Report column codes for report APIs
Use the report column codes from the following tables with these APIs: POST /api/use_case_explorer/{reportId}/download_csv, POST /api/use_case_explorer/{reportId}/download_json, or GET /api/use_case_explorer/{reportId}/result.
Rule attribute columns
The following table describes the codes to use in the API for each report column.
| Report column name | Code |
|---|---|
| Rule_ID | ID |
| Rule_UUID | uuid (Important: Must be lowercase.) |
| Attribute_Name | N |
| Attribute_Rule | R |
| Attribute_Enabled | EN |
| Attribute_Action | A |
| Attribute_Response | RE |
| Attribute_Creation_Date | CD |
| Attribute_Modification_Date | MD |
| Attribute_Group | GR |
| Attribute_Type | T |
| Attribute_Notes | NO |
| Attribute_Offense_Type | OT |
| Attribute_Triggered | TG |
| Attribute_First_Triggered | FTG |
| Attribute_Last_Triggered | LTG |
| Test_Definition | TD |
| Event_Name | E |
| Event_Description | ED |
| Low_Level_Category | LLC |
| Rule_Category | RC |
| Rule_Origin | RO |
| Response_Details | RED |
| Action_Details | AD |
| UBA_Risk | URSK |
Content extension columns
The following table describes the codes to use in the API for each report column.
| Report column name | Code |
|---|---|
| Not_Installed_CE | NI |
| Content_Extension_name | CEN |
| Content_Extension_Category | CEG |
Test columns
The following table describes the codes to use in the API for each report column.
| Report column name | Code |
|---|---|
| Log_Source_Type | LST |
| IP | IPC |
| Port | PR |
| Reference_Set | RS |
| Reference_Set_With_Number_Of_Elements | RSS |
| Xforce | XF |
| Network_Hierarchy | NH |
| Network_Hierarchy_And_Context | NHC |
| Network | NT |
| End_Point | EP |
| Custom_Property | CP |
| Domain | DOM |
| Reference_Data | RD |
| Log_Source | LS |
| QID_IDs | QID |
| Category_IDs | CAT |
| Errors | ER |
| GEO | GEO |
| Ariel_Search | ARL |
| Threshold | THR |
| Log_Source_Group | LSG |
| Log_Source_Type_ID | LST_ID |
| Log_Source_Type_RO | LST_RO |
MITRE columns
The following table describes the codes to use in the API for each report column.
| Report column name | Code |
|---|---|
| Tactic | TAC |
| Technique | TEC |
| Sub_Technique | STEC |
| Tactic_RO | TAC_RO |
| Sub_Technique_RO | STEC_RO |
| Mapping_Enabled | MAP_EN |
| Mapping_Confidence | MAP_C |
| Tactic_ID | TAC_ID |
| Technique_ID | TEC_ID |
| Sub_Technique_ID | STEC_ID |
| Mapping_Source | MAP${SOURCE_COLUMN_SUFFIX} |
Offense columns
The following table describes the codes to use in the API for each report column.
| Report column name | Code |
|---|---|
| Description | OD |
| Type | TP |
| Type_Value | TV |
| Status | ST |
| Event_Count | EC |
| Offense_ID | OID |
Rule activity columns
The following table describes the codes to use in the API for each report column.
| Report column name | Code |
|---|---|
| First_Triggered | FTG |
| Last_Triggered | LTG |