Get all risk events

GET /api/v1/events/riskevents

Get Risk Events data comprising Security Control, Policy Alert and Anomalous behavior events for your tenant. Risk Events can be obtained over a specific date range by setting startDate and pagesize. Use the priority field to obtain Risk Events with a specific risk level. The category field filters by event type, such as Security Control, Policy Alert or Anomalous behavior. Risk Events specific to a Cloud Application or a Cloud Application instance can be retrieved using the applicationType and applicationInstanceName fields. The potentially large response contains a series of JSON objects, each separated by a line break and each corresponding to one risk event. The pagesize field sets the number of risk events fetched in one API call. The marker position returned by a call points at the next set of risk events (pagesize + 1 onward) and can be passed to the next call to obtain the next batch of data.

Request

Supported Media Types
Query Parameters
  • The application instance ID. The default is to retrieve all application instances.
  • The application instance name. The default is to retrieve all application names.
  • The application type. The default is to retrieve all application types.
    Allowed Values: [ "BOX", "AWS", "SFDC", "GITHUB", "SERVICENOW", "O365", "GOOGLEAPPS", "CUSTOMAPP", "RACKSPACE", "HCMCLOUD", "SLACK", "ERPCLOUD", "SALESCLOUD" ]
  • The risk event category. The default is to retrieve all risk event categories.
    Allowed Values: [ "Anomalous activity", "Security control", "Policy alert", "Monitoring stopped" ]
  • End date indicating the time up to which events are searched. The default is to retrieve risk events up to the present moment. The format for endDate is yyyy-MM-dd'T'HH:mm:ss.S.
  • Marker position, indicating pagination, from which to begin retrieving the next set of events. The default is to retrieve risk events from the beginning of the tenant's history.
  • Page size in number of events. The maximum value allowed is 100.
  • Event priority, such as High, Medium, or Low. The default is to return all priorities.
    Allowed Values: [ "High", "Medium", "Low" ]
  • Start date indicating the time from which events are searched. The format for startDate is yyyy-MM-dd'T'HH:mm:ss.S.
  • Event status, such as Open or Resolved. The default is to return both.
    Allowed Values: [ "Open", "Resolve" ]
Header Parameters

Response

Supported Media Types

200 Response

Successfully retrieved all risk events for the given filters.
Body
Root Schema : RiskEventsResponse
Type: object
Nested Schema : riskevents
Type: array
List of risk events.
Nested Schema : RiskEvent
Type: object
Nested Schema : additionalDetails
Type: array
Nested Schema : comments
Type: array
Nested Schema : AdditionalDetails
Type: object
Nested Schema : details
Type: array
Nested Schema : Details
Type: object
Nested Schema : Comments
Type: object
Nested Schema : comment
Type: array
Nested Schema : Comment
Type: object

400 Response

Bad request format. Check the response for more information on which fields are inaccurate, and make sure the request follows the documented format.
Body
Root Schema : Error
Type: object

401 Response

Unauthorized GET API call. See the response for more details.
Body
Root Schema : Error
Type: object

403 Response

Retrieving all risk events is forbidden. It is likely that the CASB APIs aren't enabled for the tenant.
Body
Root Schema : Error
Type: object

404 Response

The requested resource (risk event ID) is not present.
Body
Root Schema : Error
Type: object

412 Response

One of the preconditions for the API failed. See the response for more details.
Body
Root Schema : Error
Type: object

500 Response

An internal server error occurred. See the response for more details.
Body
Root Schema : Error
Type: object

Examples

The following examples show how to retrieve all, or a subset of, risk events by submitting a GET request.

Example Response Body

The following example shows the contents of the response body in JSON format:

{
  "riskevents" : [
    {
      "id" : "aa1eab35-6d84-3f5a-a9b5-3e1509bad244",
      "uri" : "/v1/events/riskevent?eventId=aa1eab35-6d84-3f5a-a9b5-3e1509bad244&applicationInstanceId=5786ed4c-3527-413d-9d19-da93d0f065c8",
      "appname" : "AWS",
      "appinstance" : "awse2e_01",
      "appinstanceid" : "64909d3d-3855-5de1-49ed-6452ae9f6365",
      "snapdate" : "2017-10-25",
      "title" : "DeleteSecurityGroup action in EC2 SecurityGroup \"JKSecurityGroup\"",
      "additionalDetails" : [
        {
          "Details" : [
            {
              "name" : "Actor",
              "value" : "funct_test_nonservice"
            },
            {
              "name" : "Resource type",
              "value" : "EC2 SecurityGroup"
            },
            {
              "name" : "Group",
              "value" : "JKSecurityGroup"
            },
            {
              "name" : "Resource name",
              "value" : "[JKSecurityGroup]"
            },
            {
              "name" : "Action",
              "value" : "DeleteSecurityGroup"
            },
            {
              "name" : "Policy alert name",
              "value" : "EC2 - Instances Network Routes Network ACL VPN and Security Group changes"
            },
            {
              "name" : "Occurred",
              "value" : "2017-10-25T17:17:29Z"
            },
            {
              "name" : "recommendationkey",
              "value" : "AWS~PolicyAlert~ec2deletesecuritygroup"
            }
          ],
          "Logdata" : "{\"requestParameters\" :{\"groupName\" :\"JKSecurityGroup\"},\"responseElements\" :{\"_return\" :true},\"eventVersion\" :\"1.05\",\"eventTime\" :\"2017-10-25T17:17:29Z\",\"eventSource\" :\"ec2.amazonaws.com\",\"eventName\" :\"DeleteSecurityGroup\",\"awsRegion\" :\"us-east-1\",\"sourceIPAddress\" :\"54.191.225.186\",\"userAgent\" :\"aws-sdk-java/1.10.54 Linux/3.13.0-35-generic Java_HotSpot(TM)_64-Bit_Server_VM/25.60-b23/1.8.0_60\",\"userIdentity\" :{\"type\" :\"IAMUser\",\"principalId\" :\"AIDAJVECQI6KOIYZMM42A\",\"arn\" :\"arn:aws:iam::141111462111:user/funct_test_nonservice\",\"accountId\" :\"141111462111\",\"accessKeyId\" :\"AKIAJM4J6OYTZDBHN3KA\",\"userName\" :\"funct_test_nonservice\"},\"requestID\" :\"bc44cd99-fac7-4e6c-8868-382c26fc95ee\",\"eventID\" :\"664d6fa8-8bdf-4bda-af5c-55d447620a78\"}"
        }
      ],
      "category" : "Policy alert",
      "priority" : "High",
      "status" : "Open",
      "createdon" : "2017-10-25T17:33:55.000Z",
      "realeventtime" : "2017-10-25T17:17:29.000Z"
    },
    {
      "id" : "1b098639-8965-3f0d-aa2b-5c92ef23ad2e",
      "uri" : "/v1/events/riskevent?eventId=1b098639-8965-3f0d-aa2b-5c92ef23ad2e&applicationInstanceId=5786ed4c-3527-413d-9d19-da93d0f065c8",
      "appname" : "AWS",
      "appinstance" : "awse2e_01",
      "appinstanceid" : "e4dc5876-7253-3d41-911d-0f065c8da93d",
      "snapdate" : "2017-10-25",
      "title" : "DeleteVpnConnection action in EC2 VPN \"vpn-de0d1fbf\"",
      "additionalDetails" : [
        {
          "Details" : [
            {
              "name" : "Actor",
              "value" : "funct_test_nonservice"
            },
            {
              "name" : "Resource type",
              "value" : "EC2 VPN"
            },
            {
              "name" : "Resource name",
              "value" : "[vpn-de0d1fbf]"
            },
            {
              "name" : "Action",
              "value" : "DeleteVpnConnection"
            },
            {
              "name" : "Policy alert name",
              "value" : "EC2 - Instances Network Routes Network ACL VPN and Security Group changes"
            },
            {
              "name" : "Occurred",
              "value" : "2017-10-25T17:17:44Z"
            },
            {
              "name" : "recommendationkey",
              "value" : "AWS~PolicyAlert~ec2deletevpnconnection"
            }
          ],
          "Logdata" : "{\"requestParameters\" :{\"vpnConnectionId\" :\"vpn-de0d1fbf\"},\"responseElements\" :{\"requestId\" :\"df6729be-ccdb-4839-9c2e-25ed48d64908\",\"_return\" :true},\"eventVersion\" :\"1.05\",\"eventTime\" :\"2017-10-25T17:17:44Z\",\"eventSource\" :\"ec2.amazonaws.com\",\"eventName\" :\"DeleteVpnConnection\",\"awsRegion\" :\"us-east-1\",\"sourceIPAddress\" :\"54.191.225.186\",\"userAgent\" :\"aws-sdk-java/1.10.54 Linux/3.13.0-35-generic Java_HotSpot(TM)_64-Bit_Server_VM/25.60-b23/1.8.0_60\",\"userIdentity\" :{\"type\" :\"IAMUser\",\"principalId\" :\"AIDAJVECQI6KOIYZMM42A\",\"arn\" :\"arn:aws:iam::141111462111:user/funct_test_nonservice\",\"accountId\" :\"141111462111\",\"accessKeyId\" :\"AKIAJM4J6OYTZDBHN3KA\",\"userName\" :\"funct_test_nonservice\"},\"requestID\" :\"df6729be-ccdb-4839-9c2e-25ed48d64908\",\"eventID\" :\"4c0d0878-ad12-48d6-b82d-d09d413077ae\"}"
        }
      ],
      "category" : "Policy alert",
      "priority" : "High",
      "status" : "Open",
      "createdon" : "2017-10-25T17:33:56.000Z",
      "realeventtime" : "2017-10-25T17:17:44.000Z"
    }
  ],
  "tenantId" : "abcdefgh-1234-ijkl-5678-mnopqrstuvwx",
  "nextMarkerPosition" : "1508952846000",
  "maxCount" : 100,
  "size" : 10
}
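The response body above nests the interesting facts two levels down: the name/value pairs under Details, and the originating cloud audit record under Logdata, which is a JSON document serialised into a string. The following parser is an added example, not Oracle's code; it flattens a riskevents body into triage records, decodes Logdata tolerantly (an unparsable or absent Logdata yields None rather than an exception), skips malformed Details entries, and picks out the open, high-priority events an analyst would look at first. SAMPLE_RESPONSE is constructed for the example with placeholder identifiers and a documentation IP address; it is shaped like the page's response but is not real tenant data.

```python
import json
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample response, shaped like the example body on this page but
# with placeholder identifiers (not real tenant data).
SAMPLE_RESPONSE = json.dumps({
    "riskevents": [
        {
            "id": "00000000-0000-4000-8000-000000000001",
            "appname": "AWS",
            "appinstance": "aws_example_01",
            "title": "DeleteSecurityGroup action in EC2 SecurityGroup \"ExampleSG\"",
            "additionalDetails": [{
                "Details": [
                    {"name": "Actor", "value": "example_user"},
                    {"name": "Resource type", "value": "EC2 SecurityGroup"},
                    {"name": "Action", "value": "DeleteSecurityGroup"},
                    {"name": "Occurred", "value": "2017-10-25T17:17:29Z"},
                ],
                # Logdata is itself a JSON document serialised into a string.
                "Logdata": json.dumps({
                    "eventName": "DeleteSecurityGroup",
                    "eventSource": "ec2.amazonaws.com",
                    "awsRegion": "us-east-1",
                    "sourceIPAddress": "192.0.2.10",
                    "userIdentity": {"type": "IAMUser", "userName": "example_user"},
                }),
            }],
            "category": "Policy alert", "priority": "High", "status": "Open",
            "realeventtime": "2017-10-25T17:17:29.000Z",
        },
        {
            # Second event: no usable Logdata and a Details entry missing its
            # value, to exercise the tolerant paths.
            "id": "00000000-0000-4000-8000-000000000002",
            "appname": "BOX", "appinstance": "Box_Sales",
            "title": "Anomalous download volume",
            "additionalDetails": [{"Details": [{"name": "Actor"}], "Logdata": "not json"}],
            "category": "Anomalous activity", "priority": "Medium", "status": "Open",
            "realeventtime": "2017-10-25T18:00:00.000Z",
        },
    ],
    "tenantId": "tenant-placeholder",
    "nextMarkerPosition": "1508952846000",
    "maxCount": 100,
    "size": 2,
})


@dataclass
class TriageRecord:
    event_id: str
    app: str
    instance: str
    category: str
    priority: str
    status: str
    occurred: str
    title: str
    details: dict = field(default_factory=dict)   # name -> value from Details
    logdata: Optional[dict] = None                # decoded Logdata, if valid JSON


def _decode_logdata(raw):
    """Decode the JSON-in-a-string Logdata field; return None for junk or absence."""
    if not isinstance(raw, str):
        return None
    try:
        parsed = json.loads(raw)
    except ValueError:
        return None
    return parsed if isinstance(parsed, dict) else None


def parse_risk_events(body):
    """Flatten a riskevents response body (str, bytes or dict) into TriageRecords."""
    doc = json.loads(body) if isinstance(body, (str, bytes)) else body
    records = []
    for ev in doc.get("riskevents", []):
        details, logdata = {}, None
        for block in ev.get("additionalDetails", []):
            for item in block.get("Details", []):
                if "name" in item and "value" in item:   # skip half-formed pairs
                    details[item["name"]] = item["value"]
            if logdata is None:
                logdata = _decode_logdata(block.get("Logdata"))
        records.append(TriageRecord(
            event_id=ev.get("id", ""), app=ev.get("appname", ""),
            instance=ev.get("appinstance", ""), category=ev.get("category", ""),
            priority=ev.get("priority", ""), status=ev.get("status", ""),
            occurred=ev.get("realeventtime", ""), title=ev.get("title", ""),
            details=details, logdata=logdata,
        ))
    return records


def source_ip(record):
    """Source IP of the underlying cloud API call, when Logdata carries one."""
    return (record.logdata or {}).get("sourceIPAddress")


def open_high_priority(records):
    """The subset an analyst would look at first."""
    return [r for r in records if r.status == "Open" and r.priority == "High"]


if __name__ == "__main__":
    for r in parse_risk_events(SAMPLE_RESPONSE):
        print(r.priority, r.app, r.instance, r.title, source_ip(r))
```

Because Logdata is an opaque string from the CASB's point of view, its keys vary by application type (the AWS events on this page carry CloudTrail-style fields); the parser therefore keeps the decoded dictionary as-is and lets helpers such as source_ip pull out what a given application provides.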

Paging Risk Events if More Than 100 Are Returned

The maximum number of risk events that can be returned in a response is 100. This example shows how to make sure you get all the risk events, whether or not the total is greater than 100. If there are more than 100 risk events, each response returns nextMarkerPosition, which is then passed as markerPosition in the subsequent request.

import requests
import json


def getRiskEvents():
    auth_t = '<token_id>'     ### add tokenId
    tenantId = '<tenant_id>'  ### add tenantId

    headers = {
        'content-type': "application/json",
        'cache-control': "no-cache",
        'X-Apprity-Tenant-Id': tenantId,
        'Authorization': 'Bearer ' + auth_t
    }
    # This URL should point to the endpoint where the tenant has been created for the customer.
    riskEventUrlTest = "https://<CASB-STACK>.casb.ocp.oraclecloud.com/api/v1/events/riskevents"

    startDate = "2019-09-11T15:37:39.000Z"
    nextMarkerPosition = ''
    polling = 'no'
    totalRecords = 0
    noOfCallsToCasb = 1

    while True:
        if polling == "no":
            # First call: start from startDate.
            params = {
                'pagesize': "100",
                'startDate': startDate
            }
        else:
            # Subsequent calls: continue from the marker returned with the previous page.
            params = {
                'pagesize': "100",
                'markerPosition': nextMarkerPosition
            }
        print("Number of calls to CASB: " + str(noOfCallsToCasb))
        print("Total Records: " + str(totalRecords))
        noOfCallsToCasb += 1
        response = requests.get(riskEventUrlTest, params=params, headers=headers)
        print("Response Status Code: " + str(response.status_code))
        # Stop on 401/403/412/500 instead of treating an error body as a page of events.
        response.raise_for_status()
        rawJsonFromCASBResp = json.loads(response.content.decode('utf-8'))
        print(" ============ =========Response======== =======================>")
        print(rawJsonFromCASBResp)
        pageSize = rawJsonFromCASBResp['size']
        print("Page Size: " + str(pageSize))
        totalRecords += pageSize
        print("Total Records: " + str(totalRecords))

        if pageSize >= 100:
            # A full page means there may be more: fetch the next batch from the marker.
            polling = "yes"
            nextMarkerPosition = rawJsonFromCASBResp['nextMarkerPosition']
            print("Marker Position Value: " + str(nextMarkerPosition))
            print(" ===== ================= ==============================>")
        else:
            # A short or empty page means everything has been retrieved.
            print("Retrieved all records from CASB/no records available")
            polling = "no"
            return


getRiskEvents()

Getting Risk Events for a Single Application Type

By default, all risk events for all application types in your Oracle CASB Cloud Service tenant are returned. If you want to fetch risk events for only a single application type, add applicationType to your parameters, as in this example, which returns only risk events for Box:

parameters = {
             'pagesize' : "100",
             'applicationType' : "BOX",
             'startDate' : "2017-08-11T15:37:39.000Z" }

Getting Risk Events for a Single Application Instance

If you want to fetch risk events for only a single application instance, add applicationInstanceName to your parameters, as in this example, which returns only risk events for a Box instance named Box_Sales:

parameters = {
             'pagesize' : "100",
             'applicationInstanceName' : "Box_Sales",
             'startDate' : "2017-08-11T15:37:39.000Z" }
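The paging loop and the applicationType / applicationInstanceName filters from the sections above combine naturally into one generator. The following is an added example, not Oracle's code: iter_risk_events follows nextMarkerPosition exactly as the page describes (startDate on the first call, markerPosition on later ones, the filters repeated on every call) and stops on the first page shorter than pagesize, so an empty tenant ends after one request instead of looping. The transport is injected as a `get(params) -> (status, body)` callable; in production that would wrap requests.get with the X-Apprity-Tenant-Id and Authorization headers shown in the page's script, while the fake transport here serves constructed pages so the walk can be checked offline.

```python
import json

PAGE_SIZE = 100  # documented maximum for pagesize


class CasbApiError(Exception):
    """Non-200 reply; carries the status so a caller can act on 401/403/412 separately."""
    def __init__(self, status, body):
        super().__init__("CASB API returned %s: %s" % (status, body))
        self.status = status
        self.body = body


def iter_risk_events(get, start_date, filters=None, page_size=PAGE_SIZE):
    """Yield every risk event, following nextMarkerPosition until a short page.

    get(params) -> (status_code, body_text) is the transport. The first call
    carries startDate; later calls carry only markerPosition, as on this page.
    Filters (applicationType, applicationInstanceName, priority, ...) are sent
    with every call so the marker continuation stays within the same subset.
    """
    filters = dict(filters or {})
    params = {"pagesize": str(page_size), "startDate": start_date, **filters}
    while True:
        status, body = get(params)
        if status != 200:
            raise CasbApiError(status, body)
        page = json.loads(body)
        events = page.get("riskevents", [])
        for ev in events:
            yield ev
        # A short page (including an empty first page) means the walk is complete.
        if page.get("size", len(events)) < page_size:
            return
        marker = page.get("nextMarkerPosition")
        if not marker:
            return
        params = {"pagesize": str(page_size), "markerPosition": marker, **filters}


# --- Constructed fake transport so the walk can be exercised offline ----------
def make_fake_transport(responses):
    """Serve (status, body_dict) pairs in order and record each call's params."""
    calls = []

    def get(params):
        calls.append(dict(params))
        if len(calls) > len(responses):
            raise AssertionError("fake transport exhausted")
        status, body = responses[len(calls) - 1]
        return status, json.dumps(body)

    get.calls = calls
    return get


def demo_pages():
    """Two full pages (size == page_size of 3) with markers, then a short final page."""
    def ev(n):
        return {"id": "evt-%03d" % n, "category": "Policy alert", "priority": "High"}
    return [
        (200, {"riskevents": [ev(1), ev(2), ev(3)], "size": 3, "nextMarkerPosition": "m1"}),
        (200, {"riskevents": [ev(4), ev(5), ev(6)], "size": 3, "nextMarkerPosition": "m2"}),
        (200, {"riskevents": [ev(7)], "size": 1, "nextMarkerPosition": "m3"}),
    ]


def collect_ids(get, filters=None, page_size=3):
    """Drive the generator end to end and return the event ids in order."""
    return [e["id"] for e in
            iter_risk_events(get, "2019-09-11T15:37:39.000Z", filters, page_size)]


if __name__ == "__main__":
    get = make_fake_transport(demo_pages())
    print(collect_ids(get, {"applicationType": "BOX"}))
    print(get.calls)
```

Raising on any non-200 status matters for the paging case in particular: a 401 or 403 body parsed as a page would report a size of zero and silently look like "no events", hiding the fact that the tenant's CASB APIs are not enabled or the token has expired.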