API Reference

Copy Markdown

Open in Claude

Open in ChatGPT

Open in Cursor

---

Copy Markdown

View as Markdown

Cloudforce One

Cloudforce OneScans

Cloudforce OneScansResults

Get the Latest Scan Result

GET/accounts/{account_id}/cloudforce-one/scans/results/{config_id}

ModelsExpand Collapse

ScanResult { number, proto, status }

number: optional number

proto: optional string

status: optional string

ResultGetResponse { "1.1.1.1" }

"1.1.1.1": array of ScanResult { number, proto, status }

number: optional number

proto: optional string

status: optional string

Cloudforce OneScansConfig

List Scan Configs

GET/accounts/{account_id}/cloudforce-one/scans/config

Create a new Scan Config

POST/accounts/{account_id}/cloudforce-one/scans/config

Update an existing Scan Config

PATCH/accounts/{account_id}/cloudforce-one/scans/config/{config_id}

Delete a Scan Config

DELETE/accounts/{account_id}/cloudforce-one/scans/config/{config_id}

ModelsExpand Collapse

ConfigListResponse { id, account_id, frequency, 2 more }

id: string

Defines the Config ID.

account_id: string

frequency: number

Defines the number of days between each scan (0 = One-off scan).

ips: array of string

Defines a list of IP addresses or CIDR blocks to scan. The maximum number of total IP addresses allowed is 5000.

ports: array of string

Defines a list of ports to scan. Valid values are:“default”, “all”, or a comma-separated list of ports or range of ports (e.g. [“1-80”, “443”]). “default” scans the 100 most commonly open ports.

ConfigCreateResponse { id, account_id, frequency, 2 more }

id: string

Defines the Config ID.

account_id: string

frequency: number

Defines the number of days between each scan (0 = One-off scan).

ips: array of string

Defines a list of IP addresses or CIDR blocks to scan. The maximum number of total IP addresses allowed is 5000.

ports: array of string

Defines a list of ports to scan. Valid values are:“default”, “all”, or a comma-separated list of ports or range of ports (e.g. [“1-80”, “443”]). “default” scans the 100 most commonly open ports.

ConfigEditResponse { id, account_id, frequency, 2 more }

id: string

Defines the Config ID.

account_id: string

frequency: number

Defines the number of days between each scan (0 = One-off scan).

ips: array of string

Defines a list of IP addresses or CIDR blocks to scan. The maximum number of total IP addresses allowed is 5000.

ports: array of string

Defines a list of ports to scan. Valid values are:“default”, “all”, or a comma-separated list of ports or range of ports (e.g. [“1-80”, “443”]). “default” scans the 100 most commonly open ports.

ConfigDeleteResponse = unknown

Cloudforce OneBinary Storage

Retrieves a file from Binary Storage

GET/accounts/{account_id}/cloudforce-one/binary/{hash}

Posts a file to Binary Storage

POST/accounts/{account_id}/cloudforce-one/binary

ModelsExpand Collapse

BinaryStorageCreateResponse { content_type, md5, sha1, sha256 }

content_type: string

md5: string

sha1: string

sha256: string

Cloudforce OneRequests

List Requests

POST/accounts/{account_id}/cloudforce-one/requests

Get a Request

GET/accounts/{account_id}/cloudforce-one/requests/{request_id}

Create a New Request.

POST/accounts/{account_id}/cloudforce-one/requests/new

Update a Request

PUT/accounts/{account_id}/cloudforce-one/requests/{request_id}

Delete a Request

DELETE/accounts/{account_id}/cloudforce-one/requests/{request_id}

Get Request Quota

GET/accounts/{account_id}/cloudforce-one/requests/quota

Get Request Types

GET/accounts/{account_id}/cloudforce-one/requests/types

Get Request Priority, Status, and TLP constants

GET/accounts/{account_id}/cloudforce-one/requests/constants

ModelsExpand Collapse

Item { id, content, created, 10 more }

id: string

UUID.

maxLength36

content: string

Request content.

created: string

formatdate-time

priority: string

formatdate-time

request: string

Requested information from request.

summary: string

Brief description of the request.

tlp: "clear" or "amber" or "amber-strict" or 2 more

The CISA defined Traffic Light Protocol (TLP).

One of the following:

"clear"

"amber"

"amber-strict"

"green"

"red"

updated: string

formatdate-time

completed: optional string

formatdate-time

message_tokens: optional number

Tokens for the request messages.

readable_id: optional string

Readable Request ID.

status: optional "open" or "accepted" or "reported" or 3 more

Request Status.

One of the following:

"open"

"accepted"

"reported"

"approved"

"completed"

"declined"

tokens: optional number

Tokens for the request.

ListItem { id, created, priority, 9 more }

id: string

UUID.

maxLength36

created: string

Request creation time.

formatdate-time

priority: "routine" or "high" or "urgent"

One of the following:

"routine"

"high"

"urgent"

request: string

Requested information from request.

summary: string

Brief description of the request.

tlp: "clear" or "amber" or "amber-strict" or 2 more

The CISA defined Traffic Light Protocol (TLP).

One of the following:

"clear"

"amber"

"amber-strict"

"green"

"red"

updated: string

Request last updated time.

formatdate-time

completed: optional string

Request completion time.

formatdate-time

message_tokens: optional number

Tokens for the request messages.

readable_id: optional string

Readable Request ID.

status: optional "open" or "accepted" or "reported" or 3 more

Request Status.

One of the following:

"open"

"accepted"

"reported"

"approved"

"completed"

"declined"

tokens: optional number

Tokens for the request.

Quota { anniversary_date, quarter_anniversary_date, quota, remaining }

anniversary_date: optional string

Anniversary date is when annual quota limit is refreshed.

formatdate-time

quarter_anniversary_date: optional string

Quarter anniversary date is when quota limit is refreshed each quarter.

formatdate-time

quota: optional number

Tokens for the quarter.

remaining: optional number

Tokens remaining for the quarter.

RequestConstants { priority, status, tlp }

priority: optional array of "routine" or "high" or "urgent"

One of the following:

"routine"

"high"

"urgent"

status: optional array of "open" or "accepted" or "reported" or 3 more

One of the following:

"open"

"accepted"

"reported"

"approved"

"completed"

"declined"

tlp: optional array of "clear" or "amber" or "amber-strict" or 2 more

One of the following:

"clear"

"amber"

"amber-strict"

"green"

"red"

RequestTypes = array of string

RequestDeleteResponse { errors, messages, success }

errors: array of { code, message, documentation_url, source }

code: number

minimum1000

message: string

documentation_url: optional string

source: optional { pointer }

pointer: optional string

messages: array of { code, message, documentation_url, source }

code: number

minimum1000

message: string

documentation_url: optional string

source: optional { pointer }

pointer: optional string

success: true

Whether the API call was successful.

RequestTypesResponse = string

Request Types.

Cloudforce OneRequestsMessage

List Request Messages

POST/accounts/{account_id}/cloudforce-one/requests/{request_id}/message

Create a New Request Message

POST/accounts/{account_id}/cloudforce-one/requests/{request_id}/message/new

Update a Request Message

PUT/accounts/{account_id}/cloudforce-one/requests/{request_id}/message/{message_id}

Delete a Request Message

DELETE/accounts/{account_id}/cloudforce-one/requests/{request_id}/message/{message_id}

ModelsExpand Collapse

Message { id, author, content, 3 more }

id: number

Message ID.

author: string

Author of message.

content: string

Content of message.

is_follow_on_request: boolean

Whether the message is a follow-on request.

updated: string

Defines the message last updated time.

formatdate-time

created: optional string

Defines the message creation time.

formatdate-time

MessageDeleteResponse { errors, messages, success }

errors: array of { code, message, documentation_url, source }

code: number

minimum1000

message: string

documentation_url: optional string

source: optional { pointer }

pointer: optional string

messages: array of { code, message, documentation_url, source }

code: number

minimum1000

message: string

documentation_url: optional string

source: optional { pointer }

pointer: optional string

success: true

Whether the API call was successful.

Cloudforce OneRequestsPriority

Get a Priority Intelligence Requirement

GET/accounts/{account_id}/cloudforce-one/requests/priority/{priority_id}

Create a New Priority Intelligence Requirement

POST/accounts/{account_id}/cloudforce-one/requests/priority/new

Update a Priority Intelligence Requirement

PUT/accounts/{account_id}/cloudforce-one/requests/priority/{priority_id}

Delete a Priority Intelligence Requirement

DELETE/accounts/{account_id}/cloudforce-one/requests/priority/{priority_id}

Get Priority Intelligence Requirement Quota

GET/accounts/{account_id}/cloudforce-one/requests/priority/quota

ModelsExpand Collapse

Label = string

Priority { id, created, labels, 4 more }

id: string

UUID.

maxLength36

created: string

Priority creation time.

formatdate-time

labels: array of Label

List of labels.

priority: number

Priority.

requirement: string

Requirement.

tlp: "clear" or "amber" or "amber-strict" or 2 more

The CISA defined Traffic Light Protocol (TLP).

One of the following:

"clear"

"amber"

"amber-strict"

"green"

"red"

updated: string

Priority last updated time.

formatdate-time

PriorityEdit { labels, priority, requirement, tlp }

labels: array of Label

List of labels.

priority: number

Priority.

requirement: string

Requirement.

tlp: "clear" or "amber" or "amber-strict" or 2 more

The CISA defined Traffic Light Protocol (TLP).

One of the following:

"clear"

"amber"

"amber-strict"

"green"

"red"

PriorityDeleteResponse { errors, messages, success }

errors: array of { code, message, documentation_url, source }

code: number

minimum1000

message: string

documentation_url: optional string

source: optional { pointer }

pointer: optional string

messages: array of { code, message, documentation_url, source }

code: number

minimum1000

message: string

documentation_url: optional string

source: optional { pointer }

pointer: optional string

success: true

Whether the API call was successful.

Cloudforce OneRequestsAssets

Get a Request Asset

GET/accounts/{account_id}/cloudforce-one/requests/{request_id}/asset/{asset_id}

List Request Assets

POST/accounts/{account_id}/cloudforce-one/requests/{request_id}/asset

Update a Request Asset

PUT/accounts/{account_id}/cloudforce-one/requests/{request_id}/asset/{asset_id}

Delete a Request Asset

DELETE/accounts/{account_id}/cloudforce-one/requests/{request_id}/asset/{asset_id}

ModelsExpand Collapse

AssetGetResponse { id, name, created, 2 more }

id: number

Asset ID.

name: string

Asset name.

created: optional string

Defines the asset creation time.

formatdate-time

description: optional string

Asset description.

file_type: optional string

Asset file type.

AssetCreateResponse { id, name, created, 2 more }

id: number

Asset ID.

name: string

Asset name.

created: optional string

Defines the asset creation time.

formatdate-time

description: optional string

Asset description.

file_type: optional string

Asset file type.

AssetUpdateResponse { id, name, created, 2 more }

id: number

Asset ID.

name: string

Asset name.

created: optional string

Defines the asset creation time.

formatdate-time

description: optional string

Asset description.

file_type: optional string

Asset file type.

AssetDeleteResponse { errors, messages, success }

errors: array of { code, message, documentation_url, source }

code: number

minimum1000

message: string

documentation_url: optional string

source: optional { pointer }

pointer: optional string

messages: array of { code, message, documentation_url, source }

code: number

minimum1000

message: string

documentation_url: optional string

source: optional { pointer }

pointer: optional string

success: true

Whether the API call was successful.

Cloudforce OneThreat Events

Filter and list events

GET/accounts/{account_id}/cloudforce-one/events

Reads an event

Deprecated

GET/accounts/{account_id}/cloudforce-one/events/{event_id}

Creates a new event

POST/accounts/{account_id}/cloudforce-one/events/create

Updates an event

PATCH/accounts/{account_id}/cloudforce-one/events/{event_id}

Creates bulk events

POST/accounts/{account_id}/cloudforce-one/events/create/bulk

ModelsExpand Collapse

ThreatEventListResponse = array of { attacker, attackerCountry, category, 24 more }

attacker: string

attackerCountry: string

category: string

datasetId: string

date: string

event: string

hasChildren: boolean

indicator: string

indicatorType: string

indicatorTypeId: number

killChain: number

mitreAttack: array of string

mitreCapec: array of string

numReferenced: number

numReferences: number

rawId: string

referenced: array of string

referencedIds: array of number

references: array of string

referencesIds: array of number

tags: array of string

targetCountry: string

targetIndustry: string

tlp: string

uuid: string

insight: optional string

releasabilityId: optional string

ThreatEventGetResponse { attacker, attackerCountry, category, 24 more }

attacker: string

attackerCountry: string

category: string

datasetId: string

date: string

event: string

hasChildren: boolean

indicator: string

indicatorType: string

indicatorTypeId: number

killChain: number

mitreAttack: array of string

mitreCapec: array of string

numReferenced: number

numReferences: number

rawId: string

referenced: array of string

referencedIds: array of number

references: array of string

referencesIds: array of number

tags: array of string

targetCountry: string

targetIndustry: string

tlp: string

uuid: string

insight: optional string

releasabilityId: optional string

ThreatEventCreateResponse { attacker, attackerCountry, category, 24 more }

attacker: string

attackerCountry: string

category: string

datasetId: string

date: string

event: string

hasChildren: boolean

indicator: string

indicatorType: string

indicatorTypeId: number

killChain: number

mitreAttack: array of string

mitreCapec: array of string

numReferenced: number

numReferences: number

rawId: string

referenced: array of string

referencedIds: array of number

references: array of string

referencesIds: array of number

tags: array of string

targetCountry: string

targetIndustry: string

tlp: string

uuid: string

insight: optional string

releasabilityId: optional string

ThreatEventEditResponse { attacker, attackerCountry, category, 24 more }

attacker: string

attackerCountry: string

category: string

datasetId: string

date: string

event: string

hasChildren: boolean

indicator: string

indicatorType: string

indicatorTypeId: number

killChain: number

mitreAttack: array of string

mitreCapec: array of string

numReferenced: number

numReferences: number

rawId: string

referenced: array of string

referencedIds: array of number

references: array of string

referencesIds: array of number

tags: array of string

targetCountry: string

targetIndustry: string

tlp: string

uuid: string

insight: optional string

releasabilityId: optional string

ThreatEventBulkCreateResponse { createdEventsCount, createdTagsCount, errorCount, 4 more }

Detailed result of bulk event creation with auto-tag management

createdEventsCount: number

Number of events created

createdTagsCount: number

Number of new tags created in SoT

errorCount: number

Number of errors encountered

queuedIndicatorsCount: number

Number of indicators queued for async processing

createBulkEventsRequestId: optional string

Correlation ID for async indicator processing

formatuuid

createdEvents: optional array of { eventIndex, shardId, uuid }

Array of created events with UUIDs and shard locations. Only present when includeCreatedEvents=true

eventIndex: number

Original index in the input data array

shardId: string

Dataset ID of the shard where the event was created

uuid: string

UUID of the created event

formatuuid

errors: optional array of { error, eventIndex }

Array of error details

error: string

Error message

eventIndex: number

Index of the event that caused the error

Cloudforce OneThreat EventsAttackers

Lists attackers across multiple datasets

GET/accounts/{account_id}/cloudforce-one/events/attackers

ModelsExpand Collapse

AttackerListResponse { items, type }

items: { type }

type: string

type: string

Cloudforce OneThreat EventsCategories

Lists categories across multiple datasets

GET/accounts/{account_id}/cloudforce-one/events/categories

Reads a category

GET/accounts/{account_id}/cloudforce-one/events/categories/{category_id}

Creates a new category

POST/accounts/{account_id}/cloudforce-one/events/categories/create

Updates a category

PATCH/accounts/{account_id}/cloudforce-one/events/categories/{category_id}

Deletes a category

DELETE/accounts/{account_id}/cloudforce-one/events/categories/{category_id}

ModelsExpand Collapse

CategoryListResponse = array of { killChain, name, uuid, 3 more }

killChain: number

name: string

uuid: string

mitreAttack: optional array of string

mitreCapec: optional array of string

shortname: optional string

CategoryGetResponse { killChain, name, uuid, 3 more }

killChain: number

name: string

uuid: string

mitreAttack: optional array of string

mitreCapec: optional array of string

shortname: optional string

CategoryCreateResponse { killChain, name, uuid, 3 more }

killChain: number

name: string

uuid: string

mitreAttack: optional array of string

mitreCapec: optional array of string

shortname: optional string

CategoryEditResponse { killChain, name, uuid, 3 more }

killChain: number

name: string

uuid: string

mitreAttack: optional array of string

mitreCapec: optional array of string

shortname: optional string

CategoryDeleteResponse { uuid }

uuid: string

Cloudforce OneThreat EventsCountries

Retrieves countries information for all countries

GET/accounts/{account_id}/cloudforce-one/events/countries

ModelsExpand Collapse

CountryListResponse = array of { result, success }

result: array of { alpha3, name }

alpha3: string

name: string

success: string

Cloudforce OneThreat EventsCrons

Cloudforce OneThreat EventsDatasets

Lists all datasets in an account

GET/accounts/{account_id}/cloudforce-one/events/dataset

Reads a dataset

GET/accounts/{account_id}/cloudforce-one/events/dataset/{dataset_id}

Creates a dataset

POST/accounts/{account_id}/cloudforce-one/events/dataset/create

Updates an existing dataset

PATCH/accounts/{account_id}/cloudforce-one/events/dataset/{dataset_id}

Reads raw data for an event by UUID

GET/accounts/{account_id}/cloudforce-one/events/raw/{dataset_id}/{event_id}

ModelsExpand Collapse

DatasetListResponse = array of { isPublic, name, uuid }

isPublic: boolean

name: string

uuid: string

DatasetGetResponse { isPublic, name, uuid }

isPublic: boolean

name: string

uuid: string

DatasetCreateResponse { isPublic, name, uuid }

isPublic: boolean

name: string

uuid: string

DatasetEditResponse { isPublic, name, uuid }

isPublic: boolean

name: string

uuid: string

DatasetRawResponse { id, accountId, created, 3 more }

id: number

accountId: number

created: string

data: string

source: string

tlp: string

Cloudforce OneThreat EventsDatasetsHealth

Cloudforce OneThreat EventsIndicator Types

Lists all indicator types

Deprecated

GET/accounts/{account_id}/cloudforce-one/events/indicatorTypes

ModelsExpand Collapse

IndicatorTypeListResponse { items, type }

items: { type }

type: string

type: string

Cloudforce OneThreat EventsRaw

Reads data for a raw event

GET/accounts/{account_id}/cloudforce-one/events/{event_id}/raw/{raw_id}

Updates a raw event

PATCH/accounts/{account_id}/cloudforce-one/events/{event_id}/raw/{raw_id}

ModelsExpand Collapse

RawGetResponse { id, accountId, created, 3 more }

id: string

accountId: number

created: string

data: unknown

source: string

tlp: string

RawEditResponse { id, data }

id: string

data: unknown

Cloudforce OneThreat EventsRelate

Removes an event reference

DELETE/accounts/{account_id}/cloudforce-one/events/relate/{event_id}

ModelsExpand Collapse

RelateDeleteResponse { success }

success: boolean

Cloudforce OneThreat EventsTags

Creates a new tag

POST/accounts/{account_id}/cloudforce-one/events/tags/create

ModelsExpand Collapse

TagCreateResponse { uuid, value, activeDuration, 15 more }

uuid: string

value: string

activeDuration: optional string

actorCategory: optional string

aliasGroupNames: optional array of string

aliasGroupNamesInternal: optional array of string

analyticPriority: optional number

attributionConfidence: optional string

attributionOrganization: optional string

categoryName: optional string

categoryUuid: optional string

externalReferenceLinks: optional array of string

internalDescription: optional string

motive: optional string

opsecLevel: optional string

originCountryISO: optional string

priority: optional number

sophisticationLevel: optional string

Cloudforce OneThreat EventsEvent Tags

Adds a tag to an event

POST/accounts/{account_id}/cloudforce-one/events/event_tag/{event_id}/create

Removes a tag from an event

DELETE/accounts/{account_id}/cloudforce-one/events/event_tag/{event_id}

ModelsExpand Collapse

EventTagCreateResponse { success }

success: boolean

EventTagDeleteResponse { success }

success: boolean

Cloudforce OneThreat EventsTarget Industries

Lists target industries across multiple datasets

GET/accounts/{account_id}/cloudforce-one/events/targetIndustries

ModelsExpand Collapse

TargetIndustryListResponse { items, type }

items: { type }

type: string

type: string

Cloudforce OneThreat EventsInsights