GET /siem/offenses

Retrieve a list of offenses currently in the system.

Table 1. GET /siem/offenses resource details
MIME Type: application/json

Table 2. GET /siem/offenses request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
Range | header | Optional | String | text/plain | Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
sort | query | Optional | String | text/plain | Use this parameter to sort the elements in the list.
filter | query | Optional | String | text/plain | Use this parameter to restrict the elements in the list based on the contents of various fields.
fields | query | Optional | String | text/plain | Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas.

Table 3. GET /siem/offenses response codes
HTTP Response Code | Unique Code | Description
200 | | The offense list was retrieved.
422 | 1005 | A request parameter is not valid.
422 | 1030 | The sort field or order is not valid.
422 | 1010 | The filter parameter is not valid.
500 | 1020 | An error occurred while the offense list was being retrieved.

Response Description

An array of Offense objects. An Offense object contains the following fields:
  • id - Number - The ID of the offense. (Filterable. Sortable.)
  • description - String - The description of the offense.
  • assigned_to - String - The user to whom the offense is assigned. (Filterable. Sortable.)
  • categories - Array of strings - The event categories that are associated with the offense.
  • category_count - Number - The number of event categories that are associated with the offense. (Filterable. Sortable.)
  • policy_category_count - Number - The number of policy event categories that are associated with the offense. (Filterable. Sortable.)
  • security_category_count - Number - The number of security event categories that are associated with the offense. (Filterable. Sortable.)
  • close_time - Number - The number of milliseconds since epoch at the time when the offense was closed. (Filterable. Sortable.)
  • closing_user - String - The user who closed the offense. (Filterable. Sortable.)
  • closing_reason_id - Number - The ID of the reason the offense was closed. (Filterable. Sortable.)
  • credibility - Number - The credibility of the offense. (Filterable. Sortable.)
  • relevance - Number - The relevance of the offense. (Filterable. Sortable.)
  • severity - Number - The severity of the offense. (Filterable. Sortable.)
  • magnitude - Number - The magnitude of the offense. (Filterable. Sortable.)
  • destination_networks - Array of strings - The destination networks that are associated with the offense. (Filterable.)
  • source_network - String - The first seen source network that is associated with the offense.
  • device_count - Number - The number of devices that are associated with the offense. (Filterable. Sortable.)
  • event_count - Number - The number of events that are associated with the offense. (Filterable. Sortable.)
  • flow_count - Number - The number of flows that are associated with the offense. (Filterable. Sortable.)
  • inactive - Boolean - True if the offense is inactive. (Filterable. Sortable.)
  • last_updated_time - Number - The number of milliseconds since epoch of the most recent item that contributed to the offense. This timestamp represents the time that the latest item occurred, not the time at which this item was associated with the offense. (Filterable. Sortable.)
  • local_destination_count - Number - The number of local destinations that are associated with the offense. (Filterable. Sortable.)
  • offense_source - String - The source of the offense. The source is the value the offense is indexed on, which depends on the rule that triggered the offense.
  • offense_type - Number - The ID that represents the offense type. Use GET /siem/offense_types to retrieve the list. (Filterable. Sortable.)
  • protected - Boolean - True if the offense is protected. (Filterable. Sortable.)
  • follow_up - Boolean - True if the offense is marked for follow up. (Filterable. Sortable.)
  • remote_destination_count - Number - The number of remote destinations that are associated with the offense. (Filterable. Sortable.)
  • source_count - Number - The number of sources that are associated with the offense. (Filterable. Sortable.)
  • start_time - Number - The number of milliseconds since epoch of the earliest item that contributed to the offense. This timestamp represents the time that the earliest item occurred, not the time at which this item was associated with the offense. (Filterable. Sortable.)
  • status - String - The status of the offense. One of "OPEN", "HIDDEN", or "CLOSED". (Filterable. Sortable.)
  • username_count - Number - The number of usernames that are associated with the offense. (Filterable. Sortable.)
  • source_address_ids - Array of numbers - The source address IDs that are associated with the offense. (Filterable.)
  • local_destination_address_ids - Array of numbers - The local destination address IDs that are associated with the offense. (Filterable.)
  • domain_id - Number - Optional. The ID of the associated domain if the offense is associated with a single domain. (Filterable. Sortable.)
  • last_persisted_time - Number - The number of milliseconds since epoch when an offense field was last updated. (Filterable. Sortable.)
  • first_persisted_time - Number - The number of milliseconds since epoch at the time when the offense was created. (Filterable. Sortable.)
  • rules - Array - An array containing the rules that contributed to the offense. (Filterable.):
    • id - Long - The id of the rule.
    • type - String - The type of rule. One of "ADE_RULE", "BUILDING_BLOCK_RULE", or "CRE_RULE".
  • log_sources - Array - An array containing the log sources that contributed to the offense (Filterable.):
    • id - Long - The id of the log source.
    • name - String - The name of the log source.
    • type_id - Long - The id of the log source type.
    • type_name - String - The name of the log source type.

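As an added example (not part of the original reference, and not QRadar's own client code), the following Python builds a GET /siem/offenses request using the Range, filter, sort and fields parameters above, then parses a constructed sample response, converting the epoch-millisecond timestamps to UTC datetimes and picking out open offenses worth triage. The "items=start-end" form of the Range header, the SEC token header, the filter expression syntax and the "-field" sort syntax are assumptions about the API and are not stated on this page.

```python
import json
from datetime import datetime, timezone
from urllib.parse import urlencode

# Constructed sample response: values are invented, the shape follows the field list above.
SAMPLE_RESPONSE = json.dumps([
    {"id": 101, "description": "Excessive firewall denies", "status": "OPEN",
     "magnitude": 7, "severity": 8, "credibility": 5, "relevance": 6, "inactive": False,
     "start_time": 1700000000000, "last_updated_time": 1700003600000, "close_time": None,
     "offense_source": "10.0.0.5", "event_count": 120,
     "rules": [{"id": 42, "type": "CRE_RULE"}],
     "log_sources": [{"id": 7, "name": "fw-edge-01", "type_id": 11, "type_name": "Firewall"}]},
    {"id": 102, "description": "Old scan offense", "status": "CLOSED",
     "magnitude": 3, "severity": 4, "credibility": 3, "relevance": 2, "inactive": True,
     "start_time": 1690000000000, "last_updated_time": 1690000500000, "close_time": 1690086400000,
     "offense_source": "10.0.0.9", "event_count": 4, "rules": [], "log_sources": []},
])

# Fields the page documents as milliseconds since epoch.
TIME_FIELDS = ("start_time", "last_updated_time", "close_time",
               "first_persisted_time", "last_persisted_time")

def build_request(base_url, token, start, end, filter_expr=None, sort=None, fields=None):
    """Return (url, headers) for GET /siem/offenses.
    Range is zero-indexed and inclusive; the 'items=' form and the SEC header are assumed."""
    params = {k: v for k, v in (("filter", filter_expr), ("sort", sort), ("fields", fields)) if v}
    url = base_url.rstrip("/") + "/siem/offenses"
    if params:
        url += "?" + urlencode(params)
    headers = {"Accept": "application/json", "Range": f"items={start}-{end}", "SEC": token}
    return url, headers

def parse_offenses(body):
    """Decode the JSON array and turn epoch-millisecond fields into aware UTC datetimes."""
    parsed = []
    for offense in json.loads(body):
        rec = dict(offense)
        for key in TIME_FIELDS:
            if rec.get(key) is not None:
                rec[key] = datetime.fromtimestamp(rec[key] / 1000, tz=timezone.utc)
        parsed.append(rec)
    return parsed

def triage_candidates(offenses, min_magnitude):
    """Open, active offenses at or above a magnitude threshold, most recent activity first."""
    hits = [o for o in offenses
            if o["status"] == "OPEN" and not o["inactive"] and o["magnitude"] >= min_magnitude]
    return sorted(hits, key=lambda o: o["last_updated_time"], reverse=True)

if __name__ == "__main__":
    url, hdrs = build_request("https://qradar.example/api", "<SEC-TOKEN>", 0, 49,
                              filter_expr='status="OPEN" and magnitude>=7', sort="-magnitude",
                              fields="id,description,magnitude,last_updated_time,rules(id,type)")
    print(url, hdrs["Range"])
    for o in triage_candidates(parse_offenses(SAMPLE_RESPONSE), 7):
        print(o["id"], o["description"], o["last_updated_time"].isoformat())
```

Only the placeholder token and sample data are constructed; swapping in a real token and an HTTP call to the built URL turns this into a working poller.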
Response Sample

[
  {
    "last_persisted_time": 42,
    "username_count": 42,
    "description": "String",
    "rules": [
      {"id": 42, "type": "String <one of: ADE_RULE, BUILDING_BLOCK_RULE, CRE_RULE>"}
    ],
    "event_count": 42,
    "flow_count": 42,
    "assigned_to": "String",
    "security_category_count": 42,
    "follow_up": true,
    "source_address_ids": [42],
    "source_count": 42,
    "inactive": true,
    "protected": true,
    "category_count": 42,
    "source_network": "String",
    "destination_networks": ["String"],
    "closing_user": "String",
    "close_time": 42,
    "remote_destination_count": 42,
    "start_time": 42,
    "last_updated_time": 42,
    "credibility": 42,
    "magnitude": 42,
    "id": 42,
    "categories": ["String"],
    "severity": 42,
    "log_sources": [
      {"name": "String", "type_name": "String", "type_id": 42, "id": 42}
    ],
    "policy_category_count": 42,
    "device_count": 42,
    "closing_reason_id": 42,
    "first_persisted_time": 42,
    "offense_type": 42,
    "relevance": 42,
    "domain_id": 42,
    "offense_source": "String",
    "local_destination_address_ids": [42],
    "local_destination_count": 42,
    "status": "String <one of: OPEN, HIDDEN, CLOSED>"
  }
]