CDC Automation API 8.5.1

CDC's queued automation API specs.

Servers

amqp://asyncapi.cyberproof.io amqp

Operations

Pub CdcActions.alert.create

Alert creation channel

Create Alert

Creates a new alert, assuming the payload is valid.

If the alert already exists, CDC will treat this command with UPSERT semantics.

Effects

  1. Creates a new alert in CDC
  2. An AlertCreated event will be fired
  3. A create alert reply will be sent.

Notes

  1. Alert creation may be parallelized by CDC. There is no guarantee that alerts will be created in the order in which these messages are queued.

Accepts the following message:

Alert Creation Command CreateAlertCommand

Create a new alert in the CDC.

This message is a command message that will result in alert creation, assuming all required fields were specified.

Payload
allOf
0
object
length <= 2097152
source
required
string
length <= 50

The name of the source system from which this alert originated. Normally, the name of the SIEM.

name
required
string
length <= 200

The name of the alert

sourceId
required
string
length <= 400

The identifier of the alert, as it appears in the source system. In most cases this would be the ID as it appears in the SIEM.

description
required
string
length <= 5000

The description of the alert. It cannot exceed 5000 characters; if it does, the command will not fail, but the description will be truncated.

severity
required
string
length <= 50

The severity of the alert. Must be one of the severities defined in CDC.

detected
required
string
date-time

Timestamp of alert detection

sourceUrl
string
uri

The source URL of the alert in the SIEM or in the origin system

company
string

Name of the company / division to which this incident or alert belongs.

Not to be confused with the "organization" field, which was used to distinguish between tenants and is deprecated.

Note that most customers don't use the "company" feature. The value must be in the list of companies defined in the CDC database.

raw
object

Alert raw data, as provided by the SIEM or source system.

Keys must not begin with . or $

Additional properties are allowed.

tags
array<string>
Unique

Alert tags

Items:

0
string
must match ^\S*$

Additional items are allowed.

useCase
string

Mapping of alert to one of the use cases

categories
array<string>

Mapping of alert to specific category in SIEM

Items:

0
string

Additional items are allowed.

detectionRule
string
length <= 256

Name of detection rule from SIEM that triggered the generation of alert

killChain
array<string>

Mapping of alert to specific Kill Chain phases. The case of the names is ignored, as are spaces and duplicate values. All values are normalized according to the provided enum. See Wikipedia.

This field accepts any value; the provided enum shows the recommended values.

Enum: "Reconnaissance" "Weaponization" "Delivery" "Exploitation" "Installation" "Command and Control" "Actions on Objective"

Items:

0
string
length <= 256

Additional items are allowed.

mitreAttacks
array<string>
Unique

MitreAttack Ids List

Items:

0
string

Additional items are allowed.

observables
array<allOf>

The observables associated with this alert

Items:

0
allOf
0
object
type
required
string

The type of the observable. Notice that an observable is uniquely identified by the combination of its type and value.

value
required
string

The value of the observable. Notice that an observable is uniquely identified by the combination of its type and value.

tags
array<string>
Unique

Tags associated with this observable. May be empty if an observable has no tags associated.

Items:

0
string
must match ^\S*$

Additional items are allowed.

suspiciousRate
number,null
double >= 0 <= 100

The suspicious rate of the observable (higher is more suspicious), between 0 and 100.

This field is Nullable.

Null value meaning: Not enough data to calculate suspiciousRate, could be updated later.

Examples: 74.8 null

isIoc
boolean

Determines if the observable is an IOC. (false by default)

Additional properties are allowed.

1
object
extraProperties
anyOf
0
object

Additional properties must adhere to the following schema:

(property name)
object
value
required
anyOf
0
string
1
number
2
boolean
3
array<string>

Items:

0
string

Additional items are allowed.

4
array<number>

Items:

0
number

Additional items are allowed.

5
array<boolean>

Items:

0
boolean

Additional items are allowed.

type
string

Additional properties are allowed.

relatedExtraProperties
anyOf
0
object

Additional properties must adhere to the following schema:

(property name)
object
value
required
anyOf
0
string
1
number
2
boolean
3
array<string>

Items:

0
string

Additional items are allowed.

4
array<number>

Items:

0
number

Additional items are allowed.

5
array<boolean>

Items:

0
boolean

Additional items are allowed.

type
string

Additional properties are allowed.

Additional properties are allowed.

Additional items are allowed.

events
deprecated
array<object>

The events property is deprecated and kept only for backwards compatibility; use the observables property instead.

observables
array<allOf>

The observables associated with this alert

Items:

0
allOf
0
object
type
required
string

The type of the observable. Notice that an observable is uniquely identified by the combination of its type and value.

value
required
string

The value of the observable. Notice that an observable is uniquely identified by the combination of its type and value.

tags
array<string>
Unique

Tags associated with this observable. May be empty if an observable has no tags associated.

Items:

0
string
must match ^\S*$

Additional items are allowed.

suspiciousRate
number,null
double >= 0 <= 100

The suspicious rate of the observable (higher is more suspicious), between 0 and 100.

This field is Nullable.

Null value meaning: Not enough data to calculate suspiciousRate, could be updated later.

Examples: 74.8 null

isIoc
boolean

Determines if the observable is an IOC. (false by default)

Additional properties are allowed.

1
object
extraProperties
anyOf
0
object

Additional properties must adhere to the following schema:

(property name)
object
value
required
anyOf
0
string
1
number
2
boolean
3
array<string>

Items:

0
string

Additional items are allowed.

4
array<number>

Items:

0
number

Additional items are allowed.

5
array<boolean>

Items:

0
boolean

Additional items are allowed.

type
string

Additional properties are allowed.

relatedExtraProperties
anyOf
0
object

Additional properties must adhere to the following schema:

(property name)
object
value
required
anyOf
0
string
1
number
2
boolean
3
array<string>

Items:

0
string

Additional items are allowed.

4
array<number>

Items:

0
number

Additional items are allowed.

5
array<boolean>

Items:

0
boolean

Additional items are allowed.

type
string

Additional properties are allowed.

Additional properties are allowed.

Additional items are allowed.

Additional items are allowed.

alertType
string
length <= 15

The type of the alert. Must be one of the alert types defined in CDC (see Enumerated values). If not provided, or if the value is invalid, alertType will be set to General.

Enum: "CTI-Landscape" "CTI-Assetbased" "General"

threatType
string
length <= 50

The threat type with which this alert is associated.

threatActors
array<string>

The attacker: whoever launched the attack, campaign or malware.

Items:

0
string
length <= 200

Additional items are allowed.

malwareTools
array<string>

The Malware/Tools that were used in the attack.

Items:

0
string
length <= 200

Additional items are allowed.

ctiSourceUrls
array<string>

The data source that was used for opening the alert.

Items:

0
string
length <= 2000

Additional items are allowed.

recommendations
string
length <= 3000

Instructions on how to handle the alert.

classification
string
length <= 50

Classification category that the alert falls into.

Additional properties are allowed.
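The schema above states constraints a producer can check before publishing (required fields, length caps, whitespace-free tags, raw keys not beginning with `.` or `$`, suspiciousRate in 0..100, unique tags and mitreAttacks) and two transformations CDC applies on its side (description truncation at 5000 characters, killChain normalization). The following Python is an added example, not CDC's own code: it re-implements those checks over a constructed sample and previews the two transformations so the producer's logs match what CDC will store. How CDC treats a killChain phase outside the recommended enum is not specified; passing such values through unchanged is this example's assumption.

```python
"""Pre-flight checks for a CreateAlertCommand payload (added example, not CDC code).

Re-implements the schema constraints (required fields, length caps, whitespace-free
tags, raw keys not starting with '.' or '$', suspiciousRate 0..100, unique tags and
mitreAttacks) and previews two server-side transformations the spec describes:
description truncation at 5000 characters and killChain normalization. Phases
outside the recommended enum are passed through unchanged (assumption).
"""
import re
from datetime import datetime

REQUIRED = ("source", "name", "sourceId", "description", "severity", "detected")
MAX_LEN = {"source": 50, "name": 200, "sourceId": 400, "severity": 50, "alertType": 15,
           "threatType": 50, "detectionRule": 256, "recommendations": 3000, "classification": 50}
DESCRIPTION_MAX = 5000            # over this, CDC truncates instead of failing the command
TAG_RE = re.compile(r"^\S*$")     # tags may not contain whitespace
ALERT_TYPES = ("CTI-Landscape", "CTI-Assetbased", "General")
KILL_CHAIN = ("Reconnaissance", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command and Control", "Actions on Objective")


def _fold(phase: str) -> str:
    """Comparison key: case and spaces are ignored, as the spec states."""
    return phase.replace(" ", "").lower()


_KC_BY_KEY = {_fold(p): p for p in KILL_CHAIN}


def normalize_kill_chain(phases):
    """Map phases onto the recommended enum, drop duplicates, keep first-seen order."""
    seen, out = set(), []
    for raw in phases:
        key = _fold(raw)
        if key not in seen:
            seen.add(key)
            out.append(_KC_BY_KEY.get(key, raw.strip()))   # unknown phase: pass through
    return out


def bad_raw_keys(obj, path=""):
    """Keys beginning with '.' or '$' anywhere inside the raw object, as dotted paths."""
    bad = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k.startswith((".", "$")):
                bad.append(path + k)
            bad.extend(bad_raw_keys(v, f"{path}{k}."))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            bad.extend(bad_raw_keys(v, f"{path}[{i}]."))
    return bad


def check_create_alert(payload: dict) -> list:
    """Return the problems found; an empty list means the payload passes."""
    problems = [f"missing required field {f!r}" for f in REQUIRED if f not in payload]
    for f, cap in MAX_LEN.items():
        if isinstance(payload.get(f), str) and len(payload[f]) > cap:
            problems.append(f"{f!r} exceeds {cap} characters")
    if isinstance(payload.get("detected"), str):
        try:
            datetime.fromisoformat(payload["detected"].replace("Z", "+00:00"))
        except ValueError:
            problems.append("'detected' is not a date-time")
    if "alertType" in payload and payload["alertType"] not in ALERT_TYPES:
        problems.append("'alertType' unknown; CDC will store it as General")
    for f in ("tags", "mitreAttacks"):
        if len(set(payload.get(f, []))) != len(payload.get(f, [])):
            problems.append(f"{f!r} contains duplicates")
    problems += [f"tag {t!r} contains whitespace" for t in payload.get("tags", []) if not TAG_RE.match(t)]
    problems += [f"raw key {k!r} begins with '.' or '$'" for k in bad_raw_keys(payload.get("raw", {}))]
    for i, ob in enumerate(payload.get("observables", [])):
        if "type" not in ob or "value" not in ob:
            problems.append(f"observables[{i}] needs both 'type' and 'value'")
        rate = ob.get("suspiciousRate")           # null is allowed: not enough data yet
        if rate is not None and not 0 <= rate <= 100:
            problems.append(f"observables[{i}].suspiciousRate is outside 0..100")
    return problems


def prepare_create_alert(payload: dict) -> dict:
    """Copy of the payload with the server-side transformations applied up front,
    so what the producer logs matches what CDC will store."""
    out = dict(payload)
    out["description"] = out.get("description", "")[:DESCRIPTION_MAX]
    if "killChain" in out:
        out["killChain"] = normalize_kill_chain(out["killChain"])
    return out


# Constructed sample modelled on the spec's example; not a real alert.
SAMPLE = {
    "source": "arcsight",
    "name": "Email messages containing malware removed after delivery",
    "sourceId": "345ffe9a",
    "description": "x" * 6000,                          # deliberately over the cap
    "severity": "Medium",
    "detected": "2019-08-24T14:15:22Z",
    "raw": {"localID": {"numberDouble": "30064798760"}},
    "tags": ["Cloud-Computing", "Virus"],
    "killChain": ["reconnaissance", "Command And Control", "commandandcontrol"],
    "mitreAttacks": ["T1003", "T1595.001"],
    "observables": [{"type": "IPv4 Address", "value": "192.168.17.6", "suspiciousRate": 74.8}],
}
```

Run `check_create_alert(payload)` before publishing and refuse to send when it returns anything; run `prepare_create_alert` on what you do send, so the truncated description and the normalized killChain are what end up in your own audit trail rather than a surprise in CDC.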

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

X-Initiated-By
required
string

The user id of the user who initiated this action, as defined in CDC

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version is significant, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "action/create-alert-command; version=1;"
alerts
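The headers above carry two structured values, X-Message-Schema (`{event-type}/{schema-name}; version={version}({-stage});`) and reply_to (`<exchangeName>:<routingKey>`), plus a message_id used for deduplication on reruns and a correlation_id that the reply echoes back. The following Python is an added example, not CDC's own code: it builds the header set for a Pub command and parses both formats strictly, so a malformed const or reply address fails at the producer rather than silently going unanswered. Header names and schema consts are the spec's; the regex, dataclass and function names are this example's own.

```python
"""Header helpers for CDC automation commands and replies (added example, not CDC code).

Builds the header set a Pub command needs and parses the two structured header
formats the spec describes: X-Message-Schema and reply_to.
"""
import re
import uuid
from dataclasses import dataclass
from typing import Optional

_SCHEMA_RE = re.compile(
    r"^(?P<event_type>[a-z]+)/(?P<schema_name>[a-z]+(?:-[a-z]+)*);\s*"        # lowercase, dash-separated
    r"version=(?P<major>\d+)(?:-(?P<stage>[0-9A-Za-z]+(?:\.[0-9A-Za-z]+)*))?;$"  # major, optional -stage
)


@dataclass(frozen=True)
class MessageSchema:
    event_type: str               # action / reply / error on this page
    schema_name: str
    major: int
    stage: Optional[str] = None   # pre-release identifiers, e.g. "beta.1"

    def __str__(self) -> str:
        stage = f"-{self.stage}" if self.stage else ""
        return f"{self.event_type}/{self.schema_name}; version={self.major}{stage};"


def parse_message_schema(header: str) -> MessageSchema:
    """Parse an X-Message-Schema value; reject anything outside the documented shape."""
    m = _SCHEMA_RE.match(header.strip())
    if not m:
        raise ValueError(f"malformed X-Message-Schema: {header!r}")
    return MessageSchema(m["event_type"], m["schema_name"], int(m["major"]), m["stage"])


def parse_reply_to(value: str):
    """Split '<exchangeName>:<routingKey>'. The spec's own example carries a
    trailing newline, so whitespace is stripped before splitting."""
    exchange, sep, routing_key = value.strip().partition(":")
    if not sep or not exchange or not routing_key:
        raise ValueError(f"reply_to must be '<exchangeName>:<routingKey>', got {value!r}")
    return exchange, routing_key


def command_headers(schema: str, initiated_by: str, reply_to: Optional[str] = None,
                    correlation_id: Optional[str] = None, message_id: Optional[str] = None) -> dict:
    """Headers for a Pub command.

    message_id is the deduplication key: pass the same one when re-running a
    failed publish so CDC can drop the duplicate; a fresh UUID otherwise.
    correlation_id defaults to a fresh UUID and is what the reply echoes back.
    """
    parse_message_schema(schema)                      # fail fast on a malformed const
    headers = {
        "message_id": message_id or str(uuid.uuid4()),
        "X-Initiated-By": initiated_by,
        "correlation_id": correlation_id or str(uuid.uuid4()),
        "X-Message-Schema": schema,
    }
    if reply_to:
        parse_reply_to(reply_to)                      # without reply_to, CDC sends no reply
        headers["reply_to"] = reply_to.strip()
    return headers
```

How these headers map onto a particular AMQP client's message properties is left to the caller; the point of the helper is that every published command has a message_id to deduplicate on and a correlation_id to match its reply to.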

Examples

CreateAlertCommand
Payload
{
  "source": "arcsight",
  "name": "Email messages containing malware removed after delivery",
  "sourceId": "345ffe9a",
  "description": "message containing malware are delivered to mailboxes in your organization. Office 365 removed the infected messages from Exchange Online mailboxes.",
  "severity": "Medium",
  "detected": "2019-08-24T14:15:22Z",
  "sourceUrl": "http://10.0.0.90/MySIEM/api/alerts/345ffe9a",
  "company": "CompanyName",
  "raw": {
    "attributeInitializationInProgress": false,
    "createdTime": {
      "day": {
        "numberInt": "18"
      },
      "hour": {
        "numberInt": "16"
      },
      "milliSecond": {
        "numberInt": "711"
      },
      "minute": {
        "numberInt": "10"
      },
      "month": {
        "numberInt": "6"
      },
      "second": {
        "numberInt": "47"
      },
      "timezoneID": "Israel",
      "year": {
        "numberInt": "2017"
      }
    },
    "createdTimestamp": {
      "numberDouble": "1500383447711"
    },
    "deprecated": false,
    "description": "Customer Name -       CyberProof\nAlert Name - Windows - Multiple failed logins same user same host\nSource Address - 192.168.231.1\nSource Host Name - SHEFA-LAPTOP-DS\nSource Zone Name - RFC1918: 192.168.0.0-192.168.255.255\nSource Asset Name - SHEFA-LAPTOP-DS\nDestination User Name - owner\nDevice Address - 172.31.40.183\nDevice Host Name - ip-172-31-40-183.us-west-2.compute.internal\nDevice Vendor - Microsoft\nDevice Product - Microsoft Windows\nDevice Event Class Id - rule:105\n",
    "disabled": false,
    "inCache": true,
    "inactive": false,
    "initialized": true,
    "isAdditionalLoaded": false,
    "localID": {
      "numberDouble": "30064798760"
    },
    "modificationCount": {
      "numberInt": "1"
    }
  },
  "tags": [
    "Cloud-Computing",
    "Virus",
    "Phishing"
  ],
  "useCase": "string",
  "categories": [
    "Ransomware",
    "Phishing"
  ],
  "detectionRule": "WRONG_PASSWORD_3_ATTEMPTS",
  "killChain": [
    "Reconnaissance",
    "Weaponization",
    "Delivery"
  ],
  "mitreAttacks": [
    "T1003",
    "T1001",
    "T1595.001"
  ],
  "observables": [
    {
      "type": "IPv4 Address",
      "value": "192.168.17.6",
      "tags": [
        "Cloud-Computing",
        "Virus",
        "Phishing"
      ],
      "suspiciousRate": 74.8,
      "isIoc": false,
      "extraProperties": {
        "property1": {
          "value": "aaa-bbcc",
          "type": "WeakIdentifier"
        },
        "property2": {
          "value": "aaa-bbcc",
          "type": "WeakIdentifier"
        }
      },
      "relatedExtraProperties": {
        "property1": {
          "value": "aaa-bbcc",
          "type": "WeakIdentifier"
        },
        "property2": {
          "value": "aaa-bbcc",
          "type": "WeakIdentifier"
        }
      }
    }
  ],
  "events": [
    {
      "observables": [
        {
          "type": "IPv4 Address",
          "value": "192.168.17.6",
          "tags": [
            "Cloud-Computing",
            "Virus",
            "Phishing"
          ],
          "suspiciousRate": 74.8,
          "isIoc": false,
          "extraProperties": {
            "property1": {
              "value": "aaa-bbcc",
              "type": "WeakIdentifier"
            },
            "property2": {
              "value": "aaa-bbcc",
              "type": "WeakIdentifier"
            }
          },
          "relatedExtraProperties": {
            "property1": {
              "value": "aaa-bbcc",
              "type": "WeakIdentifier"
            },
            "property2": {
              "value": "aaa-bbcc",
              "type": "WeakIdentifier"
            }
          }
        }
      ]
    }
  ],
  "alertType": "CTI-Landscape",
  "threatType": "Phishing",
  "threatActors": [
    "Cyber Criminals",
    "Anonymous"
  ],
  "malwareTools": [
    "TrickBot",
    "IcedID",
    "Cobalt Strike"
  ],
  "ctiSourceUrls": [
    "https://blog.malwarebytes.com/someTopic"
  ],
  "recommendations": "Implement the attached IOCs in your security systems.",
  "classification": "Phishing"
}
This example has been generated automatically.
Headers
{
  "message_id": "4176e52e-b7d6-4aab-a38b-6b43a8d43ed1",
  "X-Initiated-By": "d4599677-be17-4a61-b6d8-72899c771f75",
  "reply_to": "stackstorm-replies:create-alert-replies\n",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d",
  "X-Message-Schema": "action/create-alert-command; version=1;"
}
This example has been generated automatically.

Sub CdcActions.replies.alert.create

Alert creation reply channel

Create Alert Reply

Result of a create alert command.

Accepts one of the following messages:

#1 Create Alert Reply CreateAlertReply

The reply returned after creating an alert

replies

This message is the reply to an alert create command

Payload
object
id
required
string

A unique, machine-oriented ID identifying this alert.

source
required
string

The name of the source system

sourceId
required
string

The ID of the alert in the source system

name
required
string

The name of the alert

description
required
string

The description of the alert

severity
required
string

The severity of the alert. Must be one of the severities defined in CDC.

created
required
string
date-time

Alert creation timestamp, in UTC

modified
required
string
date-time

Last modification timestamp, in UTC

detected
required
string
date-time

Alert detection timestamp, in UTC

status
required
string

Alert status

Enum: "New" "In incident" "Closed" "Resolved"
sourceUrl
string
uri

A URI of this alert pointing to the source system

company
string

Name of the company / division to which this incident or alert belongs.

Not to be confused with the "organization" field, which was used to distinguish between tenants and is deprecated.

Note that most customers don't use the "company" feature. The value must be in the list of companies defined in the CDC database.

useCase
string

Alert Use Case name

detectionRule
string
length <= 256

Name of detection rule from SIEM that triggered the generation of alert

killChain
required
array<string>

Mapping of alert to specific Kill Chain phases. The case of the names is ignored, as are spaces and duplicate values. All values are normalized according to the provided enum. See Wikipedia.

This field accepts any value; the provided enum shows the recommended values.

Enum: "Reconnaissance" "Weaponization" "Delivery" "Exploitation" "Installation" "Command and Control" "Actions on Objective"

Items:

0
string
length <= 256

Additional items are allowed.

mitreAttacks
array<string>
Unique

MitreAttack Ids List

Items:

0
string

Additional items are allowed.

alertType
string
length <= 15

The type of the alert. Must be one of the alert types defined in CDC (see Enumerated values). If not provided, or if the value is invalid, alertType will be set to General.

Enum: "CTI-Landscape" "CTI-Assetbased" "General"

threatType
string

The threat type with which this alert is associated.

threatActors
array<string>

The attacker: whoever launched the attack, campaign or malware.

Items:

0
string

Additional items are allowed.

malwareTools
array<string>

The Malware/Tools that were used in the attack.

Items:

0
string

Additional items are allowed.

ctiSourceUrls
array<string>

The data source that was used for opening the alert.

Items:

0
string

Additional items are allowed.

recommendations
string

Instructions on how to handle the alert.

categories
required
array<string>

Mapping of alert to specific category in SIEM

Items:

0
string

Additional items are allowed.

tags
required
array<string>
Unique

Array of tags. A tag name may contain only the following characters: letters, digits, "-", "_", ".", "#" and "@".

Tags are case-preserving on insertion: if a tag with a different casing does not already exist, the tag is saved with the casing specified. When used as query filters, tags are treated as case-insensitive.

Items:

0
string
must match ^\S*$

Additional items are allowed.

observableTags
required
array<string>
Unique

List of tags of alert observables

Items:

0
string
must match ^\S*$

Additional items are allowed.

classification
string
length <= 50

Classification for the alert

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version is significant, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "reply/alert-create-reply; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#2 Validation Error Message ValidationError

The reply returned if any of the input data is not valid.

errors
Payload
object
name
required
string

ValidationError

code
required
string

ERR_INVALID_INPUT

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version is significant, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/validation-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#3 Not Found Message NotFoundError

The reply returned if some entity does not exist.

errors
Payload
object
name
required
string

NotFoundError

code
required
string

ERR_NOT_FOUND

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version is significant, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/not-found-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#4 Server Error Message ServerError

The reply returned if an unexpected error occurred during action execution.

errors

Notes:

  • The error message is hidden due to security concerns
Payload
object
name
required
string

ServerError

code
required
string

ERR_SERVER

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version is significant, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/server-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

alerts

Examples

CreateAlertReply
Payload
{
  "id": "5e7c6cf54b832e0018f191ad",
  "source": "QRadar",
  "sourceId": "296",
  "name": "Windows - Multiple failed logins same user same host",
  "description": "Customer Name - SmithCo\nAlert Name - Windows - Multiple failed logins same user same host\nSource Address - 10.6.100.82\nSource Host Name - PLYF-ASC\nSource Zone Name - RFC1918: 10.0.0.0-10.255.255.255\nDestination User Name - administrator\nDevice Address - 172.31.25.94\nDevice Host Name - ip-172-31-25-94.eu-central-1.compute.internal\nDevice Zone Name - RFC1918: 172.16.0.0-172.31.255.255\nDevice Vendor - Microsoft\nDevice Product - Microsoft Windows\nDevice Event Class Id - rule:105\n",
  "severity": "Medium",
  "created": "2019-08-24T14:15:22Z",
  "modified": "2019-08-24T14:15:22Z",
  "detected": "2019-08-24T14:15:22Z",
  "status": "New",
  "sourceUrl": "https://13.93.41.164/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=296",
  "company": "CompanyName",
  "useCase": "UC216 - EPP - Persistent Malware",
  "detectionRule": "WRONG_PASSWORD_3_ATTEMPTS",
  "killChain": [
    "Reconnaissance",
    "Weaponization",
    "Delivery"
  ],
  "mitreAttacks": [
    "T1003",
    "T1001",
    "T1595.001"
  ],
  "alertType": "CTI-Landscape",
  "threatType": "Phishing",
  "threatActors": [
    "Cyber Criminals",
    "Anonymous"
  ],
  "malwareTools": [
    "TrickBot",
    "IcedID",
    "Cobalt Strike"
  ],
  "ctiSourceUrls": [
    "https://blog.malwarebytes.com/someTopic"
  ],
  "recommendations": "Implement the attached IOCs in your security systems.",
  "categories": [
    "Ransomware",
    "Phishing"
  ],
  "tags": [
    "Cloud-Computing",
    "Virus",
    "Phishing"
  ],
  "observableTags": [
    "Cloud-Computing",
    "Virus",
    "Phishing"
  ],
  "classification": "Phishing"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "reply/alert-create-reply; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ValidationError
Payload
{
  "name": "ValidationError",
  "code": "ERR_INVALID_INPUT",
  "message": "The property {propertyName} is required."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/validation-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
NotFoundError
Payload
{
  "name": "NotFoundError",
  "code": "ERR_NOT_FOUND",
  "message": "The {entityName} is not exist."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/not-found-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ServerError
Payload
{
  "name": "ServerError",
  "code": "ERR_SERVER"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/server-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.

Pub CdcActions.alert.close

Alert closure channel

Close Alert

Closes an alert.

Effects

  1. Changes alert status to the provided status
  2. An AlertClosed event will be fired
  3. A close alert reply will be sent.

Notes

  1. If the alert is attached to a closed incident, this command will be ignored.
  2. Currently we only allow alerts to be closed as "Closed" via this API

Accepts the following message:

Close Alert Command CloseAlertCommand

Closes an alert

This message is a command message that will result in alert closure

Payload
object
alertId
required
string

The unique Alert ID as defined by CDC

closingReason
required
object

Details explaining why this alert was marked as irrelevant. Only appears if the alert was closed as irrelevant.

reason
required
string

Alert closure reason. Possible default values are: "Benign Positive", "True Positive", "False Positive - Incorrect alert logic", "False Positive - Inaccurate data" and "Undetermined".

Note: additional custom reasons may exist, but only if they are defined in CDC (metamodels).

comment
required
string

Analyst-provided comment for closing an alert

Note: the "comment" property is required if the "reason" property is "Other".

Additional properties are allowed.

Additional properties are allowed.
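The CloseAlertCommand payload has one rule that the schema alone does not express: the comment is mandatory when the reason is "Other", and a reason outside the default set is valid only if CDC has it configured as a custom reason (metamodels). The following Python is an added example, not CDC's own code, that checks a payload against those rules before it is published. Treating the configured custom reasons as a set the caller supplies is this example's assumption about how a client learns them.

```python
"""Validation for a CloseAlertCommand payload (added example, not CDC code).

The default reasons and the rule that "comment" is required when "reason" is
"Other" come from the spec. Custom reasons exist only if defined in CDC
(metamodels); here they are a caller-supplied set (assumption).
"""

DEFAULT_REASONS = frozenset({
    "Benign Positive", "True Positive", "False Positive - Incorrect alert logic",
    "False Positive - Inaccurate data", "Undetermined",
})


def check_close_alert(payload: dict, custom_reasons=frozenset()) -> list:
    """Return the problems found; an empty list means the command is well-formed."""
    problems = []
    if not isinstance(payload.get("alertId"), str) or not payload["alertId"]:
        problems.append("'alertId' is required")
    cr = payload.get("closingReason")
    if not isinstance(cr, dict):
        return problems + ["'closingReason' object is required"]
    reason, comment = cr.get("reason"), cr.get("comment")
    if not isinstance(reason, str) or not reason:
        problems.append("'closingReason.reason' is required")
    elif reason != "Other" and reason not in DEFAULT_REASONS and reason not in custom_reasons:
        problems.append(f"reason {reason!r} is neither a default nor a configured custom reason")
    if not isinstance(comment, str):
        problems.append("'closingReason.comment' is required")      # the schema marks it required
    elif reason == "Other" and not comment.strip():
        problems.append("a non-empty comment is required when reason is 'Other'")
    return problems


def close_alert_command(alert_id: str, reason: str, comment: str = "",
                        custom_reasons=frozenset()) -> dict:
    """Build the payload and refuse to produce one that would come back as a ValidationError."""
    payload = {"alertId": alert_id, "closingReason": {"reason": reason, "comment": comment}}
    problems = check_close_alert(payload, custom_reasons)
    if problems:
        raise ValueError("; ".join(problems))
    return payload
```

The spec's own example closes with the reason "False positive", which is not among the defaults; with this checker that passes only when "False positive" is in the `custom_reasons` set, which is exactly the question an integrator should settle with their CDC configuration before wiring the closure path.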

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

X-Initiated-By
required
string

The user id of the user who initiated this action, as defined in CDC

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version is significant, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "action/close-alert-command; version=1;"
alerts

Examples

CloseAlertCommand
Payload
{
  "alertId": "603cde4464522f260aacf14a",
  "closingReason": {
    "reason": "False positive",
    "comment": "This was just a test"
  }
}
This example has been generated automatically.
Headers
{
  "message_id": "4176e52e-b7d6-4aab-a38b-6b43a8d43ed1",
  "X-Initiated-By": "d4599677-be17-4a61-b6d8-72899c771f75",
  "reply_to": "stackstorm-replies:create-alert-replies\n",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d",
  "X-Message-Schema": "action/close-alert-command; version=1;"
}
This example has been generated automatically.

Sub CdcActions.replies.alert.close

Alert closure reply channel

Close Alert Reply

Result of a close alert command.

Accepts one of the following messages:

#1 Close Alert Reply CloseAlertReply

Closes an alert

replies
  • The message payload is empty
  • This message is the reply to an alert close command
Payload
object

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version is significant, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "reply/alert-close-reply; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#2 Validation Error Message ValidationError

The reply returned if any of the input data is not valid.

errors
Payload
object
name
required
string

ValidationError

code
required
string

ERR_INVALID_INPUT

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version is significant, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/validation-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#3 Not Found Message NotFoundError

The reply returned if some entity does not exist.

errors
Payload
object
name
required
string

NotFoundError

code
required
string

ERR_NOT_FOUND

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version is significant, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/not-found-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#4 Server Error Message ServerError

The reply returned if an unexpected error occurred during action execution.

errors

Notes:

  • The error message is hidden due to security concerns
Payload
object
name
required
string

ServerError

code
required
string

ERR_SERVER

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version is significant, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/server-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

alerts

Examples

CloseAlertReply
Payload
{}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "reply/alert-close-reply; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ValidationError
Payload
{
  "name": "ValidationError",
  "code": "ERR_INVALID_INPUT",
  "message": "The property {propertyName} is required."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/validation-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
NotFoundError
Payload
{
  "name": "NotFoundError",
  "code": "ERR_NOT_FOUND",
  "message": "The {entityName} is not exist."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/not-found-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ServerError
Payload
{
  "name": "ServerError",
  "code": "ERR_SERVER"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/server-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.

Pub CdcActions.alert.reopen

Alert reopen channel

Reopen Alert

Reopens an alert.

Effects

  1. Changes alert status to New
  2. An AlertReopened event will be fired
  3. A reopen alert reply will be sent.

Accepts the following message:

Reopen Alert Command ReopenAlertCommand

Reopens an alert

This message is a command message that will result in the alert being reopened.

Payload
object
alertId
required
string

The unique Alert ID as defined by CDC

reopenReason
string

The reason why this alert was reopened, as provided by the analyst

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

X-Initiated-By
required
string

The user id of the user who initiated this action, as defined in CDC

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "action/reopen-alert-command; version=1;"
alerts

Examples

ReopenAlertCommand
Payload
{
  "alertId": "603cde4464522f260aacf14a",
  "reopenReason": "Windows — Multiple failed logins different users same host irrelevant"
}
This example has been generated automatically.
Headers
{
  "message_id": "4176e52e-b7d6-4aab-a38b-6b43a8d43ed1",
  "X-Initiated-By": "d4599677-be17-4a61-b6d8-72899c771f75",
  "reply_to": "stackstorm-replies:create-alert-replies\n",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d",
  "X-Message-Schema": "action/reopen-alert-command; version=1;"
}
This example has been generated automatically.
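A worked example, added here and not part of the CDC spec or CyberProof's own client code: building the ReopenAlertCommand headers and payload described above and checking them before they are published. The AMQP publish itself is left to whatever client library the automation uses; the ids and reply address in the demo are the page's own example values, and the header/payload shapes are exactly those listed for this channel.

```python
"""Build a ReopenAlertCommand for the CdcActions.alert.reopen channel.

Added example, not CyberProof's client code. It assembles the headers and JSON
payload described on this page and checks them locally; publishing the result
is left to the caller's AMQP library.
"""
import json
import uuid

REOPEN_SCHEMA = "action/reopen-alert-command; version=1;"


def parse_reply_to(reply_to):
    """Split a reply_to value of the form <exchangeName>:<routingKey>.

    Only the first ':' separates the parts, so a routing key may itself contain
    ':'. Surrounding whitespace is stripped because the page's generated example
    carries a trailing newline, which would otherwise become part of the routing
    key and the reply would never arrive.
    """
    exchange, sep, routing_key = reply_to.strip().partition(":")
    if not sep or not exchange or not routing_key:
        raise ValueError(f"reply_to must be <exchangeName>:<routingKey>, got {reply_to!r}")
    return exchange, routing_key


def build_reopen_command(alert_id, initiated_by, reopen_reason=None,
                         reply_to=None, correlation_id=None, message_id=None):
    """Return (headers, payload) for one reopen command.

    message_id is CDC's deduplication key: a caller that retries a publish must
    send the same message_id again, otherwise CDC sees two distinct operations.
    A correlation_id is generated whenever a reply is requested, because the reply
    carries it back and it is the only way to tie the reply to this command.
    """
    if not isinstance(alert_id, str) or not alert_id:
        raise ValueError("alertId is required and must be a string")
    if not isinstance(initiated_by, str) or not initiated_by:
        raise ValueError("X-Initiated-By (the CDC user id) is required")

    payload = {"alertId": alert_id}
    if reopen_reason is not None:
        payload["reopenReason"] = reopen_reason

    headers = {
        "message_id": message_id or str(uuid.uuid4()),
        "X-Initiated-By": initiated_by,
        "X-Message-Schema": REOPEN_SCHEMA,
    }
    if reply_to is not None:
        parse_reply_to(reply_to)                  # fail fast on a malformed address
        headers["reply_to"] = reply_to.strip()
        headers["correlation_id"] = correlation_id or str(uuid.uuid4())
    elif correlation_id is not None:
        headers["correlation_id"] = correlation_id
    return headers, payload


def encode_payload(payload):
    """Serialize the payload as compact UTF-8 JSON for the message body."""
    return json.dumps(payload, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


if __name__ == "__main__":
    # Values taken from the page's example; the reply address is the page's, newline included.
    hdrs, body = build_reopen_command(
        "603cde4464522f260aacf14a", "d4599677-be17-4a61-b6d8-72899c771f75",
        reopen_reason="Windows - Multiple failed logins different users same host irrelevant",
        reply_to="stackstorm-replies:create-alert-replies\n",
        correlation_id="278940cd-cde8-40ed-adb2-caafd89bcb5d",
        message_id="4176e52e-b7d6-4aab-a38b-6b43a8d43ed1",
    )
    print(hdrs)
    print(encode_payload(body).decode())
```

Two points the header table states but a client can easily get wrong: message_id is the deduplication key, so a retry must reuse the original value rather than mint a new UUID; and X-Initiated-By is asserted by the publisher, and nothing on this page says CDC checks it against the publishing credentials, so treat it as attribution for the audit trail and restrict who may publish on these channels accordingly.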

Sub CdcActions.replies.alert.reopen

Alert reopen reply channel

Reopen Alert Reply

Result of a reopen alert command.

Accepts one of the following messages:

#1 Reopen Alert Reply ReopenAlertReply

The reply returned after the alert has been reopened.

replies
  • The message payload is empty
  • This message is a reply for alert reopen
Payload
object

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "reply/alert-reopen-reply; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#2 Validation Error Message ValidationError

The reply returned if any of the input data is invalid.

errors
Payload
object
name
required
string

ValidationError

code
required
string

ERR_INVALID_INPUT

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/validation-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#3 Not Found Message NotFoundError

The reply returned if a referenced entity does not exist.

errors
Payload
object
name
required
string

NotFoundError

code
required
string

ERR_NOT_FOUND

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/not-found-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#4 Server Error Message ServerError

The reply returned if an unexpected error occurred during action execution.

errors

Notes:

  • The error message is omitted for security reasons, so this reply carries only the error name and code.
Payload
object
name
required
string

ServerError

code
required
string

ERR_SERVER

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/server-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

alerts

Examples

ReopenAlertReply
Payload
{}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "reply/alert-reopen-reply; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ValidationError
Payload
{
  "name": "ValidationError",
  "code": "ERR_INVALID_INPUT",
  "message": "The property {propertyName} is required."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/validation-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
NotFoundError
Payload
{
  "name": "NotFoundError",
  "code": "ERR_NOT_FOUND",
  "message": "The {entityName} is not exist."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/not-found-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ServerError
Payload
{
  "name": "ServerError",
  "code": "ERR_SERVER"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/server-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
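The four reply kinds above are told apart only by the X-Message-Schema header, and a reply is tied to the command it answers only by correlation_id. The following added example (not CDC's or CyberProof's code; it applies equally to the close reply channel above and to every other CdcActions.replies.* channel on this page) parses the header format described in the header table and sorts incoming replies accordingly. The messages it processes are constructed inline from the page's own examples; the pending-command table is a hypothetical stand-in for whatever state the automation keeps about commands it has sent.

```python
"""Parse X-Message-Schema headers and route reply messages by correlation_id.

Added example, not CyberProof's code. It applies to every CdcActions.replies.*
channel on this page. The messages below are constructed from the page's own
examples rather than consumed from the broker.
"""
import re

# {event-type}/{schema-name}; version={version}({-stage});
# The schema name is lowercase and dash-separated; the version is normally just the major.
_SCHEMA_RE = re.compile(
    r"^\s*(?P<type>[a-z]+)/(?P<name>[a-z0-9]+(?:-[a-z0-9]+)*)\s*;\s*"
    r"version=(?P<major>\d+)(?:-(?P<stage>[0-9A-Za-z]+(?:\.[0-9A-Za-z]+)*))?\s*;?\s*$"
)

# error schema name -> (name, code) the body must carry for that schema
ERROR_KINDS = {
    "validation-error": ("ValidationError", "ERR_INVALID_INPUT"),
    "not-found-error": ("NotFoundError", "ERR_NOT_FOUND"),
    "server-error": ("ServerError", "ERR_SERVER"),
}

# Constructed from the page's examples: (headers, payload) pairs as a consumer sees them.
SAMPLE_MESSAGES = [
    ({"X-Message-Schema": "reply/alert-reopen-reply; version=1;", "correlation_id": "c1"}, {}),
    ({"X-Message-Schema": "error/validation-error; version=1;", "correlation_id": "c2"},
     {"name": "ValidationError", "code": "ERR_INVALID_INPUT",
      "message": "The property alertId is required."}),
    ({"X-Message-Schema": "error/server-error; version=1;", "correlation_id": "c3"},
     {"name": "ServerError", "code": "ERR_SERVER"}),
    ({"X-Message-Schema": "reply/alert-close-reply; version=1;", "correlation_id": "zzz"}, {}),
]


def parse_message_schema(value):
    """Split a header such as 'reply/alert-reopen-reply; version=1;' into its parts."""
    m = _SCHEMA_RE.match(value)
    if not m:
        raise ValueError(f"malformed X-Message-Schema: {value!r}")
    return {"type": m["type"], "name": m["name"],
            "version": int(m["major"]), "stage": m["stage"]}


def classify_reply(headers, payload, expected_reply_name):
    """Decide what one reply means for the command it answers.

    The header drives routing, but the body is checked against it so that a
    message cannot claim error/not-found-error while carrying ERR_SERVER.
    """
    schema = parse_message_schema(headers["X-Message-Schema"])
    if schema["version"] != 1:
        raise ValueError(f"unsupported schema version {schema['version']}")
    if schema["type"] == "reply":
        if schema["name"] != expected_reply_name:
            raise ValueError(f"expected reply/{expected_reply_name}, got reply/{schema['name']}")
        return {"status": "ok", "result": payload}
    if schema["type"] == "error":
        if schema["name"] not in ERROR_KINDS:
            raise ValueError(f"unknown error schema {schema['name']}")
        name, code = ERROR_KINDS[schema["name"]]
        if payload.get("name") != name or payload.get("code") != code:
            raise ValueError(f"body {payload!r} does not match error/{schema['name']}")
        # ServerError carries no message by design; message is None in that case.
        return {"status": "error", "code": code, "message": payload.get("message")}
    raise ValueError(f"unexpected event type {schema['type']!r} on a reply channel")


def match_replies(pending, messages):
    """pending maps correlation_id -> expected reply schema name for commands sent.

    Returns (results, unmatched). A reply whose correlation_id is not pending is
    set aside rather than acted on: it belongs to another producer or is a replay.
    """
    results, unmatched = {}, []
    for headers, payload in messages:
        cid = headers.get("correlation_id")
        if cid not in pending:
            unmatched.append(headers)
            continue
        results[cid] = classify_reply(headers, payload, pending[cid])
    return results, unmatched


if __name__ == "__main__":
    pending = {"c1": "alert-reopen-reply", "c2": "alert-reopen-reply", "c3": "alert-reopen-reply"}
    done, stray = match_replies(pending, SAMPLE_MESSAGES)
    for cid, outcome in done.items():
        print(cid, outcome)
    print("unmatched:", [h["correlation_id"] for h in stray])
```

The dispatcher refuses a reply whose body disagrees with its header and ignores replies it was not waiting for; both are cheap and keep a mis-routed or replayed message on a shared reply exchange from being mistaken for the outcome of a command this consumer actually sent.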

Pub CdcActions.alert.detail.set

Alert set detail channel

Set Alert Detail

Set alert detail.

Effects

  1. A set alert detail reply will be sent.
  2. An event AlertDetailChanged will be fired.
  3. When the company field is set, KPI event "106: Alert Associated With Company" will be sent.

Accepts the following message:

Set Alert Detail Command SetAlertDetailCommand

set alert detail

This message is a command message that sets the specified details on an alert. It updates only informational fields; none of them is tied to any workflow or operation.

Payload
object
length <= 2097152
alertId
required
string

The unique Alert ID as defined by CDC

name
string

If specified, will set the name field of the alert

description
string
length <= 5000

If specified, sets the description field of the alert. It cannot exceed 5000 characters; if it does, the command will not fail but the description will be truncated.

useCase
string

If specified, will set the useCase field of the alert

company
string

Name of the company / division to which this incident or alert belongs.

Not to be confused with the "organization" field, which was used to distinguish between tenants and is deprecated.

Note that most customers do not use the "company" feature. The value must be one of the companies defined in the CDC database.

severity
string

The severity of the alert. Must be one of the severities defined in CDC.

detectionRule
string
length <= 256

Name of the SIEM detection rule that triggered the generation of this alert

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

X-Initiated-By
required
string

The user id of the user who initiated this action, as defined in CDC

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "action/set-alert-detail-command; version=1;"
alerts

Examples

SetAlertDetailCommand
Payload
{
  "alertId": "603cde4464522f260aacf14a",
  "name": "string",
  "description": "message containing malware are delivered to mailboxes in your organization. Office 365 removed the infected messages from Exchange Online mailboxes.",
  "useCase": "UC216 - EPP - Persistent Malware",
  "company": "CompanyName",
  "severity": "Medium",
  "detectionRule": "WRONG_PASSWORD_3_ATTEMPTS"
}
This example has been generated automatically.
Headers
{
  "message_id": "4176e52e-b7d6-4aab-a38b-6b43a8d43ed1",
  "X-Initiated-By": "d4599677-be17-4a61-b6d8-72899c771f75",
  "reply_to": "stackstorm-replies:create-alert-replies\n",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d",
  "X-Message-Schema": "action/set-alert-detail-command; version=1;"
}
This example has been generated automatically.
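An added example, not from the spec or from CyberProof: assembling a SetAlertDetailCommand payload that respects the limits stated above (a partial update of informational fields only, description capped at 5000 characters, detectionRule at 256, the whole payload at 2097152). It treats the 2097152 limit as UTF-8 bytes of the encoded payload, which is an assumption since the page gives no unit; the allowed_severities and allowed_companies parameters are hypothetical and stand in for the severity and company lists defined in CDC, which the page says the values must come from.

```python
"""Build a SetAlertDetailCommand payload within the limits stated on this page.

Added example, not CyberProof's code. allowed_severities and allowed_companies
are hypothetical parameters standing in for the lists defined in CDC; the 2097152
limit is applied to the UTF-8 JSON encoding of the payload (an assumption, the
page gives no unit).
"""
import json

MAX_PAYLOAD_BYTES = 2_097_152
MAX_DESCRIPTION_CHARS = 5000          # CDC truncates beyond this without failing
MAX_DETECTION_RULE_CHARS = 256

# Informational fields this command may set; anything else belongs to another command.
OPTIONAL_FIELDS = ("name", "description", "useCase", "company", "severity", "detectionRule")


def build_set_detail_payload(alert_id, allowed_severities=None, allowed_companies=None, **fields):
    """Return (payload, truncated).

    Only fields passed with a non-None value are included, so the command is a
    partial update that leaves every other field untouched. The description is
    truncated here the same way CDC would do it, so the caller knows what was
    stored instead of finding out later from the reply.
    """
    if not isinstance(alert_id, str) or not alert_id:
        raise ValueError("alertId is required")
    unknown = sorted(set(fields) - set(OPTIONAL_FIELDS))
    if unknown:
        raise ValueError(f"not settable by this command: {unknown}")

    payload = {"alertId": alert_id}
    truncated = False
    for key, value in fields.items():
        if value is None:
            continue
        if not isinstance(value, str):
            raise TypeError(f"{key} must be a string")
        if key == "description" and len(value) > MAX_DESCRIPTION_CHARS:
            value = value[:MAX_DESCRIPTION_CHARS]
            truncated = True
        if key == "detectionRule" and len(value) > MAX_DETECTION_RULE_CHARS:
            raise ValueError(f"detectionRule exceeds {MAX_DETECTION_RULE_CHARS} characters")
        if key == "severity" and allowed_severities is not None and value not in allowed_severities:
            raise ValueError(f"severity {value!r} is not one of the severities defined in CDC")
        if key == "company" and allowed_companies is not None and value not in allowed_companies:
            raise ValueError(f"company {value!r} is not one of the companies defined in CDC")
        payload[key] = value

    size = len(json.dumps(payload, ensure_ascii=False).encode("utf-8"))
    if size > MAX_PAYLOAD_BYTES:
        raise ValueError(f"payload is {size} bytes, limit is {MAX_PAYLOAD_BYTES}")
    return payload, truncated


if __name__ == "__main__":
    # Constructed input: a description longer than CDC will keep, and a
    # hypothetical severity list in place of the one defined in CDC.
    payload, truncated = build_set_detail_payload(
        "603cde4464522f260aacf14a",
        allowed_severities={"Low", "Medium", "High", "Critical"},
        severity="Medium", useCase="UC216 - EPP - Persistent Malware",
        description="Office 365 removed the infected messages. " * 200,
    )
    print(len(payload["description"]), "chars kept; truncated =", truncated)
```

Truncating locally matters because, as the field description says, CDC will not reject an over-long description; an automation that does not check for itself has no signal that part of the text it intended to record was dropped.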

Sub CdcActions.replies.alert.detail.set

Set Alert Detail reply channel

Set Alert Detail Reply

Accepts one of the following messages:

#1 Set Alert Detail Reply SetAlertDetail

The reply returned after the alert details have been set

replies

This message is the reply to a set alert detail command

Payload
object
id
required
string

A unique, machine-oriented ID identifying this alert.

source
required
string

The name of the source system

sourceId
required
string

The ID of the alert in the source system

name
required
string

The name of the alert

description
required
string

The description of the alert

severity
required
string

The severity of the alert. Must be one of the severities defined in CDC.

created
required
string
date-time

Alert creation timestamp, in UTC

modified
required
string
date-time

Last modification timestamp, in UTC

detected
required
string
date-time

Alert detection timestamp, in UTC

status
required
string

Alert status

Enum: "New" "In incident" "Closed" "Resolved"
sourceUrl
string
uri

A URI of this alert pointing to the source system

company
string

Name of the company / division to which this incident or alert belongs.

Not to be confused with the "organization" field, which was used to distinguish between tenants and is deprecated.

Note that most customers do not use the "company" feature. The value must be one of the companies defined in the CDC database.

useCase
string

Alert Use Case name

detectionRule
string
length <= 256

Name of the SIEM detection rule that triggered the generation of this alert

killChain
required
array<string>

Mapping of the alert to specific Kill Chain phases. The case of the names is ignored, as are spaces and duplicate values. All values are normalized according to the provided enum. See the Cyber Kill Chain article on Wikipedia.

This field accepts any value; the provided enum shows the recommended values.

Enum: "Reconnaissance" "Weaponization" "Delivery" "Exploitation" "Installation" "Command and Control" "Actions on Objective"

Items:

0
string
length <= 256

Additional items are allowed.

mitreAttacks
array<string>
Unique

MitreAttack Ids List

Items:

0
string

Additional items are allowed.

alertType
string
length <= 15

The type of the alert. Must be one of the alert types defined in CDC - see Enumerated values. When not provided, or set to an invalid value, alertType will be set to General.

Enum: "CTI-Landscape" "CTI-Assetbased" "General"
threatType
string

The threat type with which this alert is associated.

threatActors
array<string>

The attacker, whoever launched the attack/campaign/malware.

Items:

0
string

Additional items are allowed.

malwareTools
array<string>

The Malware/Tools that were used in the attack.

Items:

0
string

Additional items are allowed.

ctiSourceUrls
array<string>

The data source that was used for opening the alert.

Items:

0
string

Additional items are allowed.

recommendations
string

Instructions on how to handle the alert.

categories
required
array<string>

Mapping of the alert to a category in the SIEM

Items:

0
string

Additional items are allowed.

tags
required
array<string>
Unique

Array of tags. A tag name may contain only the following characters: letters, digits, "-", "_", ".", "#" and "@".

Tags are case-preserving on insertion: if the tag does not already exist with a different casing, it is saved with the casing given. When used as query filters, tags are treated as case-insensitive.

Items:

0
string
must match ^\S*$

Additional items are allowed.

observableTags
required
array<string>
Unique

List of tags of alert observables

Items:

0
string
must match ^\S*$

Additional items are allowed.

classification
string
length <= 50

Classification for the alert

Additional properties are allowed.
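An added example, not CyberProof's code, that checks an alert object from this reply against the rules stated above: the required fields, the status and alertType enums, the killChain normalization (case and spaces ignored, duplicates dropped, values mapped onto the listed phases), the tag character rule, and the uniqueness of tags and mitreAttacks. It also coerces sourceId to a string, because the auto-generated example further down carries the number 296 where the schema declares a string, and it checks mitreAttacks entries against the ATT&CK technique id form (Tnnnn, optionally .nnn for a sub-technique), which the page does not state; the sample alert is constructed from the page's example.

```python
"""Check and normalize an alert object returned in reply/alert-detail-set-reply.

Added example, not CyberProof's code. The sample alert is constructed from the
page's own example. mitreAttacks entries are checked against the ATT&CK technique
id form (Tnnnn or Tnnnn.nnn), which the page does not state explicitly.
"""
import re
from datetime import datetime

KILL_CHAIN_PHASES = ("Reconnaissance", "Weaponization", "Delivery", "Exploitation",
                     "Installation", "Command and Control", "Actions on Objective")
_PHASE_BY_KEY = {p.replace(" ", "").lower(): p for p in KILL_CHAIN_PHASES}
TAG_RE = re.compile(r"^[A-Za-z0-9._#@-]+$")          # letters, digits, - _ . # @
MITRE_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")       # assumption: ATT&CK technique ids
STATUSES = {"New", "In incident", "Closed", "Resolved"}
ALERT_TYPES = {"CTI-Landscape", "CTI-Assetbased", "General"}
REQUIRED = ("id", "source", "sourceId", "name", "description", "severity", "created",
            "modified", "detected", "status", "killChain", "categories", "tags",
            "observableTags")

# Constructed from the page's SetAlertDetail example; sourceId is a number there
# although the schema declares a string.
SAMPLE_ALERT = {
    "id": "5e7c6cf54b832e0018f191ad", "source": "QRadar", "sourceId": 296,
    "name": "Windows - Multiple failed logins same user same host",
    "description": "Customer Name - SmithCo", "severity": "Medium",
    "created": "2019-08-24T14:15:22Z", "modified": "2019-08-24T14:15:22Z",
    "detected": "2019-08-24T14:15:22Z", "status": "New",
    "killChain": ["reconnaissance", "Command And Control", " command and control", "Reconnaissance"],
    "mitreAttacks": ["T1003", "T1001", "T1595.001"], "alertType": "CTI-Landscape",
    "categories": ["Ransomware", "Phishing"], "tags": ["Cloud-Computing", "Virus", "Phishing"],
    "observableTags": ["Cloud-Computing", "Virus"], "classification": "Phishing",
}


def normalize_kill_chain(values):
    """Ignore case and spaces, drop duplicates, map known phases to their canonical
    name. Unknown values are kept as given, since the page says any value is accepted."""
    out = []
    for value in values:
        phase = _PHASE_BY_KEY.get(re.sub(r"\s+", "", value).lower(), value.strip())
        if phase not in out:
            out.append(phase)
    return out


def is_valid_tag(tag):
    return bool(TAG_RE.match(tag))


def check_alert(alert):
    """Return (normalized alert, problems). Empty problems means every rule on this
    page that can be checked without CDC's own severity/company lists holds."""
    alert = dict(alert)
    problems = [f"missing required field {f}" for f in REQUIRED if f not in alert]
    if "sourceId" in alert and not isinstance(alert["sourceId"], str):
        alert["sourceId"] = str(alert["sourceId"])
    if alert.get("status") not in STATUSES:
        problems.append(f"unknown status {alert.get('status')!r}")
    if "alertType" in alert and alert["alertType"] not in ALERT_TYPES:
        problems.append(f"unknown alertType {alert['alertType']!r}")
    if len(alert.get("classification", "")) > 50:
        problems.append("classification exceeds 50 characters")
    if len(alert.get("detectionRule", "")) > 256:
        problems.append("detectionRule exceeds 256 characters")
    for field in ("created", "modified", "detected"):
        value = alert.get(field)
        if value is None:
            continue                       # already reported as missing
        try:
            datetime.fromisoformat(value.replace("Z", "+00:00"))
        except (AttributeError, ValueError):
            problems.append(f"{field} is not an ISO 8601 date-time: {value!r}")
    alert["killChain"] = normalize_kill_chain(alert.get("killChain", []))
    for field in ("tags", "observableTags"):
        tags = alert.get(field, [])
        bad = [t for t in tags if not is_valid_tag(t)]
        if bad:
            problems.append(f"{field} contains invalid tags: {bad}")
        if len(set(tags)) != len(tags):
            problems.append(f"{field} contains duplicates")
    mitre = alert.get("mitreAttacks", [])
    bad_ids = [m for m in mitre if not MITRE_RE.match(m)]
    if bad_ids:
        problems.append(f"mitreAttacks contains malformed ids: {bad_ids}")
    if len(set(mitre)) != len(mitre):
        problems.append("mitreAttacks contains duplicates")
    return alert, problems


if __name__ == "__main__":
    normalized, issues = check_alert(SAMPLE_ALERT)
    print(normalized["sourceId"], normalized["killChain"], issues)
```

The same checks apply to the alert object returned by the classification update reply below, with the difference that there only id, source, sourceId, name and classification are required, so the REQUIRED tuple would be reduced accordingly.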

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "reply/alert-detail-set-reply; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#2 Validation Error Message ValidationError

The reply returned if any of the input data is invalid.

errors
Payload
object
name
required
string

ValidationError

code
required
string

ERR_INVALID_INPUT

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/validation-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#3 Not Found Message NotFoundError

The reply returned if a referenced entity does not exist.

errors
Payload
object
name
required
string

NotFoundError

code
required
string

ERR_NOT_FOUND

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/not-found-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#4 Server Error Message ServerError

The reply returned if an unexpected error occurred during action execution.

errors

Notes:

  • The error message is omitted for security reasons, so this reply carries only the error name and code.
Payload
object
name
required
string

ServerError

code
required
string

ERR_SERVER

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/server-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

alerts

Examples

SetAlertDetail
Payload
{
  "id": "5e7c6cf54b832e0018f191ad",
  "source": "QRadar",
  "sourceId": 296,
  "name": "Windows - Multiple failed logins same user same host",
  "description": "Customer Name - SmithCo\nAlert Name - Windows - Multiple failed logins same user same host\nSource Address - 10.6.100.82\nSource Host Name - PLYF-ASC\nSource Zone Name - RFC1918: 10.0.0.0-10.255.255.255\nDestination User Name - administrator\nDevice Address - 172.31.25.94\nDevice Host Name - ip-172-31-25-94.eu-central-1.compute.internal\nDevice Zone Name - RFC1918: 172.16.0.0-172.31.255.255\nDevice Vendor - Microsoft\nDevice Product - Microsoft Windows\nDevice Event Class Id - rule:105\n",
  "severity": "Medium",
  "created": "2019-08-24T14:15:22Z",
  "modified": "2019-08-24T14:15:22Z",
  "detected": "2019-08-24T14:15:22Z",
  "status": "New",
  "sourceUrl": "https://13.93.41.164/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=296",
  "company": "CompanyName",
  "useCase": "UC216 - EPP - Persistent Malware",
  "detectionRule": "WRONG_PASSWORD_3_ATTEMPTS",
  "killChain": [
    "Reconnaissance",
    "Weaponization",
    "Delivery"
  ],
  "mitreAttacks": [
    "T1003",
    "T1001",
    "T1595.001"
  ],
  "alertType": "CTI-Landscape",
  "threatType": "Phishing",
  "threatActors": [
    "Cyber Criminals",
    "Anonymous"
  ],
  "malwareTools": [
    "TrickBot",
    "IcedID",
    "Cobalt Strike"
  ],
  "ctiSourceUrls": [
    "https://blog.malwarebytes.com/someTopic"
  ],
  "recommendations": "Implement the attached IOCs in your security systems.",
  "categories": [
    "Ransomware",
    "Phishing"
  ],
  "tags": [
    "Cloud-Computing",
    "Virus",
    "Phishing"
  ],
  "observableTags": [
    "Cloud-Computing",
    "Virus",
    "Phishing"
  ],
  "classification": "Phishing"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "reply/alert-detail-set-reply; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ValidationError
Payload
{
  "name": "ValidationError",
  "code": "ERR_INVALID_INPUT",
  "message": "The property {propertyName} is required."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/validation-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
NotFoundError
Payload
{
  "name": "NotFoundError",
  "code": "ERR_NOT_FOUND",
  "message": "The {entityName} is not exist."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/not-found-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ServerError
Payload
{
  "name": "ServerError",
  "code": "ERR_SERVER"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/server-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.

Pub CdcActions.alert.classification.update

Alert update classification channel

Update Alert Classification

Update alert classification.

Effects

  1. A reply with the alert details, including the new classification value, will be sent.
  2. An event AlertEvidenceCreated will be fired.
  3. KPI event "107: Alert Classification updated" will be sent.

Accepts the following message:

Update Alert Classification Command alertClassificationUpdate

update alert classification

This message is a command message that will result in the alert classification being updated.

Payload
object
length <= 2097152
alertId
required
string

The unique Alert ID as defined by CDC

classification
required
string
length <= 50

New value for the alert classification

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

X-Initiated-By
required
string

The user id of the user who initiated this action, as defined in CDC

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "action/alert-classification-update-command; version=1;"
alerts

Examples

alertClassificationUpdate
Payload
{
  "alertId": "603cde4464522f260aacf14a",
  "classification": "Unclassified"
}
This example has been generated automatically.
Headers
{
  "message_id": "4176e52e-b7d6-4aab-a38b-6b43a8d43ed1",
  "X-Initiated-By": "d4599677-be17-4a61-b6d8-72899c771f75",
  "reply_to": "stackstorm-replies:create-alert-replies\n",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d",
  "X-Message-Schema": "action/alert-classification-update-command; version=1;"
}
This example has been generated automatically.

Sub CdcActions.replies.alert.classification.update

Update alert classification reply channel

Update Alert Classification Reply

Accepts one of the following messages:

#1 Update Alert Classification Reply UpdateAlertClassification

The reply returned after the alert classification has been updated

replies

This message is the reply to an update alert classification command

Payload
object
id
required
string

A unique, machine-oriented ID identifying this alert.

source
required
string

The name of the source system

sourceId
required
string

The ID of the alert in the source system

name
required
string

The name of the alert

description
string

The description of the alert

severity
string

The severity of the alert. Must be one of the severities defined in CDC.

created
string
date-time

Alert creation timestamp, in UTC

modified
string
date-time

Last modification timestamp, in UTC

detected
string
date-time

Alert detection timestamp, in UTC

status
string

Alert status

Enum: "New" "In incident" "Closed" "Resolved"
sourceUrl
string
uri

A URI of this alert pointing to the source system

company
string

Name of the company / division to which this incident or alert belongs.

Not to be confused with the "organization" field, which was used to distinguish between tenants and is deprecated.

Note that most customers do not use the "company" feature. The value must be one of the companies defined in the CDC database.

useCase
string

Alert Use Case name

detectionRule
string
length <= 256

Name of the SIEM detection rule that triggered the generation of this alert

killChain
array<string>

Mapping of the alert to specific Kill Chain phases. The case of the names is ignored, as are spaces and duplicate values. All values are normalized according to the provided enum. See the Cyber Kill Chain article on Wikipedia.

This field accepts any value; the provided enum shows the recommended values.

Enum: "Reconnaissance" "Weaponization" "Delivery" "Exploitation" "Installation" "Command and Control" "Actions on Objective"

Items:

0
string
length <= 256

Additional items are allowed.

mitreAttacks
array<string>
Unique

MitreAttack Ids List

Items:

0
string

Additional items are allowed.

alertType
string
length <= 15

The type of the alert. Must be one of the alert types defined in CDC - see Enumerated values. When not provided, or set to an invalid value, alertType will be set to General.

Enum: "CTI-Landscape" "CTI-Assetbased" "General"
threatType
string

The threat type with which this alert is associated.

threatActors
array<string>

The attacker, whoever launched the attack/campaign/malware.

Items:

0
string

Additional items are allowed.

malwareTools
array<string>

The Malware/Tools that were used in the attack.

Items:

0
string

Additional items are allowed.

ctiSourceUrls
array<string>

The data source that was used for opening the alert.

Items:

0
string

Additional items are allowed.

recommendations
string

Instructions on how to handle the alert.

categories
array<string>

Mapping of the alert to a category in the SIEM

Items:

0
string

Additional items are allowed.

tags
array<string>
Unique

Array of tags. A tag name may contain only the following characters: letters, digits, "-", "_", ".", "#" and "@".

Tags are case-preserving on insertion: if the tag does not already exist with a different casing, it is saved with the casing given. When used as query filters, tags are treated as case-insensitive.

Items:

0
string
must match ^\S*$

Additional items are allowed.

observableTags
array<string>
Unique

List of tags of alert observables

Items:

0
string
must match ^\S*$

Additional items are allowed.

classification
required
string
length <= 50

Classification for the alert

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "reply/alert-classification-update-reply; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#2 Validation Error Message ValidationError

The reply returned if any of the input data is invalid.

errors
Payload
object
name
required
string

ValidationError

code
required
string

ERR_INVALID_INPUT

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/validation-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#3 Not Found Message NotFoundError

The reply returned if a referenced entity does not exist.

errors
Payload
object
name
required
string

NotFoundError

code
required
string

ERR_NOT_FOUND

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/not-found-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#4 Server Error Message ServerError

The reply returned if an unexpected error occurred during action execution.

errors

Notes:

  • The error message is omitted for security reasons, so this reply carries only the error name and code.
Payload
object
name
required
string

ServerError

code
required
string

ERR_SERVER

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/server-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

alerts

Examples

UpdateAlertClassification
Payload
{
  "id": "5e7c6cf54b832e0018f191ad",
  "source": "QRadar",
  "sourceId": 296,
  "name": "Windows - Multiple failed logins same user same host",
  "description": "Customer Name - SmithCo\nAlert Name - Windows - Multiple failed logins same user same host\nSource Address - 10.6.100.82\nSource Host Name - PLYF-ASC\nSource Zone Name - RFC1918: 10.0.0.0-10.255.255.255\nDestination User Name - administrator\nDevice Address - 172.31.25.94\nDevice Host Name - ip-172-31-25-94.eu-central-1.compute.internal\nDevice Zone Name - RFC1918: 172.16.0.0-172.31.255.255\nDevice Vendor - Microsoft\nDevice Product - Microsoft Windows\nDevice Event Class Id - rule:105\n",
  "severity": "Medium",
  "created": "2019-08-24T14:15:22Z",
  "modified": "2019-08-24T14:15:22Z",
  "detected": "2019-08-24T14:15:22Z",
  "status": "New",
  "sourceUrl": "https://13.93.41.164/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=296",
  "company": "CompanyName",
  "useCase": "UC216 - EPP - Persistent Malware",
  "detectionRule": "WRONG_PASSWORD_3_ATTEMPTS",
  "killChain": [
    "Reconnaissance",
    "Weaponization",
    "Delivery"
  ],
  "mitreAttacks": [
    "T1003",
    "T1001",
    "T1595.001"
  ],
  "alertType": "CTI-Landscape",
  "threatType": "Phishing",
  "threatActors": [
    "Cyber Criminals",
    "Anonymous"
  ],
  "malwareTools": [
    "TrickBot",
    "IcedID",
    "Cobalt Strike"
  ],
  "ctiSourceUrls": [
    "https://blog.malwarebytes.com/someTopic"
  ],
  "recommendations": "Implement the attached IOCs in your security systems.",
  "categories": [
    "Ransomware",
    "Phishing"
  ],
  "tags": [
    "Cloud-Computing",
    "Virus",
    "Phishing"
  ],
  "observableTags": [
    "Cloud-Computing",
    "Virus",
    "Phishing"
  ],
  "classification": "Phishing"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "reply/alert-classification-update-reply; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ValidationError
Payload
{
  "name": "ValidationError",
  "code": "ERR_INVALID_INPUT",
  "message": "The property {propertyName} is required."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/validation-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
NotFoundError
Payload
{
  "name": "NotFoundError",
  "code": "ERR_NOT_FOUND",
  "message": "The {entityName} is not exist."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/not-found-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ServerError
Payload
{
  "name": "ServerError",
  "code": "ERR_SERVER"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/server-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.

Pub CdcActions.alert.composite.update

Composite Update Alert channel

Composite Update Alert

Composite Update Alert

Aggregates multiple update operations on an alert:

For "Single" fields (e.g. company, description), the new value overrides the existing one.

For "Collection" fields (e.g. killChain, tags), new values are added to the existing ones.

Update operations:

  • setAlertDetails
  • addTags
  • addKillChain
  • addThreatActors
  • addMalwareTools
  • addMitreAttacks

Errors

  • Composite Update Alert operations will fail only when ALL update operations failed. In this case a composite error will be sent.
  • When only part of the update operations failed, the reply will contain the updated alert state and a list of errors describing the failure causes of the failed operations.

Effects

  1. A composite update alert reply will be sent.
  2. When at least one of alert fields was updated AlertUpdated event will be fired, holding the new alert state.
  3. When one of the following fields on the alert is changed, an AlertDetailChanged event will be fired. Relevant fields: name, description, severity, useCase, company, detectionRule.
  4. When company field is set, KPI event "106: Alert Associated With Company" will be sent.
  5. When new values are added to KillChain, all effects (except 1: the reply message) of Add to Alert Kill Chain will apply.
  6. When new values are added to alert tags, all effects (except 1: the reply message) of Add tags to Alert will apply.
  7. When new values are added to alert Mitre attacks, all effects (except 1: the reply message) of Add mitre attacks to Alert will apply.

Accepts the following message:

Composite Update Alert Command CompositeUpdateAlertCommand

Composite Update Alert

This message is a command message that will result in multiple update operations on an Alert.

For "Single" fields (e.g. company, description), the new value overrides the existing one.

For "Collection" fields (e.g. killChain, tags), new values are added to the existing ones.

Payload
object
length <= 2097152
alertId
required
string

The unique Alert ID as defined by CDC

name
string

If specified, will set the name field of the alert


Update operation: setAlertDetails. The existing value will be overridden. Should not be null or empty.

description
string
length <= 5000

If specified, will set the description field of the alert


Update operation: setAlertDetails. The existing value will be overridden. Should not be null or empty. It cannot exceed 5000 characters; when it does, the command will not fail but the description will be truncated.

useCase
string,null

If specified, will set the useCase field of the alert


Update operation: setAlertDetails. The existing value will be overridden. Can be null or empty; in that case the existing value will be deleted.

company
string,null

Name of the company / division to which this incident or alert belongs.

Not to be confused with the "organization" field, which was used to distinguish between tenants and is deprecated.

Note that most customers don't use the "company" feature. Note that the value must be in the list of companies defined in the CDC database.


Update operation: setAlertDetails. The existing value will be overridden. Can be null or empty; in that case the existing value will be deleted.

severity
string

Alert severity (can also be a custom value defined in settings)


Update operation: setAlertDetails. The existing value will be overridden. Should not be null or empty.

Enum: "Low" "Medium" "High" "Critical"
detectionRule
string,null
length <= 256

Name of the SIEM detection rule that triggered the generation of the alert


Update operation: setAlertDetails. The existing value will be overridden. Can be null or empty; in that case the existing value will be deleted.

threatType
string
length <= 50

The threat type with which this alert is associated.


Update operation: setAlertDetails. The existing value will be overridden. Should not be null or empty.

threatActors
array<string>

The attacker, whoever launched the attack/campaign/malware.


Update operation: addThreatActors. New values will be added. Can be null or empty; in that case the field will be ignored.

Items:

0
string
length <= 200

Additional items are allowed.

malwareTools
array<string>

The Malware/Tools that were used in the attack.


Update operation: addMalwareTools. New values will be added. Can be null or empty; in that case the field will be ignored.

Items:

0
string
length <= 200

Additional items are allowed.

recommendations
string,null
length <= 3000

Instructions on how to handle the alert.


Update operation: setAlertDetails. The existing value will be overridden. Can be null or empty; in that case the existing value will be deleted.

killChain
array<string>

Mapping of the alert to specific Kill Chain phases. The case of the names is ignored, as are spaces and duplicate values. All values are normalized according to the provided enum. See Wikipedia.

Validations:

  • The phases array should not be empty
  • Each phase name cannot exceed 256 characters.
  • The added phases array, must be a sub-set of values in the provided enum.

Update operation: addKillChain. New values will be added. Can be null or empty; in that case the field will be ignored.

Enum: "Reconnaissance" "Weaponization" "Delivery" "Exploitation" "Installation" "Command and Control" "Actions on Objective"

Items:

0
string
length <= 256

Additional items are allowed.

tags
array<string>
>= 1 items <= 10 items Unique

The tags to be added to the alert. A tag's name can contain only the following characters: letters, digits, "-", "_", ".", "#" and "@".

Tags are case-preserving on insertion: if a tag doesn't already exist with a different casing style, the tag will be saved with the casing specified. When used as query filters, tags are treated as case-insensitive.


Update operation: addTags. New values will be added. Can be null or empty; in that case the field will be ignored.

Items:

0
string
must match ^\S*$

Additional items are allowed.

mitreAttacks
array<string>
Unique

The MitreAttack Ids to be added to the Alert


Update operation: addMitreAttacks. New values will be added. Can be null or empty; in that case the field will be ignored.

Items:

0
string

Additional items are allowed.

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

X-Initiated-By
required
string

The user id of the user who initiated this action, as defined in CDC

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "action/composite-update-alert-command; version=1;"
alerts

Examples

CompositeUpdateAlertCommand
Payload
{
  "alertId": "603cde4464522f260aacf14a",
  "name": "Persistent Malware 1",
  "description": "message containing malware are delivered to mailboxes in your organization. Office 365 removed the infected messages from Exchange Online mailboxes.",
  "useCase": "UC216 - EPP - Persistent Malware",
  "company": "CompanyName",
  "severity": "Medium",
  "detectionRule": "WRONG_PASSWORD_3_ATTEMPTS",
  "threatType": "Phishing",
  "threatActors": [
    "Cyber Criminals",
    "Anonymous"
  ],
  "malwareTools": [
    "TrickBot",
    "IcedID",
    "Cobalt Strike"
  ],
  "recommendations": "Implement the attached IOCs in your security systems.",
  "killChain": [
    "Reconnaissance",
    "Weaponization",
    "Delivery"
  ],
  "tags": [
    "Cloud-Computing",
    "Virus",
    "Phishing"
  ],
  "mitreAttacks": [
    "T1003",
    "T1001",
    "T1595.001"
  ]
}
This example has been generated automatically.
Headers
{
  "message_id": "4176e52e-b7d6-4aab-a38b-6b43a8d43ed1",
  "X-Initiated-By": "d4599677-be17-4a61-b6d8-72899c771f75",
  "reply_to": "stackstorm-replies:create-alert-replies\n",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d",
  "X-Message-Schema": "action/composite-update-alert-command; version=1;"
}
This example has been generated automatically.
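Client-side preparation of a CompositeUpdateAlertCommand that applies the field rules listed above (single fields override and may be null only where the spec allows, collection fields are added, kill chain phases are normalized, tags are validated, the description is truncated at 5000 characters). This is an added example, not CDC's own client code; the field names, limits, enums and header constant come from the spec, while the function names and the ASCII-only reading of "alphabetic" are the example's own assumptions.

```python
import re
import uuid

# Values taken from the spec above; everything else here is the example's own.
KILL_CHAIN_PHASES = ("Reconnaissance", "Weaponization", "Delivery", "Exploitation",
                     "Installation", "Command and Control", "Actions on Objective")
SEVERITIES = ("Low", "Medium", "High", "Critical")
TAG_RE = re.compile(r"[A-Za-z0-9\-_.#@]+")  # ASCII letters, digits, - _ . # @ (so no whitespace)
MAX_DESCRIPTION = 5000
SCHEMA_CONST = "action/composite-update-alert-command; version=1;"

# setAlertDetails fields: True = may be null/empty (deletes the value), False = must be non-empty
SINGLE_FIELDS = {"name": False, "description": False, "severity": False, "threatType": False,
                 "useCase": True, "company": True, "detectionRule": True, "recommendations": True}
COLLECTION_FIELDS = ("threatActors", "malwareTools", "killChain", "tags", "mitreAttacks")


def normalize_kill_chain(phases):
    """Mirror the server's rule: ignore case, spaces and duplicates and emit the
    canonical enum names; a phase outside the enum is rejected up front."""
    canonical = {p.replace(" ", "").lower(): p for p in KILL_CHAIN_PHASES}
    out, seen = [], set()
    for phase in phases:
        if len(phase) > 256:
            raise ValueError("kill chain phase exceeds 256 characters")
        key = phase.replace(" ", "").lower()
        if key not in canonical:
            raise ValueError(f"unknown kill chain phase: {phase!r}")
        if key not in seen:
            seen.add(key)
            out.append(canonical[key])
    if not out:
        raise ValueError("kill chain phases array must not be empty")
    return out


def validate_tags(tags):
    """addTags: 1..10 items, no whitespace (^\\S*$), restricted character set.
    Duplicates are rejected case-insensitively because tag queries are
    case-insensitive, while the casing supplied is what gets stored."""
    if not 1 <= len(tags) <= 10:
        raise ValueError("tags must contain between 1 and 10 items")
    seen = set()
    for tag in tags:
        if not TAG_RE.fullmatch(tag):
            raise ValueError(f"tag has disallowed characters or whitespace: {tag!r}")
        if tag.lower() in seen:
            raise ValueError(f"duplicate tag (case-insensitive): {tag!r}")
        seen.add(tag.lower())
    return list(tags)


def build_composite_update(alert_id, initiated_by, reply_to=None, correlation_id=None, **fields):
    """Return (payload, headers) for one CompositeUpdateAlertCommand.
    Unknown fields are rejected rather than passed through, so a typo cannot
    silently become an ignored (or additional) property."""
    payload = {"alertId": alert_id}
    for name, value in fields.items():
        if name in SINGLE_FIELDS:
            if value in (None, ""):
                if not SINGLE_FIELDS[name]:
                    raise ValueError(f"{name} must not be null or empty")
                payload[name] = None            # null deletes the existing value
                continue
            if name == "severity" and value not in SEVERITIES:
                raise ValueError(f"severity must be one of {SEVERITIES}")
            if name == "description" and len(value) > MAX_DESCRIPTION:
                value = value[:MAX_DESCRIPTION]  # the server would truncate anyway
            if name == "detectionRule" and len(value) > 256:
                raise ValueError("detectionRule exceeds 256 characters")
            payload[name] = value
        elif name in COLLECTION_FIELDS:
            if not value:
                continue                         # null/empty collection is ignored
            if name == "killChain":
                value = normalize_kill_chain(value)
            elif name == "tags":
                value = validate_tags(value)
            elif name == "mitreAttacks":
                value = list(dict.fromkeys(value))  # schema requires unique items
            elif any(len(v) > 200 for v in value):   # threatActors / malwareTools
                raise ValueError(f"{name} item exceeds 200 characters")
            payload[name] = value
        else:
            raise ValueError(f"unknown composite update field: {name}")
    if len(payload) == 1:
        raise ValueError("no update operation requested")
    headers = {
        "message_id": str(uuid.uuid4()),         # dedup key for reruns
        "X-Initiated-By": initiated_by,
        "correlation_id": correlation_id or str(uuid.uuid4()),
        "X-Message-Schema": SCHEMA_CONST,
    }
    if reply_to:                                 # "<exchangeName>:<routingKey>"
        headers["reply_to"] = reply_to
    return payload, headers
```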

Sub CdcActions.replies.alert.composite.update

Composite update alert reply channel

Composite update alert Reply

Accepts one of the following messages:

#1 Composite Update Alert Reply CompositeUpdateAlertReply

The reply which is returned after a Composite Update Alert operation

replies

This message is a reply for Composite Update Alert operation

Errors

  • Composite Update Alert operations will fail only when ALL update operations failed. In this case a composite error will be sent. Note: a CompositeServerError will also be received for a single update operation. For example, if only a single field is updated (e.g. "description"), there is only one update operation, "setAlertDetails"; if it fails, 1 out of 1 operations failed, and a CompositeServerError holding this single error will be received.

  • When only part of the update operations failed, the reply will contain the updated alert state and a list of errors describing the failure causes of the failed operations.

Payload
object
alert
required
object

The state of the alert after the update.

id
string

A unique, machine-oriented ID identifying this alert.

source
string

The name of the source system

sourceId
string

The ID of the alert in the source system

name
string

The name of the alert

description
string

The description of the alert

severity
string

The severity of the alert. Must be one of the severities defined in CDC.

created
string
date-time

Alert creation timestamp, in UTC

modified
string
date-time

Last modification timestamp, in UTC

detected
string
date-time

Alert detection timestamp, in UTC

status
string

Alert status

Enum: "New" "In incident" "Closed" "Resolved"
sourceUrl
string
uri

A URI of this alert pointing to the source system

company
string

Name of the company / division to which this incident or alert belongs.

Not to be confused with the "organization" field, which was used to distinguish between tenants and is deprecated.

Note that most customers don't use the "company" feature. Note that the value must be in the list of companies defined in the CDC database.

useCase
string

Alert Use Case name

detectionRule
string
length <= 256

Name of the SIEM detection rule that triggered the generation of the alert

killChain
array<string>

Mapping of the alert to specific Kill Chain phases. The case of the names is ignored, as are spaces and duplicate values. All values are normalized according to the provided enum. See Wikipedia.

This field accepts any value; the provided enum shows the recommended values.

Enum: "Reconnaissance" "Weaponization" "Delivery" "Exploitation" "Installation" "Command and Control" "Actions on Objective"

Items:

0
string
length <= 256

Additional items are allowed.

mitreAttacks
array<string>
Unique

MitreAttack Ids List

Items:

0
string

Additional items are allowed.

alertType
string
length <= 15

The type of the alert. Must be one of the alert types defined in CDC - see Enumerated values. When not provided or set to an invalid value, alertType will be set to General.

Enum: "CTI-Landscape" "CTI-Assetbased" "General"
threatType
string

The threat type with which this alert is associated.

threatActors
array<string>

The attacker, whoever launched the attack/campaign/malware.

Items:

0
string

Additional items are allowed.

malwareTools
array<string>

The Malware/Tools that were used in the attack.

Items:

0
string

Additional items are allowed.

ctiSourceUrls
array<string>

The data source that was used for opening the alert.

Items:

0
string

Additional items are allowed.

recommendations
string

Instructions on how to handle the alert.

categories
array<string>

Mapping of the alert to a specific category in the SIEM

Items:

0
string

Additional items are allowed.

tags
array<string>
Unique

Array of tags. A tag's name can contain only the following characters: letters, digits, "-", "_", ".", "#" and "@".

Tags are case-preserving on insertion: if a tag doesn't already exist with a different casing style, the tag will be saved with the casing specified. When used as query filters, tags are treated as case-insensitive.

Items:

0
string
must match ^\S*$

Additional items are allowed.

observableTags
array<string>
Unique

List of tags of alert observables

Items:

0
string
must match ^\S*$

Additional items are allowed.

classification
string
length <= 50

Classification for the alert

Additional properties are allowed.

errors
required
array<object>

List of errors

errorMessage
string

A message summarizing the cause of the error

error
object

Additional properties are allowed.

Additional items are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "reply/composite-update-alert-reply; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#2 Composite Server Error Message CompositeServerError

The reply which is returned if errors (single or multiple) occurred while running an operation on the server.

errors

This reply will hold a general error message and a list of errors that occurred while running an operation.

Note: the errors array may contain only one item.

Payload
object
name
required
string

ServerError

code
required
string

ERR_SERVER

errorMessage
required
string

A general error message that summarizes the failure of the operation.

errors
required
array<object>

List of errors

errorMessage
string

A message summarizing the cause of the error

error
object

Additional properties are allowed.

Additional items are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/server-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#3 Not Found Message NotFoundError

The reply which is returned if some entity does not exist.

errors
Payload
object
name
required
string

NotFoundError

code
required
string

ERR_NOT_FOUND

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/not-found-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#4 Server Error Message ServerError

The reply which is returned if an unexpected error occurred during action execution.

errors

Notes:

  • The error message is hidden due to security concerns
Payload
object
name
required
string

ServerError

code
required
string

ERR_SERVER

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/server-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

alerts

Examples

CompositeUpdateAlertReply
Payload
{
  "alert": {
    "id": "5e7c6cf54b832e0018f191ad",
    "source": "QRadar",
    "sourceId": 296,
    "name": "Windows - Multiple failed logins same user same host",
    "description": "Customer Name - SmithCo\nAlert Name - Windows - Multiple failed logins same user same host\nSource Address - 10.6.100.82\nSource Host Name - PLYF-ASC\nSource Zone Name - RFC1918: 10.0.0.0-10.255.255.255\nDestination User Name - administrator\nDevice Address - 172.31.25.94\nDevice Host Name - ip-172-31-25-94.eu-central-1.compute.internal\nDevice Zone Name - RFC1918: 172.16.0.0-172.31.255.255\nDevice Vendor - Microsoft\nDevice Product - Microsoft Windows\nDevice Event Class Id - rule:105\n",
    "severity": "Medium",
    "created": "2019-08-24T14:15:22Z",
    "modified": "2019-08-24T14:15:22Z",
    "detected": "2019-08-24T14:15:22Z",
    "status": "New",
    "sourceUrl": "https://13.93.41.164/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=296",
    "company": "CompanyName",
    "useCase": "UC216 - EPP - Persistent Malware",
    "detectionRule": "WRONG_PASSWORD_3_ATTEMPTS",
    "killChain": [
      "Reconnaissance",
      "Weaponization",
      "Delivery"
    ],
    "mitreAttacks": [
      "T1003",
      "T1001",
      "T1595.001"
    ],
    "alertType": "CTI-Landscape",
    "threatType": "Phishing",
    "threatActors": [
      "Cyber Criminals",
      "Anonymous"
    ],
    "malwareTools": [
      "TrickBot",
      "IcedID",
      "Cobalt Strike"
    ],
    "ctiSourceUrls": [
      "https://blog.malwarebytes.com/someTopic"
    ],
    "recommendations": "Implement the attached IOCs in your security systems.",
    "categories": [
      "Ransomware",
      "Phishing"
    ],
    "tags": [
      "Cloud-Computing",
      "Virus",
      "Phishing"
    ],
    "observableTags": [
      "Cloud-Computing",
      "Virus",
      "Phishing"
    ],
    "classification": "Phishing"
  },
  "errors": [
    {
      "errorMessage": "Operation setAlertDetails failed",
      "error": {}
    }
  ]
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "reply/composite-update-alert-reply; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
CompositeServerError
Payload
{
  "name": "ServerError",
  "code": "ERR_SERVER",
  "errorMessage": "Update X Operation failed with multiple errors.",
  "errors": [
    {
      "errorMessage": "Operation setAlertDetails failed",
      "error": {}
    }
  ]
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/server-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
NotFoundError
Payload
{
  "name": "NotFoundError",
  "code": "ERR_NOT_FOUND",
  "message": "The {entityName} is not exist."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/not-found-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ServerError
Payload
{
  "name": "ServerError",
  "code": "ERR_SERVER"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/server-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
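Consumer-side handling of the composite update reply channel: parsing the X-Message-Schema header format described in the Headers sections above, matching correlation_id, and applying the rule that a CompositeServerError means every update operation failed while a CompositeUpdateAlertReply with a non-empty errors list is a partial failure. This is an added example, not CDC's own code; the function and outcome names are the example's own, and the sample messages are constructed from the page's auto-generated examples.

```python
import re
from dataclasses import dataclass
from typing import Optional

# {event-type}/{schema-name}; version={version}({-stage});
# schema names are lowercase and dash-separated; the pre-release stage is a
# hyphen followed by dot-separated identifiers, e.g. "version=2-beta.1;"
SCHEMA_RE = re.compile(
    r"^(?P<type>[a-z]+)/(?P<name>[a-z]+(?:-[a-z]+)*);\s*"
    r"version=(?P<major>\d+)(?:-(?P<stage>[0-9A-Za-z]+(?:\.[0-9A-Za-z]+)*))?;$"
)


@dataclass(frozen=True)
class MessageSchema:
    event_type: str
    name: str
    major: int
    stage: Optional[str]


def parse_schema(header):
    """Parse an X-Message-Schema value; anything off-format is rejected so a
    malformed or unexpected schema is never routed as a known reply."""
    m = SCHEMA_RE.match(header.strip())
    if not m:
        raise ValueError(f"malformed X-Message-Schema: {header!r}")
    return MessageSchema(m["type"], m["name"], int(m["major"]), m["stage"])


def classify_composite_reply(headers, payload, expected_correlation_id):
    """Return (outcome, alert_state, errors) for a message received on the
    composite update reply channel. Outcomes follow the page's rules:
    success / partial  -> CompositeUpdateAlertReply (errors list empty or not)
    all_failed         -> CompositeServerError (every update operation failed)
    not_found / error  -> NotFoundError / ServerError"""
    if headers.get("correlation_id") != expected_correlation_id:
        raise ValueError("correlation_id does not match the request")
    schema = parse_schema(headers["X-Message-Schema"])
    if schema.major != 1:
        raise ValueError(f"unsupported schema version {schema.major}")
    if schema.event_type == "reply" and schema.name == "composite-update-alert-reply":
        errors = payload.get("errors") or []
        return ("partial" if errors else "success"), payload["alert"], errors
    if schema.event_type == "error":
        if payload.get("code") == "ERR_SERVER" and "errors" in payload:
            return "all_failed", None, payload["errors"]
        if payload.get("code") == "ERR_NOT_FOUND":
            return "not_found", None, [{"errorMessage": payload["message"]}]
        # a plain ServerError carries no message (hidden for security reasons)
        return "error", None, [{"errorMessage": payload.get("message", "(hidden)")}]
    raise ValueError(f"unexpected schema on reply channel: {schema.event_type}/{schema.name}")


# Constructed sample messages, shaped like the page's auto-generated examples.
CORRELATION = "278940cd-cde8-40ed-adb2-caafd89bcb5d"
PARTIAL_REPLY = (
    {"X-Message-Schema": "reply/composite-update-alert-reply; version=1;",
     "correlation_id": CORRELATION},
    {"alert": {"id": "5e7c6cf54b832e0018f191ad", "severity": "Medium",
               "tags": ["Cloud-Computing", "Virus", "Phishing"]},
     "errors": [{"errorMessage": "Operation setAlertDetails failed", "error": {}}]},
)
TOTAL_FAILURE = (
    {"X-Message-Schema": "error/server-error; version=1;", "correlation_id": CORRELATION},
    {"name": "ServerError", "code": "ERR_SERVER",
     "errorMessage": "Update X Operation failed with multiple errors.",
     "errors": [{"errorMessage": "Operation setAlertDetails failed", "error": {}}]},
)
```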

Pub CdcActions.alert.observables.add

Alert add observables channel

Add Observables to Alert

Adds observables to an alert.

Notes

  1. If the observable already exists, the additional properties of that observable are merged and any existing property value is overridden.
  2. An observables-added-to-alert reply will be sent.
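
The merge rule in note 1, applied to a local copy of an alert's observables so the expected post-operation state can be compared with the reply. This is an added example and not CDC's code: the function names are the example's own, the observables are keyed by (type, value) as an assumption, and the sample observables are constructed.

```python
def merge_observables(existing, incoming):
    """Apply an AddObservablesToAlertCommand to a local copy of the alert's
    observables, keyed by (type, value), following note 1 above:
    - an unknown (type, value) pair is appended as a new observable;
    - for an existing pair, extraProperties and relatedExtraProperties are
      merged property by property, the incoming value overriding the old one;
    - tags are unioned case-insensitively, keeping the casing already stored
      (case-preserving insertion, case-insensitive comparison).
    The input lists are not mutated."""
    index = {(o["type"], o["value"]): dict(o) for o in existing}
    for obs in incoming:
        key = (obs["type"], obs["value"])
        if key not in index:
            index[key] = dict(obs)
            continue
        current = index[key]
        for bag in ("extraProperties", "relatedExtraProperties"):
            merged = dict(current.get(bag) or {})
            merged.update(obs.get(bag) or {})      # incoming property wins
            if merged:
                current[bag] = merged
        tags = list(current.get("tags") or [])
        seen = {t.lower() for t in tags}
        for tag in obs.get("tags") or []:
            if tag.lower() not in seen:
                seen.add(tag.lower())
                tags.append(tag)
        if tags:
            current["tags"] = tags
    return list(index.values())


def expected_reply(alert_id, observables):
    """Shape of the AddObservablesToAlertReply payload: every observable now
    associated with the alert, reduced to its type and value."""
    return {"alertId": alert_id,
            "observables": [{"type": o["type"], "value": o["value"]} for o in observables]}


# Constructed sample: the alert already holds one observable with an older
# property value; the command re-sends it with new properties plus a new one.
EXISTING = [{"type": "IPv4 Address", "value": "192.168.40.45", "tags": ["Virus"],
             "extraProperties": {"property1": {"value": "old", "type": "WeakIdentifier"}}}]
INCOMING = [{"type": "IPv4 Address", "value": "192.168.40.45", "tags": ["virus", "Phishing"],
             "extraProperties": {"property1": {"value": "aaa-bbcc", "type": "WeakIdentifier"},
                                 "property2": {"value": "aaa-bbcc", "type": "WeakIdentifier"}}},
            {"type": "IPv4 Address", "value": "10.0.0.5"}]
```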

Accepts the following message:

Add Observables To Alert Command AddObservablesToAlertCommand

Adds observables to alert

This message is a command message that adds observables to an alert

Payload
object
alertId
required
string

The unique Alert ID as defined by CDC

observables
required
array<object>
>= 1 items

The observables to be added to the alert

Items:

0
object
type
required
string

The type of the observable

value
required
string

The value of the observable

tags
array<string>
Unique

Array of tags. A tag's name can contain only the following characters: letters, digits, "-", "_", ".", "#" and "@".

Tags are case-preserving on insertion: if a tag doesn't already exist with a different casing style, the tag will be saved with the casing specified. When used as query filters, tags are treated as case-insensitive.

Items:

0
string
must match ^\S*$

Additional items are allowed.

extraProperties
anyOf

Extra properties of the observable

0
object

Additional properties must adhere to the following schema:

(property name)
object
value
required
anyOf
0
string
1
number
2
boolean
3
array<string>

Items:

0
string

Additional items are allowed.

4
array<number>

Items:

0
number

Additional items are allowed.

5
array<boolean>

Items:

0
boolean

Additional items are allowed.

type
string

Additional properties are allowed.

relatedExtraProperties
anyOf

Related extra properties of the observable

0
object

Additional properties must adhere to the following schema:

(property name)
object
value
required
anyOf
0
string
1
number
2
boolean
3
array<string>

Items:

0
string

Additional items are allowed.

4
array<number>

Items:

0
number

Additional items are allowed.

5
array<boolean>

Items:

0
boolean

Additional items are allowed.

type
string

Additional properties are allowed.

Additional properties are allowed.

Additional items are allowed.

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

X-Initiated-By
required
string

The user id of the user who initiated this action, as defined in CDC

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "action/add-observables-to-alert-command; version=1;"
alerts observables

Examples

AddObservablesToAlertCommand
Payload
{
  "alertId": "603cde4464522f260aacf14a",
  "observables": [
    {
      "type": "IPv4 Address",
      "value": "192.168.40.45",
      "tags": [
        "Cloud-Computing",
        "Virus",
        "Phishing"
      ],
      "extraProperties": {
        "property1": {
          "value": "aaa-bbcc",
          "type": "WeakIdentifier"
        },
        "property2": {
          "value": "aaa-bbcc",
          "type": "WeakIdentifier"
        }
      },
      "relatedExtraProperties": {
        "property1": {
          "value": "aaa-bbcc",
          "type": "WeakIdentifier"
        },
        "property2": {
          "value": "aaa-bbcc",
          "type": "WeakIdentifier"
        }
      }
    }
  ]
}
This example has been generated automatically.
Headers
{
  "message_id": "4176e52e-b7d6-4aab-a38b-6b43a8d43ed1",
  "X-Initiated-By": "d4599677-be17-4a61-b6d8-72899c771f75",
  "reply_to": "stackstorm-replies:create-alert-replies\n",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d",
  "X-Message-Schema": "action/add-observables-to-alert-command; version=1;"
}
This example has been generated automatically.

Sub CdcActions.replies.alert.observables.add

Adding Observables to Alert reply channel

Add Observables to Alert Reply

Accepts one of the following messages:

#1 Add Observables To Alert Reply AddObservablesToAlertReply

The reply which is returned after adding observables to an alert

replies

This message is a reply for adding observables to an alert

Payload
object
alertId
required
string

The unique Alert ID as defined by CDC

observables
required
array<object>
>= 1 items Unique

The list of all observables associated with the alert after the operation has completed

type
required
string

The type of the observable

value
required
string

The value of the observable

Additional items are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "reply/alert-observables-add-reply; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#2 Validation Error Message ValidationError

The reply which is returned if any of the input data is not valid.

errors
Payload
object
name
required
string

ValidationError

code
required
string

ERR_INVALID_INPUT

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/validation-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#3 Not Found Message NotFoundError

The reply which is returned if some entity does not exist.

errors
Payload
object
name
required
string

NotFoundError

code
required
string

ERR_NOT_FOUND

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/not-found-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#4 Server Error Message ServerError

The reply which is returned if an unexpected error occurred during action execution.

errors

Notes:

  • The error message is hidden due to security concerns
Payload
object
name
required
string

ServerError

code
required
string

ERR_SERVER

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/server-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

alerts observables

Examples

AddObservablesToAlertReply
Payload
{
  "alertId": "603cde4464522f260aacf14a",
  "observables": [
    {
      "type": "IPv4 Address",
      "value": "192.168.40.45"
    }
  ]
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "reply/alert-observables-add-reply; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ValidationError
Payload
{
  "name": "ValidationError",
  "code": "ERR_INVALID_INPUT",
  "message": "The property {propertyName} is required."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/validation-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
NotFoundError
Payload
{
  "name": "NotFoundError",
  "code": "ERR_NOT_FOUND",
  "message": "The {entityName} is not exist."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/not-found-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ServerError
Payload
{
  "name": "ServerError",
  "code": "ERR_SERVER"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/server-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
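The reply channel above can deliver any one of four message types for a single command, and the only way to tell them apart is the X-Message-Schema header, while correlation_id ties each reply to the command that caused it. The following is an added example, not code from the CDC API or its documentation: it parses the documented header format (lowercase dash-separated schema name, integer major version, optional pre-release stage) and routes reply-channel messages to the pending command by correlation_id. The message dict shape, the class and function names, and the sample messages are constructed for this example from the schema constants shown above.

```python
"""Added example (not part of the CDC API docs): parse the X-Message-Schema header
and route reply-channel messages back to the command they answer via correlation_id.
The {"headers": ..., "payload": ...} message shape and the class/function names are
assumptions for this example; the sample messages are constructed from the
documented schema constants."""
import re
from dataclasses import dataclass
from typing import Optional

# {event-type}/{schema-name}; version={version}({-stage});
# schema-name is lowercase and dash-separated only; version is an integer major
# with an optional pre-release stage (hyphen + dot-separated identifiers).
_SCHEMA_RE = re.compile(
    r"^(?P<event_type>[a-z]+)/(?P<schema_name>[a-z0-9]+(?:-[a-z0-9]+)*);"
    r"\s*version=(?P<major>\d+)(?:-(?P<stage>[0-9A-Za-z]+(?:\.[0-9A-Za-z]+)*))?;$"
)


@dataclass(frozen=True)
class MessageSchema:
    event_type: str              # "reply" or "error" on reply channels
    schema_name: str
    major: int
    stage: Optional[str] = None  # e.g. "beta.1"; None for a release version


def parse_message_schema(value: str) -> MessageSchema:
    """Parse an X-Message-Schema header; raise ValueError for a malformed value."""
    m = _SCHEMA_RE.match(value.strip())
    if m is None:
        raise ValueError(f"malformed X-Message-Schema: {value!r}")
    return MessageSchema(m["event_type"], m["schema_name"], int(m["major"]), m["stage"])


class ReplyRouter:
    """Tracks commands awaiting a reply, keyed by correlation_id, and classifies
    each incoming reply-channel message as ok / error / unexpected / unmatched."""

    def __init__(self) -> None:
        self._pending: dict = {}  # correlation_id -> (expected reply schema, major)

    def expect(self, correlation_id: str, reply_schema: str, major: int = 1) -> None:
        """Register a sent command and the reply schema (and major version) it expects."""
        self._pending[correlation_id] = (reply_schema, major)

    def route(self, message: dict) -> dict:
        headers = message["headers"]
        cid = headers.get("correlation_id")
        expected = self._pending.pop(cid, None)
        if expected is None:
            # Never treat an unsolicited reply as the outcome of a command.
            return {"status": "unmatched", "correlation_id": cid}
        schema = parse_message_schema(headers["X-Message-Schema"])
        payload = message["payload"]
        if schema.event_type == "error":
            # ServerError deliberately carries no message field, hence .get().
            return {"status": "error", "correlation_id": cid,
                    "name": payload["name"], "code": payload["code"],
                    "message": payload.get("message")}
        if schema.event_type == "reply" and (schema.schema_name, schema.major) == expected:
            return {"status": "ok", "correlation_id": cid, "payload": payload}
        # Right correlation_id but a different schema or an unsupported major version.
        return {"status": "unexpected", "correlation_id": cid,
                "schema": headers["X-Message-Schema"]}


# Constructed sample messages, using the schema constants documented above.
CID = "278940cd-cde8-40ed-adb2-caafd89bcb5d"
OBSERVABLES_REPLY = {
    "headers": {"X-Message-Schema": "reply/alert-observables-add-reply; version=1;",
                "correlation_id": CID},
    "payload": {"alertId": "603cde4464522f260aacf14a",
                "observables": [{"type": "IPv4 Address", "value": "192.168.40.45"}]},
}
NOT_FOUND_REPLY = {
    "headers": {"X-Message-Schema": "error/not-found-error; version=1;",
                "correlation_id": CID},
    "payload": {"name": "NotFoundError", "code": "ERR_NOT_FOUND",
                "message": "The {entityName} is not exist."},
}
SERVER_ERROR_REPLY = {
    "headers": {"X-Message-Schema": "error/server-error; version=1;",
                "correlation_id": CID},
    "payload": {"name": "ServerError", "code": "ERR_SERVER"},
}

if __name__ == "__main__":
    router = ReplyRouter()
    router.expect(CID, "alert-observables-add-reply")
    print(router.route(OBSERVABLES_REPLY)["status"])   # ok
    print(router.route(SERVER_ERROR_REPLY)["status"])  # unmatched: the id was consumed
```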

Pub CdcActions.alert.tags.add

Alert add tag channel

Add tags to Alert

Adds tags to an alert.

Effects

Notes

  • Any tags already associated with the alert will be ignored (the command won't fail)

Accepts the following message:

Add Tags To Alert Command AddTagsToAlertCommand

Adds tags to an alert.

This message is a command message that adds tags to an alert.

Payload
object
alertId
required
string

The unique Alert ID as defined by CDC

tags
required
array<string>
>= 1 items <= 10 items Unique

Array of tags. A tag name may contain only the following characters: letters, digits, "-", "_", ".", "#" and "@".

Tags are case-preserving on insertion: if the tag does not already exist with a different casing, it is saved with the casing specified. When used as query filters, tags are treated as case-insensitive.

Items:

0
string
must match ^\S*$

Additional items are allowed.

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

X-Initiated-By
required
string

The user id of the user who initiated this action, as defined in CDC

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and uses only dashes as separators. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "action/add-tags-to-alert-command; version=1;"
alerts

Examples

AddTagsToAlertCommand
Payload
{
  "alertId": "603cde4464522f260aacf14a",
  "tags": [
    "Cloud-Computing",
    "Virus",
    "Phishing"
  ]
}
This example has been generated automatically.
Headers
{
  "message_id": "4176e52e-b7d6-4aab-a38b-6b43a8d43ed1",
  "X-Initiated-By": "d4599677-be17-4a61-b6d8-72899c771f75",
  "reply_to": "stackstorm-replies:create-alert-replies\n",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d",
  "X-Message-Schema": "action/add-tags-to-alert-command; version=1;"
}
This example has been generated automatically.
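The tag rules above (1 to 10 unique items, a restricted character set, the ^\S*$ pattern, case-preserving insertion with case-insensitive lookup, and already-present tags being ignored rather than failing the command) are easy to get subtly wrong on the producer side. The following is an added example, not code from the CDC API or its documentation: a client-side validator for the AddTagsToAlertCommand payload and a small model of the documented tag-store semantics. The function and class names are constructed; rejecting the empty tag (which the ^\S*$ pattern alone would admit) is an assumption.

```python
"""Added example (not from the CDC docs): client-side validation of an
AddTagsToAlertCommand payload against the rules documented above, plus a model of
the documented tag-store semantics. validate_add_tags_command and TagStore are
constructed names, not CDC API functions; requiring a non-empty tag is an assumption
(the documented pattern ^\\S*$ on its own also matches the empty string)."""
import re

# Letters, digits, "-", "_", ".", "#" and "@" only; no whitespace, so ^\S*$ holds too.
TAG_RE = re.compile(r"^[A-Za-z0-9\-_.#@]+$")
MIN_TAGS, MAX_TAGS = 1, 10   # ">= 1 items <= 10 items"


def validate_add_tags_command(payload: dict) -> list:
    """Return the list of validation errors for a command payload (empty == valid)."""
    errors = []
    alert_id = payload.get("alertId")
    if not isinstance(alert_id, str) or not alert_id:
        errors.append("alertId is required and must be a non-empty string")
    tags = payload.get("tags")
    if not isinstance(tags, list):
        return errors + ["tags is required and must be an array"]
    if not MIN_TAGS <= len(tags) <= MAX_TAGS:
        errors.append(f"tags must contain between {MIN_TAGS} and {MAX_TAGS} items")
    if len(set(tags)) != len(tags):
        errors.append("tags must be unique")
    for tag in tags:
        if not isinstance(tag, str) or not TAG_RE.match(tag):
            errors.append(f"tag {tag!r} must contain only letters, digits, - _ . # @")
    return errors


class TagStore:
    """Models the documented casing rules: the casing first inserted is kept, a tag
    that already exists under any casing is ignored, and lookups ignore case."""

    def __init__(self) -> None:
        self._by_key = {}   # lower-cased tag -> stored casing

    def add(self, tags) -> list:
        """Add tags to the alert; returns only the tags that were actually new."""
        added = []
        for tag in tags:
            key = tag.lower()
            if key not in self._by_key:
                self._by_key[key] = tag
                added.append(tag)
        return added

    def find(self, query: str):
        """Case-insensitive filter lookup; returns the stored casing or None."""
        return self._by_key.get(query.lower())

    def all(self) -> list:
        return list(self._by_key.values())


if __name__ == "__main__":
    # Constructed payload mirroring the generated example above.
    cmd = {"alertId": "603cde4464522f260aacf14a",
           "tags": ["Cloud-Computing", "Virus", "Phishing"]}
    print(validate_add_tags_command(cmd))           # []
    store = TagStore()
    print(store.add(cmd["tags"]))                   # all three are new
    print(store.add(["virus", "Malware"]))          # ['Malware']; "virus" already exists
    print(store.find("VIRUS"))                      # Virus
```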

Sub CdcActions.replies.alert.tags.add

Adding tags to Alert reply channel

Add tags to Alert Reply

Accepts one of the following messages:

#1 Add Tags To Alert Reply AddTagsToAlertReply

The reply returned after tags are added to an alert.

replies

This message is the reply to the add-tags-to-alert command.

Payload
object
alertId
required
string

The unique Alert ID as defined by CDC

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and uses only dashes as separators. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "reply/alert-tags-add-reply; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#2 Validation Error Message ValidationError

The reply returned if any of the input data is invalid.

errors
Payload
object
name
required
string

ValidationError

code
required
string

ERR_INVALID_INPUT

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and uses only dashes as separators. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/validation-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#3 Not Found Message NotFoundError

The reply returned if a referenced entity does not exist.

errors
Payload
object
name
required
string

NotFoundError

code
required
string

ERR_NOT_FOUND

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and uses only dashes as separators. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/not-found-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#4 Server Error Message ServerError

The reply returned if an unexpected error occurred during action execution.

errors

Notes:

  • The error message is hidden due to security concerns
Payload
object
name
required
string

ServerError

code
required
string

ERR_SERVER

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and uses only dashes as separators. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/server-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

alerts

Examples

AddTagsToAlertReply
Payload
{
  "alertId": "603cde4464522f260aacf14a"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "reply/alert-tags-add-reply; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ValidationError
Payload
{
  "name": "ValidationError",
  "code": "ERR_INVALID_INPUT",
  "message": "The property {propertyName} is required."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/validation-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
NotFoundError
Payload
{
  "name": "NotFoundError",
  "code": "ERR_NOT_FOUND",
  "message": "The {entityName} is not exist."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/not-found-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ServerError
Payload
{
  "name": "ServerError",
  "code": "ERR_SERVER"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/server-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.

Pub CdcActions.alert.killChain.add

Add to Alert Kill Chain channel

Add to Alert Kill Chain

Adds phases to the alert Kill Chain. This operation is idempotent (upsert).

Effects

  1. Alert Kill Chain Mapping will be updated. If specified phases already exist, no changes will be made to alert.
  2. alert:updated webpush event will be published with updated Kill Chain data.
  3. An add to alert killChain reply will be sent.

This feature is not yet implemented:

4. If the killChain value was updated, an event will be added to the alert Timeline:

Title: Kill Chain mapping changed

Body: <username> changed Kill Chain mapping from […] to […].

Accepts the following message:

Add Phases To Alert Kill Chain Command AddToAlertKillChainCommand

Adds phases to the alert Kill Chain.

This message is a command message that adds phases to the alert Kill Chain Mapping.

Payload
object
alertId
required
string

The unique Alert ID as defined by CDC

phases
required
array<string>
>= 1 items

Mapping of the alert to specific Kill Chain phases. The case of the names is ignored, as are spaces and duplicate values. All values are normalized according to the provided enum. See Wikipedia.

Validations:

  • The phases array must not be empty.
  • Each phase name cannot exceed 256 characters.
  • The added phases array must be a subset of the values in the provided enum.
Enum: "Reconnaissance" "Weaponization" "Delivery" "Exploitation" "Installation" "Command and Control" "Actions on Objective"

Items:

0
string

Additional items are allowed.

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

X-Initiated-By
required
string

The user id of the user who initiated this action, as defined in CDC

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and uses only dashes as separators. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "action/add-to-alert-kill-chain-command; version=1;"
alerts

Examples

AddToAlertKillChainCommand
Payload
{
  "alertId": "603cde4464522f260aacf14a",
  "phases": [
    "Reconnaissance",
    "Weaponization",
    "Delivery"
  ]
}
This example has been generated automatically.
Headers
{
  "message_id": "4176e52e-b7d6-4aab-a38b-6b43a8d43ed1",
  "X-Initiated-By": "d4599677-be17-4a61-b6d8-72899c771f75",
  "reply_to": "stackstorm-replies:create-alert-replies\n",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d",
  "X-Message-Schema": "action/add-to-alert-kill-chain-command; version=1;"
}
This example has been generated automatically.
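The phases field above is normalized by CDC (case, spaces and duplicates are ignored, values are mapped onto the enum) and the operation is an upsert that leaves the alert untouched when every phase is already present. The following is an added example, not code from the CDC API or its documentation: it implements that normalization and upsert, raising the documented validation failures (empty array, name over 256 characters, value outside the enum). The function names are constructed, and keeping phases in first-seen order is an assumption, since the page states no ordering.

```python
"""Added example (not from the CDC docs): the phase normalization and upsert
behaviour documented for AddToAlertKillChainCommand. normalize_phases and
add_to_kill_chain are constructed names; keeping phases in first-seen order is an
assumption (the docs do not state an ordering)."""

KILL_CHAIN_PHASES = (
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objective",
)
MAX_PHASE_LEN = 256  # "Each phase name cannot exceed 256 characters."

# Lookup key: enum value with spaces removed and case folded.
_CANONICAL = {phase.replace(" ", "").lower(): phase for phase in KILL_CHAIN_PHASES}


def normalize_phases(phases) -> list:
    """Normalize as documented: ignore case, spaces and duplicates, and map each value
    to its enum spelling. Raises ValueError for the listed validation failures."""
    if not phases:
        raise ValueError("the phases array must not be empty")
    result = []
    for raw in phases:
        if not isinstance(raw, str):
            raise ValueError(f"phase {raw!r} is not a string")
        if len(raw) > MAX_PHASE_LEN:
            raise ValueError(f"phase name exceeds {MAX_PHASE_LEN} characters")
        canonical = _CANONICAL.get("".join(raw.split()).lower())
        if canonical is None:
            raise ValueError(f"phase {raw!r} is not in the Kill Chain enum")
        if canonical not in result:      # duplicates after normalization are dropped
            result.append(canonical)
    return result


def add_to_kill_chain(current, phases):
    """Upsert: returns (new_kill_chain, changed). Phases already present leave the
    alert unchanged, as Effect 1 above describes."""
    updated = list(current)
    changed = False
    for phase in normalize_phases(phases):
        if phase not in updated:
            updated.append(phase)
            changed = True
    return updated, changed


if __name__ == "__main__":
    # Constructed input: mixed case, stray spaces and a duplicate.
    print(normalize_phases(["reconnaissance", " Command And Control ", "RECONNAISSANCE"]))
    print(add_to_kill_chain(["Reconnaissance"], ["Delivery", "reconnaissance"]))
    print(add_to_kill_chain(["Reconnaissance", "Delivery"], ["delivery"]))  # unchanged
```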

Sub CdcActions.replies.alert.killChain.add

Add to Alert Kill Chain reply channel

Add to Alert Kill Chain Reply

Accepts one of the following messages:

#1 Update Alert Kill Chain Reply AlertKillChainUpdateReply

Update Alert Kill Chain Reply

replies
  • This message is a reply for update (Add Phases / Remove Phases) of Alert Kill Chain action.
  • The payload represents updated Alert data with updated killChain.
Payload
object
id
required
string

A unique, machine-oriented ID identifying this alert.

modified
required
string
date-time

Last modification timestamp

modifiedBy
required
string

The ID of the user responsible for the last alert update.

killChain
required
array<string>

Mapping of the alert to specific Kill Chain phases. The case of the names is ignored, as are spaces and duplicate values. All values are normalized according to the provided enum. See Wikipedia.

This field accepts any value; the provided enum shows the recommended values.

Enum: "Reconnaissance" "Weaponization" "Delivery" "Exploitation" "Installation" "Command and Control" "Actions on Objective"

Items:

0
string
length <= 256

Additional items are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and uses only dashes as separators. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "reply/alert-kill-chain-update-reply; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#2 Validation Error Message ValidationError

The reply returned if any of the input data is invalid.

errors
Payload
object
name
required
string

ValidationError

code
required
string

ERR_INVALID_INPUT

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and uses only dashes as separators. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/validation-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#3 Not Found Message NotFoundError

The reply returned if a referenced entity does not exist.

errors
Payload
object
name
required
string

NotFoundError

code
required
string

ERR_NOT_FOUND

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and uses only dashes as separators. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/not-found-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#4 Server Error Message ServerError

The reply returned if an unexpected error occurred during action execution.

errors

Notes:

  • The error message is hidden due to security concerns
Payload
object
name
required
string

ServerError

code
required
string

ERR_SERVER

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and uses only dashes as separators. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/server-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

alerts

Examples

AlertKillChainUpdateReply
Payload
{
  "id": "5e7c6cf54b832e0018f191ad",
  "modified": "2019-08-24T14:15:22Z",
  "modifiedBy": "9e7b6af34b632a7718f191ad",
  "killChain": [
    "Reconnaissance",
    "Weaponization",
    "Delivery"
  ]
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "reply/alert-kill-chain-update-reply; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ValidationError
Payload
{
  "name": "ValidationError",
  "code": "ERR_INVALID_INPUT",
  "message": "The property {propertyName} is required."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/validation-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
NotFoundError
Payload
{
  "name": "NotFoundError",
  "code": "ERR_NOT_FOUND",
  "message": "The {entityName} is not exist."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/not-found-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ServerError
Payload
{
  "name": "ServerError",
  "code": "ERR_SERVER"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/server-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.

Pub CdcActions.alert.raw-data.append

Alert append raw data channel

Append Alert Raw Data

Appends data to the alert raw data.

Effects

Notes

  • When externalId is passed, it ensures the data is not duplicated: when two requests are sent with the same externalId and the first one succeeds, the second is ignored and a success response is returned.

Accepts the following message:

Append To Alert Raw Data Command AppendAlertRawDataCommand

Append To Alert Raw Data

This message is a command message that appends raw data to an alert.

Payload
object
length <= 2097152
alertId
required
string

The unique Alert ID as defined by CDC

raw
required
object

Alert raw data, as provided by the SIEM or source system.

Note: keys must not begin with ".", "*" or "$".

Additional properties are allowed.

externalId
string

External identifier for the appended raw-data slice, used to ensure the same data is not written twice. When two requests are sent with the same externalId and the first one succeeds, the second is ignored and a success response is returned. When externalId is not passed, there is no guarantee that the data will not be duplicated.

NOTICE: the external ID must be unique within the scope of the alert for the data appended.

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

X-Initiated-By
required
string

The user id of the user who initiated this action, as defined in CDC

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and uses only dashes as separators. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "action/append-alert-raw-data-command; version=1;"
alerts

Examples

AppendAlertRawDataCommand
Payload
{
  "alertId": "603cde4464522f260aacf14a",
  "raw": {
    "attributeInitializationInProgress": false,
    "createdTime": {
      "day": {
        "$numberInt": "18"
      },
      "hour": {
        "$numberInt": "16"
      },
      "milliSecond": {
        "$numberInt": "711"
      },
      "minute": {
        "$numberInt": "10"
      },
      "month": {
        "$numberInt": "6"
      },
      "second": {
        "$numberInt": "47"
      },
      "timezoneID": "Israel",
      "year": {
        "$numberInt": "2017"
      }
    },
    "createdTimestamp": {
      "$numberDouble": "1500383447711"
    },
    "deprecated": false,
    "description": "Customer Name -       CyberProof\nAlert Name - Windows - Multiple failed logins same user same host\nSource Address - 192.168.231.1\nSource Host Name - SHEFA-LAPTOP-DS\nSource Zone Name - RFC1918: 192.168.0.0-192.168.255.255\nSource Asset Name - SHEFA-LAPTOP-DS\nDestination User Name - owner\nDevice Address - 172.31.40.183\nDevice Host Name - ip-172-31-40-183.us-west-2.compute.internal\nDevice Vendor - Microsoft\nDevice Product - Microsoft Windows\nDevice Event Class Id - rule:105\n",
    "disabled": false,
    "inCache": true,
    "inactive": false,
    "initialized": true,
    "isAdditionalLoaded": false,
    "localID": {
      "$numberDouble": "30064798760"
    },
    "modificationCount": {
      "$numberInt": "1"
    }
  },
  "externalId": "string"
}
This example has been generated automatically.
Headers
{
  "message_id": "4176e52e-b7d6-4aab-a38b-6b43a8d43ed1",
  "X-Initiated-By": "d4599677-be17-4a61-b6d8-72899c771f75",
  "reply_to": "stackstorm-replies:create-alert-replies\n",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d",
  "X-Message-Schema": "action/append-alert-raw-data-command; version=1;"
}
This example has been generated automatically.
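Three constraints on this command are worth modelling before wiring an automation to it: the 2097152-byte payload limit, the rule that raw keys must not begin with ".", "*" or "$", and the externalId de-duplication described above, under which a repeated externalId is silently skipped but still answered with success, while an append without externalId is written again. The following is an added example, not code from the CDC API or its documentation: a receiving-side model of those semantics. RawDataStore and find_bad_keys are constructed names; applying the key rule at every nesting level, and answering an unknown alertId with the NotFoundError shape, are assumptions.

```python
"""Added example (not from the CDC docs): a model of the documented
AppendAlertRawDataCommand semantics: the 2 MiB payload limit, the rule that raw keys
must not begin with ".", "*" or "$", and externalId de-duplication within one alert.
RawDataStore and find_bad_keys are constructed names; applying the key rule at every
nesting level and the NotFoundError for an unknown alertId are assumptions."""
import json

FORBIDDEN_KEY_PREFIXES = (".", "*", "$")
MAX_PAYLOAD_BYTES = 2097152  # "length <= 2097152" on the command payload


def find_bad_keys(obj, path: str = "") -> list:
    """Return the path of every key (at any depth) that starts with a forbidden character."""
    bad = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}" if path else key
            if key.startswith(FORBIDDEN_KEY_PREFIXES):
                bad.append(here)
            bad.extend(find_bad_keys(value, here))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            bad.extend(find_bad_keys(value, f"{path}[{i}]"))
    return bad


def _error(name: str, code: str, message: str) -> dict:
    """Error reply shape used on the reply channel (name / code / message)."""
    return {"name": name, "code": code, "message": message}


class RawDataStore:
    """Holds raw-data slices per alert and remembers (alertId, externalId) pairs."""

    def __init__(self, known_alerts) -> None:
        self.slices = {alert_id: [] for alert_id in known_alerts}
        self._seen = set()  # (alertId, externalId) pairs already written

    def append(self, command: dict):
        """Apply one command. Returns (reply_payload, written); `written` is False when
        the slice was skipped as a duplicate, which the API still answers with success."""
        encoded = json.dumps(command).encode("utf-8")
        if len(encoded) > MAX_PAYLOAD_BYTES:
            return _error("ValidationError", "ERR_INVALID_INPUT",
                          f"payload is {len(encoded)} bytes, limit {MAX_PAYLOAD_BYTES}"), False
        alert_id = command.get("alertId")
        raw = command.get("raw")
        if not isinstance(alert_id, str) or not isinstance(raw, dict):
            return _error("ValidationError", "ERR_INVALID_INPUT",
                          "alertId (string) and raw (object) are required"), False
        bad = find_bad_keys(raw)
        if bad:
            return _error("ValidationError", "ERR_INVALID_INPUT",
                          f"raw keys must not begin with . * or $: {bad}"), False
        if alert_id not in self.slices:
            return _error("NotFoundError", "ERR_NOT_FOUND",
                          f"alert {alert_id} does not exist"), False
        external_id = command.get("externalId")
        if external_id is not None:
            if (alert_id, external_id) in self._seen:
                return {"alertId": alert_id}, False   # duplicate: ignored, success reply
            self._seen.add((alert_id, external_id))
        # Without externalId nothing prevents the same data being appended twice.
        self.slices[alert_id].append(raw)
        return {"alertId": alert_id}, True


if __name__ == "__main__":
    # Constructed commands against the alertId used in the generated examples.
    store = RawDataStore(["603cde4464522f260aacf14a"])
    cmd = {"alertId": "603cde4464522f260aacf14a",
           "raw": {"sourceHost": "host-a"}, "externalId": "slice-1"}
    print(store.append(cmd))   # ({'alertId': ...}, True)
    print(store.append(cmd))   # ({'alertId': ...}, False): skipped, still a success reply
```

Under this reading the auto-generated example above, whose nested createdTime keys are "$numberInt", would be rejected; if CDC applies the rule to top-level keys only, drop the recursion in find_bad_keys.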

Sub CdcActions.replies.alert.raw-data.append

Append Alert Raw Data reply channel

Append Alert Raw Data Reply

Accepts one of the following messages:

#1 Append Raw Data Reply AppendRawDataReply

The reply returned after raw data is appended to an alert.

replies

This message is the reply to the append-alert-raw-data command.

Payload
object
alertId
required
string

The unique Alert ID as defined by CDC

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and uses only dashes as separators. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "reply/alert-raw-data-append-reply; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#2 Validation Error Message ValidationError

The reply returned if any of the input data is invalid.

errors
Payload
object
name
required
string

ValidationError

code
required
string

ERR_INVALID_INPUT

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and uses only dashes as separators. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/validation-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#3 Not Found Message NotFoundError

The reply returned if a referenced entity does not exist.

errors
Payload
object
name
required
string

NotFoundError

code
required
string

ERR_NOT_FOUND

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and uses only dashes as separators. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/not-found-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#4 Server Error Message ServerError

The reply returned if an unexpected error occurred during action execution.

errors

Notes:

  • The error message is hidden due to security concerns
Payload
object
name
required
string

ServerError

code
required
string

ERR_SERVER

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and uses only dashes as separators. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/server-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

alerts

Examples

AppendRawDataReply
Payload
{
  "alertId": "603cde4464522f260aacf14a"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "reply/alert-raw-data-append-reply; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ValidationError
Payload
{
  "name": "ValidationError",
  "code": "ERR_INVALID_INPUT",
  "message": "The property {propertyName} is required."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/validation-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
NotFoundError
Payload
{
  "name": "NotFoundError",
  "code": "ERR_NOT_FOUND",
  "message": "The {entityName} is not exist."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/not-found-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ServerError
Payload
{
  "name": "ServerError",
  "code": "ERR_SERVER"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/server-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.

Pub CdcActions.alert.attacks.add

Add mitre attacks to Alert

Add mitre attacks to Alert

Adds the specified mitre attacks to the specified alert.

Preconditions

  • The alert must already exist

Effects

  1. Mitre attacks which don't exist yet are created.
  2. The alert will be associated with the mitre attacks.
  3. If the alert belongs to an incident, the mitre attacks will be associated with the incident as well.
  4. An alert mitre attacks add reply will be sent.

Accepts the following message:

Add MitreAttacks To Alert Command AddMitreAttacksToAlertCommand

Adds the specified MitreAttacks to the specified alert

Payload
object
mitreAttacks
required
array<string>
>= 1 items Unique

MitreAttack Ids List

Items:

0
string

Additional items are allowed.

alertId
required
string

The unique Alert ID as defined by CDC

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

X-Initiated-By
required
string

The user id of the user who initiated this action, as defined in CDC

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and uses only dashes as separators. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "action/add-mitre-attacks-to-alert-command; version=1;"
alerts

Examples

AddMitreAttacksToAlertCommand
Payload
{
  "mitreAttacks": [
    "T1003",
    "T1001",
    "T1595.001"
  ],
  "alertId": "603cde4464522f260aacf14a"
}
This example has been generated automatically.
Headers
{
  "message_id": "4176e52e-b7d6-4aab-a38b-6b43a8d43ed1",
  "X-Initiated-By": "d4599677-be17-4a61-b6d8-72899c771f75",
  "reply_to": "stackstorm-replies:create-alert-replies\n",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d",
  "X-Message-Schema": "action/add-mitre-attacks-to-alert-command; version=1;"
}
This example has been generated automatically.

Sub CdcActions.replies.alert.attacks.add

Adding mitre attacks to alert reply channel

Add Mitre Attacks to Alert Reply

Accepts one of the following messages:

#1 Add Mitre Attacks To Alert Reply AddMitreAttacksToAlertReply

The reply returned after mitre attacks are added to an alert.

replies

This message is the reply to the add-mitre-attacks-to-alert command.

Payload
object
alertId
required
string

The unique Alert ID as defined by CDC

mitreAttacks
required
array<string>
Unique

MitreAttack Ids List

Items:

0
string

Additional items are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and uses only dashes as separators. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "reply/add-mitre-attacks-to-alert-reply; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#2 Not Found Message NotFoundError

The reply returned if a referenced entity does not exist.

errors
Payload
object
name
required
string

NotFoundError

code
required
string

ERR_NOT_FOUND

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot separated identifiers immediately following the major version.

Const: "error/not-found-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#3 Validation Error Message ValidationError

The reply returned if any of the input data is invalid.

errors
Payload
object
name
required
string

ValidationError

code
required
string

ERR_INVALID_INPUT

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot separated identifiers immediately following the major version.

Const: "error/validation-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#4 Not Found Message NotFoundError

The reply returned if a referenced entity does not exist.

errors
Payload
object
name
required
string

NotFoundError

code
required
string

ERR_NOT_FOUND

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot separated identifiers immediately following the major version.

Const: "error/not-found-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#5 Server Error Message ServerError

The reply returned if an unexpected error occurred during action execution.

errors

Notes:

  • The error message is hidden due to security concerns
Payload
object
name
required
string

ServerError

code
required
string

ERR_SERVER

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot separated identifiers immediately following the major version.

Const: "error/server-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

alerts

Examples

AddMitreAttacksToAlertReply
Payload
{
  "alertId": "603cde4464522f260aacf14a",
  "mitreAttacks": [
    "T1003",
    "T1001",
    "T1595.001"
  ]
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "reply/add-mitre-attacks-to-alert-reply; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
NotFoundError
Payload
{
  "name": "NotFoundError",
  "code": "ERR_NOT_FOUND",
  "message": "The {entityName} is not exist."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/not-found-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ValidationError
Payload
{
  "name": "ValidationError",
  "code": "ERR_INVALID_INPUT",
  "message": "The property {propertyName} is required."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/validation-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
NotFoundError
Payload
{
  "name": "NotFoundError",
  "code": "ERR_NOT_FOUND",
  "message": "The {entityName} is not exist."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/not-found-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ServerError
Payload
{
  "name": "ServerError",
  "code": "ERR_SERVER"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/server-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
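The reply channel above can deliver four different schemas for one command, and the only link back to the request is correlation_id. The following is an added example (not code from the CDC API or its client libraries) that parses the documented X-Message-Schema format and routes a reply to its pending command; the function names, the `pending` map and the sample exchange at the bottom are this example's own constructions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Header grammar as documented: {event-type}/{schema-name}; version={version}({-stage});
# names are lowercase and dash-separated, the version is normally an integer major
# version, and a pre-release stage is a hyphen plus dot-separated identifiers.
_NAME = r"[a-z0-9]+(?:-[a-z0-9]+)*"
_SCHEMA_RE = re.compile(
    rf"^(?P<type>{_NAME})/(?P<name>{_NAME});\s*"
    r"version=(?P<major>\d+)(?:\.\d+)*"
    r"(?:-(?P<stage>[0-9A-Za-z]+(?:\.[0-9A-Za-z]+)*))?;?\s*$"
)


@dataclass(frozen=True)
class MessageSchema:
    event_type: str          # "action", "reply", "error", ...
    name: str                # e.g. "add-mitre-attacks-to-alert-reply"
    major: int
    stage: Optional[str] = None


def parse_schema(header: str) -> MessageSchema:
    """Parse an X-Message-Schema header value; raise ValueError if malformed."""
    m = _SCHEMA_RE.match(header)
    if not m:
        raise ValueError(f"malformed X-Message-Schema header: {header!r}")
    return MessageSchema(m["type"], m["name"], int(m["major"]), m["stage"])


# Schemas that may arrive on CdcActions.replies.alert.attacks.add (all major version 1).
REPLY_KINDS = {
    ("reply", "add-mitre-attacks-to-alert-reply"): "ok",
    ("error", "not-found-error"): "not_found",
    ("error", "validation-error"): "invalid_input",
    ("error", "server-error"): "server_error",
}
SUPPORTED_MAJOR = 1


def route_reply(headers: dict, payload: dict, pending: dict) -> dict:
    """Match one reply to its command via correlation_id and classify it.

    `pending` maps correlation_id -> the command payload that was published;
    a matched entry is removed. Unknown correlation ids, unexpected schemas and
    replies that echo a different alertId are reported instead of being trusted.
    """
    corr = headers.get("correlation_id")
    if corr not in pending:
        return {"outcome": "unmatched", "correlation_id": corr}
    try:
        schema = parse_schema(headers.get("X-Message-Schema", ""))
    except ValueError as exc:
        return {"outcome": "bad_schema", "correlation_id": corr, "detail": str(exc)}
    kind = REPLY_KINDS.get((schema.event_type, schema.name))
    if kind is None or schema.major != SUPPORTED_MAJOR:
        # Leave the command pending: a reply we cannot interpret is not an answer.
        return {"outcome": "unsupported_schema", "correlation_id": corr,
                "schema": f"{schema.event_type}/{schema.name} v{schema.major}"}
    command = pending.pop(corr)
    if kind == "ok":
        if payload.get("alertId") != command["alertId"]:
            return {"outcome": "mismatch", "correlation_id": corr,
                    "expected": command["alertId"], "got": payload.get("alertId")}
        return {"outcome": "ok", "correlation_id": corr, "alertId": payload["alertId"],
                "mitreAttacks": list(payload.get("mitreAttacks", []))}
    # Error replies carry name and code; ServerError deliberately has no message.
    return {"outcome": kind, "correlation_id": corr,
            "code": payload.get("code"), "message": payload.get("message")}


if __name__ == "__main__":
    # Constructed sample exchange for a single AddMitreAttacksToAlertCommand.
    corr = "278940cd-cde8-40ed-adb2-caafd89bcb5d"
    pending = {corr: {"alertId": "603cde4464522f260aacf14a", "mitreAttacks": ["T1003"]}}
    reply_headers = {
        "X-Message-Schema": "reply/add-mitre-attacks-to-alert-reply; version=1;",
        "correlation_id": corr,
    }
    reply_payload = {"alertId": "603cde4464522f260aacf14a", "mitreAttacks": ["T1003", "T1001"]}
    print(route_reply(reply_headers, reply_payload, pending))
```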

Pub CdcActions.alert.attacks.remove

Remove mitre attacks from Alert

Remove mitre attacks from Alert

Removes the specified mitre attacks from the specified alert.

Preconditions

  • The alert must already exist

Effects

  1. The alert will no longer be associated with the specified MITRE attacks.
  2. If the alert belongs to an incident, the MITRE attacks will be removed from the incident as well, unless other alerts in that incident still have them.
  3. An alert MITRE attacks remove reply will be sent.

Accepts the following message:

Remove MitreAttacks From Alert Command RemoveMitreAttacksFromAlertCommand

Removes the specified MitreAttacks from the specified alert

Payload
object
mitreAttacks
required
array<string>
>= 1 items Unique

MitreAttack Ids List

Items:

0
string

Additional items are allowed.

alertId
required
string

The unique Alert ID as defined by CDC

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

X-Initiated-By
required
string

The user id of the user who initiated this action, as defined in CDC

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot separated identifiers immediately following the major version.

Const: "action/remove-mitre-attacks-from-alert-command; version=1;"
alerts

Examples

RemoveMitreAttacksFromAlertCommand
Payload
{
  "mitreAttacks": [
    "T1003",
    "T1001",
    "T1595.001"
  ],
  "alertId": "603cde4464522f260aacf14a"
}
This example has been generated automatically.
Headers
{
  "message_id": "4176e52e-b7d6-4aab-a38b-6b43a8d43ed1",
  "X-Initiated-By": "d4599677-be17-4a61-b6d8-72899c771f75",
  "reply_to": "stackstorm-replies:create-alert-replies",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d",
  "X-Message-Schema": "action/remove-mitre-attacks-from-alert-command; version=1;"
}
This example has been generated automatically.

Sub CdcActions.replies.alert.attacks.remove

Removing mitre attacks from alert reply channel

Remove Mitre Attacks from Alert Reply

Accepts one of the following messages:

#1 Remove Mitre Attacks From Alert Reply RemoveMitreAttacksFromAlertReply

The reply returned after removing MITRE attacks from an alert

replies

This message is a reply for removing MITRE attacks from an alert

Payload
object
alertId
required
string

The unique Alert ID as defined by CDC

mitreAttacks
required
array<string>
Unique

MitreAttack Ids List

Items:

0
string

Additional items are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot separated identifiers immediately following the major version.

Const: "reply/remove-mitre-attacks-from-alert-reply; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#2 Not Found Message NotFoundError

The reply returned if a referenced entity does not exist.

errors
Payload
object
name
required
string

NotFoundError

code
required
string

ERR_NOT_FOUND

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot separated identifiers immediately following the major version.

Const: "error/not-found-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#3 Validation Error Message ValidationError

The reply returned if any of the input data is invalid.

errors
Payload
object
name
required
string

ValidationError

code
required
string

ERR_INVALID_INPUT

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot separated identifiers immediately following the major version.

Const: "error/validation-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#4 Not Found Message NotFoundError

The reply returned if a referenced entity does not exist.

errors
Payload
object
name
required
string

NotFoundError

code
required
string

ERR_NOT_FOUND

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot separated identifiers immediately following the major version.

Const: "error/not-found-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#5 Server Error Message ServerError

The reply returned if an unexpected error occurred during action execution.

errors

Notes:

  • The error message is hidden due to security concerns
Payload
object
name
required
string

ServerError

code
required
string

ERR_SERVER

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot separated identifiers immediately following the major version.

Const: "error/server-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

alerts

Examples

RemoveMitreAttacksFromAlertReply
Payload
{
  "alertId": "603cde4464522f260aacf14a",
  "mitreAttacks": [
    "T1003",
    "T1001",
    "T1595.001"
  ]
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "reply/remove-mitre-attacks-from-alert-reply; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
NotFoundError
Payload
{
  "name": "NotFoundError",
  "code": "ERR_NOT_FOUND",
  "message": "The {entityName} is not exist."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/not-found-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ValidationError
Payload
{
  "name": "ValidationError",
  "code": "ERR_INVALID_INPUT",
  "message": "The property {propertyName} is required."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/validation-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
NotFoundError
Payload
{
  "name": "NotFoundError",
  "code": "ERR_NOT_FOUND",
  "message": "The {entityName} is not exist."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/not-found-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ServerError
Payload
{
  "name": "ServerError",
  "code": "ERR_SERVER"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/server-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.

Pub CdcActions.alert.evidence.add

Alert add evidence channel

Add evidence to Alert

Adds evidence to an alert.

Effects

Accepts the following message:

Add Evidence To Alert Command AddEvidenceToAlertCommand

Adds evidence to alert

This message is a command message that adds evidence to an alert

Payload
object

Validations:

  • In case of creating text evidence, the following fields should be provided: caption, description
  • In case of creating evidence from the message, the following fields should be provided: caption, messageId or externalId
  • In case of creating evidence for another custom type, the following fields should be provided: type, data
alertId
required
string

The unique Alert ID as defined by CDC

type
string

The type of evidence

Enum: "TEXT" "ALERT_OWNER_ASSIGNED" "ALERT_OWNER_REMOVED" "ALERT_STATUS_CHANGED" "ALERT_ATTACHED_TO_INCIDENT" "ALERT_AUTOMATION_JOB_ENDED" "ALERT_AUTOMATION_JOB_STARTED" "ALERT_CLOSED" "ALERT_DETACHED_FROM_INCIDENT" "ALERT_DETECTED" "ALERT_RESOLVED" "ALERT_INCIDENT_CREATED" "ALERT_PLAYBOOK_STEP_COMPLETED" "ALERT_REOPENED" "ALERT_ATTACHED_TO_INCIDENT_BY_GROUPING_RULE" "MITRE_ATTACK_ADDED" "MITRE_ATTACK_REMOVED" "INCIDENT_ALERT_ADDED" "INCIDENT_ALERT_REMOVED" "INCIDENT_CREATED" "INCIDENT_CLOSED" "INCIDENT_REOPENED" "INCIDENT_STATUS_CHANGED" "INCIDENT_COMPANY_CHANGED" "INCIDENT_SEVERITY_CHANGED" "INCIDENT_PRIORITY_CHANGED" "INCIDENT_TYPE_CHANGED" "INCIDENT_OWNER_CHANGED" "INCIDENT_ESCALATED" "INCIDENT_ESCALATION_REVOKED" "INCIDENT_ESCALATION_ACCEPTED" "INCIDENT_ESCALATION_REMINDER_SENT" "PLAYBOOK_ADDED" "PLAYBOOK_STEP_COMPLETED" "PLAYBOOK_USER_INPUT_REQUIRED" "PLAYBOOK_EVIDENCES_PROVIDED" "PLAYBOOK_TERMINATED"
data
oneOf
0
object
alertId
string

The unique Alert ID as defined by CDC

alertName
string

The name of the alert

incidentId
string

The unique Incident ID as defined by CDC

incidentName
string

The name of the incident

ruleTitle
string

The title of the grouping rule by which the alert was attached to the incident

groupingRules
array<object>
matchValue
array<string>

Items:

0
string

The value(s) to check against the alert field

Additional items are allowed.

fieldName
required
string

The alert field name used by the grouping mechanism

operator
required
string

The operator used to compare fieldName with matchValue

Enum: "allOf" "oneOf" "equal"

Additional items are allowed.

Additional properties are allowed.

reported
required
string
date-time

The time when this evidence was reported

caption
string

The caption of the evidence

messageId
string

The ID of the message this evidence was created from.

description
string

The description of this evidence

externalId
string

The identifier of the evidence, as it appears in external systems, mostly used to achieve idempotence

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

X-Initiated-By
required
string

The user id of the user who initiated this action, as defined in CDC

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot separated identifiers immediately following the major version.

Const: "action/add-evidence-to-alert-command; version=1;"
alerts evidence

Examples

AddEvidenceToAlertCommand
Payload
{
  "alertId": "603cde4464522f260aacf14a",
  "type": "MITRE_ATTACK_ADDED",
  "data": {
    "alertId": "603cde4464522f260aacf14a",
    "alertName": "Windows - Multiple failed logins same user same host",
    "incidentId": "5a92dbb61487fe0007fa4fd5",
    "incidentName": "Windows - Multiple failed logins same user same host",
    "ruleTitle": "Phishing",
    "groupingRules": [
      {
        "matchValue": [
          "mailware"
        ],
        "fieldName": "classification",
        "operator": "oneOf"
      }
    ]
  },
  "reported": "2019-08-24T14:15:22Z",
  "caption": "Severity changed",
  "messageId": "string",
  "description": "System Admin has changed severity from Low to Medium",
  "externalId": "345ffe9a"
}
This example has been generated automatically.
Headers
{
  "message_id": "4176e52e-b7d6-4aab-a38b-6b43a8d43ed1",
  "X-Initiated-By": "d4599677-be17-4a61-b6d8-72899c771f75",
  "reply_to": "stackstorm-replies:create-alert-replies",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d",
  "X-Message-Schema": "action/add-evidence-to-alert-command; version=1;"
}
This example has been generated automatically.
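The three validation rules and the header contract above are easy to get wrong on the producer side. The following is an added example, not code from the CDC API or its client libraries: a pre-publish check for AddEvidenceToAlertCommand plus a header builder. It assumes that an omitted type means text evidence and leaves the type enum check to CDC; evidence_problems, build_message and the sample payload are this example's own constructions.

```python
import json
import uuid
from datetime import datetime

SCHEMA = "action/add-evidence-to-alert-command; version=1;"


def evidence_problems(payload: dict) -> list:
    """Return the rule violations found in an AddEvidenceToAlertCommand payload.

    An empty list means the payload satisfies the documented validations. The
    allowed values of `type` are the enum listed in the spec; that check is left
    to CDC here to keep the example short.
    """
    problems = []
    if not payload.get("alertId"):
        problems.append("alertId is required")
    reported = payload.get("reported")
    if not reported:
        problems.append("reported is required")
    else:
        try:
            datetime.fromisoformat(str(reported).replace("Z", "+00:00"))
        except ValueError:
            problems.append("reported must be an RFC 3339 date-time")
    ev_type = payload.get("type", "TEXT")  # assumption: no type means text evidence
    if ev_type == "TEXT":
        # Text evidence: caption plus either free text or a source-message reference.
        if not payload.get("caption"):
            problems.append("caption is required for text evidence")
        has_text = bool(payload.get("description"))
        has_source = bool(payload.get("messageId") or payload.get("externalId"))
        if not (has_text or has_source):
            problems.append("text evidence needs a description, or a messageId/externalId of the source message")
    elif not isinstance(payload.get("data"), dict):
        # Any other (custom) type must carry its structured data object.
        problems.append(f"data object is required for evidence of type {ev_type}")
    return problems


def build_message(payload, initiated_by, reply_to=None, message_id=None, correlation_id=None):
    """Return (headers, body) ready to publish on CdcActions.alert.evidence.add.

    message_id is CDC's deduplication key: pass the same value when re-sending
    after a failed publish so a rerun cannot create the evidence twice.
    """
    problems = evidence_problems(payload)
    if problems:
        raise ValueError("; ".join(problems))
    headers = {
        "message_id": message_id or str(uuid.uuid4()),
        "X-Initiated-By": initiated_by,
        "correlation_id": correlation_id or str(uuid.uuid4()),
        "X-Message-Schema": SCHEMA,
    }
    if reply_to is not None:
        # Documented format is <exchangeName>:<routingKey>; stray whitespace
        # (a trailing newline from a YAML block scalar, for instance) would
        # route the reply to a non-existent queue, so reject it up front.
        exchange, sep, routing_key = reply_to.partition(":")
        if not sep or not exchange or not routing_key or reply_to.split() != [reply_to]:
            raise ValueError("reply_to must be '<exchangeName>:<routingKey>' without whitespace")
        headers["reply_to"] = reply_to
    return headers, json.dumps(payload, separators=(",", ":")).encode("utf-8")


if __name__ == "__main__":
    # Constructed text evidence for the alert used in the spec examples.
    evidence = {
        "alertId": "603cde4464522f260aacf14a",
        "type": "TEXT",
        "reported": "2019-08-24T14:15:22Z",
        "caption": "Severity changed",
        "description": "System Admin has changed severity from Low to Medium",
        "externalId": "345ffe9a",
    }
    headers, body = build_message(evidence, initiated_by="d4599677-be17-4a61-b6d8-72899c771f75",
                                  reply_to="stackstorm-replies:create-alert-replies")
    print(headers["X-Message-Schema"], len(body))
```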

Sub CdcActions.replies.alert.evidence.add

Adding evidence to Alert reply channel

Add evidence to Alert Reply

Accepts one of the following messages:

#1 Add Evidence To Alert Reply AddEvidenceToAlertReply

The reply returned after evidence has been added to an alert

replies

This message is a reply for adding evidence to an alert

Payload
object

Validations:

  • In case of creating text evidence, the following fields should be provided: caption, description (type="TEXT")
  • In case of creating evidence from the message, the following fields should be provided: caption, messageId or externalId (type="TEXT")
  • In case of creating evidence for another custom type, the following fields should be provided: type, data
id
required
string

A unique, machine-oriented ID identifying this evidence.

caption
string

The caption of the evidence

name
deprecated
string

The name property is deprecated and kept for backwards compatibility; use the caption property instead.

description
string

The evidence description. Note that this field may contain HTML tags.

type
required
string

The type of evidence

Enum: "TEXT" "ALERT_OWNER_ASSIGNED" "ALERT_OWNER_REMOVED" "ALERT_STATUS_CHANGED" "ALERT_ATTACHED_TO_INCIDENT" "ALERT_AUTOMATION_JOB_ENDED" "ALERT_AUTOMATION_JOB_STARTED" "ALERT_CLOSED" "ALERT_DETACHED_FROM_INCIDENT" "ALERT_DETECTED" "ALERT_RESOLVED" "ALERT_INCIDENT_CREATED" "ALERT_PLAYBOOK_STEP_COMPLETED" "ALERT_REOPENED" "ALERT_ATTACHED_TO_INCIDENT_BY_GROUPING_RULE" "MITRE_ATTACK_ADDED" "MITRE_ATTACK_REMOVED" "INCIDENT_ALERT_ADDED" "INCIDENT_ALERT_REMOVED" "INCIDENT_CREATED" "INCIDENT_CLOSED" "INCIDENT_REOPENED" "INCIDENT_STATUS_CHANGED" "INCIDENT_COMPANY_CHANGED" "INCIDENT_SEVERITY_CHANGED" "INCIDENT_PRIORITY_CHANGED" "INCIDENT_TYPE_CHANGED" "INCIDENT_OWNER_CHANGED" "INCIDENT_ESCALATED" "INCIDENT_ESCALATION_REVOKED" "INCIDENT_ESCALATION_ACCEPTED" "INCIDENT_ESCALATION_REMINDER_SENT" "PLAYBOOK_ADDED" "PLAYBOOK_STEP_COMPLETED" "PLAYBOOK_USER_INPUT_REQUIRED" "PLAYBOOK_EVIDENCES_PROVIDED" "PLAYBOOK_TERMINATED"
data
oneOf
0
object
alertId
string

The unique Alert ID as defined by CDC

alertName
string

The name of the alert

incidentId
string

The unique Incident ID as defined by CDC

incidentName
string

The name of the incident

ruleTitle
string

The title of the grouping rule by which the alert was attached to the incident

groupingRules
array<object>
matchValue
array<string>

Items:

0
string

The value(s) to check against the alert field

Additional items are allowed.

fieldName
required
string

The alert field name used by the grouping mechanism

operator
required
string

The operator used to compare fieldName with matchValue

Enum: "allOf" "oneOf" "equal"

Additional items are allowed.

Additional properties are allowed.

created
required
string
date-time

Timestamp of when the evidence was created

reported
required
string
date-time

Timestamp of when the evidence was reported (could be different than the evidence creation timestamp)

messageId
string

The ID of the message this evidence was created from

messageCdcUrl
string
url

The URL of the message in the CDC application that this evidence was created from.

guiUrl
deprecated
string
url

The guiUrl property is deprecated and kept for backwards compatibility; use the messageCdcUrl property instead.

externalId
string

The identifier of the evidence, as it appears in external systems, mostly used to achieve idempotence

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot separated identifiers immediately following the major version.

Const: "reply/alert-evidence-add-reply; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#2 Validation Error Message ValidationError

The reply returned if any of the input data is invalid.

errors
Payload
object
name
required
string

ValidationError

code
required
string

ERR_INVALID_INPUT

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot separated identifiers immediately following the major version.

Const: "error/validation-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#3 Not Found Message NotFoundError

The reply returned if a referenced entity does not exist.

errors
Payload
object
name
required
string

NotFoundError

code
required
string

ERR_NOT_FOUND

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot separated identifiers immediately following the major version.

Const: "error/not-found-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#4 Server Error Message ServerError

The reply returned if an unexpected error occurred during action execution.

errors

Notes:

  • The error message is hidden due to security concerns
Payload
object
name
required
string

ServerError

code
required
string

ERR_SERVER

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot separated identifiers immediately following the major version.

Const: "error/server-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

alerts evidence

Examples

AddEvidenceToAlertReply
Payload
{
  "id": "5aa4d8fcbdee5a000a911882",
  "caption": "Priority changed",
  "name": "Priority changed",
  "description": "System Admin has changed priority from Low to Medium",
  "type": "MITRE_ATTACK_ADDED",
  "data": {
    "alertId": "603cde4464522f260aacf14a",
    "alertName": "Windows - Multiple failed logins same user same host",
    "incidentId": "5a92dbb61487fe0007fa4fd5",
    "incidentName": "Windows - Multiple failed logins same user same host",
    "ruleTitle": "Phishing",
    "groupingRules": [
      {
        "matchValue": [
          "mailware"
        ],
        "fieldName": "classification",
        "operator": "oneOf"
      }
    ]
  },
  "created": "2019-08-24T14:15:22Z",
  "reported": "2019-08-24T14:15:22Z",
  "messageId": "string",
  "messageCdcUrl": "https://acme.cyberproof.io/home/incidents/5ea71bb363f6c6001707663b/evidence/5ea71bb363f6c6001707254a",
  "guiUrl": "https://acme.cyberproof.io/home/incidents/5ea71bb363f6c6001707663b/evidence/5ea71bb363f6c6001707254a",
  "externalId": "345ffe9a"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "reply/alert-evidence-add-reply; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ValidationError
Payload
{
  "name": "ValidationError",
  "code": "ERR_INVALID_INPUT",
  "message": "The property {propertyName} is required."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/validation-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
NotFoundError
Payload
{
  "name": "NotFoundError",
  "code": "ERR_NOT_FOUND",
  "message": "The {entityName} is not exist."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/not-found-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ServerError
Payload
{
  "name": "ServerError",
  "code": "ERR_SERVER"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/server-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.

Pub CdcActions.incident.create

Incident creation channel

Create Incident

Creates a new incident.

Preconditions

  1. If a list of alerts is provided, the alerts must already exist in CDC DB

Effects

  1. Creates a new incident in CDC
  2. An "IncidentCreated" event will be published
  3. If alerts were specified:
    • The alerts will be added to the incident
    • An "AlertAddedToIncident" event will be published for each alert
    • Any observable found in these alerts will be associated with the incident and an "IncidentObservableAdded" event will be published
  4. If a company was specified, an "IncidentAssociatedWithCompany" event will be published
  5. An incident create reply will be sent.

Notes

  1. Specified alerts that are already associated with a different incident will be ignored

Accepts the following message:

Incident Creation Command CreateIncidentCommand

Create a new incident in the CDC.

This message is a command message that will result in incident creation

Payload
object
length <= 2097152
name
required
string

The name of the incident

description
required
string
length <= 5000

Incident description. It cannot exceed 5000 characters; if it does, the command will not fail but the description will be truncated.

company
string

Name of the company / division to which this incident or alert belongs.

Not to be confused with the "organization" field, which was used to distinguish between tenants and is deprecated.

Note that most customers don't use the "company" feature, and that the value must be in the list of companies defined in the CDC database.

priority
required
string

The incident priority must be one of the priorities defined in CDC.

type
string

Incident type. Must be one of the types defined in CDC.

Examples: "Malware" "Unauthorized access"
alertIds
array<string>
Unique

The alert IDs to be added to the Incident

Items:

0
string

The unique Alert ID as defined by CDC

Additional items are allowed.

tags
array<string>
Unique

Array of tags. A tag's name can contain only the following characters: letters, digits, "-", "_", ".", "#" and "@".

Tags are case-preserving on insertion: if the tag does not already exist with a different casing, it is saved with the casing specified. When used as query filters, tags are treated as case-insensitive.

Items:

0
string
must match ^\S*$

Additional items are allowed.

externalIds
array<object>

IDs of this incident as listed in external systems

system
string

The name of the external system

id
string

The entity's identifier in the external system

Additional items are allowed.

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

X-Initiated-By
required
string

The user id of the user who initiated this action, as defined in CDC

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and in lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "action/create-incident-command; version=1;"
incidents

Examples

CreateIncidentCommand
Payload
{
  "name": "Windows - Multiple failed logins same user same host",
  "description": "Windows - Multiple failed logins same user same host\nSource Address - 10.1.200.60\nSource Host Name - HTZ-ADC1\n",
  "company": "CompanyName",
  "priority": "Medium",
  "type": "Malware",
  "alertIds": [
    "603cde4464522f260aacf14a"
  ],
  "tags": [
    "Cloud-Computing",
    "Virus",
    "Phishing"
  ],
  "externalIds": [
    {
      "system": "SILVA",
      "id": "AAZ-93485"
    }
  ]
}
This example has been generated automatically.
Headers
{
  "message_id": "4176e52e-b7d6-4aab-a38b-6b43a8d43ed1",
  "X-Initiated-By": "d4599677-be17-4a61-b6d8-72899c771f75",
  "reply_to": "stackstorm-replies:create-alert-replies\n",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d",
  "X-Message-Schema": "action/create-incident-command; version=1;"
}
This example has been generated automatically.
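The following is an added example, not code from the CDC project: a Python helper that assembles the headers and payload of a CreateIncidentCommand and checks, before publishing, the constraints the schema above states (required name, description and priority; silent truncation of the description at 5000 characters; unique alertIds; tags limited to the listed characters and matching ^\S*$; reply_to in <exchangeName>:<routingKey> form; a payload of at most 2097152 bytes). The function names, the choice to reject empty tags and tags that differ only in case, and the omission of any AMQP client code are this example's own assumptions.

```python
"""Build and pre-validate a CreateIncidentCommand for CdcActions.incident.create.

Added example (not the CDC project's code). Constraints come from the schema
on this page; function names and the stricter tag rules are assumptions.
"""
import json
import re
import uuid

PAYLOAD_MAX_BYTES = 2097152
DESCRIPTION_MAX = 5000
SCHEMA_CONST = "action/create-incident-command; version=1;"
# Schema's allowed tag characters; this example additionally requires a non-empty tag.
TAG_RE = re.compile(r"^[A-Za-z0-9._#@-]+$")
# reply_to format from the header description: <exchangeName>:<routingKey>
REPLY_TO_RE = re.compile(r"^[^:\s]+:[^\s]+$")


def validation_errors(payload, reply_to=None):
    """Return a list of problems CDC would reject (or silently alter) in this command."""
    errors = []
    for field in ("name", "description", "priority"):
        if not payload.get(field):
            errors.append(f"{field} is required")
    alert_ids = payload.get("alertIds", [])
    if len(set(alert_ids)) != len(alert_ids):
        errors.append("alertIds must be unique")
    seen = set()
    for tag in payload.get("tags", []):
        if not TAG_RE.match(tag):
            errors.append(f"tag {tag!r} has characters outside the allowed set")
        # Tags are case-preserving on insert but case-insensitive as filters,
        # so two tags differing only in case would collide later.
        if tag.lower() in seen:
            errors.append(f"tag {tag!r} duplicates another tag ignoring case")
        seen.add(tag.lower())
    if reply_to is not None and not REPLY_TO_RE.match(reply_to):
        errors.append("reply_to must be <exchangeName>:<routingKey>")
    if len(json.dumps(payload).encode("utf-8")) > PAYLOAD_MAX_BYTES:
        errors.append("payload exceeds 2097152 bytes")
    return errors


def build_create_incident_command(payload, *, initiated_by, reply_to=None,
                                  correlation_id=None):
    """Return (headers, payload) ready for an AMQP client, or raise ValueError."""
    payload = dict(payload)
    # CDC truncates silently; do it client-side so the caller sees what is stored.
    if len(payload.get("description", "")) > DESCRIPTION_MAX:
        payload["description"] = payload["description"][:DESCRIPTION_MAX]
    problems = validation_errors(payload, reply_to)
    if problems:
        raise ValueError("; ".join(problems))
    headers = {
        "message_id": str(uuid.uuid4()),            # deduplication key for reruns
        "X-Initiated-By": initiated_by,             # CDC user id of the initiator
        "correlation_id": correlation_id or str(uuid.uuid4()),
        "X-Message-Schema": SCHEMA_CONST,
    }
    if reply_to is not None:
        headers["reply_to"] = reply_to
    return headers, payload


if __name__ == "__main__":
    # Constructed sample modelled on the page's example payload.
    hdrs, body = build_create_incident_command(
        {"name": "Windows - Multiple failed logins same user same host",
         "description": "Source Address - 10.1.200.60\n" * 400,
         "priority": "Medium", "alertIds": ["603cde4464522f260aacf14a"],
         "tags": ["Cloud-Computing", "Virus", "Phishing"]},
        initiated_by="d4599677-be17-4a61-b6d8-72899c771f75",
        reply_to="stackstorm-replies:create-alert-replies")
    print(json.dumps(hdrs, indent=2), len(body["description"]))
```

Leaving out the `reply_to` header is a valid choice per the schema, but then no reply is ever sent, so a caller that needs to learn the incident id or catch a NotFoundError must always set it.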

Sub CdcActions.replies.incident.create

Incident creation reply channel

Create Incident Reply

Accepts one of the following messages:

#1 Create Incident Reply CreateIncidentReply

The reply returned after creating an incident

replies

This message is the reply to an incident create command

Payload
allOf
0
object
id
required
string

A unique, machine-oriented ID identifying this incident

key
required
string

A unique, human-oriented key identifying this incident

name
required
string

The name of the incident

description
required
string

The incident description

created
required
string
date-time

The time when the incident was created, in UTC

updated
required
string
date-time

The time when the incident was last updated, in UTC

type
required
string

Incident type

status
required
string

Incident status

Enum: "open" "pending" "closed"
priority
required
string

The incident priority must be one of the priorities defined in CDC.

group
required
string

The group to which this incident is currently assigned

externalIds
required
array<object>

Array of external identifiers of the entity.

system
string

The name of the external system

id
string

The entity's identifier in the external system

Additional items are allowed.

tags
required
array<string>
Unique

Array of tags. A tag's name can contain only the following characters: letters, digits, "-", "_", ".", "#" and "@".

Tags are case-preserving on insertion: if the tag does not already exist with a different casing, it is saved with the casing specified. When used as query filters, tags are treated as case-insensitive.

Items:

0
string
must match ^\S*$

Additional items are allowed.

company
string

Name of the company / division to which this incident or alert belongs.

Not to be confused with the "organization" field, which was used to distinguish between tenants and is deprecated.

Note that most customers do not use the "company" feature. The value must be in the list of companies defined in the CDC database.

pendingForGroup
string

If this incident was redirected to a different group this will contain the name of the target group

redirectionReason
string

If this incident was redirected to a different group this will contain the user comment provided with redirection request

endSlaDate
string
date-time

Service level agreement end date

Additional properties are allowed.

1
object
alertIds
required
array<string>

The IDs of all alerts associated with the incident

Items:

0
string

The unique Alert ID as defined by CDC

Additional items are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and in lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "reply/incident-create-reply; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#2 Incident Validation Error Message IncidentValidationError

The reply returned if any of the input data is not valid.

errors
Payload
object
name
required
string

IncidentValidationError

code
required
string

ERR_INVALID_INPUT

message
required
string

The Error Message

Additional properties are allowed.

Headers
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#3 Not Found Message NotFoundError

The reply returned if some entity does not exist.

errors
Payload
object
name
required
string

NotFoundError

code
required
string

ERR_NOT_FOUND

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and in lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/not-found-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#4 Server Error Message ServerError

The reply returned if an unexpected error occurred during action execution.

errors

Notes:

  • The error message is hidden due to security concerns
Payload
object
name
required
string

ServerError

code
required
string

ERR_SERVER

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and in lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/server-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

incidents

Examples

CreateIncidentReply
Payload
{
  "id": "string",
  "key": "CDC-20191208-00046",
  "name": "Web Proxy - Execution file download",
  "description": "Customer Name - ACME Inc\nAlert Name - Web Proxy - Execution file download\nSource Address - 172.23.2.13\nSource Host Name - laptop2057.bdo.co.il\nSource Zone Name - Haifa - Users\nSource User Name - EshelS\nDestination Address - 52.174.64.84\nDestination Host Name - download.teamviewer.com\nDestination Zone Name - E.I. duPont de Nemours and Co. Inc.\nDestination Geo Country Name - Netherlands\nProtocol/Version - HTTP/1.1\nURL Categories - Remote Access, Web Meetings\nPolicy - Default\nReputation - Minimal Risk\nRequest URL - http://download.teamviewer.com/download/version_11x/TeamViewerQS.exe\nRequest Protocol - http\nRequest Method - GET\nRequest Client Application - Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\nDevice Address - 80.74.110.141\nDevice Host Name - MWG-A\nDevice Zone Name - DMZ1\nDevice Vendor - McAfee\nDevice Product - Web Gateway\nCategory Outcome - /Failure\n\n",
  "created": "2019-08-24T14:15:22Z",
  "updated": "2019-08-24T14:15:22Z",
  "type": "DDOS",
  "status": "open",
  "priority": "Medium",
  "group": "L1",
  "externalIds": [
    {
      "system": "SILVA",
      "id": "AAZ-93485"
    }
  ],
  "tags": [
    "Cloud-Computing",
    "Virus",
    "Phishing"
  ],
  "company": "CompanyName",
  "pendingForGroup": "string",
  "redirectionReason": "string",
  "endSlaDate": "2019-08-23T14:15:22.000Z",
  "alertIds": [
    "603cde4464522f260aacf14a"
  ]
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "reply/incident-create-reply; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
IncidentValidationError
Payload
{
  "name": "IncidentValidationError",
  "code": "ERR_INVALID_INPUT",
  "message": "The property {propertyName} is required."
}
This example has been generated automatically.
Headers
{
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
NotFoundError
Payload
{
  "name": "NotFoundError",
  "code": "ERR_NOT_FOUND",
  "message": "The {entityName} is not exist."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/not-found-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ServerError
Payload
{
  "name": "ServerError",
  "code": "ERR_SERVER"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/server-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
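The four reply types above share one channel, so a consumer has to tell them apart and match each one to the command that produced it. The following is an added example, not code from the CDC project, that does this using only what the reply schemas state: every reply carries correlation_id, and all of them except IncidentValidationError also carry an X-Message-Schema header with a fixed const, which is why the classifier falls back to the payload's name and code for that one type. The class and function names are this example's own, and the sample replies in the test are constructed from the page's examples.

```python
"""Consume replies from CdcActions.replies.incident.create.

Added example (not the CDC project's code). Matching is by correlation_id;
typing is by the X-Message-Schema const, with a payload fallback for
IncidentValidationError, which the schema documents with correlation_id only.
"""

REPLY_TYPES_BY_SCHEMA = {
    "reply/incident-create-reply": "CreateIncidentReply",
    "error/not-found-error": "NotFoundError",
    "error/server-error": "ServerError",
}


def schema_id(header_value):
    """'{event-type}/{schema-name}' part of an X-Message-Schema value.
    The '; version=...' suffix is dropped because only the major version matters."""
    return header_value.split(";", 1)[0].strip()


def classify_reply(headers, payload):
    """Name the reply type from its schema header, falling back to the payload
    for IncidentValidationError, which carries no schema header."""
    schema = headers.get("X-Message-Schema")
    if schema is not None:
        kind = REPLY_TYPES_BY_SCHEMA.get(schema_id(schema))
        if kind is None:
            raise ValueError(f"unknown reply schema {schema!r}")
        return kind
    if (payload.get("name") == "IncidentValidationError"
            and payload.get("code") == "ERR_INVALID_INPUT"):
        return "IncidentValidationError"
    raise ValueError("reply has no schema header and is not a known validation error")


class PendingCreates:
    """In-flight CreateIncidentCommands keyed by correlation_id. Each reply is
    consumed at most once; unmatched or duplicate replies are reported, not acted on."""

    def __init__(self):
        self._pending = {}

    def register(self, correlation_id, command_payload):
        if correlation_id in self._pending:
            raise ValueError(f"correlation_id {correlation_id} already in flight")
        self._pending[correlation_id] = command_payload

    def pending_count(self):
        return len(self._pending)

    def handle_reply(self, headers, payload):
        """Return (outcome, correlation_id, detail)."""
        cid = headers.get("correlation_id")
        if cid not in self._pending:
            return ("unmatched", cid, None)
        kind = classify_reply(headers, payload)   # classify before consuming
        command = self._pending.pop(cid)
        if kind == "CreateIncidentReply":
            # Sanity check: the reply should describe the incident we asked for.
            if payload.get("name") != command.get("name"):
                return ("mismatch", cid, payload.get("id"))
            return ("created", cid, {"id": payload["id"], "key": payload["key"],
                                     "alertIds": payload.get("alertIds", [])})
        if kind == "ServerError":
            # The message is deliberately withheld; only the code is available.
            return ("error", cid, payload.get("code"))
        return ("error", cid, f'{payload.get("code")}: {payload.get("message")}')
```

Classifying before popping the pending entry means a reply with an unknown schema leaves the command in flight instead of silently consuming it, which is the safer failure mode for an automation pipeline.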

Pub CdcActions.incident.alerts.add

Add (Attach) Alerts to Incident

Add (Attach) Alerts to Incident

Adds the specified alerts to the specified incident.

Preconditions

  • The incident must already exist
  • The incident must not be closed
  • All specified alerts must exist

Effects

  1. The incident will be associated with the alerts
  2. The alerts will change status to "in incident"
  3. An "AlertAddedToIncident" event will be published for each added alert
  4. The alerts added to incident reply will be sent.

Notes

  1. Any alert that is already attached to a different incident (has status "in incident") will be silently ignored.
  2. While we try to ensure an alert is only attached to a single incident at a given moment, unresolved concurrency issues in CDC sometimes cause the same alert to be attached to multiple incidents.

Accepts the following message:

Add Alerts To Incident Command AddAlertsToIncidentCommand

Adds the specified alerts to the specified incident

This message is a command message that adds alerts to an incident

Payload
object
alertIds
required
array<string>
>= 1 items Unique

The alert IDs to be added to the Incident

Items:

0
string

The unique Alert ID as defined by CDC

Additional items are allowed.

incidentId
required
string

The unique Incident ID as defined by CDC

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

X-Initiated-By
required
string

The user id of the user who initiated this action, as defined in CDC

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and in lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "action/add-alerts-to-incident-command; version=1;"
alerts incidents

Examples

AddAlertsToIncidentCommand
Payload
{
  "alertIds": [
    "603cde4464522f260aacf14a"
  ],
  "incidentId": "5a92dbb61487fe0007fa4fd5"
}
This example has been generated automatically.
Headers
{
  "message_id": "4176e52e-b7d6-4aab-a38b-6b43a8d43ed1",
  "X-Initiated-By": "d4599677-be17-4a61-b6d8-72899c771f75",
  "reply_to": "stackstorm-replies:create-alert-replies\n",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d",
  "X-Message-Schema": "action/add-alerts-to-incident-command; version=1;"
}
This example has been generated automatically.

Sub CdcActions.replies.incident.alerts.add

Add (Attach) Alerts to Incident reply channel

Add (Attach) Alerts to Incident Reply

Accepts one of the following messages:

#1 Add Alerts To Incident Reply AddAlertsToIncidentReply

The reply returned after adding alerts to the incident

replies

This message is the reply to an add-alerts-to-incident command

Payload
object
incidentId
required
string

The unique Incident ID as defined by CDC

alertIds
required
array<string>
>= 1 items

The IDs of all alerts associated with the incident after the operation has completed

Items:

0
string

The unique Alert ID as defined by CDC

Additional items are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and in lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "reply/incident-alerts-add-reply; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#2 Incident Not Found Message IncidentNotFoundError

The reply returned if no incident with the specified identifier exists

errors
Payload
object
name
required
string

IncidentNotFoundError

code
required
string

ERR_NOT_FOUND

message
required
string

The incident ${incidentId} is not exist.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and in lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/not-found-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#3 Validation Error Message ValidationError

The reply returned if any of the input data is not valid.

errors
Payload
object
name
required
string

ValidationError

code
required
string

ERR_INVALID_INPUT

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and in lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/validation-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#4 Not Found Message NotFoundError

The reply returned if some entity does not exist.

errors
Payload
object
name
required
string

NotFoundError

code
required
string

ERR_NOT_FOUND

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and in lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/not-found-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#5 Server Error Message ServerError

The reply returned if an unexpected error occurred during action execution.

errors

Notes:

  • The error message is hidden due to security concerns
Payload
object
name
required
string

ServerError

code
required
string

ERR_SERVER

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and in lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/server-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

alerts incidents

Examples

AddAlertsToIncidentReply
Payload
{
  "incidentId": "5a92dbb61487fe0007fa4fd5",
  "alertIds": [
    "603cde4464522f260aacf14a"
  ]
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "reply/incident-alerts-add-reply; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
IncidentNotFoundError
Payload
{
  "name": "IncidentNotFoundError",
  "code": "ERR_NOT_FOUND",
  "message": "The incident ${incidentId} is not exist."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/not-found-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ValidationError
Payload
{
  "name": "ValidationError",
  "code": "ERR_INVALID_INPUT",
  "message": "The property {propertyName} is required."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/validation-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
NotFoundError
Payload
{
  "name": "NotFoundError",
  "code": "ERR_NOT_FOUND",
  "message": "The {entityName} is not exist."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/not-found-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ServerError
Payload
{
  "name": "ServerError",
  "code": "ERR_SERVER"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/server-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
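Because an alert that is already attached to another incident is silently ignored (see the notes on this operation), the only way a caller learns that part of its request was dropped is to compare the alert IDs it sent with the list the AddAlertsToIncidentReply returns, which holds every alert associated with the incident after the operation. The following is an added example, not code from the CDC project, that performs that reconciliation; the function name and the 24-character sample IDs in the test are constructed for this example.

```python
"""Reconcile an AddAlertsToIncidentCommand with its AddAlertsToIncidentReply.

Added example (not the CDC project's code). The reply lists all alerts on the
incident after the operation, so requested minus returned is the set of
alerts CDC ignored; returned minus requested were on the incident already.
"""
EXPECTED_SCHEMA = "reply/incident-alerts-add-reply"


def reconcile_add_alerts(command_payload, reply_headers, reply_payload):
    """Return which requested alerts are now attached and which were ignored."""
    schema = reply_headers.get("X-Message-Schema", "").split(";", 1)[0].strip()
    if schema != EXPECTED_SCHEMA:
        raise ValueError(f"not an add-alerts reply: {schema!r}")
    if reply_payload["incidentId"] != command_payload["incidentId"]:
        raise ValueError("reply refers to a different incident than the command")
    requested = set(command_payload["alertIds"])
    attached = set(reply_payload["alertIds"])
    return {
        "incidentId": reply_payload["incidentId"],
        "attached": sorted(requested & attached),
        # Attached to another incident at the time, or otherwise dropped by CDC.
        "ignored": sorted(requested - attached),
        # Already on the incident before this command ran.
        "other_alerts": sorted(attached - requested),
    }


if __name__ == "__main__":
    # Constructed sample based on the page's example messages.
    cmd = {"incidentId": "5a92dbb61487fe0007fa4fd5",
           "alertIds": ["603cde4464522f260aacf14a"]}
    hdrs = {"X-Message-Schema": "reply/incident-alerts-add-reply; version=1;",
            "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"}
    rep = {"incidentId": "5a92dbb61487fe0007fa4fd5",
           "alertIds": ["603cde4464522f260aacf14a"]}
    print(reconcile_add_alerts(cmd, hdrs, rep))
```

A non-empty "ignored" list is worth logging in an automation pipeline: the note on concurrency above means the same alert can occasionally end up on several incidents, and the only client-side evidence of either outcome is this difference between requested and returned IDs.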

Pub CdcActions.incident.alerts.remove

Remove (Detach) Alerts from Incident

Remove (Detach) Alerts from Incident

Detaches the specified alerts from the specified incident to which they belong.

Preconditions

  • All specified alerts must exist
  • The alerts must belong to the specified incident
  • The incident must not be closed

Effects

  1. The alerts will be detached from the incident
  2. The alerts will change status to "new" or "closed", depending on the value sent in the message's payload.nextStateOptions
  3. An "AlertRemovedFromIncident" event will be published for each removed alert
  4. The alerts removed from incident reply will be sent.

Notes

  1. Any alert that is not attached to any incident (has status "new" or "closed") will be silently ignored.
  2. Any alert that is attached to a different incident (has status "in incident" but a different incident ID) will be silently ignored.

Accepts the following message:

Remove Alerts From Incident Command RemoveAlertsFromIncidentCommand

Removes the specified alerts from the specified incident

This message is a command message that removes alerts from an incident

Payload
object
alertIds
required
array<string>
>= 1 items Unique

The alert IDs to be removed from the Incident

Items:

0
string

The unique Alert ID as defined by CDC

Additional items are allowed.

incidentId
required
string

The unique Incident ID as defined by CDC

detachWithObservables
boolean

Flag that indicates if Alert Observables should be removed from the Incident

nextStateOptions
required
object
status
required
string

Alert status after detaching

Enum: "New" "Closed"
closingReason
object

Alert closing reason; required if nextStateOptions.status is Closed

reason
string

Alert closing reason (the value should be one of the reasons pre-set in the metamodels)

comment
string

Alert closing comment

Additional properties are allowed.

Additional properties are allowed.

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

X-Initiated-By
required
string

The user id of the user who initiated this action, as defined in CDC

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and in lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "action/remove-alerts-from-incident-command; version=1;"
alerts incidents

Examples

RemoveAlertsFromIncidentCommand
Payload
{
  "alertIds": [
    "603cde4464522f260aacf14a"
  ],
  "incidentId": "5a92dbb61487fe0007fa4fd5",
  "detachWithObservables": true,
  "nextStateOptions": {
    "status": "New",
    "closingReason": {
      "reason": "string",
      "comment": "string"
    }
  }
}
This example has been generated automatically.
Headers
{
  "message_id": "4176e52e-b7d6-4aab-a38b-6b43a8d43ed1",
  "X-Initiated-By": "d4599677-be17-4a61-b6d8-72899c771f75",
  "reply_to": "stackstorm-replies:create-alert-replies\n",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d",
  "X-Message-Schema": "action/remove-alerts-from-incident-command; version=1;"
}
This example has been generated automatically.
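The nextStateOptions object is the part of this command the schema cannot express on its own: status must be "New" or "Closed", and closingReason is required only when the status is "Closed". The following is an added example, not code from the CDC project, that checks that conditional rule and assembles a RemoveAlertsFromIncidentCommand payload. The function names and the placeholder set of closing reasons are this example's assumptions; the page does not list the reasons pre-set in the metamodels.

```python
"""Build a RemoveAlertsFromIncidentCommand payload for CdcActions.incident.alerts.remove.

Added example (not the CDC project's code). Rules come from the schema above:
alertIds non-empty and unique, status in {"New", "Closed"}, closingReason
required when status is "Closed".
"""

ALLOWED_STATUSES = ("New", "Closed")
# Placeholder for the closing reasons pre-set in the CDC metamodels; the page
# does not list them, so these two values are an assumption of this example.
KNOWN_CLOSING_REASONS = {"False positive", "Duplicate"}


def next_state_errors(opts):
    """Return a list of problems with a nextStateOptions object (empty if valid)."""
    errors = []
    status = opts.get("status")
    if status not in ALLOWED_STATUSES:
        errors.append(f"status must be one of {ALLOWED_STATUSES}, got {status!r}")
    reason = (opts.get("closingReason") or {}).get("reason")
    if status == "Closed":
        # closingReason is only mandatory on the Closed path.
        if not reason:
            errors.append("closingReason.reason is required when status is Closed")
        elif reason not in KNOWN_CLOSING_REASONS:
            errors.append(f"closingReason.reason {reason!r} is not a pre-set reason")
    return errors


def build_remove_alerts_command(incident_id, alert_ids, next_state,
                                detach_with_observables=None):
    """Return the command payload, or raise ValueError listing every problem found."""
    problems = []
    if not alert_ids:
        problems.append("alertIds must contain at least one item")
    elif len(set(alert_ids)) != len(alert_ids):
        problems.append("alertIds must be unique")
    if not incident_id:
        problems.append("incidentId is required")
    problems.extend(next_state_errors(next_state))
    if problems:
        raise ValueError("; ".join(problems))
    payload = {
        "alertIds": list(alert_ids),
        "incidentId": incident_id,
        "nextStateOptions": dict(next_state),
    }
    if detach_with_observables is not None:
        # Optional flag: also drop the alerts' observables from the incident.
        payload["detachWithObservables"] = bool(detach_with_observables)
    return payload


if __name__ == "__main__":
    # Constructed sample using the IDs from the page's example.
    print(build_remove_alerts_command(
        "5a92dbb61487fe0007fa4fd5", ["603cde4464522f260aacf14a"],
        {"status": "Closed", "closingReason": {"reason": "Duplicate",
                                                "comment": "merged"}},
        detach_with_observables=True))
```

Checking the Closed-requires-closingReason rule before publishing matters because the reply channel reports it only as a generic ValidationError with a templated message, after the message has already been queued and processed.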

Sub CdcActions.replies.incident.alerts.remove

Remove (Detach) Alerts from Incident reply channel

Remove (Detach) Alerts from Incident Reply

Accepts one of the following messages:

#1 Remove Alerts From Incident Reply RemoveAlertsFromIncidentReply

The reply returned after removing alerts from the incident

replies

This message is the reply to a remove-alerts-from-incident command

Payload
object
incidentId
required
string

The unique Incident ID as defined by CDC

alertIds
required
array<string>
>= 1 items

The IDs of all alerts removed from the incident after the operation has completed

Items:

0
string

The unique Alert ID as defined by CDC

Additional items are allowed.

observableIds
required
array<string>

The IDs of all observables removed from the incident after the operation has completed

Items:

0
string

The unique Observable ID as defined by CDC

Additional items are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and in lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "reply/incident-alerts-remove-reply; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#2 Incident Not Found Message IncidentNotFoundError

The reply returned if no incident with the specified identifier exists

errors
Payload
object
name
required
string

IncidentNotFoundError

code
required
string

ERR_NOT_FOUND

message
required
string

The incident ${incidentId} is not exist.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and in lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/not-found-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#3 Validation Error Message ValidationError

The reply returned if any of the input data is not valid.

errors
Payload
object
name
required
string

ValidationError

code
required
string

ERR_INVALID_INPUT

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and in lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/validation-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#4 Not Found Message NotFoundError

The reply returned if some entity does not exist.

errors
Payload
object
name
required
string

NotFoundError

code
required
string

ERR_NOT_FOUND

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and in lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/not-found-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#5 Server Error Message ServerError

The reply returned if an unexpected error occurred during action execution.

errors

Notes:

  • The error message is hidden due to security concerns
Payload
object
name
required
string

ServerError

code
required
string

ERR_SERVER

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and in lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/server-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

alerts incidents

Examples

RemoveAlertsFromIncidentReply
Payload
{
  "incidentId": "5a92dbb61487fe0007fa4fd5",
  "alertIds": [
    "603cde4464522f260aacf14a"
  ],
  "observableIds": [
    "601277891802cf598a22bd4f"
  ]
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "reply/incident-alerts-remove-reply; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
IncidentNotFoundError
Payload
{
  "name": "IncidentNotFoundError",
  "code": "ERR_NOT_FOUND",
  "message": "The incident ${incidentId} is not exist."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/not-found-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ValidationError
Payload
{
  "name": "ValidationError",
  "code": "ERR_INVALID_INPUT",
  "message": "The property {propertyName} is required."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/validation-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
NotFoundError
Payload
{
  "name": "NotFoundError",
  "code": "ERR_NOT_FOUND",
  "message": "The {entityName} is not exist."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/not-found-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ServerError
Payload
{
  "name": "ServerError",
  "code": "ERR_SERVER"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/server-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
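Every reply and error message on this page carries the same two headers: X-Message-Schema, in the {event-type}/{schema-name}; version={version}({-stage}); format, and correlation_id, which is the only thing that ties a reply back to the command that caused it. The following is an added example, not code from the CDC Automation API or its publisher: it parses the header grammar as documented above, compares a received header with a documented Const value on schema and major version only (the pre-release stage is ignored, since the page says only the major version matters), and keeps a table of outstanding correlation_ids so that a reply with an unknown id is dropped rather than acted on. All headers and payloads in it are constructed samples.

```python
"""Parse CDC X-Message-Schema headers and pair reply messages with the commands
that produced them via correlation_id.

Added example, not code from the CDC Automation API or CyberProof. It follows
the header grammar documented on this page:
    {event-type}/{schema-name}; version={version}({-stage});
All sample headers and payloads below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional

# event-type and schema-name are lowercase and dash-separated; the version is the
# major number, optionally followed by a pre-release stage such as "-beta.1".
_SCHEMA_RE = re.compile(
    r"^(?P<event_type>[a-z0-9]+(?:-[a-z0-9]+)*)/(?P<schema_name>[a-z0-9]+(?:-[a-z0-9]+)*)"
    r";\s*version=(?P<version>\d+)"
    r"(?:-(?P<stage>[0-9A-Za-z]+(?:\.[0-9A-Za-z]+)*))?;?\s*$"
)


@dataclass(frozen=True)
class MessageSchema:
    event_type: str              # "action", "reply", "error", ...
    schema_name: str             # e.g. "incident-observables-add-reply"
    version: int                 # major version only
    stage: Optional[str] = None  # pre-release stage, e.g. "beta.1", or None


def parse_message_schema(header: str) -> MessageSchema:
    """Parse an X-Message-Schema header; raise ValueError on anything off-grammar."""
    m = _SCHEMA_RE.match(header.strip())
    if m is None:
        raise ValueError(f"malformed X-Message-Schema header: {header!r}")
    return MessageSchema(m["event_type"], m["schema_name"], int(m["version"]), m["stage"])


def schema_matches(header: str, expected_const: str) -> bool:
    """True when the received header names the same schema and major version as a
    documented Const value. The pre-release stage is ignored on purpose: only the
    major version is significant according to the page."""
    got, want = parse_message_schema(header), parse_message_schema(expected_const)
    return (got.event_type, got.schema_name, got.version) == (
        want.event_type, want.schema_name, want.version)


class ReplyTracker:
    """Remembers the correlation_id of every command sent and classifies the
    replies that come back on the reply channel."""

    def __init__(self) -> None:
        self._pending: dict[str, str] = {}  # correlation_id -> expected reply Const

    def register(self, correlation_id: str, expected_reply_schema: str) -> None:
        self._pending[correlation_id] = expected_reply_schema

    def handle(self, headers: dict, payload: dict) -> str:
        """Classify one received message as 'ok', 'error:<code>', 'unexpected-schema'
        or 'unknown-correlation'. Unknown ids are dropped rather than acted on, so a
        stray or replayed reply cannot advance a workflow it does not belong to."""
        cid = headers.get("correlation_id")
        expected = self._pending.pop(cid, None)
        if expected is None:
            return "unknown-correlation"
        schema = parse_message_schema(headers["X-Message-Schema"])
        if schema.event_type == "error":
            # ServerError carries no message field (hidden for security), so use .get
            return f"error:{payload.get('code', 'ERR_UNKNOWN')}"
        if schema_matches(headers["X-Message-Schema"], expected):
            return "ok"
        return "unexpected-schema"


def demo() -> list[str]:
    """Constructed exchange: one command gets a success reply, one an error reply,
    and a third message arrives with a correlation_id nobody is waiting for."""
    tracker = ReplyTracker()
    tracker.register("cid-1", "reply/incident-observables-add-reply; version=1;")
    tracker.register("cid-2", "reply/add-mitre-attacks-to-incident-reply; version=1;")
    messages = [
        ({"X-Message-Schema": "reply/incident-observables-add-reply; version=1;",
          "correlation_id": "cid-1"},
         {"incidentId": "incident-0001", "observables": []}),
        ({"X-Message-Schema": "error/not-found-error; version=1;",
          "correlation_id": "cid-2"},
         {"name": "IncidentNotFoundError", "code": "ERR_NOT_FOUND",
          "message": "The incident incident-0002 is not exist."}),
        ({"X-Message-Schema": "error/server-error; version=1;",
          "correlation_id": "cid-9"},
         {"name": "ServerError", "code": "ERR_SERVER"}),
    ]
    return [tracker.handle(h, p) for h, p in messages]


if __name__ == "__main__":
    print(demo())  # ['ok', 'error:ERR_NOT_FOUND', 'unknown-correlation']
```

The tracker pops the correlation_id on first use, so a duplicate delivery of the same reply is classified as unknown the second time; a consumer that retries commands should register the new correlation_id before re-publishing.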

Pub CdcActions.incident.observables.add

Add observables to incident

Add Observables to Incident

Adds the specified observables to the specified incident.

Preconditions

  • The incident must already exist

Effects

  1. Observables which don't exist yet are created.
  2. For observables that already exist, the provided tags will be merged with the existing tags (resulting in a union set).
  3. The incident will be associated with the observables.
  4. An "IncidentObservableAdded" event will be published.
  5. An incident observables add reply will be sent.

Accepts the following message:

Add Observables To Incident Command AddObservablesToIncidentCommand

Adds the specified observables to the specified incident

Payload
object
observables
required
array<object>
>= 1 items Unique

The observables to be added to the Incident

value
string

The observable's value

type
string

The observable's type

tags
array<string>
Unique

Array of tags. A tag name may contain only the following characters: letters, digits, "-", "_", ".", "#" and "@".

Tags are case-preserving on insertion: if the tag does not already exist with a different casing, it is saved with the casing specified. When used as query filters, tags are treated as case-insensitive.

Items:

0
string
must match ^\S*$

Additional items are allowed.

Additional items are allowed.

incidentId
required
string

The unique Incident ID as defined by CDC

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

X-Initiated-By
required
string

The user id of the user who initiated this action, as defined in CDC

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "action/add-observables-to-incident-command; version=1;"
observables incidents

Examples

AddObservablesToIncidentCommand
Payload
{
  "observables": [
    {
      "type": "Host Name",
      "value": "TOK7"
    },
    {
      "type": "Domain Name",
      "value": "fake.com"
    },
    {
      "type": "Email Address",
      "value": "Alexander.Korznikov@ust-global.com"
    },
    {
      "type": "IPv4 Address",
      "value": "12.54.2.55",
      "tags": [
        "Critical-Infrastructure",
        "Internal-Server"
      ]
    }
  ],
  "incidentId": "5a92dbb61487fe0007fa4fd5"
}
This example has been generated automatically.
Headers
{
  "message_id": "4176e52e-b7d6-4aab-a38b-6b43a8d43ed1",
  "X-Initiated-By": "d4599677-be17-4a61-b6d8-72899c771f75",
  "reply_to": "stackstorm-replies:create-alert-replies\n",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d",
  "X-Message-Schema": "action/add-observables-to-incident-command; version=1;"
}
This example has been generated automatically.
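The command schema above carries several constraints that are easy to get wrong on the producer side: observables must be a non-empty set of unique items, each tag must match ^\S*$ and use only the permitted symbols, incidentId is required, reply_to must be <exchangeName>:<routingKey> (the generated example even contains a trailing newline in that header), and message_id is the deduplication key for reruns. The following is an added example, not the CDC API's own code, that validates a payload against those rules, builds the headers, and implements the documented effect 2 (union of tags, with case-preserving storage). The payloads and ids in it are constructed; the rule that an empty tag is invalid is an assumption of this example, since ^\S*$ alone would admit it.

```python
"""Validate an AddObservablesToIncidentCommand and build its headers.

Added example, not the CDC API's own code. Field rules come from the schema on
this page (observables: >= 1 unique items; tags: the ^\\S*$ pattern plus the
allowed-symbol rule; incidentId required; reply_to as <exchangeName>:<routingKey>).
Sample payloads are constructed; treating an empty tag as invalid is this
example's assumption.
"""
import json
import re
import uuid
from typing import Optional

SCHEMA_CONST = "action/add-observables-to-incident-command; version=1;"
_TAG_PATTERN = re.compile(r"^\S*$")   # the items pattern from the schema
_TAG_EXTRA_SYMBOLS = set("-_.#@")     # non-alphanumeric symbols the page allows


def validate_tag(tag: str) -> Optional[str]:
    """Return a problem description, or None when the tag is acceptable."""
    if not tag:
        return "tag must not be empty"
    if not _TAG_PATTERN.match(tag):
        return f"tag {tag!r} contains whitespace"
    if not all(ch.isalnum() or ch in _TAG_EXTRA_SYMBOLS for ch in tag):
        return f"tag {tag!r} contains a symbol outside letters, digits and - _ . # @"
    return None


def validate_add_observables_command(payload: dict) -> list[str]:
    """Return the list of validation problems; empty means the command would pass
    the documented schema checks (messages mirror the page's ValidationError text)."""
    problems: list[str] = []
    if not payload.get("incidentId"):
        problems.append("The property incidentId is required.")
    observables = payload.get("observables")
    if not isinstance(observables, list) or len(observables) < 1:
        problems.append("The property observables is required.")
        return problems
    seen: set[str] = set()
    for i, obs in enumerate(observables):
        key = json.dumps(obs, sort_keys=True)   # whole-object uniqueness
        if key in seen:
            problems.append(f"observables[{i}] duplicates an earlier item")
        seen.add(key)
        tags = obs.get("tags", [])
        if len(set(tags)) != len(tags):
            problems.append(f"observables[{i}].tags contains duplicates")
        for tag in tags:
            problem = validate_tag(tag)
            if problem:
                problems.append(f"observables[{i}]: {problem}")
    return problems


def parse_reply_to(value: str) -> tuple[str, str]:
    """Split '<exchangeName>:<routingKey>'. Surrounding whitespace is stripped
    because the generated example on the page carries a trailing newline."""
    exchange, sep, routing_key = value.strip().partition(":")
    if not sep or not exchange or not routing_key:
        raise ValueError(f"reply_to must be <exchangeName>:<routingKey>, got {value!r}")
    return exchange, routing_key


def build_headers(initiated_by: str, reply_to: Optional[str],
                  correlation_id: Optional[str] = None,
                  message_id: Optional[str] = None) -> dict:
    """Headers for the command. Reuse the same message_id when re-sending after a
    timeout so CDC can deduplicate the rerun; omit reply_to if no reply is wanted."""
    headers = {
        "message_id": message_id or str(uuid.uuid4()),
        "X-Initiated-By": initiated_by,
        "X-Message-Schema": SCHEMA_CONST,
    }
    if reply_to:
        exchange, routing_key = parse_reply_to(reply_to)
        headers["reply_to"] = f"{exchange}:{routing_key}"
    if correlation_id:
        headers["correlation_id"] = correlation_id
    return headers


def merge_tags(existing: list[str], incoming: list[str]) -> list[str]:
    """Effect 2 on the page: union of the tag sets. Comparison is case-insensitive;
    a stored tag keeps its casing, a new tag keeps the casing it was sent with."""
    by_fold = {t.casefold(): t for t in existing}
    for tag in incoming:
        by_fold.setdefault(tag.casefold(), tag)
    return list(by_fold.values())


# Constructed command, shaped like the page's example but with placeholder values.
SAMPLE_COMMAND = {
    "incidentId": "incident-0001",
    "observables": [
        {"type": "Host Name", "value": "host-01"},
        {"type": "IPv4 Address", "value": "198.51.100.7",
         "tags": ["Critical-Infrastructure", "Internal-Server"]},
    ],
}

if __name__ == "__main__":
    print(validate_add_observables_command(SAMPLE_COMMAND))  # []
    print(build_headers("user-0001", "automation-replies:observables-add\n", "cid-1"))
```

Running the validator before publishing avoids a round trip that ends in a ValidationError reply, and keeping message_id stable across retries is what makes the documented deduplication work.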

Sub CdcActions.replies.incident.observables.add

Adding observables to incident reply channel

Add Observables to Incident Reply

Accepts one of the following messages:

#1 Add Observables To Incident Reply AddObservablesToIncidentReply

The reply returned after adding observables to an incident

replies

This message is the reply for adding observables to an incident

Payload
object
incidentId
required
string

The unique Incident ID as defined by CDC

observables
required
array<object>
>= 1 items Unique

The list of all observables associated with the incident after the operation has completed

type
required
string

The type of the observable

value
required
string

The value of the observable

Additional items are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "reply/incident-observables-add-reply; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#2 Incident Not Found Message IncidentNotFoundError

The reply returned if the incident with the specified identifier does not exist

errors
Payload
object
name
required
string

IncidentNotFoundError

code
required
string

ERR_NOT_FOUND

message
required
string

The incident ${incidentId} is not exist.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/not-found-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#3 Validation Error Message ValidationError

The reply returned if any of the input data is not valid.

errors
Payload
object
name
required
string

ValidationError

code
required
string

ERR_INVALID_INPUT

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/validation-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#4 Not Found Message NotFoundError

The reply returned if some entity does not exist.

errors
Payload
object
name
required
string

NotFoundError

code
required
string

ERR_NOT_FOUND

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/not-found-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#5 Server Error Message ServerError

The reply returned if an unexpected error occurred during action execution.

errors

Notes:

  • The error message is hidden due to security concerns
Payload
object
name
required
string

ServerError

code
required
string

ERR_SERVER

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/server-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

incidents observables

Examples

AddObservablesToIncidentReply
Payload
{
  "incidentId": "5a92dbb61487fe0007fa4fd5",
  "observables": [
    {
      "type": "IPv4 Address",
      "value": "192.168.40.45"
    }
  ]
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "reply/incident-observables-add-reply; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
IncidentNotFoundError
Payload
{
  "name": "IncidentNotFoundError",
  "code": "ERR_NOT_FOUND",
  "message": "The incident ${incidentId} is not exist."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/not-found-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ValidationError
Payload
{
  "name": "ValidationError",
  "code": "ERR_INVALID_INPUT",
  "message": "The property {propertyName} is required."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/validation-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
NotFoundError
Payload
{
  "name": "NotFoundError",
  "code": "ERR_NOT_FOUND",
  "message": "The {entityName} is not exist."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/not-found-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ServerError
Payload
{
  "name": "ServerError",
  "code": "ERR_SERVER"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/server-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.

Pub CdcActions.incident.attacks.add

Add mitre attacks to Incident

Add mitre attacks to Incident

Adds the specified mitre attacks to the specified incident.

Preconditions

  • The incident must already exist

Effects

  1. Mitre attacks which don't exist yet are created.
  2. The incident will be associated with the mitre attacks.
  3. An incident mitre attacks add reply will be sent.

Accepts the following message:

Add MitreAttacks To Incident Command AddMitreAttacksToIncidentCommand

Adds the specified MitreAttacks to the specified incident

Payload
object
mitreAttackIds
required
array<string>
>= 1 items Unique

MitreAttack Ids List

Items:

0
string

Additional items are allowed.

incidentId
required
string

The unique Incident ID as defined by CDC

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

X-Initiated-By
required
string

The user id of the user who initiated this action, as defined in CDC

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "action/add-mitre-attacks-to-incident-command; version=1;"
incidents

Examples

AddMitreAttacksToIncidentCommand
Payload
{
  "mitreAttackIds": [
    "T1003",
    "T1001",
    "T1595.001"
  ],
  "incidentId": "5a92dbb61487fe0007fa4fd5"
}
This example has been generated automatically.
Headers
{
  "message_id": "4176e52e-b7d6-4aab-a38b-6b43a8d43ed1",
  "X-Initiated-By": "d4599677-be17-4a61-b6d8-72899c771f75",
  "reply_to": "stackstorm-replies:create-alert-replies\n",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d",
  "X-Message-Schema": "action/add-mitre-attacks-to-incident-command; version=1;"
}
This example has been generated automatically.

Sub CdcActions.replies.incident.attacks.add

Adding mitre attacks to incident reply channel

Add Mitre Attacks to Incident Reply

Accepts one of the following messages:

#1 Add Mitre Attacks To Incident Reply AddMitreAttacksToIncidentReply

The reply returned after adding mitre attacks to an incident

replies

This message is the reply for adding mitre attacks to an incident

Payload
object
incidentId
required
string

The unique Incident ID as defined by CDC

mitreAttacks
required
array<string>
Unique

MitreAttack Ids List

Items:

0
string

Additional items are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "reply/add-mitre-attacks-to-incident-reply; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#2 Incident Not Found Message IncidentNotFoundError

The reply returned if the incident with the specified identifier does not exist

errors
Payload
object
name
required
string

IncidentNotFoundError

code
required
string

ERR_NOT_FOUND

message
required
string

The incident ${incidentId} is not exist.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/not-found-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#3 Validation Error Message ValidationError

The reply returned if any of the input data is not valid.

errors
Payload
object
name
required
string

ValidationError

code
required
string

ERR_INVALID_INPUT

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/validation-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#4 Not Found Message NotFoundError

The reply returned if some entity does not exist.

errors
Payload
object
name
required
string

NotFoundError

code
required
string

ERR_NOT_FOUND

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/not-found-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#5 Server Error Message ServerError

The reply returned if an unexpected error occurred during action execution.

errors

Notes:

  • The error message is hidden due to security concerns
Payload
object
name
required
string

ServerError

code
required
string

ERR_SERVER

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/server-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

incidents

Examples

AddMitreAttacksToIncidentReply
Payload
{
  "incidentId": "5a92dbb61487fe0007fa4fd5",
  "mitreAttacks": [
    "T1003",
    "T1001",
    "T1595.001"
  ]
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "reply/add-mitre-attacks-to-incident-reply; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
IncidentNotFoundError
Payload
{
  "name": "IncidentNotFoundError",
  "code": "ERR_NOT_FOUND",
  "message": "The incident ${incidentId} is not exist."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/not-found-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ValidationError
Payload
{
  "name": "ValidationError",
  "code": "ERR_INVALID_INPUT",
  "message": "The property {propertyName} is required."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/validation-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
NotFoundError
Payload
{
  "name": "NotFoundError",
  "code": "ERR_NOT_FOUND",
  "message": "The {entityName} is not exist."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/not-found-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ServerError
Payload
{
  "name": "ServerError",
  "code": "ERR_SERVER"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/server-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.

Pub CdcActions.incident.attacks.remove

Remove mitre attacks from Incident

Remove mitre attacks from Incident

Removes the specified mitre attacks from the specified incident.

Preconditions

  • The incident must already exist

Effects

  1. The incident will not be associated with the mitre attacks.
  2. An incident mitre attacks remove reply will be sent.

Accepts the following message:

Remove MitreAttacks From Incident Command RemoveMitreAttacksFromIncidentCommand

Removes the specified MitreAttacks from the specified incident

Payload
object
mitreAttackIds
required
array<string>
>= 1 items Unique

MitreAttack Ids List

Items:

0
string

Additional items are allowed.

incidentId
required
string

The unique Incident ID as defined by CDC

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

X-Initiated-By
required
string

The user id of the user who initiated this action, as defined in CDC

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "action/remove-mitre-attacks-from-incident-command; version=1;"
incidents

Examples

RemoveMitreAttacksFromIncidentCommand
Payload
{
  "mitreAttackIds": [
    "T1003",
    "T1001",
    "T1595.001"
  ],
  "incidentId": "5a92dbb61487fe0007fa4fd5"
}
This example has been generated automatically.
Headers
{
  "message_id": "4176e52e-b7d6-4aab-a38b-6b43a8d43ed1",
  "X-Initiated-By": "d4599677-be17-4a61-b6d8-72899c771f75",
  "reply_to": "stackstorm-replies:create-alert-replies\n",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d",
  "X-Message-Schema": "action/remove-mitre-attacks-from-incident-command; version=1;"
}
This example has been generated automatically.

Sub CdcActions.replies.incident.attacks.remove

Removing mitre attacks from incident reply channel

Remove Mitre Attacks from Incident Reply

Accepts one of the following messages:

#1 Remove Mitre Attacks From Incident Reply RemoveMitreAttacksFromIncidentReply

The reply returned after removing mitre attacks from an incident

replies

This message is the reply for removing mitre attacks from an incident

Payload
object
incidentId
required
string

The unique Incident ID as defined by CDC

mitreAttacks
required
array<string>
Unique

MitreAttack Ids List

Items:

0
string

Additional items are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "reply/remove-mitre-attacks-from-incident-reply; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#2 Incident Not Found Message IncidentNotFoundError

The reply returned if the incident with the specified identifier does not exist

errors
Payload
object
name
required
string

IncidentNotFoundError

code
required
string

ERR_NOT_FOUND

message
required
string

The incident ${incidentId} is not exist.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/not-found-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#3 Validation Error Message ValidationError

The reply returned if any of the input data is not valid.

errors
Payload
object
name
required
string

ValidationError

code
required
string

ERR_INVALID_INPUT

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/validation-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#4 Not Found Message NotFoundError

The reply returned if some entity does not exist.

errors
Payload
object
name
required
string

NotFoundError

code
required
string

ERR_NOT_FOUND

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/not-found-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#5 Server Error Message ServerError

The reply returned if an unexpected error occurred during action execution.

errors

Notes:

  • The error message is hidden due to security concerns
Payload
object
name
required
string

ServerError

code
required
string

ERR_SERVER

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/server-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

incidents

Examples

RemoveMitreAttacksFromIncidentReply
Payload
{
  "incidentId": "5a92dbb61487fe0007fa4fd5",
  "mitreAttacks": [
    "T1003",
    "T1001",
    "T1595.001"
  ]
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "reply/remove-mitre-attacks-from-incident-reply; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
IncidentNotFoundError
Payload
{
  "name": "IncidentNotFoundError",
  "code": "ERR_NOT_FOUND",
  "message": "The incident ${incidentId} is not exist."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/not-found-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ValidationError
Payload
{
  "name": "ValidationError",
  "code": "ERR_INVALID_INPUT",
  "message": "The property {propertyName} is required."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/validation-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
NotFoundError
Payload
{
  "name": "NotFoundError",
  "code": "ERR_NOT_FOUND",
  "message": "The {entityName} is not exist."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/not-found-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ServerError
Payload
{
  "name": "ServerError",
  "code": "ERR_SERVER"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/server-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.

Pub CdcActions.incident.details.update

Incident updates channel

Update Incident Details

Updates specified fields of the incident

Preconditions

  1. The incident must already exist in the CDC database

Effects

  1. If name was specified:
    • Updates incident name
    • An IncidentNameChanged event will be published
  2. If description was specified, the incident description will be updated
  3. If priority was specified:
    • Updates incident priority
    • An IncidentPriorityChanged event will be published
  4. If type was specified, updates incident type
  5. An incident details update reply will be sent.

Accepts the following message:

Update Incident Details UpdateIncidentDetailsCommand

Updates specified incident fields

This message is a command message that will update the specified incident details

Payload
object
incidentId
required
string

The unique Incident ID as defined by CDC

name
string

The name of the incident

description
string
length <= 5000

Incident description. It cannot exceed 5000 characters; if it does, the command will not fail but the description will be truncated.

priority
string

The priority of this incident. Must be one of the priorities defined in CDC.

type
string

Incident type. Must be one of the types defined in CDC.

Examples: "Malware", "Unauthorized access"
tags
array<string>
Unique

Array of tags. A tag name may contain only the following characters: letters, digits, "-", "_", ".", "#" and "@".

Tags are case-preserving on insertion: if the tag does not already exist with a different casing, it is saved with the casing specified. When used as query filters, tags are treated as case-insensitive.

Items:

0
string
must match ^\S*$

Additional items are allowed.

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

X-Initiated-By
required
string

The user id of the user who initiated this action, as defined in CDC

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in mime-type like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always only dash-separated and in lowercase. The schema part is separated from version by semicolon symbol ";"

Usually only major part of version is important, so in most cases the version will be integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot separated identifiers immediately following the major version.

Const: "action/update-incident-details-command; version=1;"
incidents

Examples

UpdateIncidentDetailsCommand
Payload
{
  "incidentId": "5a92dbb61487fe0007fa4fd5",
  "name": "Windows - Multiple failed logins same user same host",
  "description": "Windows - Multiple failed logins same user same host\nSource Address - 10.1.200.60\nSource Host Name - HTZ-ADC1\n",
  "priority": "Low",
  "type": "Malware",
  "tags": [
    "Cloud-Computing",
    "Virus",
    "Phishing"
  ]
}
This example has been generated automatically.
Headers
{
  "message_id": "4176e52e-b7d6-4aab-a38b-6b43a8d43ed1",
  "X-Initiated-By": "d4599677-be17-4a61-b6d8-72899c771f75",
  "reply_to": "stackstorm-replies:create-alert-replies",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d",
  "X-Message-Schema": "action/update-incident-details-command; version=1;"
}
This example has been generated automatically.
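Building the command above by hand is where most integration mistakes happen: a tag with a space, a description that CDC silently truncates, a reply_to that is not in <exchangeName>:<routingKey> form, or a retry that mints a fresh message_id and so defeats CDC's deduplication. The following is an added example (not CDC's own client code) that applies the constraints documented above before a message is published; the function name build_update_incident_details_command, the warnings list and the reply address used in the demo are this example's own, and the AMQP publish itself is left out so the block runs offline.

```python
"""Build and validate an UpdateIncidentDetailsCommand before publishing it.

Added example, not CDC's own client code. It applies the payload and header
constraints documented on this page (required incidentId, 5000-character
description limit, tag character set and uniqueness, reply_to format,
X-Message-Schema const). The AMQP publish itself is left out so the block
runs offline.
"""
from __future__ import annotations

import re
import uuid

SCHEMA = "action/update-incident-details-command; version=1;"  # documented const
DESCRIPTION_MAX = 5000                                           # documented limit
ALLOWED_TAG_PUNCT = frozenset("-_.#@")                           # plus letters and digits
# reply_to is documented as <exchangeName>:<routingKey>. Assumption: neither part
# contains whitespace or a second colon. fullmatch() is used rather than match()
# with "$", because "$" would still accept a trailing newline.
REPLY_TO_RE = re.compile(r"[^\s:]+:[^\s:]+")


def validate_tag(tag: str) -> None:
    """Reject tags outside the documented character set (this also satisfies ^\\S*$)."""
    if not tag or not all(ch.isalnum() or ch in ALLOWED_TAG_PUNCT for ch in tag):
        raise ValueError(f"tag {tag!r} contains characters outside the documented set")


def build_update_incident_details_command(
    incident_id: str,
    initiated_by: str,
    *,
    name: str | None = None,
    description: str | None = None,
    priority: str | None = None,
    type_: str | None = None,
    tags: list[str] | None = None,
    reply_to: str | None = None,
    message_id: str | None = None,
    correlation_id: str | None = None,
) -> dict:
    """Return {"headers", "payload", "warnings"} for one command message.

    Re-sending after a timeout should pass the original message_id again: CDC
    deduplicates reruns on that header, a fresh id would apply the update twice.
    """
    if not incident_id:
        raise ValueError("incidentId is required")
    if not initiated_by:
        raise ValueError("X-Initiated-By is required")
    payload: dict = {"incidentId": incident_id}
    warnings: list[str] = []

    if name is not None:
        payload["name"] = name
    if description is not None:
        if len(description) > DESCRIPTION_MAX:
            # CDC truncates silently; do it here so the loss is visible to the caller.
            warnings.append(f"description truncated from {len(description)} to {DESCRIPTION_MAX} characters")
            description = description[:DESCRIPTION_MAX]
        payload["description"] = description
    if priority is not None:
        payload["priority"] = priority
    if type_ is not None:
        payload["type"] = type_
    if tags is not None:
        seen: set[str] = set()
        for tag in tags:
            validate_tag(tag)
            if tag in seen:
                raise ValueError(f"duplicate tag {tag!r}: the tags array must be unique")
            seen.add(tag)
        payload["tags"] = list(tags)
    if len(payload) == 1:
        raise ValueError("no updatable field given")  # assumption: refuse to send a no-op command

    headers = {
        "message_id": message_id or str(uuid.uuid4()),
        "X-Initiated-By": initiated_by,
        "correlation_id": correlation_id or str(uuid.uuid4()),
        "X-Message-Schema": SCHEMA,
    }
    if reply_to is not None:
        if REPLY_TO_RE.fullmatch(reply_to) is None:
            raise ValueError("reply_to must be <exchangeName>:<routingKey>")
        headers["reply_to"] = reply_to
    return {"headers": headers, "payload": payload, "warnings": warnings}


if __name__ == "__main__":
    # Constructed demo input; the ids are the placeholder values used on this page.
    cmd = build_update_incident_details_command(
        "5a92dbb61487fe0007fa4fd5", "d4599677-be17-4a61-b6d8-72899c771f75",
        priority="Low", tags=["Cloud-Computing", "Virus"],
        reply_to="stackstorm-replies:incident-replies",
    )
    print(cmd)
```

The headers dict is what goes into the AMQP message properties/headers and the payload is JSON-encoded as the body. Because CDC truncates an over-long description without failing the command, the example truncates on the client side and reports it, so an analyst note that carried evidence does not disappear unnoticed.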

Sub CdcActions.replies.incident.details.update

Incident updating reply channel

Update Incident Details Reply

Accepts one of the following messages:

#1 Update Incident Details Reply UpdateIncidentDetailsReply

The reply returned after the incident details have been updated

replies

This message is a reply for incident details update

Payload
object
id
required
string

A unique, machine-oriented ID identifying this incident

key
required
string

A unique, human-oriented key identifying this incident

name
required
string

The name of the incident

description
required
string

The incident description

created
required
string
date-time

The time when the incident was created, in UTC

updated
required
string
date-time

The time when the incident was last updated, in UTC

type
required
string

Incident type

status
required
string

Incident status

Enum: "open" "pending" "closed"
priority
required
string

The incident priority must be one of the priorities defined in CDC.

group
required
string

The group to which this incident is currently assigned

externalIds
required
array<object>

Array of external identifiers of the entity.

system
string

The name of the external system

id
string

The entity's identifier in the external system

Additional items are allowed.

tags
required
array<string>
Unique

Array of tags. A tag's name may contain only the following characters: letters, digits, "-", "_", ".", "#" and "@".

Tags are case-preserving on insertion: if the tag does not already exist with a different casing, it is saved with the casing specified. When used as query filters, tags are treated as case-insensitive.

Items:

0
string
must match ^\S*$

Additional items are allowed.

company
string

Name of the company / division to which this incident or alert belongs.

Not to be confused with the "organization" field, which was used to distinguish between tenants and is deprecated.

Note that most customers don't use the "company" feature. The value must be one of the companies defined in the CDC database.

pendingForGroup
string

If this incident was redirected to a different group this will contain the name of the target group

redirectionReason
string

If this incident was redirected to a different group this will contain the user comment provided with redirection request

endSlaDate
string
date-time

Service level agreement end date

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in mime-type like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always only dash-separated and in lowercase. The schema part is separated from version by semicolon symbol ";"

Usually only major part of version is important, so in most cases the version will be integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot separated identifiers immediately following the major version.

Const: "reply/incident-details-update-reply; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#2 Incident Not Found Message IncidentNotFoundError

The reply returned if no incident with the specified identifier exists

errors
Payload
object
name
required
string

IncidentNotFoundError

code
required
string

ERR_NOT_FOUND

message
required
string

The incident ${incidentId} is not exist.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in mime-type like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always only dash-separated and in lowercase. The schema part is separated from version by semicolon symbol ";"

Usually only major part of version is important, so in most cases the version will be integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot separated identifiers immediately following the major version.

Const: "error/not-found-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#3 Validation Error Message ValidationError

The reply returned if any of the input data is not valid.

errors
Payload
object
name
required
string

ValidationError

code
required
string

ERR_INVALID_INPUT

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in mime-type like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always only dash-separated and in lowercase. The schema part is separated from version by semicolon symbol ";"

Usually only major part of version is important, so in most cases the version will be integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot separated identifiers immediately following the major version.

Const: "error/validation-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#4 Not Found Message NotFoundError

The reply returned if a referenced entity does not exist.

errors
Payload
object
name
required
string

NotFoundError

code
required
string

ERR_NOT_FOUND

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in mime-type like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always only dash-separated and in lowercase. The schema part is separated from version by semicolon symbol ";"

Usually only major part of version is important, so in most cases the version will be integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot separated identifiers immediately following the major version.

Const: "error/not-found-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#5 Server Error Message ServerError

The reply returned if an unexpected error occurred during action execution.

errors

Notes:

  • The error message is hidden due to security concerns
Payload
object
name
required
string

ServerError

code
required
string

ERR_SERVER

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in mime-type like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always only dash-separated and in lowercase. The schema part is separated from version by semicolon symbol ";"

Usually only major part of version is important, so in most cases the version will be integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot separated identifiers immediately following the major version.

Const: "error/server-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

incidents

Examples

UpdateIncidentDetailsReply
Payload
{
  "id": "string",
  "key": "CDC-20191208-00046",
  "name": "Web Proxy - Execution file download",
  "description": "Customer Name - ACME Inc\nAlert Name - Web Proxy - Execution file download\nSource Address - 172.23.2.13\nSource Host Name - laptop2057.bdo.co.il\nSource Zone Name - Haifa - Users\nSource User Name - EshelS\nDestination Address - 52.174.64.84\nDestination Host Name - download.teamviewer.com\nDestination Zone Name - E.I. duPont de Nemours and Co. Inc.\nDestination Geo Country Name - Netherlands\nProtocol/Version - HTTP/1.1\nURL Categories - Remote Access, Web Meetings\nPolicy - Default\nReputation - Minimal Risk\nRequest URL - http://download.teamviewer.com/download/version_11x/TeamViewerQS.exe\nRequest Protocol - http\nRequest Method - GET\nRequest Client Application - Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\nDevice Address - 80.74.110.141\nDevice Host Name - MWG-A\nDevice Zone Name - DMZ1\nDevice Vendor - McAfee\nDevice Product - Web Gateway\nCategory Outcome - /Failure\n\n",
  "created": "2019-08-24T14:15:22Z",
  "updated": "2019-08-24T14:15:22Z",
  "type": "DDOS",
  "status": "open",
  "priority": "Medium",
  "group": "L1",
  "externalIds": [
    {
      "system": "SILVA",
      "id": "AAZ-93485"
    }
  ],
  "tags": [
    "Cloud-Computing",
    "Virus",
    "Phishing"
  ],
  "company": "CompanyName",
  "pendingForGroup": "string",
  "redirectionReason": "string",
  "endSlaDate": "2019-08-23T14:15:22.000Z"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "reply/incident-details-update-reply; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
IncidentNotFoundError
Payload
{
  "name": "IncidentNotFoundError",
  "code": "ERR_NOT_FOUND",
  "message": "The incident ${incidentId} is not exist."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/not-found-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ValidationError
Payload
{
  "name": "ValidationError",
  "code": "ERR_INVALID_INPUT",
  "message": "The property {propertyName} is required."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/validation-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
NotFoundError
Payload
{
  "name": "NotFoundError",
  "code": "ERR_NOT_FOUND",
  "message": "The {entityName} is not exist."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/not-found-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ServerError
Payload
{
  "name": "ServerError",
  "code": "ERR_SERVER"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/server-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
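A consumer of the reply channel above sees five different message types on the same queue, distinguished only by X-Message-Schema, and it must tie each one back to a command it actually sent via correlation_id. The following added example (not CDC's own code) parses the header grammar documented above into its parts and keeps a registry of outstanding correlation ids so that unsolicited or mismatched replies are reported rather than acted upon; the Schema class, ReplyCorrelator, the "retryable" flag for conflict errors and the sample messages in the demo are this example's own constructions, while the schema names are the ones listed on this page.

```python
"""Parse X-Message-Schema and correlate replies with the commands that caused them.

Added example, not CDC's own code. The header grammar
({event-type}/{schema-name}; version={version}({-stage});) and the reply and
error schema names are taken from this page; Schema, ReplyCorrelator and the
messages in __main__ are this example's own constructions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SCHEMA_RE = re.compile(
    r"(?P<type>[a-z]+)/(?P<name>[a-z0-9]+(?:-[a-z0-9]+)*);"   # event type / dash-separated lowercase name
    r"\s*version=(?P<major>\d+)(?:\.\d+)*"                    # major version (minor parts tolerated)
    r"(?:-(?P<stage>[0-9A-Za-z]+(?:\.[0-9A-Za-z]+)*))?;"      # optional pre-release stage
)


@dataclass(frozen=True)
class Schema:
    event_type: str   # "action", "reply", "error", ...
    name: str
    major: int
    stage: str | None


def parse_schema(header: str) -> Schema:
    """Split an X-Message-Schema value into its documented components."""
    m = SCHEMA_RE.fullmatch(header.strip())
    if m is None:
        raise ValueError(f"malformed X-Message-Schema: {header!r}")
    return Schema(m["type"], m["name"], int(m["major"]), m["stage"])


class ReplyCorrelator:
    """Matches replies to commands this client published.

    Only correlation_ids that were registered are acted upon; any other message
    on the reply queue is reported as unsolicited and otherwise ignored.
    """

    def __init__(self) -> None:
        self._pending: dict[str, str] = {}   # correlation_id -> expected reply schema name

    def register(self, correlation_id: str, expected_reply_schema: str) -> None:
        self._pending[correlation_id] = expected_reply_schema

    def handle(self, headers: dict, payload: dict) -> dict:
        corr = headers.get("correlation_id")
        expected = self._pending.get(corr)
        if expected is None:
            return {"accepted": False, "reason": f"unsolicited correlation_id {corr!r}"}
        try:
            schema = parse_schema(headers.get("X-Message-Schema", ""))
        except ValueError as exc:
            return {"accepted": False, "reason": str(exc)}
        if schema.event_type == "reply":
            if schema.name != expected:
                return {"accepted": False, "reason": f"expected {expected}, got {schema.name}"}
            del self._pending[corr]
            return {"accepted": True, "ok": True, "result": payload}
        if schema.event_type == "error":
            del self._pending[corr]
            return {
                "accepted": True,
                "ok": False,
                "error": payload.get("name"),
                "code": payload.get("code"),
                "message": payload.get("message"),      # absent for ServerError by design
                "retryable": schema.name == "conflict-error",  # assumption: re-read state, then retry
            }
        return {"accepted": False, "reason": f"unexpected event type {schema.event_type!r}"}


if __name__ == "__main__":
    # Constructed messages using the placeholder correlation id shown on this page.
    corr = "278940cd-cde8-40ed-adb2-caafd89bcb5d"
    c = ReplyCorrelator()
    c.register(corr, "incident-details-update-reply")
    print(c.handle({"X-Message-Schema": "error/server-error; version=1;", "correlation_id": corr},
                   {"name": "ServerError", "code": "ERR_SERVER"}))
    print(c.handle({"X-Message-Schema": "reply/incident-details-update-reply; version=1;",
                    "correlation_id": "not-ours"}, {}))
```

Both NotFoundError and IncidentNotFoundError arrive under the same schema name (error/not-found-error), so the payload's name field, not the header, tells them apart; the correlator therefore passes name and code through rather than deciding on the header alone. A ServerError carries no message, so the consumer must cope with that key being absent.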

Pub CdcActions.incident.close

Incident closure channel

Close Incident

Closes an incident

Preconditions

  1. The incident must already exist in CDC DB
  2. The incident must not be in "closed" status

Effects

  1. Incident status will be changed to "closed"
  2. An "IncidentClosed" event will be published
  3. An incident close reply will be sent.

Accepts the following message:

Close Incident Command CloseIncidentCommand

Closes an incident

This message is a command message that will result in incident closure

Payload
object
incidentId
required
string

Incident ID to close

text
required
string

Incident closure summary

reason
string

Incident closure reason. Possible default values are: "Benign Positive", "True Positive", "False Positive - Incorrect alert logic", "False Positive - Inaccurate data" and "Undetermined".

Notice: additional custom reasons may be accepted, but only if they are defined in CDC (metamodels).

shouldTerminatePlaybooks
boolean

Terminate playbooks parameter

Possible values:

  • true - terminates all running playbooks in the alerts within the incident, changes their status(es) and closes the incident and its alert(s)
  • false (default) - closes the incident only if there are no running playbooks; otherwise the close incident flow is cancelled
group
string

Incident closure tier group

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

X-Initiated-By
required
string

The user id of the user who initiated this action, as defined in CDC

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in mime-type like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always only dash-separated and in lowercase. The schema part is separated from version by semicolon symbol ";"

Usually only major part of version is important, so in most cases the version will be integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot separated identifiers immediately following the major version.

Const: "action/close-incident-command; version=1;"
incidents

Examples

CloseIncidentCommand
Payload
{
  "incidentId": "5a92dbb61487fe0007fa4fd5",
  "text": "All Windows 7 endpoints were infected with a ransomware. We paid the ransom but no decryption key was provided.",
  "reason": "True Positive",
  "shouldTerminatePlaybooks": true,
  "group": "L2"
}
This example has been generated automatically.
Headers
{
  "message_id": "4176e52e-b7d6-4aab-a38b-6b43a8d43ed1",
  "X-Initiated-By": "d4599677-be17-4a61-b6d8-72899c771f75",
  "reply_to": "stackstorm-replies:create-alert-replies",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d",
  "X-Message-Schema": "action/close-incident-command; version=1;"
}
This example has been generated automatically.

Sub CdcActions.replies.incident.close

Incident closure reply channel

Close Incident Reply

Accepts one of the following messages:

#1 Close Incident Reply CloseIncidentReply

The reply returned after the incident has been closed

replies
  • The message payload is empty
  • This message is a reply for incident close
Payload
object

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in mime-type like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always only dash-separated and in lowercase. The schema part is separated from version by semicolon symbol ";"

Usually only major part of version is important, so in most cases the version will be integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot separated identifiers immediately following the major version.

Const: "reply/incident-close-reply; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#2 Validation Error Message ValidationError

The reply returned if any of the input data is not valid.

errors
Payload
object
name
required
string

ValidationError

code
required
string

ERR_INVALID_INPUT

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in mime-type like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always only dash-separated and in lowercase. The schema part is separated from version by semicolon symbol ";"

Usually only major part of version is important, so in most cases the version will be integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot separated identifiers immediately following the major version.

Const: "error/validation-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#3 Conflict Error Message ConflictError

The reply returned if a concurrency conflict occurred during operation execution

errors
Payload
object
name
required
string

ConflictError

code
required
string

ERR_CONFLICT

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in mime-type like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always only dash-separated and in lowercase. The schema part is separated from version by semicolon symbol ";"

Usually only major part of version is important, so in most cases the version will be integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot separated identifiers immediately following the major version.

Const: "error/conflict-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#4 Not Found Message NotFoundError

The reply returned if a referenced entity does not exist.

errors
Payload
object
name
required
string

NotFoundError

code
required
string

ERR_NOT_FOUND

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in mime-type like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always only dash-separated and in lowercase. The schema part is separated from version by semicolon symbol ";"

Usually only major part of version is important, so in most cases the version will be integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot separated identifiers immediately following the major version.

Const: "error/not-found-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#5 Server Error Message ServerError

The reply returned if an unexpected error occurred during action execution.

errors

Notes:

  • The error message is hidden due to security concerns
Payload
object
name
required
string

ServerError

code
required
string

ERR_SERVER

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in mime-type like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always only dash-separated and in lowercase. The schema part is separated from version by semicolon symbol ";"

Usually only major part of version is important, so in most cases the version will be integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot separated identifiers immediately following the major version.

Const: "error/server-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

incidents

Examples

CloseIncidentReply
Payload
{}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "reply/incident-close-reply; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ValidationError
Payload
{
  "name": "ValidationError",
  "code": "ERR_INVALID_INPUT",
  "message": "The property {propertyName} is required."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/validation-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ConflictError
Payload
{
  "name": "ConflictError",
  "code": "ERR_CONFLICT",
  "message": "This {entityName} was already changed."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/conflict-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
NotFoundError
Payload
{
  "name": "NotFoundError",
  "code": "ERR_NOT_FOUND",
  "message": "The {entityName} is not exist."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/not-found-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ServerError
Payload
{
  "name": "ServerError",
  "code": "ERR_SERVER"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/server-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.

Pub CdcActions.incident.redirect

Incident redirection channel

Redirect Incident

Redirects an incident to a different group.

Preconditions

  1. The incident must already exist in CDC DB
  2. The incident must not be in "closed" status
  3. The incident must not already be in a redirection process

Effects

  1. Incident status will be changed to "pending" and the incident will await acceptance or rejection by the target group
  2. An "IncidentRedirectionInitiated" event will be published.
  3. An incident redirection reply will be sent.

Accepts the following message:

Redirect Incident Command RedirectIncidentCommand

Redirects an incident to another group

This message is a command message that will result in incident redirection

Payload
object
incidentId
required
string

The unique Incident ID as defined by CDC

targetGroup
required
string

The group to which the incident is being redirected

reason
required
string

The reason why this incident is being redirected

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

X-Initiated-By
required
string

The user id of the user who initiated this action, as defined in CDC

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in mime-type like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always only dash-separated and in lowercase. The schema part is separated from version by semicolon symbol ";"

Usually only major part of version is important, so in most cases the version will be integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot separated identifiers immediately following the major version.

Const: "action/redirect-incident-command; version=1;"

Examples

RedirectIncidentCommand
Payload
{
  "incidentId": "5a92dbb61487fe0007fa4fd5",
  "targetGroup": "L2",
  "reason": "Automatic escalation by SEEMO"
}
This example has been generated automatically.
Headers
{
  "message_id": "4176e52e-b7d6-4aab-a38b-6b43a8d43ed1",
  "X-Initiated-By": "d4599677-be17-4a61-b6d8-72899c771f75",
  "reply_to": "stackstorm-replies:create-alert-replies",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d",
  "X-Message-Schema": "action/redirect-incident-command; version=1;"
}
This example has been generated automatically.
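Both CloseIncidentCommand and RedirectIncidentCommand above state preconditions on the incident's current state, and violating them costs a round trip that ends in a ConflictError or ValidationError reply. The following added example (not CDC's own code) evaluates those preconditions against incident state the client already holds, such as the status, group and pendingForGroup fields of an UpdateIncidentDetailsReply, and validates the close payload against the documented reason list and the shouldTerminatePlaybooks default. Treating a status of "pending" or a set pendingForGroup as "already in a redirection process", and refusing to redirect an incident to the group it is already assigned to, are this example's own assumptions; the function names are also its own.

```python
"""Client-side checks for CloseIncidentCommand and RedirectIncidentCommand.

Added example, not CDC's own code. It evaluates the preconditions documented
for both commands against incident state the client already holds (the
status, group and pendingForGroup fields of an UpdateIncidentDetailsReply)
and validates the close payload. Assumptions: status "pending" or a set
pendingForGroup means the incident is already in a redirection process, and
redirecting to the current group is refused.
"""
from __future__ import annotations

DEFAULT_CLOSE_REASONS = frozenset({
    "Benign Positive",
    "True Positive",
    "False Positive - Incorrect alert logic",
    "False Positive - Inaccurate data",
    "Undetermined",
})


def close_preconditions(incident: dict) -> list[str]:
    """Return the documented close preconditions the incident violates (empty if none)."""
    problems: list[str] = []
    if incident.get("status") == "closed":
        problems.append('incident is already in "closed" status')
    return problems


def redirect_preconditions(incident: dict, target_group: str) -> list[str]:
    """Return the documented redirect preconditions the incident violates (empty if none)."""
    problems = close_preconditions(incident)
    if incident.get("status") == "pending" or incident.get("pendingForGroup"):
        problems.append("incident is already in a redirection process")
    if incident.get("group") == target_group:  # assumption, see module docstring
        problems.append(f"incident is already assigned to {target_group}")
    return problems


def build_close_payload(
    incident_id: str,
    text: str,
    *,
    reason: str | None = None,
    should_terminate_playbooks: bool = False,   # documented default
    group: str | None = None,
    custom_reasons: tuple[str, ...] = (),       # reasons defined in CDC metamodels, if any
) -> dict:
    """Return a CloseIncidentCommand payload or raise ValueError on documented violations."""
    if not incident_id:
        raise ValueError("incidentId is required")
    if not text or not text.strip():
        raise ValueError("text (closure summary) is required")
    if reason is not None and reason not in DEFAULT_CLOSE_REASONS and reason not in custom_reasons:
        raise ValueError(f"reason {reason!r} is neither a default nor a defined custom closure reason")
    payload = {
        "incidentId": incident_id,
        "text": text,
        # Sent explicitly: with False, CDC cancels the close while playbooks are still running.
        "shouldTerminatePlaybooks": should_terminate_playbooks,
    }
    if reason is not None:
        payload["reason"] = reason
    if group is not None:
        payload["group"] = group
    return payload


if __name__ == "__main__":
    # Constructed incident state in the shape of an UpdateIncidentDetailsReply payload.
    incident = {"status": "pending", "group": "L1", "pendingForGroup": "L2"}
    print(redirect_preconditions(incident, "L3"))
    print(build_close_payload("5a92dbb61487fe0007fa4fd5", "Confirmed ransomware on Windows 7 hosts",
                              reason="True Positive", should_terminate_playbooks=True, group="L2"))
```

These checks only reduce avoidable failures; the authoritative decision is still CDC's, and because incidents are modified concurrently, a command that passed the local check can still come back with a ConflictError and must be re-evaluated against fresh state before being retried.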

Sub CdcActions.replies.incident.redirect

Incident redirection reply channel

Redirect Incident Reply

Accepts one of the following messages:

#1 Redirect Incident Reply RedirectIncidentReply

The reply returned after the incident has been redirected to another group

replies
  • The message payload is empty
  • This message is the reply for a successful redirection of an incident to another group
Payload
object

Additional properties are allowed.

Headers
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in mime-type like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always only dash-separated and in lowercase. The schema part is separated from version by semicolon symbol ";"

Usually only major part of version is important, so in most cases the version will be integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot separated identifiers immediately following the major version.

Const: "reply/incident-redirect-reply; version=1;"
#2 Validation Error Message ValidationError

The reply returned if any of the input data is not valid.

errors
Payload
object
name
required
string

ValidationError

code
required
string

ERR_INVALID_INPUT

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in mime-type like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always only dash-separated and in lowercase. The schema part is separated from version by semicolon symbol ";"

Usually only major part of version is important, so in most cases the version will be integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot separated identifiers immediately following the major version.

Const: "error/validation-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#3 Conflict Error Message ConflictError

The reply returned if a concurrency conflict occurred during operation execution

errors
Payload
object
name
required
string

ConflictError

code
required
string

ERR_CONFLICT

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in mime-type like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always only dash-separated and in lowercase. The schema part is separated from version by semicolon symbol ";"

Usually only major part of version is important, so in most cases the version will be integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot separated identifiers immediately following the major version.

Const: "error/conflict-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#4 Not Found Message NotFoundError

The reply returned if a referenced entity does not exist.

errors
Payload
object
name
required
string

NotFoundError

code
required
string

ERR_NOT_FOUND

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in mime-type like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always only dash-separated and in lowercase. The schema part is separated from version by semicolon symbol ";"

Usually only major part of version is important, so in most cases the version will be integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot separated identifiers immediately following the major version.

Const: "error/not-found-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#5 Server Error Message ServerError

The reply returned if an unexpected error occurred during action execution.

errors

Notes:

  • The error message is hidden due to security concerns
Payload
object
name
required
string

ServerError

code
required
string

ERR_SERVER

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in mime-type like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always only dash-separated and in lowercase. The schema part is separated from version by semicolon symbol ";"

Usually only major part of version is important, so in most cases the version will be integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot separated identifiers immediately following the major version.

Const: "error/server-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

Examples

RedirectIncidentReply
Payload
{}
This example has been generated automatically.
Headers
{
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d",
  "X-Message-Schema": "reply/incident-redirect-reply; version=1;"
}
This example has been generated automatically.
ValidationError
Payload
{
  "name": "ValidationError",
  "code": "ERR_INVALID_INPUT",
  "message": "The property {propertyName} is required."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/validation-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ConflictError
Payload
{
  "name": "ConflictError",
  "code": "ERR_CONFLICT",
  "message": "This {entityName} was already changed."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/conflict-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
NotFoundError
Payload
{
  "name": "NotFoundError",
  "code": "ERR_NOT_FOUND",
  "message": "The {entityName} is not exist."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/not-found-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ServerError
Payload
{
  "name": "ServerError",
  "code": "ERR_SERVER"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/server-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.

Pub CdcActions.incident.externalid.link

Incident external ID linking channel

Link External ID

Links an incident to an external ID

Preconditions

  1. The incident must already exist in the CDC DB

Effects

  1. If the incident is not linked to the external ID, it will be linked.
  2. If the incident is already linked to this external ID, no change will take place.
  3. An incident external ID link reply will be sent.

Accepts the following message:

Link Incident External ID Command LinkIncidentExternalIdCommand

Links an incident to an external ID

Payload
object
incidentId
required
string

The unique Incident ID as defined by CDC

externalId
required
object

The external ID that will be linked to the incident

system
required
string

The name of the external system

id
required
string

The entity's identifier in the external system

Additional properties are allowed.

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

X-Initiated-By
required
string

The user id of the user who initiated this action, as defined in CDC

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated (no other separators). The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "action/link-incident-external-id-command; version=1;"
incidents

Examples

LinkIncidentExternalIdCommand
Payload
{
  "incidentId": "5a92dbb61487fe0007fa4fd5",
  "externalId": {
    "system": "SILVA",
    "id": "AAZ-93485"
  }
}
This example has been generated automatically.
Headers
{
  "message_id": "4176e52e-b7d6-4aab-a38b-6b43a8d43ed1",
  "X-Initiated-By": "d4599677-be17-4a61-b6d8-72899c771f75",
  "reply_to": "stackstorm-replies:create-alert-replies\n",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d",
  "X-Message-Schema": "action/link-incident-external-id-command; version=1;"
}
This example has been generated automatically.

Sub CdcActions.replies.incident.externalid.link

Incident external ID linking reply channel

Link External ID Reply

Accepts one of the following messages:

#1 Link Incident External ID Reply LinkIncidentExternalIdReply

The reply returned after linking an external ID to the incident

replies

This message is the reply to linking an external ID to the incident.

Payload
object
id
required
string

A unique, machine-oriented ID identifying this incident

key
required
string

A unique, human-oriented key identifying this incident

name
required
string

The name of the incident

description
required
string

The incident description

created
required
string
date-time

The time when the incident was created, in UTC

updated
required
string
date-time

The time when the incident was last updated, in UTC

type
required
string

Incident type

status
required
string

Incident status

Enum: "open" "pending" "closed"
priority
required
string

The incident priority must be one of the priorities defined in CDC.

group
required
string

The group to which this incident is currently assigned

externalIds
required
array<object>

Array of external identifiers of the entity.

system
string

The name of the external system

id
string

The entity's identifier in the external system

Additional items are allowed.

tags
required
array<string>
Unique

Array of tags. A tag's name may contain only letters, digits and the characters "-", "_", ".", "#" and "@".

Tags are case-preserving on insertion: if the tag does not already exist with a different casing, it is saved with the casing specified. When used as query filters, tags are treated as case-insensitive.

Items:

0
string
must match ^\S*$

Additional items are allowed.

company
string

Name of the company / division to which this incident or alert belongs.

Not to be confused with the "organization" field, which was used to distinguish between tenants and is deprecated.

Note that most customers don't use the "company" feature. The value must be one of the companies defined in the CDC database.

pendingForGroup
string

If this incident was redirected to a different group, this contains the name of the target group.

redirectionReason
string

If this incident was redirected to a different group, this contains the user comment provided with the redirection request.

endSlaDate
string
date-time

Service level agreement end date

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated (no other separators). The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "reply/incident-link-external-id-reply; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#2 Incident Not Found Message IncidentNotFoundError

The reply returned if no incident with the specified identifier exists

errors
Payload
object
name
required
string

IncidentNotFoundError

code
required
string

ERR_NOT_FOUND

message
required
string

The incident ${incidentId} is not exist.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated (no other separators). The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/not-found-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#3 Validation Error Message ValidationError

The reply returned if any of the input data is invalid.

errors
Payload
object
name
required
string

ValidationError

code
required
string

ERR_INVALID_INPUT

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated (no other separators). The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/validation-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#4 Not Found Message NotFoundError

The reply returned if a referenced entity does not exist.

errors
Payload
object
name
required
string

NotFoundError

code
required
string

ERR_NOT_FOUND

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated (no other separators). The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/not-found-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#5 Server Error Message ServerError

The reply returned if an unexpected error occurred during action execution.

errors

Notes:

  • The error message is hidden due to security concerns
Payload
object
name
required
string

ServerError

code
required
string

ERR_SERVER

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated (no other separators). The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/server-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

incidents

Examples

LinkIncidentExternalIdReply
Payload
{
  "id": "string",
  "key": "CDC-20191208-00046",
  "name": "Web Proxy - Execution file download",
  "description": "Customer Name - ACME Inc\nAlert Name - Web Proxy - Execution file download\nSource Address - 172.23.2.13\nSource Host Name - laptop2057.bdo.co.il\nSource Zone Name - Haifa - Users\nSource User Name - EshelS\nDestination Address - 52.174.64.84\nDestination Host Name - download.teamviewer.com\nDestination Zone Name - E.I. duPont de Nemours and Co. Inc.\nDestination Geo Country Name - Netherlands\nProtocol/Version - HTTP/1.1\nURL Categories - Remote Access, Web Meetings\nPolicy - Default\nReputation - Minimal Risk\nRequest URL - http://download.teamviewer.com/download/version_11x/TeamViewerQS.exe\nRequest Protocol - http\nRequest Method - GET\nRequest Client Application - Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\nDevice Address - 80.74.110.141\nDevice Host Name - MWG-A\nDevice Zone Name - DMZ1\nDevice Vendor - McAfee\nDevice Product - Web Gateway\nCategory Outcome - /Failure\n",
  "created": "2019-08-24T14:15:22Z",
  "updated": "2019-08-24T14:15:22Z",
  "type": "DDOS",
  "status": "open",
  "priority": "Medium",
  "group": "L1",
  "externalIds": [
    {
      "system": "SILVA",
      "id": "AAZ-93485"
    }
  ],
  "tags": [
    "Cloud-Computing",
    "Virus",
    "Phishing"
  ],
  "company": "CompanyName",
  "pendingForGroup": "string",
  "redirectionReason": "string",
  "endSlaDate": "2019-08-23T14:15:22.000Z"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "reply/incident-link-external-id-reply; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
IncidentNotFoundError
Payload
{
  "name": "IncidentNotFoundError",
  "code": "ERR_NOT_FOUND",
  "message": "The incident ${incidentId} is not exist."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/not-found-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ValidationError
Payload
{
  "name": "ValidationError",
  "code": "ERR_INVALID_INPUT",
  "message": "The property {propertyName} is required."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/validation-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
NotFoundError
Payload
{
  "name": "NotFoundError",
  "code": "ERR_NOT_FOUND",
  "message": "The {entityName} is not exist."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/not-found-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ServerError
Payload
{
  "name": "ServerError",
  "code": "ERR_SERVER"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/server-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
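The command/reply exchange on the two channels above, as an added example in Python (not part of the CDC API or its documentation): it builds a LinkIncidentExternalIdCommand with the headers listed above, parses the X-Message-Schema and reply_to header formats, and matches the replies arriving on CdcActions.replies.incident.externalid.link back to the command by correlation_id, routing success and error replies by the schema's event type. Payload and header values are taken from the examples above; the ReplyCorrelator class and the tuples it returns are this example's own design.

```python
import json
import re
import uuid
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# X-Message-Schema format from the spec: {event-type}/{schema-name}; version={version}({-stage});
# lowercase dash-separated schema name, integer version, optional "-" plus dot-separated pre-release stage.
SCHEMA_RE = re.compile(
    r"^(?P<event_type>[a-z]+)/(?P<schema>[a-z0-9]+(?:-[a-z0-9]+)*);\s*"
    r"version=(?P<major>\d+)(?:-(?P<stage>[0-9A-Za-z]+(?:\.[0-9A-Za-z]+)*))?;$"
)
LINK_COMMAND_SCHEMA = "action/link-incident-external-id-command; version=1;"

@dataclass(frozen=True)
class MessageSchema:
    event_type: str        # "action", "reply" or "error"
    schema: str            # e.g. "link-incident-external-id-command"
    major: int
    stage: Optional[str]   # pre-release stage, or None for a released schema

def parse_message_schema(header: str) -> MessageSchema:
    """Parse an X-Message-Schema header; reject anything outside the spec's format."""
    m = SCHEMA_RE.match(header.strip())
    if not m:
        raise ValueError(f"malformed X-Message-Schema header: {header!r}")
    return MessageSchema(m["event_type"], m["schema"], int(m["major"]), m["stage"])

def parse_reply_to(value: str) -> Tuple[str, str]:
    """Split <exchangeName>:<routingKey>; surrounding whitespace (e.g. a stray trailing newline) is dropped."""
    exchange, sep, routing_key = value.strip().partition(":")
    if not sep or not exchange or not routing_key:
        raise ValueError(f"malformed reply_to header: {value!r}")
    return exchange, routing_key

def build_link_command(incident_id: str, system: str, external_id: str, initiated_by: str,
                       reply_to: Optional[str] = None, correlation_id: Optional[str] = None) -> Tuple[dict, bytes]:
    """Build headers and JSON body for a LinkIncidentExternalIdCommand, checking required fields first."""
    for name, value in (("incidentId", incident_id), ("system", system), ("id", external_id)):
        if not isinstance(value, str) or not value:
            raise ValueError(f"The property {name} is required.")
    headers = {
        "message_id": str(uuid.uuid4()),                        # new per operation; CDC dedups reruns on it
        "X-Initiated-By": initiated_by,
        "correlation_id": correlation_id or str(uuid.uuid4()),  # optional in the spec, but needed to match the reply
        "X-Message-Schema": LINK_COMMAND_SCHEMA,
    }
    if reply_to is not None:
        parse_reply_to(reply_to)  # fail fast on a malformed address instead of silently never getting a reply
        headers["reply_to"] = reply_to
    body = json.dumps({"incidentId": incident_id, "externalId": {"system": system, "id": external_id}}).encode()
    return headers, body

class ReplyCorrelator:
    """Matches messages on the reply channel to outstanding commands and routes them by schema."""

    def __init__(self) -> None:
        self._pending: Dict[str, dict] = {}

    def register(self, command_headers: dict) -> None:
        self._pending[command_headers["correlation_id"]] = command_headers

    def handle(self, headers: dict, body: bytes) -> tuple:
        cid = headers.get("correlation_id")
        if cid not in self._pending:
            return ("unmatched", cid)            # unsolicited or repeated reply: log it, never act on it
        schema = parse_message_schema(headers["X-Message-Schema"])
        if schema.major != 1:
            return ("unsupported-version", schema.major)
        self._pending.pop(cid)                   # one reply per command; later copies become "unmatched"
        payload = json.loads(body)
        if schema.event_type == "reply":
            return ("linked", payload["externalIds"])
        if schema.event_type == "error":
            # ServerError carries no message (hidden for security reasons), so .get() is deliberate
            return ("error", payload["code"], payload.get("message"))
        return ("unexpected", schema.event_type)

def demo() -> dict:
    """Constructed exchange: one command, then each kind of reply CDC may send for it."""
    cid = "278940cd-cde8-40ed-adb2-caafd89bcb5d"
    correlator = ReplyCorrelator()
    headers, _ = build_link_command("5a92dbb61487fe0007fa4fd5", "SILVA", "AAZ-93485",
                                    initiated_by="d4599677-be17-4a61-b6d8-72899c771f75",
                                    reply_to="stackstorm-replies:create-alert-replies", correlation_id=cid)
    def reply(schema: str, payload: dict) -> tuple:
        return correlator.handle({"X-Message-Schema": schema, "correlation_id": cid}, json.dumps(payload).encode())
    out = {}
    correlator.register(headers)
    out["linked"] = reply("reply/incident-link-external-id-reply; version=1;",   # trimmed to the fields read here
                          {"id": "5a92dbb61487fe0007fa4fd5", "externalIds": [{"system": "SILVA", "id": "AAZ-93485"}]})
    out["duplicate"] = reply("reply/incident-link-external-id-reply; version=1;", {})
    correlator.register(headers)
    out["not_found"] = reply("error/not-found-error; version=1;", {"name": "IncidentNotFoundError",
                             "code": "ERR_NOT_FOUND", "message": "The incident ${incidentId} is not exist."})
    correlator.register(headers)
    out["server_error"] = reply("error/server-error; version=1;", {"name": "ServerError", "code": "ERR_SERVER"})
    return out
```

The header examples above show reply_to ending in a literal "\n"; parse_reply_to tolerates that, but a producer should send exactly <exchangeName>:<routingKey>.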

Pub CdcActions.incident.externalid.unlink

Incident external ID unlinking channel

Unlink External ID

Unlinks an external ID from the incident

Preconditions

  1. The incident must already exist in the CDC DB

Effects

  1. If the incident is linked to the external ID, it will be unlinked.
  2. If the incident is not linked to this external ID, no change will take place.
  3. An incident unlink external ID reply will be sent.

Accepts the following message:

Unlink Incident External ID Command UnlinkIncidentExternalIdCommand

Unlinks an incident from an external ID

Payload
object
incidentId
required
string

The unique Incident ID as defined by CDC

externalId
required
object

The external ID that will be unlinked from the incident

system
required
string

The name of the external system

id
required
string

The entity's identifier in the external system

Additional properties are allowed.

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

X-Initiated-By
required
string

The user id of the user who initiated this action, as defined in CDC

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated (no other separators). The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "action/unlink-incident-external-id-command; version=1;"
incidents

Examples

UnlinkIncidentExternalIdCommand
Payload
{
  "incidentId": "5a92dbb61487fe0007fa4fd5",
  "externalId": {
    "system": "SILVA",
    "id": "AAZ-93485"
  }
}
This example has been generated automatically.
Headers
{
  "message_id": "4176e52e-b7d6-4aab-a38b-6b43a8d43ed1",
  "X-Initiated-By": "d4599677-be17-4a61-b6d8-72899c771f75",
  "reply_to": "stackstorm-replies:create-alert-replies\n",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d",
  "X-Message-Schema": "action/unlink-incident-external-id-command; version=1;"
}
This example has been generated automatically.

Sub CdcActions.replies.incident.externalid.unlink

Incident external ID unlinking reply channel

Unlink External ID Reply

Accepts one of the following messages:

#1 Unlink Incident External ID Reply UnlinkIncidentExternalIdReply

The reply returned after unlinking an external ID from the incident

replies

This message is the reply to unlinking an external ID from the incident.

Payload
object
id
required
string

A unique, machine-oriented ID identifying this incident

key
required
string

A unique, human-oriented key identifying this incident

name
required
string

The name of the incident

description
required
string

The incident description

created
required
string
date-time

The time when the incident was created, in UTC

updated
required
string
date-time

The time when the incident was last updated, in UTC

type
required
string

Incident type

status
required
string

Incident status

Enum: "open" "pending" "closed"
priority
required
string

The incident priority must be one of the priorities defined in CDC.

group
required
string

The group to which this incident is currently assigned

externalIds
required
array<object>

Array of external identifiers of the entity.

system
string

The name of the external system

id
string

The entity's identifier in the external system

Additional items are allowed.

tags
required
array<string>
Unique

Array of tags. A tag's name may contain only letters, digits and the characters "-", "_", ".", "#" and "@".

Tags are case-preserving on insertion: if the tag does not already exist with a different casing, it is saved with the casing specified. When used as query filters, tags are treated as case-insensitive.

Items:

0
string
must match ^\S*$

Additional items are allowed.

company
string

Name of the company / division to which this incident or alert belongs.

Not to be confused with the "organization" field, which was used to distinguish between tenants and is deprecated.

Note that most customers don't use the "company" feature. The value must be one of the companies defined in the CDC database.

pendingForGroup
string

If this incident was redirected to a different group, this contains the name of the target group.

redirectionReason
string

If this incident was redirected to a different group, this contains the user comment provided with the redirection request.

endSlaDate
string
date-time

Service level agreement end date

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated (no other separators). The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "reply/incident-unlink-external-id-reply; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#2 Incident Not Found Message IncidentNotFoundError

The reply returned if no incident with the specified identifier exists

errors
Payload
object
name
required
string

IncidentNotFoundError

code
required
string

ERR_NOT_FOUND

message
required
string

The incident ${incidentId} is not exist.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated (no other separators). The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/not-found-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#3 Validation Error Message ValidationError

The reply returned if any of the input data is invalid.

errors
Payload
object
name
required
string

ValidationError

code
required
string

ERR_INVALID_INPUT

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated (no other separators). The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/validation-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#4 Not Found Message NotFoundError

The reply returned if a referenced entity does not exist.

errors
Payload
object
name
required
string

NotFoundError

code
required
string

ERR_NOT_FOUND

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated (no other separators). The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/not-found-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#5 Server Error Message ServerError

The reply returned if an unexpected error occurred during action execution.

errors

Notes:

  • The error message is hidden due to security concerns
Payload
object
name
required
string

ServerError

code
required
string

ERR_SERVER

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated (no other separators). The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/server-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

incidents

Examples

UnlinkIncidentExternalIdReply
Payload
{
  "id": "string",
  "key": "CDC-20191208-00046",
  "name": "Web Proxy - Execution file download",
  "description": "Customer Name - ACME Inc\nAlert Name - Web Proxy - Execution file download\nSource Address - 172.23.2.13\nSource Host Name - laptop2057.bdo.co.il\nSource Zone Name - Haifa - Users\nSource User Name - EshelS\nDestination Address - 52.174.64.84\nDestination Host Name - download.teamviewer.com\nDestination Zone Name - E.I. duPont de Nemours and Co. Inc.\nDestination Geo Country Name - Netherlands\nProtocol/Version - HTTP/1.1\nURL Categories - Remote Access, Web Meetings\nPolicy - Default\nReputation - Minimal Risk\nRequest URL - http://download.teamviewer.com/download/version_11x/TeamViewerQS.exe\nRequest Protocol - http\nRequest Method - GET\nRequest Client Application - Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\nDevice Address - 80.74.110.141\nDevice Host Name - MWG-A\nDevice Zone Name - DMZ1\nDevice Vendor - McAfee\nDevice Product - Web Gateway\nCategory Outcome - /Failure\n",
  "created": "2019-08-24T14:15:22Z",
  "updated": "2019-08-24T14:15:22Z",
  "type": "DDOS",
  "status": "open",
  "priority": "Medium",
  "group": "L1",
  "externalIds": [
    {
      "system": "SILVA",
      "id": "AAZ-93485"
    }
  ],
  "tags": [
    "Cloud-Computing",
    "Virus",
    "Phishing"
  ],
  "company": "CompanyName",
  "pendingForGroup": "string",
  "redirectionReason": "string",
  "endSlaDate": "2019-08-23T14:15:22.000Z"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "reply/incident-unlink-external-id-reply; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
IncidentNotFoundError
Payload
{
  "name": "IncidentNotFoundError",
  "code": "ERR_NOT_FOUND",
  "message": "The incident ${incidentId} is not exist."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/not-found-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ValidationError
Payload
{
  "name": "ValidationError",
  "code": "ERR_INVALID_INPUT",
  "message": "The property {propertyName} is required."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/validation-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
NotFoundError
Payload
{
  "name": "NotFoundError",
  "code": "ERR_NOT_FOUND",
  "message": "The {entityName} is not exist."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/not-found-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ServerError
Payload
{
  "name": "ServerError",
  "code": "ERR_SERVER"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/server-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.

Pub CdcActions.incident.evidence.add

Incident add evidence channel

Add evidence to Incident

Adds evidence to an incident.

Effects

Accepts the following message:

Add Evidence To Incident Command AddEvidenceToIncidentCommand

Adds evidence to incident

This message is a command message that adds evidence to an incident

Payload
object

Validations:

  • In case of creating text evidence, the following fields should be provided: caption, description
  • In case of creating evidence from the message, the following fields should be provided: caption, messageId or externalId
  • In case of creating evidence for another custom type, the following fields should be provided: type, data
incidentId
required
string

The unique Incident ID as defined by CDC

type
string

The type of evidence

Enum: "TEXT" "ALERT_OWNER_ASSIGNED" "ALERT_OWNER_REMOVED" "ALERT_STATUS_CHANGED" "ALERT_ATTACHED_TO_INCIDENT" "ALERT_AUTOMATION_JOB_ENDED" "ALERT_AUTOMATION_JOB_STARTED" "ALERT_CLOSED" "ALERT_DETACHED_FROM_INCIDENT" "ALERT_DETECTED" "ALERT_RESOLVED" "ALERT_INCIDENT_CREATED" "ALERT_PLAYBOOK_STEP_COMPLETED" "ALERT_REOPENED" "ALERT_ATTACHED_TO_INCIDENT_BY_GROUPING_RULE" "MITRE_ATTACK_ADDED" "MITRE_ATTACK_REMOVED" "INCIDENT_ALERT_ADDED" "INCIDENT_ALERT_REMOVED" "INCIDENT_CREATED" "INCIDENT_CLOSED" "INCIDENT_REOPENED" "INCIDENT_STATUS_CHANGED" "INCIDENT_COMPANY_CHANGED" "INCIDENT_SEVERITY_CHANGED" "INCIDENT_PRIORITY_CHANGED" "INCIDENT_TYPE_CHANGED" "INCIDENT_OWNER_CHANGED" "INCIDENT_ESCALATED" "INCIDENT_ESCALATION_REVOKED" "INCIDENT_ESCALATION_ACCEPTED" "INCIDENT_ESCALATION_REMINDER_SENT" "PLAYBOOK_ADDED" "PLAYBOOK_STEP_COMPLETED" "PLAYBOOK_USER_INPUT_REQUIRED" "PLAYBOOK_EVIDENCES_PROVIDED" "PLAYBOOK_TERMINATED"
data
oneOf
0
object
alertId
string

The unique Alert ID as defined by CDC

alertName
string

The name of the alert

incidentId
string

The unique Incident ID as defined by CDC

incidentName
string

The name of the incident

ruleTitle
string

The title of the grouping rule by which the alert was attached to the incident

groupingRules
array<object>
matchValue
array<string>

Items:

0
string

Values to match against the alert field

Additional items are allowed.

fieldName
required
string

Name of the alert field evaluated by the grouping mechanism

operator
required
string

Operator used to compare fieldName with matchValue

Enum: "allOf" "oneOf" "equal"

Additional items are allowed.

Additional properties are allowed.

reported
required
string
date-time

The time when this evidence was reported

caption
string

The caption of the evidence

messageId
string

The ID of the message this evidence was created from.

description
string

The description of this evidence

externalId
string

The identifier of the evidence, as it appears in external systems, mostly used to achieve idempotence

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

X-Initiated-By
required
string

The user id of the user who initiated this action, as defined in CDC

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated (no other separators). The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "action/add-evidence-to-incident-command; version=1;"
incidents evidence

Examples

AddEvidenceToIncidentCommand
Payload
{
  "incidentId": "5a92dbb61487fe0007fa4fd5",
  "type": "MITRE_ATTACK_ADDED",
  "data": {
    "alertId": "603cde4464522f260aacf14a",
    "alertName": "Windows - Multiple failed logins same user same host",
    "incidentId": "5a92dbb61487fe0007fa4fd5",
    "incidentName": "Windows - Multiple failed logins same user same host",
    "ruleTitle": "Phishing",
    "groupingRules": [
      {
        "matchValue": [
          "mailware"
        ],
        "fieldName": "classification",
        "operator": "oneOf"
      }
    ]
  },
  "reported": "2019-08-24T14:15:22Z",
  "caption": "Severity changed",
  "messageId": "string",
  "description": "System Admin has changed severity from Low to Medium",
  "externalId": "345ffe9a"
}
This example has been generated automatically.
Headers
{
  "message_id": "4176e52e-b7d6-4aab-a38b-6b43a8d43ed1",
  "X-Initiated-By": "d4599677-be17-4a61-b6d8-72899c771f75",
  "reply_to": "stackstorm-replies:create-alert-replies\n",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d",
  "X-Message-Schema": "action/add-evidence-to-incident-command; version=1;"
}
This example has been generated automatically.
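The three validation rules and the deduplication and idempotence headers described above, as an added example in Python (not part of the CDC API or its documentation): classify_evidence enforces which fields each kind of evidence must carry and raises errors in the ValidationError reply's message format, and EvidenceHandler shows the consumer side, resending the stored reply for a repeated message_id and returning the existing evidence when the same externalId is added again. The evidence type list is a subset of the enum above, and treating a missing type as TEXT, the constructed evidence ids and the trimmed reply fields are this example's own assumptions.

```python
import json
from datetime import datetime, timezone
from typing import Dict, Tuple

# Subset of the command's evidence type enum (assumption: only the values used here are listed,
# extend from the spec). Text evidence and evidence created from a message both use type "TEXT".
EVIDENCE_TYPES = {"TEXT", "ALERT_ATTACHED_TO_INCIDENT_BY_GROUPING_RULE", "MITRE_ATTACK_ADDED",
                  "INCIDENT_SEVERITY_CHANGED", "PLAYBOOK_STEP_COMPLETED"}
REPLY_SCHEMA = "reply/incident-evidence-add-reply; version=1;"
VALIDATION_ERROR_SCHEMA = "error/validation-error; version=1;"

class ValidationError(ValueError):
    """Maps onto the ValidationError reply message (code ERR_INVALID_INPUT)."""
    code = "ERR_INVALID_INPUT"

def _require(payload: dict, name: str) -> None:
    if not payload.get(name):
        raise ValidationError(f"The property {name} is required.")

def classify_evidence(payload: dict) -> str:
    """Apply the command's three validation rules; return "text", "message" or "custom"."""
    # Assumption: a command without "type" is treated as TEXT, since the reply schema
    # marks both text and message evidence with type="TEXT".
    _require(payload, "incidentId")
    _require(payload, "reported")
    try:
        datetime.fromisoformat(str(payload["reported"]).replace("Z", "+00:00"))
    except ValueError:
        raise ValidationError("The property reported must be a date-time.") from None
    etype = payload.get("type", "TEXT")
    if etype not in EVIDENCE_TYPES:
        raise ValidationError(f"The property type has an unknown value {etype!r}.")
    if etype != "TEXT":
        _require(payload, "data")                 # custom type: type + data
        return "custom"
    _require(payload, "caption")                  # both TEXT variants need a caption
    if payload.get("description"):
        return "text"                             # caption + description
    if payload.get("messageId") or payload.get("externalId"):
        return "message"                          # caption + messageId or externalId
    raise ValidationError("One of the properties description, messageId or externalId is required.")

class EvidenceHandler:
    """Consumer side: reruns are deduplicated by message_id and externalId makes additions idempotent."""
    def __init__(self) -> None:
        self._replies: Dict[str, Tuple[dict, bytes]] = {}    # message_id -> reply already sent
        self._by_external: Dict[Tuple[str, str], str] = {}   # (incidentId, externalId) -> evidence id
        self.evidence: Dict[str, dict] = {}

    def handle(self, headers: dict, body: bytes) -> Tuple[dict, bytes]:
        msg_id = headers["message_id"]
        if msg_id in self._replies:
            return self._replies[msg_id]   # rerun of the same operation: resend the reply, change nothing
        cid = headers.get("correlation_id", msg_id)  # assumption: fall back to message_id if none was sent
        try:
            payload = json.loads(body)
            record = self._store(payload, classify_evidence(payload))
            reply = ({"X-Message-Schema": REPLY_SCHEMA, "correlation_id": cid}, json.dumps(record).encode())
        except ValidationError as exc:
            error = {"name": "ValidationError", "code": exc.code, "message": str(exc)}
            reply = ({"X-Message-Schema": VALIDATION_ERROR_SCHEMA, "correlation_id": cid}, json.dumps(error).encode())
        self._replies[msg_id] = reply
        return reply

    def _store(self, payload: dict, kind: str) -> dict:
        """Create the evidence, or return the existing record when this externalId was seen before."""
        key = (payload["incidentId"], payload.get("externalId"))
        if key[1] and key in self._by_external:
            return self.evidence[self._by_external[key]]
        ev_id = f"ev-{len(self.evidence) + 1:04d}"         # constructed id; CDC assigns its own
        record = {                                         # trimmed to the reply fields this example needs
            "id": ev_id, "type": payload.get("type", "TEXT"), "caption": payload.get("caption"),
            "description": payload.get("description"), "reported": payload["reported"],
            "created": datetime.now(timezone.utc).isoformat(), "externalId": payload.get("externalId"),
            "kind": kind,                                  # not a spec field; shows which rule matched
        }
        self.evidence[ev_id] = record
        if key[1]:
            self._by_external[key] = ev_id
        return record

def demo() -> dict:
    """Constructed run: a text evidence command, its rerun, a repeat with the same externalId, an invalid one."""
    h = EvidenceHandler()
    def send(msg_id: str, payload: dict) -> Tuple[str, dict]:
        headers = {"message_id": msg_id, "X-Initiated-By": "d4599677-be17-4a61-b6d8-72899c771f75",
                   "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d",
                   "X-Message-Schema": "action/add-evidence-to-incident-command; version=1;"}
        reply_headers, reply_body = h.handle(headers, json.dumps(payload).encode())
        return reply_headers["X-Message-Schema"], json.loads(reply_body)
    text = {"incidentId": "5a92dbb61487fe0007fa4fd5", "reported": "2019-08-24T14:15:22Z",
            "caption": "Severity changed", "description": "System Admin has changed severity from Low to Medium",
            "externalId": "345ffe9a"}
    first = send("m-1", text)
    return {
        "first": first,
        "rerun": send("m-1", text),                  # same message_id: identical reply, nothing stored twice
        "same_external_id": send("m-2", text),       # new message_id, same externalId: same evidence record
        "invalid": send("m-3", {**text, "description": "", "externalId": None}),  # caption alone is not enough
        "stored": len(h.evidence),
    }
```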

Sub CdcActions.replies.incident.evidence.add

Adding evidence to Incident reply channel

Add evidence to Incident Reply

Accepts one of the following messages:

#1 Add Evidence To Incident Reply AddEvidenceToIncidentReply

The reply returned after evidence has been added to the incident

replies

This message is the reply to an add-evidence-to-incident command.

Payload
object

Validations:

  • In case of creating text evidence, the following fields should be provided: caption, description (type="TEXT")
  • In case of creating evidence from the message, the following fields should be provided: caption, messageId or externalId (type="TEXT")
  • In case of creating evidence for another custom type, the following fields should be provided: type, data
id
required
string

A unique, machine-oriented ID identifying this evidence.

caption
string

The caption of the evidence

name
deprecated
string

The name property is deprecated and kept for backwards compatibility; use the caption property instead.

description
string

The evidence description. Note that this field may contain HTML tags.

type
required
string

The type of evidence

Enum: "TEXT" "ALERT_OWNER_ASSIGNED" "ALERT_OWNER_REMOVED" "ALERT_STATUS_CHANGED" "ALERT_ATTACHED_TO_INCIDENT" "ALERT_AUTOMATION_JOB_ENDED" "ALERT_AUTOMATION_JOB_STARTED" "ALERT_CLOSED" "ALERT_DETACHED_FROM_INCIDENT" "ALERT_DETECTED" "ALERT_RESOLVED" "ALERT_INCIDENT_CREATED" "ALERT_PLAYBOOK_STEP_COMPLETED" "ALERT_REOPENED" "ALERT_ATTACHED_TO_INCIDENT_BY_GROUPING_RULE" "MITRE_ATTACK_ADDED" "MITRE_ATTACK_REMOVED" "INCIDENT_ALERT_ADDED" "INCIDENT_ALERT_REMOVED" "INCIDENT_CREATED" "INCIDENT_CLOSED" "INCIDENT_REOPENED" "INCIDENT_STATUS_CHANGED" "INCIDENT_COMPANY_CHANGED" "INCIDENT_SEVERITY_CHANGED" "INCIDENT_PRIORITY_CHANGED" "INCIDENT_TYPE_CHANGED" "INCIDENT_OWNER_CHANGED" "INCIDENT_ESCALATED" "INCIDENT_ESCALATION_REVOKED" "INCIDENT_ESCALATION_ACCEPTED" "INCIDENT_ESCALATION_REMINDER_SENT" "PLAYBOOK_ADDED" "PLAYBOOK_STEP_COMPLETED" "PLAYBOOK_USER_INPUT_REQUIRED" "PLAYBOOK_EVIDENCES_PROVIDED" "PLAYBOOK_TERMINATED"
data
oneOf
0
object
alertId
string

The unique Alert ID as defined by CDC

alertName
string

The name of the alert

incidentId
string

The unique Incident ID as defined by CDC

incidentName
string

The name of the incident

ruleTitle
string

The title of the grouping rule by which the alert was attached to the incident

groupingRules
array<object>
matchValue
array<string>

Items:

0
string

The values checked against the alert field

Additional items are allowed.

fieldName
required
string

The alert field name used by the grouping mechanism

operator
required
string

The operator used to compare fieldName with matchValue

Enum: "allOf" "oneOf" "equal"

Additional items are allowed.

Additional properties are allowed.

created
required
string
date-time

Timestamp of when the evidence was created

reported
required
string
date-time

Timestamp of when the evidence was reported (may differ from the evidence creation timestamp)

messageId
string

The ID of the message this evidence was created from

messageCdcUrl
string
url

The URL of the message in the CDC application that this evidence was created from.

guiUrl
deprecated
string
url

The guiUrl property is deprecated and kept for backwards compatibility; use the messageCdcUrl property instead.

externalId
string

The identifier of the evidence, as it appears in external systems, mostly used to achieve idempotence

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "reply/incident-evidence-add-reply; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.
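As an added example (not CDC's code), the validation rules listed for this reply, together with the schema's required fields and the "type" enum, applied on the consumer side so that a malformed evidence object is rejected before anything acts on it. The fallback from the deprecated `name` property to `caption` follows the deprecation note above; everything else is the page's own rules.

```python
"""Consumer-side check of an evidence object against the rules listed on
the reply schema (added example, not CDC code)."""
from datetime import datetime

# The "type" enum exactly as listed on the page.
EVIDENCE_TYPES = frozenset("""
TEXT ALERT_OWNER_ASSIGNED ALERT_OWNER_REMOVED ALERT_STATUS_CHANGED
ALERT_ATTACHED_TO_INCIDENT ALERT_AUTOMATION_JOB_ENDED ALERT_AUTOMATION_JOB_STARTED
ALERT_CLOSED ALERT_DETACHED_FROM_INCIDENT ALERT_DETECTED ALERT_RESOLVED
ALERT_INCIDENT_CREATED ALERT_PLAYBOOK_STEP_COMPLETED ALERT_REOPENED
ALERT_ATTACHED_TO_INCIDENT_BY_GROUPING_RULE MITRE_ATTACK_ADDED MITRE_ATTACK_REMOVED
INCIDENT_ALERT_ADDED INCIDENT_ALERT_REMOVED INCIDENT_CREATED INCIDENT_CLOSED
INCIDENT_REOPENED INCIDENT_STATUS_CHANGED INCIDENT_COMPANY_CHANGED
INCIDENT_SEVERITY_CHANGED INCIDENT_PRIORITY_CHANGED INCIDENT_TYPE_CHANGED
INCIDENT_OWNER_CHANGED INCIDENT_ESCALATED INCIDENT_ESCALATION_REVOKED
INCIDENT_ESCALATION_ACCEPTED INCIDENT_ESCALATION_REMINDER_SENT PLAYBOOK_ADDED
PLAYBOOK_STEP_COMPLETED PLAYBOOK_USER_INPUT_REQUIRED PLAYBOOK_EVIDENCES_PROVIDED
PLAYBOOK_TERMINATED
""".split())

# Fields the schema marks as required regardless of type.
SCHEMA_REQUIRED = ("id", "type", "created", "reported")


def _present(obj: dict, key: str) -> bool:
    value = obj.get(key)
    return value is not None and value != ""


def _is_date_time(value) -> bool:
    """RFC 3339 date-time check; a trailing 'Z' is normalised for older Pythons."""
    try:
        datetime.fromisoformat(str(value).replace("Z", "+00:00"))
    except ValueError:
        return False
    return True


def validate_evidence(evidence: dict) -> tuple:
    """Return (errors, warnings) for one evidence object."""
    errors, warnings = [], []

    for key in SCHEMA_REQUIRED:
        if not _present(evidence, key):
            errors.append(f"The property {key} is required.")
    for key in ("created", "reported"):
        if _present(evidence, key) and not _is_date_time(evidence[key]):
            errors.append(f"The property {key} must be a date-time.")

    etype = evidence.get("type")
    if etype is not None and etype not in EVIDENCE_TYPES:
        errors.append(f"Unknown evidence type {etype!r}.")

    # "name" is deprecated: accept it as a fallback for "caption" but flag it.
    has_caption = _present(evidence, "caption")
    if not has_caption and _present(evidence, "name"):
        has_caption = True
        warnings.append("The name property is deprecated; use caption instead.")

    if etype == "TEXT":
        if not has_caption:
            errors.append("The property caption is required.")
        # Plain text evidence carries a description; evidence created from a
        # chat message carries messageId or externalId instead.
        if not (_present(evidence, "description")
                or _present(evidence, "messageId")
                or _present(evidence, "externalId")):
            errors.append("TEXT evidence requires description, messageId or externalId.")
    elif etype is not None:
        # Any other (custom) type must carry the type plus its data object.
        if not isinstance(evidence.get("data"), dict):
            errors.append("The property data is required.")
    return errors, warnings
```

The function returns every problem it finds rather than stopping at the first one, which mirrors how a ValidationError reply names the offending property and lets a consumer log all of them at once.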

#2 Validation Error Message ValidationError

The reply returned if any of the input data is not valid.

errors
Payload
object
name
required
string

ValidationError

code
required
string

ERR_INVALID_INPUT

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/validation-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#3 Not Found Message NotFoundError

The reply returned if some entity does not exist.

errors
Payload
object
name
required
string

NotFoundError

code
required
string

ERR_NOT_FOUND

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/not-found-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#4 Server Error Message ServerError

The reply returned if an unexpected error occurred during action execution.

errors

Notes:

  • The error message is hidden due to security concerns
Payload
object
name
required
string

ServerError

code
required
string

ERR_SERVER

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/server-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

incidents evidence

Examples

AddEvidenceToIncidentReply
Payload
{
  "id": "5aa4d8fcbdee5a000a911882",
  "caption": "Priority changed",
  "name": "Priority changed",
  "description": "System Admin has changed priority from Low to Medium",
  "type": "MITRE_ATTACK_ADDED",
  "data": {
    "alertId": "603cde4464522f260aacf14a",
    "alertName": "Windows - Multiple failed logins same user same host",
    "incidentId": "5a92dbb61487fe0007fa4fd5",
    "incidentName": "Windows - Multiple failed logins same user same host",
    "ruleTitle": "Phishing",
    "groupingRules": [
      {
        "matchValue": [
          "mailware"
        ],
        "fieldName": "classification",
        "operator": "oneOf"
      }
    ]
  },
  "created": "2019-08-24T14:15:22Z",
  "reported": "2019-08-24T14:15:22Z",
  "messageId": "string",
  "messageCdcUrl": "https://acme.cyberproof.io/home/incidents/5ea71bb363f6c6001707663b/evidence/5ea71bb363f6c6001707254a",
  "guiUrl": "https://acme.cyberproof.io/home/incidents/5ea71bb363f6c6001707663b/evidence/5ea71bb363f6c6001707254a",
  "externalId": "345ffe9a"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "reply/incident-evidence-add-reply; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ValidationError
Payload
{
  "name": "ValidationError",
  "code": "ERR_INVALID_INPUT",
  "message": "The property {propertyName} is required."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/validation-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
NotFoundError
Payload
{
  "name": "NotFoundError",
  "code": "ERR_NOT_FOUND",
  "message": "The {entityName} is not exist."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/not-found-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ServerError
Payload
{
  "name": "ServerError",
  "code": "ERR_SERVER"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/server-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
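An added example (not CDC's code) that parses the X-Message-Schema header format documented on this channel and uses it together with correlation_id to route the four possible replies back to the request that produced them. The sample headers and payloads in the test are the ones shown in the examples above; `pending` is an assumed caller-side map of in-flight requests keyed by correlation_id.

```python
"""Parse X-Message-Schema and route replies on this channel
(added example, not CDC code)."""
import re
from dataclasses import dataclass
from typing import Optional

# {event-type}/{schema-name}; version={version}({-stage});
# schema-name is dash-separated lowercase; the optional pre-release stage is a
# hyphen followed by dot-separated identifiers right after the major version.
_SCHEMA_RE = re.compile(
    r"^(?P<event_type>[a-z]+)/(?P<name>[a-z0-9]+(?:-[a-z0-9]+)*)\s*;\s*"
    r"version=(?P<major>\d+)(?:-(?P<stage>[0-9A-Za-z]+(?:\.[0-9A-Za-z]+)*))?\s*;?\s*$"
)

# Const on this channel's success reply.
EXPECTED_REPLY = "incident-evidence-add-reply"


@dataclass(frozen=True)
class MessageSchema:
    event_type: str
    name: str
    version: int
    stage: Optional[str] = None


def parse_message_schema(header: str) -> MessageSchema:
    m = _SCHEMA_RE.match(header.strip())
    if m is None:
        raise ValueError(f"malformed X-Message-Schema header: {header!r}")
    return MessageSchema(m["event_type"], m["name"], int(m["major"]), m["stage"])


def route_reply(pending: dict, headers: dict, payload: dict) -> dict:
    """Match a reply to the request with the same correlation_id and classify it.

    `pending` is an assumed caller-side map correlation_id -> request context.
    """
    cid = headers.get("correlation_id")
    if cid not in pending:
        # Unsolicited or replayed reply: do not act on it, just record it.
        return {"outcome": "unmatched", "correlation_id": cid}
    try:
        schema = parse_message_schema(headers.get("X-Message-Schema", ""))
    except ValueError as exc:
        # Leave the request pending; a reply we cannot classify is not trusted.
        return {"outcome": "unexpected", "correlation_id": cid, "reason": str(exc)}
    request = pending.pop(cid)
    if schema.event_type == "error":
        # ValidationError / NotFoundError carry a message; ServerError does not.
        return {"outcome": "error", "request": request, "error": payload.get("name"),
                "code": payload.get("code"), "message": payload.get("message")}
    if (schema.event_type == "reply" and schema.name == EXPECTED_REPLY
            and schema.version == 1):
        return {"outcome": "ok", "request": request, "evidence_id": payload["id"]}
    return {"outcome": "unexpected", "request": request, "schema": schema}
```

Matching on the parsed major version rather than comparing the raw header string means a future "version=1-rc.1" pre-release is still recognised as major version 1, while a "version=2" reply is surfaced as unexpected instead of being silently treated as success.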

Pub CdcActions.observable.enrichment.add

Add Enrichment to Observable channel

Add Enrichment to Observable

Adds new enrichment to the specified observable.

Preconditions

  • The observable must already exist

Effects

  1. New enrichment will be added to observable
  2. Enrichment will be added in status "completed"

Notes

  1. If the observable already has an enrichment with the same name, that enrichment is marked as historical and removed from the observable

Accepts the following message:

Add Enrichment To Observable AddEnrichmentToObservable

Adds the enrichment to the specified observable

This message is a command message that adds enrichment to the observable

Payload
object
observableId
required
string

The unique Observable ID as defined by CDC

name
required
string
dataType
string
suspiciousRate
number,null
double >= 0 <= 100

The suspicious rate of the observable (higher is more suspicious), between 0 and 100.

This field is Nullable.

Null value meaning: Not enough data to calculate suspiciousRate, could be updated later.

Examples: 74.8 null
suspiciousWeight
number
double
rawData
required
object

Raw data of completed enrichment

Additional properties are allowed.

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

X-Initiated-By
required
string

The user id of the user who initiated this action, as defined in CDC

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "action/observable-enrichment-add-command; version=1;"
observables observable enrichment

Examples

AddEnrichmentToObservable
Payload
{
  "observableId": "601277891802cf598a22bd4f",
  "name": "ibm_xforce_enrich_ip_cli",
  "dataType": "generic_post",
  "suspiciousRate": 74.8,
  "suspiciousWeight": 3,
  "rawData": {}
}
This example has been generated automatically.
Headers
{
  "message_id": "4176e52e-b7d6-4aab-a38b-6b43a8d43ed1",
  "X-Initiated-By": "d4599677-be17-4a61-b6d8-72899c771f75",
  "reply_to": "stackstorm-replies:create-alert-replies\n",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d",
  "X-Message-Schema": "action/observable-enrichment-add-command; version=1;"
}
This example has been generated automatically.
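The precondition, effects and note of this command, applied to an in-memory observable as an added example (not CDC's code): the observable must exist, suspiciousRate is validated as a double in [0, 100] or null, the stored enrichment gets status "completed", and an existing enrichment with the same name is moved to a historical list. The store layout (`enrichments` and `history` lists per observable) is an assumption of the example.

```python
"""Apply AddEnrichmentToObservable semantics to an in-memory observable
(added example, not CDC code; the store layout is assumed)."""
from datetime import datetime, timezone


class ValidationError(Exception):
    """Maps to the ValidationError reply (ERR_INVALID_INPUT)."""


class NotFoundError(Exception):
    """Maps to the NotFoundError reply (ERR_NOT_FOUND)."""


def validate_enrichment_command(cmd: dict) -> None:
    for key in ("observableId", "name", "rawData"):
        if key not in cmd:
            raise ValidationError(f"The property {key} is required.")
    if not isinstance(cmd["rawData"], dict):
        raise ValidationError("The property rawData must be an object.")
    rate = cmd.get("suspiciousRate")
    # null is legal: not enough data to calculate the rate yet.
    if rate is not None:
        if isinstance(rate, bool) or not isinstance(rate, (int, float)):
            raise ValidationError("The property suspiciousRate must be a number or null.")
        if not 0 <= rate <= 100:
            raise ValidationError("The property suspiciousRate must be between 0 and 100.")


def add_enrichment(store: dict, cmd: dict, now: datetime = None) -> dict:
    """Store the enrichment and return the success reply payload."""
    validate_enrichment_command(cmd)
    observable = store.get(cmd["observableId"])
    if observable is None:
        raise NotFoundError("The observable does not exist.")
    stamp = (now or datetime.now(timezone.utc)).isoformat().replace("+00:00", "Z")

    # An existing enrichment with the same name becomes historical and is
    # removed from the observable's active enrichments.
    active, superseded = [], []
    for existing in observable.get("enrichments", []):
        (superseded if existing["name"] == cmd["name"] else active).append(existing)
    for old in superseded:
        old["historical"] = True
        old["modified"] = stamp
    observable.setdefault("history", []).extend(superseded)

    enrichment = {
        "name": cmd["name"],
        "status": "completed",            # added enrichments are always completed
        "suspiciousRate": cmd.get("suspiciousRate"),
        "suspiciousWeight": cmd.get("suspiciousWeight"),
        "dataType": cmd.get("dataType"),
        "rawData": cmd["rawData"],
        "created": stamp,
        "modified": stamp,
    }
    observable["enrichments"] = active + [enrichment]
    return dict(enrichment)
```

The superseded enrichment is kept in `history` rather than deleted, so an analyst can still see what an earlier run of the same enrichment reported when the rate changes.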

Sub CdcActions.replies.observable.enrichment.add

Add Enrichment to Observable reply channel

Add Enrichment to Observable Reply

Accepts one of the following messages:

#1 Add Enrichment To Observable Reply AddEnrichmentToObservableReply

The reply returned after the enrichment has been added to the observable

replies

This message is the reply to an add-enrichment-to-observable command

Payload
object
name
required
string
status
required
string

Enrichment status

Enum: "started" "completed" "failed"
suspiciousRate
required
number,null
double >= 0 <= 100

The suspicious rate of the observable (higher is more suspicious), between 0 and 100.

This field is Nullable.

Null value meaning: Not enough data to calculate suspiciousRate, could be updated later.

Examples: 74.8 null
suspiciousWeight
required
number
double
ttl
number
int32

Enrichment expiration, in seconds.

endDate
string
date-time
dataType
string
rawData
required
object

Raw data of completed enrichment

Additional properties are allowed.

reportedAt
string
date-time

The time at which the enriched data was reported to the information provider

error
string

In case the enrichment failed, this field contains the error message

created
string
date-time

Enrichment creation timestamp

modified
string
date-time

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "reply/observable-enrichment-add-reply; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#2 Validation Error Message ValidationError

The reply returned if any of the input data is not valid.

errors
Payload
object
name
required
string

ValidationError

code
required
string

ERR_INVALID_INPUT

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/validation-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#3 Not Found Message NotFoundError

The reply returned if some entity does not exist.

errors
Payload
object
name
required
string

NotFoundError

code
required
string

ERR_NOT_FOUND

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/not-found-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#4 Server Error Message ServerError

The reply returned if an unexpected error occurred during action execution.

errors

Notes:

  • The error message is hidden due to security concerns
Payload
object
name
required
string

ServerError

code
required
string

ERR_SERVER

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/server-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

observables observable enrichment

Examples

AddEnrichmentToObservableReply
Payload
{
  "name": "ibm_xforce_enrich_ip_cli",
  "status": "started",
  "suspiciousRate": 74.8,
  "suspiciousWeight": 3,
  "ttl": 86400,
  "endDate": "2019-08-24T14:15:22Z",
  "dataType": "generic_post",
  "rawData": {},
  "reportedAt": "2019-08-24T14:15:22Z",
  "error": "Not Found",
  "created": "2019-08-24T14:15:22Z",
  "modified": "2019-08-24T14:15:22Z"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "reply/observable-enrichment-add-reply; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ValidationError
Payload
{
  "name": "ValidationError",
  "code": "ERR_INVALID_INPUT",
  "message": "The property {propertyName} is required."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/validation-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
NotFoundError
Payload
{
  "name": "NotFoundError",
  "code": "ERR_NOT_FOUND",
  "message": "The {entityName} is not exist."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/not-found-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ServerError
Payload
{
  "name": "ServerError",
  "code": "ERR_SERVER"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/server-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.

Pub CdcActions.message.create

Message creating channel

Create Chat Message

Create a message in CDC and post it to chat. The message can be posted in scope of alert, incident or channel.

Effects

  1. The create message reply will be sent.

Accepts the following message:

Create Message CreateMessageCommand

Creates a message in the CDC chat

This message is a command message that will create a chat message in CDC

Payload
object
length <= 2097152
externalId
required
string

The identifier of the message, as it appears in external systems. Only one message can be linked to each unique externalId.

scope
required
object

Entities in the system can have a scope defining their association with a business object.

id
required
string

ID of the entity as saved in the system

type
required
string

The type of the entity (alert / incident ...)

Enum: "alert" "incident" "channel"

Additional properties are allowed.

parentMessageId
string

Parent message ID, used for displaying replies in a threaded manner.

  • If provided, the new message is posted as a child of that message, as the last message in its thread
  • If not present, the message is posted as a regular message to the specified destination
attachmentIds
array<string>

A list of file IDs that should be attached to the message.

Files Entity Scope:

The file scope must match the provided message scope.

e.g. if a file is uploaded to alert:123 then it cannot be attached to a message with scope alert:456, only to messages with scope alert:123.

Trying to attach fileIds where some file scope does not match the message scope results in a ConflictError.

Items:

0
string

Additional items are allowed.

content
required
oneOf

The content of the message

0
object
message
required
string

The text of the message. Can be simple text or rich text.

contentType
required
string

Message content type that has text representation

Enum: "text"

Additional properties are allowed.

1
object
json
required
object

The raw data attached for the purpose of populating the card.

Additional properties are allowed.

templateName
required
string

The Adaptive Card template name.

contentType
required
string

Message content type that represents an adaptiveCard

Enum: "adaptiveCard"

Additional properties are allowed.

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

X-Initiated-By
required
string

The user id of the user who initiated this action, as defined in CDC

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "action/create-message-command; version=1;"
messages

Examples

CreateMessageCommand
Payload
{
  "externalId": "111e3cf9-da0e-46a1-b099-3fd2e653ecbd",
  "scope": {
    "id": "616ea579f2631c8d4c68a1b7",
    "type": "alert"
  },
  "parentMessageId": "616ea579f2631c8d4c68a1b7",
  "attachmentIds": [
    "fe0007214d55fa4f96a87dbb",
    "b35072142a7c94f96a826a"
  ],
  "content": {
    "message": "some text bold message",
    "contentType": "text"
  }
}
This example has been generated automatically.
Headers
{
  "message_id": "4176e52e-b7d6-4aab-a38b-6b43a8d43ed1",
  "X-Initiated-By": "d4599677-be17-4a61-b6d8-72899c771f75",
  "reply_to": "stackstorm-replies:create-alert-replies\n",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d",
  "X-Message-Schema": "action/create-message-command; version=1;"
}
This example has been generated automatically.
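An added example (not CDC's code) that builds a CreateMessageCommand with the headers this channel requires and applies the page's rules before the command is queued: the scope type enum, the content oneOf (text or adaptiveCard), the 2097152-byte payload limit, and the file-scope rule whose violation CDC reports as a ConflictError. The `files` registry mapping file IDs to the scope they were uploaded to is a caller-side assumption, as is treating an unknown file ID as a validation failure.

```python
"""Build a CreateMessageCommand and apply the page's rules before queueing it
(added example, not CDC code; `files` is an assumed caller-side registry)."""
import json
import uuid

SCHEMA_CONST = "action/create-message-command; version=1;"
SCOPE_TYPES = {"alert", "incident", "channel"}
MAX_PAYLOAD_BYTES = 2097152


class ValidationError(Exception):
    """Would come back as ValidationError / ERR_INVALID_INPUT."""


class ConflictError(Exception):
    """Would come back as ConflictError / ERR_CONFLICT."""


def validate_scope(scope) -> None:
    if not isinstance(scope, dict) or not scope.get("id"):
        raise ValidationError("The property scope.id is required.")
    if scope.get("type") not in SCOPE_TYPES:
        raise ValidationError("The property scope.type must be alert, incident or channel.")


def validate_content(content: dict) -> None:
    """content is a oneOf: a text message or an Adaptive Card."""
    kind = content.get("contentType")
    if kind == "text":
        if not isinstance(content.get("message"), str):
            raise ValidationError("The property message is required.")
    elif kind == "adaptiveCard":
        if not isinstance(content.get("json"), dict):
            raise ValidationError("The property json is required.")
        if not content.get("templateName"):
            raise ValidationError("The property templateName is required.")
    else:
        raise ValidationError("The property contentType must be text or adaptiveCard.")


def check_attachment_scopes(attachment_ids, scope: dict, files: dict) -> None:
    """Every attached file must have been uploaded to the message's own scope."""
    for fid in attachment_ids:
        file_scope = files.get(fid)
        if file_scope is None:
            raise ValidationError(f"Unknown file id {fid!r}.")  # assumed handling
        if (file_scope["type"], file_scope["id"]) != (scope["type"], scope["id"]):
            raise ConflictError(
                f"file {fid} belongs to {file_scope['type']}:{file_scope['id']}, "
                f"message scope is {scope['type']}:{scope['id']}")


def build_create_message(external_id, scope, content, initiated_by, files,
                         attachment_ids=(), parent_message_id=None, reply_to=None):
    validate_scope(scope)
    validate_content(content)
    check_attachment_scopes(attachment_ids, scope, files)
    payload = {"externalId": external_id, "scope": scope, "content": content}
    if parent_message_id:
        payload["parentMessageId"] = parent_message_id
    if attachment_ids:
        payload["attachmentIds"] = list(attachment_ids)
    if len(json.dumps(payload).encode()) > MAX_PAYLOAD_BYTES:
        raise ValidationError("Payload exceeds 2097152 bytes.")
    headers = {
        "message_id": str(uuid.uuid4()),      # dedup key for reruns
        "X-Initiated-By": initiated_by,       # CDC user id of the initiator
        "correlation_id": str(uuid.uuid4()),  # used to match the reply
        "X-Message-Schema": SCHEMA_CONST,
    }
    if reply_to:
        headers["reply_to"] = reply_to        # "<exchangeName>:<routingKey>"
    return {"headers": headers, "payload": payload}
```

Checking the file scopes locally does not replace the server-side check; it turns a round trip that would end in a ConflictError into an immediate failure on the producer, and keeps a file uploaded to one alert from ever being referenced from a message in another.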

Sub CdcActions.replies.message.create

Message creating reply channel

Create Chat Message Reply

Result of a create message action.

Special errors:

  • ConflictError will be received when:
    • Trying to create a message with attachmentIds where some attachment is uploaded to a different entity scope.
    • Trying to create a message for a closed alert or incident.
  • NotFoundError will be received when the scope refers to an entity that does not exist or to a channel that is archived.
  • ForbiddenError will be received when targeting a private channel of which the author of the message is not a member.

Accepts one of the following messages:

#1 Create Message Reply CreateMessageReply

The reply returned after the message has been created in the chat

replies

This message is the reply to a successful chat message creation

Payload
object
id
required
string

ID of the message as saved in the system

externalId
required
string

The identifier of the message, as it appears in external systems. Only one message can be linked to each unique externalId.

scope
required
object

Entities in the system can have a scope defining their association with a business object.

id
required
string

ID of the entity as saved in the system

type
required
string

The type of the entity (alert / incident ...)

Enum: "alert" "incident" "channel"

Additional properties are allowed.

parentMessageId
string

If present, this message was posted in another message's thread

content
required
oneOf

The content of the message

0
object
message
required
string

The text of the message. Can be simple text or rich text.

contentType
required
string

Message content type that has text representation

Enum: "text"

Additional properties are allowed.

1
object
json
required
object

The raw data attached for the purpose of populating the card.

Additional properties are allowed.

templateName
required
string

The Adaptive Card template name.

contentType
required
string

Message content type that represents an adaptiveCard

Enum: "adaptiveCard"

Additional properties are allowed.

attachments
array<object>

An array of FileInfo objects, each holding the metadata of an attached file.

The field is mandatory; an empty array is returned when no files are attached to the message.

status
required
string

The status of the file, reflecting the upload and sanitation process. Every file has a status:

  • uploaded - uploaded but not ready yet; requires additional processing
  • processing - being processed by the system, i.e. pending sanitation
  • verified - completed the sanitation process; needs to move to its final storage location
  • ready - completed and made available
  • failed - the file upload process has failed, such as when sanitation can't be applied
  • blocked - the file sanitation process failed (i.e. the file has malicious content)
Enum: "uploaded" "processing" "verified" "ready" "failed" "blocked"
id
required
string

A unique, machine-oriented ID identifying this file.

name
required
string

The file name

scope
required
object

Entities in the system can have a scope defining their association with a business object.

id
required
string

ID of the entity as saved in the system

type
required
string

The type of the entity (alert / incident ...)

Enum: "alert" "incident" "channel"

Additional properties are allowed.

url
required
string

The file url

thumbnailUrl
string

The url of the file thumbnail. A thumbnail is a small image representation of a larger image or a video.

size
required
number

The file size in bytes

mimeType
required
string

The MIME (Multipurpose Internet Mail Extensions) type of the file. A two-part identifier for file formats and format contents transmitted on the Internet. See more: https://en.wikipedia.org/wiki/Media_type

extension
string

An identifier specified as a suffix to the name of a file

createdAt
required
string
date-time

File creation timestamp

createdBy
required
string

The ID of the user who created this file.

Additional items are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "reply/message-create-reply; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#2 Validation Error Message ValidationError

The reply returned if any of the input data is not valid.

errors
Payload
object
name
required
string

ValidationError

code
required
string

ERR_INVALID_INPUT

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/validation-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#3 Server Error Message ServerError

The reply returned if an unexpected error occurred during action execution.

errors

Notes:

  • The error message is hidden due to security concerns
Payload
object
name
required
string

ServerError

code
required
string

ERR_SERVER

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/server-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#4 Conflict Error Message ConflictError

The reply returned if there are concurrency issues during operation execution

errors
Payload
object
name
required
string

ConflictError

code
required
string

ERR_CONFLICT

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/conflict-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#5 Forbidden Error Message ForbiddenError

The reply returned if access to the target resource is denied, e.g. when targeting a private channel of which the author of the message is not a member

errors
Payload
object
name
required
string

ForbiddenError

code
required
string

ERR_FORBIDDEN

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/forbidden-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#6 Not Found Message NotFoundError

The reply returned if some entity does not exist.

errors
Payload
object
name
required
string

NotFoundError

code
required
string

ERR_NOT_FOUND

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/not-found-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

messages

Examples

CreateMessageReply
Payload
{
  "id": "616ea579f2631c8d4c68a1b7",
  "externalId": "111e3cf9-da0e-46a1-b099-3fd2e653ecbd",
  "scope": {
    "id": "616ea579f2631c8d4c68a1b7",
    "type": "alert"
  },
  "parentMessageId": "616ea579f2631c8d4c68a1b7",
  "content": {
    "message": "some text bold message",
    "contentType": "text"
  },
  "attachments": [
    {
      "status": "uploaded",
      "id": "5e7c6cf54b832e0018f191ad",
      "name": "attachment.txt",
      "scope": {
        "id": "616ea579f2631c8d4c68a1b7",
        "type": "alert"
      },
      "url": "https://someDomain/somePath/attachment.txt",
      "thumbnailUrl": "https://someDomain/somePath/attachment.thm",
      "size": 2680000,
      "mimeType": "text/plain",
      "extension": "txt",
      "createdAt": "2019-08-24T14:15:22Z",
      "createdBy": "8e2c4cf54b832e0018f191ad"
    }
  ]
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "reply/message-create-reply; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ValidationError
Payload
{
  "name": "ValidationError",
  "code": "ERR_INVALID_INPUT",
  "message": "The property {propertyName} is required."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/validation-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ServerError
Payload
{
  "name": "ServerError",
  "code": "ERR_SERVER"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/server-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ConflictError
Payload
{
  "name": "ConflictError",
  "code": "ERR_CONFLICT",
  "message": "This {entityName} was already changed."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/conflict-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ForbiddenError
Payload
{
  "name": "ForbiddenError",
  "code": "ERR_FORBIDDEN",
  "message": "The access for the resource is denied."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/forbidden-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
NotFoundError
Payload
{
  "name": "NotFoundError",
  "code": "ERR_NOT_FOUND",
  "message": "The {entityName} is not exist."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/not-found-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
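The X-Message-Schema format and the correlation_id matching described above, as an added example (not part of the CDC spec or any CDC client library): a parser for `{event-type}/{schema-name}; version={version}({-stage});` and a small router that pairs replies and error replies with the commands still waiting for them. The sample header values are taken from the examples on this page; `ReplyRouter` and its classification labels are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Any, Dict, Optional, Tuple

# Added example, not part of the CDC spec or its client libraries. It parses the
# X-Message-Schema header format described above,
#   {event-type}/{schema-name}; version={version}({-stage});
# and uses correlation_id to match replies and error replies to pending commands.

_SCHEMA_RE = re.compile(
    r"^\s*(?P<type>[a-z]+)/(?P<name>[a-z0-9]+(?:-[a-z0-9]+)*)\s*;"   # type/dash-separated-name;
    r"\s*version=(?P<version>\d+)(?:\.\d+)*"                          # major version (minor parts tolerated)
    r"(?:-(?P<stage>[0-9A-Za-z]+(?:\.[0-9A-Za-z]+)*))?\s*;?\s*$"      # optional pre-release stage
)


@dataclass(frozen=True)
class MessageSchema:
    type: str              # "action", "reply", "error" or "event"
    name: str              # lowercase, dash-separated schema name
    version: int           # major version only
    stage: Optional[str]   # pre-release identifiers after the hyphen, if any


def parse_message_schema(header: str) -> MessageSchema:
    """Parse an X-Message-Schema header; raises ValueError if it does not follow the format."""
    m = _SCHEMA_RE.match(header)
    if not m:
        raise ValueError(f"malformed X-Message-Schema header: {header!r}")
    return MessageSchema(m["type"], m["name"], int(m["version"]), m["stage"])


class ReplyRouter:
    """Tracks commands that still await a reply, keyed by correlation_id, and classifies
    each message arriving on the reply channel: the expected reply, one of the error
    replies (reported by its code), or something that should not have arrived at all."""

    def __init__(self) -> None:
        self._pending: Dict[str, str] = {}   # correlation_id -> expected reply schema name

    def register(self, correlation_id: str, expected_reply: str) -> None:
        self._pending[correlation_id] = expected_reply

    def pending_count(self) -> int:
        return len(self._pending)

    def route(self, headers: Dict[str, str], payload: Dict[str, Any]) -> Tuple[str, Any]:
        cid = headers.get("correlation_id")
        if cid is None or cid not in self._pending:
            # Replies without a known correlation_id cannot be matched to a request.
            return ("unmatched", cid)
        schema = parse_message_schema(headers["X-Message-Schema"])
        expected = self._pending.pop(cid)
        if schema.type == "error":
            return ("error", payload.get("code"))
        if schema.type == "reply" and schema.name == expected:
            return ("ok", payload)
        # A reply of the wrong schema for this request is a protocol problem worth surfacing.
        return ("unexpected", f"{schema.type}/{schema.name}")


# Constructed sample exchange (header values taken from the examples on this page).
if __name__ == "__main__":
    router = ReplyRouter()
    router.register("278940cd-cde8-40ed-adb2-caafd89bcb5d", "message-create-reply")
    kind, detail = router.route(
        {"X-Message-Schema": "error/not-found-error; version=1;",
         "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"},
        {"name": "NotFoundError", "code": "ERR_NOT_FOUND", "message": "The {entityName} is not exist."},
    )
    print(kind, detail)   # error ERR_NOT_FOUND
```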

Pub CdcActions.alert.extended.properties.set

Alert extended properties channel

Add additional properties to the alert

Set additional properties for Alert.

Notes

  1. Before saving additional properties, a definition must exist for each property: go to CDC settings and define the Alert extended properties definitions.
  2. This operation supports update/insert (upsert) by field name.

Accepts the following message:

Alert Extended Properties AlertExtendedPropertiesSet

A definition for Alert extended properties set

Payload
object
request
required
array<object>
Unique

The list of Alert extended properties that need to be set

name
required
string

The internal field name, as defined by CDC field modeling.

value

The value, which must fit the entity type defined for the field in CDC settings: for an email field it will be an email address, for an IP address field an IP address.

Additional items are allowed.

alertId
required
string

The alert id

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and in lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version is important, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "action/close-alert-command; version=1;"
alerts

Examples

AlertExtendedPropertiesSet
Payload
{
  "request": [
    {
      "name": "alert_myemail_email",
      "value": "user@cyberproof.com"
    }
  ],
  "alertId": "string"
}
This example has been generated automatically.
Headers
{
  "message_id": "4176e52e-b7d6-4aab-a38b-6b43a8d43ed1",
  "reply_to": "stackstorm-replies:create-alert-replies\n",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d",
  "X-Message-Schema": "action/close-alert-command; version=1;"
}
This example has been generated automatically.

Sub CdcActions.replies.alert.extended.properties.set

Alert Extended Properties Set reply channel

Alert Extended Properties Set Reply

Accepts one of the following messages:

#1 Alert Extended Properties Set Reply AlertExtendedPropertiesSetReply

The reply which is returned after the addition of alert extended properties

replies
  • This message is a reply to the alert extended properties set action
Payload
object
fields
required
array<object>
>= 1 items Unique

The list of fields that were added

name
required
string

field name

value
object

Field value, which can be a string, date or number

Additional properties are allowed.

id
required
string

The unique mongo ID of the saved document

createdBy
required
string

The mongo id of the user

updatedBy
required
string

The mongo id of the user

createdAt
required
string
updatedAt
required
string

Additional items are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and in lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version is important, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "reply/alert-extended-properties-set-reply; version=1;"
#2 Forbidden Error Message ForbiddenError

The reply which is returned if there are concurrency issues during operation execution

errors
Payload
object
name
required
string

ForbiddenError

code
required
string

ERR_FORBIDDEN

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and in lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version is important, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/forbidden-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#3 Conflict Error Message ConflictError

The reply which is returned if there are concurrency issues during operation execution

errors
Payload
object
name
required
string

ConflictError

code
required
string

ERR_CONFLICT

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and in lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version is important, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/conflict-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#4 Not Found Message NotFoundError

The reply which is returned if some entity does not exist.

errors
Payload
object
name
required
string

NotFoundError

code
required
string

ERR_NOT_FOUND

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and in lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version is important, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/not-found-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#5 Bad Request Error Message BadRequestError

The reply which is returned if an invalid argument was passed which caused the action to fail.

errors
Payload
object
name
required
string

BadRequestError

code
required
string

ERR_BAD_REQUEST

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and in lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version is important, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/bad-request-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#6 Application Error Message ApplicationError

The reply which is returned if an unhandled error occurred during action execution.

errors
Payload
object
name
required
string

ApplicationError

code
required
string

ERR_APPLICATION

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and in lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version is important, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/application-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

alerts

Examples

AlertExtendedPropertiesSetReply
Payload
{
  "fields": [
    {
      "name": "alert_what_happened_text",
      "value": "test",
      "id": "603cde4464522f260aacf14a",
      "createdBy": "63ecdd1f5117329258d11c63",
      "updatedBy": "63ecdd1f5117329258d11c63",
      "createdAt": "2023-03-23T19:01:29.485Z",
      "updatedAt": "2023-03-23T19:01:29.485Z"
    }
  ]
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "reply/alert-extended-properties-set-reply; version=1;"
}
This example has been generated automatically.
ForbiddenError
Payload
{
  "name": "ForbiddenError",
  "code": "ERR_FORBIDDEN",
  "message": "The access for the resource is denied."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/forbidden-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ConflictError
Payload
{
  "name": "ConflictError",
  "code": "ERR_CONFLICT",
  "message": "This {entityName} was already changed."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/conflict-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
NotFoundError
Payload
{
  "name": "NotFoundError",
  "code": "ERR_NOT_FOUND",
  "message": "The {entityName} is not exist."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/not-found-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
BadRequestError
Payload
{
  "name": "BadRequestError",
  "code": "ERR_BAD_REQUEST",
  "message": "creating/updating {entityType} failed."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/bad-request-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ApplicationError
Payload
{
  "name": "ApplicationError",
  "code": "ERR_APPLICATION",
  "message": "An unexpected error has occured."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/application-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.

Pub CdcActions.incident.summary.set

Incident summary set channel

Add summary values for incident

Set summary overview fields for an incident.

Notes

  1. Before saving overview fields for an incident, a definition must exist for each property: go to CDC settings and define the incident summary properties definitions.
  2. This operation supports update/insert (upsert) by field name.

Accepts the following message:

Incident summary set many IncidentSummarySetMany

A definition for Incident summary set

Payload
object
request
required
array<object>
Unique

The list of Incident summary answers that need to be set

name
required
string

The internal field name, as defined by CDC field modeling.

value

The value, which must fit the entity type defined for the field in CDC settings. By default the HTML format is selected.

Additional items are allowed.

incidentId
required
string

The incident id

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and in lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version is important, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "action/close-alert-command; version=1;"
incidents

Examples

IncidentSummarySetMany
Payload
{
  "request": [
    {
      "name": "incident_whatwasdone_rich_text",
      "value": "some test here need to be provided with HTML tags."
    }
  ],
  "incidentId": "string"
}
This example has been generated automatically.
Headers
{
  "message_id": "4176e52e-b7d6-4aab-a38b-6b43a8d43ed1",
  "reply_to": "stackstorm-replies:create-alert-replies\n",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d",
  "X-Message-Schema": "action/close-alert-command; version=1;"
}
This example has been generated automatically.
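The AlertExtendedPropertiesSet and IncidentSummarySetMany commands above share one shape (a `request` list of name/value pairs plus an entity id, with message_id, reply_to, correlation_id and X-Message-Schema headers), so one added example serves both; it is not CDC's own client or server code. `build_set_command` checks each value against a constructed `DEFINITIONS` table standing in for the definitions made in CDC settings, and `ExtendedPropertiesStore` models the consumer side: a rerun with an already-seen message_id is ignored, and each field is inserted or updated by name. The default schema header is the Const this page declares for the command; the generated ids and timestamps are constructed values.

```python
import ipaddress
import re
import uuid
from datetime import datetime, timezone
from typing import Any, Dict, Optional, Tuple

# Added example, not CDC's own client or server code. It builds the
# AlertExtendedPropertiesSet / IncidentSummarySetMany command described above (payload
# plus message_id, reply_to, correlation_id and X-Message-Schema headers) and models the
# consumer side: deduplication by message_id and upsert by field name. DEFINITIONS is a
# constructed stand-in for the property definitions that live in CDC settings, and the
# ids and timestamps the store generates are constructed values, not CDC's.

_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed: field name -> entity type, as it would be defined in CDC settings.
DEFINITIONS: Dict[str, str] = {
    "alert_myemail_email": "email",
    "alert_attacker_ip": "ip",
    "incident_whatwasdone_rich_text": "html",
}


def value_fits(field_type: str, value: Any) -> bool:
    """Check that a value fits the entity type defined for the field."""
    if not isinstance(value, str) or not value:
        return False
    if field_type == "email":
        return bool(_EMAIL_RE.match(value))
    if field_type == "ip":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    return True   # text / html: any non-empty string


def build_set_command(entity: str, entity_id: str, fields: Dict[str, Any],
                      reply_to: Optional[str] = None, correlation_id: Optional[str] = None,
                      schema: str = "action/close-alert-command; version=1;",
                      ) -> Tuple[Dict[str, str], Dict[str, Any]]:
    """Return (headers, payload) for an extended-properties / summary set command.
    entity is "alert" or "incident"; the default schema is the Const this page declares."""
    if entity not in ("alert", "incident"):
        raise ValueError("entity must be 'alert' or 'incident'")
    if not entity_id:
        raise ValueError(f"{entity}Id is required")
    request = []
    for name, value in fields.items():
        field_type = DEFINITIONS.get(name)
        if field_type is None:
            raise ValueError(f"no definition for {name!r}: define it in CDC settings first")
        if not value_fits(field_type, value):
            raise ValueError(f"value for {name!r} does not fit type {field_type!r}")
        request.append({"name": name, "value": value})
    headers = {"message_id": str(uuid.uuid4()), "X-Message-Schema": schema}
    if reply_to is not None:
        exchange, _, routing_key = reply_to.partition(":")   # "<exchangeName>:<routingKey>"
        if not exchange or not routing_key:
            raise ValueError("reply_to must be '<exchangeName>:<routingKey>'")
        headers["reply_to"] = reply_to
    if correlation_id is not None:
        headers["correlation_id"] = correlation_id
    return headers, {"request": request, f"{entity}Id": entity_id}


class ExtendedPropertiesStore:
    """Models the server side of the command: ignore a rerun of an already-applied
    message_id, and insert or update each field by name (one record per entity+name)."""

    def __init__(self, user_id: str = "63ecdd1f5117329258d11c63") -> None:
        self._seen_message_ids: set = set()
        self._records: Dict[Tuple[str, str], Dict[str, Any]] = {}
        self._user_id = user_id

    def handle(self, headers: Dict[str, str], payload: Dict[str, Any]) -> Optional[Dict[str, Any]]:
        """Apply the command; returns the reply payload, or None for a duplicate delivery."""
        message_id = headers["message_id"]
        if message_id in self._seen_message_ids:
            return None
        self._seen_message_ids.add(message_id)
        entity_id = payload.get("alertId") or payload.get("incidentId")
        now = datetime.now(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")
        fields = []
        for item in payload["request"]:
            key = (entity_id, item["name"])
            record = self._records.get(key)
            if record is None:   # insert
                record = {"name": item["name"], "value": item["value"],
                          "id": uuid.uuid4().hex[:24],   # constructed 24-hex id
                          "createdBy": self._user_id, "updatedBy": self._user_id,
                          "createdAt": now, "updatedAt": now}
                self._records[key] = record
            else:                # update by field name
                record.update(value=item["value"], updatedBy=self._user_id, updatedAt=now)
            fields.append(dict(record))
        return {"fields": fields}

    def record_count(self) -> int:
        return len(self._records)
```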

Sub CdcActions.replies.incident.summary.set

Incident Summary set reply channel

Incident Summary Set Reply

Result of an incident summary set.

Accepts one of the following messages:

#1 Incident Summary Set Reply IncidentSummarySetReply

The reply which is returned after the addition of incident summary fields

replies
  • This message is a reply to the incident summary set action
Payload
object
fields
required
array<object>
>= 1 items Unique

The list of fields that were added

name
required
string

field name

value
object

Field value, which can be a string, date or number

Additional properties are allowed.

id
required
string

The unique mongo ID of the saved document

createdBy
required
string

The mongo id of the user

updatedBy
required
string

The mongo id of the user

createdAt
required
string
updatedAt
required
string

Additional items are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and in lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version is important, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "reply/incident-summary-set-reply; version=1;"
#2 Forbidden Error Message ForbiddenError

The reply which is returned if there are concurrency issues during operation execution

errors
Payload
object
name
required
string

ForbiddenError

code
required
string

ERR_FORBIDDEN

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and in lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version is important, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/forbidden-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#3 Conflict Error Message ConflictError

The reply which is returned if there are concurrency issues during operation execution

errors
Payload
object
name
required
string

ConflictError

code
required
string

ERR_CONFLICT

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and in lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version is important, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/conflict-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#4 Not Found Message NotFoundError

The reply which is returned if some entity does not exist.

errors
Payload
object
name
required
string

NotFoundError

code
required
string

ERR_NOT_FOUND

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and in lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version is important, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/not-found-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#5 Bad Request Error Message BadRequestError

The reply which is returned if an invalid argument was passed which caused the action to fail.

errors
Payload
object
name
required
string

BadRequestError

code
required
string

ERR_BAD_REQUEST

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and in lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version is important, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/bad-request-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#6 Application Error Message ApplicationError

The reply which is returned if an unhandled error occurred during action execution.

errors
Payload
object
name
required
string

ApplicationError

code
required
string

ERR_APPLICATION

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and in lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version is important, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/application-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

incidents

Examples

IncidentSummarySetReply
Payload
{
  "fields": [
    {
      "name": "incident_what_happened_rich_text",
      "value": "test",
      "id": "603cde4464522f260aacf14a",
      "createdBy": "63ecdd1f5117329258d11c63",
      "updatedBy": "63ecdd1f5117329258d11c63",
      "createdAt": "2023-03-23T19:01:29.485Z",
      "updatedAt": "2023-03-23T19:01:29.485Z"
    }
  ]
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "reply/incident-summary-set-reply; version=1;"
}
This example has been generated automatically.
ForbiddenError
Payload
{
  "name": "ForbiddenError",
  "code": "ERR_FORBIDDEN",
  "message": "The access for the resource is denied."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/forbidden-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ConflictError
Payload
{
  "name": "ConflictError",
  "code": "ERR_CONFLICT",
  "message": "This {entityName} was already changed."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/conflict-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
NotFoundError
Payload
{
  "name": "NotFoundError",
  "code": "ERR_NOT_FOUND",
  "message": "The {entityName} is not exist."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/not-found-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
BadRequestError
Payload
{
  "name": "BadRequestError",
  "code": "ERR_BAD_REQUEST",
  "message": "creating/updating {entityType} failed."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/bad-request-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ApplicationError
Payload
{
  "name": "ApplicationError",
  "code": "ERR_APPLICATION",
  "message": "An unexpected error has occured."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/application-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.

Sub cdcevents.alert.closed

AlertClosed events

Subscribes to all "AlertClosed" events. These events are fired once an alert changes status to "Closed" OR "Resolved" (the latter when the incident containing the alert was closed).

Accepts the following message:

Alert Closed Event AlertClosedEvent

An alert was closed

This event is fired when an alert is closed

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

The user ID as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

alertId
required
string

The unique Alert ID as defined by CDC

source
required
string

The identifier of the source system from which this alert originated. Usually this is the name of the SIEM, but in some cases the alert may originate from another kind of system, such as an IT ticket management system.

sourceId
required
string

The ID of the alert, as defined in the source system. The combination of source + sourceId is guaranteed to be unique (a composite identifier)

sourceUrl
string
url

The URL of the alert, as defined in the source system. Note: not all alerts include this field

status
required
string

Alert status upon closure

Enum: "Closed" "Resolved"
closingReason
required
object

Details explaining why this alert was marked as irrelevant. Only appears if the alert was closed as irrelevant.

reason
required
string

Alert closure reason. Possible default values are: "Benign Positive", "True Positive", "False Positive - Incorrect alert logic", "False Positive - Inaccurate data" and "Undetermined"

Note: there may be additional custom reasons, but only if such reasons are defined in CDC (metamodels)

comment
required
string

Analyst-provided comment for closing an alert

Note: the "comment" property is required if the "reason" property is "Other"

Additional properties are allowed.

comment
deprecated
string

Alert closure summary that consists of closingReason.reason and closingReason.comment.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and in lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version is important, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/alert-closed; version=1;"
alerts

Examples

AlertClosedEvent
Payload
{
  "eventId": "fb56d0ea-4a4c-4dd1-8bc1-b26b5fd6cf31",
  "eventTimestamp": "2019-08-24T14:15:22Z",
  "initiatedBy": {
    "id": "5fc8fbcd52c2b20011446797",
    "displayName": "John Doe",
    "email": "john.doe@gmail.com",
    "group": "L1"
  },
  "alertId": "603cde4464522f260aacf14a",
  "source": "arcsight",
  "sourceId": "12345",
  "sourceUrl": "https://13.93.41.164/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=263",
  "status": "Closed",
  "closingReason": {
    "reason": "False positive",
    "comment": "This was just a test"
  },
  "comment": "Incident closed after malware removal"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "event/alert-closed; version=1;"
}
This example has been generated automatically.

Sub cdcevents.alert.created

AlertCreated events

Subscribes to all "AlertCreated" events. These events are fired once an alert is created.

Accepts the following message:

Alert Created Event AlertCreatedEvent

An alert was created

This event is fired when an alert is created in CDC

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

The user ID as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

alertId
required
string

The unique Alert ID as defined by CDC

source
required
string

The identifier of the source system from which this alert originated. Usually this is the name of the SIEM, but in some cases the alert may originate from another kind of system, such as an IT ticket management system.

sourceId
required
string

The ID of the alert, as defined in the source system. The combination of source + sourceId is guaranteed to be unique (a composite identifier)

sourceUrl
string
url

The URL of the alert, as defined in the source system. Note: not all alerts include this field

classification
string

Classification category that the alert falls into.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and in lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version is important, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/alert-created; version=1;"
alerts

Examples

AlertCreatedEvent
Payload
{
  "eventId": "fb56d0ea-4a4c-4dd1-8bc1-b26b5fd6cf31",
  "eventTimestamp": "2019-08-24T14:15:22Z",
  "initiatedBy": {
    "id": "5fc8fbcd52c2b20011446797",
    "displayName": "John Doe",
    "email": "john.doe@gmail.com",
    "group": "L1"
  },
  "alertId": "603cde4464522f260aacf14a",
  "source": "arcsight",
  "sourceId": "12345",
  "sourceUrl": "https://13.93.41.164/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=263",
  "classification": "Phishing"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "event/alert-created; version=1;"
}
This example has been generated automatically.

Sub cdcevents.alert.updated

AlertUpdated events

Subscribes to all "AlertUpdated" events. These events are fired when an update operation was applied to an alert changing at least one of its fields.

Accepts the following message:

Alert Updated Event AlertUpdatedEvent

An alert was updated

This event is fired when at least one of the fields on an alert was changed due to an update operation.

The payload of this event holds the new state of the alert, after the update.

Relevant update operations:

Payload
object
id
string

A unique, machine-oriented ID identifying this alert.

source
string

The name of the source system

sourceId
string

The ID of the alert in the source system

name
string

The name of the alert

description
string

The description of the alert

severity
string

The severity of the alert. Must be one of the severities defined in CDC.

created
string
date-time

Alert creation timestamp, in UTC

modified
string
date-time

Last modification timestamp, in UTC

detected
string
date-time

Alert detection timestamp, in UTC

status
string

Alert status

Enum: "New" "In incident" "Closed" "Resolved"
sourceUrl
string
uri

A URI of this alert pointing to the source system

company
string

Name of the company / division to which this incident or alert belongs.

Not to be confused with the "organization" field, which was used to distinguish between tenants and is deprecated.

Note that most customers don't use the "company" feature. The value must be one of the companies defined in the CDC database.

useCase
string

Alert Use Case name

detectionRule
string
length <= 256

Name of detection rule from SIEM that triggered the generation of alert

killChain
array<string>

Mapping of the alert to specific Kill Chain phases. The case of the names is ignored, as are spaces and duplicate values. All values are normalized according to the provided enum. See in Wikipedia

This field accepts any value; the provided enum shows the recommended values.

Enum: "Reconnaissance" "Weaponization" "Delivery" "Exploitation" "Installation" "Command and Control" "Actions on Objective"

Items:

0
string
length <= 256

Additional items are allowed.

mitreAttacks
array<string>
Unique

MitreAttack Ids List

Items:

0
string

Additional items are allowed.

alertType
string
length <= 15

The type of the alert. Must be one of the alert types defined in CDC - see Enumerated values. When omitted or set to an invalid value, alertType will be set to General.

Enum: "CTI-Landscape" "CTI-Assetbased" "General"
threatType
string

The threat type with which this alert is associated.

threatActors
array<string>

The attacker, whoever launched the attack/campaign/malware.

Items:

0
string

Additional items are allowed.

malwareTools
array<string>

The Malware/Tools that were used in the attack.

Items:

0
string

Additional items are allowed.

ctiSourceUrls
array<string>

The data source that was used for opening the alert.

Items:

0
string

Additional items are allowed.

recommendations
string

Instructions on how to handle the alert.

categories
array<string>

Mapping of alert to specific category in SIEM

Items:

0
string

Additional items are allowed.

tags
array<string>
Unique

Array of tags. A tag's name can contain only the following characters: alphabetic, "-", "_", ".", "#", "@", and numeric.

Tags are case-preserving on insertion: if a tag doesn't already exist with a different casing style, the tag will be saved with the casing specified. When used as query filters, tags are treated as case-insensitive.

Items:

0
string
must match ^\S*$

Additional items are allowed.
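The killChain and tags fields above describe server-side normalization rules (case, spaces and duplicates ignored for kill-chain phases; a restricted character set and case-insensitive uniqueness for tags). A producer that applies the same rules before publishing avoids silent rewrites or rejected messages. The following is an added example written for this page, not code from the CDC project; treating unknown kill-chain values as pass-through (stripped but otherwise unchanged) and rejecting empty tags are my own choices, since the page says the enum is only recommended and the tag character list does not mention the empty string.

```python
import re
from typing import Iterable, List, Tuple

# Recommended Kill Chain phases, copied from the enum on this page.
KILL_CHAIN_PHASES = (
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objective",
)


def _fold(name: str) -> str:
    # The spec ignores case and spaces when matching phases, so compare on a
    # key with both removed.
    return re.sub(r"\s+", "", name).casefold()


_CANONICAL = {_fold(p): p for p in KILL_CHAIN_PHASES}


def normalize_kill_chain(values: Iterable[str]) -> List[str]:
    """Return canonical phase names, preserving first-seen order and dropping
    duplicates. Values outside the recommended enum are kept (stripped) because
    the field accepts any value; this pass-through is an assumption."""
    seen = set()
    out: List[str] = []
    for value in values:
        key = _fold(value)
        if key in seen:
            continue
        seen.add(key)
        out.append(_CANONICAL.get(key, value.strip()))
    return out


# Allowed tag characters per the page: letters, digits, "-", "_", ".", "#", "@".
# \w covers letters, digits and underscore. This also satisfies the ^\S*$ item
# pattern, since none of the allowed characters is whitespace.
_TAG_RE = re.compile(r"^[\w.\-#@]+$")


def validate_tags(tags: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split tags into (accepted, rejected). Accepted tags are deduplicated
    case-insensitively, keeping the first casing seen, mirroring the
    case-preserving insert / case-insensitive filter behaviour described."""
    accepted: List[str] = []
    rejected: List[str] = []
    seen = set()
    for tag in tags:
        if not _TAG_RE.fullmatch(tag):
            rejected.append(tag)
            continue
        key = tag.casefold()
        if key in seen:
            continue
        seen.add(key)
        accepted.append(tag)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample input, not taken from a real message.
    print(normalize_kill_chain(["reconnaissance", "Command And Control",
                                "command and control", " Delivery ", "Custom Phase"]))
    print(validate_tags(["Cloud-Computing", "cloud-computing", "Virus",
                         "has space", "", "bad$tag", "ok_tag.v1#x@y"]))
```

Running the normalizer on the producer side keeps the published payload identical to what CDC would store, which makes the AlertUpdated event (whose payload is the post-update state) easy to compare against what was sent.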

observableTags
array<string>
Unique

List of tags of alert observables

Items:

0
string
must match ^\S*$

Additional items are allowed.

classification
string
length <= 50

Classification for the alert

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/alert-updated; version=1;"
alerts
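The X-Message-Schema header is the only thing that tells a consumer which schema and major version a queued message follows, so a consumer should parse it strictly and refuse messages whose schema or major version it does not know rather than guessing at field semantics. The following is an added example for this page, not code from the CDC project: it parses the header format described above (including the optional pre-release stage) and routes on the Const values shown on this page. The handler names and the decision to reject unknown majors are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Header format given by the spec:
#   {event-type}/{schema-name}; version={version}({-stage});
# schema-name is lowercase and dash-separated; the version is normally just the
# integer major, optionally followed by "-" and dot-separated pre-release
# identifiers (e.g. "version=2-beta.1;").
_SCHEMA_RE = re.compile(
    r"^\s*(?P<type>[a-z]+)/(?P<name>[a-z0-9]+(?:-[a-z0-9]+)*)\s*;\s*"
    r"version=(?P<major>\d+)(?:-(?P<stage>[0-9A-Za-z]+(?:\.[0-9A-Za-z]+)*))?\s*;?\s*$"
)


@dataclass(frozen=True)
class MessageSchema:
    event_type: str
    schema_name: str
    major: int
    stage: Optional[str]  # None for a released schema, e.g. "beta.1" for a pre-release


def parse_message_schema(header: str) -> MessageSchema:
    """Parse an X-Message-Schema value; anything off-format raises ValueError."""
    m = _SCHEMA_RE.match(header)
    if m is None:
        raise ValueError(f"malformed X-Message-Schema header: {header!r}")
    return MessageSchema(m["type"], m["name"], int(m["major"]), m["stage"])


# Dispatch table keyed on (event-type, schema-name, major). The keys come from
# the Const values on this page; the handler names are hypothetical.
HANDLERS: Dict[Tuple[str, str, int], str] = {
    ("event", "alert-created", 1): "handle_alert_created",
    ("event", "alert-updated", 1): "handle_alert_updated",
    ("event", "alert-rate-changed", 1): "handle_alert_rate_changed",
    ("event", "alert-reopened", 1): "handle_alert_reopened",
}


def route(headers: Dict[str, str]) -> str:
    """Return the handler name for a message. Raises for a missing or malformed
    header and for a schema/major this consumer does not know: a new major may
    have changed field semantics, so best-effort handling is not safe."""
    raw = headers.get("X-Message-Schema")
    if raw is None:
        raise ValueError("X-Message-Schema header is required")
    schema = parse_message_schema(raw)
    handler = HANDLERS.get((schema.event_type, schema.schema_name, schema.major))
    if handler is None:
        raise ValueError(f"unsupported schema or major version: {raw!r}")
    return handler


if __name__ == "__main__":
    print(parse_message_schema("event/alert-updated; version=1;"))
    print(parse_message_schema("event/alert-updated; version=2-beta.1;"))
    print(route({"X-Message-Schema": "event/alert-rate-changed; version=1;"}))
```

Messages that fail `route` should go to a dead-letter queue with the raw header attached, so a schema bump on the producer side shows up as a visible backlog instead of silently mis-parsed events.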

Examples

AlertUpdatedEvent
Payload
{
  "id": "5e7c6cf54b832e0018f191ad",
  "source": "QRadar",
  "sourceId": 296,
  "name": "Windows - Multiple failed logins same user same host",
  "description": "Customer Name - SmithCo\nAlert Name - Windows - Multiple failed logins same user same host\nSource Address - 10.6.100.82\nSource Host Name - PLYF-ASC\nSource Zone Name - RFC1918: 10.0.0.0-10.255.255.255\nDestination User Name - administrator\nDevice Address - 172.31.25.94\nDevice Host Name - ip-172-31-25-94.eu-central-1.compute.internal\nDevice Zone Name - RFC1918: 172.16.0.0-172.31.255.255\nDevice Vendor - Microsoft\nDevice Product - Microsoft Windows\nDevice Event Class Id - rule:105\n",
  "severity": "Medium",
  "created": "2019-08-24T14:15:22Z",
  "modified": "2019-08-24T14:15:22Z",
  "detected": "2019-08-24T14:15:22Z",
  "status": "New",
  "sourceUrl": "https://13.93.41.164/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=296",
  "company": "CompanyName",
  "useCase": "UC216 - EPP - Persistent Malware",
  "detectionRule": "WRONG_PASSWORD_3_ATTEMPTS",
  "killChain": [
    "Reconnaissance",
    "Weaponization",
    "Delivery"
  ],
  "mitreAttacks": [
    "T1003",
    "T1001",
    "T1595.001"
  ],
  "alertType": "CTI-Landscape",
  "threatType": "Phishing",
  "threatActors": [
    "Cyber Criminals",
    "Anonymous"
  ],
  "malwareTools": [
    "TrickBot",
    "IcedID",
    "Cobalt Strike"
  ],
  "ctiSourceUrls": [
    "https://blog.malwarebytes.com/someTopic"
  ],
  "recommendations": "Implement the attached IOCs in your security systems.",
  "categories": [
    "Ransomware",
    "Phishing"
  ],
  "tags": [
    "Cloud-Computing",
    "Virus",
    "Phishing"
  ],
  "observableTags": [
    "Cloud-Computing",
    "Virus",
    "Phishing"
  ],
  "classification": "Phishing"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "event/alert-updated; version=1;"
}
This example has been generated automatically.

Sub cdcevents.alert.rate.changed

AlertRateChanged events

Subscribes to all "AlertRateChanged" events. These events are fired when an alert's rate is changed.

Accepts the following message:

Alert Rate Changed Event AlertRateChangedEvent

An alert's suspicious rate has changed

This event is fired when an alert's suspicious rate changes

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

alertId
required
string

The unique Alert ID as defined by CDC

source
required
string

The identifier of the source system from which this alert originated. Usually this is the name of the SIEM, but in some cases the alert may originate from another kind of system, such as an IT ticket management system.

sourceId
required
string

The ID of the alert, as defined in the source system. The combination of source + sourceId is guaranteed to be unique (a composite identifier)

sourceUrl
string
url

The URL of the alert, as defined in the source system. Note: not all alerts include this field

newValue
required
number,null
double >= 0 <= 100

The suspicious rate of the observable (higher is more suspicious), between 0 and 100.

This field is Nullable.

Null value meaning: Not enough data to calculate suspiciousRate, could be updated later.

Examples: 74.8 null
oldValue
required
number,null
double >= 0 <= 100

The suspicious rate of the observable (higher is more suspicious), between 0 and 100.

This field is Nullable.

Null value meaning: Not enough data to calculate suspiciousRate, could be updated later.

Examples: 74.8 null

Additional properties are allowed.
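Two things in the AlertRateChanged payload deserve explicit handling on the consumer side: eventId exists for idempotence and deduplication, and both rate fields are nullable, with null meaning "not enough data yet". The following is an added example for this page, not code from the CDC project. The escalation rule (act when the rate crosses a threshold upward) and the in-memory seen-set are hypothetical consumer choices; a real consumer would persist processed eventIds.

```python
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Set

# Required fields of AlertRateChangedEvent, as listed on this page.
REQUIRED = ("eventId", "eventTimestamp", "alertId", "source", "sourceId", "oldValue", "newValue")


def _rate(value: Any) -> Optional[float]:
    """Validate a nullable suspicious rate: null, or a number in [0, 100]."""
    if value is None:
        return None
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        raise ValueError(f"rate must be a number or null, got {value!r}")
    if not 0 <= value <= 100:
        raise ValueError(f"rate out of range [0, 100]: {value!r}")
    return float(value)


@dataclass
class RateChange:
    alert_id: str
    old: Optional[float]
    new: Optional[float]

    @property
    def delta(self) -> Optional[float]:
        # A delta only exists when both sides are known.
        if self.old is None or self.new is None:
            return None
        return self.new - self.old


class RateChangeConsumer:
    """Consumes AlertRateChanged payloads idempotently. The threshold rule is a
    hypothetical policy, not something the spec defines."""

    def __init__(self, threshold: float = 80.0) -> None:
        self.threshold = threshold
        self.seen: Set[str] = set()          # processed eventIds (persist this in practice)
        self.escalated: List[RateChange] = []
        self.pending: List[str] = []         # alerts whose rate cannot be computed yet

    def handle(self, payload: Dict[str, Any]) -> str:
        missing = [k for k in REQUIRED if k not in payload]
        if missing:
            raise ValueError(f"payload missing required fields: {missing}")
        event_id = payload["eventId"]
        if event_id in self.seen:
            return "duplicate"               # redelivery of an event already applied
        change = RateChange(payload["alertId"], _rate(payload["oldValue"]), _rate(payload["newValue"]))
        self.seen.add(event_id)              # mark seen only after validation passed
        if change.new is None:
            self.pending.append(change.alert_id)
            return "pending"                 # null: not enough data, may be updated later
        crossed_up = change.new >= self.threshold and (change.old is None or change.old < self.threshold)
        if crossed_up:
            self.escalated.append(change)
            return "escalated"
        return "recorded"


# Constructed sample events (not real CDC data); the second repeats an eventId.
_BASE = {"eventTimestamp": "2019-08-24T14:15:22Z", "alertId": "603cde4464522f260aacf14a",
         "source": "arcsight", "sourceId": "12345"}
SAMPLE_EVENTS = [
    {**_BASE, "eventId": "evt-0001", "oldValue": 40.0, "newValue": 85.5},
    {**_BASE, "eventId": "evt-0001", "oldValue": 40.0, "newValue": 85.5},
    {**_BASE, "eventId": "evt-0002", "oldValue": None, "newValue": None},
    {**_BASE, "eventId": "evt-0003", "oldValue": 85.5, "newValue": 90.0},
]


def run_sample() -> List[str]:
    consumer = RateChangeConsumer()
    return [consumer.handle(event) for event in SAMPLE_EVENTS]


if __name__ == "__main__":
    print(run_sample())
```

Marking the eventId as seen only after validation means a message that fails validation can be redelivered and retried once the consumer is fixed, while a successfully applied event is never applied twice.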

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/alert-rate-changed; version=1;"
alerts

Examples

AlertRateChangedEvent
Payload
{
  "eventId": "fb56d0ea-4a4c-4dd1-8bc1-b26b5fd6cf31",
  "eventTimestamp": "2019-08-24T14:15:22Z",
  "alertId": "603cde4464522f260aacf14a",
  "source": "arcsight",
  "sourceId": 12345,
  "sourceUrl": "https://13.93.41.164/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=263",
  "newValue": 74.8,
  "oldValue": 74.8
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "event/alert-rate-changed; version=1;"
}
This example has been generated automatically.

Sub cdcevents.alert.reopened

AlertReopened events

Subscribes to all "AlertReopened" events. These events are fired once an alert changes status from "Closed" or from "Resolved" (when the incident containing the alert was reopened).

Accepts the following message:

Alert Reopened Event AlertReopenedEvent

An alert was reopened

This event is fired when an alert is reopened

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

the user id as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

alertId
required
string

The unique Alert ID as defined by CDC

source
required
string

The identifier of the source system from which this alert originated. Usually this is the name of the SIEM, but in some cases the alert may originate from another kind of system, such as an IT ticket management system.

sourceId
required
string

The ID of the alert, as defined in the source system. The combination of source + sourceId is guaranteed to be unique (a composite identifier)

sourceUrl
string
url

The URL of the alert, as defined in the source system. Note: not all alerts include this field

statusBeforeReopen
required
string

Alert status before reopen

Enum: "Closed" "Resolved"
reopenReason
string

The reason why this alert was reopened, as provided by the analyst

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/alert-reopened; version=1;"
alerts

Examples

AlertReopenedEvent
Payload
{
  "eventId": "fb56d0ea-4a4c-4dd1-8bc1-b26b5fd6cf31",
  "eventTimestamp": "2019-08-24T14:15:22Z",
  "initiatedBy": {
    "id": "5fc8fbcd52c2b20011446797",
    "displayName": "John Doe",
    "email": "john.doe@gmail.com",
    "group": "L1"
  },
  "alertId": "603cde4464522f260aacf14a",
  "source": "arcsight",
  "sourceId": 12345,
  "sourceUrl": "https://13.93.41.164/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=263",
  "statusBeforeReopen": "Closed",
  "reopenReason": "Windows — Multiple failed logins different users same host irrelevant"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "event/alert-reopened; version=1;"
}
This example has been generated automatically.

Sub cdcevents.alert.rawdata.appended

AlertRawDataAppended events

Subscribes to all "AlertRawDataAppended" events. These events are fired when raw data is appended to an alert.

Accepts the following message:

Alert Raw Data Appended Event AlertRawDataAppendedEvent

Raw data appended to alert

This event is fired when raw data is appended to an alert

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

the user id as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

alertId
required
string

The unique Alert ID as defined by CDC

rawDataItemId
required
string

Appended raw data id

externalId
string

Raw data external id. Can be used for idempotence and deduplication

created
required
string
date-time

Creation timestamp

modified
required
string
date-time

Last modification timestamp

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/alert-raw-data-appended; version=1;"
alerts

Examples

AlertRawDataAppendedEvent
Payload
{
  "eventId": "fb56d0ea-4a4c-4dd1-8bc1-b26b5fd6cf31",
  "eventTimestamp": "2019-08-24T14:15:22Z",
  "initiatedBy": {
    "id": "5fc8fbcd52c2b20011446797",
    "displayName": "John Doe",
    "email": "john.doe@gmail.com",
    "group": "L1"
  },
  "alertId": "603cde4464522f260aacf14a",
  "rawDataItemId": "string",
  "externalId": "string",
  "created": "2019-08-24T14:15:22Z",
  "modified": "2019-08-24T14:15:22Z"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "event/alert-raw-data-appended; version=1;"
}
This example has been generated automatically.

Sub cdcevents.alert.message.added

AlertMessageAdded events

Subscribes to all "AlertMessageAdded" events. These events are fired once a message is added to an alert.

Accepts the following message:

Alert Message Added Event AlertMessageAddedEvent

A message added to alert

This event is fired when a message is added to an alert in CDC

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

the user id as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

alertId
required
string

The unique Alert ID as defined by CDC

source
required
string

The identifier of the source system from which this alert originated. Usually this is the name of the SIEM, but in some cases the alert may originate from another kind of system, such as an IT ticket management system.

sourceId
required
string

The ID of the alert, as defined in the source system. The combination of source + sourceId is guaranteed to be unique (a composite identifier)

sourceUrl
string
url

The URL of the alert, as defined in the source system. Note: not all alerts include this field

messageId
required
string

Alert messageId

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/alert-message-added; version=1;"
alerts

Examples

AlertMessageAddedEvent
Payload
{
  "eventId": "fb56d0ea-4a4c-4dd1-8bc1-b26b5fd6cf31",
  "eventTimestamp": "2019-08-24T14:15:22Z",
  "initiatedBy": {
    "id": "5fc8fbcd52c2b20011446797",
    "displayName": "John Doe",
    "email": "john.doe@gmail.com",
    "group": "L1"
  },
  "alertId": "603cde4464522f260aacf14a",
  "source": "arcsight",
  "sourceId": 12345,
  "sourceUrl": "https://13.93.41.164/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=263",
  "messageId": "string"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "event/alert-message-added; version=1;"
}
This example has been generated automatically.

Sub cdcevents.alert.owner.changed

AlertOwnerChanged events

Subscribes to all "AlertOwnerChanged" events. These events are fired once an alert's owner has changed.

Accepts the following message:

Alert Owner Changed Event AlertOwnerChangedEvent

An alert's owner was changed

This event is fired when an alert's owner is changed in CDC

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

the user id as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

alertId
required
string

The unique Alert ID as defined by CDC

source
required
string

The identifier of the source system from which this alert originated. Usually this is the name of the SIEM, but in some cases the alert may originate from another kind of system, such as an IT ticket management system.

sourceId
required
string

The ID of the alert, as defined in the source system. The combination of source + sourceId is guaranteed to be unique (a composite identifier)

sourceUrl
string
url

The URL of the alert, as defined in the source system. Note: not all alerts include this field

assigneeId
required
string,null
BSON ObjectId

Alert owner assignee Id

This field is Nullable.

Null value meaning: The owner was removed from an alert.

Examples: "60ef0707447dc03cf1ce8ed3" null

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/alert-owner-changed; version=1;"
alerts

Examples

AlertOwnerChangedEvent
Payload
{
  "eventId": "fb56d0ea-4a4c-4dd1-8bc1-b26b5fd6cf31",
  "eventTimestamp": "2019-08-24T14:15:22Z",
  "initiatedBy": {
    "id": "5fc8fbcd52c2b20011446797",
    "displayName": "John Doe",
    "email": "john.doe@gmail.com",
    "group": "L1"
  },
  "alertId": "603cde4464522f260aacf14a",
  "source": "arcsight",
  "sourceId": 12345,
  "sourceUrl": "https://13.93.41.164/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=263",
  "assigneeId": "60ef0707447dc03cf1ce8ed3"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "event/alert-owner-changed; version=1;"
}
This example has been generated automatically.

Sub cdcevents.alert.company.changed

AlertCompanyChanged events

Subscribes to all "AlertCompanyChanged" events.

These events are fired when an alert's company has changed.

Accepts the following message:

Alert Company Changed Event AlertCompanyChangedEvent

An alert's company has changed

This event is fired when an alert's company changes

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

the user id as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

alertId
required
string

The unique Alert ID as defined by CDC

source
required
string

The identifier of the source system from which this alert originated. Usually this is the name of the SIEM, but in some cases the alert may originate from another kind of system, such as an IT ticket management system.

sourceId
required
string

The ID of the alert, as defined in the source system. The combination of source + sourceId is guaranteed to be unique (a composite identifier)

sourceUrl
string
url

The URL of the alert, as defined in the source system. Note: not all alerts include this field

status
string

Alert status

Enum: "New" "In incident" "Closed" "Resolved"
company
required
string,null

The new (current) name of the company / division to which this alert belongs.

This field is Nullable.

Null value meaning: The company was removed from the alert.

Examples: "CompanyName" null

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/alert-company-changed; version=1;"
alerts

Examples

AlertCompanyChangedEvent
Payload
{
  "eventId": "fb56d0ea-4a4c-4dd1-8bc1-b26b5fd6cf31",
  "eventTimestamp": "2019-08-24T14:15:22Z",
  "initiatedBy": {
    "id": "5fc8fbcd52c2b20011446797",
    "displayName": "John Doe",
    "email": "john.doe@gmail.com",
    "group": "L1"
  },
  "alertId": "603cde4464522f260aacf14a",
  "source": "arcsight",
  "sourceId": 12345,
  "sourceUrl": "https://13.93.41.164/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=263",
  "status": "New",
  "company": "CompanyName"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "event/alert-company-changed; version=1;"
}
This example has been generated automatically.

Sub cdcevents.alert.observable.added

AlertObservableAdded events

Subscribes to all "AlertObservableAdded" events, which are fired whenever an observable is added to an alert

Accepts the following message:

Alert Observables Added AlertObservablesAdded

Observables were added to the alert

This event is fired when observables are added to an alert. If multiple observables are added in a single API call, then a single event will be fired

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

the user id as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

alertId
required
string

The unique Alert ID as defined by CDC

source
required
string

The identifier of the source system from which this alert originated. Usually this is the name of the SIEM, but in some cases the alert may originate from another kind of system, such as an IT ticket management system.

sourceId
required
string

The ID of the alert, as defined in the source system. The combination of source + sourceId is guaranteed to be unique (a composite identifier)

sourceUrl
string
url

The URL of the alert, as defined in the source system. Note: not all alerts include this field

observables
required
array<object>
>= 1 items Unique

The list of observables that were added to the alert

type
required
string

The type of the observable

value
required
string

The value of the observable

Additional items are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/alert-observable-added; version=1;"
alerts observables

Examples

AlertObservablesAdded
Payload
{
  "eventId": "fb56d0ea-4a4c-4dd1-8bc1-b26b5fd6cf31",
  "eventTimestamp": "2019-08-24T14:15:22Z",
  "initiatedBy": {
    "id": "5fc8fbcd52c2b20011446797",
    "displayName": "John Doe",
    "email": "john.doe@gmail.com",
    "group": "L1"
  },
  "alertId": "603cde4464522f260aacf14a",
  "source": "arcsight",
  "sourceId": 12345,
  "sourceUrl": "https://13.93.41.164/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=263",
  "observables": [
    {
      "type": "IPv4 Address",
      "value": "192.168.40.45"
    }
  ]
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "event/alert-observable-added; version=1;"
}
This example has been generated automatically.

Sub cdcevents.alert.tags.added

AlertTagsAdded events

Subscribes to all "AlertTagsAdded" events, which are fired whenever tags are added to an alert

Accepts the following message:

Alert Tags Added AlertTagsAdded

Tags were added to the alert

This event is fired when tags are added to an alert. If multiple tags are added in a single API call, then a single event will be fired

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

the user id as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

alertId
required
string

The unique Alert ID as defined by CDC

source
required
string

The identifier of the source system from which this alert originated. Usually this is the name of the SIEM, but in some cases the alert may originate from another kind of system, such as an IT ticket management system.

sourceId
required
string

The ID of the alert, as defined in the source system. The combination of source + sourceId is guaranteed to be unique (a composite identifier)

sourceUrl
string
url

The URL of the alert, as defined in the source system. Note: not all alerts include this field

addedItems
required
array<string>
Unique

The list of tags that were added to the alert

Items:

0
string

Additional items are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/alert-tags-added; version=1;"
alerts

Examples

AlertTagsAdded
Payload
{
  "eventId": "fb56d0ea-4a4c-4dd1-8bc1-b26b5fd6cf31",
  "eventTimestamp": "2019-08-24T14:15:22Z",
  "initiatedBy": {
    "id": "5fc8fbcd52c2b20011446797",
    "displayName": "John Doe",
    "email": "john.doe@gmail.com",
    "group": "L1"
  },
  "alertId": "603cde4464522f260aacf14a",
  "source": "arcsight",
  "sourceId": 12345,
  "sourceUrl": "https://13.93.41.164/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=263",
  "addedItems": [
    "Malware",
    "Data Breach",
    "Passive Attack"
  ]
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "event/alert-tags-added; version=1;"
}
This example has been generated automatically.

Sub cdcevents.alert.detail.changed

AlertDetailChanged events

Subscribes to all "AlertDetailChanged" events.

These events are fired when an alert's detail has changed.

Accepts the following message:

Alert Detail Changed Event AlertDetailChangedEvent

An alert's detail has changed

This event is fired when an alert's detail changes.

The possible fields are name, description, severity, useCase, company and detectionRule. These fields are informational only; they are not tied to any flow or operation.

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

the user id as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

alertId
required
string

The unique Alert ID as defined by CDC

source
required
string

The identifier of the source system from which this alert originated. Usually this is the name of the SIEM, but in some cases the alert may originate from another kind of system, such as an IT ticket management system.

sourceId
required
string

The ID of the alert, as defined in the source system. The combination of source + sourceId is guaranteed to be unique (a composite identifier)

sourceUrl
string
url

The URL of the alert, as defined in the source system. Note: not all alerts include this field

name
object
oldValue
required
string

The previous alert name

newValue
required
string

The new (current) alert name

Additional properties are allowed.

description
object
oldValue
required
string

The previous alert description

newValue
required
string

The new (current) alert description

Additional properties are allowed.

company
object
oldValue
required
string,null

The previous name of the company / division to which this alert belongs.

This field is Nullable.

Null value meaning: The company was not attached to the alert, or was removed from it.

Examples: "CompanyName" null
newValue
required
string,null

The new (current) name of the company / division to which this alert belongs.

This field is Nullable.

Null value meaning: The company was removed from the alert.

Examples: "CompanyName2" null

Additional properties are allowed.

severity
object
oldValue
required
string

The previous alert severity

newValue
required
string

The new (current) alert severity

Additional properties are allowed.

useCase
object
oldValue
required
string

The previous alert useCase

newValue
required
string

The new (current) alert useCase

Additional properties are allowed.

detectionRule
object
oldValue
required
string

The previous alert detectionRule

newValue
required
string

The new (current) alert detectionRule

Additional properties are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and in lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version is important, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/alert-detail-changed; version=1;"
alerts
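
As an added example (not part of the spec), a Python parser for the X-Message-Schema grammar described above, plus a fail-closed check that an event consumer accepts only the event schemas documented in this section at the major version it was written for. The KNOWN_EVENT_SCHEMAS registry and the rule that a consumer pins the major version are assumptions of this example, not behaviour the spec prescribes.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# X-Message-Schema grammar as described in the spec:
#   {event-type}/{schema-name}; version={version}({-stage});
# schema-name is lowercase and dash-separated; the version is the integer
# major, optionally followed by "-" and dot-separated pre-release identifiers.
_HEADER_RE = re.compile(
    r"^\s*(?P<type>[a-z]+)/(?P<name>[a-z0-9]+(?:-[a-z0-9]+)*)\s*;\s*"
    r"version=(?P<major>\d+)"
    r"(?:-(?P<stage>[0-9a-zA-Z]+(?:\.[0-9a-zA-Z]+)*))?\s*;?\s*$"
)

# Event schemas documented in this section, pinned to the major version this
# consumer was written against. Assumption of this example: consumers pin majors.
KNOWN_EVENT_SCHEMAS: Dict[str, int] = {
    "alert-detail-changed": 1,
    "alert-evidence-added": 1,
    "alert-evidence-removed": 1,
    "incident-alert-added": 1,
    "incident-alert-removed": 1,
    "incident-associated-with-company": 1,
    "incident-closed": 1,
    "incident-created": 1,
}


@dataclass(frozen=True)
class MessageSchema:
    event_type: str        # e.g. "event"
    schema_name: str       # e.g. "incident-closed"
    major: int             # e.g. 1
    stage: Optional[str]   # pre-release identifiers such as "beta.1", or None


def parse_message_schema(header: str) -> MessageSchema:
    """Parse an X-Message-Schema value; raise ValueError if it violates the grammar."""
    m = _HEADER_RE.match(header)
    if m is None:
        raise ValueError(f"malformed X-Message-Schema header: {header!r}")
    return MessageSchema(m["type"], m["name"], int(m["major"]), m["stage"])


def accept_event_header(header: str) -> MessageSchema:
    """Fail closed: accept only documented event schemas at the expected major.

    A command routed to an event consumer by mistake, an unknown schema, or a
    new major version (which may change field semantics) is rejected rather
    than being processed with the wrong parser. A pre-release stage at the
    expected major is accepted; callers can inspect `stage` if they care.
    """
    schema = parse_message_schema(header)
    if schema.event_type != "event":
        raise ValueError(f"not an event message: {header!r}")
    expected = KNOWN_EVENT_SCHEMAS.get(schema.schema_name)
    if expected is None:
        raise ValueError(f"unknown event schema: {schema.schema_name}")
    if schema.major != expected:
        raise ValueError(
            f"{schema.schema_name}: got major {schema.major}, consumer supports {expected}"
        )
    return schema


if __name__ == "__main__":
    print(accept_event_header("event/alert-detail-changed; version=1;"))
```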

Examples

AlertDetailChangedEvent
Payload
{
  "eventId": "fb56d0ea-4a4c-4dd1-8bc1-b26b5fd6cf31",
  "eventTimestamp": "2019-08-24T14:15:22Z",
  "initiatedBy": {
    "id": "5fc8fbcd52c2b20011446797",
    "displayName": "John Doe",
    "email": "john.doe@gmail.com",
    "group": "L1"
  },
  "alertId": "603cde4464522f260aacf14a",
  "source": "arcsight",
  "sourceId": 12345,
  "sourceUrl": "https://13.93.41.164/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=263",
  "name": {
    "oldValue": "Alert 2234",
    "newValue": "Alert 123"
  },
  "description": {
    "oldValue": "Windows - Multiple failed logins same user same host\nSource Address - 10.1.200.60\nSource Host Name - HTZ-ADC1\n",
    "newValue": "Invalid:\nWindows - Multiple failed logins same user same host\nSource Address - 10.1.200.60\nSource Host Name - HTZ-ADC1  \n"
  },
  "company": {
    "oldValue": "CompanyName",
    "newValue": "CompanyName2"
  },
  "severity": {
    "oldValue": "High",
    "newValue": "Low"
  },
  "useCase": {
    "oldValue": "UC216 - EPP - Persistent Malware",
    "newValue": "UC218 - EPP - Wrong Password"
  },
  "detectionRule": {
    "oldValue": "WRONG_PASSWORD_3_ATTEMPTS",
    "newValue": "WRONG_PASSWORD_5_ATTEMPTS"
  }
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "event/alert-detail-changed; version=1;"
}
This example has been generated automatically.

Sub cdcevents.alert.evidence.added

AlertEvidenceAdded events

Subscribes to all "AlertEvidenceAdded" events. These events are fired when an evidence is added to an alert.

Accepts the following message:

Alert Evidence Added AlertEvidenceAdded

Evidence was added to or removed from the alert

This event is fired when an evidence is added to an alert.

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

The user ID as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

alertId
required
string

The unique Alert ID as defined by CDC

source
required
string

The identifier of the source system from which this alert originated. Usually this is the name of the SIEM, but in some cases the alert may originate from some other kind of system, such as an IT ticketing system.

sourceId
required
string

The ID of the alert, as defined in the source system. The combination of source + sourceId is guaranteed to be unique (a composite identifier)

sourceUrl
string
url

The URL of the alert, as defined in the source system. Note: not all alerts include this field

evidence
required
object

Validations:

  • When creating text evidence, the following fields should be provided: caption, description (type="TEXT")
  • When creating evidence from a message, the following fields should be provided: caption, messageId or externalId (type="TEXT")
  • When creating evidence of another custom type, the following fields should be provided: type, data
id
required
string

A unique, machine-oriented ID identifying this evidence.

caption
string

The caption of the evidence

name
deprecated
string

The name property is deprecated and kept for backwards compatibility; use the caption property instead.

description
string

The evidence description. Note that this field may contain HTML tags.

type
required
string

The type of evidence

Enum: "TEXT" "ALERT_OWNER_ASSIGNED" "ALERT_OWNER_REMOVED" "ALERT_STATUS_CHANGED" "ALERT_ATTACHED_TO_INCIDENT" "ALERT_AUTOMATION_JOB_ENDED" "ALERT_AUTOMATION_JOB_STARTED" "ALERT_CLOSED" "ALERT_DETACHED_FROM_INCIDENT" "ALERT_DETECTED" "ALERT_RESOLVED" "ALERT_INCIDENT_CREATED" "ALERT_PLAYBOOK_STEP_COMPLETED" "ALERT_REOPENED" "ALERT_ATTACHED_TO_INCIDENT_BY_GROUPING_RULE" "MITRE_ATTACK_ADDED" "MITRE_ATTACK_REMOVED" "INCIDENT_ALERT_ADDED" "INCIDENT_ALERT_REMOVED" "INCIDENT_CREATED" "INCIDENT_CLOSED" "INCIDENT_REOPENED" "INCIDENT_STATUS_CHANGED" "INCIDENT_COMPANY_CHANGED" "INCIDENT_SEVERITY_CHANGED" "INCIDENT_PRIORITY_CHANGED" "INCIDENT_TYPE_CHANGED" "INCIDENT_OWNER_CHANGED" "INCIDENT_ESCALATED" "INCIDENT_ESCALATION_REVOKED" "INCIDENT_ESCALATION_ACCEPTED" "INCIDENT_ESCALATION_REMINDER_SENT" "PLAYBOOK_ADDED" "PLAYBOOK_STEP_COMPLETED" "PLAYBOOK_USER_INPUT_REQUIRED" "PLAYBOOK_EVIDENCES_PROVIDED" "PLAYBOOK_TERMINATED"
data
oneOf
0
object
alertId
string

The unique Alert ID as defined by CDC

alertName
string

The name of the alert

incidentId
string

The unique Incident ID as defined by CDC

incidentName
string

The name of the incident

ruleTitle
string

The name of the grouping rule by which the alert was attached to the incident

groupingRules
array<object>
matchValue
array<string>

Items:

0
string

A value to match against the alert field

Additional items are allowed.

fieldName
required
string

The alert field name used by the grouping mechanism

operator
required
string

The operator used to compare fieldName with matchValue

Enum: "allOf" "oneOf" "equal"

Additional items are allowed.

Additional properties are allowed.

created
required
string
date-time

Timestamp of when the evidence was created

reported
required
string
date-time

Timestamp of when the evidence was reported (could be different than the evidence creation timestamp)

messageId
string

The ID of the message this evidence was created from

messageCdcUrl
string
url

The URL of the message in the CDC application that this evidence was created from.

guiUrl
deprecated
string
url

The guiUrl property is deprecated and kept for backwards compatibility; use the messageCdcUrl property instead.

externalId
string

The identifier of the evidence, as it appears in external systems, mostly used to achieve idempotence

Additional properties are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and in lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version is important, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/alert-evidence-added; version=1;"
alerts evidence

Examples

AlertEvidenceAdded
Payload
{
  "eventId": "fb56d0ea-4a4c-4dd1-8bc1-b26b5fd6cf31",
  "eventTimestamp": "2019-08-24T14:15:22Z",
  "initiatedBy": {
    "id": "5fc8fbcd52c2b20011446797",
    "displayName": "John Doe",
    "email": "john.doe@gmail.com",
    "group": "L1"
  },
  "alertId": "603cde4464522f260aacf14a",
  "source": "arcsight",
  "sourceId": 12345,
  "sourceUrl": "https://13.93.41.164/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=263",
  "evidence": {
    "id": "5aa4d8fcbdee5a000a911882",
    "caption": "Priority changed",
    "name": "Priority changed",
    "description": "System Admin has changed priority from Low to Medium",
    "type": "MITRE_ATTACK_ADDED",
    "data": {
      "alertId": "603cde4464522f260aacf14a",
      "alertName": "Windows - Multiple failed logins same user same host",
      "incidentId": "5a92dbb61487fe0007fa4fd5",
      "incidentName": "Windows - Multiple failed logins same user same host",
      "ruleTitle": "Phishing",
      "groupingRules": [
        {
          "matchValue": [
            "mailware"
          ],
          "fieldName": "classification",
          "operator": "oneOf"
        }
      ]
    },
    "created": "2019-08-24T14:15:22Z",
    "reported": "2019-08-24T14:15:22Z",
    "messageId": "string",
    "messageCdcUrl": "https://acme.cyberproof.io/home/incidents/5ea71bb363f6c6001707663b/evidence/5ea71bb363f6c6001707254a",
    "guiUrl": "https://acme.cyberproof.io/home/incidents/5ea71bb363f6c6001707663b/evidence/5ea71bb363f6c6001707254a",
    "externalId": "345ffe9a"
  }
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "event/alert-evidence-added; version=1;"
}
This example has been generated automatically.

Sub cdcevents.alert.evidence.removed

AlertEvidenceRemoved events

Subscribes to all "AlertEvidenceRemoved" events. These events are fired when an evidence is removed from an alert.

Accepts the following message:

Alert Evidence Removed AlertEvidenceRemoved

Evidence was added to or removed from the alert

This event is fired when an evidence is removed from an alert.

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

The user ID as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

alertId
required
string

The unique Alert ID as defined by CDC

source
required
string

The identifier of the source system from which this alert originated. Usually this is the name of the SIEM, but in some cases the alert may originate from some other kind of system, such as an IT ticketing system.

sourceId
required
string

The ID of the alert, as defined in the source system. The combination of source + sourceId is guaranteed to be unique (a composite identifier)

sourceUrl
string
url

The URL of the alert, as defined in the source system. Note: not all alerts include this field

evidence
required
object

Validations:

  • When creating text evidence, the following fields should be provided: caption, description (type="TEXT")
  • When creating evidence from a message, the following fields should be provided: caption, messageId or externalId (type="TEXT")
  • When creating evidence of another custom type, the following fields should be provided: type, data
id
required
string

A unique, machine-oriented ID identifying this evidence.

caption
string

The caption of the evidence

name
deprecated
string

The name property is deprecated and kept for backwards compatibility; use the caption property instead.

description
string

The evidence description. Note that this field may contain HTML tags.

type
required
string

The type of evidence

Enum: "TEXT" "ALERT_OWNER_ASSIGNED" "ALERT_OWNER_REMOVED" "ALERT_STATUS_CHANGED" "ALERT_ATTACHED_TO_INCIDENT" "ALERT_AUTOMATION_JOB_ENDED" "ALERT_AUTOMATION_JOB_STARTED" "ALERT_CLOSED" "ALERT_DETACHED_FROM_INCIDENT" "ALERT_DETECTED" "ALERT_RESOLVED" "ALERT_INCIDENT_CREATED" "ALERT_PLAYBOOK_STEP_COMPLETED" "ALERT_REOPENED" "ALERT_ATTACHED_TO_INCIDENT_BY_GROUPING_RULE" "MITRE_ATTACK_ADDED" "MITRE_ATTACK_REMOVED" "INCIDENT_ALERT_ADDED" "INCIDENT_ALERT_REMOVED" "INCIDENT_CREATED" "INCIDENT_CLOSED" "INCIDENT_REOPENED" "INCIDENT_STATUS_CHANGED" "INCIDENT_COMPANY_CHANGED" "INCIDENT_SEVERITY_CHANGED" "INCIDENT_PRIORITY_CHANGED" "INCIDENT_TYPE_CHANGED" "INCIDENT_OWNER_CHANGED" "INCIDENT_ESCALATED" "INCIDENT_ESCALATION_REVOKED" "INCIDENT_ESCALATION_ACCEPTED" "INCIDENT_ESCALATION_REMINDER_SENT" "PLAYBOOK_ADDED" "PLAYBOOK_STEP_COMPLETED" "PLAYBOOK_USER_INPUT_REQUIRED" "PLAYBOOK_EVIDENCES_PROVIDED" "PLAYBOOK_TERMINATED"
data
oneOf
0
object
alertId
string

The unique Alert ID as defined by CDC

alertName
string

The name of the alert

incidentId
string

The unique Incident ID as defined by CDC

incidentName
string

The name of the incident

ruleTitle
string

The name of the grouping rule by which the alert was attached to the incident

groupingRules
array<object>
matchValue
array<string>

Items:

0
string

A value to match against the alert field

Additional items are allowed.

fieldName
required
string

The alert field name used by the grouping mechanism

operator
required
string

The operator used to compare fieldName with matchValue

Enum: "allOf" "oneOf" "equal"

Additional items are allowed.

Additional properties are allowed.

created
required
string
date-time

Timestamp of when the evidence was created

reported
required
string
date-time

Timestamp of when the evidence was reported (could be different than the evidence creation timestamp)

messageId
string

The ID of the message this evidence was created from

messageCdcUrl
string
url

The URL of the message in the CDC application that this evidence was created from.

guiUrl
deprecated
string
url

The guiUrl property is deprecated and kept for backwards compatibility; use the messageCdcUrl property instead.

externalId
string

The identifier of the evidence, as it appears in external systems, mostly used to achieve idempotence

Additional properties are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and in lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version is important, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/alert-evidence-removed; version=1;"
alerts evidence

Examples

AlertEvidenceRemoved
Payload
{
  "eventId": "fb56d0ea-4a4c-4dd1-8bc1-b26b5fd6cf31",
  "eventTimestamp": "2019-08-24T14:15:22Z",
  "initiatedBy": {
    "id": "5fc8fbcd52c2b20011446797",
    "displayName": "John Doe",
    "email": "john.doe@gmail.com",
    "group": "L1"
  },
  "alertId": "603cde4464522f260aacf14a",
  "source": "arcsight",
  "sourceId": 12345,
  "sourceUrl": "https://13.93.41.164/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=263",
  "evidence": {
    "id": "5aa4d8fcbdee5a000a911882",
    "caption": "Priority changed",
    "name": "Priority changed",
    "description": "System Admin has changed priority from Low to Medium",
    "type": "MITRE_ATTACK_ADDED",
    "data": {
      "alertId": "603cde4464522f260aacf14a",
      "alertName": "Windows - Multiple failed logins same user same host",
      "incidentId": "5a92dbb61487fe0007fa4fd5",
      "incidentName": "Windows - Multiple failed logins same user same host",
      "ruleTitle": "Phishing",
      "groupingRules": [
        {
          "matchValue": [
            "mailware"
          ],
          "fieldName": "classification",
          "operator": "oneOf"
        }
      ]
    },
    "created": "2019-08-24T14:15:22Z",
    "reported": "2019-08-24T14:15:22Z",
    "messageId": "string",
    "messageCdcUrl": "https://acme.cyberproof.io/home/incidents/5ea71bb363f6c6001707663b/evidence/5ea71bb363f6c6001707254a",
    "guiUrl": "https://acme.cyberproof.io/home/incidents/5ea71bb363f6c6001707663b/evidence/5ea71bb363f6c6001707254a",
    "externalId": "345ffe9a"
  }
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "event/alert-evidence-removed; version=1;"
}
This example has been generated automatically.

Sub cdcevents.incident.alert.added

AlertAddedToIncident events

Subscribes to all "AlertAddedToIncident" events. These events are fired when an alert is added (attached) to an incident. For the opposite event, see the "AlertRemovedFromIncident" event.

Guarantees

  • For alerts added to an incident using the queued "AddAlertsToIncident" API call, this event provides an "at least once" delivery guarantee.
  • For alerts added to an incident using the public REST API or the internal REST API (via the CDC GUI), this event provides an "at most once" delivery guarantee.

Notes

  • An alert is supposed to be attached to zero or one incidents at any given moment. However, unresolved concurrency bugs in CDC may result in the same alert being attached to multiple incidents at the same time.
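
An added example (not the project's code) of a consumer built around the guarantees and note above: it deduplicates on eventId, since the queued path is at-least-once, tracks each alert's current incident attachments from AlertAddedToIncident and AlertRemovedFromIncident events, and flags any alert that ends up attached to more than one incident. The eventIds and the second incident ID are constructed; the alert and first incident IDs are taken from the page's examples.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Schema part of X-Message-Schema for the two events this consumer handles.
ADDED = "event/incident-alert-added"
REMOVED = "event/incident-alert-removed"


def schema_of(headers: dict) -> str:
    """Return '{event-type}/{schema-name}' from X-Message-Schema, dropping '; version=...;'."""
    return headers["X-Message-Schema"].split(";", 1)[0].strip()


@dataclass
class AlertIncidentTracker:
    # eventIds already processed. The queued path is at-least-once, so a
    # redelivered event must be recognised and skipped. A production consumer
    # would back this with a store that expires old ids instead of a set.
    seen_event_ids: Set[str] = field(default_factory=set)
    # alertId -> incidentIds the alert is currently attached to (should be 0 or 1).
    attachments: Dict[str, Set[str]] = field(default_factory=dict)
    # (alertId, sorted incidentIds) recorded each time an alert is seen attached
    # to more than one incident, which the spec says can happen.
    anomalies: List[Tuple[str, List[str]]] = field(default_factory=list)

    def handle(self, headers: dict, payload: dict) -> str:
        schema = schema_of(headers)
        if schema not in (ADDED, REMOVED):
            raise ValueError(f"unexpected schema on this consumer: {schema}")

        event_id = payload["eventId"]
        if event_id in self.seen_event_ids:
            return "duplicate"          # idempotent: redelivery changes nothing
        self.seen_event_ids.add(event_id)

        alert_id = payload["alertId"]
        incident_id = payload["incidentId"]
        incidents = self.attachments.setdefault(alert_id, set())
        if schema == ADDED:
            incidents.add(incident_id)
            if len(incidents) > 1:
                self.anomalies.append((alert_id, sorted(incidents)))
                return "multi-attached"
            return "attached"
        incidents.discard(incident_id)  # REMOVED; tolerate a removal we never saw added
        return "detached"


def replay(events: List[Tuple[dict, dict]]) -> Tuple[List[str], AlertIncidentTracker]:
    """Feed (headers, payload) pairs through a fresh tracker; return outcomes and state."""
    tracker = AlertIncidentTracker()
    return [tracker.handle(h, p) for h, p in events], tracker


def _event(schema: str, event_id: str, alert_id: str, incident_id: str) -> Tuple[dict, dict]:
    # Constructed minimal message: only the fields this consumer reads. The real
    # event also carries eventTimestamp, initiatedBy, source, sourceId,
    # incidentKey and incidentExternalIds.
    return ({"X-Message-Schema": f"{schema}; version=1;"},
            {"eventId": event_id, "alertId": alert_id, "incidentId": incident_id})


ALERT = "603cde4464522f260aacf14a"        # alertId from the page's example payload
INCIDENT_A = "5a92dbb61487fe0007fa4fd5"   # incidentId from the page's example payload
INCIDENT_B = "constructed-incident-id-b"  # constructed second incident for the anomaly case

SAMPLE_EVENTS = [
    _event(ADDED, "evt-1", ALERT, INCIDENT_A),    # first attachment
    _event(ADDED, "evt-1", ALERT, INCIDENT_A),    # same eventId redelivered by the queue
    _event(ADDED, "evt-2", ALERT, INCIDENT_B),    # now attached to two incidents at once
    _event(REMOVED, "evt-3", ALERT, INCIDENT_A),  # back to exactly one incident
]

if __name__ == "__main__":
    outcomes, tracker = replay(SAMPLE_EVENTS)
    print(outcomes)           # ['attached', 'duplicate', 'multi-attached', 'detached']
    print(tracker.anomalies)
```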

Accepts the following message:

Alert Added To Incident Event AlertAddedToIncidentEvent

An alert was added to an incident

This event is fired when an alert is added to an incident.

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

The user ID as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

alertId
required
string

The unique Alert ID as defined by CDC

source
required
string

The identifier of the source system from which this alert originated. Usually this is the name of the SIEM, but in some cases the alert may originate from some other kind of system, such as an IT ticketing system.

sourceId
required
string

The ID of the alert, as defined in the source system. The combination of source + sourceId is guaranteed to be unique (a composite identifier)

incidentId
required
string

The unique Incident ID as defined by CDC

incidentKey
required
string

The incident's unique key

incidentExternalIds
required
array<object>

Incident's external identifiers

system
string

The name of the external system

id
string

The entity's identifier in the external system

Additional items are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and in lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version is important, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/incident-alert-added; version=1;"
alerts incidents

Examples

AlertAddedToIncidentEvent
Payload
{
  "eventId": "fb56d0ea-4a4c-4dd1-8bc1-b26b5fd6cf31",
  "eventTimestamp": "2019-08-24T14:15:22Z",
  "initiatedBy": {
    "id": "5fc8fbcd52c2b20011446797",
    "displayName": "John Doe",
    "email": "john.doe@gmail.com",
    "group": "L1"
  },
  "alertId": "603cde4464522f260aacf14a",
  "source": "arcsight",
  "sourceId": 12345,
  "incidentId": "5a92dbb61487fe0007fa4fd5",
  "incidentKey": "CDC-20200924-00003",
  "incidentExternalIds": [
    {
      "system": "SILVA",
      "id": "QAZ-5432"
    },
    {
      "system": "DMYSTO",
      "id": "04328df"
    }
  ]
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "event/incident-alert-added; version=1;"
}
This example has been generated automatically.

Sub cdcevents.incident.alert.removed

AlertRemovedFromIncident events

Subscribes to all "AlertRemovedFromIncident" events. These events are fired when an alert is removed (detached) from an incident. For the opposite event, see the "AlertAddedToIncident" event.

Accepts the following message:

Alert Removed From Incident Event AlertRemovedFromIncidentEvent

An alert was removed from an incident

This event is fired when an alert is removed from an incident.

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

The user ID as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

alertId
required
string

The unique Alert ID as defined by CDC

source
required
string

The identifier of the source system from which this alert originated. Usually this is the name of the SIEM, but in some cases the alert may originate from some other kind of system, such as an IT ticketing system.

sourceId
required
string

The ID of the alert, as defined in the source system. The combination of source + sourceId is guaranteed to be unique (a composite identifier)

incidentId
required
string

The unique Incident ID as defined by CDC

incidentKey
required
string

The incident's unique key

incidentExternalIds
required
array<object>

Incident's external identifiers

system
string

The name of the external system

id
string

The entity's identifier in the external system

Additional items are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and in lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version is important, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/incident-alert-removed; version=1;"
alerts incidents

Examples

AlertRemovedFromIncidentEvent
Payload
{
  "eventId": "fb56d0ea-4a4c-4dd1-8bc1-b26b5fd6cf31",
  "eventTimestamp": "2019-08-24T14:15:22Z",
  "initiatedBy": {
    "id": "5fc8fbcd52c2b20011446797",
    "displayName": "John Doe",
    "email": "john.doe@gmail.com",
    "group": "L1"
  },
  "alertId": "603cde4464522f260aacf14a",
  "source": "arcsight",
  "sourceId": 12345,
  "incidentId": "5a92dbb61487fe0007fa4fd5",
  "incidentKey": "CDC-20200924-00003",
  "incidentExternalIds": [
    {
      "system": "SILVA",
      "id": "QAZ-5432"
    },
    {
      "system": "DMYSTO",
      "id": "04328df"
    }
  ]
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "event/incident-alert-removed; version=1;"
}
This example has been generated automatically.

Sub cdcevents.incident.company.associated

IncidentAssociatedWithCompany events

Subscribes to all "IncidentAssociatedWithCompany" events. These events are fired when an incident is associated with a company: both on initial association and on association changes. Note that most tenants do not use the "company" feature.

Accepts the following message:

Incident Associated with Company IncidentAssociatedWithCompany

An incident was associated with a company

This event is fired when an incident is associated with a company (both upon initial association, and upon changes to the association)

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

The user ID as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

incidentId
required
string

The unique Incident ID as defined by CDC

incidentKey
required
string

The incident's unique key

incidentExternalIds
required
array<object>

Incident's external identifiers

system
string

The name of the external system

id
string

The entity's identifier in the external system

Additional items are allowed.

oldValue
required
string,null

The previous name of the company / division to which this alert belongs.

This field is Nullable.

Null value meaning: The company was not attached or removed from alert.

Examples: "CompanyName" null

newValue
required
string

Name of the company / division to which this incident or alert belongs.

Not to be confused with the "organization" field, which was used to distinguish between tenants and is deprecated.

Note that most customers don't use the "company" feature. Note that the value must be in the list of companies defined in the CDC database.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and in lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version is important, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/incident-associated-with-company; version=1;"
incidents

Examples

IncidentAssociatedWithCompany
Payload
{
  "eventId": "fb56d0ea-4a4c-4dd1-8bc1-b26b5fd6cf31",
  "eventTimestamp": "2019-08-24T14:15:22Z",
  "initiatedBy": {
    "id": "5fc8fbcd52c2b20011446797",
    "displayName": "John Doe",
    "email": "john.doe@gmail.com",
    "group": "L1"
  },
  "incidentId": "5a92dbb61487fe0007fa4fd5",
  "incidentKey": "CDC-20200924-00003",
  "incidentExternalIds": [
    {
      "system": "SILVA",
      "id": "QAZ-5432"
    },
    {
      "system": "DMYSTO",
      "id": "04328df"
    }
  ],
  "oldValue": null,
  "newValue": "CompanyName"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "event/incident-associated-with-company; version=1;"
}
This example has been generated automatically.

Sub cdcevents.incident.closed

IncidentClosed events

Subscribes to all "IncidentClosed" events. These events are fired when an incident is closed. Note that an incident may be closed, then reopened, then closed again; in such a case a second "Incident Closed" event will be fired.

Accepts the following message:

Incident Closed Event IncidentClosedEvent

An incident was closed

This event is fired when an incident is closed

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

The user ID as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

incidentId
required
string

The unique Incident ID as defined by CDC

incidentKey
required
string

The incident's unique key

incidentExternalIds
required
array<object>

Incident's external identifiers

system
string

The name of the external system

id
string

The entity's identifier in the external system

Additional items are allowed.

incidentName
required
string

The name of the incident

status
required
string
summary
required
object

Incident closure summary and survey

text
required
string

Incident closure summary

reason
string

Incident closure reason. Possible default values are: "Benign Positive", "True Positive", "False Positive - Incorrect alert logic", "False Positive - Inaccurate data" and "Undetermined".

Note: additional custom reasons may exist, but only if they are defined in CDC (metamodels).

survey
required
array<object>

Incident closure survey, which includes system-defined questions and the answers provided by the SOC analyst. If the incident is closed via the external API or by SeeMo, no survey will be included.

question
string

Survey question text

answer
string

Survey answer as provided by the SOC analyst

Additional items are allowed.

closedBy
required
string

The identifier of the user who closed the incident

Additional properties are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and in lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version is important, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/incident-closed; version=1;"
incidents

Examples

IncidentClosedEvent
Payload
{
  "eventId": "fb56d0ea-4a4c-4dd1-8bc1-b26b5fd6cf31",
  "eventTimestamp": "2019-08-24T14:15:22Z",
  "initiatedBy": {
    "id": "5fc8fbcd52c2b20011446797",
    "displayName": "John Doe",
    "email": "john.doe@gmail.com",
    "group": "L1"
  },
  "incidentId": "5a92dbb61487fe0007fa4fd5",
  "incidentKey": "CDC-20200924-00003",
  "incidentExternalIds": [
    {
      "system": "SILVA",
      "id": "QAZ-5432"
    },
    {
      "system": "DMYSTO",
      "id": "04328df"
    }
  ],
  "incidentName": "Windows - Multiple failed logins same user same host",
  "status": "string",
  "summary": {
    "text": "All Windows 7 endpoints were infected with a ransomware. We paid the ransom but no decryption key was provided.",
    "reason": "True Positive",
    "survey": [
      {
        "question": "Did you notify the CIO about this incident?",
        "answer": "Yes. He didn't take it very well."
      }
    ],
    "closedBy": "5fc8fbcd52c2b20011446797"
  }
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "event/incident-closed; version=1;"
}
This example has been generated automatically.

Sub cdcevents.incident.created

IncidentCreated events

Subscribes to all "IncidentCreated" events. These events are fired when a new incident is created.

Accepts the following message:

Incident Created Event IncidentCreatedEvent

A new incident was created

This event is fired when an incident is created

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

The user ID as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

incidentId
required
string

The unique Incident ID as defined by CDC

incidentKey
required
string

The incident's unique key

incidentExternalIds
required
array<object>

Incident's external identifiers

system
string

The name of the external system

id
string

The entity's identifier in the external system

Additional items are allowed.

name
required
string

The name of the incident

description
required
string
length <= 5000

Incident description. It cannot exceed 5000 characters; if it does, the command does not fail but the description is truncated.

priority
required
string

Incident priority

status
required
string

Incident status

Enum: "open" "pending" "closed"
company
string

Name of the company / division to which this incident or alert belongs.

Not to be confused with the "organization" field, which was used to distinguish between tenants and is deprecated.

Note that most customers don't use the "company" feature. The value must be one of the companies defined in the CDC database.

owner
required
object

The incident owner.

This field is Nullable.

A null value means the incident was created by a bot (automation) rather than by a user.

id
string

The user ID as defined in CDC

displayName
string

User display name

email
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

group
required
string

The name of the group (tier) to which this incident is assigned

type
required
string

Incident type

Examples: "Malware" "Unauthorized access"
tags
required
array<string>
Unique

Array of tags. A tag's name can contain only the following characters: letters, digits, "-", "_", ".", "#" and "@".

Tags are case-preserving on insertion: if the tag does not already exist with a different casing, it is saved with the casing specified. When used as query filters, tags are treated as case-insensitive.

Items:

0
string
must match ^\S*$

Additional items are allowed.
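The tag rules above (restricted character set, no whitespace, case-preserving storage with case-insensitive matching) are easy to get subtly wrong in a consumer that mirrors incidents into its own store. The following is an added example, not code from the CDC API or CyberProof; it implements those rules as a small tag set and validator. The ASCII-only letter class, rejection of the empty string (which `^\S*$` alone would admit) and the constructed sample tags are assumptions made here, not taken from the page.

```python
import re

# Tag grammar as documented for the "tags" field: letters, digits,
# "-", "_", ".", "#", "@" only, and no whitespace (^\S*$).
# Assumption (not on the page): ASCII letters only and at least one character.
TAG_PATTERN = re.compile(r"^[A-Za-z0-9\-_.#@]+$")


class TagSet:
    """Unique tag collection with the documented casing rules.

    Insertion is case-preserving: the first casing seen for a tag is kept.
    Lookup is case-insensitive, so "Virus" and "virus" are the same tag; a
    later insert with different casing is a duplicate and does not change
    the stored casing.
    """

    def __init__(self):
        self._by_folded = {}  # casefolded tag -> tag as first inserted

    def add(self, tag):
        """Validate and insert; return the stored (canonical) casing."""
        if not isinstance(tag, str) or not TAG_PATTERN.match(tag):
            raise ValueError(f"invalid tag: {tag!r}")
        key = tag.casefold()
        if key not in self._by_folded:
            self._by_folded[key] = tag
        return self._by_folded[key]

    def contains(self, query):
        """Case-insensitive membership, as for query filters."""
        return query.casefold() in self._by_folded

    def tags(self):
        return list(self._by_folded.values())


def validate_tags(tags):
    """Split an incoming tags array into (accepted, rejected).

    Accepted tags are de-duplicated case-insensitively, keeping first casing.
    """
    ts = TagSet()
    rejected = []
    for t in tags:
        try:
            ts.add(t)
        except ValueError:
            rejected.append(t)
    return ts.tags(), rejected


# Constructed sample input (not from the page): mixed casing plus two tags
# that violate the grammar (embedded space, slash).
SAMPLE_TAGS = ["Cloud-Computing", "Virus", "virus", "Phishing",
               "bad tag", "a/b", "#apt29", "user@corp"]
```

`validate_tags(SAMPLE_TAGS)` keeps `Virus` once (the second, lowercase copy is treated as the same tag) and rejects `"bad tag"` and `"a/b"`; a consumer that instead stored tags verbatim would end up with two distinct tags that CDC treats as one.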

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage}); where the parenthesised -stage suffix is optional.

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately after the major version.

Const: "event/incident-created; version=1;"
incidents

Examples

IncidentCreatedEvent
Payload
{
  "eventId": "fb56d0ea-4a4c-4dd1-8bc1-b26b5fd6cf31",
  "eventTimestamp": "2019-08-24T14:15:22Z",
  "initiatedBy": {
    "id": "5fc8fbcd52c2b20011446797",
    "displayName": "John Doe",
    "email": "john.doe@gmail.com",
    "group": "L1"
  },
  "incidentId": "5a92dbb61487fe0007fa4fd5",
  "incidentKey": "CDC-20200924-00003",
  "incidentExternalIds": [
    {
      "system": "SILVA",
      "id": "QAZ-5432"
    },
    {
      "system": "DMYSTO",
      "id": "04328df"
    }
  ],
  "name": "Windows - Multiple failed logins same user same host",
  "description": "Windows - Multiple failed logins same user same host\nSource Address - 10.1.200.60\nSource Host Name - HTZ-ADC1\n",
  "priority": "High",
  "status": "open",
  "company": "CompanyName",
  "owner": {
    "id": "5fc8fbcd52c2b20011446797",
    "displayName": "John Doe",
    "email": "john.doe@gmail.com",
    "group": "L1"
  },
  "group": "L1",
  "type": "Malware",
  "tags": [
    "Cloud-Computing",
    "Virus",
    "Phishing"
  ]
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "event/incident-created; version=1;"
}
This example has been generated automatically.

Sub cdcevents.incident.description.changed

IncidentDescriptionChanged events

Subscribes to all "IncidentDescriptionChanged" events

Accepts the following message:

Incident Description Changed IncidentDescriptionChanged

Incident description has changed

This event is fired when the description of the incident is changed

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

The user ID as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

incidentId
required
string

The unique Incident ID as defined by CDC

incidentKey
required
string

The incident's unique key

incidentExternalIds
required
array<object>

Incident's external identifiers

system
string

The name of the external system

id
string

The entity's identifier in the external system

Additional items are allowed.

oldValue
required
string

The previous incident description

newValue
required
string

The new (current) incident description

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage}); where the parenthesised -stage suffix is optional.

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately after the major version.

Const: "event/incident-description-changed; version=1;"
incidents

Examples

IncidentDescriptionChanged
Payload
{
  "eventId": "fb56d0ea-4a4c-4dd1-8bc1-b26b5fd6cf31",
  "eventTimestamp": "2019-08-24T14:15:22Z",
  "initiatedBy": {
    "id": "5fc8fbcd52c2b20011446797",
    "displayName": "John Doe",
    "email": "john.doe@gmail.com",
    "group": "L1"
  },
  "incidentId": "5a92dbb61487fe0007fa4fd5",
  "incidentKey": "CDC-20200924-00003",
  "incidentExternalIds": [
    {
      "system": "SILVA",
      "id": "QAZ-5432"
    },
    {
      "system": "DMYSTO",
      "id": "04328df"
    }
  ],
  "oldValue": "Windows - Multiple failed logins same user same host\nSource Address - 10.1.200.60\nSource Host Name - HTZ-ADC1\n",
  "newValue": "Invalid:\nWindows - Multiple failed logins same user same host\nSource Address - 10.1.200.60\nSource Host Name - HTZ-ADC1\n"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "event/incident-description-changed; version=1;"
}
This example has been generated automatically.

Sub cdcevents.incident.evidence.added

IncidentEvidenceAdded events

Subscribes to all "IncidentEvidenceAdded" events. These events are fired when evidence is added to an incident.

Accepts the following message:

Incident Evidence Added IncidentEvidenceAdded

Evidence was added to the incident

This event is fired when evidence is added to an incident.

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

The user ID as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

incidentId
required
string

The unique Incident ID as defined by CDC

incidentKey
required
string

The incident's unique key

incidentExternalIds
required
array<object>

Incident's external identifiers

system
string

The name of the external system

id
string

The entity's identifier in the external system

Additional items are allowed.

evidence
required
object

Validations:

  • Text evidence (type="TEXT"): caption and description must be provided
  • Evidence created from a message (type="TEXT"): caption and either messageId or externalId must be provided
  • Evidence of any other (custom) type: type and data must be provided
id
required
string

A unique, machine-oriented ID identifying this evidence.

caption
string

The caption of the evidence

name
deprecated
string

Deprecated; kept for backwards compatibility. Use the caption property instead.

description
string

The evidence description. Note that this field may contain HTML tags; a consumer that renders it should sanitize or escape it rather than inject it as-is.

type
required
string

The type of evidence

Enum: "TEXT" "ALERT_OWNER_ASSIGNED" "ALERT_OWNER_REMOVED" "ALERT_STATUS_CHANGED" "ALERT_ATTACHED_TO_INCIDENT" "ALERT_AUTOMATION_JOB_ENDED" "ALERT_AUTOMATION_JOB_STARTED" "ALERT_CLOSED" "ALERT_DETACHED_FROM_INCIDENT" "ALERT_DETECTED" "ALERT_RESOLVED" "ALERT_INCIDENT_CREATED" "ALERT_PLAYBOOK_STEP_COMPLETED" "ALERT_REOPENED" "ALERT_ATTACHED_TO_INCIDENT_BY_GROUPING_RULE" "MITRE_ATTACK_ADDED" "MITRE_ATTACK_REMOVED" "INCIDENT_ALERT_ADDED" "INCIDENT_ALERT_REMOVED" "INCIDENT_CREATED" "INCIDENT_CLOSED" "INCIDENT_REOPENED" "INCIDENT_STATUS_CHANGED" "INCIDENT_COMPANY_CHANGED" "INCIDENT_SEVERITY_CHANGED" "INCIDENT_PRIORITY_CHANGED" "INCIDENT_TYPE_CHANGED" "INCIDENT_OWNER_CHANGED" "INCIDENT_ESCALATED" "INCIDENT_ESCALATION_REVOKED" "INCIDENT_ESCALATION_ACCEPTED" "INCIDENT_ESCALATION_REMINDER_SENT" "PLAYBOOK_ADDED" "PLAYBOOK_STEP_COMPLETED" "PLAYBOOK_USER_INPUT_REQUIRED" "PLAYBOOK_EVIDENCES_PROVIDED" "PLAYBOOK_TERMINATED"
data
oneOf
0
object
alertId
string

The unique Alert ID as defined by CDC

alertName
string

The name of the alert

incidentId
string

The unique Incident ID as defined by CDC

incidentName
string

The name of the incident

ruleTitle
string

The title of the grouping rule by which the alert was attached to the incident

groupingRules
array<object>
matchValue
array<string>

Items:

0
string

Value(s) to compare against the alert field

Additional items are allowed.

fieldName
required
string

The alert field evaluated by the grouping mechanism

operator
required
string

The operator used to compare fieldName with matchValue

Enum: "allOf" "oneOf" "equal"

Additional items are allowed.

Additional properties are allowed.

created
required
string
date-time

Timestamp of when the evidence was created

reported
required
string
date-time

Timestamp of when the evidence was reported (could be different than the evidence creation timestamp)

messageId
string

The ID of the message this evidence was created from

messageCdcUrl
string
url

The URL of the message in the CDC application that this evidence was created from.

guiUrl
deprecated
string
url

Deprecated; kept for backwards compatibility. Use the messageCdcUrl property instead.

externalId
string

The identifier of the evidence as it appears in the external system; mostly used to achieve idempotence.

Additional properties are allowed.

Additional properties are allowed.
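The evidence object above carries three conditional validation rules plus two deprecated properties (name and guiUrl) that older producers may still send. The following is an added example, not code from the CDC API or CyberProof: a consumer-side normalizer that maps the deprecated properties onto their replacements, and a validator that applies the three rules and the required fields. The evidence IDs, captions and timestamps in the sample objects are constructed for the example; the function names are this example's own.

```python
from typing import Dict, List

TEXT = "TEXT"


def normalize_evidence(ev: Dict) -> Dict:
    """Map deprecated properties onto their replacements.

    'name' is deprecated in favour of 'caption' and 'guiUrl' in favour of
    'messageCdcUrl'. Read the new property first and fall back to the old one
    only when the new one is absent, so a mixed fleet of producers still works.
    """
    out = dict(ev)
    if "caption" not in out and "name" in out:
        out["caption"] = out["name"]
    if "messageCdcUrl" not in out and "guiUrl" in out:
        out["messageCdcUrl"] = out["guiUrl"]
    return out


def validate_evidence(ev: Dict) -> List[str]:
    """Apply the documented rules; return a list of problems (empty = OK).

    - text evidence:           type == "TEXT", caption and description
    - evidence from a message: type == "TEXT", caption and messageId or externalId
    - any other (custom) type: type and data
    id, type, created and reported are required for every evidence object.
    """
    ev = normalize_evidence(ev)
    problems = []
    for field in ("id", "type", "created", "reported"):
        if not ev.get(field):
            problems.append(f"missing required field {field}")
    etype = ev.get("type")
    if etype == TEXT:
        if not ev.get("caption"):
            problems.append("TEXT evidence requires caption")
        from_message = bool(ev.get("messageId") or ev.get("externalId"))
        if not from_message and not ev.get("description"):
            problems.append("TEXT evidence requires description, or "
                            "messageId/externalId when created from a message")
    elif etype:
        if "data" not in ev:
            problems.append(f"{etype} evidence requires data")
    return problems


# Constructed sample evidence objects (IDs and texts are made up for this example).
_TS = "2019-08-24T14:15:22Z"
TEXT_EVIDENCE = {"id": "ev-1", "type": TEXT, "caption": "Analyst note",
                 "description": "Host isolated from network", "created": _TS, "reported": _TS}
MESSAGE_EVIDENCE = {"id": "ev-2", "type": TEXT, "caption": "From ticket",
                    "externalId": "345ffe9a", "created": _TS, "reported": _TS}
CUSTOM_MISSING_DATA = {"id": "ev-3", "type": "MITRE_ATTACK_ADDED",
                       "created": _TS, "reported": _TS}
LEGACY_EVIDENCE = {"id": "ev-4", "type": TEXT, "name": "Priority changed",
                   "description": "System Admin has changed priority from Low to Medium",
                   "guiUrl": "https://acme.cyberproof.io/home/incidents/x/evidence/y",
                   "created": _TS, "reported": _TS}
```

`MESSAGE_EVIDENCE` passes without a description because it carries an externalId, while `CUSTOM_MISSING_DATA` fails only on the missing data property. Because the description may contain HTML, a consumer displaying it outside CDC should run it through an HTML sanitizer (or escape it) after this step, not before, so that the validation sees the original value.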

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage}); where the parenthesised -stage suffix is optional.

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately after the major version.

Const: "event/incident-evidence-added; version=1;"
incidents evidence

Examples

IncidentEvidenceAdded
Payload
{
  "eventId": "fb56d0ea-4a4c-4dd1-8bc1-b26b5fd6cf31",
  "eventTimestamp": "2019-08-24T14:15:22Z",
  "initiatedBy": {
    "id": "5fc8fbcd52c2b20011446797",
    "displayName": "John Doe",
    "email": "john.doe@gmail.com",
    "group": "L1"
  },
  "incidentId": "5a92dbb61487fe0007fa4fd5",
  "incidentKey": "CDC-20200924-00003",
  "incidentExternalIds": [
    {
      "system": "SILVA",
      "id": "QAZ-5432"
    },
    {
      "system": "DMYSTO",
      "id": "04328df"
    }
  ],
  "evidence": {
    "id": "5aa4d8fcbdee5a000a911882",
    "caption": "Priority changed",
    "name": "Priority changed",
    "description": "System Admin has changed priority from Low to Medium",
    "type": "MITRE_ATTACK_ADDED",
    "data": {
      "alertId": "603cde4464522f260aacf14a",
      "alertName": "Windows - Multiple failed logins same user same host",
      "incidentId": "5a92dbb61487fe0007fa4fd5",
      "incidentName": "Windows - Multiple failed logins same user same host",
      "ruleTitle": "Phishing",
      "groupingRules": [
        {
          "matchValue": [
            "mailware"
          ],
          "fieldName": "classification",
          "operator": "oneOf"
        }
      ]
    },
    "created": "2019-08-24T14:15:22Z",
    "reported": "2019-08-24T14:15:22Z",
    "messageId": "string",
    "messageCdcUrl": "https://acme.cyberproof.io/home/incidents/5ea71bb363f6c6001707663b/evidence/5ea71bb363f6c6001707254a",
    "guiUrl": "https://acme.cyberproof.io/home/incidents/5ea71bb363f6c6001707663b/evidence/5ea71bb363f6c6001707254a",
    "externalId": "345ffe9a"
  }
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "event/incident-evidence-added; version=1;"
}
This example has been generated automatically.

Sub cdcevents.incident.evidence.removed

IncidentEvidenceRemoved events

Subscribes to all "IncidentEvidenceRemoved" events. These events are fired when evidence is removed from an incident.

Accepts the following message:

Incident Evidence Removed IncidentEvidenceRemoved

Evidence was removed from the incident

This event is fired when evidence is removed from an incident.

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

The user ID as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

incidentId
required
string

The unique Incident ID as defined by CDC

incidentKey
required
string

The incident's unique key

incidentExternalIds
required
array<object>

Incident's external identifiers

system
string

The name of the external system

id
string

The entity's identifier in the external system

Additional items are allowed.

evidence
required
object

Validations:

  • Text evidence (type="TEXT"): caption and description must be provided
  • Evidence created from a message (type="TEXT"): caption and either messageId or externalId must be provided
  • Evidence of any other (custom) type: type and data must be provided
id
required
string

A unique, machine-oriented ID identifying this evidence.

caption
string

The caption of the evidence

name
deprecated
string

Deprecated; kept for backwards compatibility. Use the caption property instead.

description
string

The evidence description. Note that this field may contain HTML tags; a consumer that renders it should sanitize or escape it rather than inject it as-is.

type
required
string

The type of evidence

Enum: "TEXT" "ALERT_OWNER_ASSIGNED" "ALERT_OWNER_REMOVED" "ALERT_STATUS_CHANGED" "ALERT_ATTACHED_TO_INCIDENT" "ALERT_AUTOMATION_JOB_ENDED" "ALERT_AUTOMATION_JOB_STARTED" "ALERT_CLOSED" "ALERT_DETACHED_FROM_INCIDENT" "ALERT_DETECTED" "ALERT_RESOLVED" "ALERT_INCIDENT_CREATED" "ALERT_PLAYBOOK_STEP_COMPLETED" "ALERT_REOPENED" "ALERT_ATTACHED_TO_INCIDENT_BY_GROUPING_RULE" "MITRE_ATTACK_ADDED" "MITRE_ATTACK_REMOVED" "INCIDENT_ALERT_ADDED" "INCIDENT_ALERT_REMOVED" "INCIDENT_CREATED" "INCIDENT_CLOSED" "INCIDENT_REOPENED" "INCIDENT_STATUS_CHANGED" "INCIDENT_COMPANY_CHANGED" "INCIDENT_SEVERITY_CHANGED" "INCIDENT_PRIORITY_CHANGED" "INCIDENT_TYPE_CHANGED" "INCIDENT_OWNER_CHANGED" "INCIDENT_ESCALATED" "INCIDENT_ESCALATION_REVOKED" "INCIDENT_ESCALATION_ACCEPTED" "INCIDENT_ESCALATION_REMINDER_SENT" "PLAYBOOK_ADDED" "PLAYBOOK_STEP_COMPLETED" "PLAYBOOK_USER_INPUT_REQUIRED" "PLAYBOOK_EVIDENCES_PROVIDED" "PLAYBOOK_TERMINATED"
data
oneOf
0
object
alertId
string

The unique Alert ID as defined by CDC

alertName
string

The name of the alert

incidentId
string

The unique Incident ID as defined by CDC

incidentName
string

The name of the incident

ruleTitle
string

The title of the grouping rule by which the alert was attached to the incident

groupingRules
array<object>
matchValue
array<string>

Items:

0
string

Value(s) to compare against the alert field

Additional items are allowed.

fieldName
required
string

The alert field evaluated by the grouping mechanism

operator
required
string

The operator used to compare fieldName with matchValue

Enum: "allOf" "oneOf" "equal"

Additional items are allowed.

Additional properties are allowed.

created
required
string
date-time

Timestamp of when the evidence was created

reported
required
string
date-time

Timestamp of when the evidence was reported (could be different than the evidence creation timestamp)

messageId
string

The ID of the message this evidence was created from

messageCdcUrl
string
url

The URL of the message in the CDC application that this evidence was created from.

guiUrl
deprecated
string
url

Deprecated; kept for backwards compatibility. Use the messageCdcUrl property instead.

externalId
string

The identifier of the evidence as it appears in the external system; mostly used to achieve idempotence.

Additional properties are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage}); where the parenthesised -stage suffix is optional.

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately after the major version.

Const: "event/incident-evidence-removed; version=1;"
incidents evidence

Examples

IncidentEvidenceRemoved
Payload
{
  "eventId": "fb56d0ea-4a4c-4dd1-8bc1-b26b5fd6cf31",
  "eventTimestamp": "2019-08-24T14:15:22Z",
  "initiatedBy": {
    "id": "5fc8fbcd52c2b20011446797",
    "displayName": "John Doe",
    "email": "john.doe@gmail.com",
    "group": "L1"
  },
  "incidentId": "5a92dbb61487fe0007fa4fd5",
  "incidentKey": "CDC-20200924-00003",
  "incidentExternalIds": [
    {
      "system": "SILVA",
      "id": "QAZ-5432"
    },
    {
      "system": "DMYSTO",
      "id": "04328df"
    }
  ],
  "evidence": {
    "id": "5aa4d8fcbdee5a000a911882",
    "caption": "Priority changed",
    "name": "Priority changed",
    "description": "System Admin has changed priority from Low to Medium",
    "type": "MITRE_ATTACK_ADDED",
    "data": {
      "alertId": "603cde4464522f260aacf14a",
      "alertName": "Windows - Multiple failed logins same user same host",
      "incidentId": "5a92dbb61487fe0007fa4fd5",
      "incidentName": "Windows - Multiple failed logins same user same host",
      "ruleTitle": "Phishing",
      "groupingRules": [
        {
          "matchValue": [
            "mailware"
          ],
          "fieldName": "classification",
          "operator": "oneOf"
        }
      ]
    },
    "created": "2019-08-24T14:15:22Z",
    "reported": "2019-08-24T14:15:22Z",
    "messageId": "string",
    "messageCdcUrl": "https://acme.cyberproof.io/home/incidents/5ea71bb363f6c6001707663b/evidence/5ea71bb363f6c6001707254a",
    "guiUrl": "https://acme.cyberproof.io/home/incidents/5ea71bb363f6c6001707663b/evidence/5ea71bb363f6c6001707254a",
    "externalId": "345ffe9a"
  }
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "event/incident-evidence-removed; version=1;"
}
This example has been generated automatically.

Sub cdcevents.incident.name.changed

IncidentNameChanged events

Subscribes to all "IncidentNameChanged" events

Accepts the following message:

Incident Name Changed IncidentNameChanged

Incident name has changed

This event is fired when the name of the incident is changed

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

The user ID as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

incidentId
required
string

The unique Incident ID as defined by CDC

incidentKey
required
string

The incident's unique key

incidentExternalIds
required
array<object>

Incident's external identifiers

system
string

The name of the external system

id
string

The entity's identifier in the external system

Additional items are allowed.

oldValue
required
string

The previous incident name

newValue
required
string

The new (current) incident name

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage}); where the parenthesised -stage suffix is optional.

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately after the major version.

Const: "event/incident-name-changed; version=1;"
incidents

Examples

IncidentNameChanged
Payload
{
  "eventId": "fb56d0ea-4a4c-4dd1-8bc1-b26b5fd6cf31",
  "eventTimestamp": "2019-08-24T14:15:22Z",
  "initiatedBy": {
    "id": "5fc8fbcd52c2b20011446797",
    "displayName": "John Doe",
    "email": "john.doe@gmail.com",
    "group": "L1"
  },
  "incidentId": "5a92dbb61487fe0007fa4fd5",
  "incidentKey": "CDC-20200924-00003",
  "incidentExternalIds": [
    {
      "system": "SILVA",
      "id": "QAZ-5432"
    },
    {
      "system": "DMYSTO",
      "id": "04328df"
    }
  ],
  "oldValue": "Windows - Multiple failed logins same user same host",
  "newValue": "Windows - Multiple failed logins same user same host myhostname.com"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "event/incident-name-changed; version=1;"
}
This example has been generated automatically.

Sub cdcevents.incident.observable.added

IncidentObservableAdded events

Subscribes to all "IncidentObservableAdded" events, which are fired whenever an observable is added to an incident

Accepts the following message:

Incident Observables Added IncidentObservablesAdded

Observables were added to the incident

This event is fired when observables are added to an incident. If multiple observables are added in a single API call, a single event is fired.

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

The user ID as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

incidentId
required
string

The unique Incident ID as defined by CDC

incidentKey
required
string

The incident's unique key

incidentExternalIds
required
array<object>

Incident's external identifiers

system
string

The name of the external system

id
string

The entity's identifier in the external system

Additional items are allowed.

observables
required
array<object>
>= 1 items Unique
type
required
string

The type of the observable

value
required
string

The value of the observable

Additional items are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage}); where the parenthesised -stage suffix is optional.

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately after the major version.

Const: "event/incident-observable-added; version=1;"
incidents observables

Examples

IncidentObservablesAdded
Payload
{
  "eventId": "fb56d0ea-4a4c-4dd1-8bc1-b26b5fd6cf31",
  "eventTimestamp": "2019-08-24T14:15:22Z",
  "initiatedBy": {
    "id": "5fc8fbcd52c2b20011446797",
    "displayName": "John Doe",
    "email": "john.doe@gmail.com",
    "group": "L1"
  },
  "incidentId": "5a92dbb61487fe0007fa4fd5",
  "incidentKey": "CDC-20200924-00003",
  "incidentExternalIds": [
    {
      "system": "SILVA",
      "id": "QAZ-5432"
    },
    {
      "system": "DMYSTO",
      "id": "04328df"
    }
  ],
  "observables": [
    {
      "type": "IPv4 Address",
      "value": "192.168.40.45"
    }
  ]
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "event/incident-observable-added; version=1;"
}
This example has been generated automatically.

Sub cdcevents.incident.observable.removed

IncidentObservableRemoved events

Subscribes to all "IncidentObservableRemoved" events, which are fired whenever an observable is removed from an incident

Accepts the following message:

Incident Observables Removed IncidentObservablesRemoved

Observables were removed from the incident

This event is fired when observables are removed from an incident. If multiple observables are removed in a single API call, a single event is fired.

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

The user ID as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

incidentId
required
string

The unique Incident ID as defined by CDC

incidentKey
required
string

The incident's unique key

incidentExternalIds
required
array<object>

Incident's external identifiers

system
string

The name of the external system

id
string

The entity's identifier in the external system

Additional items are allowed.

observables
required
array<object>
>= 1 items Unique
type
required
string

The type of the observable

value
required
string

The value of the observable

Additional items are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage}); where the parenthesised -stage suffix is optional.

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately after the major version.

Const: "event/incident-observable-removed; version=1;"
incidents observables

Examples

IncidentObservablesRemoved
Payload
{
  "eventId": "fb56d0ea-4a4c-4dd1-8bc1-b26b5fd6cf31",
  "eventTimestamp": "2019-08-24T14:15:22Z",
  "initiatedBy": {
    "id": "5fc8fbcd52c2b20011446797",
    "displayName": "John Doe",
    "email": "john.doe@gmail.com",
    "group": "L1"
  },
  "incidentId": "5a92dbb61487fe0007fa4fd5",
  "incidentKey": "CDC-20200924-00003",
  "incidentExternalIds": [
    {
      "system": "SILVA",
      "id": "QAZ-5432"
    },
    {
      "system": "DMYSTO",
      "id": "04328df"
    }
  ],
  "observables": [
    {
      "type": "IPv4 Address",
      "value": "192.168.40.45"
    }
  ]
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "event/incident-observable-removed; version=1;"
}
This example has been generated automatically.

Sub cdcevents.incident.priority.changed

IncidentPriorityChanged events

Subscribes to all "IncidentPriorityChanged" events, which are fired whenever an incident's priority is changed

Accepts the following message:

Incident Priority Changed IncidentPriorityChanged

Incident priority has changed

This event is fired when the priority of the incident is changed

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

The user ID as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

incidentId
required
string

The unique Incident ID as defined by CDC

incidentKey
required
string

The incident's unique key

incidentExternalIds
required
array<object>

Incident's external identifiers

system
string

The name of the external system

id
string

The entity's identifier in the external system

Additional items are allowed.

oldValue
required
string

The previous incident priority

newValue
required
string

The new incident priority

alertId
string

The ID of the alert that triggered the incident priority change

reason
string

Reason for priority change

Enum: "ALERT_SEVERITY_CHANGED" "PRIORITY_CHANGED_ATTACHED_ALERT" "PRIORITY_CHANGED_MAPPING_NOT_FOUND"

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage}); where the parenthesised -stage suffix is optional.

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately after the major version.

Const: "event/incident-priority-changed; version=1;"
incidents
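Every event in this section carries the same X-Message-Schema header format and the same eventId contract ("can be used for idempotence and deduplication"). The following is an added example, not code from the CDC API or CyberProof, showing what a subscriber does with both: it parses the header, routes by (schema name, major version), refuses pre-release and unknown schemas instead of misparsing them, de-duplicates on eventId, and applies IncidentCreated and IncidentPriorityChanged to a local projection. The class and function names, the conflict handling for out-of-order priority changes, and the sample messages are this example's own; the sample values mirror the page's examples but are constructed, not captured traffic.

```python
import re
from typing import Dict, Optional, Tuple

# X-Message-Schema as documented on this page:
#   {event-type}/{schema-name}; version={major}[-stage];
# schema-name is lowercase and dash-separated; the optional pre-release
# stage is a hyphen plus dot-separated identifiers right after the major.
HEADER_RE = re.compile(
    r"^(?P<type>[a-z]+)/(?P<name>[a-z]+(?:-[a-z]+)*);\s*"
    r"version=(?P<major>\d+)(?:-(?P<stage>[0-9A-Za-z]+(?:\.[0-9A-Za-z]+)*))?;?$"
)


def parse_schema_header(value: str) -> Tuple[str, str, int, Optional[str]]:
    """Return (event_type, schema_name, major, stage); stage is None for a release."""
    m = HEADER_RE.match(value.strip())
    if m is None:
        raise ValueError(f"malformed X-Message-Schema: {value!r}")
    return m.group("type"), m.group("name"), int(m.group("major")), m.group("stage")


class IncidentProjection:
    """Local view of incidents fed by cdcevents.incident.* messages.

    Routing is by (schema name, major version): a message on a major this code
    was not written for is rejected rather than misparsed. eventId is used for
    deduplication because a queue may redeliver an event after a consumer
    crash or a missing ack.
    """

    def __init__(self):
        self.seen_event_ids = set()
        self.incidents = {}  # incidentId -> tracked fields
        self.handlers = {
            ("incident-created", 1): self._on_created,
            ("incident-priority-changed", 1): self._on_priority_changed,
        }

    def handle(self, headers: Dict[str, str], payload: Dict) -> str:
        try:
            etype, name, major, stage = parse_schema_header(headers.get("X-Message-Schema", ""))
        except ValueError as exc:
            return f"rejected: {exc}"
        if etype != "event":
            return f"rejected: unexpected event type {etype!r}"
        if stage is not None:
            # Pre-release schemas may still change shape; refuse them by default.
            return f"rejected: pre-release schema {name} v{major}-{stage}"
        handler = self.handlers.get((name, major))
        if handler is None:
            return f"rejected: unsupported schema {name} v{major}"
        event_id = payload["eventId"]
        if event_id in self.seen_event_ids:
            return "duplicate"
        self.seen_event_ids.add(event_id)
        return handler(payload)

    def _on_created(self, p: Dict) -> str:
        self.incidents[p["incidentId"]] = {
            "key": p["incidentKey"], "name": p["name"],
            "status": p["status"], "priority": p["priority"],
        }
        return "created"

    def _on_priority_changed(self, p: Dict) -> str:
        inc = self.incidents.get(p["incidentId"])
        if inc is None:
            return "ignored: unknown incident"
        if inc["priority"] != p["oldValue"]:
            # Events are not guaranteed to arrive in order; flag instead of overwriting.
            return f"conflict: have {inc['priority']}, event expected {p['oldValue']}"
        inc["priority"] = p["newValue"]
        return "priority-updated"


# Constructed sample messages (values mirror the page's examples; not captured traffic).
CREATED_HEADERS = {"X-Message-Schema": "event/incident-created; version=1;"}
CREATED_EVENT = {
    "eventId": "fb56d0ea-4a4c-4dd1-8bc1-b26b5fd6cf31",
    "incidentId": "5a92dbb61487fe0007fa4fd5", "incidentKey": "CDC-20200924-00003",
    "name": "Windows - Multiple failed logins same user same host",
    "status": "open", "priority": "High",
}
PRIORITY_HEADERS = {"X-Message-Schema": "event/incident-priority-changed; version=1;"}
PRIORITY_EVENT = {
    "eventId": "0d3b1e44-7c2a-4b8e-9f10-2a6c5d7e8f91",  # constructed
    "incidentId": "5a92dbb61487fe0007fa4fd5",
    "oldValue": "High", "newValue": "Low", "reason": "ALERT_SEVERITY_CHANGED",
}
PRERELEASE_HEADERS = {"X-Message-Schema": "event/incident-created; version=2-beta.1;"}
```

Feeding `CREATED_EVENT` twice yields `created` then `duplicate`; the priority change then moves the projection from High to Low, and replaying that same change under a fresh eventId is reported as a conflict because its oldValue no longer matches. Whether to reject or accept pre-release schemas is a deployment decision; the example refuses them so a staging schema cannot silently drive production state.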

Examples

IncidentPriorityChanged
Payload
{
  "eventId": "fb56d0ea-4a4c-4dd1-8bc1-b26b5fd6cf31",
  "eventTimestamp": "2019-08-24T14:15:22Z",
  "initiatedBy": {
    "id": "5fc8fbcd52c2b20011446797",
    "displayName": "John Doe",
    "email": "john.doe@gmail.com",
    "group": "L1"
  },
  "incidentId": "5a92dbb61487fe0007fa4fd5",
  "incidentKey": "CDC-20200924-00003",
  "incidentExternalIds": [
    {
      "system": "SILVA",
      "id": "QAZ-5432"
    },
    {
      "system": "DMYSTO",
      "id": "04328df"
    }
  ],
  "oldValue": "High",
  "newValue": "Low",
  "alertId": "Low",
  "reason": "ALERT_SEVERITY_CHANGED"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "event/incident-priority-changed; version=1;"
}
This example has been generated automatically.

Sub cdcevents.incident.redirection.accepted

IncidentRedirectionAccepted events

Subscribes to all "IncidentRedirectionAccepted" events, which are fired whenever an incident redirection is accepted by the target group

Accepts the following message:

Incident Redirection Accepted IncidentRedirectionAccepted

Incident redirection request has been accepted

This event is fired when an incident redirection request is accepted by the target group. Note that an incident may be redirected several times during its lifetime.

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

The user ID as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

incidentId
required
string

The unique Incident ID as defined by CDC

incidentKey
required
string

Incident unique key

incidentName
required
string

The name of the incident

incidentExternalIds
required
array<object>

Incident's external identifiers

system
string

The name of the external system

id
string

The entity's identifier in the external system

Additional items are allowed.

oldValue
required
object
owner
required
object

The user who owned this incident prior to the redirection

id
required
string

The user ID as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

group
required
string

The group to which the incident was assigned before the redirection (source group)

status
required
string

Incident status

Enum: "open" "pending" "closed"

Additional properties are allowed.

newValue
required
object
owner
required
object

The user who owns this incident after the redirection

id
required
string

The user ID as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

group
required
string

The group to which the incident was redirected (target group / destination group)

status
required
string

Incident status

Enum: "open" "pending" "closed"

Additional properties are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/incident-redirection-accepted; version=1;"

Examples

IncidentRedirectionAccepted
Payload
{
  "eventId": "fb56d0ea-4a4c-4dd1-8bc1-b26b5fd6cf31",
  "eventTimestamp": "2019-08-24T14:15:22Z",
  "initiatedBy": {
    "id": "5fc8fbcd52c2b20011446797",
    "displayName": "John Doe",
    "email": "john.doe@gmail.com",
    "group": "L1"
  },
  "incidentId": "5a92dbb61487fe0007fa4fd5",
  "incidentKey": "CDC-20200924-00003",
  "incidentName": "Windows - Multiple failed logins same user same host",
  "incidentExternalIds": [
    {
      "system": "SILVA",
      "id": "QAZ-5432"
    },
    {
      "system": "DMYSTO",
      "id": "04328df"
    }
  ],
  "oldValue": {
    "owner": {
      "id": "5fc8fbcd52c2b20011446797",
      "displayName": "John Doe",
      "email": "john.doe@gmail.com",
      "group": "L1"
    },
    "group": "L1",
    "status": "open"
  },
  "newValue": {
    "owner": {
      "id": "5fc8fbcd52c2b20011446797",
      "displayName": "John Doe",
      "email": "john.doe@gmail.com",
      "group": "L1"
    },
    "group": "L2",
    "status": "open"
  }
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "event/incident-redirection-accepted; version=1;"
}
This example has been generated automatically.

Sub cdcevents.incident.redirection.initiated

IncidentRedirectionInitiated events

Subscribes to all "IncidentRedirectionInitiated" events, which are fired whenever an incident redirection is initiated

Accepts the following message:

Incident Redirection Initiated IncidentRedirectionInitiated

Incident redirection request has been initiated

This event is fired when an incident redirection request is issued. Note that an incident may be redirected several times during its lifetime.

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

The user ID as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

incidentId
required
string

The unique Incident ID as defined by CDC

incidentKey
required
string

Incident unique key

incidentExternalIds
required
array<object>

Incident's external identifiers

system
string

The name of the external system

id
string

The entity's identifier in the external system

Additional items are allowed.

incidentName
required
string

The name of the incident

sourceGroup
required
string

The group to which the incident was assigned before the redirection

targetGroup
required
string

The group to which the incident is being redirected

reason
required
string

The reason for redirecting this incident

status
required
string

Incident status

Enum: "open" "pending" "closed"

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/incident-redirection-initiated; version=1;"

Examples

IncidentRedirectionInitiated
Payload
{
  "eventId": "fb56d0ea-4a4c-4dd1-8bc1-b26b5fd6cf31",
  "eventTimestamp": "2019-08-24T14:15:22Z",
  "initiatedBy": {
    "id": "5fc8fbcd52c2b20011446797",
    "displayName": "John Doe",
    "email": "john.doe@gmail.com",
    "group": "L1"
  },
  "incidentId": "5a92dbb61487fe0007fa4fd5",
  "incidentKey": "CDC-20200924-00003",
  "incidentExternalIds": [
    {
      "system": "SILVA",
      "id": "QAZ-5432"
    },
    {
      "system": "DMYSTO",
      "id": "04328df"
    }
  ],
  "incidentName": "Windows - Multiple failed logins same user same host",
  "sourceGroup": "L1",
  "targetGroup": "L2",
  "reason": "L1 is not allowed to mitigate DDoS attacks, L2 intervention is required",
  "status": "open"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "event/incident-redirection-initiated; version=1;"
}
This example has been generated automatically.

Sub cdcevents.incident.redirection.revoked

IncidentRedirectionRevoked events

Subscribes to all "IncidentRedirectionRevoked" events, which are fired whenever an incident redirection request is revoked.

Notes

Note that revocation occurs in all of the following scenarios:

  • A member of the target group rejects the redirection
  • A member of the source group cancels the redirection
  • A user with elevated permissions cancels the redirection

Accepts the following message:

Incident Redirection Revoked IncidentRedirectionRevoked

Incident redirection request has been revoked

This event is fired when an incident redirection request is revoked.

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

The user ID as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

incidentId
required
string

The unique Incident ID as defined by CDC

incidentKey
required
string

Incident unique key

incidentExternalIds
required
array<object>

Incident's external identifiers

system
string

The name of the external system

id
string

The entity's identifier in the external system

Additional items are allowed.

incidentName
required
string

The name of the incident

sourceGroup
required
string

The group to which the incident is assigned

targetGroup
required
string

The group to which the incident was being redirected

status
required
string

Incident status

Enum: "open" "pending" "closed"
reason
required
string

Analyst-provided reason for revoking the redirection request

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/incident-redirection-revoked; version=1;"

Examples

IncidentRedirectionRevoked
Payload
{
  "eventId": "fb56d0ea-4a4c-4dd1-8bc1-b26b5fd6cf31",
  "eventTimestamp": "2019-08-24T14:15:22Z",
  "initiatedBy": {
    "id": "5fc8fbcd52c2b20011446797",
    "displayName": "John Doe",
    "email": "john.doe@gmail.com",
    "group": "L1"
  },
  "incidentId": "5a92dbb61487fe0007fa4fd5",
  "incidentKey": "CDC-20200924-00003",
  "incidentExternalIds": [
    {
      "system": "SILVA",
      "id": "QAZ-5432"
    },
    {
      "system": "DMYSTO",
      "id": "04328df"
    }
  ],
  "incidentName": "Windows - Multiple failed logins same user same host",
  "sourceGroup": "L1",
  "targetGroup": "L2",
  "status": "open",
  "reason": "This is a trivial case of and invalid firewall rule that should be handled by L1"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "event/incident-redirection-revoked; version=1;"
}
This example has been generated automatically.
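
The three redirection events above (initiated, accepted, revoked) describe one lifecycle per incident, and a subscriber that consumes them has to reconcile them: an accept or revoke should match a pending request, the accepted group should equal the requested target group, and replayed deliveries must be discarded on eventId as the page documents. The tracker below is an added example written for this page, not code from the CDC API spec or from CyberProof. It assumes a consumer receives each message as a (headers, payload) pair matching the documented shapes; the sample events in demo() are constructed from the page's examples, and the incident ID "constructed-incident-2" is a placeholder.

```python
"""Track the incident redirection lifecycle across the three redirection events.

Added example, not code from the CDC API spec or from CyberProof. It assumes a
consumer receives each message as a (headers, payload) pair matching the shapes
documented above; the sample events in demo() are constructed from the page's
examples.
"""
from dataclasses import dataclass, field

INITIATED = "event/incident-redirection-initiated; version=1;"
ACCEPTED = "event/incident-redirection-accepted; version=1;"
REVOKED = "event/incident-redirection-revoked; version=1;"


@dataclass
class PendingRedirection:
    source_group: str
    target_group: str
    reason: str
    event_id: str


@dataclass
class RedirectionTracker:
    pending: dict = field(default_factory=dict)    # incidentId -> PendingRedirection
    seen: set = field(default_factory=set)         # eventIds already applied (dedup key)
    anomalies: list = field(default_factory=list)  # findings worth alerting on

    def handle(self, headers: dict, payload: dict) -> str:
        """Apply one event and return what happened to the incident's redirection."""
        event_id = payload["eventId"]
        if event_id in self.seen:  # the page documents eventId as the idempotence key
            return "duplicate"
        self.seen.add(event_id)

        schema = headers.get("X-Message-Schema")
        incident = payload["incidentId"]

        if schema == INITIATED:
            if incident in self.pending:
                self.anomalies.append(f"{incident}: initiated while a redirection is pending")
            self.pending[incident] = PendingRedirection(
                payload["sourceGroup"], payload["targetGroup"], payload["reason"], event_id)
            return "pending"

        if schema == ACCEPTED:
            request = self.pending.pop(incident, None)
            accepted_group = payload["newValue"]["group"]
            if request is None:
                self.anomalies.append(f"{incident}: accepted without a pending request")
            elif accepted_group != request.target_group:
                self.anomalies.append(
                    f"{incident}: accepted into {accepted_group}, target was {request.target_group}")
            return "accepted"

        if schema == REVOKED:
            request = self.pending.pop(incident, None)
            if request is None:
                self.anomalies.append(f"{incident}: revoked without a pending request")
            return "revoked"

        return "ignored"  # some other event type on the same subscription


def demo() -> RedirectionTracker:
    """Replay a constructed sequence: one clean redirection, one replay, one orphan accept."""
    tracker = RedirectionTracker()
    initiated = ({"X-Message-Schema": INITIATED}, {
        "eventId": "evt-1", "incidentId": "5a92dbb61487fe0007fa4fd5",
        "sourceGroup": "L1", "targetGroup": "L2",
        "reason": "L1 is not allowed to mitigate DDoS attacks, L2 intervention is required"})
    accepted = ({"X-Message-Schema": ACCEPTED}, {
        "eventId": "evt-2", "incidentId": "5a92dbb61487fe0007fa4fd5",
        "oldValue": {"group": "L1", "status": "open"},
        "newValue": {"group": "L2", "status": "open"}})
    orphan = ({"X-Message-Schema": ACCEPTED}, {  # constructed: accept with no request
        "eventId": "evt-3", "incidentId": "constructed-incident-2",
        "oldValue": {"group": "L1", "status": "open"},
        "newValue": {"group": "L2", "status": "open"}})
    for msg in (initiated, initiated, accepted, orphan):
        tracker.handle(*msg)
    return tracker


if __name__ == "__main__":
    t = demo()
    print("pending:", t.pending)
    print("anomalies:", t.anomalies)
```

The duplicate check runs before any state change, so a redelivered message from the broker never produces a second anomaly or a second pending entry; the anomaly list is what a SOC would route to a detection rule or a dashboard, since an accept with no matching request or into an unexpected group indicates either lost messages or an out-of-band change.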

Sub cdcevents.incident.reopened

IncidentReopened events

Subscribes to all "IncidentReopened" events, which are fired whenever a closed incident is reopened

Accepts the following message:

Incident Reopened IncidentReopened

Incident reopened

This event is fired when an incident that was closed has been reopened.

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

The user ID as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

incidentId
required
string

The unique Incident ID as defined by CDC

incidentKey
required
string

Incident unique key

incidentName
required
string

The name of the incident

incidentExternalIds
required
array<object>

Incident's external identifiers

system
string

The name of the external system

id
string

The entity's identifier in the external system

Additional items are allowed.

reason
required
string

The reason why this incident was reopened, as provided by the analyst

owner
required
object

The user who currently owns this incident (after it was reopened)

id
string

The user ID as defined in CDC

displayName
string

User display name

email
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

group
required
string

The group to which the incident is currently assigned (after it was reopened)

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/incident-reopened; version=1;"
Tags: incidents

Examples

IncidentReopened
Payload
{
  "eventId": "fb56d0ea-4a4c-4dd1-8bc1-b26b5fd6cf31",
  "eventTimestamp": "2019-08-24T14:15:22Z",
  "initiatedBy": {
    "id": "5fc8fbcd52c2b20011446797",
    "displayName": "John Doe",
    "email": "john.doe@gmail.com",
    "group": "L1"
  },
  "incidentId": "5a92dbb61487fe0007fa4fd5",
  "incidentKey": "CDC-20200924-00003",
  "incidentName": "Windows - Multiple failed logins same user same host",
  "incidentExternalIds": [
    {
      "system": "SILVA",
      "id": "QAZ-5432"
    },
    {
      "system": "DMYSTO",
      "id": "04328df"
    }
  ],
  "reason": "Newly-arriving alerts show this DDoS attack is still live",
  "owner": {
    "id": "5fc8fbcd52c2b20011446797",
    "displayName": "John Doe",
    "email": "john.doe@gmail.com",
    "group": "L1"
  },
  "group": "L1"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "event/incident-reopened; version=1;"
}
This example has been generated automatically.

Sub cdcevents.incident.tags.changed

IncidentTagsChanged events

Subscribes to all "IncidentTagsChanged" events, which are fired whenever tags are added or removed from an incident

Accepts the following message:

Incident Tags Changed IncidentTagsChanged

Incident tags changed

This event is fired when tags are added or removed from an incident

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

The user ID as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

incidentId
required
string

The unique Incident ID as defined by CDC

incidentKey
required
string

Incident unique key

incidentExternalIds
required
array<object>

Incident's external identifiers

system
string

The name of the external system

id
string

The entity's identifier in the external system

Additional items are allowed.

oldValue
required
array<string>
Unique

The incident tags prior to the change

Items:

0
string

Additional items are allowed.

newValue
required
array<string>
Unique

The incident tags after the change

Items:

0
string

Additional items are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/incident-tags-changed; version=1;"
Tags: incidents

Examples

IncidentTagsChanged
Payload
{
  "eventId": "fb56d0ea-4a4c-4dd1-8bc1-b26b5fd6cf31",
  "eventTimestamp": "2019-08-24T14:15:22Z",
  "initiatedBy": {
    "id": "5fc8fbcd52c2b20011446797",
    "displayName": "John Doe",
    "email": "john.doe@gmail.com",
    "group": "L1"
  },
  "incidentId": "5a92dbb61487fe0007fa4fd5",
  "incidentKey": "CDC-20200924-00003",
  "incidentExternalIds": [
    {
      "system": "SILVA",
      "id": "QAZ-5432"
    },
    {
      "system": "DMYSTO",
      "id": "04328df"
    }
  ],
  "oldValue": [
    "Virus",
    "Data Breach"
  ],
  "newValue": [
    "Malware",
    "Data Breach",
    "Passive Attack"
  ]
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "event/incident-tags-changed; version=1;"
}
This example has been generated automatically.
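
Both IncidentPriorityChanged (earlier on this page) and IncidentTagsChanged carry an oldValue/newValue pair and an initiatedBy that may be empty for system-driven changes; a subscriber that feeds an audit trail needs to turn those into flat records, diff the tag arrays (documented as Unique, so set semantics are exact) and check the priority-change reason against the documented enum. The code below is an added example for this page, not code from the CDC API spec or from CyberProof; it assumes the documented payload shapes, and the sample events in demo() are constructed from the page's examples ("constructed-alert-id" is a placeholder).

```python
"""Turn IncidentPriorityChanged and IncidentTagsChanged events into audit records.

Added example, not code from the CDC API spec or from CyberProof. It assumes
the payload shapes documented in the two event sections; the sample events in
demo() are constructed from the page's own examples.
"""
PRIORITY_CHANGED = "event/incident-priority-changed; version=1;"
TAGS_CHANGED = "event/incident-tags-changed; version=1;"
PRIORITY_REASONS = {
    "ALERT_SEVERITY_CHANGED",
    "PRIORITY_CHANGED_ATTACHED_ALERT",
    "PRIORITY_CHANGED_MAPPING_NOT_FOUND",
}


def tag_delta(old: list, new: list) -> dict:
    """Diff two tag arrays. Both are documented as Unique, so set semantics are
    exact; unique_violated records a producer that broke that constraint."""
    before, after = set(old), set(new)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "kept": sorted(before & after),
        "unique_violated": len(before) != len(old) or len(after) != len(new),
    }


def audit_record(headers: dict, payload: dict) -> dict:
    """One flat record per event, suitable for a SIEM or an audit index."""
    actor = payload.get("initiatedBy") or {}  # may be empty for system-initiated changes
    record = {
        "eventId": payload["eventId"],
        "at": payload["eventTimestamp"],
        "incidentKey": payload["incidentKey"],
        "actor": actor.get("email") or "<system>",
    }
    schema = headers.get("X-Message-Schema")
    if schema == PRIORITY_CHANGED:
        reason = payload.get("reason")  # optional in the schema
        record.update(
            kind="priority",
            old=payload["oldValue"],
            new=payload["newValue"],
            reason=reason,
            reason_in_enum=reason is None or reason in PRIORITY_REASONS,
            alertId=payload.get("alertId"),
        )
    elif schema == TAGS_CHANGED:
        record.update(kind="tags", **tag_delta(payload["oldValue"], payload["newValue"]))
    else:
        raise ValueError(f"unexpected schema {schema!r}")
    return record


def demo() -> list:
    actor = {"id": "5fc8fbcd52c2b20011446797", "displayName": "John Doe",
             "email": "john.doe@gmail.com", "group": "L1"}
    common = {"eventTimestamp": "2019-08-24T14:15:22Z",
              "incidentId": "5a92dbb61487fe0007fa4fd5", "incidentKey": "CDC-20200924-00003",
              "incidentExternalIds": []}
    priority = ({"X-Message-Schema": PRIORITY_CHANGED}, {
        **common, "eventId": "evt-p1", "initiatedBy": {},  # system-driven: no user
        "oldValue": "High", "newValue": "Low", "alertId": "constructed-alert-id",
        "reason": "ALERT_SEVERITY_CHANGED"})
    tags = ({"X-Message-Schema": TAGS_CHANGED}, {
        **common, "eventId": "evt-t1", "initiatedBy": actor,
        "oldValue": ["Virus", "Data Breach"],
        "newValue": ["Malware", "Data Breach", "Passive Attack"]})
    return [audit_record(*priority), audit_record(*tags)]


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

A reason outside the enum is recorded rather than rejected: the schema marks reason as optional and the enum may grow in a later schema version, so the record flags it for review instead of dropping the event.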

Sub cdcevents.observable.enriched

ObservableEnriched events

Subscribes to all "ObservableEnriched" events, which are fired whenever an observable has been enriched. Note that the same observable may be enriched multiple times, in which case multiple such events will be fired

Accepts the following message:

Observable Enriched ObservableEnriched

An observable has been enriched

This event is fired when an observable has been enriched with additional data from external information providers. Note that the same observable may be enriched multiple times.

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

The user ID as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

type
required
string

The type of the observable.

value
required
string

The value of the observable.

enrichments
required
array<object>
name
required
string
status
required
string

Enrichment status

Enum: "started" "completed" "failed"
suspiciousRate
required
number,null
double >= 0 <= 100

The suspicious rate of the observable (higher is more suspicious), between 0 and 100.

This field is Nullable.

Null value meaning: not enough data to calculate suspiciousRate; it may be updated later.

Examples: 74.8 null
suspiciousWeight
required
number
double
ttl
required
number
int32

Enrichment expiration, in seconds.

endDate
string
date-time
dataType
string
rawData
object

Raw data of completed enrichment

Additional properties are allowed.

reportedAt
string
date-time

The time when the enriched data was reported to the information provider

error
string

In case the enrichment failed, this field contains the error message

created
string
date-time

Enrichment creation timestamp

modified
string
date-time

Additional items are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/observable-enriched; version=1;"
Tags: observable enrichment observables

Examples

ObservableEnriched
Payload
{
  "eventId": "fb56d0ea-4a4c-4dd1-8bc1-b26b5fd6cf31",
  "eventTimestamp": "2019-08-24T14:15:22Z",
  "initiatedBy": {
    "id": "5fc8fbcd52c2b20011446797",
    "displayName": "John Doe",
    "email": "john.doe@gmail.com",
    "group": "L1"
  },
  "type": "IPv4 Address",
  "value": "192.168.17.6",
  "enrichments": [
    {
      "name": "ibm_xforce_enrich_ip_cli",
      "status": "started",
      "suspiciousRate": 74.8,
      "suspiciousWeight": 3,
      "ttl": 86400,
      "endDate": "2019-08-24T14:15:22Z",
      "dataType": "generic_post",
      "rawData": {},
      "reportedAt": "2019-08-24T14:15:22Z",
      "error": "Not Found",
      "created": "2019-08-24T14:15:22Z",
      "modified": "2019-08-24T14:15:22Z"
    }
  ]
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "event/observable-enriched; version=1;"
}
This example has been generated automatically.

Sub cdcevents.observable.rate.changed

ObservableRateChanged events

Subscribes to all "ObservableRateChanged" events, which are fired whenever an observable's suspicious rate is changed.

Accepts the following message:

Observable Rate Changed ObservableRateChanged

An observable's rate has changed

This event is fired when an observable's suspicious rate has changed.

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

type
required
string

The type of the observable.

value
required
string

The value of the observable.

newValue
required
number,null
double >= 0 <= 100

The suspicious rate of the observable (higher is more suspicious), between 0 and 100.

This field is Nullable.

Null value meaning: not enough data to calculate suspiciousRate; it may be updated later.

Examples: 74.8 null
oldValue
required
number,null
double >= 0 <= 100

The suspicious rate of the observable (higher is more suspicious), between 0 and 100.

This field is Nullable.

Null value meaning: not enough data to calculate suspiciousRate; it may be updated later.

Examples: 74.8 null

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/observable-rate-changed; version=1;"
Tags: observables

Examples

ObservableRateChanged
Payload
{
  "eventId": "fb56d0ea-4a4c-4dd1-8bc1-b26b5fd6cf31",
  "eventTimestamp": "2019-08-24T14:15:22Z",
  "type": "IPv4 Address",
  "value": "192.168.17.6",
  "newValue": 74.8,
  "oldValue": 74.8
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "event/observable-rate-changed; version=1;"
}
This example has been generated automatically.
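
The two observable events above have edge cases a consumer gets wrong easily: suspiciousRate is nullable, and the page defines null as "not enough data", so a null must never be compared as if it were 0; and each enrichment carries a ttl in seconds with created/modified timestamps, so its value has a shelf life. The code below is an added example for this page, not code from the CDC API spec or from CyberProof. The threshold of 70 and the rule that an enrichment expires at created plus ttl are assumptions for illustration; the sample values are taken from the page's examples, with the enrichment status set to "completed" so that expiry applies.

```python
"""Interpret observable events: nullable suspicious rates and enrichment TTLs.

Added example, not code from the CDC API spec or from CyberProof. The
threshold of 70 and the rule that an enrichment expires at created + ttl are
assumptions for illustration; the sample values come from the page's examples.
"""
from datetime import datetime, timedelta, timezone


def parse_ts(value: str) -> datetime:
    """Parse the RFC 3339 'Z' timestamps used throughout the CDC events."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify_rate_change(old, new, threshold: float = 70.0) -> str:
    """Describe an ObservableRateChanged transition.

    Null is documented as 'not enough data', so it must never be treated as 0:
    a null-to-number transition is a first rating, not an increase from zero.
    """
    for v in (old, new):
        if v is not None and not 0 <= v <= 100:
            raise ValueError(f"suspicious rate out of range: {v}")
    if old is None and new is None:
        return "still-unrated"
    if old is None:
        return "first-rating-suspicious" if new >= threshold else "first-rating"
    if new is None:
        return "rating-withdrawn"
    if new == old:
        return "unchanged"
    if old < threshold <= new:
        return "crossed-above-threshold"
    if new < threshold <= old:
        return "crossed-below-threshold"
    return "increased" if new > old else "decreased"


def enrichment_state(enrichment: dict, now: datetime) -> str:
    """Effective state of one ObservableEnriched entry at time `now`."""
    status = enrichment["status"]
    if status == "failed":
        return "failed: " + enrichment.get("error", "no error message")
    if status == "started":
        return "in-progress"
    if status != "completed":
        raise ValueError(f"unknown enrichment status {status!r}")
    created = enrichment.get("created")
    if created is None:
        return "completed"  # cannot compute expiry without the creation timestamp
    expires = parse_ts(created) + timedelta(seconds=enrichment["ttl"])
    return "expired" if now >= expires else "completed"


def demo() -> dict:
    enrichment = {  # constructed from the ObservableEnriched example, status set to completed
        "name": "ibm_xforce_enrich_ip_cli", "status": "completed",
        "suspiciousRate": 74.8, "suspiciousWeight": 3, "ttl": 86400,
        "created": "2019-08-24T14:15:22Z",
    }
    return {
        "page_example": classify_rate_change(74.8, 74.8),
        "first_rating": classify_rate_change(None, 74.8),
        "withdrawn": classify_rate_change(74.8, None),
        "crossed": classify_rate_change(60.0, 74.8),
        "fresh": enrichment_state(enrichment, parse_ts("2019-08-24T20:00:00Z")),
        "stale": enrichment_state(enrichment, parse_ts("2019-08-26T00:00:00Z")),
        "failed": enrichment_state({"status": "failed", "error": "Not Found", "ttl": 0},
                                   datetime.now(timezone.utc)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The page's own ObservableRateChanged example has oldValue equal to newValue (74.8 both), which this classifier reports as "unchanged"; a detection that only reacts to "crossed-above-threshold" and "first-rating-suspicious" therefore stays quiet on such no-op events and on null transitions.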

Sub cdcevents.grouping.settings.updated

GroupingSettingsUpdated events

Subscribes to all "GroupingSettingsUpdated" events. These events are fired when grouping settings are updated in CDC settings.

Accepts the following message:

Grouping Settings Updated GroupingSettingsUpdated

Grouping Settings were updated

This event is fired when Grouping Settings were updated

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

The user ID as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

incidentTimeLimit
required
number

Time limit in milliseconds: the window, counted from the incident's creation, within which alerts can be grouped into that incident.

maxAlertsPerIncident
required
number

Maximum number of alerts that can be attached to one incident.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/grouping-settings-updated; version=1;"
Tags: settings

Examples

GroupingSettingsUpdated
Payload
{
  "eventId": "fb56d0ea-4a4c-4dd1-8bc1-b26b5fd6cf31",
  "eventTimestamp": "2019-08-24T14:15:22Z",
  "initiatedBy": {
    "id": "5fc8fbcd52c2b20011446797",
    "displayName": "John Doe",
    "email": "john.doe@gmail.com",
    "group": "L1"
  },
  "incidentTimeLimit": 86400000,
  "maxAlertsPerIncident": 150
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "event/grouping-settings-updated; version=1;"
}
This example has been generated automatically.

Sub cdcevents.grouping.rules.rewritten

GroupingRulesRewritten events

Subscribes to all "GroupingRulesRewritten" events. These events are fired when grouping rules are rewritten in CDC settings.

Accepts the following message:

Grouping Rules Rewritten GroupingRulesRewritten

Grouping Rules were rewritten

This event is fired when Grouping Rules were rewritten

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

The user ID as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/grouping-rules-rewritten; version=1;"
Tags: settings

Examples

GroupingRulesRewritten
Payload
{
  "eventId": "fb56d0ea-4a4c-4dd1-8bc1-b26b5fd6cf31",
  "eventTimestamp": "2019-08-24T14:15:22Z",
  "initiatedBy": {
    "id": "5fc8fbcd52c2b20011446797",
    "displayName": "John Doe",
    "email": "john.doe@gmail.com",
    "group": "L1"
  }
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "event/grouping-rules-rewritten; version=1;"
}
This example has been generated automatically.

Sub cdcevents.logicapps.userAction.replied

Subscribes to user-replied events

Subscribes to all UserActionRepliedEvent events. These are fired when a user completes a manual step in a playbook.

Effects

  • A "UserActionRepliedEvent" event will be published.

Accepts the following message:

User Action Replied Event UserActionRepliedEvent

Manual step has been marked as completed

This event is fired when a playbook step has been completed by the user.

Payload
object
inputData
object

Object with properties

Additional properties are allowed.

correlationId
required
string

A unique identifier for this step. Used to look up the corresponding user action on the UCA side.

source
required
string

The playbook source of the step

Enum: "logicappsConsumption" "logicappsStandard"

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/user-action-replied-event; version=1;"
Tags: workflows

Examples

UserActionRepliedEvent
Payload
{
  "inputData": {
    "type": "object",
    "properties": {
      "score": {
        "type": "string",
        "description": "score for the current step",
        "example": 80
      },
      "category": {
        "type": "string",
        "description": "Category of the provided step",
        "example": "malware"
      }
    }
  },
  "correlationId": "fb56d0ea-4a4c-4dd1-8bc1-b26b5fd6cf31",
  "source": "logicappsStandard"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "event/user-action-replied-event; version=1;"
}
This example has been generated automatically.

Pub UcaActions.st2.command.invoke

Command invocation channel

Invoke automation command

Starts an automation command

Preconditions

  1. Command must exist in the automation engine

Effects

  1. Runs the command for the automation engine with the specified parameters
  2. When the command completes, a command-completed reply will be sent.

Accepts the following message:

Command Invocation Command CommandInvokeCommand

Invoke the command for the automation engine.

This message invokes a command run for the automation engine

Payload
object
length <= 2097152
scope
required
string

Command pack name

action
required
string

Action from the command pack

context
required
object

Details about the command invocation context

contextType
required
string

Entity type that the command was initiated for

Enum: "alert" "incident" "channel" "observable"
entityId
required
string

CDC ID for the entity initiating the command invocation

messageId
string

CDC ID for the message that requested the command invocation

userId
required
string

ID of the user who requested the command invocation

Additional properties are allowed.

parameters
object

Object with properties specific to the invoked command and its action.

Additional properties are allowed.

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

reply_to
required
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "action/invoke-command-command; version=1;"
commands uca

Examples

CommandInvokeCommand
Payload
{
  "scope": "abuseipdb",
  "action": "enrich-ip",
  "context": {
    "contextType": "alert",
    "entityId": "507f191e810c19729de860ea",
    "messageId": "5349b4ddd2781d08c09890f3",
    "userId": "6414b4ccc2781c08c07670f4"
  },
  "parameters": {
    "max_age_in_days": 7,
    "ip": "8.8.8.8"
  }
}
This example has been generated automatically.
Headers
{
  "message_id": "4176e52e-b7d6-4aab-a38b-6b43a8d43ed1",
  "reply_to": "stackstorm-replies:create-alert-replies",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d",
  "X-Message-Schema": "action/invoke-command-command; version=1;"
}
This example has been generated automatically.
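The X-Message-Schema header is the only thing that tells a consumer which payload shape it is about to deserialise, so it is worth parsing strictly and failing closed on anything that does not match. The following is an added example, not code from the CDC/CyberProof project: it implements the grammar given in the header description above ({event-type}/{schema-name}; version={version}({-stage});), keys handlers on (event type, schema name, major version), and refuses messages whose schema is missing, malformed or unregistered. The handler table and the pre-release value "2-rc.1" in the usage are assumptions for illustration.

```python
"""Parse, validate and route on the X-Message-Schema header (added example)."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# schema-name: lowercase, dash-separated; version: integer major with an optional
# pre-release stage (hyphen + dot-separated identifiers). Anchored at both ends so
# trailing junk cannot ride along with a valid-looking prefix.
_SCHEMA_RE = re.compile(
    r"^(?P<type>[a-z]+)/(?P<name>[a-z0-9]+(?:-[a-z0-9]+)*);\s*"
    r"version=(?P<major>\d+)(?:-(?P<stage>[0-9A-Za-z]+(?:\.[0-9A-Za-z]+)*))?;$"
)


@dataclass(frozen=True)
class MessageSchema:
    event_type: str       # "action", "reply", "event", "error"
    name: str             # e.g. "invoke-command-command"
    major: int
    stage: Optional[str]  # e.g. "rc.1" for a pre-release, else None

    @property
    def key(self) -> Tuple[str, str, int]:
        """Routing key: a pre-release stage routes with its major version."""
        return (self.event_type, self.name, self.major)


def parse_message_schema(value: str) -> MessageSchema:
    """Parse an X-Message-Schema value; raise ValueError for anything off-grammar."""
    m = _SCHEMA_RE.match(value.strip())
    if m is None:
        raise ValueError(f"malformed X-Message-Schema: {value!r}")
    return MessageSchema(m["type"], m["name"], int(m["major"]), m["stage"])


Handler = Callable[[dict], object]


def route(headers: Dict[str, str], handlers: Dict[Tuple[str, str, int], Handler]) -> Handler:
    """Return the handler registered for the message's schema.

    Fails closed: a missing, malformed or unregistered schema raises instead of
    falling back to a default handler, so a consumer never processes a payload
    under a schema it was not written for.
    """
    raw = headers.get("X-Message-Schema")
    if raw is None:
        raise ValueError("missing X-Message-Schema header")
    handler = handlers.get(parse_message_schema(raw).key)
    if handler is None:
        raise LookupError(f"no handler registered for {raw!r}")
    return handler


if __name__ == "__main__":
    # Assumed handler table for illustration; the schema constants are the page's.
    table = {("reply", "command-invoke-reply", 1): lambda payload: ("reply", payload)}
    hdrs = {"X-Message-Schema": "reply/command-invoke-reply; version=1;"}
    print(route(hdrs, table)({"dataType": "abuseipdb_enrich_ip"}))
    print(parse_message_schema("event/workflow-created; version=2-rc.1;"))
```

Registering handlers by major version only is deliberate: the header description says the major part is what matters, and a pre-release suffix still names the same major. A consumer that wants to refuse pre-release schemas in production can check `stage is not None` before dispatching.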

Sub UcaActions.replies.command.invoke

Command invocation reply channel

Invoke automation command reply

Result of a command invocation.

Accepts one of the following messages:

#1 Invoke Command Reply InvokeCommandReply

The reply returned after the automation command completes

replies

This message is the reply to an Invoke automation command

Payload
object
error
string

Command invocation error if it has occurred

dataType
string

Adaptive Card type used to render the command result

data
object

Object whose properties are specific to the dataType, used to render the command result

Additional properties are allowed.

attachments
array<object>

File attachments related to the command invocation response

filename
required
string
filesize
required
number
fileId
required
string

Additional items are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "reply/command-invoke-reply; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

#2 Validation Error Message ValidationError

The reply returned if any of the input data is not valid.

errors
Payload
object
name
required
string

ValidationError

code
required
string

ERR_INVALID_INPUT

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/validation-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#3 Not Found Message NotFoundError

The reply returned if a referenced entity does not exist.

errors
Payload
object
name
required
string

NotFoundError

code
required
string

ERR_NOT_FOUND

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/not-found-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#4 Server Error Message ServerError

The reply returned if an unexpected error occurred during action execution.

errors

Notes:

  • The error message is hidden due to security concerns
Payload
object
name
required
string

ServerError

code
required
string

ERR_SERVER

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/server-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

uca commands

Examples

InvokeCommandReply
Payload
{
  "error": "string",
  "dataType": "abuseipdb_enrich_ip",
  "data": {
    "ipAddress": "139.59.40.163",
    "isPublic": true,
    "ipVersion": 4,
    "isWhitelisted": false,
    "abuseConfidenceScore": 100,
    "countryCode": "IN",
    "usageType": "Data Center/Web Hosting/Transit",
    "isp": "DigitalOcean LLC",
    "domain": "digitalocean.com",
    "hostnames": [],
    "countryName": "India",
    "totalReports": 89,
    "numDistinctUsers": 61,
    "lastReportedAt": "2022-02-09T13:00:47+00:00",
    "reports": [],
    "geo_link": "http://www.google.com/maps/place/22.3511148,78.6677428",
    "suspiciousRate": 100
  },
  "attachments": [
    {
      "filename": "abuseipdb_report.pdf",
      "filesize": 122256,
      "fileId": "61fd2142e5b99c6d1e55479c"
    }
  ]
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "reply/command-invoke-reply; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d",
  "message_id": "4176e52e-b7d6-4aab-a38b-6b43a8d43ed1"
}
This example has been generated automatically.
ValidationError
Payload
{
  "name": "ValidationError",
  "code": "ERR_INVALID_INPUT",
  "message": "The property {propertyName} is required."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/validation-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
NotFoundError
Payload
{
  "name": "NotFoundError",
  "code": "ERR_NOT_FOUND",
  "message": "The {entityName} does not exist."
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/not-found-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
ServerError
Payload
{
  "name": "ServerError",
  "code": "ERR_SERVER"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "error/server-error; version=1;",
  "correlation_id": "278940cd-cde8-40ed-adb2-caafd89bcb5d"
}
This example has been generated automatically.
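The invoke channel and its reply channel form a request/reply pair: the command carries message_id (deduplication), correlation_id (matching) and reply_to (where the answer goes), and the answer is one of four message types distinguished by X-Message-Schema. The following is an added example, not CDC/CyberProof code, of the producer side of that exchange: it builds a CommandInvokeCommand with the validation the schema implies (required context fields, the contextType enum, the <exchangeName>:<routingKey> shape of reply_to, the 2097152-byte limit), then correlates incoming replies to outstanding commands, drops redelivered replies by message_id, and refuses replies for correlation IDs it never issued. Headers are kept as a flat dict exactly as the page lists them; the assumption is that a real AMQP client maps message_id, correlation_id and reply_to onto the basic properties. The default reply_to address and the IDs used in the usage are placeholders.

```python
"""Build a CommandInvokeCommand and correlate the replies it produces (added example)."""
import json
import uuid
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional

INVOKE_SCHEMA = "action/invoke-command-command; version=1;"
REPLY_SCHEMA = "reply/command-invoke-reply; version=1;"
ERROR_SCHEMAS = {
    "error/validation-error; version=1;",
    "error/not-found-error; version=1;",
    "error/server-error; version=1;",
}
CONTEXT_TYPES = {"alert", "incident", "channel", "observable"}
MAX_PAYLOAD_BYTES = 2097152


def build_invoke_command(scope: str, action: str, context: Dict[str, str],
                         parameters: Optional[Dict[str, Any]] = None,
                         reply_to: str = "uca-replies:command-invoke",  # placeholder address
                         message_id: Optional[str] = None,
                         correlation_id: Optional[str] = None) -> dict:
    """Return {"headers": ..., "payload": ...} for UcaActions.st2.command.invoke."""
    missing = {"contextType", "entityId", "userId"} - set(context)
    if missing:
        raise ValueError(f"context is missing required fields: {sorted(missing)}")
    if context["contextType"] not in CONTEXT_TYPES:
        raise ValueError(f"unsupported contextType {context['contextType']!r}")
    exchange, sep, routing_key = reply_to.partition(":")
    if not (exchange and sep and routing_key):
        raise ValueError("reply_to must be <exchangeName>:<routingKey>")
    payload = {"scope": scope, "action": action, "context": dict(context),
               "parameters": dict(parameters or {})}
    if len(json.dumps(payload).encode("utf-8")) > MAX_PAYLOAD_BYTES:
        raise ValueError("payload exceeds the 2097152-byte limit")
    headers = {
        # message_id dedups reruns; correlation_id ties replies back to this command
        "message_id": message_id or str(uuid.uuid4()),
        "reply_to": reply_to,
        "correlation_id": correlation_id or str(uuid.uuid4()),
        "X-Message-Schema": INVOKE_SCHEMA,
    }
    return {"headers": headers, "payload": payload}


@dataclass
class Outcome:
    correlation_id: str
    ok: bool
    data: Any = None
    error_code: Optional[str] = None
    message: Optional[str] = None
    attachments: List[dict] = field(default_factory=list)


class ReplyCorrelator:
    """Match messages from UcaActions.replies.command.invoke to outstanding commands."""

    def __init__(self) -> None:
        self._pending: Dict[str, dict] = {}   # correlation_id -> command we sent
        self._seen: set = set()               # message_id of replies already handled

    def expect(self, command: dict) -> None:
        self._pending[command["headers"]["correlation_id"]] = command

    def handle(self, headers: Dict[str, str], payload: dict) -> Optional[Outcome]:
        mid = headers.get("message_id")
        if mid is not None and mid in self._seen:
            return None                        # redelivery: already acted on it
        cid = headers.get("correlation_id")
        if cid not in self._pending:
            # Unsolicited or stale: never act on a reply we did not ask for.
            raise LookupError(f"reply for unknown correlation_id {cid!r}")
        schema = headers.get("X-Message-Schema")
        if schema == REPLY_SCHEMA:
            if mid is not None:
                self._seen.add(mid)
            self._pending.pop(cid)
            if payload.get("error"):
                return Outcome(cid, False, message=payload["error"])
            return Outcome(cid, True, data=payload.get("data"),
                           attachments=list(payload.get("attachments") or []))
        if schema in ERROR_SCHEMAS:
            self._pending.pop(cid)
            # ServerError carries no message by design; only the code comes back.
            return Outcome(cid, False, error_code=payload.get("code"),
                           message=payload.get("message"))
        raise ValueError(f"unexpected reply schema {schema!r} for {cid!r}")
```

Checking the correlation ID before looking at the payload is the important ordering: the reply queue is shared, so a reply that matches nothing outstanding is treated as an error to investigate rather than something to render to an analyst.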

Sub UcaEvents.st2.command.list

CommandsList events

Subscribes to all "CommandsList" events, which trigger whenever the commands list changes for the Automation Engine

Accepts the following message:

Command List Updated CommandListUpdated

Command list changes for the Automation Engine

This event is fired when the command list changes for the Automation Engine. The event payload contains the full updated command list

Payload
object
commands
array<object>

The complete list of commands that are available in the ST2 engine

scope
required
string

Command pack name

action
required
string

Action from the command pack

description
required
string

Short description for the command

parameters
object

Object with properties specific to the invoked command and its action. Property names may vary, but each property implements the provided interface

Additional properties are allowed.

Additional items are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/command-list; version=1;"
commands uca

Examples

CommandListUpdated
Payload
{
  "commands": [
    {
      "scope": "abuseipdb",
      "action": "enrich-ip",
      "description": "Get information from AbuseIPDB about certain ip.",
      "parameters": {
        "max_age_in_days": {
          "type": "object",
          "properties": {
            "type": {
              "type": "string",
              "description": "Command property type",
              "example": "integer"
            },
            "description": {
              "type": "string",
              "description": "Short description of what is the parameter impact for the command",
              "example": "Parameter to only return reports within the last x amount of days"
            },
            "defaultValue": {
              "type": "string",
              "description": "Value to be used for the parameter if no value provided by the user",
              "example": 7
            },
            "isRequired": {
              "type": "boolean",
              "description": "Is the parameter required for the command",
              "example": false
            }
          },
          "required": [
            "type",
            "description",
            "isRequired"
          ]
        }
      }
    }
  ]
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "event/command-list; version=1;"
}
This example has been generated automatically.

Sub ucaevents.logicapps.workflow.created

WorkflowCreated events by a service

Subscribes to all "WorkflowCreated" events. These events are fired once a workflow is created.

Accepts the following message:

Workflow Created Event WorkflowCreatedEvent

A workflow was created

This event is fired when a workflow is created

Payload
object
workflowName
required
string

The workflow name

workflowRunId
required
string

The workflow execution id

issuerId
required
string

The unique workflow ID as defined by the service

issuerType
required
string

The type of issuer of the workflow that was created

source
required
string

The identifier of the source system from which this workflow originated. Usually this is the name of the Service

Enum: "logicappsConsumption" "logicappsStandard"
bundleId
string

The application name of the created workflow

startTime
required
string
date-time

Valid ISO 8601 date-time string

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/workflow-created; version=1;"
workflows

Examples

WorkflowCreatedEvent
Payload
{
  "workflowName": "workflow_name",
  "workflowRunId": "08585507179393810133956438229CU202",
  "issuerId": "626690dc59cecca0f1e28a0a",
  "issuerType": "alert",
  "source": "logicappsStandard",
  "bundleId": "some_bundle_id",
  "startTime": "2023-01-04T10:53:03+00:00"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "event/workflow-created; version=1;"
}
This example has been generated automatically.

Sub ucaevents.logicapps.userAction.created

UserActionCreated events by a service

Subscribes to all "UserActionCreated" events. These events are fired once a user action is waiting for user response.

Accepts the following message:

User Action Created Event UserActionCreatedEvent

A user action step was sent

This event is fired when a workflow run contains a user action step that requires user response

Payload
object
executionId
required
string

The action's execution ID

inputSchema
object
JSONSchema7

Additional properties are allowed.

issuerId
string

The unique workflow ID as defined by the service

issuerType
string

The type of issuer of the workflow that was created

status
string

The step status

Enum: "completed" "inProgress" "pending" "failed" "terminated" "skipped"
actionName
required
string

Action name

workflowName
required
string

The workflow name

workflowRunId
required
string

The workflow execution id

startTime
required
string
date-time

Valid ISO 8601 date-time string

userId
string

ID of the user who sent the event

correlationId
required
string

A unique identifier for this step. Used to look up the corresponding user action on the UCA side.

source
string

The identifier of the source system from which this workflow originated. Usually this is the name of the Service

Enum: "logicappsConsumption" "logicappsStandard"

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/workflow-created; version=1;"
workflows

Examples

UserActionCreatedEvent
Payload
{
  "executionId": "a1374fe0-f323-462c-a41c-c56f2a09a850",
  "inputSchema": {
    "properties": {
      "emilFileUpload": {
        "title": "Did you upload EML file?",
        "type": "boolean"
      }
    },
    "required": [
      "emilFileUpload"
    ],
    "title": "Did you upload EML file",
    "type": "object"
  },
  "issuerId": "626690dc59cecca0f1e28a0a",
  "issuerType": "alert",
  "status": "inProgress",
  "actionName": "User_action",
  "workflowName": "workflow_name",
  "workflowRunId": "08585507179393810133956438229CU202",
  "startTime": "2023-01-04T10:53:03+00:00",
  "userId": "6414b4ccc2781c08c07670f4",
  "correlationId": "fb56d0ea-4a4c-4dd1-8bc1-b26b5fd6cf31",
  "source": "logicappsStandard"
}
This example has been generated automatically.
Headers
{
  "X-Message-Schema": "event/workflow-created; version=1;"
}
This example has been generated automatically.

Messages

#1 Alert Creation Command CreateAlertCommand

Create a new alert in the CDC.

This message is a command message that will result in alert creation, assuming all required fields were specified.

Payload
allOf
0
object
length <= 2097152
source
required
string
length <= 50

The name of the source system from which this alert originated. Normally, the name of the SIEM.

name
required
string
length <= 200

The name of the alert

sourceId
required
string
length <= 400

The identifier of the alert, as it appears in the source system. In most cases this would be the ID as it appears in the SIEM.

description
required
string
length <= 5000

The description of the alert. It cannot exceed 5000 characters; if it does, the command will not fail but the description will be truncated.

severity
required
string
length <= 50

The severity of the alert. Must be one of the severities defined in CDC.

detected
required
string
date-time

Timestamp of alert detection

sourceUrl
string
uri

The source URL of the alert in the SIEM or in the origin system

company
string

Name of the company / division to which this incident or alert belongs.

Not to be confused with the "organization" field, which was used to distinguish between tenants and is deprecated.

Note that most customers don't use the "company" feature. Note that the value must be in the list of companies defined in the CDC database

raw
object

Alert raw data, as provided by the SIEM or source system.

Keys must not begin with . or $

Additional properties are allowed.

tags
array<string>
Unique

Alert tags

Items:

0
string
must match ^\S*$

Additional items are allowed.

useCase
string

Mapping of alert to one of the use cases

categories
array<string>

Mapping of alert to specific category in SIEM

Items:

0
string

Additional items are allowed.

detectionRule
string
length <= 256

Name of detection rule from SIEM that triggered the generation of alert

killChain
array<string>

Mapping of the alert to specific Kill Chain phases. The case of the names is ignored, as are spaces and duplicate values. All values are normalized according to the provided enum. See Wikipedia

This field accepts any value; the provided enum shows the recommended values.

Enum: "Reconnaissance" "Weaponization" "Delivery" "Exploitation" "Installation" "Command and Control" "Actions on Objective"

Items:

0
string
length <= 256

Additional items are allowed.

mitreAttacks
array<string>
Unique

MitreAttack Ids List

Items:

0
string

Additional items are allowed.

observables
array<allOf >

The observables associated with this alert

Items:

0
allOf
0
object
type
required
string

The type of the observable. Notice that an observable is uniquely identified by the combination of its type and value.

value
required
string

The value of the observable. Notice that an observable is uniquely identified by the combination of its type and value.

tags
array<string>
Unique

Tags associated with this observable. May be empty if an observable has no tags associated.

Items:

0
string
must match ^\S*$

Additional items are allowed.

suspiciousRate
number,null
double >= 0 <= 100

The suspicious rate of the observable (higher is more suspicious), between 0 and 100.

This field is Nullable.

Null value meaning: Not enough data to calculate suspiciousRate, could be updated later.

Examples: 74.8 null
isIoc
boolean

Determines if the observable is an IOC. (false by default)

Additional properties are allowed.

1
object
extraProperties
anyOf
0
object

Additional properties must adhere to the following schema:

(property name)
object
value
required
anyOf
0
string
1
number
2
boolean
3
array<string>

Items:

0
string

Additional items are allowed.

4
array<number>

Items:

0
number

Additional items are allowed.

5
array<boolean>

Items:

0
boolean

Additional items are allowed.

type
string

Additional properties are allowed.

relatedExtraProperties
anyOf
0
object

Additional properties must adhere to the following schema:

(property name)
object
value
required
anyOf
0
string
1
number
2
boolean
3
array<string>

Items:

0
string

Additional items are allowed.

4
array<number>

Items:

0
number

Additional items are allowed.

5
array<boolean>

Items:

0
boolean

Additional items are allowed.

type
string

Additional properties are allowed.

Additional properties are allowed.

Additional items are allowed.

events
deprecated
array<object>

The events property is deprecated. It is kept for backwards compatibility; use the observables property instead.

observables
array<allOf >

The observables associated with this alert

Items:

0
allOf
0
object
type
required
string

The type of the observable. Notice that an observable is uniquely identified by the combination of its type and value.

value
required
string

The value of the observable. Notice that an observable is uniquely identified by the combination of its type and value.

tags
array<string>
Unique

Tags associated with this observable. May be empty if an observable has no tags associated.

Items:

0
string
must match ^\S*$

Additional items are allowed.

suspiciousRate
number,null
double >= 0 <= 100

The suspicious rate of the observable (higher is more suspicious), between 0 and 100.

This field is Nullable.

Null value meaning: Not enough data to calculate suspiciousRate, could be updated later.

Examples: 74.8 null
isIoc
boolean

Determines if the observable is an IOC. (false by default)

Additional properties are allowed.

1
object
extraProperties
anyOf
0
object

Additional properties must adhere to the following schema:

(property name)
object
value
required
anyOf
0
string
1
number
2
boolean
3
array<string>

Items:

0
string

Additional items are allowed.

4
array<number>

Items:

0
number

Additional items are allowed.

5
array<boolean>

Items:

0
boolean

Additional items are allowed.

type
string

Additional properties are allowed.

relatedExtraProperties
anyOf
0
object

Additional properties must adhere to the following schema:

(property name)
object
value
required
anyOf
0
string
1
number
2
boolean
3
array<string>

Items:

0
string

Additional items are allowed.

4
array<number>

Items:

0
number

Additional items are allowed.

5
array<boolean>

Items:

0
boolean

Additional items are allowed.

type
string

Additional properties are allowed.

Additional properties are allowed.

Additional items are allowed.

Additional items are allowed.

alertType
string
length <= 15

The type of the alert. Must be one of the alert types defined in CDC - see Enumerated values. When not provided, or when the value is invalid, alertType is set to General.

Enum: "CTI-Landscape" "CTI-Assetbased" "General"
threatType
string
length <= 50

The threat type with which this alert is associated.

threatActors
array<string>

The attacker, whoever launched the attack/campaign/malware.

Items:

0
string
length <= 200

Additional items are allowed.

malwareTools
array<string>

The Malware/Tools that were used in the attack.

Items:

0
string
length <= 200

Additional items are allowed.

ctiSourceUrls
array<string>

The data source that was used for opening the alert.

Items:

0
string
length <= 2000

Additional items are allowed.

recommendations
string
length <= 3000

Instructions on how to handle the alert.

classification
string
length <= 50

Classification category that the alert falls into.

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

X-Initiated-By
required
string

The user id of the user who initiated this action, as defined in CDC

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "action/create-alert-command; version=1;"
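Several of the rules in the CreateAlertCommand schema above are silently applied server-side (description truncation, kill-chain normalisation, alertType fallback) while others reject the command (whitespace in tags, raw keys starting with "." or "$"). A producer that applies the same rules before publishing keeps its own copy of the alert consistent with what CDC stores and turns ValidationError replies into local exceptions. The following is an added example, not CDC/CyberProof code; it implements only the rules stated in the schema and does not check severity, company or useCase against the values defined in CDC, which only the server knows. SAMPLE_ALERT is a constructed input, not data from the page.

```python
"""Validate and normalise a CreateAlertCommand payload before publishing (added example)."""
import json
import re
from datetime import datetime
from typing import Any, Dict, List

KILL_CHAIN = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command and Control", "Actions on Objective"]
ALERT_TYPES = {"CTI-Landscape", "CTI-Assetbased", "General"}
REQUIRED_STRINGS = {"source": 50, "name": 200, "sourceId": 400, "severity": 50}
TAG_RE = re.compile(r"^\S*$")          # tags may not contain whitespace
MAX_DESCRIPTION = 5000
MAX_PAYLOAD_BYTES = 2097152


def _kc_key(phase: str) -> str:
    return re.sub(r"\s+", "", phase).lower()   # case and spaces are ignored


_KC_CANONICAL = {_kc_key(p): p for p in KILL_CHAIN}


def normalize_kill_chain(phases: List[str]) -> List[str]:
    """Map phases onto the enum spelling, drop duplicates, pass unknown values through."""
    out: List[str] = []
    for p in phases:
        canon = _KC_CANONICAL.get(_kc_key(p), p)
        if canon not in out:
            out.append(canon)
    return out


def check_raw_keys(obj: Any, path: str = "raw") -> None:
    """Reject any key, at any depth, that begins with '.' or '$'."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k.startswith((".", "$")):
                raise ValueError(f"{path}.{k}: keys must not begin with '.' or '$'")
            check_raw_keys(v, f"{path}.{k}")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            check_raw_keys(v, f"{path}[{i}]")


def _unique_tags(tags: List[str], where: str) -> List[str]:
    out: List[str] = []
    for t in tags:
        if not TAG_RE.match(t):
            raise ValueError(f"{where}: tag {t!r} contains whitespace")
        if t not in out:
            out.append(t)
    return out


def prepare_create_alert(alert: Dict[str, Any]) -> Dict[str, Any]:
    """Return a normalised copy of the payload, or raise ValueError for what CDC would reject."""
    a = dict(alert)
    for fld, limit in REQUIRED_STRINGS.items():
        val = a.get(fld)
        if not isinstance(val, str) or not val:
            raise ValueError(f"{fld} is required")
        if len(val) > limit:
            raise ValueError(f"{fld} exceeds {limit} characters")
    if "description" not in a or "detected" not in a:
        raise ValueError("description and detected are required")
    # CDC does not fail an oversized description, it truncates; do the same locally
    # so the copy kept on the producer side matches what CDC stores.
    a["description"] = a["description"][:MAX_DESCRIPTION]
    datetime.fromisoformat(a["detected"].replace("Z", "+00:00"))   # must be a date-time
    if a.get("alertType") not in ALERT_TYPES:
        a["alertType"] = "General"            # CDC's documented fallback
    if "raw" in a:
        check_raw_keys(a["raw"])
    if "tags" in a:
        a["tags"] = _unique_tags(a["tags"], "tags")
    if "killChain" in a:
        a["killChain"] = normalize_kill_chain(a["killChain"])
    if "observables" in a:
        seen, uniq = set(), []
        for obs in a["observables"]:
            key = (obs["type"], obs["value"])  # an observable's identity is (type, value)
            if key in seen:
                continue
            seen.add(key)
            obs = dict(obs)
            if "tags" in obs:
                obs["tags"] = _unique_tags(obs["tags"], f"observable {key}")
            uniq.append(obs)
        a["observables"] = uniq
    if len(json.dumps(a).encode("utf-8")) > MAX_PAYLOAD_BYTES:
        raise ValueError("payload exceeds the 2097152-byte limit")
    return a


SAMPLE_ALERT = {   # constructed sample input, not from the page
    "source": "sentinel",
    "name": "Suspicious outbound connection",
    "sourceId": "inc-0001",
    "description": "x" * 6000,                # over the 5000-character limit
    "severity": "High",
    "detected": "2023-01-04T10:53:03Z",
    "alertType": "cti-landscape",             # wrong case, so it falls back to General
    "killChain": ["command and control", "Command And Control", "exploitation"],
    "tags": ["c2", "c2", "egress"],
    "raw": {"host": "web-01", "events": [{"pid": 4242}]},
    "observables": [
        {"type": "ip", "value": "203.0.113.7", "tags": ["c2"]},
        {"type": "ip", "value": "203.0.113.7"},
        {"type": "domain", "value": "example.net", "suspiciousRate": None},
    ],
}
```

The raw-key check is the one worth keeping even if everything else is dropped: raw is free-form SIEM data that the producer does not control, so a key such as "$where" reaching the command is the kind of input the schema rule exists to keep out, and rejecting it locally gives a clearer signal than a ValidationError reply after the fact.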
#2 Create Alert Reply CreateAlertReply

The reply returned after creating an alert

replies

This message is the reply to a Create Alert command

Payload
object
id
required
string

A unique, machine-oriented ID identifying this alert.

source
required
string

The name of the source system

sourceId
required
string

The ID of the alert in the source system

name
required
string

The name of the alert

description
required
string

The description of the alert

severity
required
string

The severity of the alert. Must be one of the severities defined in CDC.

created
required
string
date-time

Alert creation timestamp, in UTC

modified
required
string
date-time

Last modification timestamp, in UTC

detected
required
string
date-time

Alert detection timestamp, in UTC

status
required
string

Alert status

Enum: "New" "In incident" "Closed" "Resolved"
sourceUrl
string
uri

A URI of this alert pointing to the source system

company
string

Name of the company / division to which this incident or alert belongs.

Not to be confused with the "organization" field, which was used to distinguish between tenants and is deprecated.

Note that most customers don't use the "company" feature. Note that the value must be in the list of companies defined in the CDC database

useCase
string

Alert Use Case name

detectionRule
string
length <= 256

Name of detection rule from SIEM that triggered the generation of alert

killChain
required
array<string>

Mapping of the alert to specific Kill Chain phases. The case of the names is ignored, as are spaces and duplicate values. All values are normalized according to the provided enum. See Wikipedia

This field accepts any value; the provided enum shows the recommended values.

Enum: "Reconnaissance" "Weaponization" "Delivery" "Exploitation" "Installation" "Command and Control" "Actions on Objective"

Items:

0
string
length <= 256

Additional items are allowed.

mitreAttacks
array<string>
Unique

MitreAttack Ids List

Items:

0
string

Additional items are allowed.

alertType
string
length <= 15

The type of the alert. Must be one of the alert types defined in CDC - see Enumerated values. When not provided, or when the value is invalid, alertType is set to General.

Enum: "CTI-Landscape" "CTI-Assetbased" "General"
threatType
string

The threat type with which this alert is associated.

threatActors
array<string>

The attacker, whoever launched the attack/campaign/malware.

Items:

0
string

Additional items are allowed.

malwareTools
array<string>

The Malware/Tools that were used in the attack.

Items:

0
string

Additional items are allowed.

ctiSourceUrls
array<string>

The data source that was used for opening the alert.

Items:

0
string

Additional items are allowed.

recommendations
string

Instructions on how to handle the alert.

categories
required
array<string>

Mapping of alert to specific category in SIEM

Items:

0
string

Additional items are allowed.

tags
required
array<string>
Unique

Array of tags. A tag's name can contain only the following characters: letters, digits, "-", "_", ".", "#" and "@".

Tags are case-preserving on insertion: if the tag does not already exist with a different casing, it is saved with the casing given. When used as query filters, tags are treated as case-insensitive.

Items:

0
string
must match ^\S*$

Additional items are allowed.

observableTags
required
array<string>
Unique

List of tags of alert observables

Items:

0
string
must match ^\S*$

Additional items are allowed.

classification
string
length <= 50

Classification for the alert

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "reply/alert-create-reply; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#3 Validation Error Message ValidationError

The reply returned if any of the input data is not valid.

errors
Payload
object
name
required
string

ValidationError

code
required
string

ERR_INVALID_INPUT

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/validation-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#4 Not Found Message NotFoundError

The reply returned if a referenced entity does not exist.

errors
Payload
object
name
required
string

NotFoundError

code
required
string

ERR_NOT_FOUND

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/not-found-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#5 Server Error Message ServerError

The reply returned if an unexpected error occurred during action execution.

errors

Notes:

  • The error message is hidden due to security concerns
Payload
object
name
required
string

ServerError

code
required
string

ERR_SERVER

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/server-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.
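The three error replies above share one envelope: the X-Message-Schema header, whose grammar every Headers block repeats, and a correlation_id that ties the reply back to the command that caused it. The following Python is an added example, not code from this specification or from CDC: it parses the header against that grammar, checks the major version, and only acts on replies whose correlation_id it issued itself, so an unsolicited or replayed reply arriving on the reply_to exchange is dropped instead of being treated as the outcome of a command. The message dictionaries, the class names and the reply schema names passed to register() are assumptions for illustration; the header constants match the Const values in the spec.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Header grammar from this spec: {event-type}/{schema-name}; version={version}({-stage});
# The schema name is lowercase and dash-separated; the version is normally just the
# major integer, optionally followed by a hyphen and a dot-separated pre-release stage.
_SCHEMA_RE = re.compile(
    r"^(?P<kind>[a-z]+)/(?P<name>[a-z]+(?:-[a-z]+)*);\s*"
    r"version=(?P<major>\d+)(?:-(?P<stage>[0-9A-Za-z]+(?:\.[0-9A-Za-z]+)*))?;$"
)


@dataclass(frozen=True)
class MessageSchema:
    kind: str             # "action", "reply" or "error"
    name: str             # e.g. "not-found-error"
    major: int
    stage: Optional[str]  # pre-release stage, or None for a released schema


def parse_message_schema(header: str) -> MessageSchema:
    """Parse an X-Message-Schema header value; reject anything off-grammar."""
    m = _SCHEMA_RE.match(header.strip())
    if not m:
        raise ValueError(f"malformed X-Message-Schema: {header!r}")
    return MessageSchema(m["kind"], m["name"], int(m["major"]), m["stage"])


@dataclass
class Outcome:
    ok: bool
    schema: MessageSchema
    code: Optional[str] = None     # ERR_NOT_FOUND, ERR_SERVER, ... on error replies
    message: Optional[str] = None  # absent on server-error, which withholds the message
    payload: dict = field(default_factory=dict)


class ReplyCorrelator:
    """Track the correlation_ids we issued and classify the replies that come back.

    A reply whose correlation_id we never issued (or already consumed) is dropped
    rather than acted on: anything that can publish to our reply_to exchange could
    otherwise inject a forged or replayed reply.
    """

    def __init__(self, expected_major: int = 1) -> None:
        self.expected_major = expected_major
        self._pending: Dict[str, str] = {}  # correlation_id -> expected reply schema name

    def register(self, correlation_id: str, expected_reply: str) -> None:
        self._pending[correlation_id] = expected_reply

    def handle(self, headers: Dict[str, str], payload: dict) -> Optional[Outcome]:
        expected = self._pending.pop(headers.get("correlation_id", ""), None)
        if expected is None:
            return None  # unsolicited or duplicate reply: ignore it
        schema = parse_message_schema(headers["X-Message-Schema"])
        if schema.major != self.expected_major:
            raise ValueError(f"unsupported schema major version {schema.major}")
        if schema.kind == "error":
            return Outcome(False, schema, payload.get("code"), payload.get("message"), payload)
        if schema.kind != "reply" or schema.name != expected:
            raise ValueError(f"expected reply/{expected}, got {schema.kind}/{schema.name}")
        return Outcome(True, schema, payload=payload)
```

The correlator consumes a correlation_id on first use, which is what makes a replayed reply fall into the "ignore" branch; if the consumer is restarted, the pending map has to be persisted or every in-flight reply will be dropped on purpose.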

#6 Close Alert Command CloseAlertCommand

Closes an alert

This message is a command message that will result in alert closure

Payload
object
alertId
required
string

The unique Alert ID as defined by CDC

closingReason
required
object

Details explaining why this alert was marked as irrelevant. Only appears if the alert was closed as irrelevant.

reason
required
string

Alert closure reason. The default possible values are: "Benign Positive", "True Positive", "False Positive - Incorrect alert logic", "False Positive - Inaccurate data" and "Undetermined".

Note: additional custom reasons may be accepted, but only if they are defined in CDC (metamodels).

comment
required
string

Analyst-provided comment for closing an alert

Note: the "comment" property is mandatory when "reason" is "Other".

Additional properties are allowed.

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

X-Initiated-By
required
string

The user id of the user who initiated this action, as defined in CDC

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in mime-type like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot separated identifiers immediately following the major version.

Const: "action/close-alert-command; version=1;"
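Every command in this spec carries the same header set (message_id, X-Initiated-By, optional reply_to and correlation_id, and a constant X-Message-Schema), and CloseAlertCommand adds two payload rules: the reason must be one CDC knows, and a comment is mandatory when the reason is "Other". The following Python is an added example, not CDC's client or code from this page: it builds the envelope once, validates the reply_to shape before publishing, and applies the closure rules client-side so a malformed command never reaches the queue. The function names, the uuid-based identifiers and the assumption that "Other" is an accepted reason are this example's own; the schema constant and the default reasons are copied from the spec. Publishing over AMQP is left to the caller.

```python
import json
import uuid
from typing import Dict, FrozenSet, Optional, Tuple

CLOSE_ALERT_SCHEMA = "action/close-alert-command; version=1;"
DEFAULT_CLOSING_REASONS = frozenset({
    "Benign Positive",
    "True Positive",
    "False Positive - Incorrect alert logic",
    "False Positive - Inaccurate data",
    "Undetermined",
})


def parse_reply_to(reply_to: str) -> Tuple[str, str]:
    """Split the spec's '<exchangeName>:<routingKey>' form; refuse anything else."""
    exchange, sep, routing_key = reply_to.partition(":")
    if not sep or not exchange or not routing_key:
        raise ValueError(f"reply_to must look like '<exchangeName>:<routingKey>', got {reply_to!r}")
    return exchange, routing_key


def build_command(schema: str, payload: dict, initiated_by: str,
                  reply_to: Optional[str] = None,
                  correlation_id: Optional[str] = None) -> Dict[str, object]:
    """Wrap a payload in the headers every CDC action command carries.

    message_id is the deduplication key for reruns, so a retry of the same logical
    operation should republish the returned message instead of calling this again.
    """
    if not initiated_by:
        raise ValueError("X-Initiated-By must name the CDC user who initiated the action")
    headers = {
        "message_id": str(uuid.uuid4()),
        "X-Initiated-By": initiated_by,
        "X-Message-Schema": schema,
        "correlation_id": correlation_id or str(uuid.uuid4()),
    }
    if reply_to is not None:
        parse_reply_to(reply_to)  # validate the shape before the message leaves us
        headers["reply_to"] = reply_to
    return {"headers": headers, "body": json.dumps(payload, separators=(",", ":"))}


def close_alert_command(alert_id: str, reason: str, comment: str, initiated_by: str,
                        reply_to: Optional[str] = None,
                        custom_reasons: FrozenSet[str] = frozenset()) -> Dict[str, object]:
    """CloseAlertCommand with the payload rules from the spec applied before publishing.

    custom_reasons are the extra closure reasons defined in CDC metamodels, if any;
    "Other" is accepted because the spec's comment rule refers to it (assumption).
    """
    if not alert_id:
        raise ValueError("alertId is required")
    allowed = DEFAULT_CLOSING_REASONS | custom_reasons | {"Other"}
    if reason not in allowed:
        raise ValueError(f"unknown closing reason {reason!r}")
    if reason == "Other" and not comment.strip():
        raise ValueError('comment is mandatory when reason is "Other"')
    payload = {"alertId": alert_id, "closingReason": {"reason": reason, "comment": comment}}
    return build_command(CLOSE_ALERT_SCHEMA, payload, initiated_by, reply_to)
```

X-Initiated-By is whatever the publisher puts there, so the broker-side permission to publish to this exchange is the real access control; keep it scoped to the automation service rather than handing the credential to every script that wants to close alerts.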
#7 Close Alert Reply CloseAlertReply

Closes an alert

replies
  • The message payload is empty
  • This message is a reply for alert close
Payload
object

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in mime-type like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot separated identifiers immediately following the major version.

Const: "reply/alert-close-reply; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#8 Reopen Alert Command ReopenAlertCommand

Reopens an alert

This message is a command message that will result in the alert being reopened

Payload
object
alertId
required
string

The unique Alert ID as defined by CDC

reopenReason
string

The reason why this alert was reopened, as provided by the analyst

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

X-Initiated-By
required
string

The user id of the user who initiated this action, as defined in CDC

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in mime-type like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot separated identifiers immediately following the major version.

Const: "action/reopen-alert-command; version=1;"
#9 Reopen Alert Reply ReopenAlertReply

Reopens an alert

replies
  • The message payload is empty
  • This message is a reply for alert reopen
Payload
object

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in mime-type like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot separated identifiers immediately following the major version.

Const: "reply/alert-reopen-reply; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#10 Set Alert Detail Command SetAlertDetailCommand

Set alert detail

This message is a command message that sets the specified details on an alert. It updates only informational fields; none of them drives a flow or operation.

Payload
object
length <= 2097152
alertId
required
string

The unique Alert ID as defined by CDC

name
string

If specified, will set the name field of the alert

description
string
length <= 5000

If specified, will set the description field of the alert. It cannot exceed 5000 characters; if it does, the command does not fail but the description is truncated.

useCase
string

If specified, will set the useCase field of the alert

company
string

Name of the company / division to which this incident or alert belongs.

Not to be confused with the "organization" field, which was used to distinguish between tenants and is deprecated.

Note that most customer don't use the "company" feature. Note the value must be in the list of companies defined in CDC database

severity
string

The severity of the alert. Must be one of the severities defined in CDC.

detectionRule
string
length <= 256

Name of detection rule from SIEM that triggered the generation of alert

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

X-Initiated-By
required
string

The user id of the user who initiated this action, as defined in CDC

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in mime-type like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot separated identifiers immediately following the major version.

Const: "action/set-alert-detail-command; version=1;"
#11 Set Alert Detail Reply SetAlertDetail

The reply returned after the alert details have been set

replies

This message is a reply for alert detail set

Payload
object
id
required
string

A unique, machine-oriented ID identifying this alert.

source
required
string

The name of the source system

sourceId
required
string

The ID of the alert in the source system

name
required
string

The name of the alert

description
required
string

The description of the alert

severity
required
string

The severity of the alert. Must be one of the severities defined in CDC.

created
required
string
date-time

Alert creation timestamp, in UTC

modified
required
string
date-time

Last modification timestamp, in UTC

detected
required
string
date-time

Alert detection timestamp, in UTC

status
required
string

Alert status

Enum: "New" "In incident" "Closed" "Resolved"
sourceUrl
string
uri

A URI of this alert pointing to the source system

company
string

Name of the company / division to which this incident or alert belongs.

Not to be confused with the "organization" field, which was used to distinguish between tenants and is deprecated.

Note that most customer don't use the "company" feature. Note the value must be in the list of companies defined in CDC database

useCase
string

Alert Use Case name

detectionRule
string
length <= 256

Name of detection rule from SIEM that triggered the generation of alert

killChain
required
array<string>

Mapping of alert to specific Kill Chain phases. The case of the names is ignored, as are spaces and duplicate values. All values are normalized according to the provided enum. See in Wikipedia

This field accepts any value; the provided enum shows the recommended values.

Enum: "Reconnaissance" "Weaponization" "Delivery" "Exploitation" "Installation" "Command and Control" "Actions on Objective"

Items:

0
string
length <= 256

Additional items are allowed.

mitreAttacks
array<string>
Unique

MitreAttack Ids List

Items:

0
string

Additional items are allowed.

alertType
string
length <= 15

The type of the alert. Must be one of the alert types defined in CDC (see Enumerated values). If not provided, or if the value is invalid, alertType is set to General.

Enum: "CTI-Landscape" "CTI-Assetbased" "General"
threatType
string

The threat type with which this alert is associated.

threatActors
array<string>

The attacker, whoever launched the attack/campaign/malware.

Items:

0
string

Additional items are allowed.

malwareTools
array<string>

The Malware/Tools that were used in the attack.

Items:

0
string

Additional items are allowed.

ctiSourceUrls
array<string>

The data source that was used for opening the alert.

Items:

0
string

Additional items are allowed.

recommendations
string

Instruction how to handle alert.

categories
required
array<string>

Mapping of alert to specific category in SIEM

Items:

0
string

Additional items are allowed.

tags
required
array<string>
Unique

Array of tags. A tag's name may contain only the following characters: letters, digits, "-", "_", ".", "#" and "@".

Tags are case-preserving on insertion: if the tag does not already exist with a different casing, it is saved with the casing given. When used as query filters, tags are treated as case-insensitive.

Items:

0
string
must match ^\S*$

Additional items are allowed.

observableTags
required
array<string>
Unique

List of tags of alert observables

Items:

0
string
must match ^\S*$

Additional items are allowed.

classification
string
length <= 50

Classification for the alert

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in mime-type like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot separated identifiers immediately following the major version.

Const: "reply/alert-detail-set-reply; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#12 Update Alert Classification Command alertClassificationUpdate

Update alert classification

This message is a command message that will result in the alert classification being updated.

Payload
object
length <= 2097152
alertId
required
string

The unique Alert ID as defined by CDC

classification
required
string
length <= 50

New value for the alert classification

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

X-Initiated-By
required
string

The user id of the user who initiated this action, as defined in CDC

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in mime-type like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot separated identifiers immediately following the major version.

Const: "action/alert-classification-update-command; version=1;"
#13 Update Alert Classification Reply UpdateAlertClassification

The reply returned after the alert classification has been updated

replies

This message is a reply for alert classification update

Payload
object
id
required
string

A unique, machine-oriented ID identifying this alert.

source
required
string

The name of the source system

sourceId
required
string

The ID of the alert in the source system

name
required
string

The name of the alert

description
string

The description of the alert

severity
string

The severity of the alert. Must be one of the severities defined in CDC.

created
string
date-time

Alert creation timestamp, in UTC

modified
string
date-time

Last modification timestamp, in UTC

detected
string
date-time

Alert detection timestamp, in UTC

status
string

Alert status

Enum: "New" "In incident" "Closed" "Resolved"
sourceUrl
string
uri

A URI of this alert pointing to the source system

company
string

Name of the company / division to which this incident or alert belongs.

Not to be confused with the "organization" field, which was used to distinguish between tenants and is deprecated.

Note that most customer don't use the "company" feature. Note the value must be in the list of companies defined in CDC database

useCase
string

Alert Use Case name

detectionRule
string
length <= 256

Name of detection rule from SIEM that triggered the generation of alert

killChain
array<string>

Mapping of alert to specific Kill Chain phases. The case of the names is ignored, as are spaces and duplicate values. All values are normalized according to the provided enum. See in Wikipedia

This field accepts any value; the provided enum shows the recommended values.

Enum: "Reconnaissance" "Weaponization" "Delivery" "Exploitation" "Installation" "Command and Control" "Actions on Objective"

Items:

0
string
length <= 256

Additional items are allowed.

mitreAttacks
array<string>
Unique

MitreAttack Ids List

Items:

0
string

Additional items are allowed.

alertType
string
length <= 15

The type of the alert. Must be one of the alert types defined in CDC (see Enumerated values). If not provided, or if the value is invalid, alertType is set to General.

Enum: "CTI-Landscape" "CTI-Assetbased" "General"
threatType
string

The threat type with which this alert is associated.

threatActors
array<string>

The attacker, whoever launched the attack/campaign/malware.

Items:

0
string

Additional items are allowed.

malwareTools
array<string>

The Malware/Tools that were used in the attack.

Items:

0
string

Additional items are allowed.

ctiSourceUrls
array<string>

The data source that was used for opening the alert.

Items:

0
string

Additional items are allowed.

recommendations
string

Instruction how to handle alert.

categories
array<string>

Mapping of alert to specific category in SIEM

Items:

0
string

Additional items are allowed.

tags
array<string>
Unique

Array of tags. A tag's name may contain only the following characters: letters, digits, "-", "_", ".", "#" and "@".

Tags are case-preserving on insertion: if the tag does not already exist with a different casing, it is saved with the casing given. When used as query filters, tags are treated as case-insensitive.

Items:

0
string
must match ^\S*$

Additional items are allowed.

observableTags
array<string>
Unique

List of tags of alert observables

Items:

0
string
must match ^\S*$

Additional items are allowed.

classification
required
string
length <= 50

Classification for the alert

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in mime-type like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot separated identifiers immediately following the major version.

Const: "reply/alert-classification-update-reply; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#14 Composite Update Alert Command CompositeUpdateAlertCommand

Composite Update Alert

This message is a command message that performs multiple update operations on an alert in one go.

For "Single" fields (e.g. company, description), the existing value is overwritten.

For "Collection" fields (e.g. killChain, tags), new values are appended to the existing ones.

Payload
object
length <= 2097152
alertId
required
string

The unique Alert ID as defined by CDC

name
string

If specified, will set the name field of the alert


Update operation: setAlertDetails. The existing value is overwritten. Must not be null or empty.

description
string
length <= 5000

If specified, will set the description field of the alert


Update operation: setAlertDetails. The existing value is overwritten. Must not be null or empty. It cannot exceed 5000 characters; if it does, the command does not fail but the description is truncated.

useCase
string,null

If specified, will set the useCase field of the alert


Update operation: setAlertDetails. The existing value is overwritten. May be null or empty, in which case the existing value is deleted.

company
string,null

Name of the company / division to which this incident or alert belongs.

Not to be confused with the "organization" field, which was used to distinguish between tenants and is deprecated.

Note that most customer don't use the "company" feature. Note the value must be in the list of companies defined in CDC database


Update operation: setAlertDetails. The existing value is overwritten. May be null or empty, in which case the existing value is deleted.

severity
string

Alert severity (may also be a custom value defined in settings)


Update operation: setAlertDetails. The existing value is overwritten. Must not be null or empty.

Enum: "Low" "Medium" "High" "Critical"
detectionRule
string,null
length <= 256

Name of detection rule from SIEM that triggered the generation of alert


Update operation: setAlertDetails. The existing value is overwritten. May be null or empty, in which case the existing value is deleted.

threatType
string
length <= 50

The threat type with which this alert is associated.


Update operation: setAlertDetails. The existing value is overwritten. Must not be null or empty.

threatActors
array<string>

The attacker, whoever launched the attack/campaign/malware.


Update operation: addThreatActors. New values are appended. May be null or empty, in which case the field is ignored.

Items:

0
string
length <= 200

Additional items are allowed.

malwareTools
array<string>

The Malware/Tools that were used in the attack.


Update operation: addMalwareTools. New values are appended. May be null or empty, in which case the field is ignored.

Items:

0
string
length <= 200

Additional items are allowed.

recommendations
string,null
length <= 3000

Instruction how to handle alert.


Update operation: setAlertDetails. The existing value is overwritten. May be null or empty, in which case the existing value is deleted.

killChain
array<string>

Mapping of alert to specific Kill Chain phases. The case of the names is ignored, as are spaces and duplicate values. All values are normalized according to the provided enum. See in Wikipedia

Validations:

  • The phases array must not be empty.
  • Each phase name cannot exceed 256 characters.
  • The added phases must be a subset of the values in the provided enum.

Update operation: addKillChain. New values are appended. May be null or empty, in which case the field is ignored.

Enum: "Reconnaissance" "Weaponization" "Delivery" "Exploitation" "Installation" "Command and Control" "Actions on Objective"

Items:

0
string
length <= 256

Additional items are allowed.

tags
array<string>
>= 1 items <= 10 items Unique

The tags to be added to the alert. A tag's name may contain only the following characters: letters, digits, "-", "_", ".", "#" and "@".

Tags are case-preserving on insertion: if the tag does not already exist with a different casing, it is saved with the casing given. When used as query filters, tags are treated as case-insensitive.


Update operation: addTags. New values are appended. May be null or empty, in which case the field is ignored.

Items:

0
string
must match ^\S*$

Additional items are allowed.

mitreAttacks
array<string>
Unique

The MitreAttack Ids to be added to the Alert


Update operation: addMitreAttacks. New values are appended. May be null or empty, in which case the field is ignored.

Items:

0
string

Additional items are allowed.

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

X-Initiated-By
required
string

The user id of the user who initiated this action, as defined in CDC

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in mime-type like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot separated identifiers immediately following the major version.

Const: "action/composite-update-alert-command; version=1;"
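The per-field notes above encode three different semantics in one payload: non-nullable single fields that overwrite, nullable single fields where null or empty deletes, and collections where null or empty is silently ignored, plus the normalisation of killChain values and the tag rules. The following Python is an added example, not CDC code, that builds a CompositeUpdateAlertCommand payload with those rules applied before sending, so the sender learns about a truncated description, an out-of-enum phase or an oversized tag list locally instead of from a partial-failure reply. Field classes, length limits and the enum are taken from the spec; the function names and the choice to compare tags case-insensitively for uniqueness are this example's assumptions.

```python
import re
from typing import Any, Dict, FrozenSet, List

KILL_CHAIN_PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
                     "Installation", "Command and Control", "Actions on Objective"]
# The spec ignores case, spaces and duplicates and normalises to the enum, so key by
# the folded form.
_PHASE_BY_KEY = {p.lower().replace(" ", ""): p for p in KILL_CHAIN_PHASES}
_TAG_RE = re.compile(r"^[A-Za-z0-9\-_.#@]+$")  # allowed tag characters (also satisfies ^\S*$)
DEFAULT_SEVERITIES = frozenset({"Low", "Medium", "High", "Critical"})

# Field classes from the CompositeUpdateAlertCommand description.
NON_NULLABLE_SINGLE = {"name", "description", "severity", "threatType"}
NULLABLE_SINGLE = {"useCase", "company", "detectionRule", "recommendations"}
COLLECTIONS = {"threatActors", "malwareTools", "killChain", "tags", "mitreAttacks"}
MAX_LENGTH = {"description": 5000, "detectionRule": 256, "threatType": 50,
              "recommendations": 3000, "threatActors": 200, "malwareTools": 200}


def normalize_kill_chain(phases: List[str]) -> List[str]:
    """Fold case and spaces, drop duplicates, and reject values outside the enum."""
    out: List[str] = []
    for raw in phases:
        canon = _PHASE_BY_KEY.get(raw.lower().replace(" ", ""))
        if canon is None:
            raise ValueError(f"kill chain phase {raw!r} is not in the enum")
        if canon not in out:
            out.append(canon)
    if not out:
        raise ValueError("killChain must not be empty")
    return out


def validate_tags(tags: List[str]) -> List[str]:
    """1..10 tags, allowed characters only, unique. Uniqueness is checked case-insensitively
    because CDC matches an existing tag regardless of casing (a client-side choice)."""
    if not 1 <= len(tags) <= 10:
        raise ValueError("tags must contain between 1 and 10 items")
    seen = set()
    for tag in tags:
        if not _TAG_RE.match(tag):
            raise ValueError(f"tag {tag!r} contains disallowed characters")
        if tag.lower() in seen:
            raise ValueError(f"duplicate tag {tag!r}")
        seen.add(tag.lower())
    return tags


def build_composite_update(alert_id: str, fields: Dict[str, Any],
                           custom_severities: FrozenSet[str] = frozenset()) -> Dict[str, Any]:
    """Build the payload, applying the overwrite / delete / ignore rules per field class."""
    if not alert_id:
        raise ValueError("alertId is required")
    payload: Dict[str, Any] = {"alertId": alert_id}
    for key, value in fields.items():
        if key in NON_NULLABLE_SINGLE:
            if value is None or value == "":
                raise ValueError(f"{key} would overwrite the stored value with nothing")
            if key == "severity" and value not in DEFAULT_SEVERITIES | custom_severities:
                raise ValueError(f"unknown severity {value!r}")
            if key == "description" and len(value) > MAX_LENGTH["description"]:
                value = value[:MAX_LENGTH["description"]]  # CDC truncates silently; do it visibly
            elif key in MAX_LENGTH and len(value) > MAX_LENGTH[key]:
                raise ValueError(f"{key} exceeds {MAX_LENGTH[key]} characters")
            payload[key] = value
        elif key in NULLABLE_SINGLE:
            if value is None or value == "":
                payload[key] = None  # null/empty deletes the stored value
            elif key in MAX_LENGTH and len(value) > MAX_LENGTH[key]:
                raise ValueError(f"{key} exceeds {MAX_LENGTH[key]} characters")
            else:
                payload[key] = value
        elif key in COLLECTIONS:
            if not value:
                continue  # null/empty collections are ignored by CDC; do not send them
            if key == "killChain":
                value = normalize_kill_chain(value)
            elif key == "tags":
                value = validate_tags(value)
            elif key == "mitreAttacks":
                value = list(dict.fromkeys(value))  # schema says Unique
            elif any(len(item) > MAX_LENGTH[key] for item in value):
                raise ValueError(f"{key} items are limited to {MAX_LENGTH[key]} characters")
            payload[key] = value
        else:
            raise ValueError(f"{key!r} is not a CompositeUpdateAlertCommand field")
    return payload
```

Because collections only ever append, there is no way to remove a tag or kill-chain phase through this command; anything sent here accumulates on the alert, so automation that re-runs should not resend collections it already added.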
#15 Composite Update Alert Reply CompositeUpdateAlertReply

The reply returned after a Composite Update Alert operation

replies

This message is a reply for Composite Update Alert operation

Errors

  • A Composite Update Alert command fails only when ALL of its update operations failed; in that case a composite error is sent. Note that a CompositeServerError is also returned when the command consisted of a single update operation: e.g. if only one field (say "description") is updated, the command contains exactly one "setAlertDetails" operation, so if that operation fails, 1 out of 1 operations failed and a CompositeServerError holding that single error is returned.

  • When only some of the update operations failed, the reply contains the updated alert state and a list of errors describing the causes of the failed operations.

Payload
object
alert
required
object

The state of the alert after the update.

id
string

A unique, machine-oriented ID identifying this alert.

source
string

The name of the source system

sourceId
string

The ID of the alert in the source system

name
string

The name of the alert

description
string

The description of the alert

severity
string

The severity of the alert. Must be one of the severities defined in CDC.

created
string
date-time

Alert creation timestamp, in UTC

modified
string
date-time

Last modification timestamp, in UTC

detected
string
date-time

Alert detection timestamp, in UTC

status
string

Alert status

Enum: "New" "In incident" "Closed" "Resolved"
sourceUrl
string
uri

A URI of this alert pointing to the source system

company
string

Name of the company / division to which this incident or alert belongs.

Not to be confused with the "organization" field, which was used to distinguish between tenants and is deprecated.

Note that most customer don't use the "company" feature. Note the value must be in the list of companies defined in CDC database

useCase
string

Alert Use Case name

detectionRule
string
length <= 256

Name of detection rule from SIEM that triggered the generation of alert

killChain
array<string>

Mapping of alert to specific Kill Chain phases. The case of the names is ignored, as are spaces and duplicate values. All values are normalized according to the provided enum. See in Wikipedia

This field accepts any value; the provided enum shows the recommended values.

Enum: "Reconnaissance" "Weaponization" "Delivery" "Exploitation" "Installation" "Command and Control" "Actions on Objective"

Items:

0
string
length <= 256

Additional items are allowed.

mitreAttacks
array<string>
Unique

MitreAttack Ids List

Items:

0
string

Additional items are allowed.

alertType
string
length <= 15

The type of the alert. Must be one of the alert types defined in CDC (see Enumerated values). If not provided, or if the value is invalid, alertType is set to General.

Enum: "CTI-Landscape" "CTI-Assetbased" "General"
threatType
string

The threat type with which this alert is associated.

threatActors
array<string>

The attacker, whoever launched the attack/campaign/malware.

Items:

0
string

Additional items are allowed.

malwareTools
array<string>

The Malware/Tools that were used in the attack.

Items:

0
string

Additional items are allowed.

ctiSourceUrls
array<string>

The data source that was used for opening the alert.

Items:

0
string

Additional items are allowed.

recommendations
string

Instruction how to handle alert.

categories
array<string>

Mapping of alert to specific category in SIEM

Items:

0
string

Additional items are allowed.

tags
array<string>
Unique

Array of tags. A tag's name may contain only the following characters: letters, digits, "-", "_", ".", "#" and "@".

Tags are case-preserving on insertion: if the tag does not already exist with a different casing, it is saved with the casing given. When used as query filters, tags are treated as case-insensitive.

Items:

0
string
must match ^\S*$

Additional items are allowed.

observableTags
array<string>
Unique

List of tags of alert observables

Items:

0
string
must match ^\S*$

Additional items are allowed.

classification
string
length <= 50

Classification for the alert

Additional properties are allowed.

errors
required
array<object>

List of errors

errorMessage
string

A message summarizing the cause of the error

error
object

Additional properties are allowed.

Additional items are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in mime-type like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot separated identifiers immediately following the major version.

Const: "reply/composite-update-alert-reply; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#16 Composite Server Error Message CompositeServerError

The reply returned when one or more errors occurred while running an operation on the server.

errors

This reply holds a general error message and a list of the errors that occurred while running the operation.

Note: the errors array may contain only one item.

Payload
object
name
required
string

ServerError

code
required
string

ERR_SERVER

errorMessage
required
string

A general error message that summarize the failure of the operation.

errors
required
array<object>

List of errors

errorMessage
string

A message summarizing the cause of the error

error
object

Additional properties are allowed.

Additional items are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in mime-type like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot separated identifiers immediately following the major version.

Const: "error/server-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.
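The two messages above describe three possible outcomes of a composite update: every operation applied, some failed (a reply carrying the alert state plus an errors list), or all failed (a CompositeServerError). Note that CompositeServerError reuses the "error/server-error; version=1;" schema constant of the plain ServerError, so the header alone cannot tell them apart; the presence of the errors array in the payload can. The following Python is an added example, not CDC code: it classifies a reply by those rules and then compares the returned alert state with what was requested, since in the partial case the returned alert, not the request, is the truth. The sample reply dictionaries are constructed for illustration; the function and class names are this example's own.

```python
from dataclasses import dataclass, field
from typing import Any, Dict, List

COMPOSITE_REPLY_SCHEMA = "reply/composite-update-alert-reply; version=1;"
SERVER_ERROR_SCHEMA = "error/server-error; version=1;"  # shared by ServerError and CompositeServerError

SINGLE_FIELDS = {"name", "description", "useCase", "company", "severity",
                 "detectionRule", "threatType", "recommendations"}
COLLECTION_FIELDS = {"threatActors", "malwareTools", "killChain", "tags", "mitreAttacks"}
FOLDED = {"tags", "killChain"}  # CDC matches these case-insensitively / normalises them


@dataclass
class CompositeOutcome:
    status: str                                    # "applied", "partial" or "failed"
    alert: Dict[str, Any] = field(default_factory=dict)
    errors: List[str] = field(default_factory=list)


def _messages(errors: List[Dict[str, Any]]) -> List[str]:
    return [e.get("errorMessage") or "<no message>" for e in errors]


def interpret_composite_reply(headers: Dict[str, str], payload: Dict[str, Any]) -> CompositeOutcome:
    """Classify the reply to a CompositeUpdateAlertCommand."""
    schema = headers.get("X-Message-Schema", "")
    if schema == COMPOSITE_REPLY_SCHEMA:
        errors = _messages(payload.get("errors", []))
        # Some operations may have failed while the rest applied; the returned alert is
        # the authoritative post-update state, not what was asked for.
        return CompositeOutcome("partial" if errors else "applied", payload["alert"], errors)
    if schema == SERVER_ERROR_SCHEMA:
        if "errors" in payload:  # CompositeServerError: every operation failed
            return CompositeOutcome("failed",
                                    errors=[payload.get("errorMessage", "")] + _messages(payload["errors"]))
        # Plain ServerError: the spec withholds the message; only name and code arrive.
        return CompositeOutcome("failed", errors=[f"{payload.get('code')}: message withheld by CDC"])
    raise ValueError(f"unexpected reply schema {schema!r}")


def unapplied_fields(requested: Dict[str, Any], alert_after: Dict[str, Any]) -> List[str]:
    """Names of requested fields whose value is not reflected in the returned alert.

    Single fields must match exactly; collections only append, so each requested item
    must be present. Requested nulls/empties are skipped (delete or ignore semantics).
    """
    missing: List[str] = []
    for key, wanted in requested.items():
        if key == "alertId" or wanted in (None, "", []):
            continue
        got = alert_after.get(key)
        if key in SINGLE_FIELDS:
            if got != wanted:
                missing.append(key)
        elif key in COLLECTION_FIELDS:
            fold = (lambda v: str(v).lower()) if key in FOLDED else str
            if not {fold(v) for v in wanted} <= {fold(v) for v in (got or [])}:
                missing.append(key)
    return missing
```

Treat a "partial" outcome as a success for the fields that did apply and as a retry decision for the ones in the error list; resending the whole command would append the collection values a second time.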

#17 Add Observables To Alert Command AddObservablesToAlertCommand

Adds observables to alert

This message is a command message that adds observables to an alert

Payload
object
alertId
required
string

The unique Alert ID as defined by CDC

observables
required
array< object>
>= 1 items

The observables to be added to the alert

Items:

0
object
type
required
string

The type of the observable

value
required
string

The value of the observable

tags
array<string>
Unique

Array of tags. A tag's name may contain only the following characters: letters, digits, "-", "_", ".", "#" and "@".

Tags are case-preserving on insertion: if the tag does not already exist with a different casing, it is saved with the casing given. When used as query filters, tags are treated as case-insensitive.

Items:

0
string
must match ^\S*$

Additional items are allowed.

extraProperties
anyOf

Extra properties of the observable

0
object

Additional properties must adhere to the following schema:

(property name)
object
value
required
anyOf
0
string
1
number
2
boolean
3
array<string>

Items:

0
string

Additional items are allowed.

4
array<number>

Items:

0
number

Additional items are allowed.

5
array<boolean>

Items:

0
boolean

Additional items are allowed.

type
string

Additional properties are allowed.

relatedExtraProperties
anyOf

Related extra properties of the observable

0
object

Additional properties must adhere to the following schema:

(property name)
object
value
required
anyOf
0
string
1
number
2
boolean
3
array<string>

Items:

0
string

Additional items are allowed.

4
array<number>

Items:

0
number

Additional items are allowed.

5
array<boolean>

Items:

0
boolean

Additional items are allowed.

type
string

Additional properties are allowed.

Additional properties are allowed.

Additional items are allowed.

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

X-Initiated-By
required
string

The user id of the user who initiated this action, as defined in CDC

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "action/add-observables-to-alert-command; version=1;"
#18 Add Observables To Alert Reply AddObservablesToAlertReply

The reply returned after observables have been added to an alert

replies

This message is the reply to an Add Observables To Alert command

Payload
object
alertId
required
string

The unique Alert ID as defined by CDC

observables
required
array<object>
>= 1 items Unique

The list of all observables associated with the alert after the operation has completed

type
required
string

The type of the observable

value
required
string

The value of the observable

Additional items are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "reply/alert-observables-add-reply; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#19 Add Tags To Alert Command AddTagsToAlertCommand

Adds tags to alert

This message is a command message that adds tags to an alert

Payload
object
alertId
required
string

The unique Alert ID as defined by CDC

tags
required
array<string>
>= 1 items <= 10 items Unique

Array of tags. A tag name may contain only letters, digits and the symbols "-", "_", ".", "#" and "@".

Tags are case-preserving on insertion: if no tag with the same name in a different casing already exists, the tag is saved with the casing specified. When used as query filters, tags are matched case-insensitively.

Items:

0
string
must match ^\S*$

Additional items are allowed.

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

X-Initiated-By
required
string

The user id of the user who initiated this action, as defined in CDC

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "action/add-tags-to-alert-command; version=1;"
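The two commands above (#17 Add Observables To Alert and #19 Add Tags To Alert) share the same header envelope and the same tag rules. The following is an added example, not code from the CDC spec or from CyberProof: it builds the AMQP body and headers for both commands, validates tags against the alphabet stated above, and collapses case-insensitive duplicates client-side before they are sent. The alert ID, user ID and reply address are placeholders; the tag regex is an assumption derived from the allowed-symbol list (it is stricter than the schema's `^\S*$` pattern and rejects the empty string); publishing the returned body and headers over AMQP is left to whichever client library you use.

```python
import json
import re
import uuid

# Schema constants from the spec above.
ADD_OBSERVABLES_SCHEMA = "action/add-observables-to-alert-command; version=1;"
ADD_TAGS_SCHEMA = "action/add-tags-to-alert-command; version=1;"
MAX_TAGS_PER_COMMAND = 10  # AddTagsToAlertCommand allows 1..10 tags

# Tag alphabet from the spec: letters, digits, "-", "_", ".", "#", "@".
# Assumption: this is stricter than the schema's ^\S*$ pattern (which only
# bans whitespace) and, unlike it, also rejects the empty string.
_TAG_RE = re.compile(r"^[A-Za-z0-9._#@-]+$")


def is_valid_tag(tag):
    return isinstance(tag, str) and bool(_TAG_RE.match(tag))


def validate_tags(tags):
    """Check every tag and drop case-insensitive duplicates, keeping the first casing.

    CDC keeps the first casing it sees and matches case-insensitively in
    queries, so sending "C2" and "c2" in one command is pointless; collapsing
    them client-side is this example's choice, not CDC behaviour.
    """
    if not tags:
        raise ValueError("at least one tag is required")
    first_seen = {}
    for tag in tags:
        if not is_valid_tag(tag):
            raise ValueError(f"invalid tag {tag!r}: only letters, digits and - _ . # @ are allowed")
        first_seen.setdefault(tag.lower(), tag)
    return list(first_seen.values())


def build_command(schema, payload, initiated_by, reply_to=None, correlation_id=None):
    """Return (body_bytes, headers) for a CDC command message.

    message_id is what CDC deduplicates on: generate a fresh one per operation,
    but reuse it when retrying the same operation after a timeout so a rerun
    is not applied twice. correlation_id defaults to message_id so replies can
    be matched without extra bookkeeping (a local convention, not a CDC rule).
    """
    message_id = str(uuid.uuid4())
    headers = {
        "message_id": message_id,
        "X-Initiated-By": initiated_by,
        "correlation_id": correlation_id or message_id,
        "X-Message-Schema": schema,
    }
    if reply_to is not None:
        # Format per the spec: <exchangeName>:<routingKey>; omit it to get no reply.
        exchange, sep, routing_key = reply_to.partition(":")
        if not (sep and exchange and routing_key):
            raise ValueError("reply_to must be <exchangeName>:<routingKey>")
        headers["reply_to"] = reply_to
    body = json.dumps(payload, separators=(",", ":")).encode("utf-8")
    return body, headers


def add_observables_command(alert_id, observables, initiated_by, reply_to=None):
    """AddObservablesToAlertCommand: each observable needs type and value;
    tags and extraProperties ({name: {"value": ...}}) are optional."""
    if not observables:
        raise ValueError("at least one observable is required")
    items = []
    for obs in observables:
        item = {"type": obs["type"], "value": obs["value"]}
        if obs.get("tags"):
            item["tags"] = validate_tags(obs["tags"])
        if obs.get("extraProperties"):
            item["extraProperties"] = {
                name: {"value": value} for name, value in obs["extraProperties"].items()
            }
        items.append(item)
    payload = {"alertId": alert_id, "observables": items}
    return build_command(ADD_OBSERVABLES_SCHEMA, payload, initiated_by, reply_to)


def add_tags_command(alert_id, tags, initiated_by, reply_to=None):
    """AddTagsToAlertCommand: 1 to 10 unique tags."""
    tags = validate_tags(tags)
    if len(tags) > MAX_TAGS_PER_COMMAND:
        raise ValueError(f"at most {MAX_TAGS_PER_COMMAND} tags per command")
    return build_command(ADD_TAGS_SCHEMA, {"alertId": alert_id, "tags": tags},
                         initiated_by, reply_to)


if __name__ == "__main__":
    # Constructed sample input; the alert ID, user ID and reply address are placeholders.
    body, headers = add_observables_command(
        "alert-123",
        [{"type": "ip", "value": "203.0.113.7",
          "tags": ["C2", "c2", "Tor-exit"],
          "extraProperties": {"asn": 64496, "seenBefore": False}}],
        initiated_by="user-42",
        reply_to="cdc.replies:observables",
    )
    print(headers)
    print(body.decode())
```

Note the retry semantics: a new `message_id` per call is right for a new operation, but if a publish times out and you resend the same operation, pass the original headers again rather than rebuilding them, otherwise CDC sees two distinct operations and the deduplication described for `message_id` cannot help you.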
#20 Add Tags To Alert Reply AddTagsToAlertReply

The reply returned after tags have been added to an alert

replies

This message is the reply to an Add Tags To Alert command

Payload
object
alertId
required
string

The unique Alert ID as defined by CDC

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "reply/alert-tags-add-reply; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#21 Add Phases To Alert Kill Chain Command AddToAlertKillChainCommand

Adds phases to alert Kill Chain

This message is a command message that adds phases to alert Kill Chain Mapping

Payload
object
alertId
required
string

The unique Alert ID as defined by CDC

phases
required
array<string>
>= 1 items

Mapping of the alert to specific Kill Chain phases. The case of the names is ignored, as are spaces and duplicate values. All values are normalized according to the enum below. See the Cyber Kill Chain article on Wikipedia.

Validations:

  • The phases array must not be empty.
  • Each phase name cannot exceed 256 characters.
  • The phases array must be a subset of the values in the enum below.
Enum: "Reconnaissance" "Weaponization" "Delivery" "Exploitation" "Installation" "Command and Control" "Actions on Objective"

Items:

0
string

Additional items are allowed.

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

X-Initiated-By
required
string

The user id of the user who initiated this action, as defined in CDC

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "action/add-to-alert-kill-chain-command; version=1;"
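The command above accepts phase names in any casing and with stray spaces, drops duplicates, and rejects anything outside the enum. Because the command is queued and the outcome only arrives in an asynchronous reply, it is worth applying the same normalization before publishing so that a typo is caught locally. The following is an added example, not code from the CDC spec or from CyberProof; the enum and the 256-character limit are taken from the spec, while the whitespace-stripping key function is this example's reading of "spaces are ignored".

```python
import re

# The Kill Chain enum from the spec; reply values are normalized to these spellings.
KILL_CHAIN_PHASES = (
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objective",
)
MAX_PHASE_LEN = 256  # per the spec's validation rules


def _phase_key(name):
    # CDC ignores case and spaces, so compare on a lowercased, space-free key.
    return re.sub(r"\s+", "", name).lower()


_CANONICAL = {_phase_key(p): p for p in KILL_CHAIN_PHASES}


def is_known_phase(name):
    return isinstance(name, str) and _phase_key(name) in _CANONICAL


def normalize_phases(phases):
    """Return the phases in canonical spelling, in first-seen order, without duplicates.

    Mirrors the command's validation rules client-side so a bad phase fails
    here rather than, at best, in an asynchronous reply.
    """
    if not phases:
        raise ValueError("phases must not be empty")
    out = []
    for raw in phases:
        if not isinstance(raw, str) or len(raw) > MAX_PHASE_LEN:
            raise ValueError(f"phase must be a string of at most {MAX_PHASE_LEN} chars: {raw!r}")
        canonical = _CANONICAL.get(_phase_key(raw))
        if canonical is None:
            raise ValueError(f"unknown Kill Chain phase {raw!r}; expected one of {KILL_CHAIN_PHASES}")
        if canonical not in out:
            out.append(canonical)
    return out


def add_to_kill_chain_payload(alert_id, phases):
    """Payload for AddToAlertKillChainCommand (headers are built as for any other command)."""
    return {"alertId": alert_id, "phases": normalize_phases(phases)}


if __name__ == "__main__":
    # Constructed sample input: mixed case, stray spaces and a duplicate; alert ID is a placeholder.
    print(add_to_kill_chain_payload(
        "alert-123",
        ["command and control", " Reconnaissance", "RECONNAISSANCE", "Actions onObjective"],
    ))
```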
#22 Update Alert Kill Chain Reply AlertKillChainUpdateReply

Update Alert Kill Chain Reply

replies
  • This message is the reply to an update (Add Phases / Remove Phases) of the alert's Kill Chain.
  • The payload represents the updated alert data, including the updated killChain.
Payload
object
id
required
string

A unique, machine-oriented ID identifying this alert.

modified
required
string
date-time

Last modification timestamp

modifiedBy
required
string

The Id of the user responsible for last alert update.

killChain
required
array<string>

Mapping of the alert to specific Kill Chain phases. The case of the names is ignored, as are spaces and duplicate values. All values are normalized according to the enum below. See the Cyber Kill Chain article on Wikipedia.

This field accepts any value; the provided enum shows the recommended values.

Enum: "Reconnaissance" "Weaponization" "Delivery" "Exploitation" "Installation" "Command and Control" "Actions on Objective"

Items:

0
string
length <= 256

Additional items are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "reply/alert-kill-chain-update-reply; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#23 Append To Alert Raw Data Command AppendAlertRawDataCommand

Append To Alert Raw Data

This message is a command message that appends raw data to an alert

Payload
object
length <= 2097152
alertId
required
string

The unique Alert ID as defined by CDC

raw
required
object

Alert raw data, as provided by the SIEM or source system.

Note: keys must not begin with ".", "*" or "$".

Additional properties are allowed.

externalId
string

External identifier for this raw data slice, used to ensure the same data is not written twice. When two requests are sent with the same externalId and the first succeeds, the second is ignored and a success reply is returned. When externalId is omitted, there is no guarantee that the data will not be duplicated.

NOTE: the externalId must be unique (within the scope of the alert) for the data appended.

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

X-Initiated-By
required
string

The user id of the user who initiated this action, as defined in CDC

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "action/append-alert-raw-data-command; version=1;"
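Two things in the command above deserve a check before the message is queued: the key restriction (no key may begin with ".", "*" or "$", at any nesting level; the spec gives no reason, but these prefixes are reserved as operators or path separators in common document databases) and the 2 MiB payload limit, both of which would otherwise only surface as an asynchronous failure. The following is an added example, not code from the CDC spec or from CyberProof: it walks the raw object recursively, derives an `externalId` from the content so that a retried append is idempotent, and refuses an oversized payload. Deriving `externalId` by hashing the canonical JSON is this example's convention; CDC only requires that the value be unique per alert for distinct data.

```python
import hashlib
import json

MAX_COMMAND_BYTES = 2097152          # payload length limit from the spec (2 MiB)
FORBIDDEN_KEY_PREFIXES = (".", "*", "$")


def check_raw_keys(obj, path="raw"):
    """Walk the raw object and reject any key that begins with '.', '*' or '$'.

    The spec forbids these prefixes, and nothing says nested objects are exempt,
    so objects inside objects and inside arrays are checked too. Returns True
    when the object is clean.
    """
    if isinstance(obj, dict):
        for key, value in obj.items():
            if not isinstance(key, str) or key[:1] in FORBIDDEN_KEY_PREFIXES:
                raise ValueError(f"forbidden key {key!r} at {path}")
            check_raw_keys(value, f"{path}.{key}")
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            check_raw_keys(value, f"{path}[{i}]")
    return True


def has_forbidden_keys(obj):
    try:
        check_raw_keys(obj)
    except ValueError:
        return True
    return False


def raw_external_id(raw):
    """Deterministic externalId for a raw slice: SHA-256 of its canonical JSON.

    Resending the same slice (e.g. after a publish timeout) reproduces the same
    id, so CDC ignores the duplicate and still answers with success. Deriving
    the id from content is this example's convention, not CDC's. Caveat: two
    genuinely distinct events with byte-identical raw data would collide and
    the second would be dropped, so include a source event id in the slice
    when that can happen.
    """
    canonical = json.dumps(raw, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def append_raw_payload(alert_id, raw):
    """Payload for AppendAlertRawDataCommand, key-checked and size-checked."""
    check_raw_keys(raw)
    payload = {"alertId": alert_id, "raw": raw, "externalId": raw_external_id(raw)}
    encoded = json.dumps(payload, separators=(",", ":")).encode("utf-8")
    if len(encoded) > MAX_COMMAND_BYTES:
        raise ValueError(f"payload is {len(encoded)} bytes; limit is {MAX_COMMAND_BYTES}")
    return payload


if __name__ == "__main__":
    # Constructed sample SIEM slice; the alert ID is a placeholder.
    sample = {"eventId": "evt-0001", "src": {"ip": "10.0.0.5", "port": 49152},
              "dst": {"ip": "203.0.113.7", "port": 443}, "tags": ["tls", "outbound"]}
    print(append_raw_payload("alert-123", sample))
    print(has_forbidden_keys({"$where": "1"}))  # a key CDC would reject
```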
#24 Append Raw Data Reply AppendRawDataReply

The reply returned after raw data has been appended to an alert

replies

This message is the reply to an Append To Alert Raw Data command

Payload
object
alertId
required
string

The unique Alert ID as defined by CDC

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "reply/alert-raw-data-append-reply; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#25 Add MitreAttacks To Alert Command AddMitreAttacksToAlertCommand

Adds the specified MitreAttacks to the specified alert

Payload
object
mitreAttacks
required
array<string>
>= 1 items Unique

MitreAttack Ids List

Items:

0
string

Additional items are allowed.

alertId
required
string

The unique Alert ID as defined by CDC

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

X-Initiated-By
required
string

The user id of the user who initiated this action, as defined in CDC

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "action/add-mitre-attacks-to-alert-command; version=1;"
#26 Add Mitre Attacks To Alert Reply AddMitreAttacksToAlertReply

The reply returned after MITRE attacks have been added to an alert

replies

This message is the reply to an Add MitreAttacks To Alert command

Payload
object
alertId
required
string

The unique Alert ID as defined by CDC

mitreAttacks
required
array<string>
Unique

MitreAttack Ids List

Items:

0
string

Additional items are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "reply/add-mitre-attacks-to-alert-reply; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#27 Remove MitreAttacks From Alert Command RemoveMitreAttacksFromAlertCommand

Removes the specified MitreAttacks from the specified alert

Payload
object
mitreAttacks
required
array<string>
>= 1 items Unique

MitreAttack Ids List

Items:

0
string

Additional items are allowed.

alertId
required
string

The unique Alert ID as defined by CDC

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

X-Initiated-By
required
string

The user id of the user who initiated this action, as defined in CDC

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "action/remove-mitre-attacks-from-alert-command; version=1;"
#28 Remove Mitre Attacks From Alert Reply RemoveMitreAttacksFromAlertReply

The reply returned after MITRE attacks have been removed from an alert

replies

This message is the reply to a Remove MitreAttacks From Alert command

Payload
object
alertId
required
string

The unique Alert ID as defined by CDC

mitreAttacks
required
array<string>
Unique

MitreAttack Ids List

Items:

0
string

Additional items are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "reply/remove-mitre-attacks-from-alert-reply; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#29 Add Evidence To Alert Command AddEvidenceToAlertCommand

Adds evidence to alert

This message is a command message that adds evidence to an alert

Payload
object

Validations:

  • For text evidence, provide caption and description.
  • For evidence created from a message, provide caption and either messageId or externalId.
  • For any other (custom) evidence type, provide type and data.
alertId
required
string

The unique Alert ID as defined by CDC

type
string

The type of evidence

Enum: "TEXT" "ALERT_OWNER_ASSIGNED" "ALERT_OWNER_REMOVED" "ALERT_STATUS_CHANGED" "ALERT_ATTACHED_TO_INCIDENT" "ALERT_AUTOMATION_JOB_ENDED" "ALERT_AUTOMATION_JOB_STARTED" "ALERT_CLOSED" "ALERT_DETACHED_FROM_INCIDENT" "ALERT_DETECTED" "ALERT_RESOLVED" "ALERT_INCIDENT_CREATED" "ALERT_PLAYBOOK_STEP_COMPLETED" "ALERT_REOPENED" "ALERT_ATTACHED_TO_INCIDENT_BY_GROUPING_RULE" "MITRE_ATTACK_ADDED" "MITRE_ATTACK_REMOVED" "INCIDENT_ALERT_ADDED" "INCIDENT_ALERT_REMOVED" "INCIDENT_CREATED" "INCIDENT_CLOSED" "INCIDENT_REOPENED" "INCIDENT_STATUS_CHANGED" "INCIDENT_COMPANY_CHANGED" "INCIDENT_SEVERITY_CHANGED" "INCIDENT_PRIORITY_CHANGED" "INCIDENT_TYPE_CHANGED" "INCIDENT_OWNER_CHANGED" "INCIDENT_ESCALATED" "INCIDENT_ESCALATION_REVOKED" "INCIDENT_ESCALATION_ACCEPTED" "INCIDENT_ESCALATION_REMINDER_SENT" "PLAYBOOK_ADDED" "PLAYBOOK_STEP_COMPLETED" "PLAYBOOK_USER_INPUT_REQUIRED" "PLAYBOOK_EVIDENCES_PROVIDED" "PLAYBOOK_TERMINATED"
data
oneOf
0
object
alertId
string

The unique Alert ID as defined by CDC

alertName
string

The name of the alert

incidentId
string

The unique Incident ID as defined by CDC

incidentName
string

The name of the incident

ruleTitle
string

The name of the rule on which alert was attached to the incident using grouping rules mechanism

groupingRules
array<object>
matchValue
array<string>

Items:

0
string

The values to compare against the alert field

Additional items are allowed.

fieldName
required
string

The name of the alert field used by the grouping mechanism

operator
required
string

The operator used to compare fieldName with matchValue

Enum: "allOf" "oneOf" "equal"

Additional items are allowed.

Additional properties are allowed.

reported
required
string
date-time

The time when this evidence was reported

caption
string

The caption of the evidence

messageId
string

The ID of the message this evidence was created from.

description
string

The description of this evidence

externalId
string

The identifier of the evidence, as it appears in external systems, mostly used to achieve idempotence

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

X-Initiated-By
required
string

The user id of the user who initiated this action, as defined in CDC

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "action/add-evidence-to-alert-command; version=1;"
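The evidence command above has three valid shapes (text, message-derived, custom) whose required fields differ, and the schema itself cannot express that: every field except alertId and reported is optional. The following is an added example, not code from the CDC spec or from CyberProof: it classifies a payload according to the three validation rules, checks the grouping-rule operator enum for the ALERT_ATTACHED_TO_INCIDENT_BY_GROUPING_RULE data shape, and builds text evidence with an externalId so a retry is idempotent. Treating a missing type as TEXT is this example's assumption (the reply documents both text and message-derived evidence as type="TEXT"); the enum is copied from the spec.

```python
from datetime import datetime, timezone

# Evidence type enum from the spec.
EVIDENCE_TYPES = frozenset("""
TEXT ALERT_OWNER_ASSIGNED ALERT_OWNER_REMOVED ALERT_STATUS_CHANGED
ALERT_ATTACHED_TO_INCIDENT ALERT_AUTOMATION_JOB_ENDED ALERT_AUTOMATION_JOB_STARTED
ALERT_CLOSED ALERT_DETACHED_FROM_INCIDENT ALERT_DETECTED ALERT_RESOLVED
ALERT_INCIDENT_CREATED ALERT_PLAYBOOK_STEP_COMPLETED ALERT_REOPENED
ALERT_ATTACHED_TO_INCIDENT_BY_GROUPING_RULE MITRE_ATTACK_ADDED MITRE_ATTACK_REMOVED
INCIDENT_ALERT_ADDED INCIDENT_ALERT_REMOVED INCIDENT_CREATED INCIDENT_CLOSED
INCIDENT_REOPENED INCIDENT_STATUS_CHANGED INCIDENT_COMPANY_CHANGED
INCIDENT_SEVERITY_CHANGED INCIDENT_PRIORITY_CHANGED INCIDENT_TYPE_CHANGED
INCIDENT_OWNER_CHANGED INCIDENT_ESCALATED INCIDENT_ESCALATION_REVOKED
INCIDENT_ESCALATION_ACCEPTED INCIDENT_ESCALATION_REMINDER_SENT PLAYBOOK_ADDED
PLAYBOOK_STEP_COMPLETED PLAYBOOK_USER_INPUT_REQUIRED PLAYBOOK_EVIDENCES_PROVIDED
PLAYBOOK_TERMINATED
""".split())
GROUPING_RULE_TYPE = "ALERT_ATTACHED_TO_INCIDENT_BY_GROUPING_RULE"
GROUPING_OPERATORS = frozenset({"allOf", "oneOf", "equal"})  # from the spec


def _utc_now():
    # RFC 3339 / ISO 8601 date-time with a Z suffix, as the spec's date-time fields expect.
    return datetime.now(timezone.utc).isoformat(timespec="seconds").replace("+00:00", "Z")


def validate_evidence(payload):
    """Classify an AddEvidenceToAlertCommand payload as "text", "message" or "custom".

    Encodes the three validation rules from the spec. A missing type is
    treated as TEXT (this example's assumption).
    """
    if not payload.get("alertId"):
        raise ValueError("alertId is required")
    if not payload.get("reported"):
        raise ValueError("reported (date-time) is required")
    etype = payload.get("type", "TEXT")
    if etype == "TEXT":
        if not payload.get("caption"):
            raise ValueError("TEXT evidence requires a caption")
        if payload.get("description"):
            return "text"
        if payload.get("messageId") or payload.get("externalId"):
            return "message"
        raise ValueError("TEXT evidence needs a description, or a messageId/externalId")
    if etype not in EVIDENCE_TYPES:
        raise ValueError(f"unknown evidence type {etype!r}")
    data = payload.get("data")
    if not isinstance(data, dict):
        raise ValueError("custom evidence requires type and data")
    if etype == GROUPING_RULE_TYPE:
        # The only data shape the spec describes: fieldName/operator are required per rule.
        for rule in data.get("groupingRules", []):
            if not rule.get("fieldName") or rule.get("operator") not in GROUPING_OPERATORS:
                raise ValueError(f"bad grouping rule {rule!r}")
    return "custom"


def text_evidence(alert_id, caption, description, external_id=None):
    """Build text evidence; an externalId lets a retried command be deduplicated."""
    payload = {"alertId": alert_id, "type": "TEXT", "caption": caption,
               "description": description, "reported": _utc_now()}
    if external_id:
        payload["externalId"] = external_id
    validate_evidence(payload)
    return payload


if __name__ == "__main__":
    # Constructed sample; alert ID and externalId are placeholders.
    ev = text_evidence("alert-123", "Analyst note", "Host isolated from network", external_id="note-7")
    print(validate_evidence(ev), ev)
```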
#30 Add Evidence To Alert Reply AddEvidenceToAlertReply

The reply returned after evidence has been added to an alert

replies

This message is the reply to an Add Evidence To Alert command

Payload
object

Validations:

  • For text evidence, caption and description are provided (type="TEXT").
  • For evidence created from a message, caption and either messageId or externalId are provided (type="TEXT").
  • For any other (custom) evidence type, type and data are provided.
id
required
string

A unique, machine-oriented ID identifying this evidence.

caption
string

The caption of the evidence

name
deprecated
string

name property is deprecated. Used for backwards compatibility, instead use caption property.

description
string

The evidence description. Note that this field may contain HTML tags.

type
required
string

The type of evidence

Enum: "TEXT" "ALERT_OWNER_ASSIGNED" "ALERT_OWNER_REMOVED" "ALERT_STATUS_CHANGED" "ALERT_ATTACHED_TO_INCIDENT" "ALERT_AUTOMATION_JOB_ENDED" "ALERT_AUTOMATION_JOB_STARTED" "ALERT_CLOSED" "ALERT_DETACHED_FROM_INCIDENT" "ALERT_DETECTED" "ALERT_RESOLVED" "ALERT_INCIDENT_CREATED" "ALERT_PLAYBOOK_STEP_COMPLETED" "ALERT_REOPENED" "ALERT_ATTACHED_TO_INCIDENT_BY_GROUPING_RULE" "MITRE_ATTACK_ADDED" "MITRE_ATTACK_REMOVED" "INCIDENT_ALERT_ADDED" "INCIDENT_ALERT_REMOVED" "INCIDENT_CREATED" "INCIDENT_CLOSED" "INCIDENT_REOPENED" "INCIDENT_STATUS_CHANGED" "INCIDENT_COMPANY_CHANGED" "INCIDENT_SEVERITY_CHANGED" "INCIDENT_PRIORITY_CHANGED" "INCIDENT_TYPE_CHANGED" "INCIDENT_OWNER_CHANGED" "INCIDENT_ESCALATED" "INCIDENT_ESCALATION_REVOKED" "INCIDENT_ESCALATION_ACCEPTED" "INCIDENT_ESCALATION_REMINDER_SENT" "PLAYBOOK_ADDED" "PLAYBOOK_STEP_COMPLETED" "PLAYBOOK_USER_INPUT_REQUIRED" "PLAYBOOK_EVIDENCES_PROVIDED" "PLAYBOOK_TERMINATED"
data
oneOf
0
object
alertId
string

The unique Alert ID as defined by CDC

alertName
string

The name of the alert

incidentId
string

The unique Incident ID as defined by CDC

incidentName
string

The name of the incident

ruleTitle
string

The name of the rule on which alert was attached to the incident using grouping rules mechanism

groupingRules
array<object>
matchValue
array<string>

Items:

0
string

The values to compare against the alert field

Additional items are allowed.

fieldName
required
string

The name of the alert field used by the grouping mechanism

operator
required
string

The operator used to compare fieldName with matchValue

Enum: "allOf" "oneOf" "equal"

Additional items are allowed.

Additional properties are allowed.

created
required
string
date-time

Timestamp of when the evidence was created

reported
required
string
date-time

Timestamp of when the evidence was reported (could be different than the evidence creation timestamp)

messageId
string

The ID of the message this evidence was created from

messageCdcUrl
string
url

The URL of the message in the CDC application that this evidence was created from.

guiUrl
deprecated
string
url

guiUrl property is deprecated. Used for backwards compatibility, instead use messageCdcUrl property.

externalId
string

The identifier of the evidence, as it appears in external systems, mostly used to achieve idempotence

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "reply/alert-evidence-add-reply; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#31 Incident Creation Command CreateIncidentCommand

Create a new incident in the CDC.

This message is a command message that will result in incident creation

Payload
object
length <= 2097152
name
required
string

The name of the incident

description
required
string
length <= 5000

Incident description. It cannot exceed 5000 characters; if it does, the command will not fail but the description will be truncated.

company
string

Name of the company / division to which this incident or alert belongs.

Not to be confused with the "organization" field, which was used to distinguish between tenants and is deprecated.

Note that most customers do not use the "company" feature. The value must be one of the companies defined in the CDC database.

priority
required
string

The incident priority must be one of the priorities defined in CDC.

type
string

Incident type. Must be one of the types defined in CDC.

Examples: "Malware" "Unauthorized access"
alertIds
array<string>
Unique

The alert IDs to be added to the Incident

Items:

0
string

The unique Alert ID as defined by CDC

Additional items are allowed.

tags
array<string>
Unique

Array of tags. A tag name may contain only letters, digits and the symbols "-", "_", ".", "#" and "@".

Tags are case-preserving on insertion: if no tag with the same name in a different casing already exists, the tag is saved with the casing specified. When used as query filters, tags are matched case-insensitively.

Items:

0
string
must match ^\S*$

Additional items are allowed.

externalIds
array<object>

IDs of this incident as listed in external systems

system
string

The name of the external system

id
string

The entity's identifier in the external system

Additional items are allowed.

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

X-Initiated-By
required
string

The user id of the user who initiated this action, as defined in CDC

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "action/create-incident-command; version=1;"
#32 Create Incident Reply CreateIncidentReply

The reply returned after an incident has been created

replies

This message is the reply to an Incident Creation command

Payload
allOf
0
object
id
required
string

A unique, machine-oriented ID identifying this incident

key
required
string

A unique, human-oriented key identifying this incident

name
required
string

The name of the incident

description
required
string

The incident description

created
required
string
date-time

The time when the incident was created, in UTC

updated
required
string
date-time

The time when the incident was last updated, in UTC

type
required
string

Incident type

status
required
string

Incident status

Enum: "open" "pending" "closed"
priority
required
string

The incident priority must be one of the priorities defined in CDC.

group
required
string

The group to which this incident is currently assigned

externalIds
required
array<object>

Array of external identifiers of the entity.

system
string

The name of the external system

id
string

The entity's identifier in the external system

Additional items are allowed.

tags
required
array<string>
Unique

Array of tags. A tag name may contain only letters, digits and the symbols "-", "_", ".", "#" and "@".

Tags are case-preserving on insertion: if no tag with the same name in a different casing already exists, the tag is saved with the casing specified. When used as query filters, tags are matched case-insensitively.

Items:

0
string
must match ^\S*$

Additional items are allowed.

company
string

Name of the company / division to which this incident or alert belongs.

Not to be confused with the "organization" field, which was used to distinguish between tenants and is deprecated.

Note that most customers do not use the "company" feature. The value must be one of the companies defined in the CDC database.

pendingForGroup
string

If this incident was redirected to a different group this will contain the name of the target group

redirectionReason
string

If this incident was redirected to a different group this will contain the user comment provided with redirection request

endSlaDate
string
date-time

Service level agreement end date

Additional properties are allowed.

1
object
alertIds
required
array<string>

The IDs of all alerts associated with the incident

Items:

0
string

The unique Alert ID as defined by CDC

Additional items are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "reply/incident-create-reply; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#33 Incident Validation Error Message IncidentValidationError

The reply returned if any of the input data is invalid.

errors
Payload
object
name
required
string

IncidentValidationError

code
required
string

ERR_INVALID_INPUT

message
required
string

The Error Message

Additional properties are allowed.

Headers
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.
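A consumer of the reply queue has to tell three kinds of message apart for the incident creation command above (#31): the success reply (#32), which carries both `correlation_id` and the `X-Message-Schema` constant, and error messages such as the validation error (#33), which carry only `correlation_id` and identify themselves by the `name`/`code`/`message` shape of the payload. The following is an added example, not code from the CDC spec or from CyberProof: it keeps a table of outstanding correlation IDs, consumes a matching reply or error exactly once, and ignores anything it did not ask for, since a reply queue is only as trustworthy as the set of principals allowed to publish to it. The sample reply and error bodies are constructed; the incident ID and key in them are placeholders.

```python
import json

# Reply schema constant from the spec; register the one you expect for each command.
INCIDENT_CREATE_REPLY = "reply/incident-create-reply; version=1;"


class PendingCommands:
    """Match asynchronous replies and error messages to the commands that caused them.

    Replies carry X-Message-Schema plus correlation_id; error messages such as
    IncidentValidationError carry only correlation_id, so the headers alone
    cannot distinguish them and the body's name/code/message shape is checked.
    """

    def __init__(self):
        self._pending = {}  # correlation_id -> expected reply schema constant

    def register(self, correlation_id, expected_reply_schema):
        self._pending[correlation_id] = expected_reply_schema

    def outstanding(self):
        return sorted(self._pending)

    def handle(self, headers, body):
        """Return (kind, correlation_id, payload) with kind in
        "reply", "error", "unexpected" or "ignored"."""
        cid = headers.get("correlation_id")
        expected = self._pending.get(cid)
        if expected is None:
            # Unknown or already-consumed correlation id: never act on it, since
            # anything able to publish to the reply queue could send such a message.
            return "ignored", cid, None
        try:
            payload = json.loads(body)
        except ValueError:
            return "unexpected", cid, None
        schema = headers.get("X-Message-Schema")
        if schema == expected:
            del self._pending[cid]
            return "reply", cid, payload
        if schema is None and isinstance(payload, dict) and {"name", "code", "message"}.issubset(payload):
            del self._pending[cid]
            return "error", cid, payload
        # Wrong schema version or an unrelated message: keep waiting and log it.
        return "unexpected", cid, payload


if __name__ == "__main__":
    pending = PendingCommands()
    pending.register("corr-1", INCIDENT_CREATE_REPLY)
    pending.register("corr-2", INCIDENT_CREATE_REPLY)
    # Constructed sample messages as they would arrive on the reply queue.
    print(pending.handle(
        {"correlation_id": "corr-1", "X-Message-Schema": INCIDENT_CREATE_REPLY},
        b'{"id":"inc-1","key":"INC-1","name":"Suspicious login","alertIds":["alert-123"]}'))
    print(pending.handle(
        {"correlation_id": "corr-2"},
        b'{"name":"IncidentValidationError","code":"ERR_INVALID_INPUT","message":"unknown priority"}'))
    print(pending.handle({"correlation_id": "corr-1"}, b'{}'))  # replayed: ignored
    print(pending.outstanding())
```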

#34 Add Alerts To Incident Command AddAlertsToIncidentCommand

Adds the specified alerts to the specified incident

This message is a command message that adds alerts to an incident

Payload
object
alertIds
required
array<string>
>= 1 items Unique

The alert IDs to be added to the Incident

Items:

0
string

The unique Alert ID as defined by CDC

Additional items are allowed.

incidentId
required
string

The unique Incident ID as defined by CDC

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

X-Initiated-By
required
string

The user id of the user who initiated this action, as defined in CDC

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "action/add-alerts-to-incident-command; version=1;"
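To show how the X-Message-Schema, reply_to and correlation_id headers above fit together, here is an added Python example (not CDC's own client code): it parses the two header formats as described on this page, builds an AddAlertsToIncidentCommand envelope that enforces the payload constraints (at least one unique alert ID), and matches an incoming reply to its request by correlation_id. The exchange name, routing key, user and entity IDs in it are constructed sample values.

```python
import re
import uuid
from dataclasses import dataclass
from typing import Optional

# Schema constants taken from the message definitions on this page.
ADD_ALERTS_SCHEMA = "action/add-alerts-to-incident-command; version=1;"
ADD_ALERTS_REPLY_SCHEMA = "reply/incident-alerts-add-reply; version=1;"
NOT_FOUND_SCHEMA = "error/not-found-error; version=1;"

# X-Message-Schema format: {event-type}/{schema-name}; version={version}({-stage});
# The schema name is lowercase and dash-separated; the version is normally an
# integer, optionally followed by a hyphen and dot-separated pre-release ids.
SCHEMA_RE = re.compile(
    r"^(?P<type>[a-z]+)/(?P<name>[a-z0-9]+(?:-[a-z0-9]+)*);\s*"
    r"version=(?P<major>\d+)(?:-(?P<stage>[0-9A-Za-z]+(?:\.[0-9A-Za-z]+)*))?;?$"
)


@dataclass(frozen=True)
class MessageSchema:
    event_type: str   # "action", "reply" or "error"
    name: str         # e.g. "add-alerts-to-incident-command"
    major: int        # major version; the only part that normally matters
    stage: Optional[str] = None  # pre-release identifiers, if any


def parse_schema(header: str) -> MessageSchema:
    """Parse an X-Message-Schema header value; reject anything off-format."""
    m = SCHEMA_RE.match(header.strip())
    if not m:
        raise ValueError(f"malformed X-Message-Schema: {header!r}")
    return MessageSchema(m["type"], m["name"], int(m["major"]), m["stage"])


def parse_reply_to(reply_to: str) -> tuple:
    """Split a reply_to header of the form <exchangeName>:<routingKey>."""
    exchange, sep, routing_key = reply_to.partition(":")
    if not sep or not exchange or not routing_key:
        raise ValueError(f"malformed reply_to: {reply_to!r}")
    return exchange, routing_key


def build_add_alerts_command(incident_id, alert_ids, initiated_by,
                             reply_to=None, correlation_id=None):
    """Build the headers and payload of an AddAlertsToIncidentCommand."""
    if not incident_id:
        raise ValueError("incidentId is required")
    # Payload constraints from the schema: >= 1 items, unique.
    if not alert_ids:
        raise ValueError("alertIds must contain at least one item")
    if len(set(alert_ids)) != len(alert_ids):
        raise ValueError("alertIds must be unique")
    if reply_to is not None:
        parse_reply_to(reply_to)  # fail early on a bad reply address
    headers = {
        # message_id is the deduplication key used on reruns, so a retry
        # of the same operation should reuse it rather than mint a new one.
        "message_id": str(uuid.uuid4()),
        "X-Initiated-By": initiated_by,
        "X-Message-Schema": ADD_ALERTS_SCHEMA,
        "correlation_id": correlation_id or str(uuid.uuid4()),
    }
    if reply_to is not None:
        headers["reply_to"] = reply_to
    payload = {"alertIds": list(alert_ids), "incidentId": incident_id}
    return {"headers": headers, "payload": payload}


def classify_reply(command, reply):
    """Relate a reply to its command: replies are matched by correlation_id,
    and the event-type of the reply's schema separates success from error."""
    if reply["headers"].get("correlation_id") != command["headers"]["correlation_id"]:
        return "unrelated"
    schema = parse_schema(reply["headers"]["X-Message-Schema"])
    if schema.event_type == "error":
        return "error:" + reply["payload"].get("code", "unknown")
    if schema == parse_schema(ADD_ALERTS_REPLY_SCHEMA):
        return "ok"
    return "unexpected"


if __name__ == "__main__":
    # Constructed sample values, not real CDC identifiers.
    cmd = build_add_alerts_command("inc-0001", ["alert-a", "alert-b"],
                                   "user-42", reply_to="cdc.replies:automation")
    not_found = {
        "headers": {"correlation_id": cmd["headers"]["correlation_id"],
                    "X-Message-Schema": NOT_FOUND_SCHEMA},
        "payload": {"name": "IncidentNotFoundError", "code": "ERR_NOT_FOUND",
                    "message": "constructed sample"},
    }
    print(parse_schema(cmd["headers"]["X-Message-Schema"]))
    print(classify_reply(cmd, not_found))
```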
#35 Add Alerts To Incident Reply AddAlertsToIncidentReply

The reply returned after adding alerts to the incident

replies

This message is a reply for adding alerts to the incident

Payload
object
incidentId
required
string

The unique Incident ID as defined by CDC

alertIds
required
array<string>
>= 1 items

The IDs of all alerts associated with the incident after the operation has completed

Items:

0
string

The unique Alert ID as defined by CDC

Additional items are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "reply/incident-alerts-add-reply; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#36 Incident Not Found Message IncidentNotFoundError

The reply returned if the incident with the specified identifier does not exist

errors
Payload
object
name
required
string

IncidentNotFoundError

code
required
string

ERR_NOT_FOUND

message
required
string

The incident ${incidentId} is not exist.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/not-found-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#37 Remove Alerts From Incident Command RemoveAlertsFromIncidentCommand

Removes the specified alerts from the specified incident

This message is a command message that removes alerts from an incident

Payload
object
alertIds
required
array<string>
>= 1 items Unique

The alert IDs to be removed from the Incident

Items:

0
string

The unique Alert ID as defined by CDC

Additional items are allowed.

incidentId
required
string

The unique Incident ID as defined by CDC

detachWithObservables
boolean

Flag that indicates if Alert Observables should be removed from the Incident

nextStateOptions
required
object
status
required
string

alert status after detaching

Enum: "New" "Closed"
closingReason
object

alert closing reason, required if nextStateOptions.status is Closed

reason
string

alert closing reason (the value should be one of those pre-set in metamodels)

comment
string

alert closing comment

Additional properties are allowed.

Additional properties are allowed.

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

X-Initiated-By
required
string

The user id of the user who initiated this action, as defined in CDC

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "action/remove-alerts-from-incident-command; version=1;"
#38 Remove Alerts From Incident Reply RemoveAlertsFromIncidentReply

The reply returned after removing alerts from the incident

replies

This message is a reply for removing alerts from the incident

Payload
object
incidentId
required
string

The unique Incident ID as defined by CDC

alertIds
required
array<string>
>= 1 items

The IDs of all alerts removed from the incident after the operation has completed

Items:

0
string

The unique Alert ID as defined by CDC

Additional items are allowed.

observableIds
required
array<string>

The IDs of all observables removed from the incident after the operation has completed

Items:

0
string

The unique Observable ID as defined by CDC

Additional items are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "reply/incident-alerts-remove-reply; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#39 Add Observables To Incident Command AddObservablesToIncidentCommand

Adds the specified observables to the specified incident

Payload
object
observables
required
array<object>
>= 1 items Unique

The observables to be added to the Incident

value
string

The observable's value

type
string

The observable's type

tags
array<string>
Unique

Array of tags. A tag's name can contain only the following characters: letters, digits, "-", "_", ".", "#" and "@".

Tags are case-preserving on insertion: if the tag does not already exist with a different casing, it is saved with the casing specified. When used as query filters, tags are treated as case-insensitive.

Items:

0
string
must match ^\S*$

Additional items are allowed.

Additional items are allowed.

incidentId
required
string

The unique Incident ID as defined by CDC

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

X-Initiated-By
required
string

The user id of the user who initiated this action, as defined in CDC

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "action/add-observables-to-incident-command; version=1;"
#40 Add Observables To Incident Reply AddObservablesToIncidentReply

The reply returned after adding observables to the incident

replies

This message is a reply for adding observables to the incident

Payload
object
incidentId
required
string

The unique Incident ID as defined by CDC

observables
required
array<object>
>= 1 items Unique

The list of all observables associated with the incident after the operation has completed

type
required
string

The type of the observable

value
required
string

The value of the observable

Additional items are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "reply/incident-observables-add-reply; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#41 Add MitreAttacks To Incident Command AddMitreAttacksToIncidentCommand

Adds the specified MitreAttacks to the specified incident

Payload
object
mitreAttackIds
required
array<string>
>= 1 items Unique

MitreAttack Ids List

Items:

0
string

Additional items are allowed.

incidentId
required
string

The unique Incident ID as defined by CDC

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

X-Initiated-By
required
string

The user id of the user who initiated this action, as defined in CDC

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "action/add-mitre-attacks-to-incident-command; version=1;"
#42 Add Mitre Attacks To Incident Reply AddMitreAttacksToIncidentReply

The reply returned after adding Mitre attacks to the incident

replies

This message is a reply for adding Mitre attacks to the incident

Payload
object
incidentId
required
string

The unique Incident ID as defined by CDC

mitreAttacks
required
array<string>
Unique

MitreAttack Ids List

Items:

0
string

Additional items are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "reply/add-mitre-attacks-to-incident-reply; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#43 Remove MitreAttacks From Incident Command RemoveMitreAttacksFromIncidentCommand

Removes the specified MitreAttacks from the specified incident

Payload
object
mitreAttackIds
required
array<string>
>= 1 items Unique

MitreAttack Ids List

Items:

0
string

Additional items are allowed.

incidentId
required
string

The unique Incident ID as defined by CDC

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

X-Initiated-By
required
string

The user id of the user who initiated this action, as defined in CDC

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "action/remove-mitre-attacks-from-incident-command; version=1;"
#44 Remove Mitre Attacks From Incident Reply RemoveMitreAttacksFromIncidentReply

The reply returned after removing Mitre attacks from the incident

replies

This message is a reply for removing Mitre attacks from the incident

Payload
object
incidentId
required
string

The unique Incident ID as defined by CDC

mitreAttacks
required
array<string>
Unique

MitreAttack Ids List

Items:

0
string

Additional items are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "reply/remove-mitre-attacks-from-incident-reply; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#45 Update Incident Details UpdateIncidentDetailsCommand

Updates specified incident fields

This message is a command message that will update the specified incident details

Payload
object
incidentId
required
string

The unique Incident ID as defined by CDC

name
string

The name of the incident

description
string
length <= 5000

Incident description. It cannot exceed 5000 characters; if it does, the command will not fail but the description will be truncated.

priority
string

The priority of this incident. Must be one of the priorities defined in CDC.

type
string

Incident type. Must be one of the types defined in CDC.

Examples: "Malware" "Unauthorized access"
tags
array<string>
Unique

Array of tags. A tag's name can contain only the following characters: letters, digits, "-", "_", ".", "#" and "@".

Tags are case-preserving on insertion: if the tag does not already exist with a different casing, it is saved with the casing specified. When used as query filters, tags are treated as case-insensitive.

Items:

0
string
must match ^\S*$

Additional items are allowed.

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

X-Initiated-By
required
string

The user id of the user who initiated this action, as defined in CDC

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "action/update-incident-details-command; version=1;"
#46 Update Incident Details Reply UpdateIncidentDetailsReply

The reply returned after updating the incident details

replies

This message is a reply for incident details update

Payload
object
id
required
string

A unique, machine-oriented ID identifying this incident

key
required
string

A unique, human-oriented key identifying this incident

name
required
string

The name of the incident

description
required
string

The incident description

created
required
string
date-time

The time when the incident was created, in UTC

updated
required
string
date-time

The time when the incident was last updated, in UTC

type
required
string

Incident type

status
required
string

Incident status

Enum: "open" "pending" "closed"
priority
required
string

The incident priority must be one of the priorities defined in CDC.

group
required
string

The group to which this incident is currently assigned

externalIds
required
array<object>

Array of external identifiers of the entity.

system
string

The name of the external system

id
string

The entity's identifier in the external system

Additional items are allowed.

tags
required
array<string>
Unique

Array of tags. A tag's name can contain only the following characters: letters, digits, "-", "_", ".", "#" and "@".

Tags are case-preserving on insertion: if the tag does not already exist with a different casing, it is saved with the casing specified. When used as query filters, tags are treated as case-insensitive.

Items:

0
string
must match ^\S*$

Additional items are allowed.

company
string

Name of the company / division to which this incident or alert belongs.

Not to be confused with the "organization" field, which was used to distinguish between tenants and is deprecated.

Note that most customers do not use the "company" feature. The value must be in the list of companies defined in the CDC database.

pendingForGroup
string

If this incident was redirected to a different group this will contain the name of the target group

redirectionReason
string

If this incident was redirected to a different group this will contain the user comment provided with redirection request

endSlaDate
string
date-time

Service level agreement end date

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "reply/incident-details-update-reply; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#47 Close Incident Command CloseIncidentCommand

Closes an incident

This message is a command message that will result in incident closure

Payload
object
incidentId
required
string

Incident ID to close

text
required
string

Incident closure summary

reason
string

Incident closure reason. Possible default values are: "Benign Positive", "True Positive", "False Positive - Incorrect alert logic", "False Positive - Inaccurate data" and "Undetermined".

Notice: additional custom reasons may be accepted, but only if such reasons are defined in CDC (metamodels).

shouldTerminatePlaybooks
boolean

Terminate playbooks parameter

Possible values:

  • true - will terminate all running playbooks in the alerts within the incident and change status(es) and close the incident/alert(s)
  • false (default) - close incident if there are no running playbooks, else - close incident flow will be canceled
group
string

Incident closure tier group

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

X-Initiated-By
required
string

The user id of the user who initiated this action, as defined in CDC

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "action/close-incident-command; version=1;"
#48 Close Incident Reply CloseIncidentReply

Closes an incident

replies
  • The message payload is empty
  • This message is a reply for incident close
Payload
object

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "reply/incident-close-reply; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#49 Conflict Error Message ConflictError

The reply returned if there are concurrency issues during operation execution

errors
Payload
object
name
required
string

ConflictError

code
required
string

ERR_CONFLICT

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/conflict-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#50 Redirect Incident Command RedirectIncidentCommand

Redirects an incident to another group

This message is a command message that will result in incident redirection

Payload
object
incidentId
required
string

The unique Incident ID as defined by CDC

targetGroup
required
string

The group to which the incident is being redirected

reason
required
string

The reason why this incident is being redirected

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

X-Initiated-By
required
string

The user id of the user who initiated this action, as defined in CDC

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "action/redirect-incident-command; version=1;"
#51 Redirect Incident Reply RedirectIncidentReply

The reply returned after redirecting an incident to another group

replies
  • The message payload is empty
  • This message is a reply for successful redirection of an incident to another group
Payload
object

Additional properties are allowed.

Headers
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "reply/incident-redirect-reply; version=1;"
#52 Link Incident External ID Command LinkIncidentExternalIdCommand

Links an incident to an external ID

Payload
object
incidentId
required
string

The unique Incident ID as defined by CDC

externalId
required
object

The external ID that will be linked to the incident

system
required
string

The name of the external system

id
required
string

The entity's identifier in the external system

Additional properties are allowed.

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

X-Initiated-By
required
string

The user id of the user who initiated this action, as defined in CDC

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "action/link-incident-external-id-command; version=1;"
#53 Link Incident External ID Reply LinkIncidentExternalIdReply

The reply returned after linking an external ID to the incident

replies

This message is a reply for linking external id to the incident

Payload
object
id
required
string

A unique, machine-oriented ID identifying this incident

key
required
string

A unique, human-oriented key identifying this incident

name
required
string

The name of the incident

description
required
string

The incident description

created
required
string
date-time

The time when the incident was created, in UTC

updated
required
string
date-time

The time when the incident was last updated, in UTC

type
required
string

Incident type

status
required
string

Incident status

Enum: "open" "pending" "closed"
priority
required
string

The incident priority must be one of the priorities defined in CDC.

group
required
string

The group to which this incident is currently assigned

externalIds
required
array<object>

Array of external identifiers of the entity.

system
string

The name of the external system

id
string

The entity's identifier in the external system

Additional items are allowed.

tags
required
array<string>
Unique

Array of tags. A tag's name can contain only the following characters: letters, digits, "-", "_", ".", "#" and "@".

Tags are case-preserving on insertion: if the tag does not already exist with a different casing, it is saved with the casing specified. When used as query filters, tags are treated as case-insensitive.

Items:

0
string
must match ^\S*$

Additional items are allowed.

company
string

Name of the company / division to which this incident or alert belongs.

Not to be confused with the "organization" field, which was used to distinguish between tenants and is deprecated.

Note that most customers do not use the "company" feature. The value must be in the list of companies defined in the CDC database.

pendingForGroup
string

If this incident was redirected to a different group this will contain the name of the target group

redirectionReason
string

If this incident was redirected to a different group this will contain the user comment provided with redirection request

endSlaDate
string
date-time

Service level agreement end date

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "reply/incident-link-external-id-reply; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#54 Unlink Incident External ID Command UnlinkIncidentExternalIdCommand

Unlinks an incident from an external ID

Payload
object
incidentId
required
string

The unique Incident ID as defined by CDC

externalId
required
object

The external ID that will be unlinked from the incident

system
required
string

The name of the external system

id
required
string

The entity's identifier in the external system

Additional properties are allowed.

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

X-Initiated-By
required
string

The user id of the user who initiated this action, as defined in CDC

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version is important, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "action/unlink-incident-external-id-command; version=1;"
#55 Unlink Incident External ID Reply UnlinkIncidentExternalIdReply

The reply which is returned after unlinking an external ID from the incident

replies

This message is a reply for unlinking an external ID from the incident

Payload
object
id
required
string

A unique, machine-oriented ID identifying this incident

key
required
string

A unique, human-oriented key identifying this incident

name
required
string

The name of the incident

description
required
string

The incident description

created
required
string
date-time

The time when the incident was created, in UTC

updated
required
string
date-time

The time when the incident was last updated, in UTC

type
required
string

Incident type

status
required
string

Incident status

Enum: "open" "pending" "closed"
priority
required
string

The incident priority must be one of the priorities defined in CDC.

group
required
string

The group to which this incident is currently assigned

externalIds
required
array<object>

Array of external identifiers of the entity.

system
string

The name of the external system

id
string

The entity's identifier in the external system

Additional items are allowed.

tags
required
array<string>
Unique

Array of tags. A tag's name can contain only the following symbols: alphabetic, "-", "_", ".", "#", "@", and numeric.

Tags are case-preserving on insertion: if the tag doesn't already exist with a different casing, it is saved with the casing specified. When used as query filters, tags are treated as case-insensitive.

Items:

0
string
must match ^\S*$

Additional items are allowed.

company
string

Name of the company / division to which this incident or alert belongs.

Not to be confused with the "organization" field, which was used to distinguish between tenants and is deprecated.

Note that most customers don't use the "company" feature. Note that the value must be in the list of companies defined in the CDC database.

pendingForGroup
string

If this incident was redirected to a different group this will contain the name of the target group

redirectionReason
string

If this incident was redirected to a different group this will contain the user comment provided with redirection request

endSlaDate
string
date-time

Service level agreement end date

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version is important, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "reply/incident-unlink-external-id-reply; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#56 Add Evidence To Incident Command AddEvidenceToIncidentCommand

Adds evidence to incident

This message is a command message that adds evidence to an incident

Payload
object

Validations:

  • In case of creating text evidence, the following fields should be provided: caption, description
  • In case of creating evidence from the message, the following fields should be provided: caption, messageId or externalId
  • In case of creating evidence for another custom type, the following fields should be provided: type, data
incidentId
required
string

The unique Incident ID as defined by CDC

type
string

The type of evidence

Enum: "TEXT" "ALERT_OWNER_ASSIGNED" "ALERT_OWNER_REMOVED" "ALERT_STATUS_CHANGED" "ALERT_ATTACHED_TO_INCIDENT" "ALERT_AUTOMATION_JOB_ENDED" "ALERT_AUTOMATION_JOB_STARTED" "ALERT_CLOSED" "ALERT_DETACHED_FROM_INCIDENT" "ALERT_DETECTED" "ALERT_RESOLVED" "ALERT_INCIDENT_CREATED" "ALERT_PLAYBOOK_STEP_COMPLETED" "ALERT_REOPENED" "ALERT_ATTACHED_TO_INCIDENT_BY_GROUPING_RULE" "MITRE_ATTACK_ADDED" "MITRE_ATTACK_REMOVED" "INCIDENT_ALERT_ADDED" "INCIDENT_ALERT_REMOVED" "INCIDENT_CREATED" "INCIDENT_CLOSED" "INCIDENT_REOPENED" "INCIDENT_STATUS_CHANGED" "INCIDENT_COMPANY_CHANGED" "INCIDENT_SEVERITY_CHANGED" "INCIDENT_PRIORITY_CHANGED" "INCIDENT_TYPE_CHANGED" "INCIDENT_OWNER_CHANGED" "INCIDENT_ESCALATED" "INCIDENT_ESCALATION_REVOKED" "INCIDENT_ESCALATION_ACCEPTED" "INCIDENT_ESCALATION_REMINDER_SENT" "PLAYBOOK_ADDED" "PLAYBOOK_STEP_COMPLETED" "PLAYBOOK_USER_INPUT_REQUIRED" "PLAYBOOK_EVIDENCES_PROVIDED" "PLAYBOOK_TERMINATED"
data
oneOf
0
object
alertId
string

The unique Alert ID as defined by CDC

alertName
string

The name of the alert

incidentId
string

The unique Incident ID as defined by CDC

incidentName
string

The name of the incident

ruleTitle
string

The name of the rule by which the alert was attached to the incident using the grouping rules mechanism

groupingRules
array<object>
matchValue
array<string>

Items:

0
string

The values to check against the alert field

Additional items are allowed.

fieldName
required
string

The alert field name used by the grouping mechanism

operator
required
string

The operator used to compare fieldName with matchValue

Enum: "allOf" "oneOf" "equal"

Additional items are allowed.

Additional properties are allowed.

reported
required
string
date-time

The time when this evidence was reported

caption
string

The caption of the evidence

messageId
string

The ID of the message this evidence was created from.

description
string

The description of this evidence

externalId
string

The identifier of the evidence, as it appears in external systems, mostly used to achieve idempotence

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

X-Initiated-By
required
string

The user id of the user who initiated this action, as defined in CDC

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version is important, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "action/add-evidence-to-incident-command; version=1;"
#57 Add Evidence To Incident Reply AddEvidenceToIncidentReply

The reply which is returned after evidence is added to an incident

replies

This message is a reply for adding evidence to an incident

Payload
object

Validations:

  • In case of creating text evidence, the following fields should be provided: caption, description (type="TEXT")
  • In case of creating evidence from the message, the following fields should be provided: caption, messageId or externalId (type="TEXT")
  • In case of creating evidence for another custom type, the following fields should be provided: type, data
id
required
string

A unique, machine-oriented ID identifying this evidence.

caption
string

The caption of the evidence

name
deprecated
string

The name property is deprecated and kept for backwards compatibility; use the caption property instead.

description
string

The evidence description. Note that this field may contain HTML tags.

type
required
string

The type of evidence

Enum: "TEXT" "ALERT_OWNER_ASSIGNED" "ALERT_OWNER_REMOVED" "ALERT_STATUS_CHANGED" "ALERT_ATTACHED_TO_INCIDENT" "ALERT_AUTOMATION_JOB_ENDED" "ALERT_AUTOMATION_JOB_STARTED" "ALERT_CLOSED" "ALERT_DETACHED_FROM_INCIDENT" "ALERT_DETECTED" "ALERT_RESOLVED" "ALERT_INCIDENT_CREATED" "ALERT_PLAYBOOK_STEP_COMPLETED" "ALERT_REOPENED" "ALERT_ATTACHED_TO_INCIDENT_BY_GROUPING_RULE" "MITRE_ATTACK_ADDED" "MITRE_ATTACK_REMOVED" "INCIDENT_ALERT_ADDED" "INCIDENT_ALERT_REMOVED" "INCIDENT_CREATED" "INCIDENT_CLOSED" "INCIDENT_REOPENED" "INCIDENT_STATUS_CHANGED" "INCIDENT_COMPANY_CHANGED" "INCIDENT_SEVERITY_CHANGED" "INCIDENT_PRIORITY_CHANGED" "INCIDENT_TYPE_CHANGED" "INCIDENT_OWNER_CHANGED" "INCIDENT_ESCALATED" "INCIDENT_ESCALATION_REVOKED" "INCIDENT_ESCALATION_ACCEPTED" "INCIDENT_ESCALATION_REMINDER_SENT" "PLAYBOOK_ADDED" "PLAYBOOK_STEP_COMPLETED" "PLAYBOOK_USER_INPUT_REQUIRED" "PLAYBOOK_EVIDENCES_PROVIDED" "PLAYBOOK_TERMINATED"
data
oneOf
0
object
alertId
string

The unique Alert ID as defined by CDC

alertName
string

The name of the alert

incidentId
string

The unique Incident ID as defined by CDC

incidentName
string

The name of the incident

ruleTitle
string

The name of the rule by which the alert was attached to the incident using the grouping rules mechanism

groupingRules
array<object>
matchValue
array<string>

Items:

0
string

The values to check against the alert field

Additional items are allowed.

fieldName
required
string

The alert field name used by the grouping mechanism

operator
required
string

The operator used to compare fieldName with matchValue

Enum: "allOf" "oneOf" "equal"

Additional items are allowed.

Additional properties are allowed.

created
required
string
date-time

Timestamp of when the evidence was created

reported
required
string
date-time

Timestamp of when the evidence was reported (could be different than the evidence creation timestamp)

messageId
string

The ID of the message this evidence was created from

messageCdcUrl
string
url

The URL of the message in the CDC application that this evidence was created from.

guiUrl
deprecated
string
url

The guiUrl property is deprecated and kept for backwards compatibility; use the messageCdcUrl property instead.

externalId
string

The identifier of the evidence, as it appears in external systems, mostly used to achieve idempotence

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version is important, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "reply/incident-evidence-add-reply; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.
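
The three validation rules listed for the Add Evidence command (#56) and its reply (#57), as an added Python example that is not CDC's own code: a pre-send validator for an AddEvidenceToIncidentCommand payload. It assumes that a payload without type is text evidence, also checks the groupingRules operators of the grouping-rule data object, and its sample payloads are constructed.

```python
from datetime import datetime
from typing import Any, Dict, List

# Evidence types, copied from the Enum on this page.
EVIDENCE_TYPES = frozenset({
    "TEXT", "ALERT_OWNER_ASSIGNED", "ALERT_OWNER_REMOVED", "ALERT_STATUS_CHANGED",
    "ALERT_ATTACHED_TO_INCIDENT", "ALERT_AUTOMATION_JOB_ENDED",
    "ALERT_AUTOMATION_JOB_STARTED", "ALERT_CLOSED", "ALERT_DETACHED_FROM_INCIDENT",
    "ALERT_DETECTED", "ALERT_RESOLVED", "ALERT_INCIDENT_CREATED",
    "ALERT_PLAYBOOK_STEP_COMPLETED", "ALERT_REOPENED",
    "ALERT_ATTACHED_TO_INCIDENT_BY_GROUPING_RULE", "MITRE_ATTACK_ADDED",
    "MITRE_ATTACK_REMOVED", "INCIDENT_ALERT_ADDED", "INCIDENT_ALERT_REMOVED",
    "INCIDENT_CREATED", "INCIDENT_CLOSED", "INCIDENT_REOPENED",
    "INCIDENT_STATUS_CHANGED", "INCIDENT_COMPANY_CHANGED",
    "INCIDENT_SEVERITY_CHANGED", "INCIDENT_PRIORITY_CHANGED",
    "INCIDENT_TYPE_CHANGED", "INCIDENT_OWNER_CHANGED", "INCIDENT_ESCALATED",
    "INCIDENT_ESCALATION_REVOKED", "INCIDENT_ESCALATION_ACCEPTED",
    "INCIDENT_ESCALATION_REMINDER_SENT", "PLAYBOOK_ADDED",
    "PLAYBOOK_STEP_COMPLETED", "PLAYBOOK_USER_INPUT_REQUIRED",
    "PLAYBOOK_EVIDENCES_PROVIDED", "PLAYBOOK_TERMINATED",
})
# Operators allowed in data.groupingRules[].operator, from the page's Enum.
GROUPING_OPERATORS = frozenset({"allOf", "oneOf", "equal"})


def _validate_grouping_rules(data: Dict[str, Any], errors: List[str]) -> None:
    """Check the grouping-rule entries of the alert-attached-by-rule data object."""
    for i, rule in enumerate(data.get("groupingRules") or []):
        if not isinstance(rule, dict):
            errors.append(f"groupingRules[{i}] must be an object")
            continue
        if not rule.get("fieldName"):
            errors.append(f"groupingRules[{i}].fieldName is required")
        if rule.get("operator") not in GROUPING_OPERATORS:
            errors.append(f"groupingRules[{i}].operator must be one of "
                          f"{sorted(GROUPING_OPERATORS)}")


def validate_add_evidence(payload: Dict[str, Any]) -> List[str]:
    """Return the validation problems in an AddEvidenceToIncidentCommand
    payload; an empty list means the command is well-formed."""
    errors: List[str] = []
    if not isinstance(payload.get("incidentId"), str) or not payload["incidentId"]:
        errors.append("incidentId is required")
    reported = payload.get("reported")
    if not isinstance(reported, str):
        errors.append("reported is required")
    else:
        try:  # date-time format; the Z suffix is normalised for older Pythons
            datetime.fromisoformat(reported.replace("Z", "+00:00"))
        except ValueError:
            errors.append("reported must be a date-time string")

    # Assumption: a payload without "type" is text evidence (the page's first two
    # validation rules both describe type="TEXT").
    ev_type = payload.get("type", "TEXT")
    if ev_type not in EVIDENCE_TYPES:
        errors.append(f"unknown evidence type {ev_type!r}")
    elif ev_type == "TEXT":
        if not payload.get("caption"):
            errors.append("caption is required for text evidence")
        if not (payload.get("description") or payload.get("messageId")
                or payload.get("externalId")):
            errors.append("text evidence needs description, messageId or externalId")
    else:
        data = payload.get("data")
        if not isinstance(data, dict):
            errors.append(f"data object is required for evidence of type {ev_type}")
        else:
            _validate_grouping_rules(data, errors)
    return errors


if __name__ == "__main__":
    # Constructed sample: evidence for an alert attached by a grouping rule.
    sample = {
        "incidentId": "inc-0001",
        "reported": "2024-05-01T10:00:00Z",
        "type": "ALERT_ATTACHED_TO_INCIDENT_BY_GROUPING_RULE",
        "data": {"alertId": "alr-0001", "incidentId": "inc-0001",
                 "ruleTitle": "same source host",
                 "groupingRules": [{"fieldName": "host", "operator": "equal",
                                    "matchValue": ["srv-01"]}]},
    }
    print(validate_add_evidence(sample) or "ok")
```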

#58 Add Enrichment To Observable AddEnrichmentToObservable

Adds the enrichment to the specified observable

This message is a command message that adds enrichment to the observable

Payload
object
observableId
required
string

The unique Observable ID as defined by CDC

name
required
string
dataType
string
suspiciousRate
number,null
double >= 0 <= 100

The suspicious rate of the observable (higher is more suspicious), between 0 and 100.

This field is Nullable.

Null value meaning: Not enough data to calculate suspiciousRate, could be updated later.

Examples: 74.8 null
suspiciousWeight
number
double
rawData
required
object

Raw data of completed enrichment

Additional properties are allowed.

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

X-Initiated-By
required
string

The user id of the user who initiated this action, as defined in CDC

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version is important, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "action/observable-enrichment-add-command; version=1;"
#59 Add Enrichment To Observable Reply AddEnrichmentToObservableReply

The reply which is returned after adding enrichment to the observable

replies

This message is a reply for adding enrichment to the observable

Payload
object
name
required
string
status
required
string

Enrichment status

Enum: "started" "completed" "failed"
suspiciousRate
required
number,null
double >= 0 <= 100

The suspicious rate of the observable (higher is more suspicious), between 0 and 100.

This field is Nullable.

Null value meaning: Not enough data to calculate suspiciousRate, could be updated later.

Examples: 74.8 null
suspiciousWeight
required
number
double
ttl
number
int32

Enrichment expiration, in seconds.

endDate
string
date-time
dataType
string
rawData
required
object

Raw data of completed enrichment

Additional properties are allowed.

reportedAt
string
date-time

The time when the enriched data was reported to the information provider

error
string

In case the enrichment failed, this field contains the error message

created
string
date-time

Enrichment creation timestamp

modified
string
date-time

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version is important, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "reply/observable-enrichment-add-reply; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#60 Create Message CreateMessageCommand

Creates a message in the CDC chat

This message is a command message that will create a chat message in CDC

Payload
object
length <= 2097152
externalId
required
string

The identifier of the message, as it appears in external systems. Only one message can be linked to each unique externalId.

scope
required
object

Entities in the system can have a scope defining their association with a business object

id
required
string

id of the entity as saved in the system

type
required
string

The type of the entity (alert / incident ...)

Enum: "alert" "incident" "channel"

Additional properties are allowed.

parentMessageId
string

Parent message ID, used for displaying replies in a threaded manner.

  • If provided, the new message will be posted as a child of another message, as the last message in its thread
  • If not present, the message will be posted as a regular message to the specified destination
attachmentIds
array<string>

A list of file IDs that should be attached to the message.

Files Entity Scope:

The scope of each file must match the provided message scope.

e.g. if a file is uploaded to alert:123, it cannot be attached to a message with scope alert:456, only to messages with scope alert:123.

Trying to attach fileIds where some file's scope does not match the message scope will result in a ConflictError.

Items:

0
string

Additional items are allowed.

content
required
oneOf

The content of the message

0
object
message
required
string

The text of the message. Can be simple text or rich text

contentType
required
string

Message content type that has text representation

Enum: "text"

Additional properties are allowed.

1
object
json
required
object

The raw data attached for the purpose of populating the card

Additional properties are allowed.

templateName
required
string

The Adaptive Card template name.

contentType
required
string

Message content type that represents an adaptiveCard

Enum: "adaptiveCard"

Additional properties are allowed.

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

X-Initiated-By
required
string

The user id of the user who initiated this action, as defined in CDC

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version is important, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "action/create-message-command; version=1;"
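
The rules the CreateMessageCommand payload above spells out (scope type enum, the text/adaptiveCard content oneOf, attachment scopes matching the message scope or a ConflictError, one message per externalId), as an added Python example that is not CDC's own code. The file index, the set of already-seen externalIds and the sample payloads are constructed, and reporting a reused externalId as an error is an assumed handling.

```python
from typing import Any, Dict, List, Set

# Scope types from the page's Enum.
SCOPE_TYPES = frozenset({"alert", "incident", "channel"})


class ConflictError(Exception):
    """Raised, as the page describes, when an attached file's scope does not
    match the message scope."""


def scope_key(scope: Dict[str, Any]) -> str:
    """Canonical "type:id" form, e.g. "alert:123" as in the page's example."""
    return f"{scope['type']}:{scope['id']}"


def validate_scope(scope: Any) -> List[str]:
    if not isinstance(scope, dict):
        return ["scope object is required"]
    errors = []
    if not isinstance(scope.get("id"), str) or not scope["id"]:
        errors.append("scope.id is required")
    if scope.get("type") not in SCOPE_TYPES:
        errors.append(f"scope.type must be one of {sorted(SCOPE_TYPES)}")
    return errors


def validate_content(content: Any) -> List[str]:
    """content is a oneOf: a text body or an Adaptive Card, selected by contentType."""
    if not isinstance(content, dict):
        return ["content object is required"]
    ctype = content.get("contentType")
    if ctype == "text":
        if isinstance(content.get("message"), str):
            return []
        return ["content.message is required for text content"]
    if ctype == "adaptiveCard":
        errors = []
        if not isinstance(content.get("json"), dict):
            errors.append("content.json object is required for adaptiveCard content")
        if not isinstance(content.get("templateName"), str):
            errors.append("content.templateName is required for adaptiveCard content")
        return errors
    return ["content.contentType must be 'text' or 'adaptiveCard'"]


def check_attachment_scopes(message_scope: Dict[str, Any], attachment_ids: List[str],
                            file_index: Dict[str, Dict[str, Any]]) -> None:
    """Every attached file must be scoped to the same entity as the message.
    file_index (file id -> FileInfo-like dict) stands in for the file store."""
    want = scope_key(message_scope)
    for fid in attachment_ids:
        if fid not in file_index:
            raise KeyError(fid)
        have = scope_key(file_index[fid]["scope"])
        if have != want:
            raise ConflictError(f"file {fid!r} belongs to {have}, message is scoped to {want}")


def validate_create_message(payload: Dict[str, Any], file_index: Dict[str, Dict[str, Any]],
                            seen_external_ids: Set[str]) -> List[str]:
    """Return validation problems for a CreateMessageCommand payload; empty means OK."""
    errors: List[str] = []
    ext = payload.get("externalId")
    if not isinstance(ext, str) or not ext:
        errors.append("externalId is required")
    elif ext in seen_external_ids:
        # Assumed handling: a replayed externalId is reported rather than creating
        # a second message, since only one message may be linked to each externalId.
        errors.append(f"externalId {ext!r} is already linked to a message")
    scope_errors = validate_scope(payload.get("scope"))
    errors += scope_errors
    errors += validate_content(payload.get("content"))
    ids = payload.get("attachmentIds", [])
    if not isinstance(ids, list) or not all(isinstance(i, str) for i in ids):
        errors.append("attachmentIds must be a list of file id strings")
    elif not scope_errors:
        try:
            check_attachment_scopes(payload["scope"], ids, file_index)
        except KeyError as exc:
            errors.append(f"unknown file id {exc.args[0]!r}")
        except ConflictError as exc:
            errors.append(f"ConflictError: {exc}")
    return errors


# Constructed file store: f1 was uploaded to alert:123, f2 to alert:456.
FILES = {
    "f1": {"id": "f1", "name": "capture.pcap", "scope": {"type": "alert", "id": "123"}},
    "f2": {"id": "f2", "name": "notes.txt", "scope": {"type": "alert", "id": "456"}},
}

if __name__ == "__main__":
    msg = {"externalId": "ext-1", "scope": {"type": "alert", "id": "123"},
           "content": {"contentType": "text", "message": "triage started"},
           "attachmentIds": ["f2"]}
    print(validate_create_message(msg, FILES, set()))
```
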
#61 Create Message Reply CreateMessageReply

The reply which is returned after creating a message in the chat

replies

This message is the reply sent after a message is successfully created in the chat

Payload
object
id
required
string

ID of the message as saved in the system

externalId
required
string

The identifier of the message, as it appears in external systems. Only one message can be linked to each unique externalId.

scope
required
object

Entities in the system can have a scope defining their association with a business object

id
required
string

id of the entity as saved in the system

type
required
string

The type of the entity (alert / incident ...)

Enum: "alert" "incident" "channel"

Additional properties are allowed.

parentMessageId
string

If present, this message was posted in another message's thread

content
required
oneOf

The content of the message

0
object
message
required
string

The text of the message. Can be simple text or rich text

contentType
required
string

Message content type that has text representation

Enum: "text"

Additional properties are allowed.

1
object
json
required
object

The raw data attached for the purpose of populating the card

Additional properties are allowed.

templateName
required
string

The Adaptive Card template name.

contentType
required
string

Message content type that represents an adaptiveCard

Enum: "adaptiveCard"

Additional properties are allowed.

attachments
array<object>

An array of FileInfo objects, each holding the metadata of an attached file

The field is mandatory; an empty array is returned when no files are attached to the message.

status
required
string

The status of the file, reflecting the upload and sanitation process. Every file should have a status

  • uploaded - uploaded but not ready yet, requires additional processing
  • processing - being processed by the system, i.e. pending sanitation
  • verified - completed sanitation processes, needs to move to final storage location
  • ready - completed and made available
  • failed - the file upload process has failed, such as when sanitation can't be applied
  • blocked - the file sanitation process failed (i.e. the file has malicious content)
Enum: "uploaded" "processing" "verified" "ready" "failed" "blocked"
id
required
string

A unique, machine-oriented ID identifying this file.

name
required
string

The file name

scope
required
object

Entities in the system can have a scope defining their association with a business object

id
required
string

id of the entity as saved in the system

type
required
string

The type of the entity (alert / incident ...)

Enum: "alert" "incident" "channel"

Additional properties are allowed.

url
required
string

The file url

thumbnailUrl
string

The url of the file thumbnail. A thumbnail is a small image representation of a larger image or a video.

size
required
number

The file size in bytes

mimeType
required
string

The MIME (Multipurpose Internet Mail Extensions) type of the file. A two-part identifier for file formats and format contents transmitted on the Internet. See more: https://en.wikipedia.org/wiki/Media_type

extension
string

An identifier specified as a suffix to the name of a file

createdAt
required
string
date-time

File creation timestamp

createdBy
required
string

The ID of the user who created this file.

Additional items are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version is important, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "reply/message-create-reply; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#62 Forbidden Error Message ForbiddenError

The reply which is returned if there are concurrency issues during operation execution

errors
Payload
object
name
required
string

ForbiddenError

code
required
string

ERR_FORBIDDEN

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version is important, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/forbidden-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#63 Alert Extended Properties AlertExtendedPropertiesSet

A definition for Alert extended properties set

Payload
object
request
required
array<object>
Unique

The list of the Alert extended properties which need to be set

name
required
string

The internal field name, as defined by CDC modeling for fields.

value

The value, which must fit the entity type defined in CDC settings. For an email it will be an email address and for an IP address it will be an IP address.

Additional items are allowed.

alertId
required
string

The alert id

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version is important, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "action/close-alert-command; version=1;"
#64 Alert Extended Properties Set Reply AlertExtendedPropertiesSetReply

The reply which is returned after the addition of alert extended properties

replies
  • This message is a reply for the alert extended properties set action
Payload
object
fields
required
array<object>
>= 1 items Unique

The list of fields that were added

name
required
string

field name

value
object

field value which can be of type string or date or number

Additional properties are allowed.

id
required
string

The unique mongo ID of the saved document

createdBy
required
string

The mongo id of the user

updatedBy
required
string

The mongo id of the user

createdAt
required
string
updatedAt
required
string

Additional items are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version is important, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "reply/alert-extended-properties-set-reply; version=1;"
#65 Bad Request Error Message BadRequestError

The reply which is returned if an invalid argument was passed which caused the action to fail.

errors
Payload
object
name
required
string

BadRequestError

code
required
string

ERR_BAD_REQUEST

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version is important, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/bad-request-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#66 Application Error Message ApplicationError

The reply which is returned if an unhandled error occurred during action execution.

errors
Payload
object
name
required
string

ApplicationError

code
required
string

ERR_APPLICATION

message
required
string

The Error Message

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version is important, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "error/application-error; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

#67 Incident summary set many IncidentSummarySetMany

A definition for Incident summary set

Payload
object
request
required
array<object>
Unique

The list of the Incident summary answers which need to be set

name
required
string

The internal field name, as defined by CDC modeling for fields.

value

The value, which must fit the entity type defined in CDC settings. By default the HTML format is selected.

Additional items are allowed.

incidentId
required
string

The incident id

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

reply_to
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version is important, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "action/close-alert-command; version=1;"
#68 Incident Summary Set Reply IncidentSummarySetReply

The reply which is returned after the addition of incident summary fields

replies
  • This message is a reply for the incident summary set action
Payload
object
fields
required
array<object>
>= 1 items Unique

The list of fields that were added

name
required
string

field name

value
object

field value which can be of type string or date or number

Additional properties are allowed.

id
required
string

The unique mongo ID of the saved document

createdBy
required
string

The mongo id of the user

updatedBy
required
string

The mongo id of the user

createdAt
required
string
updatedAt
required
string

Additional items are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a mime-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version is important, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "reply/incident-summary-set-reply; version=1;"
#69 Alert Closed Event AlertClosedEvent

An alert was closed

This event is fired when an alert is closed

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

the user id as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

alertId
required
string

The unique Alert ID as defined by CDC

source
required
string

The identifier of the source system from which this alert originated. Usually this is the name of the SIEM, but in some cases the alert may originate from some other kind of system, like an IT ticket management system.

sourceId
required
string

The ID of the alert, as defined in the source system. The combination of source + sourceId is guaranteed to be unique (a composite identifier)

sourceUrl
string
url

The URL of the alert, as defined in the source system. Note: not all alerts include this field

status
required
string

Alert status upon closure

Enum: "Closed" "Resolved"
closingReason
required
object

Details explaining why this alert was marked as irrelevant. Only appears if the alert was closed as irrelevant.

reason
required
string

Alert closure reason. Possible default values are: "Benign Positive", "True Positive", "False Positive - Incorrect alert logic", "False Positive - Inaccurate data" and "Undetermined"

Notice: additional custom reasons may exist, but only if they are defined in CDC (metamodels)

comment
required
string

Analyst-provided comment for closing an alert

Note: property "comment" is required if the "reason" property is "Other"

Additional properties are allowed.

comment
deprecated
string

Alert closure summary that consists of closingReason.reason and closingReason.comment.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and in lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/alert-closed; version=1;"
#70 Alert Created Event AlertCreatedEvent

An alert was created

This event is fired when an alert is created in CDC

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

The user ID as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

alertId
required
string

The unique Alert ID as defined by CDC

source
required
string

The identifier of the source system from which this alert originated. Usually this is the name of the SIEM, but in some cases the alert may originate from some other kind of system, like an IT tickets management system.

sourceId
required
string

The ID of the alert, as defined in the source system. The combination of source + sourceId is guaranteed to be unique (a composite identifier)

sourceUrl
string
url

The URL of the alert, as defined in the source system. Note: not all alerts include this field

classification
string

Classification category that the alert falls into.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and in lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/alert-created; version=1;"
#71 Alert Updated Event AlertUpdatedEvent

An alert was updated

This event is fired when at least one of the fields on an alert was changed due to an update operation.

The payload of this event holds the new state of the alert, after the update.

Relevant update operations:

Payload
object
id
string

A unique, machine-oriented ID identifying this alert.

source
string

The name of the source system

sourceId
string

The ID of the alert in the source system

name
string

The name of the alert

description
string

The description of the alert

severity
string

The severity of the alert. Must be one of the severities defined in CDC.

created
string
date-time

Alert creation timestamp, in UTC

modified
string
date-time

Last modification timestamp, in UTC

detected
string
date-time

Alert detection timestamp, in UTC

status
string

Alert status

Enum: "New" "In incident" "Closed" "Resolved"
sourceUrl
string
uri

A URI of this alert pointing to the source system

company
string

Name of the company / division to which this incident or alert belongs.

Not to be confused with the "organization" field, which was used to distinguish between tenants and is deprecated.

Note that most customers don't use the "company" feature. Note that the value must be in the list of companies defined in the CDC database

useCase
string

Alert Use Case name

detectionRule
string
length <= 256

Name of detection rule from SIEM that triggered the generation of alert

killChain
array<string>

Mapping of the alert to specific Kill Chain phases. The case of the names is ignored, as are spaces and duplicate values. All values are normalized according to the provided enum. See Wikipedia

This field accepts any value; the provided enum shows the recommended values.

Enum: "Reconnaissance" "Weaponization" "Delivery" "Exploitation" "Installation" "Command and Control" "Actions on Objective"

Items:

0
string
length <= 256

Additional items are allowed.

mitreAttacks
array<string>
Unique

MitreAttack Ids List

Items:

0
string

Additional items are allowed.

alertType
string
length <= 15

The type of the alert. Must be one of the alert types defined in CDC - see Enumerated values. When not provided or set to an invalid value, alertType will be set to General.

Enum: "CTI-Landscape" "CTI-Assetbased" "General"
threatType
string

The threat type with which this alert is associated.

threatActors
array<string>

The attacker, whoever launched the attack/campaign/malware.

Items:

0
string

Additional items are allowed.

malwareTools
array<string>

The Malware/Tools that were used in the attack.

Items:

0
string

Additional items are allowed.

ctiSourceUrls
array<string>

The data source that was used for opening the alert.

Items:

0
string

Additional items are allowed.

recommendations
string

Instruction how to handle alert.

categories
array<string>

Mapping of alert to specific category in SIEM

Items:

0
string

Additional items are allowed.

tags
array<string>
Unique

Array of tags. A tag's name can contain only the following characters: letters, digits, "-", "_", ".", "#" and "@".

Tags are case-preserving on insertion: if a tag doesn't already exist with a different casing, the tag will be saved with the casing specified. When used as query filters, tags are treated as case-insensitive.

Items:

0
string
must match ^\S*$

Additional items are allowed.

observableTags
array<string>
Unique

List of tags of alert observables

Items:

0
string
must match ^\S*$

Additional items are allowed.

classification
string
length <= 50

Classification for the alert

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and in lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/alert-updated; version=1;"
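The killChain and tags fields above each describe a normalization rule a producer or consumer has to apply consistently. The code below is an added example, not CDC's own implementation, of those two rules: killChain values are matched ignoring case and spaces, deduplicated and rewritten to the enum spelling (unknown values are kept, since the field accepts any value); tags are restricted to the listed characters, stored with the casing of their first insertion and looked up case-insensitively. It assumes ASCII letters and digits and that an empty tag is rejected.

```python
"""Normalise killChain phases and validate alert tags as the AlertUpdatedEvent
schema describes them. Added example, not CDC's own code.
"""
import re
from typing import Dict, Iterable, List

# Recommended killChain values from the schema enum, in canonical spelling.
KILL_CHAIN_PHASES = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objective",
]


def _fold(name: str) -> str:
    # Comparison key: the schema says case and spaces are ignored.
    return re.sub(r"\s+", "", name).lower()


_PHASE_BY_KEY = {_fold(p): p for p in KILL_CHAIN_PHASES}


def normalize_kill_chain(values: Iterable[str]) -> List[str]:
    """Return phases in first-seen order, canonical spelling, no duplicates.

    Values outside the enum are kept (the field accepts any value) but are
    still deduplicated on the same folded key and stripped of outer spaces.
    """
    seen = set()
    out: List[str] = []
    for raw in values:
        key = _fold(raw)
        if not key or key in seen:
            continue
        seen.add(key)
        out.append(_PHASE_BY_KEY.get(key, raw.strip()))
    return out


# Allowed tag characters per the schema (letters, digits, - _ . # @).
# The item pattern ^\S*$ is implied because whitespace is not in the set;
# requiring at least one character (empty tag rejected) is an assumption.
_TAG_RE = re.compile(r"^[A-Za-z0-9._#@-]+$")


def is_valid_tag(tag: str) -> bool:
    return bool(_TAG_RE.match(tag))


class TagSet:
    """Case-preserving on insert, case-insensitive on lookup."""

    def __init__(self) -> None:
        self._by_key: Dict[str, str] = {}

    def add(self, tag: str) -> str:
        """Store the tag; if it already exists in any casing, keep the stored
        spelling and return it."""
        if not is_valid_tag(tag):
            raise ValueError(f"invalid tag: {tag!r}")
        return self._by_key.setdefault(tag.lower(), tag)

    def contains(self, query: str) -> bool:
        return query.lower() in self._by_key

    def tags(self) -> List[str]:
        return list(self._by_key.values())


if __name__ == "__main__":
    # Constructed sample input, as a SIEM integration might send it.
    print(normalize_kill_chain(["reconnaissance", " Command And Control ",
                                "commandandcontrol", "Delivery"]))
```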
#72 Alert Rate Changed Event AlertRateChangedEvent

An alert's suspicious rate has changed

This event is fired when an alert's suspicious rate changes

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

alertId
required
string

The unique Alert ID as defined by CDC

source
required
string

The identifier of the source system from which this alert originated. Usually this is the name of the SIEM, but in some cases the alert may originate from some other kind of system, like an IT tickets management system.

sourceId
required
string

The ID of the alert, as defined in the source system. The combination of source + sourceId is guaranteed to be unique (a composite identifier)

sourceUrl
string
url

The URL of the alert, as defined in the source system. Note: not all alerts include this field

newValue
required
number,null
double >= 0 <= 100

The suspicious rate of the observable (higher is more suspicious), between 0 and 100.

This field is Nullable.

Null value meaning: Not enough data to calculate suspiciousRate; it could be updated later.

Examples: 74.8 null
oldValue
required
number,null
double >= 0 <= 100

The suspicious rate of the observable (higher is more suspicious), between 0 and 100.

This field is Nullable.

Null value meaning: Not enough data to calculate suspiciousRate; it could be updated later.

Examples: 74.8 null

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and in lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/alert-rate-changed; version=1;"
#73 Alert Reopened Event AlertReopenedEvent

An alert was reopened

This event is fired when an alert is reopened

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

The user ID as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

alertId
required
string

The unique Alert ID as defined by CDC

source
required
string

The identifier of the source system from which this alert originated. Usually this is the name of the SIEM, but in some cases the alert may originate from some other kind of system, like an IT tickets management system.

sourceId
required
string

The ID of the alert, as defined in the source system. The combination of source + sourceId is guaranteed to be unique (a composite identifier)

sourceUrl
string
url

The URL of the alert, as defined in the source system. Note: not all alerts include this field

statusBeforeReopen
required
string

Alert status before reopen

Enum: "Closed" "Resolved"
reopenReason
string

The reason why this alert was reopened, as provided by the analyst

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and in lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/alert-reopened; version=1;"
#74 Alert Raw Data Appended Event AlertRawDataAppendedEvent

Raw data appended to alert

This event is fired when raw data is appended to an alert

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

The user ID as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

alertId
required
string

The unique Alert ID as defined by CDC

rawDataItemId
required
string

Appended raw data id

externalId
string

Raw data external id. Can be used for idempotence and deduplication

created
required
string
date-time

Creation timestamp

modified
required
string
date-time

Last modification timestamp

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and in lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/alert-raw-data-appended; version=1;"
#75 Alert Message Added Event AlertMessageAddedEvent

A message added to alert

This event is fired when a message is added to an alert in CDC

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

The user ID as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

alertId
required
string

The unique Alert ID as defined by CDC

source
required
string

The identifier of the source system from which this alert originated. Usually this is the name of the SIEM, but in some cases the alert may originate from some other kind of system, like an IT tickets management system.

sourceId
required
string

The ID of the alert, as defined in the source system. The combination of source + sourceId is guaranteed to be unique (a composite identifier)

sourceUrl
string
url

The URL of the alert, as defined in the source system. Note: not all alerts include this field

messageId
required
string

Alert messageId

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and in lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/alert-message-added; version=1;"
#76 Alert Owner Changed Event AlertOwnerChangedEvent

An alert's owner was changed

This event is fired when the owner of an alert is changed in CDC

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

The user ID as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

alertId
required
string

The unique Alert ID as defined by CDC

source
required
string

The identifier of the source system from which this alert originated. Usually this is the name of the SIEM, but in some cases the alert may originate from some other kind of system, like an IT tickets management system.

sourceId
required
string

The ID of the alert, as defined in the source system. The combination of source + sourceId is guaranteed to be unique (a composite identifier)

sourceUrl
string
url

The URL of the alert, as defined in the source system. Note: not all alerts include this field

assigneeId
required
string,null
BSON ObjectId

Alert owner assignee Id

This field is Nullable.

Null value meaning: The owner was removed from an alert.

Examples: "60ef0707447dc03cf1ce8ed3" null

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and in lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/alert-owner-changed; version=1;"
#77 Alert Company Changed Event AlertCompanyChangedEvent

An alert's company has changed

This event is fired when an alert's company changes

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

The user ID as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

alertId
required
string

The unique Alert ID as defined by CDC

source
required
string

The identifier of the source system from which this alert originated. Usually this is the name of the SIEM, but in some cases the alert may originate from some other kind of system, like an IT tickets management system.

sourceId
required
string

The ID of the alert, as defined in the source system. The combination of source + sourceId is guaranteed to be unique (a composite identifier)

sourceUrl
string
url

The URL of the alert, as defined in the source system. Note: not all alerts include this field

status
string

Alert status

Enum: "New" "In incident" "Closed" "Resolved"
company
required
string,null

The new (current) name of the company / division to which this alert belongs.

This field is Nullable.

Null value meaning: The company was removed from alert.

Examples: "CompanyName" null

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and in lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/alert-company-changed; version=1;"
#78 Alert Observables Added AlertObservablesAdded

Observables were added to the alert

This event is fired when observables are added to an alert. If multiple observables are added in a single API call, then a single event will be fired

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

The user ID as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

alertId
required
string

The unique Alert ID as defined by CDC

source
required
string

The identifier of the source system from which this alert originated. Usually this is the name of the SIEM, but in some cases the alert may originate from some other kind of system, like an IT tickets management system.

sourceId
required
string

The ID of the alert, as defined in the source system. The combination of source + sourceId is guaranteed to be unique (a composite identifier)

sourceUrl
string
url

The URL of the alert, as defined in the source system. Note: not all alerts include this field

observables
required
array<object>
>= 1 items Unique

The list of observables that were added to the alert

type
required
string

The type of the observable

value
required
string

The value of the observable

Additional items are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and in lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/alert-observable-added; version=1;"
#79 Alert Tags Added AlertTagsAdded

Tags were added to the alert

This event is fired when tags are added to an alert. If multiple tags are added in a single API call, then a single event will be fired

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

The user ID as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

alertId
required
string

The unique Alert ID as defined by CDC

source
required
string

The identifier of the source system from which this alert originated. Usually this is the name of the SIEM, but in some cases the alert may originate from some other kind of system, like an IT tickets management system.

sourceId
required
string

The ID of the alert, as defined in the source system. The combination of source + sourceId is guaranteed to be unique (a composite identifier)

sourceUrl
string
url

The URL of the alert, as defined in the source system. Note: not all alerts include this field

addedItems
required
array<string>
Unique

The list of tags that were added to the alert

Items:

0
string

Additional items are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and in lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/alert-tags-added; version=1;"
#80 Alert Detail Changed Event AlertDetailChangedEvent

An alert's detail has changed

This event is fired when an alert's detail changes.

The possible fields are name, description, severity, useCase, company and detectionRule. These fields are informational only; they are not tied to any flow or operation.

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

The user ID as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

alertId
required
string

The unique Alert ID as defined by CDC

source
required
string

The identifier of the source system from which this alert originated. Usually this is the name of the SIEM, but in some cases the alert may originate from some other kind of system, like an IT tickets management system.

sourceId
required
string

The ID of the alert, as defined in the source system. The combination of source + sourceId is guaranteed to be unique (a composite identifier)

sourceUrl
string
url

The URL of the alert, as defined in the source system. Note: not all alerts include this field

name
object
oldValue
required
string

The previous alert name

newValue
required
string

The new (current) alert name

Additional properties are allowed.

description
object
oldValue
required
string

The previous alert description

newValue
required
string

The new (current) alert description

Additional properties are allowed.

company
object
oldValue
required
string,null

The previous name of the company / division to which this alert belongs.

This field is Nullable.

Null value meaning: The company was not attached or removed from alert.

Examples: "CompanyName" null
newValue
required
string,null

The new (current) name of the company / division to which this alert belongs.

This field is Nullable.

Null value meaning: The company was removed from alert.

Examples: "CompanyName2" null

Additional properties are allowed.

severity
object
oldValue
required
string

The previous alert severity

newValue
required
string

The new (current) alert severity

Additional properties are allowed.

useCase
object
oldValue
required
string

The previous alert useCase

newValue
required
string

The new (current) alert useCase

Additional properties are allowed.

detectionRule
object
oldValue
required
string

The previous alert detectionRule

newValue
required
string

The new (current) alert detectionRule

Additional properties are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and in lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/alert-detail-changed; version=1;"
#81 Alert Evidence Added AlertEvidenceAdded

Evidence was added to or removed from the alert

This event is fired when evidence is added to an alert.

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

The user ID as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

alertId
required
string

The unique Alert ID as defined by CDC

source
required
string

The identifier of the source system from which this alert originated. Usually this is the name of the SIEM, but in some cases the alert may originate from some other kind of system, like an IT tickets management system.

sourceId
required
string

The ID of the alert, as defined in the source system. The combination of source + sourceId is guaranteed to be unique (a composite identifier)

sourceUrl
string
url

The URL of the alert, as defined in the source system. Note: not all alerts include this field

evidence
required
object

Validations:

  • When creating text evidence, the following fields should be provided: caption, description (type="TEXT")
  • When creating evidence from a message, the following fields should be provided: caption, messageId or externalId (type="TEXT")
  • When creating evidence of another custom type, the following fields should be provided: type, data
id
required
string

A unique, machine-oriented ID identifying this evidence.

caption
string

The caption of the evidence

name
deprecated
string

The name property is deprecated and kept for backwards compatibility; use the caption property instead.

description
string

The evidence description. Note that this field may contain HTML tags.

type
required
string

The type of evidence

Enum: "TEXT" "ALERT_OWNER_ASSIGNED" "ALERT_OWNER_REMOVED" "ALERT_STATUS_CHANGED" "ALERT_ATTACHED_TO_INCIDENT" "ALERT_AUTOMATION_JOB_ENDED" "ALERT_AUTOMATION_JOB_STARTED" "ALERT_CLOSED" "ALERT_DETACHED_FROM_INCIDENT" "ALERT_DETECTED" "ALERT_RESOLVED" "ALERT_INCIDENT_CREATED" "ALERT_PLAYBOOK_STEP_COMPLETED" "ALERT_REOPENED" "ALERT_ATTACHED_TO_INCIDENT_BY_GROUPING_RULE" "MITRE_ATTACK_ADDED" "MITRE_ATTACK_REMOVED" "INCIDENT_ALERT_ADDED" "INCIDENT_ALERT_REMOVED" "INCIDENT_CREATED" "INCIDENT_CLOSED" "INCIDENT_REOPENED" "INCIDENT_STATUS_CHANGED" "INCIDENT_COMPANY_CHANGED" "INCIDENT_SEVERITY_CHANGED" "INCIDENT_PRIORITY_CHANGED" "INCIDENT_TYPE_CHANGED" "INCIDENT_OWNER_CHANGED" "INCIDENT_ESCALATED" "INCIDENT_ESCALATION_REVOKED" "INCIDENT_ESCALATION_ACCEPTED" "INCIDENT_ESCALATION_REMINDER_SENT" "PLAYBOOK_ADDED" "PLAYBOOK_STEP_COMPLETED" "PLAYBOOK_USER_INPUT_REQUIRED" "PLAYBOOK_EVIDENCES_PROVIDED" "PLAYBOOK_TERMINATED"
data
oneOf
0
object
alertId
string

The unique Alert ID as defined by CDC

alertName
string

The name of the alert

incidentId
string

The unique Incident ID as defined by CDC

incidentName
string

The name of the incident

ruleTitle
string

The name of the grouping rule by which the alert was attached to the incident

groupingRules
array<object>
matchValue
array<string>

Items:

0
string

The value(s) checked against the alert field

Additional items are allowed.

fieldName
required
string

The alert field name used by the grouping mechanism

operator
required
string

The operator used to compare fieldName with matchValue

Enum: "allOf" "oneOf" "equal"

Additional items are allowed.

Additional properties are allowed.

created
required
string
date-time

Timestamp of when the evidence was created

reported
required
string
date-time

Timestamp of when the evidence was reported (could be different than the evidence creation timestamp)

messageId
string

The ID of the message this evidence was created from

messageCdcUrl
string
url

The URL of the message in the CDC application that this evidence was created from.

guiUrl
deprecated
string
url

The guiUrl property is deprecated and kept for backwards compatibility; use the messageCdcUrl property instead.

externalId
string

The identifier of the evidence as it appears in external systems; used mainly to achieve idempotence

Additional properties are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately after the major version.

Const: "event/alert-evidence-added; version=1;"
#82 Alert Evidence Removed AlertEvidenceRemoved

Evidence was removed from the alert

This event is fired when evidence is removed from an alert.

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

The user ID as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

alertId
required
string

The unique Alert ID as defined by CDC

source
required
string

The identifier of the source system from which this alert originated. Usually this is the name of the SIEM, but in some cases the alert may originate from another kind of system, such as an IT ticketing system.

sourceId
required
string

The ID of the alert, as defined in the source system. The combination of source + sourceId is guaranteed to be unique (a composite identifier)

sourceUrl
string
url

The URL of the alert, as defined in the source system. Note: not all alerts include this field

evidence
required
object

Validations:

  • Text evidence (type="TEXT") must provide caption and description
  • Evidence created from a message (type="TEXT") must provide caption and either messageId or externalId
  • Evidence of any other type must provide type and data
id
required
string

A unique, machine-oriented ID identifying this evidence.

caption
string

The caption of the evidence

name
deprecated
string

The name property is deprecated and kept for backwards compatibility; use the caption property instead.

description
string

The evidence description. Note that this field may contain HTML tags.

type
required
string

The type of evidence

Enum: "TEXT" "ALERT_OWNER_ASSIGNED" "ALERT_OWNER_REMOVED" "ALERT_STATUS_CHANGED" "ALERT_ATTACHED_TO_INCIDENT" "ALERT_AUTOMATION_JOB_ENDED" "ALERT_AUTOMATION_JOB_STARTED" "ALERT_CLOSED" "ALERT_DETACHED_FROM_INCIDENT" "ALERT_DETECTED" "ALERT_RESOLVED" "ALERT_INCIDENT_CREATED" "ALERT_PLAYBOOK_STEP_COMPLETED" "ALERT_REOPENED" "ALERT_ATTACHED_TO_INCIDENT_BY_GROUPING_RULE" "MITRE_ATTACK_ADDED" "MITRE_ATTACK_REMOVED" "INCIDENT_ALERT_ADDED" "INCIDENT_ALERT_REMOVED" "INCIDENT_CREATED" "INCIDENT_CLOSED" "INCIDENT_REOPENED" "INCIDENT_STATUS_CHANGED" "INCIDENT_COMPANY_CHANGED" "INCIDENT_SEVERITY_CHANGED" "INCIDENT_PRIORITY_CHANGED" "INCIDENT_TYPE_CHANGED" "INCIDENT_OWNER_CHANGED" "INCIDENT_ESCALATED" "INCIDENT_ESCALATION_REVOKED" "INCIDENT_ESCALATION_ACCEPTED" "INCIDENT_ESCALATION_REMINDER_SENT" "PLAYBOOK_ADDED" "PLAYBOOK_STEP_COMPLETED" "PLAYBOOK_USER_INPUT_REQUIRED" "PLAYBOOK_EVIDENCES_PROVIDED" "PLAYBOOK_TERMINATED"
data
oneOf
0
object
alertId
string

The unique Alert ID as defined by CDC

alertName
string

The name of the alert

incidentId
string

The unique Incident ID as defined by CDC

incidentName
string

The name of the incident

ruleTitle
string

The title of the grouping rule that attached the alert to the incident

groupingRules
array<object>
matchValue
array<string>

Items:

0
string

The values compared against the alert field

Additional items are allowed.

fieldName
required
string

The name of the alert field evaluated by the grouping rule

operator
required
string

The operator used to compare fieldName with matchValue

Enum: "allOf" "oneOf" "equal"

Additional items are allowed.

Additional properties are allowed.

created
required
string
date-time

Timestamp of when the evidence was created

reported
required
string
date-time

Timestamp of when the evidence was reported (could be different than the evidence creation timestamp)

messageId
string

The ID of the message this evidence was created from

messageCdcUrl
string
url

The URL of the message in the CDC application that this evidence was created from.

guiUrl
deprecated
string
url

The guiUrl property is deprecated and kept for backwards compatibility; use the messageCdcUrl property instead.

externalId
string

The identifier of the evidence as it appears in external systems; used mainly to achieve idempotence

Additional properties are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately after the major version.

Const: "event/alert-evidence-removed; version=1;"
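The X-Message-Schema format and the eventId deduplication hint above, as an added consumer-side example (not code from the CDC API or this specification): it parses the header into event type, schema name, major version and optional pre-release stage, routes each message on (schema name, major version) and drops redeliveries by eventId. The EventConsumer class, its in-memory seen-set, the handler registry and the sample headers and payload are assumptions; a real consumer would persist the seen-set and take messages from its AMQP client.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# X-Message-Schema looks like "event/incident-alert-removed; version=1;" or, for a
# pre-release schema, "event/incident-alert-removed; version=2-beta.1;".
_SCHEMA_RE = re.compile(
    r"^(?P<type>[a-z]+)/(?P<name>[a-z0-9]+(?:-[a-z0-9]+)*)\s*;\s*"
    r"version=(?P<major>\d+)(?P<stage>-[0-9A-Za-z]+(?:\.[0-9A-Za-z]+)*)?\s*;?\s*$"
)


@dataclass(frozen=True)
class MessageSchema:
    event_type: str       # "event" for every message on this page
    name: str             # lowercase, dash-separated, e.g. "incident-closed"
    major: int            # the only part of the version that matters for routing
    stage: Optional[str]  # pre-release identifiers after the hyphen, if any


def parse_schema_header(value: str) -> MessageSchema:
    """Parse an X-Message-Schema header; reject anything outside the documented shape."""
    match = _SCHEMA_RE.match(value.strip())
    if match is None:
        raise ValueError(f"malformed X-Message-Schema header: {value!r}")
    stage = match.group("stage")
    return MessageSchema(
        event_type=match.group("type"),
        name=match.group("name"),
        major=int(match.group("major")),
        stage=stage[1:] if stage else None,
    )


Handler = Callable[[dict], None]


class EventConsumer:
    """Routes events by (schema name, major version) and skips redeliveries by eventId."""

    def __init__(self) -> None:
        self._handlers: Dict[Tuple[str, int], Handler] = {}
        self._seen: set = set()  # assumption: in-memory; persist this in production

    def on(self, name: str, major: int) -> Callable[[Handler], Handler]:
        def register(fn: Handler) -> Handler:
            self._handlers[(name, major)] = fn
            return fn
        return register

    def handle(self, headers: dict, payload: dict) -> str:
        """Return "handled", "duplicate" or "unsupported" so the caller can ack or park."""
        schema = parse_schema_header(headers["X-Message-Schema"])
        handler = self._handlers.get((schema.name, schema.major))
        if schema.event_type != "event" or handler is None:
            # Unknown schema or a major version bump: park it rather than guess at the payload.
            return "unsupported"
        event_id = payload.get("eventId")
        if not event_id:
            raise ValueError("eventId is required on every event")
        if event_id in self._seen:
            return "duplicate"
        handler(payload)
        # Recorded only after the handler succeeds, so a crash mid-handler leads to a
        # retry on redelivery (at-least-once) rather than a silently lost event.
        self._seen.add(event_id)
        return "handled"


# Constructed sample message; the identifiers are made up and are not real CDC values.
SAMPLE_HEADERS = {"X-Message-Schema": "event/incident-alert-removed; version=1;"}
SAMPLE_PAYLOAD = {
    "eventId": "evt-0001",
    "eventTimestamp": "2024-01-01T00:00:00Z",
    "initiatedBy": {"id": "u-1", "displayName": "Analyst", "email": "analyst@example.com"},
    "alertId": "alert-1", "source": "siem", "sourceId": "S-1",
    "incidentId": "inc-1", "incidentKey": "INC-1", "incidentExternalIds": [],
}


def demo() -> Tuple[list, list]:
    """Deliver the sample once, redeliver it, then send a newer major version."""
    consumer = EventConsumer()
    detached = []

    @consumer.on("incident-alert-removed", 1)
    def on_alert_removed(payload: dict) -> None:
        detached.append((payload["incidentId"], payload["alertId"]))

    v2_headers = {"X-Message-Schema": "event/incident-alert-removed; version=2;"}
    results = [
        consumer.handle(SAMPLE_HEADERS, SAMPLE_PAYLOAD),
        consumer.handle(SAMPLE_HEADERS, SAMPLE_PAYLOAD),  # AMQP redelivery of the same event
        consumer.handle(v2_headers, dict(SAMPLE_PAYLOAD, eventId="evt-0002")),
    ]
    return results, detached


if __name__ == "__main__":
    print(demo())  # (['handled', 'duplicate', 'unsupported'], [('inc-1', 'alert-1')])
```

Routing on the major version alone follows the page's statement that only the major part matters; a message carrying an unknown schema or a newer major version returns "unsupported" so the caller can park it instead of acknowledging it blindly.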
#83 Alert Added To Incident Event AlertAddedToIncidentEvent

An alert was added to an incident

This event is fired when an alert is added to an incident.

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

The user ID as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

alertId
required
string

The unique Alert ID as defined by CDC

source
required
string

The identifier of the source system from which this alert originated. Usually this is the name of the SIEM, but in some cases the alert may originate from another kind of system, such as an IT ticketing system.

sourceId
required
string

The ID of the alert, as defined in the source system. The combination of source + sourceId is guaranteed to be unique (a composite identifier)

incidentId
required
string

The unique Incident ID as defined by CDC

incidentKey
required
string

The incident's unique key

incidentExternalIds
required
array<object>

Incident's external identifiers

system
string

The name of the external system

id
string

The entity's identifier in the external system

Additional items are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately after the major version.

Const: "event/incident-alert-added; version=1;"
#84 Alert Removed From Incident Event AlertRemovedFromIncidentEvent

An alert was removed from an incident

This event is fired when an alert is removed from an incident.

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

The user ID as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

alertId
required
string

The unique Alert ID as defined by CDC

source
required
string

The identifier of the source system from which this alert originated. Usually this is the name of the SIEM, but in some cases the alert may originate from another kind of system, such as an IT ticketing system.

sourceId
required
string

The ID of the alert, as defined in the source system. The combination of source + sourceId is guaranteed to be unique (a composite identifier)

incidentId
required
string

The unique Incident ID as defined by CDC

incidentKey
required
string

The incident's unique key

incidentExternalIds
required
array<object>

Incident's external identifiers

system
string

The name of the external system

id
string

The entity's identifier in the external system

Additional items are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately after the major version.

Const: "event/incident-alert-removed; version=1;"
#85 Incident Associated with Company IncidentAssociatedWithCompany

An incident was associated with a company

This event is fired when an incident is associated with a company (both upon initial association, and upon changes to the association)

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

The user ID as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

incidentId
required
string

The unique Incident ID as defined by CDC

incidentKey
required
string

The incident's unique key

incidentExternalIds
required
array<object>

Incident's external identifiers

system
string

The name of the external system

id
string

The entity's identifier in the external system

Additional items are allowed.

oldValue
required
string,null

The previous name of the company / division to which this incident belonged.

This field is Nullable.

Null value meaning: the incident had no company associated with it before this change. Examples: "CompanyName", null

newValue
required
string

Name of the company / division to which this incident or alert belongs.

Not to be confused with the "organization" field, which was used to distinguish between tenants and is deprecated.

Note that most customers don't use the "company" feature. The value must be one of the companies defined in the CDC database.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately after the major version.

Const: "event/incident-associated-with-company; version=1;"
#86 Incident Closed Event IncidentClosedEvent

An incident was closed

This event is fired when an incident is closed

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

The user ID as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

incidentId
required
string

The unique Incident ID as defined by CDC

incidentKey
required
string

The incident's unique key

incidentExternalIds
required
array<object>

Incident's external identifiers

system
string

The name of the external system

id
string

The entity's identifier in the external system

Additional items are allowed.

incidentName
required
string

The name of the incident

status
required
string
summary
required
object

Incident closure summary and survey

text
required
string

Incident closure summary

reason
string

Incident closure reason. The default possible values are: "Benign Positive", "True Positive", "False Positive - Incorrect alert logic", "False Positive - Inaccurate data" and "Undetermined"

Note: additional custom reasons may exist, but only if they are defined in CDC (metamodels).

survey
required
array<object>

Incident closure survey, which includes system-defined questions and the answers provided by the SOC analyst. If the incident is closed via the external API or by SeeMo, no survey is included.

question
string

Survey question text

answer
string

Survey answer as provided by the SOC analyst

Additional items are allowed.

closedBy
required
string

The identifier of the user who closed the incident

Additional properties are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately after the major version.

Const: "event/incident-closed; version=1;"
#87 Incident Created Event IncidentCreatedEvent

A new incident was created

This event is fired when an incident is created

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

The user ID as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

incidentId
required
string

The unique Incident ID as defined by CDC

incidentKey
required
string

The incident's unique key

incidentExternalIds
required
array<object>

Incident's external identifiers

system
string

The name of the external system

id
string

The entity's identifier in the external system

Additional items are allowed.

name
required
string

The name of the incident

description
required
string
length <= 5000

Incident description. It cannot exceed 5000 characters; if it does, the command does not fail but the description is truncated.

priority
required
string

Incident priority

status
required
string

Incident status

Enum: "open" "pending" "closed"
company
string

Name of the company / division to which this incident or alert belongs.

Not to be confused with the "organization" field, which was used to distinguish between tenants and is deprecated.

Note that most customers don't use the "company" feature. The value must be one of the companies defined in the CDC database.

owner
required
object

The incident owner.

This field is Nullable.

Null value meaning: the incident was created by a bot.

id
string

The user ID as defined in CDC

displayName
string

User display name

email
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

group
required
string

The name of the group (tier) to which this incident is assigned

type
required
string

Incident type

Examples: "Malware" "Unauthorized access"
tags
required
array<string>
Unique

Array of tags. A tag name may contain only the following characters: letters, digits, "-", "_", ".", "#" and "@".

Tags are case-preserving on insertion: if the tag does not already exist with a different casing, it is saved with the casing specified. When used as query filters, tags are treated as case-insensitive.

Items:

0
string
must match ^\S*$

Additional items are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately after the major version.

Const: "event/incident-created; version=1;"
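The tag rules above (allowed characters, the ^\S*$ item pattern, uniqueness, case-preserving insertion and case-insensitive filtering), as an added example that is not code from the CDC API: a validator and a small tag store that behave as the text describes. The TagSet class and the normalize_tags helper are assumptions, as is the reading of "alphabetic" as ASCII letters and the rejection of an empty tag.

```python
import re
from typing import Dict, Iterable, List

# The page allows letters, digits, "-", "_", ".", "#" and "@" in a tag, and the items
# pattern ^\S*$ forbids whitespace. Assumption: "alphabetic" means ASCII letters, and an
# empty tag is rejected here even though ^\S*$ on its own would admit it.
_TAG_RE = re.compile(r"^[A-Za-z0-9\-_.#@]+$")


def is_valid_tag(tag: str) -> bool:
    """True when the tag uses only the characters the incident tags field permits."""
    return bool(_TAG_RE.match(tag))


class TagSet:
    """Case-preserving on insert, case-insensitive on lookup, as the tags field describes."""

    def __init__(self) -> None:
        # casefolded name -> the casing that was stored first (dict keeps insertion order)
        self._by_fold: Dict[str, str] = {}

    def add(self, tag: str) -> str:
        """Store the tag and return the casing that is actually persisted."""
        if not is_valid_tag(tag):
            raise ValueError(f"invalid tag: {tag!r}")
        # First casing wins: a later "PHISHING" does not rename an existing "Phishing".
        return self._by_fold.setdefault(tag.casefold(), tag)

    def contains(self, tag: str) -> bool:
        """Query filters are case-insensitive."""
        return tag.casefold() in self._by_fold

    def stored(self) -> List[str]:
        return list(self._by_fold.values())


def normalize_tags(tags: Iterable[str]) -> List[str]:
    """Validate a tags array and enforce its uniqueness constraint case-insensitively,
    keeping the first casing seen; raises ValueError on the first invalid tag."""
    seen = TagSet()
    for tag in tags:
        seen.add(tag)
    return seen.stored()
```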
#88 Incident Description Changed IncidentDescriptionChanged

Incident description has changed

This event is fired when the description of the incident is changed

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

The user ID as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

incidentId
required
string

The unique Incident ID as defined by CDC

incidentKey
required
string

The incident's unique key

incidentExternalIds
required
array<object>

Incident's external identifiers

system
string

The name of the external system

id
string

The entity's identifier in the external system

Additional items are allowed.

oldValue
required
string

The previous incident description

newValue
required
string

The new (current) incident description

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately after the major version.

Const: "event/incident-description-changed; version=1;"
#89 Incident Evidence Added IncidentEvidenceAdded

Evidence was added to the incident

This event is fired when evidence is added to an incident.

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

The user ID as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

incidentId
required
string

The unique Incident ID as defined by CDC

incidentKey
required
string

The incident's unique key

incidentExternalIds
required
array<object>

Incident's external identifiers

system
string

The name of the external system

id
string

The entity's identifier in the external system

Additional items are allowed.

evidence
required
object

Validations:

  • Text evidence (type="TEXT") must provide caption and description
  • Evidence created from a message (type="TEXT") must provide caption and either messageId or externalId
  • Evidence of any other type must provide type and data
id
required
string

A unique, machine-oriented ID identifying this evidence.

caption
string

The caption of the evidence

name
deprecated
string

The name property is deprecated and kept for backwards compatibility; use the caption property instead.

description
string

The evidence description. Note that this field may contain HTML tags.

type
required
string

The type of evidence

Enum: "TEXT" "ALERT_OWNER_ASSIGNED" "ALERT_OWNER_REMOVED" "ALERT_STATUS_CHANGED" "ALERT_ATTACHED_TO_INCIDENT" "ALERT_AUTOMATION_JOB_ENDED" "ALERT_AUTOMATION_JOB_STARTED" "ALERT_CLOSED" "ALERT_DETACHED_FROM_INCIDENT" "ALERT_DETECTED" "ALERT_RESOLVED" "ALERT_INCIDENT_CREATED" "ALERT_PLAYBOOK_STEP_COMPLETED" "ALERT_REOPENED" "ALERT_ATTACHED_TO_INCIDENT_BY_GROUPING_RULE" "MITRE_ATTACK_ADDED" "MITRE_ATTACK_REMOVED" "INCIDENT_ALERT_ADDED" "INCIDENT_ALERT_REMOVED" "INCIDENT_CREATED" "INCIDENT_CLOSED" "INCIDENT_REOPENED" "INCIDENT_STATUS_CHANGED" "INCIDENT_COMPANY_CHANGED" "INCIDENT_SEVERITY_CHANGED" "INCIDENT_PRIORITY_CHANGED" "INCIDENT_TYPE_CHANGED" "INCIDENT_OWNER_CHANGED" "INCIDENT_ESCALATED" "INCIDENT_ESCALATION_REVOKED" "INCIDENT_ESCALATION_ACCEPTED" "INCIDENT_ESCALATION_REMINDER_SENT" "PLAYBOOK_ADDED" "PLAYBOOK_STEP_COMPLETED" "PLAYBOOK_USER_INPUT_REQUIRED" "PLAYBOOK_EVIDENCES_PROVIDED" "PLAYBOOK_TERMINATED"
data
oneOf
0
object
alertId
string

The unique Alert ID as defined by CDC

alertName
string

The name of the alert

incidentId
string

The unique Incident ID as defined by CDC

incidentName
string

The name of the incident

ruleTitle
string

The title of the grouping rule that attached the alert to the incident

groupingRules
array<object>
matchValue
array<string>

Items:

0
string

The values compared against the alert field

Additional items are allowed.

fieldName
required
string

The name of the alert field evaluated by the grouping rule

operator
required
string

The operator used to compare fieldName with matchValue

Enum: "allOf" "oneOf" "equal"

Additional items are allowed.

Additional properties are allowed.

created
required
string
date-time

Timestamp of when the evidence was created

reported
required
string
date-time

Timestamp of when the evidence was reported (could be different than the evidence creation timestamp)

messageId
string

The ID of the message this evidence was created from

messageCdcUrl
string
url

The URL of the message in the CDC application that this evidence was created from.

guiUrl
deprecated
string
url

The guiUrl property is deprecated and kept for backwards compatibility; use the messageCdcUrl property instead.

externalId
string

The identifier of the evidence as it appears in external systems; used mainly to achieve idempotence

Additional properties are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately after the major version.

Const: "event/incident-evidence-added; version=1;"
#90 Incident Evidence Removed IncidentEvidenceRemoved

Evidence was removed from the incident

This event is fired when evidence is removed from an incident.

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

The user ID as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

incidentId
required
string

The unique Incident ID as defined by CDC

incidentKey
required
string

The incident's unique key

incidentExternalIds
required
array<object>

Incident's external identifiers

system
string

The name of the external system

id
string

The entity's identifier in the external system

Additional items are allowed.

evidence
required
object

Validations:

  • Text evidence (type="TEXT") must provide caption and description
  • Evidence created from a message (type="TEXT") must provide caption and either messageId or externalId
  • Evidence of any other type must provide type and data
id
required
string

A unique, machine-oriented ID identifying this evidence.

caption
string

The caption of the evidence

name
deprecated
string

The name property is deprecated and kept for backwards compatibility; use the caption property instead.

description
string

The evidence description. Note that this field may contain HTML tags.

type
required
string

The type of evidence

Enum: "TEXT" "ALERT_OWNER_ASSIGNED" "ALERT_OWNER_REMOVED" "ALERT_STATUS_CHANGED" "ALERT_ATTACHED_TO_INCIDENT" "ALERT_AUTOMATION_JOB_ENDED" "ALERT_AUTOMATION_JOB_STARTED" "ALERT_CLOSED" "ALERT_DETACHED_FROM_INCIDENT" "ALERT_DETECTED" "ALERT_RESOLVED" "ALERT_INCIDENT_CREATED" "ALERT_PLAYBOOK_STEP_COMPLETED" "ALERT_REOPENED" "ALERT_ATTACHED_TO_INCIDENT_BY_GROUPING_RULE" "MITRE_ATTACK_ADDED" "MITRE_ATTACK_REMOVED" "INCIDENT_ALERT_ADDED" "INCIDENT_ALERT_REMOVED" "INCIDENT_CREATED" "INCIDENT_CLOSED" "INCIDENT_REOPENED" "INCIDENT_STATUS_CHANGED" "INCIDENT_COMPANY_CHANGED" "INCIDENT_SEVERITY_CHANGED" "INCIDENT_PRIORITY_CHANGED" "INCIDENT_TYPE_CHANGED" "INCIDENT_OWNER_CHANGED" "INCIDENT_ESCALATED" "INCIDENT_ESCALATION_REVOKED" "INCIDENT_ESCALATION_ACCEPTED" "INCIDENT_ESCALATION_REMINDER_SENT" "PLAYBOOK_ADDED" "PLAYBOOK_STEP_COMPLETED" "PLAYBOOK_USER_INPUT_REQUIRED" "PLAYBOOK_EVIDENCES_PROVIDED" "PLAYBOOK_TERMINATED"
data
oneOf
0
object
alertId
string

The unique Alert ID as defined by CDC

alertName
string

The name of the alert

incidentId
string

The unique Incident ID as defined by CDC

incidentName
string

The name of the incident

ruleTitle
string

The title of the grouping rule that attached the alert to the incident

groupingRules
array<object>
matchValue
array<string>

Items:

0
string

The values compared against the alert field

Additional items are allowed.

fieldName
required
string

The name of the alert field evaluated by the grouping rule

operator
required
string

The operator used to compare fieldName with matchValue

Enum: "allOf" "oneOf" "equal"

Additional items are allowed.

Additional properties are allowed.

created
required
string
date-time

Timestamp of when the evidence was created

reported
required
string
date-time

Timestamp of when the evidence was reported (could be different than the evidence creation timestamp)

messageId
string

The ID of the message this evidence was created from

messageCdcUrl
string
url

The URL of the message in the CDC application that this evidence was created from.

guiUrl
deprecated
string
url

The guiUrl property is deprecated and kept for backwards compatibility; use the messageCdcUrl property instead.

externalId
string

The identifier of the evidence as it appears in external systems; used mainly to achieve idempotence

Additional properties are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately after the major version.

Const: "event/incident-evidence-removed; version=1;"
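The evidence validation rules repeated in #82, #89 and #90 above, together with the note that the evidence description may contain HTML tags, as an added example (not code from the CDC API): validate_evidence applies the three rules plus the required fields and the type enum, and description_as_text flattens the markup to plain text for consumers that forward evidence into tickets, chat or logs, where re-rendering the original HTML would be an injection risk. The function names and the sample evidence object are assumptions.

```python
from html.parser import HTMLParser
from typing import List

# The evidence "type" enum as listed on the page.
EVIDENCE_TYPES = frozenset({
    "TEXT", "ALERT_OWNER_ASSIGNED", "ALERT_OWNER_REMOVED", "ALERT_STATUS_CHANGED",
    "ALERT_ATTACHED_TO_INCIDENT", "ALERT_AUTOMATION_JOB_ENDED", "ALERT_AUTOMATION_JOB_STARTED",
    "ALERT_CLOSED", "ALERT_DETACHED_FROM_INCIDENT", "ALERT_DETECTED", "ALERT_RESOLVED",
    "ALERT_INCIDENT_CREATED", "ALERT_PLAYBOOK_STEP_COMPLETED", "ALERT_REOPENED",
    "ALERT_ATTACHED_TO_INCIDENT_BY_GROUPING_RULE", "MITRE_ATTACK_ADDED", "MITRE_ATTACK_REMOVED",
    "INCIDENT_ALERT_ADDED", "INCIDENT_ALERT_REMOVED", "INCIDENT_CREATED", "INCIDENT_CLOSED",
    "INCIDENT_REOPENED", "INCIDENT_STATUS_CHANGED", "INCIDENT_COMPANY_CHANGED",
    "INCIDENT_SEVERITY_CHANGED", "INCIDENT_PRIORITY_CHANGED", "INCIDENT_TYPE_CHANGED",
    "INCIDENT_OWNER_CHANGED", "INCIDENT_ESCALATED", "INCIDENT_ESCALATION_REVOKED",
    "INCIDENT_ESCALATION_ACCEPTED", "INCIDENT_ESCALATION_REMINDER_SENT", "PLAYBOOK_ADDED",
    "PLAYBOOK_STEP_COMPLETED", "PLAYBOOK_USER_INPUT_REQUIRED", "PLAYBOOK_EVIDENCES_PROVIDED",
    "PLAYBOOK_TERMINATED",
})


def validate_evidence(ev: dict) -> List[str]:
    """Apply the page's evidence rules; return the list of problems (empty when acceptable)."""
    errors: List[str] = []
    for field in ("id", "type", "created", "reported"):
        if not ev.get(field):
            errors.append(f"missing required field: {field}")
    ev_type = ev.get("type")
    if ev_type and ev_type not in EVIDENCE_TYPES:
        errors.append(f"unknown evidence type: {ev_type}")
    caption = ev.get("caption") or ev.get("name")  # "name" is the deprecated alias
    if ev_type == "TEXT":
        # Text evidence and message-derived evidence both need a caption, plus either a
        # description or a reference to the originating message.
        if not caption:
            errors.append("TEXT evidence requires caption")
        if not (ev.get("description") or ev.get("messageId") or ev.get("externalId")):
            errors.append("TEXT evidence requires description, messageId or externalId")
    elif ev_type in EVIDENCE_TYPES:
        if ev.get("data") is None:
            errors.append(f"{ev_type} evidence requires data")
    return errors


class _TextOnly(HTMLParser):
    """Keeps text nodes and drops every tag; script and style bodies come through as text."""

    def __init__(self) -> None:
        super().__init__()
        self.parts: List[str] = []

    def handle_data(self, data: str) -> None:
        self.parts.append(data)


def description_as_text(description: str) -> str:
    """Flatten an HTML-bearing description to plain text before it reaches a ticket,
    chat message or log line, where the original markup would otherwise be re-rendered."""
    parser = _TextOnly()
    parser.feed(description)
    parser.close()
    return " ".join(" ".join(parser.parts).split())


# Constructed sample evidence; the identifiers are illustrative, not real CDC values.
SAMPLE_TEXT_EVIDENCE = {
    "id": "ev-1", "type": "TEXT", "caption": "Analyst note",
    "description": "<p>Seen <b>mimikatz</b> on host</p><script>alert(1)</script>",
    "created": "2024-01-01T00:00:00Z", "reported": "2024-01-01T00:05:00Z",
}
```

Stripping to text is the right move for plain-text sinks; a consumer that must keep formatting should instead run the description through an allowlist HTML sanitizer before rendering it.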
#91 Incident Name Changed IncidentNameChanged

Incident name has changed

This event is fired when the name of the incident is changed

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

The user ID as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

incidentId
required
string

The unique Incident ID as defined by CDC

incidentKey
required
string

The incident's unique key

incidentExternalIds
required
array<object>

Incident's external identifiers

system
string

The name of the external system

id
string

The entity's identifier in the external system

Additional items are allowed.

oldValue
required
string

The previous incident name

newValue
required
string

The new (current) incident name

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version is an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately after the major version.

Const: "event/incident-name-changed; version=1;"
#92 Incident Observables Added IncidentObservablesAdded

Observables were added to the incident

This event is fired when observables are added to an incident. If multiple observables are added or removed in a single API call, then a single event will be fired

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

the user id as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

incidentId
required
string

The unique Incident ID as defined by CDC

incidentKey
required
string

incident unique key

incidentExternalIds
required
array<object>

Incident's external identifiers

system
string

The name of the external system

id
string

The entity's identifier in the external system

Additional items are allowed.

observables
required
array<object>
>= 1 items Unique
type
required
string

The type of the observable

value
required
string

The value of the observable

Additional items are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/incident-observable-added; version=1;"
#93 Incident Observables Removed IncidentObservablesRemoved

Observables were removed from the incident

This event is fired when observables are removed from an incident. If multiple observables are removed in a single API call, then a single event will be fired

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

the user id as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

incidentId
required
string

The unique Incident ID as defined by CDC

incidentKey
required
string

incident unique key

incidentExternalIds
required
array<object>

Incident's external identifiers

system
string

The name of the external system

id
string

The entity's identifier in the external system

Additional items are allowed.

observables
required
array<object>
>= 1 items Unique
type
required
string

The type of the observable

value
required
string

The value of the observable

Additional items are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/incident-observable-removed; version=1;"
#94 Incident Priority Changed IncidentPriorityChanged

Incident priority has changed

This event is fired when the priority of the incident is changed

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

the user id as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

incidentId
required
string

The unique Incident ID as defined by CDC

incidentKey
required
string

incident unique key

incidentExternalIds
required
array<object>

Incident's external identifiers

system
string

The name of the external system

id
string

The entity's identifier in the external system

Additional items are allowed.

oldValue
required
string

The previous incident priority

newValue
required
string

The new incident priority

alertId
string

Alert's id that triggered incident priority change

reason
string

Reason for priority change

Enum: "ALERT_SEVERITY_CHANGED" "PRIORITY_CHANGED_ATTACHED_ALERT" "PRIORITY_CHANGED_MAPPING_NOT_FOUND"

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/incident-priority-changed; version=1;"
#95 Incident Redirection Accepted IncidentRedirectionAccepted

Incident redirection request has been accepted

This event is fired when an incident redirection request is accepted by the target group. Note that an incident may be redirected several times during its lifetime.

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

the user id as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

incidentId
required
string

The unique Incident ID as defined by CDC

incidentKey
required
string

incident unique key

incidentName
required
string

The name of the incident

incidentExternalIds
required
array<object>

Incident's external identifiers

system
string

The name of the external system

id
string

The entity's identifier in the external system

Additional items are allowed.

oldValue
required
object
owner
required
object

The user who owned this incident prior to the redirection

id
required
string

the user id as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

group
required
string

The group to which the incident was assigned before the redirection (source group)

status
required
string

Incident status

Enum: "open" "pending" "closed"

Additional properties are allowed.

newValue
required
object
owner
required
object

The user who owns this incident after the redirection

id
required
string

the user id as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

group
required
string

The group to which the incident was redirected (target group / destination group)

status
required
string

Incident status

Enum: "open" "pending" "closed"

Additional properties are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/incident-redirection-accepted; version=1;"
#96 Incident Redirection Initiated IncidentRedirectionInitiated

Incident redirection request has been initiated

This event is fired when an incident redirection request is issued. Note that an incident may be redirected several times during its lifetime.

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

the user id as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

incidentId
required
string

The unique Incident ID as defined by CDC

incidentKey
required
string

incident unique key

incidentExternalIds
required
array<object>

Incident's external identifiers

system
string

The name of the external system

id
string

The entity's identifier in the external system

Additional items are allowed.

incidentName
required
string

The name of the incident

sourceGroup
required
string

The group to which the incident was assigned before the redirection

targetGroup
required
string

The group to which the incident is being redirected

reason
required
string

The reason for redirecting this incident

status
required
string

Incident status

Enum: "open" "pending" "closed"

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/incident-redirection-initiated; version=1;"
#97 Incident Redirection Revoked IncidentRedirectionRevoked

Incident redirection request has been revoked

This event is fired when an incident redirection request is revoked.

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

the user id as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

incidentId
required
string

The unique Incident ID as defined by CDC

incidentKey
required
string

incident unique key

incidentExternalIds
required
array<object>

Incident's external identifiers

system
string

The name of the external system

id
string

The entity's identifier in the external system

Additional items are allowed.

incidentName
required
string

The name of the incident

sourceGroup
required
string

The group to which the incident is assigned

targetGroup
required
string

The group to which the incident was being redirected

status
required
string

Incident status

Enum: "open" "pending" "closed"

reason
required
string

Analyst-provided reason for revoking the redirection request

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/incident-redirection-revoked; version=1;"
#98 Incident Reopened IncidentReopened

Incident reopened

This event is fired when an incident that was closed has been reopened.

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

the user id as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

incidentId
required
string

The unique Incident ID as defined by CDC

incidentKey
required
string

incident unique key

incidentName
required
string

The name of the incident

incidentExternalIds
required
array<object>

Incident's external identifiers

system
string

The name of the external system

id
string

The entity's identifier in the external system

Additional items are allowed.

reason
required
string

The reason why this incident was reopened, as provided by the analyst

owner
required
object

The user who currently owns this incident (after it was reopened)

id
string

the user id as defined in CDC

displayName
string

User display name

email
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

group
required
string

The group to which the incident is currently assigned (after it was reopened)

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/incident-reopened; version=1;"
#99 Incident Tags Changed IncidentTagsChanged

Incident tags changed

This event is fired when tags are added or removed from an incident

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

the user id as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

incidentId
required
string

The unique Incident ID as defined by CDC

incidentKey
required
string

incident unique key

incidentExternalIds
required
array<object>

Incident's external identifiers

system
string

The name of the external system

id
string

The entity's identifier in the external system

Additional items are allowed.

oldValue
required
array<string>
Unique

The incident tags prior to the change

Items:

0
string

Additional items are allowed.

newValue
required
array<string>
Unique

The incident tags after the change

Items:

0
string

Additional items are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/incident-tags-changed; version=1;"
#100 Observable Enriched ObservableEnriched

An observable has been enriched

This event is fired when an observable has been enriched with additional data from external information providers. Note that the same observable may be enriched multiple times.

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

the user id as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

type
required
string

The type of the observable.

value
required
string

The value of the observable.

enrichments
required
array<object>
name
required
string
status
required
string

Enrichment status

Enum: "started" "completed" "failed"
suspiciousRate
required
number,null
double >= 0 <= 100

The suspicious rate of the observable (higher is more suspicious), between 0 and 100.

This field is Nullable.

Null value meaning: Not enough data to calculate suspiciousRate, could be updated later.

Examples: 74.8 null
suspiciousWeight
required
number
double
ttl
required
number
int32

Enrichment expiration, in seconds.

endDate
string
date-time
dataType
string
rawData
object

Raw data of completed enrichment

Additional properties are allowed.

reportedAt
string
date-time

The time of when the enriched data was reported to the information provider

error
string

In case the enrichment failed, this field contains the error message

created
string
date-time

Enrichment creation timestamp

modified
string
date-time

Additional items are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/observable-enriched; version=1;"
#101 Observable Rate Changed ObservableRateChanged

An observable's rate has changed

This event is fired when an observable's suspicious rate has changed.

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

type
required
string

The type of the observable.

value
required
string

The value of the observable.

newValue
required
number,null
double >= 0 <= 100

The suspicious rate of the observable (higher is more suspicious), between 0 and 100.

This field is Nullable.

Null value meaning: Not enough data to calculate suspiciousRate, could be updated later.

Examples: 74.8 null
oldValue
required
number,null
double >= 0 <= 100

The suspicious rate of the observable (higher is more suspicious), between 0 and 100.

This field is Nullable.

Null value meaning: Not enough data to calculate suspiciousRate, could be updated later.

Examples: 74.8 null

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/observable-rate-changed; version=1;"
#102 Grouping Settings Updated GroupingSettingsUpdated

Grouping Settings were updated

This event is fired when Grouping Settings were updated

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

the user id as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

incidentTimeLimit
required
number

Time limit in milliseconds: the window after an incident is created within which alerts can still be grouped into it.

maxAlertsPerIncident
required
number

Maximum number of alerts that can be attached to one incident.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/grouping-settings-updated; version=1;"
#103 Grouping Rules Rewritten GroupingRulesRewritten

Grouping Rules were rewritten

This event is fired when Grouping Rules were rewritten

Payload
object
eventId
required
string

A unique identifier of this event. Can be used for idempotence and deduplication.

eventTimestamp
required
string
date-time

The time when this event occurred, in UTC

initiatedBy
required
object

Details about the user who initiated this event or operation. May be empty if the operation was not initiated by a user.

id
required
string

the user id as defined in CDC

displayName
required
string

User display name

email
required
string
email

User email address

group
string

The group this user is a member of

Additional properties are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/grouping-rules-rewritten; version=1;"
#104 User Action Replied Event UserActionRepliedEvent

Manual step has been marked as completed

This event is fired when a playbook step has been completed by the user.

Payload
object
inputData
object

Object with properties

Additional properties are allowed.

correlationId
required
string

A unique identifier for this step. Used to look up the corresponding user action on the uca side.

source
required
string

Step's related playbook source

Enum: "logicappsConsumption" "logicappsStandard"

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/user-action-replied-event; version=1;"
#105 Command Invocation Command CommandInvokeCommand

Invoke the command for the automation engine.

This message invokes a command run for the automation engine

Payload
object
length <= 2097152
scope
required
string

Command pack name

action
required
string

Action from the command pack

context
required
object

Details about the command invocation context

contextType
required
string

Entity type that the command was initiated for

Enum: "alert" "incident" "channel" "observable"
entityId
required
string

CDC ID for the entity initiating the command invocation

messageId
string

CDC ID for the message that requested the command invocation

userId
required
string

ID of the user who requested the command invocation

Additional properties are allowed.

parameters
object

Object with properties specific to the invoked command and its action.

Additional properties are allowed.

Additional properties are allowed.

Headers
message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

reply_to
required
string

Reply address to which the reply message will be sent, in the following format: <exchangeName>:<routingKey>. If not specified, no reply will be sent.

correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "action/invoke-command-command; version=1;"
#106 Invoke Command Reply InvokeCommandReply

The reply returned after the automation command completes

replies

This message is the reply to an invoke-automation command

Payload
object
error
string

Command invocation error if it has occurred

dataType
string

Adaptive card type to display the proper command result

data
object

Object with properties specific to the dataType, used to display the proper command result

Additional properties are allowed.

attachments
array<object>

File attachments related to the command invocation response

filename
required
string
filesize
required
number
fileId
required
string

Additional items are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "reply/command-invoke-reply; version=1;"
correlation_id
required
string

Action identifier, used for tracing and for matching replies to requests.

message_id
required
string

Unique identifier of the operation, used for deduplication in case of reruns.

#107 Command List Updated CommandListUpdated

Command list changes for the Automation Engine

This event is fired when the command list changes for the Automation Engine. The event payload contains the full updated command list

Payload
object
commands
array<object>

The complete list of commands that are available in the ST2 engine

scope
required
string

Command pack name

action
required
string

Action from the command pack

description
required
string

Short description for the command

parameters
object

Object with properties specific to the invoked command and its action. Property names may vary, but each property implements the provided interface.

Additional properties are allowed.

Additional items are allowed.

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/command-list; version=1;"
#108 Workflow Created Event WorkflowCreatedEvent

A workflow was created

This event is fired when a workflow is created

Payload
object
workflowName
required
string

The workflow name

workflowRunId
required
string

The workflow execution id

issuerId
required
string

The unique workflow ID as defined by the service

issuerType
required
string

The type of issuer of the workflow that was created

source
required
string

The identifier of the source system from which this workflow originated. Usually this is the name of the Service

Enum: "logicappsConsumption" "logicappsStandard"
bundleId
string

The application name of the created workflow

startTime
required
string
date-time

Valid ISO date string representation

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always dash-separated and lowercase. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately following the major version.

Const: "event/workflow-created; version=1;"
#109 User Action Created Event UserActionCreatedEvent

A user action step was sent

This event is fired when a workflow run contains a user action step that requires a user response

Payload
object
executionId
required
string

The action's execution ID

inputSchema
object
JSONSchema7

Additional properties are allowed.

issuerId
string

The unique workflow ID as defined by the service

issuerType
string

The type of issuer of the workflow that was created

status
string

The step status

Enum: "completed" "inProgress" "pending" "failed" "terminated" "skipped"
actionName
required
string

Action name

workflowName
required
string

The workflow name

workflowRunId
required
string

The workflow execution id

startTime
required
string
date-time

A valid ISO 8601 date-time string

userId
string

ID of the user who sent the event

correlationId
required
string

A unique identifier for this step. Used to look up the corresponding user action on the uca side.

source
string

The identifier of the source system from which this workflow originated. Usually this is the name of the Service

Enum: "logicappsConsumption" "logicappsStandard"

Additional properties are allowed.

Headers
X-Message-Schema
required
string

Schema and schema version, described in a MIME-type-like format, e.g. {event-type}/{schema-name}; version={version}({-stage});

The schema name is always lowercase and dash-separated only. The schema part is separated from the version by a semicolon (";").

Usually only the major part of the version matters, so in most cases the version will be an integer.

A pre-release version MAY be denoted by appending a hyphen and a series of dot-separated identifiers immediately after the major version.

Const: "event/workflow-created; version=1;"
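
The X-Message-Schema grammar is stated in prose for each message above but never shown being enforced, and the WorkflowCreatedEvent payload lists required fields and a source enum that a subscriber has to check for itself. The following is an added example, not code from the CDC Automation API or from CyberProof: it parses the header value into event type, schema name, major version and optional pre-release stage, rejects a message whose header is missing, malformed, pre-release (unless explicitly allowed) or of a major version with no registered handler before the body is deserialized, and then hands the body to a handler keyed by that triple. The handler registry, the consume() entry point, the handler for event/workflow-created; version=1;, the sample headers and body, and every value in them are constructed for illustration and are not part of the spec.

```python
"""Consumer-side check of the X-Message-Schema header before a body is parsed.

Added example; not code from the CDC Automation API. The header grammar follows the
description in this spec: {event-type}/{schema-name}; version={major}({-stage});
"""
import json
import re
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# event-type and schema-name: lowercase, dash-separated only; version: integer major with
# an optional "-stage" of dot-separated pre-release identifiers; trailing ";" tolerated.
_SCHEMA_RE = re.compile(
    r"^(?P<event_type>[a-z][a-z0-9]*(?:-[a-z0-9]+)*)"
    r"/(?P<schema_name>[a-z][a-z0-9]*(?:-[a-z0-9]+)*)"
    r";\s*version=(?P<major>\d+)"
    r"(?:-(?P<stage>[0-9A-Za-z]+(?:\.[0-9A-Za-z]+)*))?"
    r"\s*;?\s*$"
)


@dataclass(frozen=True)
class MessageSchema:
    event_type: str
    schema_name: str
    major: int
    stage: Optional[str]  # e.g. "beta.1" for a pre-release, None for a release

    @property
    def is_prerelease(self) -> bool:
        return self.stage is not None


def parse_message_schema(value: str) -> MessageSchema:
    """Parse a header value such as 'event/workflow-created; version=1;'."""
    m = _SCHEMA_RE.match(value.strip())
    if m is None:
        raise ValueError(f"malformed X-Message-Schema header: {value!r}")
    return MessageSchema(m["event_type"], m["schema_name"], int(m["major"]), m["stage"])


def is_valid_schema(value: str) -> bool:
    """True when value parses under the header grammar."""
    try:
        parse_message_schema(value)
    except ValueError:
        return False
    return True


# Field names and the source enum come from the WorkflowCreatedEvent payload in this spec;
# the handler itself is hypothetical.
WORKFLOW_CREATED_REQUIRED = ("workflowName", "workflowRunId", "issuerId",
                             "issuerType", "source", "startTime")
WORKFLOW_SOURCES = {"logicappsConsumption", "logicappsStandard"}


def handle_workflow_created_v1(payload: dict) -> str:
    """Validate a v1 WorkflowCreatedEvent payload and return its workflowRunId."""
    missing = [f for f in WORKFLOW_CREATED_REQUIRED if f not in payload]
    if missing:
        raise ValueError(f"workflow-created v1 payload missing {missing}")
    if payload["source"] not in WORKFLOW_SOURCES:
        raise ValueError(f"unknown source {payload['source']!r}")
    return payload["workflowRunId"]


# Handlers are keyed by (event type, schema name, major): a message with a new major
# version is rejected until a handler for it is registered, never fed to the old one.
Handler = Callable[[dict], str]
HANDLERS: Dict[Tuple[str, str, int], Handler] = {
    ("event", "workflow-created", 1): handle_workflow_created_v1,
}


def consume(headers: dict, body: bytes, allow_prerelease: bool = False) -> str:
    """Check the header, pick a handler, and only then deserialize the body."""
    raw = headers.get("X-Message-Schema")
    if raw is None:
        raise ValueError("missing X-Message-Schema header")
    schema = parse_message_schema(raw)
    if schema.is_prerelease and not allow_prerelease:
        raise ValueError(f"pre-release schema not accepted: {raw!r}")
    handler = HANDLERS.get((schema.event_type, schema.schema_name, schema.major))
    if handler is None:
        raise ValueError(f"no handler for {schema.event_type}/{schema.schema_name} v{schema.major}")
    return handler(json.loads(body))


def rejection_reason(headers: dict, body: bytes, allow_prerelease: bool = False) -> Optional[str]:
    """None when consume() accepts the message, otherwise the reason it was rejected."""
    try:
        consume(headers, body, allow_prerelease)
    except ValueError as exc:  # json.JSONDecodeError is a ValueError too
        return str(exc)
    return None


# Constructed sample message (not captured from a real CDC queue).
SAMPLE_HEADERS = {"X-Message-Schema": "event/workflow-created; version=1;"}
SAMPLE_BODY = json.dumps({
    "workflowName": "enrich-alert",
    "workflowRunId": "run-0001",
    "issuerId": "wf-42",
    "issuerType": "playbook",
    "source": "logicappsStandard",
    "startTime": "2024-05-01T10:15:00Z",
}).encode()

if __name__ == "__main__":
    print("accepted run:", consume(SAMPLE_HEADERS, SAMPLE_BODY))
    v2 = {"X-Message-Schema": "event/workflow-created; version=2;"}
    print("v2 rejected:", rejection_reason(v2, SAMPLE_BODY))
```

Keying the handler table on the major version is the point of the header convention: a subscriber pinned to version=1 keeps working when a version=2 schema appears, and the unknown message is parked rather than parsed with the wrong field expectations. Pre-release stages are opt-in for the same reason.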

What's Changed

SUB cdcevents.grouping.settings.updated

 {
   message: {
     payload: {
       properties: {
-        ruleDefaultTimeLimit: {
-          type: "number"
-          description: "default rule time limitation."
-          example: 86400000
-        }
       }
     }
   }
 }
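Review bot: removing `ruleDefaultTimeLimit` from the `cdcevents.grouping.settings.updated` payload is a breaking change for any subscriber that reads it, yet the hunk shows no matching bump of that message's X-Message-Schema version, and the `{event-type}/{schema-name}; version={version}` header convention documented above is what lets subscribers pin a payload shape. Either raise the major version together with the removal, or keep the property for one more version marked as deprecated so consumers that relied on the documented example value of 86400000 can migrate, and state in the message description what a consumer should use as the rule time limit once the property is absent.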