Discover subdomains of a given domain.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "assets@discover",
"params": {
"domain": "The seed domain."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"subdomains": "An array of subdomains."
}
}
Returns all the information known about an asset concerning its external perimeter. This method does not return any information concerning the asset's internal perimeter e.g. security events and IoCs.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "assets@get",
"params": {
"asset": "The asset name. (string|required|min:1|max:191)",
"trial_id": "If any, the trial id this asset belongs to."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"asset": "The asset name. May be different from the one given in the request on ranges.",
"modifications": "The asset's creation and modification history.",
"tags": "The asset's tags.",
"ports": "The asset's open ports.",
"vulnerabilities": "The asset's vulnerabilities.",
"timeline": {
"nmap": {
"start": "When the port scan started.",
"end": "When the port scan ended."
},
"sentinel": {
"start": "When the vuln. scan started.",
"end": "When the vuln. scan ended."
},
"next_scan": "When the next scans will start.",
"nb_vulns_scans_running": "The number of running scans.",
"nb_vulns_scans_completed": "The number of completed scans."
},
"hiddenAlerts": "The asset's hidden vulnerabilities (if any)."
}
}
Create and optionally monitor an asset.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "assets@create",
"params": {
"asset": "The asset as an IP address or a DNS. (string|required|min:1|max:191)",
"watch": "True if the asset should be monitored directly after the creation. False otherwise. (boolean)",
"trial_id": "If any, the trial id this asset belongs to."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"asset": "An asset object."
}
}
Delete an asset.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "assets@delete",
"params": {
"asset": "The asset as an IP address or DNS. (string|required|min:1|max:191)",
"asset_id": "The asset id if the parameter asset is not specified."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"msg": "A success message."
}
}
Compute the number of monitored and monitorable assets for a given user.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "assets@counts",
"params": []
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"monitored": "The number of monitored assets.",
"monitorable": "The number of monitorable assets."
}
}
List the user's assets, e.g. servers for which the external perimeter is monitored.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "assets@list",
"params": {
"type": "The type of asset to list: domain or ip_address. (string|nullable|in:domain,ip_address)",
"is_monitored": "The asset status: true to get only monitored assets, false to get only unmonitored assets, null to get all assets. (boolean|nullable)",
"created_the_last_x_hours": "Keep only assets created after now - x hours."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"assets": "A list of assets."
}
}
Start monitoring an existing asset.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "assets@monitor",
"params": {
"asset": "The asset as an IP address or DNS. (string|required|min:1|max:191)",
"asset_id": "The asset id if the parameter asset is not specified."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"asset": "The monitored asset."
}
}
Stop monitoring an existing asset.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "assets@unmonitor",
"params": {
"asset": "The asset as an IP address or DNS. (string|required|min:1|max:191)",
"asset_id": "The asset id if the parameter asset is not specified."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"asset": "The unmonitored asset."
}
}
Tag an asset.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "assets@tag",
"params": {
"asset_id": "The asset id.",
"tag": "The tag to add."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"tag": "The added tag."
}
}
Untag an asset.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "assets@untag",
"params": {
"asset_id": "The asset id.",
"tag_id": "The tag id of the tag to remove."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"msg": "A success message."
}
}
List all tags that belong to the current user.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "assets@listTags",
"params": []
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"tags": "The list of tags."
}
}
Force-scan a given asset.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "assets@restartScan",
"params": {
"asset_id": "The asset id."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"asset": "The scanned asset."
}
}
Group together assets sharing given tags.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "assets@group",
"params": {
"tags": "An array of tags.",
"hash": "An optional hash for the group."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"group": "The group object."
}
}
Degroup previously grouped assets.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "assets@degroup",
"params": {
"group": "The group hash."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"msg": "A success message."
}
}
List all groups that belong to the current user.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "assets@listGroups",
"params": []
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"groups": "The list of groups."
}
}
Get a specific group.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "assets@getGroup",
"params": {
"group": "The group hash."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"group": "The group."
}
}
Get the assets that belong to a given group.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "assets@assetsInGroup",
"params": {
"group": "The group hash."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"msg": "A success message."
}
}
Get the vulnerabilities that belong to a given group.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "assets@vulnerabilitiesInGroup",
"params": {
"group": "The group hash."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"msg": "A success message."
}
}
Mark a vulnerability that belongs to a given group as resolved.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "assets@resolveVulnerabilityInGroup",
"params": {
"group": "The group hash.",
"vulnerability_id": "The vulnerability id."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"msg": "A success message."
}
}
Share assets with a user by email.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "assets@share",
"params": {
"email": "The recipient's email address.",
"tags": "An array of tags to share."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"msg": "A success message."
}
}
Delete a single chunk.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "chunks@delete",
"params": {
"chunk_id": "The chunk id."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"msg": "A success message."
}
}
Update an existing chunk.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "chunks@update",
"params": {
"chunk_id": "The chunk id.",
"value": "The new chunk value."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"msg": "A success message."
}
}
List all chunks visible to the current tenant user.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "chunks@list",
"params": {
"page": "The page number (optional, default 1).",
"page_size": "The page size (optional, default 25).",
"collection": "The collection name (optional).",
"file": "The file name (optional)."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"page": "The current page number.",
"page_size": "The page size.",
"nb_pages": "The total number of pages.",
"collection": "The collection name (if any).",
"file": "The file name (if any).",
"chunks": "A list of chunks."
}
}
Update an existing collection.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "collections@update",
"params": {
"collection_id": "The collection id.",
"priority": "The new collection priority."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"msg": "A success message."
}
}
Delete a single collection.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "collections@delete",
"params": {
"collection_id": "The collection id."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"msg": "A success message."
}
}
List all collections visible to the current tenant user.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "collections@list",
"params": {
"page": "The page number (optional, default 1).",
"page_size": "The page size (optional, default 25)."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"page": "The current page number.",
"page_size": "The page size.",
"nb_pages": "The total number of pages.",
"collections": "A list of collections."
}
}
Ask CyberBuddy to answer a question or execute some tasks.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "cyberbuddy@ask",
"params": {
"thread_id": "The thread identifier.",
"directive": "The user's directive.",
"fallback_on_next_collection": "Automatically search the next collection if the first one yields no result (optional)."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"html": "CyberBuddy's answer in HTML.",
"chain_of_thought": "CyberBuddy's chain of thought."
}
}
Delete an existing conversation.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "cyberbuddy@delete",
"params": {
"conversation_id": "The conversation identifier."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"msg": "A success message."
}
}
List available templates.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "cyberscribe@listTemplates",
"params": []
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"templates": "A list of templates."
}
}
Delete an existing template.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "cyberscribe@deleteTemplate",
"params": {
"template_id": "The template id."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"msg": "A success message."
}
}
Save a template.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "cyberscribe@saveTemplate",
"params": {
"template_id": "The template id (optional).",
"is_model": "Whether the template is a model (optional).",
"name": "The template name.",
"blocks": "The template blocks."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"msg": "A success message."
}
}
Compute the number of high, medium and low IoCs for a given user.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "events@counts",
"params": []
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"high": "The number of IoCs with criticality high.",
"medium": "The number of IoCs with criticality medium.",
"low": "The number of IoCs with criticality low."
}
}
Returns the security events and IoCs collected by the agent deployed on the server. This method does not return any information concerning the asset's external perimeter e.g. vulnerabilities.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "events@list",
"params": {
"min_score": "A score of 0 indicates a system event; any score above 0 indicates an IoC, with values closer to 100 reflecting a higher probability of compromise. (integer|required|min:0|max:100)",
"max_score": "An optional maximum score to filter events by. (integer|nullable|min:0|max:100)",
"rule_name": "An optional rule name to filter events by. (string|nullable|min:0|max:191)",
"server_id": "An optional server id to filter events by.",
"server_name": "An optional server name to filter events by. (string|nullable|min:0|max:191|exists:ynh_servers,name)",
"ip_address": "An optional server IP address to filter events by. (string|nullable|min:4|max:15|exists:ynh_servers,ip_address)",
"window": "An optional window of time [min_date, max_date] to filter events by.",
"categories": "An optional list of categories to filter events by."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"events": "The list of events over the last 3 days."
}
}
Dismiss an event (false positive).
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "events@dismiss",
"params": {
"event_id": "The event identifier."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"msg": "A success message."
}
}
Analyze security events and IoCs collected by the agent deployed on the server to detect suspicious activity. This method does not take into account any information concerning the asset's external perimeter e.g. vulnerabilities.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "events@socOperator",
"params": {
"server_id": "If the IP address is not specified, the server id.",
"ip_address": "If the server id is not specified, the server IP address. (string|min:4|max:15|exists:ynh_servers,ip_address)"
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"activity": "The activity status: UNKNOWN, NORMAL, SUSPICIOUS, or ANORMAL.",
"report": "A full text report in Markdown format."
}
}
Delete a single file.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "files@delete",
"params": {
"file_id": "The file id."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"msg": "A success message."
}
}
List all files that belong to the current user.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "files@list",
"params": {
"page": "The page number (optional, default 1).",
"page_size": "The page size (optional, default 25).",
"collection": "The collection name (optional)."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"page": "The current page number.",
"page_size": "The page size.",
"nb_pages": "The total number of pages.",
"collection": "The collection name (if any).",
"files": "A list of files."
}
}
Load a framework into a collection.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "frameworks@load",
"params": {
"framework_id": "The framework id."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"msg": "A success message."
}
}
Remove a framework from a collection.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "frameworks@unload",
"params": {
"framework_id": "The framework id."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"msg": "A success message."
}
}
Get a list of qualified IP addresses to blacklist. If the attacker_id parameter is set, this endpoint only returns the IP addresses of the specified attacker.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "honeypots@blacklist",
"params": {
"attacker_id": "An attacker id (optional)."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"blacklist": "The list of IP addresses to blacklist."
}
}
Returns the number of human and targeted events for each day of the last 10 days.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "honeypots@counts",
"params": {
"honeypot_id": "A honeypot identifier."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"counts": "The daily counts."
}
}
The last events generated by the honeypots. If the honeypot_id parameter is set, this endpoint only returns the events of the specified honeypot.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "honeypots@events",
"params": {
"honeypot_id": "A honeypot identifier (optional).",
"limit": "The number of events to return (optional).",
"human": "Only keep events that have been generated by manually tinkering with the honeypots (optional).",
"targeted": "Only keep events that have been generated by a lateral movement (optional)."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"events": "A list of events."
}
}
Returns the list of human attackers that targeted your honeypots.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "honeypots@attackers",
"params": []
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"attackers": "The list of human attackers that targeted your honeypots."
}
}
Get the full profile of an attacker.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "honeypots@attackerProfile",
"params": {
"attacker_id": "An attacker id."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"profile": "The attacker profile: internal name, date of first contact, date of last contact, etc.",
"ip_addresses": "The attacker's known IP addresses.",
"events": "The last known events triggered by the attacker.",
"tools": "The attacker toolkit.",
"counts": "Misc. counts (nb human events, nb targeted events, etc.)",
"skills": "The attacker's skills."
}
}
Retrieve a list of the user's FusionLive workspaces.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "fusionlive@workspaces",
"params": []
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"workspaces": "A list of workspaces."
}
}
List all folders and documents for a given FusionLive workspace.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "fusionlive@documents",
"params": {
"workspace_id": "The workspace ID. (integer|required|min:0)",
"status": "An optional document status to filter by. (string|nullable|min:1|max:50)"
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"documents": "A list of documents."
}
}
List all users for a given FusionLive workspace.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "fusionlive@users",
"params": {
"workspace_id": "The workspace ID. (integer|required|min:0)",
"group_id": "An optional group ID. (integer|nullable|min:0)"
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"users": "A list of users."
}
}
List all groups for a given FusionLive workspace.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "fusionlive@groups",
"params": {
"workspace_id": "The workspace ID. (integer|required|min:0)"
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"groups": "A list of groups."
}
}
Create a single invitation and send it.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "invitations@create",
"params": {
"email": "The user email address."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"msg": "A success message."
}
}
List leaks.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "leaks@list",
"params": {
"asset": "An optional asset to filter leaks by. (string|nullable|min:1|max:191)",
"created_at_or_after": "An optional date of the leak."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"leaks": "An array of leaks."
}
}
Create a note.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "notes@create",
"params": {
"subject": "An optional subject of the note. (string|nullable|min:1|max:1000)",
"note": "The note content. (string|required|min:1|max:1000)",
"scopes": "An optional set of scopes associated with the note such as 'CyberBuddy', 'Orchestrator' or 'SOC Operator' (array|nullable|min:0|max:3)"
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"msg": "A success message."
}
}
Delete a note.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "notes@delete",
"params": {
"note_id": "The note id."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"msg": "A success message."
}
}
List all notes.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "notes@list",
"params": {
"scope": "An optional scope such as 'CyberBuddy', 'Orchestrator' or 'SOC Operator'."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"notes": "A list of notes."
}
}
Get a given prompt.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "prompts@get",
"params": {
"name": "The prompt name."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"prompt": "A prompt object."
}
}
Create a new prompt.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "prompts@create",
"params": {
"name": "The prompt name.",
"template": "The prompt template."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"prompt": "A prompt object."
}
}
Update an existing prompt.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "prompts@update",
"params": {
"prompt_id": "The prompt id.",
"template": "The new prompt template."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"msg": "A success message."
}
}
Delete a single prompt.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "prompts@delete",
"params": {
"prompt_id": "The prompt id."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"msg": "A success message."
}
}
List all prompts that belong to the current user.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "prompts@list",
"params": {
"page": "The page number (optional, default 1).",
"page_size": "The page size (optional, default 25)."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"page": "The current page number.",
"page_size": "The page size.",
"nb_pages": "The total number of pages.",
"prompts": "A list of prompts."
}
}
Trigger a vulnerability scan.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "rapidapi@triggerScan",
"params": {
"asset": "A domain or an IP address."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"asset": "The asset name. May be different from the one given in the request on ranges.",
"modifications": "The asset's creation and modification history.",
"tags": "The asset's tags.",
"ports": "The asset's open ports.",
"vulnerabilities": "The asset's vulnerabilities.",
"timeline": {
"nmap": {
"start": "When the port scan started.",
"end": "When the port scan ended."
},
"sentinel": {
"start": "When the vuln. scan started.",
"end": "When the vuln. scan ended."
},
"next_scan": "When the next scans will start.",
"nb_vulns_scans_running": "The number of running scans.",
"nb_vulns_scans_completed": "The number of completed scans."
},
"hiddenAlerts": "The asset's hidden vulnerabilities (if any)."
}
}
Collect the results of a vulnerability scan.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "rapidapi@collectScanResults",
"params": {
"asset": "A domain or an IP address."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"asset": "The asset name. May be different from the one given in the request on ranges.",
"modifications": "The asset's creation and modification history.",
"tags": "The asset's tags.",
"ports": "The asset's open ports.",
"vulnerabilities": "The asset's vulnerabilities.",
"timeline": {
"nmap": {
"start": "When the port scan started.",
"end": "When the port scan ended."
},
"sentinel": {
"start": "When the vuln. scan started.",
"end": "When the vuln. scan ended."
},
"next_scan": "When the next scans will start.",
"nb_vulns_scans_running": "The number of running scans.",
"nb_vulns_scans_completed": "The number of completed scans."
},
"hiddenAlerts": "The asset's hidden vulnerabilities (if any)."
}
}
Save action settings for tenant or user scope.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "remoteactions@saveSettings",
"params": {
"scope_type": "Scope type: 'tenant' or 'user'.",
"scope_id": "The tenant id or the user id depending on scope_type.",
"actions": "Array of action names to enable (others will be disabled)."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"msg": "A success message."
}
}
Create a single remote action.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "remoteactions@create",
"params": {
"name": "The action name.",
"description": "The action description.",
"url": "The action URL.",
"headers": "The action headers.",
"schema": "The action schema.",
"payload_template": "The action payload template.",
"response_template": "The action response template.",
"examples": "The action examples."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"action": "A remote action."
}
}
Delete a remote action.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "remoteactions@delete",
"params": {
"action_id": "The action identifier."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"msg": "A success message."
}
}
Generate a report for vulnerabilities, open ports, assets (Excel) or a specific vulnerability remediation (Word).
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "reporting@create",
"params": {
"report": "The type of report to create: vulnerabilities, open ports, assets or remediation. (string|min:5|max:15|in:vulnerabilities,ports,assets,remediation)",
"alert_id": "The alert id to use for a remediation Word report. (integer|nullable)",
"vulnerability_name": "The name of the vulnerability. Extract the core technical identifier or keywords, for example 'uploads/' or '.env' or 'admin.php', rather than a full sentence. (string|nullable)",
"asset_name": "The name of the asset or server. (string|nullable)"
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"report": "A link to the Excel spreadsheet or Word document."
}
}
Create a single Osquery rule.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "osquery@create",
"params": {
"name": "The rule name.",
"description": "The rule description.",
"category": "The rule category.",
"platform": "The rule platform.",
"interval": "The rule trigger interval in seconds.",
"is_ioc": "true if and only if the rule is an indicator of compromise, false otherwise.",
"score": "The score of the rule. Must be greater than 0 but no greater than 100 if is_ioc is true, and 0 otherwise.",
"query": "The rule query."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"rule": "An Osquery rule."
}
}
Delete a single Osquery rule and all its associated data.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "osquery@delete",
"params": {
"rule_id": "The rule id."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"msg": "A success message."
}
}
List the enabled Osquery rules.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "osquery@list",
"params": []
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"rules": "The list of enabled Osquery rules."
}
}
Create a single OSSEC rule.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "ossec@create",
"params": {
"name": "The rule name.",
"description": "The rule description.",
"rationale": "The reason behind this rule.",
"rule": "The rule checks."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"rule": "An OSSEC rule."
}
}
Delete a single OSSEC rule and all its associated data.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "ossec@delete",
"params": {
"rule_id": "The rule id."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"msg": "A success message."
}
}
List the OSSEC rules.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "ossec@list",
"params": []
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"rules": "The list of OSSEC rules."
}
}
Add a permission to a role.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "roles@addPermission",
"params": {
"role": "Role name (string) or ID (integer).",
"permission": "Permission name (string) or ID (integer)."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"msg": "Success message."
}
}
Remove a permission from a role.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "roles@removePermission",
"params": {
"role": "Role name (string) or ID (integer).",
"permission": "Permission name (string) or ID (integer)."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"msg": "Success message."
}
}
List all roles with their permissions (permissions sorted alphabetically).
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "roles@list",
"params": []
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"roles": "Array of roles with permissions"
}
}
List the scheduled tasks of the current user.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "scheduled-tasks@list",
"params": []
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"tasks": "A list of tasks."
}
}
Create a new scheduled task.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "scheduled-tasks@create",
"params": {
"cron": "Schedule a repetitive task, e.g. \"every Monday at 9am\", using a cron expression MIN HOUR DOM MON DOW. (string|required_without:schedule|prohibits:schedule|nullable)",
"schedule": "Schedule a one-off task, e.g. \"in 10 minutes\" or \"tomorrow\", using PHP relative format: https://www.php.net/manual/en/datetime.formats.php#datetime.formats.relative. (string|required_without:cron|prohibits:cron|nullable)",
"trigger": "Optional condition that must evaluate to true to run the task. (string|nullable)",
"task": "The task/instruction to execute when the schedule/trigger matches. (string|required)",
"run_once": "Optional boolean. If true, the task will be deleted after being successfully executed once. (boolean|nullable)"
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"msg": "Success message.",
"task_id": "The id of the created scheduled task."
}
}
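Added example (not part of the original reference, and not the vendor's code): a client-side pre-check that interprets the rule strings shown in the events@list and scheduled-tasks@create parameter descriptions before a request is built, including the cron/schedule mutual exclusion. The rule names are read with the meaning they have in Laravel's validator, which is an assumption since the page does not name the framework; check, validate, build_request and unwrap are hypothetical helper names, and the error member handled in unwrap comes from the JSON-RPC 2.0 specification rather than from this page.

```python
import json

# Rule strings copied from the parameter descriptions on this page.
EVENTS_LIST_RULES = {
    "min_score": "integer|required|min:0|max:100",
    "max_score": "integer|nullable|min:0|max:100",
    "rule_name": "string|nullable|min:0|max:191",
    "server_name": "string|nullable|min:0|max:191|exists:ynh_servers,name",
    "ip_address": "string|nullable|min:4|max:15|exists:ynh_servers,ip_address",
}
SCHEDULED_TASK_RULES = {
    "cron": "string|required_without:schedule|prohibits:schedule|nullable",
    "schedule": "string|required_without:cron|prohibits:cron|nullable",
    "trigger": "string|nullable",
    "task": "string|required",
    "run_once": "boolean|nullable",
}

TYPES = {"integer": int, "string": str, "boolean": bool, "array": list}


def check(name, params, rule_string):
    """Return the rules violated by params[name] (empty list = acceptable)."""
    value = params.get(name)  # an absent key and an explicit null are treated alike
    rules = [r.partition(":") for r in rule_string.split("|")]
    errors = []
    if value is None:
        for rule, _, arg in rules:
            # required_without:X means "required when X is missing".
            if rule == "required" or (rule == "required_without" and params.get(arg) is None):
                errors.append(f"{rule}:{arg}" if arg else rule)
        return errors
    for rule, _, arg in rules:
        if rule in TYPES:
            # bool is a subclass of int in Python, so reject it explicitly.
            if not isinstance(value, TYPES[rule]) or (rule == "integer" and isinstance(value, bool)):
                return [rule]  # size rules are meaningless on a wrong type
        elif rule in ("min", "max"):
            # Numeric bound for integers, length bound for strings and arrays.
            size = value if isinstance(value, int) else len(value)
            if (rule == "min" and size < int(arg)) or (rule == "max" and size > int(arg)):
                errors.append(f"{rule}:{arg}")
        elif rule == "in" and value not in arg.split(","):
            errors.append(f"in:{arg}")
        elif rule == "prohibits" and params.get(arg) is not None:
            # prohibits:X means "X must be missing when this field is set".
            errors.append(f"prohibits:{arg}")
        # exists:table,column needs server-side state and is left to the API.
    return errors


def validate(params, rules):
    """Map each offending parameter name to the list of rules it violates."""
    problems = {}
    for name, rule_string in rules.items():
        errors = check(name, params, rule_string)
        if errors:
            problems[name] = errors
    return problems


def build_request(method, params, rules, request_id=1):
    """Build the JSON-RPC 2.0 envelope used on this page, refusing invalid params."""
    problems = validate(params, rules)
    if problems:
        raise ValueError(f"{method}: invalid params {problems}")
    return {"jsonrpc": "2.0", "id": request_id, "method": method, "params": params}


def unwrap(response, request_id=1):
    """Return the result member after checking the envelope matches the request."""
    if response.get("jsonrpc") != "2.0" or response.get("id") != request_id:
        raise ValueError("not the JSON-RPC 2.0 response to this request")
    if "error" in response:
        raise RuntimeError(response["error"])
    return response["result"]


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    print(json.dumps(build_request("events@list", {"min_score": 1}, EVENTS_LIST_RULES), indent=2))
    both = {"task": "Send the weekly report", "cron": "0 9 * * 1", "schedule": "tomorrow"}
    print(validate(both, SCHEDULED_TASK_RULES))
```

Parameters that carry no rule string on this page (server_id, window, categories) pass through unchecked, and the server remains the authority on every rule.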
Pause or resume a scheduled task.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "scheduled-tasks@toggle",
"params": {
"task_id": "The scheduled task id. (integer|required|exists:cb_scheduled_tasks,id)",
"enabled": "Optional boolean. If omitted, the flag will be toggled. (boolean|nullable)"
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"msg": "Success message."
}
}
Delete a scheduled task.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "scheduled-tasks@delete",
"params": {
"task_id": "The scheduled task id. (integer|required|exists:cb_scheduled_tasks,id)"
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"msg": "Success message."
}
}
List servers where an agent has been deployed, e.g. servers for which the internal perimeter is monitored.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "servers@list",
"params": []
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": []
}
Create a single server.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "servers@create",
"params": []
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"server": "A server object."
}
}
Delete a single server and all its associated data.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "servers@delete",
"params": {
"server_id": "The server id."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"msg": "A success message."
}
}
Configure the SSH connection of a server.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "servers@configure",
"params": {
"name": "The server name.",
"ip": "The server IP address.",
"port": "The server SSH port.",
"username": "The server SSH username.",
"domain": "The domain pointing to the server.",
"server_id": "The server id."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"msg": "A success message."
}
}
Test if the SSH connection to a server is working.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "servers@testSshConnection",
"params": {
"ip": "The server IP address.",
"port": "The server SSH port.",
"username": "The server SSH username.",
"server_id": "The server id."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"msg": "A success message."
}
}
Execute a shell command on a server.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "servers@executeShellCommand",
"params": {
"cmd": "The shell command to execute.",
"server_id": "The server id."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"output": "The command output."
}
}
Retrieve the security events and IoCs for a specific server over the past 5 days.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "servers@events",
"params": {
"server_id": "The server id."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"events": "An array of security events."
}
}
List the available tables.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "tables@list",
"params": []
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"tables": "An array of tables."
}
}
Import one or more tables.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "tables@import",
"params": {
"storage": "The type of storage (AWS S3 or Azure Blob Storage).",
"region": "The AWS/Azure region.",
"access_key_id": "The access key (AWS only).",
"secret_access_key": "The secret key (AWS only).",
"connection_string": "The connection string to the storage account (Azure only).",
"input_folder": "Where the input files will be read.",
"output_folder": "Where the output (or temporary) files will be written.",
"tables": [
{
"table": "The table name.",
"old_name": "The old table name.",
"new_name": "The new table name.",
"type": "The table type (materialized or view)."
}
],
"updatable": "",
"copy": "",
"deduplicate": "",
"description": ""
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"message": "A success message."
}
}
Force the import of a given table.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "tables@forceImport",
"params": {
"table_id": "The identifier of the table to reimport."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"message": "A success message."
}
}
Execute a SQL query.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "tables@executeSqlQuery",
"params": {
"query": "The SQL query.",
"store": "Whether to store the query as a virtual or physical table (optional).",
"materialize": "Whether to store the query as a physical table (mandatory if store is true).",
"name": "The name of the virtual or physical table (mandatory if store is true).",
"description": "The description of the virtual or physical table (mandatory if store is true).",
"format": "The format of the query (arrays, arrays_with_header or objects) (mandatory if store is false)."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"message": "A success message.",
"data": "The requested data."
}
}
List the content of a given bucket.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "tables@listBucketContent",
"params": {
"storage": "The type of storage (AWS S3 or Azure Blob Storage).",
"region": "The AWS\/Azure region.",
"access_key_id": "The access key (AWS only).",
"secret_access_key": "The secret key (AWS only).",
"connection_string": "The connection string to the storage account (Azure only).",
"input_folder": "Where the input files will be read.",
"output_folder": "Where the output (or temporary) files will be written."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"files": "An array of files."
}
}
List the content of a given list of files (in a given bucket).
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "tables@listFileContent",
"params": {
"storage": "The type of storage (AWS S3 or Azure Blob Storage).",
"region": "The AWS\/Azure region.",
"access_key_id": "The access key (AWS only).",
"secret_access_key": "The secret key (AWS only).",
"connection_string": "The connection string to the storage account (Azure only).",
"input_folder": "Where the input files will be read.",
"output_folder": "Where the output (or temporary) files will be written.",
"tables": "An array of tables to inspect."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"tables": "An array of tables."
}
}
Convert a prompt to a SQL query.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "tables@promptToQuery",
"params": {
"prompt": "The prompt."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"query": "The SQL query."
}
}
Update a table description.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "tables@updateDescription",
"params": {
"name": "The table name.",
"description": "The new description."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"message": "A success message.",
"data": "The updated table object."
}
}
List the last n traces.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "traces@list",
"params": {
"limit": "The maximum number of traces to return."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"traces": "An array of traces."
}
}
Toggle the sending of the weekly email report to a given user.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "users@toggleGetsAuditReport",
"params": {
"user_id": "An optional user id. If both the user_id and the email are null, the email of the current user is used.",
"email": "An optional user email. If both the user_id and the email are null, the email of the current user is used. (string|nullable|email|max:191|exists:users,email)",
"gets_audit_report": "true if the user wants to receive the weekly email report, false otherwise. When null, the current value is toggled. (boolean|nullable)"
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"msg": "A success message."
}
}
Immediately send the weekly email report to a given user.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "users@sendAuditReport",
"params": {
"user_id": "An optional user id. If both the user_id and the email are null, the email of the current user is used.",
"email": "An optional user email. If both the user_id and the email are null, the email of the current user is used. (string|nullable|email|max:255|exists:users,email)"
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"msg": "A success message."
}
}
Configure the Telegram bot token for the current user and return the webhook URL to set at Telegram.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "users@setTelegramConfiguration",
"params": {
"bot_token": "The Telegram bot token to save for this user."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"webhook": "The absolute URL to configure as Telegram webhook."
}
}
Get Telegram's configuration for the current user.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "users@getTelegramConfiguration",
"params": []
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"bot_token": "The Telegram bot token of the current user.",
"webhook": "The absolute URL to configure as Telegram webhook or an empty string."
}
}
Set the WhatsApp configuration for the current user and return the webhook URL.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "users@setWhatsAppConfiguration",
"params": {
"access_token": "The WhatsApp access token.",
"phone_number_id": "The WhatsApp phone number ID."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"webhook": "The absolute URL to configure as WhatsApp webhook.",
"verify_token": "The verify token to use when configuring the webhook at Meta."
}
}
Get WhatsApp's configuration for the current user.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "users@getWhatsAppConfiguration",
"params": []
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"access_token": "The WhatsApp access token of the current user.",
"phone_number_id": "The WhatsApp phone number ID of the current user.",
"webhook": "The absolute URL to configure as WhatsApp webhook or an empty string.",
"verify_token": "The verify token or an empty string."
}
}
Compute the number of high, medium and low vulnerabilities for a given user.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "vulnerabilities@counts",
"params": []
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"high": "The number of vulnerabilities with criticality high.",
"medium": "The number of vulnerabilities with criticality medium.",
"low": "The number of vulnerabilities with criticality low."
}
}
List the user's vulnerabilities.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "vulnerabilities@list",
"params": {
"asset_id": "An optional asset id.",
"asset": "An optional asset as a domain or an IP address. (string|nullable|min:1|max:191|exists:am_assets,asset)",
"level": "An optional criticality level such as high, medium or low. (string|nullable|min:3|max:6|in:high,medium,low)",
"tld": "An optional asset TLD to match. (string|nullable)",
"tags": "An optional list of asset tags to match.",
"port_tags": "An optional list of port tags to match."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"high": "A list of vulnerabilities with critical severity.",
"medium": "A list of vulnerabilities with medium severity.",
"low": "A list of vulnerabilities with low severity."
}
}
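The pipe-separated constraint strings in the parameter descriptions above (for example `string|nullable|min:3|max:6|in:high,medium,low`) can be checked on the client before a request is sent. The following is an added example, not code from this API or its vendor. The function names are hypothetical, and the reading of `min`/`max` as string-length bounds and of a null value as acceptable unless `required` is present are assumptions.

```python
import json

# Constraint strings copied verbatim from the vulnerabilities@list descriptions.
VULN_LIST_RULES = {
    "asset": "string|nullable|min:1|max:191|exists:am_assets,asset",
    "level": "string|nullable|min:3|max:6|in:high,medium,low",
    "tld": "string|nullable",
}
# Every parameter name the method documents; anything else is rejected.
VULN_LIST_PARAMS = {"asset_id", "asset", "level", "tld", "tags", "port_tags"}


def violations(field, value, rule_string):
    """Check one value against one pipe-separated constraint string."""
    rules = [rule.partition(":") for rule in rule_string.split("|")]
    if value is None:
        # Assumption: a missing/null value is only an error under "required".
        required = any(name == "required" for name, _, _ in rules)
        return [f"{field}: required"] if required else []
    errors = []
    for name, _, arg in rules:
        if name == "string" and not isinstance(value, str):
            errors.append(f"{field}: must be a string")
        elif name == "boolean" and not isinstance(value, bool):
            errors.append(f"{field}: must be a boolean")
        elif name in ("min", "max") and isinstance(value, str):
            # Assumption: min/max bound the string length.
            too_short = name == "min" and len(value) < int(arg)
            too_long = name == "max" and len(value) > int(arg)
            if too_short or too_long:
                errors.append(f"{field}: length violates {name}:{arg}")
        elif name == "in" and value not in arg.split(","):
            errors.append(f"{field}: not one of {arg}")
        # "exists:" needs the server's data, so it is left to the API.
    return errors


def build_vulnerabilities_list(params, request_id=1):
    """Return the JSON-RPC request body, or raise ValueError listing problems."""
    errors = [f"{key}: unknown parameter" for key in sorted(set(params) - VULN_LIST_PARAMS)]
    for field, rule_string in VULN_LIST_RULES.items():
        errors += violations(field, params.get(field), rule_string)
    if errors:
        raise ValueError("; ".join(errors))
    return json.dumps({"jsonrpc": "2.0", "id": request_id,
                       "method": "vulnerabilities@list", "params": params})
```

Rejecting unknown parameter names locally catches typos such as `severity` for `level`, which could otherwise be sent as an unfiltered request.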
Hide/Show one or more vulnerabilities.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "vulnerabilities@toggleVisibility",
"params": {
"uid": "The vulnerability unique identifier (optional).",
"type": "The vulnerability type (optional).",
"title": "The vulnerability title (optional)."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"msg": "A success message."
}
}
Flag a given vulnerability as resolved and trigger a new scan.
Request:
{
"jsonrpc": "2.0",
"id": 1,
"method": "vulnerabilities@markAsResolved",
"params": {
"vulnerability_id": "The vulnerability id."
}
}
Response:
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"msg": "A success message."
}
}