Workload Protection API | IBM Cloud API Docs

Introduction

Last updated: 2024-11-15

In architectures that are focused on container and microservices, you can use IBM Cloud® Security and Compliance Center Workload Protection to protect, monitor, and enhance forensic analysis of your pipeline and runtime components.

IBM Cloud Security and Compliance Center Workload Protection is available natively on IBM Cloud with an API and SDK that is maintained and provided by Sysdig.

For details about using IBM Cloud Security and Compliance Center Workload Protection, see the IBM Cloud docs.

Use the following syntax from a terminal to run a cURL command:

curl -X <METHOD> <ENDPOINT>/<API_URL> <-H HEADERS,> [-d DATA]

Where

<METHOD> indicates the type of REST API call that you want to make.
<ENDPOINT> indicates the endpoint where the IBM Cloud Security and Compliance Center Workload Protection instance is available. For more information, see Endpoints.
<API_URL> The API URL.
HEADERS add additional information such as information to authenticate with the IBM Cloud Security and Compliance Center Workload Protection service.
DATA allows you to pass additional information that might be required.

The code examples on this tab use the client library that is provided for Python.

import os
import sys
sys.path.insert(0, os.path.join(os.path.dirname(os.path.realpath(sys.argv[0])), '..'))
from sdcclient import IbmAuthHelper, SdMonitorClient

# Parse arguments.
def usage():
   print('usage: %s <ENDPOINT_URL> <API_KEY> <INSTANCE_GUID>' % sys.argv[0])
   print('ENDPOINT_URL: IBM Cloud endpoint URL (for example https://us-south.security-compliance-secure.cloud.ibm.com')
   print('API_KEY: IBM Cloud IAM API key. This key is used to retrieve an IAM access token.')
   print('INSTANCE_GUID: GUID of an Security and Compliance Center Workload Protection instance.')
   sys.exit(1)

if len(sys.argv) != 4:
   usage()

URL = sys.argv[1]
APIKEY = sys.argv[2]
GUID = sys.argv[3]


# Instantiate the client
ibm_headers = IbmAuthHelper.get_headers(URL, APIKEY, GUID)
sdclient = SdMonitorClient(sdc_url=URL, custom_headers=ibm_headers)
Copy to clipboard

Endpoint URL

You can use public and private endpoints. To find out about the available endpoints, see REST API Endpoints.

The endpoint for the IBM Cloud Security and Compliance Center Workload Protection API is in the format: https://cloud.ibm.com.security-compliance-secure.cloud.ibm.com/api For example, the API endpoint for Dallas is: https://us-south.security-compliance-secure.cloud.ibm.com/api

Example request to a Dallas endpoint:

curl -X GET https://us-south.security-compliance-secure.cloud.ibm.com/api/alerts/<ALERT_ID> -H "Authorization: $AUTH_TOKEN" -H "IBMInstanceID: $GUID" -H "TeamID: $TEAM_ID" -H "content-type: application/json"
Copy to clipboard

Replace <ALERT_ID>, AUTH_TOKEN, GUID and TEAM_ID in this example with the values for your particular API call.

Example request to a Dallas endpoint

import os
import sys
sys.path.insert(0, os.path.join(os.path.dirname(os.path.realpath(sys.argv[0])), '..'))
from sdcclient import IbmAuthHelper, SdMonitorClient

# Parse arguments.
def usage():
   print('usage: %s <ENDPOINT_URL> <API_KEY> <INSTANCE_GUID>' % sys.argv[0])
   print('ENDPOINT_URL: IBM Cloud endpoint URL (e.g. https://us-south.security-compliance-secure.cloud.ibm.com')
   print('API_KEY: IBM Cloud IAM API key. This key is used to retrieve an IAM access token.')
   print('INSTANCE_GUID: GUID of an IBM Cloud Monitoring instance.')
   sys.exit(1)

if len(sys.argv) != 4:
   usage()

URL = sys.argv[1]
APIKEY = sys.argv[2]
GUID = sys.argv[3]


# Instantiate the client
ibm_headers = IbmAuthHelper.get_headers(URL, APIKEY, GUID)
sdclient = SdMonitorClient(sdc_url=URL, custom_headers=ibm_headers)
Copy to clipboard

Authentication

Access to IBM Cloud Security and Compliance Center Workload Protection is controlled by using IBM Cloud Identity and Access Management (IAM), which provides a unified approach to managing user identities and access control across your IBM Cloud services and applications.

This API requires IBM Cloud Identity and Access Management (IAM) authentication. You must pass an IAM token in the Authorization header of the request. You can retrieve your IAM access token, which is prefixed with Bearer, by running the ibmcloud iam oauth-tokens command. You must also set the Account header to the unique ID for your IBM Cloud account. You can retrieve your Account ID by running the ibmcloud account show command.

To call each method, you must be assigned a role that includes the required IAM actions. Each method lists the associated action. For more information about IAM actions and how they map to roles, see Controlling access through IAM.

In a cURL command, add the following headers to authenticate with the IBM Cloud Security and Compliance Center Workload Protection service by using an IAM token:

-H "Authorization: $AUTH_TOKEN"
-H "IBMInstanceID: $GUID"
-H "TeamID: $TEAM_ID"

Where

IBMInstanceID indicates the GUID of the IBM Cloud Security and Compliance Center Workload Protection instance that you want to target with the cURL command.

To get the GUID of the monitoring instance, run the following command: ibmcloud resource service-instance <NAME> --output json | jq -r '.[].guid'
Authorization indicates the IAM token that is used to authenticate with the IBM Cloud Monitoring service instance.

To get the IAM AUTH_TOKEN token, run the following command: ibmcloud iam oauth-tokens | awk '{print $4}'

For more information, see Getting the IAM API token.
TeamID indicates the GUID of a team.

To get the GUID, see Getting the ID of a team.

To use IBM Cloud IAM authentication with the Python client, you must specify an endpoint, an API key, and the GUID from your IBM Cloud Monitoring instance.

Complete the following steps from a terminal:

Get the GUID of your IBM Cloud Security and Compliance Center Workload Protection instance. Run the following command:
```
ibmcloud resource service-instance <NAME> --output json | jq -r '.[].guid'
```
Get the API key. Run the following command to generate a user API key:
```
ibmcloud iam api-key-create KEY_NAME
```
Get the endpoint for the region where the instance is available.
Add the following entries to your Python script:
```
from sdcclient import IbmAuthHelper, SdMonitorClient

URL = <ENDPOINT>
# For example: URL = 'https://us-south.security-compliance-secure.cloud.ibm.com'

APIKEY = <IAM_APIKEY>

GUID = <GUID>

ibm_headers = IbmAuthHelper.get_headers(URL, APIKEY, GUID)
sdclient = SdMonitorClient(sdc_url=URL, custom_headers=ibm_headers)
```
Where

<ENDPOINT> must be replaced with the endpoint where the IBM Cloud Security and Compliance Center Workload Protection instance is available.

<IAM_APIKEY> must be replaced with a valid IAM API key. Learn more.

<GUID> must be replaced with the GUID of the IBM Cloud Security and Compliance Center Workload Protection instance that you obtain in the previous step.

You can now use the sdclient to perform actions that will be authenticated by using IAM.

If you get the error 400 Client Error: Bad Request for url: https://iam.cloud.ibm.com/identity/token, check the API key. The value that you are passing is not valid.

Auditing

You can monitor API activity within your account by using the IBM Cloud Activity Tracker service. Whenever an API method is called, an event is generated that you can then track and audit from within Activity Tracker. The specific event type is listed for each individual method. For more information about how to track IBM Cloud Security and Compliance Center Workload Protection activity, see Auditing the events for IBM Cloud Security and Compliance Center Workload Protection.

Error handling

The IBM Cloud Security and Compliance Center Workload Protection service uses standard HTTP response codes to indicate whether a method completed successfully.

A 200 response always indicates success.
A 400 type response indicates a failure.
A 500 type response usually indicates an internal system error.

Table 1. HTTP error codes
HTTP Error Code	Description
`200`	Success
`201`	Success
`400`	Bad Request
`401`	Unauthorized
`403`	Forbidden
`404`	Not Found
`422`	Validation error, reason stated in the response body
`500`	Internal Server Error

Lists all cloud account IDs for a customer.

GET /api/cloud/v2/accountIDs

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

string[]

Status Code

200
OK
403
Account is forbidden (inactive/expired customer).
404
The cloud info could not be found.

Example responses

[ "411112345678", "845123456789" ]

Lists all cloud accounts for a customer.

GET /api/cloud/v2/accounts

Request

Query Parameters

provider
string
Filter by provider

Allowable values: [aws,gcp,azure]
includeExternalID
string
Fetches the customer's external id.
includeExternalId
string
Fetches the customer's external id.

Response

Response Body

object[]

Status Code

200
OK
403
Account is forbidden (inactive/expired customer).

No Sample Response

This method does not specify any sample responses.

Creates a Cloud Account for a customer.

POST /api/cloud/v2/accounts

Request

Query Parameters

includeExternalID
string
Fetches the customer's external id.
includeExternalId
string
Fetches the customer's external id.
upsert
string
Upserts the customer's cloud account.

Response

Response Body

object

Status Code

200
Cloud Account is successfully created
400
The given request is invalid.
403
Account is forbidden (inactive/expired customer).
409
Cloud account already exists.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

Registers a Cloud Account.

POST /api/cloud/v2/accounts/register

Request

Request Body

Required*

object

Cloud Account register request.

Response

Response Body

object

Status Code

200
Account is successfully registered
400
The given request is invalid.
403
Account is forbidden (inactive/expired customer).
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

Deletes a cloud account for a given customer and accountId.

DELETE /api/cloud/v2/accounts/{accountId}

Request

Path Parameters

accountID
Required*
number

Response

Status Code

200
OK
403
Account is forbidden (inactive/expired customer).
404
The cloud info could not be found.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

Fetches a cloud account for a given customer and accountId.

GET /api/cloud/v2/accounts/{accountId}

Request

Path Parameters

accountID
Required*
number

Query Parameters

includeExternalID
string
Fetches the customer's external id.
includeExternalId
string
Fetches the customer's external id.

Response

Response Body

object

Status Code

200
OK
401
Invalid or missing auth token.
403
Account is forbidden (inactive/expired customer).
404
The cloud info could not be found.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

Edits the alias, role available status, or role name of a given cloud account. Updating the account alias, role availability status, or role name requires the cloud service provider information in the request body. Failing to include the provider in the request body will result in a 400 Bad Request error.

When you request to update the alias field and want to retain the current value for the roleAvailable and role name fields, you need to remember the existing values and supply that in the request. Otherwise, the default roleAvailable value (false) and roleName (empty) will be persisted in the system. Likewise, when you attempt to change the roleAvailable field and want to retain the current account alias and role name, you must supply the current account alias and roleName in the request. In a nutshell, it’s recommended that you supply the expected values for both alias, roleAvailable, and roleName fields in the request, even when the intention is to update either one, more than one, or all of them.

This API also respects the presence of includeExternalID or includeExternalId parameters in the request URL. If specified, the external ID associated with the cloud account will be included in the response. You need to specify either includeExternalID or includeExternalId parameter while sending the request. If you specify both, the server gives precedence to includeExternalId. But you might not notice the difference when seeing the response. The includeExternalID is still maintained for backward compatibility. It’s recommended to use includeExternalId if you want to see the external ID in the response.

PUT /api/cloud/v2/accounts/{accountId}

Request

Path Parameters

accountID
Required*
number

Query Parameters

includeExternalID
string
Fetches the customer's external id.
includeExternalId
string
Fetches the customer's external id.

Request Body

Required*

object

Response

Response Body

object

Status Code

200
OK
400
The given request is invalid.
403
Account is forbidden (inactive/expired customer).
404
The cloud info could not be found.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

Uses the role name set upon cloud account creation and attempts to assume that role to determine if the role is valid. Enables the role if not explicitly specified by the customer.

GET /api/cloud/v2/accounts/{accountId}/validateRole

Request

Path Parameters

accountID
Required*
number

Query Parameters

enableOnSuccess
string
Whether to enable the role if it is valid.

Response

Response Body

object

Status Code

200
Role is successfully validated
400
The given request is invalid.
403
Account is forbidden (inactive/expired customer).
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

Lists the Cloud Account information with regions and clusters.

GET /api/cloud/v2/dataSources/accounts

Request

Query Parameters

provider
string
Filter by provider

Allowable values: [aws,gcp,azure]
filter
string
Free text filter. Searches on the following fields: accountId, region
limit
string
offset
string
sortBy
string
Sort by column. Options: accountId, alias, clustersConnected, platform. Default is accountId
sort
string
Sort order. Options: asc, desc

Response

Response Body

object[]

Datasources Cloud Accounts get request.

Status Code

200
OK
403
Account is forbidden (inactive/expired customer).
404
The cloud info could not be found.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

Lists all clusters across a customer's accounts.

GET /api/cloud/v2/dataSources/clusters

Request

Query Parameters

provider
string
Filter by provider

Allowable values: [aws,gcp,azure]
accountId
string
Filter by account ID
connected
boolean
Filter by connected status
filter
string
Free text filter. Searches on the following fields: name, region
limit
string
offset
string
sortBy
string
Sort by column. Options: accountId, status, clusterName, region, platform, nodeCount, version, createdAt. Default is accountId
sort
string
Sort order. Options: asc, desc

Response

Response Body

object[]

Datasources Clusters get request.

Status Code

200
OK
401
Invalid or missing auth token.
403
Account is forbidden (inactive/expired customer).
404
The cloud info could not be found.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

List the Cloud Accounts and Monitor Accounts.

GET /api/cloud/v2/dataSources/filter/accounts

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object

Status Code

200
OK
403
Account is forbidden (inactive/expired customer).
404
The cloud info could not be found.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

List Agent Status.

GET /api/cloud/v2/dataSources/filter/agentStatus

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object

Status Code

200
OK
403
Account is forbidden (inactive/expired customer).
404
The cloud info could not be found.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

List all Agent Versions.

GET /api/cloud/v2/dataSources/filter/agentVersions

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object

Status Code

200
OK
403
Account is forbidden (inactive/expired customer).
404
The cloud info could not be found.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

List the Clusters.

GET /api/cloud/v2/dataSources/filter/clusters

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object

Status Code

200
OK
403
Account is forbidden (inactive/expired customer).
404
The cloud info could not be found.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

List all the Nodes.

GET /api/cloud/v2/dataSources/filter/nodes

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object

Status Code

200
OK
403
Account is forbidden (inactive/expired customer).
404
The cloud info could not be found.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

Get the DataSources endpoint status.

GET /api/cloud/v2/dataSources/status

Request

No Request Parameters

This method does not accept any request parameters.

Response

Status Code

200
OK
401
Invalid or missing auth token.
403
Account is forbidden (inactive/expired customer).
404
The cloud info could not be found.
500
The server encountered an unexpected condition.
503
The service is currently unavailable

No Sample Response

This method does not specify any sample responses.

Fetches the list of groups.

GET /api/cloud/v2/groups

Request

Query Parameters

account
number
provider
string
Filter by provider

Allowable values: [aws,gcp,azure]
groupName
string
Filter by group name
groupARN
string
Filter by group ARN
limit
string
Limit the amount of results to be fetched
cursor
string
Cursor is used for API pagination
riskLabels
string
Filter by risk labels

Allowable values: [Admin,Inactive]
profilingLabels
string
Filter by profiling labels

Allowable values: [Learning]
excludeLearning
string
Indicates whether to exclude identities that are still in learning mode from the results.
riskCategory
string
Filter by risk category

Allowable values: [Critical,High,Medium,Low]
accessCategory
string
Filter by access category

Allowable values: [Empty Access,Admin,Write,Read]
excessiveRiskCategory
string
Filter by excessive risk category

Allowable values: [Critical,High,Medium,Low]

Response

Response Body

object

Groups paginated response.

Status Code

200
OK
400
The given request is invalid.
401
Invalid or missing auth token.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

Fetches the list of policies attached to the specified group.

GET /api/cloud/v2/groups/policies

Request

Query Parameters

account
Required*
number
provider
Required*
string
Filter by provider

Allowable values: [aws,gcp,azure]
groupName
Required*
string
Filter by group name
limit
string
Limit the amount of results to be fetched
cursor
string
Cursor is used for API pagination

Response

Response Body

object

Status Code

200
OK
400
The given request is invalid.
401
Invalid or missing auth token.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

Fetches the policy suggestion. Policy is based only on the action of the users in the group.

GET /api/cloud/v2/groups/policySuggestion

Request

Query Parameters

provider
Required*
string
Allowable values: [aws,gcp,azure]
account
Required*
number
groupName
string
Filter by group name
groupARN
string
Filter by group ARN
includeResource
string
Specify whether to fill out the resource section of the policy suggestion or leave it as '*'

Allowable values: [true,false]

Response

Response Body

object

Status Code

200
OK
204
There is no information.
400
The given request is invalid.
401
Invalid or missing auth token.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

Fetches the list of users attached to the specified group.

GET /api/cloud/v2/groups/users

Request

Query Parameters

account
Required*
number
provider
Required*
string
Filter by provider

Allowable values: [aws,gcp,azure]
groupName
Required*
string
Filter by group name
limit
string
Limit the amount of results to be fetched
cursor
string
Cursor is used for API pagination

Response

Response Body

object

Status Code

200
OK
400
The given request is invalid.
401
Invalid or missing auth token.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

Lists all of the supported labels.

GET /api/cloud/v2/labels

Request

Query Parameters

resource
string
Filter by resource: policy, user, role, serviceAccount, group

Response

Response Body

object

Status Code

200
OK
400
The given request is invalid.

No Sample Response

This method does not specify any sample responses.

Fetches the list of policies based on Excessive Permissions.

GET /api/cloud/v2/policies

Request

Query Parameters

account
number
provider
string
Filter by provider

Allowable values: [aws,gcp,azure]
policyID
string
Filter by policy id
policyName
string
Filter by policy name
resourceWildcard
boolean
actionWildcard
boolean
limit
string
Limit the amount of results to be fetched
cursor
string
Cursor is used for API pagination
riskLabels
string
Filter by risk labels

Allowable values: [No MFA,Admin,Root User,Inactive,Multiple Access Keys Active,Access Key 1 Not Rotated,Access Key 2 Not Rotated]
profilingLabels
string
Filter by profiling labels

Allowable values: [Learning]
excludeLearning
string
Indicates whether to exclude the policies attached to the identities that are still in learning mode from the results.
policyType
string
Filter by type of policy

Allowable values: [AWS Managed,Customer,Inline]
riskCategory
string
Filter by risk category

Allowable values: [Critical,High,Medium,Low]
excessiveRiskCategory
string
Filter by excessive risk category

Allowable values: [Critical,High,Medium,Low]
accessCategory
string
Filter by access category

Allowable values: [Empty Access,Admin,Write,Read]

Response

Response Body

object

Policies paginated response.

Status Code

200
OK
400
The given request is invalid.
401
Invalid or missing auth token.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

Fetches the list of groups for a given policy.

GET /api/cloud/v2/policies/groups

Request

Query Parameters

account
Required*
number
provider
Required*
string
Filter by provider

Allowable values: [aws,gcp,azure]
policyName
Required*
string
Filter by policy name
limit
string
Limit the amount of results to be fetched
cursor
string
Cursor is used for API pagination

Response

Response Body

object

Status Code

200
OK
400
The given request is invalid.
401
Invalid or missing auth token.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

Fetches a single policy document.

GET /api/cloud/v2/policies/policyDoc

Request

Query Parameters

account
Required*
number
policyID
Required*
string
Filter by actor name
provider
Required*
string
Filter by provider

Allowable values: [aws,gcp,azure]

Response

Response Body

object

Status Code

200
OK
400
The given request is invalid.
401
Invalid or missing auth token.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

Fetches the policy suggestion. Policy is based only on the action of the user.

GET /api/cloud/v2/policies/policySuggestion

Request

Query Parameters

account
Required*
number
policyID
Required*
string
Filter by actor name
provider
Required*
string
Filter by provider

Allowable values: [aws,gcp,azure]
format
string
Specify the format. By default json is the format

Allowable values: [terraform,json]
includeResource
string
Specify whether to fill out the resource section of the policy suggestion or leave it as '*'

Allowable values: [true,false]

Response

Response Body

object

Status Code

200
OK
400
The given request is invalid.
401
Invalid or missing auth token.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

Fetches the list of users for a given policy.

GET /api/cloud/v2/policies/users

Request

Query Parameters

account
Required*
number
policyID
Required*
string
Filter by actor name
provider
Required*
string
Filter by provider

Allowable values: [aws,gcp,azure]
kind
string
Filter by kind

Allowable values: [user,role]
policyType
string
Filter by type of policy

Allowable values: [AWS Managed,Customer,Inline]

Response

Response Body

object

Status Code

200
OK
400
The given request is invalid.
401
Invalid or missing auth token.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

Fetches the Groups Report in CSV format.

GET /api/cloud/v2/reports/groups/csv

Request

Query Parameters

account
number
provider
string
Filter by provider

Allowable values: [aws,gcp,azure]
groupName
string
Filter by group name
groupARN
string
Filter by group ARN
accessCategory
string
Filter by access category

Allowable values: [Empty Access,Admin,Write,Read]
riskLabels
string
Filter by risk labels

Allowable values: [Admin,Inactive]
profilingLabels
string
Filter by profiling labels

Allowable values: [Learning]
excludeLearning
string
Indicates whether to exclude identities that are still in learning mode from the results.
riskCategory
string
Filter by risk category

Allowable values: [Critical,High,Medium,Low]
excessiveRiskCategory
string
Filter by excessive risk category

Allowable values: [Critical,High,Medium,Low]

Response

Response Body

string

Status Code

200
OK
400
The given request is invalid.
401
Invalid or missing auth token.
500
The server encountered an unexpected condition.

Example responses

Fetches the Policies Report in CSV format.

GET /api/cloud/v2/reports/policies/csv

Request

Query Parameters

accountId
number
policyId
string
provider
string
Filter by provider

Allowable values: [aws,gcp,azure]
policyName
string
Filter by policy name
policyType
string
Filter by type of policy

Allowable values: [AWS Managed,Customer,Inline]
riskLabels
string
Filter by risk labels

Allowable values: [No MFA,Admin,Root User,Inactive,Multiple Access Keys Active,Access Key 1 Not Rotated,Access Key 2 Not Rotated]
profilingLabels
string
Filter by profiling labels

Allowable values: [Learning]
excludeLearning
string
Indicates whether to exclude the policies attached to the identities that are still in learning mode from the results.
riskCategory
string
Filter by risk category

Allowable values: [Critical,High,Medium,Low]
excessiveRiskCategory
string
Filter by excessive risk category

Allowable values: [Critical,High,Medium,Low]
accessCategory
string
Filter by access category

Allowable values: [Empty Access,Admin,Write,Read]

Response

Response Body

string

Status Code

200
OK
401
Invalid or missing auth token.
500
The server encountered an unexpected condition.

Example responses

Fetches the Users Report in CSV format.

GET /api/cloud/v2/reports/users/csv

Request

Query Parameters

kind
string
Filter by kind

Allowable values: [user,role,serviceAccount]
accountId
number
provider
string
Filter by provider

Allowable values: [aws,gcp,azure]
actorName
string
Filter by actor name
riskLabels
string
Filter by risk labels

Allowable values: [No MFA,Admin,Root User,Inactive,Lateral Movement,User Managed Key,Multiple Access Keys Active,Access Key 1 Not Rotated,Access Key 2 Not Rotated]
profilingLabels
string
Filter by profiling labels

Allowable values: [Learning]
excludeLearning
string
Indicates whether to exclude identities that are still in learning mode from the results.
riskCategory
string
Filter by risk category

Allowable values: [Critical,High,Medium,Low]
excessiveRiskCategory
string
Filter by excessive risk category

Allowable values: [Critical,High,Medium,Low]
accessCategory
string
Filter by access category

Allowable values: [Empty Access,Admin,Write,Read]

Response

Response Body

string

Status Code

200
OK
400
The given request is invalid.
401
Invalid or missing auth token.
500
The server encountered an unexpected condition.

Example responses

Lists all of the risk category thresholds.

GET /api/cloud/v2/riskCategory

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object

Status Code

200
OK
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

This request retrieves the static risk findings definitions used to evaluate the identity risk findings of cloud IAM users or roles. Currently, it is only supported for AWS cloud.

GET /api/cloud/v2/riskFindingsDefinition

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object

Status Code

200
OK
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

Lists all of the risk label scores.

GET /api/cloud/v2/riskLabelScores

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object

Status Code

200
OK
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

Fetches the list of users.

GET /api/cloud/v2/users

Request

Query Parameters

account
number
provider
string
Filter by provider

Allowable values: [aws,gcp,azure]
kind
string
Filter by kind

Allowable values: [user,role,serviceAccount]
actorName
string
Filter by actor name
actorID
string
Filter by actor id
limit
string
Limit the amount of results to be fetched
cursor
string
Cursor is used for API pagination
riskLabels
string
Filter by risk labels

Allowable values: [No MFA,Admin,Root User,Inactive,Lateral Movement,User Managed Key,Multiple Access Keys Active,Access Key 1 Not Rotated,Access Key 2 Not Rotated]
profilingLabels
string
Filter by profiling labels

Allowable values: [Learning]
excludeLearning
string
Indicates whether to exclude identities that are still in learning mode from the results.
riskCategory
string
Filter by risk category

Allowable values: [Critical,High,Medium,Low]
excessiveRiskCategory
string
Filter by excessive risk category

Allowable values: [Critical,High,Medium,Low]
accessCategory
string
Filter by access category

Allowable values: [Empty Access,Admin,Write,Read]
sortBy
string
Sort by column. Options: userName, lastActive
sort
string
Sort order. Options: asc, desc

Response

Response Body

object

Users paginated response.

Status Code

200
OK
400
The given request is invalid.
401
Invalid or missing auth token.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

Fetches the list of groups attached to a specified user (actor_id).

GET /api/cloud/v2/users/groups

Request

Query Parameters

account
Required*
number
provider
Required*
string
Filter by provider

Allowable values: [aws,gcp,azure]
actorID
Required*
string
Filter by actor id
limit
string
Limit the amount of results to be fetched
cursor
string
Cursor is used for API pagination

Response

Response Body

object

Status Code

200
OK
400
The given request is invalid.
401
Invalid or missing auth token.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

Fetches the policy information for a given user.

GET /api/cloud/v2/users/policyInfo

Request

Query Parameters

account
Required*
number
actorName
Required*
string
Filter by actor name
actorID
Required*
string
Filter by actor id

Response

Response Body

object[]

Status Code

200
OK
400
The given request is invalid.
401
Invalid or missing auth token.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

Fetches the policy suggestion. Policy is based only on the action of the user.

GET /api/cloud/v2/users/policySuggestion

Request

Query Parameters

provider
Required*
string
Allowable values: [aws,gcp,azure]
account
Required*
number
actorName
Required*
string
Filter by actor name
actorID
Required*
string
Filter by actor id
format
string
Specify the format. By default json is the format

Allowable values: [terraform,json]
includeResource
string
Specify whether to fill out the resource section of the policy suggestion or leave it as '*'

Allowable values: [true,false]

Response

Response Body

object

Status Code

200
OK
204
There is no information.
400
The given request is invalid.
401
Invalid or missing auth token.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

GET /api/cloudauth/v1/accounts

Request

Query Parameters

organizationId
string
provider
string
Allowable values: [PROVIDER_UNSPECIFIED,PROVIDER_AWS,PROVIDER_AZURE,PROVIDER_GCP,PROVIDER_OKTA,PROVIDER_GITHUB,PROVIDER_IBMCLOUD]
featureSecureConfigPostureEnabled
boolean
featureSecureIdentityEntitlementEnabled
boolean
featureSecureThreatDetectionEnabled
boolean
featureSecureAgentlessScanningEnabled
boolean
featureMonitorCloudMetricsEnabled
boolean
limit
string
offset
string
verbosity
string
Account verbosity level:
- VERBOSITY_UNSPECIFIED - default, same as DETAIL
- VERBOSITY_IDENT - only indentifying information of the entity
- VERBOSITY_INFO - includes all fields of entity; excludes nested entities and collections
- VERBOSITY_FULL - includes all fields of entity and nested entities; excludes collections
- VERBOSITY_DETAIL - default; includes all fields of the entity, nested entities and collections
- VERBOSITY_DEBUG - debugging information
- VERBOSITY_TRACE - all available information
Allowable values: [VERBOSITY_UNSPECIFIED,VERBOSITY_IDENT,VERBOSITY_INFO,VERBOSITY_FULL,VERBOSITY_DETAIL,VERBOSITY_DEBUG,VERBOSITY_TRACE]

Response

Response Body

object

Status Code

200
OK
401
Invalid or missing auth token.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

POST /api/cloudauth/v1/accounts

Request

Request Body

Required*

object

CloudAccount captures a snapshot of basic metadata fields associated with a cloud.

Response

Response Body

object

CloudAccount captures a snapshot of basic metadata fields associated with a cloud.

Status Code

200
OK
400
The given request is invalid.
401
Invalid or missing auth token.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

DELETE /api/cloudauth/v1/accounts/{accountId}

Request

Path Parameters

accountId
Required*
string

Response

Status Code

204
There is no information.
401
Invalid or missing auth token.
404
The requested entity was not found.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

GET /api/cloudauth/v1/accounts/{accountId}

Request

Path Parameters

accountId
Required*
string

Query Parameters

verbosity
string
Account verbosity level:
- VERBOSITY_UNSPECIFIED - default, same as DETAIL
- VERBOSITY_IDENT - only indentifying information of the entity
- VERBOSITY_INFO - includes all fields of entity; excludes nested entities and collections
- VERBOSITY_FULL - includes all fields of entity and nested entities; excludes collections
- VERBOSITY_DETAIL - default; includes all fields of the entity, nested entities and collections
- VERBOSITY_DEBUG - debugging information
- VERBOSITY_TRACE - all available information
Allowable values: [VERBOSITY_UNSPECIFIED,VERBOSITY_IDENT,VERBOSITY_INFO,VERBOSITY_FULL,VERBOSITY_DETAIL,VERBOSITY_DEBUG,VERBOSITY_TRACE]

Response

Response Body

object

CloudAccount captures a snapshot of basic metadata fields associated with a cloud.

Status Code

200
OK
401
Invalid or missing auth token.
404
The requested entity was not found.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

PUT /api/cloudauth/v1/accounts/{accountId}

Request

Path Parameters

accountId
Required*
string

Request Body

Required*

object

CloudAccount captures a snapshot of basic metadata fields associated with a cloud.

Response

Response Body

object

CloudAccount captures a snapshot of basic metadata fields associated with a cloud.

Status Code

200
OK
400
The given request is invalid.
401
Invalid or missing auth token.
404
The requested entity was not found.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

GET /api/cloudauth/v1/accounts/{accountId}/components

Request

Path Parameters

accountId
Required*
string

Response

Response Body

object

Status Code

200
OK
401
Invalid or missing auth token.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

POST /api/cloudauth/v1/accounts/{accountId}/components

Request

Path Parameters

accountId
Required*
string

Request Body

Required*

object

AccountComponent captures resourced deployed to a cloud

Response

Response Body

object

AccountComponent captures resourced deployed to a cloud

Status Code

200
OK
400
The given request is invalid.
401
Invalid or missing auth token.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

DELETE /api/cloudauth/v1/accounts/{accountId}/components/{componentType}/{componentInstance}

Request

Path Parameters

accountId
Required*
string
componentType
Required*
string
Allowable values: [COMPONENT_UNSPECIFIED,COMPONENT_CLOUD_CONNECTOR,COMPONENT_TRUSTED_ROLE,COMPONENT_EVENT_BRIDGE,COMPONENT_SERVICE_PRINCIPAL,COMPONENT_CRYPTO_KEY]
componentInstance
Required*
string

Response

Status Code

204
There is no information.
401
Invalid or missing auth token.
404
The requested entity was not found.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

GET /api/cloudauth/v1/accounts/{accountId}/components/{componentType}/{componentInstance}

Request

Path Parameters

accountId
Required*
string
componentType
Required*
string
Allowable values: [COMPONENT_UNSPECIFIED,COMPONENT_CLOUD_CONNECTOR,COMPONENT_TRUSTED_ROLE,COMPONENT_EVENT_BRIDGE,COMPONENT_SERVICE_PRINCIPAL,COMPONENT_CRYPTO_KEY]
componentInstance
Required*
string

Response

Response Body

object

AccountComponent captures resourced deployed to a cloud

Status Code

200
OK
401
Invalid or missing auth token.
404
The requested entity was not found.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

PUT /api/cloudauth/v1/accounts/{accountId}/components/{componentType}/{componentInstance}

Request

Path Parameters

accountId
Required*
string
componentType
Required*
string
Allowable values: [COMPONENT_UNSPECIFIED,COMPONENT_CLOUD_CONNECTOR,COMPONENT_TRUSTED_ROLE,COMPONENT_EVENT_BRIDGE,COMPONENT_SERVICE_PRINCIPAL,COMPONENT_CRYPTO_KEY]
componentInstance
Required*
string

Request Body

Required*

object

AccountComponent captures resourced deployed to a cloud

Response

Response Body

object

AccountComponent captures resourced deployed to a cloud

Status Code

200
OK
400
The given request is invalid.
401
Invalid or missing auth token.
404
The requested entity was not found.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

POST /api/cloudauth/v1/accounts/{accountId}/components/{componentType}/{componentInstance}/validate

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object

AccountComponent captures resourced deployed to a cloud

Status Code

200
OK
401
Invalid or missing auth token.
404
The requested entity was not found.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

DELETE /api/cloudauth/v1/accounts/{accountId}/feature/{featureType}

Request

Path Parameters

accountId
Required*
string
featureType
Required*
string
Allowable values: [FEATURE_UNSPECIFIED,FEATURE_SECURE_THREAT_DETECTION,FEATURE_SECURE_CONFIG_POSTURE,FEATURE_SECURE_IDENTITY_ENTITLEMENT,FEATURE_MONITOR_CLOUD_METRICS,FEATURE_SECURE_AGENTLESS_SCANNING]

Response

Status Code

204
There is no information.
401
Invalid or missing auth token.
404
The requested entity was not found.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

GET /api/cloudauth/v1/accounts/{accountId}/feature/{featureType}

Request

Path Parameters

accountId
Required*
string
featureType
Required*
string
Allowable values: [FEATURE_UNSPECIFIED,FEATURE_SECURE_THREAT_DETECTION,FEATURE_SECURE_CONFIG_POSTURE,FEATURE_SECURE_IDENTITY_ENTITLEMENT,FEATURE_MONITOR_CLOUD_METRICS,FEATURE_SECURE_AGENTLESS_SCANNING]

Response

Response Body

object

AccountFeature captures a sysdig feature enabled on a cloud account

Status Code

200
OK
401
Invalid or missing auth token.
404
The requested entity was not found.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

update/enable a feature

PUT /api/cloudauth/v1/accounts/{accountId}/feature/{featureType}

Request

Path Parameters

accountId
Required*
string
featureType
Required*
string
Allowable values: [FEATURE_UNSPECIFIED,FEATURE_SECURE_THREAT_DETECTION,FEATURE_SECURE_CONFIG_POSTURE,FEATURE_SECURE_IDENTITY_ENTITLEMENT,FEATURE_MONITOR_CLOUD_METRICS,FEATURE_SECURE_AGENTLESS_SCANNING]

Request Body

Required*

object

AccountFeature captures a sysdig feature enabled on a cloud account

Response

Response Body

object

AccountFeature captures a sysdig feature enabled on a cloud account

Status Code

200
OK
400
The given request is invalid.
401
Invalid or missing auth token.
404
The requested entity was not found.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

POST /api/cloudauth/v1/accounts/{accountId}/feature/{featureType}/validate

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object

AccountFeature captures a sysdig feature enabled on a cloud account

Status Code

200
OK
401
Invalid or missing auth token.
404
The requested entity was not found.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

POST /api/cloudauth/v1/accounts/{accountId}/validate

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object

CloudAccount captures a snapshot of basic metadata fields associated with a cloud.

Status Code

200
OK
401
Invalid or missing auth token.
404
The requested entity was not found.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

POST /api/cloudauth/v1/components/validate

Request

Request Body

Required*

object

AccountComponent captures resourced deployed to a cloud

Response

Response Body

object

Status Code

200
OK

No Sample Response

This method does not specify any sample responses.

GET /api/cloudauth/v1/organizations

Request

Query Parameters

provider
string
Allowable values: [PROVIDER_UNSPECIFIED,PROVIDER_AWS,PROVIDER_AZURE,PROVIDER_GCP,PROVIDER_OKTA,PROVIDER_GITHUB,PROVIDER_IBMCLOUD]
limit
string
offset
string
verbosity
string
Organization verbosity level:
- VERBOSITY_UNSPECIFIED - default, same as DETAIL
- VERBOSITY_IDENT - only indentifying information of the entity
- VERBOSITY_INFO - includes all fields of entity; excludes nested entities and collections
- VERBOSITY_FULL - includes all fields of entity and nested entities; excludes collections
- VERBOSITY_DETAIL - default; includes all fields of the entity, nested entities and collections
- VERBOSITY_DEBUG - debugging information
- VERBOSITY_TRACE - all available information
Allowable values: [VERBOSITY_UNSPECIFIED,VERBOSITY_IDENT,VERBOSITY_INFO,VERBOSITY_FULL,VERBOSITY_DETAIL,VERBOSITY_DEBUG,VERBOSITY_TRACE]

Response

Response Body

object

Status Code

200
OK
400
The given request is invalid.
401
Invalid or missing auth token.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

POST /api/cloudauth/v1/organizations

Request

Request Body

Required*

object

CloudOrganization captures a metadata fields associated with a cloud/service provider organization.

Response

Response Body

object

CloudOrganization captures a metadata fields associated with a cloud/service provider organization.

Status Code

200
OK
400
The given request is invalid.
401
Invalid or missing auth token.
409
The result would create conflicting condition.
424
The method could not be performed on the resource because the requested action depended on another action, and that action failed
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

DELETE /api/cloudauth/v1/organizations/{organizationId}

Request

Path Parameters

organizationId
Required*
string

Response

Status Code

204
NoContent
400
The given request is invalid.
401
Invalid or missing auth token.
404
The requested entity was not found.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

GET /api/cloudauth/v1/organizations/{organizationId}

Request

Path Parameters

organizationId
Required*
string

Query Parameters

verbosity
string
Organization verbosity level:
- VERBOSITY_UNSPECIFIED - default, same as DETAIL
- VERBOSITY_IDENT - only indentifying information of the entity
- VERBOSITY_INFO - includes all fields of entity; excludes nested entities and collections
- VERBOSITY_FULL - includes all fields of entity and nested entities; excludes collections
- VERBOSITY_DETAIL - default; includes all fields of the entity, nested entities and collections
- VERBOSITY_DEBUG - debugging information
- VERBOSITY_TRACE - all available information
Allowable values: [VERBOSITY_UNSPECIFIED,VERBOSITY_IDENT,VERBOSITY_INFO,VERBOSITY_FULL,VERBOSITY_DETAIL,VERBOSITY_DEBUG,VERBOSITY_TRACE]

Response

Response Body

object

CloudOrganization captures a metadata fields associated with a cloud/service provider organization.

Status Code

200
OK
400
The given request is invalid.
401
Invalid or missing auth token.
404
The requested entity was not found.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

PUT /api/cloudauth/v1/organizations/{organizationId}

Request

Path Parameters

organizationId
Required*
string

Request Body

Required*

object

CloudOrganization captures a metadata fields associated with a cloud/service provider organization.

Response

Response Body

object

CloudOrganization captures a metadata fields associated with a cloud/service provider organization.

Status Code

200
OK
400
The given request is invalid.
401
Invalid or missing auth token.
404
The requested entity was not found.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

POST /api/cloudauth/v1/organizations/{organizationId}/validate

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object

CloudOrganization captures a metadata fields associated with a cloud/service provider organization.

Status Code

200
OK
401
Invalid or missing auth token.
404
The requested entity was not found.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

Gets the list of cloud resources and their compliance data for a specific control

GET /api/cspm/v1/cloud/resources

Request

Query Parameters

controlId
Required*
string
Control ID

Example: 21
providerType
Required*
string
Provider type to retrieve resources for (AWS, GCP or Azure)

Example: AWS
resourceKind
Required*
string
Resource kind

Example: AWS_S3_BUCKET
filter
string
Query language expression for filtering results. Operators:
- and, or and not logical operators
- =, !=
- in
- contains and startsWith to check partial values of attributes
List of supported fields:
- zones.id
  - Type: integer
  - Example: zones.id=1
  - Description: Evaluated zone ID.
- zoneName
  - Type: string
  - Description: Zone name
- policyId
  - Type: integer
  - Example: policyId=1
  - Description: Evaluated policy ID.
- policyName
  - Type: string
  - Description: Policy name
- pass
  - Type: boolean
  - Example: pass=true
  - Description: Passing status of resource.
- accepted
  - Type: boolean
  - Example: accepted=true
  - Description: Return accepted resources.
- name
  - Type: string
  - Description: Resource name.
- account
  - Type: string
  - Description: Cloud Account that this resource belongs to.
- location
  - Type: string
  - Description: Region where this resource is located.
- organization
  - Type: string
  - Description: Organization that this resource belongs to.
Note: Whenever filtering for values with special characters, the values need to be encoded. When “ or \ are the special characters, they need to be escaped with \ and then encoded.
Example: pass=false or accepted=true
pageNumber
integer
Page number. Defaults to 1.

Example: 1
pageSize
integer
Page size. Defaults to 50.

Example: 50

Response

Response Body

Status Code

200
Successfully returned CSPM v1 Cloud resources.
401
Invalid or missing auth token.
403
Forbidden access to CSPM v1.
500
The server encountered an unexpected condition that prevented it from fulfilling the request.
503
Service is unavailable.

No Sample Response

This method does not specify any sample responses.

Gets the list of cluster analysis resources and their compliance data for a specific control

GET /api/cspm/v1/clusteranalysis/resources

Request

Query Parameters

controlId
Required*
string
Control ID

Example: 21
benchmarkType
Required*
integer
Type of benchmark to retrieve resources for (0-Linux, 1-Docker, 2-Kubernetes). Defaults to 0.

Example: 1
resourceKind
Required*
string
Resource kind ('host' or 'cluster')

Example: host
filter
string
Query language expression for filtering results. Operators:
- and, or and not logical operators
- =, !=
- in
- contains and startsWith to check partial values of attributes
List of supported fields:
- zones.id
  - Type: integer
  - Example: zones.id=1
  - Description: Evaluated zone ID.
- zoneName
  - Type: string
  - Description: Zone name
- policyId
  - Type: integer
  - Example: policyId=1
  - Description: Evaluated policy ID.
- policyName
  - Type: string
  - Description: Policy name
- pass
  - Type: boolean
  - Example: pass=true
  - Description: Passing status of resource.
- accepted
  - Type: boolean
  - Example: accepted=true
  - Description: Return accepted resources.
- clusterName
  - Type: string
  - Description: Cluster name.
- name
  - Type: string
  - Description: Host name.
- nodeInfo.osName
  - Type: string
  - Description: Host operating system.
- nodeInfo.osImage
  - Type: string
  - Description: Host operating system image.
- distributionName
  - Type: string
  - Description: Kubernetes Distribution Name.
  - Example: distributionName in ("Vanilla")
- distributionVersion
  - Type: string
  - Description: Kubernetes Distribution Version.
  - Example: distributionVersion in (1.23, 1.25)
- platformAccountId
  - Type: string
  - Description: Cloud Account ID
  - Example: 012345678901
Note: Whenever filtering for values with special characters, the values need to be encoded. When “ or \ are the special characters, they need to be escaped with \ and then encoded.
Example: pass=false or accepted=true
pageNumber
integer
Page number. Defaults to 1.

Example: 1
pageSize
integer
Page size. Defaults to 50.

Example: 50

Response

Response Body

Status Code

200
Successfully returned CSPM v1 Cluster Analysis resources.
401
Invalid or missing auth token.
403
Forbidden access to CSPM v1.
500
The server encountered an unexpected condition that prevented it from fulfilling the request.
503
Service is unavailable.

No Sample Response

This method does not specify any sample responses.

Get the compliance results for a given filter.

GET /api/cspm/v1/compliance/requirements

Request

Query Parameters

filter
string
Query language expression for filtering results. Operators:
- and, or and not logical operators
- =, !=
- in
- contains and startsWith to check partial values of attributes
List of supported fields:
- name
  - Type: string
  - Example: name in ("1.5 - Exposing HostPort")
  - Description: The compliance requirements that will be included in the results.
- policy.name
  - Type: string
  - Example: policy.name in ("CIS Distribution Independent Linux Benchmark", "CIS Docker Benchmark")
  - Description: The compliance policies that will be included in the results.
- zone.name
  - Type: string
  - Example: zone.name="Entire Infrastructure"
  - Description: The zones that will be included in the results.
- pass
  - Type: boolean
  - Example: pass=false
  - Description: Show passing or failing requirements. If no value - will show both passing and failing requirements.
- severity
  - Type: Integer
  - Example: severity in (3, 2)
  - Description: Requirement severity. (1=low, 2=medium, 3=high)
Note: Whenever filtering for values with special characters, the values need to be encoded. When “ or \ are the special characters, they need to be escaped with \ and then encoded.
Example: pass=false and policy.name in ("CIS Amazon Web Services Foundations Benchmark") and severity=3
pageNumber
integer
Page number. Defaults to 1.

Example: 1
pageSize
integer
Page size. Defaults to 10.

Example: 50

Response

Response Body

Status Code

200
Successfully returned CSPM v1 Compliance Results.
401
Invalid or missing auth token.
403
Forbidden access to CSPM v1.
500
The server encountered an unexpected condition that prevented it from fulfilling the request.
503
Service is unavailable.

No Sample Response

This method does not specify any sample responses.

Get the high-level compliance views for all zones.

GET /api/cspm/v1/compliance/views

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object

Status Code

200
Successfully returned CSPM v1 Compliance Views.
401
Invalid or missing auth token.
403
Forbidden access to CSPM v1.
500
The server encountered an unexpected condition that prevented it from fulfilling the request.
503
Service is unavailable.

No Sample Response

This method does not specify any sample responses.

Add view to favorites or remove from favorites.

PUT /api/cspm/v1/compliance/views/favorite

Request

Request Body

Required*

View to add to favorites or remove from favorites.

Response

Status Code

200
Successfully added or remove view from favorites.
401
Invalid or missing auth token.
403
Forbidden access to CSPM v1.
500
The server encountered an unexpected condition that prevented it from fulfilling the request.
503
Service is unavailable.

No Sample Response

This method does not specify any sample responses.

Accept a Posture Risk by parameters

POST /api/cspm/v1/compliance/violations/acceptances

Request

Request Body

object

Risk Accept Parameters

Response

Response Body

object

Risk acceptance data

Status Code

200
Successfully accepted a Posture Risk
401
Invalid or missing auth token.
403
Forbidden access to CSPM v1.
500
The server encountered an unexpected condition that prevented it from fulfilling the request.
503
Service is unavailable.

No Sample Response

This method does not specify any sample responses.

Gets the list of Kubernetes resources and their compliance data for a specific control

GET /api/cspm/v1/kube/resources

Request

Query Parameters

controlId
Required*
string
Control ID

Example: 21
resourceKind
Required*
string
Resource kind ('workload', 'subject', 'role' or 'group')

Example: workload
filter
string
Query language expression for filtering results. Operators:
- and, or and not logical operators
- =, !=
- in
- contains and startsWith to check partial values of attributes
List of supported fields:
- zones.id
  - Type: integer
  - Example: zones.id=1
  - Description: Evaluated zone ID.
- zoneName
  - Type: string
  - Description: Zone name
- policyId
  - Type: integer
  - Example: policyId=1
  - Description: Evaluated policy ID.
- policyName
  - Type: string
  - Description: Policy name
- pass
  - Type: boolean
  - Example: pass=true
  - Description: Passing status of resource.
- accepted
  - Type: boolean
  - Example: accepted=true
  - Description: Return accepted resources.
- clusterName
  - Type: string
  - Description: Cluster name.
- name
  - Type: string
  - Description: Resource name.
- namespace
  - Type: string
  - Description: Resource namespace.
- type
  - Type: string
  - Example: type="DaemonSet"
  - Description: Resource k8s type.
- labelValues
  - Type: string
  - Description: Resource labels.
- distributionName
  - Type: string
  - Description: Kubernetes Distribution Name.
  - Example: distributionName in ("Vanilla")
- distributionVersion
  - Type: string
  - Description: Kubernetes Distribution Version.
  - Example: distributionVersion in (1.23, 1.25)
- platformAccountId
  - Type: string
  - Description: Cloud Account ID
  - Example: 012345678901
Note: Whenever filtering for values with special characters, the values need to be encoded. When “ or \ are the special characters, they need to be escaped with \ and then encoded.
Example: pass=false or accepted=true
pageNumber
integer
Page number. Defaults to 1.

Example: 1
pageSize
integer
Page size. Defaults to 50.

Example: 50

Response

Response Body

Status Code

200
Successfully returned CSPM v1 Kubernetes resources.
401
Invalid or missing auth token.
403
Forbidden access to CSPM v1.
500
The server encountered an unexpected condition that prevented it from fulfilling the request.
503
Service is unavailable.

No Sample Response

This method does not specify any sample responses.

Create or update a CSPM control.

POST /api/cspm/v1/policy/controls

Request

Request Body

Required*

Response

Response Body

Status Code

200
Successfully saved control.
401
Invalid or missing auth token.
403
Forbidden access to CSPM v1.
500
The server encountered an unexpected condition that prevented it from fulfilling the request.
503
Service is unavailable.

No Sample Response

This method does not specify any sample responses.

Get the list of resource kinds for controls.

GET /api/cspm/v1/policy/controls/resource-template/kinds

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

Status Code

200
Successfully retrieved resource kinds.
401
Invalid or missing auth token.
403
Forbidden access to CSPM v1.
500
The server encountered an unexpected condition that prevented it from fulfilling the request.
503
Service is unavailable.

No Sample Response

This method does not specify any sample responses.

Get the resource example for a specific resource kind.

GET /api/cspm/v1/policy/controls/resource-template/view/{resource_kind}

Request

Path Parameters

resource_kind
Required*
string

Response

Response Body

Status Code

200
Successfully retrieved resource example.
401
Invalid or missing auth token.
403
Forbidden access to CSPM v1.
500
The server encountered an unexpected condition that prevented it from fulfilling the request.
503
Service is unavailable.

No Sample Response

This method does not specify any sample responses.

Gets the CSPM controls for a given filter.

GET /api/cspm/v1/policy/controls/search

Request

Query Parameters

filter
string
Query language expression for filtering results. Operators:
- and, or and not logical operators
- =, !=
- in
- contains and startsWith to check partial values of attributes
List of supported fields:
- name
  - Type: string
  - Description: Control name.
- description
  - Type: string
  - Description: Control description.
- severity
  - Type: Integer
  - Description: Requirement severity. (1=low, 2=medium, 3=high)
  - Example: severity in (3, 2)
- type
  - Type: string
  - Description: Host control type.
  - Example: type="Host"
- target
  - Type: string
  - Description: Control supported target. ("AKS", "AWS", "Azure", "Docker" ,"EKS", "Linux", "GCP", "GKE", "IKS", "MKE", "OCP4", "Vanilla")
  - Example: target in ("IKS")
Note: Whenever filtering for values with special characters, the values need to be encoded. When “ or \ are the special characters, they need to be escaped with \ and then encoded.
Example: type="host" and severity in (3, 2)
pageNumber
integer
Page number. Defaults to 1.

Example: 1
pageSize
integer
Page size. Defaults to 50.

Example: 50

Response

Response Body

Status Code

200
Successfully returned CSPM v1 controls.
401
Invalid or missing auth token.
403
Forbidden access to CSPM v1.
500
The server encountered an unexpected condition that prevented it from fulfilling the request.
503
Service is unavailable.

No Sample Response

This method does not specify any sample responses.

Test a rego policy.

POST /api/cspm/v1/policy/controls/test-rego

Request

Request Body

Required*

Response

Response Body

Status Code

200
Successfully tested rego policy.
401
Invalid or missing auth token.
403
Forbidden access to CSPM v1.
500
The server encountered an unexpected condition that prevented it from fulfilling the request.
503
Service is unavailable.

No Sample Response

This method does not specify any sample responses.

Get control configurations for a specific control ID.

GET /api/cspm/v1/policy/controls/{controlId}/configuration

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object

Status Code

200
Successfully retrieved control configurations.
401
Invalid or missing auth token.
403
Forbidden access to CSPM v1.
500
The server encountered an unexpected condition that prevented it from fulfilling the request.
503
Service is unavailable.

Example responses

Status 200

{
  "default": {
    "severity": 1,
    "violationValue": [
      "644",
      "400"
    ]
  },
  "system": {
    "severity": 3,
    "violationValue": [
      "600"
    ]
  }
}
Copy to clipboard

Update control configurations for a specific control ID.

PUT /api/cspm/v1/policy/controls/{controlId}/configuration

Request

Request Body

object

Examples:

Response

Response Body

object

Status Code

200
Successfully updated control configurations.
401
Invalid or missing auth token.
403
Forbidden access to CSPM v1.
500
The server encountered an unexpected condition that prevented it from fulfilling the request.
503
Service is unavailable.

Example responses

Status 200

{
  "default": {
    "severity": 1,
    "violationValue": [
      "644",
      "400"
    ]
  },
  "system": {
    "severity": 3,
    "violationValue": [
      "600"
    ]
  }
}
Copy to clipboard

Gets the list of policies for a given filter.

GET /api/cspm/v1/policy/policies/list

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

Status Code

200
Successfully returned CSPM v1 policies.
401
Invalid or missing auth token.
403
Forbidden access to CSPM v1.
500
The server encountered an unexpected condition that prevented it from fulfilling the request.
503
Service is unavailable.

No Sample Response

This method does not specify any sample responses.

Gets the list of zones.

GET /api/cspm/v1/policy/zones

Request

Query Parameters

filter
string
Query language expression for filtering results.

Operators:
- and, or and not logical operators
- =, !=
- >, >=, <, <=
- in
- contains and startsWith to check partial values of attributes
Note: Whenever filtering for values with special characters, the values need to be encoded. When “ or \ are the special characters, they need to be escaped with \ and then encoded.
Example: name in "zone1"
pageNumber
integer
Page number. Defaults to 1.

Example: 1
pageSize
integer
Page size. Defaults to 50.

Example: 50

Response

Response Body

Status Code

200
Successfully returned CSPM v1 zones.
401
Invalid or missing auth token.
403
Forbidden access to CSPM v1.
500
The server encountered an unexpected condition that prevented it from fulfilling the request.
503
Service is unavailable.

No Sample Response

This method does not specify any sample responses.

Create a new zone or update an existing one

POST /api/cspm/v1/policy/zones

Request

Request Body

Required*

Zone to create

Response

Response Body

Status Code

200
Successfully created or updated CSPM v1 zone.
401
Invalid or missing auth token.
403
Forbidden access to CSPM v1.
500
The server encountered an unexpected condition that prevented it from fulfilling the request.
503
Service is unavailable.

No Sample Response

This method does not specify any sample responses.

Deletes a zone.

DELETE /api/cspm/v1/policy/zones/delete/{id}

Request

Path Parameters

id
Required*
integer
Zone ID

Example: 3

Response

Status Code

200
Successfully deleted CSPM v1 zone.
401
Invalid or missing auth token.
403
Forbidden access to CSPM v1.
500
The server encountered an unexpected condition that prevented it from fulfilling the request.
503
Service is unavailable.

No Sample Response

This method does not specify any sample responses.

Search and list CSPM Tasks.

GET /api/cspm/v1/tasks

Request

Query Parameters

filter
string
Query language expression for filtering results.

Operators:
- and, or and not logical operators
- =, !=
- >, >=, <, <=
- in
- contains and startsWith to check partial values of attributes
List of supported fields:
- type
  - Type: string
  - Description: Task type.
    
    Kubernetes Host Scan - Scans and evaluates the Linux, Docker, and Kubernetes configurations on Kubernetes hosts.
    
    Kubernetes Scan - Scans and evaluates Kubernetes resource manifests.
    
    Git Integration Scan - Scans and evaluates Infrastructure-as-Code (IAC) files from a Git integration.
    
    Init Cloud Scan - Initiates Cloud Scan tasks for connected cloud accounts.
    
    Cloud Scan - Scans and evaluates cloud resources.
    
    Host Benchmark Scan - Scans and evaluates Linux and Docker configurations on a Linux host.
  - Supported operators: =, !=, in, not in
  - Example: type="kuberenetes scan"
- parameters:
  - Type: string
  - Description: Task parameters:
    
    Benchmark Type
    Description: The type of requested scan - 0=Linux, 1=Docker, 2=Kubernetes. A benchmark scan collects Linux\Docker\Kubernetes configuration per this parameter.
    Related Task Types: Kubernetes Host Scan, Kubernetes Scan, Host Benchmark Scan
    
    Cluster
    Description: The kubernetes cluster name.
    Related Task Types: Kubernetes Host Scan, Kubernetes Scan
    
    Host
    Description: The linux host name to run Linux\Docker benchmark scan on.
    Related Task Types: Host Benchmark Scan
    
    GitIntegration:
    Description: The Git Integration Id to run a scan on.
    Related Task Types: Git Integration Scan
    
    Account
    Description: The Cloud Account Id. Related Task Types: Init Cloud Scan, Cloud Scan
    
    ProviderType
    Description: The Cloud Account provider type. Possible values are "AWS", "GCP", or "Azure". Related Task Types: Init Cloud Scan, Cloud Scan
  - example: parameters contains 'providertype: aws'
- startDate
  - Type: string
  - Description: Task created at in UTC. Format: "YYYY-MM-DD HH:mm:ss"
  - Supported operators: =,!=,>, >=, <,<=
  - Example: startDate > "2023-05-28 10:00:00"
- endDate
  - Type: string
  - Description: Task ended at in UTC. Format: "YYYY-MM-DD HH:mm:ss"
  - Supported operators: =,!=,>, >=, <,<=
  - Example: endDate <= "2023-05-28 10:00:00"
- status
  - Type: string
  - Description: Task status.
    
    Pending
    
    Running
    
    Completed
    
    Failed
    
    Canceled
    
    CompletedWithWarning
  - Supported operators: =, !=, in, not in
  - Example: status in ("running", "pending")
Note: Whenever filtering for values with special characters, the values need to be encoded. When “ or \ are the special characters, they need to be escaped with \ and then encoded.
Example: type="Cloud Scan" and status in ("pending", "running")
pageNumber
integer
Page number. Defaults to 1.

Example: 1
pageSize
integer
Page size. Defaults to 20.

Example: 20

Response

Response Body

Status Code

200
Successfully returned CSPM v1 tasks.
401
Invalid or missing auth token.
403
Forbidden access to CSPM v1.
500
The server encountered an unexpected condition that prevented it from fulfilling the request.
503
Service is unavailable.

No Sample Response

This method does not specify any sample responses.

Gets the CSPM task for a given task Id.

GET /api/cspm/v1/tasks/{taskId}

Request

Path Parameters

taskId
Required*
integer
Task ID

Example: 3

Response

Response Body

Status Code

200
Successfully returned CSPM v1 tasks.
401
Invalid or missing auth token.
403
Forbidden access to CSPM v1.
500
The server encountered an unexpected condition that prevented it from fulfilling the request.
503
Service is unavailable.

No Sample Response

This method does not specify any sample responses.

Rerun task by task Id.

POST /api/cspm/v1/tasks/{taskId}/rerun

Request

Path Parameters

taskId
Required*
integer
Task ID

Example: 3

Response

Response Body

Status Code

200
Successfully reran CSPM task.
401
Invalid or missing auth token.
403
Forbidden access to CSPM v1.
500
The server encountered an unexpected condition that prevented it from fulfilling the request.
503
Service is unavailable.

No Sample Response

This method does not specify any sample responses.

Search for Inventory Resources based on a given filter.

GET /api/cspm/v1/inventory/resources

Request

Query Parameters

filter
string
Query language expression for filtering results. Operators:
- and, or and not logical operators
- =, !=
- in
- contains and startsWith to check partial values of attributes
- exists to check if a field exists and not empty
List of supported fields:
- account
  - Type: string
  - Example: account in ("285211435247")
  - Description: The account that will be included in the results.
- cluster
  - Type: string
  - Example: cluster in ("cluster1")
  - Description: The kubernetes cluster that will be included in the results.
- externalDNS
  - Type: string
  - Example: externalDNS in ("ec2-103-34-15-23.compute-1.amazonaws.com")
  - Description: The external DNS that will be included in the results.
- distribution
  - Type: string
  - Example: distribution in ("gke", "vanilla")
  - Description: The kubernetes distribution that will be included in the results.
- integrationName
  - Type: string
  - Example: integrationName = "github-integration"
  - Description: The name of the integration an IaC resource belongs to.
- labels
  - Type: string
  - Example: not labels exists
  - Description: The resource labels that will be included in the results.
- location
  - Type: string
  - Example: location starts with "https://bitbucket.org/organizations-workspace/teams-repository/src"
  - Description: The web address of an IaC Manifest.
- name
  - Type: string
  - Example: name starts with "acl"
  - Description: The names that will be included in the results.
- namespace
  - Type: string
  - Example: namespace contains "production"
  - Description: The namespace that will be included in the results.
- nodeType
  - Type: string
  - Example: nodeType="Worker"
  - Description: The nodeType that will be included in the results.
- osName
  - Type: string
  - Example: osName != "linux"
  - Description: The operating system that will be included in the results.
- osImage
  - Type: string
  - Example: osImage = "Ubuntu 18.04.6 LTS"
  - Description: The operating system image that will be included in the results.
- organization
  - Type: string
  - Example: organization = "s-xqe92dwe61"
  - Description: The organization that will be included in the results.
- platform
  - Type: string
  - Example: platform = "AWS"
  - Description: The platform that will be included in the results.
- control.accepted
  - Type: string
  - Example: control.accepted exists
  - Description: Include (or Exclude) only resources with accepted results. Supported operators: exists and not exists.
- policy
  - Type: string
  - Example: policy in (“CIS Docker Benchmark”)
  - Description: Include resources that applied the selected policies. Supported operators: in, not in, exists, not exists.
- control.severity
  - Type: string
  - Example: control.severity in ("High")
  - Description: Include resources that have violated risks in the selected severities. Supported operators: in, not in.
- control.failed
  - Type: string
  - Example: control.failed in ("/etc/default/docker owned by root:root")
  - Description: Include resources that have violated the selected risks. Supported operators: in, not in, exists, not exists.
- policy.failed
  - Type: string
  - Example: policy.failed in ("PCI DSS (Payment Card Industry Data Security Standard) v3.2.1")
  - Description: Include resources that failed the selected policies. Supported operators: in, not in, exists, not exists.
- policy.passed in ("CIS Kubernetes V1.20 Benchmark")
  - Type: string
  - Example: policy.passed in ("CIS Kubernetes V1.20 Benchmark")
  - Description: Include resources that passed the selected policies. Supported operators: in, not in, exists, not exists.
- project
  - Type: string
  - Example: project = "project1"
  - Description: The project that will be included in the results.
- region
  - Type: string
  - Example: region in ("europe-west1")
  - Description: The regions that will be included in the results.
- repository
  - Type: string
  - Example: repository in ("e2e-repo")
  - Description: The Repository an IaC resource belongs to.
- resourceOrigin
  - Type: string
  - Example: resourceOrigin = "Code"
  - Description: Origin of the resource. Supported values: Code, Deployed.
- type
  - Type: string
  - Example: type = "Account"
  - Description: The resource types that will be included in the results.
- subscription
  - Type: string
  - Example: subscription = "Azure subscription 1"
  - Description: The Azure subscriptions that will be included in the results.
- sourceType
  - Type: string
  - Example: sourceType = "YAML"
  - Description: The source type of an IaC resource. Supported values: YAML, Kustomize, Terraform, Helm.
- version
  - Type: string
  - Example: version = "1.1"
  - Description: The versions that will be included in the results.
- zone
  - Type: string
  - Example: zone in ("zone1")
  - Description: The zones that will be included in the results.
- category
  - Type: string
  - Example: category in ("Compute", "IAM")
  - Description: The category that will be included in the results.
Note: Whenever filtering for values with special characters, the values need to be encoded. When “ or \ are the special characters, they need to be escaped with \ and then encoded.
Example: platform = "AWS" and policy.failed in ("CIS Amazon Web Services Foundations Benchmark")
pageNumber
integer
Page number. Defaults to 1.

Example: 1
pageSize
integer
Page size. Defaults to 20.

Example: 20
fields
string
The desired fields to be returned from the query. Defaults to hash,name,platform,type,configapiendpoint,labels,lastseen,metadata,zones,posturepolicysummary,resourceorigin,category. Fields that are not specified will return empty (even if they have values).

Example: name,platform,posturecontrolsummary

Response

Response Body

Status Code

200
Successfully returned Inventory v1 resources.
401
Invalid or missing auth token.
403
Forbidden access to Inventory v1.
500
The server encountered an unexpected condition that prevented it from fulfilling the request.
503
Service is unavailable.

No Sample Response

This method does not specify any sample responses.

Retrieve an Inventory Resource by its hash

GET /api/cspm/v1/inventory/resources/{hash}

Request

Path Parameters

hash
Required*
string
The resource’s hash

Example: 62e348b71acd7be14a4bdfcc

Query Parameters

fields
string
The desired fields to be returned from the query. Defaults to hash,name,platform,type,configapiendpoint,labels,lastseen,metadata,zones,posturepolicysummary,resourceorigin,category. Fields that are not specified will return empty (even if they have values).

Example: name,platform,posturecontrolsummary

Response

Response Body

Status Code

200
Successfully returned an Inventory v1 resource.
401
Invalid or missing auth token.
403
Forbidden access to Inventory v1.
500
The server encountered an unexpected condition that prevented it from fulfilling the request.
503
Service is unavailable.

No Sample Response

This method does not specify any sample responses.

Retrieve a group of all rules matching a list of given names. This is used to show how a base rule is modified by later rules that override/append to the rule. This API would be faster than making calls to "#/api/secure/rules/groups" with one rule name at a time

GET /api/policies/v3/rules/groups

Request

Query Parameters

names
Required*
string[]

Response

Response Body

object[][]

Status Code

200
A wrapper object containing array of rule groups, where outside array size will be the same size as the valid rule names passed in query params and these will be sorted by the name. Each rule group will contain base rule followed by appends and will be ordered by rule origin ["Secure UI", "Sysdig", "Profiling", "Tuner"]
400
Indicates the names field is either missing or is empty

No Sample Response

This method does not specify any sample responses.

Save a new rule

POST /api/secure/rules

Request

Request Body

Required*

object

Response

Response Body

object

Status Code

200
The saved rule
400
The provided rule is not valid

No Sample Response

This method does not specify any sample responses.

Retrieve a group of all rules having the given name. This is used to show how a base rule is modified by later rules that override/append to the rule. If there are multiple rules with the same name of different types, rule type must be specified.

GET /api/secure/rules/groups

Request

Query Parameters

name
Required*
string
type
string

Response

Response Body

object[]

Status Code

200
An array of rules

No Sample Response

This method does not specify any sample responses.

Retrieve a map of rule names to their corresponding policies that use them. The accept header will include "lite" to indicate the lightweight response of the endpoint should be returned e.g. 'application/xhtml+xml; lite' and return the full representation if not requested

GET /api/secure/rules/policyMappings

Request

Query Parameters

origin
string
A string naming the entity that created this rule. This, combined with the version identifier, corresponds to the "Published by" field in the UI. The origin should be "Secure UI" for objects created by the Secure UI, "Sysdig" for objects provided by Sysdig, and "Customer" for objects provided programmatically by the customer.

Allowable values: [Secure UI,Sysdig,Customer,Profiling,K8s Policy Advisor,Compliance,Tuner]
Example: Secure UI

Response

Response Body

One of

Change Schema Parameter List

Status Code

200
An array of policies

No Sample Response

This method does not specify any sample responses.

Returns the list of rules in the system. These are grouped by name and do not necessarily represent individual rule objects, as multiple rules can have the same name.

GET /api/secure/rules/summaries

Request

Query Parameters

policyType
string
A name for a non overlapping subset of policies that share common characteristics. The enums falco and list_matching correspond to the FalcoSource enum syscall, k8s_audit corresponds to k8s_audit, and the others will map to a future enum value once OSS Falco decides a name

Allowable values: [falco,list_matching,k8s_audit,aws_cloudtrail,gcp_auditlog,azure_platformlogs,drift,machine_learning,falco_cloud_awscloudtrail]

Response

Response Body

object[]

Status Code

200
An array of rules grouped by name.

No Sample Response

This method does not specify any sample responses.

Retrieves every tag associated with a runtime rule irrespective of whether or not that rule is used by a policy

GET /api/secure/rules/tags

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object

Status Code

200
The array representing all the tags

No Sample Response

This method does not specify any sample responses.

DELETE /api/secure/rules/{ruleId}

Request

Path Parameters

ruleId
Required*
integer

Response

Response Body

object

Status Code

200
The rule that was deleted

No Sample Response

This method does not specify any sample responses.

GET /api/secure/rules/{ruleId}

Request

Path Parameters

ruleId
Required*
integer

Response

Response Body

object

Status Code

200
The rule with the given id

No Sample Response

This method does not specify any sample responses.

PUT /api/secure/rules/{ruleId}

Request

Path Parameters

ruleId
Required*
integer

Request Body

Required*

object

Response

Response Body

object

Status Code

200
The rule with the given id
400
The provided rule is not valid
404
Resource with the specified ID could not be found. More information about 404 can be found at https://httpstatuses.com/404
409
The user must first perform a GET request to get the current version of the resource. The user must then compare the remote version with the local expected version and merge any updates from remote if needed and then update the local version to match the remote version. More information about 409 can be found at https://httpstatuses.com/409

No Sample Response

This method does not specify any sample responses.

GET /api/reporting/v1/{domain}/reports/{fileId}

Request

Custom Headers

Accept
string
Allowable values: [application/json,application/pdf,text/csv]

Path Parameters

domain
Required*
string
The data domain of the report. The only supported value is scanning

Allowable values: [scanning]
Example: scanning
fileId
Required*
string
The ID of the generated report ready for download

Example: 1ueqXHvmzvtwJV2lFr8z8wdydu

Response

Response Body

object[]

Status Code

200
Report content
307
Requested report available for download at another location
404
Requested report not found

Example responses

Report not found

GET /api/reporting/v1/{domain}/schedules

Request

Path Parameters

domain
Required*
string
The data domain of the report. The only supported value is scanning

Allowable values: [scanning]
Example: scanning

Response

Response Body

object[]

Schedule and configuration definition for a report generation

Status Code

200
The list of all saved schedules for report generation

No Sample Response

This method does not specify any sample responses.

POST /api/reporting/v1/{domain}/schedules

Request

Path Parameters

domain
Required*
string
The data domain of the report. The only supported value is scanning

Allowable values: [scanning]
Example: scanning

Request Body

Required*

object

Schedule and configuration definition for a report generation

Response

Response Body

object

Schedule and configuration definition for a report generation

Status Code

200
The created schedule for report generation
400
Bad Request

Example responses

Invalid report configuration

DELETE /api/reporting/v1/{domain}/schedules/{scheduleId}

Request

Path Parameters

domain
Required*
string
The data domain of the report. The only supported value is scanning

Allowable values: [scanning]
Example: scanning
scheduleId
Required*
string
The ID of the schedule for report generation

Example: schedule-1hDkklCWc5UtuFhwCaZkbFNY5ZV

Response

Status Code

204
Schedule for report generation removed

No Sample Response

This method does not specify any sample responses.

GET /api/reporting/v1/{domain}/schedules/{scheduleId}

Request

Path Parameters

domain
Required*
string
The data domain of the report. The only supported value is scanning

Allowable values: [scanning]
Example: scanning
scheduleId
Required*
string
The ID of the schedule for report generation

Example: schedule-1hDkklCWc5UtuFhwCaZkbFNY5ZV

Response

Response Body

object

Schedule and configuration definition for a report generation

Status Code

200
Configuration for the requested schedule for report generation
404
Requested report generation schedule not found

Example responses

Report generation schedule not found

PUT /api/reporting/v1/{domain}/schedules/{scheduleId}

Request

Path Parameters

domain
Required*
string
The data domain of the report. The only supported value is scanning

Allowable values: [scanning]
Example: scanning
scheduleId
Required*
string
The ID of the schedule for report generation

Example: schedule-1hDkklCWc5UtuFhwCaZkbFNY5ZV

Request Body

Required*

object

Schedule and configuration definition for a report generation

Response

Response Body

object

Schedule and configuration definition for a report generation

Status Code

200
Updated configuration for the requested schedule for report generation
400
Bad Request
404
Requested report generation schedule not found

Example responses

Invalid report configuration
Report generation schedule not found

POST /api/reporting/v1/{domain}/schedules/{scheduleId}/run

Request

Path Parameters

domain
Required*
string
The data domain of the report. The only supported value is scanning

Allowable values: [scanning]
Example: scanning
scheduleId
Required*
string
The ID of the schedule for report generation

Example: schedule-1hDkklCWc5UtuFhwCaZkbFNY5ZV

Response

Status Code

202
Generation of requested report accepted
400
Bad Request
403
Generation of requested report is either forbidden or disabled
404
Requested report generation schedule not found
429
Report generation is either already running or will be running shortly

Example responses

Invalid request payload
Report generation forbidden or disabled
Report generation schedule not found
Report generation already running

GET /api/reporting/v1/{domain}/{reportType}/config

Request

Path Parameters

domain
Required*
string
The data domain of the report. The only supported value is scanning

Allowable values: [scanning]
Example: scanning
reportType
Required*
string
The kind of report to generate

Allowable values: [vulnerabilities,policies]
Example: vulnerabilities

Response

Response Body

object

Status Code

200
Options available to define a report configuration

No Sample Response

This method does not specify any sample responses.

POST /api/reporting/v1/{domain}/{reportType}/preview

Request

Path Parameters

domain
Required*
string
The data domain of the report. The only supported value is scanning

Allowable values: [scanning]
Example: scanning
reportType
Required*
string
The kind of report to generate

Allowable values: [vulnerabilities,policies]
Example: vulnerabilities

Request Body

Required*

object

Configuration of a report generation

Response

Response Body

object[]

Status Code

200
The result preview for the requested report configuration
400
Bad Request

Example responses

Invalid report configuration

Note This API is compatible only with new scanning engine

GET /api/scanning/reporting/v2/schedules

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object[]

Schedule and configuration definition for a report generation

Status Code

200
The list of all saved schedules for report generation

No Sample Response

This method does not specify any sample responses.

Note This API is compatible only with new scanning engine

POST /api/scanning/reporting/v2/schedules

Request

Request Body

Required*

object

Schedule and configuration definition for a report generation

Response

Response Body

object

Schedule and configuration definition for a report generation

Status Code

200
The created schedule for report generation
400
Bad Request

Example responses

Invalid report configuration

Note This API is compatible only with new scanning engine

POST /api/scanning/reporting/v2/schedules/disable

Request

No Request Parameters

This method does not accept any request parameters.

Response

Status Code

200
Request completed successfully
400
Bad Request
403
Disable is either forbidden or disabled

Example responses

Invalid request payload
Disable is either forbidden or disabled

Note This API is compatible only with new scanning engine

DELETE /api/scanning/reporting/v2/schedules/{scheduleId}

Request

Path Parameters

scheduleId
Required*
string
The ID of the schedule for report generation

Example: 1hDklCWc5UtuFhwCaZkbFNY5ZV

Response

Status Code

204
Schedule for report generation removed
404
Schedule not found

No Sample Response

This method does not specify any sample responses.

Note This API is compatible only with new scanning engine

GET /api/scanning/reporting/v2/schedules/{scheduleId}

Request

Path Parameters

scheduleId
Required*
string
The ID of the schedule for report generation

Example: 1hDklCWc5UtuFhwCaZkbFNY5ZV

Response

Response Body

object

Schedule and configuration definition for a report generation

Status Code

200
Configuration for the requested schedule for report generation
404
Requested report generation schedule not found

Example responses

Report generation schedule not found

Note This API is compatible only with new scanning engine

PUT /api/scanning/reporting/v2/schedules/{scheduleId}

Request

Path Parameters

scheduleId
Required*
string
The ID of the schedule for report generation

Example: 1hDklCWc5UtuFhwCaZkbFNY5ZV

Request Body

Required*

object

Schedule and configuration definition for a report generation

Response

Response Body

object

Schedule and configuration definition for a report generation

Status Code

200
Updated configuration for the requested schedule for report generation
400
Bad Request
404
Requested report generation schedule not found

Example responses

Invalid report configuration
Report generation schedule not found

Note This API is compatible only with new scanning engine

GET /api/scanning/reporting/v2/schedules/{scheduleId}/download

Request

Path Parameters

scheduleId
Required*
string
The ID of the schedule for report generation

Example: 1hDklCWc5UtuFhwCaZkbFNY5ZV

Response

Status Code

200
Requested report available for download at another location
404
Requested report not found

Example responses

Report not found

Note This API is compatible only with new scanning engine

HEAD /api/scanning/reporting/v2/schedules/{scheduleId}/download

Request

Path Parameters

scheduleId
Required*
string
The ID of the schedule for report generation

Example: 1hDklCWc5UtuFhwCaZkbFNY5ZV

Response

Status Code

307
Requested report available for download at another location
404
Requested report not found

Note This API is compatible only with new scanning engine

GET /api/scanning/reporting/v2/schedules/{scheduleId}/reports

Request

Path Parameters

scheduleId
Required*
string
The ID of the schedule for report generation

Example: 1hDklCWc5UtuFhwCaZkbFNY5ZV

Response

Response Body

object[]

Generated report for a given reporting schedule

Status Code

200
Configuration for the requested schedule for report generation
404
Requested schedule not found

Example responses

Report schedule not found

Note This API is compatible only with new scanning engine

GET /api/scanning/reporting/v2/schedules/{scheduleId}/reports/{reportId}

Request

Path Parameters

scheduleId
Required*
string
The ID of the schedule for report generation

Example: 1hDklCWc5UtuFhwCaZkbFNY5ZV
reportId
Required*
string
The ID of the report

Example: 1hDklCWc5UtuFhwCaZkbFNY5ZV

Response

Response Body

object

Generated report for a given reporting schedule

Status Code

200
Configuration for the requested schedule for report generation
404
Requested schedule not found

Example responses

Report not found

Note This API is compatible only with new scanning engine

GET /api/scanning/reporting/v2/schedules/{scheduleId}/reports/{reportId}/download

Request

Path Parameters

scheduleId
Required*
string
The ID of the schedule for report generation

Example: 1hDklCWc5UtuFhwCaZkbFNY5ZV
reportId
Required*
string
The ID of the report

Example: 1hDklCWc5UtuFhwCaZkbFNY5ZV

Response

Status Code

307
Requested report available for download at another location
404
Requested report not found

Example responses

Report not found

Note This API is compatible only with new scanning engine

HEAD /api/scanning/reporting/v2/schedules/{scheduleId}/reports/{reportId}/download

Request

Path Parameters

scheduleId
Required*
string
The ID of the schedule for report generation

Example: 1hDklCWc5UtuFhwCaZkbFNY5ZV
reportId
Required*
string
The ID of the report

Example: 1hDklCWc5UtuFhwCaZkbFNY5ZV

Response

Status Code

200
Requested report available for download at another location
404
Requested report not found

Note This API is compatible only with new scanning engine

POST /api/scanning/reporting/v2/schedules/{scheduleId}/run

Request

Path Parameters

scheduleId
Required*
string
The ID of the schedule for report generation

Example: 1hDklCWc5UtuFhwCaZkbFNY5ZV

Response

Status Code

202
Generation of requested report accepted
400
Bad Request
403
Generation of requested report is either forbidden or disabled
404
Requested report generation schedule not found
409
Report generation is either already running or will be running shortly

Example responses

Invalid request payload
Report generation forbidden or disabled
Report generation schedule not found
Report generation already running

Note This API is compatible only with new scanning engine

GET /api/scanning/reporting/v2/schedules/{scheduleId}/status

Request

Path Parameters

scheduleId
Required*
string
The ID of the schedule for report generation

Example: 1hDklCWc5UtuFhwCaZkbFNY5ZV

Response

Response Body

object

Schedule and configuration definition for a report generation

Status Code

200
Status of a given schedule
404
Requested report generation schedule not found

Example responses

Schedule not found

Note This API is compatible only with new scanning engine

GET /api/scanning/reporting/v2/{reportType}/config

Request

Path Parameters

reportType
Required*
string
The kind of data the report contains

Allowable values: [vulnerabilities]
Example: vulnerabilities

Response

Response Body

object

Status Code

200
Options available to define a report configuration

No Sample Response

This method does not specify any sample responses.

Note This API is compatible only with new scanning engine

GET /api/scanning/reporting/v2/{reportType}/entities/{entityType}/config

Request

Path Parameters

reportType
Required*
string
The kind of data the report contains

Allowable values: [vulnerabilities]
Example: vulnerabilities
entityType
Required*
string
The kind of entity the report is generated from

Allowable values: [k8s,host,registry,pipeline,container]
Example: k8s

Response

Response Body

object

Status Code

200
Options available to define a report configuration

No Sample Response

This method does not specify any sample responses.

Note This API is compatible only with new scanning engine

POST /api/scanning/reporting/v2/{reportType}/entities/{entityType}/preview

Request

Path Parameters

reportType
Required*
string
The kind of data the report contains

Allowable values: [vulnerabilities]
Example: vulnerabilities
entityType
Required*
string
The kind of entity the report is generated from

Allowable values: [k8s,host,registry,pipeline,container]
Example: k8s

Query Parameters

limit
number
Possible values: 1 ≤ value ≤ 1000
Default: 100

Request Body

Required*

object

Filters for the report

Response

Response Body

object[]

Status Code

200
The result preview for the requested report configuration
400
Bad Request

Example responses

Invalid report configuration

Note This API is compatible only with new scanning engine

POST /api/scanning/reporting/v2/{reportType}/preview

Request

Path Parameters

reportType
Required*
string
The kind of data the report contains

Allowable values: [vulnerabilities]
Example: vulnerabilities

Query Parameters

limit
number
Possible values: 1 ≤ value ≤ 1000
Default: 100

Request Body

Required*

object

Filters for the report

Response

Response Body

object[]

Status Code

200
The result preview for the requested report configuration
400
Bad Request

Example responses

Invalid report configuration

Save a new falcolist

POST /api/secure/falco/lists

Request

Request Body

Required*

object

Response

Response Body

object

Status Code

200
The saved falco list
400
The provided falco list is not valid

No Sample Response

This method does not specify any sample responses.

Retrieve a group of all falco lists having the given name. This is used to show how a base list is modified by later lists that override/append to the list.

GET /api/secure/falco/lists/groups

Request

Query Parameters

name
Required*
string

Response

Response Body

object[]

Status Code

200
An array of lists

No Sample Response

This method does not specify any sample responses.

Returns the list of falco lists in the system. These are grouped by name and do not necessarily represent individual falco list objects, as multiple falco lists can have the same name.

GET /api/secure/falco/lists/summaries

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object[]

Status Code

200
An array of falco lists grouped by name.

No Sample Response

This method does not specify any sample responses.

DELETE /api/secure/falco/lists/{listId}

Request

Path Parameters

listId
Required*
integer

Response

Response Body

object

Status Code

200
The falco list that was just deleted

No Sample Response

This method does not specify any sample responses.

GET /api/secure/falco/lists/{listId}

Request

Path Parameters

listId
Required*
integer

Response

Response Body

object

Status Code

200
The falco list with the given id

No Sample Response

This method does not specify any sample responses.

PUT /api/secure/falco/lists/{listId}

Request

Path Parameters

listId
Required*
integer

Request Body

Required*

object

Response

Response Body

object

Status Code

200
The falco list with the given id
400
The provided falcolist is not valid
404
Resource with the specified ID could not be found. More information about 404 can be found at https://httpstatuses.com/404
409
The user must first perform a GET request to get the current version of the resource. The user must then compare the remote version with the local expected version and merge any updates from remote if needed and then update the local version to match the remote version. More information about 409 can be found at https://httpstatuses.com/409

No Sample Response

This method does not specify any sample responses.

Updates multiple default falco lists

PUT /api/settings/falco/lists

Request

Request Body

object

Examples:

Response

Response Body

object[]

Status Code

200
The saved falco list
400
The provided falco list is not valid

No Sample Response

This method does not specify any sample responses.

Updates a default falco list

PUT /api/settings/falco/lists/{listId}

Request

Path Parameters

listId
Required*
integer

Request Body

object

Examples:

Response

Response Body

object

Status Code

200
The saved falco list
400
The provided falco list is not valid

No Sample Response

This method does not specify any sample responses.

Save a new macro

POST /api/secure/falco/macros

Request

Request Body

Required*

object

Response

Response Body

object

Status Code

200
The saved FalcoMacro
400
The provided FalcoMacro was invalid

No Sample Response

This method does not specify any sample responses.

Retrieve a group of all falco macros having the given name. This is used to show how a base macro is modified by later macros that override/append to the macro.

GET /api/secure/falco/macros/groups

Request

Query Parameters

name
Required*
string

Response

Response Body

object[]

Status Code

200
An array of macros

No Sample Response

This method does not specify any sample responses.

Returns the list of macros in the system. These are grouped by name and do not necessarily represent individual macro objects, as multiple macros can have the same name.

GET /api/secure/falco/macros/summaries

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object[]

Status Code

200
An array of macros grouped by name.

No Sample Response

This method does not specify any sample responses.

DELETE /api/secure/falco/macros/{macroId}

Request

Path Parameters

macroId
Required*
integer

Response

Response Body

object

Status Code

200
The macro that was just deleted

No Sample Response

This method does not specify any sample responses.

GET /api/secure/falco/macros/{macroId}

Request

Path Parameters

macroId
Required*
integer

Response

Response Body

object

Status Code

200
The macro with the given id

No Sample Response

This method does not specify any sample responses.

PUT /api/secure/falco/macros/{macroId}

Request

Path Parameters

macroId
Required*
integer

Request Body

Required*

object

Response

Response Body

object

Status Code

200
The macro with the given id
400
The updated macro is not valid
404
Resource with the specified ID could not be found. More information about 404 can be found at https://httpstatuses.com/404
409
The user must first perform a GET request to get the current version of the resource. The user must then compare the remote version with the local expected version and merge any updates from remote if needed and then update the local version to match the remote version. More information about 409 can be found at https://httpstatuses.com/409

No Sample Response

This method does not specify any sample responses.

GET /api/secure/lists/groups/versions

Request

Query Parameters

name
Required*
string

Response

Response Body

object

Status Code

200
Structure representing 10 latest versions of a list.

No Sample Response

This method does not specify any sample responses.

GET /api/secure/lists/groups/versions/diff/{version1}/{version2}

Request

Path Parameters

version1
Required*
integer
version2
Required*
integer

Query Parameters

name
Required*
string

Response

Response Body

object[]

Status Code

200
Structure representing comparison between 2 lists.

No Sample Response

This method does not specify any sample responses.

GET /api/secure/lists/groups/versions/latest

Request

Query Parameters

name
Required*
string

Response

Response Body

object

Status Code

200
Structure representing latest version of a list.

No Sample Response

This method does not specify any sample responses.

GET /api/secure/macros/groups/versions

Request

Query Parameters

name
Required*
string

Response

Response Body

object

Status Code

200
Structure representing 10 latest versions of a macro.

No Sample Response

This method does not specify any sample responses.

GET /api/secure/macros/groups/versions/diff/{version1}/{version2}

Request

Path Parameters

version1
Required*
integer
version2
Required*
integer

Query Parameters

name
Required*
string

Response

Response Body

object

Status Code

200
Structure representing comparison between 2 macros.

No Sample Response

This method does not specify any sample responses.

GET /api/secure/macros/groups/versions/latest

Request

Query Parameters

name
Required*
string

Response

Response Body

object

Status Code

200
Structure representing latest version of a rule.

No Sample Response

This method does not specify any sample responses.

GET /api/secure/rules/groups/versions

Request

Query Parameters

name
Required*
string
type
Required*
string

Response

Response Body

object

Status Code

200
Structure representing 10 latest versions of a rule.

No Sample Response

This method does not specify any sample responses.

GET /api/secure/rules/groups/versions/diff/{version1}/{version2}

Request

Path Parameters

version1
Required*
string
version2
Required*
string

Query Parameters

name
Required*
string
type
Required*
string

Response

Response Body

object

Status Code

200
Structure representing comparison between 2 rules.

No Sample Response

This method does not specify any sample responses.

GET /api/secure/rules/groups/versions/latest

Request

Query Parameters

name
Required*
string
type
Required*
string

Response

Response Body

object

Status Code

200
Structure representing latest version of a rule.

No Sample Response

This method does not specify any sample responses.

Gets the connection status (cloud account or agent installation) based on the user's primary environment selection.

GET /api/secure/onboarding/v2/connectionStatus/{environment}

Request

Path Parameters

environment
Required*
string
Environment to check connection status.

Allowable values: [AWS,GCP,Azure,Kubernetes,Linux,Docker,Fargate]

Response

Response Body

object

Status Code

200
OK
400
The given request is invalid.
403
Account is forbidden (inactive/expired customer).
404
The cloud info could not be found.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

Gets the list of available environments that customers can connect.

GET /api/secure/onboarding/v2/environments

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object

Status Code

200
OK

No Sample Response

This method does not specify any sample responses.

Gets the list of selected environments that the customer wishes to connect.

GET /api/secure/onboarding/v2/environments/selection

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object

Status Code

200
OK
403
Account is forbidden (inactive/expired customer).
404
The cloud info could not be found.

No Sample Response

This method does not specify any sample responses.

Registers the selected environment that the customer wishes to connect.

POST /api/secure/onboarding/v2/environments/selection

Request

Request Body

Required*

object

Response

Status Code

200
Environment has been successfully selected
400
The given request is invalid.
403
Account is forbidden (inactive/expired customer).
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

Skips the onboarding feature per customer which results in hiding the first two screen of first time onboarding.

PUT /api/secure/onboarding/v2/feature/customer/skip

Request

Request Body

Required*

object

Response

Response Body

object

Status Code

200
OK
403
Account is forbidden (inactive/expired customer).
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

Checks the feature status for the user/customer.

GET /api/secure/onboarding/v2/feature/status

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object

Status Code

200
OK
403
Account is forbidden (inactive/expired customer).
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

Gets all compliance frameworks across all supported environments.

GET /api/secure/onboarding/v2/frameworks

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object[]

Status Code

200
OK

No Sample Response

This method does not specify any sample responses.

Gets the compliance frameworks for the specified environment.

GET /api/secure/onboarding/v2/frameworks/{environment}

Request

Path Parameters

environment
Required*
string
Allowable values: [AWS,GCP,Azure,Kubernetes,Linux,Docker]

Response

Response Body

object

Status Code

200
OK
400
The given request is invalid.

No Sample Response

This method does not specify any sample responses.

Creates the set of compliance tasks for the specified environment.

POST /api/secure/onboarding/v2/frameworks/{environment}

Request

Path Parameters

environment
Required*
string

Request Body

object[]

Response

Response Body

integer[]

Status Code

200
OK
400
The given request is invalid.
403
Account is forbidden (inactive/expired customer).
404
The cloud info could not be found.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

Gets the appropriate install action for the specified installation type.

GET /api/secure/onboarding/v2/installActions/{installType}

Request

Path Parameters

installType
Required*
string
Allowable values: [AWS,GCP,Azure,Kubernetes,Linux,Docker,AdmissionController]

Query Parameters

accountType
string
Cloud provider account type. Only applies to AWS, GCP, or Azure.

Allowable values: [single,org,multi]
Default: single
installOption
string
Install option for agent. Only applies to Kubernetes, Linux, or Docker.

Allowable values: [helm,values]
Default: helm

Response

Response Body

object

Status Code

200
OK
400
The given request is invalid.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

Gets the values.yaml content to install the agent on Kubernetes

GET /api/secure/onboarding/v2/installActions/{installType}/values

Request

Path Parameters

installType
Required*
string
Allowable values: [Kubernetes]

Response

Status Code

200
The string literal to copy and paste into a values.yaml file
400
The given request is invalid.

No Sample Response

This method does not specify any sample responses.

Checks if this is the first user ever in the account to login/ if it is this user's first login.

GET /api/secure/onboarding/v2/status

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object

Status Code

200
OK
403
Account is forbidden (inactive/expired customer).
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

Gets a user's profile.

GET /api/secure/onboarding/v2/userProfile

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object

Status Code

200
OK
403
Account is forbidden (inactive/expired customer).
404
The cloud info could not be found.

No Sample Response

This method does not specify any sample responses.

Gets the user profile questionnaire.

GET /api/secure/onboarding/v2/userProfile/questionnaire

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object[]

Status Code

200
OK

No Sample Response

This method does not specify any sample responses.

Submits the user profile questionnaire.

POST /api/secure/onboarding/v2/userProfile/questionnaire

Request

Request Body

object[]

Response

Status Code

200
OK
400
The given request is invalid.
403
Account is forbidden (inactive/expired customer).
404
The cloud info could not be found.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

Gets the appropriate install action for the specified installation type and environment.

GET /api/secure/onboarding/v3/environments/{environment}/installActions/{installType}

Request

Path Parameters

environment
Required*
string
Environment in which you are planning to install

Allowable values: [AWS,GCP,Azure]
installType
Required*
string
Installation type via Terraform or CFT (AWS only).

Allowable values: [Terraform,CFT]

Query Parameters

accountType
Required*
string
Cloud provider account type, indicating a single account or org account install.

Allowable values: [single,org]
feature
Required*
string
The Sysdig features to install. Multiple features are specified as repeated instances of this query parameter

Allowable values: [FEATURE_SECURE_THREAT_DETECTION,FEATURE_SECURE_CONFIG_POSTURE,FEATURE_SECURE_IDENTITY_ENTITLEMENT,FEATURE_SECURE_AGENTLESS_SCANNING]
region
string
The regions to install during a multi region deploy. Multiple regions are specified as repeated instances of this query parameter

Default:
Examples:
[ "us-east-1", "eu-central-1" ]

Response

Response Body

object

Status Code

200
OK
400
The given request is invalid.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

Get the custom falco rules files e.g. the set of falco rules managed by a customer.

GET /api/settings/falco/customRulesFiles

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object

Status Code

200
The custom falco rules files.

No Sample Response

This method does not specify any sample responses.

Set the current custom falco rules files. This content is always validated by passing the current default rules files plus the submitted customer rules files and any Secure UI generated rules to the open source falco executable to verify that falco can read the combination of files. The backend should choose the variant that has the greatest required_engine_version for each file, and then run open source falco with the -d option to verify the files. As knowing the current value of the version field is required to successfully update the rules file, in order to update the rules content you must first do a GET and update the content property. The version property in the response will be incremented on success.

PUT /api/settings/falco/customRulesFiles

Request

Request Body

Required*

object

Response

Response Body

object

Status Code

200
The custom falco rules files
400
The provided falco rules content was either not falco compliant, causes a rule to be deleted that is still used by a policy, or has non null default policies
409
The user must first perform a GET request to get the current version of the resource. The user must then compare the remote version with the local expected version and merge any updates from remote if needed and then update the local version to match the remote version. More information about 409 can be found at https://httpstatuses.com/409

No Sample Response

This method does not specify any sample responses.

Delete the specified falco rules file

DELETE /api/settings/falco/customRulesFiles/{filename}

Request

Path Parameters

filename
Required*
string

Response

Response Body

object

Status Code

200
The deleted policy
404
Resource with the specified ID could not be found. More information about 404 can be found at https://httpstatuses.com/404
409
The user must first perform a GET request to get the current version of the resource. The user must then compare the remote version with the local expected version and merge any updates from remote if needed and then update the local version to match the remote version. More information about 409 can be found at https://httpstatuses.com/409

No Sample Response

This method does not specify any sample responses.

Get the custom falco rules file matching the filename

GET /api/settings/falco/customRulesFiles/{filename}

Request

Path Parameters

filename
Required*
string

Response

Response Body

object

Status Code

200
The custom falco rules file
404
Resource with the specified ID could not be found. More information about 404 can be found at https://httpstatuses.com/404

No Sample Response

This method does not specify any sample responses.

Update the custom falco rules file matching the filename

PUT /api/settings/falco/customRulesFiles/{filename}

Request

Path Parameters

filename
Required*
string

Request Body

Required*

object

Response

Response Body

object

Status Code

200
The custom falco rules file
400
The provided falco rules content was either not falco compliant, causes a rule to be deleted that is still used by a policy, or has non null default policies
409
The user must first perform a GET request to get the current version of the resource. The user must then compare the remote version with the local expected version and merge any updates from remote if needed and then update the local version to match the remote version. More information about 409 can be found at https://httpstatuses.com/409

No Sample Response

This method does not specify any sample responses.

Get the default falco rules files e.g. the set of falco rules managed by sysdig.

GET /api/settings/falco/defaultRulesFiles

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object

Status Code

200
The default falco rules files.

No Sample Response

This method does not specify any sample responses.

Get the newest default falco rules files e.g. the set of falco rules managed by sysdig.

GET /api/settings/falco/newestDefaultRulesFiles

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object

Status Code

200
The newest falco rules files.

No Sample Response

This method does not specify any sample responses.

Returns what falco filters are available to customer to configure falco rules

GET /api/settings/falco/filters

Request

Query Parameters

eventSource
string
when provided only falco filters corresponding to the specified event source will be included in the response

Allowable values: [syscall,k8s_audit,aws_cloudtrail,gcp_auditlog,azure_platformlogs]

Response

Response Body

object[]

Status Code

200
The falco filters available to customer to configure falco rules

No Sample Response

This method does not specify any sample responses.

Fetch all integrations for a customer.

GET /api/ticketing/v1/integrations/{provider}

Request

Path Parameters

provider
Required*
string
The ticket management provider.

Example: jira

Response

Response Body

object[]

Status Code

200
List of all integrations for a customer.
401
Invalid credentials or missing auth token.
404
Invalid provider specified.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

Creates a new Integration for a customer.

POST /api/ticketing/v1/integrations/{provider}

Request

Path Parameters

provider
Required*
string
The ticket management provider.

Example: jira

Request Body

Required*

object

Response

Response Body

object

Status Code

200
Integration is successfully created.
400
Invalid input, integration could not be created.
401
Invalid credentials or missing auth token.
403
Account is forbidden (inactive/expired customer).
404
Invalid provider specified.
409
Integration already exists.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

Delete an Integration for a customer.

DELETE /api/ticketing/v1/integrations/{provider}/{integration_id}

Request

Path Parameters

provider
Required*
string
The ticket management provider.

Example: jira
integration_id
Required*
integer

Response

Response Body

object

Status Code

200
Integration is successfully deleted.
401
Invalid credentials or missing auth token.
404
Integration could not be found.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

Fetch a single integration Information by id.

GET /api/ticketing/v1/integrations/{provider}/{integration_id}

Request

Path Parameters

provider
Required*
string
The ticket management provider.

Example: jira
integration_id
Required*
integer

Response

Response Body

object

Status Code

200
Description of a specific integration.
401
Invalid credentials or missing auth token.
404
Integration could not be found.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

Update an Integration for a customer.

PUT /api/ticketing/v1/integrations/{provider}/{integration_id}

Request

Path Parameters

provider
Required*
string
The ticket management provider.

Example: jira
integration_id
Required*
integer

Request Body

Required*

object

Response

Response Body

object

Status Code

200
Integration is successfully updated.
400
Integration could not be modified.
401
Invalid credentials or missing auth token.
404
Integration could not be found.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

Fetches the projects information needed for creating a ticket. The list of assignable and issue types users are fetched to help create a ticket.

GET /api/ticketing/v1/integrations/{provider}/{integration_id}/project/{project_id}/projectMeta

Request

Path Parameters

provider
Required*
string
The ticket management provider.

Example: jira
integration_id
Required*
integer
index of the integration
project_id
Required*
integer
index of jira project id

Query Parameters

assignee
string
A query string that is matched against user attributes, such as displayName, and emailAddress, to find relevant assignable users.

Response

Response Body

object

Status Code

200
Project metadata
400
Project could not be fetched.
403
Account is forbidden (inactive/expired customer).
404
Integration could not be found.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

Fetches the projects information needed for creating a ticket. The projectIDs, issueIDs, and list of assignable users are fetched for a valid integration.

GET /api/ticketing/v1/integrations/{provider}/{integration_id}/projects

Request

Path Parameters

provider
Required*
string
The ticket management provider.

Example: jira
integration_id
Required*
integer
index of the integration

Response

Response Body

object[]

Jira project object

Status Code

200
List all jira projects for an integration.
400
Project could not be fetched.
403
Account is forbidden (inactive/expired customer).
404
Integration could not be found.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

Delete captures

DELETE /api/v1/captures

Request

Query Parameters

ids
integer
Represents the id of a particular capture. Can be used multiple times in the same request to delete multiple captures
source
string
Indicates that only captures belonging to either the monitor or secure product should be considered for deletion. Defaults to SDC if not specified

Allowable values: [sdc,sds]
statuses
string
Indicates that only captures with a particular status should be considered for deletion. Can be used multiple times in the same request

Allowable values: [requested,filtering,capturing,done,error,uploading,uploadingError,uploaded]

Response

Response Body

object

Status Code

200
The number of captures deleted

No Sample Response

This method does not specify any sample responses.

Retrieve the list of captures

GET /api/v1/captures

Request

Query Parameters

ids
integer
Represents the id of a particular capture. Can be used multiple times in the same request to fetch multiple captures
offset
integer
Indicates the distance between the true starting point and the index of the first returned capture
limit
integer
sort
string
An enum of allowable fields to sort a list of captures

Allowable values: [date_requested,duration,name,size,status]
dir
string
An enum of ways to order a sorted collection of values

Allowable values: [asc,desc]
filter
string
from
integer
Unix time of when to start looking for captures in microseconds
to
integer
Unix time of when to stop looking for captures in microseconds
source
string
An enum of Sysdig products

Allowable values: [sdc,sds]
scopeFilter
string
Limit the results to only captures matching a scope expression

Example: kubernetes.cluster.name != null

metrics

string

Examples:

aggregations

string

Examples:

forceSync
boolean
annotations
string
token
string
Uniquely identifies a capture and correlates the capture to a request. Must match the following regex ([a-z0-9]){8}-([a-z0-9]){4}-([a-z0-9]){4}-([a-z0-9]){4}-([a-z0-9]){12}

Example: 960d9da0-cc79-4079-932a-544e193ab385

Response

Response Body

object

A list of captures and associated metadata

Status Code

200
The array representing the captures
400
Indicates a query param was invalid

No Sample Response

This method does not specify any sample responses.

Create a capture

POST /api/v1/captures

Request

Request Body

Required*

object

Metadata to create a capture

Response

Response Body

object

Status Code

200
Successfully created a capture
400
Indicates the request body was invalid

No Sample Response

This method does not specify any sample responses.

Get a capture

GET /api/v1/captures/{captureId}

Request

Path Parameters

captureId
Required*
integer

Response

Response Body

object

Status Code

200
Successfully retrieved a capture
404
The capture could not be found

No Sample Response

This method does not specify any sample responses.

Update a capture

PUT /api/v1/captures/{captureId}

Request

Path Parameters

captureId
Required*
integer

Request Body

Required*

object

Contains system calls and other operating system events

Response

Response Body

object

Contains system calls and other operating system events

Status Code

200
Successfully updated a capture
400
Indicates the request body was invalid

No Sample Response

This method does not specify any sample responses.

Download a capture

GET /api/v1/captures/{captureId}/download

Request

Path Parameters

captureId
Required*
integer

Response

Status Code

302
Redirects to a location for downloading
404
The capture could not be found

No Sample Response

This method does not specify any sample responses.

Stop a capture

POST /api/v1/captures/{captureId}/stop

Request

Path Parameters

captureId
Required*
integer

Response

Response Body

object

Status Code

200
Successfully stopped the capture
404
The capture could not be found

No Sample Response

This method does not specify any sample responses.

Retrieves a list of all the supported forwarding channels.

GET /api/v1/eventsForwarding/channels

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

string[]

Status Code

200
List of supported forwarding channels.
400
The request is invalid.

Example responses

[ "POLICY_EVENTS" ]

Retrieves a list of forwarding integrations for the customer making the request.

GET /api/v1/eventsForwarding/integrations

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object[]

Represents a command execution.

Status Code

200
The list of integrations.
400
The request is invalid.

No Sample Response

This method does not specify any sample responses.

Creates a forwarding integration for the customer.

POST /api/v1/eventsForwarding/integrations

Request

Request Body

Required*

object

The content of the integration to create.

Examples:

Response

Status Code

201
The creation of the integration was successful.
400
The request is invalid.

No Sample Response

This method does not specify any sample responses.

Delete an integration given its id.

DELETE /api/v1/eventsForwarding/integrations/{integrationId}

Request

Path Parameters

integrationId
Required*
integer
The forwarding integration id.

Example: 1

Response

Status Code

201
The integration was successfully deleted.
404
The integration could not be found.

No Sample Response

This method does not specify any sample responses.

Retrieves a forwarding rule given its id.

GET /api/v1/eventsForwarding/integrations/{integrationId}

Request

Path Parameters

integrationId
Required*
integer
The forwarding integration id.

Example: 1

Response

Response Body

object

Represents a command execution.

Status Code

200
The forwarding integration with a given id.
404
The integration could not be found.

Example responses

Status 200

{
  "channels": [
    "POLICY_EVENTS"
  ],
  "connectionInfo": {
    "ServicePort": 514,
    "ServiceURL": "syslog-address"
  },
  "customerId": 1,
  "enabled": true,
  "id": 1,
  "name": "Forward to Syslog",
  "type": "syslog"
}
Copy to clipboard

Updates an integration given its id. The PATCH payload can be any combination of the following fields having the value to change. None of the connectionInfo fields are required for patching.

PATCH /api/v1/eventsForwarding/integrations/{integrationId}

Request

Path Parameters

integrationId
Required*
integer
The forwarding integration id.

Example: 1

Request Body

Required*

object

The content of the integration to update.

Examples:

Response

Status Code

204
The integration was successfully updated.
404
The integration could not be found.

No Sample Response

This method does not specify any sample responses.

Retrieves a list of all the supported forwarding targets.

GET /api/v1/eventsForwarding/supported

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

string[]

Status Code

200
List of supported forwarding targets.
400
The request is invalid.

Example responses

[ "syslog", "splunk" ]

Creates a Kubernetes Network Policy

POST /api/v1/networkSecurity/namespaces/{namespaceName}/simulatedPolicies

Request

Path Parameters

namespaceName
Required*
string
The name of a kubernetes namespace

Request Body

Required*

object

Response

Response Body

string

The text of a proposed Kubernetes Network Policy

Status Code

200
Indicates the requested KNP was successfully created
400
Indicates a parameter, header or another quality of the request was malformed. More information about 400 can be found at https://httpstatuses.com/400
401
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401
403
The user successfully authenticated but has insufficient permissions. More information about 403 can be found at https://httpstatuses.com/403

No Sample Response

This method does not specify any sample responses.

Creates a communication topology graph around the specified owner; if KNP spec is provided, marks communication edges as 'blocked' if they are blocked by the KNP

POST /api/v1/networkSecurity/networkPolicyOverlayOwnerTopology

Request

Query Parameters

namespace
Required*
string
The name of a kubernetes namespace
cluster
Required*
string
The name of a kubernetes cluster
name
Required*
string
The name of a pod owner
kind
Required*
string
Specifies how to group pods

Allowable values: [Service,Deployment,StatefulSet,DaemonSet,Pod,Namespace]
from
Required*
integer
A unix timestamp in seconds of specifying the initial time of a range
to
Required*
integer
A unix timestamp in seconds of specifying the end time of a range

Request Body

object

Response

Response Body

object

Owner communication topology graph

Status Code

200
Indicates the requested topology graph is sucessfully created
400
Indicates a parameter, header or another quality of the request was malformed. More information about 400 can be found at https://httpstatuses.com/400
401
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401
403
The user successfully authenticated but has insufficient permissions. More information about 403 can be found at https://httpstatuses.com/403

No Sample Response

This method does not specify any sample responses.

Retrieves a 200 to double check if the network security feature on the backend is available.

GET /api/v1/networkSecurity/status

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object

Status Code

200
Indicates the network security feature is available

No Sample Response

This method does not specify any sample responses.

Returns all cluster names for the customer

GET /api/v1/networkTopology/clusters

Request

Query Parameters

from
Required*
integer
A unix timestamp in seconds of specifying the initial time of a range
to
Required*
integer
A unix timestamp in seconds of specifying the end time of a range

Response

Response Body

string[]

Cluster names

Status Code

200
Indicates the requested cluster names were successfully returned
400
Indicates a parameter, header or another quality of the request was malformed. More information about 400 can be found at https://httpstatuses.com/400
401
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401
403
The user successfully authenticated but has insufficient permissions. More information about 403 can be found at https://httpstatuses.com/403

No Sample Response

This method does not specify any sample responses.

Returns an overview of egress networking traffic

GET /api/v1/networkTopology/egressSummaries

Request

Query Parameters

cluster
Required*
string
The name of a kubernetes cluster
namespace
Required*
string
The name of a kubernetes namespace
name
Required*
string
The name of a pod owner
kind
Required*
string
Specifies how to group pods

Allowable values: [Service,Deployment,StatefulSet,DaemonSet,Pod,Namespace]
from
Required*
integer
A unix timestamp in seconds of specifying the initial time of a range
to
Required*
integer
A unix timestamp in seconds of specifying the end time of a range

Response

Response Body

object

Status Code

200
Indicates the requested overview of egress networking traffic was successfully returned
400
Indicates a parameter, header or another quality of the request was malformed. More information about 400 can be found at https://httpstatuses.com/400
401
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401
403
The user successfully authenticated but has insufficient permissions. More information about 403 can be found at https://httpstatuses.com/403

No Sample Response

This method does not specify any sample responses.

Returns the unresolved ips for a time range and pod owner

GET /api/v1/networkTopology/egressUnresolvedIps

Request

Query Parameters

cluster
Required*
string
The name of a kubernetes cluster
namespace
Required*
string
The name of a kubernetes namespace
name
Required*
string
The name of a pod owner
kind
Required*
string
Specifies how to group pods

Allowable values: [Service,Deployment,StatefulSet,DaemonSet,Pod,Namespace]
from
Required*
integer
A unix timestamp in seconds of specifying the initial time of a range
to
Required*
integer
A unix timestamp in seconds of specifying the end time of a range

Response

Response Body

object

Status Code

200
Indicates the requested egress unresolved ips were successfully returned
400
Indicates a parameter, header or another quality of the request was malformed. More information about 400 can be found at https://httpstatuses.com/400
401
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401
403
The user successfully authenticated but has insufficient permissions. More information about 403 can be found at https://httpstatuses.com/403

No Sample Response

This method does not specify any sample responses.

Returns an overview of ingress networking traffic

GET /api/v1/networkTopology/ingressSummaries

Request

Query Parameters

cluster
Required*
string
The name of a kubernetes cluster
namespace
Required*
string
The name of a kubernetes namespace
name
Required*
string
The name of a pod owner
kind
Required*
string
Specifies how to group pods

Allowable values: [Service,Deployment,StatefulSet,DaemonSet,Pod,Namespace]
from
Required*
integer
A unix timestamp in seconds of specifying the initial time of a range
to
Required*
integer
A unix timestamp in seconds of specifying the end time of a range

Response

Response Body

object

Status Code

200
Indicates the requested overview of ingress networking traffic was successfully returned
400
Indicates a parameter, header or another quality of the request was malformed. More information about 400 can be found at https://httpstatuses.com/400
401
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401
403
The user successfully authenticated but has insufficient permissions. More information about 403 can be found at https://httpstatuses.com/403

No Sample Response

This method does not specify any sample responses.

Returns the unresolved ips for a time range and pod owner

GET /api/v1/networkTopology/ingressUnresolvedIps

Request

Query Parameters

cluster
Required*
string
The name of a kubernetes cluster
namespace
Required*
string
The name of a kubernetes namespace
name
Required*
string
The name of a pod owner
kind
Required*
string
Specifies how to group pods

Allowable values: [Service,Deployment,StatefulSet,DaemonSet,Pod,Namespace]
from
Required*
integer
A unix timestamp in seconds of specifying the initial time of a range
to
Required*
integer
A unix timestamp in seconds of specifying the end time of a range

Response

Response Body

object

Status Code

200
Indicates the requested ingress unresolved ips were successfully returned
400
Indicates a parameter, header or another quality of the request was malformed. More information about 400 can be found at https://httpstatuses.com/400
401
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401
403
The user successfully authenticated but has insufficient permissions. More information about 403 can be found at https://httpstatuses.com/403

No Sample Response

This method does not specify any sample responses.

Returns sorted list of unique namespace label key values

GET /api/v1/networkTopology/namespaceLabelKeys

Request

Query Parameters

cluster
Required*
string
The name of a kubernetes cluster

Response

Response Body

string[]

Array of kubernetes labels

Status Code

200
Indicates the requested list was returned
400
Indicates a parameter, header or another quality of the request was malformed. More information about 400 can be found at https://httpstatuses.com/400
401
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401
403
The user successfully authenticated but has insufficient permissions. More information about 403 can be found at https://httpstatuses.com/403

No Sample Response

This method does not specify any sample responses.

Returns all namespace names for the cluster

GET /api/v1/networkTopology/namespaces

Request

Query Parameters

cluster
Required*
string
The name of a kubernetes cluster
from
Required*
integer
A unix timestamp in seconds of specifying the initial time of a range
to
Required*
integer
A unix timestamp in seconds of specifying the end time of a range

Response

Response Body

object[]

Status Code

200
Indicates the requested namespaces were successfully returned
400
Indicates a parameter, header or another quality of the request was malformed. More information about 400 can be found at https://httpstatuses.com/400
401
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401
403
The user successfully authenticated but has insufficient permissions. More information about 403 can be found at https://httpstatuses.com/403

No Sample Response

This method does not specify any sample responses.

Creates a communication topology graph around the specified owner

GET /api/v1/networkTopology/ownerTopology

Request

Query Parameters

namespace
Required*
string
The name of a kubernetes namespace
cluster
Required*
string
The name of a kubernetes cluster
name
Required*
string
The name of a pod owner
kind
Required*
string
Specifies how to group pods

Allowable values: [Service,Deployment,StatefulSet,DaemonSet,Pod,Namespace]
from
Required*
integer
A unix timestamp in seconds of specifying the initial time of a range
to
Required*
integer
A unix timestamp in seconds of specifying the end time of a range

Response

Response Body

object

Owner communication topology graph

Status Code

200
Indicates the requested topology graph is sucessfully created
400
Indicates a parameter, header or another quality of the request was malformed. More information about 400 can be found at https://httpstatuses.com/400
401
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401
403
The user successfully authenticated but has insufficient permissions. More information about 403 can be found at https://httpstatuses.com/403

No Sample Response

This method does not specify any sample responses.

Returns a map of owner type to a list of owner selectors

GET /api/v1/networkTopology/owners

Request

Query Parameters

cluster
Required*
string
The name of a kubernetes cluster
namespace
Required*
string
The name of a kubernetes namespace
from
Required*
integer
A unix timestamp in seconds of specifying the initial time of a range
to
Required*
integer
A unix timestamp in seconds of specifying the end time of a range

Response

Response Body

object[]

Status Code

200
Indicates the requested map of owner type to a list of owner selectors were successfully returned
400
Indicates a parameter, header or another quality of the request was malformed. More information about 400 can be found at https://httpstatuses.com/400
401
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401
403
The user successfully authenticated but has insufficient permissions. More information about 403 can be found at https://httpstatuses.com/403

No Sample Response

This method does not specify any sample responses.

Retrieves a 200 to double check if the topology feature on the backend is available.

GET /api/v1/networkTopology/status

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object

Status Code

200
Indicates the topology feature is available

No Sample Response

This method does not specify any sample responses.

Returns sorted list of unique workload label key values

GET /api/v1/networkTopology/workloadLabelKeys

Request

Query Parameters

cluster
Required*
string
The name of a kubernetes cluster

Response

Response Body

string[]

Array of kubernetes labels

Status Code

200
Indicates the requested list was returned
400
Indicates a parameter, header or another quality of the request was malformed. More information about 400 can be found at https://httpstatuses.com/400
401
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401
403
The user successfully authenticated but has insufficient permissions. More information about 403 can be found at https://httpstatuses.com/403

No Sample Response

This method does not specify any sample responses.

This endpoint returns the profile groups for a customer

GET /api/v1/profiling/profileGroups

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object[]

Status Code

200
An array of profile groups for a customer
401
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401

No Sample Response

This method does not specify any sample responses.

This endpoint returns the profile group given a id for a customer

GET /api/v1/profiling/profileGroups/{profileGroupId}

Request

Path Parameters

profileGroupId
Required*
integer
The id of the profile group

Response

Response Body

object

Status Code

200
The profile group for the given profileGroupId
400
Indicates a parameter, header or another quality of the request was malformed. More information about 400 can be found at https://httpstatuses.com/400
401
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401

No Sample Response

This method does not specify any sample responses.

This endpoint returns the profiles for a given profileGroupId

GET /api/v1/profiling/profileGroups/{profileGroupId}/profiles

Request

Path Parameters

profileGroupId
Required*
integer
The id of the profile group

Query Parameters

scoreMin
integer
If specified, only profiles with a confidence score at least this amount will be retrieved. Defaults to 0
status
string
A comma-separated list of statuses. If specified, only profiles with these statuses will be retrieved. Defaults to ['FINALIZED','LEARNING']

Allowable values: [FINALIZED,LEARNING]
filter
string
If specified, filter to only include profiles where the profile name or image name (registry/repository:tag@hash) contains this string. Defaults to empty string
sortBy
string
Field used to sort. Defaults to score. Profiles with status:'FINALIZED' will always appear above status:'LEARNING', for all values of sortBy except sortBy:'status', sortMethod:'asc'.

Allowable values: [score,profileName,status,createdOn]
limit
integer
If specified, a limit on the number of entries retrieved. If any filters are also specified, the limit will be applied on the filtered list. limit must be >= 1 and if it overflows the list all entries will be retrieved. Defaults to length of list
offset
integer
If specified, a 0-based index on the profiles list. Only entries >= offset will be retrieved. Defaults to 0. If any filters are also specified, this index will be applied on the filtered list. An empty list will be retrieved if this index overflows the list.
sortMethod
string
Sorting method. Defaults to desc.

Allowable values: [desc,asc]

Response

Response Body

object

Status Code

200
The profiles for a given profileGroupId
400
Indicates a parameter, header or another quality of the request was malformed. More information about 400 can be found at https://httpstatuses.com/400
401
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401

No Sample Response

This method does not specify any sample responses.

This endpoint returns the profile matching a given profileId

GET /api/v1/profiling/profiles/{profileId}

Request

Path Parameters

profileId
Required*
string

Response

Response Body

object

Status Code

200
The profile for a given profileId
400
Indicates a parameter, header or another quality of the request was malformed. More information about 400 can be found at https://httpstatuses.com/400
401
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401
404
The requested resource was not found. More information about 404 can be found at https://httpstatuses.com/404
500
Generic error from API

No Sample Response

This method does not specify any sample responses.

This endpoint can be used to remove a profile given a profileId

POST /api/v1/profiling/profiles/{profileId}/actions/remove

Request

Path Parameters

profileId
Required*
string

Response

Response Body

object

Profile reset action response

Status Code

200
The ActionsProfileResponse containing time when profile was removed
400
Indicates a parameter, header or another quality of the request was malformed. More information about 400 can be found at https://httpstatuses.com/400
401
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401
500
Generic error from API

No Sample Response

This method does not specify any sample responses.

This endpoint can be used to reset a profile given a profileId

POST /api/v1/profiling/profiles/{profileId}/actions/reset

Request

Path Parameters

profileId
Required*
string

Response

Response Body

object

Profile reset action response

Status Code

200
The ActionsProfileResponse containing time when profile was reset
400
Indicates a parameter, header or another quality of the request was malformed. More information about 400 can be found at https://httpstatuses.com/400
401
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401
500
Generic error from API

No Sample Response

This method does not specify any sample responses.

This endpoint can be used to get status of Profiling API

GET /api/v1/profiling/status

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

string

Status Code

200
The ActionsProfileResponse containing time when profile was removed
401
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401
403
API Access Forbidden

No Sample Response

This method does not specify any sample responses.

The policy tuner service records this customer as disabled such that a tune will not be run for this customer during the next run cycle

POST /api/v1/secure/policyTuner/disable

Request

No Request Parameters

This method does not accept any request parameters.

Response

Status Code

200
Success

No Sample Response

This method does not specify any sample responses.

The policy tuner service records this customer as enabled such that a tune will be run for this customer during the next run cycle

POST /api/v1/secure/policyTuner/enable

Request

No Request Parameters

This method does not accept any request parameters.

Response

Status Code

200
Success
400
Sysdig has not enabled tuning for this customer

No Sample Response

This method does not specify any sample responses.

Adds a provided set of exceptions to the tuner file

POST /api/v1/secure/policyTuner/exceptions

Request

Request Body

Required*

object

Response

Status Code

200
Indicates the new exceptions were successfully added to the tuner file
400
Indicates one of the fields in the request body was missing, the wrong data type, or the exception values did not match the expected form of the exception

No Sample Response

This method does not specify any sample responses.

Returns a list of exceptions to exclude the events matching a set of parameters

POST /api/v1/secure/policyTuner/excludeEvents

Request

Query Parameters

start
Required*
integer
The timestamp in seconds in which the events to be excluded begin
end
Required*
integer
The timestamp in seconds in which the events to be excluded end
filter
string
limit
integer
The number of suggested exclusion proposals to return in the responses. The request will be rejected if it is greater than 10 or less than 1.

Response

Response Body

object

Status Code

200
Indicates the service was able to successfully find a list of exceptions to exclude the provided events
400
Returned if the start param occurs after the end or if the parameters are of the wrong data type or the limit is out of range

No Sample Response

This method does not specify any sample responses.

Retrieves a 200 to double check if the policy tuner feature on the backend is available.

GET /api/v1/secure/policyTuner/status

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object

Status Code

200
Indicates the policy tuner feature is available

No Sample Response

This method does not specify any sample responses.

The policy tuner immediately runs tuning for the customer

POST /api/v1/secure/policyTuner/tuneNow

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object

Status Code

200
The generated tuner FalcoRulesFile
400
Sysdig has not enabled tuning for this customer

No Sample Response

This method does not specify any sample responses.

Checks if tuning is enabled

GET /api/v1/secure/policyTuner/tuningEnabled

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object

Status Code

200
Indicates whether tuning is enabled or disabled

No Sample Response

This method does not specify any sample responses.

Retrieves the list of events that match a filter given a specified time range or cursor. The pair from and to and the cursor parameter are mutually exclusive. If you supply a from and to you must not supply a cursor and vice-versa. If you supply a cursor then the prev field inside the response is set if and only if there are events before the first event returned, while the next field inside the response is set if and only if there are events after the last event returned. If, instead, you supply the from and to pair then the prev and next fields inside the response are always set, because in that case there is no efficient way for the backend to verify if next and prev events actually exist. For this reason, the best way to use this API is to supply the from and to pair at the first request and then use the prev and next cursors to fetch events before and after the events returned. Please, do note that if you supply from and to and receive the prev and next cursors, any subsequent request made by supplying that next or prev cursor will return results that are not filtered by the from and to you provided in the first request. Finally, the difference between from and to cannot be greater than 2 weeks.

GET /api/v1/secureEvents

Request

Query Parameters

from
int64
From, expressed in nanoseconds. The difference between from and to cannot be greater than 2 weeks.

Possible values: value ≥ 0
Example: 1546300800000000000
to
int64
To, expressed in nanoseconds. The difference between from and to cannot be greater than 2 weeks.

Possible values: value ≥ 0
Example: 1546300800000000000
cursor
string
Cursor is a string used to retrieve data given a specific context. The context can either be events feed before a certain event, after it or its surrounding. See the prev, next and cursor fields inside the response for further details.

Example: LTltNGUybXIwdWkzZThhMjE1bjRn
filter
string
Query language expression for filtering results. It is a subset of the full metrics query language used in monitoring. Operators:
- and, or and not logical operators (i.e. pid = 1 and ppid = 2)
- =, !=, >, >=, < and <= comparison operators (i.e. pid = 1)
- in to check inclusion in a list of values (i.e. pid in (1, 2) or clientipv4 in ("127.0.0.1", "192.168.0.1")) This query language does not support the full set of metrics supported in the monitor query language, but instead supports a set of fields proper to each audit events type. The list of supported fields can be retrieved through the api/v1/secureEvents/scopeFilters endpoint. In addition to those fields, also these fields are supported:
- severity as numeric value in the [0, 7] range
- category as string value
- originator as string value (either policy or scanning)
- name as string value
- freeText as string value
- source as string value
- agentId as numeric value
- containerId as string value
- machineId as string value
- ruleName as string value
- ruleType as numeric value
- ruleSubType as numeric value
- policyId as numeric value
- alertName as string value
- trigger as string value
- image.id as string value
- image.registry as string value
- image.repo as string value
- image.tag as string value
- image.digest as string value
Example: agent.id=1
limit
number
Limit the number of events to return.

Possible values: 1 ≤ value ≤ 999
Default: 100
Example: 50
specialCategory
string
How to handle special events categories, like the policy simulation (advisor).
- exclude_simulation excludes events with category simulation
- only_simulation returns only events with category simulation
Allowable values: [exclude_simulation,only_simulation]
Default: exclude_simulation
Example: exclude_simulation

Response

Response Body

object

Status Code

200
The secure events feed.
400
The request is invalid.
422
Attempting to retrieve a secure events feed by using a filter that contains unsupported metrics.
500
The server encountered an unexpected condition that prevented it from fulfilling the request.

No Sample Response

This method does not specify any sample responses.

Retrieves the whitelist of supported secure events scope filters that can be used inside the filter parameter while retrieving the secure events feed.

GET /api/v1/secureEvents/filters

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object

List of supported scope filters

Status Code

200
The supported secure events scope filters.
500
The server encountered an unexpected condition that prevented it from fulfilling the request.

No Sample Response

This method does not specify any sample responses.

Verify if there are new/legacy events in the store.

GET /api/v1/secureEvents/hasEvents

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object

Status Code

200
Whether or not there are new/legacy events.
500
The server encountered an unexpected condition that prevented it from fulfilling the request.

No Sample Response

This method does not specify any sample responses.

Retrieves a 200 to double check if the secureEvents feature on the backend is available.

GET /api/v1/secureEvents/status

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object

Status Code

200
The supported secure events filters.

No Sample Response

This method does not specify any sample responses.

Retrieves an event with a given id.

GET /api/v1/secureEvents/{eventId}

Request

Path Parameters

eventId
Required*
string
The event id.

Example: 15cbf54e34df95404caad1c988cf7c42

Response

Response Body

object

Status Code

200
Event with the given id.
404
The event could not be found.
500
The server encountered an unexpected condition that prevented it from fulfilling the request.

No Sample Response

This method does not specify any sample responses.

Retrieves bubbleChart stats which are useful for understanding events and vulnerabilities with their severity. They that match a filter, specified time range (from <= to), and number of rows to return for all columns. Parameters from, to, and metric are required.

GET /api/vi/secureEvents/bubbleChart

Request

Query Parameters

from
int64
From, expressed in nanoseconds. The difference between from and to cannot be greater than 2 weeks.

Possible values: value ≥ 0
Example: 1546300800000000000
to
int64
To, expressed in nanoseconds. The difference between from and to cannot be greater than 2 weeks.

Possible values: value ≥ 0
Example: 1546300800000000000
filter
string
Query language expression for filtering results. It is a subset of the full metrics query language used in monitoring. Operators:
- and, or and not logical operators (i.e. pid = 1 and ppid = 2)
- =, !=, >, >=, < and <= comparison operators (i.e. pid = 1)
- in to check inclusion in a list of values (i.e. pid in (1, 2) or clientipv4 in ("127.0.0.1", "192.168.0.1")) This query language does not support the full set of metrics supported in the monitor query language, but instead supports a set of fields proper to each audit events type. The list of supported fields can be retrieved through the api/v1/secureEvents/scopeFilters endpoint. In addition to those fields, also these fields are supported:
- severity as numeric value in the [0, 7] range
- category as string value
- originator as string value (either policy or scanning)
- name as string value
- freeText as string value
- source as string value
- agentId as numeric value
- containerId as string value
- machineId as string value
- ruleName as string value
- ruleType as numeric value
- ruleSubType as numeric value
- policyId as numeric value
- alertName as string value
- trigger as string value
- image.id as string value
- image.registry as string value
- image.repo as string value
- image.tag as string value
- image.digest as string value
Example: agent.id=1

Response

Response Body

object

Status Code

200
The bubbleChart stats of runtime policy events and vulnerabilities with severities.
400
The query parameters are missing or invalid
403
The provided access token is invalid

No Sample Response

This method does not specify any sample responses.

Retrieves the count of events that match a filter given a specified time range (from <= to). Parameters from and to are required.

GET /api/vi/secureEvents/count

Request

Query Parameters

from
int64
From, expressed in nanoseconds. The difference between from and to cannot be greater than 2 weeks.

Possible values: value ≥ 0
Example: 1546300800000000000
to
int64
To, expressed in nanoseconds. The difference between from and to cannot be greater than 2 weeks.

Possible values: value ≥ 0
Example: 1546300800000000000
filter
string
Query language expression for filtering results. It is a subset of the full metrics query language used in monitoring. Operators:
- and, or and not logical operators (i.e. pid = 1 and ppid = 2)
- =, !=, >, >=, < and <= comparison operators (i.e. pid = 1)
- in to check inclusion in a list of values (i.e. pid in (1, 2) or clientipv4 in ("127.0.0.1", "192.168.0.1")) This query language does not support the full set of metrics supported in the monitor query language, but instead supports a set of fields proper to each audit events type. The list of supported fields can be retrieved through the api/v1/secureEvents/scopeFilters endpoint. In addition to those fields, also these fields are supported:
- severity as numeric value in the [0, 7] range
- category as string value
- originator as string value (either policy or scanning)
- name as string value
- freeText as string value
- source as string value
- agentId as numeric value
- containerId as string value
- machineId as string value
- ruleName as string value
- ruleType as numeric value
- ruleSubType as numeric value
- policyId as numeric value
- alertName as string value
- trigger as string value
- image.id as string value
- image.registry as string value
- image.repo as string value
- image.tag as string value
- image.digest as string value
Example: agent.id=1

Response

Response Body

object

Status Code

200
The scanning and secure events count by severity.
400
The query parameters are missing or invalid
403
The provided access token is invalid

No Sample Response

This method does not specify any sample responses.

Retrieves the top column value and counts of policy events that match a filter, specified time range (from <= to), and number of rows to return for all columns. Parameters from, to, and metric are required.

GET /api/vi/secureEvents/timeSeries

Request

Query Parameters

metric
Required*
string
The metric to query timeseries for. Valid values are either user or severity.

Example: severity
from
int64
From, expressed in nanoseconds. The difference between from and to cannot be greater than 2 weeks.

Possible values: value ≥ 0
Example: 1546300800000000000
to
int64
To, expressed in nanoseconds. The difference between from and to cannot be greater than 2 weeks.

Possible values: value ≥ 0
Example: 1546300800000000000
filter
string
Query language expression for filtering results. It is a subset of the full metrics query language used in monitoring. Operators:
- and, or and not logical operators (i.e. pid = 1 and ppid = 2)
- =, !=, >, >=, < and <= comparison operators (i.e. pid = 1)
- in to check inclusion in a list of values (i.e. pid in (1, 2) or clientipv4 in ("127.0.0.1", "192.168.0.1")) This query language does not support the full set of metrics supported in the monitor query language, but instead supports a set of fields proper to each audit events type. The list of supported fields can be retrieved through the api/v1/secureEvents/scopeFilters endpoint. In addition to those fields, also these fields are supported:
- severity as numeric value in the [0, 7] range
- category as string value
- originator as string value (either policy or scanning)
- name as string value
- freeText as string value
- source as string value
- agentId as numeric value
- containerId as string value
- machineId as string value
- ruleName as string value
- ruleType as numeric value
- ruleSubType as numeric value
- policyId as numeric value
- alertName as string value
- trigger as string value
- image.id as string value
- image.registry as string value
- image.repo as string value
- image.tag as string value
- image.digest as string value
Example: agent.id=1
rows
number
Describes how many rows of counts should be returned for each column category. Will be either 5 or 10.

Possible values: value ≥ 5
Default: 5
Example: 10

Response

Response Body

object

Status Code

200
The time series stats of runtime policy events for the specified columns.
400
The query parameters are missing or invalid
403
The provided access token is invalid

No Sample Response

This method does not specify any sample responses.

Retrieves the top column value and counts of policy events that match a filter, specified time range (from <= to), and number of rows to return for all columns. Parameters from and to are required.

GET /api/vi/secureEvents/topStats

Request

Query Parameters

from
int64
From, expressed in nanoseconds. The difference between from and to cannot be greater than 2 weeks.

Possible values: value ≥ 0
Example: 1546300800000000000
to
int64
To, expressed in nanoseconds. The difference between from and to cannot be greater than 2 weeks.

Possible values: value ≥ 0
Example: 1546300800000000000
filter
string
Query language expression for filtering results. It is a subset of the full metrics query language used in monitoring. Operators:
- and, or and not logical operators (i.e. pid = 1 and ppid = 2)
- =, !=, >, >=, < and <= comparison operators (i.e. pid = 1)
- in to check inclusion in a list of values (i.e. pid in (1, 2) or clientipv4 in ("127.0.0.1", "192.168.0.1")) This query language does not support the full set of metrics supported in the monitor query language, but instead supports a set of fields proper to each audit events type. The list of supported fields can be retrieved through the api/v1/secureEvents/scopeFilters endpoint. In addition to those fields, also these fields are supported:
- severity as numeric value in the [0, 7] range
- category as string value
- originator as string value (either policy or scanning)
- name as string value
- freeText as string value
- source as string value
- agentId as numeric value
- containerId as string value
- machineId as string value
- ruleName as string value
- ruleType as numeric value
- ruleSubType as numeric value
- policyId as numeric value
- alertName as string value
- trigger as string value
- image.id as string value
- image.registry as string value
- image.repo as string value
- image.tag as string value
- image.digest as string value
Example: agent.id=1
rows
number
Describes how many rows of counts should be returned for each column category. Will be either 5 or 10.

Possible values: value ≥ 5
Default: 5
Example: 10

Response

Response Body

object

Status Code

200
The count stats of policy events for all columns.
400
The query parameters are missing or invalid
403
The provided access token is invalid

No Sample Response

This method does not specify any sample responses.

Retrieves a list of audit events in a time range filters. The pair from and to and the cursor parameter are mutually exclusive. If you supply a from and to you must not supply a cursor and vice-versa.

GET /api/v2/activityAudit/events

Request

Query Parameters

from
number
From, expressed in nanoseconds.

Example: 1546300800000000000
to
number
To, expressed in nanoseconds.

Example: 1546300800000000000
cursor
string
Cursor is a string used to retrieve data given a specific context. The context can either be audit events before a certain event, after it or its surrounding.

Example: LTltNGUybXIwdWkzZThhMjE1bjRn
limit
number
Limit the number of results to return.

Possible values: 1 ≤ value ≤ 9999
Default: 100
Example: 100
scopeFilter
string
Metrics query language expression for filtering results based on the scope. In order the events to be filtered by this attributes, this attributes should be present on the labels field of the event. If the attributes are not present, it will not be possible to filter the event.

This are the supported scope filters where applicable are:
- agent.tag.*
- container.image.id
- container.image.repo
- container.image.tag
- container.image.digest
- container.label.io.kubernetes.container.name
- container.label.io.kubernetes.pod.name
- container.label.io.kubernetes.pod.namespace
- container.label.maintainer
- container.name
- host.hostName
- host.mac
- kubernetes.workload.name
- kubernetes.workload.type
- kubernetes.cluster.name
- kubernetes.cronJob.name
- kubernetes.daemonSet.name
- kubernetes.deployment.name
- kubernetes.job.name
- kubernetes.namespace.label.field.cattle.io/projectId
- kubernetes.namespace.label.project
- kubernetes.namespace.name
- kubernetes.node.name
- kubernetes.pod.name
- kubernetes.replicaSet.name
- kubernetes.service.name
- kubernetes.statefulSet.name
- aws.region
- aws.fargate.task.arn
- aws.fargate.cluster.arn
- aws.availabilityZone
- aws.accountId
- aws.user
- gcp.user
- gcp.projectId
Example: host.hostName="ip-127-0-0-1"
filter
string
Query language expression for filtering results. It is a subset of the full metrics query language used in monitoring.

Operators:
- and, or and not logical operators (i.e. pid = 1 and ppid = 2)
- =, !=, >, >=, < and <= comparison operators (i.e. pid = 1)
- in to check inclusion in a list of values (i.e. pid in (1, 2) or clientipv4 in ("127.0.0.1", "192.168.0.1"))
This query language does not support the full set of metrics supported in the monitor query language, but instead supports a set of fields proper to each audit events type.

These are the supported fields:
- id
- agentid
- clientipv4
- clientport
- cmdline
- comm
- command
- container
- containerid
- container.id
- count
- cwd
- direction
- directory
- errorcode
- filename
- groups
- l4protocol
- loginshelldistance
- loginshellid
- name
- namespace
- permissions
- pid
- ppid
- processname
- resource
- rxtimestamp
- serveripv4
- serverport
- sourceaddresses
- stages
- subresource
- timestamp
- tty
- uid
- user
- useragent
- anomaly
Example: pid=1
types
string
The event types to filter. A comma separated list of one or more of the following supported values:
- kubernetes
- commands
- connections
- fileaccesses
Example: commands,connections

Response

Response Body

object

Status Code

200
The list of audit events.
400
The request is invalid.

No Sample Response

This method does not specify any sample responses.

Retrieves an audit event of a specified type with a given id.

GET /api/v2/activityAudit/events/{type}/{eventId}

Request

Path Parameters

type
Required*
string
The event type.

Allowable values: [commands,connections,fileaccesses,kubernetes]
Example: command
eventId
Required*
string
The audit event id.

Example: 15cbf54e34df95404caad1c988cf7c42

Query Parameters

metrics
string
JSON list of metrics used to enrich results. If no metrics is passed the audit events returned will not have a metrics field populated. The metrics attributes are directly fetched from the metadata service, so please refer to it for the full list of supported metrics.

Example: ["host.hostName","container.id"]

Response

Response Body

One of

Change Schema Parameter List

Represents a command execution.

Status Code

200
Audit event with the given type and id.
404
The event could not be found.

No Sample Response

This method does not specify any sample responses.

Retrieves a trace of all the audit events related to the traceable event in case it is a long running task. The audit events returned are all the commands, connections etc collected during the duration of the traceable event. If the event has not completed yet, the time range considered is up until the current time.

GET /api/v2/activityAudit/events/{type}/{eventId}/trace

Request

Path Parameters

type
Required*
string
The event type.

Allowable values: [commands,connections,fileaccesses,kubernetes]
Example: command
eventId
Required*
string
The audit event id.

Example: 15cbf54e34df95404caad1c988cf7c42

Query Parameters

limit
number
Limit the number of results to return.

Possible values: 1 ≤ value ≤ 9999
Default: 100
Example: 100
zoneIds
string
The zones to apply as an additional filter. It is a comma separated list of zone ids

Example: 123,456

Response

Response Body

object

Status Code

200
All the events associated with this traceable event.
400
The request is invalid.
404
The event could not be found.
422
The audit event requested does not support tracing.

No Sample Response

This method does not specify any sample responses.

Retrieves a summary of the audit events in a time range grouped by a series of metrics.

GET /api/v2/activityAudit/summary

Request

Query Parameters

from
number
From, expressed in nanoseconds.

Example: 1546300800000000000
to
number
To, expressed in nanoseconds.

Example: 1546300800000000000
scopeFilter
string
Metrics query language expression for filtering results based on the scope. In order the events to be filtered by this attributes, this attributes should be present on the labels field of the event. If the attributes are not present, it will not be possible to filter the event.

This are the supported scope filters where applicable are:
- agent.tag.*
- container.image.id
- container.image.repo
- container.image.tag
- container.image.digest
- container.label.io.kubernetes.container.name
- container.label.io.kubernetes.pod.name
- container.label.io.kubernetes.pod.namespace
- container.label.maintainer
- container.name
- host.hostName
- host.mac
- kubernetes.workload.name
- kubernetes.workload.type
- kubernetes.cluster.name
- kubernetes.cronJob.name
- kubernetes.daemonSet.name
- kubernetes.deployment.name
- kubernetes.job.name
- kubernetes.namespace.label.field.cattle.io/projectId
- kubernetes.namespace.label.project
- kubernetes.namespace.name
- kubernetes.node.name
- kubernetes.pod.name
- kubernetes.replicaSet.name
- kubernetes.service.name
- kubernetes.statefulSet.name
- aws.region
- aws.fargate.task.arn
- aws.fargate.cluster.arn
- aws.availabilityZone
- aws.accountId
- aws.user
- gcp.user
- gcp.projectId
Example: host.hostName="ip-127-0-0-1"
filter
string
Query language expression for filtering results. It is a subset of the full metrics query language used in monitoring.

Operators:
- and, or and not logical operators (i.e. pid = 1 and ppid = 2)
- =, !=, >, >=, < and <= comparison operators (i.e. pid = 1)
- in to check inclusion in a list of values (i.e. pid in (1, 2) or clientipv4 in ("127.0.0.1", "192.168.0.1"))
This query language does not support the full set of metrics supported in the monitor query language, but instead supports a set of fields proper to each audit events type.

These are the supported fields:
- id
- agentid
- clientipv4
- clientport
- cmdline
- comm
- command
- container
- containerid
- container.id
- count
- cwd
- direction
- directory
- errorcode
- filename
- groups
- l4protocol
- loginshelldistance
- loginshellid
- name
- namespace
- permissions
- pid
- ppid
- processname
- resource
- rxtimestamp
- serveripv4
- serverport
- sourceaddresses
- stages
- subresource
- timestamp
- tty
- uid
- user
- useragent
- anomaly
Example: pid=1
types
string
The event types to filter. A comma separated list of one or more of the following supported values:
- kubernetes
- commands
- connections
- fileaccesses
Example: commands,connections
zoneIds
string
The zones to apply as an additional filter. It is a comma separated list of zone ids

Example: 123,456
segment
boolean
Whether or not to segment the results with a distance between points depending on the distance between from and to.

Default: false

Response

Response Body

object

Status Code

200
The summary of audit events.
400
The request is invalid.

Example responses

Status 200

[
  {
    "step": 60000000000,
    "values": {
      "command": [
        [
          1569065400000000000,
          36
        ],
        [
          1569065460000000000,
          36
        ],
        [
          1569065520000000000,
          36
        ],
        [
          1569065580000000000,
          36
        ]
      ],
      "connection": [
        [
          1569065400000000000,
          36
        ],
        [
          1569065460000000000,
          36
        ],
        [
          1569065520000000000,
          36
        ],
        [
          1569065580000000000,
          36
        ]
      ],
      "fileaccess": [
        [
          1569065400000000000,
          36
        ],
        [
          1569065460000000000,
          36
        ],
        [
          1569065520000000000,
          36
        ],
        [
          1569065580000000000,
          36
        ]
      ],
      "kubernetes": [
        [
          1569065400000000000,
          36
        ],
        [
          1569065460000000000,
          36
        ],
        [
          1569065520000000000,
          36
        ],
        [
          1569065580000000000,
          36
        ]
      ]
    }
  }
]
Copy to clipboard

Returns information about policies configured by the current customer. Policies can be filtered by priority and scope.

GET /api/v2/policies

Request

Query Parameters

offset
number
limit
number
Example: 10
filter
string
string to look for in policy names/descriptions

Example: Write below
severity
number
finds policies that correspond to a numeric value representing a severity. The query param can be repeated to look for multiple severities

Example: 3
policyType
string
finds policies of a certain type

Allowable values: [list_matching,k8s_audit,aws_cloudtrail,gcp_auditlog,syscall,azure_platformlogs,drift,machine_learning,awscloudtrail,okta,github,aws_machine_learning,malware,windows]
Example: list_matching
managed
boolean
finds policies and rulesets that are managed by Sysdig. Returns custom policies when set to false

Possible values: allows empty value
managedType
string
allows filtering by managed type - managed_policy/managed_ruleset/custom_policy

Allowable values: [managed_policy,managed_ruleset,custom_policy]
Example: policy

Response

Response Body

object[]

Status Code

200
An array of policies

No Sample Response

This method does not specify any sample responses.

Save a new security policy.

POST /api/v2/policies

Request

Request Body

Required*

object

Response

Response Body

object

Status Code

200
The newly created policy
400
The submitted policy was invalid

No Sample Response

This method does not specify any sample responses.

Save a new security policy and rules in a transaction. If the policy or any of the rules fail validation, the operation is canceled (no policy or rule is created) and an error response is returned.

POST /api/v2/policies/batch

Request

Request Body

Required*

object

Response

Response Body

object

Status Code

200
The newly created policy and rules
400
A submitted policy or rule was invalid

No Sample Response

This method does not specify any sample responses.

DELETE /api/v2/policies/{id}

Request

Path Parameters

id
Required*
string

Response

Response Body

object

Status Code

200
The deleted policy

No Sample Response

This method does not specify any sample responses.

GET /api/v2/policies/{id}

Request

Path Parameters

id
Required*
string

Response

Response Body

object

Status Code

200
The requested policy

No Sample Response

This method does not specify any sample responses.

PUT /api/v2/policies/{id}

Request

Path Parameters

id
Required*
string

Request Body

Required*

object

Response

Response Body

object

Status Code

200
The requested policy
400
The updated policy was invalid
404
Resource with the specified ID could not be found. More information about 404 can be found at https://httpstatuses.com/404
409
The user must first perform a GET request to get the current version of the resource. The user must then compare the remote version with the local expected version and merge any updates from remote if needed and then update the local version to match the remote version. More information about 409 can be found at https://httpstatuses.com/409

No Sample Response

This method does not specify any sample responses.

Retrieves a list of scan results produced by pipelines that match a filter given a specified cursor. No sorting is supported.

GET /secure/vulnerability/v1beta1/pipeline-results

Request

Query Parameters

cursor
string
Cursor is a string used to retrieve a particular page of data. The page is composed of the vulnerabilities after a certain one. It is an opaque structure, and should not be mangled. It could be retrieved in the body of each request. If a response does not contain a cursor, it means that it's the last page.

Example: LTltNGUybXIwdWkzZThhMjE1bjRn
limit
integer
Limit sets the maximum quantity of vulnerabilities returned in the response. A page is never guaranteed to contain this exact number of vulnerabilities, but it will never contain more. The maximum value is 1000, and the minimum value is 1. The default value is 1000 because little calls are discouraged.

Default: 1000
filter
string
Query language expression for filtering results. It is a subset of the full metrics query language used in monitoring.

Only the freeText parameter is supported:
- freeText as string value (note that it will search on the full image name)
Example: freeText in ("whatever")

Response

Response Body

object

Status Code

200
A successful response
400
Bad Request
401
Unauthorized
403
Forbidden
404
The requested resource could not be found
409
Conflict
422
Unprocessable entity
429
Too many requests
500
Internal error processing the request
503
The service is unavailable

No Sample Response

This method does not specify any sample responses.

Retrieves a list of registry scan results discovered by the registry scanner that match a filter given a specified cursor.

GET /secure/vulnerability/v1beta1/registry-results

Request

Query Parameters

cursor
string
Cursor is a string used to retrieve a particular page of data. The page is composed of the vulnerabilities after a certain one. It is an opaque structure, and should not be mangled. It could be retrieved in the body of each request. If a response does not contain a cursor, it means that it's the last page.

Example: LTltNGUybXIwdWkzZThhMjE1bjRn
limit
int64
Limit for pagination. The maximum value is 100, and the minimum value is 1. The default value is 1000.

Default: 1000
filter
string
Query language expression for filtering results. It is a subset of the full metrics query language used in monitoring.

Operators:
- and, or logical operators (i.e. registry.vendor = "artifactory" and registry.name = "docker.internal.sysdig.tools")
- = and != comparison operators (i.e. registry.vendor = "ecr")
This query language does not support the full set of metrics supported in the monitor query language, but instead supports a set of fields proper to each Scan Result type.

The list of supported fields is:
- repository.name as string value
- registry.vendor as string value
- scope as string value
Example: repository.name=alpine and registry.vendor=ecr

Response

Response Body

object

Status Code

200
A successful response
400
Bad Request
401
Unauthorized
403
Forbidden
404
The requested resource could not be found
409
Conflict
422
Unprocessable entity
429
Too many requests
500
Internal error processing the request
503
The service is unavailable

No Sample Response

This method does not specify any sample responses.

Retrieve a full scan result produced by any scanner that match a given ID

GET /secure/vulnerability/v1beta1/results/{resultId}

Request

Path Parameters

resultId
Required*
string
The ID of a single scan result. Could be retrieved by one of the listing endpoints.

Example: 176c77d16ee6bdd2f7482d4ec0fd0542

Response

Response Body

object

Status Code

200
A successful response
400
Bad Request
401
Unauthorized
403
Forbidden
404
The requested resource could not be found
409
Conflict
422
Unprocessable entity
429
Too many requests
500
Internal error processing the request
503
The service is unavailable

No Sample Response

This method does not specify any sample responses.

Retrieves a list of runtime scan results discovered by the runtime scanner that match a filter given a specified cursor.

GET /secure/vulnerability/v1beta1/runtime-results

Request

Query Parameters

cursor
string
Cursor is a string used to retrieve a particular page of data. The page is composed of the vulnerabilities after a certain one. It is an opaque structure, and should not be mangled. It could be retrieved in the body of each request. If a response does not contain a cursor, it means that it's the last page.

Example: LTltNGUybXIwdWkzZThhMjE1bjRn
limit
int64
Limit for pagination. The maximum value is 1000, and the minimum value is 1. The default value is 1000.

Default: 1000
filter
string
Query language expression for filtering results. It is a subset of the full metrics query language used in monitoring.

Operators:
- and, or logical operators (i.e. kubernetes.cluster.name=production and kubernetes.pod.container.name = docker.internal.sysdig.tools)
- = and != comparison operators (i.e. kubernetes.cluster.name=staging)
This query language does not support the full set of metrics supported in the monitor query language, but instead supports a set of fields proper to each Scan Result type.

The list of supported fields is:
- asset.type as string value
- kubernetes.cluster.name as string value
- kubernetes.namespace.name as string value
- kubernetes.workload.name as string value
- kubernetes.workload.type as string value
- kubernetes.pod.container.name as string value
- agent.tag.env as string value
- hasRunningVulns as boolean value
- policyStatus as enum, allowed values are passed, failed, accepted and noPolicy
- freeText as string value (note that it will search on the full image name)
Example: kubernetes.namespace.name=testing and policyStatus=failed
sort
string
Allowed values for sorting are "vulnTotalBySeverity" and "runningVulnTotalBySeverity" the default is "vulnTotalBySeverity". Only one sorting at a time is supported Ordering is also supported along with sorting. Allowed values are "asc" and "desc", and the default value is "desc"

Example: sort=runningVulnTotalBySeverity,asc

Response

Response Body

object

Status Code

200
A successful response
400
Bad Request
401
Unauthorized
403
Forbidden
404
The requested resource could not be found
409
Conflict
422
Unprocessable entity
429
Too many requests
500
Internal error processing the request
503
The service is unavailable

No Sample Response

This method does not specify any sample responses.

Retrieve the SBOM of a recently scanned image

GET /secure/vulnerability/v1beta1/sboms

Request

Query Parameters

assetId
string
The ID of the asset for which we want to retrive the sbom. It's the imageId for container-image and the hostId for hosts Provide this with assetType if not providing bomIdentifier

Example: sha256:6147d53c2a3a4d99b8343665430e5d420eb7ee65cb89995b6bea1af2595be53a
assetType
string
The type of the asset for which we want to retrive the sbom. Provide this with assetId if not providing bomIdentifier

Allowable values: [container-image,host]
bomIdentifier
string
The ID of a single sbom. Either provide this or both assetId and assetType

Example: urn:uuid:6536eeee-b8f2-4865-b996-adc991c28202

Response

Response Body

object

Status Code

200
A successful response
400
Bad Request
401
Unauthorized
403
Forbidden
404
The required resource could not be found
406
Server can't produce a response in the content-type requested by the client
429
Too many requests
500
Internal error processing the request
503
The service is unavailable

Example responses

Status 406

application/vnd.cyclonedx+xml; version=1.4, application/vnd.cyclonedx+xml; version=1.3

Retrieves a list of runtime scan results discovered by the runtime scanner that match a filter given a specified cursor.

GET /secure/vulnerability/v1/runtime-results

Request

Query Parameters

cursor
string
Cursor is a string used to retrieve a particular page of data. It is an opaque structure, and should not be mangled. It could be retrieved in the body of each request. If a response does not contain a cursor, it means that it's the last page.

Possible values: length ≤ 300
Example: MTI0MjM0Cg==
limit
int64
Limit for pagination

Possible values: 1 ≤ value ≤ 1000
Default: 1000
filter
string
Query language expression for filtering results. It is a subset of the full metrics query language used in monitoring.

Operators:
- and, or logical operators (i.e. kubernetes.cluster.name="production" and kubernetes.pod.container.name = "docker.internal.sysdig.tools")
- = and != comparison operators (i.e. kubernetes.cluster.name="staging")
This query language does not support the full set of metrics supported in the monitor query language, but instead supports a set of fields proper to each Scan Result type.

The supported fields are the all the fields of the Scope, plus: freeText, hasRunningVulns and hasRunningVulns.
Possible values: length ≤ 1024
Example: kubernetes.cluster.name="staging" and kubernetes.pod.container.name="docker.internal.sysdig.tools"
sort
string
Field used to sort the results vulnTotalBySeverity: sort by total number of running vulnerabilities weighted by severity runningVulnTotalBySeverity: sort by total number of running vulnerabilities weighted by severity for running assets

Allowable values: [vulnTotalBySeverity,runningVulnTotalBySeverity]
Default: vulnTotalBySeverity
Example: runningVulnTotalBySeverity
order
string
Ordering of the results for the sort field

Allowable values: [desc,asc]
Default: desc
Example: asc

Response

Response Body

RuntimeResultsResponse

runtime results response

Status Code

200
A successful response
400
Operation failed due to invalid payload.
401
Access denied.
403
Not enough privileges to complete the action.
409
Conflict.
429
Too many requests.
500
Internal server error.

Example responses

Status 400

{
  "details": [],
  "message": "Bad request",
  "type": "bad_request"
}
Copy to clipboard

Status 401

{
  "details": [],
  "message": "Unauthorized",
  "type": "unauthorized"
}
Copy to clipboard

Status 403

{
  "details": [],
  "message": "Forbidden",
  "type": "forbidden"
}
Copy to clipboard

Status 409

{
  "details": [],
  "message": "Conflict",
  "type": "conflict"
}
Copy to clipboard

Status 429

{
  "details": [],
  "message": "Too many requests",
  "type": "too_many_requests"
}
Copy to clipboard

Status 500

{
  "details": [],
  "message": "Internal server error",
  "type": "internal_server_error"
}
Copy to clipboard

Retrieves a list of registry scan results discovered by the registry scanner that match a filter given a specified cursor.

GET /secure/vulnerability/v1/registry-results

Request

Query Parameters

cursor
string
Cursor is a string used to retrieve a particular page of data. It is an opaque structure, and should not be mangled. It could be retrieved in the body of each request. If a response does not contain a cursor, it means that it's the last page.

Possible values: length ≤ 300
Example: MTI0MjM0Cg==
limit
int64
Limit for pagination

Possible values: 1 ≤ value ≤ 1000
Default: 1000
filter
string
Query language expression for filtering results. It is a subset of the full metrics query language used in monitoring.

Operators:
- and, or logical operators (i.e. freeText = "alpine:latest" and vendor = "docker")
- = and != comparison operators (i.e. vendor = "ecr")
This query language does not support the full set of metrics supported in the monitor query language, but instead supports a set of fields proper to each Scan Result type.

The supported fields are: freeText, vendor.
- vendor as string value
- freeText as string value (note that it will search on the full image name)
Possible values: length ≤ 1024
Example: freeText = "alpine:latest" and vendor = "docker"

Response

Response Body

RegistryResultsResponse

registry results response

Status Code

200
A successful response
400
Operation failed due to invalid payload.
401
Access denied.
403
Not enough privileges to complete the action.
409
Conflict.
429
Too many requests.
500
Internal server error.

Example responses

Status 400

{
  "details": [],
  "message": "Bad request",
  "type": "bad_request"
}
Copy to clipboard

Status 401

{
  "details": [],
  "message": "Unauthorized",
  "type": "unauthorized"
}
Copy to clipboard

Status 403

{
  "details": [],
  "message": "Forbidden",
  "type": "forbidden"
}
Copy to clipboard

Status 409

{
  "details": [],
  "message": "Conflict",
  "type": "conflict"
}
Copy to clipboard

Status 429

{
  "details": [],
  "message": "Too many requests",
  "type": "too_many_requests"
}
Copy to clipboard

Status 500

{
  "details": [],
  "message": "Internal server error",
  "type": "internal_server_error"
}
Copy to clipboard

Retrieves a list of scan results produced by pipelines that match a filter given a specified cursor. No sorting is supported, the items are sorted in a stable way by their ID.

GET /secure/vulnerability/v1/pipeline-results

Request

Query Parameters

cursor
string
Cursor is a string used to retrieve a particular page of data. It is an opaque structure, and should not be mangled. It could be retrieved in the body of each request. If a response does not contain a cursor, it means that it's the last page.

Possible values: length ≤ 300
Example: MTI0MjM0Cg==
limit
int64
Limit for pagination

Possible values: 1 ≤ value ≤ 1000
Default: 1000
filter
string
Query language expression for filtering results. It is a subset of the full metrics query language used in monitoring.

Only the freeText parameter is supported:
- freeText as string value (note that it will search on the full image name)
Possible values: length ≤ 1024
Example: freeText in ("nginx")

Response

Response Body

PipelineResultsResponse

pipeline results

Status Code

200
A successful response
400
Operation failed due to invalid payload.
401
Access denied.
403
Not enough privileges to complete the action.
409
Conflict.
429
Too many requests.
500
Internal server error.

Example responses

Status 400

{
  "details": [],
  "message": "Bad request",
  "type": "bad_request"
}
Copy to clipboard

Status 401

{
  "details": [],
  "message": "Unauthorized",
  "type": "unauthorized"
}
Copy to clipboard

Status 403

{
  "details": [],
  "message": "Forbidden",
  "type": "forbidden"
}
Copy to clipboard

Status 409

{
  "details": [],
  "message": "Conflict",
  "type": "conflict"
}
Copy to clipboard

Status 429

{
  "details": [],
  "message": "Too many requests",
  "type": "too_many_requests"
}
Copy to clipboard

Status 500

{
  "details": [],
  "message": "Internal server error",
  "type": "internal_server_error"
}
Copy to clipboard

Retrieve a full scan result produced by any scanner that match a given ID

GET /secure/vulnerability/v1/results/{resultId}

Request

Path Parameters

resultId
Required*
string
The ID of a single scan result. Could be retrieved by one of the listing endpoints.

Possible values: length ≤ 255
Example: 176c77d16ee6bdd2f7482d4ec0fd0542

Response

Response Body

ScanResultResponse

Status Code

200
A successful response
400
Operation failed due to invalid payload.
401
Access denied.
403
Not enough privileges to complete the action.
409
Conflict.
429
Too many requests.
500
Internal server error.

Example responses

Status 400

{
  "details": [],
  "message": "Bad request",
  "type": "bad_request"
}
Copy to clipboard

Status 401

{
  "details": [],
  "message": "Unauthorized",
  "type": "unauthorized"
}
Copy to clipboard

Status 403

{
  "details": [],
  "message": "Forbidden",
  "type": "forbidden"
}
Copy to clipboard

Status 409

{
  "details": [],
  "message": "Conflict",
  "type": "conflict"
}
Copy to clipboard

Status 429

{
  "details": [],
  "message": "Too many requests",
  "type": "too_many_requests"
}
Copy to clipboard

Status 500

{
  "details": [],
  "message": "Internal server error",
  "type": "internal_server_error"
}
Copy to clipboard

Retrieve a paginated list of Zones.

Required permissions: zones.read or teams.edit

GET /platform/v1/zones

Request

Query Parameters

filter
string[]
Filters to apply in the form of key:value.
Multiple filters can be applied by repeating the filter parameter:
&filter=key1:value1&filter=key2:value2

Possible values: number of items ≤ 4, length ≤ 512
Default: []
limit
int32
The number of items to return

Possible values: 1 ≤ value ≤ 200
Default: 25
Example: 25
offset
int32
The offset number of items to start with

Possible values: 0 ≤ value ≤ 2147483647
Default: 0
Example: 30
orderby
string[]
Ordering to apply in the form of field:direction where direction can either be asc or desc.
Multiple orderings can be applied by repeating the orderby parameter:
&orderby=key1:direction1&orderby=key2:direction2

Possible values: number of items ≤ 4, length ≤ 256

Response

Response Body

ListZonesResponseV1

Status Code

200
A list of Zones
400
Operation failed due to invalid payload.
401
Access denied.
422
Server was unable to process the request.
429
Too many requests.
500
Internal server error.

Example responses

Status 400

{
  "details": [],
  "message": "Bad request",
  "type": "bad_request"
}
Copy to clipboard

Status 401

{
  "details": [],
  "message": "Unauthorized",
  "type": "unauthorized"
}
Copy to clipboard

Status 422

{
  "details": [],
  "message": "Unprocessable content",
  "type": "unprocessable_content"
}
Copy to clipboard

Status 429

{
  "details": [],
  "message": "Too many requests",
  "type": "too_many_requests"
}
Copy to clipboard

Status 500

{
  "details": [],
  "message": "Internal server error",
  "type": "internal_server_error"
}
Copy to clipboard

Create a new Zone.

Required permissions: zones.edit

POST /platform/v1/zones

Request

Request Body

Required*

CreateZoneRequestV1

Request body for creating a new Zone

Response

Response Body

ZoneResponseV1

Status Code

200
A Single Zone
400
Operation failed due to invalid payload.
401
Access denied.
409
Conflict.
422
Server was unable to process the request.
429
Too many requests.
500
Internal server error.

Example responses

Status 400

{
  "details": [],
  "message": "Bad request",
  "type": "bad_request"
}
Copy to clipboard

Status 401

{
  "details": [],
  "message": "Unauthorized",
  "type": "unauthorized"
}
Copy to clipboard

Status 409

{
  "details": [],
  "message": "Conflict",
  "type": "conflict"
}
Copy to clipboard

Status 422

{
  "details": [],
  "message": "Unprocessable content",
  "type": "unprocessable_content"
}
Copy to clipboard

Status 429

{
  "details": [],
  "message": "Too many requests",
  "type": "too_many_requests"
}
Copy to clipboard

Status 500

{
  "details": [],
  "message": "Internal server error",
  "type": "internal_server_error"
}
Copy to clipboard

Delete a Zone by its ID.

Required permissions: zones.edit

DELETE /platform/v1/zones/{zoneId}

Request

Path Parameters

zoneId
Required*
int64
ID of the Zone

Possible values: value ≥ 0
Example: 1

Response

Status Code

204
Zone successfully deleted
400
Operation failed due to invalid payload.
401
Access denied.
404
Zone not found
409
Conflict.
422
Server was unable to process the request.
429
Too many requests.
500
Internal server error.

Example responses

Status 400

{
  "details": [],
  "message": "Bad request",
  "type": "bad_request"
}
Copy to clipboard

Status 401

{
  "details": [],
  "message": "Unauthorized",
  "type": "unauthorized"
}
Copy to clipboard

Status 409

{
  "details": [],
  "message": "Conflict",
  "type": "conflict"
}
Copy to clipboard

Status 422

{
  "details": [],
  "message": "Unprocessable content",
  "type": "unprocessable_content"
}
Copy to clipboard

Status 429

{
  "details": [],
  "message": "Too many requests",
  "type": "too_many_requests"
}
Copy to clipboard

Status 500

{
  "details": [],
  "message": "Internal server error",
  "type": "internal_server_error"
}
Copy to clipboard

Retrieve a single Zone by ID.

Required permissions: zones.read

GET /platform/v1/zones/{zoneId}

Request

Path Parameters

zoneId
Required*
int64
ID of the Zone

Possible values: value ≥ 0
Example: 1

Response

Response Body

ZoneResponseV1

Status Code

200
A Single Zone
400
Operation failed due to invalid payload.
401
Access denied.
404
Zone not found
422
Server was unable to process the request.
429
Too many requests.
500
Internal server error.

Example responses

Status 400

{
  "details": [],
  "message": "Bad request",
  "type": "bad_request"
}
Copy to clipboard

Status 401

{
  "details": [],
  "message": "Unauthorized",
  "type": "unauthorized"
}
Copy to clipboard

Status 422

{
  "details": [],
  "message": "Unprocessable content",
  "type": "unprocessable_content"
}
Copy to clipboard

Status 429

{
  "details": [],
  "message": "Too many requests",
  "type": "too_many_requests"
}
Copy to clipboard

Status 500

{
  "details": [],
  "message": "Internal server error",
  "type": "internal_server_error"
}
Copy to clipboard

Update an existing Zone by its ID.

Required permissions: zones.edit

PUT /platform/v1/zones/{zoneId}

Request

Path Parameters

zoneId
Required*
int64
ID of the Zone

Possible values: value ≥ 0
Example: 1

Request Body

Required*

CreateZoneRequestV1

Request body for editing an existing zone

Response

Response Body

ZoneResponseV1

Status Code

200
A Single Zone
400
Operation failed due to invalid payload.
401
Access denied.
422
Server was unable to process the request.
429
Too many requests.
500
Internal server error.

Example responses

Status 400

{
  "details": [],
  "message": "Bad request",
  "type": "bad_request"
}
Copy to clipboard

Status 401

{
  "details": [],
  "message": "Unauthorized",
  "type": "unauthorized"
}
Copy to clipboard

Status 422

{
  "details": [],
  "message": "Unprocessable content",
  "type": "unprocessable_content"
}
Copy to clipboard

Status 429

{
  "details": [],
  "message": "Too many requests",
  "type": "too_many_requests"
}
Copy to clipboard

Status 500

{
  "details": [],
  "message": "Internal server error",
  "type": "internal_server_error"
}
Copy to clipboard

Retrieve a paginated list of Report Schedules.

Required permissions: platform.reporting.schedules.read

GET /platform/reporting/v1/schedules

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

ListSchedules

Status Code

200
List of Report schedules
400
Operation failed due to invalid payload.
401
Access denied.
422
Server was unable to process the request.
429
Too many requests.
500
Internal server error.

Example responses

Status 400

{
  "details": [],
  "message": "Bad request",
  "type": "bad_request"
}
Copy to clipboard

Status 401

{
  "details": [],
  "message": "Unauthorized",
  "type": "unauthorized"
}
Copy to clipboard

Status 422

{
  "details": [],
  "message": "Unprocessable content",
  "type": "unprocessable_content"
}
Copy to clipboard

Status 429

{
  "details": [],
  "message": "Too many requests",
  "type": "too_many_requests"
}
Copy to clipboard

Status 500

{
  "details": [],
  "message": "Internal server error",
  "type": "internal_server_error"
}
Copy to clipboard

Retrieve a list of Report Job runs.

Required permissions: platform.reporting.report-downloads.read

GET /platform/reporting/v1/jobs

Request

Query Parameters

scheduleId
Required*
string
ID of the Schedule

Possible values: length ≤ 512
Example: 2pUnGeLvrOo5qoWuvXg5H9nEH2g
reportId
int64
ID of the Report

Possible values: 0 ≤ value ≤ 1000000
Example: 1
isReportTemplate
string
Indicates whether the report is a template.

Allowable values: [true,false]
Example: true
completedOn
int64
Date the job was completed in epoch milliseconds.

Possible values: value ≥ 0
Example: 1
jobType
string
Type of the job.

Allowable values: [ON_DEMAND,SCHEDULED]
Example: SCHEDULED
status
string
Status of the job.

Allowable values: [RUNNING,COMPLETED,FAILED,CREATED]
Example: COMPLETED
kind
string
Kind of the report.

Allowable values: [compliance_readiness,vulnerability_management]
Example: compliance_readiness
policies
string
List of policy IDs in string format.

Possible values: length ≤ 8192
Example: [1,2,3]
zones
string
List of zone IDs in string format.

Possible values: length ≤ 8192
Example: [1,2,3]

Response

Response Body

ListJobs

Status Code

200
List of Report job runs.
400
Operation failed due to invalid payload.
401
Access denied.
422
Server was unable to process the request.
429
Too many requests.
500
Internal server error.

Example responses

Status 400

{
  "details": [],
  "message": "Bad request",
  "type": "bad_request"
}
Copy to clipboard

Status 401

{
  "details": [],
  "message": "Unauthorized",
  "type": "unauthorized"
}
Copy to clipboard

Status 422

{
  "details": [],
  "message": "Unprocessable content",
  "type": "unprocessable_content"
}
Copy to clipboard

Status 429

{
  "details": [],
  "message": "Too many requests",
  "type": "too_many_requests"
}
Copy to clipboard

Status 500

{
  "details": [],
  "message": "Internal server error",
  "type": "internal_server_error"
}
Copy to clipboard

Introduction

Endpoint URL

Authentication

Auditing

Error handling

Methods

List the Cloud Account IDs.

Request

No Request Parameters

Response

Response Body

Status Code

200

403

404

List the Cloud Accounts.

Request

Query Parameters

provider

includeExternalID

includeExternalId

Response

Response Body

accountId

alias

ciemEnabled

cloudConnectorBuildVersion

cloudConnectorFirstSeenAt

cloudConnectorLastSeenAt

component

hasAdvancePrerequisiteSet

provider

roleAvailable

roleLastUsedAt

roleName

workloadIdentityAccountAlias

workloadIdentityAccountId

zones

id

name

Status Code

200

403

No Sample Response

Create a new Cloud Account.

Request

Query Parameters

includeExternalID

includeExternalId

upsert

Response

Response Body

accountId

alias

ciemEnabled

cloudConnectorBuildVersion

cloudConnectorFirstSeenAt

cloudConnectorLastSeenAt

component

hasAdvancePrerequisiteSet

provider

roleAvailable

roleLastUsedAt

roleName

workloadIdentityAccountAlias

workloadIdentityAccountId

zones

id

name

externalId

Status Code

200

400

403

409

500

No Sample Response

Register a new Cloud Account.

Request

Request Body