Introduction
In architectures that are focused on container and microservices, you can use IBM Cloud® Security and Compliance Center Workload Protection to protect, monitor, and enhance forensic analysis of your pipeline and runtime components.
IBM Cloud Security and Compliance Center Workload Protection is available natively on IBM Cloud with an API and SDK that is maintained and provided by Sysdig.
For details about using IBM Cloud Security and Compliance Center Workload Protection, see the IBM Cloud docs.
Use the following syntax from a terminal to run a cURL command:
curl -X <METHOD> <ENDPOINT>/<API_URL> <-H HEADERS,> [-d DATA]
Where
<METHOD>
indicates the type of REST API call that you want to make.<ENDPOINT>
indicates the endpoint where the IBM Cloud Security and Compliance Center Workload Protection instance is available. For more information, see Endpoints.<API_URL>
The API URL.HEADERS
add additional information such as information to authenticate with the IBM Cloud Security and Compliance Center Workload Protection service.DATA
allows you to pass additional information that might be required.
The code examples on this tab use the client library that is provided for Python.
import os
import sys
sys.path.insert(0, os.path.join(os.path.dirname(os.path.realpath(sys.argv[0])), '..'))
from sdcclient import IbmAuthHelper, SdMonitorClient
# Parse arguments.
def usage():
print('usage: %s <ENDPOINT_URL> <API_KEY> <INSTANCE_GUID>' % sys.argv[0])
print('ENDPOINT_URL: IBM Cloud endpoint URL (for example https://us-south.security-compliance-secure.cloud.ibm.com')
print('API_KEY: IBM Cloud IAM API key. This key is used to retrieve an IAM access token.')
print('INSTANCE_GUID: GUID of an Security and Compliance Center Workload Protection instance.')
sys.exit(1)
if len(sys.argv) != 4:
usage()
URL = sys.argv[1]
APIKEY = sys.argv[2]
GUID = sys.argv[3]
# Instantiate the client
ibm_headers = IbmAuthHelper.get_headers(URL, APIKEY, GUID)
sdclient = SdMonitorClient(sdc_url=URL, custom_headers=ibm_headers)
Endpoint URL
You can use public and private endpoints. To find out about the available endpoints, see REST API Endpoints.
The endpoint for the IBM Cloud Security and Compliance Center Workload Protection API is in the format: https://cloud.ibm.com.security-compliance-secure.cloud.ibm.com/api
For example, the API endpoint for Dallas is: https://us-south.security-compliance-secure.cloud.ibm.com/api
Example request to a Dallas endpoint:
curl -X GET https://us-south.security-compliance-secure.cloud.ibm.com/api/alerts/<ALERT_ID> -H "Authorization: $AUTH_TOKEN" -H "IBMInstanceID: $GUID" -H "TeamID: $TEAM_ID" -H "content-type: application/json"
Replace <ALERT_ID>
, AUTH_TOKEN
, GUID
and TEAM_ID
in this example with the values for your particular API call.
Example request to a Dallas endpoint
import os
import sys
sys.path.insert(0, os.path.join(os.path.dirname(os.path.realpath(sys.argv[0])), '..'))
from sdcclient import IbmAuthHelper, SdMonitorClient
# Parse arguments.
def usage():
print('usage: %s <ENDPOINT_URL> <API_KEY> <INSTANCE_GUID>' % sys.argv[0])
print('ENDPOINT_URL: IBM Cloud endpoint URL (e.g. https://us-south.security-compliance-secure.cloud.ibm.com')
print('API_KEY: IBM Cloud IAM API key. This key is used to retrieve an IAM access token.')
print('INSTANCE_GUID: GUID of an IBM Cloud Monitoring instance.')
sys.exit(1)
if len(sys.argv) != 4:
usage()
URL = sys.argv[1]
APIKEY = sys.argv[2]
GUID = sys.argv[3]
# Instantiate the client
ibm_headers = IbmAuthHelper.get_headers(URL, APIKEY, GUID)
sdclient = SdMonitorClient(sdc_url=URL, custom_headers=ibm_headers)
Authentication
Access to IBM Cloud Security and Compliance Center Workload Protection is controlled by using IBM Cloud Identity and Access Management (IAM), which provides a unified approach to managing user identities and access control across your IBM Cloud services and applications.
This API requires IBM Cloud Identity and Access Management (IAM) authentication. You must pass an IAM token in the Authorization header of the request. You can retrieve your IAM access token, which is prefixed with Bearer
, by running the ibmcloud iam oauth-tokens
command. You must also set the Account header to the unique ID for your IBM Cloud account. You can retrieve your Account ID by running the ibmcloud account show command.
To call each method, you must be assigned a role that includes the required IAM actions. Each method lists the associated action. For more information about IAM actions and how they map to roles, see Controlling access through IAM.
In a cURL command, add the following headers to authenticate with the IBM Cloud Security and Compliance Center Workload Protection service by using an IAM token:
-H "Authorization: $AUTH_TOKEN"
-H "IBMInstanceID: $GUID"
-H "TeamID: $TEAM_ID"
Where
-
IBMInstanceID
indicates the GUID of the IBM Cloud Security and Compliance Center Workload Protection instance that you want to target with the cURL command.To get the GUID of the monitoring instance, run the following command:
ibmcloud resource service-instance <NAME> --output json | jq -r '.[].guid'
-
Authorization
indicates the IAM token that is used to authenticate with the IBM Cloud Monitoring service instance.To get the IAM
AUTH_TOKEN
token, run the following command:ibmcloud iam oauth-tokens | awk '{print $4}'
For more information, see Getting the IAM API token.
-
TeamID
indicates the GUID of a team.To get the GUID, see Getting the ID of a team.
To use IBM Cloud IAM authentication with the Python client, you must specify an endpoint, an API key, and the GUID from your IBM Cloud Monitoring instance.
Complete the following steps from a terminal:
-
Get the GUID of your IBM Cloud Security and Compliance Center Workload Protection instance. Run the following command:
ibmcloud resource service-instance <NAME> --output json | jq -r '.[].guid'
-
Get the API key. Run the following command to generate a user API key:
ibmcloud iam api-key-create KEY_NAME
-
Get the endpoint for the region where the instance is available.
-
Add the following entries to your Python script:
from sdcclient import IbmAuthHelper, SdMonitorClient URL = <ENDPOINT> # For example: URL = 'https://us-south.security-compliance-secure.cloud.ibm.com' APIKEY = <IAM_APIKEY> GUID = <GUID> ibm_headers = IbmAuthHelper.get_headers(URL, APIKEY, GUID) sdclient = SdMonitorClient(sdc_url=URL, custom_headers=ibm_headers)
Where
<ENDPOINT>
must be replaced with the endpoint where the IBM Cloud Security and Compliance Center Workload Protection instance is available.<IAM_APIKEY>
must be replaced with a valid IAM API key. Learn more.<GUID>
must be replaced with the GUID of the IBM Cloud Security and Compliance Center Workload Protection instance that you obtain in the previous step.
You can now use the sdclient to perform actions that will be authenticated by using IAM.
If you get the error 400 Client Error: Bad Request for url: https://iam.cloud.ibm.com/identity/token
, check the API key. The value that you are passing is not valid.
Auditing
You can monitor API activity within your account by using the IBM Cloud Activity Tracker service. Whenever an API method is called, an event is generated that you can then track and audit from within Activity Tracker. The specific event type is listed for each individual method. For more information about how to track IBM Cloud Security and Compliance Center Workload Protection activity, see Auditing the events for IBM Cloud Security and Compliance Center Workload Protection.
Error handling
The IBM Cloud Security and Compliance Center Workload Protection service uses standard HTTP response codes to indicate whether a method completed successfully.
- A
200
response always indicates success. - A
400
type response indicates a failure. - A
500
type response usually indicates an internal system error.
HTTP Error Code | Description |
---|---|
200 |
Success |
201 |
Success |
400 |
Bad Request |
401 |
Unauthorized |
403 |
Forbidden |
404 |
Not Found |
422 |
Validation error, reason stated in the response body |
500 |
Internal Server Error |
Methods
Compliance Views
Get the high-level compliance views for all zones.
GET /api/cspm/v1/compliance/views
Response
List of Compliance Views
Zone ID
Example:
1
Zone name
Example:
Entire Infrastructure
List of policies calculated in the View
Policy ID
Example:
100066
Policy name
Example:
My Policy
Percentage of passing requirements
Example:
55
View result history (last 7 evaluations)
Time of evaluation in unix timestamp (milliseconds)
Example:
1661430108
Number of failing requirements
Example:
56
Percentage of passing requirements
Example:
53
requirementsHistory
Number of failing controls
Example:
58
Counters of violated resources per severity
Example:
930
Example:
806
Example:
980
resourceViolationSummary
Number of accepted resources
Example:
2
policies
data
Status Code
Successfully returned CSPM v1 Compliance Views.
Invalid or missing auth token.
Forbidden access to CSPM v1.
The server encountered an unexpected condition that prevented it from fulfilling the request.
Service is unavailable.
No Sample Response
Compliance Results
Get the compliance results for a given filter.
GET /api/cspm/v1/compliance/requirements
Request
Query Parameters
Query language expression for filtering results. Operators:
and
,or
andnot
logical operators=
,!=
in
contains
andstartsWith
to check partial values of attributes
List of supported fields:
name
- Type: string
- Example:
name in ("1.5 - Exposing HostPort")
- Description: The compliance requirements that will be included in the results.
policy.name
- Type: string
- Example:
policy.name in ("CIS Distribution Independent Linux Benchmark", "CIS Docker Benchmark")
- Description: The compliance policies that will be included in the results.
zone.name
- Type: string
- Example:
zone.name="Entire Infrastructure"
- Description: The zones that will be included in the results.
pass
- Type: boolean
- Example:
pass=false
- Description: Show passing or failing requirements. If no value - will show both passing and failing requirements.
severity
- Type: Integer
- Example:
severity in (3, 2)
- Description: Requirement severity. (1=low, 2=medium, 3=high)
Note: Whenever filtering for values with special characters, the values need to be encoded. When “ or \ are the special characters, they need to be escaped with \ and then encoded.
Example:
pass=false and policy.name in ("CIS Amazon Web Services Foundations Benchmark") and severity=3
Page number. Defaults to 1.
Example:
1
Page size. Defaults to 10.
Example:
50
Response
Requirement ID
Example:
5000
Requirement name
Example:
1.1.1 Ensure a separate partition for containers has been created
Requirement description
Example:
All Docker containers and their data and metadata is stored under '/var/lib/docker' directory. By default, '/var/lib/docker' should be mounted under either the '/' or '/var' partitions dependent on how the Linux operating system in use is configured.
Highest control severity
Example:
High
Is requirement passing
Number of failing controls
Example:
1
Number of failing resources for high-severity controls
Example:
1
Number of failing resources for medium-severity controls
Example:
5
Number of failing resources for low-severity controls
Example:
3
Number of accepted resources
Example:
2
Policy ID
Example:
4
Policy name
Example:
CIS Docker Benchmark
Control ID.
Example:
5000
Control name.
Example:
Separate partition for containers mounted
Control description.
Example:
Ensure a separate partition for containers has been created
Is control passing.
Control severity.
Example:
High
Does control need to be checked manually.
Example:
true
Number of failing resources.
Example:
5
Last evaluation time in unix timestamp (milliseconds).
Example:
1660742138
Number of accepted resources.
Example:
1
Kind of resource evaluated by the control.
Example:
host
API endpoint for listing the evaluated resources for this control.
Example:
/api/cspm/v1/kube/resources?controlId=32&resourceKind=workload&filter=policyId=100000 and zones.id=1
List of supported distributions of a specific control.
Distribution name.
Example:
Vanilla
Distribution min version.
Example:
1.23
Distribution max version.
Example:
1.25
supportedDistributions
controls
Requirement zone
Zone ID
Example:
1001
Zone name
Example:
Entire Infrastructure
zone
data
Total number of requirements matching filter (limited to 1000)
Example:
732
Status Code
Successfully returned CSPM v1 Compliance Results.
Invalid or missing auth token.
Forbidden access to CSPM v1.
The server encountered an unexpected condition that prevented it from fulfilling the request.
Service is unavailable.
No Sample Response
Kuberenetes Resources
Gets the list of Kubernetes resources and their compliance data for a specific control
GET /api/cspm/v1/kube/resources
Request
Query Parameters
Control ID
Example:
21
Resource kind ('workload', 'subject', 'role' or 'group')
Example:
workload
Query language expression for filtering results. Operators:
and
,or
andnot
logical operators=
,!=
in
contains
andstartsWith
to check partial values of attributes
List of supported fields:
zones.id
- Type: integer
- Example:
zones.id=1
- Description: Evaluated zone ID.
zoneName
- Type: string
- Description: Zone name
policyId
- Type: integer
- Example:
policyId=1
- Description: Evaluated policy ID.
policyName
- Type: string
- Description: Policy name
pass
- Type: boolean
- Example:
pass=true
- Description: Passing status of resource.
accepted
- Type: boolean
- Example:
accepted=true
- Description: Return accepted resources.
clusterName
- Type: string
- Description: Cluster name.
name
- Type: string
- Description: Resource name.
namespace
- Type: string
- Description: Resource namespace.
type
- Type: string
- Example:
type="DaemonSet"
- Description: Resource k8s type.
labelValues
- Type: string
- Description: Resource labels.
distributionName
- Type: string
- Description: Kubernetes Distribution Name.
- Example: distributionName in ("Vanilla")
distributionVersion
- Type: string
- Description: Kubernetes Distribution Version.
- Example: distributionVersion in (1.23, 1.25)
Note: Whenever filtering for values with special characters, the values need to be encoded. When “ or \ are the special characters, they need to be escaped with \ and then encoded.
Example:
pass=false or accepted=true
Page number. Defaults to 1.
Example:
1
Page size. Defaults to 50.
Example:
50
Response
Resource unique identifier
Example:
4e3e444e6e42e00c69e57e7119929eb1
Resource name
Example:
risky-redis-deployment
Resource namespace
Example:
risky-redis-deployment
Resource labels
Is resource passing for given control
Kubernetes object type
Example:
Deployment
List of container names violating the given control
Cluster name
Example:
kspm-test-chen-4
Resource last evaluation date in unix timestamp (milliseconds)
Example:
1660742138
Risk acceptance data
Acceptance ID
Example:
62fce98ebc19e98141f04f1f
Acceptance date in unix timestamp (milliseconds)
Example:
1660742030427
Acceptance reason
Example:
Risk Owned
Acceptance additional description
Example:
Jane - will take care of it
Acceptance expiry date in unix timestamp (milliseconds)
Example:
1663361999999
Is acceptance expired
Acceptance period in days
Example:
30
User display name of the user that accepted the risk
Example:
Jane Doe
Username of the user that accepted the risk
Example:
jane.doe@myorg.com
acceptance
Resource zones
Zone ID
Example:
1001
Zone name
Example:
Entire Infrastructure
zones
Distribution Name.
Example:
vanilla
Distribution Version.
Example:
1.23
data
Total number of resources matching filter (limited to 1000)
Example:
5112
Status Code
Successfully returned CSPM v1 Kubernetes resources.
Invalid or missing auth token.
Forbidden access to CSPM v1.
The server encountered an unexpected condition that prevented it from fulfilling the request.
Service is unavailable.
No Sample Response
Cluster Analysis Resources
Gets the list of cluster analysis resources and their compliance data for a specific control
GET /api/cspm/v1/clusteranalysis/resources
Request
Query Parameters
Control ID
Example:
21
Type of benchmark to retrieve resources for (0-Linux, 1-Docker, 2-Kubernetes). Defaults to 0.
Example:
1
Resource kind ('host' or 'cluster')
Example:
host
Query language expression for filtering results. Operators:
and
,or
andnot
logical operators=
,!=
in
contains
andstartsWith
to check partial values of attributes
List of supported fields:
zones.id
- Type: integer
- Example:
zones.id=1
- Description: Evaluated zone ID.
zoneName
- Type: string
- Description: Zone name
policyId
- Type: integer
- Example:
policyId=1
- Description: Evaluated policy ID.
policyName
- Type: string
- Description: Policy name
pass
- Type: boolean
- Example:
pass=true
- Description: Passing status of resource.
accepted
- Type: boolean
- Example:
accepted=true
- Description: Return accepted resources.
clusterName
- Type: string
- Description: Cluster name.
name
- Type: string
- Description: Host name.
nodeInfo.osName
- Type: string
- Description: Host operating system.
nodeInfo.osImage
- Type: string
- Description: Host operating system image.
distributionName
- Type: string
- Description: Kubernetes Distribution Name.
- Example: distributionName in ("Vanilla")
distributionVersion
- Type: string
- Description: Kubernetes Distribution Version.
- Example: distributionVersion in (1.23, 1.25)
Note: Whenever filtering for values with special characters, the values need to be encoded. When “ or \ are the special characters, they need to be escaped with \ and then encoded.
Example:
pass=false or accepted=true
Page number. Defaults to 1.
Example:
1
Page size. Defaults to 50.
Example:
50
Response
Resource unique identifier
Example:
4e3e444e6e42e00c69e57e7119929eb1
Resource name
Example:
risky-redis-deployment
Host OS image
Example:
Ubuntu 20.04.2 LTS
OS name
Example:
linux
Is resource passing for given control
Configuration error occurred while checking the resource
Object type
Example:
host
Cluster name
Example:
kspm-test-chen-4
Resource last evaluation date in unix timestamp (milliseconds)
Example:
1660742138
Risk acceptance data
Acceptance ID
Example:
62fce98ebc19e98141f04f1f
Acceptance date in unix timestamp (milliseconds)
Example:
1660742030427
Acceptance reason
Example:
Risk Owned
Acceptance additional description
Example:
Jane - will take care of it
Acceptance expiry date in unix timestamp (milliseconds)
Example:
1663361999999
Is acceptance expired
Acceptance period in days
Example:
30
User display name of the user that accepted the risk
Example:
Jane Doe
Username of the user that accepted the risk
Example:
jane.doe@myorg.com
acceptance
Resource zones
Zone ID
Example:
1001
Zone name
Example:
Entire Infrastructure
zones
Distribution Name
Example:
vanilla
Distribution Version
Example:
1.23
data
Total number of resources matching filter (limited to 1000)
Example:
5112
Status Code
Successfully returned CSPM v1 Cluster Analysis resources.
Invalid or missing auth token.
Forbidden access to CSPM v1.
The server encountered an unexpected condition that prevented it from fulfilling the request.
Service is unavailable.
No Sample Response
Cloud Resources
Gets the list of cloud resources and their compliance data for a specific control
GET /api/cspm/v1/cloud/resources
Request
Query Parameters
Control ID
Example:
21
Provider type to retrieve resources for (AWS, GCP or Azure)
Example:
AWS
Resource kind
Example:
AWS_S3_BUCKET
Query language expression for filtering results. Operators:
and
,or
andnot
logical operators=
,!=
in
contains
andstartsWith
to check partial values of attributes
List of supported fields:
zones.id
- Type: integer
- Example:
zones.id=1
- Description: Evaluated zone ID.
zoneName
- Type: string
- Description: Zone name
policyId
- Type: integer
- Example:
policyId=1
- Description: Evaluated policy ID.
policyName
- Type: string
- Description: Policy name
pass
- Type: boolean
- Example:
pass=true
- Description: Passing status of resource.
accepted
- Type: boolean
- Example:
accepted=true
- Description: Return accepted resources.
name
- Type: string
- Description: Resource name.
account
- Type: string
- Description: Cloud Account that this resource belongs to.
location
- Type: string
- Description: Region where this resource is located.
organization
- Type: string
- Description: Organization that this resource belongs to.
Note: Whenever filtering for values with special characters, the values need to be encoded. When “ or \ are the special characters, they need to be escaped with \ and then encoded.
Example:
pass=false or accepted=true
Page number. Defaults to 1.
Example:
1
Page size. Defaults to 50.
Example:
50
Response
Resource unique identifier
Example:
4e3e444e6e42e00c69e57e7119929eb1
Resource name
Example:
acl-0ec898c5d834142ed
Organization that this resource belongs to
Example:
o-tdkbj7rwhn
Cloud account that this resource belongs to
Example:
316651456328
Is resource passing for given control
Object type
Example:
Network ACL
Region where this resource is located
Example:
us-east-2
Resource last evaluation date in unix timestamp (milliseconds)
Example:
1660742138
Risk acceptance data
Acceptance ID
Example:
62fce98ebc19e98141f04f1f
Acceptance date in unix timestamp (milliseconds)
Example:
1660742030427
Acceptance reason
Example:
Risk Owned
Acceptance additional description
Example:
Jane - will take care of it
Acceptance expiry date in unix timestamp (milliseconds)
Example:
1663361999999
Is acceptance expired
Acceptance period in days
Example:
30
User display name of the user that accepted the risk
Example:
Jane Doe
Username of the user that accepted the risk
Example:
jane.doe@myorg.com
acceptance
Resource zones
Zone ID
Example:
1001
Zone name
Example:
Entire Infrastructure
zones
data
Total number of resources matching filter (limited to 1000)
Example:
5112
Status Code
Successfully returned CSPM v1 Cloud resources.
Invalid or missing auth token.
Forbidden access to CSPM v1.
The server encountered an unexpected condition that prevented it from fulfilling the request.
Service is unavailable.
No Sample Response
Request
Query Parameters
Query language expression for filtering results. Operators:
and
,or
andnot
logical operators=
,!=
in
contains
andstartsWith
to check partial values of attributes
List of supported fields:
name
- Type: string
- Description: Control name.
description
- Type: string
- Description: Control description.
severity
- Type: Integer
- Description: Requirement severity. (1=low, 2=medium, 3=high)
- Example:
severity in (3, 2)
type
- Type: string
- Description: Host control type.
- Example:
type="Host"
target
- Type: string
- Description: Control supported target. ("AKS", "AWS", "Azure", "Docker" ,"EKS", "Linux", "GCP", "GKE", "IKS", "MKE", "OCP4", "Vanilla")
- Example:
target in ("IKS")
Note: Whenever filtering for values with special characters, the values need to be encoded. When “ or \ are the special characters, they need to be escaped with \ and then encoded.
Example:
type="host" and severity in (3, 2)
Page number. Defaults to 1.
Example:
1
Page size. Defaults to 50.
Example:
50
Response
Control id.
Example:
4e3e444e6e42e00c69e57e7119929eb1
Control name.
Example:
"Users" .netrc files permissions 600 or more restrictive
Control description.
Example:
'.netrc' files may contain unencrypted passwords that may be used to attack other systems.
Control authors.
Example:
Sysdig
Does control need to be checked manually.
Example:
true
Is control created by system.
Example:
true
Control severity.
Example:
High
Control platform.
Example:
Kubernetes
List of supported distributions of a specific control.
Distribution name.
Example:
Vanilla
Distribution min version.
Example:
1.23
Distribution max version.
Example:
1.25
supportedDistributions
API endpoint for listing the evaluated resources for this control.
Example:
/api/cspm/v1/kube/resources?controlId=32&resourceKind=workload&filter=policyId=100000 and zones.id=1
data
Total number of controls matching filter (limited to 1000)
Example:
5112
Status Code
Successfully returned CSPM v1 controls.
Invalid or missing auth token.
Forbidden access to CSPM v1.
The server encountered an unexpected condition that prevented it from fulfilling the request.
Service is unavailable.
No Sample Response
Search and list Inventory Resources
Search for Inventory Resources based on a given filter.
GET /api/cspm/v1/inventory/resources
Request
Query Parameters
Query language expression for filtering results. Operators:
and
,or
andnot
logical operators=
,!=
in
contains
andstartsWith
to check partial values of attributesexists
to check if a field exists and not empty
List of supported fields:
account
- Type: string
- Example:
account in ("285211435247")
- Description: The account that will be included in the results.
cluster
- Type: string
- Example:
cluster in ("cluster1")
- Description: The kubernetes cluster that will be included in the results.
externalDNS
- Type: string
- Example:
externalDNS in ("ec2-102-34-15-23.compute-1.amazonaws.com")
- Description: The external DNS that will be included in the results.
distribution
- Type: string
- Example:
distribution in ("gke", "vanilla")
- Description: The kubernetes distribution that will be included in the results.
labels
- Type: string
- Example:
not labels exists
- Description: The resource labels that will be included in the results.
name
- Type: string
- Example:
name starts with "acl"
- Description: The names that will be included in the results.
namespace
- Type: string
- Example:
namespace contains "production"
- Description: The namespace that will be included in the results.
nodeType
- Type: string
- Example:
nodeType="Worker"
- Description: The nodeType that will be included in the results.
osName
- Type: string
- Example:
osName != "linux"
- Description: The operating system that will be included in the results.
organization
- Type: string
- Example:
organization = "s-xqe92dwe61"
- Description: The organization that will be included in the results.
platform
- Type: string
- Example:
platform = "AWS"
- Description: The platform that will be included in the results.
control.accepted
- Type: string
- Example:
control.accepted exists
- Description: Include (or Exclude) only resources with accepted results. Supported operators: exists and not exists.
policy
- Type: string
- Example:
policy in (“CIS Docker Benchmark”)
- Description: Include resources that applied the selected policies. Supported operators: in, not in, exists, not exists.
control.severity
- Type: string
- Example:
control.severity in ("High")
- Description: Include resources that have violated risks in the selected severities. Supported operators: in, not in.
control.failed
- Type: string
- Example:
control.failed in ("/etc/default/docker owned by root:root")
- Description: Include resources that have violated the selected risks. Supported operators: in, not in, exists, not exists.
policy.failed
- Type: string
- Example:
policy.failed in ("PCI DSS (Payment Card Industry Data Security Standard) v3.2.1")
- Description: Include resources that failed the selected policies. Supported operators: in, not in, exists, not exists.
requirement.failed
- Type: string
- Example:
requirement.failed in ("01.a Access Control Policy")
- Description: Include resources that failed the selected requirements. Supported operators: in, not in, exists, not exists.
policy.passed
in ("CIS Kubernetes V1.20 Benchmark")- Type: string
- Example:
policy.passed in ("CIS Kubernetes V1.20 Benchmark")
- Description: Include resources that passed the selected policies. Supported operators: in, not in, exists, not exists.
project
- Type: string
- Example:
project = "project1"
- Description: The project that will be included in the results.
region
- Type: string
- Example:
region in ("europe-west1")
- Description: The regions that will be included in the results.
type
- Type: string
- Example:
type = "Account"
- Description: The resource types that will be included in the results.
subscription
- Type: string
- Example:
subscription = "Azure subscription 1"
- Description: The Azure subscriptions that will be included in the results.
version
- Type: string
- Example:
version = "1.1"
- Description: The versions that will be included in the results.
zone
- Type: string
- Example:
zone in ("zone1")
- Description: The zones that will be included in the results.
Note: Whenever filtering for values with special characters, the values need to be encoded. When “ or \ are the special characters, they need to be escaped with \ and then encoded.
Example:
platform = "AWS" and policy.failed in ("CIS Amazon Web Services Foundations Benchmark")
Page number. Defaults to 1.
Example:
1
Page size. Defaults to 20.
Example:
20
The desired fields to be returned from the query. Defaults to
id,name,platform,type,configuration,keyvalueconfigs,labels,lastseen,metadata,zones,posturepolicysummary
. Fields that are not specified will return empty (even if they have values).Example:
name,platform,posturecontrolsummary
Response
Inventory resources
Resource unique identifier
Example:
62e348b71acd7be14a4bdfcc
Resource name
Example:
aws-bucket1
The resource platform (AWS, GCP, Kubernetes, Azure, etc.)
Example:
AWS
The resource type
Example:
AWS_S3_BUCKET_ACL
Last scan date as unix timestamp
Example:
1660742138
The resource metadata
Examples:ViewThe posture policy summary
Percentage of policies passing
Example:
50
The policies list
Policy Id
Example:
15
Policy Name
Example:
CIS Amazon Web Services Foundations Benchmark
True for passed, false for failed
policies
posturePolicySummary
Detailed breakdown of controls per Posture policy
The Posture policy name
Example:
CIS Amazon Web Services Foundations Benchmark
Policy Id
Example:
15
Number of failed controls
Example:
5
Number of accepted controls
Example:
3
postureControlSummary
YAML\JSON configuration of the resource (for relevant resource types)
Example:
metadata: annotations: meta.helm.sh/release-name: iac-collector meta.helm.sh/release-namespace: default labels: app.kubernetes.io/managed-by: Helm skaffold.dev/run-id: 57984887-4121-4d34-aa82-c8291300205f name: secure-iac-collector-sa namespace: sysdig
Key-value configurations (for relevant resource type, such as Kubernetes Host and Cluster)
The configuration group name
Example:
Kubernetes
map of configuration name and value
configuration name
Example:
Kubelet --anonymous-auth
configuration value
Example:
false
values
keyValueConfigs
The resource labels
Resource zones
The zone identifier
Example:
1
The zone name
Example:
Entire Infrastructure
zones
data
Total number of resources matching filter (limited to 1000)
Example:
5112
Status Code
Successfully returned Inventory v1 resources.
Invalid or missing auth token.
Forbidden access to Inventory v1.
The server encountered an unexpected condition that prevented it from fulfilling the request.
Service is unavailable.
No Sample Response
Retrieve a single Inventory Resource by its identifier
Retrieve an Inventory Resource by its id
GET /api/cspm/v1/inventory/resources/{id}
Request
Path Parameters
The resource’s unique identifier
Example:
62e348b71acd7be14a4bdfcc
Query Parameters
The desired fields to be returned from the query. Defaults to
id,name,platform,type,configuration,keyvalueconfigs,labels,lastseen,metadata,zones,posturepolicysummary
. Fields that are not specified will return empty (even if they have values).Example:
name,platform,posturecontrolsummary
Response
Resource unique identifier
Example:
62e348b71acd7be14a4bdfcc
Resource name
Example:
aws-bucket1
The resource platform (AWS, GCP, Kubernetes, Azure, etc.)
Example:
AWS
The resource type
Example:
AWS_S3_BUCKET_ACL
Last scan date as unix timestamp
Example:
1660742138
The resource metadata
Examples:ViewThe posture policy summary
Percentage of policies passing
Example:
50
The policies list
Policy Id
Example:
15
Policy Name
Example:
CIS Amazon Web Services Foundations Benchmark
True for passed, false for failed
policies
posturePolicySummary
Detailed breakdown of controls per Posture policy
The Posture policy name
Example:
CIS Amazon Web Services Foundations Benchmark
Policy Id
Example:
15
Number of failed controls
Example:
5
Number of accepted controls
Example:
3
postureControlSummary
YAML\JSON configuration of the resource (for relevant resource types)
Example:
metadata: annotations: meta.helm.sh/release-name: iac-collector meta.helm.sh/release-namespace: default labels: app.kubernetes.io/managed-by: Helm skaffold.dev/run-id: 57984887-4121-4d34-aa82-c8291300205f name: secure-iac-collector-sa namespace: sysdig
Key-value configurations (for relevant resource type, such as Kubernetes Host and Cluster)
The configuration group name
Example:
Kubernetes
map of configuration name and value
configuration name
Example:
Kubelet --anonymous-auth
configuration value
Example:
false
values
keyValueConfigs
The resource labels
Resource zones
The zone identifier
Example:
1
The zone name
Example:
Entire Infrastructure
zones
data
Status Code
Successfully returned an Inventory v1 resource.
Invalid or missing auth token.
Forbidden access to Inventory v1.
The server encountered an unexpected condition that prevented it from fulfilling the request.
Service is unavailable.
No Sample Response
Get all the options available to define a report configuration
GET /api/reporting/v1/{domain}/{reportType}/config
Request
Path Parameters
The data domain of the report. The only supported value is
scanning
Allowable values: [
scanning
]Example:
scanning
The kind of report to generate
Allowable values: [
vulnerabilities
,policies
]Example:
vulnerabilities
Response
The available columns that can be chosen and included in a generated report
Column identifier
Example:
severity
Human-readable name for the column
Example:
Severity
Whether the columns must be included when specifying a report configuration
Example:
true
availableColumns
The available conditions that can be set to filter the results in a generated report
Data type for the filter values
Possible values: [
string
,number
,boolean
,stringarray
]Example:
string
Filter identifier
Example:
severity
Human-readable label for the filter
Example:
Severity
Human-readable suffix for the filter value
Example:
sev.
Full list of the allowed values for the filter
One of the allowed value for the filter
Example:
high
Human-readable label for the filter value
Example:
High
allowedValues
Minimum allowed value for filters with type number
Maximum allowed value for filters with type number
Example:
10
Optional list of comparison operators which can be used when applying the filter
Examples:View
availableFilters
Status Code
Options available to define a report configuration
No Sample Response
Get a result preview of a report with the given configuration
POST /api/reporting/v1/{domain}/{reportType}/preview
Request
Path Parameters
The data domain of the report. The only supported value is
scanning
Allowable values: [
scanning
]Example:
scanning
The kind of report to generate
Allowable values: [
vulnerabilities
,policies
]Example:
vulnerabilities
Configuration of a report generation
Filter the results based on the given scope
restrict the report generation on the given image ID
Example:
sha256:b6fa739cedf5ea12a620a439402b6004d057da800f91c7524b5086a5e4749c9f
whether the report should be filtered using a runtime scope
Example:
true
An AND-composed string of predicates that restrict the scope of the generated report
Docker registry
Example:
docker.io
Docker image repository
Example:
debian
Docker image tag
Example:
stable
scope
The columns to be included in the generated report, in the order desired
Examples:ViewSorting criteria
The column identifier chosen for sorting
Example:
vulnId
The sorting order (ascending or descending) for the given column
Allowable values: [
asc
,desc
]Example:
asc
sorting
Set of additional filter conditions on the generated reports. Filters are defined as map with filter names as key.
Examples:ViewFilter value
Comparison operator to be applied with the chosen filter value
Allowable values: [
<
,<=
,=
,>=
,>
]
any property
queryFilters
Request
Path Parameters
The data domain of the report. The only supported value is
scanning
Allowable values: [
scanning
]Example:
scanning
Response
Schedule and configuration definition for a report generation
Unique opaque identifier of the report generation schedule.
Example:
schedule-1hDkklCWc5UtuFhwCaZkbFNY5ZV
The title for the generated reports.
Example:
Weekly vulnerability report
Configuration of a report generation
Filter the results based on the given scope
restrict the report generation on the given image ID
Example:
sha256:b6fa739cedf5ea12a620a439402b6004d057da800f91c7524b5086a5e4749c9f
whether the report should be filtered using a runtime scope
Example:
true
An AND-composed string of predicates that restrict the scope of the generated report
Docker registry
Example:
docker.io
Docker image repository
Example:
debian
Docker image tag
Example:
stable
scope
The columns to be included in the generated report, in the order desired
Examples:ViewSorting criteria
The column identifier chosen for sorting
Example:
vulnId
The sorting order (ascending or descending) for the given column
Possible values: [
asc
,desc
]Example:
asc
sorting
Set of additional filter conditions on the generated reports. Filters are defined as map with filter names as key.
Examples:ViewFilter value
Comparison operator to be applied with the chosen filter value
Possible values: [
<
,<=
,=
,>=
,>
]
any property
queryFilters
configuration
A cron-like expression representing the generation frequency of the reports.
Possible values: Value must match regular expression
^[0-9*/,-]+ [0-9*/,-]+ [0-9*/,-]+ [0-9*/,-]+ [0-9*/,-]+$
Example:
0 9 * * 1
Whether the report generation is active or not
Example:
true
A human-readable description for the report content.
Examples:ViewThe kind of report to generate
Possible values: [
vulnerabilities
,policies
]Example:
vulnerabilities
Notification channels where to notify the generation of a new report along with the chosen report format
ID of notification channel where the generation of new reports is notified
Example:
12456
Format of the generated report
Possible values: [
csv
,json
,pdf
]Example:
csv
notificationChannels
The download link of the last generated report for each configured format
Examples:Viewresources
Whether the on-demand report generation is enabled or not
Schedule, start and completion timestamps for the latest report
The timestamp when a new generation of the scheduled report was last queued
Example:
1602674500
The timestamp when the generation of the scheduled report started the last time
Example:
1602674521
The timestamp when the generation of the scheduled report completed the last time
Example:
1602674554
status
The timestamp when the schedule was defined the first time
Example:
1602672997
The timestamp when the schedule was last updated
Example:
1602673124
Status Code
The list of all saved schedules for report generation
No Sample Response
Request
Path Parameters
The data domain of the report. The only supported value is
scanning
Allowable values: [
scanning
]Example:
scanning
Schedule and configuration definition for a report generation
The title for the generated reports.
Example:
Weekly vulnerability report
Configuration of a report generation
Filter the results based on the given scope
restrict the report generation on the given image ID
Example:
sha256:b6fa739cedf5ea12a620a439402b6004d057da800f91c7524b5086a5e4749c9f
whether the report should be filtered using a runtime scope
Example:
true
An AND-composed string of predicates that restrict the scope of the generated report
Docker registry
Example:
docker.io
Docker image repository
Example:
debian
Docker image tag
Example:
stable
scope
The columns to be included in the generated report, in the order desired
Examples:ViewSorting criteria
The column identifier chosen for sorting
Example:
vulnId
The sorting order (ascending or descending) for the given column
Allowable values: [
asc
,desc
]Example:
asc
sorting
Set of additional filter conditions on the generated reports. Filters are defined as map with filter names as key.
Examples:ViewFilter value
Comparison operator to be applied with the chosen filter value
Allowable values: [
<
,<=
,=
,>=
,>
]
any property
queryFilters
configuration
A cron-like expression representing the generation frequency of the reports.
Possible values: Value must match regular expression
^[0-9*/,-]+ [0-9*/,-]+ [0-9*/,-]+ [0-9*/,-]+ [0-9*/,-]+$
Example:
0 9 * * 1
Whether the report generation is active or not
Example:
true
A human-readable description for the report content.
Examples:ViewThe kind of report to generate
Allowable values: [
vulnerabilities
,policies
]Example:
vulnerabilities
Notification channels where to notify the generation of a new report along with the chosen report format
ID of notification channel where the generation of new reports is notified
Example:
12456
Format of the generated report
Allowable values: [
csv
,json
,pdf
]Example:
csv
notificationChannels
Whether the on-demand report generation is enabled or not
Response
Schedule and configuration definition for a report generation
Unique opaque identifier of the report generation schedule.
Example:
schedule-1hDkklCWc5UtuFhwCaZkbFNY5ZV
The title for the generated reports.
Example:
Weekly vulnerability report
Configuration of a report generation
Filter the results based on the given scope
restrict the report generation on the given image ID
Example:
sha256:b6fa739cedf5ea12a620a439402b6004d057da800f91c7524b5086a5e4749c9f
whether the report should be filtered using a runtime scope
Example:
true
An AND-composed string of predicates that restrict the scope of the generated report
Docker registry
Example:
docker.io
Docker image repository
Example:
debian
Docker image tag
Example:
stable
scope
The columns to be included in the generated report, in the order desired
Examples:ViewSorting criteria
The column identifier chosen for sorting
Example:
vulnId
The sorting order (ascending or descending) for the given column
Possible values: [
asc
,desc
]Example:
asc
sorting
Set of additional filter conditions on the generated reports. Filters are defined as map with filter names as key.
Examples:ViewFilter value
Comparison operator to be applied with the chosen filter value
Possible values: [
<
,<=
,=
,>=
,>
]
any property
queryFilters
configuration
A cron-like expression representing the generation frequency of the reports.
Possible values: Value must match regular expression
^[0-9*/,-]+ [0-9*/,-]+ [0-9*/,-]+ [0-9*/,-]+ [0-9*/,-]+$
Example:
0 9 * * 1
Whether the report generation is active or not
Example:
true
A human-readable description for the report content.
Examples:ViewThe kind of report to generate
Possible values: [
vulnerabilities
,policies
]Example:
vulnerabilities
Notification channels where to notify the generation of a new report along with the chosen report format
ID of notification channel where the generation of new reports is notified
Example:
12456
Format of the generated report
Possible values: [
csv
,json
,pdf
]Example:
csv
notificationChannels
The download link of the last generated report for each configured format
Examples:Viewresources
Whether the on-demand report generation is enabled or not
Schedule, start and completion timestamps for the latest report
The timestamp when a new generation of the scheduled report was last queued
Example:
1602674500
The timestamp when the generation of the scheduled report started the last time
Example:
1602674521
The timestamp when the generation of the scheduled report completed the last time
Example:
1602674554
status
The timestamp when the schedule was defined the first time
Example:
1602672997
The timestamp when the schedule was last updated
Example:
1602673124
Status Code
The created schedule for report generation
Bad Request
Invalid report configuration
Generate an on-demand report using the configuration of the requested schedule
POST /api/reporting/v1/{domain}/schedules/{scheduleId}/run
Request
Path Parameters
The data domain of the report. The only supported value is
scanning
Allowable values: [
scanning
]Example:
scanning
The ID of the schedule for report generation
Example:
schedule-1hDkklCWc5UtuFhwCaZkbFNY5ZV
Response
Status Code
Generation of requested report accepted
Bad Request
Generation of requested report is either forbidden or disabled
Requested report generation schedule not found
Report generation is either already running or will be running shortly
Invalid request payload
Report generation forbidden or disabled
Report generation schedule not found
Report generation already running
Get the configuration of the requested schedule for report generation
GET /api/reporting/v1/{domain}/schedules/{scheduleId}
Request
Path Parameters
The data domain of the report. The only supported value is
scanning
Allowable values: [
scanning
]Example:
scanning
The ID of the schedule for report generation
Example:
schedule-1hDkklCWc5UtuFhwCaZkbFNY5ZV
Response
Schedule and configuration definition for a report generation
Unique opaque identifier of the report generation schedule.
Example:
schedule-1hDkklCWc5UtuFhwCaZkbFNY5ZV
The title for the generated reports.
Example:
Weekly vulnerability report
Configuration of a report generation
Filter the results based on the given scope
restrict the report generation on the given image ID
Example:
sha256:b6fa739cedf5ea12a620a439402b6004d057da800f91c7524b5086a5e4749c9f
whether the report should be filtered using a runtime scope
Example:
true
An AND-composed string of predicates that restrict the scope of the generated report
Docker registry
Example:
docker.io
Docker image repository
Example:
debian
Docker image tag
Example:
stable
scope
The columns to be included in the generated report, in the order desired
Examples:ViewSorting criteria
The column identifier chosen for sorting
Example:
vulnId
The sorting order (ascending or descending) for the given column
Possible values: [
asc
,desc
]Example:
asc
sorting
Set of additional filter conditions on the generated reports. Filters are defined as map with filter names as key.
Examples:ViewFilter value
Comparison operator to be applied with the chosen filter value
Possible values: [
<
,<=
,=
,>=
,>
]
any property
queryFilters
configuration
A cron-like expression representing the generation frequency of the reports.
Possible values: Value must match regular expression
^[0-9*/,-]+ [0-9*/,-]+ [0-9*/,-]+ [0-9*/,-]+ [0-9*/,-]+$
Example:
0 9 * * 1
Whether the report generation is active or not
Example:
true
A human-readable description for the report content.
Examples:ViewThe kind of report to generate
Possible values: [
vulnerabilities
,policies
]Example:
vulnerabilities
Notification channels where to notify the generation of a new report along with the chosen report format
ID of notification channel where the generation of new reports is notified
Example:
12456
Format of the generated report
Possible values: [
csv
,json
,pdf
]Example:
csv
notificationChannels
The download link of the last generated report for each configured format
Examples:Viewresources
Whether the on-demand report generation is enabled or not
Schedule, start and completion timestamps for the latest report
The timestamp when a new generation of the scheduled report was last queued
Example:
1602674500
The timestamp when the generation of the scheduled report started the last time
Example:
1602674521
The timestamp when the generation of the scheduled report completed the last time
Example:
1602674554
status
The timestamp when the schedule was defined the first time
Example:
1602672997
The timestamp when the schedule was last updated
Example:
1602673124
Status Code
Configuration for the requested schedule for report generation
Requested report generation schedule not found
Report generation schedule not found
Edit the configuration of the requested schedule for report generation
PUT /api/reporting/v1/{domain}/schedules/{scheduleId}
Request
Path Parameters
The data domain of the report. The only supported value is
scanning
Allowable values: [
scanning
]Example:
scanning
The ID of the schedule for report generation
Example:
schedule-1hDkklCWc5UtuFhwCaZkbFNY5ZV
Schedule and configuration definition for a report generation
The title for the generated reports.
Example:
Weekly vulnerability report
Configuration of a report generation
Filter the results based on the given scope
restrict the report generation on the given image ID
Example:
sha256:b6fa739cedf5ea12a620a439402b6004d057da800f91c7524b5086a5e4749c9f
whether the report should be filtered using a runtime scope
Example:
true
An AND-composed string of predicates that restrict the scope of the generated report
Docker registry
Example:
docker.io
Docker image repository
Example:
debian
Docker image tag
Example:
stable
scope
The columns to be included in the generated report, in the order desired
Examples:ViewSorting criteria
The column identifier chosen for sorting
Example:
vulnId
The sorting order (ascending or descending) for the given column
Allowable values: [
asc
,desc
]Example:
asc
sorting
Set of additional filter conditions on the generated reports. Filters are defined as map with filter names as key.
Examples:ViewFilter value
Comparison operator to be applied with the chosen filter value
Allowable values: [
<
,<=
,=
,>=
,>
]
any property
queryFilters
configuration
A cron-like expression representing the generation frequency of the reports.
Possible values: Value must match regular expression
^[0-9*/,-]+ [0-9*/,-]+ [0-9*/,-]+ [0-9*/,-]+ [0-9*/,-]+$
Example:
0 9 * * 1
Whether the report generation is active or not
Example:
true
A human-readable description for the report content.
Examples:ViewThe kind of report to generate
Allowable values: [
vulnerabilities
,policies
]Example:
vulnerabilities
Notification channels where to notify the generation of a new report along with the chosen report format
ID of notification channel where the generation of new reports is notified
Example:
12456
Format of the generated report
Allowable values: [
csv
,json
,pdf
]Example:
csv
notificationChannels
Whether the on-demand report generation is enabled or not
Response
Schedule and configuration definition for a report generation
Unique opaque identifier of the report generation schedule.
Example:
schedule-1hDkklCWc5UtuFhwCaZkbFNY5ZV
The title for the generated reports.
Example:
Weekly vulnerability report
Configuration of a report generation
Filter the results based on the given scope
restrict the report generation on the given image ID
Example:
sha256:b6fa739cedf5ea12a620a439402b6004d057da800f91c7524b5086a5e4749c9f
whether the report should be filtered using a runtime scope
Example:
true
An AND-composed string of predicates that restrict the scope of the generated report
Docker registry
Example:
docker.io
Docker image repository
Example:
debian
Docker image tag
Example:
stable
scope
The columns to be included in the generated report, in the order desired
Examples:ViewSorting criteria
The column identifier chosen for sorting
Example:
vulnId
The sorting order (ascending or descending) for the given column
Possible values: [
asc
,desc
]Example:
asc
sorting
Set of additional filter conditions on the generated reports. Filters are defined as map with filter names as key.
Examples:ViewFilter value
Comparison operator to be applied with the chosen filter value
Possible values: [
<
,<=
,=
,>=
,>
]
any property
queryFilters
configuration
A cron-like expression representing the generation frequency of the reports.
Possible values: Value must match regular expression
^[0-9*/,-]+ [0-9*/,-]+ [0-9*/,-]+ [0-9*/,-]+ [0-9*/,-]+$
Example:
0 9 * * 1
Whether the report generation is active or not
Example:
true
A human-readable description for the report content.
Examples:ViewThe kind of report to generate
Possible values: [
vulnerabilities
,policies
]Example:
vulnerabilities
Notification channels where to notify the generation of a new report along with the chosen report format
ID of notification channel where the generation of new reports is notified
Example:
12456
Format of the generated report
Possible values: [
csv
,json
,pdf
]Example:
csv
notificationChannels
The download link of the last generated report for each configured format
Examples:Viewresources
Whether the on-demand report generation is enabled or not
Schedule, start and completion timestamps for the latest report
The timestamp when a new generation of the scheduled report was last queued
Example:
1602674500
The timestamp when the generation of the scheduled report started the last time
Example:
1602674521
The timestamp when the generation of the scheduled report completed the last time
Example:
1602674554
status
The timestamp when the schedule was defined the first time
Example:
1602672997
The timestamp when the schedule was last updated
Example:
1602673124
Status Code
Updated configuration for the requested schedule for report generation
Bad Request
Requested report generation schedule not found
Invalid report configuration
Report generation schedule not found
Remove the requested schedule for report generation
DELETE /api/reporting/v1/{domain}/schedules/{scheduleId}
Returns all cluster names for the customer
Returns all cluster names for the customer
GET /api/v1/networkTopology/clusters
Request
Query Parameters
A unix timestamp in seconds of specifying the initial time of a range
A unix timestamp in seconds of specifying the end time of a range
Response
Cluster names
Status Code
Indicates the requested cluster names were successfully returned
Indicates a parameter, header or another quality of the request was malformed. More information about 400 can be found at https://httpstatuses.com/400
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401
The user successfully authenticated but has insufficient permissions. More information about 403 can be found at https://httpstatuses.com/403
No Sample Response
Returns all namespace names for the cluster
Returns all namespace names for the cluster
GET /api/v1/networkTopology/namespaces
Request
Query Parameters
The name of a kubernetes cluster
A unix timestamp in seconds of specifying the initial time of a range
A unix timestamp in seconds of specifying the end time of a range
Response
name of the object
For pod owners, the labels are used to identify the pods related to the deployment/job/etc. For services, the labels are used to identify the endpoints for the service. For namespaces, the labels will be put in any knp generated based on objects in this namespace.
Owner type
Possible values: [
Service
,Deployment
,StatefulSet
,DaemonSet
,Pod
,Namespace
]the name of the cluster
Status Code
Indicates the requested namespaces were successfully returned
Indicates a parameter, header or another quality of the request was malformed. More information about 400 can be found at https://httpstatuses.com/400
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401
The user successfully authenticated but has insufficient permissions. More information about 403 can be found at https://httpstatuses.com/403
No Sample Response
Returns all pod owners for a cluster, namespace, and time range
Returns a map of owner type to a list of owner selectors
GET /api/v1/networkTopology/owners
Request
Query Parameters
The name of a kubernetes cluster
The name of a kubernetes namespace
A unix timestamp in seconds of specifying the initial time of a range
A unix timestamp in seconds of specifying the end time of a range
Response
name of the object
For pod owners, the labels are used to identify the pods related to the deployment/job/etc. For services, the labels are used to identify the endpoints for the service. For namespaces, the labels will be put in any knp generated based on objects in this namespace.
Owner type
Possible values: [
Service
,Deployment
,StatefulSet
,DaemonSet
,Pod
,Namespace
]the name of the cluster
the name of the namespace that the pod owner belongs to
Kubernetes labels of the pod controller. If the pod owner is a service, the labels are for the pod owner of the service’s endpoint.
Status Code
Indicates the requested map of owner type to a list of owner selectors were successfully returned
Indicates a parameter, header or another quality of the request was malformed. More information about 400 can be found at https://httpstatuses.com/400
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401
The user successfully authenticated but has insufficient permissions. More information about 403 can be found at https://httpstatuses.com/403
No Sample Response
Returns an overview of ingress networking traffic
Returns an overview of ingress networking traffic
GET /api/v1/networkTopology/ingressSummaries
Request
Query Parameters
The name of a kubernetes cluster
The name of a kubernetes namespace
The name of a pod owner
Specifies how to group pods
Allowable values: [
Service
,Deployment
,StatefulSet
,DaemonSet
,Pod
,Namespace
]A unix timestamp in seconds of specifying the initial time of a range
A unix timestamp in seconds of specifying the end time of a range
Response
The from parameter after being normalized to fit the closest approximate available time range
The to parameter after being normalized to fit the closest approximate available time range
metadata
name of the object
For pod owners, the labels are used to identify the pods related to the deployment/job/etc. For services, the labels are used to identify the endpoints for the service. For namespaces, the labels will be put in any knp generated based on objects in this namespace.
Owner type
Possible values: [
Service
,Deployment
,StatefulSet
,DaemonSet
,Pod
,Namespace
]the name of the cluster
the name of the namespace that the pod owner belongs to
Kubernetes labels of the pod controller. If the pod owner is a service, the labels are for the pod owner of the service’s endpoint.
clientOwner
name of the object
For pod owners, the labels are used to identify the pods related to the deployment/job/etc. For services, the labels are used to identify the endpoints for the service. For namespaces, the labels will be put in any knp generated based on objects in this namespace.
Owner type
Possible values: [
Service
,Deployment
,StatefulSet
,DaemonSet
,Pod
,Namespace
]the name of the cluster
clientNamespace
The process on the server
Example:
nginx
The port on the server
connections
Status Code
Indicates the requested overview of ingress networking traffic was successfully returned
Indicates a parameter, header or another quality of the request was malformed. More information about 400 can be found at https://httpstatuses.com/400
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401
The user successfully authenticated but has insufficient permissions. More information about 403 can be found at https://httpstatuses.com/403
No Sample Response
Returns an overview of egress networking traffic
Returns an overview of egress networking traffic
GET /api/v1/networkTopology/egressSummaries
Request
Query Parameters
The name of a kubernetes cluster
The name of a kubernetes namespace
The name of a pod owner
Specifies how to group pods
Allowable values: [
Service
,Deployment
,StatefulSet
,DaemonSet
,Pod
,Namespace
]A unix timestamp in seconds of specifying the initial time of a range
A unix timestamp in seconds of specifying the end time of a range
Response
The from parameter after being normalized to fit the closest approximate available time range
The to parameter after being normalized to fit the closest approximate available time range
metadata
name of the object
For pod owners, the labels are used to identify the pods related to the deployment/job/etc. For services, the labels are used to identify the endpoints for the service. For namespaces, the labels will be put in any knp generated based on objects in this namespace.
Owner type
Possible values: [
Service
,Deployment
,StatefulSet
,DaemonSet
,Pod
,Namespace
]the name of the cluster
the name of the namespace that the pod owner belongs to
Kubernetes labels of the pod controller. If the pod owner is a service, the labels are for the pod owner of the service’s endpoint.
serverOwner
name of the object
For pod owners, the labels are used to identify the pods related to the deployment/job/etc. For services, the labels are used to identify the endpoints for the service. For namespaces, the labels will be put in any knp generated based on objects in this namespace.
Owner type
Possible values: [
Service
,Deployment
,StatefulSet
,DaemonSet
,Pod
,Namespace
]the name of the cluster
serverNamespace
The process on the client
Example:
nginx
The port on the server
connections
Status Code
Indicates the requested overview of egress networking traffic was successfully returned
Indicates a parameter, header or another quality of the request was malformed. More information about 400 can be found at https://httpstatuses.com/400
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401
The user successfully authenticated but has insufficient permissions. More information about 403 can be found at https://httpstatuses.com/403
No Sample Response
Returns the unresolved ips for a time range and pod owner
Returns the unresolved ips for a time range and pod owner
GET /api/v1/networkTopology/ingressUnresolvedIps
Request
Query Parameters
The name of a kubernetes cluster
The name of a kubernetes namespace
The name of a pod owner
Specifies how to group pods
Allowable values: [
Service
,Deployment
,StatefulSet
,DaemonSet
,Pod
,Namespace
]A unix timestamp in seconds of specifying the initial time of a range
A unix timestamp in seconds of specifying the end time of a range
Response
If false, the FE will display the warning “Cluster subnet list is incomplete. IPs not mapping to known subnets will be marked as external”.
Collection of unresolved egress IPs
IP origin
Possible values: [
internal
,external
]Unresolved IP address
serverIPMetadata
The process on the client
port on the pod
The protocol by which traffic must match. Defaults to TCP if not specified. In the future UDP and SCTP may be supported.
Possible values: [
TCP
]
serverPort
unresolveds
Status Code
Indicates the requested ingress unresolved ips were successfully returned
Indicates a parameter, header or another quality of the request was malformed. More information about 400 can be found at https://httpstatuses.com/400
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401
The user successfully authenticated but has insufficient permissions. More information about 403 can be found at https://httpstatuses.com/403
No Sample Response
Returns the unresolved ips for a time range and pod owner
Returns the unresolved ips for a time range and pod owner
GET /api/v1/networkTopology/egressUnresolvedIps
Request
Query Parameters
The name of a kubernetes cluster
The name of a kubernetes namespace
The name of a pod owner
Specifies how to group pods
Allowable values: [
Service
,Deployment
,StatefulSet
,DaemonSet
,Pod
,Namespace
]A unix timestamp in seconds of specifying the initial time of a range
A unix timestamp in seconds of specifying the end time of a range
Response
If false, the FE will display the warning “Cluster subnet list is incomplete. IPs not mapping to known subnets will be marked as external”.
Collection of unresolved ingress IPs
IP origin
Possible values: [
internal
,external
]Unresolved IP address
clientIPMetadata
The process on the server
port on the pod
The protocol by which traffic must match. Defaults to TCP if not specified. In the future UDP and SCTP may be supported.
Possible values: [
TCP
]
serverPort
unresolveds
Status Code
Indicates the requested egress unresolved ips were successfully returned
Indicates a parameter, header or another quality of the request was malformed. More information about 400 can be found at https://httpstatuses.com/400
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401
The user successfully authenticated but has insufficient permissions. More information about 403 can be found at https://httpstatuses.com/403
No Sample Response
Creates a communication topology graph around the specified owner
Creates a communication topology graph around the specified owner
GET /api/v1/networkTopology/ownerTopology
Request
Query Parameters
The name of a kubernetes namespace
The name of a kubernetes cluster
The name of a pod owner
Specifies how to group pods
Allowable values: [
Service
,Deployment
,StatefulSet
,DaemonSet
,Pod
,Namespace
]A unix timestamp in seconds of specifying the initial time of a range
A unix timestamp in seconds of specifying the end time of a range
Response
Owner communication topology graph
Communication topology graph
Metadata, could be attached to a graph, an edge, or a vertex
metadata
Pod Owner
Vertex ID
Vertex type
Possible values: [
service
,deployment
,statefulset
,daemonset
,namespace
,unresolvedip
]Pod Owner name
Metadata, could be attached to a graph, an edge, or a vertex
metadata
Namespace vertex ID; required for all pod owner types except 'namespace' and 'unresolvedip'
any property
vertices
A directed edge, indicates a relationship between two vertices
Type of edge relationship
Possible values: [
endpoints
,communication
]ID of the source vertex
ID of the destination vertex
Metadata, could be attached to a graph, an edge, or a vertex
metadata
edges
graph
Status Code
Indicates the requested topology graph is sucessfully created
Indicates a parameter, header or another quality of the request was malformed. More information about 400 can be found at https://httpstatuses.com/400
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401
The user successfully authenticated but has insufficient permissions. More information about 403 can be found at https://httpstatuses.com/403
No Sample Response
Returns sorted list of unique workload label key values
Returns sorted list of unique workload label key values
GET /api/v1/networkTopology/workloadLabelKeys
Response
Array of kubernetes labels
Status Code
Indicates the requested list was returned
Indicates a parameter, header or another quality of the request was malformed. More information about 400 can be found at https://httpstatuses.com/400
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401
The user successfully authenticated but has insufficient permissions. More information about 403 can be found at https://httpstatuses.com/403
No Sample Response
Returns sorted list of unique namespace label key values
Returns sorted list of unique namespace label key values
GET /api/v1/networkTopology/namespaceLabelKeys
Response
Array of kubernetes labels
Status Code
Indicates the requested list was returned
Indicates a parameter, header or another quality of the request was malformed. More information about 400 can be found at https://httpstatuses.com/400
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401
The user successfully authenticated but has insufficient permissions. More information about 403 can be found at https://httpstatuses.com/403
No Sample Response
Creates a Kubernetes Network Policy
Creates a Kubernetes Network Policy
POST /api/v1/networkSecurity/namespaces/{namespaceName}/simulatedPolicies
Request
Path Parameters
The name of a kubernetes namespace
List of ingress rules to be applied to the selected pods
List of sources which should be able to access the pods selected for this rule
Defines policy on a particular IPBlock
Represents an IP Block
Example:
192.168.1.1/24
CIDRs that should not be included within an IP Block
ipBlock
Matches all pods in all namespaces selected by this label selector
A list of label selector requirements. The requirements are ANDed.
The label key that the selector applies to.
Represents a key's relationship to a set of values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.
Allowable values: [
In
,NotIn
,Exists
,DoesNotExist
]A list of operands
matchExpressions
A map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
namespaceSelector
Selects all matching pods in the namespace
A list of label selector requirements. The requirements are ANDed.
The label key that the selector applies to.
Represents a key's relationship to a set of values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.
Allowable values: [
In
,NotIn
,Exists
,DoesNotExist
]A list of operands
matchExpressions
A map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
podSelector
from
List of ports which should be made accessible on the pods selected for this rule
port on the pod
The protocol by which traffic must match. Defaults to TCP if not specified. In the future UDP and SCTP may be supported.
Allowable values: [
TCP
]
ports
ingress
List of egress rules to be applied to the selected pods
List of destinations for outgoing traffic of pods selected for this rule
Defines policy on a particular IPBlock
Represents an IP Block
Example:
192.168.1.1/24
CIDRs that should not be included within an IP Block
ipBlock
Matches all pods in all namespaces selected by this label selector
A list of label selector requirements. The requirements are ANDed.
The label key that the selector applies to.
Represents a key's relationship to a set of values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.
Allowable values: [
In
,NotIn
,Exists
,DoesNotExist
]A list of operands
matchExpressions
A map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
namespaceSelector
Selects all matching pods in the namespace
A list of label selector requirements. The requirements are ANDed.
The label key that the selector applies to.
Represents a key's relationship to a set of values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.
Allowable values: [
In
,NotIn
,Exists
,DoesNotExist
]A list of operands
matchExpressions
A map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
podSelector
to
List of destination ports for outgoing traffic
port on the pod
The protocol by which traffic must match. Defaults to TCP if not specified. In the future UDP and SCTP may be supported.
Allowable values: [
TCP
]
ports
egress
Selects the pods to which this NetworkPolicy object applies. An empty podSelector matches all pods in this namespace.
A list of label selector requirements. The requirements are ANDed.
The label key that the selector applies to.
Represents a key's relationship to a set of values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.
Allowable values: [
In
,NotIn
,Exists
,DoesNotExist
]A list of operands
matchExpressions
A map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
podSelector
List of rule types that the NetworkPolicy relates to
Allowable values: [
Ingress
,Egress
]
spec
Response
The text of a proposed Kubernetes Network Policy
Status Code
Indicates the requested KNP was successfully created
Indicates a parameter, header or another quality of the request was malformed. More information about 400 can be found at https://httpstatuses.com/400
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401
The user successfully authenticated but has insufficient permissions. More information about 403 can be found at https://httpstatuses.com/403
No Sample Response
Creates a communication topology graph around the specified owner
Creates a communication topology graph around the specified owner; if KNP spec is provided, marks communication edges as 'blocked' if they are blocked by the KNP
POST /api/v1/networkSecurity/networkPolicyOverlayOwnerTopology
Request
Query Parameters
The name of a kubernetes namespace
The name of a kubernetes cluster
The name of a pod owner
Specifies how to group pods
Allowable values: [
Service
,Deployment
,StatefulSet
,DaemonSet
,Pod
,Namespace
]A unix timestamp in seconds of specifying the initial time of a range
A unix timestamp in seconds of specifying the end time of a range
List of ingress rules to be applied to the selected pods
List of sources which should be able to access the pods selected for this rule
Defines policy on a particular IPBlock
Represents an IP Block
Example:
192.168.1.1/24
CIDRs that should not be included within an IP Block
ipBlock
Matches all pods in all namespaces selected by this label selector
A list of label selector requirements. The requirements are ANDed.
The label key that the selector applies to.
Represents a key's relationship to a set of values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.
Allowable values: [
In
,NotIn
,Exists
,DoesNotExist
]A list of operands
matchExpressions
A map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
namespaceSelector
Selects all matching pods in the namespace
A list of label selector requirements. The requirements are ANDed.
The label key that the selector applies to.
Represents a key's relationship to a set of values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.
Allowable values: [
In
,NotIn
,Exists
,DoesNotExist
]A list of operands
matchExpressions
A map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
podSelector
from
List of ports which should be made accessible on the pods selected for this rule
port on the pod
The protocol by which traffic must match. Defaults to TCP if not specified. In the future UDP and SCTP may be supported.
Allowable values: [
TCP
]
ports
ingress
List of egress rules to be applied to the selected pods
List of destinations for outgoing traffic of pods selected for this rule
Defines policy on a particular IPBlock
Represents an IP Block
Example:
192.168.1.1/24
CIDRs that should not be included within an IP Block
ipBlock
Matches all pods in all namespaces selected by this label selector
A list of label selector requirements. The requirements are ANDed.
The label key that the selector applies to.
Represents a key's relationship to a set of values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.
Allowable values: [
In
,NotIn
,Exists
,DoesNotExist
]A list of operands
matchExpressions
A map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
namespaceSelector
Selects all matching pods in the namespace
A list of label selector requirements. The requirements are ANDed.
The label key that the selector applies to.
Represents a key's relationship to a set of values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.
Allowable values: [
In
,NotIn
,Exists
,DoesNotExist
]A list of operands
matchExpressions
A map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
podSelector
to
List of destination ports for outgoing traffic
port on the pod
The protocol by which traffic must match. Defaults to TCP if not specified. In the future UDP and SCTP may be supported.
Allowable values: [
TCP
]
ports
egress
Selects the pods to which this NetworkPolicy object applies. An empty podSelector matches all pods in this namespace.
A list of label selector requirements. The requirements are ANDed.
The label key that the selector applies to.
Represents a key's relationship to a set of values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.
Allowable values: [
In
,NotIn
,Exists
,DoesNotExist
]A list of operands
matchExpressions
A map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
podSelector
List of rule types that the NetworkPolicy relates to
Allowable values: [
Ingress
,Egress
]
spec
Response
Owner communication topology graph
Communication topology graph
Metadata, could be attached to a graph, an edge, or a vertex
metadata
Pod Owner
Vertex ID
Vertex type
Possible values: [
service
,deployment
,statefulset
,daemonset
,namespace
,unresolvedip
]Pod Owner name
Metadata, could be attached to a graph, an edge, or a vertex
metadata
Namespace vertex ID; required for all pod owner types except 'namespace' and 'unresolvedip'
any property
vertices
A directed edge, indicates a relationship between two vertices
Type of edge relationship
Possible values: [
endpoints
,communication
]ID of the source vertex
ID of the destination vertex
Metadata, could be attached to a graph, an edge, or a vertex
metadata
edges
graph
Status Code
Indicates the requested topology graph is sucessfully created
Indicates a parameter, header or another quality of the request was malformed. More information about 400 can be found at https://httpstatuses.com/400
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401
The user successfully authenticated but has insufficient permissions. More information about 403 can be found at https://httpstatuses.com/403
No Sample Response
Request
Query Parameters
Represents the id of a particular capture. Can be used multiple times in the same request to fetch multiple captures
Indicates the distance between the true starting point and the index of the first returned capture
An enum of allowable fields to sort a list of captures
Allowable values: [
date_requested
,duration
,name
,size
,status
]An enum of ways to order a sorted collection of values
Allowable values: [
asc
,desc
]Unix time of when to start looking for captures in microseconds
Unix time of when to stop looking for captures in microseconds
An enum of Sysdig products
Allowable values: [
sdc
,sds
]Limit the results to only captures matching a scope expression
Example:
kubernetes.cluster.name != null
- Examples:View
- Examples:View
Uniquely identifies a capture and correlates the capture to a request. Must match the following regex ([a-z0-9]){8}-([a-z0-9]){4}-([a-z0-9]){4}-([a-z0-9]){4}-([a-z0-9]){12}
Example:
960d9da0-cc79-4079-932a-544e193ab385
Response
A list of captures and associated metadata
Indicates how many captures would have been returned if no limit query param was specified. It does not represent the number of captures returned in the request.
Contains system calls and other operating system events
An enum of Sysdig products
Possible values: [
sdc
,sds
]A way to reference a capture. Must not be empty
Example:
my_capture.scap
The range in time from when the capture began to when it ended in seconds. The maximum value is 86400
Example:
30
Uniquely identifies a container
Example:
8883164eb9bf
The name of the s3 bucket to which the capture will be saved. May be null
The name of a folder in an s3 bucket
Example:
/
A map of assorted metadata
annotations
A way to only capture a subset of the data
Example:
proc.name=vi
Describes a Sysdig agent running on a machine
The ID of a particular customer
Uniquely identifies an agent
Example:
34688
Uniquely identifies a machine
Example:
12:dd:fe:e0:17:0b
The name of the host the agent is running on
Example:
ip-10-2-157-201
attributes
agent
uniquely identifies the capture
Example:
1327048
The maximum number of bytes allowed to be in this capture
Example:
104857600
The range in time from when the capture began to when the event that triggered the capture occurred in seconds. The maximum value is 86400
Example:
3
The amount of bytes in the capture that occurred in the pastDuration interval
The unix timestamp of when the capture was requested in milliseconds
Example:
1625783854265
The unx timestamp of when the Sysdig backend received the capture from the agent in milliseconds
Example:
1625783881254
The url to download the capture
Example:
/api/v1/captures/1327048/download
The number of bytes in the capture
Example:
87335540
An enum of the different types of storage to which captures can be saved
Possible values: [
local
,s3
,agent
,provided
,cassandra
]An enum of the different statuses a capture can have
Possible values: [
requested
,filtering
,capturing
,done
,error
,uploading
,uploadingError
,uploaded
]The key that allows an agent to communicate with a collector
The number of bytes the Sysdig backend has received from the agent
Example:
87335540
The number of bytes the Sysdig backend has pushed to a storage provider
Example:
87335540
Uniquely identifies a capture and correlates the capture to a request. Must match the following regex ([a-z0-9]){8}-([a-z0-9]){4}-([a-z0-9]){4}-([a-z0-9]){4}-([a-z0-9]){12}
Example:
960d9da0-cc79-4079-932a-544e193ab385
A list of metrics
Uniquely identifies a storage configuration
Example:
153
A scope expression that limits where the capture could have been taken
Example:
host.hostName = 'ip-10-2-157-201'
Uniquely identifies a machine
Example:
12:dd:fe:e0:17:0b
captures
Indicates the distance between the true starting point and the index of the first returned capture. Corresponds to the offset query param that was provided in the original request.
Indicates whether the number of captures returned had some limit applied
Status Code
The array representing the captures
Indicates a query param was invalid
No Sample Response
Request
Metadata to create a capture
An enum of Sysdig products
Allowable values: [
sdc
,sds
]A way to reference a capture. Must not be empty
Example:
my_capture.scap
The range in time from when the capture began to when it ended in seconds. The maximum value is 86400
Example:
30
Uniquely identifies a container
Example:
8883164eb9bf
The name of the s3 bucket to which the capture will be saved. May be null
The name of a folder in an s3 bucket
Example:
/
A map of assorted metadata
annotations
A way to only capture a subset of the data
Example:
proc.name=vi
Describes a Sysdig agent running on a machine
The ID of a particular customer
Uniquely identifies an agent
Example:
34688
Uniquely identifies a machine
Example:
12:dd:fe:e0:17:0b
The name of the host the agent is running on
Example:
ip-10-2-157-201
attributes
agent
Response
Contains system calls and other operating system events
An enum of Sysdig products
Possible values: [
sdc
,sds
]A way to reference a capture. Must not be empty
Example:
my_capture.scap
The range in time from when the capture began to when it ended in seconds. The maximum value is 86400
Example:
30
Uniquely identifies a container
Example:
8883164eb9bf
The name of the s3 bucket to which the capture will be saved. May be null
The name of a folder in an s3 bucket
Example:
/
A map of assorted metadata
annotations
A way to only capture a subset of the data
Example:
proc.name=vi
Describes a Sysdig agent running on a machine
The ID of a particular customer
Uniquely identifies an agent
Example:
34688
Uniquely identifies a machine
Example:
12:dd:fe:e0:17:0b
The name of the host the agent is running on
Example:
ip-10-2-157-201
attributes
agent
uniquely identifies the capture
Example:
1327048
The maximum number of bytes allowed to be in this capture
Example:
104857600
The range in time from when the capture began to when the event that triggered the capture occurred in seconds. The maximum value is 86400
Example:
3
The amount of bytes in the capture that occurred in the pastDuration interval
The unix timestamp of when the capture was requested in milliseconds
Example:
1625783854265
The unx timestamp of when the Sysdig backend received the capture from the agent in milliseconds
Example:
1625783881254
The url to download the capture
Example:
/api/v1/captures/1327048/download
The number of bytes in the capture
Example:
87335540
An enum of the different types of storage to which captures can be saved
Possible values: [
local
,s3
,agent
,provided
,cassandra
]An enum of the different statuses a capture can have
Possible values: [
requested
,filtering
,capturing
,done
,error
,uploading
,uploadingError
,uploaded
]The key that allows an agent to communicate with a collector
The number of bytes the Sysdig backend has received from the agent
Example:
87335540
The number of bytes the Sysdig backend has pushed to a storage provider
Example:
87335540
Uniquely identifies a capture and correlates the capture to a request. Must match the following regex ([a-z0-9]){8}-([a-z0-9]){4}-([a-z0-9]){4}-([a-z0-9]){4}-([a-z0-9]){12}
Example:
960d9da0-cc79-4079-932a-544e193ab385
A list of metrics
Uniquely identifies a storage configuration
Example:
153
A scope expression that limits where the capture could have been taken
Example:
host.hostName = 'ip-10-2-157-201'
Uniquely identifies a machine
Example:
12:dd:fe:e0:17:0b
capture
Status Code
Successfully created a capture
Indicates the request body was invalid
No Sample Response
Request
Query Parameters
Represents the id of a particular capture. Can be used multiple times in the same request to delete multiple captures
Indicates that only captures belonging to either the monitor or secure product should be considered for deletion. Defaults to SDC if not specified
Allowable values: [
sdc
,sds
]Indicates that only captures with a particular status should be considered for deletion. Can be used multiple times in the same request
Allowable values: [
requested
,filtering
,capturing
,done
,error
,uploading
,uploadingError
,uploaded
]
Response
Contains system calls and other operating system events
An enum of Sysdig products
Possible values: [
sdc
,sds
]A way to reference a capture. Must not be empty
Example:
my_capture.scap
The range in time from when the capture began to when it ended in seconds. The maximum value is 86400
Example:
30
Uniquely identifies a container
Example:
8883164eb9bf
The name of the s3 bucket to which the capture will be saved. May be null
The name of a folder in an s3 bucket
Example:
/
A map of assorted metadata
annotations
A way to only capture a subset of the data
Example:
proc.name=vi
Describes a Sysdig agent running on a machine
The ID of a particular customer
Uniquely identifies an agent
Example:
34688
Uniquely identifies a machine
Example:
12:dd:fe:e0:17:0b
The name of the host the agent is running on
Example:
ip-10-2-157-201
attributes
agent
uniquely identifies the capture
Example:
1327048
The maximum number of bytes allowed to be in this capture
Example:
104857600
The range in time from when the capture began to when the event that triggered the capture occurred in seconds. The maximum value is 86400
Example:
3
The amount of bytes in the capture that occurred in the pastDuration interval
The unix timestamp of when the capture was requested in milliseconds
Example:
1625783854265
The unx timestamp of when the Sysdig backend received the capture from the agent in milliseconds
Example:
1625783881254
The url to download the capture
Example:
/api/v1/captures/1327048/download
The number of bytes in the capture
Example:
87335540
An enum of the different types of storage to which captures can be saved
Possible values: [
local
,s3
,agent
,provided
,cassandra
]An enum of the different statuses a capture can have
Possible values: [
requested
,filtering
,capturing
,done
,error
,uploading
,uploadingError
,uploaded
]The key that allows an agent to communicate with a collector
The number of bytes the Sysdig backend has received from the agent
Example:
87335540
The number of bytes the Sysdig backend has pushed to a storage provider
Example:
87335540
Uniquely identifies a capture and correlates the capture to a request. Must match the following regex ([a-z0-9]){8}-([a-z0-9]){4}-([a-z0-9]){4}-([a-z0-9]){4}-([a-z0-9]){12}
Example:
960d9da0-cc79-4079-932a-544e193ab385
A list of metrics
Uniquely identifies a storage configuration
Example:
153
A scope expression that limits where the capture could have been taken
Example:
host.hostName = 'ip-10-2-157-201'
Uniquely identifies a machine
Example:
12:dd:fe:e0:17:0b
capture
Status Code
Successfully retrieved a capture
The capture could not be found
No Sample Response
Request
Path Parameters
Contains system calls and other operating system events
An enum of Sysdig products
Allowable values: [
sdc
,sds
]A way to reference a capture. Must not be empty
Example:
my_capture.scap
The range in time from when the capture began to when it ended in seconds. The maximum value is 86400
Example:
30
Uniquely identifies a container
Example:
8883164eb9bf
The name of the s3 bucket to which the capture will be saved. May be null
The name of a folder in an s3 bucket
Example:
/
A map of assorted metadata
annotations
A way to only capture a subset of the data
Example:
proc.name=vi
Describes a Sysdig agent running on a machine
The ID of a particular customer
Uniquely identifies an agent
Example:
34688
Uniquely identifies a machine
Example:
12:dd:fe:e0:17:0b
The name of the host the agent is running on
Example:
ip-10-2-157-201
attributes
agent
uniquely identifies the capture
Example:
1327048
The maximum number of bytes allowed to be in this capture
Example:
104857600
The range in time from when the capture began to when the event that triggered the capture occurred in seconds. The maximum value is 86400
Example:
3
The amount of bytes in the capture that occurred in the pastDuration interval
The unix timestamp of when the capture was requested in milliseconds
Example:
1625783854265
The unx timestamp of when the Sysdig backend received the capture from the agent in milliseconds
Example:
1625783881254
The url to download the capture
Example:
/api/v1/captures/1327048/download
The number of bytes in the capture
Example:
87335540
An enum of the different types of storage to which captures can be saved
Allowable values: [
local
,s3
,agent
,provided
,cassandra
]An enum of the different statuses a capture can have
Allowable values: [
requested
,filtering
,capturing
,done
,error
,uploading
,uploadingError
,uploaded
]The key that allows an agent to communicate with a collector
The number of bytes the Sysdig backend has received from the agent
Example:
87335540
The number of bytes the Sysdig backend has pushed to a storage provider
Example:
87335540
Uniquely identifies a capture and correlates the capture to a request. Must match the following regex ([a-z0-9]){8}-([a-z0-9]){4}-([a-z0-9]){4}-([a-z0-9]){4}-([a-z0-9]){12}
Example:
960d9da0-cc79-4079-932a-544e193ab385
A list of metrics
Uniquely identifies a storage configuration
Example:
153
A scope expression that limits where the capture could have been taken
Example:
host.hostName = 'ip-10-2-157-201'
Uniquely identifies a machine
Example:
12:dd:fe:e0:17:0b
Response
Contains system calls and other operating system events
An enum of Sysdig products
Possible values: [
sdc
,sds
]A way to reference a capture. Must not be empty
Example:
my_capture.scap
The range in time from when the capture began to when it ended in seconds. The maximum value is 86400
Example:
30
Uniquely identifies a container
Example:
8883164eb9bf
The name of the s3 bucket to which the capture will be saved. May be null
The name of a folder in an s3 bucket
Example:
/
A map of assorted metadata
annotations
A way to only capture a subset of the data
Example:
proc.name=vi
Describes a Sysdig agent running on a machine
The ID of a particular customer
Uniquely identifies an agent
Example:
34688
Uniquely identifies a machine
Example:
12:dd:fe:e0:17:0b
The name of the host the agent is running on
Example:
ip-10-2-157-201
attributes
agent
uniquely identifies the capture
Example:
1327048
The maximum number of bytes allowed to be in this capture
Example:
104857600
The range in time from when the capture began to when the event that triggered the capture occurred in seconds. The maximum value is 86400
Example:
3
The amount of bytes in the capture that occurred in the pastDuration interval
The unix timestamp of when the capture was requested in milliseconds
Example:
1625783854265
The unx timestamp of when the Sysdig backend received the capture from the agent in milliseconds
Example:
1625783881254
The url to download the capture
Example:
/api/v1/captures/1327048/download
The number of bytes in the capture
Example:
87335540
An enum of the different types of storage to which captures can be saved
Possible values: [
local
,s3
,agent
,provided
,cassandra
]An enum of the different statuses a capture can have
Possible values: [
requested
,filtering
,capturing
,done
,error
,uploading
,uploadingError
,uploaded
]The key that allows an agent to communicate with a collector
The number of bytes the Sysdig backend has received from the agent
Example:
87335540
The number of bytes the Sysdig backend has pushed to a storage provider
Example:
87335540
Uniquely identifies a capture and correlates the capture to a request. Must match the following regex ([a-z0-9]){8}-([a-z0-9]){4}-([a-z0-9]){4}-([a-z0-9]){4}-([a-z0-9]){12}
Example:
960d9da0-cc79-4079-932a-544e193ab385
A list of metrics
Uniquely identifies a storage configuration
Example:
153
A scope expression that limits where the capture could have been taken
Example:
host.hostName = 'ip-10-2-157-201'
Uniquely identifies a machine
Example:
12:dd:fe:e0:17:0b
Status Code
Successfully updated a capture
Indicates the request body was invalid
No Sample Response
Response
Contains system calls and other operating system events
An enum of Sysdig products
Possible values: [
sdc
,sds
]A way to reference a capture. Must not be empty
Example:
my_capture.scap
The range in time from when the capture began to when it ended in seconds. The maximum value is 86400
Example:
30
Uniquely identifies a container
Example:
8883164eb9bf
The name of the s3 bucket to which the capture will be saved. May be null
The name of a folder in an s3 bucket
Example:
/
A map of assorted metadata
annotations
A way to only capture a subset of the data
Example:
proc.name=vi
Describes a Sysdig agent running on a machine
The ID of a particular customer
Uniquely identifies an agent
Example:
34688
Uniquely identifies a machine
Example:
12:dd:fe:e0:17:0b
The name of the host the agent is running on
Example:
ip-10-2-157-201
attributes
agent
uniquely identifies the capture
Example:
1327048
The maximum number of bytes allowed to be in this capture
Example:
104857600
The range in time from when the capture began to when the event that triggered the capture occurred in seconds. The maximum value is 86400
Example:
3
The amount of bytes in the capture that occurred in the pastDuration interval
The unix timestamp of when the capture was requested in milliseconds
Example:
1625783854265
The unx timestamp of when the Sysdig backend received the capture from the agent in milliseconds
Example:
1625783881254
The url to download the capture
Example:
/api/v1/captures/1327048/download
The number of bytes in the capture
Example:
87335540
An enum of the different types of storage to which captures can be saved
Possible values: [
local
,s3
,agent
,provided
,cassandra
]An enum of the different statuses a capture can have
Possible values: [
requested
,filtering
,capturing
,done
,error
,uploading
,uploadingError
,uploaded
]The key that allows an agent to communicate with a collector
The number of bytes the Sysdig backend has received from the agent
Example:
87335540
The number of bytes the Sysdig backend has pushed to a storage provider
Example:
87335540
Uniquely identifies a capture and correlates the capture to a request. Must match the following regex ([a-z0-9]){8}-([a-z0-9]){4}-([a-z0-9]){4}-([a-z0-9]){4}-([a-z0-9]){12}
Example:
960d9da0-cc79-4079-932a-544e193ab385
A list of metrics
Uniquely identifies a storage configuration
Example:
153
A scope expression that limits where the capture could have been taken
Example:
host.hostName = 'ip-10-2-157-201'
Uniquely identifies a machine
Example:
12:dd:fe:e0:17:0b
capture
Status Code
Successfully stopped the capture
The capture could not be found
No Sample Response
Vulnerabilities of an image. [Digest] Data is fetched directly from the database.
GET /api/scanning/v1/images/{imageDigest}/vulnSummaryDirect
Vulnerabilities of an image. [ImageID] Data is fetched directly from the database.
GET /api/scanning/v1/images/by_id/{imageId}/vulnSummaryDirect
Request
Path Parameters
The targeted image digest
Possible values: length ≥ 1
Example:
sha256:7492c1f615e3651629bd6c61777e9660caa3819cf3561a47d1d526dfeee02cf6
The type of vulnerabilities to retrieve
Allowable values: [
os
,non-os
]
Query Parameters
If specified, only vulnerabilities that contain this substring will be retrieved
Sorting method. Defaults to descendent.
Allowable values: [
desc
,asc
]Field used to alphabetically sort by. Defaults to severity.
Allowable values: [
vuln
,fix
,severity
,package
,url
,feed
,feed_group
,package_name
,package_version
,package_type
,package_cpe
,package_pat
]A comma-separated list of severities. If specified, only vulnerabilities of these severities will be retrieved
Allowable values: [
Unknown
,Negligible
,Low
,Medium
,High
,Critical
]If specified, only vulnerabilities with an available fix will be retrieved
If specified, the vulnerabilities in the response will contain a comparison status relative to the image specified by this parameter. A total count of all comparison statuses will also be returned.
If specified, only vulnerabilities matching this comparison status will be returned. If not specified, all vulnerabilities will be returned.
Allowable values: [
New
,Fixed
,Shared
]If specified, a 0-based index on the vulnerabilities list. Only entries >= offset will be retrieved. Defaults to 0. If filter is also specified, this index will be applied on the filtered list. An empty list will be retrieved if this index overflows the list.
If specified, a limit on the number of entries retrieved. If filter is also specified, the limit will be applied on the filtered list. limit must be >= 1 and if it overflows the list all entries will be retrieved.
If specified, returns also the set of vulnerability exception lists where the vulnerability is contained and when it will expire.
The image's tag. Required when "includeVulnExceptions" is set to true.
Target bundle. If not specified, the currently active bundle will be used.
Response
The targeted image digest
The targeted imageID
The type of vulnerabilities retrieved
The filter used
The sorting method used
The field used to sort the result
Wether only vulns with a fix have been retrieved
The severities retrieved
The start offset used
The limit used. 0 for no limit.
True if more results can be fetched.
The total count of vulnerabilities.
Total counts of comparison statuses.
The total count of vulnerabilities.
The total count of new vulnerabilities.
The total count of fixed vulnerabilities.
The total count of shared vulnerabilities.
vulnCounts
The vulnerabilities retrieved.
The feed type, Always "vulnerabilities"
Example:
vulnerabilities
The distribution group name
Example:
debian:10
If exists, the fix version
Example:
None
nvd_data object
The package full name
Example:
gcc-8-base-8.3.0-6
Example:
None
The package name
Example:
gcc-8-base
The package path
Example:
pkgdb
The package type
Example:
dpkg
The vulnerability severity level
Example:
Medium
URL to full description of the vulnerability
Example:
https://security-tracker.debian.org/tracker/CVE-2018-12886
The vulnerability identifier
Example:
CVE-2018-12886
List of vulnExceptions by id/name along with the vulnerability expiration for that exception list
Example:
vuln-exception-list-id
Example:
some-name
The timestamp till the vulnerability will be disabled. If
null
, the entry never expires.Note: the actual expiration will be computed only once a day for the entire Sysdig installation. The task will be executed each day at 0:00 UTC (4:00 PM PST, 5:00 PM PDT) and will consider expiration dates which are <= than the current date.
vulnexceptions
vulns
Status Code
The retrieved vulnerabilities
No Sample Response
Retrieve vulnerabilities data of an image [Digest][Direct]
GET /api/scanning/v1/images/{imageDigest}/vulnDirect/{vtype}
Request
Path Parameters
The targeted image digest
The type of vulnerabilities to retrieve
Allowable values: [
os
,non-os
,all
]
Query Parameters
If specified, only vulnerabilities that contain this substring will be retrieved
Sorting method. Defaults to descendent.
Allowable values: [
desc
,asc
]Field used to alphabetically sort by. Defaults to severity.
Allowable values: [
vuln
,fix
,severity
,package
,url
,feed
,feed_group
,package_name
,package_version
,package_type
,package_cpe
,package_pat
]A comma-separated list of severities. If specified, only vulnerabilities of these severities will be retrieved
Allowable values: [
Unknown
,Negligible
,Low
,Medium
,High
,Critical
]If specified, only vulnerabilities with an available fix will be retrieved
If specified, a 0-based index on the vulnerabilities list. Only entries >= offset will be retrieved. Defaults to 0. If filter is also specified, this index will be applied on the filtered list. An empty list will be retrieved if this index overflows the list.
If specified, a limit on the number of entries retrieved. If filter is also specified, the limit will be applied on the filtered list. limit must be >= 1 and if it overflows the list all entries will be retrieved.
If specified, returns also the set of vulnerability exception lists where the vulnerability is contained and when it will expire.
The image's tag. Required when "includeVulnExceptions" is set to true.
Target bundle. If not specified, the currently active bundle will be used.
Response
The targeted image digest
The targeted imageID
The type of vulnerabilities retrieved
The filter used
The sorting method used
The field used to sort the result
Wether only vulns with a fix have been retrieved
The severities retrieved
The start offset used
The limit used. 0 for no limit.
True if more results can be fetched.
The total count of vulnerabilities.
Total counts of comparison statuses.
The total count of vulnerabilities.
The total count of new vulnerabilities.
The total count of fixed vulnerabilities.
The total count of shared vulnerabilities.
vulnCounts
The vulnerabilities retrieved.
The feed type, Always "vulnerabilities"
Example:
vulnerabilities
The distribution group name
Example:
debian:10
If exists, the fix version
Example:
None
nvd_data object
The package full name
Example:
gcc-8-base-8.3.0-6
Example:
None
The package name
Example:
gcc-8-base
The package path
Example:
pkgdb
The package type
Example:
dpkg
The vulnerability severity level
Example:
Medium
URL to full description of the vulnerability
Example:
https://security-tracker.debian.org/tracker/CVE-2018-12886
The vulnerability identifier
Example:
CVE-2018-12886
List of vulnExceptions by id/name along with the vulnerability expiration for that exception list
Example:
vuln-exception-list-id
Example:
some-name
The timestamp till the vulnerability will be disabled. If
null
, the entry never expires.Note: the actual expiration will be computed only once a day for the entire Sysdig installation. The task will be executed each day at 0:00 UTC (4:00 PM PST, 5:00 PM PDT) and will consider expiration dates which are <= than the current date.
vulnexceptions
vulns
Status Code
The retrieved vulnerabilities
No Sample Response
Retrieve vulnerabilities data of an image [ImageId][Direct]
GET /api/scanning/v1/images/by_id/{imageId}/vulnDirect/{vtype}
Request
Path Parameters
The targeted imageID
Possible values: length ≥ 1
Example:
d4d4f50f871a02502debe52927b7c5769a1b9ed2f4a06ea0e3c3623ba089511b
The type of vulnerabilities to retrieve
Allowable values: [
os
,non-os
,all
]
Query Parameters
If specified, only vulnerabilities that contain this substring will be retrieved
Sorting method. Defaults to descendent.
Allowable values: [
desc
,asc
]Field used to alphabetically sort by. Defaults to severity.
Allowable values: [
vuln
,fix
,severity
,package
,url
,feed
,feed_group
,package_name
,package_version
,package_type
,package_cpe
,package_pat
]A comma-separated list of severities. If specified, only vulnerabilities of these severities will be retrieved
Allowable values: [
Unknown
,Negligible
,Low
,Medium
,High
,Critical
]If specified, only vulnerabilities with an available fix will be retrieved
If specified, a 0-based index on the vulnerabilities list. Only entries >= offset will be retrieved. Defaults to 0. If filter is also specified, this index will be applied on the filtered list. An empty list will be retrieved if this index overflows the list.
If specified, a limit on the number of entries retrieved. If filter is also specified, the limit will be applied on the filtered list. limit must be >= 1 and if it overflows the list all entries will be retrieved.
If specified, returns also the set of vulnerability exception lists where the vulnerability is contained and when it will expire.
The image's tag. Required when "includeVulnExceptions" is set to true.
Target bundle. If not specified, the currently active bundle will be used.
Response
The targeted image digest
The targeted imageID
The type of vulnerabilities retrieved
The filter used
The sorting method used
The field used to sort the result
Wether only vulns with a fix have been retrieved
The severities retrieved
The start offset used
The limit used. 0 for no limit.
True if more results can be fetched.
The total count of vulnerabilities.
Total counts of comparison statuses.
The total count of vulnerabilities.
The total count of new vulnerabilities.
The total count of fixed vulnerabilities.
The total count of shared vulnerabilities.
vulnCounts
The vulnerabilities retrieved.
The feed type, Always "vulnerabilities"
Example:
vulnerabilities
The distribution group name
Example:
debian:10
If exists, the fix version
Example:
None
nvd_data object
The package full name
Example:
gcc-8-base-8.3.0-6
Example:
None
The package name
Example:
gcc-8-base
The package path
Example:
pkgdb
The package type
Example:
dpkg
The vulnerability severity level
Example:
Medium
URL to full description of the vulnerability
Example:
https://security-tracker.debian.org/tracker/CVE-2018-12886
The vulnerability identifier
Example:
CVE-2018-12886
List of vulnExceptions by id/name along with the vulnerability expiration for that exception list
Example:
vuln-exception-list-id
Example:
some-name
The timestamp till the vulnerability will be disabled. If
null
, the entry never expires.Note: the actual expiration will be computed only once a day for the entire Sysdig installation. The task will be executed each day at 0:00 UTC (4:00 PM PST, 5:00 PM PDT) and will consider expiration dates which are <= than the current date.
vulnexceptions
vulns
Status Code
The retrieved vulnerabilities
No Sample Response
Retrieve the vulnerability exception lists that this image is bound to via policies assignements [Digest]
GET /api/scanning/v1/images/{imageDigest}/vulnexceptions
Request
Path Parameters
The targeted image digest
Possible values: length ≥ 1
Example:
sha256:7492c1f615e3651629bd6c61777e9660caa3819cf3561a47d1d526dfeee02cf6
Query Parameters
The image's tag
Include or not "items" in the response. Useful when there are a lot of vulnerability exception lists.
Response
Unique identifier associated with this vulnerability exception list. It's created backend side.
The timestamp when the vulnerability exception list has been created
Example:
1595433581
The timestamp when the vulnerability exception list has been updated
Example:
1595433581
The name of the vulnerability exception list.
Version of the vulnerability exception list. Should be "1_0"
An array of vulnerability exception items (while creating/updating a list, new item IDs will be created backend side)
The vulnerability identifier. Computed server side
The timestamp when the vulnerability has been added to the exception list
Example:
1595433581
The timestamp when the vulnerability has been modified in one of its fields.
Example:
1595433581
The gate kind
Example:
vulnerabilities
The name of the vulnerability
Example:
CVE-2020-9071+*
The vulnerability generic description
Examples:ViewThe user written notes attached to a specific vulnerability exception item
The timestamp till the vulnerability will be disabled. If
null
, the entry never expires.Note: the actual expiration will be computed only once a day for the entire Sysdig installation. The task will be executed each day at 0:00 UTC (4:00 PM PST, 5:00 PM PDT) and will consider expiration dates which are <= than the current date.
Example:
1657622089
Enable/disable vulnerability when considering exceptions. Useful, in combination with
expiration_date
to handle temporary exceptions.
items
A human-readable description.
An policy bundle ID. While retrieving this object, this is the bundle ID that contains this vulnerability exception list. While inserting/updating, this is the target bundle, and if not specified, the currently active bundle will be used.
Status Code
The associated vulnerability exception lists
Image digest not found
Image not found
Retrieve the vulnerability exception lists that this image is bound to via policies assignements [ImageID]
GET /api/scanning/v1/images/by_id/{imageId}/vulnexceptions
Request
Path Parameters
The targeted imageID
Possible values: length ≥ 1
Example:
d4d4f50f871a02502debe52927b7c5769a1b9ed2f4a06ea0e3c3623ba089511b
Query Parameters
The image's tag
Include or not "items" in the response. Useful when there are a lot of vulnerability exception lists.
Response
Unique identifier associated with this vulnerability exception list. It's created backend side.
The timestamp when the vulnerability exception list has been created
Example:
1595433581
The timestamp when the vulnerability exception list has been updated
Example:
1595433581
The name of the vulnerability exception list.
Version of the vulnerability exception list. Should be "1_0"
An array of vulnerability exception items (while creating/updating a list, new item IDs will be created backend side)
The vulnerability identifier. Computed server side
The timestamp when the vulnerability has been added to the exception list
Example:
1595433581
The timestamp when the vulnerability has been modified in one of its fields.
Example:
1595433581
The gate kind
Example:
vulnerabilities
The name of the vulnerability
Example:
CVE-2020-9071+*
The vulnerability generic description
Examples:ViewThe user written notes attached to a specific vulnerability exception item
The timestamp till the vulnerability will be disabled. If
null
, the entry never expires.Note: the actual expiration will be computed only once a day for the entire Sysdig installation. The task will be executed each day at 0:00 UTC (4:00 PM PST, 5:00 PM PDT) and will consider expiration dates which are <= than the current date.
Example:
1657622089
Enable/disable vulnerability when considering exceptions. Useful, in combination with
expiration_date
to handle temporary exceptions.
items
A human-readable description.
An policy bundle ID. While retrieving this object, this is the bundle ID that contains this vulnerability exception list. While inserting/updating, this is the target bundle, and if not specified, the currently active bundle will be used.
Status Code
The associated vulnerability exception lists
Image digest not found
Image not found
Request
Path Parameters
The targeted image digest
Possible values: length ≥ 1
Example:
sha256:7492c1f615e3651629bd6c61777e9660caa3819cf3561a47d1d526dfeee02cf6
The type of content to retrieve
Allowable values: [
os
,files
,npm
,gem
,python
,java
]
Query Parameters
If specified, only content entries that contain this substring will be retrieved
Sorting method
Allowable values: [
asc
,desc
]Field used to alphabetically sort by. Defaults to package
Allowable values: [
package
,implementation-version
,specification-version
,maven-version
,location
,type
,origin
]Field used to alphabetically sort by. Defaults to filename
Allowable values: [
filename
,gid
,linkdest
,mode
,sha256
,size
,type
,uid
]Field used to alphabetically sort by. Defaults to package
Allowable values: [
package
,version
,size
,type
,origin
,license
,location
]If specified, a 0-based index on the content list. Only entries >= offset will be retrieved. Defaults to 0. If filter is also specified, this index will be applied on the filtered list. An empty list will be retrieved if this index overflows the list.
If specified, a limit on the number of entries retrieved. If filter is also specified, the limit will be applied on the filtered list. limit must be >= 1 and if it overflows the list all entries will be retrieved.
Response
The targeted image digest
The type of content retrieved
The filter used
The sorting method used
The field used to sort the result
The start offset used
The limit used. 0 for no limit.
True if more results can be fetched.
The content retrieved
Status Code
The retrieved content
No Sample Response
Retrieve the content of an image [ImageID]
GET /api/scanning/v1/images/by_id/{imageId}/content/{ctype}
Request
Path Parameters
The targeted imageID
Possible values: length ≥ 1
Example:
d4d4f50f871a02502debe52927b7c5769a1b9ed2f4a06ea0e3c3623ba089511b
The type of content to retrieve
Allowable values: [
os
,files
,npm
,gem
,python
,java
]
Query Parameters
If specified, only content entries that contain this substring will be retrieved
Sorting method
Allowable values: [
asc
,desc
]Field used to alphabetically sort by. Defaults to package
Allowable values: [
package
,implementation-version
,specification-version
,maven-version
,location
,type
,origin
]Field used to alphabetically sort by. Defaults to filename
Allowable values: [
filename
,gid
,linkdest
,mode
,sha256
,size
,type
,uid
]Field used to alphabetically sort by. Defaults to package
Allowable values: [
package
,version
,size
,type
,origin
,license
,location
]If specified, a 0-based index on the content list. Only entries >= offset will be retrieved. Defaults to 0. If filter is also specified, this index will be applied on the filtered list. An empty list will be retrieved if this index overflows the list.
If specified, a limit on the number of entries retrieved. If filter is also specified, the limit will be applied on the filtered list. limit must be >= 1 and if it overflows the list all entries will be retrieved.
Response
The targeted image digest
The type of content retrieved
The filter used
The sorting method used
The field used to sort the result
The start offset used
The limit used. 0 for no limit.
True if more results can be fetched.
The content retrieved
Status Code
The retrieved content
No Sample Response
Retrieve the policy evaluation summary of an image with the selected timestamp [Digest]
GET /api/scanning/v1/images/{imageDigest}/checkSummary
Request
Path Parameters
The targeted image digest
Query Parameters
The image full tag
The RFC-3339 timestamp of the evaluation. If not specified, the most recent evaluation will be returned
Response
The targeted image digest
the imageID that identifies the image
Possible values: length ≥ 1
Example:
d4d4f50f871a02502debe52927b7c5769a1b9ed2f4a06ea0e3c3623ba089511b
The RFC-3339 timestamp of the evaluation
The image full tag
Final evaluation status
The bundle ID used in this evaluation
Final evaluation action
Final evaluation action reason
Total number of stop rules triggered
Total number of warn rules triggered
Policy ID
Policy Name
Number of stop rules triggered from this policy
Number of warn rules triggered from this policy
Rule gate
Rule trigger
Number of stop rules triggered from this gate/trigger pair
Number of warn rules triggered from this gate/trigger pair
rules
policies
Status Code
The policy evaluation summary
No Sample Response
Retrieve the policy evaluation summary of an image with the selected timestamp [ImageID]
GET /api/scanning/v1/images/by_id/{imageId}/checkSummary
Request
Path Parameters
The targeted imageID
Possible values: length ≥ 1
Example:
d4d4f50f871a02502debe52927b7c5769a1b9ed2f4a06ea0e3c3623ba089511b
Query Parameters
The image full tag
The RFC-3339 timestamp of the evaluation. If not specified, the most recent evaluation will be returned
Response
The targeted image digest
the imageID that identifies the image
Possible values: length ≥ 1
Example:
d4d4f50f871a02502debe52927b7c5769a1b9ed2f4a06ea0e3c3623ba089511b
The RFC-3339 timestamp of the evaluation
The image full tag
Final evaluation status
The bundle ID used in this evaluation
Final evaluation action
Final evaluation action reason
Total number of stop rules triggered
Total number of warn rules triggered
Policy ID
Policy Name
Number of stop rules triggered from this policy
Number of warn rules triggered from this policy
Rule gate
Rule trigger
Number of stop rules triggered from this gate/trigger pair
Number of warn rules triggered from this gate/trigger pair
rules
policies
Status Code
The policy evaluation summary
No Sample Response
Retrieve the policy evaluation summary of a specific policy for an image with the selected timestamp [Digest]
GET /api/scanning/v1/images/{imageDigest}/checkSummary/{policyId}
Request
Path Parameters
The targeted image digest
Possible values: length ≥ 1
Example:
sha256:7492c1f615e3651629bd6c61777e9660caa3819cf3561a47d1d526dfeee02cf6
The targeted policy ID
Query Parameters
The image full tag
The RFC-3339 timestamp of the evaluation. If not specified, the most recent evaluation will be returned
Response
the imageID that identifies the image
Possible values: length ≥ 1
Example:
d4d4f50f871a02502debe52927b7c5769a1b9ed2f4a06ea0e3c3623ba089511b
an image digest string, starting with "sha256:" prefix
Possible values: length ≥ 1
Example:
sha256:7492c1f615e3651629bd6c61777e9660caa3819cf3561a47d1d526dfeee02cf6
The RFC-3339 timestamp of the evaluation
The image full tag
The targeted policy ID
A Policy object
Rule gate
Rule trigger
Number of stop rules triggered from this gate/trigger pair
Number of warn rules triggered from this gate/trigger pair
the list of outputs for this pair/gate trigger
The ID of the image that triggered this rule.
The name of the image that triggered this rule.
The trigger identifier responsible for this rule output.
The gate of this rule.
The trigger of this rule.
Human-readable output string of this rule.
The action of this rule.
Whether this rule was whitelisted in the policy.
The ID of the policy that contains the triggered rule.
rows
rules
Status Code
The policy evaluation policy summary
No Sample Response
Retrieve the policy evaluation summary of a specific policy for an image with the selected timestamp [ImageID]
GET /api/scanning/v1/images/by_id/{imageId}/checkSummary/{policyId}
Request
Path Parameters
The targeted image digest
Possible values: length ≥ 1
Example:
d4d4f50f871a02502debe52927b7c5769a1b9ed2f4a06ea0e3c3623ba089511b
The targeted policy ID
Query Parameters
The image full tag
The RFC-3339 timestamp of the evaluation. If not specified, the most recent evaluation will be returned
Response
the imageID that identifies the image
Possible values: length ≥ 1
Example:
d4d4f50f871a02502debe52927b7c5769a1b9ed2f4a06ea0e3c3623ba089511b
an image digest string, starting with "sha256:" prefix
Possible values: length ≥ 1
Example:
sha256:7492c1f615e3651629bd6c61777e9660caa3819cf3561a47d1d526dfeee02cf6
The RFC-3339 timestamp of the evaluation
The image full tag
The targeted policy ID
A Policy object
Rule gate
Rule trigger
Number of stop rules triggered from this gate/trigger pair
Number of warn rules triggered from this gate/trigger pair
the list of outputs for this pair/gate trigger
The ID of the image that triggered this rule.
The name of the image that triggered this rule.
The trigger identifier responsible for this rule output.
The gate of this rule.
The trigger of this rule.
Human-readable output string of this rule.
The action of this rule.
Whether this rule was whitelisted in the policy.
The ID of the policy that contains the triggered rule.
rows
rules
Status Code
The policy evaluation policy summary
No Sample Response
Retrieve the policy evaluation summary of an image [Digest]
GET /api/scanning/v1/images/{imageDigest}/policyEvaluation
Request
Path Parameters
The targeted image digest
Possible values: length ≥ 1
Example:
sha256:7492c1f615e3651629bd6c61777e9660caa3819cf3561a47d1d526dfeee02cf6
Query Parameters
The image full tag
Response
The targeted image digest
The RFC-3339 timestamp of the evaluation
The image full tag
Final evaluation status
The bundle ID used in this evaluation
Final evaluation action
Final evaluation action reason
Total number of stop rules triggered
Total number of warn rules triggered
Policy comment
Policy ID
Policy Name
Policy version
Rule action
Rule gate
Rule ID
Rule trigger
Parameter Name
Parameter Value
params
rules
policies
Policy ID
Policy Name
Number of stop rules triggered from this policy
Number of warn rules triggered from this policy
Rule gate
Rule trigger
Number of stop rules triggered from this gate/trigger pair
Number of warn rules triggered from this gate/trigger pair
Rule gate
Rule trigger
the policy rule check output
the gate action
the trigger ID
rule whitelisted (true/false)
ruleREsults
gateResults
results
Status Code
The policy evaluation summary
No Sample Response
Retrieve the policy evaluation summary of an image [ImageID]
GET /api/scanning/v1/images/by_id/{imageId}/policyEvaluation
Request
Path Parameters
The targeted imageID
Possible values: length ≥ 1
Example:
d4d4f50f871a02502debe52927b7c5769a1b9ed2f4a06ea0e3c3623ba089511b
Query Parameters
The image full tag
Response
The targeted image digest
The RFC-3339 timestamp of the evaluation
The image full tag
Final evaluation status
The bundle ID used in this evaluation
Final evaluation action
Final evaluation action reason
Total number of stop rules triggered
Total number of warn rules triggered
Policy comment
Policy ID
Policy Name
Policy version
Rule action
Rule gate
Rule ID
Rule trigger
Parameter Name
Parameter Value
params
rules
policies
Policy ID
Policy Name
Number of stop rules triggered from this policy
Number of warn rules triggered from this policy
Rule gate
Rule trigger
Number of stop rules triggered from this gate/trigger pair
Number of warn rules triggered from this gate/trigger pair
Rule gate
Rule trigger
the policy rule check output
the gate action
the trigger ID
rule whitelisted (true/false)
ruleREsults
gateResults
results
Status Code
The policy evaluation summary
No Sample Response
Response
The name of the policy.
An array of PolicyRule elements (while creating/updating a policy, new rule IDs will be created backend side)
Unique identifier associated with this policy. It's created backend side.
A human-readable description.
Version of the policy.
If true, this policy is referenced in the default mapping (registry=repository=tag=*)
An policy bundle ID. While retrieving this object, this is the bundle ID that contains this policy. While inserting/updating, this is the target bundle, and if not specified, the currently active bundle will be used.
Status Code
List of all the policies in the targeted policy bundle
No Sample Response
Request
The name of the policy.
An array of PolicyRule elements (while creating/updating a policy, new rule IDs will be created backend side)
Unique identifier associated with this policy. It's created backend side.
A human-readable description.
Version of the policy.
If true, this policy is referenced in the default mapping (registry=repository=tag=*)
An policy bundle ID. While retrieving this object, this is the bundle ID that contains this policy. While inserting/updating, this is the target bundle, and if not specified, the currently active bundle will be used.
Response
The name of the policy.
An array of PolicyRule elements (while creating/updating a policy, new rule IDs will be created backend side)
Unique identifier associated with this policy. It's created backend side.
A human-readable description.
Version of the policy.
If true, this policy is referenced in the default mapping (registry=repository=tag=*)
An policy bundle ID. While retrieving this object, this is the bundle ID that contains this policy. While inserting/updating, this is the target bundle, and if not specified, the currently active bundle will be used.
Status Code
The newly created policy
No Sample Response
Retrieve the policy with the given id in the targeted policy bundle
GET /api/scanning/v1/policies/{id}
Request
Path Parameters
Query Parameters
Target bundle. If not specified, the currently active bundle will be used.
Response
The name of the policy.
An array of PolicyRule elements (while creating/updating a policy, new rule IDs will be created backend side)
Unique identifier associated with this policy. It's created backend side.
A human-readable description.
Version of the policy.
If true, this policy is referenced in the default mapping (registry=repository=tag=*)
An policy bundle ID. While retrieving this object, this is the bundle ID that contains this policy. While inserting/updating, this is the target bundle, and if not specified, the currently active bundle will be used.
Status Code
The policy with the given id
Policy not found
No Sample Response
Request
Path Parameters
The name of the policy.
An array of PolicyRule elements (while creating/updating a policy, new rule IDs will be created backend side)
Unique identifier associated with this policy. It's created backend side.
A human-readable description.
Version of the policy.
If true, this policy is referenced in the default mapping (registry=repository=tag=*)
An policy bundle ID. While retrieving this object, this is the bundle ID that contains this policy. While inserting/updating, this is the target bundle, and if not specified, the currently active bundle will be used.
Response
The name of the policy.
An array of PolicyRule elements (while creating/updating a policy, new rule IDs will be created backend side)
Unique identifier associated with this policy. It's created backend side.
A human-readable description.
Version of the policy.
If true, this policy is referenced in the default mapping (registry=repository=tag=*)
An policy bundle ID. While retrieving this object, this is the bundle ID that contains this policy. While inserting/updating, this is the target bundle, and if not specified, the currently active bundle will be used.
Status Code
The updated policy
Policy not found
No Sample Response
Delete the policy with the given id in the targeted policy bundle
DELETE /api/scanning/v1/policies/{id}
Retrieve all the vulnerability exception lists in the targeted policy bundle
GET /api/scanning/v1/whitelists
Request
Query Parameters
Target bundle. If not specified, the currently active bundle will be used.
Include or not "items" in the response. Useful when there are a lot of vulnerability exception lists.
Response
Unique identifier associated with this vulnerability exception list. It's created backend side.
The timestamp when the vulnerability exception list has been created
Example:
1595433581
The timestamp when the vulnerability exception list has been updated
Example:
1595433581
The name of the vulnerability exception list.
Version of the vulnerability exception list. Should be "1_0"
An array of vulnerability exception items (while creating/updating a list, new item IDs will be created backend side)
The vulnerability identifier. Computed server side
The timestamp when the vulnerability has been added to the exception list
Example:
1595433581
The timestamp when the vulnerability has been modified in one of its fields.
Example:
1595433581
The gate kind
Example:
vulnerabilities
The name of the vulnerability
Example:
CVE-2020-9071+*
The vulnerability generic description
Examples:ViewThe user written notes attached to a specific vulnerability exception item
The timestamp till the vulnerability will be disabled. If
null
, the entry never expires.Note: the actual expiration will be computed only once a day for the entire Sysdig installation. The task will be executed each day at 0:00 UTC (4:00 PM PST, 5:00 PM PDT) and will consider expiration dates which are <= than the current date.
Example:
1657622089
Enable/disable vulnerability when considering exceptions. Useful, in combination with
expiration_date
to handle temporary exceptions.
items
A human-readable description.
An policy bundle ID. While retrieving this object, this is the bundle ID that contains this vulnerability exception list. While inserting/updating, this is the target bundle, and if not specified, the currently active bundle will be used.
Status Code
All the vulnerability exception lists in the targeted policy bundle
No Sample Response
Create a new vulnerability exception list in the targeted policy bundle
POST /api/scanning/v1/whitelists
Request
The name of the vulnerability exception list.
Version of the vulnerability exception list. Should be "1_0"
An array of vulnerability exception items (while creating/updating a list, new item IDs will be created backend side)
The vulnerability identifier. Computed server side
The timestamp when the vulnerability has been added to the exception list
Example:
1595433581
The timestamp when the vulnerability has been modified in one of its fields.
Example:
1595433581
The gate kind
Example:
vulnerabilities
The name of the vulnerability
Example:
CVE-2020-9071+*
The vulnerability generic description
Examples:ViewThe user written notes attached to a specific vulnerability exception item
The timestamp till the vulnerability will be disabled. If
null
, the entry never expires.Note: the actual expiration will be computed only once a day for the entire Sysdig installation. The task will be executed each day at 0:00 UTC (4:00 PM PST, 5:00 PM PDT) and will consider expiration dates which are <= than the current date.
Example:
1657622089
Enable/disable vulnerability when considering exceptions. Useful, in combination with
expiration_date
to handle temporary exceptions.
items
A human-readable description.
Response
Unique identifier associated with this vulnerability exception list. It's created backend side.
The timestamp when the vulnerability exception list has been created
Example:
1595433581
The timestamp when the vulnerability exception list has been updated
Example:
1595433581
The name of the vulnerability exception list.
Version of the vulnerability exception list. Should be "1_0"
An array of vulnerability exception items (while creating/updating a list, new item IDs will be created backend side)
The vulnerability identifier. Computed server side
The timestamp when the vulnerability has been added to the exception list
Example:
1595433581
The timestamp when the vulnerability has been modified in one of its fields.
Example:
1595433581
The gate kind
Example:
vulnerabilities
The name of the vulnerability
Example:
CVE-2020-9071+*
The vulnerability generic description
Examples:ViewThe user written notes attached to a specific vulnerability exception item
The timestamp till the vulnerability will be disabled. If
null
, the entry never expires.Note: the actual expiration will be computed only once a day for the entire Sysdig installation. The task will be executed each day at 0:00 UTC (4:00 PM PST, 5:00 PM PDT) and will consider expiration dates which are <= than the current date.
Example:
1657622089
Enable/disable vulnerability when considering exceptions. Useful, in combination with
expiration_date
to handle temporary exceptions.
items
A human-readable description.
An policy bundle ID. While retrieving this object, this is the bundle ID that contains this vulnerability exception list. While inserting/updating, this is the target bundle, and if not specified, the currently active bundle will be used.
Status Code
The newly created vulnerability exception list
Bad Request
Conflict
Missing field name
A vulnerability exception list with the given name already exists
Retrieve the vulnerability exception list with the given id in the active policy bundle
GET /api/scanning/v1/whitelists/{id}
Request
Path Parameters
Query Parameters
Target bundle. If not specified, the currently active bundle will be used.
Response
Unique identifier associated with this vulnerability exception list. It's created backend side.
The timestamp when the vulnerability exception list has been created
Example:
1595433581
The timestamp when the vulnerability exception list has been updated
Example:
1595433581
The name of the vulnerability exception list.
Version of the vulnerability exception list. Should be "1_0"
An array of vulnerability exception items (while creating/updating a list, new item IDs will be created backend side)
The vulnerability identifier. Computed server side
The timestamp when the vulnerability has been added to the exception list
Example:
1595433581
The timestamp when the vulnerability has been modified in one of its fields.
Example:
1595433581
The gate kind
Example:
vulnerabilities
The name of the vulnerability
Example:
CVE-2020-9071+*
The vulnerability generic description
Examples:ViewThe user written notes attached to a specific vulnerability exception item
The timestamp till the vulnerability will be disabled. If
null
, the entry never expires.Note: the actual expiration will be computed only once a day for the entire Sysdig installation. The task will be executed each day at 0:00 UTC (4:00 PM PST, 5:00 PM PDT) and will consider expiration dates which are <= than the current date.
Example:
1657622089
Enable/disable vulnerability when considering exceptions. Useful, in combination with
expiration_date
to handle temporary exceptions.
items
A human-readable description.
An policy bundle ID. While retrieving this object, this is the bundle ID that contains this vulnerability exception list. While inserting/updating, this is the target bundle, and if not specified, the currently active bundle will be used.
Status Code
The vulnerability exception list with the given id
Vulnerability exception list not found
Vulnerability exception list not found
Update the main attributes of the vulnerability exception list with the given id in the targeted policy bundle
PUT /api/scanning/v1/whitelists/{id}
Request
Path Parameters
Query Parameters
Target bundle. If not specified, the currently active bundle will be used.
The name of the vulnerability exception list.
Version of the vulnerability exception list. Should be "1_0"
An array of vulnerability exception items (while creating/updating a list, new item IDs will be created backend side)
Deprecated: use POST .../vulnexceptions/{id}/vulnerabilities instead
The gate kind
Example:
vulnerabilities
The name of the vulnerability
Example:
CVE-2020-9071+*
The vulnerability identifier. Computed server side
The timestamp when the vulnerability has been added to the exception list
Example:
1595433581
The timestamp when the vulnerability has been modified in one of its fields.
Example:
1595433581
The user written notes attached to a specific vulnerability exception item
The timestamp till the vulnerability will be disabled. If
null
, the entry never expires.Note: the actual expiration will be computed only once a day for the entire Sysdig installation. The task will be executed each day at 0:00 UTC (4:00 PM PST, 5:00 PM PDT) and will consider expiration dates which are <= than the current date.
Example:
1657622089
Enable/disable vulnerability when considering exceptions. Useful, in combination with
expiration_date
to handle temporary exceptions.The vulnerability generic description
Examples:View
items
A human-readable description.
Response
Unique identifier associated with this vulnerability exception list. It's created backend side.
The timestamp when the vulnerability exception list has been created
Example:
1595433581
The timestamp when the vulnerability exception list has been updated
Example:
1595433581
The name of the vulnerability exception list.
Version of the vulnerability exception list. Should be "1_0"
An array of vulnerability exception items (while creating/updating a list, new item IDs will be created backend side)
The vulnerability identifier. Computed server side
The timestamp when the vulnerability has been added to the exception list
Example:
1595433581
The timestamp when the vulnerability has been modified in one of its fields.
Example:
1595433581
The gate kind
Example:
vulnerabilities
The name of the vulnerability
Example:
CVE-2020-9071+*
The vulnerability generic description
Examples:ViewThe user written notes attached to a specific vulnerability exception item
The timestamp till the vulnerability will be disabled. If
null
, the entry never expires.Note: the actual expiration will be computed only once a day for the entire Sysdig installation. The task will be executed each day at 0:00 UTC (4:00 PM PST, 5:00 PM PDT) and will consider expiration dates which are <= than the current date.
Example:
1657622089
Enable/disable vulnerability when considering exceptions. Useful, in combination with
expiration_date
to handle temporary exceptions.
items
A human-readable description.
An policy bundle ID. While retrieving this object, this is the bundle ID that contains this vulnerability exception list. While inserting/updating, this is the target bundle, and if not specified, the currently active bundle will be used.
Status Code
The updated vulnerability exception list
Bad Request
Policy not found
Conflict
Missing field name
Vulnerability exception list not found
A vulnerability exception list with the given name already exists
Delete the vulnerability exception list with the given id in the targeted policy bundle
DELETE /api/scanning/v1/whitelists/{id}
Retrieve all the vulnerability exception lists in the targeted policy bundle
GET /api/scanning/v1/vulnexceptions
Request
Query Parameters
Target bundle. If not specified, the currently active bundle will be used.
Include or not "items" in the response. Useful when there are a lot of vulnerability exception lists.
Response
Unique identifier associated with this vulnerability exception list. It's created backend side.
The timestamp when the vulnerability exception list has been created
Example:
1595433581
The timestamp when the vulnerability exception list has been updated
Example:
1595433581
The name of the vulnerability exception list.
Version of the vulnerability exception list. Should be "1_0"
An array of vulnerability exception items (while creating/updating a list, new item IDs will be created backend side)
The vulnerability identifier. Computed server side
The timestamp when the vulnerability has been added to the exception list
Example:
1595433581
The timestamp when the vulnerability has been modified in one of its fields.
Example:
1595433581
The gate kind
Example:
vulnerabilities
The name of the vulnerability
Example:
CVE-2020-9071+*
The vulnerability generic description
Examples:ViewThe user written notes attached to a specific vulnerability exception item
The timestamp till the vulnerability will be disabled. If
null
, the entry never expires.Note: the actual expiration will be computed only once a day for the entire Sysdig installation. The task will be executed each day at 0:00 UTC (4:00 PM PST, 5:00 PM PDT) and will consider expiration dates which are <= than the current date.
Example:
1657622089
Enable/disable vulnerability when considering exceptions. Useful, in combination with
expiration_date
to handle temporary exceptions.
items
A human-readable description.
An policy bundle ID. While retrieving this object, this is the bundle ID that contains this vulnerability exception list. While inserting/updating, this is the target bundle, and if not specified, the currently active bundle will be used.
Status Code
All the vulnerability exception lists in the targeted policy bundle
No Sample Response
Create a new vulnerability exception list in the targeted policy bundle
POST /api/scanning/v1/vulnexceptions
Request
The name of the vulnerability exception list.
Version of the vulnerability exception list. Should be "1_0"
An array of vulnerability exception items (while creating/updating a list, new item IDs will be created backend side)
The vulnerability identifier. Computed server side
The timestamp when the vulnerability has been added to the exception list
Example:
1595433581
The timestamp when the vulnerability has been modified in one of its fields.
Example:
1595433581
The gate kind
Example:
vulnerabilities
The name of the vulnerability
Example:
CVE-2020-9071+*
The vulnerability generic description
Examples:ViewThe user written notes attached to a specific vulnerability exception item
The timestamp till the vulnerability will be disabled. If
null
, the entry never expires.Note: the actual expiration will be computed only once a day for the entire Sysdig installation. The task will be executed each day at 0:00 UTC (4:00 PM PST, 5:00 PM PDT) and will consider expiration dates which are <= than the current date.
Example:
1657622089
Enable/disable vulnerability when considering exceptions. Useful, in combination with
expiration_date
to handle temporary exceptions.
items
A human-readable description.
Response
Unique identifier associated with this vulnerability exception list. It's created backend side.
The timestamp when the vulnerability exception list has been created
Example:
1595433581
The timestamp when the vulnerability exception list has been updated
Example:
1595433581
The name of the vulnerability exception list.
Version of the vulnerability exception list. Should be "1_0"
An array of vulnerability exception items (while creating/updating a list, new item IDs will be created backend side)
The vulnerability identifier. Computed server side
The timestamp when the vulnerability has been added to the exception list
Example:
1595433581
The timestamp when the vulnerability has been modified in one of its fields.
Example:
1595433581
The gate kind
Example:
vulnerabilities
The name of the vulnerability
Example:
CVE-2020-9071+*
The vulnerability generic description
Examples:ViewThe user written notes attached to a specific vulnerability exception item
The timestamp till the vulnerability will be disabled. If
null
, the entry never expires.Note: the actual expiration will be computed only once a day for the entire Sysdig installation. The task will be executed each day at 0:00 UTC (4:00 PM PST, 5:00 PM PDT) and will consider expiration dates which are <= than the current date.
Example:
1657622089
Enable/disable vulnerability when considering exceptions. Useful, in combination with
expiration_date
to handle temporary exceptions.
items
A human-readable description.
An policy bundle ID. While retrieving this object, this is the bundle ID that contains this vulnerability exception list. While inserting/updating, this is the target bundle, and if not specified, the currently active bundle will be used.
Status Code
The newly created vulnerability exception list
Bad Request
Conflict
Missing field name
A vulnerability exception list with the given name already exists
Retrieve the vulnerability exception list with the given id in the active policy bundle
GET /api/scanning/v1/vulnexceptions/{id}
Request
Path Parameters
Query Parameters
Target bundle. If not specified, the currently active bundle will be used.
Response
Unique identifier associated with this vulnerability exception list. It's created backend side.
The timestamp when the vulnerability exception list has been created
Example:
1595433581
The timestamp when the vulnerability exception list has been updated
Example:
1595433581
The name of the vulnerability exception list.
Version of the vulnerability exception list. Should be "1_0"
An array of vulnerability exception items (while creating/updating a list, new item IDs will be created backend side)
The vulnerability identifier. Computed server side
The timestamp when the vulnerability has been added to the exception list
Example:
1595433581
The timestamp when the vulnerability has been modified in one of its fields.
Example:
1595433581
The gate kind
Example:
vulnerabilities
The name of the vulnerability
Example:
CVE-2020-9071+*
The vulnerability generic description
Examples:ViewThe user written notes attached to a specific vulnerability exception item
The timestamp till the vulnerability will be disabled. If
null
, the entry never expires.Note: the actual expiration will be computed only once a day for the entire Sysdig installation. The task will be executed each day at 0:00 UTC (4:00 PM PST, 5:00 PM PDT) and will consider expiration dates which are <= than the current date.
Example:
1657622089
Enable/disable vulnerability when considering exceptions. Useful, in combination with
expiration_date
to handle temporary exceptions.
items
A human-readable description.
An policy bundle ID. While retrieving this object, this is the bundle ID that contains this vulnerability exception list. While inserting/updating, this is the target bundle, and if not specified, the currently active bundle will be used.
Status Code
The vulnerability exception list with the given id
Vulnerability exception list not found
Vulnerability exception list not found
Update the main attributes of the vulnerability exception list with the given id in the targeted policy bundle
PUT /api/scanning/v1/vulnexceptions/{id}
Request
Path Parameters
Query Parameters
Target bundle. If not specified, the currently active bundle will be used.
The name of the vulnerability exception list.
Version of the vulnerability exception list. Should be "1_0"
An array of vulnerability exception items (while creating/updating a list, new item IDs will be created backend side)
Deprecated: use POST .../vulnexceptions/{id}/vulnerabilities instead
The gate kind
Example:
vulnerabilities
The name of the vulnerability
Example:
CVE-2020-9071+*
The vulnerability identifier. Computed server side
The timestamp when the vulnerability has been added to the exception list
Example:
1595433581
The timestamp when the vulnerability has been modified in one of its fields.
Example:
1595433581
The user written notes attached to a specific vulnerability exception item
The timestamp till the vulnerability will be disabled. If
null
, the entry never expires.Note: the actual expiration will be computed only once a day for the entire Sysdig installation. The task will be executed each day at 0:00 UTC (4:00 PM PST, 5:00 PM PDT) and will consider expiration dates which are <= than the current date.
Example:
1657622089
Enable/disable vulnerability when considering exceptions. Useful, in combination with
expiration_date
to handle temporary exceptions.The vulnerability generic description
Examples:View
items
A human-readable description.
Response
Unique identifier associated with this vulnerability exception list. It's created backend side.
The timestamp when the vulnerability exception list has been created
Example:
1595433581
The timestamp when the vulnerability exception list has been updated
Example:
1595433581
The name of the vulnerability exception list.
Version of the vulnerability exception list. Should be "1_0"
An array of vulnerability exception items (while creating/updating a list, new item IDs will be created backend side)
The vulnerability identifier. Computed server side
The timestamp when the vulnerability has been added to the exception list
Example:
1595433581
The timestamp when the vulnerability has been modified in one of its fields.
Example:
1595433581
The gate kind
Example:
vulnerabilities
The name of the vulnerability
Example:
CVE-2020-9071+*
The vulnerability generic description
Examples:ViewThe user written notes attached to a specific vulnerability exception item
The timestamp till the vulnerability will be disabled. If
null
, the entry never expires.Note: the actual expiration will be computed only once a day for the entire Sysdig installation. The task will be executed each day at 0:00 UTC (4:00 PM PST, 5:00 PM PDT) and will consider expiration dates which are <= than the current date.
Example:
1657622089
Enable/disable vulnerability when considering exceptions. Useful, in combination with
expiration_date
to handle temporary exceptions.
items
A human-readable description.
An policy bundle ID. While retrieving this object, this is the bundle ID that contains this vulnerability exception list. While inserting/updating, this is the target bundle, and if not specified, the currently active bundle will be used.
Status Code
The updated vulnerability exception list
Bad Request
Policy not found
Conflict
Missing field name
Vulnerability exception list not found
A vulnerability exception list with the given name already exists
Delete the vulnerability exception list with the given id in the targeted policy bundle
DELETE /api/scanning/v1/vulnexceptions/{id}
Add a new vulnerability to a specific vulnerability exception list.
POST /api/scanning/v1/vulnexceptions/{id}/vulnerabilities
Request
Path Parameters
The vulnerability exception list identifier
Query Parameters
Target bundle. If not specified, the currently active bundle will be used.
The gate kind
Example:
vulnerabilities
The name of the vulnerability
Example:
CVE-2020-9071+*
The user written notes attached to a specific vulnerability exception item
The timestamp till the vulnerability will be disabled. If
null
, the entry never expires.Note: the actual expiration will be computed only once a day for the entire Sysdig installation. The task will be executed each day at 0:00 UTC (4:00 PM PST, 5:00 PM PDT) and will consider expiration dates which are <= than the current date.
Example:
1657622089
Enable/disable vulnerability when considering exceptions. Useful, in combination with
expiration_date
to handle temporary exceptions.
Response
The vulnerability identifier. Computed server side
The timestamp when the vulnerability has been added to the exception list
Example:
1595433581
The timestamp when the vulnerability has been modified in one of its fields.
Example:
1595433581
The gate kind
Example:
vulnerabilities
The name of the vulnerability
Example:
CVE-2020-9071+*
The vulnerability generic description
Examples:ViewThe user written notes attached to a specific vulnerability exception item
The timestamp till the vulnerability will be disabled. If
null
, the entry never expires.Note: the actual expiration will be computed only once a day for the entire Sysdig installation. The task will be executed each day at 0:00 UTC (4:00 PM PST, 5:00 PM PDT) and will consider expiration dates which are <= than the current date.
Example:
1657622089
Enable/disable vulnerability when considering exceptions. Useful, in combination with
expiration_date
to handle temporary exceptions.
Status Code
Vulnerability added to exception list
Bad request
Vulnerability exception list not found
Conflict
Bad request
Vulnerability exception list not found
Vulnerability already exists in the exception list
Retrieve vulnerability informations in a specific vulnerability exception list
GET /api/scanning/v1/vulnexceptions/{id}/vulnerabilities/{vulnId}
Request
Path Parameters
The vulnerability exception list identifier
The vulnerability identifier
Query Parameters
Target bundle. If not specified, the currently active bundle will be used.
Response
The vulnerability identifier. Computed server side
The timestamp when the vulnerability has been added to the exception list
Example:
1595433581
The timestamp when the vulnerability has been modified in one of its fields.
Example:
1595433581
The gate kind
Example:
vulnerabilities
The name of the vulnerability
Example:
CVE-2020-9071+*
The vulnerability generic description
Examples:ViewThe user written notes attached to a specific vulnerability exception item
The timestamp till the vulnerability will be disabled. If
null
, the entry never expires.Note: the actual expiration will be computed only once a day for the entire Sysdig installation. The task will be executed each day at 0:00 UTC (4:00 PM PST, 5:00 PM PDT) and will consider expiration dates which are <= than the current date.
Example:
1657622089
Enable/disable vulnerability when considering exceptions. Useful, in combination with
expiration_date
to handle temporary exceptions.
Status Code
Fetched vulnerability details
Vulnerability exception list or vulnerability item not found
Vulnerability exception list not found
Update a vulnerability in a specific vulnerability exception list
PUT /api/scanning/v1/vulnexceptions/{id}/vulnerabilities/{vulnId}
Request
Path Parameters
The vulnerability exception list identifier
The vulnerability identifier
Query Parameters
Target bundle. If not specified, the currently active bundle will be used.
The gate kind
Example:
vulnerabilities
The name of the vulnerability
Example:
CVE-2020-9071+*
The user written notes attached to a specific vulnerability exception item
The timestamp till the vulnerability will be disabled. If
null
, the entry never expires.Note: the actual expiration will be computed only once a day for the entire Sysdig installation. The task will be executed each day at 0:00 UTC (4:00 PM PST, 5:00 PM PDT) and will consider expiration dates which are <= than the current date.
Example:
1657622089
Enable/disable vulnerability when considering exceptions. Useful, in combination with
expiration_date
to handle temporary exceptions.
Response
The vulnerability identifier. Computed server side
The timestamp when the vulnerability has been added to the exception list
Example:
1595433581
The timestamp when the vulnerability has been modified in one of its fields.
Example:
1595433581
The gate kind
Example:
vulnerabilities
The name of the vulnerability
Example:
CVE-2020-9071+*
The vulnerability generic description
Examples:ViewThe user written notes attached to a specific vulnerability exception item
The timestamp till the vulnerability will be disabled. If
null
, the entry never expires.Note: the actual expiration will be computed only once a day for the entire Sysdig installation. The task will be executed each day at 0:00 UTC (4:00 PM PST, 5:00 PM PDT) and will consider expiration dates which are <= than the current date.
Example:
1657622089
Enable/disable vulnerability when considering exceptions. Useful, in combination with
expiration_date
to handle temporary exceptions.
Status Code
Updated vulnerability details
Bad request
Vulnerability exception list or vulnerability item not found
Bad request
Vulnerability exception list not found
Remove a vulnerability from a specific vulnerability exception list
DELETE /api/scanning/v1/vulnexceptions/{id}/vulnerabilities/{vulnId}
Response
The vulnerability identifier
Example:
CVE-2020-7091
The vulnerability human readable description as reported in the NVD database
Example:
This vulnerability will make kittens explode
The source
Example:
ubuntu:12.04
The specific url by source
Example:
http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-8492
The specific severity by source
Example:
High
feeds
Status Code
Fetched vulnerability details
Vulnerability not found
Vulnerability not found
Retrieve the list, in order, of all the mappings in the targeted policy bundle
GET /api/scanning/v1/mappings
Response
A list of mappings as MappingRule elements.
Note: the default mapping should always be the last one in the array.
Example:
quay.io
Example:
nginx
Example:
tag
Example:
latest
image
items
An policy bundle ID. While retrieving this object, this is the bundle ID that contains this mapping list. While inserting/updating, this is the target bundle, and if not specified, the currently active bundle will be used.
Status Code
List of all the mappings in the targeted policy bundle
Bundle not found
No Sample Response
Request
A list of mappings as MappingRule elements.
Note: the default mapping should always be the last one in the array.
Example:
quay.io
Example:
nginx
Example:
tag
Example:
latest
image
items
An policy bundle ID. While retrieving this object, this is the bundle ID that contains this mapping list. While inserting/updating, this is the target bundle, and if not specified, the currently active bundle will be used.
Response
A list of mappings as MappingRule elements.
Note: the default mapping should always be the last one in the array.
Example:
quay.io
Example:
nginx
Example:
tag
Example:
latest
image
items
An policy bundle ID. While retrieving this object, this is the bundle ID that contains this mapping list. While inserting/updating, this is the target bundle, and if not specified, the currently active bundle will be used.
Status Code
The updated mapping list
Bundle not found
No Sample Response
Response
A list of image names to be {white,black}listed
An policy bundle ID. While retrieving this object, this is the bundle ID that contains this image list. While inserting/updating, this is the target bundle, and if not specified, the currently active bundle will be used.
Status Code
The list of whitelisted image names
No Sample Response
Request
A list of image names to be {white,black}listed
An policy bundle ID. While retrieving this object, this is the bundle ID that contains this image list. While inserting/updating, this is the target bundle, and if not specified, the currently active bundle will be used.
Response
A list of image names to be {white,black}listed
An policy bundle ID. While retrieving this object, this is the bundle ID that contains this image list. While inserting/updating, this is the target bundle, and if not specified, the currently active bundle will be used.
Status Code
The updated list of whitelisted image names
No Sample Response
Response
A list of image names to be {white,black}listed
An policy bundle ID. While retrieving this object, this is the bundle ID that contains this image list. While inserting/updating, this is the target bundle, and if not specified, the currently active bundle will be used.
Status Code
The list of blacklisted image names
No Sample Response
Request
Query Parameters
Maximum number of alerts in the response
An opaque string representing the current position in the list of alerts
Response
Whether this alert should actually be applied.
The name of the alert.
The type of the alert.
Possible values: [
runtime
,repository
]True if the alert should automatically analyze unscanned images.
Unique identifier associated with this alert. It's created backend side.
The description of the alert.
An AND-composed string of predicates that selects the scope in which the alert will be applied. Only used when type=runtime.
The list of images for which the alert will be applied. Only used when type=repository.
The image registry.
The image repository.
The image tag.
repositories
True if the policy_eval trigger should activate only when the result changes from pass to fail.
alerts
responseMetadata
Status Code
The list of requested alerts
No Sample Response
Request
Whether this alert should actually be applied.
The name of the alert.
The type of the alert.
Allowable values: [
runtime
,repository
]True if the alert should automatically analyze unscanned images.
Unique identifier associated with this alert. It's created backend side.
The description of the alert.
An AND-composed string of predicates that selects the scope in which the alert will be applied. Only used when type=runtime.
The list of images for which the alert will be applied. Only used when type=repository.
The image registry.
The image repository.
The image tag.
repositories
True if the policy_eval trigger should activate only when the result changes from pass to fail.
Response
Whether this alert should actually be applied.
The name of the alert.
The type of the alert.
Possible values: [
runtime
,repository
]True if the alert should automatically analyze unscanned images.
Unique identifier associated with this alert. It's created backend side.
The description of the alert.
An AND-composed string of predicates that selects the scope in which the alert will be applied. Only used when type=runtime.
The list of images for which the alert will be applied. Only used when type=repository.
The image registry.
The image repository.
The image tag.
repositories
True if the policy_eval trigger should activate only when the result changes from pass to fail.
Status Code
The newly created alert
No Sample Response
Response
Whether this alert should actually be applied.
The name of the alert.
The type of the alert.
Possible values: [
runtime
,repository
]True if the alert should automatically analyze unscanned images.
Unique identifier associated with this alert. It's created backend side.
The description of the alert.
An AND-composed string of predicates that selects the scope in which the alert will be applied. Only used when type=runtime.
The list of images for which the alert will be applied. Only used when type=repository.
The image registry.
The image repository.
The image tag.
repositories
True if the policy_eval trigger should activate only when the result changes from pass to fail.
Status Code
The scanning alert with the given id
Alert not found
No Sample Response
Request
Path Parameters
Whether this alert should actually be applied.
The name of the alert.
The type of the alert.
Allowable values: [
runtime
,repository
]True if the alert should automatically analyze unscanned images.
Unique identifier associated with this alert. It's created backend side.
The description of the alert.
An AND-composed string of predicates that selects the scope in which the alert will be applied. Only used when type=runtime.
The list of images for which the alert will be applied. Only used when type=repository.
The image registry.
The image repository.
The image tag.
repositories
True if the policy_eval trigger should activate only when the result changes from pass to fail.
Response
Whether this alert should actually be applied.
The name of the alert.
The type of the alert.
Possible values: [
runtime
,repository
]True if the alert should automatically analyze unscanned images.
Unique identifier associated with this alert. It's created backend side.
The description of the alert.
An AND-composed string of predicates that selects the scope in which the alert will be applied. Only used when type=runtime.
The list of images for which the alert will be applied. Only used when type=repository.
The image registry.
The image repository.
The image tag.
repositories
True if the policy_eval trigger should activate only when the result changes from pass to fail.
Status Code
The updated alert
Alert not found
No Sample Response
Retrieve the list of runtime images in the selected scope, time and container range.
POST /api/scanning/v1/query/containers
Request
Generate the report based on the given query type.
Allowable values: [
image
,vuln
,pkg
,policies
]Filter the results based on the given scope.
Allowable values: [
runtime
,static
]An AND-composed string of predicates that selects the scope in which the alert will be applied.
The selected time range (unix timestamp, microseconds)
time
runtimeScope
Filter the results based on the registry name.
Filter the results based on the repository name.
Filter the results based on the given image tag.
staticScope
Filter the results based on the vulnerability ID.
The selected time range (value as specified by iso8601)
Example:
2019-07-31T00:00:00-07:00
Example:
2019-08-02T20:15:24-07:00
age
Filter the results based on the vulnerability severity.
Allowable values: [
Critical
,High
,Medium
,Low
,Negligible
,Unknown
]Filter the results based on vulnerabolity with fixes.
Filter the results based on the given package name.
Filter the results based on the given package version.
vulnQueryFilter
Filter the results based on the given package name.
Filter the results based on the given package version.
pkgQueryFilter
Filter the results based on image digest
Filter the results based on the result of a policy evaluation.
Allowable values: [
pass
,fail
]Timestamp value for policy evaluation (value as specified by iso8601). Show all the policy evaluations after this timestamp.
Example:
2019-07-15T14:47:08-07:00
Timestamp value for policy evaluation (value as specified by iso8601) Show all the policy evaluations before this timestamp.
Example:
2019-07-15T14:47:08-07:00
policyQueryFilter
Sorting method. Defaults to descendent.
Allowable values: [
desc
,asc
]Field used to determine sorting column. Defaults to severity.
Allowable values: [
imageName
,tag
,vulnId
,fixedIn
,severity
,pkgName
,pkgVersion
,evaluationDate
,bundleId
,result
]If specified, a 0-based index on the list. Only entries >= offset will be retrieved. Defaults to 0.
If specified, a limit on the number of entries retrieved. limit must be >= 1 and if it overflows the list all entries will be retrieved.
The string on which the results are to be filtered.
Response
runtime
imageQueryResponse
runtime
vulnQueryResponse
runtime
pkgQueryResponse
runtime
policyQueryResponse
The sorting method used
The field used to sort the result
The start offset used
The limit used. Must be >= 1.
True if more results can be fetched.
The string on which the results are to be filtered.
Status Code
The report was generated successfully for given conditions.
The API was not found
No Sample Response
Generate a CSV formatted report based on the given scope and conditions.
POST /api/scanning/v1/reports/csv
Request
Generate the report based on the given query type.
Allowable values: [
image
,vuln
,pkg
,policies
]Filter the results based on the given scope.
Allowable values: [
runtime
,static
]An AND-composed string of predicates that selects the scope in which the alert will be applied.
The selected time range (unix timestamp, microseconds)
time
runtimeScope
Filter the results based on the registry name.
Filter the results based on the repository name.
Filter the results based on the given image tag.
staticScope
Filter the results based on the vulnerability ID.
The selected time range (value as specified by iso8601)
Example:
2019-07-31T00:00:00-07:00
Example:
2019-08-02T20:15:24-07:00
age
Filter the results based on the vulnerability severity.
Allowable values: [
Critical
,High
,Medium
,Low
,Negligible
,Unknown
]Filter the results based on vulnerabolity with fixes.
Filter the results based on the given package name.
Filter the results based on the given package version.
vulnQueryFilter
Filter the results based on the given package name.
Filter the results based on the given package version.
pkgQueryFilter
Filter the results based on image digest
Filter the results based on the result of a policy evaluation.
Allowable values: [
pass
,fail
]Timestamp value for policy evaluation (value as specified by iso8601). Show all the policy evaluations after this timestamp.
Example:
2019-07-15T14:47:08-07:00
Timestamp value for policy evaluation (value as specified by iso8601) Show all the policy evaluations before this timestamp.
Example:
2019-07-15T14:47:08-07:00
policyQueryFilter
Sorting method. Defaults to descendent.
Allowable values: [
desc
,asc
]Field used to determine sorting column. Defaults to severity.
Allowable values: [
imageName
,tag
,vulnId
,fixedIn
,severity
,pkgName
,pkgVersion
,evaluationDate
,bundleId
,result
]If specified, a 0-based index on the list. Only entries >= offset will be retrieved. Defaults to 0.
If specified, a limit on the number of entries retrieved. limit must be >= 1 and if it overflows the list all entries will be retrieved.
The string on which the results are to be filtered.
Request
Query Parameters
If specified, only scan results that contain this substring will be retrieved
Sorting method. Defaults to descending.
Allowable values: [
desc
,asc
]Field used to alphabetically sort by. Defaults to scanDate.
Allowable values: [
repository
,tag
,digest
,scanDate
]A comma-separated list of registry display names. If specified, only scan results from these registries will be retrieved
If specified, a 0-based index on the scan results list. Only entries >= offset will be retrieved. Defaults to 0. If filter is also specified, this index will be applied on the filtered list. An empty list will be retrieved if this index overflows the list.
If specified, a limit on the number of entries retrieved. If filter is also specified, the limit will be applied on the filtered list. limit must be >= 1 and if it overflows the list all entries will be retrieved.
Response
The string on which the results are to be filtered.
A comma seperated list of registries to filter by
The sort direction (default desc)
Possible values: [
asc
,desc
]The field used to sort the result
Possible values: [
repository
,tag
,digest
,scanDate
]The start offset used
The limit used. Must be >= 1.
True if more results can be fetched.
options
The total number of images scanned
The total number of images scanned
The total number of images that are NOT pass the evaluation
The total number of images that are pass the evaluation
policyStatus
The total images that has this specific origin
The total images that has this specific origin
The total images that has this specific origin
The total images that has this specific origin
The total images that has this specific origin
The total images that has this specific origin
The total images that has this specific origin
The total images that has this specific origin
The total images that has this specific origin
The total images that has this specific origin
origins
list of the all possible registry in all image scanned
list of the all possible origins in all image scanned
metadata
The current analysis status
The timestamp when analysis was comleted
The timestamp when the analysis request was created
The full tag of the image including registry, repository and tag
The image digest
The image id
The parent image digest
The timestamp when tag was detected
The image registry as derived from the fullTag
The image repository as derived from the fullTag
The image tag as derived from the fullTag
The display name configured for the registry as derived from the fullTag
The image origin
The image origin
results
Status Code
an array of scan results matching the provided filters.
An invalid request was provided
Internal server error, not due to request parameters
No Sample Response
Request
Date policy in seconds. By default, the range is between 30 and 90 days (in seconds)
Example:
2592000
Tags policy. Number of tags that triggers the retention policy
Example:
5
Response
Date policy in seconds. By default, the range is between 30 and 90 days (in seconds)
Example:
2592000
Tags policy. Number of tags that triggers the retention policy
Example:
5
Status Code
The retention policy was successfully updated
The retention policy was not updated
Internal server error, not due to request parameters
No Sample Response
Retrieves a secure events feed
Retrieves the list of events that match a filter given a specified
time range or cursor.
The pair from
and to
and the cursor
parameter are mutually
exclusive. If you supply a from
and to
you must not supply a
cursor
and vice-versa.
If you supply a cursor
then the prev
field inside the response is
set if and only if there are events before the first event returned, while
the next
field inside the response is set if and only if there are
events after the last event returned. If, instead, you supply the from
and to
pair then the prev
and next
fields inside the response are
always set, because in that case there is no efficient way for the backend
to verify if next
and prev
events actually exist. For this reason, the
best way to use this API is to supply the from
and to
pair at the
first request and then use the prev
and next
cursors to fetch events
before and after the events returned.
Please, do note that if you supply from
and to
and receive the prev
and next
cursors, any subsequent request made by supplying that next
or prev
cursor will return results that are not filtered by the from
and to
you provided in the first request.
Finally, the difference between from
and to
cannot be greater than
2 weeks.
GET /api/v1/secureEvents
Request
Query Parameters
From, expressed in nanoseconds. The difference between
from
andto
cannot be greater than 2 weeks.Possible values: value ≥ 0
Example:
1546300800000000000
To, expressed in nanoseconds. The difference between
from
andto
cannot be greater than 2 weeks.Possible values: value ≥ 0
Example:
1546300800000000000
Cursor is a string used to retrieve data given a specific context. The context can either be events feed before a certain event, after it or its surrounding. See the
prev
,next
andcursor
fields inside the response for further details.Example:
LTltNGUybXIwdWkzZThhMjE1bjRn
Query language expression for filtering results. It is a subset of the full metrics query language used in monitoring. Operators:
and
,or
andnot
logical operators (i.e.pid = 1 and ppid = 2
)=
,!=
,>
,>=
,<
and<=
comparison operators (i.e.pid = 1
)in
to check inclusion in a list of values (i.e.pid in (1, 2)
orclientipv4 in ("127.0.0.1", "192.168.0.1")
) This query language does not support the full set of metrics supported in the monitor query language, but instead supports a set of fields proper to each audit events type. The list of supported fields can be retrieved through theeventsFeedFilters
endpoint. In addition to those fields, also these fields are supported:severity
as numeric value in the[0, 7]
rangecategory
as string valueoriginator
as string value (eitherpolicy
orscanning
)name
as string valuefreeText
as string valuesource
as string valueagentId
as numeric valuecontainerId
as string valuemachineId
as string valueruleName
as string valueruleType
as numeric valueruleSubType
as numeric valuepolicyId
as numeric valuealertName
as string valuetrigger
as string valueimage.id
as string valueimage.registry
as string valueimage.repo
as string valueimage.tag
as string valueimage.digest
as string value
Example:
agent.id=1
Limit the number of events to return.
Possible values: 1 ≤ value ≤ 999
Default:
100
Example:
50
How to handle special events categories, like the policy simulation (advisor).
exclude_simulation
excludes events with categorysimulation
only_simulation
returns only events with categorysimulation
Allowable values: [
exclude_simulation
,only_simulation
]Default:
exclude_simulation
Example:
exclude_simulation
Response
The number of events returned. This number is always less or equal the limit specified in the request.
Example:
10
The cursor that can be used to fetch a set of events before the first event returned in the
data
array. If this value is unset, then there are no events before the first event returned in thedata
array. By providing this value ascursor
in a GETsecureEvents
request, you will get the set of events that precede the first event returned in thedata
array.Example:
LTltNGUybXIwdWkzZThhMjE1bjRn
The cursor that can be used to fetch a set of events after the last event returned in the
data
array. If this value is unset, then there are no events after the last event returned in thedata
array. By providing this value ascursor
in a GETsecureEvents
request, you will get the set of events after the last event returned in thedata
array.Example:
KzltNGUybXIwdWkzZThhMjE1bjRn
page
The event id.
Example:
15cbf54e34df95404caad1c988cf7c42
The cursor that can be used to fetch a set of events surrounding this same event. By providing this value as
cursor
in a GETsecureEvents
request, you will get the set of events surrounding this current event.Example:
LTltNGUybXIwdWkzZThhMjE1bjRn
Timestamp the event occured.
Example:
2020-04-21T16:08:08.845336507Z
The customer id.
Example:
1
Type of the event (i.e. policy, scanning etc.).
Example:
policy
Source of the event.
Example:
k8s_audit
The event category.
Possible values: [
runtime
,simulation
]Example:
runtime
The event name.
Example:
Launch Privileged Container
The event description.
Examples:ViewThe event severity.
Possible values: 0 ≤ value ≤ 7
Example:
4
The machine id (i.e. hostname).
Example:
02:37:22:86:ce:53
Capture action performed once the event happened.
Capture action type.
Possible values: [
capture
]Whether or not the action was completed successfully.
When
successful == false
, details on why the action failed.Token that can be related to later messages.
Example:
4f24c92e-48f5-45ab-84a5-c394f07e855e
Period of time to capture after event in nanoseconds.
Example:
18000000000
Period of time to capture before event in nanoseconds.
Example:
5000000000
undefined
actions
The agent id.
Example:
1
The container id.
Example:
df5f83c5d5e5
Body of the specific event. It contains fields that are specific to a single event and are not shared among different event types.
Policy ID.
Example:
2
Rule name.
Example:
Terminal shell in container
Rule type.
Example:
6
Rule subtype.
Rule tags.
Examples:ViewOutput of the policy event.
Examples:ViewAttribute fields of the policy event.
content
Key value pairs of labels.
label
data
Status Code
The secure events feed.
The request is invalid.
Attempting to retrieve a secure events feed by using a filter that contains unsupported metrics.
The server encountered an unexpected condition that prevented it from fulfilling the request.
No Sample Response
Verify presence of old events
Verify if there are new/legacy events in the store.
GET /api/v1/secureEvents/hasEvents
Response
This is
true
if and only if there are no new events (i.e. events in the new indices) in the time range from 30 days ago to 29 days ago. This assumes that once the Secure Events feature is deployed, all the events are written in the new indices only; therefore, there are legacy events only if there are no events in the new indices for that time range.This is
true
if and only if there is at least a new event in the time range from 1 day ago to now.Example:
true
Status Code
Whether or not there are new/legacy events.
The server encountered an unexpected condition that prevented it from fulfilling the request.
No Sample Response
Retrieves the supported events feed scope filters
Retrieves the whitelist of supported secure events scope filters that can
be used inside the filter
parameter while retrieving the secure events
feed.
GET /api/v1/secureEvents/filters
Response
List of supported scope filters
- Examples:View
The supported scope filter key.
Type of the scope filter value.
Possible values: [
string
,number
,date
,ip
]
labelDescriptors
Status Code
The supported secure events scope filters.
The server encountered an unexpected condition that prevented it from fulfilling the request.
No Sample Response
Retrieves an event given its id
Retrieves an event with a given id.
GET /api/v1/secureEvents/{eventId}
Response
The event id.
Example:
15cbf54e34df95404caad1c988cf7c42
The cursor that can be used to fetch a set of events surrounding this same event. By providing this value as
cursor
in a GETsecureEvents
request, you will get the set of events surrounding this current event.Example:
LTltNGUybXIwdWkzZThhMjE1bjRn
Timestamp the event occured.
Example:
2020-04-21T16:08:08.845336507Z
The customer id.
Example:
1
Type of the event (i.e. policy, scanning etc.).
Example:
policy
Source of the event.
Example:
k8s_audit
The event category.
Possible values: [
runtime
,simulation
]Example:
runtime
The event name.
Example:
Launch Privileged Container
The event description.
Examples:ViewThe event severity.
Possible values: 0 ≤ value ≤ 7
Example:
4
The machine id (i.e. hostname).
Example:
02:37:22:86:ce:53
Capture action performed once the event happened.
Capture action type.
Possible values: [
capture
]Whether or not the action was completed successfully.
When
successful == false
, details on why the action failed.Token that can be related to later messages.
Example:
4f24c92e-48f5-45ab-84a5-c394f07e855e
Period of time to capture after event in nanoseconds.
Example:
18000000000
Period of time to capture before event in nanoseconds.
Example:
5000000000
undefined
actions
The agent id.
Example:
1
The container id.
Example:
df5f83c5d5e5
Body of the specific event. It contains fields that are specific to a single event and are not shared among different event types.
Policy ID.
Example:
2
Rule name.
Example:
Terminal shell in container
Rule type.
Example:
6
Rule subtype.
Rule tags.
Examples:ViewOutput of the policy event.
Examples:ViewAttribute fields of the policy event.
content
Key value pairs of labels.
label
Status Code
Event with the given id.
The event could not be found.
The server encountered an unexpected condition that prevented it from fulfilling the request.
No Sample Response
Retrieves the count of scanning and policy events.
Retrieves the count of events that match a filter
given a specified time range (from <= to
). Parameters from
and to
are required.
GET /api/vi/secureEvents/count
Request
Query Parameters
From, expressed in nanoseconds. The difference between
from
andto
cannot be greater than 2 weeks.Possible values: value ≥ 0
Example:
1546300800000000000
To, expressed in nanoseconds. The difference between
from
andto
cannot be greater than 2 weeks.Possible values: value ≥ 0
Example:
1546300800000000000
Query language expression for filtering results. It is a subset of the full metrics query language used in monitoring. Operators:
and
,or
andnot
logical operators (i.e.pid = 1 and ppid = 2
)=
,!=
,>
,>=
,<
and<=
comparison operators (i.e.pid = 1
)in
to check inclusion in a list of values (i.e.pid in (1, 2)
orclientipv4 in ("127.0.0.1", "192.168.0.1")
) This query language does not support the full set of metrics supported in the monitor query language, but instead supports a set of fields proper to each audit events type. The list of supported fields can be retrieved through theeventsFeedFilters
endpoint. In addition to those fields, also these fields are supported:severity
as numeric value in the[0, 7]
rangecategory
as string valueoriginator
as string value (eitherpolicy
orscanning
)name
as string valuefreeText
as string valuesource
as string valueagentId
as numeric valuecontainerId
as string valuemachineId
as string valueruleName
as string valueruleType
as numeric valueruleSubType
as numeric valuepolicyId
as numeric valuealertName
as string valuetrigger
as string valueimage.id
as string valueimage.registry
as string valueimage.repo
as string valueimage.tag
as string valueimage.digest
as string value
Example:
agent.id=1
Response
The count of events separatelly for each severity level.
Examples:View
scanningEvents
The count of events separatelly for each severity level.
Examples:View
policyEvents
The count of events separately for each severity level.
Examples:View
profilingDetectionEvents
Status Code
The scanning and secure events count by severity.
The query parameters are missing or invalid
The provided access token is invalid
No Sample Response
Retrieves top column value and counts of events by cluster, compliance, mitre, namespace, node, rule name, workload.
Retrieves the top column value and counts of policy events that match a filter
, specified time range (from
<= to
), and number of rows to return for all columns.
Parameters from
and to
are required.
GET /api/vi/secureEvents/topStats
Request
Query Parameters
From, expressed in nanoseconds. The difference between
from
andto
cannot be greater than 2 weeks.Possible values: value ≥ 0
Example:
1546300800000000000
To, expressed in nanoseconds. The difference between
from
andto
cannot be greater than 2 weeks.Possible values: value ≥ 0
Example:
1546300800000000000
Query language expression for filtering results. It is a subset of the full metrics query language used in monitoring. Operators:
and
,or
andnot
logical operators (i.e.pid = 1 and ppid = 2
)=
,!=
,>
,>=
,<
and<=
comparison operators (i.e.pid = 1
)in
to check inclusion in a list of values (i.e.pid in (1, 2)
orclientipv4 in ("127.0.0.1", "192.168.0.1")
) This query language does not support the full set of metrics supported in the monitor query language, but instead supports a set of fields proper to each audit events type. The list of supported fields can be retrieved through theeventsFeedFilters
endpoint. In addition to those fields, also these fields are supported:severity
as numeric value in the[0, 7]
rangecategory
as string valueoriginator
as string value (eitherpolicy
orscanning
)name
as string valuefreeText
as string valuesource
as string valueagentId
as numeric valuecontainerId
as string valuemachineId
as string valueruleName
as string valueruleType
as numeric valueruleSubType
as numeric valuepolicyId
as numeric valuealertName
as string valuetrigger
as string valueimage.id
as string valueimage.registry
as string valueimage.repo
as string valueimage.tag
as string valueimage.digest
as string value
Example:
agent.id=1
Describes how many rows of counts should be returned for each column category. Will be either 5 or 10.
Possible values: value ≥ 5
Default:
5
Example:
10
Response
Array of the count of events per compliance tag, sorted by count.
Examples:ViewString key value
Example:
NIST
Integer value representing count of events.
Example:
543
String label value that represents the field
Example:
kubernetes.deployment.name
container.image.repo
Array of the count of events per cluster, sorted by count.
Examples:ViewString key value
Example:
NIST
Integer value representing count of events.
Example:
543
String label value that represents the field
Example:
kubernetes.deployment.name
kubernetes.cluster.name
Array of the count of events per namespace, sorted by count.
Examples:ViewString key value
Example:
NIST
Integer value representing count of events.
Example:
543
String label value that represents the field
Example:
kubernetes.deployment.name
kubernetes.namespace.name
Array of the count of nodes, sorted by count.
Examples:ViewString key value
Example:
NIST
Integer value representing count of events.
Example:
543
String label value that represents the field
Example:
kubernetes.deployment.name
kubernetes.node.name
Array of the count of events per mitre sub-tag, sorted by count.
Examples:ViewString key value
Example:
NIST
Integer value representing count of events.
Example:
543
String label value that represents the field
Example:
kubernetes.deployment.name
mitre
Array of the count of events per rule name, sorted by count.
Examples:ViewString key value
Example:
NIST
Integer value representing count of events.
Example:
543
String label value that represents the field
Example:
kubernetes.deployment.name
ruleName
Array of the count of workloads per workload type and name, sorted by count.
Examples:ViewString key value
Example:
NIST
Integer value representing count of events.
Example:
543
String label value that represents the field
Example:
kubernetes.deployment.name
workload
Status Code
The count stats of policy events for all columns.
The query parameters are missing or invalid
The provided access token is invalid
No Sample Response
Retrieves timeseries counts of events by severity or user.
Retrieves the top column value and counts of policy events that match a filter
, specified time range (from
<= to
), and number of rows to return for all columns.
Parameters from
, to
, and metric
are required.
GET /api/vi/secureEvents/timeSeries
Request
Query Parameters
The metric to query timeseries for. Valid values are either
user
orseverity
.Example:
severity
From, expressed in nanoseconds. The difference between
from
andto
cannot be greater than 2 weeks.Possible values: value ≥ 0
Example:
1546300800000000000
To, expressed in nanoseconds. The difference between
from
andto
cannot be greater than 2 weeks.Possible values: value ≥ 0
Example:
1546300800000000000
Query language expression for filtering results. It is a subset of the full metrics query language used in monitoring. Operators:
and
,or
andnot
logical operators (i.e.pid = 1 and ppid = 2
)=
,!=
,>
,>=
,<
and<=
comparison operators (i.e.pid = 1
)in
to check inclusion in a list of values (i.e.pid in (1, 2)
orclientipv4 in ("127.0.0.1", "192.168.0.1")
) This query language does not support the full set of metrics supported in the monitor query language, but instead supports a set of fields proper to each audit events type. The list of supported fields can be retrieved through theeventsFeedFilters
endpoint. In addition to those fields, also these fields are supported:severity
as numeric value in the[0, 7]
rangecategory
as string valueoriginator
as string value (eitherpolicy
orscanning
)name
as string valuefreeText
as string valuesource
as string valueagentId
as numeric valuecontainerId
as string valuemachineId
as string valueruleName
as string valueruleType
as numeric valueruleSubType
as numeric valuepolicyId
as numeric valuealertName
as string valuetrigger
as string valueimage.id
as string valueimage.registry
as string valueimage.repo
as string valueimage.tag
as string valueimage.digest
as string value
Example:
agent.id=1
Describes how many rows of counts should be returned for each column category. Will be either 5 or 10.
Possible values: value ≥ 5
Default:
5
Example:
10
Response
This is the distance between points from and to in values expressed in nanoseconds.
Example:
600000000000
Array of the count of events per severity and segmented.
Examples:ViewString key value
Example:
Cloud Trail
Array of the counts of events, segmented into buckets.
Examples:View
severity
Array of the count of events per user and segmented.
Examples:ViewString key value
Example:
Cloud Trail
Array of the counts of events, segmented into buckets.
Examples:View
user
data
Status Code
The time series stats of runtime policy events for the specified columns.
The query parameters are missing or invalid
The provided access token is invalid
No Sample Response
Retrieve a summary of the audit events
Retrieves a summary of the audit events in a time range grouped by a series of metrics.
GET /api/v2/activityAudit/summary
Request
Query Parameters
From, expressed in nanoseconds.
Example:
1546300800000000000
To, expressed in nanoseconds.
Example:
1546300800000000000
Metrics query language expression for filtering results based on the scope. In order the events to be filtered by this attributes, this attributes should be present on the labels field of the event. If the attributes are not present, it will not be possible to filter the event.
This are the supported scope filters where applicable are:
agent.tag.*
container.image.id
container.image.repo
container.image.tag
container.image.digest
container.label.io.kubernetes.container.name
container.label.io.kubernetes.pod.name
container.label.io.kubernetes.pod.namespace
container.label.maintainer
container.name
host.hostName
host.mac
kubernetes.workload.name
kubernetes.workload.type
kubernetes.cluster.name
kubernetes.cronJob.name
kubernetes.daemonSet.name
kubernetes.deployment.name
kubernetes.job.name
kubernetes.namespace.label.field.cattle.io/projectId
kubernetes.namespace.label.project
kubernetes.namespace.name
kubernetes.node.name
kubernetes.pod.name
kubernetes.replicaSet.name
kubernetes.service.name
kubernetes.statefulSet.name
aws.region
aws.fargate.task.arn
aws.fargate.cluster.arn
aws.availabilityZone
aws.accountId
aws.user
gcp.user
gcp.projectId
Example:
host.hostName="ip-127-0-0-1"
Query language expression for filtering results. It is a subset of the full metrics query language used in monitoring.
Operators:
and
,or
andnot
logical operators (i.e.pid = 1 and ppid = 2
)=
,!=
,>
,>=
,<
and<=
comparison operators (i.e.pid = 1
)in
to check inclusion in a list of values (i.e.pid in (1, 2)
orclientipv4 in ("127.0.0.1", "192.168.0.1")
)
This query language does not support the full set of metrics supported in the monitor query language, but instead supports a set of fields proper to each audit events type.
These are the supported fields:
id
agentid
clientipv4
clientport
cmdline
comm
command
container
containerid
container.id
count
cwd
direction
directory
errorcode
filename
groups
l4protocol
loginshelldistance
loginshellid
name
namespace
permissions
pid
ppid
processname
resource
rxtimestamp
serveripv4
serverport
sourceaddresses
stages
subresource
timestamp
tty
uid
user
useragent
anomaly
Example:
pid=1
The event types to filter. A comma separated list of one or more of the following supported values:
- kubernetes
- commands
- connections
- fileaccesses
Example:
commands,connections
Whether or not to segment the results with a distance between points depending on the distance between
from
andto
.Default:
false
Response
If segmented data has been requested, the distance between points in values expressed in nanoseconds.
Series of tuples containing timestamp and values for a specific point in time for the metric. Only present if there are elements matching the metric.
Series of tuples containing timestamp and values for a specific point in time for the metric. Only present if there are elements matching the metric.
Series of tuples containing timestamp and values for a specific point in time for the metric. Only present if there are elements matching the metric.
Series of tuples containing timestamp and values for a specific point in time for the metric. Only present if there are elements matching the metric.
values
Status Code
The summary of audit events.
The request is invalid.
[ { "values": { "command": [ [ 1569065400000000000, 36 ], [ 1569065460000000000, 36 ], [ 1569065520000000000, 36 ], [ 1569065580000000000, 36 ] ], "connection": [ [ 1569065400000000000, 36 ], [ 1569065460000000000, 36 ], [ 1569065520000000000, 36 ], [ 1569065580000000000, 36 ] ], "fileaccess": [ [ 1569065400000000000, 36 ], [ 1569065460000000000, 36 ], [ 1569065520000000000, 36 ], [ 1569065580000000000, 36 ] ], "kubernetes": [ [ 1569065400000000000, 36 ], [ 1569065460000000000, 36 ], [ 1569065520000000000, 36 ], [ 1569065580000000000, 36 ] ] }, "step": 60000000000 } ]
Retrieves a list of audit events
Retrieves a list of audit events in a time range filters.
The pair from
and to
and the cursor
parameter are mutually
exclusive. If you supply a from
and to
you must not supply a
cursor
and vice-versa.
GET /api/v2/activityAudit/events
Request
Query Parameters
From, expressed in nanoseconds.
Example:
1546300800000000000
To, expressed in nanoseconds.
Example:
1546300800000000000
Cursor is a string used to retrieve data given a specific context. The context can either be audit events before a certain event, after it or its surrounding.
Example:
LTltNGUybXIwdWkzZThhMjE1bjRn
Limit the number of results to return.
Possible values: 1 ≤ value ≤ 9999
Default:
100
Example:
100
Metrics query language expression for filtering results based on the scope. In order the events to be filtered by this attributes, this attributes should be present on the labels field of the event. If the attributes are not present, it will not be possible to filter the event.
This are the supported scope filters where applicable are:
agent.tag.*
container.image.id
container.image.repo
container.image.tag
container.image.digest
container.label.io.kubernetes.container.name
container.label.io.kubernetes.pod.name
container.label.io.kubernetes.pod.namespace
container.label.maintainer
container.name
host.hostName
host.mac
kubernetes.workload.name
kubernetes.workload.type
kubernetes.cluster.name
kubernetes.cronJob.name
kubernetes.daemonSet.name
kubernetes.deployment.name
kubernetes.job.name
kubernetes.namespace.label.field.cattle.io/projectId
kubernetes.namespace.label.project
kubernetes.namespace.name
kubernetes.node.name
kubernetes.pod.name
kubernetes.replicaSet.name
kubernetes.service.name
kubernetes.statefulSet.name
aws.region
aws.fargate.task.arn
aws.fargate.cluster.arn
aws.availabilityZone
aws.accountId
aws.user
gcp.user
gcp.projectId
Example:
host.hostName="ip-127-0-0-1"
Query language expression for filtering results. It is a subset of the full metrics query language used in monitoring.
Operators:
and
,or
andnot
logical operators (i.e.pid = 1 and ppid = 2
)=
,!=
,>
,>=
,<
and<=
comparison operators (i.e.pid = 1
)in
to check inclusion in a list of values (i.e.pid in (1, 2)
orclientipv4 in ("127.0.0.1", "192.168.0.1")
)
This query language does not support the full set of metrics supported in the monitor query language, but instead supports a set of fields proper to each audit events type.
These are the supported fields:
id
agentid
clientipv4
clientport
cmdline
comm
command
container
containerid
container.id
count
cwd
direction
directory
errorcode
filename
groups
l4protocol
loginshelldistance
loginshellid
name
namespace
permissions
pid
ppid
processname
resource
rxtimestamp
serveripv4
serverport
sourceaddresses
stages
subresource
timestamp
tty
uid
user
useragent
anomaly
Example:
pid=1
The event types to filter. A comma separated list of one or more of the following supported values:
- kubernetes
- commands
- connections
- fileaccesses
Example:
commands,connections
Response
The number of events that match the provided filter. If the cursor is used, this field is omitted.
Example:
10
The number of audit events returned. This number is always less or equal the limit specified in the request. This field is always present if any result is returned.
Example:
10
The continuation token used to fetch a set of audit events before the current one.
Example:
LTltNGUybXIwdWkzZThhMjE1bjRn
The continuation token used to fetch a set of audit events after the current one.
Example:
KzltNGUybXIwdWkzZThhMjE1bjRn
page
Represents a command execution.
The audit event id.
Example:
15cbf54e34df95404caad1c988cf7c42
The customer id.
Example:
1
The agent id.
Example:
1
Timestamp the audit event occured, expressed in nanoseconds.
Example:
1546300800000000000
Timestamp the command was received, expressed in nanoseconds.
Example:
1546300800000000000
Possible values: [
command
,connection
,fileaccess
,kubernetes
]Count of commands.
command
is ever greater than1
only when commands are grouped together.Example:
1
Full command line
Example:
pg_isready --host 10.32.0.8
The name of the command.
Example:
pg_isready
The name of the parent command.
Example:
sshd
Process ID.
Example:
31135
Parent process ID.
Example:
31132
User ID
Process id of the shell.
Level of nesting from the parent shell.
TTY number.
If command can be traced.
List of metrics associated to the audit event.
Examples:ViewThe container id.
containerId
is present only if the audit event was collected in a container context.Example:
f8d4f71ab80b
Command working directory.
Example:
/
The Kubernetes hostname.
Example:
ip-127-0-0-1
Key value pairs of labels.
labels
undefined
data
Status Code
The list of audit events.
The request is invalid.
No Sample Response
Retrieves an audit event given its type and id
Retrieves an audit event of a specified type with a given id.
GET /api/v2/activityAudit/events/{type}/{eventId}
Request
Path Parameters
The event type.
Allowable values: [
commands
,connections
,fileaccesses
,kubernetes
]Example:
command
The audit event id.
Example:
15cbf54e34df95404caad1c988cf7c42
Query Parameters
JSON list of metrics used to enrich results. If no
metrics
is passed the audit events returned will not have ametrics
field populated. The metrics attributes are directly fetched from the metadata service, so please refer to it for the full list of supported metrics.Example:
["host.hostName","container.id"]
Response
Represents a command execution.
The audit event id.
Example:
15cbf54e34df95404caad1c988cf7c42
The customer id.
Example:
1
The agent id.
Example:
1
Timestamp the audit event occured, expressed in nanoseconds.
Example:
1546300800000000000
Timestamp the command was received, expressed in nanoseconds.
Example:
1546300800000000000
Possible values: [
command
,connection
,fileaccess
,kubernetes
]Count of commands.
command
is ever greater than1
only when commands are grouped together.Example:
1
Full command line
Example:
pg_isready --host 10.32.0.8
The name of the command.
Example:
pg_isready
The name of the parent command.
Example:
sshd
Process ID.
Example:
31135
Parent process ID.
Example:
31132
User ID
Process id of the shell.
Level of nesting from the parent shell.
TTY number.
If command can be traced.
List of metrics associated to the audit event.
Examples:ViewThe container id.
containerId
is present only if the audit event was collected in a container context.Example:
f8d4f71ab80b
Command working directory.
Example:
/
The Kubernetes hostname.
Example:
ip-127-0-0-1
Key value pairs of labels.
labels
Status Code
Audit event with the given type and id.
The event could not be found.
No Sample Response
Retrieves the trace of an audit event
Retrieves a trace of all the audit events related to the traceable event in case it is a long running task. The audit events returned are all the commands, connections etc collected during the duration of the traceable event. If the event has not completed yet, the time range considered is up until the current time.
GET /api/v2/activityAudit/events/{type}/{eventId}/trace
Request
Path Parameters
The event type.
Allowable values: [
commands
,connections
,fileaccesses
,kubernetes
]Example:
command
The audit event id.
Example:
15cbf54e34df95404caad1c988cf7c42
Query Parameters
Limit the number of results to return.
Possible values: 1 ≤ value ≤ 9999
Default:
100
Example:
100
Response
The number of events that match the provided filter. If the cursor is used, this field is omitted.
Example:
10
The number of audit events returned. This number is always less or equal the limit specified in the request. This field is always present if any result is returned.
Example:
10
The continuation token used to fetch a set of audit events before the current one.
Example:
LTltNGUybXIwdWkzZThhMjE1bjRn
The continuation token used to fetch a set of audit events after the current one.
Example:
KzltNGUybXIwdWkzZThhMjE1bjRn
page
Represents a command execution.
The audit event id.
Example:
15cbf54e34df95404caad1c988cf7c42
The customer id.
Example:
1
The agent id.
Example:
1
Timestamp the audit event occured, expressed in nanoseconds.
Example:
1546300800000000000
Timestamp the command was received, expressed in nanoseconds.
Example:
1546300800000000000
Possible values: [
command
,connection
,fileaccess
,kubernetes
]Count of commands.
command
is ever greater than1
only when commands are grouped together.Example:
1
Full command line
Example:
pg_isready --host 10.32.0.8
The name of the command.
Example:
pg_isready
The name of the parent command.
Example:
sshd
Process ID.
Example:
31135
Parent process ID.
Example:
31132
User ID
Process id of the shell.
Level of nesting from the parent shell.
TTY number.
If command can be traced.
List of metrics associated to the audit event.
Examples:ViewThe container id.
containerId
is present only if the audit event was collected in a container context.Example:
f8d4f71ab80b
Command working directory.
Example:
/
The Kubernetes hostname.
Example:
ip-127-0-0-1
Key value pairs of labels.
labels
undefined
data
Status Code
All the events associated with this traceable event.
The request is invalid.
The event could not be found.
The audit event requested does not support tracing.
No Sample Response
Retrieve a list of integrations for the customer.
Retrieves a list of forwarding integrations for the customer making the request.
GET /api/v1/eventsForwarding/integrations
Response
Represents a command execution.
The integration type.
Possible values: [
SYSLOG
,SPLUNK
,MCM
,QRADAR
]The channels for which the integration must forward data from.
Possible values: [
POLICY_EVENTS
]Possible values: [
tcp
,udp
,tls
]Possible values: [
RFC_3164
,RFC_5424
,RFC_5425
]Possible values: [
JSON
,LEEF
,CEF
]
connectionInfo
Status Code
The list of integrations.
The request is invalid.
No Sample Response
Create an integration for the customer.
Creates a forwarding integration for the customer.
POST /api/v1/eventsForwarding/integrations
Request
The content of the integration to create.
The integration type.
Allowable values: [
SYSLOG
,SPLUNK
,MCM
,QRADAR
]The channels for which the integration must forward data from.
Allowable values: [
POLICY_EVENTS
]Allowable values: [
tcp
,udp
,tls
]Allowable values: [
RFC_3164
,RFC_5424
,RFC_5425
]Allowable values: [
JSON
,LEEF
,CEF
]
connectionInfo
Default:
false
Retrieve an integration given its id.
Retrieves a forwarding rule given its id.
GET /api/v1/eventsForwarding/integrations/{integrationId}
Response
Represents a command execution.
The integration type.
Possible values: [
SYSLOG
,SPLUNK
,MCM
,QRADAR
]The channels for which the integration must forward data from.
Possible values: [
POLICY_EVENTS
]Possible values: [
tcp
,udp
,tls
]Possible values: [
RFC_3164
,RFC_5424
,RFC_5425
]Possible values: [
JSON
,LEEF
,CEF
]
connectionInfo
Status Code
The forwarding integration with a given id.
The integration could not be found.
{ "id": 1, "name": "Forward to Syslog", "customerId": 1, "type": "syslog", "enabled": true, "channels": [ "POLICY_EVENTS" ], "connectionInfo": { "ServiceURL": "syslog-address", "ServicePort": 514 } }
Update an integration given its id.
Updates an integration given its id. The PATCH
payload can be any
combination of the following fields having the value to change.
None of the connectionInfo
fields are required for patching.
PATCH /api/v1/eventsForwarding/integrations/{integrationId}
Request
Path Parameters
The forwarding integration id.
Example:
1
The content of the integration to update.
Change the name of the integration.
Enable/disable the integration.
The channels for which the integration must forward data from.
Allowable values: [
POLICY_EVENTS
]Allowable values: [
tcp
,udp
,tls
]Allowable values: [
RFC_3164
,RFC_5424
,RFC_5425
]Allowable values: [
JSON
,LEEF
,CEF
]
connectionInfo
Get info about profile groups for a customer
This endpoint returns the profile groups for a customer
GET /api/v1/profiling/profileGroups
Response
Identifier of this profile group.
Specify whether the profile engine aggregates data at the container or host level.
Possible values: [
AT_HOSTS
,AT_CONTAINERS
]List of metrics used to identify the entity to be profiles (e.g. ["container.image"].
List of metrics used to identify a sub-entity inside an entity (e.g. ["container.id"].
Number of profiles computed within the profileGroup.
Status Code
An array of profile groups for a customer
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401
No Sample Response
Get info about a profile group with a specific id for a customer
This endpoint returns the profile group given a id for a customer
GET /api/v1/profiling/profileGroups/{profileGroupId}
Response
Identifier of this profile group.
Specify whether the profile engine aggregates data at the container or host level.
Possible values: [
AT_HOSTS
,AT_CONTAINERS
]List of metrics used to identify the entity to be profiles (e.g. ["container.image"].
List of metrics used to identify a sub-entity inside an entity (e.g. ["container.id"].
Number of profiles computed within the profileGroup.
Status Code
The profile group for the given profileGroupId
Indicates a parameter, header or another quality of the request was malformed. More information about 400 can be found at https://httpstatuses.com/400
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401
No Sample Response
Get all profiles for a given profileGroupId
This endpoint returns the profiles for a given profileGroupId
GET /api/v1/profiling/profileGroups/{profileGroupId}/profiles
Request
Path Parameters
The id of the profile group
Query Parameters
If specified, only profiles with a confidence score at least this amount will be retrieved. Defaults to
0
A comma-separated list of statuses. If specified, only profiles with these statuses will be retrieved. Defaults to
['FINALIZED','LEARNING']
Allowable values: [
FINALIZED
,LEARNING
]If specified, filter to only include profiles where the profile name or image name (registry/repository:tag@hash) contains this string. Defaults to empty string
Field used to sort. Defaults to
score
. Profiles withstatus:'FINALIZED'
will always appear abovestatus:'LEARNING'
, for all values ofsortBy
exceptsortBy:'status', sortMethod:'asc'
.Allowable values: [
score
,profileName
,status
,createdOn
]If specified, a limit on the number of entries retrieved. If any filters are also specified, the limit will be applied on the filtered list.
limit
must be >=1
and if it overflows the list all entries will be retrieved. Defaults to length of listIf specified, a 0-based index on the profiles list. Only entries >=
offset
will be retrieved. Defaults to0
. If any filters are also specified, this index will be applied on the filtered list. An empty list will be retrieved if this index overflows the list.Sorting method. Defaults to
desc
.Allowable values: [
desc
,asc
]
Response
The start offset used
The limit used. 0 for no limit.
True if more results can be fetched.
The profiles retrieved
UUID of the profile, based on a SHA of (imageId + profileVersion).
Name of the profile, which includes registry/repository:tag@hash.
Version of the profile, incremented when the model is updated.
UUID of the image, based on a SHA256 of the image content.
Name of the image, as registry/repository:tag.
Value from 0 to 1000 representing the score of the category or subcategory.
Status of the model (learning or finalized).
Possible values: [
LEARNING
,FINALIZED
]Identifier of the profile group.
A category has at least one subcategory. Each subcategory refers to one rule and has its own score and status.
Example:
The category `fileSystemProposal` will have an `items` array with subcategories such as "files rw" which refers to a single rule.
Short description of the subcategory.
Example:
files rw
Name of the rule object.
Example:
Unexpected spawned process postgres in image a1b2c3d4e5f6
Indicates the rule type
Possible values: [
PROCESS
,CONTAINER
,FILESYSTEM
,NETWORK
,SYSCALL
,FALCO
]Example:
FALCO
Value from 0 to 1000 representing the score of the category or subcategory.
subcategories
Value from 0 to 1000 representing the score of the category or subcategory.
processesProposal
A category has at least one subcategory. Each subcategory refers to one rule and has its own score and status.
Example:
The category `fileSystemProposal` will have an `items` array with subcategories such as "files rw" which refers to a single rule.
Short description of the subcategory.
Example:
files rw
Name of the rule object.
Example:
Unexpected spawned process postgres in image a1b2c3d4e5f6
Indicates the rule type
Possible values: [
PROCESS
,CONTAINER
,FILESYSTEM
,NETWORK
,SYSCALL
,FALCO
]Example:
FALCO
Value from 0 to 1000 representing the score of the category or subcategory.
subcategories
Value from 0 to 1000 representing the score of the category or subcategory.
fileSystemProposal
A category has at least one subcategory. Each subcategory refers to one rule and has its own score and status.
Example:
The category `fileSystemProposal` will have an `items` array with subcategories such as "files rw" which refers to a single rule.
Short description of the subcategory.
Example:
files rw
Name of the rule object.
Example:
Unexpected spawned process postgres in image a1b2c3d4e5f6
Indicates the rule type
Possible values: [
PROCESS
,CONTAINER
,FILESYSTEM
,NETWORK
,SYSCALL
,FALCO
]Example:
FALCO
Value from 0 to 1000 representing the score of the category or subcategory.
subcategories
Value from 0 to 1000 representing the score of the category or subcategory.
syscallProposal
A category has at least one subcategory. Each subcategory refers to one rule and has its own score and status.
Example:
The category `fileSystemProposal` will have an `items` array with subcategories such as "files rw" which refers to a single rule.
Short description of the subcategory.
Example:
files rw
Name of the rule object.
Example:
Unexpected spawned process postgres in image a1b2c3d4e5f6
Indicates the rule type
Possible values: [
PROCESS
,CONTAINER
,FILESYSTEM
,NETWORK
,SYSCALL
,FALCO
]Example:
FALCO
Value from 0 to 1000 representing the score of the category or subcategory.
subcategories
Value from 0 to 1000 representing the score of the category or subcategory.
networkProposal
A category has at least one subcategory. Each subcategory refers to one rule and has its own score and status.
Example:
The category `fileSystemProposal` will have an `items` array with subcategories such as "files rw" which refers to a single rule.
Short description of the subcategory.
Example:
files rw
Name of the rule object.
Example:
Unexpected spawned process postgres in image a1b2c3d4e5f6
Indicates the rule type
Possible values: [
PROCESS
,CONTAINER
,FILESYSTEM
,NETWORK
,SYSCALL
,FALCO
]Example:
FALCO
Value from 0 to 1000 representing the score of the category or subcategory.
subcategories
Value from 0 to 1000 representing the score of the category or subcategory.
containerImagesProposal
profiles
Status Code
The profiles for a given profileGroupId
Indicates a parameter, header or another quality of the request was malformed. More information about 400 can be found at https://httpstatuses.com/400
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401
No Sample Response
Get profile matching given profileId
This endpoint returns the profile matching a given profileId
GET /api/v1/profiling/profiles/{profileId}
Response
Identifier of the related profile group.
UUID of this profile.
Name of the profile inside the profileGroup.
Values for the ProfileGroup.aggregationKeys.
keep track of the life of an entity
profileLifeTracker
A short name for the policy
Example:
Check filesystem activity
Description of policy
Example:
Monitor all filesystem operations and look for suspicious or notable behavior
How severe is this policy when violated. Range from 0 to 7 included.
Example:
4
True if the policy should be considered
Example:
true
Where the policy is being applied- Container, Host etc..
Example:
container.image.repository = sysdig/agent
Array of rule names. (They must be names instead of ids, as the rules list view is by name, to account for multiple rules having the same name).
Examples:ViewFunctional behavior that can be enabled within a policy and should be performed if the condition of a policy is met. Certain actions may only make sense for policies of a particular type.
Possible values: [
POLICY_ACTION_CAPTURE
]specifies the subset to match
Example:
proc.name=cat or proc.name=vi
period of time to capture before event in nanoseconds
period of time to capture after event in nanoseconds
the name of the file in which the capture will be saved
specifies which strategy will be taken to store the capture
Possible values: [
LOCAL
,S3
,AGENT
,PROVIDED
,CASSANDRA
]identifies an s3 compliant bucket
the name of an s3 folder (enables the user to specify a bucket that is not in the default bucket root folder '/')
specifies the id of a row in the file_storage table that corresponds to a FileStorageDetails.java object
undefined
actions
A name for a non overlapping subset of policies that share common characteristics. The enums falco and list_matching correspond to the FalcoSource enum syscall, k8s_audit corresponds to k8s_audit, and the others will map to a future enum value once OSS Falco decides a name
Possible values: [
falco
,list_matching
,k8s_audit
,aws_cloudtrail
,gcp_auditlog
,azure_platformlogs
]Unique identifier representing a specific policy.
Example:
1
Version of the object. Incremented on each update and used for optimistic locking
Example:
18
A timestamp (in milliseconds) of when the rules object was first created.
Example:
1553702727177
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
A string naming the entity that created this rule. This, combined with the version identifier, corresponds to the "Published by" field in the UI. The origin should be "Secure UI" for objects created by the Secure UI, "Sysdig" for objects provided by Sysdig, and "Customer" for objects provided programmatically by the customer.
Possible values: [
Secure UI
,Sysdig
,Customer
,Profiling
,K8s Policy Advisor
]Example:
Secure UI
A string representing the version of the file that contained this rule. This, combined with the origin, corresponds to the "Published by" field in the UI. For rules with origin == Sysdig/Customer, the version identifier should come from the version property of the FalcoRulesFiles object that originally contained the rule. For rules with origin == Secure UI, the version should be a constant string "current".
Example:
v1.2.3
UUID of the profile, based on a SHA of (imageId + profileVersion).
Name of the profile, which includes registry/repository:tag@hash.
Version of the profile, incremented when the model is updated.
UUID of the image, based on a SHA256 of the image content.
Name of the image, as registry/repository:tag.
profile
proposedPolicy
Array of rules referred to by the proposed policy in
proposedPolicy
, that have not yet been created. Each of theruleNames
inproposedPolicy
must refer to a rule'sname
of either a proposed rule in this array or a rule that already exists.A unique identifier representing a specific rule
Example:
1
A name for this object. For Falco rules/macros/lists, should exactly be the value of the "rule"/"macro"/"list" property of the yaml object.
Example:
Write Below Binary Dir
A string naming the entity that created this rule. This, combined with the version identifier, corresponds to the "Published by" field in the UI. The origin should be "Secure UI" for objects created by the Secure UI, "Sysdig" for objects provided by Sysdig, and "Customer" for objects provided programmatically by the customer.
Possible values: [
Secure UI
,Sysdig
,Customer
,Profiling
,K8s Policy Advisor
]Example:
Secure UI
A string representing the version of the file that contained this rule. This, combined with the origin, corresponds to the "Published by" field in the UI. For rules with origin == Sysdig/Customer, the version identifier should come from the version property of the FalcoRulesFiles object that originally contained the rule. For rules with origin == Secure UI, the version should be a constant string "current".
Example:
v1.2.3
Name of the file in which the rule is defined. For Default Falco rules, this should come from the name property of the FalcoRulesFile object that contained this rule. For other falco rules, the filename should be "falco_rules.local.yaml". For non-falco rules, the filename should be "fast_rules.local.yaml".
Example:
falco_rules.local.yaml
The version is incremented when the update is successful.
Example:
5
A timestamp (in milliseconds) of when the rules object was first created.
Example:
1553702727177
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
The set of tags
Examples:ViewA description of this rule. No newlines/formatting.
Example:
an attempt to write to any file below a set of binary directories
Indicates the rule type
Possible values: [
PROCESS
,CONTAINER
,FILESYSTEM
,NETWORK
,SYSCALL
,FALCO
]Example:
FALCO
the full condition text exactly as represented in the yaml file
Example:
evt.type in (open, openat) and bin_dir and fd.name in (monitored_directories)
an array containing the broken-up components of this falco rule's condition field
An opaque hunk of condition text. May contain a mix of fields, relational operators, etc. Basically anything between Macro/List references.
Example:
evt.type in (open, openat) and
undefined
components
condition
A string describing the output string to generate when this rule matches an event. Should exactly match the output property of the rule's output field
Example:
File below a known binary directory opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)
A string describing the falco rule's priority. This is only included so the resulting rule can be converted back to yaml easily. For the purposes of policy events, the policy's severity should be used instead of this value.
Possible values: [
emergency
,alert
,critical
,error
,warning
,notice
,informational
,debug
]Example:
error
If true, this object should be appended to an object with the same name that has already been loaded. Defaults to false if not present.
Possible values: [
true
,false
]Example:
true
An event source through which Falco rules are evaluated. The enum syscall corresponds to the policy types falco and list_matching. The enum k8s_audit corresponds to the policy type k8s_audit
Possible values: [
syscall
,k8s_audit
,aws_cloudtrail
,gcp_auditlog
,azure_platformlogs
]
details
proposedRules
Status Code
The profile for a given profileId
Indicates a parameter, header or another quality of the request was malformed. More information about 400 can be found at https://httpstatuses.com/400
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401
The requested resource was not found. More information about 404 can be found at https://httpstatuses.com/404
Generic error from API
No Sample Response
Reset a profile given the profileId
This endpoint can be used to reset a profile given a profileId
POST /api/v1/profiling/profiles/{profileId}/actions/reset
Response
Profile reset action response
Status Code
The ActionsProfileResponse containing time when profile was reset
Indicates a parameter, header or another quality of the request was malformed. More information about 400 can be found at https://httpstatuses.com/400
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401
Generic error from API
No Sample Response
Remove a profile given the profileId
This endpoint can be used to remove a profile given a profileId
POST /api/v1/profiling/profiles/{profileId}/actions/remove
Response
Profile reset action response
Status Code
The ActionsProfileResponse containing time when profile was removed
Indicates a parameter, header or another quality of the request was malformed. More information about 400 can be found at https://httpstatuses.com/400
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401
Generic error from API
No Sample Response
Request
Path Parameters
If true, this object should be appended to an object with the same name that has already been loaded. Defaults to false if not present.
Allowable values: [
true
,false
]
Response
A unique identifier representing a specific rule
Example:
1
A name for this object. For Falco rules/macros/lists, should exactly be the value of the "rule"/"macro"/"list" property of the yaml object.
Example:
Write Below Binary Dir
A string naming the entity that created this rule. This, combined with the version identifier, corresponds to the "Published by" field in the UI. The origin should be "Secure UI" for objects created by the Secure UI, "Sysdig" for objects provided by Sysdig, and "Customer" for objects provided programmatically by the customer.
Possible values: [
Secure UI
,Sysdig
,Customer
,Profiling
,K8s Policy Advisor
,Compliance
,Tuner
]Example:
Secure UI
A string representing the version of the file that contained this rule. This, combined with the origin, corresponds to the "Published by" field in the UI. For rules with origin == Sysdig/Customer, the version identifier should come from the version property of the FalcoRulesFiles object that originally contained the rule. For rules with origin == Secure UI, the version should be a constant string "current".
Example:
v1.2.3
The name of a Falco rules file
Example:
falco_rules_local.yaml
The version is incremented when the update is successful.
Example:
5
A timestamp (in milliseconds) of when the rules object was first created.
Example:
1553702727177
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
the array of items as represented in the yaml List
Examples:Viewan array containing the broken-up components of this falco list's items field
Any sort of text that might make sense to put in a list
Example:
item 1
undefined
components
items
If true, this object should be appended to an object with the same name that has already been loaded. Defaults to false if not present.
Possible values: [
true
,false
]Example:
true
Status Code
The saved falco list
The provided falco list is not valid
No Sample Response
Request
A unique identifier representing a specific rule
Example:
1
A name for this object. For Falco rules/macros/lists, should exactly be the value of the "rule"/"macro"/"list" property of the yaml object.
Example:
Write Below Binary Dir
A string naming the entity that created this rule. This, combined with the version identifier, corresponds to the "Published by" field in the UI. The origin should be "Secure UI" for objects created by the Secure UI, "Sysdig" for objects provided by Sysdig, and "Customer" for objects provided programmatically by the customer.
Allowable values: [
Secure UI
,Sysdig
,Customer
,Profiling
,K8s Policy Advisor
,Compliance
,Tuner
]Example:
Secure UI
A string representing the version of the file that contained this rule. This, combined with the origin, corresponds to the "Published by" field in the UI. For rules with origin == Sysdig/Customer, the version identifier should come from the version property of the FalcoRulesFiles object that originally contained the rule. For rules with origin == Secure UI, the version should be a constant string "current".
Example:
v1.2.3
The name of a Falco rules file
Example:
falco_rules_local.yaml
The version is incremented when the update is successful.
Example:
5
A timestamp (in milliseconds) of when the rules object was first created.
Example:
1553702727177
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
the array of items as represented in the yaml List
Examples:Viewan array containing the broken-up components of this falco list's items field
Any sort of text that might make sense to put in a list
Example:
item 1
undefined
components
items
If true, this object should be appended to an object with the same name that has already been loaded. Defaults to false if not present.
Allowable values: [
true
,false
]Example:
true
Response
A unique identifier representing a specific rule
Example:
1
A name for this object. For Falco rules/macros/lists, should exactly be the value of the "rule"/"macro"/"list" property of the yaml object.
Example:
Write Below Binary Dir
A string naming the entity that created this rule. This, combined with the version identifier, corresponds to the "Published by" field in the UI. The origin should be "Secure UI" for objects created by the Secure UI, "Sysdig" for objects provided by Sysdig, and "Customer" for objects provided programmatically by the customer.
Possible values: [
Secure UI
,Sysdig
,Customer
,Profiling
,K8s Policy Advisor
,Compliance
,Tuner
]Example:
Secure UI
A string representing the version of the file that contained this rule. This, combined with the origin, corresponds to the "Published by" field in the UI. For rules with origin == Sysdig/Customer, the version identifier should come from the version property of the FalcoRulesFiles object that originally contained the rule. For rules with origin == Secure UI, the version should be a constant string "current".
Example:
v1.2.3
The name of a Falco rules file
Example:
falco_rules_local.yaml
The version is incremented when the update is successful.
Example:
5
A timestamp (in milliseconds) of when the rules object was first created.
Example:
1553702727177
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
the array of items as represented in the yaml List
Examples:Viewan array containing the broken-up components of this falco list's items field
Any sort of text that might make sense to put in a list
Example:
item 1
undefined
components
items
If true, this object should be appended to an object with the same name that has already been loaded. Defaults to false if not present.
Possible values: [
true
,false
]Example:
true
Status Code
The saved falco list
The provided falco list is not valid
No Sample Response
Response
A unique identifier representing a specific rule
Example:
1
A name for this object. For Falco rules/macros/lists, should exactly be the value of the "rule"/"macro"/"list" property of the yaml object.
Example:
Write Below Binary Dir
A string naming the entity that created this rule. This, combined with the version identifier, corresponds to the "Published by" field in the UI. The origin should be "Secure UI" for objects created by the Secure UI, "Sysdig" for objects provided by Sysdig, and "Customer" for objects provided programmatically by the customer.
Possible values: [
Secure UI
,Sysdig
,Customer
,Profiling
,K8s Policy Advisor
,Compliance
,Tuner
]Example:
Secure UI
A string representing the version of the file that contained this rule. This, combined with the origin, corresponds to the "Published by" field in the UI. For rules with origin == Sysdig/Customer, the version identifier should come from the version property of the FalcoRulesFiles object that originally contained the rule. For rules with origin == Secure UI, the version should be a constant string "current".
Example:
v1.2.3
The name of a Falco rules file
Example:
falco_rules_local.yaml
The version is incremented when the update is successful.
Example:
5
A timestamp (in milliseconds) of when the rules object was first created.
Example:
1553702727177
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
the array of items as represented in the yaml List
Examples:Viewan array containing the broken-up components of this falco list's items field
Any sort of text that might make sense to put in a list
Example:
item 1
undefined
components
items
If true, this object should be appended to an object with the same name that has already been loaded. Defaults to false if not present.
Possible values: [
true
,false
]Example:
true
Status Code
The falco list with the given id
No Sample Response
Request
Path Parameters
A unique identifier representing a specific rule
Example:
1
A name for this object. For Falco rules/macros/lists, should exactly be the value of the "rule"/"macro"/"list" property of the yaml object.
Example:
Write Below Binary Dir
A string naming the entity that created this rule. This, combined with the version identifier, corresponds to the "Published by" field in the UI. The origin should be "Secure UI" for objects created by the Secure UI, "Sysdig" for objects provided by Sysdig, and "Customer" for objects provided programmatically by the customer.
Allowable values: [
Secure UI
,Sysdig
,Customer
,Profiling
,K8s Policy Advisor
,Compliance
,Tuner
]Example:
Secure UI
A string representing the version of the file that contained this rule. This, combined with the origin, corresponds to the "Published by" field in the UI. For rules with origin == Sysdig/Customer, the version identifier should come from the version property of the FalcoRulesFiles object that originally contained the rule. For rules with origin == Secure UI, the version should be a constant string "current".
Example:
v1.2.3
The name of a Falco rules file
Example:
falco_rules_local.yaml
The version is incremented when the update is successful.
Example:
5
A timestamp (in milliseconds) of when the rules object was first created.
Example:
1553702727177
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
the array of items as represented in the yaml List
Examples:Viewan array containing the broken-up components of this falco list's items field
Any sort of text that might make sense to put in a list
Example:
item 1
undefined
components
items
If true, this object should be appended to an object with the same name that has already been loaded. Defaults to false if not present.
Allowable values: [
true
,false
]Example:
true
Response
A unique identifier representing a specific rule
Example:
1
A name for this object. For Falco rules/macros/lists, should exactly be the value of the "rule"/"macro"/"list" property of the yaml object.
Example:
Write Below Binary Dir
A string naming the entity that created this rule. This, combined with the version identifier, corresponds to the "Published by" field in the UI. The origin should be "Secure UI" for objects created by the Secure UI, "Sysdig" for objects provided by Sysdig, and "Customer" for objects provided programmatically by the customer.
Possible values: [
Secure UI
,Sysdig
,Customer
,Profiling
,K8s Policy Advisor
,Compliance
,Tuner
]Example:
Secure UI
A string representing the version of the file that contained this rule. This, combined with the origin, corresponds to the "Published by" field in the UI. For rules with origin == Sysdig/Customer, the version identifier should come from the version property of the FalcoRulesFiles object that originally contained the rule. For rules with origin == Secure UI, the version should be a constant string "current".
Example:
v1.2.3
The name of a Falco rules file
Example:
falco_rules_local.yaml
The version is incremented when the update is successful.
Example:
5
A timestamp (in milliseconds) of when the rules object was first created.
Example:
1553702727177
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
the array of items as represented in the yaml List
Examples:Viewan array containing the broken-up components of this falco list's items field
Any sort of text that might make sense to put in a list
Example:
item 1
undefined
components
items
If true, this object should be appended to an object with the same name that has already been loaded. Defaults to false if not present.
Possible values: [
true
,false
]Example:
true
Status Code
The falco list with the given id
The provided falcolist is not valid
Resource with the specified ID could not be found. More information about 404 can be found at https://httpstatuses.com/404
The user must first perform a GET request to get the current version of the resource. The user must then compare the remote version with the local expected version and merge any updates from remote if needed and then update the local version to match the remote version. More information about 409 can be found at https://httpstatuses.com/409
No Sample Response
Response
A unique identifier representing a specific rule
Example:
1
A name for this object. For Falco rules/macros/lists, should exactly be the value of the "rule"/"macro"/"list" property of the yaml object.
Example:
Write Below Binary Dir
A string naming the entity that created this rule. This, combined with the version identifier, corresponds to the "Published by" field in the UI. The origin should be "Secure UI" for objects created by the Secure UI, "Sysdig" for objects provided by Sysdig, and "Customer" for objects provided programmatically by the customer.
Possible values: [
Secure UI
,Sysdig
,Customer
,Profiling
,K8s Policy Advisor
,Compliance
,Tuner
]Example:
Secure UI
A string representing the version of the file that contained this rule. This, combined with the origin, corresponds to the "Published by" field in the UI. For rules with origin == Sysdig/Customer, the version identifier should come from the version property of the FalcoRulesFiles object that originally contained the rule. For rules with origin == Secure UI, the version should be a constant string "current".
Example:
v1.2.3
The name of a Falco rules file
Example:
falco_rules_local.yaml
The version is incremented when the update is successful.
Example:
5
A timestamp (in milliseconds) of when the rules object was first created.
Example:
1553702727177
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
the array of items as represented in the yaml List
Examples:Viewan array containing the broken-up components of this falco list's items field
Any sort of text that might make sense to put in a list
Example:
item 1
undefined
components
items
If true, this object should be appended to an object with the same name that has already been loaded. Defaults to false if not present.
Possible values: [
true
,false
]Example:
true
Status Code
The falco list that was just deleted
No Sample Response
Retrieve a list of summary falco list information, grouped by list name
Returns the list of falco lists in the system. These are grouped by name and do not necessarily represent individual falco list objects, as multiple falco lists can have the same name.
GET /api/secure/falco/lists/summaries
Response
The specific object ids having this name
Examples:ViewA name for this object. For Falco rules/macros/lists, should exactly be the value of the "rule"/"macro"/"list" property of the yaml object.
Example:
Write Below Binary Dir
A set of (origin,versionId) pairs for all the objects sharing this name.
A string naming the entity that created this rule. This, combined with the version identifier, corresponds to the "Published by" field in the UI. The origin should be "Secure UI" for objects created by the Secure UI, "Sysdig" for objects provided by Sysdig, and "Customer" for objects provided programmatically by the customer.
Possible values: [
Secure UI
,Sysdig
,Customer
,Profiling
,K8s Policy Advisor
,Compliance
,Tuner
]Example:
Secure UI
A string representing the version of the file that contained this rule. This, combined with the origin, corresponds to the "Published by" field in the UI. For rules with origin == Sysdig/Customer, the version identifier should come from the version property of the FalcoRulesFiles object that originally contained the rule. For rules with origin == Secure UI, the version should be a constant string "current".
Example:
v1.2.3
publishedBys
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
The number of rules that refer to this object (macro/list) OR the number of policies that refer to this rule
A timestamp (in milliseconds) of when the rules object was first created.
Example:
1553702738265
Status Code
An array of falco lists grouped by name.
No Sample Response
Retrieve a group of falco lists having a given name
Retrieve a group of all falco lists having the given name. This is used to show how a base list is modified by later lists that override/append to the list.
GET /api/secure/falco/lists/groups
Response
A unique identifier representing a specific rule
Example:
1
A name for this object. For Falco rules/macros/lists, should exactly be the value of the "rule"/"macro"/"list" property of the yaml object.
Example:
Write Below Binary Dir
A string naming the entity that created this rule. This, combined with the version identifier, corresponds to the "Published by" field in the UI. The origin should be "Secure UI" for objects created by the Secure UI, "Sysdig" for objects provided by Sysdig, and "Customer" for objects provided programmatically by the customer.
Possible values: [
Secure UI
,Sysdig
,Customer
,Profiling
,K8s Policy Advisor
,Compliance
,Tuner
]Example:
Secure UI
A string representing the version of the file that contained this rule. This, combined with the origin, corresponds to the "Published by" field in the UI. For rules with origin == Sysdig/Customer, the version identifier should come from the version property of the FalcoRulesFiles object that originally contained the rule. For rules with origin == Secure UI, the version should be a constant string "current".
Example:
v1.2.3
The name of a Falco rules file
Example:
falco_rules_local.yaml
The version is incremented when the update is successful.
Example:
5
A timestamp (in milliseconds) of when the rules object was first created.
Example:
1553702727177
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
the array of items as represented in the yaml List
Examples:Viewan array containing the broken-up components of this falco list's items field
Any sort of text that might make sense to put in a list
Example:
item 1
undefined
components
items
If true, this object should be appended to an object with the same name that has already been loaded. Defaults to false if not present.
Possible values: [
true
,false
]Example:
true
Status Code
An array of lists
No Sample Response
Get the default falco rules files
Get the default falco rules files e.g. the set of falco rules managed by sysdig.
GET /api/settings/falco/defaultRulesFiles
Response
Version of the object. Incremented on each update and used for optimistic locking
An externally provided version identifier (e.g. git tag) that can be used to uniquely identify this set of files.
Example:
v0.1.2
A list of files that comprise the set of rules files
A name for this file. Should be used in UI to distinguish between files.
Example:
falco_rules.yaml
An array of alternate versions for the given file. An agent should choose the highest version that is compatible with its included falco engine.
A string containing the yaml contents of a falco rules file variant.
Examples:ViewThe minimum falco engine version that can read this rules file variant.
variants
files
A list of reference policies that can be created from the provided falco rules. Used by the /v2/policies/default endpoint.
A short name for the policy
Example:
Check filesystem activity
Description of policy
Example:
Monitor all filesystem operations and look for suspicious or notable behavior
How severe is this policy when violated. Range from 0 to 7 included.
Example:
4
True if the policy should be considered
Example:
true
Where the policy is being applied- Container, Host etc..
Example:
container.image.repository = sysdig/agent
Array of TemplateRule objects
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
rules
Array of rule names. (They must be names instead of ids, as the rules list view is by name, to account for multiple rules having the same name).
Examples:ViewFunctional behavior that can be enabled within a policy and should be performed if the condition of a policy is met. Certain actions may only make sense for policies of a particular type.
Possible values: [
POLICY_ACTION_CAPTURE
]specifies the subset to match
Example:
proc.name=cat or proc.name=vi
period of time to capture before event in nanoseconds
period of time to capture after event in nanoseconds
the name of the file in which the capture will be saved
specifies which strategy will be taken to store the capture
Possible values: [
LOCAL
,S3
,AGENT
,PROVIDED
,CASSANDRA
]identifies an s3 compliant bucket
the name of an s3 folder (enables the user to specify a bucket that is not in the default bucket root folder '/')
specifies the id of a row in the file_storage table that corresponds to a FileStorageDetails.java object
undefined
actions
A name for a non overlapping subset of policies that share common characteristics. The enums falco and list_matching correspond to the FalcoSource enum syscall, k8s_audit corresponds to k8s_audit, and the others will map to a future enum value once OSS Falco decides a name
Possible values: [
falco
,list_matching
,k8s_audit
,aws_cloudtrail
,gcp_auditlog
,azure_platformlogs
,drift
,machine_learning
,falco_cloud_awscloudtrail
]
defaultPolicies
defaultFalcoRulesFiles
Status Code
The default falco rules files.
No Sample Response
Get the newest default falco rules files
Get the newest default falco rules files e.g. the set of falco rules managed by sysdig.
GET /api/settings/falco/newestDefaultRulesFiles
Response
Version of the object. Incremented on each update and used for optimistic locking
An externally provided version identifier (e.g. git tag) that can be used to uniquely identify this set of files.
Example:
v0.1.2
A list of files that comprise the set of rules files
A name for this file. Should be used in UI to distinguish between files.
Example:
falco_rules.yaml
A string containing the yaml contents of a falco rules file variant.
Examples:ViewThe minimum falco engine version that can read this rules file variant.
files
newestDefaultFalcoRulesFiles
Status Code
The newest falco rules files.
No Sample Response
Get the custom falco rules files
Get the custom falco rules files e.g. the set of falco rules managed by a customer.
GET /api/settings/falco/customRulesFiles
Response
Version of the object. Incremented on each update and used for optimistic locking
An externally provided version identifier (e.g. git tag) that can be used to uniquely identify this set of files.
Example:
v0.1.2
A list of files that comprise the set of rules files
A name for this file. Should be used in UI to distinguish between files.
Example:
falco_rules.yaml
An array of alternate versions for the given file. An agent should choose the highest version that is compatible with its included falco engine.
A string containing the yaml contents of a falco rules file variant.
Examples:ViewThe minimum falco engine version that can read this rules file variant.
variants
files
A list of reference policies that can be created from the provided falco rules. Used by the /v2/policies/default endpoint.
A short name for the policy
Example:
Check filesystem activity
Description of policy
Example:
Monitor all filesystem operations and look for suspicious or notable behavior
How severe is this policy when violated. Range from 0 to 7 included.
Example:
4
True if the policy should be considered
Example:
true
Where the policy is being applied- Container, Host etc..
Example:
container.image.repository = sysdig/agent
Array of TemplateRule objects
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
rules
Array of rule names. (They must be names instead of ids, as the rules list view is by name, to account for multiple rules having the same name).
Examples:ViewFunctional behavior that can be enabled within a policy and should be performed if the condition of a policy is met. Certain actions may only make sense for policies of a particular type.
Possible values: [
POLICY_ACTION_CAPTURE
]specifies the subset to match
Example:
proc.name=cat or proc.name=vi
period of time to capture before event in nanoseconds
period of time to capture after event in nanoseconds
the name of the file in which the capture will be saved
specifies which strategy will be taken to store the capture
Possible values: [
LOCAL
,S3
,AGENT
,PROVIDED
,CASSANDRA
]identifies an s3 compliant bucket
the name of an s3 folder (enables the user to specify a bucket that is not in the default bucket root folder '/')
specifies the id of a row in the file_storage table that corresponds to a FileStorageDetails.java object
undefined
actions
A name for a non overlapping subset of policies that share common characteristics. The enums falco and list_matching correspond to the FalcoSource enum syscall, k8s_audit corresponds to k8s_audit, and the others will map to a future enum value once OSS Falco decides a name
Possible values: [
falco
,list_matching
,k8s_audit
,aws_cloudtrail
,gcp_auditlog
,azure_platformlogs
,drift
,machine_learning
,falco_cloud_awscloudtrail
]
defaultPolicies
customFalcoRulesFiles
Status Code
The custom falco rules files.
No Sample Response
Set the custom rules files e.g. the set of falco rules managed by a customer.
Set the current custom falco rules files. This content is always validated by passing the current default rules files plus the submitted customer rules files and any Secure UI generated rules to the open source falco executable to verify that falco can read the combination of files. The backend should choose the variant that has the greatest required_engine_version for each file, and then run open source falco with the -d option to verify the files. As knowing the current value of the version
field is required to successfully update the rules file, in order to update the rules content you must first do a GET and update the content
property. The version
property in the response will be incremented on success.
PUT /api/settings/falco/customRulesFiles
Request
Version of the object. Incremented on each update and used for optimistic locking
An externally provided version identifier (e.g. git tag) that can be used to uniquely identify this set of files.
Example:
v0.1.2
A list of files that comprise the set of rules files
A name for this file. Should be used in UI to distinguish between files.
Example:
falco_rules.yaml
An array of alternate versions for the given file. An agent should choose the highest version that is compatible with its included falco engine.
A string containing the yaml contents of a falco rules file variant.
Examples:ViewThe minimum falco engine version that can read this rules file variant.
variants
files
A list of reference policies that can be created from the provided falco rules. Used by the /v2/policies/default endpoint.
A short name for the policy
Example:
Check filesystem activity
Description of policy
Example:
Monitor all filesystem operations and look for suspicious or notable behavior
How severe is this policy when violated. Range from 0 to 7 included.
Example:
4
True if the policy should be considered
Example:
true
Where the policy is being applied- Container, Host etc..
Example:
container.image.repository = sysdig/agent
Array of TemplateRule objects
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
rules
Array of rule names. (They must be names instead of ids, as the rules list view is by name, to account for multiple rules having the same name).
Examples:ViewFunctional behavior that can be enabled within a policy and should be performed if the condition of a policy is met. Certain actions may only make sense for policies of a particular type.
Allowable values: [
POLICY_ACTION_CAPTURE
]specifies the subset to match
Example:
proc.name=cat or proc.name=vi
period of time to capture before event in nanoseconds
period of time to capture after event in nanoseconds
the name of the file in which the capture will be saved
specifies which strategy will be taken to store the capture
Allowable values: [
LOCAL
,S3
,AGENT
,PROVIDED
,CASSANDRA
]identifies an s3 compliant bucket
the name of an s3 folder (enables the user to specify a bucket that is not in the default bucket root folder '/')
specifies the id of a row in the file_storage table that corresponds to a FileStorageDetails.java object
undefined
actions
A name for a non overlapping subset of policies that share common characteristics. The enums falco and list_matching correspond to the FalcoSource enum syscall, k8s_audit corresponds to k8s_audit, and the others will map to a future enum value once OSS Falco decides a name
Allowable values: [
falco
,list_matching
,k8s_audit
,aws_cloudtrail
,gcp_auditlog
,azure_platformlogs
,drift
,machine_learning
,falco_cloud_awscloudtrail
]
defaultPolicies
customFalcoRulesFiles
Response
Version of the object. Incremented on each update and used for optimistic locking
An externally provided version identifier (e.g. git tag) that can be used to uniquely identify this set of files.
Example:
v0.1.2
A list of files that comprise the set of rules files
A name for this file. Should be used in UI to distinguish between files.
Example:
falco_rules.yaml
An array of alternate versions for the given file. An agent should choose the highest version that is compatible with its included falco engine.
A string containing the yaml contents of a falco rules file variant.
Examples:ViewThe minimum falco engine version that can read this rules file variant.
variants
files
A list of reference policies that can be created from the provided falco rules. Used by the /v2/policies/default endpoint.
A short name for the policy
Example:
Check filesystem activity
Description of policy
Example:
Monitor all filesystem operations and look for suspicious or notable behavior
How severe is this policy when violated. Range from 0 to 7 included.
Example:
4
True if the policy should be considered
Example:
true
Where the policy is being applied- Container, Host etc..
Example:
container.image.repository = sysdig/agent
Array of TemplateRule objects
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
rules
Array of rule names. (They must be names instead of ids, as the rules list view is by name, to account for multiple rules having the same name).
Examples:ViewFunctional behavior that can be enabled within a policy and should be performed if the condition of a policy is met. Certain actions may only make sense for policies of a particular type.
Possible values: [
POLICY_ACTION_CAPTURE
]specifies the subset to match
Example:
proc.name=cat or proc.name=vi
period of time to capture before event in nanoseconds
period of time to capture after event in nanoseconds
the name of the file in which the capture will be saved
specifies which strategy will be taken to store the capture
Possible values: [
LOCAL
,S3
,AGENT
,PROVIDED
,CASSANDRA
]identifies an s3 compliant bucket
the name of an s3 folder (enables the user to specify a bucket that is not in the default bucket root folder '/')
specifies the id of a row in the file_storage table that corresponds to a FileStorageDetails.java object
undefined
actions
A name for a non overlapping subset of policies that share common characteristics. The enums falco and list_matching correspond to the FalcoSource enum syscall, k8s_audit corresponds to k8s_audit, and the others will map to a future enum value once OSS Falco decides a name
Possible values: [
falco
,list_matching
,k8s_audit
,aws_cloudtrail
,gcp_auditlog
,azure_platformlogs
,drift
,machine_learning
,falco_cloud_awscloudtrail
]
defaultPolicies
customFalcoRulesFiles
Status Code
The custom falco rules files
The provided falco rules content was either not falco compliant, causes a rule to be deleted that is still used by a policy, or has non null default policies
The user must first perform a GET request to get the current version of the resource. The user must then compare the remote version with the local expected version and merge any updates from remote if needed and then update the local version to match the remote version. More information about 409 can be found at https://httpstatuses.com/409
No Sample Response
Get the custom falco rules file matching the filename
Get the custom falco rules file matching the filename
GET /api/settings/falco/customRulesFiles/{filename}
Response
The name of a Falco rules file
Example:
falco_rules_local.yaml
A string containing the yaml contents of a falco rules file variant.
Examples:ViewVersion of the corresponding CustomRulesFiles object to which the specific file belongs
Status Code
The custom falco rules file
Resource with the specified ID could not be found. More information about 404 can be found at https://httpstatuses.com/404
No Sample Response
Update the custom falco rules file matching the filename
Update the custom falco rules file matching the filename
PUT /api/settings/falco/customRulesFiles/{filename}
Request
Path Parameters
The name of a Falco rules file
Example:
falco_rules_local.yaml
A string containing the yaml contents of a falco rules file variant.
Examples:ViewVersion of the corresponding CustomRulesFiles object to which the specific file belongs
Response
The name of a Falco rules file
Example:
falco_rules_local.yaml
A string containing the yaml contents of a falco rules file variant.
Examples:ViewVersion of the corresponding CustomRulesFiles object to which the specific file belongs
Status Code
The custom falco rules file
The provided falco rules content was either not falco compliant, causes a rule to be deleted that is still used by a policy, or has non null default policies
The user must first perform a GET request to get the current version of the resource. The user must then compare the remote version with the local expected version and merge any updates from remote if needed and then update the local version to match the remote version. More information about 409 can be found at https://httpstatuses.com/409
No Sample Response
Delete the specified falco rules file
Delete the specified falco rules file
DELETE /api/settings/falco/customRulesFiles/{filename}
Response
The name of a Falco rules file
Example:
falco_rules_local.yaml
A string containing the yaml contents of a falco rules file variant.
Examples:ViewVersion of the corresponding CustomRulesFiles object to which the specific file belongs
Status Code
The deleted policy
Resource with the specified ID could not be found. More information about 404 can be found at https://httpstatuses.com/404
The user must first perform a GET request to get the current version of the resource. The user must then compare the remote version with the local expected version and merge any updates from remote if needed and then update the local version to match the remote version. More information about 409 can be found at https://httpstatuses.com/409
No Sample Response
Request
A short name for the policy
Example:
Check filesystem activity
Description of policy
Example:
Monitor all filesystem operations and look for suspicious or notable behavior
How severe is this policy when violated. Range from 0 to 7 included.
Example:
4
True if the policy should be considered
Example:
true
Where the policy is being applied- Container, Host etc..
Example:
container.image.repository = sysdig/agent
Array of PolicyRules representing each Rule referenced by this policy
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
rules
Array of rule names. (They must be names instead of ids, as the rules list view is by name, to account for multiple rules having the same name).
Examples:ViewFunctional behavior that can be enabled within a policy and should be performed if the condition of a policy is met. Certain actions may only make sense for policies of a particular type.
Allowable values: [
POLICY_ACTION_CAPTURE
]specifies the subset to match
Example:
proc.name=cat or proc.name=vi
period of time to capture before event in nanoseconds
period of time to capture after event in nanoseconds
the name of the file in which the capture will be saved
specifies which strategy will be taken to store the capture
Allowable values: [
LOCAL
,S3
,AGENT
,PROVIDED
,CASSANDRA
]identifies an s3 compliant bucket
the name of an s3 folder (enables the user to specify a bucket that is not in the default bucket root folder '/')
specifies the id of a row in the file_storage table that corresponds to a FileStorageDetails.java object
undefined
actions
A name for a non overlapping subset of policies that share common characteristics. The enums falco and list_matching correspond to the FalcoSource enum syscall, k8s_audit corresponds to k8s_audit, and the others will map to a future enum value once OSS Falco decides a name
Allowable values: [
falco
,list_matching
,k8s_audit
,aws_cloudtrail
,gcp_auditlog
,azure_platformlogs
,drift
,machine_learning
,falco_cloud_awscloudtrail
]Unique identifier representing a specific policy.
Example:
1
Version of the object. Incremented on each update and used for optimistic locking
Example:
18
id of the template this policy was birthed from. For unmanaged policies this value is nil
Example:
2
version of the template this policy was most recently updated from.
Example:
4
is this a default policy
Example:
true
runbook url
Example:
https://runbook.com
A timestamp (in milliseconds) of when the rules object was first created.
Example:
1553702727177
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
A string naming the entity that created this rule. This, combined with the version identifier, corresponds to the "Published by" field in the UI. The origin should be "Secure UI" for objects created by the Secure UI, "Sysdig" for objects provided by Sysdig, and "Customer" for objects provided programmatically by the customer.
Allowable values: [
Secure UI
,Sysdig
,Customer
,Profiling
,K8s Policy Advisor
,Compliance
,Tuner
]Example:
Secure UI
A string representing the version of the file that contained this rule. This, combined with the origin, corresponds to the "Published by" field in the UI. For rules with origin == Sysdig/Customer, the version identifier should come from the version property of the FalcoRulesFiles object that originally contained the rule. For rules with origin == Secure UI, the version should be a constant string "current".
Example:
v1.2.3
UUID of the profile, based on a SHA of (imageId + profileVersion).
Name of the profile, which includes registry/repository:tag@hash.
Version of the profile, incremented when the model is updated.
UUID of the image, based on a SHA256 of the image content.
Name of the image, as registry/repository:tag.
profile
Response
A short name for the policy
Example:
Check filesystem activity
Description of policy
Example:
Monitor all filesystem operations and look for suspicious or notable behavior
How severe is this policy when violated. Range from 0 to 7 included.
Example:
4
True if the policy should be considered
Example:
true
Where the policy is being applied- Container, Host etc..
Example:
container.image.repository = sysdig/agent
Array of PolicyRules representing each Rule referenced by this policy
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
rules
Array of rule names. (They must be names instead of ids, as the rules list view is by name, to account for multiple rules having the same name).
Examples:ViewFunctional behavior that can be enabled within a policy and should be performed if the condition of a policy is met. Certain actions may only make sense for policies of a particular type.
Possible values: [
POLICY_ACTION_CAPTURE
]specifies the subset to match
Example:
proc.name=cat or proc.name=vi
period of time to capture before event in nanoseconds
period of time to capture after event in nanoseconds
the name of the file in which the capture will be saved
specifies which strategy will be taken to store the capture
Possible values: [
LOCAL
,S3
,AGENT
,PROVIDED
,CASSANDRA
]identifies an s3 compliant bucket
the name of an s3 folder (enables the user to specify a bucket that is not in the default bucket root folder '/')
specifies the id of a row in the file_storage table that corresponds to a FileStorageDetails.java object
undefined
actions
A name for a non overlapping subset of policies that share common characteristics. The enums falco and list_matching correspond to the FalcoSource enum syscall, k8s_audit corresponds to k8s_audit, and the others will map to a future enum value once OSS Falco decides a name
Possible values: [
falco
,list_matching
,k8s_audit
,aws_cloudtrail
,gcp_auditlog
,azure_platformlogs
,drift
,machine_learning
,falco_cloud_awscloudtrail
]Unique identifier representing a specific policy.
Example:
1
Version of the object. Incremented on each update and used for optimistic locking
Example:
18
id of the template this policy was birthed from. For unmanaged policies this value is nil
Example:
2
version of the template this policy was most recently updated from.
Example:
4
is this a default policy
Example:
true
runbook url
Example:
https://runbook.com
A timestamp (in milliseconds) of when the rules object was first created.
Example:
1553702727177
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
A string naming the entity that created this rule. This, combined with the version identifier, corresponds to the "Published by" field in the UI. The origin should be "Secure UI" for objects created by the Secure UI, "Sysdig" for objects provided by Sysdig, and "Customer" for objects provided programmatically by the customer.
Possible values: [
Secure UI
,Sysdig
,Customer
,Profiling
,K8s Policy Advisor
,Compliance
,Tuner
]Example:
Secure UI
A string representing the version of the file that contained this rule. This, combined with the origin, corresponds to the "Published by" field in the UI. For rules with origin == Sysdig/Customer, the version identifier should come from the version property of the FalcoRulesFiles object that originally contained the rule. For rules with origin == Secure UI, the version should be a constant string "current".
Example:
v1.2.3
UUID of the profile, based on a SHA of (imageId + profileVersion).
Name of the profile, which includes registry/repository:tag@hash.
Version of the profile, incremented when the model is updated.
UUID of the image, based on a SHA256 of the image content.
Name of the image, as registry/repository:tag.
profile
Status Code
The newly created policy
The submitted policy was invalid
No Sample Response
Retrieve security policies
Returns information about policies configured by the current customer. Policies can be filtered by priority and scope.
GET /api/v2/policies
Request
Query Parameters
Example:
10
string to look for in policy names/descriptions
Example:
Write below
finds policies that correspond to a numeric value representing a severity. The query param can be repeated to look for multiple severities
Example:
3
finds policies of a certain type
Example:
list_matching
finds policies that are managed by sysdig
Possible values: allows empty value
Response
A short name for the policy
Example:
Check filesystem activity
Description of policy
Example:
Monitor all filesystem operations and look for suspicious or notable behavior
How severe is this policy when violated. Range from 0 to 7 included.
Example:
4
True if the policy should be considered
Example:
true
Where the policy is being applied- Container, Host etc..
Example:
container.image.repository = sysdig/agent
Array of PolicyRules representing each Rule referenced by this policy
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
rules
Array of rule names. (They must be names instead of ids, as the rules list view is by name, to account for multiple rules having the same name).
Examples:ViewFunctional behavior that can be enabled within a policy and should be performed if the condition of a policy is met. Certain actions may only make sense for policies of a particular type.
Possible values: [
POLICY_ACTION_CAPTURE
]specifies the subset to match
Example:
proc.name=cat or proc.name=vi
period of time to capture before event in nanoseconds
period of time to capture after event in nanoseconds
the name of the file in which the capture will be saved
specifies which strategy will be taken to store the capture
Possible values: [
LOCAL
,S3
,AGENT
,PROVIDED
,CASSANDRA
]identifies an s3 compliant bucket
the name of an s3 folder (enables the user to specify a bucket that is not in the default bucket root folder '/')
specifies the id of a row in the file_storage table that corresponds to a FileStorageDetails.java object
undefined
actions
A name for a non overlapping subset of policies that share common characteristics. The enums falco and list_matching correspond to the FalcoSource enum syscall, k8s_audit corresponds to k8s_audit, and the others will map to a future enum value once OSS Falco decides a name
Possible values: [
falco
,list_matching
,k8s_audit
,aws_cloudtrail
,gcp_auditlog
,azure_platformlogs
,drift
,machine_learning
,falco_cloud_awscloudtrail
]Unique identifier representing a specific policy.
Example:
1
Version of the object. Incremented on each update and used for optimistic locking
Example:
18
id of the template this policy was birthed from. For unmanaged policies this value is nil
Example:
2
version of the template this policy was most recently updated from.
Example:
4
is this a default policy
Example:
true
runbook url
Example:
https://runbook.com
A timestamp (in milliseconds) of when the rules object was first created.
Example:
1553702727177
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
A string naming the entity that created this rule. This, combined with the version identifier, corresponds to the "Published by" field in the UI. The origin should be "Secure UI" for objects created by the Secure UI, "Sysdig" for objects provided by Sysdig, and "Customer" for objects provided programmatically by the customer.
Possible values: [
Secure UI
,Sysdig
,Customer
,Profiling
,K8s Policy Advisor
,Compliance
,Tuner
]Example:
Secure UI
A string representing the version of the file that contained this rule. This, combined with the origin, corresponds to the "Published by" field in the UI. For rules with origin == Sysdig/Customer, the version identifier should come from the version property of the FalcoRulesFiles object that originally contained the rule. For rules with origin == Secure UI, the version should be a constant string "current".
Example:
v1.2.3
UUID of the profile, based on a SHA of (imageId + profileVersion).
Name of the profile, which includes registry/repository:tag@hash.
Version of the profile, incremented when the model is updated.
UUID of the image, based on a SHA256 of the image content.
Name of the image, as registry/repository:tag.
profile
Status Code
An array of policies
No Sample Response
Response
A short name for the policy
Example:
Check filesystem activity
Description of policy
Example:
Monitor all filesystem operations and look for suspicious or notable behavior
How severe is this policy when violated. Range from 0 to 7 included.
Example:
4
True if the policy should be considered
Example:
true
Where the policy is being applied- Container, Host etc..
Example:
container.image.repository = sysdig/agent
Array of PolicyRules representing each Rule referenced by this policy
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
rules
Array of rule names. (They must be names instead of ids, as the rules list view is by name, to account for multiple rules having the same name).
Examples:ViewFunctional behavior that can be enabled within a policy and should be performed if the condition of a policy is met. Certain actions may only make sense for policies of a particular type.
Possible values: [
POLICY_ACTION_CAPTURE
]specifies the subset to match
Example:
proc.name=cat or proc.name=vi
period of time to capture before event in nanoseconds
period of time to capture after event in nanoseconds
the name of the file in which the capture will be saved
specifies which strategy will be taken to store the capture
Possible values: [
LOCAL
,S3
,AGENT
,PROVIDED
,CASSANDRA
]identifies an s3 compliant bucket
the name of an s3 folder (enables the user to specify a bucket that is not in the default bucket root folder '/')
specifies the id of a row in the file_storage table that corresponds to a FileStorageDetails.java object
undefined
actions
A name for a non overlapping subset of policies that share common characteristics. The enums falco and list_matching correspond to the FalcoSource enum syscall, k8s_audit corresponds to k8s_audit, and the others will map to a future enum value once OSS Falco decides a name
Possible values: [
falco
,list_matching
,k8s_audit
,aws_cloudtrail
,gcp_auditlog
,azure_platformlogs
,drift
,machine_learning
,falco_cloud_awscloudtrail
]Unique identifier representing a specific policy.
Example:
1
Version of the object. Incremented on each update and used for optimistic locking
Example:
18
id of the template this policy was birthed from. For unmanaged policies this value is nil
Example:
2
version of the template this policy was most recently updated from.
Example:
4
is this a default policy
Example:
true
runbook url
Example:
https://runbook.com
A timestamp (in milliseconds) of when the rules object was first created.
Example:
1553702727177
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
A string naming the entity that created this rule. This, combined with the version identifier, corresponds to the "Published by" field in the UI. The origin should be "Secure UI" for objects created by the Secure UI, "Sysdig" for objects provided by Sysdig, and "Customer" for objects provided programmatically by the customer.
Possible values: [
Secure UI
,Sysdig
,Customer
,Profiling
,K8s Policy Advisor
,Compliance
,Tuner
]Example:
Secure UI
A string representing the version of the file that contained this rule. This, combined with the origin, corresponds to the "Published by" field in the UI. For rules with origin == Sysdig/Customer, the version identifier should come from the version property of the FalcoRulesFiles object that originally contained the rule. For rules with origin == Secure UI, the version should be a constant string "current".
Example:
v1.2.3
UUID of the profile, based on a SHA of (imageId + profileVersion).
Name of the profile, which includes registry/repository:tag@hash.
Version of the profile, incremented when the model is updated.
UUID of the image, based on a SHA256 of the image content.
Name of the image, as registry/repository:tag.
profile
Status Code
The requested policy
No Sample Response
Request
Path Parameters
A short name for the policy
Example:
Check filesystem activity
Description of policy
Example:
Monitor all filesystem operations and look for suspicious or notable behavior
How severe is this policy when violated. Range from 0 to 7 included.
Example:
4
True if the policy should be considered
Example:
true
Where the policy is being applied- Container, Host etc..
Example:
container.image.repository = sysdig/agent
Array of PolicyRules representing each Rule referenced by this policy
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
rules
Array of rule names. (They must be names instead of ids, as the rules list view is by name, to account for multiple rules having the same name).
Examples:ViewFunctional behavior that can be enabled within a policy and should be performed if the condition of a policy is met. Certain actions may only make sense for policies of a particular type.
Allowable values: [
POLICY_ACTION_CAPTURE
]specifies the subset to match
Example:
proc.name=cat or proc.name=vi
period of time to capture before event in nanoseconds
period of time to capture after event in nanoseconds
the name of the file in which the capture will be saved
specifies which strategy will be taken to store the capture
Allowable values: [
LOCAL
,S3
,AGENT
,PROVIDED
,CASSANDRA
]identifies an s3 compliant bucket
the name of an s3 folder (enables the user to specify a bucket that is not in the default bucket root folder '/')
specifies the id of a row in the file_storage table that corresponds to a FileStorageDetails.java object
undefined
actions
A name for a non overlapping subset of policies that share common characteristics. The enums falco and list_matching correspond to the FalcoSource enum syscall, k8s_audit corresponds to k8s_audit, and the others will map to a future enum value once OSS Falco decides a name
Allowable values: [
falco
,list_matching
,k8s_audit
,aws_cloudtrail
,gcp_auditlog
,azure_platformlogs
,drift
,machine_learning
,falco_cloud_awscloudtrail
]Unique identifier representing a specific policy.
Example:
1
Version of the object. Incremented on each update and used for optimistic locking
Example:
18
id of the template this policy was birthed from. For unmanaged policies this value is nil
Example:
2
version of the template this policy was most recently updated from.
Example:
4
is this a default policy
Example:
true
runbook url
Example:
https://runbook.com
A timestamp (in milliseconds) of when the rules object was first created.
Example:
1553702727177
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
A string naming the entity that created this rule. This, combined with the version identifier, corresponds to the "Published by" field in the UI. The origin should be "Secure UI" for objects created by the Secure UI, "Sysdig" for objects provided by Sysdig, and "Customer" for objects provided programmatically by the customer.
Allowable values: [
Secure UI
,Sysdig
,Customer
,Profiling
,K8s Policy Advisor
,Compliance
,Tuner
]Example:
Secure UI
A string representing the version of the file that contained this rule. This, combined with the origin, corresponds to the "Published by" field in the UI. For rules with origin == Sysdig/Customer, the version identifier should come from the version property of the FalcoRulesFiles object that originally contained the rule. For rules with origin == Secure UI, the version should be a constant string "current".
Example:
v1.2.3
UUID of the profile, based on a SHA of (imageId + profileVersion).
Name of the profile, which includes registry/repository:tag@hash.
Version of the profile, incremented when the model is updated.
UUID of the image, based on a SHA256 of the image content.
Name of the image, as registry/repository:tag.
profile
Response
A short name for the policy
Example:
Check filesystem activity
Description of policy
Example:
Monitor all filesystem operations and look for suspicious or notable behavior
How severe is this policy when violated. Range from 0 to 7 included.
Example:
4
True if the policy should be considered
Example:
true
Where the policy is being applied- Container, Host etc..
Example:
container.image.repository = sysdig/agent
Array of PolicyRules representing each Rule referenced by this policy
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
rules
Array of rule names. (They must be names instead of ids, as the rules list view is by name, to account for multiple rules having the same name).
Examples:ViewFunctional behavior that can be enabled within a policy and should be performed if the condition of a policy is met. Certain actions may only make sense for policies of a particular type.
Possible values: [
POLICY_ACTION_CAPTURE
]specifies the subset to match
Example:
proc.name=cat or proc.name=vi
period of time to capture before event in nanoseconds
period of time to capture after event in nanoseconds
the name of the file in which the capture will be saved
specifies which strategy will be taken to store the capture
Possible values: [
LOCAL
,S3
,AGENT
,PROVIDED
,CASSANDRA
]identifies an s3 compliant bucket
the name of an s3 folder (enables the user to specify a bucket that is not in the default bucket root folder '/')
specifies the id of a row in the file_storage table that corresponds to a FileStorageDetails.java object
undefined
actions
A name for a non overlapping subset of policies that share common characteristics. The enums falco and list_matching correspond to the FalcoSource enum syscall, k8s_audit corresponds to k8s_audit, and the others will map to a future enum value once OSS Falco decides a name
Possible values: [
falco
,list_matching
,k8s_audit
,aws_cloudtrail
,gcp_auditlog
,azure_platformlogs
,drift
,machine_learning
,falco_cloud_awscloudtrail
]Unique identifier representing a specific policy.
Example:
1
Version of the object. Incremented on each update and used for optimistic locking
Example:
18
id of the template this policy was birthed from. For unmanaged policies this value is nil
Example:
2
version of the template this policy was most recently updated from.
Example:
4
is this a default policy
Example:
true
runbook url
Example:
https://runbook.com
A timestamp (in milliseconds) of when the rules object was first created.
Example:
1553702727177
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
A string naming the entity that created this rule. This, combined with the version identifier, corresponds to the "Published by" field in the UI. The origin should be "Secure UI" for objects created by the Secure UI, "Sysdig" for objects provided by Sysdig, and "Customer" for objects provided programmatically by the customer.
Possible values: [
Secure UI
,Sysdig
,Customer
,Profiling
,K8s Policy Advisor
,Compliance
,Tuner
]Example:
Secure UI
A string representing the version of the file that contained this rule. This, combined with the origin, corresponds to the "Published by" field in the UI. For rules with origin == Sysdig/Customer, the version identifier should come from the version property of the FalcoRulesFiles object that originally contained the rule. For rules with origin == Secure UI, the version should be a constant string "current".
Example:
v1.2.3
UUID of the profile, based on a SHA of (imageId + profileVersion).
Name of the profile, which includes registry/repository:tag@hash.
Version of the profile, incremented when the model is updated.
UUID of the image, based on a SHA256 of the image content.
Name of the image, as registry/repository:tag.
profile
Status Code
The requested policy
The updated policy was invalid
Resource with the specified ID could not be found. More information about 404 can be found at https://httpstatuses.com/404
The user must first perform a GET request to get the current version of the resource. The user must then compare the remote version with the local expected version and merge any updates from remote if needed and then update the local version to match the remote version. More information about 409 can be found at https://httpstatuses.com/409
No Sample Response
Response
A short name for the policy
Example:
Check filesystem activity
Description of policy
Example:
Monitor all filesystem operations and look for suspicious or notable behavior
How severe is this policy when violated. Range from 0 to 7 included.
Example:
4
True if the policy should be considered
Example:
true
Where the policy is being applied- Container, Host etc..
Example:
container.image.repository = sysdig/agent
Array of PolicyRules representing each Rule referenced by this policy
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
rules
Array of rule names. (They must be names instead of ids, as the rules list view is by name, to account for multiple rules having the same name).
Examples:ViewFunctional behavior that can be enabled within a policy and should be performed if the condition of a policy is met. Certain actions may only make sense for policies of a particular type.
Possible values: [
POLICY_ACTION_CAPTURE
]specifies the subset to match
Example:
proc.name=cat or proc.name=vi
period of time to capture before event in nanoseconds
period of time to capture after event in nanoseconds
the name of the file in which the capture will be saved
specifies which strategy will be taken to store the capture
Possible values: [
LOCAL
,S3
,AGENT
,PROVIDED
,CASSANDRA
]identifies an s3 compliant bucket
the name of an s3 folder (enables the user to specify a bucket that is not in the default bucket root folder '/')
specifies the id of a row in the file_storage table that corresponds to a FileStorageDetails.java object
undefined
actions
A name for a non overlapping subset of policies that share common characteristics. The enums falco and list_matching correspond to the FalcoSource enum syscall, k8s_audit corresponds to k8s_audit, and the others will map to a future enum value once OSS Falco decides a name
Possible values: [
falco
,list_matching
,k8s_audit
,aws_cloudtrail
,gcp_auditlog
,azure_platformlogs
,drift
,machine_learning
,falco_cloud_awscloudtrail
]Unique identifier representing a specific policy.
Example:
1
Version of the object. Incremented on each update and used for optimistic locking
Example:
18
id of the template this policy was birthed from. For unmanaged policies this value is nil
Example:
2
version of the template this policy was most recently updated from.
Example:
4
is this a default policy
Example:
true
runbook url
Example:
https://runbook.com
A timestamp (in milliseconds) of when the rules object was first created.
Example:
1553702727177
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
A string naming the entity that created this rule. This, combined with the version identifier, corresponds to the "Published by" field in the UI. The origin should be "Secure UI" for objects created by the Secure UI, "Sysdig" for objects provided by Sysdig, and "Customer" for objects provided programmatically by the customer.
Possible values: [
Secure UI
,Sysdig
,Customer
,Profiling
,K8s Policy Advisor
,Compliance
,Tuner
]Example:
Secure UI
A string representing the version of the file that contained this rule. This, combined with the origin, corresponds to the "Published by" field in the UI. For rules with origin == Sysdig/Customer, the version identifier should come from the version property of the FalcoRulesFiles object that originally contained the rule. For rules with origin == Secure UI, the version should be a constant string "current".
Example:
v1.2.3
UUID of the profile, based on a SHA of (imageId + profileVersion).
Name of the profile, which includes registry/repository:tag@hash.
Version of the profile, incremented when the model is updated.
UUID of the image, based on a SHA256 of the image content.
Name of the image, as registry/repository:tag.
profile
Status Code
The deleted policy
No Sample Response
Create a new security policy and rules in a transaction
Save a new security policy and rules in a transaction. If the policy or any of the rules fail validation, the operation is canceled (no policy or rule is created) and an error response is returned.
POST /api/v2/policies/batch
Request
A short name for the policy
Example:
Check filesystem activity
Description of policy
Example:
Monitor all filesystem operations and look for suspicious or notable behavior
How severe is this policy when violated. Range from 0 to 7 included.
Example:
4
True if the policy should be considered
Example:
true
Where the policy is being applied- Container, Host etc..
Example:
container.image.repository = sysdig/agent
Array of PolicyRules representing each Rule referenced by this policy
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
rules
Array of rule names. (They must be names instead of ids, as the rules list view is by name, to account for multiple rules having the same name).
Examples:ViewFunctional behavior that can be enabled within a policy and should be performed if the condition of a policy is met. Certain actions may only make sense for policies of a particular type.
Allowable values: [
POLICY_ACTION_CAPTURE
]specifies the subset to match
Example:
proc.name=cat or proc.name=vi
period of time to capture before event in nanoseconds
period of time to capture after event in nanoseconds
the name of the file in which the capture will be saved
specifies which strategy will be taken to store the capture
Allowable values: [
LOCAL
,S3
,AGENT
,PROVIDED
,CASSANDRA
]identifies an s3 compliant bucket
the name of an s3 folder (enables the user to specify a bucket that is not in the default bucket root folder '/')
specifies the id of a row in the file_storage table that corresponds to a FileStorageDetails.java object
undefined
actions
A name for a non overlapping subset of policies that share common characteristics. The enums falco and list_matching correspond to the FalcoSource enum syscall, k8s_audit corresponds to k8s_audit, and the others will map to a future enum value once OSS Falco decides a name
Allowable values: [
falco
,list_matching
,k8s_audit
,aws_cloudtrail
,gcp_auditlog
,azure_platformlogs
,drift
,machine_learning
,falco_cloud_awscloudtrail
]Unique identifier representing a specific policy.
Example:
1
Version of the object. Incremented on each update and used for optimistic locking
Example:
18
id of the template this policy was birthed from. For unmanaged policies this value is nil
Example:
2
version of the template this policy was most recently updated from.
Example:
4
is this a default policy
Example:
true
runbook url
Example:
https://runbook.com
A timestamp (in milliseconds) of when the rules object was first created.
Example:
1553702727177
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
A string naming the entity that created this rule. This, combined with the version identifier, corresponds to the "Published by" field in the UI. The origin should be "Secure UI" for objects created by the Secure UI, "Sysdig" for objects provided by Sysdig, and "Customer" for objects provided programmatically by the customer.
Allowable values: [
Secure UI
,Sysdig
,Customer
,Profiling
,K8s Policy Advisor
,Compliance
,Tuner
]Example:
Secure UI
A string representing the version of the file that contained this rule. This, combined with the origin, corresponds to the "Published by" field in the UI. For rules with origin == Sysdig/Customer, the version identifier should come from the version property of the FalcoRulesFiles object that originally contained the rule. For rules with origin == Secure UI, the version should be a constant string "current".
Example:
v1.2.3
UUID of the profile, based on a SHA of (imageId + profileVersion).
Name of the profile, which includes registry/repository:tag@hash.
Version of the profile, incremented when the model is updated.
UUID of the image, based on a SHA256 of the image content.
Name of the image, as registry/repository:tag.
profile
policy
Array of rules to create. If no rules need to be created, this will be an empty array
A unique identifier representing a specific rule
Example:
1
A name for this object. For Falco rules/macros/lists, should exactly be the value of the "rule"/"macro"/"list" property of the yaml object.
Example:
Write Below Binary Dir
A string naming the entity that created this rule. This, combined with the version identifier, corresponds to the "Published by" field in the UI. The origin should be "Secure UI" for objects created by the Secure UI, "Sysdig" for objects provided by Sysdig, and "Customer" for objects provided programmatically by the customer.
Allowable values: [
Secure UI
,Sysdig
,Customer
,Profiling
,K8s Policy Advisor
,Compliance
,Tuner
]Example:
Secure UI
A string representing the version of the file that contained this rule. This, combined with the origin, corresponds to the "Published by" field in the UI. For rules with origin == Sysdig/Customer, the version identifier should come from the version property of the FalcoRulesFiles object that originally contained the rule. For rules with origin == Secure UI, the version should be a constant string "current".
Example:
v1.2.3
The name of a Falco rules file
Example:
falco_rules_local.yaml
The version is incremented when the update is successful.
Example:
5
A timestamp (in milliseconds) of when the rules object was first created.
Example:
1553702727177
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
The set of tags
Examples:ViewA description of this rule. No newlines/formatting.
Example:
an attempt to write to any file below a set of binary directories
Indicates the rule type
Allowable values: [
PROCESS
,CONTAINER
,FILESYSTEM
,NETWORK
,SYSCALL
,FALCO
]Example:
FALCO
the full condition text exactly as represented in the yaml file
Example:
evt.type in (open, openat) and bin_dir and fd.name in (monitored_directories)
an array containing the broken-up components of this falco rule's condition field
An opaque hunk of condition text. May contain a mix of fields, relational operators, etc. Basically anything between Macro/List references.
Example:
evt.type in (open, openat) and
undefined
components
condition
A string describing the output string to generate when this rule matches an event. Should exactly match the output property of the rule's output field
Example:
File below a known binary directory opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)
A string describing the falco rule's priority. This is only included so the resulting rule can be converted back to yaml easily. For the purposes of policy events, the policy's severity should be used instead of this value.
Allowable values: [
emergency
,alert
,critical
,error
,warning
,notice
,informational
,debug
]Example:
error
If true, this object should be appended to an object with the same name that has already been loaded. Defaults to false if not present.
Allowable values: [
true
,false
]Example:
true
An event source through which Falco rules are evaluated. The enum syscall corresponds to the policy types falco and list_matching. The enum k8s_audit corresponds to the policy type k8s_audit
Allowable values: [
syscall
,k8s_audit
,aws_cloudtrail
,gcp_auditlog
,azure_platformlogs
]
details
rules
Response
A short name for the policy
Example:
Check filesystem activity
Description of policy
Example:
Monitor all filesystem operations and look for suspicious or notable behavior
How severe is this policy when violated. Range from 0 to 7 included.
Example:
4
True if the policy should be considered
Example:
true
Where the policy is being applied- Container, Host etc..
Example:
container.image.repository = sysdig/agent
Array of PolicyRules representing each Rule referenced by this policy
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
rules
Array of rule names. (They must be names instead of ids, as the rules list view is by name, to account for multiple rules having the same name).
Examples:ViewFunctional behavior that can be enabled within a policy and should be performed if the condition of a policy is met. Certain actions may only make sense for policies of a particular type.
Possible values: [
POLICY_ACTION_CAPTURE
]specifies the subset to match
Example:
proc.name=cat or proc.name=vi
period of time to capture before event in nanoseconds
period of time to capture after event in nanoseconds
the name of the file in which the capture will be saved
specifies which strategy will be taken to store the capture
Possible values: [
LOCAL
,S3
,AGENT
,PROVIDED
,CASSANDRA
]identifies an s3 compliant bucket
the name of an s3 folder (enables the user to specify a bucket that is not in the default bucket root folder '/')
specifies the id of a row in the file_storage table that corresponds to a FileStorageDetails.java object
undefined
actions
A name for a non overlapping subset of policies that share common characteristics. The enums falco and list_matching correspond to the FalcoSource enum syscall, k8s_audit corresponds to k8s_audit, and the others will map to a future enum value once OSS Falco decides a name
Possible values: [
falco
,list_matching
,k8s_audit
,aws_cloudtrail
,gcp_auditlog
,azure_platformlogs
,drift
,machine_learning
,falco_cloud_awscloudtrail
]Unique identifier representing a specific policy.
Example:
1
Version of the object. Incremented on each update and used for optimistic locking
Example:
18
id of the template this policy was birthed from. For unmanaged policies this value is nil
Example:
2
version of the template this policy was most recently updated from.
Example:
4
is this a default policy
Example:
true
runbook url
Example:
https://runbook.com
A timestamp (in milliseconds) of when the rules object was first created.
Example:
1553702727177
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
A string naming the entity that created this rule. This, combined with the version identifier, corresponds to the "Published by" field in the UI. The origin should be "Secure UI" for objects created by the Secure UI, "Sysdig" for objects provided by Sysdig, and "Customer" for objects provided programmatically by the customer.
Possible values: [
Secure UI
,Sysdig
,Customer
,Profiling
,K8s Policy Advisor
,Compliance
,Tuner
]Example:
Secure UI
A string representing the version of the file that contained this rule. This, combined with the origin, corresponds to the "Published by" field in the UI. For rules with origin == Sysdig/Customer, the version identifier should come from the version property of the FalcoRulesFiles object that originally contained the rule. For rules with origin == Secure UI, the version should be a constant string "current".
Example:
v1.2.3
UUID of the profile, based on a SHA of (imageId + profileVersion).
Name of the profile, which includes registry/repository:tag@hash.
Version of the profile, incremented when the model is updated.
UUID of the image, based on a SHA256 of the image content.
Name of the image, as registry/repository:tag.
profile
policy
Array of newly created rules. If no rules were created, this will be an empty array
A unique identifier representing a specific rule
Example:
1
A name for this object. For Falco rules/macros/lists, should exactly be the value of the "rule"/"macro"/"list" property of the yaml object.
Example:
Write Below Binary Dir
A string naming the entity that created this rule. This, combined with the version identifier, corresponds to the "Published by" field in the UI. The origin should be "Secure UI" for objects created by the Secure UI, "Sysdig" for objects provided by Sysdig, and "Customer" for objects provided programmatically by the customer.
Possible values: [
Secure UI
,Sysdig
,Customer
,Profiling
,K8s Policy Advisor
,Compliance
,Tuner
]Example:
Secure UI
A string representing the version of the file that contained this rule. This, combined with the origin, corresponds to the "Published by" field in the UI. For rules with origin == Sysdig/Customer, the version identifier should come from the version property of the FalcoRulesFiles object that originally contained the rule. For rules with origin == Secure UI, the version should be a constant string "current".
Example:
v1.2.3
The name of a Falco rules file
Example:
falco_rules_local.yaml
The version is incremented when the update is successful.
Example:
5
A timestamp (in milliseconds) of when the rules object was first created.
Example:
1553702727177
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
The set of tags
Examples:ViewA description of this rule. No newlines/formatting.
Example:
an attempt to write to any file below a set of binary directories
Indicates the rule type
Possible values: [
PROCESS
,CONTAINER
,FILESYSTEM
,NETWORK
,SYSCALL
,FALCO
]Example:
FALCO
the full condition text exactly as represented in the yaml file
Example:
evt.type in (open, openat) and bin_dir and fd.name in (monitored_directories)
an array containing the broken-up components of this falco rule's condition field
An opaque hunk of condition text. May contain a mix of fields, relational operators, etc. Basically anything between Macro/List references.
Example:
evt.type in (open, openat) and
undefined
components
condition
A string describing the output string to generate when this rule matches an event. Should exactly match the output property of the rule's output field
Example:
File below a known binary directory opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)
A string describing the falco rule's priority. This is only included so the resulting rule can be converted back to yaml easily. For the purposes of policy events, the policy's severity should be used instead of this value.
Possible values: [
emergency
,alert
,critical
,error
,warning
,notice
,informational
,debug
]Example:
error
If true, this object should be appended to an object with the same name that has already been loaded. Defaults to false if not present.
Possible values: [
true
,false
]Example:
true
An event source through which Falco rules are evaluated. The enum syscall corresponds to the policy types falco and list_matching. The enum k8s_audit corresponds to the policy type k8s_audit
Possible values: [
syscall
,k8s_audit
,aws_cloudtrail
,gcp_auditlog
,azure_platformlogs
]
details
rules
Status Code
The newly created policy and rules
A submitted policy or rule was invalid
No Sample Response
Request
A unique identifier representing a specific rule
Example:
1
A name for this object. For Falco rules/macros/lists, should exactly be the value of the "rule"/"macro"/"list" property of the yaml object.
Example:
Write Below Binary Dir
A string naming the entity that created this rule. This, combined with the version identifier, corresponds to the "Published by" field in the UI. The origin should be "Secure UI" for objects created by the Secure UI, "Sysdig" for objects provided by Sysdig, and "Customer" for objects provided programmatically by the customer.
Allowable values: [
Secure UI
,Sysdig
,Customer
,Profiling
,K8s Policy Advisor
,Compliance
,Tuner
]Example:
Secure UI
A string representing the version of the file that contained this rule. This, combined with the origin, corresponds to the "Published by" field in the UI. For rules with origin == Sysdig/Customer, the version identifier should come from the version property of the FalcoRulesFiles object that originally contained the rule. For rules with origin == Secure UI, the version should be a constant string "current".
Example:
v1.2.3
The name of a Falco rules file
Example:
falco_rules_local.yaml
The version is incremented when the update is successful.
Example:
5
A timestamp (in milliseconds) of when the rules object was first created.
Example:
1553702727177
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
The set of tags
Examples:ViewA description of this rule. No newlines/formatting.
Example:
an attempt to write to any file below a set of binary directories
Indicates the rule type
Allowable values: [
PROCESS
,CONTAINER
,FILESYSTEM
,NETWORK
,SYSCALL
,FALCO
]Example:
FALCO
the full condition text exactly as represented in the yaml file
Example:
evt.type in (open, openat) and bin_dir and fd.name in (monitored_directories)
an array containing the broken-up components of this falco rule's condition field
An opaque hunk of condition text. May contain a mix of fields, relational operators, etc. Basically anything between Macro/List references.
Example:
evt.type in (open, openat) and
undefined
components
condition
A string describing the output string to generate when this rule matches an event. Should exactly match the output property of the rule's output field
Example:
File below a known binary directory opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)
A string describing the falco rule's priority. This is only included so the resulting rule can be converted back to yaml easily. For the purposes of policy events, the policy's severity should be used instead of this value.
Allowable values: [
emergency
,alert
,critical
,error
,warning
,notice
,informational
,debug
]Example:
error
If true, this object should be appended to an object with the same name that has already been loaded. Defaults to false if not present.
Allowable values: [
true
,false
]Example:
true
An event source through which Falco rules are evaluated. The enum syscall corresponds to the policy types falco and list_matching. The enum k8s_audit corresponds to the policy type k8s_audit
Allowable values: [
syscall
,k8s_audit
,aws_cloudtrail
,gcp_auditlog
,azure_platformlogs
]
details
Response
A unique identifier representing a specific rule
Example:
1
A name for this object. For Falco rules/macros/lists, should exactly be the value of the "rule"/"macro"/"list" property of the yaml object.
Example:
Write Below Binary Dir
A string naming the entity that created this rule. This, combined with the version identifier, corresponds to the "Published by" field in the UI. The origin should be "Secure UI" for objects created by the Secure UI, "Sysdig" for objects provided by Sysdig, and "Customer" for objects provided programmatically by the customer.
Possible values: [
Secure UI
,Sysdig
,Customer
,Profiling
,K8s Policy Advisor
,Compliance
,Tuner
]Example:
Secure UI
A string representing the version of the file that contained this rule. This, combined with the origin, corresponds to the "Published by" field in the UI. For rules with origin == Sysdig/Customer, the version identifier should come from the version property of the FalcoRulesFiles object that originally contained the rule. For rules with origin == Secure UI, the version should be a constant string "current".
Example:
v1.2.3
The name of a Falco rules file
Example:
falco_rules_local.yaml
The version is incremented when the update is successful.
Example:
5
A timestamp (in milliseconds) of when the rules object was first created.
Example:
1553702727177
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
The set of tags
Examples:ViewA description of this rule. No newlines/formatting.
Example:
an attempt to write to any file below a set of binary directories
Indicates the rule type
Possible values: [
PROCESS
,CONTAINER
,FILESYSTEM
,NETWORK
,SYSCALL
,FALCO
]Example:
FALCO
the full condition text exactly as represented in the yaml file
Example:
evt.type in (open, openat) and bin_dir and fd.name in (monitored_directories)
an array containing the broken-up components of this falco rule's condition field
An opaque hunk of condition text. May contain a mix of fields, relational operators, etc. Basically anything between Macro/List references.
Example:
evt.type in (open, openat) and
undefined
components
condition
A string describing the output string to generate when this rule matches an event. Should exactly match the output property of the rule's output field
Example:
File below a known binary directory opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)
A string describing the falco rule's priority. This is only included so the resulting rule can be converted back to yaml easily. For the purposes of policy events, the policy's severity should be used instead of this value.
Possible values: [
emergency
,alert
,critical
,error
,warning
,notice
,informational
,debug
]Example:
error
If true, this object should be appended to an object with the same name that has already been loaded. Defaults to false if not present.
Possible values: [
true
,false
]Example:
true
An event source through which Falco rules are evaluated. The enum syscall corresponds to the policy types falco and list_matching. The enum k8s_audit corresponds to the policy type k8s_audit
Possible values: [
syscall
,k8s_audit
,aws_cloudtrail
,gcp_auditlog
,azure_platformlogs
]
details
Status Code
The saved rule
The provided rule is not valid
No Sample Response
Response
A unique identifier representing a specific rule
Example:
1
A name for this object. For Falco rules/macros/lists, should exactly be the value of the "rule"/"macro"/"list" property of the yaml object.
Example:
Write Below Binary Dir
A string naming the entity that created this rule. This, combined with the version identifier, corresponds to the "Published by" field in the UI. The origin should be "Secure UI" for objects created by the Secure UI, "Sysdig" for objects provided by Sysdig, and "Customer" for objects provided programmatically by the customer.
Possible values: [
Secure UI
,Sysdig
,Customer
,Profiling
,K8s Policy Advisor
,Compliance
,Tuner
]Example:
Secure UI
A string representing the version of the file that contained this rule. This, combined with the origin, corresponds to the "Published by" field in the UI. For rules with origin == Sysdig/Customer, the version identifier should come from the version property of the FalcoRulesFiles object that originally contained the rule. For rules with origin == Secure UI, the version should be a constant string "current".
Example:
v1.2.3
The name of a Falco rules file
Example:
falco_rules_local.yaml
The version is incremented when the update is successful.
Example:
5
A timestamp (in milliseconds) of when the rules object was first created.
Example:
1553702727177
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
The set of tags
Examples:ViewA description of this rule. No newlines/formatting.
Example:
an attempt to write to any file below a set of binary directories
Indicates the rule type
Possible values: [
PROCESS
,CONTAINER
,FILESYSTEM
,NETWORK
,SYSCALL
,FALCO
]Example:
FALCO
the full condition text exactly as represented in the yaml file
Example:
evt.type in (open, openat) and bin_dir and fd.name in (monitored_directories)
an array containing the broken-up components of this falco rule's condition field
An opaque hunk of condition text. May contain a mix of fields, relational operators, etc. Basically anything between Macro/List references.
Example:
evt.type in (open, openat) and
undefined
components
condition
A string describing the output string to generate when this rule matches an event. Should exactly match the output property of the rule's output field
Example:
File below a known binary directory opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)
A string describing the falco rule's priority. This is only included so the resulting rule can be converted back to yaml easily. For the purposes of policy events, the policy's severity should be used instead of this value.
Possible values: [
emergency
,alert
,critical
,error
,warning
,notice
,informational
,debug
]Example:
error
If true, this object should be appended to an object with the same name that has already been loaded. Defaults to false if not present.
Possible values: [
true
,false
]Example:
true
An event source through which Falco rules are evaluated. The enum syscall corresponds to the policy types falco and list_matching. The enum k8s_audit corresponds to the policy type k8s_audit
Possible values: [
syscall
,k8s_audit
,aws_cloudtrail
,gcp_auditlog
,azure_platformlogs
]
details
Status Code
The rule with the given id
No Sample Response
Request
Path Parameters
A unique identifier representing a specific rule
Example:
1
A name for this object. For Falco rules/macros/lists, should exactly be the value of the "rule"/"macro"/"list" property of the yaml object.
Example:
Write Below Binary Dir
A string naming the entity that created this rule. This, combined with the version identifier, corresponds to the "Published by" field in the UI. The origin should be "Secure UI" for objects created by the Secure UI, "Sysdig" for objects provided by Sysdig, and "Customer" for objects provided programmatically by the customer.
Allowable values: [
Secure UI
,Sysdig
,Customer
,Profiling
,K8s Policy Advisor
,Compliance
,Tuner
]Example:
Secure UI
A string representing the version of the file that contained this rule. This, combined with the origin, corresponds to the "Published by" field in the UI. For rules with origin == Sysdig/Customer, the version identifier should come from the version property of the FalcoRulesFiles object that originally contained the rule. For rules with origin == Secure UI, the version should be a constant string "current".
Example:
v1.2.3
The name of a Falco rules file
Example:
falco_rules_local.yaml
The version is incremented when the update is successful.
Example:
5
A timestamp (in milliseconds) of when the rules object was first created.
Example:
1553702727177
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
The set of tags
Examples:ViewA description of this rule. No newlines/formatting.
Example:
an attempt to write to any file below a set of binary directories
Indicates the rule type
Allowable values: [
PROCESS
,CONTAINER
,FILESYSTEM
,NETWORK
,SYSCALL
,FALCO
]Example:
FALCO
the full condition text exactly as represented in the yaml file
Example:
evt.type in (open, openat) and bin_dir and fd.name in (monitored_directories)
an array containing the broken-up components of this falco rule's condition field
An opaque hunk of condition text. May contain a mix of fields, relational operators, etc. Basically anything between Macro/List references.
Example:
evt.type in (open, openat) and
undefined
components
condition
A string describing the output string to generate when this rule matches an event. Should exactly match the output property of the rule's output field
Example:
File below a known binary directory opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)
A string describing the falco rule's priority. This is only included so the resulting rule can be converted back to yaml easily. For the purposes of policy events, the policy's severity should be used instead of this value.
Allowable values: [
emergency
,alert
,critical
,error
,warning
,notice
,informational
,debug
]Example:
error
If true, this object should be appended to an object with the same name that has already been loaded. Defaults to false if not present.
Allowable values: [
true
,false
]Example:
true
An event source through which Falco rules are evaluated. The enum syscall corresponds to the policy types falco and list_matching. The enum k8s_audit corresponds to the policy type k8s_audit
Allowable values: [
syscall
,k8s_audit
,aws_cloudtrail
,gcp_auditlog
,azure_platformlogs
]
details
Response
A unique identifier representing a specific rule
Example:
1
A name for this object. For Falco rules/macros/lists, should exactly be the value of the "rule"/"macro"/"list" property of the yaml object.
Example:
Write Below Binary Dir
A string naming the entity that created this rule. This, combined with the version identifier, corresponds to the "Published by" field in the UI. The origin should be "Secure UI" for objects created by the Secure UI, "Sysdig" for objects provided by Sysdig, and "Customer" for objects provided programmatically by the customer.
Possible values: [
Secure UI
,Sysdig
,Customer
,Profiling
,K8s Policy Advisor
,Compliance
,Tuner
]Example:
Secure UI
A string representing the version of the file that contained this rule. This, combined with the origin, corresponds to the "Published by" field in the UI. For rules with origin == Sysdig/Customer, the version identifier should come from the version property of the FalcoRulesFiles object that originally contained the rule. For rules with origin == Secure UI, the version should be a constant string "current".
Example:
v1.2.3
The name of a Falco rules file
Example:
falco_rules_local.yaml
The version is incremented when the update is successful.
Example:
5
A timestamp (in milliseconds) of when the rules object was first created.
Example:
1553702727177
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
The set of tags
Examples:ViewA description of this rule. No newlines/formatting.
Example:
an attempt to write to any file below a set of binary directories
Indicates the rule type
Possible values: [
PROCESS
,CONTAINER
,FILESYSTEM
,NETWORK
,SYSCALL
,FALCO
]Example:
FALCO
the full condition text exactly as represented in the yaml file
Example:
evt.type in (open, openat) and bin_dir and fd.name in (monitored_directories)
an array containing the broken-up components of this falco rule's condition field
An opaque hunk of condition text. May contain a mix of fields, relational operators, etc. Basically anything between Macro/List references.
Example:
evt.type in (open, openat) and
undefined
components
condition
A string describing the output string to generate when this rule matches an event. Should exactly match the output property of the rule's output field
Example:
File below a known binary directory opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)
A string describing the falco rule's priority. This is only included so the resulting rule can be converted back to yaml easily. For the purposes of policy events, the policy's severity should be used instead of this value.
Possible values: [
emergency
,alert
,critical
,error
,warning
,notice
,informational
,debug
]Example:
error
If true, this object should be appended to an object with the same name that has already been loaded. Defaults to false if not present.
Possible values: [
true
,false
]Example:
true
An event source through which Falco rules are evaluated. The enum syscall corresponds to the policy types falco and list_matching. The enum k8s_audit corresponds to the policy type k8s_audit
Possible values: [
syscall
,k8s_audit
,aws_cloudtrail
,gcp_auditlog
,azure_platformlogs
]
details
Status Code
The rule with the given id
The provided rule is not valid
Resource with the specified ID could not be found. More information about 404 can be found at https://httpstatuses.com/404
The user must first perform a GET request to get the current version of the resource. The user must then compare the remote version with the local expected version and merge any updates from remote if needed and then update the local version to match the remote version. More information about 409 can be found at https://httpstatuses.com/409
No Sample Response
Response
A unique identifier representing a specific rule
Example:
1
A name for this object. For Falco rules/macros/lists, should exactly be the value of the "rule"/"macro"/"list" property of the yaml object.
Example:
Write Below Binary Dir
A string naming the entity that created this rule. This, combined with the version identifier, corresponds to the "Published by" field in the UI. The origin should be "Secure UI" for objects created by the Secure UI, "Sysdig" for objects provided by Sysdig, and "Customer" for objects provided programmatically by the customer.
Possible values: [
Secure UI
,Sysdig
,Customer
,Profiling
,K8s Policy Advisor
,Compliance
,Tuner
]Example:
Secure UI
A string representing the version of the file that contained this rule. This, combined with the origin, corresponds to the "Published by" field in the UI. For rules with origin == Sysdig/Customer, the version identifier should come from the version property of the FalcoRulesFiles object that originally contained the rule. For rules with origin == Secure UI, the version should be a constant string "current".
Example:
v1.2.3
The name of a Falco rules file
Example:
falco_rules_local.yaml
The version is incremented when the update is successful.
Example:
5
A timestamp (in milliseconds) of when the rules object was first created.
Example:
1553702727177
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
The set of tags
Examples:ViewA description of this rule. No newlines/formatting.
Example:
an attempt to write to any file below a set of binary directories
Indicates the rule type
Possible values: [
PROCESS
,CONTAINER
,FILESYSTEM
,NETWORK
,SYSCALL
,FALCO
]Example:
FALCO
the full condition text exactly as represented in the yaml file
Example:
evt.type in (open, openat) and bin_dir and fd.name in (monitored_directories)
an array containing the broken-up components of this falco rule's condition field
An opaque hunk of condition text. May contain a mix of fields, relational operators, etc. Basically anything between Macro/List references.
Example:
evt.type in (open, openat) and
undefined
components
condition
A string describing the output string to generate when this rule matches an event. Should exactly match the output property of the rule's output field
Example:
File below a known binary directory opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)
A string describing the falco rule's priority. This is only included so the resulting rule can be converted back to yaml easily. For the purposes of policy events, the policy's severity should be used instead of this value.
Possible values: [
emergency
,alert
,critical
,error
,warning
,notice
,informational
,debug
]Example:
error
If true, this object should be appended to an object with the same name that has already been loaded. Defaults to false if not present.
Possible values: [
true
,false
]Example:
true
An event source through which Falco rules are evaluated. The enum syscall corresponds to the policy types falco and list_matching. The enum k8s_audit corresponds to the policy type k8s_audit
Possible values: [
syscall
,k8s_audit
,aws_cloudtrail
,gcp_auditlog
,azure_platformlogs
]
details
Status Code
The rule that was deleted
No Sample Response
Retrieve a list of summary rule information, grouped by rule name
Returns the list of rules in the system. These are grouped by name and do not necessarily represent individual rule objects, as multiple rules can have the same name.
GET /api/secure/rules/summaries
Request
Query Parameters
A name for a non overlapping subset of policies that share common characteristics. The enums falco and list_matching correspond to the FalcoSource enum syscall, k8s_audit corresponds to k8s_audit, and the others will map to a future enum value once OSS Falco decides a name
Allowable values: [
falco
,list_matching
,k8s_audit
,aws_cloudtrail
,gcp_auditlog
,azure_platformlogs
,drift
,machine_learning
,falco_cloud_awscloudtrail
]
Response
The specific object ids having this name
Examples:ViewA name for this object. For Falco rules/macros/lists, should exactly be the value of the "rule"/"macro"/"list" property of the yaml object.
Example:
Write Below Binary Dir
A set of (origin,versionId) pairs for all the objects sharing this name.
A string naming the entity that created this rule. This, combined with the version identifier, corresponds to the "Published by" field in the UI. The origin should be "Secure UI" for objects created by the Secure UI, "Sysdig" for objects provided by Sysdig, and "Customer" for objects provided programmatically by the customer.
Possible values: [
Secure UI
,Sysdig
,Customer
,Profiling
,K8s Policy Advisor
,Compliance
,Tuner
]Example:
Secure UI
A string representing the version of the file that contained this rule. This, combined with the origin, corresponds to the "Published by" field in the UI. For rules with origin == Sysdig/Customer, the version identifier should come from the version property of the FalcoRulesFiles object that originally contained the rule. For rules with origin == Secure UI, the version should be a constant string "current".
Example:
v1.2.3
publishedBys
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
Indicates the rule type
Possible values: [
PROCESS
,CONTAINER
,FILESYSTEM
,NETWORK
,SYSCALL
,FALCO
]Example:
FALCO
The number of rules that refer to this object (macro/list) OR the number of policies that refer to this rule
The set of tags
Examples:ViewA timestamp (in milliseconds) of when the rules object was first created.
Example:
1553702738265
Status Code
An array of rules grouped by name.
No Sample Response
Retrieve a group of all rules having a given name
Retrieve a group of all rules having the given name. This is used to show how a base rule is modified by later rules that override/append to the rule. If there are multiple rules with the same name of different types, rule type must be specified.
GET /api/secure/rules/groups
Response
A unique identifier representing a specific rule
Example:
1
A name for this object. For Falco rules/macros/lists, should exactly be the value of the "rule"/"macro"/"list" property of the yaml object.
Example:
Write Below Binary Dir
A string naming the entity that created this rule. This, combined with the version identifier, corresponds to the "Published by" field in the UI. The origin should be "Secure UI" for objects created by the Secure UI, "Sysdig" for objects provided by Sysdig, and "Customer" for objects provided programmatically by the customer.
Possible values: [
Secure UI
,Sysdig
,Customer
,Profiling
,K8s Policy Advisor
,Compliance
,Tuner
]Example:
Secure UI
A string representing the version of the file that contained this rule. This, combined with the origin, corresponds to the "Published by" field in the UI. For rules with origin == Sysdig/Customer, the version identifier should come from the version property of the FalcoRulesFiles object that originally contained the rule. For rules with origin == Secure UI, the version should be a constant string "current".
Example:
v1.2.3
The name of a Falco rules file
Example:
falco_rules_local.yaml
The version is incremented when the update is successful.
Example:
5
A timestamp (in milliseconds) of when the rules object was first created.
Example:
1553702727177
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
The set of tags
Examples:ViewA description of this rule. No newlines/formatting.
Example:
an attempt to write to any file below a set of binary directories
Indicates the rule type
Possible values: [
PROCESS
,CONTAINER
,FILESYSTEM
,NETWORK
,SYSCALL
,FALCO
]Example:
FALCO
the full condition text exactly as represented in the yaml file
Example:
evt.type in (open, openat) and bin_dir and fd.name in (monitored_directories)
an array containing the broken-up components of this falco rule's condition field
An opaque hunk of condition text. May contain a mix of fields, relational operators, etc. Basically anything between Macro/List references.
Example:
evt.type in (open, openat) and
undefined
components
condition
A string describing the output string to generate when this rule matches an event. Should exactly match the output property of the rule's output field
Example:
File below a known binary directory opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)
A string describing the falco rule's priority. This is only included so the resulting rule can be converted back to yaml easily. For the purposes of policy events, the policy's severity should be used instead of this value.
Possible values: [
emergency
,alert
,critical
,error
,warning
,notice
,informational
,debug
]Example:
error
If true, this object should be appended to an object with the same name that has already been loaded. Defaults to false if not present.
Possible values: [
true
,false
]Example:
true
An event source through which Falco rules are evaluated. The enum syscall corresponds to the policy types falco and list_matching. The enum k8s_audit corresponds to the policy type k8s_audit
Possible values: [
syscall
,k8s_audit
,aws_cloudtrail
,gcp_auditlog
,azure_platformlogs
]
details
Status Code
An array of rules
No Sample Response
Retrieve a group of all rules matching a list of given names
Retrieve a group of all rules matching a list of given names. This is used to show how a base rule is modified by later rules that override/append to the rule. This API would be faster than making calls to "#/api/secure/rules/groups" with one rule name at a time
GET /api/policies/v3/rules/groups
Response
Status Code
A wrapper object containing array of rule groups, where outside array size will be the same size as the valid rule names passed in query params and these will be sorted by the name. Each rule group will contain base rule followed by appends and will be ordered by rule origin ["Secure UI", "Sysdig", "Profiling", "Tuner"]
Indicates the names field is either missing or is empty
No Sample Response
Retrieve a map of rule names to their corresponding policies that use them
Retrieve a map of rule names to their corresponding policies that use them. The accept header will include "lite" to indicate the lightweight response of the endpoint should be returned e.g. 'application/xhtml+xml; lite' and return the full representation if not requested
GET /api/secure/rules/policyMappings
Request
Query Parameters
A string naming the entity that created this rule. This, combined with the version identifier, corresponds to the "Published by" field in the UI. The origin should be "Secure UI" for objects created by the Secure UI, "Sysdig" for objects provided by Sysdig, and "Customer" for objects provided programmatically by the customer.
Allowable values: [
Secure UI
,Sysdig
,Customer
,Profiling
,K8s Policy Advisor
,Compliance
,Tuner
]Example:
Secure UI
Response
the name of a runtime policy rule
Example:
shell_in_container
policy type of the policies corresponding to this rule
Example:
aws_cloudtrail
Unique identifier representing a specific policy.
Example:
1
A short name for the policy
Example:
Check filesystem activity
True if the policy should be considered
Example:
true
policies
Status Code
An array of policies
No Sample Response
Request
A unique identifier representing a specific rule
Example:
1
A name for this object. For Falco rules/macros/lists, should exactly be the value of the "rule"/"macro"/"list" property of the yaml object.
Example:
Write Below Binary Dir
A string naming the entity that created this rule. This, combined with the version identifier, corresponds to the "Published by" field in the UI. The origin should be "Secure UI" for objects created by the Secure UI, "Sysdig" for objects provided by Sysdig, and "Customer" for objects provided programmatically by the customer.
Allowable values: [
Secure UI
,Sysdig
,Customer
,Profiling
,K8s Policy Advisor
,Compliance
,Tuner
]Example:
Secure UI
A string representing the version of the file that contained this rule. This, combined with the origin, corresponds to the "Published by" field in the UI. For rules with origin == Sysdig/Customer, the version identifier should come from the version property of the FalcoRulesFiles object that originally contained the rule. For rules with origin == Secure UI, the version should be a constant string "current".
Example:
v1.2.3
The name of a Falco rules file
Example:
falco_rules_local.yaml
The version is incremented when the update is successful.
Example:
5
A timestamp (in milliseconds) of when the rules object was first created.
Example:
1553702727177
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
the full condition text exactly as represented in the yaml file
Example:
evt.type in (open, openat) and bin_dir and fd.name in (monitored_directories)
an array containing the broken-up components of this falco rule's condition field
An opaque hunk of condition text. May contain a mix of fields, relational operators, etc. Basically anything between Macro/List references.
Example:
evt.type in (open, openat) and
undefined
components
condition
If true, this object should be appended to an object with the same name that has already been loaded. Defaults to false if not present.
Allowable values: [
true
,false
]Example:
true
Response
A unique identifier representing a specific rule
Example:
1
A name for this object. For Falco rules/macros/lists, should exactly be the value of the "rule"/"macro"/"list" property of the yaml object.
Example:
Write Below Binary Dir
A string naming the entity that created this rule. This, combined with the version identifier, corresponds to the "Published by" field in the UI. The origin should be "Secure UI" for objects created by the Secure UI, "Sysdig" for objects provided by Sysdig, and "Customer" for objects provided programmatically by the customer.
Possible values: [
Secure UI
,Sysdig
,Customer
,Profiling
,K8s Policy Advisor
,Compliance
,Tuner
]Example:
Secure UI
A string representing the version of the file that contained this rule. This, combined with the origin, corresponds to the "Published by" field in the UI. For rules with origin == Sysdig/Customer, the version identifier should come from the version property of the FalcoRulesFiles object that originally contained the rule. For rules with origin == Secure UI, the version should be a constant string "current".
Example:
v1.2.3
The name of a Falco rules file
Example:
falco_rules_local.yaml
The version is incremented when the update is successful.
Example:
5
A timestamp (in milliseconds) of when the rules object was first created.
Example:
1553702727177
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
the full condition text exactly as represented in the yaml file
Example:
evt.type in (open, openat) and bin_dir and fd.name in (monitored_directories)
an array containing the broken-up components of this falco rule's condition field
An opaque hunk of condition text. May contain a mix of fields, relational operators, etc. Basically anything between Macro/List references.
Example:
evt.type in (open, openat) and
undefined
components
condition
If true, this object should be appended to an object with the same name that has already been loaded. Defaults to false if not present.
Possible values: [
true
,false
]Example:
true
Status Code
The saved FalcoMacro
The provided FalcoMacro was invalid
No Sample Response
Response
A unique identifier representing a specific rule
Example:
1
A name for this object. For Falco rules/macros/lists, should exactly be the value of the "rule"/"macro"/"list" property of the yaml object.
Example:
Write Below Binary Dir
A string naming the entity that created this rule. This, combined with the version identifier, corresponds to the "Published by" field in the UI. The origin should be "Secure UI" for objects created by the Secure UI, "Sysdig" for objects provided by Sysdig, and "Customer" for objects provided programmatically by the customer.
Possible values: [
Secure UI
,Sysdig
,Customer
,Profiling
,K8s Policy Advisor
,Compliance
,Tuner
]Example:
Secure UI
A string representing the version of the file that contained this rule. This, combined with the origin, corresponds to the "Published by" field in the UI. For rules with origin == Sysdig/Customer, the version identifier should come from the version property of the FalcoRulesFiles object that originally contained the rule. For rules with origin == Secure UI, the version should be a constant string "current".
Example:
v1.2.3
The name of a Falco rules file
Example:
falco_rules_local.yaml
The version is incremented when the update is successful.
Example:
5
A timestamp (in milliseconds) of when the rules object was first created.
Example:
1553702727177
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
the full condition text exactly as represented in the yaml file
Example:
evt.type in (open, openat) and bin_dir and fd.name in (monitored_directories)
an array containing the broken-up components of this falco rule's condition field
An opaque hunk of condition text. May contain a mix of fields, relational operators, etc. Basically anything between Macro/List references.
Example:
evt.type in (open, openat) and
undefined
components
condition
If true, this object should be appended to an object with the same name that has already been loaded. Defaults to false if not present.
Possible values: [
true
,false
]Example:
true
Status Code
The macro with the given id
No Sample Response
Request
Path Parameters
A unique identifier representing a specific rule
Example:
1
A name for this object. For Falco rules/macros/lists, should exactly be the value of the "rule"/"macro"/"list" property of the yaml object.
Example:
Write Below Binary Dir
A string naming the entity that created this rule. This, combined with the version identifier, corresponds to the "Published by" field in the UI. The origin should be "Secure UI" for objects created by the Secure UI, "Sysdig" for objects provided by Sysdig, and "Customer" for objects provided programmatically by the customer.
Allowable values: [
Secure UI
,Sysdig
,Customer
,Profiling
,K8s Policy Advisor
,Compliance
,Tuner
]Example:
Secure UI
A string representing the version of the file that contained this rule. This, combined with the origin, corresponds to the "Published by" field in the UI. For rules with origin == Sysdig/Customer, the version identifier should come from the version property of the FalcoRulesFiles object that originally contained the rule. For rules with origin == Secure UI, the version should be a constant string "current".
Example:
v1.2.3
The name of a Falco rules file
Example:
falco_rules_local.yaml
The version is incremented when the update is successful.
Example:
5
A timestamp (in milliseconds) of when the rules object was first created.
Example:
1553702727177
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
the full condition text exactly as represented in the yaml file
Example:
evt.type in (open, openat) and bin_dir and fd.name in (monitored_directories)
an array containing the broken-up components of this falco rule's condition field
An opaque hunk of condition text. May contain a mix of fields, relational operators, etc. Basically anything between Macro/List references.
Example:
evt.type in (open, openat) and
undefined
components
condition
If true, this object should be appended to an object with the same name that has already been loaded. Defaults to false if not present.
Allowable values: [
true
,false
]Example:
true
Response
A unique identifier representing a specific rule
Example:
1
A name for this object. For Falco rules/macros/lists, should exactly be the value of the "rule"/"macro"/"list" property of the yaml object.
Example:
Write Below Binary Dir
A string naming the entity that created this rule. This, combined with the version identifier, corresponds to the "Published by" field in the UI. The origin should be "Secure UI" for objects created by the Secure UI, "Sysdig" for objects provided by Sysdig, and "Customer" for objects provided programmatically by the customer.
Possible values: [
Secure UI
,Sysdig
,Customer
,Profiling
,K8s Policy Advisor
,Compliance
,Tuner
]Example:
Secure UI
A string representing the version of the file that contained this rule. This, combined with the origin, corresponds to the "Published by" field in the UI. For rules with origin == Sysdig/Customer, the version identifier should come from the version property of the FalcoRulesFiles object that originally contained the rule. For rules with origin == Secure UI, the version should be a constant string "current".
Example:
v1.2.3
The name of a Falco rules file
Example:
falco_rules_local.yaml
The version is incremented when the update is successful.
Example:
5
A timestamp (in milliseconds) of when the rules object was first created.
Example:
1553702727177
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
the full condition text exactly as represented in the yaml file
Example:
evt.type in (open, openat) and bin_dir and fd.name in (monitored_directories)
an array containing the broken-up components of this falco rule's condition field
An opaque hunk of condition text. May contain a mix of fields, relational operators, etc. Basically anything between Macro/List references.
Example:
evt.type in (open, openat) and
undefined
components
condition
If true, this object should be appended to an object with the same name that has already been loaded. Defaults to false if not present.
Possible values: [
true
,false
]Example:
true
Status Code
The macro with the given id
The updated macro is not valid
Resource with the specified ID could not be found. More information about 404 can be found at https://httpstatuses.com/404
The user must first perform a GET request to get the current version of the resource. The user must then compare the remote version with the local expected version and merge any updates from remote if needed and then update the local version to match the remote version. More information about 409 can be found at https://httpstatuses.com/409
No Sample Response
Response
A unique identifier representing a specific rule
Example:
1
A name for this object. For Falco rules/macros/lists, should exactly be the value of the "rule"/"macro"/"list" property of the yaml object.
Example:
Write Below Binary Dir
A string naming the entity that created this rule. This, combined with the version identifier, corresponds to the "Published by" field in the UI. The origin should be "Secure UI" for objects created by the Secure UI, "Sysdig" for objects provided by Sysdig, and "Customer" for objects provided programmatically by the customer.
Possible values: [
Secure UI
,Sysdig
,Customer
,Profiling
,K8s Policy Advisor
,Compliance
,Tuner
]Example:
Secure UI
A string representing the version of the file that contained this rule. This, combined with the origin, corresponds to the "Published by" field in the UI. For rules with origin == Sysdig/Customer, the version identifier should come from the version property of the FalcoRulesFiles object that originally contained the rule. For rules with origin == Secure UI, the version should be a constant string "current".
Example:
v1.2.3
The name of a Falco rules file
Example:
falco_rules_local.yaml
The version is incremented when the update is successful.
Example:
5
A timestamp (in milliseconds) of when the rules object was first created.
Example:
1553702727177
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
the full condition text exactly as represented in the yaml file
Example:
evt.type in (open, openat) and bin_dir and fd.name in (monitored_directories)
an array containing the broken-up components of this falco rule's condition field
An opaque hunk of condition text. May contain a mix of fields, relational operators, etc. Basically anything between Macro/List references.
Example:
evt.type in (open, openat) and
undefined
components
condition
If true, this object should be appended to an object with the same name that has already been loaded. Defaults to false if not present.
Possible values: [
true
,false
]Example:
true
Status Code
The macro that was just deleted
No Sample Response
Retrieve a list of summary macro information, grouped by macro name
Returns the list of macros in the system. These are grouped by name and do not necessarily represent individual macro objects, as multiple macros can have the same name.
GET /api/secure/falco/macros/summaries
Response
The specific object ids having this name
Examples:ViewA name for this object. For Falco rules/macros/lists, should exactly be the value of the "rule"/"macro"/"list" property of the yaml object.
Example:
Write Below Binary Dir
A set of (origin,versionId) pairs for all the objects sharing this name.
A string naming the entity that created this rule. This, combined with the version identifier, corresponds to the "Published by" field in the UI. The origin should be "Secure UI" for objects created by the Secure UI, "Sysdig" for objects provided by Sysdig, and "Customer" for objects provided programmatically by the customer.
Possible values: [
Secure UI
,Sysdig
,Customer
,Profiling
,K8s Policy Advisor
,Compliance
,Tuner
]Example:
Secure UI
A string representing the version of the file that contained this rule. This, combined with the origin, corresponds to the "Published by" field in the UI. For rules with origin == Sysdig/Customer, the version identifier should come from the version property of the FalcoRulesFiles object that originally contained the rule. For rules with origin == Secure UI, the version should be a constant string "current".
Example:
v1.2.3
publishedBys
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
The number of rules that refer to this object (macro/list) OR the number of policies that refer to this rule
A timestamp (in milliseconds) of when the rules object was first created.
Example:
1553702738265
Status Code
An array of macros grouped by name.
No Sample Response
Retrieve a group of all falco macros having a given name
Retrieve a group of all falco macros having the given name. This is used to show how a base macro is modified by later macros that override/append to the macro.
GET /api/secure/falco/macros/groups
Response
A unique identifier representing a specific rule
Example:
1
A name for this object. For Falco rules/macros/lists, should exactly be the value of the "rule"/"macro"/"list" property of the yaml object.
Example:
Write Below Binary Dir
A string naming the entity that created this rule. This, combined with the version identifier, corresponds to the "Published by" field in the UI. The origin should be "Secure UI" for objects created by the Secure UI, "Sysdig" for objects provided by Sysdig, and "Customer" for objects provided programmatically by the customer.
Possible values: [
Secure UI
,Sysdig
,Customer
,Profiling
,K8s Policy Advisor
,Compliance
,Tuner
]Example:
Secure UI
A string representing the version of the file that contained this rule. This, combined with the origin, corresponds to the "Published by" field in the UI. For rules with origin == Sysdig/Customer, the version identifier should come from the version property of the FalcoRulesFiles object that originally contained the rule. For rules with origin == Secure UI, the version should be a constant string "current".
Example:
v1.2.3
The name of a Falco rules file
Example:
falco_rules_local.yaml
The version is incremented when the update is successful.
Example:
5
A timestamp (in milliseconds) of when the rules object was first created.
Example:
1553702727177
A timestamp (in milliseconds) of when the rules object was last modified.
Example:
1553702738288
the full condition text exactly as represented in the yaml file
Example:
evt.type in (open, openat) and bin_dir and fd.name in (monitored_directories)
an array containing the broken-up components of this falco rule's condition field
An opaque hunk of condition text. May contain a mix of fields, relational operators, etc. Basically anything between Macro/List references.
Example:
evt.type in (open, openat) and
undefined
components
condition
If true, this object should be appended to an object with the same name that has already been loaded. Defaults to false if not present.
Possible values: [
true
,false
]Example:
true
Status Code
An array of macros
No Sample Response
View the available falco filters for a customer
Returns what falco filters are available to customer to configure falco rules
GET /api/settings/falco/filters
Request
Query Parameters
when provided only falco filters corresponding to the specified event source will be included in the response
Allowable values: [
syscall
,k8s_audit
,aws_cloudtrail
,gcp_auditlog
,azure_platformlogs
]
Response
Indicates what the falco filter is called
Example:
container.healthcheck
Provides additional context about the filter such as when it evaluates to true or false and the range of potential evaluation values
Example:
The container's health check. Will be the null value if no healthcheck configured, NONE if configured but explicitly not created, and the healthcheck command line otherwise
Status Code
The falco filters available to customer to configure falco rules
No Sample Response
The policy tuner service records this customer as disabled such that a tune will not be run for this customer during the next run cycle
The policy tuner service records this customer as disabled such that a tune will not be run for this customer during the next run cycle
POST /api/v1/secure/policyTuner/disable
The policy tuner immediately runs tuning for the customer
The policy tuner immediately runs tuning for the customer
POST /api/v1/secure/policyTuner/tuneNow
Response
A name for this file. Should be used in UI to distinguish between files.
Example:
falco_rules.yaml
An array of alternate versions for the given file. An agent should choose the highest version that is compatible with its included falco engine.
A string containing the yaml contents of a falco rules file variant.
Examples:ViewThe minimum falco engine version that can read this rules file variant.
variants
Status Code
The generated tuner FalcoRulesFile
Sysdig has not enabled tuning for this customer
No Sample Response
Returns a list of exceptions to exclude the events matching a set of parameters
Returns a list of exceptions to exclude the events matching a set of parameters
POST /api/v1/secure/policyTuner/excludeEvents
Request
Query Parameters
The timestamp in seconds in which the events to be excluded begin
The timestamp in seconds in which the events to be excluded end
The number of suggested exclusion proposals to return in the responses. The request will be rejected if it is greater than 10 or less than 1.
Response
fields
comps
items
tuples
values
exception
exclusionProposals
Status Code
Indicates the service was able to successfully find a list of exceptions to exclude the provided events
Returned if the start param occurs after the end or if the parameters are of the wrong data type or the limit is out of range
No Sample Response
Create a new Integration
Creates a new Integration for a customer.
POST /api/ticketing/v1/integrations/{provider}
Request
Path Parameters
The ticket management provider.
Example:
jira
Jira cloud Url
Example:
https://sysdig.atlassian.net
Name of your integration.
Example:
DevOps-Integ
Email of the authorized user to access Jira.
Example:
Sam@sysdig.com
Access Token to use to call Jira API.
Example:
XHAGSTOEGV47NH36510E6VBJD6
Response
Integration index.
Example:
10
Jira cloud url.
Example:
https://sysdig.atlassian.net
Name of your integration.
Example:
DevOps-Integ
Email of the authorized user to access Jira.
Example:
sam@sysdig.com
Whether we can connect to jira using this integration.
Example:
active
creation time of the integration.
Example:
2022-06-29T22:46:25.043Z
updated time of the integration.
Example:
2022-06-29T22:46:25.043Z
Status Code
Integration is successfully created.
Invalid input, integration could not be created.
Invalid credentials or missing auth token.
Account is forbidden (inactive/expired customer).
Invalid provider specified.
Integration already exists.
The server encountered an unexpected condition.
No Sample Response
Get all integration.
Fetch all integrations for a customer.
GET /api/ticketing/v1/integrations/{provider}
Response
Integration index.
Example:
10
Jira cloud url.
Example:
https://sysdig.atlassian.net
Name of your integration.
Example:
DevOps-Integ
Email of the authorized user to access Jira.
Example:
sam@sysdig.com
Whether we can connect to jira using this integration.
Example:
active
creation time of the integration.
Example:
2022-06-29T22:46:25.043Z
updated time of the integration.
Example:
2022-06-29T22:46:25.043Z
Status Code
List of all integrations for a customer.
Invalid credentials or missing auth token.
Invalid provider specified.
The server encountered an unexpected condition.
No Sample Response
Get an Integration.
Fetch a single integration Information by id.
GET /api/ticketing/v1/integrations/{provider}/{integration_id}
Response
Integration index.
Example:
10
Jira cloud url.
Example:
https://sysdig.atlassian.net
Name of your integration.
Example:
DevOps-Integ
Email of the authorized user to access Jira.
Example:
sam@sysdig.com
Whether we can connect to jira using this integration.
Example:
active
creation time of the integration.
Example:
2022-06-29T22:46:25.043Z
updated time of the integration.
Example:
2022-06-29T22:46:25.043Z
Status Code
Description of a specific integration.
Invalid credentials or missing auth token.
Integration could not be found.
The server encountered an unexpected condition.
No Sample Response
Update an Integration.
Update an Integration for a customer.
PUT /api/ticketing/v1/integrations/{provider}/{integration_id}
Request
Path Parameters
The ticket management provider.
Example:
jira
Jira cloud Url
Example:
https://sysdig.atlassian.net
Name of your integration.
Example:
DevOps-Integ
Email of the authorized user to access Jira.
Example:
Sam@sysdig.com
Access Token to use to call Jira API.
Example:
XHAGSTOEGV47NH36510E6VBJD6
Response
Integration index.
Example:
10
Jira cloud url.
Example:
https://sysdig.atlassian.net
Name of your integration.
Example:
DevOps-Integ
Email of the authorized user to access Jira.
Example:
sam@sysdig.com
Whether we can connect to jira using this integration.
Example:
active
creation time of the integration.
Example:
2022-06-29T22:46:25.043Z
updated time of the integration.
Example:
2022-06-29T22:46:25.043Z
Status Code
Integration is successfully updated.
Integration could not be modified.
Invalid credentials or missing auth token.
Integration could not be found.
The server encountered an unexpected condition.
No Sample Response
Delete an Integration.
Delete an Integration for a customer.
DELETE /api/ticketing/v1/integrations/{provider}/{integration_id}
Response
Integration index.
Example:
10
Jira cloud url.
Example:
https://sysdig.atlassian.net
Name of your integration.
Example:
DevOps-Integ
Email of the authorized user to access Jira.
Example:
sam@sysdig.com
Whether we can connect to jira using this integration.
Example:
inactive
creation time of the integration.
Example:
2022-06-29T22:46:25.043Z
updated time of the integration.
Example:
2022-06-29T22:46:25.043Z
Status Code
Integration is successfully deleted.
Invalid credentials or missing auth token.
Integration could not be found.
The server encountered an unexpected condition.
No Sample Response
Pull all jira projects.
Fetches the projects information needed for creating a ticket. The projectIDs, issueIDs, and list of assignable users are fetched for a valid integration.
GET /api/ticketing/v1/integrations/{provider}/{integration_id}/projects
Response
Jira project object
Example:
1000
Example:
ENDPT
Example:
ENDPOINT
Status Code
List all jira projects for an integration.
Project could not be fetched.
Account is forbidden (inactive/expired customer).
Integration could not be found.
The server encountered an unexpected condition.
No Sample Response
Pull all jira project metadata.
Fetches the projects information needed for creating a ticket. The list of assignable and issue types users are fetched to help create a ticket.
GET /api/ticketing/v1/integrations/{provider}/{integration_id}/project/{project_id}/projectMeta
Request
Path Parameters
The ticket management provider.
Example:
jira
index of the integration
index of jira project id
Query Parameters
A query string that is matched against user attributes, such as displayName, and emailAddress, to find relevant assignable users.
Response
Example:
1234
Account ID.
Example:
1234567890
User email address.
Example:
jira@sysdig.com
Display name.
Example:
Jira User Name
Wheither the user is active
Example:
true
assignableUsers
Issue type ID.
Example:
1000
Issue type name.
Example:
Bug
Issue type description.
Example:
Bug description
issueTypes
Status Code
Project metadata
Project could not be fetched.
Account is forbidden (inactive/expired customer).
Integration could not be found.
The server encountered an unexpected condition.
No Sample Response
Request
Query Parameters
Allowable values: [
PROVIDER_UNSPECIFIED
,PROVIDER_AWS
,PROVIDER_AZURE
,PROVIDER_GCP
]
Response
CloudAccount captures a snapshot of basic metadata fields associated with a cloud.
Possible values: [
PROVIDER_UNSPECIFIED
,PROVIDER_AWS
,PROVIDER_AZURE
,PROVIDER_GCP
]AccountFeature captures a sysdig feature enabled on a cloud account
Possible values: [
FEATURE_UNSPECIFIED
,FEATURE_SECURE_THREAT_DETECTION
,FEATURE_SECURE_CONFIG_POSTURE
,FEATURE_SECURE_IDENTITY_ENTITLEMENT
,FEATURE_MONITOR_CLOUD_METRICS
]
secureThreatDetection
AccountFeature captures a sysdig feature enabled on a cloud account
Possible values: [
FEATURE_UNSPECIFIED
,FEATURE_SECURE_THREAT_DETECTION
,FEATURE_SECURE_CONFIG_POSTURE
,FEATURE_SECURE_IDENTITY_ENTITLEMENT
,FEATURE_MONITOR_CLOUD_METRICS
]
secureConfigPosture
AccountFeature captures a sysdig feature enabled on a cloud account
Possible values: [
FEATURE_UNSPECIFIED
,FEATURE_SECURE_THREAT_DETECTION
,FEATURE_SECURE_CONFIG_POSTURE
,FEATURE_SECURE_IDENTITY_ENTITLEMENT
,FEATURE_MONITOR_CLOUD_METRICS
]
secureIdentityEntitlement
AccountFeature captures a sysdig feature enabled on a cloud account
Possible values: [
FEATURE_UNSPECIFIED
,FEATURE_SECURE_THREAT_DETECTION
,FEATURE_SECURE_CONFIG_POSTURE
,FEATURE_SECURE_IDENTITY_ENTITLEMENT
,FEATURE_MONITOR_CLOUD_METRICS
]
monitorCloudMetrics
feature
accounts
Status Code
OK
Invalid or missing auth token.
The server encountered an unexpected condition.
No Sample Response
Request
CloudAccount captures a snapshot of basic metadata fields associated with a cloud.
Allowable values: [
PROVIDER_UNSPECIFIED
,PROVIDER_AWS
,PROVIDER_AZURE
,PROVIDER_GCP
]AccountFeature captures a sysdig feature enabled on a cloud account
Allowable values: [
FEATURE_UNSPECIFIED
,FEATURE_SECURE_THREAT_DETECTION
,FEATURE_SECURE_CONFIG_POSTURE
,FEATURE_SECURE_IDENTITY_ENTITLEMENT
,FEATURE_MONITOR_CLOUD_METRICS
]
secureThreatDetection
AccountFeature captures a sysdig feature enabled on a cloud account
Allowable values: [
FEATURE_UNSPECIFIED
,FEATURE_SECURE_THREAT_DETECTION
,FEATURE_SECURE_CONFIG_POSTURE
,FEATURE_SECURE_IDENTITY_ENTITLEMENT
,FEATURE_MONITOR_CLOUD_METRICS
]
secureConfigPosture
AccountFeature captures a sysdig feature enabled on a cloud account
Allowable values: [
FEATURE_UNSPECIFIED
,FEATURE_SECURE_THREAT_DETECTION
,FEATURE_SECURE_CONFIG_POSTURE
,FEATURE_SECURE_IDENTITY_ENTITLEMENT
,FEATURE_MONITOR_CLOUD_METRICS
]
secureIdentityEntitlement
AccountFeature captures a sysdig feature enabled on a cloud account
Allowable values: [
FEATURE_UNSPECIFIED
,FEATURE_SECURE_THREAT_DETECTION
,FEATURE_SECURE_CONFIG_POSTURE
,FEATURE_SECURE_IDENTITY_ENTITLEMENT
,FEATURE_MONITOR_CLOUD_METRICS
]
monitorCloudMetrics
feature
Response
CloudAccount captures a snapshot of basic metadata fields associated with a cloud.
Possible values: [
PROVIDER_UNSPECIFIED
,PROVIDER_AWS
,PROVIDER_AZURE
,PROVIDER_GCP
]AccountFeature captures a sysdig feature enabled on a cloud account
Possible values: [
FEATURE_UNSPECIFIED
,FEATURE_SECURE_THREAT_DETECTION
,FEATURE_SECURE_CONFIG_POSTURE
,FEATURE_SECURE_IDENTITY_ENTITLEMENT
,FEATURE_MONITOR_CLOUD_METRICS
]
secureThreatDetection
AccountFeature captures a sysdig feature enabled on a cloud account
Possible values: [
FEATURE_UNSPECIFIED
,FEATURE_SECURE_THREAT_DETECTION
,FEATURE_SECURE_CONFIG_POSTURE
,FEATURE_SECURE_IDENTITY_ENTITLEMENT
,FEATURE_MONITOR_CLOUD_METRICS
]
secureConfigPosture
AccountFeature captures a sysdig feature enabled on a cloud account
Possible values: [
FEATURE_UNSPECIFIED
,FEATURE_SECURE_THREAT_DETECTION
,FEATURE_SECURE_CONFIG_POSTURE
,FEATURE_SECURE_IDENTITY_ENTITLEMENT
,FEATURE_MONITOR_CLOUD_METRICS
]
secureIdentityEntitlement
AccountFeature captures a sysdig feature enabled on a cloud account
Possible values: [
FEATURE_UNSPECIFIED
,FEATURE_SECURE_THREAT_DETECTION
,FEATURE_SECURE_CONFIG_POSTURE
,FEATURE_SECURE_IDENTITY_ENTITLEMENT
,FEATURE_MONITOR_CLOUD_METRICS
]
monitorCloudMetrics
feature
Status Code
OK
The given request is invalid.
Invalid or missing auth token.
The server encountered an unexpected condition.
No Sample Response
Response
CloudAccount captures a snapshot of basic metadata fields associated with a cloud.
Possible values: [
PROVIDER_UNSPECIFIED
,PROVIDER_AWS
,PROVIDER_AZURE
,PROVIDER_GCP
]AccountFeature captures a sysdig feature enabled on a cloud account
Possible values: [
FEATURE_UNSPECIFIED
,FEATURE_SECURE_THREAT_DETECTION
,FEATURE_SECURE_CONFIG_POSTURE
,FEATURE_SECURE_IDENTITY_ENTITLEMENT
,FEATURE_MONITOR_CLOUD_METRICS
]
secureThreatDetection
AccountFeature captures a sysdig feature enabled on a cloud account
Possible values: [
FEATURE_UNSPECIFIED
,FEATURE_SECURE_THREAT_DETECTION
,FEATURE_SECURE_CONFIG_POSTURE
,FEATURE_SECURE_IDENTITY_ENTITLEMENT
,FEATURE_MONITOR_CLOUD_METRICS
]
secureConfigPosture
AccountFeature captures a sysdig feature enabled on a cloud account
Possible values: [
FEATURE_UNSPECIFIED
,FEATURE_SECURE_THREAT_DETECTION
,FEATURE_SECURE_CONFIG_POSTURE
,FEATURE_SECURE_IDENTITY_ENTITLEMENT
,FEATURE_MONITOR_CLOUD_METRICS
]
secureIdentityEntitlement
AccountFeature captures a sysdig feature enabled on a cloud account
Possible values: [
FEATURE_UNSPECIFIED
,FEATURE_SECURE_THREAT_DETECTION
,FEATURE_SECURE_CONFIG_POSTURE
,FEATURE_SECURE_IDENTITY_ENTITLEMENT
,FEATURE_MONITOR_CLOUD_METRICS
]
monitorCloudMetrics
feature
Status Code
OK
Invalid or missing auth token.
The requested entity was not found.
The server encountered an unexpected condition.
No Sample Response
Request
Path Parameters
CloudAccount captures a snapshot of basic metadata fields associated with a cloud.
Allowable values: [
PROVIDER_UNSPECIFIED
,PROVIDER_AWS
,PROVIDER_AZURE
,PROVIDER_GCP
]AccountFeature captures a sysdig feature enabled on a cloud account
Allowable values: [
FEATURE_UNSPECIFIED
,FEATURE_SECURE_THREAT_DETECTION
,FEATURE_SECURE_CONFIG_POSTURE
,FEATURE_SECURE_IDENTITY_ENTITLEMENT
,FEATURE_MONITOR_CLOUD_METRICS
]
secureThreatDetection
AccountFeature captures a sysdig feature enabled on a cloud account
Allowable values: [
FEATURE_UNSPECIFIED
,FEATURE_SECURE_THREAT_DETECTION
,FEATURE_SECURE_CONFIG_POSTURE
,FEATURE_SECURE_IDENTITY_ENTITLEMENT
,FEATURE_MONITOR_CLOUD_METRICS
]
secureConfigPosture
AccountFeature captures a sysdig feature enabled on a cloud account
Allowable values: [
FEATURE_UNSPECIFIED
,FEATURE_SECURE_THREAT_DETECTION
,FEATURE_SECURE_CONFIG_POSTURE
,FEATURE_SECURE_IDENTITY_ENTITLEMENT
,FEATURE_MONITOR_CLOUD_METRICS
]
secureIdentityEntitlement
AccountFeature captures a sysdig feature enabled on a cloud account
Allowable values: [
FEATURE_UNSPECIFIED
,FEATURE_SECURE_THREAT_DETECTION
,FEATURE_SECURE_CONFIG_POSTURE
,FEATURE_SECURE_IDENTITY_ENTITLEMENT
,FEATURE_MONITOR_CLOUD_METRICS
]
monitorCloudMetrics
feature
Response
CloudAccount captures a snapshot of basic metadata fields associated with a cloud.
Possible values: [
PROVIDER_UNSPECIFIED
,PROVIDER_AWS
,PROVIDER_AZURE
,PROVIDER_GCP
]AccountFeature captures a sysdig feature enabled on a cloud account
Possible values: [
FEATURE_UNSPECIFIED
,FEATURE_SECURE_THREAT_DETECTION
,FEATURE_SECURE_CONFIG_POSTURE
,FEATURE_SECURE_IDENTITY_ENTITLEMENT
,FEATURE_MONITOR_CLOUD_METRICS
]
secureThreatDetection
AccountFeature captures a sysdig feature enabled on a cloud account
Possible values: [
FEATURE_UNSPECIFIED
,FEATURE_SECURE_THREAT_DETECTION
,FEATURE_SECURE_CONFIG_POSTURE
,FEATURE_SECURE_IDENTITY_ENTITLEMENT
,FEATURE_MONITOR_CLOUD_METRICS
]
secureConfigPosture
AccountFeature captures a sysdig feature enabled on a cloud account
Possible values: [
FEATURE_UNSPECIFIED
,FEATURE_SECURE_THREAT_DETECTION
,FEATURE_SECURE_CONFIG_POSTURE
,FEATURE_SECURE_IDENTITY_ENTITLEMENT
,FEATURE_MONITOR_CLOUD_METRICS
]
secureIdentityEntitlement
AccountFeature captures a sysdig feature enabled on a cloud account
Possible values: [
FEATURE_UNSPECIFIED
,FEATURE_SECURE_THREAT_DETECTION
,FEATURE_SECURE_CONFIG_POSTURE
,FEATURE_SECURE_IDENTITY_ENTITLEMENT
,FEATURE_MONITOR_CLOUD_METRICS
]
monitorCloudMetrics
feature
Status Code
OK
The given request is invalid.
Invalid or missing auth token.
The requested entity was not found.
The server encountered an unexpected condition.
No Sample Response
Response
AccountComponent captures a cloud resource within an account
Possible values: [
COMPONENT_UNSPECIFIED
,COMPONENT_CLOUD_CONNECTOR
,COMPONENT_TRUSTED_ROLE
,COMPONENT_EVENT_BRIDGE
,COMPONENT_SERVICE_PRINCIPAL
]CloudConnectorMetadata captures the metadata associated with a cloud connector deployment, segmented by provider type
aws
azure
gcp
cloudConnectorMetadata
TrustedRoleMetadata captures the metadata associated with a trusted role resource, segmented by provider type
aws
trustedRoleMetadata
EventBridgeMetadata captures the metadata associated with an event bridge, segmented by provider type
aws
eventBridgeMetadata
ServicePrincipalMetadata captures the metadata associated with a service principal, segmented by provider type
key
gcp
servicePrincipalMetadata
components
Status Code
OK
Invalid or missing auth token.
The server encountered an unexpected condition.
No Sample Response
Request
Path Parameters
AccountComponent captures a cloud resource within an account
Allowable values: [
COMPONENT_UNSPECIFIED
,COMPONENT_CLOUD_CONNECTOR
,COMPONENT_TRUSTED_ROLE
,COMPONENT_EVENT_BRIDGE
,COMPONENT_SERVICE_PRINCIPAL
]CloudConnectorMetadata captures the metadata associated with a cloud connector deployment, segmented by provider type
aws
azure
gcp
cloudConnectorMetadata
TrustedRoleMetadata captures the metadata associated with a trusted role resource, segmented by provider type
aws
trustedRoleMetadata
EventBridgeMetadata captures the metadata associated with an event bridge, segmented by provider type
aws
eventBridgeMetadata
ServicePrincipalMetadata captures the metadata associated with a service principal, segmented by provider type
key
gcp
servicePrincipalMetadata
Response
AccountComponent captures a cloud resource within an account
Possible values: [
COMPONENT_UNSPECIFIED
,COMPONENT_CLOUD_CONNECTOR
,COMPONENT_TRUSTED_ROLE
,COMPONENT_EVENT_BRIDGE
,COMPONENT_SERVICE_PRINCIPAL
]CloudConnectorMetadata captures the metadata associated with a cloud connector deployment, segmented by provider type
aws
azure
gcp
cloudConnectorMetadata
TrustedRoleMetadata captures the metadata associated with a trusted role resource, segmented by provider type
aws
trustedRoleMetadata
EventBridgeMetadata captures the metadata associated with an event bridge, segmented by provider type
aws
eventBridgeMetadata
ServicePrincipalMetadata captures the metadata associated with a service principal, segmented by provider type
key
gcp
servicePrincipalMetadata
Status Code
OK
The given request is invalid.
Invalid or missing auth token.
The server encountered an unexpected condition.
No Sample Response
Get Account Component
GET /api/cloudauth/v1/accounts/{accountId}/components/{componentType}/{componentInstance}
Request
Path Parameters
Allowable values: [
COMPONENT_UNSPECIFIED
,COMPONENT_CLOUD_CONNECTOR
,COMPONENT_TRUSTED_ROLE
,COMPONENT_EVENT_BRIDGE
,COMPONENT_SERVICE_PRINCIPAL
]
Response
AccountComponent captures a cloud resource within an account
Possible values: [
COMPONENT_UNSPECIFIED
,COMPONENT_CLOUD_CONNECTOR
,COMPONENT_TRUSTED_ROLE
,COMPONENT_EVENT_BRIDGE
,COMPONENT_SERVICE_PRINCIPAL
]CloudConnectorMetadata captures the metadata associated with a cloud connector deployment, segmented by provider type
aws
azure
gcp
cloudConnectorMetadata
TrustedRoleMetadata captures the metadata associated with a trusted role resource, segmented by provider type
aws
trustedRoleMetadata
EventBridgeMetadata captures the metadata associated with an event bridge, segmented by provider type
aws
eventBridgeMetadata
ServicePrincipalMetadata captures the metadata associated with a service principal, segmented by provider type
key
gcp
servicePrincipalMetadata
Status Code
OK
Invalid or missing auth token.
The requested entity was not found.
The server encountered an unexpected condition.
No Sample Response
Delete Account Component
DELETE /api/cloudauth/v1/accounts/{accountId}/components/{componentType}/{componentInstance}
Update Account Component
PUT /api/cloudauth/v1/accounts/{accountId}/components/{componentType}/{componentInstance}
Request
Path Parameters
Allowable values: [
COMPONENT_UNSPECIFIED
,COMPONENT_CLOUD_CONNECTOR
,COMPONENT_TRUSTED_ROLE
,COMPONENT_EVENT_BRIDGE
,COMPONENT_SERVICE_PRINCIPAL
]
AccountComponent captures a cloud resource within an account
Allowable values: [
COMPONENT_UNSPECIFIED
,COMPONENT_CLOUD_CONNECTOR
,COMPONENT_TRUSTED_ROLE
,COMPONENT_EVENT_BRIDGE
,COMPONENT_SERVICE_PRINCIPAL
]CloudConnectorMetadata captures the metadata associated with a cloud connector deployment, segmented by provider type
aws
azure
gcp
cloudConnectorMetadata
TrustedRoleMetadata captures the metadata associated with a trusted role resource, segmented by provider type
aws
trustedRoleMetadata
EventBridgeMetadata captures the metadata associated with an event bridge, segmented by provider type
aws
eventBridgeMetadata
ServicePrincipalMetadata captures the metadata associated with a service principal, segmented by provider type
key
gcp
servicePrincipalMetadata
Response
AccountComponent captures a cloud resource within an account
Possible values: [
COMPONENT_UNSPECIFIED
,COMPONENT_CLOUD_CONNECTOR
,COMPONENT_TRUSTED_ROLE
,COMPONENT_EVENT_BRIDGE
,COMPONENT_SERVICE_PRINCIPAL
]CloudConnectorMetadata captures the metadata associated with a cloud connector deployment, segmented by provider type
aws
azure
gcp
cloudConnectorMetadata
TrustedRoleMetadata captures the metadata associated with a trusted role resource, segmented by provider type
aws
trustedRoleMetadata
EventBridgeMetadata captures the metadata associated with an event bridge, segmented by provider type
aws
eventBridgeMetadata
ServicePrincipalMetadata captures the metadata associated with a service principal, segmented by provider type
key
gcp
servicePrincipalMetadata
Status Code
OK
The given request is invalid.
Invalid or missing auth token.
The requested entity was not found.
The server encountered an unexpected condition.
No Sample Response
Update Account Feature
update/enable a feature
PUT /api/cloudauth/v1/accounts/{accountId}/features/{featureType}
Request
Path Parameters
Allowable values: [
FEATURE_UNSPECIFIED
,FEATURE_SECURE_THREAT_DETECTION
,FEATURE_SECURE_CONFIG_POSTURE
,FEATURE_SECURE_IDENTITY_ENTITLEMENT
,FEATURE_MONITOR_CLOUD_METRICS
]
AccountFeature captures a sysdig feature enabled on a cloud account
Allowable values: [
FEATURE_UNSPECIFIED
,FEATURE_SECURE_THREAT_DETECTION
,FEATURE_SECURE_CONFIG_POSTURE
,FEATURE_SECURE_IDENTITY_ENTITLEMENT
,FEATURE_MONITOR_CLOUD_METRICS
]
Response
AccountFeature captures a sysdig feature enabled on a cloud account
Possible values: [
FEATURE_UNSPECIFIED
,FEATURE_SECURE_THREAT_DETECTION
,FEATURE_SECURE_CONFIG_POSTURE
,FEATURE_SECURE_IDENTITY_ENTITLEMENT
,FEATURE_MONITOR_CLOUD_METRICS
]
Status Code
OK
The given request is invalid.
Invalid or missing auth token.
The requested entity was not found.
The server encountered an unexpected condition.