Cyware Orchestrate

Add Indicators to Community Threat 

This action adds indicators to a community threat.

Create Community Threat 

This action creates a community threat.

Delete Community Threat 

This action deletes a community threat.

Get Investigation 

This action retrieves the details of an investigation.

Get List of Rapid7 Product Alerts Associated with the Specified Investigation 

This action retrieves a list of rapid7 product alerts associated with an investigation.

List Alerts Associated with the Specified Investigation 

This action retrieves the alerts associated with an investigation.

List All Endpoints 

This action retrieves all the endpoints.

List Investigations 

This action retrieves all the investigations.

Query Multiple Logs 

This action queries multiple logs using the Logentries Query Language (LEQL).

Replace Indicators for Community Threats 

This action replaces indicators for community threats.

Set Status of Investigation 

This action sets the status of an investigation.

Update Investigation 

This action updates an investigation.

Close Investigations in Bulk 

This action closes investigations in bulk.

Search Investigations 

This action searches for investigations.

Poll an In-Progress Query 

This action polls a query that is in progress.

Create Investigation Using Alerts 

This action creates investigation using matching alerts.

Create Report for Alerts 

This action creates a report with alerts that match the search criteria.

Get Evidence for a Single Alert 

This action retrieves evidence associated with a single alert.

Retrieve Alert Action Result 

This action retrieves the result of a single alert action.

Generic Action 

This is a generic action to perform any additional use case that you want on rapid7 insightidr.

Retrieve Alert Actions 

This action retrieves the alert actions that occurred within a time period.

Retrieve Alert Action Tasks 

This action retrieves the tasks associated with a single alert action.

Retrieve Alert Actors 

This action retrieves actors associated with a single alert.

Retrieve Alert Field Values 

This action retrieves alert field values related to the specified field id.

Retrieve All Alert Fields 

This action retrieves all the alert fields.

Retrieve All Process Tree 

This action retrieves all process trees for an alert.

Retrieve Assignee for a Single Alert 

This action retrieves users that are assigned to a single alert.

Retrieve Assignee for Multiple Alerts 

This action retrieves users that could be assigned to multiple alerts.

Retrieve Multiple Alerts 

This action retrieves multiple alerts related to the specified alert rnn.

Retrieve Process Tree 

This action retrieves a single process tree for an alert.

Retrieve Single Alert 

This action retrieves single alert based on the alert rrn.

Retrieve Single Alert Field 

This action returns a single field based on the field identifier.

Search Alerts 

This action returns alerts that match the search criteria.

Update Multiple Alerts 

This action asynchronously updates information for multiple alerts.

Update Single Alert 

This action asynchronously updates information for a single alert.

API Key

Enter the API key to authenticate.

Password

Required

Region

Enter the region where the data is stored.

Examples:

Text

Required

Key 

Enter the key of a Community Threat to add the indicators.

Example:

156c9e48-64da-4bba-939e-e1c329be591b

Text

Required

IPs 

Enter the list of IP addresses to add to the Community Threat.

Example:

['192.168.0.1']

List

Required

Hashes 

Enter the hashes to add to the community threat.

Example:

['b95663ec7339033cf1fde459a34b6606']

List

Required

Domain Names 

Enter the domain names to add to the community threat.

Example:

['rapid7.com', 'mailxpy.com']

List

Required

URLs 

Enter the URLs to add to the community threat.

Example:

['http://example.com/index', ' http://www.mailxpy.com/login/index.php']

List

Required

threat

Object

The information about the threat.

threat.name

String

The name of the threat.

threat.note

String

Notes about this threat.

threat.published

Boolean

Indicates whether this threat has been published.

threat.indicator_count

Integer

The number of indicators in this threat.

threat.rejected_indicators

Array of Strings

The list of indicators that have been rejected during the update.

Source 

Enter the source. 

Example: 

"threat" intelligence", "alert", "hunt"

Text

Required

To 

Enter the time for the investigations to be closed. Only investigations whose created_time is before this date will be closed. The time must be in ISO-formatted timestamp.

Example: 

"2020-01-01t00:00:00.000z"

Text

Required

From 

Enter the time from which the investigations must be closed, which must be an ISO-formatted timestamp.

Example: 

"2020-01-01t00:00:00.000z"

Text

Required

Alert Type 

Enter the alert type.

Example: 

"threat intelligence"

Text

Optional

Detection Rule RRN 

Enter the detection Rule RRN.

Example: 

"threat intelligence"

Text

Required

Max Investigations to Close 

Enter the maximum number of investigations to close. 

Example: 

10

Integer

Optional

Disposition 

Enter the disposition.

Example: 

malicious, benign, undecided, not applicable

Text

Optional

Threat Name

Enter the name of a threat.

Example:

"Trojan"

Text

Required

Domain Names

Enter the domain names to add to the community threat.

Example:

$LIST['rapid7.com', 'mailxpy.com']

Text

Required

Hashes

Enter the hashes to add to the community threat.

Example:

$LIST['b95663ec7339033cf1fde459a34b6606']

Text

Required

IPs

Enter the list of IP addresses to add to the community threat.

Example:

$LIST['192.168.0.1']

Text

Required

URLs

Enter the URLs to add to the community threat.

Example:

$LIST['http://example.com/index', ' http://www.mailxpy.com/login/index.php']

Text

Required

Note

Enter a description of the community threat. Example: 'This is a sample note for this Community Threat.'

Text

Optional

threat

Object

Contains information about the threat.

threat.name

String

Name of the threat. Example: Threat

threat.note

String

Additional notes regarding the threat. Example: Notes

threat.published

Boolean

Indicates whether the threat information is published. Example: true

threat.indicator_count

Integer

Count of indicators related to the threat. Example: 1

rejected_indicators

Array of Strings

List of indicators that were rejected. Example: ['blacklisted', 'invalid']

Key

Enter the key of a community threat to delete.

Example:

156c9e48-64da-4bba-939e-e1c329be591b

Text

Required

Reason

Enter the reason for deleting the threat.

Example:

"Threat has been neutralized."

Text

Optional

name

String

The name of the threat.

note

String

Notes about this threat.

published

Boolean

Indicates whether this threat has been published.

indicator_count

Integer

The number of indicators in this threat. Must be greater than or equal to 0.

ID

Enter the ID of an investigation.

Example:

174e4f99-2ac7-4481-9301-4d24c34baf06

Text

Required

Multi Customer

Indicates whether the requester has multi-customer access. If set to true, the ID of the investigation must be in the RRN format, the region of the RRN must match the region of the endpoint, and a user API key must be provided.

Example:

multi-customer=true

Boolean

Optional

Allowed values are true and false

The default value is false.

data

Array of objects

The list of data that matches the pagination parameters. If no results match, this will be an empty list.

data.id

String

The ID of the investigation.

data.rrn

String

The RRN of the investigation.

data.title

String

The investigation's title.

data.status

String

The status of the investigations. OPEN, INVESTIGATING, CLOSED

data.source

String

The source of this investigation.

data.disposition

String

The disposition of this investigation. Values are BENIGN, MALICIOUS, NOT_APPLICABLE, UNSPECIFIED

data.assignee

Object

The user assigned to this investigation, if any.

data.alerts

Array of objects

The alerts involved in this investigation, if any.

data.created_time

String

The time the investigation was created, as an ISO formatted timestamp.

metadata

Object

The pagination parameters used to generate this page result.

metadata.index

Integer

The 0-based index of the page retrieved.

metadata.size

Integer

The size of the page requested.

metadata.total_pages

Integer

The total number of pages available with the given filter parameters.

metadata.total_data

Integer

The total number of results available with the given filter parameters.

ID

Enter the ID of an investigation.

Example:

"174e4f99-2ac7-4481-9301-4d24c34baf06"

Text

Required

Multi Customer

Choose to verify whether this is a multi-customer request.

Example:

false

Boolean

Optional

Allowed values:

Default value:

false

ID

Enter the ID of an investigation.

Example:

174e4f99-2ac7-4481-9301-4d24c34baf06

Text

Required

Index

The optional 0-based index of the page to retrieve. It must be an integer greater than or equal to 0.

Example:

0

Text

Optional

Default is 0

Size

The optional size of the page to retrieve. It must be an integer greater than 0, or less than or equal to 100.

Example:

size=20

Text

Optional

Default is 20

data.id

String

Unique identifier for the alert.

data.title

String

Title or brief description of the alert.

data.alert_type

String

Type of alert.

data.alert_type_description

String

Description of the alert type.

data.created_time

String

Timestamp when the alert was created (ISO 8601 format).

data.first_event_time

String

Timestamp of the first event related to the alert (ISO 8601 format).

data.latest_event_time

String

Timestamp of the latest event related to the alert (ISO 8601 format).

data.alert_source

String

Source of the alert.

data.detection_rule_rrn.rule_name

String

Name of the detection rule that triggered the alert.

data.detection_rule_rrn.rule_rrn

String

Resource Reference Number (RRN) for the detection rule.

metadata.index

Integer

Index of the current page.

metadata.size

Integer

Number of items per page.

metadata.total_pages

Integer

Total number of pages available.

metadata.total_data

Integer

Total number of data items.

endpoint.path

String

The path of the endpoint. Example, https://eu.rest.logs.insight.rapid7.com/audit/query/logs/{log_keys}

endpoint.verbs

Array of strings

Array of HTTP verbs supported by the endpoint. Example, ["GET"]

Assignee Email

Enter the email ID of the assignee. Only investigations assigned to that user will be included.

Example:

assignee.email=johndoe@exampledomain.com

Text

Optional

End Time

Enter the time an investigation is closed. Only investigations whose created_time is before this date will be returned by the API. Must be an ISO-formatted timestamp.

Example:

end_time=2018-07-28T23:59:00Z

Text

Optional

Default is 

"The current time"

Index

Enter the 0-based index of the first page to retrieve. Must be an integer greater than 0.

Example:

0

Text

Optional

Default is 0

Size

Enter the maximum number of investigations to retrieve. Must be an integer greater than 0, or less than or equal to 100.

Example: size=20

Text

Optional

Default is 20

Sort

Enter a field for investigations to be sorted by and their sort direction separated by a comma.

Example:

"priority,DESC"

Text

Optional

Sortable fields are created_time,priority, rrn, alerts_most_recent_created_time, and alerts_most_recent_detection_created_time.

Start Time

Enter the time an investigation is opened. Only investigations whose created_time is after this date will be returned by the API. Must be an ISO-formatted timestamp.

Example:

start_time=2018-07-01T00:00:00Z

Text

Optional

Default is 

"28 days prior"

Statuses

Enter a comma-separated list of investigation statuses to include in the result.

Example: statuses=OPEN,INVESTIGATING

Text

Optional

Possible values are 

Priorities

Enter a comma-separated list of investigation priorities to include in the result.

Example: priorities=UNSPECIFIED, LOW

Text

Optional

Possible values are UNSPECIFIED, LOW, MEDIUM, HIGH, and CRITICAL

data

Array of objects

The list of data that matches the pagination parameters. If no results match, this will be an empty list.

data.id

String

The ID of the investigation.

data.rrn

String

The RRN of the investigation.

data.title

String

The investigation's title.

data.status

String

The status of the investigations. Possible values: "OPEN, INVESTIGATING, CLOSED".

data.source

String

The source of this investigation.

data.disposition

String

The disposition of this investigation. Possible values: "BENIGN, MALICIOUS, NOT_APPLICABLE, UNSPECIFIED".

data.assignee

Object

The user assigned to this investigation, if any.

data.alerts

Array of objects

The alerts involved in this investigation, if any.

data.created_time

String

The time the investigation was created, as an ISO formatted timestamp.

metadata

Object

The pagination parameters used to generate this page result.

metadata.index

Number

The 0-based index of the page retrieved.

metadata.size

Number

The size of the page requested.

metadata.total_pages

Number

The total number of pages available with the given filter parameters.

metadata.total_data

Number

The total number of results available with the given filter parameters.

Log IDs

Enter the log IDs.

Example:

['565c1b7b-c08b-4c87-a42a-ab08bad56071', 'c78579a8-8b20-4e6a-d4c0-5287198a263b']

List

Required

Duration

Enter the time range to search logs.

Example:

{'time_range':'last 1 hour'}

Key Value

Required

Allowed values: yesterday, today and last x timeunits (where x represents a number and timeunits represents one of min(s) or minute(s), hr(s) or hour(s), day(s), week(s), month(s), or years).

Statement

Enter the LEQL query run against the logs.

Example:

where(931dde6c60>=800)

Text

Required

Query Params

Enter the query params.Example:{"per_page": 10}

Key Value

Optional

Key

Enter the key of a Community Threat for which the indicators are going to be replaced. Example: 156c9e48-64da-4bba-939e-e1c329be591b

Text

Required

Domain Names

Enter the domain names to add to the community threat. Example: ['rapid7.com', 'mailxpy.com']

List

Required

Hashes

Enter the hashes to add to the community threat. Example: ['b95663ec7339033cf1fde459a34b6606']

List

Required

IPs

Enter the IP address to add to the community threat.

Example:

['192.168.0.1']

List

Required

URLs

Enter the URLs to add to the community threat.

Example:

['http://example.com/index', ' http://www.mailxpy.com/login/index.php']

List

Required

threat

Object

The information about the threat.

threat.name

String

The name of the threat.

threat.note

String

Notes about this threat (optional).

threat.published

Boolean

Indicates whether this threat has been published.

threat.indicator_count

Integer (int64)

The number of indicators in this threat. Must be greater than or equal to 0.

threat.rejected_indicators

Array of strings

The list of indicators that have been rejected during the update.

ID

Enter the continuation ID.

Example:

"0bnc17f4-bbbe-46b1-a843-163c074bd1ad"

Text

Required

You can retrieve the continuation ID from the Query Multiple Logs action.

Time Range

Enter the time range.

Example: 

"last 10 weeks"

Text

Optional

Allowed values:

Allowed time units(case insensitive):

Organization ID 

Enter the ID of the organization that the investigation belongs to. Example: 

0bnc17f4-bbbe-46b1-a843-163c074bd1ad

Text

Required

Title 

Enter the title of the investigation. 

Example: 

alert from insight ops

Text

Required

Disposition 

Enter the disposition of the investigation. 

Text

Required

Status 

Enter the status of the investigation. 

Example: 

open

Text

Required

Start Time 

Enter the start time. Example: 

"2020-01-01t00:00:00.000z"

Text

Required

Terms 

Enter the search terms. Example: 

{"field_ids":"['2525', '2523']"}

Key Value

Required

End Time 

Enter the end time. 

Example: 

"2020-01-01t00:00:00.000z"

Text

Optional

LEQL Query 

Enter the Log Entry Query Language (LEQL) query. Example:

(where (931dde6c60>=800))

Text

Optional

Priority 

Enter the priority of the investigation. 

Example: 

low

Text

Optional

Allowed values are UNMAPPED, INFO, LOW, MEDIUM, HIGH, and CRITICAL.

Tags 

Enter the tags to apply to the investigation. 

Example: 

['malware', 'threat']

List

Optional

Extra Params 

Enter any additional details associated with the investigation. Example: 

{"key":"value"}

Key Value

Optional

action_rrn

String

The RRN of the action created to update the alerts. See the Actions endpoints for more information.

region_failures

Array of Objects (RegionFailure)

The regions where the request failed to execute. The presence of items in this field indicates partial failure.

region_failures.region

String

The region where the request failed.

region_failures.message

String

A description of the failure.

Start time 

Enter the start time of the range to search. Example: 

"2020-01-01t00:00:00.000z"

Text

Required

Terms 

Enter the search terms to match against. Example: 

{"field_ids":"['233','454','476']"}

Key Value

Required

End time 

Enter the end time of the range to search.

Example: 

2020-01-01t00:00:00.000z

Text

Optional

Leql query 

Enter the LEQL 'WHERE' clause to match against. Example: 

(where(931dde6c60>=800))

Text

Optional

Aggregates 

Enter the aggregations to apply for all matching results. 

Example: 

{"type": "bucket"}

Key Value

Optional

Extra params 

Enter the extra params. Example: 

{"key":"value"}

Key Value

Optional

count

Integer

The number of alerts that match the search criteria.

aggregates

Array of Objects

The aggregation results.

aggregates.name

String

The identifier of the aggregation, that was specified in the request.

aggregates.type

String

The type of aggregate. The default is "BUCKET".

aggregates.value

Object

The single-value result of the requested query.

aggregates.field_ids

Array of Strings

The field identifiers that were aggregated by.

aggregates.buckets

Array of Objects

The buckets that the aggregation results are grouped into.

aggregates.buckets.keys

Array of Strings or Strings or Numbers or Booleans

The values for the selected field identifiers in this bucket, in matching order.

aggregates.buckets.count

Integer (int64)

The number of alerts in this bucket.

region_failures

Array of Objects

Regions that failed to execute the request. The presence of items indicates partial results.

region_failures.region

String

The region where the request failed.

region_failures.message

String

A description of the failure.

Alert RRN 

Enter the alert RRN. 

Example: 

0bnc17f4-bbbe-46b1-a843-163c074bd1ad

Text

Required

Index 

The index of the page to retrieve (zero-indexed).

Example: 

0

Integer

Optional

Size 

Enter the size of the page to retrieve. 

Example: 

10

Integer

Optional

evidences

Array of objects

The alert evidence.

evidences.rrn

String

The unique RRN of the evidence.

evidences.version

Integer

The version of the evidence.

evidences.created_at

String (date-time)

The timestamp when the evidence was created.

evidences.updated_at

String (date-time)

The timestamp when the evidence was last updated.

evidences.evented_at

String (date-time)

The timestamp when the event that triggered the alert occurred in the source system.

evidences.external_source

String

The source of the evidence.

evidences.event_type

String

The type of evidence.

evidences.data

String

The evidence data.

metadata

Object

The pagination returned.

metadata.index

Integer

The page number.

metadata.size

Integer

The number of items requested.

metadata.items_in_index

Integer

The number of items returned in the index.

metadata.total_items

Integer

The total number of items available to request.

metadata.is_last_index

Boolean

Indicates that the item is the last in the index.

Action RRN 

Enter the unique identifier for the action. 

Example: 

0bnc17f4-bbbe-46b1-a843-163c074bd1ad

Text

Required

actions

Array of Objects

List of actions taken.

actions.rrn

String

Resource reference number for the action.

actions.type

String

Type of action taken. Example: "PATCH_ALERT"

actions.created_at

String

Date and time the action was created. Example: "2019-08-24T14:15:22Z"

actions.task_count

Number

Number of tasks associated with the action.

actions.request_payload

String

Payload of the request related to the action.

actions.metadata

Array of Objects

Additional metadata for the action.

actions.metadata.key

String

Key for the metadata entry.

actions.metadata.value

String

Value for the metadata entry.

actions.metadata.display

String

The display name for the metadata entry.

metadata

Object

Metadata about the response.

metadata.index

Number

Current index in pagination.

metadata.size

Number

Number of items per page.

metadata.items_in_index

Number

Number of items in the current index.

metadata.total_items

Number

Total number of items across all indices.

metadata.is_last_index

Boolean

Indicates if the current index is the last one. Example: true

region_failures

Array of Objects

Failures by region.

region_failures.region

String

Region where the failure occurred.

region_failures.message

String

Message describing the failure.

Endpoint 

Enter the endpoint to make the API request.

Example: 

/v1/investigations

Text

Required

Method 

Enter the HTTP method to make the API request. 

Example: 

Text

Required

Payload JSON 

Enter the payload in JSON format.

Example: 

{"format": "json"}

Key Value

Optional

Query Params 

Enter the query parameters to filter the results.

Example: 

{"format": "json"}

Key Value

Optional

Extra Fields

Enter the extra fields to pass to the API.

Example:

download: false

Key Value

Optional

Allowed values:

Start Time 

Enter the start time to limit the results to only actions that were created after the specified date and time. Example: 

"2020-01-01t00:00:00.000z"

Text

Optional

Type 

Enter the type to limit the results to only actions with the specified type. 

Example: 

["PATCH_ALERT"]

List

Optional

Allowed values are PATCH_ALERT and CREATE_INVESTIGATION

Sort Fields 

Enter the sort fields. Example: 

CREATED_AT

Text

Optional

Allowed values are CREATED_AT and TASK_COUNT

Sort Order 

Enter the sort order. Example: 

"desc"

Text

Optional

Allowed values are ASC and DESC.

Index 

The index of the page to retrieve (zero-indexed). Example: 

0

Integer

Optional

Size 

Enter the size of the page to retrieve. 

Example: 

10

Integer

Optional

Status 

Enter the status to limit the results to only actions with a specified status. 

Example: 

PENDING

Text

Optional

Allowed values are PENDING, RUNNING, FAILED, COMPLETE_WITH_ISSUES, and COMPLETED.

Has Failed Task 

Enter true to limit the results to only actions that have failed tasks. 

Example: 

true, false

Boolean

Optional

actions

Array of Objects

List of actions taken.

actions.rrn

String

Resource reference number for the action.

actions.type

String

Type of action taken. Example: "PATCH_ALERT"

actions.created_at

String

Date and time the action was created. Example: "2019-08-24T14:15:22Z"

actions.task_count

Number

Number of tasks associated with the action.

actions.request_payload

String

Payload of the request related to the action.

actions.metadata

Array of Objects

Additional metadata for the action.

actions.metadata.key

String

Key for the metadata entry.

actions.metadata.value

String

Value for the metadata entry.

actions.metadata.display

String

Display name for the metadata entry.

metadata

Object

Metadata about the response.

metadata.index

Number

Current index in pagination.

metadata.size

Number

Number of items per page.

metadata.items_in_index

Number

Number of items in the current index.

metadata.total_items

Number

Total number of items across all indices.

metadata.is_last_index

Boolean

Indicates if the current index is the last one. Example: true

region_failures

Array of Objects

Failures by region.

region_failures.region

String

Region where the failure occurred.

region_failures.message

String

Message describing the failure.

Action rrn

Enter the unique identifier for the action.

Example: 0bnc17f4-bbbe-46b1-a843-163c074bd1ad

Text

Required

Status

Enter the status to limit the results to only tasks with a specified status. Example: PENDING

Text

Optional

Allowed values are PENDING, RUNNING, FAILED, COMPLETE_WITH_ISSUES, and COMPLETED.

Index

The index of the page to retrieve (zero-indexed). Example: 0

Integer

Optional

Size

Enter the size of the page to retrieve. Example: 10

Integer

Optional

tasks

Array of Objects

List of tasks with their details.

tasks.rrn

String

Resource reference number for the task.

tasks.item_identifier

String

Identifier for the item associated with the task.

tasks.status

String

Status of the task. Example: "PENDING"

tasks.failure_reason

String

Reason for the task's failure, if any.

metadata

Object

Metadata about the response.

metadata.index

Number

Current index in pagination.

metadata.size

Number

Number of items per page.

metadata.items_in_index

Number

Number of items in the current index.

metadata.total_items

Number

Total number of items across all indices.

metadata.is_last_index

Boolean

Indicates if the current index is the last one. Example: true

region_failures

Array of Objects

Failures by region.

region_failures.region

String

Region where the failure occurred.

region_failures.message

String

Message describing the failure.

Alert rrn 

Enter the alert RRN. 

Example: 

0bnc17f4-bbbe-46b1-a843-163c074bd1ad

Text

Required

Index 

The index of the page to retrieve (zero-indexed). Example: 

0

Integer

Optional

Size 

Enter the size of the page to retrieve. 

Example: 

10

Integer

Optional

actors

Array of Objects

List of actors or entities.

actors.rrn

String

Global unique identifier for the actor.

actors.id

String

Identifier of the actor.

actors.type

String

Type of the actor.

actors.display_name

String

Display name of the actor.

metadata

Object

Metadata about the collection of actors.

metadata.index

Number

Index of the current set of actors.

metadata.size

Number

Size of the current set of actors.

metadata.items_in_index

Number

Number of items in the current index.

metadata.total_items

Number

Total number of items across all indexes.

metadata.is_last_index

Boolean

Indicator if the current index is the last one.

Field id 

Enter the field ID. 

Example: 

73654

Integer

Required

Search 

Enter the search. 

Example: 

malware

Text

Optional

Index 

The index of the page to retrieve (zero-indexed). Example: 

0

Integer

Optional

Size 

Enter the size of the page to retrieve. 

Example: 

10

Integer

Optional

values

Array of Objects

List of values.

values.value

String

The main value

values.display

String

The display value associated with the main value.

values.additional_displays

Array of Objects

List of additional displays.

values.additional_displays.name

String

Name of the additional display.

values.additional_displays.display

String

The display value associated with the additional display.

metadata

Object

Metadata information.

metadata.index

Number

The index value.

metadata.size

Number

The size value.

metadata.items_in_index

Number

Number of items in the index.

metadata.total_items

Number

Total number of items.

metadata.is_last_index

Boolean

Indicates if it is the last index, e.g., true.

region_failures

Array of Objects

List of region failures.

region_failures.region

String

The region associated with the failure.

region_failures.message

String

The message describing the failure.

Path 

Enter the path to limit results to only fields that are the same as or less than this value. 

Example: 

process

Text

Optional

Path depth 

Enter the path depth. Example: 

1

Integer

Optional

Value must be greater than or equal to 1.

Search 

Enter the search term. Example:

malware

Text

Optional

Index 

The index of the page to retrieve (zero-indexed). Example: 

0

Integer

Optional

Size 

Enter the size of the page to retrieve. 

Example: 

10

Integer

Optional

fields

Array of Objects

List of fields.

fields.id

String

The ID of the field.

fields.is_enumerable

Boolean

Indicates if the field is enumerable.

fields.is_searchable

Boolean

Indicates if the field is searchable.

fields.is_sortable

Boolean

Indicates if the field is sortable.

fields.is_aggregateable

Boolean

Indicates if the field is aggregateable.

fields.display_groups

Array of Objects

List of display groups.

fields.display_groups.name

String

The name of the display group.

fields.display_groups.is_column

Boolean

Indicates if the display group is a column.

fields.display_groups.has_children

Boolean

Indicates if the display group has children.

metadata

Object

Metadata information.

metadata.index

Number

The index value.

metadata.size

Number

The size value.

metadata.items_in_index

Number

Number of items in the index.

metadata.total_items

Number

Total number of items.

metadata.is_last_index

Boolean

Indicates if it is the last index.

region_failures

Array of Objects

List of region failures.

region_failures.region

String

The region associated with the failure, if any.

region_failures.message

String

The message describing the failure, if any.

Alert rrn

Enter the unique identifier of the alert.

Example: 0bnc17f4-bbbe-46b1-a843-163c074bd1ad

Text

Required

Force refresh

Enter true to indicate whether forced refresh is enabled for the process tree.

Example: true, false

Boolean

Required

When true, it forces the tree to be regenerated regardless of the available data, otherwise the cached version is returned if available. Note that regeneration is an expensive operation, response times may be high.

Index

The index of the page to retrieve (zero-indexed). Example: 0

Integer

Optional

Size

Enter the size of the page to retrieve. Example: 10

Integer

Optional

Branch

Enter the branch number to generate the process tree with. Example: 9

Integer

Optional

process_trees

Array of Objects

List of process trees.

process_trees.rrn

String

Resource reference number.

process_trees.creator

String

Creator of the resource.

process_trees.created_at

String

Date and time the resource was created. Example: "2019-08-24T14:15:22Z"

process_trees.updated_at

String

Date and time the resource was last updated. Example: "2019-08-24T14:15:22Z"

process_trees.alert_rrn

String

Reference number of the related alert.

process_trees.tree_uuid

String

UUID of the process tree.

process_trees.process_tree

Object

Details about the process tree.

process_trees.process_tree.pid

String

Process ID.

process_trees.process_tree.name

String

Name of the process.

process_trees.process_tree.cmdline

String

Command line used to start the process.

process_trees.process_tree.username

String

Username under which the process is running.

process_trees.process_tree.start_time

Number

Start time of the process (epoch time).

process_trees.process_tree.hashes

Object

Hashes associated with the process.

process_trees.process_tree.hashes.md5

String

MD5 hash of the process.

process_trees.process_tree.hashes.sha1

String

SHA1 hash of the process.

process_trees.process_tree.hashes.sha256

String

SHA256 hash of the process.

process_trees.process_tree.children

Array of Objects

Child processes.

process_trees.new_starts

Number

Count of new process starts.

process_trees.snapshots

Number

Count of snapshots taken.

process_trees.refresh_status

Boolean

Indicates if the refresh status is true or false. Example: true

metadata

Object

Metadata about the process trees.

metadata.index

Number

Index of the metadata.

metadata.size

Number

Size of the metadata.

metadata.items_in_index

Number

Number of items in the index.

metadata.total_items

Number

Total number of items.

metadata.is_last_index

Boolean

Indicates if it is the last index. Example: true

Alert rrn 

Enter the alert rnn. 

Example: 

"0bnc17f4-bbbe-46b1-a843-163c074bd1ad"

Text

Required

Index 

The index of the page to retrieve (zero-indexed). Example: 

0

Integer

Optional

Size 

Enter the size of the page to retrieve. 

Example: 

10

Integer

Optional

Search 

Limits the results to those containing the search term.

Text

Optional

Start Time 

Enter the start time of the range to search. Example: 

2020-01-01t00:00:00.000z

Text

Required

End Time 

Enter the end time of the range to search.

Example: 

2020-01-01t00:00:00.000z

Text

Required

LEQL Query 

Enter the LEQL query. Example: 

(where(931dde6c60>=800))

Text

Required

Terms 

Enter the search terms to match against.

Example: 

{"key":"value"}

Key Value

Required

Index 

The index of the page to retrieve (zero-indexed). Example: 

0

Integer

Optional

Size 

Enter the size of the page you want to retrieve. 

Example: 

10

Integer

Optional

Search 

Enter the search criteria. 

Example: 

malware

Text

Optional

users

Array of Objects

List of users.

users.id

String

Identifier of the user.

users.email

String

Email address of the user.

users.name

String

Name of the user.

metadata

Object

Metadata about the collection of users.

metadata.index

Number

Index of the current set of users.

metadata.size

Number

Size of the current set of users.

metadata.items_in_index

Number

Number of items in the current index.

metadata.total_items

Number

Total number of items across all indexes.

metadata.is_last_index

Boolean

Indicator if the current index is the last one.

Alert RRNs 

Enter the RRNs of the alerts to retrieve. Example: 

["0bnc17f4-bbbe-46b1-a843-163c074bd1ad", "0bnc17f4-bbbe-46b1-a843-163c074bd1ad"]

List

Required

Field IDs 

Enter the field IDs of additional fields to include for each alert. No additional fields are included if this parameter is empty.

Example: 

["key1", "key2"]

List

Optional

Strict 

Choose true to return a 404 error if no alerts are found. Example:

true

Boolean

Optional

Alert rrn 

Enter the unique identifier of the alert. 

Example: 

0bnc17f4-bbbe-46b1-a843-163c074bd1ad

Text

Required

Process tree rrn 

Enter the unique identifier of the process tree. Example: 

"1cft17f4-bbbe-46b1-a843-163ciqabd1ad"

Text

Required

Force refresh 

Enter true to indicates whether forced refresh is enabled for the process tree. Example: 

true, false

Boolean

Required

Branch 

Enter the branch number to generate the process tree with. 

Example: 

6

Integer

Optional

rrn

String

Resource reference number.

creator

String

Creator of the resource.

created_at

String

Date and time the resource was created. Example: "2019-08-24T14:15:22Z"

updated_at

String

Date and time the resource was last updated. Example: "2019-08-24T14:15:22Z"

alert_rrn

String

Reference number of the related alert.

tree_uuid

String

UUID of the process tree.

process_tree

Object

Details about the process tree.

process_tree.pid

String

Process tree ID.

process_tree.name

String

Name of the process.

process_tree.cmdline

String

Command line used to start the process.

process_tree.username

String

Username under which the process is running.

process_tree.start_time

Number

Start time of the process (epoch time).

process_tree.hashes

Object

Hashes associated with the process.

process_tree.hashes.md5

String

MD5 hash of the process.

process_tree.hashes.sha1

String

SHA1 hash of the process.

process_tree.hashes.sha256

String

SHA256 hash of the process.

process_tree.children

Array of Objects

Child processes.

new_starts

Number

Count of new process starts.

snapshots

Number

Count of snapshots taken.

refresh_status

Boolean

Indicates if the refresh status is true or false

Alert rrn 

Enter the unique identifier of the alert.

Example: 

0bnc17f4-bbbe-46b1-a843-163c074bd1ad

Text

Required

rrn

Unique identifier for the record.

String

version

Version number of the record.

Number

created_at

Timestamp when the record was created.

String

updated_at

Timestamp when the record was last updated.

String

alerted_at

Timestamp when the record was last alerted.

String

ingested_at

Timestamp when the record was ingested.

String

external_source

Name of the external source providing the data.

String

external_id

External identifier associated with the record.

String

organization

Information about the organization associated with the record.

Object

organization.id

Identifier of the organization.

String

organization.name

Name of the organization.

String

organization.region

Region where the organization is located.

String

organization.product_token

Token associated with the organization's product.

String

organization.customer_id

Identifier of the customer within the organization.

String

organization.customer_name

Name of the customer within the organization.

String

organization.customer_code

Code associated with the customer.

String

organization.customer_group

Group or category the customer belongs to.

String

organization.flags

Flags associated with the organization.

Array of Strings

title

Title or name associated with the record.

String

type

Type of the record.

String

rule

Details of the rule associated with the record.

Object

rule.rrn

Rule identifier.

String

rule.name

Name of the rule.

String

rule.mitre_tcodes

Mitre Tcodes associated with the rule.

Array of Strings

rule.version_rrn

Version identifier of the rule.

String

rule_matching_keys

Keys used for matching rules.

Array of Objects

rule_matching_keys.key

Key used for matching rules.

String

rule_matching_keys.values

Values associated with the matching key.

Array of Strings

rule_keys_of_interest

Keys of interest for rules.

Array of Objects

rule_keys_of_interest.key

Key of interest for rules.

String

rule_keys_of_interest.values

Values associated with the key of interest.

Array of Strings

responsibility

Responsibility status associated with the record.

String

monitored

Flag indicating if the record is monitored.

Boolean

assignee

Details of the assignee responsible for the record.

Object

assignee.at

Timestamp when the assignee was assigned.

String

assignee.id

Identifier of the assignee.

String

assignee.email

Email address of the assignee.

String

assignee.first_name

First name of the assignee.

String

assignee.last_name

Last name of the assignee.

String

priority

Priority status associated with the record.

String

status

Status of the record.

String

status_transitions

Transition times for status changes.

Object

status_transitions.seconds_to_first_investigating

Seconds elapsed to first investigating status.

Number

status_transitions.seconds_to_first_closed

Seconds elapsed to first closed status.

Number

disposition

Disposition status associated with the record.

String

investigation_rrn

Unique identifier for the associated investigation.

String

tags

Tags associated with the record.

Array of Strings

permissions

Permissions associated with the record.

Object

permissions.canEdit

Flag indicating if editing is permitted.

Boolean

fields

Custom fields associated with the record.

Array of Objects

fields.id

Identifier of the field.

String

fields.values

Values associated with the field.

Array of Strings

Field id 

Enter the field ID. 

Example: 

9873546

Integer

Required

id

String

Identifier.

is_enumerable

Boolean

Indicates if the field is enumerated, e.g., true.

is_searchable

Boolean

Indicates if the field is searchable, e.g., true.

is_sortable

Boolean

Indicates if the field is sortable, e.g., true.

is_aggregateable

Boolean

Indicates if the field is aggregateable, e.g., true.

display_groups

Array of Objects

List of display groups the field belongs to.

display_groups.name

String

Name of the display group.

display_groups.is_column

Boolean

In this group, indicates whether the field can be displayed as a table column., e.g., true.

display_groups.has_children

Boolean

In this group, indicates whether other fields are nested beneath the field (for example, if other fields exist that have the field as part of their path).

Start time 

Enter the start time of the range to search. 

Example: 

2020-01-01t00:00:00.000z

Text

Required

Terms 

Enter the search terms. Example: 

[ { "field_ids": [ "string" ]

List

Required

Sort 

Enter the sort order. Example: 

[{"field_id": "string","order": "ASCENDING_NULLS_LAST"}]

List

Optional

Allowed values for order are ASCENDING_NULLS_LAST, ASCENDING_NULLS_FIRST, DESCENDING_NULLS_LAST, and DESCENDING_NULLS_FIRST.

Leql query 

The LEQL 'where' clause to match against. 

Example: (where(931dde6c60>=800))

Text

Optional

End time 

Enter the end time of the range to search. 

Example: 

2020-01-01t00:00:00.000z

Text

Optional

Rrn only 

Specify whether the response returns only the alert RRNs and the alert details.

Boolean

Optional

If you set it to TRUE, the response returns the RRNs only. If you set it to FALSE or is unspecified, the response returns the RRNs and the alert details.

Index 

Enter the index of the page to retrieve (zero-indexed). Example: 

0

Integer

Optional

Size 

Enter the size of the page to retrieve. 

Example: 

10

Integer

Optional

Extra params 

Enter the extra params. Example: 

{ "name": "string", "type": "bucket", "fields": [ { "field_id": "string", "interval": 0, "order": "ASCENDING_NULLS_LAST" }

Key Value

Optional

Field ids 

Enter the field IDs of the alert. 

Example: 

["key1", "key2"]

List

Optional

Aggregates 

Enter the aggregations to apply for all matching results. 

Example: 

[{ "name": "string", "type": "bucket", "fields": [ { "field_id": "string", "interval": 0, "order": "ASCENDING_NULLS_LAST" }]

List

Optional

rrns

Array of Strings

Array of unique identifiers (RRNs) of the alerts.

alerts

Array of Objects

Array of alert objects.

alerts.rrn

String

Unique identifier for the alert record.

alerts.version

Number

Version number of the alert.

alerts.created_at

String

Timestamp when the alert was created.

alerts.updated_at

String

Timestamp when the alert was last updated.

alerts.alerted_at

String

Timestamp when the alert was last alerted.

alerts.ingested_at

String

Timestamp when the alert was ingested.

alerts.external_source

String

Name of the external source providing the alert data.

alerts.external_id

String

External identifier associated with the alert record.

alerts.organization

Object

Information about the organization associated with the alert record.

alerts.organization.id

String

Identifier of the organization.

alerts.organization.name

String

Name of the organization.

alerts.organization.region

String

Region where the organization is located.

alerts.organization.product_token

String

Token associated with the organization's product.

alerts.organization.customer_id

String

Identifier of the customer within the organization.

alerts.organization.customer_name

String

Name of the customer within the organization.

alerts.organization.customer_code

String

Code associated with the customer.

alerts.organization.customer_group

String

Group or category the customer belongs to.

alerts.organization.flags

Array of Strings

Flags associated with the organization.

alerts.title

String

Title or name associated with the alert record.

alerts.type

String

Type of the alert record.

alerts.rule

Object

Details of the rule associated with the alert record.

alerts.rule.rrn

String

Rule identifier.

alerts.rule.name

String

Name of the rule.

alerts.rule.mitre_tcodes

Array of Strings

Mitre Tcodes associated with the rule.

alerts.rule.version_rrn

String

Version identifier of the rule.

alerts.rule_matching_keys

Array of Objects

Keys used for matching rules.

alerts.rule_matching_keys.key

String

Key used for matching rules.

alerts.rule_matching_keys.values

Array of Strings

Values associated with the matching key.

alerts.rule_keys_of_interest

Array of Objects

Keys of interest for rules.

alerts.rule_keys_of_interest.key

String

Key of interest for rules.

alerts.rule_keys_of_interest.values

Array of Strings

Values associated with the key of interest.

alerts.responsibility

String

Responsibility status associated with the alert record.

alerts.monitored

Boolean

Flag indicating if the alert record is monitored.

alerts.assignee

Object

Details of the assignee responsible for the alert record.

alerts.assignee.at

String

Timestamp when the assignee was assigned.

alerts.assignee.id

String

Identifier of the assignee.

alerts.assignee.email

String

Email address of the assignee.

alerts.assignee.first_name

String

First name of the assignee.

alerts.assignee.last_name

String

Last name of the assignee.

alerts.priority

String

Priority status associated with the alert record.

alerts.status

String

Status of the alert record.

alerts.status_transitions

Object

Transition times for status changes.

alerts.status_transitions.seconds_to_first_investigating

Number

Seconds elapsed to first investigating status.

alerts.status_transitions.seconds_to_first_closed

Number

Seconds elapsed to first closed status.

alerts.disposition

String

Disposition status associated with the alert record.

alerts.investigation_rrn

String

Unique identifier for the associated investigation.

alerts.tags

Array of Strings

Tags associated with the alert record.

alerts.permissions

Object

Permissions associated with the alert record.

alerts.permissions.canEdit

Boolean

Flag indicating if editing is permitted.

alerts.fields

Array of Objects

Custom fields associated with the alert record.

alerts.fields.id

String

Identifier of the field.

alerts.fields.values

Array of Strings

Values associated with the field.

metadata

Object

Metadata related to the collection of alerts.

metadata.index

Number

Index of the current batch of alerts.

metadata.size

Number

Size of the current batch of alerts.

metadata.items_in_index

Number

Number of items in the current index.

metadata.total_items

Number

Total number of items in the collection.

metadata.is_last_index

Boolean

Flag indicating if the current index is the last.

aggregates

Array of Objects

Aggregates related to the alerts.

aggregates.name

String

Name of the aggregate.

aggregates.type

String

Type of the aggregate.

aggregates.value

Object

Value associated with the aggregate.

aggregates.field_ids

Array of Strings

Identifiers of fields associated with the aggregate.

aggregates.buckets

Array of Objects

Buckets associated with the aggregate.

aggregates.buckets.keys

Array of Arrays of Strings

Keys within the bucket.

aggregates.buckets.count

Number

Count of items within the bucket.

region_failures

Array of Objects

Failures related to specific regions, if any.

region_failures.region

String

Region where the failure occurred.

region_failures.message

String

Message describing the failure.

Filters 

Enter the filters. 

Example: 

{"multi-customer": "true"}

Key Value

Optional

Payload 

Enter the payload. 

Example: 

{"multi-customer": "true"}

Key Value

Optional

ID

Enter the ID of an investigation.

Example:

"174e4f99-2ac7-4481-9301-4d24c34baf06"

Text

Required

Status

Enter the status of the investigation.

Example:

"open"

Text

Required

Allowed values:

ID

Enter the ID of an investigation.

Example:

"174e4f99-2ac7-4481-9301-4d24c34baf06"

Text

Required

Multi Customer

Choose to verify whether this is a multi-customer request.

Example:

false

Boolean

Optional

Allowed values:

Default value:false

Assignee

Enter the email ID of the assignee.

Example:

"john.doe@sampledomain.com"

Text

Optional

Priority

Enter the priority of the investigation.

Example:

"low"

Text

Optional

Allowed values:

Disposition

Enter the disposition of the investigation.

Examples:

Text

Optional

Status

Enter the status of the investigation.

Examples:

Text

Optional

Tags

Enter the tags of the investigation.

Example:

"tag1, tag2, tag3"

Text

Optional

Title

Enter the new name of the investigation.

Example:

"new_name"

Text

Optional

Threat Command Close Reason

Enter the threat command close reason of the investigation.

Example:

"threat_command_close_reason"

Text

Optional

Threat Command Free Text

Enter the threat command free text of the investigation.

Example:

"threat_command_free_text"

Text

Optional

Start time 

Enter the start time. Example: 

"2020-01-01t00:00:00.000z"

Text

Required

Terms 

Enter the search terms. Example: 

{ "field_ids": "string" }

Key Value

Required

Patch 

Enter the new information to update the alerts with. Example: 

{"status":"open"}

Key Value

Required

End time 

Enter the end time. 

Example: 

"2020-01-01t00:00:00.000z"

Text

Optional

Leql query 

Enter the leql query. Example: 

"(where(931dde6c60>=800))"

Text

Optional

Alert rrn 

Enter the alert rrn. 

Example: 

"0bnc17f4-bbbe-46b1-a843-163c074bd1ad"

Text

Required

Alert status 

Enter the alert status. 

Text

Required

Allowed values: 

Disposition value 

Enter the disposition value. 

Text

Required

Allowed values: 

Priority value 

Enter the priority value. 

Text

Required

Allowed values: 

Assignee id 

Enter the user assigned to the alert. 

Example: 

"0bnc17f4-bbbe-46b1-a843-163c074bd1ad"

Text

Required

Investigation rrn 

Enter the investigation rrn. Example: 

"0bnc17f4-bbbe-46b1-a843-163c074bd1ad"

Text

Required

Tag value 

Enter the tags. 

Example: 

["tag1", "tag2"]

List

Required

Tag action 

Enter the action to add or remove tags from the alerts.

Text

Required

Allowed values: 

Comments 

Enter the reason for updating the alerts, which is captured in the alert audit log for tracking purposes.

Text

Required