# SOS Findings Events

The SOS Findings Events connector facilitates the automation of incident response and findings management tasks within the SOS Findings Events platform. SOS Findings Events is a comprehensive security automation platform designed to enhance incident management and response. By integrating with Swimlane Turbine, users can effortlessly enrich findings, associate incidents, and manage security events without manual intervention. This connector streamlines the process of capturing telemetry, correlating data, and executing actions within the security ecosystem, providing a significant boost to operational efficiency and threat mitigation capabilities for end users.

## Prerequisites

None.

## Actions

### Enrichment Finding

Enriches a specific finding with additional context and details in SOS Findings Events, requiring an `enrichment_finding` input.

#### Endpoint

Method: `GET`

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| enrichment_finding | object | required | Parameter for Enrichment Finding. |
| enrichment_finding.activity_name | string | required | The event activity name, as defined by the activity_id. |
| enrichment_finding.attacks | array | optional | The attack object describes the technique and associated tactics as defined by [ATT&CK Matrix TM](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| enrichment_finding.attacks.tactics | array | required | The list of tactic IDs/names that are associated with the attack technique, as defined by [ATT&CK Matrix TM](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| enrichment_finding.attacks.tactics.name | string | optional | The tactic name that is associated with the attack technique, as defined by [ATT&CK Matrix TM](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| enrichment_finding.attacks.tactics.uid | string | required | The tactic ID that is associated with the attack technique, as defined by [ATT&CK Matrix TM](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| enrichment_finding.attacks.technique | object | required | The attack technique. |
| enrichment_finding.attacks.technique.name | string | optional | The name of the attack technique, as defined by [ATT&CK Matrix TM](https://attack.mitre.org/wiki/ATT&CK_Matrix). For example: Drive-by Compromise. |
| enrichment_finding.attacks.technique.uid | string | required | The unique identifier of the attack technique, as defined by [ATT&CK Matrix TM](https://attack.mitre.org/wiki/ATT&CK_Matrix). For example: T1189. |
| enrichment_finding.attacks.version | string | required | The ATT&CK Matrix version. |
| enrichment_finding.cloud | object | optional | Describes details about the cloud environment where the event was originally created or logged. |
| enrichment_finding.cloud.account_name | string | optional | The name of the account (e.g. AWS account name). |
| enrichment_finding.cloud.account_type | string | optional | The user account type, as defined by the event source. |
| enrichment_finding.cloud.account_uid | string | optional | The unique identifier of the account (e.g. AWS account ID). |
| enrichment_finding.cloud.org_uid | string | optional | The unique identifier of the organization to which the user belongs. For example, Active Directory or AWS Org ID. |
| enrichment_finding.cloud.project_uid | string | optional | Cloud project identifier. |
| enrichment_finding.cloud.provider | string | required | The unique name of the cloud services provider, such as AWS, MS Azure, GCP, etc. |
| enrichment_finding.cloud.region | string | optional | The name of the cloud region, as defined by the cloud provider. |
| enrichment_finding.cloud.resource_uid | string | optional | The unique identifier of a cloud resource. For example, S3 bucket name, EC2 instance ID. |
| enrichment_finding.cloud.zone | string | optional | The availability zone in the cloud region, as defined by the cloud provider. |
| enrichment_finding.compliance | object | optional | The compliance object provides context to compliance findings (e.g., a check against a specific regulatory or best practice framework such as CIS or NIST) and contains compliance-related details. |
| enrichment_finding.compliance.requirements | array | optional | A list of applicable compliance requirements to which this finding is related. |
| enrichment_finding.compliance.status | string | optional | The event status, as reported by the event source. |
| enrichment_finding.compliance.status_detail | string | optional | The status details contain additional information about the event outcome. |
| enrichment_finding.confidence | integer | optional | The confidence of the reported event severity as a percentage: 0%-100%. |

#### Input Example

```json
{"enrichment_finding": {"activity_name": "Example Name", "attacks": [{"tactics": [{"name": "Example Name", "uid": "string"}], "technique": {"name": "Example Name", "uid": "string"}, "version": "string"}], "cloud": {"account_name": "Example Name", "account_type": "string", "account_uid": "string", "org_uid": "string", "project_uid": "string", "provider": "string", "region": "string", "resource_uid": "string", "zone": "string"}, "compliance": {"requirements": ["string"], "status": "active", "status_detail": "active"}, "confidence": 123, "finding": {"created_time_dt": "string", "desc": "string", "first_seen_time_dt": "string", "last_seen_time_dt": "string", "log_sources": [{"name": "Example Name", "type": "string"}], "modified_time_dt": "string", "product_uid": "string", "related_events": {}, "remediation": {"desc": "string", "kb_articles": ["string"]}, "rules": [{"category": "string", "desc": "string", "name": "Example Name", "type": "string", "uid": "string", "version": "string"}], "src_url": "string", "supporting_data": [], "title": "string", "types": ["string"], "uid": "string"}, "malware": [{"classifications": ["string"], "cves": [{"created_time_dt": "string", "cvss": {}, "cwe_uid": "string", "cwe_url": "string", "modified_time_dt": "string", "product": {}, "type": "string", "uid": "string"}], "name": "Example Name", "path": "string", "provider": "string", "uid": "string"}], "metadata": {"correlation_uid": "string", "labels": ["string"], "logged_time_dt": "string", "modified_time_dt": "string", "original_time": "string", "processed_time_dt": "string", "product": {"feature": {}, "lang": "string", "name": "Example Name", "path": "string", "uid": "string", "vendor_name": "Example Name", "version": "string"}, "profiles": ["string"], "sequence": 123, "uid": "string", "version": "string"}, "observables": [{"enrichments": [{"data": {}, "name": "Example Name", "provider": "string", "type": "string", "value": {}}], "name": "Example Name", "type": "string", "value": {}}], "organization": {"data": {}, "name": "Example Name", "sectors": ["string"], "uid": "string"}, "raw_data": "string", "resources": [{"account_uid": "string", "cloud_partition": "string", "criticality": "string", "details": "string", "group_name": "Example Name", "labels": ["string"], "name": "Example Name", "owner": "string", "region": "string", "software_inventory": [{"feature": {}, "lang": "string", "name": "Example Name", "path": "string", "uid": "string", "vendor_name": "Example Name", "version": "string"}], "type": "string", "uid": "string", "unmapped": {}}], "severity": "string", "state": "string", "status": "active", "status_detail": "active", "time_dt": "string", "unmapped": {}, "vulnerabilities": [{"cve": {"created_time_dt": "string", "cvss": {}, "cwe_uid": "string", "cwe_url": "string", "modified_time_dt": "string", "product": {}, "type": "string", "uid": "string"}, "desc": "string", "kb_articles": ["string"], "packages": [{"architecture": "string", "epoch": 123, "name": "Example Name", "release": "string", "version": "string"}], "references": ["string"], "related_vulnerabilities": ["string"], "severity": "string", "title": "string", "vendor_name": "Example Name"}]}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| activity_name | string | The event activity name, as defined by the activity_id. |
| attacks | array | The attack object describes the technique and associated tactics as defined by [ATT&CK Matrix TM](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| attacks.tactics | array | The list of tactic IDs/names that are associated with the attack technique, as defined by [ATT&CK Matrix TM](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| attacks.tactics.name | string | The tactic name that is associated with the attack technique, as defined by [ATT&CK Matrix TM](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| attacks.tactics.uid | string | The tactic ID that is associated with the attack technique, as defined by [ATT&CK Matrix TM](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| attacks.technique | object | The attack technique. |
| attacks.technique.name | string | The name of the attack technique, as defined by [ATT&CK Matrix TM](https://attack.mitre.org/wiki/ATT&CK_Matrix). For example: Drive-by Compromise. |
| attacks.technique.uid | string | The unique identifier of the attack technique, as defined by [ATT&CK Matrix TM](https://attack.mitre.org/wiki/ATT&CK_Matrix). For example: T1189. |
| attacks.version | string | The ATT&CK Matrix version. |
| category_name | string | The event category name, as defined by category_uid value: Findings. |
| class_name | string | The event class name, as defined by class_uid value: Enrichment Finding. |
| cloud | object | Describes details about the cloud environment where the event was originally created or logged. |
| cloud.account_name | string | The name of the account (e.g. AWS account name). |
| cloud.account_type | string | The user account type, as defined by the event source. |
| cloud.account_uid | string | The unique identifier of the account (e.g. AWS account ID). |
| cloud.org_uid | string | The unique identifier of the organization to which the user belongs. For example, Active Directory or AWS Org ID. |
| cloud.project_uid | string | Cloud project identifier. |
| cloud.provider | string | The unique name of the cloud services provider, such as AWS, MS Azure, GCP, etc. |
| cloud.region | string | The name of the cloud region, as defined by the cloud provider. |
| cloud.resource_uid | string | The unique identifier of a cloud resource. For example, S3 bucket name, EC2 instance ID. |
| cloud.zone | string | The availability zone in the cloud region, as defined by the cloud provider. |
| compliance | object | The compliance object provides context to compliance findings (e.g., a check against a specific regulatory or best practice framework such as CIS or NIST) and contains compliance-related details. |
| compliance.requirements | array | A list of applicable compliance requirements to which this finding is related. |
| compliance.status | string | The event status, as reported by the event source. |
| compliance.status_detail | string | The status details contain additional information about the event outcome. |

#### Output Example

```json
{"activity_name": "string", "attacks": [], "category_name": "string", "class_name": "string", "cloud": {"account_name": "Example Name", "account_type": "string", "account_uid": "string", "org_uid": "string", "project_uid": "string", "provider": "string", "region": "string", "resource_uid": "string", "zone": "string"}, "compliance": {"requirements": ["string"], "status": "active", "status_detail": "active"}, "confidence": 123, "finding": {"created_time_dt": "string", "desc": "string", "first_seen_time_dt": "string", "last_seen_time_dt": "s
```

### Incident Associate

Associates a specified entity with an incident in SOS Findings Events using the `incident_associate` input.

#### Endpoint

Method: `GET`

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| incident_associate | object | required | Unique identifier. |
| incident_associate.activity_name | string | required | The event activity name, as defined by the activity_id. |
| incident_associate.cloud | object | optional | Describes details about the cloud environment where the event was originally created or logged. |
| incident_associate.cloud.account_name | string | optional | The name of the account (e.g. AWS account name). |
| incident_associate.cloud.account_type | string | optional | The user account type, as defined by the event source. |
| incident_associate.cloud.account_uid | string | optional | The unique identifier of the account (e.g. AWS account ID). |
| incident_associate.cloud.org_uid | string | optional | The unique identifier of the organization to which the user belongs. For example, Active Directory or AWS Org ID. |
| incident_associate.cloud.project_uid | string | optional | Cloud project identifier. |
| incident_associate.cloud.provider | string | required | The unique name of the cloud services provider, such as AWS, MS Azure, GCP, etc. |
| incident_associate.cloud.region | string | optional | The name of the cloud region, as defined by the cloud provider. |
| incident_associate.cloud.resource_uid | string | optional | The unique identifier of a cloud resource. For example, S3 bucket name, EC2 instance ID. |
| incident_associate.cloud.zone | string | optional | The availability zone in the cloud region, as defined by the cloud provider. |
| incident_associate.confidence | integer | optional | The confidence of the reported event severity as a percentage: 0%-100%. |
| incident_associate.correlation_uid | string | required | The identifier of the event that is associated with the incident. |
| incident_associate.count | integer | optional | The number of times that events in the same logical group occurred during the event start_time to end_time period. |
| incident_associate.data | object | optional | Additional data that is associated with the event. |
| incident_associate.duration | integer | optional | The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds. |
| incident_associate.end_time_dt | string | optional | The end time of a time period, or the time of the most recent event included in the aggregate event. |
| incident_associate.enrichments | array | optional | The additional information from an external data source, which is associated with the event. For example, add location information for the IP address in the DNS answers: `[{"name": "answers.ip", "value": "92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent": "Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc": "Yemen"}}]` |
| incident_associate.enrichments.data | object | required | The enrichment data associated with the attribute and value. The meaning of this data depends on the type of the enrichment record. |
| incident_associate.enrichments.name | string | optional | The name of the attribute to which the enriched data pertains. |
| incident_associate.enrichments.provider | string | optional | The enrichment data provider name. |
| incident_associate.enrichments.type | string | optional | The enrichment type. For example: location. |
| incident_associate.enrichments.value | object | optional | The value of the attribute to which the enriched data pertains. |
| incident_associate.incident_uid | string | required | The incident unique identifier. |

#### Input Example

```json
{"incident_associate": {"activity_name": "Example Name", "cloud": {"account_name": "Example Name", "account_type": "string", "account_uid": "string", "org_uid": "string", "project_uid": "string", "provider": "string", "region": "string", "resource_uid": "string", "zone": "string"}, "confidence": 123, "correlation_uid": "string", "count": 123, "data": {}, "duration": 123, "end_time_dt": "string", "enrichments": [{"data": {}, "name": "Example Name", "provider": "string", "type": "string", "value": {}}], "incident_uid": "string", "message": "string", "metadata": {"correlation_uid": "string", "labels": ["string"], "logged_time_dt": "string", "modified_time_dt": "string", "original_time": "string", "processed_time_dt": "string", "product": {"feature": {}, "lang": "string", "name": "Example Name", "path": "string", "uid": "string", "vendor_name": "Example Name", "version": "string"}, "profiles": ["string"], "sequence": 123, "uid": "string", "version": "string"}, "observables": [{"enrichments": [{"data": {}, "name": "Example Name", "provider": "string", "type": "string", "value": {}}], "name": "Example Name", "type": "string", "value": {}}], "raw_data": "string", "severity": "string", "start_time_dt": "string", "status": "active", "status_detail": "active", "time_dt": "string", "timezone_offset": 123, "unmapped": {}}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| activity_name | string | The event activity name, as defined by the activity_id. |
| category_name | string | The event category name, as defined by category_uid value: Findings. |
| class_name | string | The event class name, as defined by class_uid value: Incident Associate. |
| cloud | object | Describes details about the cloud environment where the event was originally created or logged. |
| cloud.account_name | string | The name of the account (e.g. AWS account name). |
| cloud.account_type | string | The user account type, as defined by the event source. |
| cloud.account_uid | string | The unique identifier of the account (e.g. AWS account ID). |
| cloud.org_uid | string | The unique identifier of the organization to which the user belongs. For example, Active Directory or AWS Org ID. |
| cloud.project_uid | string | Cloud project identifier. |
| cloud.provider | string | The unique name of the cloud services provider, such as AWS, MS Azure, GCP, etc. |
| cloud.region | string | The name of the cloud region, as defined by the cloud provider. |
| cloud.resource_uid | string | The unique identifier of a cloud resource. For example, S3 bucket name, EC2 instance ID. |
| cloud.zone | string | The availability zone in the cloud region, as defined by the cloud provider. |
| confidence | integer | The confidence of the reported event severity as a percentage: 0%-100%. |
| correlation_uid | string | The identifier of the event that is associated with the incident. |
| count | integer | The number of times that events in the same logical group occurred during the event start_time to end_time period. |
| data | object | Additional data that is associated with the event. |
| duration | integer | The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds. |
| end_time_dt | string | The end time of a time period, or the time of the most recent event included in the aggregate event. |
| enrichments | array | The additional information from an external data source, which is associated with the event. For example, add location information for the IP address in the DNS answers: `[{"name": "answers.ip", "value": "92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent": "Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc": "Yemen"}}]` |
| enrichments.data | object | The enrichment data associated with the attribute and value. The meaning of this data depends on the type of the enrichment record. |
| enrichments.name | string | The name of the attribute to which the enriched data pertains. |
| enrichments.provider | string | The enrichment data provider name. |
| enrichments.type | string | The enrichment type. For example: location. |
| enrichments.value | object | The value of the attribute to which the enriched data pertains. |

#### Output Example

```json
{"activity_name": "string", "category_name": "string", "class_name": "string", "cloud": {"account_name": "Example Name", "account_type": "string", "account_uid": "string", "org_uid": "string", "project_uid": "string", "provider": "string", "region": "string", "resource_uid": "string", "zone": "string"}, "confidence": 123, "correlation_uid": "string", "count": 123, "data": {}, "duration": 123, "end_time_dt": "string", "enrichments": [], "incident_uid": "string", "message": "string", "metadata": {"correlation_uid": "string", "labels": ["string
```

### Incident Closure

Closes an incident within the SOS Findings Events platform, requiring an `incident_close` input.

#### Endpoint

Method: `GET`

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| incident_close | object | required | Unique identifier. |
| incident_close.activity_name | string | required | The event activity name, as defined by the activity_id. |
| incident_close.cloud | object | optional | Describes details about the cloud environment where the event was originally created or logged. |
| incident_close.cloud.account_name | string | optional | The name of the account (e.g. AWS account name). |
| incident_close.cloud.account_type | string | optional | The user account type, as defined by the event source. |
| incident_close.cloud.account_uid | string | optional | The unique identifier of the account (e.g. AWS account ID). |
| incident_close.cloud.org_uid | string | optional | The unique identifier of the organization to which the user belongs. For example, Active Directory or AWS Org ID. |
| incident_close.cloud.project_uid | string | optional | Cloud project identifier. |
| incident_close.cloud.provider | string | required | The unique name of the cloud services provider, such as AWS, MS Azure, GCP, etc. |
| incident_close.cloud.region | string | optional | The name of the cloud region, as defined by the cloud provider. |
| incident_close.cloud.resource_uid | string | optional | The unique identifier of a cloud resource. For example, S3 bucket name, EC2 instance ID. |
| incident_close.cloud.zone | string | optional | The availability zone in the cloud region, as defined by the cloud provider. |
| incident_close.comment | string | optional | The user-provided comment. |
| incident_close.confidence | integer | optional | The confidence of the reported event severity as a percentage: 0%-100%. |
| incident_close.count | integer | optional | The number of times that events in the same logical group occurred during the event start_time to end_time period. |
| incident_close.data | object | optional | Additional data that is associated with the event. |
| incident_close.duration | integer | optional | The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds. |
| incident_close.end_time_dt | string | optional | The end time of a time period, or the time of the most recent event included in the aggregate event. |
| incident_close.enrichments | array | optional | The additional information from an external data source, which is associated with the event. For example, add location information for the IP address in the DNS answers: `[{"name": "answers.ip", "value": "92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent": "Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc": "Yemen"}}]` |
| incident_close.enrichments.data | object | required | The enrichment data associated with the attribute and value. The meaning of this data depends on the type of the enrichment record. |
| incident_close.enrichments.name | string | optional | The name of the attribute to which the enriched data pertains. |
| incident_close.enrichments.provider | string | optional | The enrichment data provider name. |
| incident_close.enrichments.type | string | optional | The enrichment type. For example: location. |
| incident_close.enrichments.value | object | optional | The value of the attribute to which the enriched data pertains. |
| incident_close.incident_uid | string | required | The unique identifier of the incident. |

#### Input Example

```json
{"incident_close": {"activity_name": "Example Name", "cloud": {"account_name": "Example Name", "account_type": "string", "account_uid": "string", "org_uid": "string", "project_uid": "string", "provider": "string", "region": "string", "resource_uid": "string", "zone": "string"}, "comment": "string", "confidence": 123, "count": 123, "data": {}, "duration": 123, "end_time_dt": "string", "enrichments": [{"data": {}, "name": "Example Name", "provider": "string", "type": "string", "value": {}}], "incident_uid": "string", "message": "string", "metadata": {"correlation_uid": "string", "labels": ["string"], "logged_time_dt": "string", "modified_time_dt": "string", "original_time": "string", "processed_time_dt": "string", "product": {"feature": {}, "lang": "string", "name": "Example Name", "path": "string", "uid": "string", "vendor_name": "Example Name", "version": "string"}, "profiles": ["string"], "sequence": 123, "uid": "string", "version": "string"}, "observables": [{"enrichments": [{"data": {}, "name": "Example Name", "provider": "string", "type": "string", "value": {}}], "name": "Example Name", "type": "string", "value": {}}], "priority": 123, "raw_data": "string", "rule": {"category": "string", "desc": "string", "name": "Example Name", "type": "string", "uid": "string", "version": "string"}, "severity": "string", "start_time_dt": "string", "state": "string", "status": "active", "status_detail": "active", "time_dt": "string", "timezone_offset": 123, "unmapped": {}}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| activity_name | string | The event activity name, as defined by the activity_id. |
| category_name | string | The event category name, as defined by category_uid value: Findings. |
| class_name | string | The event class name, as defined by class_uid value: Incident Closure. |
| cloud | object | Describes details about the cloud environment where the event was originally created or logged. |
| cloud.account_name | string | The name of the account (e.g. AWS account name). |
| cloud.account_type | string | The user account type, as defined by the event source. |
| cloud.account_uid | string | The unique identifier of the account (e.g. AWS account ID). |
| cloud.org_uid | string | The unique identifier of the organization to which the user belongs. For example, Active Directory or AWS Org ID. |
| cloud.project_uid | string | Cloud project identifier. |
| cloud.provider | string | The unique name of the cloud services provider, such as AWS, MS Azure, GCP, etc. |
| cloud.region | string | The name of the cloud region, as defined by the cloud provider. |
| cloud.resource_uid | string | The unique identifier of a cloud resource. For example, S3 bucket name, EC2 instance ID. |
| cloud.zone | string | The availability zone in the cloud region, as defined by the cloud provider. |
| comment | string | The user-provided comment. |
| confidence | integer | The confidence of the reported event severity as a percentage: 0%-100%. |
| count | integer | The number of times that events in the same logical group occurred during the event start_time to end_time period. |
| data | object | Additional data that is associated with the event. |
| duration | integer | The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds. |
| end_time_dt | string | The end time of a time period, or the time of the most recent event included in the aggregate event. |
| enrichments | array | The additional information from an external data source, which is associated with the event. For example, add location information for the IP address in the DNS answers: `[{"name": "answers.ip", "value": "92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent": "Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc": "Yemen"}}]` |
| enrichments.data | object | The enrichment data associated with the attribute and value. The meaning of this data depends on the type of the enrichment record. |
| enrichments.name | string | The name of the attribute to which the enriched data pertains. |
| enrichments.provider | string | The enrichment data provider name. |
| enrichments.type | string | The enrichment type. For example: location. |
| enrichments.value | object | The value of the attribute to which the enriched data pertains. |

#### Output Example

```json
{"activity_name": "string", "category_name": "string", "class_name": "string", "cloud": {"account_name": "Example Name", "account_type": "string", "account_uid": "string", "org_uid": "string", "project_uid": "string", "provider": "string", "region": "string", "resource_uid": "string", "zone": "string"}, "comment": "string", "confidence": 123, "count": 123, "data": {}, "duration": 123, "end_time_dt": "string", "enrichments": [], "incident_uid": "string", "message": "string", "metadata": {"correlation_uid": "string", "labels": ["string"], "logg
```

### Incident Creation

Initiates a new incident within SOS Findings Events using the provided incident details.

#### Endpoint

Method: `GET`

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| incident_create | object | required | Unique identifier. |
| incident_create.activity_name | string | required | The event activity name, as defined by the activity_id. |
| incident_create.assignee | string | optional | The name of the user who is assigned to the incident. |
| incident_create.attacks | array | optional | An array of attacks associated with an event. |
| incident_create.attacks.tactics | array | required | The list of tactic IDs/names that are associated with the attack technique, as defined by [ATT&CK Matrix TM](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| incident_create.attacks.tactics.name | string | optional | The tactic name that is associated with the attack technique, as defined by [ATT&CK Matrix TM](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| incident_create.attacks.tactics.uid | string | required | The tactic ID that is associated with the attack technique, as defined by [ATT&CK Matrix TM](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| incident_create.attacks.technique | object | required | The attack technique. |
| incident_create.attacks.technique.name | string | optional | The name of the attack technique, as defined by [ATT&CK Matrix TM](https://attack.mitre.org/wiki/ATT&CK_Matrix). For example: Drive-by Compromise. |
| incident_create.attacks.technique.uid | string | required | The unique identifier of the attack technique, as defined by [ATT&CK Matrix TM](https://attack.mitre.org/wiki/ATT&CK_Matrix). For example: T1189. |
| incident_create.attacks.version | string | required | The ATT&CK Matrix version. |
| incident_create.cloud | object | optional | Describes details about the cloud environment where the event was originally created or logged. |
| incident_create.cloud.account_name | string | optional | The name of the account (e.g. AWS account name). |
| incident_create.cloud.account_type | string | optional | The user account type, as defined by the event source. |
| incident_create.cloud.account_uid | string | optional | The unique identifier of the account (e.g. AWS account ID). |
| incident_create.cloud.org_uid | string | optional | The unique identifier of the organization to which the user belongs. For example, Active Directory or AWS Org ID. |
| incident_create.cloud.project_uid | string | optional | Cloud project identifier. |
| incident_create.cloud.provider | string | required | The unique name of the cloud services provider, such as AWS, MS Azure, GCP, etc. |
| incident_create.cloud.region | string | optional | The name of the cloud region, as defined by the cloud provider. |
| incident_create.cloud.resource_uid | string | optional | The unique identifier of a cloud resource. For example, S3 bucket name, EC2 instance ID. |
| incident_create.cloud.zone | string | optional | The availability zone in the cloud region, as defined by the cloud provider. |
| incident_create.comment | string | optional | The user-provided comment. |
| incident_create.confidence | integer | optional | The confidence of the reported event severity as a percentage: 0%-100%. |
| incident_create.count | integer | optional | The number of times that events in the same logical group occurred during the event start_time to end_time period. |
| incident_create.creator_name | string | optional | The name of the user who created the incident. |

#### Input Example

```json
{"incident_create": {"activity_name": "Example Name", "assignee": "string", "attacks": [{"tactics": [{"name": "Example Name", "uid": "string"}], "technique": {"name": "Example Name", "uid": "string"}, "version": "string"}], "cloud": {"account_name": "Example Name", "account_type": "string", "account_uid": "string", "org_uid": "string", "project_uid": "string", "provider": "string", "region": "string", "resource_uid": "string", "zone": "string"}, "comment": "string", "confidence": 123, "count": 123, "creator_name": "Example Name", "data": {}, "desc": "string", "duration": 123, "end_time_dt": "string", "enrichments": [{"data": {}, "name": "Example Name", "provider": "string", "type": "string", "value": {}}], "incident_uid": "string", "message": "string", "metadata": {"correlation_uid": "string", "labels": ["string"], "logged_time_dt": "string", "modified_time_dt": "string", "original_time": "string", "processed_time_dt": "string", "product": {"feature": {}, "lang": "string", "name": "Example Name", "path": "string", "uid": "string", "vendor_name": "Example Name", "version": "string"}, "profiles": ["string"], "sequence": 123, "uid": "string", "version": "string"}, "observables": [{"enrichments": [{"data": {}, "name": "Example Name", "provider": "string", "type": "string", "value": {}}], "name": "Example Name", "type": "string", "value": {}}], "priority": 123, "raw_data": "string", "rule": {"category": "string", "desc": "string", "name": "Example Name", "type": "string", "uid": "string", "version": "string"}, "severity": "string", "start_time_dt": "string", "state": "string", "status": "active", "status_detail": "active", "time_dt": "string", "timezone_offset": 123, "unmapped": {}}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| activity_name | string | The event activity name, as defined by the activity_id. |
| assignee | string | The name of the user who is assigned to the incident. |
| attacks | array | An array of attacks associated with an event. |
| attacks.tactics | array | The list of tactic IDs/names that are associated with the attack technique, as defined by [ATT&CK Matrix TM](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| attacks.tactics.name | string | The tactic name that is associated with the attack technique, as defined by [ATT&CK Matrix TM](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| attacks.tactics.uid | string | The tactic ID that is associated with the attack technique, as defined by [ATT&CK Matrix TM](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| attacks.technique | object | The attack technique. |
| attacks.technique.name | string | The name of the attack technique, as defined by [ATT&CK Matrix TM](https://attack.mitre.org/wiki/ATT&CK_Matrix). For example: Drive-by Compromise. |
| attacks.technique.uid | string | The unique identifier of the attack technique, as defined by [ATT&CK Matrix TM](https://attack.mitre.org/wiki/ATT&CK_Matrix). For example: T1189. |
| attacks.version | string | The ATT&CK Matrix version. |
| category_name | string | The event category name, as defined by category_uid value: Findings. |
| class_name | string | The event class name, as defined by class_uid value: Incident Creation. |
| cloud | object | Describes details about the cloud environment where the event was originally created or logged. |
| cloud.account_name | string | The name of the account (e.g. AWS account name). |
| cloud.account_type | string | The user account type, as defined by the event source. |
| cloud.account_uid | string | The unique identifier of the account (e.g. AWS account ID). |
| cloud.org_uid | string | The unique identifier of the organization to which the user belongs. For example, Active Directory or AWS Org ID. |
| cloud.project_uid | string | Cloud project identifier. |
| cloud.provider | string | The unique name of the cloud services provider, such as AWS, MS Azure, GCP, etc. |
| cloud.region | string | The name of the cloud region, as defined by the cloud provider. |
| cloud.resource_uid | string | The unique identifier of a cloud resource. For example, S3 bucket name, EC2 instance ID. |
| cloud.zone | string | The availability zone in the cloud region, as defined by the cloud provider. |
| comment | string | The user-provided comment. |
| confidence | integer | The confidence of the reported event severity as a percentage: 0%-100%. |
| count | integer | The number of times that events in the same logical group occurred during the event start_time to end_time period. |

#### Output Example

```json
{"activity_name": "string", "assignee": "string", "attacks": [], "category_name": "string", "class_name": "string", "cloud": {"account_name": "Example Name", "account_type": "string", "account_uid": "string", "org_uid": "string", "project_uid": "string", "provider": "string", "region": "string", "resource_uid": "string", "zone": "string"}, "comment": "string", "confidence": 123, "count": 123, "creator_name": "string", "data": {}, "desc": "string", "duration": 123, "end_time_dt": "string", "enrichments": []}
```

### Incident Update

Updates an existing incident within the SOS Findings Events platform using the provided incident details.

#### Endpoint

Method: `GET`

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| incident_update | object | required | Unique identifier. |
| incident_update.activity_name | string | required | The event activity name, as defined by the activity_id. |
| incident_update.assignee | string | optional | The name of the user who is assigned to the incident. |
| incident_update.cloud | object | optional | Describes details about the cloud environment where the event was originally created or logged. |
| incident_update.cloud.account_name | string | optional | The name of the account (e.g. AWS account name). |
| incident_update.cloud.account_type | string | optional | The user account type, as defined by the event source. |
| incident_update.cloud.account_uid | string | optional | The unique identifier of the account (e.g. AWS account ID). |
| incident_update.cloud.org_uid | string | optional | The unique identifier of the organization to which the user belongs. For example, Active Directory or AWS Org ID. |
| incident_update.cloud.project_uid | string | optional | Cloud project identifier. |
| incident_update.cloud.provider | string | required | The unique name of the cloud services provider, such as AWS, MS Azure, GCP, etc. |
| incident_update.cloud.region | string | optional | The name of the cloud region, as defined by the cloud provider. |
| incident_update.cloud.resource_uid | string | optional | The unique identifier of a cloud resource. For example, S3 bucket name, EC2 instance ID. |
| incident_update.cloud.zone | string | optional | The availability zone in the cloud region, as defined by the cloud provider. |
| incident_update.comment | string | optional | The user-provided comment. |
| incident_update.confidence | integer | optional | The confidence of the reported event severity as a percentage: 0%-100%. |
| incident_update.count | integer | optional | The number of times that events in the same logical group occurred during the event start_time to end_time period. |
| incident_update.data | object | optional | The additional data that is associated with the incident. |
| incident_update.duration | integer | optional | The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds. |
| incident_update.end_time_dt | string | optional | The end time of a time period, or the time of the most recent event included in the aggregate event. |
| incident_update.enrichments | array | optional | The additional information from an external data source, which is associated with the event. For example, add location information for the IP address in the DNS answers: `[{"name": "answers.ip", "value": "92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent": "Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc": "Yemen"}}]` |
| incident_update.enrichments.data | object | required | The enrichment data associated with the attribute and value. The meaning of this data depends on the type of the enrichment record. |
| incident_update.enrichments.name | string | optional | The name of the attribute to which the enriched data pertains. |
| incident_update.enrichments.provider | string | optional | The enrichment data provider name. |
| incident_update.enrichments.type | string | optional | The enrichment type. For example: location. |
| incident_update.enrichments.value | object | optional | The value of the attribute to which the enriched data pertains. |

#### Input Example

```json
{"incident_update": {"activity_name": "Example Name", "assignee": "string", "cloud": {"account_name": "Example Name", "account_type": "string", "account_uid": "string", "org_uid": "string", "project_uid": "string", "provider": "string", "region": "string", "resource_uid": "string", "zone": "string"}, "comment": "string", "confidence": 123, "count": 123, "data": {}, "duration": 123, "end_time_dt": "string", "enrichments": [{"data": {}, "name": "Example Name", "provider": "string", "type": "string", "value": {}}], "incident_uid": "string", "message": "string", "metadata": {"correlation_uid": "string", "labels": ["string"], "logged_time
```
dt" "string","modified time dt" "string","original time" "string","processed time dt" "string","product" {"feature" {},"lang" "string","name" "example name","path" "string","uid" "string","vendor name" "example name","version" "string"},"profiles" \["string"],"sequence" 123,"uid" "string","version" "string"},"modified time dt" "string","modifier" "string","observables" \[{"enrichments" \[{"data" {},"name" "example name","provider" "string","type" "string","value" {}}],"name" "example name","type" "string","value" {}}],"priority" 123,"raw data" "string","rule" {"category" "string","desc" "string","name" "example name","type" "string","uid" "string","version" "string"},"severity" "string","start time dt" "string","state" "string","status" "active","status detail" "active","time dt" "string","timezone offset" 123,"unmapped" {}}} output parameter type description activity name string the event activity name, as defined by the activity id assignee string the name of the user who is assigned to the incident category name string the event category name, as defined by category uid value findings class name string the event class name, as defined by class uid value incident update cloud object describes details about the cloud enviroment where the event was originally created or logged cloud account name string the name of the account (e g aws account name) cloud account type string the user account type, as defined by the event source cloud account uid string the unique identifier of the account (e g aws account id) cloud org uid string the unique identifier of the organization to which the user belongs for example, active directory or aws org id cloud project uid string cloud project identifier cloud provider string the unique name of the cloud services provider, such as aws, ms azure, gcp, etc cloud region string the name of the cloud region, as defined by the cloud provider cloud resource uid string the unique identifier of a cloud resource for example, s3 bucket name, 
ec2 instance id cloud zone string the availability zone in the cloud region, as defined by the cloud provider comment string the user provided comment confidence integer the confidence of the reported event severity as a percentage 0% 100% count integer the number of times that events in the same logical group occurred during the event start time to end time period data object the additional data that is associated with the incident duration integer the event duration or aggregate time, the amount of time the event covers from start time to end time in milliseconds end time dt string the end time of a time period, or the time of the most recent event included in the aggregate event enrichments array the additional information from an external data source, which is associated with the event for example add location information for the ip address in the dns answers \[{"name" "answers ip", "value" "92 24 47 250", "type" "location", "data" {"city" "socotra", "continent" "asia", "coordinates" \[ 25 4153, 17 0743], "country" "ye", "desc" "yemen"}}] enrichments data object the enrichment data associated with the attribute and value the meaning of this data depends on the type the enrichment record enrichments name string the name of the attribute to which the enriched data pertains enrichments provider string the enrichment data provider name enrichments type string the enrichment type for example location output example {"activity name" "string","assignee" "string","category name" "string","class name" "string","cloud" {"account name" "example name","account type" "string","account uid" "string","org uid" "string","project uid" "string","provider" "string","region" "string","resource uid" "string","zone" "string"},"comment" "string","confidence" 123,"count" 123,"data" {},"duration" 123,"end time dt" "string","enrichments" \[],"incident uid" "string","message" "string","metadata" {"correlation uid" "string","labe reported finding submit a reported finding to sos findings 
events, requiring specific finding details endpoint method get input argument name type required description reported finding object required parameter for reported finding reported finding activity name string required the event activity name, as defined by the activity id reported finding attacks array optional the attack object describes the technique and associated tactics as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm reported finding attacks tactics array required the a list of tactic id's/names that are associated with the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm reported finding attacks tactics name string optional the tactic name that is associated with the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm reported finding attacks tactics uid string required the tactic id that is associated with the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm reported finding attacks technique object required the attack technique reported finding attacks technique name string optional the name of the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm for example drive by compromise reported finding attacks technique uid string required the unique identifier of the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm for example t1189 reported finding attacks version string required the att\&ck matrix version reported finding cloud object optional describes details about the cloud enviroment where the event was originally created or logged reported finding cloud account name string optional the name of the account (e g aws account name) reported finding cloud account type string optional the user account type, as defined by the event source reported finding cloud account uid string optional the unique identifier 
of the account (e g aws account id) reported finding cloud org uid string optional the unique identifier of the organization to which the user belongs for example, active directory or aws org id reported finding cloud project uid string optional cloud project identifier reported finding cloud provider string required the unique name of the cloud services provider, such as aws, ms azure, gcp, etc reported finding cloud region string optional the name of the cloud region, as defined by the cloud provider reported finding cloud resource uid string optional the unique identifier of a cloud resource for example, s3 bucket name, ec2 instance id reported finding cloud zone string optional the availability zone in the cloud region, as defined by the cloud provider reported finding compliance object optional the complaince object provides context to compliance findings (e g , a check against a specific regulatory or best practice framework such as cis or nist) and contains compliance related details reported finding compliance requirements array optional a list of applicable compliance requirements for which this finding is related to reported finding compliance status string optional the event status, as reported by the event source reported finding compliance status detail string optional the status details contains additional information about the event outcome reported finding confidence integer optional the confidence of the reported event severity as a percentage 0% 100% input example {"reported finding" {"activity name" "example name","attacks" \[{"tactics" \[{"name" "example name","uid" "string"}],"technique" {"name" "example name","uid" "string"},"version" "string"}],"cloud" {"account name" "example name","account type" "string","account uid" "string","org uid" "string","project uid" "string","provider" "string","region" "string","resource uid" "string","zone" "string"},"compliance" {"requirements" \["string"],"status" "active","status detail" 
"active"},"confidence" 123,"count" 123,"data" {},"duration" 123,"end time dt" "string","enrichments" \[{"data" {},"name" "example name","provider" "string","type" "string","value" {}}],"finding" {"created time dt" "string","desc" "string","first seen time dt" "string","last seen time dt" "string","log sources" \[{"name" "example name","type" "string"}],"modified time dt" "string","product uid" "string","related events" {},"remediation" {"desc" "string","kb articles" \["string"]},"rules" \[{"category" "string","desc" "string","name" "example name","type" "string","uid" "string","version" "string"}],"src url" "string","supporting data" \[],"title" "string","types" \["string"],"uid" "string"},"malware" \[{"classifications" \["string"],"cves" \[{"created time dt" "string","cvss" {},"cwe uid" "string","cwe url" "string","modified time dt" "string","product" {},"type" "string","uid" "string"}],"name" "example name","path" "string","provider" "string","uid" "string"}],"message" "string","metadata" {"correlation uid" "string","labels" \["string"],"logged time dt" "string","modified time dt" "string","original time" "string","processed time dt" "string","product" {"feature" {},"lang" "string","name" "example name","path" "string","uid" "string","vendor name" "example name","version" "string"},"profiles" \["string"],"sequence" 123,"uid" "string","version" "string"},"observables" \[{"enrichments" \[{"data" {},"name" "example name","provider" "string","type" "string","value" {}}],"name" "example name","type" "string","value" {}}],"organization" {"data" {},"name" "example name","sectors" \["string"],"uid" "string"},"process" {"cmd line" "string","created time dt" "string","file" {"accessed time dt" "string","accessor" "string","attributes" 123,"company name" "example name","confidentiality" "string","created time dt" "string","creator" "string","desc" "string","fingerprints" \[],"is system"\ true,"mime type" "string","modified time dt" "string","modifier" "string","name" 
"example name","owner" "string","parent folder" "string","path" "string","product" {},"security descriptor" "string","signature" {},"size" 123,"type" "string","uid" "string","version" "string","xattributes" {}},"integrity" "string","integrity id" 123,"lineage" \["string"],"loaded modules" \["string"],"name" "example name","parent process" {"cmd line" "string","created time dt" "string","file" {},"integrity" "string","integrity id" 123,"lineage" \["string"],"loaded modules" \["string"],"name" "example name","parent process" {},"pid" 123,"sandbox" "string","terminated time dt" "string","tid" 123,"uid" "string","user" {},"xattributes" {}},"pid" 123,"sandbox" "string","terminated time dt" "string","tid" 123,"uid" "string","user" {"account type" "string","account uid" "string","credential uid" "string","domain" "string","email addr" "string","groups" \[],"name" "example name","org uid" "string","session uid" "string","session uuid" "string","type" "string","uid" "string","uuid" "12345678 1234 1234 1234 123456789abc"},"xattributes" {}},"raw data" "string","reporter" {"account type" "string","account uid" "string","credential uid" "string","domain" "string","email addr" "string","groups" \[{"desc" "string","name" "example name","privileges" \["string"],"type" "string","uid" "string"}],"name" "example name","org uid" "string","session uid" "string","session uuid" "string","type" "string","uid" "string","uuid" "12345678 1234 1234 1234 123456789abc"},"resources" \[{"account uid" "string","cloud partition" "string","criticality" "string","details" "string","group name" "example name","labels" \["string"],"name" "example name","owner" "string","region" "string","software inventory" \[{"feature" {},"lang" "string","name" "example name","path" "string","uid" "string","vendor name" "example name","version" "string"}],"type" "string","uid" "string","unmapped" {}}],"severity" "string","start time dt" "string","state" "string","status" "active","status detail" "active","time dt" 
"string","timezone offset" 123,"unmapped" {},"vulnerabilities" \[{"cve" {"created time dt" "string","cvss" {},"cwe uid" "string","cwe url" "string","modified time dt" "string","product" {},"type" "string","uid" "string"},"desc" "string","kb articles" \["string"],"packages" \[{"architecture" "string","epoch" 123,"name" "example name","release" "string","version" "string"}],"references" \["string"],"related vulnerabilities" \["string"],"severity" "string","title" "string","vendor name" "example name"}]}} output parameter type description activity name string the event activity name, as defined by the activity id attacks array the attack object describes the technique and associated tactics as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm attacks tactics array the a list of tactic id's/names that are associated with the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm attacks tactics name string the tactic name that is associated with the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm attacks tactics uid string the tactic id that is associated with the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm attacks technique object the attack technique attacks technique name string the name of the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm for example drive by compromise attacks technique uid string the unique identifier of the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm for example t1189 attacks version string the att\&ck matrix version category name string the event category name, as defined by category uid value findings class name string the event class name, as defined by class uid value reported finding cloud object describes details about the cloud enviroment where the event was originally created or 
logged cloud account name string the name of the account (e g aws account name) cloud account type string the user account type, as defined by the event source cloud account uid string the unique identifier of the account (e g aws account id) cloud org uid string the unique identifier of the organization to which the user belongs for example, active directory or aws org id cloud project uid string cloud project identifier cloud provider string the unique name of the cloud services provider, such as aws, ms azure, gcp, etc cloud region string the name of the cloud region, as defined by the cloud provider cloud resource uid string the unique identifier of a cloud resource for example, s3 bucket name, ec2 instance id cloud zone string the availability zone in the cloud region, as defined by the cloud provider compliance object the complaince object provides context to compliance findings (e g , a check against a specific regulatory or best practice framework such as cis or nist) and contains compliance related details compliance requirements array a list of applicable compliance requirements for which this finding is related to compliance status string the event status, as reported by the event source compliance status detail string the status details contains additional information about the event outcome output example {"activity name" "string","attacks" \[],"category name" "string","class name" "string","cloud" {"account name" "example name","account type" "string","account uid" "string","org uid" "string","project uid" "string","provider" "string","region" "string","resource uid" "string","zone" "string"},"compliance" {"requirements" \["string"],"status" "active","status detail" "active"},"confidence" 123,"count" 123,"data" {},"duration" 123,"end time dt" "string","enrichments" \[],"finding" {"created time dt" security finding retrieve detailed information about a specific security finding in sos findings events using the provided identifier endpoint method get 
input argument name type required description security finding object required parameter for security finding security finding activity name string required the event activity name, as defined by the activity id security finding attacks array optional the attack object describes the technique and associated tactics as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm security finding attacks tactics array required the a list of tactic id's/names that are associated with the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm security finding attacks tactics name string optional the tactic name that is associated with the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm security finding attacks tactics uid string required the tactic id that is associated with the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm security finding attacks technique object required the attack technique security finding attacks technique name string optional the name of the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm for example drive by compromise security finding attacks technique uid string required the unique identifier of the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm for example t1189 security finding attacks version string required the att\&ck matrix version security finding cloud object optional describes details about the cloud enviroment where the event was originally created or logged security finding cloud account name string optional the name of the account (e g aws account name) security finding cloud account type string optional the user account type, as defined by the event source security finding cloud account uid string optional the unique identifier of the account (e g aws account id) security finding cloud org 
uid string optional the unique identifier of the organization to which the user belongs for example, active directory or aws org id security finding cloud project uid string optional cloud project identifier security finding cloud provider string required the unique name of the cloud services provider, such as aws, ms azure, gcp, etc security finding cloud region string optional the name of the cloud region, as defined by the cloud provider security finding cloud resource uid string optional the unique identifier of a cloud resource for example, s3 bucket name, ec2 instance id security finding cloud zone string optional the availability zone in the cloud region, as defined by the cloud provider security finding compliance object optional the complaince object provides context to compliance findings (e g , a check against a specific regulatory or best practice framework such as cis or nist) and contains compliance related details security finding compliance requirements array optional a list of applicable compliance requirements for which this finding is related to security finding compliance status string optional the event status, as reported by the event source security finding compliance status detail string optional the status details contains additional information about the event outcome security finding confidence integer optional the confidence of the reported event severity as a percentage 0% 100% input example {"security finding" {"activity name" "example name","attacks" \[{"tactics" \[{"name" "example name","uid" "string"}],"technique" {"name" "example name","uid" "string"},"version" "string"}],"cloud" {"account name" "example name","account type" "string","account uid" "string","org uid" "string","project uid" "string","provider" "string","region" "string","resource uid" "string","zone" "string"},"compliance" {"requirements" \["string"],"status" "active","status detail" "active"},"confidence" 123,"count" 123,"data" {},"duration" 123,"end time dt" 
"string","enrichments" \[{"data" {},"name" "example name","provider" "string","type" "string","value" {}}],"finding" {"created time dt" "string","desc" "string","first seen time dt" "string","last seen time dt" "string","log sources" \[{"name" "example name","type" "string"}],"modified time dt" "string","product uid" "string","related events" {},"remediation" {"desc" "string","kb articles" \["string"]},"rules" \[{"category" "string","desc" "string","name" "example name","type" "string","uid" "string","version" "string"}],"src url" "string","supporting data" \[],"title" "string","types" \["string"],"uid" "string"},"malware" \[{"classifications" \["string"],"cves" \[{"created time dt" "string","cvss" {},"cwe uid" "string","cwe url" "string","modified time dt" "string","product" {},"type" "string","uid" "string"}],"name" "example name","path" "string","provider" "string","uid" "string"}],"message" "string","metadata" {"correlation uid" "string","labels" \["string"],"logged time dt" "string","modified time dt" "string","original time" "string","processed time dt" "string","product" {"feature" {},"lang" "string","name" "example name","path" "string","uid" "string","vendor name" "example name","version" "string"},"profiles" \["string"],"sequence" 123,"uid" "string","version" "string"},"observables" \[{"enrichments" \[{"data" {},"name" "example name","provider" "string","type" "string","value" {}}],"name" "example name","type" "string","value" {}}],"organization" {"data" {},"name" "example name","sectors" \["string"],"uid" "string"},"process" {"cmd line" "string","created time dt" "string","file" {"accessed time dt" "string","accessor" "string","attributes" 123,"company name" "example name","confidentiality" "string","created time dt" "string","creator" "string","desc" "string","fingerprints" \[],"is system"\ true,"mime type" "string","modified time dt" "string","modifier" "string","name" "example name","owner" "string","parent folder" "string","path" "string","product" 
{},"security descriptor" "string","signature" {},"size" 123,"type" "string","uid" "string","version" "string","xattributes" {}},"integrity" "string","integrity id" 123,"lineage" \["string"],"loaded modules" \["string"],"name" "example name","parent process" {"cmd line" "string","created time dt" "string","file" {},"integrity" "string","integrity id" 123,"lineage" \["string"],"loaded modules" \["string"],"name" "example name","parent process" {},"pid" 123,"sandbox" "string","terminated time dt" "string","tid" 123,"uid" "string","user" {},"xattributes" {}},"pid" 123,"sandbox" "string","terminated time dt" "string","tid" 123,"uid" "string","user" {"account type" "string","account uid" "string","credential uid" "string","domain" "string","email addr" "string","groups" \[],"name" "example name","org uid" "string","session uid" "string","session uuid" "string","type" "string","uid" "string","uuid" "12345678 1234 1234 1234 123456789abc"},"xattributes" {}},"raw data" "string","resources" \[{"account uid" "string","cloud partition" "string","criticality" "string","details" "string","group name" "example name","labels" \["string"],"name" "example name","owner" "string","region" "string","software inventory" \[{"feature" {},"lang" "string","name" "example name","path" "string","uid" "string","vendor name" "example name","version" "string"}],"type" "string","uid" "string","unmapped" {}}],"severity" "string","start time dt" "string","state" "string","status" "active","status detail" "active","time dt" "string","timezone offset" 123,"unmapped" {},"vulnerabilities" \[{"cve" {"created time dt" "string","cvss" {},"cwe uid" "string","cwe url" "string","modified time dt" "string","product" {},"type" "string","uid" "string"},"desc" "string","kb articles" \["string"],"packages" \[{"architecture" "string","epoch" 123,"name" "example name","release" "string","version" "string"}],"references" \["string"],"related vulnerabilities" \["string"],"severity" "string","title" "string","vendor 
name" "example name"}]}} output parameter type description activity name string the event activity name, as defined by the activity id attacks array the attack object describes the technique and associated tactics as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm attacks tactics array the a list of tactic id's/names that are associated with the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm attacks tactics name string the tactic name that is associated with the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm attacks tactics uid string the tactic id that is associated with the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm attacks technique object the attack technique attacks technique name string the name of the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm for example drive by compromise attacks technique uid string the unique identifier of the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm for example t1189 attacks version string the att\&ck matrix version category name string the event category name, as defined by category uid value findings class name string the event class name, as defined by class uid value security finding cloud object describes details about the cloud enviroment where the event was originally created or logged cloud account name string the name of the account (e g aws account name) cloud account type string the user account type, as defined by the event source cloud account uid string the unique identifier of the account (e g aws account id) cloud org uid string the unique identifier of the organization to which the user belongs for example, active directory or aws org id cloud project uid string cloud project identifier cloud provider string the unique name of the cloud 
services provider, such as aws, ms azure, gcp, etc cloud region string the name of the cloud region, as defined by the cloud provider cloud resource uid string the unique identifier of a cloud resource for example, s3 bucket name, ec2 instance id cloud zone string the availability zone in the cloud region, as defined by the cloud provider compliance object the complaince object provides context to compliance findings (e g , a check against a specific regulatory or best practice framework such as cis or nist) and contains compliance related details compliance requirements array a list of applicable compliance requirements for which this finding is related to compliance status string the event status, as reported by the event source compliance status detail string the status details contains additional information about the event outcome output example {"activity name" "string","attacks" \[],"category name" "string","class name" "string","cloud" {"account name" "example name","account type" "string","account uid" "string","org uid" "string","project uid" "string","provider" "string","region" "string","resource uid" "string","zone" "string"},"compliance" {"requirements" \["string"],"status" "active","status detail" "active"},"confidence" 123,"count" 123,"data" {},"duration" 123,"end time dt" "string","enrichments" \[],"finding" {"created time dt" response headers header description example content type the media type of the resource application/json date the date and time at which the message was originated thu, 01 jan 2024 00 00 00 gmt