diff --git a/certified-connectors/IronDefense/Readme.md b/certified-connectors/IronDefense/Readme.md
new file mode 100644
index 0000000000..b9fcc92dc9
--- /dev/null
+++ b/certified-connectors/IronDefense/Readme.md
@@ -0,0 +1,31 @@
+
+## IronDefense Connector
+IronNet provides an external REST API for its flagship product, IronDefense. The
+API allows users to query and modify alerts as well as ingest alert, event, and
+IronDome notifications.
+
+
+
+## Prerequisites
+You will need the following to proceed:
+* The URL where the IronDefense deployment is hosted
+* User login credentials for IronVue with the permissions `Access IronAPI`, `View
+ Alert`, `Edit Alert`, and `Manage Threat Intelligence Rules`
+
+
+## Supported Operations
+The connector supports the following operations:
+* `CommentOnAlert`: Allows a client to comment on any given alert, with the option to send to IronDome (if enrolled).
+* `GetAlertIronDomeInformation`: Allows a client to retrieve community IronDome correlation information for an alert.
+* `GetAlertNotifications`: Allows a client to retrieve alert notifications from IronDefense without pulling duplicate messages that have already been ingested.
+* `GetAlerts`: Allows a client to retrieve IronDefense alerts in an environment. The response can be filtered based on the alert field parameters and limited to a given number of alerts.
+* `GetDomeNotifications`: Allows a client to retrieve dome notifications from IronDefense without pulling duplicate messages that have already been ingested.
+* `GetEvent`: Allows a client to retrieve details for an IronDefense event including the event context.
+* `GetEventNotifications`: Allows a client to retrieve event notifications from IronDefense without pulling duplicate messages that have already been ingested.
+* `GetEvents`: Allows a client to retrieve IronDefense events for a particular IronDefense alert. Event context information is not included in these event objects.
+* `Login`: Allows a client to login and retrieve a valid JSON Web Token (JWT) to use in subsequent calls.
+* `RateAlert`: Allows a client to rate an alert as part of the review/triage process.
+* `ReportObservedBadActivity`: Allows a client to submit a domain and/or IP of observed bad activity for Threat Intelligence Rule, event/alert creation and IronDome correlation.
+* `SetAlertStatus`: Allows a client to change an alert's status to progress it through the review process.
+* `UpdateEntityRecord`: Allows a client to send IP lease information from a source of entity information.
+
diff --git a/certified-connectors/IronDefense/apiDefinition.swagger.json b/certified-connectors/IronDefense/apiDefinition.swagger.json
new file mode 100644
index 0000000000..3b2c73f90e
--- /dev/null
+++ b/certified-connectors/IronDefense/apiDefinition.swagger.json
@@ -0,0 +1,2245 @@ +{ + "securityDefinitions": { + "basic": { + "type": "basic" + } + }, + "security": [ + { + "basic": [] + } + ], + "swagger": "2.0", + "info": { + "title": "IronDefense", + "description": "IronNet allows clients to interface with the IronDefense backend through a curated set of endpoints. This provides customers with the capability to triage alerts outside of IronVue.", + "version": "1.0.0", + "contact": { + "name": "IronNet Support", + "url": "https://ironnet.com", + "email": "support@ironnet.com" + }, + "license": { + "name": "Commercial License", + "url": "https://www.ironnet.com/terms-of-use" + } + }, + "schemes": [ + "http", + "https" + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "paths": { + "/IronApi/CommentOnAlert": { + "post": { + "summary": "Comment on alert", + "description": "Allows a client to comment on any given alert, with the option to send to IronDome (if enrolled). The default request rate limit on this endpoint is 10 requests per second.", + "operationId": "CommentOnAlert", + "responses": { + "200": { + "description": "A successful response.", + "schema": { + "$ref": "#/definitions/alertCommentOnAlertResponse" + } + } + }, + "parameters": [ + { + "name": "body", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/alertCommentOnAlertRequest" + } + } + ], + "tags": [ + "IronApi" + ] + } + }, + "/IronApi/GetAlertIronDomeInformation": { + "post": { + "summary": "Gets IronDome information related to an Alert", + "description": "Allows a client to retrieve community IronDome correlation information for an alert. 
The default request rate limit on this endpoint is 10 requests per second.", + "operationId": "GetAlertIronDomeInformation", + "responses": { + "200": { + "description": "A successful response.", + "schema": { + "$ref": "#/definitions/domeGetAlertIronDomeInformationResponse" + } + } + }, + "parameters": [ + { + "name": "body", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/domeGetAlertIronDomeInformationRequest" + } + } + ], + "tags": [ + "IronApi" + ] + } + }, + "/IronApi/GetAlertNotifications": { + "post": { + "summary": "Get alert notifications", + "description": "Allows a client to retrieve alert notifications from IronDefense without pulling duplicate messages that have already been ingested. The default request rate limit on this endpoint is 10 requests per second.", + "operationId": "GetAlertNotifications", + "responses": { + "200": { + "description": "A successful response.", + "schema": { + "$ref": "#/definitions/alertGetAlertNotificationsResponse" + } + } + }, + "parameters": [ + { + "name": "body", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/alertGetAlertNotificationsRequest" + } + } + ], + "tags": [ + "IronApi" + ] + } + }, + "/IronApi/GetAlerts": { + "post": { + "summary": "Get alerts", + "description": "Allows a client to retrieve IronDefense alerts in an environment. The response can be filtered based on the alert field parameters and limited to a given number of alerts. 
The default request rate limit on this endpoint is 10 requests per second.", + "operationId": "GetAlerts", + "responses": { + "200": { + "description": "A successful response.", + "schema": { + "$ref": "#/definitions/alertGetAlertsResponse" + } + } + }, + "parameters": [ + { + "name": "body", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/alertGetAlertsRequest" + } + } + ], + "tags": [ + "IronApi" + ] + } + }, + "/IronApi/GetDomeNotifications": { + "post": { + "summary": "Get IronDome notifications", + "description": "Allows a client to retrieve dome notifications from IronDefense without pulling duplicate messages that have already been ingested. The default request rate limit on this endpoint is 10 requests per second.", + "operationId": "GetDomeNotifications", + "responses": { + "200": { + "description": "A successful response.", + "schema": { + "$ref": "#/definitions/domeGetDomeNotificationsResponse" + } + } + }, + "parameters": [ + { + "name": "body", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/domeGetDomeNotificationsRequest" + } + } + ], + "tags": [ + "IronApi" + ] + } + }, + "/IronApi/GetEvent": { + "post": { + "summary": "Get an event", + "description": "Allows a client to retrieve details for an IronDefense event including the event context. 
The default request rate limit on this endpoint is 10 requests per second.", + "operationId": "GetEvent", + "responses": { + "200": { + "description": "A successful response.", + "schema": { + "$ref": "#/definitions/eventGetEventResponse" + } + } + }, + "parameters": [ + { + "name": "body", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/eventGetEventRequest" + } + } + ], + "tags": [ + "IronApi" + ] + } + }, + "/IronApi/GetEventNotifications": { + "post": { + "summary": "Get event notifications", + "description": "Allows a client to retrieve event notifications from IronDefense without pulling duplicate messages that have already been ingested. The default request rate limit on this endpoint is 10 requests per second.", + "operationId": "GetEventNotifications", + "responses": { + "200": { + "description": "A successful response.", + "schema": { + "$ref": "#/definitions/eventGetEventNotificationsResponse" + } + } + }, + "parameters": [ + { + "name": "body", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/eventGetEventNotificationsRequest" + } + } + ], + "tags": [ + "IronApi" + ] + } + }, + "/IronApi/GetEvents": { + "post": { + "summary": "Get events", + "description": "Allows a client to retrieve IronDefense events for a particular IronDefense alert. Event context information is not included in these event objects. 
The default request rate limit on this endpoint is 10 requests per second.", + "operationId": "GetEvents", + "responses": { + "200": { + "description": "A successful response.", + "schema": { + "$ref": "#/definitions/eventGetEventsResponse" + } + } + }, + "parameters": [ + { + "name": "body", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/eventGetEventsRequest" + } + } + ], + "tags": [ + "IronApi" + ] + } + }, + "/IronApi/Login": { + "post": { + "summary": "Login", + "description": "Allows a client to login and retrieve a valid JSON Web Token (JWT) to use in subsequent calls. The default request rate limit on this endpoint is 10 requests per second.", + "operationId": "Login", + "responses": { + "200": { + "description": "A successful response.", + "schema": { + "$ref": "#/definitions/ironapi_typesLoginResponse" + } + } + }, + "parameters": [ + { + "name": "body", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/ironapi_typesLoginRequest" + } + } + ], + "tags": [ + "IronApi" + ] + } + }, + "/IronApi/RateAlert": { + "post": { + "summary": "Rate alert", + "description": "Allows a client to rate an alert as part of the review/triage process. The default request rate limit on this endpoint is 10 requests per second.", + "operationId": "RateAlert", + "responses": { + "200": { + "description": "A successful response.", + "schema": { + "$ref": "#/definitions/alertRateAlertResponse" + } + } + }, + "parameters": [ + { + "name": "body", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/alertRateAlertRequest" + } + } + ], + "tags": [ + "IronApi" + ] + } + }, + "/IronApi/ReportObservedBadActivity": { + "post": { + "summary": "Report observed bad activity", + "description": "Allows a client to submit a domain and/or IP of observed bad activity for Threat Intelligence Rule, event/alert creation and IronDome correlation. The default request rate limit on this endpoint is one request per 10 minutes. 
This limit is imposed as the goal of this endpoint is to ingest malicious activity discovered by other security tools within the enterprise network. It is not intended to provide a means to integrate third party threat intelligence feeds or to query IronDome for information about indicators of compromise.", + "operationId": "ReportObservedBadActivity", + "responses": { + "200": { + "description": "A successful response.", + "schema": { + "$ref": "#/definitions/threatReportObservedBadActivityResponse" + } + } + }, + "parameters": [ + { + "name": "body", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/threatReportObservedBadActivityRequest" + } + } + ], + "tags": [ + "IronApi" + ] + } + }, + "/IronApi/SetAlertStatus": { + "post": { + "summary": "Set alert status", + "description": "Allows a client to change an alert's status to progress it through the review process. The default request rate limit on this endpoint is 10 requests per second.", + "operationId": "SetAlertStatus", + "responses": { + "200": { + "description": "A successful response.", + "schema": { + "$ref": "#/definitions/alertSetAlertStatusResponse" + } + } + }, + "parameters": [ + { + "name": "body", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/alertSetAlertStatusRequest" + } + } + ], + "tags": [ + "IronApi" + ] + } + }, + "/IronApi/UpdateEntityRecord": { + "post": { + "summary": "Update entity record", + "description": "Allows a client to send IP lease information from a source of entity information. 
The default request rate limit on this endpoint is 10 requests per second.", + "operationId": "UpdateEntityRecord", + "responses": { + "200": { + "description": "A successful response.", + "schema": { + "$ref": "#/definitions/entityUpdateEntityRecordResponse" + } + } + }, + "parameters": [ + { + "name": "body", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/entityUpdateEntityRecordRequest" + } + } + ], + "tags": [ + "IronApi" + ] + } + } + }, + "x-ms-connector-metadata": [ + { + "propertyName": "Website", + "propertyValue": "https://www.ironnet.com" + }, + { + "propertyName": "Privacy policy", + "propertyValue": "https://www.ironnet.com/privacy-statement" + }, + { + "propertyName": "Categories", + "propertyValue": "AI;Security" + } + ], + "definitions": { + "alertAlert": { + "type": "object", + "properties": { + "id": { + "type": "string", + "title": "The ID of the alert" + }, + "category": { + "type": "string", + "title": "The category of the alert" + }, + "sub_category": { + "type": "string", + "title": "The subcategory of the alert" + }, + "severity": { + "type": "integer", + "format": "int32", + "title": "The severity score of the alert" + }, + "status": { + "$ref": "#/definitions/alertAlertStatus", + "title": "The status of the alert" + }, + "analyst_severity": { + "$ref": "#/definitions/alertAnalystSeverity", + "title": "THe analyst severity of the alert" + }, + "analyst_expectation": { + "$ref": "#/definitions/alertAnalystExpectation", + "title": "The analyst expectation of the alert" + }, + "created": { + "type": "string", + "format": "date-time", + "title": "Time the alert was created in IronDefense" + }, + "updated": { + "type": "string", + "format": "date-time", + "title": "Time the alert was last updated in IronDefense" + }, + "event_count": { + "type": "integer", + "format": "int32", + "title": "The number of non-whitelisted events associated with this alert" + }, + "first_event_created": { + "type": "string", + "format": 
"date-time", + "title": "The earliest created date of any associated event on this alert" + }, + "last_event_created": { + "type": "string", + "format": "date-time", + "title": "The last created date of any associated event on this alert" + }, + "raw_data_formats": { + "type": "array", + "items": { + "type": "string" + }, + "title": "List of distinct raw data formats for this event" + }, + "aggregation_criteria": { + "type": "string", + "title": "Criteria used to build alert, specific to the event context fields" + }, + "vue_url": { + "type": "string", + "title": "the url for displaying the alert within IronVUE" + } + }, + "title": "Representation of an IronDefense Alert" + }, + "alertAlertNotification": { + "type": "object", + "properties": { + "alert_action": { + "$ref": "#/definitions/alertAlertNotificationAction", + "title": "The action being performed on the alert" + }, + "alert": { + "$ref": "#/definitions/alertAlert", + "title": "The alert the action is being performed on" + } + }, + "title": "A notification of a lifecycle change related to an alert" + }, + "alertAlertNotificationAction": { + "type": "string", + "enum": [ + "ANA_NONE", + "ANA_ALERT_CREATED", + "ANA_ALERT_UPDATED", + "ANA_WORKFLOW_CREATED", + "ANA_WORKFLOW_UPDATED", + "ANA_ALERT_DELETED", + "ANA_NOTE_CREATED", + "ANA_NOTE_UPDATED", + "ANA_ALERT_EVENT_ADDED" + ], + "default": "ANA_NONE", + "description": "- ANA_ALERT_CREATED: alert created\n - ANA_ALERT_UPDATED: alert updated\n - ANA_WORKFLOW_CREATED: alert workflow created (alert being reviewed/rated)\n - ANA_WORKFLOW_UPDATED: alert workflow updated (alert being reviewed/rated)\n - ANA_ALERT_DELETED: alert deleted\n - ANA_NOTE_CREATED: alert note created (alert being commented on)\n - ANA_NOTE_UPDATED: alert note updated (alert being commented on)\n - ANA_ALERT_EVENT_ADDED: a new event has been associated with an alert", + "title": "The action being performed on an alert" + }, + "alertAlertSort": { + "type": "object", + "properties": { + 
"field": { + "$ref": "#/definitions/alertAlertSortField", + "title": "The field to sort on" + }, + "direction": { + "$ref": "#/definitions/query_typesSortDirection", + "title": "The direction to sort in - defaults to ascending if not present" + } + } + }, + "alertAlertSortField": { + "type": "string", + "enum": [ + "ASF_CREATED", + "ASF_UPDATED", + "ASF_SEVERITY", + "ASF_FIRST_EVENT_CREATED", + "ASF_LAST_EVENT_CREATED", + "ASF_FIRST_EVENT_START_TIME", + "ASF_LAST_EVENT_END_TIME" + ], + "default": "ASF_CREATED", + "title": "- ASF_CREATED: Sort on the alert created time\n - ASF_UPDATED: Sort on the alert updated time\n - ASF_SEVERITY: Sort on the alert severity\n - ASF_FIRST_EVENT_CREATED: Sort on the time the first event of this alert was created\n - ASF_LAST_EVENT_CREATED: Sort on the time the most recent event of this alert was created\n - ASF_FIRST_EVENT_START_TIME: Sort on the activity's start time for the first event of this alert\n - ASF_LAST_EVENT_END_TIME: Sort on the activity's end time for the most recent event of this alert" + }, + "alertAlertStatus": { + "type": "string", + "enum": [ + "STATUS_NONE", + "STATUS_AWAITING_REVIEW", + "STATUS_UNDER_REVIEW", + "STATUS_CLOSED" + ], + "default": "STATUS_NONE", + "title": "What review state should this alert move to?" + }, + "alertAnalystExpectation": { + "type": "string", + "enum": [ + "EXP_NONE", + "EXP_UNKNOWN", + "EXP_EXPECTED", + "EXP_UNEXPECTED" + ], + "default": "EXP_NONE", + "title": "Was this alert expected?" + }, + "alertAnalystSeverity": { + "type": "string", + "enum": [ + "SEVERITY_NONE", + "SEVERITY_UNDECIDED", + "SEVERITY_BENIGN", + "SEVERITY_SUSPICIOUS", + "SEVERITY_MALICIOUS", + "SEVERITY_WHITELISTED" + ], + "default": "SEVERITY_NONE", + "description": "- SEVERITY_WHITELISTED: Used for internal IronNet Alert processing only.", + "title": "How severe is this Alert?" 
+ }, + "alertCommentOnAlertRequest": { + "type": "object", + "required": [ + "alert_id", + "comment", + "share_comment_with_irondome" + ], + "properties": { + "alert_id": { + "type": "string", + "title": "The ID of the alert to be modified." + }, + "comment": { + "type": "string", + "title": "The comment to add on the specified alert." + }, + "share_comment_with_irondome": { + "type": "boolean", + "format": "boolean", + "title": "Share comment with IronDome (if enrolled)?" + } + } + }, + "alertCommentOnAlertResponse": { + "type": "object", + "description": "This is an empty response. If an empty response was returned the call was successful." + }, + "alertGetAlertNotificationsRequest": { + "type": "object", + "properties": { + "limit": { + "type": "integer", + "format": "int32", + "title": "The maximum number of results to return" + } + } + }, + "alertGetAlertNotificationsResponse": { + "type": "object", + "properties": { + "alert_notifications": { + "type": "array", + "items": { + "$ref": "#/definitions/alertAlertNotification" + } + } + } + }, + "alertGetAlertsRequest": { + "type": "object", + "properties": { + "alert_id": { + "type": "array", + "items": { + "type": "string" + }, + "title": "Alert IDs to filter by" + }, + "category": { + "type": "array", + "items": { + "type": "string" + }, + "title": "Categories to filter by" + }, + "sub_category": { + "type": "array", + "items": { + "type": "string" + }, + "title": "Subcategories to filter by" + }, + "status": { + "type": "array", + "items": { + "$ref": "#/definitions/alertAlertStatus" + }, + "title": "Alert status to filter by" + }, + "analyst_severity": { + "type": "array", + "items": { + "$ref": "#/definitions/alertAnalystSeverity" + }, + "title": "Analyst Severities to filter by" + }, + "analyst_expectation": { + "type": "array", + "items": { + "$ref": "#/definitions/alertAnalystExpectation" + }, + "title": "Analyst Expectations to filter by" + }, + "severity": { + "title": "Severity score ranges to filter 
by.", + "type": "object", + "properties": { + "lower_bound": { + "type": "integer", + "format": "int32", + "title": "The lower bound of the range" + }, + "upper_bound": { + "type": "integer", + "format": "int32", + "title": "The upper bound of the range" + } + } + }, + "created": { + "title": "Created time range to filter by.", + "type": "object", + "properties": { + "start": { + "type": "string", + "format": "date-time", + "title": "The start time of the range" + }, + "end": { + "type": "string", + "format": "date-time", + "title": "The end time of the range" + } + } + }, + "updated": { + "title": "Updated time range to filter by.", + "type": "object", + "properties": { + "start": { + "type": "string", + "format": "date-time", + "title": "The start time of the range" + }, + "end": { + "type": "string", + "format": "date-time", + "title": "The end time of the range" + } + } + }, + "first_event_created": { + "title": "First Event Created time range to filter by.", + "type": "object", + "properties": { + "start": { + "type": "string", + "format": "date-time", + "title": "The start time of the range" + }, + "end": { + "type": "string", + "format": "date-time", + "title": "The end time of the range" + } + } + }, + "last_event_created": { + "title": "Last Event Created time range to filter by.", + "type": "object", + "properties": { + "start": { + "type": "string", + "format": "date-time", + "title": "The start time of the range" + }, + "end": { + "type": "string", + "format": "date-time", + "title": "The end time of the range" + } + } + }, + "first_event_start_time": { + "title": "First Event Start Time range to filter by.", + "type": "object", + "properties": { + "start": { + "type": "string", + "format": "date-time", + "title": "The start time of the range" + }, + "end": { + "type": "string", + "format": "date-time", + "title": "The end time of the range" + } + } + }, + "last_event_end_time": { + "title": "Last Event End Time range to filter by.", + "type": "object", 
+ "properties": { + "start": { + "type": "string", + "format": "date-time", + "title": "The start time of the range" + }, + "end": { + "type": "string", + "format": "date-time", + "title": "The end time of the range" + } + } + }, + "analytic_version": { + "type": "array", + "items": { + "type": "integer", + "format": "int32" + }, + "title": "Analystic Versions to filter by" + }, + "constraint": { + "$ref": "#/definitions/query_typesQueryConstraint", + "title": "Constraints to limit the search" + }, + "sort": { + "type": "array", + "items": { + "$ref": "#/definitions/alertAlertSort" + }, + "title": "Criteria to sort the results on (defaults to sorting on the created field in descending order)" + } + } + }, + "alertGetAlertsResponse": { + "type": "object", + "properties": { + "alerts": { + "type": "array", + "items": { + "$ref": "#/definitions/alertAlert" + }, + "title": "Returned Alerts matching filters" + }, + "constraint": { + "$ref": "#/definitions/query_typesQueryConstraintResult", + "title": "Constraint result of the search" + } + } + }, + "alertRateAlertRequest": { + "type": "object", + "required": [ + "alert_id", + "analyst_severity", + "analyst_expectation", + "comment", + "share_comment_with_irondome" + ], + "properties": { + "alert_id": { + "type": "string", + "title": "The ID of the alert to be modified." + }, + "analyst_severity": { + "$ref": "#/definitions/alertAnalystSeverity" + }, + "analyst_expectation": { + "$ref": "#/definitions/alertAnalystExpectation" + }, + "comment": { + "type": "string", + "title": "Comments for any additional details when rating the alert." + }, + "share_comment_with_irondome": { + "type": "boolean", + "format": "boolean", + "title": "Share comment with IronDome (if enrolled)?" + }, + "create_service_now_event": { + "type": "boolean", + "format": "boolean", + "title": "Create ServiceNow event." + } + } + }, + "alertRateAlertResponse": { + "type": "object", + "description": "This is an empty response. 
If an empty response was returned the call was successful." + }, + "alertSetAlertStatusRequest": { + "type": "object", + "required": [ + "alert_id", + "status", + "comment", + "share_comment_with_irondome" + ], + "properties": { + "alert_id": { + "type": "string", + "title": "The ID of the alert to be modified." + }, + "status": { + "$ref": "#/definitions/alertAlertStatus" + }, + "comment": { + "type": "string", + "title": "Comments for any additional details when processing the alert. (REQUIRED - Except when transitioning from 'Awaiting Review' to 'Under Review')" + }, + "share_comment_with_irondome": { + "type": "boolean", + "format": "boolean", + "title": "Share comment with IronDome (if enrolled)?" + } + } + }, + "alertSetAlertStatusResponse": { + "type": "object", + "description": "This is an empty response. If an empty response was returned the call was successful." + }, + "domeAnalystSeverityMismatch": { + "type": "object", + "properties": { + "analyst_severity": { + "$ref": "#/definitions/alertAnalystSeverity", + "title": "The analyst severity category" + }, + "count": { + "type": "integer", + "format": "int64", + "title": "The count of the number of alerts with this analyst rating" + } + }, + "title": "Details related to mismatches between the severities of correlated alerts" + }, + "domeCommentAddedDetails": { + "type": "object", + "properties": { + "comment": { + "type": "string" + } + }, + "title": "Details related to a newly added comment" + }, + "domeCommunityComment": { + "type": "object", + "properties": { + "created": { + "type": "string", + "format": "date-time", + "title": "The time that the comment was created" + }, + "comment": { + "type": "string", + "title": "The comment text" + }, + "dome_tags": { + "type": "array", + "items": { + "type": "string" + }, + "title": "The IronDome tags related to the comment" + }, + "enterprise": { + "type": "boolean", + "format": "boolean", + "title": "True if enterprise" + }, + "self": { + "type": "boolean", + 
"format": "boolean", + "title": "True if the comment was made by the caller" + } + }, + "title": "A comment added by a community participant" + }, + "domeCorrelationTypeParticipation": { + "type": "object", + "properties": { + "malicious_count": { + "type": "integer", + "format": "int64", + "title": "Count of malicious ratings" + }, + "suspicious_count": { + "type": "integer", + "format": "int64", + "title": "Count of suspicious ratings" + }, + "benign_count": { + "type": "integer", + "format": "int64", + "title": "Count of benign ratings" + }, + "whitelisted_count": { + "type": "integer", + "format": "int64", + "title": "Count of whitelisted ratings" + }, + "comments_count": { + "type": "integer", + "format": "int64", + "title": "Count of comments made" + }, + "activity_count": { + "type": "integer", + "format": "int64", + "title": "Count of activity" + }, + "resource_owner": { + "type": "boolean", + "format": "boolean", + "title": "True if the caller is the resource owner" + }, + "first_seen": { + "type": "string", + "format": "date-time", + "title": "The time the activity was first seen" + }, + "last_seen": { + "type": "string", + "format": "date-time", + "title": "The time the activity was last seen" + } + }, + "title": "Correlation details" + }, + "domeDomeCorrelation": { + "type": "object", + "properties": { + "ip": { + "type": "string", + "title": "The IP correlated on (if an IP correlation)" + }, + "domain": { + "type": "string", + "title": "The Domain correlated on (if a Domain correlation)" + }, + "behavior": { + "type": "boolean", + "format": "boolean", + "title": "True if the correlation was behavior-based" + }, + "enterprise_correlations": { + "type": "integer", + "format": "int64", + "title": "The number of enterprise correlations" + }, + "community_correlations": { + "type": "integer", + "format": "int64", + "title": "The number of community correlations" + } + }, + "title": "Details related to data that was correlated in IronDome" + }, + 
"domeDomeCorrelationGroup": { + "type": "object", + "properties": { + "dome_tag": { + "type": "string", + "title": "The IronDome tag" + }, + "correlations": { + "type": "array", + "items": { + "$ref": "#/definitions/domeDomeCorrelation" + }, + "title": "The IronDome correlations related to this tag" + } + }, + "title": "Details correlations that were made within a community in IronDome" + }, + "domeDomeCorrelationParticipation": { + "type": "object", + "properties": { + "dome_tag": { + "type": "string", + "title": "The IronDome tag" + }, + "behavior": { + "$ref": "#/definitions/domeCorrelationTypeParticipation", + "title": "Participation information related to behavior correlations" + }, + "domain": { + "$ref": "#/definitions/domeCorrelationTypeParticipation", + "title": "Participation information related to domain correlations" + }, + "ip": { + "$ref": "#/definitions/domeCorrelationTypeParticipation", + "title": "Participation information related to IP correlations" + } + }, + "title": "Breakdown of the different correlation severities by the type of correlation" + }, + "domeDomeNotification": { + "type": "object", + "properties": { + "id": { + "type": "integer", + "format": "int32", + "title": "The unique ID of the notification" + }, + "category": { + "$ref": "#/definitions/domeDomeNotificationCategory", + "title": "The category of the dome notification" + }, + "created": { + "type": "string", + "format": "date-time", + "title": "The time this notification was created" + }, + "dome_tags": { + "type": "array", + "items": { + "type": "string" + }, + "title": "The IronDome tags related to this notification" + }, + "alert_ids": { + "type": "array", + "items": { + "type": "string" + }, + "title": "The IDs of the alerts related to this notification" + }, + "mismatch_details": { + "$ref": "#/definitions/domeMismatchDetails", + "title": "Details regarding severity mismatches (present if the nofication is DNC_COMMUNITY_SEVERITY_MISMATCHED or 
DNC_ENTERPRISE_SEVERITY_MISMATCHED)" + }, + "severity_details": { + "$ref": "#/definitions/domeSeverityDetails", + "title": "Details related to the severity (present if the notification is DNC_COMMUNITY_SEVERITY_CHANGED)" + }, + "comment_details": { + "$ref": "#/definitions/domeCommentAddedDetails", + "title": "Details related to a community comment that has been added (present if the notification is DNC_COMMENT_ADDED)" + }, + "severity_suspicious_details": { + "$ref": "#/definitions/domeSeveritySuspiciousDetails", + "title": "Correlation-related details (present if the correlated alert has an analyst serverity of SUSPICIOUS)" + }, + "severity_malicious_details": { + "$ref": "#/definitions/domeSeverityMaliciousDetails", + "title": "Correlation-related details (present if the correlated alert has an analyst serverity of MALICIOUS)" + }, + "high_cognitive_system_score_details": { + "$ref": "#/definitions/domeHighCognitiveSystemScoreDetails", + "title": "Details related to a high score output from cognitive system" + } + }, + "title": "Notification sourced from IronDome" + }, + "domeDomeNotificationCategory": { + "type": "string", + "enum": [ + "DNC_NONE", + "DNC_PARTICIPANT_ADDED", + "DNC_COMMENT_ADDED", + "DNC_COMMUNITY_SEVERITY_CHANGED", + "DNC_COMMUNITY_SEVERITY_MISMATCHED", + "DNC_ENTERPRISE_SEVERITY_MISMATCHED", + "DNC_SEVERITY_SUSPICIOUS", + "DNC_SEVERITY_MALICIOUS", + "DNC_JOINED_HIGH_RISK", + "DNC_HIGH_COGNITIVE_SYSTEM_SCORE" + ], + "default": "DNC_NONE", + "description": "- DNC_PARTICIPANT_ADDED: A new participant was added\n - DNC_COMMENT_ADDED: A new comment was added\n - DNC_COMMUNITY_SEVERITY_CHANGED: The community severity of an alert has changed\n - DNC_COMMUNITY_SEVERITY_MISMATCHED: There is a mitmatch in the community severity of correlated alerts\n - DNC_ENTERPRISE_SEVERITY_MISMATCHED: There is a mismatch in the enterprise severity of correlated alerts\n - DNC_SEVERITY_SUSPICIOUS: An alert has been marked suspicious\n - DNC_SEVERITY_MALICIOUS: An 
alert has been marked malicious\n - DNC_JOINED_HIGH_RISK: An alert has been deemed high risk\n - DNC_HIGH_COGNITIVE_SYSTEM_SCORE: An alert has a high cognitive system score", + "title": "The category of Dome notification" + }, + "domeGetAlertIronDomeInformationRequest": { + "type": "object", + "required": [ + "alert_id" + ], + "properties": { + "alert_id": { + "type": "string", + "title": "Alert ID to get information for" + } + } + }, + "domeGetAlertIronDomeInformationResponse": { + "type": "object", + "properties": { + "correlations": { + "type": "array", + "items": { + "$ref": "#/definitions/domeDomeCorrelationGroup" + }, + "title": "Information related to the IronDome correlations for the alert" + }, + "correlation_participation": { + "type": "array", + "items": { + "$ref": "#/definitions/domeDomeCorrelationParticipation" + }, + "title": "Information related to the distribution of IronDome correlations for the alert amoung IronDome participants" + }, + "community_comments": { + "type": "array", + "items": { + "$ref": "#/definitions/domeCommunityComment" + }, + "title": "Comments related to the alert that were shared by IronDome community participants" + }, + "cognitive_system_score": { + "type": "integer", + "format": "int64", + "title": "The cognitive system score for the alert" + }, + "dome_notifications": { + "type": "array", + "items": { + "$ref": "#/definitions/domeDomeNotification" + }, + "title": "The most recent dome notifications for this alert" + } + } + }, + "domeGetDomeNotificationsRequest": { + "type": "object", + "properties": { + "limit": { + "type": "integer", + "format": "int32", + "title": "The maximum number of results to return" + } + } + }, + "domeGetDomeNotificationsResponse": { + "type": "object", + "properties": { + "dome_notifications": { + "type": "array", + "items": { + "$ref": "#/definitions/domeDomeNotification" + } + } + } + }, + "domeHighCognitiveSystemScoreDetails": { + "type": "object", + "properties": { + 
"enterprise_alert_score": { + "type": "integer", + "format": "int32", + "title": "The alert score for the enterprise" + }, + "cognitive_system_score": { + "type": "integer", + "format": "int32", + "title": "THe cognitive system score" + } + }, + "title": "Details related to a high score emitted from cognitive system" + }, + "domeIronDomeThreatIntelligenceRuleDetails": { + "type": "object", + "properties": { + "ip": { + "type": "string" + }, + "domain": { + "type": "string" + }, + "rule_id": { + "type": "string", + "format": "int64" + }, + "vue_url": { + "type": "string" + } + }, + "title": "Details of a Threat Intelligence Rule (TIR) that was created automatically based on an IronDome correlation" + }, + "domeMismatchDetails": { + "type": "object", + "properties": { + "enterprise_severities": { + "type": "array", + "items": { + "$ref": "#/definitions/domeAnalystSeverityMismatch" + }, + "title": "Analyst severity mismatches across correlated alerts within the enterprise" + }, + "community_severities": { + "type": "array", + "items": { + "$ref": "#/definitions/domeAnalystSeverityMismatch" + }, + "title": "Analyst severity mismatches across correlated alerts within the community" + } + }, + "title": "Listing of severity mismatches in the enterprise and community" + }, + "domeSeverityDetails": { + "type": "object", + "properties": { + "analyst_severity": { + "$ref": "#/definitions/alertAnalystSeverity", + "title": "The analyst severity category" + } + }, + "title": "Details related to the severity" + }, + "domeSeverityMaliciousDetails": { + "type": "object", + "properties": { + "domains": { + "type": "array", + "items": { + "type": "string" + }, + "title": "The list of domains correlated on" + }, + "ips": { + "type": "array", + "items": { + "type": "string" + }, + "title": "The list of IPs correlated on" + }, + "comments": { + "type": "array", + "items": { + "type": "string" + }, + "title": "The list of associated community comments" + }, + 
"generated_threat_intel_rules": { + "type": "array", + "items": { + "$ref": "#/definitions/domeIronDomeThreatIntelligenceRuleDetails" + }, + "title": "The list of threat intelligence rules that were automatically created based on an IronDome correlation" + } + }, + "title": "Additional details related to correlated alerts that have been deemed malicious" + }, + "domeSeveritySuspiciousDetails": { + "type": "object", + "properties": { + "domains": { + "type": "array", + "items": { + "type": "string" + }, + "title": "The list of domains correlated on" + }, + "ips": { + "type": "array", + "items": { + "type": "string" + }, + "title": "The list of IPs correlated on" + }, + "comments": { + "type": "array", + "items": { + "type": "string" + }, + "title": "The list of associated community comments" + } + }, + "title": "Additional details related to correlated alerts that have been deemed suspicious" + }, + "entityIPLease": { + "type": "object", + "properties": { + "ip": { + "type": "string", + "title": "The IP address leased to a device" + }, + "network_id": { + "type": "string", + "title": "id that uniquely identifies the network for the ip (to allow deduping of private IP space), or blank if public or unknown" + }, + "mac": { + "type": "string", + "title": "The MAC address of the device" + }, + "lease_start": { + "type": "string", + "format": "date-time", + "title": "The start time of the lease" + }, + "lease_end": { + "type": "string", + "format": "date-time", + "title": "The end time of the lease" + } + }, + "title": "A binding for a IP address to a device's MAC with a time range" + }, + "entityUpdateEntityRecordRequest": { + "type": "object", + "properties": { + "ipLeases": { + "type": "array", + "items": { + "$ref": "#/definitions/entityIPLease" + }, + "title": "A list of leases to create or update" + }, + "hostname": { + "type": "string", + "title": "The hostname of the entity" + } + } + }, + "entityUpdateEntityRecordResponse": { + "type": "object" + }, + 
"eventColumn": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "values": { + "type": "array", + "items": { + "$ref": "#/definitions/eventContextEntry" + } + } + }, + "title": "A structure that represents a column name and the data for that column" + }, + "eventContextData": { + "type": "object", + "properties": { + "string_value": { + "type": "string" + }, + "int_value": { + "type": "integer", + "format": "int32" + }, + "long_value": { + "type": "string", + "format": "int64" + }, + "double_value": { + "type": "number", + "format": "double" + }, + "ip_value": { + "type": "string" + }, + "mac_value": { + "type": "string" + }, + "timestamp_value": { + "type": "string", + "format": "date-time" + }, + "bool_value": { + "type": "boolean", + "format": "boolean" + }, + "trans_protocol_value": { + "$ref": "#/definitions/networkTransProtocol" + }, + "app_protocol_value": { + "$ref": "#/definitions/networkAppProtocol" + }, + "uuid_value": { + "type": "string" + } + } + }, + "eventContextEntry": { + "type": "object", + "properties": { + "data": { + "type": "array", + "items": { + "$ref": "#/definitions/eventContextData" + } + } + }, + "title": "An individual data point" + }, + "eventDataTable": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "columns": { + "type": "array", + "items": { + "$ref": "#/definitions/eventColumn" + } + } + }, + "title": "A columnar table" + }, + "eventEvent": { + "type": "object", + "properties": { + "id": { + "type": "string", + "title": "The event ID" + }, + "alert_id": { + "type": "string", + "title": "The associated alert ID" + }, + "category": { + "type": "string", + "title": "The event category" + }, + "sub_category": { + "type": "string", + "title": "The event sub category" + }, + "severity": { + "type": "integer", + "format": "int32", + "title": "The event severity (0-1000)" + }, + "confidence": { + "type": "number", + "format": "double", + "title": "The event confidence (real number 
between 0-1)" + }, + "created": { + "type": "string", + "format": "date-time", + "title": "Time the event was created" + }, + "updated": { + "type": "string", + "format": "date-time", + "title": "Time the event was last updated" + }, + "start_time": { + "type": "string", + "format": "date-time", + "title": "The start time of this event's activity" + }, + "end_time": { + "type": "string", + "format": "date-time", + "title": "The end time of this event's activity" + }, + "iron_dome_shared_time": { + "type": "string", + "format": "date-time", + "title": "The time when the event was sent to IronDome - not present if not shared with irondome" + }, + "is_whitelisted": { + "type": "boolean", + "format": "boolean", + "title": "True if the event activity was whitelisted, false otherwise" + }, + "is_blacklisted": { + "type": "boolean", + "format": "boolean", + "title": "True if the event activity was blacklisted, false otherwise" + }, + "src_ip": { + "type": "string", + "title": "Deprecated in favor of SessionDetails. The source IP associated with this event" + }, + "dst_ip": { + "type": "string", + "title": "Deprecated in favor of SessionDetails. The destination IP associated with this event" + }, + "dst_port": { + "type": "string", + "format": "int64", + "title": "Deprecated in favor of SessionDetails. The destination port associated with this event" + }, + "app_domains": { + "type": "array", + "items": { + "type": "string" + }, + "title": "Deprecated in favor of SessionDetails. Any domains associated with this event" + }, + "primary_app_protocol": { + "type": "string", + "title": "Deprecated in favor of SessionDetails. The primary application protocol associated with this event" + }, + "secondary_app_protocol": { + "type": "string", + "title": "Deprecated in favor of SessionDetails. The secondary application protocol associated with this event" + }, + "bytes_in": { + "type": "string", + "format": "int64", + "title": "Deprecated in favor of SessionDetails. 
The byte count of incoming traffic for this event" + }, + "bytes_out": { + "type": "string", + "format": "int64", + "title": "Deprecated in favor of SessionDetails. The byte count of outgoing traffic for this event" + }, + "total_bytes": { + "type": "string", + "format": "int64", + "title": "Deprecated in favor of SessionDetails. The byte count of the total traffic (in either direction) for this event" + }, + "url": { + "type": "string", + "title": "Deprecated in favor of SessionDetails. The related URL for this event, if applicable" + }, + "raw_data_formats": { + "type": "array", + "items": { + "type": "string" + }, + "title": "The list of distinct raw data formats for this event" + }, + "src_entity_attribute": { + "type": "string", + "title": "Deprecated in favor of SessionDetails. The source entity attribute related to this event, if one could be determined" + }, + "src_entity_attribute_type": { + "type": "string", + "title": "Deprecated in favor of SessionDetails. The source entity attribute type related to this event, if one could be determined" + }, + "dst_entity_attribute": { + "type": "string", + "title": "Deprecated in favor of SessionDetails. The destination entity attribute related to this event, if one could be determined" + }, + "dst_entity_attribute_type": { + "type": "string", + "title": "Deprecated in favor of SessionDetails. The destination entity attribute type related to this event, if one could be determined" + }, + "vue_url": { + "type": "string", + "title": "the url for displaying the event within IronVUE" + }, + "src_network_id": { + "type": "string", + "title": "Deprecated in favor of SessionDetails. id that uniquely identifies the network (to allow deduping of private IP space) of the source address, or blank if public or unknown" + }, + "dst_network_id": { + "type": "string", + "title": "Deprecated in favor of SessionDetails. 
id that uniquely identifies the network (to allow deduping of private IP space) of the dest address, or blank if public or unknown" + }, + "session_details": { + "type": "array", + "items": { + "$ref": "#/definitions/eventSessionDetails" + }, + "title": "Session details contain information about sessions related to an event" + } + } + }, + "eventEventNotification": { + "type": "object", + "properties": { + "event_action": { + "$ref": "#/definitions/eventEventNotificationAction", + "title": "The action being performed on the event" + }, + "event": { + "$ref": "#/definitions/eventEvent", + "title": "The event the action is being performed on" + } + }, + "title": "A notification of a lifecycle change related to an event" + }, + "eventEventNotificationAction": { + "type": "string", + "enum": [ + "ENA_NONE", + "ENA_EVENT_CREATED", + "ENA_EVENT_RETRO_WHITELISTED", + "ENA_EVENT_ADDED_TO_ALERT", + "ENA_EVENT_DELETED", + "ENA_EVENT_ALERT_UNDER_REVIEW", + "ENA_EVENT_ALERT_CLOSED" + ], + "default": "ENA_NONE", + "description": "- ENA_EVENT_CREATED: event created\n - ENA_EVENT_RETRO_WHITELISTED: event was retroactively whitelisted\n - ENA_EVENT_ADDED_TO_ALERT: event was added to an alert\n - ENA_EVENT_DELETED: event deleted\n - ENA_EVENT_ALERT_UNDER_REVIEW: the alert that this event is associated with is under review\n - ENA_EVENT_ALERT_CLOSED: the alert that this event is associated with has been closed", + "title": "The action being performed on an event" + }, + "eventGetEventNotificationsRequest": { + "type": "object", + "properties": { + "limit": { + "type": "integer", + "format": "int32", + "title": "The maximum number of results to return" + } + } + }, + "eventGetEventNotificationsResponse": { + "type": "object", + "properties": { + "event_notifications": { + "type": "array", + "items": { + "$ref": "#/definitions/eventEventNotification" + } + } + } + }, + "eventGetEventRequest": { + "type": "object", + "required": [ + "event_id" + ], + "properties": { + "event_id": { + 
"type": "string", + "title": "The ID of the event to retrieve" + } + } + }, + "eventGetEventResponse": { + "type": "object", + "properties": { + "event": { + "$ref": "#/definitions/eventEvent" + }, + "context": { + "type": "array", + "items": { + "$ref": "#/definitions/eventDataTable" + }, + "description": "The event context contains additional information about the source of the event." + } + } + }, + "eventGetEventsRequest": { + "type": "object", + "required": [ + "alert_id" + ], + "properties": { + "alert_id": { + "type": "string", + "title": "Alert ID to retrieve events" + }, + "constraint": { + "$ref": "#/definitions/query_typesQueryConstraint", + "title": "Constraint for the query" + } + } + }, + "eventGetEventsResponse": { + "type": "object", + "properties": { + "events": { + "type": "array", + "items": { + "$ref": "#/definitions/eventEvent" + }, + "title": "The events returned from the query" + }, + "constraint": { + "$ref": "#/definitions/query_typesQueryConstraintResult", + "title": "Information related to the constraints put on the query" + } + } + }, + "eventSessionDetails": { + "type": "object", + "properties": { + "src_entity_id": { + "type": "string", + "title": "Source Entity ID" + }, + "src_ip": { + "type": "string", + "title": "IP of the Source Entity" + }, + "src_domains": { + "type": "array", + "items": { + "type": "string" + }, + "title": "Domains associated with the Source IP" + }, + "dst_entity_id": { + "type": "string", + "title": "Destination Entity ID" + }, + "dst_ip": { + "type": "string", + "title": "IP of the Destination Entity" + }, + "dst_domains": { + "type": "array", + "items": { + "type": "string" + }, + "title": "Domains associated with the Destination IP" + }, + "src_port": { + "type": "string", + "format": "int64", + "title": "Source port for this session context information" + }, + "dst_port": { + "type": "string", + "format": "int64", + "title": "Destination port for this session context information" + }, + "trans_protocol": { 
+ "type": "string", + "title": "The transport protocol for this session context information" + }, + "primary_app_protocol": { + "type": "string", + "title": "The application protocol for this session context information" + }, + "secondary_app_protocol": { + "type": "string", + "title": "The service protocol for this session context information" + }, + "app_domains": { + "type": "array", + "items": { + "type": "string" + }, + "title": "The application domains found in the session information" + }, + "bytes_in": { + "type": "string", + "format": "int64", + "title": "The byte count of incoming traffic for this session context information" + }, + "bytes_out": { + "type": "string", + "format": "int64", + "title": "The byte count of outgoing traffic for this session context information" + }, + "total_bytes": { + "type": "string", + "format": "int64", + "title": "The byte count of total traffic for this session context information" + }, + "url": { + "type": "string", + "title": "The related URL for this session context information" + }, + "src_entity_attribute": { + "type": "string", + "title": "The source entity attribute related to this session context information" + }, + "src_entity_attribute_type": { + "type": "string", + "title": "The source entity attribute type related to this session context information" + }, + "dst_entity_attribute": { + "type": "string", + "title": "The destination entity attribute related to this session context information" + }, + "dst_entity_attribute_type": { + "type": "string", + "title": "The destination entity attribute type related to this session context information" + }, + "src_network_id": { + "type": "string", + "title": "ID that uniquely identifies the network (to allow deduping of private IP space) of the source address, or blank if public address" + }, + "dst_network_id": { + "type": "string", + "title": "ID that uniquely identifies the network (to allow deduping of private IP space) of the dest address, or blank if public 
address" + } + }, + "title": "Details about a session related to an event. All entity fields are the entity properties from the time then session was detected" + }, + "ironapi_typesLoginRequest": { + "type": "object", + "title": "There is no request body, user and password information should be\npassed in through Basic authentication https://swagger.io/docs/specification/authentication/basic-authentication/" + }, + "ironapi_typesLoginResponse": { + "type": "object", + "properties": { + "token": { + "type": "string", + "description": "The valid JSON Web Token (JWT) for the requested user." + } + } + }, + "networkAppProtocol": { + "type": "string", + "enum": [ + "UNKNOWN", + "ACTIVESYNC", + "AFP", + "AIMINI", + "AMAZON", + "APPLE", + "APPLE_ICLOUD", + "APPLE_ITUNES", + "APPLEJUICE", + "ARMAGETRON", + "AVI", + "AYIYA", + "BATTLEFIELD", + "BGP", + "BITTORRENT", + "CISCOVPN", + "CITRIX", + "CITRIX_ONLINE", + "CNN", + "COLLECTD", + "CORBA", + "CROSSFIRE", + "DCERPC", + "DHCP", + "DHCPV6", + "DIRECT_DOWNLOAD_LINK", + "DIRECTCONNECT", + "DNS", + "DOFUS", + "DROPBOX", + "EAQ", + "EBAY", + "EDONKEY", + "EPP", + "FACEBOOK", + "FASTTRACK", + "FIESTA", + "FILETOPIA", + "FLASH", + "FLORENSIA", + "FTP_CONTROL", + "FTP_DATA", + "GMAIL", + "GNUTELLA", + "GOOGLE", + "GOOGLE_MAPS", + "WAZE", + "GTP", + "GUILDWARS", + "H323", + "HALFLIFE2", + "HTTP", + "HTTP_CONNECT", + "HTTP_PROXY", + "IAX", + "ICECAST", + "IMESH", + "IPP", + "IRC", + "KAKAOTALK", + "KAKAOTALK_VOICE", + "KERBEROS", + "KONTIKI", + "LASTFM", + "LDAP", + "LLMNR", + "LOTUS_NOTES", + "MAIL_IMAP", + "MAIL_IMAPS", + "MAIL_POP", + "MAIL_POPS", + "MAIL_SMTP", + "MAIL_SMTPS", + "MAPLESTORY", + "MDNS", + "MEEBO", + "MEGACO", + "MEU", + "MGCP", + "MMS", + "MOVE", + "MPEG", + "MSN", + "MSSQL", + "MYSQL", + "NETBIOS", + "NETFLIX", + "NETFLOW", + "NFS", + "NOE", + "NTP", + "OGG", + "OPENFT", + "OPENVPN", + "ORACLE", + "OSCAR", + "PANDO", + "PANDORA", + "PCANYWHERE", + "POSTGRES", + "PPLIVE", + "PPSTREAM", + "PPTP", + "QQ", + 
"QQLIVE", + "QUAKE", + "QUIC", + "QUICKTIME", + "RADIUS", + "RDP", + "REALMEDIA", + "REDIS", + "REMOTE_SCAN", + "RSYNC", + "RTCP", + "RTMP", + "RTP", + "RTSP", + "SAP", + "SFLOW", + "SHOUTCAST", + "SIP", + "SKINNY", + "SKYFILE_POSTPAID", + "SKYFILE_PREPAID", + "SKYFILE_RUDICS", + "SKYPE", + "SMB", + "SNMP", + "SOCKS", + "OCS", + "SOCRATES", + "SOPCAST", + "SOULSEEK", + "SPOTIFY", + "SSDP", + "SSH", + "SSL", + "SSL_NO_CERT", + "STEALTHNET", + "STEAM", + "STUN", + "SYSLOG", + "TDS", + "TEAMSPEAK", + "TEAMVIEWER", + "TELEGRAM", + "TELNET", + "TFTP", + "THUNDER", + "TOR", + "TORCEDOR", + "TRUPHONE", + "TUENTI", + "TVANTS", + "TVUPLAYER", + "TWITCH", + "TWITTER", + "UBUNTUONE", + "UNENCRYPED_JABBER", + "UPNP", + "USENET", + "HTTP_DOWNLOAD", + "VEVO", + "VHUA", + "VIBER", + "VMWARE", + "VNC", + "WARCRAFT3", + "WEBEX", + "WEBM", + "WHATSAPP", + "WHATSAPP_VOICE", + "WHOIS_DAS", + "WIKIPEDIA", + "WINDOWS_UPDATE", + "WINDOWSMEDIA", + "COAP", + "WORLD_OF_KUNG_FU", + "WORLDOFWARCRAFT", + "XBOX", + "XDMCP", + "YAHOO", + "YOUTUBE", + "ZATTOO", + "ZMQ", + "DEEZER", + "EASYTAXI", + "GLOBOTV", + "HOTSPOT_SHIELD", + "INSTAGRAM", + "MICROSOFT", + "MPEGTS", + "NINETYNINETAXI", + "OPENSIGNAL", + "QUICKPLAY", + "SIMET", + "SNAPCHAT", + "TIM", + "TIMBETA", + "TIMMENU", + "TIMPORTASABERTAS", + "TIMRECARGA", + "TIMSOMDECHAMADA", + "OFFICE_365", + "CLOUDFLARE", + "MS_ONE_DRIVE", + "MQTT", + "RX", + "MODBUS", + "DNP3" + ], + "default": "UNKNOWN", + "title": "The application protocol of a network connection" + }, + "networkTransProtocol": { + "type": "string", + "enum": [ + "NONE", + "ETHERNET", + "ARP", + "BCST", + "DTP", + "LLDP", + "SP", + "STP", + "RESERVED_1", + "RESERVED_2", + "RESERVED_3", + "RESERVED_4", + "RESERVED_5", + "RESERVED_6", + "RESERVED_7", + "RESERVED_8", + "RESERVED_9", + "RESERVED_10", + "RESERVED_11", + "RESERVED_12", + "IP", + "ICMP", + "ICMP_V6", + "ICMPV6", + "IGMP", + "TCP", + "UDP", + "VRRP", + "IP_SEC", + "GRE", + "EGP", + "SCTP", + "OSPF", + "IP_IN_IP", + 
"FRAGMENTED_IP" + ], + "default": "NONE", + "title": "The transport protocol of a network connection" + }, + "query_typesIntRange": { + "type": "object", + "properties": { + "lower_bound": { + "type": "integer", + "format": "int32", + "title": "The lower bound of the range" + }, + "upper_bound": { + "type": "integer", + "format": "int32", + "title": "The upper bound of the range" + } + }, + "title": "IntRange is used for filtering with various integer ranges" + }, + "query_typesQueryConstraint": { + "type": "object", + "properties": { + "limit": { + "type": "integer", + "format": "int32", + "title": "The maximum number of results to return" + }, + "offset": { + "type": "integer", + "format": "int32", + "title": "The number of results to skip - used for paging the results" + } + }, + "title": "Query constraints." + }, + "query_typesQueryConstraintResult": { + "type": "object", + "properties": { + "limit": { + "type": "integer", + "format": "int32", + "title": "The maximum number of results that were requested to be returned" + }, + "offset": { + "type": "integer", + "format": "int32", + "title": "The number of results that were skipped - used for paging the results" + }, + "total": { + "type": "string", + "format": "int64", + "title": "The total number of results possible from the query" + } + }, + "title": "The contraints from a query execution" + }, + "query_typesSortDirection": { + "type": "string", + "enum": [ + "SD_ASCENDING", + "SD_DESCENDING" + ], + "default": "SD_ASCENDING", + "title": "- SD_ASCENDING: Sort in ascending order (default order if not specified)\n - SD_DESCENDING: Sort in descending order" + }, + "query_typesTimeRange": { + "type": "object", + "properties": { + "start": { + "type": "string", + "format": "date-time", + "title": "The start time of the range" + }, + "end": { + "type": "string", + "format": "date-time", + "title": "The end time of the range" + } + }, + "title": "TimeRange." 
+ }, + "threatReportObservedBadActivityRequest": { + "type": "object", + "required": [ + "name", + "description", + "activity_start_time", + "activity_end_time" + ], + "properties": { + "name": { + "type": "string", + "title": "Identifying name of the observed bad activity, will be used for the Threat Intelligence Rule name." + }, + "description": { + "type": "string", + "title": "Description of the observed bad activity, will be used for the Threat Intelligence Rule description." + }, + "domain": { + "type": "string", + "title": "Domain associated with the observed bad activity. (Must provide domain OR IP address)" + }, + "ip": { + "type": "string", + "title": "IP associated with the observed bad activity. Both IPv4 and IPv6 are supported. (Must provide domain OR IP address)" + }, + "activity_start_time": { + "type": "string", + "format": "date-time", + "title": "Start time of observed bad activity." + }, + "activity_end_time": { + "type": "string", + "format": "date-time", + "title": "End time of observed bad activity." + } + } + }, + "threatReportObservedBadActivityResponse": { + "type": "object", + "description": "This is an empty response. If an empty response was returned the call was successful." + } + } +} diff --git a/certified-connectors/IronDefense/apiProperties.json b/certified-connectors/IronDefense/apiProperties.json new file mode 100644 index 0000000000..efaaeb51d8 --- /dev/null +++ b/certified-connectors/IronDefense/apiProperties.json 
@@ -0,0 +1,54 @@
+{
+ "properties": {
+ "capabilities": [],
+ "connectionParameters": {
+ "ironDefenseUrl": {
+ "type": "string",
+ "uiDefinition": {
+ "constraints": {
+ "required": "true"
+ },
+ "description": "IronDefense URL to connect to",
+ "displayName": "IronDefense URL",
+ "tooltip": "Provide the URL where your IronDefense instance is hosted"
+ }
+ },
+ "username": {
+ "type": "string",
+ "uiDefinition": {
+ "constraints": {
+ "required": "true"
+ },
+ "description": "IronVue username",
+ "displayName": "Username",
+ "tooltip": "Provide your IronVue username"
+ }
+ },
+ "password": {
+ "type": "securestring",
+ "uiDefinition": {
+ "constraints": {
+ "clearText": false,
+ "required": "true",
+ "tabIndex": 2
+ },
+ "description": "IronVue password",
+ "displayName": "Password",
+ "tooltip": "Provide your IronVue password"
+ }
+ }
+ },
+ "iconBrandColor": "#0C2340",
+ "policyTemplateInstances": [
+ {
+ "parameters": {
+ "x-ms-apimTemplateParameter.urlTemplate": "@connectionParameters('ironDefenseUrl')"
+ },
+ "templateId": "dynamichosturl",
+ "title": "IronAPI URL"
+ }
+ ],
+ "publisher": "IronNet",
+ "stackOwner": "IronNet"
+ }
+}
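Review bot: The `ironDefenseUrl` connection parameter carries no constraint or guidance on the form of the value, yet it is substituted wholesale into the request URL through the `dynamichosturl` policy template, and the `ironapi_typesLoginRequest` definition in the swagger hunk above says the user's credentials are passed to that host via Basic authentication. A mistyped or plain-http value would therefore send the IronVue password to the wrong place or in the clear, and nothing in the `uiDefinition` tells the user to supply an https base URL without a path. I would sharpen the guidance, e.g. `"tooltip": "Provide the https base URL of your IronDefense instance, e.g. https://<irondefense-host>, with no trailing path"`, and add a scheme constraint if the connector framework supports one (I cannot confirm from this page which keys `uiDefinition.constraints` accepts beyond those used here). A smaller point of style: `tabIndex` is set only on `password`, and `required` is a string while `clearText` is a boolean; the latter pair presumably follows the platform's expected forms, but `tabIndex` should be given for all three parameters or dropped.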