# SOS Network Activity Events Pt1
The SOS Network Activity Events Pt1 connector automates the creation of detailed network activity events, streamlining the process of monitoring and responding to network-related security incidents.

SOS Network Activity Events Pt1 is a comprehensive solution for monitoring and responding to network events. This connector enables seamless integration with Swimlane Turbine, allowing users to automate the detection and handling of DHCP, DNS, email, FTP, and HTTP activities. By leveraging this connector, security teams can efficiently track network behavior, identify anomalies, and initiate rapid response actions, enhancing the overall security posture and reducing manual intervention.

## Capabilities

- Create DHCP Activity Events
- Create DNS Activity Events
- Create Email Delivery Activity Events
- Create Email File Activity Events
- Create Email URL Activity Events
- Create FTP Activity Events
- Create HTTP Activity Events

## Actions

### DHCP Activity

Create a DHCP activity event in SOS Network Activity Events Pt1 using the provided activity data.

Endpoint method: GET

#### Input

| Input Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| dhcp_activity | object | required | Parameter for DHCP activity. |
| dhcp_activity.activity_name | string | required | The event activity name, as defined by the activity_id. |
| dhcp_activity.cloud | object | optional | Describes details about the cloud environment where the event was originally created or logged. |
| dhcp_activity.cloud.account_name | string | optional | The name of the account (e.g. AWS account name). |
| dhcp_activity.cloud.account_type | string | optional | The user account type, as defined by the event source. |
| dhcp_activity.cloud.account_uid | string | optional | The unique identifier of the account (e.g. AWS account ID). |
| dhcp_activity.cloud.org_uid | string | optional | The unique identifier of the organization to which the user belongs. For example, Active Directory or AWS Org ID. |
| dhcp_activity.cloud.project_uid | string | optional | Cloud project identifier. |
| dhcp_activity.cloud.provider | string | required | The unique name of the cloud services provider, such as AWS, MS Azure, GCP, etc. |
| dhcp_activity.cloud.region | string | optional | The name of the cloud region, as defined by the cloud provider. |
| dhcp_activity.cloud.resource_uid | string | optional | The unique identifier of a cloud resource. For example, S3 bucket name, EC2 instance ID. |
| dhcp_activity.cloud.zone | string | optional | The availability zone in the cloud region, as defined by the cloud provider. |
| dhcp_activity.confidence | integer | optional | The confidence of the reported event severity as a percentage: 0%-100%. |
| dhcp_activity.count | integer | optional | The number of times that events in the same logical group occurred during the event start_time to end_time period. |
| dhcp_activity.data | object | optional | Additional data that is associated with the event. |
| dhcp_activity.duration | integer | optional | The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds. |
| dhcp_activity.end_time_dt | string | optional | The end time of a time period, or the time of the most recent event included in the aggregate event. |
| dhcp_activity.is_renewal | boolean | optional | The indication of whether this is a lease/session renewal event. |
| dhcp_activity.lease_dur | integer | optional | This represents the length of the DHCP lease in seconds. This is present in DHCP Ack events (activity_id = 1). |
| dhcp_activity.message | string | optional | The description of the event, as defined by the event source. |
| dhcp_activity.metadata | object | required | The metadata associated with the event. |
| dhcp_activity.metadata.correlation_uid | string | optional | The unique identifier used to correlate events. |
| dhcp_activity.metadata.labels | array | optional | The list of category labels attached to the event or specific attributes. Labels are user-defined tags or aliases added at normalization time. For example: ["network", "connection.ip:destination", "device.ip:source"]. |
| dhcp_activity.metadata.logged_time_dt | string | optional | The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contains the time extracted from the original event. Most of the time, these two times will be different. |
| dhcp_activity.metadata.modified_time_dt | string | optional | The time when the event was last modified or enriched. |

Input example:

```json
{
  "dhcp_activity": {
    "activity_name": "example name",
    "cloud": {
      "account_name": "example name", "account_type": "string", "account_uid": "string",
      "org_uid": "string", "project_uid": "string", "provider": "string",
      "region": "string", "resource_uid": "string", "zone": "string"
    },
    "confidence": 123,
    "count": 123,
    "data": {},
    "duration": 123,
    "end_time_dt": "string",
    "is_renewal": true,
    "lease_dur": 123,
    "message": "string",
    "metadata": {
      "correlation_uid": "string", "labels": ["string"], "logged_time_dt": "string",
      "modified_time_dt": "string", "original_time": "string", "processed_time_dt": "string",
      "product": {
        "feature": {}, "lang": "string", "name": "example name", "path": "string",
        "uid": "string", "vendor_name": "example name", "version": "string"
      },
      "profiles": ["string"], "sequence": 123, "uid": "string", "version": "string"
    },
    "network_interface": {
      "hostname": "example name", "ip": "string", "mac": "string", "name": "example name",
      "namespace": "example name",
      "reputation": {"base_score": 123, "provider": "string", "score": "string"},
      "type": "string", "uid": "string"
    },
    "observables": [
      {
        "enrichments": [{"data": {}, "name": "example name", "provider": "string", "type": "string", "value": {}}],
        "name": "example name", "type": "string", "value": {}
      }
    ],
    "raw_data": "string",
    "relay": {
      "hostname": "example name", "ip": "string", "mac": "string", "name": "example name",
      "namespace": "example name",
      "reputation": {"base_score": 123, "provider": "string", "score": "string"},
      "type": "string", "uid": "string"
    },
    "severity": "string",
    "start_time_dt": "string",
    "status": "active",
    "status_detail": "active",
    "time_dt": "string",
    "timezone_offset": 123,
    "transaction_uid": "string",
    "unmapped": {}
  }
}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| activity_name | string | The event activity name, as defined by the activity_id. |
| category_name | string | The event category name, as defined by category_uid value: Network Activity. |
| class_name | string | The event class name, as defined by class_uid value: DHCP Activity. |
| cloud | object | Describes details about the cloud environment where the event was originally created or logged. |
| cloud.account_name | string | The name of the account (e.g. AWS account name). |
| cloud.account_type | string | The user account type, as defined by the event source. |
| cloud.account_uid | string | The unique identifier of the account (e.g. AWS account ID). |
| cloud.org_uid | string | The unique identifier of the organization to which the user belongs. For example, Active Directory or AWS Org ID. |
| cloud.project_uid | string | Cloud project identifier. |
| cloud.provider | string | The unique name of the cloud services provider, such as AWS, MS Azure, GCP, etc. |
| cloud.region | string | The name of the cloud region, as defined by the cloud provider. |
| cloud.resource_uid | string | The unique identifier of a cloud resource. For example, S3 bucket name, EC2 instance ID. |
| cloud.zone | string | The availability zone in the cloud region, as defined by the cloud provider. |
| confidence | integer | The confidence of the reported event severity as a percentage: 0%-100%. |
| count | integer | The number of times that events in the same logical group occurred during the event start_time to end_time period. |
| data | object | Additional data that is associated with the event. |
| duration | integer | The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds. |
| end_time_dt | string | The end time of a time period, or the time of the most recent event included in the aggregate event. |
| is_renewal | boolean | The indication of whether this is a lease/session renewal event. |
| lease_dur | integer | This represents the length of the DHCP lease in seconds. This is present in DHCP Ack events (activity_id = 1). |
| message | string | The description of the event, as defined by the event source. |
| metadata | object | The metadata associated with the event. |
| metadata.correlation_uid | string | The unique identifier used to correlate events. |
| metadata.labels | array | The list of category labels attached to the event or specific attributes. Labels are user-defined tags or aliases added at normalization time. For example: ["network", "connection.ip:destination", "device.ip:source"]. |
| metadata.logged_time_dt | string | The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contains the time extracted from the original event. Most of the time, these two times will be different. |

Output example (truncated as on the original page):

```json
{"activity_name": "string", "category_name": "string", "class_name": "string", "cloud": {"account_name": "example name", "account_type": "string", "account_uid": "string", "org_uid": "string", "project_uid": "string", "provider": "string", "region": "string", "resource_uid": "string", "zone": "string"}, "confidence": 123, "count": 123, "data": {}, "duration": 123, "end_time_dt": "string", "is_renewal": true, "lease_dur": 123, "message": "string", "metadata": {"correlation_uid": "string", "labels": ["string"], "logged_time_dt": "string", "modi
```

### DNS Activity

Create a DNS activity event in SOS Network Activity Events Pt1 using the provided DNS activity data.

Endpoint method: GET

#### Input

| Input Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| dns_activity | object | required | Parameter for DNS activity. |
| dns_activity.activity_name | string | required | The event activity name, as defined by the activity_id. |
| dns_activity.answers | array | optional | The Domain Name System (DNS) answers. |
| dns_activity.answers.class | string | required | The class of DNS data contained in this resource record. See [RFC 1035](https://www.rfc-editor.org/rfc/rfc1035.txt). For example: IN. |
| dns_activity.answers.flags | array | optional | The list of DNS answer header flags. |
| dns_activity.answers.packet_uid | integer | optional | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. |
| dns_activity.answers.rdata | string | required | The data describing the DNS resource. The meaning of this data depends on the type and class of the resource record. |
| dns_activity.answers.ttl | integer | optional | The time interval that the resource record may be cached. A zero value means that the resource record can only be used for the transaction in progress, and should not be cached. |
| dns_activity.answers.type | string | required | The type of data contained in this resource record. See [RFC 1035](https://www.rfc-editor.org/rfc/rfc1035.txt). For example: CNAME. |
| dns_activity.app_name | string | optional | The name of the application that is associated with the event or object. |
| dns_activity.attacks | array | optional | An array of attacks associated with an event. |
| dns_activity.attacks.tactics | array | required | The list of tactic IDs/names that are associated with the attack technique, as defined by [ATT&CK Matrix TM](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| dns_activity.attacks.tactics.name | string | optional | The tactic name that is associated with the attack technique, as defined by [ATT&CK Matrix TM](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| dns_activity.attacks.tactics.uid | string | required | The tactic ID that is associated with the attack technique, as defined by [ATT&CK Matrix TM](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| dns_activity.attacks.technique | object | required | The attack technique. |
| dns_activity.attacks.technique.name | string | optional | The name of the attack technique, as defined by [ATT&CK Matrix TM](https://attack.mitre.org/wiki/ATT&CK_Matrix). For example: Drive-by Compromise. |
| dns_activity.attacks.technique.uid | string | required | The unique identifier of the attack technique, as defined by [ATT&CK Matrix TM](https://attack.mitre.org/wiki/ATT&CK_Matrix). For example: T1189. |
| dns_activity.attacks.version | string | required | The ATT&CK Matrix version. |
| dns_activity.cloud | object | optional | Describes details about the cloud environment where the event was originally created or logged. |
| dns_activity.cloud.account_name | string | optional | The name of the account (e.g. AWS account name). |
| dns_activity.cloud.account_type | string | optional | The user account type, as defined by the event source. |
| dns_activity.cloud.account_uid | string | optional | The unique identifier of the account (e.g. AWS account ID). |
| dns_activity.cloud.org_uid | string | optional | The unique identifier of the organization to which the user belongs. For example, Active Directory or AWS Org ID. |
| dns_activity.cloud.project_uid | string | optional | Cloud project identifier. |
| dns_activity.cloud.provider | string | required | The unique name of the cloud services provider, such as AWS, MS Azure, GCP, etc. |

Input example:

```json
{
  "dns_activity": {
    "activity_name": "example name",
    "answers": [
      {"class": "string", "flags": ["string"], "packet_uid": 123, "rdata": "string", "ttl": 123, "type": "string"}
    ],
    "app_name": "example name",
    "attacks": [
      {
        "tactics": [{"name": "example name", "uid": "string"}],
        "technique": {"name": "example name", "uid": "string"},
        "version": "string"
      }
    ],
    "cloud": {
      "account_name": "example name", "account_type": "string", "account_uid": "string",
      "org_uid": "string", "project_uid": "string", "provider": "string",
      "region": "string", "resource_uid": "string", "zone": "string"
    },
    "confidence": 123,
    "connection_info": {
      "boundary": "string", "direction": "string", "protocol_name": "example name",
      "protocol_num": 123, "protocol_ver": "string", "tcp_flags": 123, "uid": "string"
    },
    "count": 123,
    "data": {},
    "disposition": "string",
    "dst_endpoint": {
      "domain": "string", "hostname": "example name", "instance_uid": "string",
      "interface_uid": "string", "intermediate_ips": ["string"], "ip": "string",
      "location": {
        "city": "string", "continent": "string", "coordinates": [123], "country": "string",
        "desc": "string", "is_on_premises": true, "isp": "string", "postal_code": "string",
        "provider": "string", "region": "string"
      },
      "mac": "string", "name": "example name", "port": 123,
      "reputation": {"base_score": 123, "provider": "string", "score": "string"},
      "subnet_uid": "string", "svc_name": "example name", "uid": "string",
      "vlan_uid": "string", "vpc_uid": "string"
    },
    "duration": 123,
    "end_time_dt": "string",
    "malware": [
      {
        "classifications": ["string"],
        "cves": [
          {
            "created_time_dt": "string", "cvss": {}, "cwe_uid": "string", "cwe_url": "string",
            "modified_time_dt": "string", "product": {}, "type": "string", "uid": "string"
          }
        ],
        "name": "example name", "path": "string", "provider": "string", "uid": "string"
      }
    ],
    "message": "string",
    "metadata": {
      "correlation_uid": "string", "labels": ["string"], "logged_time_dt": "string",
      "modified_time_dt": "string", "original_time": "string", "processed_time_dt": "string",
      "product": {
        "feature": {}, "lang": "string", "name": "example name", "path": "string",
        "uid": "string", "vendor_name": "example name", "version": "string"
      },
      "profiles": ["string"], "sequence": 123, "uid": "string", "version": "string"
    },
    "observables": [
      {
        "enrichments": [{"data": {}, "name": "example name", "provider": "string", "type": "string", "value": {}}],
        "name": "example name", "type": "string", "value": {}
      }
    ],
    "proxy": {"hostname": "example name", "ip": "string", "port": 123, "svc_name": "example name", "uid": "string"},
    "query": {
      "class": "string", "hostname": "example name", "opcode": "string",
      "opcode_id": 123, "packet_uid": 123, "type": "string"
    },
    "query_time_dt": "string",
    "raw_data": "string",
    "rcode": "string",
    "response_time_dt": "string",
    "severity": "string",
    "src_endpoint": {
      "domain": "string", "hostname": "example name", "instance_uid": "string",
      "interface_uid": "string", "intermediate_ips": ["string"], "ip": "string",
      "location": {
        "city": "string", "continent": "string", "coordinates": [123], "country": "string",
        "desc": "string", "is_on_premises": true, "isp": "string", "postal_code": "string",
        "provider": "string", "region": "string"
      },
      "mac": "string", "name": "example name", "port": 123,
      "reputation": {"base_score": 123, "provider": "string", "score": "string"},
      "subnet_uid": "string", "svc_name": "example name", "uid": "string",
      "vlan_uid": "string", "vpc_uid": "string"
    },
    "start_time_dt": "string",
    "status": "active",
    "status_detail": "active",
    "time_dt": "string",
    "timezone_offset": 123,
    "tls": {
      "alert": 123,
      "certificate": {
        "created_time_dt": "string", "expiration_time_dt": "string", "fingerprint": {},
        "issuer_dn": "string", "serial_number": "string", "subject_dn": "string", "version": "string"
      },
      "certificate_chain": ["string"],
      "cipher": "string",
      "client_ciphers": ["string"],
      "extension_list": [{"data": {}, "type": "string"}],
      "handshake_dur": 123,
      "ja3_fingerprint": {"algorithm": "string", "value": "string"},
      "ja3_string": "string",
      "ja3s_fingerprint": {"algorithm": "string", "value": "string"},
      "ja3s_string": "string",
      "key_length": 123,
      "sans": [{"name": "example name", "type": "string"}],
      "server_ciphers": ["string"],
      "sni": "string",
      "version": "string"
    },
    "traffic": {"bytes": 123, "bytes_in": 123, "bytes_out": 123, "packets": 123, "packets_in": 123, "packets_out": 123},
    "unmapped": {}
  }
}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| activity_name | string | The event activity name, as defined by the activity_id. |
| answers | array | The Domain Name System (DNS) answers. |
| answers.class | string | The class of DNS data contained in this resource record. See [RFC 1035](https://www.rfc-editor.org/rfc/rfc1035.txt). For example: IN. |
| answers.flags | array | The list of DNS answer header flags. |
| answers.packet_uid | integer | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. |
| answers.rdata | string | The data describing the DNS resource. The meaning of this data depends on the type and class of the resource record. |
| answers.ttl | integer | The time interval that the resource record may be cached. A zero value means that the resource record can only be used for the transaction in progress, and should not be cached. |
| answers.type | string | The type of data contained in this resource record. See [RFC 1035](https://www.rfc-editor.org/rfc/rfc1035.txt). For example: CNAME. |
| app_name | string | The name of the application that is associated with the event or object. |
| attacks | array | An array of attacks associated with an event. |
| attacks.tactics | array | The list of tactic IDs/names that are associated with the attack technique, as defined by [ATT&CK Matrix TM](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| attacks.tactics.name | string | The tactic name that is associated with the attack technique, as defined by [ATT&CK Matrix TM](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| attacks.tactics.uid | string | The tactic ID that is associated with the attack technique, as defined by [ATT&CK Matrix TM](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| attacks.technique | object | The attack technique. |
| attacks.technique.name | string | The name of the attack technique, as defined by [ATT&CK Matrix TM](https://attack.mitre.org/wiki/ATT&CK_Matrix). For example: Drive-by Compromise. |
| attacks.technique.uid | string | The unique identifier of the attack technique, as defined by [ATT&CK Matrix TM](https://attack.mitre.org/wiki/ATT&CK_Matrix). For example: T1189. |
| attacks.version | string | The ATT&CK Matrix version. |
| category_name | string | The event category name, as defined by category_uid value: Network Activity. |
| class_name | string | The event class name, as defined by class_uid value: DNS Activity. |
| cloud | object | Describes details about the cloud environment where the event was originally created or logged. |
| cloud.account_name | string | The name of the account (e.g. AWS account name). |
| cloud.account_type | string | The user account type, as defined by the event source. |
| cloud.account_uid | string | The unique identifier of the account (e.g. AWS account ID). |
| cloud.org_uid | string | The unique identifier of the organization to which the user belongs. For example, Active Directory or AWS Org ID. |
| cloud.project_uid | string | Cloud project identifier. |

Output example (truncated as on the original page):

```json
{"activity_name": "string", "answers": [], "app_name": "string", "attacks": [], "category_name": "string", "class_name": "string", "cloud": {"account_name": "example name", "account_type": "string", "account_uid": "string", "org_uid": "string", "project_uid": "string", "provider": "string", "region": "string", "resource_uid": "string", "zone": "string"}, "confidence": 123, "connection_info": {"boundary": "string", "direction": "string", "protocol_name": "example name", "protocol_num": 123, "protocol_ver": "string", "tcp_flags": 123, "uid": "
```

### Email Delivery Activity

Create an email delivery activity event in SOS Network Activity Events Pt1 using the specified activity data.

Endpoint method: GET

#### Input

| Input Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| email_delivery_activity | object | required | Parameter for email delivery activity. |
| email_delivery_activity.activity_name | string | required | The event activity name, as defined by the activity_id. |
| email_delivery_activity.attacks | array | optional | An array of attacks associated with an event. |
| email_delivery_activity.attacks.tactics | array | required | The list of tactic IDs/names that are associated with the attack technique, as defined by [ATT&CK Matrix TM](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| email_delivery_activity.attacks.tactics.name | string | optional | The tactic name that is associated with the attack technique, as defined by [ATT&CK Matrix TM](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| email_delivery_activity.attacks.tactics.uid | string | required | The tactic ID that is associated with the attack technique, as defined by [ATT&CK Matrix TM](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| email_delivery_activity.attacks.technique | object | required | The attack technique. |
| email_delivery_activity.attacks.technique.name | string | optional | The name of the attack technique, as defined by [ATT&CK Matrix TM](https://attack.mitre.org/wiki/ATT&CK_Matrix). For example: Drive-by Compromise. |
| email_delivery_activity.attacks.technique.uid | string | required | The unique identifier of the attack technique, as defined by [ATT&CK Matrix TM](https://attack.mitre.org/wiki/ATT&CK_Matrix). For example: T1189. |
| email_delivery_activity.attacks.version | string | required | The ATT&CK Matrix version. |
| email_delivery_activity.attempt | string | optional | Attempt. |
| email_delivery_activity.banner | string | optional | Banner. |
| email_delivery_activity.cloud | object | optional | Describes details about the cloud environment where the event was originally created or logged. |
| email_delivery_activity.cloud.account_name | string | optional | The name of the account (e.g. AWS account name). |
| email_delivery_activity.cloud.account_type | string | optional | The user account type, as defined by the event source. |
| email_delivery_activity.cloud.account_uid | string | optional | The unique identifier of the account (e.g. AWS account ID). |
| email_delivery_activity.cloud.org_uid | string | optional | The unique identifier of the organization to which the user belongs. For example, Active Directory or AWS Org ID. |
| email_delivery_activity.cloud.project_uid | string | optional | Cloud project identifier. |
| email_delivery_activity.cloud.provider | string | required | The unique name of the cloud services provider, such as AWS, MS Azure, GCP, etc. |
| email_delivery_activity.cloud.region | string | optional | The name of the cloud region, as defined by the cloud provider. |
| email_delivery_activity.cloud.resource_uid | string | optional | The unique identifier of a cloud resource. For example, S3 bucket name, EC2 instance ID. |
| email_delivery_activity.cloud.zone | string | optional | The availability zone in the cloud region, as defined by the cloud provider. |
| email_delivery_activity.confidence | integer | optional | The confidence of the reported event severity as a percentage: 0%-100%. |
| email_delivery_activity.count | integer | optional | The number of times that events in the same logical group occurred during the event start_time to end_time period. |
| email_delivery_activity.data | object | optional | Additional data that is associated with the event. |

Input example:

```json
{
  "email_delivery_activity": {
    "activity_name": "example name",
    "attacks": [
      {
        "tactics": [{"name": "example name", "uid": "string"}],
        "technique": {"name": "example name", "uid": "string"},
        "version": "string"
      }
    ],
    "attempt": "string",
    "banner": "string",
    "cloud": {
      "account_name": "example name", "account_type": "string", "account_uid": "string",
      "org_uid": "string", "project_uid": "string", "provider": "string",
      "region": "string", "resource_uid": "string", "zone": "string"
    },
    "confidence": 123,
    "count": 123,
    "data": {},
    "disposition": "string",
    "duration": 123,
    "email": {
      "cc": ["string"],
      "contains": [{"enrichments": [], "name": "example name", "type": "string", "value": {}}],
      "content_type": "string",
      "delivered_to": "string",
      "direction": "string",
      "from": "string",
      "message_uid": "string",
      "mime_parts": [
        {"content": {}, "content_disposition": "string", "content_text": "string", "content_type": "string"}
      ],
      "reply_to": "string",
      "size": 123,
      "smtp_from": "string",
      "smtp_headers": [{"name": "example name", "value": {}}],
      "smtp_hello": "string",
      "smtp_to": ["string"],
      "subject": "string",
      "to": ["string"],
      "x_originating_ip": ["string"]
    },
    "email_auth": {
      "dkim": "string", "dkim_domain": "string", "dmarc": "string", "dmarc_override": "string",
      "dmarc_policy": "string", "raw_header": "string", "spf": "string"
    },
    "email_uid": "string",
    "end_time_dt": "string",
    "malware": [
      {
        "classifications": ["string"],
        "cves": [
          {
            "created_time_dt": "string", "cvss": {}, "cwe_uid": "string", "cwe_url": "string",
            "modified_time_dt": "string", "product": {}, "type": "string", "uid": "string"
          }
        ],
        "name": "example name", "path": "string", "provider": "string", "uid": "string"
      }
    ],
    "message": "string",
    "metadata": {
      "correlation_uid": "string", "labels": ["string"], "logged_time_dt": "string",
      "modified_time_dt": "string", "original_time": "string", "processed_time_dt": "string",
      "product": {
        "feature": {}, "lang": "string", "name": "example name", "path": "string",
        "uid": "string", "vendor_name": "example name", "version": "string"
      },
      "profiles": ["string"], "sequence": 123, "uid": "string", "version": "string"
    },
    "observables": [
      {
        "enrichments": [{"data": {}, "name": "example name", "provider": "string", "type": "string", "value": {}}],
        "name": "example name", "type": "string", "value": {}
      }
    ],
    "raw_data": "string",
    "receiver_hostname": "example name",
    "receiver_ip": "string",
    "sender_hostname": "example name",
    "sender_ip": "string",
    "severity": "string",
    "start_time_dt": "string",
    "status": "active",
    "status_detail": "active",
    "time_dt": "string",
    "timezone_offset": 123,
    "unmapped": {}
  }
}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| activity_name | string | The event activity name, as defined by the activity_id. |
| attacks | array | An array of attacks associated with an event. |
| attacks.tactics | array | The list of tactic IDs/names that are associated with the attack technique, as defined by [ATT&CK Matrix TM](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| attacks.tactics.name | string | The tactic name that is associated with the attack technique, as defined by [ATT&CK Matrix TM](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| attacks.tactics.uid | string | The tactic ID that is associated with the attack technique, as defined by [ATT&CK Matrix TM](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| attacks.technique | object | The attack technique. |
| attacks.technique.name | string | The name of the attack technique, as defined by [ATT&CK Matrix TM](https://attack.mitre.org/wiki/ATT&CK_Matrix). For example: Drive-by Compromise. |
| attacks.technique.uid | string | The unique identifier of the attack technique, as defined by [ATT&CK Matrix TM](https://attack.mitre.org/wiki/ATT&CK_Matrix). For example: T1189. |
| attacks.version | string | The ATT&CK Matrix version. |
| attempt | string | Attempt. |
| banner | string | Banner. |
| category_name | string | The event category name, as defined by category_uid value: Network Activity. |
| class_name | string | The event class name, as defined by class_uid value: Email Delivery Activity. |
| cloud | object | Describes details about the cloud environment where the event was originally created or logged. |
| cloud.account_name | string | The name of the account (e.g. AWS account name). |
| cloud.account_type | string | The user account type, as defined by the event source. |
| cloud.account_uid | string | The unique identifier of the account (e.g. AWS account ID). |
| cloud.org_uid | string | The unique identifier of the organization to which the user belongs. For example, Active Directory or AWS Org ID. |
| cloud.project_uid | string | Cloud project identifier. |
| cloud.provider | string | The unique name of the cloud services provider, such as AWS, MS Azure, GCP, etc. |
| cloud.region | string | The name of the cloud region, as defined by the cloud provider. |
| cloud.resource_uid | string | The unique identifier of a cloud resource. For example, S3 bucket name, EC2 instance ID. |
| cloud.zone | string | The availability zone in the cloud region, as defined by the cloud provider. |
| confidence | integer | The confidence of the reported event severity as a percentage: 0%-100%. |
| count | integer | The number of times that events in the same logical group occurred during the event start_time to end_time period. |

Output example (truncated as on the original page):

```json
{"activity_name": "string", "attacks": [], "attempt": "string", "banner": "string", "category_name": "string", "class_name": "string", "cloud": {"account_name": "example name", "account_type": "string", "account_uid": "string", "org_uid": "string", "project_uid": "string", "provider": "string", "region": "string", "resource_uid": "string", "zone": "string"}, "confidence": 123, "count": 123, "data": {}, "disposition": "string", "duration": 123, "email": {"cc": ["string"], "contains": [{}], "content_type": "string", "delivered_to": "string", "dir
```

### Email File Activity

Create an email file activity event in SOS Network Activity Events Pt1 using the specified details.

Endpoint method: GET

#### Input

| Input Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| email_file_activity | object | required | Parameter for email file activity. |
| email_file_activity.activity_name | string | required | The event activity name, as defined by the activity_id. |
| email_file_activity.attacks | array | optional | An array of attacks associated with an event. |
| email_file_activity.attacks.tactics | array | required | The list of tactic IDs/names that are associated with the attack technique, as defined by [ATT&CK Matrix TM](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| email_file_activity.attacks.tactics.name | string | optional | The tactic name that is associated with the attack technique, as defined by [ATT&CK Matrix TM](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| email_file_activity.attacks.tactics.uid | string | required | The tactic ID that is associated with the attack technique, as defined by [ATT&CK Matrix TM](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| email_file_activity.attacks.technique | object | required | The attack technique. |
| email_file_activity.attacks.technique.name | string | optional | The name of the attack technique, as defined by [ATT&CK Matrix TM](https://attack.mitre.org/wiki/ATT&CK_Matrix). For example: Drive-by Compromise. |
| email_file_activity.attacks.technique.uid | string | required | The unique identifier of the attack technique, as defined by [ATT&CK Matrix TM](https://attack.mitre.org/wiki/ATT&CK_Matrix). For example: T1189. |
| email_file_activity.attacks.version | string | required | The ATT&CK Matrix version. |
| email_file_activity.cloud | object | optional | Describes details about the cloud environment where the event was originally created or logged. |
| email_file_activity.cloud.account_name | string | optional | The name of the account (e.g. AWS account name). |
| email_file_activity.cloud.account_type | string | optional | The user account type, as defined by the event source. |
| email_file_activity.cloud.account_uid | string | optional | The unique identifier of the account (e.g. AWS account ID). |
| email_file_activity.cloud.org_uid | string | optional | The unique identifier of the organization to which the user belongs. For example, Active Directory or AWS Org ID. |
| email_file_activity.cloud.project_uid | string | optional | Cloud project identifier. |
| email_file_activity.cloud.provider | string | required | The unique name of the cloud services provider, such as AWS, MS Azure, GCP, etc. |
| email_file_activity.cloud.region | string | optional | The name of the cloud region, as defined by the cloud provider. |
| email_file_activity.cloud.resource_uid | string | optional | The unique identifier of a cloud resource. For example, S3 bucket name, EC2 instance ID. |
| email_file_activity.cloud.zone | string | optional | The availability zone in the cloud region, as defined by the cloud provider. |
| email_file_activity.confidence | integer | optional | The confidence of the reported event severity as a percentage: 0%-100%. |
| email_file_activity.connection_uid | string | optional | The network connection identifier. |
| email_file_activity.count | integer | optional | The number of times that events in the same logical group occurred during the event start_time to end_time period. |
| email_file_activity.data | object | optional | Additional data that is associated with the event. |
| email_file_activity.disposition | string | optional | The event disposition name, as defined by the disposition_id. |

Input example:

```json
{
  "email_file_activity": {
    "activity_name": "example name",
    "attacks": [
      {
        "tactics": [{"name": "example name", "uid": "string"}],
        "technique": {"name": "example name", "uid": "string"},
        "version": "string"
      }
    ],
    "cloud": {
      "account_name": "example name", "account_type": "string", "account_uid": "string",
      "org_uid": "string", "project_uid": "string", "provider": "string",
      "region": "string", "resource_uid": "string", "zone": "string"
    },
    "confidence": 123,
    "connection_uid": "string",
    "count": 123,
    "data": {},
    "disposition": "string",
    "duration": 123,
    "email_uid": "string",
    "end_time_dt": "string",
    "file": {
      "accessed_time_dt": "string", "accessor": "string", "attributes": 123,
      "company_name": "example name", "confidentiality": "string", "created_time_dt": "string",
      "creator": "string", "desc": "string",
      "fingerprints": [{"algorithm": "string", "value": "string"}],
      "is_system": true, "mime_type": "string", "modified_time_dt": "string", "modifier": "string",
      "name": "example name", "owner": "string", "parent_folder": "string", "path": "string",
      "product": {
        "feature": {}, "lang": "string", "name": "example name", "path": "string",
        "uid": "string", "vendor_name": "example name", "version": "string"
      },
      "security_descriptor": "string",
      "signature": {
        "company_name": "example name", "created_time_dt": "string", "developer_uid": "string",
        "fingerprints": [], "issuer_name": "example name", "serial_number": "string"
      },
      "size": 123, "type": "string", "uid": "string", "version": "string", "xattributes": {}
    },
    "malware": [
      {
        "classifications": ["string"],
        "cves": [
          {
            "created_time_dt": "string", "cvss": {}, "cwe_uid": "string", "cwe_url": "string",
            "modified_time_dt": "string", "product": {}, "type": "string", "uid": "string"
          }
        ],
        "name": "example name", "path": "string", "provider": "string", "uid": "string"
      }
    ],
    "message": "string",
    "metadata": {
      "correlation_uid": "string", "labels": ["string"], "logged_time_dt": "string",
      "modified_time_dt": "string", "original_time": "string", "processed_time_dt": "string",
      "product": {
        "feature": {}, "lang": "string", "name": "example name", "path": "string",
        "uid": "string", "vendor_name": "example name", "version": "string"
      },
      "profiles": ["string"], "sequence": 123, "uid": "string", "version": "string"
    },
    "observables": [
      {
        "enrichments": [{"data": {}, "name": "example name", "provider": "string", "type": "string", "value": {}}],
        "name": "example name", "type": "string", "value": {}
      }
    ],
    "raw_data": "string",
    "severity": "string",
    "start_time_dt": "string",
    "status": "active",
    "status_detail": "active",
    "time_dt": "string",
    "timezone_offset": 123,
    "unmapped": {}
  }
}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| activity_name | string | The event activity name, as defined by the activity_id. |
| attacks | array | An array of attacks associated with an event. |
| attacks.tactics | array | The list of tactic IDs/names that are associated with the attack technique, as defined by [ATT&CK Matrix TM](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| attacks.tactics.name | string | The tactic name that is associated with the attack technique, as defined by [ATT&CK Matrix TM](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| attacks.tactics.uid | string | The tactic ID that is associated with the attack technique, as defined by [ATT&CK Matrix TM](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| attacks.technique | object | The attack technique. |
| attacks.technique.name | string | The name of the attack technique, as defined by [ATT&CK Matrix TM](https://attack.mitre.org/wiki/ATT&CK_Matrix). For example: Drive-by Compromise. |
| attacks.technique.uid | string | The unique identifier of the attack technique, as defined by [ATT&CK Matrix TM](https://attack.mitre.org/wiki/ATT&CK_Matrix). For example: T1189. |
| attacks.version | string | The ATT&CK Matrix version. |
| category_name | string | The event category name, as defined by category_uid value: Network Activity. |
| class_name | string | The event class name, as defined by class_uid value: Email File Activity. |
| cloud | object | Describes details about the cloud environment where the event was originally created or logged. |
| cloud.account_name | string | The name of the account (e.g. AWS account name). |
| cloud.account_type | string | The user account type, as defined by the event source. |
account uid string the unique identifier of the account (e g aws account id) cloud org uid string the unique identifier of the organization to which the user belongs for example, active directory or aws org id cloud project uid string cloud project identifier cloud provider string the unique name of the cloud services provider, such as aws, ms azure, gcp, etc cloud region string the name of the cloud region, as defined by the cloud provider cloud resource uid string the unique identifier of a cloud resource for example, s3 bucket name, ec2 instance id cloud zone string the availability zone in the cloud region, as defined by the cloud provider confidence integer the confidence of the reported event severity as a percentage 0% 100% connection uid string the network connection identifier count integer the number of times that events in the same logical group occurred during the event start time to end time period data object additional data that is associated with the event output example {"activity name" "string","attacks" \[],"category name" "string","class name" "string","cloud" {"account name" "example name","account type" "string","account uid" "string","org uid" "string","project uid" "string","provider" "string","region" "string","resource uid" "string","zone" "string"},"confidence" 123,"connection uid" "string","count" 123,"data" {},"disposition" "string","duration" 123,"email uid" "string","end time dt" "string","file" {"accessed time dt" "string","accessor" "string","att email url activity create an email url activity event in sos network activity events pt1 using the specified details endpoint method get input argument name type required description email url activity object required url endpoint for the request email url activity activity name string required the event activity name, as defined by the activity id email url activity attacks array optional an array of attacks associated with an event email url activity attacks tactics array required the a 
list of tactic id's/names that are associated with the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm email url activity attacks tactics name string optional the tactic name that is associated with the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm email url activity attacks tactics uid string required the tactic id that is associated with the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm email url activity attacks technique object required the attack technique email url activity attacks technique name string optional the name of the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm for example drive by compromise email url activity attacks technique uid string required the unique identifier of the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm for example t1189 email url activity attacks version string required the att\&ck matrix version email url activity cloud object optional describes details about the cloud enviroment where the event was originally created or logged email url activity cloud account name string optional the name of the account (e g aws account name) email url activity cloud account type string optional the user account type, as defined by the event source email url activity cloud account uid string optional the unique identifier of the account (e g aws account id) email url activity cloud org uid string optional the unique identifier of the organization to which the user belongs for example, active directory or aws org id email url activity cloud project uid string optional cloud project identifier email url activity cloud provider string required the unique name of the cloud services provider, such as aws, ms azure, gcp, etc email url activity cloud region string optional the name of the cloud region, as 
defined by the cloud provider email url activity cloud resource uid string optional the unique identifier of a cloud resource for example, s3 bucket name, ec2 instance id email url activity cloud zone string optional the availability zone in the cloud region, as defined by the cloud provider email url activity confidence integer optional the confidence of the reported event severity as a percentage 0% 100% email url activity connection uid string optional the network connection identifier email url activity count integer optional the number of times that events in the same logical group occurred during the event start time to end time period email url activity data object optional additional data that is associated with the event email url activity disposition string optional the event disposition name, as defined by the disposition id input example {"email url activity" {"activity name" "example name","attacks" \[{"tactics" \[{"name" "example name","uid" "string"}],"technique" {"name" "example name","uid" "string"},"version" "string"}],"cloud" {"account name" "example name","account type" "string","account uid" "string","org uid" "string","project uid" "string","provider" "string","region" "string","resource uid" "string","zone" "string"},"confidence" 123,"connection uid" "string","count" 123,"data" {},"disposition" "string","duration" 123,"email uid" "string","end time dt" "string","malware" \[{"classifications" \["string"],"cves" \[{"created time dt" "string","cvss" {},"cwe uid" "string","cwe url" "string","modified time dt" "string","product" {},"type" "string","uid" "string"}],"name" "example name","path" "string","provider" "string","uid" "string"}],"message" "string","metadata" {"correlation uid" "string","labels" \["string"],"logged time dt" "string","modified time dt" "string","original time" "string","processed time dt" "string","product" {"feature" {},"lang" "string","name" "example name","path" "string","uid" "string","vendor name" "example 
name","version" "string"},"profiles" \["string"],"sequence" 123,"uid" "string","version" "string"},"observables" \[{"enrichments" \[{"data" {},"name" "example name","provider" "string","type" "string","value" {}}],"name" "example name","type" "string","value" {}}],"raw data" "string","severity" "string","start time dt" "string","status" "active","status detail" "active","time dt" "string","timezone offset" 123,"unmapped" {},"url" {"categories" \["string"],"hostname" "example name","path" "string","port" 123,"query string" "string","reputation" {"base score" 123,"provider" "string","score" "string"},"resource type" "string","scheme" "string","text" "string"}}} output parameter type description activity name string the event activity name, as defined by the activity id attacks array an array of attacks associated with an event attacks tactics array the a list of tactic id's/names that are associated with the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm attacks tactics name string the tactic name that is associated with the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm attacks tactics uid string the tactic id that is associated with the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm attacks technique object the attack technique attacks technique name string the name of the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm for example drive by compromise attacks technique uid string the unique identifier of the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm for example t1189 attacks version string the att\&ck matrix version category name string the event category name, as defined by category uid value network activity class name string the event class name, as defined by class uid value email url activity cloud object describes 
details about the cloud enviroment where the event was originally created or logged cloud account name string the name of the account (e g aws account name) cloud account type string the user account type, as defined by the event source cloud account uid string the unique identifier of the account (e g aws account id) cloud org uid string the unique identifier of the organization to which the user belongs for example, active directory or aws org id cloud project uid string cloud project identifier cloud provider string the unique name of the cloud services provider, such as aws, ms azure, gcp, etc cloud region string the name of the cloud region, as defined by the cloud provider cloud resource uid string the unique identifier of a cloud resource for example, s3 bucket name, ec2 instance id cloud zone string the availability zone in the cloud region, as defined by the cloud provider confidence integer the confidence of the reported event severity as a percentage 0% 100% connection uid string the network connection identifier count integer the number of times that events in the same logical group occurred during the event start time to end time period data object additional data that is associated with the event output example {"activity name" "string","attacks" \[],"category name" "string","class name" "string","cloud" {"account name" "example name","account type" "string","account uid" "string","org uid" "string","project uid" "string","provider" "string","region" "string","resource uid" "string","zone" "string"},"confidence" 123,"connection uid" "string","count" 123,"data" {},"disposition" "string","duration" 123,"email uid" "string","end time dt" "string","malware" \[],"message" "string"} ftp activity create an ftp activity event in sos network activity events pt1 using the provided activity details endpoint method get input argument name type required description ftp activity object required parameter for ftp activity ftp activity activity name string required 
the event activity name, as defined by the activity id ftp activity app name string optional the name of the application that is associated with the event or object ftp activity attacks array optional an array of attacks associated with an event ftp activity attacks tactics array required the a list of tactic id's/names that are associated with the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm ftp activity attacks tactics name string optional the tactic name that is associated with the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm ftp activity attacks tactics uid string required the tactic id that is associated with the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm ftp activity attacks technique object required the attack technique ftp activity attacks technique name string optional the name of the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm for example drive by compromise ftp activity attacks technique uid string required the unique identifier of the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm for example t1189 ftp activity attacks version string required the att\&ck matrix version ftp activity cloud object optional describes details about the cloud enviroment where the event was originally created or logged ftp activity cloud account name string optional the name of the account (e g aws account name) ftp activity cloud account type string optional the user account type, as defined by the event source ftp activity cloud account uid string optional the unique identifier of the account (e g aws account id) ftp activity cloud org uid string optional the unique identifier of the organization to which the user belongs for example, active directory or aws org id ftp activity cloud project uid string optional cloud project 
identifier ftp activity cloud provider string required the unique name of the cloud services provider, such as aws, ms azure, gcp, etc ftp activity cloud region string optional the name of the cloud region, as defined by the cloud provider ftp activity cloud resource uid string optional the unique identifier of a cloud resource for example, s3 bucket name, ec2 instance id ftp activity cloud zone string optional the availability zone in the cloud region, as defined by the cloud provider ftp activity codes array optional the list of return codes to the ftp command ftp activity command string optional the ftp command ftp activity command responses array optional the list of responses to the ftp command ftp activity confidence integer optional the confidence of the reported event severity as a percentage 0% 100% input example {"ftp activity" {"activity name" "example name","app name" "example name","attacks" \[{"tactics" \[{"name" "example name","uid" "string"}],"technique" {"name" "example name","uid" "string"},"version" "string"}],"cloud" {"account name" "example name","account type" "string","account uid" "string","org uid" "string","project uid" "string","provider" "string","region" "string","resource uid" "string","zone" "string"},"codes" \[],"command" "string","command responses" \["string"],"confidence" 123,"connection info" {"boundary" "string","direction" "string","protocol name" "example name","protocol num" 123,"protocol ver" "string","tcp flags" 123,"uid" "string"},"count" 123,"data" {},"disposition" "string","dst endpoint" {"domain" "string","hostname" "example name","instance uid" "string","interface uid" "string","intermediate ips" \["string"],"ip" "string","location" {"city" "string","continent" "string","coordinates" \[123],"country" "string","desc" "string","is on premises"\ true,"isp" "string","postal code" "string","provider" "string","region" "string"},"mac" "string","name" "example name","port" 123,"reputation" {"base score" 123,"provider" 
"string","score" "string"},"subnet uid" "string","svc name" "example name","uid" "string","vlan uid" "string","vpc uid" "string"},"duration" 123,"end time dt" "string","malware" \[{"classifications" \["string"],"cves" \[{"created time dt" "string","cvss" {},"cwe uid" "string","cwe url" "string","modified time dt" "string","product" {},"type" "string","uid" "string"}],"name" "example name","path" "string","provider" "string","uid" "string"}],"message" "string","metadata" {"correlation uid" "string","labels" \["string"],"logged time dt" "string","modified time dt" "string","original time" "string","processed time dt" "string","product" {"feature" {},"lang" "string","name" "example name","path" "string","uid" "string","vendor name" "example name","version" "string"},"profiles" \["string"],"sequence" 123,"uid" "string","version" "string"},"name" "example name","observables" \[{"enrichments" \[{"data" {},"name" "example name","provider" "string","type" "string","value" {}}],"name" "example name","type" "string","value" {}}],"port" 123,"proxy" {"hostname" "example name","ip" "string","port" 123,"svc name" "example name","uid" "string"},"raw data" "string","severity" "string","src endpoint" {"domain" "string","hostname" "example name","instance uid" "string","interface uid" "string","intermediate ips" \["string"],"ip" "string","location" {"city" "string","continent" "string","coordinates" \[123],"country" "string","desc" "string","is on premises"\ true,"isp" "string","postal code" "string","provider" "string","region" "string"},"mac" "string","name" "example name","port" 123,"reputation" {"base score" 123,"provider" "string","score" "string"},"subnet uid" "string","svc name" "example name","uid" "string","vlan uid" "string","vpc uid" "string"},"start time dt" "string","status" "active","status detail" "active","time dt" "string","timezone offset" 123,"tls" {"alert" 123,"certificate" {"created time dt" "string","expiration time dt" "string","fingerprint" {},"issuer dn" 
"string","serial number" "string","subject dn" "string","version" "string"},"certificate chain" \["string"],"cipher" "string","client ciphers" \["string"],"extension list" \[{"data" {},"type" "string"}],"handshake dur" 123,"ja3 fingerprint" {"algorithm" "string","value" "string"},"ja3 string" "string","ja3s fingerprint" {"algorithm" "string","value" "string"},"ja3s string" "string","key length" 123,"sans" \[{"name" "example name","type" "string"}],"server ciphers" \["string"],"sni" "string","version" "string"},"traffic" {"bytes" 123,"bytes in" 123,"bytes out" 123,"packets" 123,"packets in" 123,"packets out" 123},"type" "string","unmapped" {}}} output parameter type description activity name string the event activity name, as defined by the activity id app name string the name of the application that is associated with the event or object attacks array an array of attacks associated with an event attacks tactics array the a list of tactic id's/names that are associated with the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm attacks tactics name string the tactic name that is associated with the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm attacks tactics uid string the tactic id that is associated with the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm attacks technique object the attack technique attacks technique name string the name of the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm for example drive by compromise attacks technique uid string the unique identifier of the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm for example t1189 attacks version string the att\&ck matrix version category name string the event category name, as defined by category uid value network activity class name string the event class name, as 
defined by class uid value ftp activity cloud object describes details about the cloud enviroment where the event was originally created or logged cloud account name string the name of the account (e g aws account name) cloud account type string the user account type, as defined by the event source cloud account uid string the unique identifier of the account (e g aws account id) cloud org uid string the unique identifier of the organization to which the user belongs for example, active directory or aws org id cloud project uid string cloud project identifier cloud provider string the unique name of the cloud services provider, such as aws, ms azure, gcp, etc cloud region string the name of the cloud region, as defined by the cloud provider cloud resource uid string the unique identifier of a cloud resource for example, s3 bucket name, ec2 instance id cloud zone string the availability zone in the cloud region, as defined by the cloud provider codes array the list of return codes to the ftp command command string the ftp command command responses array the list of responses to the ftp command output example {"activity name" "string","app name" "string","attacks" \[],"category name" "string","class name" "string","cloud" {"account name" "example name","account type" "string","account uid" "string","org uid" "string","project uid" "string","provider" "string","region" "string","resource uid" "string","zone" "string"},"codes" \[],"command" "string","command responses" \[],"confidence" 123,"connection info" {"boundary" "string","direction" "string","protocol name" "example name","protocol num" 123,"protoc http activity create an http activity event in sos network activity events pt1 using the provided activity data endpoint method get input argument name type required description http activity object required parameter for http activity http activity activity name string required the event activity name, as defined by the activity id http activity app name string 
optional the name of the application that is associated with the event or object http activity attacks array optional an array of attacks associated with an event http activity attacks tactics array required the a list of tactic id's/names that are associated with the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm http activity attacks tactics name string optional the tactic name that is associated with the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm http activity attacks tactics uid string required the tactic id that is associated with the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm http activity attacks technique object required the attack technique http activity attacks technique name string optional the name of the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm for example drive by compromise http activity attacks technique uid string required the unique identifier of the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm for example t1189 http activity attacks version string required the att\&ck matrix version http activity cloud object optional describes details about the cloud enviroment where the event was originally created or logged http activity cloud account name string optional the name of the account (e g aws account name) http activity cloud account type string optional the user account type, as defined by the event source http activity cloud account uid string optional the unique identifier of the account (e g aws account id) http activity cloud org uid string optional the unique identifier of the organization to which the user belongs for example, active directory or aws org id http activity cloud project uid string optional cloud project identifier http activity cloud provider string required the unique name 
of the cloud services provider, such as aws, ms azure, gcp, etc http activity cloud region string optional the name of the cloud region, as defined by the cloud provider http activity cloud resource uid string optional the unique identifier of a cloud resource for example, s3 bucket name, ec2 instance id http activity cloud zone string optional the availability zone in the cloud region, as defined by the cloud provider http activity confidence integer optional the confidence of the reported event severity as a percentage 0% 100% http activity connection info object optional the network connection information http activity connection info boundary string optional the boundary of the connection, as defined by the event source for cloud connections, this translates to the traffic boundary(same vpc, through igw, etc ) for traditional networks, this is described as local, internal, or external http activity connection info direction string optional the direction of the initiated connection input example {"http activity" {"activity name" "example name","app name" "example name","attacks" \[{"tactics" \[{"name" "example name","uid" "string"}],"technique" {"name" "example name","uid" "string"},"version" "string"}],"cloud" {"account name" "example name","account type" "string","account uid" "string","org uid" "string","project uid" "string","provider" "string","region" "string","resource uid" "string","zone" "string"},"confidence" 123,"connection info" {"boundary" "string","direction" "string","protocol name" "example name","protocol num" 123,"protocol ver" "string","tcp flags" 123,"uid" "string"},"count" 123,"data" {},"disposition" "string","dst endpoint" {"domain" "string","hostname" "example name","instance uid" "string","interface uid" "string","intermediate ips" \["string"],"ip" "string","location" {"city" "string","continent" "string","coordinates" \[123],"country" "string","desc" "string","is on premises"\ true,"isp" "string","postal code" "string","provider" 
"string","region" "string"},"mac" "string","name" "example name","port" 123,"reputation" {"base score" 123,"provider" "string","score" "string"},"subnet uid" "string","svc name" "example name","uid" "string","vlan uid" "string","vpc uid" "string"},"duration" 123,"end time dt" "string","http request" {"args" "string","http headers" \[{"name" "example name","value" {}}],"http method" "string","prefix" "string","referrer" "string","uid" "string","url" {"categories" \["string"],"hostname" "example name","path" "string","port" 123,"query string" "string","reputation" {},"resource type" "string","scheme" "string","text" "string"},"user agent" "string","version" "string","x forwarded for" \["string"]},"http response" {"code" 123,"content type" "string","latency" 123,"length" 123,"message" "string","status" "active"},"http status" 123,"malware" \[{"classifications" \["string"],"cves" \[{"created time dt" "string","cvss" {},"cwe uid" "string","cwe url" "string","modified time dt" "string","product" {},"type" "string","uid" "string"}],"name" "example name","path" "string","provider" "string","uid" "string"}],"message" "string","metadata" {"correlation uid" "string","labels" \["string"],"logged time dt" "string","modified time dt" "string","original time" "string","processed time dt" "string","product" {"feature" {},"lang" "string","name" "example name","path" "string","uid" "string","vendor name" "example name","version" "string"},"profiles" \["string"],"sequence" 123,"uid" "string","version" "string"},"observables" \[{"enrichments" \[{"data" {},"name" "example name","provider" "string","type" "string","value" {}}],"name" "example name","type" "string","value" {}}],"proxy" {"hostname" "example name","ip" "string","port" 123,"svc name" "example name","uid" "string"},"raw data" "string","severity" "string","src endpoint" {"domain" "string","hostname" "example name","instance uid" "string","interface uid" "string","intermediate ips" \["string"],"ip" "string","location" {"city" 
"string","continent" "string","coordinates" \[123],"country" "string","desc" "string","is on premises"\ true,"isp" "string","postal code" "string","provider" "string","region" "string"},"mac" "string","name" "example name","port" 123,"reputation" {"base score" 123,"provider" "string","score" "string"},"subnet uid" "string","svc name" "example name","uid" "string","vlan uid" "string","vpc uid" "string"},"start time dt" "string","status" "active","status detail" "active","time dt" "string","timezone offset" 123,"tls" {"alert" 123,"certificate" {"created time dt" "string","expiration time dt" "string","fingerprint" {},"issuer dn" "string","serial number" "string","subject dn" "string","version" "string"},"certificate chain" \["string"],"cipher" "string","client ciphers" \["string"],"extension list" \[{"data" {},"type" "string"}],"handshake dur" 123,"ja3 fingerprint" {"algorithm" "string","value" "string"},"ja3 string" "string","ja3s fingerprint" {"algorithm" "string","value" "string"},"ja3s string" "string","key length" 123,"sans" \[{"name" "example name","type" "string"}],"server ciphers" \["string"],"sni" "string","version" "string"},"traffic" {"bytes" 123,"bytes in" 123,"bytes out" 123,"packets" 123,"packets in" 123,"packets out" 123},"unmapped" {}}} output parameter type description activity name string the event activity name, as defined by the activity id app name string the name of the application that is associated with the event or object attacks array an array of attacks associated with an event attacks tactics array the a list of tactic id's/names that are associated with the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm attacks tactics name string the tactic name that is associated with the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm attacks tactics uid string the tactic id that is associated with the attack technique, as defined by https //attack mitre 
org/wiki/att\&ck matrix att\&ck matrix tm attacks technique object the attack technique attacks technique name string the name of the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm for example drive by compromise attacks technique uid string the unique identifier of the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm for example t1189 attacks version string the att\&ck matrix version category name string the event category name, as defined by category uid value network activity class name string the event class name, as defined by class uid value http activity cloud object describes details about the cloud enviroment where the event was originally created or logged cloud account name string the name of the account (e g aws account name) cloud account type string the user account type, as defined by the event source cloud account uid string the unique identifier of the account (e g aws account id) cloud org uid string the unique identifier of the organization to which the user belongs for example, active directory or aws org id cloud project uid string cloud project identifier cloud provider string the unique name of the cloud services provider, such as aws, ms azure, gcp, etc cloud region string the name of the cloud region, as defined by the cloud provider cloud resource uid string the unique identifier of a cloud resource for example, s3 bucket name, ec2 instance id cloud zone string the availability zone in the cloud region, as defined by the cloud provider confidence integer the confidence of the reported event severity as a percentage 0% 100% connection info object the network connection information connection info boundary string the boundary of the connection, as defined by the event source for cloud connections, this translates to the traffic boundary(same vpc, through igw, etc ) for traditional networks, this is described as local, internal, or external output 
example {"activity name" "string","app name" "string","attacks" \[],"category name" "string","class name" "string","cloud" {"account name" "example name","account type" "string","account uid" "string","org uid" "string","project uid" "string","provider" "string","region" "string","resource uid" "string","zone" "string"},"confidence" 123,"connection info" {"boundary" "string","direction" "string","protocol name" "example name","protocol num" 123,"protocol ver" "string","tcp flags" 123,"uid" "string"},"cou response headers header description example content type the media type of the resource application/json date the date and time at which the message was originated thu, 01 jan 2024 00 00 00 gmt