# SOS Network Activity Events Pt1

The SOS Network Activity Events Pt1 connector automates the creation of detailed network activity events, streamlining the process of monitoring and responding to network-related security incidents.

SOS Network Activity Events Pt1 is a solution for monitoring and responding to network events. The connector integrates with Swimlane Turbine, allowing users to automate the detection and handling of DHCP, DNS, email, FTP, and HTTP activities. By leveraging this connector, security teams can track network behavior, identify anomalies, and initiate rapid response actions, improving the overall security posture and reducing manual intervention.

## Capabilities

- Create DHCP Activity events
- Create DNS Activity events
- Create Email Delivery Activity events
- Create Email File Activity events
- Create Email URL Activity events
- Create FTP Activity events
- Create HTTP Activity events

## Actions

### DHCP Activity

Create a DHCP Activity event in SOS Network Activity Events Pt1 using the provided activity data.

Endpoint method: GET

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| dhcp_activity | object | Required | Parameter for DHCP Activity. |
| activity_name | string | Required | The event activity name, as defined by the activity_id. |
| cloud | object | Optional | Describes details about the cloud environment where the event was originally created or logged. |
| cloud.account_name | string | Optional | The name of the account (e.g. AWS account name). |
| cloud.account_type | string | Optional | The user account type, as defined by the event source. |
| cloud.account_uid | string | Optional | The unique identifier of the account (e.g. AWS account ID). |
| cloud.org_uid | string | Optional | The unique identifier of the organization to which the user belongs. For example, Active Directory or AWS org ID. |
| cloud.project_uid | string | Optional | Cloud project identifier. |
| cloud.provider | string | Required | The unique name of the cloud services provider, such as AWS, MS Azure, GCP, etc. |
| cloud.region | string | Optional | The name of the cloud region, as defined by the cloud provider. |
| cloud.resource_uid | string | Optional | The unique identifier of a cloud resource. For example, S3 bucket name, EC2 instance ID. |
| cloud.zone | string | Optional | The availability zone in the cloud region, as defined by the cloud provider. |
| confidence | integer | Optional | The confidence of the reported event severity as a percentage: 0%-100%. |
| count | integer | Optional | The number of times that events in the same logical group occurred during the event start_time to end_time period. |
| data | object | Optional | Additional data that is associated with the event. |
| duration | integer | Optional | The event duration or aggregate time: the amount of time the event covers from start_time to end_time, in milliseconds. |
| end_time_dt | string | Optional | The end time of a time period, or the time of the most recent event included in the aggregate event. |
| is_renewal | boolean | Optional | The indication of whether this is a lease/session renewal event. |
| lease_dur | integer | Optional | The length of the DHCP lease in seconds. This is present in DHCP Ack events (activity_id = 1). |
| message | string | Optional | The description of the event, as defined by the event source. |
| metadata | object | Required | The metadata associated with the event. |
| metadata.correlation_uid | string | Optional | The unique identifier used to correlate events. |
| metadata.labels | array | Optional | The list of category labels attached to the event or specific attributes. Labels are user-defined tags or aliases added at normalization time. For example: `["network", "connection.ip:destination", "device.ip:source"]`. |
| metadata.logged_time_dt | string | Optional | The time when the logging system collected and logged the event. This attribute is distinct from the event time in that the event time typically contains the time extracted from the original event. Most of the time, these two times will be different. |
| metadata.modified_time_dt | string | Optional | The time when the event was last modified or enriched. |

#### Output

| Parameter | Type | Description |
|---|---|---|
| activity_name | string | The event activity name, as defined by the activity_id. |
| category_name | string | The event category name, as defined by the category_uid value: Network Activity. |
| class_name | string | The event class name, as defined by the class_uid value: DHCP Activity. |
| cloud | object | Describes details about the cloud environment where the event was originally created or logged. |
| cloud.account_name | string | The name of the account (e.g. AWS account name). |
| cloud.account_type | string | The user account type, as defined by the event source. |
| cloud.account_uid | string | The unique identifier of the account (e.g. AWS account ID). |
| cloud.org_uid | string | The unique identifier of the organization to which the user belongs. For example, Active Directory or AWS org ID. |
| cloud.project_uid | string | Cloud project identifier. |
| cloud.provider | string | The unique name of the cloud services provider, such as AWS, MS Azure, GCP, etc. |
| cloud.region | string | The name of the cloud region, as defined by the cloud provider. |
| cloud.resource_uid | string | The unique identifier of a cloud resource. For example, S3 bucket name, EC2 instance ID. |
| cloud.zone | string | The availability zone in the cloud region, as defined by the cloud provider. |
| confidence | integer | The confidence of the reported event severity as a percentage: 0%-100%. |
| count | integer | The number of times that events in the same logical group occurred during the event start_time to end_time period. |
| data | object | Additional data that is associated with the event. |
| duration | integer | The event duration or aggregate time: the amount of time the event covers from start_time to end_time, in milliseconds. |
| end_time_dt | string | The end time of a time period, or the time of the most recent event included in the aggregate event. |
| is_renewal | boolean | The indication of whether this is a lease/session renewal event. |
| lease_dur | integer | The length of the DHCP lease in seconds. This is present in DHCP Ack events (activity_id = 1). |
| message | string | The description of the event, as defined by the event source. |
| metadata | object | The metadata associated with the event. |
| metadata.correlation_uid | string | The unique identifier used to correlate events. |
| metadata.labels | array | The list of category labels attached to the event or specific attributes. Labels are user-defined tags or aliases added at normalization time. For example: `["network", "connection.ip:destination", "device.ip:source"]`. |
| metadata.logged_time_dt | string | The time when the logging system collected and logged the event. This attribute is distinct from the event time in that the event time typically contains the time extracted from the original event. Most of the time, these two times will be different. |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "activity_name": "string",
    "category_name": "string",
    "class_name": "string",
    "cloud": {
      "account_name": "Example Name",
      "account_type": "string",
      "account_uid": "string",
      "org_uid": "string",
      "project_uid": "string",
      "provider": "string",
      "region": "string",
      "resource_uid": "string",
      "zone": "string"
    },
    "confidence": 123,
    "count": 123,
    "data": {},
    "duration": 123,
    "end_time_dt": "string",
    "is_renewal": true,
    "lease_dur": 123,
    "message": "string"
  }
]
```

### DNS Activity

Create a DNS Activity event in SOS Network Activity Events Pt1 using the provided DNS activity data.

Endpoint method: GET

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| dns_activity | object | Required | Parameter for DNS Activity. |
| activity_name | string | Required | The event activity name, as defined by the activity_id. |
| answers | array | Optional | The Domain Name System (DNS) answers. |
| answers[].class | string | Required | The class of DNS data contained in this resource record. See [RFC 1035](https://www.rfc-editor.org/rfc/rfc1035.txt). For example: IN. |
| answers[].flags | array | Optional | The list of DNS answer header flags. |
| answers[].packet_uid | integer | Optional | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. |
| answers[].rdata | string | Required | The data describing the DNS resource. The meaning of this data depends on the type and class of the resource record. |
| answers[].ttl | integer | Optional | The time interval that the resource record may be cached. A zero value means that the resource record can only be used for the transaction in progress, and should not be cached. |
| answers[].type | string | Required | The type of data contained in this resource record. See [RFC 1035](https://www.rfc-editor.org/rfc/rfc1035.txt). For example: CNAME. |
| app_name | string | Optional | The name of the application that is associated with the event or object. |
| attacks | array | Optional | An array of attacks associated with an event. |
| attacks[].tactics | array | Required | The list of tactic IDs/names that are associated with the attack technique, as defined by the [ATT&CK Matrix™](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| attacks[].tactics[].name | string | Optional | The tactic name that is associated with the attack technique, as defined by the ATT&CK Matrix™. |
| attacks[].tactics[].uid | string | Required | The tactic ID that is associated with the attack technique, as defined by the ATT&CK Matrix™. |
| attacks[].technique | object | Required | The attack technique. |
| attacks[].technique.name | string | Optional | The name of the attack technique, as defined by the ATT&CK Matrix™. For example: Drive-by Compromise. |
| attacks[].technique.uid | string | Required | The unique identifier of the attack technique, as defined by the ATT&CK Matrix™. For example: T1189. |
| attacks[].version | string | Required | The ATT&CK Matrix version. |
| cloud | object | Optional | Describes details about the cloud environment where the event was originally created or logged. |
| cloud.account_name | string | Optional | The name of the account (e.g. AWS account name). |
| cloud.account_type | string | Optional | The user account type, as defined by the event source. |
| cloud.account_uid | string | Optional | The unique identifier of the account (e.g. AWS account ID). |
| cloud.org_uid | string | Optional | The unique identifier of the organization to which the user belongs. For example, Active Directory or AWS org ID. |
| cloud.project_uid | string | Optional | Cloud project identifier. |
| cloud.provider | string | Required | The unique name of the cloud services provider, such as AWS, MS Azure, GCP, etc. |

#### Output

| Parameter | Type | Description |
|---|---|---|
| activity_name | string | The event activity name, as defined by the activity_id. |
| answers | array | The Domain Name System (DNS) answers. |
| answers[].class | string | The class of DNS data contained in this resource record. See [RFC 1035](https://www.rfc-editor.org/rfc/rfc1035.txt). For example: IN. |
| answers[].flags | array | The list of DNS answer header flags. |
| answers[].packet_uid | integer | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. |
| answers[].rdata | string | The data describing the DNS resource. The meaning of this data depends on the type and class of the resource record. |
| answers[].ttl | integer | The time interval that the resource record may be cached. A zero value means that the resource record can only be used for the transaction in progress, and should not be cached. |
| answers[].type | string | The type of data contained in this resource record. See [RFC 1035](https://www.rfc-editor.org/rfc/rfc1035.txt). For example: CNAME. |
| app_name | string | The name of the application that is associated with the event or object. |
| attacks | array | An array of attacks associated with an event. |
| attacks[].tactics | array | The list of tactic IDs/names that are associated with the attack technique, as defined by the [ATT&CK Matrix™](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| attacks[].tactics[].name | string | The tactic name that is associated with the attack technique, as defined by the ATT&CK Matrix™. |
| attacks[].tactics[].uid | string | The tactic ID that is associated with the attack technique, as defined by the ATT&CK Matrix™. |
| attacks[].technique | object | The attack technique. |
| attacks[].technique.name | string | The name of the attack technique, as defined by the ATT&CK Matrix™. For example: Drive-by Compromise. |
| attacks[].technique.uid | string | The unique identifier of the attack technique, as defined by the ATT&CK Matrix™. For example: T1189. |
| attacks[].version | string | The ATT&CK Matrix version. |
| category_name | string | The event category name, as defined by the category_uid value: Network Activity. |
| class_name | string | The event class name, as defined by the class_uid value: DNS Activity. |
| cloud | object | Describes details about the cloud environment where the event was originally created or logged. |
| cloud.account_name | string | The name of the account (e.g. AWS account name). |
| cloud.account_type | string | The user account type, as defined by the event source. |
| cloud.account_uid | string | The unique identifier of the account (e.g. AWS account ID). |
| cloud.org_uid | string | The unique identifier of the organization to which the user belongs. For example, Active Directory or AWS org ID. |
| cloud.project_uid | string | Cloud project identifier. |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "activity_name": "string",
    "answers": [],
    "app_name": "string",
    "attacks": [],
    "category_name": "string",
    "class_name": "string",
    "cloud": {
      "account_name": "Example Name",
      "account_type": "string",
      "account_uid": "string",
      "org_uid": "string",
      "project_uid": "string",
      "provider": "string",
      "region": "string",
      "resource_uid": "string",
      "zone": "string"
    },
    "confidence": 123,
    "connection_info": {
      "boundary": "string",
      "direction": "string",
      "protocol_name": "Example Name",
      "protocol_num": 123,
      "protocol_ver": "string",
      "tcp_flags": 123,
      "uid": "string"
    },
    "count": 123,
    "data": {},
    "disposition": "string"
  }
]
```

### Email Delivery Activity

Create an Email Delivery Activity event in SOS Network Activity Events Pt1 using the specified activity data.

Endpoint method: GET

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| email_delivery_activity | object | Required | Parameter for Email Delivery Activity. |
| activity_name | string | Required | The event activity name, as defined by the activity_id. |
| attacks | array | Optional | An array of attacks associated with an event. |
| attacks[].tactics | array | Required | The list of tactic IDs/names that are associated with the attack technique, as defined by the [ATT&CK Matrix™](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| attacks[].tactics[].name | string | Optional | The tactic name that is associated with the attack technique, as defined by the ATT&CK Matrix™. |
| attacks[].tactics[].uid | string | Required | The tactic ID that is associated with the attack technique, as defined by the ATT&CK Matrix™. |
| attacks[].technique | object | Required | The attack technique. |
| attacks[].technique.name | string | Optional | The name of the attack technique, as defined by the ATT&CK Matrix™. For example: Drive-by Compromise. |
| attacks[].technique.uid | string | Required | The unique identifier of the attack technique, as defined by the ATT&CK Matrix™. For example: T1189. |
| attacks[].version | string | Required | The ATT&CK Matrix version. |
| attempt | string | Optional | Attempt. |
| banner | string | Optional | Banner. |
| cloud | object | Optional | Describes details about the cloud environment where the event was originally created or logged. |
| cloud.account_name | string | Optional | The name of the account (e.g. AWS account name). |
| cloud.account_type | string | Optional | The user account type, as defined by the event source. |
| cloud.account_uid | string | Optional | The unique identifier of the account (e.g. AWS account ID). |
| cloud.org_uid | string | Optional | The unique identifier of the organization to which the user belongs. For example, Active Directory or AWS org ID. |
| cloud.project_uid | string | Optional | Cloud project identifier. |
| cloud.provider | string | Required | The unique name of the cloud services provider, such as AWS, MS Azure, GCP, etc. |
| cloud.region | string | Optional | The name of the cloud region, as defined by the cloud provider. |
| cloud.resource_uid | string | Optional | The unique identifier of a cloud resource. For example, S3 bucket name, EC2 instance ID. |
| cloud.zone | string | Optional | The availability zone in the cloud region, as defined by the cloud provider. |
| confidence | integer | Optional | The confidence of the reported event severity as a percentage: 0%-100%. |
| count | integer | Optional | The number of times that events in the same logical group occurred during the event start_time to end_time period. |
| data | object | Optional | Additional data that is associated with the event. |

#### Output

| Parameter | Type | Description |
|---|---|---|
| activity_name | string | The event activity name, as defined by the activity_id. |
| attacks | array | An array of attacks associated with an event. |
| attacks[].tactics | array | The list of tactic IDs/names that are associated with the attack technique, as defined by the [ATT&CK Matrix™](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| attacks[].tactics[].name | string | The tactic name that is associated with the attack technique, as defined by the ATT&CK Matrix™. |
| attacks[].tactics[].uid | string | The tactic ID that is associated with the attack technique, as defined by the ATT&CK Matrix™. |
| attacks[].technique | object | The attack technique. |
| attacks[].technique.name | string | The name of the attack technique, as defined by the ATT&CK Matrix™. For example: Drive-by Compromise. |
| attacks[].technique.uid | string | The unique identifier of the attack technique, as defined by the ATT&CK Matrix™. For example: T1189. |
| attacks[].version | string | The ATT&CK Matrix version. |
| attempt | string | Attempt. |
| banner | string | Banner. |
| category_name | string | The event category name, as defined by the category_uid value: Network Activity. |
| class_name | string | The event class name, as defined by the class_uid value: Email Delivery Activity. |
| cloud | object | Describes details about the cloud environment where the event was originally created or logged. |
| cloud.account_name | string | The name of the account (e.g. AWS account name). |
| cloud.account_type | string | The user account type, as defined by the event source. |
| cloud.account_uid | string | The unique identifier of the account (e.g. AWS account ID). |
| cloud.org_uid | string | The unique identifier of the organization to which the user belongs. For example, Active Directory or AWS org ID. |
| cloud.project_uid | string | Cloud project identifier. |
| cloud.provider | string | The unique name of the cloud services provider, such as AWS, MS Azure, GCP, etc. |
| cloud.region | string | The name of the cloud region, as defined by the cloud provider. |
| cloud.resource_uid | string | The unique identifier of a cloud resource. For example, S3 bucket name, EC2 instance ID. |
| cloud.zone | string | The availability zone in the cloud region, as defined by the cloud provider. |
| confidence | integer | The confidence of the reported event severity as a percentage: 0%-100%. |
| count | integer | The number of times that events in the same logical group occurred during the event start_time to end_time period. |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "activity_name": "string",
    "attacks": [],
    "attempt": "string",
    "banner": "string",
    "category_name": "string",
    "class_name": "string",
    "cloud": {
      "account_name": "Example Name",
      "account_type": "string",
      "account_uid": "string",
      "org_uid": "string",
      "project_uid": "string",
      "provider": "string",
      "region": "string",
      "resource_uid": "string",
      "zone": "string"
    },
    "confidence": 123,
    "count": 123,
    "data": {},
    "disposition": "string",
    "duration": 123
  }
]
```

### Email File Activity

Create an Email File Activity event in SOS Network Activity Events Pt1 using the specified details.

Endpoint method: GET

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| email_file_activity | object | Required | Parameter for Email File Activity. |
| activity_name | string | Required | The event activity name, as defined by the activity_id. |
| attacks | array | Optional | An array of attacks associated with an event. |
| attacks[].tactics | array | Required | The list of tactic IDs/names that are associated with the attack technique, as defined by the [ATT&CK Matrix™](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| attacks[].tactics[].name | string | Optional | The tactic name that is associated with the attack technique, as defined by the ATT&CK Matrix™. |
| attacks[].tactics[].uid | string | Required | The tactic ID that is associated with the attack technique, as defined by the ATT&CK Matrix™. |
| attacks[].technique | object | Required | The attack technique. |
| attacks[].technique.name | string | Optional | The name of the attack technique, as defined by the ATT&CK Matrix™. For example: Drive-by Compromise. |
| attacks[].technique.uid | string | Required | The unique identifier of the attack technique, as defined by the ATT&CK Matrix™. For example: T1189. |
| attacks[].version | string | Required | The ATT&CK Matrix version. |
| cloud | object | Optional | Describes details about the cloud environment where the event was originally created or logged. |
| cloud.account_name | string | Optional | The name of the account (e.g. AWS account name). |
| cloud.account_type | string | Optional | The user account type, as defined by the event source. |
| cloud.account_uid | string | Optional | The unique identifier of the account (e.g. AWS account ID). |
| cloud.org_uid | string | Optional | The unique identifier of the organization to which the user belongs. For example, Active Directory or AWS org ID. |
| cloud.project_uid | string | Optional | Cloud project identifier. |
| cloud.provider | string | Required | The unique name of the cloud services provider, such as AWS, MS Azure, GCP, etc. |
| cloud.region | string | Optional | The name of the cloud region, as defined by the cloud provider. |
| cloud.resource_uid | string | Optional | The unique identifier of a cloud resource. For example, S3 bucket name, EC2 instance ID. |
| cloud.zone | string | Optional | The availability zone in the cloud region, as defined by the cloud provider. |
| confidence | integer | Optional | The confidence of the reported event severity as a percentage: 0%-100%. |
| connection_uid | string | Optional | The network connection identifier. |
| count | integer | Optional | The number of times that events in the same logical group occurred during the event start_time to end_time period. |
| data | object | Optional | Additional data that is associated with the event. |
| disposition | string | Optional | The event disposition name, as defined by the disposition_id. |

#### Output

| Parameter | Type | Description |
|---|---|---|
| activity_name | string | The event activity name, as defined by the activity_id. |
| attacks | array | An array of attacks associated with an event. |
| attacks[].tactics | array | The list of tactic IDs/names that are associated with the attack technique, as defined by the [ATT&CK Matrix™](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| attacks[].tactics[].name | string | The tactic name that is associated with the attack technique, as defined by the ATT&CK Matrix™. |
| attacks[].tactics[].uid | string | The tactic ID that is associated with the attack technique, as defined by the ATT&CK Matrix™. |
| attacks[].technique | object | The attack technique. |
| attacks[].technique.name | string | The name of the attack technique, as defined by the ATT&CK Matrix™. For example: Drive-by Compromise. |
| attacks[].technique.uid | string | The unique identifier of the attack technique, as defined by the ATT&CK Matrix™. For example: T1189. |
| attacks[].version | string | The ATT&CK Matrix version. |
| category_name | string | The event category name, as defined by the category_uid value: Network Activity. |
| class_name | string | The event class name, as defined by the class_uid value: Email File Activity. |
| cloud | object | Describes details about the cloud environment where the event was originally created or logged. |
| cloud.account_name | string | The name of the account (e.g. AWS account name). |
| cloud.account_type | string | The user account type, as defined by the event source. |
| cloud.account_uid | string | The unique identifier of the account (e.g. AWS account ID). |
| cloud.org_uid | string | The unique identifier of the organization to which the user belongs. For example, Active Directory or AWS org ID. |
| cloud.project_uid | string | Cloud project identifier. |
| cloud.provider | string | The unique name of the cloud services provider, such as AWS, MS Azure, GCP, etc. |
| cloud.region | string | The name of the cloud region, as defined by the cloud provider. |
| cloud.resource_uid | string | The unique identifier of a cloud resource. For example, S3 bucket name, EC2 instance ID. |
| cloud.zone | string | The availability zone in the cloud region, as defined by the cloud provider. |
| confidence | integer | The confidence of the reported event severity as a percentage: 0%-100%. |
| connection_uid | string | The network connection identifier. |
| count | integer | The number of times that events in the same logical group occurred during the event start_time to end_time period. |
| data | object | Additional data that is associated with the event. |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "activity_name": "string",
    "attacks": [],
    "category_name": "string",
    "class_name": "string",
    "cloud": {
      "account_name": "Example Name",
      "account_type": "string",
      "account_uid": "string",
      "org_uid": "string",
      "project_uid": "string",
      "provider": "string",
      "region": "string",
      "resource_uid": "string",
      "zone": "string"
    },
    "confidence": 123,
    "connection_uid": "string",
    "count": 123,
    "data": {},
    "disposition": "string",
    "duration": 123,
    "email_uid": "string"
  }
]
```

### Email URL Activity

Create an Email URL Activity event in SOS Network Activity Events Pt1 using the specified details.

Endpoint method: GET

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| email_url_activity | object | Required | URL endpoint for the request. |
| activity_name | string | Required | The event activity name, as defined by the activity_id. |
| attacks | array | Optional | An array of attacks associated with an event. |
| attacks[].tactics | array | Required | The list of tactic IDs/names that are associated with the attack technique, as defined by the [ATT&CK Matrix™](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| attacks[].tactics[].name | string | Optional | The tactic name that is associated with the attack technique, as defined by the ATT&CK Matrix™. |
| attacks[].tactics[].uid | string | Required | The tactic ID that is associated with the attack technique, as defined by the ATT&CK Matrix™. |
| attacks[].technique | object | Required | The attack technique. |
| attacks[].technique.name | string | Optional | The name of the attack technique, as defined by the ATT&CK Matrix™. For example: Drive-by Compromise. |
| attacks[].technique.uid | string | Required | The unique identifier of the attack technique, as defined by the ATT&CK Matrix™. For example: T1189. |
| attacks[].version | string | Required | The ATT&CK Matrix version. |
| cloud | object | Optional | Describes details about the cloud environment where the event was originally created or logged. |
| cloud.account_name | string | Optional | The name of the account (e.g. AWS account name). |
| cloud.account_type | string | Optional | The user account type, as defined by the event source. |
| cloud.account_uid | string | Optional | The unique identifier of the account (e.g. AWS account ID). |
| cloud.org_uid | string | Optional | The unique identifier of the organization to which the user belongs. For example, Active Directory or AWS org ID. |
| cloud.project_uid | string | Optional | Cloud project identifier. |
| cloud.provider | string | Required | The unique name of the cloud services provider, such as AWS, MS Azure, GCP, etc. |
| cloud.region | string | Optional | The name of the cloud region, as defined by the cloud provider. |
| cloud.resource_uid | string | Optional | The unique identifier of a cloud resource. For example, S3 bucket name, EC2 instance ID. |
| cloud.zone | string | Optional | The availability zone in the cloud region, as defined by the cloud provider. |
| confidence | integer | Optional | The confidence of the reported event severity as a percentage: 0%-100%. |
| connection_uid | string | Optional | The network connection identifier. |
| count | integer | Optional | The number of times that events in the same logical group occurred during the event start_time to end_time period. |
| data | object | Optional | Additional data that is associated with the event. |
| disposition | string | Optional | The event disposition name, as defined by the disposition_id. |

#### Output

| Parameter | Type | Description |
|---|---|---|
| activity_name | string | The event activity name, as defined by the activity_id. |
| attacks | array | An array of attacks associated with an event. |
| attacks[].tactics | array | The list of tactic IDs/names that are associated with the attack technique, as defined by the [ATT&CK Matrix™](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| attacks[].tactics[].name | string | The tactic name that is associated with the attack technique, as defined by the ATT&CK Matrix™. |
| attacks[].tactics[].uid | string | The tactic ID that is associated with the attack technique, as defined by the ATT&CK Matrix™. |
| attacks[].technique | object | The attack technique. |
| attacks[].technique.name | string | The name of the attack technique, as defined by the ATT&CK Matrix™. For example: Drive-by Compromise. |
| attacks[].technique.uid | string | The unique identifier of the attack technique, as defined by the ATT&CK Matrix™. For example: T1189. |
| attacks[].version | string | The ATT&CK Matrix version. |
| category_name | string | The event category name, as defined by the category_uid value: Network Activity. |
| class_name | string | The event class name, as defined by the class_uid value: Email URL Activity. |
| cloud | object | Describes details about the cloud environment where the event was originally created or logged. |
| cloud.account_name | string | The name of the account (e.g. AWS account name). |
| cloud.account_type | string | The user account type, as defined by the event source. |
| cloud.account_uid | string | The unique identifier of the account (e.g. AWS account ID). |
| cloud.org_uid | string | The unique identifier of the organization to which the user belongs. For example, Active Directory or AWS org ID. |
| cloud.project_uid | string | Cloud project identifier. |
| cloud.provider | string | The unique name of the cloud services provider, such as AWS, MS Azure, GCP, etc. |
| cloud.region | string | The name of the cloud region, as defined by the cloud provider. |
| cloud.resource_uid | string | The unique identifier of a cloud resource. For example, S3 bucket name, EC2 instance ID. |
| cloud.zone | string | The availability zone in the cloud region, as defined by the cloud provider. |
| confidence | integer | The confidence of the reported event severity as a percentage: 0%-100%. |
| connection_uid | string | The network connection identifier. |
| count | integer | The number of times that events in the same logical group occurred during the event start_time to end_time period. |
| data | object | Additional data that is associated with the event. |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "activity_name": "string",
    "attacks": [],
    "category_name": "string",
    "class_name": "string",
    "cloud": {
      "account_name": "Example Name",
      "account_type": "string",
      "account_uid": "string",
      "org_uid": "string",
      "project_uid": "string",
      "provider": "string",
      "region": "string",
      "resource_uid": "string",
      "zone": "string"
    },
    "confidence": 123,
    "connection_uid": "string",
    "count": 123,
    "data": {},
    "disposition": "string",
    "duration": 123,
    "email_uid": "string"
  }
]
```

### FTP Activity

Create an FTP Activity event in SOS Network Activity Events Pt1 using the provided activity details.

Endpoint method: GET

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| ftp_activity | object | Required | Parameter for FTP Activity. |
| activity_name | string | Required | The event activity name, as defined by the activity_id. |
| app_name | string | Optional | The name of the application that is associated with the event or object. |
| attacks | array | Optional | An array of attacks associated with an event. |
| attacks[].tactics | array | Required | The list of tactic IDs/names that are associated with the attack technique, as defined by the [ATT&CK Matrix™](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| attacks[].tactics[].name | string | Optional | The tactic name that is associated with the attack technique, as defined by the ATT&CK Matrix™. |
| attacks[].tactics[].uid | string | Required | The tactic ID that is associated with the attack technique, as defined by the ATT&CK Matrix™. |
| attacks[].technique | object | Required | The attack technique. |
| attacks[].technique.name | string | Optional | The name of the attack technique, as defined by the ATT&CK Matrix™. For example: Drive-by Compromise. |
| attacks[].technique.uid | string | Required | The unique identifier of the attack technique, as defined by the ATT&CK Matrix™. For example: T1189. |
| attacks[].version | string | Required | The ATT&CK Matrix version. |
| cloud | object | Optional | Describes details about the cloud environment where the event was originally created or logged. |
| cloud.account_name | string | Optional | The name of the account (e.g. AWS account name). |
| cloud.account_type | string | Optional | The user account type, as defined by the event source. |
| cloud.account_uid | string | Optional | The unique identifier of the account (e.g. AWS account ID). |
| cloud.org_uid | string | Optional | The unique identifier of the organization to which the user belongs. For example, Active Directory or AWS org ID. |
| cloud.project_uid | string | Optional | Cloud project identifier. |
| cloud.provider | string | Required | The unique name of the cloud services provider, such as AWS, MS Azure, GCP, etc. |
| cloud.region | string | Optional | The name of the cloud region, as defined by the cloud provider. |
| cloud.resource_uid | string | Optional | The unique identifier of a cloud resource. For example, S3 bucket name, EC2 instance ID. |
| cloud.zone | string | Optional | The availability zone in the cloud region, as defined by the cloud provider. |
| codes | array | Optional | The list of return codes to the FTP command. |
| command | string | Optional | The FTP command. |
| command_responses | array | Optional | The list of responses to the FTP command. |
| confidence | integer | Optional | The confidence of the reported event severity as a percentage: 0%-100%. |

#### Output

| Parameter | Type | Description |
|---|---|---|
| activity_name | string | The event activity name, as defined by the activity_id. |
| app_name | string | The name of the application that is associated with the event or object. |
| attacks | array | An array of attacks associated with an event. |
| attacks[].tactics | array | The list of tactic IDs/names that are associated with the attack technique, as defined by the [ATT&CK Matrix™](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| attacks[].tactics[].name | string | The tactic name that is associated with the attack technique, as defined by the ATT&CK Matrix™. |
| attacks[].tactics[].uid | string | The tactic ID that is associated with the attack technique, as defined by the ATT&CK Matrix™. |
| attacks[].technique | object | The attack technique. |
| attacks[].technique.name | string | The name of the attack technique, as defined by the ATT&CK Matrix™. For example: Drive-by Compromise. |
| attacks[].technique.uid | string | The unique identifier of the attack technique, as defined by the ATT&CK Matrix™. For example: T1189. |
| attacks[].version | string | The ATT&CK Matrix version. |
| category_name | string | The event category name, as defined by the category_uid value: Network Activity. |
| class_name | string | The event class name, as defined by the class_uid value: FTP Activity. |
| cloud | object | Describes details about the cloud environment where the event was originally created or logged. |
| cloud.account_name | string | The name of the account (e.g. AWS account name). |
| cloud.account_type | string | The user account type, as defined by the event source. |
| cloud.account_uid | string | The unique identifier of the account (e.g. AWS account ID). |
| cloud.org_uid | string | The unique identifier of the organization to which the user belongs. For example, Active Directory or AWS org ID. |
| cloud.project_uid | string | Cloud project identifier. |
| cloud.provider | string | The unique name of the cloud services provider, such as AWS, MS Azure, GCP, etc. |
| cloud.region | string | The name of the cloud region, as defined by the cloud provider. |
| cloud.resource_uid | string | The unique identifier of a cloud resource. For example, S3 bucket name, EC2 instance ID. |
| cloud.zone | string | The availability zone in the cloud region, as defined by the cloud provider. |
| codes | array | The list of return codes to the FTP command. |
| command | string | The FTP command. |
| command_responses | array | The list of responses to the FTP command. |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "activity_name": "string",
    "app_name": "string",
    "attacks": [],
    "category_name": "string",
    "class_name": "string",
    "cloud": {
      "account_name": "Example Name",
      "account_type": "string",
      "account_uid": "string",
      "org_uid": "string",
      "project_uid": "string",
      "provider": "string",
      "region": "string",
      "resource_uid": "string",
      "zone": "string"
    },
    "codes": [],
    "command": "string",
    "command_responses": [],
    "confidence": 123,
    "connection_info": {
      "boundary": "string",
      "direction": "string",
      "protocol_name":
```
"example name", "protocol num" 123, "protocol ver" "string", "tcp flags" 123, "uid" "string" }, "count" 123 } ] http activity create an http activity event in sos network activity events pt1 using the provided activity data endpoint method get input argument name type required description http activity object required parameter for http activity activity name string required the event activity name, as defined by the activity id app name string optional the name of the application that is associated with the event or object attacks array optional an array of attacks associated with an event tactics array required the a list of tactic id's/names that are associated with the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm name string optional the tactic name that is associated with the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm uid string required the tactic id that is associated with the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm technique object required the attack technique name string optional the name of the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm for example drive by compromise uid string required the unique identifier of the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm for example t1189 version string required the att\&ck matrix version cloud object optional describes details about the cloud enviroment where the event was originally created or logged account name string optional the name of the account (e g aws account name) account type string optional the user account type, as defined by the event source account uid string optional the unique identifier of the account (e g aws account id) org uid string optional the unique identifier of the organization to which the user belongs for example, active 
directory or aws org id project uid string optional cloud project identifier provider string required the unique name of the cloud services provider, such as aws, ms azure, gcp, etc region string optional the name of the cloud region, as defined by the cloud provider resource uid string optional the unique identifier of a cloud resource for example, s3 bucket name, ec2 instance id zone string optional the availability zone in the cloud region, as defined by the cloud provider confidence integer optional the confidence of the reported event severity as a percentage 0% 100% connection info object optional the network connection information boundary string optional the boundary of the connection, as defined by the event source for cloud connections, this translates to the traffic boundary(same vpc, through igw, etc ) for traditional networks, this is described as local, internal, or external direction string optional the direction of the initiated connection output parameter type description activity name string the event activity name, as defined by the activity id app name string the name of the application that is associated with the event or object attacks array an array of attacks associated with an event tactics array the a list of tactic id's/names that are associated with the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm name string the tactic name that is associated with the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm uid string the tactic id that is associated with the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm technique object the attack technique name string the name of the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm for example drive by compromise uid string the unique identifier of the attack technique, as defined by https //attack mitre org/wiki/att\&ck 
matrix att\&ck matrix tm for example t1189 version string the att\&ck matrix version category name string the event category name, as defined by category uid value network activity class name string the event class name, as defined by class uid value http activity cloud object describes details about the cloud enviroment where the event was originally created or logged account name string the name of the account (e g aws account name) account type string the user account type, as defined by the event source account uid string the unique identifier of the account (e g aws account id) org uid string the unique identifier of the organization to which the user belongs for example, active directory or aws org id project uid string cloud project identifier provider string the unique name of the cloud services provider, such as aws, ms azure, gcp, etc region string the name of the cloud region, as defined by the cloud provider resource uid string the unique identifier of a cloud resource for example, s3 bucket name, ec2 instance id zone string the availability zone in the cloud region, as defined by the cloud provider confidence integer the confidence of the reported event severity as a percentage 0% 100% connection info object the network connection information boundary string the boundary of the connection, as defined by the event source for cloud connections, this translates to the traffic boundary(same vpc, through igw, etc ) for traditional networks, this is described as local, internal, or external example \[ { "status code" 200, "response headers" { "content type" "application/json", "date" "thu, 01 jan 2024 00 00 00 gmt" }, "reason" "ok", "activity name" "string", "app name" "string", "attacks" \[], "category name" "string", "class name" "string", "cloud" { "account name" "example name", "account type" "string", "account uid" "string", "org uid" "string", "project uid" "string", "provider" "string", "region" "string", "resource uid" "string", "zone" "string" }, 
"confidence" 123, "connection info" { "boundary" "string", "direction" "string", "protocol name" "example name", "protocol num" 123, "protocol ver" "string", "tcp flags" 123, "uid" "string" }, "count" 123, "data" {}, "disposition" "string", "dst endpoint" { "domain" "string", "hostname" "example name", "instance uid" "string", "interface uid" "string", "intermediate ips" \[], "ip" "string", "location" {}, "mac" "string", "name" "example name", "port" 123, "reputation" {}, "subnet uid" "string", "svc name" "example name", "uid" "string", "vlan uid" "string" } } ] response headers header description example content type the media type of the resource application/json date the date and time at which the message was originated thu, 01 jan 2024 00 00 00 gmt
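The FTP Activity and HTTP Activity inputs above share the same Required rules (activity name, tactic ID, technique ID and ATT&CK version inside each attack, cloud provider when a cloud block is given, confidence as a 0-100 percentage). The validator below is an added example, not the connector's own code; it assumes snake_case key names for the fields in the tables and checks a constructed sample event before it would be handed to the action.

```python
import re

# Added example, not the connector's own code. Key names are assumed to be the
# snake_case form of the field tables above (activity_name, attacks, cloud, ...).
TACTIC_ID = re.compile(r"^TA\d{4}$")              # e.g. TA0001
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")  # e.g. T1189 or T1059.001

def validate_activity(event: dict, kind: str) -> list:
    """Check an ftp_activity/http_activity input against the Required rules above."""
    problems = []
    if not event.get("activity_name"):
        problems.append("activity_name is required")
    for i, attack in enumerate(event.get("attacks") or []):
        where = f"attacks[{i}]"
        if not attack.get("version"):
            problems.append(f"{where}.version is required")
        tech = attack.get("technique") or {}
        if not tech.get("uid"):
            problems.append(f"{where}.technique.uid is required")
        elif not TECHNIQUE_ID.match(tech["uid"]):
            problems.append(f"{where}.technique.uid {tech['uid']!r} is not an ATT&CK id")
        tactics = attack.get("tactics") or []
        if not tactics:
            problems.append(f"{where}.tactics is required")
        for j, tactic in enumerate(tactics):
            uid = tactic.get("uid")
            if not uid:
                problems.append(f"{where}.tactics[{j}].uid is required")
            elif not TACTIC_ID.match(uid):
                problems.append(f"{where}.tactics[{j}].uid {uid!r} is not a tactic id")
    cloud = event.get("cloud")
    if cloud is not None and not cloud.get("provider"):
        problems.append("cloud.provider is required when cloud is given")
    conf = event.get("confidence")
    if conf is not None and not (isinstance(conf, int) and 0 <= conf <= 100):
        problems.append("confidence must be an integer percentage, 0-100")
    if kind == "ftp":  # FTP-only members must be arrays
        for key in ("codes", "command_responses"):
            if key in event and not isinstance(event[key], list):
                problems.append(f"{key} must be an array")
    elif kind == "http" and "connection_info" in event and not isinstance(event["connection_info"], dict):
        problems.append("connection_info must be an object")
    return problems

# Constructed sample: a drive-by compromise observed in FTP traffic (T1189 / TA0001).
SAMPLE_FTP = {
    "activity_name": "Get", "command": "RETR", "codes": [150, 226], "confidence": 80,
    "cloud": {"provider": "AWS", "region": "us-east-1"},
    "attacks": [{"version": "14.1", "tactics": [{"name": "Initial Access", "uid": "TA0001"}],
                 "technique": {"name": "Drive-by Compromise", "uid": "T1189"}}]}
```

`validate_activity(SAMPLE_FTP, "ftp")` returns an empty list; a rejected event returns one message per violated rule, which is what a playbook step should log before dropping the record.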