Symantec Endpoint Protection Cloud

Symantec Endpoint Protection Cloud REST API Reference

1. Overview

1.1. About Symantec Endpoint Protection Cloud REST APIs

Symantec Endpoint Protection Cloud (SEP Cloud) offers a set of REST APIs that are useful for integrating third-party applications that perform SEP Cloud operations. Examples include Incident Response and Security Information and Event Management (SIEM) solutions, Managed Service Provider (MSP) custom consoles, and Remote Monitoring and Management (RMM) tools.

This document is intended as a reference for developers who want to integrate their products with SEP Cloud or write applications that interact with SEP Cloud. It also provides an overview of the different functions that the API supports.

1.1.1. Version information

The Symantec Endpoint Protection Cloud API version is 1.0.

1.2. Required components

To customize a REST API call, you use the following required components with various third-party applications or with a programming language, such as Java.

Component: URI

Schemes: https://

Host: usea1.r3.securitycloud.symantec.com

BasePath: /r3_epmp_i

All APIs exposed by Symantec Endpoint Protection Cloud carry an authorization token and other privileged data. To ensure the confidentiality of the data, the REST APIs are only available over a secure (HTTPS) connection.

Component: Method

The HTTP method that you use to make the call to the service. Which method you use depends on the call and what you want to accomplish with it. Methods include GET and POST.

Component: Headers

Symantec Endpoint Protection Cloud REST API calls require the following HTTP headers:

Authorization: Bearer UserToken

UserToken represents the access token that the authenticate command returns. The authenticate command itself does not require this header.

x-epmp-customer-id: Customer ID for authorization.

x-epmp-domain-id: Domain ID for authorization.

Component: Request parameters

The request parameters that are appropriate for the call that you want to make.

1.3. Token-based authorization

To use the API calls documented here, you need to first register your application in the SEP Cloud portal and generate an access token to get the required privileges. You must add this authorization token in your application to work with the APIs. The token is valid for 60 minutes only.

For more information, refer to the detailed steps in the Generate OAuth 2 Token section below.

Note

This token and the associated account credentials such as Customer Id and Domain Id must never be shared and must always be stored in a secure location with very few users having access to them.

2. Events service

2.1. About events service

The Events service provides REST APIs for managing events that occur in your environment. The events are represented as JSON objects - collections of attributes that are represented as “name”: “value” pairs. An event object can represent a Simple, Aggregate, or Composite event.

2.1.1. Simple event

A simple event represents a single notable occurrence. For example, the following event describes a device scan status event:

{
type_id: 4128, // Scan event
id: 1, // Scan Status
severity_id: 1, // Informational
device_time: "2013-10-18T19:20:31.01-08:00",
device_uid: "7FB619F0-3C07-FFE3-AB6E-0800212C9A66",
scan_guid: "7F0616F0-3C07-11E3-AA6E-9347200C9A56",
status_id: 1, // Complete
scan_type_id: 1, // Scheduled
files: 2341,
risks_detected: 0,
risks_resolved: 0,
risks_attention: 0
}

2.1.2. Aggregate Event

Applications that generate large amounts of data are likely to aggregate a number of events over a predefined time period before reporting them. An aggregate event describes multiple occurrences of the same event and includes event count and duration information. For example, firewall applications or event rules engines send aggregated events when a number of identical events have occurred within a specified time interval.

An aggregate event is defined by the presence of the count attribute. The count attribute specifies the number of events that have been aggregated over the time period defined by device_time and device_end_time.

For example, the following event describes 120 occurrences of a firewall connection dropped event:

{
type_id: 4160, // Firewall
id: 3, // Connection Dropped
severity_id: 2, // Warning
device_time: "2013-10-18T19:20:31.01-08:00",
device_end_time: "2013-10-18T19:20:31.46-08:00",
count: 120,
// other firewall event attributes
}

2.1.3. Composite Event

A composite event combines multiple events into a single event (with optional common attributes) and includes an array of embedded events (perhaps of different types). It is defined by the presence of the composite and the events [] attributes. The composite attribute indicates how the composite events are processed by the event service.

If the composite attribute is 1 (INTACT), the event is simply stored, as-is, in the event store. The event and its composites are available for query. Alert events make use of the INTACT composite events.

If the composite value is 2 (UNPACK), the composite events are unpacked, the attributes in the main event are added to each composite event, and each composite event is stored as an individual event in the event store; the original packaging event is ignored. The UNPACK composite event is used to send a batch of events with a header event that carries all common fields.

Example - Composite INTACT [1] event

The following INTACT composite event reports system performance statistics for the SEP Cloud rules engine:

{
type_id: 4,
uuid : "7F0616F0-3C07-11E3-AA6E-0800200C9A67",
id: 3,
severity_id: 1,
category_id: 1,
composite: 1, // INTACT
message: "Periodic system statistics report",
time: "2013-10-18T19:20:30.45-07:00",
device_time: "2013-10-18T19:20:31.01-00:00",
device_name: "epmp-server-01.symantec.com",
device_ip: "10.0.0.17",
product_name: "EPMP",
product_ver: "0.1.1",
feature_name: "Rule Service",
feature_ver: "0.1.2",
events: [
{
type_id: 101,
id: 1,
severity_id: 3,
message: "User time usage is high",
time: "2013-10-18T19:20:30.45-07:00",
device_time: "2013-10-18T19:20:30.45-07:00",
value: 98.69
},
{
type_id: 101,
id: 2,
severity_id: 1,
message: "System time usage is normal",
time: "2013-10-18T19:20:30.45-07:00",
device_time: "2013-10-18T19:20:30.45-07:00",
value: 0.95
},
{
type_id: 101,
id: 3,
severity_id: 4,
message: "System is overloaded",
time: "2013-10-18T19:20:30.45-07:00",
device_time: "2013-10-18T19:20:30.45-07:00",
value: 0.35
},
{
type_id: 102,
id: 1,
severity_id : 1,
message: "Memory used",
time: "2013-10-18T19:20:30.45-07:00",
device_time: "2013-10-18T19:20:30.45-07:00",
value: 6.77,
units: "GB"
},
{
type_id: 102,
id: 2,
severity_id: 1,
message: "Memory installed",
time: "2013-10-18T19:20:30.45-07:00",
device_time: "2013-10-18T19:20:30.45-07:00",
value: 16,
units: "GB"
}]
}

Example - Composite UNPACK [2]

The following UNPACK composite event reports three events from different features on the same device:

{
device_name: "test device",
device_ip: "1.2.3.4",
device_uid: "1234567890",
severity_id: 4,
composite: 2, // UNPACK
events:
[
{
type_id: 1234,
id: 1,
device_time: "2013-10-18T19:20:31.01-00:00"
},
{
type_id: 4567,
id: 1,
device_time: "2013-10-18T19:20:32.01-00:00"
},
{
type_id: 1234,
id: 2,
device_time: "2013-10-18T19:20:33.01-00:00"
}
]
}

As the composite event is unpacked, each attribute in the main event (with the exception of the composite, device_end_time, and events attributes) is added to each of the embedded events, and each embedded event is stored as an individual event. If an attribute already exists in the embedded event, it is not overwritten. This results in the following three events being stored by the event service:

{
device_name: "test device",
device_ip: "1.2.3.4",
device_uid: "1234567890",
severity_id: 4,
type_id: 1234,
id: 1,
device_time: "2013-10-18T19:20:31.01-00:00"
}
{
device_name: "test device",
device_ip: "1.2.3.4",
device_uid: "1234567890",
severity_id: 4,
type_id: 4567,
id: 1,
device_time: "2013-10-18T19:20:32.01-00:00"
}
{
device_name: "test device",
device_ip: "1.2.3.4",
device_uid: "1234567890",
severity_id: 4,
type_id: 1234,
id: 2,
device_time: "2013-10-18T19:20:33.01-00:00"
}

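The unpack rule above, written out as an added Python example (not code from the Symantec reference): expand() returns exactly the events the event service would store for a simple, aggregate, INTACT or UNPACK event, and classify() decides the kind from the defining attributes (count, composite and events). The function names and the NOT_INHERITED set are this example's own; the sample event is constructed from the UNPACK example above.

```python
# Added example (not part of the Symantec reference): the UNPACK rule from
# section 2.1.3 as a function, plus classification of an event as simple,
# aggregate or composite from the attributes that define each kind
# (sections 2.1.1 to 2.1.3).
import copy
from typing import Any, Dict, List

COMPOSITE_INTACT = 1
COMPOSITE_UNPACK = 2

# Header attributes that are never copied into the embedded events.
NOT_INHERITED = {"composite", "device_end_time", "events"}


def classify(event: Dict[str, Any]) -> str:
    """'composite' if it carries composite + events[], 'aggregate' if it carries count, else 'simple'."""
    if "composite" in event and isinstance(event.get("events"), list):
        return "composite"
    if "count" in event:
        return "aggregate"
    return "simple"


def expand(event: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return the list of events the event service would store for `event`.

    INTACT composites and non-composite events are stored as-is (one event).
    UNPACK composites yield one event per embedded event, each inheriting the
    header's attributes without overwriting attributes it already has; the
    header itself is dropped.
    """
    if classify(event) != "composite":
        return [copy.deepcopy(event)]
    mode = event["composite"]
    if mode == COMPOSITE_INTACT:
        return [copy.deepcopy(event)]
    if mode != COMPOSITE_UNPACK:
        raise ValueError(f"unknown composite mode {mode!r}")
    common = {k: v for k, v in event.items() if k not in NOT_INHERITED}
    stored = []
    for embedded in event["events"]:
        merged = copy.deepcopy(common)
        merged.update(embedded)   # attributes already in the embedded event win
        stored.append(merged)
    return stored


# Constructed sample: the UNPACK example from section 2.1.3.
SAMPLE_UNPACK = {
    "device_name": "test device",
    "device_ip": "1.2.3.4",
    "device_uid": "1234567890",
    "severity_id": 4,
    "composite": COMPOSITE_UNPACK,
    "events": [
        {"type_id": 1234, "id": 1, "device_time": "2013-10-18T19:20:31.01-00:00"},
        {"type_id": 4567, "id": 1, "device_time": "2013-10-18T19:20:32.01-00:00"},
        {"type_id": 1234, "id": 2, "device_time": "2013-10-18T19:20:33.01-00:00"},
    ],
}
```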
2.1.4. Response Codes

The Event service returns standard HTTP status codes. Any additional information is included in the body of the response, which is encoded as a single JSON document.

Code  Description

200   OK: The request was received, understood, accepted, and processed successfully.

204   No Content: The server has fulfilled the request but does not need to return an entity-body. This status code is also used as the end-of-stream (EOS) marker when streaming events.

400   Bad Request: The request cannot be fulfilled due to bad syntax. Note that sending the same request again will not fix the problem.

401   Unauthorized: Bad or expired token. To fix, you should re-authenticate the user.

403   Forbidden: The request was valid, and the provided credentials were successfully authenticated; however, the credentials do not grant the client permission to access the resource. Unlike a 401 Unauthorized response, re-authenticating will make no difference.

404   Not Found: The requested resource could not be found but may be available again in the future. Subsequent requests by the client are permissible.

408   Request Timeout: The client did not produce a request within the time that the server was prepared to wait. The client MAY repeat the request without modifications at any later time.

500   Internal Server Error: A generic server error message. For example, the server was unable to parse a JSON object, or an unhandled Java exception occurred.

2.2. Available event service request methods

You can use the following request methods to work with the event service:

3. Device service

3.1. About device service

The Device service API lets you get a list of all the devices in your environment that are enrolled in SEP Cloud. You can also collect associated device details, such as status, group and users details of a specific device.

In SEP Cloud all users are associated with a group, and all devices are associated either with a user or directly with a group. Shared resources such as servers are added directly to a group.

Benefits of device association to a user or a group:

  • Irrespective of whether the device is directly associated to group or to a user, the device always gets the policy assigned to the group.

  • If a user-specific policy is applied on a device, such as email access policy, then the device must be associated to a user. If the device is directly associated to a group, it will not receive the email access policy settings.

3.2. Available device service request methods

You can use the following request methods to work with the device service:

4. API Listing

4.1. Generate oAuth2 Token

POST /oauth2/tokens

4.1.1. Description

To generate the authorization token required for all calls listed in the SEP Cloud Public API, a Client ID and Client Secret are needed. To create a Client ID and Client Secret, do the following:

  1. Log in as an admin to the SEP Cloud portal.

  2. Go to the Settings > Client Application Management page.

  3. Make a note of the Customer Id and Domain Id that is listed on this page. These Ids are required headers for all the calls documented here.

  4. Click Add Client Application.

  5. Select Others from the drop-down list.

  6. Enter an application name.

  7. Click Add. The requested client application of type Others is created with its Client ID and Client Secret. Make a copy of this Client ID and Client Secret for getting the token.

Note
This token and the associated account credentials such as Customer Id and Domain Id must never be shared and must always be stored in a secure location with very few users having access to them.

4.1.2. Parameters

Type Name Description Schema Default

Header

Accept
required

Use value "application/json".

string

"application/json"

Header

Authorization
required

Value for the header is of the form "Basic «ClientId:ClientSecret»" where "ClientId:ClientSecret" is base64 encoded.

string

Header

Content-Type
required

Use value "application/x-www-form-urlencoded".

string

"application/x-www-form-urlencoded"

FormData

grant_type
optional

Form definition for the call body.

string

"client_credentials"

4.1.3. Responses

HTTP Code Description Schema

200

OAuth2 token generation request successful.

Response 200

Response 200

Name Description Schema

access_token
optional

The token required to access SEP Cloud API.

string

expires_in
optional

Expiry time.

integer

token_type
optional

Token type.

string

4.1.4. Consumes

  • application/x-www-form-urlencoded

4.1.5. Produces

  • application/json

4.1.6. Example HTTP response

Response 200
{
  "access_token" : "eyJraWQiOiJGY2Z1aDhXNFFQT01OLTRFWWtRMlFRIiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJ7XCJkb21haW5faWRcIjpcImVHQ2lnV0NHVERhamo3dVNXNTIyQ2dcIixcIm93bmVyX3VyaVwiOlwiXC92MVwvbWRyXC91c2Vyc1wvOHQxbDNna3FTYXlYckR3WkxvRlJa3BRV1dZdkJxMjBoeERUZ1wiLFwidXJpXCI6XCJcL29hdXRoMlwvY2xpZW50c1wvTzJJRC5ISnRxdXZrcFFXV1l2QnEyMGh4RFRnLmVHQ2lnV0NHVERhamo3dVNXNTIyQ2cuOWZjYTFsbTNkcDNmMHY2MGhyYjVsanB1cuOWZjYTFsbTNkcDNmMHY2MGhyYjVsanB1Mm1cIn0iLCJ2ZXIiOjEsImlzcyI6ImlkX2VwbXBfaV8yLTE5My05MCIsImV4cCI6MTUxMDE3NjA3NywiaWF0IjoxNTEwMTcyNDc3LCJqdGkiOiI0SDIzeVJBRFFNLWV2UWxpQ29uOE5nIn0.FAsDNpzNPQKri_Rs4BksW5GuiHwpg8-KzqIDMaYxn-4d-hNjkCNMiHogKONmjEYLQ411YZFzfUFMDryeAjyfQ6lylhVbxvi07BTSLDy9-gLkqSeJd-LWYFBWf0fr0E9eG9kgaR6enzGcZJLbj72aAWr1CtYnFEwtBsZOFHvXFG5ZQx-8xbrd1Z9yB28M-bhLFnRlwF9PoO8I2bRS0_76N26PE_jLUEWGzk_wk9DnkOZkoFZbPqQ4DVmkuxYxxi44fS555dSMAaBBp3Tj9zWJ5lUgzeT9p_MuDyPEM0-uMcUOsHWbYgCvCIM7K7954CBGWPtLwYIQ1Scq2MkuAwPHBg",
  "token_type" : "Bearer",
  "expires_in" : 3600
}
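The token flow described in sections 1.2, 1.3 and 4.1, as an added Python example (not code from the Symantec reference): it builds the Basic header from ClientId:ClientSecret, posts grant_type=client_credentials, caches the returned token for its expires_in lifetime with a refresh margin, and assembles the Bearer and x-epmp headers that every other call needs. The post callable, the TokenCache class, REFRESH_MARGIN_SECONDS and all credential values are assumptions of this example.

```python
# Added example (not part of the Symantec reference): a minimal token helper
# for POST /oauth2/tokens. Network I/O is delegated to a caller-supplied
# `post` function so the logic can be exercised offline; client, customer and
# domain values are placeholders.
import base64
import json
import time
from typing import Callable, Dict, Optional, Tuple

HOST = "usea1.r3.securitycloud.symantec.com"   # from section 1.2
BASE_PATH = "/r3_epmp_i"                        # from section 1.2
TOKEN_URL = f"https://{HOST}{BASE_PATH}/oauth2/tokens"

# Renew this many seconds before the server-side expiry (assumed margin) so a
# request that is in flight when the 60-minute token lapses does not get a 401.
REFRESH_MARGIN_SECONDS = 60

# Transport supplied by the caller (assumption): (url, headers, body) -> (status, text).
Post = Callable[[str, Dict[str, str], str], Tuple[int, str]]


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """'Basic <base64(ClientId:ClientSecret)>' as required by section 4.1.2."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def token_request(client_id: str, client_secret: str) -> Tuple[str, Dict[str, str], str]:
    """URL, headers and form body for POST /oauth2/tokens (section 4.1.2)."""
    headers = {
        "Accept": "application/json",
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return TOKEN_URL, headers, "grant_type=client_credentials"


class TokenCache:
    """Holds one access token and knows when it must be renewed."""

    def __init__(self) -> None:
        self.access_token: Optional[str] = None
        self.expires_at: float = 0.0

    def store(self, response_json: str, now: float) -> str:
        """Parse the 200 response of section 4.1.6 and record its expiry."""
        body = json.loads(response_json)
        if body.get("token_type", "").lower() != "bearer":
            raise ValueError("unexpected token_type in token response")
        self.access_token = body["access_token"]
        self.expires_at = now + int(body["expires_in"])   # 3600 in the example
        return self.access_token

    def needs_refresh(self, now: float) -> bool:
        return (self.access_token is None
                or now >= self.expires_at - REFRESH_MARGIN_SECONDS)


def api_headers(access_token: str, customer_id: str, domain_id: str) -> Dict[str, str]:
    """Headers every non-token SEP Cloud call requires (section 1.2)."""
    return {
        "Authorization": f"Bearer {access_token}",
        "x-epmp-customer-id": customer_id,
        "x-epmp-domain-id": domain_id,
        "Content-Type": "application/json",
    }


def get_token(cache: TokenCache, post: Post, client_id: str, client_secret: str,
              now: Optional[float] = None) -> str:
    """Return a valid token, calling `post` only when the cached one is stale."""
    now = time.time() if now is None else now
    if not cache.needs_refresh(now):
        return cache.access_token
    url, headers, body = token_request(client_id, client_secret)
    status, text = post(url, headers, body)
    if status == 401:
        raise PermissionError("client id/secret rejected by /oauth2/tokens")
    if status != 200:
        raise RuntimeError(f"token request failed with HTTP {status}")
    return cache.store(text, now)
```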

4.2. Get Devices

GET /sepcloud/v1/devices

4.2.1. Description

Get a list of devices with optional search criteria.

4.2.2. Parameters

Type Name Description Schema Default

Header

Authorization
required

OAuth2 Authorization Token obtained using the client id and client secret that has the required privileges to access this API.

string

Header

Content-Type
optional

Used to describe the mime-type of the data encoding. 

All requests use JSON encoding, so it is a good practice to set this property to: application/json.

string

"application/json"

Header

x-epmp-customer-id
required

Customer Id

string

Header

x-epmp-domain-id
required

Domain Id

string

Query

include
optional

Additional documents to be returned.

string

Query

inventory
optional

If true, results will also return device inventory.

boolean

Query

limit
optional

Maximum number of records to be returned, e.g. 25.

integer

Query

offset
optional

Index of first record to be returned, e.g. 50

integer

Query

sort
optional

Column on which to sort, e.g. name.

string

Query

where
optional

Conditions for query, e.g. name="gumby".

string

4.2.3. Responses

HTTP Code Description Schema

200

A list of information for multiple devices based on search criteria.

Response 200

Response 200

Name Description Schema

count
optional

integer

results
optional

A list of Symantec managed devices.

< device > array

4.2.4. Produces

  • application/json

4.2.5. Security

Type Name

apiKey

Authorization

4.2.6. Example HTTP response

Response 200
{
  "count" : 2,
  "results" : [ {
    "id" : "OP3r3CbPSUK4IMv3wtnoBQ",
    "name" : "Galaxy S6",
    "olp-endpoint-id" : "0A3C36B30A4046410BA335870FCA7D22",
    "created" : "2017-10-04T08:29:39.944Z",
    "modified" : "2017-10-05T09:11:34.358Z",
    "hardware" : {
      "serial-number" : "R58G41N6TCV",
      "uuid" : "0501000086722D015D5B0FACAABAA83C575A66E3",
      "model-name" : "SM-G920F",
      "model-vendor" : "samsung",
      "cpu-type" : "arm64-v8a"
    },
    "operating-system" : {
      "name" : "Android",
      "type" : "Android",
      "friendlyname" : "Android 7.0",
      "version" : "7.0",
      "technical-version" : "7.0",
      "edition" : ""
    },
    "network-adapters" : [ {
      "name" : "WiFi",
      "addr" : "E8:50:AD:65:D9:C8"
    } ],
    "dedicated" : [ "Mobile User Device" ],
    "ownership-type" : "CYOD",
    "device-status" : "UNENROLLED",
    "device-status-reason" : [ "NONE" ],
    "mdm-installed" : false,
    "security-client-install-date" : "2017-10-04T08:30:31.125Z",
    "last-enrollment-date" : "2017-10-04T08:30:31.125Z",
    "mdm-provider" : "SYMANTEC",
    "health-attestation-status" : "SECURE",
    "enrollment-data" : {
      "is-self-enrollment" : true,
      "transaction-id" : "",
      "mdm-installed" : false,
      "security-client-install-date" : "2017-10-04T08:30:31.125Z"
    }
  }, {
    "id" : "begOSXwQQeC1XxfUo99vug",
    "name" : "Symc Apps (Galaxy Note4)",
    "olp-endpoint-id" : "06A5BC66017DBF5406CB3E750551229A",
    "created" : "2017-10-04T21:22:09.100Z",
    "modified" : "2017-10-09T19:44:58.677Z",
    "hardware" : {
      "serial-number" : "R21FC2M8FKA",
      "uuid" : "05010000230C3159334052E086BA1C6718AB03D4",
      "model-name" : "SM-N910H",
      "model-vendor" : "samsung",
      "cpu-type" : "armeabi-v7a"
    },
    "operating-system" : {
      "name" : "Android",
      "type" : "Android",
      "friendlyname" : "Android 6.0",
      "version" : "6.0.1",
      "technical-version" : "6.0.1",
      "edition" : ""
    },
    "network-adapters" : [ {
      "name" : "WiFi",
      "addr" : "C0:BD:D7:30:44:A0"
    } ],
    "dedicated" : [ "Mobile User Device" ],
    "ownership-type" : "CYOD",
    "device-status" : "UNENROLLED",
    "device-status-reason" : [ "NONE" ],
    "mdm-installed" : false,
    "security-client-install-date" : "2017-10-09T19:26:45.430Z",
    "last-enrollment-date" : "2017-10-09T19:26:45.430Z",
    "mdm-provider" : "SYMANTEC",
    "health-attestation-status" : "SECURE",
    "enrollment-data" : {
      "is-self-enrollment" : true,
      "transaction-id" : "",
      "mdm-installed" : false,
      "security-client-install-date" : "2017-10-09T19:26:45.430Z"
    }
  } ]
}

4.3. Get Single Device

GET /sepcloud/v1/devices/{deviceId}

4.3.1. Description

Get details for a device by specifying the device’s ID.

4.3.2. Parameters

Type Name Description Schema Default

Header

Authorization
required

OAuth2 Authorization Token obtained using the client id and client secret that has the required privileges to access this API.

string

Header

Content-Type
optional

Used to describe the mime-type of the data encoding. 

All requests use JSON encoding, so it is a good practice to set this property to: application/json.

string

"application/json"

Header

x-epmp-customer-id
required

Customer Id

string

Header

x-epmp-domain-id
required

Domain Id

string

Path

deviceId
required

The deviceId of the device to be retrieved.

string

Query

additionalFields
optional

Additional fields to search for.

string

Query

inventory
optional

If true, results will also return device inventory.

boolean

4.3.3. Responses

HTTP Code Description Schema

200

Information for a single device based on the ID.

device

4.3.4. Produces

  • application/json

4.3.5. Security

Type Name

apiKey

Authorization

4.3.6. Example HTTP response

Response 200
{
  "id" : "OP3r3CbPSUK4IMv3wtnoBQ",
  "name" : "Galaxy S6",
  "olp-endpoint-id" : "0A3C36B30A4046410BA335870FCA7D22",
  "created" : "2017-10-04T08:29:39.944Z",
  "modified" : "2017-10-05T09:11:34.358Z",
  "hardware" : {
    "serial-number" : "R58G41N6TCV",
    "uuid" : "0501000086722D015D5B0FACAABAA83C575A66E3",
    "model-name" : "SM-G920F",
    "model-vendor" : "samsung",
    "cpu-type" : "arm64-v8a"
  },
  "operating-system" : {
    "name" : "Android",
    "type" : "Android",
    "friendlyname" : "Android 7.0",
    "version" : "7.0",
    "technical-version" : "7.0",
    "edition" : ""
  },
  "network-adapters" : [ {
    "name" : "WiFi",
    "addr" : "E8:50:8C:71:D3:C2"
  } ],
  "dedicated" : [ "Mobile User Device" ],
  "ownership-type" : "CYOD",
  "device-status" : "UNENROLLED",
  "device-status-reason" : [ "NONE" ],
  "mdm-installed" : false,
  "security-client-install-date" : "2017-10-04T08:30:31.125Z",
  "last-enrollment-date" : "2017-10-04T08:30:31.125Z",
  "mdm-provider" : "SYMANTEC",
  "health-attestation-status" : "SECURE",
  "enrollment-data" : {
    "is-self-enrollment" : true,
    "transaction-id" : "",
    "mdm-installed" : false,
    "security-client-install-date" : "2017-10-04T08:30:31.125Z"
  }
}

4.4. Get Static Group

GET /sepcloud/v1/devices/{deviceId}/staticgroup

4.4.1. Description

Get information about the static group to which the device belongs.

4.4.2. Parameters

Type Name Description Schema

Path

deviceId
required

The device ID

string

4.4.3. Responses

HTTP Code Description Schema

200

Information describing the static group to which the device belongs.

staticGroup

4.4.4. Produces

  • application/json

4.4.5. Security

Type Name

apiKey

Authorization

4.4.6. Example HTTP response

Response 200
{
  "id" : "8jnnxcYIRUuRFAi5KTzKSg",
  "name" : "Test Group",
  "caption" : "Static group",
  "description" : "A group to test with",
  "priority" : 1,
  "created" : "2017-11-06T13:42:31.779Z",
  "modified" : "2017-11-06T13:42:31.779Z",
  "policies" : [ ],
  "user-ids" : [ ],
  "device-ids" : [ ],
  "devices" : [ ],
  "products" : [ ]
}

4.5. Get Device User

GET /sepcloud/v1/devices/{deviceId}/user

4.5.1. Description

Get the user of a specific device.

4.5.2. Parameters

Type Name Description Schema Default

Header

Authorization
required

OAuth2 Authorization Token obtained using the client id and client secret that has the required privileges to access this API.

string

Header

Content-Type
optional

Used to describe the mime-type of the data encoding. 

All requests use JSON encoding, so it is a good practice to set this property to: application/json.

string

"application/json"

Header

x-epmp-customer-id
required

Customer Id

string

Header

x-epmp-domain-id
required

Domain Id

string

Path

deviceId
required

The device ID

string

4.5.3. Responses

HTTP Code Description Schema

200

Device user request successful.

user

4.5.4. Produces

  • application/json

4.5.5. Security

Type Name

apiKey

Authorization

4.5.6. Example HTTP response

Response 200
{
  "props" : { },
  "id" : "8t1l3gkqSayXrDwZLoFRZw",
  "given_name" : "Egoc",
  "surname" : "Lohokih",
  "email" : "Egoc.Lohokih@scsemtest.com",
  "olp_account_id" : "-42876642595684586830769253762839365",
  "olp_user_allocation_id" : "140621142599584754250559508646481982",
  "email_verified" : "2017-10-04T08:25:17.696Z",
  "scsem_status" : "COMPLETE",
  "enrollment_status" : "COMPLETE"
}

4.6. Get Event Details

GET /sepcloud/v1/events

4.6.1. Description

The Get event request retrieves a single event using an event UUID. Use the uuid attribute found in the event data returned by a search result that contains events, for example the Events Search request. The uuid attribute is always present in the event data and cannot be excluded even if it is not listed in the fields parameter.

Note
If no event matching the UUID is found, then the search result is an empty message (no data) with a status code of 204 No Content.

4.6.2. Parameters

Type Name Description Schema

Header

Authorization
required

OAuth2 Authorization Token obtained using the client id and client secret that has the required privileges to access this API.

string

Header

x-epmp-customer-id
required

Customer Id

string

Header

x-epmp-domain-id
required

Domain Id

string

Query

uuid
required

Identifier of the event to be searched.

string

4.6.3. Responses

HTTP Code Description Schema

200

Event request successful.

Response 200

Response 200

Name Description Schema

category_id
optional

The event category id: Unknown (0), Security (1), Licensing (2), System (3), Audit (4), Policy (5)

Events can be tagged with a category at event log time, and then a category or list of categories can be used to query events at event search time.

integer

customer_uid
optional

customer_uid

device_name
optional

Required, if available. The device_name is the name of the device that originated the event. The device_name is ordinarily the host name, but could be any other name that helps to identify the device such as phone number. For example, computer.domain. The recommended maximum string length is 256.

string

device_time
required

time

direction_id
optional

Required if available. The direction of the email relative to the scanning host or to the organization. If present, one of: [1] INBOUND [2] OUTBOUND Email scanned at an internet gateway might be characterized as inbound to the organization (from the internet) or outbound from the organization (to the internet). Email scanned at a workstation might be characterized as inbound to or outbound from the workstation.

integer

domain_uid
optional

domain_uid

epmp_session_id
optional

Session Id which can be used for identifying an event trail in the logs.

string

id
optional

The event id uniquely identifies the event within the type classification.

integer

log_name
optional

log_name

log_time
optional

time

message
optional

Optional, but highly recommended for all events. The message provides a detailed description of the event. The recommended maximum string length is 2K.

string

outcome_id
optional

outcome_id

seq_num
required

seq_num

severity_id
optional

The severity indicates the importance of the event, one of: [0] UNKNOWN [1] INFORMATIONAL - Purely informational, no action needed [2] WARNING - User decides if action is needed [3] MINOR - Action is required but the situation is not serious at this time [4] MAJOR - Action is required immediately [5] CRITICAL - Action is required immediately and the scope is broad [6] FATAL - An error occurred but it is too late to take remedial action.

integer

time
optional

time

timezone
optional

timezone

type_id
required

type_id

uuid
required

uuid

4.6.4. Produces

  • application/json

4.6.5. Security

Type Name

apiKey

Authorization

4.6.6. Example HTTP response

Response 200
{
  "customer_uid" : "HJtquvkpQWWYvBq20hxDTg",
  "outcome_id" : "3",
  "log_name" : "epmp_events-2017-10-16/4192",
  "type_id" : "4192",
  "timezone" : 0,
  "message" : "Not Prevented: high-risk intrusion attempt",
  "seq_num" : 1,
  "uuid" : "4192:6bfe4ad0-b298-11e7-da07-0000000051cf",
  "log_time" : "2017-10-16T17:35:37.474Z",
  "epmp_session_id" : "WkhIc1w6RY-zkU0LP18jeg",
  "device_name" : "ENUMAC108X64.local",
  "direction_id" : "1",
  "category_id" : 1,
  "domain_uid" : "eGCigWCGTDajj7uSW522Cg",
  "id" : "1",
  "severity_id" : "4",
  "time" : "2017-10-16T17:35:37.469Z",
  "device_time" : "2017-10-16T17:35:37.469Z"
}

4.7. Get Event Count

POST /sepcloud/v1/events/count

4.7.1. Description

Get a count of events using search criteria.

4.7.2. Parameters

Type Name Description Schema Default

Header

Authorization
required

OAuth2 Authorization Token obtained using the client id and client secret that has the required privileges to access this API.

string

Header

Content-Type
optional

Used to describe the mime-type of the data encoding. 

All requests use JSON encoding, so it is a good practice to set this property to: application/json.

string

"application/json"

Header

x-epmp-customer-id
required

Customer Id

string

Header

x-epmp-domain-id
required

Domain Id

string

Body

body
optional

Example:

{
  "startDate": null,
  "endDate": null,
  "additionalFilters": "",
  "searchWindowInDays": 10,
  "pageSize": 10,
  "pageNumber": 10,
  "objectType": "None",
  "eventTypeToQuery": 0,
  "eventCategory": null,
  "eventSeverity": null,
  "searchFilter": null,
  "eventCategories": null,
  "eventSeverities": null,
  "objectId": null
}

body

body

Name Description Schema

additionalFilters
optional

Parameter to set any additional filters that are not supported directly in the query object.

string

eventTypeToQuery
optional

Type of the events to be queried. Supported values are All(0), Audit(4), Alert(16), ApplicationNetworkAccess(4161), THREAT_DETECTED(4353), IPS(4192), PHISHING(4320), THREAT_RESPONSE(4354).

integer

objectType
optional

This parameter needs to be set when events have to be fetched in the context of an object. Supported values are None, Device, and Policy.

string

pageNumber
optional

Page index from which events are searched (the first page is 0).

integer

pageSize
optional

Number of events to be returned

integer

searchWindowInDays
optional

Determines the window, relative to the current date and time, within which events are searched in the event store. When the value of this attribute is greater than 0, the startDate and endDate parameters are ignored.

integer

4.7.3. Responses

HTTP Code Description Schema

200

Count request successful.

integer

4.7.4. Consumes

  • application/json

4.7.5. Produces

  • application/json

4.7.6. Security

Type Name

apiKey

Authorization

4.7.7. Example HTTP response

Response 200
45

4.8. Get List of Events Based On a Search

POST /sepcloud/v1/events/search

4.8.1. Description

Get a list of events given a search request.

NOTES: 

  • If no event matching the UUID is found, then the search result is an empty message (no data) with a status code of 204 No Content.

  • The fields parameter is used to specify a subset of event fields to be returned.

4.8.2. Parameters

Type Name Description Schema Default

Header

Authorization
required

OAuth2 Authorization Token obtained using the client id and client secret that has the required privileges to access this API.

string

Header

Content-Type
optional

Used to describe the mime-type of the data encoding. 

All requests use JSON encoding, so it is a good practice to set this property to: application/json.

string

"application/json"

Header

x-epmp-customer-id
required

Customer Id

string

Header

x-epmp-domain-id
required

Domain Id

string

Body

body
optional

Example:

{
  "searchWindowInDays": 2,
  "pageSize": "10",
  "pageNumber": 0,
  "eventTypeToQuery": 16,
  "eventCategory": 1,
  "additionalFilters": "events.uuid like '8031'"
}

body

body

Name Description Schema

additionalFilters
optional

Parameter to set any additional filters that are not supported directly in the query object.

string

eventTypeToQuery
optional

Type of the events to be queried. Supported values are All(0), Audit(4), Alert(16), ApplicationNetworkAccess(4161), THREAT_DETECTED(4353), IPS(4192), PHISHING(4320), THREAT_RESPONSE(4354).

integer

pageNumber
optional

Page index from which events are searched (the first page is 0).

integer

pageSize
required

Number of events to be returned

integer

searchWindowInDays
optional

Determines the window, relative to the current date and time, within which events are searched in the event store.

integer

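A paging loop for this search call, as an added Python example (not code from the Symantec reference): it advances pageNumber until the service returns 204 No Content or a short page, re-authenticates once on 401 (section 2.1.4), and de-duplicates on the uuid attribute, which section 4.6.1 says is always present. The post, headers_for and refresh_token callables are assumptions supplied by the caller; the body fields mirror the example in 4.8.2.

```python
# Added example (not part of the Symantec reference): paging through
# POST /sepcloud/v1/events/search. The transport is a caller-supplied
# function so the loop runs offline.
import json
from typing import Callable, Dict, Iterator, List, Tuple

SEARCH_PATH = "/sepcloud/v1/events/search"   # from section 4.8
EVENT_TYPE_ALERT = 16                         # eventTypeToQuery value, section 4.8.2
CATEGORY_SECURITY = 1                         # category_id value, section 4.6.3

# Transport supplied by the caller (assumption): takes the path, headers and
# the request body as a dict it JSON-encodes; returns (HTTP status, response text).
Post = Callable[[str, Dict[str, str], Dict[str, object]], Tuple[int, str]]


def search_body(page_number: int, page_size: int = 10, window_days: int = 2,
                event_type: int = EVENT_TYPE_ALERT,
                category: int = CATEGORY_SECURITY,
                additional_filters: str = "") -> Dict[str, object]:
    """Request body for the search call (fields from section 4.8.2)."""
    return {
        "searchWindowInDays": window_days,
        "pageSize": page_size,
        "pageNumber": page_number,
        "eventTypeToQuery": event_type,
        "eventCategory": category,
        "additionalFilters": additional_filters,
    }


def iter_events(post: Post, headers_for: Callable[[], Dict[str, str]],
                refresh_token: Callable[[], None], page_size: int = 10,
                **query) -> Iterator[Dict[str, object]]:
    """Yield every event matching the query, fetching one page at a time.

    Stops on 204 No Content (the documented empty-result marker) or when a
    page comes back shorter than page_size. A 401 triggers a single token
    refresh and a retry of the same page; any other non-200 status is an error.
    """
    page = 0
    retried = False
    while True:
        status, text = post(SEARCH_PATH, headers_for(), search_body(page, page_size, **query))
        if status == 401 and not retried:
            refresh_token()        # bad or expired token: re-authenticate once
            retried = True
            continue
        if status == 204:
            return                 # no (more) matching events
        if status != 200:
            raise RuntimeError(f"event search failed with HTTP {status}")
        retried = False
        events = json.loads(text)
        for event in events:
            yield event
        if len(events) < page_size:
            return                 # short page: nothing further to fetch
        page += 1


def collect_uuids(post: Post, headers_for: Callable[[], Dict[str, str]],
                  refresh_token: Callable[[], None], page_size: int = 10,
                  **query) -> List[str]:
    """Distinct uuids in page order; uuid is always present in event data (section 4.6.1)."""
    seen: List[str] = []
    for event in iter_events(post, headers_for, refresh_token, page_size, **query):
        uid = str(event["uuid"])
        if uid not in seen:
            seen.append(uid)
    return seen
```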
4.8.3. Responses

HTTP Code Description Schema

200

Search request successful.

< Response 200 > array

Response 200

Name Description Schema

category_id
optional

category_id

customer_uid
optional

customer_uid

days_remaining
optional

Days remaining in license after which the license will expire.

integer

device_name
optional

Required if available. The device_name is the name of the device that originated the event. The device_name is ordinarily the host name, but could be any other name that helps to identify the device such as phone number. For example, computer.domain. The recommended maximum string length is 256.

string

device_os_name
required

Required. The name of the OS running on the device that originated the event. For example Windows 7 Home Basic, Mac OS X, iOS, Android. The recommended maximum string length is 64.

string

device_time
required

time

device_type
required

Required. The type of the device that originated the event. For example unknown, server, desktop, laptop, tablet, mobile, virtual, browser, other. The recommended maximum string length is 32. Recommended to use the values as defined by EPMP MDR model in object_class_device.json.

string

direction_id
optional

Required if available. The direction of the email relative to the scanning host or to the organization. If present, one of:

  • [1] INBOUND

  • [2] OUTBOUND

Email scanned at an internet gateway might be characterized as inbound to the organization (from the internet) or outbound from the organization (to the internet). Email scanned at a workstation might be characterized as inbound to or outbound from the workstation.

integer

domain_uid
optional

domain_uid

epmp_session_id
optional

Session ID that can be used to follow an event's trail in the logs.

string

feature_name
optional

Required if Available. The feature_name is the name of the feature that originated the event. The feature_name is ordinarily as defined by the product SKU, but it could be any other name that identifies the software component that originated the event. For example,"Live Update". The recommended maximum string length is 64.

string

feature_ver
optional

Required if Available. The feature_ver is the version of the feature, as defined by the product SKU that originated the event. For example, "2014.1.3.64". The recommended maximum string length is 32.

string

group_name
optional

Group name

string

id
optional

The event id uniquely identifies the event within the type classification.

integer

license_type
optional

Type of the license that user has bought. Trial, Paid or Beta.

string

license_type_id
optional

License event identifier for events with type_id [8] LICENSE. The following event IDs are associated with it:

  • [1] INSTALL: Subscription added by external request. Logged on successful product addition.

  • [2] REMOVE: Subscription removed by external request. Product is disabled.

  • [3] UPDATE

  • [4] EXPIRE: Subscription expired.

  • [5] EXCEED: More users added than the subscription supports.

  • [6] REPORT

  • [7] LOW_COUNT: Subscription running low on licenses.

  • [8] EXPIRING: Subscription expires soon.

Logging frequency: EXPIRING is logged every day until the subscription has expired; EXPIRED is logged only once; LOW_COUNT is logged once, and again if the condition clears and recurs; OVERAGE is logged every day while the overage condition exists.

In the example response in 4.8.6 the licensing events carry this event ID in the id field (id 8, "Subscription expires soon."), while license_type_id is 2 alongside license_type "TRIAL"; read the event ID from id and the license type from license_type or license_type_id rather than assuming they are the same value.

integer

log_name
optional

log_name

log_time
optional

time

message
optional

Optional, but highly recommended to be added to all events. The message provides a detailed description of the event. The recommended maximum string length is 2K.

string

message_id
optional

Used internally for message localization on the UI.

integer

outcome_id
optional

outcome_id

product_name
optional

Required if Available. The product_name is the name of the product that originated the event. The product_name is ordinarily as defined by the product SKU, but it could be any other name that identifies the product. For example, "Norton Internet Security" or "Norton Mobile Security" The recommended maximum string length is 64.

string

product_uid
optional

Required if available. The product is the unique identifier of the product that originated the event. If the product is known to the EPMP-I Asset service, the product_uid is the Asset service assigned identifier and correlates events with InstalledProduct objects in the EPMP MDR. Otherwise, the product_uid is simply a unique identifier.

string

product_ver
optional

Required if Available. The product_ver is the version of the product, as defined by the product SKU that originated the event. For example, "2013.1.3-beta". The recommended maximum string length is 32.

string

seq_num
required

seq_num

serial_number
optional

Serial number of the subscription.

string

severity_id
optional

The severity indicates the importance of the event, one of:

  • [0] UNKNOWN

  • [1] INFORMATIONAL: purely informational, no action needed

  • [2] WARNING: the user decides whether action is needed

  • [3] MINOR: action is required but the situation is not serious at this time

  • [4] MAJOR: action is required immediately

  • [5] CRITICAL: action is required immediately and the scope is broad

  • [6] FATAL: an error occurred but it is too late to take remedial action

integer

subscription_end_date
optional

Date when subscription expires.

string

time
optional

time

timezone
optional

timezone

type_id
required

type_id

user_name
optional

Required if available. The user_name is the name of the user that originated or caused the event (if the event involves a user) or the user on whose behalf the event occurred. Usually this is the user name in the EPMP Asset service and it is closely related to the user_uid field. The recommended maximum string length is 64.

string

user_uid
optional

Required if available. The user is the unique identifier of the user that originated the event. If the user is known to the EPMP Asset service, the user_uid identifier is the Asset service assigned identifier and used to correlate events with User objects in the EPMP MDR. These users are ordinarily EPMP console or Norton Zone users (not users at a managed endpoint). Otherwise, the user_uid is simply a unique identifier.

string

uuid
required

uuid

4.8.4. Consumes

  • application/json

4.8.5. Produces

  • application/json

4.8.6. Example HTTP response

Response 200
[ {
  "customer_uid" : "HJtquvkpQWWYvBq20hxDTg",
  "outcome_id" : "3",
  "log_name" : "epmp_events-2017-10-16/4192",
  "type_id" : "4192",
  "timezone" : 0,
  "message" : "Not Prevented: high-risk intrusion attempt",
  "seq_num" : 1,
  "uuid" : "4192:4661b0f0-b298-11e7-c484-00000000538f",
  "log_time" : "2017-10-16T17:34:34.369Z",
  "epmp_session_id" : "TWHi0GnvQu6eW5tpfdt5JQ",
  "device_name" : "ENUMAC108X64.local",
  "direction_id" : "1",
  "category_id" : 1,
  "domain_uid" : "eGCigWCGTDajj7uSW522Cg",
  "id" : "1",
  "severity_id" : "4",
  "time" : "2017-10-16T17:34:34.367Z",
  "device_time" : "2017-10-16T17:34:34.367Z"
}, {
  "customer_uid" : "HJtquvkpQWWYvBq20hxDTg",
  "license_type_id" : 2,
  "user_name" : "System",
  "timezone" : 0,
  "device_type" : "Not applicable",
  "seq_num" : 1,
  "uuid" : "8:656d1630-b282-11e7-dbe6-0000000045a8",
  "product_ver" : "Not applicable",
  "device_name" : "System",
  "category_id" : 2,
  "feature_ver" : "v1.0",
  "id" : 8,
  "days_remaining" : 18,
  "product_uid" : "E0CD35AC-7326-4139-98F4-98CC77B9D442",
  "device_time" : "2017-10-16T14:57:57.523Z",
  "feature_name" : "Licensing",
  "device_os_name" : "Not applicable",
  "group_name" : "Not applicable",
  "log_name" : "epmp_events-2017-10-16/8",
  "type_id" : 8,
  "license_type" : "TRIAL",
  "message_id" : 20003,
  "serial_number" : "JV2WBRHWJ37P",
  "message" : "Subscription expires soon.",
  "product_name" : "Not applicable",
  "log_time" : "2017-10-16T14:57:57.526Z",
  "epmp_session_id" : "91764e30-0100-4707-92c3-1fe40c3a1181",
  "subscription_end_date" : "2017-11-03T00:00:00Z",
  "domain_uid" : "eGCigWCGTDajj7uSW522Cg",
  "severity_id" : 1,
  "time" : "2017-10-16T14:57:57.523Z",
  "user_uid" : "Not applicable"
}, {
  "customer_uid" : "HJtquvkpQWWYvBq20hxDTg",
  "license_type_id" : 2,
  "user_name" : "System",
  "timezone" : 0,
  "device_type" : "Not applicable",
  "seq_num" : 1,
  "uuid" : "8:656cef20-b282-11e7-fbc1-000000004584",
  "product_ver" : "Not applicable",
  "device_name" : "System",
  "category_id" : 2,
  "feature_ver" : "v1.0",
  "id" : 8,
  "days_remaining" : 18,
  "product_uid" : "E0CD35AC-7326-4139-98F4-98CC77B9D442",
  "device_time" : "2017-10-16T14:57:57.522Z",
  "feature_name" : "Licensing",
  "device_os_name" : "Not applicable",
  "group_name" : "Not applicable",
  "log_name" : "epmp_events-2017-10-16/8",
  "type_id" : 8,
  "license_type" : "TRIAL",
  "message_id" : 20003,
  "serial_number" : "8P7RD223GHVP",
  "message" : "Subscription expires soon.",
  "product_name" : "Not applicable",
  "log_time" : "2017-10-16T14:57:57.530Z",
  "epmp_session_id" : "91764e30-0100-4707-92c3-1fe40c3a1181",
  "subscription_end_date" : "2017-11-03T00:00:00Z",
  "domain_uid" : "eGCigWCGTDajj7uSW522Cg",
  "severity_id" : 1,
  "time" : "2017-10-16T14:57:57.522Z",
  "user_uid" : "Not applicable"
} ]
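The following Python client is added here as an example; it is not part of the Symantec reference. It builds the headers from section 1.2 and the request body documented above, sends the request, and normalises the response. The search path /sepcloud/v1/events/search is an assumption derived from the histogram path in 4.9 (this section does not show it); the function names and the sample events are this example's own, modelled on the example response above. The example response is worth a caveat: the IPS event returns numeric fields as JSON strings ("type_id" : "4192", "severity_id" : "4") while the licensing events return numbers ("type_id" : 8), so a client has to coerce both forms before comparing or filtering on them.

```python
import json
import urllib.request

# Scheme, host and basePath from section 1.2 of the reference.
BASE_URL = "https://usea1.r3.securitycloud.symantec.com/r3_epmp_i"
# Assumed: this section does not show the search path; it mirrors the
# histogram endpoint's path without the /histogram suffix.
SEARCH_PATH = "/sepcloud/v1/events/search"

# eventTypeToQuery values and severity_id values as listed in the reference.
EVENT_TYPES = {"All": 0, "Audit": 4, "Alert": 16, "ApplicationNetworkAccess": 4161,
               "IPS": 4192, "PHISHING": 4320, "THREAT_DETECTED": 4353,
               "THREAT_RESPONSE": 4354}
SEVERITY = {0: "UNKNOWN", 1: "INFORMATIONAL", 2: "WARNING", 3: "MINOR",
            4: "MAJOR", 5: "CRITICAL", 6: "FATAL"}
# Fields the example response encodes as strings for some events and as
# numbers for others.
INT_FIELDS = ("type_id", "id", "severity_id", "outcome_id", "direction_id",
              "category_id", "message_id", "license_type_id", "days_remaining",
              "seq_num")


def build_headers(token, customer_id, domain_id):
    """The headers every SEP Cloud call needs (section 1.2)."""
    return {"Authorization": "Bearer " + token,
            "x-epmp-customer-id": customer_id,
            "x-epmp-domain-id": domain_id,
            "Content-Type": "application/json"}


def build_search_body(event_type="IPS", days=2, page_size=10, page_number=0,
                      category=1, additional_filters=None):
    """Body for POST .../events/search; pageSize is sent as the integer the
    schema declares, not as a string."""
    body = {"searchWindowInDays": days, "pageSize": page_size,
            "pageNumber": page_number, "eventTypeToQuery": EVENT_TYPES[event_type],
            "eventCategory": category}
    if additional_filters:
        body["additionalFilters"] = additional_filters
    return body


def post_json(path, headers, body, timeout=30):
    """POST a JSON body over HTTPS and decode the JSON reply. urllib verifies
    the server certificate by default; do not turn that off."""
    req = urllib.request.Request(BASE_URL + path, data=json.dumps(body).encode("utf-8"),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def normalise_event(event):
    """Return a copy of the event with the numeric fields coerced to int and a
    readable severity label added."""
    out = dict(event)
    for name in INT_FIELDS:
        if out.get(name) is not None:
            out[name] = int(out[name])
    out["severity"] = SEVERITY.get(out.get("severity_id"), "UNKNOWN")
    return out


def events_at_or_above(events, min_severity_id):
    """Triage filter: normalised events whose severity_id >= min_severity_id."""
    normalised = [normalise_event(e) for e in events]
    return [e for e in normalised if e.get("severity_id", 0) >= min_severity_id]


# Constructed sample, modelled on the two event shapes in the reference's example response.
SAMPLE_EVENTS = [
    {"type_id": "4192", "severity_id": "4", "outcome_id": "3", "id": "1",
     "message": "Not Prevented: high-risk intrusion attempt",
     "uuid": "4192:4661b0f0-b298-11e7-c484-00000000538f"},
    {"type_id": 8, "severity_id": 1, "id": 8, "license_type_id": 2,
     "message": "Subscription expires soon.",
     "uuid": "8:656d1630-b282-11e7-dbe6-0000000045a8"},
]

if __name__ == "__main__":
    # Placeholders only: read real credentials from a secret store, never from source.
    headers = build_headers("<UserToken>", "<customer-id>", "<domain-id>")
    body = build_search_body("IPS", additional_filters="events.uuid like '8031'")
    # events = post_json(SEARCH_PATH, headers, body)   # live call
    for event in events_at_or_above(SAMPLE_EVENTS, 4):
        print(event["severity"], event["type_id"], event["message"])
```

The token, customer ID and domain ID travel in every request and grant access to the whole tenant's event data, so keep them out of source and logs and pass them in from a secret store; the HTTPS-only rule in section 1.2 exists for the same reason.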

4.9. Get Events Based On a Search Into a Histogram

POST /sepcloud/v1/events/search/histogram

4.9.1. Description

Counts the events that match the search conditions, groups them by a time field into date/time buckets of the requested interval and, within each bucket, by the value of an optional event field. Returns a list of documents (key/value pairs) with the computed counts for each bucket and group.

4.9.2. Parameters

Type Name Description Schema Default

Header

Authorization
required

OAuth2 Authorization Token obtained using the client id and client secret that has the required privileges to access this API.

string

Header

Content-Type
optional

Used to describe the mime-type of the data encoding. 

All requests use JSON encoding, so it is a good practice to set this property to: application/json.

string

"application/json"

Header

x-epmp-customer-id
required

Customer Id

string

Header

x-epmp-domain-id
required

Domain Id

string

Body

body
optional

body

body

Name Description Schema

additionalFilters
optional

Search conditions, e.g. "user=root"

string

end
required

End time (exclusive) of the search time frame.

string

field
optional

Event field name to group the events, e.g. "device_uid"

string

searchFilter
optional

searchFilter

start
required

Start time (inclusive) of the search time frame.

string

timeField
optional

The event field name to use for the date/time histogram group

string

timeInterval
optional

The interval to use for the date/time buckets. Legal values include "1h" and "1d".

string

timeZone
optional

Time zone in which events are being queried.

string

searchFilter

Name Description Schema

searchQuery
optional

Search query string

string

4.9.3. Responses

HTTP Code Description Schema

200

Histogram request successful.

< Response 200 > array

Response 200

Name Schema

count
optional

integer

groups
optional

< groups > array

svalue
optional

string

value
optional

integer

groups

Name Schema

count
optional

integer

value
optional

integer

4.9.4. Consumes

  • application/json

4.9.5. Produces

  • application/json

4.9.6. Security

Type Name

apiKey

Authorization

4.9.7. Example HTTP response

Response 200
[ {
  "value" : 1507075200000,
  "svalue" : "2017-10-04T00:00:00.000+00:00",
  "count" : 16,
  "groups" : [ {
    "value" : 2,
    "count" : 3
  }, {
    "value" : 1,
    "count" : 13
  } ]
}, {
  "value" : 1507161600000,
  "svalue" : "2017-10-05T00:00:00.000+00:00",
  "count" : 17,
  "groups" : [ {
    "value" : 2,
    "count" : 5
  }, {
    "value" : 1,
    "count" : 12
  } ]
}, {
  "value" : 1507248000000,
  "svalue" : "2017-10-06T00:00:00.000+00:00",
  "count" : 4,
  "groups" : [ {
    "value" : 1,
    "count" : 4
  } ]
} ]
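The following Python code is added as an example and is not part of the Symantec reference. It builds a histogram request body from the parameters in 4.9.2 and then works through a response of the shape shown above: each bucket carries its start as epoch milliseconds in value and as an ISO 8601 string in svalue, a total count, and a groups list keyed by the value of the field the request grouped on. The sample buckets are the three from the example response; the grouping field severity_id, the start/end time format and the helper names are this example's assumptions (the reference does not say which field the example was grouped by, nor the string format of start and end).

```python
from datetime import datetime, timezone

HISTOGRAM_PATH = "/sepcloud/v1/events/search/histogram"


def build_histogram_body(start, end, field="severity_id", time_field="time",
                         interval="1d", search_query=None, additional_filters=None,
                         tz="UTC"):
    """Body for POST /sepcloud/v1/events/search/histogram. start is inclusive
    and end exclusive. Assumed: start/end use the ISO 8601 form of the event
    time field; the reference does not state their format."""
    body = {"start": start, "end": end, "field": field, "timeField": time_field,
            "timeInterval": interval, "timeZone": tz}
    if search_query:
        body["searchFilter"] = {"searchQuery": search_query}
    if additional_filters:
        body["additionalFilters"] = additional_filters
    return body


def bucket_start(bucket):
    """The bucket's 'value' is its start as epoch milliseconds; 'svalue' is the
    same instant as an ISO 8601 string."""
    return datetime.fromtimestamp(bucket["value"] / 1000, tz=timezone.utc)


def check_bucket(bucket):
    """Return the inconsistencies found in one bucket (empty list if none):
    the group counts must add up to the bucket count, and value/svalue must
    name the same instant."""
    problems = []
    if sum(g["count"] for g in bucket.get("groups", [])) != bucket["count"]:
        problems.append("group counts do not add up to bucket count")
    if datetime.fromisoformat(bucket["svalue"]) != bucket_start(bucket):
        problems.append("value and svalue disagree")
    return problems


def totals_by_group(buckets):
    """Sum each group value (the field the request grouped by) across all buckets."""
    totals = {}
    for bucket in buckets:
        for group in bucket.get("groups", []):
            totals[group["value"]] = totals.get(group["value"], 0) + group["count"]
    return totals


def busiest_bucket(buckets):
    """svalue of the bucket holding the most events."""
    return max(buckets, key=lambda b: b["count"])["svalue"]


# Constructed sample: the three buckets from the reference's example response.
SAMPLE_BUCKETS = [
    {"value": 1507075200000, "svalue": "2017-10-04T00:00:00.000+00:00", "count": 16,
     "groups": [{"value": 2, "count": 3}, {"value": 1, "count": 13}]},
    {"value": 1507161600000, "svalue": "2017-10-05T00:00:00.000+00:00", "count": 17,
     "groups": [{"value": 2, "count": 5}, {"value": 1, "count": 12}]},
    {"value": 1507248000000, "svalue": "2017-10-06T00:00:00.000+00:00", "count": 4,
     "groups": [{"value": 1, "count": 4}]},
]

if __name__ == "__main__":
    body = build_histogram_body("2017-10-04T00:00:00.000+00:00",
                                "2017-10-07T00:00:00.000+00:00",
                                search_query="user=root")
    print(body)
    for bucket in SAMPLE_BUCKETS:
        print(bucket["svalue"], bucket["count"], check_bucket(bucket) or "ok")
    print(totals_by_group(SAMPLE_BUCKETS), busiest_bucket(SAMPLE_BUCKETS))
```

check_bucket is the kind of sanity check worth running before a histogram feeds a dashboard: a bucket whose groups do not add up to its count indicates either a truncated response or a grouping field that is absent on some events.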

5. Definitions

5.1. category_id

Also defined as eventCategory in event search requests. Event categories are used to combine events of multiple types.

Events can be tagged with a category at event log time, and then a category or list of categories can be used to query events at event search time.

Following are the event categories:

[0] Unknown - Event whose category is not defined.

[1] Security - Events related to endpoint, device and network protection.

[2] Licensing - Events related to licensing and activation.

[3] System - Events that are system specific such as account lockout etc.

[4] Audit - Events related to capturing changes to entities.

[5] Policy - Events related to policy command and policy compliance.

[6] User Behavior - Events that lead to user risk. This is only relevant for Alerts.

Type : integer

5.2. customer_uid

Same as the Customer ID defined in the header

Type : string

5.3. device

Name Description Schema

created
optional

The date the device record was created.

string

dedicated
optional

A list of users for the device.

< string > array

device-status
optional

The device’s status.

string

device-status-reason
optional

The reason for the device’s status.

< string > array

enrollment-data
optional

Details of the device’s MDM enrollment status.

enrollment-data

hardware
optional

Details of the device’s hardware.

hardware

id
optional

The unique identifier of the device.

string

inventory
optional

Inventory collected from the device.

inventory

last-enrollment-date
optional

The last date that the device was enrolled in MDM.

string

mdm-installed
optional

Indicates whether or not MDM is enabled.

boolean

mdm-provider
optional

The name of the company or product providing MDM service.

string

modified
optional

The date the device record was last modified.

string

name
optional

The name of the device.

string

network-adapters
optional

A list of the device’s network adapters.

< network-adapters > array

olp-endpoint-id
optional

The OLP endpoint ID of the device.

string

operating-system
optional

Details of the device’s operating system.

operating-system

ownership-type
optional

The device’s ownership type.

string

enrollment-data

Name Schema

is-self-enrollment
optional

boolean

mdm-installed
optional

boolean

transaction-id
optional

string

hardware

Name Description Schema

model-name
optional

The device’s model name.

string

model-vendor
optional

The device’s vendor.

string

model-version
optional

The device’s model version.

string

serial-number
optional

The device’s serial number.

string

uuid
optional

The device’s UUID.

string

inventory

Name Schema

application
optional

object

certificate
optional

certificate

device
optional

device

profile
optional

profile

provisioning_profile
optional

provisioning_profile

restriction
optional

restriction

security
optional

security

token_update
optional

token_update

update_time
optional

string

certificate

Name Schema

Certificates
optional

< Certificates > array

DeviceID
optional

string

InformationType
optional

string

Status
optional

string

Type
optional

string

UDID
optional

string

UserId
optional

string

UserLongName
optional

string

UserShortName
optional

string

Certificates

Name Schema

Base64
optional

string

CommonName
optional

string

IsIdentity
optional

boolean

device

Name Schema

AppleTVDeviceID
optional

string

AvailableDeviceCapacity
optional

number

BatteryLevel
optional

number

BluetoothMAC
optional

string

BuildVersion
optional

string

CarrierSettingsVersion
optional

string

CellularTechnology
optional

string

CurrentMCC
optional

string

DeviceCapacity
optional

number

DeviceID
optional

string

DeviceName
optional

string

EASDeviceIdentifier
optional

string

HostName
optional

string

ICCID
optional

string

IMEI
optional

string

ITunesStoreAccountHash
optional

string

InformationType
optional

string

IsActivationLockEnabled
optional

boolean

IsCloudBackupEnabled
optional

boolean

IsDataRoamingEnabled
optional

boolean

IsDeviceLocatorServiceEnabled
optional

boolean

IsDoNotDisturbInEffect
optional

boolean

IsITunesStoreAccountActive
optional

boolean

IsPersonalHotspotEnabled
optional

boolean

IsSupervised
optional

boolean

IsVoiceRoamingEnabled
optional

boolean

LastCloudBackupDate
optional

string

LocalHostName
optional

string

MEID
optional

string

Model
optional

string

ModelName
optional

string

ModemFirmwareVersion
optional

string

OSVersion
optional

string

ProductName
optional

string

SIMCarrierNetwork
optional

string

SIMMCC
optional

string

SIMMNC
optional

string

SerialNumber
optional

string

Status
optional

string

SubscriberCarrierNetwork
optional

string

SubscriberMCC
optional

string

SubscriberMNC
optional

string

Type
optional

string

UDID
optional

string

UserId
optional

string

UserLongName
optional

string

UserShortName
optional

string

WifiMAC
optional

string

profile

Name Schema

ConfigurationProfiles
optional

< ConfigurationProfiles > array

DeviceID
optional

string

InformationType
optional

string

Status
optional

string

Type
optional

string

UDID
optional

string

UserId
optional

string

UserLongName
optional

string

UserShortName
optional

string

ConfigurationProfiles

Name Schema

HasRemovalPasscode
optional

boolean

IsEncrypted
optional

boolean

IsManaged
optional

boolean

IsPayloadRemovalDisallowed
optional

boolean

PayloadDescription
optional

string

PayloadDisplayName
optional

string

PayloadIdentifier
optional

string

PayloadOrganization
optional

string

PayloadType
optional

string

PayloadUUID
optional

string

PayloadVersion
optional

integer

Payloads
optional

< object > array

SignerCertificates
optional

< SignerCertificates > array

SignerCertificates

Name Schema

Base64
optional

string

provisioning_profile

Name Schema

DeviceID
optional

string

InformationType
optional

string

ProvisioningProfiles
optional

< object > array

Status
optional

string

Type
optional

string

UDID
optional

string

UserId
optional

string

UserLongName
optional

string

UserShortName
optional

string

restriction

Name Schema

DeviceID
optional

string

InformationType
optional

string

Restrictions
optional

< Restrictions > array

Status
optional

string

Type
optional

string

UDID
optional

string

UserId
optional

string

UserLongName
optional

string

UserShortName
optional

string

Restrictions

Name Schema

AcceptSafariCookies
optional

integer

AllowAccountModification
optional

boolean

AllowActivityContinuation
optional

boolean

AllowAddingGameCenterFriends
optional

boolean

AllowAirDrop
optional

boolean

AllowAppCellularDataModitication
optional

boolean

AllowAppInstallation
optional

boolean

AllowAppRemoval
optional

boolean

AllowAssistant
optional

boolean

AllowAssistantUserGeneratedContent
optional

boolean

AllowAssistantWhileLocked
optional

boolean

AllowAutoCorrection
optional

boolean

AllowAutomaticAppDownloads
optional

boolean

AllowBookstore
optional

boolean

AllowBookstoreErotica
optional

boolean

AllowCamera
optional

boolean

AllowChat
optional

boolean

AllowCloudBackup
optional

boolean

AllowCloudDocumentSync
optional

boolean

AllowCloudKeyValueSync
optional

boolean

AllowCloudKeychainSync
optional

boolean

AllowCloudPhotoLibrary
optional

boolean

AllowDefinitionLookup
optional

boolean

AllowDeviceNameModification
optional

boolean

AllowDiagnosticSubmission
optional

boolean

AllowEnablingRestrictions
optional

boolean

AllowEnterpriseAppTrust
optional

boolean

AllowEnterpriseBookBackup
optional

boolean

AllowEnterpriseBookMetadataSync
optional

boolean

AllowEraseContentAndSettings
optional

boolean

AllowExplicitContent
optional

boolean

AllowFindMyFriendsModification
optional

boolean

AllowFingerprintForUnlock
optional

boolean

AllowFingerprintModification
optional

boolean

AllowGameCenter
optional

boolean

AllowGlobalBackgroundFetchWhenRoaming
optional

boolean

AllowHostPairing
optional

boolean

AllowInAppPurchases
optional

boolean

AllowKeyboardShortcuts
optional

boolean

AllowLocationServices
optional

boolean

AllowLockScreenControlCenter
optional

boolean

AllowLockScreenNotificationsView
optional

boolean

AllowLockScreenTodayView
optional

boolean

AllowLockScreenWiFiModification
optional

boolean

AllowManagedAppsCloudSync
optional

boolean

AllowMultiplayerGaming
optional

boolean

AllowMusicService
optional

boolean

AllowNews
optional

boolean

AllowOTAPKIUpdates
optional

boolean

AllowOpenFromManagedToUnmanaged
optional

boolean

AllowOpenFromUnmanagedToManaged
optional

boolean

AllowPairedWatch
optional

boolean

AllowPassbookWhileLocked
optional

boolean

AllowPasscodeModification
optional

boolean

AllowPhotoStream
optional

boolean

AllowPredictiveKeyboard
optional

boolean

AllowSafari
optional

boolean

AllowSafariAutoFill
optional

boolean

AllowSafariJavaScript
optional

boolean

AllowSafariPopups
optional

boolean

AllowScreenShot
optional

boolean

AllowSharedStream
optional

boolean

AllowSharedStreamReceiveInvitation
optional

boolean

AllowSharedStreamSendInvitation
optional

boolean

AllowSimple
optional

boolean

AllowSpellCheck
optional

boolean

AllowSpotlightInternetResults
optional

boolean

AllowTextDefine
optional

boolean

AllowUIAppInstallation
optional

boolean

AllowUIConfigurationProfileInstallation
optional

boolean

AllowUntrustedTLSPrompt
optional

boolean

AllowVideoConferencing
optional

boolean

AllowVoiceDialing
optional

boolean

AllowWallpaperModification
optional

boolean

AllowYouTube
optional

boolean

AllowiTunes
optional

boolean

AppRating
optional

integer

ForceAirDropUnmanaged
optional

boolean

ForceAirPlayIncomingRequestsPairingPassword
optional

boolean

ForceAirPlayOutgoingRequestsPairingPassword
optional

boolean

ForceAssistantProfanityFilter
optional

boolean

ForceEncryptedBackup
optional

boolean

ForceFIPSVerification
optional

boolean

ForceLimitAdTracking
optional

boolean

ForcePIN
optional

boolean

ForceSafariFraudWarning
optional

boolean

ForceWatchWristDetection
optional

boolean

ForceiTunesStorePasswordEntry
optional

boolean

Identifier
optional

string

MaxFailedAttempts
optional

integer

MaxGracePeriod
optional

integer

MaxInactivity
optional

integer

MaxPINAgeInDays
optional

integer

MinComplexCharacters
optional

integer

MinLength
optional

integer

MovieRating
optional

integer

PINHistory
optional

integer

RequireAlphanumeric
optional

boolean

TVRating
optional

integer

security

Name Schema

DeviceID
optional

string

HardwareEncryptionCaps
optional

string

InformationType
optional

string

IsPasscodeCompliant
optional

boolean

IsPasscodeCompliantWithProfiles
optional

boolean

IsPasscodePresent
optional

boolean

Status
optional

string

Type
optional

string

UDID
optional

string

UserId
optional

string

UserLongName
optional

string

UserShortName
optional

string

token_update

Name Schema

DeviceID
optional

string

InformationType
optional

string

Status
optional

string

Type
optional

string

UDID
optional

string

UserId
optional

string

UserLongName
optional

string

UserShortName
optional

string

network-adapters

Name Description Schema

addr
optional

The address of the network adapter.

string

name
optional

The name of the network adapter.

string

operating-system

Name Description Schema

edition
optional

The edition of the device’s operating system.

string

friendlyname
optional

The friendly name of the device’s operating system.

string

name
optional

The name of the device’s operating system.

string

technical-version
optional

The technical version of the device’s operating system.

string

type
optional

The type of the device’s operating system.

string

version
optional

The version of the device’s operating system.

string

5.4. domain_uid

Same as the Domain ID field defined in the header.

Type : string

5.5. log_name

The name of the log where the event has been logged (written) by the Event service. Use this attribute as an opaque value.

Type : string

5.6. outcome_id

Outcome of the event, for example Failed or Prevented. The set of values depends on the type_id.

Possible values for Intrusion Prevention System (IPS) events (type_id 4192):

  • 0 = Unknown

  • 1 = Other

  • 2 = Succeeded

  • 3 = Failed

  • 4 = Prevented

Possible values for Phishing events (type_id 4320); note that the reference assigns the value 1 to both Other and Succeeded, so confirm the mapping against live data before relying on it:

  • 0 = Unknown

  • 1 = Other

  • 1 = Succeeded

  • 2 = Deleted

  • 3 = Prevented

Type : integer

5.7. seq_num

The seq_num is a positive 32-bit number that indicates the order of the events a client sends. The first event that a client sends has a seq_num of 1 and the client increments the seq_num by one with each subsequent event. For UNPACK (2) composite events, each event in the events array must have a unique, consecutive seq_num, that is events[i+1].seq_num = events[i].seq_num + 1. When the sequence number reaches java.lang.Integer.MAX_VALUE (2^31 - 1) it wraps around and restarts at 1.

The event service monitors sequence numbers to detect lost events.

Type : integer
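The following Python code is added as an example of the loss detection the event service performs; it is not part of the Symantec reference. It tracks one client's seq_num stream, applies the wrap-around rule (INT_MAX is followed by 1, never 0), reports how many events went missing, and separates a genuine gap from a replayed or reordered seq_num. The class name, the REORDER_WINDOW heuristic and the sample streams are this example's own.

```python
INT_MAX = 2**31 - 1            # java.lang.Integer.MAX_VALUE, the wrap point
REORDER_WINDOW = INT_MAX // 2  # assumed: how far "behind" still counts as reordering, not a wrap


def next_seq(seq):
    """The seq_num that must follow seq: after INT_MAX the sequence restarts at 1, never 0."""
    return 1 if seq >= INT_MAX else seq + 1


class SeqTracker:
    """Tracks the seq_num stream of one client. Keep one tracker per client
    (for example per device_name or product_uid); mixing clients produces
    false gaps."""

    def __init__(self, start=1):
        self.expected = start   # the first event a client sends carries seq_num 1
        self.gaps = []

    def observe(self, seq):
        """Record one seq_num. Returns None when it is the expected one, or a
        dict describing the anomaly: kind 'lost' with the number of missing
        events, or 'out_of_order' for a replayed/reordered seq_num."""
        if not 1 <= seq <= INT_MAX:
            raise ValueError("seq_num must be in 1..%d, got %r" % (INT_MAX, seq))
        if seq == self.expected:
            self.expected = next_seq(seq)
            return None
        behind = (self.expected - seq) % INT_MAX   # modular distance, wrap-aware
        if behind < REORDER_WINDOW:
            gap = {"kind": "out_of_order", "expected": self.expected, "got": seq, "lost": 0}
        else:
            gap = {"kind": "lost", "expected": self.expected, "got": seq,
                   "lost": (seq - self.expected) % INT_MAX}
            self.expected = next_seq(seq)   # resynchronise after the gap
        self.gaps.append(gap)
        return gap


def composite_is_contiguous(events):
    """For an UNPACK (2) composite event every entry of the events array must
    carry a unique, consecutive seq_num (wrap-aware)."""
    seqs = [int(e["seq_num"]) for e in events]
    return all(seqs[i + 1] == next_seq(seqs[i]) for i in range(len(seqs) - 1))


def find_gaps(seq_nums, start=1):
    """Replay a client's seq_nums through a tracker and return the anomalies."""
    tracker = SeqTracker(start)
    for seq in seq_nums:
        tracker.observe(seq)
    return tracker.gaps


if __name__ == "__main__":
    # Constructed stream: a wrap from INT_MAX to 1, one lost event, then a straggler.
    sample = [INT_MAX - 1, INT_MAX, 1, 2, 4, 3]
    for gap in find_gaps(sample, start=INT_MAX - 1):
        print(gap)
```

A consumer that pulls events through the search API sees seq_num on every event, so the same tracker lets a SIEM integration notice when its own collection, not the client, has dropped or duplicated records.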

5.8. staticGroup

Name Description Schema

caption
optional

The caption for the static group

string

created
optional

The date the static group was created.

string

description
optional

The description of the static group.

string

device-ids
optional

A list of device IDs assigned to the static group.

< object > array

devices
optional

A list of devices assigned to the static group

< object > array

id
optional

The unique identifier for the static group.

string

modified
optional

The date the static group was last modified.

string

name
optional

The name of the static group.

string

policies
optional

A list of policies applied to the static group.

< object > array

priority
optional

The static group’s priority in relation to other groups.

integer

products
optional

A list of products assigned to the static group.

< object > array

user-ids
optional

A list of user IDs assigned to the static group.

< object > array

5.9. time

The local time and time zone offset represented as a string in the ISO 8601 format "YYYY-MM-DDThh:mm:ss.SSSTZD", where:

  • YYYY : year

  • MM : month (01-12)

  • DD : day (01-31)

  • hh : hours (00-23)

  • mm : minutes (00-59)

  • ss : seconds (00-59)

  • SSS: milliseconds (000-999)

  • TZD: 6 character time zone designator in the form +hh:mm or -hh:mm. The time zone indicates how many hours and minutes the reported time is ahead of or behind UTC. For example, 1997-07-16T19:20:30.045+01:30.

The example responses in this document use the designator Z for UTC instead (for example, "2017-10-16T17:34:34.369Z"); parsers should accept both forms.

Type : object

5.10. timezone

The time offset from the Greenwich/UTC time-zone, applicable to the time and end_time fields.

Type : integer
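The following Python parser is added as an example and is not part of the Symantec reference. It accepts the time format of 5.9 with either a +hh:mm/-hh:mm designator or the Z that the example responses use, converts to UTC so that events from devices in different zones can be correlated, and computes the delay between device_time and log_time, which in the example response is 2 ms. The function names are this example's own; the reference gives no unit for the integer timezone field of 5.10, so offset_minutes returning minutes is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# YYYY-MM-DDThh:mm:ss.SSSTZD from section 5.9, with "Z" also accepted because
# the example responses use it.
_TIME_RE = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.(\d{1,3}))?(Z|[+-]\d{2}:\d{2})$")


def parse_event_time(text):
    """Parse a SEP Cloud time string into an aware datetime; raise ValueError
    on anything else, including a missing time zone designator."""
    match = _TIME_RE.match(text)
    if not match:
        raise ValueError("not a SEP Cloud time string: %r" % (text,))
    year, month, day, hh, mm, ss, frac, tzd = match.groups()
    micros = int((frac or "0").ljust(3, "0")) * 1000   # SSS -> microseconds
    if tzd == "Z":
        offset = timedelta(0)
    else:
        sign = 1 if tzd[0] == "+" else -1
        offset = sign * timedelta(hours=int(tzd[1:3]), minutes=int(tzd[4:6]))
    return datetime(int(year), int(month), int(day), int(hh), int(mm), int(ss),
                    micros, tzinfo=timezone(offset))


def is_valid_time(text):
    """True when text parses as a SEP Cloud time string."""
    try:
        parse_event_time(text)
        return True
    except ValueError:
        return False


def to_utc(text):
    """The same instant expressed in UTC, for correlating events across devices."""
    return parse_event_time(text).astimezone(timezone.utc)


def offset_minutes(text):
    """Offset of the designator from UTC in minutes. Assumed unit: the reference
    does not say what unit the integer timezone field (5.10) uses."""
    return int(parse_event_time(text).utcoffset().total_seconds()) // 60


def ingest_delay_ms(event):
    """Milliseconds between the device's clock (device_time) and the event
    service's clock (log_time). A large or negative value points at clock skew."""
    delta = to_utc(event["log_time"]) - to_utc(event["device_time"])
    return delta // timedelta(milliseconds=1)


if __name__ == "__main__":
    # Constructed from the IPS event in the reference's example response.
    sample = {"device_time": "2017-10-16T17:34:34.367Z", "log_time": "2017-10-16T17:34:34.369Z"}
    print(to_utc("1997-07-16T19:20:30.045+01:30").isoformat())
    print(ingest_delay_ms(sample), "ms")
```

Rejecting strings without a designator is deliberate: a naive timestamp silently picks up the collector's local zone, and an incident timeline built from a mix of zoned and naive values is wrong by whole hours.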

5.11. type_id

The event type_id specifies the event classification and the structure of any additional event attributes. SEP Cloud reserves type_id ranges for platform event types and domain specific event types. Listed below are these reserved type_id ranges:

EPMP: 0 – 4095

Advanced Threat Protection: 4096 – 4127

Scan: 4128 – 4159

Firewall: 4160 – 4191

Intrusion Prevention: 4192 – 4223

Compliance: 4224 – 4255

Backup: 4256 – 4287

Device Control: 4288 – 4319

Phishing: 4320 – 4351

Threat Detection & Response: 4352 - 4383

Beachhead Management: 4384 - 4415

Endpoint Detection & Response: 4416 - 4447

Type : integer

5.12. user

Name Description Schema

email
optional

The email address of the user.

string

email_verified
optional

The date that the user’s email address was verified.

string

enrollment_status
optional

The user’s enrollment status.

string

given_name
optional

The first name of the user.

string

id
optional

The unique identifier for the user.

string

olp_account_id
optional

The OLP account ID for the user.

string

olp_user_allocation_id
optional

The OLP user allocation ID for the user.

string

props
optional

Additional properties for the user.

props

scsem_status
optional

The user’s product status.

string

surname
optional

The last name of the user.

string

props

Name Schema

products
optional

< string > array

5.13. uuid

A 128-bit GUID or UUID value represented as a string of 32 lower-case hexadecimal digits displayed in five groups separated by hyphens, with 8, 4, 4, 4 and 12 digits per group. For example, "ebac5ef7-b920-402c-b1b4-853c18b990f6".

In event search responses (see 4.8.6) the uuid field is returned with the event's type_id and a colon prepended, for example "4192:4661b0f0-b298-11e7-c484-00000000538f"; strip that prefix before treating the remainder as a UUID.

Type : string
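The following Python code is added as an example and is not part of the Symantec reference. It maps a type_id to the reserved range of 5.11, validates a uuid against the 8-4-4-4-12 lower-case form of 5.13, splits the "<type_id>:<uuid>" form that the event search response returns, and checks that the prefix agrees with the event's own type_id, a cheap consistency check before an event is routed to a SIEM parser by family. Function names are this example's own; the non-strict uuid mode exists because the example response carries product_uid in upper case.

```python
import re

# Reserved type_id ranges from section 5.11.
TYPE_ID_RANGES = [
    (0, 4095, "EPMP"),
    (4096, 4127, "Advanced Threat Protection"),
    (4128, 4159, "Scan"),
    (4160, 4191, "Firewall"),
    (4192, 4223, "Intrusion Prevention"),
    (4224, 4255, "Compliance"),
    (4256, 4287, "Backup"),
    (4288, 4319, "Device Control"),
    (4320, 4351, "Phishing"),
    (4352, 4383, "Threat Detection & Response"),
    (4384, 4415, "Beachhead Management"),
    (4416, 4447, "Endpoint Detection & Response"),
]

# 8-4-4-4-12 lower-case hexadecimal groups, as section 5.13 defines.
_UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def type_id_family(type_id):
    """Name of the reserved range a type_id falls in, or 'Unreserved'.
    Accepts the int or string forms seen in the example response."""
    value = int(type_id)
    for low, high, name in TYPE_ID_RANGES:
        if low <= value <= high:
            return name
    return "Unreserved"


def is_sepcloud_uuid(text, strict=True):
    """strict=True applies the lower-case rule of 5.13; strict=False also
    accepts the upper-case form the example response uses for product_uid."""
    return bool(_UUID_RE.match(text if strict else text.lower()))


def split_event_uuid(text):
    """Event uuid as the search response returns it: '<type_id>:<uuid>'.
    Returns (type_id or None, uuid); raises ValueError on anything else."""
    prefix, sep, rest = text.partition(":")
    if sep:
        if not prefix.isdigit() or not is_sepcloud_uuid(rest):
            raise ValueError("malformed event uuid: %r" % (text,))
        return int(prefix), rest
    if not is_sepcloud_uuid(text):
        raise ValueError("malformed uuid: %r" % (text,))
    return None, text


def event_is_consistent(event):
    """True when the uuid prefix (if any) equals the event's type_id and that
    type_id lies in a reserved range."""
    type_id = int(event["type_id"])
    prefix, _ = split_event_uuid(event["uuid"])
    return (prefix is None or prefix == type_id) and type_id_family(type_id) != "Unreserved"


def count_by_family(events):
    """Events per reserved range, the split a SIEM integration routes on."""
    counts = {}
    for event in events:
        family = type_id_family(event["type_id"])
        counts[family] = counts.get(family, 0) + 1
    return counts


# Constructed sample, modelled on the reference's example response.
SAMPLE_EVENTS = [
    {"type_id": "4192", "uuid": "4192:4661b0f0-b298-11e7-c484-00000000538f"},
    {"type_id": 8, "uuid": "8:656d1630-b282-11e7-dbe6-0000000045a8"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(type_id_family(event["type_id"]), split_event_uuid(event["uuid"]),
              event_is_consistent(event))
    print(count_by_family(SAMPLE_EVENTS))
```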