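# kics-scan ignore
# NOTE(review): the directive above excludes this whole file from KICS
# scanning, so no OpenAPI security query is evaluated against these schemas.
# If only specific findings are accepted, a targeted
# `# kics-scan disable=<query-id>` keeps the remaining checks active.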
components:
  schemas:
    # Request body for the bulk-delete-collections endpoint: a single required
    # array of collection UUIDs.
    BulkDeleteCollectionsRequest:
      description: Request serializer for bulk delete collections endpoint.
      properties:
        # NOTE(review): minItems is set but there is no maxItems or
        # uniqueItems, so the schema puts no upper bound on how many
        # collections one destructive request may name. Confirm the server
        # enforces a cap and authorizes the caller for every ID in the list.
        collection_ids:
          description: List of collection UUIDs to delete
          items:
            format: uuid
            type: string
          minItems: 1
          type: array
      required:
        - collection_ids
      type: object
    # Response body for bulk delete: only a count is returned.
    # NOTE(review): the body does not say which requested IDs were deleted, so
    # a caller cannot distinguish not-found from not-permitted IDs here;
    # confirm how partial failures are reported and audited.
    BulkDeleteCollectionsResponse:
      properties:
        deleted_count:
          description: Number of collections successfully deleted
          type: integer
      required:
        - deleted_count
      type: object
    # Closed set of two cancellation reasons; referenced by
    # InvestigationFull.canceled.
    CanceledEnum:
      description: '* `CANCEL_MANUAL` - CANCEL_MANUAL

        * `CANCEL_THRESHOLD` - CANCEL_THRESHOLD'
      enum:
        - CANCEL_MANUAL
        - CANCEL_THRESHOLD
      type: string
    # One chat query with its request text, requesting user, response text and
    # the Interview it belongs to.
    ChatQueryNested:
      properties:
        chat_session:
          format: uuid
          nullable: true
          type: string
        created_at:
          format: date-time
          readOnly: true
          type: string
        id:
          readOnly: true
          type: integer
        interview:
          $ref: '#/components/schemas/Interview'
        progress_message:
          type: string
        progress_timestamp:
          format: double
          nullable: true
          type: number
        # Empty schema: any JSON value validates, so consumers get no shape
        # guarantee for this field from the spec.
        request_files: {}
        # NOTE(review): free text with no maxLength; confirm a server-side
        # size limit exists.
        request_text:
          type: string
        # Embeds the whole CustomUser object (email, oidc_user_id, role), so
        # every reader of a chat query also receives those user attributes.
        request_user:
          $ref: '#/components/schemas/CustomUser'
        # No type declared: any JSON value (or null) validates.
        response_citations:
          nullable: true
        response_text:
          nullable: true
          type: string
        updated_at:
          format: date-time
          readOnly: true
          type: string
      required:
        - created_at
        - id
        - interview
        - request_text
        - request_user
        - updated_at
      type: object
    # A custom instruction: free-text content plus read-only bookkeeping
    # (origin UUID, strategy versions that use it, usage count).
    CustomInstruction:
      properties:
        # NOTE(review): no maxLength is declared; confirm the server bounds
        # the size of this text.
        content:
          type: string
        created_at:
          format: date-time
          readOnly: true
          type: string
        # NOTE(review): id is not readOnly here, unlike in most sibling
        # schemas, so a client may send it. Presumably it selects an existing
        # row in a nested write; confirm the server checks that the caller
        # may reference that id.
        id:
          type: integer
        internal_origin_uuid:
          format: uuid
          nullable: true
          readOnly: true
          type: string
        strategy_versions:
          items:
            type: integer
          readOnly: true
          type: array
        usage_count:
          readOnly: true
          type: integer
      required:
        - content
        - created_at
        - internal_origin_uuid
        - strategy_versions
        - usage_count
      type: object
    # A custom outcome rule: a condition mapped to one of the
    # CustomOutcomeOutcomeEnum values, plus read-only bookkeeping.
    CustomOutcome:
      properties:
        conclusions_affected:
          readOnly: true
          type: integer
        # Required, but declared as an empty schema: any JSON value validates.
        # NOTE(review): the structure of a condition is not described here, so
        # all validation of it has to happen server-side.
        condition: {}
        created_at:
          format: date-time
          readOnly: true
          type: string
        # NOTE(review): writable id (no readOnly); confirm the server checks
        # that the caller may reference the row it names.
        id:
          type: integer
        internal_origin_uuid:
          format: uuid
          nullable: true
          readOnly: true
          type: string
        outcome:
          $ref: '#/components/schemas/CustomOutcomeOutcomeEnum'
        strategy_versions:
          items:
            type: integer
          readOnly: true
          type: array
      required:
        - conclusions_affected
        - condition
        - created_at
        - internal_origin_uuid
        - outcome
        - strategy_versions
      type: object
    # The three COMPLETED_* outcomes a CustomOutcome may assign. This is a
    # subset of OutcomesEnum, which also lists INCOMPLETE and IGNORED.
    CustomOutcomeOutcomeEnum:
      description: '* `COMPLETED_BREACHED_CONFIRMED` - COMPLETED_BREACHED_CONFIRMED

        * `COMPLETED_BREACHED_SUSPICIOUS` - COMPLETED_BREACHED_SUSPICIOUS

        * `COMPLETED_FALSE_ALERT` - COMPLETED_FALSE_ALERT'
      enum:
        - COMPLETED_BREACHED_CONFIRMED
        - COMPLETED_BREACHED_SUSPICIOUS
        - COMPLETED_FALSE_ALERT
      type: string
    # A custom priority rule: assigns a PriorityEnum value for a set of
    # outcomes, optionally narrowed by an insight-tag rule, with a ranking.
    CustomPriority:
      properties:
        created_at:
          format: date-time
          readOnly: true
          type: string
        # NOTE(review): writable id (no readOnly); confirm the server checks
        # that the caller may reference the row it names.
        id:
          type: integer
        # No type declared: any JSON value (or null) validates, so the rule
        # format is not enforced by this schema.
        insight_tag_rule:
          nullable: true
        internal_origin_uuid:
          format: uuid
          nullable: true
          readOnly: true
          type: string
        outcomes:
          items:
            $ref: '#/components/schemas/OutcomesEnum'
          minItems: 1
          type: array
        priorities_affected:
          readOnly: true
          type: integer
        priority:
          $ref: '#/components/schemas/PriorityEnum'
        # Bounded to 1..2147483647, the signed 32-bit maximum.
        ranking:
          maximum: 2147483647
          minimum: 1
          type: integer
        strategy_versions:
          items:
            type: integer
          readOnly: true
          type: array
      required:
        - created_at
        - internal_origin_uuid
        - priorities_affected
        - priority
        - strategy_versions
      type: object
    # User details passed to the front end. Embedded by reference in
    # ChatQueryNested.request_user and InvestigationNoteNested.user, so these
    # fields are visible to anyone who can read those objects.
    # NOTE(review): only id is readOnly. email, role and oidc_user_id are
    # declared writable; if this schema is ever accepted as a request body,
    # confirm the server ignores or authorizes changes to role and
    # oidc_user_id.
    CustomUser:
      description: 'Basic serializer to pass CustomUser details to the front end.

        Extend with any fields your app needs.'
      properties:
        email:
          format: email
          maxLength: 254
          title: Email address
          type: string
        first_name:
          maxLength: 150
          type: string
        id:
          readOnly: true
          type: integer
        last_name:
          maxLength: 150
          type: string
        # NOTE(review): identity-provider subject identifier returned to the
        # client; confirm the front end needs it.
        oidc_user_id:
          nullable: true
          type: string
        role:
          $ref: '#/components/schemas/RoleEnum'
      required:
        - id
      type: object
    # A piece of evidence data attached to an investigation.
    EvidenceData:
      properties:
        created_at:
          format: date-time
          readOnly: true
          type: string
        # NOTE(review): opaque string with no maxLength or format; consumers
        # should treat the content as untrusted when rendering or parsing it.
        data:
          type: string
        id:
          readOnly: true
          type: integer
        # Integer reference; presumably the id of the owning investigation.
        # Confirm the server checks the caller's access to that
        # investigation on write.
        investigation:
          type: integer
        updated_at:
          format: date-time
          readOnly: true
          type: string
      required:
        - created_at
        - data
        - id
        - investigation
        - updated_at
      type: object
    # Kind of uploaded import file; referenced by ImportResult.file_type.
    FileTypeEnum:
      description: '* `single_file` - single_file

        * `archive` - archive'
      enum:
        - single_file
        - archive
      type: string
    # A strategy merged with one of its versions. Nearly every field is
    # readOnly; the fields a client may send are alert_sources,
    # attack_surfaces, mitre_tactics and scenario.
    FullCustomStrategy:
      description: A serializer for a combined strategy and one of its versions.
      properties:
        # Free-form strings: no enum, maxItems or maxLength is declared for
        # alert_sources, attack_surfaces or mitre_tactics.
        alert_sources:
          items:
            type: string
          type: array
        attack_surfaces:
          items:
            type: string
          type: array
        created_at:
          format: date-time
          readOnly: true
          type: string
        id:
          readOnly: true
          type: integer
        instructions:
          items:
            $ref: '#/components/schemas/CustomInstruction'
          readOnly: true
          type: array
        internal_origin_uuid:
          format: uuid
          readOnly: true
          type: string
        is_archived:
          readOnly: true
          type: boolean
        is_enabled:
          readOnly: true
          type: boolean
        is_latest:
          readOnly: true
          type: boolean
        # Read-only flag; what "protected" restricts is not stated in this
        # schema.
        is_protected:
          readOnly: true
          type: boolean
        mitre_tactics:
          items:
            type: string
          type: array
        outcomes:
          items:
            $ref: '#/components/schemas/CustomOutcome'
          readOnly: true
          type: array
        priorities:
          items:
            $ref: '#/components/schemas/CustomPriority'
          readOnly: true
          type: array
        rationale:
          nullable: true
          readOnly: true
          type: string
        scenario:
          nullable: true
          type: string
        title:
          readOnly: true
          type: string
        toggle_guidance:
          nullable: true
          readOnly: true
          type: string
        total_conclusions_affected:
          readOnly: true
          type: integer
        total_instructions_used:
          readOnly: true
          type: integer
        total_priorities_affected:
          readOnly: true
          type: integer
        updated_at:
          format: date-time
          readOnly: true
          type: string
        version_id:
          readOnly: true
          type: integer
      required:
        - created_at
        - id
        - instructions
        - internal_origin_uuid
        - is_archived
        - is_enabled
        - is_latest
        - is_protected
        - outcomes
        - priorities
        - rationale
        - title
        - toggle_guidance
        - total_conclusions_affected
        - total_instructions_used
        - total_priorities_affected
        - updated_at
        - version_id
      type: object
    # Result of a threat-intelligence import: per-category object counts,
    # per-file outcome lists and metadata about the uploaded file.
    # NOTE(review): file_name, files_errored, files_parsed and files_skipped
    # echo file names that presumably come from the upload itself; consumers
    # should treat them as untrusted text when displaying or logging them.
    ImportResult:
      description: Serializer for ImportResult dataclass from threat intelligence
        imports
      properties:
        # NOTE(review): described as a UUID but declared as a plain string;
        # BulkDeleteCollectionsRequest.collection_ids uses `format: uuid` for
        # the same kind of identifier.
        collection_id:
          description: UUID of the collection
          nullable: true
          type: string
        collection_name:
          description: Name of the collection
          nullable: true
          type: string
        domain_objects:
          allOf:
            - $ref: '#/components/schemas/ObjectCounts'
          description: Domain object counts
        error_count:
          description: Total number of errors
          readOnly: true
          type: integer
        # NOTE(review): no pattern or length constraint is declared, so the
        # schema does not guarantee a 64-hex-character digest.
        file_hash:
          description: SHA-256 hash of the uploaded file
          nullable: true
          type: string
        file_name:
          description: Name of the uploaded file
          nullable: true
          type: string
        file_type:
          description: 'Type of file processed


            * `single_file` - single_file

            * `archive` - archive'
          nullable: true
          oneOf:
            - $ref: '#/components/schemas/FileTypeEnum'
            - $ref: '#/components/schemas/NullEnum'
        files_errored:
          description: List of filenames that had errors (empty for single files)
          items:
            type: string
          type: array
        files_failed:
          description: Number of files that failed (0 for single files)
          type: integer
        files_parsed:
          description: List of filenames that were successfully parsed (empty for
            single files)
          items:
            type: string
          type: array
        files_processed:
          description: Number of files processed (0 for single files)
          type: integer
        # The description promises 'filename' and 'reason' keys, but the item
        # schema allows arbitrary properties and enforces neither.
        files_skipped:
          description: List of skipped files with reasons. Each entry has 'filename'
            and 'reason' keys. (empty for single files)
          items:
            additionalProperties: {}
            type: object
          type: array
        files_succeeded:
          description: Number of files that succeeded (0 for single files)
          type: integer
        indicators:
          allOf:
            - $ref: '#/components/schemas/ObjectCounts'
          description: Indicator counts
        relationships:
          allOf:
            - $ref: '#/components/schemas/ObjectCounts'
          description: Relationship counts
        sightings:
          allOf:
            - $ref: '#/components/schemas/ObjectCounts'
          description: Sighting counts
        total_objects:
          description: Total STIX objects processed
          type: integer
      required:
        - domain_objects
        - error_count
        - files_errored
        - files_failed
        - files_parsed
        - files_processed
        - files_skipped
        - files_succeeded
        - indicators
        - relationships
        - sightings
        - total_objects
      type: object
    # Read-only blueprint of one integration type, including the JSON Schema
    # that its configuration must satisfy. Every property is readOnly and
    # required.
    IntegrationDefinitionSerializerToCustomer:
      description: 'Serializer for integration definitions/types in customer API.

        Used for GET /api/v1/system/integration-definitions.


        Returns the blueprint for each integration type including its configuration
        schema.

        Use this to discover what integrations are available and what config fields
        they require.'
      properties:
        allows_multi_slot:
          description: Whether multiple instances of this integration can be configured
            (e.g., multiple AWS accounts)
          readOnly: true
          type: boolean
        categories:
          description: Categories (e.g., ['EDR'], ['Identity'])
          items:
            type: string
          readOnly: true
          type: array
        # No type declared: the embedded JSON Schema is opaque to this spec.
        config_schema:
          description: JSON Schema defining required and optional configuration fields
            for this integration
          readOnly: true
        # The three allowed values appear only in the description; the schema
        # declares a plain string, not an enum. The same holds for group and
        # has_scanner below.
        connector_support:
          description: 'Connector requirement: ''no_connector'', ''optional_connector'',
            or ''required_connector'''
          readOnly: true
          type: string
        description:
          description: Description of the integration's capabilities
          nullable: true
          readOnly: true
          type: string
        display_name:
          description: Human-readable integration name
          readOnly: true
          type: string
        # NOTE(review): plain string without `format: uri`; a client that
        # renders this as a link should check the URL scheme first.
        docs_url:
          description: URL to integration documentation
          nullable: true
          readOnly: true
          type: string
        dz_provided:
          description: Whether this integration type can be Dropzone-provided (configured
            with Dropzone-managed keys)
          readOnly: true
          type: boolean
        group:
          description: 'Integration group: ''cloud'', ''prem'', or ''saas'''
          readOnly: true
          type: string
        has_scanner:
          description: 'Scanner capability: ''no_scan'', ''optional_scan'', or ''required_scan'''
          readOnly: true
          type: string
        slug:
          description: Unique slug for the integration (e.g., 'crowdstrike')
          readOnly: true
          type: string
      required:
        - allows_multi_slot
        - categories
        - config_schema
        - connector_support
        - description
        - display_name
        - docs_url
        - dz_provided
        - group
        - has_scanner
        - slug
      type: object
    # Request body for creating an integration instance. Only config_data is
    # required.
    IntegrationInstanceSerializerToCustomerCreate:
      description: 'Serializer for creating integration instances via customer API.

        Used for POST /api/v1/integrations/{slug}.'
      properties:
        # No type declared, so any JSON value validates at the spec level and
        # conformance to the integration's config_schema has to be enforced
        # server-side.
        # NOTE(review): presumably carries the integration's credentials (the
        # full read schema describes passwords in config_data as masked);
        # confirm request bodies for this endpoint are kept out of logs.
        config_data:
          description: Configuration data matching the integration's config_schema.
            Include all required fields.
        connector_slug:
          description: (Optional) Connector slug for on-premises integrations requiring
            a connector. Only needed if the integration requires a connector.
          nullable: true
          type: string
        is_enabled:
          default: true
          description: 'Whether to enable the integration immediately (default: true)'
          type: boolean
        # NOTE(review): caller-supplied tenant scope; confirm the server
        # verifies the caller is authorized for the named tenant union.
        tenant_union_id:
          description: (Optional) Tenant union ID for multi-tenant integrations. Only
            use if you need separate integration configs per tenant union.
          nullable: true
          type: integer
      required:
        - config_data
      type: object
    # List-view representation of an integration instance. It has no
    # config_data property; every property is readOnly and required.
    IntegrationInstanceSerializerToCustomerLight:
      description: 'Lightweight serializer for listing integration instances in customer
        API.

        Does NOT include config_data - use GET /api/v1/integrations/{slug}/{uuid}
        for full details.'
      properties:
        categories:
          description: Categories this integration belongs to (e.g., ['EDR'])
          items:
            type: string
          readOnly: true
          type: array
        created_at:
          description: When this integration instance was created
          format: date-time
          readOnly: true
          type: string
        description:
          description: Description of the integration
          nullable: true
          readOnly: true
          type: string
        display_name:
          description: Human-readable name of the integration
          readOnly: true
          type: string
        dz_provided:
          description: Whether this is a Dropzone-provided integration (vs customer-configured)
          readOnly: true
          type: boolean
        # Nullable here, but not nullable in the definition and full schemas.
        group:
          description: 'Integration group: ''cloud'', ''prem'', or ''saas'''
          nullable: true
          readOnly: true
          type: string
        is_enabled:
          description: Whether the integration is enabled
          readOnly: true
          type: boolean
        slot_uuid:
          description: Unique identifier for this specific instance
          format: uuid
          readOnly: true
          type: string
        slug:
          description: Unique slug for the integration type (e.g., 'crowdstrike',
            'aws')
          readOnly: true
          type: string
        # Allowed values are listed only in the description; the schema
        # declares a plain string, not an enum.
        status:
          description: 'Connection status: ''connected'', ''disconnected'', ''error'',
            ''pending'', ''disabled'', or ''never_connected'''
          readOnly: true
          type: string
        tenant_union:
          allOf:
            - $ref: '#/components/schemas/TenantUnion'
          description: Tenant union for this integration instance (if applicable)
          nullable: true
          readOnly: true
        updated_at:
          description: When this integration instance was last updated
          format: date-time
          readOnly: true
          type: string
      required:
        - categories
        - created_at
        - description
        - display_name
        - dz_provided
        - group
        - is_enabled
        - slot_uuid
        - slug
        - status
        - tenant_union
        - updated_at
      type: object
    # Request body for testing a configuration without saving it.
    IntegrationInstanceSerializerToCustomerTest:
      description: 'Serializer for testing integration configuration via customer
        API.

        Used for POST /api/v1/integrations/{slug}/test.'
      properties:
        # No type declared: any JSON value validates at the spec level.
        # NOTE(review): presumably the server attempts a connection using
        # these caller-supplied values. If a configuration can contain
        # hostnames or URLs, confirm outbound destinations are restricted and
        # the test endpoint is rate-limited.
        config_data:
          description: Configuration data to test (does not modify the saved configuration)
        connector_slug:
          description: (Optional) Connector slug to use for testing. Only needed if
            testing integrations that require a connector.
          nullable: true
          type: string
        # NOTE(review): caller-supplied tenant scope; confirm the server
        # verifies the caller is authorized for the named tenant union.
        tenant_union_id:
          description: (Optional) Tenant union ID to use for testing. Only use if
            testing multi-tenant integration configs.
          nullable: true
          type: integer
      required:
        - config_data
      type: object
    # Envelope for a list of integration instances in their lightweight form,
    # which has no config_data property.
    IntegrationInstancesListResponse:
      properties:
        instances:
          items:
            $ref: '#/components/schemas/IntegrationInstanceSerializerToCustomerLight'
          type: array
      required:
        - instances
      type: object
    # Full read representation of one integration instance, including its
    # configuration data. Every property is readOnly and required.
    IntegrationSlotSerializerToCustomerFull:
      description: 'Full serializer for integration instances in customer API.

        Used for GET /api/v1/integrations/{slug}/{uuid} - includes config_data.


        This returns complete details including configuration data (with passwords
        masked).

        For listing many instances without config, use GET /api/v1/integrations/{slug}
        instead.'
      properties:
        allows_multi_slot:
          description: Whether multiple instances can be configured
          readOnly: true
          type: boolean
        categories:
          description: Categories (e.g., ['EDR'])
          items:
            type: string
          readOnly: true
          type: array
        # No type declared: the shape depends on the integration.
        # NOTE(review): the description mentions masking for passwords only.
        # Confirm that API keys, tokens, client secrets and private keys are
        # masked as well, and that the update path does not store a
        # round-tripped mask string as the new secret.
        config_data:
          description: Configuration data for this integration instance (passwords
            are masked with asterisks)
          nullable: true
          readOnly: true
        config_schema:
          description: JSON Schema for configuration fields - describes what config_data
            should contain
          nullable: true
          readOnly: true
        connector_support:
          description: Connector requirement level for this integration
          readOnly: true
          type: string
        created_at:
          description: When this integration instance was created
          format: date-time
          readOnly: true
          type: string
        description:
          description: Integration description
          nullable: true
          readOnly: true
          type: string
        display_name:
          description: Human-readable integration name
          readOnly: true
          type: string
        # NOTE(review): plain string without `format: uri`; a client that
        # renders this as a link should check the URL scheme first.
        docs_url:
          description: URL to integration documentation
          nullable: true
          readOnly: true
          type: string
        dz_provided:
          description: Whether this is a Dropzone-managed integration (vs customer-configured)
          readOnly: true
          type: boolean
        group:
          description: 'Integration group: ''cloud'', ''prem'', or ''saas'''
          readOnly: true
          type: string
        has_scanner:
          description: Scanner capability level for this integration
          readOnly: true
          type: string
        is_enabled:
          description: Whether the integration is enabled
          readOnly: true
          type: boolean
        # Provider-side identifiers exposed to the customer. Items allow
        # arbitrary properties, so the spec does not limit what is returned.
        # NOTE(review): confirm the server allow-lists the keys placed here.
        private_public_data:
          description: Dropzone-provided configuration data (ARNs, service account
            emails, etc.) that customers need but cannot modify
          items:
            additionalProperties: {}
            type: object
          nullable: true
          readOnly: true
          type: array
        slot_uuid:
          description: Unique identifier for this specific instance
          format: uuid
          readOnly: true
          type: string
        slug:
          description: Integration type slug (e.g., 'crowdstrike')
          readOnly: true
          type: string
        status:
          description: 'Connection status: ''connected'', ''disconnected'', ''error'',
            ''pending'', etc.'
          readOnly: true
          type: string
        tenant_union:
          allOf:
            - $ref: '#/components/schemas/TenantUnion'
          description: Tenant union for this integration instance (if applicable)
          nullable: true
          readOnly: true
        updated_at:
          description: When this integration instance was last updated
          format: date-time
          readOnly: true
          type: string
      required:
        - allows_multi_slot
        - categories
        - config_data
        - config_schema
        - connector_support
        - created_at
        - description
        - display_name
        - docs_url
        - dz_provided
        - group
        - has_scanner
        - is_enabled
        - private_public_data
        - slot_uuid
        - slug
        - status
        - tenant_union
        - updated_at
      type: object
    # Envelope for a list of integration type definitions.
    IntegrationTypesListResponse:
      properties:
        integrations:
          items:
            $ref: '#/components/schemas/IntegrationDefinitionSerializerToCustomer'
          type: array
      required:
        - integrations
      type: object
    # An interview record: the question asked, the interviewee's e-mail, the
    # status, a summary and the chat history.
    Interview:
      properties:
        auto_approved:
          type: boolean
        # Empty schema: any JSON value validates.
        chat_history: {}
        communicator:
          nullable: true
          type: string
        completed_at:
          format: date-time
          nullable: true
          type: string
        context:
          nullable: true
          type: string
        created_at:
          format: date-time
          readOnly: true
          type: string
        error_msg:
          nullable: true
          type: string
        id:
          readOnly: true
          type: integer
        # NOTE(review): plain string with no `format: email` or maxLength,
        # unlike CustomUser.email; the address is not validated at the spec
        # level.
        interviewee_email:
          type: string
        investigation:
          nullable: true
          type: integer
        question:
          type: string
        started_at:
          format: date-time
          nullable: true
          readOnly: true
          type: string
        status:
          $ref: '#/components/schemas/InterviewStatusEnum'
        summary:
          type: string
        updated_at:
          format: date-time
          readOnly: true
          type: string
      required:
        - created_at
        - id
        - interviewee_email
        - question
        - started_at
        - summary
        - updated_at
      type: object
    # Status values for an Interview (nine values).
    InterviewStatusEnum:
      description: '* `pending` - pending

        * `approved` - approved

        * `active` - active

        * `finished` - finished

        * `finished_with_referral` - finished_with_referral

        * `declined` - declined

        * `failed` - failed

        * `timed_out` - timed_out

        * `canceled` - canceled'
      enum:
        - pending
        - approved
        - active
        - finished
        - finished_with_referral
        - declined
        - failed
        - timed_out
        - canceled
      type: string
    # An investigation in either its full or its lightweight form.
    # NOTE(review): oneOf demands that exactly one branch match, but every
    # property of InvestigationLight also exists in InvestigationFull,
    # Light's required list is a subset of Full's, and neither schema sets
    # `additionalProperties: false`. A valid Full payload therefore matches
    # both branches and fails strict oneOf validation. With no discriminator,
    # `anyOf` may describe the intent better.
    Investigation:
      oneOf:
        - $ref: '#/components/schemas/InvestigationFull'
        - $ref: '#/components/schemas/InvestigationLight'
    # Full investigation record: the alert, feedback, findings, outcome,
    # priority, remediation runs and summaries.
    # findings, findings_ranking, insight_tags, interview_proposals,
    # key_findings and recommended_remediations are empty schemas, and
    # related_alert_hypothesis declares no type, so any JSON value validates
    # for them.
    # NOTE(review): these fields presumably carry content derived from alert
    # data; consumers should treat them as untrusted when rendering.
    InvestigationFull:
      properties:
        alert:
          $ref: '#/components/schemas/ScriptVarSerializer_Alert'
        alert_summary:
          nullable: true
          type: string
        attack_surface:
          nullable: true
          type: string
        canceled:
          nullable: true
          oneOf:
            - $ref: '#/components/schemas/CanceledEnum'
            - $ref: '#/components/schemas/NullEnum'
        conclusion:
          readOnly: true
          type: string
        conclusion_summary:
          nullable: true
          type: string
        created_at:
          format: date-time
          readOnly: true
          type: string
        # Object with arbitrary properties; unlike the CustomOutcome schema,
        # no structure is declared here.
        custom_outcome:
          additionalProperties: {}
          nullable: true
          readOnly: true
          type: object
        error_msg:
          nullable: true
          type: string
        exec_summary:
          nullable: true
          type: string
        feedback:
          $ref: '#/components/schemas/ScriptVarSerializer_InvestigationFeedback'
        findings: {}
        findings_ranking: {}
        generated_time:
          format: date-time
          nullable: true
          type: string
        id:
          readOnly: true
          type: integer
        ignored_for_investigation_id:
          nullable: true
          readOnly: true
          type: integer
        insight_tags: {}
        interview_proposals: {}
        # Plain string without `format: uri`.
        inv_url:
          readOnly: true
          type: string
        key_findings: {}
        mitre_tactic:
          nullable: true
          type: string
        outcome:
          nullable: true
          oneOf:
            - $ref: '#/components/schemas/Outcome982Enum'
            - $ref: '#/components/schemas/NullEnum'
        priority:
          nullable: true
          oneOf:
            - $ref: '#/components/schemas/PriorityEnum'
            - $ref: '#/components/schemas/NullEnum'
        recommended_remediations: {}
        related_alert_hypothesis:
          nullable: true
        remediation_action_runs:
          items:
            $ref: '#/components/schemas/ScriptVarSerializer_RemediationActionRun'
          readOnly: true
          type: array
        start_time:
          format: date-time
          nullable: true
          type: string
        status:
          $ref: '#/components/schemas/StatusE6aEnum'
        updated_at:
          format: date-time
          readOnly: true
          type: string
      required:
        - alert
        - conclusion
        - created_at
        - custom_outcome
        - feedback
        - id
        - ignored_for_investigation_id
        - inv_url
        - remediation_action_runs
        - updated_at
      type: object
    # Lightweight investigation record without the alert, feedback and
    # findings fields that InvestigationFull carries.
    # insight_tags, key_findings and recommended_remediations are empty
    # schemas, so any JSON value validates for them.
    InvestigationLight:
      description: 'A lightweight investigation serializer that only picks up certain
        fields.


        Notably, we exclude:

        - no alert

        - no feedback

        - no findings


        On the contrary, we *include* custom_outcome via annotation'
      properties:
        alert_summary:
          nullable: true
          type: string
        attack_surface:
          nullable: true
          type: string
        conclusion:
          readOnly: true
          type: string
        conclusion_summary:
          nullable: true
          type: string
        # Object with arbitrary properties; no structure is declared.
        custom_outcome:
          additionalProperties: {}
          nullable: true
          readOnly: true
          type: object
        error_msg:
          nullable: true
          type: string
        id:
          readOnly: true
          type: integer
        insight_tags: {}
        # Plain string without `format: uri`.
        inv_url:
          readOnly: true
          type: string
        key_findings: {}
        mitre_tactic:
          nullable: true
          type: string
        priority:
          nullable: true
          oneOf:
            - $ref: '#/components/schemas/PriorityEnum'
            - $ref: '#/components/schemas/NullEnum'
        recommended_remediations: {}
        status:
          $ref: '#/components/schemas/StatusE6aEnum'
      required:
        - conclusion
        - custom_outcome
        - id
        - inv_url
      type: object
    # A note attached to an investigation, with its author embedded.
    InvestigationNoteNested:
      properties:
        created_at:
          format: date-time
          readOnly: true
          type: string
        id:
          readOnly: true
          type: integer
        # Integer reference; presumably the id of the owning investigation.
        # Confirm the server checks the caller's access to it on write.
        investigation:
          type: integer
        # NOTE(review): free text with no maxLength, and not listed under
        # `required`; treat as untrusted user content when rendering.
        text:
          type: string
        updated_at:
          format: date-time
          readOnly: true
          type: string
        # Embeds the whole CustomUser object (email, oidc_user_id, role).
        # The schema is not readOnly here although it is required.
        # NOTE(review): confirm the author is taken from the authenticated
        # session and not from the request body.
        user:
          $ref: '#/components/schemas/CustomUser'
      required:
        - created_at
        - id
        - investigation
        - updated_at
        - user
      type: object
    # Limits on how many investigations may run per time window, overall and
    # per alert source. A value of 0 blocks investigations.
    # NOTE(review): setting max_invs to 0 stops all investigations, so write
    # access to this object should be limited to administrators and changes
    # audited. Confirm against the endpoint's permissions.
    InvestigationThreshold:
      properties:
        created_at:
          format: date-time
          readOnly: true
          type: string
        id:
          readOnly: true
          type: integer
        is_enabled:
          type: boolean
        # Map of alert-source name to a non-negative integer limit. The valid
        # keys are named only in the truncated description; the schema
        # accepts any key.
        max_by_alert_source:
          additionalProperties:
            minimum: 0
            type: integer
          description: 'Per-source limits (0 = block). Valid keys: [''Check Point'',
            ''Check Point Harmony Email & Collaboration'', ''Gem'', ''Panther'', ''CrowdStrike'']...'
          example:
            CrowdStrike: 50
          type: object
        # Lower bound only; no maximum is declared.
        max_invs:
          description: Maximum investigations per time window (0 = block all)
          minimum: 0
          type: integer
        time_unit:
          allOf:
            - $ref: '#/components/schemas/TimeUnitEnum'
          description: 'Valid: [''hour'', ''day'', ''week'', ''month'']


            * `hour` - hour

            * `day` - day

            * `week` - week

            * `month` - month'
        updated_at:
          format: date-time
          readOnly: true
          type: string
      required:
        - created_at
        - id
        - max_by_alert_source
        - max_invs
        - time_unit
        - updated_at
      type: object
    # Enum whose only member is null. Used as the second branch of `oneOf` on
    # nullable enum fields such as InvestigationFull.canceled and
    # ImportResult.file_type.
    NullEnum:
      enum:
        - null
    # Four required integer counters (created, found, skipped, updated); used
    # by ImportResult for each object category. No minimum is declared, so
    # the schema does not exclude negative values.
    ObjectCounts:
      description: Serializer for ObjectCounts dataclass
      properties:
        created:
          description: Number of objects created
          type: integer
        found:
          description: Number of objects found
          type: integer
        skipped:
          description: Number of objects skipped
          type: integer
        updated:
          description: Number of objects updated
          type: integer
      required:
        - created
        - found
        - skipped
        - updated
      type: object
    # Investigation outcome values; referenced by InvestigationFull.outcome.
    # NOTE(review): the value list is identical to OutcomesEnum, and the
    # hash-like suffix in the name looks auto-generated to resolve a naming
    # collision. If this spec comes from drf-spectacular, an
    # ENUM_NAME_OVERRIDES entry would give both uses one stable name.
    Outcome982Enum:
      description: '* `COMPLETED_BREACHED_CONFIRMED` - COMPLETED_BREACHED_CONFIRMED

        * `COMPLETED_BREACHED_SUSPICIOUS` - COMPLETED_BREACHED_SUSPICIOUS

        * `COMPLETED_FALSE_ALERT` - COMPLETED_FALSE_ALERT

        * `INCOMPLETE` - INCOMPLETE

        * `IGNORED` - IGNORED'
      enum:
        - COMPLETED_BREACHED_CONFIRMED
        - COMPLETED_BREACHED_SUSPICIOUS
        - COMPLETED_FALSE_ALERT
        - INCOMPLETE
        - IGNORED
      type: string
    OutcomesEnum:
      description: '* `COMPLETED_BREACHED_CONFIRMED` - COMPLETED_BREACHED_CONFIRMED

        * `COMPLETED_BREACHED_SUSPICIOUS` - COMPLETED_BREACHED_SUSPICIOUS

        * `COMPLETED_FALSE_ALERT` - COMPLETED_FALSE_ALERT

        * `INCOMPLETE` - INCOMPLETE

        * `IGNORED` - IGNORED'
      enum:
        - COMPLETED_BREACHED_CONFIRMED
        - COMPLETED_BREACHED_SUSPICIOUS
        - COMPLETED_FALSE_ALERT
        - INCOMPLETE
        - IGNORED
      type: string
    PaginatedInvestigationList:
      properties:
        count:
          description: Total number of investigations
          type: integer
        next:
          description: URL to next page of results
          format: uri
          nullable: true
          type: string
        previous:
          description: URL to previous page of results
          format: uri
          nullable: true
          type: string
        results:
          items:
            $ref: '#/components/schemas/Investigation'
          type: array
      required:
        - count
        - next
        - previous
        - results
      type: object
    # Partial-update body for an integration instance. No `required` list is
    # declared, so every property is optional.
    PatchedIntegrationInstanceSerializerToCustomerUpdate:
      description: 'Serializer for updating integration instances via customer API.

        Used for PATCH /api/v1/integrations/{slug}/{uuid}.'
      properties:
        # No `type` is declared, so this schema accepts any JSON value; the
        # check against config_schema mentioned in the description has to
        # happen server-side.
        # NOTE(review): presumably this carries integration credentials --
        # confirm, and make sure it is neither logged nor echoed back.
        config_data:
          description: New configuration data (must include all required fields from
            config_schema)
        connector_slug:
          description: (Optional) Update the connector for this integration. Only
            needed if the integration requires a connector.
          nullable: true
          type: string
        is_enabled:
          description: Enable or disable the integration
          type: boolean
        # Moves the integration to another tenant union.
        # NOTE(review): the server should verify that the caller is allowed to
        # act on the target tenant union; the schema cannot express that.
        tenant_union_id:
          description: (Optional) Update the tenant union for this integration. Only
            use if you need separate integration configs per tenant union.
          nullable: true
          type: integer
      type: object
    # Request body for partial updates of the investigation threshold. No
    # `required` list is declared, so every property is optional; created_at,
    # id and updated_at are readOnly and therefore response-only.
    PatchedInvestigationThreshold:
      properties:
        created_at:
          format: date-time
          readOnly: true
          type: string
        id:
          readOnly: true
          type: integer
        is_enabled:
          type: boolean
        # Map of alert-source label -> limit. additionalProperties constrains
        # only the values (integer >= 0); the keys are not restricted by this
        # schema, and the key list in the description ends in "..." so it is
        # not exhaustive. Unknown keys can only be rejected server-side.
        max_by_alert_source:
          additionalProperties:
            minimum: 0
            type: integer
          description: 'Per-source limits (0 = block). Valid keys: [''Check Point'',
            ''Check Point Harmony Email & Collaboration'', ''Gem'', ''Panther'', ''CrowdStrike'']...'
          example:
            CrowdStrike: 50
          type: object
        # 0 is accepted (minimum: 0) and means "block all". The PATCH operation
        # description in this file says "positive int" for this field.
        # NOTE(review): confirm which of the two the server enforces. Because 0
        # stops new investigations, writes to this object are worth
        # audit-logging and alerting on.
        max_invs:
          description: Maximum investigations per time window (0 = block all)
          minimum: 0
          type: integer
        time_unit:
          allOf:
            - $ref: '#/components/schemas/TimeUnitEnum'
          description: 'Valid: [''hour'', ''day'', ''week'', ''month'']


            * `hour` - hour

            * `day` - day

            * `week` - week

            * `month` - month'
        updated_at:
          format: date-time
          readOnly: true
          type: string
      type: object
    PriorityEnum:
      description: '* `informational` - Informational

        * `notable` - Notable

        * `urgent` - Urgent'
      enum:
        - informational
        - notable
        - urgent
      type: string
    ResponseScript:
      properties:
        created_at:
          format: date-time
          readOnly: true
          type: string
        display_name:
          type: string
        id:
          readOnly: true
          type: integer
        is_archived:
          type: boolean
        is_enabled:
          type: boolean
        is_imported:
          type: boolean
        trigger_def:
          format: uuid
          type: string
        updated_at:
          format: date-time
          readOnly: true
          type: string
      required:
        - created_at
        - display_name
        - id
        - trigger_def
        - updated_at
      type: object
    # One run of a response script: links the script, the script version and
    # the trigger run, and carries a status plus three nullable text fields.
    ResponseScriptRunSerializerForUI:
      properties:
        created_at:
          format: date-time
          readOnly: true
          type: string
        id:
          readOnly: true
          type: integer
        script:
          $ref: '#/components/schemas/ResponseScript'
        script_version:
          $ref: '#/components/schemas/ResponseScriptVersionSerializerForUI'
        status:
          $ref: '#/components/schemas/ResponseScriptRunSerializerForUIStatusEnum'
        # stderr, stdout and syserr are nullable strings with no maxLength and
        # are not marked readOnly.
        # NOTE(review): presumably these hold the captured output of the run.
        # If so, a script that prints a secret exposes it to every reader of
        # this object -- confirm whether output is redacted and size-capped
        # server-side.
        stderr:
          nullable: true
          type: string
        stdout:
          nullable: true
          type: string
        syserr:
          nullable: true
          type: string
        trigger_run:
          $ref: '#/components/schemas/ResponseTriggerRunSerializerForUI'
        updated_at:
          format: date-time
          readOnly: true
          type: string
      required:
        - created_at
        - id
        - script
        - script_version
        - status
        - trigger_run
        - updated_at
      type: object
    ResponseScriptRunSerializerForUIStatusEnum:
      description: '* `running` - running

        * `success` - success

        * `failed` - failed

        * `timed_out` - timed_out

        * `error` - error'
      enum:
        - running
        - success
        - failed
        - timed_out
        - error
      type: string
    # Secret made available to response scripts, as shown in the UI. The
    # description states that `value` is masked in this representation.
    ResponseScriptSecret:
      description: 'For UI: masks "value" field'
      properties:
        created_at:
          format: date-time
          readOnly: true
          type: string
        id:
          readOnly: true
          type: integer
        key:
          type: string
        last_modified_by:
          $ref: '#/components/schemas/CustomUser'
        updated_at:
          format: date-time
          readOnly: true
          type: string
        # readOnly and listed under `required`: the field is always present in
        # responses and cannot be set through this schema.
        # NOTE(review): confirm the masking is applied server-side before
        # serialization and that no other response schema returns the
        # unmasked value.
        value:
          readOnly: true
          type: string
      required:
        - created_at
        - id
        - key
        - last_modified_by
        - updated_at
        - value
      type: object
    ResponseScriptSerializerForUI:
      properties:
        created_at:
          format: date-time
          readOnly: true
          type: string
        display_name:
          type: string
        id:
          readOnly: true
          type: integer
        is_archived:
          type: boolean
        is_enabled:
          type: boolean
        is_imported:
          type: boolean
        trigger_def:
          $ref: '#/components/schemas/ResponseTriggerDef'
        updated_at:
          format: date-time
          readOnly: true
          type: string
      required:
        - created_at
        - display_name
        - id
        - trigger_def
        - updated_at
      type: object
    ResponseScriptVersionSerializerForUI:
      properties:
        author:
          $ref: '#/components/schemas/CustomUser'
        code:
          type: string
        created_at:
          format: date-time
          readOnly: true
          type: string
        id:
          readOnly: true
          type: integer
        script:
          type: integer
        updated_at:
          format: date-time
          readOnly: true
          type: string
        v_num:
          maximum: 2147483647
          minimum: -2147483648
          type: integer
      required:
        - author
        - created_at
        - id
        - script
        - updated_at
        - v_num
      type: object
    ResponseTriggerDef:
      properties:
        created_at:
          format: date-time
          readOnly: true
          type: string
        display_index:
          maximum: 2147483647
          minimum: -2147483648
          type: integer
        is_archived:
          type: boolean
        is_runnable:
          type: boolean
        is_scriptable:
          type: boolean
        parent:
          format: uuid
          nullable: true
          type: string
        script_var_names:
          items:
            type: string
          type: array
        trigger_arg_names:
          items:
            type: string
          type: array
        trigger_display_name:
          type: string
        trigger_fn_name:
          type: string
        trigger_tree_labels:
          items:
            type: string
          type: array
        updated_at:
          format: date-time
          readOnly: true
          type: string
        uuid:
          format: uuid
          readOnly: true
          type: string
      required:
        - created_at
        - trigger_display_name
        - trigger_fn_name
        - updated_at
        - uuid
      type: object
    ResponseTriggerRunSerializerForUI:
      properties:
        batch:
          nullable: true
          type: integer
        created_at:
          format: date-time
          readOnly: true
          type: string
        id:
          readOnly: true
          type: integer
        trigger_args: {}
        trigger_def:
          $ref: '#/components/schemas/ResponseTriggerDef'
        updated_at:
          format: date-time
          readOnly: true
          type: string
      required:
        - created_at
        - id
        - trigger_def
        - updated_at
      type: object
    RoleEnum:
      description: '* `admin` - Admin

        * `member` - Member

        * `restricted-read-only` - RRO'
      enum:
        - admin
        - member
        - restricted-read-only
      type: string
    ScriptVarSerializerInvestigationFeedbackOutcomeEnum:
      description: '* `COMPLETED_BREACHED_CONFIRMED` - Malicious

        * `COMPLETED_BREACHED_SUSPICIOUS` - Suspicious

        * `COMPLETED_FALSE_ALERT` - Benign

        * `INCOMPLETE` - Inconclusive

        * `IGNORED` - Ignored'
      enum:
        - COMPLETED_BREACHED_CONFIRMED
        - COMPLETED_BREACHED_SUSPICIOUS
        - COMPLETED_FALSE_ALERT
        - INCOMPLETE
        - IGNORED
      type: string
    ScriptVarSerializerInvestigationFeedbackStatusEnum:
      description: '* `in_review` - In Review

        * `reviewed` - Reviewed'
      enum:
        - in_review
        - reviewed
      type: string
    # Alert record. NOTE(review): the `ScriptVarSerializer_` prefix suggests
    # this is the shape handed to response scripts as a variable -- confirm.
    # Most string fields carry no format, pattern or maxLength.
    ScriptVarSerializer_Alert:
      properties:
        alert_type:
          type: string
        # `assets` and `entities` are declared as `{}`: any JSON value is
        # accepted, so consumers cannot rely on a fixed structure.
        assets: {}
        coalesce_key:
          nullable: true
          type: string
        create_time:
          format: date-time
          type: string
        created_at:
          format: date-time
          readOnly: true
          type: string
        direct_source_label:
          type: string
        entities: {}
        id:
          readOnly: true
          type: integer
        origin_integration:
          nullable: true
          type: string
        origin_ticket_id:
          nullable: true
          type: string
        origin_ticket_id_label:
          nullable: true
          type: string
        # Plain string without `format: uri`, so nothing here guarantees a
        # well-formed URL or a safe scheme. Validate before rendering it as a
        # link or fetching it.
        origin_ticket_url:
          nullable: true
          type: string
        original_title:
          type: string
        proxy_source_label:
          nullable: true
          type: string
        # NOTE(review): presumably the alert payload as received from the
        # source. If so it is attacker-influenced input: escape it on display
        # and do not interpolate it into commands, queries or prompts.
        raw_alert_content:
          type: string
        schema_key:
          type: string
        severity:
          nullable: true
          type: string
        start_time:
          format: date-time
          nullable: true
          type: string
        tenant_id:
          nullable: true
          type: string
        tenant_integration_key:
          nullable: true
          type: string
        tenant_label:
          nullable: true
          type: string
        tenant_union:
          $ref: '#/components/schemas/ScriptVarSerializer_TenantUnion'
        title:
          type: string
        updated_at:
          format: date-time
          readOnly: true
          type: string
      required:
        - alert_type
        - create_time
        - created_at
        - direct_source_label
        - id
        - raw_alert_content
        - schema_key
        - tenant_union
        - title
        - updated_at
      type: object
    ScriptVarSerializer_InvestigationFeedback:
      properties:
        conclusion:
          readOnly: true
          type: string
        conclusion_summary:
          nullable: true
          type: string
        created_at:
          format: date-time
          readOnly: true
          type: string
        findings: {}
        findings_ranking:
          nullable: true
        id:
          readOnly: true
          type: integer
        insight_tags:
          nullable: true
        key_findings:
          nullable: true
        outcome:
          nullable: true
          oneOf:
            - $ref: '#/components/schemas/ScriptVarSerializerInvestigationFeedbackOutcomeEnum'
            - $ref: '#/components/schemas/NullEnum'
        outcome_note:
          nullable: true
          type: string
        priority:
          nullable: true
          oneOf:
            - $ref: '#/components/schemas/PriorityEnum'
            - $ref: '#/components/schemas/NullEnum'
        remediations_done: {}
        status:
          $ref: '#/components/schemas/ScriptVarSerializerInvestigationFeedbackStatusEnum'
        updated_at:
          format: date-time
          readOnly: true
          type: string
      required:
        - conclusion
        - created_at
        - id
        - updated_at
      type: object
    ScriptVarSerializer_RemediationAction:
      properties:
        name:
          type: string
      required:
        - name
      type: object
    ScriptVarSerializer_RemediationActionRun:
      properties:
        entity:
          type: string
        remediation_action:
          $ref: '#/components/schemas/ScriptVarSerializer_RemediationAction'
      required:
        - remediation_action
      type: object
    ScriptVarSerializer_TenantUnion:
      properties:
        created_at:
          format: date-time
          readOnly: true
          type: string
        display_name:
          type: string
        id:
          readOnly: true
          type: integer
        lookup_dict: {}
        updated_at:
          format: date-time
          readOnly: true
          type: string
      required:
        - created_at
        - display_name
        - id
        - updated_at
      type: object
    StatusE6aEnum:
      description: '* `not_asked` - not_asked

        * `loading` - loading

        * `success` - success

        * `error` - error'
      enum:
        - not_asked
        - loading
        - success
        - error
      type: string
    TenantUnion:
      description: Adds update nested feature
      properties:
        created_at:
          format: date-time
          readOnly: true
          type: string
        display_name:
          type: string
        id:
          readOnly: true
          type: integer
        last_modified_by:
          allOf:
            - $ref: '#/components/schemas/CustomUser'
          nullable: true
        lookup_dict: {}
        updated_at:
          format: date-time
          readOnly: true
          type: string
      required:
        - created_at
        - display_name
        - id
        - updated_at
      type: object
    ThreatIntelCollection:
      description: Serializer for ThreatIntelCollection model
      properties:
        created_at:
          format: date-time
          readOnly: true
          type: string
        created_by:
          description: User ID who created the collection. A null value indicates the System user.
          nullable: true
          readOnly: true
          type: integer
        file_info:
          additionalProperties:
            properties:
              files_errored:
                description: List of filenames that had errors (only present for archives)
                items:
                  type: string
                type: array
              files_failed:
                description: Number of files that failed (only present for archives)
                type: integer
              files_parsed:
                description: List of filenames that were successfully parsed (only
                  present for archives)
                items:
                  type: string
                type: array
              files_processed:
                description: Number of files processed from the archive (only present
                  for archives)
                type: integer
              files_skipped:
                description: List of skipped files with reasons (only present for
                  archives)
                items:
                  properties:
                    filename:
                      type: string
                    reason:
                      type: string
                  required:
                    - filename
                    - reason
                  type: object
                type: array
              files_succeeded:
                description: Number of files that succeeded (only present for archives)
                type: integer
              hash:
                description: SHA-256 hash of the uploaded file or archive
                type: string
              imported_at:
                description: ISO 8601 timestamp when file was imported
                type: string
              indicators_created:
                description: Number of indicators created from this file or archive
                type: integer
              indicators_updated:
                description: Number of indicators updated from this file or archive
                type: integer
              total_objects:
                description: Total STIX objects processed from this file or archive
                type: integer
              type:
                description: 'File type: ''single_file'' for individual JSON files,
                  ''archive'' for ZIP/TAR archives'
                enum:
                  - single_file
                  - archive
                type: string
            required:
              - type
              - hash
              - imported_at
              - indicators_created
              - indicators_updated
              - total_objects
            type: object
          description: Dictionary keyed by filename containing file metadata. Each
            entry contains common fields (type, hash, imported_at, indicators_created,
            indicators_updated, total_objects). Archive entries (type='archive') additionally
            include files_processed, files_succeeded, files_failed, files_parsed,
            files_errored, and files_skipped fields for detailed filename tracking.
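          # Sample `file_info` value with one archive entry and one single-file
          # entry, keyed by uploaded filename. All values are constructed
          # samples. Both `hash` values are 64 hexadecimal characters, the
          # length of a SHA-256 digest, which is what the field description
          # documents.
          example:
            threat_feeds_archive.tar.gz:
              files_errored:
                - invalid_file.json
              files_failed: 1
              files_parsed:
                - threat_feed_1.json
                - threat_feed_2.json
                - threat_feed_3.json
                - threat_feed_4.json
                - threat_feed_5.json
                - threat_feed_6.json
                - threat_feed_7.json
                - threat_feed_8.json
              files_processed: 10
              files_skipped:
                - filename: __MACOSX/.DS_Store
                  reason: hidden_file
                - filename: readme.txt
                  reason: not_json
              files_succeeded: 8
              hash: b2c3d4e5f6789012345678901234567890abcdef1234567890abcdef12345678
              imported_at: '2024-01-15T10:30:00Z'
              indicators_created: 500
              indicators_updated: 100
              total_objects: 750
              type: archive
            threat_intel_bundle.json:
              hash: a1b2c3d4e5f6789012345678901234567890abcdef1234567890abcdef123456
              imported_at: '2024-01-15T10:30:00Z'
              indicators_created: 150
              indicators_updated: 25
              total_objects: 200
              type: single_file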
          readOnly: true
          type: object
        id:
          format: uuid
          readOnly: true
          type: string
        indicators_count:
          description: Get the count of indicators in this collection
          readOnly: true
          type: integer
        name:
          type: string
        status:
          allOf:
            - $ref: '#/components/schemas/ThreatIntelCollectionStatusEnum'
          description: 'Collection status: parsing, active, deleted, or error


            * `parsing` - Parsing

            * `active` - Active

            * `deleted` - Deleted

            * `error` - Error'
          readOnly: true
        updated_at:
          format: date-time
          readOnly: true
          type: string
        updated_by:
          description: User ID who last updated the collection. A null value indicates
            the System user.
          nullable: true
          readOnly: true
          type: integer
      required:
        - created_at
        - created_by
        - file_info
        - id
        - indicators_count
        - name
        - status
        - updated_at
        - updated_by
      type: object
    ThreatIntelCollectionList:
      properties:
        collections:
          description: Array of collections
          items:
            $ref: '#/components/schemas/ThreatIntelCollection'
          type: array
        count:
          description: Total number of collections returned
          type: integer
      required:
        - collections
        - count
      type: object
    ThreatIntelCollectionStatusEnum:
      description: '* `parsing` - Parsing

        * `active` - Active

        * `deleted` - Deleted

        * `error` - Error'
      enum:
        - parsing
        - active
        - deleted
        - error
      type: string
    TimeUnitEnum:
      description: '* `hour` - hour

        * `day` - day

        * `week` - week

        * `month` - month'
      enum:
        - hour
        - day
        - week
        - month
      type: string
  # Single authentication scheme: an API key sent in the `Authorization`
  # request header. Because the type is `apiKey` rather than `http`, the spec
  # says nothing about a scheme prefix or the expected value format.
  # NOTE(review): document the exact header format for client authors.
  # Operations reference this as `ApiKeyAuth: []`, so no scopes are expressed
  # here; per-role authorization is not visible in the spec. The header value
  # is a bearer-style credential: send it only over TLS and keep it out of
  # logs.
  securitySchemes:
    ApiKeyAuth:
      in: header
      name: Authorization
      type: apiKey
info:
  description: AI SOC Analyst
  title: Dropzone AI
  version: 0.1.0
openapi: 3.0.3
paths:
  /app/api/v1/chat/:
    post:
      description: 'Send a chat query and receive an AI response.

        <br>

        This endpoint creates a new chat session if no <code>session_id</code> is
        provided,

        or reuses an existing session to maintain conversation context.

        <br><br>

        <strong>Usage:</strong>

        <br><br>

        POST to this endpoint with your question<br><br>

        Receive <code>session_id</code>, <code>message_id</code>, and <code>message_url</code>
        in response<br><br>

        Poll the <code>message_url</code> or <code>GET /app/api/v1/chat/{session_id}/message/{message_id}</code>
        for results<br><br>

        (Optional) Include <code>session_id</code> query param in subsequent queries
        to maintain context<br>

        '
      operationId: chat_create
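      parameters:
        # Optional session handle; omit it to start a new session. The
        # description and the 201 response both treat it as a UUID, so the
        # schema declares that format as well. This lets validators reject
        # malformed values before they reach the handler.
        - description: 'Optional: UUID of existing chat session to maintain conversation
            context'
          in: query
          name: session_id
          schema:
            format: uuid
            type: string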
      # JSON body: required `text` plus an optional `files` array of
      # {name, content} objects. The schema declares no maxItems on `files`
      # and no maxLength on `text`, `name` or `content`, so size limits have
      # to be enforced by the server or gateway rather than by schema
      # validation.
      requestBody:
        content:
          application/json:
            schema:
              properties:
                files:
                  description: 'Optional: Files to include with your query. Each file
                    must have ''name'' and ''content'' (base64-encoded) fields.'
                  items:
                    properties:
                      # Described as base64 but typed as a plain string (no
                      # `format: byte`); decoding failures must be handled
                      # server-side.
                      content:
                        description: Base64-encoded file content
                        type: string
                      # Caller-supplied label. Treat it as untrusted text, not
                      # as a filesystem path, and do not infer the file type
                      # from it.
                      name:
                        description: File name (e.g., 'document.pdf')
                        type: string
                    required:
                      - name
                      - content
                    type: object
                  type: array
                text:
                  description: Your question or chat message
                  type: string
              required:
                - text
              type: object
      responses:
        '201':
          content:
            application/json:
              schema:
                properties:
                  message_id:
                    type: integer
                  message_url:
                    type: string
                  session_id:
                    format: uuid
                    type: string
                type: object
          description: Chat query created successfully. Use the message_url to poll
            for results.
        '400':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Bad request - invalid input
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        '404':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Resource not found
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System error
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
      security:
        - ApiKeyAuth: []
      tags:
        - chat
  /app/api/v1/chat/{session_id}/message/{message_id}:
    get:
      description: 'Get the status and result of a chat message.

        <br><br>

        Poll this endpoint after sending a query to check for completion.

        <br><br>

        <strong>Response fields:</strong>

        <br><br>

        <code>response_text</code> - AI response (null while processing)

        <br><br>

        <code>response_citations</code> - Supporting evidence/citations (null while
        processing)

        <br><br>

        <code>progress_message</code> - Current processing status

        <br><br>

        <code>progress_timestamp</code> - Last update timestamp

        <br><br>

        When both <code>response_text</code> and <code>response_citations</code> are
        populated, the query is complete.

        '
      operationId: chat_message_retrieve
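      parameters:
        # message_id is a plain integer.
        # NOTE(review): the server should check that the message belongs to
        # the given session and that the session belongs to the caller; the
        # spec cannot express either condition.
        - description: The message ID returned from POST /app/api/v1/chat/
          in: path
          name: message_id
          required: true
          schema:
            type: integer
        # Declared as a UUID to match the description and the `session_id`
        # returned by POST /app/api/v1/chat/.
        - description: The chat session ID (UUID)
          in: path
          name: session_id
          required: true
          schema:
            format: uuid
            type: string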
      responses:
        '200':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ChatQueryNested'
          description: Chat message details with status and response (if complete)
        '400':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Bad request - invalid input
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        '404':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Resource not found
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System error
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
      security:
        - ApiKeyAuth: []
      tags:
        - chat
  /app/api/v1/config/investigation-threshold:
    get:
      description: Get investigation threshold configuration. The threshold controls
        the maximum number of investigations allowed within a time window, with optional
        per-alert-source limits.
      operationId: investigation_threshold_retrieve_external
      responses:
        '200':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/InvestigationThreshold'
          description: Investigation threshold configuration
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System error
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
      security:
        - ApiKeyAuth: []
      tags:
        - config
    # PATCH: partial update of the investigation threshold configuration
    # (operationId investigation_threshold_update_external).
    patch:
      description: 'Update investigation threshold configuration. Supports partial
        updates. Fields: is_enabled (bool), max_invs (positive int), time_unit (hour|day|week|month),
        max_by_alert_source (object mapping alert source labels to max counts).'
      operationId: investigation_threshold_update_external
      # The same PatchedInvestigationThreshold schema is accepted under three
      # media types: JSON, URL-encoded form and multipart form.
      # NOTE(review): the description calls max_by_alert_source an object; confirm
      # how the two form encodings are expected to carry it. If only JSON clients
      # exist, listing application/json alone narrows the request-parsing surface.
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/PatchedInvestigationThreshold'
          application/x-www-form-urlencoded:
            schema:
              $ref: '#/components/schemas/PatchedInvestigationThreshold'
          multipart/form-data:
            schema:
              $ref: '#/components/schemas/PatchedInvestigationThreshold'
      responses:
        # Success returns the full InvestigationThreshold schema, not the Patched
        # variant used for the request.
        '200':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/InvestigationThreshold'
          description: Updated investigation threshold configuration
        # Error bodies are declared inline and list no `required` members, so
        # clients should not assume error_msg is always present.
        '400':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Bad request - invalid input
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        # The 403 body carries `detail`, unlike the other error responses of this
        # operation, which carry `error_msg`.
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System error
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
      # Callers must satisfy the ApiKeyAuth scheme (resolved from
      # components.securitySchemes); the empty list means no scopes are named.
      security:
        - ApiKeyAuth: []
      tags:
        - config
  # Read-only status endpoint for the investigation threshold: current usage
  # against the configured limits plus exceeded/queued counts.
  /app/api/v1/config/investigation-threshold/status:
    get:
      description: Get investigation threshold status including current progress toward
        limits and counts of exceeded/queued investigations. Returns real-time usage
        data for the current time window.
      operationId: config_investigation_threshold_status_retrieve
      responses:
        '200':
          content:
            application/json:
              # Inline schema with no `required` list: every member below is
              # optional as far as this document is concerned.
              schema:
                # Whole-response sample; here by_alert_source is empty, while the
                # sample on `progress` below shows a populated entry.
                example:
                  exceeded: 3
                  progress:
                    by_alert_source: {}
                    curr_invs: 42
                    end: '2026-01-09T00:00:00Z'
                    max_invs: 100
                    now: '2026-01-08T12:00:00Z'
                    start: '2026-01-08T00:00:00Z'
                    time_unit: day
                  queued: 5
                properties:
                  exceeded:
                    minimum: 0
                    type: integer
                  # `progress` may be null (nullable: true); per its description
                  # that is the case when the threshold is disabled, so clients
                  # must null-check before reading curr_invs/max_invs.
                  progress:
                    description: Current progress toward threshold limits. null when
                      threshold is disabled (is_enabled=false).
                    example:
                      by_alert_source:
                        CrowdStrike:
                          curr_invs: 12
                          max_invs: 50
                      curr_invs: 42
                      end: '2026-01-09T00:00:00Z'
                      max_invs: 100
                      now: '2026-01-08T12:00:00Z'
                      start: '2026-01-08T00:00:00Z'
                      time_unit: day
                    nullable: true
                    properties:
                      # Map keyed by alert source label. The schema accepts any
                      # key (additionalProperties); the key list in the
                      # description is cut short with "...", so it is not
                      # exhaustive.
                      by_alert_source:
                        additionalProperties:
                          properties:
                            curr_invs:
                              minimum: 0
                              type: integer
                            max_invs:
                              minimum: 0
                              type: integer
                          type: object
                        description: 'Per-source progress. Valid keys: [''Check Point'',
                          ''Check Point Harmony Email & Collaboration'', ''Gem'',
                          ''Panther'', ''CrowdStrike'']...'
                        example:
                          CrowdStrike:
                            curr_invs: 12
                            max_invs: 50
                        type: object
                      curr_invs:
                        minimum: 0
                        type: integer
                      # start / end / now are date-time strings; the samples above
                      # use UTC ("Z") timestamps.
                      end:
                        format: date-time
                        type: string
                      max_invs:
                        minimum: 0
                        type: integer
                      now:
                        format: date-time
                        type: string
                      start:
                        format: date-time
                        type: string
                      time_unit:
                        enum:
                          - hour
                          - day
                          - week
                          - month
                        type: string
                    type: object
                  queued:
                    minimum: 0
                    type: integer
                type: object
          description: Threshold status with progress and counts
        # Error bodies are declared inline and list no `required` members.
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        # The 403 body carries `detail`, unlike the other error responses of this
        # operation, which carry `error_msg`.
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System error
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
      # Callers must satisfy the ApiKeyAuth scheme (resolved from
      # components.securitySchemes); the empty list means no scopes are named.
      security:
        - ApiKeyAuth: []
      tags:
        - config
  /app/api/v1/config/system:
    # GET: returns the whole system configuration, one object per section
    # (operationId system_config_retrieve_external).
    get:
      description: 'Get all system configuration data. Returns current config values.
        Sections: org_info, dashboard_defaults, response_benchmarks, time_saved, chatops,
        advanced_settings'
      operationId: system_config_retrieve_external
      responses:
        '200':
          content:
            application/json:
              # Inline schema with no `required` list: every section is optional
              # as far as this document is concerned.
              schema:
                properties:
                  advanced_settings:
                    properties:
                      # The nested title_entity_deduplication_settings object is
                      # declared only inside the `then` branch, i.e. only when
                      # enable_title_entity_deduplication is true.
                      # NOTE(review): if this document is OpenAPI 3.0.x (it uses
                      # `nullable: true` elsewhere), `if`/`then`/`const` are
                      # outside the 3.0 Schema Object and tooling may ignore them;
                      # confirm the server enforces this conditional itself.
                      advanced_alert_deduplication_settings:
                        allOf:
                          - if:
                              properties:
                                enable_title_entity_deduplication:
                                  const: true
                            then:
                              properties:
                                title_entity_deduplication_settings:
                                  properties:
                                    # NOTE(review): declared as `number`, so a
                                    # fractional count passes this schema;
                                    # `integer` looks intended, confirm.
                                    title_entity_deduplication_minimum_entity_count:
                                      default: 3
                                      description: If an alert has fewer than this
                                        many entities, it will not be considered for
                                        deduplication.
                                      minimum: 2
                                      title: Minimum Entity Count
                                      type: number
                                  title: Title and Entity Deduplication Settings
                                  type: object
                        properties:
                          enable_title_entity_deduplication:
                            default: false
                            description: Enable to deduplicate alerts with identical
                              title and entity values within an 8 hour window.
                            title: Enable Title and Entity Deduplication
                            type: boolean
                        title: Advanced Alert Deduplication Settings
                        type: object
                      enable_connector:
                        default: false
                        description: Enable for connecting to integrations behind
                          VPNs or firewalls.
                        title: Enable Integration Connector
                        type: boolean
                      enable_tenant_union:
                        default: false
                        description: Enable for vendor and/or dz-managed multi-tenant
                          integrations.
                        title: Enable Multi-Tenant Map
                        type: boolean
                      use_generated_alert_titles:
                        default: true
                        description: Enable to display Dropzone-generated alert titles,
                          otherwise display titles extracted from raw alert data.
                        title: Display Generated Alert Titles
                        type: boolean
                    title: Advanced Settings
                    type: object
                  # This read response documents the Slack signing secret and bot
                  # token as returned fields. `format: password` is only a
                  # rendering hint; it does not keep the values out of the body.
                  # NOTE(review): confirm the server omits or redacts both on
                  # read. If they are meant to be settable but never returned,
                  # `writeOnly: true` states that in the schema.
                  chatops:
                    description: Configure Slack app secrets for ChatOps commands
                      and notifications.
                    properties:
                      slack_signing_secret:
                        description: The signing secret from your Slack app, used
                          to verify requests from Slack.
                        format: password
                        title: Slack Signing Secret
                        type: string
                      slack_token:
                        description: The bot token from your Slack app, used for making
                          API calls to Slack (e.g., xoxb-...).
                        format: password
                        title: Slack Bot Token
                        type: string
                    title: ChatOps Configuration
                    type: object
                  dashboard_defaults:
                    properties:
                      # Enumerated through oneOf/const pairs so each value
                      # carries a display title.
                      time_range:
                        default: last30days
                        oneOf:
                          - const: last24hours
                            title: Last 24 hours
                          - const: last3days
                            title: Last 3 days
                          - const: last7days
                            title: Last 7 days
                          - const: last30days
                            title: Last 30 days
                          - const: last6months
                            title: Last 6 months
                          - const: last1year
                            title: Last 1 year
                        title: Time Range
                        type: string
                    title: Dashboard Defaults
                    type: object
                  org_info:
                    properties:
                      company_name:
                        description: The name shown to users across the platform interface.
                          This is for visual branding only.
                        title: Organization Display Name
                        type: string
                      company_name_ai:
                        description: Your registered organization name. Our AI uses
                          this during security investigations to identify your assets
                          and differentiate internal networks from external entities.
                        title: Official Company Name
                        type: string
                    title: Organization Info
                    type: object
                  # All four targets are numbers expressed in minutes (see the
                  # titles); no minimum is declared for any of them.
                  response_benchmarks:
                    description: These allow you to set performance targets reflecting
                      a human analyst's best effort—such as acknowledging alerts within
                      1 hour. This enables you to directly compare our AI SOC analyst
                      platform's speed with typical human response times for detection,
                      acknowledgment, investigation, and conclusion.
                    properties:
                      target1_ttd:
                        default: 10
                        title: Industry Average TTD (minutes)
                        type: number
                      target2_tta:
                        default: 60
                        title: Industry Average TTA (minutes)
                        type: number
                      target3_tti:
                        default: 30
                        title: Industry Average TTI (minutes)
                        type: number
                      target4_ttc:
                        default: 120
                        title: Industry Average TTC (minutes)
                        type: number
                    title: Response Metric Benchmarks
                    type: object
                  time_saved:
                    description: By measuring time saved, you can assess the platform's
                      efficiency and responsiveness relative to existing expectations.
                    properties:
                      avg_min_per_inv:
                        default: 25
                        description: this_value × successful_conclusive_investigations
                          = time_saved
                        title: Average time per manual investigation in your environment
                          (minutes)
                        type: number
                    title: Time Saved Metric
                    type: object
                type: object
                # Section ordering hint carried inside the schema.
                # NOTE(review): the key has no `x-` prefix, so strict OpenAPI
                # validators may reject or drop it; confirm the consumers of
                # this document tolerate it.
                ui:order:
                  - org_info
                  - dashboard_defaults
                  - response_benchmarks
                  - time_saved
                  - chatops
                  - advanced_settings
          description: System configuration data
        # Error bodies are declared inline and list no `required` members.
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        # The 403 body carries `detail`, unlike the other error responses of this
        # operation, which carry `error_msg`.
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System error
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
      # Callers must satisfy the ApiKeyAuth scheme (resolved from
      # components.securitySchemes); the empty list means no scopes are named.
      security:
        - ApiKeyAuth: []
      tags:
        - config
    # PATCH: partial update of the system configuration; per the description the
    # submitted subset is deep-merged into the stored configuration
    # (operationId system_config_update_external).
    patch:
      description: 'Partially update system configuration (deep merge with existing).
        Send any subset of config. Example: {"advanced_settings": {"enable_connector":
        true}}'
      operationId: system_config_update_external
      requestBody:
        content:
          application/json:
            # The request schema declares neither `required` nor
            # `additionalProperties: false`, so it does not reject unknown keys
            # at any level.
            # NOTE(review): confirm the server validates the payload before the
            # deep merge, so that undeclared keys cannot end up in stored config.
            schema:
              properties:
                # Security-relevant toggles: by their descriptions,
                # enable_connector and enable_tenant_union change integration
                # connectivity and multi-tenant mapping.
                advanced_settings:
                  properties:
                    # The nested title_entity_deduplication_settings object is
                    # declared only inside the `then` branch, i.e. only when
                    # enable_title_entity_deduplication is true.
                    # NOTE(review): if this document is OpenAPI 3.0.x (it uses
                    # `nullable: true` elsewhere), `if`/`then`/`const` are outside
                    # the 3.0 Schema Object and tooling may ignore them; confirm
                    # the server enforces this conditional itself.
                    advanced_alert_deduplication_settings:
                      allOf:
                        - if:
                            properties:
                              enable_title_entity_deduplication:
                                const: true
                          then:
                            properties:
                              title_entity_deduplication_settings:
                                properties:
                                  # NOTE(review): declared as `number`, so a
                                  # fractional count passes this schema; `integer`
                                  # looks intended, confirm.
                                  title_entity_deduplication_minimum_entity_count:
                                    default: 3
                                    description: If an alert has fewer than this many
                                      entities, it will not be considered for deduplication.
                                    minimum: 2
                                    title: Minimum Entity Count
                                    type: number
                                title: Title and Entity Deduplication Settings
                                type: object
                      properties:
                        enable_title_entity_deduplication:
                          default: false
                          description: Enable to deduplicate alerts with identical
                            title and entity values within an 8 hour window.
                          title: Enable Title and Entity Deduplication
                          type: boolean
                      title: Advanced Alert Deduplication Settings
                      type: object
                    enable_connector:
                      default: false
                      description: Enable for connecting to integrations behind VPNs
                        or firewalls.
                      title: Enable Integration Connector
                      type: boolean
                    enable_tenant_union:
                      default: false
                      description: Enable for vendor and/or dz-managed multi-tenant
                        integrations.
                      title: Enable Multi-Tenant Map
                      type: boolean
                    use_generated_alert_titles:
                      default: true
                      description: Enable to display Dropzone-generated alert titles,
                        otherwise display titles extracted from raw alert data.
                      title: Display Generated Alert Titles
                      type: boolean
                  title: Advanced Settings
                  type: object
                # Slack credentials are written through this section. No length or
                # pattern constraint is declared; `format: password` is only a
                # rendering hint for tooling.
                chatops:
                  description: Configure Slack app secrets for ChatOps commands and
                    notifications.
                  properties:
                    slack_signing_secret:
                      description: The signing secret from your Slack app, used to
                        verify requests from Slack.
                      format: password
                      title: Slack Signing Secret
                      type: string
                    slack_token:
                      description: The bot token from your Slack app, used for making
                        API calls to Slack (e.g., xoxb-...).
                      format: password
                      title: Slack Bot Token
                      type: string
                  title: ChatOps Configuration
                  type: object
                dashboard_defaults:
                  properties:
                    time_range:
                      default: last30days
                      oneOf:
                        - const: last24hours
                          title: Last 24 hours
                        - const: last3days
                          title: Last 3 days
                        - const: last7days
                          title: Last 7 days
                        - const: last30days
                          title: Last 30 days
                        - const: last6months
                          title: Last 6 months
                        - const: last1year
                          title: Last 1 year
                      title: Time Range
                      type: string
                  title: Dashboard Defaults
                  type: object
                org_info:
                  properties:
                    company_name:
                      description: The name shown to users across the platform interface.
                        This is for visual branding only.
                      title: Organization Display Name
                      type: string
                    # Per its description this value feeds investigations (telling
                    # internal networks from external entities), so write access
                    # to it is security-relevant, not cosmetic.
                    company_name_ai:
                      description: Your registered organization name. Our AI uses
                        this during security investigations to identify your assets
                        and differentiate internal networks from external entities.
                      title: Official Company Name
                      type: string
                  title: Organization Info
                  type: object
                # No minimum is declared on any target, so zero and negative
                # minute values pass this schema.
                # NOTE(review): confirm the server range-checks them.
                response_benchmarks:
                  description: These allow you to set performance targets reflecting
                    a human analyst's best effort—such as acknowledging alerts within
                    1 hour. This enables you to directly compare our AI SOC analyst
                    platform's speed with typical human response times for detection,
                    acknowledgment, investigation, and conclusion.
                  properties:
                    target1_ttd:
                      default: 10
                      title: Industry Average TTD (minutes)
                      type: number
                    target2_tta:
                      default: 60
                      title: Industry Average TTA (minutes)
                      type: number
                    target3_tti:
                      default: 30
                      title: Industry Average TTI (minutes)
                      type: number
                    target4_ttc:
                      default: 120
                      title: Industry Average TTC (minutes)
                      type: number
                  title: Response Metric Benchmarks
                  type: object
                time_saved:
                  description: By measuring time saved, you can assess the platform's
                    efficiency and responsiveness relative to existing expectations.
                  properties:
                    avg_min_per_inv:
                      default: 25
                      description: this_value × successful_conclusive_investigations
                        = time_saved
                      title: Average time per manual investigation in your environment
                        (minutes)
                      type: number
                  title: Time Saved Metric
                  type: object
              type: object
              # Section ordering hint carried inside the schema.
              # NOTE(review): the key has no `x-` prefix, so strict OpenAPI
              # validators may reject or drop it; confirm the consumers of this
              # document tolerate it.
              ui:order:
                - org_info
                - dashboard_defaults
                - response_benchmarks
                - time_saved
                - chatops
                - advanced_settings
      responses:
        # The success body repeats the request schema inline (no shared $ref), so
        # the two copies have to be kept in sync by hand or by the generator.
        '200':
          content:
            application/json:
              schema:
                properties:
                  advanced_settings:
                    properties:
                      advanced_alert_deduplication_settings:
                        allOf:
                          - if:
                              properties:
                                enable_title_entity_deduplication:
                                  const: true
                            then:
                              properties:
                                title_entity_deduplication_settings:
                                  properties:
                                    title_entity_deduplication_minimum_entity_count:
                                      default: 3
                                      description: If an alert has fewer than this
                                        many entities, it will not be considered for
                                        deduplication.
                                      minimum: 2
                                      title: Minimum Entity Count
                                      type: number
                                  title: Title and Entity Deduplication Settings
                                  type: object
                        properties:
                          enable_title_entity_deduplication:
                            default: false
                            description: Enable to deduplicate alerts with identical
                              title and entity values within an 8 hour window.
                            title: Enable Title and Entity Deduplication
                            type: boolean
                        title: Advanced Alert Deduplication Settings
                        type: object
                      enable_connector:
                        default: false
                        description: Enable for connecting to integrations behind
                          VPNs or firewalls.
                        title: Enable Integration Connector
                        type: boolean
                      enable_tenant_union:
                        default: false
                        description: Enable for vendor and/or dz-managed multi-tenant
                          integrations.
                        title: Enable Multi-Tenant Map
                        type: boolean
                      use_generated_alert_titles:
                        default: true
                        description: Enable to display Dropzone-generated alert titles,
                          otherwise display titles extracted from raw alert data.
                        title: Display Generated Alert Titles
                        type: boolean
                    title: Advanced Settings
                    type: object
                  # The update response documents the Slack signing secret and
                  # bot token as returned fields.
                  # NOTE(review): confirm the server omits or redacts both in
                  # the echo; `writeOnly: true` would state that in the schema.
                  chatops:
                    description: Configure Slack app secrets for ChatOps commands
                      and notifications.
                    properties:
                      slack_signing_secret:
                        description: The signing secret from your Slack app, used
                          to verify requests from Slack.
                        format: password
                        title: Slack Signing Secret
                        type: string
                      slack_token:
                        description: The bot token from your Slack app, used for making
                          API calls to Slack (e.g., xoxb-...).
                        format: password
                        title: Slack Bot Token
                        type: string
                    title: ChatOps Configuration
                    type: object
                  dashboard_defaults:
                    properties:
                      time_range:
                        default: last30days
                        oneOf:
                          - const: last24hours
                            title: Last 24 hours
                          - const: last3days
                            title: Last 3 days
                          - const: last7days
                            title: Last 7 days
                          - const: last30days
                            title: Last 30 days
                          - const: last6months
                            title: Last 6 months
                          - const: last1year
                            title: Last 1 year
                        title: Time Range
                        type: string
                    title: Dashboard Defaults
                    type: object
                  org_info:
                    properties:
                      company_name:
                        description: The name shown to users across the platform interface.
                          This is for visual branding only.
                        title: Organization Display Name
                        type: string
                      company_name_ai:
                        description: Your registered organization name. Our AI uses
                          this during security investigations to identify your assets
                          and differentiate internal networks from external entities.
                        title: Official Company Name
                        type: string
                    title: Organization Info
                    type: object
                  response_benchmarks:
                    description: These allow you to set performance targets reflecting
                      a human analyst's best effort—such as acknowledging alerts within
                      1 hour. This enables you to directly compare our AI SOC analyst
                      platform's speed with typical human response times for detection,
                      acknowledgment, investigation, and conclusion.
                    properties:
                      target1_ttd:
                        default: 10
                        title: Industry Average TTD (minutes)
                        type: number
                      target2_tta:
                        default: 60
                        title: Industry Average TTA (minutes)
                        type: number
                      target3_tti:
                        default: 30
                        title: Industry Average TTI (minutes)
                        type: number
                      target4_ttc:
                        default: 120
                        title: Industry Average TTC (minutes)
                        type: number
                    title: Response Metric Benchmarks
                    type: object
                  time_saved:
                    description: By measuring time saved, you can assess the platform's
                      efficiency and responsiveness relative to existing expectations.
                    properties:
                      avg_min_per_inv:
                        default: 25
                        description: this_value × successful_conclusive_investigations
                          = time_saved
                        title: Average time per manual investigation in your environment
                          (minutes)
                        type: number
                    title: Time Saved Metric
                    type: object
                type: object
                ui:order:
                  - org_info
                  - dashboard_defaults
                  - response_benchmarks
                  - time_saved
                  - chatops
                  - advanced_settings
          description: Updated system configuration
        # Error bodies are declared inline and list no `required` members.
        '400':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Bad request - invalid input
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        # The 403 body carries `detail`, unlike the other error responses of this
        # operation, which carry `error_msg`.
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System error
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
      # Same ApiKeyAuth requirement, with no scopes, as the GET on this path: the
      # document shows no separation between read and write access.
      # NOTE(review): confirm the server authorizes configuration writes
      # separately from reads.
      security:
        - ApiKeyAuth: []
      tags:
        - config
    put:
      description: Replace all system configuration data. Validates against JSON schema.
        Must include all sections.
      operationId: system_config_replace_external
      requestBody:
        content:
          application/json:
            schema:
              properties:
                advanced_settings:
                  properties:
                    advanced_alert_deduplication_settings:
                      allOf:
                        - if:
                            properties:
                              enable_title_entity_deduplication:
                                const: true
                          then:
                            properties:
                              title_entity_deduplication_settings:
                                properties:
                                  title_entity_deduplication_minimum_entity_count:
                                    default: 3
                                    description: If an alert has fewer than this many
                                      entities, it will not be considered for deduplication.
                                    minimum: 2
                                    title: Minimum Entity Count
                                    type: number
                                title: Title and Entity Deduplication Settings
                                type: object
                      properties:
                        enable_title_entity_deduplication:
                          default: false
                          description: Enable to deduplicate alerts with identical
                            title and entity values within an 8 hour window.
                          title: Enable Title and Entity Deduplication
                          type: boolean
                      title: Advanced Alert Deduplication Settings
                      type: object
                    enable_connector:
                      default: false
                      description: Enable for connecting to integrations behind VPNs
                        or firewalls.
                      title: Enable Integration Connector
                      type: boolean
                    enable_tenant_union:
                      default: false
                      description: Enable for vendor and/or dz-managed multi-tenant
                        integrations.
                      title: Enable Multi-Tenant Map
                      type: boolean
                    use_generated_alert_titles:
                      default: true
                      description: Enable to display Dropzone-generated alert titles,
                        otherwise display titles extracted from raw alert data.
                      title: Display Generated Alert Titles
                      type: boolean
                  title: Advanced Settings
                  type: object
                # Slack credentials for the ChatOps integration. Both properties
                # are plain strings; `format: password` is an annotation that
                # tooling may use to mask the field and adds no validation or
                # protection of its own.
                # NOTE(review): this PUT is documented as a full replacement
                # ("Must include all sections"), so clients presumably resend
                # both secrets on every call - confirm request-body logging and
                # audit trails redact `chatops`.
                chatops:
                  description: Configure Slack app secrets for ChatOps commands and
                    notifications.
                  properties:
                    slack_signing_secret:
                      description: The signing secret from your Slack app, used to
                        verify requests from Slack.
                      format: password
                      title: Slack Signing Secret
                      type: string
                    slack_token:
                      description: The bot token from your Slack app, used for making
                        API calls to Slack (e.g., xoxb-...).
                      format: password
                      title: Slack Bot Token
                      type: string
                  title: ChatOps Configuration
                  type: object
                dashboard_defaults:
                  properties:
                    time_range:
                      default: last30days
                      oneOf:
                        - const: last24hours
                          title: Last 24 hours
                        - const: last3days
                          title: Last 3 days
                        - const: last7days
                          title: Last 7 days
                        - const: last30days
                          title: Last 30 days
                        - const: last6months
                          title: Last 6 months
                        - const: last1year
                          title: Last 1 year
                      title: Time Range
                      type: string
                  title: Dashboard Defaults
                  type: object
                org_info:
                  properties:
                    company_name:
                      description: The name shown to users across the platform interface.
                        This is for visual branding only.
                      title: Organization Display Name
                      type: string
                    company_name_ai:
                      description: Your registered organization name. Our AI uses
                        this during security investigations to identify your assets
                        and differentiate internal networks from external entities.
                      title: Official Company Name
                      type: string
                  title: Organization Info
                  type: object
                response_benchmarks:
                  description: These allow you to set performance targets reflecting
                    a human analyst's best effort—such as acknowledging alerts within
                    1 hour. This enables you to directly compare our AI SOC analyst
                    platform's speed with typical human response times for detection,
                    acknowledgment, investigation, and conclusion.
                  properties:
                    target1_ttd:
                      default: 10
                      title: Industry Average TTD (minutes)
                      type: number
                    target2_tta:
                      default: 60
                      title: Industry Average TTA (minutes)
                      type: number
                    target3_tti:
                      default: 30
                      title: Industry Average TTI (minutes)
                      type: number
                    target4_ttc:
                      default: 120
                      title: Industry Average TTC (minutes)
                      type: number
                  title: Response Metric Benchmarks
                  type: object
                time_saved:
                  description: By measuring time saved, you can assess the platform's
                    efficiency and responsiveness relative to existing expectations.
                  properties:
                    avg_min_per_inv:
                      default: 25
                      description: this_value × successful_conclusive_investigations
                        = time_saved
                      title: Average time per manual investigation in your environment
                        (minutes)
                      type: number
                  title: Time Saved Metric
                  type: object
              type: object
              ui:order:
                - org_info
                - dashboard_defaults
                - response_benchmarks
                - time_saved
                - chatops
                - advanced_settings
      responses:
        '200':
          content:
            application/json:
              schema:
                properties:
                  advanced_settings:
                    properties:
                      advanced_alert_deduplication_settings:
                        allOf:
                          - if:
                              properties:
                                enable_title_entity_deduplication:
                                  const: true
                            then:
                              properties:
                                title_entity_deduplication_settings:
                                  properties:
                                    title_entity_deduplication_minimum_entity_count:
                                      default: 3
                                      description: If an alert has fewer than this
                                        many entities, it will not be considered for
                                        deduplication.
                                      minimum: 2
                                      title: Minimum Entity Count
                                      type: number
                                  title: Title and Entity Deduplication Settings
                                  type: object
                        properties:
                          enable_title_entity_deduplication:
                            default: false
                            description: Enable to deduplicate alerts with identical
                              title and entity values within an 8 hour window.
                            title: Enable Title and Entity Deduplication
                            type: boolean
                        title: Advanced Alert Deduplication Settings
                        type: object
                      enable_connector:
                        default: false
                        description: Enable for connecting to integrations behind
                          VPNs or firewalls.
                        title: Enable Integration Connector
                        type: boolean
                      enable_tenant_union:
                        default: false
                        description: Enable for vendor and/or dz-managed multi-tenant
                          integrations.
                        title: Enable Multi-Tenant Map
                        type: boolean
                      use_generated_alert_titles:
                        default: true
                        description: Enable to display Dropzone-generated alert titles,
                          otherwise display titles extracted from raw alert data.
                        title: Display Generated Alert Titles
                        type: boolean
                    title: Advanced Settings
                    type: object
                  # NOTE(review): this 200 response schema lists the Slack signing
                  # secret and bot token as ordinary readable string properties.
                  # Confirm the server omits or masks them in responses; if it
                  # does, remove them from this response schema so the contract
                  # says so. If they are returned in clear, every caller
                  # authorized for this operation can read the credentials back.
                  chatops:
                    description: Configure Slack app secrets for ChatOps commands
                      and notifications.
                    properties:
                      slack_signing_secret:
                        description: The signing secret from your Slack app, used
                          to verify requests from Slack.
                        format: password
                        title: Slack Signing Secret
                        type: string
                      slack_token:
                        description: The bot token from your Slack app, used for making
                          API calls to Slack (e.g., xoxb-...).
                        format: password
                        title: Slack Bot Token
                        type: string
                    title: ChatOps Configuration
                    type: object
                  dashboard_defaults:
                    properties:
                      time_range:
                        default: last30days
                        oneOf:
                          - const: last24hours
                            title: Last 24 hours
                          - const: last3days
                            title: Last 3 days
                          - const: last7days
                            title: Last 7 days
                          - const: last30days
                            title: Last 30 days
                          - const: last6months
                            title: Last 6 months
                          - const: last1year
                            title: Last 1 year
                        title: Time Range
                        type: string
                    title: Dashboard Defaults
                    type: object
                  org_info:
                    properties:
                      company_name:
                        description: The name shown to users across the platform interface.
                          This is for visual branding only.
                        title: Organization Display Name
                        type: string
                      company_name_ai:
                        description: Your registered organization name. Our AI uses
                          this during security investigations to identify your assets
                          and differentiate internal networks from external entities.
                        title: Official Company Name
                        type: string
                    title: Organization Info
                    type: object
                  response_benchmarks:
                    description: These allow you to set performance targets reflecting
                      a human analyst's best effort—such as acknowledging alerts within
                      1 hour. This enables you to directly compare our AI SOC analyst
                      platform's speed with typical human response times for detection,
                      acknowledgment, investigation, and conclusion.
                    properties:
                      target1_ttd:
                        default: 10
                        title: Industry Average TTD (minutes)
                        type: number
                      target2_tta:
                        default: 60
                        title: Industry Average TTA (minutes)
                        type: number
                      target3_tti:
                        default: 30
                        title: Industry Average TTI (minutes)
                        type: number
                      target4_ttc:
                        default: 120
                        title: Industry Average TTC (minutes)
                        type: number
                    title: Response Metric Benchmarks
                    type: object
                  time_saved:
                    description: By measuring time saved, you can assess the platform's
                      efficiency and responsiveness relative to existing expectations.
                    properties:
                      avg_min_per_inv:
                        default: 25
                        description: this_value × successful_conclusive_investigations
                          = time_saved
                        title: Average time per manual investigation in your environment
                          (minutes)
                        type: number
                    title: Time Saved Metric
                    type: object
                type: object
                ui:order:
                  - org_info
                  - dashboard_defaults
                  - response_benchmarks
                  - time_saved
                  - chatops
                  - advanced_settings
          description: Updated system configuration
        '400':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Bad request - invalid input
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System error
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
      security:
        - ApiKeyAuth: []
      tags:
        - config
  /app/api/v1/context-memory/create:
    post:
      description: Create a new user Context Memory Item (+ optional tenant union
        OR tenant id/label). Prefer tenant_union_id for union-scoped context (multiple
        integration slots); tenant_id+tenant_label for upstream tenant scoping.
      operationId: context_memory_create_create
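      # Body for creating a Context Memory Item. No property is marked
      # required; the tenant fields are optional scoping hints (see the
      # operation description).
      # NOTE(review): the tenant scope is supplied by the caller and this
      # schema cannot constrain it - confirm the handler checks that the API
      # key is entitled to the named tenant / tenant union before writing.
      requestBody:
        content:
          application/json:
            schema:
              properties:
                content:
                  # NOTE(review): placeholder default, presumably applied when
                  # `content` is omitted - consider requiring the field instead.
                  default: Hello world
                  type: string
                tenant_id:
                  default: null
                  # A null default only conforms when the schema admits null.
                  nullable: true
                  type: string
                tenant_label:
                  default: null
                  nullable: true
                  type: string
                tenant_union_id:
                  default: null
                  nullable: true
                  # NOTE(review): `number` admits fractional values; an id is
                  # presumably an integer - confirm.
                  type: number
              type: object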
      responses:
        '201':
          content:
            application/json:
              schema:
                properties:
                  item_id:
                    type: number
                type: object
          description: Context Memory Item created
        '400':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Bad request - invalid input
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System error
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
      security:
        - ApiKeyAuth: []
      tags:
        - context-memory
  /app/api/v1/context-memory/delete/{item_id}:
    delete:
      description: Delete an existing user Context Memory Item
      operationId: context_memory_delete_destroy
      # Single path parameter naming the Context Memory Item to delete.
      # NOTE(review): declared `string` here while the response body reports
      # `item_id` as `number` - confirm the real id type and align the two.
      # NOTE(review): the id is caller-supplied; confirm the handler verifies
      # the item is within the caller's user / tenant scope before deleting.
      parameters:
        - in: path
          name: item_id
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              schema:
                properties:
                  item_id:
                    type: number
                type: object
          description: Context Memory Item deleted
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        '404':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Resource not found
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System error
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
      security:
        - ApiKeyAuth: []
      tags:
        - context-memory
  /app/api/v1/context-memory/update/{item_id}:
    put:
      description: Update an existing user Context Memory Item (+ optional tenant
        union OR tenant id/label). Prefer tenant_union_id for union-scoped context
        (multiple integration slots); tenant_id+tenant_label for upstream tenant scoping.
      operationId: context_memory_update_update
      parameters:
        - in: path
          name: item_id
          required: true
          schema:
            type: string
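      # Body for updating a Context Memory Item. No property is marked
      # required; the tenant fields are optional scoping hints (see the
      # operation description).
      # NOTE(review): the tenant scope is supplied by the caller and this
      # schema cannot constrain it - confirm the handler checks that the API
      # key is entitled to both the item and the tenant / tenant union it is
      # being moved to.
      requestBody:
        content:
          application/json:
            schema:
              properties:
                content:
                  # NOTE(review): placeholder default, presumably applied when
                  # `content` is omitted - on an update that could overwrite
                  # existing text; confirm, or require the field.
                  default: Hello world
                  type: string
                tenant_id:
                  default: null
                  # A null default only conforms when the schema admits null.
                  nullable: true
                  type: string
                tenant_label:
                  default: null
                  nullable: true
                  type: string
                tenant_union_id:
                  default: null
                  nullable: true
                  # NOTE(review): `number` admits fractional values; an id is
                  # presumably an integer - confirm.
                  type: number
              type: object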
      responses:
        '200':
          content:
            application/json:
              schema:
                properties:
                  item_id:
                    type: number
                type: object
          description: Context Memory Item updated
        '400':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Bad request - invalid input
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        '404':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Resource not found
        '409':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Invalid action taken on resource
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System error
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
      security:
        - ApiKeyAuth: []
      tags:
        - context-memory
  /app/api/v1/custom-strategies:
    get:
      description: List all custom strategies. Use is_protected filter to distinguish
        between user-created and OOTB strategies.
      operationId: custom_strategies_list_external
      parameters:
        - description: Filter by alert sources
          in: query
          name: alert_sources
          schema:
            items:
              type: string
            type: array
        - description: Filter by attack surfaces
          in: query
          name: attack_surfaces
          schema:
            items:
              type: string
            type: array
        - description: Filter by archived status
          in: query
          name: is_archived
          schema:
            type: boolean
        - description: Filter by enabled status
          in: query
          name: is_enabled
          schema:
            type: boolean
        - description: Filter by protected status (true=OOTB, false=user-created)
          in: query
          name: is_protected
          schema:
            type: boolean
        - description: Filter by MITRE tactics
          in: query
          name: mitre_tactics
          schema:
            items:
              type: string
            type: array
        - description: Search in strategy title and scenario
          in: query
          name: search_query
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              schema:
                items:
                  $ref: '#/components/schemas/FullCustomStrategy'
                type: array
          description: List of custom strategies
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System error
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
      security:
        - ApiKeyAuth: []
      tags:
        - custom-strategies
    post:
      description: Create a new custom strategy
      operationId: custom_strategies_create_external
      # Body for creating a custom strategy; only `title` is required.
      # NOTE(review): `instructions`, `outcomes` and `priorities` are arrays of
      # unconstrained objects, and no string or array in this schema carries a
      # length bound (maxLength / maxItems). The schema therefore says nothing
      # about their shape or size - confirm the handler validates both.
      requestBody:
        content:
          application/json:
            schema:
              properties:
                alert_sources:
                  items:
                    type: string
                  type: array
                attack_surfaces:
                  items:
                    type: string
                  type: array
                instructions:
                  items:
                    type: object
                  type: array
                # Documented default is disabled: a new strategy is not
                # enabled unless the caller sets this to true.
                is_enabled:
                  default: false
                  type: boolean
                mitre_tactics:
                  items:
                    type: string
                  type: array
                outcomes:
                  items:
                    type: object
                  type: array
                priorities:
                  items:
                    type: object
                  type: array
                scenario:
                  type: string
                title:
                  type: string
              required:
                - title
              type: object
      responses:
        '201':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/FullCustomStrategy'
          description: Custom strategy created successfully
        '400':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Bad request - invalid input
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System error
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
      security:
        - ApiKeyAuth: []
      tags:
        - custom-strategies
  /app/api/v1/custom-strategies/{strategy_id}:
    delete:
      description: Delete or archive a custom strategy (archives if referenced by
        investigations)
      operationId: custom_strategy_destroy_external
      # Single path parameter naming the strategy to delete or archive.
      # NOTE(review): `strategy_id` is typed `string` here, but the GET
      # operation on this same path declares it `integer`. Confirm the real
      # type and use it for every operation on the path, so generated clients
      # and any schema-based request validation agree.
      parameters:
        - in: path
          name: strategy_id
          required: true
          schema:
            type: string
      responses:
        '204':
          description: Strategy deleted or archived successfully
        '400':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Cannot delete already archived strategy
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        '404':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Resource not found
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System error
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
      security:
        - ApiKeyAuth: []
      tags:
        - custom-strategies
    get:
      # Read-only lookup of a single custom strategy, addressed by the
      # strategy_id path parameter and authenticated with ApiKeyAuth.
      description: Get a specific custom strategy by ID. Includes both user-created
        and OOTB (protected) strategies.
      operationId: custom_strategy_retrieve_external
      parameters:
        # NOTE(review): strategy_id is an integer here, but the PUT operation on
        # this same path declares it as a string - confirm which is intended.
        - in: path
          name: strategy_id
          required: true
          schema:
            type: integer
      responses:
        '200':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/FullCustomStrategy'
          description: Custom strategy details
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        # NOTE(review): the 403 body uses the key `detail`, while every other
        # error response on this operation uses `error_msg`; clients that parse
        # error bodies have to handle both shapes.
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        '404':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Resource not found
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System error
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
      # The empty list means no scopes are attached to the ApiKeyAuth requirement.
      security:
        - ApiKeyAuth: []
      tags:
        - custom-strategies
    put:
      # Full-replacement update of a custom strategy; per the description each
      # update creates a new version. Authenticated with ApiKeyAuth.
      # NOTE(review): GET on this path says OOTB strategies are "protected";
      # the spec does not say which response a write to one of them produces -
      # presumably the 403 below, confirm.
      description: Update a custom strategy (full replacement - creates new version)
      operationId: custom_strategy_update_external
      parameters:
        # NOTE(review): strategy_id is a string here, but GET on this same path
        # declares it as an integer - confirm which is intended.
        - in: path
          name: strategy_id
          required: true
          schema:
            type: string
      # NOTE(review): requestBody carries no `required: true`, so per the spec
      # a request without a body is valid even though the schema requires
      # `title`.
      requestBody:
        content:
          application/json:
            schema:
              # No field below declares a size bound (maxLength / maxItems);
              # presumably limits are enforced server-side - confirm.
              properties:
                alert_sources:
                  items:
                    type: string
                  type: array
                attack_surfaces:
                  items:
                    type: string
                  type: array
                # Items are bare objects with no declared properties, so the
                # expected shape of an instruction is not documented here.
                instructions:
                  items:
                    type: object
                  type: array
                is_enabled:
                  type: boolean
                mitre_tactics:
                  items:
                    type: string
                  type: array
                # Bare objects again: shape not documented in this spec.
                outcomes:
                  items:
                    type: object
                  type: array
                # Bare objects again: shape not documented in this spec.
                priorities:
                  items:
                    type: object
                  type: array
                scenario:
                  type: string
                title:
                  type: string
              # `title` is the only required field.
              required:
                - title
              type: object
      # NOTE(review): unlike GET on this path, no '404' is declared for an
      # unknown strategy_id.
      responses:
        '200':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/FullCustomStrategy'
          description: Strategy updated successfully
        '400':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Bad request - invalid input
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        # The 403 body uses `detail`; the other error bodies use `error_msg`.
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System error
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
      security:
        - ApiKeyAuth: []
      tags:
        - custom-strategies
  # Upload endpoint: accepts one file part named `email` as multipart/form-data
  # and returns the ID of the investigation it creates.
  /app/api/v1/email/investigation/create:
    post:
      description: Creates a new email investigation, returning the ID.
      operationId: email_investigation_create_create
      # NOTE(review): neither the requestBody nor the `email` part is marked
      # required, so per the spec an empty request is valid.
      requestBody:
        content:
          multipart/form-data:
            schema:
              properties:
                # Arbitrary bytes; the spec declares no size or media-type
                # limit for the upload. The file is untrusted input -
                # presumably size and parsing limits are enforced server-side,
                # confirm.
                email:
                  format: binary
                  type: string
              type: object
      responses:
        '201':
          content:
            application/json:
              schema:
                properties:
                  # NOTE(review): `number` also permits fractional values;
                  # other IDs in this spec are declared as `integer`.
                  id:
                    type: number
                type: object
          description: Creation success
        '400':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Bad request - invalid input
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        # The 403 body uses `detail`; the other error bodies use `error_msg`.
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System error
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
      security:
        - ApiKeyAuth: []
      tags:
        - email
  /app/api/v1/integrations:
    get:
      description: Returns all integration definitions (types) available in the system.
        Does not include instance-specific configuration.
      operationId: list_integration_types
      # Four optional query filters (none is marked required).
      parameters:
        # `style: form` with `explode: true` serializes the array as a repeated
        # query key, matching the example in the description.
        - description: Filter by categories (can specify multiple, e.g., ?categories=siem&categories=edr)
          explode: true
          in: query
          name: categories
          schema:
            items:
              type: string
            type: array
          style: form
        - description: Filter by whether the integration type can be Dropzone-provided
          in: query
          name: dz_provided
          schema:
            type: boolean
        # Same repeated-key serialization as `categories`.
        - description: Filter by integration groups (can specify multiple, e.g., ?group=security&group=cloud)
          explode: true
          in: query
          name: group
          schema:
            items:
              type: string
            type: array
          style: form
        # The only filter here with a closed value set (enum below).
        - description: Filter by integration service type (core, interviewer, poller,
            remediator)
          in: query
          name: integration_type
          schema:
            enum:
              - core
              - interviewer
              - poller
              - remediator
            type: string
      responses:
        '200':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/IntegrationTypesListResponse'
          description: List of all available integration types/definitions
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System error
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
      security:
        - ApiKeyAuth: []
      summary: List all available integration types
      tags:
        - integrations
  /app/api/v1/integrations/{slug}:
    get:
      description: List all configured instances for a specific integration.
      operationId: integrations_retrieve
      parameters:
        # Integration identifier taken from the URL path.
        - in: path
          name: slug
          required: true
          schema:
            type: string
        # Optional filter. NOTE(review): the spec does not say how this value is
        # checked against the caller's API key; tenant isolation has to be
        # enforced server-side rather than by trusting the filter - confirm.
        - description: Filter by tenant union ID
          in: query
          name: tenant_union_id
          schema:
            type: integer
      responses:
        '200':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/IntegrationInstancesListResponse'
          description: List of integration instances (config_data NOT included)
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        '404':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Resource not found
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System error
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
      security:
        - ApiKeyAuth: []
      tags:
        - integrations
    post:
      description: Create a new integration instance.
      operationId: integrations_create
      parameters:
        - in: path
          name: slug
          required: true
          schema:
            type: string
      # The same schema is accepted in three encodings: JSON, URL-encoded form
      # and multipart form. The body is mandatory (`required: true` below).
      # NOTE(review): the schema is defined elsewhere; it presumably carries
      # config_data with integration secrets (the instance GET documents
      # config_data as masked) - confirm request bodies are kept out of logs.
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/IntegrationInstanceSerializerToCustomerCreate'
          application/x-www-form-urlencoded:
            schema:
              $ref: '#/components/schemas/IntegrationInstanceSerializerToCustomerCreate'
          multipart/form-data:
            schema:
              $ref: '#/components/schemas/IntegrationInstanceSerializerToCustomerCreate'
        required: true
      responses:
        '201':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/IntegrationSlotSerializerToCustomerFull'
          description: Successfully created integration instance
        '400':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Bad request - invalid input
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        '404':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Resource not found
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System error
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
      security:
        - ApiKeyAuth: []
      tags:
        - integrations
  /app/api/v1/integrations/{slug}/test:
    post:
      # Dry-run endpoint: per the description the submitted config is validated
      # and used for a connectivity test, and nothing is saved.
      # NOTE(review): a connectivity test driven by caller-supplied config
      # presumably makes the server open connections to destinations named in
      # the request - confirm outbound access from this service is restricted
      # and that test results do not echo internal network details.
      description: Test integration configuration without saving it. Validates the
        config and tests connectivity.
      operationId: integrations_test_create
      parameters:
        - in: path
          name: slug
          required: true
          schema:
            type: string
      # Same schema in three encodings; the body is mandatory.
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/IntegrationInstanceSerializerToCustomerTest'
          application/x-www-form-urlencoded:
            schema:
              $ref: '#/components/schemas/IntegrationInstanceSerializerToCustomerTest'
          multipart/form-data:
            schema:
              $ref: '#/components/schemas/IntegrationInstanceSerializerToCustomerTest'
        required: true
      responses:
        # NOTE(review): no `content` schema is declared, so the shape of the
        # "test results" mentioned in the description is undocumented.
        '200':
          description: Test successful - returns test results
        '400':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Bad request - invalid input
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        '404':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Resource not found
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System error
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
      security:
        - ApiKeyAuth: []
      tags:
        - integrations
  /app/api/v1/integrations/{slug}/{slot_uuid}:
    delete:
      description: Delete integration instance.
      operationId: integrations_destroy
      parameters:
        - in: path
          name: slot_uuid
          required: true
          schema:
            format: uuid
            type: string
        - in: path
          name: slug
          required: true
          schema:
            type: string
      responses:
        '204':
          description: Integration instance deleted successfully
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        '404':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Resource not found
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System error
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
      security:
        - ApiKeyAuth: []
      tags:
        - integrations
    get:
      description: Get specific integration instance with full config.
      operationId: integrations_retrieve_2
      parameters:
        - in: path
          name: slot_uuid
          required: true
          schema:
            format: uuid
            type: string
        - in: path
          name: slug
          required: true
          schema:
            type: string
      responses:
        # Per the description, config_data is returned masked.
        # NOTE(review): the 201 of the create operation and the 200 of PATCH
        # reference this same schema without mentioning masking - confirm they
        # mask config_data as well.
        '200':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/IntegrationSlotSerializerToCustomerFull'
          description: Full integration instance details including masked config_data
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        '404':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Resource not found
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System error
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
      security:
        - ApiKeyAuth: []
      tags:
        - integrations
    patch:
      description: Update integration instance (partial update supported).
      operationId: integrations_partial_update
      parameters:
        - in: path
          name: slot_uuid
          required: true
          schema:
            format: uuid
            type: string
        - in: path
          name: slug
          required: true
          schema:
            type: string
      # Partial-update payload, accepted as JSON, URL-encoded form or multipart
      # form. Unlike the create operation, the body is not marked required.
      # NOTE(review): GET on this path returns config_data masked; confirm that
      # a client sending those masked values back does not overwrite the
      # stored secrets.
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/PatchedIntegrationInstanceSerializerToCustomerUpdate'
          application/x-www-form-urlencoded:
            schema:
              $ref: '#/components/schemas/PatchedIntegrationInstanceSerializerToCustomerUpdate'
          multipart/form-data:
            schema:
              $ref: '#/components/schemas/PatchedIntegrationInstanceSerializerToCustomerUpdate'
      responses:
        '200':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/IntegrationSlotSerializerToCustomerFull'
          description: Updated integration instance
        '400':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Bad request - invalid input
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        '404':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Resource not found
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System error
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
      security:
        - ApiKeyAuth: []
      tags:
        - integrations
  /app/api/v1/investigation:
    get:
      description: 'List investigations (with optional filtering, sorting, and search)


        Returns a paginated list of investigations. By default, only completed investigations

        (state=''success'') are returned. Use query parameters to filter by state,
        outcomes,

        priorities, date ranges, and more.

        '
      operationId: investigation_retrieve
      parameters:
        # The four alert time filters below are plain strings with no
        # `format: date-time` / `date`, so the ISO 8601 requirement stated in
        # the descriptions cannot be checked from the spec alone; presumably
        # malformed values are rejected server-side with the 400 declared for
        # this operation - confirm.
        - description: Filter by alert creation time (from). ISO 8601 format
          in: query
          name: alert_create_from
          schema:
            type: string
        - description: Filter by alert creation time (until). ISO 8601 format
          in: query
          name: alert_create_until
          schema:
            type: string
        - description: Filter by alert start time (from). ISO 8601 format (e.g., 2024-01-01
            or 2024-01-01T00:00:00Z)
          in: query
          name: alert_start_from
          schema:
            type: string
        - description: Filter by alert start time (until). ISO 8601 format
          in: query
          name: alert_start_until
          schema:
            type: string
        - description: Filter by alert tenant name (can be repeated)
          in: query
          name: alert_tenants
          schema:
            items:
              type: string
            type: array
        - description: Filter by alert type/handler key (can be repeated)
          in: query
          name: alert_types
          schema:
            items:
              type: string
            type: array
        - description: Filter by attack surface (can be repeated)
          in: query
          name: attack_surfaces
          schema:
            items:
              enum:
                - Cloud Infrastructure
                - Endpoint
                - Identity
                - Kubernetes
                - Network
                - Phishing
                - SaaS
              type: string
            type: array
        - description: Filter by alert source label (can be repeated)
          in: query
          name: direct_source_labels
          schema:
            items:
              type: string
            type: array
        - description: Filter by feedback last updated time (from). ISO 8601 format
          in: query
          name: feedback_updated_from
          schema:
            type: string
        - description: Filter by feedback last updated time (until). ISO 8601 format
          in: query
          name: feedback_updated_until
          schema:
            type: string
        - description: Filter by insight tag name (can be repeated)
          in: query
          name: insight_tag_names
          schema:
            items:
              type: string
            type: array
        - description: Filter by interview status (can be repeated)
          in: query
          name: interview_statuses
          schema:
            items:
              enum:
                - active
                - approved
                - canceled
                - declined
                - failed
                - finished
                - finished_with_referral
                - pending
                - timed_out
              type: string
            type: array
        - description: Filter by investigation completion time (from). ISO 8601 format
          in: query
          name: inv_complete_from
          schema:
            type: string
        - description: Filter by investigation completion time (until). ISO 8601 format
          in: query
          name: inv_complete_until
          schema:
            type: string
        - description: 'Filter by investigation state. Valid values: not_asked (queued),
            loading (running), success (complete), error (stopped). Defaults to ''success''.'
          in: query
          name: investigation_state
          schema:
            enum:
              - error
              - loading
              - not_asked
              - success
            type: string
        # Optional switch, default false, for a reduced response body.
        - description: If true, returns a lightweight response with fewer fields (no
            alert, no findings)
          in: query
          name: light
          schema:
            default: false
            type: boolean
        # Page size. NOTE(review): no minimum, maximum or default is declared;
        # confirm the server caps the page size so a single request cannot
        # pull an unbounded result set.
        - description: Number of results per page
          in: query
          name: limit
          schema:
            type: integer
        - description: Filter by MITRE ATT&CK tactic (can be repeated)
          in: query
          name: mitre_tactics
          schema:
            items:
              enum:
                - Collection
                - Command and Control
                - Credential Access
                - Defense Evasion
                - Discovery
                - Execution
                - Exfiltration
                - Impact
                - Initial Access
                - Lateral Movement
                - Persistence
                - Privilege Escalation
              type: string
            type: array
        # Pagination offset. NOTE(review): no `minimum` is declared, so the spec
        # does not rule out negative values - presumably rejected server-side,
        # confirm.
        - description: Number of results to skip
          in: query
          name: offset
          schema:
            type: integer
        - description: Filter by investigation outcome/conclusion (can be repeated)
          in: query
          name: outcomes
          schema:
            items:
              enum:
                - COMPLETED_BREACHED_CONFIRMED
                - COMPLETED_BREACHED_SUSPICIOUS
                - COMPLETED_FALSE_ALERT
                - IGNORED
                - INCOMPLETE
              type: string
            type: array
        - description: Filter by investigation priority (can be repeated)
          in: query
          name: priorities
          schema:
            items:
              enum:
                - informational
                - notable
                - urgent
              type: string
            type: array
        - description: Filter by priority status (can be repeated)
          in: query
          name: priority_statuses
          schema:
            items:
              type: string
            type: array
        # Caller-supplied free text. NOTE(review): no `maxLength` is declared
        # and the spec does not say which fields are searched - confirm the
        # server bounds the input length and passes it to the search backend
        # as data, not as query syntax.
        - description: Free-text search across investigation fields
          in: query
          name: search
          schema:
            type: string
        - description: Sort direction. Defaults to 'desc'.
          in: query
          name: sort_dir
          schema:
            enum:
              - asc
              - desc
            type: string
        - description: Sort field. Defaults to 'alert_create'.
          in: query
          name: sort_type
          schema:
            enum:
              - activity
              - alert_create
              - alert_source
              - alert_title
              - alert_type
              - feedback_status
              - investigation_create
              - outcome
              - priority_status
              - stopped_reason
            type: string
        - description: Filter by stopped reason for error/canceled investigations
            (can be repeated)
          in: query
          name: stopped_reasons
          schema:
            items:
              enum:
                - CANCEL_MANUAL
                - CANCEL_THRESHOLD
                - ERROR
              type: string
            type: array
        # Tenant filters are optional, caller-supplied strings.
        # NOTE(review): the spec does not say how they relate to the caller's
        # API key; which tenants a key may read has to be decided server-side,
        # independent of these values - confirm.
        - description: Filter by tenant ID
          in: query
          name: tenant_id
          schema:
            type: string
        - description: Filter by tenant integration key
          in: query
          name: tenant_integration_key
          schema:
            type: string
        - description: Filter by user feedback status (can be repeated)
          in: query
          name: user_statuses
          schema:
            items:
              enum:
                - in_review
                - reviewed
              type: string
            type: array
      responses:
        '200':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/PaginatedInvestigationList'
          description: '<strong>Paginated list of investigations</strong>

            <br><br>

            Returns a paginated list of investigations. By default, only completed
            investigations

            (state=''success'') are returned. Use query parameters to filter by state,
            outcomes,

            priorities, date ranges, and more.

            <br><br>

            Use <code>next</code> and <code>previous</code>

            URLs in the response for easy page navigation.

            <br><br>

            If <code>light=true</code>, returns a subset of fields (InvestigationLight
            schema).

            '
        '400':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Bad request - invalid input
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System error
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
      security:
        - ApiKeyAuth: []
      tags:
        - investigation
  # Bulk feedback update: one `feedback` object plus a list of investigation
  # ids in a single PATCH. Authenticated via the ApiKeyAuth security scheme.
  /app/api/v1/investigation-bulk-feedback:
    patch:
      description: 'Bulk update investigation feedback

        <br>

        <br>

        <code>feedback.status</code> options:

        <ul>

        <li>In Review = <code>in_review</code></li> <li>Reviewed = <code>reviewed</code></li>

        </ul>

        <br>

        <code>feedback.outcome</code> options:

        <ul>

        <li>Malicious = <code>COMPLETED_BREACHED_CONFIRMED</code></li> <li>Suspicious
        = <code>COMPLETED_BREACHED_SUSPICIOUS</code></li> <li>Benign = <code>COMPLETED_FALSE_ALERT</code></li>
        <li>Inconclusive = <code>INCOMPLETE</code></li> <li>Ignored = <code>IGNORED</code></li>

        </ul>

        <code>feedback.priority</code> options:

        <ul>

        <li>Informational = <code>informational</code></li> <li>Notable = <code>notable</code></li>
        <li>Urgent = <code>urgent</code></li>

        </ul>

        '
      operationId: investigation_bulk_feedback_partial_update
      requestBody:
        content:
          application/json:
            schema:
              properties:
                # No `required` list inside feedback: every sub-field is
                # optional as far as this schema is concerned.
                feedback:
                  properties:
                    exclude_learning:
                      default: false
                      description: Set true to exclude from context memory generation
                      type: boolean
                    # Analyst verdict; the enum values map to the UI labels
                    # listed in the operation description.
                    outcome:
                      enum:
                        - COMPLETED_BREACHED_CONFIRMED
                        - COMPLETED_BREACHED_SUSPICIOUS
                        - COMPLETED_FALSE_ALERT
                        - INCOMPLETE
                        - IGNORED
                      type: string
                    # Free text with no maxLength declared; consumers that
                    # render it should treat it as untrusted input.
                    outcome_note:
                      type: string
                    priority:
                      enum:
                        - informational
                        - notable
                        - urgent
                      type: string
                    # Declared default is `reviewed`, so a bulk call that
                    # omits status is documented as marking the listed
                    # investigations reviewed.
                    status:
                      default: reviewed
                      enum:
                        - in_review
                        - reviewed
                      type: string
                  type: object
                # NOTE(review): ids are typed `number` here but `integer` for
                # the investigation_id path parameters of the user-notes
                # endpoints, and no minItems/maxItems is declared, so any
                # batch-size limit is not visible to clients; confirm the
                # server-side behaviour.
                investigation_ids:
                  items:
                    type: number
                  type: array
              required:
                - investigation_ids
                - feedback
              type: object
      responses:
        # NOTE(review): a single investigation_id is documented for a bulk
        # call; confirm what the server returns for multi-id requests.
        '200':
          content:
            application/json:
              schema:
                properties:
                  investigation_id:
                    type: number
                type: object
          description: Feedback updated
        # Unlike the other error bodies, 400 may also carry a structured
        # validation_error (json_path + message).
        '400':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                  validation_error:
                    properties:
                      json_path:
                        type: string
                      message:
                        type: string
                    type: object
                type: object
          description: Malformed request
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        # 403 uses a `detail` field where the other errors use `error_msg`.
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System error
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
      security:
        - ApiKeyAuth: []
      tags:
        - investigation-bulk-feedback
  # Adds a note to the investigation named by the integer path parameter.
  /app/api/v1/investigation-user-notes/{investigation_id}/create:
    post:
      description: Add a new investigation note
      operationId: investigation_user_notes_create_create
      parameters:
        - in: path
          name: investigation_id
          required: true
          schema:
            type: integer
      # The body schema has no `required` list and no length bound on `text`,
      # so an empty object validates against it; any limit is server-side.
      # Note text is user-supplied: escape it wherever notes are rendered.
      requestBody:
        content:
          application/json:
            schema:
              properties:
                text:
                  type: string
              type: object
      responses:
        # Success is documented as 200 (not 201) with the created note.
        '200':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/InvestigationNoteNested'
          description: New investigation note
        '400':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Bad request - invalid input
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        # 403 uses a `detail` field where the other errors use `error_msg`.
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System error
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
      security:
        - ApiKeyAuth: []
      tags:
        - investigation-user-notes
  # Lists the user notes attached to one investigation. No paging or filter
  # parameters are declared; the 200 body is a plain array.
  /app/api/v1/investigation-user-notes/{investigation_id}/list:
    get:
      description: List user notes for an investigation
      operationId: investigation_user_notes_list_retrieve
      parameters:
        - in: path
          name: investigation_id
          required: true
          schema:
            type: integer
      responses:
        '200':
          content:
            application/json:
              schema:
                items:
                  $ref: '#/components/schemas/InvestigationNoteNested'
                type: array
          description: Investigation user notes
        '400':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Bad request - invalid input
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        # 403 uses a `detail` field where the other errors use `error_msg`.
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        # NOTE(review): no 404 is declared for an unknown investigation_id;
        # confirm which status the server uses in that case.
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System error
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
      security:
        - ApiKeyAuth: []
      tags:
        - investigation-user-notes
  # Deletes a note addressed by its own id only; the parent investigation is
  # not part of the path.
  # NOTE(review): confirm the server checks that the caller may access the
  # note's investigation before deleting; the spec cannot express that.
  /app/api/v1/investigation-user-notes/{investigation_note_id}/delete:
    delete:
      description: Delete an investigation note
      operationId: investigation_user_notes_delete_destroy
      parameters:
        - in: path
          name: investigation_note_id
          required: true
          schema:
            type: integer
      responses:
        # Success is a 200 with no response body declared.
        '200':
          description: Delete success
        # No 400 response is declared here, unlike the create/list/update
        # operations on the same resource.
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        # 403 uses a `detail` field where the other errors use `error_msg`.
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        '404':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Resource not found
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System error
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
      security:
        - ApiKeyAuth: []
      tags:
        - investigation-user-notes
  # Partially updates a note addressed by its own id only; the parent
  # investigation is not part of the path.
  # NOTE(review): confirm the server checks that the caller may access the
  # note's investigation before updating; the spec cannot express that.
  /app/api/v1/investigation-user-notes/{investigation_note_id}/update:
    patch:
      description: Update an investigation note
      operationId: investigation_user_notes_update_partial_update
      parameters:
        - in: path
          name: investigation_note_id
          required: true
          schema:
            type: integer
      # `text` is the only documented field; it is optional and has no length
      # bound in this schema, so any limit is enforced server-side.
      requestBody:
        content:
          application/json:
            schema:
              properties:
                text:
                  type: string
              type: object
      responses:
        '200':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/InvestigationNoteNested'
          description: Updated investigation note
        '400':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Bad request - invalid input
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        # 403 uses a `detail` field where the other errors use `error_msg`.
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        # NOTE(review): no 404 is declared although the delete operation on
        # the same resource documents one; confirm the unknown-id status.
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System error
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
      security:
        - ApiKeyAuth: []
      tags:
        - investigation-user-notes
  # Submits an alert for investigation. 200 means an existing investigation
  # was matched, 201 means a new one was created; both return its id.
  /app/api/v1/investigation/create:
    post:
      description: 'Creates a new alert investigation, returning <code>investigation_id</code>

        <br><br>

        <i>Returns existing id if alert already exists (unless <code>force_reinvestigation=True</code>)</i>

        <br><br>

        <strong>Then:</strong> Use <code>GET /app/api/v1/investigation/{investigation_id}</code>
        for updates

        '
      operationId: investigation_create_create
      requestBody:
        content:
          application/json:
            schema:
              # NOTE(review): no `required` list, so even raw_alert_content
              # and schema_key are optional per this schema; confirm whether
              # the server rejects requests that omit them.
              properties:
                force_reinvestigation:
                  default: false
                  type: boolean
                # Free-form object: its structure is not constrained here, so
                # validation of alert content happens in the server.
                raw_alert_content:
                  type: object
                schema_key:
                  type: string
                # NOTE(review): typed `number` here but `integer` as the query
                # parameter of /app/api/v1/investigation/create/custom.
                # How a caller's key is bound to a tenant is not shown in
                # this spec; confirm the server checks the key against the
                # supplied tenant_union_id.
                tenant_union_id:
                  default: null
                  nullable: true
                  type: number
              type: object
      responses:
        '200':
          content:
            application/json:
              schema:
                properties:
                  investigation_id:
                    type: number
                type: object
          description: Existing investigation found
        '201':
          content:
            application/json:
              schema:
                properties:
                  investigation_id:
                    type: number
                type: object
          description: New investigation created
        '400':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Bad request - invalid input
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        # 403 uses a `detail` field where the other errors use `error_msg`.
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        # The alert was accepted syntactically but skipped; skip_reason says
        # why. Callers that must not lose alerts should handle this status
        # explicitly rather than treating it as a generic client error.
        '422':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                  skip_reason:
                    type: string
                type: object
          description: Alert skipped due to missing data (e.g., propagation delay)
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System error
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
      security:
        - ApiKeyAuth: []
      tags:
        - investigation
  # Accepts an arbitrary JSON object as the alert; the options travel in the
  # query string rather than in the body.
  /app/api/v1/investigation/create/custom:
    post:
      description: 'Request body = arbitrary alert JSON to be parsed & investigated

        <br><br>

        Response = <code>investigation_id</code> if successful, <code>error_msg</code>
        otherwise

        <br><br>

        <i>Returns existing id if alert already exists (unless <code>?force_reinvestigation=True</code>)</i>

        <br><br>

        <strong>Then:</strong> Use <code>GET /app/api/v1/investigation/{investigation_id}</code>
        for updates

        '
      operationId: investigation_create_custom_create
      parameters:
        # Neither query parameter is marked required, and no default is
        # declared for force_reinvestigation in this operation.
        - description: Force reinvestigation
          in: query
          name: force_reinvestigation
          schema:
            type: boolean
        # How a caller's key is bound to a tenant is not shown in this spec;
        # confirm the server checks the key against the supplied id.
        - description: Tenant union ID
          in: query
          name: tenant_union_id
          schema:
            type: integer
      # The schema is a bare `type: object`: no structural validation is
      # expressed here, so parsing and size limits live in the server (a 413
      # response is declared below).
      requestBody:
        content:
          application/json:
            schema:
              type: object
      responses:
        '200':
          content:
            application/json:
              schema:
                properties:
                  investigation_id:
                    type: number
                type: object
          description: Existing investigation found
        '201':
          content:
            application/json:
              schema:
                properties:
                  investigation_id:
                    type: number
                type: object
          description: New investigation created
        '400':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Bad request - invalid input
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        # 403 uses a `detail` field where the other errors use `error_msg`.
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        # NOTE(review): the body shape (error_msg + skip_reason) matches the
        # 422 of /app/api/v1/investigation/create; confirm skip_reason is
        # really returned with 413. The size threshold is not documented.
        '413':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                  skip_reason:
                    type: string
                type: object
          description: Content Too Large
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System error
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
      security:
        - ApiKeyAuth: []
      tags:
        - investigation
  # Fetches one investigation; clients poll this after a create call and
  # read investigation.status for progress (values listed in the 200
  # description).
  /app/api/v1/investigation/{investigation_id}:
    get:
      description: Returns an alert investigation
      operationId: investigation_retrieve_2
      parameters:
        # NOTE(review): typed `string` here, while investigation_id is
        # `integer` on the user-notes and evidence-data paths; confirm which
        # the server accepts and validate accordingly.
        - in: path
          name: investigation_id
          required: true
          schema:
            type: string
        - description: If true, returns a lightweight response with fewer fields (no
            alert, no findings)
          in: query
          name: light
          schema:
            default: false
            type: boolean
      responses:
        # The declared schema is always Investigation; the description says a
        # light=true response follows InvestigationLight instead, so typed
        # clients should not assume the full field set.
        '200':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Investigation'
          description: "Investigation data object. For progress: <code>investigation.status=</code>\n\
            <ul>\n  <li>\n      <code>not_asked</code> : queued\n  </li>\n  <li>\n\
            \      <code>loading</code> : running AI analyst\n  </li>\n  <li>\n  \
            \    <code>success</code> : AI analyst finished with result\n  </li>\n\
            \  <li>\n      <code>error</code> : AI analyst finished with error\n \
            \     — See <code>investigation.error_msg</code>\n  </li>\n</ul>\n<br><br>\n\
            If <code>light=true</code>, returns a subset of fields (InvestigationLight\
            \ schema).\n"
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        # 403 uses a `detail` field where the other errors use `error_msg`.
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        '404':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Resource not found
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System error
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
      security:
        - ApiKeyAuth: []
      tags:
        - investigation
  # Fetches one evidence-data object, addressed by the pair
  # (investigation_id, evidence_data_id); both are required integers.
  # NOTE(review): confirm the server verifies that evidence_data_id belongs
  # to investigation_id and that the caller may read that investigation.
  /app/api/v1/investigation/{investigation_id}/evidence-data/{evidence_data_id}:
    get:
      description: 'Returns the requested evidence data for a specific investigation.

        '
      operationId: investigation_evidence_data_retrieve
      parameters:
        - description: The evidence data ID
          in: path
          name: evidence_data_id
          required: true
          schema:
            type: integer
        - description: The investigation ID
          in: path
          name: investigation_id
          required: true
          schema:
            type: integer
      responses:
        '200':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/EvidenceData'
          description: Evidence data object
        '400':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Bad request - invalid input
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        # 403 uses a `detail` field where the other errors use `error_msg`.
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        '404':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Resource not found
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System error
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
      security:
        - ApiKeyAuth: []
      tags:
        - investigation
  # Credential check: takes no parameters and returns 200 when the API key
  # is accepted. Useful as a pre-flight test before calling other endpoints.
  /app/api/v1/ping:
    get:
      description: Tests API key, returns 200 if successful
      operationId: ping_retrieve
      responses:
        '200':
          content:
            application/json:
              schema:
                properties:
                  message:
                    type: string
                  # NOTE(review): what server_root contains is not described
                  # here; confirm it exposes nothing beyond what a key holder
                  # already knows (e.g. internal hostnames or paths).
                  server_root:
                    type: string
                type: object
          description: Ping/auth success
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        # 403 uses a `detail` field where the other errors use `error_msg`.
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System error
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
      security:
        - ApiKeyAuth: []
      tags:
        - ping
  /app/api/v1/response-actions:
    # Lists response actions as an unpaginated array of
    # ResponseScriptSerializerForUI objects.
    get:
      description: List all response actions
      operationId: response_actions_list_external
      parameters:
        # The description states a default of false, but the schema declares
        # no `default`, so generated clients will not see one.
        - description: 'Filter by archived status (default: false)'
          in: query
          name: is_archived
          schema:
            type: boolean
      responses:
        # NOTE(review): whether the listed objects include each action's
        # `code` depends on ResponseScriptSerializerForUI, which is defined
        # outside this section; confirm read access is scoped accordingly.
        '200':
          content:
            application/json:
              schema:
                items:
                  $ref: '#/components/schemas/ResponseScriptSerializerForUI'
                type: array
          description: List of response actions
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        # 403 uses a `detail` field where the other errors use `error_msg`.
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System error
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
      security:
        - ApiKeyAuth: []
      tags:
        - response-actions
    # Creates a response action bound to a trigger definition. display_name
    # and trigger_def_uuid are required; code is optional.
    post:
      description: Create a new response action
      operationId: response_actions_create_external
      requestBody:
        content:
          application/json:
            schema:
              properties:
                # NOTE(review): presumably the action's script source (the
                # response schema is named ResponseScriptSerializerForUI). If
                # so, any key allowed to call this endpoint can define code
                # the platform may later run: restrict which keys reach it,
                # and audit create calls. TODO confirm.
                code:
                  type: string
                display_name:
                  type: string
                trigger_def_uuid:
                  format: uuid
                  type: string
              required:
                - display_name
                - trigger_def_uuid
              type: object
      responses:
        '201':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ResponseScriptSerializerForUI'
          description: Response action created successfully
        '400':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Bad request - invalid input
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        # 403 uses a `detail` field where the other errors use `error_msg`.
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System error
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
      security:
        - ApiKeyAuth: []
      tags:
        - response-actions
  /app/api/v1/response-actions/secrets:
    # Lists response-action secrets as an unpaginated array. The operation
    # description promises metadata only; that guarantee rests on the
    # ResponseScriptSecret schema, which is defined outside this section.
    get:
      description: List all response action secrets (metadata only, values are not
        exposed)
      operationId: response_action_secrets_list_external
      responses:
        # NOTE(review): confirm ResponseScriptSecret carries no value field,
        # so the "values are not exposed" statement holds for this response.
        '200':
          content:
            application/json:
              schema:
                items:
                  $ref: '#/components/schemas/ResponseScriptSecret'
                type: array
          description: List of secrets
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        # 403 uses a `detail` field where the other errors use `error_msg`.
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System error
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
      security:
        - ApiKeyAuth: []
      tags:
        - response-actions
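    # Creates a response-action secret. The request carries the plaintext
    # value; the 201 body is ResponseScriptSecret (defined outside this
    # section), which the GET operations on this path describe as metadata
    # only.
    post:
      description: Create a new response action secret
      operationId: response_action_secrets_create_external
      requestBody:
        content:
          application/json:
            schema:
              properties:
                key:
                  description: Secret key/name (must be unique)
                  type: string
                value:
                  description: Secret value
                  # `password` is a display hint so documentation UIs and
                  # form generators mask the field; `writeOnly` marks it as
                  # request-only, matching the "values are not exposed"
                  # statement on the read operations.
                  format: password
                  type: string
                  writeOnly: true
              required:
                - key
                - value
              type: object
      responses:
        '201':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ResponseScriptSecret'
          description: Secret created successfully
        # NOTE(review): the key must be unique, but no 409 is declared;
        # presumably a duplicate key is reported as 400. Confirm.
        '400':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Bad request - invalid input
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        # 403 uses a `detail` field where the other errors use `error_msg`.
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System error
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
      security:
        - ApiKeyAuth: []
      tags:
        - response-actions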
  /app/api/v1/response-actions/secrets/{secret_id}:
    # Deletes one response-action secret by its integer id. Success is a 204
    # with no body; an unknown id is documented as 404.
    # NOTE(review): whether response actions that still reference the secret
    # block the delete is not expressed here; confirm before relying on it.
    delete:
      description: Delete a response action secret
      operationId: response_action_secret_destroy_external
      parameters:
        - in: path
          name: secret_id
          required: true
          schema:
            type: integer
      responses:
        '204':
          description: Secret deleted successfully
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        # 403 uses a `detail` field where the other errors use `error_msg`.
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        '404':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Resource not found
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System error
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
      security:
        - ApiKeyAuth: []
      tags:
        - response-actions
    get:
      description: Get a response action secret by ID (metadata only, value is not
        exposed)
      operationId: response_action_secret_retrieve_external
      parameters:
        - in: path
          name: secret_id
          required: true
          schema:
            type: integer
      responses:
        '200':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ResponseScriptSecret'
          description: Secret details
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        '404':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Resource not found
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System error
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
      security:
        - ApiKeyAuth: []
      tags:
        - response-actions
    patch:
      description: Update a response action secret
      operationId: response_action_secret_update_external
      parameters:
        - in: path
          name: secret_id
          required: true
          schema:
            type: integer
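      # Partial-update body for a stored secret: no `required` list is declared,
      # so the schema accepts a body with either property, both, or neither.
      requestBody:
        content:
          application/json:
            schema:
              properties:
                key:
                  description: New secret key/name
                  type: string
                # The secret material itself. `format: password` lets generated
                # docs and clients mask the field, and `writeOnly` records that
                # it is accepted in requests but is not part of any response.
                # NOTE(review): the 200 response of this operation references
                # ResponseScriptSecret, which is defined outside this section -
                # confirm that schema carries no `value` property.
                value:
                  description: New secret value
                  format: password
                  type: string
                  writeOnly: true
              type: object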
      responses:
        '200':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ResponseScriptSecret'
          description: Secret updated successfully
        '400':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Bad request - invalid input
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        '404':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Resource not found
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System error
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
      security:
        - ApiKeyAuth: []
      tags:
        - response-actions
  /app/api/v1/response-actions/test:
    post:
      description: Execute a test run of a response action script without saving to
        database. Useful for testing and debugging scripts before deployment.
      operationId: response_actions_test_create
      # Body of the test-run request; both properties are listed as required.
      requestBody:
        content:
          application/json:
            schema:
              properties:
                # Caller-supplied Python source that the server executes for
                # this request (per the operation description, the run is not
                # saved to the database).
                # NOTE(review): the spec does not describe the isolation, time
                # or resource limits applied to the run - confirm them, and
                # that this operation is limited to principals allowed to
                # author response actions.
                # NOTE(review): stdout/stderr are returned in the 200 and 422
                # bodies - confirm that stored response-action secret values
                # cannot surface there, or are redacted.
                script_code:
                  description: The Python code to execute
                  type: string
                # Free-form object; its shape is not constrained by this schema.
                trigger_args:
                  description: Arguments to pass to the script (depends on trigger
                    type)
                  type: object
              required:
                - script_code
                - trigger_args
              type: object
      responses:
        '200':
          content:
            application/json:
              schema:
                properties:
                  status:
                    description: Execution status
                    type: string
                  stderr:
                    description: Standard error from script execution
                    type: string
                  stdout:
                    description: Standard output from script execution
                    type: string
                type: object
          description: Test run completed successfully
        '400':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Bad request - invalid input
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        '422':
          content:
            application/json:
              schema:
                properties:
                  status:
                    type: string
                  stderr:
                    type: string
                  stdout:
                    type: string
                type: object
          description: Script execution failed
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System error
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
      security:
        - ApiKeyAuth: []
      tags:
        - response-actions
  /app/api/v1/response-actions/triggers:
    get:
      description: List available response triggers for action creation
      operationId: response_actions_triggers_retrieve
      responses:
        '200':
          content:
            application/json:
              schema:
                items:
                  $ref: '#/components/schemas/ResponseTriggerDef'
                type: array
          description: List of available triggers
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System error
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
      security:
        - ApiKeyAuth: []
      tags:
        - response-actions
  /app/api/v1/response-actions/{script_id}:
    delete:
      description: Archive (soft delete) a response action. Deletes unreferenced versions.
      operationId: response_action_destroy_external
      parameters:
        - in: path
          name: script_id
          required: true
          schema:
            type: integer
      responses:
        '204':
          description: Response action archived successfully
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        '404':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Resource not found
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System error
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
      security:
        - ApiKeyAuth: []
      tags:
        - response-actions
    get:
      description: Get response action details with version and run counts
      operationId: response_action_retrieve_external
      parameters:
        - in: path
          name: script_id
          required: true
          schema:
            type: integer
      responses:
        '200':
          content:
            application/json:
              schema:
                properties:
                  counts:
                    properties:
                      run:
                        type: integer
                      version:
                        type: integer
                    type: object
                  latest:
                    properties:
                      run:
                        type: object
                      version:
                        type: object
                    type: object
                type: object
          description: Response action details with counts and latest version/run
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        '404':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Resource not found
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System error
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
      security:
        - ApiKeyAuth: []
      tags:
        - response-actions
    patch:
      description: Update response action properties
      operationId: response_action_update_external
      parameters:
        - in: path
          name: script_id
          required: true
          schema:
            type: integer
      requestBody:
        content:
          application/json:
            schema:
              properties:
                display_name:
                  type: string
                is_enabled:
                  type: boolean
                trigger_def_uuid:
                  format: uuid
                  type: string
              type: object
      responses:
        '200':
          description: Response action updated successfully
        '400':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Bad request or cannot update archived action
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        '404':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Resource not found
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System error
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
      security:
        - ApiKeyAuth: []
      tags:
        - response-actions
  /app/api/v1/response-actions/{script_id}/runs:
    get:
      description: List all runs for a response action
      operationId: response_actions_runs_retrieve
      parameters:
        - in: path
          name: script_id
          required: true
          schema:
            type: integer
      responses:
        '200':
          content:
            application/json:
              schema:
                items:
                  $ref: '#/components/schemas/ResponseScriptRunSerializerForUI'
                type: array
          description: List of response action runs
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        '404':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Resource not found
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System error
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
      security:
        - ApiKeyAuth: []
      tags:
        - response-actions
  /app/api/v1/system-events/list:
    get:
      description: List system events for each trigger run batch
      operationId: system_events_list_retrieve
      # Query filters for the system-events listing; none is marked required.
      parameters:
        # Typed as a plain string: the description says ISO format, but no
        # `format` keyword is declared, so schema validation alone will not
        # reject a malformed date (same for event_until below).
        - description: Filter by event date from (ISO format)
          in: query
          name: event_from
          schema:
            type: string
        - description: Filter by event name
          in: query
          name: event_name
          schema:
            type: string
        - description: Filter by event date until (ISO format)
          in: query
          name: event_until
          schema:
            type: string
        - description: Filter by integration slug
          in: query
          name: integration_slug
          schema:
            type: integer
        # No `minimum`/`maximum` is declared for limit or offset.
        # NOTE(review): confirm the server caps the page size and rejects
        # negative values, since the schema does not.
        - description: Number of results per page
          in: query
          name: limit
          schema:
            type: integer
        - description: Number of results to skip
          in: query
          name: offset
          schema:
            type: integer
        # Free-text match over trigger arguments; no `maxLength` is declared.
        - description: Search in trigger arguments
          in: query
          name: search
          schema:
            type: string
        # NOTE(review): confirm results are scoped to what the calling API key
        # may see regardless of the user_id supplied here.
        - description: Filter by user ID
          in: query
          name: user_id
          schema:
            type: integer
      responses:
        '200':
          content:
            application/json:
              schema:
                properties:
                  count:
                    type: integer
                  results:
                    items:
                      properties:
                        enriched_context:
                          type: object
                        enriched_context_date:
                          type: string
                        event_date:
                          type: string
                        event_name:
                          type: string
                        id:
                          type: integer
                        original_metadata:
                          type: object
                      type: object
                    type: array
                type: object
          description: System events list
        '400':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Bad request - invalid input
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System error
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
      security:
        - ApiKeyAuth: []
      tags:
        - system-events
  /app/api/v1/threat-intel/collections:
    get:
      description: List all threat intelligence collections
      operationId: threat_intel_list_external
      responses:
        '200':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ThreatIntelCollectionList'
          description: List of threat intelligence collections
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System error
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
      security:
        - ApiKeyAuth: []
      tags:
        - threat-intel
    post:
      description: 'Create a new threat intelligence collection.


        **Collection Name:**

        If omitted and a file is provided, the filename (without extension) will be
        used. If no file is provided, collection_name is required.


        **Supported Formats:**

        - Single STIX JSON file (.json)

        - Compressed tar/zip archives (.tar.gz, .tgz, .zip) containing multiple STIX
        files


        **Size Limits:**

        - File size: 100.0MB max

        '
      operationId: threat_intel_create_external
      # Multipart upload body. No `required` list is declared, so the schema
      # itself allows either property to be absent.
      requestBody:
        content:
          multipart/form-data:
            schema:
              properties:
                # When omitted, the name is taken from the uploaded filename,
                # which the client controls.
                # NOTE(review): confirm the derived name goes through the same
                # validation as an explicitly supplied collection_name.
                collection_name:
                  description: Collection name (optional, defaults to filename)
                  example: My Threat Feed
                  type: string
                # NOTE(review): the operation description also lists .zip
                # archives; this property description mentions only tar.
                # NOTE(review): the stated 100.0MB limit is on the uploaded
                # file. The spec gives no limit on expanded archive size or
                # member count and does not say how member paths are treated -
                # confirm the importer bounds decompression and never uses
                # archive member paths or links as filesystem locations.
                file:
                  description: STIX JSON file or compressed tar archive
                  format: binary
                  type: string
              type: object
      responses:
        '201':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ImportResult'
          description: Successfully processed
        '400':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Bad request - missing file, invalid collection name, or invalid
            MIME type
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        '409':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Conflict - duplicate file (already uploaded in last 5 minutes)
            or collection limit exceeded
        '413':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: File too large - exceeds 100.0MB
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Internal server error - file processing failed or file save
            failed during async upload
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
        '507':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Insufficient storage space on server
      security:
        - ApiKeyAuth: []
      tags:
        - threat-intel
  /app/api/v1/threat-intel/collections/bulk-delete:
    post:
      description: Bulk delete threat intelligence collections (marks as deleted,
        does not permanently remove). Skips non-existent and already-deleted collections.
      operationId: threat_intel_bulk_delete_external
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/BulkDeleteCollectionsRequest'
        required: true
      responses:
        '200':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/BulkDeleteCollectionsResponse'
          description: Bulk delete completed
        '400':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Bad request - missing or invalid collection_ids
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System error
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
      security:
        - ApiKeyAuth: []
      tags:
        - threat-intel
  /app/api/v1/threat-intel/collections/{collection_id}:
    delete:
      description: Delete a threat intelligence collection (marks as deleted, does
        not permanently remove)
      operationId: threat_intel_destroy_external
      parameters:
        - in: path
          name: collection_id
          required: true
          schema:
            format: uuid
            type: string
      responses:
        '204':
          description: Collection deleted successfully
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        '404':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Collection not found
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System error
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
      security:
        - ApiKeyAuth: []
      tags:
        - threat-intel
    # Read-only lookup of one threat intelligence collection, selected by the
    # collection_id path parameter; the 200 body is a ThreatIntelCollection.
    get:
      description: Get details for a specific threat intelligence collection.
      operationId: threat_intel_retrieve_external
      # `format: uuid` is a schema annotation only; the server still has to
      # reject malformed ids itself rather than rely on clients honoring it.
      parameters:
        - in: path
          name: collection_id
          required: true
          schema:
            format: uuid
            type: string
      # None of the inline error schemas below list a `required` field, so per
      # this spec the error body may legally be an empty object; clients should
      # branch on the status code, not on the presence of error_msg/detail.
      responses:
        '200':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ThreatIntelCollection'
          description: 'Collection details. The file_info field is a dictionary keyed
            by filename. Each value is either a SingleFileInfo (for single files)
            or ArchiveFileInfo (for archives), determined by the ''type'' field. All
            file types include indicators_skipped count. ArchiveFileInfo includes
            detailed filename tracking: files_parsed (successfully parsed), files_errored
            (had errors), files_skipped (skipped entirely), and files_warning (partial
            success - imported some indicators but also had errors or skipped indicators).'
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        # NOTE(review): this body uses `detail` while every other error response
        # of this operation uses `error_msg`; clients must handle both keys.
        # NOTE(review): a 403 distinct from the 404 below lets an authenticated
        # caller tell "exists but forbidden" from "does not exist" - confirm
        # that distinction is intended for collections the caller cannot access.
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        '404':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Resource not found
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System error
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
      # The only accepted scheme is ApiKeyAuth, referenced by name; the empty
      # list means no scopes are requested. The scheme itself is presumably
      # declared under components/securitySchemes - verify there how the key
      # is transported (header, query or cookie).
      security:
        - ApiKeyAuth: []
      tags:
        - threat-intel
  /app/api/v1/threat-intel/collections/{collection_id}/files:
    # Destructive upload: replaces the entire content of the collection named
    # by collection_id with one uploaded STIX 2.x JSON file or tar archive.
    # NOTE(review): the spec does not say whether a failed import (500/507)
    # leaves the previous collection content intact - confirm and document.
    put:
      description: 'Replace all files in a threat intelligence collection with a new
        STIX 2.x file or compressed archive.


        This endpoint replaces all existing collection content with the uploaded data.


        **Supported Formats:**

        - Single STIX JSON file (.json)

        - Compressed tar archives (.tar.gz, .tgz) containing multiple STIX files


        **Size Limits:**

        - File size: 100.0MB max

        '
      operationId: threat_intel_files_replace_external
      # `format: uuid` is a schema annotation only; the server still has to
      # reject malformed ids itself rather than rely on clients honoring it.
      parameters:
        - in: path
          name: collection_id
          required: true
          schema:
            format: uuid
            type: string
      # One required multipart part named `file`, typed as opaque binary. The
      # schema cannot express the format or size rules; those come from the
      # description above and the 400/413 responses below.
      # NOTE(review): the documented 100.0MB limit is on the uploaded file.
      # Nothing here states a bound on the expanded size or entry count of a
      # .tar.gz/.tgz archive, or how entry names and link entries are treated.
      # Confirm the importer caps decompressed output and never derives
      # filesystem paths from archive entry names.
      requestBody:
        content:
          multipart/form-data:
            schema:
              properties:
                file:
                  description: STIX JSON file or compressed tar archive
                  format: binary
                  type: string
              required:
                - file
              type: object
      # None of the inline error schemas below list a `required` field, so per
      # this spec the error body may legally be an empty object; clients should
      # branch on the status code, not on the presence of error_msg/detail.
      responses:
        '200':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ImportResult'
          description: Successfully processed
        # NOTE(review): the MIME type of a multipart part is supplied by the
        # client. Confirm the server also validates the content itself (JSON
        # parse, gzip/tar structure) rather than trusting the declared type.
        '400':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Bad request - missing file or invalid MIME type
        '401':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Unauthorized
        # NOTE(review): this body uses `detail` while every other error response
        # of this operation uses `error_msg`; clients must handle both keys.
        '403':
          content:
            application/json:
              schema:
                properties:
                  detail:
                    type: string
                type: object
          description: Access denied
        '404':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Collection not found
        # Size rejection; the 100.0MB figure repeats the limit stated in the
        # operation description.
        '413':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: File too large - exceeds 100.0MB
        # NOTE(review): the description mentions an async upload, but this
        # operation documents only a synchronous 200 and no 202 or status
        # polling response - confirm which processing model applies.
        '500':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Internal server error - file processing failed or file save
            failed during async upload
        '503':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: System not ready for requests
        '507':
          content:
            application/json:
              schema:
                properties:
                  error_msg:
                    type: string
                type: object
          description: Insufficient storage space on server
      # The only accepted scheme is ApiKeyAuth, referenced by name; the empty
      # list means no scopes are requested, so this spec does not distinguish
      # read access from the right to replace a collection. Any such
      # separation is presumably enforced server-side (see 403) - verify.
      security:
        - ApiKeyAuth: []
      tags:
        - threat-intel
