# SOS Findings Events
The SOS Findings Events connector automates incident response and findings management tasks within the SOS Findings Events platform. SOS Findings Events is a security automation platform designed to improve incident management and response. By integrating with Swimlane Turbine, users can enrich findings, associate incidents, and manage security events without manual intervention. The connector streamlines capturing telemetry, correlating data, and executing actions within the security ecosystem, improving operational efficiency and threat mitigation for end users.

## Prerequisites

None.

## Actions

### Enrichment Finding

Enriches a specific finding with additional context and details in SOS Findings Events, requiring an 'Enrichment Finding' input.

**Endpoint Method:** GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| enrichment_finding | object | required | Parameter for Enrichment Finding. |
| activity_name | string | required | The event activity name, as defined by the activity_id. |
| attacks | array | optional | The Attack object describes the technique and associated tactics as defined by [ATT&CK Matrix™](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| tactics | array | required | A list of tactic IDs/names that are associated with the attack technique, as defined by [ATT&CK Matrix™](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| name | string | optional | The tactic name that is associated with the attack technique, as defined by [ATT&CK Matrix™](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| uid | string | required | The tactic ID that is associated with the attack technique, as defined by [ATT&CK Matrix™](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| technique | object | required | The attack technique. |
| name | string | optional | The name of the attack technique, as defined by [ATT&CK Matrix™](https://attack.mitre.org/wiki/ATT&CK_Matrix). For example: Drive-by Compromise. |
| uid | string | required | The unique identifier of the attack technique, as defined by [ATT&CK Matrix™](https://attack.mitre.org/wiki/ATT&CK_Matrix). For example: T1189. |
| version | string | required | The ATT&CK Matrix version. |
| cloud | object | optional | Describes details about the cloud environment where the event was originally created or logged. |
| account_name | string | optional | The name of the account (e.g. AWS Account Name). |
| account_type | string | optional | The user account type, as defined by the event source. |
| account_uid | string | optional | The unique identifier of the account (e.g. AWS Account ID). |
| org_uid | string | optional | The unique identifier of the organization to which the user belongs. For example, Active Directory or AWS Org ID. |
| project_uid | string | optional | Cloud project identifier. |
| provider | string | required | The unique name of the cloud services provider, such as AWS, MS Azure, GCP, etc. |
| region | string | optional | The name of the cloud region, as defined by the cloud provider. |
| resource_uid | string | optional | The unique identifier of a cloud resource. For example, S3 bucket name, EC2 instance ID. |
| zone | string | optional | The availability zone in the cloud region, as defined by the cloud provider. |
| compliance | object | optional | The Compliance object provides context to compliance findings (e.g., a check against a specific regulatory or best practice framework such as CIS or NIST) and contains compliance related details. |
| requirements | array | optional | A list of applicable compliance requirements to which this finding relates. |
| status | string | optional | The event status, as reported by the event source. |
| status_detail | string | optional | The status details contain additional information about the event outcome. |
| confidence | integer | optional | The confidence of the reported event severity as a percentage: 0%-100%. |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| activity_name | string | The event activity name, as defined by the activity_id. |
| attacks | array | The Attack object describes the technique and associated tactics as defined by [ATT&CK Matrix™](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| tactics | array | A list of tactic IDs/names that are associated with the attack technique, as defined by [ATT&CK Matrix™](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| name | string | The tactic name that is associated with the attack technique, as defined by [ATT&CK Matrix™](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| uid | string | The tactic ID that is associated with the attack technique, as defined by [ATT&CK Matrix™](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| technique | object | The attack technique. |
| name | string | The name of the attack technique, as defined by [ATT&CK Matrix™](https://attack.mitre.org/wiki/ATT&CK_Matrix). For example: Drive-by Compromise. |
| uid | string | The unique identifier of the attack technique, as defined by [ATT&CK Matrix™](https://attack.mitre.org/wiki/ATT&CK_Matrix). For example: T1189. |
| version | string | The ATT&CK Matrix version. |
| category_name | string | The event category name, as defined by category_uid value: Findings. |
| class_name | string | The event class name, as defined by class_uid value: Enrichment Finding. |
| cloud | object | Describes details about the cloud environment where the event was originally created or logged. |
| account_name | string | The name of the account (e.g. AWS Account Name). |
| account_type | string | The user account type, as defined by the event source. |
| account_uid | string | The unique identifier of the account (e.g. AWS Account ID). |
| org_uid | string | The unique identifier of the organization to which the user belongs. For example, Active Directory or AWS Org ID. |
| project_uid | string | Cloud project identifier. |
| provider | string | The unique name of the cloud services provider, such as AWS, MS Azure, GCP, etc. |
| region | string | The name of the cloud region, as defined by the cloud provider. |
| resource_uid | string | The unique identifier of a cloud resource. For example, S3 bucket name, EC2 instance ID. |
| zone | string | The availability zone in the cloud region, as defined by the cloud provider. |
| compliance | object | The Compliance object provides context to compliance findings (e.g., a check against a specific regulatory or best practice framework such as CIS or NIST) and contains compliance related details. |
| requirements | array | A list of applicable compliance requirements to which this finding relates. |
| status | string | The event status, as reported by the event source. |
| status_detail | string | The status details contain additional information about the event outcome. |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "activity_name": "string",
    "attacks": [],
    "category_name": "string",
    "class_name": "string",
    "cloud": {
      "account_name": "Example Name",
      "account_type": "string",
      "account_uid": "string",
      "org_uid": "string",
      "project_uid": "string",
      "provider": "string",
      "region": "string",
      "resource_uid": "string",
      "zone": "string"
    },
    "compliance": {
      "requirements": [],
      "status": "active",
      "status_detail": "active"
    },
    "confidence": 123,
    "finding": {
      "created_time_dt": "string",
      "desc": "string",
      "first_seen_time_dt": "string",
      "last_seen_time_dt": "string",
      "log_sources": [],
      "modified_time_dt": "string",
      "product_uid": "string",
      "related_events": {},
      "remediation": {},
      "rules": [],
      "src_url": "string",
      "supporting_data": [],
      "title": "string",
      "types": [],
      "uid": "string"
    },
    "malware": [],
    "metadata": {
      "correlation_uid": "string",
      "labels": [],
      "logged_time_dt": "string",
      "modified_time_dt": "string",
      "original_time": "string",
      "processed_time_dt": "string",
      "product": {},
      "profiles": [],
      "sequence": 123,
      "uid": "string",
      "version": "string"
    },
    "observables": [],
    "organization": {
      "data": {},
      "name": "Example Name",
      "sectors": [],
      "uid": "string"
    }
  }
]
```

### Incident Associate

Associates a specified entity with an incident in SOS Findings Events using the 'Incident Associate' input.

**Endpoint Method:** GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| incident_associate | object | required | Unique identifier. |
| activity_name | string | required | The event activity name, as defined by the activity_id. |
| cloud | object | optional | Describes details about the cloud environment where the event was originally created or logged. |
| account_name | string | optional | The name of the account (e.g. AWS Account Name). |
| account_type | string | optional | The user account type, as defined by the event source. |
| account_uid | string | optional | The unique identifier of the account (e.g. AWS Account ID). |
| org_uid | string | optional | The unique identifier of the organization to which the user belongs. For example, Active Directory or AWS Org ID. |
| project_uid | string | optional | Cloud project identifier. |
| provider | string | required | The unique name of the cloud services provider, such as AWS, MS Azure, GCP, etc. |
| region | string | optional | The name of the cloud region, as defined by the cloud provider. |
| resource_uid | string | optional | The unique identifier of a cloud resource. For example, S3 bucket name, EC2 instance ID. |
| zone | string | optional | The availability zone in the cloud region, as defined by the cloud provider. |
| confidence | integer | optional | The confidence of the reported event severity as a percentage: 0%-100%. |
| correlation_uid | string | required | The identifier of the event that is associated with the incident. |
| count | integer | optional | The number of times that events in the same logical group occurred during the event start_time to end_time period. |
| data | object | optional | Additional data that is associated with the event. |
| duration | integer | optional | The event duration or aggregate time: the amount of time the event covers from start_time to end_time in milliseconds. |
| end_time_dt | string | optional | The end time of a time period, or the time of the most recent event included in the aggregate event. |
| enrichments | array | optional | The additional information from an external data source, which is associated with the event. For example, add location information for the IP address in the DNS answers: `[{"name": "answers.ip", "value": "92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent": "Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc": "Yemen"}}]` |
| data | object | required | The enrichment data associated with the attribute and value. The meaning of this data depends on the type of the enrichment record. |
| name | string | optional | The name of the attribute to which the enriched data pertains. |
| provider | string | optional | The enrichment data provider name. |
| type | string | optional | The enrichment type. For example: location. |
| value | object | optional | The value of the attribute to which the enriched data pertains. |
| incident_uid | string | required | The incident unique identifier. |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| activity_name | string | The event activity name, as defined by the activity_id. |
| category_name | string | The event category name, as defined by category_uid value: Findings. |
| class_name | string | The event class name, as defined by class_uid value: Incident Associate. |
| cloud | object | Describes details about the cloud environment where the event was originally created or logged. |
| account_name | string | The name of the account (e.g. AWS Account Name). |
| account_type | string | The user account type, as defined by the event source. |
| account_uid | string | The unique identifier of the account (e.g. AWS Account ID). |
| org_uid | string | The unique identifier of the organization to which the user belongs. For example, Active Directory or AWS Org ID. |
| project_uid | string | Cloud project identifier. |
| provider | string | The unique name of the cloud services provider, such as AWS, MS Azure, GCP, etc. |
| region | string | The name of the cloud region, as defined by the cloud provider. |
| resource_uid | string | The unique identifier of a cloud resource. For example, S3 bucket name, EC2 instance ID. |
| zone | string | The availability zone in the cloud region, as defined by the cloud provider. |
| confidence | integer | The confidence of the reported event severity as a percentage: 0%-100%. |
| correlation_uid | string | The identifier of the event that is associated with the incident. |
| count | integer | The number of times that events in the same logical group occurred during the event start_time to end_time period. |
| data | object | Additional data that is associated with the event. |
| duration | integer | The event duration or aggregate time: the amount of time the event covers from start_time to end_time in milliseconds. |
| end_time_dt | string | The end time of a time period, or the time of the most recent event included in the aggregate event. |
| enrichments | array | The additional information from an external data source, which is associated with the event. For example, add location information for the IP address in the DNS answers: `[{"name": "answers.ip", "value": "92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent": "Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc": "Yemen"}}]` |
| data | object | The enrichment data associated with the attribute and value. The meaning of this data depends on the type of the enrichment record. |
| name | string | The name of the attribute to which the enriched data pertains. |
| provider | string | The enrichment data provider name. |
| type | string | The enrichment type. For example: location. |
| value | object | The value of the attribute to which the enriched data pertains. |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "activity_name": "string",
    "category_name": "string",
    "class_name": "string",
    "cloud": {
      "account_name": "Example Name",
      "account_type": "string",
      "account_uid": "string",
      "org_uid": "string",
      "project_uid": "string",
      "provider": "string",
      "region": "string",
      "resource_uid": "string",
      "zone": "string"
    },
    "confidence": 123,
    "correlation_uid": "string",
    "count": 123,
    "data": {},
    "duration": 123,
    "end_time_dt": "string",
    "enrichments": [],
    "incident_uid": "string"
  }
]
```

### Incident Closure

Closes an incident within the SOS Findings Events platform, requiring an 'Incident Close' input.

**Endpoint Method:** GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| incident_close | object | required | Unique identifier. |
| activity_name | string | required | The event activity name, as defined by the activity_id. |
| cloud | object | optional | Describes details about the cloud environment where the event was originally created or logged. |
| account_name | string | optional | The name of the account (e.g. AWS Account Name). |
| account_type | string | optional | The user account type, as defined by the event source. |
| account_uid | string | optional | The unique identifier of the account (e.g. AWS Account ID). |
| org_uid | string | optional | The unique identifier of the organization to which the user belongs. For example, Active Directory or AWS Org ID. |
| project_uid | string | optional | Cloud project identifier. |
| provider | string | required | The unique name of the cloud services provider, such as AWS, MS Azure, GCP, etc. |
| region | string | optional | The name of the cloud region, as defined by the cloud provider. |
| resource_uid | string | optional | The unique identifier of a cloud resource. For example, S3 bucket name, EC2 instance ID. |
| zone | string | optional | The availability zone in the cloud region, as defined by the cloud provider. |
| comment | string | optional | The user provided comment. |
| confidence | integer | optional | The confidence of the reported event severity as a percentage: 0%-100%. |
| count | integer | optional | The number of times that events in the same logical group occurred during the event start_time to end_time period. |
| data | object | optional | Additional data that is associated with the event. |
| duration | integer | optional | The event duration or aggregate time: the amount of time the event covers from start_time to end_time in milliseconds. |
| end_time_dt | string | optional | The end time of a time period, or the time of the most recent event included in the aggregate event. |
| enrichments | array | optional | The additional information from an external data source, which is associated with the event. For example, add location information for the IP address in the DNS answers: `[{"name": "answers.ip", "value": "92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent": "Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc": "Yemen"}}]` |
| data | object | required | The enrichment data associated with the attribute and value. The meaning of this data depends on the type of the enrichment record. |
| name | string | optional | The name of the attribute to which the enriched data pertains. |
| provider | string | optional | The enrichment data provider name. |
| type | string | optional | The enrichment type. For example: location. |
| value | object | optional | The value of the attribute to which the enriched data pertains. |
| incident_uid | string | required | The unique identifier of the incident. |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| activity_name | string | The event activity name, as defined by the activity_id. |
| category_name | string | The event category name, as defined by category_uid value: Findings. |
| class_name | string | The event class name, as defined by class_uid value: Incident Closure. |
| cloud | object | Describes details about the cloud environment where the event was originally created or logged. |
| account_name | string | The name of the account (e.g. AWS Account Name). |
| account_type | string | The user account type, as defined by the event source. |
| account_uid | string | The unique identifier of the account (e.g. AWS Account ID). |
| org_uid | string | The unique identifier of the organization to which the user belongs. For example, Active Directory or AWS Org ID. |
| project_uid | string | Cloud project identifier. |
| provider | string | The unique name of the cloud services provider, such as AWS, MS Azure, GCP, etc. |
| region | string | The name of the cloud region, as defined by the cloud provider. |
| resource_uid | string | The unique identifier of a cloud resource. For example, S3 bucket name, EC2 instance ID. |
| zone | string | The availability zone in the cloud region, as defined by the cloud provider. |
| comment | string | The user provided comment. |
| confidence | integer | The confidence of the reported event severity as a percentage: 0%-100%. |
| count | integer | The number of times that events in the same logical group occurred during the event start_time to end_time period. |
| data | object | Additional data that is associated with the event. |
| duration | integer | The event duration or aggregate time: the amount of time the event covers from start_time to end_time in milliseconds. |
| end_time_dt | string | The end time of a time period, or the time of the most recent event included in the aggregate event. |
| enrichments | array | The additional information from an external data source, which is associated with the event. For example, add location information for the IP address in the DNS answers: `[{"name": "answers.ip", "value": "92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent": "Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc": "Yemen"}}]` |
| data | object | The enrichment data associated with the attribute and value. The meaning of this data depends on the type of the enrichment record. |
| name | string | The name of the attribute to which the enriched data pertains. |
| provider | string | The enrichment data provider name. |
| type | string | The enrichment type. For example: location. |
| value | object | The value of the attribute to which the enriched data pertains. |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "activity_name": "string",
    "category_name": "string",
    "class_name": "string",
    "cloud": {
      "account_name": "Example Name",
      "account_type": "string",
      "account_uid": "string",
      "org_uid": "string",
      "project_uid": "string",
      "provider": "string",
      "region": "string",
      "resource_uid": "string",
      "zone": "string"
    },
    "comment": "string",
    "confidence": 123,
    "count": 123,
    "data": {},
    "duration": 123,
    "end_time_dt": "string",
    "enrichments": [],
    "incident_uid": "string"
  }
]
```

### Incident Creation

Initiates a new incident within SOS Findings Events using the provided incident details.

**Endpoint Method:** GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| incident_create | object | required | Unique identifier. |
| activity_name | string | required | The event activity name, as defined by the activity_id. |
| assignee | string | optional | The name of the user who is assigned to the incident. |
| attacks | array | optional | An array of attacks associated with an event. |
| tactics | array | required | A list of tactic IDs/names that are associated with the attack technique, as defined by [ATT&CK Matrix™](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| name | string | optional | The tactic name that is associated with the attack technique, as defined by [ATT&CK Matrix™](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| uid | string | required | The tactic ID that is associated with the attack technique, as defined by [ATT&CK Matrix™](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| technique | object | required | The attack technique. |
| name | string | optional | The name of the attack technique, as defined by [ATT&CK Matrix™](https://attack.mitre.org/wiki/ATT&CK_Matrix). For example: Drive-by Compromise. |
| uid | string | required | The unique identifier of the attack technique, as defined by [ATT&CK Matrix™](https://attack.mitre.org/wiki/ATT&CK_Matrix). For example: T1189. |
| version | string | required | The ATT&CK Matrix version. |
| cloud | object | optional | Describes details about the cloud environment where the event was originally created or logged. |
| account_name | string | optional | The name of the account (e.g. AWS Account Name). |
| account_type | string | optional | The user account type, as defined by the event source. |
| account_uid | string | optional | The unique identifier of the account (e.g. AWS Account ID). |
| org_uid | string | optional | The unique identifier of the organization to which the user belongs. For example, Active Directory or AWS Org ID. |
| project_uid | string | optional | Cloud project identifier. |
| provider | string | required | The unique name of the cloud services provider, such as AWS, MS Azure, GCP, etc. |
| region | string | optional | The name of the cloud region, as defined by the cloud provider. |
| resource_uid | string | optional | The unique identifier of a cloud resource. For example, S3 bucket name, EC2 instance ID. |
| zone | string | optional | The availability zone in the cloud region, as defined by the cloud provider. |
| comment | string | optional | The user provided comment. |
| confidence | integer | optional | The confidence of the reported event severity as a percentage: 0%-100%. |
| count | integer | optional | The number of times that events in the same logical group occurred during the event start_time to end_time period. |
| creator_name | string | optional | The name of the user who created the incident. |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| activity_name | string | The event activity name, as defined by the activity_id. |
| assignee | string | The name of the user who is assigned to the incident. |
| attacks | array | An array of attacks associated with an event. |
| tactics | array | A list of tactic IDs/names that are associated with the attack technique, as defined by [ATT&CK Matrix™](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| name | string | The tactic name that is associated with the attack technique, as defined by [ATT&CK Matrix™](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| uid | string | The tactic ID that is associated with the attack technique, as defined by [ATT&CK Matrix™](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| technique | object | The attack technique. |
| name | string | The name of the attack technique, as defined by [ATT&CK Matrix™](https://attack.mitre.org/wiki/ATT&CK_Matrix). For example: Drive-by Compromise. |
| uid | string | The unique identifier of the attack technique, as defined by [ATT&CK Matrix™](https://attack.mitre.org/wiki/ATT&CK_Matrix). For example: T1189. |
| version | string | The ATT&CK Matrix version. |
| category_name | string | The event category name, as defined by category_uid value: Findings. |
| class_name | string | The event class name, as defined by class_uid value: Incident Creation. |
| cloud | object | Describes details about the cloud environment where the event was originally created or logged. |
| account_name | string | The name of the account (e.g. AWS Account Name). |
| account_type | string | The user account type, as defined by the event source. |
| account_uid | string | The unique identifier of the account (e.g. AWS Account ID). |
| org_uid | string | The unique identifier of the organization to which the user belongs. For example, Active Directory or AWS Org ID. |
| project_uid | string | Cloud project identifier. |
| provider | string | The unique name of the cloud services provider, such as AWS, MS Azure, GCP, etc. |
| region | string | The name of the cloud region, as defined by the cloud provider. |
| resource_uid | string | The unique identifier of a cloud resource. For example, S3 bucket name, EC2 instance ID. |
| zone | string | The availability zone in the cloud region, as defined by the cloud provider. |
| comment | string | The user provided comment. |
| confidence | integer | The confidence of the reported event severity as a percentage: 0%-100%. |
| count | integer | The number of times that events in the same logical group occurred during the event start_time to end_time period. |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "activity_name": "string",
    "assignee": "string",
    "attacks": [],
    "category_name": "string",
    "class_name": "string",
    "cloud": {
      "account_name": "Example Name",
      "account_type": "string",
      "account_uid": "string",
      "org_uid": "string",
      "project_uid": "string",
      "provider": "string",
      "region": "string",
      "resource_uid": "string",
      "zone": "string"
    },
    "comment": "string",
    "confidence": 123,
    "count": 123,
    "creator_name": "string",
    "data": {},
    "desc": "string"
  }
]
```

### Incident Update

Updates an existing incident within the SOS Findings Events platform using the provided incident details.

**Endpoint Method:** GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| incident_update | object | required | Unique identifier. |
| activity_name | string | required | The event activity name, as defined by the activity_id. |
| assignee | string | optional | The name of the user who is assigned to the incident. |
| cloud | object | optional | Describes details about the cloud environment where the event was originally created or logged. |
| account_name | string | optional | The name of the account (e.g. AWS Account Name). |
| account_type | string | optional | The user account type, as defined by the event source. |
| account_uid | string | optional | The unique identifier of the account (e.g. AWS Account ID). |
| org_uid | string | optional | The unique identifier of the organization to which the user belongs. For example, Active Directory or AWS Org ID. |
| project_uid | string | optional | Cloud project identifier. |
| provider | string | required | The unique name of the cloud services provider, such as AWS, MS Azure, GCP, etc. |
| region | string | optional | The name of the cloud region, as defined by the cloud provider. |
| resource_uid | string | optional | The unique identifier of a cloud resource. For example, S3 bucket name, EC2 instance ID. |
| zone | string | optional | The availability zone in the cloud region, as defined by the cloud provider. |
| comment | string | optional | The user provided comment. |
| confidence | integer | optional | The confidence of the reported event severity as a percentage: 0%-100%. |
| count | integer | optional | The number of times that events in the same logical group occurred during the event start_time to end_time period. |
| data | object | optional | The additional data that is associated with the incident. |
| duration | integer | optional | The event duration or aggregate time: the amount of time the event covers from start_time to end_time in milliseconds. |
| end_time_dt | string | optional | The end time of a time period, or the time of the most recent event included in the aggregate event. |
| enrichments | array | optional | The additional information from an external data source, which is associated with the event. For example, add location information for the IP address in the DNS answers: `[{"name": "answers.ip", "value": "92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent": "Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc": "Yemen"}}]` |
| data | object | required | The enrichment data associated with the attribute and value. The meaning of this data depends on the type of the enrichment record. |
| name | string | optional | The name of the attribute to which the enriched data pertains. |
| provider | string | optional | The enrichment data provider name. |
| type | string | optional | The enrichment type. For example: location. |
| value | object | optional | The value of the attribute to which the enriched data pertains. |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| activity_name | string | The event activity name, as defined by the activity_id. |
| assignee | string | The name of the user who is assigned to the incident. |
| category_name | string | The event category name, as defined by category_uid value: Findings. |
| class_name | string | The event class name, as defined by class_uid value: Incident Update. |
| cloud | object | Describes details about the cloud environment where the event was originally created or logged. |
| account_name | string | The name of the account (e.g. AWS Account Name). |
| account_type | string | The user account type, as defined by the event source. |
| account_uid | string | The unique identifier of the account (e.g. AWS Account ID). |
| org_uid | string | The unique identifier of the organization to which the user belongs. For example, Active Directory or AWS Org ID. |
| project_uid | string | Cloud project identifier. |
| provider | string | The unique name of the cloud services provider, such as AWS, MS Azure, GCP, etc. |
| region | string | The name of the cloud region, as defined by the cloud provider. |
| resource_uid | string | The unique identifier of a cloud resource. For example, S3 bucket name, EC2 instance ID. |
| zone | string | The availability zone in the cloud region, as defined by the cloud provider. |
| comment | string | The user provided comment. |
| confidence | integer | The confidence of the reported event severity as a percentage: 0%-100%. |
| count | integer | The number of times that events in the same logical group occurred during the event start_time to end_time period. |
| data | object | The additional data that is associated with the incident. |
| duration | integer | The event duration or aggregate time: the amount of time the event covers from start_time to end_time in milliseconds. |
| end_time_dt | string | The end time of a time period, or the time of the most recent event included in the aggregate event. |
| enrichments | array | The additional information from an external data source, which is associated with the event. For example, add location information for the IP address in the DNS answers: `[{"name": "answers.ip", "value": "92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent": "Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc": "Yemen"}}]` |
| data | object | The enrichment data associated with the attribute and value. The meaning of this data depends on the type of the enrichment record. |
| name | string | The name of the attribute to which the enriched data pertains. |
| provider | string | The enrichment data provider name. |
| type | string | The enrichment type. For example: location. |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "activity_name": "string",
    "assignee": "string",
    "category_name": "string",
    "class_name": "string",
    "cloud": {
      "account_name": "Example Name",
      "account_type": "string",
      "account_uid": "string",
      "org_uid": "string",
      "project_uid": "string",
      "provider": "string",
      "region": "string",
      "resource_uid": "string",
      "zone": "string"
    },
    "comment": "string",
    "confidence": 123,
    "count": 123,
    "data": {},
    "duration": 123,
    "end_time_dt": "string",
    "enrichments": []
  }
]
```

### Reported Finding

Submits a reported finding to SOS Findings Events, requiring specific finding details.

**Endpoint Method:** GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| reported_finding | object | required | Parameter for Reported Finding. |
| activity_name | string | required | The event activity name, as defined by the activity_id. |
| attacks | array | optional | The Attack object describes the technique and associated tactics as defined by [ATT&CK Matrix™](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| tactics | array | required | A list of tactic IDs/names that are associated with the attack technique, as defined by [ATT&CK Matrix™](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| name | string | optional | The tactic name that is associated with the attack technique, as defined by [ATT&CK Matrix™](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| uid | string | required | The tactic ID that is associated with the attack technique, as defined by [ATT&CK Matrix™](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| technique | object | required | The attack technique. |
| name | string | optional | The name of the attack technique, as defined by [ATT&CK Matrix™](https://attack.mitre.org/wiki/ATT&CK_Matrix). For example: Drive-by Compromise. |
| uid | string | required | The unique identifier of the attack technique, as defined by [ATT&CK Matrix™](https://attack.mitre.org/wiki/ATT&CK_Matrix). For example: T1189. |
| version | string | required | The ATT&CK Matrix version. |
| cloud | object | optional | Describes details about the cloud environment where the event was originally created or logged. |
| account_name | string | optional | The name of the account (e.g. AWS Account Name). |
| account_type | string | optional | The user account type, as defined by the event source. |
| account_uid | string | optional | The unique identifier of the account (e.g. AWS Account ID). |
| org_uid | string | optional | The unique identifier of the organization to which the user belongs. For example, Active Directory or AWS Org ID. |
| project_uid | string | optional | Cloud project identifier. |
| provider | string | required | The unique name of the cloud services provider, such as AWS, MS Azure, GCP, etc. |
| region | string | optional | The name of the cloud region, as defined by the cloud provider. |
| resource_uid | string | optional | The unique identifier of a cloud resource. For example, S3 bucket name, EC2 instance ID. |
| zone | string | optional | The availability zone in the cloud region, as defined by the cloud provider. |
| compliance | object | optional | The Compliance object provides context to compliance findings (e.g., a check against a specific regulatory or best practice framework such as CIS or NIST) and contains compliance related details. |
| requirements | array | optional | A list of applicable compliance requirements to which this finding relates. |
| status | string | optional | The event status, as reported by the event source. |
| status_detail | string | optional | The status details contain additional information about the event outcome. |
| confidence | integer | optional | The confidence of the reported event severity as a percentage: 0%-100%. |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| activity_name | string | The event activity name, as defined by the activity_id. |
| attacks | array | The Attack object describes the technique and associated tactics as defined by [ATT&CK Matrix™](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| tactics | array | A list of tactic IDs/names that are associated with the attack technique, as defined by [ATT&CK Matrix™](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| name | string | The tactic name that is associated with the attack technique, as defined by [ATT&CK Matrix™](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| uid | string | The tactic ID that is associated with the attack technique, as defined by [ATT&CK Matrix™](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| technique | object | The attack technique. |
| name | string | The name of the attack technique, as defined by [ATT&CK Matrix™](https://attack.mitre.org/wiki/ATT&CK_Matrix). For example: Drive-by Compromise. |
| uid | string | The unique identifier of the attack technique, as defined by [ATT&CK Matrix™](https://attack.mitre.org/wiki/ATT&CK_Matrix). For example: T1189. |
| version | string | The ATT&CK Matrix version. |
| category_name | string | The event category name, as defined by category_uid value: Findings. |
| class_name | string | The event class name, as defined by class_uid value: Reported Finding. |
| cloud | object | Describes details about the cloud environment where the event was originally created or logged. |
| account_name | string | The name of the account (e.g. AWS Account Name). |
| account_type | string | The user account type, as defined by the event source. |
| account_uid | string | The unique identifier of the account (e.g. AWS Account ID). |
| org_uid | string | The unique identifier of the organization to which the user belongs. For example, Active Directory or AWS Org ID. |
| project_uid | string | Cloud project identifier. |
| provider | string | The unique name of the cloud services provider, such as AWS, MS Azure, GCP, etc. |
| region | string | The name of the cloud region, as defined by the cloud provider. |
| resource_uid | string | The unique identifier of a cloud resource. For example, S3 bucket name, EC2 instance ID. |
| zone | string | The availability zone in the cloud region, as defined by the cloud provider. |
| compliance | object | The Compliance object provides context to compliance findings (e.g., a check against a specific regulatory or best practice framework such as CIS or NIST) and contains compliance related details. |
| requirements | array | A list of applicable compliance requirements to which this finding relates. |
| status | string | The event status, as reported by the event source. |
| status_detail | string | The status details contain additional information about the event outcome. |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "activity_name": "string",
    "attacks": [],
    "category_name": "string",
    "class_name": "string",
    "cloud": {
      "account_name": "Example Name",
      "account_type": "string",
      "account_uid": "string",
      "org_uid": "string",
      "project_uid": "string",
      "provider": "string",
      "region": "string",
      "resource_uid": "string",
      "zone": "string"
    },
    "compliance": {
      "requirements": [],
      "status": "active",
      "status_detail": "active"
    },
    "confidence": 123,
    "count": 123,
    "data": {},
    "duration": 123,
    "end_time_dt": "string",
    "enrichments": []
  }
]
```

### Security Finding

Retrieves detailed information about a specific security finding in SOS Findings Events using the provided identifier.

**Endpoint Method:** GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| security_finding | object | required | Parameter for Security Finding. |
| activity_name | string | required | The event activity name, as defined by the activity_id. |
| attacks | array | optional | The Attack object describes the technique and associated tactics as defined by [ATT&CK Matrix™](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| tactics | array | required | A list of tactic IDs/names that are associated with the attack technique, as defined by [ATT&CK Matrix™](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| name | string | optional | The tactic name that is |
associated with the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm uid string required the tactic id that is associated with the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm technique object required the attack technique name string optional the name of the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm for example drive by compromise uid string required the unique identifier of the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm for example t1189 version string required the att\&ck matrix version cloud object optional describes details about the cloud enviroment where the event was originally created or logged account name string optional the name of the account (e g aws account name) account type string optional the user account type, as defined by the event source account uid string optional the unique identifier of the account (e g aws account id) org uid string optional the unique identifier of the organization to which the user belongs for example, active directory or aws org id project uid string optional cloud project identifier provider string required the unique name of the cloud services provider, such as aws, ms azure, gcp, etc region string optional the name of the cloud region, as defined by the cloud provider resource uid string optional the unique identifier of a cloud resource for example, s3 bucket name, ec2 instance id zone string optional the availability zone in the cloud region, as defined by the cloud provider compliance object optional the complaince object provides context to compliance findings (e g , a check against a specific regulatory or best practice framework such as cis or nist) and contains compliance related details requirements array optional a list of applicable compliance requirements for which this finding is related to status string 
optional the event status, as reported by the event source status detail string optional the status details contains additional information about the event outcome confidence integer optional the confidence of the reported event severity as a percentage 0% 100% output parameter type description activity name string the event activity name, as defined by the activity id attacks array the attack object describes the technique and associated tactics as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm tactics array the a list of tactic id's/names that are associated with the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm name string the tactic name that is associated with the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm uid string the tactic id that is associated with the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm technique object the attack technique name string the name of the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm for example drive by compromise uid string the unique identifier of the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm for example t1189 version string the att\&ck matrix version category name string the event category name, as defined by category uid value findings class name string the event class name, as defined by class uid value security finding cloud object describes details about the cloud enviroment where the event was originally created or logged account name string the name of the account (e g aws account name) account type string the user account type, as defined by the event source account uid string the unique identifier of the account (e g aws account id) org uid string the unique identifier of the organization to which the user belongs for example, active directory 
or aws org id project uid string cloud project identifier provider string the unique name of the cloud services provider, such as aws, ms azure, gcp, etc region string the name of the cloud region, as defined by the cloud provider resource uid string the unique identifier of a cloud resource for example, s3 bucket name, ec2 instance id zone string the availability zone in the cloud region, as defined by the cloud provider compliance object the complaince object provides context to compliance findings (e g , a check against a specific regulatory or best practice framework such as cis or nist) and contains compliance related details requirements array a list of applicable compliance requirements for which this finding is related to status string the event status, as reported by the event source status detail string the status details contains additional information about the event outcome example \[ { "status code" 200, "response headers" { "content type" "application/json", "date" "thu, 01 jan 2024 00 00 00 gmt" }, "reason" "ok", "activity name" "string", "attacks" \[], "category name" "string", "class name" "string", "cloud" { "account name" "example name", "account type" "string", "account uid" "string", "org uid" "string", "project uid" "string", "provider" "string", "region" "string", "resource uid" "string", "zone" "string" }, "compliance" { "requirements" \[], "status" "active", "status detail" "active" }, "confidence" 123, "count" 123, "data" {}, "duration" 123, "end time dt" "string", "enrichments" \[] } ] response headers header description example content type the media type of the resource application/json date the date and time at which the message was originated thu, 01 jan 2024 00 00 00 gmt
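The Reported Finding and Security Finding inputs above share one shape, and the Required flags are nested (a tactic needs a `uid` even though `attacks` itself is optional, `cloud.provider` is required only once a `cloud` object is present, `confidence` is a 0 to 100 percentage). The following pre-submission check encodes those rules so a playbook rejects a malformed finding before the connector call; it is an added example, not the connector's own code, and the sample payload, the `v14` version string and the technique-id pattern `T` plus four digits are assumptions.

```python
"""Validate a finding payload against the input table's Required/Optional rules.
Added example (not part of the SOS Findings Events connector)."""
import re

# Keys the table marks Required, relative to the object they live in
ATTACK_REQUIRED = ("tactics", "technique", "version")
TACTIC_REQUIRED = ("uid",)
TECHNIQUE_REQUIRED = ("uid",)
CLOUD_REQUIRED = ("provider",)
# ATT&CK technique ids look like T1189 (sub-techniques add .NNN); assumed pattern
TECHNIQUE_UID = re.compile(r"^T\d{4}(\.\d{3})?$")


def _missing(obj, keys, path):
    """Names of required keys absent or empty in obj, prefixed with their path."""
    return [f"{path}.{k}" for k in keys if k not in obj or obj[k] in (None, "", [])]


def validate_finding(finding: dict) -> list[str]:
    """Return a list of problems; an empty list means the payload is acceptable."""
    problems = []
    if not finding.get("activity_name"):
        problems.append("activity_name is required")
    for i, atk in enumerate(finding.get("attacks") or []):
        path = f"attacks[{i}]"
        problems += _missing(atk, ATTACK_REQUIRED, path)
        for j, tac in enumerate(atk.get("tactics") or []):
            problems += _missing(tac, TACTIC_REQUIRED, f"{path}.tactics[{j}]")
        tech = atk.get("technique") or {}
        problems += _missing(tech, TECHNIQUE_REQUIRED, f"{path}.technique")
        uid = tech.get("uid")
        if uid and not TECHNIQUE_UID.match(uid):
            problems.append(f"{path}.technique.uid {uid!r} is not an ATT&CK technique id")
    if "cloud" in finding:  # optional object, but provider is required inside it
        problems += _missing(finding["cloud"], CLOUD_REQUIRED, "cloud")
    conf = finding.get("confidence")
    if conf is not None and not (isinstance(conf, int) and 0 <= conf <= 100):
        problems.append(f"confidence {conf!r} must be an integer percentage 0-100")
    return problems


SAMPLE_FINDING = {  # constructed sample; T1189 / Drive-by Compromise are the page's own example
    "activity_name": "Create",
    "attacks": [{
        "tactics": [{"uid": "TA0001", "name": "Initial Access"}],
        "technique": {"uid": "T1189", "name": "Drive-by Compromise"},
        "version": "v14",
    }],
    "cloud": {"provider": "AWS", "region": "us-east-1"},
    "confidence": 80,
}

if __name__ == "__main__":
    print(validate_finding(SAMPLE_FINDING) or "payload is acceptable")
```

Note that the placeholder `"confidence": 123` in the documentation examples above would be rejected by this check, since the table defines the field as a 0% to 100% percentage.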