{"swagger":"2.0","info":{"description":"Swagger Specifications for public APIs","version":"beta","title":"Sophos Public API","termsOfService":"https://www.sophos.com/en-us/legal/sophos-end-user-license-agreement.aspx","contact":{"name":"Sophos-public-api-handler","url":"https://cloud.sophos.com/","email":"support@sophos.com"},"license":{"name":"Sophos Central License","url":"https://www.sophos.com/en-us/legal/sophos-professional-services.aspx"}},"basePath":"/gateway","tags":[{"name":"alert-controller-v-1-impl","description":"Retrieve alerts for a given customer"},{"name":"event-controller-v-1-impl","description":"Retrieve events for a given customer"}],"definitions":{"AlertAggregate":{"type":"object","required":["has_more","items"],"properties":{"has_more":{"type":"boolean"},"items":{"type":"array","items":{"$ref":"#/definitions/AlertEntity"}},"next_cursor":{"type":"string","description":"Value of the next cursor. This will be used to make next call of api"}},"title":"AlertAggregate","description":"Sophos Central Alert Model"},"AlertEntity":{"type":"object","properties":{"actionable":{"type":"boolean","description":"The Event Services actionable"},"allowedActions":{"type":"array","uniqueItems":true,"items":{"type":"string"}},"category":{"type":"string","description":"The category of the product from which this alert originated"},"created_at":{"type":"string","description":"The date at which the alert was created"},"customer_id":{"type":"string","format":"uuid","description":"The unique identifier of the customer linked with this record"},"data":{"type":"object","additionalProperties":{"type":"object"}},"description":{"type":"string","description":"The description of the alert that was generated"},"event_service_event_id":{"type":"string","format":"uuid","description":"The Event Services event id"},"id":{"type":"string","format":"uuid","description":"Identifier for the 
alert"},"info":{"type":"object","additionalProperties":{"type":"object"}},"javaUUID":{"type":"string","format":"uuid"},"location":{"type":"string","description":"The location captured for this record"},"product":{"type":"string","description":"The product from which this alert originated"},"severity":{"type":"string","description":"The severity for this alert","enum":["HIGH","LOW","MEDIUM"]},"source":{"type":"string","description":"Describes the source from which the alert was generated"},"threat":{"type":"string","description":"The name of the threat responsible for generating the alert"},"threat_cleanable":{"type":"boolean"},"type":{"type":"string","description":"Describes the type of the device on which the alert was generated"},"when":{"type":"string","description":"The date at which the alert was created"}},"title":"AlertEntity","description":"This model wraps up an Alert. This contains various fields that contain information regarding the alert that was generated."},"AmsiThreatData":{"type":"object","properties":{"parentProcessId":{"type":"string"},"parentProcessPath":{"type":"string"},"processId":{"type":"string"},"processName":{"type":"string"},"processPath":{"type":"string"}},"title":"AmsiThreatData"},"CoreRemedyItem":{"type":"object","properties":{"descriptor":{"type":"string"},"processPath":{"type":"string"},"result":{"type":"string","enum":["DELETED","FAILED_TO_DELETE","FAILED_TO_DELETE_SYSTEM_PROTECTED","NOT_APPLICABLE","NOT_FOUND","OTHER_ERROR","SUCCESS","WHITELISTED"]},"sophosPid":{"type":"string"},"suspendResult":{"type":"string","enum":["NOT_APPLICABLE","OTHER_ERROR","PROTECTED","SUCCESS","SUSPEND_FAILED"]},"type":{"type":"string"}},"title":"CoreRemedyItem"},"CoreRemedyItems":{"type":"object","properties":{"items":{"type":"array","items":{"$ref":"#/definitions/CoreRemedyItem"}},"totalItems":{"type":"integer","format":"int32"}},"title":"CoreRemedyItems"},"EndpointCoreEventCertificate":{"type":"object","properties":{"signer":{"type":"string"},"thumbprint":{"type
":"string"}},"title":"EndpointCoreEventCertificate"},"EndpointWhitelistProperties":{"type":"object","properties":{"property":{"type":"string"},"type":{"type":"string","enum":["CERTIFICATE_SIGNER","DETECTION_KEY","MITIGATION","PATH","POSIX_PATH","PROCESS_NAME","SHA_256","THUMBPRINT"]}},"title":"EndpointWhitelistProperties"},"EventAggregate":{"type":"object","required":["has_more","items"],"properties":{"has_more":{"type":"boolean"},"items":{"type":"array","items":{"$ref":"#/definitions/LegacyEventEntity"}},"next_cursor":{"type":"string","description":"Value of the next cursor. This will be used to make next call of api"}},"title":"EventAggregate","description":"Sophos Central Event Model"},"EventDetailProperty":{"type":"object","properties":{"property":{"type":"string"},"type":{"type":"string","enum":["AMSI_PARENT_PROCESS_ID","AMSI_PARENT_PROCESS_PATH","AMSI_PROCESS_ID","AMSI_PROCESS_NAME","AMSI_PROCESS_PATH","AMSI_THREAT_SUB_TYPE","CORE_APPLICATION_PATH","CORE_APPLICATION_SHA_256","CORE_BEHAVIORAL_DETECTION_NAME","CORE_BEHAVIORAL_DETECTION_REPORT_SOURCE","CORE_BEHAVIORAL_DETECTION_THUMBPRINT","CORE_BEHAVIORAL_PATH","CORE_EVENT_REQUEST_ID","CORE_EVENT_RESPONSE_STATUS","HMPA_EVENT_REPORT","HMPA_EVENT_TYPE","HMPA_PROCESS_PATH","HMPA_PROCESS_PID","HMPA_PROCESS_VERSION","HOME_COOKIES_COUNT","HOME_COOKIES_DOMAINS","HOME_FAMILY_ID","HOME_REMNANT_FAMILY","HOME_REMNANT_NAME","HOME_REMNANT_PATHS","HOME_SCAN_CLEAN","HOME_SCAN_LABEL","HOME_SCAN_REBOOT","HOME_SCAN_STATE","IPS_EXECUTABLE_NAME","IPS_EXECUTABLE_PATH","IPS_EXECUTABLE_PID","IPS_EXECUTABLE_VERSION","IPS_LOCAL_PORT","IPS_RAW_DATA","IPS_REMOTE_IP","IPS_REMOTE_PORT","IPS_TECH_SUPPORT_ID"]}},"title":"EventDetailProperty"},"IpsThreatData":{"type":"object","properties":{"detectionType":{"type":"integer","format":"int32"},"executableName":{"type":"string"},"executablePath":{"type":"string"},"executablePid":{"type":"string"},"executableVersion":{"type":"string"},"localPort":{"type":"string"},"rawData":{"type":"string"},"remot
eIp":{"type":"string"},"remotePort":{"type":"string"},"techSupportId":{"type":"string"}},"title":"IpsThreatData"},"LegacyEventEntity":{"type":"object","properties":{"amsi_threat_data":{"description":"AMSI Threat data associated with the threat, if available","$ref":"#/definitions/AmsiThreatData"},"appCerts":{"type":"array","description":"Certificate info of the application associated with the threat, if available","items":{"$ref":"#/definitions/EndpointCoreEventCertificate"}},"appSha256":{"type":"string","description":"SHA-256 hash of the application associated with the threat, if available"},"core_remedy_items":{"description":"Details of the items cleaned or restored","$ref":"#/definitions/CoreRemedyItems"},"created_at":{"type":"string","description":"The date at which the event was created"},"customer_id":{"type":"string","description":"The identifier of the customer for which record is created"},"details":{"type":"array","items":{"$ref":"#/definitions/EventDetailProperty"}},"endpoint_id":{"type":"string","description":"The corresponding endpoint id associated with the record"},"endpoint_type":{"type":"string","description":"The corresponding endpoint type associated with the record"},"group":{"type":"string","description":"The group associated with the record"},"id":{"type":"string","description":"The Identifier for the event"},"ips_threat_data":{"description":"IPS Threat data associated with the threat, if available","$ref":"#/definitions/IpsThreatData"},"location":{"type":"string","description":"The location captured for this record"},"name":{"type":"string","description":"The name of the record created"},"origin":{"type":"string","description":"The originating component of the detection"},"severity":{"type":"string","description":"The severity for this event","enum":["CRITICAL","HIGH","LOW","MEDIUM","NONE"]},"source":{"type":"string","description":"The source for this record"},"source_info":{"type":"object","description":"Detailed source information for this 
record","additionalProperties":{"type":"string"}},"threat":{"type":"string","description":"The threat associated with the record"},"type":{"type":"string","description":"The type of this record"},"user_id":{"type":"string","description":"The identifier of the user for which record is created"},"when":{"type":"string","description":"The date at which the event was created"},"whitelist_properties":{"type":"array","items":{"$ref":"#/definitions/EndpointWhitelistProperties"}}},"title":"LegacyEventEntity","description":"This model wraps up an Event. This contains various fields that contain information regarding the event that was generated."}},"paths":{"/siem/v1/alerts":{"get":{"tags":["alert-controller-v-1-impl"],"summary":"Get alerts for customer based on the parameters provided","description":"Note: Alerts are retrieved for timestamps within last 24 hours","operationId":"getAlertsUsingGET_1","produces":["application/json"],"parameters":[{"name":"cursor","in":"query","description":"Identifier for next item in the list, this value is available in response as next_cursor. Response will default to last 24 hours if cursor is not within last 24 hours.","required":false,"type":"string"},{"name":"from_date","in":"query","description":"The starting date from which alerts will be retrieved defined as Unix timestamp in UTC. Ignored if cursor is set. 
Must be within the last 24 hours.","required":false,"type":"integer","format":"int64"},{"name":"from_date_offset_minutes","in":"query","description":"Delay the data collection by the given number of minutes","required":false,"type":"integer","format":"int32"},{"name":"limit","in":"query","description":"The maximum number of items to return, default is 200, max is 1000","required":false,"type":"integer","default":200,"maximum":1000,"exclusiveMaximum":false,"minimum":200,"exclusiveMinimum":false,"format":"int32"},{"name":"x-api-key","in":"header","required":true,"type":"string"},{"name":"Authorization","in":"header","required":true,"type":"string"},{"name":"X-Timestamp","in":"header","required":false,"type":"string"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/AlertAggregate"}},"400":{"description":"Bad Request"},"401":{"description":"Customer not authorized to make this API call"},"403":{"description":"Forbidden"},"404":{"description":"Not Found"},"500":{"description":"Internal Server Error"}},"security":[{"api_key":[]}]}},"/siem/v1/events":{"get":{"tags":["event-controller-v-1-impl"],"summary":"Get events for customer based on the parameters provided","description":"Note: Events are retrieved for timestamps within last 24 hours","operationId":"getEventsUsingGET_1","produces":["application/json"],"parameters":[{"name":"cursor","in":"query","description":"Identifier for next item in the list, this value is available in response as next_cursor. Response will default to last 24 hours if cursor is not within last 24 hours.","required":false,"type":"string"},{"name":"exclude_types","in":"query","description":"A string listing the event types to be excluded","required":false,"type":"string"},{"name":"from_date","in":"query","description":"The starting date from which events will be retrieved defined as Unix timestamp in UTC. Ignored if cursor is set. 
Must be within the last 24 hours","required":false,"type":"integer","format":"int64"},{"name":"from_date_offset_minutes","in":"query","description":"Delay the data collection by the given number of minutes","required":false,"type":"integer","format":"int32"},{"name":"limit","in":"query","description":"The maximum number of items to return, default is 200, max is 1000","required":false,"type":"integer","default":200,"maximum":1000,"exclusiveMaximum":false,"minimum":200,"exclusiveMinimum":false,"format":"int32"},{"name":"x-api-key","in":"header","required":true,"type":"string"},{"name":"Authorization","in":"header","required":true,"type":"string"},{"name":"X-Timestamp","in":"header","required":false,"type":"string"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/EventAggregate"}},"400":{"description":"Bad Request"},"401":{"description":"Customer not authorized to make this API call"},"403":{"description":"Forbidden"},"404":{"description":"Not Found"},"500":{"description":"Internal Server Error"}},"security":[{"api_key":[]}]}}},"securityDefinitions":{"api_key":{"type":"apiKey","name":"x-api-key","in":"header"}},"host":"api1.central.sophos.com"}