Managing Security Events
Get the details of a specific security event
URI - GET
To use this endpoint, send a GET request to receive a specific security event by its Harmony Email & Collaboration ID: /event/{eventId}
Request
The request includes HTTP headers obtained during the authentication/authorization process and used to sign the request together with request string parameters.
Request Headers
|
Header |
Type |
Required |
Format |
Description/Sample |
|---|---|---|---|---|
|
x-av-req-id |
String |
Yes |
UUID – Generated and supplied on the request. |
d290f1ee-6c54-4b01-90e6 |
|
Authorization |
Bearer Token |
Yes |
Bearer <API Access Token> |
A string Bearer followed by the API Access Token. See Generating API Access Token. For example, assuming that the API Access Token is 1234, the Bearer Token will be Bearer 1234 |
Request String Parameters
|
Header |
Type |
Required |
Format |
Description/Sample |
|---|---|---|---|---|
|
eventId |
String |
Yes |
|
Harmony Email & Collaboration internal request ID, such as: “ebb3e4bc8a9b14d7a529bb54ea6991b6” |
Request Body
Not applicable for GET method.
Request sample (CURL) format
This request sample shows URI base in USA region. For URI base in other regions, see URLs and URL Base.
curl -X GET -H "Accept: application/json" \
-H "x-av-req-id: d290f1ee-6c54-4b01-90e6-d701748f0851" \
-H "Authorization: Bearer 2462b23346ab0642b65d7d094aca5fb4c29fd96d0468deceae2704d258e81497" \
https://cloudinfra-gw-us.portal.checkpoint.com/app/hec-api/v1.0/event/ebb3e4bc8a9b14d7a529bb54ea6991b6Response
The response obtained from the service includes an HTTP response code and JSON formatted structure. It consists of responseEnvelope structure and a responseData object that holds an array of security events.
Each event consists of event details and an array of actions taken on the event entity (under the actions array). The response also includes an array of available actions to take on the event and their relevant parameters (availableEventActions array).
Response Structure
A valid response obtained from the service (JSON format):
{
"responseEnvelope":
{
"requestId": "string",
"responseCode": 0,
"responseText": "string",
"additionalText": "string",
"recordsNumber": 1,
"totalRecordsNumber": 1,
"scrollId": "string"
},
"responseData":
[
{
"eventId": "string",
"cusomerId": "string",
"saas": "string",
"entityId": "string",
"state": "string",
"type": "string",
"confidenceIndicator": "string",
"eventCreated": "string",
"severity": "string",
"description": "string",
"data": "string",
"additionalData": {},
"availableEventActions":
[
{
"actionName": "string",
"actionParameter": {}
}
],
"actions":
[
{
"actionType": "string",
"createTime": "string",
"relatedEntityId": "string"
}
]
}
]
}Response Parameters
These are the response parameters:
|
Parameter |
Type |
Description |
|
|---|---|---|---|
|
responseEnvelope |
Object |
Container for metadata properties. |
|
|
|
requestId |
String |
Unique ID to trace the request-response cycle. Helpful for debugging and support. |
|
|
responseCode |
Integer |
HTTP API code response. |
|
|
responseTest |
String |
Human-readable description of the status or error. |
|
|
additionalText |
String |
Need to see an example. |
|
|
recordsNumber |
Integer |
Number of records found. |
|
|
totalRecordsNumber |
Integer |
Total number of records. |
|
|
scrollId |
String |
Pagination ID to get next batch of records. |
|
responseData |
Object |
An array of event entities. |
|
|
|
eventId |
String |
Unique identifier for the event. |
|
|
customerId |
String |
Identifier of the customer associated with the event. |
|
|
saas |
String |
SaaS provider/source (For example, Office 365, Gmail). |
|
|
entityId |
String |
ID of the impacted or triggering entity (For example, Email ID). |
|
|
state |
String |
Current state of the event. |
|
|
type |
String |
Type/Category of event (For example, Phishing, Malware). |
|
|
confidenceIndicator |
String |
Indicator of the event's credibility. |
|
|
eventCreated |
String |
Timestamp when the event was created. |
|
|
severity |
String |
Severity of the event (For example, low, medium, high, critical). |
|
|
description |
String |
Readable summary of the event. |
|
|
data |
String |
Security event description (longer description). |
|
|
additionalData |
Object |
Additional information. |
|
availableEventActions |
Array |
List of available actions. |
|
|
|
actionName |
String |
List of actions that can be performed ( For example, quarantine, restore, sent to admin). |
|
|
actionParameter |
Object |
List of parameters needed for each action that can be performed (parameter= admin email). |
|
actions |
Array |
A list of actions performed on this event. |
|
|
|
actionType |
String |
Action type that was executed (For example, quarantine). |
|
|
createTime |
String |
Timestamp when the action was performed. |
|
|
relatedEntityId |
String |
Returns the security event that triggered the action (quarentine). |
Response Sample
A valid response from the service:
{
"responseEnvelope":
{
"responseCode": 0,
"responseTest": "Success",
"additionalText": "",
"recordsNumber": 1,
"totalRecordsNumber": 1,
"scrollId": "34234345454353343"
},
"responseData":
{
"eventId": "7ded0371a3e1475c9a877e452f23a049",
"customerId": "us:customername",
"saas": "office365_emails",
"entityId": "639c16e1aaa3affd5d3fa4fda5e75765",
"state": "dismissed",
"type": "dlp",
"confidenceIndicator": "malicious",
"eventCreated": "2020-07-24T20:58:27.073355+00:00",
"severity": "Low",
"data": "",
"description": "DLP Engine has detected a leak in ‘please see my credit data’ from user@customer.com",
"additionalData": "some links here and additional parameters",
"availableEventActions": [
{
"actionName": "dismiss",
"actionParameter": {"eventId":"7ded0371a3e1475c9a877e452f23a049"}
},
{
"actionName": "severityChange",
"actionParameter": {"newSeverity":"Low"}
},
{
"actionName": "severityChange",
"actionParameter": {"newSeverity":"Medium"}
},
{
"actionName": "severityChange",
"actionParameter": {"newSeverity":"High"}
},
{
"actionName": "severityChange",
"actionParameter": {"newSeverity":"Highest"}
},
]
}
}