
"category": {
"_id": 7,
"uri_name": "mandiant_unrestricted",
"url": "/hx/api/v3/indicator_categories/mandiant_unrestricted",
"name": "Mandiant Unrestricted Intel",
"share_mode": "unrestricted"
},
"created_by": "General_Linux_unrestricted_2020.03.110910",
"create_actor": {
"_id": 3,
"username": "mandiant"
},
"update_actor": {
"_id": 3,
"username": "mandiant"
},
"create_text": "General_Linux_unrestricted_2020.03.110910",
"signature": null,
"active_since": "2020-06-02T06:56:08.855Z",
"meta": null,
"url": "/hx/api/v3/indicators/mandiant_unrestricted/213916dd_2b4d_4802_b3c3_3dbd08f6544c",
"stats": {
"source_alerts": 0,
"active_conditions": 1,
"alerted_agents": 0
},
"platforms": [
"win",
"osx",
"linux"
]
},
{
"uri_name": "5df24c6a-c807-49bd-9adc-c7adcd5d7ee2",
"_id": "5df24c6a-c807-49bd-9adc-c7adcd5d7ee2",
"name": "EMPYRE LINUX (UTILITY)",
"_revision": "20200602065639451795100458",
"display_name": "EMPYRE LINUX (UTILITY)",
"description": "EMPYRE is a pure Python post-exploitation agent based on the PowerShell version called Empire. This alert focuses on the default command line arguments of the processes invoked by this tool. ",
"category": {
"_id": 7,
"uri_name": "mandiant_unrestricted",
"url": "/hx/api/v3/indicator_categories/mandiant_unrestricted",
"name": "Mandiant Unrestricted Intel",
"share_mode": "unrestricted"
},
"created_by": "General_Linux_unrestricted_2020.03.110910",
"create_actor": {
"_id": 3,
"username": "mandiant"
},
"update_actor": {
"_id": 3,
"username": "mandiant"
},
"create_text": "General_Linux_unrestricted_2020.03.110910",
"signature": null,
"active_since": "2020-06-02T06:56:08.855Z",
"meta": null,
"url": "/hx/api/v3/indicators/mandiant_unrestricted/5df24c6a_c807_49bd_9adc_c7adcd5d7ee2",
"stats": {
"source_alerts": 0,
"active_conditions": 4,
"alerted_agents": 0
},
"platforms": [
"win",
"osx",
"linux"
]
},
{
"uri_name": "9b988026-42b0-4342-82f0-0f3ce70decdd",
"_id": "9b988026-42b0-4342-82f0-0f3ce70decdd",
"name": "FIREEYE END2END LINUX TEST",
"_revision": "20200602065639481131100464",
"display_name": "FIREEYE END2END LINUX TEST",
"description": "IOC used for testing HX appliances and content packages to ensure that things work end to end for Linux.",
"category": {
"_id": 7,
"uri_name": "mandiant_unrestricted",
"url": "/hx/api/v3/indicator_categories/mandiant_unrestricted",
"name": "Mandiant Unrestricted Intel",
"share_mode": "unrestricted"
},
"created_by": "General_Linux_unrestricted_2020.03.110910",
"create_actor": {
"_id": 3,
"username": "mandiant"
},
"update_actor": {
"_id": 3,
"username": "mandiant"
},
"create_text": "General_Linux_unrestricted_2020.03.110910",
"signature": null,
"active_since": "2020-06-02T06:56:08.855Z",
"meta": null,
"url": "/hx/api/v3/indicators/mandiant_unrestricted/9b988026_42b0_4342_82f0_0f3ce70decdd",
"stats": {
"source_alerts": 0,
"active_conditions": 1,
"alerted_agents": 0
},
"platforms": [
"win",
"osx",
"linux"
]
},
{
"uri_name": "18ae598d-5605-4296-9877-19ccf628e6c9",
"_id": "18ae598d-5605-4296-9877-19ccf628e6c9",
"name": "SUSPICIOUS EXECUTION OF XORG SERVER (EXPLOIT)",
"_revision": "20200602065639439621100454",
"display_name": "SUSPICIOUS EXECUTION OF XORG SERVER (EXPLOIT)",
"description": "This IOC detects the suspicous execution of Xorg to exploit CVE-2018-14665 which results in execution of high privilege due to improper authentication. This is associated to MITRE ATT&CK (r) Tactic: Privilege Escalation and Technique: T1068",
"category": {
"_id": 7,
"uri_name": "mandiant_unrestricted",
"url": "/hx/api/v3/indicator_categories/mandiant_unrestricted",
"name": "Mandiant Unrestricted Intel",
"share_mode": "unrestricted"
},
"created_by": "General_Linux_unrestricted_2020.03.110910",
"create_actor": {
"_id": 3,
"username": "mandiant"
},
"update_actor": {
"_id": 3,
"username": "mandiant"
},
"create_text": "General_Linux_unrestricted_2020.03.110910",
"signature": null,
"active_since": "2020-06-02T06:56:08.855Z",
"meta": null,
"url": "/hx/api/v3/indicators/mandiant_unrestricted/18ae598d_5605_4296_9877_19ccf628e6c9",
"stats": {
"source_alerts": 0,
"active_conditions": 2,
"alerted_agents": 0
},
"platforms": [
"win",
"osx",
"linux"
]
},
{
"uri_name": "0216e9ed-70cf-4052-a7ed-4062cc588501",
"_id": "0216e9ed-70cf-4052-a7ed-4062cc588501",
"name": "ADORE (ROOTKIT)",
"_revision": "20200602065639473456100460",
"display_name": "ADORE (ROOTKIT)",
"description": "ADORE is a linux rootkit capable of hiding files and processes, it usually installs itself as a kernel module. Kindly investigate the process to confirm maliciousness.",
"category": {
"_id": 7,
"uri_name": "mandiant_unrestricted",
"url": "/hx/api/v3/indicator_categories/mandiant_unrestricted",
"name": "Mandiant Unrestricted Intel",
"share_mode": "unrestricted"
},
"created_by": "General_Linux_unrestricted_2020.03.110910",
"create_actor": {
"_id": 3,
"username": "mandiant"
},
"update_actor": {
"_id": 3,
"username": "mandiant"
},
"create_text": "General_Linux_unrestricted_2020.03.110910",
"signature": null,
"active_since": "2020-06-02T06:56:08.855Z",
"meta": null,
"url": "/hx/api/v3/indicators/mandiant_unrestricted/0216e9ed_70cf_4052_a7ed_4062cc588501",
"stats": {
"source_alerts": 0,
"active_conditions": 22,
"alerted_agents": 0
},
"platforms": [
"win",
"osx",
"linux"
]
}
]
},
"message": "OK",
"details": [],
"route": "/hx/api/v3/indicators/category"
}
}
}
}
}
},
"indicators.indicator_obj.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"_id": {
"description": "Unique Indicator ID.",
"type": "string"
},
"uri_name": {
"type": "string",
"description": "Indicator uri name"
},
"name": {
"type": "string",
"description": "Indicator name"
},
"_revision": {
"type": "string",
"description": "Indicator revision"
},
"display_name": {
"type": "string",
"description": "Indicator display name"
},
"description": {
"type": "string",
"description": "Indicator description"
},
"category": {
"type": "object",
"properties": {
"_id": {
"description": "Unique Indicator Category ID.",
"type": "integer",
"format": "int32"
},
"uri_name": {
"type": "string",
"description": "Indicator category uri name"
},
"url": {
"type": "string",
"description": "Indicator category url"
},
"name": {
"type": "string",
"description": "Indicator category name"
},
"share_mode": {
"type": "string",
"description": "Indicator category share mode (unrestricted, restricted, silent, any or visible).",
"enum": [
"unrestricted",
"restricted",
"silent",
"any",
"visible"
]
}
}
},
"created_by": {
"type": "string",
"description": "Indicator created by"
},
"create_actor": {
"type": "object",
"properties": {
"_id": {
"description": "Actor ID.",
"type": "integer",
"format": "int32"
},
"username": {
"type": "string",
"description": "Actor user name"
}
}
},
"update_actor": {
"type": "object",
"properties": {
"_id": {
"description": "Actor ID.",
"type": "integer",
"format": "int32"
},
"username": {
"type": "string",
"description": "Actor user name"
}
}
},
"create_text": {
"type": "string",
"description": "Indicator create text"
},
"signature": {
"type": "string",
"description": "Indicator signature"
},
"active_since": {
"type": "string",
"format": "date-time",
"description": "Indicator active since date-time"
},
"meta": {
"type": "object",
"description": "Indicator meta information"
},
"platforms": {
"type": "array",
"description": "List of target platforms",
"items": {
"type": "string",
"enum": [
"win",
"osx",
"linux"
]
}
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"res": {
"summary": "Indicator",
"value": {
"details": [],
"route": "/hx/api/v3/indicators/category/indicator",
"data": {
"uri_name": "18ae598d-5605-4296-9877-19ccf628e6c9",
"_id": "18ae598d-5605-4296-9877-19ccf628e6c9",
"name": "SUSPICIOUS EXECUTION OF XORG SERVER (EXPLOIT)",
"_revision": "20200602065639439621100454",
"display_name": "SUSPICIOUS EXECUTION OF XORG SERVER (EXPLOIT)",
"description": "This IOC detects the suspicous execution of Xorg to exploit CVE-2018-14665 which results in execution of high privilege due to improper authentication. This is associated to MITRE ATT&CK (r) Tactic: Privilege Escalation and Technique: T1068",
"category": {
"_id": 7,
"uri_name": "mandiant_unrestricted",
"url": "/hx/api/v3/indicator_categories/mandiant_unrestricted",
"name": "Mandiant Unrestricted Intel",
"share_mode": "unrestricted"
},
"created_by": "General_Linux_unrestricted_2020.03.110910",
"create_actor": {
"_id": 3,
"username": "mandiant"
},
"update_actor": {
"_id": 3,
"username": "mandiant"
},
"create_text": "General_Linux_unrestricted_2020.03.110910",
"signature": null,
"active_since": "2020-06-02T06:56:08.855Z",
"meta": null,
"url": "/hx/api/v3/indicators/mandiant_unrestricted/18ae598d_5605_4296_9877_19ccf628e6c9",
"stats": {
"source_alerts": 0,
"active_conditions": 2,
"alerted_agents": 0
},
"platforms": [
"win",
"osx",
"linux"
]
},
"message": "OK"
}
}
}
}
}
},
"policies.category.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"sort": {
"type": "object",
"description": "List of sort parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
},
"entries": {
"type": "array",
"items": {
"type": "object",
"properties": {
"_id": {
"description": "Unique Category ID.",
"type": "string"
},
"name": {
"type": "string",
"description": "The name of the category."
},
"title": {
"type": "string",
"description": "Title of the category."
},
"description": {
"type": "string",
"description": "Description of the category."
},
"policy_type_id": {
"description": "Unique policy type ID.",
"type": "string"
},
"view_order": {
"type": "integer",
"format": "int32",
"description": "The priority order of the view."
},
"default_only": {
"type": "boolean",
"description": "True if the category is default only."
},
"settings": {
"type": "object",
"description": "Settings for the category.s"
}
}
},
"description": "JSON objects returned."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"policies.common_no_data.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"policies.common_no_data.success_no_content": {
"description": "Success - no content.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"policies.common_no_data.success_quarantines": {
"description": "Success - Some quarantines not found or not all quarantined files were scheduled for restoration.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"policies.common_no_data.deleted": {
"description": "Deleted",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"policies.common_no_data.not_found": {
"description": "Not Found",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"policies.common_no_data.unprocessable": {
"description": "Unprocessable Entity",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"policies.common_no_data.unable_to_parse": {
"description": "Unable to parse request body",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"policies.common_no_data.forbidden": {
"description": "Forbidden - Request unsuccessful because you do not belong to the correct authorization group or because you are using an appliance without an active MD_ACCESS license.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"policies.common_no_data.conflict": {
"description": "Another policy has that name.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"policies.common_no_entries.unprocessable": {
"description": "Unprocessable Entity",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"policies.common_no_entries.not_found": {
"description": "Not Found",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"policies.common_no_entries.invalid_filter": {
"description": "Invalid Alert Filter",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"policies.common_no_entries.not_allowed": {
"description": "Not Allowed - Modification of FireEye filters is not allowed.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"policies.host_set_policy.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"sort": {
"type": "object",
"description": "List of sort parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
},
"entries": {
"type": "array",
"items": {
"type": "object",
"properties": {
"policy_id": {
"description": "Unique policy ID.",
"type": "string"
},
"persit_id": {
"type": "integer",
"description": "The host set ID",
"format": "int32"
}
}
},
"description": "JSON objects returned."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"policies.host_set_policy_single.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"policy_id": {
"description": "Unique policy ID.",
"type": "string"
},
"persit_id": {
"type": "integer",
"description": "The host set ID",
"format": "int32"
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"policies.policy.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"sort": {
"type": "object",
"description": "List of sort parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
},
"entries": {
"type": "array",
"items": {
"type": "object",
"properties": {
"_id": {
"description": "Unique policy ID.",
"type": "string"
},
"name": {
"type": "string",
"description": "The name of the policy."
},
"description": {
"type": "string",
"description": "Description of the policy."
},
"policy_type_id": {
"description": "Unique policy type ID.",
"type": "string"
},
"priority": {
"type": "integer",
"format": "int32",
"description": "The priority order of the policy"
},
"enabled": {
"type": "boolean",
"description": "The policy is enabled (\"true\") or disabled (\"false\")."
},
"default": {
"type": "boolean",
"description": "True if it is the default policy. There can only be one policy marked as default"
},
"migrated": {
"type": "boolean",
"description": "True if it is a migrated policy."
},
"created_by": {
"type": "string",
"description": "The user who created the policy."
},
"created_at": {
"type": "string",
"format": "date-time",
"description": "Time the policy was first created."
},
"updated_at": {
"type": "string",
"format": "date-time",
"description": "Time the policy was last updated."
},
"categories": {
"type": "array",
"items": {
"type": "object"
},
"description": "Collection of categories the policy is associated with"
},
"display_created_at": {
"type": "string",
"description": "Time since the display was first created."
},
"display_updated_at": {
"type": "string",
"description": "Time since the display was last updated."
}
}
},
"description": "JSON objects returned."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"policies.policy_single.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"_id": {
"description": "Unique policy ID.",
"type": "string"
},
"name": {
"type": "string",
"description": "The name of the policy."
},
"description": {
"type": "string",
"description": "Description of the policy."
},
"policy_type_id": {
"description": "Unique policy type ID.",
"type": "string"
},
"priority": {
"type": "integer",
"format": "int32",
"description": "The priority order of the policy"
},
"enabled": {
"type": "boolean",
"description": "The policy is enabled (\"true\") or disabled (\"false\")."
},
"default": {
"type": "boolean",
"description": "True if it is the default policy. There can only be one policy marked as default"
},
"migrated": {
"type": "boolean",
"description": "True if it is a migrated policy."
},
"created_by": {
"type": "string",
"description": "The user who created the policy."
},
"created_at": {
"type": "string",
"format": "date-time",
"description": "Time the policy was first created."
},
"updated_at": {
"type": "string",
"format": "date-time",
"description": "Time the policy was last updated."
},
"categories": {
"type": "array",
"items": {
"type": "object"
},
"description": "Collection of categories the policy is associated with"
},
"display_created_at": {
"type": "string",
"description": "Time since the display was first created."
},
"display_updated_at": {
"type": "string",
"description": "Time since the display was last updated."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"policies.policy_single.success_created": {
"description": "Success - Policy created.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"_id": {
"description": "Unique policy ID.",
"type": "string"
},
"name": {
"type": "string",
"description": "The name of the policy."
},
"description": {
"type": "string",
"description": "Description of the policy."
},
"policy_type_id": {
"description": "Unique policy type ID.",
"type": "string"
},
"priority": {
"type": "integer",
"format": "int32",
"description": "The priority order of the policy"
},
"enabled": {
"type": "boolean",
"description": "The policy is enabled (\"true\") or disabled (\"false\")."
},
"default": {
"type": "boolean",
"description": "True if it is the default policy. There can only be one policy marked as default"
},
"migrated": {
"type": "boolean",
"description": "True if it is a migrated policy."
},
"created_by": {
"type": "string",
"description": "The user who created the policy."
},
"created_at": {
"type": "string",
"format": "date-time",
"description": "Time the policy was first created."
},
"updated_at": {
"type": "string",
"format": "date-time",
"description": "Time the policy was last updated."
},
"categories": {
"type": "array",
"items": {
"type": "object"
},
"description": "Collection of categories the policy is associated with"
},
"display_created_at": {
"type": "string",
"description": "Time since the display was first created."
},
"display_updated_at": {
"type": "string",
"description": "Time since the display was last updated."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"policies.policy_single.success_updated": {
"description": "Success - Policy updated.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"_id": {
"description": "Unique policy ID.",
"type": "string"
},
"name": {
"type": "string",
"description": "The name of the policy."
},
"description": {
"type": "string",
"description": "Description of the policy."
},
"policy_type_id": {
"description": "Unique policy type ID.",
"type": "string"
},
"priority": {
"type": "integer",
"format": "int32",
"description": "The priority order of the policy"
},
"enabled": {
"type": "boolean",
"description": "The policy is enabled (\"true\") or disabled (\"false\")."
},
"default": {
"type": "boolean",
"description": "True if it is the default policy. There can only be one policy marked as default"
},
"migrated": {
"type": "boolean",
"description": "True if it is a migrated policy."
},
"created_by": {
"type": "string",
"description": "The user who created the policy."
},
"created_at": {
"type": "string",
"format": "date-time",
"description": "Time the policy was first created."
},
"updated_at": {
"type": "string",
"format": "date-time",
"description": "Time the policy was last updated."
},
"categories": {
"type": "array",
"items": {
"type": "object"
},
"description": "Collection of categories the policy is associated with"
},
"display_created_at": {
"type": "string",
"description": "Time since the display was first created."
},
"display_updated_at": {
"type": "string",
"description": "Time since the display was last updated."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"policies.policy_type.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"sort": {
"type": "object",
"description": "List of sort parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
},
"entries": {
"type": "array",
"items": {
"type": "object",
"properties": {
"_id": {
"description": "Unique policy type ID.",
"type": "string"
},
"name": {
"type": "string",
"description": "The policy type name"
},
"description": {
"type": "string",
"description": "A description of the policy type."
}
}
},
"description": "JSON objects returned."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"policies.policy_type_single.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"_id": {
"description": "Unique policy type ID.",
"type": "string"
},
"name": {
"type": "string",
"description": "The policy type name"
},
"description": {
"type": "string",
"description": "A description of the policy type."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"policies.policy_type_single.success_created": {
"description": "Success - Policy Type created.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"_id": {
"description": "Unique policy type ID.",
"type": "string"
},
"name": {
"type": "string",
"description": "The policy type name"
},
"description": {
"type": "string",
"description": "A description of the policy type."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"policies.policy_type_single.success_updated": {
"description": "Success - Policy Type updated.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"_id": {
"description": "Unique policy type ID.",
"type": "string"
},
"name": {
"type": "string",
"description": "The policy type name"
},
"description": {
"type": "string",
"description": "A description of the policy type."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"quarantines.common_no_data.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"quarantines.common_no_data.success_no_content": {
"description": "Success - no content.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"quarantines.common_no_data.success_quarantines": {
"description": "Success - Some quarantines not found or not all quarantined files were scheduled for restoration.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"quarantines.common_no_data.deleted": {
"description": "Deleted",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"quarantines.common_no_data.not_found": {
"description": "Not Found",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"quarantines.common_no_data.unable_to_parse": {
"description": "Unable to parse request body",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"quarantines.common_no_data.forbidden": {
"description": "Forbidden - Request unsuccessful because you do not belong to the correct authorization group or because you are using an appliance without an active MD_ACCESS license.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"quarantines.common_no_data.unprocessable": {
"description": "Unprocessable Entity",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"unprocessable": {
"summary": "Unprocessable Entity",
"value": {
"details": [
{
"type": "error",
"code": 2019,
"path": "query.offset",
"message": "Value must be formatted as a non-negative 32 bit integer (0 to 2147483647)."
}
],
"route": "/hx/api/v3/hosts/agent_id/quarantines",
"message": "Unprocessable Entity"
}
}
}
}
}
},
"quarantines.common_no_data.unauthorized": {
"description": "Unauthorized",
"content": {
"text/plain": {
"schema": {
"type": "string",
"example": "Unauthorized"
}
}
}
},
"quarantines.common_no_entries.unprocessable": {
"description": "Unprocessable Entity",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"quarantines.common_no_entries.not_found": {
"description": "Not Found",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"quarantines.common_no_entries.invalid_filter": {
"description": "Invalid Alert Filter",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"quarantines.common_no_entries.not_allowed": {
"description": "Not Allowed - Modification of FireEye filters is not allowed.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"quarantines.quarantine.get_quarantines_by_filter": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"sort": {
"type": "object",
"description": "List of sort parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
},
"entries": {
"type": "array",
"items": {
"type": "object",
"properties": {
"_id": {
"description": "Unique quarantine ID.",
"type": "integer",
"format": "int32"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"host": {
"type": "object",
"properties": {
"_id": {
"description": "Unique agent ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"hostname": {
"type": "string",
"description": "Name of the host."
},
"primary_ip_address": {
"type": "string",
"description": "Primary IPv4 or IPv6 address the host uses to communicate with the Endpoint server."
}
}
},
"alert": {
"type": "object",
"properties": {
"_id": {
"description": "Unique alert ID.",
"type": "integer",
"format": "int32"
}
}
},
"alert_filter": {
"type": "object",
"properties": {
"_id": {
"description": "Unique alert filter ID.",
"type": "string"
}
}
},
"agent_quarantine_id": {
"description": "Agent's unique quarantine ID.",
"type": "string"
},
"hit_correlation_id": {
"description": "Agent's alert correlation ID.",
"type": "string"
},
"file_path": {
"type": "string",
"description": "Quarantined file path."
},
"file_md5": {
"description": "Quarantined file MD5 hash.",
"type": "string"
},
"file_sha1": {
"type": "string",
"description": "Quarantined file SHA1 hash."
},
"reported_at": {
"type": "string",
"format": "date-time",
"description": "Time the server received the alert."
},
"quarantined_at": {
"type": "string",
"format": "date-time",
"description": "Time the file was quarantined."
},
"alert_file_creation_time": {
"type": "string",
"format": "date-time",
"description": "Time the file was created."
},
"alert_infection_name": {
"type": "string",
"description": "Name of the infection."
},
"state": {
"type": "string",
"description": "Quarantine state.",
"enum": [
"QUARANTINED",
"CLEANED",
"DELETED",
"DELETING",
"DELETE_FAILED",
"RESTORED",
"RESTORING",
"RESTORE_FAILED",
"AGED_OUT"
]
},
"update_time": {
"type": "string",
"format": "date-time",
"description": "Time the quarantine_state was last updated."
}
}
},
"description": "JSON objects returned."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"quarantines.quarantine.success_all_quarantines_files": {
"description": "Standard API response for an array of JSON objects.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"sort": {
"type": "object",
"description": "List of sort parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
},
"entries": {
"type": "array",
"items": {
"type": "object",
"properties": {
"_id": {
"description": "Unique quarantine ID.",
"type": "integer",
"format": "int32"
},
"agent_quarantine_id": {
"description": "Agent's unique quarantine ID.",
"type": "string"
},
"hit_correlation_id": {
"description": "Agent's alert correlation ID.",
"type": "string"
},
"file_path": {
"type": "string",
"description": "Quarantined file path."
},
"file_md5": {
"description": "Quarantined file MD5 hash.",
"type": "string"
},
"file_sha1": {
"type": "string",
"description": "Quarantined file SHA1 hash."
},
"reported_at": {
"type": "string",
"format": "date-time",
"description": "Time the server received the alert."
},
"quarantined_at": {
"type": "string",
"format": "date-time",
"description": "Time the file was quarantined."
},
"alert_file_creation_time": {
"type": "string",
"format": "date-time",
"description": "Time the file was created."
},
"alert_infection_name": {
"type": "string",
"description": "Name of the infection."
},
"state": {
"type": "string",
"description": "Quarantine state.",
"enum": [
"QUARANTINED",
"CLEANED",
"DELETED",
"DELETING",
"DELETE_FAILED",
"RESTORED",
"RESTORING",
"RESTORE_FAILED",
"AGED_OUT"
]
},
"update_time": {
"type": "string",
"format": "date-time",
"description": "Time the quarantine_state was last updated."
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"host": {
"type": "object",
"properties": {
"_id": {
"description": "Unique agent ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"hostname": {
"type": "string",
"description": "Name of the host."
},
"primary_ip_address": {
"type": "string",
"description": "Primary IPv4 or IPv6 address the host uses to communicate with the Endpoint server."
}
}
},
"alert": {
"type": "object",
"properties": {
"_id": {
"description": "Unique alert ID.",
"type": "integer",
"format": "int32"
}
}
}
}
},
"description": "JSON objects returned."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"listOfQuarantinesFiles": {
"summary": "Quarantines files",
"value": {
"data": {
"total": 19,
"query": {},
"sort": {},
"offset": 0,
"limit": 1,
"entries": [
{
"_id": 1,
"agent_quarantine_id": "9844c593-c549-4b3c-bd02-d5c71d7047bb",
"hit_correlation_id": "93ac009e-f723-46ad-99c2-57208999d81d",
"file_path": "C:\\tmp_454d4a\\Samples\\cert_expired.dll",
"file_md5": "4d75c34ea2ea1f5d451375ae62a6cc60",
"file_sha1": "e965be5712b7ca321d8a8ad96ec6d78cf10ab3b3",
"reported_at": "2020-05-29T12:42:33.068Z",
"quarantined_at": "2020-05-29T12:41:43.000Z",
"alert_file_creation_time": "2020-05-29T12:41:40.005Z",
"alert_infection_name": "Gen:Variant.Ulise.5564",
"state": "QUARANTINED",
"update_time": "2020-05-29T12:42:33.089Z",
"url": "/hx/api/v3/quarantines/1",
"host": {
"_id": "S8Y5cr4oBbkbZmUYrgMicr",
"url": "/hx/api/v3/hosts/S8Y5cr4oBbkbZmUYrgMicr"
},
"alert": {
"_id": 3,
"url": "/hx/api/v3/alerts/3"
}
}
]
},
"message": "OK",
"details": [],
"route": "/hx/api/v3/quarantines"
}
}
}
}
}
},
"quarantines.quarantine.success_single_quarantines_id": {
"description": "Standard API response for a single JSON object.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"_id": {
"description": "Unique quarantine ID.",
"type": "integer",
"format": "int32"
},
"agent_quarantine_id": {
"description": "Agent's unique quarantine ID.",
"type": "string"
},
"hit_correlation_id": {
"description": "Agent's alert correlation ID.",
"type": "string"
},
"file_path": {
"type": "string",
"description": "Quarantined file path."
},
"file_md5": {
"description": "Quarantined file MD5 hash.",
"type": "string"
},
"file_sha1": {
"type": "string",
"description": "Quarantined file SHA1 hash."
},
"reported_at": {
"type": "string",
"format": "date-time",
"description": "Time the server received the alert."
},
"quarantined_at": {
"type": "string",
"format": "date-time",
"description": "Time the file was quarantined."
},
"alert_file_creation_time": {
"type": "string",
"format": "date-time",
"description": "Time the file was created."
},
"alert_infection_name": {
"type": "string",
"description": "Name of the infection."
},
"state": {
"type": "string",
"description": "Quarantine state.",
"enum": [
"QUARANTINED",
"CLEANED",
"DELETED",
"DELETING",
"DELETE_FAILED",
"RESTORED",
"RESTORING",
"RESTORE_FAILED",
"AGED_OUT"
]
},
"update_time": {
"type": "string",
"format": "date-time",
"description": "Time the quarantine_state was last updated."
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"host": {
"type": "object",
"properties": {
"_id": {
"description": "Unique agent ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"hostname": {
"type": "string",
"description": "Name of the host."
},
"primary_ip_address": {
"type": "string",
"description": "Primary IPv4 or IPv6 address the host uses to communicate with the Endpoint server."
}
}
},
"alert": {
"type": "object",
"properties": {
"_id": {
"description": "Unique alert ID.",
"type": "integer",
"format": "int32"
}
}
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"singleQuarantineFile": {
"summary": "Single Quarantine Response",
"value": {
"details": [],
"route": "/hx/api/v3/quarantines/id",
"data": {
"_id": 106,
"agent_quarantine_id": "23775c33-b95c-438d-94f5-48209332f35a",
"hit_correlation_id": "c4689c40-d7b5-4e2e-9ade-7c49e9718330",
"file_path": "D:\\documents\\Samples\\grrr.exe",
"file_md5": "0b141adba998fef7e7c99b9d97de3041",
"file_sha1": "a94fce81574fe524002ea69f61bbe7e10838e925",
"reported_at": "2018-08-27T23:02:02.795Z",
"quarantined_at": "2018-08-27T23:02:02.795Z",
"alert_file_creation_time": "2017-02-08T03:46:23.670Z",
"alert_infection_name": "INFECTION",
"state": "RESTORING",
"update_time": "2018-08-27T23:02:02.795Z",
"url": "/hx/api/v3/quarantines/106",
"host": {
"_id": "63D6601535410922332B98",
"url": "/hx/api/v3/hosts/63D6601535410922332B98"
},
"alert": {
"_id": 34,
"url": "/hx/api/v3/alerts/34"
}
},
"message": "OK"
}
}
}
}
}
},
"quarantines.quarantine.post_quarantine_action": {
"description": "Standard API response for a single JSON object.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"_id": {
"description": "Unique quarantine ID.",
"type": "integer",
"format": "int32"
},
"agent_quarantine_id": {
"description": "Agent's unique quarantine ID.",
"type": "string"
},
"hit_correlation_id": {
"description": "Agent's alert correlation ID.",
"type": "string"
},
"file_path": {
"type": "string",
"description": "Quarantined file path."
},
"file_md5": {
"description": "Quarantined file MD5 hash.",
"type": "string"
},
"file_sha1": {
"type": "string",
"description": "Quarantined file SHA1 hash."
},
"reported_at": {
"type": "string",
"format": "date-time",
"description": "Time the server received the alert."
},
"quarantined_at": {
"type": "string",
"format": "date-time",
"description": "Time the file was quarantined."
},
"alert_file_creation_time": {
"type": "string",
"format": "date-time",
"description": "Time the file was created."
},
"alert_infection_name": {
"type": "string",
"description": "Name of the infection."
},
"state": {
"type": "string",
"description": "Quarantine state.",
"enum": [
"QUARANTINED",
"CLEANED",
"DELETED",
"DELETING",
"DELETE_FAILED",
"RESTORED",
"RESTORING",
"RESTORE_FAILED",
"AGED_OUT"
]
},
"update_time": {
"type": "string",
"format": "date-time",
"description": "Time the quarantine_state was last updated."
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"host": {
"type": "object",
"properties": {
"_id": {
"description": "Unique agent ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"hostname": {
"type": "string",
"description": "Name of the host."
},
"primary_ip_address": {
"type": "string",
"description": "Primary IPv4 or IPv6 address the host uses to communicate with the Endpoint server."
}
}
},
"alert": {
"type": "object",
"properties": {
"_id": {
"description": "Unique alert ID.",
"type": "integer",
"format": "int32"
}
}
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"deleteSingleQuarantineFile": {
"summary": "Delete Quarantine",
"value": {
"details": [],
"route": "/hx/api/v3/quarantines/id/actions/delete",
"data": {
"_id": 102,
"agent_quarantine_id": "8ab3c500-65c1-11e7-xxxx-a6006ad3dba1",
"hit_correlation_id": "331b7816-60bb-423c-xxxx-02d8a2de4492",
"file_path": "C:\\Users\\exdauto\\Downloads\\DebugView\\test_samples\\Samples\\test2.exe",
"file_md5": "18b367529c07b94296d4f6991c7e872b",
"file_sha1": "b7e3e3aa32bf4cde03d39ae8cb8fef9cd955b74b",
"reported_at": "2017-07-16T09:30:48.000Z",
"quarantined_at": "2017-07-17T09:30:48.000Z",
"alert_file_creation_time": "2017-02-08T03:46:23.672Z",
"alert_infection_name": "BD.TestSignature1",
"state": "DELETING",
"update_time": "2017-09-13T15:26:23.376Z",
"url": "/hx/api/v3/quarantines/102",
"host": {
"_id": "F657321503916382034B96",
"url": "/hx/api/v3/hosts/F657321505396382034B96"
},
"alert": {
"_id": 2,
"url": "/hx/api/v3/alerts/2"
}
},
"message": "Accepted"
}
},
"restoreSingleQuarantineFile": {
"summary": "Restore Quarantine",
"value": {
"details": [],
"route": "/hx/api/v3/quarantines/id/actions/restore",
"data": {
"_id": 102,
"agent_quarantine_id": "8ab3c500-65c1-11e7-xxxx-a6006ad3dba1",
"hit_correlation_id": "331b7816-60bb-423c-xxxx-02d8a2de4492",
"file_path": "C:\\Users\\exdauto\\Downloads\\DebugView\\test_samples\\Samples\\test2.exe",
"file_md5": "18b367529c07b94296d4f6991c7e872b",
"file_sha1": "b7e3e3aa32bf4cde03d39ae8cb8fef9cd955b74b",
"reported_at": "2017-07-16T09:30:48.000Z",
"quarantined_at": "2017-07-17T09:30:48.000Z",
"alert_file_creation_time": "2017-02-08T03:46:23.672Z",
"alert_infection_name": "BD.TestSignature1",
"state": "RESTORING",
"update_time": "2017-09-13T15:26:23.376Z",
"url": "/hx/api/v3/quarantines/102",
"host": {
"_id": "F657321503916382034B96",
"url": "/hx/api/v3/hosts/F657321505396382034B96"
},
"alert": {
"_id": 2,
"url": "/hx/api/v3/alerts/2"
}
},
"message": "Accepted"
}
}
}
}
}
},
"quarantines.quarantine.create_quarantined_file_acquisition": {
"description": "Standard API response for a single JSON object.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object"
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"create_quarantined_file_acquisition": {
"summary": "Create Quarantined File Acquisition",
"value": {
"details": [],
"route": "/hx/api/v3/quarantines/id/files",
"data": {
"_id": 8,
"agent_quarantine_id": "8ab3c500-65c1-11e7-397b-a6006ad3dba0",
"state": "NEW",
"url": "/hx/api/v3/quarantines/8",
"host": {
"_id": "F657321505316382034B96",
"url": "/hx/api/v3/hosts/F657321505316382034B96"
},
"alert": {
"_id": 1,
"url": "/hx/api/v3/alerts/1"
}
},
"message": "Created"
}
}
}
}
}
},
"quarantines.quarantine.quarantined_file_info": {
"description": "Standard API response for a single JSON object.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object"
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"quarantined_file_info": {
"summary": "Quarantined File Information by ID Response",
"value": {
"details": [],
"route": "/hx/api/v3/quarantines/files/id",
"data": {
"_id": 8,
"_revision": "20170913152622176955101185",
"error_message": null,
"comment": null,
"state": "NEW",
"agent_quarantine_id": "8ab3c539-65c1-11e7-907b-a6006ad3dba0",
"req_path": "C:\\Users\\exdauto\\Downloads\\DebugView\\test_samples\\Samples",
"req_filename": "test5.exe",
"md5": "18b367529c07b94296d4f6391c7e872a",
"request_time": "2017-09-13T15:26:22.000Z",
"request_actor": {
"_id": 1076,
"username": "api_analyst"
},
"zip_passphrase": "unzip-me",
"url": "/hx/api/v3/quarantines/files/8",
"host": {
"_id": "F657321505316382034B96",
"url": "/hx/api/v3/hosts/F657321505396382034B96"
},
"alert": {
"_id": 1,
"url": "/hx/api/v3/alerts/1"
}
},
"message": "OK"
}
}
}
}
}
},
"quarantines.quarantine.not_found": {
"description": "Standard API response for no data.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"not_found": {
"summary": "Not found",
"value": {
"details": [
{
"type": "error",
"code": 1005,
"message": "Quarantine record not found."
}
],
"route": "/hx/api/v3/quarantines/id",
"message": "Not Found"
}
}
}
}
}
},
"scans.common_no_data.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"scans.common_no_data.success_no_content": {
"description": "Success - no content.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"scans.common_no_data.conflict": {
"description": "Another host set has that name.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"scans.common_no_data.not_found": {
"description": "Not Found",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"scans.common_no_data.unprocessable": {
"description": "Unprocessable Entity",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"scans.common_no_data.unable_to_parse": {
"description": "Unable to parse request body",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"scans.common_no_data.internal_error": {
"description": "An unexpected error occurred.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"scans.common_no_data.failed": {
"description": "Cache initialization failed.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"scans.common_no_entries.unprocessable": {
"description": "Unprocessable Entity",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"scans.common_no_entries.not_found": {
"description": "Not Found",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"scans.delete_by_host.success": {
"description": "Scan delete response object.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"deletedrowcount": {
"description": "Number of scan summaries deleted.",
"type": "integer",
"format": "int32"
}
}
}
}
}
},
"scans.delete_by_id.success": {
"description": "Scan delete response object.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"deletedrowcount": {
"description": "Number of scan summaries deleted.",
"type": "integer",
"format": "int32"
},
"details": {
"type": "array",
"description": "Deletion status of each summary.",
"items": {
"type": "object",
"properties": {
"_id": {
"description": "Unique Scan Summary ID.",
"type": "integer",
"format": "int32"
},
"message": {
"type": "string",
"enum": [
"Success",
"Not Found"
]
},
"code": {
"type": "integer",
"format": "int32",
"enum": [
200,
404
],
"description": "Code is set to 200 for \"Success\" or 404 for \"Not Found\"."
}
}
}
}
}
}
}
}
},
"scans.scanNow.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "array",
"description": "Scan task details for each host.",
"items": {
"type": "object",
"properties": {
"scan_summary_id": {
"description": "Unique Scan Summary ID.",
"type": "integer",
"format": "int32"
},
"scan_now_uuid": {
"description": "ScanNow unique ID.",
"type": "string"
},
"task_id": {
"description": "ScanNow task ID.",
"type": "string"
},
"agent_id": {
"description": "Unique agent ID.",
"type": "string"
},
"status": {
"type": "string",
"enum": [
"created task",
"failed"
],
"description": "Status of Scan request."
}
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"scans.scanNow.unprocessable": {
"description": "Unprocessable Entity",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"scans.scanNow.unable_to_parse": {
"description": "Unable to parse request body",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
}
}
}
}
}
},
"scans.scanSummary.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"sort": {
"type": "object",
"description": "List of sort parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
},
"entries": {
"type": "array",
"items": {
"type": "object",
"properties": {
"_id": {
"description": "Unique Scan Summary ID.",
"type": "integer",
"format": "int32"
},
"scan_name": {
"description": "Scan name.",
"type": "string"
},
"scan_type": {
"type": "string",
"enum": [
"Custom",
"Full"
],
"description": "Type of scan. Full scan includes all local and mounted drives.<br>Custom is for specified folders and files."
},
"agent_id": {
"description": "Unique agent ID.",
"type": "string"
},
"status": {
"type": "string",
"enum": [
"REQUESTED",
"COMPLETED",
"FAILED",
"TIMEOUT",
"STOPPED"
],
"description": "Scan request status."
},
"scan_now_request_time": {
"type": "string",
"format": "date-time",
"description": "Time the scan was reqested."
},
"targets": {
"type": "array",
"description": "List of folder names and file paths to scan. Applies only to Custom type scans.",
"items": {
"type": "string"
},
"minItems": 1
},
"num_files_scanned": {
"type": "integer",
"format": "int32",
"description": "Number of files scanned."
},
"num_actioned_files": {
"type": "integer",
"format": "int32",
"description": "Number of files affected."
},
"num_malware_found": {
"type": "integer",
"format": "int32",
"description": "Number of infections found."
},
"start_time": {
"type": "string",
"format": "date-time",
"description": "Time the scan was started."
},
"end_time": {
"type": "string",
"format": "date-time",
"description": "Time the scan was completed."
},
"scan_duration": {
"type": "string",
"description": "Time the scan took to run."
},
"error_code": {
"type": "string",
"description": "Scan failure code."
},
"actor_type": {
"type": "string",
"enum": [
"system",
"mgmtd"
],
"description": "Internal or external user type."
},
"actor_name": {
"type": "string",
"description": "Name of user initiating the scan."
},
"is_scheduled": {
"type": "boolean",
"description": "Has the scan been scheduled?"
},
"scan_correlation_id": {
"description": "Scan summary ID for mapping to alerts.",
"type": "string"
},
"record_created_at": {
"type": "string",
"format": "date-time",
"description": "Time the scan request record was created."
},
"agent_details": {
"type": "object",
"description": "Agent information. Included when query parameter get_agent_details is set.",
"properties": {
"content_version": {
"type": "string",
"description": "Version of the installed Endpoint security content."
},
"engine_version": {
"type": "string",
"description": "Version of the Endpoint malware detection engine."
},
"product_version": {
"type": "string",
"description": "Version of the Endpoint agent."
},
"os": {
"type": "object",
"description": "Host operating system information.",
"properties": {
"platform": {
"type": "string",
"description": "Family of operating systems.",
"enum": [
"win",
"osx",
"linux"
]
},
"product_name": {
"type": "string",
"description": "Operating system name."
},
"patch_level": {
"type": "string",
"description": "Operating system patch."
},
"os_bitness": {
"type": "string",
"description": "Operating system word size.",
"enum": [
"64-bit",
"32-bit"
]
}
}
},
"timezone": {
"type": "string",
"description": "Timezone name."
},
"hostname": {
"type": "string",
"description": "Name of the host."
},
"ip_address": {
"type": "string",
"description": "Primary IPv4 or IPv6 address the host uses to communicate with the Endpoint server."
}
}
},
"correlated_malwares": {
"type": "array",
"description": "List of related alerts. Included when get_correlated_malwares is set.",
"items": {
"type": "object",
"description": "Alert related to the scan.",
"properties": {
"hit_id": {
"description": "Unique alert ID.",
"type": "integer",
"format": "int32"
},
"infection_name": {
"type": "string",
"description": "Name of the infection."
},
"scanned_object": {
"type": "string",
"description": "Name of the object scanned."
},
"drive": {
"type": "string",
"description": "Drive containing the scanned object."
},
"key": {
"type": "string",
"description": "Scanned registry key."
},
"value": {
"type": "string",
"description": "Scanned registry value."
},
"pid": {
"type": "string",
"description": "Name of the infection."
},
"file_path": {
"type": "string",
"description": "Path of the scanned object."
},
"md5sum": {
"type": "string",
"description": "MD5 hash of the scanned object."
},
"access_time": {
"type": "string",
"description": "Last time the scanned object was accessed."
},
"applied_action": {
"type": "string",
"description": "Action applied to the scanned object."
}
}
}
}
}
},
"description": "JSON objects returned."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"scripts.script.list_scripts": {
"description": "Standard API response for an array of JSON objects.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"sort": {
"type": "object",
"description": "List of sort parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
},
"entries": {
"type": "array",
"items": {
"type": "object",
"properties": {
"last_used_at": {
"type": "string",
"description": "Time when script was last used."
},
"_id": {
"description": "Unique script ID.",
"type": "integer",
"format": "int32"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"download": {
"description": "URI to download this script.",
"type": "string",
"format": "uri"
}
}
},
"description": "JSON objects returned."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"scripts": {
"summary": "List Scripts",
"value": {
"data": {
"total": 1,
"query": {},
"sort": {},
"offset": 0,
"limit": 50,
"entries": [
{
"last_used_at": "2020-05-26T15:27:22.603Z",
"_id": "a7864b162f3cf5a8f28c01e81425e24c181650e9",
"url": "/hx/api/v3/scripts/a7864b162f3cf5a8f28c01e81425e24c181650e9",
"download": "/hx/api/v3/scripts/a7864b162f3cf5a8f28c01e81425e24c181650e9.xml"
}
]
},
"message": "OK",
"details": [],
"route": "/hx/api/v3/scripts"
}
}
}
}
}
},
"scripts.script.single_script": {
"description": "Standard API response for a single JSON object.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"last_used_at": {
"type": "string",
"description": "Time when script was last used."
},
"_id": {
"description": "Unique script ID.",
"type": "integer",
"format": "int32"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"download": {
"description": "URI to download this script.",
"type": "string",
"format": "uri"
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"scripts": {
"summary": "List Scripts",
"value": {
"details": [],
"route": "/hx/api/v3/scripts/id",
"data": {
"last_used_at": "2020-05-26T15:27:22.603Z",
"_id": "a7864b162f3cf5a8f28c01e81425e24c181650e9",
"url": "/hx/api/v3/scripts/a7864b162f3cf5a8f28c01e81425e24c181650e9",
"download": "/hx/api/v3/scripts/a7864b162f3cf5a8f28c01e81425e24c181650e9.xml"
},
"message": "OK"
}
}
}
}
}
},
"scripts.script.unauthorized": {
"description": "Unauthorized",
"content": {
"text/plain": {
"schema": {
"type": "string",
"example": "Unauthorized"
}
}
}
},
"scripts.script.unprocessable": {
"description": "Standard API response for no data.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"unprocessableEntity": {
"summary": "Unprocessable Entity",
"value": {
"details": [
{
"type": "error",
"code": 2019,
"path": "query.offset",
"message": "Value must be formatted as a non-negative 32 bit integer (0 to 2147483647)."
}
],
"route": "/hx/api/v3/scripts",
"message": "Unprocessable Entity"
}
}
}
}
}
},
"scripts.script.not_found": {
"description": "Standard API response for no data.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"unprocessableEntity": {
"summary": "Unprocessable Entity",
"value": {
"details": [
{
"type": "error",
"code": 1005,
"message": "Script not found.",
"path": "id"
}
],
"route": "/hx/api/v3/scripts/id",
"message": "Not Found"
}
}
}
}
}
},
"searches.common_no_data.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"searches.common_no_data.success_no_content": {
"description": "Success - no content.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"searches.common_no_data.deleted": {
"description": "Deleted",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"searches.common_no_data.not_found": {
"description": "Not Found",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"searches.common_no_data.unprocessable": {
"description": "Unprocessable Entity",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"searches.common_no_data.limit_exceeded": {
"description": "Search limits exceeded",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"searches.common_no_data.unable_to_parse": {
"description": "Unable to parse request body",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"searches.common_no_data.forbidden": {
"description": "Forbidden - Request unsuccessful because you do not belong to the correct authorization group or because you are using an appliance without an active MD_ACCESS license.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"searches.common_no_entries.unprocessable": {
"description": "Unprocessable Entity",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"searches.common_no_entries.not_found": {
"description": "Not Found",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"searches.search.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"sort": {
"type": "object",
"description": "List of sort parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
},
"entries": {
"type": "array",
"items": {
"type": "object",
"properties": {
"_id": {
"description": "Unique search ID.",
"type": "integer",
"format": "int32"
},
"_url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"state": {
"type": "string",
"description": "The state of the search whether it stopped or running"
},
"scripts": {
"type": "array",
"description": "A list of reference objects for the scripts utilized in this search.",
"items": {
"type": "object",
"properties": {
"_id": {
"description": "Unique script ID.",
"type": "integer",
"format": "int32"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"download": {
"description": "URI to download this script.",
"type": "string",
"format": "uri"
},
"platform": {
"type": "string",
"description": "Platform this script is used for."
}
}
}
},
"host_set": {
"type": "object",
"properties": {
"_id": {
"description": "Unique Host Set ID.",
"type": "integer",
"format": "int32"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"name": {
"description": "Host set name.",
"type": "string"
}
}
},
"update_time": {
"type": "string",
"format": "date-time",
"description": "Time the search was updated last."
},
"create_time": {
"type": "string",
"format": "date-time",
"description": "Time the search was created."
},
"update_actor": {
"type": "object",
"description": "Actor who last updated the search",
"properties": {
"_id": {
"type": "integer",
"format": "int32",
"description": "Unique ID."
},
"username": {
"type": "string",
"description": "Username."
}
}
},
"create_actor": {
"type": "object",
"description": "Actor who created the search",
"properties": {
"_id": {
"type": "integer",
"format": "int32",
"description": "Unique ID."
},
"username": {
"type": "string",
"description": "Username."
}
}
},
"settings": {
"type": "object",
"properties": {
"query_terms": {
"type": "object",
"description": "Terms and exhaustive search terms for the operation.",
"properties": {
"terms": {
"type": "array",
"items": {
"type": "object",
"properties": {
"field": {
"type": "string",
"description": "The field to be searched.",
"enum": [
"Application Name",
"Browser Name",
"Browser Version",
"Cookie Flags",
"Cookie Name",
"Cookie Value",
"DNS Hostname",
"Driver Device Name",
"Driver Module Name",
"Executable Exported Dll Name",
"Executable Exported Function Name",
"Executable Imported Function Name",
"Executable Imported Module Name",
"Executable Injected",
"Executable PE Type",
"Executable Resource Name",
"File Attributes",
"File Certificate Issuer",
"File Certificate Subject",
"File Download Mime Type",
"File Download Referrer",
"File Download Type",
"File Full Path",
"File MD5 Hash",
"File Name",
"File SHA1 Hash",
"File SHA256 Hash",
"File Signature Exists",
"File Signature Verified",
"File Stream Name",
"File Text Written",
"Group Name",
"HTTP Header",
"Host Set",
"Hostname",
"IP Address",
"Local IP Address",
"Local Port",
"Parent Process Name",
"Parent Process Path",
"Port",
"Port Protocol",
"Port State",
"Process Arguments",
"Process Name",
"Quarantine Event Sender Address",
"Quarantine Event Sender Name",
"Registry Key Full Path",
"Registry Key Value Name",
"Registry Key Value Text",
"Remote IP Address",
"Remote Port",
"Service DLL",
"Service Mode",
"Service Name",
"Service Status",
"Service Type",
"Size in bytes",
"Syslog Event ID",
"Syslog Event Message",
"Syslog Facility",
"Syslog Sender",
"Syslog Severity Level",
"Task Flag",
"Task Name",
"Task Reference",
"Task Status",
"Timestamp - Accessed",
"Timestamp - Changed",
"Timestamp - Created",
"Timestamp - Event",
"Timestamp - Last Login",
"Timestamp - Last Run",
"Timestamp - Modified",
"Timestamp - Started",
"URL",
"Username",
"Web Page Origin URL",
"Web Page Title",
"Windows Event ID",
"Windows Event Log Type",
"Windows Event Message"
]
},
"operator": {
"type": "string",
"description": "Operator to be applied on the field for comparison.",
"enum": [
"equals",
"not equals",
"contains",
"not contains",
"less than",
"greater than",
"between"
]
},
"value": {
"type": "string",
"description": "Value used for the search. Depending on the field and operator values, this item may be a list of strings."
}
}
}
},
"exhaustive_terms": {
"type": "array",
"items": {
"type": "object",
"properties": {
"item_type": {
"type": "string",
"description": "Type of item being searched for.",
"enum": [
"CookieHistoryItem",
"DnsEntryItem",
"DriverItem",
"EventLogItem",
"FileDownloadHistoryItem",
"FileItem",
"FormHistoryItem",
"GroupItem",
"ModuleItem",
"PortItem",
"PrefetchItem",
"ProcessItem",
"QuarantineEventItem",
"RegistryItem",
"RouteEntryItem",
"ServiceItem",
"Syslog",
"SystemInfoItem",
"TaskItem",
"UrlHistoryItem",
"UserItem",
"eventItem",
"eventItem/dnsLookupEvent",
"eventItem/fileWriteEvent",
"eventItem/imageLoadEvent",
"eventItem/ipv4NetworkEvent",
"eventItem/processEvent",
"eventItem/regKeyEvent",
"eventItem/urlMonitorEvent"
]
},
"name": {
"type": "string",
"description": "Name of the place or level of search."
},
"value": {
"type": "string",
"description": "Value being searched."
},
"platform": {
"type": "string",
"description": "Applicable platform for this search term."
},
"found": {
"type": "boolean",
"description": "Whether or not this value was found."
}
}
}
}
}
},
"search_type": {
"type": "string",
"description": "The type of search."
},
"exhaustive": {
"type": "boolean",
"description": "Whether a search is exhaustive or not."
},
"mode": {
"type": "string",
"description": "Whether a search is HOST type or GRID type."
},
"displayname": {
"type": "string",
"description": "Name of the search."
}
}
},
"error": {
"type": "array",
"items": {
"type": "string"
},
"description": "Collection of errors per agents for the search."
},
"stats": {
"type": "object",
"properties": {
"hosts": {
"type": "integer",
"format": "int32",
"description": "Number of hosts running this operation."
},
"skipped_hosts": {
"type": "integer",
"format": "int32",
"description": "Number of hosts that were skipped."
},
"search_state": {
"type": "object",
"description": "Number of search in different states.",
"properties": {
"PENDING": {
"type": "integer",
"format": "int32",
"description": "Object count."
},
"MATCHED": {
"type": "integer",
"format": "int32",
"description": "Object count."
},
"NOT_MATCHED": {
"type": "integer",
"format": "int32",
"description": "Object count."
},
"ERROR": {
"type": "integer",
"format": "int32",
"description": "Object count."
}
}
},
"search_issues": {
"type": "object",
"description": "Issues encountered for searches."
},
"running_state": {
"type": "object",
"description": "Number of operations in each state.",
"properties": {
"NEW": {
"type": "integer",
"format": "int32",
"description": "Object count."
},
"QUEUED": {
"type": "integer",
"format": "int32",
"description": "Object count."
},
"FAILED": {
"type": "integer",
"format": "int32",
"description": "Object count."
},
"COMPLETE": {
"type": "integer",
"format": "int32",
"description": "Object count."
},
"ABORTED": {
"type": "integer",
"format": "int32",
"description": "Object count."
},
"DELETED": {
"type": "integer",
"format": "int32",
"description": "Object count."
},
"REFRESH": {
"type": "integer",
"format": "int32",
"description": "Object count."
},
"CANCELLED": {
"type": "integer",
"format": "int32",
"description": "Object count."
}
}
}
}
},
"_revision": {
"type": "string",
"description": "ETag that can be used for concurrency checking"
},
"input_type": {
"type": "string",
"description": "The input method that was used to start the search"
}
}
},
"description": "JSON objects returned."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"searches.search_action.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"_id": {
"description": "Unique search ID.",
"type": "integer",
"format": "int32"
},
"state": {
"type": "string",
"description": "The state of the search whether it stopped or running"
},
"scripts": {
"type": "array",
"description": "A list of reference objects for the scripts utilized in this search.",
"items": {
"type": "object",
"properties": {
"_id": {
"description": "Unique script ID.",
"type": "integer",
"format": "int32"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"download": {
"description": "URI to download this script.",
"type": "string",
"format": "uri"
},
"platform": {
"type": "string",
"description": "Platform this script is used for."
}
}
}
},
"update_time": {
"type": "string",
"format": "date-time",
"description": "Time the search was updated last."
},
"create_time": {
"type": "string",
"format": "date-time",
"description": "Time the search was created."
},
"update_actor": {
"type": "object",
"description": "Actor who last updated the search",
"properties": {
"_id": {
"type": "integer",
"format": "int32",
"description": "Unique ID."
},
"username": {
"type": "string",
"description": "Username."
}
}
},
"create_actor": {
"type": "object",
"description": "Actor who created the search",
"properties": {
"_id": {
"type": "integer",
"format": "int32",
"description": "Unique ID."
},
"username": {
"type": "string",
"description": "Username."
}
}
},
"error": {
"type": "array",
"items": {
"type": "string"
},
"description": "Collection of errors per agents for the search."
},
"_revision": {
"type": "string",
"description": "ETag that can be used for concurrency checking"
},
"input_type": {
"type": "string",
"description": "The input method that was used to start the search"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"host_set": {
"type": "object",
"properties": {
"_id": {
"description": "Unique Host Set ID.",
"type": "integer",
"format": "int32"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"name": {
"description": "Host set name.",
"type": "string"
}
}
},
"stats": {
"type": "object",
"properties": {
"hosts": {
"type": "integer",
"format": "int32",
"description": "Number of hosts running this operation."
},
"skipped_hosts": {
"type": "integer",
"format": "int32",
"description": "Number of hosts that were skipped."
},
"search_state": {
"type": "object",
"description": "Number of search in different states.",
"properties": {
"PENDING": {
"type": "integer",
"format": "int32",
"description": "Object count."
},
"MATCHED": {
"type": "integer",
"format": "int32",
"description": "Object count."
},
"NOT_MATCHED": {
"type": "integer",
"format": "int32",
"description": "Object count."
},
"ERROR": {
"type": "integer",
"format": "int32",
"description": "Object count."
}
}
},
"search_issues": {
"type": "object",
"description": "Issues encountered for searches."
},
"running_state": {
"type": "object",
"description": "Number of operations in each state.",
"properties": {
"NEW": {
"type": "integer",
"format": "int32",
"description": "Object count."
},
"QUEUED": {
"type": "integer",
"format": "int32",
"description": "Object count."
},
"FAILED": {
"type": "integer",
"format": "int32",
"description": "Object count."
},
"COMPLETE": {
"type": "integer",
"format": "int32",
"description": "Object count."
},
"ABORTED": {
"type": "integer",
"format": "int32",
"description": "Object count."
},
"DELETED": {
"type": "integer",
"format": "int32",
"description": "Object count."
},
"REFRESH": {
"type": "integer",
"format": "int32",
"description": "Object count."
},
"CANCELLED": {
"type": "integer",
"format": "int32",
"description": "Object count."
}
}
}
}
},
"settings": {
"type": "object",
"properties": {
"query_terms": {
"type": "object",
"description": "Terms and exhaustive search terms for the operation.",
"properties": {
"terms": {
"type": "array",
"items": {
"type": "object",
"properties": {
"field": {
"type": "string",
"description": "The field to be searched.",
"enum": [
"Application Name",
"Browser Name",
"Browser Version",
"Cookie Flags",
"Cookie Name",
"Cookie Value",
"DNS Hostname",
"Driver Device Name",
"Driver Module Name",
"Executable Exported Dll Name",
"Executable Exported Function Name",
"Executable Imported Function Name",
"Executable Imported Module Name",
"Executable Injected",
"Executable PE Type",
"Executable Resource Name",
"File Attributes",
"File Certificate Issuer",
"File Certificate Subject",
"File Download Mime Type",
"File Download Referrer",
"File Download Type",
"File Full Path",
"File MD5 Hash",
"File Name",
"File SHA1 Hash",
"File SHA256 Hash",
"File Signature Exists",
"File Signature Verified",
"File Stream Name",
"File Text Written",
"Group Name",
"HTTP Header",
"Host Set",
"Hostname",
"IP Address",
"Local IP Address",
"Local Port",
"Parent Process Name",
"Parent Process Path",
"Port",
"Port Protocol",
"Port State",
"Process Arguments",
"Process Name",
"Quarantine Event Sender Address",
"Quarantine Event Sender Name",
"Registry Key Full Path",
"Registry Key Value Name",
"Registry Key Value Text",
"Remote IP Address",
"Remote Port",
"Service DLL",
"Service Mode",
"Service Name",
"Service Status",
"Service Type",
"Size in bytes",
"Syslog Event ID",
"Syslog Event Message",
"Syslog Facility",
"Syslog Sender",
"Syslog Severity Level",
"Task Flag",
"Task Name",
"Task Reference",
"Task Status",
"Timestamp - Accessed",
"Timestamp - Changed",
"Timestamp - Created",
"Timestamp - Event",
"Timestamp - Last Login",
"Timestamp - Last Run",
"Timestamp - Modified",
"Timestamp - Started",
"URL",
"Username",
"Web Page Origin URL",
"Web Page Title",
"Windows Event ID",
"Windows Event Log Type",
"Windows Event Message"
]
},
"operator": {
"type": "string",
"description": "Operator to be applied on the field for comparison.",
"enum": [
"equals",
"not equals",
"contains",
"not contains",
"less than",
"greater than",
"between"
]
},
"value": {
"type": "string",
"description": "Value used for the search. Depending on the field and operator values, this item may be a list of strings."
}
}
}
},
"exhaustive_terms": {
"type": "array",
"items": {
"type": "object",
"properties": {
"item_type": {
"type": "string",
"description": "Type of item being searched for.",
"enum": [
"CookieHistoryItem",
"DnsEntryItem",
"DriverItem",
"EventLogItem",
"FileDownloadHistoryItem",
"FileItem",
"FormHistoryItem",
"GroupItem",
"ModuleItem",
"PortItem",
"PrefetchItem",
"ProcessItem",
"QuarantineEventItem",
"RegistryItem",
"RouteEntryItem",
"ServiceItem",
"Syslog",
"SystemInfoItem",
"TaskItem",
"UrlHistoryItem",
"UserItem",
"eventItem",
"eventItem/dnsLookupEvent",
"eventItem/fileWriteEvent",
"eventItem/imageLoadEvent",
"eventItem/ipv4NetworkEvent",
"eventItem/processEvent",
"eventItem/regKeyEvent",
"eventItem/urlMonitorEvent"
]
},
"name": {
"type": "string",
"description": "Name of the place or level of search."
},
"value": {
"type": "string",
"description": "Value being searched."
},
"platform": {
"type": "string",
"description": "Applicable platform for this search term."
},
"found": {
"type": "boolean",
"description": "Whether or not this value was found."
}
}
}
}
}
},
"search_type": {
"type": "string",
"description": "The type of search."
},
"exhaustive": {
"type": "boolean",
"description": "Whether a search is exhaustive or not."
},
"mode": {
"type": "string",
"description": "Whether a search is HOST type or GRID type."
},
"displayname": {
"type": "string",
"description": "Name of the search."
}
}
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"searches.search_action.created": {
"description": "Created",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"_id": {
"description": "Unique search ID.",
"type": "integer",
"format": "int32"
},
"state": {
"type": "string",
"description": "The state of the search whether it stopped or running"
},
"scripts": {
"type": "array",
"description": "A list of reference objects for the scripts utilized in this search.",
"items": {
"type": "object",
"properties": {
"_id": {
"description": "Unique script ID.",
"type": "integer",
"format": "int32"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"download": {
"description": "URI to download this script.",
"type": "string",
"format": "uri"
},
"platform": {
"type": "string",
"description": "Platform this script is used for."
}
}
}
},
"update_time": {
"type": "string",
"format": "date-time",
"description": "Time the search was updated last."
},
"create_time": {
"type": "string",
"format": "date-time",
"description": "Time the search was created."
},
"update_actor": {
"type": "object",
"description": "Actor who last updated the search",
"properties": {
"_id": {
"type": "integer",
"format": "int32",
"description": "Unique ID."
},
"username": {
"type": "string",
"description": "Username."
}
}
},
"create_actor": {
"type": "object",
"description": "Actor who created the search",
"properties": {
"_id": {
"type": "integer",
"format": "int32",
"description": "Unique ID."
},
"username": {
"type": "string",
"description": "Username."
}
}
},
"error": {
"type": "array",
"items": {
"type": "string"
},
"description": "Collection of errors per agents for the search."
},
"_revision": {
"type": "string",
"description": "ETag that can be used for concurrency checking"
},
"input_type": {
"type": "string",
"description": "The input method that was used to start the search"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"host_set": {
"type": "object",
"properties": {
"_id": {
"description": "Unique Host Set ID.",
"type": "integer",
"format": "int32"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"name": {
"description": "Host set name.",
"type": "string"
}
}
},
"stats": {
"type": "object",
"properties": {
"hosts": {
"type": "integer",
"format": "int32",
"description": "Number of hosts running this operation."
},
"skipped_hosts": {
"type": "integer",
"format": "int32",
"description": "Number of hosts that were skipped."
},
"search_state": {
"type": "object",
"description": "Number of search in different states.",
"properties": {
"PENDING": {
"type": "integer",
"format": "int32",
"description": "Object count."
},
"MATCHED": {
"type": "integer",
"format": "int32",
"description": "Object count."
},
"NOT_MATCHED": {
"type": "integer",
"format": "int32",
"description": "Object count."
},
"ERROR": {
"type": "integer",
"format": "int32",
"description": "Object count."
}
}
},
"search_issues": {
"type": "object",
"description": "Issues encountered for searches."
},
"running_state": {
"type": "object",
"description": "Number of operations in each state.",
"properties": {
"NEW": {
"type": "integer",
"format": "int32",
"description": "Object count."
},
"QUEUED": {
"type": "integer",
"format": "int32",
"description": "Object count."
},
"FAILED": {
"type": "integer",
"format": "int32",
"description": "Object count."
},
"COMPLETE": {
"type": "integer",
"format": "int32",
"description": "Object count."
},
"ABORTED": {
"type": "integer",
"format": "int32",
"description": "Object count."
},
"DELETED": {
"type": "integer",
"format": "int32",
"description": "Object count."
},
"REFRESH": {
"type": "integer",
"format": "int32",
"description": "Object count."
},
"CANCELLED": {
"type": "integer",
"format": "int32",
"description": "Object count."
}
}
}
}
},
"settings": {
"type": "object",
"properties": {
"query_terms": {
"type": "object",
"description": "Terms and exhaustive search terms for the operation.",
"properties": {
"terms": {
"type": "array",
"items": {
"type": "object",
"properties": {
"field": {
"type": "string",
"description": "The field to be searched.",
"enum": [
"Application Name",
"Browser Name",
"Browser Version",
"Cookie Flags",
"Cookie Name",
"Cookie Value",
"DNS Hostname",
"Driver Device Name",
"Driver Module Name",
"Executable Exported Dll Name",
"Executable Exported Function Name",
"Executable Imported Function Name",
"Executable Imported Module Name",
"Executable Injected",
"Executable PE Type",
"Executable Resource Name",
"File Attributes",
"File Certificate Issuer",
"File Certificate Subject",
"File Download Mime Type",
"File Download Referrer",
"File Download Type",
"File Full Path",
"File MD5 Hash",
"File Name",
"File SHA1 Hash",
"File SHA256 Hash",
"File Signature Exists",
"File Signature Verified",
"File Stream Name",
"File Text Written",
"Group Name",
"HTTP Header",
"Host Set",
"Hostname",
"IP Address",
"Local IP Address",
"Local Port",
"Parent Process Name",
"Parent Process Path",
"Port",
"Port Protocol",
"Port State",
"Process Arguments",
"Process Name",
"Quarantine Event Sender Address",
"Quarantine Event Sender Name",
"Registry Key Full Path",
"Registry Key Value Name",
"Registry Key Value Text",
"Remote IP Address",
"Remote Port",
"Service DLL",
"Service Mode",
"Service Name",
"Service Status",
"Service Type",
"Size in bytes",
"Syslog Event ID",
"Syslog Event Message",
"Syslog Facility",
"Syslog Sender",
"Syslog Severity Level",
"Task Flag",
"Task Name",
"Task Reference",
"Task Status",
"Timestamp - Accessed",
"Timestamp - Changed",
"Timestamp - Created",
"Timestamp - Event",
"Timestamp - Last Login",
"Timestamp - Last Run",
"Timestamp - Modified",
"Timestamp - Started",
"URL",
"Username",
"Web Page Origin URL",
"Web Page Title",
"Windows Event ID",
"Windows Event Log Type",
"Windows Event Message"
]
},
"operator": {
"type": "string",
"description": "Operator to be applied on the field for comparison.",
"enum": [
"equals",
"not equals",
"contains",
"not contains",
"less than",
"greater than",
"between"
]
},
"value": {
"type": "string",
"description": "Value used for the search. Depending on the field and operator values, this item may be a list of strings."
}
}
}
},
"exhaustive_terms": {
"type": "array",
"items": {
"type": "object",
"properties": {
"item_type": {
"type": "string",
"description": "Type of item being searched for.",
"enum": [
"CookieHistoryItem",
"DnsEntryItem",
"DriverItem",
"EventLogItem",
"FileDownloadHistoryItem",
"FileItem",
"FormHistoryItem",
"GroupItem",
"ModuleItem",
"PortItem",
"PrefetchItem",
"ProcessItem",
"QuarantineEventItem",
"RegistryItem",
"RouteEntryItem",
"ServiceItem",
"Syslog",
"SystemInfoItem",
"TaskItem",
"UrlHistoryItem",
"UserItem",
"eventItem",
"eventItem/dnsLookupEvent",
"eventItem/fileWriteEvent",
"eventItem/imageLoadEvent",
"eventItem/ipv4NetworkEvent",
"eventItem/processEvent",
"eventItem/regKeyEvent",
"eventItem/urlMonitorEvent"
]
},
"name": {
"type": "string",
"description": "Name of the place or level of search."
},
"value": {
"type": "string",
"description": "Value being searched."
},
"platform": {
"type": "string",
"description": "Applicable platform for this search term."
},
"found": {
"type": "boolean",
"description": "Whether or not this value was found."
}
}
}
}
}
},
"search_type": {
"type": "string",
"description": "The type of search."
},
"exhaustive": {
"type": "boolean",
"description": "Whether a search is exhaustive or not."
},
"mode": {
"type": "string",
"description": "Whether a search is HOST type or GRID type."
},
"displayname": {
"type": "string",
"description": "Name of the search."
}
}
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"searches.search_count.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"active_settings": {
"type": "object",
"properties": {
"concurrent_search_limit": {
"type": "integer",
"format": "int32",
"description": "Limit for number of concurrent searches allowed."
},
"existing_search_limit": {
"type": "integer",
"format": "int32",
"description": "Limit for number of allowed existing searches."
},
"hits_per_host_limit": {
"type": "integer",
"format": "int32",
"description": "Number of results per hosts."
},
"matched_hosts_limit": {
"type": "integer",
"format": "int32",
"description": "Number of hosts to be matched."
},
"hosts_with_issues_limit": {
"type": "integer",
"format": "int32",
"description": "Number of hosts that show the error."
},
"issue_items_limit": {
"type": "integer",
"format": "int32",
"description": "Number of issues to be shown."
},
"task_size_limit_in_bytes": {
"type": "integer",
"format": "int32",
"description": "Maximum size of a task to be sent to hosts."
}
}
},
"active_searchCount": {
"type": "integer",
"format": "int32",
"description": "Number of active searches."
},
"total_settings": {
"type": "object",
"properties": {
"concurrent_search_limit": {
"type": "integer",
"format": "int32",
"description": "Limit for number of concurrent searches allowed."
},
"existing_search_limit": {
"type": "integer",
"format": "int32",
"description": "Limit for number of allowed existing searches."
},
"hits_per_host_limit": {
"type": "integer",
"format": "int32",
"description": "Number of results per hosts."
},
"matched_hosts_limit": {
"type": "integer",
"format": "int32",
"description": "Number of hosts to be matched."
},
"hosts_with_issues_limit": {
"type": "integer",
"format": "int32",
"description": "Number of hosts that show the error."
},
"issue_items_limit": {
"type": "integer",
"format": "int32",
"description": "Number of issues to be shown."
},
"task_size_limit_in_bytes": {
"type": "integer",
"format": "int32",
"description": "Maximum size of a task to be sent to hosts."
}
}
},
"total_searchCount": {
"type": "integer",
"format": "int32",
"description": "Total number of searches."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"searches.search_hosts.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"sort": {
"type": "object",
"description": "List of sort parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
},
"entries": {
"type": "array",
"items": {
"type": "object",
"properties": {
"state": {
"type": "string",
"description": "The state of the search on one host."
},
"queued_at": {
"type": "string",
"format": "date-time",
"description": "The time that search was queued at for host."
},
"complete_at": {
"type": "string",
"format": "date-time",
"description": "The time that search was finished on the host."
},
"error": {
"type": "array",
"items": {
"type": "string"
},
"description": "Collection of errors per agents for the search."
},
"_revision": {
"type": "string",
"description": "ETag that can be used for concurrency checking"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"host": {
"type": "object",
"properties": {
"_id": {
"description": "Unique agent ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"hostname": {
"type": "string",
"description": "Name of the host."
}
}
},
"search": {
"type": "object",
"properties": {
"_id": {
"description": "Unique search ID.",
"type": "integer",
"format": "int32"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
}
}
},
"search_state": {
"type": "string",
"description": "The state of the search whether it stopped or running"
},
"has_issues": {
"type": "boolean",
"description": "Whether or not the search encountered issues."
},
"issues": {
"type": "array",
"description": "List of issues encountered during the search.",
"items": {
"type": "string",
"description": "Issue encountered."
}
}
}
},
"description": "JSON objects returned."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"searches.search_hosts_single.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"state": {
"type": "string",
"description": "The state of the search on one host."
},
"queued_at": {
"type": "string",
"format": "date-time",
"description": "The time that search was queued at for host."
},
"complete_at": {
"type": "string",
"format": "date-time",
"description": "The time that search was finished on the host."
},
"error": {
"type": "array",
"items": {
"type": "string"
},
"description": "Collection of errors per agents for the search."
},
"_revision": {
"type": "string",
"description": "ETag that can be used for concurrency checking"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"host": {
"type": "object",
"properties": {
"_id": {
"description": "Unique agent ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"hostname": {
"type": "string",
"description": "Name of the host."
}
}
},
"search": {
"type": "object",
"properties": {
"_id": {
"description": "Unique search ID.",
"type": "integer",
"format": "int32"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
}
}
},
"search_state": {
"type": "string",
"description": "The state of the search whether it stopped or running"
},
"has_issues": {
"type": "boolean",
"description": "Whether or not the search encountered issues."
},
"issues": {
"type": "array",
"description": "List of issues encountered during the search.",
"items": {
"type": "string",
"description": "Issue encountered."
}
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"searches.search_results.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"sort": {
"type": "object",
"description": "List of sort parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
},
"entries": {
"type": "array",
"items": {
"type": "object",
"properties": {
"host": {
"type": "object",
"properties": {
"_id": {
"description": "Unique agent ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"hostname": {
"type": "string",
"description": "Name of the host."
}
}
},
"results": {
"type": "array",
"description": "List of result metadata objects for this search.",
"items": {
"type": "object",
"properties": {
"id": {
"type": "integer",
"format": "int32",
"description": "Unique ID."
},
"type": {
"type": "string",
"description": "Type of the search result data. Some examples of item types are: File Write Event, Image Load Event, Browser File Download, etc..."
},
"data": {
"type": "object",
"description": "Object containing data relating to the search result for the host. Keys present will differ depending on the item type."
}
}
}
}
}
},
"description": "JSON objects returned."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"searches.search_single.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"_id": {
"description": "Unique search ID.",
"type": "integer",
"format": "int32"
},
"_url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"state": {
"type": "string",
"description": "The state of the search whether it stopped or running"
},
"scripts": {
"type": "array",
"description": "A list of reference objects for the scripts utilized in this search.",
"items": {
"type": "object",
"properties": {
"_id": {
"description": "Unique script ID.",
"type": "integer",
"format": "int32"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"download": {
"description": "URI to download this script.",
"type": "string",
"format": "uri"
},
"platform": {
"type": "string",
"description": "Platform this script is used for."
}
}
}
},
"host_set": {
"type": "object",
"properties": {
"_id": {
"description": "Unique Host Set ID.",
"type": "integer",
"format": "int32"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"name": {
"description": "Host set name.",
"type": "string"
}
}
},
"update_time": {
"type": "string",
"format": "date-time",
"description": "Time the search was updated last."
},
"create_time": {
"type": "string",
"format": "date-time",
"description": "Time the search was created."
},
"update_actor": {
"type": "object",
"description": "Actor who last updated the search",
"properties": {
"_id": {
"type": "integer",
"format": "int32",
"description": "Unique ID."
},
"username": {
"type": "string",
"description": "Username."
}
}
},
"create_actor": {
"type": "object",
"description": "Actor who created the search",
"properties": {
"_id": {
"type": "integer",
"format": "int32",
"description": "Unique ID."
},
"username": {
"type": "string",
"description": "Username."
}
}
},
"settings": {
"type": "object",
"properties": {
"query_terms": {
"type": "object",
"description": "Terms and exhaustive search terms for the operation.",
"properties": {
"terms": {
"type": "array",
"items": {
"type": "object",
"properties": {
"field": {
"type": "string",
"description": "The field to be searched.",
"enum": [
"Application Name",
"Browser Name",
"Browser Version",
"Cookie Flags",
"Cookie Name",
"Cookie Value",
"DNS Hostname",
"Driver Device Name",
"Driver Module Name",
"Executable Exported Dll Name",
"Executable Exported Function Name",
"Executable Imported Function Name",
"Executable Imported Module Name",
"Executable Injected",
"Executable PE Type",
"Executable Resource Name",
"File Attributes",
"File Certificate Issuer",
"File Certificate Subject",
"File Download Mime Type",
"File Download Referrer",
"File Download Type",
"File Full Path",
"File MD5 Hash",
"File Name",
"File SHA1 Hash",
"File SHA256 Hash",
"File Signature Exists",
"File Signature Verified",
"File Stream Name",
"File Text Written",
"Group Name",
"HTTP Header",
"Host Set",
"Hostname",
"IP Address",
"Local IP Address",
"Local Port",
"Parent Process Name",
"Parent Process Path",
"Port",
"Port Protocol",
"Port State",
"Process Arguments",
"Process Name",
"Quarantine Event Sender Address",
"Quarantine Event Sender Name",
"Registry Key Full Path",
"Registry Key Value Name",
"Registry Key Value Text",
"Remote IP Address",
"Remote Port",
"Service DLL",
"Service Mode",
"Service Name",
"Service Status",
"Service Type",
"Size in bytes",
"Syslog Event ID",
"Syslog Event Message",
"Syslog Facility",
"Syslog Sender",
"Syslog Severity Level",
"Task Flag",
"Task Name",
"Task Reference",
"Task Status",
"Timestamp - Accessed",
"Timestamp - Changed",
"Timestamp - Created",
"Timestamp - Event",
"Timestamp - Last Login",
"Timestamp - Last Run",
"Timestamp - Modified",
"Timestamp - Started",
"URL",
"Username",
"Web Page Origin URL",
"Web Page Title",
"Windows Event ID",
"Windows Event Log Type",
"Windows Event Message"
]
},
"operator": {
"type": "string",
"description": "Operator to be applied on the field for comparison.",
"enum": [
"equals",
"not equals",
"contains",
"not contains",
"less than",
"greater than",
"between"
]
},
"value": {
"type": "string",
"description": "Value used for the search. Depending on the field and operator values, this item may be a list of strings."
}
}
}
},
"exhaustive_terms": {
"type": "array",
"items": {
"type": "object",
"properties": {
"item_type": {
"type": "string",
"description": "Type of item being searched for.",
"enum": [
"CookieHistoryItem",
"DnsEntryItem",
"DriverItem",
"EventLogItem",
"FileDownloadHistoryItem",
"FileItem",
"FormHistoryItem",
"GroupItem",
"ModuleItem",
"PortItem",
"PrefetchItem",
"ProcessItem",
"QuarantineEventItem",
"RegistryItem",
"RouteEntryItem",
"ServiceItem",
"Syslog",
"SystemInfoItem",
"TaskItem",
"UrlHistoryItem",
"UserItem",
"eventItem",
"eventItem/dnsLookupEvent",
"eventItem/fileWriteEvent",
"eventItem/imageLoadEvent",
"eventItem/ipv4NetworkEvent",
"eventItem/processEvent",
"eventItem/regKeyEvent",
"eventItem/urlMonitorEvent"
]
},
"name": {
"type": "string",
"description": "Name of the place or level of search."
},
"value": {
"type": "string",
"description": "Value being searched."
},
"platform": {
"type": "string",
"description": "Applicable platform for this search term."
},
"found": {
"type": "boolean",
"description": "Whether or not this value was found."
}
}
}
}
}
},
"search_type": {
"type": "string",
"description": "The type of search."
},
"exhaustive": {
"type": "boolean",
"description": "Whether a search is exhaustive or not."
},
"mode": {
"type": "string",
"description": "Whether a search is HOST type or GRID type."
},
"displayname": {
"type": "string",
"description": "Name of the search."
}
}
},
"error": {
"type": "array",
"items": {
"type": "string"
},
"description": "Collection of errors per agents for the search."
},
"stats": {
"type": "object",
"properties": {
"hosts": {
"type": "integer",
"format": "int32",
"description": "Number of hosts running this operation."
},
"skipped_hosts": {
"type": "integer",
"format": "int32",
"description": "Number of hosts that were skipped."
},
"search_state": {
"type": "object",
"description": "Number of search in different states.",
"properties": {
"PENDING": {
"type": "integer",
"format": "int32",
"description": "Object count."
},
"MATCHED": {
"type": "integer",
"format": "int32",
"description": "Object count."
},
"NOT_MATCHED": {
"type": "integer",
"format": "int32",
"description": "Object count."
},
"ERROR": {
"type": "integer",
"format": "int32",
"description": "Object count."
}
}
},
"search_issues": {
"type": "object",
"description": "Issues encountered for searches."
},
"running_state": {
"type": "object",
"description": "Number of operations in each state.",
"properties": {
"NEW": {
"type": "integer",
"format": "int32",
"description": "Object count."
},
"QUEUED": {
"type": "integer",
"format": "int32",
"description": "Object count."
},
"FAILED": {
"type": "integer",
"format": "int32",
"description": "Object count."
},
"COMPLETE": {
"type": "integer",
"format": "int32",
"description": "Object count."
},
"ABORTED": {
"type": "integer",
"format": "int32",
"description": "Object count."
},
"DELETED": {
"type": "integer",
"format": "int32",
"description": "Object count."
},
"REFRESH": {
"type": "integer",
"format": "int32",
"description": "Object count."
},
"CANCELLED": {
"type": "integer",
"format": "int32",
"description": "Object count."
}
}
}
}
},
"_revision": {
"type": "string",
"description": "ETag that can be used for concurrency checking"
},
"input_type": {
"type": "string",
"description": "The input method that was used to start the search"
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"searches.search_skipped_hosts.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"sort": {
"type": "object",
"description": "List of sort parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
},
"entries": {
"type": "array",
"items": {
"type": "object",
"properties": {
"_id": {
"description": "Unique agent ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"agent_version": {
"type": "string",
"description": "Agent version."
},
"excluded_from_containment": {
"type": "boolean",
"description": "Determines whether the host is excluded from containment."
},
"containment_missing_software": {
"type": "boolean",
"description": "Indicates that the agent version supports containment."
},
"containment_queued": {
"type": "boolean",
"description": "Containment requested."
},
"containment_state": {
"type": "string",
"description": "Containment state.",
"enum": [
"normal",
"contain",
"contain_fail",
"containing",
"contained",
"uncontain",
"uncontaining",
"not_normal",
"not_contained"
]
},
"stats": {
"type": "object",
"properties": {
"acqs": {
"description": "Number of file acquisition requests.",
"type": "integer",
"format": "int32"
},
"malware_cleaned_count": {
"description": "The number of cleaned malware on the host.",
"type": "integer",
"format": "int32"
},
"malware_quarantined_count": {
"description": "The number ofquarantined files on the host.",
"type": "integer",
"format": "int32"
},
"alerting_conditions": {
"description": "Number of alerting conditions.",
"type": "integer",
"format": "int32"
},
"alerts": {
"description": "Total number of alerts, including exploit-detection alerts.",
"type": "integer",
"format": "int32"
},
"exploit_alerts": {
"description": "Number of exploit alerts, partially blocked exploits, and blocked exploits.",
"type": "integer",
"format": "int32"
},
"exploit_blocks": {
"description": "The number of blocked exploits on the host.",
"type": "integer",
"format": "int32"
},
"malware_alerts": {
"description": "The number of malware alerts on the host.",
"type": "integer",
"format": "int32"
},
"generic_alerts": {
"description": "The number of generic alerts on the host.",
"type": "integer",
"format": "int32"
},
"false_positive_alerts": {
"description": "The number of false positive alerts on the host.",
"type": "integer",
"format": "int32"
},
"false_positive_alerts_by_source": {
"type": "object",
"description": "Number of false positive alerts by source."
},
"malware_false_positive_alerts": {
"description": "The number of false positive malware alerts on the host.",
"type": "integer",
"format": "int32"
}
}
},
"hostname": {
"type": "string",
"description": "Name of the host."
},
"domain": {
"type": "string",
"description": "Network domain."
},
"gmt_offset_seconds": {
"type": "integer",
"format": "int32",
"description": "How many seconds the offset is from Greenwich Mean Time (GMT)"
},
"timezone": {
"type": "string",
"description": "Timezone name."
},
"primary_ip_address": {
"type": "string",
"description": "Primary IPv4 or IPv6 address the host uses to communicate with the Endpoint server."
},
"last_audit_timestamp": {
"type": "string",
"format": "date-time",
"description": "Time when the most recent system information audit was performed."
},
"last_poll_timestamp": {
"type": "string",
"format": "date-time",
"description": "Time when the most recent poll was performed."
},
"last_poll_ip": {
"type": "string",
"description": "IP address used for the most recent poll."
},
"reported_clone": {
"type": "boolean",
"description": "Indicates more than one host has this same agent ID."
},
"initial_agent_checkin": {
"type": "string",
"format": "date-time",
"description": "Time of initial agent checkin."
},
"last_alert": {
"type": "object",
"properties": {
"_id": {
"description": "Unique alert ID.",
"type": "integer",
"format": "int32"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
}
}
},
"last_alert_timestamp": {
"type": "string",
"format": "date-time",
"description": "The time stamp of the most recent alert for the host."
},
"last_exploit_block_timestamp": {
"type": "string",
"format": "date-time",
"description": "The time stamp of the most recent blocked exploit for the host."
},
"sysinfo": {
"type": "object",
"properties": {
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
}
}
},
"os": {
"type": "object",
"properties": {
"product_name": {
"type": "string",
"description": "Operating system name."
},
"patch_level": {
"type": "string",
"description": "Operating system patch."
},
"bitness": {
"type": "string",
"description": "Operating system word size.",
"enum": [
"64-bit",
"32-bit"
]
},
"platform": {
"type": "string",
"description": "Family of operating systems.",
"enum": [
"win",
"osx",
"linux"
]
},
"kernel_version": {
"type": "string",
"description": "Operating system kernel version."
}
}
},
"primary_mac": {
"type": "string",
"description": "MAC address the host uses to communicate with the Endpoint server."
}
}
},
"description": "JSON objects returned."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"source_alerts.common_no_data.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"source_alerts.common_no_data.success_no_content": {
"description": "Success - no content.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"source_alerts.common_no_data.success_quarantines": {
"description": "Success - Some quarantines not found or not all quarantined files were scheduled for restoration.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"source_alerts.common_no_data.deleted": {
"description": "Deleted",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"source_alerts.common_no_data.not_found": {
"description": "Not Found",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"source_alerts.common_no_data.unprocessable": {
"description": "Unprocessable Entity",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"source_alerts.common_no_data.unable_to_parse": {
"description": "Unable to parse request body",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"source_alerts.common_no_data.forbidden": {
"description": "Forbidden - Request unsuccessful because you do not belong to the correct authorization group or because you are using an appliance without an active MD_ACCESS license.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"source_alerts.common_no_entries.unprocessable": {
"description": "Unprocessable Entity",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"source_alerts.common_no_entries.not_found": {
"description": "Not Found",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"source_alerts.common_no_entries.invalid_filter": {
"description": "Invalid Alert Filter",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"source_alerts.common_no_entries.not_allowed": {
"description": "Not Allowed - Modification of FireEye filters is not allowed.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"source_alerts.source_alert.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"description": "Total number of matching items."
},
"query": {
"type": "object",
"description": "List of query parameters."
},
"sort": {
"type": "object",
"description": "List of sort parameters."
},
"offset": {
"type": "integer",
"description": "Starting item # returned for paging."
},
"limit": {
"type": "integer",
"description": "Number of items to return."
},
"entries": {
"type": "array",
"items": {
"type": "object",
"properties": {
"_id": {
"description": "Unique alert ID.",
"type": "integer",
"format": "int32"
},
"url": {
"description": "Source alert URL.",
"type": "string",
"format": "uri"
},
"appliance": {
"type": "object",
"properties": {
"_id": {
"description": "Unique appliance ID.",
"type": "string"
}
}
},
"ip_addresses": {
"type": "array",
"description": "List of IP addresses in the source alert.",
"items": {
"type": "string"
}
},
"primary_indicator": {
"type": "object",
"properties": {
"_id": {
"description": "Unique indicator ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"name": {
"type": "string",
"description": "Object name."
},
"uri_name": {
"type": "string",
"description": "Formalized name of the indicator definition source."
},
"display_name": {
"type": "string",
"description": "Name of the indicator definition source."
},
"signature": {
"type": "string",
"description": "IOC signature."
},
"category": {
"type": "integer",
"format": "int32",
"description": "Unique ID."
}
}
},
"validated": {
"type": "boolean",
"description": "The source alert has been validated."
}
}
},
"description": "JSON objects returned."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"source_alerts.source_alert_single.success": {
"description": "Success",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"_id": {
"description": "Unique alert ID.",
"type": "integer",
"format": "int32"
},
"url": {
"description": "Source alert URL.",
"type": "string",
"format": "uri"
},
"appliance": {
"type": "object",
"properties": {
"_id": {
"description": "Unique appliance ID.",
"type": "string"
}
}
},
"ip_addresses": {
"type": "array",
"description": "List of IP addresses in the source alert.",
"items": {
"type": "string"
}
},
"primary_indicator": {
"type": "object",
"properties": {
"_id": {
"description": "Unique indicator ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"name": {
"type": "string",
"description": "Object name."
},
"uri_name": {
"type": "string",
"description": "Formalized name of the indicator definition source."
},
"display_name": {
"type": "string",
"description": "Name of the indicator definition source."
},
"signature": {
"type": "string",
"description": "IOC signature."
},
"category": {
"type": "integer",
"format": "int32",
"description": "Unique ID."
}
}
},
"validated": {
"type": "boolean",
"description": "The source alert has been validated."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"source_alerts.source_alert_single.success_exists": {
"description": "Success - Source Alert already exists.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"_id": {
"description": "Unique alert ID.",
"type": "integer",
"format": "int32"
},
"url": {
"description": "Source alert URL.",
"type": "string",
"format": "uri"
},
"appliance": {
"type": "object",
"properties": {
"_id": {
"description": "Unique appliance ID.",
"type": "string"
}
}
},
"ip_addresses": {
"type": "array",
"description": "List of IP addresses in the source alert.",
"items": {
"type": "string"
}
},
"primary_indicator": {
"type": "object",
"properties": {
"_id": {
"description": "Unique indicator ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"name": {
"type": "string",
"description": "Object name."
},
"uri_name": {
"type": "string",
"description": "Formalized name of the indicator definition source."
},
"display_name": {
"type": "string",
"description": "Name of the indicator definition source."
},
"signature": {
"type": "string",
"description": "IOC signature."
},
"category": {
"type": "integer",
"format": "int32",
"description": "Unique ID."
}
}
},
"validated": {
"type": "boolean",
"description": "The source alert has been validated."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"source_alerts.source_alert_single.success_created": {
"description": "Success - Source Alert created.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"_id": {
"description": "Unique alert ID.",
"type": "integer",
"format": "int32"
},
"url": {
"description": "Source alert URL.",
"type": "string",
"format": "uri"
},
"appliance": {
"type": "object",
"properties": {
"_id": {
"description": "Unique appliance ID.",
"type": "string"
}
}
},
"ip_addresses": {
"type": "array",
"description": "List of IP addresses in the source alert.",
"items": {
"type": "string"
}
},
"primary_indicator": {
"type": "object",
"properties": {
"_id": {
"description": "Unique indicator ID.",
"type": "string"
},
"url": {
"type": "string",
"format": "uri",
"description": "URI to retrieve data for this record."
},
"name": {
"type": "string",
"description": "Object name."
},
"uri_name": {
"type": "string",
"description": "Formalized name of the indicator definition source."
},
"display_name": {
"type": "string",
"description": "Name of the indicator definition source."
},
"signature": {
"type": "string",
"description": "IOC signature."
},
"category": {
"type": "integer",
"format": "int32",
"description": "Unique ID."
}
}
},
"validated": {
"type": "boolean",
"description": "The source alert has been validated."
}
}
},
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
}
}
}
},
"token.token.unauthorized": {
"description": "Standard API response for no data.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API route path."
}
}
},
"examples": {
"unauthorized": {
"summary": "unauthorized",
"value": {
"details": [
{
"type": "error",
"code": 1105,
"message": "Incorrect user id or password."
}
],
"message": "Unauthorized"
}
}
}
}
}
},
"token.token.forbidden": {
"description": "Standard API response for no data.",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"message": {
"type": "string",
"description": "API response message."
},
"details": {
"type": "array",
"items": {
"type": "object"
},
"description": "API response message details."
},
"route": {
"type": "string",
"description": "API rou
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment