{"type":"model","meta":{"id":"/apps/pubhub/media/cisco-xdr-api-docs/f4e065ff5977829c89df289df08411f83205f526/e9fbb387-4438-3b4b-b9f2-c8cb296686dc","info":{"title":"IROH-INT Response","description":"Manage Response from modules","contact":{"name":"Cisco Security Business Group -- Advanced Threat","email":"cisco-intel-api-support@cisco.com"},"license":{"name":"All Rights Reserved","url":"https://www.cisco.com"},"version":"1.0.107"},"security":[{"oAuth2":["integration:read","private-intel:read","profile:read","inspect:read","users:read","invite:read","enrich:read","oauth:read","response:read","global-intel:read","ao:read","playbook:read"]}],"tags":[{"name":"Response","description":"IROH Response"}],"x-parser-conf":{"serverConfig":"select","overview":{"markdownPath":"reference/response/overview.md","uri":"response-api-guide"},"disableAuthEditing":true,"exampleAsDefault":true,"oAuth2":{"clientId":"client-546e34fc-c6bf-4951-ac69-f6d7987a7814","clientSecret":"MYw4_E_tBdFwUwrX6WFYKVD5LQrG2k7XrJ5J046wWE0s1gAKCxJ8VA","proxyEnabled":false},"meta":{"useProxy":true}},"openapi":"3.0.1","servers":[{"url":"https://visibility.amp.cisco.com"}],"securitySchemes":{"oAuth2":{"type":"oauth2","flows":{"clientCredentials":{"tokenUrl":"https://visibility.amp.cisco.com/iroh/oauth2/token","scopes":{"telemetry":"Collect application data for analytics","integration:read":"Manage your modules","private-intel:read":"Access Private Intelligence","admin":"Provide admin privileges","cognitive":"Cognitive Integration","profile:read":"Get your profile information","inspect:read":"Extract Observables and data from text","asset":"Access and modify your assets","event":"Read IROH Events","feedback":"Submit Customer Feedback","sse":"SSE Integration. 
Manage your Devices.","registry":"Manage registry entries","users:read":"Manage users of your organization","investigation":"Perform threat analysis investigation","invite:read":"Invite users into your organization","casebook":"Access and modify your casebooks","playbook":"Access and modify your playbooks","orbital":"Orbital Integration.","enrich:read":"Query your configured modules for threat intelligence","oauth:read":"Manage OAuth2 Clients","vault":"Grants access to Module Vaults","response:read":"List and execute response actions using configured modules","notification":"Receive notifications from integrations","global-intel:read":"Access AMP Global Intelligence","webhook":"Manage your Webhooks","ao:read":"AO Integration."}}}}}},"spec":{"type":"object","properties":{"http_events":{"type":"array","description":"a list of `HTTPType`","example":[{"process_guid":10,"traffic":{"destination_host_name":"string","protocol":10,"source_ip":"string","destination_subnet":"string","destination_ip":"string","source_subnet":"string","destination_port":10,"direction":"incoming","source_port":10},"method":"CONNECT","time":{"start_time":"2016-01-01T01:01:01.000Z","end_time":"2016-01-01T01:01:01.000Z"},"type":"HTTPEvent","host":"string","process_name":"string","process_id":10,"process_username":"string","query":"string","encrypted":true,"url_port":10}],"items":{"required":["host","process_id","process_name","time","traffic","type"],"type":"object","properties":{"process_guid":{"type":"integer","format":"int64","example":10},"traffic":{"required":["destination_ip","destination_port","direction","protocol","source_ip","source_port"],"type":"object","properties":{"destination_host_name":{"type":"string","example":"string"},"protocol":{"type":"integer","description":"The IP [protocol 
id](https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml)","format":"int64","example":10},"source_ip":{"type":"string","example":"string"},"destination_subnet":{"type":"string","example":"string"},"destination_ip":{"type":"string","example":"string"},"source_subnet":{"type":"string","example":"string"},"destination_port":{"type":"integer","format":"int64","example":10},"direction":{"type":"string","example":"incoming","enum":["incoming","outgoing"]},"source_port":{"type":"integer","format":"int64","example":10}},"additionalProperties":false,"example":{"destination_host_name":"string","protocol":10,"source_ip":"string","destination_subnet":"string","destination_ip":"string","source_subnet":"string","destination_port":10,"direction":"incoming","source_port":10},"$$ref":"#/components/schemas/Traffic"},"method":{"type":"string","example":"CONNECT","enum":["OPTIONS","PATCH","TRACE","HEAD","POST","CONNECT","GET","PUT"]},"time":{"required":["start_time"],"type":"object","properties":{"start_time":{"type":"string","description":"Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.","format":"date-time","example":"2016-01-01T01:01:01Z"},"end_time":{"type":"string","description":"If the observation was made over a period of time, than this field indicates the end of that period.","format":"date-time","example":"2016-01-01T01:01:01Z"}},"additionalProperties":false,"description":"Period of time when a cyber observation is valid. 
`start_time` must come before `end_time` (if specified).","example":{"start_time":"2016-01-01T01:01:01.000Z","end_time":"2016-01-01T01:01:01.000Z"},"$$ref":"#/components/schemas/ObservedTime"},"type":{"type":"string","example":"HTTPEvent","enum":["HTTPEvent"]},"host":{"type":"string","description":"String with at most 1024 characters.","example":"string"},"process_name":{"type":"string","description":"String with at most 1024 characters.","example":"string"},"process_id":{"type":"integer","format":"int64","example":10},"process_username":{"type":"string","description":"String with at most 1024 characters.","example":"string"},"query":{"type":"string","description":"String with at most 5000 characters.","example":"string"},"encrypted":{"type":"boolean","example":true},"url_port":{"type":"integer","format":"int64","example":10}},"additionalProperties":false,"example":{"process_guid":10,"traffic":{"destination_host_name":"string","protocol":10,"source_ip":"string","destination_subnet":"string","destination_ip":"string","source_subnet":"string","destination_port":10,"direction":"incoming","source_port":10},"method":"CONNECT","time":{"start_time":"2016-01-01T01:01:01.000Z","end_time":"2016-01-01T01:01:01.000Z"},"type":"HTTPEvent","host":"string","process_name":"string","process_id":10,"process_username":"string","query":"string","encrypted":true,"url_port":10},"$$ref":"#/components/schemas/HTTPType"}},"process_create_events":{"type":"array","description":"a list of 
`ProcessCreate`","example":[{"parent_process_name":"string","process_guid":10,"parent_process_guid":10,"process_disposition":"string","parent_process_size":10,"process_size":10,"time":{"start_time":"2016-01-01T01:01:01.000Z","end_time":"2016-01-01T01:01:01.000Z"},"parent_process_disposition":"string","type":"ProcessCreateEvent","parent_process_username":"string","parent_process_id":10,"parent_process_args":"string","process_name":"string","process_hash":"string","process_id":10,"parent_process_hash":"string","process_username":"string","parent_creation_time":"2016-01-01T01:01:01.000Z","process_args":"string"}],"items":{"required":["process_id","process_name","time","type"],"type":"object","properties":{"parent_process_name":{"type":"string","description":"String with at most 1024 characters.","example":"string"},"process_guid":{"type":"integer","format":"int64","example":10},"parent_process_guid":{"type":"integer","format":"int64","example":10},"process_disposition":{"type":"string","description":"String with at most 1024 characters.","example":"string"},"parent_process_size":{"type":"integer","format":"int64","example":10},"process_size":{"type":"integer","format":"int64","example":10},"time":{"required":["start_time"],"type":"object","properties":{"start_time":{"type":"string","description":"Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.","format":"date-time","example":"2016-01-01T01:01:01Z"},"end_time":{"type":"string","description":"If the observation was made over a period of time, than this field indicates the end of that period.","format":"date-time","example":"2016-01-01T01:01:01Z"}},"additionalProperties":false,"description":"Period of time when a cyber observation is valid. 
`start_time` must come before `end_time` (if specified).","example":{"start_time":"2016-01-01T01:01:01.000Z","end_time":"2016-01-01T01:01:01.000Z"},"$$ref":"#/components/schemas/ObservedTime"},"parent_process_disposition":{"type":"string","description":"String with at most 1024 characters.","example":"string"},"type":{"type":"string","example":"ProcessCreateEvent","enum":["ProcessCreateEvent"]},"parent_process_username":{"type":"string","description":"String with at most 1024 characters.","example":"string"},"parent_process_id":{"type":"integer","format":"int64","example":10},"parent_process_args":{"type":"string","description":"String with at most 2048 characters.","example":"string"},"process_name":{"type":"string","description":"String with at most 1024 characters.","example":"string"},"process_hash":{"type":"string","description":"String with at most 2048 characters.","example":"string"},"process_id":{"type":"integer","format":"int64","example":10},"parent_process_hash":{"type":"string","description":"String with at most 2048 characters.","example":"string"},"process_username":{"type":"string","description":"String with at most 1024 characters.","example":"string"},"parent_creation_time":{"type":"string","description":"Schema definition for all date or timestamp values. 
Serialized as a string, the field should follow the rules of the [ISO8601](https://en.wikipedia.org/wiki/ISO_8601) standard.","format":"date-time","example":"2016-01-01T01:01:01Z"},"process_args":{"type":"string","description":"String with at most 2048 characters.","example":"string"}},"additionalProperties":false,"example":{"parent_process_name":"string","process_guid":10,"parent_process_guid":10,"process_disposition":"string","parent_process_size":10,"process_size":10,"time":{"start_time":"2016-01-01T01:01:01.000Z","end_time":"2016-01-01T01:01:01.000Z"},"parent_process_disposition":"string","type":"ProcessCreateEvent","parent_process_username":"string","parent_process_id":10,"parent_process_args":"string","process_name":"string","process_hash":"string","process_id":10,"parent_process_hash":"string","process_username":"string","parent_creation_time":"2016-01-01T01:01:01.000Z","process_args":"string"},"$$ref":"#/components/schemas/ProcessCreateType"}},"registry_delete_events":{"type":"array","description":"a list of `RegistryDeleteType`","example":[{"time":{"start_time":"2016-01-01T01:01:01.000Z","end_time":"2016-01-01T01:01:01.000Z"},"process_id":10,"process_name":"string","process_guid":10,"process_username":"string","registry_key":"string","type":"RegistryDeleteEvent","registry_value":"string"}],"items":{"required":["process_id","process_name","registry_key","time","type"],"type":"object","properties":{"time":{"required":["start_time"],"type":"object","properties":{"start_time":{"type":"string","description":"Time of the observation. 
If the observation was made over a period of time, than this field indicates the start of that period.","format":"date-time","example":"2016-01-01T01:01:01Z"},"end_time":{"type":"string","description":"If the observation was made over a period of time, than this field indicates the end of that period.","format":"date-time","example":"2016-01-01T01:01:01Z"}},"additionalProperties":false,"description":"Period of time when a cyber observation is valid. `start_time` must come before `end_time` (if specified).","example":{"start_time":"2016-01-01T01:01:01.000Z","end_time":"2016-01-01T01:01:01.000Z"},"$$ref":"#/components/schemas/ObservedTime"},"process_id":{"type":"integer","format":"int64","example":10},"process_name":{"type":"string","description":"String with at most 1024 characters.","example":"string"},"process_guid":{"type":"integer","format":"int64","example":10},"process_username":{"type":"string","description":"String with at most 1024 characters.","example":"string"},"registry_key":{"type":"string","description":"String with at most 1024 characters.","example":"string"},"type":{"type":"string","example":"RegistryDeleteEvent","enum":["RegistryDeleteEvent"]},"registry_value":{"type":"string","description":"String with at most 2048 characters.","example":"string"}},"additionalProperties":false,"example":{"time":{"start_time":"2016-01-01T01:01:01.000Z","end_time":"2016-01-01T01:01:01.000Z"},"process_id":10,"process_name":"string","process_guid":10,"process_username":"string","registry_key":"string","type":"RegistryDeleteEvent","registry_value":"string"},"$$ref":"#/components/schemas/RegistryDeleteType"}},"file_modify_events":{"type":"array","description":"a list of 
`FileModifyType`","example":[{"file_name":"string","process_guid":10,"time":{"start_time":"2016-01-01T01:01:01.000Z","end_time":"2016-01-01T01:01:01.000Z"},"type":"FileModifyEvent","file_path":"string","process_name":"string","process_id":10,"process_username":"string","failed":false}],"items":{"required":["file_name","file_path","process_id","process_name","time","type"],"type":"object","properties":{"file_name":{"type":"string","description":"String with at most 1024 characters.","example":"string"},"process_guid":{"type":"integer","format":"int64","example":10},"time":{"required":["start_time"],"type":"object","properties":{"start_time":{"type":"string","description":"Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.","format":"date-time","example":"2016-01-01T01:01:01Z"},"end_time":{"type":"string","description":"If the observation was made over a period of time, than this field indicates the end of that period.","format":"date-time","example":"2016-01-01T01:01:01Z"}},"additionalProperties":false,"description":"Period of time when a cyber observation is valid. 
`start_time` must come before `end_time` (if specified).","example":{"start_time":"2016-01-01T01:01:01.000Z","end_time":"2016-01-01T01:01:01.000Z"},"$$ref":"#/components/schemas/ObservedTime"},"type":{"type":"string","example":"FileModifyEvent","enum":["FileModifyEvent"]},"file_path":{"type":"string","description":"String with at most 2048 characters.","example":"string"},"process_name":{"type":"string","description":"String with at most 1024 characters.","example":"string"},"process_id":{"type":"integer","format":"int64","example":10},"process_username":{"type":"string","description":"String with at most 1024 characters.","example":"string"},"failed":{"type":"boolean","example":false}},"additionalProperties":false,"example":{"file_name":"string","process_guid":10,"time":{"start_time":"2016-01-01T01:01:01.000Z","end_time":"2016-01-01T01:01:01.000Z"},"type":"FileModifyEvent","file_path":"string","process_name":"string","process_id":10,"process_username":"string","failed":false},"$$ref":"#/components/schemas/FileModifyType"}},"registry_set_events":{"type":"array","description":"a list of `RegistrySetType`","example":[{"process_guid":10,"registry_data":"string","time":{"start_time":"2016-01-01T01:01:01.000Z","end_time":"2016-01-01T01:01:01.000Z"},"type":"RegistrySetEvent","registry_data_length":10,"registry_value":"string","registry_key":"string","process_name":"string","process_id":10,"process_username":"string"}],"items":{"required":["process_id","process_name","registry_key","registry_value","time","type"],"type":"object","properties":{"process_guid":{"type":"integer","format":"int64","example":10},"registry_data":{"type":"string","description":"String with at most 5000 characters.","example":"string"},"time":{"required":["start_time"],"type":"object","properties":{"start_time":{"type":"string","description":"Time of the observation. 
If the observation was made over a period of time, than this field indicates the start of that period.","format":"date-time","example":"2016-01-01T01:01:01Z"},"end_time":{"type":"string","description":"If the observation was made over a period of time, than this field indicates the end of that period.","format":"date-time","example":"2016-01-01T01:01:01Z"}},"additionalProperties":false,"description":"Period of time when a cyber observation is valid. `start_time` must come before `end_time` (if specified).","example":{"start_time":"2016-01-01T01:01:01.000Z","end_time":"2016-01-01T01:01:01.000Z"},"$$ref":"#/components/schemas/ObservedTime"},"type":{"type":"string","example":"RegistrySetEvent","enum":["RegistrySetEvent"]},"registry_data_length":{"type":"integer","format":"int64","example":10},"registry_value":{"type":"string","description":"String with at most 2048 characters.","example":"string"},"registry_key":{"type":"string","description":"String with at most 1024 characters.","example":"string"},"process_name":{"type":"string","description":"String with at most 1024 characters.","example":"string"},"process_id":{"type":"integer","format":"int64","example":10},"process_username":{"type":"string","description":"String with at most 1024 characters.","example":"string"}},"additionalProperties":false,"example":{"process_guid":10,"registry_data":"string","time":{"start_time":"2016-01-01T01:01:01.000Z","end_time":"2016-01-01T01:01:01.000Z"},"type":"RegistrySetEvent","registry_data_length":10,"registry_value":"string","registry_key":"string","process_name":"string","process_id":10,"process_username":"string"},"$$ref":"#/components/schemas/RegistrySetType"}},"file_create_events":{"type":"array","description":"a list of 
`FileCreateType`","example":[{"file_name":"string","process_guid":10,"time":{"start_time":"2016-01-01T01:01:01.000Z","end_time":"2016-01-01T01:01:01.000Z"},"type":"FileCreateEvent","file_path":"string","process_name":"string","process_id":10,"process_username":"string","failed":false}],"items":{"required":["file_name","file_path","process_id","process_name","time","type"],"type":"object","properties":{"file_name":{"type":"string","description":"String with at most 1024 characters.","example":"string"},"process_guid":{"type":"integer","format":"int64","example":10},"time":{"required":["start_time"],"type":"object","properties":{"start_time":{"type":"string","description":"Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.","format":"date-time","example":"2016-01-01T01:01:01Z"},"end_time":{"type":"string","description":"If the observation was made over a period of time, than this field indicates the end of that period.","format":"date-time","example":"2016-01-01T01:01:01Z"}},"additionalProperties":false,"description":"Period of time when a cyber observation is valid. 
`start_time` must come before `end_time` (if specified).","example":{"start_time":"2016-01-01T01:01:01.000Z","end_time":"2016-01-01T01:01:01.000Z"},"$$ref":"#/components/schemas/ObservedTime"},"type":{"type":"string","example":"FileCreateEvent","enum":["FileCreateEvent"]},"file_path":{"type":"string","description":"String with at most 2048 characters.","example":"string"},"process_name":{"type":"string","description":"String with at most 1024 characters.","example":"string"},"process_id":{"type":"integer","format":"int64","example":10},"process_username":{"type":"string","description":"String with at most 1024 characters.","example":"string"},"failed":{"type":"boolean","example":false}},"additionalProperties":false,"example":{"file_name":"string","process_guid":10,"time":{"start_time":"2016-01-01T01:01:01.000Z","end_time":"2016-01-01T01:01:01.000Z"},"type":"FileCreateEvent","file_path":"string","process_name":"string","process_id":10,"process_username":"string","failed":false},"$$ref":"#/components/schemas/FileCreateType"}},"registry_create_events":{"type":"array","description":"a list of `RegistryCreateType`","example":[{"time":{"start_time":"2016-01-01T01:01:01.000Z","end_time":"2016-01-01T01:01:01.000Z"},"process_id":10,"process_name":"string","process_guid":10,"process_username":"string","registry_key":"string","type":"RegistryCreateEvent"}],"items":{"required":["process_id","process_name","registry_key","time","type"],"type":"object","properties":{"time":{"required":["start_time"],"type":"object","properties":{"start_time":{"type":"string","description":"Time of the observation. 
If the observation was made over a period of time, than this field indicates the start of that period.","format":"date-time","example":"2016-01-01T01:01:01Z"},"end_time":{"type":"string","description":"If the observation was made over a period of time, than this field indicates the end of that period.","format":"date-time","example":"2016-01-01T01:01:01Z"}},"additionalProperties":false,"description":"Period of time when a cyber observation is valid. `start_time` must come before `end_time` (if specified).","example":{"start_time":"2016-01-01T01:01:01.000Z","end_time":"2016-01-01T01:01:01.000Z"},"$$ref":"#/components/schemas/ObservedTime"},"process_id":{"type":"integer","format":"int64","example":10},"process_name":{"type":"string","description":"String with at most 1024 characters.","example":"string"},"process_guid":{"type":"integer","format":"int64","example":10},"process_username":{"type":"string","description":"String with at most 1024 characters.","example":"string"},"registry_key":{"type":"string","description":"String with at most 1024 characters.","example":"string"},"type":{"type":"string","example":"RegistryCreateEvent","enum":["RegistryCreateEvent"]}},"additionalProperties":false,"example":{"time":{"start_time":"2016-01-01T01:01:01.000Z","end_time":"2016-01-01T01:01:01.000Z"},"process_id":10,"process_name":"string","process_guid":10,"process_username":"string","registry_key":"string","type":"RegistryCreateEvent"},"$$ref":"#/components/schemas/RegistryCreateType"}},"library_load_events":{"type":"array","description":"a list of 
`LibraryLoadType`","example":[{"time":{"start_time":"2016-01-01T01:01:01.000Z","end_time":"2016-01-01T01:01:01.000Z"},"process_id":10,"process_name":"string","process_guid":10,"process_username":"string","type":"LibraryLoadEvent","dll_library_name":"string","dll_library_path":"string"}],"items":{"required":["dll_library_name","dll_library_path","process_id","process_name","time","type"],"type":"object","properties":{"time":{"required":["start_time"],"type":"object","properties":{"start_time":{"type":"string","description":"Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.","format":"date-time","example":"2016-01-01T01:01:01Z"},"end_time":{"type":"string","description":"If the observation was made over a period of time, than this field indicates the end of that period.","format":"date-time","example":"2016-01-01T01:01:01Z"}},"additionalProperties":false,"description":"Period of time when a cyber observation is valid. 
`start_time` must come before `end_time` (if specified).","example":{"start_time":"2016-01-01T01:01:01.000Z","end_time":"2016-01-01T01:01:01.000Z"},"$$ref":"#/components/schemas/ObservedTime"},"process_id":{"type":"integer","format":"int64","example":10},"process_name":{"type":"string","description":"String with at most 1024 characters.","example":"string"},"process_guid":{"type":"integer","format":"int64","example":10},"process_username":{"type":"string","description":"String with at most 1024 characters.","example":"string"},"type":{"type":"string","example":"LibraryLoadEvent","enum":["LibraryLoadEvent"]},"dll_library_name":{"type":"string","description":"String with at most 1024 characters.","example":"string"},"dll_library_path":{"type":"string","description":"String with at most 2048 characters.","example":"string"}},"additionalProperties":false,"example":{"time":{"start_time":"2016-01-01T01:01:01.000Z","end_time":"2016-01-01T01:01:01.000Z"},"process_id":10,"process_name":"string","process_guid":10,"process_username":"string","type":"LibraryLoadEvent","dll_library_name":"string","dll_library_path":"string"},"$$ref":"#/components/schemas/LibraryLoadType"}},"file_move_events":{"type":"array","description":"a list of `FileMoveType`","example":[{"file_name":"string","process_guid":10,"time":{"start_time":"2016-01-01T01:01:01.000Z","end_time":"2016-01-01T01:01:01.000Z"},"type":"FileMoveEvent","old_name":"string","file_path":"string","process_name":"string","process_id":10,"process_username":"string","new_name":"string"}],"items":{"required":["file_name","file_path","new_name","old_name","process_id","process_name","time","type"],"type":"object","properties":{"file_name":{"type":"string","description":"String with at most 1024 characters.","example":"string"},"process_guid":{"type":"integer","format":"int64","example":10},"time":{"required":["start_time"],"type":"object","properties":{"start_time":{"type":"string","description":"Time of the observation. 
If the observation was made over a period of time, than this field indicates the start of that period.","format":"date-time","example":"2016-01-01T01:01:01Z"},"end_time":{"type":"string","description":"If the observation was made over a period of time, than this field indicates the end of that period.","format":"date-time","example":"2016-01-01T01:01:01Z"}},"additionalProperties":false,"description":"Period of time when a cyber observation is valid. `start_time` must come before `end_time` (if specified).","example":{"start_time":"2016-01-01T01:01:01.000Z","end_time":"2016-01-01T01:01:01.000Z"},"$$ref":"#/components/schemas/ObservedTime"},"type":{"type":"string","example":"FileMoveEvent","enum":["FileMoveEvent"]},"old_name":{"type":"string","description":"String with at most 1024 characters.","example":"string"},"file_path":{"type":"string","description":"String with at most 2048 characters.","example":"string"},"process_name":{"type":"string","description":"String with at most 1024 characters.","example":"string"},"process_id":{"type":"integer","format":"int64","example":10},"process_username":{"type":"string","description":"String with at most 1024 characters.","example":"string"},"new_name":{"type":"string","description":"String with at most 1024 characters.","example":"string"}},"additionalProperties":false,"example":{"file_name":"string","process_guid":10,"time":{"start_time":"2016-01-01T01:01:01.000Z","end_time":"2016-01-01T01:01:01.000Z"},"type":"FileMoveEvent","old_name":"string","file_path":"string","process_name":"string","process_id":10,"process_username":"string","new_name":"string"},"$$ref":"#/components/schemas/FileMoveType"}},"file_delete_events":{"type":"array","description":"a list of 
`FileDeleteType`","example":[{"file_name":"string","process_guid":10,"time":{"start_time":"2016-01-01T01:01:01.000Z","end_time":"2016-01-01T01:01:01.000Z"},"type":"FileDeleteEvent","file_path":"string","process_name":"string","process_id":10,"process_username":"string","failed":false}],"items":{"required":["file_name","file_path","process_id","process_name","time","type"],"type":"object","properties":{"file_name":{"type":"string","description":"String with at most 1024 characters.","example":"string"},"process_guid":{"type":"integer","format":"int64","example":10},"time":{"required":["start_time"],"type":"object","properties":{"start_time":{"type":"string","description":"Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.","format":"date-time","example":"2016-01-01T01:01:01Z"},"end_time":{"type":"string","description":"If the observation was made over a period of time, than this field indicates the end of that period.","format":"date-time","example":"2016-01-01T01:01:01Z"}},"additionalProperties":false,"description":"Period of time when a cyber observation is valid. 
`start_time` must come before `end_time` (if specified).","example":{"start_time":"2016-01-01T01:01:01.000Z","end_time":"2016-01-01T01:01:01.000Z"},"$$ref":"#/components/schemas/ObservedTime"},"type":{"type":"string","example":"FileDeleteEvent","enum":["FileDeleteEvent"]},"file_path":{"type":"string","description":"String with at most 2048 characters.","example":"string"},"process_name":{"type":"string","description":"String with at most 1024 characters.","example":"string"},"process_id":{"type":"integer","format":"int64","example":10},"process_username":{"type":"string","description":"String with at most 1024 characters.","example":"string"},"failed":{"type":"boolean","example":false}},"additionalProperties":false,"example":{"file_name":"string","process_guid":10,"time":{"start_time":"2016-01-01T01:01:01.000Z","end_time":"2016-01-01T01:01:01.000Z"},"type":"FileDeleteEvent","file_path":"string","process_name":"string","process_id":10,"process_username":"string","failed":false},"$$ref":"#/components/schemas/FileDeleteType"}},"netflow_events":{"type":"array","description":"a list of 
`NetflowType`","example":[{"parent_process_name":"string","byte_count_in":10,"process_guid":10,"process_path":"string","traffic":{"destination_host_name":"string","protocol":10,"source_ip":"string","destination_subnet":"string","destination_ip":"string","source_subnet":"string","destination_port":10,"direction":"incoming","source_port":10},"flow_time":"2016-01-01T01:01:01.000Z","time":{"start_time":"2016-01-01T01:01:01.000Z","end_time":"2016-01-01T01:01:01.000Z"},"parent_process_account":"string","type":"NetflowEvent","process_account_type":"string","parent_process_path":"string","parent_process_id":10,"parent_process_args":"string","process_name":"string","process_account":"string","parent_process_account_type":"string","process_hash":"string","process_id":10,"parent_process_hash":"string","process_username":"string","byte_count_out":10,"process_args":"string"}],"items":{"required":["process_id","process_name","time","traffic","type"],"type":"object","properties":{"parent_process_name":{"type":"string","description":"String with at most 1024 characters.","example":"string"},"byte_count_in":{"type":"integer","format":"int64","example":10},"process_guid":{"type":"integer","format":"int64","example":10},"process_path":{"type":"string","description":"String with at most 1024 characters.","example":"string"},"traffic":{"required":["destination_ip","destination_port","direction","protocol","source_ip","source_port"],"type":"object","properties":{"destination_host_name":{"type":"string","example":"string"},"protocol":{"type":"integer","description":"The IP [protocol 
id](https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml)","format":"int64","example":10},"source_ip":{"type":"string","example":"string"},"destination_subnet":{"type":"string","example":"string"},"destination_ip":{"type":"string","example":"string"},"source_subnet":{"type":"string","example":"string"},"destination_port":{"type":"integer","format":"int64","example":10},"direction":{"type":"string","example":"incoming","enum":["incoming","outgoing"]},"source_port":{"type":"integer","format":"int64","example":10}},"additionalProperties":false,"example":{"destination_host_name":"string","protocol":10,"source_ip":"string","destination_subnet":"string","destination_ip":"string","source_subnet":"string","destination_port":10,"direction":"incoming","source_port":10},"$$ref":"#/components/schemas/Traffic"},"flow_time":{"type":"string","description":"Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the [ISO8601](https://en.wikipedia.org/wiki/ISO_8601) standard.","format":"date-time","example":"2016-01-01T01:01:01Z"},"time":{"required":["start_time"],"type":"object","properties":{"start_time":{"type":"string","description":"Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.","format":"date-time","example":"2016-01-01T01:01:01Z"},"end_time":{"type":"string","description":"If the observation was made over a period of time, than this field indicates the end of that period.","format":"date-time","example":"2016-01-01T01:01:01Z"}},"additionalProperties":false,"description":"Period of time when a cyber observation is valid. 
`start_time` must come before `end_time` (if specified).","example":{"start_time":"2016-01-01T01:01:01.000Z","end_time":"2016-01-01T01:01:01.000Z"},"$$ref":"#/components/schemas/ObservedTime"},"parent_process_account":{"type":"string","description":"String with at most 1024 characters.","example":"string"},"type":{"type":"string","example":"NetflowEvent","enum":["NetflowEvent"]},"process_account_type":{"type":"string","description":"String with at most 1024 characters.","example":"string"},"parent_process_path":{"type":"string","description":"String with at most 1024 characters.","example":"string"},"parent_process_id":{"type":"integer","format":"int64","example":10},"parent_process_args":{"type":"string","description":"String with at most 1024 characters.","example":"string"},"process_name":{"type":"string","description":"String with at most 1024 characters.","example":"string"},"process_account":{"type":"string","description":"String with at most 1024 characters.","example":"string"},"parent_process_account_type":{"type":"string","description":"String with at most 1024 characters.","example":"string"},"process_hash":{"type":"string","description":"String with at most 1024 characters.","example":"string"},"process_id":{"type":"integer","format":"int64","example":10},"parent_process_hash":{"type":"string","description":"String with at most 1024 characters.","example":"string"},"process_username":{"type":"string","description":"String with at most 1024 characters.","example":"string"},"byte_count_out":{"type":"integer","format":"int64","example":10},"process_args":{"type":"string","description":"String with at most 1024 
characters.","example":"string"}},"additionalProperties":false,"example":{"parent_process_name":"string","byte_count_in":10,"process_guid":10,"process_path":"string","traffic":{"destination_host_name":"string","protocol":10,"source_ip":"string","destination_subnet":"string","destination_ip":"string","source_subnet":"string","destination_port":10,"direction":"incoming","source_port":10},"flow_time":"2016-01-01T01:01:01.000Z","time":{"start_time":"2016-01-01T01:01:01.000Z","end_time":"2016-01-01T01:01:01.000Z"},"parent_process_account":"string","type":"NetflowEvent","process_account_type":"string","parent_process_path":"string","parent_process_id":10,"parent_process_args":"string","process_name":"string","process_account":"string","parent_process_account_type":"string","process_hash":"string","process_id":10,"parent_process_hash":"string","process_username":"string","byte_count_out":10,"process_args":"string"},"$$ref":"#/components/schemas/NetflowType"}},"registry_rename_events":{"type":"array","description":"a list of `RegistryRenameType`","example":[{"time":{"start_time":"2016-01-01T01:01:01.000Z","end_time":"2016-01-01T01:01:01.000Z"},"process_id":10,"process_name":"string","process_guid":10,"process_username":"string","registry_key":"string","type":"RegistryRenameEvent","registry_old_key":"string"}],"items":{"required":["process_id","process_name","registry_key","registry_old_key","time","type"],"type":"object","properties":{"time":{"required":["start_time"],"type":"object","properties":{"start_time":{"type":"string","description":"Time of the observation. 
If the observation was made over a period of time, then this field indicates the start of that period.","format":"date-time","example":"2016-01-01T01:01:01Z"},"end_time":{"type":"string","description":"If the observation was made over a period of time, then this field indicates the end of that period.","format":"date-time","example":"2016-01-01T01:01:01Z"}},"additionalProperties":false,"description":"Period of time when a cyber observation is valid. `start_time` must come before `end_time` (if specified).","example":{"start_time":"2016-01-01T01:01:01.000Z","end_time":"2016-01-01T01:01:01.000Z"},"$$ref":"#/components/schemas/ObservedTime"},"process_id":{"type":"integer","format":"int64","example":10},"process_name":{"type":"string","description":"String with at most 1024 characters.","example":"string"},"process_guid":{"type":"integer","format":"int64","example":10},"process_username":{"type":"string","description":"String with at most 1024 characters.","example":"string"},"registry_key":{"type":"string","description":"String with at most 1024 characters.","example":"string"},"type":{"type":"string","example":"RegistryRenameEvent","enum":["RegistryRenameEvent"]},"registry_old_key":{"type":"string","description":"String with at most 1024 characters.","example":"string"}},"additionalProperties":false,"example":{"time":{"start_time":"2016-01-01T01:01:01.000Z","end_time":"2016-01-01T01:01:01.000Z"},"process_id":10,"process_name":"string","process_guid":10,"process_username":"string","registry_key":"string","type":"RegistryRenameEvent","registry_old_key":"string"},"$$ref":"#/components/schemas/RegistryRenameType"}}},"additionalProperties":false,"description":"Context including the event type that best fits the type of the 
sighting.","example":{"http_events":[{"process_guid":10,"traffic":{"destination_host_name":"string","protocol":10,"source_ip":"string","destination_subnet":"string","destination_ip":"string","source_subnet":"string","destination_port":10,"direction":"incoming","source_port":10},"method":"CONNECT","time":{"start_time":"2016-01-01T01:01:01.000Z","end_time":"2016-01-01T01:01:01.000Z"},"type":"HTTPEvent","host":"string","process_name":"string","process_id":10,"process_username":"string","query":"string","encrypted":true,"url_port":10}],"process_create_events":[{"parent_process_name":"string","process_guid":10,"parent_process_guid":10,"process_disposition":"string","parent_process_size":10,"process_size":10,"time":{"start_time":"2016-01-01T01:01:01.000Z","end_time":"2016-01-01T01:01:01.000Z"},"parent_process_disposition":"string","type":"ProcessCreateEvent","parent_process_username":"string","parent_process_id":10,"parent_process_args":"string","process_name":"string","process_hash":"string","process_id":10,"parent_process_hash":"string","process_username":"string","parent_creation_time":"2016-01-01T01:01:01.000Z","process_args":"string"}],"registry_delete_events":[{"time":{"start_time":"2016-01-01T01:01:01.000Z","end_time":"2016-01-01T01:01:01.000Z"},"process_id":10,"process_name":"string","process_guid":10,"process_username":"string","registry_key":"string","type":"RegistryDeleteEvent","registry_value":"string"}],"file_modify_events":[{"file_name":"string","process_guid":10,"time":{"start_time":"2016-01-01T01:01:01.000Z","end_time":"2016-01-01T01:01:01.000Z"},"type":"FileModifyEvent","file_path":"string","process_name":"string","process_id":10,"process_username":"string","failed":false}],"registry_set_events":[{"process_guid":10,"registry_data":"string","time":{"start_time":"2016-01-01T01:01:01.000Z","end_time":"2016-01-01T01:01:01.000Z"},"type":"RegistrySetEvent","registry_data_length":10,"registry_value":"string","registry_key":"string","process_name":"string","proce
ss_id":10,"process_username":"string"}],"file_create_events":[{"file_name":"string","process_guid":10,"time":{"start_time":"2016-01-01T01:01:01.000Z","end_time":"2016-01-01T01:01:01.000Z"},"type":"FileCreateEvent","file_path":"string","process_name":"string","process_id":10,"process_username":"string","failed":false}],"registry_create_events":[{"time":{"start_time":"2016-01-01T01:01:01.000Z","end_time":"2016-01-01T01:01:01.000Z"},"process_id":10,"process_name":"string","process_guid":10,"process_username":"string","registry_key":"string","type":"RegistryCreateEvent"}],"library_load_events":[{"time":{"start_time":"2016-01-01T01:01:01.000Z","end_time":"2016-01-01T01:01:01.000Z"},"process_id":10,"process_name":"string","process_guid":10,"process_username":"string","type":"LibraryLoadEvent","dll_library_name":"string","dll_library_path":"string"}],"file_move_events":[{"file_name":"string","process_guid":10,"time":{"start_time":"2016-01-01T01:01:01.000Z","end_time":"2016-01-01T01:01:01.000Z"},"type":"FileMoveEvent","old_name":"string","file_path":"string","process_name":"string","process_id":10,"process_username":"string","new_name":"string"}],"file_delete_events":[{"file_name":"string","process_guid":10,"time":{"start_time":"2016-01-01T01:01:01.000Z","end_time":"2016-01-01T01:01:01.000Z"},"type":"FileDeleteEvent","file_path":"string","process_name":"string","process_id":10,"process_username":"string","failed":false}],"netflow_events":[{"parent_process_name":"string","byte_count_in":10,"process_guid":10,"process_path":"string","traffic":{"destination_host_name":"string","protocol":10,"source_ip":"string","destination_subnet":"string","destination_ip":"string","source_subnet":"string","destination_port":10,"direction":"incoming","source_port":10},"flow_time":"2016-01-01T01:01:01.000Z","time":{"start_time":"2016-01-01T01:01:01.000Z","end_time":"2016-01-01T01:01:01.000Z"},"parent_process_account":"string","type":"NetflowEvent","process_account_type":"string","parent_process
_path":"string","parent_process_id":10,"parent_process_args":"string","process_name":"string","process_account":"string","parent_process_account_type":"string","process_hash":"string","process_id":10,"parent_process_hash":"string","process_username":"string","byte_count_out":10,"process_args":"string"}],"registry_rename_events":[{"time":{"start_time":"2016-01-01T01:01:01.000Z","end_time":"2016-01-01T01:01:01.000Z"},"process_id":10,"process_name":"string","process_guid":10,"process_username":"string","registry_key":"string","type":"RegistryRenameEvent","registry_old_key":"string"}]},"$$ref":"#/components/schemas/Context","title":"Context"}}