# SOS Objects Pt1
The SOS Objects Pt1 connector exposes a set of structured security object schemas (actor, attack, cloud, compliance, CVE, CVSS, device, digital signature, email, email authentication) as Swimlane playbook actions. SOS Objects Pt1 is a security automation toolkit that captures telemetry and extends the range of available actions beyond the conventional XDR ecosystem; through this connector, object definitions from third-party services can be used inside Swimlane playbooks. Each action takes one object as its required input and returns the same fields, so playbook inputs and outputs for APIs can be configured without writing code.

Field names below use the schema's own identifiers (for example `cmd_line`, `created_time_dt`); nested fields are written as dotted paths (`process.file.name`) and array members as `fingerprints[].value`. Every action uses the GET method. Where an output is described as "same fields as the input", the output object repeats the input object's fields, with any listed additions.

## Prerequisites

None.

## Actions

### Actor

Returns the `actor` object passed in: the process and/or user responsible for an activity.

**Endpoint method:** GET

**Input:** `actor` (object, required), with the following fields:

| Name | Type | Required | Description |
|---|---|---|---|
| process | object | optional | The process that initiated the activity. |
| process.cmd_line | string | optional | The full command line used to launch an application, service, process, or job, for example `ssh user@10.0.0.10`. If the command line is unavailable or missing, the empty string `''` is to be used. |
| process.created_time_dt | string | optional | The time when the process was created/started. |
| process.file | object | optional | The process file object. |
| process.file.accessed_time_dt | string | optional | The time when the file was last accessed. |
| process.file.accessor | string | optional | The name of the user who last accessed the object. |
| process.file.attributes | integer | optional | The bitmask value that represents the file attributes. |
| process.file.company_name | string | optional | The name of the company that published the file, for example `Microsoft Corporation`. |
| process.file.confidentiality | string | optional | The file content confidentiality, as defined by the event source. |
| process.file.created_time_dt | string | optional | The time when the file was created. |
| process.file.creator | string | optional | The user that created the file. |
| process.file.desc | string | optional | The description of the file, as returned by the file system, for example the description returned by the Unix `file` command or the Windows file type. |
| process.file.fingerprints | array | optional | An array of digital fingerprint objects. |
| process.file.fingerprints[].algorithm | string | optional | The hash algorithm, as reported by the event source, which was used to create the digital fingerprint. |
| process.file.fingerprints[].value | string | required | The digital fingerprint value. |
| process.file.is_system | boolean | optional | Whether the object is part of the operating system. |
| process.file.mime_type | string | optional | The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. |
| process.file.modified_time_dt | string | optional | The time when the file was last modified. |
| process.file.modifier | string | optional | The user that last modified the file. |
| process.file.name | string | required | The name of the file, for example `svchost.exe`. |
| process.file.owner | string | optional | The user that owns the file/object. |
| process.file.parent_folder | string | optional | The parent folder in which the file resides, for example `C:\Windows\System32`. |
| process.file.path | string | optional | The full path to the file, for example `C:\Windows\System32\svchost.exe`. |
| process.file.product | object | optional | The product that created or installed the file. |

**Output:** same fields as the input `actor` object, plus:

| Name | Type | Description |
|---|---|---|
| process.file.product.feature | object | The feature that reported the event. |

**Example**

```json
[
  {
    "process": {
      "cmd_line": "string",
      "created_time_dt": "string",
      "file": {},
      "integrity": "string",
      "integrity_id": 123,
      "lineage": [],
      "loaded_modules": [],
      "name": "example name",
      "parent_process": {},
      "pid": 123,
      "sandbox": "string",
      "terminated_time_dt": "string",
      "tid": 123,
      "uid": "string",
      "user": {}
    },
    "user": {
      "account_type": "string",
      "account_uid": "string",
      "credential_uid": "string",
      "domain": "string",
      "email_addr": "string",
      "groups": [],
      "name": "example name",
      "org_uid": "string",
      "session_uid": "string",
      "session_uuid": "string",
      "type": "string",
      "uid": "string",
      "uuid": "12345678-1234-1234-1234-123456789abc"
    }
  }
]
```

### Attack

Returns the MITRE ATT&CK `attack` object passed in: the tactics and technique associated with an activity, and the matrix version they come from.

**Endpoint method:** GET

**Input:** `attack` (object, required), with the following fields:

| Name | Type | Required | Description |
|---|---|---|---|
| tactics | array | required | The tactic IDs/names associated with the attack technique, as defined by the ATT&CK Matrix™ (https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| tactics[].name | string | optional | The tactic name associated with the attack technique, as defined by the ATT&CK Matrix™. |
| tactics[].uid | string | required | The tactic ID associated with the attack technique, as defined by the ATT&CK Matrix™. |
| technique | object | required | The attack technique. |
| technique.name | string | optional | The name of the attack technique, as defined by the ATT&CK Matrix™, for example `Drive-by Compromise`. |
| technique.uid | string | required | The unique identifier of the attack technique, as defined by the ATT&CK Matrix™, for example `T1189`. |
| version | string | required | The ATT&CK Matrix version. |

**Output:** same fields as the input `attack` object.

**Example**

```json
[
  {
    "tactics": [],
    "technique": {
      "name": "example name",
      "uid": "string"
    },
    "version": "string"
  }
]
```

### Cloud

Returns the `cloud` object passed in: the account, provider, region, and resource that an activity involved.

**Endpoint method:** GET

**Input:** `cloud` (object, required), with the following fields:

| Name | Type | Required | Description |
|---|---|---|---|
| account_name | string | optional | The name of the account (e.g., AWS account name). |
| account_type | string | optional | The user account type, as defined by the event source. |
| account_uid | string | optional | The unique identifier of the account (e.g., AWS account ID). |
| org_uid | string | optional | The unique identifier of the organization to which the user belongs, for example an Active Directory or AWS Organizations ID. |
| project_uid | string | optional | The cloud project identifier. |
| provider | string | required | The unique name of the cloud services provider, such as AWS, MS Azure, GCP, etc. |
| region | string | optional | The name of the cloud region, as defined by the cloud provider. |
| resource_uid | string | optional | The unique identifier of a cloud resource, for example an S3 bucket name or an EC2 instance ID. |
| zone | string | optional | The availability zone in the cloud region, as defined by the cloud provider. |

**Output:** same fields as the input `cloud` object.

**Example**

```json
[
  {
    "account_name": "string",
    "account_type": "string",
    "account_uid": "string",
    "org_uid": "string",
    "project_uid": "string",
    "provider": "string",
    "region": "string",
    "resource_uid": "string",
    "zone": "string"
  }
]
```

### Compliance Details

Returns the `compliance` object passed in: the compliance requirements a finding relates to and its status.

**Endpoint method:** GET

**Input:** `compliance` (object, required), with the following fields:

| Name | Type | Required | Description |
|---|---|---|---|
| requirements | array | optional | A list of the compliance requirements to which this finding relates. |
| status | string | optional | The event status, as reported by the event source. |
| status_detail | string | optional | Additional information about the event outcome. |

**Output:** same fields as the input `compliance` object.

**Example**

```json
[
  {
    "requirements": [],
    "status": "string",
    "status_detail": "string"
  }
]
```

### CVE

Returns the `cve` object passed in: a Common Vulnerabilities and Exposures record with its CVSS scoring, CWE classification, and affected product.

**Endpoint method:** GET

**Input:** `cve` (object, required), with the following fields:

| Name | Type | Required | Description |
|---|---|---|---|
| created_time_dt | string | optional | The record creation date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE record was published on the CVE List. Note that the record creation date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. |
| cvss | object | optional | Common Vulnerability Scoring System (https://www.first.org/cvss/) scores from the advisory that are related to the vulnerability. Its fields are those of the CVSS Score action below. |
| cwe_uid | string | optional | The Common Weakness Enumeration (CWE, https://cwe.mitre.org/) unique identifier, for example `CWE-787`. |
| cwe_url | string | optional | The CWE definition URL, for example https://cwe.mitre.org/data/definitions/787.html. |
| modified_time_dt | string | optional | The record modified date identifies when the CVE record was last updated. |
| product | object | optional | The product where the vulnerability was discovered. |
| product.feature | object | optional | The feature that reported the event. |
| product.feature.name | string | optional | The name of the product feature. |
| product.feature.uid | string | optional | The unique identifier of the product feature. |
| product.feature.version | string | optional | The version of the product feature. |
| product.lang | string | optional | The two-letter lower-case language code, as defined by ISO 639-1 (https://en.wikipedia.org/wiki/ISO_639-1), for example `en` (English), `de` (German), or `fr` (French). |
| product.name | string | required | The name of the product. |
| product.path | string | optional | The installation path of the product. |
| product.uid | string | optional | The unique identifier of the product. |
| product.vendor_name | string | required | The name of the vendor of the product. |

**Output:** same fields as the input `cve` object, plus:

| Name | Type | Description |
|---|---|---|
| product.version | string | The version of the product, as defined by the event source, for example `2013.1.3-beta`. |

**Example**

```json
[
  {
    "created_time_dt": "string",
    "cvss": {
      "base_score": 123,
      "depth": "string",
      "metrics": [],
      "overall_score": 123,
      "severity": "string",
      "vector_string": "string",
      "version": "string"
    },
    "cwe_uid": "string",
    "cwe_url": "string",
    "modified_time_dt": "string",
    "product": {
      "feature": {},
      "lang": "string",
      "name": "example name",
      "path": "string",
      "uid": "string",
      "vendor_name": "example name",
      "version": "string"
    },
    "type": "string",
    "uid": "string"
  }
]
```

### CVSS Score

Returns the `cvss` object passed in: a Common Vulnerability Scoring System score together with its metrics, vector string, and qualitative severity.

**Endpoint method:** GET

**Input:** `cvss` (object, required), with the following fields:

| Name | Type | Required | Description |
|---|---|---|---|
| base_score | number | required | The CVSS base score, for example `9.1`. |
| depth | string | optional | The CVSS depth: which depth of the scoring equation (base only, or base with temporal and environmental metrics) was used to calculate the score. |
| metrics | array | optional | The CVSS metrics. This attribute contains information on the CVE's impact; if the CVE has been analyzed, it contains any CVSSv2 or CVSSv3 information associated with the vulnerability, for example `[{"name": "Access Vector", "value": "Network"}, {"name": "Access Complexity", "value": "Low"}]`. |
| metrics[].name | string | required | The name of the metric. |
| metrics[].value | object | required | The value of the metric. |
| overall_score | number | optional | The CVSS overall score, impacted by base, temporal, and environmental metrics, for example `9.1`. |
| severity | string | optional | The CVSS qualitative severity rating, a textual representation of the numeric score. CVSS v2.0: Low (0.0–3.9), Medium (4.0–6.9), High (7.0–10.0). CVSS v3.0: None (0.0), Low (0.1–3.9), Medium (4.0–6.9), High (7.0–8.9), Critical (9.0–10.0). The same number maps to different ratings under the two versions (9.1 is High in v2.0 and Critical in v3.0), so the rating is only meaningful together with `version`. |
| vector_string | string | optional | The CVSS vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise form, for example `3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H` (FIRST publishes the same vector with a `CVSS:` prefix, `CVSS:3.1/AV:L/...`). |
| version | string | required | The CVSS version, for example `3.1`. |

**Output:** same fields as the input `cvss` object.

**Example**

```json
[
  {
    "base_score": 123,
    "depth": "string",
    "metrics": [],
    "overall_score": 123,
    "severity": "string",
    "vector_string": "string",
    "version": "string"
  }
]
```

### Device

Returns the `device` object passed in: the endpoint, instance, or appliance involved in an activity.

**Endpoint method:** GET

**Input:** `device` (object, required), with the following fields:

| Name | Type | Required | Description |
|---|---|---|---|
| autoscale_uid | string | optional | The unique identifier of the cloud autoscale configuration. |
| desc | string | optional | The description of the device, ordinarily as reported by the operating system. |
| domain | string | optional | The network domain where the device resides, for example `work.example.com`. |
| groups | array | optional | The groups to which the device belongs, for example `["Windows Laptops", "Engineering"]`. |
| groups[].desc | string | optional | The group description. |
| groups[].name | string | required | The group name. |
| groups[].privileges | array | optional | The group privileges. |
| groups[].type | string | optional | The type of the group or account. |
| groups[].uid | string | optional | The unique identifier of the group; for Windows events this is the security identifier (SID) of the group. |
| hostname | string | optional | The device hostname. |
| hw_info | object | optional | The device hardware information. Its fields are those of the Device Hardware Info action below. |

**Output:** same fields as the input `device` object.

**Example**

```json
[
  {
    "autoscale_uid": "string",
    "desc": "string",
    "domain": "string",
    "groups": [],
    "hostname": "string",
    "hw_info": {
      "bios_date": "string",
      "bios_manufacturer": "string",
      "bios_ver": "string",
      "chassis": "string",
      "cpu_bits": 123,
      "cpu_cores": 123,
      "cpu_count": 123,
      "cpu_speed": 123,
      "cpu_type": "string",
      "desktop_display": {},
      "keyboard_info": {},
      "ram_size": 123,
      "serial_number": "string"
    },
    "hypervisor": "string",
    "image": {
      "labels": [],
      "name": "example name",
      "path": "string",
      "tag": "string",
      "uid": "string"
    },
    "imei": "string",
    "instance_uid": "string",
    "interface_uid": "string",
    "ip": "string",
    "is_compliant": true,
    "is_managed": true,
    "is_personal": true
  }
]
```

### Device Hardware Info

Returns the `device_hw_info` object passed in: the BIOS, CPU, display, keyboard, memory, and serial-number details of a device.

**Endpoint method:** GET

**Input:** `device_hw_info` (object, required), with the following fields:

| Name | Type | Required | Description |
|---|---|---|---|
| bios_date | string | optional | The BIOS date, for example `03/31/16`. |
| bios_manufacturer | string | optional | The BIOS manufacturer, for example `LENOVO`. |
| bios_ver | string | optional | The BIOS version, for example `LENOVO G5ETA2WW (2.62)`. |
| chassis | string | optional | The chassis type describes the system enclosure or physical form factor, such as the Windows chassis types listed at https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-systemenclosure. |
| cpu_bits | integer | optional | The CPU architecture: the number of bits used for addressing in memory, for example `32` or `64`. |
| cpu_cores | integer | optional | The number of processor cores in all installed processors, for example `42`. |
| cpu_count | integer | optional | The number of physical processors on a system, for example `1`. |
| cpu_speed | integer | optional | The speed of the processor in MHz, for example `4200`. |
| cpu_type | string | optional | The processor type, for example `x86 Family 6 Model 37 Stepping 5`. |
| desktop_display | object | optional | The desktop display affiliated with the event. Its fields are those of the Display action below. |
| keyboard_info | object | optional | The keyboard detailed information. |
| keyboard_info.function_keys | integer | optional | The number of function keys on the client keyboard. |
| keyboard_info.ime | string | optional | The Input Method Editor (IME) file name. |
| keyboard_info.keyboard_layout | string | optional | The keyboard locale identifier name (e.g., `en-US`). |
| keyboard_info.keyboard_subtype | integer | optional | The keyboard numeric code. |
| keyboard_info.keyboard_type | string | optional | The keyboard type (e.g., `xt`, `ico`). |
| ram_size | integer | optional | The total amount of installed RAM, in megabytes, for example `2048`. |
| serial_number | string | optional | The device manufacturer serial number. |

**Output:** same fields as the input `device_hw_info` object.

**Example**

```json
[
  {
    "bios_date": "string",
    "bios_manufacturer": "string",
    "bios_ver": "string",
    "chassis": "string",
    "cpu_bits": 123,
    "cpu_cores": 123,
    "cpu_count": 123,
    "cpu_speed": 123,
    "cpu_type": "string",
    "desktop_display": {
      "color_depth": 123,
      "physical_height": 123,
      "physical_orientation": 123,
      "physical_width": 123,
      "scale_factor": 123
    },
    "keyboard_info": {
      "function_keys": 123,
      "ime": "string",
      "keyboard_layout": "string",
      "keyboard_subtype": 123,
      "keyboard_type": "string"
    },
    "ram_size": 123,
    "serial_number": "string"
  }
]
```

### Digital Signature

Returns the `digital_signature` object passed in: the publisher, signer, certificate fingerprints, issuer, and serial number recorded for a signed file. The output carries the same metadata fields as the input and contains no verification verdict; whether the signature actually verifies has to be established at the event source.

**Endpoint method:** GET

**Input:** `digital_signature` (object, required), with the following fields:

| Name | Type | Required | Description |
|---|---|---|---|
| company_name | string | required | The name of the company that published the file, for example `Microsoft Corporation`. |
| created_time_dt | string | optional | The time when the digital signature was created. |
| developer_uid | string | optional | The developer ID on the certificate that signed the file. |
| fingerprints | array | optional | An array of digital fingerprint objects. |
| fingerprints[].algorithm | string | optional | The hash algorithm, as reported by the event source, which was used to create the digital fingerprint. |
| fingerprints[].value | string | required | The digital fingerprint value. |
| issuer_name | string | optional | The certificate issuer name. |
| serial_number | string | optional | The serial number of the digital signature. |

**Output:** same fields as the input `digital_signature` object.

**Example**

```json
[
  {
    "company_name": "string",
    "created_time_dt": "string",
    "developer_uid": "string",
    "fingerprints": [],
    "issuer_name": "string",
    "serial_number": "string"
  }
]
```

### Display

Returns the `display` object passed in: the geometry of a desktop display.

**Endpoint method:** GET

**Input:** `display` (object, required), with the following fields:

| Name | Type | Required | Description |
|---|---|---|---|
| color_depth | integer | optional | The numeric color depth. |
| physical_height | integer | optional | The numeric physical height of the display. |
| physical_orientation | integer | optional | The numeric physical orientation of the display. |
| physical_width | integer | optional | The numeric physical width of the display. |
| scale_factor | integer | optional | The numeric scale factor of the display. |

**Output:** same fields as the input `display` object.

**Example**

```json
[
  {
    "color_depth": 123,
    "physical_height": 123,
    "physical_orientation": 123,
    "physical_width": 123,
    "scale_factor": 123
  }
]
```

### Email

Returns the `email` object passed in: the headers, MIME parts, and enrichments of an email message. The action describes a message; it does not send one.

**Endpoint method:** GET

**Input:** `email` (object, required), with the following fields:

| Name | Type | Required | Description |
|---|---|---|---|
| cc | array | optional | The email header Cc values, as defined by RFC 5322. |
| contains | array | optional | Lists of observables contained within this observable. |
| contains[].enrichments | array | optional | A list of enrichments. |
| contains[].enrichments[].data | object | required | The enrichment data associated with the attribute and value. The meaning of this data depends on the type of the enrichment record. |
| contains[].enrichments[].name | string | optional | The name of the attribute to which the enriched data pertains. |
| contains[].enrichments[].provider | string | optional | The enrichment data provider name. |
| contains[].enrichments[].type | string | optional | The enrichment type, for example `location`. |
| contains[].enrichments[].value | object | optional | The value of the attribute to which the enriched data pertains. |
| contains[].name | string | optional | The name of the observable attribute, for example `file.name`. |
| contains[].type | string | required | The observable value type name. |
| contains[].value | object | optional | The value associated with the observable attribute. The meaning of the data depends on the observable type. |
| content_type | string | optional | The request header that identifies the original media type of the resource (prior to any content encoding applied for sending); media types are registered at https://www.iana.org/assignments/media-types/media-types.xhtml. |
| delivered_to | string | optional | The Delivered-To email header field. |
| direction | string | optional | The direction of the email, as defined by the `direction_id` value. |
| from | string | required | The email header From values, as defined by RFC 5322. |
| message_uid | string | optional | The email header Message-Id value, as defined by RFC 5322. |
| mime_parts | array | optional | The MIME parts of the email. |
| mime_parts[].content | object | optional | The contents of the MIME part. |
| mime_parts[].content.description | string | optional | Description of the content. |
| mime_parts[].content.file | string | optional | File carried by the content. |
| mime_parts[].content.file_name | string | optional | Name of the resource. |
| mime_parts[].content_disposition | string | optional | Value of the Content-Disposition header field of the MIME part. |
| mime_parts[].content_text | string | optional | Text contents of the MIME part. |
| mime_parts[].content_type | string | optional | Value of the Content-Type header field of the MIME part. |

**Output:** same fields as the input `email` object, plus:

| Name | Type | Description |
|---|---|---|
| reply_to | string | The email header Reply-To values, as defined by RFC 5322. |

**Example**

```json
[
  {
    "cc": [],
    "contains": [],
    "content_type": "string",
    "delivered_to": "string",
    "direction": "string",
    "from": "string",
    "message_uid": "string",
    "mime_parts": [],
    "reply_to": "string",
    "size": 123,
    "smtp_from": "string",
    "smtp_headers": [],
    "smtp_hello": "string",
    "smtp_to": [],
    "subject": "string"
  }
]
```

### Email Authentication

Returns the `email_auth` object passed in: the DKIM, DMARC, and SPF evaluation results recorded for a message.

**Endpoint method:** GET

**Input:** `email_auth` (object, required), with the following fields:

| Name | Type | Required | Description |
|---|---|---|---|
| dkim | string | optional | The DomainKeys Identified Mail (DKIM) status of the email. |
| dkim_domain | string | optional | The DKIM signing domain of the email. |
| dmarc | string | optional | The Domain-based Message Authentication, Reporting and Conformance (DMARC) status of the email. |
| dmarc_override | string | optional | The DMARC override action. |
| dmarc_policy | string | optional | The DMARC policy status. |
| raw_header | string | optional | The email authentication header. |
| spf | string | optional | The Sender Policy Framework (SPF) status of the email. |

**Output:** same fields as the input `email_auth` object.
framework (spf) status of the email example \[ { "dkim" "string", "dkim domain" "string", "dmarc" "string", "dmarc override" "string", "dmarc policy" "string", "raw header" "string", "spf" "string" } ] enrichment enrich data by adding contextual information to sos objects pt1 entities, requiring an 'enrichment' input endpoint method get input argument name type required description enrichment object required parameter for enrichment data object required the enrichment data associated with the attribute and value the meaning of this data depends on the type the enrichment record name string optional the name of the attribute to which the enriched data pertains provider string optional the enrichment data provider name type string optional the enrichment type for example location value object optional the value of the attribute to which the enriched data pertains output parameter type description data object the enrichment data associated with the attribute and value the meaning of this data depends on the type the enrichment record name string the name of the attribute to which the enriched data pertains provider string the enrichment data provider name type string the enrichment type for example location value object the value of the attribute to which the enriched data pertains example \[ { "data" {}, "name" "string", "provider" "string", "type" "string", "value" {} } ] feature initiate the 'feature' action within sos objects pt1, requiring a specific feature input endpoint method get input argument name type required description feature object required parameter for feature name string optional the name of the product feature uid string optional the unique identifier of the product feature version string optional the version of the product feature output parameter type description name string the name of the product feature uid string the unique identifier of the product feature version string the version of the product feature example \[ { "name" "string", "uid" 
"string", "version" "string" } ] file upload a specified file to sos objects pt1, requiring the file as mandatory input endpoint method get input argument name type required description file object required parameter for file accessed time dt string optional the time when the file was last accessed accessor string optional the name of the user who last accessed the object attributes integer optional the bitmask value that represents the file attributes company name string optional the name of the company that published the file for example microsoft corporation confidentiality string optional the file content confidentiality, as defined by the event source created time dt string optional the time when the file was created creator string optional the user that created the file desc string optional the description of the file, as returned by file system for example the description as returned by the unix file command or the windows file type fingerprints array optional an array of digital fingerprint objects algorithm string optional the hash algorithm, as reported by the event source, which was used to create the digital fingerprint value string required the digital fingerprint value is system boolean optional the indication of whether the object is part of the operating system mime type string optional the multipurpose internet mail extensions (mime) type of the file, if applicable modified time dt string optional the time when the file was last modified modifier string optional the user that last modified the file name string required the name of the file for example svchost exe owner string optional the user that owns the file/object parent folder string optional the parent folder in which the file resides for example c \windows\system32 path string optional the full path to the file for example c \windows\system32\svchost exe product object optional the product that created or installed the file feature object optional the feature that reported the event name 
string optional the name of the product feature uid string optional the unique identifier of the product feature version string optional the version of the product feature output parameter type description accessed time dt string the time when the file was last accessed accessor string the name of the user who last accessed the object attributes integer the bitmask value that represents the file attributes company name string the name of the company that published the file for example microsoft corporation confidentiality string the file content confidentiality, as defined by the event source created time dt string the time when the file was created creator string the user that created the file desc string the description of the file, as returned by file system for example the description as returned by the unix file command or the windows file type fingerprints array an array of digital fingerprint objects algorithm string the hash algorithm, as reported by the event source, which was used to create the digital fingerprint value string the digital fingerprint value is system boolean the indication of whether the object is part of the operating system mime type string the multipurpose internet mail extensions (mime) type of the file, if applicable modified time dt string the time when the file was last modified modifier string the user that last modified the file name string the name of the file for example svchost exe owner string the user that owns the file/object parent folder string the parent folder in which the file resides for example c \windows\system32 path string the full path to the file for example c \windows\system32\svchost exe product object the product that created or installed the file feature object the feature that reported the event name string the name of the product feature uid string the unique identifier of the product feature version string the version of the product feature lang string the two letter lower case language codes, as defined 
by https //en wikipedia org/wiki/iso 639 1 iso 639 1 for example en (english), de (german), or fr (french) example \[ { "accessed time dt" "string", "accessor" "string", "attributes" 123, "company name" "string", "confidentiality" "string", "created time dt" "string", "creator" "string", "desc" "string", "fingerprints" \[], "is system" true, "mime type" "string", "modified time dt" "string", "modifier" "string", "name" "string", "owner" "string" } ] finding details retrieve detailed information for a specified 'finding' within the sos objects pt1 service endpoint method get input argument name type required description finding object required parameter for finding details created time dt string optional the time when the finding was created desc string optional the description of the reported finding first seen time dt string optional the time when the finding was first observed last seen time dt string optional the time when the finding was most recently observed log sources array optional the sources of the events generating the finding name string optional the name of the entity see specific usage type string optional the type of an object or value, as defined by the event source see specific usage modified time dt string optional the time when the finding was last modified product uid string optional the unique identifier of the product that reported the finding related events object optional describes events related to a finding or detection as identified by the security product remediation object optional the remediation recommendations on how to fix the identified issue(s) desc string optional the description of the remediation strategy kb articles array optional the kb article/s related to the entity rules array optional the rules that reported the events category string optional the rule category desc string optional the description of the rule that generated the event name string required the name of the rule that generated the event type string optional 
the rule type uid string optional the unique identifier of the rule that generated the event version string optional the rule version for example 1 1 src url string optional the url pointing to the source of the finding supporting data array optional additional data supporting a finding as provided by security tool title string required the title of the reported finding types array optional one or more types of the reported finding output parameter type description created time dt string the time when the finding was created desc string the description of the reported finding first seen time dt string the time when the finding was first observed last seen time dt string the time when the finding was most recently observed log sources array the sources of the events generating the finding name string the name of the entity see specific usage type string the type of an object or value, as defined by the event source see specific usage modified time dt string the time when the finding was last modified product uid string the unique identifier of the product that reported the finding related events object describes events related to a finding or detection as identified by the security product remediation object the remediation recommendations on how to fix the identified issue(s) desc string the description of the remediation strategy kb articles array the kb article/s related to the entity rules array the rules that reported the events category string the rule category desc string the description of the rule that generated the event name string the name of the rule that generated the event type string the rule type uid string the unique identifier of the rule that generated the event version string the rule version for example 1 1 src url string the url pointing to the source of the finding supporting data array additional data supporting a finding as provided by security tool title string the title of the reported finding types array one or more types of the reported 
finding uid string the unique identifier of the reported finding example \[ { "created time dt" "string", "desc" "string", "first seen time dt" "string", "last seen time dt" "string", "log sources" \[], "modified time dt" "string", "product uid" "string", "remediation" { "desc" "string", "kb articles" \[] }, "rules" \[], "src url" "string", "supporting data" \[], "title" "string", "types" \[], "uid" "string" } ] fingerprint generates a unique fingerprint for sos objects pt1 based on the provided input endpoint method get input argument name type required description fingerprint object required parameter for fingerprint algorithm string optional the hash algorithm, as reported by the event source, which was used to create the digital fingerprint value string required the digital fingerprint value output parameter type description algorithm string the hash algorithm, as reported by the event source, which was used to create the digital fingerprint value string the digital fingerprint value example \[ { "algorithm" "string", "value" "string" } ] group groups objects in sos objects pt1 based on specified criteria, requiring a 'group' parameter endpoint method get input argument name type required description group object required parameter for group desc string optional the group description name string required the group name privileges array optional the group privileges type string optional the type of the group or account uid string optional the unique identifier of the group for example, for windows events this is the security identifier (sid) of the group output parameter type description desc string the group description name string the group name privileges array the group privileges type string the type of the group or account uid string the unique identifier of the group for example, for windows events this is the security identifier (sid) of the group example \[ { "desc" "string", "name" "string", "privileges" \[], "type" "string", "uid" "string" } ] image 
Retrieve an image from SOS Objects Pt1 using the specified image identifier.

Endpoint method: GET

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| image | object | required | Parameter for image. |
| labels | array | optional | The image labels. |
| name | string | optional | The image name, for example elixir. |
| path | string | optional | The full path to the image file. |
| tag | string | optional | The image tag, for example 1.11-alpine. |
| uid | string | required | The unique image ID, for example 77af4d6b9913. |

Output:

| Parameter | Type | Description |
|---|---|---|
| labels | array | The image labels. |
| name | string | The image name, for example elixir. |
| path | string | The full path to the image file. |
| tag | string | The image tag, for example 1.11-alpine. |
| uid | string | The unique image ID, for example 77af4d6b9913. |

Example:

```json
[
  {
    "labels": [],
    "name": "string",
    "path": "string",
    "tag": "string",
    "uid": "string"
  }
]
```

### Keyboard Information

Retrieve detailed information about the keyboard setup from SOS Objects Pt1.

Endpoint method: GET

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| keyboard_info | object | required | Parameter for keyboard information. |
| function_keys | integer | optional | The number of function keys on the client keyboard. |
| ime | string | optional | The Input Method Editor (IME) file name. |
| keyboard_layout | string | optional | The keyboard locale identifier name (e.g., en-US). |
| keyboard_subtype | integer | optional | The keyboard numeric code. |
| keyboard_type | string | optional | The keyboard type (e.g., xt, ico). |

Output:

| Parameter | Type | Description |
|---|---|---|
| function_keys | integer | The number of function keys on the client keyboard. |
| ime | string | The Input Method Editor (IME) file name. |
| keyboard_layout | string | The keyboard locale identifier name (e.g., en-US). |
| keyboard_subtype | integer | The keyboard numeric code. |
| keyboard_type | string | The keyboard type (e.g., xt, ico). |

Example:

```json
[
  {
    "function_keys": 123,
    "ime": "string",
    "keyboard_layout": "string",
    "keyboard_subtype": 123,
    "keyboard_type": "string"
  }
]
```

### Geo Location

Retrieve the specified location details from SOS Objects Pt1 using the provided location identifier.

Endpoint method: GET

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| location | object | required | Parameter for geo location. |
| city | string | optional | The name of the city. |
| continent | string | optional | The name of the continent. |
| coordinates | array | required | A two-element array containing a longitude/latitude pair. The format conforms with GeoJSON (https://geojson.org), for example [-73.983, 40.719]. |
| country | string | optional | The ISO 3166-1 alpha-2 country code. For the complete list of country codes see https://www.iso.org/obp/ui/#iso:pub:PUB500001:en (ISO 3166-1 alpha-2 codes). Note: the two-letter country code should be capitalized, for example US or CA. |
| desc | string | optional | The description of the geographical location. |
| is_on_premises | boolean | optional | The indication of whether the location is on premises. |
| isp | string | optional | The name of the Internet Service Provider (ISP). |
| postal_code | string | optional | The postal code of the location. |
| provider | string | optional | The provider of the geographical location data. |
| region | string | optional | The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at https://www.iso.org/iso-3166-country-codes.html (ISO 3166-2) and have a limit of three characters. For example, see https://www.iso.org/obp/ui/#iso:code:3166:US (the region codes for the US). |

Output:

| Parameter | Type | Description |
|---|---|---|
| city | string | The name of the city. |
| continent | string | The name of the continent. |
| coordinates | array | A two-element array containing a longitude/latitude pair. The format conforms with GeoJSON (https://geojson.org), for example [-73.983, 40.719]. |
| country | string | The ISO 3166-1 alpha-2 country code. For the complete list of country codes see https://www.iso.org/obp/ui/#iso:pub:PUB500001:en (ISO 3166-1 alpha-2 codes). Note: the two-letter country code should be capitalized, for example US or CA. |
| desc | string | The description of the geographical location. |
| is_on_premises | boolean | The indication of whether the location is on premises. |
| isp | string | The name of the Internet Service Provider (ISP). |
| postal_code | string | The postal code of the location. |
| provider | string | The provider of the geographical location data. |
| region | string | The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at https://www.iso.org/iso-3166-country-codes.html (ISO 3166-2) and have a limit of three characters. For example, see https://www.iso.org/obp/ui/#iso:code:3166:US (the region codes for the US). |

Example:

```json
[
  {
    "city": "string",
    "continent": "string",
    "coordinates": [],
    "country": "string",
    "desc": "string",
    "is_on_premises": true,
    "isp": "string",
    "postal_code": "string",
    "provider": "string",
    "region": "string"
  }
]
```

### Log Source

Retrieve and manage log source information from SOS Objects Pt1, requiring a specified log source identifier.

Endpoint method: GET

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| log_source | object | required | Parameter for log source. |
| name | string | optional | The name of the entity. See specific usage. |
| type | string | optional | The type of an object or value, as defined by the event source. See specific usage. |

Output:

| Parameter | Type | Description |
|---|---|---|
| name | string | The name of the entity. See specific usage. |
| type | string | The type of an object or value, as defined by the event source. See specific usage. |

Example:

```json
[
  {
    "name": "string",
    "type": "string"
  }
]
```

### Malware

Initiate a malware analysis using the provided malware object within SOS Objects Pt1.

Endpoint method: GET

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| malware | object | required | Parameter for malware. |
| classifications | array | optional | The list of malware classifications, as defined by the event source. |
| cves | array | optional | List of Common Vulnerabilities and Exposures (CVE, https://cve.mitre.org/). |
| cves.created_time_dt | string | optional | The record creation date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE record was published on the CVE list. Note that the record creation date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. |
| cves.cvss | object | optional | The CVSS object details Common Vulnerability Scoring System (CVSS, https://www.first.org/cvss/) scores from the advisory that are related to the vulnerability. |
| cves.cvss.base_score | number | required | The CVSS base score, for example 9.1. |
| cves.cvss.depth | string | optional | The CVSS depth represents a depth of the equation used to calculate the CVSS score. |
| cves.cvss.metrics | array | optional | The Common Vulnerability Scoring System metrics. This attribute contains information on the CVE's impact. If the CVE has been analyzed, this attribute will contain any CVSSv2 or CVSSv3 information associated with the vulnerability, for example {{"Access Vector", "Network"}, {"Access Complexity", "Low"}, ...}. |
| cves.cvss.metrics.name | string | required | The name of the metric. |
| cves.cvss.metrics.value | object | required | The value of the metric. |
| cves.cvss.overall_score | number | optional | The CVSS overall score, impacted by base, temporal, and environmental metrics, for example 9.1. |
| cves.cvss.severity | string | optional | The Common Vulnerability Scoring System (CVSS) qualitative severity rating, a textual representation of the numeric score. CVSS v2.0: Low (0.0–3.9), Medium (4.0–6.9), High (7.0–10.0). CVSS v3.0: None (0.0), Low (0.1–3.9), Medium (4.0–6.9), High (7.0–8.9), Critical (9.0–10.0). |
| cves.cvss.vector_string | string | optional | The CVSS vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise form, for example 3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H. |
| cves.cvss.version | string | required | The CVSS version, for example 3.1. |
| cves.cwe_uid | string | optional | The Common Weakness Enumeration (CWE, https://cwe.mitre.org/) unique identifier, for example CWE-787. |
| cves.cwe_url | string | optional | Common Weakness Enumeration (CWE) definition URL, for example https://cwe.mitre.org/data/definitions/787.html. |
| cves.modified_time_dt | string | optional | The record modified date identifies when the CVE record was last updated. |
| cves.product | object | optional | The product where the vulnerability was discovered. |
| cves.product.feature | object | optional | The feature that reported the event. |
| cves.product.feature.name | string | optional | The name of the product feature. |
| cves.product.feature.uid | string | optional | The unique identifier of the product feature. |
| cves.product.feature.version | string | optional | The version of the product feature. |
| cves.product.lang | string | optional | The two-letter lower-case language code, as defined by ISO 639-1 (https://en.wikipedia.org/wiki/ISO_639-1), for example en (English), de (German), or fr (French). |
| cves.product.name | string | required | The name of the product. |
| cves.product.path | string | optional | The installation path of the product. |

Output:

| Parameter | Type | Description |
|---|---|---|
| classifications | array | The list of malware classifications, as defined by the event source. |
| cves | array | List of Common Vulnerabilities and Exposures (CVE, https://cve.mitre.org/). |
| cves.created_time_dt | string | The record creation date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE record was published on the CVE list. Note that the record creation date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. |
| cves.cvss | object | The CVSS object details Common Vulnerability Scoring System (CVSS, https://www.first.org/cvss/) scores from the advisory that are related to the vulnerability. |
| cves.cvss.base_score | number | The CVSS base score, for example 9.1. |
| cves.cvss.depth | string | The CVSS depth represents a depth of the equation used to calculate the CVSS score. |
| cves.cvss.metrics | array | The Common Vulnerability Scoring System metrics. This attribute contains information on the CVE's impact. If the CVE has been analyzed, this attribute will contain any CVSSv2 or CVSSv3 information associated with the vulnerability, for example {{"Access Vector", "Network"}, {"Access Complexity", "Low"}, ...}. |
| cves.cvss.metrics.name | string | The name of the metric. |
| cves.cvss.metrics.value | object | The value of the metric. |
| cves.cvss.overall_score | number | The CVSS overall score, impacted by base, temporal, and environmental metrics, for example 9.1. |
| cves.cvss.severity | string | The Common Vulnerability Scoring System (CVSS) qualitative severity rating, a textual representation of the numeric score. CVSS v2.0: Low (0.0–3.9), Medium (4.0–6.9), High (7.0–10.0). CVSS v3.0: None (0.0), Low (0.1–3.9), Medium (4.0–6.9), High (7.0–8.9), Critical (9.0–10.0). |
| cves.cvss.vector_string | string | The CVSS vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise form, for example 3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H. |
| cves.cvss.version | string | The CVSS version, for example 3.1. |
| cves.cwe_uid | string | The Common Weakness Enumeration (CWE, https://cwe.mitre.org/) unique identifier, for example CWE-787. |
| cves.cwe_url | string | Common Weakness Enumeration (CWE) definition URL, for example https://cwe.mitre.org/data/definitions/787.html. |
| cves.modified_time_dt | string | The record modified date identifies when the CVE record was last updated. |
| cves.product | object | The product where the vulnerability was discovered. |
| cves.product.feature | object | The feature that reported the event. |
| cves.product.feature.name | string | The name of the product feature. |
| cves.product.feature.uid | string | The unique identifier of the product feature. |
| cves.product.feature.version | string | The version of the product feature. |
| cves.product.lang | string | The two-letter lower-case language code, as defined by ISO 639-1 (https://en.wikipedia.org/wiki/ISO_639-1), for example en (English), de (German), or fr (French). |
| cves.product.name | string | The name of the product. |
| cves.product.path | string | The installation path of the product. |
| cves.product.uid | string | The unique identifier of the product. |

Example:

```json
[
  {
    "classifications": [],
    "cves": [],
    "name": "string",
    "path": "string",
    "provider": "string",
    "uid": "string"
  }
]
```

### Metadata

Obtain metadata details for a specific object within the SOS Objects Pt1 service.

Endpoint method: GET

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| metadata | object | required | Response data. |
| correlation_uid | string | optional | The unique identifier used to correlate events. |
| labels | array | optional | The list of category labels attached to the event or specific attributes. Labels are user-defined tags or aliases added at normalization time, for example ["network", "connection ip:destination", "device ip:source"]. |
| logged_time_dt | string | optional | The time when the logging system collected and logged the event. This attribute is distinct from the event time in that the event time typically contains the time extracted from the original event. Most of the time, these two times will be different. |
| modified_time_dt | string | optional | The time when the event was last modified or enriched. |
| original_time | string | optional | The original event time as reported by the event source. |
| processed_time_dt | string | optional | The event processed time, such as an ETL operation. |
| product | object | required | The product that reported the event. |
| product.feature | object | optional | The feature that reported the event. |
| product.feature.name | string | optional | The name of the product feature. |
| product.feature.uid | string | optional | The unique identifier of the product feature. |
| product.feature.version | string | optional | The version of the product feature. |
| product.lang | string | optional | The two-letter lower-case language code, as defined by ISO 639-1 (https://en.wikipedia.org/wiki/ISO_639-1), for example en (English), de (German), or fr (French). |
| product.name | string | required | The name of the product. |
| product.path | string | optional | The installation path of the product. |
| product.uid | string | optional | The unique identifier of the product. |
| product.vendor_name | string | required | The name of the vendor of the product. |
| product.version | string | optional | The version of the product, as defined by the event source, for example 2013.1.3-beta. |
| profiles | array | optional | The list of profiles used to create the event. |
| sequence | integer | optional | Sequence number of the event. The sequence number is a value available in some events to make the exact ordering of events unambiguous, regardless of the event time precision. |
| uid | string | optional | The logging system-assigned unique identifier of an event instance. |
| version | string | required | The version of the event class, using the semantic versioning specification (SemVer, https://semver.org), for example 1.0.0. Event consumers use the version to determine the available event attributes. |

Output:

| Parameter | Type | Description |
|---|---|---|
| correlation_uid | string | The unique identifier used to correlate events. |
| labels | array | The list of category labels attached to the event or specific attributes. Labels are user-defined tags or aliases added at normalization time, for example ["network", "connection ip:destination", "device ip:source"]. |
| logged_time_dt | string | The time when the logging system collected and logged the event. This attribute is distinct from the event time in that the event time typically contains the time extracted from the original event. Most of the time, these two times will be different. |
| modified_time_dt | string | The time when the event was last modified or enriched. |
| original_time | string | The original event time as reported by the event source. |
| processed_time_dt | string | The event processed time, such as an ETL operation. |
| product | object | The product that reported the event. |
| product.feature | object | The feature that reported the event. |
| product.feature.name | string | The name of the product feature. |
| product.feature.uid | string | The unique identifier of the product feature. |
| product.feature.version | string | The version of the product feature. |
| product.lang | string | The two-letter lower-case language code, as defined by ISO 639-1 (https://en.wikipedia.org/wiki/ISO_639-1), for example en (English), de (German), or fr (French). |
| product.name | string | The name of the product. |
| product.path | string | The installation path of the product. |
| product.uid | string | The unique identifier of the product. |
| product.vendor_name | string | The name of the vendor of the product. |
| product.version | string | The version of the product, as defined by the event source, for example 2013.1.3-beta. |
| profiles | array | The list of profiles used to create the event. |
| sequence | integer | Sequence number of the event. The sequence number is a value available in some events to make the exact ordering of events unambiguous, regardless of the event time precision. |
| uid | string | The logging system-assigned unique identifier of an event instance. |
| version | string | The version of the event class, using the semantic versioning specification (SemVer, https://semver.org), for example 1.0.0. Event consumers use the version to determine the available event attributes. |

Example:

```json
[
  {
    "correlation_uid": "string",
    "labels": [],
    "logged_time_dt": "string",
    "modified_time_dt": "string",
    "original_time": "string",
    "processed_time_dt": "string",
    "product": {
      "feature": {},
      "lang": "string",
      "name": "example name",
      "path": "string",
      "uid": "string",
      "vendor_name": "example name",
      "version": "string"
    },
    "profiles": [],
    "sequence": 123,
    "uid": "string",
    "version": "string"
  }
]
```

### Metric

Retrieve a specific metric from SOS Objects Pt1 by providing the required metric input.

Endpoint method: GET

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| metric | object | required | Parameter for metric. |
| name | string | required | The name of the metric. |
| value | object | required | The value of the metric. |

Output:

| Parameter | Type | Description |
|---|---|---|
| name | string | The name of the metric. |
| value | object | The value of the metric. |

Example:

```json
[
  {
    "name": "string",
    "value": {}
  }
]
```

### MIME Part

Extracts the specified MIME part from an email object within SOS Objects Pt1, requiring the 'mime part' input.

Endpoint method: GET

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| mime_part | object | required | Parameter for MIME part. |
| content | object | optional | Contents of the MIME part. |
| content.description | string | optional | Parameter for MIME part. |
| content.file | string | optional | Parameter for MIME part. |
| content.file_name | string | optional | Name of the resource. |
| content_disposition | string | optional | Value of the Content-Disposition header field of the MIME part. |
| content_text | string | optional | Text contents of the MIME part. |
| content_type | string | optional | Value of the Content-Type header field of the MIME part. |

Output:

| Parameter | Type | Description |
|---|---|---|
| content | object | Contents of the MIME part. |
| content.description | string | Output field description. |
| content.file | string | Output field file. |
| content.file_name | string | Name of the resource. |
| content_disposition | string | Value of the Content-Disposition header field of the MIME part. |
| content_text | string | Text contents of the MIME part. |
| content_type | string | Value of the Content-Type header field of the MIME part. |

Example:

```json
[
  {
    "content": {
      "description": "string",
      "file": "string",
      "file_name": "example name"
    },
    "content_disposition": "string",
    "content_text": "string",
    "content_type": "string"
  }
]
```

### Network Interface

Retrieve details for a specified network interface from SOS Objects Pt1, requiring the network interface identifier.

Endpoint method: GET

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| network_interface | object | required | Parameter for network interface. |
| hostname | string | optional | The hostname associated with the network interface. |
| ip | string | optional | The IP address associated with the network interface. |
| mac | string | optional | The MAC address of the network interface. |
| name | string | optional | The name of the network interface. |
| namespace | string | optional | The namespace is useful in merger or acquisition situations, for example when similar entities exist that you need to keep separate. |
| reputation | object | optional | Contains the original and normalized reputation scores. |
| reputation.base_score | number | required | The reputation score as reported by the event source. |
| reputation.provider | string | optional | The provider of the reputation information. |
| reputation.score | string | optional | The reputation score, as defined by the event source. |
| type | string | optional | The type of network interface. |
| uid | string | optional | The unique identifier for the network interface. |

Output:

| Parameter | Type | Description |
|---|---|---|
| hostname | string | The hostname associated with the network interface. |
| ip | string | The IP address associated with the network interface. |
| mac | string | The MAC address of the network interface. |
| name | string | The name of the network interface. |
| namespace | string | The namespace is useful in merger or acquisition situations, for example when similar entities exist that you need to keep separate. |
| reputation | object | Contains the original and normalized reputation scores. |
| reputation.base_score | number | The reputation score as reported by the event source. |
| reputation.provider | string | The provider of the reputation information. |
| reputation.score | string | The reputation score, as defined by the event source. |
| type | string | The type of network interface. |
| uid | string | The unique identifier for the network interface. |

Example:

```json
[
  {
    "hostname": "string",
    "ip": "string",
    "mac": "string",
    "name": "string",
    "namespace": "string",
    "reputation": {
      "base_score": 123,
      "provider": "string",
      "score": "string"
    },
    "type": "string",
    "uid": "string"
  }
]
```

### Object

Retrieve details for a specified object within the SOS Objects Pt1 service using the provided object identifier.

Endpoint method: GET

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| object | object | required | Parameter for object. |

### Observable

Retrieve details for a specified observable in SOS Objects Pt1 using the required 'observable' input.

Endpoint method: GET

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| observable | object | required | Parameter for observable. |
| enrichments | array | optional | A list of enrichments. |
| enrichments.data | object | required | The enrichment data associated with the attribute and value. The meaning of this data depends on the type of the enrichment record. |
| enrichments.name | string | optional | The name of the attribute to which the enriched data pertains. |
| enrichments.provider | string | optional | The enrichment data provider name. |
| enrichments.type | string | optional | The enrichment type, for example location. |
| enrichments.value | object | optional | The value of the attribute to which the enriched data pertains. |
| name | string | optional | The name of the observable attribute, for example file.name. |
| type | string | required | The observable value type name. |
| value | object | optional | The value associated with the observable attribute. The meaning of the data depends on the observable type. |

Output:

| Parameter | Type | Description |
|---|---|---|
| enrichments | array | A list of enrichments. |
| enrichments.data | object | The enrichment data associated with the attribute and value. The meaning of this data depends on the type of the enrichment record. |
| enrichments.name | string | The name of the attribute to which the enriched data pertains. |
| enrichments.provider | string | The enrichment data provider name. |
| enrichments.type | string | The enrichment type, for example location. |
| enrichments.value | object | The value of the
attribute to which the enriched data pertains name string the name of the observable attribute for example file name type string the observable value type name value object the value associated with the observable attribute the meaning of the data depends on the observable type example \[ { "enrichments" \[], "name" "string", "type" "string", "value" {} } ] organization retrieve details for a specified organization within the sos objects pt1 service using the required 'organization' input endpoint method get input argument name type required description organization object required parameter for organization data object optional the additional data that is associated with the event or object see specific usage name string optional organization name sectors array optional the list of industry sectors this organization belongs to uid string required the unique identifier see specific usage output parameter type description data object the additional data that is associated with the event or object see specific usage name string organization name sectors array the list of industry sectors this organization belongs to uid string the unique identifier see specific usage example \[ { "data" {}, "name" "string", "sectors" \[], "uid" "string" } ] os retrieve operating system details from sos objects pt1 using the specified 'os' parameter endpoint method get input argument name type required description os object required parameter for os build string optional the operating system build number country string optional the operating system country code, as defined by the iso 3166 1 standard (alpha 2 code) for the complete list of country codes, see https //www iso org/obp/ui/#iso\ pub\ pub500001\ en iso 3166 1 alpha 2 codes cpu bits integer optional the cpu architecture, the number of bits used for addressing in memory for example 32 or 64 edition string optional the operating system edition for example professional lang string optional the two letter lower case language 
codes, as defined by https //en wikipedia org/wiki/iso 639 1 iso 639 1 for example en (english), de (german), or fr (french) name string required the operating system name sp name string optional the name of the latest service pack sp ver integer optional the version number of the latest service pack type string optional the type of the operating system version string optional the version of the os running on the device that originated the event for example "windows 10", "os x 10 7", or "ios 9" output parameter type description build string the operating system build number country string the operating system country code, as defined by the iso 3166 1 standard (alpha 2 code) for the complete list of country codes, see https //www iso org/obp/ui/#iso\ pub\ pub500001\ en iso 3166 1 alpha 2 codes cpu bits integer the cpu architecture, the number of bits used for addressing in memory for example 32 or 64 edition string the operating system edition for example professional lang string the two letter lower case language codes, as defined by https //en wikipedia org/wiki/iso 639 1 iso 639 1 for example en (english), de (german), or fr (french) name string the operating system name sp name string the name of the latest service pack sp ver integer the version number of the latest service pack type string the type of the operating system version string the version of the os running on the device that originated the event for example "windows 10", "os x 10 7", or "ios 9" example \[ { "build" "string", "country" "string", "cpu bits" 123, "edition" "string", "lang" "string", "name" "string", "sp name" "string", "sp ver" 123, "type" "string", "version" "string" } ] software package create a new package in sos objects pt1 using the specified package details provided by the user endpoint method get input argument name type required description package object required parameter for software package architecture string optional architecture is a shorthand name describing the type of 
computer hardware the packaged software is meant to run on epoch integer optional the software package epoch epoch is a way to define weighted dependencies based on version numbers name string required the software package name release string optional release is the number of times a version of the software has been packaged version string required the software package version output parameter type description architecture string architecture is a shorthand name describing the type of computer hardware the packaged software is meant to run on epoch integer the software package epoch epoch is a way to define weighted dependencies based on version numbers name string the software package name release string release is the number of times a version of the software has been packaged version string the software package version example \[ { "architecture" "string", "epoch" 123, "name" "string", "release" "string", "version" "string" } ] process initiates the processing of data for sos objects pt1, requiring a 'process' input to define the operation endpoint method get input argument name type required description process object required parameter for process cmd line string optional the full command line used to launch an application, service, process, or job for example ssh user\@10 0 0 10 if the command line is unavailable or missing, the empty string '' is to be used created time dt string optional the time when the process was created/started file object object optional the process file object accessed time dt string optional the time when the file was last accessed accessor string optional the name of the user who last accessed the object attributes integer optional the bitmask value that represents the file attributes company name string optional the name of the company that published the file for example microsoft corporation confidentiality string optional the file content confidentiality, as defined by the event source created time dt string optional the time 
when the file was created creator string optional the user that created the file desc string optional the description of the file, as returned by file system for example the description as returned by the unix file command or the windows file type fingerprints array optional an array of digital fingerprint objects algorithm string optional the hash algorithm, as reported by the event source, which was used to create the digital fingerprint value string required the digital fingerprint value is system boolean optional the indication of whether the object is part of the operating system mime type string optional the multipurpose internet mail extensions (mime) type of the file, if applicable modified time dt string optional the time when the file was last modified modifier string optional the user that last modified the file name string required the name of the file for example svchost exe owner string optional the user that owns the file/object parent folder string optional the parent folder in which the file resides for example c \windows\system32 path string optional the full path to the file for example c \windows\system32\svchost exe product object optional the product that created or installed the file feature object optional the feature that reported the event output parameter type description cmd line string the full command line used to launch an application, service, process, or job for example ssh user\@10 0 0 10 if the command line is unavailable or missing, the empty string '' is to be used created time dt string the time when the process was created/started file object object the process file object accessed time dt string the time when the file was last accessed accessor string the name of the user who last accessed the object attributes integer the bitmask value that represents the file attributes company name string the name of the company that published the file for example microsoft corporation confidentiality string the file content 
confidentiality, as defined by the event source created time dt string the time when the file was created creator string the user that created the file desc string the description of the file, as returned by file system for example the description as returned by the unix file command or the windows file type fingerprints array an array of digital fingerprint objects algorithm string the hash algorithm, as reported by the event source, which was used to create the digital fingerprint value string the digital fingerprint value is system boolean the indication of whether the object is part of the operating system mime type string the multipurpose internet mail extensions (mime) type of the file, if applicable modified time dt string the time when the file was last modified modifier string the user that last modified the file name string the name of the file for example svchost exe owner string the user that owns the file/object parent folder string the parent folder in which the file resides for example c \windows\system32 path string the full path to the file for example c \windows\system32\svchost exe product object the product that created or installed the file feature object the feature that reported the event name string the name of the product feature example \[ { "cmd line" "string", "created time dt" "string", "file object" { "accessed time dt" "string", "accessor" "string", "attributes" 123, "company name" "example name", "confidentiality" "string", "created time dt" "string", "creator" "string", "desc" "string", "fingerprints" \[], "is system" true, "mime type" "string", "modified time dt" "string", "modifier" "string", "name" "example name", "owner" "string" }, "integrity" "string", "integrity id" 123, "lineage" \[], "loaded modules" \[], "name" "string", "parent process" { "cmd line" "string", "created time dt" "string", "file object" {}, "integrity" "string", "integrity id" 123, "lineage" \[], "loaded modules" \[], "name" "example name", "parent process" 
{}, "pid" 123, "sandbox" "string", "terminated time dt" "string", "tid" 123, "uid" "string", "user" {} }, "pid" 123, "sandbox" "string", "terminated time dt" "string", "tid" 123, "uid" "string", "user" { "account type" "string", "account uid" "string", "credential uid" "string", "domain" "string", "email addr" "string", "groups" \[], "name" "example name", "org uid" "string", "session uid" "string", "session uuid" "string", "type" "string", "uid" "string", "uuid" "12345678 1234 1234 1234 123456789abc" } } ] product retrieve detailed information about a specific product using its unique identifier endpoint method get input argument name type required description product object required parameter for product feature object optional the feature that reported the event name string optional the name of the product feature uid string optional the unique identifier of the product feature version string optional the version of the product feature lang string optional the two letter lower case language codes, as defined by https //en wikipedia org/wiki/iso 639 1 iso 639 1 for example en (english), de (german), or fr (french) name string required the name of the product path string optional the installation path of the product uid string optional the unique identifier of the product vendor name string required the name of the vendor of the product version string optional the version of the product, as defined by the event source for example 2013 1 3 beta output parameter type description feature object the feature that reported the event name string the name of the product feature uid string the unique identifier of the product feature version string the version of the product feature lang string the two letter lower case language codes, as defined by https //en wikipedia org/wiki/iso 639 1 iso 639 1 for example en (english), de (german), or fr (french) name string the name of the product path string the installation path of the product uid string the unique identifier of 
the product vendor name string the name of the vendor of the product version string the version of the product, as defined by the event source for example 2013 1 3 beta example \[ { "feature" { "name" "example name", "uid" "string", "version" "string" }, "lang" "string", "name" "string", "path" "string", "uid" "string", "vendor name" "string", "version" "string" } ] remediation initiate a remediation action within sos objects pt1 using the specified parameters endpoint method get input argument name type required description remediation object required parameter for remediation desc string optional the description of the remediation strategy kb articles array optional the kb article/s related to the entity output parameter type description desc string the description of the remediation strategy kb articles array the kb article/s related to the entity example \[ { "desc" "string", "kb articles" \[] } ] reputation retrieve the reputation score for a specified entity from sos objects pt1, requiring an input for 'reputation' endpoint method get input argument name type required description reputation object required parameter for reputation base score number required the reputation score as reported by the event source provider string optional the provider of the reputation information score string optional the reputation score, as defined by the event source output parameter type description base score number the reputation score as reported by the event source provider string the provider of the reputation information score string the reputation score, as defined by the event source example \[ { "base score" 123, "provider" "string", "score" "string" } ] resource retrieve details for a specified resource in sos objects pt1 using the provided resource identifier endpoint method get input argument name type required description resource object required parameter for resource account uid string optional the unique identifier of the account that owns the resource (e g 
aws account id) cloud partition string optional the canonical cloud partition name to which the region is assigned (e g aws partitions aws, aws cn, aws us gov) criticality string optional the criticality of the resource details string optional the details pertaining to the resource group name string optional the name of the group that the resource belongs to labels array optional the list of labels attached to an event, object, or attribute name string optional the name of the resource owner string optional the identity of the service or user account that owns the resource region string optional the region of the resource type string optional the type of the resource uid string optional the unique identifier of the resource output parameter type description account uid string the unique identifier of the account that owns the resource (e g aws account id) cloud partition string the canonical cloud partition name to which the region is assigned (e g aws partitions aws, aws cn, aws us gov) criticality string the criticality of the resource details string the details pertaining to the resource group name string the name of the group that the resource belongs to labels array the list of labels attached to an event, object, or attribute name string the name of the resource owner string the identity of the service or user account that owns the resource region string the region of the resource type string the type of the resource uid string the unique identifier of the resource example \[ { "account uid" "string", "cloud partition" "string", "criticality" "string", "details" "string", "group name" "string", "labels" \[], "name" "string", "owner" "string", "region" "string", "type" "string", "uid" "string" } ] rule create, update, or delete a rule in sos objects pt1 using the specified input parameters endpoint method get input argument name type required description rule object required parameter for rule category string optional the rule category desc string optional the 
description of the rule that generated the event name string required the name of the rule that generated the event type string optional the rule type uid string optional the unique identifier of the rule that generated the event version string optional the rule version for example 1 1 output parameter type description category string the rule category desc string the description of the rule that generated the event name string the name of the rule that generated the event type string the rule type uid string the unique identifier of the rule that generated the event version string the rule version for example 1 1 example \[ { "category" "string", "desc" "string", "name" "string", "type" "string", "uid" "string", "version" "string" } ] smtp header analyzes smtp header data provided as input to extract and return relevant email information endpoint method get input argument name type required description smtp header object required parameter for smtp header name string required the name of the header value object required the value of the header output parameter type description name string the name of the header value object the value of the header example \[ { "name" "string", "value" {} } ] tactic retrieve detailed information for a specified tactic from sos objects pt1 using the 'tactic' identifier endpoint method get input argument name type required description tactic object required parameter for tactic name string optional the tactic name that is associated with the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm uid string required the tactic id that is associated with the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm output parameter type description name string the tactic name that is associated with the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm uid string the tactic id that is associated with the attack 
technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm example \[ { "name" "string", "uid" "string" } ] technique retrieve details for a specified technique from sos objects pt1 using the required 'technique' input endpoint method get input argument name type required description technique object required parameter for technique name string optional the name of the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm for example drive by compromise uid string required the unique identifier of the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm for example t1189 output parameter type description name string the name of the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm for example drive by compromise uid string the unique identifier of the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm for example t1189 example \[ { "name" "string", "uid" "string" } ] user retrieve detailed information for a specified user within the sos objects pt1 service endpoint method get input argument name type required description user object required parameter for user account type string optional the user account type, as defined by the event source account uid string optional the unique identifier of the account (e g aws account id) credential uid string optional the unique identifier of the user's credential for example, aws access key id domain string optional the domain where the user is defined for example the ldap or active directory domain email addr string optional the user's email address groups array optional the administrative groups to which the user belongs desc string optional the group description name string required the group name privileges array optional the group privileges type string optional the type of the group or account uid string optional the 
unique identifier of the group for example, for windows events this is the security identifier (sid) of the group name string optional the username for example, janedoe1 org uid string optional the unique identifier of the organization to which the user belongs for example, active directory or aws org id session uid string optional the unique id of the user session, as reported by the os examples nix aug 10 17 31 16 ip 192 168 1 1 systemd\[1] started session 222 of user ubuntu session uid == 222 windows logon id 0xd22e9734 session uid == 0xd22e9734 session uuid string optional the universally unique id of the user session, as reported by the os for example, in windows this is the login guid type string optional the type of the user for example, system, aws iam user, etc uid string optional the unique user identifier for example, aws principalid or windows user sid uuid string optional the universally unique identifier of the user for example, aws arn or windows user guid output parameter type description account type string the user account type, as defined by the event source account uid string the unique identifier of the account (e g aws account id) credential uid string the unique identifier of the user's credential for example, aws access key id domain string the domain where the user is defined for example the ldap or active directory domain email addr string the user's email address groups array the administrative groups to which the user belongs desc string the group description name string the group name privileges array the group privileges type string the type of the group or account uid string the unique identifier of the group for example, for windows events this is the security identifier (sid) of the group name string the username for example, janedoe1 org uid string the unique identifier of the organization to which the user belongs for example, active directory or aws org id session uid string the unique id of the user session, as reported by the 
os examples nix aug 10 17 31 16 ip 192 168 1 1 systemd\[1] started session 222 of user ubuntu session uid == 222 windows logon id 0xd22e9734 session uid == 0xd22e9734 session uuid string the universally unique id of the user session, as reported by the os for example, in windows this is the login guid type string the type of the user for example, system, aws iam user, etc uid string the unique user identifier for example, aws principalid or windows user sid uuid string the universally unique identifier of the user for example, aws arn or windows user guid example \[ { "account type" "string", "account uid" "string", "credential uid" "string", "domain" "string", "email addr" "string", "groups" \[], "name" "string", "org uid" "string", "session uid" "string", "session uuid" "string", "type" "string", "uid" "string", "uuid" "string" } ] vulnerability details retrieve detailed information for a specified vulnerability from sos objects pt1, requiring the 'vulnerability' input endpoint method get input argument name type required description vulnerability object required parameter for vulnerability details cve object required the common vulnerabilities and exposures ( https //cve mitre org/ cve ) created time dt string optional the record creation date identifies when the cve id was issued to a cve numbering authority (cna) or the cve record was published on the cve list note that the record creation date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in cve cvss object optional the cvss object details common vulnerability scoring system ( https //www first org/cvss/ cvss ) scores from the advisory that are related to the vulnerability base score number required the cvss base score for example 9 1 depth string optional the cvss depth represents a depth of the equation used to calculate cvss score metrics array optional the common vulnerability scoring system metrics this attribute 
contains information on the cve's impact if the cve has been analyzed, this attribute will contain any cvssv2 or cvssv3 information associated with the vulnerability for example {{"access vector", "network"}, {"access complexity", "low"}, } name string required the name of the metric value object required the value of the metric overall score number optional the cvss overall score, impacted by base, temporal, and environmental metrics for example 9 1 severity string optional the common vulnerability scoring system (cvss) qualitative severity rating a textual representation of the numeric score cvss v2 0 low (0 0 – 3 9) medium (4 0 – 6 9) high (7 0 – 10 0) cvss v3 0 none (0 0) low (0 1 3 9) medium (4 0 6 9) high (7 0 8 9) critical (9 0 10 0) vector string string optional the cvss vector string is a text representation of a set of cvss metrics it is commonly used to record or transfer cvss metric information in a concise form for example 3 1/av \ l /ac \ l /pr \ l /ui \ n /s \ u /c \ h /i \ n /a \ h version string required the cvss version for example 3 1 cwe uid string optional the https //cwe mitre org/ common weakness enumeration (cwe) unique identifier for example cwe 787 cwe url string optional common weakness enumiration (cwe) definition url for example https //cwe mitre org/data/definitions/787 html https //cwe mitre org/data/definitions/787 html modified time dt string optional the record modified date identifies when the cve record was last updated product object optional the product where the vulnerability was discovered feature object optional the feature that reported the event name string optional the name of the product feature uid string optional the unique identifier of the product feature version string optional the version of the product feature lang string optional the two letter lower case language codes, as defined by https //en wikipedia org/wiki/iso 639 1 iso 639 1 for example en (english), de (german), or fr (french) name string required the 
name of the product path string optional the installation path of the product uid string optional the unique identifier of the product output parameter type description cve object the common vulnerabilities and exposures ( https //cve mitre org/ cve ) created time dt string the record creation date identifies when the cve id was issued to a cve numbering authority (cna) or the cve record was published on the cve list note that the record creation date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in cve cvss object the cvss object details common vulnerability scoring system ( https //www first org/cvss/ cvss ) scores from the advisory that are related to the vulnerability base score number the cvss base score for example 9 1 depth string the cvss depth represents a depth of the equation used to calculate cvss score metrics array the common vulnerability scoring system metrics this attribute contains information on the cve's impact if the cve has been analyzed, this attribute will contain any cvssv2 or cvssv3 information associated with the vulnerability for example {{"access vector", "network"}, {"access complexity", "low"}, } name string the name of the metric value object the value of the metric overall score number the cvss overall score, impacted by base, temporal, and environmental metrics for example 9 1 severity string the common vulnerability scoring system (cvss) qualitative severity rating a textual representation of the numeric score cvss v2 0 low (0 0 – 3 9) medium (4 0 – 6 9) high (7 0 – 10 0) cvss v3 0 none (0 0) low (0 1 3 9) medium (4 0 6 9) high (7 0 8 9) critical (9 0 10 0) vector string string the cvss vector string is a text representation of a set of cvss metrics it is commonly used to record or transfer cvss metric information in a concise form for example 3 1/av \ l /ac \ l /pr \ l /ui \ n /s \ u /c \ h /i \ n /a \ h version string the cvss version for 
example 3 1 cwe uid string the https //cwe mitre org/ common weakness enumeration (cwe) unique identifier for example cwe 787 cwe url string common weakness enumiration (cwe) definition url for example https //cwe mitre org/data/definitions/787 html https //cwe mitre org/data/definitions/787 html modified time dt string the record modified date identifies when the cve record was last updated product object the product where the vulnerability was discovered feature object the feature that reported the event name string the name of the product feature uid string the unique identifier of the product feature version string the version of the product feature lang string the two letter lower case language codes, as defined by https //en wikipedia org/wiki/iso 639 1 iso 639 1 for example en (english), de (german), or fr (french) name string the name of the product path string the installation path of the product uid string the unique identifier of the product vendor name string the name of the vendor of the product example \[ { "cve" { "created time dt" "string", "cvss" {}, "cwe uid" "string", "cwe url" "string", "modified time dt" "string", "product" {}, "type" "string", "uid" "string" }, "desc" "string", "kb articles" \[], "packages" \[], "references" \[], "related vulnerabilities" \[], "remediation" { "desc" "string", "kb articles" \[] }, "severity" "string", "title" "string", "vendor name" "string" } ]
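The `session_uid` description in the User action above gives two raw forms (a systemd "Started Session" line and a Windows Logon ID) that a playbook has to turn into one normalized value before it can populate a `user` object. The following is an added example, not code from Swimlane or from this connector: it extracts `session_uid` and `name` from both forms and checks the one hard requirement the `groups` table states (every group needs a `name`). The two log lines are constructed for the example; the Windows text mimics the layout of a logon event but is not a real capture.

```python
import re
from typing import Optional

# Constructed samples modelled on the two session_uid examples in the User
# section. Neither is a real capture.
SAMPLE_SYSTEMD = ("Aug 10 17:31:16 ip-192-168-1-1 systemd[1]: "
                  "Started Session 222 of user ubuntu.")
SAMPLE_WINDOWS = ("An account was successfully logged on.\r\n"
                  "\tAccount Name:\t\tjanedoe1\r\n"
                  "\tLogon ID:\t\t0xD22E9734\r\n")

# systemd logs "Started Session <id> of user <name>"; <id> is the session_uid.
_SYSTEMD_RE = re.compile(
    r"systemd\[\d+\]: Started Session (?P<session>\S+) of user (?P<user>[^\s.]+)")
# Windows logon events carry a hex "Logon ID"; the page shows it normalized to
# lower-case hex (0xD22E9734 -> 0xd22e9734).
_WIN_LOGON_RE = re.compile(r"Logon ID:\s*(?P<session>0x[0-9A-Fa-f]+)")
_WIN_ACCOUNT_RE = re.compile(r"Account Name:\s*(?P<user>\S+)")


def user_from_log(text: str) -> Optional[dict]:
    """Build a minimal `user` object ({name, session_uid, groups}) from a log line.

    Returns None when neither pattern matches so the caller can fall back to
    other evidence instead of emitting a half-populated user. Only fields the
    text actually supports are set; `type`, `uid` etc. are left to enrichment.
    """
    m = _SYSTEMD_RE.search(text)
    if m:
        return {"name": m.group("user"), "session_uid": m.group("session"),
                "groups": []}
    m = _WIN_LOGON_RE.search(text)
    if m:
        user = {"session_uid": m.group("session").lower(), "groups": []}
        # Real 4624 events carry two "Account Name" fields (Subject and New
        # Logon); this sample has one. Take the first match here and pick the
        # New Logon block explicitly when parsing full events.
        acct = _WIN_ACCOUNT_RE.search(text)
        if acct and acct.group("user") != "-":
            user["name"] = acct.group("user")
        return user
    return None


def validate_user(user: dict) -> list:
    """Return required-field violations for a `user` object per the table above:
    `groups` must be an array and every entry must carry a `name`."""
    problems = []
    groups = user.get("groups", [])
    if not isinstance(groups, list):
        return ["groups must be an array"]
    for i, g in enumerate(groups):
        if not isinstance(g, dict) or not g.get("name"):
            problems.append(f"groups[{i}].name is required")
    return problems


if __name__ == "__main__":
    for sample in (SAMPLE_SYSTEMD, SAMPLE_WINDOWS):
        u = user_from_log(sample)
        print(u, validate_user(u))
```

Normalizing the Windows Logon ID to lower-case hex matters because the same session will otherwise appear under two keys when events from different collectors (one preserving case, one not) are correlated on `session_uid`.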
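The `cvss` table in Vulnerability Details above describes a vector string, a `metrics` array of name/value pairs, and a qualitative `severity` whose bands differ between CVSS v2.0 and v3.x. The following is an added example, not code from Swimlane or this connector, showing how to derive the latter two from the former so a playbook does not store a base score under the wrong severity band. The metric and value names are those of the FIRST CVSS v3.1 specification; `build_cve` and its `cwe_url` derivation are this example's own conventions, not part of the connector's API.

```python
import re
from typing import Optional

# CVSS v3.x base metrics (FIRST CVSS v3.1 specification) and their value names.
_V3_NAMES = {"AV": "Attack Vector", "AC": "Attack Complexity",
             "PR": "Privileges Required", "UI": "User Interaction", "S": "Scope",
             "C": "Confidentiality", "I": "Integrity", "A": "Availability"}
_V3_VALUES = {
    "AV": {"N": "Network", "A": "Adjacent", "L": "Local", "P": "Physical"},
    "AC": {"L": "Low", "H": "High"},
    "PR": {"N": "None", "L": "Low", "H": "High"},
    "UI": {"N": "None", "R": "Required"},
    "S": {"U": "Unchanged", "C": "Changed"},
    "C": {"N": "None", "L": "Low", "H": "High"},
    "I": {"N": "None", "L": "Low", "H": "High"},
    "A": {"N": "None", "L": "Low", "H": "High"},
}


def parse_cvss_vector(vector: str) -> dict:
    """Split a CVSS v3.x vector into its version and a `metrics` array of
    {name, value} entries (the shape the cvss.metrics table describes).
    Accepts the page's form "3.1/AV:L/..." and the "CVSS:3.1/AV:L/..." form.
    Temporal/environmental metrics are skipped; all eight base metrics must be present."""
    parts = vector.strip().split("/")
    version = parts[0][5:] if parts[0].startswith("CVSS:") else parts[0]
    if not re.fullmatch(r"3\.[01]", version):
        raise ValueError(f"unsupported CVSS version in vector: {parts[0]!r}")
    metrics, seen = [], set()
    for part in parts[1:]:
        abbr, _, val = part.partition(":")
        if abbr not in _V3_NAMES:
            continue  # E, RL, RC, CR, ... are not expanded here
        if val not in _V3_VALUES[abbr]:
            raise ValueError(f"invalid value {val!r} for metric {abbr}")
        metrics.append({"name": _V3_NAMES[abbr], "value": _V3_VALUES[abbr][val]})
        seen.add(abbr)
    missing = set(_V3_NAMES) - seen
    if missing:
        raise ValueError(f"vector lacks base metrics: {sorted(missing)}")
    return {"version": version, "metrics": metrics}


def cvss_severity(base_score: float, version: str) -> str:
    """Qualitative rating for a base score using the bands listed for
    cvss.severity above: v2.0 has three bands; v3.x adds None and Critical."""
    if not 0.0 <= base_score <= 10.0:
        raise ValueError("CVSS base score must be within 0.0 to 10.0")
    major = version.split(".")[0]
    if major == "2":
        return "Low" if base_score <= 3.9 else "Medium" if base_score <= 6.9 else "High"
    if major == "3":
        if base_score == 0.0:
            return "None"
        if base_score <= 3.9:
            return "Low"
        if base_score <= 6.9:
            return "Medium"
        if base_score <= 8.9:
            return "High"
        return "Critical"
    raise ValueError(f"no severity table on this page for CVSS version {version}")


def build_cve(base_score: float, vector: str, cwe_uid: Optional[str] = None) -> dict:
    """Assemble a `cve` object whose cvss block satisfies the required fields
    (base_score, version) and carries consistent severity and metrics.
    cwe_url is derived from cwe_uid in the pattern the page's example shows
    (CWE-787 -> https://cwe.mitre.org/data/definitions/787.html)."""
    parsed = parse_cvss_vector(vector)
    cve = {"cvss": {"base_score": base_score, "version": parsed["version"],
                    "vector_string": vector,
                    "severity": cvss_severity(base_score, parsed["version"]),
                    "metrics": parsed["metrics"]}}
    if cwe_uid is not None:
        m = re.fullmatch(r"CWE-(\d+)", cwe_uid)
        if not m:
            raise ValueError(f"malformed CWE identifier: {cwe_uid!r}")
        cve["cwe_uid"] = cwe_uid
        cve["cwe_url"] = f"https://cwe.mitre.org/data/definitions/{m.group(1)}.html"
    return cve


if __name__ == "__main__":
    print(build_cve(9.1, "3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "CWE-787"))
```

The version check in `cvss_severity` is the point of the example: a 9.1 is "Critical" under v3.x but only "High" under v2.0, so severity must never be computed without the `version` the table marks as required.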