{"type":"api","title":"Get Activity Intrusion","meta":{"id":"/apps/pubhub/media/cloud-security-apis-in-eft/9d37d008417d562ab46d4b67547a68457ce288d2/cba65c33-1da3-3556-a885-2c67eb61196b","info":{"title":"Cisco Umbrella Reporting API","description":"The Reporting API provides the data to generate the Umbrella reports.","version":"2.0.0","contact":{"name":"Cloud Security Developer Community"}},"security":[{"oauthFlow":[]}],"tags":[{"name":"Activity"},{"name":"Top Identities"},{"name":"Identity Distribution"},{"name":"Top Destinations"},{"name":"Top Categories"},{"name":"Top Event Types"},{"name":"Top DNS Query Types"},{"name":"Organization Requests by Hour"},{"name":"Organization Requests by Timerange"},{"name":"Organization Requests by Hour and Category"},{"name":"Organization Requests by Timerange and Category"},{"name":"Deployment Status"},{"name":"Provider Deployment Status"},{"name":"Provider Requests by Hour"},{"name":"Provider Requests by Timerange"},{"name":"Provider Requests by Organization"},{"name":"Provider Requests by Category"},{"name":"Provider Requests by Destination"},{"name":"Provider Category Requests by Organization"},{"name":"Bandwidth by Hour"},{"name":"Bandwidth by Timerange"},{"name":"Top Files"},{"name":"Total Requests"},{"name":"Top Threats"},{"name":"Top Threat Types"},{"name":"Utility"},{"name":"Top IPs"},{"name":"Summary"},{"name":"Summaries by Category"},{"name":"Summaries by Destination"},{"name":"Summaries by Rule (Intrusion)"},{"name":"Umbrella"}],"x-parser-conf":{"overview":{"markdownPath":"reference/reports/reporting-overview.md","uri":"umbrella-api-reference-reporting-overview"}},"openapi":"3.0.1","servers":[{"url":"https://api.umbrella.com/{basePath}","variables":{"basePath":{"default":"reports/v2"}}}],"securitySchemes":{"oauthFlow":{"type":"oauth2","description":"client credential flow","flows":{"clientCredentials":{"tokenUrl":"https://api.umbrella.com/auth/v2/token","scopes":{"reports.granularEvents:read":"Read reports granular 
events","reports.utilities:read":"Read reports utilities","reports.aggregations:read":"Read reports aggregations","reports.summariesByRule:read":"Read reports for the summaries of the rule","reports.customers:read":"Read reports for the customers"}}}}}},"spec":{"tags":["Activity","Umbrella"],"summary":"Get Activity Intrusion","description":"List all Intrusion Prevention System (IPS) activity within the timeframe.\n\n**Access Scope:** Reports \u003e Granular Events \u003e Read-Only","operationId":"getActivityIntrusion","security":[{"oauthFlow":["reports.granularEvents:read"]}],"parameters":[{"name":"from","in":"query","description":"A timestamp or relative time string (for example: '-1days').\nFilter for data that appears after this time.","required":true,"schema":{"type":"string"},"example":"1639146300000","$$ref":"#/components/parameters/fromParam"},{"name":"to","in":"query","description":"A timestamp or relative time string (for example: 'now').\nFilter for data that appears before this time.","required":true,"schema":{"type":"string"},"example":"1640010300000","$$ref":"#/components/parameters/toParam"},{"name":"offset","in":"query","description":"A number that represents an index in the collection.","schema":{"type":"number","default":0},"example":0,"$$ref":"#/components/parameters/offsetParam"},{"name":"limit","in":"query","description":"The maximum number of records to return from the collection.","required":true,"schema":{"type":"number","default":100},"example":100,"$$ref":"#/components/parameters/limitParam"},{"name":"identityids","in":"query","description":"An identity ID or comma-delimited list of identity IDs.","schema":{"type":"string"},"example":"1,2,3","$$ref":"#/components/parameters/identityIdsParam"},{"name":"signatures","in":"query","description":"The signature or comma-separated list of \u003csignatureid\u003e-\u003cgeneratorid\u003e 
signatures.","schema":{"type":"string"},"example":"1-2,1-4","$$ref":"#/components/parameters/signaturesParam"},{"name":"signaturelistids","in":"query","description":"A signature list ID or comma-separated list of signature list IDs.","schema":{"type":"string"},"example":"1,2","$$ref":"#/components/parameters/signatureListIdsParam"},{"name":"intrusionaction","in":"query","description":"An intrusion action or comma-separated list of intrusion actions. Valid values are: `would_block`, `blocked`, and `detected`.","schema":{"type":"string"},"example":"detected,would_block","$$ref":"#/components/parameters/intrusionActionParam"},{"name":"ip","in":"query","description":"An IP address.","schema":{"type":"string"},"example":"10.10.10.10","$$ref":"#/components/parameters/ipParam"},{"name":"ports","in":"query","description":"A port number or comma-delimited list of port numbers.","schema":{"type":"string"},"example":"7351,80","$$ref":"#/components/parameters/portsParam"},{"name":"filternoisydomains","in":"query","description":"Filter out domains that generate a lot of insignificant traffic (noise).","schema":{"type":"boolean"},"example":true,"$$ref":"#/components/parameters/filterNoisyDomainsParam"},{"name":"timezone","in":"query","description":"Display the timestamp of the traffic events in the specified timezone.\nFor the timezone, provide a continent and city separated by a URL-encoded forward slash ('/'), for example: timezone='ASIA%2fCALCUTTA'.","schema":{"type":"string"},"example":"ASIA%2fCALCUTTA","$$ref":"#/components/parameters/timezoneParam"}],"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"type":"object","properties":{"data":{"type":"array","items":{"type":"object","description":"The information about the intrusion activity.","properties":{"classification":{"type":"string","description":"The category of attack detected by a rule that is part of a more general type of attack class, such as trojan-activity, attempted-user, and 
unknown.","example":"trojan-activity","$$ref":"#/components/schemas/Classification"},"date":{"type":"string","description":"The date from the timestamp based on the timezone parameter.","example":"2020-07-12","$$ref":"#/components/schemas/Date"},"destinationip":{"type":"string","description":"The destination IP for the entry.","example":"12.10.10.10","$$ref":"#/components/schemas/DestinationIp"},"destinationport":{"type":"number","description":"The destination port for the entry.","example":89,"$$ref":"#/components/schemas/DestinationPort"},"identities":{"type":"array","description":"The list of identities for the entry.","items":{"type":"object","description":"The information about the identity.","properties":{"id":{"type":"number","description":"The ID of the identity."},"label":{"type":"string","description":"The descriptive label for the identity."},"type":{"type":"object","description":"The information about the identity including the type.","properties":{"id":{"type":"number","description":"The ID of the origin type for the identity."},"label":{"type":"string","description":"The label of the origin type for the identity."},"type":{"type":"string","description":"The name of the origin type for the identity."}},"$$ref":"#/components/schemas/IdentityType"},"deleted":{"type":"boolean","description":"Indicates whether the identity was deleted.","example":true}},"required":["id","label","type","deleted"],"example":{"id":1,"label":"Catch Rate Testing System","type":{"id":21,"label":"Sites","type":"site"},"deleted":false},"$$ref":"#/components/schemas/Identity"},"$$ref":"#/components/schemas/identities"},"protocol":{"type":"object","description":"The properties of the protocol.","properties":{"id":{"type":"number","description":"The ID of the protocol."},"label":{"type":"string","description":"The name of the protocol."}},"required":["id","label"],"$$ref":"#/components/schemas/Protocol"},"sessionid":{"type":"number","description":"The unique identifier of a session, which is 
used to group the correlated events between various services.","example":7878797,"$$ref":"#/components/schemas/SessionId"},"severity":{"type":"string","description":"The severity level of the rule.","enum":["HIGH","MEDIUM","LOW","VERY LOW"],"example":"HIGH","$$ref":"#/components/schemas/Severity"},"signature":{"type":"object","description":"The properties of the signature.","properties":{"generatorid":{"type":"number","description":"The unique ID that is assigned to the part of the IPS that generated the event."},"id":{"type":"number","description":"The ID that is used to uniquely identify signatures."},"label":{"type":"string","description":"A descriptive label for the signature."},"cves":{"type":"array","description":"The list of common vulnerabilities and exposures (CVEs).","items":{"type":"string","description":"An identifier for a known security vulnerability/exposure.","example":"cve-2015-0279","$$ref":"#/components/schemas/CVE"}}},"required":["generatorid","id","label","cves"],"example":{"generatorid":148,"id":2,"label":"(cip) CIP data is non-conforming to ODVA standard","cves":["cve-2015-0279"]},"$$ref":"#/components/schemas/Signature"},"signaturelist":{"type":"object","description":"The properties of the signature list.","properties":{"id":{"type":"number","description":"The unique ID assigned to a default or custom signature list."}},"required":["id"],"example":{"id":1112},"$$ref":"#/components/schemas/SignatureList"},"sourceip":{"type":"string","description":"The source IP for the entry.","example":"10.11.10.10","$$ref":"#/components/schemas/SourceIp"},"sourceport":{"type":"number","description":"The source port for the entry.","example":3000,"$$ref":"#/components/schemas/SourcePort"},"time":{"type":"string","description":"The time in 24-hour format based on the timezone parameter.","example":"12:34","$$ref":"#/components/schemas/Time"},"timestamp":{"type":"number","description":"The timestamp represented in 
milliseconds.","example":1594557263000,"$$ref":"#/components/schemas/Timestamp"},"type":{"type":"string","description":"The type of the request. An intrusion request always has type intrusion.","example":"intrusion"},"verdict":{"type":"string","description":"The verdict for the entry.","enum":["detected"],"example":"detected","$$ref":"#/components/schemas/verdictDetected"}},"required":["classification","date","destinationip","destinationport","identities","protocol","sessionid","severity","signature","signaturelist","sourceip","sourceport","time","timestamp","type","verdict"],"example":{"type":"intrusion","date":"12-02-22","destinationip":"10.10.10.10","protocol":{"id":17,"label":"UDP"},"sourceip":"10.10.10.10","signaturelist":{"id":1111},"classification":"malicious","sourceport":22,"sessionid":190898098,"verdict":"detected","destinationport":33,"timestamp":1594557262000,"time":"09:30","identities":[{"id":211034846,"type":{"id":34,"type":"anyconnect","label":"Anyconnect Roaming Client"},"label":"omerta","deleted":false}],"severity":"HIGH","signature":{"generatorid":1,"id":47829,"label":"SERVER-OTHER JBoss Richfaces expression language injection attempt","cves":["cve-2015-0279","cve-2018-12532"]}},"$$ref":"#/components/schemas/ActivityIntrusion"}},"meta":{"type":"object","description":"The properties of the metadata.","example":{},"$$ref":"#/components/schemas/Meta"}},"required":["data","meta"]},"example":{"data":[{"type":"intrusion","date":"12-02-22","destinationip":"10.10.10.10","protocol":{"id":17,"label":"UDP"},"sourceip":"10.10.10.10","signaturelist":{"id":1111},"classification":"malicious","rule":[{"id":391327,"label":"UNKNOWN"}],"ipsProfile":"PROFILE","sourceport":22,"sessionid":190898098,"verdict":"detected","destinationport":33,"timestamp":1594557262000,"time":"09:30","identities":[{"id":211034846,"type":{"id":34,"type":"anyconnect","label":"Anyconnect Roaming 
Client"},"label":"omerta","deleted":false}],"severity":"HIGH","signature":{"generatorid":1,"id":47829,"label":"SERVER-OTHER JBoss Richfaces expression language injection attempt","cves":["cve-2015-0279","cve-2018-12532"]}}],"meta":{}}}}},"400":{"description":"Bad Request","content":{"application/json":{"schema":{"type":"object","properties":{"message":{"type":"string"}},"example":{"message":"Bad Request"}}}},"$$ref":"#/components/responses/400Error"},"401":{"description":"Unauthorized","content":{"application/json":{"schema":{"type":"object","properties":{"message":{"type":"string"}},"example":{"message":"Unauthorized"}}}},"$$ref":"#/components/responses/401Error"},"403":{"description":"Forbidden","content":{"application/json":{"schema":{"type":"object","properties":{"message":{"type":"string"}},"example":{"message":"Forbidden"}}}},"$$ref":"#/components/responses/403Error"},"404":{"description":"Not Found","content":{"application/json":{"schema":{"type":"object","properties":{"message":{"type":"string"}},"example":{"message":"Not Found"}}}},"$$ref":"#/components/responses/404Error"},"500":{"description":"Internal Server Error","content":{"application/json":{"schema":{"type":"object","properties":{"message":{"type":"string"}},"example":{"message":"Internal Server Error"}}}},"$$ref":"#/components/responses/500Error"}},"__originalOperationId":"getActivityIntrusion","method":"get","path":"/activity/intrusion"}}