--- openapi: "3.0.3" info: title: "Lacework API 2.0 Documentation" description: "The Lacework API documentation is available directly from your Lacework\ \ application at the following URI:\n`https://YourLacework.lacework.net/api/v2/docs`,\ \ where `YourLacework` is your Lacework application.\n\nNo login to the Lacework\ \ Console is required. However, there is a link to the Lacework API 2.0 documentation\ \ from the\nLacework Console. From the **Help** drop-down, select **API Documentation**\ \ and then **API 2.0 Documentation**.\n\n All the Lacework API operations listed\ \ below require an API Access Token to allow access to the Lacework API. For more\ \ information about getting a temporary API Access Token to pass into these operations\ \ as a header, see https://docs.fortinet.com/document/lacework-forticnapp/latest/api-reference/932048/api-keys-and-access-tokens.\ \ \n\nYou can run the Lacework APIs using your favorite REST API tools, such as\ \ curl or Postman. You can also run the Lacework API from the **Lacework CLI**.\ \ For more information, see \n[Getting Started with the Lacework CLI](https://docs.fortinet.com/document/lacework-forticnapp/latest/cli-reference/68020/get-started-with-the-lacework-forticnapp-cli)." termsOfService: "https://www.lacework.com/terms-of-use/" contact: name: "Lacework, Inc." url: "https://info.lacework.com/contact" email: "info@lacework.net" license: name: "Lacework Use License" url: "https://www.lacework.com/terms-of-use/" version: "2.0" tags: - name: "OVERVIEW" x-displayName: "Overview" description: "

Conventions

\n\n 1. **Parameters:** Parameters follow the\ \ JSON conventions, i.e., camelcase or lowerCamelcase notation, for all parameter\ \ names in the query, request and response bodies, for example, `startTime`,\ \ `endTime`. \n\n 2. **Data Types:** For the constant types of data sets, integrations,\ \ assets, and other resources, the convention is to use UpperCamelcase notation,\ \ for example, `AlertChannels`, `AuditLogs`, `CloudActivities`. \n\n 3. **Response\ \ Schema:** A successful response returns either the HTTP 200 or 201 Status Code\ \ and a top-level property called `data`, which contains the result in the JSON\ \ format. A response returning the HTTP 4xx or 5xx Status Code returns the top-level\ \ property called `message`, which contains an error message. \n\n 4. `additionalProperties`\ \ **Keyword**: For all response schemas, the `additionalProperties` keyword is\ \ set to `true`. This means additional fields or properties can be added to responses\ \ in the future. For information about the `additionalProperties` keyword, see\ \ the [JSON Schema online documentation](http://json-schema.org/understanding-json-schema/reference/object.html#additional-properties).\ \ \n\n\n

Simple & Advanced Search

\n\n The Lacework API provides simple\ \ and advanced searches for retrieving information.\n\n For simple searches,\ \ specify a HTTP GET method with simple query parameters, for example, `startTime`,\ \ `endTime`.\n\n For advanced searches, specify a HTTP POST method with filters\ \ in the request body. For a given endpoint, you can see what fields are available\ \ to filter on by viewing the response schema for the endpoint. The filters in\ \ requests that have multiple filters are `AND`'d, that is, all filters conditions\ \ must be met to satisfy a match. \n\n There are 16 filter types consisting of\ \ seven pairs and two unique operators, which are similar to the SQL comparison\ \ operators for database queries. The pairs are: \n\n * The `eq` operator allows\ \ you to specify a value that the field values of the result must be equal to.\ \ The `ne` operator means not equal to. Note the `value` field of the `filters`\ \ must be used; the `values` field of the `filters` cannot be used for `eq` and\ \ `ne`. \n\n * The `in` operator allows you to specify multiple values in the\ \ `values` field of the `filters`. The field values of the result must match one\ \ of the values. The `not_in` operator is the opposite of `in`. Note the `value`\ \ field of the `filters` cannot be used for `in` and `not_in`. \n\n * The `like`\ \ operator allows you to specify a pattern that the field values of the result\ \ must match. The `not_like` operator is the opposite of `like`. Note the `values`\ \ field of the `filters` cannot be used for `like` and `not_like`. \n\n * The\ \ `ilike` operator works similar to `like` but it makes the match case insensitive.\ \ The `not_ilike` operator is the opposite of `ilike`. Note the `values` field\ \ of the `filters` cannot be used for `ilike` and `not_ilike`. \n\n * The `rlike`\ \ operator matches the specified pattern represented by regular expressions (more\ \ info on [RLIKE — Snowflake Documentation](https://docs.snowflake.com/en/sql-reference/functions/rlike.html)).\ \ You can use `rlike` to filter object values in arrays, to return only those\ \ values that match a regular expression. The `not_rlike` operator is the opposite\ \ of `rlike`. Note the `values` field of the `filters` cannot be used for `rlike`\ \ and `not_rlike`. \n\n * The `gt` operator allows you to specify a value that\ \ the field values of the result must be `greater than`. The `lt` (less-than)\ \ operator is the opposite of `gt`. Note the `values` field of the `filters` cannot\ \ be used for `gt` and `lt`. \n\n * The `ge` operator allows you to specify a\ \ value that the field values of the result must be `greater than or equal to`.\ \ The `le` (less-than-or-equal-to) operator is the opposite of `ge`. Note the\ \ `values` field of the `filters` cannot be used for `ge` and `le`. \n\n The\ \ unique operators are: \n\n * The `between` operator allows you to specify a\ \ range that the field values of the result must be within. The specified upper\ \ boundary must be larger/greater than the lower boundary. The two values of upper\ \ and lower boundaries must be set in the `values` field of the `filters`. Note\ \ the `value` field of the `filters` cannot be used for `between`. \n\n * The\ \ `expr` operator is reserved for future use. \n\n\n

Date & Time Formats

\n\ \n For date and time parameters, the time zone is always UTC and the following\ \ formats are supported: \n\n * `yyyy-MM-dd` for example, `2020-12-18` \n\n \ \ * `yyyy-MM-ddTHH` for example, `2020-12-18T08`\n\n * `yyyy-MM-ddTHH:mm:ssZ`\ \ for example `2020-12-18T08:00:00Z`\n\n * `yyyy-MM-ddTHH:mm:ss.SSSZ` for example,\ \ `2020-12-18T08:00:00.000Z`\n\n\n

Organization Level Access

\n\n An\ \ organization may have a primary account and multiple sub-accounts. An access\ \ token generated for the primary account and used as the authorization token\ \ can also be used for one of the sub-accounts, with the additional header called\ \ `Account-Name` (case insensitive).\n\n For example, if the primary account is\ \ `xyz` and the sub-account is `xyz-sub1`, set the `Account-Name` header to `xyz-sub1`.\ \ \n\n **Note:** Multiple sub-account and organizational-level access is limited\ \ to access tokens generated with regular user API keys. A service user has access\ \ to individual accounts only.\n\n To access organization-level data sets, you\ \ can use a header called `Org-Access` (case insensitive). If this header is set\ \ to `true` (case insensitive) and the authorization token has the proper permissions\ \ (org admin), if specified, the `Account-Name` header is ignored. If the `Org-Access`\ \ header is not set to `true`, the `Account-Name` header is used, if specified.\n\ \n\n

Pagination

\n\n Making calls to Lacework APIs could return a lot\ \ of results. Pagination of the results helps manage overall performance and makes\ \ the responses easier for you to handle by dividing the results into separate\ \ pages, each with a subset of the results. \n\n The following row limits apply:\ \ \n\n * Row limit per page: 5,000 rows \n\n * Row limit of all pages of one result\ \ set: 500,000 rows \n\n\n Pagination is available for some datasets, such as\ \ those that are searched with the `/api/v2/Vulnerabilities/Containers/search`\ \ or `/api/v2/Entities/Machines/search` endpoints. \n\n Pagination metadata is\ \ located within the response's `paging` field, which contains information for\ \ `rows`, `totalRows`, and `urls`. The `urls` field contains the `nextPage` field\ \ with the Next Page URL. The Next Page URLs stay valid for 24 hours. No pagination\ \ is available for an API if the `paging` field is missing from a response. \n\ \n To get the next page of the result, use the entire Next Page URL and send a\ \ GET request with the two required HTTP headers: \"Authorization: Bearer {YourAPIToken}\"\ \ and \"Content-Type: application/json\". \n\n Example: \n\n > `GET https://YourLacework.lacework.net/api/v2/Vulnerabilities/Containers/abcxyz...`\ \ \n\n See the right panel for response examples. \n\n\n

Rate Limiting

\ \ \n\n The current rate limit is 480 API requests per hour per user. When the\ \ total number of API requests on a one-hour rolling window exceeds the rate limit,\ \ the HTTP 429 Too Many Requests response status code is returned. \n\n Lacework\ \ uses the token bucket algorithm to apply request rate limiting. Each API v2\ \ functionality has its own bucket with 480 tokens and each request that you make\ \ removes one token from the bucket. For example, performing a `GET /api/v2/AgentAccessTokens`\ \ or a `GET /api/v2/AgentAccessTokens/{ID}` are both part of one functionality,\ \ which gets an agent access token, so each request removes one token from the\ \ same bucket. Similarly, updating an agent access token (`PATCH /api/v2/AgentAccessTokens/{ID}`)\ \ is a different functionality and disregards the ID to use the same bucket, so\ \ a token is removed from a different bucket. \n\n Each request sends back three\ \ response headers following standard HTTP naming conventions for rate limiting.\ \ `RateLimit-Limit` is the total number of requests you can make in an hour, `RateLimit-Remaining`\ \ is the number of remaining requests, and `RateLimit-Reset` is how much time\ \ it will take (in seconds) before you can make another request once the limit\ \ is reached. For more information about `RateLimit` header fields, see [IETF\ \ Draft 05](https://tools.ietf.org/id/draft-polli-ratelimit-headers-05.html).\ \ \n\n\n

POST Body Size Limit

\n\n Many Lacework API endpoints accept\ \ data as POST body content. POST body content is limited to 1 MB. Requests that\ \ exceed the 1 MB limit result in a 400 Bad Request error. \n\n\n

Response\ \ Status Codes

\n\n The Lacework API endpoints return the following HTTP\ \ response status codes. \n\n \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \
Status CodeDefinitionDescription
200 OK The request has succeeded.
201 Created The request has been fulfilled\ \ and resulted in a new resource being created.
204 \ \ No Content The server has fulfilled the request but does not need\ \ to return an entity-body.
400 Bad Request \ \ The request could not be understood by the server due to malformed syntax. The\ \ client SHOULD NOT repeat the request without modifications.
401 Unauthorized The request requires user authentication.\ \ If the request already included Authorization credentials, then the 401 response\ \ indicates that authorization has been refused for those credentials.
403 Forbidden The server understood the request,\ \ but is refusing to fulfill it. Authorization will not fix the issue and the\ \ request SHOULD NOT be repeated.
404 Not Found\ \ The server has not found anything matching the Request-URI.
405 Method Not Allowed The method specified\ \ in the Request-Line is not allowed for the resource identified by the Request-URI.\ \
409 Conflict The request could not\ \ be completed due to a conflict with the current state of the resource.
429 Too Many Requests Too many requests\ \ occurred during the allotted time period and rate limiting was applied.
500 Internal Server Error The request did\ \ not complete due to an internal error on the server side. The server encountered\ \ an unexpected condition which prevented it from fulfilling the request.
503 Service Unavailable The server is currently\ \ unable to handle the request due to a temporary overloading or maintenance of\ \ the server.
" - name: "ACCESS_TOKENS" x-displayName: "Access Tokens" description: "[API keys and access tokens](https://docs.fortinet.com/document/lacework-forticnapp/latest/api-reference/932048/api-keys-and-access-tokens)\ \ for API requests. " - name: "SCHEMAS" x-displayName: "Schemas" description: "Get details about the available Lacework schemas." - name: "Activities" x-displayName: "Activities" description: "Get information about network activities detected through the agent." - name: "AgentAccessTokens" x-displayName: "Agent Access Tokens" description: "To connect to the Lacework instance, Lacework agents require an [agent\ \ access token](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/698365/create-agent-access-token)." - name: "AgentInfo" x-displayName: "Agent Information" description: "View and verify information about all agents, including:\n * The hostname\n\ \ * The number of active and inactive agents\n * Machine tags information associated\ \ with the agents\n * The agent version" - name: "AlertChannels" x-displayName: "Alert Channels" description: "Lacework combines [alert channels](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/746001/alert-channels)\ \ with [alert rules](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/705029/alert-rules)\ \ or [report rules](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/79701/report-rules)\ \ to provide a flexible method for routing alerts and reports. " - name: "AlertProfiles" x-displayName: "Alert Profiles" description: "An alert profile is a set of metadata that defines how your LQL queries\ \ get consumed into events and alerts.\n\nAlert profiles exist as a system. Lacework\ \ provides a set of predefined alert profiles to ensure that policy evaluation\ \ gives you useful results out of the box. To create your own customized profiles,\ \ you extend an existing alert profile and add your custom definitions to it.\ \ The predefined alert profiles and operations for defining and editing your own\ \ are exposed via Lacework API calls." - name: "AlertRules" x-displayName: "Alert Rules" description: "Lacework combines [alert channels](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/746001/alert-channels)\ \ and [alert rules](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/705029/alert-rules)\ \ to provide a flexible method for routing alerts. For [alert channels](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/746001/alert-channels),\ \ you define information about where to send alerts, such as to Jira, Slack,\ \ or email. For [alert rules](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/705029/alert-rules),\ \ you define information about which alert types to send, such as critical and\ \ high severity compliance alerts. " - name: "Alerts" x-displayName: "Alerts" description: "Lacework provides real-time alerts that are interactive and manageable.\ \ Each alert contains various metadata information, such as severity level, type,\ \ status, alert category, and associated tags. \n\n You can also post a comment\ \ to an [alert's timeline](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/772309/view-alerts#timeline);\ \ or change an [alert status](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/772309/view-alerts#status)\ \ from Open to Closed." - name: "AuditLogs" x-displayName: "Audit Logs" description: "Audit logs let you view the history of all actions performed within\ \ a Lacework account so you know who made changes to the system and when. For\ \ example, you can see who suppressed certain alerts, what time an authentication\ \ setting was modified, etc. For more information, see [Audit Logs](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/44323/audit-logs)." - name: "CloudAccounts" x-displayName: "Cloud Accounts" description: "Cloud accounts are integrations between Lacework and cloud providers\ \ such as Amazon Web Services, Microsoft Azure, and Google Cloud Platform. " - name: "CloudActivities" x-displayName: "Cloud Activities" description: "Get information about cloud activities for the integrated AWS cloud\ \ accounts in your Lacework instance." - name: "Configs" x-displayName: "Configurations" description: "Get information about compliance configurations." - name: "ContainerRegistries" x-displayName: "Container Registries" description: "Lacework provides the ability to assess, identify, and report vulnerabilities\ \ found in the operating system software packages in a Docker container image.\ \ After integrating a container registry in Lacework, Lacework finds all container\ \ images in the registry repositories, assesses those container images for software\ \ packages with known vulnerabilities, and reports them.\n\n In addition to online\ \ container registry integrations, Lacework helps secure containers that are not\ \ connected to the Internet through the use of [proxy scanners](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/321350/integrate-proxy-scanner)\ \ and [inline scanners](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/371448/integrate-inline-scanner).\ \ Container registries that are of type proxy scanner (`PROXY_SCANNER`) or inline\ \ scanner (`INLINE_SCANNER`) may not include all fields shown below, such as `state`.\n\ \n **Note:** If the `state` property is missing for any type other than `PROXY_SCANNER`\ \ or `INLINE_SCANNER`, the state of the integration is **Pending**." - name: "ContractInfo" x-displayName: "Contract Info" description: "Get Lacework contract information." - name: "DataExportRules" x-displayName: "Data Export Rules" description: "S3 data export allows you to export data collected from your Lacework\ \ account and send it to an S3 bucket of your choice. You can extend Lacework\ \ processed/normalized data to report/visualize alone or combine with other business/security\ \ data to get insights and make meaningful business decisions." - name: "Datasources" x-displayName: "Datasources" description: "Get schema details for all datasources that you can query using LQL." - name: "Entities" x-displayName: "Entities" description: "Lacework continuously monitors machines in your environment and maintains\ \ data on both running and non-running virtual machines." - name: "Events" x-displayName: "Events" description: "View and verify the evidence or observation details of individual\ \ events." - name: "Exceptions" x-displayName: "Policy Exceptions" description: "Policy exceptions are a mechanism used to maintain the policies but\ \ allow you to circumvent one or more restrictions." - name: "Inventory" x-displayName: "Inventory" description: "View and monitor in-use cloud resources' risk, compliance, and configuration\ \ changes. \n\n For more details about snapshots of resources, see [Resource\ \ Inventory](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/744719/resource-inventory)." - name: "OrganizationInfo" x-displayName: "Organization Info" description: "Return information about whether the Lacework account is an organization\ \ account and, if it is, what the organization account URL is by invoking the\ \ following endpoint: \n\n > `GET https://YourLacework.lacework.net/api/v2/OrganizationInfo`" - name: "Policies" x-displayName: "Policies" description: "Policies are a mechanism used to add annotated metadata to queries\ \ for improving the context of alerts, reports, and information displayed in the\ \ Lacework Console. You can fully customize policies." - name: "Queries" x-displayName: "Queries" description: "Queries are the mechanism used to interactively request information\ \ from a specific curated datasource. Queries have a defined structure for authoring\ \ detections." - name: "ReportConfigurations" x-displayName: "Report Configurations" description: "A report configuration associates a framework with an alert channel\ \ for the report. A report configuration can refine the scope of the report by\ \ filtering its content by incident severity, resource groups, and integrations." - name: "ReportRules" x-displayName: "Report Rules" description: "Lacework combines [alert channels](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/746001/alert-channels)\ \ and [report rules](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/79701/report-rules)\ \ to provide a flexible method for routing reports. For [report rules](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/79701/report-rules),\ \ you define information about which reports to send. For [alert channels](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/746001/alert-channels),\ \ you define where to send reports such as to Jira, Slack, or email." - name: "Reports" x-displayName: "Reports" description: "Lacework combines details about non-compliant resources that are in\ \ violation into reports. You must configure at least one cloud integration with\ \ AWS, Azure, or GCP to receive these reports." - name: "ResourceGroups" x-displayName: "Resource Groups" description: "Resource groups provide a way to categorize Lacework-identifiable\ \ assets, including the ability to populate resource groups based on conditional\ \ statements. For more information, see [Resource Groups](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/698623/resource-groups).\ \ \n\n For examples on using the Resource Groups endpoint API for Resource Groups,\ \ see [Using the Resource Groups API](https://docs.fortinet.com/document/lacework-forticnapp/latest/api-reference/690087/using-the-resource-groups-api)." - name: "TeamMembers" x-displayName: "Team Members (Deprecated)" description: "Team members can be granted access to multiple Lacework accounts and\ \ have different roles for each account. Team members can also be granted organization-level\ \ roles. For more information, see [Team Members](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/170036/team-members).\ \ \n\n **Note**: The TeamMembers API is deprecated and is unavailable if you have\ \ migrated to the new RBAC model in your Lacework Console. See [Access Control](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/873733/access-control-overview)\ \ for more information about the new RBAC model." - name: "TeamUsers" x-displayName: "Team Users" description: "Role-based access control (RBAC) gives you control over user access\ \ to resources based on a defined role at an account level. \n\n The Team Users\ \ API works with the new Lacework role-based access control (RBAC) model. After\ \ you enable RBAC in the Lacework Console, the Team Users API is available and\ \ the legacy Team Members API (deprecated) is disabled. For more information on\ \ the legacy API, see the [Team Members APIs](https://youraccount.lacework.net/api/v2/docs/#tag/TeamMembers).\ \ \n\n The Team Users API works with users and groups at the account level only;\ \ organization-level users are not supported. For information on working with\ \ account level users in the Lacework Console, see [Access Control at Account\ \ Level](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/626065/manage-access-at-account-level).\ \ \n\nThe Lacework RBAC model defines two types of users: standard users and service\ \ users. Standard user accounts are typically associated with specific people\ \ in your organization, while service users are often shared among people and\ \ typically represent a service, client, or other type of programmatic Lacework\ \ integration. \n\n See [Access Control Overview](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/873733/access-control-overview)\ \ for details on users and groups in Lacework." - name: "TemplateFiles" x-displayName: "Template Files" description: "Template Files are equivalent to CloudFormation template files. \n\ \n **AWS Config** \n\n For the file parameter, specify AwsConfig to download an\ \ AWS Config CloudFormation template for configuring an AWS Config integration\ \ to analyze AWS configuration compliance. \n\n **AWS Cloud Trail** \n\n For the\ \ file parameter, specify AwsCloudTrail to download an AWS CloudTrail CloudFormation\ \ template for configuring an AWS CloudTrail integration to monitor cloud account\ \ security. \n\n **AWS EKS Audit Logs** \n\n For the file parameter, specify AwsEksAudit\ \ to download an AWS EKS Audit Log template for configuring resources to allow\ \ monitoring of Kubernetes runtime security using audit logs on EKS [(Step 1)](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/772330/eks-audit-log-integration-using-terraform#what-happens-during-step-1).\ \ \n\n For the file parameter, specify AwsEksAuditSubscriptionFilter to download\ \ an AWS EKS Audit Log template for configuring an EKS cluster log group to monitor\ \ EKS runtime security. Optionally pass in `intgGuid` as a query parameter. This\ \ allows the intgGuid to get the SNS ARN, create the firehose ARN, and insert\ \ that into the template before returning it. This means you don't have to find\ \ the firehoseARN and insert it manually. Obtain the integration's intgGuid by\ \ using the `GET https://YourLacework.lacework.net/api/v2/CloudAccounts` endpoint\ \ [(Step 2)](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/772330/eks-audit-log-integration-using-terraform#what-happens-during-step-2).\ \ \n\n After downloading the template, you must upload and run the template file\ \ in the AWS Console. For information about setting up AWS CloudTrail and AWS\ \ Config integrations, see [AWS Integration Using CloudFormation](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/865261/eks-audit-log-integration-using-cloudformation).\ \ For information on EKS Audit Log integration, see [EKS Audit Log Integration](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/772330/eks-audit-log-integration-using-terraform).\ \ You must also create the integration in the Lacework Console." - name: "UserGroups" x-displayName: "User Groups" description: "A [user group](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/873733/access-control-overview)\ \ associates Lacework service and standard users with specific permissions in\ \ Lacework. See [Team Users](#tag/TeamUsers) for information about service and\ \ standard users." - name: "UserProfile" x-displayName: "User Profiles" description: "An organization can contain multiple accounts so you can also manage\ \ components such as alerts, resource groups, team members, and audit logs at\ \ a more granular level inside an organization. For more information, see [Organization\ \ Overview](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/68366/organization-overview)." - name: "Vulnerabilities" x-displayName: "Vulnerabilities" description: "Lacework provides the ability to assess, identify, and report vulnerabilities\ \ found in the operating system software packages in a Docker container image\ \ before the container image is deployed. Lacework also supports scanning of non-OS\ \ packages for programming languages (Java, Ruby, PHP, GO, NPM, .NET, Python)." - name: "VulnerabilityExceptions" x-displayName: "Vulnerability Exceptions" description: "Lacework provides the ability to create exceptions for certain vulnerable\ \ resources and criteria. For example, a certain CVE for a certain package or\ \ all packages can be excepted until a set expiry time." - name: "VulnerabilityObservations" x-displayName: "Vulnerability Observations" description: "Lacework provides the ability to assess, identify, and report vulnerabilities\ \ found in the operating system software packages in a Docker container image\ \ before the container image is deployed. Lacework also supports scanning of\ \ non-OS packages for programming languages such as Java, Ruby, PHP, GO, NPM,\ \ .NET, and Python. This path differs from `/vulnerabilities` by focusing exclusively\ \ on the present state rather than historical assestment data, enabling near\ \ real-time insights into your environment." - name: "VulnerabilityPolicies" x-displayName: "Vulnerability Policies" description: "Lacework provides the ability to create container vulnerability policies\ \ to assess your container images at build and/or runtime based on your own unique\ \ requirements. For example, a policy can be created for any critical vulnerability\ \ with a fix available or a policy to target a specific CVE." - name: "Webhooks" x-displayName: "Webhooks" description: "Send notifications from your integration using a server token or signature." paths: /api/v2/access/tokens: post: tags: - "ACCESS_TOKENS" summary: "Generate Access Tokens" description: "Get access tokens for the API requests by invoking the following\ \ endpoint:\n\n > `POST https://YourLacework.lacework.net/api/v2/access/tokens`\n\ \n After creating a secret key, administrators can generate Temporary API\ \ access (bearer) tokens that clients and client applications use to access\ \ the Lacework API. Create temporary API access (bearer) tokens by invoking\ \ the `POST https://YourLacework.lacework.net/api/v2/access/tokens` endpoint." parameters: - in: "header" name: "X-LW-UAKS" description: "YourSecretKey" required: true schema: type: "string" - in: "header" name: "Content-Type" description: "application/json" required: true schema: type: "string" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/ApiV2AccessTokens" responses: "201": description: "A temporary access (bearer) token is returned." content: application/json: schema: $ref: "#/components/schemas/ResponseApiV2AccessTokens" "4XX": description: "Client Error" content: application/json: schema: $ref: "#/components/schemas/Response4xxApiV2AccessTokens" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/schemas/{type}: get: tags: - "SCHEMAS" summary: "Schema Details" description: "Get a list of available Lacework schema types by invoking the\ \ following endpoint:\n\n > `GET https://YourLacework.lacework.net/api/v2/schemas`\ \ \n\n Get details about a Lacework schema by invoking the following endpoint:\ \ \n\n > `GET https://YourLacework.lacework.net/api/v2/schemas/{type}`\n\n\ \ Here is an example invocation:\n\n > `GET https://YourLacework.lacework.net/api/v2/schemas/AuditLogs`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - name: "type" in: "path" description: "When sending a request, use this parameter to specify the schema\ \ type. If not specified, the response returns all schema types. If specified,\ \ the response returns details of the requested schema." required: true schema: type: "string" example: "AuditLogs" responses: "200": description: "No Error (see example: schema of AuditLogs)" content: application/json: schema: $ref: "#/components/schemas/ResponseApiV2SchemasType" "4XX": description: "Client Error" content: application/json: schema: $ref: "#/components/schemas/ResponseInvalidApiV2SchemasType" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/schemas/{type}/{subtype}: get: tags: - "SCHEMAS" summary: "Schema Details of Subtype" description: "Get details about a Lacework schema by specifying a schema type\ \ and subtype when invoking the endpoint.\n\n > `GET https://YourLacework.lacework.net/api/v2/schemas/{type}/{subtype}`\ \ \n\n Here is an example invocation: \n\n > `GET https://YourLacework.lacework.net/api/v2/schemas/AlertChannels/SlackChannel`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - in: "path" name: "type" description: "When sending a request, use this parameter to specify the schema\ \ type. If not specified, the response returns all schema types. If specified,\ \ the response returns details of the requested schema." required: true schema: type: "string" example: "AlertChannels" - in: "path" name: "subtype" description: "The schema's subtype. If a type is subordinate to another type,\ \ it is called a subtype." required: true schema: type: "string" example: "SlackChannel" responses: "200": description: "No Error (see example: schema of /api/v2/AlertChannels/SlackChannel)" content: application/json: schema: $ref: "#/components/schemas/ResponseApiV2SchemasTypeSubtype" "4XX": description: "Client Error" content: application/json: schema: $ref: "#/components/schemas/ResponseInvalidApiV2SchemasTypeSubtype" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/Activities/ChangedFiles/search: post: tags: - "Activities" summary: "Search Changed Files" description: "Search for changed files in your environment by invoking the following\ \ endpoint:\n\n > `POST https://YourLacework.lacework.net/api/v2/Activities/ChangedFiles/search`\ \ \n\n Lacework highly recommends specifying a time range. Without a specified\ \ time range, the request uses the default time range of 24 hours prior to\ \ the current time. The maximum time range per API request is 7 days. To\ \ use the current time as the end time, exclude the endTime field.\n\n You\ \ can optionally filter the returned changed files by start time, end time,\ \ machine ID, file path, and more. For more information, see [CHANGE_FILES_V\ \ View](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/837331/change-files-v-view).\ \ \n\n Here are some example `body` payloads: \n * `{ \"timeFilter\": { \"\ startTime\": \"2021-08-28T20:30:00Z\", \"endTime\": \"2021-08-28T22:30:00Z\"\ },` \n `\"filters\": [ { \"field\": \"mid\", \"expression\": \"eq\", \"value\"\ : \"48011\" } ] }` \n * `{ \"timeFilter\": { \"startTime\": \"2021-08-28T20:30:00Z\"\ , \"endTime\": \"2021-08-28T22:30:00Z\"},`\n `\"filters\": [ { \"field\":\ \ \"mid\", \"expression\": \"eq\", \"value\": \"48011\" }, { \"field\": \"\ filePath\", \"expression\": \"eq\", \"value\": \"/usr/bin/curl\" } ],` \n\ \ `\"returns\": [ \"filePath\", \"filedataHash\", \"mid\" ] }`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/GET_DATA_REQUEST_BODY_TIME_FILTERS" responses: "200": $ref: "#/components/responses/responseActivities_ChangedFilesList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/Activities/Connections/search: post: tags: - "Activities" summary: "Search Connections" description: "Search for connections in your environment by invoking the following\ \ endpoint:\n\n > `POST https://YourLacework.lacework.net/api/v2/Activities/Connections/search`\ \ \n\n Lacework highly recommends specifying a time range. Without a specified\ \ time range, the request uses the default time range of 24 hours prior to\ \ the current time. The maximum time range per API request is 7 days. To\ \ use the current time as the end time, exclude the endTime field.\n\n You\ \ can optionally filter the returned connections by start time, end time,\ \ created time, machine ID, and more. For more information, see [CONNECTIONS_V\ \ View](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/473122/connections-v-view).\ \ \n\n Here are some example `body` payloads: \n * `{ \"timeFilter\": { \"\ startTime\": \"2022-08-18T00:00:00Z\", \"endTime\": \"2022-08-18T02:00:00Z\"\ },` \n `\"filters\": [ { \"field\": \"dstEntityId.mid\", \"expression\": \"\ eq\", \"value\": \"116018\" } ] }` \n * `{ \"timeFilter\": { \"startTime\"\ : \"2022-08-18T00:00:00Z\", \"endTime\": \"2022-08-18T02:00:00Z\"},`\n `\"\ filters\": [ { \"field\": \"srcEntityId.mid\", \"expression\": \"eq\", \"\ value\": \"123456\" }, { \"field\": \"dstInBytes\", \"expression\": \"le\"\ , \"value\": \"300000\" } ],` \n `\"returns\": [ \"dstEntityId\", \"dstEntityType\"\ , \"srcEntityId\", \"srcEntityType\" ] }`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/GET_DATA_REQUEST_BODY_TIME_FILTERS" responses: "200": $ref: "#/components/responses/responseActivities_ConnectionsList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/Activities/DNSs/search: post: tags: - "Activities" summary: "Search DNS Summaries" description: "Search for DNS summaries in your environment by invoking the following\ \ endpoint:\n\n > `POST https://YourLacework.lacework.net/api/v2/Activities/DNSs/search`\ \ \n\n Lacework highly recommends specifying a time range. Without a specified\ \ time range, the request uses the default time range of 24 hours prior to\ \ the current time. The maximum time range per API request is 7 days. To\ \ use the current time as the end time, exclude the endTime field.\n\n You\ \ can optionally filter the returned DNS summaries by start time, end time,\ \ created time, machine ID, and more. For more information, see [DNS_QUERY_V\ \ View](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/694772/dns-query-v-view).\ \ \n\n Here are some example `body` payloads: \n * `{ \"timeFilter\": { \"\ startTime\": \"2021-08-28T20:30:00Z\", \"endTime\": \"2021-08-28T22:30:00Z\"\ },` \n `\"filters\": [ { \"field\": \"mid\", \"expression\": \"eq\", \"value\"\ : \"48011\" } ] }` \n * `{ \"timeFilter\": { \"startTime\": \"2021-08-28T20:30:00Z\"\ , \"endTime\": \"2021-08-28T22:30:00Z\"},`\n `\"filters\": [ { \"field\":\ \ \"mid\", \"expression\": \"eq\", \"value\": \"48011\" }, { \"field\": \"\ fqdn\", \"expression\": \"eq\", \"value\": \"sqs.us-west-2.amazonaws.com\"\ \ } ],` \n `\"returns\": [ \"fqdn\", \"hostIpAddr\", \"mid\" ] }`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/GET_DATA_REQUEST_BODY_TIME_FILTERS" responses: "200": $ref: "#/components/responses/responseActivities_DNSsList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/Activities/UserLogins/search: post: tags: - "Activities" summary: "Search User Logins" description: "Search for user logins in your environment by invoking the following\ \ endpoint:\n\n > `POST https://YourLacework.lacework.net/api/v2/Activities/UserLogins/search`\ \ \n\n Lacework highly recommends specifying a time range. Without a specified\ \ time range, the request uses the default time range of 24 hours prior to\ \ the current time. The maximum time range per API request is 7 days. To\ \ use the current time as the end time, exclude the endTime field.\n\n You\ \ can optionally filter the returned login activities by start time, end time,\ \ created time, machine ID, and more. For more information, see [USER_LOGIN_V\ \ View](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/246701/user-login-v-view).\ \ \n\n Here are some example `body` payloads: \n * `{ \"timeFilter\": { \"\ startTime\": \"2021-08-28T20:30:00Z\", \"endTime\": \"2021-08-28T22:30:00Z\"\ },` \n `\"filters\": [ { \"field\": \"mid\", \"expression\": \"eq\", \"value\"\ : \"48011\" } ] }` \n * `{ \"timeFilter\": { \"startTime\": \"2021-08-28T20:30:00Z\"\ , \"endTime\": \"2021-08-28T22:30:00Z\"},`\n `\"filters\": [ { \"field\":\ \ \"mid\", \"expression\": \"eq\", \"value\": \"48011\" }, { \"field\": \"\ username\", \"expression\": \"eq\", \"value\": \"ec2-user\" } ],` \n `\"\ returns\": [ \"username\", \"activityType\", \"activityTime\" ] }`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/GET_DATA_REQUEST_BODY_TIME_FILTERS" responses: "200": $ref: "#/components/responses/responseActivities_UserLoginsList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/AgentAccessTokens: post: tags: - "AgentAccessTokens" summary: "Create Agent Access Token" description: "Create a new agent access token that an agent can use to connect\ \ and send data to your Lacework instance by invoking the following endpoint:\n\ \n > `POST https://YourLacework.lacework.net/api/v2/AgentAccessTokens`\n\n\ \ Here is an example `body` payload:\n\n > `{ \"tokenAlias\": \"prod\",\ \ \"tokenEnabled\": \"1\" }`\n" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/AgentAccessTokens_Create_Schema" responses: "201": $ref: "#/components/responses/responseAgentAccessTokens_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" get: tags: - "AgentAccessTokens" summary: "List All Agent Access Tokens" description: "Get a list of currently enabled agent access tokens in your Lacework\ \ instance by invoking the following endpoint:\n\n > `GET https://YourLacework.lacework.net/api/v2/AgentAccessTokens`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" responses: "200": $ref: "#/components/responses/responseAgentAccessTokensList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/AgentAccessTokens/search: post: tags: - "AgentAccessTokens" summary: "Search Agent Access Tokens" description: "Search all enabled agent access tokens in your Lacework instance\ \ by invoking the following endpoint:\n\n > `POST https://YourLacework.lacework.net/api/v2/AgentAccessTokens/search`\n\ \n To limit the returned result, optionally specify one or more filters in\ \ the request body. For more information about using filters, see the [Simple\ \ & Advanced Search section](/api/v2/docs/#tag/OVERVIEW). \n\n You can filter\ \ on the following fields:\n\n * `accessToken`\n\n * `createdTime`\n\n \ \ * `tokenAlias`\n\n * `tokenEnabled`\n\n * `version`\n\n \n\n Here is\ \ an example `body` payload:\n\n > `{ \"filters\" : [ { \"expression\": \"\ eq\", \"field\": \"tokenAlias\", \"value\": \"Eng\" } ] } `\n\n" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/GET_DATA_REQUEST_BODY_FILTERS" responses: "200": $ref: "#/components/responses/responseAgentAccessTokensList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/AgentAccessTokens/{id}: get: tags: - "AgentAccessTokens" summary: "Agent Access Token Details" description: "Get details about an agent access token by invoking the following\ \ endpoint:\n\n > `GET https://YourLacework.lacework.net/api/v2/AgentAccessTokens/{id}`\n\ \n You can get the `{id}` by invoking the `GET /api/v2/AgentAccessTokens`\ \ endpoint. Replace `{id}` with the long hexadecimal access token identifier\ \ returned in the `accessToken` field of the `GET /api/v2/AgentAccessTokens`\ \ endpoint response. " parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - name: "id" in: "path" description: "Agent Access Token {id}" required: true schema: type: "string" responses: "200": $ref: "#/components/responses/responseAgentAccessTokens_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" patch: tags: - "AgentAccessTokens" summary: "Update Agent Access Token" description: "Optionally update the `tokenEnabled` settings of the passed in\ \ agent access token. Update these settings by invoking the following endpoint:\n\ \n > `PATCH https://YourLacework.lacework.net/api/v2/AgentAccessTokens/{id}`\n\ \n Get the agent access token id by calling the `GET /api/v2/AgentAccessTokens`\ \ endpoint.\n\n Replace `{id}` with the long hexadecimal access token identifier\ \ returned in the `accessToken` field of the `GET /api/v2/AgentAccessTokens`\ \ endpoint response.\n\n Here is an example `body` payload:\n\n > `{ \"\ tokenEnabled\": \"1\" }`\n\n" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - name: "id" in: "path" description: "AgentAccessTokens {id}" required: true schema: type: "string" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/AgentAccessTokens_Update_Schema" responses: "200": $ref: "#/components/responses/responseAgentAccessTokens_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/AgentInfo/search: post: tags: - "AgentInfo" summary: "Search Agent Information" description: "The Agent Information API enables you to retrieve information\ \ about all agents by invoking the following endpoint:\n\n > `POST /api/v2/AgentInfo/search`\n\ \ \n Lacework highly recommends specifying a time range. Without a specified\ \ time range, the request uses the default time range of 24 hours prior to\ \ the current time. The maximum time range per API request is 7 days. To\ \ use the current time as the end time, exclude the endTime field.\n\n You\ \ can optionally filter the information returned by agent status, agent version,\ \ IP address, and more. For details about what agent information is available,\ \ see [AGENT_MANAGEMENT_V View](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/901452/agent-management-v-view).\ \ \n\n Here are some example `body` payloads: \n * `{ \"timeFilter\": { \"\ startTime\" : \"2022-04-28T00:00:00Z\", \"endTime\": \"2022-04-28T18:00:00Z\"\ },` \n * `{ \"timeFilter\": { \"startTime\": \" 2022-04-28T00:00:00Z\", \"\ endTime\": \"2022-04-28T18:00:00Z\"},`\n `\"filters\" : [ { \"field\": \"\ status\", \"expression\": \"eq\", \"value\": \"ACTIVE\" }, { \"field\": \"\ tags.VmProvider\", \"expression\": \"eq\", \"value\" : \"AWS\" } ],` \n `\"\ returns\": [ \"hostname\", \"ipAddr\", \"os\" , \"agentVersion\", \"status\"\ \ ] }` \n\n\n Within request bodies, nested field names that contain one or\ \ more special characters—e.g., dot (\".\"), colon (\":\"), or slash (\"/\"\ )—must be enclosed in **escaped double quotes**. For example, the field name\ \ `aws:ec2launchtemplate:version` nested under the `tags` field would be rendered\ \ as follows: \n\n `\"tags.\\\"aws:ec2launchtemplate:version\\\"\"` \n\n In\ \ a filter, the example would appear as follows: \n\n `{ \"field\": \"tags.\\\ \"aws:ec2launchtemplate:version\\\"\", \"expression\": \"eq\", \"value\":\ \ \"3\" }` \n\n In addition, forward slash characters within field names must\ \ be escaped with a backslash, as in the following example: \n\n `\"tags.\\\ \"kubernetes.io\\/cluster\\/prod1\\\"\"`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/GET_DATA_REQUEST_BODY_TIME_FILTERS" responses: "200": $ref: "#/components/responses/responseAgentInfoList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/AlertChannels: post: tags: - "AlertChannels" summary: "Create Alert Channels" description: "Create an alert channel by specifying parameters in the request\ \ body when invoking the following endpoint:\n\n > `POST https://YourLacework.lacework.net/api/v2/AlertChannels`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" - $ref: "#/components/parameters/paramAccountNameHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/AlertChannels_Create_Schema" responses: "201": $ref: "#/components/responses/responseAlertChannels_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" get: tags: - "AlertChannels" summary: "List All Alert Channels" description: "Get a list of alert channels for the current user by invoking\ \ the following endpoint:\n\n > `GET https://YourLacework.lacework.net/api/v2/AlertChannels`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" - $ref: "#/components/parameters/paramAccountNameHeader" responses: "200": $ref: "#/components/responses/responseAlertChannelsList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/AlertChannels/{type}: get: tags: - "AlertChannels" summary: "List Alert Channels by Type" description: "Get a list of alert channels of the specified type by invoking\ \ the following endpoint:\n\n > `GET https://YourLacework.lacework.net/api/v2/AlertChannels/{type}`\n\ \n Here is an example invocation: \n\n > `GET https://YourLacework.lacework.net/api/v2/AlertChannels/SlackChannel`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" - $ref: "#/components/parameters/paramAccountNameHeader" - name: "type" in: "path" description: "Alert Channel Type" required: true schema: type: "string" enum: - "AwsS3" - "CiscoSparkWebhook" - "CloudwatchEb" - "Datadog" - "EmailUser" - "GcpPubsub" - "IbmQradar" - "Jira" - "MicrosoftTeams" - "NewRelicInsights" - "PagerDutyApi" - "ServiceNowRest" - "SlackChannel" - "SplunkHec" - "VictorOps" - "Webhook" responses: "200": $ref: "#/components/responses/responseAlertChannelsList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/AlertChannels/search: post: tags: - "AlertChannels" summary: "Search Alert Channels" description: "Search alert channels by invoking the following endpoint:\n\n\ \ > `POST https://YourLacework.lacework.net/api/v2/AlertChannels/search`\n\ \n To limit the returned result, optionally specify one or more filters in\ \ the request body. For more information about using filters, see the [Simple\ \ & Advanced Search section](/api/v2/docs/#tag/OVERVIEW). \n\n In the request\ \ body, optionally specify the list of fields to return in the response by\ \ specifying the list in the `returns` array, for example, `\"returns\":[\ \ \"name\", \"type\", \"enabled\" ]`." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" - $ref: "#/components/parameters/paramAccountNameHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/GET_DATA_REQUEST_BODY_FILTERS" responses: "200": $ref: "#/components/responses/responseAlertChannelsList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/AlertChannels/{intgGuid}/test: post: tags: - "AlertChannels" summary: "Test Alert Channels" description: "Test the integration of an alert channel by invoking the following\ \ endpoint:\n\n > `POST https://YourLacework.lacework.net/api/v2/AlertChannels/{intgGuid}/test`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" - $ref: "#/components/parameters/paramAccountNameHeader" - name: "intgGuid" in: "path" description: "Alert Channel ID" required: true schema: type: "string" responses: "204": description: "Success" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/AlertChannels/{intgGuid}: get: tags: - "AlertChannels" summary: "Alert Channel Details" description: "Get details about an alert channel by invoking the following endpoint:\n\ \n > `GET https://YourLacework.lacework.net/api/v2/AlertChannels/{intgGuid}`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" - $ref: "#/components/parameters/paramAccountNameHeader" - name: "intgGuid" in: "path" description: "Alert Channel ID" required: true schema: type: "string" responses: "200": $ref: "#/components/responses/responseAlertChannels_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" patch: tags: - "AlertChannels" summary: "Update Alert Channels" description: "Update an alert channel by specifying parameters in the request\ \ body when invoking the following endpoint: \n\n > `PATCH https://YourLacework.lacework.net/api/v2/AlertChannels/{intgGuid}`\ \ \n\n In the request body, only specify the parameter(s) that you want to\ \ update, for example, `{ \"enabled\" : 0 }`." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" - $ref: "#/components/parameters/paramAccountNameHeader" - name: "intgGuid" in: "path" description: "Alert Channel ID" required: true schema: type: "string" requestBody: required: true description: "Only specify the parameter(s) that you want to update, for example,\ \ `{ \"enabled\" : 0 }`." content: application/json: schema: $ref: "#/components/schemas/AlertChannels_Update_Schema" responses: "200": $ref: "#/components/responses/responseAlertChannels_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" put: tags: - "AlertChannels" summary: "Update Alert Channels" description: "Update an alert channel by specifying the entire object in the\ \ request body when invoking the following endpoint: \n\n > `PUT https://YourLacework.lacework.net/api/v2/AlertChannels/{intgGuid}`\ \ \n\n In the request body, specify the entire object that you want to update,\ \ for example, \n > `{\"name\": \"string\",\"type\": \"AwsS3\", \"enabled\"\ : 1, \n > \"data\": {\"s3CrossAccountCredentials\": {\"externalId\": \"string\"\ , \"roleArn\": \"string\", \"bucketArn\":\"string\"}} }`." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" - $ref: "#/components/parameters/paramAccountNameHeader" - name: "intgGuid" in: "path" description: "Alert Channel ID" required: true schema: type: "string" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/AlertChannels_Create_Schema" responses: "200": $ref: "#/components/responses/responseAlertChannels_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" delete: tags: - "AlertChannels" summary: "Delete Alert Channels" description: "Delete an alert channel by invoking the following endpoint:\n\n\ \ > `DELETE https://YourLacework.lacework.net/api/v2/AlertChannels/{intgGuid}`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" - $ref: "#/components/parameters/paramAccountNameHeader" - name: "intgGuid" in: "path" description: "Alert Channel ID" required: true schema: type: "string" responses: "204": description: "No response content is returned and the request was successfully\ \ completed with no errors." "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/AlertProfiles: post: tags: - "AlertProfiles" summary: "Create Alert Profiles" description: "Create an alert profile that extends off of a current alert profile\ \ by invoking the following endpoint:\n\n > `POST https://YourLacework.lacework.net/api/v2/AlertProfiles`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/AlertProfiles_Create_Schema" responses: "201": $ref: "#/components/responses/responseAlertProfiles_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" get: tags: - "AlertProfiles" summary: "List All Alert Profiles" description: "Get all the alert profiles for the current user by invoking the\ \ following endpoint:\n\n > `GET https://YourLacework.lacework.net/api/v2/AlertProfiles`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" responses: "200": $ref: "#/components/responses/responseAlertProfilesList_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/AlertProfiles/{id}: get: tags: - "AlertProfiles" summary: "Alert Profiles Details" description: "Get the details to the specified alert profile by invoking the\ \ following endpoint:\n\n > `GET https://YourLacework.lacework.net/api/v2/AlertProfiles/{alertProfileId}`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - name: "id" in: "path" description: "Alert Profile id" required: true schema: type: "string" responses: "200": $ref: "#/components/responses/responseAlertProfiles_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" patch: tags: - "AlertProfiles" summary: "Update Alert Profiles" description: "Update the alert templates of the specified alert profile by invoking\ \ the following endpoint:\n\n > `PATCH https://YourLacework.lacework.net/api/v2/AlertProfiles/{alertProfileId}`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - name: "id" in: "path" description: "Alert Profile id" required: true schema: type: "string" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/AlertProfiles_Update_Schema" responses: "200": $ref: "#/components/responses/responseAlertProfiles_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" delete: tags: - "AlertProfiles" summary: "Delete Alert Profiles" description: "Delete the specified alert profile by invoking the following endpoint:\n\ \n > `DELETE https://YourLacework.lacework.net/api/v2/AlertProfiles/{alertProfileId}`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - name: "id" in: "path" description: "Alert Profile id" required: true schema: type: "string" responses: "204": description: "Success" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/AlertProfiles/{id}/AlertTemplates: post: tags: - "AlertProfiles" summary: "Create Alert Templates" description: "Create a new alert template for a specified alert profile by invoking\ \ the following endpoint:\n\n > `POST https://YourLacework.lacework.net/api/v2/AlertProfiles/{alertProfileId}/AlertTemplates`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - name: "id" in: "path" description: "Alert Profile id" required: true schema: type: "string" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/AlertProfiles_AlertTemplates_Create_Schema" responses: "200": $ref: "#/components/responses/responseAlertProfiles_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/AlertProfiles/{id}/AlertTemplates/{alertTemplateName}: patch: tags: - "AlertProfiles" summary: "Update Alert Templates" description: "Update an alert template for a specified alert profile by invoking\ \ the following endpoint:\n\n > `PATCH https://YourLacework.lacework.net/api/v2/AlertProfiles/{alertProfileId}/AlertTemplates/{alertTemplateName}`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - name: "id" in: "path" description: "Alert Profile id" required: true schema: type: "string" - name: "alertTemplateName" in: "path" description: "Alert Template Name" required: true schema: type: "string" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/AlertProfiles_AlertTemplates_Update_Schema" responses: "200": $ref: "#/components/responses/responseAlertProfiles_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" delete: tags: - "AlertProfiles" summary: "Delete Alert Templates" description: "Delete an alert template for a specified alert profile by invoking\ \ the following endpoint:\n\n > `DELETE https://YourLacework.lacework.net/api/v2/AlertProfiles/{alertProfileId}/AlertTemplates/{alertTemplateName}`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - name: "id" in: "path" description: "Alert Profile id" required: true schema: type: "string" - name: "alertTemplateName" in: "path" description: "Alert Template Name" required: true schema: type: "string" responses: "204": description: "Success" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/AlertRules: post: tags: - "AlertRules" summary: "Create Alert Rules" description: "Create an alert rule by specifying parameters in the request body\ \ when invoking the following endpoint:\n\n > `POST https://YourLacework.lacework.net/api/v2/AlertRules`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" - $ref: "#/components/parameters/paramAccountNameHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/AlertRules_Create_Schema" responses: "201": $ref: "#/components/responses/responseAlertRules_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" get: tags: - "AlertRules" summary: "List All Alert Rules" description: "List all alert rules in your Lacework instance by invoking the\ \ following endpoint:\n\n > `GET https://YourLacework.lacework.net/api/v2/AlertRules`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" - $ref: "#/components/parameters/paramAccountNameHeader" responses: "200": $ref: "#/components/responses/responseAlertRulesList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/AlertRules/search: post: tags: - "AlertRules" summary: "Search Alert Rules" description: "Search alert rules by invoking the following endpoint:\n\n >\ \ `POST https://YourLacework.lacework.net/api/v2/AlertRules/search`\n\n To\ \ limit the returned result, optionally specify one or more filters in the\ \ request body. For more information about using filters, see the [Simple\ \ & Advanced Search section](/api/v2/docs/#tag/OVERVIEW). \n\n Here are some\ \ example `body` payloads:\n\n * `{ \"filters\": [ { \"field\": \"mcGuid\"\ , \"expression\": \"rlike\", \"value\": \"123ABC\" } ] } ` \n\n * `{ \"filters\"\ : [ { \"field\": \"mcGuid\", \"expression\": \"between\", \"values\": [ \"\ ABC_123\", \"DEC_456\" ] } ] }` \n\n * `{ \"filters\": [ { \"field\": \"\ intgGuidList\", \"expression\": \"eq\", \"value\": \"ABC_123\" } ] } ` \n\n\ \ * `{ \"filters\": [ { \"field\": \"intgGuidList\", \"expression\": \"in\"\ , \"values\": [ \"ABC_123\", \"DEF_456\" ] } ] } ` \n\n * `{ \"filters\"\ : [ { \"field\": \"filters.name\", \"expression\": \"ilike\", \"value\": \"\ slack\" } ] } ` \n\n * `{ \"filters\": [ { \"field\": \"filters.resourceGroups\"\ , \"expression\": \"eq\", \"value\": \"ABC_123\" } ] } ` \n\n * `{ \"filters\"\ : [ { \"field\": \"filters.severity\", \"expression\": \"eq\", \"value\":\ \ \"5\" } ] } ` \n\n * `{ \"filters\": [ { \"field\": \"filters.eventCategory\"\ , \"expression\": \"eq\", \"value\": \"App\" } ] } ` \n\n * `{ \"filters\"\ : [ { \"field\": \"reportNotificationTypes.agentEvents\", \"expression\":\ \ \"eq\", \"value\": \"false\" } ] } ` \n\n In the request body, optionally\ \ specify the list of fields to return in the response by specifying the list\ \ in the `returns` array." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" - $ref: "#/components/parameters/paramAccountNameHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/GET_DATA_REQUEST_BODY_FILTERS" responses: "200": $ref: "#/components/responses/responseAlertRulesList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/AlertRules/{mcGuid}: get: tags: - "AlertRules" summary: "Alert Rule Details" description: "Get details about an alert rule by invoking the following endpoint:\n\ \n > `GET https://YourLacework.lacework.net/api/v2/AlertRules/{mcGuid}`\n\ \n Replace `{mcGuid}` with the `mcGuid` value returned for an alert rule\ \ in the response when the `GET /api/v2/AlertRules` endpoint is invoked." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" - $ref: "#/components/parameters/paramAccountNameHeader" - name: "mcGuid" in: "path" description: "Alert Rule mcGuid" required: true schema: type: "string" responses: "200": $ref: "#/components/responses/responseAlertRules_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" patch: tags: - "AlertRules" summary: "Update Alert Rules" description: "Update an alert rule by specifying parameters in the request body\ \ when invoking the following endpoint: \n\n > `PATCH https://YourLacework.lacework.net/api/v2/AlertRules/{mcGuid}`\n\ \n Replace `{mcGuid}` with the `mcGuid` value returned for an alert rule\ \ in the response when the `GET /api/v2/AlertRules` endpoint is invoked. In\ \ the request body, only specify the parameters that you want to update." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" - $ref: "#/components/parameters/paramAccountNameHeader" - name: "mcGuid" in: "path" description: "Alert Rules mcGuid" required: true schema: type: "string" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/AlertRules_Update_Schema" responses: "200": $ref: "#/components/responses/responseAlertRules_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" delete: tags: - "AlertRules" summary: "Delete Alert Rules" description: "Delete an alert rule by invoking the following endpoint:\n\n \ \ > `DELETE https://YourLacework.lacework.net/api/v2/AlertRules/{mcGuid}`\n\ \ \n Replace `{mcGuid}` with the `mcGuid` value returned for an alert rule\ \ in the response when the `GET /api/v2/AlertRules` endpoint is invoked." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" - $ref: "#/components/parameters/paramAccountNameHeader" - name: "mcGuid" in: "path" description: "Alert Rules mcGuid" required: true schema: type: "string" responses: "204": description: "Success" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/Alerts: get: tags: - "Alerts" summary: "List Alerts" description: "Get a list of alerts during the specified date range by invoking\ \ the following endpoint:\n\n > `GET https://YourLacework.lacework.net/api/v2/Alerts?startTime={startTime}&endTime={endTime}`\ \ \n\n Use the following formats to specify the `startTime` and `endTime`:\n\ \n * `yyyy-MM-dd` for example, `2022-06-28` \n\n * `yyyy-MM-ddTHH` for example,\ \ `2022-06-28T08` \n\n * `yyyy-MM-ddTHH:mm:ssZ` for example, `2022-06-28T08:00:00Z`\ \ \n\n * `yyyy-MM-ddTHH:mm:ss.SSSZ` for example, `2022-06-28T08:00:00.000Z`\ \ \n\n\n Here is an example invocation: \n\n > `GET https://YourLacework.lacework\ \ .net/api/v2/Alerts?startTime=2022-06-30T00:00:00Z&endTime=2022-06-30T08:00:00Z`\ \ \n\n Lacework highly recommends specifying a time range. Without a specified\ \ time range, the request uses the default time range of 24 hours prior to\ \ the current time. The maximum time range per API request is 7 days. \n\n\ \ Pagination metadata is located within the response's `paging` field, which\ \ contains information for `rows`, `totalRows`, and `urls`. The `urls` field\ \ contains the `nextPage` field with the Next Page URL. The Next Page URLs\ \ stay valid for 24 hours. \n\n To get the next page of the result, use the\ \ entire Next Page URL and send a GET request with the two required HTTP headers:\ \ \"Authorization: Bearer {YourAPIToken}\" and \"Content-Type: application/json\"\ . \n\n Example: \n\n > `GET https://YourLacework.lacework.net/api/v2/Alerts/abcxyz123...`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramStartTime" - $ref: "#/components/parameters/paramEndTime" responses: "200": $ref: "#/components/responses/responseAlertsList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/Alerts/search: post: tags: - "Alerts" summary: "Search Alerts" description: "Search alerts by invoking the following endpoint:\n\n > `POST\ \ https://YourLacework.lacework.net/api/v2/Alerts/search` \n\n Optionally\ \ specify filters in the request body. For more information about using filters,\ \ see the [Simple & Advanced Search section](/api/v2/docs/#tag/OVERVIEW).\n\ \n For the `timeFilter` filter, these are the supported time formats:\n\n\ \ * `yyyy-MM-dd` for example, `2022-07-08` \n\n * `yyyy-MM-ddTHH` for example,\ \ `2022-07-08T08` \n\n * `yyyy-MM-ddTHH:mm:ssZ` for example, `2022-07-08T08:00:00Z`\ \ \n\n * `yyyy-MM-ddTHH:mm:ss.SSSZ` for example, `2022-07-08T08:00:00.000Z`\ \ \n\n\n Lacework highly recommends specifying a time range. Without a specified\ \ time range, the request uses the default time range of 24 hours prior to\ \ the current time. The maximum time range per API request is 7 days. To\ \ use the current time as the end time, exclude the endTime field.\n\n To\ \ limit the returned result, optionally specify one or more filters in the\ \ request body. These fields can be set in the filters: `alertId`, `alertType`,\ \ `severity`, `status`, `subCategory`, `category`, and `source`. In the filter,\ \ specify the field on which to filter, the `eq` operator, and the value against\ \ which the field value is compared.\n\n You can optionally filter the returned\ \ alerts by one or more of the top-level fields. See [Filter Alerts](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/600144/filter-alerts)\ \ for the filter values. \n\n Here are some example `body` payloads: \n *\ \ `{ \"timeFilter\": { \"startTime\": \"2022-07-08T00:00:00Z\", \"endTime\"\ : \"2022-07-08T08:00:00Z\"},` \n `\"filters\": [ { \"field\": \"alertType\"\ , \"expression\": \"eq\", \"value\": \"SuspiciousUserFailedLogin\" } ] }`\ \ \n * `{ \"timeFilter\": { \"startTime\": \"2022-07-08T00:00:00Z\", \"endTime\"\ : \"2022-07-08T08:00:00Z\"},` \n `\"filters\": [ { \"field\": \"severity\"\ , \"expression\": \"eq\", \"value\": \"Critical\" }, { \"field\": \"status\"\ , \"expression\": \"eq\", \"value\": \"Open\" } ],` \n `\"returns\": [ \"\ alertId\", \"alertName\", \"alertType\", \"alertInfo\" ] }` \n\n\n Pagination\ \ metadata is located within the response's `paging` field, which contains\ \ information for `rows`, `totalRows`, and `urls`. The `urls` field contains\ \ the `nextPage` field with the Next Page URL. The Next Page URLs stay valid\ \ for 24 hours. \n\n To get the next page of the result, use the entire Next\ \ Page URL and send a GET request with the two required HTTP headers: \"Authorization:\ \ Bearer {YourAPIToken}\" and \"Content-Type: application/json\". \n\n Example:\ \ \n\n > `GET https://YourLacework.lacework.net/api/v2/Alerts/abcxyz123...`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/GET_DATA_REQUEST_BODY_TIME_FILTERS_FOR_ALERTS" responses: "200": $ref: "#/components/responses/responseAlertsList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/Alerts/{alertId}: get: tags: - "Alerts" summary: "Alert Details" description: "Get details about an alert by invoking the following endpoint:\n\ \ \n > `GET https://YourLacework.lacework.net/api/v2/Alerts/{alertId}?scope={scope}`\ \ \n\n You must specify a scope, as one of these options: `Details`, `Investigation`,\ \ `Events`, `RelatedAlerts`, `Integrations`, or `Timeline` or `ObservationTimeline`." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - name: "alertId" in: "path" description: "Alert id" required: true schema: type: "string" - name: "scope" in: "query" description: "You must specify a scope, as one of these options." required: true schema: type: "string" enum: - "Details" - "Investigation" - "Events" - "RelatedAlerts" - "Integrations" - "Timeline" - "ObservationTimeline" responses: "200": $ref: "#/components/responses/responseAlerts_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/Alerts/Entities/{alertId}: get: tags: - "Alerts" summary: "Alert Entities" description: "List all entities associated with a given alert ID for which additional\ \ context is available. The entity can be any non-compliant resource, such\ \ as a machine or IP address." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - name: "alertId" in: "path" description: "Alert id" required: true schema: type: "string" responses: "200": $ref: "#/components/responses/responseAlerts_Entities_Response_schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/Alerts/EntityDetails/{alertId}: get: tags: - "Alerts" summary: "Alert Entity Details" description: "Get details about an entity associated with a given alert ID for\ \ which additional context is available by invoking the following endpoint:\n\ \ \n > `GET https://YourLacework.lacework.net/api/v2/Alerts/EntityDetails/{alertId}?contextEntityType={entityType}&entityValue={entityValue}`\ \ \n\n You must specify a `contextEntityType` and `entityValue`. (Currently,\ \ additional context support is available for IpAddress entities only, so\ \ `contextEntityType` must be `Machine` or `IpAddress`.) If any item of information\ \ about this entity is not available, partial information is returned." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - name: "alertId" in: "path" description: "Alert ID" required: true schema: type: "string" - name: "contextEntityType" in: "query" description: "You must specify a context entity type from the available options.\ \ (Currently, only `Machine` and `IpAddress` is available.)" required: true schema: type: "string" enum: - "IpAddress" - "Machine" - name: "entityValue" in: "query" description: "You must specify a context entity value, such as the Machine\ \ identifier (MID) or IP address." required: true schema: type: "string" responses: "200": $ref: "#/components/responses/responseAlertsEntityDetails_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/Alerts/{alertId}/comment: post: tags: - "Alerts" summary: "Post Comments" description: "Post a user comment on an alert’s timeline by invoking the following\ \ endpoint:\n\n > `POST https://YourLacework.lacework.net/api/v2/Alerts/{alertId}/comment`\ \ \n\n For details about alert timelines, see [Timeline](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/772309/view-alerts#timeline)." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - name: "alertId" in: "path" description: "Alert id" required: true schema: type: "string" requestBody: required: true content: application/json: schema: required: - "comment" properties: comment: type: "string" responses: "200": $ref: "#/components/responses/responseAlerts_Comment_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/Alerts/{alertId}/close: post: tags: - "Alerts" summary: "Close Alerts" description: "Change the status of an alert to closed by invoking the following\ \ endpoint:\n\n > `POST https://YourLacework.lacework.net/api/v2/Alerts/{alertId}/close`\ \ \n\n The body of the request should contain the reason for closing, from\ \ these options: \n * Other \n * False positive \n * Not enough information\ \ \n * Malicious and have resolution in place \n * Expected because of routine\ \ testing \n * Expected behavior \n\n\n If you choose `Other`, the message\ \ field is required and should contain a brief explanation of why the alert\ \ is closed.\n\n Note that a closed alert cannot be reopened. \n\n For details\ \ about alert statuses, see [Status](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/772309/view-alerts#status)." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - name: "alertId" in: "path" description: "Alert id" required: true schema: type: "string" requestBody: required: true content: application/json: schema: required: - "reason" properties: reason: type: "number" description: "0 - Other \n\n 1 - False positive \n\n 2 - Not enough\ \ information \n\n 3 - Malicious and have resolution in place\ \ \n\n 4 - Expected because of routine testing \n\n 5 - Expected\ \ behavior" enum: - 0 - 1 - 2 - 3 - 4 - 5 comment: type: "string" description: "If you choose `0` (`Other`), the comment field is\ \ required and should contain a brief explanation of why the alert\ \ is closed." responses: "204": description: "Success" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/AuditLogs: get: tags: - "AuditLogs" summary: "Audit Logs" description: "Get audit logs by invoking the following endpoint:\n\n > `GET\ \ https://YourLacework.lacework.net/api/v2/AuditLogs` \n\n Optionally specify\ \ the `startTime` and `endTime` time range filters using the following formats:\n\ \n * `yyyy-MM-dd` for example, `2020-12-18` \n\n * `yyyy-MM-ddTHH` for example,\ \ `2020-12-18T08` \n\n * `yyyy-MM-ddTHH:mm:ssZ` for example, `2020-12-18T08:00:00Z`\ \ \n\n * `yyyy-MM-ddTHH:mm:ss.SSSZ` for example, `2020-12-18T08:00:00.000Z`\ \ \n\n To use the current time as the end time, exclude the endTime parameter.\ \ \n\n\n Here is an example invocation: \n\n > `GET https://YourLacework.lacework.net/api/v2/AuditLogs?startTime=2020-12-11T08:00:00Z&endTime=2020-12-18T08:00:00Z`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" - $ref: "#/components/parameters/paramAccountNameHeader" - $ref: "#/components/parameters/paramStartTime" - $ref: "#/components/parameters/paramEndTime" responses: "200": $ref: "#/components/responses/responseAuditLogsList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/AuditLogs/search: post: tags: - "AuditLogs" summary: "Search Audit Logs" description: "Search the audit logs by invoking the following endpoint:\n\n\ \ > `POST https://YourLacework.lacework.net/api/v2/AuditLogs/search` \n\n\ \ Optionally specify filters in the request body. For more information about\ \ using filters, see the [Simple & Advanced Search section](/api/v2/docs/#tag/OVERVIEW).\ \ \n\n For the `timeFilter` filter, these are the supported time formats:\n\ \n * `yyyy-MM-dd` for example, `2020-12-18` \n\n * `yyyy-MM-ddTHH` for example,\ \ `2020-12-18T08` \n\n * `yyyy-MM-ddTHH:mm:ssZ` for example, `2020-12-18T08:00:00Z`\ \ \n\n * `yyyy-MM-ddTHH:mm:ss.SSSZ`, for example, `2020-12-18T08:00:00.000Z`\ \ \n\n To use the current time as the end time, exclude the endTime field." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" - $ref: "#/components/parameters/paramAccountNameHeader" requestBody: required: true description: "Filters in the request body" content: application/json: schema: $ref: "#/components/schemas/GET_DATA_REQUEST_BODY_TIME_FILTERS" responses: "200": $ref: "#/components/responses/responseAuditLogsList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/CloudAccounts: post: tags: - "CloudAccounts" summary: "Create Cloud Accounts" description: "Create a cloud account by specifying parameters in the request\ \ body when invoking the following endpoint:\n\n > `POST https://YourLacework.lacework.net/api/v2/CloudAccounts`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" - $ref: "#/components/parameters/paramAccountNameHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/CloudAccounts_Create_Schema" responses: "201": $ref: "#/components/responses/responseCloudAccounts_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" get: tags: - "CloudAccounts" summary: "List All Cloud Accounts" description: "Get a list of cloud accounts for the current user by invoking\ \ the following endpoint:\n\n > `GET https://YourLacework.lacework.net/api/v2/CloudAccounts`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" - $ref: "#/components/parameters/paramAccountNameHeader" responses: "200": $ref: "#/components/responses/responseCloudAccountsList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/CloudAccounts/{type}: get: tags: - "CloudAccounts" summary: "List Cloud Accounts by Type" description: "Get a list of cloud accounts of the specified type by invoking\ \ the following endpoint:\n\n > `GET https://YourLacework.lacework.net/api/v2/CloudAccounts/{type}`\n\ \n Here is an example invocation: \n\n > `GET https://YourLacework.lacework.net/api/v2/CloudAccounts/AwsCfg`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" - $ref: "#/components/parameters/paramAccountNameHeader" - name: "type" in: "path" description: "Cloud Accounts Type" required: true schema: type: "string" enum: - "AwsCfg" - "AwsCtSqs" - "AwsEksAudit" - "AwsUsGovCfg" - "AwsUsGovCtSqs" - "AzureAlSeq" - "AzureCfg" - "GcpAtSes" - "GcpCfg" responses: "200": $ref: "#/components/responses/responseCloudAccountsList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/CloudAccounts/search: post: tags: - "CloudAccounts" summary: "Search Cloud Accounts" description: "Search cloud accounts by invoking the following endpoint:\n\n\ \ > `POST https://YourLacework.lacework.net/api/v2/CloudAccounts/search`\n\ \n To limit the returned result, optionally specify one or more filters in\ \ the request body. For more information about using filters, see the [Simple\ \ & Advanced Search section](/api/v2/docs/#tag/OVERVIEW). \n\n In the request\ \ body, optionally specify the list of fields to return in the response by\ \ specifying the list in the `returns` array, for example, `\"returns\":[\ \ \"name\", \"type\", \"enabled\" ]`." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" - $ref: "#/components/parameters/paramAccountNameHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/GET_DATA_REQUEST_BODY_FILTERS" responses: "200": $ref: "#/components/responses/responseCloudAccountsList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/CloudAccounts/{intgGuid}: get: tags: - "CloudAccounts" summary: "Cloud Accounts Details" description: "Get details about a cloud account by invoking the following endpoint:\n\ \n > `GET https://YourLacework.lacework.net/api/v2/CloudAccounts/{intgGuid}`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" - $ref: "#/components/parameters/paramAccountNameHeader" - name: "intgGuid" in: "path" description: "Cloud Account ID" required: true schema: type: "string" responses: "200": $ref: "#/components/responses/responseCloudAccounts_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" patch: tags: - "CloudAccounts" summary: "Update Cloud Accounts" description: "Update a cloud account by specifying parameters in the request\ \ body when invoking the following endpoint: \n\n > `PATCH https://YourLacework.lacework.net/api/v2/CloudAccounts/{intgGuid}`\ \ \n\n In the request body, only specify the parameters that you want to\ \ update, for example, `{ \"enabled\" : 0 }`." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" - $ref: "#/components/parameters/paramAccountNameHeader" - name: "intgGuid" in: "path" description: "Cloud Account ID" required: true schema: type: "string" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/CloudAccounts_Update_Schema" responses: "200": $ref: "#/components/responses/responseCloudAccounts_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" put: tags: - "CloudAccounts" summary: "Update Cloud Accounts" description: "Update a cloud account by specifying the entire object in the\ \ request body when invoking the following endpoint: \n\n > `PUT https://YourLacework.lacework.net/api/v2/CloudAccounts/{intgGuid}`\ \ \n\n In the request body, specify the entire object that you want to update,\ \ for example, \n > `{\"name\": \"string\",\"type\": \"AwsCfg\", \"enabled\"\ : 1, \n > \"data\": { \"awsAccountId\": \"string\", \"crossAccountCredentials\"\ : {\"externalId\": \"string\", \"roleArn\": \"string\"}} }`." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" - $ref: "#/components/parameters/paramAccountNameHeader" - name: "intgGuid" in: "path" description: "Cloud Account ID" required: true schema: type: "string" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/CloudAccounts_Create_Schema" responses: "200": $ref: "#/components/responses/responseCloudAccounts_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" delete: tags: - "CloudAccounts" summary: "Delete Cloud Accounts" description: "Delete a cloud account by invoking the following endpoint:\n\n\ \ > `DELETE https://YourLacework.lacework.net/api/v2/CloudAccounts/{intgGuid}`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" - $ref: "#/components/parameters/paramAccountNameHeader" - name: "intgGuid" in: "path" description: "Cloud Account ID" required: true schema: type: "string" responses: "204": description: "Success" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/CloudActivities: get: tags: - "CloudActivities" summary: "Cloud Activities" description: "Get cloud activity details by invoking the following endpoint:\n\ \n > `GET https://YourLacework.lacework.net/api/v2/CloudActivities` \n\n\ \ Optionally filter by specifying the `startTime` and `endTime` of a time\ \ range using the following formats:\n\n * `yyyy-MM-dd` for example, `2020-12-18`\ \ \n\n * `yyyy-MM-ddTHH` for example, `2020-12-18T08` \n\n * `yyyy-MM-ddTHH:mm:ssZ`\ \ for example, `2020-12-18T08:00:00Z` \n\n * `yyyy-MM-ddTHH:mm:ss.SSSZ` for\ \ example, `2020-12-18T08:00:00.000Z` \n\n To use the current time as the\ \ end time, exclude the endTime parameter. \n\n\n Here is an example invocation:\ \ \n\n > `GET https://YourLacework.lacework.net/api/v2/CloudActivities?startTime=2020-12-11T08:00:00Z&endTime=2020-12-18T08:00:00Z`\ \ \n\n To use the current time as the end time, exclude the endTime parameter." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramStartTime" - $ref: "#/components/parameters/paramEndTime" responses: "200": $ref: "#/components/responses/responseCloudActivitiesList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/CloudActivities/search: post: tags: - "CloudActivities" summary: "Search Cloud Activities" description: "Search cloud activities by invoking the following endpoint:\n\n\ \ > `POST https://YourLacework.lacework.net/api/v2/CloudActivities/search`\ \ \n\n Optionally specify filters in the request body. For more information\ \ about using filters, see the [Simple & Advanced Search section](/api/v2/docs/#tag/OVERVIEW).\n\ \n For the `timeFilter` filter, these are the supported time formats:\n\n\ \ * `yyyy-MM-dd` for example, `2021-12-18` \n\n * `yyyy-MM-ddTHH` for example,\ \ `2021-12-18T08` \n\n * `yyyy-MM-ddTHH:mm:ssZ` for example, `2021-12-18T08:00:00Z`\ \ \n\n * `yyyy-MM-ddTHH:mm:ss.SSSZ` for example, `2021-12-18T08:00:00.000Z`\n\ \n The `rlike` and `not_rlike` operators are useful for filtering results.\ \ For example, the following expression limits results to the `CreateTags`\ \ API:\n\n > `\"filters\": [ { \"expression\": \"rlike\", \"field\": \"entityMap.API\"\ , \"value\": \".CreateTags.\" } ]` \n\n Here is another example that shows\ \ how to limit results to those with the numeric pattern specified as the\ \ resource ID:\n\n > `\"filters\": [ { \"expression\": \"rlike\", \"field\"\ : \"entityMap.Resource\", \"value\": \".3\\.0\\.529\\.0.\" } ]` \n\n Here\ \ are some additional example `body` payloads: \n * `{ \"timeFilter\": { \"\ startTime\": \"2021-12-11T00:00:00Z\", \"endTime\": \"2021-12-12T00:00:00Z\"\ },` \n `\"filters\": [ { \"field\": \"eventType\", \"expression\": \"eq\"\ , \"value\": \"NewUser\" } ] }` \n * `{ \"timeFilter\": { \"startTime\": \"\ 2021-12-11T00:00:00Z\", \"endTime\": \"2021-12-12T00:00:00Z\"},` \n `\"filters\"\ : [ { \"field\": \"eventType\", \"expression\": \"eq\", \"value\": \"NewUser\"\ \ },` \n `{ \"field\": \"eventModel\", \"expression\": \"eq\", \"value\"\ : \"AwsApiTracker\" } ],` \n `\"returns\":[ \"startTime\", \"endTime\", \"\ eventType\", \"eventActor\", \"eventModel\" ] }` \n\n To use the current time\ \ as the end time, exclude the endTime field." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/GET_DATA_REQUEST_BODY_TIME_FILTERS" responses: "200": $ref: "#/components/responses/responseCloudActivitiesList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/Configs/ComplianceEvaluations/search: post: tags: - "Configs" summary: "Search Compliance Evaluations" description: "Search for compliance evaluations (with details such as compliance\ \ status, violated resources, reason, recommendation, account info, etc.)\ \ for a specified cloud provider within the last 90 days by invoking the following\ \ endpoint:\n\n > `POST https://YourLacework.lacework.net/api/v2/Configs/ComplianceEvaluations/search`\ \ \n\n The search results include details about compliance violations identified\ \ by cloud assessments for all supported and configured cloud provider types:\ \ AWS, Azure, and GCP.\n\n Lacework highly recommends specifying a time range.\ \ Without a specified time range, the request uses the default time range\ \ of 24 hours prior to the current time. The maximum time range per API request\ \ is 7 days. \n\n You must specify a dataset. The possible datasets are `AwsCompliance`,\ \ `AzureCompliance`, `GcpCompliance`, and `K8sCompliance`. You can optionally\ \ filter the compliance evaluations by report time, account, section, ID,\ \ and more. For more information, see [CLOUD_COMPLIANCE_V View](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/456112/cloud-compliance-v-view).\n\ \n Here are some example `body` payloads: \n * `{ \"timeFilter\": { \"startTime\"\ : \"2021-08-28T20:30:00Z\", \"endTime\": \"2021-08-28T22:30:00Z\"},` \n `\"\ dataset\": \"AwsCompliance\" }` \n * `{ \"timeFilter\": { \"startTime\": \"\ 2021-08-28T20:30:00Z\", \"endTime\": \"2021-08-28T22:30:00Z\"},`\n `\"filters\"\ : [ { \"field\": \"status\", \"expression\": \"eq\", \"value\": \"NonCompliant\"\ \ }, { \"field\": \"account.AccountId\", \"expression\": \"eq\", \"value\"\ : \"812212113623\" } ],` \n `\"returns\": [ \"account\", \"id\", \"recommendation\"\ , \"severity\", \"status\" ],` \n `\"dataset\": \"AzureCompliance\" }`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/Dataset_Request_Body_Schema" responses: "200": $ref: "#/components/responses/responseConfigs_ComplianceEvaluationsList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/Configs/AzureSubscriptions: get: tags: - "Configs" summary: "Azure Subscriptions" description: "Get a list of Azure subscription IDs for an entire account or\ \ for a specific Azure tenant. \n\n To list all Azure subscription IDs for\ \ an account, invoke the following endpoint: \n\n > `GET https://YourLacework.lacework.net/api/v2/Configs/AzureSubscriptions`\ \ \n\n To get a list of Azure subscription IDs for a specific tenant, pass\ \ the tenant ID as a parameter to the endpoint: \n\n > `GET https://YourLacework.lacework.net/api/v2/Configs/AzureSubscriptions?tenantId={tenantId}`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - name: "tenantId" in: "query" description: "The Azure tenant ID." schema: type: "string" responses: "200": $ref: "#/components/responses/responseConfigs_AzureSubscriptions_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/Configs/GcpProjects: get: tags: - "Configs" summary: "GCP Projects" description: "Get a list of GCP project IDs for an entire account or for a specific\ \ organization. \n\n To list all GCP project IDs for an account, invoke the\ \ following endpoint: \n\n > `GET https://YourLacework.lacework.net/api/v2/Configs/GcpProjects`\ \ \n\n To get a list of GCP project IDs for a specific organization, pass\ \ the organization ID as a parameter to the endpoint: \n\n > `GET https://YourLacework.lacework.net/api/v2/Configs/GcpProjects?orgId={orgId}`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - name: "orgId" in: "query" description: "The GCP organization ID." schema: type: "string" responses: "200": $ref: "#/components/responses/responseConfigs_GcpProjects_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/ContainerRegistries: post: tags: - "ContainerRegistries" summary: "Create Container Registries" description: "Create a container registry by specifying parameters in the request\ \ body when invoking the following endpoint:\n\n > `POST https://YourLacework.lacework.net/api/v2/ContainerRegistries`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" - $ref: "#/components/parameters/paramAccountNameHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/ContainerRegistries_Create_Schema" responses: "201": $ref: "#/components/responses/responseContainerRegistries_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" get: tags: - "ContainerRegistries" summary: "List All Container Registries" description: "Get a list of container registries for the current user by invoking\ \ the following endpoint:\n\n > `GET https://YourLacework.lacework.net/api/v2/ContainerRegistries`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" - $ref: "#/components/parameters/paramAccountNameHeader" responses: "200": $ref: "#/components/responses/responseContainerRegistriesList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/ContainerRegistries/{type}/{subtype}: get: tags: - "ContainerRegistries" summary: "List Container Registries by Type" description: "Get a list of container registries of the specified type by invoking\ \ the following endpoint:\n\n > `GET https://YourLacework.lacework.net/api/v2/ContainerRegistries/{type}/{subtype}`\n\ \n Here is an example invocation: \n\n > `GET https://YourLacework.lacework.net/api/v2/ContainerRegistries/ContVulnCfg/AWS_ECR`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" - $ref: "#/components/parameters/paramAccountNameHeader" - name: "type" in: "path" description: "Container Registry Type" required: true schema: type: "string" enum: - "ContVulnCfg" - name: "subtype" in: "path" description: "Container Registry Subtype" required: true schema: type: "string" $ref: "#/components/schemas/ContainerRegistriesSubtype" responses: "200": $ref: "#/components/responses/responseContainerRegistriesList_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/ContainerRegistries/search: post: tags: - "ContainerRegistries" summary: "Search Container Registries" description: "Search container registries by invoking the following endpoint:\n\ \n > `POST https://YourLacework.lacework.net/api/v2/ContainerRegistries/search`\n\ \n To limit the returned result, optionally specify one or more filters in\ \ the request body. For more information about using filters, see the [Simple\ \ & Advanced Search section](/api/v2/docs/#tag/OVERVIEW).\n\n In the request\ \ body, optionally specify the list of fields to return in the response by\ \ specifying the list in the `returns` array, for example, `\"returns\":[\ \ \"name\", \"type\", \"enabled\" ]`." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" - $ref: "#/components/parameters/paramAccountNameHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/GET_DATA_REQUEST_BODY_FILTERS" responses: "200": $ref: "#/components/responses/responseContainerRegistriesList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/ContainerRegistries/{intgGuid}/mapPolicies: post: tags: - "ContainerRegistries" summary: "Map policies to Container Registries" description: "Map specific policies to a container registry by invoking the\ \ following endpoint: `POST https://YourLacework.lacework.net/api/v2/ContainerRegistries/{intgGuid}/mapPolicies`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" - $ref: "#/components/parameters/paramAccountNameHeader" - name: "intgGuid" in: "path" description: "The container registry's ID." required: true schema: type: "string" requestBody: required: true content: application/json: schema: properties: evaluate: type: "boolean" description: "Set to `True` if you want to evaluate all policies\ \ for this integration. Otherwise, set to `False`." policyGuids: type: "array" description: "A list of all policy IDs to map to this integration." items: type: "string" responses: "200": $ref: "#/components/responses/responseContainerRegistries_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/ContainerRegistries/{intgGuid}: get: tags: - "ContainerRegistries" summary: "Container Registry Details" description: "Get details about a container registry by invoking the following\ \ endpoint:\n\n > `GET https://YourLacework.lacework.net/api/v2/ContainerRegistries/{intgGuid}`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" - $ref: "#/components/parameters/paramAccountNameHeader" - name: "intgGuid" in: "path" description: "The container registry's ID." required: true schema: type: "string" responses: "200": $ref: "#/components/responses/responseContainerRegistries_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" patch: tags: - "ContainerRegistries" summary: "Update Container Registries" description: "Update a container registry by specifying parameters in the request\ \ body when invoking the following endpoint: \n\n > `PATCH https://YourLacework.lacework.net/api/v2/ContainerRegistries/{intgGuid}`\ \ \n\n In the request body, only specify the parameters that you want to\ \ update, for example, `{ \"enabled\" : 0 }`." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" - $ref: "#/components/parameters/paramAccountNameHeader" - name: "intgGuid" in: "path" description: "The container registry's ID." required: true schema: type: "string" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/ContainerRegistries_Update_Schema" responses: "200": $ref: "#/components/responses/responseContainerRegistries_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" delete: tags: - "ContainerRegistries" summary: "Delete Container Registries" description: "Delete a container registry by invoking the following endpoint:\n\ \n > `DELETE https://YourLacework.lacework.net/api/v2/ContainerRegistries/{intgGuid}`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" - $ref: "#/components/parameters/paramAccountNameHeader" - name: "intgGuid" in: "path" description: "The container registry's ID." required: true schema: type: "string" responses: "204": description: "Success" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/ContractInfo: get: tags: - "ContractInfo" summary: "Contract Info" description: "Return contract details about the Lacework licenses found in the\ \ Lacework instance by invoking the following endpoint:\n\n > `GET https://YourLacework.lacework.net/api/v2/ContractInfo`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" - $ref: "#/components/parameters/paramAccountNameHeader" responses: "200": $ref: "#/components/responses/responseContractInfoList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/DataExportRules: post: tags: - "DataExportRules" summary: "Create Data Export Rules" description: "Create a data export rule by specifying parameters in the request\ \ body when invoking the following endpoint:\n\n`POST https://YourLacework.lacework.net/api/v2/DataExportRules`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" - $ref: "#/components/parameters/paramAccountNameHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/DataExportRules_Create_Schema" responses: "201": $ref: "#/components/responses/responseDataExportRules_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" get: tags: - "DataExportRules" summary: "List All Data Export Rules" description: "List all data export rules in your Lacework Application by invoking\ \ the following endpoint: \n\n`GET https://YourLacework.lacework.net/api/v2/DataExportRules`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" - $ref: "#/components/parameters/paramAccountNameHeader" responses: "200": $ref: "#/components/responses/responseDataExportRulesList_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/DataExportRules/search: post: tags: - "DataExportRules" summary: "Search Data Export Rules" description: "Search data export rules by invoking the following endpoint:\n\ \n `POST https://YourLacework.lacework.net/api/v2/DataExportRules/search`\n\ \n To limit the returned result, optionally specify one or more filters in\ \ the request\n body. \n\n Here are some example `body` payloads:\n\n * `{\ \ \"filters\": [ { \"field\": \"mcGuid\", \"expression\": \"rlike\", \"value\"\ : \"123ABC\" } ] } ` \n\n * `{ \"filters\": [ { \"field\": \"mcGuid\", \"\ expression\": \"between\", \"values\": [ \"ABC_123\", \"DEC_456\" ] } ] }`\ \ \n\n * `{ \"filters\": [ { \"field\": \"intgGuidList\", \"expression\"\ : \"eq\", \"value\": \"ABC_123\" } ] } ` \n\n * `{ \"filters\": [ { \"field\"\ : \"intgGuidList\", \"expression\": \"in\", \"values\": [ \"ABC_123\", \"\ DEF_456\" ] } ] } ` \n\n * `{ \"filters\": [ { \"field\": \"filters.name\"\ , \"expression\": \"ilike\", \"value\": \"slack\" } ] } ` \n\n * `{ \"filters\"\ : [ { \"field\": \"filters.profileVersions\", \"expression\": \"eq\", \"value\"\ : \"V1\" } ] } `\n\n In the request body, optionally specify the list of\ \ fields to return in the response by specifying the list in the `returns`\ \ array." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" - $ref: "#/components/parameters/paramAccountNameHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/GET_DATA_REQUEST_BODY_FILTERS" responses: "200": $ref: "#/components/responses/responseDataExportRulesList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/DataExportRules/{mcGuid}: get: tags: - "DataExportRules" summary: "Data Export Rule Details" description: "Get details about a data export rule by invoking the following\ \ endpoint:\n\n `GET https://YourLacework.lacework.net/api/v2/DataExportRules/{mcGuid}`\n\ \n Replace `{mcGuid}` with the `mcGuid` value returned for a data export rule\ \ in the response when the `GET /api/v2/DataExportRules` endpoint is invoked." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" - $ref: "#/components/parameters/paramAccountNameHeader" - name: "mcGuid" in: "path" description: "Data Export Rule ID" required: true schema: type: "string" responses: "200": $ref: "#/components/responses/responseDataExportRules_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" patch: tags: - "DataExportRules" summary: "Update Data Export Rules" description: "Update a data export rule by specifying parameters in the request\ \ body when invoking the following endpoint:\n\n `PATCH https://YourLacework.lacework.net/api/v2/DataExportRules/{mcGuid}`\n\ \n Replace `{mcGuid}` with the `mcGuid` value returned for a data export rule\ \ in the response when the `GET /api/v2/DataExportRules` endpoint is invoked.\n\ \n In the request body, only specify the parameters that you want to update,\ \ for example, `{ \"enabled\" : 0 }`." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" - $ref: "#/components/parameters/paramAccountNameHeader" - name: "mcGuid" in: "path" description: "Data Export Rule ID" required: true schema: type: "string" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/DataExportRules_Update_Schema" responses: "200": $ref: "#/components/responses/responseDataExportRules_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" put: tags: - "DataExportRules" summary: "Update Data Export Rules" description: "Update a data export rule by specifying the entire object in the\ \ request body when invoking the following endpoint:\n\n `PUT https://YourLacework.lacework.net/api/v2/DataExportRules/{mcGuid}`\n\ \n In the request body, specify the entire object that you want to update,\ \ for example,\n\n > `{\"mcGuid\": \"string\", \"filters\": {\"name\": \"\ string\", \"description\": \"string\", \"enabled\": 1, \"profileVersions\"\ : [\"V1\"]}, \"intgGuidList\": [\"string\"], \"type\": \"Dataexport\"}`." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" - $ref: "#/components/parameters/paramAccountNameHeader" - name: "mcGuid" in: "path" description: "Data Export Rule ID" required: true schema: type: "string" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/DataExportRules_Create_Schema" responses: "200": $ref: "#/components/responses/responseDataExportRules_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" delete: tags: - "DataExportRules" summary: "Delete DataExportRules" description: "Delete a data export rule by invoking the following endpoint:\n\ \n `DELETE https://YourLacework.lacework.net/api/v2/DataExportRules/{mcGuid}`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" - $ref: "#/components/parameters/paramAccountNameHeader" - name: "mcGuid" in: "path" description: "Data Export Rule ID" required: true schema: type: "string" responses: "204": description: "Success" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/Datasources: get: tags: - "Datasources" summary: "List All Datasources" description: "List all available datasources in your Lacework instance by invoking\ \ the following endpoint:\n\n > `GET https://YourLacework.lacework.net/api/v2/Datasources`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" responses: "200": $ref: "#/components/responses/responseDatasourcesList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/Datasources/{datasource}: get: tags: - "Datasources" summary: "Datasource Details" description: "Get details about a single datasource by invoking the following\ \ endpoint:\n\n > `GET https://YourLacework.lacework.net/api/v2/Datasources/{datasource}`\n\ \n Replace `{datasource}` with the `name` value returned for a datasource\ \ in the response when invoking the following endpoint: `GET /api/v2/Datasources`." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - name: "datasource" in: "path" description: "The datasource's name." required: true schema: type: "string" responses: "200": $ref: "#/components/responses/responseDatasources_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/Datasources/search: post: tags: - "Datasources" summary: "Search Datasources" description: "Search for datasources by specifying parameters in the request\ \ body when invoking the following endpoint:\n\n > `POST https://YourLacework.lacework.net/api/v2/Datasources/search`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/PASSTHROUGH_API_FILTERS" responses: "200": $ref: "#/components/responses/responseDatasources_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/Entities/Applications/search: post: tags: - "Entities" summary: "Search Applications" description: "Search for applications running on the machine with an agent within\ \ the last 90 days. Get details such as the application name, username, machine,\ \ etc. by invoking the following endpoint: \n\n > `POST https://YourLacework.lacework.net/api/v2/Entities/Applications/search`\ \ \n\n Lacework highly recommends specifying a time range. Without a specified\ \ time range, the request uses the default time range of 24 hours prior to\ \ the current time. The maximum time range per API request is 7 days. To\ \ use the current time as the end time, exclude the endTime field.\n\n You\ \ can optionally filter the returned applications by application name, username,\ \ machine, and more. For more information, see [APPLICATIONS_V View](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/529927/applications-v-view).\n\ \n Here are some example `body` payloads: \n * `{ \"timeFilter\": { \"startTime\"\ : \"2021-08-28T20:30:00Z\", \"endTime\": \"2021-08-28T22:30:00Z\"}}`\n * `{\ \ \"timeFilter\": { \"startTime\": \"2021-08-28T20:30:00Z\", \"endTime\":\ \ \"2021-08-28T22:30:00Z\"},` \n `\"filters\": [ { \"field\": \"mid\", \"\ expression\": \"eq\", \"value\": \"12345\" } ] }` \n * `{ \"timeFilter\":\ \ { \"startTime\": \"2021-08-28T20:30:00Z\", \"endTime\": \"2021-08-28T22:30:00Z\"\ },`\n `\"filters\": [ { \"field\": \"mid\", \"expression\": \"eq\", \"value\"\ : \"12345\" }, { \"field\": \"containerInfo.pod_type\", \"expression\": \"\ eq\", \"value\": \"lacework-agent\" } ],` \n `\"returns\": [ \"appName\"\ , \"exePath\", \"containerInfo\", \"mid\", \"username\" ] }`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/GET_DATA_REQUEST_BODY_TIME_FILTERS" responses: "200": $ref: "#/components/responses/responseEntities_ApplicationsList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/Entities/CommandLines/search: post: tags: - "Entities" summary: "Search Command Line Invocations" description: "Search for active command line invocations in your environment\ \ across machines. Get details such as the created time, command line hash,\ \ and name of the command line executable by invoking the following endpoint:\ \ \n\n > `POST https://YourLacework.lacework.net/api/v2/Entities/CommandLines/search`\ \ \n\n Lacework highly recommends specifying a time range. Without a specified\ \ time range, the request uses the default time range of 24 hours prior to\ \ the current time. The maximum time range per API request is 7 days. To\ \ use the current time as the end time, exclude the endTime field.\n\n You\ \ can optionally filter the returned command line invocations by the created\ \ time, command line hash, and name of the command line executable. For more\ \ information, see [CMDLINE_V View](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/208452/cmdline-v-view).\n\ \n Here are some example `body` payloads: \n * `{ \"timeFilter\": { \"startTime\"\ : \"2021-08-28T20:30:00Z\", \"endTime\": \"2021-08-28T22:30:00Z\"}}`\n * `{\ \ \"timeFilter\": { \"startTime\": \"2021-08-28T20:30:00Z\", \"endTime\":\ \ \"2021-08-28T22:30:00Z\"},` \n `\"filters\": [ { \"field\": \"cmdlineHash\"\ , \"expression\": \"eq\", \"value\": \"12345sdlfkhk54l5...\" } ] }` \n * `{\ \ \"timeFilter\": { \"startTime\": \"2021-08-28T20:30:00Z\", \"endTime\":\ \ \"2021-08-28T22:30:00Z\"},`\n `\"filters\": [ { \"field\": \"cmdlineHash\"\ , \"expression\": \"eq\", \"value\": \"12345sdlfkhk54l5...\" }, { \"field\"\ : \"cmdline\", \"expression\": \"eq\", \"value\": \"some command\" } ],` \ \ \n `\"returns\": [ \"cmdline\", \"cmdlineHash\" ] }`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/GET_DATA_REQUEST_BODY_TIME_FILTERS" responses: "200": $ref: "#/components/responses/responseEntities_CommandLinesList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/Entities/Containers/search: post: tags: - "Entities" summary: "Search Containers" description: "Search for containers in your environment. Get details, such as\ \ the container name, pod name, tags, and so on, by invoking the following\ \ endpoint: \n\n > `POST https://YourLacework.lacework.net/api/v2/Entities/Containers/search`\ \ \n\n The results reflect containers that were active and processed by Lacework\ \ within the specified time frame. Containers that were not active and containers\ \ that have not been processed yet do not appear in the results. \n\n Lacework\ \ highly recommends specifying a time range. Without a specified time range,\ \ the request uses the default time range of 24 hours prior to the current\ \ time. The maximum time range per API request is 7 days. To use the current\ \ time as the end time, exclude the endTime field. \n\n Due to the to the\ \ hourly aggregation window for container rows, any time range less than 1\ \ hour will return no results. The specified time range will filter container\ \ rows with aggregation windows that fall in the time range. For more information,\ \ see [CONTAINER_SUMMARY_V View](https://docs.fortinet.com/document/forticnapp/latest/administration-guide/672257/container-summary-v-view).\ \ \n\n You can optionally filter the returned containers by the container\ \ name, pod name, tags, and more. For more information, see [CONTAINER_SUMMARY_V\ \ View](https://docs.fortinet.com/document/forticnapp/latest/administration-guide/672257/container-summary-v-view).\ \ \n\n Here are some example `body` payloads: \n * `{ \"timeFilter\": { \"\ startTime\": \"2021-08-28T20:30:00Z\", \"endTime\": \"2021-08-28T22:30:00Z\"\ }}`\n * `{ \"timeFilter\": { \"startTime\": \"2021-08-28T20:30:00Z\", \"endTime\"\ : \"2021-08-28T22:30:00Z\"},` \n `\"filters\": [ { \"field\": \"mid\", \"\ expression\": \"eq\", \"value\": \"12345\" } ] }` \n * `{ \"timeFilter\":\ \ { \"startTime\": \"2021-08-28T20:30:00Z\", \"endTime\": \"2021-08-28T22:30:00Z\"\ },`\n `\"filters\": [ { \"field\": \"mid\", \"expression\": \"eq\", \"value\"\ : \"12345\" }, { \"field\": \"propsContainer.IMAGE_TAG\", \"expression\":\ \ \"eq\", \"value\": \"v1.7.0-eksbuild.1\" } ],` \n `\"returns\": [ \"containerName\"\ , \"imageId\", \"podName\", \"propsContainer\", \"tags\" ] }` \n\n\n Within\ \ request bodies, nested field names that contain one or more special characters—\ e.g., dot (\".\"), colon (\":\"), or slash (\"/\")—must be enclosed in **escaped\ \ double quotes**. For example, the field name `io.codefresh.repo.name` nested\ \ under the `PROPS_LABEL` of the `propsContainer` field would be rendered\ \ as follows: \n\n `\"propsContainer.PROPS_LABEL.\\\"io.codefresh.repo.name\\\ \"\"` \n\n In a filter, the example would appear as follows: \n\n `{ \"field\"\ : \"propsContainer.PROPS_LABEL.\\\"io.codefresh.repo.name\\\"\", \"expression\"\ : \"eq\", \"value\": \"modelservice\" }`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/GET_DATA_REQUEST_BODY_TIME_FILTERS" responses: "200": $ref: "#/components/responses/responseEntities_ContainersList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/Entities/Files/search: post: tags: - "Entities" summary: "Search Files" description: "Search for files in your environment. Get details such as the\ \ path to the file, file size, date of file modification, etc. by invoking\ \ the following endpoint: \n\n > `POST https://YourLacework.lacework.net/api/v2/Entities/Files/search`\ \ \n\n Lacework highly recommends specifying a time range. Without a specified\ \ time range, the request uses the default time range of 24 hours prior to\ \ the current time. The maximum time range per API request is 7 days. To\ \ use the current time as the end time, exclude the endTime field.\n\n You\ \ can optionally filter the returned files by the path to the file, file size,\ \ date of file modification, and more. For more information, see [ALL_FILES_V\ \ View](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/227038/all-files-v-view).\n\ \n Here are some example `body` payloads: \n * `{ \"timeFilter\": { \"startTime\"\ : \"2021-08-28T20:30:00Z\", \"endTime\": \"2021-08-28T22:30:00Z\"}}`\n * `{\ \ \"timeFilter\": { \"startTime\": \"2021-08-28T20:30:00Z\", \"endTime\":\ \ \"2021-08-28T22:30:00Z\"},` \n `\"filters\": [ { \"field\": \"mid\", \"\ expression\": \"eq\", \"value\": \"12345\" } ] }` \n * `{ \"timeFilter\":\ \ { \"startTime\": \"2021-08-28T20:30:00Z\", \"endTime\": \"2021-08-28T22:30:00Z\"\ },`\n `\"filters\": [ { \"field\": \"mid\", \"expression\": \"eq\", \"value\"\ : \"12345\" }, { \"field\": \"filePath\", \"expression\": \"eq\", \"value\"\ : \"somePath\" } ],` \n `\"returns\": [ \"filePath\", \"filedataHash\", \"\ mid\", \"size\" ] }`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/GET_DATA_REQUEST_BODY_TIME_FILTERS" responses: "200": $ref: "#/components/responses/responseEntities_FilesList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/Entities/Images/search: post: tags: - "Entities" summary: "Search Images" description: "Search for container images in your environment. Get details such\ \ as the image id, image size, repository name, etc. by invoking the following\ \ endpoint: \n\n > `POST https://YourLacework.lacework.net/api/v2/Entities/Images/search`\ \ \n\n Lacework highly recommends specifying a time range. Without a specified\ \ time range, the request uses the default time range of 24 hours prior to\ \ the current time. The maximum time range per API request is 7 days. To\ \ use the current time as the end time, exclude the endTime field.\n\n You\ \ can optionally filter the returned images by image id, image size, repository\ \ name, and more. For more information, see [IMAGE_V View](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/98614/image-v-view).\ \ \n\n Here are some example `body` payloads: \n * `{ \"timeFilter\": { \"\ startTime\": \"2021-08-28T20:30:00Z\", \"endTime\": \"2021-08-28T22:30:00Z\"\ }}`\n * `{ \"timeFilter\": { \"startTime\": \"2021-08-28T20:30:00Z\", \"endTime\"\ : \"2021-08-28T22:30:00Z\"},` \n `\"filters\": [ { \"field\": \"mid\", \"\ expression\": \"eq\", \"value\": \"12345\" } ] }` \n * `{ \"timeFilter\":\ \ { \"startTime\": \"2021-08-28T20:30:00Z\", \"endTime\": \"2021-08-28T22:30:00Z\"\ },`\n `\"filters\": [ { \"field\": \"mid\", \"expression\": \"eq\", \"value\"\ : \"12345\" }, { \"field\": \"size\", \"expression\": \"eq\", \"value\": \"\ 434\" } ],` \n `\"returns\": [ \"imageId\", \"mid\", \"repo\", \"size\" ]\ \ }`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/GET_DATA_REQUEST_BODY_TIME_FILTERS" responses: "200": $ref: "#/components/responses/responseEntities_ImagesList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/Entities/InternalIPAddresses/search: post: tags: - "Entities" summary: "Search Internal IP Addresses" description: "Search for internal IP addresses in your environment. Get details\ \ such as the start time, IP address, machine ID, etc. by invoking the following\ \ endpoint: \n\n > `POST https://YourLacework.lacework.net/api/v2/Entities/InternalIPAddresses/search`\ \ \n\n Lacework highly recommends specifying a time range. Without a specified\ \ time range, the request uses the default time range of 24 hours prior to\ \ the current time. The maximum time range per API request is 7 days. To\ \ use the current time as the end time, exclude the endTime field.\n\n You\ \ can optionally filter the returned addresses by the start time, IP address,\ \ machine ID, and more. For more information, see [INTERNAL_IPA_V View](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/303823/internal-ipa-v-view).\ \ \n\n Here are some example `body` payloads: \n * `{ \"timeFilter\": { \"\ startTime\": \"2021-08-28T20:30:00Z\", \"endTime\": \"2021-08-28T22:30:00Z\"\ }}`\n * `{ \"timeFilter\": { \"startTime\": \"2021-08-28T20:30:00Z\", \"endTime\"\ : \"2021-08-28T22:30:00Z\"},` \n `\"filters\": [ { \"field\": \"mid\", \"\ expression\": \"eq\", \"value\": \"12345\" } ] }` \n * `{ \"timeFilter\":\ \ { \"startTime\": \"2021-08-28T20:30:00Z\", \"endTime\": \"2021-08-28T22:30:00Z\"\ },`\n `\"filters\": [ { \"field\": \"mid\", \"expression\": \"eq\", \"value\"\ : \"12345\" }, { \"field\": \"ipAddr\", \"expression\": \"eq\", \"value\"\ : \"10.123.456.1\" } ],` \n `\"returns\": [ \"ipAddr\" ] }`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/GET_DATA_REQUEST_BODY_TIME_FILTERS" responses: "200": $ref: "#/components/responses/responseEntities_InternalIPAddressesList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/Entities/K8sPods/search: post: tags: - "Entities" summary: "Search K8s Pods" description: "Search for Kubernetes pods in your environment. Get details such\ \ as the pod name, IP address assigned to the pod, and other pod statistics\ \ by invoking the following endpoint:\n\n > `POST https://YourLacework.lacework.net/api/v2/Entities/K8sPods/search`\ \ \n\n Lacework highly recommends specifying a time range. Without a specified\ \ time range, the request uses the default time range of 24 hours prior to\ \ the current time. The maximum time range per API request is 7 days. To use\ \ the current time as the end time, exclude the endTime field.\n\n You can\ \ optionally filter the returned pods by machine ID, pod name, primary IP\ \ address, and more. For more information, see [POD_SUMMARY_V View](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/999654/pod-summary-v-view).\ \ \n\n Here are some example `body` payloads: \n * `{ \"timeFilter\": { \"\ startTime\": \"2021-08-28T20:30:00Z\", \"endTime\": \"2021-08-28T22:30:00Z\"\ }}`\n * `{ \"timeFilter\": { \"startTime\": \"2021-08-28T20:30:00Z\", \"endTime\"\ : \"2021-08-28T22:30:00Z\"},` \n `\"filters\": [ { \"field\": \"mid\", \"\ expression\": \"eq\", \"value\": \"12345\" } ] }` \n * `{ \"timeFilter\":\ \ { \"startTime\": \"2021-08-28T20:30:00Z\", \"endTime\": \"2021-08-28T22:30:00Z\"\ },`\n `\"filters\": [ { \"field\": \"mid\", \"expression\": \"eq\", \"value\"\ : \"12345\" }, { \"field\": \"propsContainer.IMAGE_ID\", \"expression\": \"\ eq\", \"value\": \"sha256:9e862c010bf39766f9821926848754adccf58225aa652cc18a97fccba273df39\"\ \ } ],` \n `\"returns\": [ \"mid\", \"podName\", \"propsContainer\" ] }`\ \ \n\n\n Within request bodies, nested field names that contain one or more\ \ special characters—e.g., dot (\".\"), colon (\":\"), or slash (\"/\")—must\ \ be enclosed in **escaped double quotes**. For example, the field name `io.kubernetes.pod.namespace`\ \ nested under the `PROPS_LABEL` of the `propsContainer` field would be rendered\ \ as follows: \n\n `\"propsContainer.PROPS_LABEL.\\\"io.kubernetes.pod.namespace\\\ \"\"` \n\n In a filter, the example would appear as follows: \n\n `{ \"field\"\ : \"propsContainer.PROPS_LABEL.\\\"io.kubernetes.pod.namespace\\\"\", \"expression\"\ : \"eq\", \"value\": \"codefresh\" }`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/GET_DATA_REQUEST_BODY_TIME_FILTERS" responses: "200": $ref: "#/components/responses/responseEntities_K8sPodsList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/Entities/Machines/search: post: tags: - "Entities" summary: "Search Machines" description: "Search for machines in your environment. Get details such as the\ \ machine ID, host name of the machine, and other machine statistics by invoking\ \ the following endpoint:\n\n > `POST https://YourLacework.lacework.net/api/v2/Entities/Machines/search`\ \ \n\n The results reflect the online machines for the specified time frame.\ \ Machines that were not online do not appear in the results. \n\n Lacework\ \ highly recommends specifying a time range. Without a specified time range,\ \ the request uses the default time range of 24 hours prior to the current\ \ time. The maximum time range per API request is 7 days. To use the current\ \ time as the end time, exclude the endTime field.\n\n You can optionally\ \ filter the returned machines by machine ID, host name, primary IP address,\ \ and more. For more information, see [MACHINE_SUMMARY_V View](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/304427/machine-summary-v-view).\ \ \n\n Here are some example `body` payloads: \n * `{ \"timeFilter\": { \"\ startTime\": \"2021-08-28T20:30:00Z\", \"endTime\": \"2021-08-28T22:30:00Z\"\ }}`\n * `{ \"timeFilter\": { \"startTime\": \"2021-08-28T20:30:00Z\", \"endTime\"\ : \"2021-08-28T22:30:00Z\"},` \n `\"filters\": [ { \"field\": \"mid\", \"\ expression\": \"eq\", \"value\": \"12345\" } ] }` \n * `{ \"timeFilter\":\ \ { \"startTime\": \"2021-08-28T20:30:00Z\", \"endTime\": \"2021-08-28T22:30:00Z\"\ },`\n `\"filters\": [ { \"field\": \"mid\", \"expression\": \"eq\", \"value\"\ : \"12345\" }, { \"field\": \"machineTags.ExternalIp\", \"expression\": \"\ eq\", \"value\": \"35.163.78.148\" } ],` \n `\"returns\": [ \"hostname\"\ , \"machineTags\", \"mid\", \"primaryIpAddr\" ] }` \n\n\n Within request bodies,\ \ nested field names that contain one or more special characters—e.g., dot\ \ (\".\"), colon (\":\"), or slash (\"/\")—must be enclosed in **escaped double\ \ quotes**. For example, the field name `spotinst:aws:ec2:group:createdBy`\ \ nested under the `machineTags` field would be rendered as follows: \n\n\ \ `\"machineTags.\\\"spotinst:aws:ec2:group:createdBy\\\"\"` \n\n In a filter,\ \ the example would appear as follows: \n\n `{ \"field\": \"machineTags.\\\ \"spotinst:aws:ec2:group:createdBy\\\"\", \"expression\": \"eq\", \"value\"\ : \"spotinst\" }` \n\n In addition, forward slash characters within field\ \ names must be escaped with a backslash, as in the following example: \n\n\ \ `\"machineTags.\\\"kubernetes.io\\/cluster\\/prod1\\\"\"`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/GET_DATA_REQUEST_BODY_TIME_FILTERS" responses: "200": $ref: "#/components/responses/responseEntities_MachinesList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/Entities/MachineDetails/search: post: tags: - "Entities" summary: "Search Machine Details" description: "Search for machine details in your environment. Get details such\ \ as the machine ID, host name of the machine, domain associated with the\ \ machine, kernel type of the machine, and other machine statistics by invoking\ \ the following endpoint:\n\n > `POST https://YourLacework.lacework.net/api/v2/Entities/MachineDetails/search`\ \ \n\n Machine details are available only for machines that were online for\ \ the specified time frame. Details for machines that were not online are\ \ not available. \n\n Lacework highly recommends specifying a time range.\ \ Without a specified time range, the request uses the default time range\ \ of 24 hours prior to the current time. The maximum time range per API request\ \ is 7 days. To use the current time as the end time, exclude the endTime\ \ field. \n\n You can optionally filter the returned machines by machine ID,\ \ host name, domain, os, os version, and more. For more information, see [MACHINE_DETAILS_V\ \ View](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/906955/machine-details-v-view).\ \ \n\n Here are some example `body` payloads: \n * `{ \"timeFilter\": { \"\ startTime\": \"2021-08-28T20:30:00Z\", \"endTime\": \"2021-08-28T22:30:00Z\"\ }}`\n * `{ \"timeFilter\": { \"startTime\": \"2021-08-28T20:30:00Z\", \"endTime\"\ : \"2021-08-28T22:30:00Z\"},` \n `\"filters\": [ { \"field\": \"mid\", \"\ expression\": \"eq\", \"value\": \"12345\" } ] }` \n * `{ \"timeFilter\":\ \ { \"startTime\": \"2021-08-28T20:30:00Z\", \"endTime\": \"2021-08-28T22:30:00Z\"\ },`\n `\"filters\": [ { \"field\": \"mid\", \"expression\": \"eq\", \"value\"\ : \"12345\" }, { \"field\": \"tags.AmiId\", \"expression\": \"eq\", \"value\"\ : \"ami-0b83c6233cdbe5c3e\" } ],` \n `\"returns\": [ \"hostname\", \"mid\"\ , \"awsInstanceId\", \"awsZone\", \"tags\" ] }` \n\n\n Within request bodies,\ \ nested field names that contain one or more special characters—e.g., dot\ \ (\".\"), colon (\":\"), or slash (\"/\")—must be enclosed in **escaped double\ \ quotes**. For example, the field name `spotinst:aws:ec2:group:createdBy`\ \ nested under the `tags` field would be rendered as follows: \n\n `\"tags.\\\ \"spotinst:aws:ec2:group:createdBy\\\"\"` \n\n In a filter, the example would\ \ appear as follows: \n\n `{ \"field\": \"tags.\\\"spotinst:aws:ec2:group:createdBy\\\ \"\", \"expression\": \"eq\", \"value\": \"spotinst\" }` \n\n In addition,\ \ forward slash characters within field names must be escaped with a backslash,\ \ as in the following example: \n\n `\"tags.\\\"kubernetes.io\\/cluster\\\ /prod1\\\"\"`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/GET_DATA_REQUEST_BODY_TIME_FILTERS" responses: "200": $ref: "#/components/responses/responseEntities_MachineDetailsList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/Entities/NetworkInterfaces/search: post: tags: - "Entities" summary: "Search Network Interfaces" description: "Search for network interfaces in your environment. Get details\ \ such as the interface name, machine ID, hardware address associated with\ \ the interface, etc. by invoking the following endpoint: \n\n > `POST https://YourLacework.lacework.net/api/v2/Entities/NetworkInterfaces/search`\ \ \n\n Lacework highly recommends specifying a time range. Without a specified\ \ time range, the request uses the default time range of 24 hours prior to\ \ the current time. The maximum time range per API request is 7 days. To\ \ use the current time as the end time, exclude the endTime field.\n\n You\ \ can optionally filter the returned interfaces by the interface name, machine\ \ ID, the hardware address associated with the interface, and more. For more\ \ information, see [INTERFACES_V View](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/319023/interfaces-v-view).\ \ \n\n Here are some example `body` payloads: \n * `{ \"timeFilter\": { \"\ startTime\": \"2021-08-28T20:30:00Z\", \"endTime\": \"2021-08-28T22:30:00Z\"\ }}`\n * `{ \"timeFilter\": { \"startTime\": \"2021-08-28T20:30:00Z\", \"endTime\"\ : \"2021-08-28T22:30:00Z\"},` \n `\"filters\": [ { \"field\": \"mid\", \"\ expression\": \"eq\", \"value\": \"12345\" } ] }` \n * `{ \"timeFilter\":\ \ { \"startTime\": \"2021-08-28T20:30:00Z\", \"endTime\": \"2021-08-28T22:30:00Z\"\ },`\n `\"filters\": [ { \"field\": \"mid\", \"expression\": \"eq\", \"value\"\ : \"12345\" }, { \"field\": \"name\", \"expression\": \"eq\", \"value\": \"\ someName\" } ],` \n `\"returns\": [ \"name\", \"mid\", \"hwAddr\", \"ipAddr\"\ \ ] }`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/GET_DATA_REQUEST_BODY_TIME_FILTERS" responses: "200": $ref: "#/components/responses/responseEntities_NetworkInterfacesList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/Entities/NewFileHashes/search: post: tags: - "Entities" summary: "Search New File Hashes" description: "Search for new file hashes in your environment. Get details such\ \ as the file hash, start time, and end time by invoking the following endpoint:\ \ \n\n > `POST https://YourLacework.lacework.net/api/v2/Entities/NewFileHashes/search`\ \ \n\n Lacework highly recommends specifying a time range. Without a specified\ \ time range, the request uses the default time range of 24 hours prior to\ \ the current time. The maximum time range per API request is 7 days. To\ \ use the current time as the end time, exclude the endTime field.\n\n You\ \ can optionally filter the returned file hashes by the file hash, start time,\ \ or end time. For more information, see [NEW_HASHES_V View](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/246848/new-hashes-v-view).\ \ \n\n Here are some example `body` payloads: \n * `{ \"timeFilter\": { \"\ startTime\": \"2021-08-28T20:30:00Z\", \"endTime\": \"2021-08-28T22:30:00Z\"\ }}`\n * `{ \"timeFilter\": { \"startTime\": \"2021-08-28T20:30:00Z\", \"endTime\"\ : \"2021-08-28T22:30:00Z\"},` \n `\"filters\": [ { \"field\": \"filedataHash\"\ , \"expression\": \"eq\", \"value\": \"2394832980909eoifjof3209032840i39r02390\"\ \ } ],` \n `\"returns\": [ \"filedataHash\" ] }`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/GET_DATA_REQUEST_BODY_TIME_FILTERS" responses: "200": $ref: "#/components/responses/responseEntities_NewFileHashesList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/Entities/Packages/search: post: tags: - "Entities" summary: "Search Packages" description: "Search for package in your environment. Get details such as the\ \ machine ID that contains the package, package name, package version, and\ \ other package statistics by invoking the following endpoint:\n\n > `POST\ \ https://YourLacework.lacework.net/api/v2/Entities/Packages/search` \n\n\ \ Lacework highly recommends specifying a time range. Without a specified\ \ time range, the request uses the default time range of 24 hours prior to\ \ the current time. The maximum time range per API request is 7 days. To\ \ use the current time as the end time, exclude the endTime field.\n\n You\ \ can optionally filter the returned packages by machine ID, version, package\ \ architecture type, and more. For more information, see [PACKAGE_V View](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/639899/package-v-view).\n\ \n Here are some example `body` payloads: \n * `{ \"timeFilter\": { \"startTime\"\ : \"2021-08-28T20:30:00Z\", \"endTime\": \"2021-08-28T22:30:00Z\"}}`\n * `{\ \ \"timeFilter\": { \"startTime\": \"2021-08-28T20:30:00Z\", \"endTime\":\ \ \"2021-08-28T22:30:00Z\"},` \n `\"filters\": [ { \"field\": \"mid\", \"\ expression\": \"eq\", \"value\": \"12345\" } ] }` \n * `{ \"timeFilter\":\ \ { \"startTime\": \"2021-08-28T20:30:00Z\", \"endTime\": \"2021-08-28T22:30:00Z\"\ },`\n `\"filters\": [ { \"field\": \"mid\", \"expression\": \"eq\", \"value\"\ : \"12345\" }, { \"field\": \"packageName\", \"expression\": \"eq\", \"value\"\ : \"package-1\" } ],` \n `\"returns\": [ \"packageName\", \"mid\", \"version\"\ \ ] }`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/GET_DATA_REQUEST_BODY_TIME_FILTERS" responses: "200": $ref: "#/components/responses/responseEntities_PackagesList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/Entities/Processes/search: post: tags: - "Entities" summary: "Search Processes" description: "Search for processes in your environment. Get details such as\ \ the process ID, username that started the process, path to the file, parent\ \ process ID, etc., by invoking the following endpoint: \n\n > `POST https://YourLacework.lacework.net/api/v2/Entities/Processes/search`\ \ \n\n Lacework highly recommends specifying a time range. Without a specified\ \ time range, the request uses the default time range of 24 hours prior to\ \ the current time. The maximum time range per API request is 7 days. To\ \ use the current time as the end time, exclude the endTime field.\n\n You\ \ can optionally filter the returned processes by the process id, username\ \ that started the process, path to the file, parent process ID, and more.\ \ For more information, see [PROCESS_SUMMARY_V View](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/667093/process-summary-v-view).\n\ \n Here are some example `body` payloads: \n * `{ \"timeFilter\": { \"startTime\"\ : \"2021-08-28T20:30:00Z\", \"endTime\": \"2021-08-28T22:30:00Z\"}}`\n * `{\ \ \"timeFilter\": { \"startTime\": \"2021-08-28T20:30:00Z\", \"endTime\":\ \ \"2021-08-28T22:30:00Z\"},` \n `\"filters\": [ { \"field\": \"mid\", \"\ expression\": \"eq\", \"value\": \"12345\" } ] }` \n * `{ \"timeFilter\":\ \ { \"startTime\": \"2021-08-28T20:30:00Z\", \"endTime\": \"2021-08-28T22:30:00Z\"\ },`\n `\"filters\": [ { \"field\": \"mid\", \"expression\": \"eq\", \"value\"\ : \"12345\" }, { \"field\": \"ppid\", \"expression\": \"eq\", \"value\": \"\ 0044\" } ],` \n `\"returns\": [ \"pid\", \"ppid\", \"cmdlineHash\", \"mid\"\ , \"uid\", \"username\" ] }`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/GET_DATA_REQUEST_BODY_TIME_FILTERS" responses: "200": $ref: "#/components/responses/responseEntities_ProcessesList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/Entities/Users/search: post: tags: - "Entities" summary: "Search Users" description: "Search for users in your environment. Get details such as the\ \ username, machine ID, user ID, etc. by invoking the following endpoint:\ \ \n\n > `POST https://YourLacework.lacework.net/api/v2/Entities/Users/search`\ \ \n\n Lacework highly recommends specifying a time range. Without a specified\ \ time range, the request uses the default time range of 24 hours prior to\ \ the current time. The maximum time range per API request is 7 days. To\ \ use the current time as the end time, exclude the endTime field.\n\n You\ \ can optionally filter the returned users by username, machine ID, user ID,\ \ and more. For more information, see [USER_DETAILS_V View](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/515580/user-details-v-view).\ \ \n\n Here are some example `body` payloads: \n * `{ \"timeFilter\": { \"\ startTime\": \"2021-08-28T20:30:00Z\", \"endTime\": \"2021-08-28T22:30:00Z\"\ }}`\n * `{ \"timeFilter\": { \"startTime\": \"2021-08-28T20:30:00Z\", \"endTime\"\ : \"2021-08-28T22:30:00Z\"},` \n `\"filters\": [ { \"field\": \"mid\", \"\ expression\": \"eq\", \"value\": \"12345\" } ] }` \n * `{ \"timeFilter\":\ \ { \"startTime\": \"2021-08-28T20:30:00Z\", \"endTime\": \"2021-08-28T22:30:00Z\"\ },`\n `\"filters\": [ { \"field\": \"mid\", \"expression\": \"eq\", \"value\"\ : \"12345\" }, { \"field\": \"username\", \"expression\": \"eq\", \"value\"\ : \"someUser\" } ],` \n `\"returns\": [ \"username\", \"uid\", \"mid\" ]\ \ }`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/GET_DATA_REQUEST_BODY_TIME_FILTERS" responses: "200": $ref: "#/components/responses/responseEntities_UsersList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/Events/search: post: tags: - "Events" summary: "Search Events" description: "The Events API enables you to retrieve the evidence or observation\ \ details by invoking the following endpoint: \n\n > `POST https://YourLacework.lacework.net/api/v2/Events/search`\ \ \n\n Lacework highly recommends specifying a time range in the request to\ \ narrow the search. If no time range is specified, the request uses the default\ \ time range of 24 hours before the current time. The maximum time range per\ \ API request is 7 days. To use the current time as the end time, exclude\ \ the endTime field. \n\n You can optionally filter the returned users by\ \ `eventType`, `srcType`, and more.\n\n Here are some example `body` payloads:\ \ \n * `{ \"timeFilter\": { \"startTime\": \"2022-03-18T00:00:00Z\", \"endTime\"\ : \"2022-03-18T12:00:00Z\"}}`\n * `{ \"timeFilter\": { \"startTime\": \"2022-03-18T00:00:00Z\"\ , \"endTime\": \"2022-03-18T12:00:00Z\"},` \n `\"filters\": [ { \"field\"\ : \"eventType\", \"expression\": \"eq\", \"value\": \"CloudTrailDefaultAlert\"\ \ } ] }` \n * `{ \"timeFilter\": { \"startTime\": \"2022-03-18T00:00:00Z\"\ , \"endTime\": \"2022-03-18T12:00:00Z\"},`\n `\"filters\": [ { \"field\":\ \ \"srcType\", \"expression\": \"eq\", \"value\": \"AwsResource\" }, { \"\ field\": \"srcEvent.awsRegion\", \"expression\": \"eq\", \"value\": \"us-west-2\"\ \ } ],` \n `\"returns\": [ \"id\", \"srcEvent\", \"srcType\" ] }`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/GET_DATA_REQUEST_BODY_TIME_FILTERS" responses: "200": $ref: "#/components/responses/responseEventsList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/Exceptions: post: tags: - "Exceptions" summary: "Create Policy Exceptions" description: "Create exceptions for a specific policy by specifying the exception\ \ metadata when invoking the following endpoint: \n\n > `POST /api/v2/Exceptions?policyId={policyId}`\ \ \n\n Replace `{policyId}` with the `policyId` value returned for an LQL\ \ policy in the response when invoking the following endpoint: \n\n > `GET\ \ /api/v2/Policies`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramPolicyId" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/Exceptions_Create_Schema" responses: "201": $ref: "#/components/responses/responseExceptions_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" get: tags: - "Exceptions" summary: "List All Policy Exceptions" description: "Get all existing exceptions by invoking the following endpoint:\ \ \n\n > `GET /api/v2/Exceptions` \n\n Get all existing exceptions of a specific\ \ policy by invoking the following endpoint: \n\n > `GET /api/v2/Exceptions?policyId={policyId}`\ \ \n\n Replace `{policyId}` with the `policyId` value returned for an LQL\ \ policy in the response when invoking the following endpoint: \n\n > `GET\ \ /api/v2/Policies`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramPolicyIdOptional" responses: "200": $ref: "#/components/responses/responseExceptionsList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/Exceptions/{exceptionId}: get: tags: - "Exceptions" summary: "Policy Exception Details" description: "Get details about an existing exception applied to a specific\ \ policy by invoking the following endpoint: \n\n > `GET /api/v2/Exceptions/{exceptionId}?policyId={policyId}`\ \ \n\n Replace `{policyId}` with the `policyId` value returned for an LQL\ \ policy in the response when when invoking the following endpoint: \n\n >\ \ `GET /api/v2/Policies` \n\n Replace `{exceptionId}` with the `exceptionId`\ \ value returned for an LQL policy in the response when invoking the following\ \ endpoint: \n\n > `GET /api/v2/Exceptions?policyId={policyId}`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - name: "exceptionId" in: "path" description: "Exception ID" required: true schema: type: "string" - $ref: "#/components/parameters/paramPolicyId" responses: "200": $ref: "#/components/responses/responseExceptions_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" patch: tags: - "Exceptions" summary: "Update Policy Exceptions" description: "Update an existing exception applied to a specific policy by invoking\ \ the following endpoint: \n\n > `PATCH /api/v2/Exceptions/{exceptionId}?policyId={policyId}`\ \ \n\n Replace `{policyId}` with the `policyId` value returned for an LQL\ \ policy in the response when invoking the following endpoint: \n\n > `GET\ \ /api/v2/Policies` \n\n Replace `{exceptionId}` with the `exceptionId` value\ \ returned for an LQL policy in the response when invoking the following endpoint:\ \ \n\n > `GET /api/v2/Exceptions?policyId={policyId}`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - name: "exceptionId" in: "path" description: "Exception ID" required: true schema: type: "string" - $ref: "#/components/parameters/paramPolicyId" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/Exceptions_Update_Schema" responses: "200": $ref: "#/components/responses/responseExceptions_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" delete: tags: - "Exceptions" summary: "Delete Policy Exceptions" description: "Delete an existing exception applied to a specific policy by invoking\ \ the following endpoint: \n\n > `DELETE /api/v2/Exceptions/{exceptionId}?policyId={policyId}`\ \ \n\n Replace `{policyId}` with the `policyId` value returned for an LQL\ \ policy in the response when invoking the following endpoint: \n\n > `GET\ \ /api/v2/Policies` \n\n Replace `{exceptionId}` with the `exceptionId` value\ \ returned for an LQL policy in the response when invoking the following endpoint:\ \ \n\n > `GET /api/v2/Exceptions?policyId={policyId}`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - name: "exceptionId" in: "path" description: "Exception ID" required: true schema: type: "string" - $ref: "#/components/parameters/paramPolicyId" responses: "204": description: "Success" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/Inventory/search: post: tags: - "Inventory" summary: "Search Inventory" description: "The Inventory API enables you to retrieve information about resources\ \ in your cloud integrations, such as virtual machines, S3 buckets, security\ \ groups, and more, using the following endpoint: \n\n > `POST /api/v2/Inventory/search`\ \ \n\nBy default, Lacework collects resource information once a day. You can\ \ view and modify when resource collection starts using the Compliance Report\ \ Schedule [setting](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/807088/general#resource-management-collection-schedule).\ \ \n\n The time filter allows you to see your resource inventory at a specific\ \ point of time. When using the Inventory API, keep in mind that the information\ \ returned reflects the inventory when the resource collector last ran within\ \ the specified time range. If you use a recent time range that does not encompass\ \ the last time inventory collection occurred, the query returns an empty\ \ array. In this case, expand the time span to include the last collection\ \ time. \n\n For details about what cloud resource information is available,\ \ see [CLOUD_CONFIGURATION_V View](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/479324/cloud-configuration-v-view).\ \ \n\n The `rlike` and `not_rlike` operators are useful for filtering results.\ \ For example, if the result contains the security group ID `sg-0a1b2c3d4e5f6g7h`\ \ in the path `resourceConfig.SecurityGroups.GroupId`, and `SecurityGroups`\ \ is an array, you can filter by ID for that pattern as follows:\n\n > `\"\ filters\" : [ {\"field\":\"resourceConfig\",\"expression\": \"rlike\", \"\ value\":\".*sg-0a1b2c3d4e5f6g7h.*\" } ]` \n\n Here are additional example\ \ `body` payloads: \n * `{ \"timeFilter\": { \"startTime\" : \"2022-06-08T00:00:00Z\"\ , \"endTime\": \"2022-06-10T12:00:00Z\"},` \n `\"csp\": \"AWS\" }` \n * `{\ \ \"timeFilter\": { \"startTime\": \"2022-06-08T00:00:00Z\", \"endTime\":\ \ \"2022-06-10T12:00:00Z\"},`\n `\"filters\" : [ { \"field\": \"resourceConfig.Architecture\"\ , \"expression\": \"eq\", \"value\": \"x86_64\" }, { \"field\": \"resourceRegion\"\ , \"expression\": \"eq\", \"value\" : \"us-east-2\" } ],` \n `\"returns\"\ : [ \"cloudDetails\", \"csp\", \"resourceConfig\" , \"resourceId\", \"resourceType\"\ \ ],` \n `\"csp\": \"GCP\" }`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/Dataset_2_Request_Body_Schema" responses: "200": $ref: "#/components/responses/responseInventoryList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/Inventory/scan: post: tags: - "Inventory" summary: "Scan Inventory" description: "Trigger a [resource scan](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/744719/resource-inventory).\ \ By default, Lacework scans cloud integrations in order to generate or update\ \ its resource inventory [once a day](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/807088/general#resource-management-collection-schedule).\ \ This endpoint lets you trigger scans manually. This endpoint is useful,\ \ for example, after you have onboarded a new cloud integration and want to\ \ start collecting and evaluating resources from the system immediately. Manual\ \ scans can be run one hour after the last scan has completed. \n\n Usage\ \ Example: \n\n > `curl -X POST -H 'Content-Type: application/json' \"https://YourLacework.lacework.net/api/v2/Inventory/scan?csp=AWS\"\ \ -H \"Authorization: Bearer YourAPIToken\"`\n\n" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - name: "csp" in: "query" description: "Cloud service provider" required: true schema: type: "string" enum: - "AWS" - "GCP" - "Azure" responses: "200": $ref: "#/components/responses/responseInventoryScanStatus_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" get: tags: - "Inventory" summary: "Track Inventory Scan Status" description: "Check the status of a [resource scan](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/744719/resource-inventory).\ \ A resource scan may take an hour or more to complete. This endpoint lets\ \ you check the progress of a running scan. \n\n Usage Example: \n\n > `curl\ \ -X GET -H 'Content-Type: application/json' \"https://YourLacework.lacework\ \ .net/api/v2/Inventory/scan?csp=AWS\" -H \"Authorization: Bearer YourAPIToken\"\ `\n\n" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - name: "csp" in: "query" description: "Cloud service provider" required: true schema: type: "string" enum: - "AWS" - "GCP" - "Azure" responses: "200": $ref: "#/components/responses/responseInventoryScanStatus_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/OrganizationInfo: get: tags: - "OrganizationInfo" summary: "Organization Info" description: "Return information about whether the Lacework account is an organization\ \ account and, if it is, what the organization account URL is by invoking\ \ the following endpoint: \n\n > `GET https://YourLacework.lacework.net/api/v2/OrganizationInfo`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" - $ref: "#/components/parameters/paramAccountNameHeader" responses: "200": $ref: "#/components/responses/responseOrganizationInfoList_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/Queries: post: tags: - "Queries" summary: "Create Queries" description: "Create a Lacework Query Language (LQL) query by specifying parameters\ \ in the request body when invoking the following endpoint:\n\n > `POST https://YourLacework.lacework.net/api/v2/Queries`\ \ \n\n This creates the LQL query in your Lacework instance so you can use\ \ it in an LQL custom policy and view it in the Lacework Console. You can\ \ get the unique identifiers for the LQL queries (`queryIdList`) array by\ \ invoking the `GET /api/v2/Queries` endpoint.\n\nFor information on creating\ \ queries, including information on specifying data sources, filtering, and\ \ returning data with the DISTINCT operator, see [LQL Overview](https://docs.fortinet.com/document/lacework-forticnapp/latest/lql-reference/598361/lql-overview)." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/Queries_Create_Schema" responses: "201": $ref: "#/components/responses/responseQueries_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" get: tags: - "Queries" summary: "List All Queries" description: "List all registered LQL queries in your Lacework instance by invoking\ \ the following endpoint:\n\n > `GET https://YourLacework.lacework.net/api/v2/Queries`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" responses: "200": $ref: "#/components/responses/responseQueriesList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/Queries/execute: post: tags: - "Queries" summary: "Execute Queries" description: "Run an LQL query by specifying parameters in the request body\ \ by invoking the following endpoint:\n\n > `POST https://YourLacework.lacework.net/api/v2/Queries/execute`\ \ \n\n The response is the data that the query finds in the datasource for\ \ the specified time period. To specify a time period, use the `StartTimeRange`\ \ and `EndTimeRange` arguments. For an example of how to specify a time frame,\ \ see [Example Queries](https://docs.fortinet.com/document/lacework-forticnapp/latest/lql-reference/435177/example-queries)." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" requestBody: required: true content: application/json: schema: required: - "query" properties: query: required: - "queryText" properties: queryText: description: "The query to execute" type: "string" options: $ref: "#/components/schemas/Query_Execute_Options" arguments: type: "array" items: description: "Argument for a query parameter" properties: name: description: "The parameter name." type: "string" value: description: "The argument value (type must match LQL type)" type: "string" responses: "200": $ref: "#/components/responses/responseQueriesExecute" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/Queries/{queryId}/execute: post: tags: - "Queries" summary: "Execute Queries by ID" description: "Run an existing LQL query registered in your Lacework instance\ \ by invoking the following endpoint:\n\n > `POST https://YourLacework.lacework.net/api/v2/Queries/{queryId}/execute`\n\ \n Replace `{queryId}` with the `queryId` value returned for an LQL query\ \ in the response when the `GET /api/v2/Queries` endpoint is invoked. The\ \ response is the data that the query finds in the datasource for the specified\ \ time period. For an example of how to specify a time frame, see [Example\ \ Queries](https://docs.fortinet.com/document/lacework-forticnapp/latest/lql-reference/435177/example-queries)." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - name: "queryId" in: "path" description: "Identifier of the query that executes while running the policy." required: true schema: type: "string" requestBody: required: false content: application/json: schema: properties: options: $ref: "#/components/schemas/Query_Execute_Options" arguments: type: "array" items: description: "Argument for a query parameter" properties: name: description: "The parameter name." type: "string" value: description: "The argument value (type must match LQL type)" type: "string" responses: "200": $ref: "#/components/responses/responseQueriesExecute" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/Queries/validate: post: tags: - "Queries" summary: "Validate Queries" description: "Validate an LQL query by specifying parameters in the request\ \ body by invoking the following endpoint:\n\n > `POST https://YourLacework.lacework.net/api/v2/Queries/validate`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" requestBody: required: true content: application/json: schema: required: - "queryText" properties: queryText: description: "When sending a request, provide a human-readable text\ \ syntax for specifying selection, filtering, and manipulation\ \ of data." type: "string" responses: "200": $ref: "#/components/responses/responseQueriesValidate" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/Queries/search: post: tags: - "Queries" summary: "Search Queries" description: "Search for queries by specifying parameters in the request body\ \ when invoking the following endpoint:\n\n > `POST https://YourLacework.lacework.net/api/v2/Queries/search`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/PASSTHROUGH_API_FILTERS" responses: "200": $ref: "#/components/responses/responseQueries_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/Queries/{queryId}: get: tags: - "Queries" summary: "Query Details" description: "Get details about a single LQL query by invoking the following\ \ endpoint:\n\n > `GET https://YourLacework.lacework.net/api/v2/Queries/{queryId}`\n\ \n Replace `{queryId}` with the `queryId` value returned for an LQL query\ \ in the response when the `GET /api/v2/Queries` endpoint is invoked." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - name: "queryId" in: "path" description: "Identifier of the query that executes while running the policy." required: true schema: type: "string" responses: "200": $ref: "#/components/responses/responseQueries_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" patch: tags: - "Queries" summary: "Update Queries" description: "Update an existing LQL query registered in your Lacework instance\ \ by invoking the following endpoint:\n\n > `PATCH https://YourLacework.lacework.net/api/v2/Queries/{queryId}`\n\ \n Replace `{queryId}` with the `queryId` value returned for an LQL query\ \ in the response when the `GET /api/v2/Queries` endpoint is invoked." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - name: "queryId" in: "path" description: "Identifier of the query that executes while running the policy." required: true schema: type: "string" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/Queries_Update_Schema" responses: "200": $ref: "#/components/responses/responseQueries_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" delete: tags: - "Queries" summary: "Delete Queries" description: "Delete a Lacework Query Language (LQL) query registered in your\ \ Lacework instance by invoking the following endpoint:\n\n > `DELETE https://YourLacework.lacework.net/api/v2/Queries/{queryId}`\n\ \n Replace `{queryId}` with the `queryId` value returned for an LQL query\ \ in the response when invoking the following endpoint: `GET /api/v2/Queries`." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - name: "queryId" in: "path" description: "Identifier of the query that executes while running the policy." required: true schema: type: "string" responses: "204": description: "Success" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/Policies: post: tags: - "Policies" summary: "Create Policies" description: "Create a Lacework Query Language (LQL) policy by specifying parameters\ \ in the request body when invoking the following endpoint:\n\n > `POST https://YourLacework.lacework.net/api/v2/Policies`\ \ \n\nThis creates the LQL policy in your Lacework instance so you can view\ \ it in the Lacework Console. You can get the unique identifiers for the LQL\ \ policies (`policyIdList`) array by invoking the `GET /api/v2/Policies` endpoint." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/Policies_Create_Schema" responses: "201": $ref: "#/components/responses/responsePolicies_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" get: tags: - "Policies" summary: "List All Policies" description: "List all registered LQL policies in your Lacework instance, by\ \ invoking the following endpoint:\n\n > `GET https://YourLacework.lacework.net/api/v2/Policies`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" responses: "200": $ref: "#/components/responses/responsePoliciesList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/Policies/search: post: tags: - "Policies" summary: "Search Policies" description: "Search for policies by specifying parameters in the request body\ \ when invoking the following endpoint:\n\n > `POST https://YourLacework.lacework.net/api/v2/Policies/search`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/PASSTHROUGH_API_FILTERS" responses: "200": $ref: "#/components/responses/responsePolicies_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/Policies/Tags: get: tags: - "Policies" summary: "Policy Tags" description: "Get a list of policy tags" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" responses: "200": $ref: "#/components/responses/responsePolicyTags_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/Policies/{policyId}: get: tags: - "Policies" summary: "Policy Details" description: "Get details about a single LQL policy by invoking the following\ \ endpoint:\n\n > `GET https://YourLacework.lacework.net/api/v2/Policies/{policyId}`\n\ \n Replace `{policyId}` with the `policyId` value returned for an LQL policy\ \ in the response when the `GET /api/v2/Policies` endpoint is invoked." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - name: "policyId" in: "path" description: "Policy ID" required: true schema: type: "string" responses: "200": $ref: "#/components/responses/responsePolicies_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" patch: tags: - "Policies" summary: "Update Policies" description: "Update an existing LQL policy registered in your Lacework instance\ \ by specifying parameters in the request body when invoking the following\ \ endpoint: \n\n > `PATCH https://YourLacework.lacework.net/api/v2/Policies/{policyId}`\n\ \n Replace `{policyId}` with the `policyId` value returned for an LQL policy\ \ in the response when the `GET /api/v2/Policies` endpoint is invoked." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - name: "policyId" in: "path" description: "Policy ID" required: true schema: type: "string" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/Policies_Update_Schema" responses: "200": $ref: "#/components/responses/responsePolicies_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" delete: tags: - "Policies" summary: "Delete Policies" description: "Delete an LQL custom policy registered in your Lacework instance\ \ by invoking the following endpoint:\n\n > `DELETE https://YourLacework.lacework.net/api/v2/Policies/{policyId}`\n\ \n Replace `{policyId}` with the `policyId` value returned for an LQL policy\ \ in the response when the `GET /api/v2/Policies` endpoint is invoked." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - name: "policyId" in: "path" description: "Policy ID" required: true schema: type: "string" responses: "204": description: "Success" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/ReportConfigurations: post: tags: - "ReportConfigurations" summary: "Create Report Configurations" description: "Create a report configuration by invoking the following endpoint:\n\ \n > `POST https://YourLacework.lacework.net/api/v2/ReportConfigurations`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/ReportConfigurations_Create_Schema" responses: "201": $ref: "#/components/responses/responseReportConfigurations_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" get: tags: - "ReportConfigurations" summary: "List All Report Configurations" description: "Get all report configurations by invoking the following endpoint:\n\ \n > `GET https://YourLacework.lacework.net/api/v2/ReportConfigurations`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" responses: "200": $ref: "#/components/responses/responseReportConfigurationsList_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/ReportConfigurations/{reportConfigGuid}/generate: post: tags: - "ReportConfigurations" summary: "Generate Report Configurations" description: "Generate a report using a report configuration by invoking the\ \ following endpoint:\n\n > `POST https://YourLacework.lacework.net/api/v2/ReportConfigurations/{reportConfigGuid}/generate?startTime={time}&endTime={time}&format={format}`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - name: "reportConfigGuid" in: "path" description: "Report Configurations id" required: true schema: type: "string" - name: "startTime" in: "query" required: true description: "The start time of the report. For example, `2026-01-20T00:00:00.000Z`" schema: type: "string" - name: "endTime" in: "query" required: true description: "The end time of the report. For example, `2026-01-21T00:00:00.000Z`" schema: type: "string" - name: "format" in: "query" required: true description: "The format of the report." schema: type: "string" enum: - "pdf" - "html" - "json" responses: "200": description: "Successful retrieval of html or pdf report" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/ReportConfigurations/{reportConfigGuid}: get: tags: - "ReportConfigurations" summary: "Report Configurations Details" description: "Get details about a report configuration by invoking the following\ \ endpoint:\n\n > `GET https://YourLacework.lacework.net/api/v2/ReportConfigurations/{reportConfigGuid}`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - name: "reportConfigGuid" in: "path" description: "Report Configurations id" required: true schema: type: "string" responses: "200": $ref: "#/components/responses/responseReportConfigurations_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" patch: tags: - "ReportConfigurations" summary: "Update Report Configurations" description: "Update an existing report configuration by invoking the following\ \ endpoint:\n\n > `PATCH https://YourLacework.lacework.net/api/v2/ReportConfigurations/{reportConfigGuid}`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - name: "reportConfigGuid" in: "path" description: "Report Configurations id" required: true schema: type: "string" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/ReportConfigurations_Update_Schema" responses: "200": $ref: "#/components/responses/responseReportConfigurations_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" delete: tags: - "ReportConfigurations" summary: "Delete Report Configurations" description: "Delete an existing report configuration by invoking the following\ \ endpoint:\n\n > `DELETE https://YourLacework.lacework.net/api/v2/ReportConfigurations/{reportConfigGuid}`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - name: "reportConfigGuid" in: "path" description: "Report Configurations id" required: true schema: type: "string" responses: "204": description: "Success" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/ReportRules: post: tags: - "ReportRules" summary: "Create Report Rule" description: "Create a report rule in your Lacework instance by invoking the\ \ following endpoint:\n\n > `POST https://YourLacework.lacework.net/api/v2/ReportRules`\n\ \n Get the unique identifiers for the alert channels (`intGuidList`) array\ \ by invoking the `GET /api/v2/ReportRules` endpoint.\n\n In addition, the\ \ severity field is required if you create report rules for any of the following\ \ report types: `awsCloudtrailEvents`, `awsComplianceEvents`, `azureActivityLogEvents`,\ \ `azureComplianceEvents`, `gcpAuditTrailEvents`, `gcpComplianceEvents`, `platformEvents`,\ \ `agentEvents`." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/ReportRules_Create_Schema" responses: "201": $ref: "#/components/responses/responseReportRules_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" get: tags: - "ReportRules" summary: "List All Report Rules" description: "List all report rules in your Lacework instance, by invoking\ \ the following endpoint:\n\n > `GET https://YourLacework.lacework.net/api/v2/ReportRules`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" responses: "200": $ref: "#/components/responses/responseReportRulesList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/ReportRules/search: post: tags: - "ReportRules" summary: "Search Report Rules" description: "Search all report rules in your Lacework instance by invoking\ \ the following endpoint:\n\n > `POST https://YourLacework.lacework.net/api/v2/ReportRules/search`\n\ \n To limit the returned result, optionally specify one or more filters in\ \ the request body. For more information about using filters, see the [Simple\ \ & Advanced Search section](/api/v2/docs/#tag/OVERVIEW).\n\n Here are some\ \ example `body` payloads:\n\n * `{ \"filters\": [ { \"expression\": \"eq\"\ , \"field\": \"name\", \"value\": \" Jane\" } ] } `\n\n * `{ \"filters\"\ : [ { \"field\": \"mcGuid\", \"expression\": \"rlike\", \"value\": \"123ABC\"\ \ } ] } `\n\n * `{ \"filters\": [ { \"field\": \"mcGuid\", \"expression\"\ : \"between\", \"values\": [ \"ABC_123\", \"DEC_456\" ] } ] }` \n\n * `{\ \ \"filters\": [ { \"field\": \"intgGuidList\", \"expression\": \"eq\", \"\ value\": \"ABC_123\" } ] } ` \n\n * `{ \"filters\": [ { \"field\": \"intgGuidList\"\ , \"expression\": \"in\", \"values\": [ \"ABC_123\", \"DEF_456\" ] } ] } `\ \ \n\n * `{ \"filters\": [ { \"field\": \"filters.name\", \"expression\"\ : \"ilike\", \"value\": \"slack\" } ] } ` \n\n * `{ \"filters\": [ { \"field\"\ : \"filters.resourceGroups\", \"expression\": \"eq\", \"value\": \"ABC_123\"\ \ } ] } `\n\n * `{ \"filters\": [ { \"field\": \"filters.severity\", \"expression\"\ : \"eq\", \"value\": \"5\" } ] } ` \n\n * `{ \"filters\": [ { \"field\":\ \ \"filters.eventCategory\", \"expression\": \"eq\", \"value\": \"App\" }\ \ ] } `\n\n * `{ \"filters\": [ { \"field\": \"reportNotificationTypes.agentEvents\"\ , \"expression\": \"eq\", \"value\": \"false\" } ] } `" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/GET_DATA_REQUEST_BODY_FILTERS" responses: "200": $ref: "#/components/responses/responseReportRulesList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/ReportRules/{mcGuid}: get: tags: - "ReportRules" summary: "Report Rule Details" description: "Get details about a report rule by invoking the following endpoint:\n\ \n > `GET https://YourLacework.lacework.net/api/v2/ReportRules/{mcGuid}`\n\ \n Replace `{mcGuid}` with the `mcGuid` value returned for a report rule\ \ in the response when invoking the following endpoint: `GET /api/v2/ReportRules`." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - name: "mcGuid" in: "path" description: "Report Rule ID" required: true schema: type: "string" responses: "200": $ref: "#/components/responses/responseReportRules_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" patch: tags: - "ReportRules" summary: "Update Report Rules" description: "Update a report rule by specifying parameters in the request body\ \ when invoking the following endpoint: \n\n > `PATCH https://YourLacework.lacework.net/api/v2/ReportRules/{mcGuid}`\n\ \n Replace `{mcGuid}` with the `mcGuid` value returned for a report rule\ \ in the response, when the `GET /api/v2/ReportRules` endpoint is invoked.\ \ \n\n In addition, if the severity field doesn't exist for the report rule\ \ being updated, the severity field is required if you add any of the following\ \ report types: `awsCloudtrailEvents`, `awsComplianceEvents`, `azureActivityLogEvents`,\ \ `azureComplianceEvents`, `gcpAuditTrailEvents`, `gcpComplianceEvents`, `platformEvents`,\ \ `agentEvents`." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - name: "mcGuid" in: "path" description: "Report Rule ID" required: true schema: type: "string" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/ReportRules_Update_Schema" responses: "200": $ref: "#/components/responses/responseReportRules_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" delete: tags: - "ReportRules" summary: "Delete Report Rules" description: "Delete a report rule by invoking the following endpoint:\n\n \ \ > `DELETE https://YourLacework.lacework.net/api/v2/ReportRules/{mcGuid}`\n\ \n Replace `{mcGuid}` with the `mcGuid` value returned for a report rule\ \ in the response when invoking the following endpoint: `GET /api/v2/ReportRules`." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - name: "mcGuid" in: "path" description: "Report Rule ID" required: true schema: type: "string" responses: "204": description: "Success" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/Reports: get: tags: - "Reports" summary: "Reports" description: "Get a specific report by invoking the following endpoint:\n\n\ \ > `GET https://YourLacework.lacework.net/api/v2/Reports?primaryQueryId={primaryQueryId}&secondaryQueryId={secondaryQueryId}&format={format}&reportType={reportType}&severity={severity}&status={status}`\n\ \n Examples: \n\n > `GET https://YourLacework.lacework.net/api/v2/Reports?primaryQueryId=343523252&format=json&reportType=HIPAA&severity=critical,high,medium&status=Compliant,NonCompliant`\n\ \n" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - name: "primaryQueryId" in: "query" description: "The primary ID that is used to fetch the report; for example,\ \ AWS Account ID or Azure Tenant ID.\n\n**Note:** For GCP, use the `secondaryQueryId`\ \ attribute to provide your GCP Project ID." schema: type: "string" - name: "secondaryQueryId" in: "query" description: "The secondary ID that is used to fetch the report; for example,\ \ GCP Project ID or Azure Subscription ID.\n\n**Note:** For AWS, this parameter\ \ is not required.\n\nUse the GCP Projects or Azure Subscriptions endpoints\ \ in the [Configurations API](#tag/Configs) to get the IDs to use. Be sure\ \ to provide only the ID as this parameter value, excluding the project\ \ or subscription alias. That is, use \"81A2D8F9-F8B6-3A5D-B3C7-99680EF0B89F\"\ , not \"81A2D8F9-F8B6-3A5D-B3C7-99680EF0B89F (Pay-As-You-Go)\"." schema: type: "string" - name: "format" in: "query" description: "The report's format." schema: type: "string" default: "pdf" enum: - "json" - "pdf" - "csv" - "html" - name: "reportType" in: "query" description: "The name of the report type in API format, for example, AZURE_NIST_CSF_CIS_1_5.\ \ See [Compliance Frameworks](https://docs.fortinet.com/document/lacework-forticnapp/latest/lacework-forticnapp-policies/286805/compliance-frameworks)\ \ for a list of available reports.\n\n**Note:** Use `reportName` to get\ \ the report by the report definition's name instead." required: true schema: type: "string" enum: - "AWS_CIS_14" - "AZURE_CIS_1_5" - "GCP_CIS13" - name: "severity" in: "query" description: "Severities to filter the report on, e.g. `severity=critical,high,medium`." schema: type: "string" enum: - "critical" - "high" - "medium" - "low" - "info" - name: "status" in: "query" description: "Statuses to filter the report on, e.g. `status=Compliant,NonCompliant`." schema: type: "string" enum: - "Compliant" - "NonCompliant" - "Suppressed" - "CouldNotAssess" - "Manual" responses: "200": $ref: "#/components/responses/responseReportsList_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/ResourceGroups: post: tags: - "ResourceGroups" summary: "Create Resource Group" description: "Create a resource group by specifying parameters in the request\ \ body when invoking the following endpoint:\n\n > `POST https://YourLacework.lacework.net/api/v2/ResourceGroups`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramAccountNameHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/ResourceGroups_Create_Schema" responses: "201": $ref: "#/components/responses/responseResourceGroups_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" get: tags: - "ResourceGroups" summary: "List All Resource Groups" description: "Get a list of all resource groups for the account by invoking\ \ the following endpoint:\n\n > `GET https://YourLacework.lacework.net/api/v2/ResourceGroups`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramAccountNameHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" responses: "200": $ref: "#/components/responses/responseResourceGroupsList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/ResourceGroups/search: post: tags: - "ResourceGroups" summary: "Search Resource Groups" description: "Search resource groups by invoking the following endpoint:\n\n\ \ > `POST https://YourLacework.lacework.net/api/v2/ResourceGroups/search`\n\ \n To limit the returned result, optionally specify one or more filters in\ \ the request body. For more information about using filters, see the [Simple\ \ & Advanced Search section](/api/v2/docs/#tag/OVERVIEW). \n\n In the request\ \ body, optionally specify the list of fields to return in the response by\ \ specifying the list in the `returns` array, for example, `\"returns\":[\ \ \"name\", \"type\", \"enabled\" ]`." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramAccountNameHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/GET_DATA_REQUEST_BODY_FILTERS" responses: "200": $ref: "#/components/responses/responseResourceGroupsList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/ResourceGroups/{resourceGuid}: get: tags: - "ResourceGroups" summary: "Resource Groups Details" description: "Get details about a resource group by invoking the following endpoint:\n\ \n > `GET https://YourLacework.lacework.net/api/v2/ResourceGroups/{resourceGuid}`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramAccountNameHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" - name: "resourceGuid" in: "path" description: "Resource Group ID" required: true schema: type: "string" responses: "200": $ref: "#/components/responses/responseResourceGroups_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" patch: tags: - "ResourceGroups" summary: "Update Resource Groups" description: "Update a resource group by specifying parameters in the request\ \ body when invoking the following endpoint: \n\n > `PATCH https://YourLacework.lacework.net/api/v2/ResourceGroups/{resourceGuid}`\ \ \n\n In the request body, only specify the parameters that you want to\ \ update, for example, `{ \"enabled\" : 0 }`. \n\n When updating `query`,\ \ both `filters` and `expression` must be provided together." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramAccountNameHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" - name: "resourceGuid" in: "path" description: "Resource Group ID" required: true schema: type: "string" requestBody: required: true description: "Only specify the parameter(s) that you want to update, for example,\ \ `{ \"enabled\" : 0 }`." content: application/json: schema: $ref: "#/components/schemas/ResourceGroups_Update_Schema" responses: "200": $ref: "#/components/responses/responseResourceGroups_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" delete: tags: - "ResourceGroups" summary: "Delete Resource Groups" description: "Delete a resource group by invoking the following endpoint:\n\n\ \ > `DELETE https://YourLacework.lacework.net/api/v2/ResourceGroups/{resourceGuid}`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramAccountNameHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" - name: "resourceGuid" in: "path" description: "Resource Group ID" required: true schema: type: "string" responses: "204": description: "No response content is returned and the request was successfully\ \ completed with no errors." "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/TeamMembers: post: tags: - "TeamMembers" summary: "Create Team Members" deprecated: true description: "Create a team member in your Lacework instance by invoking the\ \ following endpoint:\n\n > `POST https://YourLacework.lacework.net/api/v2/TeamMembers`\n\ \n Here is an example `body` payload:\n\n > `{ \"userName\": \"jane.smith@mycompany.com\"\ , \"userEnabled\": 1, \"props\": { \"firstName\": \"Jane\", \"lastName\"\ : \"Smith\", \"company\": \"myCompany\", \"accountAdmin\": true } \n }`\n\ \ \n\n **Note**: This API is deprecated and is unavailable if you have migrated\ \ to the new RBAC model in your Lacework Console. See [Access Control](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/873733/access-control-overview)\ \ for more information about the new RBAC model." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" - $ref: "#/components/parameters/paramAccountNameHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/TeamMembers_Create_Schema" responses: "201": $ref: "#/components/responses/responseTeamMembers_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" get: tags: - "TeamMembers" summary: "List All Team Members" deprecated: true description: "Get a list of team members in your Lacework instance by invoking\ \ the following endpoint:\n\n > `GET https://YourLacework.lacework.net/api/v2/TeamMembers`\ \ \n\n **Note**: This API is deprecated and is unavailable if you have migrated\ \ to the new RBAC model in your Lacework Console. See [Access Control](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/873733/access-control-overview)\ \ for more information about the new RBAC model." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" - $ref: "#/components/parameters/paramAccountNameHeader" responses: "200": $ref: "#/components/responses/responseTeamMembersList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/TeamMembers/search: post: tags: - "TeamMembers" summary: "Search Team Members" deprecated: true description: "Search all team members in your Lacework instance by invoking\ \ the following endpoint:\n\n > `POST https://YourLacework.lacework.net/api/v2/TeamMembers/search`\n\ \n To limit the returned result, optionally specify one or more filters in\ \ the request body. For more information about using filters, see the [Simple\ \ & Advanced Search section](/api/v2/docs/#tag/OVERVIEW).\n\n You can filter\ \ on the following fields:\n\n * `custGuid`\n\n * `userGuid`\n\n * `userName`\n\ \n * `userEnabled`\n\n Here is an example `body` payload:\n\n > `{ \"filters\"\ \ : [ { \"expression\": \"eq\", \"field\": \"userName\", \"value\": \"jane.smith@mycompany.com\"\ \ } ] } `\n\n **Note**: This API is deprecated and is unavailable if you\ \ have migrated to the new RBAC model in your Lacework Console. See [Access\ \ Control](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/873733/access-control-overview)\ \ for more information about the new RBAC model." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" - $ref: "#/components/parameters/paramAccountNameHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/GET_DATA_REQUEST_BODY_FILTERS" responses: "200": $ref: "#/components/responses/responseTeamMembersList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/TeamMembers/{userGuid}: get: tags: - "TeamMembers" summary: "Team Member Details" deprecated: true description: "Get details about a team member by invoking the following endpoint:\n\ \n > `GET https://YourLacework.lacework.net/api/v2/TeamMembers/{userGuid}`\n\ \n Replace `{userGuid}` with the `userGuid` value returned for a team member\ \ in the response when invoking the following endpoint: `GET /api/v2/TeamMembers`\ \ \n\n **Note**: This API is deprecated and is unavailable if you have migrated\ \ to the new RBAC model in your Lacework Console. See [Access Control](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/873733/access-control-overview)\ \ for more information about the new RBAC model." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" - $ref: "#/components/parameters/paramAccountNameHeader" - name: "userGuid" in: "path" description: "User Guid" required: true schema: type: "string" responses: "200": $ref: "#/components/responses/responseTeamMembers_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" patch: tags: - "TeamMembers" summary: "Update Team Member" deprecated: true description: "Optionally update the `userName` and`userEnabled` settings and\ \ the `props` sub-settings of the passed in team member. Update these settings\ \ by invoking the following endpoint:\n\n > `PATCH https://YourLacework.lacework.net/api/v2/TeamMembers/{userGuid}`\n\ \n Replace `{userGuid}` with the `userGuid` value returned for a team member\ \ in the response, when invoking the following endpoint: `GET /api/v2/TeamMembers`.\n\ \n Here is an example `body` payload:\n\n > `{ \"props\": {\"firstName\"\ :\"Jane\"} }` \n\n **Note**: This API is deprecated and is unavailable if\ \ you have migrated to the new RBAC model in your Lacework Console. See [Access\ \ Control](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/873733/access-control-overview)\ \ for more information about the new RBAC model." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" - $ref: "#/components/parameters/paramAccountNameHeader" - name: "userGuid" in: "path" description: "User Guid" required: true schema: type: "string" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/TeamMembers_Update_Schema" responses: "200": $ref: "#/components/responses/responseUpdateTeamMember" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" delete: tags: - "TeamMembers" summary: "Delete Team Member" deprecated: true description: "Delete a team member by invoking the following endpoint:\n\n \ \ > `DELETE https://YourLacework.lacework.net/api/v2/TeamMembers/{userGuid}`\n\ \n Replace `{userGuid}` with the `userGuid` value returned for a team member\ \ in the response when invoking the following endpoint: `GET /api/v2/TeamMembers`\ \ \n\n **Note**: This API is deprecated and is unavailable if you have migrated\ \ to the new RBAC model in your Lacework Console. See [Access Control](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/873733/access-control-overview)\ \ for more information about the new RBAC model." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" - $ref: "#/components/parameters/paramAccountNameHeader" - name: "userGuid" in: "path" description: "User Guid" required: true schema: type: "string" responses: "204": description: "Success" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/TeamUsers: post: tags: - "TeamUsers" summary: "Create Team Users" description: "Create a standard or service user in a Lacework account using\ \ the following endpoint: \n\n > `POST /api/v2/TeamUsers` \n\n In the request\ \ body, specify the type of user to create, a standard user or service user,\ \ as well as properties of the user. \n\n Here is an example `body` payload\ \ for a standard user:\n\n > `{\"type\": \"StandardUser\", \"name\": \"name_one\"\ , \"company\": \"company_name\", \"email\": \"test_email\", \"userEnabled\"\ : 1}` \n\n Here is an example `body` payload for a service user:\n\n > `{\"\ type\": \"ServiceUser\", \"name\": \"name_one\", \"description\": \"service_user_description\"\ , \"userEnabled\": 1}`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/TeamUsers_Create_Schema" responses: "201": $ref: "#/components/responses/responseTeamUsers_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" get: tags: - "TeamUsers" summary: "List All Team Users" description: "Get a list of all users in a Lacework account, including both\ \ standard and service users, by invoking the following endpoint: \n\n > `GET\ \ /api/v2/TeamUsers`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" responses: "200": $ref: "#/components/responses/responseTeamUsersList_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/TeamUsers/{id}: get: tags: - "TeamUsers" summary: "Team Users Details" description: "Get details about a user in a Lacework Account by invoking the\ \ following endpoint: \n\n > `GET /api/v2/TeamUsers/{userGuid}` \n\n Replace\ \ `{userGuid}` with the `userGuid` value of the standard or service user whose\ \ details you want to retrieve. You can get the `userGuid` for a user in the\ \ response to the \"List All Team Users\" endpoint." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - name: "id" in: "path" description: "User Guid" required: true schema: type: "string" responses: "200": $ref: "#/components/responses/responseTeamUsers_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" patch: tags: - "TeamUsers" summary: "Update Team Users" description: "Update an existing standard or service user by providing new values\ \ for the user properties to update using the following endpoint: \n\n > `PATCH\ \ /api/v2/TeamUsers/{userGuid}` \n\n Replace `{userGuid}` with the `userGuid`\ \ value of the user you want to update. You can get the `userGuid` for a user\ \ in the response to the \"List All Team Users\" endpoint. \n\n Here is an\ \ example `body` payload for a standard user:\n\n > `{\"name\": \"new_name\"\ , \"userEnabled\": 0}` \n\n Here is an example `body` payload for a service\ \ user:\n\n > `{\"name\": \"new_name\", \"userEnabled\": 0, \"description\"\ : \"new_description\"}`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - name: "id" in: "path" description: "User Guid" required: true schema: type: "string" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/TeamUsers_Update_Schema" responses: "200": $ref: "#/components/responses/responseTeamUsers_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" delete: tags: - "TeamUsers" summary: "Delete Team Users" description: "Delete a service or standard user to remove access for the user\ \ to the Lacework Console and Lacework APIs. Delete a user account using the\ \ following endpoint: \n\n > `DELETE /api/v2/TeamUsers/{userGuid}` \n\n Replace\ \ `{userGuid}` with the `userGuid` value of the standard or service user whose\ \ details you want to retrieve. You can get the `userGuid` for a user in the\ \ response to the \"List All Team Users\" endpoint." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - name: "id" in: "path" description: "User Guid" required: true schema: type: "string" responses: "204": description: "Success" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/TemplateFiles/{templateFileName}: get: tags: - "TemplateFiles" summary: "Download Template File" description: "Download the CloudFormation template from the Lacework Console\ \ for a specific template file name by invoking the following endpoint:\n\n\ \ > `GET https://YourLacework.lacework.net/api/v2/TemplateFiles/{templateFileName}`\n\ \n Here is an example invocation: \n\n > `GET https://YourLacework.lacework.net/api/v2/TemplateFiles/AwsConfig`\ \ \n\n Here is another example invocation: \n\n > `GET https://YourLacework.lacework.net/api/v2/TemplateFiles/AwsCloudTrail`\ \ \n\n Optionally pass in `intgGuid` as a query parameter for the `AwsEksAuditSubscriptionFilter`\ \ template file name. Here is an example invocation: \n\n > `GET https://YourLacework.lacework.net/api/v2/TemplateFiles/AwsEksAuditSubscriptionFilter?intgGuid=ROIJ898329....`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeOctet" - name: "templateFileName" in: "path" description: "The template's filename to download." required: true schema: type: "string" enum: - "AwsCloudTrail" - "AwsConfig" responses: "200": $ref: "#/components/responses/responseTemplateFilesList_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/UserGroups/{userGroupGuid}/addUsers: post: tags: - "UserGroups" summary: "Add Users to User Groups" description: "Add one or more users to an existing user group using the following\ \ endpoint: \n\n > `POST /api/v2/UserGroups/{userGroupGuid}/addUsers` \n\n\ \ Replace `{userGroupGuid}` with the `userGroupGuid` value of the user group\ \ you want to add users to. You can get the `userGroupGuid` for a user group\ \ from the User Groups section under Settings in the Lacework platform. \n\ \n In the request body, specify the users to add to the group as an array\ \ of user IDs. \n\n Here is an example body payload: \n\n `{\"userGuids\"\ : [\"some_user_id\"]}` \n\n See [Add Standard Users to a User Group](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/626065/manage-access-at-account-level#add-standard-users-to-a-user-group)\ \ for more information." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - name: "userGroupGuid" in: "path" description: "User Group ID" required: true schema: type: "string" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/UserGroups_Relations_Request_Schema" responses: "200": $ref: "#/components/responses/responseUserGroups_AddUsers_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/UserGroups/{userGroupGuid}/removeUsers: post: tags: - "UserGroups" summary: "Remove Users from User Groups" description: "Remove one or more users from a user group using the following\ \ endpoint: \n\n > `POST /api/v2/UserGroups/{userGroupGuid}/removeUsers`.\ \ \n\n Replace `{userGroupGuid}` with the `userGroupGuid` value of the user\ \ group you details to remove users from. You can get the `userGroupGuid`\ \ for a user group from the User Groups section under Settings in the Lacework\ \ platform. \n\n In the request body, specify the users to remove from the\ \ group as an array of user IDs. \n\n Here is an example body payload: \n\n\ \ `{\"userGuids\": [\"some_user_id\"]}`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - name: "userGroupGuid" in: "path" description: "User Group ID" required: true schema: type: "string" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/UserGroups_Relations_Request_Schema" responses: "204": description: "Success" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/UserProfile: get: tags: - "UserProfile" summary: "List Sub-accounts" description: "List all sub-accounts that are managed by the `YourLacework` account\ \ by invoking the following endpoint:\n\n > `GET https://YourLacework.lacework.net/api/v2/UserProfile`\ \ \n\n For example, if you specify the `IT20.MyCompany` organization account\ \ in `YourLacework`, this lists all sub-accounts of the `IT20` account.\n\n\ \ Here is an example invocation:\n\n > `GET https://IT20.MyCompany.lacework.net/api/v2/UserProfile`\n\ \n The response reports details about organization accounts and non-organization\ \ accounts in addition to authorization and privilege details." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - $ref: "#/components/parameters/paramOrgAccessHeader" - $ref: "#/components/parameters/paramAccountNameHeader" responses: "200": $ref: "#/components/responses/responseUserProfileList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/Vulnerabilities/Containers/search: post: tags: - "Vulnerabilities" summary: "Search Container Vulnerabilities" description: "Search the scan (assessment), including the risk score and scan\ \ status, the vulnerabilities found in the scan, and statistics for those\ \ vulnerabilities by invoking the following endpoint:\n\n > `POST https://YourLacework.lacework.net/api/v2/Vulnerabilities/Containers/search`\ \ \n\n Lacework highly recommends specifying a time range. Without a specified\ \ time range, the request uses the default time range of 24 hours prior to\ \ the current time. The maximum time range per API request is 7 days. To\ \ use the current time as the end time, exclude the endTime field.\n\n You\ \ can optionally filter returned vulnerabilities by severity, vulnerability\ \ ID, machine ID, and more. For more information, see [CONTAINER_VULN_DETAILS_V\ \ View](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/970831/container-vuln-details-v-view).\ \ \n\n The `rlike` and `not_rlike` operators are useful for filtering results.\ \ For example, the following expression limits results to those that have\ \ `python` in their `featureKey` name field:\n\n > `\"filters\": [ { \"expression\"\ : \"rlike\", \"field\": \"featureKey.name\", \"value\": \".*python.*\" } ]`\ \ \n\n Here are additional example `body` payloads: \n\n Here are some additional\ \ example `body` payloads: \n * `{ \"timeFilter\": { \"startTime\": \"2021-08-28T20:30:00Z\"\ , \"endTime\": \"2021-08-28T22:30:00Z\"},` \n `\"filters\": [ { \"field\"\ : \"vulnId\", \"expression\": \"eq\", \"value\": \"CVE-2018-7169\" } ] }`\ \ \n * `{ \"timeFilter\": { \"startTime\": \"2021-08-28T20:30:00Z\", \"endTime\"\ : \"2021-08-28T22:30:00Z\"},` \n `\"filters\": [ { \"field\": \"evalGuid\"\ , \"expression\": \"eq\", \"value\": \"1234567a89012b34567890123cd56e78\"\ \ } ] }` \n * `{ \"timeFilter\": { \"startTime\": \"2021-08-28T20:30:00Z\"\ , \"endTime\": \"2021-08-28T22:30:00Z\"},`\n `\"filters\": [ { \"field\":\ \ \"evalCtx.image_info.digest\", \"expression\": \"eq\", \"value\": \"sha256:2e05f1f668367c1fc0f1c9c02ee87521ed66541e6ebf0a31905b8cdd78d22611\"\ \ }, { \"field\": \"severity\", \"expression\": \"eq\", \"value\": \"Medium\"\ \ } ],` \n `\"returns\": [ \"imageId\", \"severity\", \"status\", \"vulnId\"\ , \"evalCtx\", \"fixInfo\", \"featureKey\" ] }`\n\nTo search for container\ \ vulnerabilities of only active containers, first use the \"Search Containers\"\ \ endpoint to get a list of active containers. Then call \"Search Container\ \ Vulnerabilities\" and pass the image IDs from the \"Search Containers\"\ \ results as a filter with the `in` filter type." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/GET_DATA_REQUEST_BODY_TIME_FILTERS" responses: "200": $ref: "#/components/responses/responseVulnerabilities_ContainersList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/Vulnerabilities/Containers/scan: post: tags: - "Vulnerabilities" summary: "Scan Container Vulnerabilities" description: "Request that Lacework scans (evaluates) for vulnerabilities in\ \ the specified container image. Specify the container image by passing in\ \ a tag, repository, and registry in the body parameter. You must specify\ \ a container image and repository located in a registry domain that has already\ \ been integrated with Lacework. \n\n For registries that are integrated\ \ using the Lacework generic `Docker V2 Registry` type, vulnerability scans\ \ can be started only by calling this API operation. \n\n For registries\ \ that are integrated using any Lacework registry type except *\"Docker V2\ \ Registry\"*, vulnerability scans start when the container registry is initially\ \ integrated, when specified by the default scan schedule, or when this operation\ \ is called. \n\n For more information, see https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/784472/container-vulnerability-assessment-overview.\ \ \n\n For more information about creating an API access key and token to\ \ run this operation and using this operation with organization resources,\ \ see https://docs.fortinet.com/document/lacework-forticnapp/latest/api-reference/932048/api-keys-and-access-tokens.\ \ \n\n Usage Example: \n\n > `curl -X POST -H 'Content-Type: application/json'\ \ -d '{ \"registry\": \"index.docker.io\", \"repository\": \"yourDockerOrg/yourRepository\"\ , \"tag\": \"yourTag\" }' \"https://YourLacework.lacework.net/api/v2/Vulnerabilities/Containers/scan\"\ \ -H \"Authorization: Bearer YourAPIToken\"` \n\n In the JSON body, do not\ \ prefix the registry or the repository with the `http://` string. \n\n \ \ This operation returns a unique requestId in the response that you can use\ \ to track the status of this scan/assessment. " parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/Vulnerability_Container_Scan_Request_Body_Schema" responses: "200": $ref: "#/components/responses/responseAsync_Scan_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/Vulnerabilities/Containers/scan/{requestId}: get: tags: - "Vulnerabilities" summary: "Track Container Scan Status" description: "Track the progress and return data about an on-demand vulnerability\ \ scan that was started by calling the `POST /api/v2/Vulnerabilities/Containers/scan`\ \ operation. You must pass in the unique request id returned in the response\ \ of the POST Vulnerabilities/Containers/scan operation. For example, \n\n\ \ > `GET https://YourLacework.lacework.net/api/v2/Vulnerabilities/Containers/scan/abcdefgh-123...`\ \ \n\n When completed, the scan operation returns an `evalGuid`, which you\ \ can use to get the results of the scan by passing it to the \"Search Container\ \ Vulnerabilities\" endpoint: \n\n > `POST https://YourLacework.lacework.net/api/v2/Vulnerabilities/Containers/search`\ \ \n\n Pass the `evalGuid` in the request body, for example: \n\n > `{ \"\ timeFilter\": { \"startTime\": \"2021-08-28T20:30:00Z\", \"endTime\": \"2021-08-28T22:30:00Z\"\ },` \n `\"filters\": [ { \"field\": \"evalGuid\", \"expression\": \"eq\",\ \ \"value\": \"1234567a89012b34567890123cd56e78\" } ] }`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - name: "requestId" in: "path" description: "Assessment Request ID" required: true schema: type: "string" responses: "200": $ref: "#/components/responses/responseAsync_Scan_Status_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/Vulnerabilities/Hosts/search: post: tags: - "Vulnerabilities" summary: "Search Host Vulnerabilities" description: "Search the scan (assessment), including the risk score and scan\ \ status, vulnerabilities found in the scan, and statistics about those vulnerabilities\ \ by invoking the following endpoint:\n\n > `POST https://YourLacework.lacework.net/api/v2/Vulnerabilities/Hosts/search`\ \ \n\n Lacework highly recommends specifying a time range. Without a specified\ \ time range, the request uses the default time range of 24 hours prior to\ \ the current time. The maximum time range per API request is 7 days. \n\n\ \ Optionally filter the returned vulnerabilities by severity, vulnerability\ \ ID, machine ID, and more. For more information, see [HOST_VULN_DETAILS_V\ \ View](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/604250/host-vuln-details-v-view).\ \ \n\n The `rlike` and `not_rlike` operators are useful for filtering results.\ \ For example, the following expression limits results to those that have\ \ `python` in their `featureKey` name field:\n\n > `\"filters\": [ { \"expression\"\ : \"rlike\", \"field\": \"featureKey.name\", \"value\": \".*python.*\" } ]`\ \ \n\n Here are some additional example `body` payloads: \n * `{ \"timeFilter\"\ : { \"startTime\": \"2021-08-28T20:30:00Z\", \"endTime\": \"2021-08-28T22:30:00Z\"\ },` \n `\"filters\": [ { \"field\": \"vulnId\", \"expression\": \"eq\", \"\ value\": \"CVE-2018-7169\" } ] }` \n * `{ \"timeFilter\": { \"startTime\"\ : \"2021-08-28T20:30:00Z\", \"endTime\": \"2021-08-28T22:30:00Z\"},` \n `\"\ filters\": [ { \"field\": \"evalGuid\", \"expression\": \"eq\", \"value\"\ : \"1234567a89012b34567890123cd56e78\" } ] }` \n * `{ \"timeFilter\": { \"\ startTime\": \"2021-08-28T20:30:00Z\", \"endTime\": \"2021-08-28T22:30:00Z\"\ },`\n `\"filters\": [ { \"field\": \"machineTags.AmiId\", \"expression\":\ \ \"eq\", \"value\": \"ami-0d9ef0d809e365a36\" }, { \"field\": \"severity\"\ , \"expression\": \"eq\", \"value\": \"Medium\" } ],` \n `\"returns\": [\ \ \"mid\", \"props\", \"severity\", \"status\", \"vulnId\", \"evalCtx\", \"\ fixInfo\", \"featureKey\", \"machineTags\" ] }` \n\n\n Within request bodies,\ \ nested field names that contain one or more special characters—e.g., dot\ \ (\".\"), colon (\":\"), or slash (\"/\")—mus be enclosed in **escaped double\ \ quotes**. For example, the field name `aws:ec2launchtemplate:version` nested\ \ under the `machineTags` field would be rendered as follows: \n\n `\"machineTags.\\\ \"aws:ec2launchtemplate:version\\\"\"` \n\n In a filter, the example would\ \ appear as follows: \n\n `{ \"field\": \"machineTags.\\\"aws:ec2launchtemplate:version\\\ \"\", \"expression\": \"eq\", \"value\": \"3\" }` \n\n In addition, forward\ \ slash characters within field names must be escaped with a backslash, as\ \ in the following example: \n\n `\"machineTags.\\\"kubernetes.io\\/cluster\\\ /prod1\\\"\"` \n\nTo search for host vulnerabilities of only online machines,\ \ first use the \"Search Machines\" endpoint to get a list of online machines.\ \ Then call \"Search Host Vulnerabilities\", passing the machine IDs from\ \ the \"Search Machines\" results as a filter with the `in` filter type." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/GET_DATA_REQUEST_BODY_TIME_FILTERS" responses: "200": $ref: "#/components/responses/responseVulnerabilities_HostsList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/Vulnerabilities/SoftwarePackages/scan: post: tags: - "Vulnerabilities" summary: "Scan Software Packages" description: "Request an on-demand vulnerability assessment of your software\ \ packages to determine if the packages contain any common vulnerabilities\ \ and exposures. The response for detected CVEs includes CVE details. Only\ \ packages managed by a package manager for supported operating systems are\ \ reported. \n\n Use the body parameter to specify the list of packages to\ \ scan for. In the package list, separate each package entry with a comma.\ \ Here is the list of supported OS types with some osVer examples: \n * `{\ \ \"os\": \"alpine\", \"osVer\": \"v3.1\" ... }` \n * `{ \"os\": \"amzn\"\ , \"osVer\": \"2\" ... }` \n * `{ \"os\": \"amzn\", \"osVer\": \"2018.03\"\ \ ... }` \n * `{ \"os\": \"centos\", \"osVer\": \"5\" ... }` \n * `{ \"os\"\ : \"debian\", \"osVer\": \"unstable\" ... }` \n * `{ \"os\": \"debian\", \"\ osVer\": \"11\" ... }` \n * `{ \"os\": \"oracle\", \"osVer\": \"8\" ... }`\ \ \n * `{ \"os\": \"rhel\", \"osVer\": \"8\" ... }` \n * `{ \"os\": \"ubuntu\"\ , \"osVer\": \"19.10\" ... }` \n\n For more information about creating an\ \ API access key and token to run this operation and using this operation\ \ with organization resources, see https://docs.fortinet.com/document/lacework-forticnapp/latest/api-reference/932048/api-keys-and-access-tokens.\ \ \n\n Usage Example: \n > `curl -X POST -H 'Content-Type: application/json'\ \ -d '{ \"osPkgInfoList\": [ { \"os\":\"Ubuntu\", \"osVer\":\"18.04\", \"\ pkg\": \"openssl\",\"pkgVer\": \"1.1.1-1ubuntu2.1~18.04.5\" } ] }' \"https://YourLacework.lacework.net/api/v2/Vulnerabilities/SoftwarePackages/scan\"\ \ -H \"Authorization: Bearer YourAPIToken\"` \n\n Note: Calls to this operation\ \ are rate limited to 10 calls per hour, per access key. If this rate limit\ \ is exceeded, an exception is thrown. Also, note that this operation is limited\ \ to 1k of packages per payload. If you require a payload larger than 1k,\ \ you must make multiple requests. For more information about creating an\ \ API access key and token to run this operation and using this operation\ \ with organization resources, see https://docs.fortinet.com/document/lacework-forticnapp/latest/api-reference/932048/api-keys-and-access-tokens." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/Vulnerability_SW_Pkg_Scan_Request_Body_Schema" responses: "200": $ref: "#/components/responses/responseVulnerability_SW_Package_Scan_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/VulnerabilityExceptions: post: tags: - "VulnerabilityExceptions" summary: "Create Vulnerability Exceptions" description: "Create a vulnerability exception by specifying parameters in the\ \ request body when invoking the following endpoint:\n\n > `POST https://YourLacework.lacework.net/api/v2/VulnerabilityExceptions`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/VulnerabilityExceptions_Create_Schema" responses: "201": $ref: "#/components/responses/responseVulnerabilityExceptions_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" get: tags: - "VulnerabilityExceptions" summary: "List All Vulnerability Exceptions" description: "Get a list of all vulnerability exceptions for the account by\ \ invoking the following endpoint:\n\n > `GET https://YourLacework.lacework.net/api/v2/VulnerabilityExceptions`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" responses: "200": $ref: "#/components/responses/responseVulnerabilityExceptionsList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/VulnerabilityExceptions/search: post: tags: - "VulnerabilityExceptions" summary: "Search Vulnerability Exceptions" description: "Search vulnerability exceptions by invoking the following endpoint:\n\ \n > `POST https://YourLacework.lacework.net/api/v2/VulnerabilityExceptions/search`\n\ \n To limit the returned result, optionally specify one or more filters in\ \ the request body. For more information about using filters, see the [Simple\ \ & Advanced Search section](/api/v2/docs/#tag/OVERVIEW). \n\n In the request\ \ body, optionally specify the list of fields to return in the response by\ \ specifying the list in the `returns` array. Here are some example `body`\ \ payloads: \n * `{ \"filters\": [ { \"field\": \"exceptionType\", \"expression\"\ : \"eq\", \"value\": \"Host\" } ] }` \n * `{ \"filters\": [ { \"field\": \"\ exceptionType\", \"expression\": \"eq\", \"value\": \"Container\" },` \n\ \ `{ \"field\": \"expiryTime\", \"expression\": \"gt\", \"value\": \"2021-01-01\"\ \ } ],` \n `\"returns\": [ \"name\", \"exceptionType\", \"expiryTime\" ]\ \ }` " parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/GET_DATA_REQUEST_BODY_FILTERS" responses: "200": $ref: "#/components/responses/responseVulnerabilityExceptionsList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/VulnerabilityExceptions/{exceptionGuid}: get: tags: - "VulnerabilityExceptions" summary: "Vulnerability Exception Details" description: "Get details about a vulnerability exception by invoking the following\ \ endpoint:\n\n > `GET https://YourLacework.lacework.net/api/v2/VulnerabilityExceptions/{exceptionGuid}`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - name: "exceptionGuid" in: "path" description: "Vulnerability Exception ID" required: true schema: type: "string" responses: "200": $ref: "#/components/responses/responseVulnerabilityExceptions_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" patch: tags: - "VulnerabilityExceptions" summary: "Update Vulnerability Exceptions" description: "Update a vulnerability exception by specifying parameters in the\ \ request body when invoking the following endpoint: \n\n > `PATCH https://YourLacework.lacework.net/api/v2/VulnerabilityExceptions/{exceptionGuid}`\ \ \n\n In the request body, only specify the parameters that you want to\ \ update, for example, `{ \"exceptionReason\" : \"Other\" }`." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - name: "exceptionGuid" in: "path" description: "Vulnerability Exception ID" required: true schema: type: "string" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/VulnerabilityExceptions_Update_Schema" responses: "200": $ref: "#/components/responses/responseVulnerabilityExceptions_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" delete: tags: - "VulnerabilityExceptions" summary: "Delete Vulnerability Exceptions" description: "Delete a vulnerability exception by invoking the following endpoint:\n\ \n > `DELETE https://YourLacework.lacework.net/api/v2/VulnerabilityExceptions/{exceptionGuid}`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - name: "exceptionGuid" in: "path" description: "Vulnerability Exception ID" required: true schema: type: "string" responses: "204": description: "Success" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/VulnerabilityObservations/Hosts/search: post: tags: - "VulnerabilityObservations" summary: "Search Host Vulnerability Observations" description: "Search for vulnerability observations that occur in hosts, including\ \ risk scores, observation statuses, and detailed statistics. \n\nQuery the\ \ current state of vulnerabilities across hosts with the following endpoint:\n\ \n > `POST https://YourLacework.lacework.net/api/v2/VulnerabilityObservations/Hosts/search`\n\ \ \nUse this endpoint to search for vulnerabilities based on the current\ \ state of the host, reflecting the most recent observations rather than\ \ historical evaluations. A time range is not required.\n\n### Filtering\n\ \nFilter the returned vulnerabilities by severity, vulnerability ID, machine\ \ ID, and more.\n \nUse the `rlike` and `not_rlike` operators to filter results\ \ by regular expression. For example, the following expression limits results\ \ to those that have `python` in the `packageName` field:\n\n > `\"filters\"\ : [ { \"expression\": \"rlike\", \"field\": \"packageName\", \"value\": \"\ .*python.*\" } ]` \n \nAdditional example `body` payloads:\n\n* `{ \"filters\"\ : [ { \"field\": \"vulnId\", \"expression\": \"eq\", \" value\": \"CVE-2018-7169\"\ \ } ] }`\n* `{ \"filters\": [ { \"field\": \"machineImage\", \"expression\"\ : \"eq\", \"value\": \"ami-0d9ef0d809e365a36\" }, { \"field\": \"severity\"\ , \"expression\": \"eq\", \"value\": 4 } ] \n }` \n\nIn request bodies, nested\ \ field names that contain one or more special characters, such as dot (\"\ .\"), colon (\":\"), or slash (\"/\"), must be enclosed in **escaped double\ \ quotes**. For example, the field name `aws:ec2launchtemplate:version` nested\ \ under the `machineTags` field would be rendered as follows:\n\n `\"machineTags.\\\ \"aws:ec2launchtemplate:version\\\"\"` \n\nIn a filter, use this as follows:\n\ \n `{ \"field\": \"machineTags.\\\"aws:ec2launchtemplate:version\\\"\", \"\ expression\": \"eq\", \"value\": \"3\" }`\n \nEscape forward slash characters\ \ within field names with a backslash:\n\n `\"machineTags.\\\"kubernetes.io\\\ /cluster\\/prod1\\\"\"` \n \nTo search for host vulnerabilities of only online\ \ machines, use the \"Search Machines\" endpoint to get a list of online\ \ machines, then call \"Search Host Vulnerabilities\", passing the machine\ \ IDs from the \"Search Machines\" results as a filter with the `in` filter\ \ type." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/VulnerabilityObservationsHostsSearchRequestBody" responses: "200": $ref: "#/components/responses/responseVulnerabilityObservations_HostsList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/VulnerabilityObservations/Images/search: post: tags: - "VulnerabilityObservations" summary: "Search Image Vulnerability Observations" description: "Search for vulnerability observations that occur in images (containers),\ \ including risk scores, observation statuses, and detailed statistics.\ \ \n\nQuery the current state of vulnerabilities across images with the following\ \ endpoint:\n\n > `POST https://YourLacework.lacework.net/api/v2/VulnerabilityObservations/Images/search`\n\ \nUse this endpoint to search for vulnerabilities based on the current state,\ \ reflecting the most recent observations rather than historical evaluations.\ \ A time range is not required.\n\n### Filtering\nOptionally filter the returned\ \ vulnerabilities by severity, vulnerability ID, machine ID, and more.\n\n\ Use the `rlike` and `not_rlike` operators to filter results by regular expression.\ \ For example, the following expression limits results to those that have\ \ `python` in the `packageName` field:\n\n > `\"filters\": [ { \"expression\"\ : \"rlike\", \"field\": \"packageName\", \"value\": \".*python.*\" } ]` \n\ \nAdditional example `body` payloads: \n* `{ \"filters\": [ { \"field\":\ \ \"vulnId\", \"expression\": \"eq\", \", \"value\": \"CVE-2018-7169\" } ]\ \ }` \n* `{ \"filters\": [ { \"field\": \"imageId\", \"expression\": \"eq\"\ , \"value\": \"sha256:2e05f1f668367c1fc0f1c9c02ee87521ed66541e6ebf0a31905b8cdd78d22611\"\ \ }, { \"field\": \"severity\", \"expression\": \"eq\", \"value\": 4 } ] \n\ \ }` \n\nTo search for container vulnerabilities of only online machines,\ \ use the hasActiveContainers filter: \n* `{ \"filters\": [ { \"field\": \"\ hasActiveContainers\", \"expression\": \"eq\", \"value\": \"true\" } ] }`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/VulnerabilityObservationsImagesSearchRequestBody" responses: "200": $ref: "#/components/responses/responseVulnerabilityObservations_ImagesList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/VulnerabilityPolicies: post: tags: - "VulnerabilityPolicies" summary: "Create Vulnerability Policies" description: "Create a vulnerability policy by specifying parameters in the\ \ request body when invoking the following endpoint:\n\n > `POST https://YourLacework.lacework.net/api/v2/VulnerabilityPolicies`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/VulnerabilityPolicies_Create_Schema" responses: "201": $ref: "#/components/responses/responseVulnerabilityPolicies_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" get: tags: - "VulnerabilityPolicies" summary: "List All Vulnerability Policies" description: "Get a list of all vulnerability policies for the account by invoking\ \ the following endpoint:\n\n > `GET https://YourLacework.lacework.net/api/v2/VulnerabilityPolicies`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" responses: "200": $ref: "#/components/responses/responseVulnerabilityPoliciesList_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/VulnerabilityPolicies/search: post: tags: - "VulnerabilityPolicies" summary: "Search Vulnerability Policies" description: "Search vulnerability policies by invoking the following endpoint:\n\ \n > `POST https://YourLacework.lacework.net/api/v2/VulnerabilityPolicies/search`\n\ \n To limit the returned result, optionally specify one or more filters in\ \ the request body. For more information about using filters, see the [Simple\ \ & Advanced Search section](/api/v2/docs/#tag/OVERVIEW). \n\n In the request\ \ body, optionally specify the list of fields to return in the response by\ \ specifying the list in the `returns` array. Here are some example `body`\ \ payloads: \n * `{ \"filters\": [ { \"field\": \"policyType\", \"expression\"\ : \"eq\", \"value\": \"DockerFile\" } ] }` \n * `{ \"filters\": [ { \"field\"\ : \"PolicyType\", \"expression\": \"eq\", \"value\": \"CVE\" },` \n `{ \"\ field\": \"createdTime\", \"expression\": \"gt\", \"value\": \"2021-01-01\"\ \ } ],` \n `\"returns\": [ \"name\", \"policyType\", \"createdTime\" ] }` " parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/GET_DATA_REQUEST_BODY_FILTERS" responses: "200": $ref: "#/components/responses/responseVulnerabilityPoliciesList_Response_Schema" "204": description: "No Data" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/VulnerabilityPolicies/{policyGuid}: get: tags: - "VulnerabilityPolicies" summary: "Vulnerability Policy Details" description: "Get details about a vulnerability policy by invoking the following\ \ endpoint:\n\n > `GET https://YourLacework.lacework.net/api/v2/VulnerabilityPolicies/{policyGuid}`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - name: "policyGuid" in: "path" description: "Vulnerability Policies ID" required: true schema: type: "string" responses: "200": $ref: "#/components/responses/responseVulnerabilityPolicies_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" patch: tags: - "VulnerabilityPolicies" summary: "Update Vulnerability Policies" description: "Update a vulnerability policy by specifying parameters in the\ \ request body when invoking the following endpoint: \n\n > `PATCH https://YourLacework.lacework.net/api/v2/VulnerabilityPolicies/{policyGuid}`\ \ \n\n In the request body, only specify the parameters that you want to\ \ update, for example, `{ \"severity\" : \"High\" }`." parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - name: "policyGuid" in: "path" description: "Vulnerability Policies ID" required: true schema: type: "string" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/VulnerabilityPolicies_Update_Schema" responses: "200": $ref: "#/components/responses/responseVulnerabilityPolicies_Response_Schema" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" delete: tags: - "VulnerabilityPolicies" summary: "Delete Vulnerability Policies" description: "Delete a vulnerability policy by invoking the following endpoint:\n\ \n > `DELETE https://YourLacework.lacework.net/api/v2/VulnerabilityPolicies/{policyGuid}`" parameters: - $ref: "#/components/parameters/paramAuthHeader" - $ref: "#/components/parameters/paramContentTypeHeader" - name: "policyGuid" in: "path" description: "Vulnerability Policies ID" required: true schema: type: "string" responses: "204": description: "Success" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/Webhooks/ServerTokens/{type}: post: tags: - "Webhooks" summary: "Webhooks by Server Tokens" description: "Send notifications from your integration using a server token.\ \ \n\n You must specify the integration's server token that was generated\ \ by the Lacework Console when you created the integration that subscribes\ \ to notifications. \n\n For more information, see https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/165042/integrate-a-docker-v2-registry.\ \ \n\n For more information about creating an API access key and token to\ \ run this operation and using this operation with organization resources,\ \ see https://docs.fortinet.com/document/lacework-forticnapp/latest/api-reference/932048/api-keys-and-access-tokens.\ \ \n\n Usage Example: \n > `curl -H 'Content-Type: {content-type}' -X POST\ \ -d '{notification-body}' \"https://YourLacework.lacework.net/api/v2/Webhooks/ServerTokens/DockerV2\"\ \ -H \"Authorization: Bearer YourServerToken\"` \n\n Note: If a container\ \ registry integration is unsubscribed from notifications and then subscribed\ \ again, the same server token is used." parameters: - $ref: "#/components/parameters/paramAuthHeaderServerToken" - $ref: "#/components/parameters/paramContentTypeHeader" - in: "path" name: "type" required: true description: "The integration type such as `AzureCR`, `DockerV2`, `JFrog`." schema: type: "string" enum: - "AzureCR" - "DockerV2" - "JFrog" requestBody: required: true description: "Integration specific notification body" content: application/json: schema: type: "object" responses: "200": description: "No Error (integration specific response content)" content: application/json: schema: type: "object" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" /api/v2/Webhooks/Signatures/{type}: post: tags: - "Webhooks" summary: "Webhooks by Signature" description: "Send notifications from your integration using a signature. \n\ \n You must specify the integration's server token that was generated by\ \ the Lacework Console when you created the integration that subscribes to\ \ notifications. For more information, see https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/84782/integrate-github-container-registry.\ \ \n\n Usage Example: \n > `curl -H 'Content-Type: {content-type}' -X POST\ \ \"https://YourLacework.lacework.net/api/v2/Webhooks/Signatures/GithubCR\"\ \ -H \"x-hub-signature-256: sha256=sha256 payload hash with YourServerToken\ \ as secret\"` \n\n Note: For a container registry integration, use the same\ \ server token if you want to re-subscribe to notifications after unsubscribing." parameters: - $ref: "#/components/parameters/paramAuthHeaderSignature" - $ref: "#/components/parameters/paramContentTypeHeader" - in: "path" name: "type" required: true description: "The integration type such as `GithubCR`." schema: type: "string" enum: - "GithubCR" responses: "200": description: "No Error (integration specific response content)" content: application/json: schema: type: "object" "4XX": $ref: "#/components/responses/response4XX" "5XX": $ref: "#/components/responses/responseInternalError" components: parameters: paramAuthHeader: name: "Authorization" in: "header" description: "Bearer Access Token. For example, \"Bearer {YourAPIToken}\"" required: true schema: type: "string" paramAuthHeaderServerToken: name: "Authorization" in: "header" description: "Bearer Server Token. For example, \"Bearer {YourServerToken}\"" required: true schema: type: "string" paramAuthHeaderSignature: name: "x-hub-signature-256" in: "header" description: "When your secret token is set, Lacework uses it to create a hash\ \ signature with each payload. This hash signature is included with the headers\ \ of each request as `X-Hub-Signature-256`." required: true schema: type: "string" example: "x-hub-signature-256: sha256=123..." paramContentTypeHeader: name: "Content-Type" in: "header" description: "application/json" required: true schema: type: "string" paramOrgAccessHeader: name: "Org-Access" in: "header" description: "Use this attribute to specify if the access token has organization\ \ admin permissions. If the access token has only account permissions, use\ \ the `Account-Name` attribute to specify which account to access." schema: type: "boolean" paramAccountNameHeader: name: "Account-Name" in: "header" description: "Use this attribute to specify which sub-account to access." schema: type: "string" paramContentTypeOctet: name: "Content-Type" in: "header" description: "application/octet-stream" required: true schema: type: "string" paramStartTime: name: "startTime" in: "query" description: "Returns only recorded actions that occurred after this timestamp." schema: type: "string" paramEndTime: name: "endTime" in: "query" description: "Returns only recorded actions that occurred before this timestamp.\ \ If empty or missing, the current time is used." schema: type: "string" paramPolicyId: name: "policyId" in: "query" description: "Policy ID" required: true schema: type: "string" paramPolicyIdOptional: name: "policyId" in: "query" description: "Policy ID" required: false schema: type: "string" schemas: Activities_ChangedFiles_Response_Schema: properties: startTime: type: "string" description: "The time and date when the hourly aggregation time period\ \ starts." endTime: type: "string" mid: type: "integer" filePath: type: "string" filedataHash: type: "string" mtime: type: "string" size: type: "integer" threatInfo: type: "string" additionalProperties: true Activities_Connections_Response_Schema: properties: startTime: type: "string" endTime: type: "string" srcEntityType: type: "string" srcEntityId: type: "object" dstEntityType: type: "string" dstEntityId: type: "object" srcInBytes: type: "integer" srcOutBytes: type: "integer" dstInBytes: type: "integer" dstOutBytes: type: "integer" endpointDetails: type: "object" numConns: type: "integer" additionalProperties: true Activities_DNSs_Response_Schema: properties: createdTime: type: "string" mid: type: "integer" fqdn: type: "string" hostIpAddr: type: "string" ttl: type: "integer" dnsServerIp: type: "string" additionalProperties: true Activities_UserLogins_Response_Schema: properties: createdTime: type: "string" mid: type: "integer" activityTime: type: "string" activityType: type: "string" username: type: "string" uid: type: "integer" sourceIpAddr: type: "string" additionalProperties: true AgentAccessTokens: allOf: - $ref: "#/components/schemas/AgentAccessTokens_Create_Schema" - type: "object" properties: accessToken: type: "string" createdTime: type: "string" props: type: "string" version: type: "string" AgentAccessTokens_Create_Schema: allOf: - $ref: "#/components/schemas/AgentAccessTokens_Update_Schema" - type: "object" required: - "tokenAlias" - "tokenEnabled" properties: tokenAlias: type: "string" minItems: 1 description: "The token's alias such as Ops Agent. Aliases help communicate\ \ the intended purpose of a token and are effective when a value with\ \ a single intent appears in multiple places." AgentAccessTokens_Response_Schema: allOf: - $ref: "#/components/schemas/AgentAccessTokens_Create_Schema" - type: "object" properties: accessToken: type: "string" description: "The new agent access token." createdTime: type: "string" description: "The time and date when the token was issued by Lacework." version: type: "string" description: "The Lacework Agent's version." additionalProperties: true AgentAccessTokens_Update_Schema: type: "object" properties: props: type: "object" description: "The access token's properties, including `createdTime` and\ \ `description`." properties: description: type: "string" description: "A brief description of the token creation." os: type: "string" description: "The operating system." subscription: type: "string" enum: - "standard" - "professional" - "enterprise" description: "The subscription level of the token." tokenEnabled: type: "string" minItems: 1 description: "The `tokenEnabled` property determines if an edit control\ \ is a \"Text token\" edit control. When the `tokenEnabled` property is\ \ set to `1`, if the user enters a separator character or a carriage return\ \ (CR), a token is automatically added and the user can continue entering\ \ values in the control." AgentInfo_Response_Schema: properties: agentVersion: type: "string" createdTime: type: "string" hostname: type: "string" ipAddr: type: "string" lastUpdate: type: "string" mid: type: "integer" mode: type: "string" os: type: "string" status: type: "string" tags: type: "object" additionalProperties: true AlertChannels_AwsS3_Create_Schema: allOf: - $ref: "#/components/schemas/AlertChannels_AwsS3_Update_Schema" - type: "object" required: - "type" - "enabled" - "name" - "data" properties: data: properties: s3CrossAccountCredentials: properties: externalId: title: "External ID" type: "string" minLength: 1 roleArn: title: "Role ARN" type: "string" pattern: "^arn:aws(-[a-zA-Z]+)?:iam:([a-zA-Z0-9-_]+)?:([0-9]{12}):([a-zA-Z0-9_-]+)([/:][a-zA-Z0-9_-]+)*$" bucketArn: title: "Bucket ARN" type: "string" pattern: "^arn:aws(?:-[a-z]{2}-gov)?:s3:::(?=.{3,63}$)(?!(\\d+\\\ .)+\\d+$)(?!.*(?:\\.-|-\\.|\\.{2}))[a-z0-9](?:[a-z0-9.-]{0,61}[a-z0-9])?$" required: - "externalId" - "roleArn" - "bucketArn" type: "object" required: - "s3CrossAccountCredentials" type: "object" AlertChannels_AwsS3_Response_Schema: allOf: - $ref: "#/components/schemas/AlertChannels_AwsS3_Create_Schema" - type: "object" properties: isOrg: title: "Is Org Integration" type: "number" description: "Returns `1` if the access token has organization admin permissions.\ \ Otherwise, returns `0`." default: 0 minimum: 0 maximum: 1 props: title: "Props" type: "object" description: "The integration's properties." createdOrUpdatedBy: description: "The user who created or who last updated the integration." type: "string" createdOrUpdatedTime: description: "The timestamp for when the integration was created or last\ \ updated." type: "string" intgGuid: description: "The integration’s globally unique identifier." type: "string" state: description: "The integration’s real-time state, such as Pending, Success,\ \ or Error." type: "object" additionalProperties: true AlertChannels_AwsS3_Update_Schema: properties: name: title: "Name" type: "string" description: "When sending a request, use this attribute to specify an integration’\ s name. When included in a response, this attribute returns the specified\ \ integration’s name." pattern: "(?!^ +$)^.+$" minLength: 1 type: title: "Type" type: "string" description: "When sending a request, use this attribute to specify the\ \ type of integration, from the following options. When included in a\ \ response, this attribute returns the specified integration’s type." enum: - "AwsS3" enabled: title: "Enabled" type: "number" description: "When sending a request, use this attribute to enable or disable\ \ an integration. When included in a response, returns `1` for an enabled\ \ integration or `0` for a disabled integration." minimum: 0 maximum: 1 example: 1 cloudId: title: "Cloud ID" type: "string" description: "The cloud account identifier." cloudIdType: title: "Cloud ID Type" type: "string" description: "The type of cloud account identifier." enum: - "AWS_ACCOUNT_ID" - "AZURE_TENANT_ID" - "GCP_PROJECT_ID" - "GCP_ORGANIZATION_ID" - "OCI_TENANT_ID" data: properties: s3CrossAccountCredentials: properties: externalId: title: "External ID" type: "string" minLength: 1 roleArn: title: "Role ARN" type: "string" pattern: "^arn:aws(-[a-zA-Z]+)?:iam:([a-zA-Z0-9-_]+)?:([0-9]{12}):([a-zA-Z0-9_-]+)([/:][a-zA-Z0-9_-]+)*$" bucketArn: title: "Bucket ARN" type: "string" pattern: "^arn:aws(?:-[a-z]{2}-gov)?:s3:::(?=.{3,63}$)(?!(\\d+\\\ .)+\\d+$)(?!.*(?:\\.-|-\\.|\\.{2}))[a-z0-9](?:[a-z0-9.-]{0,61}[a-z0-9])?$" type: "object" type: "object" AlertChannels_CiscoSparkWebhook_Create_Schema: allOf: - $ref: "#/components/schemas/AlertChannels_CiscoSparkWebhook_Update_Schema" - type: "object" required: - "type" - "enabled" - "name" - "data" properties: data: properties: webhook: title: "Webhook" type: "string" description: "The URL of your incoming webhook." pattern: "^https://(api.ciscospark|webexapis).com/v1/webhooks/incoming([/][a-zA-Z0-9#-_]+)+$" required: - "webhook" type: "object" AlertChannels_CiscoSparkWebhook_Response_Schema: allOf: - $ref: "#/components/schemas/AlertChannels_CiscoSparkWebhook_Create_Schema" - type: "object" properties: isOrg: title: "Is Org Integration" type: "number" description: "Returns `1` if the access token has organization admin permissions.\ \ Otherwise, returns `0`." default: 0 minimum: 0 maximum: 1 props: title: "Props" type: "object" description: "The integration's properties." createdOrUpdatedBy: description: "The user who created or who last updated the integration." type: "string" createdOrUpdatedTime: description: "The timestamp for when the integration was created or last\ \ updated." type: "string" intgGuid: description: "The integration’s globally unique identifier." type: "string" state: description: "The integration’s real-time state, such as Pending, Success,\ \ or Error." type: "object" additionalProperties: true AlertChannels_CiscoSparkWebhook_Update_Schema: properties: name: title: "Name" type: "string" description: "When sending a request, use this attribute to specify an integration’\ s name. When included in a response, this attribute returns the specified\ \ integration’s name." pattern: "(?!^ +$)^.+$" minLength: 1 type: title: "Type" type: "string" description: "When sending a request, use this attribute to specify the\ \ type of integration, from the following options. When included in a\ \ response, this attribute returns the specified integration’s type." enum: - "CiscoSparkWebhook" enabled: title: "Enabled" type: "number" description: "When sending a request, use this attribute to enable or disable\ \ an integration. When included in a response, returns `1` for an enabled\ \ integration or `0` for a disabled integration." minimum: 0 maximum: 1 example: 1 cloudId: title: "Cloud ID" type: "string" description: "The cloud account identifier." cloudIdType: title: "Cloud ID Type" type: "string" description: "The type of cloud account identifier." enum: - "AWS_ACCOUNT_ID" - "AZURE_TENANT_ID" - "GCP_PROJECT_ID" - "GCP_ORGANIZATION_ID" - "OCI_TENANT_ID" data: properties: webhook: title: "Webhook" type: "string" description: "The URL of your incoming webhook." pattern: "^https://(api.ciscospark|webexapis).com/v1/webhooks/incoming([/][a-zA-Z0-9#-_]+)+$" type: "object" AlertChannels_CloudwatchEb_Create_Schema: allOf: - $ref: "#/components/schemas/AlertChannels_CloudwatchEb_Update_Schema" - type: "object" required: - "type" - "enabled" - "name" - "data" properties: data: properties: issueGrouping: title: "Group Issues by" type: "string" description: "Whether you want to group multiple events of a single\ \ type into a single event. Choosing `Events` results in a single\ \ event being created when Lacework detects compliance events of\ \ the same type on multiple resources. Choosing `Resources` results\ \ in multiple events being created, one for each resource. See [Create\ \ an Amazon CloudWatch Alert Channel](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=onboardingAWSEventBridge)." default: "Events" enum: - "Events" - "Resources" eventBusArn: title: "Event Bus ARN" type: "string" description: "The ARN of your Amazon CloudWatch event bus, which uses\ \ the following format:
`arn:aws:events:::event-bus/`\ \
Replace `REGION` , `YOUR-ACCOUNT-ID` and `YOUR-EVENT-BUS-NAME`\ \ with your values." pattern: "^arn:aws(-[a-zA-Z]+)?:events:([a-zA-Z0-9]{1}[a-zA-Z0-9-]+[a-zA-Z0-9]{1}):([0-9]{12}):([a-zA-Z0-9_-]+)([/:][a-zA-Z0-9_-]+)?$" required: - "eventBusArn" type: "object" AlertChannels_CloudwatchEb_Response_Schema: allOf: - $ref: "#/components/schemas/AlertChannels_CloudwatchEb_Create_Schema" - type: "object" properties: isOrg: title: "Is Org Integration" type: "number" description: "Returns `1` if the access token has organization admin permissions.\ \ Otherwise, returns `0`." default: 0 minimum: 0 maximum: 1 props: title: "Props" type: "object" description: "The integration's properties." createdOrUpdatedBy: description: "The user who created or who last updated the integration." type: "string" createdOrUpdatedTime: description: "The timestamp for when the integration was created or last\ \ updated." type: "string" intgGuid: description: "The integration’s globally unique identifier." type: "string" state: description: "The integration’s real-time state, such as Pending, Success,\ \ or Error." type: "object" additionalProperties: true AlertChannels_CloudwatchEb_Update_Schema: properties: name: title: "Name" type: "string" description: "When sending a request, use this attribute to specify an integration’\ s name. When included in a response, this attribute returns the specified\ \ integration’s name." pattern: "(?!^ +$)^.+$" minLength: 1 type: title: "Type" type: "string" description: "When sending a request, use this attribute to specify the\ \ type of integration, from the following options. When included in a\ \ response, this attribute returns the specified integration’s type." enum: - "CloudwatchEb" enabled: title: "Enabled" type: "number" description: "When sending a request, use this attribute to enable or disable\ \ an integration. When included in a response, returns `1` for an enabled\ \ integration or `0` for a disabled integration." minimum: 0 maximum: 1 example: 1 cloudId: title: "Cloud ID" type: "string" description: "The cloud account identifier." cloudIdType: title: "Cloud ID Type" type: "string" description: "The type of cloud account identifier." enum: - "AWS_ACCOUNT_ID" - "AZURE_TENANT_ID" - "GCP_PROJECT_ID" - "GCP_ORGANIZATION_ID" - "OCI_TENANT_ID" data: properties: issueGrouping: title: "Group Issues by" type: "string" description: "Whether you want to group multiple events of a single\ \ type into a single event. Choosing `Events` results in a single\ \ event being created when Lacework detects compliance events of the\ \ same type on multiple resources. Choosing `Resources` results in\ \ multiple events being created, one for each resource. See [Create\ \ an Amazon CloudWatch Alert Channel](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=onboardingAWSEventBridge)." default: "Events" enum: - "Events" - "Resources" eventBusArn: title: "Event Bus ARN" type: "string" description: "The ARN of your Amazon CloudWatch event bus, which uses\ \ the following format:
`arn:aws:events:::event-bus/`\ \
Replace `REGION` , `YOUR-ACCOUNT-ID` and `YOUR-EVENT-BUS-NAME`\ \ with your values." pattern: "^arn:aws(-[a-zA-Z]+)?:events:([a-zA-Z0-9]{1}[a-zA-Z0-9-]+[a-zA-Z0-9]{1}):([0-9]{12}):([a-zA-Z0-9_-]+)([/:][a-zA-Z0-9_-]+)?$" type: "object" AlertChannels_Create_Schema: oneOf: - $ref: "#/components/schemas/AlertChannels_AwsS3_Create_Schema" - $ref: "#/components/schemas/AlertChannels_CiscoSparkWebhook_Create_Schema" - $ref: "#/components/schemas/AlertChannels_CloudwatchEb_Create_Schema" - $ref: "#/components/schemas/AlertChannels_Datadog_Create_Schema" - $ref: "#/components/schemas/AlertChannels_EmailUser_Create_Schema" - $ref: "#/components/schemas/AlertChannels_GcpPubsub_Create_Schema" - $ref: "#/components/schemas/AlertChannels_IbmQradar_Create_Schema" - $ref: "#/components/schemas/AlertChannels_Jira_Create_Schema" - $ref: "#/components/schemas/AlertChannels_MicrosoftTeams_Create_Schema" - $ref: "#/components/schemas/AlertChannels_NewRelicInsights_Create_Schema" - $ref: "#/components/schemas/AlertChannels_PagerDutyApi_Create_Schema" - $ref: "#/components/schemas/AlertChannels_ServiceNowRest_Create_Schema" - $ref: "#/components/schemas/AlertChannels_SlackChannel_Create_Schema" - $ref: "#/components/schemas/AlertChannels_SplunkHec_Create_Schema" - $ref: "#/components/schemas/AlertChannels_VictorOps_Create_Schema" - $ref: "#/components/schemas/AlertChannels_Webhook_Create_Schema" discriminator: propertyName: "type" mapping: AwsS3: "#/components/schemas/AlertChannels_AwsS3_Create_Schema" CiscoSparkWebhook: "#/components/schemas/AlertChannels_CiscoSparkWebhook_Create_Schema" CloudwatchEb: "#/components/schemas/AlertChannels_CloudwatchEb_Create_Schema" Datadog: "#/components/schemas/AlertChannels_Datadog_Create_Schema" EmailUser: "#/components/schemas/AlertChannels_EmailUser_Create_Schema" GcpPubsub: "#/components/schemas/AlertChannels_GcpPubsub_Create_Schema" IbmQradar: "#/components/schemas/AlertChannels_IbmQradar_Create_Schema" Jira: "#/components/schemas/AlertChannels_Jira_Create_Schema" MicrosoftTeams: "#/components/schemas/AlertChannels_MicrosoftTeams_Create_Schema" NewRelicInsights: "#/components/schemas/AlertChannels_NewRelicInsights_Create_Schema" PagerDutyApi: "#/components/schemas/AlertChannels_PagerDutyApi_Create_Schema" ServiceNowRest: "#/components/schemas/AlertChannels_ServiceNowRest_Create_Schema" SlackChannel: "#/components/schemas/AlertChannels_SlackChannel_Create_Schema" SplunkHec: "#/components/schemas/AlertChannels_SplunkHec_Create_Schema" VictorOps: "#/components/schemas/AlertChannels_VictorOps_Create_Schema" Webhook: "#/components/schemas/AlertChannels_Webhook_Create_Schema" AlertChannels_Datadog_Create_Schema: allOf: - $ref: "#/components/schemas/AlertChannels_Datadog_Update_Schema" - type: "object" required: - "type" - "enabled" - "name" - "data" properties: data: properties: datadogType: title: "Datadog Service" type: "string" description: "The Datadog service to use in the alert channel such\ \ as Logs Detail, Logs Summary, or Events Summary." default: "Logs Detail" enum: - "Logs Detail" - "Logs Summary" - "Events Summary" datadogSite: title: "Datadog Site" type: "string" description: "The Datadog site you want to store your logs, either\ \ the US or Europe." default: "com" enum: - "com" - "eu" - "us" - "us3" - "us5" - "us1-fed" apiKey: title: "API Key" type: "string" description: "YourApiKey" minLength: 1 format: "password" required: - "datadogType" - "datadogSite" - "apiKey" type: "object" AlertChannels_Datadog_Response_Schema: allOf: - $ref: "#/components/schemas/AlertChannels_Datadog_Create_Schema" - type: "object" properties: isOrg: title: "Is Org Integration" type: "number" description: "Returns `1` if the access token has organization admin permissions.\ \ Otherwise, returns `0`." default: 0 minimum: 0 maximum: 1 props: title: "Props" type: "object" description: "The integration's properties." createdOrUpdatedBy: description: "The user who created or who last updated the integration." type: "string" createdOrUpdatedTime: description: "The timestamp for when the integration was created or last\ \ updated." type: "string" intgGuid: description: "The integration’s globally unique identifier." type: "string" state: description: "The integration’s real-time state, such as Pending, Success,\ \ or Error." type: "object" additionalProperties: true AlertChannels_Datadog_Update_Schema: properties: name: title: "Name" type: "string" description: "When sending a request, use this attribute to specify an integration’\ s name. When included in a response, this attribute returns the specified\ \ integration’s name." pattern: "(?!^ +$)^.+$" minLength: 1 type: title: "Type" type: "string" description: "When sending a request, use this attribute to specify the\ \ type of integration, from the following options. When included in a\ \ response, this attribute returns the specified integration’s type." enum: - "Datadog" enabled: title: "Enabled" type: "number" description: "When sending a request, use this attribute to enable or disable\ \ an integration. When included in a response, returns `1` for an enabled\ \ integration or `0` for a disabled integration." minimum: 0 maximum: 1 example: 1 cloudId: title: "Cloud ID" type: "string" description: "The cloud account identifier." cloudIdType: title: "Cloud ID Type" type: "string" description: "The type of cloud account identifier." enum: - "AWS_ACCOUNT_ID" - "AZURE_TENANT_ID" - "GCP_PROJECT_ID" - "GCP_ORGANIZATION_ID" - "OCI_TENANT_ID" data: properties: datadogType: title: "Datadog Service" type: "string" description: "The Datadog service to use in the alert channel such as\ \ Logs Detail, Logs Summary, or Events Summary." default: "Logs Detail" enum: - "Logs Detail" - "Logs Summary" - "Events Summary" datadogSite: title: "Datadog Site" type: "string" description: "The Datadog site you want to store your logs, either the\ \ US or Europe." default: "com" enum: - "com" - "eu" - "us" - "us3" - "us5" - "us1-fed" apiKey: title: "API Key" type: "string" description: "YourApiKey" minLength: 1 format: "password" type: "object" AlertChannels_EmailUser_Create_Schema: allOf: - $ref: "#/components/schemas/AlertChannels_EmailUser_Update_Schema" - type: "object" required: - "type" - "enabled" - "name" - "data" properties: data: properties: channelProps: required: - "recipients" properties: recipients: type: "string" minLength: 1 description: "The list of email addresses to send alerts to." type: "object" type: "object" required: - "channelProps" AlertChannels_EmailUser_Response_Schema: allOf: - $ref: "#/components/schemas/AlertChannels_EmailUser_Create_Schema" - type: "object" properties: isOrg: title: "Is Org Integration" type: "number" description: "Returns `1` if the access token has organization admin permissions.\ \ Otherwise, returns `0`." default: 0 minimum: 0 maximum: 1 props: title: "Props" type: "object" description: "The integration's properties." createdOrUpdatedBy: description: "The user who created or who last updated the integration." type: "string" createdOrUpdatedTime: description: "The timestamp for when the integration was created or last\ \ updated." type: "string" intgGuid: description: "The integration’s globally unique identifier." type: "string" state: description: "The integration’s real-time state, such as Pending, Success,\ \ or Error." type: "object" additionalProperties: true AlertChannels_EmailUser_Update_Schema: properties: name: title: "Name" type: "string" description: "When sending a request, use this attribute to specify an integration’\ s name. When included in a response, this attribute returns the specified\ \ integration’s name." pattern: "(?!^ +$)^.+$" minLength: 1 type: title: "Type" type: "string" description: "When sending a request, use this attribute to specify the\ \ type of integration, from the following options. When included in a\ \ response, this attribute returns the specified integration’s type." enum: - "EmailUser" enabled: title: "Enabled" type: "number" description: "When sending a request, use this attribute to enable or disable\ \ an integration. When included in a response, returns `1` for an enabled\ \ integration or `0` for a disabled integration." minimum: 0 maximum: 1 example: 1 cloudId: title: "Cloud ID" type: "string" description: "The cloud account identifier." cloudIdType: title: "Cloud ID Type" type: "string" description: "The type of cloud account identifier." enum: - "AWS_ACCOUNT_ID" - "AZURE_TENANT_ID" - "GCP_PROJECT_ID" - "GCP_ORGANIZATION_ID" - "OCI_TENANT_ID" data: properties: channelProps: properties: recipients: type: "string" minLength: 1 description: "The list of email addresses to send alerts to." type: "object" type: "object" AlertChannels_GcpPubsub_Create_Schema: allOf: - $ref: "#/components/schemas/AlertChannels_GcpPubsub_Update_Schema" - type: "object" required: - "type" - "enabled" - "name" - "data" properties: data: properties: issueGrouping: title: "Group Issues by" type: "string" description: "Whether you want to group multiple events of a single\ \ type into a single message. Choosing `Events` results in a single\ \ message being created when Lacework detects compliance events\ \ of the same type on multiple resources. Choosing `Resources` results\ \ in multiple messages being created, one for each resource. See\ \ [Create a GCP Pub/Sub Alert Channel](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=gcpPubSubUrl)." default: "Events" enum: - "Events" - "Resources" credentials: properties: clientId: title: "Client ID" type: "string" description: "Your GCP Pub/Sub's client ID." minLength: 1 privateKeyId: title: "Private Key ID" type: "string" description: "Your GCP Pub/Sub's private key." minLength: 1 clientEmail: title: "Client Email" type: "string" description: "The Client Email name provided when creating the\ \ new service account." pattern: "^[\\w!#$%&’*+/=?`{|}~^-]+(?:\\.[\\w!#$%&’*+/=?`{|}~^-]+)*@(?:[a-zA-Z0-9-]+\\\ .)+[a-zA-Z]{2,6}$" minLength: 1 privateKey: title: "Private Key" type: "string" description: "Your GCP Pub/Sub's private key certificate." minLength: 1 type: "object" description: "Your GCP Pub/Sub's credentials." required: - "clientId" - "clientEmail" - "privateKeyId" - "privateKey" projectId: title: "Project ID" type: "string" description: "Your GCP Pub/Sub's project ID." minLength: 1 topicId: title: "Topic ID" type: "string" description: "The topic ID to use in this alert channel." minLength: 1 required: - "projectId" - "topicId" - "credentials" type: "object" AlertChannels_GcpPubsub_Response_Schema: allOf: - $ref: "#/components/schemas/AlertChannels_GcpPubsub_Create_Schema" - type: "object" properties: isOrg: title: "Is Org Integration" type: "number" description: "Returns `1` if the access token has organization admin permissions.\ \ Otherwise, returns `0`." default: 0 minimum: 0 maximum: 1 props: title: "Props" type: "object" description: "The integration's properties." createdOrUpdatedBy: description: "The user who created or who last updated the integration." type: "string" createdOrUpdatedTime: description: "The timestamp for when the integration was created or last\ \ updated." type: "string" intgGuid: description: "The integration’s globally unique identifier." type: "string" state: description: "The integration’s real-time state, such as Pending, Success,\ \ or Error." type: "object" additionalProperties: true AlertChannels_GcpPubsub_Update_Schema: properties: name: title: "Name" type: "string" description: "When sending a request, use this attribute to specify an integration’\ s name. When included in a response, this attribute returns the specified\ \ integration’s name." pattern: "(?!^ +$)^.+$" minLength: 1 type: title: "Type" type: "string" description: "When sending a request, use this attribute to specify the\ \ type of integration, from the following options. When included in a\ \ response, this attribute returns the specified integration’s type." enum: - "GcpPubsub" enabled: title: "Enabled" type: "number" description: "When sending a request, use this attribute to enable or disable\ \ an integration. When included in a response, returns `1` for an enabled\ \ integration or `0` for a disabled integration." minimum: 0 maximum: 1 example: 1 cloudId: title: "Cloud ID" type: "string" description: "The cloud account identifier." cloudIdType: title: "Cloud ID Type" type: "string" description: "The type of cloud account identifier." enum: - "AWS_ACCOUNT_ID" - "AZURE_TENANT_ID" - "GCP_PROJECT_ID" - "GCP_ORGANIZATION_ID" - "OCI_TENANT_ID" data: properties: issueGrouping: title: "Group Issues by" type: "string" description: "Whether you want to group multiple events of a single\ \ type into a single message. Choosing `Events` results in a single\ \ message being created when Lacework detects compliance events of\ \ the same type on multiple resources. Choosing `Resources` results\ \ in multiple messages being created, one for each resource. See [Create\ \ a GCP Pub/Sub Alert Channel](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=gcpPubSubUrl)." default: "Events" enum: - "Events" - "Resources" credentials: properties: clientId: title: "Client ID" type: "string" description: "Your GCP Pub/Sub's client ID." minLength: 1 privateKeyId: title: "Private Key ID" type: "string" description: "Your GCP Pub/Sub's private key." minLength: 1 clientEmail: title: "Client Email" type: "string" description: "The Client Email name provided when creating the new\ \ service account." pattern: "^[\\w!#$%&’*+/=?`{|}~^-]+(?:\\.[\\w!#$%&’*+/=?`{|}~^-]+)*@(?:[a-zA-Z0-9-]+\\\ .)+[a-zA-Z]{2,6}$" minLength: 1 privateKey: title: "Private Key" type: "string" description: "Your GCP Pub/Sub's private key certificate." minLength: 1 type: "object" description: "Your GCP Pub/Sub's credentials." projectId: title: "Project ID" type: "string" description: "Your GCP Pub/Sub's project ID." minLength: 1 topicId: title: "Topic ID" type: "string" description: "The topic ID to use in this alert channel." minLength: 1 type: "object" AlertChannels_IbmQradar_Create_Schema: allOf: - $ref: "#/components/schemas/AlertChannels_IbmQradar_Update_Schema" - type: "object" required: - "type" - "enabled" - "name" - "data" properties: data: properties: issueGrouping: title: "Group Issues by" type: "string" description: "Whether you want to group multiple events of a single\ \ type into a single event. Choosing Events results in a single\ \ event being created when Lacework detects compliance events of\ \ the same type on multiple resources. Choosing Resources results\ \ in multiple events being created, one for each resource. See [Create\ \ a IBM QRadar Alert Channel](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=ibmQradarUrl)." default: "Events" enum: - "Events" - "Resources" qradarCommType: title: "Communication Type" type: "string" description: "The issue group to use in this alert channel such as\ \ Events, Resources." default: "HTTPS" enum: - "HTTPS" - "HTTPS Self Signed Cert" qradarHostUrl: title: "QRadar Host Url" type: "string" description: "Your domain name or IP address of QRadar." pattern: ".+[a-zA-Z0-9]$" minLength: 1 qradarHostPort: title: "QRadar Host Port" type: "number" description: "Your listen port defined in QRadar." minimum: 0 maximum: 65535 required: - "qradarCommType" - "qradarHostUrl" type: "object" AlertChannels_IbmQradar_Response_Schema: allOf: - $ref: "#/components/schemas/AlertChannels_IbmQradar_Create_Schema" - type: "object" properties: isOrg: title: "Is Org Integration" type: "number" description: "Returns `1` if the access token has organization admin permissions.\ \ Otherwise, returns `0`." default: 0 minimum: 0 maximum: 1 props: title: "Props" type: "object" description: "The integration's properties." createdOrUpdatedBy: description: "The user who created or who last updated the integration." type: "string" createdOrUpdatedTime: description: "The timestamp for when the integration was created or last\ \ updated." type: "string" intgGuid: description: "The integration’s globally unique identifier." type: "string" state: description: "The integration’s real-time state, such as Pending, Success,\ \ or Error." type: "object" additionalProperties: true AlertChannels_IbmQradar_Update_Schema: properties: name: title: "Name" type: "string" description: "When sending a request, use this attribute to specify an integration’\ s name. When included in a response, this attribute returns the specified\ \ integration’s name." pattern: "(?!^ +$)^.+$" minLength: 1 type: title: "Type" type: "string" description: "When sending a request, use this attribute to specify the\ \ type of integration, from the following options. When included in a\ \ response, this attribute returns the specified integration’s type." enum: - "IbmQradar" enabled: title: "Enabled" type: "number" description: "When sending a request, use this attribute to enable or disable\ \ an integration. When included in a response, returns `1` for an enabled\ \ integration or `0` for a disabled integration." minimum: 0 maximum: 1 example: 1 cloudId: title: "Cloud ID" type: "string" description: "The cloud account identifier." cloudIdType: title: "Cloud ID Type" type: "string" description: "The type of cloud account identifier." enum: - "AWS_ACCOUNT_ID" - "AZURE_TENANT_ID" - "GCP_PROJECT_ID" - "GCP_ORGANIZATION_ID" - "OCI_TENANT_ID" data: properties: issueGrouping: title: "Group Issues by" type: "string" description: "Whether you want to group multiple events of a single\ \ type into a single event. Choosing Events results in a single event\ \ being created when Lacework detects compliance events of the same\ \ type on multiple resources. Choosing Resources results in multiple\ \ events being created, one for each resource. See [Create a IBM QRadar\ \ Alert Channel](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=ibmQradarUrl)." default: "Events" enum: - "Events" - "Resources" qradarCommType: title: "Communication Type" type: "string" description: "The issue group to use in this alert channel such as Events,\ \ Resources." default: "HTTPS" enum: - "HTTPS" - "HTTPS Self Signed Cert" qradarHostUrl: title: "QRadar Host Url" type: "string" description: "Your domain name or IP address of QRadar." pattern: ".+[a-zA-Z0-9]$" minLength: 1 qradarHostPort: title: "QRadar Host Port" type: "number" description: "Your listen port defined in QRadar." minimum: 0 maximum: 65535 type: "object" AlertChannels_Jira_Create_Schema: required: - "type" - "enabled" - "name" - "data" properties: name: title: "Name" type: "string" description: "When sending a request, use this attribute to specify an integration’\ s name. When included in a response, this attribute returns the specified\ \ integration’s name." pattern: "(?!^ +$)^.+$" minLength: 1 type: title: "Type" type: "string" description: "When sending a request, use this attribute to specify the\ \ type of integration, from the following options. When included in a\ \ response, this attribute returns the specified integration’s type." enum: - "Jira" enabled: title: "Enabled" type: "number" description: "When sending a request, use this attribute to enable or disable\ \ an integration. When included in a response, returns `1` for an enabled\ \ integration or `0` for a disabled integration." minimum: 0 maximum: 1 example: 1 cloudId: title: "Cloud ID" type: "string" description: "The cloud account identifier." cloudIdType: title: "Cloud ID Type" type: "string" description: "The type of cloud account identifier." enum: - "AWS_ACCOUNT_ID" - "AZURE_TENANT_ID" - "GCP_PROJECT_ID" - "GCP_ORGANIZATION_ID" - "OCI_TENANT_ID" data: oneOf: - $ref: "#/components/schemas/AlertChannels_Jira_data_JIRA_CLOUD_Create_Schema" - $ref: "#/components/schemas/AlertChannels_Jira_data_JIRA_SERVER_Create_Schema" discriminator: propertyName: "jiraType" mapping: JIRA_CLOUD: "#/components/schemas/AlertChannels_Jira_data_JIRA_CLOUD_Create_Schema" JIRA_SERVER: "#/components/schemas/AlertChannels_Jira_data_JIRA_SERVER_Create_Schema" AlertChannels_Jira_Response_Schema: allOf: - $ref: "#/components/schemas/AlertChannels_Jira_Create_Schema" - type: "object" properties: isOrg: title: "Is Org Integration" type: "number" description: "Returns `1` if the access token has organization admin permissions.\ \ Otherwise, returns `0`." default: 0 minimum: 0 maximum: 1 props: title: "Props" type: "object" description: "The integration's properties." createdOrUpdatedBy: description: "The user who created or who last updated the integration." type: "string" createdOrUpdatedTime: description: "The timestamp for when the integration was created or last\ \ updated." type: "string" intgGuid: description: "The integration’s globally unique identifier." type: "string" state: description: "The integration’s real-time state, such as Pending, Success,\ \ or Error." type: "object" additionalProperties: true AlertChannels_Jira_Update_Schema: properties: name: title: "Name" type: "string" description: "When sending a request, use this attribute to specify an integration’\ s name. When included in a response, this attribute returns the specified\ \ integration’s name." pattern: "(?!^ +$)^.+$" minLength: 1 type: title: "Type" type: "string" description: "When sending a request, use this attribute to specify the\ \ type of integration, from the following options. When included in a\ \ response, this attribute returns the specified integration’s type." enum: - "Jira" enabled: title: "Enabled" type: "number" description: "When sending a request, use this attribute to enable or disable\ \ an integration. When included in a response, returns `1` for an enabled\ \ integration or `0` for a disabled integration." minimum: 0 maximum: 1 example: 1 cloudId: title: "Cloud ID" type: "string" description: "The cloud account identifier." cloudIdType: title: "Cloud ID Type" type: "string" description: "The type of cloud account identifier." enum: - "AWS_ACCOUNT_ID" - "AZURE_TENANT_ID" - "GCP_PROJECT_ID" - "GCP_ORGANIZATION_ID" - "OCI_TENANT_ID" data: oneOf: - $ref: "#/components/schemas/AlertChannels_Jira_data_JIRA_CLOUD_Update_Schema" - $ref: "#/components/schemas/AlertChannels_Jira_data_JIRA_SERVER_Update_Schema" discriminator: propertyName: "jiraType" mapping: JIRA_CLOUD: "#/components/schemas/AlertChannels_Jira_data_JIRA_CLOUD_Update_Schema" JIRA_SERVER: "#/components/schemas/AlertChannels_Jira_data_JIRA_SERVER_Update_Schema" AlertChannels_Jira_data_JIRA_CLOUD_Create_Schema: properties: jiraType: title: "Jira Type" type: "string" description: "The Jira product you are using such as Jira Cloud or Jira\ \ Server." enum: - "JIRA_CLOUD" default: "JIRA_CLOUD" bidirectionalConfig: title: "Configuration" type: "string" description: "Whether you want to enable bidirectional updates, which allows\ \ Lacework to update Jira. See [Bidirectional Integration](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=onboardingJira)." default: "Unidirectional" enum: - "Unidirectional" - "Bidirectional" issueGrouping: title: "Group Issues by" type: "string" description: "Whether you want to group multiple events of a single type\ \ into a single Jira issue. Choosing `Events` results in a single Jira\ \ issue being created when Lacework detects compliance events of the same\ \ type on multiple resources. Choosing `Resources` results in multiple\ \ Jira issues being created, one for each resource. See [Create a Jira\ \ Alert Channel](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=onboardingJira)." default: "Events" enum: - "Events" - "Resources" jiraUrl: title: "Jira URL" type: "string" description: "The URL of your Jira implementation." pattern: "[a-zA-Z0-9]\\.(atlassian\\.net|jira\\.com)$" minLength: 1 projectId: title: "Jira Project Key" type: "string" description: "The Jira project where the new Jira issues should be created.\ \ Note that the specified Jira Issue type must exist in the specified\ \ Jira project prior to creating the Lacework Jira channel." minLength: 1 issueType: title: "Issue Type" type: "string" description: "The Jira Issue type (such as a Bug) to create when a new Jira\ \ issue is created." minLength: 1 username: title: "Username" type: "string" description: "The Jira user name. Lacework recommends a dedicated Jira user." minLength: 1 apiToken: title: "API Token" type: "string" description: "Your Jira API Token." format: "password" minLength: 1 customTemplateFile: title: "Custom Template File" description: "The custom template file to populate values from a custom\ \ template JSON file." format: "data-url" type: "string" required: - "jiraUrl" - "username" - "apiToken" - "issueType" - "projectId" title: "JIRA_CLOUD" type: "object" AlertChannels_Jira_data_JIRA_CLOUD_Update_Schema: properties: jiraType: title: "Jira Type" type: "string" description: "The Jira product you are using such as Jira Cloud or Jira\ \ Server." enum: - "JIRA_CLOUD" default: "JIRA_CLOUD" bidirectionalConfig: title: "Configuration" type: "string" description: "Whether you want to enable bidirectional updates, which allows\ \ Lacework to update Jira. See [Bidirectional Integration](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=onboardingJira)." default: "Unidirectional" enum: - "Unidirectional" - "Bidirectional" issueGrouping: title: "Group Issues by" type: "string" description: "Whether you want to group multiple events of a single type\ \ into a single Jira issue. Choosing `Events` results in a single Jira\ \ issue being created when Lacework detects compliance events of the same\ \ type on multiple resources. Choosing `Resources` results in multiple\ \ Jira issues being created, one for each resource. See [Create a Jira\ \ Alert Channel](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=onboardingJira)." default: "Events" enum: - "Events" - "Resources" jiraUrl: title: "Jira URL" type: "string" description: "The URL of your Jira implementation." pattern: "[a-zA-Z0-9]\\.(atlassian\\.net|jira\\.com)$" minLength: 1 projectId: title: "Jira Project Key" type: "string" description: "The Jira project where the new Jira issues should be created.\ \ Note that the specified Jira Issue type must exist in the specified\ \ Jira project prior to creating the Lacework Jira channel." minLength: 1 issueType: title: "Issue Type" type: "string" description: "The Jira Issue type (such as a Bug) to create when a new Jira\ \ issue is created." minLength: 1 username: title: "Username" type: "string" description: "The Jira user name. Lacework recommends a dedicated Jira user." minLength: 1 apiToken: title: "API Token" type: "string" description: "Your Jira API Token." format: "password" minLength: 1 customTemplateFile: title: "Custom Template File" description: "The custom template file to populate values from a custom\ \ template JSON file." format: "data-url" type: "string" title: "JIRA_CLOUD" type: "object" AlertChannels_Jira_data_JIRA_SERVER_Create_Schema: properties: jiraType: title: "Jira Type" type: "string" description: "The Jira product you are using such as Jira Cloud or Jira\ \ Server.\n" enum: - "JIRA_SERVER" default: "JIRA_SERVER" bidirectionalConfig: title: "Configuration" type: "string" description: "Whether you want to enable bidirectional updates, which allows\ \ Lacework to update Jira. See [Bidirectional Integration](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=onboardingJira)." default: "Unidirectional" enum: - "Unidirectional" - "Bidirectional" issueGrouping: title: "Group Issues by" type: "string" description: "Whether you want to group multiple events of a single type\ \ into a single Jira issue. Choosing `Events` results in a single Jira\ \ issue being created when Lacework detects compliance events of the same\ \ type on multiple resources. Choosing `Resources` results in multiple\ \ Jira issues being created, one for each resource. See [Create a Jira\ \ Alert Channel](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=onboardingJira)." default: "Events" enum: - "Events" - "Resources" jiraUrl: title: "Jira URL" type: "string" description: "The URL of your Jira implementation." pattern: "[A-Za-z0-9\\/\\-&?_.=:]+" minLength: 1 projectId: title: "Jira Project Key" type: "string" description: "The Jira project where the new Jira issues should be created.\ \ Note that the specified Jira Issue type must exist in the specified\ \ Jira project prior to creating the Lacework Jira channel." minLength: 1 issueType: title: "Issue Type" type: "string" description: "The Jira Issue type (such as a Bug) to create when a new Jira\ \ issue is created." minLength: 1 username: title: "Username" type: "string" description: "The Jira user name. Lacework recommends using a dedicated\ \ Jira user." minLength: 1 password: title: "Password" type: "string" description: "The password to the Jira user specified in the `username`\ \ attribute." format: "password" minLength: 1 customTemplateFile: title: "Custom Template File" description: "The custom template file to populate values from a custom\ \ template JSON file." format: "data-url" type: "string" required: - "jiraUrl" - "username" - "password" - "issueType" - "projectId" title: "JIRA_SERVER" type: "object" AlertChannels_Jira_data_JIRA_SERVER_Update_Schema: properties: jiraType: title: "Jira Type" type: "string" description: "The Jira product you are using such as Jira Cloud or Jira\ \ Server.\n" enum: - "JIRA_SERVER" default: "JIRA_SERVER" bidirectionalConfig: title: "Configuration" type: "string" description: "Whether you want to enable bidirectional updates, which allows\ \ Lacework to update Jira. See [Bidirectional Integration](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=onboardingJira)." default: "Unidirectional" enum: - "Unidirectional" - "Bidirectional" issueGrouping: title: "Group Issues by" type: "string" description: "Whether you want to group multiple events of a single type\ \ into a single Jira issue. Choosing `Events` results in a single Jira\ \ issue being created when Lacework detects compliance events of the same\ \ type on multiple resources. Choosing `Resources` results in multiple\ \ Jira issues being created, one for each resource. See [Create a Jira\ \ Alert Channel](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=onboardingJira)." default: "Events" enum: - "Events" - "Resources" jiraUrl: title: "Jira URL" type: "string" description: "The URL of your Jira implementation." pattern: "[A-Za-z0-9\\/\\-&?_.=:]+" minLength: 1 projectId: title: "Jira Project Key" type: "string" description: "The Jira project where the new Jira issues should be created.\ \ Note that the specified Jira Issue type must exist in the specified\ \ Jira project prior to creating the Lacework Jira channel." minLength: 1 issueType: title: "Issue Type" type: "string" description: "The Jira Issue type (such as a Bug) to create when a new Jira\ \ issue is created." minLength: 1 username: title: "Username" type: "string" description: "The Jira user name. Lacework recommends using a dedicated\ \ Jira user." minLength: 1 password: title: "Password" type: "string" description: "The password to the Jira user specified in the `username`\ \ attribute." format: "password" minLength: 1 customTemplateFile: title: "Custom Template File" description: "The custom template file to populate values from a custom\ \ template JSON file." format: "data-url" type: "string" title: "JIRA_SERVER" type: "object" AlertChannels_MicrosoftTeams_Create_Schema: allOf: - $ref: "#/components/schemas/AlertChannels_MicrosoftTeams_Update_Schema" - type: "object" required: - "type" - "enabled" - "name" - "data" properties: data: properties: teamsUrl: title: "Webhook URL" type: "string" description: "The URL of your Microsoft Teams incoming webhook." pattern: "^https://[a-zA-Z0-9-_\\.]*\\.(outlook|webhook|logic|api)\\\ .(office|azure|powerplatform)\\.com(:443)?/.*" required: - "teamsUrl" type: "object" AlertChannels_MicrosoftTeams_Response_Schema: allOf: - $ref: "#/components/schemas/AlertChannels_MicrosoftTeams_Create_Schema" - type: "object" properties: isOrg: title: "Is Org Integration" type: "number" description: "Returns `1` if the access token has organization admin permissions.\ \ Otherwise, returns `0`." default: 0 minimum: 0 maximum: 1 props: title: "Props" type: "object" description: "The integration's properties." createdOrUpdatedBy: description: "The user who created or who last updated the integration." type: "string" createdOrUpdatedTime: description: "The timestamp for when the integration was created or last\ \ updated." type: "string" intgGuid: description: "The integration’s globally unique identifier." type: "string" state: description: "The integration’s real-time state, such as Pending, Success,\ \ or Error." type: "object" additionalProperties: true AlertChannels_MicrosoftTeams_Update_Schema: properties: name: title: "Name" type: "string" description: "When sending a request, use this attribute to specify an integration’\ s name. When included in a response, this attribute returns the specified\ \ integration’s name." pattern: "(?!^ +$)^.+$" minLength: 1 type: title: "Type" type: "string" description: "When sending a request, use this attribute to specify the\ \ type of integration, from the following options. When included in a\ \ response, this attribute returns the specified integration’s type." enum: - "MicrosoftTeams" enabled: title: "Enabled" type: "number" description: "When sending a request, use this attribute to enable or disable\ \ an integration. When included in a response, returns `1` for an enabled\ \ integration or `0` for a disabled integration." minimum: 0 maximum: 1 example: 1 cloudId: title: "Cloud ID" type: "string" description: "The cloud account identifier." cloudIdType: title: "Cloud ID Type" type: "string" description: "The type of cloud account identifier." enum: - "AWS_ACCOUNT_ID" - "AZURE_TENANT_ID" - "GCP_PROJECT_ID" - "GCP_ORGANIZATION_ID" - "OCI_TENANT_ID" data: properties: teamsUrl: title: "Webhook URL" type: "string" description: "The URL of your Microsoft Teams incoming webhook." pattern: "^https://[a-zA-Z0-9-_\\.]*\\.(outlook|webhook|logic|api)\\\ .(office|azure|powerplatform)\\.com(:443)?/.*" type: "object" AlertChannels_NewRelicInsights_Create_Schema: allOf: - $ref: "#/components/schemas/AlertChannels_NewRelicInsights_Update_Schema" - type: "object" required: - "type" - "enabled" - "name" - "data" properties: data: properties: insertKey: title: "Insert Key" type: "string" description: "Your New Relic Insert Key. See [Add an Insert Key](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=newRelicUrl)" minLength: 1 accountId: title: "Account ID" type: "number" description: "Your New Relic account ID." minLength: 1 region: title: "Region" type: "string" description: "The data center (US or EU) to access." default: "US" enum: - "US" - "EU" required: - "insertKey" - "accountId" type: "object" AlertChannels_NewRelicInsights_Response_Schema: allOf: - $ref: "#/components/schemas/AlertChannels_NewRelicInsights_Create_Schema" - type: "object" properties: isOrg: title: "Is Org Integration" type: "number" description: "Returns `1` if the access token has organization admin permissions.\ \ Otherwise, returns `0`." default: 0 minimum: 0 maximum: 1 props: title: "Props" type: "object" description: "The integration's properties." createdOrUpdatedBy: description: "The user who created or who last updated the integration." type: "string" createdOrUpdatedTime: description: "The timestamp for when the integration was created or last\ \ updated." type: "string" intgGuid: description: "The integration’s globally unique identifier." type: "string" state: description: "The integration’s real-time state, such as Pending, Success,\ \ or Error." type: "object" additionalProperties: true AlertChannels_NewRelicInsights_Update_Schema: properties: name: title: "Name" type: "string" description: "When sending a request, use this attribute to specify an integration’\ s name. When included in a response, this attribute returns the specified\ \ integration’s name." pattern: "(?!^ +$)^.+$" minLength: 1 type: title: "Type" type: "string" description: "When sending a request, use this attribute to specify the\ \ type of integration, from the following options. When included in a\ \ response, this attribute returns the specified integration’s type." enum: - "NewRelicInsights" enabled: title: "Enabled" type: "number" description: "When sending a request, use this attribute to enable or disable\ \ an integration. When included in a response, returns `1` for an enabled\ \ integration or `0` for a disabled integration." minimum: 0 maximum: 1 example: 1 cloudId: title: "Cloud ID" type: "string" description: "The cloud account identifier." cloudIdType: title: "Cloud ID Type" type: "string" description: "The type of cloud account identifier." enum: - "AWS_ACCOUNT_ID" - "AZURE_TENANT_ID" - "GCP_PROJECT_ID" - "GCP_ORGANIZATION_ID" - "OCI_TENANT_ID" data: properties: insertKey: title: "Insert Key" type: "string" description: "Your New Relic Insert Key. See [Add an Insert Key](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=newRelicUrl)" minLength: 1 accountId: title: "Account ID" type: "number" description: "Your New Relic account ID." minLength: 1 region: title: "Region" type: "string" description: "The data center (US or EU) to access." default: "US" enum: - "US" - "EU" type: "object" AlertChannels_PagerDutyApi_Create_Schema: allOf: - $ref: "#/components/schemas/AlertChannels_PagerDutyApi_Update_Schema" - type: "object" required: - "type" - "enabled" - "name" - "data" properties: data: properties: apiIntgKey: title: "API Integration Key" type: "string" description: "Your Integration Key." minLength: 1 required: - "apiIntgKey" type: "object" AlertChannels_PagerDutyApi_Response_Schema: allOf: - $ref: "#/components/schemas/AlertChannels_PagerDutyApi_Create_Schema" - type: "object" properties: isOrg: title: "Is Org Integration" type: "number" description: "Returns `1` if the access token has organization admin permissions.\ \ Otherwise, returns `0`." default: 0 minimum: 0 maximum: 1 props: title: "Props" type: "object" description: "The integration's properties." createdOrUpdatedBy: description: "The user who created or who last updated the integration." type: "string" createdOrUpdatedTime: description: "The timestamp for when the integration was created or last\ \ updated." type: "string" intgGuid: description: "The integration’s globally unique identifier." type: "string" state: description: "The integration’s real-time state, such as Pending, Success,\ \ or Error." type: "object" additionalProperties: true AlertChannels_PagerDutyApi_Update_Schema: properties: name: title: "Name" type: "string" description: "When sending a request, use this attribute to specify an integration’\ s name. When included in a response, this attribute returns the specified\ \ integration’s name." pattern: "(?!^ +$)^.+$" minLength: 1 type: title: "Type" type: "string" description: "When sending a request, use this attribute to specify the\ \ type of integration, from the following options. When included in a\ \ response, this attribute returns the specified integration’s type." enum: - "PagerDutyApi" enabled: title: "Enabled" type: "number" description: "When sending a request, use this attribute to enable or disable\ \ an integration. When included in a response, returns `1` for an enabled\ \ integration or `0` for a disabled integration." minimum: 0 maximum: 1 example: 1 cloudId: title: "Cloud ID" type: "string" description: "The cloud account identifier." cloudIdType: title: "Cloud ID Type" type: "string" description: "The type of cloud account identifier." enum: - "AWS_ACCOUNT_ID" - "AZURE_TENANT_ID" - "GCP_PROJECT_ID" - "GCP_ORGANIZATION_ID" - "OCI_TENANT_ID" data: properties: apiIntgKey: title: "API Integration Key" type: "string" description: "Your Integration Key." minLength: 1 type: "object" AlertChannels_Response_Schema: oneOf: - $ref: "#/components/schemas/AlertChannels_AwsS3_Response_Schema" - $ref: "#/components/schemas/AlertChannels_CiscoSparkWebhook_Response_Schema" - $ref: "#/components/schemas/AlertChannels_CloudwatchEb_Response_Schema" - $ref: "#/components/schemas/AlertChannels_Datadog_Response_Schema" - $ref: "#/components/schemas/AlertChannels_EmailUser_Response_Schema" - $ref: "#/components/schemas/AlertChannels_GcpPubsub_Response_Schema" - $ref: "#/components/schemas/AlertChannels_IbmQradar_Response_Schema" - $ref: "#/components/schemas/AlertChannels_Jira_Response_Schema" - $ref: "#/components/schemas/AlertChannels_MicrosoftTeams_Response_Schema" - $ref: "#/components/schemas/AlertChannels_NewRelicInsights_Response_Schema" - $ref: "#/components/schemas/AlertChannels_PagerDutyApi_Response_Schema" - $ref: "#/components/schemas/AlertChannels_ServiceNowRest_Response_Schema" - $ref: "#/components/schemas/AlertChannels_SlackChannel_Response_Schema" - $ref: "#/components/schemas/AlertChannels_SplunkHec_Response_Schema" - $ref: "#/components/schemas/AlertChannels_VictorOps_Response_Schema" - $ref: "#/components/schemas/AlertChannels_Webhook_Response_Schema" discriminator: propertyName: "type" mapping: AwsS3: "#/components/schemas/AlertChannels_AwsS3_Response_Schema" CiscoSparkWebhook: "#/components/schemas/AlertChannels_CiscoSparkWebhook_Response_Schema" CloudwatchEb: "#/components/schemas/AlertChannels_CloudwatchEb_Response_Schema" Datadog: "#/components/schemas/AlertChannels_Datadog_Response_Schema" EmailUser: "#/components/schemas/AlertChannels_EmailUser_Response_Schema" GcpPubsub: "#/components/schemas/AlertChannels_GcpPubsub_Response_Schema" IbmQradar: "#/components/schemas/AlertChannels_IbmQradar_Response_Schema" Jira: "#/components/schemas/AlertChannels_Jira_Response_Schema" MicrosoftTeams: "#/components/schemas/AlertChannels_MicrosoftTeams_Response_Schema" NewRelicInsights: "#/components/schemas/AlertChannels_NewRelicInsights_Response_Schema" PagerDutyApi: "#/components/schemas/AlertChannels_PagerDutyApi_Response_Schema" ServiceNowRest: "#/components/schemas/AlertChannels_ServiceNowRest_Response_Schema" SlackChannel: "#/components/schemas/AlertChannels_SlackChannel_Response_Schema" SplunkHec: "#/components/schemas/AlertChannels_SplunkHec_Response_Schema" VictorOps: "#/components/schemas/AlertChannels_VictorOps_Response_Schema" Webhook: "#/components/schemas/AlertChannels_Webhook_Response_Schema" AlertChannels_ServiceNowRest_Create_Schema: allOf: - $ref: "#/components/schemas/AlertChannels_ServiceNowRest_Update_Schema" - type: "object" required: - "type" - "enabled" - "name" - "data" properties: data: properties: issueGrouping: title: "Group Issues by" type: "string" description: "Whether you want to group multiple events of a single\ \ type into a single ServiceNow incident. Choosing `Events` results\ \ in a single ServiceNow incident being created when Lacework detects\ \ compliance events of the same type on multiple resources. Choosing\ \ `Resources` results in multiple compliance incidents being created,\ \ one for each resource. See [Create a ServiceNow Alert Channel](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=serviceNowUrl)." default: "Events" enum: - "Events" - "Resources" userName: title: "User Name" type: "string" description: "Your ServiceNow username." minLength: 1 password: title: "Password" type: "string" description: "Your ServiceNow password." format: "password" minLength: 1 instanceUrl: title: "Instance URL" type: "string" description: "Your ServiceNow server." pattern: "^https://[A-Za-z0-9]+[.]{1}service-now[.]{1}com/?$" customTemplateFile: title: "Custom Template File" description: "The custom template file to populate values from a custom\ \ template JSON file." format: "data-url" type: "string" required: - "userName" - "password" - "instanceUrl" type: "object" AlertChannels_ServiceNowRest_Response_Schema: allOf: - $ref: "#/components/schemas/AlertChannels_ServiceNowRest_Create_Schema" - type: "object" properties: isOrg: title: "Is Org Integration" type: "number" description: "Returns `1` if the access token has organization admin permissions.\ \ Otherwise, returns `0`." default: 0 minimum: 0 maximum: 1 props: title: "Props" type: "object" description: "The integration's properties." createdOrUpdatedBy: description: "The user who created or who last updated the integration." type: "string" createdOrUpdatedTime: description: "The timestamp for when the integration was created or last\ \ updated." type: "string" intgGuid: description: "The integration’s globally unique identifier." type: "string" state: description: "The integration’s real-time state, such as Pending, Success,\ \ or Error." type: "object" additionalProperties: true AlertChannels_ServiceNowRest_Update_Schema: properties: name: title: "Name" type: "string" description: "When sending a request, use this attribute to specify an integration’\ s name. When included in a response, this attribute returns the specified\ \ integration’s name." pattern: "(?!^ +$)^.+$" minLength: 1 type: title: "Type" type: "string" description: "When sending a request, use this attribute to specify the\ \ type of integration, from the following options. When included in a\ \ response, this attribute returns the specified integration’s type." enum: - "ServiceNowRest" enabled: title: "Enabled" type: "number" description: "When sending a request, use this attribute to enable or disable\ \ an integration. When included in a response, returns `1` for an enabled\ \ integration or `0` for a disabled integration." minimum: 0 maximum: 1 example: 1 cloudId: title: "Cloud ID" type: "string" description: "The cloud account identifier." cloudIdType: title: "Cloud ID Type" type: "string" description: "The type of cloud account identifier." enum: - "AWS_ACCOUNT_ID" - "AZURE_TENANT_ID" - "GCP_PROJECT_ID" - "GCP_ORGANIZATION_ID" - "OCI_TENANT_ID" data: properties: issueGrouping: title: "Group Issues by" type: "string" description: "Whether you want to group multiple events of a single\ \ type into a single ServiceNow incident. Choosing `Events` results\ \ in a single ServiceNow incident being created when Lacework detects\ \ compliance events of the same type on multiple resources. Choosing\ \ `Resources` results in multiple compliance incidents being created,\ \ one for each resource. See [Create a ServiceNow Alert Channel](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=serviceNowUrl)." default: "Events" enum: - "Events" - "Resources" userName: title: "User Name" type: "string" description: "Your ServiceNow username." minLength: 1 password: title: "Password" type: "string" description: "Your ServiceNow password." format: "password" minLength: 1 instanceUrl: title: "Instance URL" type: "string" description: "Your ServiceNow server." pattern: "^https://[A-Za-z0-9]+[.]{1}service-now[.]{1}com/?$" customTemplateFile: title: "Custom Template File" description: "The custom template file to populate values from a custom\ \ template JSON file." format: "data-url" type: "string" type: "object" AlertChannels_SlackChannel_Create_Schema: allOf: - $ref: "#/components/schemas/AlertChannels_SlackChannel_Update_Schema" - type: "object" required: - "type" - "enabled" - "name" - "data" properties: data: properties: slackUrl: title: "Slack Incoming Webhook URL" type: "string" description: "The URL of your Slack incoming webhook." pattern: "(^https://hooks.slack.com([/][a-zA-Z0-9#-_]+)+$)|(^https://mattermost..+$)" required: - "slackUrl" type: "object" AlertChannels_SlackChannel_Response_Schema: allOf: - $ref: "#/components/schemas/AlertChannels_SlackChannel_Create_Schema" - type: "object" properties: isOrg: title: "Is Org Integration" type: "number" description: "Returns `1` if the access token has organization admin permissions.\ \ Otherwise, returns `0`." default: 0 minimum: 0 maximum: 1 props: title: "Props" type: "object" description: "The integration's properties." createdOrUpdatedBy: description: "The user who created or who last updated the integration." type: "string" createdOrUpdatedTime: description: "The timestamp for when the integration was created or last\ \ updated." type: "string" intgGuid: description: "The integration’s globally unique identifier." type: "string" state: description: "The integration’s real-time state, such as Pending, Success,\ \ or Error." type: "object" additionalProperties: true AlertChannels_SlackChannel_Update_Schema: properties: name: title: "Name" type: "string" description: "When sending a request, use this attribute to specify an integration’\ s name. When included in a response, this attribute returns the specified\ \ integration’s name." pattern: "(?!^ +$)^.+$" minLength: 1 type: title: "Type" type: "string" description: "When sending a request, use this attribute to specify the\ \ type of integration, from the following options. When included in a\ \ response, this attribute returns the specified integration’s type." enum: - "SlackChannel" enabled: title: "Enabled" type: "number" description: "When sending a request, use this attribute to enable or disable\ \ an integration. When included in a response, returns `1` for an enabled\ \ integration or `0` for a disabled integration." minimum: 0 maximum: 1 example: 1 cloudId: title: "Cloud ID" type: "string" description: "The cloud account identifier." cloudIdType: title: "Cloud ID Type" type: "string" description: "The type of cloud account identifier." enum: - "AWS_ACCOUNT_ID" - "AZURE_TENANT_ID" - "GCP_PROJECT_ID" - "GCP_ORGANIZATION_ID" - "OCI_TENANT_ID" data: properties: slackUrl: title: "Slack Incoming Webhook URL" type: "string" description: "The URL of your Slack incoming webhook." pattern: "(^https://hooks.slack.com([/][a-zA-Z0-9#-_]+)+$)|(^https://mattermost..+$)" type: "object" AlertChannels_SplunkHec_Create_Schema: allOf: - $ref: "#/components/schemas/AlertChannels_SplunkHec_Update_Schema" - type: "object" required: - "type" - "enabled" - "name" - "data" properties: data: properties: issueGrouping: title: "Group Issues by" type: "string" description: "Whether you want to group multiple events of a single\ \ type into a single event. Choosing Events results in a single\ \ event being created when Lacework detects compliance events of\ \ the same type on multiple resources. Choosing Resources results\ \ in multiple events being created, one for each resource. See [Create\ \ a Splunk Alert Channel](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=splunkUrl)." default: "Events" enum: - "Events" - "Resources" hecToken: title: "HEC Token" type: "string" description: "Your Splunk HEC token. To find your HEC token, navigate\ \ to Splunk Web, then click **Data Inputs > HttpEvent Collector**." minLength: 1 channel: title: "Channel" type: "string" description: "Channels are designed so that you assign a unique channel\ \ to each client that sends data to HEC. Each channel has a channel\ \ identifier (ID), which must be a Globally Unique Identifier (GUID)\ \ but can be randomly generated. You assign channel IDs simply by\ \ including them in requests as shown in the examples above. When\ \ Splunk Enterprise sees a new channel identifier, it creates a\ \ new channel." minLength: 1 host: title: "Host" type: "string" description: "The resolvable hostname or IP address of your Splunk\ \ instance (such as `http-inputs-.splunkcloud.com`)." minLength: 1 port: title: "Port" type: "number" description: "The destination port for forwarding alerts [80 or 443]." minimum: 0 maximum: 65536 ssl: title: "SSL" type: "boolean" description: "When sending a request, use this attribute to enable\ \ or disable the SSL encryption. When included in a response, returns\ \ `1` for enabled SSL encryption, or returns `0` for disabled SSL\ \ encryption." eventData: title: "Event Data" type: "object" description: "Details of the event's data structure." required: - "index" - "source" properties: index: title: "Index" type: "string" description: "The Splunk index to use in this alert channel." minLength: 1 source: title: "Source" type: "string" description: "The Splunk source to use in this alert channel." minLength: 1 sourceType: title: "Source Type" type: "string" default: "_json" enum: - "_json" - "lacework:alerts" required: - "hecToken" - "host" - "port" - "eventData" type: "object" AlertChannels_SplunkHec_Response_Schema: allOf: - $ref: "#/components/schemas/AlertChannels_SplunkHec_Create_Schema" - type: "object" properties: isOrg: title: "Is Org Integration" type: "number" description: "Returns `1` if the access token has organization admin permissions.\ \ Otherwise, returns `0`." default: 0 minimum: 0 maximum: 1 props: title: "Props" type: "object" description: "The integration's properties." createdOrUpdatedBy: description: "The user who created or who last updated the integration." type: "string" createdOrUpdatedTime: description: "The timestamp for when the integration was created or last\ \ updated." type: "string" intgGuid: description: "The integration’s globally unique identifier." type: "string" state: description: "The integration’s real-time state, such as Pending, Success,\ \ or Error." type: "object" additionalProperties: true AlertChannels_SplunkHec_Update_Schema: properties: name: title: "Name" type: "string" description: "When sending a request, use this attribute to specify an integration’\ s name. When included in a response, this attribute returns the specified\ \ integration’s name." pattern: "(?!^ +$)^.+$" minLength: 1 type: title: "Type" type: "string" description: "When sending a request, use this attribute to specify the\ \ type of integration, from the following options. When included in a\ \ response, this attribute returns the specified integration’s type." enum: - "SplunkHec" enabled: title: "Enabled" type: "number" description: "When sending a request, use this attribute to enable or disable\ \ an integration. When included in a response, returns `1` for an enabled\ \ integration or `0` for a disabled integration." minimum: 0 maximum: 1 example: 1 cloudId: title: "Cloud ID" type: "string" description: "The cloud account identifier." cloudIdType: title: "Cloud ID Type" type: "string" description: "The type of cloud account identifier." enum: - "AWS_ACCOUNT_ID" - "AZURE_TENANT_ID" - "GCP_PROJECT_ID" - "GCP_ORGANIZATION_ID" - "OCI_TENANT_ID" data: properties: issueGrouping: title: "Group Issues by" type: "string" description: "Whether you want to group multiple events of a single\ \ type into a single event. Choosing Events results in a single event\ \ being created when Lacework detects compliance events of the same\ \ type on multiple resources. Choosing Resources results in multiple\ \ events being created, one for each resource. See [Create a Splunk\ \ Alert Channel](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=splunkUrl)." default: "Events" enum: - "Events" - "Resources" hecToken: title: "HEC Token" type: "string" description: "Your Splunk HEC token. To find your HEC token, navigate\ \ to Splunk Web, then click **Data Inputs > HttpEvent Collector**." minLength: 1 channel: title: "Channel" type: "string" description: "Channels are designed so that you assign a unique channel\ \ to each client that sends data to HEC. Each channel has a channel\ \ identifier (ID), which must be a Globally Unique Identifier (GUID)\ \ but can be randomly generated. You assign channel IDs simply by\ \ including them in requests as shown in the examples above. When\ \ Splunk Enterprise sees a new channel identifier, it creates a new\ \ channel." minLength: 1 host: title: "Host" type: "string" description: "The resolvable hostname or IP address of your Splunk instance\ \ (such as `http-inputs-.splunkcloud.com`)." minLength: 1 port: title: "Port" type: "number" description: "The destination port for forwarding alerts [80 or 443]." minimum: 0 maximum: 65536 ssl: title: "SSL" type: "boolean" description: "When sending a request, use this attribute to enable or\ \ disable the SSL encryption. When included in a response, returns\ \ `1` for enabled SSL encryption, or returns `0` for disabled SSL\ \ encryption." eventData: title: "Event Data" type: "object" description: "Details of the event's data structure." properties: index: title: "Index" type: "string" description: "The Splunk index to use in this alert channel." minLength: 1 source: title: "Source" type: "string" description: "The Splunk source to use in this alert channel." minLength: 1 sourceType: title: "Source Type" type: "string" default: "_json" enum: - "_json" - "lacework:alerts" type: "object" AlertChannels_Update_Schema: oneOf: - $ref: "#/components/schemas/AlertChannels_AwsS3_Update_Schema" - $ref: "#/components/schemas/AlertChannels_CiscoSparkWebhook_Update_Schema" - $ref: "#/components/schemas/AlertChannels_CloudwatchEb_Update_Schema" - $ref: "#/components/schemas/AlertChannels_Datadog_Update_Schema" - $ref: "#/components/schemas/AlertChannels_EmailUser_Update_Schema" - $ref: "#/components/schemas/AlertChannels_GcpPubsub_Update_Schema" - $ref: "#/components/schemas/AlertChannels_IbmQradar_Update_Schema" - $ref: "#/components/schemas/AlertChannels_Jira_Update_Schema" - $ref: "#/components/schemas/AlertChannels_MicrosoftTeams_Update_Schema" - $ref: "#/components/schemas/AlertChannels_NewRelicInsights_Update_Schema" - $ref: "#/components/schemas/AlertChannels_PagerDutyApi_Update_Schema" - $ref: "#/components/schemas/AlertChannels_ServiceNowRest_Update_Schema" - $ref: "#/components/schemas/AlertChannels_SlackChannel_Update_Schema" - $ref: "#/components/schemas/AlertChannels_SplunkHec_Update_Schema" - $ref: "#/components/schemas/AlertChannels_VictorOps_Update_Schema" - $ref: "#/components/schemas/AlertChannels_Webhook_Update_Schema" discriminator: propertyName: "type" mapping: AwsS3: "#/components/schemas/AlertChannels_AwsS3_Update_Schema" CiscoSparkWebhook: "#/components/schemas/AlertChannels_CiscoSparkWebhook_Update_Schema" CloudwatchEb: "#/components/schemas/AlertChannels_CloudwatchEb_Update_Schema" Datadog: "#/components/schemas/AlertChannels_Datadog_Update_Schema" EmailUser: "#/components/schemas/AlertChannels_EmailUser_Update_Schema" GcpPubsub: "#/components/schemas/AlertChannels_GcpPubsub_Update_Schema" IbmQradar: "#/components/schemas/AlertChannels_IbmQradar_Update_Schema" Jira: "#/components/schemas/AlertChannels_Jira_Update_Schema" MicrosoftTeams: "#/components/schemas/AlertChannels_MicrosoftTeams_Update_Schema" NewRelicInsights: "#/components/schemas/AlertChannels_NewRelicInsights_Update_Schema" PagerDutyApi: "#/components/schemas/AlertChannels_PagerDutyApi_Update_Schema" ServiceNowRest: "#/components/schemas/AlertChannels_ServiceNowRest_Update_Schema" SlackChannel: "#/components/schemas/AlertChannels_SlackChannel_Update_Schema" SplunkHec: "#/components/schemas/AlertChannels_SplunkHec_Update_Schema" VictorOps: "#/components/schemas/AlertChannels_VictorOps_Update_Schema" Webhook: "#/components/schemas/AlertChannels_Webhook_Update_Schema" AlertChannels_VictorOps_Create_Schema: allOf: - $ref: "#/components/schemas/AlertChannels_VictorOps_Update_Schema" - type: "object" required: - "type" - "enabled" - "name" - "data" properties: data: properties: intgUrl: title: "Integration URL" type: "string" description: "The VictorOps REST endpoint URL." maxLength: 2083 pattern: "^https:\\/\\/alert.victorops.com\\/integrations\\/generic\\\ /([0-9]+)\\/alert\\/[a-zA-Z0-9-._~!$&'()*+%,;=:@]+\\/[a-zA-Z0-9-._~!$&'()*+%,;=:@]+$" required: - "intgUrl" type: "object" AlertChannels_VictorOps_Response_Schema: allOf: - $ref: "#/components/schemas/AlertChannels_VictorOps_Create_Schema" - type: "object" properties: isOrg: title: "Is Org Integration" type: "number" description: "Returns `1` if the access token has organization admin permissions.\ \ Otherwise, returns `0`." default: 0 minimum: 0 maximum: 1 props: title: "Props" type: "object" description: "The integration's properties." createdOrUpdatedBy: description: "The user who created or who last updated the integration." type: "string" createdOrUpdatedTime: description: "The timestamp for when the integration was created or last\ \ updated." type: "string" intgGuid: description: "The integration’s globally unique identifier." type: "string" state: description: "The integration’s real-time state, such as Pending, Success,\ \ or Error." type: "object" additionalProperties: true AlertChannels_VictorOps_Update_Schema: properties: name: title: "Name" type: "string" description: "When sending a request, use this attribute to specify an integration’\ s name. When included in a response, this attribute returns the specified\ \ integration’s name." pattern: "(?!^ +$)^.+$" minLength: 1 type: title: "Type" type: "string" description: "When sending a request, use this attribute to specify the\ \ type of integration, from the following options. When included in a\ \ response, this attribute returns the specified integration’s type." enum: - "VictorOps" enabled: title: "Enabled" type: "number" description: "When sending a request, use this attribute to enable or disable\ \ an integration. When included in a response, returns `1` for an enabled\ \ integration or `0` for a disabled integration." minimum: 0 maximum: 1 example: 1 cloudId: title: "Cloud ID" type: "string" description: "The cloud account identifier." cloudIdType: title: "Cloud ID Type" type: "string" description: "The type of cloud account identifier." enum: - "AWS_ACCOUNT_ID" - "AZURE_TENANT_ID" - "GCP_PROJECT_ID" - "GCP_ORGANIZATION_ID" - "OCI_TENANT_ID" data: properties: intgUrl: title: "Integration URL" type: "string" description: "The VictorOps REST endpoint URL." maxLength: 2083 pattern: "^https:\\/\\/alert.victorops.com\\/integrations\\/generic\\\ /([0-9]+)\\/alert\\/[a-zA-Z0-9-._~!$&'()*+%,;=:@]+\\/[a-zA-Z0-9-._~!$&'()*+%,;=:@]+$" type: "object" AlertChannels_Webhook_Create_Schema: allOf: - $ref: "#/components/schemas/AlertChannels_Webhook_Update_Schema" - type: "object" required: - "type" - "enabled" - "name" - "data" properties: data: properties: webhookUrl: title: "Webhook URL" type: "string" description: "The Webhook URL endpoint." pattern: "https:\\/\\/[A-Za-z0-9\\/\\-&?_.=:]+" headers: title: "Headers" description: "A set of custom HTTP headers represented as key-value\ \ pairs. Keys are header names and values are header values." type: "object" default: {} required: - "webhookUrl" type: "object" AlertChannels_Webhook_Response_Schema: allOf: - $ref: "#/components/schemas/AlertChannels_Webhook_Create_Schema" - type: "object" properties: isOrg: title: "Is Org Integration" type: "number" description: "Returns `1` if the access token has organization admin permissions.\ \ Otherwise, returns `0`." default: 0 minimum: 0 maximum: 1 props: title: "Props" type: "object" description: "The integration's properties." createdOrUpdatedBy: description: "The user who created or who last updated the integration." type: "string" createdOrUpdatedTime: description: "The timestamp for when the integration was created or last\ \ updated." type: "string" intgGuid: description: "The integration’s globally unique identifier." type: "string" state: description: "The integration’s real-time state, such as Pending, Success,\ \ or Error." type: "object" additionalProperties: true AlertChannels_Webhook_Update_Schema: properties: name: title: "Name" type: "string" description: "When sending a request, use this attribute to specify an integration’\ s name. When included in a response, this attribute returns the specified\ \ integration’s name." pattern: "(?!^ +$)^.+$" minLength: 1 type: title: "Type" type: "string" description: "When sending a request, use this attribute to specify the\ \ type of integration, from the following options. When included in a\ \ response, this attribute returns the specified integration’s type." enum: - "Webhook" enabled: title: "Enabled" type: "number" description: "When sending a request, use this attribute to enable or disable\ \ an integration. When included in a response, returns `1` for an enabled\ \ integration or `0` for a disabled integration." minimum: 0 maximum: 1 example: 1 cloudId: title: "Cloud ID" type: "string" description: "The cloud account identifier." cloudIdType: title: "Cloud ID Type" type: "string" description: "The type of cloud account identifier." enum: - "AWS_ACCOUNT_ID" - "AZURE_TENANT_ID" - "GCP_PROJECT_ID" - "GCP_ORGANIZATION_ID" - "OCI_TENANT_ID" data: properties: webhookUrl: title: "Webhook URL" type: "string" description: "The Webhook URL endpoint." pattern: "https:\\/\\/[A-Za-z0-9\\/\\-&?_.=:]+" headers: title: "Headers" description: "A set of custom HTTP headers represented as key-value\ \ pairs. Keys are header names and values are header values." type: "object" default: {} type: "object" AlertProfiles_AlertTemplates_Create_Schema: required: - "name" - "eventName" - "description" - "subject" allOf: - $ref: "#/components/schemas/AlertProfiles_AlertTemplates_Update_Schema" - type: "object" properties: name: type: "string" description: "A name that policies can use to refer to this definition when\ \ generating alerts" AlertProfiles_AlertTemplates_Update_Schema: type: "object" properties: eventName: type: "string" description: "The name of the resulting alert" description: type: "string" description: "Summary of the resulting alert" subject: type: "string" description: "A high-level observation of the resulting alert" AlertProfiles_Create_Schema: allOf: - $ref: "#/components/schemas/AlertProfiles_Update_Schema" - type: "object" required: - "alertProfileId" - "extends" - "alerts" properties: alertProfileId: description: "Unique id within customer account for Alert Profile" type: "string" extends: type: "string" description: "Base Lacework defined Alert Profile to inherit properties" alerts: type: "array" description: "An alert is a definition of content to create from the results\ \ of a resource's policy violation. The event name, subject, and description\ \ contained in the alert appear in pushed alerts and in the Lacework\ \ Console." items: type: "object" required: - "name" - "eventName" - "description" - "subject" properties: name: type: "string" description: "A name that policies can use to refer to this definition\ \ when generating alerts" eventName: type: "string" description: "The name of the resulting alert" description: type: "string" description: "Summary of the resulting alert" subject: type: "string" description: "A high-level observation of the resulting alert" AlertProfiles_Response_Schema: allOf: - $ref: "#/components/schemas/AlertProfiles_Create_Schema" - type: "object" properties: fields: type: "array" description: "A field is a declaration of a field to be mapped in from\ \ an LQL query. Only LQL result fields that are declared as an alert\ \ profile field are mapped into event details and alerts. Fields returned\ \ by a query that are not listed as an alert profile field won't be\ \ mapped into event details and alerts." items: type: "object" properties: name: type: "string" description: "Name of the field" descriptionKeys: type: "array" description: "A description key is a placeholder variable that you can\ \ use in an alert definition's subject and/or description. Description\ \ keys can refer to LQL query result fields and can also refer to other\ \ available data (such as metadata, like the name of a policy). Only\ \ description keys can be referred to by an alert definition. A field\ \ must be used in a description key to be available in an alert." items: type: "object" properties: name: type: "string" description: "Name of the description key" spec: type: "string" description: "Specification of the description key" additionalProperties: true AlertProfiles_Update_Schema: type: "object" properties: alerts: type: "array" description: "An alert is a definition of content to create from the results\ \ of a resource's policy violation. The event name, subject, and description\ \ contained in the alert appear in pushed alerts and in the Lacework Console." items: type: "object" properties: name: type: "string" description: "A name that policies can use to refer to this definition\ \ when generating alerts" eventName: type: "string" description: "The name of the resulting alert" description: type: "string" description: "Summary of the resulting alert" subject: type: "string" description: "A high-level observation of the resulting alert" AlertRules: allOf: - $ref: "#/components/schemas/AlertRules_Create_Schema" - type: "object" properties: mcGuid: type: "string" AlertRules_Create_Schema: allOf: - $ref: "#/components/schemas/AlertRules_Update_Schema" - type: "object" required: - "filters" - "intgGuidList" - "type" properties: type: type: "string" description: "The alert type." enum: - "Event" filters: type: "object" description: "When sending a request, use this object to define the new\ \ alert rule. When included in a response, this object contains details\ \ of an alert rule. You can use these attributes when searching for\ \ existing alert rules by invoking a GET request." required: - "name" - "enabled" - "severity" properties: name: type: "string" description: "The alert rule's name." minLength: 1 description: type: "string" description: "Summary of the alert rule." enabled: description: "When sending a request, use this attribute to enable\ \ or disable an alert rule. When included in a response, returns\ \ `1` for enabled alert rules, or returns `0` for disabled alert\ \ rules." enum: - 0 - 1 example: 1 resourceGroups: type: "array" description: "(Account-Only) The resource groups that you want the\ \ rule to apply to, identified by `resourceGuid`. You can get the\ \ `resourceGuid` for a resource group using the [Resource Groups](#tag/ResourceGroups)\ \ endpoint." items: type: "string" laceworkAccounts: type: "array" description: "(Organization-Only) The lacework accounts that you want\ \ the rule to apply to, identified by the lacework account name." minItems: 1 items: type: "string" eventCategory: deprecated: true type: "array" description: "The event categories that you want the rule to apply\ \ to. This field is deprecated. Use the `subCategory` field instead." uniqueItems: true items: enum: - "Compliance" - "App" - "Cloud" - "File" - "Machine" - "User" - "Platform" - "K8sActivity" - "Registry" - "SystemCall" - "ThreatIntel" source: type: "array" description: "The alert sources that will use this rule for alert\ \ routing." uniqueItems: true items: enum: - "Agent" - "AWS" - "Azure" - "GCP" - "K8s" sources: type: "array" deprecated: true description: "The alert sources that will use this rule for alert\ \ routing." uniqueItems: true items: enum: - "Agent" - "Aws" - "Azure" - "Gcp" - "K8s" category: type: "array" description: "The alert categories that will use this rule for alert\ \ routing." uniqueItems: true items: enum: - "Anomaly" - "Policy" - "Composite" subCategory: type: "array" description: "The subcategories that you want the rule to apply to." uniqueItems: true items: enum: - "Compliance" - "Application" - "Cloud Activity" - "File" - "Machine" - "User" - "Platform" - "Kubernetes Activity" - "Registry" - "SystemCall" - "Host Vulnerability" - "Container Vulnerability" - "Threat Intel" severity: description: "The severity levels that you want the rule to apply\ \ to, where 1 = Critical, 2 = High, 3 = Medium, 4 = Low, and 5 =\ \ Info." type: "array" minItems: 1 uniqueItems: true items: enum: - 1 - 2 - 3 - 4 - 5 AlertRules_Response_Schema: allOf: - $ref: "#/components/schemas/AlertRules_Create_Schema" - type: "object" properties: mcGuid: type: "string" description: "Alert Rule ID" additionalProperties: true AlertRules_Update_Schema: type: "object" properties: filters: type: "object" description: "When sending a request, use this object to define the new\ \ alert rule. When included in a response, this object contains details\ \ of an alert rule. You can use these attributes when searching for existing\ \ alert rules by invoking a GET request." properties: name: type: "string" description: "The alert rule's name." minLength: 1 description: type: "string" description: "Summary of the alert rule." enabled: description: "When sending a request, use this attribute to enable or\ \ disable an alert rule. When included in a response, returns `1`\ \ for enabled alert rules, or returns `0` for disabled alert rules." enum: - 0 - 1 example: 1 resourceGroups: type: "array" description: "(Account-Only) The resource groups that you want the rule\ \ to apply to, identified by `resourceGuid`. You can get the `resourceGuid`\ \ for a resource group using the [Resource Groups](#tag/ResourceGroups)\ \ endpoint." items: type: "string" laceworkAccounts: type: "array" description: "(Organization-Only) The lacework accounts that you want\ \ the rule to apply to, identified by the lacework account name." minItems: 1 items: type: "string" eventCategory: deprecated: true type: "array" description: "The event categories that you want the rule to apply to.\ \ This field is deprecated. Use the `subCategory` field instead." uniqueItems: true items: enum: - "Compliance" - "App" - "Cloud" - "File" - "Machine" - "User" - "Platform" - "K8sActivity" - "Registry" - "SystemCall" - "ThreatIntel" source: type: "array" description: "The alert sources that will use this rule for alert routing." uniqueItems: true items: enum: - "Agent" - "AWS" - "Azure" - "GCP" - "K8s" sources: type: "array" deprecated: true description: "The alert sources that will use this rule for alert routing." uniqueItems: true items: enum: - "Agent" - "Aws" - "Azure" - "Gcp" - "K8s" category: type: "array" description: "The alert categories that will use this rule for alert\ \ routing." uniqueItems: true items: enum: - "Anomaly" - "Policy" - "Composite" subCategory: type: "array" description: "The subcategories that you want the rule to apply to." uniqueItems: true items: enum: - "Compliance" - "Application" - "Cloud Activity" - "File" - "Machine" - "User" - "Platform" - "Kubernetes Activity" - "Registry" - "SystemCall" - "Host Vulnerability" - "Container Vulnerability" - "Threat Intel" severity: description: "The severity levels that you want the rule to apply to,\ \ where 1 = Critical, 2 = High, 3 = Medium, 4 = Low, and 5 = Info." type: "array" minItems: 1 uniqueItems: true items: enum: - 1 - 2 - 3 - 4 - 5 intgGuidList: type: "array" description: "The alert channels for the rule to access." minItems: 1 uniqueItems: true items: type: "string" Alert_IP_Entity_Response_Schema: properties: data: type: "array" items: type: "object" properties: networkActivityOverview: type: "object" properties: externalServerConn: type: "object" description: "Total number of outgoing network connections to\ \ external IP addresses." properties: count: type: "number" message: type: "string" description: "Error message if there is an error fetching\ \ this detail." externalClientConn: type: "object" description: "Total number of incoming network connections from\ \ external IP addresses." properties: count: type: "number" message: type: "string" description: "Error message if there is an error fetching\ \ this detail." externalInBytes: type: "object" description: "Total number of bytes received from external IP\ \ addresses." properties: count: type: "number" message: type: "string" description: "Error message if there is an error fetching\ \ this detail." externalOutBytes: type: "object" description: "Total number of bytes sent to external IP addresses." properties: count: type: "number" message: type: "string" description: "Error message if there is an error fetching\ \ this detail." startTimeRange: type: "number" description: "Start time, as an epoch timestamp, for which data\ \ is fetched. This matches the start of the time range in which\ \ the alert occurred." endTimeRange: type: "number" description: "End time, as an epoch timestamp, for which data\ \ is fetched. This matches the end of the time range in which\ \ the alert occurred." isAgentInstalled: type: "boolean" description: "Whether the Lacework agent is installed on the machine\ \ with this IP address." isInternalIp: type: "boolean" description: "Whether this is an internal IP address." uniqueProcessDetails: type: "object" description: "Information regarding unique processes associated with\ \ the alert." properties: uniqueProcesses: type: "array" description: "Unique processes associated with the IP address." items: type: "object" properties: cmdLine: type: "string" description: "The command that launched the process." launchTime: type: "number" description: "The time when the process started." hostname: type: "string" description: "The hostname of the machine on which the process\ \ is running." startTimeRange: type: "number" description: "Start time, as an epoch timestamp, for which data\ \ is fetched. This matches the start of the time range in which\ \ the alert occurred." endTimeRange: type: "number" description: "End time, as an epoch timestamp, for which data\ \ is fetched. This matches the end of the time range in which\ \ the alert occurred." message: type: "string" description: "Error message if there is an error fetching this\ \ detail." ipAddressSummary: type: "object" description: "Location information for an IP address associated with\ \ the alert." properties: country: type: "string" description: "Country name associated with the IP address." region: type: "string" description: "Region associated with the IP address." city: type: "string" description: "City associated with the IP address." countryCode: type: "string" description: "Country code associated with the IP address" startTimeRange: type: "number" description: "Start time, as an epoch timestamp, for which data\ \ is fetched. This matches the start of the time range in which\ \ the alert occurred." endTimeRange: type: "number" description: "End time, as an epoch timestamp, for which data\ \ is fetched. This matches the end of the time range in which\ \ the alert occurred." message: type: "string" description: "Error message if there is an error fetching this\ \ detail." resolvedIpInformation: type: "object" description: "DNS server information for a resolved IP address associated\ \ with the alert." properties: resolvedIPInfo: type: "array" description: "Resolved IP information." items: type: "object" properties: dnsResolverIp: type: "string" description: "IP address of the DNS server." dnsName: type: "string" description: "The fully qualified domain name of the DNS\ \ server." resolvedIp: type: "string" description: "Resolved IP address of the machine." startTimeRange: type: "number" description: "Start time, as an epoch timestamp, for which data\ \ is fetched. This matches the start of the time range in which\ \ the alert occurred." endTimeRange: type: "number" description: "End time, as an epoch timestamp, for which data\ \ is fetched. This matches the end of the time range in which\ \ the alert occurred." message: type: "string" description: "Error message if there is an error fetching this\ \ detail." virusTotal: type: "object" description: "Risk assessment of an IP address associated with the\ \ alert by VirusTotal." properties: securityVendorsCount: type: "number" description: "The number of security vendors who have marked this\ \ IP address as malicious." source: type: "string" description: "Source of evaluation." network: type: "string" description: "IPv4 network range to which the IP belongs, in slash\ \ notation format." autonomousSystemNumber: type: "string" description: "The number of the autonomous system to which the\ \ IP address belongs." autonomousSystemLabel: type: "string" description: "The label of the autonomous system to which the\ \ IP address belongs." regionalInternalRegistry: type: "string" description: "The regional Internet registry (RIR) associated\ \ with this IP address." country: type: "string" description: "The country in which the IP address originated." continent: type: "string" description: "The continent in which the IP address originated." message: type: "string" description: "Error message if there is an error fetching this\ \ detail." laceworkLabs: type: "object" description: "Risk assessment of an IP address associated with the\ \ alert by Lacework Labs." properties: customerCount: type: "number" description: "Failed login attempts from this IP address seen\ \ across Lacework customers." badIpAddress: type: "boolean" description: "Lacework labs identified this IP address as bad." threatType: type: "string" description: "The type of threat." threatInfo: type: "string" description: "Additional information about the threat." startTimeRange: type: "number" description: "Start time, as an epoch timestamp, for which data\ \ is fetched. This matches the start of the time range in which\ \ the alert occurred." endTimeRange: type: "number" description: "End time, as an epoch timestamp, for which data\ \ is fetched. This matches the end of the time range in which\ \ the alert occurred." message: type: "string" description: "Error message if there is an error fetching this\ \ detail." Alert_IP_Entity_Summary_Response_Schema: type: "object" properties: entityValue: type: "string" description: "The identifying value for the entity, that is, its IpAddress." inBytes: type: "number" description: "Total number of bytes received from external IP addresses." outBytes: type: "number" description: "Total number of bytes sent to external IP addresses." country: type: "string" description: "Country name associated with the IP address." region: type: "string" description: "Region name associated with the IP address." ports: type: "array" description: "Array of ports associated with the IP address." items: type: "string" sources: type: "array" items: type: "object" properties: date: type: "string" description: "Date of the finding that this IP address is malicious." primary_threat_tag: type: "string" description: "The primary threat tag assigned to this finding by the\ \ security vendor who marked this IP address as malicious." source: type: "string" description: "The security vendor who marked this IP address as malicious." tag1: type: "string" description: "Tag associated with this finding." Alert_Machine_Entity_Response_Schema: properties: data: type: "array" items: type: "object" properties: criticalAndHighRisk: type: "object" description: "Information about critical and high level severity detections\ \ related to vulnerabilities, attack paths, and alerts associated\ \ with the hostname." properties: internetExposure: type: "string" description: "Internet exposure information related to hostname." vulnerabilities: type: "object" description: "Information about critical and high level severity\ \ vulnerabilities that are fixable from the last seven days." properties: criticalCount: type: "number" description: "Count of vulnerabilities with critical severity." highCount: type: "number" description: "Count of vulnerabilities with high severity." startTimeRange: type: "number" description: "Start time, as an epoch timestamp, for which\ \ data is fetched. This refers to the last 7 days time range." endTimeRange: type: "number" description: "End time, as an epoch timestamp, for which data\ \ is fetched. This refers to the last 7 days time range." message: type: "string" description: "Error message if there is an error fetching\ \ this detail." alerts: type: "object" description: "Information about critical and high level severity\ \ alerts from the last seven days with the status of open or\ \ in-progress." properties: criticalCount: type: "number" description: "Count of alerts with critical severity." highCount: type: "number" description: "Count of alerts with high severity." startTimeRange: type: "number" description: "Start time, as an epoch timestamp, for which\ \ data is fetched. This refers to the last 7 days time range." endTimeRange: type: "number" description: "End time, as an epoch timestamp, for which data\ \ is fetched. This refers to the last 7 days time range." message: type: "string" description: "Error message if there is an error fetching\ \ this detail." attackPaths: type: "object" description: "Critical, high, medium, or low severity attack paths\ \ from the last 24 hours. Lacework generates attack paths if\ \ critical vulnerabilities are associated with a cloud asset\ \ and they are exposed to the internet." properties: criticalCount: type: "number" description: "Count of attack paths with critical path severity." otherCount: type: "number" description: "Count of attack paths with high, medium and\ \ low path severity." startTimeRange: type: "number" description: "Start time, as an epoch timestamp, for which\ \ data is fetched. This refers to the last 24 hours time\ \ range from last scan." endTimeRange: type: "number" description: "End time, as an epoch timestamp, for which data\ \ is fetched. This refers to the last 24 hours time range\ \ from last scan." message: type: "string" description: "Error message if there is an error fetching\ \ this detail." machineProperties: type: "object" description: "Machine properties" properties: name: type: "string" description: "Hostname of the machine." ipAddress: type: "string" description: "IP address of the machine." firstKnownTime: type: "number" description: "Time when machine was first detected by the Lacework\ \ agent." lastKnownTime: type: "number" description: "Time when machine was last detected by the Lacework\ \ agent." lastBootTime: type: "number" description: "Last boot up time of the machine as detected by\ \ the Lacework agent." cpu: type: "string" description: "CPU type of the machine." osType: type: "string" description: "OS type of the machine." memoryInfo: type: "string" description: "Total RAM on the machine." kernelRelease: type: "string" description: "Kernel release version of the machine." kernelVersion: type: "string" description: "Kernel version of the machine." macAddres: type: "string" description: "MAC address of the machine." defaultRouter: type: "string" description: "Default router information." promiscuous: type: "string" description: "Whether the machine is running in promiscuous mode." startTimeRange: type: "number" description: "Start time, as an epoch timestamp, for which data\ \ is fetched. This matches the start of the time range in which\ \ the alert occurred." endTimeRange: type: "number" description: "End time, as an epoch timestamp, for which data\ \ is fetched. This matches the end of the time range in which\ \ the alert occurred." message: type: "string" description: "Error message if there is an error fetching this\ \ detail." machineTagSummary: type: "object" description: "Machine Tags summary." properties: amiId: type: "string" description: "ID of machine image used by the machine." externalIp: type: "string" description: "External IP address of the machine." instanceId: type: "string" description: "Instance ID of the machine." subnetId: type: "string" description: "ID of the subnet in which the machine exists." vmInstanceType: type: "string" description: "The instance type of the machine. For example, the\ \ t2.micro AWS instance type." vmProvider: type: "string" description: "The cloud service provider on which the machine\ \ is running." lwTokenShort: type: "string" description: "The first 30 characters of the agent access token\ \ used by the Lacework agent installed on the machine." internalIp: type: "string" description: "Internal IP address of the machine." arch: type: "string" description: "The machine architecture type." vpcId: type: "string" description: "ID of the VPC in which the machine is running." zone: type: "string" description: "The availability zone in which the machine is running." os: type: "string" description: "OS type of the machine." account: type: "string" startTimeRange: type: "number" description: "Start time, as an epoch timestamp, for which data\ \ is fetched. This matches the start of the time range in which\ \ the alert occurred." endTimeRange: type: "number" description: "End time, as an epoch timestamp, for which data\ \ is fetched. This matches the end of the time range in which\ \ the alert occurred." message: type: "string" description: "Error message if there is an error fetching this\ \ detail." customResourceGroups: description: "The custom resource groups associated with this machine." type: "object" properties: resourceGroups: description: "The custom resource groups associated with this\ \ machine." type: "array" items: type: "object" properties: resourceGroups: type: "object" description: "Resource group information." properties: name: type: "string" description: "Resource group name." guid: type: "string" description: "Resource group ID." startTimeRange: type: "number" description: "Current time, as an epoch timestamp." endTimeRange: type: "number" description: "Current time, as an epoch timestamp." message: type: "string" description: "Error message if there is an error fetching this\ \ detail." cloudServiceProvider: type: "object" description: "Information related to the cloud service provider associated\ \ with this host." properties: cloudServiceProvider: type: "string" description: "Name of the cloud service provider." accountAlias: type: "string" description: "The AWS account alias." projectName: type: "string" description: "The Google Cloud project name." subscriptionName: type: "string" description: "The Azure subscription name." accountId: type: "string" description: "The ID of AWS account." projectId: type: "string" description: "The ID of the Google Cloud project." subscriptionId: type: "string" description: "The ID of Azure subscription." startTimeRange: type: "number" description: "Start time, as an epoch timestamp, for which data\ \ is fetched. This refers to the last 7 days time range." endTimeRange: type: "number" description: "End time, as an epoch timestamp, for which data\ \ is fetched. This refers to the last 7 days time range." message: type: "string" description: "Error message if there is an error fetching this\ \ detail." networkActivityOverview: type: "object" properties: externalServerConn: type: "object" description: "Total number of outgoing network connections to\ \ external IP addresses." properties: count: type: "number" message: type: "string" description: "Error message if there is an error fetching\ \ this detail." externalClientConn: type: "object" description: "Total number of incoming network connections from\ \ external IP addresses." properties: count: type: "number" message: type: "string" description: "Error message if there is an error fetching\ \ this detail." externalInBytes: type: "object" description: "Total number of bytes received from external IP\ \ addresses." properties: count: type: "number" message: type: "string" description: "Error message if there is an error fetching\ \ this detail." externalOutBytes: type: "object" description: "Total number of bytes sent to external IP addresses." properties: count: type: "number" message: type: "string" description: "Error message if there is an error fetching\ \ this detail." startTimeRange: type: "number" description: "Start time, as an epoch timestamp, for which data\ \ is fetched. This matches the start of the time range in which\ \ the alert occurred." endTimeRange: type: "number" description: "End time, as an epoch timestamp, for which data\ \ is fetched. This matches the end of the time range in which\ \ the alert occurred." Alert_Machine_Entity_Response_Schema_Finalized: properties: data: type: "array" items: type: "object" properties: criticalAndHighRisk: type: "object" description: "Information about critical and high severity level detections\ \ related to vulnerabilities, attack paths, and alerts associated\ \ with the hostname." properties: internetExposure: type: "string" description: "Internet exposure information related to the hostname." vulnerabilities: type: "object" description: "Information about critical and high severity level\ \ detections related to vulnerabilities that are fixable from\ \ the last seven days." properties: criticalCount: type: "number" description: "Count of vulnerabilities with critical severity." highCount: type: "number" description: "Count of vulnerabilities with high severity." startTimeRange: type: "number" description: "Start time, as an epoch timestamp, for which\ \ data is fetched. This refers to Last 7 days." endTimeRange: type: "number" description: "End time, as an epoch timestamp, for which data\ \ is fetched. This refers to Last 7 days." message: type: "string" description: "Error message if there is an error fetching\ \ detail." alerts: type: "object" description: "Information about critical and high level severity\ \ alerts from the last seven days with the status of open or\ \ in-progress." properties: criticalCount: type: "number" description: "Count of alerts with critical severity." highCount: type: "number" description: "Count of alerts with high severity." startTimeRange: type: "number" description: "Start time, as an epoch timestamp, for which\ \ data is fetched. This refers to Last 7 days." endTimeRange: type: "number" description: "End time, as an epoch timestamp, for which data\ \ is fetched. This refers to Last 7 days." message: type: "string" description: "Error message if there is an error fetching\ \ detail." attackPaths: type: "object" description: "Critical, high, medium, or low severity attack paths\ \ from the last 24 hours. Lacework generates attack paths if\ \ critical vulnerabilities are associated with a cloud asset\ \ and they are exposed to the internet." properties: criticalCount: type: "number" description: "Count of attack paths with critical path severity." otherCount: type: "number" description: "Count of attack paths with high, medium and\ \ low path severity." startTimeRange: type: "number" description: "Start time, as an epoch timestamp, for which\ \ data is fetched. This refers to Last 24 hours time range\ \ from last scan." endTimeRange: type: "number" description: "End time, as an epoch timestamp, for which data\ \ is fetched. This refers to Last 24 hours time range from\ \ last scan." message: type: "string" description: "Error message if there is an error fetching\ \ this detail." machineProperties: type: "object" description: "Machine properties." properties: name: type: "string" description: "Hostname of the machine." ipAddress: type: "string" description: "IP address of the machine." firstKnownTime: type: "number" description: "Time when machine was first detected by the Lacework\ \ agent." lastKnownTime: type: "number" description: "Time when machine was last detected by the Lacework\ \ agent." lastBootTime: type: "number" description: "Last boot up time of the machine as detected by\ \ the Lacework agent." cpu: type: "string" description: "CPU type of the machine." osType: type: "string" description: "OS type of the machine." memoryInfo: type: "string" description: "Total RAM on the machine." kernelRelease: type: "string" description: "Kernel release version of the machine." kernelVersion: type: "string" description: "Kernel version of the machine." macAddres: type: "string" description: "MAC address of the machine." defaultRouter: type: "string" description: "Default router information." promiscuous: type: "string" description: "Whether the machine is running in promiscuous mode." startTimeRange: type: "number" description: "Start time, as an epoch timestamp, for which data\ \ is fetched for. This matches with the alert time range." endTimeRange: type: "number" description: "End time, as an epoch timestamp, for which data\ \ is fetched for. This matches with alert time range." message: type: "string" description: "Error message if there is an error fetching this\ \ detail." machineTagSummary: type: "object" description: "Machine Tags summary." properties: amiId: type: "string" description: "ID of machine image used by the machine." externalIp: type: "string" description: "External IP address of the machine." instanceId: type: "string" description: "Instance ID of the machine." subnetId: type: "string" description: "ID of the subnet in which the machine exists." vmInstanceType: type: "string" description: "The instance type of the machine. For example, the\ \ t2.micro AWS instance type." vmProvider: type: "string" description: "The cloud service provider on which the machine\ \ is running." lwTokenShort: type: "string" description: "The first 30 characters of the agent access token\ \ used by the Lacework agent installed on the machine." internalIp: type: "string" description: "Internal IP address of the machine." arch: type: "string" description: "The machine architecture type." vpcId: type: "string" description: "ID of the VPC in which the machine is running." zone: type: "string" description: "The availability zone in which the machine is running." os: type: "string" description: "OS type of the machine." account: type: "string" description: "ID of the cloud service provider entity in which\ \ the machine exists. For example, the ID of the AWS account,\ \ Azure subscription, or Google Cloud project in which the machine\ \ exists." startTimeRange: type: "number" description: "Start time, as an epoch timestamp, for which data\ \ is fetched for. This matches with the alert time range." endTimeRange: type: "number" description: "End time, as an epoch timestamp, for which data\ \ is fetched for. This matches with the alert time range." message: type: "string" description: "Error message if there is an error fetching this\ \ detail." customResourceGroups: description: "The custom resource groups associated with this machine." type: "object" properties: resourceGroups: description: "The custom resource groups associated with this\ \ machine." type: "array" items: type: "object" properties: resourceGroups: type: "object" description: "Resource group information." properties: name: type: "string" description: "Resource group name." guid: type: "string" description: "Resource group ID." startTimeRange: type: "number" description: "Start time, as an epoch timestamp." endTimeRange: type: "number" description: "End time, as an epoch timestamp." message: type: "string" description: "Error message if there is an error fetching this\ \ detail." cloudServiceProvider: type: "object" description: "Information related to the cloud service provider associated\ \ with this host." properties: cloudServiceProvider: type: "string" description: "Name of the cloud service provider." accountAlias: type: "string" description: "The AWS account alias." projectName: type: "string" description: "The Google Cloud project name." subscriptionName: type: "string" description: "The Azure subscription name." accountId: type: "string" description: "The ID of AWS account." projectId: type: "string" description: "The ID of the Google Cloud project." subscriptionId: type: "string" description: "The ID of Azure subscription." startTimeRange: type: "number" description: "Start time, as an epoch timestamp, for which data\ \ is fetched. This refers to the last 7 days time range." endTimeRange: type: "number" description: "End time, as an epoch timestamp, for which data\ \ is fetched. This refers to the last 7 days time range." message: type: "string" description: "Error message if there is an error fetching this\ \ detail." networkActivityOverview: type: "object" properties: externalServerConn: type: "object" description: "Total number of outgoing network connections to\ \ external IP addresses." properties: count: type: "number" message: type: "string" description: "Error message if there is an error fetching\ \ this detail." externalClientConn: type: "object" description: "Total number of incoming network connections from\ \ external IP addresses." properties: count: type: "number" message: type: "string" description: "Error message if there is an error fetching\ \ this detail." externalInBytes: type: "object" description: "Total number of bytes received from external IP\ \ addresses." properties: count: type: "number" message: type: "string" description: "Error message if there is an error fetching\ \ this detail." externalOutBytes: type: "object" description: "Total number of bytes sent to external IP addresses." properties: count: type: "number" message: type: "string" description: "Error message if there is an error fetching\ \ this detail." startTimeRange: type: "number" description: "Start time, as an epoch timestamp, for which data\ \ is fetched for. This matches the alert time range." endTimeRange: type: "number" description: "End time, as an epoch timestamp, for which data\ \ is fetched for. This matches the alert time range." Alert_Machine_Entity_Summary_Response_Schema: type: "object" properties: entityValue: type: "string" description: "The identifying value for the entity, that is, its machine\ \ identifier (MID)." externalIp: type: "string" description: "The external IP address of this machine, if any." cpuPercentage: type: "number" description: "The percentage of CPU used" internalIp: type: "string" description: "Internal IP address of the machine." isExternal: type: "boolean" description: "Whether this is an external machine." hostname: type: "string" description: "Hostname associated to the machine" AlertsEntityDetails_Response_Schema: oneOf: - $ref: "#/components/schemas/Alerts_IP_Response_Schema_Finalized" - $ref: "#/components/schemas/Alerts_Machine_Response_Schema_Finalized" discriminator: propertyName: "contextEntityType" mapping: IpAddress: "#/components/schemas/Alerts_IP_Response_Schema_Finalized" Machine: "#/components/schemas/Alerts_Machine_Response_Schema_Finalized" AlertsEntitySummary_Response_Schema: oneOf: - $ref: "#/components/schemas/Alerts_IP_Entity_Summary_Response_Schema_Finalized" - $ref: "#/components/schemas/Alerts_Machine_Entity_Summary_Response_Schema_Finalized" discriminator: propertyName: "contextEntityType" mapping: IpAddress: "#/components/schemas/Alerts_IP_Entity_Summary_Response_Schema_Finalized" Machine: "#/components/schemas/Alerts_Machine_Entity_Summary_Response_Schema_Finalized" Alerts_Details_Response_Schema: properties: entityMap: type: "object" additionalProperties: true Alerts_Details_Response_Schema_Finalized: allOf: - type: "object" properties: scope: description: "This field is used for the response schema option; it will\ \ not be in the response." type: "string" enum: - "Details" - type: "object" properties: data: allOf: - $ref: "#/components/schemas/Alerts_Response_Schema" - $ref: "#/components/schemas/Alerts_Details_Response_Schema" Alerts_Entities_Response_Schema_Finalized: properties: data: type: "array" items: type: "object" properties: entities: type: "object" description: "List of entities associated with a given alert for which\ \ additional context is available." allOf: - $ref: "#/components/schemas/AlertsEntitySummary_Response_Schema" countOfEntities: type: "number" description: "Count of entities that have additional context for the\ \ given alert ID." Alerts_Events_Response_Schema: properties: data: type: "array" items: type: "object" properties: awsRegion: type: "string" description: "The AWS region where the event occurred." eventName: type: "string" description: "The name of the event." eventSource: type: "string" description: "The source domain of the event or where the event occurred,\ \ such as `rds.amazonaws.com`." sourceIpAddress: type: "string" description: "The IP address from which a request associated with\ \ the event was made." recipientAccountId: type: "string" description: "The account ID that received the event." mfa: type: "boolean" description: "Whether MFA is enabled." eventTime: type: "string" description: "A timestamp reflecting when the event occurred." userIdentity: type: "object" description: "The user associated with the event." firstTime: type: "string" description: "The earliest timestamp when a similar event was first\ \ seen." eventTimes: type: "string" description: "The timestamp of the original event in Pacific Time." userName: type: "string" description: "The user name involved in the event." additionalEventInfo: type: "object" description: "Additional information associated with the event, if\ \ available." requestParameters: type: "object" description: "Type-specific request parameters associated with the\ \ event." region: type: "string" description: "The region where the event occurred." projectId: type: "string" description: "The GCP project ID involved in the event." serviceName: type: "string" description: "The service name involved in the event." methodName: type: "string" description: "The method name." principalEmail: type: "string" description: "The principal email address." organizationName: type: "string" description: "The GCP organization name." callerSuppliedUserAgent: type: "string" description: "The caller supplied user agent." request: type: "string" description: "The request info." tenantId: type: "string" description: "The tenant ID." resourceId: type: "string" description: "The resource ID." callerIpAddress: type: "string" description: "The source IP address." identity: type: "string" description: "The identity." operationName: type: "string" description: "The API (operation name)." resultType: type: "string" description: "The result type." subscriptionId: type: "string" description: "The subscription ID." providerName: type: "string" description: "The provider name." eventCategory: type: "string" description: "The event category for the original event." tenantName: type: "string" description: "The tenant name." subscriptionName: type: "string" description: "The subscription name." startTime: type: "string" description: "The start time of the event, related alert, or the composite\ \ observation." endTime: type: "string" description: "The end time of the event, related alert, or the composite\ \ observation." srcIpAddrPort: type: "string" description: "The source IP address and port for the connection." dstIpAddrPort: type: "string" description: "The destination IP address and port for the connection." machine: type: "string" description: "The hostname of the machine." container: type: "string" description: "The name of the container." processIdHash: type: "string" description: "The hash of the process ID." processId: type: "string" description: "The ID of the process." fileExePath: type: "string" description: "The execution path of the file." bytes: type: "string" description: "The number of bytes transferred." compositeEventId: type: "number" description: "The ID of the composite alert." id: type: "string" description: "The ID of the related alert or the composite observation." name: type: "string" description: "The name of the related alert or the composite observation." descriptionText: type: "string" description: "The description of the related alert or the composite\ \ observation." compositeStartTime: type: "string" description: "The start time of the composite alert." compositeEndTime: type: "string" description: "The end time of the composite alert." entityKeys: type: "array" description: "The list of focal entities of the related alert or composite\ \ observation." items: type: "object" description: "The focal entity of a related alert or composite observation." tagMetadata: type: "array" description: "The list of MITRE tags tagged to an alert." items: type: "object" description: "MITRE tag information tagged to an alert." properties: tagMetadata: type: "object" description: "Detailed MITRE tag information tagged to an alert." properties: customerFacingId: type: "string" description: "Customer facing ID for MITRE tag." id: type: "string" description: "MITRE tag ID." name: type: "string" description: "MITRE tag name." orderIndex: type: "string" description: "Priority of the MITRE tag." parentId: type: "string" description: "ID representing the parent tag (MITRE Technique\ \ ID for a given sub-technique)." type: type: "string" description: "Type of MITRE tag." url: type: "string" description: "URL to redirect to MITRE tag information on\ \ the MITRE tag website." version: type: "string" description: "Version of MITRE tag." additionalProperties: true Alerts_Events_Response_Schema_Finalized: allOf: - type: "object" properties: scope: description: "This field is used for the response schema option; it will\ \ not be in the response." type: "string" enum: - "Events" - $ref: "#/components/schemas/Alerts_Events_Response_Schema" Alerts_IP_Entity_Summary_Response_Schema_Finalized: allOf: - type: "object" properties: contextEntityType: description: "This field is used for the response schema option; it will\ \ not be in the response." type: "string" enum: - "IpAddress" - $ref: "#/components/schemas/Alert_IP_Entity_Summary_Response_Schema" Alerts_IP_Response_Schema_Finalized: allOf: - type: "object" properties: contextEntityType: description: "This field is used for the response schema option; it will\ \ not be in the response." type: "string" enum: - "IpAddress" - $ref: "#/components/schemas/Alert_IP_Entity_Response_Schema" Alerts_Integrations_Response_Schema: properties: data: type: "array" items: type: "object" properties: alertChannel: type: "object" description: "The name of the alert channel." alertIntegrationId: type: "string" description: "The integration identifier." createdTime: type: "string" description: "A timestamp representing the time the alert channel\ \ integration was created." alertId: type: "number" description: "The alert identifier." integrationType: type: "string" description: "The integration type, such as Jira or ServiceNow." integrationContext: type: "object" description: "Arbitrary fields needed for the specific integration\ \ type." intgGuid: type: "string" description: "The unique global identifier for the integration." lastSyncTime: type: "string" description: "The last time Lacework synchronized data with the integrated\ \ system." alertIntegrationStatus: type: "string" description: "Status specific to the integration type, such as a Jira\ \ issue status." status: type: "string" description: "The integration status." isBidirectional: type: "boolean" description: "Whether the integration supports bidirectional events." additionalProperties: true Alerts_Integrations_Response_Schema_Finalized: allOf: - type: "object" properties: scope: description: "This field is used for the response schema option; it will\ \ not be in the response." type: "string" enum: - "Integrations" - $ref: "#/components/schemas/Alerts_Integrations_Response_Schema" Alerts_IntrusionGraph_Response_Schema: properties: data: type: "array" items: type: "object" properties: graphObjectType: type: "string" description: "Identifies the type of the graph object, which can be\ \ `node`, `edge`, `entity` or `relationship`." graphObject: type: "object" description: "Includes the descriptive properties individual `node`,\ \ `edge`, `entity` or `relationship` objects." additionalProperties: true Alerts_Investigation_Response_Schema: properties: data: type: "array" items: type: "object" properties: question: type: "string" description: "Lacework-defined investigative questions that may help\ \ uncover unexpected behaviors relevant to the event." answer: type: "string" description: "The answer to the investigative question, `Yes` or `No`." additionalProperties: true Alerts_Investigation_Response_Schema_Finalized: allOf: - type: "object" properties: scope: description: "This field is used for the response schema option; it will\ \ not be in the response." type: "string" enum: - "Investigation" - $ref: "#/components/schemas/Alerts_Investigation_Response_Schema" Alerts_Machine_Entity_Summary_Response_Schema_Finalized: allOf: - type: "object" properties: contextEntityType: description: "This field is used for the response schema option; it will\ \ not be in the response." type: "string" enum: - "Machine" - $ref: "#/components/schemas/Alert_Machine_Entity_Summary_Response_Schema" Alerts_Machine_Response_Schema_Finalized: allOf: - type: "object" properties: contextEntityType: description: "This field is used for the response schema option; it will\ \ not be in the response." type: "string" enum: - "Machine" - $ref: "#/components/schemas/Alert_Machine_Entity_Response_Schema" Alerts_ObservationTimeline_Response_Schema: properties: data: type: "array" items: type: "object" properties: recordUuid: type: "string" description: "Unique identifier for a record in the observation timeline." observationPivotEntityUuids: type: "array" description: "A list of unique identifiers for the primary or 'pivot'\ \ entities that this record describes." observationType: type: "string" description: "The observation type corresponds to the kind of suspicious\ \ activity detected." description: type: "string" description: "A description of the suspicious activity detected." entities: type: "array" items: type: "object" properties: isDetail: type: "boolean" description: "Boolean flag denoting if the entity has special\ \ relevance to the observation to which it belongs." isSubject: type: "boolean" description: "Boolean flag denoting if the entity is the focus\ \ of the observation to which it belongs." entityType: type: "string" description: "The type of the entity." entityKey: type: "object" description: "A list of key-value pairs that identify the entity." entityText: type: "string" description: "Display text for the entity." entityUuid: type: "string" description: "Unique identifier for the entity." relationships: type: "array" items: type: "object" properties: relationshipId: type: "string" description: "Unique identifier for a specific instance of a\ \ relationship." srcEntityType: type: "string" description: "The type of the source entity." dstEntityType: type: "string" description: "The type of the destination entity." srcEntityKey: type: "object" description: "A list of key-value pairs that identify the source\ \ entity." dstEntityKey: type: "object" description: "A list of key-value pairs that identify the destination\ \ entity." srcEntityText: type: "string" description: "Display text for the source entity." dstEntityText: type: "string" description: "Display text for the destination entity." srcEntityUuid: type: "string" description: "Unique identifier for the source entity." dstEntityUuid: type: "string" description: "Unique identifier for the destination entity." startEpoch: type: "number" description: "The start timestamp in epoch seconds of the interval\ \ the observation was detected." endEpoch: type: "number" description: "The end timestamp in epoch seconds of the interval the\ \ observation was detected." formalTags: type: "array" description: "A list of tags that describe each group of observations\ \ in the observation timeline." items: type: "object" additionalProperties: true Alerts_ObservationTimeline_Response_Schema_Finalized: allOf: - type: "object" properties: scope: description: "This field is used for the response schema option; it will\ \ not be in the response." type: "string" enum: - "ObservationTimeline" - $ref: "#/components/schemas/Alerts_ObservationTimeline_Response_Schema" Alerts_RelatedAlerts_Response_Schema: properties: data: type: "array" items: type: "object" properties: eventType: type: "string" description: "The event type of the related alert." eventId: type: "string" description: "The ID of the related alert." severity: type: "string" description: "The Severity of the related alert." startTime: type: "string" description: "The start time of the alert time range in which the\ \ related alert occurred." endTime: type: "string" description: "The end time of the alert time range in which the related\ \ alert occurred." eventModel: type: "string" description: "The event model of the related alert." eventProps: type: "object" description: "The event properties of the related alert." keys: type: "object" description: "The related alert event keys." rank: type: "number" description: "The rank of the related alert based on a similarity\ \ score." eventInfo: type: "object" description: "Information associated with the related event, such\ \ as its description." eventName: type: "string" description: "The name of the related alert." additionalProperties: true Alerts_RelatedAlerts_Response_Schema_Finalized: allOf: - type: "object" properties: scope: description: "This field is used for the response schema option; it will\ \ not be in the response." type: "string" enum: - "RelatedAlerts" - $ref: "#/components/schemas/Alerts_RelatedAlerts_Response_Schema" Alerts_Response_Schema: properties: alertId: type: "integer" description: "Alert ID" alertType: type: "string" description: "The alert type" alertName: type: "string" description: "The alert name such as `Service called GCP API`" alertInfo: type: "object" description: "Details of the alert" properties: description: type: "string" description: "The alert description provides why the potential threat\ \ occurred" subject: type: "string" description: "The alert subject. In some cases, the alert subject can\ \ be the same as the alert name." customerCount: type: "number" description: "Number of customers with similar behavior. While this\ \ event occurred for the first time in this Lacework account, it may\ \ be considered less risky if it represents common behavior observed\ \ in other customer cloud deployments." isExpectedLWBehavior: type: "boolean" description: "Whether the alert results from activity related to your\ \ Lacework integration, such as connections between Lacework agents\ \ and the Lacework platform." supportingFacts: type: "array" description: "List of supporting facts of a [composite alert](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=INTRODUCTION_TO_COMPOSITE_ALERTS)." items: type: "object" description: "Supporting facts of a composite alert." properties: supportingFactText: type: "string" description: "The supporting fact indicates why the potential\ \ threat occurred." subElements: type: "array" description: "Sub elements provide more details of supporting\ \ facts in a recursive format." items: type: "object" severity: type: "string" description: "The alert's severity level. See [Alert Severity](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=ALERT_SEVERITY)." internetExposure: type: "string" description: "Whether any entity involved in the alert is exposed to the\ \ internet: yes, no, or unknown." reachability: type: "string" description: "Whether any entity in the alert is reachable." derivedFields: type: "object" description: "The alert category, subcategory, and source." properties: category: type: "string" description: "The alert category. See [Alert Categories](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=ALERT_CATEGORIES)." subCategory: type: "string" description: "The alert subcategory. See [Alert Subcategories](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=ALERT_CATEGORIES#alert-subcategories)." source: type: "string" description: "The origin of the alert: AWS, Azure, GCP, Agent, or K8s." startTime: type: "string" description: "The time and date when the potential threat started" endTime: type: "string" description: "The time and date when the potential threat ended" lastUserUpdatedTime: type: "string" description: "The timestamp for when a user selected a [primary integration](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=JIRA#bidirectional-integration)\ \ or updated the alert status" status: type: "string" description: "The current status of the alert" additionalProperties: true Alerts_Timeline_Response_Schema: properties: data: type: "array" items: type: "object" properties: alertChannel: type: "object" description: "The name of the alert channel." id: type: "number" description: "The timeline item identifier." alertId: type: "number" description: "The alert identifier." createdTime: type: "string" description: "The created time of the timeline item." entryType: type: "string" description: "The type of timeline item." entryAuthorType: type: "string" description: "The timeline item author type, among `SystemUpdate`,\ \ `UserUpdate`, or `Integration`." intgGuid: type: "string" description: "The integration's globally unique identifier." message: type: "object" description: "The message associated with the timeline item." externalTime: type: "string" description: "The timestamp when the timeline item was generated according\ \ to the external alert platform." user: type: "object" description: "The user who created the timeline item." external: type: "boolean" description: "Whether the timeline item was externally generated." updateContext: type: "object" description: "Context information associated with the timeline item." alertIntegration: type: "object" description: "Information about the alert channel integration." additionalProperties: true Alerts_Timeline_Response_Schema_Finalized: allOf: - type: "object" properties: scope: description: "This field is used for the response schema option; it will\ \ not be in the response." type: "string" enum: - "Timeline" - $ref: "#/components/schemas/Alerts_Timeline_Response_Schema" ApiV2AccessTokens: type: "object" required: - "keyId" - "expiryTime" properties: keyId: type: "string" description: "YourAccessKeyID" example: "YourSecretKey" expiryTime: type: "integer" description: "The access token's expiration (in seconds) that you want to\ \ set. Maximum value: 86400 (24 hours)." example: 3600 AuditLogs_Response_Schema: properties: createdTime: type: "string" description: "The creation timestamp of the log file." accountName: type: "string" description: "The account name associated with the logged action." userName: type: "string" description: "The username of the user associated with the logged action." eventName: type: "string" userAction: type: "string" description: "Summary of the action such as `Login with OAuth Succeeded`\ \ or `Alert Channel Created`." eventDescription: type: "string" description: "Summary of the event such as `User test-user@test-domain.net\ \ logged in to ALERTPLATFORM account using OAuth credentials`." additionalProperties: true BaseIntegerFilterItem: type: "object" properties: expression: $ref: "#/components/schemas/NumericFilterExpression" field: type: "string" value: type: "integer" values: type: "array" items: type: "integer" description: "Multiple integer values for filtering." BaseJSONFilterItem: type: "object" properties: expression: $ref: "#/components/schemas/JSONFilterExpression" field: type: "string" value: type: "string" values: type: "array" items: type: "string" description: "Multiple string values for filtering." BaseStringFilterItem: type: "object" properties: expression: $ref: "#/components/schemas/StringFilterExpression" field: type: "string" value: type: "string" values: type: "array" items: type: "string" description: "Multiple string values for filtering." BaseTimestampFilterItem: type: "object" properties: expression: $ref: "#/components/schemas/TimestampFilterExpression" field: type: "string" value: type: "string" values: type: "array" items: type: "string" description: "Multiple string values for filtering." CloudAccounts_AwsCfg_Create_Schema: allOf: - $ref: "#/components/schemas/CloudAccounts_AwsCfg_Update_Schema" - type: "object" required: - "type" - "enabled" - "name" - "data" properties: data: properties: awsAccountId: type: "string" title: "Account ID" description: "Your AWS account identifier or alias. This is the Account\ \ ID specified for the Cross-Account IAM role created as a preparatory\ \ task in [AWS Integration Prerequisites](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=onboardingAWSIntegrationPrerequisites)." crossAccountCredentials: properties: externalId: title: "External ID" type: "string" description: "The AWS external ID that is associated with the\ \ cross-account role that Lacework uses to access your AWS resource.\ \ This is the External ID specified for the Cross-Account IAM\ \ role in your preparatory integration of AWS described in [AWS\ \ Integration Prerequisites](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=onboardingAWSIntegrationPrerequisites)." minLength: 1 roleArn: title: "Role ARN" type: "string" description: "The ARN of the cross-account role that Lacework\ \ uses to access your AWS resources. This is the ARN specified\ \ for the Cross-Account IAM role in your preparatory integration\ \ of AWS described in [AWS Integration Prerequisites](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=onboardingAWSIntegrationPrerequisites)." pattern: "^arn:aws(-[a-zA-Z]+)?:iam:([a-zA-Z0-9-_]+)?:([0-9]{12}):([a-zA-Z0-9_-]+)([/:][a-zA-Z0-9_-]+)*$" required: - "externalId" - "roleArn" type: "object" description: "Details of the cross-account role that Lacework uses\ \ to access your AWS resource." required: - "crossAccountCredentials" type: "object" CloudAccounts_AwsCfg_Response_Schema: allOf: - $ref: "#/components/schemas/CloudAccounts_AwsCfg_Create_Schema" - type: "object" properties: isOrg: title: "Is Org Integration" type: "number" description: "Returns `1` if the access token has organization admin permissions.\ \ Otherwise, returns `0`." default: 0 minimum: 0 maximum: 1 props: title: "Props" type: "object" description: "The integration's properties." createdOrUpdatedBy: description: "The user who created or who last updated the integration." type: "string" createdOrUpdatedTime: description: "The timestamp for when the integration was created or last\ \ updated." type: "string" intgGuid: description: "The integration’s globally unique identifier." type: "string" state: description: "The integration’s real-time state, such as Pending, Success,\ \ or Error." type: "object" additionalProperties: true CloudAccounts_AwsCfg_Update_Schema: properties: name: title: "Name" type: "string" description: "When sending a request, use this attribute to specify an integration’\ s name. When included in a response, this attribute returns the specified\ \ integration’s name." pattern: "(?!^ +$)^.+$" minLength: 1 type: title: "Type" type: "string" description: "When sending a request, use this attribute to specify the\ \ type of integration, from the following options. When included in a\ \ response, this attribute returns the specified integration’s type." enum: - "AwsCfg" enabled: title: "Enabled" type: "number" description: "When sending a request, use this attribute to enable or disable\ \ an integration. When included in a response, returns `1` for an enabled\ \ integration or `0` for a disabled integration." minimum: 0 maximum: 1 example: 1 cloudId: title: "Cloud ID" type: "string" description: "The cloud account identifier." cloudIdType: title: "Cloud ID Type" type: "string" description: "The type of cloud account identifier." enum: - "AWS_ACCOUNT_ID" - "AZURE_TENANT_ID" - "GCP_PROJECT_ID" - "GCP_ORGANIZATION_ID" - "OCI_TENANT_ID" data: properties: awsAccountId: type: "string" title: "Account ID" description: "Your AWS account identifier or alias. This is the Account\ \ ID specified for the Cross-Account IAM role created as a preparatory\ \ task in [AWS Integration Prerequisites](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=onboardingAWSIntegrationPrerequisites)." crossAccountCredentials: properties: externalId: title: "External ID" type: "string" description: "The AWS external ID that is associated with the cross-account\ \ role that Lacework uses to access your AWS resource. This is\ \ the External ID specified for the Cross-Account IAM role in\ \ your preparatory integration of AWS described in [AWS Integration\ \ Prerequisites](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=onboardingAWSIntegrationPrerequisites)." minLength: 1 roleArn: title: "Role ARN" type: "string" description: "The ARN of the cross-account role that Lacework uses\ \ to access your AWS resources. This is the ARN specified for\ \ the Cross-Account IAM role in your preparatory integration of\ \ AWS described in [AWS Integration Prerequisites](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=onboardingAWSIntegrationPrerequisites)." pattern: "^arn:aws(-[a-zA-Z]+)?:iam:([a-zA-Z0-9-_]+)?:([0-9]{12}):([a-zA-Z0-9_-]+)([/:][a-zA-Z0-9_-]+)*$" type: "object" description: "Details of the cross-account role that Lacework uses to\ \ access your AWS resource." type: "object" CloudAccounts_AwsCtSqs_Create_Schema: allOf: - $ref: "#/components/schemas/CloudAccounts_AwsCtSqs_Update_Schema" - type: "object" required: - "type" - "enabled" - "name" - "data" properties: data: properties: awsAccountId: type: "string" title: "Account ID" description: "Your AWS account identifier or alias. This is the Account\ \ ID specified for the Cross-Account IAM role created as a preparatory\ \ task in [AWS Integration Prerequisites](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=onboardingAWSIntegrationPrerequisites)." crossAccountCredentials: properties: externalId: title: "External ID" type: "string" description: "The AWS external ID that is associated with the\ \ cross-account role that Lacework uses to access your AWS resource.\ \ This is the External ID specified for the Cross-Account IAM\ \ role created as a preparatory task in [AWS Integration Prerequisites](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=onboardingAWSIntegrationPrerequisites)." minLength: 1 roleArn: title: "Role ARN" type: "string" description: "The ARN of the cross-account role that Lacework\ \ uses to access your AWS resources. This is the ARN specified\ \ for the Cross-Account IAM role created as a preparatory task\ \ in [AWS Integration Prerequisites](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=onboardingAWSIntegrationPrerequisites)." pattern: "^arn:aws(-[a-zA-Z]+)?:iam:([a-zA-Z0-9-_]+)?:([0-9]{12}):([a-zA-Z0-9_-]+)([/:][a-zA-Z0-9_-]+)*$" required: - "externalId" - "roleArn" type: "object" description: "Details of the cross-account role that Lacework uses\ \ to access your AWS resource." queueUrl: title: "SQSQueueURL" type: "string" description: "The Amazon Simple Queue Service (SQS) URL value. This\ \ is the SQS Queue URL specified for the Cross-Account IAM role\ \ created as a preparatory task in [AWS Integration Prerequisites](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=onboardingAWSIntegrationPrerequisites)." pattern: "^((http[s]?|ftp):\\/)?\\/?([^:\\/\\s]+)((\\/\\w+)*\\/)([\\\ w\\-\\.]+[^#?\\s]+)(.*)?(#[\\w\\-]+)?$" accountMappingFile: title: "Account Mapping File" format: "data-url" description: "The mapping file to use in the integration. The account\ \ mapping file is a JSON file that maps AWS accounts to Lacework\ \ accounts within a Lacework organization. See [Account Mapping\ \ File](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=AWS_ACCOUNT_MAPPING)." type: "string" pattern: "(^data:.+;base64,)(.+$)" accountMapping: type: "object" description: "If your organization has enabled the [Lacework Organization](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=orgOverview)\ \ feature, when sending a request, you can specify a comma-separated\ \ list of AWS organization names that match Lacework sub-account\ \ names. Based on this AWS organization-to-Lacework sub-account\ \ name mapping, Lacework adds your AWS accounts to the appropriate\ \ Lacework sub-accounts. AWS organization names and Lacework sub-account\ \ names must match. When included in a response, returns a comma-separated\ \ list of AWS organization names that match Lacework sub-account\ \ names." required: - "queueUrl" - "crossAccountCredentials" type: "object" CloudAccounts_AwsCtSqs_Response_Schema: allOf: - $ref: "#/components/schemas/CloudAccounts_AwsCtSqs_Create_Schema" - type: "object" properties: isOrg: title: "Is Org Integration" type: "number" description: "Returns `1` if the access token has organization admin permissions.\ \ Otherwise, returns `0`." default: 0 minimum: 0 maximum: 1 props: title: "Props" type: "object" description: "The integration's properties." createdOrUpdatedBy: description: "The user who created or who last updated the integration." type: "string" createdOrUpdatedTime: description: "The timestamp for when the integration was created or last\ \ updated." type: "string" intgGuid: description: "The integration’s globally unique identifier." type: "string" state: description: "The integration’s real-time state, such as Pending, Success,\ \ or Error." type: "object" additionalProperties: true CloudAccounts_AwsCtSqs_Update_Schema: properties: name: title: "Name" type: "string" description: "When sending a request, use this attribute to specify an integration’\ s name. When included in a response, this attribute returns the specified\ \ integration’s name." pattern: "(?!^ +$)^.+$" minLength: 1 type: title: "Type" type: "string" description: "When sending a request, use this attribute to specify the\ \ type of integration, from the following options. When included in a\ \ response, this attribute returns the specified integration’s type." enum: - "AwsCtSqs" enabled: title: "Enabled" type: "number" description: "When sending a request, use this attribute to enable or disable\ \ an integration. When included in a response, returns `1` for an enabled\ \ integration or `0` for a disabled integration." minimum: 0 maximum: 1 example: 1 cloudId: title: "Cloud ID" type: "string" description: "The cloud account identifier." cloudIdType: title: "Cloud ID Type" type: "string" description: "The type of cloud account identifier." enum: - "AWS_ACCOUNT_ID" - "AZURE_TENANT_ID" - "GCP_PROJECT_ID" - "GCP_ORGANIZATION_ID" - "OCI_TENANT_ID" data: properties: awsAccountId: type: "string" title: "Account ID" description: "Your AWS account identifier or alias. This is the Account\ \ ID specified for the Cross-Account IAM role created as a preparatory\ \ task in [AWS Integration Prerequisites](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=onboardingAWSIntegrationPrerequisites)." crossAccountCredentials: properties: externalId: title: "External ID" type: "string" description: "The AWS external ID that is associated with the cross-account\ \ role that Lacework uses to access your AWS resource. This is\ \ the External ID specified for the Cross-Account IAM role created\ \ as a preparatory task in [AWS Integration Prerequisites](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=onboardingAWSIntegrationPrerequisites)." minLength: 1 roleArn: title: "Role ARN" type: "string" description: "The ARN of the cross-account role that Lacework uses\ \ to access your AWS resources. This is the ARN specified for\ \ the Cross-Account IAM role created as a preparatory task in\ \ [AWS Integration Prerequisites](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=onboardingAWSIntegrationPrerequisites)." pattern: "^arn:aws(-[a-zA-Z]+)?:iam:([a-zA-Z0-9-_]+)?:([0-9]{12}):([a-zA-Z0-9_-]+)([/:][a-zA-Z0-9_-]+)*$" type: "object" description: "Details of the cross-account role that Lacework uses to\ \ access your AWS resource." queueUrl: title: "SQSQueueURL" type: "string" description: "The Amazon Simple Queue Service (SQS) URL value. This\ \ is the SQS Queue URL specified for the Cross-Account IAM role created\ \ as a preparatory task in [AWS Integration Prerequisites](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=onboardingAWSIntegrationPrerequisites)." pattern: "^((http[s]?|ftp):\\/)?\\/?([^:\\/\\s]+)((\\/\\w+)*\\/)([\\\ w\\-\\.]+[^#?\\s]+)(.*)?(#[\\w\\-]+)?$" accountMappingFile: title: "Account Mapping File" format: "data-url" description: "The mapping file to use in the integration. The account\ \ mapping file is a JSON file that maps AWS accounts to Lacework accounts\ \ within a Lacework organization. See [Account Mapping File](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=AWS_ACCOUNT_MAPPING)." type: "string" pattern: "(^data:.+;base64,)(.+$)" accountMapping: type: "object" description: "If your organization has enabled the [Lacework Organization](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=orgOverview)\ \ feature, when sending a request, you can specify a comma-separated\ \ list of AWS organization names that match Lacework sub-account names.\ \ Based on this AWS organization-to-Lacework sub-account name mapping,\ \ Lacework adds your AWS accounts to the appropriate Lacework sub-accounts.\ \ AWS organization names and Lacework sub-account names must match.\ \ When included in a response, returns a comma-separated list of AWS\ \ organization names that match Lacework sub-account names." type: "object" CloudAccounts_AwsEksAudit_Create_Schema: allOf: - $ref: "#/components/schemas/CloudAccounts_AwsEksAudit_Update_Schema" - type: "object" required: - "type" - "enabled" - "name" - "data" properties: data: properties: awsAccountId: type: "string" title: "Account ID" description: "Your AWS account identifier or alias. This is the Account\ \ ID specified for the Cross-Account IAM role created as a preparatory\ \ task in [AWS Integration Prerequisites](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=onboardingAWSIntegrationPrerequisites)." crossAccountCredentials: properties: externalId: title: "External ID" type: "string" description: "The AWS external ID that is associated with the\ \ cross-account role that Lacework uses to access your AWS resource.\ \ This is the External ID specified for the Cross-Account IAM\ \ role in your preparatory integration of AWS described in [AWS\ \ Integration Prerequisites](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=onboardingAWSIntegrationPrerequisites)." minLength: 1 roleArn: title: "Role ARN" type: "string" description: "The ARN of the cross-account role that Lacework\ \ uses to access your AWS resources. This is the ARN specified\ \ for the Cross-Account IAM role in your preparatory integration\ \ of AWS described in [AWS Integration Prerequisites](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=onboardingAWSIntegrationPrerequisites)." pattern: "^arn:aws(-[a-zA-Z]+)?:iam:([a-zA-Z0-9-_]+)?:([0-9]{12}):([a-zA-Z0-9_-]+)([/:][a-zA-Z0-9_-]+)*$" required: - "externalId" - "roleArn" type: "object" description: "Details of the cross-account role that Lacework uses\ \ to access your AWS resource." snsArn: title: "SNS ARN" type: "string" description: "The ARN of the SNS topic. An SNS topic is a communication\ \ channel for SQS queue messaging from your AWS environment to Lacework.\ \ See [SNS Topic](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=onboardingAWSIntegrationPrerequisites#sns-topic)." pattern: "^arn:aws(-[a-zA-Z]+)?:sns:([a-zA-Z0-9-_]+)?:([0-9]{12}):([a-zA-Z0-9_-]+)([/:][a-zA-Z0-9_-]+)*$" s3BucketArn: title: "S3 BUCKET ARN" type: "string" pattern: "^arn:aws(?:-[a-z]{2}-gov)?:s3:::(?=.{3,63}$)(?!(\\d+\\.)+\\\ d+$)(?!.*(?:\\.-|-\\.|\\.{2}))[a-z0-9](?:[a-z0-9.-]{0,61}[a-z0-9])?$" required: - "snsArn" - "crossAccountCredentials" type: "object" CloudAccounts_AwsEksAudit_Response_Schema: allOf: - $ref: "#/components/schemas/CloudAccounts_AwsEksAudit_Create_Schema" - type: "object" properties: isOrg: title: "Is Org Integration" type: "number" description: "Returns `1` if the access token has organization admin permissions.\ \ Otherwise, returns `0`." default: 0 minimum: 0 maximum: 1 props: title: "Props" type: "object" description: "The integration's properties." createdOrUpdatedBy: description: "The user who created or who last updated the integration." type: "string" createdOrUpdatedTime: description: "The timestamp for when the integration was created or last\ \ updated." type: "string" intgGuid: description: "The integration’s globally unique identifier." type: "string" state: description: "The integration’s real-time state, such as Pending, Success,\ \ or Error." type: "object" additionalProperties: true CloudAccounts_AwsEksAudit_Update_Schema: properties: name: title: "Name" type: "string" description: "When sending a request, use this attribute to specify an integration’\ s name. When included in a response, this attribute returns the specified\ \ integration’s name." pattern: "(?!^ +$)^.+$" minLength: 1 type: title: "Type" type: "string" description: "When sending a request, use this attribute to specify the\ \ type of integration, from the following options. When included in a\ \ response, this attribute returns the specified integration’s type." enum: - "AwsEksAudit" enabled: title: "Enabled" type: "number" description: "When sending a request, use this attribute to enable or disable\ \ an integration. When included in a response, returns `1` for an enabled\ \ integration or `0` for a disabled integration." minimum: 0 maximum: 1 example: 1 cloudId: title: "Cloud ID" type: "string" description: "The cloud account identifier." cloudIdType: title: "Cloud ID Type" type: "string" description: "The type of cloud account identifier." enum: - "AWS_ACCOUNT_ID" - "AZURE_TENANT_ID" - "GCP_PROJECT_ID" - "GCP_ORGANIZATION_ID" - "OCI_TENANT_ID" data: properties: awsAccountId: type: "string" title: "Account ID" description: "Your AWS account identifier or alias. This is the Account\ \ ID specified for the Cross-Account IAM role created as a preparatory\ \ task in [AWS Integration Prerequisites](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=onboardingAWSIntegrationPrerequisites)." crossAccountCredentials: properties: externalId: title: "External ID" type: "string" description: "The AWS external ID that is associated with the cross-account\ \ role that Lacework uses to access your AWS resource. This is\ \ the External ID specified for the Cross-Account IAM role in\ \ your preparatory integration of AWS described in [AWS Integration\ \ Prerequisites](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=onboardingAWSIntegrationPrerequisites)." minLength: 1 roleArn: title: "Role ARN" type: "string" description: "The ARN of the cross-account role that Lacework uses\ \ to access your AWS resources. This is the ARN specified for\ \ the Cross-Account IAM role in your preparatory integration of\ \ AWS described in [AWS Integration Prerequisites](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=onboardingAWSIntegrationPrerequisites)." pattern: "^arn:aws(-[a-zA-Z]+)?:iam:([a-zA-Z0-9-_]+)?:([0-9]{12}):([a-zA-Z0-9_-]+)([/:][a-zA-Z0-9_-]+)*$" type: "object" description: "Details of the cross-account role that Lacework uses to\ \ access your AWS resource." snsArn: title: "SNS ARN" type: "string" description: "The ARN of the SNS topic. An SNS topic is a communication\ \ channel for SQS queue messaging from your AWS environment to Lacework.\ \ See [SNS Topic](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=onboardingAWSIntegrationPrerequisites#sns-topic)." pattern: "^arn:aws(-[a-zA-Z]+)?:sns:([a-zA-Z0-9-_]+)?:([0-9]{12}):([a-zA-Z0-9_-]+)([/:][a-zA-Z0-9_-]+)*$" s3BucketArn: title: "S3 BUCKET ARN" type: "string" pattern: "^arn:aws(?:-[a-z]{2}-gov)?:s3:::(?=.{3,63}$)(?!(\\d+\\.)+\\\ d+$)(?!.*(?:\\.-|-\\.|\\.{2}))[a-z0-9](?:[a-z0-9.-]{0,61}[a-z0-9])?$" type: "object" CloudAccounts_AwsUsGovCfg_Create_Schema: allOf: - $ref: "#/components/schemas/CloudAccounts_AwsUsGovCfg_Update_Schema" - type: "object" required: - "type" - "enabled" - "name" - "data" properties: data: properties: accessKeyCredentials: properties: accountId: title: "Account ID" type: "string" description: "Your AWS account identifier or alias." pattern: "^\\d{12}$" accessKeyId: title: "Access Key ID" type: "string" description: "The AccessKeyId value from your AWS console." pattern: "(^|[^A-Z0-9])[A-Z0-9]{20}(?![A-Z0-9])" secretAccessKey: title: "Secret Access Key" type: "string" description: "The SecretAccessKey value from your AWS console." format: "password" pattern: "(^|[^A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])" required: - "accountId" - "accessKeyId" - "secretAccessKey" type: "object" description: "The credentials of your AWS GovCloud account. AWS GovCloud\ \ (US-East and US-West) are isolated regions within AWS for customers\ \ to host sensitive data for supporting their regulated workflows." required: - "accessKeyCredentials" type: "object" CloudAccounts_AwsUsGovCfg_Response_Schema: allOf: - $ref: "#/components/schemas/CloudAccounts_AwsUsGovCfg_Create_Schema" - type: "object" properties: isOrg: title: "Is Org Integration" type: "number" description: "Returns `1` if the access token has organization admin permissions.\ \ Otherwise, returns `0`." default: 0 minimum: 0 maximum: 1 props: title: "Props" type: "object" description: "The integration's properties." createdOrUpdatedBy: description: "The user who created or who last updated the integration." type: "string" createdOrUpdatedTime: description: "The timestamp for when the integration was created or last\ \ updated." type: "string" intgGuid: description: "The integration’s globally unique identifier." type: "string" state: description: "The integration’s real-time state, such as Pending, Success,\ \ or Error." type: "object" additionalProperties: true CloudAccounts_AwsUsGovCfg_Update_Schema: properties: name: title: "Name" type: "string" description: "When sending a request, use this attribute to specify an integration’\ s name. When included in a response, this attribute returns the specified\ \ integration’s name." pattern: "(?!^ +$)^.+$" minLength: 1 type: title: "Type" type: "string" description: "When sending a request, use this attribute to specify the\ \ type of integration, from the following options. When included in a\ \ response, this attribute returns the specified integration’s type." enum: - "AwsUsGovCfg" enabled: title: "Enabled" type: "number" description: "When sending a request, use this attribute to enable or disable\ \ an integration. When included in a response, returns `1` for an enabled\ \ integration or `0` for a disabled integration." minimum: 0 maximum: 1 example: 1 cloudId: title: "Cloud ID" type: "string" description: "The cloud account identifier." cloudIdType: title: "Cloud ID Type" type: "string" description: "The type of cloud account identifier." enum: - "AWS_ACCOUNT_ID" - "AZURE_TENANT_ID" - "GCP_PROJECT_ID" - "GCP_ORGANIZATION_ID" - "OCI_TENANT_ID" data: properties: accessKeyCredentials: properties: accountId: title: "Account ID" type: "string" description: "Your AWS account identifier or alias." pattern: "^\\d{12}$" accessKeyId: title: "Access Key ID" type: "string" description: "The AccessKeyId value from your AWS console." pattern: "(^|[^A-Z0-9])[A-Z0-9]{20}(?![A-Z0-9])" secretAccessKey: title: "Secret Access Key" type: "string" description: "The SecretAccessKey value from your AWS console." format: "password" pattern: "(^|[^A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])" type: "object" description: "The credentials of your AWS GovCloud account. AWS GovCloud\ \ (US-East and US-West) are isolated regions within AWS for customers\ \ to host sensitive data for supporting their regulated workflows." type: "object" CloudAccounts_AwsUsGovCtSqs_Create_Schema: allOf: - $ref: "#/components/schemas/CloudAccounts_AwsUsGovCtSqs_Update_Schema" - type: "object" required: - "type" - "enabled" - "name" - "data" properties: data: properties: accessKeyCredentials: properties: accountId: title: "Account ID" type: "string" description: "Your AWS account identifier or alias." pattern: "^\\d{12}$" accessKeyId: title: "Access Key ID" type: "string" description: "The AccessKeyId value from your AWS console." pattern: "(^|[^A-Z0-9])[A-Z0-9]{20}(?![A-Z0-9])" secretAccessKey: title: "Secret Access Key" type: "string" description: "The SecretAccessKey value from your AWS console." format: "password" pattern: "(^|[^A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])" required: - "accountId" - "accessKeyId" - "secretAccessKey" type: "object" description: "The credentials of your AWS GovCloud account. AWS GovCloud\ \ (US-East and US-West) are isolated regions within AWS for customers\ \ to host sensitive data for supporting their regulated workflows." queueUrl: title: "SQSQueueURL" type: "string" description: "Your AWS account identifier or alias. This is the Account\ \ ID specified for the Cross-Account IAM role created as a preparatory\ \ task in [AWS Integration Prerequisites](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=onboardingAWSIntegrationPrerequisites)." pattern: "^((http[s]?|ftp):\\/)?\\/?([^:\\/\\s]+)((\\/\\w+)*\\/)([\\\ w\\-\\.]+[^#?\\s]+)(.*)?(#[\\w\\-]+)?$" required: - "queueUrl" - "accessKeyCredentials" type: "object" CloudAccounts_AwsUsGovCtSqs_Response_Schema: allOf: - $ref: "#/components/schemas/CloudAccounts_AwsUsGovCtSqs_Create_Schema" - type: "object" properties: isOrg: title: "Is Org Integration" type: "number" description: "Returns `1` if the access token has organization admin permissions.\ \ Otherwise, returns `0`." default: 0 minimum: 0 maximum: 1 props: title: "Props" type: "object" description: "The integration's properties." createdOrUpdatedBy: description: "The user who created or who last updated the integration." type: "string" createdOrUpdatedTime: description: "The timestamp for when the integration was created or last\ \ updated." type: "string" intgGuid: description: "The integration’s globally unique identifier." type: "string" state: description: "The integration’s real-time state, such as Pending, Success,\ \ or Error." type: "object" additionalProperties: true CloudAccounts_AwsUsGovCtSqs_Update_Schema: properties: name: title: "Name" type: "string" description: "When sending a request, use this attribute to specify an integration’\ s name. When included in a response, this attribute returns the specified\ \ integration’s name." pattern: "(?!^ +$)^.+$" minLength: 1 type: title: "Type" type: "string" description: "When sending a request, use this attribute to specify the\ \ type of integration, from the following options. When included in a\ \ response, this attribute returns the specified integration’s type." enum: - "AwsUsGovCtSqs" enabled: title: "Enabled" type: "number" description: "When sending a request, use this attribute to enable or disable\ \ an integration. When included in a response, returns `1` for an enabled\ \ integration or `0` for a disabled integration." minimum: 0 maximum: 1 example: 1 cloudId: title: "Cloud ID" type: "string" description: "The cloud account identifier." cloudIdType: title: "Cloud ID Type" type: "string" description: "The type of cloud account identifier." enum: - "AWS_ACCOUNT_ID" - "AZURE_TENANT_ID" - "GCP_PROJECT_ID" - "GCP_ORGANIZATION_ID" - "OCI_TENANT_ID" data: properties: accessKeyCredentials: properties: accountId: title: "Account ID" type: "string" description: "Your AWS account identifier or alias." pattern: "^\\d{12}$" accessKeyId: title: "Access Key ID" type: "string" description: "The AccessKeyId value from your AWS console." pattern: "(^|[^A-Z0-9])[A-Z0-9]{20}(?![A-Z0-9])" secretAccessKey: title: "Secret Access Key" type: "string" description: "The SecretAccessKey value from your AWS console." format: "password" pattern: "(^|[^A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])" type: "object" description: "The credentials of your AWS GovCloud account. AWS GovCloud\ \ (US-East and US-West) are isolated regions within AWS for customers\ \ to host sensitive data for supporting their regulated workflows." queueUrl: title: "SQSQueueURL" type: "string" description: "Your AWS account identifier or alias. This is the Account\ \ ID specified for the Cross-Account IAM role created as a preparatory\ \ task in [AWS Integration Prerequisites](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=onboardingAWSIntegrationPrerequisites)." pattern: "^((http[s]?|ftp):\\/)?\\/?([^:\\/\\s]+)((\\/\\w+)*\\/)([\\\ w\\-\\.]+[^#?\\s]+)(.*)?(#[\\w\\-]+)?$" type: "object" CloudAccounts_AzureAlSeq_Create_Schema: allOf: - $ref: "#/components/schemas/CloudAccounts_AzureAlSeq_Update_Schema" - type: "object" required: - "type" - "enabled" - "name" - "data" properties: data: properties: credentials: properties: clientId: title: "Client ID" type: "string" description: "The ApplicationId value from your Azure portal." minLength: 1 clientSecret: title: "Client Secret" type: "string" description: "Your Azure client secret." minLength: 1 type: "object" description: "Your Azure credentials." required: - "clientId" - "clientSecret" tenantId: title: "Tenant ID" type: "string" description: "The DirectoryId value from your Azure portal." minLength: 1 queueUrl: title: "Queue URL" type: "string" description: "The queue URL to access." pattern: "^https://[a-zA-Z0-9-]*.queue.core.windows.net/[a-zA-Z0-9-]*" required: - "tenantId" - "credentials" - "queueUrl" type: "object" CloudAccounts_AzureAlSeq_Response_Schema: allOf: - $ref: "#/components/schemas/CloudAccounts_AzureAlSeq_Create_Schema" - type: "object" properties: isOrg: title: "Is Org Integration" type: "number" description: "Returns `1` if the access token has organization admin permissions.\ \ Otherwise, returns `0`." default: 0 minimum: 0 maximum: 1 props: title: "Props" type: "object" description: "The integration's properties." createdOrUpdatedBy: description: "The user who created or who last updated the integration." type: "string" createdOrUpdatedTime: description: "The timestamp for when the integration was created or last\ \ updated." type: "string" intgGuid: description: "The integration’s globally unique identifier." type: "string" state: description: "The integration’s real-time state, such as Pending, Success,\ \ or Error." type: "object" additionalProperties: true CloudAccounts_AzureAlSeq_Update_Schema: properties: name: title: "Name" type: "string" description: "When sending a request, use this attribute to specify an integration’\ s name. When included in a response, this attribute returns the specified\ \ integration’s name." pattern: "(?!^ +$)^.+$" minLength: 1 type: title: "Type" type: "string" description: "When sending a request, use this attribute to specify the\ \ type of integration, from the following options. When included in a\ \ response, this attribute returns the specified integration’s type." enum: - "AzureAlSeq" enabled: title: "Enabled" type: "number" description: "When sending a request, use this attribute to enable or disable\ \ an integration. When included in a response, returns `1` for an enabled\ \ integration or `0` for a disabled integration." minimum: 0 maximum: 1 example: 1 cloudId: title: "Cloud ID" type: "string" description: "The cloud account identifier." cloudIdType: title: "Cloud ID Type" type: "string" description: "The type of cloud account identifier." enum: - "AWS_ACCOUNT_ID" - "AZURE_TENANT_ID" - "GCP_PROJECT_ID" - "GCP_ORGANIZATION_ID" - "OCI_TENANT_ID" data: properties: credentials: properties: clientId: title: "Client ID" type: "string" description: "The ApplicationId value from your Azure portal." minLength: 1 clientSecret: title: "Client Secret" type: "string" description: "Your Azure client secret." minLength: 1 type: "object" description: "Your Azure credentials." tenantId: title: "Tenant ID" type: "string" description: "The DirectoryId value from your Azure portal." minLength: 1 queueUrl: title: "Queue URL" type: "string" description: "The queue URL to access." pattern: "^https://[a-zA-Z0-9-]*.queue.core.windows.net/[a-zA-Z0-9-]*" type: "object" CloudAccounts_AzureCfg_Create_Schema: allOf: - $ref: "#/components/schemas/CloudAccounts_AzureCfg_Update_Schema" - type: "object" required: - "type" - "enabled" - "name" - "data" properties: data: properties: credentials: properties: clientId: title: "Client ID" type: "string" description: "The ApplicationId value from your Azure portal." minLength: 1 clientSecret: title: "Client Secret" type: "string" description: "Your Azure client secret." minLength: 1 type: "object" description: "Your Azure credentials." required: - "clientId" - "clientSecret" tenantId: title: "Tenant ID" type: "string" description: "The DirectoryId value from your Azure portal." minLength: 1 required: - "tenantId" - "credentials" type: "object" CloudAccounts_AzureCfg_Response_Schema: allOf: - $ref: "#/components/schemas/CloudAccounts_AzureCfg_Create_Schema" - type: "object" properties: isOrg: title: "Is Org Integration" type: "number" description: "Returns `1` if the access token has organization admin permissions.\ \ Otherwise, returns `0`." default: 0 minimum: 0 maximum: 1 props: title: "Props" type: "object" description: "The integration's properties." createdOrUpdatedBy: description: "The user who created or who last updated the integration." type: "string" createdOrUpdatedTime: description: "The timestamp for when the integration was created or last\ \ updated." type: "string" intgGuid: description: "The integration’s globally unique identifier." type: "string" state: description: "The integration’s real-time state, such as Pending, Success,\ \ or Error." type: "object" additionalProperties: true CloudAccounts_AzureCfg_Update_Schema: properties: name: title: "Name" type: "string" description: "When sending a request, use this attribute to specify an integration’\ s name. When included in a response, this attribute returns the specified\ \ integration’s name." pattern: "(?!^ +$)^.+$" minLength: 1 type: title: "Type" type: "string" description: "When sending a request, use this attribute to specify the\ \ type of integration, from the following options. When included in a\ \ response, this attribute returns the specified integration’s type." enum: - "AzureCfg" enabled: title: "Enabled" type: "number" description: "When sending a request, use this attribute to enable or disable\ \ an integration. When included in a response, returns `1` for an enabled\ \ integration or `0` for a disabled integration." minimum: 0 maximum: 1 example: 1 cloudId: title: "Cloud ID" type: "string" description: "The cloud account identifier." cloudIdType: title: "Cloud ID Type" type: "string" description: "The type of cloud account identifier." enum: - "AWS_ACCOUNT_ID" - "AZURE_TENANT_ID" - "GCP_PROJECT_ID" - "GCP_ORGANIZATION_ID" - "OCI_TENANT_ID" data: properties: credentials: properties: clientId: title: "Client ID" type: "string" description: "The ApplicationId value from your Azure portal." minLength: 1 clientSecret: title: "Client Secret" type: "string" description: "Your Azure client secret." minLength: 1 type: "object" description: "Your Azure credentials." tenantId: title: "Tenant ID" type: "string" description: "The DirectoryId value from your Azure portal." minLength: 1 type: "object" CloudAccounts_Create_Schema: oneOf: - $ref: "#/components/schemas/CloudAccounts_AwsCfg_Create_Schema" - $ref: "#/components/schemas/CloudAccounts_AwsCtSqs_Create_Schema" - $ref: "#/components/schemas/CloudAccounts_AwsEksAudit_Create_Schema" - $ref: "#/components/schemas/CloudAccounts_AwsUsGovCfg_Create_Schema" - $ref: "#/components/schemas/CloudAccounts_AwsUsGovCtSqs_Create_Schema" - $ref: "#/components/schemas/CloudAccounts_AzureAlSeq_Create_Schema" - $ref: "#/components/schemas/CloudAccounts_AzureCfg_Create_Schema" - $ref: "#/components/schemas/CloudAccounts_GcpAtSes_Create_Schema" - $ref: "#/components/schemas/CloudAccounts_GcpCfg_Create_Schema" - $ref: "#/components/schemas/CloudAccounts_GcpGkeAudit_Create_Schema" discriminator: propertyName: "type" mapping: AwsCfg: "#/components/schemas/CloudAccounts_AwsCfg_Create_Schema" AwsCtSqs: "#/components/schemas/CloudAccounts_AwsCtSqs_Create_Schema" AwsEksAudit: "#/components/schemas/CloudAccounts_AwsEksAudit_Create_Schema" AwsUsGovCfg: "#/components/schemas/CloudAccounts_AwsUsGovCfg_Create_Schema" AwsUsGovCtSqs: "#/components/schemas/CloudAccounts_AwsUsGovCtSqs_Create_Schema" AzureAlSeq: "#/components/schemas/CloudAccounts_AzureAlSeq_Create_Schema" AzureCfg: "#/components/schemas/CloudAccounts_AzureCfg_Create_Schema" GcpAtSes: "#/components/schemas/CloudAccounts_GcpAtSes_Create_Schema" GcpCfg: "#/components/schemas/CloudAccounts_GcpCfg_Create_Schema" GcpGkeAudit: "#/components/schemas/CloudAccounts_GcpGkeAudit_Create_Schema" CloudAccounts_GcpAlPubSub_Create_Schema: allOf: - $ref: "#/components/schemas/CloudAccounts_GcpAlPubSub_Update_Schema" - type: "object" required: - "type" - "enabled" - "name" - "data" properties: data: properties: credentials: properties: clientId: title: "Client ID" type: "string" description: "Your GCP client (application) identifier or alias." minLength: 1 privateKeyId: title: "Private Key ID" type: "string" description: "Your client private key identifier." minLength: 1 clientEmail: title: "Client Email" type: "string" description: "Your client email address." pattern: "^[\\w!#$%&’*+/=?`{|}~^-]+(?:\\.[\\w!#$%&’*+/=?`{|}~^-]+)*@(?:[a-zA-Z0-9-]+\\\ .)+[a-zA-Z]{2,6}$" minLength: 1 privateKey: title: "Private Key" description: "The secret key value for your client ID." type: "string" minLength: 1 type: "object" description: "Your GCP credentials." required: - "clientId" - "clientEmail" - "privateKeyId" idType: title: "Integration Level" type: "string" description: "The GCP integration level as either **Organization**\ \ or **Project**." enum: - "ORGANIZATION" - "PROJECT" id: title: "Org/Project ID" type: "string" description: "The organization or project identifier to associate\ \ with your integration." minLength: 1 subscriptionName: title: "Subscription Name" type: "string" description: "The pub/sub queue subscription name." minLength: 1 topicId: title: "Topic ID" type: "string" description: "The topic ID to use in this alert channel." minLength: 1 required: - "id" - "idType" - "credentials" - "subscriptionName" - "topicId" type: "object" CloudAccounts_GcpAlPubSub_Response_Schema: allOf: - $ref: "#/components/schemas/CloudAccounts_GcpAlPubSub_Create_Schema" - type: "object" properties: isOrg: title: "Is Org Integration" type: "number" description: "Returns `1` if the access token has organization admin permissions.\ \ Otherwise, returns `0`." default: 0 minimum: 0 maximum: 1 props: title: "Props" type: "object" description: "The integration's properties." createdOrUpdatedBy: description: "The user who created or who last updated the integration." type: "string" createdOrUpdatedTime: description: "The timestamp for when the integration was created or last\ \ updated." type: "string" intgGuid: description: "The integration’s globally unique identifier." type: "string" state: description: "The integration’s real-time state, such as Pending, Success,\ \ or Error." type: "object" additionalProperties: true CloudAccounts_GcpAlPubSub_Update_Schema: properties: name: title: "Name" type: "string" description: "When sending a request, use this attribute to specify an integration’\ s name. When included in a response, this attribute returns the specified\ \ integration’s name." pattern: "(?!^ +$)^.+$" minLength: 1 type: title: "Type" type: "string" description: "When sending a request, use this attribute to specify the\ \ type of integration, from the following options. When included in a\ \ response, this attribute returns the specified integration’s type." enum: - "GcpAlPubSub" enabled: title: "Enabled" type: "number" description: "When sending a request, use this attribute to enable or disable\ \ an integration. When included in a response, returns `1` for an enabled\ \ integration or `0` for a disabled integration." minimum: 0 maximum: 1 example: 1 data: properties: credentials: properties: clientId: title: "Client ID" type: "string" description: "Your GCP client (application) identifier or alias." minLength: 1 privateKeyId: title: "Private Key ID" type: "string" description: "Your client private key identifier." minLength: 1 clientEmail: title: "Client Email" type: "string" description: "Your client email address." pattern: "^[\\w!#$%&’*+/=?`{|}~^-]+(?:\\.[\\w!#$%&’*+/=?`{|}~^-]+)*@(?:[a-zA-Z0-9-]+\\\ .)+[a-zA-Z]{2,6}$" minLength: 1 privateKey: title: "Private Key" description: "The secret key value for your client ID." type: "string" minLength: 1 type: "object" description: "Your GCP credentials." idType: title: "Integration Level" type: "string" description: "The GCP integration level as either **Organization** or\ \ **Project**." enum: - "ORGANIZATION" - "PROJECT" id: title: "Org/Project ID" type: "string" description: "The organization or project identifier to associate with\ \ your integration." minLength: 1 subscriptionName: title: "Subscription Name" type: "string" description: "The pub/sub queue subscription name." minLength: 1 topicId: title: "Topic ID" type: "string" description: "The topic ID to use in this alert channel." minLength: 1 type: "object" CloudAccounts_GcpAtSes_Create_Schema: allOf: - $ref: "#/components/schemas/CloudAccounts_GcpAtSes_Update_Schema" - type: "object" required: - "type" - "enabled" - "name" - "data" properties: data: properties: credentials: properties: clientId: title: "Client ID" type: "string" description: "Your GCP client (application) identifier or alias." minLength: 1 privateKeyId: title: "Private Key ID" type: "string" description: "Your client private key identifier." minLength: 1 clientEmail: title: "Client Email" type: "string" description: "Your client email address." pattern: "^[\\w!#$%&’*+/=?`{|}~^-]+(?:\\.[\\w!#$%&’*+/=?`{|}~^-]+)*@(?:[a-zA-Z0-9-]+\\\ .)+[a-zA-Z]{2,6}$" minLength: 1 privateKey: title: "Private Key" description: "The secret key value for your client ID." type: "string" minLength: 1 type: "object" description: "Your GCP credentials." required: - "clientId" - "clientEmail" - "privateKeyId" idType: title: "Integration Level" type: "string" description: "The GCP integration level as either **Organization**\ \ or **Project**." enum: - "ORGANIZATION" - "PROJECT" id: title: "Org/Project ID" type: "string" description: "The organization or project identifier to associate\ \ with your integration." minLength: 1 subscriptionName: title: "Subscription Name" type: "string" description: "The pub/sub queue subscription name." minLength: 1 required: - "id" - "idType" - "credentials" - "subscriptionName" type: "object" CloudAccounts_GcpAtSes_Response_Schema: allOf: - $ref: "#/components/schemas/CloudAccounts_GcpAtSes_Create_Schema" - type: "object" properties: isOrg: title: "Is Org Integration" type: "number" description: "Returns `1` if the access token has organization admin permissions.\ \ Otherwise, returns `0`." default: 0 minimum: 0 maximum: 1 props: title: "Props" type: "object" description: "The integration's properties." createdOrUpdatedBy: description: "The user who created or who last updated the integration." type: "string" createdOrUpdatedTime: description: "The timestamp for when the integration was created or last\ \ updated." type: "string" intgGuid: description: "The integration’s globally unique identifier." type: "string" state: description: "The integration’s real-time state, such as Pending, Success,\ \ or Error." type: "object" additionalProperties: true CloudAccounts_GcpAtSes_Update_Schema: properties: name: title: "Name" type: "string" description: "When sending a request, use this attribute to specify an integration’\ s name. When included in a response, this attribute returns the specified\ \ integration’s name." pattern: "(?!^ +$)^.+$" minLength: 1 type: title: "Type" type: "string" description: "When sending a request, use this attribute to specify the\ \ type of integration, from the following options. When included in a\ \ response, this attribute returns the specified integration’s type." enum: - "GcpAtSes" enabled: title: "Enabled" type: "number" description: "When sending a request, use this attribute to enable or disable\ \ an integration. When included in a response, returns `1` for an enabled\ \ integration or `0` for a disabled integration." minimum: 0 maximum: 1 example: 1 cloudId: title: "Cloud ID" type: "string" description: "The cloud account identifier." cloudIdType: title: "Cloud ID Type" type: "string" description: "The type of cloud account identifier." enum: - "AWS_ACCOUNT_ID" - "AZURE_TENANT_ID" - "GCP_PROJECT_ID" - "GCP_ORGANIZATION_ID" - "OCI_TENANT_ID" data: properties: credentials: properties: clientId: title: "Client ID" type: "string" description: "Your GCP client (application) identifier or alias." minLength: 1 privateKeyId: title: "Private Key ID" type: "string" description: "Your client private key identifier." minLength: 1 clientEmail: title: "Client Email" type: "string" description: "Your client email address." pattern: "^[\\w!#$%&’*+/=?`{|}~^-]+(?:\\.[\\w!#$%&’*+/=?`{|}~^-]+)*@(?:[a-zA-Z0-9-]+\\\ .)+[a-zA-Z]{2,6}$" minLength: 1 privateKey: title: "Private Key" description: "The secret key value for your client ID." type: "string" minLength: 1 type: "object" description: "Your GCP credentials." idType: title: "Integration Level" type: "string" description: "The GCP integration level as either **Organization** or\ \ **Project**." enum: - "ORGANIZATION" - "PROJECT" id: title: "Org/Project ID" type: "string" description: "The organization or project identifier to associate with\ \ your integration." minLength: 1 subscriptionName: title: "Subscription Name" type: "string" description: "The pub/sub queue subscription name." minLength: 1 type: "object" CloudAccounts_GcpCfg_Create_Schema: allOf: - $ref: "#/components/schemas/CloudAccounts_GcpCfg_Update_Schema" - type: "object" required: - "type" - "enabled" - "name" - "data" properties: data: properties: credentials: properties: clientId: title: "Client ID" type: "string" description: "Your GCP client (application) identifier or alias." minLength: 1 privateKeyId: title: "Private Key ID" type: "string" description: "Your client private key identifier.\n" minLength: 1 clientEmail: title: "Client Email" type: "string" description: "Your client email address." pattern: "^[\\w!#$%&’*+/=?`{|}~^-]+(?:\\.[\\w!#$%&’*+/=?`{|}~^-]+)*@(?:[a-zA-Z0-9-]+\\\ .)+[a-zA-Z]{2,6}$" minLength: 1 privateKey: title: "Private Key" type: "string" description: "The secret key value for your client ID." minLength: 1 type: "object" description: "Your GCP credentials." required: - "clientId" - "clientEmail" - "privateKeyId" - "privateKey" idType: title: "Integration Level" type: "string" description: "The GCP integration level as either `Organization` or\ \ `Project`" enum: - "ORGANIZATION" - "PROJECT" id: title: "Org/Project ID" type: "string" description: "The organization or project identifier to associate\ \ with your integration." minLength: 1 required: - "id" - "idType" - "credentials" type: "object" CloudAccounts_GcpCfg_Response_Schema: allOf: - $ref: "#/components/schemas/CloudAccounts_GcpCfg_Create_Schema" - type: "object" properties: isOrg: title: "Is Org Integration" type: "number" description: "Returns `1` if the access token has organization admin permissions.\ \ Otherwise, returns `0`." default: 0 minimum: 0 maximum: 1 props: title: "Props" type: "object" description: "The integration's properties." createdOrUpdatedBy: description: "The user who created or who last updated the integration." type: "string" createdOrUpdatedTime: description: "The timestamp for when the integration was created or last\ \ updated." type: "string" intgGuid: description: "The integration’s globally unique identifier." type: "string" state: description: "The integration’s real-time state, such as Pending, Success,\ \ or Error." type: "object" additionalProperties: true CloudAccounts_GcpCfg_Update_Schema: properties: name: title: "Name" type: "string" description: "When sending a request, use this attribute to specify an integration’\ s name. When included in a response, this attribute returns the specified\ \ integration’s name." pattern: "(?!^ +$)^.+$" minLength: 1 type: title: "Type" type: "string" description: "When sending a request, use this attribute to specify the\ \ type of integration, from the following options. When included in a\ \ response, this attribute returns the specified integration’s type." enum: - "GcpCfg" enabled: title: "Enabled" type: "number" description: "When sending a request, use this attribute to enable or disable\ \ an integration. When included in a response, returns `1` for an enabled\ \ integration or `0` for a disabled integration." minimum: 0 maximum: 1 example: 1 cloudId: title: "Cloud ID" type: "string" description: "The cloud account identifier." cloudIdType: title: "Cloud ID Type" type: "string" description: "The type of cloud account identifier." enum: - "AWS_ACCOUNT_ID" - "AZURE_TENANT_ID" - "GCP_PROJECT_ID" - "GCP_ORGANIZATION_ID" - "OCI_TENANT_ID" data: properties: credentials: properties: clientId: title: "Client ID" type: "string" description: "Your GCP client (application) identifier or alias." minLength: 1 privateKeyId: title: "Private Key ID" type: "string" description: "Your client private key identifier.\n" minLength: 1 clientEmail: title: "Client Email" type: "string" description: "Your client email address." pattern: "^[\\w!#$%&’*+/=?`{|}~^-]+(?:\\.[\\w!#$%&’*+/=?`{|}~^-]+)*@(?:[a-zA-Z0-9-]+\\\ .)+[a-zA-Z]{2,6}$" minLength: 1 privateKey: title: "Private Key" type: "string" description: "The secret key value for your client ID." minLength: 1 type: "object" description: "Your GCP credentials." idType: title: "Integration Level" type: "string" description: "The GCP integration level as either `Organization` or\ \ `Project`" enum: - "ORGANIZATION" - "PROJECT" id: title: "Org/Project ID" type: "string" description: "The organization or project identifier to associate with\ \ your integration." minLength: 1 type: "object" CloudAccounts_GcpGkeAudit_Create_Schema: allOf: - $ref: "#/components/schemas/CloudAccounts_GcpGkeAudit_Update_Schema" - type: "object" required: - "type" - "enabled" - "name" - "data" properties: data: properties: credentials: properties: clientId: title: "Client ID" type: "string" minLength: 1 privateKeyId: title: "Private Key ID" type: "string" minLength: 1 clientEmail: title: "Client Email" type: "string" pattern: "^[\\w!#$%&’*+/=?`{|}~^-]+(?:\\.[\\w!#$%&’*+/=?`{|}~^-]+)*@(?:[a-zA-Z0-9-]+\\\ .)+[a-zA-Z]{2,6}$" minLength: 1 privateKey: title: "Private Key" type: "string" minLength: 1 type: "object" required: - "clientId" - "clientEmail" - "privateKeyId" integrationType: title: "Integration Level" type: "string" enum: - "ORGANIZATION" - "PROJECT" projectId: title: "Project ID" type: "string" minLength: 1 organizationId: title: "Organization ID" type: "string" subscriptionName: title: "Subscription Name" type: "string" minLength: 1 required: - "integrationType" - "credentials" - "projectId" - "subscriptionName" type: "object" CloudAccounts_GcpGkeAudit_Response_Schema: allOf: - $ref: "#/components/schemas/CloudAccounts_GcpGkeAudit_Create_Schema" - type: "object" properties: isOrg: title: "Is Org Integration" type: "number" description: "Returns `1` if the access token has organization admin permissions.\ \ Otherwise, returns `0`." default: 0 minimum: 0 maximum: 1 props: title: "Props" type: "object" description: "The integration's properties." createdOrUpdatedBy: description: "The user who created or who last updated the integration." type: "string" createdOrUpdatedTime: description: "The timestamp for when the integration was created or last\ \ updated." type: "string" intgGuid: description: "The integration’s globally unique identifier." type: "string" state: description: "The integration’s real-time state, such as Pending, Success,\ \ or Error." type: "object" additionalProperties: true CloudAccounts_GcpGkeAudit_Update_Schema: properties: name: title: "Name" type: "string" description: "When sending a request, use this attribute to specify an integration’\ s name. When included in a response, this attribute returns the specified\ \ integration’s name." pattern: "(?!^ +$)^.+$" minLength: 1 type: title: "Type" type: "string" description: "When sending a request, use this attribute to specify the\ \ type of integration, from the following options. When included in a\ \ response, this attribute returns the specified integration’s type." enum: - "GcpGkeAudit" enabled: title: "Enabled" type: "number" description: "When sending a request, use this attribute to enable or disable\ \ an integration. When included in a response, returns `1` for an enabled\ \ integration or `0` for a disabled integration." minimum: 0 maximum: 1 example: 1 cloudId: title: "Cloud ID" type: "string" description: "The cloud account identifier." cloudIdType: title: "Cloud ID Type" type: "string" description: "The type of cloud account identifier." enum: - "AWS_ACCOUNT_ID" - "AZURE_TENANT_ID" - "GCP_PROJECT_ID" - "GCP_ORGANIZATION_ID" - "OCI_TENANT_ID" data: properties: credentials: properties: clientId: title: "Client ID" type: "string" minLength: 1 privateKeyId: title: "Private Key ID" type: "string" minLength: 1 clientEmail: title: "Client Email" type: "string" pattern: "^[\\w!#$%&’*+/=?`{|}~^-]+(?:\\.[\\w!#$%&’*+/=?`{|}~^-]+)*@(?:[a-zA-Z0-9-]+\\\ .)+[a-zA-Z]{2,6}$" minLength: 1 privateKey: title: "Private Key" type: "string" minLength: 1 type: "object" integrationType: title: "Integration Level" type: "string" enum: - "ORGANIZATION" - "PROJECT" projectId: title: "Project ID" type: "string" minLength: 1 organizationId: title: "Organization ID" type: "string" subscriptionName: title: "Subscription Name" type: "string" minLength: 1 type: "object" CloudAccounts_Response_Schema: oneOf: - $ref: "#/components/schemas/CloudAccounts_AwsCfg_Response_Schema" - $ref: "#/components/schemas/CloudAccounts_AwsCtSqs_Response_Schema" - $ref: "#/components/schemas/CloudAccounts_AwsEksAudit_Response_Schema" - $ref: "#/components/schemas/CloudAccounts_AwsUsGovCfg_Response_Schema" - $ref: "#/components/schemas/CloudAccounts_AwsUsGovCtSqs_Response_Schema" - $ref: "#/components/schemas/CloudAccounts_AzureAlSeq_Response_Schema" - $ref: "#/components/schemas/CloudAccounts_AzureCfg_Response_Schema" - $ref: "#/components/schemas/CloudAccounts_GcpAtSes_Response_Schema" - $ref: "#/components/schemas/CloudAccounts_GcpCfg_Response_Schema" - $ref: "#/components/schemas/CloudAccounts_GcpGkeAudit_Response_Schema" discriminator: propertyName: "type" mapping: AwsCfg: "#/components/schemas/CloudAccounts_AwsCfg_Response_Schema" AwsCtSqs: "#/components/schemas/CloudAccounts_AwsCtSqs_Response_Schema" AwsEksAudit: "#/components/schemas/CloudAccounts_AwsEksAudit_Response_Schema" AwsUsGovCfg: "#/components/schemas/CloudAccounts_AwsUsGovCfg_Response_Schema" AwsUsGovCtSqs: "#/components/schemas/CloudAccounts_AwsUsGovCtSqs_Response_Schema" AzureAlSeq: "#/components/schemas/CloudAccounts_AzureAlSeq_Response_Schema" AzureCfg: "#/components/schemas/CloudAccounts_AzureCfg_Response_Schema" GcpAtSes: "#/components/schemas/CloudAccounts_GcpAtSes_Response_Schema" GcpCfg: "#/components/schemas/CloudAccounts_GcpCfg_Response_Schema" GcpGkeAudit: "#/components/schemas/CloudAccounts_GcpGkeAudit_Response_Schema" CloudAccounts_Update_Schema: oneOf: - $ref: "#/components/schemas/CloudAccounts_AwsCfg_Update_Schema" - $ref: "#/components/schemas/CloudAccounts_AwsCtSqs_Update_Schema" - $ref: "#/components/schemas/CloudAccounts_AwsEksAudit_Update_Schema" - $ref: "#/components/schemas/CloudAccounts_AwsUsGovCfg_Update_Schema" - $ref: "#/components/schemas/CloudAccounts_AwsUsGovCtSqs_Update_Schema" - $ref: "#/components/schemas/CloudAccounts_AzureAlSeq_Update_Schema" - $ref: "#/components/schemas/CloudAccounts_AzureCfg_Update_Schema" - $ref: "#/components/schemas/CloudAccounts_GcpAtSes_Update_Schema" - $ref: "#/components/schemas/CloudAccounts_GcpCfg_Update_Schema" - $ref: "#/components/schemas/CloudAccounts_GcpGkeAudit_Update_Schema" discriminator: propertyName: "type" mapping: AwsCfg: "#/components/schemas/CloudAccounts_AwsCfg_Update_Schema" AwsCtSqs: "#/components/schemas/CloudAccounts_AwsCtSqs_Update_Schema" AwsEksAudit: "#/components/schemas/CloudAccounts_AwsEksAudit_Update_Schema" AwsUsGovCfg: "#/components/schemas/CloudAccounts_AwsUsGovCfg_Update_Schema" AwsUsGovCtSqs: "#/components/schemas/CloudAccounts_AwsUsGovCtSqs_Update_Schema" AzureAlSeq: "#/components/schemas/CloudAccounts_AzureAlSeq_Update_Schema" AzureCfg: "#/components/schemas/CloudAccounts_AzureCfg_Update_Schema" GcpAtSes: "#/components/schemas/CloudAccounts_GcpAtSes_Update_Schema" GcpCfg: "#/components/schemas/CloudAccounts_GcpCfg_Update_Schema" GcpGkeAudit: "#/components/schemas/CloudAccounts_GcpGkeAudit_Update_Schema" CloudActivities: properties: startTime: type: "integer" endTime: type: "integer" eventType: type: "string" eventId: type: "number" eventModel: type: "string" eventActor: type: "string" entityMap: type: "object" CloudActivities_Response_Schema: properties: startTime: type: "string" endTime: type: "string" eventType: type: "string" eventId: type: "number" eventModel: type: "string" eventActor: type: "string" entityMap: type: "object" additionalProperties: true Configs_AzureSubscriptions_Response_Schema: properties: tenant: description: "The Azure tenant." type: "string" subscriptions: description: "The Azure subscriptions." type: "array" items: type: "string" additionalProperties: true Configs_ComplianceEvaluations_Response_Schema: properties: account: type: "object" evalType: type: "string" id: type: "string" reason: type: "string" recommendation: type: "string" region: type: "string" reportTime: type: "string" resource: type: "string" section: type: "string" deprecated: true severity: type: "string" status: type: "string" additionalProperties: true Configs_GcpProjects_Response_Schema: properties: organization: description: "The GCP organization." type: "string" projects: description: "The GCP projects." type: "array" items: type: "string" additionalProperties: true ContainerRegistriesSubtype: oneOf: - type: "string" enum: - "AWS_ECR" - "DOCKERHUB" - "GCP_GCR" - "GHCR" - "INLINE_SCANNER" - "PROXY_SCANNER" - "V2_REGISTRY" title: "ContVulnCfg" ContainerRegistries_ContVulnCfg_Create_Schema: required: - "type" - "enabled" - "name" - "data" properties: name: title: "Name" type: "string" description: "When sending a request, use this attribute to specify an integration’\ s name. When included in a response, this attribute returns the specified\ \ integration’s name." pattern: "(?!^ +$)^.+$" minLength: 1 type: title: "Type" type: "string" description: "When sending a request, use this attribute to specify the\ \ type of integration, from the following options. When included in a\ \ response, this attribute returns the specified integration’s type." enum: - "ContVulnCfg" enabled: title: "Enabled" type: "number" description: "When sending a request, use this attribute to enable or disable\ \ an integration. When included in a response, returns `1` for an enabled\ \ integration or `0` for a disabled integration." minimum: 0 maximum: 1 example: 1 cloudId: title: "Cloud ID" type: "string" description: "The cloud account identifier." cloudIdType: title: "Cloud ID Type" type: "string" description: "The type of cloud account identifier." enum: - "AWS_ACCOUNT_ID" - "AZURE_TENANT_ID" - "GCP_PROJECT_ID" - "GCP_ORGANIZATION_ID" - "OCI_TENANT_ID" data: type: "object" oneOf: - $ref: "#/components/schemas/ContainerRegistries_ContVulnCfg_data_AWS_ECR_Create_Schema" - $ref: "#/components/schemas/ContainerRegistries_ContVulnCfg_data_AWS_ECR-AWS_ACCESS_KEY_Create_Schema" - $ref: "#/components/schemas/ContainerRegistries_ContVulnCfg_data_DOCKERHUB_Create_Schema" - $ref: "#/components/schemas/ContainerRegistries_ContVulnCfg_data_GCP_GCR_Create_Schema" - $ref: "#/components/schemas/ContainerRegistries_ContVulnCfg_data_GCP_GAR_Create_Schema" - $ref: "#/components/schemas/ContainerRegistries_ContVulnCfg_data_V2_REGISTRY_Create_Schema" - $ref: "#/components/schemas/ContainerRegistries_ContVulnCfg_data_INLINE_SCANNER_Create_Schema" - $ref: "#/components/schemas/ContainerRegistries_ContVulnCfg_data_GHCR_Create_Schema" - $ref: "#/components/schemas/ContainerRegistries_ContVulnCfg_data_PROXY_SCANNER_Create_Schema" discriminator: propertyName: "registryType" mapping: AWS_ECR: "#/components/schemas/ContainerRegistries_ContVulnCfg_data_AWS_ECR_Create_Schema" AWS_ECR-AWS_ACCESS_KEY: "#/components/schemas/ContainerRegistries_ContVulnCfg_data_AWS_ECR-AWS_ACCESS_KEY_Create_Schema" DOCKERHUB: "#/components/schemas/ContainerRegistries_ContVulnCfg_data_DOCKERHUB_Create_Schema" GCP_GCR: "#/components/schemas/ContainerRegistries_ContVulnCfg_data_GCP_GCR_Create_Schema" GCP_GAR: "#/components/schemas/ContainerRegistries_ContVulnCfg_data_GCP_GAR_Create_Schema" V2_REGISTRY: "#/components/schemas/ContainerRegistries_ContVulnCfg_data_V2_REGISTRY_Create_Schema" INLINE_SCANNER: "#/components/schemas/ContainerRegistries_ContVulnCfg_data_INLINE_SCANNER_Create_Schema" GHCR: "#/components/schemas/ContainerRegistries_ContVulnCfg_data_GHCR_Create_Schema" PROXY_SCANNER: "#/components/schemas/ContainerRegistries_ContVulnCfg_data_PROXY_SCANNER_Create_Schema" ContainerRegistries_ContVulnCfg_Response_Schema: allOf: - $ref: "#/components/schemas/ContainerRegistries_ContVulnCfg_Create_Schema" - type: "object" properties: isOrg: title: "Is Org Integration" type: "number" description: "Returns `1` if the access token has organization admin permissions.\ \ Otherwise, returns `0`." default: 0 minimum: 0 maximum: 1 props: title: "Props" type: "object" description: "The integration's properties." createdOrUpdatedBy: description: "The user who created or who last updated the integration." type: "string" createdOrUpdatedTime: description: "The timestamp for when the integration was created or last\ \ updated." type: "string" intgGuid: description: "The integration’s globally unique identifier." type: "string" state: description: "The integration’s real-time state, such as Pending, Success,\ \ or Error." type: "object" additionalProperties: true ContainerRegistries_ContVulnCfg_Update_Schema: properties: name: title: "Name" type: "string" description: "When sending a request, use this attribute to specify an integration’\ s name. When included in a response, this attribute returns the specified\ \ integration’s name." pattern: "(?!^ +$)^.+$" minLength: 1 type: title: "Type" type: "string" description: "When sending a request, use this attribute to specify the\ \ type of integration, from the following options. When included in a\ \ response, this attribute returns the specified integration’s type." enum: - "ContVulnCfg" enabled: title: "Enabled" type: "number" description: "When sending a request, use this attribute to enable or disable\ \ an integration. When included in a response, returns `1` for an enabled\ \ integration or `0` for a disabled integration." minimum: 0 maximum: 1 example: 1 cloudId: title: "Cloud ID" type: "string" description: "The cloud account identifier." cloudIdType: title: "Cloud ID Type" type: "string" description: "The type of cloud account identifier." enum: - "AWS_ACCOUNT_ID" - "AZURE_TENANT_ID" - "GCP_PROJECT_ID" - "GCP_ORGANIZATION_ID" - "OCI_TENANT_ID" data: type: "object" oneOf: - $ref: "#/components/schemas/ContainerRegistries_ContVulnCfg_data_AWS_ECR_Update_Schema" - $ref: "#/components/schemas/ContainerRegistries_ContVulnCfg_data_AWS_ECR-AWS_ACCESS_KEY_Update_Schema" - $ref: "#/components/schemas/ContainerRegistries_ContVulnCfg_data_DOCKERHUB_Update_Schema" - $ref: "#/components/schemas/ContainerRegistries_ContVulnCfg_data_GCP_GCR_Update_Schema" - $ref: "#/components/schemas/ContainerRegistries_ContVulnCfg_data_GCP_GAR_Update_Schema" - $ref: "#/components/schemas/ContainerRegistries_ContVulnCfg_data_V2_REGISTRY_Update_Schema" - $ref: "#/components/schemas/ContainerRegistries_ContVulnCfg_data_INLINE_SCANNER_Update_Schema" - $ref: "#/components/schemas/ContainerRegistries_ContVulnCfg_data_GHCR_Update_Schema" - $ref: "#/components/schemas/ContainerRegistries_ContVulnCfg_data_PROXY_SCANNER_Update_Schema" discriminator: propertyName: "registryType" mapping: AWS_ECR: "#/components/schemas/ContainerRegistries_ContVulnCfg_data_AWS_ECR_Update_Schema" AWS_ECR-AWS_ACCESS_KEY: "#/components/schemas/ContainerRegistries_ContVulnCfg_data_AWS_ECR-AWS_ACCESS_KEY_Update_Schema" DOCKERHUB: "#/components/schemas/ContainerRegistries_ContVulnCfg_data_DOCKERHUB_Update_Schema" GCP_GCR: "#/components/schemas/ContainerRegistries_ContVulnCfg_data_GCP_GCR_Update_Schema" GCP_GAR: "#/components/schemas/ContainerRegistries_ContVulnCfg_data_GCP_GAR_Update_Schema" V2_REGISTRY: "#/components/schemas/ContainerRegistries_ContVulnCfg_data_V2_REGISTRY_Update_Schema" INLINE_SCANNER: "#/components/schemas/ContainerRegistries_ContVulnCfg_data_INLINE_SCANNER_Update_Schema" GHCR: "#/components/schemas/ContainerRegistries_ContVulnCfg_data_GHCR_Update_Schema" PROXY_SCANNER: "#/components/schemas/ContainerRegistries_ContVulnCfg_data_PROXY_SCANNER_Update_Schema" ContainerRegistries_ContVulnCfg_data_AWS_ECR-AWS_ACCESS_KEY_Create_Schema: properties: accessKeyCredentials: type: "object" properties: accessKeyId: title: "Access Key ID" type: "string" description: "The AccessKeyId value from your AWS console." pattern: "(^|[^A-Z0-9])[A-Z0-9]{20}(?![A-Z0-9])" secretAccessKey: title: "Secret Access Key" type: "string" description: "The SecretAccessKey value from your AWS console." pattern: "(^|[^A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])" format: "password" required: - "accessKeyId" - "secretAccessKey" description: "Your AWS account's credentials." awsAuthType: title: "Authentication Type" type: "string" enum: - "AWS_ACCESS_KEY" default: "AWS_ACCESS_KEY" registryType: title: "Registry Type" type: "string" enum: - "AWS_ECR" default: "AWS_ECR" description: "The container registry's type." registryDomain: title: "Registry Domain" type: "string" description: "The URL of your registry in the following format: `YourAWSAccount.dkr.ecr.YourRegion.amazonaws.com`,\ \ where **YourAWSAcount** is the AWS account number for the AWS IAM user\ \ that has a role with permissions to access the ECR and **YourRegion**\ \ is your AWS region such as us-west-2. **Note**: Do not prefix the URL\ \ with `https://`." pattern: "^(https://)?(http://)?(.*)(.dkr\\.ecr.)(.*)(.amazonaws.com)$" limitNumImg: title: "Limit Number of Images per Repo" description: "When sending a request, if you do not want to assess all images\ \ in this registry, specify the maximum number of newest container images\ \ to discover/assess per repository. The default value is `5`. When included\ \ in a response, returns the number of newest container images to discover/assess\ \ per repository." type: "number" default: 5 enum: - 5 - 10 - 15 limitByRep: title: "Limit by Repository (optional)" description: "When sending a request, if you do not want to discover/assess\ \ all repositories in this registry, specify a comma-separated list of\ \ repositories to discover/assess (without spaces recommended). To change\ \ which repositories you want to assess, update this field so the change\ \ is captured during the next polling period. When included in a response,\ \ returns a list of repositories to discover/assess." default: [] type: "array" items: type: "string" nonOsPackageEval: description: "This feature is enabled by default. When sending a request,\ \ set to `False` if you want to disable scanning of [language libraries](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=CONTAINER_IMAGE_SUPPORT).\ \ When included in a response, returns `True` if the scanning of language\ \ libraries is enabled, or returns `False` if the scanning of language\ \ libraries is disabled." type: "boolean" default: true limitByTag: title: "Limit by Tag(s) (optional)" description: "When sending a request, if you do not want to assess all images\ \ in this registry, specify text from an image tag so that only images\ \ with matching tag text will be assessed. To change which images you\ \ want to assess, update this field so the change is captured during the\ \ next polling period. You can input multiple tags. If you specify tag\ \ and label limits, they function as an AND. When included in a response,\ \ returns a list of texts that will be used to assess images." default: [] type: "array" items: type: "string" pattern: "^[\\w.\\-]*[*]?[\\w.\\-]{0,127}$" baseImageRepo: title: "Add base image repositories (optional)" description: "If you have base images that you want to discover/assess,\ \ add a comma-separated list with base image repositories" default: [] type: "array" items: type: "string" limitByLabel: title: "Limit by Label(s) (optional)" description: "When sending a request, if you do not want to assess all images\ \ in this registry, specify `key:value` pairs so that only images with\ \ matching label `key:value` pairs will be assessed. To change which images\ \ you want to assess, update this field so the change is captured during\ \ the next polling period. Supported field input: `key:value`. If you\ \ specify tag and label limits, they function as an AND. When included\ \ in a response, returns a list of labels that will be used to assess\ \ images." default: [] type: "array" items: type: "object" example: - key1: "value1" - key2: "value2" required: - "awsAuthType" - "accessKeyCredentials" - "registryType" - "registryDomain" title: "AWS ECR - AWS Key ID Access Key" type: "object" ContainerRegistries_ContVulnCfg_data_AWS_ECR-AWS_ACCESS_KEY_Update_Schema: properties: accessKeyCredentials: type: "object" properties: accessKeyId: title: "Access Key ID" type: "string" description: "The AccessKeyId value from your AWS console." pattern: "(^|[^A-Z0-9])[A-Z0-9]{20}(?![A-Z0-9])" secretAccessKey: title: "Secret Access Key" type: "string" description: "The SecretAccessKey value from your AWS console." pattern: "(^|[^A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])" format: "password" description: "Your AWS account's credentials." awsAuthType: title: "Authentication Type" type: "string" enum: - "AWS_ACCESS_KEY" default: "AWS_ACCESS_KEY" registryType: title: "Registry Type" type: "string" enum: - "AWS_ECR" default: "AWS_ECR" description: "The container registry's type." registryDomain: title: "Registry Domain" type: "string" description: "The URL of your registry in the following format: `YourAWSAccount.dkr.ecr.YourRegion.amazonaws.com`,\ \ where **YourAWSAcount** is the AWS account number for the AWS IAM user\ \ that has a role with permissions to access the ECR and **YourRegion**\ \ is your AWS region such as us-west-2. **Note**: Do not prefix the URL\ \ with `https://`." pattern: "^(https://)?(http://)?(.*)(.dkr\\.ecr.)(.*)(.amazonaws.com)$" limitNumImg: title: "Limit Number of Images per Repo" description: "When sending a request, if you do not want to assess all images\ \ in this registry, specify the maximum number of newest container images\ \ to discover/assess per repository. The default value is `5`. When included\ \ in a response, returns the number of newest container images to discover/assess\ \ per repository." type: "number" default: 5 enum: - 5 - 10 - 15 limitByRep: title: "Limit by Repository (optional)" description: "When sending a request, if you do not want to discover/assess\ \ all repositories in this registry, specify a comma-separated list of\ \ repositories to discover/assess (without spaces recommended). To change\ \ which repositories you want to assess, update this field so the change\ \ is captured during the next polling period. When included in a response,\ \ returns a list of repositories to discover/assess." default: [] type: "array" items: type: "string" nonOsPackageEval: description: "This feature is enabled by default. When sending a request,\ \ set to `False` if you want to disable scanning of [language libraries](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=CONTAINER_IMAGE_SUPPORT).\ \ When included in a response, returns `True` if the scanning of language\ \ libraries is enabled, or returns `False` if the scanning of language\ \ libraries is disabled." type: "boolean" default: true limitByTag: title: "Limit by Tag(s) (optional)" description: "When sending a request, if you do not want to assess all images\ \ in this registry, specify text from an image tag so that only images\ \ with matching tag text will be assessed. To change which images you\ \ want to assess, update this field so the change is captured during the\ \ next polling period. You can input multiple tags. If you specify tag\ \ and label limits, they function as an AND. When included in a response,\ \ returns a list of texts that will be used to assess images." default: [] type: "array" items: type: "string" pattern: "^[\\w.\\-]*[*]?[\\w.\\-]{0,127}$" baseImageRepo: title: "Add base image repositories (optional)" description: "If you have base images that you want to discover/assess,\ \ add a comma-separated list with base image repositories" default: [] type: "array" items: type: "string" limitByLabel: title: "Limit by Label(s) (optional)" description: "When sending a request, if you do not want to assess all images\ \ in this registry, specify `key:value` pairs so that only images with\ \ matching label `key:value` pairs will be assessed. To change which images\ \ you want to assess, update this field so the change is captured during\ \ the next polling period. Supported field input: `key:value`. If you\ \ specify tag and label limits, they function as an AND. When included\ \ in a response, returns a list of labels that will be used to assess\ \ images." default: [] type: "array" items: type: "object" example: - key1: "value1" - key2: "value2" title: "AWS ECR - AWS Key ID Access Key" type: "object" ContainerRegistries_ContVulnCfg_data_AWS_ECR_Create_Schema: properties: crossAccountCredentials: properties: externalId: title: "External ID" type: "string" description: "The AWS external ID that is associated with the cross-account\ \ role that Lacework uses to access your AWS resource. This is the\ \ External ID specified for the Cross-Account IAM role in your preparatory\ \ integration of AWS described in [AWS Integration Prerequisites](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=onboardingAWSIntegrationPrerequisites)." minLength: 1 roleArn: title: "Role ARN" type: "string" description: "The ARN of the cross-account role that Lacework uses to\ \ access your AWS resources. This is the ARN specified for the Cross-Account\ \ IAM role in your preparatory integration of AWS described in [AWS\ \ Integration Prerequisites](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=onboardingAWSIntegrationPrerequisites)." pattern: "^arn:aws(-[a-zA-Z]+)?:iam:([a-zA-Z0-9-_]+)?:([0-9]{12}):([a-zA-Z0-9_-]+)([/:][a-zA-Z0-9_-]+)*$" description: "Details of the cross-account role that Lacework uses to access\ \ your AWS resource." required: - "externalId" - "roleArn" type: "object" awsAuthType: title: "Authentication Type" type: "string" description: "Your AWS authentication type. The default value is `AWS_IAM`." enum: - "AWS_IAM" default: "AWS_IAM" registryType: title: "Registry Type" type: "string" description: "The container registry's type." enum: - "AWS_ECR" default: "AWS_ECR" registryDomain: title: "Registry Domain" type: "string" description: "The URL of your registry in the following format: `YourAWSAccount.dkr.ecr.YourRegion.amazonaws.com`,\ \ where `YourAWSAcount` is the AWS account number for the AWS IAM user\ \ that has a role with permissions to access the ECR and `YourRegion`\ \ is your AWS region such as us-west-2. **Note**: Do not prefix the URL\ \ with `https://`." pattern: "^(https://)?(http://)?(.*)(.dkr\\.ecr.)(.*)(.amazonaws.com)$" limitNumImg: title: "Limit Number of Images per Repo" type: "number" description: "When sending a request, if you do not want to assess all images\ \ in this registry, specify the maximum number of newest container images\ \ to discover/assess per repository. The default value is `5`. When included\ \ in a response, returns the number of newest container images to discover/assess\ \ per repository." default: 5 enum: - 5 - 10 - 15 limitByRep: title: "Limit by Repository (optional)" description: "When sending a request, if you do not want to discover/assess\ \ all repositories in this registry, specify a comma-separated list of\ \ repositories to discover/assess (without spaces recommended). To change\ \ which repositories you want to assess, update this field so the change\ \ is captured during the next polling period. When included in a response,\ \ returns a list of repositories to discover/assess." default: [] type: "array" items: type: "string" baseImageRepo: title: "Add base image repositories (optional)" description: "If you have base images that you want to discover/assess,\ \ add a comma-separated list with base image repositories" default: [] type: "array" items: type: "string" nonOsPackageEval: description: "This feature is enabled by default. When sending a request,\ \ set to `False` if you want to disable scanning of [language libraries](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=CONTAINER_IMAGE_SUPPORT).\ \ When included in a response, returns `True` if the scanning of language\ \ libraries is enabled, or returns `False` if the scanning of language\ \ libraries is disabled." type: "boolean" default: true limitByTag: title: "Limit by Tag(s) (optional)" description: "When sending a request, if you do not want to assess all images\ \ in this registry, specify text from an image tag so that only images\ \ with matching tag text will be assessed. To change which images you\ \ want to assess, update this field so the change is captured during the\ \ next polling period. You can input multiple tags. If you specify tag\ \ and label limits, they function as an AND. When included in a response,\ \ returns a list of texts that will be used to assess images." default: [] type: "array" items: type: "string" pattern: "^[\\w.\\-]*[*]?[\\w.\\-]{0,127}$" limitByLabel: title: "Limit by Label(s) (optional)" description: "When sending a request, if you do not want to assess all images\ \ in this registry, specify `key:value` pairs so that only images with\ \ matching label `key:value` pairs will be assessed. To change which images\ \ you want to assess, update this field so the change is captured during\ \ the next polling period. Supported field input: `key:value`. If you\ \ specify tag and label limits, they function as an AND. When included\ \ in a response, returns a list of labels that will be used to assess\ \ images." default: [] type: "array" items: type: "object" example: - key1: "value1" - key2: "value2" required: - "awsAuthType" - "crossAccountCredentials" - "registryType" - "registryDomain" title: "AWS ECR - AWS IAM Role" type: "object" ContainerRegistries_ContVulnCfg_data_AWS_ECR_Update_Schema: properties: crossAccountCredentials: properties: externalId: title: "External ID" type: "string" description: "The AWS external ID that is associated with the cross-account\ \ role that Lacework uses to access your AWS resource. This is the\ \ External ID specified for the Cross-Account IAM role in your preparatory\ \ integration of AWS described in [AWS Integration Prerequisites](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=onboardingAWSIntegrationPrerequisites)." minLength: 1 roleArn: title: "Role ARN" type: "string" description: "The ARN of the cross-account role that Lacework uses to\ \ access your AWS resources. This is the ARN specified for the Cross-Account\ \ IAM role in your preparatory integration of AWS described in [AWS\ \ Integration Prerequisites](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=onboardingAWSIntegrationPrerequisites)." pattern: "^arn:aws(-[a-zA-Z]+)?:iam:([a-zA-Z0-9-_]+)?:([0-9]{12}):([a-zA-Z0-9_-]+)([/:][a-zA-Z0-9_-]+)*$" description: "Details of the cross-account role that Lacework uses to access\ \ your AWS resource." type: "object" awsAuthType: title: "Authentication Type" type: "string" description: "Your AWS authentication type. The default value is `AWS_IAM`." enum: - "AWS_IAM" default: "AWS_IAM" registryType: title: "Registry Type" type: "string" description: "The container registry's type." enum: - "AWS_ECR" default: "AWS_ECR" registryDomain: title: "Registry Domain" type: "string" description: "The URL of your registry in the following format: `YourAWSAccount.dkr.ecr.YourRegion.amazonaws.com`,\ \ where `YourAWSAcount` is the AWS account number for the AWS IAM user\ \ that has a role with permissions to access the ECR and `YourRegion`\ \ is your AWS region such as us-west-2. **Note**: Do not prefix the URL\ \ with `https://`." pattern: "^(https://)?(http://)?(.*)(.dkr\\.ecr.)(.*)(.amazonaws.com)$" limitNumImg: title: "Limit Number of Images per Repo" type: "number" description: "When sending a request, if you do not want to assess all images\ \ in this registry, specify the maximum number of newest container images\ \ to discover/assess per repository. The default value is `5`. When included\ \ in a response, returns the number of newest container images to discover/assess\ \ per repository." default: 5 enum: - 5 - 10 - 15 limitByRep: title: "Limit by Repository (optional)" description: "When sending a request, if you do not want to discover/assess\ \ all repositories in this registry, specify a comma-separated list of\ \ repositories to discover/assess (without spaces recommended). To change\ \ which repositories you want to assess, update this field so the change\ \ is captured during the next polling period. When included in a response,\ \ returns a list of repositories to discover/assess." default: [] type: "array" items: type: "string" baseImageRepo: title: "Add base image repositories (optional)" description: "If you have base images that you want to discover/assess,\ \ add a comma-separated list with base image repositories" default: [] type: "array" items: type: "string" nonOsPackageEval: description: "This feature is enabled by default. When sending a request,\ \ set to `False` if you want to disable scanning of [language libraries](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=CONTAINER_IMAGE_SUPPORT).\ \ When included in a response, returns `True` if the scanning of language\ \ libraries is enabled, or returns `False` if the scanning of language\ \ libraries is disabled." type: "boolean" default: true limitByTag: title: "Limit by Tag(s) (optional)" description: "When sending a request, if you do not want to assess all images\ \ in this registry, specify text from an image tag so that only images\ \ with matching tag text will be assessed. To change which images you\ \ want to assess, update this field so the change is captured during the\ \ next polling period. You can input multiple tags. If you specify tag\ \ and label limits, they function as an AND. When included in a response,\ \ returns a list of texts that will be used to assess images." default: [] type: "array" items: type: "string" pattern: "^[\\w.\\-]*[*]?[\\w.\\-]{0,127}$" limitByLabel: title: "Limit by Label(s) (optional)" description: "When sending a request, if you do not want to assess all images\ \ in this registry, specify `key:value` pairs so that only images with\ \ matching label `key:value` pairs will be assessed. To change which images\ \ you want to assess, update this field so the change is captured during\ \ the next polling period. Supported field input: `key:value`. If you\ \ specify tag and label limits, they function as an AND. When included\ \ in a response, returns a list of labels that will be used to assess\ \ images." default: [] type: "array" items: type: "object" example: - key1: "value1" - key2: "value2" title: "AWS ECR - AWS IAM Role" type: "object" ContainerRegistries_ContVulnCfg_data_DOCKERHUB_Create_Schema: properties: credentials: type: "object" properties: username: title: "User Name" type: "string" description: "The Docker user that has at least read-only permissions\ \ to the Docker Hub container repositories that you want to assess\ \ for vulnerabilities. For more details on how to grant permissions\ \ in Docker, see [Teams and Organizations](https://docs.docker.com/docker-hub/orgs/).\ \ Specify a Docker user that has at least read-only permissions to\ \ the Docker Hub container repositories that you want to assess for\ \ vulnerabilities. Docker uses organizations and teams to grant permissions." password: title: "Password" type: "string" description: "The password for the specified Docker Hub user. Alternatively,\ \ you can use personal access tokens to access Hub images from the\ \ Docker CLI. For details, see [Managing Access Tokens](https://docs.docker.com/docker-hub/access-tokens/)." format: "password" required: - "username" - "password" description: "Your Docker Hub's credentials." registryType: title: "Registry Type" type: "string" description: "The container registry's type." enum: - "DOCKERHUB" default: "DOCKERHUB" registryDomain: title: "Registry Domain" type: "string" description: "This field is pre-populated with this URL of Docker Hub, which\ \ is `index.docker.io`." default: "index.docker.io" enum: - "index.docker.io" limitNumImg: title: "Limit Number of Images per Repo" description: "When sending a request, if you do not want to assess all images\ \ in this registry, specify the maximum number of newest container images\ \ to discover/assess per repository. The default value is `5`. When included\ \ in a response, returns the number of newest container images to discover/assess\ \ per repository." type: "number" default: 5 enum: - 5 - 10 - 15 limitByRep: title: "Limit by Repository (optional)" description: "When sending a request, if you do not want to discover/assess\ \ all repositories in this registry, specify a comma-separated list of\ \ repositories to discover/assess (without spaces recommended). To change\ \ which repositories you want to assess, update this field so the change\ \ is captured during the next polling period. When included in a response,\ \ returns a list of repositories to discover/assess." default: [] type: "array" items: type: "string" nonOsPackageEval: description: "This feature is enabled by default. When sending a request,\ \ set to `False` if you want to disable scanning of [language libraries](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=CONTAINER_IMAGE_SUPPORT).\ \ When included in a response, returns `True` if the scanning of language\ \ libraries is enabled, or returns `False` if the scanning of language\ \ libraries is disabled." type: "boolean" default: true limitByTag: title: "Limit by Tag(s) (optional)" description: "When sending a request, if you do not want to assess all images\ \ in this registry, specify text from an image tag so that only images\ \ with matching tag text will be assessed. To change which images you\ \ want to assess, update this field so the change is captured during the\ \ next polling period. You can input multiple tags. If you specify tag\ \ and label limits, they function as an AND. When included in a response,\ \ returns a list of texts that will be used to assess images." default: [] type: "array" items: type: "string" pattern: "^[\\w.\\-]*[*]?[\\w.\\-]{0,127}$" baseImageRepo: title: "Add base image repositories (optional)" description: "If you have base images that you want to discover/assess,\ \ add a comma-separated list with base image repositories" default: [] type: "array" items: type: "string" limitByLabel: title: "Limit by Label(s) (optional)" description: "When sending a request, if you do not want to assess all images\ \ in this registry, specify `key:value` pairs so that only images with\ \ matching label `key:value` pairs will be assessed. To change which images\ \ you want to assess, update this field so the change is captured during\ \ the next polling period. Supported field input: `key:value`. If you\ \ specify tag and label limits, they function as an AND. When included\ \ in a response, returns a list of labels that will be used to assess\ \ images." default: [] type: "array" items: type: "object" example: - key1: "value1" - key2: "value2" required: - "credentials" - "registryType" - "registryDomain" title: "Docker Hub" type: "object" ContainerRegistries_ContVulnCfg_data_DOCKERHUB_Update_Schema: properties: credentials: type: "object" properties: username: title: "User Name" type: "string" description: "The Docker user that has at least read-only permissions\ \ to the Docker Hub container repositories that you want to assess\ \ for vulnerabilities. For more details on how to grant permissions\ \ in Docker, see [Teams and Organizations](https://docs.docker.com/docker-hub/orgs/).\ \ Specify a Docker user that has at least read-only permissions to\ \ the Docker Hub container repositories that you want to assess for\ \ vulnerabilities. Docker uses organizations and teams to grant permissions." password: title: "Password" type: "string" description: "The password for the specified Docker Hub user. Alternatively,\ \ you can use personal access tokens to access Hub images from the\ \ Docker CLI. For details, see [Managing Access Tokens](https://docs.docker.com/docker-hub/access-tokens/)." format: "password" description: "Your Docker Hub's credentials." registryType: title: "Registry Type" type: "string" description: "The container registry's type." enum: - "DOCKERHUB" default: "DOCKERHUB" registryDomain: title: "Registry Domain" type: "string" description: "This field is pre-populated with this URL of Docker Hub, which\ \ is `index.docker.io`." default: "index.docker.io" enum: - "index.docker.io" limitNumImg: title: "Limit Number of Images per Repo" description: "When sending a request, if you do not want to assess all images\ \ in this registry, specify the maximum number of newest container images\ \ to discover/assess per repository. The default value is `5`. When included\ \ in a response, returns the number of newest container images to discover/assess\ \ per repository." type: "number" default: 5 enum: - 5 - 10 - 15 limitByRep: title: "Limit by Repository (optional)" description: "When sending a request, if you do not want to discover/assess\ \ all repositories in this registry, specify a comma-separated list of\ \ repositories to discover/assess (without spaces recommended). To change\ \ which repositories you want to assess, update this field so the change\ \ is captured during the next polling period. When included in a response,\ \ returns a list of repositories to discover/assess." default: [] type: "array" items: type: "string" nonOsPackageEval: description: "This feature is enabled by default. When sending a request,\ \ set to `False` if you want to disable scanning of [language libraries](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=CONTAINER_IMAGE_SUPPORT).\ \ When included in a response, returns `True` if the scanning of language\ \ libraries is enabled, or returns `False` if the scanning of language\ \ libraries is disabled." type: "boolean" default: true limitByTag: title: "Limit by Tag(s) (optional)" description: "When sending a request, if you do not want to assess all images\ \ in this registry, specify text from an image tag so that only images\ \ with matching tag text will be assessed. To change which images you\ \ want to assess, update this field so the change is captured during the\ \ next polling period. You can input multiple tags. If you specify tag\ \ and label limits, they function as an AND. When included in a response,\ \ returns a list of texts that will be used to assess images." default: [] type: "array" items: type: "string" pattern: "^[\\w.\\-]*[*]?[\\w.\\-]{0,127}$" baseImageRepo: title: "Add base image repositories (optional)" description: "If you have base images that you want to discover/assess,\ \ add a comma-separated list with base image repositories" default: [] type: "array" items: type: "string" limitByLabel: title: "Limit by Label(s) (optional)" description: "When sending a request, if you do not want to assess all images\ \ in this registry, specify `key:value` pairs so that only images with\ \ matching label `key:value` pairs will be assessed. To change which images\ \ you want to assess, update this field so the change is captured during\ \ the next polling period. Supported field input: `key:value`. If you\ \ specify tag and label limits, they function as an AND. When included\ \ in a response, returns a list of labels that will be used to assess\ \ images." default: [] type: "array" items: type: "object" example: - key1: "value1" - key2: "value2" title: "Docker Hub" type: "object" ContainerRegistries_ContVulnCfg_data_GCP_GAR_Create_Schema: properties: credentials: properties: clientId: title: "Client ID" type: "string" description: "The client ID for the service account that has been [granted\ \ access to the organization, folder, or project](https://cloud.google.com/iam/docs/granting-changing-revoking-access)\ \ that contains the registry (or registries). For more details about\ \ which role to assign to the service account, see [Configure Registry](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=containerRegistryGCRUrl)." minLength: 1 privateKeyId: title: "Private Key ID" type: "string" description: "The private key ID for the private key that should be\ \ used to authenticate the service account that was specified in the\ \ *Client ID* setting." minLength: 1 clientEmail: title: "Client Email" type: "string" description: "The client email associated with the service account that\ \ was specified in the *Client ID* setting." pattern: "^[\\w!#$%&'*+/=?`{|}~^-]+(?:\\.[\\w!#$%&'*+/=?`{|}~^-]+)*@(?:[a-zA-Z0-9-]+\\\ .)+[a-zA-Z]{2,6}$" minLength: 1 privateKey: title: "Private Key" type: "string" description: "The private key that should be used to authenticate the\ \ service account that was specified in the *Client ID* setting. To\ \ view the private key raw text, enter the following command, where\ \ `YourFileName.json` is the name of the file downloaded when you\ \ created the GCP Service Account to be used for the integration:\ \ `$ cat YourFileName.json | jq -r '.private_key'`" minLength: 1 format: "password" type: "object" description: "Your Google Artifact Registry's credentials." required: - "clientId" - "clientEmail" - "privateKeyId" - "privateKey" registryType: title: "Registry Type" type: "string" description: "The container registry's type." enum: - "GCP_GAR" default: "GCP_GAR" registryDomain: title: "Registry Domain" type: "string" description: "The supported GCP region to access. For details, see [Repository\ \ and Image Names](https://cloud.google.com/artifact-registry/docs/docker/names)." default: "us-west1-docker.pkg.dev" enum: - "africa-south1-docker.pkg.dev" - "asia-docker.pkg.dev" - "asia-east1-docker.pkg.dev" - "asia-east2-docker.pkg.dev" - "asia-northeast1-docker.pkg.dev" - "asia-northeast2-docker.pkg.dev" - "asia-northeast3-docker.pkg.dev" - "asia-south1-docker.pkg.dev" - "asia-south2-docker.pkg.dev" - "asia-southeast1-docker.pkg.dev" - "asia-southeast2-docker.pkg.dev" - "australia-southeast1-docker.pkg.dev" - "australia-southeast2-docker.pkg.dev" - "docker.me-central2.rep.pkg.dev" - "europe-central2-docker.pkg.dev" - "europe-docker.pkg.dev" - "europe-north1-docker.pkg.dev" - "europe-southwest1-docker.pkg.dev" - "europe-west1-docker.pkg.dev" - "europe-west10-docker.pkg.dev" - "europe-west12-docker.pkg.dev" - "europe-west2-docker.pkg.dev" - "europe-west3-docker.pkg.dev" - "europe-west4-docker.pkg.dev" - "europe-west6-docker.pkg.dev" - "europe-west8-docker.pkg.dev" - "europe-west9-docker.pkg.dev" - "me-central1-docker.pkg.dev" - "me-central2-docker.pkg.dev" - "me-west1-docker.pkg.dev" - "northamerica-northeast1-docker.pkg.dev" - "northamerica-northeast2-docker.pkg.dev" - "southamerica-east1-docker.pkg.dev" - "southamerica-west1-docker.pkg.dev" - "us-central1-docker.pkg.dev" - "us-docker.pkg.dev" - "us-east1-docker.pkg.dev" - "us-east4-docker.pkg.dev" - "us-east5-docker.pkg.dev" - "us-south1-docker.pkg.dev" - "us-west1-docker.pkg.dev" - "us-west2-docker.pkg.dev" - "us-west3-docker.pkg.dev" - "us-west4-docker.pkg.dev" - "us-west8-docker.pkg.dev" limitNumImg: title: "Limit Number of Images per Repo" description: "When sending a request, if you do not want to assess all images\ \ in this registry, specify the maximum number of newest container images\ \ to discover/assess per repository. The default value is `5`. When included\ \ in a response, returns the number of newest container images to discover/assess\ \ per repository." type: "number" default: 5 enum: - 5 - 10 - 15 limitByRep: title: "Limit by Repository (optional)" description: "When sending a request, if you do not want to discover/assess\ \ all repositories in this registry, specify a comma-separated list of\ \ repositories to discover/assess (without spaces recommended). To change\ \ which repositories you want to assess, update this field so the change\ \ is captured during the next polling period. When included in a response,\ \ returns a list of repositories to discover/assess." default: [] type: "array" items: type: "string" nonOsPackageEval: description: "This feature is enabled by default. When sending a request,\ \ set to `False` if you want to disable scanning of [language libraries](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=CONTAINER_IMAGE_SUPPORT).\ \ When included in a response, returns `True` if the scanning of language\ \ libraries is enabled, or returns `False` if the scanning of language\ \ libraries is disabled." type: "boolean" default: true limitByTag: title: "Limit by Tag(s) (optional)" description: "When sending a request, if you do not want to assess all images\ \ in this registry, specify text from an image tag so that only images\ \ with matching tag text will be assessed. To change which images you\ \ want to assess, update this field so the change is captured during the\ \ next polling period. You can input multiple tags. If you specify tag\ \ and label limits, they function as an AND. When included in a response,\ \ returns a list of texts that will be used to assess images." default: [] type: "array" items: type: "string" pattern: "^[\\w.\\-]*[*]?[\\w.\\-]{0,127}$" baseImageRepo: title: "Add base container repositories (optional)" description: "If you have base images that you want to discover/assess,\ \ add a comma-separated list with base image repositories" default: [] type: "array" items: type: "string" limitByLabel: title: "Limit by Label(s) (optional)" description: "When sending a request, if you do not want to assess all images\ \ in this registry, specify `key:value` pairs so that only images with\ \ matching label `key:value` pairs will be assessed. To change which images\ \ you want to assess, update this field so the change is captured during\ \ the next polling period. Supported field input: `key:value`. If you\ \ specify tag and label limits, they function as an AND. When included\ \ in a response, returns a list of labels that will be used to assess\ \ images." default: [] type: "array" items: type: "object" example: - key1: "value1" - key2: "value2" required: - "credentials" - "registryType" - "registryDomain" title: "Google Container Registry (GAR)" type: "object" ContainerRegistries_ContVulnCfg_data_GCP_GAR_Update_Schema: properties: credentials: properties: clientId: title: "Client ID" type: "string" description: "The client ID for the service account that has been [granted\ \ access to the organization, folder, or project](https://cloud.google.com/iam/docs/granting-changing-revoking-access)\ \ that contains the registry (or registries). For more details about\ \ which role to assign to the service account, see [Configure Registry](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=containerRegistryGCRUrl)." minLength: 1 privateKeyId: title: "Private Key ID" type: "string" description: "The private key ID for the private key that should be\ \ used to authenticate the service account that was specified in the\ \ *Client ID* setting." minLength: 1 clientEmail: title: "Client Email" type: "string" description: "The client email associated with the service account that\ \ was specified in the *Client ID* setting." pattern: "^[\\w!#$%&'*+/=?`{|}~^-]+(?:\\.[\\w!#$%&'*+/=?`{|}~^-]+)*@(?:[a-zA-Z0-9-]+\\\ .)+[a-zA-Z]{2,6}$" minLength: 1 privateKey: title: "Private Key" type: "string" description: "The private key that should be used to authenticate the\ \ service account that was specified in the *Client ID* setting. To\ \ view the private key raw text, enter the following command, where\ \ `YourFileName.json` is the name of the file downloaded when you\ \ created the GCP Service Account to be used for the integration:\ \ `$ cat YourFileName.json | jq -r '.private_key'`" minLength: 1 format: "password" type: "object" description: "Your Google Artifact Registry's credentials." registryType: title: "Registry Type" type: "string" description: "The container registry's type." enum: - "GCP_GAR" default: "GCP_GAR" registryDomain: title: "Registry Domain" type: "string" description: "The supported GCP region to access. For details, see [Repository\ \ and Image Names](https://cloud.google.com/artifact-registry/docs/docker/names)." default: "us-west1-docker.pkg.dev" enum: - "africa-south1-docker.pkg.dev" - "asia-docker.pkg.dev" - "asia-east1-docker.pkg.dev" - "asia-east2-docker.pkg.dev" - "asia-northeast1-docker.pkg.dev" - "asia-northeast2-docker.pkg.dev" - "asia-northeast3-docker.pkg.dev" - "asia-south1-docker.pkg.dev" - "asia-south2-docker.pkg.dev" - "asia-southeast1-docker.pkg.dev" - "asia-southeast2-docker.pkg.dev" - "australia-southeast1-docker.pkg.dev" - "australia-southeast2-docker.pkg.dev" - "docker.me-central2.rep.pkg.dev" - "europe-central2-docker.pkg.dev" - "europe-docker.pkg.dev" - "europe-north1-docker.pkg.dev" - "europe-southwest1-docker.pkg.dev" - "europe-west1-docker.pkg.dev" - "europe-west10-docker.pkg.dev" - "europe-west12-docker.pkg.dev" - "europe-west2-docker.pkg.dev" - "europe-west3-docker.pkg.dev" - "europe-west4-docker.pkg.dev" - "europe-west6-docker.pkg.dev" - "europe-west8-docker.pkg.dev" - "europe-west9-docker.pkg.dev" - "me-central1-docker.pkg.dev" - "me-central2-docker.pkg.dev" - "me-west1-docker.pkg.dev" - "northamerica-northeast1-docker.pkg.dev" - "northamerica-northeast2-docker.pkg.dev" - "southamerica-east1-docker.pkg.dev" - "southamerica-west1-docker.pkg.dev" - "us-central1-docker.pkg.dev" - "us-docker.pkg.dev" - "us-east1-docker.pkg.dev" - "us-east4-docker.pkg.dev" - "us-east5-docker.pkg.dev" - "us-south1-docker.pkg.dev" - "us-west1-docker.pkg.dev" - "us-west2-docker.pkg.dev" - "us-west3-docker.pkg.dev" - "us-west4-docker.pkg.dev" - "us-west8-docker.pkg.dev" limitNumImg: title: "Limit Number of Images per Repo" description: "When sending a request, if you do not want to assess all images\ \ in this registry, specify the maximum number of newest container images\ \ to discover/assess per repository. The default value is `5`. When included\ \ in a response, returns the number of newest container images to discover/assess\ \ per repository." type: "number" default: 5 enum: - 5 - 10 - 15 limitByRep: title: "Limit by Repository (optional)" description: "When sending a request, if you do not want to discover/assess\ \ all repositories in this registry, specify a comma-separated list of\ \ repositories to discover/assess (without spaces recommended). To change\ \ which repositories you want to assess, update this field so the change\ \ is captured during the next polling period. When included in a response,\ \ returns a list of repositories to discover/assess." default: [] type: "array" items: type: "string" nonOsPackageEval: description: "This feature is enabled by default. When sending a request,\ \ set to `False` if you want to disable scanning of [language libraries](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=CONTAINER_IMAGE_SUPPORT).\ \ When included in a response, returns `True` if the scanning of language\ \ libraries is enabled, or returns `False` if the scanning of language\ \ libraries is disabled." type: "boolean" default: true limitByTag: title: "Limit by Tag(s) (optional)" description: "When sending a request, if you do not want to assess all images\ \ in this registry, specify text from an image tag so that only images\ \ with matching tag text will be assessed. To change which images you\ \ want to assess, update this field so the change is captured during the\ \ next polling period. You can input multiple tags. If you specify tag\ \ and label limits, they function as an AND. When included in a response,\ \ returns a list of texts that will be used to assess images." default: [] type: "array" items: type: "string" pattern: "^[\\w.\\-]*[*]?[\\w.\\-]{0,127}$" baseImageRepo: title: "Add base container repositories (optional)" description: "If you have base images that you want to discover/assess,\ \ add a comma-separated list with base image repositories" default: [] type: "array" items: type: "string" limitByLabel: title: "Limit by Label(s) (optional)" description: "When sending a request, if you do not want to assess all images\ \ in this registry, specify `key:value` pairs so that only images with\ \ matching label `key:value` pairs will be assessed. To change which images\ \ you want to assess, update this field so the change is captured during\ \ the next polling period. Supported field input: `key:value`. If you\ \ specify tag and label limits, they function as an AND. When included\ \ in a response, returns a list of labels that will be used to assess\ \ images." default: [] type: "array" items: type: "object" example: - key1: "value1" - key2: "value2" title: "Google Container Registry (GAR)" type: "object" ContainerRegistries_ContVulnCfg_data_GCP_GCR_Create_Schema: properties: credentials: properties: clientId: title: "Client ID" type: "string" description: "The client ID for the service account that has been [granted\ \ access to the organization, folder, or project](https://cloud.google.com/iam/docs/granting-changing-revoking-access)\ \ that contains the registry (or registries). For more details about\ \ which role to assign to the service account, see [Configure Registry](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=containerRegistryGCRUrl)." minLength: 1 privateKeyId: title: "Private Key ID" type: "string" description: "The private key ID for the service account that has granted\ \ `storage.objectViewer` role for access to the Google project that\ \ contains the Google Container Registry (GCR)." minLength: 1 clientEmail: title: "Client Email" type: "string" description: "The client email associated with the service account that\ \ has granted `storage.objectViewer` role for access to the Google\ \ project that contains the Google Container Registry (GCR)." pattern: "^[\\w!#$%&'*+/=?`{|}~^-]+(?:\\.[\\w!#$%&'*+/=?`{|}~^-]+)*@(?:[a-zA-Z0-9-]+\\\ .)+[a-zA-Z]{2,6}$" minLength: 1 privateKey: title: "Private Key" type: "string" description: "The private key for the specified private key ID. See\ \ [Private Key Format](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=containerRegistryDockerV2Url)\ \ for guidance on formatting your key." minLength: 1 format: "password" type: "object" description: "Your Google Container Registry's credentials." required: - "clientId" - "clientEmail" - "privateKeyId" - "privateKey" registryType: title: "Registry Type" type: "string" description: "The container registry's type." enum: - "GCP_GCR" default: "GCP_GCR" registryDomain: title: "Registry Domain" type: "string" description: "The supported GCP region to access. For more information,\ \ see [Container Registry Pushing and pulling images](https://cloud.google.com/container-registry/docs/pushing-and-pulling)." default: "gcr.io" enum: - "gcr.io" - "us.gcr.io" - "eu.gcr.io" - "asia.gcr.io" limitNumImg: title: "Limit Number of Images per Repo" description: "When sending a request, if you do not want to assess all images\ \ in this registry, specify the maximum number of newest container images\ \ to discover/assess per repository. The default value is `5`. When included\ \ in a response, returns the number of newest container images to discover/assess\ \ per repository." type: "number" default: 5 enum: - 5 - 10 - 15 limitByRep: title: "Limit by Repository (optional)" description: "When sending a request, if you do not want to discover/assess\ \ all repositories in this registry, specify a comma-separated list of\ \ repositories to discover/assess (without spaces recommended). To change\ \ which repositories you want to assess, update this field so the change\ \ is captured during the next polling period. When included in a response,\ \ returns a list of repositories to discover/assess." default: [] type: "array" items: type: "string" baseImageRepo: title: "Add base image repositories (optional)" description: "If you have base images that you want to discover/assess,\ \ add a comma-separated list with base image repositories" default: [] type: "array" items: type: "string" nonOsPackageEval: description: "This feature is enabled by default. When sending a request,\ \ set to `False` if you want to disable scanning of [language libraries](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=CONTAINER_IMAGE_SUPPORT).\ \ When included in a response, returns `True` if the scanning of language\ \ libraries is enabled, or returns `False` if the scanning of language\ \ libraries is disabled." type: "boolean" default: true limitByTag: title: "Limit by Tag(s) (optional)" description: "When sending a request, if you do not want to assess all images\ \ in this registry, specify text from an image tag so that only images\ \ with matching tag text will be assessed. To change which images you\ \ want to assess, update this field so the change is captured during the\ \ next polling period. You can input multiple tags. If you specify tag\ \ and label limits, they function as an AND. When included in a response,\ \ returns a list of texts that will be used to assess images." default: [] type: "array" items: type: "string" pattern: "^[\\w.\\-]*[*]?[\\w.\\-]{0,127}$" limitByLabel: title: "Limit by Label(s) (optional)" description: "When sending a request, if you do not want to assess all images\ \ in this registry, specify `key:value` pairs so that only images with\ \ matching label `key:value` pairs will be assessed. To change which images\ \ you want to assess, update this field so the change is captured during\ \ the next polling period. Supported field input: `key:value`. If you\ \ specify tag and label limits, they function as an AND. When included\ \ in a response, returns a list of labels that will be used to assess\ \ images." default: [] type: "array" items: type: "object" example: - key1: "value1" - key2: "value2" required: - "credentials" - "registryType" - "registryDomain" title: "Google Container Registry (GCR)" type: "object" ContainerRegistries_ContVulnCfg_data_GCP_GCR_Update_Schema: properties: credentials: properties: clientId: title: "Client ID" type: "string" description: "The client ID for the service account that has been [granted\ \ access to the organization, folder, or project](https://cloud.google.com/iam/docs/granting-changing-revoking-access)\ \ that contains the registry (or registries). For more details about\ \ which role to assign to the service account, see [Configure Registry](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=containerRegistryGCRUrl)." minLength: 1 privateKeyId: title: "Private Key ID" type: "string" description: "The private key ID for the service account that has granted\ \ `storage.objectViewer` role for access to the Google project that\ \ contains the Google Container Registry (GCR)." minLength: 1 clientEmail: title: "Client Email" type: "string" description: "The client email associated with the service account that\ \ has granted `storage.objectViewer` role for access to the Google\ \ project that contains the Google Container Registry (GCR)." pattern: "^[\\w!#$%&'*+/=?`{|}~^-]+(?:\\.[\\w!#$%&'*+/=?`{|}~^-]+)*@(?:[a-zA-Z0-9-]+\\\ .)+[a-zA-Z]{2,6}$" minLength: 1 privateKey: title: "Private Key" type: "string" description: "The private key for the specified private key ID. See\ \ [Private Key Format](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=containerRegistryDockerV2Url)\ \ for guidance on formatting your key." minLength: 1 format: "password" type: "object" description: "Your Google Container Registry's credentials." registryType: title: "Registry Type" type: "string" description: "The container registry's type." enum: - "GCP_GCR" default: "GCP_GCR" registryDomain: title: "Registry Domain" type: "string" description: "The supported GCP region to access. For more information,\ \ see [Container Registry Pushing and pulling images](https://cloud.google.com/container-registry/docs/pushing-and-pulling)." default: "gcr.io" enum: - "gcr.io" - "us.gcr.io" - "eu.gcr.io" - "asia.gcr.io" limitNumImg: title: "Limit Number of Images per Repo" description: "When sending a request, if you do not want to assess all images\ \ in this registry, specify the maximum number of newest container images\ \ to discover/assess per repository. The default value is `5`. When included\ \ in a response, returns the number of newest container images to discover/assess\ \ per repository." type: "number" default: 5 enum: - 5 - 10 - 15 limitByRep: title: "Limit by Repository (optional)" description: "When sending a request, if you do not want to discover/assess\ \ all repositories in this registry, specify a comma-separated list of\ \ repositories to discover/assess (without spaces recommended). To change\ \ which repositories you want to assess, update this field so the change\ \ is captured during the next polling period. When included in a response,\ \ returns a list of repositories to discover/assess." default: [] type: "array" items: type: "string" baseImageRepo: title: "Add base image repositories (optional)" description: "If you have base images that you want to discover/assess,\ \ add a comma-separated list with base image repositories" default: [] type: "array" items: type: "string" nonOsPackageEval: description: "This feature is enabled by default. When sending a request,\ \ set to `False` if you want to disable scanning of [language libraries](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=CONTAINER_IMAGE_SUPPORT).\ \ When included in a response, returns `True` if the scanning of language\ \ libraries is enabled, or returns `False` if the scanning of language\ \ libraries is disabled." type: "boolean" default: true limitByTag: title: "Limit by Tag(s) (optional)" description: "When sending a request, if you do not want to assess all images\ \ in this registry, specify text from an image tag so that only images\ \ with matching tag text will be assessed. To change which images you\ \ want to assess, update this field so the change is captured during the\ \ next polling period. You can input multiple tags. If you specify tag\ \ and label limits, they function as an AND. When included in a response,\ \ returns a list of texts that will be used to assess images." default: [] type: "array" items: type: "string" pattern: "^[\\w.\\-]*[*]?[\\w.\\-]{0,127}$" limitByLabel: title: "Limit by Label(s) (optional)" description: "When sending a request, if you do not want to assess all images\ \ in this registry, specify `key:value` pairs so that only images with\ \ matching label `key:value` pairs will be assessed. To change which images\ \ you want to assess, update this field so the change is captured during\ \ the next polling period. Supported field input: `key:value`. If you\ \ specify tag and label limits, they function as an AND. When included\ \ in a response, returns a list of labels that will be used to assess\ \ images." default: [] type: "array" items: type: "object" example: - key1: "value1" - key2: "value2" title: "Google Container Registry (GCR)" type: "object" ContainerRegistries_ContVulnCfg_data_GHCR_Create_Schema: properties: credentials: type: "object" description: "Your GitHub Container Registry's credentials." properties: username: title: "Username" type: "string" description: "The user that has permissions to pull the images (that\ \ will be assessed) from the container registry." minLength: 1 password: title: "Password" type: "string" description: "The GitHub token. For details about generating a new token,\ \ see [Creating a personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token).\ \ The required permission is `read:packages`." format: "password" ssl: title: "SSL" type: "boolean" description: "When sending a request, set to `True` if the registry\ \ uses SSL. You can use either a valid SSL certificate issued by a\ \ trusted Certificate Authority (CA) or a self-signed certificate.\ \ If you set it to `False`, you will use an unencrypted communication\ \ channel. When included in a response, returns `True` for enabled\ \ SSL encryption, or returns `False` for disabled SSL encryption." default: true required: - "username" - "password" registryType: title: "Registry Type" type: "string" description: "The container registry's type." enum: - "GHCR" default: "GHCR" registryDomain: title: "Registry Domain" type: "string" description: "The URL of your registry. The default URL is `ghcr.io`." default: "ghcr.io" enum: - "ghcr.io" registryNotifications: title: "Subscribe to Registry Notifications" type: "boolean" description: "When sending a request, if the [container registry supports\ \ notifications](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=containerRegistryDockerV2Url),\ \ you can optionally set to `True`. When included in a response, returns\ \ `True` if registry notifications are enabled, or returns `False` if\ \ registry notifications are disabled." limitNumImg: title: "Limit Number of Images per Repo" description: "When sending a request, if you do not want to assess all images\ \ in this registry, specify the maximum number of newest container images\ \ to discover/assess per repository. The default value is `5`. When included\ \ in a response, returns the number of newest container images to discover/assess\ \ per repository." type: "number" default: 5 enum: - 5 - 10 - 15 limitByRep: title: "Limit by Repository (optional)" default: [] type: "array" items: type: "string" nonOsPackageEval: description: "This feature is enabled by default. When sending a request,\ \ set to `False` if you want to disable scanning of [language libraries](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=CONTAINER_IMAGE_SUPPORT).\ \ When included in a response, returns `True` if the scanning of language\ \ libraries is enabled, or returns `False` if the scanning of language\ \ libraries is disabled." type: "boolean" default: true limitByTag: title: "Limit by Tag(s) (optional)" description: "When sending a request, if you do not want to assess all images\ \ in this registry, specify text from an image tag so that only images\ \ with matching tag text will be assessed. To change which images you\ \ want to assess, update this field so the change is captured during the\ \ next polling period. You can input multiple tags. If you specify tag\ \ and label limits, they function as an AND. When included in a response,\ \ returns a list of texts that will be used to assess images." default: [] type: "array" items: type: "string" pattern: "^[\\w.\\-]*[*]?[\\w.\\-]{0,127}$" baseImageRepo: title: "Add base image repositories (optional)" description: "If you have base images that you want to discover/assess,\ \ add a comma-separated list with base image repositories" default: [] type: "array" items: type: "string" limitByLabel: title: "Limit by Label(s) (optional)" description: "When sending a request, if you do not want to assess all images\ \ in this registry, specify `key:value` pairs so that only images with\ \ matching label `key:value` pairs will be assessed. To change which images\ \ you want to assess, update this field so the change is captured during\ \ the next polling period. Supported field input: `key:value`. If you\ \ specify tag and label limits, they function as an AND. When included\ \ in a response, returns a list of labels that will be used to assess\ \ images." default: [] type: "array" items: type: "object" example: - key1: "value1" - key2: "value2" required: - "credentials" - "registryType" - "registryDomain" title: "Github Container Registry" type: "object" ContainerRegistries_ContVulnCfg_data_GHCR_Update_Schema: properties: credentials: type: "object" description: "Your GitHub Container Registry's credentials." properties: username: title: "Username" type: "string" description: "The user that has permissions to pull the images (that\ \ will be assessed) from the container registry." minLength: 1 password: title: "Password" type: "string" description: "The GitHub token. For details about generating a new token,\ \ see [Creating a personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token).\ \ The required permission is `read:packages`." format: "password" ssl: title: "SSL" type: "boolean" description: "When sending a request, set to `True` if the registry\ \ uses SSL. You can use either a valid SSL certificate issued by a\ \ trusted Certificate Authority (CA) or a self-signed certificate.\ \ If you set it to `False`, you will use an unencrypted communication\ \ channel. When included in a response, returns `True` for enabled\ \ SSL encryption, or returns `False` for disabled SSL encryption." default: true registryType: title: "Registry Type" type: "string" description: "The container registry's type." enum: - "GHCR" default: "GHCR" registryDomain: title: "Registry Domain" type: "string" description: "The URL of your registry. The default URL is `ghcr.io`." default: "ghcr.io" enum: - "ghcr.io" registryNotifications: title: "Subscribe to Registry Notifications" type: "boolean" description: "When sending a request, if the [container registry supports\ \ notifications](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=containerRegistryDockerV2Url),\ \ you can optionally set to `True`. When included in a response, returns\ \ `True` if registry notifications are enabled, or returns `False` if\ \ registry notifications are disabled." limitNumImg: title: "Limit Number of Images per Repo" description: "When sending a request, if you do not want to assess all images\ \ in this registry, specify the maximum number of newest container images\ \ to discover/assess per repository. The default value is `5`. When included\ \ in a response, returns the number of newest container images to discover/assess\ \ per repository." type: "number" default: 5 enum: - 5 - 10 - 15 limitByRep: title: "Limit by Repository (optional)" default: [] type: "array" items: type: "string" nonOsPackageEval: description: "This feature is enabled by default. When sending a request,\ \ set to `False` if you want to disable scanning of [language libraries](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=CONTAINER_IMAGE_SUPPORT).\ \ When included in a response, returns `True` if the scanning of language\ \ libraries is enabled, or returns `False` if the scanning of language\ \ libraries is disabled." type: "boolean" default: true limitByTag: title: "Limit by Tag(s) (optional)" description: "When sending a request, if you do not want to assess all images\ \ in this registry, specify text from an image tag so that only images\ \ with matching tag text will be assessed. To change which images you\ \ want to assess, update this field so the change is captured during the\ \ next polling period. You can input multiple tags. If you specify tag\ \ and label limits, they function as an AND. When included in a response,\ \ returns a list of texts that will be used to assess images." default: [] type: "array" items: type: "string" pattern: "^[\\w.\\-]*[*]?[\\w.\\-]{0,127}$" baseImageRepo: title: "Add base image repositories (optional)" description: "If you have base images that you want to discover/assess,\ \ add a comma-separated list with base image repositories" default: [] type: "array" items: type: "string" limitByLabel: title: "Limit by Label(s) (optional)" description: "When sending a request, if you do not want to assess all images\ \ in this registry, specify `key:value` pairs so that only images with\ \ matching label `key:value` pairs will be assessed. To change which images\ \ you want to assess, update this field so the change is captured during\ \ the next polling period. Supported field input: `key:value`. If you\ \ specify tag and label limits, they function as an AND. When included\ \ in a response, returns a list of labels that will be used to assess\ \ images." default: [] type: "array" items: type: "object" example: - key1: "value1" - key2: "value2" title: "Github Container Registry" type: "object" ContainerRegistries_ContVulnCfg_data_INLINE_SCANNER_Create_Schema: properties: registryType: title: "Registry Type" type: "string" description: "The container registry's type." enum: - "INLINE_SCANNER" default: "INLINE_SCANNER" limitNumScan: title: "Limit number of scans for this Integration" description: "The maximum number of scans per hour that this integration\ \ can perform." type: "string" default: "60" identifierTag: title: "Identifier Tag(s) for Scan" description: "Identifier tags as `key:value` pairs." default: [] type: "array" items: type: "object" example: - key1: "value1" - key2: "value2" required: - "registryType" title: "Inline Scanner" type: "object" ContainerRegistries_ContVulnCfg_data_INLINE_SCANNER_Update_Schema: properties: registryType: title: "Registry Type" type: "string" description: "The container registry's type." enum: - "INLINE_SCANNER" default: "INLINE_SCANNER" limitNumScan: title: "Limit number of scans for this Integration" description: "The maximum number of scans per hour that this integration\ \ can perform." type: "string" default: "60" identifierTag: title: "Identifier Tag(s) for Scan" description: "Identifier tags as `key:value` pairs." default: [] type: "array" items: type: "object" example: - key1: "value1" - key2: "value2" title: "Inline Scanner" type: "object" ContainerRegistries_ContVulnCfg_data_PROXY_SCANNER_Create_Schema: properties: registryType: title: "Registry Type" type: "string" description: "The container registry's type." enum: - "PROXY_SCANNER" default: "PROXY_SCANNER" limitNumImg: title: "Limit Number of Images per Repo" description: "When sending a request, if you do not want to assess all images\ \ in this registry, specify the maximum number of newest container images\ \ to discover/assess per repository. The default value is `5`. When included\ \ in a response, returns the number of newest container images to discover/assess\ \ per repository." type: "number" default: 5 enum: - 5 - 10 - 15 limitByRep: title: "Limit by Repository (optional)" default: [] type: "array" items: type: "string" limitByTag: title: "Limit by Tag(s) (optional)" description: "When sending a request, if you do not want to assess all images\ \ in this registry, specify text from an image tag so that only images\ \ with matching tag text will be assessed. To change which images you\ \ want to assess, update this field so the change is captured during the\ \ next polling period. You can input multiple tags. If you specify tag\ \ and label limits, they function as an AND. When included in a response,\ \ returns a list of texts that will be used to assess images." default: [] type: "array" items: type: "string" pattern: "^[\\w.\\-]*[*]?[\\w.\\-]{0,127}$" baseImageRepo: title: "Add base image repositories (optional)" description: "If you have base images that you want to discover/assess,\ \ add a comma-separated list with base image repositories" default: [] type: "array" items: type: "string" limitByLabel: title: "Limit by Label(s) (optional)" description: "When sending a request, if you do not want to assess all images\ \ in this registry, specify `key:value` pairs so that only images with\ \ matching label `key:value` pairs will be assessed. To change which images\ \ you want to assess, update this field so the change is captured during\ \ the next polling period. Supported field input: `key:value`. If you\ \ specify tag and label limits, they function as an AND. When included\ \ in a response, returns a list of labels that will be used to assess\ \ images." default: [] type: "array" items: type: "object" example: - key1: "value1" - key2: "value2" required: - "registryType" title: "Proxy Scanner" type: "object" ContainerRegistries_ContVulnCfg_data_PROXY_SCANNER_Update_Schema: properties: registryType: title: "Registry Type" type: "string" description: "The container registry's type." enum: - "PROXY_SCANNER" default: "PROXY_SCANNER" limitNumImg: title: "Limit Number of Images per Repo" description: "When sending a request, if you do not want to assess all images\ \ in this registry, specify the maximum number of newest container images\ \ to discover/assess per repository. The default value is `5`. When included\ \ in a response, returns the number of newest container images to discover/assess\ \ per repository." type: "number" default: 5 enum: - 5 - 10 - 15 limitByRep: title: "Limit by Repository (optional)" default: [] type: "array" items: type: "string" limitByTag: title: "Limit by Tag(s) (optional)" description: "When sending a request, if you do not want to assess all images\ \ in this registry, specify text from an image tag so that only images\ \ with matching tag text will be assessed. To change which images you\ \ want to assess, update this field so the change is captured during the\ \ next polling period. You can input multiple tags. If you specify tag\ \ and label limits, they function as an AND. When included in a response,\ \ returns a list of texts that will be used to assess images." default: [] type: "array" items: type: "string" pattern: "^[\\w.\\-]*[*]?[\\w.\\-]{0,127}$" baseImageRepo: title: "Add base image repositories (optional)" description: "If you have base images that you want to discover/assess,\ \ add a comma-separated list with base image repositories" default: [] type: "array" items: type: "string" limitByLabel: title: "Limit by Label(s) (optional)" description: "When sending a request, if you do not want to assess all images\ \ in this registry, specify `key:value` pairs so that only images with\ \ matching label `key:value` pairs will be assessed. To change which images\ \ you want to assess, update this field so the change is captured during\ \ the next polling period. Supported field input: `key:value`. If you\ \ specify tag and label limits, they function as an AND. When included\ \ in a response, returns a list of labels that will be used to assess\ \ images." default: [] type: "array" items: type: "object" example: - key1: "value1" - key2: "value2" title: "Proxy Scanner" type: "object" ContainerRegistries_ContVulnCfg_data_V2_REGISTRY_Create_Schema: properties: credentials: type: "object" description: "Your Docker V2 Registry's credentials." properties: username: title: "Username" type: "string" description: "The user that has permissions to pull the images (that\ \ will be assessed) from the container registry." minLength: 1 password: title: "Password" type: "string" description: "The password for the specified user." format: "password" ssl: title: "SSL" type: "boolean" description: "When sending a request, set to `True` if the registry\ \ uses SSL. You can use either a valid SSL certificate issued by a\ \ trusted Certificate Authority (CA) or a self-signed certificate.\ \ If you set it to `False`, you will use an unencrypted communication\ \ channel.
\n When included in a response, returns `True` for\ \ enabled SSL encryption, or returns `False` for disabled SSL encryption.\ \ **Known Issue for JFrog:** JFrog Cloud integrations must be SSL-enabled\ \ due to a known issue." required: - "username" - "password" registryType: title: "Registry Type" type: "string" description: "The container registry's type." enum: - "V2_REGISTRY" default: "V2_REGISTRY" registryDomain: title: "Registry Domain" type: "string" description: "When sending a request, if you use `docker login `:`,\ \ specify the domain as `:`. If you use `docker\ \ login `, specify the domain as: ``. If you use\ \ `docker login :`, specify the domain as: `:`.\ \ When included in a response, returns the registry domain." registryNotifications: title: "Subscribe to Registry Notifications" type: "boolean" description: "When sending a request, if the [container registry supports\ \ notifications](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=containerRegistryDockerV2Url),\ \ you can optionally set to `True`. When included in a response, returns\ \ `True` if registry notifications are enabled; or returns `False` if\ \ registry notifications are disabled." nonOsPackageEval: description: "This feature is enabled by default. When sending a request,\ \ set to `False` if you want to disable scanning of [language libraries](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=CONTAINER_IMAGE_SUPPORT).\ \ When included in a response, returns `True` if the scanning of language\ \ libraries is enabled, or returns `False` if the scanning of language\ \ libraries is disabled." type: "boolean" default: true limitByTag: title: "Limit by Tag(s) (optional)" description: "When sending a request, if you do not want to assess all images\ \ in this registry, specify text from an image tag so that only images\ \ with matching tag text will be assessed. To change which images you\ \ want to assess, update this field so the change is captured during the\ \ next polling period. You can input multiple tags. If you specify tag\ \ and label limits, they function as an AND. When included in a response,\ \ returns a list of texts that will be used to assess images." default: [] type: "array" items: type: "string" pattern: "^[\\w.\\-]*[*]?[\\w.\\-]{0,127}$" baseImageRepo: title: "Add base image repositories (optional)" description: "If you have base images that you want to discover/assess,\ \ add a comma-separated list with base image repositories" default: [] type: "array" items: type: "string" limitByLabel: title: "Limit by Label(s) (optional)" description: "When sending a request, if you do not want to assess all images\ \ in this registry, specify `key:value` pairs so that only images with\ \ matching label `key:value` pairs will be assessed. To change which images\ \ you want to assess, update this field so the change is captured during\ \ the next polling period. Supported field input: `key:value`. If you\ \ specify tag and label limits, they function as an AND. When included\ \ in a response, returns a list of labels that will be used to assess\ \ images." default: [] type: "array" items: type: "object" example: - key1: "value1" - key2: "value2" required: - "credentials" - "registryType" - "registryDomain" title: "Docker V2 Registry" type: "object" ContainerRegistries_ContVulnCfg_data_V2_REGISTRY_Update_Schema: properties: credentials: type: "object" description: "Your Docker V2 Registry's credentials." properties: username: title: "Username" type: "string" description: "The user that has permissions to pull the images (that\ \ will be assessed) from the container registry." minLength: 1 password: title: "Password" type: "string" description: "The password for the specified user." format: "password" ssl: title: "SSL" type: "boolean" description: "When sending a request, set to `True` if the registry\ \ uses SSL. You can use either a valid SSL certificate issued by a\ \ trusted Certificate Authority (CA) or a self-signed certificate.\ \ If you set it to `False`, you will use an unencrypted communication\ \ channel.
\n When included in a response, returns `True` for\ \ enabled SSL encryption, or returns `False` for disabled SSL encryption.\ \ **Known Issue for JFrog:** JFrog Cloud integrations must be SSL-enabled\ \ due to a known issue." registryType: title: "Registry Type" type: "string" description: "The container registry's type." enum: - "V2_REGISTRY" default: "V2_REGISTRY" registryDomain: title: "Registry Domain" type: "string" description: "When sending a request, if you use `docker login `:`,\ \ specify the domain as `:`. If you use `docker\ \ login `, specify the domain as: ``. If you use\ \ `docker login :`, specify the domain as: `:`.\ \ When included in a response, returns the registry domain." registryNotifications: title: "Subscribe to Registry Notifications" type: "boolean" description: "When sending a request, if the [container registry supports\ \ notifications](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=containerRegistryDockerV2Url),\ \ you can optionally set to `True`. When included in a response, returns\ \ `True` if registry notifications are enabled; or returns `False` if\ \ registry notifications are disabled." nonOsPackageEval: description: "This feature is enabled by default. When sending a request,\ \ set to `False` if you want to disable scanning of [language libraries](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide?cshid=CONTAINER_IMAGE_SUPPORT).\ \ When included in a response, returns `True` if the scanning of language\ \ libraries is enabled, or returns `False` if the scanning of language\ \ libraries is disabled." type: "boolean" default: true limitByTag: title: "Limit by Tag(s) (optional)" description: "When sending a request, if you do not want to assess all images\ \ in this registry, specify text from an image tag so that only images\ \ with matching tag text will be assessed. To change which images you\ \ want to assess, update this field so the change is captured during the\ \ next polling period. You can input multiple tags. If you specify tag\ \ and label limits, they function as an AND. When included in a response,\ \ returns a list of texts that will be used to assess images." default: [] type: "array" items: type: "string" pattern: "^[\\w.\\-]*[*]?[\\w.\\-]{0,127}$" baseImageRepo: title: "Add base image repositories (optional)" description: "If you have base images that you want to discover/assess,\ \ add a comma-separated list with base image repositories" default: [] type: "array" items: type: "string" limitByLabel: title: "Limit by Label(s) (optional)" description: "When sending a request, if you do not want to assess all images\ \ in this registry, specify `key:value` pairs so that only images with\ \ matching label `key:value` pairs will be assessed. To change which images\ \ you want to assess, update this field so the change is captured during\ \ the next polling period. Supported field input: `key:value`. If you\ \ specify tag and label limits, they function as an AND. When included\ \ in a response, returns a list of labels that will be used to assess\ \ images." default: [] type: "array" items: type: "object" example: - key1: "value1" - key2: "value2" title: "Docker V2 Registry" type: "object" ContainerRegistries_Create_Schema: oneOf: - $ref: "#/components/schemas/ContainerRegistries_ContVulnCfg_Create_Schema" discriminator: propertyName: "type" mapping: ContVulnCfg: "#/components/schemas/ContainerRegistries_ContVulnCfg_Create_Schema" ContainerRegistries_Response_Schema: oneOf: - $ref: "#/components/schemas/ContainerRegistries_ContVulnCfg_Response_Schema" discriminator: propertyName: "type" mapping: ContVulnCfg: "#/components/schemas/ContainerRegistries_ContVulnCfg_Response_Schema" ContainerRegistries_Update_Schema: oneOf: - $ref: "#/components/schemas/ContainerRegistries_ContVulnCfg_Update_Schema" discriminator: propertyName: "type" mapping: ContVulnCfg: "#/components/schemas/ContainerRegistries_ContVulnCfg_Update_Schema" ContractInfo: properties: objName: type: "string" props: type: "object" ContractInfo_Response_Schema: properties: objName: type: "string" description: "The license's name." props: type: "object" description: "The contract details." additionalProperties: true DataExportRules: allOf: - $ref: "#/components/schemas/DataExportRules_Create_Schema" - type: "object" properties: mcGuid: type: "string" DataExportRules_Create_Schema: allOf: - $ref: "#/components/schemas/DataExportRules_Update_Schema" - type: "object" required: - "filters" - "intgGuidList" - "type" properties: type: type: "string" description: "The data export rule's type such as `Dataexport`." enum: - "Dataexport" filters: type: "object" description: "When sending a request, use this object to define the new\ \ data export rule. When included in a response, this object contains\ \ details of a data export rule.
You can use these attributes\ \ when searching for existing data export rules by invoking a POST request." required: - "name" - "enabled" properties: name: type: "string" description: "The data export rule's name." minLength: 1 description: type: "string" description: "Summary of the data export rule." enabled: description: "When sending a request, use this attribute to enable\ \ or disable a data export rule. When included in a response, returns\ \ `1` for enabled data export rules, or returns `0` for disabled\ \ data export rules." enum: - 0 - 1 example: 1 profileVersions: type: "array" description: "A list of profile versions." uniqueItems: true items: type: "string" DataExportRules_Response_Schema: allOf: - $ref: "#/components/schemas/DataExportRules_Create_Schema" - type: "object" properties: mcGuid: type: "string" description: "Data Export Rule ID" additionalProperties: true DataExportRules_Update_Schema: type: "object" properties: filters: type: "object" description: "When sending a request, use this object to define the new\ \ data export rule. When included in a response, this object contains\ \ details of a data export rule.
You can use these attributes when\ \ searching for existing data export rules by invoking a POST request." properties: name: type: "string" description: "The data export rule's name." minLength: 1 description: type: "string" description: "Summary of the data export rule." enabled: description: "When sending a request, use this attribute to enable or\ \ disable a data export rule. When included in a response, returns\ \ `1` for enabled data export rules, or returns `0` for disabled data\ \ export rules." enum: - 0 - 1 example: 1 profileVersions: type: "array" description: "A list of profile versions." uniqueItems: true items: type: "string" intgGuidList: type: "array" description: "The alert channels for the rule to use." minItems: 1 uniqueItems: true items: type: "string" Dataset_2_Request_Body_Schema: allOf: - $ref: "#/components/schemas/GET_DATA_REQUEST_BODY_TIME_FILTERS" - type: "object" additionalProperties: false properties: csp: description: "Cloud service provider. You must specify either `csp` or\ \ `dataset` in the request." enum: - "AWS" - "Azure" - "GCP" dataset: deprecated: true description: "You must specify either `csp` or `dataset` in the request." enum: - "AwsCompliance" - "GcpCompliance" Dataset_Request_Body_Schema: allOf: - $ref: "#/components/schemas/GET_DATA_REQUEST_BODY_TIME_FILTERS" - type: "object" additionalProperties: false required: - "dataset" properties: dataset: enum: - "AwsCompliance" - "AzureCompliance" - "GcpCompliance" - "K8sCompliance" Datasources_Response_Schema: required: - "name" - "description" properties: name: description: "Name of the datasource" type: "string" description: description: "Description of the datasource" type: "string" resultSchema: description: "The datasource's schema that can be used to write queries\ \ for the datasource." type: "array" items: type: "object" properties: name: type: "string" description: "Name of the column." dataType: type: "string" description: "The data type of this column." description: type: "string" description: "Description of the data that this column holds." sourceRelationships: description: "The relationship between this datasource and other datasources." type: "array" items: type: "object" properties: from: type: "string" description: "The table that is the source of the relationship. For\ \ example, MACHINES." to: type: "string" description: "The table that is the destination of the relationship.\ \ For example, DNS_REQUESTS." name: type: "string" description: "Name of this relationship. For example, Machines-to-DNS-Requests." description: type: "string" description: "Description of the relationship. For example, DNS requests\ \ made from this machine." toCardinality: type: "string" description: "The cardinality of values from a single source value." additionalProperties: true Entities_Applications_Response_Schema: properties: startTime: type: "string" endTime: type: "string" mid: type: "integer" appName: type: "string" exePath: type: "string" username: type: "object" propsMachine: type: "object" containerInfo: type: "object" netStats: type: "object" props: type: "object" additionalProperties: true Entities_CommandLines_Response_Schema: properties: createdTime: type: "string" cmdlineHash: type: "string" cmdline: type: "string" additionalProperties: true Entities_Containers_Response_Schema: properties: startTime: type: "string" endTime: type: "string" mid: type: "integer" containerName: type: "string" podName: type: "string" imageId: type: "string" propsContainer: type: "object" tags: type: "object" additionalProperties: true Entities_Files_Response_Schema: properties: createdTime: type: "string" mid: type: "integer" filePath: type: "string" filedataHash: type: "string" size: type: "integer" mtime: type: "string" additionalProperties: true Entities_Images_Response_Schema: properties: createdTime: type: "string" mid: type: "integer" imageId: type: "string" repo: type: "string" tag: type: "string" size: type: "integer" containerType: type: "string" additionalProperties: true Entities_InternalIPAddresses_Response_Schema: properties: startTime: type: "string" endTime: type: "string" ipAddr: type: "string" mid: type: "integer" additionalProperties: true Entities_K8sPods_Response_Schema: properties: startTime: type: "string" endTime: type: "string" mid: type: "integer" podName: type: "string" primaryIpAddr: type: "string" propsContainer: type: "object" additionalProperties: true Entities_MachineDetails_Response_Schema: properties: createdTime: type: "string" mid: type: "integer" hostname: type: "string" domain: type: "string" os: type: "string" osVersion: type: "string" kernel: type: "string" kernelRelease: type: "string" kernelVersion: type: "string" tags: type: "object" awsInstanceId: type: "string" awsZone: type: "string" additionalProperties: true Entities_Machines_Response_Schema: properties: startTime: type: "string" endTime: type: "string" mid: type: "integer" hostname: type: "string" machineTags: type: "object" primaryIpAddr: type: "string" entityType: type: "string" additionalProperties: true Entities_NetworkInterfaces_Response_Schema: properties: createdTime: type: "string" mid: type: "integer" name: type: "string" hwAddr: type: "string" ipAddr: type: "string" additionalProperties: true Entities_NewFileHashes_Response_Schema: properties: startTime: type: "string" endTime: type: "string" filedataHash: type: "string" additionalProperties: true Entities_Packages_Response_Schema: properties: createdTime: type: "string" mid: type: "integer" packageName: type: "string" version: type: "string" arch: type: "string" additionalProperties: true Entities_Processes_Response_Schema: properties: startTime: type: "string" endTime: type: "string" mid: type: "integer" pid: type: "integer" ppid: type: "integer" username: type: "string" uid: type: "integer" filePath: type: "string" cmdlineHash: type: "string" podName: type: "string" processStartTime: type: "string" containerId: type: "string" additionalProperties: true Entities_Users_Response_Schema: properties: createdTime: type: "string" mid: type: "integer" username: type: "string" uid: type: "integer" primaryGroupName: type: "string" otherGroupNames: type: "string" additionalProperties: true Events_Response_Schema: properties: id: type: "number" startTime: type: "string" endTime: type: "string" eventType: type: "string" srcEvent: type: "object" srcType: type: "string" dstEvent: type: "object" dstType: type: "string" eventCount: type: "number" additionalProperties: true Exceptions_Create_Schema: allOf: - $ref: "#/components/schemas/Exceptions_Update_Schema" - type: "object" required: - "constraints" properties: {} Exceptions_Response_Schema: allOf: - $ref: "#/components/schemas/Exceptions_Create_Schema" - type: "object" properties: exceptionId: description: "Unique identifier of the new exception.\n\n" type: "string" nullable: false additionalProperties: true Exceptions_Update_Schema: type: "object" properties: description: description: "A brief description of the new exception." type: "string" constraints: description: "The detailed constraints applied to the exception." type: "array" items: type: "object" properties: fieldKey: type: "string" description: "A representation of an identifier for a specific data\ \ element." nullable: false fieldValues: type: "array" description: "A list of the field values from the dataset." items: type: "object" nullable: false FilterItemaccountAlias: title: "accountAlias" description: "Filter item for the 'accountAlias' field, which expects a string\ \ value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseStringFilterItem" - type: "object" properties: field: type: "string" enum: - "accountAlias" FilterItemaccountId: title: "accountId" description: "Filter item for the 'accountId' field, which expects a string\ \ value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseStringFilterItem" - type: "object" properties: field: type: "string" enum: - "accountId" FilterItemactiveContainerCount: title: "activeContainerCount" description: "Filter item for the 'activeContainerCount' field, which expects\ \ an integer value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseIntegerFilterItem" - type: "object" properties: field: type: "string" enum: - "activeContainerCount" FilterItemagentLastDiscoveredTime: title: "agentLastDiscoveredTime" description: "Filter item for the 'agentLastDiscoveredTime' field, which expects\ \ an ISO 8601 UTC timestamp value. See docs more details." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseTimestampFilterItem" - type: "object" properties: field: type: "string" enum: - "agentLastDiscoveredTime" FilterItemagentlessLastDiscoveredTime: title: "agentlessLastDiscoveredTime" description: "Filter item for the 'agentlessLastDiscoveredTime' field, which\ \ expects an ISO 8601 UTC timestamp value. See docs more details." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseTimestampFilterItem" - type: "object" properties: field: type: "string" enum: - "agentlessLastDiscoveredTime" FilterItemavdEnabled: title: "avdEnabled" description: "Filter item for the 'avdEnabled' field, which expects an integer\ \ value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseIntegerFilterItem" - type: "object" properties: field: type: "string" enum: - "avdEnabled" FilterItemcloudProvider: title: "cloudProvider" description: "Filter item for the 'cloudProvider' field, which expects a string\ \ value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseStringFilterItem" - type: "object" properties: field: type: "string" enum: - "cloudProvider" FilterItemcoverageType: title: "coverageType" description: "Filter item for the 'coverageType' field, which expects a string\ \ value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseStringFilterItem" - type: "object" properties: field: type: "string" enum: - "coverageType" FilterItemcvssAttackComplexity: title: "cvssAttackComplexity" description: "Filter item for the 'cvssAttackComplexity' field, which expects\ \ a string value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseStringFilterItem" - type: "object" properties: field: type: "string" enum: - "cvssAttackComplexity" FilterItemcvssAttackVector: title: "cvssAttackVector" description: "Filter item for the 'cvssAttackVector' field, which expects a\ \ string value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseStringFilterItem" - type: "object" properties: field: type: "string" enum: - "cvssAttackVector" FilterItemcvssAuthentication: title: "cvssAuthentication" description: "Filter item for the 'cvssAuthentication' field, which expects\ \ a string value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseStringFilterItem" - type: "object" properties: field: type: "string" enum: - "cvssAuthentication" FilterItemcvssAvailability: title: "cvssAvailability" description: "Filter item for the 'cvssAvailability' field, which expects a\ \ string value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseStringFilterItem" - type: "object" properties: field: type: "string" enum: - "cvssAvailability" FilterItemcvssConfidentiality: title: "cvssConfidentiality" description: "Filter item for the 'cvssConfidentiality' field, which expects\ \ a string value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseStringFilterItem" - type: "object" properties: field: type: "string" enum: - "cvssConfidentiality" FilterItemcvssExploitabilityScore: title: "cvssExploitabilityScore" description: "Filter item for the 'cvssExploitabilityScore' field, which expects\ \ an integer value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseIntegerFilterItem" - type: "object" properties: field: type: "string" enum: - "cvssExploitabilityScore" FilterItemcvssImpactScore: title: "cvssImpactScore" description: "Filter item for the 'cvssImpactScore' field, which expects an\ \ integer value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseIntegerFilterItem" - type: "object" properties: field: type: "string" enum: - "cvssImpactScore" FilterItemcvssIntegrity: title: "cvssIntegrity" description: "Filter item for the 'cvssIntegrity' field, which expects a string\ \ value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseStringFilterItem" - type: "object" properties: field: type: "string" enum: - "cvssIntegrity" FilterItemcvssPrivilegesRequired: title: "cvssPrivilegesRequired" description: "Filter item for the 'cvssPrivilegesRequired' field, which expects\ \ a string value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseStringFilterItem" - type: "object" properties: field: type: "string" enum: - "cvssPrivilegesRequired" FilterItemcvssScope: title: "cvssScope" description: "Filter item for the 'cvssScope' field, which expects a string\ \ value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseStringFilterItem" - type: "object" properties: field: type: "string" enum: - "cvssScope" FilterItemcvssScore: title: "cvssScore" description: "Filter item for the 'cvssScore' field, which expects an integer\ \ value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseIntegerFilterItem" - type: "object" properties: field: type: "string" enum: - "cvssScore" FilterItemcvssUserInteraction: title: "cvssUserInteraction" description: "Filter item for the 'cvssUserInteraction' field, which expects\ \ a string value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseStringFilterItem" - type: "object" properties: field: type: "string" enum: - "cvssUserInteraction" FilterItemcvssVectorString: title: "cvssVectorString" description: "Filter item for the 'cvssVectorString' field, which expects a\ \ string value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseStringFilterItem" - type: "object" properties: field: type: "string" enum: - "cvssVectorString" FilterItemcvssVersion: title: "cvssVersion" description: "Filter item for the 'cvssVersion' field, which expects a string\ \ value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseStringFilterItem" - type: "object" properties: field: type: "string" enum: - "cvssVersion" FilterItemexternalIp: title: "externalIp" description: "Filter item for the 'externalIp' field, which expects a string\ \ value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseStringFilterItem" - type: "object" properties: field: type: "string" enum: - "externalIp" FilterItemfixVersion: title: "fixVersion" description: "Filter item for the 'fixVersion' field, which expects a string\ \ value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseStringFilterItem" - type: "object" properties: field: type: "string" enum: - "fixVersion" FilterItemfixable: title: "fixable" description: "Filter item for the 'fixable' field, which expects an integer\ \ value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseIntegerFilterItem" - type: "object" properties: field: type: "string" enum: - "fixable" FilterItemhasActiveContainers: title: "hasActiveContainers" description: "Filter item for the 'hasActiveContainers' field, which expects\ \ an integer value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseIntegerFilterItem" - type: "object" properties: field: type: "string" enum: - "hasActiveContainers" FilterItemhasAvdEnabledContainers: title: "hasAvdEnabledContainers" description: "Filter item for the 'hasAvdEnabledContainers' field, which expects\ \ an integer value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseIntegerFilterItem" - type: "object" properties: field: type: "string" enum: - "hasAvdEnabledContainers" FilterItemhostAvdEnabledLastDiscoveredTime: title: "hostAvdEnabledLastDiscoveredTime" description: "Filter item for the 'hostAvdEnabledLastDiscoveredTime' field,\ \ which expects an ISO 8601 UTC timestamp value. See docs more details." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseTimestampFilterItem" - type: "object" properties: field: type: "string" enum: - "hostAvdEnabledLastDiscoveredTime" FilterItemhostFirstDiscoveredTime: title: "hostFirstDiscoveredTime" description: "Filter item for the 'hostFirstDiscoveredTime' field, which expects\ \ an ISO 8601 UTC timestamp value. See docs more details." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseTimestampFilterItem" - type: "object" properties: field: type: "string" enum: - "hostFirstDiscoveredTime" FilterItemhostIpPropsLastDiscoveredTime: title: "hostIpPropsLastDiscoveredTime" description: "Filter item for the 'hostIpPropsLastDiscoveredTime' field, which\ \ expects an ISO 8601 UTC timestamp value. See docs more details." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseTimestampFilterItem" - type: "object" properties: field: type: "string" enum: - "hostIpPropsLastDiscoveredTime" FilterItemhostLastDiscoveredTime: title: "hostLastDiscoveredTime" description: "Filter item for the 'hostLastDiscoveredTime' field, which expects\ \ an ISO 8601 UTC timestamp value. See docs more details." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseTimestampFilterItem" - type: "object" properties: field: type: "string" enum: - "hostLastDiscoveredTime" FilterItemhostLastEvalTime: title: "hostLastEvalTime" description: "Filter item for the 'hostLastEvalTime' field, which expects an\ \ ISO 8601 UTC timestamp value. See docs more details." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseTimestampFilterItem" - type: "object" properties: field: type: "string" enum: - "hostLastEvalTime" FilterItemhostMachineId: title: "hostMachineId" description: "Filter item for the 'hostMachineId' field, which expects a string\ \ value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseStringFilterItem" - type: "object" properties: field: type: "string" enum: - "hostMachineId" FilterItemhostName: title: "hostName" description: "Filter item for the 'hostName' field, which expects a string value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseStringFilterItem" - type: "object" properties: field: type: "string" enum: - "hostName" FilterItemhostRiskScore: title: "hostRiskScore" description: "Filter item for the 'hostRiskScore' field, which expects an integer\ \ value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseIntegerFilterItem" - type: "object" properties: field: type: "string" enum: - "hostRiskScore" FilterItemhostRiskScoreLastUpdated: title: "hostRiskScoreLastUpdated" description: "Filter item for the 'hostRiskScoreLastUpdated' field, which expects\ \ an ISO 8601 UTC timestamp value. See docs more details." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseTimestampFilterItem" - type: "object" properties: field: type: "string" enum: - "hostRiskScoreLastUpdated" FilterItemimageCreatedTime: title: "imageCreatedTime" description: "Filter item for the 'imageCreatedTime' field, which expects an\ \ ISO 8601 UTC timestamp value. See docs more details." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseTimestampFilterItem" - type: "object" properties: field: type: "string" enum: - "imageCreatedTime" FilterItemimageDigests: title: "imageDigests" description: "Filter item for the 'imageDigests' field." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseJSONFilterItem" - type: "object" properties: field: type: "string" enum: - "imageDigests" FilterItemimageFirstDiscoveredTime: title: "imageFirstDiscoveredTime" description: "Filter item for the 'imageFirstDiscoveredTime' field, which expects\ \ an ISO 8601 UTC timestamp value. See docs more details." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseTimestampFilterItem" - type: "object" properties: field: type: "string" enum: - "imageFirstDiscoveredTime" FilterItemimageId: title: "imageId" description: "Filter item for the 'imageId' field, which expects a string value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseStringFilterItem" - type: "object" properties: field: type: "string" enum: - "imageId" FilterItemimageLastDiscoveredTime: title: "imageLastDiscoveredTime" description: "Filter item for the 'imageLastDiscoveredTime' field, which expects\ \ an ISO 8601 UTC timestamp value. See docs more details." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseTimestampFilterItem" - type: "object" properties: field: type: "string" enum: - "imageLastDiscoveredTime" FilterItemimageLastScanTime: title: "imageLastScanTime" description: "Filter item for the 'imageLastScanTime' field, which expects an\ \ ISO 8601 UTC timestamp value. See docs more details." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseTimestampFilterItem" - type: "object" properties: field: type: "string" enum: - "imageLastScanTime" FilterItemimageLatestScanSuccessful: title: "imageLatestScanSuccessful" description: "Filter item for the 'imageLatestScanSuccessful' field, which expects\ \ an integer value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseIntegerFilterItem" - type: "object" properties: field: type: "string" enum: - "imageLatestScanSuccessful" FilterItemimageLatestSuccessfulScanTime: title: "imageLatestSuccessfulScanTime" description: "Filter item for the 'imageLatestSuccessfulScanTime' field, which\ \ expects an ISO 8601 UTC timestamp value. See docs more details." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseTimestampFilterItem" - type: "object" properties: field: type: "string" enum: - "imageLatestSuccessfulScanTime" FilterItemimageNames: title: "imageNames" description: "Filter item for the 'imageNames' field." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseJSONFilterItem" - type: "object" properties: field: type: "string" enum: - "imageNames" FilterItemimageRegistries: title: "imageRegistries" description: "Filter item for the 'imageRegistries' field." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseJSONFilterItem" - type: "object" properties: field: type: "string" enum: - "imageRegistries" FilterItemimageRepositories: title: "imageRepositories" description: "Filter item for the 'imageRepositories' field." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseJSONFilterItem" - type: "object" properties: field: type: "string" enum: - "imageRepositories" FilterItemimageRequestSources: title: "imageRequestSources" description: "Filter item for the 'imageRequestSources' field." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseJSONFilterItem" - type: "object" properties: field: type: "string" enum: - "imageRequestSources" FilterItemimageRiskScore: title: "imageRiskScore" description: "Filter item for the 'imageRiskScore' field, which expects an integer\ \ value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseIntegerFilterItem" - type: "object" properties: field: type: "string" enum: - "imageRiskScore" FilterItemimageRiskScoreLastUpdated: title: "imageRiskScoreLastUpdated" description: "Filter item for the 'imageRiskScoreLastUpdated' field, which expects\ \ an ISO 8601 UTC timestamp value. See docs more details." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseTimestampFilterItem" - type: "object" properties: field: type: "string" enum: - "imageRiskScoreLastUpdated" FilterItemimageScanErrorMessage: title: "imageScanErrorMessage" description: "Filter item for the 'imageScanErrorMessage' field." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseJSONFilterItem" - type: "object" properties: field: type: "string" enum: - "imageScanErrorMessage" FilterItemimageScanStatus: title: "imageScanStatus" description: "Filter item for the 'imageScanStatus' field, which expects a string\ \ value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseStringFilterItem" - type: "object" properties: field: type: "string" enum: - "imageScanStatus" FilterItemimageSize: title: "imageSize" description: "Filter item for the 'imageSize' field, which expects an integer\ \ value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseIntegerFilterItem" - type: "object" properties: field: type: "string" enum: - "imageSize" FilterItemimageTags: title: "imageTags" description: "Filter item for the 'imageTags' field." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseJSONFilterItem" - type: "object" properties: field: type: "string" enum: - "imageTags" FilterItemimageType: title: "imageType" description: "Filter item for the 'imageType' field, which expects a string\ \ value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseStringFilterItem" - type: "object" properties: field: type: "string" enum: - "imageType" FilterIteminternalIp: title: "internalIp" description: "Filter item for the 'internalIp' field, which expects a string\ \ value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseStringFilterItem" - type: "object" properties: field: type: "string" enum: - "internalIp" FilterIteminternetExposed: title: "internetExposed" description: "Filter item for the 'internetExposed' field, which expects an\ \ integer value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseIntegerFilterItem" - type: "object" properties: field: type: "string" enum: - "internetExposed" FilterIteminternetExposedLastUpdated: title: "internetExposedLastUpdated" description: "Filter item for the 'internetExposedLastUpdated' field, which\ \ expects an ISO 8601 UTC timestamp value. See docs more details." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseTimestampFilterItem" - type: "object" properties: field: type: "string" enum: - "internetExposedLastUpdated" FilterItemmachineImage: title: "machineImage" description: "Filter item for the 'machineImage' field, which expects a string\ \ value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseStringFilterItem" - type: "object" properties: field: type: "string" enum: - "machineImage" FilterItemmachineStatus: title: "machineStatus" description: "Filter item for the 'machineStatus' field, which expects a string\ \ value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseStringFilterItem" - type: "object" properties: field: type: "string" enum: - "machineStatus" FilterItemmachineStatusLastDiscoveredTime: title: "machineStatusLastDiscoveredTime" description: "Filter item for the 'machineStatusLastDiscoveredTime' field, which\ \ expects an ISO 8601 UTC timestamp value. See docs more details." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseTimestampFilterItem" - type: "object" properties: field: type: "string" enum: - "machineStatusLastDiscoveredTime" FilterItemmachineTags: title: "machineTags" description: "Filter item for the 'machineTags' field." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseJSONFilterItem" - type: "object" properties: field: type: "string" enum: - "machineTags" FilterItemobservationFirstDiscoveredTime: title: "observationFirstDiscoveredTime" description: "Filter item for the 'observationFirstDiscoveredTime' field, which\ \ expects an ISO 8601 UTC timestamp value. See docs more details." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseTimestampFilterItem" - type: "object" properties: field: type: "string" enum: - "observationFirstDiscoveredTime" FilterItemobservationFixedTime: title: "observationFixedTime" description: "Filter item for the 'observationFixedTime' field, which expects\ \ an ISO 8601 UTC timestamp value. See docs more details." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseTimestampFilterItem" - type: "object" properties: field: type: "string" enum: - "observationFixedTime" FilterItemobservationLastDiscoveredTime: title: "observationLastDiscoveredTime" description: "Filter item for the 'observationLastDiscoveredTime' field, which\ \ expects an ISO 8601 UTC timestamp value. See docs more details." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseTimestampFilterItem" - type: "object" properties: field: type: "string" enum: - "observationLastDiscoveredTime" FilterItemobservationStatus: title: "observationStatus" description: "Filter item for the 'observationStatus' field, which expects a\ \ string value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseStringFilterItem" - type: "object" properties: field: type: "string" enum: - "observationStatus" FilterItemobservationStatusCategory: title: "observationStatusCategory" description: "Filter item for the 'observationStatusCategory' field, which expects\ \ a string value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseStringFilterItem" - type: "object" properties: field: type: "string" enum: - "observationStatusCategory" FilterItemobservationVulnerableSinceTime: title: "observationVulnerableSinceTime" description: "Filter item for the 'observationVulnerableSinceTime' field, which\ \ expects an ISO 8601 UTC timestamp value. See docs more details." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseTimestampFilterItem" - type: "object" properties: field: type: "string" enum: - "observationVulnerableSinceTime" FilterItemorganizationId: title: "organizationId" description: "Filter item for the 'organizationId' field, which expects a string\ \ value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseStringFilterItem" - type: "object" properties: field: type: "string" enum: - "organizationId" FilterItemos: title: "os" description: "Filter item for the 'os' field, which expects a string value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseStringFilterItem" - type: "object" properties: field: type: "string" enum: - "os" FilterItemosEolDate: title: "osEolDate" description: "Filter item for the 'osEolDate' field, which expects an ISO 8601\ \ UTC timestamp value. See docs more details." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseTimestampFilterItem" - type: "object" properties: field: type: "string" enum: - "osEolDate" FilterItemosName: title: "osName" description: "Filter item for the 'osName' field, which expects a string value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseStringFilterItem" - type: "object" properties: field: type: "string" enum: - "osName" FilterItemosNamespace: title: "osNamespace" description: "Filter item for the 'osNamespace' field, which expects a string\ \ value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseStringFilterItem" - type: "object" properties: field: type: "string" enum: - "osNamespace" FilterItemosOutOfDate: title: "osOutOfDate" description: "Filter item for the 'osOutOfDate' field, which expects an integer\ \ value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseIntegerFilterItem" - type: "object" properties: field: type: "string" enum: - "osOutOfDate" FilterItemosRebootRequired: title: "osRebootRequired" description: "Filter item for the 'osRebootRequired' field, which expects an\ \ integer value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseIntegerFilterItem" - type: "object" properties: field: type: "string" enum: - "osRebootRequired" FilterItemosType: title: "osType" description: "Filter item for the 'osType' field, which expects a string value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseStringFilterItem" - type: "object" properties: field: type: "string" enum: - "osType" FilterItemosUpdatesDisabled: title: "osUpdatesDisabled" description: "Filter item for the 'osUpdatesDisabled' field, which expects an\ \ integer value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseIntegerFilterItem" - type: "object" properties: field: type: "string" enum: - "osUpdatesDisabled" FilterItemosVersion: title: "osVersion" description: "Filter item for the 'osVersion' field, which expects a string\ \ value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseStringFilterItem" - type: "object" properties: field: type: "string" enum: - "osVersion" FilterItempackageLastActiveTime: title: "packageLastActiveTime" description: "Filter item for the 'packageLastActiveTime' field, which expects\ \ an ISO 8601 UTC timestamp value. See docs more details." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseTimestampFilterItem" - type: "object" properties: field: type: "string" enum: - "packageLastActiveTime" FilterItempackageName: title: "packageName" description: "Filter item for the 'packageName' field, which expects a string\ \ value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseStringFilterItem" - type: "object" properties: field: type: "string" enum: - "packageName" FilterItempackageNamespace: title: "packageNamespace" description: "Filter item for the 'packageNamespace' field, which expects a\ \ string value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseStringFilterItem" - type: "object" properties: field: type: "string" enum: - "packageNamespace" FilterItempackagePath: title: "packagePath" description: "Filter item for the 'packagePath' field, which expects a string\ \ value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseStringFilterItem" - type: "object" properties: field: type: "string" enum: - "packagePath" FilterItempackageStatus: title: "packageStatus" description: "Filter item for the 'packageStatus' field, which expects a string\ \ value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseStringFilterItem" - type: "object" properties: field: type: "string" enum: - "packageStatus" FilterItempackageVersion: title: "packageVersion" description: "Filter item for the 'packageVersion' field, which expects a string\ \ value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseStringFilterItem" - type: "object" properties: field: type: "string" enum: - "packageVersion" FilterItempublicFacing: title: "publicFacing" description: "Filter item for the 'publicFacing' field, which expects an integer\ \ value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseIntegerFilterItem" - type: "object" properties: field: type: "string" enum: - "publicFacing" FilterItemseverity: title: "severity" description: "Filter item for the 'severity' field, which expects a string value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseStringFilterItem" - type: "object" properties: field: type: "string" enum: - "severity" FilterItemvulnId: title: "vulnId" description: "Filter item for the 'vulnId' field, which expects a string value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseStringFilterItem" - type: "object" properties: field: type: "string" enum: - "vulnId" FilterItemvulnLink: title: "vulnLink" description: "Filter item for the 'vulnLink' field, which expects a string value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseStringFilterItem" - type: "object" properties: field: type: "string" enum: - "vulnLink" FilterItemvulnPublicExploitAvailable: title: "vulnPublicExploitAvailable" description: "Filter item for the 'vulnPublicExploitAvailable' field, which\ \ expects an integer value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseIntegerFilterItem" - type: "object" properties: field: type: "string" enum: - "vulnPublicExploitAvailable" FilterItemvulnPublicExploitDate: title: "vulnPublicExploitDate" description: "Filter item for the 'vulnPublicExploitDate' field, which expects\ \ an ISO 8601 UTC timestamp value. See docs more details." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseTimestampFilterItem" - type: "object" properties: field: type: "string" enum: - "vulnPublicExploitDate" FilterItemzone: title: "zone" description: "Filter item for the 'zone' field, which expects a string value." allOf: - $ref: "#/components/schemas/GenericFilterItem" - $ref: "#/components/schemas/BaseStringFilterItem" - type: "object" properties: field: type: "string" enum: - "zone" GENERIC_FILTERS: properties: filters: type: "array" description: "One or more condition statements you can use to refine the\ \ data returned by the request. Only records that satisfy filtering conditions\ \ are returned. If there are multiple conditions, a record must satisfy\ \ all conditions for a match." items: type: "object" required: - "expression" - "field" properties: expression: type: "string" description: "The comparison operator for the filter condition." enum: - "eq" - "ne" - "in" - "not_in" - "like" - "ilike" - "not_like" - "not_ilike" - "not_rlike" - "rlike" - "gt" - "ge" - "lt" - "le" - "between" field: type: "string" description: "The name of the data field to which the condition applies." value: type: "string" description: "The value that the condition checks for in the specified\ \ field. Use this attribute when specifying a single value." values: type: "array" description: "The values that the condition checks for in the specified\ \ field. Use this attribute when specifying multiple values." items: type: "string" GENERIC_FILTERS_FOR_ALERTS: properties: filters: type: "array" description: "One or more condition statements you can use to refine the\ \ data returned by the request. Only records that satisfy filtering conditions\ \ are returned. If there are multiple conditions, a record must satisfy\ \ all conditions for a match." items: type: "object" required: - "expression" - "field" properties: expression: type: "string" description: "The comparison operator for the filter condition." enum: - "eq" field: type: "string" description: "The name of the data field to which the condition applies." enum: - "alertId" - "alertType" - "severity" - "status" - "subCategory" - "category" - "source" value: type: "string" description: "The value that the condition checks for in the specified\ \ field." GET_DATA_REQUEST_BODY_FILTERS: allOf: - $ref: "#/components/schemas/GENERIC_FILTERS" - $ref: "#/components/schemas/RETURN_FIELDS" GET_DATA_REQUEST_BODY_TIME_FILTERS: allOf: - $ref: "#/components/schemas/TIME_FILTER" - $ref: "#/components/schemas/GENERIC_FILTERS" - $ref: "#/components/schemas/RETURN_FIELDS" GET_DATA_REQUEST_BODY_TIME_FILTERS_FOR_ALERTS: allOf: - $ref: "#/components/schemas/TIME_FILTER" - $ref: "#/components/schemas/GENERIC_FILTERS_FOR_ALERTS" - $ref: "#/components/schemas/RETURN_FIELDS" GenericFilterItem: type: "object" required: - "expression" - "field" properties: expression: type: "string" description: "The comparison operator for the filter condition." field: type: "string" description: "The name of the data field to which the condition applies." value: type: "string" description: "The value that the condition checks for in the specified field.\ \ Use this attribute when specifying a single value." values: type: "array" description: "The values that the condition checks for in the specified\ \ field. Use this attribute when specifying multiple values." items: type: "string" Inventory_Response_Schema: properties: apiKey: type: "string" cloudDetails: type: "object" csp: type: "string" endTime: type: "string" resourceConfig: type: "object" resourceId: type: "string" resourceRegion: type: "string" resourceTags: type: "object" resourceType: type: "string" service: type: "string" startTime: type: "string" status: type: "object" urn: type: "string" additionalProperties: true JSONFilterExpression: type: "string" description: "Comparison operator for JSON values." enum: - "eq" - "ne" - "between" - "in" - "not_in" - "gt" - "ge" - "lt" - "le" - "like" - "ilike" - "not_like" - "not_ilike" - "rlike" - "not_rlike" NumericFilterExpression: type: "string" description: "Comparison operator for numeric values." enum: - "eq" - "ne" - "in" - "not_in" - "gt" - "ge" - "lt" - "le" - "between" OrganizationInfo_Response_Schema: properties: orgAccount: type: "boolean" orgAccountUrl: type: "string" additionalProperties: true PASSTHROUGH_API_FILTERS: properties: filters: type: "array" description: "One or more condition statements you can use to refine the\ \ data returned by the request. Only records that satisfy filtering conditions\ \ are returned. If there are multiple conditions, a record must satisfy\ \ all conditions for a match.\n\n To use wildcards with the `LIKE`, `ILIKE`\ \ `NOT_LIKE` OR `NOT_ILIKE` filters, use the % symbol to match any string.\ \ This allows you to perform more flexible and broad searches for text\ \ data.\n\n - `%` represents a wildcard to match zero or more characters\ \ \n - `_` (underscore) represents a wildcard match for a single character\ \ \n" items: type: "object" required: - "expression" - "field" properties: expression: type: "string" description: "The comparison operator for the filter condition." enum: - "eq" - "ne" - "in" - "not_in" - "like" - "ilike" - "not_like" - "not_ilike" - "gt" - "ge" - "lt" - "le" - "between" field: type: "string" description: "The name of the data field to which the condition applies." value: type: "string" description: "The value that the condition checks for in the specified\ \ field. Use this attribute when specifying a single value." values: type: "array" description: "The values that the condition checks for in the specified\ \ field. Use this attribute when specifying multiple values." items: type: "string" Paging_Schema: description: "Details of the response's pagination" properties: rows: type: "number" description: "The number of rows displayed on each page" totalRows: type: "number" description: "The number of rows returned from the query" urls: type: "object" description: "Pagination-related URLs" properties: nextPage: type: "string" description: "The next page's URL" Policies_Create_Schema: allOf: - $ref: "#/components/schemas/Policies_Update_Schema" - type: "object" required: - "title" - "enabled" - "description" - "queryId" - "remediation" - "severity" - "alertEnabled" properties: policyId: type: "string" description: "Policy ID. The convention for policy ID creation is `accountName-remainder`,\ \ for example, lws-special-100. When sending a request, you can simply\ \ provide `$account-`, and Lacework will substitute the `$account`\ \ prefix with your actual account name. **Note:** The `-remainder` must\ \ use the regex pattern (`^[a-z]{1,16}(-\\d{1,8})?$`), and cannot be\ \ `default` or start with `default-`." Policies_Response_Schema: allOf: - $ref: "#/components/schemas/Policies_Create_Schema" - type: "object" properties: evaluatorId: description: "Evaluator ID. For POST and PATCH endpoints, the `evaluatorId`\ \ field is still accepted but is ignored. No warning is returned if\ \ an `evaluatorId` is provided; this behavior may change in the future.\ \ For responses from all of these calls, an `evaluatorId` field is no\ \ longer returned." type: "string" owner: type: "string" description: "The user who created the policy." lastUpdateTime: type: "string" description: "The timestamp for when the policy was last updated." lastUpdateUser: description: "The user who last updated the policy." type: "string" exceptionConfiguration: description: "The configuration of policy exceptions when it is applicable." type: "object" required: - "constraintFields" properties: constraintFields: description: "List of constraint fields that can be used to create\ \ policy exceptions." type: "array" items: type: "object" required: - "fieldKey" - "dataType" - "multiValue" properties: fieldKey: type: "string" description: "Field ID that can be used to apply the exception\ \ on a policy." dataType: type: "string" description: "Type can be `String` or `KVTagPair`." multiValue: type: "boolean" description: "Allow multiple values or not." additionalProperties: true Policies_Update_Schema: type: "object" properties: policyType: type: "string" description: "The policy type such as `Violation`." enum: - "Violation" queryId: type: "string" description: "Identifier of the query that executes while running the policy." title: type: "string" description: "The policy's title." enabled: type: "boolean" description: "When sending a request, use this attribute to enable or disable\ \ a policy. When included in a response, returns `True` for enabled policies,\ \ or returns `False` for disabled policies." description: type: "string" description: "Information about the new policy." remediation: type: "string" description: "Remediation strategy for the events triggered by the policy." severity: type: "string" description: "The severity of an event triggered by the policy." enum: - "info" - "low" - "medium" - "high" - "critical" limit: type: "number" description: "The maximum number of records that each policy will return.\ \ The default value is 1000." minimum: 1 default: 1000 evalFrequency: type: "string" deprecated: true description: "Frequency at which the policy will be evaluated" enum: - "Hourly" - "Daily" alertEnabled: type: "boolean" description: "When sending a request, set to `True` if you want to send\ \ alerts to an alert profile when the policy is triggered. Set to `False`\ \ if you want to mute alerts when the policy is triggered." alertProfile: type: "string" description: "The alert profile to use for sending alerts when the policy\ \ is triggered." tags: description: "A list of policy tags." type: "array" items: type: "string" Queries_Create_Schema: allOf: - $ref: "#/components/schemas/Queries_Update_Schema" - type: "object" required: - "queryId" - "queryText" properties: queryId: type: "string" description: "Identifier of the query that executes while running the\ \ policy." Queries_Response_Schema: allOf: - $ref: "#/components/schemas/Queries_Create_Schema" - type: "object" properties: evaluatorId: description: "Optional identifier of the evaluator where the query is\ \ run. This field is only for `CloudTrail` queries and policies." type: "string" owner: type: "string" description: "User that created the query" lastUpdateTime: type: "string" description: "Timestamp in the form yyyy-MM-dd'T'HH:mm:ss.SSS'Z'" lastUpdateUser: description: "User that last affected the state of this query" type: "string" resultSchema: type: "array" description: "A list of schemas that match your query." items: type: "object" properties: name: type: "string" default: "Name of the column." description: "Name of the result column" dataType: type: "string" default: "The data type of this column." description: "LQL type of the result column" description: type: "string" description: "Description of the data that this column holds." additionalProperties: true Queries_Update_Schema: type: "object" properties: queryText: type: "string" description: "When sending a request, provide a human-readable text syntax\ \ for specifying selection, filtering, and manipulation of data." Query_Execute_Options: properties: limit: type: "integer" minimum: 1 nullable: false description: "The limit field specifies the maximum number of records to\ \ return from the query. If specified, the limit must be at least 1." RETURN_FIELDS: properties: returns: type: "array" description: "Use this attribute to specify which top-level fields of the\ \ response schema you want to receive." items: type: "string" ReportConfigurations_Create_Schema: allOf: - $ref: "#/components/schemas/ReportConfigurations_Update_Schema" - type: "object" required: - "templateGuid" - "name" - "format" - "type" - "frequency" - "userGroupGuid" - "alertChannels" - "resourceGroups" properties: templateGuid: type: "string" description: "The identifier for the assessment template to be included\ \ in this configuration." format: type: "string" enum: - "pdf" description: "The report's format." type: type: "string" enum: - "Compliance" description: "The report's type." userGroupGuid: type: "string" description: "The user group identifier." ReportConfigurations_Response_Schema: allOf: - $ref: "#/components/schemas/ReportConfigurations_Create_Schema" - type: "object" properties: reportConfigGuid: type: "string" description: "The identifier for this report configuration." additionalProperties: true ReportConfigurations_Update_Schema: type: "object" properties: name: type: "string" description: "The unique name that you assign for this report configuration." frequency: type: "string" enum: - "daily" - "weekly" - "biweekly" - "monthly" description: "How often a report is generated and distributed through this\ \ distribution channel." alertChannels: type: "array" description: "One or more alert channels that are targeted for this report\ \ configuration by alert channel ID." items: type: "string" resourceGroups: type: "array" description: "One or more resource groups that are targeted for this report\ \ configuration by resource group ID." items: type: "string" filters: type: "object" description: "Filters in the report configuration." properties: severities: type: "array" description: "List of severities in the report configuration." items: type: "string" enum: - "critical" - "high" - "medium" - "low" - "info" description: "Severity to filter by." violations: type: "array" description: "List of violations in the report configuration." items: type: "string" enum: - "Compliant" - "NonCompliant" - "Suppressed" - "CouldNotAssess" - "Manual" description: "Violation status to filter by." ReportRules: allOf: - $ref: "#/components/schemas/ReportRules_Create_Schema" - type: "object" properties: mcGuid: type: "string" ReportRules_Create_Schema: allOf: - $ref: "#/components/schemas/ReportRules_Update_Schema" - type: "object" required: - "filters" - "intgGuidList" - "type" - "reportNotificationTypes" properties: type: type: "string" description: "The data type as `Report`." enum: - "Report" filters: type: "object" description: "When sending a request, use this object to define the new\ \ report rule. When included in a response, this object contains details\ \ of a report rule. You can use these attributes when searching for\ \ existing report rules by invoking a GET request." required: - "name" - "enabled" properties: name: type: "string" description: "The report rule's name." minLength: 1 description: type: "string" description: "Summary of the report rule." enabled: description: "When sending a request, use this attribute to enable\ \ or disable a report rule. When included in a response, returns\ \ `1` for enabled report rules, or returns `0` for disabled report\ \ rules." enum: - 0 - 1 example: 1 resourceGroups: type: "array" description: "The resource groups that you want the rule to apply\ \ to." items: type: "string" severity: description: "The severities that you want the rule to apply to. 1=Critical\ \ 2=High 3=Medium 4=Low 5=Info" type: "array" minItems: 1 uniqueItems: true items: enum: - 1 - 2 - 3 - 4 - 5 default: [] ReportRules_Response_Schema: allOf: - $ref: "#/components/schemas/ReportRules_Create_Schema" - type: "object" properties: mcGuid: type: "string" description: "Report Rule ID." additionalProperties: true ReportRules_Update_Schema: type: "object" properties: filters: type: "object" description: "When sending a request, use this object to define the new\ \ report rule. When included in a response, this object contains details\ \ of a report rule. You can use these attributes when searching for existing\ \ report rules by invoking a GET request." properties: name: type: "string" description: "The report rule's name." minLength: 1 description: type: "string" description: "Summary of the report rule." enabled: description: "When sending a request, use this attribute to enable or\ \ disable a report rule. When included in a response, returns `1`\ \ for enabled report rules, or returns `0` for disabled report rules." enum: - 0 - 1 example: 1 resourceGroups: type: "array" description: "The resource groups that you want the rule to apply to." items: type: "string" severity: description: "The severities that you want the rule to apply to. 1=Critical\ \ 2=High 3=Medium 4=Low 5=Info" type: "array" minItems: 1 uniqueItems: true items: enum: - 1 - 2 - 3 - 4 - 5 default: [] intgGuidList: type: "array" description: "The alert channels for the rule to access." minItems: 1 uniqueItems: true items: type: "string" reportNotificationTypes: description: "The report types that you want the rule to apply to." properties: agentEvents: type: "boolean" awsCis14: type: "boolean" awsCis401: type: "boolean" awsCisS3: type: "boolean" awsCloudtrailEvents: type: "boolean" awsComplianceEvents: type: "boolean" awsCis14IsoIec270022022: type: "boolean" awsCyberEssentials22: type: "boolean" awsCsaCcm405: type: "boolean" azureActivityLogEvents: type: "boolean" azureCis: type: "boolean" azureCis131: type: "boolean" azureComplianceEvents: type: "boolean" azurePci: type: "boolean" azurePciRev2: type: "boolean" azureSoc: type: "boolean" azureSocRev2: type: "boolean" azureIso27001: type: "boolean" azureHipaa: type: "boolean" azureNistCsf: type: "boolean" azureNist80053Rev5: type: "boolean" azureNist800171Rev2: type: "boolean" gcpAuditTrailEvents: type: "boolean" gcpCis: type: "boolean" gcpComplianceEvents: type: "boolean" gcpHipaa: type: "boolean" gcpHipaaRev2: type: "boolean" gcpIso27001: type: "boolean" gcpCis12: type: "boolean" gcpCis13: type: "boolean" gcpK8s: type: "boolean" gcpPci: type: "boolean" gcpPciRev2: type: "boolean" gcpSoc: type: "boolean" gcpSocRev2: type: "boolean" gcpNistCsf: type: "boolean" gcpNist80053Rev4: type: "boolean" gcpNist800171Rev2: type: "boolean" hipaa: type: "boolean" iso2700: type: "boolean" k8sAuditLogEvents: type: "boolean" nist800-53Rev4: type: "boolean" nist800-171Rev2: type: "boolean" openShiftCompliance: type: "boolean" pci: type: "boolean" platformEvents: type: "boolean" soc: type: "boolean" awsSocRev2: type: "boolean" trendReport: type: "boolean" awsPciDss321: type: "boolean" awsNist80053Rev5: type: "boolean" awsSoc2: type: "boolean" awsNist800171Rev2: type: "boolean" awsNistCsf: type: "boolean" awsCmmc102: type: "boolean" awsHipaa: type: "boolean" awsIso270012013: type: "boolean" incidentEvents: type: "boolean" Reports_Response_Schema: properties: {} ResourceGroups_AWS_Create_Schema: allOf: - $ref: "#/components/schemas/ResourceGroups_AWS_Update_Schema" - type: "object" required: - "name" - "resourceType" - "query" properties: query: type: "object" description: "The query used to fetch resources matching the filters defined\ \ here." properties: filters: type: "array" description: "The predicate that a resource should apply to." items: type: "object" properties: ^\w+$: description: "A name-value pair where the name is the name of\ \ the filter to be applied in an expression and the value\ \ is an object that defines the filter expression." type: "object" properties: field: type: "string" description: "The field on which to apply the predicate." operation: $ref: "#/components/schemas/ResourceGroups_operation" values: type: "array" description: "The values that the predicate should match." minItems: 1 items: type: "string" key: type: "string" description: "For fields that support a tag, the key on\ \ which to filter." required: - "field" - "operation" - "values" expression: type: "object" description: "Query expression that defines how the filters should\ \ be combined." properties: operator: $ref: "#/components/schemas/ResourceGroups_operator" children: $ref: "#/components/schemas/ResourceGroups_children" required: - "operator" - "children" required: - "filters" - "expression" ResourceGroups_AWS_Response_Schema: allOf: - $ref: "#/components/schemas/ResourceGroups_AWS_Create_Schema" - type: "object" properties: resourceGroupGuid: type: "string" description: "Resource Group ID." guid: type: "string" description: "Returns the customer ID." isDefaultBoolean: type: "boolean" description: "Returns `true` if this is a default resource group. Otherwise,\ \ returns `false`." updatedBy: type: "string" description: "The email of the Lacework user who last updated the resource\ \ group configuration." updatedTime: type: "number" description: "When this resource group configuration last changed." additionalProperties: true ResourceGroups_AWS_Update_Schema: properties: name: type: "string" description: "The resource group's name." pattern: "(?!^ +$)^.+$" minLength: 1 description: type: "string" description: "A brief description of the resource group." resourceType: type: "string" description: "The resource type such as cloud accounts, containers, or machines." enum: - "AWS" default: "AWS" query: type: "object" description: "The query used to fetch resources matching the filters defined\ \ here." properties: filters: type: "array" description: "The predicate that a resource should apply to." items: type: "object" properties: ^\w+$: description: "A name-value pair where the name is the name of\ \ the filter to be applied in an expression and the value is\ \ an object that defines the filter expression." type: "object" properties: field: type: "string" description: "The field on which to apply the predicate." operation: $ref: "#/components/schemas/ResourceGroups_operation" values: type: "array" description: "The values that the predicate should match." minItems: 1 items: type: "string" key: type: "string" description: "For fields that support a tag, the key on which\ \ to filter." expression: type: "object" description: "Query expression that defines how the filters should be\ \ combined." properties: operator: $ref: "#/components/schemas/ResourceGroups_operator" children: $ref: "#/components/schemas/ResourceGroups_children" enabled: type: "number" description: "When sending a request, use this attribute to enable or disable\ \ a resource group. When included in a response, returns `1` for enabled\ \ resource groups, or returns `0` for disabled resource groups." enum: - 0 - 1 example: 1 default: 1 ResourceGroups_AZURE_Create_Schema: allOf: - $ref: "#/components/schemas/ResourceGroups_AZURE_Update_Schema" - type: "object" required: - "name" - "resourceType" - "query" properties: query: type: "object" description: "The query used to fetch resources matching the filters defined\ \ here." properties: filters: type: "array" description: "The predicate that a resource should apply to." items: type: "object" properties: ^\w+$: description: "A name-value pair where the name is the name of\ \ the filter to be applied in an expression and the value\ \ is an object that defines the filter expression." type: "object" properties: field: type: "string" description: "The field on which to apply the predicate." operation: $ref: "#/components/schemas/ResourceGroups_operation" values: type: "array" description: "The values that the predicate should match." minItems: 1 items: type: "string" key: type: "string" description: "For fields that support a tag, the key on\ \ which to filter." required: - "field" - "operation" - "values" expression: type: "object" description: "Query expression that defines how the filters should\ \ be combined." properties: operator: $ref: "#/components/schemas/ResourceGroups_operator" children: $ref: "#/components/schemas/ResourceGroups_children" required: - "operator" - "children" required: - "filters" - "expression" ResourceGroups_AZURE_Response_Schema: allOf: - $ref: "#/components/schemas/ResourceGroups_AZURE_Create_Schema" - type: "object" properties: resourceGroupGuid: type: "string" description: "Resource Group ID." guid: type: "string" description: "Returns the customer ID." isDefaultBoolean: type: "boolean" description: "Returns `true` if this is a default resource group. Otherwise,\ \ returns `false`." updatedBy: type: "string" description: "The email of the Lacework user who last updated the resource\ \ group configuration." updatedTime: type: "number" description: "When this resource group configuration last changed." additionalProperties: true ResourceGroups_AZURE_Update_Schema: properties: name: type: "string" description: "The resource group's name." pattern: "(?!^ +$)^.+$" minLength: 1 description: type: "string" description: "A brief description of the resource group." resourceType: type: "string" description: "The resource type such as cloud accounts, containers, or machines." enum: - "AZURE" default: "AZURE" query: type: "object" description: "The query used to fetch resources matching the filters defined\ \ here." properties: filters: type: "array" description: "The predicate that a resource should apply to." items: type: "object" properties: ^\w+$: description: "A name-value pair where the name is the name of\ \ the filter to be applied in an expression and the value is\ \ an object that defines the filter expression." type: "object" properties: field: type: "string" description: "The field on which to apply the predicate." operation: $ref: "#/components/schemas/ResourceGroups_operation" values: type: "array" description: "The values that the predicate should match." minItems: 1 items: type: "string" key: type: "string" description: "For fields that support a tag, the key on which\ \ to filter." expression: type: "object" description: "Query expression that defines how the filters should be\ \ combined." properties: operator: $ref: "#/components/schemas/ResourceGroups_operator" children: $ref: "#/components/schemas/ResourceGroups_children" enabled: type: "number" description: "When sending a request, use this attribute to enable or disable\ \ a resource group. When included in a response, returns `1` for enabled\ \ resource groups, or returns `0` for disabled resource groups." enum: - 0 - 1 example: 1 default: 1 ResourceGroups_CONTAINER_Create_Schema: allOf: - $ref: "#/components/schemas/ResourceGroups_CONTAINER_Update_Schema" - type: "object" required: - "name" - "resourceType" - "query" properties: query: type: "object" description: "The query used to fetch resources matching the filters defined\ \ here." properties: filters: type: "array" description: "The predicate that a resource should apply to." items: type: "object" properties: ^\w+$: description: "A name-value pair where the name is the name of\ \ the filter to be applied in an expression and the value\ \ is an object that defines the filter expression." type: "object" properties: field: type: "string" description: "The field on which to apply the predicate." operation: $ref: "#/components/schemas/ResourceGroups_operation" values: type: "array" description: "The values that the predicate should match." minItems: 1 items: type: "string" key: type: "string" description: "For fields that support a tag, the key on\ \ which to filter." required: - "field" - "operation" - "values" expression: type: "object" description: "Query expression that defines how the filters should\ \ be combined." properties: operator: $ref: "#/components/schemas/ResourceGroups_operator" children: $ref: "#/components/schemas/ResourceGroups_children" required: - "operator" - "children" required: - "filters" - "expression" ResourceGroups_CONTAINER_Response_Schema: allOf: - $ref: "#/components/schemas/ResourceGroups_CONTAINER_Create_Schema" - type: "object" properties: resourceGroupGuid: type: "string" description: "Resource Group ID." guid: type: "string" description: "Returns the customer ID." isDefaultBoolean: type: "boolean" description: "Returns `true` if this is a default resource group. Otherwise,\ \ returns `false`." updatedBy: type: "string" description: "The email of the Lacework user who last updated the resource\ \ group configuration." updatedTime: type: "number" description: "When this resource group configuration last changed." additionalProperties: true ResourceGroups_CONTAINER_Update_Schema: properties: name: type: "string" description: "The resource group's name." pattern: "(?!^ +$)^.+$" minLength: 1 description: type: "string" description: "A brief description of the resource group." resourceType: type: "string" description: "The resource type such as cloud accounts, containers, or machines." enum: - "CONTAINER" default: "CONTAINER" query: type: "object" description: "The query used to fetch resources matching the filters defined\ \ here." properties: filters: type: "array" description: "The predicate that a resource should apply to." items: type: "object" properties: ^\w+$: description: "A name-value pair where the name is the name of\ \ the filter to be applied in an expression and the value is\ \ an object that defines the filter expression." type: "object" properties: field: type: "string" description: "The field on which to apply the predicate." operation: $ref: "#/components/schemas/ResourceGroups_operation" values: type: "array" description: "The values that the predicate should match." minItems: 1 items: type: "string" key: type: "string" description: "For fields that support a tag, the key on which\ \ to filter." expression: type: "object" description: "Query expression that defines how the filters should be\ \ combined." properties: operator: $ref: "#/components/schemas/ResourceGroups_operator" children: $ref: "#/components/schemas/ResourceGroups_children" enabled: type: "number" description: "When sending a request, use this attribute to enable or disable\ \ a resource group. When included in a response, returns `1` for enabled\ \ resource groups, or returns `0` for disabled resource groups." enum: - 0 - 1 example: 1 default: 1 ResourceGroups_Create_Schema: oneOf: - $ref: "#/components/schemas/ResourceGroups_AWS_Create_Schema" - $ref: "#/components/schemas/ResourceGroups_GCP_Create_Schema" - $ref: "#/components/schemas/ResourceGroups_AZURE_Create_Schema" - $ref: "#/components/schemas/ResourceGroups_MACHINE_Create_Schema" - $ref: "#/components/schemas/ResourceGroups_CONTAINER_Create_Schema" - $ref: "#/components/schemas/ResourceGroups_OCI_Create_Schema" - $ref: "#/components/schemas/ResourceGroups_KUBERNETES_Create_Schema" discriminator: propertyName: "resourceType" mapping: AWS: "#/components/schemas/ResourceGroups_AWS_Create_Schema" GCP: "#/components/schemas/ResourceGroups_GCP_Create_Schema" AZURE: "#/components/schemas/ResourceGroups_AZURE_Create_Schema" MACHINE: "#/components/schemas/ResourceGroups_MACHINE_Create_Schema" CONTAINER: "#/components/schemas/ResourceGroups_CONTAINER_Create_Schema" OCI: "#/components/schemas/ResourceGroups_OCI_Create_Schema" KUBERNETES: "#/components/schemas/ResourceGroups_KUBERNETES_Create_Schema" ResourceGroups_GCP_Create_Schema: allOf: - $ref: "#/components/schemas/ResourceGroups_GCP_Update_Schema" - type: "object" required: - "name" - "resourceType" - "query" properties: query: type: "object" description: "The query used to fetch resources matching the filters defined\ \ here." properties: filters: type: "array" description: "The predicate that a resource should apply to." items: type: "object" properties: ^\w+$: description: "A name-value pair where the name is the name of\ \ the filter to be applied in an expression and the value\ \ is an object that defines the filter expression." type: "object" properties: field: type: "string" description: "The field on which to apply the predicate." operation: $ref: "#/components/schemas/ResourceGroups_operation" values: type: "array" description: "The values that the predicate should match." minItems: 1 items: type: "string" key: type: "string" description: "For fields that support a tag, the key on\ \ which to filter." required: - "field" - "operation" - "values" expression: type: "object" description: "Query expression that defines how the filters should\ \ be combined." properties: operator: $ref: "#/components/schemas/ResourceGroups_operator" children: $ref: "#/components/schemas/ResourceGroups_children" required: - "operator" - "children" required: - "filters" - "expression" ResourceGroups_GCP_Response_Schema: allOf: - $ref: "#/components/schemas/ResourceGroups_GCP_Create_Schema" - type: "object" properties: resourceGroupGuid: type: "string" description: "Resource Group ID." guid: type: "string" description: "Returns the customer ID." isDefaultBoolean: type: "boolean" description: "Returns `1` if this is a default resource group. Otherwise,\ \ returns `0`." updatedBy: type: "string" description: "The email of the Lacework user who last updated the resource\ \ group configuration." updatedTime: type: "number" description: "When this resource group configuration last changed." additionalProperties: true ResourceGroups_GCP_Update_Schema: properties: name: type: "string" description: "The resource group's name." pattern: "(?!^ +$)^.+$" minLength: 1 description: type: "string" description: "A brief description of the resource group." resourceType: type: "string" description: "The resource type such as cloud accounts, containers, or machines." enum: - "GCP" default: "GCP" query: type: "object" description: "The query used to fetch resources matching the filters defined\ \ here." properties: filters: type: "array" description: "The predicate that a resource should apply to." items: type: "object" properties: ^\w+$: description: "A name-value pair where the name is the name of\ \ the filter to be applied in an expression and the value is\ \ an object that defines the filter expression." type: "object" properties: field: type: "string" description: "The field on which to apply the predicate." operation: $ref: "#/components/schemas/ResourceGroups_operation" values: type: "array" description: "The values that the predicate should match." minItems: 1 items: type: "string" key: type: "string" description: "For fields that support a tag, the key on which\ \ to filter." expression: type: "object" description: "Query expression that defines how the filters should be\ \ combined." properties: operator: $ref: "#/components/schemas/ResourceGroups_operator" children: $ref: "#/components/schemas/ResourceGroups_children" enabled: type: "number" description: "When sending a request, use this attribute to enable or disable\ \ a resource group. When included in a response, returns `1` for enabled\ \ resource groups, or returns `0` for disabled resource groups." enum: - 0 - 1 example: 1 default: 1 ResourceGroups_KUBERNETES_Create_Schema: allOf: - $ref: "#/components/schemas/ResourceGroups_KUBERNETES_Update_Schema" - type: "object" required: - "name" - "resourceType" - "query" properties: query: type: "object" description: "The query used to fetch resources matching the filters defined\ \ here." properties: filters: type: "array" description: "The predicate that a resource should apply to." items: type: "object" properties: ^\w+$: description: "A name-value pair where the name is the name of\ \ the filter to be applied in an expression and the value\ \ is an object that defines the filter expression." type: "object" properties: field: type: "string" description: "The field on which to apply the predicate." operation: $ref: "#/components/schemas/ResourceGroups_operation" values: type: "array" description: "The values that the predicate should match." minItems: 1 items: type: "string" key: type: "string" description: "For fields that support a tag, the key on\ \ which to filter." required: - "field" - "operation" - "values" expression: type: "object" description: "Query expression that defines how the filters should\ \ be combined." properties: operator: $ref: "#/components/schemas/ResourceGroups_operator" children: $ref: "#/components/schemas/ResourceGroups_children" required: - "operator" - "children" required: - "filters" - "expression" ResourceGroups_KUBERNETES_Response_Schema: allOf: - $ref: "#/components/schemas/ResourceGroups_KUBERNETES_Create_Schema" - type: "object" properties: resourceGroupGuid: type: "string" description: "Resource Group ID." guid: type: "string" description: "Returns the customer ID." isDefaultBoolean: type: "boolean" description: "Returns `true` if this is a default resource group. Otherwise,\ \ returns `false`." updatedBy: type: "string" description: "The email of the Lacework user who last updated the resource\ \ group configuration." updatedTime: type: "number" description: "When this resource group configuration last changed." additionalProperties: true ResourceGroups_KUBERNETES_Update_Schema: properties: name: type: "string" description: "The resource group's name." pattern: "(?!^ +$)^.+$" minLength: 1 description: type: "string" description: "A brief description of the resource group." resourceType: type: "string" description: "The resource type such as cloud accounts, containers, or machines." enum: - "KUBERNETES" default: "KUBERNETES" query: type: "object" description: "The query used to fetch resources matching the filters defined\ \ here." properties: filters: type: "array" description: "The predicate that a resource should apply to." items: type: "object" properties: ^\w+$: description: "A name-value pair where the name is the name of\ \ the filter to be applied in an expression and the value is\ \ an object that defines the filter expression." type: "object" properties: field: type: "string" description: "The field on which to apply the predicate." operation: $ref: "#/components/schemas/ResourceGroups_operation" values: type: "array" description: "The values that the predicate should match." minItems: 1 items: type: "string" key: type: "string" description: "For fields that support a tag, the key on which\ \ to filter." expression: type: "object" description: "Query expression that defines how the filters should be\ \ combined." properties: operator: $ref: "#/components/schemas/ResourceGroups_operator" children: $ref: "#/components/schemas/ResourceGroups_children" enabled: type: "number" description: "When sending a request, use this attribute to enable or disable\ \ a resource group. When included in a response, returns `1` for enabled\ \ resource groups, or returns `0` for disabled resource groups." enum: - 0 - 1 example: 1 default: 1 ResourceGroups_MACHINE_Create_Schema: allOf: - $ref: "#/components/schemas/ResourceGroups_MACHINE_Update_Schema" - type: "object" required: - "resourceName" - "resourceType" - "query" properties: query: type: "object" description: "The query used to fetch resources matching the filters defined\ \ here." properties: filters: type: "array" description: "The predicate that a resource should apply to." items: type: "object" properties: ^\w+$: description: "A name-value pair where the name is the name of\ \ the filter to be applied in an expression and the value\ \ is an object that defines the filter expression." type: "object" properties: field: type: "string" description: "The field on which to apply the predicate." operation: $ref: "#/components/schemas/ResourceGroups_operation" values: type: "array" description: "The values that the predicate should match." minItems: 1 items: type: "string" key: type: "string" description: "For fields that support a tag, the key on\ \ which to filter." required: - "field" - "operation" - "values" expression: type: "object" description: "Query expression that defines how the filters should\ \ be combined." properties: operator: $ref: "#/components/schemas/ResourceGroups_operator" children: $ref: "#/components/schemas/ResourceGroups_children" required: - "operator" - "children" required: - "filters" - "expression" ResourceGroups_MACHINE_Response_Schema: allOf: - $ref: "#/components/schemas/ResourceGroups_MACHINE_Create_Schema" - type: "object" properties: resourceGroupGuid: type: "string" description: "Resource Group ID." guid: type: "string" description: "Returns the customer ID." isDefaultBoolean: type: "boolean" description: "Returns `true` if this is a default resource group. Otherwise,\ \ returns `false`." updatedBy: type: "string" description: "The email of the Lacework user who last updated the resource\ \ group configuration." updatedTime: type: "number" description: "When this resource group configuration last changed." additionalProperties: true ResourceGroups_MACHINE_Update_Schema: properties: name: type: "string" description: "The resource group's name." pattern: "(?!^ +$)^.+$" minLength: 1 description: type: "string" description: "A brief description of the resource group." resourceType: type: "string" description: "The resource type such as cloud accounts, containers, or machines." enum: - "MACHINE" default: "MACHINE" query: type: "object" description: "The query used to fetch resources matching the filters defined\ \ here." properties: filters: type: "array" description: "The predicate that a resource should apply to." items: type: "object" properties: ^\w+$: description: "A name-value pair where the name is the name of\ \ the filter to be applied in an expression and the value is\ \ an object that defines the filter expression." type: "object" properties: field: type: "string" description: "The field on which to apply the predicate." operation: $ref: "#/components/schemas/ResourceGroups_operation" values: type: "array" description: "The values that the predicate should match." minItems: 1 items: type: "string" key: type: "string" description: "For fields that support a tag, the key on which\ \ to filter." expression: type: "object" description: "Query expression that defines how the filters should be\ \ combined." properties: operator: $ref: "#/components/schemas/ResourceGroups_operator" children: $ref: "#/components/schemas/ResourceGroups_children" enabled: type: "number" description: "When sending a request, use this attribute to enable or disable\ \ a resource group. When included in a response, returns `1` for enabled\ \ resource groups, or returns `0` for disabled resource groups." enum: - 0 - 1 example: 1 default: 1 ResourceGroups_OCI_Create_Schema: allOf: - $ref: "#/components/schemas/ResourceGroups_OCI_Update_Schema" - type: "object" required: - "name" - "resourceType" - "query" properties: query: type: "object" description: "The query used to fetch resources matching the filters defined\ \ here." properties: filters: type: "array" description: "The predicate that a resource should apply to." items: type: "object" properties: ^\w+$: description: "A name-value pair where the name is the name of\ \ the filter to be applied in an expression and the value\ \ is an object that defines the filter expression." type: "object" properties: field: type: "string" description: "The field on which to apply the predicate." operation: $ref: "#/components/schemas/ResourceGroups_operation" values: type: "array" description: "The values that the predicate should match." minItems: 1 items: type: "string" key: type: "string" description: "For fields that support a tag, the key on\ \ which to filter." required: - "field" - "operation" - "values" expression: type: "object" description: "Query expression that defines how the filters should\ \ be combined." properties: operator: $ref: "#/components/schemas/ResourceGroups_operator" children: $ref: "#/components/schemas/ResourceGroups_children" required: - "operator" - "children" required: - "filters" - "expression" ResourceGroups_OCI_Response_Schema: allOf: - $ref: "#/components/schemas/ResourceGroups_OCI_Create_Schema" - type: "object" properties: resourceGroupGuid: type: "string" description: "Resource Group ID." guid: type: "string" description: "Returns the customer ID." isDefaultBoolean: type: "boolean" description: "Returns `1` if this is a default resource group. Otherwise,\ \ returns `0`." updatedBy: type: "string" description: "The email of the Lacework user who last updated the resource\ \ group configuration." updatedTime: type: "number" description: "When this resource group configuration last changed." additionalProperties: true ResourceGroups_OCI_Update_Schema: properties: name: type: "string" description: "The resource group's name." pattern: "(?!^ +$)^.+$" minLength: 1 description: type: "string" description: "A brief description of the resource group." resourceType: type: "string" description: "The resource type such as cloud accounts, containers, or machines." enum: - "OCI" default: "OCI" query: type: "object" description: "The query used to fetch resources matching the filters defined\ \ here." properties: filters: type: "array" description: "The predicate that a resource should apply to." items: type: "object" properties: ^\w+$: description: "A name-value pair where the name is the name of\ \ the filter to be applied in an expression and the value is\ \ an object that defines the filter expression." type: "object" properties: field: type: "string" description: "The field on which to apply the predicate." operation: $ref: "#/components/schemas/ResourceGroups_operation" values: type: "array" description: "The values that the predicate should match." minItems: 1 items: type: "string" key: type: "string" description: "For fields that support a tag, the key on which\ \ to filter." expression: type: "object" description: "Query expression that defines how the filters should be\ \ combined." properties: operator: $ref: "#/components/schemas/ResourceGroups_operator" children: $ref: "#/components/schemas/ResourceGroups_children" enabled: type: "number" description: "When sending a request, use this attribute to enable or disable\ \ a resource group. When included in a response, returns `1` for enabled\ \ resource groups, or returns `0` for disabled resource groups." enum: - 0 - 1 example: 1 default: 1 ResourceGroups_Response_Schema: oneOf: - $ref: "#/components/schemas/ResourceGroups_AWS_Response_Schema" - $ref: "#/components/schemas/ResourceGroups_GCP_Response_Schema" - $ref: "#/components/schemas/ResourceGroups_AZURE_Response_Schema" - $ref: "#/components/schemas/ResourceGroups_MACHINE_Response_Schema" - $ref: "#/components/schemas/ResourceGroups_CONTAINER_Response_Schema" - $ref: "#/components/schemas/ResourceGroups_OCI_Response_Schema" - $ref: "#/components/schemas/ResourceGroups_KUBERNETES_Response_Schema" discriminator: propertyName: "resourceType" mapping: AWS: "#/components/schemas/ResourceGroups_AWS_Response_Schema" GCP: "#/components/schemas/ResourceGroups_GCP_Response_Schema" AZURE: "#/components/schemas/ResourceGroups_AZURE_Response_Schema" MACHINE: "#/components/schemas/ResourceGroups_MACHINE_Response_Schema" CONTAINER: "#/components/schemas/ResourceGroups_CONTAINER_Response_Schema" OCI: "#/components/schemas/ResourceGroups_OCI_Response_Schema" KUBERNETES: "#/components/schemas/ResourceGroups_KUBERNETES_Response_Schema" ResourceGroups_Update_Schema: oneOf: - $ref: "#/components/schemas/ResourceGroups_AWS_Update_Schema" - $ref: "#/components/schemas/ResourceGroups_GCP_Update_Schema" - $ref: "#/components/schemas/ResourceGroups_AZURE_Update_Schema" - $ref: "#/components/schemas/ResourceGroups_MACHINE_Update_Schema" - $ref: "#/components/schemas/ResourceGroups_CONTAINER_Update_Schema" - $ref: "#/components/schemas/ResourceGroups_OCI_Update_Schema" - $ref: "#/components/schemas/ResourceGroups_KUBERNETES_Update_Schema" discriminator: propertyName: "resourceType" mapping: AWS: "#/components/schemas/ResourceGroups_AWS_Update_Schema" GCP: "#/components/schemas/ResourceGroups_GCP_Update_Schema" AZURE: "#/components/schemas/ResourceGroups_AZURE_Update_Schema" MACHINE: "#/components/schemas/ResourceGroups_MACHINE_Update_Schema" CONTAINER: "#/components/schemas/ResourceGroups_CONTAINER_Update_Schema" OCI: "#/components/schemas/ResourceGroups_OCI_Update_Schema" KUBERNETES: "#/components/schemas/ResourceGroups_KUBERNETES_Update_Schema" ResourceGroups_children: type: "array" description: "Combines one or more filters. You must specify either `filterName`\ \ or `children` in a filter." minItems: 1 items: type: "object" properties: operator: $ref: "#/components/schemas/ResourceGroups_operator" filterName: type: "string" description: "Name of the filter defined in `filters`. You must specify\ \ either `filterName` or `children` in a filter." children: $ref: "#/components/schemas/ResourceGroups_children" ResourceGroups_operation: type: "string" description: "Type of operation to apply." enum: - "STARTS_WITH" - "INCLUDES" - "ENDS_WITH" - "EQUALS" ResourceGroups_operator: type: "string" description: "Type of operator to apply." enum: - "AND" - "OR" Response4xxApiV2AccessTokens: type: "object" properties: message: type: "string" example: "Access Key is null." ResponseApiV2AccessTokens: type: "object" properties: expiresAt: description: "The timestamp for when the access token expires in RFC3339\ \ date time format (yyyy-MM-ddTHH:mm:ss.SSSZ)" type: "string" example: "2021-08-18T08:00:00.000Z" token: description: "The access token." type: "string" ResponseApiV2SchemasType: type: "object" example: - name: "accountName" type: "string" - name: "createdTime" type: "integer" - name: "eventDescription" type: "string" - name: "eventName" type: "string" - name: "userAction" type: "string" - name: "userName" type: "string" ResponseApiV2SchemasTypeSubtype: type: "object" example: - required: - "type" - "enabled" - "name" - "data" properties: name: type: "string" minLength: 1 type: type: "string" enum: - "SlackChannel" enabled: type: "number" minimum: 0 maximum: 1 data: properties: slackUrl: type: "string" pattern: "^https://hooks.slack.com([/][a-zA-Z0-9#-_]+)+$" required: - "slackUrl" additionalProperties: true type: "object" ResponseInvalidApiV2SchemasType: type: "object" properties: message: type: "string" example: "Invalid type: Audits. Available type(s): [AlertChannels, AuditLogs]" ResponseInvalidApiV2SchemasTypeSubtype: type: "object" properties: message: type: "string" example: "Invalid type: AlertChannels with Slack. Available subtype(s):\ \ [SlackChannel]" StringFilterExpression: type: "string" description: "Comparison operator for string values." enum: - "eq" - "ne" - "between" - "in" - "not_in" - "like" - "ilike" - "not_like" - "not_ilike" - "rlike" - "not_rlike" TIME_FILTER: properties: timeFilter: type: "object" description: "The date/time range during which actions occurred." properties: startTime: type: "string" description: "Returns only recorded actions that occurred after this\ \ timestamp." endTime: type: "string" description: "Returns only recorded actions that occurred before this\ \ timestamp. If empty or missing, the current time is used." TeamMembers_Create_Schema: oneOf: - $ref: "#/components/schemas/TeamMembers_With_Org-Access_Create_Schema" - $ref: "#/components/schemas/TeamMembers_Without_Org-Access_Create_Schema" discriminator: propertyName: "schemaOption" mapping: With_Org-Access: "#/components/schemas/TeamMembers_With_Org-Access_Create_Schema" Without_Org-Access: "#/components/schemas/TeamMembers_Without_Org-Access_Create_Schema" TeamMembers_Response_Schema: oneOf: - $ref: "#/components/schemas/TeamMembers_With_Org-Access_Response_Schema" - $ref: "#/components/schemas/TeamMembers_Without_Org-Access_Response_Schema" discriminator: propertyName: "schemaOption" mapping: With_Org-Access: "#/components/schemas/TeamMembers_With_Org-Access_Response_Schema" Without_Org-Access: "#/components/schemas/TeamMembers_Without_Org-Access_Response_Schema" TeamMembers_Update_Schema: oneOf: - $ref: "#/components/schemas/TeamMembers_With_Org-Access_Update_Schema" - $ref: "#/components/schemas/TeamMembers_Without_Org-Access_Update_Schema" discriminator: propertyName: "schemaOption" mapping: With_Org-Access: "#/components/schemas/TeamMembers_With_Org-Access_Update_Schema" Without_Org-Access: "#/components/schemas/TeamMembers_Without_Org-Access_Update_Schema" TeamMembers_With_Org-Access_Create_Schema: allOf: - $ref: "#/components/schemas/TeamMembers_With_Org-Access_Update_Schema" - type: "object" required: - "props" - "userName" - "adminRoleAccounts" - "userRoleAccounts" - "userEnabled" properties: props: type: "object" properties: firstName: type: "string" lastName: type: "string" company: type: "string" accountAdmin: type: "boolean" default: false description: "If team member is a current account admin, this field\ \ will be ignored if org-access is true" required: - "firstName" - "company" userName: type: "string" description: "user email address" TeamMembers_With_Org-Access_Response_Schema: allOf: - $ref: "#/components/schemas/TeamMembers_With_Org-Access_Create_Schema" - type: "object" properties: userGuid: type: "string" description: "user guid" additionalProperties: true TeamMembers_With_Org-Access_Update_Schema: properties: schemaOption: type: "string" enum: - "With_Org-Access" description: "Not required." props: type: "object" properties: firstName: type: "string" lastName: type: "string" company: type: "string" accountAdmin: type: "boolean" default: false description: "If team member is a current account admin, this field\ \ will be ignored if org-access is true" orgAdmin: type: "boolean" default: false description: "When sending a request, set to `True` to make the team member\ \ an organization admin. Otherwise, set to `False`. When included in a\ \ response, returns the role assigned to the team member. **Note:** If\ \ the team member is currently an organization admin, Lacework ignores\ \ the `adminRoleAccounts` and `userRoleAccounts` attributes." orgUser: type: "boolean" default: false description: "When sending a request, set to `True` to make the new member\ \ an organization user. Otherwise, set to `False` When included in a response,\ \ returns the role assigned to the new member. **Note:** If the team member\ \ is currently an organization user, Lacework will ignore the `userRoleAccounts`\ \ attribute." adminRoleAccounts: type: "array" items: type: "string" description: "A list of account names for which this team member will be\ \ an admin." userRoleAccounts: type: "array" items: type: "string" description: "A list of account names for which this team member will be\ \ a user." userEnabled: type: "integer" enum: - 1 - 0 TeamMembers_Without_Org-Access_Create_Schema: allOf: - $ref: "#/components/schemas/TeamMembers_Without_Org-Access_Update_Schema" - type: "object" required: - "props" - "userName" - "userEnabled" properties: props: type: "object" description: "Details of the new team member. The data varies based on\ \ the value of the `schemaOptions` attribute." properties: firstName: type: "string" description: "The new team member's first name." lastName: type: "string" description: "The new team member's last name." company: type: "string" description: "The new team member's company." accountAdmin: type: "boolean" default: false description: "When sending a request, set to `True` to make the new\ \ member an account admin. Set to `False` to make the new member\ \ an account user. When included in a response, returns the role\ \ assigned to the new member. **Note:** If the team member is currently\ \ an account admin, and the `schemaOption` is set to `With_Org-Access`,\ \ Lacework will ignore this attribute." required: - "firstName" - "company" userName: type: "string" description: "The new team member's email address." TeamMembers_Without_Org-Access_Response_Schema: allOf: - $ref: "#/components/schemas/TeamMembers_Without_Org-Access_Create_Schema" - type: "object" properties: userGuid: type: "string" description: "user guid" custGuid: type: "string" description: "customer guid" additionalProperties: true TeamMembers_Without_Org-Access_Update_Schema: properties: schemaOption: type: "string" enum: - "Without_Org-Access" description: "Select `Without_Org-Access` to create team members for an\ \ account. Select `With_Org-Access` to create team members for an organization." props: type: "object" description: "Details of the new team member. The data varies based on the\ \ value of the `schemaOptions` attribute." properties: firstName: type: "string" description: "The new team member's first name." lastName: type: "string" description: "The new team member's last name." company: type: "string" description: "The new team member's company." accountAdmin: type: "boolean" default: false description: "When sending a request, set to `True` to make the new\ \ member an account admin. Set to `False` to make the new member an\ \ account user. When included in a response, returns the role assigned\ \ to the new member. **Note:** If the team member is currently an\ \ account admin, and the `schemaOption` is set to `With_Org-Access`,\ \ Lacework will ignore this attribute." userEnabled: type: "integer" description: "When sending a request, use this attribute to enable or disable\ \ a team member's access. When included in a response, returns `1` for\ \ enabled team members, or returns `0` for disabled team members." enum: - 1 - 0 TeamUsers_Create_Schema: oneOf: - $ref: "#/components/schemas/TeamUsers_StandardUser_Create_Schema" - $ref: "#/components/schemas/TeamUsers_ServiceUser_Create_Schema" discriminator: propertyName: "type" mapping: StandardUser: "#/components/schemas/TeamUsers_StandardUser_Create_Schema" ServiceUser: "#/components/schemas/TeamUsers_ServiceUser_Create_Schema" TeamUsers_Response_Schema: oneOf: - $ref: "#/components/schemas/TeamUsers_StandardUser_Response_Schema" - $ref: "#/components/schemas/TeamUsers_ServiceUser_Response_Schema" discriminator: propertyName: "type" mapping: StandardUser: "#/components/schemas/TeamUsers_StandardUser_Response_Schema" ServiceUser: "#/components/schemas/TeamUsers_ServiceUser_Response_Schema" TeamUsers_ServiceUser: type: "object" required: - "name" properties: name: type: "string" description: "A name for the user." description: type: "string" userGuid: type: "string" description: "A unique ID for the user. Use this value to get details for\ \ a user or to update or delete a user's account." userEnabled: type: "number" enum: - 0 - 1 description: "When sending a request, use this attribute to enable or disable\ \ a team user's access. When included in a response, returns `1` for enabled\ \ team members, or returns `0` for disabled team members." uniqueId: type: "string" apiKeys: type: "array" items: properties: createdDate: type: "string" keyId: type: "string" createdUser: type: "string" status: type: "string" type: type: "string" enum: - "ServiceUser" lastLoginTime: type: "number" description: "When the user last logged in to the Lacework Console." orgAccess: type: "string" enum: - "NO_ORG_ACCESS" description: "This field shows if the user has no org, org admin or org\ \ user access" TeamUsers_ServiceUser_Create_Schema: allOf: - $ref: "#/components/schemas/TeamUsers_ServiceUser_Update_Schema" - type: "object" required: - "type" - "name" properties: {} TeamUsers_ServiceUser_Response_Schema: allOf: - $ref: "#/components/schemas/TeamUsers_ServiceUser_Create_Schema" - type: "object" properties: userGuid: type: "string" description: "A unique ID for the service user. Use this value to get\ \ details for a user or to update or delete a user's account." serviceUserId: type: "string" description: "The unique displayable identifier for a service user, similar\ \ to the email address for a standard user." apiKeys: type: "array" items: properties: createdDate: type: "string" keyId: type: "string" createdUser: type: "string" status: type: "string" lastLoginTime: type: "number" description: "When the user last logged in to the Lacework Console." orgAccess: type: "string" enum: - "NO_ORG_ACCESS" description: "This field shows if the user has no org, org admin or org\ \ user access" additionalProperties: true TeamUsers_ServiceUser_Update_Schema: type: "object" properties: type: type: "string" enum: - "ServiceUser" description: "The user type. This type cannot be changed after the user\ \ is created." name: type: "string" description: "A name for the service user." description: type: "string" description: "The description for the service user." userEnabled: type: "number" enum: - 0 - 1 default: 1 description: "When sending a request, use this attribute to enable or disable\ \ a team user's access. When included in a response, returns `1` for enabled\ \ team users, or returns `0` for disabled team users. NOTE: This will\ \ eventually change to being `true`/`false`" TeamUsers_StandardUser: type: "object" required: - "name" - "company" - "email" properties: name: type: "string" description: "The name of the user." company: type: "string" description: "The name of the business or organization associated with the\ \ user." email: type: "string" description: "The user's email address." userGuid: type: "string" description: "A unique ID for the user. Use this value to get details for\ \ a user or to update or delete a user's account." userEnabled: type: "number" enum: - 0 - 1 description: "When sending a request, use this attribute to enable or disable\ \ a team user's access. When included in a response, returns `1` for enabled\ \ team members, or returns `0` for disabled team members." type: type: "string" enum: - "StandardUser" lastLoginTime: type: "number" description: "When the user last logged in to the Lacework Console." orgAccess: type: "string" enum: - "NO_ORG_ACCESS" description: "This field shows if the user has no org, org admin or org\ \ user access" TeamUsers_StandardUser_Create_Schema: allOf: - $ref: "#/components/schemas/TeamUsers_StandardUser_Update_Schema" - type: "object" required: - "type" - "name" - "company" - "email" properties: company: type: "string" description: "The name of the business or organization associated with\ \ the user." email: type: "string" description: "The user's email address." TeamUsers_StandardUser_Response_Schema: allOf: - $ref: "#/components/schemas/TeamUsers_StandardUser_Create_Schema" - type: "object" properties: userGuid: type: "string" description: "A unique ID for the standard user. Use this value to get\ \ details for a user or to update or delete a user's account." lastLoginTime: type: "number" description: "When the user last logged in to the Lacework Console." orgAccess: type: "string" enum: - "NO_ORG_ACCESS" description: "This field shows if the user has no org, org admin or org\ \ user access" additionalProperties: true TeamUsers_StandardUser_Update_Schema: type: "object" properties: type: type: "string" enum: - "StandardUser" description: "The user type. This type cannot be changed after the user\ \ is created." name: type: "string" description: "A name for the standard user." userEnabled: type: "number" enum: - 0 - 1 default: 1 description: "When sending a request, use this attribute to enable or disable\ \ a team user's access. When included in a response, returns `1` for enabled\ \ team users, or returns `0` for disabled team users. NOTE: This will\ \ eventually change to being `true`/`false`." TeamUsers_Update_Schema: oneOf: - $ref: "#/components/schemas/TeamUsers_StandardUser_Update_Schema" - $ref: "#/components/schemas/TeamUsers_ServiceUser_Update_Schema" discriminator: propertyName: "type" mapping: StandardUser: "#/components/schemas/TeamUsers_StandardUser_Update_Schema" ServiceUser: "#/components/schemas/TeamUsers_ServiceUser_Update_Schema" TemplateFiles_Response_Schema: properties: {} TimestampFilterExpression: type: "string" description: "Comparison operator for timestamp values." enum: - "eq" - "ne" - "between" - "in" - "not_in" - "gt" - "ge" - "lt" - "le" UserGroups_AddUsers_Response_Schema: required: - "userGuids" - "userGroupGuid" properties: userGuids: type: "array" items: type: "string" minItems: 1 userGroupGuid: type: "string" additionalProperties: true UserGroups_Create_Schema: allOf: - $ref: "#/components/schemas/UserGroups_Update_Schema" - type: "object" required: - "name" - "roleGuids" properties: {} UserGroups_Relations_Request_Schema: type: "object" required: - "userGuids" properties: userGuids: type: "array" items: type: "string" minItems: 1 UserGroups_Response_Schema: allOf: - $ref: "#/components/schemas/UserGroups_Create_Schema" - type: "object" properties: userGroupGuid: type: "string" description: "A unique ID for the user group." guid: type: "string" description: "A unique ID for the account that the user group belongs\ \ to." createdTime: type: "string" description: "The time and date when the user group was created." updatedTime: type: "string" description: "The time and date when the user group was last updated." createdBy: type: "string" description: "The user who created the user group." updatedBy: type: "string" description: "The user who last updated the user group." additionalProperties: true UserGroups_Update_Schema: type: "object" properties: name: type: "string" description: "Name of the user group." maxLength: 120 roleGuids: type: "array" items: type: "string" minItems: 1 description: "An array of user group roles. Currently multiple roles cannot\ \ be assigned to a single user group." userGuids: type: "array" items: type: "string" description: "An array of user GUIDs in the user group." resourceGroupGuids: type: "array" items: type: "string" description: "An array of resource groups attached to the user group." description: type: "string" description: "A brief description of the user group." maxLength: 120 UserProfile: required: - "username" - "orgAccount" - "accounts" properties: username: type: "string" orgAccount: type: "boolean" url: type: "string" orgAdmin: type: "boolean" orgUser: type: "boolean" accounts: type: "array" minItems: 1 description: "list of accounts this user has access to" items: type: "object" properties: admin: type: "boolean" accountName: type: "string" custGuid: type: "string" userGuid: type: "string" userEnabled: type: "number" enum: - 0 - 1 UserProfile_Response_Schema: required: - "username" - "orgAccount" - "accounts" properties: username: type: "string" description: "The sub-account's username." orgAccount: type: "boolean" description: "Your organization account. An organization contains the organization\ \ account (the one used to enroll the organization) and possibly multiple\ \ sub-accounts." url: type: "string" description: "Your Lacework URL that is used for the organization and all\ \ sub-accounts in the organization." orgAdmin: type: "boolean" description: "Returns `True` if this member is an organization admin." orgUser: type: "boolean" description: "Returns `True` if this member is an organization user." accounts: type: "array" minItems: 1 description: "A list of accounts this member can access." items: type: "object" properties: admin: type: "boolean" description: "Returns `True` if this member is an account admin." accountName: type: "string" description: "The account name this member can access." custGuid: type: "string" description: "Customer ID." userGuid: type: "string" description: "User ID." userEnabled: type: "number" enum: - 0 - 1 additionalProperties: true Vulnerabilities_Containers_Response_Schema: properties: startTime: type: "string" vulnId: type: "string" imageId: type: "string" evalCtx: type: "object" evalGuid: type: "string" featureKey: type: "object" featureProps: type: "object" packageStatus: type: "string" fixInfo: type: "object" severity: type: "string" status: type: "string" props: type: "object" riskScore: type: "number" deprecated: true riskInfo: type: "object" deprecated: true cveRiskScore: type: "number" cveRiskInfo: type: "object" imageRiskScore: type: "number" imageRiskInfo: type: "object" additionalProperties: true Vulnerabilities_Hosts_Response_Schema: properties: startTime: type: "string" endTime: type: "string" vulnId: type: "string" mid: type: "string" machineTags: type: "object" evalCtx: type: "object" evalGuid: type: "string" featureKey: type: "object" packageStatus: type: "string" severity: type: "string" fixInfo: type: "object" status: type: "string" cveProps: type: "object" props: type: "object" riskScore: type: "number" deprecated: true riskInfo: type: "object" deprecated: true cveRiskScore: type: "number" cveRiskInfo: type: "object" hostRiskScore: type: "number" hostRiskInfo: type: "object" additionalProperties: true Vulnerabilities_ImageSummary_Response_Schema: properties: startTime: type: "string" imageId: type: "string" imageDigest: type: "string" imageRegistry: type: "string" imageCreatedTime: type: "string" imageRepo: type: "string" imageScanStatus: type: "string" imageScanRank: type: "string" evalGuid: type: "string" evalType: type: "string" evalStatus: type: "string" ndvContainers: type: "number" numExceptions: type: "number" numFixes: type: "number" numVulnerabilities: type: "number" additionalProperties: true VulnerabilityExceptions_Container_Create_Schema: allOf: - $ref: "#/components/schemas/VulnerabilityExceptions_Container_Update_Schema" - type: "object" required: - "exceptionName" - "exceptionType" - "exceptionReason" - "vulnerabilityCriteria" - "props" properties: exceptionType: description: "Exception Type" type: "string" enum: - "Container" VulnerabilityExceptions_Container_Response_Schema: allOf: - $ref: "#/components/schemas/VulnerabilityExceptions_Container_Create_Schema" - type: "object" properties: exceptionGuid: description: "Vulnerability Exception ID" type: "string" createdTime: description: "The time and date when the vulnerability exception was created." type: "string" updatedTime: description: "The time and date when the vulnerability exception was last\ \ updated." type: "string" additionalProperties: true VulnerabilityExceptions_Container_Update_Schema: properties: exceptionName: description: "Name of the exception." type: "string" pattern: "(?!^ +$)^.+$" minLength: 1 exceptionReason: description: "Reason for creating an exception" type: "string" enum: - "False Positive" - "Accepted Risk" - "Compensating Controls" - "Fix Pending" - "Other" resourceScope: type: "object" description: "The set of resources this exception can apply to. The data\ \ varies based on the value of the `exceptionType` attribute." minProperties: 1 properties: imageId: type: "array" description: "The SHA-256 hash that was generated for the container\ \ image. For example, `sha256:ex4ampl3`." minItems: 1 items: type: "string" pattern: "^\\S*$" imageTag: type: "array" description: "The container image tag." minItems: 1 items: type: "string" registry: type: "array" description: "The container registry." minItems: 1 items: type: "string" repository: type: "array" description: "The container repository." minItems: 1 items: type: "string" namespace: type: "array" description: "The namespace for the package distribution (for example,\ \ an operating system or language package)." minItems: 1 items: type: "string" vulnerabilityCriteria: type: "object" description: "When sending a request, use this object to define the criteria\ \ of the vulnerability to be excluded. The criteria value changes depending\ \ on the type of criteria selected." minProperties: 1 properties: cve: type: "array" description: "The vulnerability (CVE) ID that you want to constrain\ \ the exception to. You can provide multiple IDs.\n\n" minItems: 1 items: type: "string" package: type: "array" description: "The package name (for example, an operating system or\ \ language package). This can include a version number. You can provide\ \ multiple package names." minItems: 1 items: type: "object" severity: type: "array" description: "The severity levels of the vulnerability to constrain\ \ the exception to a **Critical**, **High**, **Medium**, **Low**,\ \ or **Info** vulnerability. You can provide multiple severity levels.\ \ You can provide multiple severity levels." minItems: 1 items: type: "string" enum: - "Info" - "Low" - "Medium" - "High" - "Critical" fixable: type: "array" description: "When sending a request, set to `True` or `False` to constrain\ \ the exception to a fixable or non-fixable vulnerability." minItems: 1 items: type: "number" enum: - 0 - 1 expiryTime: description: "The exception's expiration date and time." type: "string" state: description: "State" type: "number" enum: - 1 props: type: "object" description: "The vulnerability exception's properties." properties: description: type: "string" description: "A brief description of the exception creation." createdBy: type: "string" description: "The user who creates the exception." updatedBy: type: "string" description: "The user who updates the exception." VulnerabilityExceptions_Create_Schema: oneOf: - $ref: "#/components/schemas/VulnerabilityExceptions_Container_Create_Schema" - $ref: "#/components/schemas/VulnerabilityExceptions_Host_Create_Schema" discriminator: propertyName: "exceptionType" mapping: Container: "#/components/schemas/VulnerabilityExceptions_Container_Create_Schema" Host: "#/components/schemas/VulnerabilityExceptions_Host_Create_Schema" VulnerabilityExceptions_Host_Create_Schema: allOf: - $ref: "#/components/schemas/VulnerabilityExceptions_Host_Update_Schema" - type: "object" required: - "exceptionName" - "exceptionType" - "exceptionReason" - "vulnerabilityCriteria" - "props" properties: exceptionType: description: "Exception Type" type: "string" enum: - "Host" VulnerabilityExceptions_Host_Response_Schema: allOf: - $ref: "#/components/schemas/VulnerabilityExceptions_Host_Create_Schema" - type: "object" properties: exceptionGuid: description: "Vulnerability Exception ID" type: "string" createdTime: description: "The time and date when the vulnerability exception was created." type: "string" updatedTime: description: "The time and date when the vulnerability exception was last\ \ updated." type: "string" additionalProperties: true VulnerabilityExceptions_Host_Update_Schema: properties: exceptionName: description: "Name of the exception." type: "string" pattern: "(?!^ +$)^.+$" minLength: 1 exceptionReason: description: "Reason for creating an exception" type: "string" enum: - "False Positive" - "Accepted Risk" - "Compensating Controls" - "Fix Pending" - "Other" resourceScope: type: "object" description: "The set of resources this exception can apply to. The data\ \ varies based on the value of the `exceptionType` attribute." minProperties: 1 properties: hostname: type: "array" description: "The hostname of the machine." minItems: 1 items: type: "string" externalIp: type: "array" description: "The external IP address." minItems: 1 items: type: "string" clusterName: type: "array" description: "The cluster name for the group of hosts." minItems: 1 items: type: "string" namespace: type: "array" description: "The namespace for the package distribution (for example,\ \ an operating system or language package)." minItems: 1 items: type: "string" vulnerabilityCriteria: type: "object" description: "When sending a request, use this object to define the criteria\ \ of the vulnerability to be excluded. The criteria value changes depending\ \ on the type of criteria selected." minProperties: 1 properties: cve: type: "array" description: "The vulnerability (CVE) ID that you want to constrain\ \ the exception to. You can provide multiple IDs." minItems: 1 items: type: "string" package: type: "array" description: "The package name (for example, an operating system or\ \ language package). This can include a version number. You can provide\ \ multiple package names." minItems: 1 items: type: "object" severity: type: "array" description: "The severity constrains the vulnerability severity levels\ \ for an exception, from **Critical**, **High**, **Medium**, **Low**,\ \ or **Info**. You can provide multiple severity levels." minItems: 1 items: type: "string" enum: - "Info" - "Low" - "Medium" - "High" - "Critical" fixable: type: "array" description: "When sending a request, set to `True` or `False` to constrain\ \ the exception to a fixable or non-fixable vulnerability.\n\n" minItems: 1 items: type: "number" enum: - 0 - 1 expiryTime: description: "The exception's expiration date and time." type: "string" state: description: "State" type: "number" enum: - 1 props: type: "object" description: "The vulnerability exception's properties." properties: description: type: "string" description: "A brief description of the exception creation." createdBy: type: "string" description: "The user who creates the exception." updatedBy: type: "string" description: "The user who updates the exception." VulnerabilityExceptions_Response_Schema: oneOf: - $ref: "#/components/schemas/VulnerabilityExceptions_Container_Response_Schema" - $ref: "#/components/schemas/VulnerabilityExceptions_Host_Response_Schema" discriminator: propertyName: "exceptionType" mapping: Container: "#/components/schemas/VulnerabilityExceptions_Container_Response_Schema" Host: "#/components/schemas/VulnerabilityExceptions_Host_Response_Schema" VulnerabilityExceptions_Update_Schema: oneOf: - $ref: "#/components/schemas/VulnerabilityExceptions_Container_Update_Schema" - $ref: "#/components/schemas/VulnerabilityExceptions_Host_Update_Schema" discriminator: propertyName: "exceptionType" mapping: Container: "#/components/schemas/VulnerabilityExceptions_Container_Update_Schema" Host: "#/components/schemas/VulnerabilityExceptions_Host_Update_Schema" VulnerabilityObservationsHostsSearchRequestBody: description: "Request body for searching Host Vulnerability Observations, specifying\ \ allowed filter fields and their values." allOf: - $ref: "#/components/schemas/RETURN_FIELDS" - type: "object" properties: filters: type: "array" description: "One or more condition statements you can use to refine the\ \ data returned by the request. Only records that satisfy filtering\ \ conditions are returned. If there are multiple conditions, a record\ \ must satisfy all conditions for a match." items: oneOf: - $ref: "#/components/schemas/FilterItemaccountAlias" - $ref: "#/components/schemas/FilterItemaccountId" - $ref: "#/components/schemas/FilterItemagentLastDiscoveredTime" - $ref: "#/components/schemas/FilterItemagentlessLastDiscoveredTime" - $ref: "#/components/schemas/FilterItemavdEnabled" - $ref: "#/components/schemas/FilterItemcloudProvider" - $ref: "#/components/schemas/FilterItemcoverageType" - $ref: "#/components/schemas/FilterItemcvssAttackComplexity" - $ref: "#/components/schemas/FilterItemcvssAttackVector" - $ref: "#/components/schemas/FilterItemcvssAuthentication" - $ref: "#/components/schemas/FilterItemcvssAvailability" - $ref: "#/components/schemas/FilterItemcvssConfidentiality" - $ref: "#/components/schemas/FilterItemcvssExploitabilityScore" - $ref: "#/components/schemas/FilterItemcvssImpactScore" - $ref: "#/components/schemas/FilterItemcvssIntegrity" - $ref: "#/components/schemas/FilterItemcvssPrivilegesRequired" - $ref: "#/components/schemas/FilterItemcvssScope" - $ref: "#/components/schemas/FilterItemcvssScore" - $ref: "#/components/schemas/FilterItemcvssUserInteraction" - $ref: "#/components/schemas/FilterItemcvssVectorString" - $ref: "#/components/schemas/FilterItemcvssVersion" - $ref: "#/components/schemas/FilterItemexternalIp" - $ref: "#/components/schemas/FilterItemfixVersion" - $ref: "#/components/schemas/FilterItemfixable" - $ref: "#/components/schemas/FilterItemhostAvdEnabledLastDiscoveredTime" - $ref: "#/components/schemas/FilterItemhostFirstDiscoveredTime" - $ref: "#/components/schemas/FilterItemhostIpPropsLastDiscoveredTime" - $ref: "#/components/schemas/FilterItemhostLastDiscoveredTime" - $ref: "#/components/schemas/FilterItemhostLastEvalTime" - $ref: "#/components/schemas/FilterItemhostMachineId" - $ref: "#/components/schemas/FilterItemhostName" - $ref: "#/components/schemas/FilterItemhostRiskScore" - $ref: "#/components/schemas/FilterItemhostRiskScoreLastUpdated" - $ref: "#/components/schemas/FilterIteminternalIp" - $ref: "#/components/schemas/FilterIteminternetExposed" - $ref: "#/components/schemas/FilterIteminternetExposedLastUpdated" - $ref: "#/components/schemas/FilterItemmachineImage" - $ref: "#/components/schemas/FilterItemmachineStatus" - $ref: "#/components/schemas/FilterItemmachineStatusLastDiscoveredTime" - $ref: "#/components/schemas/FilterItemmachineTags" - $ref: "#/components/schemas/FilterItemobservationFirstDiscoveredTime" - $ref: "#/components/schemas/FilterItemobservationFixedTime" - $ref: "#/components/schemas/FilterItemobservationLastDiscoveredTime" - $ref: "#/components/schemas/FilterItemobservationStatus" - $ref: "#/components/schemas/FilterItemobservationStatusCategory" - $ref: "#/components/schemas/FilterItemobservationVulnerableSinceTime" - $ref: "#/components/schemas/FilterItemorganizationId" - $ref: "#/components/schemas/FilterItemosEolDate" - $ref: "#/components/schemas/FilterItemosName" - $ref: "#/components/schemas/FilterItemosNamespace" - $ref: "#/components/schemas/FilterItemosOutOfDate" - $ref: "#/components/schemas/FilterItemosRebootRequired" - $ref: "#/components/schemas/FilterItemosType" - $ref: "#/components/schemas/FilterItemosUpdatesDisabled" - $ref: "#/components/schemas/FilterItemosVersion" - $ref: "#/components/schemas/FilterItempackageLastActiveTime" - $ref: "#/components/schemas/FilterItempackageName" - $ref: "#/components/schemas/FilterItempackageNamespace" - $ref: "#/components/schemas/FilterItempackagePath" - $ref: "#/components/schemas/FilterItempackageStatus" - $ref: "#/components/schemas/FilterItempackageVersion" - $ref: "#/components/schemas/FilterItempublicFacing" - $ref: "#/components/schemas/FilterItemseverity" - $ref: "#/components/schemas/FilterItemvulnId" - $ref: "#/components/schemas/FilterItemvulnLink" - $ref: "#/components/schemas/FilterItemvulnPublicExploitAvailable" - $ref: "#/components/schemas/FilterItemvulnPublicExploitDate" - $ref: "#/components/schemas/FilterItemzone" VulnerabilityObservationsImagesSearchRequestBody: description: "Request body for searching Image Vulnerability Observations, specifying\ \ allowed filter fields and their values." allOf: - $ref: "#/components/schemas/RETURN_FIELDS" - type: "object" properties: filters: type: "array" description: "One or more condition statements you can use to refine the\ \ data returned by the request. Only records that satisfy filtering\ \ conditions are returned. If there are multiple conditions, a record\ \ must satisfy all conditions for a match." items: oneOf: - $ref: "#/components/schemas/FilterItemactiveContainerCount" - $ref: "#/components/schemas/FilterItemcvssAttackComplexity" - $ref: "#/components/schemas/FilterItemcvssAttackVector" - $ref: "#/components/schemas/FilterItemcvssAuthentication" - $ref: "#/components/schemas/FilterItemcvssAvailability" - $ref: "#/components/schemas/FilterItemcvssConfidentiality" - $ref: "#/components/schemas/FilterItemcvssExploitabilityScore" - $ref: "#/components/schemas/FilterItemcvssImpactScore" - $ref: "#/components/schemas/FilterItemcvssIntegrity" - $ref: "#/components/schemas/FilterItemcvssPrivilegesRequired" - $ref: "#/components/schemas/FilterItemcvssScope" - $ref: "#/components/schemas/FilterItemcvssScore" - $ref: "#/components/schemas/FilterItemcvssUserInteraction" - $ref: "#/components/schemas/FilterItemcvssVectorString" - $ref: "#/components/schemas/FilterItemcvssVersion" - $ref: "#/components/schemas/FilterItemfixVersion" - $ref: "#/components/schemas/FilterItemfixable" - $ref: "#/components/schemas/FilterItemhasActiveContainers" - $ref: "#/components/schemas/FilterItemhasAvdEnabledContainers" - $ref: "#/components/schemas/FilterItemimageCreatedTime" - $ref: "#/components/schemas/FilterItemimageDigests" - $ref: "#/components/schemas/FilterItemimageFirstDiscoveredTime" - $ref: "#/components/schemas/FilterItemimageId" - $ref: "#/components/schemas/FilterItemimageLastDiscoveredTime" - $ref: "#/components/schemas/FilterItemimageLastScanTime" - $ref: "#/components/schemas/FilterItemimageLatestScanSuccessful" - $ref: "#/components/schemas/FilterItemimageLatestSuccessfulScanTime" - $ref: "#/components/schemas/FilterItemimageNames" - $ref: "#/components/schemas/FilterItemimageRegistries" - $ref: "#/components/schemas/FilterItemimageRepositories" - $ref: "#/components/schemas/FilterItemimageRequestSources" - $ref: "#/components/schemas/FilterItemimageRiskScore" - $ref: "#/components/schemas/FilterItemimageRiskScoreLastUpdated" - $ref: "#/components/schemas/FilterItemimageScanErrorMessage" - $ref: "#/components/schemas/FilterItemimageScanStatus" - $ref: "#/components/schemas/FilterItemimageSize" - $ref: "#/components/schemas/FilterItemimageTags" - $ref: "#/components/schemas/FilterItemimageType" - $ref: "#/components/schemas/FilterIteminternetExposed" - $ref: "#/components/schemas/FilterIteminternetExposedLastUpdated" - $ref: "#/components/schemas/FilterItemobservationFirstDiscoveredTime" - $ref: "#/components/schemas/FilterItemobservationFixedTime" - $ref: "#/components/schemas/FilterItemobservationLastDiscoveredTime" - $ref: "#/components/schemas/FilterItemobservationStatus" - $ref: "#/components/schemas/FilterItemobservationStatusCategory" - $ref: "#/components/schemas/FilterItemobservationVulnerableSinceTime" - $ref: "#/components/schemas/FilterItemos" - $ref: "#/components/schemas/FilterItempackageLastActiveTime" - $ref: "#/components/schemas/FilterItempackageName" - $ref: "#/components/schemas/FilterItempackageNamespace" - $ref: "#/components/schemas/FilterItempackagePath" - $ref: "#/components/schemas/FilterItempackageStatus" - $ref: "#/components/schemas/FilterItempackageVersion" - $ref: "#/components/schemas/FilterItemseverity" - $ref: "#/components/schemas/FilterItemvulnId" - $ref: "#/components/schemas/FilterItemvulnLink" - $ref: "#/components/schemas/FilterItemvulnPublicExploitAvailable" - $ref: "#/components/schemas/FilterItemvulnPublicExploitDate" VulnerabilityObservations_Hosts_Response_Schema: properties: hostMachineId: type: "string" hostFirstDiscoveredTime: type: "number" hostLastDiscoveredTime: type: "number" agentLastDiscoveredTime: type: "number" agentlessLastDiscoveredTime: type: "number" hostName: type: "string" hostRiskScore: type: "number" osNamespace: type: "string" osName: type: "string" osVersion: type: "string" osType: type: "string" osOutOfDate: type: "number" osUpdatesDisabled: type: "number" osRebootRequired: type: "number" osEolDate: type: "string" externalIp: type: "string" internalIp: type: "string" publicFacing: type: "number" internetExposed: type: "number" internetExposedLastUpdated: type: "number" zone: type: "string" machineImage: type: "string" machineTags: type: "string" coverageType: type: "string" avdEnabled: type: "number" hostLastEvalTime: type: "number" accountId: type: "string" accountAlias: type: "string" organizationId: type: "string" cloudProvider: type: "string" packageLastActiveTime: type: "number" observationFixedTime: type: "number" observationVulnerableSinceTime: type: "number" vulnId: type: "string" packageName: type: "string" packageNamespace: type: "string" packageVersion: type: "string" packagePath: type: "string" fixable: type: "number" fixVersion: type: "string" observationFirstDiscoveredTime: type: "number" observationLastDiscoveredTime: type: "number" vulnLink: type: "string" cvssExploitabilityScore: type: "number" cvssImpactScore: type: "number" cvssScore: type: "number" cvssVectorString: type: "string" cvssVersion: type: "string" cvssAttackVector: type: "string" cvssAttackComplexity: type: "string" cvssPrivilegesRequired: type: "string" cvssAuthentication: type: "string" cvssUserInteraction: type: "string" cvssScope: type: "string" cvssConfidentiality: type: "string" cvssIntegrity: type: "string" cvssAvailability: type: "string" vulnPublicExploitDate: type: "number" vulnPublicExploitAvailable: type: "number" machineStatus: type: "string" observationStatus: type: "string" observationStatusCategory: type: "string" packageStatus: type: "string" severity: type: "string" additionalProperties: true VulnerabilityObservations_ImageSummary_Response_Schema: properties: imageId: type: "string" registry: type: "string" repository: type: "string" tag: type: "string" digest: type: "string" lastScanTime: type: "string" scanStatus: type: "string" containerCount: type: "number" vulnCountCritical: type: "number" vulnCountHigh: type: "number" vulnCountMedium: type: "number" vulnCountLow: type: "number" vulnCountInfo: type: "number" vulnCountCriticalFixable: type: "number" vulnCountHighFixable: type: "number" vulnCountMediumFixable: type: "number" vulnCountLowFixable: type: "number" vulnCountInfoFixable: type: "number" additionalProperties: true VulnerabilityObservations_Images_Response_Schema: properties: imageId: type: "string" imageDigests: type: "string" imageNames: type: "string" os: type: "string" imageSize: type: "number" imageRegistries: type: "string" imageRepositories: type: "string" imageRiskScore: type: "number" internetExposed: type: "number" internetExposedLastUpdated: type: "number" imageLastScanTime: type: "number" imageCreatedTime: type: "number" imageType: type: "string" imageTags: type: "string" imageScanStatus: type: "string" imageScanErrorMessage: type: "string" imageLatestScanSuccessful: type: "number" imageLatestSuccessfulScanTime: type: "number" imageRequestSources: type: "string" imageFirstDiscoveredTime: type: "number" imageLastDiscoveredTime: type: "number" hasAvdEnabledContainers: type: "number" activeContainerCount: type: "number" hasActiveContainers: type: "number" packageLastActiveTime: type: "number" observationFixedTime: type: "number" observationVulnerableSinceTime: type: "number" vulnId: type: "string" packageName: type: "string" packageNamespace: type: "string" packageVersion: type: "string" packagePath: type: "string" fixable: type: "number" fixVersion: type: "string" observationFirstDiscoveredTime: type: "number" observationLastDiscoveredTime: type: "number" vulnLink: type: "string" cvssExploitabilityScore: type: "number" cvssImpactScore: type: "number" cvssScore: type: "number" cvssVectorString: type: "string" cvssVersion: type: "string" cvssAttackVector: type: "string" cvssAttackComplexity: type: "string" cvssPrivilegesRequired: type: "string" cvssAuthentication: type: "string" cvssUserInteraction: type: "string" cvssScope: type: "string" cvssConfidentiality: type: "string" cvssIntegrity: type: "string" cvssAvailability: type: "string" vulnPublicExploitDate: type: "number" vulnPublicExploitAvailable: type: "number" observationStatus: type: "string" observationStatusCategory: type: "string" packageStatus: type: "string" severity: type: "string" additionalProperties: true VulnerabilityPolicies_CVE: type: "object" minProperties: 1 properties: cveIds: type: "array" description: "The CVE ID full name(s), such as CVE-2019-01234, CVE-2019-5678.\ \ You can specify multiple values but they will be considered as \"or\"\ \ values (rather than \"and\")." minItems: 1 items: type: "string" pattern: "(?!^ +$)^.+$" packageNames: type: "array" minItems: 1 items: type: "string" pattern: "(?!^ +$)^.+$" severityInfo: $ref: "#/components/schemas/VulnerabilityPolicies_severityFilter" description: "The CVE’s severity ranking, which is assigned by the vendor\ \ or computed from CVSS v3 or CVSS v2 scores (in that order of precedence)." severityLow: $ref: "#/components/schemas/VulnerabilityPolicies_severityFilter" description: "Contains only vulnerabilities with a low severity level." severityMedium: $ref: "#/components/schemas/VulnerabilityPolicies_severityFilter" description: "Contains only vulnerabilities with a medium severity level." severityHigh: $ref: "#/components/schemas/VulnerabilityPolicies_severityFilter" description: "Contains only vulnerabilities with a high severity level." severityCritical: $ref: "#/components/schemas/VulnerabilityPolicies_severityFilter" description: "Contains only vulnerabilities with a critical severity level." VulnerabilityPolicies_CVE_Create_Schema: allOf: - $ref: "#/components/schemas/VulnerabilityPolicies_CVE_Update_Schema" - type: "object" required: - "policyName" - "policyType" - "severity" - "filter" - "state" - "props" properties: {} description: "CVE Policy" VulnerabilityPolicies_CVE_Response_Schema: allOf: - $ref: "#/components/schemas/VulnerabilityPolicies_CVE_Create_Schema" - type: "object" properties: policyGuid: description: "Vulnerability Policy ID" type: "string" createdTime: description: "The time and date when the vulnerability policy was created." type: "string" updatedTime: description: "The time and date when the vulnerability policy was last\ \ updated." type: "string" isDefault: description: "Returns `1` if this is a default vulnerability policy. Otherwise,\ \ returns `0`." type: "number" enum: - 0 - 1 additionalProperties: true VulnerabilityPolicies_CVE_Update_Schema: properties: policyType: description: "The policy type such as `DockerFile`, `DockerConfig`, or `Image`." type: "string" enum: - "CVE" policyName: description: "Name of the policy." type: "string" pattern: "(?!^ +$)^.+$" minLength: 1 policyEvalType: description: "The evaluation type to use for the policy. The default value\ \ is `local`." type: "string" default: "local" enum: - "local" severity: description: "The severity level of the policy; Info, Low, Medium, High,\ \ or Critical." type: "string" enum: - "Critical" - "High" - "Medium" - "Low" - "Info" failOnViolation: description: "When sending a request, use this attribute to define what\ \ action is taken when a policy failure occurs. Set to `1` to permits\ \ container image deployment to continue even when the policy fails. Set\ \ to `0` to blocks container image deployment when the policy fails." type: "number" default: 0 enum: - 0 - 1 alertOnViolation: description: "When sending a request, set to `1` if you want to send alerts\ \ to an alert profile when a violation is detected. Set to `0` if you\ \ want to mute alerts when a violation is detected." type: "number" default: 0 enum: - 0 - 1 state: description: "When sending a request, set to `1` to enable the policy. Set\ \ to `0` to disable the policy." type: "number" enum: - 0 - 1 filter: $ref: "#/components/schemas/VulnerabilityPolicies_CVE" description: "A set of filters that you can use to refine your search results\ \ when searching for policies. The data varies based on the value of the\ \ `policyType` attribute." props: type: "object" description: "The vulnerability policy's properties." properties: description: type: "string" description: "A brief description of the policy creation." createdBy: type: "string" description: "The user who creates the policy." updatedBy: type: "string" description: "The user who updates the policy." description: "CVE Policy" VulnerabilityPolicies_Create_Schema: oneOf: - $ref: "#/components/schemas/VulnerabilityPolicies_DockerFile_Create_Schema" - $ref: "#/components/schemas/VulnerabilityPolicies_DockerConfig_Create_Schema" - $ref: "#/components/schemas/VulnerabilityPolicies_Image_Create_Schema" - $ref: "#/components/schemas/VulnerabilityPolicies_File_Create_Schema" - $ref: "#/components/schemas/VulnerabilityPolicies_CVE_Create_Schema" discriminator: propertyName: "policyType" mapping: DockerFile: "#/components/schemas/VulnerabilityPolicies_DockerFile_Create_Schema" DockerConfig: "#/components/schemas/VulnerabilityPolicies_DockerConfig_Create_Schema" Image: "#/components/schemas/VulnerabilityPolicies_Image_Create_Schema" File: "#/components/schemas/VulnerabilityPolicies_File_Create_Schema" CVE: "#/components/schemas/VulnerabilityPolicies_CVE_Create_Schema" VulnerabilityPolicies_DockerConfig: type: "object" required: - "operator" - "values" properties: operator: type: "string" description: "The search operator such as `include`, `exclude`, `equals`,\ \ or `notEquals`." enum: - "include" - "exclude" - "equals" - "notEquals" values: type: "array" description: "A list of search values you want to use." minItems: 1 items: type: "object" required: - "key" - "value" properties: key: type: "string" pattern: "(?!^ +$)^.+$" value: type: "string" VulnerabilityPolicies_DockerConfig_Create_Schema: allOf: - $ref: "#/components/schemas/VulnerabilityPolicies_DockerConfig_Update_Schema" - type: "object" required: - "policyName" - "policyType" - "severity" - "filter" - "state" - "props" properties: {} description: "Docker Config Policy" VulnerabilityPolicies_DockerConfig_Response_Schema: allOf: - $ref: "#/components/schemas/VulnerabilityPolicies_DockerConfig_Create_Schema" - type: "object" properties: policyGuid: description: "Vulnerability Policy ID" type: "string" createdTime: description: "The time and date when the vulnerability policy was created." type: "string" updatedTime: description: "The time and date when the vulnerability policy was last\ \ updated." type: "string" isDefault: description: "Returns `1` if this is a default vulnerability policy. Otherwise,\ \ returns `0`." type: "number" enum: - 0 - 1 additionalProperties: true VulnerabilityPolicies_DockerConfig_Update_Schema: properties: policyType: description: "The policy type such as `DockerFile`, `DockerConfig`, or `Image`." type: "string" enum: - "DockerConfig" policyName: description: "Name of the policy." type: "string" pattern: "(?!^ +$)^.+$" minLength: 1 policyEvalType: description: "The evaluation type to use for the policy. The default value\ \ is `local`." type: "string" default: "local" enum: - "local" severity: description: "The severity level of the policy; Info, Low, Medium, High,\ \ or Critical." type: "string" enum: - "Critical" - "High" - "Medium" - "Low" - "Info" failOnViolation: description: "When sending a request, use this attribute to define what\ \ action is taken when a policy failure occurs. Set to `1` to permit container\ \ image deployment to continue even when the policy fails. Set to `0`\ \ to block container image deployment when the policy fails." type: "number" default: 0 enum: - 0 - 1 alertOnViolation: description: "When sending a request, set to `1` if you want to send alerts\ \ to an alert profile when a violation is detected. Set to `0` if you\ \ want to mute alerts when a violation is detected." type: "number" default: 0 enum: - 0 - 1 state: description: "When sending a request, set to `1` to enable the policy. Set\ \ to `0` to disable the policy." type: "number" enum: - 0 - 1 filter: $ref: "#/components/schemas/VulnerabilityPolicies_DockerConfig" description: "A set of filters that you can use to refine your search results\ \ when searching for policies. The data varies based on the value of the\ \ `policyType` attribute." props: type: "object" description: "The vulnerability policy's properties." properties: description: type: "string" description: "A brief description of the policy creation." createdBy: type: "string" description: "The user who creates the policy." updatedBy: type: "string" description: "The user who updates the policy." description: "Docker Config Policy" VulnerabilityPolicies_DockerFile: allOf: - $ref: "#/components/schemas/VulnerabilityPolicies_filterObject" VulnerabilityPolicies_DockerFile_Create_Schema: allOf: - $ref: "#/components/schemas/VulnerabilityPolicies_DockerFile_Update_Schema" - type: "object" required: - "policyName" - "policyType" - "severity" - "filter" - "state" - "props" properties: {} description: "Docker File Policy" VulnerabilityPolicies_DockerFile_Response_Schema: allOf: - $ref: "#/components/schemas/VulnerabilityPolicies_DockerFile_Create_Schema" - type: "object" properties: policyGuid: description: "Vulnerability Policy ID" type: "string" createdTime: description: "The time and date when the vulnerability policy was created." type: "string" updatedTime: description: "The time and date when the vulnerability policy was last\ \ updated." type: "string" isDefault: description: "Returns `1` if this is a default vulnerability policy. Otherwise,\ \ returns `0`." type: "number" enum: - 0 - 1 additionalProperties: true VulnerabilityPolicies_DockerFile_Update_Schema: properties: policyType: description: "The policy type such as `DockerFile`, `DockerConfig`, or `Image`." type: "string" enum: - "DockerFile" policyName: description: "Name of the policy." type: "string" pattern: "(?!^ +$)^.+$" minLength: 1 policyEvalType: description: "The evaluation type to use for the policy. The default value\ \ is `local`." type: "string" default: "local" enum: - "local" severity: description: "The severity level of the policy; Info, Low, Medium, High,\ \ or Critical." type: "string" enum: - "Critical" - "High" - "Medium" - "Low" - "Info" failOnViolation: description: "When sending a request, use this attribute to define what\ \ action is taken when a policy failure occurs. Set to `1` to permit container\ \ image deployment to continue even when the policy fails. Set to `0`\ \ to block container image deployment when the policy fails." type: "number" default: 0 enum: - 0 - 1 alertOnViolation: description: "When sending a request, set to `1` if you want to send alerts\ \ to an alert profile when a violation is detected. Set to `0` if you\ \ want to mute alerts when a violation is detected." type: "number" default: 0 enum: - 0 - 1 state: description: "When sending a request, set to `1` to enable the policy. Set\ \ to `0` to disable the policy." type: "number" enum: - 0 - 1 filter: $ref: "#/components/schemas/VulnerabilityPolicies_DockerFile" description: "A set of filters that you can use to refine your search results\ \ when searching for policies. The data varies based on the value of the\ \ `policyType` attribute." props: type: "object" description: "The vulnerability policy's properties." properties: description: type: "string" description: "A brief description of the policy creation." createdBy: type: "string" description: "The user who creates the policy." updatedBy: type: "string" description: "The user who updates the policy." description: "Docker File Policy" VulnerabilityPolicies_File: type: "object" required: - "fileType" - "pathPrefix" - "fileNameFilter" - "fileContentFilter" - "filePermissionFilter" properties: fileType: type: "string" description: "The file type such as `EXE`, `DockerFile`." enum: - "EXE" - "DockerFile" - "ALL" pathPrefix: type: "string" description: "The file path's prefix such as `LW_FIM`." pattern: "(?!^ +$)^.+$" minLength: 1 fileNameFilter: $ref: "#/components/schemas/VulnerabilityPolicies_filterObject" description: "Filter by file names." fileContentFilter: $ref: "#/components/schemas/VulnerabilityPolicies_filterObject" filePermissionFilter: type: "object" description: "Filter by file permissions." required: - "executable" - "writable" - "symlink" - "setUid" - "setGid" properties: executable: $ref: "#/components/schemas/VulnerabilityPolicies_permissionFilter" description: "The executable permission." writable: $ref: "#/components/schemas/VulnerabilityPolicies_permissionFilter" description: "The writable permission." symlink: $ref: "#/components/schemas/VulnerabilityPolicies_permissionFilter" description: "The symbolic link permission." setUid: $ref: "#/components/schemas/VulnerabilityPolicies_permissionFilter" description: "SetUID is a Linux file permission setting that allows\ \ a user to execute that file or program with the permission of the\ \ owner of that file." setGid: $ref: "#/components/schemas/VulnerabilityPolicies_permissionFilter" description: "The SetGID permission is similar to the SetGUID permission.\ \ The process's effective group ID (GID) is changed to the group that\ \ owns the file, and a user is granted access based on the permissions\ \ that are granted to that group.\n\n" VulnerabilityPolicies_File_Create_Schema: allOf: - $ref: "#/components/schemas/VulnerabilityPolicies_File_Update_Schema" - type: "object" required: - "policyName" - "policyType" - "severity" - "filter" - "state" - "props" properties: {} description: "File Policy" VulnerabilityPolicies_File_Response_Schema: allOf: - $ref: "#/components/schemas/VulnerabilityPolicies_File_Create_Schema" - type: "object" properties: policyGuid: description: "Vulnerability Policy ID" type: "string" createdTime: description: "The time and date when the vulnerability policy was created." type: "string" updatedTime: description: "The time and date when the vulnerability policy was last\ \ updated." type: "string" isDefault: description: "Returns `1` if this is a default vulnerability policy. Otherwise,\ \ returns `0`." type: "number" enum: - 0 - 1 additionalProperties: true VulnerabilityPolicies_File_Update_Schema: properties: policyType: description: "The policy type such as `DockerFile`, `DockerConfig`, or `Image`." type: "string" enum: - "File" policyName: description: "Name of the policy." type: "string" pattern: "(?!^ +$)^.+$" minLength: 1 policyEvalType: description: "The evaluation type to use for the policy. The default value\ \ is `local`." type: "string" default: "local" enum: - "local" severity: description: "The severity level of the policy; Info, Low, Medium, High,\ \ or Critical." type: "string" enum: - "Critical" - "High" - "Medium" - "Low" - "Info" failOnViolation: description: "When sending a request, use this attribute to define what\ \ action is taken when a policy failure occurs. Set to `1` to permits\ \ container image deployment to continue even when the policy fails. Set\ \ to `0` to blocks container image deployment when the policy fails." type: "number" default: 0 enum: - 0 - 1 alertOnViolation: description: "When sending a request, set to `1` if you want to send alerts\ \ to an alert profile when a violation is detected. Set to `0` if you\ \ want to mute alerts when a violation is detected." type: "number" default: 0 enum: - 0 - 1 state: description: "When sending a request, set to `1` to enable the policy. Set\ \ to `0` to disable the policy." type: "number" enum: - 0 - 1 filter: $ref: "#/components/schemas/VulnerabilityPolicies_File" description: "A set of filters that you can use to refine your search results\ \ when searching for policies. The data varies based on the value of the\ \ `policyType` attribute." props: type: "object" description: "The vulnerability policy's properties." properties: description: type: "string" description: "A brief description of the policy creation." createdBy: type: "string" description: "The user who creates the policy." updatedBy: type: "string" description: "The user who updates the policy." description: "File Policy" VulnerabilityPolicies_Image: type: "object" minProperties: 1 properties: allowedLabelKey: $ref: "#/components/schemas/VulnerabilityPolicies_filterObject" allowedTag: $ref: "#/components/schemas/VulnerabilityPolicies_filterObject" description: "Filter vulnerability policies by image tags." VulnerabilityPolicies_Image_Create_Schema: allOf: - $ref: "#/components/schemas/VulnerabilityPolicies_Image_Update_Schema" - type: "object" required: - "policyName" - "policyType" - "severity" - "filter" - "state" - "props" properties: {} description: "Image Policy" VulnerabilityPolicies_Image_Response_Schema: allOf: - $ref: "#/components/schemas/VulnerabilityPolicies_Image_Create_Schema" - type: "object" properties: policyGuid: description: "Vulnerability Policy ID" type: "string" createdTime: description: "The time and date when the vulnerability policy was created." type: "string" updatedTime: description: "The time and date when the vulnerability policy was last\ \ updated." type: "string" isDefault: description: "Returns `1` if this is a default vulnerability policy. Otherwise,\ \ returns `0`." type: "number" enum: - 0 - 1 additionalProperties: true VulnerabilityPolicies_Image_Update_Schema: properties: policyType: description: "The policy type such as `DockerFile`, `DockerConfig`, or `Image`." type: "string" enum: - "Image" policyName: description: "Name of the policy." type: "string" pattern: "(?!^ +$)^.+$" minLength: 1 policyEvalType: description: "The evaluation type to use for the policy. The default value\ \ is `local`." type: "string" default: "local" enum: - "local" severity: description: "The severity level of the policy; Info, Low, Medium, High,\ \ or Critical." type: "string" enum: - "Critical" - "High" - "Medium" - "Low" - "Info" failOnViolation: description: "When sending a request, use this attribute to define what\ \ action is taken when a policy failure occurs. Set to `1` to permit container\ \ image deployment to continue even when the policy fails. Set to `0`\ \ to block container image deployment when the policy fails." type: "number" default: 0 enum: - 0 - 1 alertOnViolation: description: "When sending a request, set to `1` if you want to send alerts\ \ to an alert profile when a violation is detected. Set to `0` if you\ \ want to mute alerts when a violation is detected." type: "number" default: 0 enum: - 0 - 1 state: description: "When sending a request, set to `1` to enable the policy. Set\ \ to `0` to disable the policy." type: "number" enum: - 0 - 1 filter: $ref: "#/components/schemas/VulnerabilityPolicies_Image" description: "A set of filters that you can use to refine your search results\ \ when searching for policies. The data varies based on the value of the\ \ `policyType` attribute." props: type: "object" description: "The vulnerability policy's properties." properties: description: type: "string" description: "A brief description of the policy creation." createdBy: type: "string" description: "The user who creates the policy." updatedBy: type: "string" description: "The user who updates the policy." description: "Image Policy" VulnerabilityPolicies_Response_Schema: oneOf: - $ref: "#/components/schemas/VulnerabilityPolicies_DockerFile_Response_Schema" - $ref: "#/components/schemas/VulnerabilityPolicies_DockerConfig_Response_Schema" - $ref: "#/components/schemas/VulnerabilityPolicies_Image_Response_Schema" - $ref: "#/components/schemas/VulnerabilityPolicies_File_Response_Schema" - $ref: "#/components/schemas/VulnerabilityPolicies_CVE_Response_Schema" discriminator: propertyName: "policyType" mapping: DockerFile: "#/components/schemas/VulnerabilityPolicies_DockerFile_Response_Schema" DockerConfig: "#/components/schemas/VulnerabilityPolicies_DockerConfig_Response_Schema" Image: "#/components/schemas/VulnerabilityPolicies_Image_Response_Schema" File: "#/components/schemas/VulnerabilityPolicies_File_Response_Schema" CVE: "#/components/schemas/VulnerabilityPolicies_CVE_Response_Schema" VulnerabilityPolicies_Update_Schema: oneOf: - $ref: "#/components/schemas/VulnerabilityPolicies_DockerFile_Update_Schema" - $ref: "#/components/schemas/VulnerabilityPolicies_DockerConfig_Update_Schema" - $ref: "#/components/schemas/VulnerabilityPolicies_Image_Update_Schema" - $ref: "#/components/schemas/VulnerabilityPolicies_File_Update_Schema" - $ref: "#/components/schemas/VulnerabilityPolicies_CVE_Update_Schema" discriminator: propertyName: "policyType" mapping: DockerFile: "#/components/schemas/VulnerabilityPolicies_DockerFile_Update_Schema" DockerConfig: "#/components/schemas/VulnerabilityPolicies_DockerConfig_Update_Schema" Image: "#/components/schemas/VulnerabilityPolicies_Image_Update_Schema" File: "#/components/schemas/VulnerabilityPolicies_File_Update_Schema" CVE: "#/components/schemas/VulnerabilityPolicies_CVE_Update_Schema" VulnerabilityPolicies_filterObject: type: "object" required: - "rule" properties: rule: $ref: "#/components/schemas/VulnerabilityPolicies_internalFilter" description: "Filter by rules." exception: $ref: "#/components/schemas/VulnerabilityPolicies_internalFilter" description: "Filter vulnerability policies for Docker files by policy exceptions." VulnerabilityPolicies_internalFilter: type: "object" required: - "operator" - "values" properties: operator: type: "string" description: "The search operator such as `include`, `exclude`, `equals`,\ \ or `notEquals`." enum: - "include" - "exclude" - "equals" - "notEquals" values: type: "array" description: "A list of search values you want to use." minItems: 1 items: type: "string" pattern: "(?!^ +$)^.+$" VulnerabilityPolicies_permissionFilter: type: "object" required: - "allow" properties: allow: type: "number" description: "When sending a request, set to 1 to enable the executable\ \ permission. Set to 0 to disable the executable permission." exception: $ref: "#/components/schemas/VulnerabilityPolicies_internalFilter" description: "Filter vulnerability policies for Docker files by policy exceptions." VulnerabilityPolicies_severityFilter: type: "object" required: - "allowedCounts" - "allowedFixable" properties: allowedCounts: type: "number" description: "The number of vulnerabilities of that severity level that\ \ is allowed in your environment. `-1` means unlimited." allowedFixable: type: "number" description: "The number of fixable vulnerabilities of that severity level\ \ that is allowed in your environment. `-1` means unlimited. `0` means\ \ all fixable vulnerabilities must be addressed." Vulnerability_Container_Scan_Request_Body_Schema: required: - "registry" - "repository" - "tag" properties: registry: type: "string" description: "The container registry to be assessed." repository: type: "string" description: "The repository within the container registry to be assessed." tag: type: "string" description: "The identifier tag as `key:value` pairs." example: registry: "index.docker.io" repository: "yourDockerOrg/yourRepository" tag: "yourTag" Vulnerability_SW_Pkg_Scan_Request_Body_Schema: required: - "osPkgInfoList" properties: osPkgInfoList: type: "array" minItems: 1 description: "A list of supported OS types." items: type: "object" properties: os: type: "string" description: "The OS type." osVer: type: "string" description: "The OS version." pkg: type: "string" description: "The package name." pkgVer: type: "string" description: "The version of the package." example: osPkgInfoList: - os: "Ubuntu" osVer: "18.04" pkg: "openssl" pkgVer: "1.1.1-1ubuntu2.1~18.04.5" responses: response4XX: description: "Client Error" content: application/json: schema: type: "object" properties: message: type: "string" example: "Invalid ..." responseInternalError: description: "Internal Server Error" content: application/json: schema: type: "object" properties: message: type: "string" example: "Internal Server Error" responseAsync_Scan_Response_Schema: description: "No Error (Request Id and Status)" content: application/json: schema: type: "object" properties: data: type: "object" properties: requestId: type: "string" status: type: "string" additionalProperties: true example: data: requestId: "abcdef124..." status: "scanning" responseAsync_Scan_Status_Response_Schema: description: "No Error (Request Status)" content: application/json: schema: type: "object" properties: data: type: "object" properties: status: type: "string" enum: - "scanning" - "completed" evalGuid: type: "string" description: "This field is returned when the scan status is `completed`,\ \ and can be used to get the results of the scan operation." additionalProperties: true examples: Completed: value: data: status: "completed" evalGuid: "1234567a89012b34567890123cd56e78" Scanning: value: data: status: "scanning" responseVulnerability_SW_Package_Scan_Response_Schema: description: "No Error (List of all specified packages found in the supported\ \ OSs) \n\n There are two unique eval_status returned in the response. \n\ \ * FIX_INFO:eval_status is the fine-grain evaluation result for each set\ \ of OS, OS version, package, and package version specified in the input body\ \ parameter. \n * SUMMARY:eval_status is the overall overview evaluation result." content: application/json: schema: type: "object" properties: data: type: "array" items: type: "object" properties: osPkgInfo: type: "object" properties: namespace: type: "string" os: type: "string" osVer: type: "string" pkg: type: "string" pkgVer: type: "string" versionFormat: type: "string" vulnId: type: "string" severity: type: "string" featureKey: type: "object" properties: name: type: "string" namespace: type: "string" cveProps: type: "object" properties: cveBatchId: type: "string" description: type: "string" link: type: "string" metadata: type: "object" fixInfo: type: "object" description: "**FIX_INFO:eval_status** can equal \"GOOD\", \"\ VULNERABLE\" or \"\". \n * **GOOD** - A returned FIX_INFO:eval_status\ \ of \"GOOD\" means the assessment found no vulnerabilities\ \ (CVEs) associated with the specified OS, OS version, package,\ \ and package version. \n * **VULNERABLE** - A returned FIX_INFO:eval_status\ \ of \"VULNERABLE\" means the assessment found at least one\ \ vulnerability (CVE) associated with the specified OS, OS\ \ version, package, and package version. \n * **EMPTY STR**\ \ - A returned FIX_INFO:eval_status of \"\" means that Lacework\ \ did not find any entries in the CVE database that match\ \ the specified OS, OS version, and package." summary: type: "object" description: "**SUMMARY:eval_status** can equal \"MATCH_NO_VULN\"\ , \"MATCH_VULN\", or \"NOT_MATCH\". \n * **MATCH_NO_VULN**\ \ - A returned SUMMARY:eval_status of \"MATCH_NO_VULN\" means\ \ there are valid entries in the Lacework CVE database that\ \ match the specified set of OS, OS version, and package but\ \ no vulnerability (CVE) were found for the specified package\ \ version. \n * **MATCH_VULN** - A returned SUMMARY:eval_status\ \ of \"MATCH_VULN\" means there are valid entries in the Lacework\ \ CVE database that match the specified set of OS, OS version,\ \ and package and at least one vulnerability (CVE) was found\ \ for the specified package version. \n * **NOT_MATCH** -\ \ A returned SUMMARY:eval_status of \"NOT_MATCH\" means that\ \ Lacework did not find any entries in the CVE database that\ \ match the specified OS, OS version, and package. This could\ \ occur, for example, if the os name specified was misspelled\ \ or if Lacework does not have information in its database\ \ for the specified OS, OS version, and package." props: type: "object" example: data: - osPkgInfo: namespace: "ubuntu:18.04" os: "Ubuntu" osVer: "18.04" pkg: "openssl" pkgVer: "1.1.1-1ubuntu2.1~18.04.5" versionFormat: "dpkg" vulnId: "CVE-2017-3731" severity: "Medium" featureKey: name: "openssl" namespace: "ubuntu:18.04" cveProps: cveBatchId: "087956A88D8B89A79D0DC1F2E5E8269C" description: "If an SSL/TLS server or client is running on a 32-bit\ \ host, and a specific cipher is being used, then a truncated packet\ \ can cause that server or client to perform an out-of-bounds read,\ \ usually resulting in a crash. For OpenSSL 1.1.0, the crash can\ \ be triggered when using CHACHA20/POLY1305; users should upgrade\ \ to 1.1.0d. For Openssl 1.0.2, the crash can be triggered when\ \ using RC4-MD5; users who have not disabled that algorithm should\ \ update to 1.0.2k." link: "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-3731" metadata: nvd: cvssv2: publisheddatetime: "2017-05-04T19:29Z" score: 5 vectors: "AV:N/AC:L/Au:N/C:N/I:N/A:P" cvssv3: exploitabilityscore: 3.9 impactscore: 3.6 score: 7.5 vectors: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" fixInfo: fixAvailable: "1" fixedVersion: "0:1.0.2g-1ubuntu11" summary: evalCreatedTime: "2021-09-16 18:41:04.161 -0700" evalStatus: "MATCH_VULN" numFixableVuln: 10 numFixableVulnBySeverity: "1": 0 "2": 3 "3": 5 "4": 2 "5": 0 numTotal: 70 numVuln: 10 numVulnBySeverity: "1": 0 "2": 3 "3": 5 "4": 2 "5": 0 props: evalAlgo: "1001" responseAgentAccessTokens_Response_Schema: description: "No Error " content: application/json: schema: properties: data: $ref: "#/components/schemas/AgentAccessTokens_Response_Schema" example: data: accessToken: "47d102752b57caa18b..." createdTime: "2020-12-16T16:43:37.915Z" props: createdTime: "2020-12-16T16:43:37.915Z" description: "testing agent" subscription: "enterprise" tokenAlias: "Ops Agent" tokenEnabled: "1" version: "0.1" responseAgentAccessTokensList_Response_Schema: description: "No Error (List of Agent Access Tokens)" content: application/json: schema: properties: data: type: "array" items: $ref: "#/components/schemas/AgentAccessTokens_Response_Schema" example: data: - accessToken: "47d102752b57caa18b..." createdTime: "2020-12-16T16:43:37.915Z" props: createdTime: "2020-12-16T16:43:37.915Z" description: "testing agent" subscription: "enterprise" tokenAlias: "Ops Agent" tokenEnabled: "1" version: "0.1" - accessToken: "e2f32885791213cb41..." createdTime: "2020-12-10T18:14:05.754Z" props: createdTime: "2020-12-10T18:14:05.754Z" description: "testing agent 1" subscription: "professional" tokenAlias: "Dev Agent" tokenEnabled: "1" version: "0.1" responseAlertChannels_Response_Schema: description: "No Error " content: application/json: schema: properties: data: $ref: "#/components/schemas/AlertChannels_Response_Schema" examples: AwsS3: value: data: createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "AwsS3" data: s3CrossAccountCredentials: externalId: "123456" roleArn: "arn:aws:iam::..." bucketArn: "arn:aws:s3:::..." CiscoSparkWebhook: value: data: createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "CiscoSparkWebhook" data: webhook: "https://api.ciscospark.com/v1/webhooks/incoming/abc" CloudwatchEb: value: data: createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "CloudwatchEb" data: issueGrouping: "Events" eventBusArn: "arn:aws:events:us-west-2:123456789012:event-bus/abc" Datadog: value: data: createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "Datadog" data: datadogType: "Logs Summary" datadogSite: "com" apiKey: "" EmailUser: value: data: createdOrUpdatedBy: "info@example.com" createdOrUpdatedTime: "2020-12-18T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Email User" props: "{object}" state: "{object}" type: "EmailUser" data: notificationTypes: "...": "..." channelProps: recipients: "user@example.com,info@example.com" GcpPubsub: value: data: createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "GcpPubsub" data: issueGrouping: "Events" credentials: clientId: "1234567890..." privateKeyId: "1234567890abcdefgh" clientEmail: "abc@xyz.com" privateKey: "" projectId: "project_id" topicId: "topic_id" IbmQradar: value: data: createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "IbmQradar" data: qradarCommType: "HTTPS Self Signed Cert" qradarHostUrl: "127.0.0.1" qradarHostPort: 12345 Jira: value: data: createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "Jira" data: jiraType: "JIRA_CLOUD" issueGrouping: "Events" jiraUrl: "https://xyz.atlassian.com/abc" projectId: "project_id" issueType: "issue_type" username: "support" apiToken: "api_token" MicrosoftTeams: value: data: createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "MicrosoftTeams" data: teamsUrl: "https://webhook.office.com/webhook/xyz" NewRelicInsights: value: data: createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "NewRelicInsights" data: insertKey: "Xyz123Abc456Def789..." accountId: 123456 PagerDutyApi: value: data: createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "PagerDutyApi" data: apiIntgKey: "Xyz123Abc456Def789..." ServiceNowRest: value: data: createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "ServiceNowRest" data: issueGrouping: "Events" userName: "support" password: "" instanceUrl: "https://xyz.service-now.com/abc" SlackChannel: value: data: createdOrUpdatedBy: "info@example.com" createdOrUpdatedTime: "2020-12-18T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Slack Channel LW" props: "{object}" state: "{object}" type: "SlackChannel" data: slackUrl: "https://hooks.slack.com/services/xyz/abc/def" SplunkHec: value: data: createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "SplunkHec" data: hecToken: "12345678-abcd-1234-5678-1234abcd5678" channel: "channel123" host: "xyz.cloud.splunk.com" port: 8088 ssl: true eventData: index: "main" source: "src" VictorOps: value: data: createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "VictorOps" data: intgUrl: "https://alert.victorops.com/integrations/generic/xyz/alert/abc" Webhook: value: data: createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "Webhook" data: webhookUrl: "https://wh.xyz.com/abc" responseAlertChannelsList_Response_Schema: description: "No Error (List of Alert Channels)" content: application/json: schema: properties: data: type: "array" items: $ref: "#/components/schemas/AlertChannels_Response_Schema" examples: AwsS3: value: data: - createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "AwsS3" data: s3CrossAccountCredentials: externalId: "123456" roleArn: "arn:aws:iam::..." bucketArn: "arn:aws:s3:::..." - createdOrUpdatedBy: "info@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "info" props: "{object}" state: "{object}" type: "AwsS3" data: s3CrossAccountCredentials: externalId: "123456" roleArn: "arn:aws:iam::..." bucketArn: "arn:aws:s3:::..." AwsUsGovCfg: value: data: - createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "AwsUsGovCfg" data: accessKeyCredentials: accountId: "123456789012" accessKeyId: "ABCDEFGHIJKLMNOPQRST" secretAccessKey: "" - createdOrUpdatedBy: "info@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Info" props: "{object}" state: "{object}" type: "AwsUsGovCfg" data: accessKeyCredentials: accountId: "123456789012" accessKeyId: "ABCDEFGHIJKLMNOPQRST" secretAccessKey: "" AwsUsGovCtSqs: value: data: - createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "AwsUsGovCtSqs" data: accessKeyCredentials: accountId: "123456789012" accessKeyId: "ABCDEFGHIJKLMNOPQRST" secretAccessKey: "" queueUrl": "https://sqs.us-gov-west-1.amazonaws.com/..." - createdOrUpdatedBy: "info@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "info" props: "{object}" state: "{object}" type: "AwsUsGovCtSqs" data: accessKeyCredentials: accountId: "123456789012" accessKeyId: "ABCDEFGHIJKLMNOPQRST" secretAccessKey: "" queueUrl": "https://sqs.us-gov-west-1.amazonaws.com/..." AzureAlSeq: value: data: - createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "AzureAlSeq" data: credentials: clientId: "12345678-9012-3456-abcd-efghijklijkl" clientSecret: "" tenantId: "12345678-9012-3456-abcd-efghijklijkl" queueUrl": "https://xyz.queue.core.windows.net/abc" - createdOrUpdatedBy: "info@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "info" props: "{object}" state: "{object}" type: "AzureAlSeq" data: credentials: clientId: "12345678-9012-3456-abcd-efghijklijkl" clientSecret: "" tenantId: "12345678-9012-3456-abcd-efghijklijkl" queueUrl": "https://xyz.queue.core.windows.net/abc" AzureCfg: value: data: - createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "AzureCfg" data: credentials: clientId: "12345678-9012-3456-abcd-efghijklijkl" clientSecret: "" tenantId: "12345678-9012-3456-abcd-efghijklijkl" - createdOrUpdatedBy: "info@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "info" props: "{object}" state: "{object}" type: "AzureCfg" data: credentials: clientId: "12345678-9012-3456-abcd-efghijklijkl" clientSecret: "" tenantId: "12345678-9012-3456-abcd-efghijklijkl" CiscoSparkWebhook: value: data: - createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "CiscoSparkWebhook" data: webhook: "https://api.ciscospark.com/v1/webhooks/incoming/abc" - createdOrUpdatedBy: "info@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "info" props: "{object}" state: "{object}" type: "CiscoSparkWebhook" data: webhook: "https://api.ciscospark.com/v1/webhooks/incoming/abc" CloudwatchEb: value: data: - createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "CloudwatchEb" data: issueGrouping: "Events" eventBusArn: "arn:aws:events:us-west-2:123456789012:event-bus/abc" - createdOrUpdatedBy: "info@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "info" props: "{object}" state: "{object}" type: "CloudwatchEb" data: issueGrouping: "Events" eventBusArn: "arn:aws:events:us-west-2:123456789012:event-bus/abc" Datadog: value: data: - createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "Datadog" data: datadogType: "Logs Summary" datadogSite: "com" apiKey: "" - createdOrUpdatedBy: "info@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "info" props: "{object}" state: "{object}" type: "Datadog" data: datadogType: "Logs Summary" datadogSite: "com" apiKey: "" EmailUser: value: data: - createdOrUpdatedBy: "info@example.com" createdOrUpdatedTime: "2020-12-18T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Lacework Information" props: "{object}" state: "{object}" type: "EmailUser" data: notificationTypes: "...": "..." channelProps: recipients: "user@example.com,info@example.com" - createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Lacework Support" props: "{object}" state: "{object}" type: "EmailUser" data: notificationTypes: "...": "..." channelProps: recipients: "user@example.com,info@example.com" GcpPubsub: value: data: - createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "GcpPubsub" data: issueGrouping: "Events" credentials: clientId: "1234567890..." privateKeyId: "1234567890abcdefgh" clientEmail: "abc@xyz.com" privateKey: "" projectId: "project_id" topicId: "topic_id" - createdOrUpdatedBy: "info@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "info" props: "{object}" state: "{object}" type: "GcpPubsub" data: issueGrouping: "Events" credentials: clientId: "1234567890..." privateKeyId: "1234567890abcdefgh" clientEmail: "abc@xyz.com" privateKey: "" projectId: "project_id" topicId: "topic_id" IbmQradar: value: data: - createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "IbmQradar" data: qradarCommType: "HTTPS Self Signed Cert" qradarHostUrl: "127.0.0.1" qradarHostPort: 12345 - createdOrUpdatedBy: "info@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "info" props: "{object}" state: "{object}" type: "IbmQradar" data: qradarCommType: "HTTPS" qradarHostUrl: "127.0.0.1" qradarHostPort: 23456 Jira: value: data: - createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "Jira" data: jiraType: "JIRA_CLOUD" issueGrouping: "Events" jiraUrl: "https://xyz.atlassian.com/abc" projectId: "project_id" issueType: "issue_type" username: "support" apiToken: "api_token" - createdOrUpdatedBy: "info@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "info" props: "{object}" state: "{object}" type: "Jira" data: jiraType: "JIRA_CLOUD" issueGrouping: "Resources" jiraUrl: "https://xyz.atlassian.com/abc" projectId: "project_id" issueType: "issue_type" username: "info" apiToken: "api_token" MicrosoftTeams: value: data: - createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "MicrosoftTeams" data: teamsUrl: "https://webhook.office.com/webhook/xyz" - createdOrUpdatedBy: "info@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "info" props: "{object}" state: "{object}" type: "MicrosoftTeams" data: teamsUrl: "https://webhook.office.com/webhook/xyz" NewRelicInsights: value: data: - createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "NewRelicInsights" data: insertKey: "Xyz123Abc456Def789..." accountId: 123456 - createdOrUpdatedBy: "info@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "info" props: "{object}" state: "{object}" type: "NewRelicInsights" data: insertKey: "Xyz123Abc456Def789..." accountId: 123456 PagerDutyApi: value: data: - createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "PagerDutyApi" data: apiIntgKey: "Xyz123Abc456Def789..." - createdOrUpdatedBy: "info@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "info" props: "{object}" state: "{object}" type: "PagerDutyApi" data: apiIntgKey: "Xyz123Abc456Def789..." ServiceNowRest: value: data: - createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "ServiceNowRest" data: issueGrouping: "Events" userName: "support" password: "" instanceUrl: "https://xyz.service-now.com/abc" - createdOrUpdatedBy: "info@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "info" props: "{object}" state: "{object}" type: "ServiceNowRest" data: issueGrouping: "Events" userName: "info" password: "" instanceUrl: "https://xyz.service-now.com/abc" SlackChannel: value: data: - createdOrUpdatedBy: "info@example.com" createdOrUpdatedTime: "2020-12-18T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Slack Channel LW" props: "{object}" state: "{object}" type: "SlackChannel" data: slackUrl: "https://hooks.slack.com/services/xyz/abc/def" - createdOrUpdatedBy: "info@example.com" createdOrUpdatedTime: "2020-12-18T11:38:28Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Slack Channel LW Dev" props: "{object}" state: "{object}" type: "SlackChannel" data: slackUrl: "https://hooks.slack.com/services/xyz/ghi/jkl" SplunkHec: value: data: - createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "SplunkHec" data: hecToken: "12345678-abcd-1234-5678-1234abcd5678" channel: "channel123" host: "xyz.cloud.splunk.com" port: 8088 ssl: true eventData: index: "main" source: "src" - createdOrUpdatedBy: "info@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "info" props: "{object}" state: "{object}" type: "SplunkHec" data: hecToken: "12345678-abcd-1234-5678-1234abcd5678" channel: "channel123" host: "xyz.cloud.splunk.com" port: 8088 ssl: true eventData: index: "main" source: "src" VictorOps: value: data: - createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "VictorOps" data: intgUrl: "https://alert.victorops.com/integrations/generic/xyz/alert/abc" - createdOrUpdatedBy: "info@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "info" props: "{object}" state: "{object}" type: "VictorOps" data: intgUrl: "https://alert.victorops.com/integrations/generic/xyz/alert/abc" Webhook: value: data: - createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "Webhook" data: webhookUrl: "https://wh.xyz.com/abc" - createdOrUpdatedBy: "info@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "info" props: "{object}" state: "{object}" type: "Webhook" data: webhookUrl: "https://wh.xyz.com/abc" responseAlertRules_Response_Schema: description: "No Error " content: application/json: schema: properties: data: $ref: "#/components/schemas/AlertRules_Response_Schema" example: data: mcGuid: "QA42F6C8_97..." filters: name: "Default Rule" createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2020-02-18T16:52:57.726Z" enabled: 1 resourcegroups: - "QA402035_43..." severity: - 1 - 2 - 3 eventcategory: - "App" - "Compliance" - "Cloud" - "File" - "K8sActivity" - "Machine" - "Platform" - "User" subCategory: - "Application" - "Compliance" - "Cloud Activity" - "File" - "Kubernetes Activity" - "Machine" - "Platform" - "User" intgGuidList: - "QA402035_66..." type: "Event" responseAlertRulesList_Response_Schema: description: "No Error (List of Alert Rules)" content: application/json: schema: properties: data: type: "array" items: $ref: "#/components/schemas/AlertRules_Response_Schema" example: data: - mcGuid: "QA42F6C8_97..." filters: name: "Default Rule" createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2020-02-18T16:52:57.726Z" enabled: 1 resourcegroups: - "QA402035_43.." severity: - 1 - 2 - 3 eventcategory: - "App" - "Compliance" - "Cloud" - "File" - "K8sActivity" - "Machine" - "Platform" - "User" subCategory: - "Application" - "Compliance" - "Cloud Activity" - "File" - "Kubernetes Activity" - "Machine" - "Platform" - "User" intgGuidList: - "QA402035_66..." type: "Event" - mcGuid: "QA42F6C8_83..." filters: name: "test" createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2020-01-15T07:07:21.989Z" enabled: 1 resourcegroups: - "QA402035_EB..." - "QA402035_BA..." severity: - 1 - 2 - 3 eventcategory: - "User" - "Cloud" subCategory: - "User" - "Cloud Activity" intgGuidList: - "QA402035_01..." - "QA402035_A6..." type: "Event" responseAuditLogsList_Response_Schema: description: "No Error (List of Audit Logs)" content: application/json: schema: properties: data: type: "array" items: $ref: "#/components/schemas/AuditLogs_Response_Schema" example: data: - accountName: "Lacework" createdTime: "2020-12-18T18:38:28Z" eventDescription: "User info@example.com logged in to Lacework account\ \ using OAuth credentials" eventName: "User Login" userAction: "Login with OAuth Succeeded" userName: "info@example.com" - accountName: "Lacework" createdTime: "2020-12-18T22:38:28Z" eventDescription: "User info@example.com logged in to Lacework account\ \ using OAuth credentials" eventName: "User Login" userAction: "Login with OAuth Succeeded" userName: "info@example.com" responseCloudActivitiesList_Response_Schema: description: "No Error (List of Cloud Activities)" content: application/json: schema: properties: paging: $ref: "#/components/schemas/Paging_Schema" data: type: "array" items: $ref: "#/components/schemas/CloudActivities_Response_Schema" example: paging: rows: 5000 totalRows: 5020 urls: nextPage: "https://YourLacework.lacework.net/api/v2/CloudActivities/AbcdEfgh123..." data: - startTime: "2021-12-18T06:00:00Z" endTime: "2021-12-18T06:30:00Z" eventType: "CloudTrailDefaultAlert" eventId: 291028 eventModel: "CloudTrailCep" eventActor: "Aws" eventMap: API: - KEY: api: "DeleteUser" service: "iam.amazonaws.com" PROPS: source_ip_address_list: - "34.221.221.117" user_list: - "AssumedRole/631664038012:dev-test-instances" CT_User: - KEY: account: "631664038012" mfa: 0 principalId: "ABCDEFGHIJKL123456789" username: "AssumedRole/631664038012:dev-test-instances" PROPS: api_list: - "DeleteUser" region_list: - "us-east-1" Region: - KEY: region: "us-east-1" PROPS: account_list: - "631668038012" Resource: - KEY: name: "userName" value: "demomon13dec21083001" - KEY: name: "userName" value: "demomon13dec21083001" RulesTriggered: - KEY: triggered_rule_id: "lw-dev-1" PROPS: rule_description: "An existing user was deleted." rule_id: "lw-dev-1" rule_severity: 3 rule_title: "Delete User" SourceIpAddress: - KEY: ip_addr: "34.221.221.117" PROPS: api_list: - "DeleteUser" - startTime: "2021-12-18T08:00:00Z" endTime: "2021-12-18T08:30:00Z" eventType: "IAMAccessKeyChanged" eventId: 19018 eventModel: "CloudTrailCep" eventActor: "Aws" eventMap: API: - KEY: api: "CreateAccessKey" service: "iam.amazonaws.com" PROPS: source_ip_address_list: - "34.221.221.117" user_list: - "AssumedRole/631664038012:dev-test-instances" - KEY: api: "DeleteAccessKey" service: "iam.amazonaws.com" PROPS: source_ip_address_list: - "34.221.221.117" user_list: - "AssumedRole/631664038012:dev-test-instances" CT_User: - KEY: account: "631664038012" mfa: 0 principalId: "ABCDEFGHIJKL123456789" username: "AssumedRole/631664038012:dev-test-instances" PROPS: api_list: - "CreateAccessKey" - "DeleteAccessKey" region_list: - "us-east-1" Region: - KEY: region: "us-east-1" PROPS: account_list: - "631664038012" Resource: - KEY: name: "accessKeyId" value: "ABCD1234567890" - KEY: name: "userName" value: "demomon13dec21083001" - KEY: name: "accessKeyId" value: "ABCD9876543210" - KEY: name: "userName" value: "demomon13dec21083001" RulesTriggered: - KEY: triggered_rule_id: "lw-global-12" PROPS: rule_description: "An IAM access key was created or deleted." rule_id: "lw-global-12" rule_severity: 2 rule_title: "IAM Access Key Change" SourceIpAddress: - KEY: ip_addr: "34.221.221.117" PROPS: api_list: - "CreateAccessKey" - "DeleteAccessKey" responseContractInfoList_Response_Schema: description: "No Error (List of Contract Info)" content: application/json: schema: properties: data: type: "array" items: $ref: "#/components/schemas/ContractInfo_Response_Schema" example: data: - objName: "CloudActivities" props: contractStartUtc: "2020-12-01T00:00:00Z" renewalUtc: "2021-03-01T00:00:00Z" numPurchased: 1 dataRetentionInDay: 90 - objName: "AWSConfig" props: contractStartUtc: "2020-12-01T00:00:00Z" renewalUtc: "2021-03-01T00:00:00Z" numPurchased: 1 dataRetentionInDay: 90 responseReportRules_Response_Schema: description: "No Error " content: application/json: schema: properties: data: $ref: "#/components/schemas/ReportRules_Response_Schema" example: data: mcGuid: "QA42F6C8_83..." filters: name: "LW Rule 1" createdOrUpdatedBy: "info@example.com" createdOrUpdatedTime: "2021-01-12T23:16:08.418Z" enabled: 1 resourceGroups: - "QA402035_BA..." severity: - 1 - 2 - 3 intgGuidList: - "QA402035_32..." reportNotificationTypes: gcpCis: false gcpComplianceEvents: false trendReport: false azurePci: true agentEvents: false awsCisS3: false gcpAuditTrailEvents: false openShiftCompliance: false azureSoc: true awsComplianceEvents: false azureComplianceEvents: false azureCis: true azureActivityLogEvents: false awsCloudtrailEvents: false type: "Report" responseReportRulesList_Response_Schema: description: "No Error (List of Report Rules)" content: application/json: schema: properties: data: type: "array" items: $ref: "#/components/schemas/ReportRules_Response_Schema" example: data: - mcGuid: "QA42F6C8_83..." filters: name: "LW Rule 1" createdOrUpdatedBy: "info@example.com" createdOrUpdatedTime: "2021-01-12T23:16:08.418Z" enabled: 1 resourceGroups: - "QA402035_BA..." severity: - 1 - 2 - 3 intgGuidList: - "QA402035_32..." reportNotificationTypes: gcpCis: false gcpComplianceEvents: false trendReport: false azurePci: false agentEvents: false awsCisS3: true gcpAuditTrailEvents: false openShiftCompliance: false azureSoc: false awsComplianceEvents: true azureComplianceEvents: false azureCis: false azureActivityLogEvents: false awsCloudtrailEvents: true type: "Report" - mcGuid: "QA42F6C8_88..." filters: name: "LW Rule 2" createdOrUpdatedBy: "info@example.com" createdOrUpdatedTime: "2021-01-12T23:18:08.418Z" enabled: 1 resourceGroups: - "QA402035_BC..." severity: - 1 - 2 - 3 intgGuidList: - "QA402035_33..." reportNotificationTypes: gcpCis: false gcpComplianceEvents: false trendReport: false azurePci: true agentEvents: false awsCisS3: false gcpAuditTrailEvents: false openShiftCompliance: false azureSoc: true awsComplianceEvents: false azureComplianceEvents: false azureCis: true azureActivityLogEvents: false awsCloudtrailEvents: false type: "Report" responseTeamMembers_Response_Schema: description: "No Error " content: application/json: schema: properties: data: $ref: "#/components/schemas/TeamMembers_Response_Schema" examples: With Org-Access: value: data: userName: "user1@example.com" orgAccount: true url: "url" orgAdmin: false orgUser: false accounts: - admin: "true" custGuid: "CUST_GUID" userGuid: "USER1_GUID" userEnabled: 1 Without Org-Access: value: data: props: firstName: "User1" lastName: "Test" accountAdmin: true userGuid: "USER1_GUID" custGuid: "CUST_GUID" userEnabled: 1 userName: "user1@example.com" responseUpdateTeamMember: description: "No Error" content: application/json: schema: properties: data: $ref: "#/components/schemas/TeamMembers_Update_Schema" examples: With Org-Access: value: data: userName: "user1@example.com" orgAccount: true url: "url" orgAdmin: false orgUser: false accounts: - admin: "true" custGuid: "CUST_GUID" userGuid: "USER1_GUID" userEnabled: 1 Without Org-Access: value: data: props: firstName: "User1" lastName: "Test" accountAdmin: true userGuid: "USER1_GUID" custGuid: "CUST_GUID" userEnabled: 1 userName: "user1@example.com" responseTeamMembersList_Response_Schema: description: "No Error (List of Team Members)" content: application/json: schema: properties: data: type: "array" items: $ref: "#/components/schemas/TeamMembers_Response_Schema" example: data: - props: firstName: "User1" lastName: "Test" accountAdmin: true userGuid: "USER1_GUID" custGuid: "CUST_GUID" userEnabled: 1 userName: "user1@example.com" - props: firstName: "User2" lastName: "Test" accountAdmin: true userGuid: "USER2_GUID" custGuid: "CUST_GUID" userEnabled: 1 userName: "user2@example.com" responseCloudAccounts_Response_Schema: description: "No Error " content: application/json: schema: properties: data: $ref: "#/components/schemas/CloudAccounts_Response_Schema" examples: AwsCfg: value: data: createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "AwsCfg" data: awsAccountId: "123456789012" crossAccountCredentials: roleArn: "arn:aws:iam::..." externalId: "123456" AwsCtSqs: value: data: createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "AwsCtSqs" data: awsAccountId: "123456789012" crossAccountCredentials: roleArn: "arn:aws:iam::..." externalId: "123456" issueGrouping: "Events" queueUrl: "https://sqs.us-west-2.amazonaws.com/..." AwsEksAudit: value: data: createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "AwsEksAudit" data: snsArn: "arn:aws:sns::..." s3BucketArn: "arn:aws:s3::..." crossAccountCredentials: roleArn: "arn:aws:iam::..." externalId: "123456" AwsUsGovCfg: value: data: createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "AwsUsGovCfg" data: accessKeyCredentials: accountId: "123456789012" accessKeyId: "ABCDEFGHIJKLMNOPQRST" secretAccessKey: "" AwsUsGovCtSqs: value: data: createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "AwsUsGovCtSqs" data: accessKeyCredentials: accountId: "123456789012" accessKeyId: "ABCDEFGHIJKLMNOPQRST" secretAccessKey: "" queueUrl": "https://sqs.us-gov-west-1.amazonaws.com/..." AzureAlSeq: value: data: createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "AzureAlSeq" data: credentials: clientId: "12345678-9012-3456-abcd-efghijklijkl" clientSecret: "" tenantId: "12345678-9012-3456-abcd-efghijklijkl" queueUrl": "https://xyz.queue.core.windows.net/abc" AzureCfg: value: data: createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "AzureCfg" data: credentials: clientId: "12345678-9012-3456-abcd-efghijklijkl" clientSecret: "" tenantId: "12345678-9012-3456-abcd-efghijklijkl" GcpAtSes: value: data: createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "GcpAtSes" data: credentials: clientId: "1234567890..." privateKeyId: "1234567890abcdefgh" clientEmail: "abc@xyz.com" privateKey: "" idType: "PROJECT" id: "prod1-xyz-gcp" subscriptionName: "projects/prod1-xyz-gcp/subscriptions/abc" GcpCfg: value: data: createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "GcpCfg" data: credentials: clientId: "1234567890..." privateKeyId: "1234567890abcdefgh" clientEmail: "abc@xyz.com" privateKey: "" idType: "PROJECT" id: "abc" GcpGkeAudit: value: data: createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" type: "GcpGkeAudit" data: credentials: clientId: "1234567890..." privateKeyId: "1234567890abcdefgh" clientEmail: "abc@xyz.com" privateKey: "" integrationType: "PROJECT" projectId: "prod1-xyz-gcp" subscriptionName: "projects/prod1-xyz-gcp/subscriptions/abc" responseCloudAccountsList_Response_Schema: description: "No Error (List of Cloud Accounts)" content: application/json: schema: properties: data: type: "array" items: $ref: "#/components/schemas/CloudAccounts_Response_Schema" examples: AwsCfg: value: data: - createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-01-28T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "AwsCfg" data: awsAccountId: "123456789012" crossAccountCredentials: roleArn: "arn:aws:iam::..." externalId: "123456" - createdOrUpdatedBy: "info@example.com" createdOrUpdatedTime: "2021-01-30T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Info" props: "{object}" state: "{object}" type: "AwsCfg" data: awsAccountId: "123456789012" crossAccountCredentials: roleArn: "arn:aws:iam::..." externalId: "123456" AwsCtSqs: value: data: - createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "AwsCtSqs" data: awsAccountId: "123456789012" crossAccountCredentials: roleArn: "arn:aws:iam::..." externalId: "123456" issueGrouping: "Events" queueUrl: "https://sqs.us-west-2.amazonaws.com/..." - createdOrUpdatedBy: "info@example.com" createdOrUpdatedTime: "2021-02-08T18:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Info" props: "{object}" state: "{object}" type: "AwsCtSqs" data: awsAccountId: "123456789012" crossAccountCredentials: roleArn: "arn:aws:iam::..." externalId: "123456" issueGrouping: "Events" queueUrl: "https://sqs.us-west-2.amazonaws.com/..." AwsEksAudit: value: data: - createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "AwsEksAudit" data: snsArn: "arn:aws:sns::..." s3BucketArn: "arn:aws:s3::..." crossAccountCredentials: roleArn: "arn:aws:iam::..." externalId: "123456" - createdOrUpdatedBy: "info@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "AwsEksAudit" data: snsArn: "arn:aws:sns::..." s3BucketArn: "arn:aws:s3::..." crossAccountCredentials: roleArn: "arn:aws:iam::..." externalId: "123456" AwsUsGovCfg: value: data: - createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "AwsUsGovCfg" data: accessKeyCredentials: accountId: "123456789012" accessKeyId: "ABCDEFGHIJKLMNOPQRST" secretAccessKey: "" - createdOrUpdatedBy: "info@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "AwsUsGovCfg" data: accessKeyCredentials: accountId: "123456789012" accessKeyId: "ABCDEFGHIJKLMNOPQRST" secretAccessKey: "" AwsUsGovCtSqs: value: data: - createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "AwsUsGovCtSqs" data: accessKeyCredentials: accountId: "123456789012" accessKeyId: "ABCDEFGHIJKLMNOPQRST" secretAccessKey: "" queueUrl": "https://sqs.us-gov-west-1.amazonaws.com/..." - createdOrUpdatedBy: "info@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "AwsUsGovCtSqs" data: accessKeyCredentials: accountId: "123456789012" accessKeyId: "ABCDEFGHIJKLMNOPQRST" secretAccessKey: "" queueUrl": "https://sqs.us-gov-west-1.amazonaws.com/..." AzureAlSeq: value: data: - createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "AzureAlSeq" data: credentials: clientId: "12345678-9012-3456-abcd-efghijklijkl" clientSecret: "" tenantId: "12345678-9012-3456-abcd-efghijklijkl" queueUrl": "https://xyz.queue.core.windows.net/abc" - createdOrUpdatedBy: "info@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "AzureAlSeq" data: credentials: clientId: "12345678-9012-3456-abcd-efghijklijkl" clientSecret: "" tenantId: "12345678-9012-3456-abcd-efghijklijkl" queueUrl": "https://xyz.queue.core.windows.net/abc" AzureCfg: value: data: - createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "AzureCfg" data: credentials: clientId: "12345678-9012-3456-abcd-efghijklijkl" clientSecret: "" tenantId: "12345678-9012-3456-abcd-efghijklijkl" - createdOrUpdatedBy: "info@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "AzureCfg" data: credentials: clientId: "12345678-9012-3456-abcd-efghijklijkl" clientSecret: "" tenantId: "12345678-9012-3456-abcd-efghijklijkl" GcpAtSes: value: data: - createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "GcpAtSes" data: credentials: clientId: "1234567890..." privateKeyId: "1234567890abcdefgh" clientEmail: "abc@xyz.com" privateKey: "" idType: "PROJECT" id: "prod1-xyz-gcp" subscriptionName: "projects/prod1-xyz-gcp/subscriptions/abc" - createdOrUpdatedBy: "info@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "info" props: "{object}" state: "{object}" type: "GcpAtSes" data: credentials: clientId: "1234567890..." privateKeyId: "1234567890abcdefgh" clientEmail: "abc@xyz.com" privateKey: "" idType: "PROJECT" id: "prod1-xyz-gcp" subscriptionName: "projects/prod1-xyz-gcp/subscriptions/abc" GcpGkeAudit: value: data: - createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" type: "GcpGkeAudit" data: credentials: clientId: "1234567890..." privateKeyId: "1234567890abcdefgh" clientEmail: "abc@xyz.com" privateKey: "" integrationType: "PROJECT" projectId: "prod1-xyz-gcp" subscriptionName: "projects/prod1-xyz-gcp/subscriptions/abc" - createdOrUpdatedBy: "info@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 1 name: "info" type: "GcpGkeAudit" data: credentials: clientId: "1234567890..." privateKeyId: "1234567890abcdefgh" clientEmail: "abc@xyz.com" privateKey: "" integrationType: "ORGANIZATION" projectId: "prod1-xyz-gcp" organizationId: "prod1-xyz-org-gcp" subscriptionName: "projects/prod1-xyz-gcp/subscriptions/abc" GcpCfg: value: data: - createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "GcpCfg" data: credentials: clientId: "1234567890..." privateKeyId: "1234567890abcdefgh" clientEmail: "abc@xyz.com" privateKey: "" idType: "PROJECT" id: "abc" - createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "GcpCfg" data: credentials: clientId: "1234567890..." privateKeyId: "1234567890abcdefgh" clientEmail: "abc@xyz.com" privateKey: "" idType: "PROJECT" id: "abc" responseContainerRegistries_Response_Schema: description: "No Error " content: application/json: schema: properties: data: $ref: "#/components/schemas/ContainerRegistries_Response_Schema" examples: ContVulnCfg: value: data: createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "ContVulnCfg" data: accessKeyCredentials: accessKeyId: "ABCDEFGHIJKLMNOPQRST" secretAccessKey: "" registryType: "AWS_ECR" registryDomain: "12345678.abc.ecr.us-west-2.amazonaws.com" limitByTag: - "latest*" limitByLabel: [] limitByRep": [] limitNumImg: 5 identifierTag: - tag1: "tag_1" - tag2: "tag_2" responseContainerRegistriesList_Response_Schema: description: "No Error (List of Container Registries)" content: application/json: schema: properties: data: type: "array" items: $ref: "#/components/schemas/ContainerRegistries_Response_Schema" examples: ContVulnCfg: value: data: - createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "Support" props: "{object}" state: "{object}" type: "ContVulnCfg" data: accessKeyCredentials: accessKeyId: "ABCDEFGHIJKLMNOPQRST" secretAccessKey: "" registryType: "AWS_ECR" registryDomain: "12345678.abc.ecr.us-west-2.amazonaws.com" limitByTag: - "latest*" limitByLabel: [] limitByRep": [] limitNumImg: 5 identifierTag: - tag1: "tag_1" - tag2: "tag_2" - createdOrUpdatedBy: "info@example.com" createdOrUpdatedTime: "2021-02-08T08:28:18Z" enabled: 1 intgGuid: "LWXYZ..." isOrg: 0 name: "info" props: "{object}" state: "{object}" type: "ContVulnCfg" data: accessKeyCredentials: accessKeyId: "ABCDEFGHIJKLMNOPQRST" secretAccessKey: "" registryType: "AWS_ECR" registryDomain: "12345678.abc.ecr.us-west-2.amazonaws.com" limitByTag: - "latest*" limitByLabel: [] limitByRep": [] limitNumImg: 5 identifierTag: - tag1: "tag_1" - tag2: "tag_2" responseUserProfileList_Response_Schema: description: "List of Sub-accounts" content: application/json: schema: properties: data: type: "array" items: $ref: "#/components/schemas/UserProfile_Response_Schema" example: - username: "user@example.com" orgAccount: true url: "url" orgAdmin: true orgUser: false accounts: - admin: true accountName: "accountName1" custGuid: "custGuid1" userGuid: "userGuid1" userEnabled: 1 - admin: true accountName: "accountName2" custGuid: "custGuid2" userGuid: "userGuid2" userEnabled: 1 responsePolicies_Response_Schema: description: "No Error" content: application/json: schema: properties: data: $ref: "#/components/schemas/Policies_Response_Schema" example: data: evaluatorId: "Cloudtrail" policyId: "lacework..." policyType: "Violation" queryId: "LW_Custom_AWS_CTA_AuroraPasswordChange" queryText: "LW_Custom_AWS_CTA_AuroraPasswordChange { SOURCE { CloudTrailRawEvents\ \ } FILTER ..." title: "Cloudtrail Policy 2" enabled: false description: "Cloudtrail Policy 2" remediation: "Policy remediation 2" severity: "medium" limit: 100 evalFrequency: "Hourly" alertEnabled: true alertProfile: "LW_CloudTrail_Alerts.CloudTrailDefaultAlert_AwsResource" owner: "user@example.com" lastUpdateTime: "2022-10-03T16:23:38.915Z" lastUpdateUser: "user@example.com" tags: - "domain:Host" - "subdomain:Container" responsePoliciesList_Response_Schema: description: "No Error (List of Policies)" content: application/json: schema: properties: data: type: "array" items: $ref: "#/components/schemas/Policies_Response_Schema" example: data: - policyId: "lacework-global-89" policyType: "Compliance" queryId: "" queryText: "" title: "EC2 instance does not have any tags" enabled: false description: "Tags allow users to better organize resources and assist\ \ the collection of metrics..." remediation: "Perform the following to add tags:\n1. Log in to the AWS\ \ Management Console..." severity: "high" alertEnabled: false alertProfile: "" owner: "Lacework" lastUpdateTime: "2021-05-31T19:00:00.000Z" lastUpdateUser: "Lacework" tags: - "framework:aws-lacework-security-1-0" - "domain:AWS" - "subdomain:Configuration" exceptionConfiguration: constraintFields: - fieldKey: "accountIds" dataType: "String" multiValue: true - fieldKey: "regionNames" dataType: "String" multiValue: true - fieldKey: "resourceNames" dataType: "String" multiValue: false - fieldKey: "resourceTags" dataType: "KVTagPair" multiValue: true - evaluatorId: "Cloudtrail" policyId: "lacework..." policyType: "Violation" queryId: "LW_Custom_AWS_CTA_AuroraPasswordChange" queryText: "LW_Custom_AWS_CTA_AuroraPasswordChange { SOURCE { CloudTrailRawEvents\ \ } FILTER ..." title: "Cloudtrail Policy 2" enabled: false description: "Cloudtrail Policy 2" remediation: "Policy remediation 2" severity: "medium" limit: 100 evalFrequency: "Hourly" alertEnabled: true alertProfile: "LW_CloudTrail_Alerts.CloudTrailDefaultAlert_AwsResource" owner: "user@example.com" lastUpdateTime: "2022-10-03T16:23:38.915Z" lastUpdateUser: "user@example.com" tags: - "domain:Host" - "subdomain:Container" responsePolicyTags_Response_Schema: description: "No Error" content: application/json: schema: properties: data: type: "array" items: type: "string" example: data: - "domain:AWS" - "domain:Host" - "subdomain:Cloudtrail" - "subdomain:Container" responseQueries_Response_Schema: description: "No Error" content: application/json: schema: properties: data: $ref: "#/components/schemas/Queries_Response_Schema" example: data: evaluatorId: "Cloudtrail" queryId: "LW_Global_..." queryText: "Query..." owner: "user@example.com" lastUpdateTime: "2020-12-16T16:43:37.915Z" lastUpdateUser: "user@example.com" resultSchema: - name: "EVENT" dataType: "JSON" description: "Description of the result" - name: "EVENT_TIME" dataType: "Timestamp" description: "Description of the result" responseQueriesList_Response_Schema: description: "No Error (List of Queries)" content: application/json: schema: properties: data: type: "array" items: $ref: "#/components/schemas/Queries_Response_Schema" example: data: - evaluatorId: "Cloudtrail" queryId: "LW_Global_..." queryText: "Query..." owner: "user@example.com" lastUpdateTime: "2020-12-16T16:43:37.915Z" lastUpdateUser: "user@example.com" resultSchema: - name: "EVENT" dataType: "JSON" description: "Description of the result" - name: "EVENT_TIME" dataType: "Timestamp" description: "Description of the result" - evaluatorId: "Cloudtrail" queryId: "LW_Global2_..." queryText: "Query..." owner: "user@example.com" lastUpdateTime: "2020-12-16T16:43:37.915Z" lastUpdateUser: "user@example.com" resultSchema: - name: "EVENT" dataType: "JSON" description: "Description of the result" - name: "EVENT_TIME" dataType: "Timestamp" description: "Description of the result" responseQueriesExecute: description: "No Error" content: application/json: schema: properties: data: type: "array" description: "Result records, schema determined by query" items: {} example: data: - {} responseQueriesValidate: description: "No Error" content: application/json: schema: properties: data: type: "object" properties: evaluatorId: description: "Optional identifier of the evaluator where the policy\ \ is run. This field is only for CloudTrail queries and policies.\n" type: "string" queryText: description: "When sending a request, provide a human-readable\ \ text syntax for specifying selection, filtering, and manipulation\ \ of data." type: "string" queryId: type: "string" description: "Identifier of the query" resultSchema: type: "array" items: type: "object" properties: name: type: "string" description: "Name of the result column" dataType: type: "string" description: "LQL type of the result column" example: data: evaluatorId: "Cloudtrail" queryId: "LW_Global_..." queryText: "Query..." resultSchema: - name: "column1" dataType: "" - name: "column2" dataType: "" responseTemplateFilesList_Response_Schema: description: "No Error (Template File Content)" content: application/octet-stream: schema: $ref: "#/components/schemas/TemplateFiles_Response_Schema" responseEntities_MachinesList_Response_Schema: description: "No Error (List of Machines)" content: application/json: schema: properties: paging: $ref: "#/components/schemas/Paging_Schema" data: type: "array" items: $ref: "#/components/schemas/Entities_Machines_Response_Schema" example: paging: rows: 5000 totalRows: 6318 urls: nextPage: "https://YourLacework.lacework.net/api/v2/Entities/Machines/AbcdEfgh123..." data: - startTime: "2021-08-28T21:00:00Z" endTime: "2021-08-28T22:00:00Z" mid: 12345 hostname: "ip-172-31-22-135.us-west-2.compute.internal" machineTags: ExternalIp: "35.163.78.148" Hostname: "ip-172-31-22-135.us-west-2.compute.internal" InstanceId: "i-07927817a7a532c81" InstanceName: "vpc-39c60f41" InternalIp: "172.31.22.135" NumericProjectId: "ami-038b12f51d612b5db" ProjectId: "632668038012" SubnetId: "subnet-ec136995" VmInstanceType: "t2.xlarge" VmProvider: "AWS" Zone: "us-west-2" primaryIpAddr: "172-31-22-135" entityType: "Machine" - startTime: "2021-08-28T21:00:00Z" endTime: "2021-08-28T22:00:00Z" mid: 12346 hostname: "ip-172-31-22-138.us-west-2.compute.internal" machineTags: ExternalIp: "35.163.78.138" Hostname: "ip-172-31-22-138.us-west-2.compute.internal" InstanceId: "i-07927817a7a532c83" InstanceName: "vpc-39c60f31" InternalIp: "172.31.22.138" NumericProjectId: "ami-038b12f51d312b5db" ProjectId: "632668038013" SubnetId: "subnet-ec136965" VmInstanceType: "t2.xlarge" VmProvider: "AWS" Zone: "us-west-2" primaryIpAddr: "172-31-22-138" entityType: "Machine" responseActivities_UserLoginsList_Response_Schema: description: "No Error (List of User Logins)" content: application/json: schema: properties: paging: $ref: "#/components/schemas/Paging_Schema" data: type: "array" items: $ref: "#/components/schemas/Activities_UserLogins_Response_Schema" example: paging: rows: 5000 totalRows: 5050 urls: nextPage: "https://YourLacework.lacework.net/api/v2/Activities/UserLogins/AbcdEfgh123..." data: - createdTime: "2021-09-10T05:35:45.382Z" mid: 12345 activityTime: "2021-08-06T06:05:05.260Z" activityType: "LOGIN" username: "ec2-user" uid: 1000 sourceIpAddr: "2.141.452.76" - createdTime: "2021-09-10T05:35:45.382Z" mid: 12345 activityTime: "2021-08-06T06:05:05.260Z" activityType: "LOGOFF" username: "ec2-user" uid: 1000 sourceIpAddr: "2.141.452.76" responseEntities_ApplicationsList_Response_Schema: description: "No Error (List of Applications)" content: application/json: schema: properties: paging: $ref: "#/components/schemas/Paging_Schema" data: type: "array" items: $ref: "#/components/schemas/Entities_Applications_Response_Schema" example: paging: rows: 5000 totalRows: 8368 urls: nextPage: "https://YourLacework.lacework.net/api/v2/Entities/Applications/AbcdEfgh123..." data: - startTime: "2021-08-28T21:00:00Z" endTime: "2021-08-28T22:00:00Z" mid: 12345 appName: "appName1" exePath: "exePath1" username: effective: "example1" original: "example2" propsMachine: hostname: "ip-10-100-20-200" ip_addr: "10.100.20.200" mem_kbytes: 340000049 num_users: 5 primary_tags: - "primaryTag1" tags: {} up_time: 45 containerInfo: k8s_cluster: "cluster value" pod_name: "lacework-agent-ab8ok" pod_namespace: "kube-system" pod_type: "lacework-agent" vmType: "VM type 1" netStats: {} props: {} - startTime: "2021-08-28T21:00:00Z" endTime: "2021-08-28T22:00:00Z" mid: 12346 appName: "appName2" exePath: "exePath2" username: effective: "example3" original: "example4" propsMachine: hostname: "ip-10-100-20-201" ip_addr: "10.100.20.201" mem_kbytes: 340000050 num_users: 7 primary_tags: - "primaryTag6" tags: {} up_time: 60 containerInfo: k8s_cluster: "cluster value 2" pod_name: "lacework-agent-ab8st" pod_namespace: "kube-system" pod_type: "lacework-agent" vmType: "VM type 2" netStats: {} props: {} responseEntities_ImagesList_Response_Schema: description: "No Error (List of Images)" content: application/json: schema: properties: paging: $ref: "#/components/schemas/Paging_Schema" data: type: "array" items: $ref: "#/components/schemas/Entities_Images_Response_Schema" example: paging: rows: 5000 totalRows: 6298 urls: nextPage: "https://YourLacework.lacework.net/api/v2/Entities/Images/AbcdEfgh123..." data: - createdTime: "2021-08-28T21:00:00Z" mid: 12345 imageId: "sha256:1234sjfd3343592a320392..." repo: "repo1" tag: "tag1" size: 1234567 containerType: "DOCKER" - createdTime: "2021-08-28T21:00:00Z" mid: 98765 imageId: "sha256:1264kfdjg45430fdl..." repo: "repo2" tag: "tag2" size: 5687 containerType: "DOCKER" responseEntities_UsersList_Response_Schema: description: "No Error (List of Users)" content: application/json: schema: properties: paging: $ref: "#/components/schemas/Paging_Schema" data: type: "array" items: $ref: "#/components/schemas/Entities_Users_Response_Schema" example: paging: rows: 5000 totalRows: 12345 urls: nextPage: "https://YourLacework.lacework.net/api/v2/Entities/Users/AbcdEfgh123..." data: - createdTime: "2021-08-28T21:00:00Z" mid: 12345 username: "username1" uid: 55 primaryGroupName: "primaryName1" otherGroupNames: "[\n \"groupName1\",\n \"groupName2\"\n]" - createdTime: "2021-08-28T21:00:00Z" mid: 98765 username: "username2" uid: 532 primaryGroupName: "primaryName2" otherGroupNames: "[\n \"groupName3\"\n]" responseDatasources_Response_Schema: description: "No Error" content: application/json: schema: properties: data: $ref: "#/components/schemas/Datasources_Response_Schema" example: data: name: "LW_DATASOURCE_1" description: "Details about datasource" resultSchema: - name: "START_TIME" dataType: "Timestamp" description: "Beginning of time interval" - name: "END_TIME" dataType: "Timestamp" description: "End of time interval" - name: "CREATED_TIME" dataType: "Timestamp" description: "Record creation time" sourceRelationships: - from: "MACHINES" to: "DNS_REQUESTS" name: "Machines-to-DNS-Requests" description: "DNS requests made from this machine" toCardinality: "MANY" - from: "MACHINES" to: "USER_LOGINS" name: "Machines-to-User-Logins" description: "User logins made on this machine" toCardinality: "MANY" responseDatasourcesList_Response_Schema: description: "No Error (List of Datasources)" content: application/json: schema: properties: data: type: "array" items: $ref: "#/components/schemas/Datasources_Response_Schema" example: data: - name: "LW_DATASOURCE_1" description: "Details about datasource" resultSchema: - name: "START_TIME" dataType: "Timestamp" description: "Beginning of time interval" - name: "END_TIME" dataType: "Timestamp" description: "End of time interval" - name: "CREATED_TIME" dataType: "Timestamp" description: "Record creation time" sourceRelationships: - from: "MACHINES" to: "DNS_REQUESTS" name: "Machines-to-DNS-Requests" description: "DNS requests made from this machine" toCardinality: "MANY" - from: "MACHINES" to: "USER_LOGINS" name: "Machines-to-User-Logins" description: "User logins made on this machine" toCardinality: "MANY" - name: "LW_DATASOURCE_2" description: "Details about datasource" resultSchema: - name: "START_TIME" dataType: "Timestamp" description: "Beginning of time interval" - name: "END_TIME" dataType: "Timestamp" description: "End of time interval" - name: "CREATED_TIME" dataType: "Timestamp" description: "Record creation time" sourceRelationships: - from: "CONNECTIONS" to: "MACHINES" name: "Connections-to-Machines" description: "Machine the connection was recorded on" toCardinality: "ONE" responseActivities_ConnectionsList_Response_Schema: description: "No Error (List of Connections)" content: application/json: schema: properties: paging: $ref: "#/components/schemas/Paging_Schema" data: type: "array" items: $ref: "#/components/schemas/Activities_Connections_Response_Schema" example: paging: rows: 5000 totalRows: 1233301 urls: nextPage: "https://YourLacework.lacework.net/api/v2/Activities/Connections/AbcdEfgh123..." data: - dstEntityId: mid: 116015 pid_hash: -8627328323700991000 dstEntityType: "Process" dstInBytes: 162688 dstOutBytes: 3572 endpointDetails: - dst_ip_addr: "10.245.48.175" dst_port: 2878 protocol: "TCP" src_ip_addr: "10.245.187.233" endTime: "2022-08-18T01:00:00.000Z" numConns: 38 srcEntityId: mid: 114151 pid_hash: 6612898627139247000 srcEntityType: "Process" srcInBytes: 3572 srcOutBytes: 162688 startTime: "2022-08-18T00:00:00.000Z" - dstEntityId: mid: 116015 pid_hash: -8627328323700991000 dstEntityType: "Process" dstInBytes: 252673 dstOutBytes: 4418 endpointDetails: - dst_ip_addr: "10.245.48.175" dst_port: 2878 protocol: "TCP" src_ip_addr: "10.245.172.126" endTime: "2022-08-18T01:00:00.000Z" numConns: 47 srcEntityId: mid: 114151 pid_hash: 6143690005229381000 srcEntityType: "Process" srcInBytes: 4418 srcOutBytes: 252673 startTime: "2022-08-18T00:00:00.000Z" responseActivities_DNSsList_Response_Schema: description: "No Error (List of DNS Summaries)" content: application/json: schema: properties: paging: $ref: "#/components/schemas/Paging_Schema" data: type: "array" items: $ref: "#/components/schemas/Activities_DNSs_Response_Schema" example: paging: rows: 5000 totalRows: 17519 urls: nextPage: "https://YourLacework.lacework.net/api/v2/Activities/DNSs/AbcdEfgh123..." data: - createdTime: "2021-09-10T05:35:45.382Z" mid: 12345 fqdn: "sqs.us-west-2.amazonaws.com" hostIpAddr: "22.94.218.126" ttl: 1 dnsServerIp: "11.251.0.9" - createdTime: "2021-09-10T05:35:45.382Z" mid: 12314 fqdn: "sqs.us-west-2.amazonaws.com" hostIpAddr: "22.94.228.126" ttl: 60 dnsServerIp: "11.312.0.9" responseActivities_ChangedFilesList_Response_Schema: description: "No Error (List of Changed Files)" content: application/json: schema: properties: paging: $ref: "#/components/schemas/Paging_Schema" data: type: "array" items: $ref: "#/components/schemas/Activities_ChangedFiles_Response_Schema" example: paging: rows: 5000 totalRows: 654455 urls: nextPage: "https://YourLacework.lacework.net/api/v2/Activities/ChangedFiles/AbcdEfgh123..." data: - startTime: "2021-09-10T23:00:00Z" endTime: "2021-09-11T00:00:00Z" mid: 12345 filePath: "/usr/bin/curl" filedataHash: "d055afd3h16f11460b3549885a9u8a40f1905df1f9d83cf16gbfa8a3157c29ac" mtime: "1631306708492" size: 210944 threatInfo: "null" - startTime: "2021-09-10T23:00:00Z" endTime: "2021-09-11T00:00:00Z" mid: 12345 filePath: "/bin/sleep" filedataHash: "ada88f7fd24bcdfdde10294c76968a335c2414ea7d43c5e3829b65cb037e90a4" mtime: "1631317667570" size: 0 threatInfo: "null" responseConfigs_ComplianceEvaluationsList_Response_Schema: description: "No Error (List of Compliance Evaluations)" content: application/json: schema: properties: paging: $ref: "#/components/schemas/Paging_Schema" data: type: "array" items: $ref: "#/components/schemas/Configs_ComplianceEvaluations_Response_Schema" example: paging: rows: 5000 totalRows: 9838 urls: nextPage: "https://YourLacework.lacework.net/api/v2/Configs/ComplianceEvaluations/AbcdEfgh123..." data: - account: AccountId": "812212113623" Account_Alias: "lacework" evalType: "LW_SA" id: "LW_AWS_IAM_7" reason: "Iam user is created but it is not active in the last 30 days" recommendation: "Iam user should not be inactive from last 30 days or\ \ more" reportTime: "2021-09-02T11:04:45.817Z" resource: "arn:aws:iam::812252663823:user/lwUser" severity: "Medium" status: "NonCompliant" - account: AccountId": "812212113623" Account_Alias: "lacework" evalType: "LW_SA" id: "LW_AWS_NETWORKING_2" reason: "Security Groups have Unrestricted Inbound Traffic other than\ \ port 80 and 443" recommendation: "Network ACLs do not allow unrestricted inbound traffic" region: "eu-west-2" reportTime: "2021-09-02T11:04:45.817Z" resource: "arn:aws:ec2:eu-west-2:855452774823:network-acl/acl-1ue8138" severity: "Critical" status: "NonCompliant" responseConfigs_AzureSubscriptions_Response_Schema: description: "No Error (List of Azure Subscriptions)" content: application/json: schema: properties: data: type: "array" items: $ref: "#/components/schemas/Configs_AzureSubscriptions_Response_Schema" example: data: - tenant: "a329d8bf-4557-3ccf-b132-82e7025ea22d (a329d8bf-4557-3ccf-b132-82e7025ea22d)" subscriptions: - "88813981-9B83-2B1F-9368-975D71921ACF ([LW] US-WEST)" - tenant: "e5c2ec8e-d3eb-42d8-b646-c34b6e86fa61 (e5c2ec8e-d3eb-42d8-b646-c34b6e86fa61)" subscriptions: - "81A2D8F9-F8B6-3A5D-B3C7-99680EF0B89F (Pay-As-You-Go)" - "83E80CD8-0802-1576-9B68-551D28393BB0 (Pay-As-You-Go-For-Integration)" responseConfigs_GcpProjects_Response_Schema: description: "No Error (List of GCP Projects)" content: application/json: schema: properties: data: type: "array" items: $ref: "#/components/schemas/Configs_GcpProjects_Response_Schema" example: data: - organization: "123456789012" projects: - "lw-us-east (LW-US-East)" - "lw-us-west (LW-US-West)" - "lw-demo" - organization: "234567890123" projects: - "lacework-eu (lacework-eu)" responseVulnerabilities_HostsList_Response_Schema: description: "No Error (List of Host Vulnerabilities)" content: application/json: schema: properties: paging: $ref: "#/components/schemas/Paging_Schema" data: type: "array" items: $ref: "#/components/schemas/Vulnerabilities_Hosts_Response_Schema" example: paging: rows: 5000 totalRows: 209082 urls: nextPage: "https://YourLacework.lacework.net/api/v2/Vulnerabilities/Hosts/AbcdEfgh123..." data: - cveProps: description: "In all versions of AppArmor mount rules are accidentally\ \ widened when compiled." link: "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-1585" metadata: NVD: CVSSv2: PublishedDateTime: "2019-04-22 16:29:01.303 +0000 UTC" Score: 7.5 Vectors: "AV:N/AC:L/Au:N/C:P/I:P/A:P" CVSSv3: ExploitabilityScore: 3.9 ImpactScore: 5.9 Score: 9.8 Vectors: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" RBS: CVSSv2: PublishedDateTime: "2017-11-10T14:07:52Z" Score: 2.1 Vectors: "AV:L/AC:L/Au:N/C:N/I:P/A:N" CVSSv3: ExploitabilityScore: 0 ImpactScore: 0 Score: 0 Vectors: "" classifications: - id: 51 name: "vuln_security_software" - id: 4 name: "location_local" - id: 47 name: "vuln_authentication_required" - id: 15 name: "attack_type_other" - id: 18 name: "impact_integrity" - id: 45 name: "solution_unknown" - id: 21 name: "exploit_public" - id: 65 name: "disclosure_no_vendor_action" cwe_id: CVE-2016-1585: "CWE-254" disclosure_date: "2016-06-28T00:00:00Z" exploit_publish_date: "2016-08-25T00:00:00Z" endTime: "2024-01-25T23:00:00.000Z" evalCtx: collector_type: "Agentless" exception_props: [] hostname: "my-server-hostname" evalGuid: "309b8aadab8e604149a8dc9d64e3570d" featureKey: name: "apparmor" namespace: "ubuntu:20.04" package_active: -2 package_path: "var/lib/dpkg/status" version_installed: "2.13.3-7ubuntu5.3" packageStatus: "NO_AGENT_AVAILABLE" fixInfo: fix_available: "0" fixed_version: "" machineTags: Account: "991966387703" AmiId: "ami-0fa9f275b96db659b" ExternalIp: "0.0.0.0" Hostname: "my-server-hostname" InstanceId: "i-0e98011aba11a1234" InternalIp: "10.0.0.10" LaunchTime: "2024-01-24T20:47:45Z" MachineGuid: "4C57018B-EA72-5898-B0AA-3B1DEC19BBFD" Name: "cloud-activity" State: "running" VmInstanceType: "t2.medium" VmProvider: "AWS" VpcId: "vpc-01abc1111fb8f08ef" Zone: "us-east-2a" lw_InternetExposure: "Yes" lw_InternetExposureLastUpdated: "1706162400000" mid: 7112040530067849000 props: caa_enabled: 0 first_time_seen: "2024-01-24T22:00:00.000Z" isDailyJob: 1 kernel_status: "n/a" last_updated_time: "2024-01-25T22:00:00.000Z" os_out_of_date: false os_type: "Linux" package_status: "N/A" reboot_required: false updates_disabled: false region: "us-east-2" riskInfo: factors: - "cve" - "reachability" - "activeExploits" - "knownExploits" - "packageStatus" factors_breakdown: cve_counts_by_package_status: Active: Critical: 0 High: 0 Medium: 0 Other: 0 Inactive: Critical: 0 High: 0 Medium: 0 Other: 0 Other: Critical: 0 High: 7 Medium: 80 Other: 66 Overall: Critical: 0 High: 7 Info: 13 Low: 53 Medium: 80 exploit_summary: disclosure_in_wild: "No" exploit_public: "Yes" exploit_virus_malware: "No" exploit_wormified: "No" internet_reachability: "Direct" riskScore: 9.74 cveRiskScore: 9.8 cveRiskInfo: cve: HOST_COUNT: 1536 IMAGE_COUNT: 2032 PKG_COUNT: 1 SEVERITY_LEVEL: 4.9 score: 0.8330736355062025 hostRiskInfo: factors: - "cve" - "reachability" - "activeExploits" - "knownExploits" - "packageStatus" factors_breakdown: cve_counts_by_package_status: Active: Critical: 0 High: 0 Medium: 0 Other: 0 Inactive: Critical: 0 High: 0 Medium: 0 Other: 0 Other: Critical: 0 High: 7 Medium: 80 Other: 66 Overall: Critical: 0 High: 7 Info: 13 Low: 53 Medium: 80 exploit_summary: disclosure_in_wild: "No" exploit_public: "Yes" exploit_virus_malware: "No" exploit_wormified: "No" internet_reachability: "Direct" hostRiskScore: 9.74 severity: "Medium" startTime: "2024-01-25T22:00:00.000Z" status: "Active" vulnId: "CVE-2016-1585" responseVulnerabilities_ContainersList_Response_Schema: description: "No Error (List of Container Vulnerabilities)" content: application/json: schema: properties: paging: $ref: "#/components/schemas/Paging_Schema" data: type: "array" items: $ref: "#/components/schemas/Vulnerabilities_Containers_Response_Schema" example: paging: rows: 5000 totalRows: 11668 urls: nextPage: "https://YourLacework.lacework.net/api/v2/Vulnerabilities/Containers/AbcdEfgh123..." data: - cveProps: description: "zlib through 1.2.12 has a heap-based buffer over-read\ \ or buffer overflow in inflate in inflate.c via a large gzip header\ \ extra field. NOTE: only applications that call inflateGetHeader\ \ are affected. Some common applications bundle the affected zlib\ \ source code but may be unable to call inflateGetHeader (e.g.,\ \ see the nodejs/node reference)." link: "https://security-tracker.debian.org/tracker/CVE-2022-37434" metadata: NVD: CVSSv2: PublishedDateTime: "" Score: 0 Vectors: "" CVSSv3: ExploitabilityScore: 3.9 ImpactScore: 5.9 Score: 9.8 Vectors: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" RBS: CVSSv2: PublishedDateTime: "2022-09-01T08:37:46Z" Score: 9.3 Vectors: "AV:N/AC:M/Au:N/C:C/I:C/A:C" CVSSv3: ExploitabilityScore: 3.9 ImpactScore: 5.9 Score: 9.8 Vectors: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" classifications: - id: 46 name: "location_context" - id: 12 name: "attack_type_input_manip" - id: 63 name: "exploit_poc_public" - id: 41 name: "disclosure_verified" - id: 43 name: "disclosure_coordinated_disclosure" - id: 18 name: "impact_integrity" - id: 38 name: "solution_upgrade" cwe_id: CVE-2022-37434: "CWE-787" CVE-2023-21100: "CWE-787" disclosure_date: "2022-07-31T00:00:00Z" exploit_publish_date: "" source: "lacework" evalCtx: collector_type: "Inline scanner" cve_batch_info: - cve_created_time: "2024-01-25 17:16:03.206000000" image_info: created_time: 1659431892285 digest: "sha256:9ceb24f8c5f15c053d973a3610866f473690875dc13eb3282b45302189321040" id: "sha256:e09e90144645e02137d087f0dc059f4d2e3c6356ef8f9e40eeb15d1c901dbc73" registry: "" repo: "index.docker.io/library/postgres" scan_created_time: 1677354474 size: 376111959 status: "Success" tags: - "14.4" type: "Docker" integration_props: {} is_reeval: true request_source: "INLINE_SCANNER" scan_batch_id: "63c97ddc-5f6b-4d7c-a133-8a3f26e48a32-1677354530988238402" scan_request_props: data_format_version: "1.0" environment: docker_version: error_message: "" version: Client: ApiVersion: "1.41" Arch: "amd64" BuildTime: "Thu Mar 24 01:48:21 2022" Context: "default" DefaultAPIVersion: "1.41" Experimental: true GitCommit: "a224086" GoVersion: "go1.16.15" Os: "linux" Platform: Name: "Docker Engine - Community" Version: "20.10.14" Server: ApiVersion: "1.41" Arch: "amd64" BuildTime: "2022-05-12T09:15:28.000000000+00:00" Components: - Details: ApiVersion: "1.41" Arch: "amd64" BuildTime: "Thu May 12 09:15:28 2022" Experimental: "false" GitCommit: "f756502" GoVersion: "go1.17.10" KernelVersion: "5.13.0-1025-aws" MinAPIVersion: "1.12" Os: "linux" Name: "Engine" Version: "20.10.16" - Details: GitCommit: "212e8b6fa2f44b9c21b2798135fc6fb7c53efc16" Name: "containerd" Version: "1.6.4" - Details: GitCommit: "v1.1.1-0-g52de29d" Name: "runc" Version: "1.1.1" - Details: GitCommit: "de40ad0" Name: "docker-init" Version: "0.19.0" GitCommit: "f756502" GoVersion: "go1.17.10" KernelVersion: "5.13.0-1025-aws" MinAPIVersion: "1.12" Os: "linux" Platform: Name: "Docker Engine - Community" Version: "20.10.16" tags: build_id: "dev_build" build_plan: "dev_machine" ci_build: "false" hostname: "7e43af97c865" source: "local_image" user: "root" props: data_format_version: "1.0" scanner_version: "0.2.14" scan_start_time: 1677354474 scanner_version: "0.2.14" vuln_batch_id: "97D1C8F55B9F4CFF94D26D5D0FE6AFB8" vuln_created_time: "2024-01-25 17:16:03.206000000" evalGuid: "8692019f5885b6f400d09e5b2f314779" featureKey: name: "zlib" namespace: "debian:11" version: "1:1.2.11.dfsg-2+deb11u1" featureProps: feed: "lacework" introduced_in: "ADD file:0eae0dca665c7044bf242cb1fc92cb8ea744f5af2dd376a558c90bc47349aefe\ \ in /" layer: "sha256:92b250c0387d3b0ffc7ebb94ab2e5f87450799c8e612551185ae2b2cc941e39f" src: "var/lib/dpkg/status" version_format: "dpkg" packageStatus: "NO_AGENT_AVAILABLE" fixInfo: fix_available: 1 fixed_version: "1:1.2.11.dfsg-2+deb11u2" imageId: "sha256:e09e90144645e02137d087f0dc059f4d2e3c6356ef8f9e40eeb15d1c901dbc73" riskInfo: factors: - "cve" - "reachability" - "activeExploits" - "knownExploits" factors_breakdown: active_containers: 1 cve_counts: Critical: 9 High: 37 Medium: 34 Other: 53 exploit_summary: disclosure_in_wild: "No" exploit_public: "Yes" exploit_virus_malware: "No" exploit_wormified: "No" internet_reachability: "Direct" riskScore: 10 cveRiskScore: 9.8 cveRiskInfo: cve: HOST_COUNT: 83 IMAGE_COUNT: 2923 PKG_COUNT: 3 SEVERITY_LEVEL: 4.9 score: 0.8628278617091608 imageRiskInfo: factors: - "cve" - "reachability" - "activeExploits" - "knownExploits" factors_breakdown: active_containers: 1 cve_counts: Critical: 9 High: 37 Medium: 34 Other: 53 exploit_summary: disclosure_in_wild: "No" exploit_public: "Yes" exploit_virus_malware: "No" exploit_wormified: "No" internet_reachability: "Direct" imageRiskScore: 10 severity: "Critical" startTime: "2024-01-25T18:21:38.458Z" status: "VULNERABLE" vulnId: "CVE-2022-37434" responseEntities_CommandLinesList_Response_Schema: description: "No Error (List of Active Command Lines)" content: application/json: schema: properties: paging: $ref: "#/components/schemas/Paging_Schema" data: type: "array" items: $ref: "#/components/schemas/Entities_CommandLines_Response_Schema" example: paging: rows: 5000 totalRows: 8368 urls: nextPage: "https://YourLacework.lacework.net/api/v2/Entities/CommandLines/AbcdEfgh123..." data: - createdTime: "2021-08-28T21:00:00Z" cmdlineHash: "sdlkfjl3492343240...." cmdline: "/bin/bash ..." - createdTime: "2021-08-28T21:00:00Z" cmdlineHash: "12345fospdofd000909fsfsd...." cmdline: "kubectl apply ..." responseEntities_ContainersList_Response_Schema: description: "No Error (List of Active Containers)" content: application/json: schema: properties: paging: $ref: "#/components/schemas/Paging_Schema" data: type: "array" items: $ref: "#/components/schemas/Entities_Containers_Response_Schema" example: paging: rows: 5000 totalRows: 5698 urls: nextPage: "https://YourLacework.lacework.net/api/v2/Entities/Containers/AbcdEfgh123..." data: - startTime: "2021-08-29T21:00:00Z" endTime: "2021-08-29T22:00:00Z" mid: 12345 containerName: "container1" podName: "podName1" imageId: "sha256:12345678910abcdefghijklmno..." propsContainer: IMAGE_CREATED_TIME: "2020-08-31T19:16:56.210Z" IMAGE_ID: "sha256:e3adaca0b7890abcdefghijklmnopqrstuvwxyz" IMAGE_SIZE: 46269990 IMAGE_TAG: "v1.7.0-eksbuild.1" IMAGE_VERSION: "19.03.11" IMAGE_VIRTUAL_SIZE: 46269990 IPV4: "10.238.75.183" NAME: "/k8s_coredns_coredns-559b5db78d-w72nn_kube-system_12a3d5c0-vea3-6305-a3f9-2733528849d5_0" PID_MODE: "Private" POD_IP_ADDR: "10.238.75.183" POD_TYPE: "coredns-559b5db85d" PRIVILEGED: 0 PROPS_LABEL: {} VOLUME_MAP: {} tags: {} - startTime: "2021-08-29T21:00:00Z" endTime: "2021-08-29T22:00:00Z" mid: 98765 containerName: "container2" podName: "podName2" imageId: "sha256:sdkfhjdsk349324823vclkj..." propsContainer: IMAGE_CREATED_TIME: "2020-08-31T19:16:56.210Z" IMAGE_ID: "sha256:e3adaca0b7890abcdefghijklmnopqrstuvwxyz" IMAGE_SIZE: 46269990 IMAGE_TAG: "v1.7.0-eksbuild.1" IMAGE_VERSION: "19.03.11" IMAGE_VIRTUAL_SIZE: 46269990 IPV4: "10.231.32.155" NAME: "/k8s_coredns_coredns-559b5db78d-w72nn_kube-system_12a3d5c0-vea3-6305-a3f9-2733528849d5_0" PID_MODE: "Private" POD_IP_ADDR: "10.231.32.155" POD_TYPE: "coredns-559b5db85d" PRIVILEGED: 0 PROPS_LABEL: {} VOLUME_MAP: {} tags: {} responseEntities_FilesList_Response_Schema: description: "No Error (List of Active Files)" content: application/json: schema: properties: paging: $ref: "#/components/schemas/Paging_Schema" data: type: "array" items: $ref: "#/components/schemas/Entities_Files_Response_Schema" example: paging: rows: 5000 totalRows: 5698 urls: nextPage: "https://YourLacework.lacework.net/api/v2/Entities/Files/AbcdEfgh123..." data: - createdTime: "2021-08-29T21:00:00Z" mid: 12345 filePath: "filePath1" filedataHash: "hash1" size: 1234567 mtime: "1232132198" - createdTime: "2021-08-29T21:00:00Z" mid: 98765 filePath: "filePath2" filedataHash: "hash2" size: 59849509 mtime: "9892347923" responseEntities_ProcessesList_Response_Schema: description: "No Error (List of Active Processes)" content: application/json: schema: properties: paging: $ref: "#/components/schemas/Paging_Schema" data: type: "array" items: $ref: "#/components/schemas/Entities_Processes_Response_Schema" example: paging: rows: 5000 totalRows: 123680 urls: nextPage: "https://YourLacework.lacework.net/api/v2/Entities/Processes/AbcdEfgh123..." data: - startTime: "2021-08-29T21:00:00Z" endTime: "2021-08-29T22:00:00Z" mid: 98765 pid: 12345 ppid: 11 username: "root" uid: 0 filePath: "someFilePath" cmdlineHash: "0011234567abja3495834d3954389fh" podName: "pod1" processStartTime: "2021-08-28T21:00:00Z" containerId: "12345467894329487ofi345987439857439gki349857394857438957349" - startTime: "2021-08-29T21:00:00Z" endTime: "2021-08-29T22:00:00Z" mid: 12345 pid: 98765 ppid: 1100 username: "root" uid: 0 filePath: "someFilePath2" cmdlineHash: "394823749fskdhf349823fh498" podName: "pod2" processStartTime: "2021-08-27T21:00:00Z" containerId: "3454395843759fodsigoiu495385789hgsighdskhgjfdk4843242342342" responseAlertProfiles_Response_Schema: description: "No Error" content: application/json: schema: properties: data: $ref: "#/components/schemas/AlertProfiles_Response_Schema" example: - alertProfileId: "Custom_HE_Machines_AlertProfile" extends: "LW_HE_Machines" fields: - name: "_EVENT_COUNT" - name: "_PRIMARY_TAG" - name: "_RISK" - name: "_SEVERITY" - name: "_POLICY_ID" - name: "HOSTNAME" descriptionKeys: - name: "_POLICY_DESCRIPTION" spec: "{{_POLICY_DESCRIPTION}}" - name: "_POLICY_TITLE" spec: "{{_POLICY_TITLE}}" - name: "HOSTNAME" spec: "{{HOSTNAME}}" alerts: - name: "HE_Machine_NewViolation" eventName: "Custom LW Host Entity Machine New Violation Alert" description: "Custom New Violation for machine {{HOSTNAME}}" subject: "Custom New violation detected for machine {{HOSTNAME}}" - name: "HE_Machine_PolicyChanged" eventName: "Custom LW Host Entity Machine Policy Changed Alert" description: "Custom policy changed for machine {{HOSTNAME}}" subject: "Custom policy change detected for machine {{HOSTNAME}}" responseAlertProfilesList_Response_Schema: description: "No Error (List of Alert Profiles)" content: application/json: schema: properties: data: type: "array" items: $ref: "#/components/schemas/AlertProfiles_Response_Schema" example: - alertProfileId: "Custom_HE_Machines_AlertProfile" extends: "LW_HE_Machines" fields: - name: "_EVENT_COUNT" - name: "_PRIMARY_TAG" - name: "_RISK" - name: "_SEVERITY" - name: "_POLICY_ID" - name: "HOSTNAME" descriptionKeys: - name: "_POLICY_DESCRIPTION" spec: "{{_POLICY_DESCRIPTION}}" - name: "_POLICY_TITLE" spec: "{{_POLICY_TITLE}}" - name: "HOSTNAME" spec: "{{HOSTNAME}}" alerts: - name: "HE_Machine_NewViolation" eventName: "Custom LW Host Entity Machine New Violation Alert" description: "Custom New Violation for machine {{HOSTNAME}}" subject: "Custom New violation detected for machine {{HOSTNAME}}" - name: "HE_Machine_PolicyChanged" eventName: "Custom LW Host Entity Machine Policy Changed Alert" description: "Custom policy changed for machine {{HOSTNAME}}" subject: "Custom policy change detected for machine {{HOSTNAME}}" responseAlerts_Comment_Response_Schema: description: "No Error (Posting a comment to an alert)" content: application/json: schema: $ref: "#/components/schemas/Alerts_Timeline_Response_Schema" examples: Plaintext: value: data: id: 211250 alertId: 871115 createdTime: "2022-07-18T18:28:30.739Z" entryType: "Comment" entryAuthorType: "UserUpdate" message: format: "Plaintext:1.0" value: "test comment" externalTime: "" user: userGuid: "LW123_6FA99157890E373006F7EE3FA926B02C38D547BD6C79F1D" username: "user@example.com" updateContext: {} Markdown: value: data: id: 211250 alertId: 871115 createdTime: "2022-07-18T18:28:30.739Z" entryType: "Comment" entryAuthorType: "UserUpdate" message: format: "Markdown:1.0" value: "test comment" externalTime: "" user: userGuid: "LW123_6FA99157890E373006F7EE3FA926B02C38D547BD6C79F1D" username: "user@example.com" responseAlerts_Entities_Response_schema: description: "No Error (Alert Entities)" content: application/json: schema: $ref: "#/components/schemas/Alerts_Entities_Response_Schema_Finalized" examples: Entity list: value: data: - entities: - entityValue: "175.178.114.15" contextEntityType: "IpAddress" countOfEntities: 1 No Entities with context panel: value: data: - entities: [] countOfEntities: 0 responseAlertsMachineEntity_Response_Schema: description: "Alert Entity Details" content: application/json: schema: oneOf: - $ref: "#/components/schemas/Alert_Machine_Entity_Response_Schema_Finalized" discriminator: propertyName: "contextEntityType" mapping: Machine: "#/components/schemas/Alert_Machine_Entity_Response_Schema_Finalized" examples: Machine with All data: value: data: criticalAndHighRisk: vulnerabilities: criticalCount: 6 highCount: 1 startTimeRange: 1711135245000 endTimeRange: 1711740045000 alerts: criticalCount: 12 highCount: 2 startTimeRange: 1711135245000 endTimeRange: 1711740045000 attackPaths: criticalCount: 0 otherCount: 2 startTimeRange: 1711714845000 endTimeRange: 1711740045000 customResourceGroups: resourceGroups: - name: "AWS_AP" guid: "TEST_GUID" - name: "Test" guid: "TEST_GUID_2" startTimeRange: 1711135245 endTimeRange: 1711740045 cloudServiceProvider: cloudServiceProvider: "AWS" accountAlias: "zzz-qa-account" accountId: 631664038012 startTimeRange: 1711128431431 endTimeRange: 1711733231431 machineProperties: name: "ip-10-0-1-145" ipAddress: "10.0.1.14" lastBootTime: 1679484911000 cpu: "Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz" osType: "Ubuntu 20.04.4 LTS" memoryInfo: "3958704" kernelRelease: "5.13.0-1031-aws" kernelVersion: "#35~20.04.1-Ubuntu SMP Mon Jun 13 22:30:30 UTC\ \ 2022" macAddress: "02:12:ac:35:e1:d8" defaultRouter: "10.0.1.1" promiscuous: "Yes" startTimeRange: 1697659200000 endTimeRange: 1697662800000 machineTagSummary: amiId: "ami-01e343b69ce6b4eb4" instanceId: "i-033ce4fe16dad898d" subnetId: "subnet-083f432f3dcd27c8c" vmInstanceType: "t3.medium" vmProvider: "AWS" lwTokenShort: "9e8739e260d5c9c1698ec9e91fdea3" internalIp: "10.0.1.145" arch: "amd64" vpcId: "vpc-0584a661d2321622f" zone: "ap-northeast-2a" os: "linux" account: 631664038012 startTimeRange: 1697659200000 endTimeRange: 1697662800000 networkActivityOverview: externalServerConn: count: 208 externalClientConn: count: 0 externalInBytes: count: 3450 externalOutBytes: count: 7887 startTimeRange: 1697659200000 endTimeRange: 1697662800000 Machine with partial information: value: data: criticalAndHighRisk: vulnerabilities: criticalCount: 6 highCount: 1 startTimeRange: 1711135245000 endTimeRange: 1711740045000 alerts: criticalCount: 0 highCount: 0 startTimeRange: 1711135245000 endTimeRange: 1711740045000 attackPaths: message: "Error fetching Attack Path count" customResourceGroups: resourceGroups: - name: "AWS_AP" guid: "TEST_GUID" - name: "Test" guid: "TEST_GUID_2" startTimeRange: 1711135245 endTimeRange: 1711740045 cloudServiceProvider: cloudServiceProvider: "AWS" accountAlias: "zzz-qa-account" accountId: 631664038012 startTimeRange: 1711128431431 endTimeRange: 1711733231431 machineProperties: null machineTagSummary: message: "Error fetching system details" networkActivityOverview: externalServerConn: count: 208 externalClientConn: count: 0 externalInBytes: count: 3450 externalOutBytes: message: "Error fetching external out bytes details" startTimeRange: 1697659200000 endTimeRange: 1697662800000 responseAlertsEntityDetails_Response_Schema: description: "Alert Entity Details" content: application/json: schema: $ref: "#/components/schemas/AlertsEntityDetails_Response_Schema" examples: IpAddress: value: data: isAgentInstalled: false isInternalIp: false laceworkLabs: customerCount: 12 badIpAddress: true startTimeRange: 1697659200000 endTimeRange: 1697662800000 virusTotal: securityVendorsCount: 2 source: "VirusTotal" network: "1.9.0.0/16" autonomousSystemNumber: 4788 autonomousSystemLabel: "TM TECHNOLOGY SERVICES SDN. BHD." regionalInternalRegistry: "APNIC" country: "IN" continent: "AS" startTimeRange: 1697659200000 endTimeRange: 1697662800000 ipAddressSummary: country: "United States of America" region: "Illinois" city: "Chicago" countryCode: "US" startTimeRange: 1697659200000 endTimeRange: 1697662800000 resolvedIpInformation: resolvedIPInfo: - dnsResolverIp: "567.2.3.5" dnsName: "pip.org" resolvedIp: "127.1.321.1" startTimeRange: 1697659200000 endTimeRange: 1697662800000 uniqueProcessDetails: uniqueProcesses: - cmdLine: "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups" launchTime: 1697659200000 hostname: "ip-172-18-0-240" startTimeRange: 1697659200000 endTimeRange: 1697662800000 networkActivityOverview: externalServerConn: count: 208 externalClientConn: count: 0 externalInBytes: count: 3450 externalOutBytes: count: 7887 startTimeRange: 1697659200000 endTimeRange: 1697662800000 Machine: value: data: criticalAndHighRisk: vulnerabilities: criticalCount: 6 highCount: 1 startTimeRange: 1711135245000 endTimeRange: 1711740045000 alerts: criticalCount: 12 highCount: 2 startTimeRange: 1711135245000 endTimeRange: 1711740045000 attackPaths: criticalCount: 0 otherCount: 2 startTimeRange: 1711714845000 endTimeRange: 1711740045000 customResourceGroups: resourceGroups: - name: "AWS_AP" guid: "TEST_GUID" - name: "Test" guid: "TEST_GUID_2" startTimeRange: 1711135245 endTimeRange: 1711740045 cloudServiceProvider: cloudServiceProvider: "AWS" accountAlias: "zzz-qa-account" accountId: 631664038012 startTimeRange: 1711128431431 endTimeRange: 1711733231431 machineProperties: name: "ip-10-0-1-145" ipAddress: "10.0.1.14" lastBootTime: 1679484911000 cpu: "Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz" osType: "Ubuntu 20.04.4 LTS" memoryInfo: "3958704" kernelRelease: "5.13.0-1031-aws" kernelVersion: "#35~20.04.1-Ubuntu SMP Mon Jun 13 22:30:30 UTC\ \ 2022" macAddress: "02:12:ac:35:e1:d8" defaultRouter: "10.0.1.1" promiscuous: 0 startTimeRange: 1697659200000 endTimeRange: 1697662800000 machineTagSummary: amiId: "ami-01e343b69ce6b4eb4" instanceId: "i-033ce4fe16dad898d" subnetId: "subnet-083f432f3dcd27c8c" vmInstanceType: "t3.medium" vmProvider: "AWS" lwTokenShort: "9e8739e260d5c9c1698ec9e91fdea3" internalIp: "10.0.1.145" arch: "amd64" vpcId: "vpc-0584a661d2321622f" zone: "ap-northeast-2a" os: "linux" account: 631664038012 startTimeRange: 1697659200000 endTimeRange: 1697662800000 networkActivityOverview: externalServerConn: count: 208 externalClientConn: count: 0 externalInBytes: count: 3450 externalOutBytes: count: 7887 startTimeRange: 1697659200000 endTimeRange: 1697662800000 Machine with partial information: value: data: criticalAndHighRisk: vulnerabilities: criticalCount: 6 highCount: 1 startTimeRange: 1711135245000 endTimeRange: 1711740045000 alerts: criticalCount: 0 highCount: 0 startTimeRange: 1711135245000 endTimeRange: 1711740045000 attackPaths: message: "Error fetching Attack Path count" customResourceGroups: resourceGroups: - name: "AWS_AP" guid: "TEST_GUID" - name: "Test" guid: "TEST_GUID_2" startTimeRange: 1711135245 endTimeRange: 1711740045 cloudServiceProvider: cloudServiceProvider: "AWS" accountAlias: "zzz-qa-account" accountId: 631664038012 startTimeRange: 1711128431431 endTimeRange: 1711733231431 machineProperties: null machineTagSummary: message: "Error fetching system details" networkActivityOverview: externalServerConn: count: 208 externalClientConn: count: 0 externalInBytes: count: 3450 externalOutBytes: message: "Error fetching external out bytes details" startTimeRange: 1697659200000 endTimeRange: 1697662800000 responseAlerts_Response_Schema: description: "No Error (Alert Details)" content: application/json: schema: oneOf: - $ref: "#/components/schemas/Alerts_Details_Response_Schema_Finalized" - $ref: "#/components/schemas/Alerts_Investigation_Response_Schema_Finalized" - $ref: "#/components/schemas/Alerts_Events_Response_Schema_Finalized" - $ref: "#/components/schemas/Alerts_RelatedAlerts_Response_Schema_Finalized" - $ref: "#/components/schemas/Alerts_Integrations_Response_Schema_Finalized" - $ref: "#/components/schemas/Alerts_Timeline_Response_Schema_Finalized" - $ref: "#/components/schemas/Alerts_ObservationTimeline_Response_Schema_Finalized" discriminator: propertyName: "scope" mapping: Details: "#/components/schemas/Alerts_Details_Response_Schema_Finalized" Investigation: "#/components/schemas/Alerts_Investigation_Response_Schema_Finalized" Events: "#/components/schemas/Alerts_Events_Response_Schema_Finalized" RelatedAlerts: "#/components/schemas/Alerts_RelatedAlerts_Response_Schema_Finalized" Integrations: "#/components/schemas/Alerts_Integrations_Response_Schema_Finalized" Timeline: "#/components/schemas/Alerts_Timeline_Response_Schema_Finalized" ObservationTimeline: "#/components/schemas/Alerts_ObservationTimeline_Response_Schema_Finalized" examples: Details: value: data: alertId: 813628 startTime: "2022-06-30T00:00:00.000Z" alertType: "CloudActivityLogIngestionFailed" severity: "High" endTime: "2022-06-30T01:00:00.000Z" lastUserUpdatedTime: "" status: "Open" alertName: "Clone of Cloud Activity log ingestion failure detected" alertInfo: subject: "Clone of Cloud Activity log ingestion failure detected:\ \ `azure-al-india-dnd` (and `3` more) is failing for data ingestion\ \ into Lacework" description: "New integration failure detected for azure-al-india-dnd\ \ (and 3 more)" isExpectedLWBehavior: true customerCount: 10 supportingFacts: - supportingFactText: "Container Escape" subElements: - supportingFactText: "Use of known container privilege escalation\ \ and exploit tools 6 time(s) on host(s) ip-172-18-0-240" entityMap: API: "{object}" CT_User: "{object}" CT_RawTime: "{object}" Region: "{object}" Resource: "{object}" RulesTriggered: "{object}" SourceIpAddress: "{object}" Investigation: value: data: - question: "Has a new user been involved in the event in the last\ \ 60 days?" answer: "No" - question: "Have the users involved in the event authenticated without\ \ MFA in the last 60 days?" answer: "Yes" - question: "Have any of the users involved in the event used the\ \ Root account in the last 60 days?" answer: "No" Events: value: data: - awsRegion: "us-west-2" eventName: "GetEbsEncryptionByDefault" eventSource: "ec2.amazonaws.com" sourceIpAddress: "123.80.321.98" recipientAccountId: "812352663828" mfa: false eventTime: "2022-07-18T17:25:30Z" userIdentity: "{object}" additionalEventInfo: errorCode: "Client.UnauthorizedOperation" errorMessage: "You are not authorized to perform this operation." eventID: "de75431e-6e1d-45d0-92a0-22addfd02f1d" eventTime: "2022-07-18 10:25:30.000 -0700" eventType: "AwsApiCall" eventVersion: "1.08" readOnly: true requestID: "ea5f07f6-459a-47d9-885c-140ace09d811" userAgent: "Botocore/1.21.52 Python/3.9.13 Linux/5.4.181-99.354.amzn2.x86_64" requestParameters: "{\"GetEbsEncryptionByDefaultRequest\":\"\"}" compositeEventId: 439210 id: "431141" name: "New vulnerable application" descriptionText: "Vulnerable application java net.lacework.qa.J11_L4J2_14_1_EC2A_NewExternalServerToIPConnFromVuln_06230413Z_vuln[log4j]\ \ running on host ip-172-31-19-152.us-west-2.compute.internal" compositeStartTime: "2023-06-23T04:00:00Z" compositeEndTime: "2023-07-20T13:18:36Z" entityKeys: [] tagMetadata: - tagMetadata: customerFacingId: "T195.002" id: "T195.002" name: "Vulnerability Scanning" orderIndex: "4" parentId: "T1595" type: "MitreSubTechnique" url: "https://attack.mitre.org/techniques/T1595/002" version: "13.1" - tagMetadata: customerFacingId: "T1068" id: "T1068" name: "Exploitation for Privilege Escalation" orderIndex: "321" parentId: "TA004" type: "MitreTechnique" url: "https://attack.mitre.org/techniques/T1068" version: "13.1" RelatedAlerts: value: data: - eventType: "CloudTrailDefaultAlert" eventId: "831168" severity: "3" startTime: "2022-06-13T18:00:00Z" endTime: "2022-06-13T19:00:00Z" eventModel: "CloudTrailCep" eventProps: description: "{object}" dstEntities: "{object}" eventActor: "Aws" srcEntities: "{object}" keys: "{object}" rank: 6 eventInfo: subject: "CTA UnauthorizedAPICall only for Client: For account:\ \ `812252663823` : event `CTA UnauthorizedAPICall only for\ \ Client.` occurred `334` times" description: " For account: 812252663823 : event CTA UnauthorizedAPICall\ \ only for Client. occurred 334 times by user ABCDEFGHIJKL:Lacework\ \ " eventName: "CTA UnauthorizedAPICall only for Client" Integrations: value: data: - alertChannel: "{object}" alertIntegrationId: "361f69b8-8fdf-2d6c-640c-e62bb68623cd" createdTime: "2022-07-13T18:29:16.961Z" alertId: 876951 integrationType: "JIRA" integrationContext: id: "LW-Win-123" link: "https://lacework-windows.atlassian.net/browse/LW-Win-123" intgGuid: "LWWIN123_FC43532CB8288DF8A2A74BC52A4579C564597C3B8221AB9" lastSyncTime: "2022-07-13T18:29:15.776Z" alertIntegrationStatus: "To Do" status: "Open" isBidirectional: true Timeline: value: data: - alertChannel: "{object}" id: 134138 alertId: 871115 createdTime: "2022-07-11T00:11:31.563Z" entryType: "IntegrationCreate" entryAuthorType: "Integration" intgGuid: "LWWIN123_15DE38A0090190A81719D6EF0DCCC4FED34839DC3356A23" message: {} externalTime: "" user: "{object}" updateContext: newIntegration: createdTime: "" alertId: 871115 lastSyncTime: "2022-07-11T00:11:31.560Z" alertIntegrationStatus: "To Do" status: "Open" isBidirectional: false alertIntegration": "{object}" ObservationTimeline: value: data: - recordUuid: "38ab1470-87f0-5f21-a413-0414d069ad7a" observationPivotEntityUuids: - "KH6MwF6XFcMrb6er2PZxNo" observationType: "linux_discovery_container_and_docker_information" description: "Detection of container and docker information discovery\ \ commands" startEpoch: 1728425529 endEpoch: 1728425529 entities: - isDetail: false isSubject: false entity_key: exe_path: "/usr/bin/grep" mid: "5801056842124948691" entity_props: internal_ip_addr: "10.1.0.33" entityText: "/usr/bin/grep" entityType: "file_exe_path" entityUuid: "NrBg4dxMnBPsLSoqHQH2bi" - isDetail: false isSubject: true srcEntityKey: hostname: "developer-target-afca37ed.us-central1-a.c.lwintqs20240312032058-1.internal" mid: "5801056842124948691" entityText: "developer-target-afca37ed.us-central1-a.c.lwintqs20240312032058-1.internal" entityType: "machine" entityUuid: "6ZHW5C9UNic5wSqa4GwfaL" - isDetail: true isSubject: false relationshipId: "4d8526017cc8e95004f8836f7c5afeb4b39dd28e" srcEntityKey: mid: "5801056842124948691" pid_hash: "-2217992435045301091" entityText: "grep container=lxc -qa" entityType: "process" entityUuid: "S5EA85BdvukPxVyZwPZNLX" relationships: - isDetail: false isSubject: false relationshipId: "e0eaf1c55c6f5a973c36fe794658aab9f0fc3232" srcEntityKey: exe_path: "/usr/bin/grep" mid: "5801056842124948691" srcEntityText: "/usr/bin/grep" srcEntityType: "file_exe_path" srcEntityUuid: "NrBg4dxMnBPsLSoqHQH2bi" - isDetail: false isSubject: true relationshipId: "65645e83d8adc7c1096300fcb3561c21fcf6d81b" srcEntityKey: hostname: "developer-target-afca37ed.us-central1-a.c.lwintqs20240312032058-1.internal" mid: "5801056842124948691" srcEntityText: "developer-target-afca37ed.us-central1-a.c.lwintqs20240312032058-1.internal" srcEntityType: "machine" srcEntityUuid: "6ZHW5C9UNic5wSqa4GwfaL" - isDetail: true isSubject: false relationshipId: "00aaffbe6c24112d7a8c25e0ece0f7ba265e3a7e" srcEntityKey: mid: "5801056842124948691" pid_hash: "-2217992435045301091" srcEntityText: "grep container=lxc -qa" srcEntityType: "process" srcEntityUuid: "S5EA85BdvukPxVyZwPZNLX" formalTags: - customer_facing_id: "T1098.004" id: "T1098.004" name: "SSH Authorized Keys" order_index: "43" parent_id: "T1098" url: "https://attack.mitre.org/techniques/T1098/004" responseAlertsList_Response_Schema: description: "No Error (List of Alerts)" content: application/json: schema: properties: paging: $ref: "#/components/schemas/Paging_Schema" data: type: "array" items: $ref: "#/components/schemas/Alerts_Response_Schema" example: paging: rows: 1000 totalRows: 3120 urls: nextPage: "https://YourLacework.lacework.net/api/v2/Alerts/AbcdEfgh123..." data: - alertId: 855628 startTime: "2022-06-30T00:00:00.000Z" alertType: "MaliciousFile" severity: "Critical" internetExposure: "UnknownInternetExposure" reachability: "UnknownReachability" derivedFields: category: "Anomaly" sub_category: "File" source: "Agent" endTime: "2022-06-30T01:00:00.000Z" lastUserUpdatedTime: "" status: "Open" alertName: "Clone of Cloud Activity log ingestion failure detected" alertInfo: subject: "Clone of Cloud Activity log ingestion failure detected:\ \ `azure-al-india-dnd` (and `3` more) is failing for data ingestion\ \ into Lacework" description: "New integration failure detected for azure-al-india-dnd\ \ (and 3 more)" policyId: "CUSTOM_PLATFORM_130" - alertId: 855629 startTime: "2022-06-30T00:00:00.000Z" alertType: "ChangedFile" severity: "Critical" internetExposure: "UnknownInternetExposure" reachability: "UnknownReachability" derivedFields: category: "Policy" sub_category: "File" source: "Agent" endTime: "2022-06-30T01:00:00.000Z" lastUserUpdatedTime: "2022-06-30T01:26:51.392Z" status: "Open" alertName: "Unauthorized API Call" alertInfo: subject: "Unauthorized API Call: For account: `1234567890`: Unauthorized\ \ API call was attempted `4` times" description: "For account: 1234567890: Unauthorized API call was attempted\ \ 4 times by user ABCD1234:Lacework" responseOrganizationInfoList_Response_Schema: description: "No Error (Organization Info)" content: application/json: schema: properties: data: type: "array" items: $ref: "#/components/schemas/OrganizationInfo_Response_Schema" example: - orgAccount: true orgAccountUrl: "YourLacework.lacework.net" responseEntities_PackagesList_Response_Schema: description: "No Error (List of Packages)" content: application/json: schema: properties: paging: $ref: "#/components/schemas/Paging_Schema" data: type: "array" items: $ref: "#/components/schemas/Entities_Packages_Response_Schema" example: paging: rows: 5000 totalRows: 123680 urls: nextPage: "https://YourLacework.lacework.net/api/v2/Entities/Packages/AbcdEfgh123..." data: - createdTime: "2021-10-12T09:00:00Z" mid: 21099 packageName: "package-1" version: "version-1" arch: "noarch" - createdTime: "2021-10-12T10:00:00Z" mid: 12345 packageName: "package-2" version: "version-2" arch: "noarch" responseEntities_MachineDetailsList_Response_Schema: description: "No Error (List of Machine Details)" content: application/json: schema: properties: paging: $ref: "#/components/schemas/Paging_Schema" data: type: "array" items: $ref: "#/components/schemas/Entities_MachineDetails_Response_Schema" example: paging: rows: 5000 totalRows: 6138 urls: nextPage: "https://YourLacework.lacework.net/api/v2/Entities/MachineDetails/AbcdEfgh123..." data: - createdTime: "2021-10-12T09:00:00Z" mid: 21099 hostname: "ip-1-2-3-4.us-west-2.compute.internal" domain: "domainName-1" os: "Amazon Linux" osVersion: "v1" kernel: "Linux" kernalRelease: "release-1" kernelVersion: "kernelVersion1" tags: Account: "631663038012" AmiId: "ami-0b83c6233cdbe5c3e" Env: "k8s" ExternalIp: "65.12.33.13" Hostname: "ip-172-20-48-251.ap-south-1.compute.internal" InstanceId: "i-086d43d6a3b95577b" InternalIp: "172.20.48.251" KubernetesCluster: "k8s.pr3-india.k8s.local" SubnetId: "subnet-00632df802c188943" VmInstanceType: "t2.large" VmProvider: "AWS" VpcId: "vpc-0b27d7188aa120476" Zone: "ap-south-1a" arch: "amd64" os: "linux" awsInstanceId: "i-1" awsZone: "us-west-2a" - createdTime: "2021-10-12T10:00:00Z" mid: 12345 hostname: "ip-10-29-39-40.us-west-2.compute.internal" domain: "domainName-2" os: "Amazon Linux" osVersion: "v2" kernel: "Linux" kernalRelease: "release-2" kernelVersion: "kernelVersion2" tags: Account: "631663038222" AmiId: "ami-0b82c6233cdbe5c3e" Env: "k8s" ExternalIp: "65.12.33.12" Hostname: "ip-172-20-48-252.ap-south-1.compute.internal" InstanceId: "i-086d43d6a3b95577b" InternalIp: "172.20.48.252" KubernetesCluster: "k8s.pr2-india.k8s.local" SubnetId: "subnet-02632df802c188923" VmInstanceType: "t2.large" VmProvider: "AWS" VpcId: "vpc-0b27d7188aa120276" Zone: "ap-south-1a" arch: "amd64" os: "linux" awsInstanceId: "i-2" awsZone: "us-west-2b" responseEntities_InternalIPAddressesList_Response_Schema: description: "No Error (List of Internal IP Addresses)" content: application/json: schema: properties: paging: $ref: "#/components/schemas/Paging_Schema" data: type: "array" items: $ref: "#/components/schemas/Entities_InternalIPAddresses_Response_Schema" example: paging: rows: 5000 totalRows: 6298 urls: nextPage: "https://YourLacework.lacework.net/api/v2/Entities/InternalIPAddresses/AbcdEfgh123..." data: - startTime: "2021-10-12T09:00:00Z" endTime: "2021-10-12T10:00:00Z" ipAddr: "10.123.987.0" mid: 21099 - startTime: "2021-10-12T08:00:00Z" endTime: "2021-10-12T09:00:00Z" ipAddr: "19.567.921.3" mid: 12345 responseEntities_K8sPodsList_Response_Schema: description: "No Error (List of K8s Pods)" content: application/json: schema: properties: paging: $ref: "#/components/schemas/Paging_Schema" data: type: "array" items: $ref: "#/components/schemas/Entities_K8sPods_Response_Schema" example: paging: rows: 5000 totalRows: 12398 urls: nextPage: "https://YourLacework.lacework.net/api/v2/Entities/K8sPods/AbcdEfgh123..." data: - startTime: "2021-08-28T21:00:00Z" endTime: "2021-08-28T22:00:00Z" mid: 12345 podName: "name1" primaryIpAddr: "10.100.20.200" propsContainer: CONTAINER_TYPE: "DOCKER" IMAGE_CREATED_TIME: "2018-06-03T23:17:09.859Z" IMAGE_ID: "sha256:9e862c010bf39766f9821926848754adccf58225aa652cc18a97fccba273df39" IMAGE_REPO: "602801163852.dkr.ecr.us-west-2.amazonaws.com/eks/pause-amd64" IMAGE_SIZE: 742472 IMAGE_TAG: "3.1" IMAGE_VERSION: "17.06.2-ce" IMAGE_VIRTUAL_SIZE: 742472 IPV4: "0.0.0.0" NAME: "/k8s_POD_vmalert-vm-5865bffbd6-f6c7l_vm_b46fdbf1-8103-667b-ab5b-8efbff0fe8ae_0" NETWORK_MODE: "None" PID_MODE: "Private" POD_TYPE: "vmalert-vm" PRIVILEGED: 0 PROPS_LABEL: {} - startTime: "2021-08-28T21:00:00Z" endTime: "2021-08-28T22:00:00Z" mid: 98763 podName: "name2" primaryIpAddr: "10.100.20.201" propsContainer: CONTAINER_TYPE: "DOCKER" IMAGE_CREATED_TIME: "2018-06-03T23:17:09.859Z" IMAGE_ID: "sha256:9e862c010bf39766f9821926828754adccf58225aa652cc18a97fccba273df39" IMAGE_REPO: "602801163852.dkr.ecr.us-west-2.amazonaws.com/eks/pause-amd64" IMAGE_SIZE: 742472 IMAGE_TAG: "3.1" IMAGE_VERSION: "17.06.2-ce" IMAGE_VIRTUAL_SIZE: 742472 IPV4: "0.0.0.0" NAME: "/k8s_POD_vmalert-vm-5865bffbd6-f6c7l_vm_b46fdbf1-8103-667b-ab5b-8efbff0fe8ae_0" NETWORK_MODE: "Host" PID_MODE: "Host" PRIVILEGED: 0 PROPS_LABEL: {} responseEntities_NewFileHashesList_Response_Schema: description: "No Error (List of New File Hashes)" content: application/json: schema: properties: paging: $ref: "#/components/schemas/Paging_Schema" data: type: "array" items: $ref: "#/components/schemas/Entities_NewFileHashes_Response_Schema" example: paging: rows: 5000 totalRows: 123456 urls: nextPage: "https://YourLacework.lacework.net/api/v2/Entities/NewFileHashes/AbcdEfgh123..." data: - startTime: "2020-12-18T08:00:00Z" endTime: "2020-12-18T08:30:00Z" filedataHash: "3209482304949038fjdksjfk324923840fuiewf498274923odiu32049" - startTime: "2020-12-18T08:00:00Z" endTime: "2020-12-18T08:30:00Z" filedataHash: "lksjfldkjfl5j345uioert94t344920349j03f9ejf34900tj40934940" responseEntities_NetworkInterfacesList_Response_Schema: description: "No Error (List of Network Interfaces)" content: application/json: schema: properties: paging: $ref: "#/components/schemas/Paging_Schema" data: type: "array" items: $ref: "#/components/schemas/Entities_NetworkInterfaces_Response_Schema" example: paging: rows: 5000 totalRows: 23680 urls: nextPage: "https://YourLacework.lacework.net/api/v2/Entities/NetworkInterfaces/AbcdEfgh123..." data: - createdTime: "2020-12-18T08:00:00Z" mid: 12345 name: "name-1" hwAddr: "a5:3d:f4:7o:hy" ipAddr: "hg97::kdjf:klj9:kin8:lej4" - createdTime: "2020-12-18T08:30:00Z" mid: 98765 name: "name-2" hwAddr: "b7:k0:bh:8n" ipAddr: "som4::skd8:kj99:hg72:lk98" responseVulnerabilityExceptions_Response_Schema: description: "No Error" content: application/json: schema: properties: data: $ref: "#/components/schemas/VulnerabilityExceptions_Response_Schema" example: data: createdTime: "2021-12-18T08:30:00Z" exceptionGuid: "LWABC" exceptionName: "Container Vulnerability Exception" exceptionReason: "Accepted Risk" exceptionType: "Container" expiryTime: "2021-12-28T08:30:00Z" props: description: "This is a Container Vulnerability Exception" createdBy: "abc@xyz.com" updatedBy: "abc@xyz.com" resourceScope: registry: - "registry1" - "registry2" state: 1 updatedTime: "2021-12-18T08:30:00Z" vulnerabilityCriteria: severity: - "Low" responseVulnerabilityExceptionsList_Response_Schema: description: "No Error (List of Vulnerability Exceptions)" content: application/json: schema: properties: data: type: "array" items: $ref: "#/components/schemas/VulnerabilityExceptions_Response_Schema" example: data: - createdTime: "2021-12-18T08:30:00Z" exceptionGuid: "LWABC" exceptionName: "Container Vulnerability Exception" exceptionReason: "Accepted Risk" exceptionType: "Container" expiryTime: "2021-12-28T08:30:00Z" props: description: "This is a Container Vulnerability Exception" createdBy: "abc@xyz.com" updatedBy: "abc@xyz.com" resourceScope: registry: - "registry1" - "registry2" state: 1 updatedTime: "2021-12-18T08:30:00Z" vulnerabilityCriteria: severity: - "Low" - createdTime: "2021-12-18T08:30:00Z" exceptionGuid: "LWDEF" exceptionName: "Host Vulnerability Exception" exceptionReason: "Other" exceptionType: "Host" expiryTime: "2021-12-28T08:30:00Z" props: description: "This is a Host Vulnerability Exception" createdBy: "abc@xyz.com" updatedBy: "abc@xyz.com" resourceScope: hostname: - "hostname" state: 1 updatedTime: "2021-12-18T08:30:00Z" vulnerabilityCriteria: severity: - "High" - "Medium" responseVulnerabilityPolicies_Response_Schema: description: "No Error" content: application/json: schema: properties: data: $ref: "#/components/schemas/VulnerabilityPolicies_Response_Schema" example: data: policyGuid: "LWABC" policyName: "DockerFile Vulnerability Policy" policyType: "DockerFile" policyEvalType: "local" severity: "Critical" failOnViolation: 0 alertOnViolation: 0 filter: rule: operator: "include" values: - "setgid" - "setuid" state: 1 isDefault: 0 props: description: "This is a DockerFile Vulnerability Policy" createdBy: "abc@xyz.com" updatedBy: "abc@xyz.com" createdTime: "2022-03-04T22:32:14.685Z" updatedTime: "2022-03-04T22:32:14.685Z" responseVulnerabilityPoliciesList_Response_Schema: description: "No Error (List of Vulnerability Policies)" content: application/json: schema: properties: data: type: "array" items: $ref: "#/components/schemas/VulnerabilityPolicies_Response_Schema" example: data: - policyGuid: "LWABC" policyName: "DockerFile Vulnerability Policy" policyType: "DockerFile" policyEvalType: "local" severity: "Critical" failOnViolation: 0 alertOnViolation: 0 filter: rule: operator: "include" values: - "setgid" - "setuid" state: 1 isDefault: 0 props: description: "This is a DockerFile Vulnerability Policy" createdBy: "abc@xyz.com" updatedBy: "abc@xyz.com" createdTime: "2022-03-04T22:32:14.685Z" updatedTime: "2022-03-04T22:32:14.685Z" - policyGuid: "LWABC" policyName: "CVE Vulnerability Policy" policyType: "CVE" policyEvalType: "local" severity: "High" failOnViolation: 0 alertOnViolation: 0 filter: cveIds: - "CVE-140" state: 1 isDefault: 0 props: description: "This is a CVE Vulnerability Policy" createdBy: "abc@xyz.com" updatedBy: "abc@xyz.com" createdTime: "2022-03-04T22:32:14.685Z" updatedTime: "2022-03-04T22:32:14.685Z" responseEventsList_Response_Schema: description: "No Error (List of Events)" content: application/json: schema: properties: paging: $ref: "#/components/schemas/Paging_Schema" data: type: "array" items: $ref: "#/components/schemas/Events_Response_Schema" example: data: - endTime: "2022-03-18T01:00:00.000Z" eventCount: 7738 eventType: "CloudTrailDefaultAlert" id: 438898 srcEvent: awsRegion: "us-west-2" event: additionalEventData: AuthenticationMethod: "AuthHeader" CipherSuite: "ECDHE-RSA-AES128-GCM-SHA256" SignatureVersion: "SigV4" bytesTransferredIn: 0 bytesTransferredOut: 137 x-amz-id-2: "wl+gKI0I80T1CIBzz8d96nX5XcesTU/eIeo8SwdNqmSH2ZYFZssPmlqNhJJnhvewgefx6Babcqc=" awsRegion: "us-west-2" eventCategory: "Management" eventID: "1dddd61c-7608-87d8-b9f8-4a52495bdbb1" eventName: "GetBucketLocation" eventSource: "s3.amazonaws.com" eventTime: "2022-03-18T00:04:08Z" eventType: "AwsApiCall" eventVersion: "1.08" managementEvent: true readOnly: true recipientAccountId: "631668038012" requestID: "SRZY6EVTR8Q3ADSJ" requestParameters: Host: "s3.us-west-2.amazonaws.com" bucketName: "redhat-k8-crio-bucket" location: "" resources: - ARN: "arn:aws:s3:::redhat-k8-crio-bucket" accountId: "631668038012" type: "Aws::s3::bucket" sourceIPAddress: "36.223.225.183" tlsDetails: cipherSuite: "ECDHE-RSA-AES128-GCM-SHA256" clientProvidedHostHeader: "s3.us-west-2.amazonaws.com" tlsVersion: "TLSv1.2" userAgent: "[aws-sdk-go/1.37.0 (go1.15.8; linux; amd64)]" userIdentity: accessKeyId: "ABCDEFGHIJKLMNOPQRST" accountId: "631668038012" arn: "arn:aws:sts::631668038012:assumed-role/masters.redhatk8crio.k8s.local/i-06443e34ddc641957" principalId: "ABCDEFGHIJKL123456789" sessionContext: attributes: creationDate: "2022-03-17T23:58:00Z" mfaAuthenticated: "false" ec2RoleDelivery: "2.0" sessionIssuer: accountId: "631668038012" arn: "arn:aws:iam::631668038012:role/masters.redhatk8crio.k8s.local" principalId: "ABCDEFGHIJKL123456789" type: "Role" userName: "masters.redhatk8crio.k8s.local" webIdFederationData: {} type: "Assumedrole" eventName: "GetBucketLocation" eventSource: "s3.amazonaws.com" is_assumed_role: true principalId: "ABCDEFGHIJKL123456789" recipientAccountId: "631668038012" sourceIPAddress: "36.223.225.183" userIdentity: accessKeyId: "ABCDEFGHIJKLMNOPQRST" accountId: "631668038012" arn: "arn:aws:sts::631668038012:assumed-role/masters.redhatk8crio.k8s.local/i-06443e34ddc641957" principalId: "ABCDEFGHIJKL123456789" sessionContext: attributes: creationDate: "2022-03-17T23:58:00Z" mfaAuthenticated: "false" ec2RoleDelivery: "2.0" sessionIssuer: accountId: "631668038012" arn: "arn:aws:iam::631668038012:role/masters.redhatk8crio.k8s.local" principalId: "ABCDEFGHIJKL123456789" type: "Role" userName: "masters.redhatk8crio.k8s.local" webIdFederationData: {} type: "Assumedrole" userIdentityAccount: "631668038012" userIdentityName: "masters.redhatk8crio.k8s.local" userIdentityType: "AssumedRole" username: "AssumedRole/631668038012:masters.redhatk8crio.k8s.local" srcType: "AwsResource" startTime: "2022-03-18T00:00:00.000Z" - endTime: "2022-03-18T01:00:00.000Z" eventCount: 7738 eventType: "CloudTrailDefaultAlert" id: 438898 srcEvent: awsRegion: "us-west-2" event: additionalEventData: AuthenticationMethod: "AuthHeader" CipherSuite: "ECDHE-RSA-AES128-GCM-SHA256" SignatureVersion: "SigV4" bytesTransferredIn: 0 bytesTransferredOut: 137 x-amz-id-2: "hhxqxS6lksuIoI/E8eZqZ1xg+yqLSVwoXBgFb3doT0+e3QJzoDyGuQ6RqVkL8zjyhVBKhbQGC9E=" awsRegion: "us-west-2" eventCategory: "Management" eventID: "1338a37d-4309-44bb-9f68-30c39ce152b0" eventName: "GetBucketLocation" eventSource: "s3.amazonaws.com" eventTime: "2022-03-18T00:17:27Z" eventType: "AwsApiCall" eventVersion: "1.08" managementEvent: true readOnly: true recipientAccountId: "631668038012" requestID: "T7SB5GS78Q8ZA4KV" requestParameters: Host: "s3.us-west-2.amazonaws.com" bucketName: "asset-mgt-dev-697" location: "" resources: - ARN: "arn:aws:s3:::asset-mgt-dev-697" accountId: "631668038012" type: "Aws::s3::bucket" sourceIPAddress: "10.0.198.115" tlsDetails: cipherSuite: "ECDHE-RSA-AES128-GCM-SHA256" clientProvidedHostHeader: "s3.us-west-2.amazonaws.com" tlsVersion: "TLSv1.2" userAgent: "[aws-sdk-go/1.40.53 (go1.16; linux; amd64)]" userIdentity: accessKeyId: "ABCDEFGHIJKLMNOPQRST" accountId: "631668038012" arn: "arn:aws:iam::631668038012:user/user1-7nsnk-managed-velero-operator-iam-credentia-dr7ss" principalId: "ABCDEFGHIJKL123456789" type: "Iamuser" userName: "user1-7nsnk-managed-velero-operator-iam-credentia-dr7ss" vpcEndpointId: "vpce-0b01b13fbbcec47fa" eventName: "GetBucketLocation" eventSource: "s3.amazonaws.com" is_assumed_role: false principalId: "ABCDEFGHIJKL123456789" recipientAccountId: "631668038012" sourceIPAddress: "10.0.198.115" userIdentity: accessKeyId: "ABCDEFGHIJKLMNOPQRST" accountId: "631668038012" arn: "arn:aws:iam::631668038012:user/user1-7nsnk-managed-velero-operator-iam-credentia-dr7ss" principalId: "ABCDEFGHIJKL123456789" type: "Iamuser" userName: "user1-7nsnk-managed-velero-operator-iam-credentia-dr7ss" userIdentityAccount: "631668038012" userIdentityType: "IAMUser" username: "IAMUser/631668038012:user1-7nsnk-managed-velero-operator-iam-credentia-dr7ss" srcType: "AwsResource" startTime: "2022-03-18T00:00:00.000Z" responseExceptions_Response_Schema: description: "No Error" content: application/json: schema: properties: data: $ref: "#/components/schemas/Exceptions_Response_Schema" example: data: exceptionId: "510c8bc5-f06b-8afb-8028-0203d6e582de" description: "wildcard exception" constraints: - fieldKey: "fieldKey1" fieldValues: - "*" lastUpdateTime: "2022-04-05T01:53:11.809Z" lastUpdateUser: "info@example.com" responseExceptionsList_Response_Schema: description: "No Error (List of Policy Exceptions)" content: application/json: schema: properties: data: type: "array" items: $ref: "#/components/schemas/Exceptions_Response_Schema" example: data: - exceptionId: "510c8bc5-f06b-8afb-8028-0203d6e582da" description: "wildcard exception" constraints: - fieldKey: "fieldKey1" fieldValues: - "*" lastUpdateTime: "2022-04-05T01:53:11.809Z" lastUpdateUser: "info@example.com" - exceptionId: "510c8bc5-f06b-8afb-8028-0203d6e582d" description: "exception for eu regions" constraints: - fieldKey: "fieldKey1" fieldValues: - "eu-central-1" - "eu-north-1" lastUpdateTime: "2022-04-05T01:56:21.808Z" lastUpdateUser: "info@example.com" responseAgentInfoList_Response_Schema: description: "No Error (List of Agent Information)" content: application/json: schema: properties: paging: $ref: "#/components/schemas/Paging_Schema" data: description: "For details about what agent information is available,\ \ see [AGENT_MANAGEMENT_V View](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/901452/agent-management-v-view)." type: "array" items: $ref: "#/components/schemas/AgentInfo_Response_Schema" example: paging: rows: 5000 totalRows: 5060 urls: nextPage: "https://YourLacework.lacework.net/api/v2/AgentInfo/AbcdEfgh123..." data: - agentVersion: "5.5.0-6ecefc7f" createdTime: "2021-03-30T12:40:19.087Z" hostname: "ip-10-231-16-188.us-west-2.compute.internal" ipAddr: "10.231.16.188" lastUpdate: "2022-04-27 16:59:11.283 -0700" mid: 1898 mode: "normal" os: "Linux" status: "ACTIVE" tags: Account: "289356771585" AmiId: "ami-0d9ef0d807e565a36" COGS: "OPEX" Env: "lw" ExternalIp: "" Hostname: "ip-10-231-16-188.us-west-2.compute.internal" InstanceId: "i-05bd72db3d5678c23" InternalIp: "10.231.16.188" KubernetesCluster: "lw" LwTokenShort: "2e568b3b9a3c5de63116422e41fccc" Name: "prod-node.lw" Owner: "lacework" SubnetId: "subnet-0a83c026ef1437f0e" VmInstanceType: "m5.large" VmProvider: "AWS" VpcId: "vpc-0df6f5ed0cd993ff2" WavefrontProxy: "wavefront-proxy.kube-system.svc.cluster.local" Zone: "us-west-2a" arch: "amd64" aws:autoscaling:groupName: "lw-cluster-123" cluster: "eks-lw" environment: "prod" kubernetes.io/cluster/prod: "owned" lw_KubernetesCluster: "prod" os: "linux" role: "default" - agentVersion: "5.5.0-6ecefc7f" createdTime: "2022-04-26T11:34:58.316Z" hostname: "ip-10-231-168-119.us-west-2.compute.internal" ipAddr: "10.231.168.119" lastUpdate: "2022-04-28 11:05:58.317 -0700" mid: 85282 mode: "ebpf" os: "Linux" status: "INACTIVE" tags: Account: "239656771685" AmiId: "ami-03b6ddb2869abcd51" Env: "lw" ExternalIp: "" Hostname: "ip-10-231-168-119.us-west-2.compute.internal" InstanceId: "i-06f6569862686630e" InternalIp: "10.231.168.119" KubernetesCluster: "lw" LwTokenShort: "2e568b3b9a3c5de63116422e51fccc" Name: "on-demand.prod.lw" SubnetId: "subnet-0b2a51e40b1a0bde8" VmInstanceType: "r5.xlarge" VmProvider: "AWS" VpcId: "vpc-0df6f8ed0cd993ff2" Zone: "us-west-2c" arch: "amd64" cluster: "eks-lw" environment: "prod" kubernetes.io/cluster/prod: "owned" lw-role: "on-demand" lw_KubernetesCluster: "prod" os: "linux" spotinst:accountId: "act-b0b9eea2" spotinst:aws:ec2:group:createdBy: "spotinst" spotinst:aws:ec2:group:id: "oesg-9a6dca03" spotinst:aws:ec2:group:name: "Spotinst::Ocean::prod" spotinst:ocean:launchspec:id: "ols-fad9bf81" spotinst:ocean:launchspec:name: "on-demand" responseInventoryScanStatus_Response_Schema: description: "No Error (Scan status)" content: application/json: schema: type: "object" properties: data: type: "object" properties: status: type: "string" details: type: "string" examples: Available: value: data: status: "available" details: "Scan is available" Scanning: value: data: status: "scanning" details: "Scan is in progress" Pending: value: data: status: "pending" details: "Scan recently completed within an hour" responseInventoryList_Response_Schema: description: "No Error (List of Inventory)" content: application/json: schema: properties: paging: $ref: "#/components/schemas/Paging_Schema" data: description: "For details about what cloud resource information is\ \ available, see [CLOUD_CONFIGURATION_V View](https://docs.fortinet.com/document/lacework-forticnapp/latest/administration-guide/479324/cloud-configuration-v-view)." type: "array" items: $ref: "#/components/schemas/Inventory_Response_Schema" example: paging: rows: 5000 totalRows: 78623 urls: nextPage: "https://YourLacework.lacework.net/api/v2/Inventory/AbcdEfgh123..." data: - apiKey: "describe-db-subnet-groups" cloudDetails: accountAlias: "abc-prod-account" accountID: "631668038012" csp: "AWS" endTime: "2022-04-28T04:00:00.000Z" resourceConfig: AmiLaunchIndex: 0 Architecture: "x86_64" BlockDeviceMappings: - DeviceName: "/dev/sda1" Ebs: AttachTime: "2019-10-13T18:27:30.000Z" DeleteOnTermination: true Status: "attached" VolumeId: "vol-05620dfe2b7fcc0d6" CapacityReservationSpecification: CapacityReservationPreference: "open" ClientToken: "" CpuOptions: CoreCount: 1 ThreadsPerCore: 1 EbsOptimized: false EnaSupport: true EnclaveOptions: Enabled: false HibernationOptions: Configured: false Hypervisor: "xen" ImageId: "ami-06d31e91cea0dac8d" InstanceId: "i-011a36c1169995c86" InstanceType: "t2.micro" KeyName: "test1" LaunchTime: "2019-10-13T18:27:29.000Z" MetadataOptions: HttpEndpoint: "enabled" HttpProtocolIpv6: "disabled" HttpPutResponseHopLimit: 1 HttpTokens: "optional" State: "applied" Monitoring: State: "disabled" NetworkInterfaces: - Attachment: AttachTime: "2019-10-13T18:27:29.000Z" AttachmentId: "eni-attach-02c2609c0fe4758a0" DeleteOnTermination: true DeviceIndex: 0 NetworkCardIndex: 0 Status: "attached" Description": "" Groups: - GroupId: "sg-0dee9782b9ba32717" GroupName: "launch-wizard-23" InterfaceType: "interface" Ipv6Addresses: [] MacAddress: "06:8e:88:e8:50:2e" NetworkInterfaceId: "eni-054e319950b404c1e" OwnerId: "631664038012" PrivateDnsName: "ip-172-31-40-205.us-west-2.compute.internal" PrivateIpAddress: "172.31.40.205" PrivateIpAddresses: - Primary: true PrivateDnsName: "ip-172-31-40-205.us-west-2.compute.internal" PrivateIpAddress: "172.31.40.205" SourceDestCheck": true Status: "in-use" SubnetId: "subnet-c592d68e" VpcId: "vpc-39c60f41" Placement: AvailabilityZone: "us-west-2a" GroupName: "" Tenancy: "default" PlatformDetails: "Linux/UNIX" PrivateDnsName: "ip-172-31-20-205.us-west-2.compute.internal" PrivateIpAddress: "172.31.20.205" ProductCodes: [] PublicDnsName: "" RootDeviceName: "/dev/sda1" RootDeviceType: "ebs" SecurityGroups: - GroupId: "sg-0dee9774b9ba32717" GroupName: "launch-wizard-23" SourceDestCheck: true State: Code: 80 Name: "stopped" StateReason: Code: "Server.ScheduledStop" Message: "Server.ScheduledStop: Stopped due to scheduled retirement" StateTransitionReason: "Server.InternalError" SubnetId: "subnet-c592d68e" UsageOperation: "RunInstances" UsageOperationUpdateTime: "2019-10-13T18:27:29.000Z" VirtualizationType: "hvm" VpcId: "vpc-39c60f41" resourceId: "i-011a76c1169995c76" resourceRegion: "us-west-2" resourceTags: KubernetesCluster: "auto-02272022-160719-prod.k8s.local" Name: "a.etcd-main.auto-02272022-160719-prod.k8s.local" k8s.io/etcd/main: "a/a" k8s.io/role/master: "1" kubernetes.io/cluster/auto-02272022-160719-prod.k8s.local: "owned" resourceType: "ec2:instance" service: "ec2" startTime: "2022-04-28T03:00:00.000Z" status: formatVersion: 2 props: {} status: "success" urn: "arn:aws:ec2:us-west-2:631664038012:instance/i-011a76c1169995c76" - apiKey: "describe-account-attributes" cloudDetails: accountAlias: "abc-prod-account" accountID: "631668038012" csp: "AWS" endTime: "2022-04-28T04:00:00.000Z" resourceConfig: AmiLaunchIndex: 0 Architecture: "x86_64" BlockDeviceMappings: - DeviceName: "/dev/sda1" Ebs: AttachTime: "2019-10-13T18:27:30.000Z" DeleteOnTermination: true Status: "attached" VolumeId: "vol-05620dfe2b7fcc0d6" CapacityReservationSpecification: null CapacityReservationPreference: "open" ClientToken: "" CpuOptions: CoreCount: 1 ThreadsPerCore: 1 EbsOptimized: false EnaSupport: true EnclaveOptions: Enabled: false HibernationOptions: Configured: false Hypervisor: "xen" ImageId: "ami-06d31e91cea0dac8d" InstanceId: "i-011a36c1169995c86" InstanceType: "t2.micro" KeyName: "test1" LaunchTime: "2019-10-13T18:27:29.000Z" MetadataOptions: HttpEndpoint: "enabled" HttpProtocolIpv6: "disabled" HttpPutResponseHopLimit: 1 HttpTokens: "optional" State: "applied" Monitoring: State: "disabled" NetworkInterfaces: - Attachment: AttachTime: "2019-10-13T18:27:29.000Z" AttachmentId: "eni-attach-02c2609c0fe4758a0" DeleteOnTermination: true DeviceIndex: 0 NetworkCardIndex: 0 Status: "attached" Description": "" Groups: - GroupId: "sg-0dee9782b9ba32717" GroupName: "launch-wizard-23" InterfaceType: "interface" Ipv6Addresses: [] MacAddress: "06:8e:88:e8:50:2e" NetworkInterfaceId: "eni-054e319950b404c1e" OwnerId: "631664038012" PrivateDnsName: "ip-172-31-40-205.us-west-2.compute.internal" PrivateIpAddress: "172.31.40.205" PrivateIpAddresses: - Primary: true PrivateDnsName: "ip-172-31-40-205.us-west-2.compute.internal" PrivateIpAddress: "172.31.40.205" SourceDestCheck": true Status: "in-use" SubnetId: "subnet-c592d68e" VpcId: "vpc-39c60f41" Placement: AvailabilityZone: "us-west-2a" GroupName: "" Tenancy: "default" PlatformDetails: "Linux/UNIX" PrivateDnsName: "ip-172-31-20-205.us-west-2.compute.internal" PrivateIpAddress: "172.31.20.205" ProductCodes: [] PublicDnsName: "" RootDeviceName: "/dev/sda1" RootDeviceType: "ebs" SecurityGroups: - GroupId: "sg-0dee9774b9ba32717" GroupName: "launch-wizard-23" SourceDestCheck: true State: Code: 80 Name: "stopped" StateReason: Code: "Server.ScheduledStop" Message: "Server.ScheduledStop: Stopped due to scheduled retirement" StateTransitionReason: "Server.InternalError" SubnetId: "subnet-c592d68e" UsageOperation: "RunInstances" UsageOperationUpdateTime: "2019-10-13T18:27:29.000Z" VirtualizationType: "hvm" VpcId: "vpc-39c60f41" resourceId: "i-011a76c1169995c76" resourceRegion: "us-west-2" resourceTags: {} resourceType: "ec2:instance" service: "ec2" startTime: "2022-04-28T03:00:00.000Z" status: formatVersion: 2 props: {} status: "success" urn: "arn:aws:ec2:us-west-2:631664038012:instance/i-011a76c1169995c76" responseDataExportRules_Response_Schema: description: "No Error" content: application/json: schema: properties: data: $ref: "#/components/schemas/DataExportRules_Response_Schema" example: data: mcGuid: "QA42F6C8_97..." filters: name: "Default Data Export Rule" createdOrUpdatedBy: "user@example.com" createdOrUpdatedTime: "2020-02-18T16:52:57.726Z" enabled: 1 profileVersions: - "V1" intgGuidList: - "QA402035_66..." type: "Dataexport" responseDataExportRulesList_Response_Schema: description: "No Error (List of DataExportRules)" content: application/json: schema: properties: data: type: "array" items: $ref: "#/components/schemas/DataExportRules_Response_Schema" example: data: - mcGuid: "QA42F6C8_83..." filters: name: "LW Data Export Rule 1" createdOrUpdatedBy: "info@example.com" createdOrUpdatedTime: "2021-01-12T23:16:08.418Z" enabled: 1 profileVersions: - "V1" intgGuidList: - "QA402035_32..." type: "Dataexport" - mcGuid: "QA42F6C8_88..." filters: name: "LW Data Export Rule 2" createdOrUpdatedBy: "info@example.com" createdOrUpdatedTime: "2021-01-12T23:18:08.418Z" enabled: 1 profileVersions: - "V1" intgGuidList: - "QA402035_33..." type: "Dataexport" responseReportsList_Response_Schema: description: "No Error (List of Reports)" content: application/json: schema: properties: data: type: "array" items: $ref: "#/components/schemas/Reports_Response_Schema" example: data: - reportType: "AWS CIS Benchmark and S3" reportTitle: "AWS CIS Benchmark and S3" recommendations: - ACCOUNT_ID: "24903813429804" ACCOUNT_ALIAS: "aws-account" START_TIME: 1648833313141 SUPPRESSIONS: - "suppressions" INFO_LINK: "https://info-link.net/info/link" ASSESSED_RESOURCE_COUNT: 627 STATUS: "NonCompliant" REC_ID: "LW_S3_1" CATEGORY: "S3" SERVICE: "aws:s3" TITLE: "Ensure the S3 bucket ACL does not grant 'Everyone' READ permission\ \ [list S3 objects]" VIOLATIONS: - reasons: - "ReadAccessGranted" resource: "arn:aws:s3:::eco-s3-acl-aws" - reasons: - "ReadAccessGranted" resource: "arn:aws:s3:::ecosystem-s3-acl-aws" RESOURCE_COUNT: 632 SEVERITY: 1 summary: - NUM_RECOMMENDATIONS: 160 NUM_SEVERITY_2_NON_COMPLIANCE: 60 NUM_SEVERITY_4_NON_COMPLIANCE: 4 NUM_SEVERITY_1_NON_COMPLIANCE: 23 NUM_COMPLIANT: 35 NUM_SEVERITY_3_NON_COMPLIANCE: 18 ASSESSED_RESOURCE_COUNT: 88129 NUM_SUPPRESSED: 0 NUM_SEVERITY_5_NON_COMPLIANCE: 1 NUM_NOT_COMPLIANT: 106 VIOLATED_RESOURCE_COUNT: 15823 SUPPRESSED_RESOURCE_COUNT: 0 accountId: "24903813429804" accountAlias: "aws-account" reportTime: "2022-04-01T17:15:13.141Z" responseTeamUsers_Response_Schema: description: "No Error" content: application/json: schema: properties: data: $ref: "#/components/schemas/TeamUsers_Response_Schema" examples: StandardUser: value: data: name: "Support" company: "LW" email: "user@example.com" userGuid: "LWXYZ..." userEnabled: 1 type: "StandardUser" userGroups: - userGroupGuid: "BCFKL_1233245" userGroupName: "User group name" lastLoginTime: 1234567891011 orgAccess: "NO_ORG_ACCESS" ServiceUser: value: data: name: "Support" description: "Some description" userGuid: "LWXYZ..." userEnabled: 1 serviceUserId: "dsfldsfask3dj334j" apiKeys: - createdDate: "Feb 03 2023 01:57" keyId: "KSJKJD_DK333..." createdUser: "Support User" status: "Active" userGroups: - userGroupGuid: "ABC_12345" userGroupName: "User group name" type: "ServiceUser" lastLoginTime: 1234567891011 orgAccess: "NO_ORG_ACCESS" responseTeamUsersList_Response_Schema: description: "No Error (List of Team Users)" content: application/json: schema: properties: data: type: "array" items: $ref: "#/components/schemas/TeamUsers_Response_Schema" example: data: - name: "Support 1" company: "LW" email: "user1@example.com" userGuid: "LWXYZ..." userEnabled: 1 type: "StandardUser" userGroups: - userGroupGuid: "FLKDJF_23423" userGroupName: "Admin" lastLoginTime: 1234567891011 orgAccess: "NO_ORG_ACCESS" - name: "Support 2" description: "Some description" userGuid: "LWXYZ..." userEnabled: 1 serviceUserId: "dsfldsfask3dj334j" apiKeys: - createdDate: "Feb 03 2023 01:57" keyId: "KSJKJD_DK333..." createdUser: "Support User" status: "Active" userGroups: - userGroupGuid: "ABC_12345" userGroupName: "User group name" type: "ServiceUser" lastLoginTime: 1234567891011 orgAccess: "NO_ORG_ACCESS" responseUserGroups_AddUsers_Response_Schema: description: "No Error" content: application/json: schema: properties: data: $ref: "#/components/schemas/UserGroups_AddUsers_Response_Schema" example: data: userGuids: - "fskdjfsdk..." userGroupGuid: "group43p2fspfos..." responseUserGroups_Response_Schema: description: "No Error" content: application/json: schema: properties: data: $ref: "#/components/schemas/UserGroups_Response_Schema" example: "" responseUserGroupsList_Response_Schema: description: "No Error (List of User Groups)" content: application/json: schema: properties: data: type: "array" items: $ref: "#/components/schemas/UserGroups_Response_Schema" example: data: userGuids: - "fskdjfsdk..." userGroupGuid: "group43p2fspfos..." responseReports_Response_Schema: description: "No Error" content: application/json: schema: properties: data: $ref: "#/components/schemas/Reports_Response_Schema" example: "" responseVulnerabilities_ImageSummaryList_Response_Schema: description: "No Error (List of Vulnerabilities_ImageSummary)" content: application/json: schema: properties: paging: $ref: "#/components/schemas/Paging_Schema" data: type: "array" items: $ref: "#/components/schemas/Vulnerabilities_ImageSummary_Response_Schema" example: "TBA (change 'example' to 'examples' for multiple examples)" responseResourceGroups_Response_Schema: description: "No Error" content: application/json: schema: properties: data: $ref: "#/components/schemas/ResourceGroups_Response_Schema" example: data: - resourceGroupGuid: "LW_ABC..." name: "AWS Resource Group" query: filters: filter1: field: "Resource Tag" operation: "EQUALS" values: - "*" key: "HOST" filter2: field": "Region" operation: "EQUALS" values: - "*" expression: operator: "OR" children: - filterName: "filter1" - filterName: "filter2" guid: "LW_XYZ..." createdTime: "2024-10-23T18:03:51.639Z" createdBy: "abc@xyz.com" updatedTime: "2024-10-23T18:03:51.639Z" updatedBy: "abc@xyz.com" resourceType: "AWS" enabled: 1 isDefaultBoolean: false responseResourceGroupsList_Response_Schema: description: "No Error (List of ResourceGroups)" content: application/json: schema: properties: data: type: "array" items: $ref: "#/components/schemas/ResourceGroups_Response_Schema" example: data: - resourceGroupGuid: "LW_ABC..." name: "AWS Resource Group" query: filters: filter1: field: "Resource Tag" operation: "EQUALS" values: - "*" key: "HOST" filter2: field": "Region" operation: "EQUALS" values: - "*" expression: operator: "OR" children: - filterName: "filter1" - filterName: "filter2" guid: "LW_XYZ..." createdTime: "2024-10-23T18:03:51.639Z" createdBy: "abc@xyz.com" updatedTime: "2024-10-23T18:03:51.639Z" updatedBy: "abc@xyz.com" resourceType: "AWS" enabled: 1 isDefaultBoolean: false - resourceGroupGuid: "LW_ABC..." name: "AWS Resource Group" query: filters: filter1: field: "Resource Tag" operation: "EQUALS" values: - "*" key: "HOST" filter2: field": "Region" operation: "EQUALS" values: - "*" expression: operator: "OR" children: - filterName: "filter1" - filterName: "filter2" guid: "LW_XYZ..." createdTime: "2024-10-23T18:03:51.639Z" createdBy: "abc@xyz.com" updatedTime: "2024-10-23T18:03:51.639Z" updatedBy: "abc@xyz.com" resourceType: "AWS" enabled: 1 isDefaultBoolean: false responseVulnerabilityObservations_HostsList_Response_Schema: description: "No Error (List of VulnerabilityObservations_Hosts)" content: application/json: schema: properties: paging: $ref: "#/components/schemas/Paging_Schema" data: type: "array" items: $ref: "#/components/schemas/VulnerabilityObservations_Hosts_Response_Schema" example: paging: rows: 5000 totalRows: 209082 urls: nextPage: "https://YourLacework.lacework.net/api/v2/VulnerabilityObservations/Hosts/ZmVlYjA2YmQtMzBkOS00OGI3LTg4MjctZjgyNmJmMjg2ZWNiLDUwMDAsNTAwMDAwLDA" data: - accountAlias: "sgm-test" accountId: "phonic-jetty-391416" agentlessLastDiscoveredTime: "2025-01-27T16:00:00Z" avdEnabled: 0 cloudProvider: "GCP" coverageType: "Agentless" cvssAttackComplexity: "Low" cvssAttackVector: "Network" cvssAvailability: "High" cvssConfidentiality: "High" cvssImpactScore: 6 cvssIntegrity: "High" cvssPrivilegesRequired: "None" cvssScope: "None" cvssScore: 10 cvssUserInteraction: "None" cvssVectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" cvssVersion: "3.1" externalIp: "" fixable: false hostFirstDiscoveredTime: "2024-10-22T16:00:00Z" hostLastDiscoveredTime: "2025-01-27T16:00:00Z" hostLastEvalTime: "2025-01-27T16:00:00Z" hostMachineId: "1026950228410111150" hostName: "l4-xlb-targetpool-target-instance" hostRiskScore: 10 internalIp: "10.142.0.7" internetExposed: true internetExposedLastUpdated: 1737993600000 machineImage: "" machineStatus: "Launched" machineTags: Account: "phonic-jetty-391416" AmiId: "" ExternalIp: "" Hostname: "l4-xlb-targetpool-target-instance" InstanceId: "2958770005172974878" InternalIp: "10.142.0.7" LaunchTime: "2023-07-31T07:57:54.629-07:00" MachineGuid: "4C57015E-003F-5224-8C62-54DD8F48D1F7" OrganizationId: "" ProjectId: "phonic-jetty-391416" ProjectName: "sgm-test" State: "running" VmInstanceType: "e2-micro" VmProvider: "GCP" VpcId: "phonic-jetty-391416/global/networks/vcp-network" Zone: "us-east1" lw_InternetExposure: "Yes" lw_InternetExposureLastUpdated: "1737993600000" observationFirstDiscoveredTime: "2025-01-12T16:00:00Z" observationFixedTime: "2035-12-31T23:59:59.999Z" observationLastDiscoveredTime: "2025-01-27T16:00:00Z" observationStatus: "Active" observationStatusCategory: "Vulnerable" observationVulnerableSinceTime: "2025-01-12T16:00:00Z" organizationId: "" osName: "Debian GNU/Linux" osNamespace: "debian:12" osOutOfDate: false osRebootRequired: false osType: "Linux" osUpdatesDisabled: false osVersion: "12 (bookworm)" packageName: "glib2.0" packageNamespace: "debian:12" packagePath: "var/lib/dpkg/status" packageStatus: "N/A" packageVersion: "2.74.6-2+deb12u5" publicFacing: false severity: "Critical" vulnId: "CVE-2024-52533" vulnLink: "https://security-tracker.debian.org/tracker/CVE-2024-52533" vulnPublicExploitAvailable: false zone: "us-east1" responseVulnerabilityObservations_ImagesList_Response_Schema: description: "No Error (List of VulnerabilityObservations_Images)" content: application/json: schema: properties: paging: $ref: "#/components/schemas/Paging_Schema" data: type: "array" items: $ref: "#/components/schemas/VulnerabilityObservations_Images_Response_Schema" example: paging: rows: 5000 totalRows: 11668 urls: nextPage: "https://YourLacework.lacework.net/api/v2/VulnerabilityObservations/Images/ZTJjMzM0OTgtOTIwZi00N2MzLWE3ZmEtOTBmZjU2MWUxYzU3LDUwMDAsNTAwMDAwLDA" data: - activeContainerCount: 0 cvssAttackComplexity: "Low" cvssAttackVector: "Network" cvssAvailability: "High" cvssConfidentiality: "High" cvssImpactScore: 6 cvssIntegrity: "High" cvssPrivilegesRequired: "None" cvssScope: "None" cvssScore: 10 cvssUserInteraction: "None" cvssVectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" cvssVersion: "3.1" fixable: true fixVersion: "1.3.2" hasActiveContainers: false hasAvdEnabledContainers: false imageDigests: [] imageFirstDiscoveredTime: "2024-09-07T20:00:00Z" imageId: "sha256:68f10e4d54fe1b42d7f22b9751977344aa798aa9c16d5c14baf69568e9e1662a" imageLastDiscoveredTime: "2024-10-30T18:00:00Z" imageLastScanTime: "2024-10-30T18:00:00Z" imageLatestScanSuccessful: false imageNames: [] imageRegistries: [] imageRepositories: [] imageRequestSources: [] imageRiskScore: 8 imageScanStatus: "Unscanned" observationFirstDiscoveredTime: "2024-10-23T18:01:27.292Z" observationFixedTime: "2035-12-31T23:59:59.999Z" observationLastDiscoveredTime: "2024-10-23T18:02:22.681Z" observationStatus: "Active" observationStatusCategory: "Vulnerable" observationVulnerableSinceTime: "2024-10-23T18:01:27.292Z" packageName: "mixin-deep" packageNamespace: "npm" packagePath: "usr/local/lib/node_modules/npm/node_modules/psl/yarn.lock" packageStatus: "N/A" packageVersion: "1.3.1" severity: "Critical" vulnId: "CVE-2019-10746" vulnLink: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10746" vulnPublicExploitAvailable: false responseVulnerabilityObservations_ImageSummaryList_Response_Schema: description: "No Error (List of VulnerabilityObservations_ImageSummary)" content: application/json: schema: properties: paging: $ref: "#/components/schemas/Paging_Schema" data: type: "array" items: $ref: "#/components/schemas/VulnerabilityObservations_ImageSummary_Response_Schema" example: "TBA (change 'example' to 'examples' for multiple examples)" responseReportConfigurations_Response_Schema: description: "No Error" content: application/json: schema: properties: data: $ref: "#/components/schemas/ReportConfigurations_Response_Schema" example: data: reportConfigGuid: "500A52B5" name: "report configuration name" format: "pdf" type: "Compliance" templateGuid: "20057328359ED9B98AB29BB418C1D1A48FFDC656FBF0BAF4802581C1" userGroupGuid: "LACEWORK_USER_GROUP_ADMIN" frequency: "daily" createdBy: "user@example.com" createdTime: "2023-12-05T19:04:02.812Z" updatedTime: "2023-12-07T09:52:05.273Z" updatedBy: "user@example.com" enabled: 1 alertChannels: - "CUST_51754A55353841C2A747043EFCD33FEFDAE01B9A5F77679" resourceGroups: - "CUST_A2E816D4E892AAB8743B72B14DCE8BC724E5345650009AC" filters: severities: - "critical" - "high" - "medium" - "low" - "info" violations: - "NonCompliant" - "Compliant" - "Suppressed" - "Manual" - "CouldNotAssess" responseReportConfigurationsList_Response_Schema: description: "No Error (List of ReportConfigurations)" content: application/json: schema: properties: data: type: "array" items: $ref: "#/components/schemas/ReportConfigurations_Response_Schema" example: data: - reportConfigGuid: "500A52B5" name: "report configuration 1" format: "pdf" type: "Compliance" templateGuid: "20057328359ED9B98AB29BB418C1D1A48FFDC656FBF0BAF4802581C1" userGroupGuid: "LACEWORK_USER_GROUP_ADMIN" frequency: "daily" createdBy: "user@example.com" createdTime: "2023-12-05T19:04:02.812Z" updatedTime: "2023-12-07T09:52:05.273Z" updatedBy: "user@example.com" enabled: 1 alertChannels: - "CUST_51754A55353841C2A747043EFCD33FEFDAE01B9A5F77679" resourceGroups: - "CUST_A2E816D4E892AAB8743B72B14DCE8BC724E5345650009AC" filters: severities: - "critical" - "high" violations: - "NonCompliant" - reportConfigGuid: "500A52B5" name: "report configuration 2" format: "pdf" type: "Compliance" templateGuid: "20057328359ED9B98AB29BB418C1D1A48FFDC656FBF0BAF4802581C1" userGroupGuid: "LACEWORK_USER_GROUP_ADMIN" frequency: "weekly" createdBy: "user@example.com" createdTime: "2023-12-05T19:04:02.812Z" updatedTime: "2023-12-07T09:52:05.273Z" updatedBy: "user@example.com" enabled: 1 alertChannels: - "CUST_51754A55353841C2A747043EFCD33FEFDAE01B9A5F77679" resourceGroups: - "CUST_A2E816D4E892AAB8743B72B14DCE8BC724E5345650009AC" filters: severities: - "medium" - "low" - "info" violations: - "NonCompliant" - "Compliant" - "Suppressed" - "Manual" - "CouldNotAssess"