98 - Network - Application Programmers Interface Guide

The Fidelis Network Application Programmers Interface Guide, version 9.8, provides comprehensive instructions for users on utilizing the API, including data access, user management, and sensor management. It contains detailed information on various functions, access controls, and guidelines for API programmers. The document is intended for developers and technical users, ensuring they have the necessary resources to effectively implement and manage the API functionalities.

Fidelis Network®

Application Programmers Interface Guide


Version 9.8
Copyright © 2024 by Fidelis Security LLC
All rights reserved worldwide.

Fidelis Security LLC


871 Marlborough Ave
Suite 100
Riverside, CA, 92507

Fidelis Network®, version 9.8

Fidelis Network Application Programmers Interface Guide, version 9.8

October 2024 v01-20241016

Source: Engineering

Users are granted permission to copy and/or distribute this document in its original electronic form and
print copies for personal use. This document cannot be modified or converted to any other electronic or
machine-readable form in whole or in part without prior written approval of Fidelis Security LLC.

While we have done our best to ensure that the material found in this document is accurate, Fidelis
Security LLC makes no guarantee that the information contained herein is error free.

Fidelis Network includes GeoLite data created by MaxMind

2 Copyright © 2024, Fidelis Security, LLC. All Rights Reserved.


Table of Contents
PREFACE ...................................................................................................................................................... 13
Intended Audience .................................................................................................................................. 13
Available Guides ..................................................................................................................................... 13
Technical Support ................................................................................................................................... 14
CHAPTER 1 INTRODUCTION ............................................................................................................................ 15
Using the API .......................................................................................................................................... 15
Document Conventions .......................................................................................................................... 16
Deprecated Functions............................................................................................................................. 17
Available Logs for the API Programmer ................................................................................................. 18
Guidelines for the API Programmer ........................................................................................................ 18
CHAPTER 1 DATA ACCESS ............................................................................................................................ 19
Search & Filter ........................................................................................................................................ 19
Preamble ........................................................................................................................................... 19
Options .............................................................................................................................................. 21
Access Controls ...................................................................................................................................... 27
alerts_change_group ........................................................................................................................ 27
groupadm_list .................................................................................................................................... 28
groupadm_edit .................................................................................................................................. 28
groupadm_del ................................................................................................................................... 28
group_list ........................................................................................................................................... 29
user_perms ....................................................................................................................................... 29
roleadm_list ....................................................................................................................................... 29
roleadm_edit...................................................................................................................................... 30
roleadm_del....................................................................................................................................... 30
Alerts ....................................................................................................................................................... 30
aac_alerts .......................................................................................................................................... 30
aac_alert_session ............................................................................................................................. 31
aac_groupby ...................................................................................................................................... 31
aac_groupby_dist .............................................................................................................................. 32
aac_ids .............................................................................................................................................. 32
alert_data .......................................................................................................................................... 33
alert_highlight .................................................................................................................................... 33
alert_size ........................................................................................................................................... 34
Alertdetailsreport ............................................................................................................................... 34

alert_threatgrid .................................................................................................................................. 35
alert_trend ......................................................................................................................................... 36
aprotolist ............................................................................................................................................ 36
categorylist ........................................................................................................................................ 36
eventreport ........................................................................................................................................ 36
filetypelist ........................................................................................................................................... 37
get_meta_fields ................................................................................................................................. 37
longreport .......................................................................................................................................... 37
messages .......................................................................................................................................... 37
msglist ............................................................................................................................................... 38
packet ................................................................................................................................................ 38
priorities ............................................................................................................................................. 38
purge_data ........................................................................................................................................ 39
related_alerts ..................................................................................................................................... 40
srcaddr .............................................................................................................................................. 40
dstaddr .............................................................................................................................................. 40
alert_auth_users................................................................................................................................ 41
quarantine_auth_users ..................................................................................................................... 41
session_alerts ................................................................................................................................... 41
collector_analytics_alert_transactions .............................................................................................. 42
collector_analytics_alert_detail ......................................................................................................... 42
check_alert_flags .............................................................................................................................. 42
alert_update_vtinfo ............................................................................................................................ 43
Archive .................................................................................................................................................... 43
export_alert ....................................................................................................................................... 43
import_alert ....................................................................................................................................... 44
test_archive ....................................................................................................................................... 44
archive_list ........................................................................................................................................ 44
archive_contents ............................................................................................................................... 45
archive_locations............................................................................................................................... 45
Mailer ...................................................................................................................................................... 46
mailer_list .......................................................................................................................................... 46
mailer_alerts ...................................................................................................................................... 47
mailer_quarantine_deliver ................................................................................................................. 47
mailer_quarantine_discard ................................................................................................................ 47
mailer_quarantine_details ................................................................................................................. 48

mailer_quarantine_sensor ................................................................................................................. 48
mailer_raw_quarantine_sensor ......................................................................................................... 48
Policies.................................................................................................................................................... 49
container_add.................................................................................................................................... 49
container_data................................................................................................................................... 49
container_del ..................................................................................................................................... 49
container_list ..................................................................................................................................... 50
container_status ................................................................................................................................ 50
container_sync .................................................................................................................................. 50
fps_gen .............................................................................................................................................. 51
fps_test .............................................................................................................................................. 51
fps_testf ............................................................................................................................................. 51
fps_get ............................................................................................................................................... 52
fps_parameters_get .......................................................................................................................... 52
fps_patterns_get................................................................................................................................ 52
fps_types_get .................................................................................................................................... 53
sensor_getxml ................................................................................................................................... 53
prfm_status ........................................................................................................................................ 53
Conclusions ............................................................................................................................................ 54
rule_group_add ................................................................................................................................. 54
rule_group_del .................................................................................................................................. 54
rule_group_list ................................................................................................................................... 54
rule_agg_method_set ....................................................................................................................... 55
rule_agg_method_list ........................................................................................................................ 55
rule_agg_method_del ....................................................................................................................... 55
Radar ...................................................................................................................................................... 56
aac_list .............................................................................................................................................. 56
aac_radar_lo ..................................................................................................................................... 56
alert_count ......................................................................................................................................... 57
info ..................................................................................................................................................... 57
last ..................................................................................................................................................... 57
week_prio .......................................................................................................................................... 58
Reports ................................................................................................................................................... 58
alertsbyip ........................................................................................................................................... 58
alertsbypair ........................................................................................................................................ 58
alertsbycrit ......................................................................................................................................... 59

alertsbypol ......................................................................................................................................... 59
polbytime ........................................................................................................................................... 60
report_list ........................................................................................................................................... 61
report_add ......................................................................................................................................... 62
report_del .......................................................................................................................................... 63
report_copy ....................................................................................................................................... 63
report_upd_sched ............................................................................................................................. 63
report_upd_sched_time .................................................................................................................... 64
report_schednow_list ........................................................................................................................ 64
report_clone ...................................................................................................................................... 64
report_export ..................................................................................................................................... 65
report_import ..................................................................................................................................... 65
ticket_status_avg............................................................................................................................... 66
ticket_status_dist ............................................................................................................................... 66
Sessions ................................................................................................................................................. 66
tcpses_exist....................................................................................................................................... 66
tcpses_info ........................................................................................................................................ 67
tcpses_c ............................................................................................................................................ 67
tcpses_dc .......................................................................................................................................... 67
tcpses_s ............................................................................................................................................ 68
tcpses_ds .......................................................................................................................................... 68
tcpses_getdpath ................................................................................................................................ 69
tcpses_getfile .................................................................................................................................... 69
evpkg_getfile ..................................................................................................................................... 69
Stats ........................................................................................................................................................ 70
stats ................................................................................................................................................... 70
stats_graph_pps ................................................................................................................................ 70
stats_graph_bps ................................................................................................................................ 71
stats_ipdefrag .................................................................................................................................... 71
stats_ipdefrag_graph ........................................................................................................................ 72
stats_tcps .......................................................................................................................................... 72
stats_tcps_graph ............................................................................................................................... 73
stats_tcpk .......................................................................................................................................... 73
stats_tcpk_graph ............................................................................................................................... 73
stats_iptrap ........................................................................................................................................ 74
stats_iptrap_graph............................................................................................................................. 74

stats_ilm ............................................................................................................................................ 75
stats_ilm_graph_pps ......................................................................................................................... 75
stats_ilm_graph_bps ......................................................................................................................... 75
stats_icap .......................................................................................................................................... 76
stats_icap_graph ............................................................................................................................... 76
stats_mailer ....................................................................................................................................... 77
stats_mailer_graph ............................................................................................................................ 77
stats_ses ........................................................................................................................................... 78
stats_ses_graph ................................................................................................................................ 78
stats_dns ........................................................................................................................................... 79
stats_dns_graph ................................................................................................................................ 79
stats_ses_enabled ............................................................................................................................ 79
stats_avg_alerts_graph ..................................................................................................................... 80
stats_mded ........................................................................................................................................ 80
stats_mded_graph............................................................................................................................. 80
stats_sensor_metadata_sent ............................................................................................................ 81
stats_vertica_sys_resources ............................................................................................................. 81
collector_analytics_rule_statistics ..................................................................................................... 82
Tickets..................................................................................................................................................... 82
it_users .............................................................................................................................................. 82
it_status ............................................................................................................................................. 83
it_resolution ....................................................................................................................................... 83
it_get .................................................................................................................................................. 83
it_set .................................................................................................................................................. 84
it_history ............................................................................................................................................ 84
Investigations .......................................................................................................................................... 85
investigation_add .............................................................................................................................. 85
investigation_del................................................................................................................................ 85
investigation_update ......................................................................................................................... 85
investigation_list ................................................................................................................................ 86
investigation_item_add ..................................................................................................................... 86
investigation_item_del ....................................................................................................................... 86
investigation_item_update ................................................................................................................ 87
investigation_item_list ....................................................................................................................... 87
investigation_user ............................................................................................................................. 87
Collector_Failover ................................................................................................................................... 88

collectorcontrollermgr_rmtok ............................................................................................................. 88
collectorip_for_sensorip .................................................................................................................... 88
failoverip_for_collectorip ................................................................................................................... 88
primaryname_for_collectorip ............................................................................................................. 88
Collector_DR .......................................................................................................................................... 89
collector_dr_clear .............................................................................................................................. 89
collector_dr_create ............................................................................................................................ 89
collector_dr_switch ............................................................................................................................ 89
collector_dr_set_switch_wait_minutes .............................................................................................. 90
collector_dr_get_switch_wait_minutes.............................................................................................. 90
collector_dr_set_sync_wait_minutes ................................................................................................ 90
collector_dr_get_candidates ............................................................................................................. 90
collector_dr_get ................................................................................................................................. 91
Collector_Analytics ................................................................................................................................. 91
collector_analytics_rule_add ............................................................................................................. 91
collector_analytics_rule_update ........................................................................................................ 92
collector_analytics_rule_del .............................................................................................................. 92
collector_analytics_rule_list .............................................................................................................. 93
collector_analytics_rule_import ......................................................................................................... 93
collector_analytics_rule_export ......................................................................................................... 93
collector_analytics_label_add ........................................................................................................... 94
collector_analytics_label_del ............................................................................................................ 94
collector_analytics_label_update ...................................................................................................... 94
collector_analytics_label_list ............................................................................................................. 95
collector_analytics_label_rule_id_list ................................................................................................ 95
collector_analytics_label_rule_add ................................................................................................... 95
collector_analytics_label_rule_del .................................................................................................... 95
collector_analytics_label_rule_list ..................................................................................................... 96
collector_analytics_job_add .............................................................................................................. 96
collector_analytics_job_list ................................................................................................................ 97
collector_analytics_job_cancel .......................................................................................................... 97
collector_analytics_job_modify ......................................................................................................... 97
collector_analytics_job_enable ......................................................................................................... 98
collector_analytics_job_disable ......................................................................................................... 98
collector_analytics_job_del ............................................................................................................... 98
collector_analytics_rule_change_push ............................................................................................. 98

8 Copyright © 2024, Fidelis Security, LLC. All Rights Reserved.


collector_feeds .................................................................................................................................. 99
Metadata ................................................................................................................................................. 99
metadata_checksearch ..................................................................................................................... 99
metadata_refine .............................................................................................................................. 100
metadata_results ............................................................................................................................. 100
metadata_session ........................................................................................................................... 101
metadata_support ........................................................................................................................... 101
metadata_total................................................................................................................................. 102
metadata_timestamp ....................................................................................................................... 102
metadata_storage ........................................................................................................................... 102
metadata_printapi_results ............................................................................................................... 103
metadata_XAnodes ......................................................................................................................... 104
metadata_diskspace ....................................................................................................................... 104
metadata_new ................................................................................................................................. 105
metadata_percentile ........................................................................................................................ 105
metadata_outlier.............................................................................................................................. 106
metadata_groupby .......................................................................................................................... 106
metadata_analytic_rule_results ...................................................................................................... 107
metadata_analytic_rule_results_del................................................................................................ 107
metadata_analytic_rule_results_count ........................................................................................... 108
metadata_analytic_rule_results_query ........................................................................................... 108
metadata_queries............................................................................................................................ 108
metadata_throughput ...................................................................................................................... 109
metadata_ok .................................................................................................................................... 109
metadata_dr_status ........................................................................................................................ 109
metadata_throughput_limit .............................................................................................................. 109
metadata_projection_refresh_info................................................................................................... 110
Utilities .................................................................................................................................................. 110
audit_list .......................................................................................................................................... 110
config_add ....................................................................................................................................... 111
config_decrypt ................................................................................................................................. 111
config_del ........................................................................................................................................ 111
config_get ........................................................................................................................................ 112
config_set ........................................................................................................................................ 112
cp_config_list................................................................................................................................... 112
dictionary ......................................................................................................................................... 113



explain ............................................................................................................................................. 113
feedconfig_list ................................................................................................................................. 114
feedtest ............................................................................................................................................ 115
get_attrfeed_options ....................................................................................................................... 115
freqdata ........................................................................................................................................... 115
frequency ......................................................................................................................................... 116
get_udata ........................................................................................................................................ 116
set_udata ......................................................................................................................................... 116
getitemid .......................................................................................................................................... 117
getitemname.................................................................................................................................... 117
hourdata .......................................................................................................................................... 118
ipaddr_verifier .................................................................................................................................. 118
isexist .............................................................................................................................................. 119
jcheck_ip_range .............................................................................................................................. 119
jconfig_get ....................................................................................................................................... 119
mysql_info ....................................................................................................................................... 120
logger .............................................................................................................................................. 120
login ................................................................................................................................................. 120
logout ............................................................................................................................................... 121
prfm_verify ....................................................................................................................................... 121
ticker ................................................................................................................................................ 121
verifier .............................................................................................................................................. 121
whoami ............................................................................................................................................ 122
check_tables ................................................................................................................................... 122
countries_get ................................................................................................................................... 122
cphealth ........................................................................................................................................... 122
cphealth_clear ................................................................................................................................. 123
decoder_info_get............................................................................................................................. 123
dns_alert_data................................................................................................................................. 123
pcap_getalertinfo ............................................................................................................................. 124
pcap_getfile ..................................................................................................................................... 124
pcap_parse...................................................................................................................................... 124
repair_tables .................................................................................................................................... 125
repair_status .................................................................................................................................... 125
retention_add .................................................................................................................................. 126
retention_del.................................................................................................................................... 126



retention_list .................................................................................................................................... 126
sconf_compat_decrypt .................................................................................................................... 127
sconf_compat_encrypt .................................................................................................................... 127
about_info ........................................................................................................................................ 127
malware_types_get ......................................................................................................................... 127
file_malware_check ......................................................................................................................... 128
diskspace ........................................................................................................................................ 128
gui_usage ........................................................................................................................................ 128
taxii_discovery ................................................................................................................................. 129
tip_discovery ................................................................................................................................... 130
CHAPTER 2 USER MANAGEMENT ................................................................................................................. 132
useradm_list .................................................................................................................................... 132
useradm_edit................................................................................................................................... 132
useradm_del.................................................................................................................................... 133
ldap_profile_adm_list ...................................................................................................................... 133
ldap_profile_adm_edit ..................................................................................................................... 133
ldap_profile_adm_del ...................................................................................................................... 134
rt_profile_adm_list ........................................................................................................................... 134
rt_profile_adm_edit.......................................................................................................................... 134
rt_profile_adm_del........................................................................................................................... 135
license_user .................................................................................................................................... 135
user_list ........................................................................................................................................... 135
update_account ............................................................................................................................... 136
pw_expire_warning ......................................................................................................................... 136
useradm_group_edit ....................................................................................................................... 136
CHAPTER 4 SENSOR MANAGEMENT ............................................................................................................. 137
sensoradm_list ................................................................................................................................ 137
sensoradm_edit ............................................................................................................................... 137
sensoradm_del ................................................................................................................................ 138
sensoradm_linkcollector .................................................................................................................. 138
sensoradm_cp_ip ............................................................................................................................ 138
sensormgr_addtok........................................................................................................................... 139
sensormgr_rmtok ............................................................................................................................ 139
sensormgr_gettok............................................................................................................................ 139
sensormgr_setlicmode .................................................................................................................... 140
sensormgr_update .......................................................................................................................... 140



sensor_alert_count .......................................................................................................................... 140
sandbox_list .................................................................................................................................... 141
sandbox_info ................................................................................................................................... 141
CHAPTER 5 COLLECTOR MANAGEMENT ....................................................................................................... 142
collectoradm_list.............................................................................................................................. 142
collector_failover_create ................................................................................................................. 142
collector_failover_get ...................................................................................................................... 142
CHAPTER 6 HIERARCHICAL MANAGER ......................................................................................................... 143
mom_add_cp................................................................................................................................... 143
mom_reg_cp ................................................................................................................................... 143
mom_unreg_cp ............................................................................................................................... 143
mom_rm_cp .................................................................................................................................... 144
mom_update_cp.............................................................................................................................. 144
mom_config_cp ............................................................................................................................... 144
mom_list_cps .................................................................................................................................. 145
mom_add_task ................................................................................................................................ 145
mom_get_logs ................................................................................................................................. 145
mom_get_stat.................................................................................................................................. 146
CHAPTER 7 MISCELLANEOUS....................................................................................................................... 147
Configuration Backup and Restore ....................................................................................................... 147
backup ............................................................................................................................................. 147
backup_download ........................................................................................................................... 147
restore ............................................................................................................................................. 148
restore_check .................................................................................................................................. 148
restore_sync .................................................................................................................................... 149



Preface
This guide describes a programmer's interface to the Fidelis Network® CommandPost console to monitor
and manage security alerts, to configure sensors, and to create and maintain users.

This guide contains the following chapters:

• Chapter 1 Introduction provides an overview of the Fidelis Network API and describes
conventions and guidelines for application programmers.

• Chapter 2 Data Access describes the API specification that affects data.

• Chapter 3 User Management describes the user API.

• Chapter 4 Sensor Management describes the sensor API.

• Chapter 5 Collector Management describes the Collector API.

• Chapter 6 Hierarchical Management describes the API for Master and Subordinate
CommandPosts.

• Chapter 7 Miscellaneous describes the API for configuration options.

Intended Audience
This guide is intended for application programmers who want to create an external programmatic
interface to data stored by CommandPost. The guide assumes that the programmer is familiar with
CommandPost operations and capabilities.

Available Guides
In addition to this Application Programmer’s Interface, the following guides are also available:

• The User Guide describes the CommandPost console and how to use it to configure sensors
and to manage alerts by the included GUI. This guide also provides instructions on managing
users and their credentials.

• The Guide to Creating Policies describes how to define policies and the rules and fingerprints
that policies contain.

• The Enterprise Setup and Configuration Guide describes how to install and configure Fidelis
Network hardware.

• Release Notes are updated with each release to provide information about new features, major
changes, and corrected bugs.



Technical Support
For all technical support related to this product, check with your site administrator to determine support
contract details. Contact your reseller or if you have a direct support contract, contact Fidelis Security
Technical Support at:

Web: https://support.fidelissecurity.com
Email: [email protected]



Chapter 1 Introduction
The Fidelis API provides an interface for integrating CommandPost with external systems. By using this
API, a programmer can perform all data access and manipulation functions that are available through the
GUI. For information on the GUI capabilities, refer to the User Guide.

Using the API


The API presented here is used by Fidelis CommandPost internal communications between the data
storage subsystem and the Graphical User Interface (GUI). External systems may access the functions
presented here by secure http access to the CommandPost using a structured URL:

https://<commandpost>/query/<cgi_name>.cgi?user=<username>&pass=<password>&<param>=<value>&<param>=<value>&.....&<param>=<value>

where:
<commandpost> is replaced by the host name or IP address of your local CommandPost.
<cgi_name> is replaced by the CGI function name presented in this document.
<param> is replaced by a function parameter name.
<value> is replaced by the appropriate value for the parameter.

Every CGI call requires authentication, as described in Authentication.

The output of each CGI is an ASCII text stream. A header is provided along with tab-separated data. The
data is provided per function.

Authentication
Each CGI call must include user authentication. There are two methods available to provide user
credentials:
• user name - password pair: as shown in the example above. The user name must match a valid
CommandPost user. All user roles and assignments affecting access rights will be enforced.

• uid: You may provide user name and password to the login function, which will return a unique
value for the user. This value will remain valid as long as the user name and password remain
valid. Once this uid is retrieved, it may be used instead of the user name – password pair.

Each CGI call requires permission to execute, as described in this document. The permissions are tied to
the user whose credentials are provided. Using the default admin user credentials will provide full access
to the API functions. Other users may be created by the default admin user; those users may have
restrictions applied per API call.

Usage Notes
All CGI calls will be tracked by the CommandPost Audit function. Programmers and auditors may track
the actions of external accesses by monitoring the Audit page on CommandPost.



Alert ID: Alerts are enumerated two ways in CommandPost, by alert ID and by alert UUID. The UUID is a
unique identifier of alerts, while the alert ID is a shorter and easier to use autoincrement number that is
only unique on a single CommandPost. The UUID is preserved across export and import of alerts, while
the alert ID is not. For convenience, all API calls that accept an alert ID through the --alert_id
parameter will also accept an alert UUID as the value of the --alert_id parameter.

The CGI output will be URL encoded, as specified in the description of each function.

An external script may utilize command-line http functions to perform CommandPost access. For
example, curl or wget may be utilized within Linux scripts. The choice of function and securing the
interface between CommandPost and the external system, is left to the API developer.

Example:

wget -d --secure-protocol=auto --no-check-certificate "https://hostname/query/fps_put.cgi?user=username&pass=password&name=TestLanguage&data=%23+FSS+Keyword-in-Context%0A%23+name%3A+TestLanguage%0A%23+comments%3A+Test+Language%0A%23+threshold%3A+9%0A%0A%23score++maxrepeat+++string%0Anc++5+++2+++'%2C.40%23%24%25%5E%26*()%2C%5Ct%5Cn" -O test

Note that the data field is a urlencoded string to handle special characters.

Document Conventions
The Fidelis API Specification is presented by functional group. Within each functional group, each CGI is
presented with all available options. The description is provided in four key sections, per CGI:

• SUMMARY: CGI summary description

• PERMISSIONS: permissions required, if any

Unless otherwise stated, all CGIs enforce authorized sensors and CGIs that retrieve alert
information enforce authorized groups. Further restrictions based on the user’s roles are
delineated on a per CGI basis.

• Restrictions are presented by system function and access rights, for example: tcklst >= MODIFY.

The API supports the following system functions: dshbrd, alrts, tcktlst, alrtq, qrntn, plcys, rprts,
sysadm, usradm, audit. Each function has a value of NONE (no access), VIEW (read-only
access), or MODIFY (full access). Values are enumerated such that MODIFY > VIEW > NONE.

Roles are defined with a value per system function. Each user is assigned to one role.



• OUTPUT: All CGI output is presented by a structured header providing meta-data information
about the type and amount of data, plus return codes. Following the header is an ordered, tab-
separated list of column names for formatted output, followed by tab-separated data.

Each CGI will present one of three possible headers:

‒ The standard header has the format:

Status: 200 OK
Content-type: text/tab-separated-values
Content-disposition: filename=”cgi_name.tsv”
x-rows: N

N is the number of rows in the result set.

‒ The summary header has the format:

Status: 200 OK
Content-type: text/tab-separated-values
Content-disposition: filename=”cgi_name.tsv”
x-rows: N
f-rows: X : Y

X is the ID of the source of the result (0 = an event list, 1 = a search result, 2 = a query
result). Y is the total number of rows found.

‒ The error header has the format:

Status: 400 ERROR
Content-type: text/plain

Error Message (Ex. "Invalid Parameter")

The description of each CGI provides the column names for the data that follows the header.

• DETAIL: additional details relevant to the use of the CGI.

Option 1 name        Option 1 description
…                    …
Option x name        Option x description
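The URL structure from Using the API and the three header shapes from OUTPUT, as a small client helper. This is an added example, not Fidelis code; it assumes (the page does not state it) that the login value is passed as a parameter named "uid" and that the header is separated from the tab-separated body by one blank line, as in CGI output generally. The host, credentials, column names and sample reply are constructed.

```python
"""Added example (not Fidelis code): build a CommandPost CGI URL and parse the
header + tab-separated reply described in the API guide.
Assumptions: the login value is sent as "uid"; header and body are separated by
one blank line. Host, credentials and the sample replies are constructed."""
from typing import Dict, Optional
from urllib.parse import urlencode

# f-rows source IDs as listed under the summary header
SOURCE_NAMES = {0: "event list", 1: "search result", 2: "query result"}


class CgiError(Exception):
    """Raised for the error header (Status: 400 ERROR) or a malformed reply."""


def build_cgi_url(commandpost: str, cgi_name: str, params: Dict[str, str],
                  user: Optional[str] = None, password: Optional[str] = None,
                  uid: Optional[str] = None) -> str:
    """Build https://<commandpost>/query/<cgi_name>.cgi?<auth>&<param>=<value>...

    Either a user/pass pair or a uid from the login function is required, the
    two authentication methods the guide allows. urlencode() percent-encodes
    every value, so a data field containing '#', newlines or quotes survives
    intact, as in the fps_put.cgi example.
    """
    if uid:
        auth = {"uid": uid}  # assumed parameter name
    elif user and password:
        auth = {"user": user, "pass": password}
    else:
        raise ValueError("a user/pass pair or a uid is required")
    return f"https://{commandpost}/query/{cgi_name}.cgi?" + urlencode({**auth, **params})


def parse_cgi_response(raw: str) -> Dict:
    """Parse a CGI reply into header fields, column names and row dicts.

    Handles the standard header (x-rows), the summary header (x-rows plus
    f-rows "X : Y") and the error header (Status: 400 ERROR, plain-text message).
    The row count is cross-checked against x-rows so a truncated body is caught.
    """
    header_text, _, body = raw.partition("\n\n")
    headers: Dict[str, str] = {}
    for line in header_text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    status = headers.get("status", "")
    if not status.startswith("200"):
        # Error header: the body carries the error message
        raise CgiError(body.strip() or status or "no Status header")
    result: Dict = {"status": status, "rows": int(headers.get("x-rows", "0")),
                    "source": None, "total": None, "columns": [], "data": []}
    if "f-rows" in headers:
        src, total = (part.strip() for part in headers["f-rows"].split(":", 1))
        result["source"] = SOURCE_NAMES.get(int(src), f"unknown ({src})")
        result["total"] = int(total)
    lines = [ln for ln in body.splitlines() if ln != ""]
    if lines:
        # First body line is the ordered, tab-separated list of column names
        result["columns"] = lines[0].split("\t")
        for row in lines[1:]:
            cells = row.split("\t")
            if len(cells) != len(result["columns"]):
                raise CgiError(f"malformed row: {row!r}")
            result["data"].append(dict(zip(result["columns"], cells)))
    if len(result["data"]) != result["rows"]:
        raise CgiError(f"x-rows says {result['rows']} but {len(result['data'])} rows received")
    return result


# Constructed sample replies (not captured CommandPost output)
SAMPLE_REPLY = (
    "Status: 200 OK\n"
    "Content-type: text/tab-separated-values\n"
    'Content-disposition: filename="example.tsv"\n'
    "x-rows: 2\n"
    "f-rows: 1 : 57\n"
    "\n"
    "alert_id\tseverity\tsrc_ip\n"
    "1001\thigh\t10.0.0.5\n"
    "1002\tlow\t10.0.0.9\n"
)
SAMPLE_ERROR = "Status: 400 ERROR\nContent-type: text/plain\n\nInvalid Parameter\n"

if __name__ == "__main__":
    print(build_cgi_url("commandpost.example", "fps_put", {"name": "TestLanguage"},
                        user="apiuser", password="s3cret"))
    parsed = parse_cgi_response(SAMPLE_REPLY)
    print(parsed["rows"], "of", parsed["total"], "rows from", parsed["source"])
    for row in parsed["data"]:
        print(row)
```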

Deprecated Functions
Some functions are noted as deprecated. These functions are operational but have been replaced by
other functions. They will be functional in the current version of the API but are expected to be removed in
future releases.



Available Logs for the API Programmer
CommandPost provides a log of all CGI functions performed. The FSS/log/CGI.log file exists by default
and logs all of the CGI related calls without any additional user interaction.

The log file can be useful to understand the functions available. A common use is to perform functions by
using the GUI while monitoring the log file to note which functions are called.

Note: the log file does not include the authentication inputs (user name, password, and uid), which must
be added. In addition, for security purposes, some input values are changed and the name of each
function lacks the required .cgi extension. Therefore, functions listed in the log cannot be executed
directly.

Guidelines for the API Programmer


Fidelis supports the described API for the noted software version only. Future releases of Fidelis software
and the API will include interface changes including, but not limited to, the addition or removal of
functions, changes to function outputs, and changes to input options and parameters.

Fidelis expects the API changes to be minor from one release to another; however, the API programmer
should review release notes and API descriptions before upgrading to a new release of Fidelis software.



Chapter 1 Data Access
Search & Filter
Preamble
Description: Fidelis CGIs share a common interface for searching and filtering alerts. The options for
search/filter parameters are listed here. The CGIs utilizing this facility are noted in their respective details.

Searching for alert content is available in three modes: search, filter, and query. In all three modes text
matching is case-insensitive. Search provides an inexact match over a specific alert field. Filter provides
an exact match of a specific alert field. Query allows for the input of multiple fields where an inexact
match is applied to each. An alert must meet all specified fields to match the query.

Search: Inputs are --search_field and --search_text, allowing the user to select a column over which the
data will be matched with the search_field parameter. The table below lists all possible search fields. The
data to match against is supplied with the search_text parameter. The search text supports single or
multiple search terms which can be simple or complex string matches. The format before URL encoding
is the same as in the web interface for searching alerts.

Metadata access differs from alert data access in the way the search_text parameter is used. Its behavior
is not modified by the search_field parameter, but by the metadata_json flag. If metadata_json is not
provided, the format is a space-delimited list of filters. Each filter consists of a column, operator, and
value. The following operators are supported: >, <, =, !=, !=~, ~, !~. These operators are described in the
Metadata > Explore > Advanced Search section of the Fidelis User's Guide.

To see how this is used, consider specifying all metadata since 09:50:32, Feb 10, 2015. Without the
metadata_json flag, this would be Timestamp>2015-02-10 09:50:32. Each value must then be URL
encoded. Additionally, to pass this filter to the search_text parameter, the entire parameter list must be
URL encoded. This results in the value portion of the filter being double-encoded:

search_text%3DTimestamp%3E2015-02-10%252009%253A50%253A32

To see all instances of the file notthere.html being transferred over HTTP from 09:50:32 to 13:00 on Feb
10, 2015, use spaces as the logical AND operator to join the filters together:
Timestamp>2015-02-10%2009%3A50%3A32 Timestamp<2015-02-10%2013%3A00%3A00 Filename=notthere.html Protocol=HTTP
To pass all of these filters to the search_text parameter, they must be URL encoded together so that the
spaces no longer appear:

search_text%3DTimestamp%3E2015-02-10%252009%253A50%253A32%20Timestamp%3C2015-02-10%252013%253A00%253A00%20Filename%3Dnotthere.html%20Protocol%3DHTTP

Searching without the metadata_json flag only allows filters to be joined together using the AND operator.
Combining filters with the logical OR operator requires the use of the metadata_json flag. When the
flag is specified, the above searches become:

search_text={"composite":{"filters":[{"simple":{"column":"Timestamp","operator":">","value":"2015-02-10%2009%3A50%3A32"}}]}}

with a URL encoding of

search_text%3D%7B%22composite%22%3A%7B%22filters%22%3A%5B%7B%22simple%22%3A%7B%22column%22%3A%22Timestamp%22%2C%22operator%22%3A%22%3E%22%2C%22value%22%3A%222015-02-10%252009%253A50%253A32%22%7D%7D%5D%7D%7D

and

search_text={"composite":{"logic":"and","filters":[{"simple":{"column":"Timestamp","operator":">","value":"2015-02-10+09%3A50%3A32"}},{"simple":{"column":"Timestamp","operator":"<","value":"2015-02-10%2013%3A00%3A00"}},{"simple":{"column":"Protocol","operator":"=","value":"HTTP"}},{"simple":{"column":"Filename","operator":"=","value":"notthere.html"}}]}}

with a URL encoding of

search_text%3D%7B%22composite%22%3A%7B%22logic%22%3A%22and%22%2C%22filters%22%3A%5B%7B%22simple%22%3A%7B%22column%22%3A%22Timestamp%22%2C%22operator%22%3A%22%3E%22%2C%22value%22%3A%222015-02-10%2B09%253A50%253A32%22%7D%7D%2C%7B%22simple%22%3A%7B%22column%22%3A%22Timestamp%22%2C%22operator%22%3A%22%3C%22%2C%22value%22%3A%222015-02-10%252013%253A00%253A00%22%7D%7D%2C%7B%22simple%22%3A%7B%22column%22%3A%22Protocol%22%2C%22operator%22%3A%22%3D%22%2C%22value%22%3A%22HTTP%22%7D%7D%2C%7B%22simple%22%3A%7B%22column%22%3A%22Filename%22%2C%22operator%22%3A%22%3D%22%2C%22value%22%3A%22notthere.html%22%7D%7D%5D%7D%7D

Even in the simplest case, the root of the JSON object must be "composite", which consists of two
attributes: "logic" and "filters". The value of the "logic" attribute must be either "and" or "or", corresponding
to the logical operators AND and OR respectively. The default for "logic" is "and", so if it is omitted, the
filters will be combined using the AND operator as in the space-delimited search above without the
metadata_json flag. The value of the "filters" attribute must be a list consisting of elements that are either
"simple" or another "composite". A "simple" element consists of three attributes: "column", "operator", and
"value". These are the same as the column, operator, and value above without the metadata_json flag
except all operators listed in the Metadata > Explore > Advanced Search section of the Fidelis User's
Guide are supported.

With the JSON format, filters can be combined using arbitrary logical AND/OR combinations. This allows
for more flexible searches. For example, the following restricts the above search to transactions involving
the United States:

search_text={"composite":{"logic":"and","filters":[{"simple":{"column":"Timestamp","operator":">","value":"2015-02-10+09%3A50%3A32"}},{"simple":{"column":"Timestamp","operator":"<","value":"2015-02-10%2013%3A00%3A00"}},{"simple":{"column":"Protocol","operator":"=","value":"HTTP"}},{"simple":{"column":"Filename","operator":"=","value":"notthere.html"}},{"composite":{"logic":"or","filters":[{"simple":{"column":"ClientCountry","operator":"=","value":"United%20States"}},{"simple":{"column":"ServerCountry","operator":"=","value":"United%20States"}}]}}]}}

with a URL encoding of

search_text%3D%7B%22composite%22%3A%7B%22logic%22%3A%22and%22%2C%22filters%22%3A%5B%7B%22simple%22%3A%7B%22column%22%3A%22Timestamp%22%2C%22operator%22%3A%22%3E%22%2C%22value%22%3A%222015-02-10%2B09%253A50%253A32%22%7D%7D%2C%7B%22simple%22%3A%7B%22column%22%3A%22Timestamp%22%2C%22operator%22%3A%22%3C%22%2C%22value%22%3A%222015-02-10%252013%253A00%253A00%22%7D%7D%2C%7B%22simple%22%3A%7B%22column%22%3A%22Protocol%22%2C%22operator%22%3A%22%3D%22%2C%22value%22%3A%22HTTP%22%7D%7D%2C%7B%22simple%22%3A%7B%22column%22%3A%22Filename%22%2C%22operator%22%3A%22%3D%22%2C%22value%22%3A%22notthere.html%22%7D%7D%2C%7B%22composite%22%3A%7B%22logic%22%3A%22or%22%2C%22filters%22%3A%5B%7B%22simple%22%3A%7B%22column%22%3A%22ClientCountry%22%2C%22operator%22%3A%22%3D%22%2C%22value%22%3A%22United%2520States%22%7D%7D%2C%7B%22simple%22%3A%7B%22column%22%3A%22ServerCountry%22%2C%22operator%22%3A%22%3D%22%2C%22value%22%3A%22United%2520States%22%7D%7D%5D%7D%7D%5D%7D%7D
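The double encoding walked through above, in code. This is an added example, not code from the guide or from Fidelis: it applies urllib.parse.quote once to each filter value and a second time to the whole search_text assignment, builds the metadata_json form with json.dumps, and reproduces the guide's encoded strings for the single-filter and the four-filter space-delimited searches. Spaces are encoded as %20 throughout (the guide's JSON examples write the first timestamp's space as '+', the form-encoded equivalent), and the nested AND/OR country example is rebuilt as a structure rather than compared byte for byte.

```python
"""Build and double-encode search_text for Fidelis metadata searches."""
import json
from typing import Dict, List, Optional, Tuple
from urllib.parse import quote, unquote

Filter = Tuple[str, str, str]  # (column, operator, raw value), value not yet encoded

# Filters from the guide's worked example (raw values, before any encoding).
SINCE = ("Timestamp", ">", "2015-02-10 09:50:32")
UNTIL = ("Timestamp", "<", "2015-02-10 13:00:00")
FILE = ("Filename", "=", "notthere.html")
PROTO = ("Protocol", "=", "HTTP")


def enc(value: str) -> str:
    """First encoding pass, applied to each filter value (space -> %20, ':' -> %3A)."""
    return quote(value, safe="")


def space_delimited(filters: List[Filter]) -> str:
    """search_text without metadata_json: filters joined by spaces, AND only."""
    return " ".join(f"{col}{op}{enc(val)}" for col, op, val in filters)


def simple(col: str, op: str, val: str) -> Dict:
    """A 'simple' element of the metadata_json form; the value is encoded once."""
    return {"simple": {"column": col, "operator": op, "value": enc(val)}}


def composite(filters: List[Dict], logic: Optional[str] = None) -> Dict:
    """A 'composite' element; logic is "and" or "or", omitted means "and"."""
    if logic is not None and logic not in ("and", "or"):
        raise ValueError("logic must be 'and' or 'or'")
    body: Dict = {}
    if logic is not None:
        body["logic"] = logic
    body["filters"] = filters
    return {"composite": body}


def json_search_text(obj: Dict) -> str:
    return json.dumps(obj, separators=(",", ":"))


def wire_encode(search_text: str) -> str:
    """Second encoding pass over the whole assignment; values end up double-encoded."""
    return quote("search_text=" + search_text, safe="")


def decode_wire(encoded: str) -> Dict:
    """Undo only the outer pass and parse the JSON; values stay singly encoded."""
    text = unquote(encoded)
    if not text.startswith("search_text="):
        raise ValueError("not a search_text assignment")
    return json.loads(text[len("search_text="):])


def example_space() -> str:
    """The four-filter AND search without the metadata_json flag."""
    return wire_encode(space_delimited([SINCE, UNTIL, FILE, PROTO]))


def example_json_single() -> str:
    """The single Timestamp filter in metadata_json form (logic omitted = AND)."""
    return wire_encode(json_search_text(composite([simple(*SINCE)])))


def example_json_nested() -> str:
    """The same four filters ANDed with an OR over client/server country."""
    either_us = composite(
        [simple("ClientCountry", "=", "United States"),
         simple("ServerCountry", "=", "United States")], "or")
    query = composite(
        [simple(*SINCE), simple(*UNTIL), simple(*PROTO), simple(*FILE), either_us], "and")
    return wire_encode(json_search_text(query))


if __name__ == "__main__":
    print(example_space())
    print(example_json_single())
    print(decode_wire(example_json_nested()))
```

Keeping the two passes in separate functions is the point: a client that encodes only once sends the literal space and colon inside the value, and a client that encodes the JSON and then its values again produces triple-encoded timestamps that match nothing.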

Filter: Inputs are the column name and a value. For example: --aproto=http. The available columns for
filters are provided in the table below. For an alert to match, the data must be an exact match of the value
provided to the CGI. In some cases an ID is provided in addition to a text field. For performance reasons,
it is always preferable to filter based on the ID and not the string.

Query (or Advanced Search): Set --search_field=query, and supply data fields (query_data, query_extra,
msgtxt, query_to, query_from, query_src_resolved, query_dst_resolved, query_any_resolved,
query_ticket, query_user, query_subject, query_filename, query_malware_name, query_malware_type,
query_owner, query_target). These will perform a case-insensitive partial-string match search. The
description of what each data field search string searches over can be found in the table below. If you
supply more than one field, the search will find alerts that match all conditions. Example:
--search_field=query --query_data="search string" --query_extra="attributes"

Limits: In all modes alerts can be further filtered based on dates and alert ID (or alert UUID) input values.
Refer to the Limits section of the table below.

Inputs for all modes can be supplied simultaneously. Therefore, you can perform exact match (filter) on
some fields, inexact match on others (search or query) and bound the results by alert or time-based limits.
For the case of filtering on IP addresses, there is a priority of which filters are actually used if multiple
parameters are specified. The order is as follows:

1. pairaddr1 and pairaddr2
2. anyip
3. srcaddr or dstaddr or hstaddr

Options
Search

search_field Set search field to a value listed in this table

search_text Set search_text to the value to be searched. Any alert where the specified search_field
contains an inexact, case-sensitive match of the value will be returned. Refer to Fidelis
User's Guide for caveats in how search_text can be supplied

alert_id alert ID (or UUID) number

uuid alert Universally Unique ID number

action the alert action

data forensic data

metadata channel attributes

protocol protocol

rule rule name



policy policy name

msg alert summary

group group name

srcip Formats:
list: 10.1.1.1,10.1.1.2,10.1.1.5
range: 10.1.1.1:10.1.1.7
subnet mask: 10.1.1.1/24
mask range: 10.1.1.1/10.1.1.7 (works same as range notation)

dstip Formats:
list: 10.1.1.1,10.1.1.2,10.1.1.5
range: 10.1.1.1:10.1.1.7
subnet mask: 10.1.1.1/24
mask range: 10.1.1.1/10.1.1.7 (works same as range notation)

hstip Formats:
list: 10.1.1.1,10.1.1.2,10.1.1.5
range: 10.1.1.1:10.1.1.7
subnet mask: 10.1.1.1/24
mask range: 10.1.1.1/10.1.1.7 (works same as range notation)

anyip Formats:
list: 10.1.1.1,10.1.1.2,10.1.1.5
range: 10.1.1.1:10.1.1.7
subnet mask: 10.1.1.1/24
mask range: 10.1.1.1/10.1.1.7 (works same as range notation)

sport Source port

dport Destination port

anyport Either the source or destination port

resolved_src Search over fully qualified source domain names

resolved_dst Search over fully qualified destination domain names

src_country The country associated with the Source IP Address

dst_country The country associated with the Destination IP Address

any_country The country associated with either the Source or Destination IP Address

fss_to email address To

fss_from email address From

subject email subject

proto_user user name extracted from decoders



filename filename that triggered the alert

filetype type of file that triggered the alert

target The target (destination) of the information.

tg_exist Execution Forensics exists. Accepts yes or no only.

owner user name of the Alert ticket owner

resolved search over fully qualified domain names for both source and destination

ticket The subject line and comments of Alert tickets

ticket_header The subject line of an Alert ticket

ticket_content The comments of an Alert ticket

malware_type malware type, see the list produced by malware_types_get.cgi

malware_name malware name

md5 MD5 of file

Filter

aac_id adaptive alert cluster ID number, as shown on Radar

alert_id alert ID (or UUID) number

uuid alert Universally Unique ID number

rule_name rule name

msg_id rule ID number

policy policy name

policy_id policy ID number

group group name

group_id group ID number

aproto application protocol

aproto_id application protocol ID number



filetype type of file that triggered the alert

filetype_id filetype ID number

action The alert action

fqdn fully qualified domain names

sensor_id sensor ID number

msg alert summary

msgtext_id alert summary ID number

srcaddr Formats:
list: 10.1.1.1,10.1.1.2,10.1.1.5
range: 10.1.1.1:10.1.1.7
subnet mask: 10.1.1.1/24
mask range: 10.1.1.1/10.1.1.7 (works same as range notation)

dstaddr Formats:
list: 10.1.1.1,10.1.1.2,10.1.1.5
range: 10.1.1.1:10.1.1.7
subnet mask: 10.1.1.1/24
mask range: 10.1.1.1/10.1.1.7 (works same as range notation)

hstaddr Formats:
list: 10.1.1.1,10.1.1.2,10.1.1.5
range: 10.1.1.1:10.1.1.7
subnet mask: 10.1.1.1/24
mask range: 10.1.1.1/10.1.1.7 (works same as range notation)

anyaddr Formats are same as shown for srcaddr and dstaddr. Using anyaddr for filtering will
search both the source and destination addresses for the IP addresses specified.

pairaddr1 These two options are used in conjunction to search alerts for connections between two
pairaddr2 nodes, subnets, etc. The logic used in the search is as follows:

(srcaddr=pairaddr1 AND dstaddr=pairaddr2) OR (srcaddr=pairaddr2 AND dstaddr=pairaddr1)

The fields contain IP addresses in the same formats as described for srcaddr and dstaddr,
so they can contain ranges, masks, etc. This can be used to find alerts that show
communication between two subnets but not within the subnets themselves as an
example.

sport Source port

dport Destination port

anyport Either the source or destination port

src_country The country associated with the Source IP Address



dst_country The country associated with the Destination IP Address

any_country The country associated with either the Source or Destination IP Address

src_flag the country code associated with the source country

dst_flag the country code associated with the destination country

any_flag the country code associated with either the source or destination country

priority alert severity character 1 | 2 | 3 | 4 (low | medium | high | critical)

source_type iptrap | icap | mailer

fss_to email address To

fss_from email address From

subject email subject

proto_user user name extracted from decoders

filename filename that triggered the alert

compr alert compression value

target The target (destination) of the information.

tg_status Execution Forensics status. Accepts Received, NotSubmitted, Pending,
SubmissionFailed, Rejected.

tg_exist Execution Forensics exists. Accepts yes or no only.

tg_score Execution Forensic score.

cb_status Host Monitor status.

user_name user name of the alert ticket owner

user_id user ID number of the alert ticket owner

status status of an alert ticket: character C | N | O (closed | new | open)

resolution resolution of an alert ticket

malware_type malware type, see the list produced by malware_types_get.cgi

md5 MD5 of file



Query

search_field =query

query_data the forensic data

query_extra the metadata, or channel attributes ('extra')

msgtxt the alert summary, or 'message'

query_to email address to

query_from email address from

query_src_resolved fully qualified source domain name

query_dst_resolved fully qualified destination domain name

query_any_resolved fully qualified source or destination domain name

query_user protocol user

query_subject email subject

query_filename filename that triggered the alert

query_malware_name malware name

query_target The target (destination) of the information.

query_ticket Ticket content

Limits

min_alert provide alerts with alert ID number greater than the provided number

max_alert provide alerts with alert ID number less than the provided number

malware provide alerts that have (yes) or don't have (no) associated malwares

sdate Retrieve data between the start and end time. Times are specified in unix timestamp (date
edate +%s) format.
Ex. --sdate `date --date "2011-12-01" +%s` --edate `date --date "2011-12-12" +%s`

last retrieve data for time interval ending now, and starting days:hours:minutes:seconds in the
past
ex. 10:00:00:00 is 10 days, 00:10:00:00 is 10 hours

date Retrieve data for the given date. If combined with --last, retrieve data for the given time
interval ending at midnight on the given date.
YYYY-MM-DD (eg. 2012-04-04)



older_than retrieve data older than the specified time specified in days:hours:minutes:seconds
ex. 10:00:00:00 is 10 days, 00:10:00:00 is 10 hours

last_login provide alerts generated since the last time the user logged in to CommandPost

use_insert_time This is a flag that will make any time based filter (date, last, sdate, edate) apply to the alert
insertion time in the database rather than the alert timestamp. It will speed up the CGI
execution time significantly for large (multi-million) alert databases.

amount number of entries to return in the result set

commandpost IP address of CommandPost(s) that can be specified for retrieving data remotely. For CGI
functions that will allow it, commas separate each IP address

remote_val This is a flag that indicates that name or id values are remote (i.e., meaningful only on a
remote/subordinate component) and should not be translated.
Ignored if no --commandpost parameter is used.

start Starting index to retrieve data from results. If commandpost parameter is specified, then
this needs to be a comma separated list with the same number of entries as were
specified in the same order to match with the associated IP address.
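The time-based limits above (sdate/edate as unix timestamps, last and older_than as days:hours:minutes:seconds, date as YYYY-MM-DD) worked through in code. This is an added example, not code from the guide or from Fidelis. It assumes UTC midnight for the sdate/edate conversion (the guide's `date +%s` example uses the shell's local time zone instead), and it sends use_insert_time with the value "1", which is an assumption: the guide only says it is a flag.

```python
"""Time-limit parameters for the alert CGIs: sdate/edate, last, older_than, date."""
import calendar
from datetime import datetime, timedelta
from typing import Dict, Optional
from urllib.parse import urlencode

SECONDS_PER_DAY = 86400


def unix_midnight_utc(day: str) -> int:
    """Unix timestamp for 00:00:00 UTC of an ISO date (YYYY-MM-DD).
    UTC counterpart of `date --date "YYYY-MM-DD" +%s` (assumption: the shell
    command uses the local zone; pin one zone so sdate/edate are reproducible)."""
    dt = datetime.strptime(day, "%Y-%m-%d")
    return calendar.timegm(dt.timetuple())


def interval(days: int = 0, hours: int = 0, minutes: int = 0, seconds: int = 0) -> str:
    """Format a duration as days:hours:minutes:seconds for --last and --older_than,
    normalising overflow (36 hours -> 01:12:00:00)."""
    total = int(timedelta(days=days, hours=hours, minutes=minutes,
                          seconds=seconds).total_seconds())
    if total < 0:
        raise ValueError("interval must not be negative")
    d, rem = divmod(total, SECONDS_PER_DAY)
    h, rem = divmod(rem, 3600)
    m, s = divmod(rem, 60)
    return f"{d:02d}:{h:02d}:{m:02d}:{s:02d}"


def date_range_params(sdate: str, edate: str, use_insert_time: bool = False) -> Dict[str, str]:
    """sdate/edate pair from two ISO dates; an inverted range is rejected here
    rather than sent to the CGI. Value "1" for use_insert_time is an assumption."""
    start, end = unix_midnight_utc(sdate), unix_midnight_utc(edate)
    if end < start:
        raise ValueError("edate is before sdate")
    params = {"sdate": str(start), "edate": str(end)}
    if use_insert_time:
        params["use_insert_time"] = "1"
    return params


def last_params(days: int = 0, hours: int = 0, ending_on: Optional[str] = None) -> Dict[str, str]:
    """--last interval ending now, or ending at midnight of --date when given."""
    params = {"last": interval(days=days, hours=hours)}
    if ending_on is not None:
        datetime.strptime(ending_on, "%Y-%m-%d")  # validate YYYY-MM-DD before sending
        params["date"] = ending_on
    return params


def older_than_params(days: int = 0, hours: int = 0) -> Dict[str, str]:
    return {"older_than": interval(days=days, hours=hours)}


def query_string(params: Dict[str, str]) -> str:
    """Query-string form of the limit parameters, URL-encoded once."""
    return urlencode(params)


if __name__ == "__main__":
    print(query_string(date_range_params("2011-12-01", "2011-12-12", use_insert_time=True)))
    print(query_string(last_params(days=10)))
    print(query_string(last_params(hours=10, ending_on="2012-04-04")))
```

On a large alert database the use_insert_time flag is the one to reach for first: the guide notes it makes every time-based limit apply to the insertion time, which is considerably faster than filtering on the alert timestamp.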

Access Controls
Access to information is controlled by user access controls. The functions in this section are used to
retrieve and modify user access controls.

alerts_change_group
Description DEPRECATED Reassigns alerts to a group.

Parameters alert_id Comma separated list of alert ID's
If alert ID not provided, then this CGI will use Search & Filter
parameters.

ch_group_id Group ID REQUIRED

yes REQUIRED

Permissions Requires tcktlst >= MODIFY

Header Format Standard Header

Output "OK" on success



groupadm_list
Description DEPRECATED Provides a list of groups, with users and rules assignments.

Permissions requires usradm >= VIEW or sysadm >= VIEW or cpadm >= VIEW or plcys >= VIEW or
tcktlst >= VIEW

Header Format Standard Header

Output Data Fields: id, urlencoded(name), urlencoded(desc), urlencoded(email), urlencoded(tab
separated list of urlencoded(user)), num_alerts, urlencoded(tab separated list of
urlencoded(rule)), editable, deleteable

groupadm_edit
Description DEPRECATED Create or modify a group.

Parameters descr Group description

email Group email address

name Group name REQUIRED

Permissions Requires usradm >= MODIFY

Header Format Standard Header

Output "OK" on success

groupadm_del
Description DEPRECATED Deletes a group, with user assignments.

Parameters name Group name REQUIRED

Permissions Requires usradm >= MODIFY

Header Format Standard Header

Output "OK" on success

Details Cannot delete a group with alerts still assigned to it or rules still associated with it.



group_list
Description DEPRECATED Provides a list of group descriptions, superseded by groupadm_list

Parameters user_name A value of "me" will return only groups associated with the current
user (optional)

Permissions usradm >= VIEW || sysadm >= VIEW || plcys >= VIEW || alrtq >= VIEW || qrntn >= VIEW
|| tcktlst >= VIEW || mtdts >= VIEW

Header Format Standard Header

Output Data Fields: group_id, group, group_email, group_desc

user_perms
Description DEPRECATED Retrieves permissions matrix for a user

Parameters user_id If user ID is not provided, then the operator's ID is assumed

Permissions Requires usradm >= VIEW

Header Format Standard Header

Output Data Fields: userID, user, tcktlst, alrtq, alrtd, qrntn, plcys, rprts, sysadm, cpadm, usradm,
audit, mtdts, endpt, decpt, decry

roleadm_list
Description DEPRECATED Provides a list of roles, with permission matrix and users assignments.

Permissions Requires usradm >= VIEW or cpadm >= VIEW

Header Format Standard Header

Output Data Fields: id, urlencoded(name), urlencoded(desc), tcktlst, alrtq, alrtd, qrntn, plcys,
rprts, sysadm, cpadm, usradm, audit, endpt, decpt, decry, urlencoded(tab separated list
of urlencoded(users)), system, editable, deleteable, mtdts



roleadm_edit
Description DEPRECATED Creates or modifies an existing role.

Parameters descr Role description

name Role name REQUIRED

params Comma separated list of name-value pairs representing permissions:
tcktlst=#,alrtq=#,qrntn=#,plcys=#,rprts=#,sysadm=#,usradm=#,audit=#,mtdts=#,endpt=#,decpt=#,decry=#
Omission of a permission will default it to 0.

Permissions Requires usradm >= MODIFY

Header Format Standard Header

Output "OK" on success

roleadm_del
Description DEPRECATED Deletes an existing role with users assignments.

Parameters name Role name REQUIRED

Permissions Requires usradm >= MODIFY

Header Format Standard Header

Output "OK" on success

Alerts
The Alerts interface provides access to all alert data, including summarized alert list information and alert
details.

aac_alerts
Description DEPRECATED Provides alert list and search, used by Alerts GUI screen

Parameters Refer to Search & Filter

Permissions alrtq >= VIEW

Header Format Summary Header



Output Data Fields: alertID, fssUUID, userID, time, sensorID, sensor, msgtext_id, message,
msgID, rule, priority, compr, IP_src, srcsort, IP_dst, dstsort, aproto, aprotoID, filetype,
filetypeID, aac_id, sport, dport, srcFQDN, dstFQDN, policyID, policy, groupID, group,
action, src_country, src_country_sort, src_flag, dst_country, dst_country_sort, dst_flag,
fss_to, fss_from, subject, filename, proto_user, target, insert_time, user, status,
resolution, malwareType, malwareName, host_IP, md5, tg_score

Details aac_alerts is used to retrieve a list of alerts. It has three modes of operation: retrieve,
basic search, advanced search.

If no search options are provided, a simple retrieve is performed. For a basic search, the
field to be searched is set with search_field, and the search string is set with
search_text.

Setting search_field="query" triggers an advanced search. Determination of search type
is then performed by evaluating the srchq(query_data), srchex(query_extra),
srchmsg(msgtxt), srch_fss_to(query_to), srch_fss_from(query_from),
srch_subject(query_subject), srch_filename(query_filename),
srch_malware_name(query_malware_name), srch_srslv(query_src_resolved),
srch_drslv(query_dst_resolved), srch_anyrslvadr(query_any_resolved),
srch_ticket(query_ticket) and srch_puser(query_user). If any are populated, then an
advanced search is performed.

aac_alert_session
Description DEPRECATED Shows sesid and rel_sesid of the alert

Parameters alert_id Alert ID REQUIRED

Permissions Requires alrtd >= VIEW

Header Format Standard Header

Output Data Fields: AlertID, SesID, RelSesID

aac_groupby
Description DEPRECATED Provides alert list with counts of grouped columns

Parameters groupby column name(s) used to perform group by REQUIRED
valid options are: user_name, status, resolution, sen_name, msg_text, rule_name,
priority, srcip6, dstip6, aproto, policy_name, group_name, action,
src_country, dst_country, fss_to, fss_from, proto_user, filename, target, compr,
sport, dport, hourtime, daytime, weektime, monthtime, yeartime,
malware_type, malware_name, host_IP, md5, tg_score

type showextra (if specified, show extra columns like lastseen),

Refer to Search & Filter

Permissions alrtq >= VIEW



Header Format Summary Header

Output Data Fields: The column(s) related to the groupby term and the count for each group,
and lastseen timestamp if --type=showextra specified.

Details Operates the same as aac_alerts, providing grouping by type, with counts, and lastseen
timestamp if --type=showextra specified

aac_groupby_dist
Description DEPRECATED Provides count distribution on fields provided, used in conjunction with
aac_groupby

Parameters params column name(s) used to perform group by REQUIRED
valid options are: fssUUID, user, status, resolution, sensor, message, rule, priority,
IP_src, IP_dst, aproto, filetype, policy, group, action, src_country,
dst_country, fss_to, fss_from, proto_user, filename, filetype, target, compr, sport, dport,
malwareType, malwareName, host_IP, md5, tg_score

Refer to Search & Filter

Permissions alrtq >= VIEW

Header Format Summary Header

Output Data Fields: The column(s) related to the params term

aac_ids
Description DEPRECATED Provides list of alert_ids using same search criteria as aac_alerts

Parameters Refer to Search & Filter

Permissions alrtq >= VIEW

Header Format Standard Header

Output Data Fields: alert_id

Details See aac_alerts.



alert_data
Description DEPRECATED Decodes and shows the alert forensic data

Parameters alert_id Alert ID number REQUIRED

Permissions alrtd >= VIEW

Header Format Status: 200 OK
Content-type: text/plain
x-alert_data-length: N
(where N is the size in bytes)

Output Returns the forensic data associated with a particular alert.

alert_highlight
Description DEPRECATED Provides offset information in the alert that can be used for highlighting.

Parameters alert_id Comma separated list of alert ID's REQUIRED

Permissions Requires alrtd >= VIEW

Header Format Standard Header

Output Data Fields: alertid, offsets

The offsets field is in the format fp=group:start-stop; where fp = fingerprint name, group
is the area on the alerts page to be highlighted, start and stop are offsets to be
highlighted within the appropriate group. The groups recognized are:

1) forensic data
2) decoding path
3) attributes
4) source IP
5) dest IP
6) source port
7) dest port
8) session length
9) session timeofday
10) session dayofweek
11) session duration
12) protocol
13) filename
14) source location
15) dest location
16) format data size
17) format type
18) transport client IP
19) transport server IP
20) transport client port
21) transport server port
22) transport client location
23) transport server location
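A parser for the offsets field in the format just described, as an added example (not code from the guide or from Fidelis). It assumes that consecutive entries are separated by the trailing ';' shown in the format, maps the numeric group to the group name from the list above, and rejects unknown groups and malformed entries instead of silently skipping them. The sample offsets string is constructed; test_content_01 is the fingerprint name from the Alertdetailsreport example later in this chapter and geo_rule is a made-up name.

```python
"""Parse the 'offsets' field returned by alert_highlight."""
from typing import Dict, List, NamedTuple

# Highlight groups as numbered in the guide for alert_highlight.
HIGHLIGHT_GROUPS = {
    1: "forensic data", 2: "decoding path", 3: "attributes", 4: "source IP",
    5: "dest IP", 6: "source port", 7: "dest port", 8: "session length",
    9: "session timeofday", 10: "session dayofweek", 11: "session duration",
    12: "protocol", 13: "filename", 14: "source location", 15: "dest location",
    16: "format data size", 17: "format type", 18: "transport client IP",
    19: "transport server IP", 20: "transport client port",
    21: "transport server port", 22: "transport client location",
    23: "transport server location",
}

# Constructed sample: two spans for one fingerprint, one for another.
SAMPLE_OFFSETS = "test_content_01=1:0-14;test_content_01=3:22-30;geo_rule=15:0-13;"


class Highlight(NamedTuple):
    fingerprint: str
    group: str
    start: int
    stop: int


def parse_offsets(offsets: str) -> List[Highlight]:
    """Parse 'fp=group:start-stop;' entries (assumption: ';' separates entries)."""
    result: List[Highlight] = []
    for entry in offsets.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        fp, sep_eq, rest = entry.partition("=")
        group_text, sep_colon, span = rest.partition(":")
        start_text, sep_dash, stop_text = span.partition("-")
        if not (sep_eq and sep_colon and sep_dash):
            raise ValueError(f"malformed highlight entry: {entry!r}")
        group_no = int(group_text)
        if group_no not in HIGHLIGHT_GROUPS:
            raise ValueError(f"unknown highlight group {group_no} in {entry!r}")
        start, stop = int(start_text), int(stop_text)
        if stop < start:
            raise ValueError(f"stop before start in {entry!r}")
        result.append(Highlight(fp, HIGHLIGHT_GROUPS[group_no], start, stop))
    return result


def by_group(highlights: List[Highlight]) -> Dict[str, List[Highlight]]:
    """Group spans by the area of the alert page they apply to."""
    grouped: Dict[str, List[Highlight]] = {}
    for h in highlights:
        grouped.setdefault(h.group, []).append(h)
    return grouped


def is_valid(offsets: str) -> bool:
    """True when every entry parses; used to reject a damaged offsets field."""
    try:
        parse_offsets(offsets)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for group, spans in by_group(parse_offsets(SAMPLE_OFFSETS)).items():
        print(group, [(s.fingerprint, s.start, s.stop) for s in spans])
```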



alert_size
Description DEPRECATED List/purge alerts sorted by data size, large to small

Parameters amount Limit the number of alerts in the results (default 10)

del_alert Purge the listed alerts and their related session and pcap data
(overwrites del_ses)

del_ses Purge only the related data of the listed alerts. Don't delete the
alerts.

kill_ses Purge session/pcap data even if not all alerts that point to it are
being deleted.
You should set this flag to make sure that deleting alerts always
results in removal of stored data.
Must be used with 'del_alert' (it's implied if 'del_ses' is set).

type <session | pcap> : sort by session (default) or pcap size

yes Needed if purging

Permissions Requires alrtq >= VIEW

Header Format Standard Header

Output Data Fields: alert_id, cli_len, srv_len, ses_len

Details Multiple alerts often share the same session/pcap data object.
Deleted data objects won't be reclaimed from the database table they were stored in
until database maintenance has run and 'optimized' that table.
For example, deleting a pcap object will only free up space for storing future pcap
objects until the pcap database table has been optimized.

Alertdetailsreport
Description DEPRECATED Prints alert details

Parameters alert_id Alert ID REQUIRED

params List of sections to output. Allowed values: alertInfo, relatedAlerts, forensicData,
violationInfo, decodingPathandChannelAttributes, malwareInfo. Default: all.

Permissions alrtq >= VIEW || qrntn >= VIEW

Header Format Status: 200 OK
Content-type: application/force-download
Content-Disposition: attachment; filename="event_ID.log"

------------------ EVENT DETAILS (type) ----------------

(where ID is the alert_id, and type is the content data type, either bin or text.
The content data type is stored as alert_data_disptype in the data col of
userdata, which is the GUI's user setting persistent storage)



Output see example below

Example ---------------- EVENT DETAILS (text) ----------------

EVENT # 33
SESSION: recorded
TIME: 2006-08-08 15:12:25
PRIORITY: low
SENSOR: linux04
MESSAGE: name found
PROTOCOL: HTTP
SOURCE: 70.85.116.68 44.74.5546.static.theplanet.com
DESTINATION: 166.91.119.211
SOURCE PORT: 80 www
DEST PORT: 3050
ATTRIBUTES: Decoding Path :HTTP:html
HTTP: Url /
Command GET
UserAgent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host www.addictinggames.com
Connection Keep-Alive
Server Apache
Connection close
Matched on: test_content_01 true
kw 1: count 1
keyword hunter
FORENSIC DATA:

Addicting Games - Free Flash and Java Games
DIRECTION: C->S

alert_threatgrid
Description Resubmit an alert to Sandbox for analysis

Parameters alert_id Alert ID number REQUIRED

params Extra parameter information, such as
'sandbox=192.168.1.100&network=isolated&os=windows11&password=pass123'

Permissions Requires alrtd >= VIEW

Header Format Standard Header

Output "OK" on success



alert_trend
Description DEPRECATED Daily alert trend stats

Parameters type 0:alert count (default), 1:event count

Permissions Requires alrtq >= VIEW

Header Format Standard Header

Output Data Fields: date, prioC_cnt, prioH_cnt, prioM_cnt, prioL_cnt

aprotolist
Description DEPRECATED Lists current application protocol ID's/names

Permissions None

Header Format Standard Header

Output Data Fields: aprotoID, aproto

categorylist
Description DEPRECATED Lists current policy category ID's/names

Permissions Requires plcys >= VIEW || qrntn >= VIEW || alrtq >= VIEW || mtdts >= VIEW

Header Format Standard Header

Output Data Fields: polID, policy

eventreport
Description DEPRECATED Returns event's forensic data

Parameters alert_id Alert ID REQUIRED

Permissions Requires alrtq >= VIEW

Header Format Status: 200 OK


Content-type: application/binary
Content-Disposition: attachment; filename="event_ID.bin"
(where ID is the alert_id number)

Output Returns hex-encoded forensic data for the selected alert



filetypelist
Description DEPRECATED Lists current application filetype ID's/names

Permissions None

Header Format Standard Header

Output Data Fields: fitletypeID, filetype

get_meta_fields
Description DEPRECATED Returns unique field identifiers from the metadata search table

Permissions Requires alrtq >= VIEW

Header Format Standard Header

Output Data Fields: meta_fields

Details Returns all unique entries in the alert metadata, presented as: the table name, then the
column names, then the column values, without a delimiter of any kind in between.

longreport
Description DEPRECATED Prints long report

Parameters Refer to Search & Filter

Permissions Requires alrtq >= VIEW

Header Format Status: 200 OK


Content-type: application/force-download
Content-Disposition: attachment; filename="report.log"

Output TCP SESSION INFO & FORENSIC DATA

messages
Description DEPRECATED Returns information about messages

Parameters Refer to Search & Filter

Permissions Requires plcys >= VIEW || qrntn >= VIEW || alrtq >= VIEW

Header Format Standard Header

Output Data Fields: msgID, message, time, priority, alert_cnt, compr

msglist
Description DEPRECATED Lists current message ID's/names

Permissions Requires plcys >= VIEW || qrntn >= VIEW || alrtq >= VIEW || mtdts >= VIEW

Header Format Standard Header

Output Data Fields: msgID, message

packet
Description DEPRECATED Shows the majority of alert detail information

Parameters alert_id Alert ID number REQUIRED

Permissions Requires alrtd >= VIEW

Header Format Standard Header

Output Data Fields: alertID, alertUUID, compr, time, insert_time, sensorID, sensor, msgID,
message, rule, polID, policy, group_id, groupname, priorityaction, spool_type, aproto,
filename, filetype, filesize, IP_src, IP_dst, sport, dport, src_svc, dst_svc, ip_proto,
sourceFQDN, destFQDN, pcap_uuid, direction, host_IP, src_country, src_flag,
dst_country, dst_flag, src_region, src_city, dst_region, dst_city, extra, collector,
tg_status, tg_id, tg_score, src_country_code, dst_country_code, md5

priorities
Description DEPRECATED Returns statistic information about alert priorities

Parameters extra The extra field is a concatenation of 3 different elements: the Decoding Path,
the Channel Attributes and the Matched On violation information.
The Decoding Path is always present and always the first row of the extra field.
The Channel Attributes, if any, follow the Decoding Path.
The Matched On is always present and always the last row of the extra field.

The Decoding Path format:
The string "Decoding Path" followed by the '\t' separator, followed by a colon ':' prepended
list of protocols and file formats in the decoding path, followed by a newline '\n' separator.

The Channel Attributes format:
Protocol/Format name followed by the '\f' separator, followed by the Attribute Name, followed
by the '\t' separator, followed by the attribute value, followed by the newline '\n' separator.
There can be zero or many of these attribute rows.
Any of the sub-fields can be followed by the '\a' separator followed by one or more characters
that serve as flags representing an attribute applied to that field. See the List of Attributes
below.

The Matched On format:
The string "Matched on" followed by the '\f' separator, followed by the Fingerprint name that
caused the alert, followed by the '\t' separator, followed by the string "true" or "false"
indicating whether alert highlighting was performed, followed by a newline '\n'.
The subsequent lines describe a table in this manner:
<Table name>\f<Column name>\t<Value>\n
If a column name is repeated in a table, that indicates a new table row.
The 'Value' field can be followed by the '\a' separator followed by one or more characters that
serve as flags representing an attribute applied to that field. See the List of Attributes below.

List of Attributes:
'C', capital letter C, indicates a safe URL that can be made clickable.

Refer to Search & Filter

Permissions Requires alrtq >= VIEW || qrntn >= VIEW

Header Format Standard Header

Output Data Fields: priority, time, alert_cnt, compr
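
A parser for the extra field format described above, as an added example that is not Fidelis code. The SAMPLE_EXTRA record is constructed from the format description (its fingerprint, table, column and URL values are made up), and clickable_urls shows the defensive use of the 'C' flag: only values the sensor marked safe are rendered as links, everything else stays plain text.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Separators named in the format description.
FS, TAB, BEL, NL = "\f", "\t", "\a", "\n"

# From the List of Attributes: 'C' marks a URL that is safe to make clickable.
SAFE_URL_FLAG = "C"

# Constructed sample record (made-up values), laid out as the format description
# specifies: Decoding Path row, channel attribute rows, Matched on row, table rows.
SAMPLE_EXTRA = (
    "Decoding Path\t:TCP:HTTP:ZIP:PDF\n"
    "HTTP\fHost\twww.example.com\n"
    "HTTP\fURL\thttp://www.example.com/a.zip\aC\n"
    "Matched on\fCredit Card Numbers\ttrue\n"
    "Matches\fPattern\tVisa\n"
    "Matches\fCount\t3\n"
    "Matches\fPattern\tMasterCard\n"
    "Matches\fCount\t1\n"
)

Cell = Tuple[str, str]  # (value, flag characters that followed the '\a' separator)


@dataclass
class Extra:
    decoding_path: List[str]                    # protocols/formats, outermost first
    channel_attrs: List[Tuple[str, str, Cell]]  # (protocol/format, attribute name, cell)
    matched_on: str                             # fingerprint name that caused the alert
    highlighted: bool                           # whether alert highlighting was performed
    tables: Dict[str, List[Dict[str, Cell]]]    # table name -> rows -> column name -> cell


def split_flags(token: str) -> Cell:
    """Split a sub-field at the '\\a' separator; flags is '' when there are none."""
    value, _, flags = token.partition(BEL)
    return value, flags


def parse_extra(raw: str) -> Extra:
    lines = raw.split(NL)
    if lines and lines[-1] == "":
        lines.pop()  # every row ends with '\n', so the split leaves an empty tail
    if not lines:
        raise ValueError("empty extra field")

    # Row 1 is always "Decoding Path\t:proto:proto:format".
    label, _, path = lines[0].partition(TAB)
    if label != "Decoding Path":
        raise ValueError("first row is not the Decoding Path")
    decoding_path = [p for p in path.split(":") if p]

    # Locate the Matched on row; the rows between it and row 1 are channel attributes.
    m_idx = next((i for i, row in enumerate(lines) if row.startswith("Matched on" + FS)), None)
    if m_idx is None:
        raise ValueError("Matched on row missing")

    channel_attrs = []
    for row in lines[1:m_idx]:
        proto, _, rest = row.partition(FS)
        name, _, value = rest.partition(TAB)
        # Any sub-field may carry '\a' flags; they are merged into one flag string.
        proto, pf = split_flags(proto)
        name, nf = split_flags(name)
        value, vf = split_flags(value)
        channel_attrs.append((proto, name, (value, pf + nf + vf)))

    _, _, rest = lines[m_idx].partition(FS)
    fingerprint, _, highlighted = rest.partition(TAB)
    if highlighted not in ("true", "false"):
        raise ValueError("Matched on row lacks the true/false highlighting indicator")

    # Remaining rows: <Table name>\f<Column name>\t<Value>[\aFLAGS]
    tables: Dict[str, List[Dict[str, Cell]]] = {}
    for row in lines[m_idx + 1:]:
        table, _, rest = row.partition(FS)
        column, _, value = rest.partition(TAB)
        rows = tables.setdefault(table, [])
        if not rows or column in rows[-1]:  # a repeated column name starts a new row
            rows.append({})
        rows[-1][column] = split_flags(value)

    return Extra(decoding_path, channel_attrs, fingerprint, highlighted == "true", tables)


def clickable_urls(extra: Extra) -> List[str]:
    """Values the sensor flagged 'C'; render everything else as plain text, never as a link."""
    urls = [cell[0] for _, _, cell in extra.channel_attrs if SAFE_URL_FLAG in cell[1]]
    for rows in extra.tables.values():
        for row in rows:
            urls.extend(v for v, flags in row.values() if SAFE_URL_FLAG in flags)
    return urls


if __name__ == "__main__":
    parsed = parse_extra(SAMPLE_EXTRA)
    print(parsed.decoding_path, parsed.matched_on, parsed.highlighted)
    print(parsed.tables["Matches"], clickable_urls(parsed))
```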

purge_data
Description DEPRECATED Deletes alert records, session records, or both. You may delete
sessions only, but not alerts only (using del_alert flag assumes del_ses)

Parameters alert_id Comma separated list of alert ID's
Note: if alert_id not provided, then this CGI will use Search & Filter parameters.

del_alert tells the CGI to delete alert entries

del_ses tells the CGI to delete sessions

kill_ses tells the CGI to delete sessions even if there are related alerts
(default is to preserve the sessions)

yes REQUIRED

Permissions Requires alrtq >= MODIFY

Header Format Standard Header

Output "OK" on success

related_alerts
Description DEPRECATED Shows alerts from the same and/or stage session(s) as the alert or the
malware specified

Parameters alert_id Alert ID REQUIRED

amount Limit the number of alerts in the results (default 100)

Permissions Requires alrtd >= VIEW

Header Format Standard Header

Output Data Fields: alertID, time, message, priority, viewable, with malware, relation

Details Returns an empty list if no related alerts are found.

srcaddr
Description DEPRECATED Returns information about source IP addresses

Parameters Refer to Search & Filter

Permissions Requires alrtq >= VIEW || qrntn >= VIEW

Header Format Standard Header

Output Data Fields: IP_src, ipsort, time, priority, alert_cnt, compr, sourceFQDN

Details The returned information contains: source IP address, last time this IP was seen,
highest priority of alerts, count of alerts, fully qualified domain name

dstaddr
Description DEPRECATED Returns information about destination IP addresses

Parameters Refer to Search & Filter

Permissions Requires alrtq >= VIEW || qrntn >= VIEW

Header Format Standard Header

Output Data Fields: IP_src, ipsort, time, priority, alert_cnt, compr, sourceFQDN

Details The returned information contains: source IP address, last time this IP was seen,
highest priority of alerts, count of alerts, fully qualified domain name

alert_auth_users
Description DEPRECATED Provides a list of user names that have permission to view all of the
provided alert ID's

Parameters alert_id Comma separated list of alert ID's
Note: if alert_id not provided, then this CGI will use Search & Filter parameters.

Permissions Requires alrtq >= VIEW || usradm >= VIEW

Header Format Standard Header

Output Data Fields: userID, user

quarantine_auth_users
Description DEPRECATED Returns users with sensor/group authorization to view a list of
quarantines

Parameters alert_id Comma separated list of alert ID's

params sen_name1.qid1,sen_name2.qid2,...,sen_namen.qidn REQUIRED
where each entry represents a sensor name and quarantine message ID number, delimited by a
period.

Permissions Requires alrtq >= VIEW || usradm >= VIEW || qrntn >= VIEW

Header Format Standard Header

Output Data Fields: userID, user

session_alerts
Description DEPRECATED List alert ID's for the specified session in a specified sensor and spool

Parameters rel_session_id Related session ID REQUIRED

sensor_name Sensor name REQUIRED

session_id Session ID REQUIRED

source_type Spool type: iptrap, icap, mailer, sniffer REQUIRED

uuid Sensor UUID REQUIRED

Permissions Requires alrtd >= VIEW

Header Format Standard Header

Output Data Fields: alertID

Details The following pairs of parameters need to have either one or the other specified:
session_id or rel_session_id
sensor_name or uuid

collector_analytics_alert_transactions
Description DEPRECATED Shows transactions associated with a collector analytics alert

Parameters alert_id Alert ID REQUIRED

Permissions Requires alrtd >= VIEW

Header Format Standard Header

Output Data Fields: Transaction, SensorUUID, Sensor, Spool, SessionID, RelSessionID,
SessionStart, Duration, ClientIP, ServerIP, ClientPort, ServerPort, Protocol,
DecodingPath, Filename, Action, ClientCountry, ServerCountry, ClientFlag, ServerFlag,
Direction, User, From, To, Subject, Host, URL, Referer, Tunnel, Transport, MD5,
Filetype, Filesize, Timestamp, Tag, UserAgent, XForwardedFor, Extra, UserID, User
Name, User Department, DeviceID, Device Name, Device Group, MAC Address

Details Returns an empty list if no related transactions are found.

collector_analytics_alert_detail
Description DEPRECATED Shows collector analytics alert detail

Parameters alert_id Alert ID REQUIRED

Permissions Requires alrtd >= VIEW

Header Format Standard Header

Output Data Fields: AlertID, ExecStartTime, RuleName, RuleType, Collector, GroupbyColumns,
GroupbyValues, Count, RuleResultExpr

Details Returns an empty list if no related alerts are found.

check_alert_flags
Description DEPRECATED Displays alerts' and their sessions' flags

Parameters alert_id Alert IDs

params nomd5

Permissions Requires alrtd >= VIEW

alert_update_vtinfo
Description DEPRECATED Refresh VirusTotal information for specified alerts or MD5s.

Parameters alert_id Comma separated list of alert IDs

md5 Comma separated list of MD5s

Permissions Requires alrtq >= MODIFY

Header Format Standard Header

Output "OK" on success

Details Only one of alert_id or md5 is required; there is no need to specify both

Archive
The archive CGI's perform data and system archive functions.

export_alert
Description Exports alerts and sessions to specified storage, in Fidelis JSON Archive format

Parameters alert_id Comma separated list of alert ID's
If alert_id not provided, then this CGI will use Search & Filter parameters.

edate end time

name|filename Remote directory or local filename REQUIRED
name: Remote directory
filename: Local filename

pcap No parameter, will export PCAP data if present

sdate start time

session No parameter, will export sessions if present

Permissions Requires alrtq >= MODIFY and alrtd >= MODIFY and cpadm >= MODIFY

Header Format Standard Header

Output Data Fields: data

Details Requires configured connection to remote server.

import_alert
Description Imports alerts and sessions from specified storage, in Fidelis JSON Archive format

Parameters edate end time

name|filename File name or directory on specified storage REQUIRED
name: Remote directory or file name
filename: Local file name

params replace | ignore | restore
Default: ignore, will not overwrite alerts or sessions that are already in the datastore

pcap No parameter, will import PCAP data if present

sdate start time

session No parameter, will import sessions if present

Permissions Requires alrtq >= MODIFY and alrtd >= MODIFY and cpadm >= MODIFY

Header Format Standard Header

Output Data Fields: data

Details Requires configured connection to remote server.

test_archive
Description Tests configured connection to remote server for file transfer

Parameters name Directory on remote server REQUIRED

Permissions Requires cpadm >= MODIFY

Header Format Standard Header

Output "OK" on success

archive_list
Description List Fidelis JSON archives available on specified storage

Parameters edate end time

name Directory on remote server REQUIRED

sdate start time

Permissions Requires alrtq >= MODIFY and alrtd >= MODIFY and cpadm >= MODIFY

Header Format Standard Header

Output Data Fields: data

Details Requires configured connection to remote server.

archive_contents
Description List contents of Fidelis JSON archives available on specified storage

Parameters edate end time

name Directory on remote server REQUIRED

sdate start time

Permissions Requires alrtq >= MODIFY and alrtd >= MODIFY and cpadm >= MODIFY

Header Format Standard Header

Output Data Fields: data

Details Requires configured connection to remote server.

archive_locations
Description List known Fidelis archive locations

Permissions Requires alrtq >= MODIFY and alrtd >= MODIFY and cpadm >= MODIFY

Header Format Standard Header

Output Data Fields: data

Mailer
The Mailer functions are associated with quarantined e-mail messages held by a Fidelis Mail sensor.
mailer_id refers to the sensor_id for the associated sensor.

mailer_list
Description Lists the quarantined emails, applying filters if specified.

Parameters amount Number of records to return. Default 100.

date Filter by an exact date, YYYY-MM-DD (eg. 2006-08-08)

edate Filter by an end date

fss_from Email User "From"

fss_to Email User "To"

justification_text Justification Text

last Retrieve data for time interval ending now, and starting
days:hours:minutes:seconds
ex. 10:00:00:00 is 10 days, 00:10:00:00 is 10 hours

last_login .

mailer_id Mailer ID

max_q .

name Alert Group Name

qstatus Quarantine Status

sdate Filter by a start date

search Setting this equal to 1 converts filters above into a regex match
instead of exact match.

sensor_id Sensor ID

sensor_name Sensor Name

subject Email subject

type Determines which field is used for all date query searches. 0
means quarantined date, 1 means release date

Permissions Requires qrntn >= VIEW

Header Format Standard Header

Output Data Fields: message_id, sensor_name, sensorID, timestamp, fss_from, fss_to, subject,
qstatus

mailer_alerts
Description List of alerts associated with the provided mailer_id

Parameters mailer_id Mailer ID REQUIRED

sensor_id Sensor ID REQUIRED

Permissions Requires qrntn >= VIEW

Header Format Standard Header

Output Data Fields: alertID, rule, timestamp, severity, quarantined, rerouted, sender_notified,
message_appended, message

mailer_quarantine_deliver
Description Delivers quarantined mails and deletes the entries, with associated alerts, from the
database.

Parameters mailer_id A comma separated list of mailer ID's REQUIRED

sensor_id Sensor ID REQUIRED

Permissions Requires qrntn >= MODIFY

Header Format Standard Header

Output "OK" on success

mailer_quarantine_discard
Description Discards quarantined mails and deletes the entries, with associated alerts, from the
database.

Parameters mailer_id A comma separated list of mailer ID's REQUIRED

sensor_id Sensor ID REQUIRED

Permissions Requires qrntn >= MODIFY

Header Format Standard Header

Output "OK" on success

mailer_quarantine_details
Description Retrieves a quarantined email

Parameters mailer_id Mailer ID REQUIRED

sensor_id Sensor ID REQUIRED

Permissions Requires qrntn >= VIEW

Header Format Standard Header

Output Data Fields: Date, From, To, Cc, Bcc, Subject, Body, Filename, ContentType,
ContentEncoding, Data, qstatus, JustificationText, ReleaseTimestamp
Encoding: base64

mailer_quarantine_sensor
Description Retrieve quarantined email from sensor

Parameters mailer_id Mailer ID REQUIRED

sensor_id Sensor ID REQUIRED

Permissions Requires qrntn >= VIEW

Header Format Standard Header

Output Data Fields: Date, From, To, Cc, Bcc, Subject, Body, Filename, ContentType,
ContentEncoding, Data, qstatus, JustificationText, ReleaseTimestamp
Encoding: base64

mailer_raw_quarantine_sensor
Description Retrieve raw unparsed quarantined email from sensor

Parameters mailer_id Mailer ID REQUIRED

sensor_id Sensor ID REQUIRED

Permissions Requires qrntn >= VIEW

Header Format Standard Header

Output On success: quarantined message

Policies
This section reviews functions associated with creating, modifying, retrieving, and removing policies and
policy components. PRFM refers to summarized Policy, Rule, Fingerprint, and Macro data.

container_add
Description DEPRECATED Add a new container to the database

Parameters data URL encoded data

filename File on the local system containing the data.

name Container Name REQUIRED

type kwlist | namedb | feeddb | iprange REQUIRED

Permissions Requires plcys >= MODIFY

Header Format Standard Header

Output "OK" on success

Details Container data can be passed in directly using the data parameter or in a file using the
filename parameter.

container_data
Description DEPRECATED Fetches container data from the database

Parameters name Name of the container to fetch REQUIRED

type kwlist | namedb | feeddb | iprange REQUIRED

Permissions Requires plcys >= VIEW

Header Format Standard Header

Output The data for the container

container_del
Description DEPRECATED Deletes a container from the database

Parameters name Name of the container to delete REQUIRED

type kwlist | namedb | feeddb | iprange REQUIRED

Permissions Requires plcys >= MODIFY

Header Format Standard Header

Output "OK" on success

container_list
Description DEPRECATED Lists the containers

Parameters type kwlist | namedb | feeddb | iprange REQUIRED

Permissions Requires plcys >= VIEW

Header Format Standard Header

Output Data Fields: Name, Comments, Date, Size, Info, Inuse

container_status
Description DEPRECATED Obtain the status of containers for a sensor

Parameters s_ipaddr IP address of the sensor REQUIRED

flags Secondary CommandPost mode 0|1, default is 0

type kwlist | namedb | feeddb | iprange REQUIRED

Permissions Requires plcys >= VIEW

Header Format Standard Header

Output "OK" if the sensor is fine or "nosynch" if the sensor needs to be synchronized

container_sync
Description DEPRECATED Syncs all keyword lists from the database to the sensor

Parameters s_ipaddr IP address of the sensor REQUIRED

flags Secondary CommandPost mode 0|1, default is 0

type kwlist | namedb | feeddb | iprange REQUIRED

Permissions Requires plcys >= MODIFY

Header Format Standard Header

Output "OK" on success

fps_gen
Description Generate indicator based on parameters

Parameters cookie The Fidelis designated type of indicator REQUIRED

delay Delay Analysis indication. Value is either 0 (off) or 1 (on). Only
supported for content indicator types

name Indicator name REQUIRED

threshold Threshold value

Remaining parameters are specific to the cookie. Refer to the Indicator API section.

Permissions Requires plcys >= MODIFY

Header Format Standard Header

Output Contents of the indicator

fps_test
Description Test specified indicator

Parameters data Indicator expression REQUIRED

name Indicator name REQUIRED

Permissions Requires plcys >= VIEW

Header Format Standard Header

Output "Ok" on success

fps_testf
Description Test specified indicator

Parameters name Path to indicator file on the local file system REQUIRED

Permissions Requires plcys >= VIEW

Header Format Standard Header

Output "Ok" on success

fps_get
Description Retrieve specified indicator

Parameters id Indicator id

name Indicator name

Requires either Indicator name or id. With name the latest version will be served.

Permissions Requires plcys >= VIEW

Header Format Standard Header

Output Contents of the fingerprint

fps_parameters_get
Description DEPRECATED Get a list of parameters and their associated display names

Permissions Requires plcys >= VIEW

Header Format Standard Header

Output Data Fields: code, name

fps_patterns_get
Description DEPRECATED Get a list of predefined patterns or patterns used for a fingerprint

Parameters name If specified, pattern names for the fingerprint will be returned.
Otherwise, global predefined patterns are returned.

Permissions Requires plcys >= VIEW

Header Format Standard Header

Output Data Fields: code, name, country_code, country_name

Details The country_code and country_name columns may be empty depending on the pattern.
They also may refer to data other than a country name.

fps_types_get
Description DEPRECATED Get a list of fingerprint cookie types and their associated display names

Permissions Requires plcys >= VIEW

Header Format Standard Header

Output Data Fields: code, name

sensor_getxml
Description DEPRECATED Get XML for specified sensor

Parameters name Sensor name REQUIRED

Permissions Requires plcys >= VIEW

Header Format Standard Header

Output Data Fields: xml

Details The XML data that is output is in a base64 format

prfm_status
Description Get a PRFM status for a specified sensor. Returns XML's MD5 and Indicator's ID

Parameters name Sensor name REQUIRED

Permissions Requires plcys >= VIEW

Header Format Standard Header

Output Data Fields: col1, col2

Conclusions
This section reviews functions associated with creating a group of rules, adding, retrieving, and removing
rules to the group of rules for conclusions, and assigning/changing the aggregation method to rules

rule_group_add
Description Add a tab separated rule list to a rule group for conclusion; if the group does not exist, it is created

Parameters malware_name Tab separated malware names (each of them could be comma
separated) *If presented, size should be the same as rule_list's
size*

name Rule group name REQUIRED

rule_list Tab separated rule list REQUIRED

Permissions Requires plcys >= MODIFY

Header Format Standard Header

Output "Ok\nOK" on success

rule_group_del
Description Delete rules from rule group, if all rules are deleted, the group is deleted

Parameters name Rule group name REQUIRED

rule_list Tab separated rule list, if the rule list is empty, the group is deleted

Permissions Requires plcys >= MODIFY

Header Format Standard Header

Output "Ok\nOK" on success

rule_group_list
Description List rule groups and rules in them

Parameters name Rule group name, if empty, all rule groups will be listed

Permissions Requires plcys >= VIEW

Header Format Standard Header

Output Data Fields: Rule_GROUP_NAME, Rule_Name

rule_agg_method_set
Description Set agg method of a rule for conclusion

Parameters action Rule agg method REQUIRED
One of:
0 (default),
1 (one alert per conclusion),
2 (threshold), or
3 (no conclusion)

name Rule name REQUIRED

threshold Threshold value REQUIRED for threshold method

Permissions Requires plcys >= MODIFY

Header Format Standard Header

Output "Ok\nOK" on success

rule_agg_method_list
Description List agg method of a rule/rules

Parameters name Rule name

Permissions Requires plcys >= MODIFY

Header Format Standard Header

Output Data Fields: Name, Method, Threshold

rule_agg_method_del
Description Delete rule agg method of a rule

Parameters name Rule name REQUIRED

Permissions Requires plcys >= MODIFY

Header Format Standard Header

Output Data Fields: Name, Method, Threshold

Radar
This section provides functions used by the CommandPost dashboard (Radar) screen. They provide data
in a high-level summarized manner.

aac_list
Description Shows event groups

Parameters aac_id Adaptive alert cluster ID number

amount Number of entries to return in the result set

filter on | off disposition not honored

last Retrieve data for time interval ending now and starting
days:hours:minutes:seconds
ex. 10:00:00:00 is 10 days, 00:10:00:00 is 10 hours

sensor_id Sensor ID number. If not specified, all sensors used.

sortby Column name (as shown in the output, ex. sensorID, not sen_id or
sensor_id)
Default disposition is descending, append ":a" or ":A" for
ascending

start Number where 0 is the first entry in the result set

Permissions Authorized sensors & groups only

Header Format Standard Header

Output Data Fields: aac_id, val, time, duration, sensorID, sensor, plen, msgID, message,
priority, masks, alert_cnt

aac_radar_lo
Description Shows event clusters in list

Parameters amount Number of entries to return in the result set

filter on | off disposition not honored

last Retrieve data for time interval ending now and starting
days:hours:minutes:seconds
ex. 10:00:00:00 is 10 days, 00:10:00:00 is 10 hours

sensor_id Sensor ID number. If not specified, all sensors used.

sortby Column name (as shown in the output, ex. sensorID, not sen_id or
sensor_id)
Default disposition is descending, append ":a" or ":A" for
ascending

start Number where 0 is the first entry in the result set

Permissions Authorized sensors & groups only

Header Format Standard Header

Output Data Fields: when, aac_id, duration, priority, alert_cnt, desc
(when: time in seconds between the occurrence of the first alert in that cluster and the
current time)

alert_count
Description Retrieves the count of alerts stored on CommandPost

Permissions None

Header Format Standard Header

Output Data Fields: alert_cnt

info
Description Statistic information about sensor/alerts

Permissions None

Header Format Standard Header

Output Data Fields: sensor_cnt, alert_cnt

last
Description Shows the last event

Permissions Authorized sensors & groups only

Header Format Standard Header

Output Data Fields: alertID, sensor, time, message, priority

Details Retrieves the latest alert on record (highest alert_id) for the set of sensors the user has
permission to view.

week_prio
Description Returns alert priority counts for the last week

Permissions Authorized sensors & groups only

Header Format Standard Header

Output Data Fields: date, dayname, prioC_cnt, prioH_cnt, prioM_cnt, prioL_cnt

Reports
The API provides several standard reports and a subsystem to schedule reports to be run at defined
times. The output is designed for integration with a graphical plotting tool.

alertsbyip
Description DEPRECATED Returns number of alerts per IP for a given time range

Parameters col Either srcip6 for the source IP address or dstip6 for the destination
IP address REQUIRED

edate End date/time in UNIX time format REQUIRED

params Number of IP addresses to include in report (eg. Top 10) REQUIRED

sdate Start date/time in UNIX time format REQUIRED

sensor_id Sensor ID. Leaving this out or setting to 0 will return all sensors

Permissions Requires rprts >= VIEW

Header Format Standard Header

Output Data Fields: ip, iphost, alert_cnt

Details IP addresses may be returned in either an IPv4 or IPv6 format.

alertsbypair
Description DEPRECATED Returns number of alerts per IP pair for a given time range

Parameters edate End date/time in UNIX time format REQUIRED

params Number of IP address pairs to include in report (eg. Top 10) REQUIRED

sdate Start date/time in UNIX time format REQUIRED

sensor_id Sensor ID. Leaving this out or setting to 0 will return all sensors

Permissions Requires rprts >= VIEW

Header Format Standard Header

Output Data Fields: ip1, iphost1, ip2, iphost2, alert_cnt

Details IP addresses may be returned in either an IPv4 or IPv6 format.

alertsbycrit
Description DEPRECATED Returns alert per criticality by time

Parameters last Retrieve data for time interval ending now, and starting
days:hours:minutes:seconds
ex. 10:00:00:00 is 10 days, 00:10:00:00 is 10 hours

params comma separated time range in UNIX time format REQUIRED

sensor_id Sensor ID. Leaving this out or setting to 0 will return all sensors

type comma separated list of criticality values (maps to dictid in dictionary) REQUIRED

Permissions Requires rprts >= VIEW

Header Format Standard Header

Output Data Fields: critid, did, crit, alert_cnt, edate

alertsbypol
Description DEPRECATED Returns alert per policy and either protocol or rule by time

Parameters params comma separated time range in UNIX time format (start,end)
REQUIRED

pol_id Policy ID number REQUIRED

sensor_id Sensor ID. Leaving this out or setting to 0 will return all sensors

type protocol | rule REQUIRED

Permissions Requires rprts >= VIEW

Header Format Standard Header

Output Data Fields:

type = protocol (ref. "Alerts by Channel" report)
polid, msgid, msgtext, alert_cnt, edate

type = rule (ref. "Alerts by Channel" report)
polid, aprotoid, aproto, alert_cnt, edate

polbytime
Description DEPRECATED Returns alert per policy and either protocol or rule by time

Parameters amount number of entries to return in the result set

edate End date/time in UNIX time format REQUIRED

pol_id Policy ID number

sdate Start date/time in UNIX time format REQUIRED

sensor_id Sensor ID number

sortby column name (as shown in the output, ex. sensorID, not
sen_sensor_id).
Default disposition is descending, append ":a" or ":A" for ascending

start Number where 0 is the first entry in the result set

type protocol | rule REQUIRED

Permissions Requires rprts >= VIEW

Header Format Standard Header

Output Data Fields:

type = protocol
polid, pname, aprotoid, aproto, alert_cnt

type = rule
polid, pname, msgid, msgtext, alert_cnt

report_list
Description DEPRECATED Returns a list of reports. If optional parameters are used, the results are
filtered.

Parameters amount number of entries to return in the result set

columns semi-colon delimited list of alert columns for display layout in the
format of p1=a;p2=b;s1=a;s2=c

duration Duration

email Email address

filters semi-colon delimited list of alert filter options in the format of
key=urlencoded(value);key=urlencoded(value)...

flags Permission flags: 0: private, 1: public read, 2: public read/write

freqid Frequency ID

groups semi-colon delimited column names (ex. alertId;sensorName)

grp_img semi-colon delimited group image information

hour acceptable value range on the interval <1, 24>

id Report ID

name Report name

searches semi-colon delimited list of alert search options in the format of
key=urlencoded(value);key=urlencoded(value)...

show_in_alert Flag(0/1) to treat this as alert report or not

sortby list of orderby columns in the format of column:A\ncolumn:D
A is ascending, D is descending

start number where 0 is the first entry in the result set

trend_img semi-colon delimited trend image information

type system | quick | custom

Permissions Requires rprts >= VIEW or alrtq >= VIEW

Header Format Standard Header

Output Data Fields: id, name, type, columns, filters, searches, groups, duration, sortby,
grp_img, trend_img, show_in_alert, amount, email, hour, freqid, freqname, freqtype,
lastsend, extra, uid, has_img, author, create_time, modify_time, flags

report_add
Description DEPRECATED Adds/updates report with schedule.

Parameters amount number of entries to return in the result set

columns semi-colon delimited list of alert columns for display layout in the
format of p1=a;p2=b;s1=a;s2=c

cp_names A comma separated list of CommandPost names

duration Duration

email Email address

filters semi-colon delimited list of alert filter options in the format of
key=urlencoded(value);key=urlencoded(value)...

flags Permission flags: 0: private, 1: public read, 2: public read/write

freqid Frequency ID

groups semi-colon delimited column names (ex. alertId;sensorName)

grp_img semi-colon delimited group image information

hour acceptable value range on the interval <1, 24>

id Report ID REQUIRED

name Report name REQUIRED

searches semi-colon delimited list of alert search options in the format of
key=urlencoded(value);key=urlencoded(value)...

show_in_alert Flag(0/1) to treat this as alert report or not

sortby list of orderby columns in the format of column:A\ncolumn:D
A is ascending, D is descending

start number where 0 is the first entry in the result set

trend_img semi-colon delimited trend image information

type Report type REQUIRED

Permissions Requires rprts >= MODIFY

Header Format Standard Header

Output "Ok" on success

Details For new reports, id is blank and name and type are required. To update a report an id is
required.

report_del
Description DEPRECATED Deletes scheduled task

Parameters id Report ID REQUIRED

Permissions Requires rprts >= MODIFY

Header Format Standard Header

Output "Ok" on success

report_copy
Description DEPRECATED Copies report to another user

Parameters id Report ID REQUIRED

name New name for the report

user_id User ID REQUIRED

Permissions Requires rprts >= MODIFY

Header Format Standard Header

Output "Ok" on success

report_upd_sched
Description DEPRECATED Updates existing report with scheduling info

Parameters amount Number of results. Ranges for: Custom: 1-999, Quick: 1-99

email Email address

freqid Frequency ID

hour Acceptable value range on the interval <1, 24>

id Report ID REQUIRED

params semi-colon delimited name=value pairs (ex. sensor_id=1;sensor_id=2)

Permissions Requires rprts >= MODIFY

Header Format Standard Header

Output "Ok" on success

report_upd_sched_time
Description DEPRECATED Updates report with current time stamp

Parameters id Report ID REQUIRED

Permissions Requires rprts >= MODIFY

Header Format Standard Header

Output "Ok" on success

report_schednow_list
Description DEPRECATED Returns a list of reports to be sent this hour

Permissions used by scheduler only

Header Format Standard Header

Output Data Fields: id, name, type, columns, filters, searches, groups, duration, sortby, grp_img,
trend_img, show_in_alert, amount, email, hour, freqid, freqname, freqtype, lastsend,
extra, uid, has_img

report_clone
Description DEPRECATED Make a copy of a report with a new name

Parameters id Report ID to copy REQUIRED

name New name for the report REQUIRED

Permissions Requires rprts >= MODIFY

Header Format Standard Header

Output "Ok" on success

Details The copy will be a newly created report, its type is set to 'custom'

report_export
Description DEPRECATED Export report definitions

Parameters filename If specified, save the export file to the local file system rather than
printing to standard output

flags 0: private | 1: public read-only | 2: public r/w | 3: all public | 4: all reports

id Comma separated list of report ID's

Permissions Requires rprts >= VIEW

Header Format Status: 200 OK
Content-disposition: inline; filename="fidelis_reports_<date_time>.gz"
Content-type: application/force-download

Output "Ok" on success if a filename is specified, otherwise the output will be the export itself.

Details Export one or multiple reports to a file: by report id using 'id', by permission type using
'flags', or all reports that the user has read access to if neither 'flags' nor 'id' is provided.
Note that system reports are excluded from exports. The exported file can then be used with
'report_import' to import the reports to any CommandPost.

report_import
Description DEPRECATED Import report definitions

Parameters filename Path to the exported report file in the local file system REQUIRED

type Conflict management options: REQUIRED
keep: if there is a name collision, keep the existing report (reject the imported one)
overwrite: if there is a name collision, overwrite the existing report with the one being
imported

Permissions Requires rprts >= MODIFY

Header Format Standard Header

Output Prints the number of reports inserted/rejected on success: "<X> reports inserted, <Y>
reports rejected"

Details If successful, each imported report becomes a newly created report. The user
performing the import becomes the author of all imported reports.

ticket_status_avg
Description DEPRECATED Provides average time-to-open (TTO) and time-to-close (TTC) for alerts
in OPEN/CLOSE status. Requires at least one available group by parameter

Parameters groupby At least one group by parameter is required. Available parameters:
rule_name, policy_name, user_name, group_name REQUIRED

Refer to Search & Filter

Permissions Requires alertq >= VIEW and tcktlst >= VIEW

Header Format Standard Header

Output Data Fields: [msgID, rule, userID, user, group_id, group, polID, policy], count,
avgTTO_<TS>, avgTTC_<TS>
where TS is the time scale (hour/day/week/month/year); the bracketed data fields depend on
the groupby parameter

ticket_status_dist
Description DEPRECATED Provides frequency distribution of time-to-open (TTO) and time-to-close
(TTC) for alerts in OPEN/CLOSE status

Parameters Refer to Search & Filter

Permissions Requires alertq >= VIEW and tcktlst >= VIEW

Header Format Standard Header

Output Data Fields: class_<TS>, numTTO, numTTC
where TS is the time scale (hour/day/week/month/year)

Sessions
Sessions refer to stored TCP sessions associated with alerts. Note that sessions and alert data are
stored independently by CommandPost. Alert information is stored as soon as a violation is detected,
whereas session data is stored when the session completes. Therefore, session data may arrive long
after the alert data. In some cases, session data may never be recorded.

tcpses_exist
Description Returns yes if session exists for alert

Parameters alert_id Alert ID REQUIRED

Permissions Requires alrtd >= VIEW

Header Format Standard Header

Output Data Fields: a, type

tcpses_info
Description Returns TCP session info

Parameters alert_id Alert ID number

sensor_id Sensor ID number

session_id Session ID number

Permissions Requires alrtd >= VIEW

Header Format Standard Header

Output Data Fields: caddr, cport, saddr, sport, start_time, end_time, duration, cl, sl, extra,
cFQDN, sFQDN

Details Requires alert_id OR (session_id AND sensor_id) to properly identify the event.

tcpses_c
Description Returns client's stream

Parameters alert_id Alert ID number

amount number

sensor_id Sensor ID number

session_id Session ID number

Permissions Requires alrtd >= VIEW

Header Format Status: 200 OK
Content-type: text/plain

Output Session information printed in plain text

Details Requires alert_id OR (session_id AND sensor_id) to properly identify the event.

tcpses_dc
Description Returns binary client's stream

Parameters alert_id Alert ID number REQUIRED

amount number

sensor_id Sensor ID number

session_id Session ID number

Permissions Requires alrtd >= VIEW

Header Format Status: 200 OK
Content-Disposition: attachment; filename="client_ID.bin" (where ID = alert_id)
Content-type: application/force-download

Output session information printed

tcpses_s
Description Returns server's stream

Parameters alert_id Alert ID number

amount number

sensor_id Sensor ID number

session_id Session ID number

Permissions Requires alrtd >= VIEW

Header Format Status: 200 OK
Content-type: text/plain

Output Session information printed in plain text

tcpses_ds
Description Returns binary server's stream

Parameters alert_id Alert ID number REQUIRED

amount number

sensor_id Sensor ID number

session_id Session ID number

Permissions Requires alrtd >= VIEW

Header Format Status: 200 OK
Content-Disposition: attachment; filename="client_ID.bin" (where ID = alert_id)
Content-type: application/force-download

Output session information printed

tcpses_getdpath
Description Returns the closest decoding path possible for an alert

Parameters alert_id Alert ID REQUIRED

Permissions Requires alrtd >= VIEW

Header Format Standard Header

Output Data Fields: Decoding Path

tcpses_getfile
Description Sends the file context that corresponds to the decoding path provided

Parameters alert_id Alert ID REQUIRED

params Decoding path REQUIRED

Permissions Requires alrtd >= VIEW

Header Format Status: 200 OK
Content-disposition: inline; filename="filename"
Content-type: application/force-download

Output Returns the file data if the path is valid

evpkg_getfile
Description Gathers alert details and multiple files that correspond to the alert ID's into one package

Parameters alert_id Comma separated list of alert ID's

zip_pass Password for zip (optional)

Permissions Requires alrtd >= VIEW

Header Format Status: 200 OK
Content-disposition: inline; filename="name.tgz"
Content-type: application/force-download

Output If called locally, returns the archive file if the alert ids are valid.
If called remotely in HM environment, returns files in MIME multipart format.

Details Supports export of up to 25 evidence packages for matching alerts.
The list of alerts can either be specified via the --alert_id parameter or by applying
filters (Refer to Search & Filter).

Stats
Network statistics are stored per sensor registered with CommandPost. The functions below are provided
to retrieve these statistics.

stats
Description Network statistics

Parameters last retrieve data for time interval ending now, and starting
days:hours:minutes:seconds
ex. 10:00:00:00 is 10 days, 00:10:00:00 is 10 hours
note: if unspecified, defaults to 0:0:0:1

sensor_id Comma separated list of Sensor ID numbers REQUIRED

type detailed output mode if set (to any value), default output mode if
not provided

Permissions Requires sysadm >= VIEW

Header Format Standard Header

Output Data Fields: device, starttime, late, lasttime, total_processed, firsttime, currtime, lastts,
enabled, if_errors, dropped, captured, invalid

Details The data fields in detailed output mode are: device, starttime, late, lasttime,
total_processed, firsttime, currtime, lastts, enabled, secs, if_errors, dropped, captured,
invalid, size, tcp_cnt, tcp_siz, udp_cnt, udp_siz, icmp_cnt, icmp_siz, apr_cnt, arp_siz,
services, distribution

stats_graph_pps
Description packets per second graph

Parameters last retrieve data for time interval ending now, and starting
days:hours:minutes:seconds
ex. 10:00:00:00 is 10 days, 00:10:00:00 is 10 hours
note: if unspecified, defaults to 0:0:0:1

sensor_id Comma separated list of Sensor ID numbers REQUIRED

Permissions Requires sysadm >= VIEW

Header Format Standard Header

Output Data Fields: graph, graph_vals


graph field is comma-delimited list
graph_vals field is comma-delimited list of name=value pairs, where the value is a colon-
delimited list of values that match the graph fields

Details see stats_graph_bps

stats_graph_bps
Description bytes per second graph

Parameters last retrieve data for time interval ending now, and starting
days:hours:minutes:seconds
ex. 10:00:00:00 is 10 days, 00:10:00:00 is 10 hours
note: if unspecified, defaults to 0:0:0:1

sensor_id Comma separated list of Sensor ID numbers REQUIRED

Permissions Requires sysadm >= VIEW

Header Format Standard Header

Output Data Fields: graph, graph_vals


graph field is comma-delimited list
graph_vals field is comma-delimited list of name=value pairs, where the value is a colon-
delimited list of values that match the graph fields

Example graph: TCP,UDP,ICMP,ARP,other
graph_vals: 247=295:70:0:8:0,547=310:70:0:6:0,847=285:72:0:7:0,1147=273:68:0:5:0,1448=232:75:0:8:0

stats_ipdefrag
Description ipdefrag module info

Parameters last retrieve data for time interval ending now, and starting
days:hours:minutes:seconds
ex. 10:00:00:00 is 10 days, 00:10:00:00 is 10 hours
note: if unspecified, defaults to 0:0:0:1

sensor_id Comma separated list of Sensor ID numbers REQUIRED

Permissions Requires sysadm >= VIEW

Header Format Standard Header

Output Data Fields: device, starttime, lasttime, late, firsttime, currtime, lastts, secs,
total_processed, wire, enabled, config, runtime
config data is comma separated list of name=value pairs (hash=X,descriptors=X,
max. datagram=X bytes,timeout=X sec,shared mem=X MB,conv mem=X MB)
runtime data is comma separated list of name=value pairs
(faults=X,frags=X,rebuilt=X,descriptors=X)

stats_ipdefrag_graph
Description ipdefrag module graph

Parameters last retrieve data for time interval ending now, and starting
days:hours:minutes:seconds
ex. 10:00:00:00 is 10 days, 00:10:00:00 is 10 hours
note: if unspecified, defaults to 0:0:0:1

sensor_id Comma separated list of Sensor ID numbers REQUIRED

Permissions Requires sysadm >= VIEW

Header Format Standard Header

Output Data Fields: graph, graph_vals


graph field is comma-delimited list
graph_vals field is comma-delimited list of name=value pairs, where the value is a colon-
delimited list of values that match the graph fields

Example graph: faults,frags,rebuilt
graph_vals: 998=0:0:0,398=0:0:0

stats_tcps
Description TCP stream module info

Parameters last retrieve data for time interval ending now, and starting
days:hours:minutes:seconds
ex. 10:00:00:00 is 10 days, 00:10:00:00 is 10 hours
note: if unspecified, defaults to 0:0:0:1

sensor_id Comma separated list of Sensor ID numbers REQUIRED

Permissions Requires sysadm >= VIEW

Header Format Standard Header

Output Data Fields: device, starttime, lasttime, late, firsttime, currtime, lastts, secs,
total_processed, wire, enabled, config, runtime
wire is list of comma separated name=value pairs (if_errors=X,dropped=X,invalid=X,
captured=X)
config data is comma separated list of name=value pairs (hash=X,descriptors=X,
max. datagram=X bytes,timeout=X sec,shared mem=X MB,conv mem=X MB)
runtime data is comma separated list of name=value pairs
(faults=X,frags=X,rebuilt=X,descriptors=X)

stats_tcps_graph
Description TCP stream module graph

Parameters last retrieve data for time interval ending now, and starting
days:hours:minutes:seconds
ex. 10:00:00:00 is 10 days, 00:10:00:00 is 10 hours
note: if unspecified, defaults to 0:0:0:1

sensor_id Comma separated list of Sensor ID numbers REQUIRED

Permissions Requires sysadm >= VIEW

Header Format Standard Header

Output Data Fields: graph, graph_vals


graph field is comma-delimited list
graph_vals field is comma-delimited list of name=value pairs, where the value is a colon-
delimited list of values that match the graph fields

stats_tcpk
Description access module info

Parameters last retrieve data for time interval ending now, and starting
days:hours:minutes:seconds
ex. 10:00:00:00 is 10 days, 00:10:00:00 is 10 hours
note: if unspecified, defaults to 0:0:0:1

sensor_id Comma separated list of Sensor ID numbers REQUIRED

Permissions Requires sysadm >= VIEW

Header Format Standard Header

Output Data Fields: device, starttime, lasttime, late, firsttime, currtime, lastts, secs,
total_processed, wire, enabled, requests, resets, sent, history
wire is list of comma separated name=value pairs (if_errors=X,dropped=X,invalid=X,
captured=X)

stats_tcpk_graph
Description access module graph

Parameters last retrieve data for time interval ending now, and starting
days:hours:minutes:seconds
ex. 10:00:00:00 is 10 days, 00:10:00:00 is 10 hours
note: if unspecified, defaults to 0:0:0:1

sensor_id Comma separated list of Sensor ID numbers REQUIRED

Permissions Requires sysadm >= VIEW

Header Format Standard Header

Output Data Fields: graph, graph_vals


graph field is comma-delimited list
graph_vals field is comma-delimited list of name=value pairs, where the value is a colon-
delimited list of values that match the graph fields

stats_iptrap
Description iptrap info

Parameters last retrieve data for time interval ending now, and starting
days:hours:minutes:seconds
ex. 10:00:00:00 is 10 days, 00:10:00:00 is 10 hours
note: if unspecified, defaults to 0:0:0:1

sensor_id Comma separated list of Sensor ID numbers REQUIRED

Permissions Requires sysadm >= VIEW

Header Format Standard Header

Output Data Fields: name, count, lg(count)

stats_iptrap_graph
Description iptrap module graph

Parameters last retrieve data for time interval ending now, and starting
days:hours:minutes:seconds
ex. 10:00:00:00 is 10 days, 00:10:00:00 is 10 hours
note: if unspecified, defaults to 0:0:0:1

sensor_id Comma separated list of Sensor ID numbers REQUIRED

Permissions Requires sysadm >= VIEW

Header Format Standard Header

Output Data Fields: graph, graph_vals


graph field is comma-delimited list
graph_vals field is comma-delimited list of name=value pairs, where the value is a colon-
delimited list of values that match the graph fields

stats_ilm
Description throttling module info

Parameters last retrieve data for time interval ending now, and starting
days:hours:minutes:seconds
ex. 10:00:00:00 is 10 days, 00:10:00:00 is 10 hours
note: if unspecified, defaults to 0:0:0:1

sensor_id Comma separated list of Sensor ID numbers REQUIRED

Permissions Requires sysadm >= VIEW

Header Format Standard Header

Output Data Fields: device, starttime, lasttime, late, firsttime, currtime, lastts, secs,
total_processed, wire, enabled, throttleEnable, runtime_packet, runtime_byte

stats_ilm_graph_pps
Description throttling module graph packets per second

Parameters last retrieve data for time interval ending now, and starting
days:hours:minutes:seconds
ex. 10:00:00:00 is 10 days, 00:10:00:00 is 10 hours
note: if unspecified, defaults to 0:0:0:1

sensor_id Comma separated list of Sensor ID numbers REQUIRED

Permissions Requires sysadm >= VIEW

Header Format Standard Header

Output Data Fields: graph, graph_vals


graph field is comma-delimited list
graph_vals field is comma-delimited list of name=value pairs, where the value is a colon-
delimited list of values that match the graph fields

Details see stats_graph_bps

stats_ilm_graph_bps
Description throttling module graph bytes per second

Parameters last retrieve data for time interval ending now, and starting
days:hours:minutes:seconds
ex. 10:00:00:00 is 10 days, 00:10:00:00 is 10 hours
note: if unspecified, defaults to 0:0:0:1

sensor_id Comma separated list of Sensor ID numbers REQUIRED

Permissions Requires sysadm >= VIEW

Header Format Standard Header

Output Data Fields: graph, graph_vals


graph field is comma-delimited list
graph_vals field is comma-delimited list of name=value pairs, where the value is a colon-
delimited list of values that match the graph fields

Details see stats_graph_bps

stats_icap
Description icap module info

Parameters last retrieve data for time interval ending now, and starting
days:hours:minutes:seconds
ex. 10:00:00:00 is 10 days, 00:10:00:00 is 10 hours
note: if unspecified, defaults to 0:0:0:1

sensor_id Comma separated list of Sensor ID numbers REQUIRED

Permissions Requires sysadm >= VIEW

Header Format Standard Header

Output Data Fields: device, starttime, lasttime, late, firsttime, currtime, lastts, secs,
total_processed, wire, enabled, protocol_transaction, protocol_error, connection, traffic

stats_icap_graph
Description ICAP module graph

Parameters last retrieve data for time interval ending now, and starting
days:hours:minutes:seconds
ex. 10:00:00:00 is 10 days, 00:10:00:00 is 10 hours
note: if unspecified, defaults to 0:0:0:1

sensor_id Comma separated list of Sensor ID numbers REQUIRED

Permissions Requires sysadm >= VIEW

Header Format Standard Header

Output Data Fields: graph, graph_vals


graph field is comma-delimited list
graph_vals field is comma-delimited list of name=value pairs, where the value is a colon-
delimited list of values that match the graph fields

stats_mailer
Description mailer module info

Parameters last retrieve data for time interval ending now, and starting
days:hours:minutes:seconds
ex. 10:00:00:00 is 10 days, 00:10:00:00 is 10 hours
note: if unspecified, defaults to 0:0:0:1

sensor_id Comma separated list of Sensor ID numbers REQUIRED

Permissions Requires sysadm >= VIEW

Header Format Standard Header

Output Data Fields: device, starttime, lasttime, late, firsttime, currtime, lastts, secs,
total_processed, wire, enabled, runtime

stats_mailer_graph
Description Mailer module graph

Parameters last retrieve data for time interval ending now, and starting
days:hours:minutes:seconds
ex. 10:00:00:00 is 10 days, 00:10:00:00 is 10 hours
note: if unspecified, defaults to 0:0:0:1

sensor_id Comma separated list of Sensor ID numbers REQUIRED

Permissions Requires sysadm >= VIEW

Header Format Standard Header

Output Data Fields: graph, graph_vals


graph field is comma-delimited list
graph_vals field is comma-delimited list of name=value pairs, where the value is a colon-
delimited list of values that match the graph fields

Details see stats_graph_bps

stats_ses
Description Returns number of violating sessions and the actions taken, for each supported protocol
(in alphabetical order) in the selected report period

Parameters aproto_id 0 = Return combined results for all protocols

edate End date in UNIX time format REQUIRED

sdate Start date in UNIX time format REQUIRED

sensor_id Comma separated list of sensor ID's REQUIRED

type Type of timescale (stats are kept longer for bigger types)
0: hour, 1: day, 2: week, 3: month, 4: year
Default is 0

Permissions Requires rprts >= VIEW

Header Format Standard Header

Output Data Fields: total, violate, act0, act1...act-N, aprotoid, aproto, edate

stats_ses_graph
Description Graph format output of violating sessions and the actions taken for each supported
protocol (in alphabetical order) in the selected report period

Parameters aproto_id 0 = Return combined results for all protocols

edate End date in UNIX time format REQUIRED

sdate Start date in UNIX time format REQUIRED

sensor_id Comma separated list of sensor ID's REQUIRED

type Type of timescale (stats are kept longer for bigger types)
0: hour, 1: day, 2: week, 3: month, 4: year
Default is 0

Permissions Requires rprts >= VIEW

Header Format Standard Header

Output Data Fields: graph, graph_vals


graph field is comma-delimited list of protocol-name:protocol-id
graph_vals field is comma-delimited list of index=value pairs, where the index is the
graph field time offset from the start date. The value is a colon-delimited list of values
that match the graph fields, each value is dash-separated for "total", "violate" and
"actions" counts. The action counts are further plus-sign-separated for each type of
action.
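The graph/graph_vals encoding described for stats_graph_bps above, and the nested dash- and plus-separated variant used by stats_ses_graph here, are easy to decode incorrectly when a value list does not line up with the graph header. The parser below is example code added for this guide (not part of the Fidelis API or its documentation): it decodes both layouts and rejects mismatched counts. The bytes-per-second sample is the guide's own stats_graph_bps example; the stats_ses_graph sample, its protocol names and offsets are constructed, since the guide gives none.

```python
"""Decode the graph / graph_vals pair returned by the stats_* graph functions.

Example code added for this guide, not part of the Fidelis API.  Two layouts:
  simple (stats_graph_bps, stats_graph_pps, stats_ipdefrag_graph, ...):
      graph="TCP,UDP,ICMP,ARP,other"  graph_vals="247=295:70:0:8:0,547=..."
  stats_ses_graph:
      graph="name:id,..."  graph_vals="offset=total-violate-a0+a1+..:<next>,..."
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


class GraphFormatError(ValueError):
    """graph_vals is malformed or does not line up with the graph header."""


def _split_pairs(graph_vals: str) -> List[Tuple[int, str]]:
    """Split 'k=v,k=v,...' into (int key, raw value) tuples in server order."""
    pairs = []
    for item in filter(None, (p.strip() for p in graph_vals.split(","))):
        key, sep, value = item.partition("=")
        if not sep or not key.strip().isdigit():
            raise GraphFormatError(f"bad graph_vals item {item!r}")
        pairs.append((int(key), value))
    return pairs


def parse_simple_graph(graph: str, graph_vals: str) -> Dict[int, Dict[str, int]]:
    """Return {time_key: {field_name: value}} for the simple layout."""
    fields = [f.strip() for f in graph.split(",") if f.strip()]
    series = {}
    for key, value in _split_pairs(graph_vals):
        values = value.split(":")
        # One value per graph field, or the columns would be silently misaligned.
        if len(values) != len(fields):
            raise GraphFormatError(
                f"key {key}: expected {len(fields)} values, got {len(values)}")
        series[key] = {name: int(v) for name, v in zip(fields, values)}
    return series


@dataclass(frozen=True)
class SessionCounts:
    total: int
    violate: int
    actions: Tuple[int, ...]  # one counter per action type, in server order


def parse_ses_graph(graph: str, graph_vals: str) -> Dict[int, Dict[str, SessionCounts]]:
    """Return {offset_from_sdate: {proto_name: SessionCounts}} for stats_ses_graph."""
    protocols = []
    for entry in filter(None, (e.strip() for e in graph.split(","))):
        name, sep, proto_id = entry.rpartition(":")  # graph entries are 'name:id'
        if not sep or not name or not proto_id.isdigit():
            raise GraphFormatError(f"bad protocol entry {entry!r}")
        protocols.append(name)
    series = {}
    for offset, value in _split_pairs(graph_vals):
        per_proto = value.split(":")  # one colon-delimited slot per protocol
        if len(per_proto) != len(protocols):
            raise GraphFormatError(
                f"offset {offset}: expected {len(protocols)} protocols, got {len(per_proto)}")
        counts = {}
        for proto, triple in zip(protocols, per_proto):
            parts = triple.split("-")  # 'total-violate-actions'
            if len(parts) != 3:
                raise GraphFormatError(f"offset {offset}/{proto}: want total-violate-actions")
            total, violate, acts = parts
            actions = tuple(int(a) for a in acts.split("+")) if acts else ()
            counts[proto] = SessionCounts(int(total), int(violate), actions)
        series[offset] = counts
    return series


def peak(series: Dict[int, Dict[str, int]], field: str) -> Tuple[int, int]:
    """(time_key, value) of the largest sample of `field` in a simple series."""
    key = max(series, key=lambda k: series[k][field])
    return key, series[key][field]


# Sample taken from the stats_graph_bps example in this guide.
BPS_GRAPH = "TCP,UDP,ICMP,ARP,other"
BPS_VALS = ("247=295:70:0:8:0,547=310:70:0:6:0,847=285:72:0:7:0,"
            "1147=273:68:0:5:0,1448=232:75:0:8:0")

# Constructed stats_ses_graph sample (the guide gives none): two protocols,
# three action types, samples at offsets 0 and 3600 seconds from sdate.
SES_GRAPH = "HTTP:1,SMTP:2"
SES_VALS = "0=120-3-2+1+0:40-1-1+0+0,3600=95-0-0+0+0:52-2-1+1+0"

if __name__ == "__main__":
    bps = parse_simple_graph(BPS_GRAPH, BPS_VALS)
    print("TCP peak (time, bytes/s):", peak(bps, "TCP"))  # (547, 310)
    ses = parse_ses_graph(SES_GRAPH, SES_VALS)
    print("SMTP at sdate+3600:", ses[3600]["SMTP"])
```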

stats_dns
Description DNS module info

Parameters last retrieve data for time interval ending now, and starting
days:hours:minutes:seconds
ex. 10:00:00:00 is 10 days, 00:10:00:00 is 10 hours
note: if unspecified, defaults to 0:0:0:1

sensor_id Comma separated list of Sensor ID numbers REQUIRED

Permissions Requires sysadm >= VIEW

Header Format Standard Header

Output Data Fields: device, starttime, lasttime, late, firsttime, currtime, lastts, total_processed,
wire, enabled, config, runtime

stats_dns_graph
Description DNS module graph

Parameters last retrieve data for time interval ending now, and starting
days:hours:minutes:seconds
ex. 10:00:00:00 is 10 days, 00:10:00:00 is 10 hours
note: if unspecified, defaults to 0:0:0:1

sensor_id Comma separated list of Sensor ID numbers REQUIRED

Permissions Requires sysadm >= VIEW

Header Format Standard Header

Output Data Fields: graph, graph_vals


graph field is comma-delimited list
graph_vals field is comma-delimited list of name=value pairs, where the value is a colon-
delimited list of values that match the graph fields

stats_ses_enabled
Description Get sensor collects session stats status

Parameters sensor_id Comma separated list of sensor ID's REQUIRED

Permissions Requires sysadm >= VIEW

Header Format Standard Header

Output Data Fields: sen_id, enabled

stats_avg_alerts_graph
Description average alerts insert rate graph

Parameters last retrieve data for time interval ending now, and starting
days:hours:minutes:seconds
ex. 10:00:00:00 is 10 days, 00:10:00:00 is 10 hours
note: if unspecified, defaults to 0:0:0:1

sensor_id Comma separated list of Sensor ID numbers


note: if unspecified, defaults to all sensors

Permissions Requires sysadm >= VIEW

Header Format Standard Header

Output Data Fields: graph, graph_vals


graph field is comma-delimited list
graph_vals field is comma-delimited list of name=value pairs, where the value is a colon-
delimited list of values that match the graph fields

Details see stats_graph_bps

stats_mded
Description Returns mded statistics in the selected report period

Parameters last retrieve data for time interval ending now, and starting
days:hours:minutes:seconds
ex. 10:00:00:00 is 10 days, 00:10:00:00 is 10 hours
note: if unspecified, defaults to 0:0:10:0

sensor_id Sensor ID number REQUIRED

type Type of stats (spoolc_drops, spf_writes, spf_reads, etc.)

Permissions Requires rprts >= VIEW

Header Format Standard Header

Output Data Fields: Self-describing XML

stats_mded_graph
Description iptrap module graph

Parameters last retrieve data for time interval ending now, and starting
days:hours:minutes:seconds
ex. 10:00:00:00 is 10 days, 00:10:00:00 is 10 hours
note: if unspecified, defaults to 0:0:10:0

sensor_id Sensor ID number REQUIRED

type Type of stats (spoolc_drops, spf_writes, spf_reads, etc.)

Permissions Requires sysadm >= VIEW

Header Format Standard Header

Output Data Fields: graph, graph_vals


graph field is comma-delimited list
graph_vals field is comma-delimited list of name=value pairs, where the value is a colon-
delimited list of values that match the graph fields

stats_sensor_metadata_sent
Description Return metadata sent for each sensor in sessions

Parameters edate End date in UNIX time format

id Sensor id

last Retrieve data for time interval ending now, and starting
days:hours:minutes:seconds

sdate Start date in UNIX time format

Header Format Standard Header

Output OK for success

stats_vertica_sys_resources
Description Return vertica system resources

Parameters edate End date in UNIX time format

last Retrieve data for time interval ending now, and starting
days:hours:minutes:seconds

name Collector name

sdate Start date in UNIX time format

Header Format Standard Header

Output OK for success

collector_analytics_rule_statistics
Description Returns statistics of collector analytic rules

Parameters amount A value between 1 and 100000

edate End time (epoch time) of exec start time

ids Comma separated list of job_id or rule_id values, depending on type

none_zero_alert_count Flag to return only records with an alert count > 0

none_zero_result_count Flag to return only records with a result count > 0

sdate Start time (epoch time) of exec start time

start Start offset

type Query type, job or rule REQUIRED

Header Format Standard Header

Output OK for success

Tickets
The Fidelis API offers a built-in issue tracking system. The functions below are used to open, assign,
close, comment, and retrieve historical ticket information.

it_users
Description DEPRECATED Breakdown by users for issue tracking

Parameters Refer to Search & Filter

Permissions Requires tcktlst >= VIEW

Header Format Standard Header

Output Data Fields: userID, user, priority, alert_cnt, compr

it_status
Description DEPRECATED Breakdown by status for issue tracking

Parameters Refer to Search & Filter

Permissions Requires tcktlst >= VIEW

Header Format Standard Header

Output Data Fields: status, priority, alert_cnt, compr

it_resolution
Description DEPRECATED Breakdown by resolution for issue tracking

Parameters Refer to Search & Filter

Permissions Requires tcktlst >= VIEW

Header Format Standard Header

Output Data Fields: resolution, priority, alert_cnt, compr

it_get
Description DEPRECATED Returns Issue Tracking user_id, user_name, status, resolution for
particular alert

Parameters alert_id Alert ID REQUIRED

Permissions Requires tcktlst >= VIEW

Header Format Standard Header

Output Data Fields: userID, user, status, resolution

it_set
Description DEPRECATED Sets Issue Tracking user_id, status, resolution for particular alert

Parameters alert_id Alert ID

ch_group_id Group ID

it_action open | edit | close | unassign | chgroup REQUIRED

it_annot freeform text

it_header freeform text

it_resolution "Action taken" | "Allowed" | "False positive" | "No action taken"

it_user_id User ID

yes REQUIRED

Permissions Requires tcktlst >= MODIFY

Header Format None

Output "Ok" on success

it_history
Description DEPRECATED Returns Issue Tracking history for an alert

Parameters alert_id Alert ID REQUIRED

Permissions Requires tcktlst >= VIEW

Header Format Standard Header

Output Data Fields: time, user, action, header, annotation

Investigations
The API provides functions to create, modify, delete, or update investigations and the
investigation items within an investigation.

investigation_add
Description DEPRECATED Adds investigation with schedule.

Parameters comment comment

flags investigation permission, private = 0, public_ro = 1, public_rw = 2

inv_name investigation name

status status, open=0, closed=1, archived=2

user_name investigation user name

Header Format Standard Header

Output "Ok" on success

investigation_del
Description DEPRECATED Deletes an investigation

Parameters inv_name investigation name

Header Format Standard Header

Output "Ok" on success

investigation_update
Description DEPRECATED Updates existing investigation

Parameters comment comment

flags investigation permission, private = 0, public_ro = 1, public_rw = 2

inv_name investigation name (for lookup)

name new investigation name (for update)

status status, open=0, closed=1, archived=2

user_name investigation user name

Header Format Standard Header

Output "Ok" on success

investigation_list
Description DEPRECATED Returns a list of investigations. If optional parameters are used, the
results are filtered.

Parameters flags investigation permission, private = 0, public_ro = 1, public_rw = 2

status status, open=0, closed=1, archived=2

user_name investigation user name

Header Format Standard Header

Output Data Fields: name, user_name, timestamp, status, flags, modify_user, update_timestamp

investigation_item_add
Description DEPRECATED Adds investigation item

Parameters inv_item_name investigation item name

inv_name investigation name

params investigation item bookmark, with key=value pairs separated by comma

type investigation item type, alert=0, session=1, alert_search=2,
session_search=3, metadata_session=4

comment comment

Header Format Standard Header

Output Data Fields: id

investigation_item_del
Description DEPRECATED Deletes an investigation item

Parameters id investigation item id

Header Format Standard Header

Output "Ok" on success

investigation_item_update
Description DEPRECATED Updates an investigation item

Parameters id investigation item ID

inv_item_name investigation item name

inv_name investigation name

comment comment

type investigation item type, alert=0, session=1, alert_search=2, session_search=3

Header Format Standard Header

Output "Ok" on success

investigation_item_list
Description DEPRECATED Returns a list of investigation items. If optional parameters are used, the
results are filtered.

Parameters inv_name investigation name

params investigation item bookmark, with key=value pairs separated by comma

search_text search string for comments in investigation items

type investigation item type, alert=0, session=1, alert_search=2, session_search=3

Header Format Standard Header

Output Data Fields: name, inv_name, type, bookmark, comment, cre_user, cre_timestamp,
mod_user, mod_timestamp

investigation_user
Description DEPRECATED Returns a list of users (myself+users having public investigations).

Parameters status investigation status

Header Format Standard Header

Output Data Fields: user_name


Collector_Failover
The API provides the functionalities for Collector failover.

collectorcontrollermgr_rmtok
Description DEPRECATED Removes token from the given collector controller

Parameters sensor_id Collector controller's sensor ID REQUIRED

Permissions Requires sysadm >= MODIFY

Header Format Standard Header

Output "Ok\nyes" on success

collectorip_for_sensorip
Description Provides collector IP

Parameters s_ipaddr Collector controller's sensor IP REQUIRED

Permissions Requires sysadm >= NOPERM

Header Format Standard Header

Output "Ok\nyes" on success

failoverip_for_collectorip
Description Provides collector's failover IP

Parameters s_ipaddr Collector controller's sensor IP REQUIRED

Permissions Requires sysadm >= NOPERM

Header Format Standard Header

Output "Ok\nyes" on success

primaryname_for_collectorip
Description Provides primary collector's IP

Parameters s_ipaddr Collector controller's sensor IP REQUIRED


Permissions Requires sysadm >= NOPERM

Header Format Standard Header

Output "Ok\nyes" on success

Collector_DR
The API provides the functionalities for Collector DR.

collector_dr_clear
Description Remove DR setup

Parameters s_ipaddr IP address of current DR source collector (REQUIRED)

Header Format Standard Header

Output OK on success

collector_dr_create
Description Setup DR with existing registered collectors.

Parameters source_ip IP address of registered collector source (REQUIRED)

target_ip IP address of registered but inactive collector (REQUIRED)

Header Format Standard Header

Output OK on success

collector_dr_switch
Description Switch a DR collector.

Parameters source_ip IP address of the current DR source collector (REQUIRED)

target_ip IP address of the current DR target collector (REQUIRED)

Header Format Standard Header

Output OK on success


collector_dr_set_switch_wait_minutes
Description Modify switch_wait_minutes for DR by source or target collector IP address.

Parameters source_ip IP address of the current DR source collector

switch_wait_minutes minutes before switch REQUIRED, -1: no auto switch

target_ip IP address of the current DR target collector.

Header Format No Header

Output Ok on success.

collector_dr_get_switch_wait_minutes
Description Get switch_wait_minutes of DR setup of specific collector.

Parameters s_ipaddr Collector IP address. REQUIRED

Header Format No Header

Output Ok on success.

collector_dr_set_sync_wait_minutes
Description DEPRECATED Set sync_wait_minutes.

Parameters source_ip source collector ip (REQUIRED) if target_ip is not specified

sync_wait_minutes minutes before sync

target_ip DR collector. This parameter or source_ip is REQUIRED, but not both.

Header Format No Header

Output Ok on success.

collector_dr_get_candidates
Description DEPRECATED Get DR collector candidates for specific collector.

Parameters s_ipaddr Collector IP address. REQUIRED

Header Format No Header

Output Get tab-delimited names and IP addresses of collectors that can be DR targets.


collector_dr_get
Description Report the other collector in DR setup, by collector name or IP address.

Parameters collector collector name. .

s_ipaddr collector IP address

Header Format Standard Header

Output The DR collector linked to the functioning input collector.

Collector_Analytics
The API provides the functionalities to create, modify, delete, or update collector analytics rules, labels,
and automations.

collector_analytics_rule_add
Description Adds a collector analytic rule.

Parameters action action taken 1=alert, 2=save, REQUIRED

comment comment

expr Json format expression REQUIRED

fss_from where the rule is from, gui or feed REQUIRED

group alert group name REQUIRED

name collector analytic rule name REQUIRED

severity collector analytic rule severity, integer: 1-low, 2-med, 3-high, 4-critical REQUIRED

type collector analytic rule type, frequency or sequence REQUIRED

user_name user name

Header Format Standard Header

Output id for newly added rule


collector_analytics_rule_update
Description Updates an existing collector analytic rule.

Parameters action action taken alert, mail, save

comment comment

expr Json format expression

fss_from where the rule is from, gui or feed

group alert group name

id collector analytic rule id REQUIRED

name collector analytic rule name

severity collector analytic rule severity, integer: 1-low, 2-med, 3-high, 4-critical

type collector analytic rule type, frequency or sequence

user_name user name

Header Format Standard Header

Output "Ok" on success

collector_analytics_rule_del
Description Deletes a collector analytic rule.

Parameters id collector analytic rule id REQUIRED

Header Format Standard Header

Output "Ok" on success


collector_analytics_rule_list
Description Returns a list of collector analytic rules. If optional parameters are used, the results are
filtered.

Parameters action action taken alert, mail, save

fss_from where the rule is from, gui or feed

group alert group name

id collector analytic rule id

name collector analytic rule name

severity collector analytic rule severity, integer: 1-low, 2-med, 3-high, 4-critical

type collector analytic rule type, frequency or sequence

user_name user name

Header Format Standard Header

Output Data Fields: id, name, type, severity, actions, create_user, modify_user, create_time,
modify_time, from, group_name, version, expr, comment

collector_analytics_rule_import
Description Import rule(s) from a tgz file.

Parameters collector_list If the collector_list is specified, the rule will be scheduled on the
collectors as automatic

filename File name with full path of the rule to be imported REQUIRED

Header Format Standard Header

Output "Ok" on success

collector_analytics_rule_export
Description Export rule(s) to a file.

Parameters filename file to be exported; if the file name ends with .tgz, it is tar-gzipped,
otherwise output as plain text; if empty, output to screen

id collector analytic rule id

name collector analytic rule name

Header Format Standard Header

Output "Ok" on success

collector_analytics_label_add
Description Adds collector analytics label

Parameters label collector analytics label name REQUIRED

comment comment

user_name user name

Header Format Standard Header

Output "OK" on success

collector_analytics_label_del
Description Deletes a collector analytics label

Parameters label_id collector analytics label ID REQUIRED

Header Format Standard Header

Output "Ok" on success

collector_analytics_label_update
Description Updates a collector analytics label

Parameters label collector analytics label name

label_id collector analytics label ID REQUIRED

user_name user name

comment comment

Header Format Standard Header

Output "Ok" on success


collector_analytics_label_list
Description Returns a list of collector analytics labels. If optional parameters are used, the results are
filtered.

Parameters label collector analytics label name

label_id collector analytics label ID

user_name user name

Header Format Standard Header

Output Data Fields: id, name, create_user, modify_user, create_time, modify_time, comment

collector_analytics_label_rule_id_list
Description Returns a list of label rule id pairs. If optional parameters are used, the results are filtered.

Parameters id collector analytics rule id

label_id collector analytics label ID

user_name user name

Header Format Standard Header

Output Data Fields: rule_id, label_id

collector_analytics_label_rule_add
Description Adds a collector analytics rule to a label.

Parameters id rule id REQUIRED

label_id label id REQUIRED

Header Format Standard Header

Output "OK" for success

collector_analytics_label_rule_del
Description Deletes a collector analytics rule from a label.

Parameters id rule id REQUIRED

label_id label id REQUIRED


Header Format Standard Header

Output "OK" for success

collector_analytics_label_rule_list
Description List collector analytics rules in a label.

Parameters label_id label id REQUIRED

Header Format Standard Header

Output "OK" for success

collector_analytics_job_add
Description Adds collector analytics job

Parameters collector_list list of collector names to run the job, comma separated (REQUIRED
unless type=FEED, in which case the default is all collectors)

edate timestamp to end scanning data (REQUIRED for oneTime)

feed_source The type of feed. For custom feeds this must be either omitted or
identical to the name

feed_type The type of feed, such as custom

first_run_time date and time for the first run (ignored for auto, 2 AM by default
for feeds)

frequency frequency to run the rule (oneTime/automatic/1 (hourly)/6 (hours)/12 (hours)/24 (daily)/168 (weekly)) REQUIRED

id collector analytics rule id to this job REQUIRED unless there is no rule id.

name collector analytics job name REQUIRED if there is no rule id.

sdate timestamp to start scanning data (REQUIRED for oneTime)

status Enabled or Disabled REQUIRED

Header Format Standard Header

Output Data Fields: job_id
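The requirements in the collector_analytics_job_add entry are conditional: sdate and edate only for oneTime, collector_list unless the job is a feed job, a rule id or otherwise a name, and an explicit status. The following added example, which is not code from the Fidelis guide or product, checks a parameter set against those rules before serialising it into a query string. Treating a non-empty feed_type as "feed job", epoch-second timestamps, and passing the parameter names straight through to the CGI are this example's assumptions.

```python
"""Check a collector_analytics_job_add parameter set before submitting it.

Added example; not code from the Fidelis guide or product. It encodes the
conditional requirements from the job_add entry. Assumptions: a non-empty
feed_type marks a feed job, timestamps are epoch seconds, and the
parameter names are passed straight through to the CGI.
"""
from urllib.parse import urlencode

# Frequency values listed for job_add / job_modify.
FREQUENCIES = {"oneTime", "automatic", "1", "6", "12", "24", "168"}


def validate_job_add(params):
    """Return a list of problems; an empty list means the request is consistent."""
    problems = []
    freq = str(params.get("frequency", ""))
    if freq not in FREQUENCIES:
        problems.append("frequency must be one of %s" % ", ".join(sorted(FREQUENCIES)))
    if params.get("status") not in ("Enabled", "Disabled"):
        problems.append("status must be Enabled or Disabled")
    # A rule id is required unless the job has no rule, in which case name is.
    if not params.get("id") and not params.get("name"):
        problems.append("id (rule id) or name is required")
    # collector_list is required unless this is a feed job (default: all collectors).
    is_feed = bool(params.get("feed_type"))
    if not is_feed and not params.get("collector_list"):
        problems.append("collector_list is required for non-feed jobs")
    # A oneTime job scans a fixed window, so both ends are required and ordered.
    if freq == "oneTime":
        sdate, edate = params.get("sdate"), params.get("edate")
        if sdate is None or edate is None:
            problems.append("sdate and edate are required for oneTime")
        elif int(edate) <= int(sdate):
            problems.append("edate must be later than sdate")
    # first_run_time is ignored for automatic jobs; flag it so nobody relies on it.
    if freq == "automatic" and params.get("first_run_time"):
        problems.append("first_run_time is ignored for automatic jobs")
    return problems


def job_add_query(params):
    """Serialise a validated parameter set into the CGI query string."""
    problems = validate_job_add(params)
    if problems:
        raise ValueError("; ".join(problems))
    out = dict(params)
    # The API wants a comma-separated collector_list; accept a Python list too.
    if isinstance(out.get("collector_list"), (list, tuple)):
        out["collector_list"] = ",".join(out["collector_list"])
    return urlencode(out)


if __name__ == "__main__":
    job = {"id": 17, "frequency": "oneTime", "sdate": 1700000000,
           "edate": 1700086400, "collector_list": ["col1", "col2"],
           "status": "Enabled"}
    print(job_add_query(job))
```

The same checks apply to collector_analytics_job_modify, except that there collector_list and rule_id are always required; adjust the feed branch accordingly if you reuse the function.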


collector_analytics_job_list
Description Returns a list of collector analytics jobs.

Parameters id job id REQUIRED

Header Format Standard Header

Output Data Fields: job_id, rule_id, rule_name, frequency, first_run_time, sdate, edate, collector_list, status

collector_analytics_job_cancel
Description Cancel a collector analytics job on a collector.

Parameters id job id REQUIRED

name collector name REQUIRED

Header Format Standard Header

Output "OK"

collector_analytics_job_modify
Description Modifies a collector analytics job.

Parameters collector_list list of collector names to run the job, comma separated REQUIRED

days_back_for_threats How far back for feeds to search

edate timestamp to end scanning data (REQUIRED for oneTime)

feed_filter Filter criteria to be met before an alert will be generated on a feed match. See the
search_text parameter for metadata_results and similar CGIs

first_run_time date and time for the first run (ignored for auto)

frequency frequency to run the rule (oneTime/automatic/1 (hourly)/6 (hours)/12 (hours)/24 (daily)/168 (weekly)) REQUIRED

id job id REQUIRED

rule_id collector analytics rule id to this job REQUIRED

sdate timestamp to start scanning data (REQUIRED for oneTime)

status Enabled or Disabled


Header Format Standard Header

Output "OK"

collector_analytics_job_enable
Description Enable a collector analytics job.

Parameters id job id REQUIRED

Header Format Standard Header

Output "OK"

collector_analytics_job_disable
Description Disable a collector analytics job.

Parameters id job id REQUIRED

Header Format Standard Header

Output "OK"

collector_analytics_job_del
Description Delete a collector analytics job.

Parameters id job id REQUIRED

Header Format Standard Header

Output "OK"

collector_analytics_rule_change_push
Description Push rule change to collectors.

Parameters id rule id REQUIRED

Header Format Standard Header

Output "OK"


collector_feeds
Description List name of collector feeds.

Header Format Standard Header

Output Data Fields: name

Metadata
The API provides the functionalities to retrieve metadata information from Collectors.

metadata_checksearch
Description Returns the parsed form of the search conditions; use it to verify a search_text value before submitting it to the other metadata CGIs

Parameters edate End time

metadata_json If specified, the search_text is using json expression

sdate Start time

search_text Search conditions. If metadata_json is specified, the condition is given as a json
expression and must be URL encoded, for example
--search_text%3D%7B%22composite%22%3A%7B%22logic%22%3A%22and%22%2C%22filters%22%3A%5B%7B%22simple%22%3A%7B%22column%22%3A%22Protocol%22%2C%22operator%22%3A%22%3E%22%2C%22value%22%3A%22HTTP%22%7D%7D%5D%7D%7D%20%0A%0A
which decodes to {"composite":{"logic":"and","filters":[{"simple":{"column":"Protocol","operator":">","value":"HTTP"}}]}}
(the trailing %20%0A%0A is only whitespace)

Permissions None

Header Format Summary Header


metadata_refine
Description Returns refine results for a given condition for a specific column

Parameters amount A value between 1 and 100000

edate End time

metadata_json If specified, the search_text is using json expression

s_ipaddr Collector IP REQUIRED

sdate Start time

search_text Search conditions. If metadata_json is specified, the condition is given as a json
expression and must be URL encoded, for example
--search_text%3D%7B%22composite%22%3A%7B%22logic%22%3A%22and%22%2C%22filters%22%3A%5B%7B%22simple%22%3A%7B%22column%22%3A%22Protocol%22%2C%22operator%22%3A%22%3E%22%2C%22value%22%3A%22HTTP%22%7D%7D%5D%7D%7D%20%0A%0A

sortby Column to refine on REQUIRED

Permissions Requires mtdts >= VIEW

Header Format Summary Header

metadata_results
Description Returns results (Search, Refine, Recent Transactions, Total transactions) for a given
search condition

Parameters amount A value between 1 and 100000

edate End time

extra_data Specify to print the complete attribute buffer as an extra column

max_q Total number of refines

metadata_json If specified, the search_text is using json expression

s_ipaddr Collector IP REQUIRED

sdate Start time

search_text Search conditions. If metadata_json is specified, the condition is given as a json
expression and must be URL encoded, for example
--search_text%3D%7B%22composite%22%3A%7B%22logic%22%3A%22and%22%2C%22filters%22%3A%5B%7B%22simple%22%3A%7B%22column%22%3A%22Protocol%22%2C%22operator%22%3A%22%3E%22%2C%22value%22%3A%22HTTP%22%7D%7D%5D%7D%7D%20%0A%0A

sortby Column to sort by


start Start offset

total If specified, calculate total, if not do not calculate total and show it
as -1

Permissions Requires mtdts >= VIEW

Header Format Summary Header

Output For data fields, see metadata_support

metadata_session
Description Returns session and transaction records for a specific session

Parameters edate End time

metadata_json If specified, the search_text is using json expression

rel_session_id Related session ID REQUIRED

s_ipaddr Collector IP REQUIRED

sdate Start time

search_text Search conditions (Timestamp only). If metadata_json is specified, the condition is
given as a json expression and must be URL encoded

sensor_name Sensor name REQUIRED

session_id Session ID REQUIRED

source_type Source type REQUIRED

uuid Sensor UUID REQUIRED

Permissions Requires mtdts >= VIEW

metadata_support
Description Returns supported columns and their attributes.


metadata_total
Description Returns total number of results (Total transactions) for a given search condition

Parameters edate End time

metadata_json If specified, the search_text is using json expression

s_ipaddr Collector IP REQUIRED

sdate Start time

search_text Search conditions. If metadata_json is specified, the condition is given as a json
expression and must be URL encoded, for example
--search_text%3D%7B%22composite%22%3A%7B%22logic%22%3A%22and%22%2C%22filters%22%3A%5B%7B%22simple%22%3A%7B%22column%22%3A%22Protocol%22%2C%22operator%22%3A%22%3E%22%2C%22value%22%3A%22HTTP%22%7D%7D%5D%7D%7D%20%0A%0A

sortby Column to get total on

Permissions Requires mtdts >= VIEW

metadata_timestamp
Description Returns the earliest timestamp available at the current time

Parameters s_ipaddr Collector IP REQUIRED

type If last, the latest timestamp available is returned

Permissions Requires mtdts >= VIEW

Header Format Summary Header

metadata_storage
Description Returns the disk usage by day in Gigabytes

Parameters cutoff value in kilobytes such that any value less than it will be replaced
with 0. Default is 10

s_ipaddr Collector IP REQUIRED

Permissions Requires sysadm >= VIEW

Header Format Summary Header


metadata_printapi_results
Description Returns results for a given search condition

Parameters amount Maximum number of results to return. The default value is 1,000,000.

edate End time in number of seconds elapsed since 00:00:00 on January 1, 1970.

metadata_json If specified, the search_text is using json expression

s_ipaddr Collector IP REQUIRED unless running directly logged into the Collector device.

sdate Start time in number of seconds elapsed since 00:00:00 on January 1, 1970.

search_text Search conditions. These must be URL encoded and accompanied by a search field.
For example: --search_text Timestamp%3E%222013-08-26%2B00%253A00%253A00%22+ServerIP%3D10.3.1.83
which decodes to Timestamp>"2013-08-26+00%3A00%3A00" ServerIP=10.3.1.83; conditions are
separated by a space (encoded as +), and the Timestamp value inside the quotes is itself
form-encoded, which is why its colons appear as %253A after the outer encoding.
If metadata_json is specified, the condition is given as a json expression and must be URL
encoded, for example
--search_text%3D%7B%22composite%22%3A%7B%22logic%22%3A%22and%22%2C%22filters%22%3A%5B%7B%22simple%22%3A%7B%22column%22%3A%22Protocol%22%2C%22operator%22%3A%22%3E%22%2C%22value%22%3A%22HTTP%22%7D%7D%5D%7D%7D%20%0A%0A
which decodes to {"composite":{"logic":"and","filters":[{"simple":{"column":"Protocol","operator":">","value":"HTTP"}}]}}

sortby Column to sort by. Note you cannot sort by the ExtraData column. Format is
column:<asc|desc>. For example: --sortby Timestamp:asc

Permissions Requires mtdts >= VIEW

Header Format No HTML Headers

Output The output is Excel-readable, tab-delimited, ASCII text with the following data columns:
Result, Transaction, SensorUUID, Sensor, Source, SessionID, RelSessionID, SessionStart, Duration,
ClientIP, ServerIP, ClientPort, ServerPort, Protocol, DecodingPath, Filename, ClientCountry,
ServerCountry, ClientFlag, ServerFlag, Direction, AppUser, From, To, Subject, Host, URL, Referer,
Tunnel, Transport, MD5, Filetype, Filesize, Timestamp, Tag, UserAgent, XForwardedFor, Client,
ExtraData

Details The following are valid search fields:
ClientIP, ServerIP, Protocol, ClientPort, ServerPort, Filename, AppUser, From, To, Subject,
SessionID, RelSessionID, DecodingPath, Timestamp, Action, ClientCountry, ServerCountry, Sensor,
Source, Direction, Host, URL, Referer, Tunnel, Transport, SensorUUID, Transaction, SessionStart,
Duration, MD5, AnyIP, AnyPort, AnyCountry, AnyString, AnyEmail, Filetype, Filesize, Tag,
MalwareName, MalwareType, MalwareSeverity, UserAgent, XForwardedFor, Client, HourOfDay, DayOfWeek,
ServerFQDN, SubDomainDGAScore, AVPositives, AntivirusEngines, UserSessionID, SHA256, Entropy,
SessionSize, PacketCount, Mode, Type, Encrypted, Cipher, Via, HeaderFooter, Authentication, Author,
CertSHA1Hash, StatusCode, VLANId, Version, Password, SNI, URLInEmail, UID, PCAPTimestamp,
PCAPFilename, ClientSessionSize, ClientPacketCount, ServerSessionSize, ServerPacketCount, Proxy,
ProxyPort, ClientAssetID, ClientAssetName, ClientUserName, ClientAssetRole, ClientAssetOS,
ClientAssetServices, ClientAssetType, ServerAssetID, ServerAssetName, ServerUserName,
ServerAssetRole, ServerAssetOS, ServerAssetServices, ServerAssetType, AnyAssetID, AnyAssetName,
AnyAssetUserName, AnyAssetRole, AnyAssetOS, AnyAssetServices, AnyAssetType, JA3Digest,
CertRiskScore, JA3SDigest, TacticID, TechniqueID, DomainName, SubDomain, DNSResponseCode,
DomainAlexaRank, SubDomainLength, ClientFlags, ServerFlags, RecordTTL, Identifier, Quality,
RecordType, HashMethod, JA3S, Connection, Command, CipherSuite, ServerCNAME, ServerAssetSubnetID,
ClientAssetSubnetID, AnyAssetSubnetID, EmailContentURLs, XHeader, DomainNameDGAScore,
SMTPFromDomain, MIMEFromDomain, CPID, EmailContentURLDomains, ClientASN, ClientASNName, ServerASN,
ServerASNName

Non-indexed attribute searches (searchable, but without an index, so expect slower queries):
Root, Server, Streamtype, ProxyConnection, Location, Database, Directory, DN, RecordName,
SMBDomain, Share, ReadWrite, Midstream, Title, SQL, SourceProxy, CreationDate, ModificationDate,
OSFamily, BinaryType, Profile, CompressionMethod, IssuerName, SubjectName, KeyLength, KeyUsage,
ExtendedKeyUsage, StartDate, EndDate, Contact, CallID, Media, SigningTime, Malformed, Suspicious,
EvasionTechnique, Reassembly, Packed, ImpHash, ReplyTo, MessageID, Architecture, MailDirection,
ServerInfo, Received, ReturnPath, Volume, Reason, ResponseCode, RecordData, ContentType,
DataEntropy, SubjectAltName, MailOriginIP, MailOriginGeo, JA3, requestedProtocol, selectedProtocol,
HASSHClient, HASSHServer, RichSignature, RichSignatureHash, RichSignaturePVHash, OuterVLANId,
UserFullName, Probability, ShareType, SMBSessionID
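The search_text parameter takes two shapes on this page: the plain "Field<op>value" conditions of metadata_printapi_results and, when metadata_json is set, the composite/simple JSON expression shown under metadata_checksearch, metadata_refine, metadata_results and metadata_total; both must be URL encoded. The following added example, which is not code from the Fidelis guide or product, builds both forms, reverses the guide's own encoded samples to confirm the encoding rules, and warns when a condition uses a column that is not in the indexed list above. The field sets are a subset of the lists above; the value "1" for the metadata_json flag and the helper names are assumptions.

```python
"""Build, encode and sanity-check search_text values for the metadata_* CGIs.

Added example; not code from the Fidelis guide or product. The field names are
a subset of those listed under metadata_printapi_results above. The value "1"
for the metadata_json flag and the helper names are assumptions.
"""
import json
from urllib.parse import quote, quote_plus, unquote, urlencode

# Subset of the indexed search fields listed under metadata_printapi_results.
INDEXED_FIELDS = {
    "ClientIP", "ServerIP", "Protocol", "ClientPort", "ServerPort", "Filename",
    "AppUser", "From", "To", "Subject", "SessionID", "RelSessionID", "Timestamp",
    "Host", "URL", "Referer", "MD5", "SHA256", "SNI", "ServerFQDN", "UserAgent",
    "JA3Digest", "JA3SDigest", "AnyIP", "AnyPort", "Tag",
}
# Subset of the "non-indexed attribute searches" from the same entry: legal,
# but expect them to be slower than indexed columns on a busy Collector.
NON_INDEXED_FIELDS = {
    "Root", "Server", "Streamtype", "Title", "SQL", "ImpHash", "JA3",
    "HASSHClient", "HASSHServer", "IssuerName", "SubjectName", "KeyLength",
}


def simple(column, operator, value):
    """One leaf condition of the JSON expression form."""
    return {"simple": {"column": column, "operator": operator, "value": value}}


def composite(logic, *filters):
    """Combine leaf or nested conditions with "and" / "or"."""
    return {"composite": {"logic": logic, "filters": list(filters)}}


def encode_json_search_text(expr):
    """Percent-encode a JSON expression for search_text when metadata_json is set."""
    return quote(json.dumps(expr, separators=(",", ":")), safe="")


def decode_json_search_text(encoded):
    """Inverse of the above; tolerates the trailing whitespace in the guide's sample."""
    return json.loads(unquote(encoded).strip())


def timestamp_condition(operator, ts):
    """Timestamp<op>"YYYY-MM-DD HH:MM:SS" in the plain form. The value is form-encoded
    once on its own, exactly as the metadata_printapi_results example shows."""
    return 'Timestamp%s"%s"' % (operator, quote_plus(ts))


def encode_plain_search_text(conditions):
    """Plain "Field<op>value" form: conditions are space-separated, then the whole
    string is form-encoded, so the separator comes out as "+"."""
    return quote_plus(" ".join(conditions))


def check_fields(expr):
    """Warn about columns that are unknown or not indexed, recursing into composites."""
    warnings = []
    if "simple" in expr:
        col = expr["simple"]["column"]
        if col in NON_INDEXED_FIELDS:
            warnings.append("non-indexed column: %s" % col)
        elif col not in INDEXED_FIELDS:
            warnings.append("unknown column: %s" % col)
    elif "composite" in expr:
        for child in expr["composite"]["filters"]:
            warnings.extend(check_fields(child))
    return warnings


def metadata_results_query(s_ipaddr, expr, amount=100, sdate=None, edate=None):
    """Query string for metadata_results; amount must be 1..100000 per the guide."""
    if not 1 <= amount <= 100000:
        raise ValueError("amount must be between 1 and 100000")
    params = {"s_ipaddr": s_ipaddr, "amount": amount, "metadata_json": "1"}
    if sdate is not None:
        params["sdate"] = sdate
    if edate is not None:
        params["edate"] = edate
    # search_text is already percent-encoded, so it is appended verbatim rather
    # than passed through urlencode (which would encode the "%" signs again).
    return urlencode(params) + "&search_text=" + encode_json_search_text(expr)


if __name__ == "__main__":
    expr = composite("and", simple("Protocol", ">", "HTTP"),
                     simple("ImpHash", "=", "deadbeef"))
    print(check_fields(expr))
    print(metadata_results_query("10.0.0.5", expr, amount=50))
```

Run metadata_checksearch with the encoded string before a large metadata_results or metadata_printapi_results query. The check_fields warning about non-indexed columns is a hint rather than a rejection, since the guide lists those attributes as searchable.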

metadata_XAnodes
Description Returns the status of XA nodes

Parameters s_ipaddr Collector IP REQUIRED

Permissions Requires sysadm >= VIEW

Header Format Summary Header

metadata_diskspace
Description Returns the disk space in Megabytes

Parameters s_ipaddr Collector IP REQUIRED


Permissions Requires sysadm >= VIEW

Header Format Summary Header

metadata_new
Description Returns metadata list with counts of new values in a column; compares across two time
windows--Current and Past

Parameters amount A value between 1 and 100000; default value is 25

edate Two comma separated timestamp values (in epoch time), end
time for Current and Past time windows REQUIRED

groupby Column name used for search for new values REQUIRED

s_ipaddr Collector IP REQUIRED

sdate Two comma separated timestamp values (in epoch time), start
time for Current and Past time windows REQUIRED

sortby ASC or DESC; default ASC

Permissions Requires mtdts >= VIEW

Header Format Summary Header

metadata_percentile
Description Returns metadata list with values in a column whose count falls below the percentile
parameter

Parameters amount A value between 1 and 100 that specifies the percentile limit
REQUIRED

edate Two comma separated timestamp values (in epoch time), end
time for Current and Past time windows

groupby Column name used for search for new values REQUIRED

s_ipaddr Collector IP REQUIRED

sdate Two comma separated timestamp values (in epoch time), start
time for Current and Past time windows

sortby ASC = bottom percentile, DESC = top percentile REQUIRED

Permissions Requires mtdts >= VIEW

Header Format Summary Header


metadata_outlier
Description Returns metadata list with values in a column whose count are outliers

Parameters amount Parameter determining what is an outlier; default value is 2

edate Two comma separated timestamp values (in epoch time), end
time for Current and Past time windows

groupby Column name used for search for new values REQUIRED

s_ipaddr Collector IP REQUIRED

sdate Two comma separated timestamp values (in epoch time), start
time for Current and Past time windows

Permissions Requires mtdts >= VIEW

Header Format Summary Header
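metadata_new, metadata_percentile and metadata_outlier all take sdate and edate as two comma-separated epoch values, one for the Current window and one for the Past window, and differ mainly in what amount and sortby mean. The following added example (not code from the Fidelis guide or product) derives both pairs from a single reference time so the two windows are contiguous; that layout is the example's choice, not a rule from the guide, while the Current,Past ordering follows the parameter descriptions above.

```python
"""Two-window sdate/edate pairs for metadata_new, metadata_percentile, metadata_outlier.

Added example; not code from the Fidelis guide or product. The "Current,Past"
ordering follows the parameter descriptions; making the Past window end where
the Current one starts is this example's choice.
"""
from urllib.parse import urlencode


def two_window_dates(now_epoch, current_seconds, past_seconds):
    """Return (sdate, edate) strings, each "current,past" in epoch seconds.

    Current covers [now - current_seconds, now]; Past covers the
    past_seconds immediately before it.
    """
    cur_start = now_epoch - current_seconds
    past_start = cur_start - past_seconds
    return "%d,%d" % (cur_start, past_start), "%d,%d" % (now_epoch, cur_start)


def metadata_new_query(s_ipaddr, groupby, now_epoch, current_seconds=86400,
                       past_seconds=7 * 86400, amount=25, sortby="ASC"):
    """Query string for metadata_new: values of `groupby` first seen in Current."""
    if not 1 <= amount <= 100000:
        raise ValueError("amount must be between 1 and 100000")
    if sortby not in ("ASC", "DESC"):
        raise ValueError("sortby must be ASC or DESC")
    sdate, edate = two_window_dates(now_epoch, current_seconds, past_seconds)
    return urlencode({"s_ipaddr": s_ipaddr, "groupby": groupby, "sdate": sdate,
                      "edate": edate, "amount": amount, "sortby": sortby})


def metadata_percentile_query(s_ipaddr, groupby, now_epoch, percentile, top=True,
                              current_seconds=86400, past_seconds=7 * 86400):
    """Query string for metadata_percentile: here amount is the percentile (1..100)
    and sortby selects the top (DESC) or bottom (ASC) of the distribution."""
    if not 1 <= percentile <= 100:
        raise ValueError("percentile must be between 1 and 100")
    sdate, edate = two_window_dates(now_epoch, current_seconds, past_seconds)
    return urlencode({"s_ipaddr": s_ipaddr, "groupby": groupby, "sdate": sdate,
                      "edate": edate, "amount": percentile,
                      "sortby": "DESC" if top else "ASC"})


if __name__ == "__main__":
    # New ServerFQDN values in the last day compared with the preceding week.
    print(metadata_new_query("10.0.0.5", "ServerFQDN", 1700000000))
```

urlencode turns the comma in each pair into %2C, which the CGI decodes back before splitting; do not pre-encode the pair yourself or the comma will arrive doubly encoded.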

metadata_groupby
Description Returns metadata list with counts of grouped columns

Parameters amount A value between 1 and 100000

edate End time

groupby Column name(s) used to perform group by, can also be combined
with one of minute/hour/day/week/month to groupby time

metadata_json If specified, the search_text is using json expression

s_ipaddr Collector IP REQUIRED

sdate Start time

search_text Search conditions. If metadata_json is specified, the condition is given as a json
expression and must be URL encoded

sortby Columns sorted

start Start offset

Permissions Requires mtdts >= VIEW

Header Format Summary Header


metadata_analytic_rule_results
Description Returns results of collector analytic rules

Parameters amount A value between 1 and 100000

edate End time (epoch time) of exec start time

groupby Correlation columns

id Collector Analytic Job Id

rule_id Collector Analytic Rule Id

s_ipaddr Collector IP REQUIRED

sdate Start time (epoch time) of exec start time

sortby Order by, one of, or a comma-separated list of:
ResultId/RuleStartTime/DetectTime/JobID/RuleID/RuleName/RuleType/Count

start Start offset

value Correlation values

Permissions Requires mtdts >= VIEW

Header Format Summary Header

metadata_analytic_rule_results_del
Description Delete results of collector analytic rules

Parameters id Collector Analytic Job Id REQUIRED

rule_id Collector Analytic Rule Id

s_ipaddr Collector IP REQUIRED

Permissions Requires mtdts >= VIEW

Header Format Summary Header


metadata_analytic_rule_results_count
Description Returns number of results and transactions

Parameters edate End time (epoch time) of exec start time

groupby Group by interval, minute/hour/day/week/month REQUIRED

id Collector Analytic Job Id

rule_id Collector Analytic Rule Id

s_ipaddr Collector IP REQUIRED

sdate Start time (epoch time) of exec start time

Permissions Requires mtdts >= VIEW

Header Format Summary Header

metadata_analytic_rule_results_query
Description Returns the json object used to query the result detail

Parameters expr Expression for the result; REQUIRED for alerts

id the result id; REQUIRED for saved results

s_ipaddr Collector IP REQUIRED

type the rule type; REQUIRED for alerts

Permissions Requires mtdts >= VIEW

Header Format Summary Header

metadata_queries
Description Return user queries and their running time

Parameters amount A value between 1 and 100000

edate End time (in epoch time)

s_ipaddr Collector IP REQUIRED

sdate Start time (in epoch time)

start Start offset

Permissions Requires mtdts >= VIEW

Header Format Summary Header


metadata_throughput
Description Show number of rows loaded into db

Parameters amount A value between 1 and 100000

edate End time (in epoch time)

s_ipaddr Collector IP REQUIRED

sdate Start time (in epoch time)

start Start offset

Permissions Requires mtdts >= VIEW

Header Format Summary Header

metadata_ok
Description Returns the connectivity status ('Ok' or 'ODBC connection error')

Parameters s_ipaddr Collector IP REQUIRED

Permissions Requires sysadm >= VIEW

Header Format Summary Header

metadata_dr_status
Description DEPRECATED Returns the DR copycluster status

Parameters s_ipaddr Collector IP REQUIRED

Permissions Requires sysadm >= VIEW

Header Format Summary Header

metadata_throughput_limit
Description Returns the throughput limit of the cluster, million rows/hour/node and Mbps/node

Parameters s_ipaddr Collector IP REQUIRED

Permissions Requires sysadm >= VIEW

Header Format Summary Header


metadata_projection_refresh_info
Description Report projection refresh info

Parameters s_ipaddr Collector IP REQUIRED

Permissions Requires sysadm >= VIEW

Header Format Summary Header

Utilities
This section of the API covers access to helper functions and miscellaneous data stored by
CommandPost.

audit_list
Description Returns a list of audit entries filtered by one of the parameters

Parameters amount Maximum number of audit entries to return

date Retrieve data for the given date YYYY-MM-DD (eg. 2006-08-08)

last Retrieve data for time interval ending now, and starting
days:hours:minutes:seconds
ex. 10:00:00:00 is 10 days, 00:10:00:00 is 10 hours

params One of the following parameters:
actor = name | users | groups | sensors | policies
action = action (which program was executed)
audit_id = audit ID
type = Action category (ex. login, config, policies)
descr = Description
effect = act | add | mod | del | read

sortby Column name (as seen in the output). Default disposition is descending; append ":a" or
":A" for ascending

Permissions Requires audit >= MODIFY

Header Format Standard Header

Output Data Fields: audit_id, timestamp, type, effect, actor, action, descr, sensor


config_add
Description Adds Command Post configuration information; keys can be duplicated

Parameters check_perm Specify policy to validate (cpadm is used if not supplied).

filename File name along with path REQUIRED, ex: filename=/FSS/etc/commandpost.cf

params Semicolon separated key value pairs REQUIRED, ex: params=key1=value1;key2=value2

Permissions Requires check_perm >= MODIFY

Header Format Standard Header

Output "OK" on success

config_decrypt
Description Decrypts an encrypted string

Parameters crypt_params The value to decrypt REQUIRED

Permissions Requires cpadm >= MODIFY || alrtd >= MODIFY

Header Format Standard Header

Output Data Fields: value

config_del
Description Deletes keys from Command Post configuration information

Parameters check_perm Specify policy to validate (cpadm is used if not supplied).

filename File name along with path REQUIRED, ex: filename=/FSS/etc/commandpost.cf

params Semicolon separated keys REQUIRED, ex: params=key1;key2

Permissions Requires check_perm >= MODIFY

Header Format Standard Header

Output "OK" on success


config_get
Description Gets Command Post configuration information

Parameters crypt_params parameter to decrypt, ex: crypt_params=pass

filename File name along with path REQUIRED, ex: filename=/FSS/etc/commandpost.cf

Permissions Requires cpadm >= VIEW

Header Format None

Output Key value pairs

config_set
Description Modifies the supplied key with a new value in the configuration file.

Parameters check_perm Specify policy to validate (cpadm is used if not supplied).

crypt_params Same as params except values are encrypted before they are stored.

filename File name along with path REQUIRED, ex: filename=/FSS/etc/commandpost.cf

params Semicolon separated key value pairs, ex: params=key1=value1;key2=value2

Permissions Requires check_perm >= MODIFY

Header Format Standard Header

Output "OK" on success

Details Either params or crypt_params needs to be specified.
If the key exists, its value is replaced.
If the key does not exist, a new entry is created.

cp_config_list
Description Retrieves Command Post configuration information

Permissions None

Header Format Standard Header

Output Data Fields: Name, Value


dictionary
Description Returns list of dictionary records by type, and extra type, if specified

Parameters amount Number of entries to return in the result set

sortby Column name (as shown in the output, ex. sensorID, not sen_id
or sensor_id)
Default disposition is descending, append ":a" or ":A" for
ascending

start Number where 0 is the first entry in the result set

type Valid values are 0, 10, 40, 60, 80, 100, 390, 394 REQUIRED

typex If it is necessary to retrieve 2 groups of information, a second type group ID can be
specified with this parameter

Permissions None

Header Format Standard Header

Output Data Fields: dictid, name, sval

Details This cgi provides a convenient mapping of common values (hours, report names, decoder names)
to a dictionary ID for handling

explain
Description DEPRECATED Converts commandline name=value pairs to tab-separated values

Parameters alert_id Alert ID number

aproto_id Application protocol ID number

filetype_id File type ID number

msg_id Message ID number

priority Priority number

sensor_id Sensor ID number

user_id User ID number

Permissions None

Header Format Standard Header

Output Data Fields: param, what, value

Details Converts parameters in the form "sensor_id=1" into "sensor <TAB> <sensor_name>";
returns the parameter, what the parameter stands for, and its value.

feedconfig_list
Description Lists feed configuration values for each feed type

Parameters params "summary" - Aggregated summary for fidelis feeds with all custom
feeds
"ip" - All fidelis feeds and custom feeds with feedcontent=ip
"url" - All fidelis feeds and custom feeds with feedcontent=url
"dns" - All fidelis feeds and custom feeds with feedcontent=dns
"email" - All fidelis feeds and custom feeds with feedcontent=email
"md5" - All fidelis feeds and custom feeds with feedcontent=md5

Permissions Requires cpadm >=VIEW and plcys >= VIEW

Header Format Standard Header

Output feedID: ID of feed
type: Feed type malware/phishing etc
source: Feed source
refresh_interval: Refresh interval in minutes. At every refresh interval, a new feed file is
fetched if fetch is enabled.
expiry_interval: Fetched feeds which were discovered or uploaded before # days in
expiry interval are ignored for matching/removed from memory.
enabled: If feed type is enabled
disable_fetch: Value is set to 1 if feed fetch is disabled
url: URL location of the feed file to be fetched
user: Username for configured server for a10(ip2id) feeds
pass: Password for configured server for a10(ip2id) feeds
format: Feed file format - XML/CSV/IP list for custom feeds to upload manually
iptag: Name of the IP tag in the feed file - for custom feeds
rowtag: Row tag in case of XML
csvheaders: semicolon separated column headers in case of CSV files
lastupdate: Date:time when the feed was updated last
min_refresh_interval: Minimum value for the refresh interval above
timeout: Timeout for manual upload of feed file
numrecords: Number of records currently being processed - can be found from number
of lines in feed file in feed directory on commandpost/sensor
useproxy: If this flag is set, fetch utility uses proxy server configuration to fetch feeds
active: One of these status messages:
"Dynamic" - Feed is enabled and fetch is enabled
"Static" - Feed is enabled and fetch is disabled
"Refresh Error" - Feed is dynamic but there is some error with fetching(communicating
with server) feeds
"No Records" - Feed is dynamic and there is no communication error but still there is no
data
feed_type: Can be "fidelis" / "ip2id"(A10) / "custom" / "custom_ip2id"
name: Feed name to display on GUI
description: Feed description to display on GUI
gui_name: Feed source name to display on GUI
feedcontent: Type of feed data, ip/url/email/md5/dns/mixed

Example 0 phishing cyveilance 15 60 1 0 2011-11-29:11-01-40 15 30 8498 0
1 malware cyveilance 15 60 1 0 2011-11-29:11-01-41 15 30 9998 0

feedtest
Description Fetches feeds for a given feed type, converts feeds into internal format and writes in the
CP directory for that feed.
Ex: --user --pass --params="feed=<feed>;url=<url>;user=<user>;pass=<pass>"

Parameters params Feed in the format "feed=<type_source>" e.g. botnet_umbra,
malware_cyveillance REQUIRED
URL - for feed file location - in case of custom/a10 feeds
User and pass - for feed server in case of a10 feeds

Permissions Requires cpadm >= VIEW

Header Format Standard Header

Output "Communications OK (created <feed> feed file with # records)" or an error message
accordingly

get_attrfeed_options
Description Fetches options of all attribute feed test types.

Parameters params none

Permissions Requires plcys >= VIEW

Header Format AttrFeedType Attr1 Attr2 Attr3 Attr4 Attr5

Output One line per attribute feed test type

freqdata
Description Returns frequency data

Parameters amount Number of entries to return in the result set

freqid Numeric value corresponding to freqid (frequency) REQUIRED

sortby Column name (as shown in the output, ex. sensorID, not sen_id
or sensor_id)
Default disposition is descending, append ":a" or ":A" for
ascending

start Number where 0 is the first entry in the result set

Permissions None

Header Format Standard Header

Output Data Fields: freqtype, ival

Details Returns possible scheduling intervals for tasks as numeric values.

frequency
Description Returns frequency list

Parameters amount Number of entries to return in the result set

sortby Column name (as shown in the output, ex. sensorID, not sen_id
or sensor_id)
Default disposition is descending, append ":a" or ":A" for
ascending

start Number where 0 is the first entry in the result set

Permissions None

Header Format Standard Header

Output Data Fields: freqid, freqname

get_udata
Description Retrieves user-specific data

Permissions None

Header Format Standard Header

Output Data Fields: data

Details Returns semi-colon delimited list of name=value pairs with data for particular user based
on the uid. This is generic storage for GUI parameters specific to the user.

set_udata
Description Sets user-specific data

Parameters params Semi-colon separated list of name=value pairs REQUIRED
This is persistent storage for user configuration settings in the GUI;
as such, the available options are subject to GUI control

Permissions None

Header Format Standard Header

Output "OK" on success

getitemid
Description Gets an item's ID number from the name

Parameters filetype File type

msg Summary

policy Policy

proto_name Protocol

rule_name Rule

sensor_name Sensor

sev_name Priority

Permissions None

Header Format Standard Header

Output Value printed, no header field

Details Only takes one of the available parameters.

getitemname
Description Gets an item's name from the ID number

Parameters aproto_id Protocol

filetype_id File type

msg_id Message

msgtext_id Summary

priority Priority

sensor_id Sensor

Permissions None

Header Format Standard Header

Output Value printed, no header field

Details Only takes one of the available parameters.

hourdata
Description Returns hour data

Parameters amount Number of entries to return in the result set

hour Acceptable value range on the interval <10, 32> (maps to dictid in
dictionary) REQUIRED

sortby Column name (as shown in the output, ex. sensorID, not sen_id
or sensor_id)
Default disposition is descending, append ":a" or ":A" for
ascending

start Number where 0 is the first entry in the result set

Permissions None

Header Format Standard Header

Output Data Fields: ival

Details Returns the ival for the provided dictid from the dictionary

ipaddr_verifier
Description Validates IP address strings

Parameters params Comma separated list of IP addresses REQUIRED

Permissions None

Header Format Standard Header

Output Data Fields: entity, type, result

isexist
Description Checks whether a record exists (in general)

Parameters amount Number of entries to return in the result set

col Column name REQUIRED

name Record value REQUIRED

sortby Column name (as shown in the output, ex. sensorID, not sen_id or
sensor_id)
Default disposition is descending, append ":a" or ":A" for
ascending

start Number where 0 is the first entry in the result set

table Table name REQUIRED

Permissions None

Header Format Standard Header

Output Data Fields: return 1 if record exists

Details Returns boolean value whether a particular record exists, search is on any value, in any
column, on any table.

jcheck_ip_range
Description Verifies whether ip address is in the supplied ip range or not

Parameters params IP address and IP range REQUIRED
params=iprange=<ipaddress>:<iprange>

Permissions None

Header Format Standard Header

Output Data Fields: entity, result

Details The result will return "OK" if the value is correct, otherwise it will return a URL encoded
explanation.

jconfig_get
Description Gets Command Post configuration information

Parameters filename File name along with path REQUIRED
Ex: filename=/FSS/etc/commandpost.cf

crypt_params Parameter to decrypt
Ex: crypt_params=pass

Permissions None

Header Format None

Output Key value pairs

mysql_info
Description Gets info about MySQL

Permissions None

Header Format Standard Header

Output Data Fields: variable, value

logger
Description Creates an audit entry.

Parameters action action name

descr a user defined string REQUIRED

params Formatted as "type=<type>,effect=<effect>" REQUIRED
type = users|sensors|policies|user_defined
effect = act|add|mod|del

Permissions none

Header Format none

Output none

login
Description Provides UID

Permissions None

Header Format Standard Header

Output Data Fields: uid, terms

Details UID represents a valid encrypted hash of the user name and password. It can be sent to
any API function in place of the username and password. Each function call will perform
full user authentication when it receives either the UID or the username/password,
hence they are equivalent. The UID will remain valid until the user is removed or the
password is changed.

logout
Description Clears cookies

Permissions None

Header Format Standard Header

Output "OK" on success

prfm_verify
Description DEPRECATED Validates the string input of certain policy creation fields

Parameters params key=value REQUIRED
possible keys are: asg_name, policy_name, rule_name, fp_name,
fp_keyword, macro_name, expr, xhdr

Permissions None

Header Format Standard Header

Output Data Fields: entity, result

ticker
Description Alert count for last hour and last day

Permissions None

Header Format Standard Header

Output Data Fields: lastHOUR, last24HOURS

verifier
Description Validates the string input of certain fields

Parameters params key=value REQUIRED
possible keys are: group, user, sensor, ipaddr, iprange, role,
subnet_config, border_direct, border_intranet, email, allow_list,
label, isprint, ldap_profile, port, report, export, rtn_plan, ascii, digit,
container_name, al_num, signame

Permissions None

Header Format Standard Header

Output Data Fields: entity, result

Details The result will return "OK" if the value is correct, otherwise it will return a URL encoded
explanation.

whoami
Description Retrieves basic information about the user

Permissions None

Header Format Standard Header

Output Data Fields: user, full_name, email, userflags

check_tables
Description Outputs a list of tables that are checked and if they need repair

Parameters type quick | medium | extended

filename Name of the status file that will be created REQUIRED

Permissions Requires cpadm >= MODIFY

Header Format Standard Header

Output Data Fields: table, size, msg

countries_get
Description Return a list of known countries

Permissions None

Header Format Standard Header

Output Data Fields: country_code, country_name

cphealth
Description DEPRECATED Obtain the status of the commandpost

Permissions None

Header Format Standard Header

Output Data Fields: icon, text

cphealth_clear
Description DEPRECATED Clears all health status for commandpost

Permissions Requires cpadm >= MODIFY

Header Format None

Output None

decoder_info_get
Description Return decoder information

Parameters decoder_lib If specified, returns a list of attributes for a specific decoder.

params Indicates what general info to return based on the following:
standard_attributes - a list of all standard attributes
formats - a list of file/data decoders
protocols - a list of protocol decoders
dates - a list of decoders that support date attributes
date_attributes - a list of attributes for date decoders

Permissions None

Header Format Standard Header

Output A list of attributes

Details Either params or decoder_lib needs to be specified

dns_alert_data
Description DEPRECATED Provides DNS alert highlight and data information

Parameters alert_id Alert ID REQUIRED

Permissions Requires alrtd >= VIEW

Header Format Status: 200 OK
Content-type: text/plain
x-alert_data-length: <bytes>

Output The DNS alert highlight and data

pcap_getalertinfo
Description Output some alert info in xml format

Parameters alert_id Alert ID REQUIRED

Permissions Requires alrtd >= VIEW

Header Format Standard Header

Output XML data

pcap_getfile
Description Provides the related pcap file if it is there

Parameters alert_id Alert ID REQUIRED

Permissions Requires alrtd >= VIEW

Header Format Status: 200 OK
Content-disposition: inline; filename="alert_<alert ID>.pcap"
Content-type: application/force-download

Output The contents of the PCAP file

pcap_parse
Description Parse PCAP data and print extracted info or output a filtered pcap file in filter mode

Parameters alert_id Alert ID REQUIRED

aproto_id IP protocol number, e.g., 6 for TCP

dport Destination port

dstaddr Decimal IP address

dstaddr6 IPv6 address

edate End date in UNIX time format

filename Read PCAP data from the specified file

sdate Start date in UNIX time format

sport Source port

srcaddr Decimal IP address

srcaddr6 IPv6 address

type PCAP filter mode:
0 = XML output full file
1 = Raw output filtered file
2 = XML output time sliced file

uuid PCAP UUID REQUIRED

Permissions None

Header Format For type = 0 or 2: Standard Header
For type = 1:
Status: 200 OK
Content-disposition: inline; filename="alert_<alert ID>.pcap"
Content-type: application/force-download

Output The contents of the filtered PCAP file

Details Either the alert_id or uuid needs to be specified.

When type = 1, sdate and edate are required along with at least one of the following parameters:
srcaddr, dstaddr, srcaddr6, dstaddr6, sport, dport, aproto_id
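The parameter rules above (alert_id or uuid; for type = 1 a time window plus at least one flow selector; decimal IPv4 addresses) are easy to get wrong from a script. This added example, not Fidelis code, is a client-side check that assembles the pcap_parse parameter set and rejects the combinations the guide says the CGI will not accept; the sample uuid is a placeholder, and how the request is transported to the Command Post is outside the example.

```python
"""Client-side argument check for the pcap_parse CGI (added example, not Fidelis code).

Rules encoded, all taken from the pcap_parse entry of the guide:
- type is 0 (XML, full file), 1 (raw, filtered file) or 2 (XML, time sliced);
- either alert_id or uuid must be given;
- for type = 1, sdate and edate are required together with at least one of
  srcaddr, dstaddr, srcaddr6, dstaddr6, sport, dport, aproto_id;
- srcaddr/dstaddr are sent as decimal IPv4 integers, sdate/edate as UNIX time.
"""
import ipaddress

FLOW_SELECTORS = ("srcaddr", "dstaddr", "srcaddr6", "dstaddr6",
                  "sport", "dport", "aproto_id")


def ipv4_to_decimal(addr):
    """Dotted-quad (or already integer) IPv4 address -> the decimal integer
    form that pcap_parse expects for srcaddr/dstaddr."""
    return int(ipaddress.IPv4Address(addr))


def _check_port(name, value):
    if not 0 <= int(value) <= 65535:
        raise ValueError(f"{name} must be a port number (0-65535)")
    return str(int(value))


def build_pcap_parse_params(type_, alert_id=None, uuid=None, sdate=None,
                            edate=None, filename=None, **selectors):
    """Return the parameter dict for one pcap_parse call, or raise ValueError
    when the combination is one the guide says is not valid."""
    if type_ not in (0, 1, 2):
        raise ValueError("type must be 0, 1 or 2")
    if alert_id is None and uuid is None:
        raise ValueError("either alert_id or uuid must be specified")
    unknown = set(selectors) - set(FLOW_SELECTORS)
    if unknown:
        raise ValueError(f"unknown parameter(s): {sorted(unknown)}")

    params = {"type": str(type_)}
    if alert_id is not None:
        params["alert_id"] = str(int(alert_id))
    if uuid is not None:
        params["uuid"] = str(uuid)
    if filename is not None:
        params["filename"] = filename

    if type_ == 1:
        # Raw filtered output: the guide requires a time window plus one selector.
        if sdate is None or edate is None:
            raise ValueError("type=1 requires both sdate and edate (UNIX time)")
        if int(sdate) > int(edate):
            raise ValueError("sdate must not be later than edate")
        if not selectors:
            raise ValueError("type=1 requires at least one of "
                             + ", ".join(FLOW_SELECTORS))
    if sdate is not None:
        params["sdate"] = str(int(sdate))
    if edate is not None:
        params["edate"] = str(int(edate))

    for name, value in selectors.items():
        if name in ("srcaddr", "dstaddr"):
            params[name] = str(ipv4_to_decimal(value))
        elif name in ("srcaddr6", "dstaddr6"):
            params[name] = str(ipaddress.IPv6Address(value))  # validates syntax
        elif name in ("sport", "dport"):
            params[name] = _check_port(name, value)
        else:  # aproto_id: IP protocol number, e.g. 6 for TCP
            if not 0 <= int(value) <= 255:
                raise ValueError("aproto_id must be an IP protocol number (0-255)")
            params[name] = str(int(value))
    return params


if __name__ == "__main__":
    # Constructed sample: raw filtered pcap for one HTTPS flow in a one-hour window.
    print(build_pcap_parse_params(1, uuid="PLACEHOLDER-PCAP-UUID",
                                  sdate=1700000000, edate=1700003600,
                                  dstaddr="10.0.0.5", dport=443))
```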

repair_tables
Description Performs a repair of database tables

Parameters params Comma separated list of table names REQUIRED

filename Name of the status file that will be created REQUIRED

type quick | extended

Permissions Requires cpadm >= MODIFY

Header Format Standard Header

Output Data Fields: table, size, msg

repair_status
Description Tells whether any repair operations are in progress.

Header Format Standard Header

Output "Busy" when a repair is in progress, "OK" when it is not.

retention_add
Description DEPRECATED Adds retention plan to the database

Parameters archive_flag <0|1> - disable/enable archiving before delete REQUIRED

name Retention plan name REQUIRED

poptions <new|edit> - create a new plan or edit an existing plan REQUIRED

query_str URL encoded query string for the plan

retain_days Number of days to retain alerts for. Must be a value between 1
and 999. REQUIRED

Permissions Requires cpadm >= MODIFY || alrtq >= MODIFY || alrtd >= MODIFY

Header Format Standard Header

Output "OK" on success

retention_del
Description DEPRECATED Deletes retention plan from the database

Parameters name Retention plan name REQUIRED

Permissions Requires cpadm >= MODIFY || alrtq >= MODIFY || alrtd >= MODIFY

Header Format Standard Header

Output "OK" on success

retention_list
Description DEPRECATED Lists saved retention plans

Permissions Requires alrtq >= VIEW || cpadm >= VIEW || alrtd >= VIEW

Header Format Standard Header

Output Data Fields: retentionID, query_str, time, archive_flag, retain_days, user

sconf_compat_decrypt
Description Decrypts value passed in using the Fidelis crypt function

Parameters params Value to decrypt REQUIRED

Permissions None

Header Format None

Output "OK\n" followed by the decrypted string

sconf_compat_encrypt
Description Encrypts value passed in using the Fidelis crypt function

Parameters params Value to encrypt REQUIRED

Permissions None

Header Format None

Output "OK\n" followed by the encrypted string

about_info
Description Return information that is used by the "About" page.

Parameters type 1 for serial number, otherwise it is set to 0.

Permissions None

Header Format Standard Header

Output Data Fields: current_version, patch_versions, update_available, available_version,
cpu_name, total_memory

malware_types_get
Description Return the list of known malware types

Permissions None

Header Format Standard Header

Output Data Fields: malwareType

file_malware_check
Description Create an alert from an uploaded file

Parameters filename File to upload REQUIRED

params Extra parameter information, such as
'sandbox=192.168.1.100&network=isolated&os=windows11&password=pass123'

Permissions Requires cpadm == MODIFY

Header Format Single Value

Output Alert ID

Details Without --filename, the data to be checked are provided via the web server with a POST
request

diskspace
Description Return the disk space usage in megabytes, percent of max fill and percent of total for
the command post

Permissions None

Header Format Standard Header

Output Data Fields: TotalDisk, MaxFile, UsedDisk, UsedDiskPercent, maxPercent,
usedPercent, bufferPercent

gui_usage
Description Inserts GUI usage records into the database

Parameters action The type of interaction (e.g. click) REQUIRED

category The object that was interacted with (e.g. button) REQUIRED

label For categorizing events (e.g. nav buttons)

value Value

Header Format Standard Header

Output OK for success

taxii_discovery
Description Add/Delete/Discover/List all ISAC provider feeds.

Parameters params "isac_id" - Name or identifier of the ISAC provider
"url" - URL of the ISAC provider
"user" - User name at the ISAC provider site
"pass" - Password at the ISAC provider site
"sslcertchk" - Whether to check SSL certificate
"ri" - Refresh interval in minutes
"useproxy" - Whether to use proxy
"description" - Description of the ISAC provider
"global" - Whether it's global

Permissions Requires plcys >= VIEW

Header Format Standard Header

Output feedID: ID of feed
type: Feed type malware/phishing etc
source: Feed source
refresh_interval: Refresh interval in minutes. At every refresh interval, a new feed file is
fetched if fetch is enabled.
expiry_interval: Fetched feeds which were discovered or uploaded before # days in
expiry interval are ignored for matching/removed from memory.
enabled: If feed type is enabled
disable_fetch: Value is set to 1 if feed fetch is disabled
url: URL location of the feed file to be fetched
user: Username for configured server for a10(ip2id) feeds
pass: Password for configured server for a10(ip2id) feeds
format: Feed file format - XML/CSV/IP list for custom feeds to upload manually
iptag: Name of the IP tag in the feed file - for custom feeds
rowtag: Row tag in case of XML
csvheaders: semicolon separated column headers in case of CSV files
lastupdate: Date:time when the feed was updated last
min_refresh_interval: Minimum value for the refresh interval above
timeout: Timeout for manual upload of feed file
numrecords: Number of records currently being processed - can be found from number
of lines in feed file in feed directory on commandpost/sensor
useproxy: If this flag is set, fetch utility uses proxy server configuration to fetch feeds
active: One of these status messages:
"Dynamic" - Feed is enabled and fetch is enabled
"Static" - Feed is enabled and fetch is disabled
"Refresh Error" - Feed is dynamic but there is some error with fetching(communicating
with server) feeds
"No Records" - Feed is dynamic and there is no communication error but still there is no
data
feed_type: Can be "custom"
name: Feed name to display on GUI
description: Feed description to display on GUI
gui_name: Feed source name to display on GUI
feedcontent: Type of feed data, ip/url/email/md5/dns/mixed

Example --user=<user> --pass=<password> --mode=add --params="isac_id=<isac_id>;url=http://
<ip>/taxii-discovery-service/;user=<isac_user>;pass=<isac_pass>;sslcertchk=1;ri=60;useproxy=0;"
--user=<user> --pass=<password> --mode=discover --params="isac_id=<isac_id>"
--user=<user> --pass=<password> --mode=delete --params="isac_id=<isac_id>"
--user=<user> --pass=<password> --mode=list

tip_discovery
Description Add/Delete/Discover/List all TIPs provider feeds.

Parameters params "tip_id" - Name or identifier of the TIPs provider
"url" - URL of the ISAC provider
"user" - User name at the ISAC provider site
"pass" - Password at the ISAC provider site
"sslcertchk" - Whether to check SSL certificate
"ri" - Refresh interval in minutes
"useproxy" - Whether to use proxy

Permissions Requires plcys >= VIEW

Header Format Standard Header

Output feedID: ID of feed
type: Feed type malware/phishing etc
source: Feed source
refresh_interval: Refresh interval in minutes. At every refresh interval, a new feed file is
fetched if fetch is enabled.
expiry_interval: Fetched feeds which were discovered or uploaded before # days in
expiry interval are ignored for matching/removed from memory.
enabled: If feed type is enabled
disable_fetch: Value is set to 1 if feed fetch is disabled
url: URL location of the feed file to be fetched
user: Username for configured server for ThreatConnect feeds
pass: Password for configured server for ThreatConnect feeds
format: Feed file format - XML/CSV/IP list for custom feeds to upload manually
iptag: Name of the IP tag in the feed file - for custom feeds
rowtag: Row tag in case of XML
csvheaders: semicolon separated column headers in case of CSV files
lastupdate: Date:time when the feed was updated last
min_refresh_interval: Minimum value for the refresh interval above
timeout: Timeout for manual upload of feed file
numrecords: Number of records currently being processed - can be found from number
of lines in feed file in feed directory on commandpost/sensor
useproxy: If this flag is set, fetch utility uses proxy server configuration to fetch feeds
active: One of these status messages:
"Dynamic" - Feed is enabled and fetch is enabled
"Static" - Feed is enabled and fetch is disabled
"Refresh Error" - Feed is dynamic but there is some error with fetching(communicating
with server) feeds
"No Records" - Feed is dynamic and there is no communication error but still there is no
data
feed_type: Can be "custom"
name: Feed name to display on GUI
description: Feed description to display on GUI
gui_name: Feed source name to display on GUI
feedcontent: Type of feed data, ip/url/email/md5/dns/mixed

Example --user=<user> --pass=<password> --mode=add --params=tip_id=<tip_id>;url=http://<ip>
/path/to/;user=<threatconnect_user>;pass=<threatconnect_pass>;sslcertchk=1;ri=60;
useproxy=0;
--user=<user> --pass=<password> --mode=delete --params=tip_id=<tip_id>
--user=<user> --pass=<password> --mode=list
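The taxii_discovery and tip_discovery examples above share one params layout whose required keys depend on --mode. This added example, not Fidelis code, builds that semicolon-separated string for either CGI and rejects calls missing the provider id or the url for add; the provider names and URL in the test are constructed, and since the guide defines no escaping for ';' inside values such values are refused (assumption).

```python
"""Builds the --params string for taxii_discovery / tip_discovery
(added example, not Fidelis code).

Mode requirements as shown by the guide's examples: add needs the provider id
and url, discover and delete need only the id, list takes no params.
Flag keys (sslcertchk, useproxy, global) are sent as 0/1 like the examples.
"""

ID_KEYS = {"taxii_discovery": "isac_id", "tip_discovery": "tip_id"}
OPTIONAL_KEYS = ("url", "user", "pass", "sslcertchk", "ri", "useproxy",
                 "description", "global")
FLAG_KEYS = ("sslcertchk", "useproxy", "global")
MODES = ("add", "discover", "delete", "list")


def build_discovery_params(cgi, mode, provider_id=None, fields=None):
    """Return the params string for one call ("" for --mode=list) or raise
    ValueError. 'fields' is a dict of the optional keys above; a dict rather
    than keyword arguments because 'pass' and 'global' are Python keywords."""
    fields = dict(fields or {})
    if cgi not in ID_KEYS:
        raise ValueError(f"unknown cgi {cgi!r}")
    if mode not in MODES:
        raise ValueError(f"mode must be one of {MODES}")
    if mode == "list":
        if provider_id is not None or fields:
            raise ValueError("--mode=list takes no params")
        return ""
    if not provider_id:
        raise ValueError(f"{ID_KEYS[cgi]} is required for --mode={mode}")
    unknown = set(fields) - set(OPTIONAL_KEYS)
    if unknown:
        raise ValueError(f"unknown key(s): {sorted(unknown)}")
    if mode == "add" and "url" not in fields:
        raise ValueError("--mode=add requires url")

    pairs = [(ID_KEYS[cgi], str(provider_id))]
    for key in OPTIONAL_KEYS:  # fixed order, matching the guide's examples
        if key not in fields:
            continue
        value = fields[key]
        if key in FLAG_KEYS:
            value = "1" if value in (1, "1", True) else "0"
        elif key == "ri":
            if int(value) <= 0:
                raise ValueError("ri (refresh interval in minutes) must be positive")
            value = str(int(value))
        else:
            value = str(value)
        if ";" in value:  # assumption: no escaping rule is documented
            raise ValueError(f"{key}: ';' inside a value is not supported")
        pairs.append((key, value))
    return ";".join(f"{k}={v}" for k, v in pairs)
```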

Chapter 2 User Management
The Users API provides functions to create, modify, and list CommandPost users. Note that some
functionality, such as Version Control for the sensors, requires both a CommandPost user and an
Operating System user. The OS user management pieces are handled through a different API, so
complete user management must be done through the CommandPost GUI. A CommandPost user with an
appropriate role assignment is sufficient for Data Access functionality.

useradm_list
Description DEPRECATED Provides a list of users, with role, groups, and sensors assignments

Permissions Requires usradm >= VIEW

Header Format Standard Header

Output id, urlencoded(name), urlencoded(full_name), urlencoded(email), urlencoded(role),
urlencoded(tab separated list of urlencoded(group)), urlencoded(tab separated list of
urlencoded(sensor)), alert_count, editable, deleteable, userflags, disabled

useradm_edit
Description Create or modify user with role, groups & sensors.

Parameters email User email address

full_name Full name or other identifying information

group_id Comma delimited list of Group ID's assigned to user
Omission unassigns all groups

name User name REQUIRED

new_pass Set/change password

require_reset Optional. Use with password change to force user to change
password at next login

role_id Role ID assigned to user
Omission defaults the user's role to none

sensor_id Comma delimited list of Sensor ID's assigned to user
Omission unassigns all sensors

Permissions Requires usradm >= MODIFY

Header Format Standard Header

Output "OK" on success

Details admin user has limited edit capability

useradm_del
Description Deletes user and removes role, groups, and sensors assignments.

Parameters name User name to delete REQUIRED

Permissions Requires usradm >= MODIFY

Header Format Standard Header

Output "OK" on success

ldap_profile_adm_list
Description Provides a list of ldap profiles

Permissions Requires cpadm >= VIEW

Header Format Standard Header

Output Data Fields: id, urlencoded(base), urlencoded(filter), urlencoded(role), urlencoded(tab
separated list of urlencoded(groups)), urlencoded(tab separated list of
urlencoded(sensors))

ldap_profile_adm_edit
Description Create or Update ldap profile with role, groups & sensors.

Parameters group_id Comma separated list of group ID's

name Base name REQUIRED

params filter="filter"

role_id Role ID

sensor_id Comma separated list of sensor ID's

Permissions Requires cpadm >= MODIFY

Header Format Standard Header

Output "OK" on success

ldap_profile_adm_del
Description Delete ldap profile.

Parameters name Base name REQUIRED

params filter="filter"

Permissions Requires cpadm >= MODIFY

Header Format Standard Header

Output "OK" on success

rt_profile_adm_list
Description Provides a list of rt profiles

Permissions Requires cpadm >= VIEW

Header Format Standard Header

Output Data Fields: id, urlencoded(base), urlencoded(filter), urlencoded(role), urlencoded(tab
separated list of urlencoded(groups)), urlencoded(tab separated list of
urlencoded(sensors))

rt_profile_adm_edit
Description Create or Update rt profile with role, groups & sensors.

Parameters group_id Comma separated list of group ID's

name Base name REQUIRED

params filter="filter"

role_id Role ID

sensor_id Comma separated list of sensor ID's

Permissions Requires cpadm >= MODIFY

Header Format Standard Header

Output "OK" on success

rt_profile_adm_del
Description Delete rt profile.

Parameters name Base name REQUIRED

params filter="filter"

Permissions Requires cpadm >= MODIFY

Header Format Standard Header

Output "OK" on success

license_user
Description DEPRECATED Adds user license acceptance

Parameters params "yes" accepts, "no" does not accept

Permissions None

Header Format Standard Header

Output "OK" on success

user_list
Description DEPRECATED Returns a list of users

Parameters amount number of entries to return in the result set

sensor_id Sensor ID number

sortby Column name (as shown in the output, ex. sensorID, not sen_id or
sensor_id)
Default disposition is descending, append ":a" or ":A" for
ascending

start Number where 0 is the first entry in the result set

Permissions None

Header Format Standard Header

Output Data Fields: userID, user

Details For this particular cgi, the sensor_id takes on a special meaning. When provided, the
sensor_id will return the list of users that have view permissions for that particular
sensor, as well as any users with Policy Authoring permissions.

update_account
Description DEPRECATED Changes password and account information for the current user

Parameters email Email address, must pass validation

full_name Full name

new_pass New password, must pass validation

old_pass Old password, REQUIRED if new_pass is provided

Permissions Must be the user

Header Format Standard Header

Output "OK" on success

pw_expire_warning
Description Tells whether or not a password is about to expire

Permissions None

Header Format Standard Header

Output Either returns "OK" or issues a password expiration warning

useradm_group_edit
Description DEPRECATED Modify user groups assignments

Parameters group_id Comma delimited list of all Group ID's assigned to user, including
the one to be added

name User name REQUIRED

params ID of the group added or removed by this action. The caller must be
assigned to this group REQUIRED

Permissions Requires usradm >= MODIFY

Header Format Standard Header

Output "OK" on success

Details admin user cannot be modified

Chapter 4 Sensor Management
The sensor management API includes functions to register and unregister a sensor to CommandPost.
Note that these CGIs only manage sensor data stored in the database, and do not constitute full sensor
management functionality. Version Control, Licensing, and proper registration of the sensors must be
done at the CommandPost GUI.

sensoradm_list
Description List of sensors with users & policies.

Parameters params State of sensor: grn | ylw | red REQUIRED

Permissions Requires sysadm >= VIEW, usradm >= VIEW, alrtq >= VIEW, plcys >= VIEW, rprts >= VIEW

Header Format Standard Header

Output Data Fields: id, urlencoded(name), urlencoded(descr), urlencoded(ipaddr), urlencoded(tab
separated list of urlencoded(user)), urlencoded(tab separated list of urlencoded(policy)),
urlencoded(last_seen), urlencoded(expiry), num_alerts, registered, editable, deleteable, secure,
state, type, mode, sen_ver, os_ver, patch_ver, sen_time

Details At any time it will only report back the sensors assigned to the user, regardless of other
permissions.

sensoradm_edit
Description Create or modify sensor.

Parameters descr Description of sensor. If not provided, description will be removed

name Sensor name REQUIRED

s_ipaddr Sensor IP address (follows dotted-decimal notation)

sensor_id To change the name of a sensor, the original sensor ID must be
provided

type Specify the sensor type during creation

Permissions Requires sysadm >= MODIFY, on edit: requires user_id > 1

Header Format Standard Header

Output "OK\nyes" on success

sensoradm_del
Description Delete sensor.

Parameters name Sensor name REQUIRED

Permissions Requires sysadm >= MODIFY

Header Format Standard Header

Output "OK\nyes" on success

sensoradm_linkcollector
Description Links sensor to a collector.

Parameters ipaddr Collector ip address

name Collector name

s_ipaddr Sensor IP address REQUIRED

sensor_id Sensor id REQUIRED

sensor_name Sensor name REQUIRED

source_type Spool type REQUIRED

cp_ip Command post ip address

Permissions Requires sysadm >= MODIFY

Header Format Standard Header

Output "OK\nyes" on success

sensoradm_cp_ip
Description Gets the Command Post IP address for the sensor; this cgi is used for finding alerts in the
metadata session page for hierarchy management.

Parameters sensor_name Sensor name REQUIRED

Permissions Requires sysadm >= MODIFY

Header Format Standard Header

Output Data Fields: cp_ip

sensormgr_addtok
Description Adds token to sensor entry during sensor registration

Parameters date UNIX timestamp

param Token string REQUIRED

sensor_id Sensor ID REQUIRED

Permissions Requires sysadm >= MODIFY

Header Format Standard Header

Output "Ok\nyes" on success

sensormgr_rmtok
Description Removes token from the sensor

Parameters params Set params=no (for Collector unregister) to avoid resetting the sensor type to NULL

sensor_id Sensor ID REQUIRED

Permissions Requires sysadm >= MODIFY

Header Format Standard Header

Output "Ok\nyes" on success

sensormgr_gettok
Description Returns token for the sensor

Parameters sensor_id Sensor ID REQUIRED

Permissions None

Header Format Standard Header

Output Data Fields: token

sensormgr_setlicmode
Description Updates the sensor license type

Parameters sensor_id Sensor ID REQUIRED

status string representing the sensor's licensed mode REQUIRED

Permissions Requires sysadm >= MODIFY

Header Format Standard Header

Output "OK" on success

sensormgr_update
Description Trigger a policy update on sensors

Parameters params A comma separated list of the following options:
list - formatted list output
force - force a sensor update, even if the sensor is already up-to-date
nowait - don't wait for the sensor update to complete. Returns quicker, but possibly with unknown status.

sensor_name Sensor to update. If excluded, all sensors assigned to the user will be updated.

Permissions Requires plcys >= MODIFY

Header Format Status: 200 OK
Content-type: text/plain
Content-Disposition: attachment; filename="sensormgr_update.log"

Output Log of the results of the sensor updates

sensor_alert_count
Description Returns the list of sensors assigned to the user, with each sensor's name, whether it is
registered, and the number of alerts assigned to the user.

Parameters params State of sensor: grn | ylw | red REQUIRED

Permissions None

Header Format Standard Header

Output Data Fields: id , name, registered, sen_ip, num_alerts

sandbox_list
Description List of sandboxes.

Permissions Requires sysadm >= VIEW

Header Format Standard Header

Output Data Fields: id, name, urlencoded(descr), ipaddr, registered, last_seen

sandbox_info
Description Return info about the sandbox

Permissions None

Header Format Standard Header

Output service: threatgrid|sandbox|disabled
connection_status: connected|commerr|invalidkey|unknown

Chapter 5 Collector Management
The collector management API includes functions to register and unregister a collector with CommandPost.
Note that these CGIs do not constitute full collector management functionality: version control, licensing,
and proper registration of the collector must be done in the CommandPost GUI.

collectoradm_list
Description List of collectors with users & policies.

Parameters params State of collector: grn | ylw | red REQUIRED

s_ipaddr Sensor IP address (follows dotted-decimal notation) to provide context

Permissions Requires sysadm >= VIEW, usradm >= VIEW, alrtq >= VIEW, plcys >= VIEW, rprts >=
VIEW

Header Format Standard Header

Output Data Fields: id, urlencoded(name), urlencoded(descr), urlencoded(ipaddr),
urlencoded(tab separated list of urlencoded(user)), urlencoded(tab separated list of
urlencoded(policy)), urlencoded(last_seen), urlencoded(expiry), num_alerts, registered,
editable, deleteable, secure, state, type, mode, sen_ver, os_ver, patch_ver, sen_time

Details At any time it will only report back the collectors assigned to the user, regardless of
other permissions.

collector_failover_create
Description Add a failover controller to registered collector controller.

Parameters collector Name of the primary controller (REQUIRED)

failover Name of the failover controller (REQUIRED)

Header Format Standard Header

Output OK on success

collector_failover_get
Description Get a failover controller of a specific collector by name or ip address.

Parameters collector name of registered primary collector controller

ipaddr ip address of registered primary collector controller

Header Format Standard Header

Output The failover linked to the functioning input collector.

Chapter 6 Hierarchical Manager
This section of the API covers the functions needed to set up Hierarchical Management of CommandPosts.

mom_add_cp
Description add a CommandPost for MoM

Parameters descr optional description

ipaddr unique IP address: REQUIRED

name unique name: REQUIRED

type Master|Subordinate: REQUIRED

Permissions Requires cpadm >= MODIFY

Output "OK" on success

mom_reg_cp
Description Attempt a Manual registration of a Subordinate CommandPost

Parameters name name of CP: REQUIRED

Permissions Requires cpadm >= MODIFY

Output "OK" on success

mom_unreg_cp
Description Un-register a Subordinate CommandPost

Parameters name name of CP: REQUIRED

Permissions Requires cpadm >= MODIFY

Output "OK" on success

mom_rm_cp
Description removes CommandPost by name

Parameters name name of CP: REQUIRED

Permissions Requires cpadm >= MODIFY

Output "OK" on success

mom_update_cp
Description modifies CP by name

Parameters descr new description. If not provided, description will be removed

ipaddr new unique IP address

name name of CP: REQUIRED

new_name new unique name

Permissions Requires cpadm >= MODIFY

Output "OK" on success

mom_config_cp
Description MoM related CommandPost configuration

Parameters flags config flags: REQUIRED
If type is 'Master': bit 0: sync user password if set; bit 1: assign synced users to all sensors;
bit 2: assign synced policy to all sensors
If type is 'Subordinate': bit 0: sync policy; bit 1: sync user; bit 2: sync report

name CP name: REQUIRED

type Master|Subordinate: REQUIRED

Permissions Requires cpadm >= MODIFY

Output "OK" on success

Example To configure Subordinate CommandPost 'cp1' to sync policy and reports but not users (bits 0 and 2
set, i.e. 1 + 4 = 5):
mom_config_cp.cgi --type Subordinate --name cp1 --flags 5
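As an added example that is not part of the Fidelis API or of this guide, the following Python helpers build and decode the flags bitmask from the bit assignments listed above. The option names are labels chosen here for the documented bits, the CommandPost type is matched case-insensitively because the guide writes it both as 'master' and as 'Master', and the command line produced mirrors the form of the guide's own example.

```python
# Added example, not Fidelis code: encode and decode the 'flags' bitmask
# taken by mom_config_cp.cgi. Bit positions are the ones documented for
# each CommandPost type; the option names are labels chosen for this example.

MASTER_BITS = {
    "sync_user_password": 0,
    "assign_synced_users_to_all_sensors": 1,
    "assign_synced_policy_to_all_sensors": 2,
}

SUBORDINATE_BITS = {
    "sync_policy": 0,
    "sync_user": 1,
    "sync_report": 2,
}


def _bit_table(cp_type):
    """Pick the bit table for a CommandPost type (case-insensitive)."""
    t = cp_type.strip().lower()
    if t == "master":
        return MASTER_BITS
    if t == "subordinate":
        return SUBORDINATE_BITS
    raise ValueError("type must be Master or Subordinate, got %r" % cp_type)


def make_flags(cp_type, *options):
    """OR together the bits for the named options."""
    table = _bit_table(cp_type)
    flags = 0
    for opt in options:
        if opt not in table:
            raise ValueError("unknown option %r for type %s" % (opt, cp_type))
        flags |= 1 << table[opt]
    return flags


def flags_are_valid(cp_type, flags):
    """True when flags only uses the bits documented for this type."""
    table = _bit_table(cp_type)
    return isinstance(flags, int) and flags >= 0 and (flags >> len(table)) == 0


def decode_flags(cp_type, flags):
    """List the options enabled by a flags value, lowest bit first.

    Rejects values that set undocumented bits, so a typo such as --flags 8
    is caught before it reaches the CommandPost.
    """
    if not flags_are_valid(cp_type, flags):
        raise ValueError("flags %r sets bits outside the documented range" % flags)
    table = _bit_table(cp_type)
    return [opt for opt, bit in table.items() if (flags >> bit) & 1]


def mom_config_cp_args(cp_type, name, *options):
    """Argument vector in the form shown in the guide's example."""
    return [
        "mom_config_cp.cgi",
        "--type", cp_type,
        "--name", name,
        "--flags", str(make_flags(cp_type, *options)),
    ]


if __name__ == "__main__":
    # Reproduces the guide's example: policy and reports, but not users.
    print(" ".join(mom_config_cp_args("Subordinate", "cp1", "sync_policy", "sync_report")))
    print(decode_flags("Subordinate", 5))
```

Running the module prints the same command line as the example above and decodes flags 5 back to the two synced items, which is a quick way to double-check a value before applying it to a production CommandPost.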

mom_list_cps
Description print a listing of MoM related CommandPosts

Parameters params red: list all CommandPosts even if unreachable

type master|slave

Permissions None

Header Format Standard Header

Output Data Fields: id, name, descr, ipaddr, last_seen, type, registered, alive, config

Details Listing of registered and alive subordinate CommandPosts depends on the user's permissions on the
subordinate

mom_add_task
Description create a new MoM task

Parameters action push|del: REQUIRED

filters list of URL encoded tab separated elements: REQUIRED
for user, elements are user names
for report, elements are report ids
for export, elements are export job names
for config, elements are configuration file names

type user|report|export|config: REQUIRED

Permissions Requires cpadm|usradm|rprts >= MODIFY depending on specified type

Output "OK" on success

Details Only 'push' action is currently supported.

mom_get_logs
Description print completed task status for each element in provided filters

Parameters action del: *Optional*

filters list of URL encoded tab separated elements: REQUIRED
for user, elements are user names
for report, elements are report ids

type user|report: REQUIRED

Permissions Requires usradm|rprts >= VIEW depending on specified type

Header Format Standard Header

Output Data Fields: elem, checked, cp, state, user, start_time, end_time, errors

Details If the task was synced to multiple CPs, output is a separate row for each CP
The Data fields are URL encoded
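The 'filters' parameter of mom_add_task and mom_get_logs, and the nested urlencoded(tab separated list of urlencoded(...)) fields in collectoradm_list output, share one list encoding: each element is URL-encoded, the elements are joined with tabs, and the whole list is URL-encoded once more. The following Python helpers, added here as an example and not taken from the Fidelis API or any Fidelis client, implement that encoding in both directions and show why the two layers are needed; the element values used are constructed for the example.

```python
from urllib.parse import quote, unquote

# Added example, not Fidelis code: helpers for the "URL encoded tab separated
# list" format used by the 'filters' parameter of mom_add_task / mom_get_logs
# and by the nested list fields of collectoradm_list output.

TAB = "\t"


def encode_list(elements):
    """Encode each element, join with tabs, then encode the whole list.

    The inner layer turns any tab inside an element into %09, so the outer
    split on tabs can never land inside an element. The outer layer then
    protects the list as a whole while it travels as a single CGI parameter
    or as one field of a Standard Header record.
    """
    if not elements:
        raise ValueError("list must contain at least one element")
    inner = []
    for element in elements:
        if element == "":
            raise ValueError("empty element is not allowed")
        inner.append(quote(str(element), safe=""))
    return quote(TAB.join(inner), safe="")


def decode_list(field):
    """Inverse of encode_list. An empty field decodes to an empty list."""
    inner = unquote(field)
    if inner == "":
        return []
    return [unquote(item) for item in inner.split(TAB)]


def naive_roundtrip(elements):
    """What a single encoding layer would give back for the same input.

    With only one layer an element that itself contains a tab is
    indistinguishable from two elements, so the structure is lost.
    """
    single = quote(TAB.join(elements), safe="")
    return unquote(single).split(TAB)


def user_push_filters(user_names):
    """Value for 'filters' when calling mom_add_task with type=user,
    action=push. Duplicate names are dropped so the same account is not
    pushed twice in one task."""
    unique = []
    for name in user_names:
        if name not in unique:
            unique.append(name)
    return encode_list(unique)


if __name__ == "__main__":
    # Constructed sample elements: a plain name, a name with a space, a
    # value containing a literal tab, and a value containing a percent sign.
    sample = ["alice", "bob smith", "a\tb", "100%"]
    encoded = encode_list(sample)
    print(encoded)
    print(decode_list(encoded) == sample)          # two layers: round trip holds
    print(naive_roundtrip(["a\tb", "c"]))          # one layer: ['a', 'b', 'c']
```

The same decode_list call unpacks the user and policy list fields of a collectoradm_list row once that row has been split into its fields, since each of those fields is exactly one encoded list.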

mom_get_stat
Description Get task state by task ID, or by type and action (returns the latest task IDs of the
specified type and action)

Parameters action push|list|del: REQUIRED unless id is given

id task id: REQUIRED unless type and action are given

type user|report|register: REQUIRED unless id is given

Permissions Requires usradm|rprts >= VIEW depending on specified type or the type of the provided
task id

Header Format Standard Header

Output Data Fields: task_id, cp, state, errors

Details Either id, or both type and action, must be provided

Chapter 7 Miscellaneous
Configuration Backup and Restore
backup
Description Performs a backup of system configuration

Permissions Requires cpadm >= MODIFY and usradm >= VIEW and plcys >= VIEW and rprts >=
VIEW and sysadm >= VIEW

Header Format Standard Header

Output The file name and MD5 sum of the backup file.

Details The backup includes the configuration of any registered sensors.
The resulting backup file is saved in the /var/fss_backup directory.

backup_download
Description Downloads a backup file

Parameters filename Name of the backup file provided by backup.cgi REQUIRED

Permissions Requires cpadm >= MODIFY

Header Format Status: 200 OK
Content-disposition: inline; filename="filename"
Content-type: application/force-download

Output The data contained in the backup file

Details Assumes that 'backup.cgi' has run and requires the filename output of that CGI as an
input.

restore
Description Restore configuration from a backup file

Parameters sensor_name Sensor name. REQUIRED for restore type 'sensor'

type Restore type, one of the following: REQUIRED

restore - Restores all CommandPost configuration from the backup file. If the host IDs match,
the license is restored as well. In addition to all system configuration, Network Report history
is also restored. Note: run 'restore_sync.cgi' next to complete the restore process.

replicate - Restores all CommandPost configuration from the backup file, excluding sensors. The
intended use case is easier deployment of multiple CommandPosts that share users. Note: run
'restore_sync.cgi' next to complete the restore process.

copy - Restores all 'common' CommandPost configuration from the backup file. Sensors, users and
any configuration that carries user information (e.g. reports or retention plans) are considered
unique and are not overwritten in copy mode. The intended use case is easier deployment of
multiple CommandPosts that do not share users.

sensor - Restores sensor configuration files; requires sensor_name. A sensor with that name must
exist and be registered before a restore is attempted.

Permissions Requires cpadm >= MODIFY

Header Format Standard Header

Output "OK" on success

Details Assumes that restore_check has been run on the target backup file

restore_check
Description Verify and prepare a backup file for system restore

Parameters filename The backup file to check REQUIRED

Permissions Requires cpadm >= MODIFY

Header Format Standard Header

Output Data Fields: version, vercheck, md5pass, hostid, hostname, user, time, policy, sensors,
s_version, s_md5pass

restore_sync
Description Sync user information between database and Linux after a restore

Permissions Requires cpadm >= MODIFY and usradm >= MODIFY

Header Format Standard Header

Output "OK" on success

Details Required after running restore types 'restore' or 'replicate'
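Added example, not Fidelis code: Python checks a client would wrap around the backup.cgi, backup_download.cgi, restore_check.cgi, restore.cgi and restore_sync.cgi sequence described in this chapter. It verifies the downloaded backup against the MD5 sum reported by backup.cgi (MD5 only detects transfer corruption or a truncated download; it is not tamper evidence, so the call itself still needs an authenticated channel), rejects backup file names that are not a single path component before they are passed on (a client-side hygiene check, not a statement about how the server handles the parameter), and lays out the CGI order for each restore type. The file names used in the sample calls are made up.

```python
import hashlib
import hmac
import os

# Added example, not Fidelis code: client-side checks around the backup and
# restore CGIs. File names such as 'fss-backup.tgz' are made up; the real name
# is whatever backup.cgi returns.

RESTORE_TYPES = ("restore", "replicate", "copy", "sensor")
NEEDS_RESTORE_SYNC = ("restore", "replicate")


def md5_hex(data):
    """MD5 of the downloaded backup bytes as lower-case hex."""
    return hashlib.md5(data).hexdigest()


def verify_backup_md5(data, reported_md5):
    """True when the downloaded bytes match the sum backup.cgi reported.

    MD5 catches a corrupted or truncated transfer; it is not tamper
    evidence, since MD5 collisions are practical. Protection against an
    active attacker has to come from the authenticated transport used to
    reach the CGI, not from this check.
    """
    return hmac.compare_digest(md5_hex(data), reported_md5.strip().lower())


def is_safe_backup_filename(filename):
    """backup_download.cgi and restore_check.cgi take the bare file name
    produced by backup.cgi (the file lives under /var/fss_backup). Refuse
    anything that is not a single path component before passing it on."""
    return (
        isinstance(filename, str)
        and filename not in ("", ".", "..")
        and filename == os.path.basename(filename)
        and "\\" not in filename
    )


def restore_plan(restore_type, filename, sensor_name=None):
    """Ordered (cgi, parameters) calls for a restore of the given type.

    Follows the guide: restore_check on the file first, then restore with
    the chosen type, then restore_sync only for 'restore' and 'replicate'.
    """
    if restore_type not in RESTORE_TYPES:
        raise ValueError("unknown restore type: %r" % restore_type)
    if not is_safe_backup_filename(filename):
        raise ValueError("refusing backup file name: %r" % filename)
    params = {"type": restore_type}
    if restore_type == "sensor":
        if not sensor_name:
            raise ValueError("restore type 'sensor' requires sensor_name")
        params["sensor_name"] = sensor_name
    steps = [
        ("restore_check.cgi", {"filename": filename}),
        ("restore.cgi", params),
    ]
    if restore_type in NEEDS_RESTORE_SYNC:
        steps.append(("restore_sync.cgi", {}))
    return steps


if __name__ == "__main__":
    # Constructed stand-in for a downloaded backup and the sum backup.cgi
    # would have reported for it.
    blob = b"constructed backup contents"
    print(verify_backup_md5(blob, md5_hex(blob)))        # True
    print(verify_backup_md5(blob + b"!", md5_hex(blob))) # False: truncated/changed
    for cgi, params in restore_plan("replicate", "fss-backup.tgz"):
        print(cgi, params)
```

Run the plan only after verify_backup_md5 has passed on the file that restore_check will read; a mismatch means the download should be repeated, not that the sum should be ignored.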
