POST /siem/offenses/{offense_id}
Update an offense.
MIME Type |
---|
application/json |
Parameter | Type | Optionality | Data Type | MIME Type | Description |
---|---|---|---|---|---|
offense_id | path | Required | Number (Integer) | text/plain | Required - The ID of the offense to update. |
protected | query | Optional | Boolean | text/plain | Optional - Set to true to protect the offense. |
follow_up | query | Optional | Boolean | text/plain | Optional - Set to true to set the follow up flag on the offense. |
status | query | Optional | String | text/plain | Optional - The new status for the offense. Set to one of: OPEN, HIDDEN, CLOSED. When the status of an offense is being set to CLOSED, a valid closing_reason_id must be provided. To hide an offense, use the HIDDEN status. To show a previously hidden offense, use the OPEN status. |
closing_reason_id | query | Optional | Number (Integer) | text/plain | Optional - The ID of a closing reason. You must provide a valid closing_reason_id when you close an offense. |
assigned_to | query | Optional | String | text/plain | Optional - A user to assign the offense to. |
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |
HTTP Response Code | Unique Code | Description |
---|---|---|
200 | | The offense was updated. |
403 | 1009 | User does not have the required capability to perform the action. |
404 | 1002 | No offense was found for the provided offense_id. |
409 | 1008 | Request cannot be completed due to the state of the offense. |
422 | 1005 | A request parameter is not valid. |
500 | 1020 | An error occurred while the offense was being updated. |
Response Description
- id - Number - The ID of the offense.
- description - String - The description of the offense.
- assigned_to - String - The user the offense is assigned to.
- categories - Array of strings - Event categories that are associated with the offense.
- category_count - Number - The number of event categories that are associated with the offense.
- policy_category_count - Number - The number of policy event categories that are associated with the offense.
- security_category_count - Number - The number of security event categories that are associated with the offense.
- close_time - Number - The number of milliseconds since epoch when the offense was closed.
- closing_user - String - The user that closed the offense.
- closing_reason_id - Number - The ID of the offense closing reason. The reason the offense was closed.
- credibility - Number - The credibility of the offense.
- relevance - Number - The relevance of the offense.
- severity - Number - The severity of the offense.
- magnitude - Number - The magnitude of the offense.
- destination_networks - Array of strings - The destination networks that are associated with the offense.
- source_network - String - The source network that is associated with the offense.
- device_count - Number - The number of devices that are associated with the offense.
- event_count - Number - The number of events that are associated with the offense.
- flow_count - Number - The number of flows that are associated with the offense.
- inactive - Boolean - True if the offense is inactive.
- last_updated_time - Number - The number of milliseconds since epoch when the offense was last updated.
- local_destination_count - Number - The number of local destinations that are associated with the offense.
- offense_source - String - The source of the offense.
- offense_type - Number - A number that represents the offense type. Use GET /siem/offense_types to retrieve the list.
- protected - Boolean - True if the offense is protected.
- follow_up - Boolean - True if the offense is marked for follow up.
- remote_destination_count - Number - The number of remote destinations that are associated with the offense.
- source_count - Number - The number of sources that are associated with the offense.
- start_time - Number - The number of milliseconds since epoch when the offense was started.
- status - String - The status of the offense. One of "OPEN", "HIDDEN", or "CLOSED".
- username_count - Number - The number of usernames that are associated with the offense.
- source_address_ids - Array of numbers - The source address IDs that are associated with the offense.
- local_destination_address_ids - Array of numbers - The local destination address IDs that are associated with the offense.
- domain_id - Number - Optional. ID of the associated domain if the offense is associated with a single domain.
- rules - Array - An array of rules that contributed to the offense:
  - id - Long - The ID of the rule.
  - type - String - The type of rule. One of "ADE_RULE", "BUILDING_BLOCK_RULE", or "CRE_RULE".
Response Sample

```json
{
  "assigned_to": "String",
  "categories": [
    "String"
  ],
  "category_count": 42,
  "close_time": 42,
  "closing_reason_id": 42,
  "closing_user": "String",
  "credibility": 42,
  "description": "String",
  "destination_networks": [
    "String"
  ],
  "device_count": 42,
  "domain_id": 42,
  "event_count": 42,
  "flow_count": 42,
  "follow_up": true,
  "id": 42,
  "inactive": true,
  "last_updated_time": 42,
  "local_destination_address_ids": [
    42
  ],
  "local_destination_count": 42,
  "log_sources": [
    {
      "id": 42,
      "name": "String",
      "type_id": 42,
      "type_name": "String"
    }
  ],
  "magnitude": 42,
  "offense_source": "String",
  "offense_type": 42,
  "policy_category_count": 42,
  "protected": true,
  "relevance": 42,
  "remote_destination_count": 42,
  "rules": [
    {
      "id": 42,
      "type": "String <one of: ADE_RULE, BUILDING_BLOCK_RULE, CRE_RULE>"
    }
  ],
  "security_category_count": 42,
  "severity": 42,
  "source_address_ids": [
    42
  ],
  "source_count": 42,
  "source_network": "String",
  "start_time": 42,
  "status": "String <one of: OPEN, HIDDEN, CLOSED>",
  "username_count": 42
}
```
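The following is an added example, not IBM's code or part of the reference page. It builds the request described above, enforcing the page's stated constraints client-side (status must be OPEN, HIDDEN or CLOSED; CLOSED requires a closing_reason_id) so an invalid update is rejected before anything is sent, and it maps the unique codes from the response table to a handling hint. The console base URL, the `SEC` API-token header, and the idea that an error body carries the unique code in a `code` field are assumptions of the example, not values documented on this page; nothing here sends network traffic.

```python
"""Added example (not IBM's code): build and validate a
POST /siem/offenses/{offense_id} request, then interpret the reply, offline.

Assumptions not stated on the page: the base URL, the `SEC` token header,
and that error bodies carry the unique code in a `code` field."""
from urllib.parse import urlencode

VALID_STATUSES = ("OPEN", "HIDDEN", "CLOSED")

# Unique codes from the page's response table, each with a handling hint.
ERROR_HINTS = {
    1009: "forbidden: the caller lacks the capability to update offenses",
    1002: "no offense exists for that offense_id",
    1008: "offense state conflict (for example already closed); re-read it before retrying",
    1005: "a request parameter is invalid (check status and closing_reason_id)",
    1020: "server error while updating; safe to retry later",
}


def build_update_offense_request(base_url, offense_id, *, status=None,
                                 closing_reason_id=None, protected=None,
                                 follow_up=None, assigned_to=None,
                                 fields=None, sec_token="<SEC-TOKEN>"):
    """Return (method, url, headers) for the update call.

    The page's constraints are checked here so a bad call never leaves the host.
    """
    if not isinstance(offense_id, int) or isinstance(offense_id, bool) or offense_id < 0:
        raise ValueError("offense_id must be a non-negative integer")
    if status is not None:
        if status not in VALID_STATUSES:
            raise ValueError(f"status must be one of {VALID_STATUSES}")
        if status == "CLOSED" and closing_reason_id is None:
            raise ValueError("status=CLOSED requires a closing_reason_id")
    if closing_reason_id is not None and (
            not isinstance(closing_reason_id, int) or isinstance(closing_reason_id, bool)):
        raise ValueError("closing_reason_id must be an integer")

    # Query parameters in the order the page lists them; booleans are sent as
    # the literal strings true/false that a text/plain query parameter expects.
    params = {}
    if protected is not None:
        params["protected"] = "true" if protected else "false"
    if follow_up is not None:
        params["follow_up"] = "true" if follow_up else "false"
    if status is not None:
        params["status"] = status
    if closing_reason_id is not None:
        params["closing_reason_id"] = str(closing_reason_id)
    if assigned_to is not None:
        params["assigned_to"] = assigned_to
    if fields is not None:
        params["fields"] = fields  # e.g. "id,status,rules(id,type)"; urlencode escapes it

    url = f"{base_url.rstrip('/')}/siem/offenses/{offense_id}"
    if params:
        url += "?" + urlencode(params)
    # The SEC header is the assumed API-token header; not documented on this page.
    headers = {"SEC": sec_token, "Accept": "application/json"}
    return "POST", url, headers


def interpret_response(http_status, body):
    """Turn an HTTP status plus decoded JSON body into a one-line outcome."""
    if http_status == 200:
        closed = body.get("status") == "CLOSED"
        extra = f", closed by {body.get('closing_user')}" if closed else ""
        return f"updated: offense {body['id']} is {body['status']}{extra}"
    # Assumed error-body shape: the unique code is in a top-level "code" field.
    code = body.get("code") if isinstance(body, dict) else None
    return f"HTTP {http_status} (code {code}): {ERROR_HINTS.get(code, 'unexpected error')}"


if __name__ == "__main__":
    method, url, headers = build_update_offense_request(
        "https://qradar.example/api", 42, status="CLOSED", closing_reason_id=3,
        fields="id,status,closing_user")
    print(method, url)
    # Constructed replies shaped like the page's response sample and error table.
    print(interpret_response(200, {"id": 42, "status": "CLOSED", "closing_user": "analyst"}))
    print(interpret_response(409, {"code": 1008}))
```

The point of validating before sending is that a 422 (code 1005) for a missing closing_reason_id, or a 409 (code 1008) for an offense whose state no longer allows the change, is cheaper to avoid than to handle; the hints for 1008 and 1020 are phrased so an automation loop re-reads the offense or retries rather than blindly repeating the same call.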