Get Finding List
Description
Get all the findings of a specific resource in a custom date range.
URL
/api/v2/finding/list
Request Method: POST
Request Headers
Key | Value | Type | Description |
---|---|---|---|
companyId | <12345> | Integer | Company ID in FortiCNP; can be obtained through Get Resource Map |
roleId | <12345> | Long | Login user identity; can be obtained through Get Resource Map |
Authorization | Bearer <Authorization Token> | String | Authorization credential generated by FortiCNP |
Content-Type | application/json | String | Media type of the request body |
Request Body Parameters
Name | Required | Type | Description |
---|---|---|---|
startTime | Required | Long | Start of the time range for the filtered open alerts, as a Unix Epoch timestamp in milliseconds. To convert a date and time to a Unix Epoch timestamp, refer to https://www.epochconverter.com/. |
endTime | Required | Long | End of the time range for the filtered open alerts, as a Unix Epoch timestamp in milliseconds. To convert a date and time to a Unix Epoch timestamp, refer to https://www.epochconverter.com/. |
skip | Required | Integer | Offset into the result set: the first N items of the resource collection are excluded from the response. |
limit | Required | Integer | Maximum number of returned items. |
objectId | Required | Integer | The resource ID of the resource. It can be obtained from the FortiCNP INSIGHTS > Risk > Resource Detail page. |
Resource ID
Look for a resource that has at least 1 finding in the Resource Detail page. Use the Resource ID as the objectId parameter in the request body.
Sample Request
Use the resource ID as the objectId parameter and convert the start time and end time of the requested resource into Epoch timestamps in milliseconds for startTime and endTime parameters.
Item | Value |
---|---|
Request URL | POST https://www.forticnp.com/api/v2/finding/list |
Request Header | Authorization: Bearer <Authorization_Token>; roleId: 89145; companyId: 89146; Content-Type: application/json |
Request Body | { "skip" : 0, "limit" : 20, "endTime" : 1656201875000, "startTime" : 1655597075000, "objectId": 8368758 } |
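Putting the request and the skip/limit paging together, as an added example rather than FortiCNP's own client code: it builds the headers and body documented above, converts a date to epoch milliseconds (the unit the endpoint requires), and walks every page until totalCount is reached. The function names, the urllib transport and the injectable `post` callable are this example's own assumptions.

```python
import json
import urllib.request
from datetime import datetime, timezone
from typing import Callable, Dict, Iterator, Tuple

FINDING_LIST_URL = "https://www.forticnp.com/api/v2/finding/list"

def to_epoch_ms(when) -> int:
    """startTime/endTime must be epoch MILLIseconds; accepts a datetime or an
    ISO-8601 string such as '2022-06-19T00:04:35+00:00' (naive = UTC, assumed)."""
    dt = datetime.fromisoformat(when) if isinstance(when, str) else when
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return round(dt.timestamp() * 1000)

def build_request(company_id: int, role_id: int, token: str, object_id: int,
                  start_ms: int, end_ms: int, skip: int = 0,
                  limit: int = 20) -> Tuple[Dict[str, str], Dict[str, int]]:
    """Headers and JSON body in exactly the shape documented above."""
    headers = {"companyId": str(company_id), "roleId": str(role_id),
               "Authorization": f"Bearer {token}",
               "Content-Type": "application/json"}
    body = {"skip": skip, "limit": limit, "startTime": start_ms,
            "endTime": end_ms, "objectId": object_id}
    return headers, body

def post_json(url: str, headers: Dict[str, str], body: dict) -> dict:
    """Real transport (urllib); inject a fake callable for offline tests."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def iter_findings(company_id: int, role_id: int, token: str, object_id: int,
                  start_ms: int, end_ms: int, page_size: int = 20,
                  post: Callable[[str, dict, dict], dict] = post_json) -> Iterator[dict]:
    """Walk every page: advance skip by the items received until totalCount."""
    skip = 0
    while True:
        headers, body = build_request(company_id, role_id, token, object_id,
                                      start_ms, end_ms, skip, page_size)
        page = post(FINDING_LIST_URL, headers, body)
        items = page.get("data") or []
        yield from items
        skip += len(items)
        # an empty page also stops the loop, so a bad totalCount cannot spin forever
        if not items or skip >= int(page.get("totalCount", 0)):
            break
```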
Response Variables
Name | Required / Optional | Type | Description |
---|---|---|---|
buId | Required | integer | Business ID; one service ID per buId |
companyId | Required | String | Company ID |
id | Required | String | Alert identity |
object | Optional | String | Object name that triggered the alert |
objectType | Required | String | Object type of alert |
objectId (File ID) | Required | String | Object ID, i.e. the resource ID of the resource. |
user | Optional | String | User information |
userName | Optional | String | User name |
severity | Required | String | Severity of the finding. |
serviceId | Required | String | ID to distinguish between different accounts of the same cloud service in FortiCNP. |
violationActivity | Required | String | Violating activity that triggered the alert |
displayOperation | Required | String | Operation that triggered the alert |
createTime | Required | long | Timestamp of when the alert is created |
updateTime | Required | long | Timestamp of when the alert is updated |
policyName | Required | String | Name of the policy that alert is triggered by |
policyId | Required | String | ID of the policy that alert is triggered by |
policyCode | Required | String | Policy code of the policy violation in alert |
contextName | Required | String | Context name of violation policy |
userId | Required | String | ID of the user who triggered the alert |
eventId | Required | String | Event ID |
eventIdList | Required | Array | List of the event IDs |
service | Required | Application | Cloud service (e.g. AWS, Google Cloud etc.) |
resultDesc | Required | String | Description for violation context |
geoLocationList | Required | Array | Place where the activity occurred. |
alertType | Required | String | Classification of the alert |
alertSubType | Required | String | Sub-classification of the alert |
defineType | Required | String | Type of policy, predefined or customized |
state | Required | String | Alert state |
resourceId | Required | String | The resource ID of the resource as provided by the cloud vendor (AWS, Azure, etc.). |
totalPage | Required | integer | Total number of pages of matching alerts |
limit | Required | integer | Maximum number of returned alerts in one page |
skip | Required | integer | Offset into the result set: the first N items of the resource collection are excluded from the response. |
totalCount | Required | integer | Total number of alerts |
Sample Response
{
"data": [
{
"buId": 8364327,
"companyId": "895146",
"timestampUUID": "8364327-AWS-1117262733534276-arn:aws:guardduty:us-east-1:677383417454:detector/aabe29283493fbad8bb9b851b28c9114/finding/30c0c164f78a232c69b2a75f341e8e58",
"id": "8364327-AWS-1117262733534276-arn:aws:guardduty:us-east-1:677383417454:detector/aabe29283493fbad8bb9b851b28c9114/finding/30c0c164f78a232c69b2a75f341e8e58",
"object": "ProxyVM",
"objectType": "RESOURCE",
"objectId": "8368758",
"user": "",
"userName": "",
"severity": "High",
"applicationId": "677383417454",
"violationActivity": "NONE",
"displayOperation": "NONE",
"createTime": 1655756680980,
"updateTime": 1656092259000,
"policyName": "TTPs/Command and Control/CryptoCurrency:EC2-BitcoinTool.B!DNS",
"policyId": "1117262733534276",
"policyCode": "1117262733534276",
"contextName": "TTPs/Command and Control/CryptoCurrency:EC2-BitcoinTool.B!DNS",
"eventIdList": [
null
],
"service": "AWS",
"description": "EC2 instance i-07d63da1e57a53ed0 is querying a domain name that is associated with Bitcoin-related activity.",
"resultDesc": "{\"awsAccountId\":\"677383417454\",\"companyName\":\"Amazon\",\"createdAt\":\"2022-06-20T20:24:40.980Z\",\"description\":\"EC2 instance i-07d63da1e57a53ed0 is querying a domain name that is associated with Bitcoin-related activity.\",\"findingProviderFields\":{\"severity\":{\"label\":\"HIGH\"},\"types\":[\"TTPs/Command and Control/CryptoCurrency:EC2-BitcoinTool.B!DNS\",\"Effects/Resource Consumption/CryptoCurrency:EC2-BitcoinTool.B!DNS\"]},\"firstObservedAt\":\"2022-06-20T19:46:03.000Z\",\"generatorId\":\"arn:aws:guardduty:us-east-1:677383417454:detector/aabe29283493fbad8bb9b851b28c9114\",\"id\":\"arn:aws:guardduty:us-east-1:677383417454:detector/aabe29283493fbad8bb9b851b28c9114/finding/30c0c164f78a232c69b2a75f341e8e58\",\"lastObservedAt\":\"2022-06-24T16:50:49.000Z\",\"productArn\":\"arn:aws:securityhub:us-east-1::product/aws/guardduty\",\"productFields\":{\"aws/guardduty/service/action/dnsRequestAction/blocked\":\"false\",\"aws/guardduty/service/additionalInfo/threatListName\":\"ProofPoint\",\"aws/guardduty/service/archived\":\"false\",\"aws/guardduty/service/evidence/threatIntelligenceDetails.0_/threatNames\":\"[]\",\"aws/guardduty/service/additionalInfo/value\":\"{\\\"threatListName\\\":\\\"ProofPoint\\\"}\",\"aws/guardduty/service/resourceRole\":\"TARGET\",\"aws/securityhub/ProductName\":\"GuardDuty\",\"aws/guardduty/service/count\":\"11\",\"aws/guardduty/service/action/dnsRequestAction/domain\":\"pool.minergate.com\",\"aws/guardduty/service/additionalInfo/type\":\"default\",\"aws/guardduty/service/serviceName\":\"guardduty\",\"aws/guardduty/service/action/dnsRequestAction/protocol\":\"UDP\",\"aws/guardduty/service/detectorId\":\"aabe29283493fbad8bb9b851b28c9114\",\"aws/securityhub/CompanyName\":\"Amazon\",\"aws/guardduty/service/eventFirstSeen\":\"2022-06-20T19:46:03.000Z\",\"aws/guardduty/service/eventLastSeen\":\"2022-06-24T16:50:49.000Z\",\"aws/guardduty/service/evidence/threatIntelligenceDetails.0_/threatListName\":\"ProofPoint\",\"aws/guardduty/service/action/actionType\":\"DNS_REQUEST\",\"aws/securityhub/FindingId\":\"arn:aws:securityhub:us-east-1::product/aws/guardduty/arn:aws:guardduty:us-east-1:677383417454:detector/aabe29283493fbad8bb9b851b28c9114/finding/30c0c164f78a232c69b2a75f341e8e58\"},\"productName\":\"GuardDuty\",\"recordState\":\"ACTIVE\",\"region\":\"us-east-1\",\"resources\":[{\"details\":{\"awsEc2Instance\":{\"iamInstanceProfileArn\":\"arn:aws:iam::677383417454:instance-profile/ssm_role\",\"imageId\":\"ami-013f17f36f8b1fefb\",\"ipV4Addresses\":[\"3.238.202.145\",\"172.31.59.59\"],\"launchedAt\":\"2021-03-31T18:44:00.000Z\",\"subnetId\":\"subnet-0eccfc01\",\"type\":\"r5.large\",\"vpcId\":\"vpc-d64dc7ac\"}},\"id\":\"arn:aws:ec2:us-east-1:677383417454:instance/i-07d63da1e57a53ed0\",\"partition\":\"aws\",\"region\":\"us-east-1\",\"tags\":{\"Name\":\"ProxyVM\"},\"type\":\"AwsEc2Instance\"}],\"sample\":false,\"schemaVersion\":\"2018-10-08\",\"severity\":{\"label\":\"HIGH\",\"normalized\":50,\"product\":8.0},\"sourceUrl\":\"https://us-east-1.console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?macros=current&fId=30c0c164f78a232c69b2a75f341e8e58\",\"title\":\"Bitcoin-related domain name queried by EC2 instance i-07d63da1e57a53ed0.\",\"types\":[\"TTPs/Command and Control/CryptoCurrency:EC2-BitcoinTool.B!DNS\",\"Effects/Resource Consumption/CryptoCurrency:EC2-BitcoinTool.B!DNS\"],\"updatedAt\":\"2022-06-24T17:37:39.672Z\",\"workflow\":{\"status\":\"NEW\"},\"workflowState\":\"NEW\"}",
"matches": 0,
"region": "us-east-1",
"alertType": "Amazon GuardDuty",
"defineType": "Predefined",
"title": "Bitcoin-related domain name queried by EC2 instance i-07d63da1e57a53ed0.",
"nodeType": "EC2 Instance",
"port": "0",
"state": "Open",
"resourceId": "i-07d63da1e57a53ed0"
}
],
"totalPage": 6,
"limit": 1,
"skip": 0,
"totalCount": 6
}
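Consuming the sample response above, as an added example rather than FortiCNP's own code: `resultDesc` carries the upstream finding as a JSON string inside the JSON, so a consumer has to decode it a second time to reach fields such as the queried domain and the resource ARNs. The layout of that inner object is taken from the sample above; the function names and the trimmed sample are this example's own.

```python
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# productFields key for the queried domain, as seen in the sample response above
DNS_DOMAIN_KEY = "aws/guardduty/service/action/dnsRequestAction/domain"

def parse_finding(item: dict) -> Dict[str, object]:
    """Flatten one element of "data". resultDesc is the upstream Security Hub
    style finding serialised as a JSON *string*, so it is decoded a second time."""
    detail = json.loads(item.get("resultDesc") or "{}")
    product = detail.get("productFields") or {}
    ms = int(item.get("createTime") or 0)  # createTime is epoch milliseconds
    return {
        "finding_id": item["id"],
        "severity": item.get("severity"),
        "state": item.get("state"),
        "policy": item.get("policyName"),
        "cloud_resource_id": item.get("resourceId"),
        "resource_arns": [r.get("id", "") for r in detail.get("resources") or []],
        "queried_domain": product.get(DNS_DOMAIN_KEY),
        "created_utc": (datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
                        + timedelta(milliseconds=ms % 1000)).isoformat(),
        "upstream_active": detail.get("recordState") == "ACTIVE",
    }

def open_high_findings(response: dict) -> List[Dict[str, object]]:
    """Triage filter: findings still Open and rated High, newest first."""
    parsed = [parse_finding(i) for i in response.get("data") or []]
    keep = [p for p in parsed if p["state"] == "Open" and p["severity"] == "High"]
    return sorted(keep, key=lambda p: p["created_utc"], reverse=True)

# Constructed sample: a trimmed copy of the page's sample response, with
# resultDesc built via json.dumps so the nested escaping is produced correctly.
SAMPLE_RESPONSE = {
    "data": [{
        "id": "8364327-AWS-1117262733534276-example",
        "severity": "High", "state": "Open",
        "policyName": "TTPs/Command and Control/CryptoCurrency:EC2-BitcoinTool.B!DNS",
        "createTime": 1655756680980,
        "resourceId": "i-07d63da1e57a53ed0",
        "resultDesc": json.dumps({
            "recordState": "ACTIVE",
            "productFields": {DNS_DOMAIN_KEY: "pool.minergate.com"},
            "resources": [{"id": "arn:aws:ec2:us-east-1:677383417454:instance/i-07d63da1e57a53ed0"}],
        }),
    }],
    "totalPage": 1, "limit": 20, "skip": 0, "totalCount": 1,
}
```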