Data Format
Common Data
Values in a JSON response are of type string, integer, date (an epoch timestamp, see Date Format below), boolean, array or object.
Date Format
The Picus REST API uses epoch time, also known as Unix time: the time elapsed since the Unix epoch, 00:00:00 UTC on 1 January 1970. Values are expressed in milliseconds, not seconds; note the 13-digit value and the fractional seconds in the example below.

```json
{
  "created_at": 1611131624037 // GMT: Wednesday, 20 January 2021 08:33:44.037
}
```

Timestamps in both requests and responses use this epoch-millisecond format.
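The conversion helpers below are an added example, not part of the Picus documentation or client code. They treat every timestamp as epoch milliseconds (as the `created_at` example above shows), use integer arithmetic so no precision is lost in the round trip, refuse naive datetimes (a wrong local-time assumption silently shifts a query window by hours), and flag a value that looks like epoch seconds, which the API would interpret as a date in early 1970. The `10**11` cutoff is a heuristic chosen for this example.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
ONE_MS = timedelta(milliseconds=1)

# Heuristic used by this example only: epoch milliseconds below 10**11 fall
# before March 1973, so a current-era value that small is almost certainly
# epoch seconds passed by mistake.
MIN_PLAUSIBLE_MS = 10**11


def looks_like_seconds(value: int) -> bool:
    """True if a value is small enough to be epoch seconds rather than milliseconds."""
    return value < MIN_PLAUSIBLE_MS


def assert_millis(value: int) -> int:
    """Reject timestamps that are not plausible epoch-millisecond integers."""
    if isinstance(value, bool) or not isinstance(value, int) or value < 0:
        raise ValueError(f"expected a non-negative integer epoch value, got {value!r}")
    if looks_like_seconds(value):
        raise ValueError(f"{value} looks like epoch seconds; the API expects milliseconds")
    return value


def epoch_ms_to_datetime(ms: int) -> datetime:
    """Epoch milliseconds (as returned by the API) to a UTC-aware datetime, exactly."""
    return EPOCH + timedelta(milliseconds=assert_millis(ms))


def datetime_to_epoch_ms(dt: datetime) -> int:
    """UTC-aware datetime to epoch milliseconds for use in a request."""
    if dt.tzinfo is None:
        raise ValueError("datetime must be timezone-aware; naive values are ambiguous")
    # timedelta // timedelta yields an int, so the conversion stays exact.
    return (dt - EPOCH) // ONE_MS


def epoch_ms_to_iso(ms: int) -> str:
    """Human-readable ISO 8601 form of an API timestamp."""
    return epoch_ms_to_datetime(ms).isoformat()


def iso_to_epoch_ms(text: str) -> int:
    """Parse an ISO 8601 string with a UTC offset into epoch milliseconds."""
    return datetime_to_epoch_ms(datetime.fromisoformat(text))


if __name__ == "__main__":
    # The value from the page's own example.
    print(epoch_ms_to_iso(1611131624037))
    print(iso_to_epoch_ms("2021-01-20T08:33:44.037000+00:00"))
```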
Threats & Actions
Threats are the components of the Threat Library; Actions are the subcomponents of a Threat. The identifiers below refer to Actions.
Param | Type | Description |
---|---|---|
action_id | int64 | Unique identifier of an action that forms part of a threat used in attack simulations. Action IDs are used in the backend of Picus systems. |
action_display_id | int64 | Unique identifier of the same action as shown in the Picus user interface. |
Simulation
A simulation is an immediate or scheduled run of a template on an agent. Each simulation has a name and a run schedule.
Param | Type | Description |
---|---|---|
simulation_id | uint64 | Simulation identifier. |
simulation_name | string | Simulation name. |
status | string | Simulation run status. |
agent | object | Agent that simulation is running on. |
prevention_security_score | int64 | Simulation prevention security score. |
detection_security_score | int64 | Simulation detection security score. |
has_detection_analysis | bool | True if the simulation is enriched with detection analysis. |
detection_analysis | object | Present when the simulation has detection analysis; lists the integrations involved. |
Simulation status
- WAITING FOR THE FIRST RUN: The simulation has been created but has not run yet.
- RUNNING: The simulation is currently running and is not yet complete.
- COMPLETED: The simulation completed successfully.
- STOPPED: The simulation was stopped by the user.
- FAILED: The simulation did not complete successfully.
- SCHEDULED: The simulation is scheduled to run.
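A client that waits on a simulation needs to know which of these statuses are final. The helper below is an added example, not Picus client code: it treats COMPLETED, STOPPED and FAILED as terminal, raises on FAILED, returns STOPPED so the caller can decide whether partial results are useful, rejects unknown status strings rather than polling forever, and bounds the number of polls. `fetch_status` is assumed to wrap whatever request retrieves the simulation's current `status`; `scripted` is a constructed stand-in for it so the block runs offline.

```python
import time
from typing import Callable, Iterable

# Status strings from the Simulation status list above.
PENDING = {"WAITING FOR THE FIRST RUN", "SCHEDULED", "RUNNING"}
TERMINAL = {"COMPLETED", "STOPPED", "FAILED"}


class SimulationFailed(RuntimeError):
    """Raised when a simulation ends in FAILED."""


def is_terminal(status: str) -> bool:
    """True for statuses that will not change without user action.

    An unknown string is an error, not 'still pending': treating it as pending
    would make the poll loop spin until its limit on a typo or an API change.
    """
    if status in TERMINAL:
        return True
    if status in PENDING:
        return False
    raise ValueError(f"unknown simulation status: {status!r}")


def wait_for_terminal(
    fetch_status: Callable[[], str],
    *,
    interval_s: float = 5.0,
    max_polls: int = 120,
    sleep: Callable[[float], None] = time.sleep,
) -> str:
    """Poll until the simulation is COMPLETED or STOPPED; raise on FAILED or timeout.

    STOPPED is returned rather than raised: it is a user decision, not an error,
    but the caller must not read its results as those of a complete run.
    """
    for _ in range(max_polls):
        status = fetch_status()
        if is_terminal(status):
            if status == "FAILED":
                raise SimulationFailed("simulation ended in FAILED")
            return status
        sleep(interval_s)
    raise TimeoutError(f"simulation not terminal after {max_polls} polls")


def scripted(statuses: Iterable[str]) -> Callable[[], str]:
    """Constructed stand-in for a real status call: replays a fixed sequence,
    repeating the last value once the sequence is exhausted."""
    seq = list(statuses)
    calls = {"n": 0}

    def fetch() -> str:
        i = min(calls["n"], len(seq) - 1)
        calls["n"] += 1
        return seq[i]

    return fetch


if __name__ == "__main__":
    fake = scripted(["WAITING FOR THE FIRST RUN", "SCHEDULED", "RUNNING", "COMPLETED"])
    print(wait_for_terminal(fake, sleep=lambda s: None))
```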
Simulation Run
A simulation can have one or more runs (instances), executed or scheduled at different times.
A Simulation Run carries data similar to a Simulation, described above.
Param | Type | Description |
---|---|---|
simulation_run_id | uint64 | Simulation run identifier (distinguishes runs of a simulation executed more than once). |
simulation_id | uint64 | Simulation identifier. |
started_at | uint64 | Epoch time (see Date Format) at which the run started. |
completed_at | uint64 | Epoch time (see Date Format) at which the run completed. |
Result Details
Security scores, threat and attacker-objective results, and prevention and detection results are given.
Param | Type | Description |
---|---|---|
prevention.security_score | int64 | Prevention security score. |
prevention.blocked_count | int64 | Number of threats that were blocked. |
prevention.not_blocked_count | int64 | Number of threats that were not blocked. |
prevention.not_tested_count | int64 | Number of threats that were not tested. |
prevention.achived_count | int64 | Number of attacker objectives that were achieved. |
prevention.unachived_count | int64 | Number of attacker objectives that were not achieved. |
has_detection_analysis | bool | True if the run includes detection analysis (SIEM/EDR integration). |
detection_analysis.has_log_analysis | bool | SIEM/EDR integration log analysis is enabled. |
detection_analysis.has_alert_analysis | bool | SIEM/EDR integration alert analysis is enabled. |
detection_analysis.logged_threat_count | int64 | Number of threats that were logged. |
detection_analysis.not_logged_threat_count | int64 | Number of threats that were not logged. |
detection_analysis.alerted_threat_count | int64 | Number of threats that raised an alert. |
detection_analysis.not_alerted_threat_count | int64 | Number of threats that did not raise an alert. |
detection_analysis.score | int64 | Detection security score. |
Agent
Different agents can be used to run simulations.
Param | Type | Description |
---|---|---|
id | uint64 | Agent identifier. |
name | string | Agent name. |
type | string | One of: QuickEmail, Browser, Installable Agent, Windows, Linux, MacOS. |
version | string | Agent version. |
platform_name / platform_architecture | string | Example: Windows 10 / 64-bit. |
status | string | One of: alive, dead, expired. |
Detection Analytics
SIEM/EDR Integration log and alert analysis results are provided.
Param | Type | Description |
---|---|---|
has_log_analysis | bool | SIEM/EDR integration log analysis is enabled. |
has_alert_analysis | bool | SIEM/EDR integration alert analysis is enabled. |
log_result | string | Logged or Not logged. |
alert_result | string | Alerted or Not alerted. |
integrations.id | int64 | Integration identifier, assigned when the integration is configured. |
integrations.product_name | string | Name of the integrated product. |
integrations.type | string | Integration type, e.g. SIEM or EDR. |
integrations.health_status | object | Detailed health status of the integration. |
integration_agent_id | int64 | Identifier of the integration agent that performs detection analytics against the SIEM/EDR. |
integration_agent_name | string | Name of the integration agent. |
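The block below is an added example, not Picus code, covering both the Result Details and the Detection Analytics tables. It takes a constructed run result plus constructed per-threat rows, cross-checks the reported counters (`blocked_count`, `logged_threat_count`, and so on) against those rows, and then triages threats into the buckets a defender cares about: not blocked and not detected (a silent gap), not blocked but detected, and blocked but not logged (prevented, yet invisible to the SIEM). Detection fields are only consulted when `has_detection_analysis` is true and the corresponding `has_log_analysis` / `has_alert_analysis` flag is set; otherwise an unblocked threat is reported as "detection unknown" rather than silently treated as undetected. The per-threat rows, the `prevention_result` field, the `threat_id` field and the convention that an untested threat carries no detection verdict (`None`) are assumptions made for this example.

```python
from collections import Counter

# Constructed sample run (not a real Picus response). Counter and flag names
# follow the Result Details / Detection Analytics tables on this page; the
# per-threat rows, "prevention_result", "threat_id" and the None verdict for an
# untested threat are assumptions for this example.
SAMPLE_RUN = {
    "simulation_run_id": 4242,
    "status": "COMPLETED",
    "prevention": {
        "security_score": 40,
        "blocked_count": 2, "not_blocked_count": 2, "not_tested_count": 1,
        "achived_count": 1, "unachived_count": 1,
    },
    "has_detection_analysis": True,
    "detection_analysis": {
        "has_log_analysis": True, "has_alert_analysis": True,
        "logged_threat_count": 2, "not_logged_threat_count": 2,
        "alerted_threat_count": 1, "not_alerted_threat_count": 3,
        "score": 25,
    },
}
SAMPLE_THREATS = [
    {"threat_id": 1, "prevention_result": "Blocked",     "log_result": "Logged",     "alert_result": "Alerted"},
    {"threat_id": 2, "prevention_result": "Blocked",     "log_result": "Not logged", "alert_result": "Not alerted"},
    {"threat_id": 3, "prevention_result": "Not blocked", "log_result": "Logged",     "alert_result": "Not alerted"},
    {"threat_id": 4, "prevention_result": "Not blocked", "log_result": "Not logged", "alert_result": "Not alerted"},
    {"threat_id": 5, "prevention_result": "Not tested",  "log_result": None,         "alert_result": None},
]

PREVENTION_COUNTERS = (
    ("Blocked", "blocked_count"),
    ("Not blocked", "not_blocked_count"),
    ("Not tested", "not_tested_count"),
)
LOG_COUNTERS = (("log_result", "Logged", "logged_threat_count"),
                ("log_result", "Not logged", "not_logged_threat_count"))
ALERT_COUNTERS = (("alert_result", "Alerted", "alerted_threat_count"),
                  ("alert_result", "Not alerted", "not_alerted_threat_count"))


def detection_flags(run: dict):
    """(log_on, alert_on), or None when the run carries no detection analysis.

    When has_detection_analysis is false the detection counters must be ignored,
    not read as zero: a missing SIEM integration is not the same as nothing logged.
    """
    if not run.get("has_detection_analysis"):
        return None
    d = run["detection_analysis"]
    return bool(d["has_log_analysis"]), bool(d["has_alert_analysis"])


def check_counts(run: dict, threats: list) -> list:
    """Cross-check reported counters against per-threat rows; return discrepancies."""
    problems = []
    prevention = run["prevention"]
    seen = Counter(t["prevention_result"] for t in threats)
    for label, key in PREVENTION_COUNTERS:
        if seen[label] != prevention[key]:
            problems.append(f"prevention.{key}: reported {prevention[key]}, observed {seen[label]}")
    flags = detection_flags(run)
    if flags is None:
        return problems
    log_on, alert_on = flags
    detection = run["detection_analysis"]
    checks = (LOG_COUNTERS if log_on else ()) + (ALERT_COUNTERS if alert_on else ())
    for field, value, key in checks:
        observed = sum(1 for t in threats if t[field] == value)
        if observed != detection[key]:
            problems.append(f"detection_analysis.{key}: reported {detection[key]}, observed {observed}")
    return problems


def triage(run: dict, threats: list) -> dict:
    """Bucket threat IDs by what the run proves about prevention and detection."""
    buckets = {k: [] for k in ("not_blocked_undetected", "not_blocked_detected",
                               "blocked_unlogged", "not_blocked_detection_unknown", "not_tested")}
    flags = detection_flags(run)
    for t in threats:
        tid, outcome = t["threat_id"], t["prevention_result"]
        if outcome == "Not tested":
            buckets["not_tested"].append(tid)
            continue
        if flags is None:
            if outcome == "Not blocked":
                buckets["not_blocked_detection_unknown"].append(tid)
            continue
        log_on, alert_on = flags
        detected = (log_on and t["log_result"] == "Logged") or (alert_on and t["alert_result"] == "Alerted")
        if outcome == "Not blocked":
            buckets["not_blocked_detected" if detected else "not_blocked_undetected"].append(tid)
        elif log_on and t["log_result"] != "Logged":
            buckets["blocked_unlogged"].append(tid)
    return buckets


if __name__ == "__main__":
    print("count problems:", check_counts(SAMPLE_RUN, SAMPLE_THREATS))
    print("triage:", triage(SAMPLE_RUN, SAMPLE_THREATS))
```

The `not_blocked_undetected` bucket is the one to act on first: those threats both evaded the prevention controls and left no trace in the SIEM/EDR. `blocked_unlogged` is still worth a look, since a control that prevents without logging gives no signal if it is ever bypassed.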