Get all risk events
/api/v1/events/riskevents
Request
- application/json
- applicationInstanceId (optional): string
  The application instance ID. The default is to retrieve all application instances.
- applicationInstanceName (optional): string
  The application instance name. The default is to retrieve all application names.
- applicationType (optional): string
  The application type. The default is to retrieve all application types. Allowed values:
  [ "BOX", "AWS", "SFDC", "GITHUB", "SERVICENOW", "O365", "GOOGLEAPPS", "CUSTOMAPP", "RACKSPACE", "HCMCLOUD", "SLACK", "ERPCLOUD", "SALESCLOUD" ]
- category (optional): string
  The risk event category. The default is to retrieve all risk event categories. Allowed values:
  [ "Anomalous activity", "Security control", "Policy alert", "Monitoring stopped" ]
- endDate (optional): string
  End date indicating the time up to which events are searched. The default is to retrieve risk events up to the present moment. The format for endDate is yyyy-MM-dd'T'HH:mm:ss.S.
- markerPosition (optional): string
  Marker position, indicating pagination, from which to begin retrieving the next set of events. The default is to retrieve risk events from the beginning of the tenant's history.
- pagesize: integer(int32)
  Page size in number of events. The maximum value allowed is 100.
- priority (optional): string
  Event priority, such as High, Medium, or Low. The default is to return all priorities. Allowed values:
  [ "High", "Medium", "Low" ]
- startDate: string
  Start date indicating the time from which events are searched. The format for startDate is yyyy-MM-dd'T'HH:mm:ss.S.
- status (optional): string
  Event status, such as Open or Resolved. The default is to return both. Allowed values:
  [ "Open", "Resolve" ]
- Authorization: string
  Contains the authorization token received from the create token API call. The format is 'Bearer' followed by the token, which starts with v2.
- X-Apprity-Tenant-Id: string
  The tenant ID for which you are making this call.
Response
- application/json
- application/gzip
200 Response
object
- maxCount (optional): integer(int32)
  Maximum number of rows returned.
- nextMarkerPosition (optional): string
  Marker position, indicating pagination, to fetch the next set of risk details.
- riskevents (optional): array riskevents
  List of risk events.
- size (optional): integer(int32)
  Number of records returned by the query.
- tenantId (optional): string
  Tenant name for which risk events are to be returned.
riskevents element: object
- additionalDetails (optional): array additionalDetails
- appinstance (optional): string
- appinstanceid (optional): string
- appname (optional): string
- assignee (optional): string
- category (optional): string
- comments (optional): array comments
- createdon (optional): string(date-time)
- eventresourcedetails (optional): string
- eventresourcedetailstype (optional): string
- id (optional): string
- lastevent (optional): string(date-time)
- logid (optional): string
- priority (optional): string
- realeventtime (optional): string(date-time)
- resolvedetails (optional): string
- snapdate (optional): string
- status (optional): string
- title (optional): string
- uri (optional): string
400, 401, 403, 404, 412 and 500 Responses
object (the same schema is returned for each of these status codes)
- code (optional): string
  HTTP Status Code.
- message (optional): string
  The error message.
Examples
The following examples show how to retrieve all risk events, or a subset of them, by submitting a GET request.
Example Response Body
The following example shows the contents of the response body in JSON format:
{
  "riskevents" : [
    {
      "id" : "aa1eab35-6d84-3f5a-a9b5-3e1509bad244",
      "uri" : "/v1/events/riskevent?eventId=aa1eab35-6d84-3f5a-a9b5-3e1509bad244&applicationInstanceId=5786ed4c-3527-413d-9d19-da93d0f065c8",
      "appname" : "AWS",
      "appinstance" : "awse2e_01",
      "appinstanceid" : "64909d3d-3855-5de1-49ed-6452ae9f6365",
      "snapdate" : "2017-10-25",
      "title" : "DeleteSecurityGroup action in EC2 SecurityGroup \"JKSecurityGroup\"",
      "additionalDetails" : [
        {
          "Details" : [
            { "name" : "Actor", "value" : "funct_test_nonservice" },
            { "name" : "Resource type", "value" : "EC2 SecurityGroup" },
            { "name" : "Group", "value" : "JKSecurityGroup" },
            { "name" : "Resource name", "value" : "[JKSecurityGroup]" },
            { "name" : "Action", "value" : "DeleteSecurityGroup" },
            { "name" : "Policy alert name", "value" : "EC2 - Instances Network Routes Network ACL VPN and Security Group changes" },
            { "name" : "Occurred", "value" : "2017-10-25T17:17:29Z" },
            { "name" : "recommendationkey", "value" : "AWS~PolicyAlert~ec2deletesecuritygroup" }
          ],
          "Logdata" : "{\"requestParameters\" :{\"groupName\" :\"JKSecurityGroup\"},\"responseElements\" :{\"_return\" :true},\"eventVersion\" :\"1.05\",\"eventTime\" :\"2017-10-25T17:17:29Z\",\"eventSource\" :\"ec2.amazonaws.com\",\"eventName\" :\"DeleteSecurityGroup\",\"awsRegion\" :\"us-east-1\",\"sourceIPAddress\" :\"54.191.225.186\",\"userAgent\" :\"aws-sdk-java/1.10.54 Linux/3.13.0-35-generic Java_HotSpot(TM)_64-Bit_Server_VM/25.60-b23/1.8.0_60\",\"userIdentity\" :{\"type\" :\"IAMUser\",\"principalId\" :\"AIDAJVECQI6KOIYZMM42A\",\"arn\" :\"arn:aws:iam::141111462111:user/funct_test_nonservice\",\"accountId\" :\"141111462111\",\"accessKeyId\" :\"AKIAJM4J6OYTZDBHN3KA\",\"userName\" :\"funct_test_nonservice\"},\"requestID\" :\"bc44cd99-fac7-4e6c-8868-382c26fc95ee\",\"eventID\" :\"664d6fa8-8bdf-4bda-af5c-55d447620a78\"}"
        }
      ],
      "category" : "Policy alert",
      "priority" : "High",
      "status" : "Open",
      "createdon" : "2017-10-25T17:33:55.000Z",
      "realeventtime" : "2017-10-25T17:17:29.000Z"
    },
    {
      "id" : "1b098639-8965-3f0d-aa2b-5c92ef23ad2e",
      "uri" : "/v1/events/riskevent?eventId=1b098639-8965-3f0d-aa2b-5c92ef23ad2e&applicationInstanceId=5786ed4c-3527-413d-9d19-da93d0f065c8",
      "appname" : "AWS",
      "appinstance" : "awse2e_01",
      "appinstanceid" : "e4dc5876-7253-3d41-911d-0f065c8da93d",
      "snapdate" : "2017-10-25",
      "title" : "DeleteVpnConnection action in EC2 VPN \"vpn-de0d1fbf\"",
      "additionalDetails" : [
        {
          "Details" : [
            { "name" : "Actor", "value" : "funct_test_nonservice" },
            { "name" : "Resource type", "value" : "EC2 VPN" },
            { "name" : "Resource name", "value" : "[vpn-de0d1fbf]" },
            { "name" : "Action", "value" : "DeleteVpnConnection" },
            { "name" : "Policy alert name", "value" : "EC2 - Instances Network Routes Network ACL VPN and Security Group changes" },
            { "name" : "Occurred", "value" : "2017-10-25T17:17:44Z" },
            { "name" : "recommendationkey", "value" : "AWS~PolicyAlert~ec2deletevpnconnection" }
          ],
          "Logdata" : "{\"requestParameters\" :{\"vpnConnectionId\" :\"vpn-de0d1fbf\"},\"responseElements\" :{\"requestId\" :\"df6729be-ccdb-4839-9c2e-25ed48d64908\",\"_return\" :true},\"eventVersion\" :\"1.05\",\"eventTime\" :\"2017-10-25T17:17:44Z\",\"eventSource\" :\"ec2.amazonaws.com\",\"eventName\" :\"DeleteVpnConnection\",\"awsRegion\" :\"us-east-1\",\"sourceIPAddress\" :\"54.191.225.186\",\"userAgent\" :\"aws-sdk-java/1.10.54 Linux/3.13.0-35-generic Java_HotSpot(TM)_64-Bit_Server_VM/25.60-b23/1.8.0_60\",\"userIdentity\" :{\"type\" :\"IAMUser\",\"principalId\" :\"AIDAJVECQI6KOIYZMM42A\",\"arn\" :\"arn:aws:iam::141111462111:user/funct_test_nonservice\",\"accountId\" :\"141111462111\",\"accessKeyId\" :\"AKIAJM4J6OYTZDBHN3KA\",\"userName\" :\"funct_test_nonservice\"},\"requestID\" :\"df6729be-ccdb-4839-9c2e-25ed48d64908\",\"eventID\" :\"4c0d0878-ad12-48d6-b82d-d09d413077ae\"}"
        }
      ],
      "category" : "Policy alert",
      "priority" : "High",
      "status" : "Open",
      "createdon" : "2017-10-25T17:33:56.000Z",
      "realeventtime" : "2017-10-25T17:17:44.000Z"
    }
  ],
  "tenantId" : "abcdefgh-1234-ijkl-5678-mnopqrstuvwx",
  "nextMarkerPosition" : "1508952846000",
  "maxCount" : 100,
  "size" : 10
}
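As an added example (not part of the Oracle documentation), the following Python flattens one page of this response into SIEM-ready records. The sample body is constructed from the example above; the Logdata field is a JSON document serialised as a string inside the JSON body, so it is parsed a second time and flagged, rather than dropped, when it does not parse.

```python
import json
# Constructed sample modelled on the example response body above (not live tenant
# data). Logdata is a JSON document serialised as a string inside the JSON body.
SAMPLE_RESPONSE = {
    "riskevents": [{
        "id": "aa1eab35-6d84-3f5a-a9b5-3e1509bad244", "appname": "AWS",
        "appinstance": "awse2e_01", "category": "Policy alert", "priority": "High",
        "status": "Open", "realeventtime": "2017-10-25T17:17:29.000Z",
        "title": "DeleteSecurityGroup action in EC2 SecurityGroup \"JKSecurityGroup\"",
        "additionalDetails": [{
            "Details": [{"name": "Actor", "value": "funct_test_nonservice"},
                        {"name": "Action", "value": "DeleteSecurityGroup"}],
            "Logdata": json.dumps({
                "eventName": "DeleteSecurityGroup", "awsRegion": "us-east-1",
                "sourceIPAddress": "54.191.225.186",
                "userIdentity": {"type": "IAMUser",
                                 "arn": "arn:aws:iam::141111462111:user/funct_test_nonservice"}}),
        }],
    }],
    "size": 1,
}

TOP_LEVEL = ("id", "appname", "appinstance", "category", "priority", "status",
             "title", "realeventtime")

def normalize_event(ev):
    """Flatten one risk event into a single-level dict suitable for a SIEM."""
    rec = {k: ev.get(k) for k in TOP_LEVEL}
    for block in ev.get("additionalDetails", []):
        # Details is a list of {name, value} pairs; key each by a normalised name.
        for pair in block.get("Details", []):
            rec["detail." + pair["name"].lower().replace(" ", "_")] = pair["value"]
        raw = block.get("Logdata")
        if not raw:
            continue
        try:
            log = json.loads(raw)               # the embedded CloudTrail-style record
        except json.JSONDecodeError:
            rec["logdata.parse_error"] = True   # keep the event, flag the bad payload
            continue
        rec["log.event_name"] = log.get("eventName")
        rec["log.source_ip"] = log.get("sourceIPAddress")
        rec["log.region"] = log.get("awsRegion")
        rec["log.actor_arn"] = log.get("userIdentity", {}).get("arn")
    return rec

def normalize_response(body):
    """Normalise every event in one page of the riskevents response."""
    return [normalize_event(ev) for ev in body.get("riskevents", [])]
```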
Paging Risk Events if More Than 100 Are Returned
The maximum number of risk events that can be returned in a single response is 100. This example shows how to make sure that you retrieve all the risk events, whether or not the total is greater than 100. If there are more than 100 risk events, each response returns nextMarkerPosition, which is then passed as markerPosition in the subsequent request.
import requests
import json

def getRiskEvents():
    auth_t = '<token_id>'     ### add tokenId
    tenantId = '<tenant_id>'  ### add tenantId
    headers = {
        'content-type' : "application/json",
        'cache-control' : "no-cache",
        'X-Apprity-Tenant-Id' : tenantId,
        'Authorization' : 'Bearer ' + auth_t
    }
    # This URL should point to the endpoint where the tenant has been created for the customer.
    riskEventUrlTest = "https://<CASB-STACK>.casb.ocp.oraclecloud.com/api/v1/events/riskevents"
    startDate = "2019-09-11T15:37:39.000Z"
    nextMarkerPosition = ''
    polling = 'no'
    totalRecords = 0
    noOfCallsToCasb = 1
    while True:
        if (polling == "no"):
            # First call: search forward from startDate
            params = {
                'pagesize' : "100",
                'startDate' : startDate
            }
        elif (polling == "yes"):
            # Subsequent calls: resume from the marker returned with the previous page
            params = {
                'pagesize' : "100",
                'markerPosition' : nextMarkerPosition
            }
        print("Number of calls to CASB: " + str(noOfCallsToCasb))
        print("Total Records: " + str(totalRecords))
        noOfCallsToCasb += 1
        response = requests.get(riskEventUrlTest, params=params, headers=headers)
        print("Response Status Code: " + str(response.status_code))
        response.raise_for_status()   # stop on 4xx/5xx rather than treating an error body as a page
        rawJsonFromCASBResp = json.loads(response.content.decode('utf-8'))
        print(" ============ =========Response======== =======================>")
        print(rawJsonFromCASBResp)
        pageSize = rawJsonFromCASBResp['size']
        print("Page Size: " + str(pageSize))
        totalRecords += pageSize
        print("Total Records: " + str(totalRecords))
        if pageSize >= 100:
            # A full page may be followed by more; fetch the next one from the marker
            polling = "yes"
            nextMarkerPosition = rawJsonFromCASBResp['nextMarkerPosition']
            print("Marker Position Value: " + str(nextMarkerPosition))
            print(" ===== ================= ==============================>")
        else:
            # A short page (including an empty one) is the last page; stop here instead of
            # re-sending the same request
            print("Retrieved all records from CASB/no records available")
            polling = "no"
            return

getRiskEvents()
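As an added example that is neither the script above nor Oracle's own client, this pager separates the marker-following loop from HTTP: fetch is an injected callable (wiring it to requests.get with the headers shown above is assumed), so the termination rules can be checked offline against a constructed fake tenant, including the case where the very first page is empty.

```python
PAGE_SIZE = 100   # the documented maximum for pagesize

def iter_risk_events(fetch, start_date, page_size=PAGE_SIZE):
    """Yield every risk event, following nextMarkerPosition until a short page.

    fetch(params) -> dict is injected so the loop can be exercised without a
    tenant; in production it would wrap requests.get(url, params=params,
    headers=headers).json() (an assumption about your client, not service code).
    """
    params = {"pagesize": str(page_size), "startDate": start_date}
    while True:
        body = fetch(params)
        events = body.get("riskevents") or []
        yield from events
        # A page shorter than pagesize (an empty first page included) is the last
        # one; re-sending the same request instead would loop forever.
        marker = body.get("nextMarkerPosition")
        if len(events) < page_size or not marker:
            return
        params = {"pagesize": str(page_size), "markerPosition": marker}

class FakeCasb:
    """Constructed stand-in for the service: serves `total` events, one page at a time."""
    def __init__(self, total):
        self.events = [{"id": "evt-%04d" % i} for i in range(total)]
        self.requests = []      # every params dict seen, to check the marker round-trip
    def __call__(self, params):
        self.requests.append(dict(params))
        offset = int(params.get("markerPosition", "0"))   # marker = position in history
        page = self.events[offset:offset + int(params["pagesize"])]
        body = {"riskevents": page, "size": len(page), "maxCount": PAGE_SIZE}
        if offset + len(page) < len(self.events):
            body["nextMarkerPosition"] = str(offset + len(page))
        return body

def collect_all(total):
    """Drain a fake tenant holding `total` events; return the ids and the requests made."""
    fake = FakeCasb(total)
    ids = [ev["id"] for ev in iter_risk_events(fake, "2017-08-11T15:37:39.000Z")]
    return ids, fake.requests
```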
Getting Risk Events for a Single Application Type
By default, all risk events for all application types in your Oracle CASB Cloud Service tenant are returned. To fetch risk events for only a single application type, add applicationType to your parameters, as in this example, which returns only risk events for Box:
parameters = {
    'pagesize' : "100",
    'applicationType' : "BOX",
    'startDate' : "2017-08-11T15:37:39.000Z"
}
Getting Risk Events for a Single Application Instance
To fetch risk events for only a single application instance, add applicationInstanceName to your parameters, as in this example, which returns only risk events for a Box instance named Box_Sales:
parameters = {
    'pagesize' : "100",
    'applicationInstanceName' : "Box_Sales",
    'startDate' : "2017-08-11T15:37:39.000Z"
}