Posture Management APIs

You can use the posture management APIs to search posture events, fetch posture events and their details, and view the activity of the user (actor) whose actions triggered an event and of the asset that triggered it.

GET: Fetch a list of posture events based on some filters

Authorizations

Authorization (string, required): Bearer authentication header of the form Bearer <token>.

Query parameters

createdAfter (integer, optional)
  Unix timestamp in seconds, filters records created ≥ the value, defaults to -180 days UTC

createdBefore (integer, optional)
  Unix timestamp in seconds, filters records created < the value, defaults to end of the current day UTC

updatedAfter (integer, optional)
  Unix timestamp in seconds, filters records updated > the value

limit (integer, max: 100, optional)
  The maximum number of records to be returned in the response. Default: 50

pageToken (string, optional)
  Cursor for getting the next page of results

sort (string enum, optional)
  Sort key and direction, defaults to descending order by creation time. Default: TIME_DESC
  Possible values:

query (string, required)
  The query containing filter clauses

Search query language

Query structure and terminology

A query clause consists of a field followed by an operator followed by a value:

  term      value
  clause    user_email:"[email protected]"
  field     user_email
  operator  :
  value     [email protected]

You can combine multiple query clauses in a search by separating them with a space.

Field types, substring matching, and numeric comparators

Every search field supports exact matching with the : operator. Certain fields, such as user_email and user_name, also support substring matching.

Quotes

You may wrap string values in quotation marks; quotation marks are required when the value contains spaces. For example:

Special Characters

The characters + - && || ! ( ) { } [ ] ^ " ~ * ? : are special characters and must be escaped with a backslash (\) when they appear in a value. For example:

  • a value like (1+1):2 should be searched for using \(1\+1)\:2

Search Syntax

The following table lists the syntax that you can use to construct a query.

Syntax: :
  Usage: field:value
  Description: Exact match operator (case insensitive)
  Example: state:"pending" returns records where the state is exactly "PENDING" in a case-insensitive comparison

Syntax: (space)
  Usage: field1:value1 field2:value2
  Description: The query returns only records that match both clauses
  Example: state:active slack.channel_name:general

Syntax: OR
  Usage: field:(value1 OR value2)
  Description: The query returns records that match either of the values (case insensitive)
  Example: state:(active OR pending)

Query Fields

Field                              Description
event_id                           the unique identifier of the posture event to filter on
integration_name                   the name of the integration to filter on
state                              the state of the event to filter on (active, pending, resolved, expired)
event_type                         the type of posture event to filter on
actor_name                         the name of the actor who performed the action to filter on
actor_email                        the email of the actor who performed the action to filter on
user_name                          the username of the user to filter on (backward compatibility)
user_email                         the email of the user to filter on (backward compatibility)
notes                              the comment or notes associated with the event to filter on
policy_id                          the unique identifier of the policy to filter on
policy_name                        the name of the policy to filter on
resource_id                        the identifier of the resource to filter on
resource_name                      the name of the resource to filter on
resource_owner_name                the name of the resource owner to filter on
resource_owner_email               the email of the resource owner to filter on
resource_content_type              the content type of the resource to filter on
endpoint.device_id                 the device identifier for endpoint events to filter on
endpoint.machine_name              the machine name for endpoint events to filter on
gdrive.permission                  the permission setting for Google Drive files to filter on
gdrive.shared_internal_email       the internal emails with which the file is shared to filter on
gdrive.shared_external_email       the external emails with which the file is shared to filter on
gdrive.drive                       the Google Drive name to filter on
gdrive.file_owner                  the owner of the Google Drive file to filter on
gdrive.label_name                  the label name applied to Google Drive files to filter on
salesforce.report.scope            the scope of the Salesforce report to filter on
salesforce.report.event_source     the event source of the Salesforce report to filter on
salesforce.report.source_ip        the source IP address of the Salesforce report to filter on
salesforce.report.session_level    the session level of the Salesforce report to filter on
salesforce.report.operation        the operation type of the Salesforce report to filter on
salesforce.report.description      the description of the Salesforce report to filter on
salesforce.file.source_ip          the source IP address for Salesforce file events to filter on
salesforce.file.session_level      the session level for Salesforce file events to filter on
Responses

GET /events/search
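As an added example (not code from the page or from Nightfall), the Python helpers below build a query string following the escaping, quoting and OR rules described above and then page through GET /events/search by following pageToken. The base URL, and the 'events' and 'pageToken' keys in the response body, are assumptions the page does not confirm; the escaper goes slightly beyond the page's own example by also escaping the closing parenthesis, since ) is in the special-character list.

```python
import json, urllib.parse, urllib.request
from typing import Callable, Iterator, Optional
# Characters the page says must be backslash-escaped inside a value.
SPECIAL = set('+-&|!(){}[]^"~*?:')

def escape_value(value: str) -> str:
    """Escape every special character so it is matched literally."""
    return "".join("\\" + ch if ch in SPECIAL else ch for ch in value)

def clause(field: str, value) -> str:
    """Render field:value; a list renders as field:(a OR b)."""
    if isinstance(value, (list, tuple)):
        return f"{field}:({' OR '.join(escape_value(str(v)) for v in value)})"
    escaped = escape_value(str(value))
    # Quotation marks are required when the value contains spaces.
    return f'{field}:"{escaped}"' if " " in escaped else f"{field}:{escaped}"

def build_query(clauses: dict) -> str:
    """Join clauses with a space, which the API treats as AND."""
    return " ".join(clause(f, v) for f, v in clauses.items())

def iter_search_events(fetch: Callable[[dict], dict], query: str,
                       created_after: Optional[int] = None) -> Iterator[dict]:
    """Follow pageToken until the cursor runs out. `fetch` maps query params
    to the decoded JSON body; keys 'events' and 'pageToken' are assumptions."""
    params = {"query": query, "limit": 100}  # page maximum
    if created_after is not None:
        params["createdAfter"] = created_after
    while True:
        body = fetch(params)
        yield from body.get("events", [])
        token = body.get("pageToken")
        if not token:
            return
        params = {**params, "pageToken": token}

def http_fetch(base_url: str, token: str) -> Callable[[dict], dict]:
    """Real transport for GET /events/search; base_url is an assumption."""
    def fetch(params: dict) -> dict:
        url = f"{base_url}/events/search?{urllib.parse.urlencode(params)}"
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return fetch
# Constructed two-page response used to exercise the pager offline.
_SAMPLE = {None: {"events": [{"event_id": "ev-1"}], "pageToken": "p2"},
           "p2": {"events": [{"event_id": "ev-2"}]}}
def sample_fetch(params: dict) -> dict:
    return _SAMPLE[params.get("pageToken")]
```

Against the live API, pass http_fetch(base_url, token) instead of sample_fetch; the same pageToken loop applies to the other cursor-paginated endpoints on this page.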

Fetch posture events

GET: Fetch a list of posture events for a period

Authorizations

Authorization (string, required): Bearer authentication header of the form Bearer <token>.

Query parameters

createdAfter (integer, optional)
  Unix timestamp in seconds, filters records created ≥ the value, defaults to -90 days UTC

createdBefore (integer, optional)
  Unix timestamp in seconds, filters records created < the value, defaults to end of the current day UTC

updatedAfter (integer, optional)
  Unix timestamp in seconds, filters records updated > the value

limit (integer, max: 100, optional)
  The maximum number of records to be returned in the response. Default: 50

pageToken (string, optional)
  Cursor for getting the next page of results

Responses

GET /events

Fetch posture event details

GET: Fetch a posture event's details by ID

Authorizations

Authorization (string, required): Bearer authentication header of the form Bearer <token>.

Path parameters

eventId (string, uuid, required)
  The UUID of the event to fetch

Responses

GET /events/{eventId}

Fetch posture event activity feed

GET: Fetch the activity feed for a specific posture event

Authorizations

Authorization (string, required): Bearer authentication header of the form Bearer <token>.

Path parameters

eventId (string, uuid, required)
  The UUID of the posture event

Query parameters

limit (integer, int32, max: 100, optional)
  Number of activity items to fetch in one page. Default: 50

createdAfter (integer, optional)
  Unix timestamp in seconds, filters activity created > the value

createdBefore (integer, optional)
  Unix timestamp in seconds, filters activity created < the value

descending (boolean, optional)
  Whether to sort results in descending order. Default: false

pageToken (string, optional)
  Cursor for getting the next page of results

Responses

GET /events/{eventId}/activity

Fetch asset activity

GET: Fetch the activity history for a specific asset

Authorizations

Authorization (string, required): Bearer authentication header of the form Bearer <token>.

Query parameters

assetID (string, required)
  The ID of the asset to fetch activities for

rangeStart (integer, required)
  Unix timestamp in seconds, filters activities created ≥ the value

rangeEnd (integer, required)
  Unix timestamp in seconds, filters activities created < the value

pageToken (string, optional)
  Cursor for getting the next page of results

Responses

GET /asset/activity

Fetch actor activity

GET: Fetch the activity history for a specific actor

Authorizations

Authorization (string, required): Bearer authentication header of the form Bearer <token>.

Query parameters

actorID (string, required)
  The Nightfall ID of the actor to fetch activities for

rangeStart (integer, required)
  Unix timestamp in seconds, filters activities created ≥ the value

rangeEnd (integer, required)
  Unix timestamp in seconds, filters activities created < the value

pageToken (string, optional)
  Cursor for getting the next page of results

Responses

GET /actor/activity
