
The ProtectWise API provides access to your ProtectWise accounts and data.

The request URL will always begin with https://api.protectwise.com/api/v1.

All API requests, except as noted, require an authentication header. To authenticate, add a header

X-Access-Token: youraccess@@tokenrandomstring

Getting Started

If this is your first time using the ProtectWise API, there is a Getting Started guide available that describes the basic process to access the API and get threat data.

Access Token 

Generate an access token associated with your account login that you can use for future API requests

This API does not require an access token header for authentication.

Token 

Generate Token
/token

To create or replace your access token, provide a JSON object containing your email address and password.

Example:

curl -H "Content-Type: application/json" -d '{"email":"john.doe@protectwise.com","password":"@ProtectWise1"}' https://api.protectwise.com/api/v1/token
  • Headers
    Content-Type: application/json
    Body
    {
      "email": "john.doe@protectwise.com",
      "password": "@ProtectWise1"
    }
  • Headers
    Content-Type: application/json
    Body
    {
      "token": "yourtoken@@randomtokenstring"
    }

Sensor-Set 

Sensor-set related resources

Sensor-Set Collection 

Collection of all available sensor-sets

List all sensor-sets
/sensor-sets

Example:

curl -H "X-Access-Token: youraccess@@tokenrandomstring" https://api.protectwise.com/api/v1/sensor-sets
  • Body
    [
      {
        "id": "42",
        "name": "Display name",
        "customer_id": "1",
        "default_set": false
      }
    ]

Sensor-Set 

Retrieve a single sensor-set
/sensor-sets/{id}

Example:

curl -H "X-Access-Token: youraccess@@tokenrandomstring" https://api.protectwise.com/api/v1/sensor-sets/775
  • Parameters
  • id
    string (required) Example: 775

    the id of the sensor set

  • Headers
    Content-Type: application/json
    Body
    {
      "id": 775,
      "name": "Display name",
      "customer_id": "1",
      "default_set": false
    }

Sensor 

Sensor related resources

Sensors Collection 

Collection of all available sensors

List all sensors
/sensors

Example:

curl -H "X-Access-Token: youraccess@@tokenrandomstring" https://api.protectwise.com/api/v1/sensors
  • Body
    [
      {
        "id": 513,
        "uuid": "69e82447-d3b2-4e7f-a9ec-20e531a03f84",
        "customer_id": 1,
        "agent_set_id": 775,
        "friendly_name": "sensor name",
        "enabled": true,
        "updated_at": "2014-02-22T09:30:08.371Z",
        "last_seen": "2014-02-22T09:30:08.371Z",
        "is_active": true,
        "downloaded": false
      }
    ]

Sensor 

Retrieve a single sensor
/sensors/{id}

Example:

curl -H "X-Access-Token: youraccess@@tokenrandomstring" https://api.protectwise.com/api/v1/sensors/513
  • Parameters
  • id
    string (required) Example: 513

    the id of the individual sensor

  • Headers
    Content-Type: application/json
    Body
    {
      "id": 513,
      "uuid": "69e82447-d3b2-4e7f-a9ec-20e531a03f84",
      "customer_id": 1,
      "agent_set_id": 775,
      "friendly_name": "bens computer1377-active",
      "enabled": true,
      "updated_at": "2014-02-22T09:30:08.371Z",
      "last_seen": "2014-02-22T09:30:08.371Z",
      "is_active": true,
      "downloaded": false
    }

Sensor Install token 

Generate token
/sensors/{id}/generate-token

Generate an install token for a sensor

  • Parameters
  • id
    string (required) Example: 301

    the ID or UUID of the sensor

  • Body
    {
      "installToken": "production:zawi55ien1n8i7c3dmxndfaoksuzq6p4zscte10deoaq2pt15d3bw9ar9"
    }

Counter 

Query for counts of past events.

See Counter Details for a detailed explanation of the query parameters.

Counter Summary 

Get counter summary
/counters?{sensorId,counterType,start,end,interval,aggregate}

Sum all sensors and counter types into a single value

  • Parameters
  • sensorId
    number (required) Example: 513

    the sensor id. May supply a comma-separated list.

    counterType
    string (required) Example: eventsLow

    the type of counter. May supply a comma-separated list. Details

    start
    number (required) Example: 1408069629555

    the start observed time

    end
    number (required) Example: 1408069659555

    the end observed time

    interval
    string (required) Example: 3HOURS

    the interval multiple and unit Details

  • Headers
    Content-Type: application/json
    X-Access-Token: youraccess@@tokenrandomstring
  • Headers
    Content-Type: application/json
    Body
    [
      {
        "timestamp": 1408069659555,
        "value": 43
      }
    ]

Counters by Type 

List
/counters?stackBy=type&{sensorId,counterType,start,end,interval,aggregate}

To include counters for specified counter types as a separate property, provide stackBy=type in the query string.

  • Parameters
  • sensorId
    number (required) Example: 1314,1315,1316

    A comma-delimited list of sensor ids

    counterType
    string (required) Example: eventsLow,eventsMedium,eventsHigh

    a comma-delimited list of counter types to stack

    start
    number (required) Example: 1408069629555

    the start observed time

    end
    number (required) Example: 1408069659555

    the end observed time

    interval
    string (required) Example: 3HOURS

    the interval multiple and unit Details

  • Headers
    Content-Type: application/json
    X-Access-Token: youraccess@@tokenrandomstring
  • Headers
    Content-Type: application/json
    Body
    [
      {
        "timestamp": 1408069659555,
        "eventsLow": 30,
        "eventsMedium": 10,
        "eventsHigh": 3,
        "value": 43
      }
    ]

Counters by Sensor 

List
/counters?stackBy=sensor&{sensorId,counterType,start,end,interval,aggregate}

To include counters for specified sensors as a separate property, provide stackBy=sensor in the query string.

  • Parameters
  • sensorId
    number (required) Example: 1314,1315,1316

    a comma-separated list of sensor ids

    counterType
    string (required) Example: eventsLow,eventsMedium,eventsHigh

    a comma-separated list of counter types to stack

    start
    number (required) Example: 1408069629555

    the start observed time

    end
    number (required) Example: 1408069659555

    the end observed time

    interval
    string (required) Example: 3HOURS

    the interval multiple and unit Details

  • Headers
    Content-Type: application/json
    X-Access-Token: youraccess@@tokenrandomstring
  • Headers
    Content-Type: application/json
    Body
    [
      {
        "1314": 20,
        "1315": 15,
        "1316": 8,
        "timestamp": 1408069659555,
        "value": 43
      }
    ]

Summary 

Counters summary 

Get counter summary
/summaries/counters?{sensorId,counterType,start,end,interval}

Example:

curl -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/summaries/counters?sensorId=513&counterType=eventsLow&start=1408069629555&end=1408069659555&interval=3HOURS"
  • Parameters
  • sensorId
    number (required) Example: 513

    the sensor id. May supply a comma-separated list.

    counterType
    string (required) Example: eventsLow

    the type of counter. May supply a comma-separated list. Details

    start
    number (required) Example: 1408069629555

    the start (inclusive) of the observed time range to find

    end
    number (required) Example: 1408069659555

    the end (exclusive) of the observed time range to find

    interval
    string (required) Example: 3HOURS

    the interval multiple and unit Details

Top Hosts summary 

Get a top-hosts summary.

Get top hosts summary
/summaries/top-hosts?{sensorId,type,start,end}

Example:

curl -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/summaries/top-hosts?sensorId=1&type=observation.external,protocol&start=1477447688583&end=1477534088583"
  • Parameters
  • sensorId
    number (required) Example: 513

    the sensor id. May supply a comma-separated list.

    type
    string (required) Example: protocol,observation.external

    the type(s) of counter. One or more of observation.internal, observation.external, event.internal, event.external, protocol, protocol_family, bandwidth, internal.severity, external.severity

    start
    number (required) Example: 1408069629555

    the start observed time

    end
    number (required) Example: 1408069659555

    the end observed time

  • Headers
    Content-Type: application/json
    X-Access-Token: youraccess@@tokenrandomstring
  • Body
    [
      {
        "type": "observation.external",
        "hosts": [
          {
            "ip": "8.8.8.8",
            "count": 25749
          },
          {
            "ip": "1.0.63.78",
            "count": 2743
          }
        ]
      },
      {
        "type": "protocol",
        "hosts": [
          {
            "ip": "0.0.0.2",
            "count": 505566729
          },
          {
            "ip": "0.0.0.0",
            "count": 214629048
          }
        ]
      }
    ]

Unique Hosts summary 

Get a unique-hosts summary.

Get unique hosts summary
/summaries/unique-hosts?{sensorId,type,start,end}

Example:

curl -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/summaries/unique-hosts?sensorId=1&type=all&start=1477447688583&end=1477534088583"
  • Parameters
  • sensorId
    number (required) Example: 513

    the sensor id. May supply a comma-separated list.

    type
    string (required) Example: all

    the type(s) of counter. One or more of all,external,internal,threat.high

    start
    number (required) Example: 1408069629555

    the start observed time

    end
    number (required) Example: 1408069659555

    the end observed time

Event 

Events are resources that describe a threat and contain a collection of observations.

Event Collection 

Search for events
/events?{start,end,eventType,killChainStage,threatLevel,threatCategory,observationStage,ip,expandDetails,minLimit,maxLimit,nextPage,reverseOrder}

Get a collection of events by start time and optional filters.

Example:

curl -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/events?start=1407962796988&end=1407963396988&ip=205.32.56.14&maxLimit=30"
  • Parameters
  • start
    number (required) Example: 1401451200000

    unix timestamp with milliseconds for the start time of the search (inclusive)

    end
    number (required) Example: 1401451500000

    unix timestamp with milliseconds for the end time of the search (exclusive)

    eventType
    string (optional) Example: KillChainEscalation

    Filter by one or more event types Details

    killChainStage
    string (optional) Example: Delivery

    Filter by killchain stage Details

    threatLevel
    string (optional) Example: High

    Filter by Low, Medium, or High threats Details

    threatCategory
    string (optional) Example: Malicious_Webpage

    Filter by threat category Details

    observationStage
    string (optional) Example: Retrospective

    Filter by Realtime or Retrospective Details

    ip
    string (optional) Example: 162.202.10.4

    Filter by events that are affected by a specific IP address

    expandDetails
    boolean (optional) Example: false

    Include observation records

    minLimit
    number (optional) Example: 30

    Try to return at least this many results per page

    maxLimit
    number (optional) Example: 100

    Do not return more than this many results

    reverseOrder
    boolean (optional) Example: true

    Return results sorted by descending timestamp (default = TRUE)

    nextPage
    string (optional) Example: ce08d2e5d8e95d9d207762f6874fd2767068137daa2f6f0b7068137daa2f6f0b7068137daa2f6f0b7068137daa2f6f0b7068137daa2f6f0b7068137daa2f6f0bd37bfcf88246fba2

    An identifier to fetch the next page in the result set

  • Headers
    Content-Type: application/json
    Body
    {
      "events": [
        {
          "cid": 1,
          "agentId": 1770,
          "id": "dccf25a8b3923e1c233220fe4ec57aa1",
          "type": "KillChainEscalation",
          "message": "Remote Buffer Overflow Exploit",
          "observations": [],
          "netflows": [],
          "confidence": 80,
          "threatScore": 50,
          "threatLevel": "Medium",
          "killChainStage": "CnC",
          "category": "Malware",
          "threatSubCategory": "MalwareURL",
          "observedStage": "Retrospective",
          "startedAt": 1408400860770,
          "endedAt": 1408400971436,
          "observedAt": 1412630707730,
          "isUpdate": false,
          "observationCount": 4,
          "netflowCount": 4
        }
      ],
      "nextPage": "ce08d2e5d8e95d9d207762f6874fd2767068137daa2f6f0b7068137daa2f6f0b7068137daa2f6f0b7068137daa2f6f0b7068137daa2f6f0b7068137daa2f6f0bd37bfcf88246fba2"
    }
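
Paging through /events with the nextPage cursor, as an added example that is not part of the ProtectWise documentation. It assumes the cursor is sent back as the nextPage query parameter together with the original filters, and that a missing or null nextPage ends the result set; the function names and the two-page response are constructed for illustration.

```python
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

BASE_URL = "https://api.protectwise.com/api/v1"  # base URL stated on this page
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def to_epoch_ms(dt):
    """Convert an aware datetime to the millisecond unix timestamp the API expects."""
    if dt.tzinfo is None:
        raise ValueError("naive datetime: attach a timezone to avoid local-time skew")
    return (dt - EPOCH) // timedelta(milliseconds=1)


def build_events_url(start_ms, end_ms, next_page=None, **filters):
    """Build the /events URL; start is inclusive and end is exclusive."""
    if start_ms >= end_ms:
        raise ValueError("start must be earlier than end")
    params = {"start": start_ms, "end": end_ms}
    for name, value in filters.items():
        if value is None:
            continue
        # Lower-case booleans, matching the true/false examples in the parameter list.
        params[name] = str(value).lower() if isinstance(value, bool) else value
    if next_page:
        params["nextPage"] = next_page  # assumption: cursor goes back as a query parameter
    return BASE_URL + "/events?" + urllib.parse.urlencode(params)


def http_fetch(token):
    """Return a fetch(url) callable that sends the X-Access-Token header."""
    def fetch(url):
        req = urllib.request.Request(url, headers={"X-Access-Token": token})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def iter_events(fetch, start_ms, end_ms, max_pages=1000, **filters):
    """Yield every event in the window, following nextPage until it is absent."""
    seen_cursors = set()
    cursor = None
    for _ in range(max_pages):
        page = fetch(build_events_url(start_ms, end_ms, next_page=cursor, **filters))
        for event in page.get("events") or []:
            yield event
        cursor = page.get("nextPage")
        if not cursor:
            return  # assumption: no cursor means the result set is complete
        if cursor in seen_cursors:
            raise RuntimeError("nextPage cursor repeated; stopping to avoid a loop")
        seen_cursors.add(cursor)
    raise RuntimeError("max_pages reached before the result set ended")


def constructed_fetch(url):
    """Constructed two-page response shaped like the sample body above (not real data)."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    if "nextPage" not in query:
        return {"events": [{"id": "constructed-event-1", "threatLevel": "Medium"}],
                "nextPage": "constructed-cursor-1"}
    return {"events": [{"id": "constructed-event-2", "threatLevel": "Medium"}],
            "nextPage": None}


def demo():
    """Collect event ids across both constructed pages."""
    events = iter_events(constructed_fetch, 1407962796988, 1407963396988, maxLimit=30)
    return [event["id"] for event in events]


if __name__ == "__main__":
    print(demo())
    # Against the live API: iter_events(http_fetch(token), start_ms, end_ms, ...)
```

Pass http_fetch(token) instead of constructed_fetch to run the same loop against the API, reading the token from a secret store or environment variable rather than embedding it in the script.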

Event 

Retrieve a single event
/events/{id}

Lookup a single event and its associated observations

Example:

curl -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/events/dccf25a8b3923e1c233220fe4ec57aa1"
  • Parameters
  • id
    string (required) Example: dccf25a8b3923e1c233220fe4ec57aa1

    The event id

  • Headers
    Content-Type: application/json
    X-Access-Token: youraccess@@tokenstring
  • Headers
    Content-Type: application/json
    Body
    {
      "cid": 1,
      "agentId": 1770,
      "id": "dccf25a8b3923e1c233220fe4ec57aa1",
      "type": "KillChainEscalation",
      "message": "`Data Loss via Poison Ivy`",
      "observations": [ { /* observation data */ } ],
      "netflows": [ { /* netflow data */ } ],
      "confidence": 80,
      "threatScore": 50,
      "threatLevel": "Medium",
      "killChainStage": "CnC",
      "category": "Malware",
      "threatSubCategory": "None",
      "observedStage": "Retrospective",
      "startedAt": 1408400860770,
      "endedAt": 1408400971436,
      "observedAt": 1412630707730,
      "isUpdate": false,
      "observationCount": 4,
      "netflowCount": 4
    }

Tag Events 

Add a tag, or remove one from an event

Modify tags
/events/{id}/tags

Observation 

Observation related resources

Observation Collection 

Collection of all available observations

List all observations
/observations?{start,end,sensorId,hasKillChain,killChainStage,ip,type,threatLevel,threatCategory,signatureId,expandDetails,minLimit,maxLimit,reverseOrder,nextPage}

Example:

curl -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/observations?sensorId=1743,1744&start=1407962796988&end=1407963396988&hasKillChain=true"

See Details for the structure of the data property in the response.

  • Parameters
  • sensorId
    string (required) Example: 513

    the sensor id or a comma-separated list of sensor ids

    start
    number (required) Example: 1407962796988

    unix timestamp with milliseconds for the start time of the search (inclusive)

    end
    number (required) Example: 1407963396988

    unix timestamp with milliseconds for the end time of the search (exclusive)

    hasKillChain
    boolean (optional) Example: true

    Search for observations in every kill chain stage

    killChainStage
    string (optional) Example: DELIVERY,EXPLOIT

    A comma separated list of kill chain stages Details

    ip
    string (optional) Example: 10.0.0.1

    Filter observations by IP address in the src/dst fields

    type
    string (optional) Example: ids

    Filter by observation type Details

    threatLevel
    string (optional) Example: HIGH

    Filter by categories threat level Details

    threatCategory
    string (optional) Example: MaliciousWebpage

    Filter by threat category Details

    signatureId
    number (optional) Example: 69020504

    Filter by threat signature (find observations of the same type of threat)

    expandDetails
    boolean (optional) Example: true

    Include expanded netflow information in the response

    minLimit
    number (optional) Example: 30

    Try to return at least this many results per page

    maxLimit
    number (optional) Example: 100

    Do not return more than this many results

    reverseOrder
    boolean (optional) Example: true

    Return results sorted by descending timestamp

    nextPage
    string (optional) Example: ce08d2e5d8e95d9d207762f6874fd2767068137daa2f6f0b7068137daa2f6f0b7068137daa2f6f0b7068137daa2f6f0b7068137daa2f6f0b7068137daa2f6f0bd37bfcf88246fba2

    An identifier to fetch the next page in the result set

  • Body
    {
      "observations": [
        {
          "id": "cf62aef82f40ccc49b2572b702bd4ffe",
          "agentId": 1713,
          "cid": 1,
          "data": {
            "idsEvent": null,
            "protocol": null,
            "ipReputation": null,
            "httpRequest": null,
            "urlReputation": {
              "url": "Url(89.253.247.168,/fortification,,80)",
              "category": 101,
              "partnerCategory": "Malware Sites",
              "urlData": null
            },
            "fileReputation": null,
            "file": null,
            "dns": null,
            "dnsReputation": null,
            "httpTransaction": null
          },
          "threatLevel": "Low",
          "killChainStage": "Recon",
          "category": "Malicious_Webpage",
          "threatSubCategory": "None",
          "observedStage": "Realtime",
          "source": "Webroot",
          "occurredAt": 1411419661265,
          "observedAt": 1411419748829,
          "confidence": 85,
          "threatScore": 25,
          "severity": 20
        }
      ]
    }

Observation File 

Get observation file
/observations/{id}/file/download?{sensorId}

Download extracted file data for an observation with associated file reputation data.

  • Parameters
  • id
    string (required) Example: 70031a003503180129246f2a4f1e576e

    the id of the observation

    sensorId
    number (required) Example: 513

    the sensor id or comma-separated list of ids

  • Headers
    Content-Disposition: attachment; filename=threaty-file.exe
    Content-Type: application/x-msdownload
    Transfer-Encoding: chunked

Observation 

Retrieve a single observation
/observations/{id}?{sensorId,type}
  • Parameters
  • id
    string (required) Example: 70031a003503180129246f2a4f1e576e

    the id of the observation

    sensorId
    number (required) Example: 513

    the sensor id or comma-separated list of ids

  • Headers
    Content-Type: application/json
    X-Access-Token: youraccess@@tokenrandomstring
  • Headers
    Content-Type: application/json
    Body
    {
      "agentId": 1713,
      "data": {
        "idsEvent": null,
        "protocol": null,
        "ipReputation": null,
        "httpRequest": null,
        "urlReputation": {
          "url": "Url(a.triggit.com,/px,fast=true&u=fF&tpuid=df6877b71995ac8f9b62d808eae3f051538638a9398a65dabce39da5c299782a82fc461902db816a,-1)",
          "category": "zDEPRECATEDMaliciousHost_MalwareURL",
          "partnerCategory": "Malware Sites",
          "urlData": null
        },
        "fileReputation": null,
        "file": null
      },
      "occurredAt": 1412630707730,
      "observedAt": 1408400861651,
      "threatLevel": "None",
      "confidence": 93,
      "killChainStage": "Recon",
      "severity": 20,
      "category": "Malicious_webpage",
      "threatScore": null,
      "cid": -1,
      "observedStage": "Realtime",
      "source": "Webroot",
      "id": "dccf25a8b3922e1c233220fe4ec57aa0",
      "threatSubCategory": "None",
      "netflow": {
        "agentId": 1713,
        "id": {
          "srcMac": "00:50:56:3A:6D:D7",
          "dstMac": "00:50:56:EC:5B:38",
          "srcIp": "192.168.70.128",
          "dstIp": "63.131.141.97",
          "srcPort": 59714,
          "dstPort": 80,
          "proto": "TCP/IPv4"
        },
        "key": "0df55eec05a4d784dce70c50e078d9c0",
        "details": {
          "startTime": 1408400860770,
          "tos": 0,
          "tcpFlags": null,
          "vlan": null,
          "classId": null,
          "srcAsn": null,
          "dstAsn": null,
          "endTime": 1408400971436,
          "applicationProtocols": []
        },
        "stats": {
          "bytesSrc": 3273,
          "bytesDst": 3490,
          "bytesSrcIncluded": 2698,
          "bytesDstIncluded": 3490,
          "packetsSrc": 12,
          "packetsDst": 11,
          "packetsSrcIncluded": 11,
          "packetsDstIncluded": 11,
          "updatedTime": 1408400860770
        },
        "state": "New",
        "cid": 1713
      },
      "geo": {
        "dst": {
          "continent": {
            "confidence": 0,
            "code": "NA",
            "name": "North America"
          },
          "country": {
            "confidence": 0,
            "isoCode": null,
            "name": "United States"
          },
          "location": {
            "accuracyRadius": 0,
            "latitude": 40.7209,
            "longitude": -74.0468,
            "timeZone": null
          },
          "postal": {
            "code": "07302",
            "confidence": 0
          },
          "city": {
            "confidence": 0,
            "isoCode": null,
            "name": "Jersey City"
          },
          "organization": "DataPipe"
        }
      }
    }

Tag Observations 

Add or delete a tag for an observation

Modify tags
/observations/{id}/tags

Reputations 

Reputation endpoints allow retrieval of threat data about IP addresses, domain names, and files.

Notes:

  • These endpoints behave similarly, but have subtle differences. Be sure you’re looking at the documentation for the correct endpoint.

  • Arrays of objects within sample response bodies have been dramatically abbreviated.

IP Reputation 

Get IP Reputation information
/reputations/ips/{ips}?{start,end,details,include,sources}

Example:

curl -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/reputations/ips/8.8.8.8?details=threat,device,ip,domain,geo&start=1473552000000&end=1476144000000"
  • Parameters
  • ips
    number (required) Example: 8.8.8.8

    the IP about which to retrieve threat details. May supply a comma-separated list.

    start
    number (optional) Example: 1408069629555

    the start observed time. Required when details contains threat.

    end
    number (optional) Example: 1408069659555

    the end observed time. Required when details contains threat.

    details
    string (optional) Example: threat,ip

    a comma-delimited list of threat properties to retrieve about this IP. May contain one or more of threat, ip, device, domain, and geo. Defaults to ip.

    include
    string (optional) Example: netflows

    A comma-delimited list of sub-resources to retrieve and include in the response. Only netflows is supported.

    sources
    string (required) Example: hostInfo

    A list of internal source names to query for this request.

  • Headers
    Content-Type: application/json
    X-Access-Token: youraccess@@tokenrandomstring
  • Body
    {
      "threat": {
        "observations": {
          "maxThreatLevel": "Medium",
          "maxThreatScore": 50,
          "types": {
            "Ids": 93659,
            "CertReputation": 4999,
            "DnsReputation": 896
          },
          "timeSeries": {
            "timeRange": {
              "interval": "Day",
              "intervalSize": 1,
              "start": 1476057600000,
              "end": 1476316800000
            },
            "values": [
              {
                "timestamp": 1476057600000,
                "count": 14852
              },
              {
                "timestamp": 1476144000000,
                "count": 29248
              },
              {
                "timestamp": 1476230400000,
                "count": 27354
              }
            ]
          },
          "top": [
            {
              "tags": null,
              "sensorId": 1,
              "agentId": 1,
              "flowId": null,
              "netflowId": "000001578cfc85c0939468d6f3c986df",
              "associatedId": {
                "flowId": {
                  "key": "000001578cfc85c0939468d6f3c986df",
                  "startTime": 1475539142080,
                  "srcGeo": null,
                  "dstGeo": {
                    "lat": 37.386,
                    "lon": -122.0838
                  },
                  "direction": "None",
                  "flowStates": [],
                  "srcDeviceId": null,
                  "dstDeviceId": null,
                  "ip": {
                    "srcMac": "",
                    "dstMac": "",
                    "srcIp": "10.169.59.5",
                    "dstIp": "8.8.8.8",
                    "srcPort": 57953,
                    "dstPort": 53,
                    "proto": "UDP",
                    "layer3Proto": "IPv4",
                    "layer4Proto": "Udp"
                  }
                }
              },
              "data": {
                "idsEvent": {
                  "timestampSeconds": 0,
                  "timestampMicros": 0,
                  "signatureId": 68114153,
                  "generatorId": 0,
                  "revision": 2,
                  "classification": "trojan-activity",
                  "priorityId": 1,
                  "description": "Exploit Test Observation"
                }
              },
              "occurredAt": 1475539142080,
              "observedAt": 1475539151103,
              "threatLevel": "Medium",
              "confidence": 100,
              "killChainStage": "Exploit",
              "severity": 50,
              "category": "Malware",
              "threatScore": 50,
              "cid": 1,
              "observedStage": "Realtime",
              "source": "Surricata",
              "id": "000001578cfc85c0939468d6f3c986df809d4f2c0000",
              "threatSubCategory": null,
              "netflow": null,
              "srcGeo": null,
              "dstGeo": {
                "lat": 37.386,
                "lon": -122.0838
              },
              "analysisId": null,
              "observationDirection": null,
              "endedAt": null,
              "info": {
                "ips": [
                  "8.8.8.8",
                  "10.169.59.5"
                ],
                "ports": [
                  53,
                  57953
                ],
                "coordinates": [
                  {
                    "lat": 37.386,
                    "lon": -122.0838
                  }
                ],
                "protocols": [],
                "properties": {},
                "hostIds": []
              },
              "connectionInfo": {
                "srcMac": "",
                "dstMac": "",
                "srcIp": "10.169.59.5",
                "dstIp": "8.8.8.8",
                "srcPort": 57953,
                "dstPort": 53,
                "proto": "UDP",
                "layer3Proto": "IPv4",
                "layer4Proto": "Udp"
              }
            },
            {
              "tags": null,
              "sensorId": 1,
              "agentId": 1,
              "flowId": null,
              "netflowId": "000001578cfc85c00cc0473a32b7b79c",
              "associatedId": {
                "flowId": {
                  "key": "000001578cfc85c00cc0473a32b7b79c",
                  "startTime": 1475539142080,
                  "srcGeo": null,
                  "dstGeo": {
                    "lat": 37.386,
                    "lon": -122.0838
                  },
                  "direction": "None",
                  "flowStates": [],
                  "srcDeviceId": null,
                  "dstDeviceId": null,
                  "ip": {
                    "srcMac": "",
                    "dstMac": "",
                    "srcIp": "10.169.59.5",
                    "dstIp": "8.8.8.8",
                    "srcPort": 45702,
                    "dstPort": 53,
                    "proto": "UDP",
                    "layer3Proto": "IPv4",
                    "layer4Proto": "Udp"
                  }
                }
              },
              "data": {
                "idsEvent": {
                  "timestampSeconds": 0,
                  "timestampMicros": 0,
                  "signatureId": 68114153,
                  "generatorId": 0,
                  "revision": 2,
                  "classification": "trojan-activity",
                  "priorityId": 1,
                  "description": "Exploit Test Observation"
                }
              },
              "occurredAt": 1475539142080,
              "observedAt": 1475539151103,
              "threatLevel": "Medium",
              "confidence": 100,
              "killChainStage": "Exploit",
              "severity": 50,
              "category": "Malware",
              "threatScore": 50,
              "cid": 1,
              "observedStage": "Realtime",
              "source": "Surricata",
              "id": "000001578cfc85c00cc0473a32b7b79c271e52870000",
              "threatSubCategory": "None",
              "netflow": null,
              "srcGeo": null,
              "dstGeo": {
                "lat": 37.386,
                "lon": -122.0838
              },
              "analysisId": null,
              "observationDirection": "None",
              "endedAt": null,
              "info": {
                "ips": [
                  "8.8.8.8",
                  "10.169.59.5"
                ],
                "ports": [
                  53,
                  45702
                ],
                "coordinates": [
                  {
                    "lat": 37.386,
                    "lon": -122.0838
                  }
                ],
                "protocols": [],
                "properties": {},
                "hostIds": []
              },
              "connectionInfo": {
                "srcMac": "",
                "dstMac": "",
                "srcIp": "10.169.59.5",
                "dstIp": "8.8.8.8",
                "srcPort": 45702,
                "dstPort": 53,
                "proto": "UDP",
                "layer3Proto": "IPv4",
                "layer4Proto": "Udp"
              }
            }
          ]
        }
      },
      "device": {
        "deviceType": null,
        "deviceCategory": null,
        "deviceOs": null,
        "extendedInfo": {
          "cbDeviceInfo": {
            "networkAdapters": {
              "10.1.1.214": "60:f8:1d:b3:6d:8c",
              "10.1.1.217": "ac:87:a3:11:14:62",
              "192.168.169.1": "00:50:56:c0:00:01",
              "192.168.183.1": "00:50:56:c0:00:08",
              "192.168.251.38": "00:00:00:00:00:00"
            },
            "computerName": "Johns-MacBook-Pro.local",
            "firstName": "John",
            "hostName": "davids-macbook-pro.local",
            "lastName": "Doe",
            "physicalMemorySize": 17179869184,
            "systemFreeSize": 73624133632,
            "systemTotalSize": 499080364032,
            "userName": "admin"
          }
        },
        "intelSource": "CarbonBlack",
        "lastUpdated": null
      },
      "ip": {
        "host": "8.8.8.8",
        "organization": "Google",
        "isp": null,
        "asName": null,
        "asNumber": null
      },
      "domain": {
        "registrar": null,
        "organization": null,
        "firstSeen": null,
        "lastSeen": null,
        "resolveData": [
          {
            "resolvesTo": "gigabad.de.",
            "firstSeen": 1474560069000,
            "lastSeen": 1476952710000
          },
          {
            "resolvesTo": "uslock.cn.",
            "firstSeen": 1415621353000,
            "lastSeen": 1456379387000
          }
        ]
      },
      "geo": {
        "country": "US",
        "region": null,
        "city": null,
        "latitude": 37.751,
        "longitude": -97.822,
        "isp": null,
        "organization": "Google"
      }
    }

Domain Reputation 

Get Domain Reputation info
/reputations/domains/{domain}?{start,end,details,include,sources}

Example:

curl -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/reputations/domains/www.protectwise.com?details=threat,device,ip,domain,geo&start=1473552000000&end=1476144000000"
  • Parameters
  • domain
    string (required) Example: www.protectwise.com

    A lower-case domain name to retrieve reputation information about.

    start
    number (optional) Example: 1408069629555

    the start observed time. Required when details contains threat.

    end
    number (optional) Example: 1408069659555

    the end observed time. Required when details contains threat.

    details
    string (optional) Example: threat,domain

    A comma-delimited list of threat properties to retrieve about this domain. May contain one or more of threat, device, domain, and geo. Defaults to domain.

    include
    string (optional) Example: netflows

    A comma-delimited list of sub-resources to retrieve and include in the response. Only netflows is supported.

    sources
    string (required) Example: hostInfo

    A list of internal source names to query for this request.

  • Headers
    Content-Type: application/json
    X-Access-Token: youraccess@@tokenrandomstring
  • Body
    {
      "threat": {
        "ipAddresses": [
          "192.254.190.20"
        ],
        "observations": {
          "maxThreatLevel": "Medium",
          "maxThreatScore": 35,
          "types": {
            "Ids": 21868
          },
          "timeSeries": {
            "timeRange": {
              "interval": "Day",
              "intervalSize": 1,
              "start": 1474761600000,
              "end": 1477353600000
            },
            "values": [
              {
                "timestamp": 1474761600000,
                "count": 272
              },
              {
                "timestamp": 1474848000000,
                "count": 280
              },
              {
                "timestamp": 1474934400000,
                "count": 328
              }
            ]
          },
          "top": [
            {
              "state": null,
              "resolvedReason": null,
              "assignee": null,
              "priority": false,
              "tags": null,
              "sensorId": 16,
              "sensorIds": [
                16
              ],
              "cid": 1,
              "agentId": 16,
              "id": "00053d57843741002d825aba03c3d940a1664a0e47fbbb98c246fed0",
              "type": "KillChainEscalation",
              "message": "Attack Progression on Host: 10.166.72.249",
              "observations": [],
              "netflows": [],
              "confidence": 100,
              "threatScore": 55,
              "threatLevel": "Medium",
              "killChainStage": "Beacon",
              "category": "MaliciousHost",
              "startedAt": 1474820973216,
              "endedAt": 1474821070658,
              "observedAt": 1474821100357,
              "observedStage": "Realtime",
              "isUpdate": true,
              "threatSubCategory": "None",
              "observationCount": 14,
              "netflowCount": 11,
              "analysisId": null
            },
            {
              "state": null,
              "resolvedReason": null,
              "assignee": null,
              "priority": false,
              "tags": null,
              "sensorId": 16,
              "sensorIds": [
                16
              ],
              "cid": 1,
              "agentId": 16,
              "id": "00053d63ca337d70ad3ed4a360a9bea0da295642e88fe19b13a08b2e",
              "type": "KillChainEscalation",
              "message": "Attack Progression on Host: 10.118.220.181",
              "observations": [],
              "netflows": [],
              "confidence": 100,
              "threatScore": 55,
              "threatLevel": "Medium",
              "killChainStage": "Beacon",
              "category": "MaliciousHost",
              "startedAt": 1474873686982,
              "endedAt": 1474873784968,
              "observedAt": 1474873812021,
              "observedStage": "Realtime",
              "isUpdate": true,
              "threatSubCategory": "None",
              "observationCount": 14,
              "netflowCount": 11,
              "analysisId": null
            }
          ]
        }
      },
      "device": {
        "deviceType": null,
        "deviceCategory": null,
        "deviceOs": null,
        "extendedInfo": {
          "cbDeviceInfo": {
            "networkAdapters": {
              "10.1.1.214": "60:f8:1d:b3:6d:8c",
              "10.1.1.217": "ac:87:a3:11:14:62",
              "192.168.169.1": "00:50:56:c0:00:01",
              "192.168.183.1": "00:50:56:c0:00:08",
              "192.168.251.38": "00:00:00:00:00:00"
            },
            "computerName": "Johns-MacBook-Pro.local",
            "firstName": "John",
            "hostName": "davids-macbook-pro.local",
            "lastName": "Doe",
            "physicalMemorySize": 17179869184,
            "systemFreeSize": 73624133632,
            "systemTotalSize": 499080364032,
            "userName": "admin"
          }
        },
        "intelSource": "CarbonBlack",
        "lastUpdated": null
      },
      "domain": {
        "registrar": null,
        "organization": null,
        "firstSeen": null,
        "lastSeen": null,
        "resolveData": [
          {
            "resolvesTo": "174.132.162.187",
            "firstSeen": 1308426845000,
            "lastSeen": 1337411175000
          },
          {
            "resolvesTo": "192.254.190.20",
            "firstSeen": 1414296315000,
            "lastSeen": 1477302081000
          }
        ]
      },
      "geo": {
        "country": "United States",
        "region": "VIRGINIA",
        "city": "Ashburn",
        "latitude": 39.0437,
        "longitude": 0,
        "isp": "Amazon.Com Inc.",
        "organization": "Amazon.Com Inc."
      }
    }

File Reputation 

Get File Reputation info
/reputations/files/{hash}?{start,end,sources}

Example:

curl -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/reputations/files/4a26a57b87f21e2dc3bb417d9c24be18?details=threat,device,ip,domain,geo&start=1473552000000&end=1476144000000"
  • Parameters
  • hash
    string (required) Example: 4a26a57b87f21e2dc3bb417d9c24be18

    An MD5, SHA-1, SHA-256 or SHA-512 hash of the file about which to retrieve reputation information.

    start
    number (optional) Example: 1408069629555

    The earliest occurred time of observations to retrieve. Only valid when sources contains observations.

    end
    number (optional) Example: 1408069629555

    The latest occurred time of observations to retrieve. Only valid when sources contains observations.

    sources
    string (optional) Example: observations,behavior,info

    What types of details to retrieve about the file. Defaults to all.

  • Headers
    Content-Type: application/json
    X-Access-Token: youraccess@@tokenrandomstring
  • Body
    {
      "behavior": {
        "network": {
          "http": [
            {
              "body": "data=...",
              "uri": "http://drlarrybenovitz.com/qhcka/templates/binarystings.php",
              "user-agent": "Mozilla/5.0 (Windows NT 6.3 rv:11.0) like Gecko",
              "method": "POST",
              "host": "drlarrybenovitz.com",
              "version": "1.1",
              "path": "/qhcka/templates/binarystings.php",
              "data": "POST /qhcka/templates/binarystings.php HTTP/1.1\r\nAccept: \\xf0, xw\\x98, , , , , , , , , , , , , , , , , , , , \r\nContent-Type: application/x-www-form-urlencoded\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.3 rv:11.0) like Gecko\r\nHost: drlarrybenovitz.com\r\nContent-Length: 645\r\nCache-Control: no-cache\r\n\r\ndata=...",
              "port": 80
            },
            {
              "body": "data=051BB49D89C321CAAF054797D7AAE5D95531CC49E804A1A9CD73AA1E8F4A620290C8F4202DDA9C4EE35FFAAC7FBAF04F2797837E5A88890CF2D5625C551815337FD4FB0F2E9662764522CA18D5681598C14A57CF02A3FE4B69ACA3F4532A330A55126D86F8ABC5C11DBE3BA8690EBB8F53A7BEAC8B539AE34E6176C4443B7B5B288D63B80293460F2ED147B475012F78550149AA15C3CFDCB42C0149E5D637BD92EDEC600FA05BDF98E03DD6BD3CC11E4CADEC66EA05F15FAB9E948CADEF1B6B82308DE84F1F287D0B9B5CD37C5AFA7615ABC4F940E1A6F24745CA3C6DC2C9B4266CCA4AB9379C0CA072285EA30FE20667CA0684E84B9811959B63E27CA2532E5DEBD4555BB81689CAADC98977F3D443B312EF22696DEE6C03D579DEDE2101FFB894F5352982F53D0B2985B8B34745DBEA2CA2B15AEBB1710A31DF717FEA8688",
              "uri": "http://holishit.in/wp-content/plugins/wpclef/assets/src/sass/neat/grid/binarystings.php",
              "user-agent": "Mozilla/5.0 (Windows NT 6.3 rv:11.0) like Gecko",
              "method": "POST",
              "host": "holishit.in",
              "version": "1.1",
              "path": "/wp-content/plugins/wpclef/assets/src/sass/neat/grid/binarystings.php",
              "data": "POST /wp-content/plugins/wpclef/assets/src/sass/neat/grid/binarystings.php HTTP/1.1\r\nAccept: \\xf0, 8x\\x98, , , , , , , , , , , , , , , , , , , , \r\nContent-Type: application/x-www-form-urlencoded\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.3 rv:11.0) like Gecko\r\nHost: holishit.in\r\nContent-Length: 645\r\nCache-Control: no-cache\r\n\r\ndata=...",
              "port": 80
            }
          ],
          "udp": [
            {
              "dport": 67,
              "src": "0.0.0.0",
              "dst": "255.255.255.255",
              "sport": 68
            },
            {
              "dport": 68,
              "src": "10.0.2.2",
              "dst": "10.0.2.15",
              "sport": 67
            },
            {
              "dport": 67,
              "src": "0.0.0.0",
              "dst": "255.255.255.255",
              "sport": 68
            },
            {
              "dport": 68,
              "src": "10.0.2.2",
              "dst": "10.0.2.15",
              "sport": 67
            }
          ],
          "hosts": [
            "0.0.0.0",
            "255.255.255.255",
            "10.0.2.2",
            "10.0.2.15",
            "239.255.255.250",
            "8.8.8.8",
            "224.0.0.22",
            "191.233.81.105",
            "10.0.2.255",
            "23.229.240.164",
            "160.153.63.4",
            "166.62.28.102",
            "67.169.109.82",
            "107.180.34.199"
          ],
          "dns": [
            {
              "ip": "23.229.240.164",
              "hostname": "drlarrybenovitz.com"
            },
            {
              "ip": "160.153.63.4",
              "hostname": "holishit.in"
            },
            {
              "ip": "166.62.28.102",
              "hostname": "starsoftheworld.org"
            },
            {
              "ip": "67.169.109.82",
              "hostname": "hknsjsu.org"
            },
            {
              "ip": "107.180.34.199",
              "hostname": "vtc360.com"
            }
          ],
          "tcp": [
            {
              "dport": 80,
              "src": "10.0.2.15",
              "dst": "23.229.240.164",
              "sport": 1045
            },
            {
              "dport": 1045,
              "src": "23.229.240.164",
              "dst": "10.0.2.15",
              "sport": 80
            },
            {
              "dport": 80,
              "src": "10.0.2.15",
              "dst": "107.180.34.199",
              "sport": 1053
            },
            {
              "dport": 1053,
              "src": "107.180.34.199",
              "dst": "10.0.2.15",
              "sport": 80
            }
          ]
        }
      },
      "info": {
        "id": "d5ccdd04f3ac06e83f4aa008a6c9d4f92db2dd83",
        "detectedType": "application/x-dosexec",
        "detectedFileSize": 225792,
        "hashes": {
          "md5": "4a26a57b87f21e2dc3bb417d9c24be18",
          "sha1": "3e84f1d77d09e221789e3c29c456809b42d42dd7",
          "sha256": "3a3f80700786fa89575d2f4cdc73ae57566ba0368620eaa8882ba59bd48b6071",
          "sha512": "eb1a084e67871ab46372f5b47ea20507d58f57335c30b1bdc0cd9e38d358cec879b275206d7869d249ebe0389d0d96c41eda1fcc6cd054d0da640295684ab0ba",
          "additionalHashes": {}
        },
        "type": "PE",
        "isArchive": false,
        "isEncrypted": false,
        "detectedDescription": null,
        "recapInfo": null
      },
      "observations": {
        "results": [
          {
            "tags": null,
            "sensorId": 16,
            "agentId": 16,
            "flowId": null,
            "netflowId": "00000157682f62728a715fd0420fbde8",
            "associatedId": {
              "flowId": {
                "key": "00000157682f62728a715fd0420fbde8",
                "startTime": 1474921718386,
                "srcGeo": null,
                "dstGeo": {
                  "lat": 42.9864,
                  "lon": -78.7279
                },
                "direction": "None",
                "flowStates": [],
                "srcDeviceId": null,
                "dstDeviceId": null,
                "ip": {
                  "srcMac": "",
                  "dstMac": "",
                  "srcIp": "10.3.81.112",
                  "dstIp": "192.227.172.136",
                  "srcPort": 50786,
                  "dstPort": 80,
                  "proto": "TCP",
                  "layer3Proto": "IPv4",
                  "layer4Proto": "Tcp"
                }
              }
            },
            "data": {
              "fileReputation": {
                "transportProtocol": "Http",
                "isTruncated": false,
                "advertisedType": "application/octet-stream",
                "isTypeMismatched": true,
                "extractedName": "23.exe",
                "extractedPath": "/",
                "advertisedSize": null,
                "id": "d5ccdd04f3ac06e83f4aa008a6c9d4f92db2dd83",
                "detectedType": "application/x-dosexec",
                "detectedFileSize": 225792,
                "hashes": {
                  "md5": "4a26a57b87f21e2dc3bb417d9c24be18",
                  "sha1": "3e84f1d77d09e221789e3c29c456809b42d42dd7",
                  "sha256": "3a3f80700786fa89575d2f4cdc73ae57566ba0368620eaa8882ba59bd48b6071",
                  "sha512": "eb1a084e67871ab46372f5b47ea20507d58f57335c30b1bdc0cd9e38d358cec879b275206d7869d249ebe0389d0d96c41eda1fcc6cd054d0da640295684ab0ba",
                  "additionalHashes": {}
                },
                "type": "PE",
                "isArchive": false,
                "isEncrypted": false,
                "detectedDescription": null,
                "recapInfo": null,
                "start": 1474921721137,
                "end": 1474921721137,
                "serviceType": "Static",
                "category": "Malware",
                "finding": {
                  "score": 0
                },
                "findings": []
              }
            },
            "occurredAt": 1474921721137,
            "observedAt": 1474921795377,
            "threatLevel": "Medium",
            "confidence": 99,
            "killChainStage": "Delivery",
            "severity": 55,
            "category": "Malware",
            "threatScore": 55,
            "cid": 1,
            "observedStage": "Realtime",
            "source": "Cylance",
            "id": "00000157682f62728a715fd0420fbde85f94f7eb0007",
            "threatSubCategory": "MaliciousFile",
            "netflow": null,
            "srcGeo": null,
            "dstGeo": {
              "lat": 42.9864,
              "lon": -78.7279
            },
            "analysisId": null,
            "observationDirection": "Dst_to_src",
            "endedAt": null,
            "info": {
              "ips": [
                "10.3.81.112",
                "192.227.172.136"
              ],
              "ports": [
                80,
                50786
              ],
              "coordinates": [
                {
                  "lat": 42.9864,
                  "lon": -78.7279
                }
              ],
              "protocols": [],
              "properties": {},
              "hostIds": []
            },
            "connectionInfo": {
              "srcMac": "",
              "dstMac": "",
              "srcIp": "10.3.81.112",
              "dstIp": "192.227.172.136",
              "srcPort": 50786,
              "dstPort": 80,
              "proto": "TCP",
              "layer3Proto": "IPv4",
              "layer4Proto": "Tcp"
            }
          }
        ],
        "nextOffset": "c1b470d4aebe2c91",
        "count": 3007,
        "facets": {
          "fields": {
            "fileExtractedName": {
              "23.exe": 3007
            }
          },
          "results": []
        }
      }
    }
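
The following triage helper is an added example, not part of the ProtectWise documentation or client code. It reduces a File Reputation response to the fields an analyst pivots on and tolerates sections that are absent because `sources` excluded them; the function names and the trimmed sample are assumptions built from the field names shown above.

```python
import ipaddress
import json

# Constructed sample: a trimmed /reputations/files/{hash} response that reuses
# field names and values from the documented example body.
SAMPLE = json.loads("""
{
  "behavior": {"network": {
    "http": [{"method": "POST", "host": "drlarrybenovitz.com", "port": 80,
              "path": "/qhcka/templates/binarystings.php"}],
    "hosts": ["0.0.0.0", "255.255.255.255", "10.0.2.15", "239.255.255.250",
              "8.8.8.8", "224.0.0.22", "191.233.81.105", "23.229.240.164"],
    "dns": [{"ip": "23.229.240.164", "hostname": "drlarrybenovitz.com"}]
  }},
  "info": {"detectedType": "application/x-dosexec",
           "hashes": {"md5": "4a26a57b87f21e2dc3bb417d9c24be18"}},
  "observations": {"count": 3007, "results": [{
    "killChainStage": "Delivery", "threatLevel": "Medium",
    "connectionInfo": {"srcIp": "10.3.81.112", "dstIp": "192.227.172.136"},
    "data": {"fileReputation": {
      "extractedName": "23.exe", "isTypeMismatched": true,
      "advertisedType": "application/octet-stream",
      "detectedType": "application/x-dosexec"}}
  }]}
}
""")


def is_external(addr):
    """True for addresses worth pivoting on (not private, multicast, broadcast...)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    # is_global alone is not used: it can report multicast addresses as global.
    return not (ip.is_private or ip.is_multicast or ip.is_reserved
                or ip.is_unspecified or ip.is_loopback or ip.is_link_local)


def triage(report):
    """Summarise a file reputation response; any of its sections may be absent."""
    network = (report.get("behavior") or {}).get("network") or {}
    external = [h for h in network.get("hosts", []) if is_external(h)]
    resolved = {d["ip"]: d["hostname"] for d in network.get("dns", [])}

    mismatches = []
    for obs in (report.get("observations") or {}).get("results", []):
        rep = (obs.get("data") or {}).get("fileReputation") or {}
        if rep.get("isTypeMismatched"):
            conn = obs.get("connectionInfo") or {}
            mismatches.append({
                "name": rep.get("extractedName"),
                "advertised": rep.get("advertisedType"),
                "detected": rep.get("detectedType"),
                "src": conn.get("srcIp"),
                "dst": conn.get("dstIp"),
            })

    return {
        "hashes": (report.get("info") or {}).get("hashes") or {},
        "external_hosts": external,
        # External hosts with no matching entry in behavior.network.dns.
        "hosts_without_dns": [h for h in external if h not in resolved],
        "http_requests": [f'{h.get("method")} {h.get("host")}{h.get("path")}'
                          for h in network.get("http", [])],
        "type_mismatches": mismatches,
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```
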

Tag 

Tag collection 

Collection of tags belonging to your account.

List all tags
/tags

Example:

curl -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/tags"
  • Body
    [
      {
        "id": 1,
        "customer_id": 1,
        "name": "tag_1",
        "count": 10,
        "created_at": "2016-10-26T22:38:06.879Z",
        "updated_at": "2016-10-26T22:38:06.879Z"
      },
      {
        "id": 2,
        "customer_id": 1,
        "name": "tag_2",
        "count": 5,
        "created_at": "2016-10-26T23:38:05.224Z",
        "updated_at": "2016-10-26T23:42:02.119Z"
      }
    ]
Add a Tag
/tags

Creates a tag. Multiple spaces and colons are not allowed in tag names.

Example:

curl -X POST -H "X-Access-Token: youraccess@@tokenrandomstring" -H "Content-Type: application/json" -d '{ "name": "tag_1" }' "https://api.protectwise.com/api/v1/tags"
  • Body
    {
      "id": 3,
      "customer_id": 1,
      "name": "tag_1",
      "count": 0,
      "created_at": "2016-10-26T23:47:53.921Z",
      "updated_at": "2016-10-26T23:47:53.921Z"
    }

Single tag 

Retrieve a single tag
/tags/{id}

Example:

curl -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/tags/123"
  • Body
    {
      "id": 123,
      "customer_id": 1,
      "name": "tag_1",
      "count": 0,
      "created_at": "2016-10-26T22:38:06.879Z",
      "updated_at": "2016-10-27T03:28:24.021Z"
    }
Delete a tag
/tags/{id}

Example:

curl -X DELETE -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/tags/123"
  • Response  204

Packet Captures 

Event Pcap Download 

Retrieve an event's packet capture
/pcaps/events/{id}?{filename}

Example:

curl -H "X-Access-Token: youraccess@@tokenrandomstring" -O -J "https://api.protectwise.com/api/v1/pcaps/events/00050c3f4e534028597991b91e4761ef394965348203a3e298c8896c"
  • Parameters
  • id
    string (required) Example: 00050c3f4e534028597991b91e4761ef394965348203a3e298c8896c

    The event ID

    filename
    string (optional) Example: download.pcap

    Optionally provide a filename for the download

  • Headers
    X-Access-Token: youraccess@@tokenstring
  • Headers
    Content-Disposition: attachment; filename=event-00050c3f4e534028597991b91e4761ef394965348203a3e298c8896c.pcap
    Content-Type: application/vnd.tcpdump.pcap
    Transfer-Encoding: chunked

Event Pcap Information 

Retrieve information about an event packet capture
/pcaps/events/{id}/info

Example:

curl -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/pcaps/events/00050c3f4e534028597991b91e4761ef394965348203a3e298c8896c/info"
  • Parameters
  • id
    string (required) Example: 00050c3f4e534028597991b91e4761ef394965348203a3e298c8896c

    The event id

  • Headers
    X-Access-Token: youraccess@@tokenstring
  • Headers
    Content-Type: application/json
    Body
    {
      "id": "00050c3f4e534028597991b91e4761ef394965348203a3e298c8896c",
      "estimatedSize": 9206,
      "netflows": [
        {
          "flowId": "00000149535bdc6019076c9779dab34d",
          "startTime": 1414442769504,
          "endTime": 1414442783762,
          "sensorId": 1713
        }
      ]
    }

Observation Pcap Download 

Retrieve an observation's packet capture
/pcaps/observations/{sensorId}/{id}?{filename}

Example:

curl -H "X-Access-Token: youraccess@@tokenrandomstring" -O -J "https://api.protectwise.com/api/v1/pcaps/observations/1713/00050c7a6c1773c8641bd6d6a10af5e3e39c827833acbc2feb8a743b"
  • Parameters
  • sensorId
    string (required) Example: 1713

    The sensor ID

    id
    string (required) Example: 00050c7a6c1773c8641bd6d6a10af5e3e39c827833acbc2feb8a743b

    The observation ID

    filename
    string (optional) Example: download.pcap

    Optionally provide a filename for the download

  • Headers
    X-Access-Token: youraccess@@tokenstring
  • Headers
    Content-Disposition: attachment; filename=observation-00050c7a6c1773c8641bd6d6a10af5e3e39c827833acbc2feb8a743b.pcap
    Content-Type: application/vnd.tcpdump.pcap
    Transfer-Encoding: chunked

Observation Pcap Information 

Retrieve information about an observation packet capture
/pcaps/observations/{sensorId}/{id}/info

Example:

curl -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/pcaps/observations/1713/00050c3f4e534028597991b91e4761ef394965348203a3e298c8896c/info"
  • Parameters
  • sensorId
    string (required) Example: 1713

    The sensor id

    id
    string (required) Example: 00050c3f4e534028597991b91e4761ef394965348203a3e298c8896c

    The observation id

  • Headers
    X-Access-Token: youraccess@@tokenstring
  • Headers
    Content-Type: application/json
    Body
    {
      "id": "00050c3f4e534028597991b91e4761ef394965348203a3e298c8896c",
      "estimatedSize": 9206,
      "netflows": [
        {
          "flowId": "00000149535bdc6019076c9779dab34d",
          "startTime": 1414442769504,
          "endTime": 1414442783762,
          "sensorId": 1713
        }
      ]
    }

Protocol 

The sensor can be configured to control what data it processes and how. This API provides a list of protocols that the sensor can recognize and filter.

Protocols are assigned to families.

Protocol 

Get the name of a protocol by id

Get a single protocol
/protocols/{id}?{include}

Example:

curl -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/protocols/2?include=families"
  • Parameters
  • id
    number (required) Example: 2

    The id of the protocol

    include
    string (optional) Example: families

    Embed the protocol’s family in the response

  • Body
    {
      "id": 2,
      "protocol_family_id": 15,
      "name": "POP3",
      "display": "POP3",
      "family": {
        "id": 15,
        "name": "Mail",
        "description": "Email exchange protocols"
      }
    }

Protocol Collection 

Collection of all available capture protocols

List all protocols
/protocols?{family_id,include}

Example:

curl -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/protocols?family_id=2&include=families"
  • Parameters
  • family_id
    number (optional) Example: 2

    Only show protocols that are assigned to a specific family

    include
    string (optional) Example: families

    Embed the protocol’s family in the response

  • Body
    [
      {
        "id": 12,
        "name": "SSDP",
        "display": "SSDP",
        "protocol_family_id": 2,
        "family": {
          "id": 2,
          "name": "Application Service",
          "description": "Background services"
        }
      },
      {
        "id": 17,
        "name": "Syslog",
        "display": "Syslog",
        "protocol_family_id": 2,
        "family": {
          "id": 2,
          "name": "Application Service",
          "description": "Background services"
        }
      }
    ]

Protocol Family 

Get a single protocol family record and optionally include child protocols

Get a protocol family
/protocol-families/{id}?{include}

Example:

curl -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/protocol-families/1?include=protocols"
  • Parameters
  • id
    number (required) Example: 2

    The id of the protocol family

    include
    string (optional) Example: protocols

    Embed the protocols associated with the family

  • Headers
    Content-Type: application/json
    Body
    {
      "id": 2,
      "name": "Application Service",
      "description": "Background services",
      "protocols": [
        {
          "id": 12,
          "name": "SSDP",
          "display": "SSDP",
          "protocol_family_id": 2
        },
        {
          "id": 17,
          "name": "Syslog",
          "display": "Syslog",
          "protocol_family_id": 2
        },
        {
          "id": 112,
          "name": "LDAP",
          "display": "LDAP",
          "protocol_family_id": 2
        },
        {
          "id": 143,
          "name": "AppleiCloud",
          "display": "AppleiCloud",
          "protocol_family_id": 2
        }
      ]
    }

Protocol Family Collection 

Collection of available protocol families

List all protocol families
/protocol-families?{include}

Example:

curl -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/protocol-families?include=protocols"
  • Parameters
  • include
    string (optional) Example: protocols

    Embed the protocols associated with each family

  • Body
    [
        {
            "id": 2,
            "name": "Application Service",
            "description": "Background services",
            "protocols": [
                {
                    "id": 12,
                    "name": "SSDP",
                    "display": "SSDP",
                    "protocol_family_id": 2
                },
                {
                    "id": 17,
                    "name": "Syslog",
                    "display": "Syslog",
                    "protocol_family_id": 2
                }
            ]
        },
        {
            "id": 3,
            "name": "Audio/Video",
            "description": "Application/Protocols used to transport audio or video content",
            "protocols": [
                {
                    "id": 24,
                    "name": "AppleJuice",
                    "display": "AppleJuice",
                    "protocol_family_id": 3
                },
                {
                    "id": 32,
                    "name": "Kontiki",
                    "display": "Kontiki",
                    "protocol_family_id": 3
                }
            ]
        }
    ]
    

Capture-Profile 

Capture-Profile 

A capture profile applies the default_mode capture mode to every available protocol. Create exception records to change the capture mode for a specific protocol.

Retrieve a single capture profile
/capture-profiles/{id}

Example:

curl -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/capture-profiles/1"
  • Parameters
  • id
    number (required) Example: 1

    The id of the capture profile

  • Headers
    Content-Type: application/json
    Body
    {
      "id": 1,
      "name": "Default Profile",
      "default_mode": "packet",
      "exceptions": [
        {
          "id": 1,
          "protocol_id": 1,
          "family_id": null,
          "capture_mode": "netflow"
        },
        {
          "id": 2,
          "protocol_id": 3,
          "family_id": null,
          "capture_mode": "none"
        }
      ]
    }
Update a capture profile
/capture-profiles/{id}

Update the capture profile name, default capture mode, and/or exceptions. Note: If you supply an exceptions property, it will REPLACE all existing exceptions.

Example:

curl -X PUT -H "X-Access-Token: youraccess@@tokenrandomstring" -H "Content-Type: application/json" -d '{ "name": "Default Profile", "default_mode": "packet", "exceptions": [] }' "https://api.protectwise.com/api/v1/capture-profiles/1"
  • Parameters
  • id
    number (required) Example: 1

    The id of the capture profile

  • Body
    {
      "name": "Default Profile",
      "default_mode": "packet",
      "exceptions": [
        {
          "protocol_id": 1,
          "capture_mode": "netflow"
        },
        {
          "protocol_id": 3,
          "capture_mode": "none"
        }
      ]
    }
  • Headers
    Content-Type: application/json
    Body
    {
      "id": 1,
      "name": "Default Profile",
      "default_mode": "packet",
      "exceptions": [
        {
          "id": 1,
          "protocol_id": 1,
          "family_id": null,
          "capture_mode": "netflow"
        },
        {
          "id": 2,
          "protocol_id": 3,
          "family_id": null,
          "capture_mode": "none"
        }
      ]
    }
Remove a capture profile
/capture-profiles/{id}

A capture profile MUST NOT be associated with any sensors in order to be eligible for deletion

Example:

curl -X DELETE -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/capture-profiles/1"
  • Parameters
  • id
    number (required) Example: 1

    The id of the capture profile

  • Response  204

Capture-Profile Collection 

List all available capture profiles
/capture-profiles

Example:

curl -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/capture-profiles"
  • Headers
    Content-Type: application/json
    Body
    [
      {
        "id": 1,
        "customer_id": 1,
        "name": "Default Profile",
        "default_mode": "packet"
      },
      {
        "id": 2,
        "customer_id": 1,
        "name": "Stream Heads",
        "default_mode": "head"
      }
    ]
Create a new capture profile
/capture-profiles

Example:

curl -X POST -H "X-Access-Token: youraccess@@tokenrandomstring" -H "Content-Type: application/json" -d '{ "name": "Default Profile", "default_mode": "packet" }' "https://api.protectwise.com/api/v1/capture-profiles"
  • Headers
    Content-Type: application/json
    Body
    {
      "name": "Default Profile",
      "default_mode": "packet",
      "exceptions": [
        {
          "protocol_id": 1,
          "capture_mode": "netflow"
        },
        {
          "protocol_id": 3,
          "capture_mode": "none"
        }
      ]
    }
  • Body
    {
      "id": 1,
      "name": "Default Profile",
      "default_mode": "packet",
      "exceptions": [
        {
          "id": 1,
          "protocol_id": 1,
          "family_id": null,
          "capture_mode": "netflow"
        },
        {
          "id": 2,
          "protocol_id": 3,
          "family_id": null,
          "capture_mode": "none"
        }
      ]
    }

Exception 

The capture profile applies its default capture mode to all available protocols on the sensor. An exception defines a different capture mode for a specific protocol or protocol family.

Get a single capture profile exception
/capture-profiles/{id}/exceptions/{eid}

Example:

curl -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/capture-profiles/1/exceptions/5"
  • Parameters
  • id
    number (required) Example: 1

    The id value for the capture profile

    eid
    number (required) Example: 5

    The id of the capture profile’s exception

  • Headers
    Content-Type: application/json
    Body
    {
      "id": 5,
      "protocol_id": 13,
      "capture_mode": "none"
    }
Update a capture profile exception
/capture-profiles/{id}/exceptions/{eid}

Example:

curl -X PUT -H "X-Access-Token: youraccess@@tokenrandomstring" -H "Content-Type: application/json" -d '{ "capture_mode": "netflow" }' "https://api.protectwise.com/api/v1/capture-profiles/13/exceptions/5"
  • Parameters
  • id
    number (required) Example: 1

    The id value for the capture profile

    eid
    number (required) Example: 5

    The id of the capture profile’s exception

  • Headers
    Content-Type: application/json
    Body
    {
      "capture_mode": "netflow"
    }
  • Headers
    Content-Type: application/json
    Body
    {
      "id": 5,
      "protocol_id": 13,
      "capture_mode": "netflow"
    }
Delete a protocol exception from a capture profile
/capture-profiles/{id}/exceptions/{eid}

Example:

curl -X DELETE -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/capture-profiles/1/exceptions/5"
  • Parameters
  • id
    number (required) Example: 1

    The id value for the capture profile

    eid
    number (required) Example: 5

    The id of the capture profile’s exception

  • Response  204

Exceptions Collection 

Collection of exceptions to the capture profile defaults

List all exceptions for the capture profile
/capture-profiles/{id}/exceptions?{protocol_id,family_id,capture_mode}

Example:

curl -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/capture-profiles/1/exceptions"
  • Parameters
  • protocol_id
    number (optional) Example: 1

    Only show exceptions that apply to a specific protocol

    family_id
    number (optional) Example: 1

    Only show exceptions that apply to a specific protocol family

    capture_mode
    string (optional) Example: packet

    Only show exceptions that are set to a specific capture mode

  • Body
    [
      {
        "id": 1,
        "protocol_id": 1,
        "family_id": null,
        "capture_mode": "netflow"
      },
      {
        "id": 2,
        "protocol_id": null,
        "family_id": 1,
        "capture_mode": "none"
      }
    ]
Create a new capture profile exception
/capture-profiles/{id}/exceptions?{protocol_id,family_id,capture_mode}

Example:

curl -X POST -H "X-Access-Token: youraccess@@tokenrandomstring" -H "Content-Type: application/json" -d '{ "mode": "packet", "protocol_id": 11 }' "https://api.protectwise.com/api/v1/capture-profiles/1/exceptions"
  • Headers
    Content-Type: application/json
    Body
    {
      "mode": "packet",
      "protocol_id": 1
    }
  • Body
    {
      "id": 1,
      "name": "Default Profile",
      "default_mode": "packet",
      "exceptions": [
        {
          "id": 1,
          "protocol_id": 1,
          "family_id": null,
          "capture_mode": "netflow"
        },
        {
          "id": 2,
          "protocol_id": 3,
          "family_id": null,
          "capture_mode": "none"
        }
      ]
    }
  • Headers
    Content-Type: application/json
    Body
    {
      "mode": "packet",
      "family_id": 2
    }
  • Body
    [
      {
        "capture_profile_id": 1,
        "mode": "packet",
        "protocol_id": 12
      },
      {
        "capture_profile_id": 1,
        "mode": "packet",
        "protocol_id": 17
      },
      {
        "capture_profile_id": 1,
        "mode": "packet",
        "protocol_id": 112
      },
      {
        "capture_profile_id": 1,
        "mode": "packet",
        "protocol_id": 143
      }
    ]
Delete capture profile exceptions by protocol family
/capture-profiles/{id}/exceptions?{protocol_id,family_id,capture_mode}

Example:

curl -X DELETE -H "X-Access-Token: youraccess@@tokenrandomstring" -H "Content-Type: application/json" -d '{ "family_id": 2 }' "https://api.protectwise.com/api/v1/capture-profiles/1/exceptions"
  • Headers
    Content-Type: application/json
    Body
    {
      "family_id": 2
    }
  • Response  204

Notification 

Notifications are a mechanism to receive alerts outside of the web interface, such as receiving an email when a new event is generated.

Notification 

Get a notification profile by id

Get a single notification
/notifications/{id}

Example:

curl -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/notifications/1"
  • Parameters
  • id
    number (required) Example: 2

    The id of the notification profile

  • Body
    {
      "id": 1,
      "customer_id": 1,
      "user_id": null,
      "name": "Email Event",
      "source": "events",
      "options": {
        "threatLevel": "high"
      },
      "enabled": true,
      "transports": [
        {
          "id": 1,
          "notification_id": 1,
          "name": "Email",
          "type": "email",
          "options": {
            "subject": "[ProtectWise Event Alert] {{message}}",
            "body": "{{message}}\n{{urlLink}}",
            "additionalEmails": [
              "Alerts <alerts@protectwise.com>"
            ]
          },
          "users": [
            {
              "id": 1,
              "email": "john.doe@protectwise.com",
              "customer_id": 1,
              "firstname": "John",
              "lastname": "Doe"
            }
          ]
        }
      ]
    }
Update a notification
/notifications/{id}

Update a notification profile.

NOTE: transports and users define the final state after the update. For example, if you want to add just one transport, you have to include all existing transports in your PUT request or the previous transports will be deleted.

Example:

curl -X PUT -H "X-Access-Token: youraccess@@tokenrandomstring" -H "Content-Type: application/json" -d '{ "enabled": false }' "https://api.protectwise.com/api/v1/notifications/1"
  • Parameters
  • id
    number (required) Example: 2

    The id of the notification profile

  • Body
    {
      "name": "Email Event Renamed",
      "transports": [
        {
          // Update an existing transport using the "id" property
          "id": 1,
          "options": {
            "subject": "[Changed Subject] {{message}}",
            "body": "{{message}}\n{{urlLink}}"
          },
          "users": [1]
        },
        {
          // Create a new transport
          "name": "Daily email",
          "type": "email",
          "options": {
            "subject": "[ProtectWise Daily Email] {{message}}",
            "body": "{{message}}\n{{urlLink}}",
            "additionalEmails": [ "alerts@protectwise.com" ]
          },
          "users": [1]
        }
      ]
    }
  • Headers
    Content-Type: application/json
    Body
    {
      "id": 1,
      "customer_id": 1,
      "user_id": null,
      "name": "Email Event",
      "source": "events",
      "options": {
        "threatLevel": "high"
      },
      "enabled": true,
      "transports": [
        {
          "id": 1,
          "notification_id": 1,
          "name": "Email",
          "type": "email",
          "options": {
            "subject": "[ProtectWise Event Alert] {{message}}",
            "body": "{{message}}\n{{urlLink}}",
            "additionalEmails": [
              "Alerts <alerts@protectwise.com>"
            ]
          },
          "users": [
            {
              "id": 1,
              "email": "john.doe@protectwise.com",
              "customer_id": 1,
              "firstname": "John",
              "lastname": "Doe"
            }
          ]
        }
      ]
    }
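
Because transports and users in a PUT define the final state, adding one transport safely is a read-modify-write. The following added example (not part of the ProtectWise documentation) builds the PUT body from the GET response shown above and reports which transports a body would delete; the function names are hypothetical, and it assumes that resending an existing transport with its id and current options leaves it unchanged.

```python
import copy
import json

# Constructed sample: the GET /notifications/1 response shown on this page.
CURRENT = {
    "id": 1, "customer_id": 1, "user_id": None, "name": "Email Event",
    "source": "events", "options": {"threatLevel": "high"}, "enabled": True,
    "transports": [{
        "id": 1, "notification_id": 1, "name": "Email", "type": "email",
        "options": {"subject": "[ProtectWise Event Alert] {{message}}",
                    "body": "{{message}}\n{{urlLink}}",
                    "additionalEmails": ["Alerts <alerts@protectwise.com>"]},
        "users": [{"id": 1, "email": "john.doe@protectwise.com",
                   "customer_id": 1, "firstname": "John", "lastname": "Doe"}],
    }],
}

# The transport to add, taken from the PUT body example on this page.
NEW = {"name": "Daily email", "type": "email",
       "options": {"subject": "[ProtectWise Daily Email] {{message}}",
                   "body": "{{message}}\n{{urlLink}}",
                   "additionalEmails": ["alerts@protectwise.com"]},
       "users": [1]}


def user_ids(users):
    """GET returns user objects; the PUT body on this page uses bare ids."""
    return [u["id"] if isinstance(u, dict) else u for u in users]


def put_body_adding_transport(current, new_transport):
    """Build a PUT body that adds one transport and keeps every existing one."""
    if "id" in new_transport:
        raise ValueError("a new transport must not carry an id")
    kept = [{"id": t["id"],  # "id" marks an update of an existing transport
             "options": copy.deepcopy(t.get("options", {})),
             "users": user_ids(t.get("users", []))}
            for t in current.get("transports", [])]
    added = copy.deepcopy(new_transport)
    added["users"] = user_ids(added.get("users", []))
    return {"transports": kept + [added]}


def dropped_transport_ids(current, body):
    """Ids of existing transports that the body omits, so the PUT deletes them."""
    sent = {t["id"] for t in body.get("transports", []) if "id" in t}
    return sorted(t["id"] for t in current.get("transports", [])
                  if t["id"] not in sent)


if __name__ == "__main__":
    body = put_body_adding_transport(CURRENT, NEW)
    print("would delete:", dropped_transport_ids(CURRENT, body))
    print(json.dumps(body, indent=2))
```

Running dropped_transport_ids against a body before sending it catches the case where an alert recipient would be removed silently.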
Remove a notification
/notifications/{id}

Delete a notification

Example:

curl -X DELETE -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/notifications/1"
  • Parameters
  • id
    number (required) Example: 2

    The id of the notification profile

  • Response  204

Notification Collection 

List all available notifications
/notifications

Example:

curl -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/notifications"
  • Headers
    Content-Type: application/json
    Body
    [
      {
        "id": 1,
        "customer_id": 1,
        "user_id": null,
        "name": "Email Event",
        "source": "events",
        "options": {
          "threatLevel": "high"
        },
        "enabled": true,
        "transports": [
          {
            "id": 1,
            "notification_id": 1,
            "name": "Email",
            "type": "email",
            "options": {
              "subject": "[ProtectWise Event Alert] {{message}}",
              "body": "{{message}}\n{{urlLink}}",
              "additionalEmails": [
                "Alerts <alerts@protectwise.com>"
              ]
            },
            "users": [
              {
                "id": 1,
                "email": "john.doe@protectwise.com",
                "customer_id": 1,
                "firstname": "John",
                "lastname": "Doe"
              }
            ]
          }
        ]
      }
    ]
Create a new notification
/notifications

Create a new notification and create subscriptions

Schema

options - An event property and a value. Currently supported: { "threatLevel": "high" }

transports.options

  • subject - The text to use as the subject of the email

  • body - The body of the email. This is repeated for all events included in the email. Supports variable substitution.

  • additionalEmails - An array of arbitrary email addresses to include in the notification

Example:

curl -X POST -H "X-Access-Token: youraccess@@tokenrandomstring" -H "Content-Type: application/json" -d '{ "name": "Email Event", "source": "events", "transports": [ { "name": "Email", "type": "email", "users": [1] } ] }' "https://api.protectwise.com/api/v1/notifications"
  • Headers
    Content-Type: application/json
    Body
    {
      "name": "Email Event",
      "source": "events",
      "options": {
        "threatLevel": "high"
      },
      "transports": [
        {
          "name": "Email",
          "type": "email",
          "options": {
            "subject": "[ProtectWise Event Alert] {{message}}",
            "body": "{{message}}\n{{urlLink}}",
            "additionalEmails": [
              "Alerts <alerts@protectwise.com>"
            ]
          },
          "users": [
            1,
            2,
            3
          ]
        }
      ]
    }
  • Body
    {
      "id": 1,
      "customer_id": 1,
      "user_id": null,
      "name": "Email Event",
      "source": "events",
      "options": {
        "threatLevel": "high"
      },
      "enabled": true,
      "transports": [
        {
          "id": 1,
          "notification_id": 1,
          "name": "Email",
          "type": "email",
          "options": {
            "subject": "[ProtectWise Event Alert] {{message}}",
            "body": "{{message}}\n{{urlLink}}",
            "additionalEmails": [
              "Alerts <alerts@protectwise.com>"
            ]
          },
          "users": [
            {
              "id": 1,
              "email": "john.doe@protectwise.com",
              "customer_id": 1,
              "firstname": "John",
              "lastname": "Doe"
            }
          ]
        }
      ]
    }

Customer-Settings 

Customer-Settings 

A customer settings object maintains various customer-specific settings.

Retrieve customer settings
/customers/{id}/settings

Example:

curl -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/customers/1770/settings"
  • Parameters
  • id
    number (required) Example: 1

    The customer id

  • Headers
    Content-Type: application/json
    Body
    {
      "customer_id": 1770,
      "login_ip_whitelist": [
        "216.58.216.0/24",
        "204.79.0.0/16"
      ],
      "require_mfa": false,
      "retention_days": 90,
      "eula_accepted": "v1.1",
      "updated_at": "2015-05-24T17:23:40.622Z"
    }
Update customer settings
/customers/{id}/settings

Update customer-specific settings

You do not need to include id or customer_id in the PUT body.

Example:

curl -X PUT -H "X-Access-Token: youraccess@@tokenrandomstring" -H "Content-Type: application/json" -d '{"login_ip_whitelist": ["216.58.216.0/24", "204.79.0.0/16"], "require_mfa": true, "retention_days": 90}' "https://api.protectwise.com/api/v1/customers/1770/settings"
  • Parameters
  • id
    number (required) Example: 1

    The customer id

  • Body
    {
      "login_ip_whitelist": ["216.58.216.0/24", "204.79.0.0/16"],
      "require_mfa": true,
      "retention_days": 90
    }
  • Headers
    Content-Type: application/json
    Body
    {
      "customer_id": 1770,
      "login_ip_whitelist": [
        "216.58.216.0/24",
        "204.79.0.0/16"
      ],
      "require_mfa": false,
      "retention_days": 90,
      "eula_accepted": "v1.1",
      "updated_at": "2015-05-24T17:23:40.622Z"
    }

Audits 

Audit logs are a history of actions taken by users that had a material impact on customer data.

Audit Collection 

Example:

curl -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/audits?user_id=503&sort=-timestamp&page=2"
Search for audits
/audits?{id,timestamp,uuid,user_id,auth_method,ip,resource,action,page,per_page,fields,sort}
  • Parameters
  • id
    number (optional) Example: 142..250

    Filter by audit ID

    timestamp
    number (optional) Example: 1401451500000

    Timestamp of when the action occurred

    uuid
    string (optional) Example: b6807bd9-bc74-4a44-b798-c635619e52b5

    Filter by request UUID

    user_id
    number (optional) Example: 16

    Filter by user

    auth_method
    string (optional) Example: token

    Filter by authentication method (no-auth, token, session)

    ip
    string (optional) Example: 162.202.10.4

    Filter by IP address from which the request was made

    resource
    string (optional) Example: sensors

    Filter by the resource that was affected (login, sensors, sensor-sets)

    action
    string (optional) Example: update

    Filter by the action that was taken (create, update, delete, retrieve)

    page
    number (optional) Example: 1

    Get a certain page from the result set (default is page 1)

    per_page
    number (optional) Example: 25

    Set the number of audits returned per page (default is 25)

    fields
    string (optional) Example: id,resource,action,details

    Return only the specified resource fields (by default, GET /audits excludes details for brevity, but you can use this parameter to include it)

    sort
    string (optional) Example: -timestamp

    Sort by a field (add - for descending sort)

  • Headers
    Content-Type: application/json
    Body
    [
      {
        "id": 193401,
        "timestamp": "2014-01-01T07:00:00.000Z",
        "uuid": "a5807bd9-bc74-4a44-b798-c635619e52b5",
        "customer_id": 1,
        "user_id": 1,
        "auth_method": "token",
        "ip": "127.0.0.1",
        "resource": "sensor-sets",
        "action": "create"
      },
      {
        "id": 193445,
        "timestamp": "2014-01-01T07:01:00.000Z",
        "uuid": "b6807bd9-bc74-4a44-b798-c635619e52b5",
        "customer_id": 1,
        "user_id": 1,
        "auth_method": "token",
        "ip": "127.0.0.1",
        "resource": "sensors",
        "action": "update"
      },
      {
        "id": 193497,
        "timestamp": "2014-01-01T07:03:00.000Z",
        "uuid": "d8807bd9-bc74-4a44-b798-c635619e52b5",
        "customer_id": 1,
        "user_id": 3,
        "auth_method": "sensors",
        "ip": "127.0.0.2",
        "resource": "sensors",
        "action": "delete"
      }
    ]

Audit 

Example:

curl -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/audits/193401"
Retrieve a single audit record
/audits/{id}

Look up a single audit record

  • Parameters
  • id
    string (required) Example: 193401

    The audit id

  • Headers
    Content-Type: application/json
    X-Access-Token: youraccess@@tokenstring
  • Headers
    Content-Type: application/json
    Body
    {
      "id": 193401,
      "timestamp": "2014-01-01T07:00:00.000Z",
      "uuid": "a5807bd9-bc74-4a44-b798-c635619e52b5",
      "customer_id": 1,
      "user_id": 1,
      "auth_method": "token",
      "ip": "127.0.0.1",
      "resource": "sensor-sets",
      "action": "update",
      "details": {
        "previous": {
          "id": 775,
          "name": "Display name",
          "customer_id": 1,
          "default_set": false
        },
        "current": {
          "id": 775,
          "name": "Denver Sensors",
          "customer_id": 1,
          "default_set": false
        }
      }
    }
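
A review pass over audit records, as an added example that is not part of the ProtectWise documentation: it flags state-changing actions whose source ip falls outside the customer's login_ip_whitelist ranges and diffs details.previous against details.current. The function names and sample records are constructed; using the login allowlist as the expected source range for API activity is an assumption of this example, and details must be requested with the fields parameter.

```python
import ipaddress

# Constructed sample data modelled on the responses shown on this page.
ALLOWLIST = ["216.58.216.0/24", "204.79.0.0/16"]  # login_ip_whitelist
AUDITS = [
    {"id": 193401, "timestamp": "2014-01-01T07:00:00.000Z", "user_id": 1,
     "auth_method": "token", "ip": "162.202.10.4", "resource": "sensor-sets",
     "action": "update",
     "details": {
         "previous": {"id": 775, "name": "Display name", "default_set": False},
         "current": {"id": 775, "name": "Denver Sensors", "default_set": False}}},
    {"id": 193445, "timestamp": "2014-01-01T07:01:00.000Z", "user_id": 1,
     "auth_method": "token", "ip": "216.58.216.14", "resource": "sensors",
     "action": "delete"},  # inside the allowlist, details not requested
    {"id": 193497, "timestamp": "2014-01-01T07:03:00.000Z", "user_id": 3,
     "auth_method": "token", "ip": "162.202.10.4", "resource": "sensors",
     "action": "retrieve"},  # read-only action, not reviewed here
]


def changed_fields(audit):
    """Map each field that differs to its (previous, current) pair."""
    details = audit.get("details") or {}
    prev = details.get("previous") or {}
    cur = details.get("current") or {}
    return {k: (prev.get(k), cur.get(k))
            for k in sorted(set(prev) | set(cur)) if prev.get(k) != cur.get(k)}


def in_allowlist(ip, cidrs):
    """True if ip parses and lies inside one of the CIDR ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # missing or malformed source address counts as outside
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def review(audits, cidrs, actions=("create", "update", "delete")):
    """Return state-changing audit records made from outside the allowlist."""
    findings = []
    for a in audits:
        if a.get("action") not in actions or in_allowlist(a.get("ip", ""), cidrs):
            continue
        findings.append({"id": a["id"], "user_id": a.get("user_id"),
                         "ip": a.get("ip"), "resource": a.get("resource"),
                         "action": a.get("action"), "changed": changed_fields(a)})
    return findings


if __name__ == "__main__":
    for finding in review(AUDITS, ALLOWLIST):
        print(finding)
```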

Generated by aglio on 19 Oct 2020