IBM Security QRadar Suite audit inventory

Audit messages are generated and sent to the platform for all API requests to the IBM® Security QRadar® Suite applications. For every user action on the user interface, an audit logging message is generated. Audit messages are logged to a centralized location and forwarded to your SIEM, where they are retained. Audit logging is disabled by default.

Auditing can help to detect and prioritize security threats and data breaches. Auditing provides accountability, traceability, and regulatory compliance by tracking any activity or observation that directly or indirectly returns, manages, or manipulates sensitive data or access to sensitive data.

The audit logs from IBM Security QRadar Suite are generated in Cloud Auditing Data Federation (CADF) format and include the following properties about the request:
  • The time of request, logged as eventTime.
  • The request method, such as put or post, logged as action.
  • The request URL, logged as target>typeUri.
  • The response code, logged as reason>reasonCode.
  • The user associated with the request (the sub value of the JWT), logged as initiator>id and initiator>name.

For more information, see Cloud Auditing Data Federation.

The following example shows a raw event log from the IBM Security QRadar Suite in CADF format:
<13>1 2023-10-18T14:38:44.641868+00:00 audit-logs-cp4s fluentd - - - {"version":"1.0","typeURI":"http://schemas.dmtf.org/cloud/audit/1.0/event","outcome":"SUCCESS","eventType":"ACTIVITY","eventTime":"2023-10-18T14:38.40+0000","action":"READ","severity":"NORMAL","initiator":{"id":"SERVICE.edgegateway.controller-manager","name":"SERVICE.edgegateway.controller-manager","typeURI":"clientid","host":{"agent":"Apache-HttpClient/4.5.13 (Java/11.0.20)","address":"10.254.18.87"},"credential":{"type":"token"}},"target":{"id":"/manager/tenants/cd766d47-4ecd-4910-8f48-5024202259b2/controllers","name":"isc-app-manager","typeURI":"ibm-cp-security/isc-app-manager"},"observer":{"name":"CommonAuditService","id":"userActivity"},"reason":{"reasonCode":200},"attachments":[{"contentType":"http://schemas.ibm.com/cloud/content/1.0/cloudpak","name":"ibm-cp-security","content":{"message":"read [success]","sourceCrn":"crn:v1:ocp:private:content::::ibm-cp-security","kubernetes":{"namespace":"cp4s","pod":"isc-app-manager"}}},{"contentType":"kubernetes","name":"kubernetes_metadata","content":{"namespace":"cp4s","pod":"isc-app-manager"}}]}
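The following added example (not IBM's code) splits the syslog header from the CADF body, extracts the properties listed above, and flags events that match a few rows copied from the inventory tables on this page. It assumes the request path is carried in target.id, as in the raw event above, and that it has the same form as the URL column; the sample lines are constructed.

```python
import json
import re

CADF_EVENT = "http://schemas.dmtf.org/cloud/audit/1.0/event"

# (action, URL template, description) rows copied from the inventory tables on this page.
WATCHLIST = [
    ("delete", "/api/entitlements/v1.0/accounts/{account_id}/users/{user_id}", "Delete a user."),
    ("update", "/api/entitlements/v1.0/application/user", "Change the user role."),
    ("create", "/api/app_manager/app_secrets", "Create new app secret"),
]


def template_to_regex(template):
    """Turn an inventory URL such as /accounts/{account_id} into a compiled regex."""
    parts = re.split(r"(\{[^}]+\})", template)
    body = "".join("[^/]+" if p.startswith("{") else re.escape(p) for p in parts)
    return re.compile(body + "/?")  # tolerate one trailing slash


def parse_audit_line(line):
    """Split the RFC 5424 header from the CADF JSON body and pull out the audit fields."""
    fields = line.rstrip("\n").split(" ", 7)
    # Assumption: STRUCTURED-DATA is "-" as in the page's raw event, so the
    # eighth space-separated field is the whole JSON message.
    if len(fields) != 8 or fields[6] != "-":
        raise ValueError("unexpected syslog header")
    event = json.loads(fields[7])  # JSONDecodeError is a ValueError
    if event.get("typeURI") != CADF_EVENT:
        raise ValueError("not a CADF event")
    initiator = event.get("initiator", {})
    target = event.get("target", {})
    return {
        "received": fields[1],
        "eventTime": event.get("eventTime"),
        "action": event.get("action", "").lower(),  # raw event uses READ, tables use read
        "reasonCode": event.get("reason", {}).get("reasonCode"),
        "initiator_id": initiator.get("id"),
        "initiator_name": initiator.get("name"),
        "source_address": initiator.get("host", {}).get("address"),
        "target_id": target.get("id"),  # request path in the page's raw event
        "target_typeURI": target.get("typeURI"),
    }


def classify(record):
    """Return the inventory description for a watched action, or None."""
    path = (record["target_id"] or "").split("?", 1)[0]
    for action, template, description in WATCHLIST:
        if record["action"] == action and template_to_regex(template).fullmatch(path):
            return description
    return None


def review(lines):
    """Report watched activities, marking requests the service rejected (4xx/5xx)."""
    findings = []
    for line in lines:
        try:
            record = parse_audit_line(line)
        except ValueError:
            continue  # not an audit event; skip it
        description = classify(record)
        if description is None:
            continue
        code = record["reasonCode"]
        findings.append({
            "eventTime": record["eventTime"],
            "user": record["initiator_name"],
            "activity": description,
            "reasonCode": code,
            "rejected": isinstance(code, int) and code >= 400,
        })
    return findings


def constructed_line(action, path, code, user):
    """Build a constructed audit line shaped like the raw event on this page."""
    event = {
        "version": "1.0", "typeURI": CADF_EVENT, "eventType": "ACTIVITY",
        "eventTime": "2023-10-18T14:38:40+0000", "action": action,
        "initiator": {"id": user, "name": user, "host": {"address": "192.0.2.10"}},
        "target": {"id": path, "typeURI": "constructed/service"},
        "reason": {"reasonCode": code},
    }
    header = "<13>1 2023-10-18T14:38:44.641868+00:00 audit-logs-cp4s fluentd - - - "
    return header + json.dumps(event)


# Constructed sample input: users, identifiers and paths are illustrative only.
SAMPLE_LINES = [
    constructed_line("READ", "/api/app_manager/tenants", 200, "alice@example.com"),
    constructed_line("DELETE", "/api/entitlements/v1.0/accounts/acct-1/users/user-9",
                     200, "alice@example.com"),
    constructed_line("CREATE", "/api/app_manager/app_secrets", 403, "bob@example.com"),
    "a line that is not an audit event",
]

if __name__ == "__main__":
    for finding in review(SAMPLE_LINES):
        print(finding)
```
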

The following tables describe the components and services that support audit logging. If a service supports audit logging, all user activities specific to the services that are enabled are recorded. Events related to Optional Services are generated only when the services are installed.

Login, Logout, Session, Authentication, and Authorisation

Table 1. Service name: Authsvc
Action Description URL
create Authenticate a user. /api/introspect
Table 2. Service name: CLX
Action Description URL
read Read user entitlements from the entitlements service. /shell/v1/userShellData
update Renew or generate a new JWT for the user. /shell/jwt/renew
delete User log out. Clear a user session and revoke JWT. /shell/logout
create User log in via IDP. A JWT is issued, and a new session is created. /shell/oidc/callback
update User switches account. A new JWT is issued. /shell/jwt/account/{account-id}
Table 3. Service name: Notifications
Action Description URL
read Read notifications from the notifications service /notifications/events
Table 4. Service name: Entitlements
Action Description URL
create Create an account. /api/entitlements/v2.0/accounts
update Modify an account. /api/entitlements/v1.0/accounts/{account_id}
update Suspend an account. /api/entitlements/v1.0/accounts/{account_id}/status
delete Delete an account. /api/entitlements/v1.0/accounts/{account_id}
create Add IDP directory to the account. /api/entitlements/v1.0/accounts/{account_id}
create Add a user. /api/entitlements/v1.0/accounts/{account_id}/users
delete Delete a user. /api/entitlements/v1.0/accounts/{account_id}/users/{user_id}
update Change the user role. /api/entitlements/v1.0/application/user
create Add an offering. /api/entitlements/v1.0/subscriptions
update Change an offering. /api/entitlements/v1.0/subscriptions/{subscription_id}
delete Delete an offering. /api/entitlements/v1.0/subscriptions/{subscription_id}

Dashboards

Table 5. Service name: Pulse
Action Description URL
create Create a dashboard. /pulse/api/dashboard
update Update a dashboard. /pulse/api/dashboards/{id}
delete Delete a dashboard. /pulse/api/dashboards/{id}
update Update a specific dashboard's user privileges. /pulse/api/dashboard/{id}/privileges
create Import a dashboard. /pulse/api/dashboards/import_file
create Create a view. /pulse/api/dashboards/{id}/views
update Update a view. /pulse/api/dashboards/{id}/views
create Create an item. /pulse/api/items
update Update an item. /pulse/api/items/{id}
delete Delete an item. /pulse/api/items/{id}
create Create a search. /pulse/api/search
delete Delete a search. Cleans up the search from QRadar by using the QRadar delete search API. /pulse/api/searches/{searchkey}
create Create a parameter. /pulse/api/parameters
update Update a parameter. /pulse/api/parameters
delete Delete a parameter. /pulse/api/parameters

Data Sources, Connections and Searches

Table 6. Service name: UDI
Action Description URL
create Create a new search. /api/uds/v3/queries
update Cancel a single query. /api/uds/v3/queries/:id/cancel
update Cancel all queries. /api/uds/v3/queries/cancel
read Get query results. /api/uds/v3/queries/:id/results/:page
create Create a datasource connection. /api/uds/v3/connections
update Update a datasource connection. /api/uds/v3/connections
delete Delete a datasource connection. /api/uds/v3/connections
read Retrieve a datasource connection. /api/uds/v3/connections
read Retrieve a datasource connection. /api/uds/v3/connections/{id}
create Create a datasource connection. /api/uds/v3/configurations
update Update a datasource connection. /api/uds/v3/configurations
delete Delete a datasource connection. /api/uds/v3/configurations
read Retrieve a datasource connection. /api/uds/v3/configurations
read Retrieve a datasource connection. /api/uds/v3/configurations/{id}
Table 7. Service name: QProxy
Action Description URL
create Create a QRadar/QROC connection configuration /app/qproxy/server_settings
update Update a QRadar/QROC connection configuration /app/qproxy/server_settings
delete Delete a QRadar/QROC connection configuration /app/qproxy/server_settings
create Proxy from QRadar (or QRoC) /app/qproxy/proxy/
read Validate connection /app/qproxy/qconfig/validatebackground, /app/qproxy/qconfig/validate, /app/qproxy/qconfig/validateui
read Display QProxy configuration /app/qproxy/server_settings
Table 8. Service name: Edge Gateway
Action Description URL
read, update Get, update UI's log download timeout /api/edgegateway/settings
read Get list of tenants /api/app_manager/tenants
create Create new tenant /api/app_manager/tenants
read, update, delete Get, update, delete specific tenant /api/app_manager/tenants/{tenant_id}
read Get list of controllers for specific tenant /api/app_manager/tenants/{tenant_id}/controllers
read Get list of apps for specific tenant /api/app_manager/tenants/{tenant_id}/apps
read Get specific app for specific tenant /api/app_manager/tenants/{tenant_id}/apps/{app_name}
read Get list of jobs for specific tenant /api/app_manager/tenants/{tenant_id}/jobs
create Create new controller /api/app_manager/controllers
read, update, delete Get, update, delete specific controller /api/app_manager/controllers/{controller_id}
read Get list of apps for specific controller /api/app_manager/controllers/{controller_id}/apps
read Get list of app_tests for specific controller /api/app_manager/controllers/{controller_id}/app_tests
create Create new key pair for specific controller /api/app_manager/controllers/{controller_id}/keypair
create Create new heartbeat record for specific controller /api/app_manager/controllers/{controller_id}/heartbeat, /api/app_manager/controllers/{controller_id}/heartbeat_ex
read, update Get, update status for specific controller /api/app_manager/controllers/{controller_id}/status
read Get list of commands for specific controller /api/app_manager/controllers/{controller_id}/commands
read Get list of jobs for specific controller /api/app_manager/controllers/{controller_id}/jobs
read Get logs for specific controller /api/app_manager/controllers/{controller_id}/logs/query
read Get logs for specific controller /api/app_manager/controllers/{controller_id}/logs
create Create new jwt for specific controller /api/app_manager/controllers/{controller_id}/jwt
create Create new app /api/app_manager/apps
read, update, delete Get, update, delete specific app /api/app_manager/apps/{app_id}
read Get list of files for specific app /api/app_manager/apps/{app_id}/files
read Get list of app tests for specific app /api/app_manager/apps/{app_id}/tests
read Get last app test for specific app /api/app_manager/apps/{app_id}/last_test
read Get logs for specific app /api/app_manager/apps/{app_id}/logs/query
read Get logs for specific app /api/app_manager/apps/{app_id}/logs
read Get list of secrets for specific app /api/app_manager/apps/{app_id}/secrets
read, update Get deployment status for specific app /api/app_manager/apps/{app_id}/deployment_status
read, update Get deployment for specific app /api/app_manager/apps/{app_id}/deployment
create Create new app file /api/app_manager/app_files
read, update, delete Get, update, delete app file /api/app_manager/app_files/{af_id}
create Create new app test /api/app_manager/app_tests
read, update Get, update specific app test /api/app_manager/app_tests/{at_id}
read, update Get, update specific app test status /api/app_manager/app_tests/{at_id}/status
update Update command /api/app_manager/commands/{command_id}
create Create new app secret /api/app_manager/app_secrets
update, delete Update, delete specific app secret /api/app_manager/app_secrets/{as_id}
read Get system version /api/app_manager/system/version
read Get system health /api/app_manager/system/health, Get /system/health/all
create Create new job /api/app_manager/jobs
read, update, delete Get, update, delete specific job /api/app_manager/jobs/{job_id}
read, update Get, update status for specific job /api/app_manager/jobs/{job_id}/status
read Get list of executions for specific job /api/app_manager/jobs/{job_id}/executions
create Create new job execution /api/app_manager/job_executions
read, update Get, update specific job execution /api/app_manager/job_executions/{jobexe_id}
Table 9. Service name: DLC
Action Description URL
create Create a record in the dlc table /api/datalake/dlc/v0/disconnected_log_collectors/
update Update a record in the dlc table /api/datalake/dlc/v0/disconnected_log_collectors/
delete Delete a record in the dlc table /api/datalake/dlc/v0/disconnected_log_collectors/{id}
read Read list of all registered DCs /api/datalake/dlc/v0/disconnected_log_collectors
read Read one record for a registered DC /api/datalake/dlc/v0/disconnected_log_collectors/{id}/connection_bundle
read Download a connection bundle for a registered DC /api/datalake/dlc/v0/disconnected_log_collectors/{id}/connection_bundle
Table 10. Service name: Data Explorer
Action Description URL
create Create a search record in Data Explorer database /investigate/api/v1/searches
read Read a search record in Data Explorer database /investigate/api/v1/searches
update Update a search record in Data Explorer database /investigate/api/v1/searches
delete Delete a search record from Data Explorer database /investigate/api/v1/searches
create Add a new enrichment job to the search record in Data Explorer database /investigate/api/v1/enrichments
create Create a user preferences record in Data Explorer database /investigate/api/v1/userPreferences
read Get a user preferences record in Data Explorer database /investigate/api/v1/userPreferences
update Update a user preferences record in Data Explorer database /investigate/api/v1/userPreferences
delete Delete a user preferences record in Data Explorer database /investigate/api/v1/userPreferences
read Get a user's search export file from ATK /investigate/api/v1/results/{object_id}/object
Table 11. Service name: CAR
Action Description URL
create Import assets /api/car/v2/imports
update Modify asset object /api/car/v3/query
create Create extension schema /api/car/v3/carSchema
delete Delete extension schema /api/car/v3/carSchema/{key}
update Update retention policy /api/car/v3/DataRetentionPolicy
Table 12. Service name: ATK
Action Description URL
create Create a new hunt /api/atk/v1/hunts
update Update hunt. /api/atk/v1/hunts/{hunt_id}
delete Delete hunt. /api/atk/v1/hunts/{hunt_id}
create Create a new step in hunt. /api/atk/v1/hunts/{hunt_id}/steps
update Update step. /api/atk/v1/hunts/{hunt_id}/steps/{step_id}
delete Delete a step. /api/atk/v1/hunts/{hunt_id}/steps/{step_id}
create Create huntbook. /api/atk/v1/huntbook/import/file
read Get error codes. /api/atk/v1/errcodes
read Get list of Hunts. /api/atk/v1/hunts
read Get hunt by id. /api/atk/v1/hunts/{hunt_id}
read Get the status of step executions under your account. /api/atk/v1/executions
read Get the list of steps in hunt. /api/atk/v1/hunts/{hunt_id}/steps
read Get RQ status of step from hunt to check if started. /api/atk/v1/hunts/{hunt_id}/steps/{step_id}/status
read Get the actual output of the executed THL statement from step. /api/atk/v1/hunts/{hunt_id}/steps/{step_id}/output
read Get the list of variables in hunt. /api/atk/v1/hunts/{hunt_id}/variables
read Gets the actual value of the variable from hunt. /api/atk/v1/hunts/{hunt_id}/variables/{variable_name}
read Get list of available analytics for apply. /api/atk/v1/analytics
read Get details of a specific analytic (i.e. what data type it expects and will return) /api/atk/v1/analytics/{analytic_name}
read Get search result features/columns/properties. /api/atk/v1/searches/{query_id}/columns
read Get a single search result export. /api/atk/v1/searches/{query_id}/exports/{tracking_id}
read Get enrichment status via tracking_id. /api/atk/v1/searches/{query_id}/enrichments/{tracking_id}
create Export search data. /api/atk/v1/searches/{query_id}/exports
delete Delete account. /api/atk/v1/account/{accountid}
delete Delete configuration. /api/atk/v1/{task}/{configid}
create Start a new workflow. /api/atk/v1/workflow/{configid}
delete Delete a job. /api/atk/v1/job/{jobid}
delete Delete all jobs. /api/atk/v1/jobs/all
read List all registered tasks. /api/atk/v1/{task}
read Return list of parameters for task. /api/atk/v1{task}/{configid}
read Return job status. /api/atk/v1/job/{jobid}/status
read Return job result. /api/atk/v1/job/{jobid}/result
read Return service job. /api/atk/v1/job/{jobid}/service/{path:path}
read Return status. /api/atk/v1/status

Case Management, SOAR and Investigations

Table 13. Service name: SOAR
Action Description URL
read, create Service for interacting with actions. /orgs/{org_id}/actions
read, update Service for interacting with actions. /orgs/{org_id}/actions/action_order
read Service for interacting with actions. /orgs/{org_id}/actions/{handle}
delete, update Service for interacting with actions. /orgs/{org_id}/actions/{id}
read Service for interacting with actions. /orgs/{org_id}/actions/{id}/view
read, create Endpoints for managing user invitations. Only master administrators are allowed to perform these operations. /orgs/{org_id}/invitations
update Endpoints for managing user invitations. Only master administrators are allowed to perform these operations. /orgs/{org_id}/invitations/query_paged
read, delete, update Endpoints for managing user invitations. Only master administrators are allowed to perform these operations. /orgs/{org_id}/invitations/{invite_id}
create, read Endpoints for retrieving and setting information about api keys. /orgs/{org_id}/apikeys
update Endpoints for retrieving and setting information about api keys. /orgs/{org_id}/apikeys/query_paged
delete, update, read Endpoints for retrieving and setting information about api keys. /orgs/{org_id}/apikeys/{id}
read, create Contains the endpoints for managing apps. /orgs/{org_id}/apps
delete, read, update Contains the endpoints for managing apps. /orgs/{org_id}/apps/{appHandle}
delete Contains the endpoints for managing apps. /orgs/{org_id}/apps/{appHandle}/current_installation
read Contains the endpoints for managing apps. /orgs/{org_id}/apps/{appHandle}/deletion_summary
create Contains the endpoints for managing apps. /orgs/{org_id}/apps/{appHandle}/installations
update Contains the endpoints for managing apps. /orgs/{org_id}/apps/{appHandle}/installations/{installationId}
create, update Endpoints for managing artifacts. /orgs/{org_id}/artifacts
update Endpoints for managing artifacts. /orgs/{org_id}/artifacts/patch
create, read Endpoints for managing artifacts. /orgs/{org_id}/artifacts/query_paged
read, delete, update Endpoints for managing artifacts. /orgs/{org_id}/artifacts/{artifact_id}
read Endpoints for managing artifacts. /orgs/{org_id}/artifacts/{artifact_id}/history
update Endpoints for managing artifacts. /orgs/{org_id}/artifacts/{artifact_id}/patch
create, read Endpoints for managing artifacts. /orgs/{org_id}/artifacts/{artifact_id}/hits/query_paged
create, read Endpoints for managing artifacts. /orgs/{org_id}/artifacts/{artifact_id}/related_incident_artifacts/query_paged
read, create Service endpoints for managing automatic tasks. These are "template" tasks that are used by rules to instantiate incident tasks. /orgs/{org_id}/automatic_tasks
read, delete, update Service endpoints for managing automatic tasks. These are "template" tasks that are used by rules to instantiate incident tasks. /orgs/{org_id}/automatic_tasks/{id}
create The endpoints for managing configuration import and export. /orgs/{org_id}/configurations/exports
create The endpoints for managing configuration import and export. /orgs/{org_id}/configurations/imports
create The endpoints for managing configuration import and export. /orgs/{org_id}/configurations/push
read The endpoints for managing configuration import and export. /orgs/{org_id}/configurations/exports/history
create The endpoints for managing configuration import and export. /orgs/{org_id}/configurations/exports/zip
read, create The endpoints for managing configuration import and export. /orgs/{org_id}/configurations/exports/{export_id}
read The endpoints for managing configuration import and export. /orgs/{org_id}/configurations/imports/history
update The endpoints for managing configuration import and export. /orgs/{org_id}/configurations/imports/{import_id}
read The endpoints for managing configuration import and export. /orgs/{org_id}/configurations/push/history
update The endpoints for managing configuration import and export. /orgs/{org_id}/configurations/imports/{import_id}/status
read The endpoints for managing configuration import and export. /orgs/{org_id}/configurations/push/history/{push_id}
read, create The endpoints for managing configuration import and export. /orgs/{org_id}/configurations/push/history/{push_id}/exports
read, create Endpoint for retrieving various constant information for this server. /const
read, update Endpoints for getting and setting information about the current user. /users/{user_id}
read, update Endpoints for getting and setting information about the current user. /users/{user_id}/password
read Endpoints for managing customization objects. /orgs/{org_id}/customizations/{customization_type}/references
read Endpoints for managing customization objects. /orgs/{org_id}/customizations/{customization_type}/{customization_object_handle}/references
read The endpoint for managing a data table's data for an incident. /orgs/{org_id}/incidents/{inc_id}/table_data
read The endpoint for managing a data table's data for an incident. /orgs/{org_id}/incidents/{inc_id}/table_data/{table_id}
delete, create The endpoint for managing a data table's data for an incident. /orgs/{org_id}/incidents/{inc_id}/table_data/{table_id}/row_data
delete, read, update The endpoint for managing a data table's data for an incident. /orgs/{org_id}/incidents/{inc_id}/table_data/{table_id}/row_data/{row_id}
create Download the file generated by other IBM Security QRadar SOAR APIs. /downloads/{uuid}/content
read, create Manage email mailboxes and messages for an organization. /orgs/{org_id}/email/inbound/mailboxes
create Manage email mailboxes and messages for an organization. /orgs/{org_id}/email/messages/action_invocations
create Manage email mailboxes and messages for an organization. /orgs/{org_id}/email/messages/download
create Manage email mailboxes and messages for an organization. /orgs/{org_id}/email/inbound/mailboxes/connection_test
delete, read, update Manage email mailboxes and messages for an organization. /orgs/{org_id}/email/inbound/mailboxes/{inbound_mailbox_id}
update Manage email mailboxes and messages for an organization. /orgs/{org_id}/email/inbox/messages/delete
create, update Manage email mailboxes and messages for an organization. /orgs/{org_id}/email/inbox/messages/query_paged
delete Manage email mailboxes and messages for an organization. /orgs/{org_id}/email/inbox/messages/{email_message_id}
create, update Manage email mailboxes and messages for an organization. /orgs/{org_id}/email/inbound/mailboxes/{inbound_mailbox_id}/certificates
read, create, update Manage email mailboxes and messages for an organization. /orgs/{org_id}/email/inbox/messages/{email_message_id}/original
create, update Manage email mailboxes and messages for an organization. /orgs/{org_id}/email/incidents/{id}/messages/query_paged
read, create, update Manage email mailboxes and messages for an organization. /orgs/{org_id}/email/incidents/{incident_id}/messages/{email_message_id}/original
create, update Base class for all REST services that are limited by an org. /orgs/{org_id}/incidents/{inc_id}/explainability/query_paged
create, update Base class for all REST services that are limited by an org. /orgs/{org_id}/incidents/{inc_id}/findings
read Base class for all REST services that are limited by an org. /orgs/{org_id}/incidents/{inc_id}/findings/count_by_severity
create, update Base class for all REST services that are limited by an org. /orgs/{org_id}/incidents/{inc_id}/findings/query_paged
read Base class for all REST services that are limited by an org. /orgs/{org_id}/incidents/{inc_id}/findings/{finding_id}
read Base class for all REST services that are limited by an org. /orgs/{org_id}/incidents/{inc_id}/findings/{finding_id}/artifacts/count_by_severity
create, update Base class for all REST services that are limited by an org. /orgs/{org_id}/incidents/{inc_id}/findings/{finding_id}/artifacts/query_paged
create, update Base class for all REST services that are limited by an org. /orgs/{org_id}/incidents/{inc_id}/findings/{finding_id}/properties/query_paged
create, update Base class for all REST services that are limited by an org. /orgs/{org_id}/incidents/{inc_id}/findings/{finding_id}/related_findings/query_paged
read Base class for all REST services that are limited by an org. /orgs/{org_id}/incidents/{inc_id}/findings/{finding_id}/explainability/scores/count_by_severity
create, update Base class for all REST services that are limited by an org. /orgs/{org_id}/incidents/{inc_id}/findings/{finding_id}/explainability/scores/query_paged
read, create, update Managing Functions /orgs/{org_id}/functions
delete, read, update Managing Functions /orgs/{org_id}/functions/{functionHandle}
read, create, update Implementation for the /rest/groups REST methods. /orgs/{org_id}/groups
create, update Implementation for the /rest/groups REST methods. /orgs/{org_id}/groups/query_paged
delete, read, update Implementation for the /rest/groups REST methods. /orgs/{org_id}/groups/{id}
read Implementation for the /rest/groups REST methods. /orgs/{org_id}/groups/{id}/has_assignments
read, create, update Service for interacting with inbound destinations. /orgs/{org_id}/inbound_destinations
delete, read, update Service for interacting with inbound destinations. /orgs/{org_id}/inbound_destinations/{handle}
read, create, update Managing an incident's artifacts. /orgs/{org_id}/incidents/{inc_id}/artifacts
read Managing an incident's artifacts. /orgs/{org_id}/incidents/{inc_id}/artifacts/count_by_severity
create, update Managing an incident's artifacts. /orgs/{org_id}/incidents/{inc_id}/artifacts/files
create, update Managing an incident's artifacts. /orgs/{org_id}/incidents/{inc_id}/artifacts/query_paged
delete, read, update Managing an incident's artifacts. /orgs/{org_id}/incidents/{inc_id}/artifacts/{artifact_id}
read, HEAD, create, update Managing an incident's artifacts. /orgs/{org_id}/incidents/{inc_id}/artifacts/{artifact_id}/contents
create, update Managing an incident's artifacts. /orgs/{org_id}/incidents/{inc_id}/artifacts/{artifact_id}/copy
read Managing an incident's artifacts. /orgs/{org_id}/incidents/{inc_id}/artifacts/{artifact_id}/history
create, update Managing an incident's artifacts. /orgs/{org_id}/incidents/{inc_id}/artifacts/{artifact_id}/hits
create, update Managing an incident's artifacts. /orgs/{org_id}/incidents/{inc_id}/artifacts/{artifact_id}/whois
create, update Managing an incident's artifacts. /orgs/{org_id}/incidents/{inc_id}/artifacts/{artifact_id}/enrichments/query_paged
create, update Managing an incident's artifacts. /orgs/{org_id}/incidents/{inc_id}/artifacts/{artifact_id}/findings/query_paged
create, update Managing an incident's artifacts. /orgs/{org_id}/incidents/{inc_id}/artifacts/{artifact_id}/generic_properties/query_paged
create, update Managing an incident's artifacts. /orgs/{org_id}/incidents/{inc_id}/artifacts/{artifact_id}/related_incidents/query_paged
read Managing an incident's artifacts. /orgs/{org_id}/incidents/{inc_id}/artifacts/{artifact_id}/explainability/scores/count_by_severity
create, update Managing an incident's artifacts. /orgs/{org_id}/incidents/{inc_id}/artifacts/{artifact_id}/explainability/scores/query_paged
read, create, update Managing an incident's attachments. /orgs/{org_id}/incidents/{inc_id}/attachments
create, update Managing an incident's attachments. /orgs/{org_id}/incidents/{inc_id}/attachments/query
delete, read Managing an incident's attachments. /orgs/{org_id}/incidents/{inc_id}/attachments/{attach_id}
read, HEAD, create, update Managing an incident's attachments. /orgs/{org_id}/incidents/{inc_id}/attachments/{attach_id}/contents
read, create, update Managing an incident's milestones. /orgs/{org_id}/incidents/{inc_id}/milestones
delete, update Managing an incident's milestones. /orgs/{org_id}/incidents/{inc_id}/milestones/{id}
read, create, update Managing an incident's notes. /orgs/{org_id}/incidents/{inc_id}/comments
create, update Managing an incident's notes. /orgs/{org_id}/incidents/{inc_id}/comments/query
delete, read, update Managing an incident's notes. /orgs/{org_id}/incidents/{inc_id}/comments/{id}
read, update, create, update Managing incidents. /orgs/{org_id}/incidents
update Managing incidents. /orgs/{org_id}/incidents/delete
read Managing incidents. /orgs/{org_id}/incidents/open
update Managing incidents. /orgs/{org_id}/incidents/patch
create, update Managing incidents. /orgs/{org_id}/incidents/query
create, update Managing incidents. /orgs/{org_id}/incidents/query_paged
read Managing incidents. /orgs/{org_id}/incidents/simulations
delete, read, update, update Managing incidents. /orgs/{org_id}/incidents/{inc_id}
update Managing incidents. /orgs/{org_id}/incidents/{id}/patch
read Managing incidents. /orgs/{org_id}/incidents/{inc_id}/due_soon
read Managing incidents. /orgs/{org_id}/incidents/{inc_id}/history
read, update Managing incidents. /orgs/{org_id}/incidents/{inc_id}/members
read Managing incidents. /orgs/{org_id}/incidents/{inc_id}/newsfeed
create, update Managing incidents. /orgs/{org_id}/incidents/{inc_id}/related
read Managing incidents. /orgs/{org_id}/incidents/{inc_id}/related_ex
read Managing incidents. /orgs/{org_id}/incidents/{inc_id}/related_ex_counts
read, create, update Managing incidents. /orgs/{org_id}/incidents/{inc_id}/tasks
read Managing incidents. /orgs/{org_id}/incidents/{inc_id}/workflow_instances
read Managing incident statistics. /orgs/{org_id}/incidents/{inc_id}/stats/tasks_by_owner
read Managing incident statistics. /orgs/{org_id}/incidents/{inc_id}/stats/tasks_over_time
read, create, update Manage email mailboxes for an organization. /orgs/{org_id}/email/mailboxes/inbound
create, update Manage email mailboxes for an organization. /orgs/{org_id}/email/mailboxes/inbound/connection_test
delete, read, update Manage email mailboxes for an organization. /orgs/{org_id}/email/mailboxes/inbound/{inbound_mailbox_id}
create, update Manage email mailboxes for an organization. /orgs/{org_id}/email/mailboxes/inbound/{inbound_mailbox_handle}/certificates
create, update Manage email mailboxes for an organization. /orgs/{org_id}/email/mailboxes/inbound/{inbound_mailbox_handle}/proxy/certificates
read, create, update Interacting with message destinations. /orgs/{org_id}/message_destinations
read Interacting with message destinations. /orgs/{org_id}/message_destinations/{handle}
delete, update Interacting with message destinations. /orgs/{org_id}/message_destinations/{id}
delete, read These services allow you to determine which notifications are available for a user, delete them, etc. /orgs/{org_id}/notifications
read These services allow you to determine which notifications are available for a user, delete them, etc. /orgs/{org_id}/notifications/info
delete These services allow you to determine which notifications are available for a user, delete them, etc. /orgs/{org_id}/notifications/{id}
read, create, update Allows orgs to customize settings about their incident artifact types. /orgs/{org_id}/artifact_types
create, update Allows orgs to customize settings about their incident artifact types. /orgs/{org_id}/artifact_types/query_paged
delete, read, update Allows orgs to customize settings about their incident artifact types. /orgs/{org_id}/artifact_types/{type_id}
read, update Retrieving and setting information about the organization. /orgs/{org_id}
delete, update Retrieving and setting information about the organization. /orgs/{org_id}/authldapgroup
read, update Retrieving and setting information about the organization. /orgs/{org_id}/data_types
read, update Retrieving and setting information about the organization. /orgs/{org_id}/geos
read, create, update Retrieving and setting information about the organization. /orgs/{org_id}/incident_types
read Retrieving and setting information about the organization. /orgs/{org_id}/newsfeed
read Retrieving and setting information about the organization. /orgs/{org_id}/permissions
read, update Retrieving and setting information about the organization. /orgs/{org_id}/regulators
read, update Retrieving and setting information about the organization. /orgs/{org_id}/settings
read, update Retrieving and setting information about the organization. /orgs/{org_id}/timeframes
delete, read Retrieving and setting information about the organization. /orgs/{org_id}/twofactorauth
delete, read, update Retrieving and setting information about the organization. /orgs/{org_id}/incident_types/{id}
read Retrieving and setting information about the organization. /orgs/{org_id}/permissions/{perm_id}
update Retrieving and setting information about the organization. /orgs/{org_id}/twofactorauth/{id}
read Retrieving high level statistics. /orgs/{org_id}/stats/closed_incidents_by_duration
read Retrieving high level statistics. /orgs/{org_id}/stats/counts
read Retrieving high level statistics. /orgs/{org_id}/stats/incidents_by_category
read Retrieving high level statistics. /orgs/{org_id}/stats/incidents_by_severity
read Retrieving high level statistics. /orgs/{org_id}/stats/incidents_by_type_over_time
read Retrieving high level statistics. /orgs/{org_id}/stats/incidents_by_user
read Retrieving high level statistics. /orgs/{org_id}/stats/new_and_open_incidents
read Retrieving high level statistics. /orgs/{org_id}/stats/open_incidents_by_confirmed_unconfirmed
read Retrieving high level statistics. /orgs/{org_id}/stats/open_incidents_by_duration
read Retrieving high level statistics. /orgs/{org_id}/stats/open_incidents_by_phase
read Retrieving high level statistics. /orgs/{org_id}/stats/open_tasks_by_owner
read Managing threat sources for the organization. /orgs/{org_id}/threat_sources
read Retrieving information about users in an organization. /orgs/{org_id}/users
create, update Retrieving information about users in an organization. /orgs/{org_id}/users/query_paged
delete, read, update Retrieving information about users in an organization. /orgs/{org_id}/users/{id}
update Retrieving information about users in an organization. /orgs/{org_id}/users/{id}/activateUser
update Retrieving information about users in an organization. /orgs/{org_id}/users/{id}/deactivateUser
read, create, update Retrieving information about users in an organization. /orgs/{org_id}/users/{id}/has_assignments
read Retrieving information about users in an organization. /orgs/{org_id}/users/{id}/incidents
update Retrieving information about users in an organization. /orgs/{org_id}/users/{id}/reassign_assignments
read Retrieving information about users in an organization. /orgs/{org_id}/users/{id}/tasks
create, update Retrieving information about users in an organization. /orgs/{org_id}/users/{user_object_handle}/resetPassword
read, create, update Managing Phases. /orgs/{org_id}/phases
update Managing Phases. /orgs/{org_id}/phases/order
delete, read, update Managing Phases. /orgs/{org_id}/phases/{phaseId}
create, update Managing instances of executing or previously-executed playbooks. /orgs/{org_id}/playbooks/execution/cancel
create, update Managing instances of executing or previously-executed playbooks. /orgs/{org_id}/playbooks/execution/query_paged
read Managing instances of executing or previously-executed playbooks. /orgs/{org_id}/playbooks/execution/statistics
create, update Managing instances of executing or previously-executed playbooks. /orgs/{org_id}/playbooks/execution/{execution_id}/activities
read Managing instances of executing or previously-executed playbooks. /orgs/{org_id}/playbooks/execution/{execution_id}/playbook
update Managing instances of executing or previously-executed playbooks. /orgs/{org_id}/playbooks/execution/{execution_id}/status
create, update Managing playbooks. /orgs/{org_id}/playbooks
create, update Managing playbooks. /orgs/{org_id}/playbooks/exports
create, update Managing playbooks. /orgs/{org_id}/playbooks/imports
create, update Managing playbooks. /orgs/{org_id}/playbooks/query_paged
delete, read, create, update, update Managing playbooks. /orgs/{org_id}/playbooks/{playbook_object_handle}
create, update Managing playbooks. /orgs/{org_id}/playbooks/exports/{export_id}
create, update Managing playbooks. /orgs/{org_id}/playbooks/{playbook_object_handle}/clone
read Managing playbooks. /orgs/{org_id}/playbooks/{playbook_object_handle}/manual_input_form
read Managing playbooks. /orgs/{org_id}/playbooks/{playbook_object_handle}/schema
update Managing playbooks. /orgs/{org_id}/playbooks/imports/{import_id}/status
read Managing playbooks. /orgs/{org_id}/playbooks/{playbook_object_handle}/inputs/schema
create, update Perform actions on principals. /orgs/{org_id}/principals/search
read Retrieving privacy data. /privacy/data_type_categories
read Retrieving privacy data. /privacy/regulator_categories
create, update Generating downloadable reports. /orgs/{org_id}/reports/incident_history_detail/{inc_id}
read, create, update Manage roles for an organization. /orgs/{org_id}/roles
delete, read, update Manage roles for an organization. /orgs/{org_id}/roles/{role_id}
read, create, update Managing the invokable scripts for an Org. /orgs/{org_id}/scripts
create, update Managing the invokable scripts for an Org. /orgs/{org_id}/scripts/query_paged
delete, read, update Managing the invokable scripts for an Org. /orgs/{org_id}/scripts/{script_id}
create, update Performing full text searches through incidents and incident child objects (tasks, incident comments, task comments, milestones, artifacts, incident attachments, task attachments, and data tables). /search_ex
delete, read, create, update Authentication. /session
read, create, update Authentication. /session/twofactor
read Authentication. /session/{org_id}/acl
read, update Performing system health related operations across all orgs. /system/diagnostics/functional_area_logging
read, update Performing system health related operations across all orgs. /system/diagnostics/trace_settings
read Performing system health related operations across all orgs. /system/diagnostics/functional_area_logging/areas
read Performing system related operations, such as search users across all orgs, list users with system permissions, assign system permissions to users, and retrieve license usage information. /system/ip_bans
read, update Performing system related operations, such as search users across all orgs, list users with system permissions, assign system permissions to users, and retrieve license usage information. /system/principal_permissions
create, update Performing system related operations, such as search users across all orgs, list users with system permissions, assign system permissions to users, and retrieve license usage information. /system/usage
delete Performing system related operations, such as search users across all orgs, list users with system permissions, assign system permissions to users, and retrieve license usage information. /system/ip_bans/{ip_address}
create, update Performing system related operations, such as search users across all orgs, list users with system permissions, assign system permissions to users, and retrieve license usage information. /system/principals/search
create, update Performing system related operations, such as search users across all orgs, list users with system permissions, assign system permissions to users, and retrieve license usage information. /system/usage/report
read, create, update Managing tags. /orgs/{org_id}/tags/{tagType}
create, update Managing tags. /orgs/{org_id}/tags/{tagType}/query_paged
delete, read, update Managing tags. /orgs/{org_id}/tags/{tagType}/{tagHandle}
read, create, update Managing task notes. /orgs/{org_id}/tasks/{task_id}/attachments
create, update Managing task notes. /orgs/{org_id}/tasks/{task_id}/attachments/query
delete, read Managing task notes. /orgs/{org_id}/tasks/{task_id}/attachments/{attach_id}
read, HEAD, create, update Managing task notes. /orgs/{org_id}/tasks/{task_id}/attachments/{attach_id}/contents
update Managing task notes. /orgs/{org_id}/tasks/{task_id}/attachments/{attach_id}/move
read, create, update Managing task notes. /orgs/{org_id}/tasks/{task_id}/comments
create, update Managing task notes. /orgs/{org_id}/tasks/{task_id}/comments/query
delete, read, update Managing task notes. /orgs/{org_id}/tasks/{task_id}/comments/{id}
read, update Managing tasks. /orgs/{org_id}/tasks
update Managing tasks. /orgs/{org_id}/tasks/delete
read Managing tasks. /orgs/{org_id}/tasks/due_soon
delete, read, update Managing tasks. /orgs/{org_id}/tasks/{task_id}
delete, read, update Managing tasks. /orgs/{org_id}/tasks/{id}/members
read Managing tasks. /orgs/{org_id}/tasks/{task_id}/instructions
read Managing tasks. /orgs/{org_id}/tasks/{task_id}/instructions_ex
read Managing tasks. /orgs/{org_id}/tasks/{task_id}/sources
create, update Retrieving timer data. /orgs/{org_id}/timers
read, create, update Viewing and editing built-in types and fields. /orgs/{org_id}/types
delete, read, update Viewing and editing built-in types and fields. /orgs/{org_id}/types/{type}
read, create, update Viewing and editing built-in types and fields. /orgs/{org_id}/types/{type}/fields
read Viewing and editing built-in types and fields. /orgs/{org_id}/types/{type}/schema
delete, read, update Viewing and editing built-in types and fields. /orgs/{org_id}/types/{type}/fields/{field}
read, create, update Create, read, update, and delete wiki pages. /orgs/{org_id}/wikis
update Create, read, update, and delete wiki pages. /orgs/{org_id}/wikis/order
delete, read, update Create, read, update, and delete wiki pages. /orgs/{org_id}/wikis/{id}
read, update Managing an incident's workflow instances. /orgs/{org_id}/workflow_instances/{wi_id}
read Managing workflows. /orgs/{org_id}/workflows
read, create, update Manage workspaces for an organization. /orgs/{org_id}/workspaces
delete, read, update Manage workspaces for an organization. /orgs/{org_id}/workspaces/{workspace_id}

Table 14. Service name: Threat Investigator
Action Description URL
read Get information about the app /api/advisor/v1/about
read Get app config information for the current account /api/advisor/v1/account
create Start changelog processing immediately /api/advisor/v1/account/changelog/trigger
create Submit a request to register Advisor analytics /api/advisor/v1/analytics/
delete Deprovisions the investigator app for the caller's account /api/advisor/v1/config/auto_investigation
read Get the auto-investigation configuration /api/advisor/v1/config/auto_investigation
update Update the auto-investigation configuration /api/advisor/v1/config/auto_investigation
read Get the retention policy /api/advisor/v1/config/retention_policy
update Update the retention policy /api/advisor/v1/config/retention_policy
create Start investigation purge immediately /api/advisor/v1/config/retention_policy/trigger
create Start stuck investigation purge immediately /api/advisor/v1/config/retention_policy/trigger/stuck
read Get all tuning parameters /api/advisor/v1/config/tuning
create, update Add or update tuning parameter /api/advisor/v1/config/tuning
delete Remove tuning parameter /api/advisor/v1/config/tuning/{name}
create Start auto investigation immediately /api/advisor/v1/investigation/auto/trigger
delete Cancel the case investigation /api/advisor/v1/investigation/case/{int:case_id}
read Get the status of a case investigation /api/advisor/v1/investigation/case/{int:case_id}
create Submit a case investigation /api/advisor/v1/investigation/case/{int:case_id}
create Delete activity from the timeline /api/advisor/v1/investigation/case/{int:case_id}/deleted_activity
read Get responses for an investigation /api/advisor/v1/investigation/case/{int:case_id}/responses
delete Reject the response /api/advisor/v1/investigation/case/{int:case_id}/responses/{string:response_id}
read Get details of the response /api/advisor/v1/investigation/case/{int:case_id}/responses/{string:response_id}
create Accept the response /api/advisor/v1/investigation/case/{int:case_id}/responses/{string:response_id}
delete Remove the investigation of a case /api/advisor/v1/investigation/case/{int:case_id}/results
read Get the attack assets and attack links results for a case investigation /api/advisor/v1/investigation/case/{int:case_id}/results/assetslinks
read Get the attack chain results for a case investigation /api/advisor/v1/investigation/case/{int:case_id}/results/attackchain
read Get findings for an investigation /api/advisor/v1/investigation/case/{int:case_id}/results/findings
create Attach findings to case /api/advisor/v1/investigation/case/{int:case_id}/results/findings
read Get the attack metadata results for a case investigation /api/advisor/v1/investigation/case/{int:case_id}/results/metadata
create Return the investigation observable information /api/advisor/v1/investigation/case/{int:case_id}/results/observable/query
read Get only the attack assets results for a case investigation /api/advisor/v1/investigation/case/{int:case_id}/results/overview
read Get information about the specified process and asset in the investigation /api/advisor/v1/investigation/case/{int:case_id}/results/process_info
read Get a process tree for the specified asset in the investigation /api/advisor/v1/investigation/case/{int:case_id}/results/process_tree
create Search the investigation by search term /api/advisor/v1/investigation/case/{int:case_id}/results/search
read Return the classification and investigation statistics for a case investigation /api/advisor/v1/investigation/case/{int:case_id}/results/stats
read Get the requested STIX observed data object for a case investigation /api/advisor/v1/investigation/case/{int:case_id}/results/stix/{string:stix_id}
read Get related threat intel for the requested STIX observed data /api/advisor/v1/investigation/case/{int:case_id}/results/ti/{string:stix_id}
read Get walkthrough for an investigation /api/advisor/v1/investigation/case/{int:case_id}/results/walkthrough
read Get status of task adding findings to a case /api/advisor/v1/investigation/case/{int:case_id}/save_status
delete Unstar the timeline investigation activity /api/advisor/v1/investigation/case/{int:case_id}/starred_activity
read Get the timeline investigation activity /api/advisor/v1/investigation/case/{int:case_id}/starred_activity
create Star the timeline investigation activity /api/advisor/v1/investigation/case/{int:case_id}/starred_activity
read Get tags for an investigation /api/advisor/v1/investigation/case/{int:case_id}/tagging
create Extract and update tags for an investigation /api/advisor/v1/investigation/case/{int:case_id}/tagging
read Return a page of the investigation summaries and corresponding case metadata /api/advisor/v1/investigation/cases
read Get the metrics for case investigations /api/advisor/v1/investigation/metrics

Detection and Response Center

Table 15. Service name: DRC
Action Description URL
read Get tactic and techniques list /api/drc/v1/mitre/tactics_and_techniques
read Get reference list in your account /api/drc/v1/{account_id}/reference_lists
read Get reference list by uuid in your account /api/drc/v1/{account_id}/reference_lists/{uuid}
read Get elements of a reference list in your account /api/drc/v1/{account_id}/reference_lists/{uuid}/elements
read Get rules list (old version that Investigator is using) /api/drc/v1/rules
read Get rules list in your account /api/drc/v1/{account_id}/rules
read Get a rule by id in your account /api/drc/v1/{account_id}/rules/{rule_id}
create Create a job /app/drc/api/jobs/{jobType}
read Get configurations /app/drc/api/configurations
create Create configurations /app/drc/api/configurations
read Get enabled features of current user /app/drc/api/enabled_features
read Get filters of current user /app/drc/api/use_case_explorer/filters
read Get all MITRE ATT&CK rule mappings. /app/drc/api/mappings
create Create MITRE mappings /app/drc/api/mappings
update Update MITRE mappings /app/drc/api/mappings
read Get IBM default mapping by rule /app/drc/api/mappings/default/by_name
read Get all tactics and techniques /app/drc/api/mitre/tactics_and_techniques
read Get all reference lists /app/drc/api/reference_lists
read Get reference list by id /app/drc/api/reference_lists/{id}
read Get elements of a reference list /app/drc/api/reference_lists/{rl_id}/elements
update Update elements of a reference list /app/drc/api/reference_lists/{rl_id}/elements
delete Delete elements of a reference list /app/drc/api/reference_lists/{rl_id}/elements
read Get rule groups /app/drc/api/rule_groups
read Get rule groups of rules /app/drc/api/rule_groups/ids
create Create rule groups /app/drc/api/rule_groups
update Assign rules to groups /app/drc/api/rule_groups/rules/set
update Update group parent /app/drc/api/rule_groups/{group_id}/parent
delete Delete rule groups /app/drc/api/rule_groups/{group_id}/rules
read Generate a Use Case Explorer report /app/drc/api/use_case_explorer
read Get status of a report /app/drc/api/use_case_explorer/{reportId}/status
read Get result of a report /app/drc/api/use_case_explorer/{reportId}/result
read Get all tactics and techniques from rules in the selected report /app/drc/api/use_case_explorer/{reportId}/tactics_and_techniques
read Start a job to download Use Case Explorer report as a CSV file /app/drc/api/use_case_explorer/{reportId}/download_csv
read Get the results of the Use Case Explorer download CSV job /app/drc/api/use_case_explorer/download_csv/{jobId}/result
read Get the results of the Use Case Explorer export scheduled rules job /app/drc/api/use_case_explorer/export_scheduled_rules/{jobId}/result
create Start a job to export scheduled rules file /app/drc/api/use_case_explorer/export_scheduled_rules
delete Delete Use Case Explorer report /app/drc/api/use_case_explorer/{reportId}
read Get all Use Case Explorer available templates /app/drc/api/use_case_explorer/templates
read Get correlation key guide /app/drc/api/rule_wizard/correlation_key_guide
read Check if mappings are missing or not /app/drc/api/rule_wizard/check_mappings
create Create kql query report /app/drc/api/rule_wizard/kql
read Check kql query report status /app/drc/api/rule_wizard/kql/{queryId}
read Get kql query report result /app/drc/api/rule_wizard/kql/{queryId}/results
create Save a Rule Wizard query in DRC /app/drc/api/rule_wizard/cached_query
read Retrieve a saved query /app/drc/api/rule_wizard/cached_query/{queryId}
read Get domain entity mapping /app/drc/api/rule_wizard/entity_mapping
read Get available extensions /app/drc/api/available_extensions
read Get installed extensions /app/drc/api/installed_extensions
create Sync xdr rules with XFE /app/drc/api/sync_xdr
create Ensure XDRCC has the latest rules /app/drc/api/force_xdrcc_sync
create Upload xdr contents file /app/drc/api/xdr/file
read Check sync xdr rules with xfe status /app/drc/api/sync_xdr/{jobId}/status
create Create rules /app/drc/api/rules
read Get details of a rule /app/drc/api/rules/{ruleId}
update Enable/disable a rule /app/drc/api/rules/{ruleId}
update Update a rule /app/drc/api/rules/{ruleId}
restore Revert a rule to previous version /app/drc/api/rules/{ruleId}
delete Delete a rule /app/drc/api/rules/{ruleId}
read Get the log source types of a rule /app/drc/api/rules/{ruleId}/log_source_types
read Get rule history /app/drc/api/rules/{ruleId}/history
read Get history rule by id /app/drc/api/rules/history/{historyRuleId}
read Get the rule notification settings of a rule /app/drc/api/rules/{ruleId}/notifications/settings
update Update rule notification settings /app/drc/api/rules/{ruleId}/notifications/settings
delete Delete rule notification settings /app/drc/api/rules/{ruleId}/notifications/settings
read Get rule notifications /app/drc/api/rules/{ruleId}/notifications
delete Clear rule notifications /app/drc/api/rules/{ruleId}/notifications
create Create a rule draft /app/drc/api/rulesDraft

Threat Intelligence Insights

Table 16. Service name: TII
Action Description URL
create User creates a new threat. /api/tii/v1/threats/user, /api/tii/v1/threats/indicators
update User updates previously created threat. /api/tii/v1/threats/user/{threatId}, /api/tii/v1/threats/indicators, /api/tii/v1/threats/indicators/remove
update User shares a threat they created with another user on the same cp4s account /api/tii/v1/{threatId}/acl
delete User deletes threat they created /api/tii/v1/threats/user/{threatId}
create, update User runs AIA scan tis/xfe/api/v1/latestScanHistories, /tis/xfe/api/v1/updateScanResult
update User enables XFE data plan /api/tii/v1/audit/xfe
update User disables a previously enabled X-Force data plan api/audit/xfe, /tis/xfe/api/v1/dataplan/free, /tis/xfe/api/v1/dataplan/none, /tis/xfe/api/v1/dataplan/reset
create, update User enables one or more third party sources and inputs access credentials /api/audit/tis, /api/audit/xfe/
update User disables a previously enabled third party source /api/audit/tis, /api/audit/xfe/
create, update User changes their organization's industry /api/configstore/v1/config/config-service/isc-common-xfeplus-settings-service/${iscAccountId}
create, update User can change their organization's location /api/configstore/v1/config/config-service/isc-common-xfeplus-settings-service, /api/tis/v2/user/update
create User can create an api key api/apikey/create, api/apikey/sync
delete User can delete a previously created api key api/apikey/delete, api/apikey/check, api/apikey/clear

Table 17. Service name: TIS
Action Description URL
create User starts AIA scans /tis/v2/am-i-affected
delete User cancels an AIA scan /tis/v2/am-i-affected/cancel/{cursor_id}
create User with connected threat intel feeds enriches IOCs /tis/v2/enrich