IBM Security QRadar Suite audit inventory

Audit messages are generated and sent to the platform for all API requests to the IBM® Security QRadar® Suite applications. For every user action on the user interface, an audit logging message is generated. The audit messages are logged to a centralized location and forwarded to your SIEM, where they are retained. Audit logging is disabled by default.

Auditing can help to detect and prioritize security threats and data breaches. Auditing provides accountability, traceability, and regulatory compliance by tracking any activity or observation that directly or indirectly returns, manages, or manipulates sensitive data or access to sensitive data.

The audit logs from IBM Security QRadar Suite are generated in Cloud Auditing Data Federation (CADF) format and include the following properties about the request:
  • The time of request, logged as eventTime.
  • The request method, such as put or post, logged as action.
  • The request URL, logged as target>typeUri.
  • The response code, logged as reason>reasonCode.
  • The user associated with the request (the JWT token sub value), logged as initiator>id and initiator>name.
For more information, see Cloud Auditing Data Federation.
The following example shows a raw event log from the IBM Security QRadar Suite in CADF format:
<13>1 2023-10-18T14:38:44.641868+00:00 audit-logs-cp4s fluentd - - - {"version":"1.0","typeURI":"http://schemas.dmtf.org/cloud/audit/1.0/event","outcome":"SUCCESS","eventType":"ACTIVITY","eventTime":"2023-10-18T14:38.40+0000","action":"READ","severity":"NORMAL","initiator":{"id":"SERVICE.edgegateway.controller-manager","name":"SERVICE.edgegateway.controller-manager","typeURI":"clientid","host":{"agent":"Apache-HttpClient/4.5.13 (Java/11.0.20)","address":"10.254.18.87"},"credential":{"type":"token"}},"target":{"id":"/manager/tenants/cd766d47-4ecd-4910-8f48-5024202259b2/controllers","name":"isc-app-manager","typeURI":"ibm-cp-security/isc-app-manager"},"observer":{"name":"CommonAuditService","id":"userActivity"},"reason":{"reasonCode":200},"attachments":[{"contentType":"http://schemas.ibm.com/cloud/content/1.0/cloudpak","name":"ibm-cp-security","content":{"message":"read [success]","sourceCrn":"crn:v1:ocp:private:content::::ibm-cp-security","kubernetes":{"namespace":"cp4s","pod":"isc-app-manager"}}},{"contentType":"kubernetes","name":"kubernetes_metadata","content":{"namespace":"cp4s","pod":"isc-app-manager"}}]}
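
An added example (not IBM's code): a Python parser for the syslog-framed CADF event shown above that flattens the listed properties and counts 401/403 responses per initiator and source address. In the page's sample the request path appears in target>id and the service name in target>typeURI, so both are kept; the sample lines, the example.com identities, the FAILURE outcome value and the threshold are constructed assumptions.

```python
import json
import re
from collections import Counter
from datetime import datetime

CADF_EVENT = "http://schemas.dmtf.org/cloud/audit/1.0/event"

# RFC 5424 framing as in the page's sample:
# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA JSON
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>\d+ (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) \S+ \S+ "
    r"(?:-|\[.*?\]) (?P<msg>\{.*\})\s*$",
    re.S,
)


def parse_audit_line(line):
    """Split the syslog header from the CADF JSON and flatten the audit fields."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 line with a JSON payload")
    event = json.loads(m["msg"])  # JSONDecodeError is a ValueError subclass
    if event.get("typeURI") != CADF_EVENT:
        raise ValueError("payload is not a CADF event")
    initiator = event.get("initiator", {})
    target = event.get("target", {})
    return {
        # The header timestamp is ISO 8601 and parses reliably. The sample's
        # eventTime ("2023-10-18T14:38.40+0000") is not, so it stays a raw string.
        "received": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        "event_time_raw": event.get("eventTime"),
        "action": str(event.get("action", "")).lower(),
        "outcome": event.get("outcome"),
        "reason_code": event.get("reason", {}).get("reasonCode"),
        "initiator_id": initiator.get("id"),
        "initiator_name": initiator.get("name"),
        "source_address": initiator.get("host", {}).get("address"),
        "target_id": target.get("id"),
        "target_type_uri": target.get("typeURI"),
    }


def denied_requests(lines, threshold=3):
    """Return ({(initiator_id, source_address): count}, skipped) for callers with
    at least `threshold` 401/403 responses. Unparseable lines are counted so a
    broken forwarder does not look like a quiet day."""
    denied, skipped = Counter(), 0
    for line in lines:
        try:
            rec = parse_audit_line(line)
        except ValueError:
            skipped += 1
            continue
        if rec["reason_code"] in (401, 403):
            denied[(rec["initiator_id"], rec["source_address"])] += 1
    return {k: n for k, n in denied.items() if n >= threshold}, skipped


def make_line(initiator, address, action, target_id, code):
    """Constructed sample line shaped like the page's raw event (fields trimmed)."""
    event = {
        "typeURI": CADF_EVENT,
        "eventType": "ACTIVITY",
        "eventTime": "2023-10-18T14:38.40+0000",
        "action": action,
        # "FAILURE" is an assumed outcome value; the page only shows "SUCCESS".
        "outcome": "SUCCESS" if code < 400 else "FAILURE",
        "initiator": {"id": initiator, "name": initiator,
                      "host": {"address": address}, "credential": {"type": "token"}},
        "target": {"id": target_id, "typeURI": "ibm-cp-security/isc-app-manager"},
        "reason": {"reasonCode": code},
    }
    header = "<13>1 2023-10-18T14:38:44.641868+00:00 audit-logs-cp4s fluentd - - - "
    return header + json.dumps(event, separators=(",", ":"))


TARGET = "/manager/tenants/cd766d47-4ecd-4910-8f48-5024202259b2/controllers"
SAMPLE_LINES = [
    # Values taken from the page's raw event.
    make_line("SERVICE.edgegateway.controller-manager", "10.254.18.87", "READ", TARGET, 200),
    # Constructed: one caller denied three times, one denied once (below threshold).
    *[make_line("analyst@example.com", "192.0.2.10", "READ", TARGET, 403) for _ in range(3)],
    make_line("intern@example.com", "192.0.2.11", "READ", TARGET, 401),
    # Constructed: a forwarded line that is not an audit event.
    "<13>1 2023-10-18T14:38:45+00:00 audit-logs-cp4s fluentd - - - connection reset",
]

if __name__ == "__main__":
    print(parse_audit_line(SAMPLE_LINES[0]))
    print(denied_requests(SAMPLE_LINES))
```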

The following tables describe the components and services that support audit logging. If a service supports audit logging, all user activities specific to the services that are enabled are recorded. Events related to Optional Services are generated only when the services are installed.

Login, Logout, Session, Authentication, and Authorisation

Table 1. Service name: Authsvc
Action Description URL
create Authenticate a user. /api/introspect

Table 2. Service name: CLX
Action Description URL
read Read user entitlements from the entitlements service. /shell/v1/userShellData
update Renew or generate a new JWT for the user. /shell/jwt/renew
delete User log out. Clear a user session and revoke JWT. /shell/logout
create User log in by using IDP. A JWT is issued, and a new session is created. /shell/oidc/callback
update User switches account. A new JWT is issued. /shell/jwt/account/{account-id}

Table 3. Service name: Notifications
Action Description URL
read Read notifications from the notifications service. /notifications/events

Table 4. Service name: Entitlements
Action Description URL
create Create an account. /api/entitlements/v2.0/accounts
update Modify an account. /api/entitlements/v1.0/accounts/{account_id}
update Suspend an account. /api/entitlements/v1.0/accounts/{account_id}/status
delete Delete an account. /api/entitlements/v1.0/accounts/{account_id}
create Add an IDP directory to the account. /api/entitlements/v1.0/accounts/{account_id}
create Add a user. /api/entitlements/v1.0/accounts/{account_id}/users
delete Delete a user. /api/entitlements/v1.0/accounts/{account_id}/users/{user_id}
update Change the user role. /api/entitlements/v1.0/application/user
create Add an offering. /api/entitlements/v1.0/subscriptions
update Change an offering. /api/entitlements/v1.0/subscriptions/{subscription_id}
delete Delete an offering. /api/entitlements/v1.0/subscriptions/{subscription_id}

Dashboards

Table 5. Service name: Pulse
Action Description URL
create Create a dashboard. /pulse/api/dashboard
update Update a dashboard. /pulse/api/dashboards/{id}
delete Delete a dashboard. /pulse/api/dashboards/{id}
update Update a specific dashboard's user privileges. /pulse/api/dashboard/{id}/privileges
create Import a dashboard. /pulse/api/dashboards/import_file
create Create a view. /pulse/api/dashboards/{id}/views
update Update a view. /pulse/api/dashboards/{id}/views
create Create an item. /pulse/api/items
update Update an item. /pulse/api/items/{id}
delete Delete an item. /pulse/api/items/{id}
create Create a search. /pulse/api/search
delete Delete a search. Cleans up the search from QRadar by using the QRadar delete search API. /pulse/api/searches/{searchkey}
create Create a parameter. /pulse/api/parameters
update Update a parameter. /pulse/api/parameters
delete Delete a parameter. /pulse/api/parameters

Data sources, Connections, and Searches

Table 6. Service name: UDI
Action Description URL
create Create a search. /api/uds/v3/queries
update Cancel a single query. /api/uds/v3/queries/:id/cancel
update Cancel all queries. /api/uds/v3/queries/cancel
read Get query results. /api/uds/v3/queries/:id/results/:page
create Create a data source connection. /api/uds/v3/connections
update Update a data source connection. /api/uds/v3/connections
delete Delete a data source connection. /api/uds/v3/connections
read Retrieve a data source connection. /api/uds/v3/connections
read Retrieve a data source connection. /api/uds/v3/connections/{id}
create Create a data source connection. /api/uds/v3/configurations
update Update a data source connection. /api/uds/v3/configurations
delete Delete a data source connection. /api/uds/v3/configurations
read Retrieve a data source connection. /api/uds/v3/configurations
read Retrieve a data source connection. /api/uds/v3/configurations/{id}

Table 7. Service name: QProxy
Action Description URL
create Create a QRadar or QROC connection configuration. /app/qproxy/server_settings
update Update a QRadar or QROC connection configuration. /app/qproxy/server_settings
delete Delete a QRadar or QROC connection configuration. /app/qproxy/server_settings
create Proxy from QRadar or QRoC. /app/qproxy/proxy/
read Validate a connection. /app/qproxy/qconfig/validatebackground, /app/qproxy/qconfig/validate, /app/qproxy/qconfig/validateui
read Display a QProxy configuration. /app/qproxy/server_settings

Table 8. Service name: Edge Gateway
Action Description URL
read, update Get or update the UI's log download timeout. /api/edgegateway/settings
read Get a list of tenants. /api/app_manager/tenants
create Create a new tenant. /api/app_manager/tenants
read, update, delete Get, update, or delete a specific tenant. /api/app_manager/tenants/{tenant_id}
read Get a list of controllers for a specific tenant. /api/app_manager/tenants/{tenant_id}/controllers
read Get a list of applications for a specific tenant. /api/app_manager/tenants/{tenant_id}/apps
read Get a specific application for a specific tenant. /api/app_manager/tenants/{tenant_id}/apps/{app_name}
read Get a list of jobs for a specific tenant. /api/app_manager/tenants/{tenant_id}/jobs
create Create a controller. /api/app_manager/controllers
read, update, delete Get, update, or delete a specific controller. /api/app_manager/controllers/{controller_id}
read Get a list of applications for a specific controller. /api/app_manager/controllers/{controller_id}/apps
read Get a list of app_tests for a specific controller. /api/app_manager/controllers/{controller_id}/app_tests
create Create a new key pair for a specific controller. /api/app_manager/controllers/{controller_id}/keypair
create Create a new heartbeat record for a specific controller. /api/app_manager/controllers/{controller_id}/heartbeat, /api/app_manager/controllers/{controller_id}/heartbeat_ex
read, update Get or update the status for a specific controller. /api/app_manager/controllers/{controller_id}/status
read Get a list of commands for a specific controller. /api/app_manager/controllers/{controller_id}/commands
read Get a list of jobs for a specific controller. /api/app_manager/controllers/{controller_id}/jobs
read Get the logs for a specific controller. /api/app_manager/controllers/{controller_id}/logs/query
read Get the logs for a specific controller. /api/app_manager/controllers/{controller_id}/logs
create Create a new JWT for a specific controller. /api/app_manager/controllers/{controller_id}/jwt
create Create a new application. /api/app_manager/apps
read, update, delete Get, update, or delete a specific application. /api/app_manager/apps/{app_id}
read Get a list of files for a specific application. /api/app_manager/apps/{app_id}/files
read Get a list of application tests for a specific application. /api/app_manager/apps/{app_id}/tests
read Get the last application test for a specific application. /api/app_manager/apps/{app_id}/last_test
read Get the logs for a specific application. /api/app_manager/apps/{app_id}/logs/query
read Get the logs for a specific application. /api/app_manager/apps/{app_id}/logs
read Get a list of secrets for a specific application. /api/app_manager/apps/{app_id}/secrets
read, update Get the deployment status for a specific application. /api/app_manager/apps/{app_id}/deployment_status
read, update Get the deployment for a specific application. /api/app_manager/apps/{app_id}/deployment
create Create a new application file. /api/app_manager/app_files
read, update, delete Get, update, or delete an application file. /api/app_manager/app_files/{af_id}
create Create a new application test. /api/app_manager/app_tests
read, update Get or update a specific application test. /api/app_manager/app_tests/{at_id}
read, update Get or update a specific application test status. /api/app_manager/app_tests/{at_id}/status
update Update a command. /api/app_manager/commands/{command_id}
create Create a new application secret. /api/app_manager/app_secrets
update, delete Update or delete a specific application secret. /api/app_manager/app_secrets/{as_id}
read Get the system version. /api/app_manager/system/version
read Get the system health. /api/app_manager/system/health, Get /system/health/all
create Create a new job. /api/app_manager/jobs
read, update, delete Get, update, or delete a specific job. /api/app_manager/jobs/{job_id}
read, update Get or update the status for a specific job. /api/app_manager/jobs/{job_id}/status
read Get a list of executions for a specific job. /api/app_manager/jobs/{job_id}/executions
create Create a new job execution. /api/app_manager/job_executions
read, update Get or update a specific job execution. /api/app_manager/job_executions/{jobexe_id}

Table 9. Service name: DLC
Action Description URL
create Create a record in the DLC table. /api/datalake/dlc/v0/disconnected_log_collectors/
update Update a record in the DLC table. /api/datalake/dlc/v0/disconnected_log_collectors/
delete Delete a record in the DLC table. /api/datalake/dlc/v0/disconnected_log_collectors/{id}
read Read a list of all registered DCs. /api/datalake/dlc/v0/disconnected_log_collectors
read Read one record for a registered DC. /api/datalake/dlc/v0/disconnected_log_collectors/{id}/connection_bundle
read Download a connection bundle for a registered DC. /api/datalake/dlc/v0/disconnected_log_collectors/{id}/connection_bundle

Table 10. Service name: Data Explorer
Action Description URL
create Create a search record in the Data Explorer database. /investigate/api/v1/searches
read Read a search record in the Data Explorer database. /investigate/api/v1/searches
update Update a search record in the Data Explorer database. /investigate/api/v1/searches
delete Delete a search record from the Data Explorer database. /investigate/api/v1/searches
create Add a new enrichment job to the search record in the Data Explorer database. /investigate/api/v1/enrichments
create Create a user preference record in the Data Explorer database. /investigate/api/v1/userPreferences
read Get a user preference record in the Data Explorer database. /investigate/api/v1/userPreferences
update Update a user preference record in the Data Explorer database. /investigate/api/v1/userPreferences
delete Delete a user preference record in the Data Explorer database. /investigate/api/v1/userPreferences
read Get a user's search export file from ATK. /investigate/api/v1/results/{object_id}/object

Table 11. Service name: CAR
Action Description URL
create Import an asset. /api/car/v2/imports
update Modify an asset object. /api/car/v3/query
create Create an extension schema. /api/car/v3/carSchema
delete Delete an extension schema. /api/car/v3/carSchema/{key}
update Update a retention policy. /api/car/v3/DataRetentionPolicy

Table 12. Service name: ATK
Action Description URL
create Create a new hunt. /api/atk/v1/hunts
update Update a hunt. /api/atk/v1/hunts/{hunt_id}
delete Delete a hunt. /api/atk/v1/hunts/{hunt_id}
create Create a new step in the hunt. /api/atk/v1/hunts/{hunt_id}/steps
update Update a step. /api/atk/v1/hunts/{hunt_id}/steps/{step_id}
delete Delete a step. /api/atk/v1/hunts/{hunt_id}/steps/{step_id}
create Create a hunt book. /api/atk/v1/huntbook/import/file
read Get the error codes. /api/atk/v1/errcodes
read Get a list of hunts. /api/atk/v1/hunts
read Get a hunt by ID. /api/atk/v1/hunts/{hunt_id}
read Get the status of step executions under your account. /api/atk/v1/executions
read Get the list of steps in a hunt. /api/atk/v1/hunts/{hunt_id}/steps
read Get the RQ status of steps from a hunt. /api/atk/v1/hunts/{hunt_id}/steps/{step_id}/status
read Get the actual output of the executed THL statement. /api/atk/v1/hunts/{hunt_id}/steps/{step_id}/output
read Get the list of variables in a hunt. /api/atk/v1/hunts/{hunt_id}/variables
read Get the actual value of the variable from a hunt. /api/atk/v1/hunts/{hunt_id}/variables/{variable_name}
read Get the list of available analytics to apply. /api/atk/v1/analytics
read Get the details of a specific analytic. /api/atk/v1/analytics/{analytic_name}
read Get the features, columns, and properties of a search result. /api/atk/v1/searches/{query_id}/columns
read Get a single search result export. /api/atk/v1/searches/{query_id}/exports/{tracking_id}
read Get the enrichment status by the tracking_id. /api/atk/v1/searches/{query_id}/enrichments/{tracking_id}
create Export a search data. /api/atk/v1/searches/{query_id}/exports
delete Delete an account. /api/atk/v1/account/{accountid}
delete Delete a configuration. /api/atk/v1/{task}/{configid}
create Start a new workflow. /api/atk/v1/workflow/{configid}
delete Delete a job. /api/atk/v1/job/{jobid}
delete Delete all jobs. /api/atk/v1/jobs/all
read List all the registered tasks. /api/atk/v1/{task}
read Return the list of parameters for a task. /api/atk/v1{task}/{configid}
read Return the job status. /api/atk/v1/job/{jobid}/status
read Return the job result. /api/atk/v1/job/{jobid}/result
read Return the service job. /api/atk/v1/job/{jobid}/service/{path:path}
read Return the status. /api/atk/v1/status

Case management, SOAR and Investigations

Table 13. Service name: SOAR
Action Description URL
read, create Retrieve a list of actions in an organization. /orgs/{org_id}/actions
read, update Retrieve a list of action orders in an organization. /orgs/{org_id}/actions/action_order
read Retrieve information about a specific user. /orgs/{org_id}/actions/{handle}
delete, update Retrieve information about a specific user ID. /orgs/{org_id}/actions/{id}
read View the details of a specific user or organization. /orgs/{org_id}/actions/{id}/view
read, create Endpoints to manage user invitations. Only master administrators are allowed to perform these operations. /orgs/{org_id}/invitations
update Endpoints to manage user invitations. Only master administrators are allowed to perform these operations. /orgs/{org_id}/invitations/query_paged
read, delete, update Endpoints to manage user invitations. Only master administrators are allowed to perform these operations. /orgs/{org_id}/invitations/{invite_id}
create, read Endpoints to retrieve and set information about API keys. /orgs/{org_id}/apikeys
update Endpoints to retrieve and set information about API keys. /orgs/{org_id}/apikeys/query_paged
delete, update, read Endpoints to retrieve and set information about API keys. /orgs/{org_id}/apikeys/{id}
read, create Contains the endpoints for managing apps. /orgs/{org_id}/apps
delete, read, update Contains the endpoints for managing apps. /orgs/{org_id}/apps/{appHandle}
delete Contains the endpoints for managing apps. /orgs/{org_id}/apps/{appHandle}/current_installation
read Contains the endpoints for managing apps. /orgs/{org_id}/apps/{appHandle}/deletion_summary
create Contains the endpoints for managing apps. /orgs/{org_id}/apps/{appHandle}/installations
update Contains the endpoints for managing apps. /orgs/{org_id}/apps/{appHandle}/installations/{installationId}
create, update Endpoints for managing artifacts. /orgs/{org_id}/artifacts
update Endpoints for managing artifacts. /orgs/{org_id}/artifacts/patch
create, read Endpoints for managing artifacts. /orgs/{org_id}/artifacts/query_paged
read, delete, update Endpoints for managing artifacts. /orgs/{org_id}/artifacts/{artifact_id}
read Endpoints for managing artifacts. /orgs/{org_id}/artifacts/{artifact_id}/history
update Endpoints for managing artifacts. /orgs/{org_id}/artifacts/{artifact_id}/patch
create, read Endpoints for managing artifacts. /orgs/{org_id}/artifacts/{artifact_id}/hits/query_paged
create, read Endpoints for managing artifacts. /orgs/{org_id}/artifacts/{artifact_id}/related_incident_artifacts/query_paged
read, create Service endpoints for managing automatic tasks. These are template tasks that are used by rules to instantiate incident tasks. /orgs/{org_id}/automatic_tasks
read, delete, update Service endpoints for managing automatic tasks. These are template tasks that are used by rules to instantiate incident tasks. /orgs/{org_id}/automatic_tasks/{id}
create Endpoints for managing configuration import and export. /orgs/{org_id}/configurations/exports
create Endpoints for managing configuration import and export. /orgs/{org_id}/configurations/imports
create Endpoints for managing configuration import and export. /orgs/{org_id}/configurations/push
read Endpoints for managing configuration import and export. /orgs/{org_id}/configurations/exports/history
create Endpoints for managing configuration import and export. /orgs/{org_id}/configurations/exports/zip
read, create Endpoints for managing configuration import and export. /orgs/{org_id}/configurations/exports/{export_id}
read Endpoints for managing configuration import and export. /orgs/{org_id}/configurations/imports/history
update Endpoints for managing configuration import and export. /orgs/{org_id}/configurations/imports/{import_id}
read Endpoints for managing configuration import and export. /orgs/{org_id}/configurations/push/history
update Endpoints for managing configuration import and export. /orgs/{org_id}/configurations/imports/{import_id}/status
read Endpoints for managing configuration import and export. /orgs/{org_id}/configurations/push/history/{push_id}
read, create Endpoints for managing configuration import and export. /orgs/{org_id}/configurations/push/history/{push_id}/exports
read, create Endpoint for retrieving information for a specific server. /const
read, update Endpoints for getting and setting information about the current user. /users/{user_id}
read, update Endpoints for getting and setting information about the current user. /users/{user_id}/password
read Endpoints for managing customization objects. /orgs/{org_id}/customizations/{customization_type}/references
read Endpoints for managing customization objects. /orgs/{org_id}/customizations/{customization_type}/{customization_object_handle}/references
read Endpoint for managing the table data for an incident. /orgs/{org_id}/incidents/{inc_id}/table_data
read Endpoint for managing the table data for an incident. /orgs/{org_id}/incidents/{inc_id}/table_data/{table_id}
delete, create Endpoint for managing the table data for an incident. /orgs/{org_id}/incidents/{inc_id}/table_data/{table_id}/row_data
delete, read, update Endpoint for managing the table data for an incident. /orgs/{org_id}/incidents/{inc_id}/table_data/{table_id}/row_data/{row_id}
create Download the file generated by other IBM Security QRadar SOAR APIs. /downloads/{uuid}/content
read, create Manage email mailboxes and messages for an organization. /orgs/{org_id}/email/inbound/mailboxes
create Manage email mailboxes and messages for an organization. /orgs/{org_id}/email/messages/action_invocations
create Manage email mailboxes and messages for an organization. /orgs/{org_id}/email/messages/download
create Manage email mailboxes and messages for an organization. /orgs/{org_id}/email/inbound/mailboxes/connection_test
delete, read, update Manage email mailboxes and messages for an organization. /orgs/{org_id}/email/inbound/mailboxes/{inbound_mailbox_id}
update Manage email mailboxes and messages for an organization. /orgs/{org_id}/email/inbox/messages/delete
create, update Manage email mailboxes and messages for an organization. /orgs/{org_id}/email/inbox/messages/query_paged
delete Manage email mailboxes and messages for an organization. /orgs/{org_id}/email/inbox/messages/{email_message_id}
create, update Manage email mailboxes and messages for an organization. /orgs/{org_id}/email/inbound/mailboxes/{inbound_mailbox_id}/certificates
read, create, update Manage email mailboxes and messages for an organization. /orgs/{org_id}/email/inbox/messages/{email_message_id}/original
create, update Manage email mailboxes and messages for an organization. /orgs/{org_id}/email/incidents/{id}/messages/query_paged
read, create, update Manage email mailboxes and messages for an organization. /orgs/{org_id}/email/incidents/{incident_id}/messages/{email_message_id}/original
create, update Base class for all the REST services that are limited by an organization. /orgs/{org_id}/incidents/{inc_id}/explainability/query_paged
create, update Base class for all the REST services that are limited by an organization. /orgs/{org_id}/incidents/{inc_id}/findings
read Base class for all the REST services that are limited by an organization. /orgs/{org_id}/incidents/{inc_id}/findings/count_by_severity
create, update Base class for all the REST services that are limited by an organization. /orgs/{org_id}/incidents/{inc_id}/findings/query_paged
read Base class for all the REST services that are limited by an organization. /orgs/{org_id}/incidents/{inc_id}/findings/{finding_id}
read Base class for all the REST services that are limited by an organization. /orgs/{org_id}/incidents/{inc_id}/findings/{finding_id}/artifacts/count_by_severity
create, update Base class for all the REST services that are limited by an organization. /orgs/{org_id}/incidents/{inc_id}/findings/{finding_id}/artifacts/query_paged
create, update Base class for all the REST services that are limited by an organization. /orgs/{org_id}/incidents/{inc_id}/findings/{finding_id}/properties/query_paged
create, update Base class for all the REST services that are limited by an organization. /orgs/{org_id}/incidents/{inc_id}/findings/{finding_id}/related_findings/query_paged
read Base class for all the REST services that are limited by an organization. /orgs/{org_id}/incidents/{inc_id}/findings/{finding_id}/explainability/scores/count_by_severity
create, update Base class for all the REST services that are limited by an organization. /orgs/{org_id}/incidents/{inc_id}/findings/{finding_id}/explainability/scores/query_paged
read, create, update Manage functions. /orgs/{org_id}/functions
delete, read, update Manage functions. /orgs/{org_id}/functions/{functionHandle}
read, create, update Implementation for the /rest/groups REST methods. /orgs/{org_id}/groups
create, update Implementation for the /rest/groups REST methods. /orgs/{org_id}/groups/query_paged
delete, read, update Implementation for the /rest/groups REST methods. /orgs/{org_id}/groups/{id}
read Implementation for the /rest/groups REST methods. /orgs/{org_id}/groups/{id}/has_assignments
read, create, update Service for interacting with inbound destinations. /orgs/{org_id}/inbound_destinations
delete, read, update Service for interacting with inbound destinations. /orgs/{org_id}/inbound_destinations/{handle}
read, create, update Manage an incident's artifacts. /orgs/{org_id}/incidents/{inc_id}/artifacts
read Manage an incident's artifacts. /orgs/{org_id}/incidents/{inc_id}/artifacts/count_by_severity
create, update Manage an incident's artifacts. /orgs/{org_id}/incidents/{inc_id}/artifacts/files
create, update Manage an incident's artifacts. /orgs/{org_id}/incidents/{inc_id}/artifacts/query_paged
delete, read, update Manage an incident's artifacts. /orgs/{org_id}/incidents/{inc_id}/artifacts/{artifact_id}
read, HEAD, create, update Manage an incident's artifacts. /orgs/{org_id}/incidents/{inc_id}/artifacts/{artifact_id}/contents
create, update Manage an incident's artifacts. /orgs/{org_id}/incidents/{inc_id}/artifacts/{artifact_id}/copy
read Manage an incident's artifacts. /orgs/{org_id}/incidents/{inc_id}/artifacts/{artifact_id}/history
create, update Manage an incident's artifacts. /orgs/{org_id}/incidents/{inc_id}/artifacts/{artifact_id}/hits
create, update Manage an incident's artifacts. /orgs/{org_id}/incidents/{inc_id}/artifacts/{artifact_id}/whois
create, update Manage an incident's artifacts. /orgs/{org_id}/incidents/{inc_id}/artifacts/{artifact_id}/enrichments/query_paged
create, update Manage an incident's artifacts. /orgs/{org_id}/incidents/{inc_id}/artifacts/{artifact_id}/findings/query_paged
create, update Manage an incident's artifacts. /orgs/{org_id}/incidents/{inc_id}/artifacts/{artifact_id}/generic_properties/query_paged
create, update Manage an incident's artifacts. /orgs/{org_id}/incidents/{inc_id}/artifacts/{artifact_id}/related_incidents/query_paged
read Manage an incident's artifacts. /orgs/{org_id}/incidents/{inc_id}/artifacts/{artifact_id}/explainability/scores/count_by_severity
create, update Manage an incident's artifacts. /orgs/{org_id}/incidents/{inc_id}/artifacts/{artifact_id}/explainability/scores/query_paged
read, create, update Manage an incident's attachments. /orgs/{org_id}/incidents/{inc_id}/attachments
create, update Manage an incident's attachments. /orgs/{org_id}/incidents/{inc_id}/attachments/query
delete, read Manage an incident's attachments. /orgs/{org_id}/incidents/{inc_id}/attachments/{attach_id}
read, HEAD, create, update Manage an incident's attachments. /orgs/{org_id}/incidents/{inc_id}/attachments/{attach_id}/contents
read, create, update Manage an incident's milestones. /orgs/{org_id}/incidents/{inc_id}/milestones
delete, update Manage an incident's milestones. /orgs/{org_id}/incidents/{inc_id}/milestones/{id}
read, create, update Manage an incident's notes. /orgs/{org_id}/incidents/{inc_id}/comments
create, update Manage an incident's notes. /orgs/{org_id}/incidents/{inc_id}/comments/query
delete, read, update Manage an incident's notes. /orgs/{org_id}/incidents/{inc_id}/comments/{id}
read, update, create, update Manage incidents. /orgs/{org_id}/incidents
update Manage incidents. /orgs/{org_id}/incidents/delete
read Manage incidents. /orgs/{org_id}/incidents/open
update Manage incidents. /orgs/{org_id}/incidents/patch
create, update Manage incidents. /orgs/{org_id}/incidents/query
create, update Manage incidents. /orgs/{org_id}/incidents/query_paged
read Manage incidents. /orgs/{org_id}/incidents/simulations
delete, read, update, update Manage incidents. /orgs/{org_id}/incidents/{inc_id}
update Manage incidents. /orgs/{org_id}/incidents/{id}/patch
read Manage incidents. /orgs/{org_id}/incidents/{inc_id}/due_soon
read Manage incidents. /orgs/{org_id}/incidents/{inc_id}/history
read, update Manage incidents. /orgs/{org_id}/incidents/{inc_id}/members
read Manage incidents. /orgs/{org_id}/incidents/{inc_id}/newsfeed
create, update Manage incidents. /orgs/{org_id}/incidents/{inc_id}/related
read Manage incidents. /orgs/{org_id}/incidents/{inc_id}/related_ex
read Manage incidents. /orgs/{org_id}/incidents/{inc_id}/related_ex_counts
read, create, update Manage incidents. /orgs/{org_id}/incidents/{inc_id}/tasks
read Manage incidents. /orgs/{org_id}/incidents/{inc_id}/workflow_instances
read Manage incident statistics. /orgs/{org_id}/incidents/{inc_id}/stats/tasks_by_owner
read Manage incident statistics. /orgs/{org_id}/incidents/{inc_id}/stats/tasks_over_time
read, create, update Manage email mailboxes for an organization. /orgs/{org_id}/email/mailboxes/inbound
create, update Manage email mailboxes for an organization. /orgs/{org_id}/email/mailboxes/inbound/connection_test
delete, read, update Manage email mailboxes for an organization. /orgs/{org_id}/email/mailboxes/inbound/{inbound_mailbox_id}
create, update Manage email mailboxes for an organization. /orgs/{org_id}/email/mailboxes/inbound/{inbound_mailbox_handle}/certificates
create, update Manage email mailboxes for an organization. /orgs/{org_id}/email/mailboxes/inbound/{inbound_mailbox_handle}/proxy/certificates
read, create, update Interact with message destinations. /orgs/{org_id}/message_destinations
read Interact with message destinations. /orgs/{org_id}/message_destinations/{handle}
delete, update Interact with message destinations. /orgs/{org_id}/message_destinations/{id}
delete, read Determine which notifications are available for a user and delete them. /orgs/{org_id}/notifications
read Determine which notifications are available for a user and delete them. /orgs/{org_id}/notifications/info
delete Determine which notifications are available for a user and delete them. /orgs/{org_id}/notifications/{id}
read, create, update Customize settings about an organization's incident artifact types. /orgs/{org_id}/artifact_types
create, update Customize settings about an organization's incident artifact types. /orgs/{org_id}/artifact_types/query_paged
delete, read, update Customize settings about an organization's incident artifact types. /orgs/{org_id}/artifact_types/{type_id}
read, update Retrieve and set information about the organization. /orgs/{org_id}
delete, update Retrieve and set information about the organization. /orgs/{org_id}/authldapgroup
read, update Retrieve and set information about the organization. /orgs/{org_id}/data_types
read, update Retrieve and set information about the organization. /orgs/{org_id}/geos
read, create, update Retrieve and set information about the organization. /orgs/{org_id}/incident_types
read Retrieve and set information about the organization. /orgs/{org_id}/newsfeed
read Retrieve and set information about the organization. /orgs/{org_id}/permissions
read, update Retrieve and set information about the organization. /orgs/{org_id}/regulators
read, update Retrieve and set information about the organization. /orgs/{org_id}/settings
read, update Retrieve and set information about the organization. /orgs/{org_id}/timeframes
delete, read Retrieve and set information about the organization. /orgs/{org_id}/twofactorauth
delete, read, update Retrieve and set information about the organization. /orgs/{org_id}/incident_types/{id}
read Retrieve and set information about the organization. /orgs/{org_id}/permissions/{perm_id}
update Retrieve and set information about the organization. /orgs/{org_id}/twofactorauth/{id}
read Retrieve the high level statistics. /orgs/{org_id}/stats/closed_incidents_by_duration
read Retrieve the high level statistics. /orgs/{org_id}/stats/counts
read Retrieve the high level statistics. /orgs/{org_id}/stats/incidents_by_category
read Retrieve the high level statistics. /orgs/{org_id}/stats/incidents_by_severity
read Retrieve the high level statistics. /orgs/{org_id}/stats/incidents_by_type_over_time
read Retrieve the high level statistics. /orgs/{org_id}/stats/incidents_by_user
read Retrieve the high level statistics. /orgs/{org_id}/stats/new_and_open_incidents
read Retrieve the high level statistics. /orgs/{org_id}/stats/open_incidents_by_confirmed_unconfirmed
read Retrieve the high level statistics. /orgs/{org_id}/stats/open_incidents_by_duration
read Retrieve the high level statistics. /orgs/{org_id}/stats/open_incidents_by_phase
read Retrieve the high level statistics. /orgs/{org_id}/stats/open_tasks_by_owner
read Manage the threat sources for the organization. /orgs/{org_id}/threat_sources
read Retrieve the information about users in an organization. /orgs/{org_id}/users
create, update Retrieve the information about users in an organization. /orgs/{org_id}/users/query_paged
delete, read, update Retrieve the information about users in an organization. /orgs/{org_id}/users/{id}
update Retrieve the information about users in an organization. /orgs/{org_id}/users/{id}/activateUser
update Retrieve the information about users in an organization. /orgs/{org_id}/users/{id}/deactivateUser
read, create, update Retrieve the information about users in an organization. /orgs/{org_id}/users/{id}/has_assignments
read Retrieve the information about users in an organization. /orgs/{org_id}/users/{id}/incidents
update Retrieve the information about users in an organization. /orgs/{org_id}/users/{id}/reassign_assignments
read Retrieve the information about users in an organization. /orgs/{org_id}/users/{id}/tasks
create, update Retrieve the information about users in an organization. /orgs/{org_id}/users/{user_object_handle}/resetPassword
read, create, update Manage phases. /orgs/{org_id}/phases
update Manage phases. /orgs/{org_id}/phases/order
delete, read, update Manage phases. /orgs/{org_id}/phases/{phaseId}
create, update Manage instances of executing or previously-executed playbooks. /orgs/{org_id}/playbooks/execution/cancel
create, update Manage instances of executing or previously-executed playbooks. /orgs/{org_id}/playbooks/execution/query_paged
read Manage instances of executing or previously-executed playbooks. /orgs/{org_id}/playbooks/execution/statistics
create, update Manage instances of executing or previously-executed playbooks. /orgs/{org_id}/playbooks/execution/{execution_id}/activities
read Manage instances of executing or previously-executed playbooks. /orgs/{org_id}/playbooks/execution/{execution_id}/playbook
update Manage instances of executing or previously-executed playbooks. /orgs/{org_id}/playbooks/execution/{execution_id}/status
create, update Manage playbooks. /orgs/{org_id}/playbooks
create, update Manage playbooks. /orgs/{org_id}/playbooks/exports
create, update Manage playbooks. /orgs/{org_id}/playbooks/imports
create, update Manage playbooks. /orgs/{org_id}/playbooks/query_paged
delete, read, create, update Manage playbooks. /orgs/{org_id}/playbooks/{playbook_object_handle}
create, update Manage playbooks. /orgs/{org_id}/playbooks/exports/{export_id}
create, update Manage playbooks. /orgs/{org_id}/playbooks/{playbook_object_handle}/clone
read Manage playbooks. /orgs/{org_id}/playbooks/{playbook_object_handle}/manual_input_form
read Manage playbooks. /orgs/{org_id}/playbooks/{playbook_object_handle}/schema
update Manage playbooks. /orgs/{org_id}/playbooks/imports/{import_id}/status
read Manage playbooks. /orgs/{org_id}/playbooks/{playbook_object_handle}/inputs/schema
create, update Perform actions on principals. /orgs/{org_id}/principals/search
read Retrieve privacy data. /privacy/data_type_categories
read Retrieve privacy data. /privacy/regulator_categories
create, update Generate reports that can be downloaded. /orgs/{org_id}/reports/incident_history_detail/{inc_id}
read, create, update Manage roles for an organization. /orgs/{org_id}/roles
delete, read, update Manage roles for an organization. /orgs/{org_id}/roles/{role_id}
read, create, update Manage the invokable scripts for an organization. /orgs/{org_id}/scripts
create, update Manage the invokable scripts for an organization. /orgs/{org_id}/scripts/query_paged
delete, read, update Manage the invokable scripts for an organization. /orgs/{org_id}/scripts/{script_id}
create, update Perform full text searches through incidents and incident child objects (tasks, incident comments, task comments, milestones, artifacts, incident attachments, task attachments, and data tables). /search_ex
delete, read, create, update Authentication. /session
read, create, update Authentication. /session/twofactor
read Authentication. /session/{org_id}/acl
read, update Perform system health related operations across all organizations. /system/diagnostics/functional_area_logging
read, update Perform system health related operations across all organizations. /system/diagnostics/trace_settings
read Perform system health related operations across all organizations. /system/diagnostics/functional_area_logging/areas
read Perform system related operations, such as search users across all organizations, list users with system permissions, assign system permissions to users, and retrieve license usage information. /system/ip_bans
read, update Perform system related operations, such as search users across all organizations, list users with system permissions, assign system permissions to users, and retrieve license usage information. /system/principal_permissions
create, update Perform system related operations, such as search users across all organizations, list users with system permissions, assign system permissions to users, and retrieve license usage information. /system/usage
delete Perform system related operations, such as search users across all organizations, list users with system permissions, assign system permissions to users, and retrieve license usage information. /system/ip_bans/{ip_address}
create, update Perform system related operations, such as search users across all organizations, list users with system permissions, assign system permissions to users, and retrieve license usage information. /system/principals/search
create, update Perform system related operations, such as search users across all organizations, list users with system permissions, assign system permissions to users, and retrieve license usage information. /system/usage/report
read, create, update Manage tags. /orgs/{org_id}/tags/{tagType}
create, update Manage tags. /orgs/{org_id}/tags/{tagType}/query_paged
delete, read, update Manage tags. /orgs/{org_id}/tags/{tagType}/{tagHandle}
read, create, update Manage task notes. /orgs/{org_id}/tasks/{task_id}/attachments
create, update Manage task notes. /orgs/{org_id}/tasks/{task_id}/attachments/query
delete, read Manage task notes. /orgs/{org_id}/tasks/{task_id}/attachments/{attach_id}
read, HEAD, create, update Manage task notes. /orgs/{org_id}/tasks/{task_id}/attachments/{attach_id}/contents
update Manage task notes. /orgs/{org_id}/tasks/{task_id}/attachments/{attach_id}/move
read, create, update Manage task notes. /orgs/{org_id}/tasks/{task_id}/comments
create, update Manage task notes. /orgs/{org_id}/tasks/{task_id}/comments/query
delete, read, update Manage task notes. /orgs/{org_id}/tasks/{task_id}/comments/{id}
read, update Manage tasks. /orgs/{org_id}/tasks
update Manage tasks. /orgs/{org_id}/tasks/delete
read Manage tasks. /orgs/{org_id}/tasks/due_soon
delete, read, update Manage tasks. /orgs/{org_id}/tasks/{task_id}
delete, read, update Manage tasks. /orgs/{org_id}/tasks/{id}/members
read Manage tasks. /orgs/{org_id}/tasks/{task_id}/instructions
read Manage tasks. /orgs/{org_id}/tasks/{task_id}/instructions_ex
read Manage tasks. /orgs/{org_id}/tasks/{task_id}/sources
create, update Retrieve the timer data. /orgs/{org_id}/timers
read, create, update View and edit built-in types and fields. /orgs/{org_id}/types
delete, read, update View and edit built-in types and fields. /orgs/{org_id}/types/{type}
read, create, update View and edit built-in types and fields. /orgs/{org_id}/types/{type}/fields
read View and edit built-in types and fields. /orgs/{org_id}/types/{type}/schema
delete, read, update View and edit built-in types and fields. /orgs/{org_id}/types/{type}/fields/{field}
read, create, update Create, read, update, or delete wiki pages. /orgs/{org_id}/wikis
update Create, read, update, or delete wiki pages. /orgs/{org_id}/wikis/order
delete, read, update Create, read, update, or delete wiki pages. /orgs/{org_id}/wikis/{id}
read, update Manage an incident's workflow instances. /orgs/{org_id}/workflow_instances/{wi_id}
read Manage workflows. /orgs/{org_id}/workflows
read, create, update Manage the workspaces for an organization. /orgs/{org_id}/workspaces
delete, read, update Manage the workspaces for an organization. /orgs/{org_id}/workspaces/{workspace_id}
Table 14. Service name: Threat Investigator
Action Description URL
read Get information about the application. /api/advisor/v1/about
read Get the application configuration information for the current account. /api/advisor/v1/account
create Start the changelog processing immediately. /api/advisor/v1/account/changelog/trigger
create Submit a request to register advisor analytics. /api/advisor/v1/analytics/
delete Deprovision the investigator application for the caller's account. /api/advisor/v1/config/auto_investigation
read Get the auto-investigation configuration. /api/advisor/v1/config/auto_investigation
update Update the auto-investigation configuration. /api/advisor/v1/config/auto_investigation
read Get the retention policy. /api/advisor/v1/config/retention_policy
update Update the retention policy. /api/advisor/v1/config/retention_policy
create Start an investigation purge immediately. /api/advisor/v1/config/retention_policy/trigger
create Start a stuck investigation purge immediately. /api/advisor/v1/config/retention_policy/trigger/stuck
read Get all tuning parameters. /api/advisor/v1/config/tuning
create, update Add or update a tuning parameter. /api/advisor/v1/config/tuning
delete Remove a tuning parameter. /api/advisor/v1/config/tuning/{name}
create Start an auto-investigation immediately. /api/advisor/v1/investigation/auto/trigger
delete Cancel the case investigation. /api/advisor/v1/investigation/case/{int:case_id}
read Get the status of a case investigation. /api/advisor/v1/investigation/case/{int:case_id}
create Submit a case investigation. /api/advisor/v1/investigation/case/{int:case_id}
create Delete an activity from the timeline. /api/advisor/v1/investigation/case/{int:case_id}/deleted_activity
read Get the responses for an investigation. /api/advisor/v1/investigation/case/{int:case_id}/responses
delete Reject the response. /api/advisor/v1/investigation/case/{int:case_id}/responses/{string:response_id}
read Get details of the response. /api/advisor/v1/investigation/case/{int:case_id}/responses/{string:response_id}
create Accept the response. /api/advisor/v1/investigation/case/{int:case_id}/responses/{string:response_id}
delete Remove the investigation of a case. /api/advisor/v1/investigation/case/{int:case_id}/results
read Get the attack assets and attack links results for a case investigation. /api/advisor/v1/investigation/case/{int:case_id}/results/assetslinks
read Get the attack chain results for a case investigation. /api/advisor/v1/investigation/case/{int:case_id}/results/attackchain
read Get the findings for an investigation. /api/advisor/v1/investigation/case/{int:case_id}/results/findings
create Attach the findings to a case. /api/advisor/v1/investigation/case/{int:case_id}/results/findings
read Get the attack metadata results for a case investigation. /api/advisor/v1/investigation/case/{int:case_id}/results/metadata
create Return the investigation observable information. /api/advisor/v1/investigation/case/{int:case_id}/results/observable/query
read Get only the attack assets results for a case investigation. /api/advisor/v1/investigation/case/{int:case_id}/results/overview
read Get the information about the specified process and asset in the investigation. /api/advisor/v1/investigation/case/{int:case_id}/results/process_info
read Get a process tree for the specified asset in an investigation. /api/advisor/v1/investigation/case/{int:case_id}/results/process_tree
create Search the investigation by search term. /api/advisor/v1/investigation/case/{int:case_id}/results/search
read Return the classification and investigation statistics for a case investigation. /api/advisor/v1/investigation/case/{int:case_id}/results/stats
read Get the requested STIX observed data object for a case investigation. /api/advisor/v1/investigation/case/{int:case_id}/results/stix/{string:stix_id}
read Get the related threat intelligence for the requested STIX observed data. /api/advisor/v1/investigation/case/{int:case_id}/results/ti/{string:stix_id}
read Get a walk-through for an investigation. /api/advisor/v1/investigation/case/{int:case_id}/results/walkthrough
read Get the status of the task to add findings to a case. /api/advisor/v1/investigation/case/{int:case_id}/save_status
delete Unstar the timeline investigation activity. /api/advisor/v1/investigation/case/{int:case_id}/starred_activity
read Get the timeline investigation activity. /api/advisor/v1/investigation/case/{int:case_id}/starred_activity
create Star the timeline investigation activity. /api/advisor/v1/investigation/case/{int:case_id}/starred_activity
read Get tags for an investigation. /api/advisor/v1/investigation/case/{int:case_id}/tagging
create Extract and update tags for an investigation. /api/advisor/v1/investigation/case/{int:case_id}/tagging
read Return a page of the investigation summaries and corresponding case metadata. /api/advisor/v1/investigation/cases
read Get the metrics for the case investigations. /api/advisor/v1/investigation/metrics

Detection and Response Center

Table 15. Service name: DRC
Action Description URL
read Get a tactic and techniques list. /api/drc/v1/mitre/tactics_and_techniques
read Get a reference list in your account. /api/drc/v1/{account_id}/reference_lists
read Get a reference list by uuid in your account. /api/drc/v1/{account_id}/reference_lists/{uuid}
read Get elements of a reference list in your account. /api/drc/v1/{account_id}/reference_lists/{uuid}/elements
read Get a rules list. /api/drc/v1/rules
read Get a rules list in your account. /api/drc/v1/{account_id}/rules
read Get a rule by ID in your account. /api/drc/v1/{account_id}/rules/{rule_id}
create Create a job. /app/drc/api/jobs/{jobType}
read Get configurations. /app/drc/api/configurations
create Create configurations. /app/drc/api/configurations
read Get the enabled features of the current user. /app/drc/api/enabled_features
read Get the files of the current user. /app/drc/api/use_case_explorer/filters
read Get all MITRE ATT&CK rule mappings. /app/drc/api/mappings
create Create a MITRE mapping. /app/drc/api/mappings
update Update a MITRE mapping. /app/drc/api/mappings
read Get a default IBM mapping by rule. /app/drc/api/mappings/default/by_name
read Get all tactics and techniques. /app/drc/api/mitre/tactics_and_techniques
read Get a list of all references. /app/drc/api/reference_lists
read Get a reference list by id. /app/drc/api/reference_lists/{id}
read Get the elements of a reference list. /app/drc/api/reference_lists/{rl_id}/elements
update Update an element of a reference list. /app/drc/api/reference_lists/{rl_id}/elements
delete Delete an element of a reference list. /app/drc/api/reference_lists/{rl_id}/elements
read Get the rule groups. /app/drc/api/rule_groups
read Get the rule groups of rules. /app/drc/api/rule_groups/ids
create Create a rule group. /app/drc/api/rule_groups
update Assign a rule to groups. /app/drc/api/rule_groups/rules/set
update Update a group parent. /app/drc/api/rule_groups/{group_id}/parent
delete Delete a rule group. /app/drc/api/rule_groups/{group_id}/rules
read Generate a Use Case Explorer report. /app/drc/api/use_case_explorer
read Get the status of a report. /app/drc/api/use_case_explorer/{reportId}/status
read Get the result of a report. /app/drc/api/use_case_explorer/{reportId}/result
read Get all tactics and techniques from the rules in a selected report. /app/drc/api/use_case_explorer/{reportId}/tactics_and_techniques
read Download a Use Case Explorer report as a CSV file. /app/drc/api/use_case_explorer/{reportId}/download_csv
read Get the results of the Use Case Explorer CSV file download. /app/drc/api/use_case_explorer/download_csv/{jobId}/result
read Get the results of the Use Case Explorer export of a scheduled rules file. /app/drc/api/use_case_explorer/export_scheduled_rules/{jobId}/result
create Export a scheduled rules file. /app/drc/api/use_case_explorer/export_scheduled_rules
delete Delete a Use Case Explorer report. /app/drc/api/use_case_explorer/{reportId}
read Get all available templates in Use Case Explorer. /app/drc/api/use_case_explorer/templates
read Get a correlation key guide. /app/drc/api/rule_wizard/correlation_key_guide
read Check if the mappings are missing. /app/drc/api/rule_wizard/check_mappings
create Create a KQL query report. /app/drc/api/rule_wizard/kql
read Check the status of a KQL query report. /app/drc/api/rule_wizard/kql/{queryId}
read Get the result of a KQL query report. /app/drc/api/rule_wizard/kql/{queryId}/results
create Save a Rule Wizard query in DRC. /app/drc/api/rule_wizard/cached_query
read Retrieve a saved query. /app/drc/api/rule_wizard/cached_query/{queryId}
read Get a domain entity mapping. /app/drc/api/rule_wizard/entity_mapping
read Get the available extensions. /app/drc/api/available_extensions
read Get the installed extensions. /app/drc/api/installed_extensions
create Sync the XDR rules with XFE. /app/drc/api/sync_xdr
create Ensure that XDRCC has the latest rules. /app/drc/api/force_xdrcc_sync
create Upload the XDR contents file. /app/drc/api/xdr/file
read Check the status of the sync of XDR rules with XFE. /app/drc/api/sync_xdr/{jobId}/status
create Create a rule. /app/drc/api/rules
read Get the details of a rule. /app/drc/api/rules/{ruleId}
update Enable or disable a rule. /app/drc/api/rules/{ruleId}
update Update a rule. /app/drc/api/rules/{ruleId}
restore Revert a rule to the previous version. /app/drc/api/rules/{ruleId}
delete Delete a rule. /app/drc/api/rules/{ruleId}
read Get the log source types of a rule. /app/drc/api/rules/{ruleId}/log_source_types
read Get the history of a rule. /app/drc/api/rules/{ruleId}/history
read Get the history of a rule by ID. /app/drc/api/rules/history/{historyRuleId}
read Get the notification settings of a rule. /app/drc/api/rules/{ruleId}/notifications/settings
update Update the rule's notification settings. /app/drc/api/rules/{ruleId}/notifications/settings
delete Delete a rule's notification settings. /app/drc/api/rules/{ruleId}/notifications/settings
read Get the rule notifications. /app/drc/api/rules/{ruleId}/notifications
delete Clear the rule notifications. /app/drc/api/rules/{ruleId}/notifications
create Create a rule draft. /app/drc/api/rulesDraft

Risk Management

Table 16. Service name: Risk Manager
Action Description URL
update Enable or disable the UDI connections after importing them into Risk Manager. /api/idrmingestion/update/connection
create, read, update, delete Manage the risk profile. /api/idrmingestion/restAPI/v1/save/risk/profile, /api/idrmingestion/restAPI/v1/save/risk/profile/categoryList
create, read, update, delete Manage the VMS enablement. /api/idrmingestion/restAPI/v1/vms/enable

Threat Intelligence Insights

Table 17. Service name: TII
Action Description URL
create Create a threat. /api/tii/v1/threats/user, /api/tii/v1/threats/indicators
update Update a threat. /api/tii/v1/threats/user/{threatId}, /api/tii/v1/threats/indicators, /api/tii/v1/threats/indicators/remove
update Share a threat that they created with another user on the same cp4s account. /api/tii/v1/{threatId}/acl
delete Delete a threat. /api/tii/v1/threats/user/{threatId}
create, update Run an AIA scan. tis/xfe/api/v1/latestScanHistories, /tis/xfe/api/v1/updateScanResult
update Enable an XFE data plan. /api/tii/v1/audit/xfe
update Disable an enabled X-Force data plan. api/audit/xfe, /tis/xfe/api/v1/dataplan/free, /tis/xfe/api/v1/dataplan/none, /tis/xfe/api/v1/dataplan/reset
create, update Enable one or more third party sources and input access credentials. /api/audit/tis, /api/audit/xfe/
update Disable an enabled third party source. /api/audit/tis, /api/audit/xfe/
create, update User changes their organization's industry. /api/configstore/v1/config/config-service/isc-common-xfeplus-settings-service/${iscAccountId}
create, update User can change their organization's location. /api/configstore/v1/config/config-service/isc-common-xfeplus-settings-service, /api/tis/v2/user/update
create Create an API key. api/apikey/create, api/apikey/sync
delete Delete an API key. api/apikey/delete, api/apikey/check, api/apikey/clear

Table 18. Service name: TIS
Action Description URL
create Starts an AIA scan. /tis/v2/am-i-affected
delete Cancel an AIA scan. /tis/v2/am-i-affected/cancel/{cursor_id}
create A user with connected threat intelligence feeds enriches IOCs. /tis/v2/enrich