# SOS Objects Pt1
The SOS Objects Pt1 connector provides a toolkit for retrieving and managing data across a range of security and operational tasks. SOS Objects Pt1 is a security automation platform that captures hard-to-reach telemetry and extends the scope of response actions beyond the conventional XDR ecosystem. The connector integrates with third-party tools so that capabilities from various services can be installed and used inside Swimlane playbooks, and it lets users configure API inputs and outputs without writing code.

## Prerequisites

None.

## Actions

### Actor

Retrieve details for a specified actor from SOS Objects Pt1. Requires the `actor` input parameter.

Endpoint method: GET

**Input arguments**

| Name | Type | Required | Description |
|---|---|---|---|
| actor | object | required | Parameter for actor. |
| actor.process | object | optional | The process that initiated the activity. |
| actor.process.cmd_line | string | optional | The full command line used to launch an application, service, process, or job. For example: `ssh user@10.0.0.10`. If the command line is unavailable or missing, the empty string `''` is to be used. |
| actor.process.created_time_dt | string | optional | The time when the process was created/started. |
| actor.process.file | object | optional | The process file object. |
| actor.process.file.accessed_time_dt | string | optional | The time when the file was last accessed. |
| actor.process.file.accessor | string | optional | The name of the user who last accessed the object. |
| actor.process.file.attributes | integer | optional | The bitmask value that represents the file attributes. |
| actor.process.file.company_name | string | optional | The name of the company that published the file. For example: Microsoft Corporation. |
| actor.process.file.confidentiality | string | optional | The file content confidentiality, as defined by the event source. |
| actor.process.file.created_time_dt | string | optional | The time when the file was created. |
| actor.process.file.creator | string | optional | The user that created the file. |
| actor.process.file.desc | string | optional | The description of the file, as returned by the file system. For example: the description as returned by the Unix `file` command or the Windows file type. |
| actor.process.file.fingerprints | array | optional | An array of digital fingerprint objects. |
| actor.process.file.fingerprints.algorithm | string | optional | The hash algorithm, as reported by the event source, which was used to create the digital fingerprint. |
| actor.process.file.fingerprints.value | string | required | The digital fingerprint value. |
| actor.process.file.is_system | boolean | optional | The indication of whether the object is part of the operating system. |
| actor.process.file.mime_type | string | optional | The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. |
| actor.process.file.modified_time_dt | string | optional | The time when the file was last modified. |
| actor.process.file.modifier | string | optional | The user that last modified the file. |
| actor.process.file.name | string | required | The name of the file. For example: `svchost.exe`. |
| actor.process.file.owner | string | optional | The user that owns the file/object. |
| actor.process.file.parent_folder | string | optional | The parent folder in which the file resides. For example: `c:\windows\system32`. |
| actor.process.file.path | string | optional | The full path to the file. For example: `c:\windows\system32\svchost.exe`. |
| actor.process.file.product | object | optional | The product that created or installed the file. |

**Input example**

```json
{
  "actor": {
    "process": {
      "cmd_line": "string",
      "created_time_dt": "string",
      "file": {
        "accessed_time_dt": "string",
        "accessor": "string",
        "attributes": 123,
        "company_name": "example name",
        "confidentiality": "string",
        "created_time_dt": "string",
        "creator": "string",
        "desc": "string",
        "fingerprints": [],
        "is_system": true,
        "mime_type": "string",
        "modified_time_dt": "string",
        "modifier": "string",
        "name": "example name",
        "owner": "string",
        "parent_folder": "string",
        "path": "string",
        "product": {},
        "security_descriptor": "string",
        "signature": {},
        "size": 123,
        "type": "string",
        "uid": "string",
        "version": "string",
        "xattributes": {}
      },
      "integrity": "string",
      "integrity_id": 123,
      "lineage": ["string"],
      "loaded_modules": ["string"],
      "name": "example name",
      "parent_process": {
        "cmd_line": "string",
        "created_time_dt": "string",
        "file": {},
        "integrity": "string",
        "integrity_id": 123,
        "lineage": ["string"],
        "loaded_modules": ["string"],
        "name": "example name",
        "parent_process": {},
        "pid": 123,
        "sandbox": "string",
        "terminated_time_dt": "string",
        "tid": 123,
        "uid": "string",
        "user": {},
        "xattributes": {}
      },
      "pid": 123,
      "sandbox": "string",
      "terminated_time_dt": "string",
      "tid": 123,
      "uid": "string",
      "user": {
        "account_type": "string",
        "account_uid": "string",
        "credential_uid": "string",
        "domain": "string",
        "email_addr": "string",
        "groups": [],
        "name": "example name",
        "org_uid": "string",
        "session_uid": "string",
        "session_uuid": "string",
        "type": "string",
        "uid": "string",
        "uuid": "12345678-1234-1234-1234-123456789abc"
      },
      "xattributes": {}
    },
    "user": {
      "account_type": "string",
      "account_uid": "string",
      "credential_uid": "string",
      "domain": "string",
      "email_addr": "string",
      "groups": [
        {
          "desc": "string",
          "name": "example name",
          "privileges": ["string"],
          "type": "string",
          "uid": "string"
        }
      ],
      "name": "example name",
      "org_uid": "string",
      "session_uid": "string",
      "session_uuid": "string",
      "type": "string",
      "uid": "string",
      "uuid": "12345678-1234-1234-1234-123456789abc"
    }
  }
}
```

**Output parameters**

| Name | Type | Description |
|---|---|---|
| process | object | The process that initiated the activity. |
| process.cmd_line | string | The full command line used to launch an application, service, process, or job. For example: `ssh user@10.0.0.10`. If the command line is unavailable or missing, the empty string `''` is to be used. |
| process.created_time_dt | string | The time when the process was created/started. |
| process.file | object | The process file object. |
| process.file.accessed_time_dt | string | The time when the file was last accessed. |
| process.file.accessor | string | The name of the user who last accessed the object. |
| process.file.attributes | integer | The bitmask value that represents the file attributes. |
| process.file.company_name | string | The name of the company that published the file. For example: Microsoft Corporation. |
| process.file.confidentiality | string | The file content confidentiality, as defined by the event source. |
| process.file.created_time_dt | string | The time when the file was created. |
| process.file.creator | string | The user that created the file. |
| process.file.desc | string | The description of the file, as returned by the file system. For example: the description as returned by the Unix `file` command or the Windows file type. |
| process.file.fingerprints | array | An array of digital fingerprint objects. |
| process.file.fingerprints.algorithm | string | The hash algorithm, as reported by the event source, which was used to create the digital fingerprint. |
| process.file.fingerprints.value | string | The digital fingerprint value. |
| process.file.is_system | boolean | The indication of whether the object is part of the operating system. |
| process.file.mime_type | string | The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. |
| process.file.modified_time_dt | string | The time when the file was last modified. |
| process.file.modifier | string | The user that last modified the file. |
| process.file.name | string | The name of the file. For example: `svchost.exe`. |
| process.file.owner | string | The user that owns the file/object. |
| process.file.parent_folder | string | The parent folder in which the file resides. For example: `c:\windows\system32`. |
| process.file.path | string | The full path to the file. For example: `c:\windows\system32\svchost.exe`. |
| process.file.product | object | The product that created or installed the file. |
| process.file.product.feature | object | The feature that reported the event. |

**Output example**

```json
{
  "process": {
    "cmd_line": "string",
    "created_time_dt": "string",
    "file": {
      "accessed_time_dt": "string",
      "accessor": "string",
      "attributes": 123,
      "company_name": "example name",
      "confidentiality": "string",
      "created_time_dt": "string",
      "creator": "string",
      "desc": "string",
      "fingerprints": [],
      "is_system": true,
      "mime_type": "string",
      "modified_time_dt": "string",
      "modifier": "string",
      "name": "example name",
      "owner": "string"
    },
    "integrity": "string",
    "integrity_id": 123,
    "lineage": ["string"],
    "loaded_modules": ["string"],
    "name": "example
```

### Attack

Executes an attack action within SOS Objects Pt1 using the specified `attack` parameter.

Endpoint method: GET

**Input arguments**

| Name | Type | Required | Description |
|---|---|---|---|
| attack | object | required | Parameter for attack. |
| attack.tactics | array | required | A list of tactic IDs/names that are associated with the attack technique, as defined by the [ATT&CK Matrix™](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| attack.tactics.name | string | optional | The tactic name that is associated with the attack technique, as defined by the ATT&CK Matrix™. |
| attack.tactics.uid | string | required | The tactic ID that is associated with the attack technique, as defined by the ATT&CK Matrix™. |
| attack.technique | object | required | The attack technique. |
| attack.technique.name | string | optional | The name of the attack technique, as defined by the ATT&CK Matrix™. For example: Drive-by Compromise. |
| attack.technique.uid | string | required | The unique identifier of the attack technique, as defined by the ATT&CK Matrix™. For example: T1189. |
| attack.version | string | required | The ATT&CK Matrix version. |

**Input example**

```json
{
  "attack": {
    "tactics": [{"name": "example name", "uid": "string"}],
    "technique": {"name": "example name", "uid": "string"},
    "version": "string"
  }
}
```

**Output parameters**

| Name | Type | Description |
|---|---|---|
| tactics | array | A list of tactic IDs/names that are associated with the attack technique, as defined by the [ATT&CK Matrix™](https://attack.mitre.org/wiki/ATT&CK_Matrix). |
| tactics.name | string | The tactic name that is associated with the attack technique, as defined by the ATT&CK Matrix™. |
| tactics.uid | string | The tactic ID that is associated with the attack technique, as defined by the ATT&CK Matrix™. |
| technique | object | The attack technique. |
| technique.name | string | The name of the attack technique, as defined by the ATT&CK Matrix™. For example: Drive-by Compromise. |
| technique.uid | string | The unique identifier of the attack technique, as defined by the ATT&CK Matrix™. For example: T1189. |
| version | string | The ATT&CK Matrix version. |

**Output example**

```json
{
  "tactics": [],
  "technique": {"name": "example name", "uid": "string"},
  "version": "string"
}
```

### Cloud

Interact with cloud services to perform operations specified by the `cloud` input parameter in SOS Objects Pt1.

Endpoint method: GET

**Input arguments**

| Name | Type | Required | Description |
|---|---|---|---|
| cloud | object | required | Parameter for cloud. |
| cloud.account_name | string | optional | The name of the account (e.g. AWS account name). |
| cloud.account_type | string | optional | The user account type, as defined by the event source. |
| cloud.account_uid | string | optional | The unique identifier of the account (e.g. AWS account ID). |
| cloud.org_uid | string | optional | The unique identifier of the organization to which the user belongs. For example, Active Directory or AWS org ID. |
| cloud.project_uid | string | optional | Cloud project identifier. |
| cloud.provider | string | required | The unique name of the cloud services provider, such as AWS, MS Azure, GCP, etc. |
| cloud.region | string | optional | The name of the cloud region, as defined by the cloud provider. |
| cloud.resource_uid | string | optional | The unique identifier of a cloud resource. For example, S3 bucket name, EC2 instance ID. |
| cloud.zone | string | optional | The availability zone in the cloud region, as defined by the cloud provider. |

**Input example**

```json
{
  "cloud": {
    "account_name": "example name",
    "account_type": "string",
    "account_uid": "string",
    "org_uid": "string",
    "project_uid": "string",
    "provider": "string",
    "region": "string",
    "resource_uid": "string",
    "zone": "string"
  }
}
```

**Output parameters**

| Name | Type | Description |
|---|---|---|
| account_name | string | The name of the account (e.g. AWS account name). |
| account_type | string | The user account type, as defined by the event source. |
| account_uid | string | The unique identifier of the account (e.g. AWS account ID). |
| org_uid | string | The unique identifier of the organization to which the user belongs. For example, Active Directory or AWS org ID. |
| project_uid | string | Cloud project identifier. |
| provider | string | The unique name of the cloud services provider, such as AWS, MS Azure, GCP, etc. |
| region | string | The name of the cloud region, as defined by the cloud provider. |
| resource_uid | string | The unique identifier of a cloud resource. For example, S3 bucket name, EC2 instance ID. |
| zone | string | The availability zone in the cloud region, as defined by the cloud provider. |

**Output example**

```json
{
  "account_name": "string",
  "account_type": "string",
  "account_uid": "string",
  "org_uid": "string",
  "project_uid": "string",
  "provider": "string",
  "region": "string",
  "resource_uid": "string",
  "zone": "string"
}
```

### Compliance Details

Initiates a compliance check within SOS Objects Pt1 using the provided `compliance` input.

Endpoint method: GET

**Input arguments**

| Name | Type | Required | Description |
|---|---|---|---|
| compliance | object | required | Parameter for compliance details. |
| compliance.requirements | array | optional | A list of applicable compliance requirements to which this finding is related. |
| compliance.status | string | optional | The event status, as reported by the event source. |
| compliance.status_detail | string | optional | The status detail contains additional information about the event outcome. |

**Input example**

```json
{
  "compliance": {
    "requirements": ["string"],
    "status": "active",
    "status_detail": "active"
  }
}
```

**Output parameters**

| Name | Type | Description |
|---|---|---|
| requirements | array | A list of applicable compliance requirements to which this finding is related. |
| status | string | The event status, as reported by the event source. |
| status_detail | string | The status detail contains additional information about the event outcome. |

**Output example**

```json
{
  "requirements": [],
  "status": "string",
  "status_detail": "string"
}
```

### CVE

Retrieve details for a specified Common Vulnerabilities and Exposures (CVE) identifier from SOS Objects Pt1.

Endpoint method: GET

**Input arguments**

| Name | Type | Required | Description |
|---|---|---|---|
| cve | object | required | Parameter for CVE. |
| cve.created_time_dt | string | optional | The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. |
| cve.cvss | object | optional | The CVSS object details Common Vulnerability Scoring System ([CVSS](https://www.first.org/cvss/)) scores from the advisory that are related to the vulnerability. |
| cve.cvss.base_score | number | required | The CVSS base score. For example: 9.1. |
| cve.cvss.depth | string | optional | The CVSS depth represents the depth of the equation used to calculate the CVSS score. |
| cve.cvss.metrics | array | optional | The Common Vulnerability Scoring System metrics. This attribute contains information on the CVE's impact. If the CVE has been analyzed, this attribute will contain any CVSSv2 or CVSSv3 information associated with the vulnerability. For example: `{{"Access Vector", "Network"}, {"Access Complexity", "Low"}, ...}`. |
| cve.cvss.metrics.name | string | required | The name of the metric. |
| cve.cvss.metrics.value | object | required | The value of the metric. |
| cve.cvss.overall_score | number | optional | The CVSS overall score, impacted by base, temporal, and environmental metrics. For example: 9.1. |
| cve.cvss.severity | string | optional | The Common Vulnerability Scoring System (CVSS) qualitative severity rating, a textual representation of the numeric score. CVSS v2.0: Low (0.0–3.9), Medium (4.0–6.9), High (7.0–10.0). CVSS v3.0: None (0.0), Low (0.1–3.9), Medium (4.0–6.9), High (7.0–8.9), Critical (9.0–10.0). |
| cve.cvss.vector_string | string | optional | The CVSS vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise form. For example: `3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H`. |
| cve.cvss.version | string | required | The CVSS version. For example: 3.1. |
| cve.cwe_uid | string | optional | The [Common Weakness Enumeration (CWE)](https://cwe.mitre.org/) unique identifier. For example: CWE-787. |
| cve.cwe_url | string | optional | Common Weakness Enumeration (CWE) definition URL. For example: https://cwe.mitre.org/data/definitions/787.html. |
| cve.modified_time_dt | string | optional | The Record Modified Date identifies when the CVE record was last updated. |
| cve.product | object | optional | The product where the vulnerability was discovered. |
| cve.product.feature | object | optional | The feature that reported the event. |
| cve.product.feature.name | string | optional | The name of the product feature. |
| cve.product.feature.uid | string | optional | The unique identifier of the product feature. |
| cve.product.feature.version | string | optional | The version of the product feature. |
| cve.product.lang | string | optional | The two-letter lower-case language code, as defined by [ISO 639-1](https://en.wikipedia.org/wiki/ISO_639-1). For example: en (English), de (German), or fr (French). |
| cve.product.name | string | required | The name of the product. |
| cve.product.path | string | optional | The installation path of the product. |
| cve.product.uid | string | optional | The unique identifier of the product. |
| cve.product.vendor_name | string | required | The name of the vendor of the product. |

**Input example**

```json
{
  "cve": {
    "created_time_dt": "string",
    "cvss": {
      "base_score": 123,
      "depth": "string",
      "metrics": [{"name": "example name", "value": {}}],
      "overall_score": 123,
      "severity": "string",
      "vector_string": "string",
      "version": "string"
    },
    "cwe_uid": "string",
    "cwe_url": "string",
    "modified_time_dt": "string",
    "product": {
      "feature": {"name": "example name", "uid": "string", "version": "string"},
      "lang": "string",
      "name": "example name",
      "path": "string",
      "uid": "string",
      "vendor_name": "example name",
      "version": "string"
    },
    "type": "string",
    "uid": "string"
  }
}
```

**Output parameters**

| Name | Type | Description |
|---|---|---|
| created_time_dt | string | The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. |
| cvss | object | The CVSS object details Common Vulnerability Scoring System ([CVSS](https://www.first.org/cvss/)) scores from the advisory that are related to the vulnerability. |
| cvss.base_score | number | The CVSS base score. For example: 9.1. |
| cvss.depth | string | The CVSS depth represents the depth of the equation used to calculate the CVSS score. |
| cvss.metrics | array | The Common Vulnerability Scoring System metrics. This attribute contains information on the CVE's impact. If the CVE has been analyzed, this attribute will contain any CVSSv2 or CVSSv3 information associated with the vulnerability. For example: `{{"Access Vector", "Network"}, {"Access Complexity", "Low"}, ...}`. |
| cvss.metrics.name | string | The name of the metric. |
| cvss.metrics.value | object | The value of the metric. |
| cvss.overall_score | number | The CVSS overall score, impacted by base, temporal, and environmental metrics. For example: 9.1. |
| cvss.severity | string | The Common Vulnerability Scoring System (CVSS) qualitative severity rating, a textual representation of the numeric score. CVSS v2.0: Low (0.0–3.9), Medium (4.0–6.9), High (7.0–10.0). CVSS v3.0: None (0.0), Low (0.1–3.9), Medium (4.0–6.9), High (7.0–8.9), Critical (9.0–10.0). |
| cvss.vector_string | string | The CVSS vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise form. For example: `3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H`. |
| cvss.version | string | The CVSS version. For example: 3.1. |
| cwe_uid | string | The [Common Weakness Enumeration (CWE)](https://cwe.mitre.org/) unique identifier. For example: CWE-787. |
| cwe_url | string | Common Weakness Enumeration (CWE) definition URL. For example: https://cwe.mitre.org/data/definitions/787.html. |
| modified_time_dt | string | The Record Modified Date identifies when the CVE record was last updated. |
| product | object | The product where the vulnerability was discovered. |
| product.feature | object | The feature that reported the event. |
| product.feature.name | string | The name of the product feature. |
| product.feature.uid | string | The unique identifier of the product feature. |
| product.feature.version | string | The version of the product feature. |
| product.lang | string | The two-letter lower-case language code, as defined by [ISO 639-1](https://en.wikipedia.org/wiki/ISO_639-1). For example: en (English), de (German), or fr (French). |
| product.name | string | The name of the product. |
| product.path | string | The installation path of the product. |
| product.uid | string | The unique identifier of the product. |
| product.vendor_name | string | The name of the vendor of the product. |
| product.version | string | The version of the product, as defined by the event source. For example: 2013.1.3-beta. |

**Output example**

```json
{
  "created_time_dt": "string",
  "cvss": {
    "base_score": 123,
    "depth": "string",
    "metrics": [{}],
    "overall_score": 123,
    "severity": "string",
    "vector_string": "string",
    "version": "string"
  },
  "cwe_uid": "string",
  "cwe_url": "string",
  "modified_time_dt": "string",
  "product": {
    "feature": {"name": "example name", "uid": "string", "version": "string"},
    "lang": "string",
    "name": "example name",
    "path": "string",
    "uid": "string",
    "vendor_name": "example name",
    "version": "string"
  },
  "type": "string",
  "uid": "string"
}
```

### CVSS Score

Retrieve the Common Vulnerability Scoring System (CVSS) score for a specified vulnerability.

Endpoint method: GET

**Input arguments**

| Name | Type | Required | Description |
|---|---|---|---|
| cvss | object | required | Parameter for CVSS score. |
| cvss.base_score | number | required | The CVSS base score. For example: 9.1. |
| cvss.depth | string | optional | The CVSS depth represents the depth of the equation used to calculate the CVSS score. |
| cvss.metrics | array | optional | The Common Vulnerability Scoring System metrics. This attribute contains information on the CVE's impact. If the CVE has been analyzed, this attribute will contain any CVSSv2 or CVSSv3 information associated with the vulnerability. For example: `{{"Access Vector", "Network"}, {"Access Complexity", "Low"}, ...}`. |
| cvss.metrics.name | string | required | The name of the metric. |
| cvss.metrics.value | object | required | The value of the metric. |
| cvss.overall_score | number | optional | The CVSS overall score, impacted by base, temporal, and environmental metrics. For example: 9.1. |
| cvss.severity | string | optional | The Common Vulnerability Scoring System (CVSS) qualitative severity rating, a textual representation of the numeric score. CVSS v2.0: Low (0.0–3.9), Medium (4.0–6.9), High (7.0–10.0). CVSS v3.0: None (0.0), Low (0.1–3.9), Medium (4.0–6.9), High (7.0–8.9), Critical (9.0–10.0). |
| cvss.vector_string | string | optional | The CVSS vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise form. For example: `3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H`. |
| cvss.version | string | required | The CVSS version. For example: 3.1. |

**Input example**

```json
{
  "cvss": {
    "base_score": 123,
    "depth": "string",
    "metrics": [{"name": "example name", "value": {}}],
    "overall_score": 123,
    "severity": "string",
    "vector_string": "string",
    "version": "string"
  }
}
```

**Output parameters**

| Name | Type | Description |
|---|---|---|
| base_score | number | The CVSS base score. For example: 9.1. |
| depth | string | The CVSS depth represents the depth of the equation used to calculate the CVSS score. |
| metrics | array | The Common Vulnerability Scoring System metrics. This attribute contains information on the CVE's impact. If the CVE has been analyzed, this attribute will contain any CVSSv2 or CVSSv3 information associated with the vulnerability. For example: `{{"Access Vector", "Network"}, {"Access Complexity", "Low"}, ...}`. |
| metrics.name | string | The name of the metric. |
| metrics.value | object | The value of the metric. |
| overall_score | number | The CVSS overall score, impacted by base, temporal, and environmental metrics. For example: 9.1. |
| severity | string | The Common Vulnerability Scoring System (CVSS) qualitative severity rating, a textual representation of the numeric score. CVSS v2.0: Low (0.0–3.9), Medium (4.0–6.9), High (7.0–10.0). CVSS v3.0: None (0.0), Low (0.1–3.9), Medium (4.0–6.9), High (7.0–8.9), Critical (9.0–10.0). |
| vector_string | string | The CVSS vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise form. For example: `3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H`. |
| version | string | The CVSS version. For example: 3.1. |

**Output example**

```json
{
  "base_score": 123,
  "depth": "string",
  "metrics": [],
  "overall_score": 123,
  "severity": "string",
  "vector_string": "string",
  "version": "string"
}
```

### Device

Retrieve or interact with a specific device using its unique identifier within the SOS Objects Pt1 ecosystem.

Endpoint method: GET

**Input arguments**

| Name | Type | Required | Description |
|---|---|---|---|
| device | object | required | Parameter for device. |
| device.autoscale_uid | string | optional | The unique identifier of the cloud autoscale configuration. |
| device.desc | string | optional | The description of the device, ordinarily as reported by the operating system. |
| device.domain | string | optional | The network domain where the device resides. For example: `work.example.com`. |
| device.groups | array | optional | The group names to which the device belongs. For example: `["Windows Laptops", "Engineering"]`. |
| device.groups.desc | string | optional | The group description. |
| device.groups.name | string | required | The group name. |
| device.groups.privileges | array | optional | The group privileges. |
| device.groups.type | string | optional | The type of the group or account. |
| device.groups.uid | string | optional | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. |
| device.hostname | string | optional | The device hostname. |
| device.hw_info | object | optional | The device hardware information. |
| device.hw_info.bios_date | string | optional | The BIOS date. For example: 03/31/16. |
| device.hw_info.bios_manufacturer | string | optional | The BIOS manufacturer. For example: Lenovo. |
| device.hw_info.bios_ver | string | optional | The BIOS version. For example: LENOVO G5ETA2WW (2.62). |
| device.hw_info.chassis | string | optional | The chassis type describes the system enclosure or physical form factor, such as the following examples for Windows: [Windows Chassis Types](https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-systemenclosure). |
| device.hw_info.cpu_bits | integer | optional | The CPU architecture, the number of bits used for addressing in memory. For example: 32 or 64. |
| device.hw_info.cpu_cores | integer | optional | The number of processor cores in all installed processors. For example: 42. |
| device.hw_info.cpu_count | integer | optional | The number of physical processors on a system. For example: 1. |
| device.hw_info.cpu_speed | integer | optional | The speed of the processor in MHz. For example: 4200. |
| device.hw_info.cpu_type | string | optional | The processor type. For example: x86 Family 6 Model 37 Stepping 5. |
| device.hw_info.desktop_display | object | optional | The desktop display affiliated with the event. |
| device.hw_info.desktop_display.color_depth | integer | optional | The numeric color depth. |
| device.hw_info.desktop_display.physical_height | integer | optional | The numeric physical height of the display. |
| device.hw_info.desktop_display.physical_orientation | integer | optional | The numeric physical orientation of the display. |

**Input example**

```json
{
  "device": {
    "autoscale_uid": "string",
    "desc": "string",
    "domain": "string",
    "groups": [
      {
        "desc": "string",
        "name": "example name",
        "privileges": ["string"],
        "type": "string",
        "uid": "string"
      }
    ],
    "hostname": "example name",
    "hw_info": {
      "bios_date": "string",
      "bios_manufacturer": "string",
      "bios_ver": "string",
      "chassis": "string",
      "cpu_bits": 123,
      "cpu_cores": 123,
      "cpu_count": 123,
      "cpu_speed": 123,
      "cpu_type": "string",
      "desktop_display": {
        "color_depth": 123,
        "physical_height": 123,
        "physical_orientation": 123,
        "physical_width": 123,
        "scale_factor": 123
      },
      "keyboard_info": {
        "function_keys": 123,
        "ime": "string",
        "keyboard_layout": "string",
        "keyboard_subtype": 123,
        "keyboard_type": "string"
      },
      "ram_size": 123,
      "serial_number": "string"
    },
    "hypervisor": "string",
    "image": {
      "labels": ["string"],
      "name": "example name",
      "path": "string",
      "tag": "string",
      "uid": "string"
    },
    "imei": "string",
    "instance_uid": "string",
    "interface_uid": "string",
    "ip": "string",
    "is_compliant": true,
    "is_managed": true,
    "is_personal": true,
    "is_trusted": true,
    "location": {
      "city": "string",
      "continent": "string",
      "coordinates": [123],
      "country": "string",
      "desc": "string",
      "is_on_premises": true,
      "isp": "string",
      "postal_code": "string",
      "provider": "string",
      "region": "string"
    },
    "mac": "string",
    "name": "example name",
    "network_interfaces": [
      {
        "hostname": "example name",
        "ip": "string",
        "mac": "string",
        "name": "example name",
        "namespace": "example name",
        "reputation": {"base_score": 123, "provider": "string", "score": "string"},
        "type": "string",
        "uid": "string"
      }
    ],
    "org_unit": "string",
    "os": {
      "build": "string",
      "country": "string",
      "cpu_bits": 123,
      "edition": "string",
      "lang": "string",
      "name": "example name",
      "sp_name": "example name",
      "sp_ver": 123,
      "type": "string",
      "version": "string"
    },
    "region": "string",
    "reputation": {"base_score": 123, "provider": "string", "score": "string"},
    "risk_level": "string",
    "risk_score": 123,
    "subnet": "string",
    "subnet_uid": "string",
    "type": "string",
    "uid": "string",
    "vlan_uid": "string",
    "vpc_uid": "string"
  }
}
```

**Output parameters**

| Name | Type | Description |
|---|---|---|
| autoscale_uid | string | The unique identifier of the cloud autoscale configuration. |
| desc | string | The description of the device, ordinarily as reported by the operating system. |
| domain | string | The network domain where the device resides. For example: `work.example.com`. |
| groups | array | The group names to which the device belongs. For example: `["Windows Laptops", "Engineering"]`. |
| groups.desc | string | The group description. |
| groups.name | string | The group name. |
| groups.privileges | array | The group privileges. |
| groups.type | string | The type of the group or account. |
| groups.uid | string | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. |
| hostname | string | The device hostname. |
| hw_info | object | The device hardware information. |
| hw_info.bios_date | string | The BIOS date. For example: 03/31/16. |
| hw_info.bios_manufacturer | string | The BIOS manufacturer. For example: Lenovo. |
| hw_info.bios_ver | string | The BIOS version. For example: LENOVO G5ETA2WW (2.62). |
| hw_info.chassis | string | The chassis type describes the system enclosure or physical form factor, such as the following examples for Windows: [Windows Chassis Types](https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-systemenclosure). |
| hw_info.cpu_bits | integer | The CPU architecture, the number of bits used for addressing in memory. For example: 32 or 64. |
| hw_info.cpu_cores | integer | The number of processor cores in all installed processors. For example: 42. |
| hw_info.cpu_count | integer | The number of physical processors on a system. For example: 1. |
| hw_info.cpu_speed | integer | The speed of the processor in MHz. For example: 4200. |
| hw_info.cpu_type | string | The processor type. For example: x86 Family 6 Model 37 Stepping 5. |
| hw_info.desktop_display | object | The desktop display affiliated with the event. |
| hw_info.desktop_display.color_depth | integer | The numeric color depth. |
| hw_info.desktop_display.physical_height | integer | The numeric physical height of the display. |
| hw_info.desktop_display.physical_orientation | integer | The numeric physical orientation of the display. |
| hw_info.desktop_display.physical_width | integer | The numeric physical width of the display. |

**Output example**

```json
{
  "autoscale_uid": "string",
  "desc": "string",
  "domain": "string",
  "groups": [],
  "hostname": "string",
  "hw_info": {
    "bios_date": "string",
    "bios_manufacturer": "string",
    "bios_ver": "string",
    "chassis": "string",
    "cpu_bits": 123,
    "cpu_cores": 123,
    "cpu_count": 123,
    "cpu_speed": 123,
    "cpu_type": "string",
    "desktop_display": {
      "color_depth": 123,
      "physical_height": 123,
      "physical_orientation": 123,
      "physical_width": 123,
      "scale_factor": 123
    },
    "keyboard_info": {
      "function_keys": 123,
      "ime": "string",
      "keyboard_layout": "string",
      "keyboard_subtype"
```

### Device Hardware Info

Retrieve detailed hardware information for a specified device using the SOS Objects Pt1 connector.

Endpoint method: GET

**Input arguments**

| Name | Type | Required | Description |
|---|---|---|---|
| device_hw_info | object | required | Parameter for device hardware info. |
| device_hw_info.bios_date | string | optional | The BIOS date. For example: 03/31/16. |
| device_hw_info.bios_manufacturer | string | optional | The BIOS manufacturer. For example: Lenovo. |
| device_hw_info.bios_ver | string | optional | The BIOS version. For example: LENOVO G5ETA2WW (2.62). |
| device_hw_info.chassis | string | optional | The chassis type describes the system enclosure or physical form factor, such as the following examples for Windows: [Windows Chassis Types](https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-systemenclosure). |
| device_hw_info.cpu_bits | integer | optional | The CPU architecture, the number of bits used for addressing in memory. For example: 32 or 64. |
| device_hw_info.cpu_cores | integer | optional | The number of processor cores in all installed processors. For example: 42. |
| device_hw_info.cpu_count | integer | optional | The number of physical processors on a system. For example: 1. |
| device_hw_info.cpu_speed | integer | optional | The speed of the processor in MHz. For example: 4200. |
| device_hw_info.cpu_type | string | optional | The processor type. For example: x86 Family 6 Model 37 Stepping 5. |
| device_hw_info.desktop_display | object | optional | The desktop display affiliated with the event. |
| device_hw_info.desktop_display.color_depth | integer | optional | The numeric color depth. |
| device_hw_info.desktop_display.physical_height | integer | optional | The numeric physical height of the display. |
| device_hw_info.desktop_display.physical_orientation | integer | optional | The numeric physical orientation of the display. |
| device_hw_info.desktop_display.physical_width | integer | optional | The numeric physical width of the display. |
| device_hw_info.desktop_display.scale_factor | integer | optional | The numeric scale factor of the display. |
| device_hw_info.keyboard_info | object | optional | The keyboard detailed information. |
| device_hw_info.keyboard_info.function_keys | integer | optional | The number of function keys on the client keyboard. |
| device_hw_info.keyboard_info.ime | string | optional | The Input Method Editor (IME) file name. |
| device_hw_info.keyboard_info.keyboard_layout | string | optional | The keyboard locale identifier name (e.g., en-US). |
device hw info keyboard info keyboard subtype integer optional the keyboard numeric code device hw info keyboard info keyboard type string optional the keyboard type (e g , xt, ico) device hw info ram size integer optional the ctotal amount of installed ram, in megabytes for example 2048 device hw info serial number string optional the device manufacturer serial number input example {"device hw info" {"bios date" "string","bios manufacturer" "string","bios ver" "string","chassis" "string","cpu bits" 123,"cpu cores" 123,"cpu count" 123,"cpu speed" 123,"cpu type" "string","desktop display" {"color depth" 123,"physical height" 123,"physical orientation" 123,"physical width" 123,"scale factor" 123},"keyboard info" {"function keys" 123,"ime" "string","keyboard layout" "string","keyboard subtype" 123,"keyboard type" "string"},"ram size" 123,"serial number" "string"}} output parameter type description bios date string the bios date for example 03/31/16 bios manufacturer string the bios manufacturer for example lenovo bios ver string the bios version for example lenovo g5eta2ww (2 62) chassis string the chassis type describes the system enclosure or physical form factor such as the following examples for windows https //docs microsoft com/en us/windows/win32/cimwin32prov/win32 systemenclosure windows chassis types cpu bits integer the cpu architecture, the number of bits used for addressing in memory for example 32 or 64 cpu cores integer the number of processor cores in all installed processors for example 42 cpu count integer the number of physical processors on a system for example 1 cpu speed integer the speed of the processor in mhz for example 4200 cpu type string the processor type for example x86 family 6 model 37 stepping 5 desktop display object the desktop display affiliated with the event desktop display color depth integer the numeric color depth desktop display physical height integer the numeric physical height of display desktop display physical orientation 
integer the numeric physical orientation of display desktop display physical width integer the numeric physical width of display desktop display scale factor integer the numeric scale factor of display keyboard info object the keyboard detailed information keyboard info function keys integer the number of function keys on client keyboard keyboard info ime string the input method editor (ime) file name keyboard info keyboard layout string the keyboard locale identifier name (e g , en us) keyboard info keyboard subtype integer the keyboard numeric code keyboard info keyboard type string the keyboard type (e g , xt, ico) ram size integer the ctotal amount of installed ram, in megabytes for example 2048 serial number string the device manufacturer serial number output example {"bios date" "string","bios manufacturer" "string","bios ver" "string","chassis" "string","cpu bits" 123,"cpu cores" 123,"cpu count" 123,"cpu speed" 123,"cpu type" "string","desktop display" {"color depth" 123,"physical height" 123,"physical orientation" 123,"physical width" 123,"scale factor" 123},"keyboard info" {"function keys" 123,"ime" "string","keyboard layout" "string","keyboard subtype" 123,"keyboard type" "string"},"ram size" 123,"serial number" "string"} digital signature validates the digital signature provided as input to ensure authenticity and integrity of data endpoint method get input argument name type required description digital signature object required parameter for digital signature digital signature company name string required the name of the company that published the file for example microsoft corporation digital signature created time dt string optional the time when the digital signature was created digital signature developer uid string optional the developer id on the certificate that signed the file digital signature fingerprints array optional an array of digital fingerprint objects digital signature fingerprints algorithm string optional the hash algorithm, as 
reported by the event source, which was used to create the digital fingerprint digital signature fingerprints value string required the digital fingerprint value digital signature issuer name string optional the certificate issuer name digital signature serial number string optional the serial number of the digital signature input example {"digital signature" {"company name" "example name","created time dt" "string","developer uid" "string","fingerprints" \[{"algorithm" "string","value" "string"}],"issuer name" "example name","serial number" "string"}} output parameter type description company name string the name of the company that published the file for example microsoft corporation created time dt string the time when the digital signature was created developer uid string the developer id on the certificate that signed the file fingerprints array an array of digital fingerprint objects fingerprints algorithm string the hash algorithm, as reported by the event source, which was used to create the digital fingerprint fingerprints value string the digital fingerprint value issuer name string the certificate issuer name serial number string the serial number of the digital signature output example {"company name" "string","created time dt" "string","developer uid" "string","fingerprints" \[],"issuer name" "string","serial number" "string"} display renders the specified object from sos objects pt1 for user visualization, requiring a 'display' input endpoint method get input argument name type required description display object required parameter for display display color depth integer optional the numeric color depth display physical height integer optional the numeric physical height of display display physical orientation integer optional the numeric physical orientation of display display physical width integer optional the numeric physical width of display display scale factor integer optional the numeric scale factor of display input example {"display" {"color 
depth" 123,"physical height" 123,"physical orientation" 123,"physical width" 123,"scale factor" 123}} output parameter type description color depth integer the numeric color depth physical height integer the numeric physical height of display physical orientation integer the numeric physical orientation of display physical width integer the numeric physical width of display scale factor integer the numeric scale factor of display output example {"color depth" 123,"physical height" 123,"physical orientation" 123,"physical width" 123,"scale factor" 123} email initiates the sending of an email through sos objects pt1, requiring the recipient's email address as input endpoint method get input argument name type required description email object required parameter for email email cc array optional the email header cc values, as defined by rfc 5322 email contains array optional lists of observables contained within this observable email contains enrichments array optional a list of enrichments email contains enrichments data object required the enrichment data associated with the attribute and value the meaning of this data depends on the type the enrichment record email contains enrichments name string optional the name of the attribute to which the enriched data pertains email contains enrichments provider string optional the enrichment data provider name email contains enrichments type string optional the enrichment type for example location email contains enrichments value object optional the value of the attribute to which the enriched data pertains email contains name string optional the name of the observable attribute for example file name email contains type string required the observable value type name email contains value object optional the value associated with the observable attribute the meaning of the data depends on the observable type email content type string optional the request header that identifies the original https //www iana 
org/assignments/media types/media types xhtml media type of the resource (prior to any content encoding applied for sending) email delivered to string optional the delivered to email header field email direction string optional the direction of the email, as defined by the direction id value email from string required the email header from values, as defined by rfc 5322 email message uid string optional the email header message id value, as defined by rfc 5322 email mime parts array optional mime parts of an email email mime parts content object optional contents of the mime part email mime parts content description string optional response content email mime parts content file string optional response content email mime parts content file name string optional name of the resource email mime parts content disposition string optional value of the content disposition header field of the mime part email mime parts content text string optional text contents of the mime part email mime parts content type string optional value of the content type header field of the mime part input example {"email" {"cc" \["string"],"contains" \[{"enrichments" \[{"data" {},"name" "example name","provider" "string","type" "string","value" {}}],"name" "example name","type" "string","value" {}}],"content type" "string","delivered to" "string","direction" "string","from" "string","message uid" "string","mime parts" \[{"content" {"description" "string","file" "string","file name" "example name"},"content disposition" "string","content text" "string","content type" "string"}],"reply to" "string","size" 123,"smtp from" "string","smtp headers" \[{"name" "example name","value" {}}],"smtp hello" "string","smtp to" \["string"],"subject" "string","to" \["string"],"x originating ip" \["string"]}} output parameter type description cc array the email header cc values, as defined by rfc 5322 contains array lists of observables contained within this observable contains enrichments array a list of 
enrichments contains enrichments data object the enrichment data associated with the attribute and value the meaning of this data depends on the type the enrichment record contains enrichments name string the name of the attribute to which the enriched data pertains contains enrichments provider string the enrichment data provider name contains enrichments type string the enrichment type for example location contains enrichments value object the value of the attribute to which the enriched data pertains contains name string the name of the observable attribute for example file name contains type string the observable value type name contains value object the value associated with the observable attribute the meaning of the data depends on the observable type content type string the request header that identifies the original https //www iana org/assignments/media types/media types xhtml media type of the resource (prior to any content encoding applied for sending) delivered to string the delivered to email header field direction string the direction of the email, as defined by the direction id value from string the email header from values, as defined by rfc 5322 message uid string the email header message id value, as defined by rfc 5322 mime parts array mime parts of an email mime parts content object contents of the mime part mime parts content description string response content mime parts content file string response content mime parts content file name string name of the resource mime parts content disposition string value of the content disposition header field of the mime part mime parts content text string text contents of the mime part mime parts content type string value of the content type header field of the mime part reply to string the email header reply to values, as defined by rfc 5322 output example {"cc" \[],"contains" \[],"content type" "string","delivered to" "string","direction" "string","from" "string","message uid" "string","mime parts" 
\[],"reply to" "string","size" 123,"smtp from" "string","smtp headers" \[],"smtp hello" "string","smtp to" \[],"subject" "string"} email authentication authenticate using an email address to enable further actions within the sos objects pt1 service endpoint method get input argument name type required description email auth object required parameter for email authentication email auth dkim string optional the domainkeys identified mail (dkim) status of the email email auth dkim domain string optional the domainkeys identified mail (dkim) signing domain of the email email auth dmarc string optional the domain based message authentication, reporting and conformance (dmarc) status of the email email auth dmarc override string optional the domain based message authentication, reporting and conformance (dmarc) override action email auth dmarc policy string optional the domain based message authentication, reporting and conformance (dmarc) policy status email auth raw header string optional the email authentication header email auth spf string optional the sender policy framework (spf) status of the email input example {"email auth" {"dkim" "string","dkim domain" "string","dmarc" "string","dmarc override" "string","dmarc policy" "string","raw header" "string","spf" "string"}} output parameter type description dkim string the domainkeys identified mail (dkim) status of the email dkim domain string the domainkeys identified mail (dkim) signing domain of the email dmarc string the domain based message authentication, reporting and conformance (dmarc) status of the email dmarc override string the domain based message authentication, reporting and conformance (dmarc) override action dmarc policy string the domain based message authentication, reporting and conformance (dmarc) policy status raw header string the email authentication header spf string the sender policy framework (spf) status of the email output example {"dkim" "string","dkim domain" "string","dmarc" 
"string","dmarc override" "string","dmarc policy" "string","raw header" "string","spf" "string"} enrichment enrich data by adding contextual information to sos objects pt1 entities, requiring an 'enrichment' input endpoint method get input argument name type required description enrichment object required parameter for enrichment enrichment data object required the enrichment data associated with the attribute and value the meaning of this data depends on the type the enrichment record enrichment name string optional the name of the attribute to which the enriched data pertains enrichment provider string optional the enrichment data provider name enrichment type string optional the enrichment type for example location enrichment value object optional the value of the attribute to which the enriched data pertains input example {"enrichment" {"data" {},"name" "example name","provider" "string","type" "string","value" {}}} output parameter type description data object the enrichment data associated with the attribute and value the meaning of this data depends on the type the enrichment record name string the name of the attribute to which the enriched data pertains provider string the enrichment data provider name type string the enrichment type for example location value object the value of the attribute to which the enriched data pertains output example {"data" {},"name" "string","provider" "string","type" "string","value" {}} feature initiate the 'feature' action within sos objects pt1, requiring a specific feature input endpoint method get input argument name type required description feature object required parameter for feature feature name string optional the name of the product feature feature uid string optional the unique identifier of the product feature feature version string optional the version of the product feature input example {"feature" {"name" "example name","uid" "string","version" "string"}} output parameter type description name string the name 
of the product feature uid string the unique identifier of the product feature version string the version of the product feature output example {"name" "string","uid" "string","version" "string"} file upload a specified file to sos objects pt1, requiring the file as mandatory input endpoint method get input argument name type required description file object required parameter for file file accessed time dt string optional the time when the file was last accessed file accessor string optional the name of the user who last accessed the object file attributes integer optional the bitmask value that represents the file attributes file company name string optional the name of the company that published the file for example microsoft corporation file confidentiality string optional the file content confidentiality, as defined by the event source file created time dt string optional the time when the file was created file creator string optional the user that created the file file desc string optional the description of the file, as returned by file system for example the description as returned by the unix file command or the windows file type file fingerprints array optional an array of digital fingerprint objects file fingerprints algorithm string optional the hash algorithm, as reported by the event source, which was used to create the digital fingerprint file fingerprints value string required the digital fingerprint value file is system boolean optional the indication of whether the object is part of the operating system file mime type string optional the multipurpose internet mail extensions (mime) type of the file, if applicable file modified time dt string optional the time when the file was last modified file modifier string optional the user that last modified the file file name string required the name of the file for example svchost exe file owner string optional the user that owns the file/object file parent folder string optional the parent folder in which 
the file resides for example c \windows\system32 file path string optional the full path to the file for example c \windows\system32\svchost exe file product object optional the product that created or installed the file file product feature object optional the feature that reported the event file product feature name string optional the name of the product feature file product feature uid string optional the unique identifier of the product feature file product feature version string optional the version of the product feature input example {"file" {"accessed time dt" "string","accessor" "string","attributes" 123,"company name" "example name","confidentiality" "string","created time dt" "string","creator" "string","desc" "string","fingerprints" \[{"algorithm" "string","value" "string"}],"is system"\ true,"mime type" "string","modified time dt" "string","modifier" "string","name" "example name","owner" "string","parent folder" "string","path" "string","product" {"feature" {"name" "example name","uid" "string","version" "string"},"lang" "string","name" "example name","path" "string","uid" "string","vendor name" "example name","version" "string"},"security descriptor" "string","signature" {"company name" "example name","created time dt" "string","developer uid" "string","fingerprints" \[{"algorithm" "string","value" "string"}],"issuer name" "example name","serial number" "string"},"size" 123,"type" "string","uid" "string","version" "string","xattributes" {}}} output parameter type description accessed time dt string the time when the file was last accessed accessor string the name of the user who last accessed the object attributes integer the bitmask value that represents the file attributes company name string the name of the company that published the file for example microsoft corporation confidentiality string the file content confidentiality, as defined by the event source created time dt string the time when the file was created creator string the user that 
created the file desc string the description of the file, as returned by file system for example the description as returned by the unix file command or the windows file type fingerprints array an array of digital fingerprint objects fingerprints algorithm string the hash algorithm, as reported by the event source, which was used to create the digital fingerprint fingerprints value string the digital fingerprint value is system boolean the indication of whether the object is part of the operating system mime type string the multipurpose internet mail extensions (mime) type of the file, if applicable modified time dt string the time when the file was last modified modifier string the user that last modified the file name string the name of the file for example svchost exe owner string the user that owns the file/object parent folder string the parent folder in which the file resides for example c \windows\system32 path string the full path to the file for example c \windows\system32\svchost exe product object the product that created or installed the file product feature object the feature that reported the event product feature name string the name of the product feature product feature uid string the unique identifier of the product feature product feature version string the version of the product feature product lang string the two letter lower case language codes, as defined by https //en wikipedia org/wiki/iso 639 1 iso 639 1 for example en (english), de (german), or fr (french) output example {"accessed time dt" "string","accessor" "string","attributes" 123,"company name" "string","confidentiality" "string","created time dt" "string","creator" "string","desc" "string","fingerprints" \[],"is system"\ true,"mime type" "string","modified time dt" "string","modifier" "string","name" "string","owner" "string"} finding details retrieve detailed information for a specified 'finding' within the sos objects pt1 service endpoint method get input argument name type 
required description finding object required parameter for finding details finding created time dt string optional the time when the finding was created finding desc string optional the description of the reported finding finding first seen time dt string optional the time when the finding was first observed finding last seen time dt string optional the time when the finding was most recently observed finding log sources array optional the sources of the events generating the finding finding log sources name string optional the name of the entity see specific usage finding log sources type string optional the type of an object or value, as defined by the event source see specific usage finding modified time dt string optional the time when the finding was last modified finding product uid string optional the unique identifier of the product that reported the finding finding related events object optional describes events related to a finding or detection as identified by the security product finding remediation object optional the remediation recommendations on how to fix the identified issue(s) finding remediation desc string optional the description of the remediation strategy finding remediation kb articles array optional the kb article/s related to the entity finding rules array optional the rules that reported the events finding rules category string optional the rule category finding rules desc string optional the description of the rule that generated the event finding rules name string required the name of the rule that generated the event finding rules type string optional the rule type finding rules uid string optional the unique identifier of the rule that generated the event finding rules version string optional the rule version for example 1 1 finding src url string optional the url pointing to the source of the finding finding supporting data array optional additional data supporting a finding as provided by security tool finding title string required 
the title of the reported finding finding types array optional one or more types of the reported finding input example {"finding" {"created time dt" "string","desc" "string","first seen time dt" "string","last seen time dt" "string","log sources" \[{"name" "example name","type" "string"}],"modified time dt" "string","product uid" "string","related events" {},"remediation" {"desc" "string","kb articles" \["string"]},"rules" \[{"category" "string","desc" "string","name" "example name","type" "string","uid" "string","version" "string"}],"src url" "string","supporting data" \[],"title" "string","types" \["string"],"uid" "string"}} output parameter type description created time dt string the time when the finding was created desc string the description of the reported finding first seen time dt string the time when the finding was first observed last seen time dt string the time when the finding was most recently observed log sources array the sources of the events generating the finding log sources name string the name of the entity see specific usage log sources type string the type of an object or value, as defined by the event source see specific usage modified time dt string the time when the finding was last modified product uid string the unique identifier of the product that reported the finding related events object describes events related to a finding or detection as identified by the security product remediation object the remediation recommendations on how to fix the identified issue(s) remediation desc string the description of the remediation strategy remediation kb articles array the kb article/s related to the entity rules array the rules that reported the events rules category string the rule category rules desc string the description of the rule that generated the event rules name string the name of the rule that generated the event rules type string the rule type rules uid string the unique identifier of the rule that generated the event rules 
version string the rule version for example 1 1 src url string the url pointing to the source of the finding supporting data array additional data supporting a finding as provided by security tool title string the title of the reported finding types array one or more types of the reported finding uid string the unique identifier of the reported finding output example {"created time dt" "string","desc" "string","first seen time dt" "string","last seen time dt" "string","log sources" \[],"modified time dt" "string","product uid" "string","remediation" {"desc" "string","kb articles" \["string"]},"rules" \[],"src url" "string","supporting data" \[],"title" "string","types" \[],"uid" "string"} fingerprint generates a unique fingerprint for sos objects pt1 based on the provided input endpoint method get input argument name type required description fingerprint object required parameter for fingerprint fingerprint algorithm string optional the hash algorithm, as reported by the event source, which was used to create the digital fingerprint fingerprint value string required the digital fingerprint value input example {"fingerprint" {"algorithm" "string","value" "string"}} output parameter type description algorithm string the hash algorithm, as reported by the event source, which was used to create the digital fingerprint value string the digital fingerprint value output example {"algorithm" "string","value" "string"} group groups objects in sos objects pt1 based on specified criteria, requiring a 'group' parameter endpoint method get input argument name type required description group object required parameter for group group desc string optional the group description group name string required the group name group privileges array optional the group privileges group type string optional the type of the group or account group uid string optional the unique identifier of the group for example, for windows events this is the security identifier (sid) of the group input 
Example:

```json
{"group": {"desc": "string", "name": "example name", "privileges": ["string"], "type": "string", "uid": "string"}}
```

**Output**

| Parameter | Type | Description |
|---|---|---|
| desc | string | The group description. |
| name | string | The group name. |
| privileges | array | The group privileges. |
| type | string | The type of the group or account. |
| uid | string | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. |

**Output Example:**

```json
{"desc": "string", "name": "string", "privileges": [], "type": "string", "uid": "string"}
```

### Image

Retrieve an image from SOS Objects Pt1 using the specified image identifier.

**Endpoint Method:** GET

**Input**

| Argument Name | Type | Required | Description |
|---|---|---|---|
| image | object | Required | Parameter for Image |
| image.labels | array | Optional | The image labels. |
| image.name | string | Optional | The image name. For example: elixir |
| image.path | string | Optional | The full path to the image file. |
| image.tag | string | Optional | The image tag. For example: 1.11-alpine |
| image.uid | string | Required | The unique image ID. For example: 77af4d6b9913 |

**Input Example:**

```json
{"image": {"labels": ["string"], "name": "example name", "path": "string", "tag": "string", "uid": "string"}}
```

**Output**

| Parameter | Type | Description |
|---|---|---|
| labels | array | The image labels. |
| name | string | The image name. For example: elixir |
| path | string | The full path to the image file. |
| tag | string | The image tag. For example: 1.11-alpine |
| uid | string | The unique image ID. For example: 77af4d6b9913 |

**Output Example:**

```json
{"labels": [], "name": "string", "path": "string", "tag": "string", "uid": "string"}
```

### Keyboard Information

Retrieve detailed information about the keyboard setup from SOS Objects Pt1.

**Endpoint Method:** GET

**Input**

| Argument Name | Type | Required | Description |
|---|---|---|---|
| keyboard_info | object | Required | Parameter for Keyboard Information |
| keyboard_info.function_keys | integer | Optional | The number of function keys on the client keyboard. |
| keyboard_info.ime | string | Optional | The Input Method Editor (IME) file name. |
| keyboard_info.keyboard_layout | string | Optional | The keyboard locale identifier name (e.g., en-US). |
| keyboard_info.keyboard_subtype | integer | Optional | The keyboard numeric code. |
| keyboard_info.keyboard_type | string | Optional | The keyboard type (e.g., xt, ico). |

**Input Example:**

```json
{"keyboard_info": {"function_keys": 123, "ime": "string", "keyboard_layout": "string", "keyboard_subtype": 123, "keyboard_type": "string"}}
```

**Output**

| Parameter | Type | Description |
|---|---|---|
| function_keys | integer | The number of function keys on the client keyboard. |
| ime | string | The Input Method Editor (IME) file name. |
| keyboard_layout | string | The keyboard locale identifier name (e.g., en-US). |
| keyboard_subtype | integer | The keyboard numeric code. |
| keyboard_type | string | The keyboard type (e.g., xt, ico). |

**Output Example:**

```json
{"function_keys": 123, "ime": "string", "keyboard_layout": "string", "keyboard_subtype": 123, "keyboard_type": "string"}
```

### Geo Location

Retrieve the specified location details from SOS Objects Pt1 using the provided location identifier.

**Endpoint Method:** GET

**Input**

| Argument Name | Type | Required | Description |
|---|---|---|---|
| location | object | Required | Parameter for Geo Location |
| location.city | string | Optional | The name of the city. |
| location.continent | string | Optional | The name of the continent. |
| location.coordinates | array | Required | A two-element array containing a longitude/latitude pair. The format conforms with GeoJSON (https://geojson.org). For example: [-73.983, 40.719] |
| location.country | string | Optional | The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see https://www.iso.org/obp/ui/#iso:pub:PUB500001:en (ISO 3166-1 Alpha-2 codes). Note: the two-letter country code should be capitalized. For example: US or CA. |
| location.desc | string | Optional | The description of the geographical location. |
| location.is_on_premises | boolean | Optional | The indication of whether the location is on premises. |
| location.isp | string | Optional | The name of the Internet Service Provider (ISP). |
| location.postal_code | string | Optional | The postal code of the location. |
| location.provider | string | Optional | The provider of the geographical location data. |
| location.region | string | Optional | The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined by ISO 3166-2 (https://www.iso.org/iso-3166-country-codes.html) and have a limit of three characters. For example, see https://www.iso.org/obp/ui/#iso:code:3166:US for the region codes of the US. |

**Input Example:**

```json
{"location": {"city": "string", "continent": "string", "coordinates": [123], "country": "string", "desc": "string", "is_on_premises": true, "isp": "string", "postal_code": "string", "provider": "string", "region": "string"}}
```

**Output**

| Parameter | Type | Description |
|---|---|---|
| city | string | The name of the city. |
| continent | string | The name of the continent. |
| coordinates | array | A two-element array containing a longitude/latitude pair. The format conforms with GeoJSON (https://geojson.org). For example: [-73.983, 40.719] |
| country | string | The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see https://www.iso.org/obp/ui/#iso:pub:PUB500001:en (ISO 3166-1 Alpha-2 codes). Note: the two-letter country code should be capitalized. For example: US or CA. |
| desc | string | The description of the geographical location. |
| is_on_premises | boolean | The indication of whether the location is on premises. |
| isp | string | The name of the Internet Service Provider (ISP). |
| postal_code | string | The postal code of the location. |
| provider | string | The provider of the geographical location data. |
| region | string | The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined by ISO 3166-2 (https://www.iso.org/iso-3166-country-codes.html) and have a limit of three characters. For example, see https://www.iso.org/obp/ui/#iso:code:3166:US for the region codes of the US. |

**Output Example:**

```json
{"city": "string", "continent": "string", "coordinates": [], "country": "string", "desc": "string", "is_on_premises": true, "isp": "string", "postal_code": "string", "provider": "string", "region": "string"}
```

### Log Source

Retrieve and manage log source information from SOS Objects Pt1, requiring a specified log source identifier.

**Endpoint Method:** GET

**Input**

| Argument Name | Type | Required | Description |
|---|---|---|---|
| log_source | object | Required | Parameter for Log Source |
| log_source.name | string | Optional | The name of the entity. See specific usage. |
| log_source.type | string | Optional | The type of an object or value, as defined by the event source. See specific usage. |

**Input Example:**

```json
{"log_source": {"name": "example name", "type": "string"}}
```

**Output**

| Parameter | Type | Description |
|---|---|---|
| name | string | The name of the entity. See specific usage. |
| type | string | The type of an object or value, as defined by the event source. See specific usage. |

**Output Example:**

```json
{"name": "string", "type": "string"}
```

### Malware

Initiate a malware analysis using the provided malware object within SOS Objects Pt1.

**Endpoint Method:** GET

**Input**

| Argument Name | Type | Required | Description |
|---|---|---|---|
| malware | object | Required | Parameter for Malware |
| malware.classifications | array | Optional | The list of malware classifications, as defined by the event source. |
| malware.cves | array | Optional | List of Common Vulnerabilities and Exposures (CVE, https://cve.mitre.org/). |
| malware.cves.created_time_dt | string | Optional | The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. |
| malware.cves.cvss | object | Optional | The CVSS object details Common Vulnerability Scoring System (CVSS, https://www.first.org/cvss/) scores from the advisory that are related to the vulnerability. |
| malware.cves.cvss.base_score | number | Required | The CVSS base score. For example: 9.1 |
| malware.cves.cvss.depth | string | Optional | The CVSS depth represents the depth of the equation used to calculate the CVSS score. |
| malware.cves.cvss.metrics | array | Optional | The Common Vulnerability Scoring System metrics. This attribute contains information on the CVE's impact. If the CVE has been analyzed, this attribute will contain any CVSSv2 or CVSSv3 information associated with the vulnerability. For example: {{"Access Vector", "Network"}, {"Access Complexity", "Low"}, } |
| malware.cves.cvss.metrics.name | string | Required | The name of the metric. |
| malware.cves.cvss.metrics.value | object | Required | The value of the metric. |
| malware.cves.cvss.overall_score | number | Optional | The CVSS overall score, impacted by base, temporal, and environmental metrics. For example: 9.1 |
| malware.cves.cvss.severity | string | Optional | The Common Vulnerability Scoring System (CVSS) Qualitative Severity Rating, a textual representation of the numeric score. CVSS v2.0: Low (0.0 – 3.9), Medium (4.0 – 6.9), High (7.0 – 10.0). CVSS v3.0: None (0.0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), Critical (9.0-10.0). |
| malware.cves.cvss.vector_string | string | Optional | The CVSS vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise form. For example: 3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H |
| malware.cves.cvss.version | string | Required | The CVSS version. For example: 3.1 |
| malware.cves.cwe_uid | string | Optional | The Common Weakness Enumeration (CWE, https://cwe.mitre.org/) unique identifier. For example: CWE-787 |
| malware.cves.cwe_url | string | Optional | Common Weakness Enumeration (CWE) definition URL. For example: https://cwe.mitre.org/data/definitions/787.html |
| malware.cves.modified_time_dt | string | Optional | The Record Modified Date identifies when the CVE record was last updated. |
| malware.cves.product | object | Optional | The product where the vulnerability was discovered. |
| malware.cves.product.feature | object | Optional | The feature that reported the event. |
| malware.cves.product.feature.name | string | Optional | The name of the product feature. |
| malware.cves.product.feature.uid | string | Optional | The unique identifier of the product feature. |
| malware.cves.product.feature.version | string | Optional | The version of the product feature. |
| malware.cves.product.lang | string | Optional | The two-letter lower case language code, as defined by ISO 639-1 (https://en.wikipedia.org/wiki/ISO_639-1). For example: en (English), de (German), or fr (French). |
| malware.cves.product.name | string | Required | The name of the product. |
| malware.cves.product.path | string | Optional | The installation path of the product. |

**Input Example:**

```json
{"malware": {"classifications": ["string"], "cves": [{"created_time_dt": "string", "cvss": {"base_score": 123, "depth": "string", "metrics": [], "overall_score": 123, "severity": "string", "vector_string": "string", "version": "string"}, "cwe_uid": "string", "cwe_url": "string", "modified_time_dt": "string", "product": {"feature": {}, "lang": "string", "name": "example name", "path": "string", "uid": "string", "vendor_name": "example name", "version": "string"}, "type": "string", "uid": "string"}], "name": "example name", "path": "string", "provider": "string", "uid": "string"}}
```

**Output**

| Parameter | Type | Description |
|---|---|---|
| classifications | array | The list of malware classifications, as defined by the event source. |
| cves | array | List of Common Vulnerabilities and Exposures (CVE, https://cve.mitre.org/). |
| cves.created_time_dt | string | The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. |
| cves.cvss | object | The CVSS object details Common Vulnerability Scoring System (CVSS, https://www.first.org/cvss/) scores from the advisory that are related to the vulnerability. |
| cves.cvss.base_score | number | The CVSS base score. For example: 9.1 |
| cves.cvss.depth | string | The CVSS depth represents the depth of the equation used to calculate the CVSS score. |
| cves.cvss.metrics | array | The Common Vulnerability Scoring System metrics. This attribute contains information on the CVE's impact. If the CVE has been analyzed, this attribute will contain any CVSSv2 or CVSSv3 information associated with the vulnerability. For example: {{"Access Vector", "Network"}, {"Access Complexity", "Low"}, } |
| cves.cvss.metrics.name | string | The name of the metric. |
| cves.cvss.metrics.value | object | The value of the metric. |
| cves.cvss.overall_score | number | The CVSS overall score, impacted by base, temporal, and environmental metrics. For example: 9.1 |
| cves.cvss.severity | string | The Common Vulnerability Scoring System (CVSS) Qualitative Severity Rating, a textual representation of the numeric score. CVSS v2.0: Low (0.0 – 3.9), Medium (4.0 – 6.9), High (7.0 – 10.0). CVSS v3.0: None (0.0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), Critical (9.0-10.0). |
| cves.cvss.vector_string | string | The CVSS vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise form. For example: 3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H |
| cves.cvss.version | string | The CVSS version. For example: 3.1 |
| cves.cwe_uid | string | The Common Weakness Enumeration (CWE, https://cwe.mitre.org/) unique identifier. For example: CWE-787 |
| cves.cwe_url | string | Common Weakness Enumeration (CWE) definition URL. For example: https://cwe.mitre.org/data/definitions/787.html |
| cves.modified_time_dt | string | The Record Modified Date identifies when the CVE record was last updated. |
| cves.product | object | The product where the vulnerability was discovered. |
| cves.product.feature | object | The feature that reported the event. |
| cves.product.feature.name | string | The name of the product feature. |
| cves.product.feature.uid | string | The unique identifier of the product feature. |
| cves.product.feature.version | string | The version of the product feature. |
| cves.product.lang | string | The two-letter lower case language code, as defined by ISO 639-1 (https://en.wikipedia.org/wiki/ISO_639-1). For example: en (English), de (German), or fr (French). |
| cves.product.name | string | The name of the product. |
| cves.product.path | string | The installation path of the product. |
| cves.product.uid | string | The unique identifier of the product. |

**Output Example:**

```json
{"classifications": [], "cves": [], "name": "string", "path": "string", "provider": "string", "uid": "string"}
```

### Metadata

Obtain metadata details for a specific object within the SOS Objects Pt1 service.

**Endpoint Method:** GET

**Input**

| Argument Name | Type | Required | Description |
|---|---|---|---|
| metadata | object | Required | Response data |
| metadata.correlation_uid | string | Optional | The unique identifier used to correlate events. |
| metadata.labels | array | Optional | The list of category labels attached to the event or specific attributes. Labels are user-defined tags or aliases added at normalization time. For example: ["network", "connection.ip:destination", "device.ip:source"] |
| metadata.logged_time_dt | string | Optional | The time when the logging system collected and logged the event. This attribute is distinct from the event time in that the event time typically contains the time extracted from the original event. Most of the time, these two times will be different. |
| metadata.modified_time_dt | string | Optional | The time when the event was last modified or enriched. |
| metadata.original_time | string | Optional | The original event time as reported by the event source. |
| metadata.processed_time_dt | string | Optional | The event processed time, such as an ETL operation. |
| metadata.product | object | Required | The product that reported the event. |
| metadata.product.feature | object | Optional | The feature that reported the event. |
| metadata.product.feature.name | string | Optional | The name of the product feature. |
| metadata.product.feature.uid | string | Optional | The unique identifier of the product feature. |
| metadata.product.feature.version | string | Optional | The version of the product feature. |
| metadata.product.lang | string | Optional | The two-letter lower case language code, as defined by ISO 639-1 (https://en.wikipedia.org/wiki/ISO_639-1). For example: en (English), de (German), or fr (French). |
| metadata.product.name | string | Required | The name of the product. |
| metadata.product.path | string | Optional | The installation path of the product. |
| metadata.product.uid | string | Optional | The unique identifier of the product. |
| metadata.product.vendor_name | string | Required | The name of the vendor of the product. |
| metadata.product.version | string | Optional | The version of the product, as defined by the event source. For example: 2013.1.3-beta |
| metadata.profiles | array | Optional | The list of profiles used to create the event. |
| metadata.sequence | integer | Optional | Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision. |
| metadata.uid | string | Optional | The logging system-assigned unique identifier of an event instance. |
| metadata.version | string | Required | The version of the event class, using the Semantic Versioning Specification (SemVer, https://semver.org). For example: 1.0.0. Event consumers use the version to determine the available event attributes. |

**Input Example:**

```json
{"metadata": {"correlation_uid": "string", "labels": ["string"], "logged_time_dt": "string", "modified_time_dt": "string", "original_time": "string", "processed_time_dt": "string", "product": {"feature": {"name": "example name", "uid": "string", "version": "string"}, "lang": "string", "name": "example name", "path": "string", "uid": "string", "vendor_name": "example name", "version": "string"}, "profiles": ["string"], "sequence": 123, "uid": "string", "version": "string"}}
```

**Output**

| Parameter | Type | Description |
|---|---|---|
| correlation_uid | string | The unique identifier used to correlate events. |
| labels | array | The list of category labels attached to the event or specific attributes. Labels are user-defined tags or aliases added at normalization time. For example: ["network", "connection.ip:destination", "device.ip:source"] |
| logged_time_dt | string | The time when the logging system collected and logged the event. This attribute is distinct from the event time in that the event time typically contains the time extracted from the original event. Most of the time, these two times will be different. |
| modified_time_dt | string | The time when the event was last modified or enriched. |
| original_time | string | The original event time as reported by the event source. |
| processed_time_dt | string | The event processed time, such as an ETL operation. |
| product | object | The product that reported the event. |
| product.feature | object | The feature that reported the event. |
| product.feature.name | string | The name of the product feature. |
| product.feature.uid | string | The unique identifier of the product feature. |
| product.feature.version | string | The version of the product feature. |
| product.lang | string | The two-letter lower case language code, as defined by ISO 639-1 (https://en.wikipedia.org/wiki/ISO_639-1). For example: en (English), de (German), or fr (French). |
| product.name | string | The name of the product. |
| product.path | string | The installation path of the product. |
| product.uid | string | The unique identifier of the product. |
| product.vendor_name | string | The name of the vendor of the product. |
| product.version | string | The version of the product, as defined by the event source. For example: 2013.1.3-beta |
| profiles | array | The list of profiles used to create the event. |
| sequence | integer | Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision. |
| uid | string | The logging system-assigned unique identifier of an event instance. |
| version | string | The version of the event class, using the Semantic Versioning Specification (SemVer, https://semver.org). For example: 1.0.0. Event consumers use the version to determine the available event attributes. |

**Output Example:**

```json
{"correlation_uid": "string", "labels": [], "logged_time_dt": "string", "modified_time_dt": "string", "original_time": "string", "processed_time_dt": "string", "product": {"feature": {"name": "example name", "uid": "string", "version": "string"}, "lang": "string", "name": "example name", "path": "string", "uid": "string", "vendor_name": "example name", "version": "string"}, "profiles": [], "sequence": 123, "uid": "string", "version": "string"}
```

### Metric

Retrieve a specific metric from SOS Objects Pt1 by providing the required metric input.

**Endpoint Method:** GET

**Input**

| Argument Name | Type | Required | Description |
|---|---|---|---|
| metric | object | Required | Parameter for Metric |
| metric.name | string | Required | The name of the metric. |
| metric.value | object | Required | The value of the metric. |

**Input Example:**

```json
{"metric": {"name": "example name", "value": {}}}
```

**Output**

| Parameter | Type | Description |
|---|---|---|
| name | string | The name of the metric. |
| value | object | The value of the metric. |

**Output Example:**

```json
{"name": "string", "value": {}}
```

### MIME Part

Extracts the specified MIME part from an email object within SOS Objects Pt1, requiring the 'mime_part' input.

**Endpoint Method:** GET

**Input**

| Argument Name | Type | Required | Description |
|---|---|---|---|
| mime_part | object | Required | Parameter for MIME Part |
| mime_part.content | object | Optional | Contents of the MIME part. |
| mime_part.content.description | string | Optional | Response content |
| mime_part.content.file | string | Optional | Response content |
| mime_part.content.file_name | string | Optional | Name of the resource |
| mime_part.content_disposition | string | Optional | Value of the Content-Disposition header field of the MIME part. |
| mime_part.content_text | string | Optional | Text contents of the MIME part. |
| mime_part.content_type | string | Optional | Value of the Content-Type header field of the MIME part. |

**Input Example:**

```json
{"mime_part": {"content": {"description": "string", "file": "string", "file_name": "example name"}, "content_disposition": "string", "content_text": "string", "content_type": "string"}}
```

**Output**

| Parameter | Type | Description |
|---|---|---|
| content | object | Contents of the MIME part. |
| content.description | string | Response content |
| content.file | string | Response content |
| content.file_name | string | Name of the resource |
| content_disposition | string | Value of the Content-Disposition header field of the MIME part. |
| content_text | string | Text contents of the MIME part. |
| content_type | string | Value of the Content-Type header field of the MIME part. |

**Output Example:**

```json
{"content": {"description": "string", "file": "string", "file_name": "example name"}, "content_disposition": "string", "content_text": "string", "content_type": "string"}
```

### Network Interface

Retrieve details for a specified network interface from SOS Objects Pt1, requiring the network interface identifier.

**Endpoint Method:** GET

**Input**

| Argument Name | Type | Required | Description |
|---|---|---|---|
| network_interface | object | Required | Parameter for Network Interface |
| network_interface.hostname | string | Optional | The hostname associated with the network interface. |
| network_interface.ip | string | Optional | The IP address associated with the network interface. |
| network_interface.mac | string | Optional | The MAC address of the network interface. |
| network_interface.name | string | Optional | The name of the network interface. |
| network_interface.namespace | string | Optional | The namespace is useful in merger or acquisition situations. For example, when similar entities exist that you need to keep separate. |
| network_interface.reputation | object | Optional | Contains the original and normalized reputation scores. |
| network_interface.reputation.base_score | number | Required | The reputation score as reported by the event source. |
| network_interface.reputation.provider | string | Optional | The provider of the reputation information. |
| network_interface.reputation.score | string | Optional | The reputation score, as defined by the event source. |
| network_interface.type | string | Optional | The type of network interface. |
| network_interface.uid | string | Optional | The unique identifier for the network interface. |

**Input Example:**

```json
{"network_interface": {"hostname": "example name", "ip": "string", "mac": "string", "name": "example name", "namespace": "example name", "reputation": {"base_score": 123, "provider": "string", "score": "string"}, "type": "string", "uid": "string"}}
```

**Output**

| Parameter | Type | Description |
|---|---|---|
| hostname | string | The hostname associated with the network interface. |
| ip | string | The IP address associated with the network interface. |
| mac | string | The MAC address of the network interface. |
| name | string | The name of the network interface. |
| namespace | string | The namespace is useful in merger or acquisition situations. For example, when similar entities exist that you need to keep separate. |
| reputation | object | Contains the original and normalized reputation scores. |
| reputation.base_score | number | The reputation score as reported by the event source. |
| reputation.provider | string | The provider of the reputation information. |
| reputation.score | string | The reputation score, as defined by the event source. |
| type | string | The type of network interface. |
| uid | string | The unique identifier for the network interface. |

**Output Example:**

```json
{"hostname": "string", "ip": "string", "mac": "string", "name": "string", "namespace": "string", "reputation": {"base_score": 123, "provider": "string", "score": "string"}, "type": "string", "uid": "string"}
```

### Object

Retrieve details for a specified object within the SOS Objects Pt1 service using the provided object identifier.

**Endpoint Method:** GET

**Input**

| Argument Name | Type | Required | Description |
|---|---|---|---|
| object | object | Required | Parameter for Object |

**Input Example:**

```json
{"object": {}}
```

### Observable

Retrieve details for a specified observable in SOS Objects Pt1 using the required 'observable' input.

**Endpoint Method:** GET

**Input**

| Argument Name | Type | Required | Description |
|---|---|---|---|
| observable | object | Required | Parameter for Observable |
| observable.enrichments | array | Optional | A list of enrichments. |
| observable.enrichments.data | object | Required | The enrichment data associated with the attribute and value. The meaning of this data depends on the type of the enrichment record. |
| observable.enrichments.name | string | Optional | The name of the attribute to which the enriched data pertains. |
| observable.enrichments.provider | string | Optional | The enrichment data provider name. |
| observable.enrichments.type | string | Optional | The enrichment type. For example: location |
| observable.enrichments.value | object | Optional | The value of the attribute to which the enriched data pertains. |
| observable.name | string | Optional | The name of the observable attribute. For example: file.name |
| observable.type | string | Required | The observable value type name. |
| observable.value | object | Optional | The value associated with the observable attribute. The meaning of the data depends on the observable type. |

**Input Example:**

```json
{"observable": {"enrichments": [{"data": {}, "name": "example name", "provider": "string", "type": "string", "value": {}}], "name": "example name", "type": "string", "value": {}}}
```

**Output**

| Parameter | Type | Description |
|---|---|---|
| enrichments | array | A list of enrichments. |
| enrichments.data | object | The enrichment data associated with the attribute and value. The meaning of this data depends on the type of the enrichment record. |
| enrichments.name | string | The name of the attribute to which the enriched data pertains. |
| enrichments.provider | string | The enrichment data provider name. |
| enrichments.type | string | The enrichment type. For example: location |
| enrichments.value | object | The value of the attribute to which the enriched data pertains. |
| name | string | The name of the observable attribute. For example: file.name |
| type | string | The observable value type name. |
| value | object | The value associated with the observable attribute. The meaning of the data depends on the observable type. |

**Output Example:**

```json
{"enrichments": [], "name": "string", "type": "string", "value": {}}
```

### Organization

Retrieve details for a specified organization within the SOS Objects Pt1 service using the required 'organization' input.

**Endpoint Method:** GET

**Input**

| Argument Name | Type | Required | Description |
|---|---|---|---|
| organization | object | Required | Parameter for Organization |
| organization.data | object | Optional | The additional data that is associated with the event or object. See specific usage. |
| organization.name | string | Optional | Organization name. |
| organization.sectors | array | Optional | The list of industry sectors this organization belongs to. |
| organization.uid | string | Required | The unique identifier. See specific usage. |

**Input Example:**

```json
{"organization": {"data": {}, "name": "example name", "sectors": ["string"], "uid": "string"}}
```

**Output**

| Parameter | Type | Description |
|---|---|---|
| data | object | The additional data that is associated with the event or object. See specific usage. |
| name | string | Organization name. |
| sectors | array | The list of industry sectors this organization belongs to. |
| uid | string | The unique identifier. See specific usage. |

**Output Example:**

```json
{"data": {}, "name": "string", "sectors": [], "uid": "string"}
```

### OS

Retrieve operating system details from SOS Objects Pt1 using the specified 'os' parameter.

**Endpoint Method:** GET

**Input**

| Argument Name | Type | Required | Description |
|---|---|---|---|
| os | object | Required | Parameter for OS |
| os.build | string | Optional | The operating system build number. |
| os.country | string | Optional | The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code). For the complete list of country codes, see https://www.iso.org/obp/ui/#iso:pub:PUB500001:en (ISO 3166-1 Alpha-2 codes). |
| os.cpu_bits | integer | Optional | The CPU architecture, the number of bits used for addressing in memory. For example: 32 or 64 |
| os.edition | string | Optional | The operating system edition. For example: Professional |
| os.lang | string | Optional | The two-letter lower case language code, as defined by ISO 639-1 (https://en.wikipedia.org/wiki/ISO_639-1). For example: en (English), de (German), or fr (French). |
| os.name | string | Required | The operating system name. |
| os.sp_name | string | Optional | The name of the latest Service Pack. |
| os.sp_ver | integer | Optional | The version number of the latest Service Pack. |
| os.type | string | Optional | The type of the operating system. |
| os.version | string | Optional | The version of the OS running on the device that originated the event. For example: "Windows 10", "OS X 10.7", or "iOS 9" |

**Input Example:**

```json
{"os": {"build": "string", "country": "string", "cpu_bits": 123, "edition": "string", "lang": "string", "name": "example name", "sp_name": "example name", "sp_ver": 123, "type": "string", "version": "string"}}
```

**Output**

| Parameter | Type | Description |
|---|---|---|
| build | string | The operating system build number. |
| country | string | The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code). For the complete list of country codes, see https://www.iso.org/obp/ui/#iso:pub:PUB500001:en (ISO 3166-1 Alpha-2 codes). |
| cpu_bits | integer | The CPU architecture, the number of bits used for addressing in memory. For example: 32 or 64 |
| edition | string | The operating system edition. For example: Professional |
| lang | string | The two-letter lower case language code, as defined by ISO 639-1 (https://en.wikipedia.org/wiki/ISO_639-1). For example: en (English), de (German), or fr (French). |
| name | string | The operating system name. |
| sp_name | string | The name of the latest Service Pack. |
| sp_ver | integer | The version number of the latest Service Pack. |
| type | string | The type of the operating system. |
| version | string | The version of the OS running on the device that originated the event. For example: "Windows 10", "OS X 10.7", or "iOS 9" |

**Output Example:**

```json
{"build": "string", "country": "string", "cpu_bits": 123, "edition": "string", "lang": "string", "name": "string", "sp_name": "string", "sp_ver": 123, "type": "string", "version": "string"}
```

### Software Package

Create a new package in SOS Objects Pt1 using the specified package details provided by the user.

**Endpoint Method:** GET

**Input**

| Argument Name | Type | Required | Description |
|---|---|---|---|
| package | object | Required | Parameter for Software Package |
| package.architecture | string | Optional | Architecture is a shorthand name describing the type of computer hardware the packaged software is meant to run on. |
| package.epoch | integer | Optional | The software package epoch. Epoch is a way to define weighted dependencies based on version numbers. |
| package.name | string | Required | The software package name. |
| package.release | string | Optional | Release is the number of times a version of the software has been packaged. |
| package.version | string | Required | The software package version. |

**Input Example:**

```json
{"package": {"architecture": "string", "epoch": 123, "name": "example name", "release": "string", "version": "string"}}
```

**Output**

| Parameter | Type | Description |
|---|---|---|
| architecture | string | Architecture is a shorthand name describing the type of computer hardware the packaged software is meant to run on. |
| epoch | integer | The software package epoch. Epoch is a way to define weighted dependencies based on version numbers. |
| name | string | The software package name. |
| release | string | Release is the number of times a version of the software has been packaged. |
| version | string | The software package version. |

**Output Example:**

```json
{"architecture": "string", "epoch": 123, "name": "string", "release": "string", "version": "string"}
```

### Process

Initiates the processing of data for SOS Objects Pt1, requiring a 'process' input to define the operation.

**Endpoint Method:** GET

**Input**

| Argument Name | Type | Required | Description |
|---|---|---|---|
| process | object | Required | Parameter for Process |
| process.cmd_line | string | Optional | The full command line used to launch an application, service, process, or job. For example: ssh user@10.0.0.10. If the command line is unavailable or missing, the empty string '' is to be used. |
| process.created_time_dt | string | Optional | The time when the process was created/started. |
| process.file_object | object | Optional | The process file object. |
| process.file_object.accessed_time_dt | string | Optional | The time when the file was last accessed. |
| process.file_object.accessor | string | Optional | The name of the user who last accessed the object. |
| process.file_object.attributes | integer | Optional | The bitmask value that represents the file attributes. |
| process.file_object.company_name | string | Optional | The name of the company that published the file. For example: Microsoft Corporation. |
| process.file_object.confidentiality | string | Optional | The file content confidentiality, as defined by the event source. |
| process.file_object.created_time_dt | string | Optional | The time when the file was created. |
| process.file_object.creator | string | Optional | The user that created the file. |
| process.file_object.desc | string | Optional | The description of the file, as returned by the file system. For example: the description as returned by the Unix file command or the Windows file type. |
| process.file_object.fingerprints | array | Optional | An array of digital fingerprint objects. |
| process.file_object.fingerprints.algorithm | string | Optional | The hash algorithm, as reported by the event source, which was used to create the digital fingerprint. |
| process.file_object.fingerprints.value | string | Required | The digital fingerprint value. |
| process.file_object.is_system | boolean | Optional | The indication of whether the object is part of the operating system. |
| process.file_object.mime_type | string | Optional | The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. |
| process.file_object.modified_time_dt | string | Optional | The time when the file was last modified. |
| process.file_object.modifier | string | Optional | The user that last modified the file. |
| process.file_object.name | string | Required | The name of the file. For example: svchost.exe |
| process.file_object.owner | string | Optional | The user that owns the file/object. |
| process.file_object.parent_folder | string | Optional | The parent folder in which the file resides. For example: c:\windows\system32 |
| process.file_object.path | string | Optional | The full path to the file. For example: c:\windows\system32\svchost.exe |
| process.file_object.product | object | Optional | The product that created or installed the file. |
| process.file_object.product.feature | object | Optional | The feature that reported the event. |

**Input Example:**

```json
{"process": {"cmd_line": "string", "created_time_dt": "string", "file_object": {"accessed_time_dt": "string", "accessor": "string", "attributes": 123, "company_name": "example name", "confidentiality": "string", "created_time_dt": "string", "creator": "string", "desc": "string", "fingerprints": [{"algorithm": "string", "value": "string"}], "is_system": true, "mime_type": "string", "modified_time_dt": "string", "modifier": "string", "name": "example name", "owner": "string", "parent_folder": "string", "path": "string", "product": {"feature": {}, "lang": "string", "name": "example name", "path": "string", "uid": "string", "vendor_name": "example name", "version": "string"}, "security_descriptor": "string", "signature": {"company_name": "example name", "created_time_dt": "string", "developer_uid": "string", "fingerprints": [], "issuer_name": "example name", "serial_number": "string"}, "size": 123, "type": "string", "uid": "string", "version": "string", "xattributes": {}}, "integrity": "string", "integrity_id": 123, "lineage": ["string"], "loaded_modules": ["string"], "name": "example name", "parent_process": {"cmd_line": "string", "created_time_dt": "string", "file_object": {"accessed_time_dt": "string", "accessor": "string", "attributes": 123, "company_name": "example name", "confidentiality": "string", "created_time_dt": "string", "creator": "string", "desc": "string", "fingerprints": [], "is_system": true, "mime_type": "string", "modified_time_dt": "string", "modifier": "string", "name": "example name", "owner": "string", "parent_folder": "string", "path": "string", "product": {}, "security_descriptor": "string", "signature": {}, "size": 123, "type": "string", "uid": "string", "version": "string", "xattributes": {}}, "integrity": "string", "integrity_id": 123, "lineage": ["string"], "loaded_modules": ["string"], "name": "example name", "parent_process": {}, "pid": 123, "sandbox": "string", "terminated_time_dt": "string", "tid": 123, "uid": "string", "user": {"account_type": "string", "account_uid": "string", "credential_uid": "string", "domain": "string", "email_addr": "string", "groups": [], "name": "example name", "org_uid": "string", "session_uid": "string", "session_uuid": "string", "type": "string", "uid": "string", "uuid": "12345678-1234-1234-1234-123456789abc"}, "xattributes": {}}, "pid": 123, "sandbox": "string", "terminated_time_dt": "string", "tid": 123, "uid": "string", "user": {"account_type": "string", "account_uid": "string", "credential_uid": "string", "domain": "string", "email_addr": "string", "groups": [{"desc": "string", "name": "example name", "privileges": ["string"], "type": "string", "uid": "string"}], "name": "example name", "org_uid": "string", "session_uid": "string", "session_uuid": "string", "type": "string", "uid": "string", "uuid": "12345678-1234-1234-1234-123456789abc"}, "xattributes": {}}}
```

**Output**

| Parameter | Type | Description |
|---|---|---|
| cmd_line | string | The full command line used to launch an application, service, process, or job. For example: ssh user@10.0.0.10. If the command line is unavailable or missing, the empty string '' is to be used. |
| created_time_dt | string | The time when the process was created/started. |
| file_object | object | The process file object. |
| file_object.accessed_time_dt | string | The time when the file was last accessed. |
| file_object.accessor | string | The name of the user who last accessed the object. |
| file_object.attributes | integer | The bitmask value that represents the file attributes. |
| file_object.company_name | string | The name of the company that published the file. For example: Microsoft Corporation. |
| file_object.confidentiality | string | The file content confidentiality, as defined by the event source. |
| file_object.created_time_dt | string | The time when the file was created. |
| file_object.creator | string | The user that created the file. |
| file_object.desc | string | The description of the file, as returned by the file system. For example: the description as returned by the Unix file command or the Windows file type. |
| file_object.fingerprints | array | An array of digital fingerprint objects. |
| file_object.fingerprints.algorithm | string | The hash algorithm, as reported by the event source, which was used to create the digital fingerprint. |
| file_object.fingerprints.value | string | The digital fingerprint value. |
| file_object.is_system | boolean | The indication of whether the object is part of the operating system. |
| file_object.mime_type | string | The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. |
| file_object.modified_time_dt | string | The time when the file was last modified. |
| file_object.modifier | string | The user that last modified the file. |
| file_object.name | string | The name of the file. For example: svchost.exe |
| file_object.owner | string | The user that owns the file/object. |
| file_object.parent_folder | string | The parent folder in which the file resides. For example: c:\windows\system32 |
| file_object.path | string | The full path to the file. For example: c:\windows\system32\svchost.exe |
| file_object.product | object | The product that created or installed the file. |
| file_object.product.feature | object | The feature that reported the event. |
| file_object.product.feature.name | string | The name of the product feature. |

**Output Example:**

```json
{"cmd_line": "string", "created_time_dt": "string", "file_object": {"accessed_time_dt": "string", "accessor": "string", "attributes": 123, "company_name": "example name", "confidentiality": "string", "created_time_dt": "string", "creator": "string", "desc": "string", "fingerprints": [{}], "is_system": true, "mime_type": "string", "modified_time_dt": "string", "modifier": "string", "name": "example name", "owner": "string"}, "integrity": "string", "integrity_id": 123, "lineage": [], "loaded_modules": [], "name": "string", "parent_process": {
```

### Product

Retrieve detailed information about a specific product using its unique identifier.

**Endpoint Method:** GET

**Input**

| Argument Name | Type | Required | Description |
|---|---|---|---|
| product | object | Required | Parameter for Product |
| product.feature | object | Optional | The feature that reported the event. |
| product.feature.name | string | Optional | The name of the product feature. |
| product.feature.uid | string | Optional | The unique identifier of the product feature. |
| product.feature.version | string | Optional | The version of the product feature. |
| product.lang | string | Optional | The two-letter lower case language code, as defined by ISO 639-1 (https://en.wikipedia.org/wiki/ISO_639-1). For example: en (English), de (German), or fr (French). |
| product.name | string | Required | The name of the product. |
| product.path | string | Optional | The installation path of the product. |
| product.uid | string | Optional | The unique identifier of the product. |
| product.vendor_name | string | Required | The name of the vendor of the product. |
| product.version | string | Optional | The version of the product, as defined by the event source. For example: 2013.1.3-beta |

**Input Example:**

```json
{"product": {"feature": {"name": "example name", "uid": "string", "version": "string"}, "lang": "string", "name": "example name", "path": "string", "uid": "string", "vendor_name": "example name", "version": "string"}}
```

**Output**

| Parameter | Type | Description |
|---|---|---|
| feature | object | The feature that reported the event. |
| feature.name | string | The name of the product feature. |
| feature.uid | string | The unique identifier of the product feature. |
| feature.version | string | The version of the product feature. |
| lang | string | The two-letter lower case language code, as defined by https://en
wikipedia org/wiki/iso 639 1 iso 639 1 for example en (english), de (german), or fr (french) name string the name of the product path string the installation path of the product uid string the unique identifier of the product vendor name string the name of the vendor of the product version string the version of the product, as defined by the event source for example 2013 1 3 beta output example {"feature" {"name" "example name","uid" "string","version" "string"},"lang" "string","name" "string","path" "string","uid" "string","vendor name" "string","version" "string"} remediation initiate a remediation action within sos objects pt1 using the specified parameters endpoint method get input argument name type required description remediation object required parameter for remediation remediation desc string optional the description of the remediation strategy remediation kb articles array optional the kb article/s related to the entity input example {"remediation" {"desc" "string","kb articles" \["string"]}} output parameter type description desc string the description of the remediation strategy kb articles array the kb article/s related to the entity output example {"desc" "string","kb articles" \[]} reputation retrieve the reputation score for a specified entity from sos objects pt1, requiring an input for 'reputation' endpoint method get input argument name type required description reputation object required parameter for reputation reputation base score number required the reputation score as reported by the event source reputation provider string optional the provider of the reputation information reputation score string optional the reputation score, as defined by the event source input example {"reputation" {"base score" 123,"provider" "string","score" "string"}} output parameter type description base score number the reputation score as reported by the event source provider string the provider of the reputation information score string the reputation score, as 
defined by the event source output example {"base score" 123,"provider" "string","score" "string"} resource retrieve details for a specified resource in sos objects pt1 using the provided resource identifier endpoint method get input argument name type required description resource object required parameter for resource resource account uid string optional the unique identifier of the account that owns the resource (e g aws account id) resource cloud partition string optional the canonical cloud partition name to which the region is assigned (e g aws partitions aws, aws cn, aws us gov) resource criticality string optional the criticality of the resource resource details string optional the details pertaining to the resource resource group name string optional the name of the group that the resource belongs to resource labels array optional the list of labels attached to an event, object, or attribute resource name string optional the name of the resource resource owner string optional the identity of the service or user account that owns the resource resource region string optional the region of the resource resource type string optional the type of the resource resource uid string optional the unique identifier of the resource input example {"resource" {"account uid" "string","cloud partition" "string","criticality" "string","details" "string","group name" "example name","labels" \["string"],"name" "example name","owner" "string","region" "string","type" "string","uid" "string"}} output parameter type description account uid string the unique identifier of the account that owns the resource (e g aws account id) cloud partition string the canonical cloud partition name to which the region is assigned (e g aws partitions aws, aws cn, aws us gov) criticality string the criticality of the resource details string the details pertaining to the resource group name string the name of the group that the resource belongs to labels array the list of labels attached to an 
event, object, or attribute name string the name of the resource owner string the identity of the service or user account that owns the resource region string the region of the resource type string the type of the resource uid string the unique identifier of the resource output example {"account uid" "string","cloud partition" "string","criticality" "string","details" "string","group name" "string","labels" \[],"name" "string","owner" "string","region" "string","type" "string","uid" "string"} rule create, update, or delete a rule in sos objects pt1 using the specified input parameters endpoint method get input argument name type required description rule object required parameter for rule rule category string optional the rule category rule desc string optional the description of the rule that generated the event rule name string required the name of the rule that generated the event rule type string optional the rule type rule uid string optional the unique identifier of the rule that generated the event rule version string optional the rule version for example 1 1 input example {"rule" {"category" "string","desc" "string","name" "example name","type" "string","uid" "string","version" "string"}} output parameter type description category string the rule category desc string the description of the rule that generated the event name string the name of the rule that generated the event type string the rule type uid string the unique identifier of the rule that generated the event version string the rule version for example 1 1 output example {"category" "string","desc" "string","name" "string","type" "string","uid" "string","version" "string"} smtp header analyzes smtp header data provided as input to extract and return relevant email information endpoint method get input argument name type required description smtp header object required parameter for smtp header smtp header name string required the name of the header smtp header value object required the value of 
the header input example {"smtp header" {"name" "example name","value" {}}} output parameter type description name string the name of the header value object the value of the header output example {"name" "string","value" {}} tactic retrieve detailed information for a specified tactic from sos objects pt1 using the 'tactic' identifier endpoint method get input argument name type required description tactic object required parameter for tactic tactic name string optional the tactic name that is associated with the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm tactic uid string required the tactic id that is associated with the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm input example {"tactic" {"name" "example name","uid" "string"}} output parameter type description name string the tactic name that is associated with the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm uid string the tactic id that is associated with the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm output example {"name" "string","uid" "string"} technique retrieve details for a specified technique from sos objects pt1 using the required 'technique' input endpoint method get input argument name type required description technique object required parameter for technique technique name string optional the name of the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm for example drive by compromise technique uid string required the unique identifier of the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm for example t1189 input example {"technique" {"name" "example name","uid" "string"}} output parameter type description name string the name of the attack technique, as defined by https //attack mitre org/wiki/att\&ck 
matrix att\&ck matrix tm for example drive by compromise uid string the unique identifier of the attack technique, as defined by https //attack mitre org/wiki/att\&ck matrix att\&ck matrix tm for example t1189 output example {"name" "string","uid" "string"} user retrieve detailed information for a specified user within the sos objects pt1 service endpoint method get input argument name type required description user object required parameter for user user account type string optional the user account type, as defined by the event source user account uid string optional the unique identifier of the account (e g aws account id) user credential uid string optional the unique identifier of the user's credential for example, aws access key id user domain string optional the domain where the user is defined for example the ldap or active directory domain user email addr string optional the user's email address user groups array optional the administrative groups to which the user belongs user groups desc string optional the group description user groups name string required the group name user groups privileges array optional the group privileges user groups type string optional the type of the group or account user groups uid string optional the unique identifier of the group for example, for windows events this is the security identifier (sid) of the group user name string optional the username for example, janedoe1 user org uid string optional the unique identifier of the organization to which the user belongs for example, active directory or aws org id user session uid string optional the unique id of the user session, as reported by the os examples nix aug 10 17 31 16 ip 192 168 1 1 systemd\[1] started session 222 of user ubuntu session uid == 222 windows logon id 0xd22e9734 session uid == 0xd22e9734 user session uuid string optional the universally unique id of the user session, as reported by the os for example, in windows this is the login guid user type string 
optional the type of the user for example, system, aws iam user, etc user uid string optional the unique user identifier for example, aws principalid or windows user sid user uuid string optional the universally unique identifier of the user for example, aws arn or windows user guid input example {"user" {"account type" "string","account uid" "string","credential uid" "string","domain" "string","email addr" "string","groups" \[{"desc" "string","name" "example name","privileges" \["string"],"type" "string","uid" "string"}],"name" "example name","org uid" "string","session uid" "string","session uuid" "string","type" "string","uid" "string","uuid" "12345678 1234 1234 1234 123456789abc"}} output parameter type description account type string the user account type, as defined by the event source account uid string the unique identifier of the account (e g aws account id) credential uid string the unique identifier of the user's credential for example, aws access key id domain string the domain where the user is defined for example the ldap or active directory domain email addr string the user's email address groups array the administrative groups to which the user belongs groups desc string the group description groups name string the group name groups privileges array the group privileges groups type string the type of the group or account groups uid string the unique identifier of the group for example, for windows events this is the security identifier (sid) of the group name string the username for example, janedoe1 org uid string the unique identifier of the organization to which the user belongs for example, active directory or aws org id session uid string the unique id of the user session, as reported by the os examples nix aug 10 17 31 16 ip 192 168 1 1 systemd\[1] started session 222 of user ubuntu session uid == 222 windows logon id 0xd22e9734 session uid == 0xd22e9734 session uuid string the universally unique id of the user session, as reported by the os 
for example, in windows this is the login guid type string the type of the user for example, system, aws iam user, etc uid string the unique user identifier for example, aws principalid or windows user sid uuid string the universally unique identifier of the user for example, aws arn or windows user guid output example {"account type" "string","account uid" "string","credential uid" "string","domain" "string","email addr" "string","groups" \[],"name" "string","org uid" "string","session uid" "string","session uuid" "string","type" "string","uid" "string","uuid" "string"} vulnerability details retrieve detailed information for a specified vulnerability from sos objects pt1, requiring the 'vulnerability' input endpoint method get input argument name type required description vulnerability object required parameter for vulnerability details vulnerability cve object required the common vulnerabilities and exposures ( https //cve mitre org/ cve ) vulnerability cve created time dt string optional the record creation date identifies when the cve id was issued to a cve numbering authority (cna) or the cve record was published on the cve list note that the record creation date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in cve vulnerability cve cvss object optional the cvss object details common vulnerability scoring system ( https //www first org/cvss/ cvss ) scores from the advisory that are related to the vulnerability vulnerability cve cvss base score number required the cvss base score for example 9 1 vulnerability cve cvss depth string optional the cvss depth represents a depth of the equation used to calculate cvss score vulnerability cve cvss metrics array optional the common vulnerability scoring system metrics this attribute contains information on the cve's impact if the cve has been analyzed, this attribute will contain any cvssv2 or cvssv3 information associated with the 
vulnerability for example {{"access vector", "network"}, {"access complexity", "low"}, } vulnerability cve cvss metrics name string required the name of the metric vulnerability cve cvss metrics value object required the value of the metric vulnerability cve cvss overall score number optional the cvss overall score, impacted by base, temporal, and environmental metrics for example 9 1 vulnerability cve cvss severity string optional the common vulnerability scoring system (cvss) qualitative severity rating a textual representation of the numeric score cvss v2 0 low (0 0 – 3 9) medium (4 0 – 6 9) high (7 0 – 10 0) cvss v3 0 none (0 0) low (0 1 3 9) medium (4 0 6 9) high (7 0 8 9) critical (9 0 10 0) vulnerability cve cvss vector string string optional the cvss vector string is a text representation of a set of cvss metrics it is commonly used to record or transfer cvss metric information in a concise form for example 3 1/av \ l /ac \ l /pr \ l /ui \ n /s \ u /c \ h /i \ n /a \ h vulnerability cve cvss version string required the cvss version for example 3 1 vulnerability cve cwe uid string optional the https //cwe mitre org/ common weakness enumeration (cwe) unique identifier for example cwe 787 vulnerability cve cwe url string optional common weakness enumiration (cwe) definition url for example https //cwe mitre org/data/definitions/787 html vulnerability cve modified time dt string optional the record modified date identifies when the cve record was last updated vulnerability cve product object optional the product where the vulnerability was discovered vulnerability cve product feature object optional the feature that reported the event vulnerability cve product feature name string optional the name of the product feature vulnerability cve product feature uid string optional the unique identifier of the product feature vulnerability cve product feature version string optional the version of the product feature vulnerability cve product lang string optional the 
two letter lower case language codes, as defined by https //en wikipedia org/wiki/iso 639 1 iso 639 1 for example en (english), de (german), or fr (french) vulnerability cve product name string required the name of the product vulnerability cve product path string optional the installation path of the product vulnerability cve product uid string optional the unique identifier of the product input example {"vulnerability" {"cve" {"created time dt" "string","cvss" {"base score" 123,"depth" "string","metrics" \[],"overall score" 123,"severity" "string","vector string" "string","version" "string"},"cwe uid" "string","cwe url" "string","modified time dt" "string","product" {"feature" {},"lang" "string","name" "example name","path" "string","uid" "string","vendor name" "example name","version" "string"},"type" "string","uid" "string"},"desc" "string","kb articles" \["string"],"packages" \[{"architecture" "string","epoch" 123,"name" "example name","release" "string","version" "string"}],"references" \["string"],"related vulnerabilities" \["string"],"remediation" {"desc" "string","kb articles" \["string"]},"severity" "string","title" "string","vendor name" "example name"}} output parameter type description cve object the common vulnerabilities and exposures ( https //cve mitre org/ cve ) cve created time dt string the record creation date identifies when the cve id was issued to a cve numbering authority (cna) or the cve record was published on the cve list note that the record creation date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in cve cve cvss object the cvss object details common vulnerability scoring system ( https //www first org/cvss/ cvss ) scores from the advisory that are related to the vulnerability cve cvss base score number the cvss base score for example 9 1 cve cvss depth string the cvss depth represents a depth of the equation used to calculate cvss score cve cvss 
metrics array the common vulnerability scoring system metrics this attribute contains information on the cve's impact if the cve has been analyzed, this attribute will contain any cvssv2 or cvssv3 information associated with the vulnerability for example {{"access vector", "network"}, {"access complexity", "low"}, } cve cvss metrics name string the name of the metric cve cvss metrics value object the value of the metric cve cvss overall score number the cvss overall score, impacted by base, temporal, and environmental metrics for example 9 1 cve cvss severity string the common vulnerability scoring system (cvss) qualitative severity rating a textual representation of the numeric score cvss v2 0 low (0 0 – 3 9) medium (4 0 – 6 9) high (7 0 – 10 0) cvss v3 0 none (0 0) low (0 1 3 9) medium (4 0 6 9) high (7 0 8 9) critical (9 0 10 0) cve cvss vector string string the cvss vector string is a text representation of a set of cvss metrics it is commonly used to record or transfer cvss metric information in a concise form for example 3 1/av \ l /ac \ l /pr \ l /ui \ n /s \ u /c \ h /i \ n /a \ h cve cvss version string the cvss version for example 3 1 cve cwe uid string the https //cwe mitre org/ common weakness enumeration (cwe) unique identifier for example cwe 787 cve cwe url string common weakness enumiration (cwe) definition url for example https //cwe mitre org/data/definitions/787 html cve modified time dt string the record modified date identifies when the cve record was last updated cve product object the product where the vulnerability was discovered cve product feature object the feature that reported the event cve product feature name string the name of the product feature cve product feature uid string the unique identifier of the product feature cve product feature version string the version of the product feature cve product lang string the two letter lower case language codes, as defined by https //en wikipedia org/wiki/iso 639 1 iso 639 1 for example en 
(english), de (german), or fr (french) cve product name string the name of the product cve product path string the installation path of the product cve product uid string the unique identifier of the product cve product vendor name string the name of the vendor of the product output example {"cve" {"created time dt" "string","cvss" {"base score" 123,"depth" "string","metrics" \[],"overall score" 123,"severity" "string","vector string" "string","version" "string"},"cwe uid" "string","cwe url" "string","modified time dt" "string","product" {"feature" {},"lang" "string","name" "example name","path" "string","uid" "string","vendor name" "example name","version" "string"},"type" "string","uid" "string"},"desc" "string","kb articles" \[],"packages" \[],"references" \[],"related vulnerabiliti response headers header description example content type the media type of the resource application/json date the date and time at which the message was originated thu, 01 jan 2024 00 00 00 gmt
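The following is an added example, not code from the connector documentation or from Swimlane. It serves two passages above: the input-argument tables (which fields each action requires, including fields that are only required once an optional container such as cvss, groups, metrics or product is present) and the cve.cvss descriptions (the qualitative severity bands and the vector string form quoted there). It checks a playbook input against those rules before the action is called, and normalises a cve.cvss object by deriving severity from base_score and filling metrics from vector_string. The action keys, the REQUIRED table and the sample payloads are transcribed from the tables; the function names are this example's own and the payloads are constructed, not captured from the connector. One caveat the page does not state: a vector string that conforms to the CVSS v3.x and v4.0 specifications starts with a CVSS: prefix (CVSS:3.1/AV:L/...), while the form quoted above omits it, so the parser accepts both.

```python
# Added example, not part of the SOS Objects Pt1 connector or Swimlane's code.
# Assumed: action keys and REQUIRED are transcribed from the tables above; function
# names are this example's own; the payloads in __main__ are constructed.
import re
from typing import Iterator, Optional

# Required input fields per action, from the input-argument tables above. A nested
# path is enforced only when its parent exists: the tables mark cvss, groups, metrics
# and product as optional containers whose members become required once present.
# "[]" means "every element of this array".
REQUIRED = {
    "product": ["product", "product.name", "product.vendor_name"],
    "remediation": ["remediation"],
    "reputation": ["reputation", "reputation.base_score"],
    "resource": ["resource"],
    "rule": ["rule", "rule.name"],
    "smtp_header": ["smtp_header", "smtp_header.name", "smtp_header.value"],
    "tactic": ["tactic", "tactic.uid"],
    "technique": ["technique", "technique.uid"],
    "user": ["user", "user.groups[].name"],
    "vulnerability_details": [
        "vulnerability", "vulnerability.cve",
        "vulnerability.cve.cvss.base_score", "vulnerability.cve.cvss.version",
        "vulnerability.cve.cvss.metrics[].name", "vulnerability.cve.cvss.metrics[].value",
        "vulnerability.cve.product.name",
    ],
}


def _leaves(obj, path: str, prefix: str = "") -> Iterator[tuple[dict, str, str]]:
    """Yield (container, key, display_path) for each position `path` names in `obj`,
    expanding "[]" over array elements. Absent intermediate containers yield nothing;
    their own presence is covered by their own REQUIRED entry, if any."""
    head, _, rest = path.partition(".")
    is_list, key = head.endswith("[]"), head.rstrip("[]")
    if not isinstance(obj, dict):
        return
    if not rest:
        yield obj, key, prefix + key
        return
    child = obj.get(key)
    if is_list:
        for i, item in enumerate(child if isinstance(child, list) else []):
            yield from _leaves(item, rest, f"{prefix}{key}[{i}].")
    else:
        yield from _leaves(child, rest, f"{prefix}{key}.")


def missing_fields(action: str, payload: dict) -> list[str]:
    """Required fields that are absent, None or "" in `payload` for `action`."""
    return [shown for path in REQUIRED[action]
            for container, key, shown in _leaves(payload, path)
            if container.get(key) in (None, "")]


# Qualitative severity bands quoted in the cve.cvss.severity description above.
# CVSS v3.1 and v4.0 publish the same scale as v3.0, so every non-2.x version uses it.
_V2_BANDS = [(0.0, 3.9, "Low"), (4.0, 6.9, "Medium"), (7.0, 10.0, "High")]
_V3_BANDS = [(0.0, 0.0, "None"), (0.1, 3.9, "Low"), (4.0, 6.9, "Medium"),
             (7.0, 8.9, "High"), (9.0, 10.0, "Critical")]
_VERSION_HEAD = re.compile(r"^(?:CVSS:)?(\d\.\d)$")


def cvss_severity(base_score: float, version: str) -> str:
    """Map a base score to its qualitative severity for the given CVSS version."""
    score = round(float(base_score), 1)          # CVSS scores carry one decimal place
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {base_score!r}")
    bands = _V2_BANDS if str(version).strip().startswith("2") else _V3_BANDS
    return next(label for low, high, label in bands if low <= score <= high)


def parse_cvss_vector(vector: str) -> tuple[Optional[str], dict[str, str]]:
    """Parse a vector string into (version, {metric: value}).

    Accepts the bare "3.1/AV:L/..." form quoted above and the "CVSS:3.1/AV:L/..."
    form the v3.x/v4.0 specifications require. CVSS v2 vectors carry no version
    prefix ("AV:N/AC:L/Au:N/..."), so version comes back None and the caller should
    fall back to cve.cvss.version. Malformed or duplicate metrics raise rather than
    being dropped, because a silently truncated vector would mislead later triage."""
    head, *items = vector.strip().strip("()").split("/")
    m = _VERSION_HEAD.match(head)
    if not m:
        items.insert(0, head)
    metrics: dict[str, str] = {}
    for item in items:
        name, sep, value = item.partition(":")
        if not (sep and name and value):
            raise ValueError(f"malformed metric {item!r} in {vector!r}")
        if name in metrics:
            raise ValueError(f"duplicate metric {name!r} in {vector!r}")
        metrics[name] = value
    return (m.group(1) if m else None), metrics


def normalise_cvss(cvss: dict) -> dict:
    """Copy of a cve.cvss object with severity derived from base_score and version,
    metrics filled from vector_string (as the {"name", "value"} objects the table
    uses) when absent, and a version mismatch between the two rejected."""
    out = dict(cvss)
    version = str(cvss["version"])
    out["severity"] = cvss_severity(cvss["base_score"], version)
    if cvss.get("vector_string"):
        vec_version, metrics = parse_cvss_vector(cvss["vector_string"])
        if vec_version is not None and vec_version != version:
            raise ValueError(f"vector_string is CVSS {vec_version} but version is {version}")
        if not cvss.get("metrics"):
            out["metrics"] = [{"name": k, "value": v} for k, v in metrics.items()]
    return out


if __name__ == "__main__":  # constructed payloads, not captured from the connector
    print(missing_fields("product", {"product": {"name": "Example Product"}}))
    print(missing_fields("user", {"user": {"groups": [{"name": "Administrators"}, {"desc": "x"}]}}))
    print(normalise_cvss({"base_score": 9.1, "version": "3.1",
                          "vector_string": "3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H"}))
```

Run missing_fields on the input object before invoking the action and treat a non-empty result as a playbook error; run normalise_cvss on the returned cve.cvss so that severity in your case record is always computed from base_score and version rather than trusted from the source, whose severity field is optional.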