
Threat Events

Filter and list events
GET /accounts/{account_id}/cloudforce-one/events
Reads an event (deprecated)
GET /accounts/{account_id}/cloudforce-one/events/{event_id}
Creates a new event
POST /accounts/{account_id}/cloudforce-one/events/create
Updates an event
PATCH /accounts/{account_id}/cloudforce-one/events/{event_id}
Creates bulk events
POST /accounts/{account_id}/cloudforce-one/events/create/bulk
Models
ThreatEventListResponse = array of object { attacker, attackerCountry, category, 24 more }
attacker: string
attackerCountry: string
category: string
datasetId: string
date: string
event: string
hasChildren: boolean
indicator: string
indicatorType: string
indicatorTypeId: number
killChain: number
mitreAttack: array of string
mitreCapec: array of string
numReferenced: number
numReferences: number
rawId: string
referenced: array of string
referencedIds: array of number
references: array of string
referencesIds: array of number
tags: array of string
targetCountry: string
targetIndustry: string
tlp: string
uuid: string
insight: optional string
releasabilityId: optional string
ThreatEventGetResponse = object { attacker, attackerCountry, category, 24 more }
attacker: string
attackerCountry: string
category: string
datasetId: string
date: string
event: string
hasChildren: boolean
indicator: string
indicatorType: string
indicatorTypeId: number
killChain: number
mitreAttack: array of string
mitreCapec: array of string
numReferenced: number
numReferences: number
rawId: string
referenced: array of string
referencedIds: array of number
references: array of string
referencesIds: array of number
tags: array of string
targetCountry: string
targetIndustry: string
tlp: string
uuid: string
insight: optional string
releasabilityId: optional string
ThreatEventCreateResponse = object { attacker, attackerCountry, category, 24 more }
attacker: string
attackerCountry: string
category: string
datasetId: string
date: string
event: string
hasChildren: boolean
indicator: string
indicatorType: string
indicatorTypeId: number
killChain: number
mitreAttack: array of string
mitreCapec: array of string
numReferenced: number
numReferences: number
rawId: string
referenced: array of string
referencedIds: array of number
references: array of string
referencesIds: array of number
tags: array of string
targetCountry: string
targetIndustry: string
tlp: string
uuid: string
insight: optional string
releasabilityId: optional string
ThreatEventEditResponse = object { attacker, attackerCountry, category, 24 more }
attacker: string
attackerCountry: string
category: string
datasetId: string
date: string
event: string
hasChildren: boolean
indicator: string
indicatorType: string
indicatorTypeId: number
killChain: number
mitreAttack: array of string
mitreCapec: array of string
numReferenced: number
numReferences: number
rawId: string
referenced: array of string
referencedIds: array of number
references: array of string
referencesIds: array of number
tags: array of string
targetCountry: string
targetIndustry: string
tlp: string
uuid: string
insight: optional string
releasabilityId: optional string
ThreatEventBulkCreateResponse = object { createdEventsCount, createdTagsCount, errorCount, 4 more }

Detailed result of bulk event creation with auto-tag management

createdEventsCount: number

Number of events created

createdTagsCount: number

Number of new tags created in SoT

errorCount: number

Number of errors encountered

queuedIndicatorsCount: number

Number of indicators queued for async processing

createBulkEventsRequestId: optional string

Correlation ID for async indicator processing

format: uuid

createdEvents: optional array of object { eventIndex, shardId, uuid }

Array of created events with UUIDs and shard locations. Only present when includeCreatedEvents=true

  eventIndex: number

  Original index in the input data array

  shardId: string

  Dataset ID of the shard where the event was created

  uuid: string

  UUID of the created event

  format: uuid

errors: optional array of object { error, eventIndex }

Array of error details

  error: string

  Error message

  eventIndex: number

  Index of the event that caused the error

Threat Events: Attackers

Lists attackers across multiple datasets
GET /accounts/{account_id}/cloudforce-one/events/attackers
Models
AttackerListResponse = object { items, type }
items: object { type }
  type: string
type: string

Threat Events: Categories

Lists categories across multiple datasets
GET /accounts/{account_id}/cloudforce-one/events/categories
Reads a category
GET /accounts/{account_id}/cloudforce-one/events/categories/{category_id}
Creates a new category
POST /accounts/{account_id}/cloudforce-one/events/categories/create
Updates a category
PATCH /accounts/{account_id}/cloudforce-one/events/categories/{category_id}
Deletes a category
DELETE /accounts/{account_id}/cloudforce-one/events/categories/{category_id}
Models
CategoryListResponse = array of object { killChain, name, uuid, 3 more }
killChain: number
name: string
uuid: string
mitreAttack: optional array of string
mitreCapec: optional array of string
shortname: optional string
CategoryGetResponse = object { killChain, name, uuid, 3 more }
killChain: number
name: string
uuid: string
mitreAttack: optional array of string
mitreCapec: optional array of string
shortname: optional string
CategoryCreateResponse = object { killChain, name, uuid, 3 more }
killChain: number
name: string
uuid: string
mitreAttack: optional array of string
mitreCapec: optional array of string
shortname: optional string
CategoryEditResponse = object { killChain, name, uuid, 3 more }
killChain: number
name: string
uuid: string
mitreAttack: optional array of string
mitreCapec: optional array of string
shortname: optional string
CategoryDeleteResponse = object { uuid }
uuid: string

Threat Events: Countries

Retrieves countries information for all countries
GET /accounts/{account_id}/cloudforce-one/events/countries
Models
CountryListResponse = array of object { result, success }
result: array of object { alpha3, name }
  alpha3: string
  name: string
success: string

Threat Events: Crons

Threat Events: Datasets

Lists all datasets in an account
GET /accounts/{account_id}/cloudforce-one/events/dataset
Reads a dataset
GET /accounts/{account_id}/cloudforce-one/events/dataset/{dataset_id}
Creates a dataset
POST /accounts/{account_id}/cloudforce-one/events/dataset/create
Updates an existing dataset
PATCH /accounts/{account_id}/cloudforce-one/events/dataset/{dataset_id}
Reads raw data for an event by UUID
GET /accounts/{account_id}/cloudforce-one/events/raw/{dataset_id}/{event_id}
Models
DatasetListResponse = array of object { isPublic, name, uuid }
isPublic: boolean
name: string
uuid: string
DatasetGetResponse = object { isPublic, name, uuid }
isPublic: boolean
name: string
uuid: string
DatasetCreateResponse = object { isPublic, name, uuid }
isPublic: boolean
name: string
uuid: string
DatasetEditResponse = object { isPublic, name, uuid }
isPublic: boolean
name: string
uuid: string
DatasetRawResponse = object { id, accountId, created, 3 more }
id: number
accountId: number
created: string
data: string
source: string
tlp: string

Threat Events: Datasets: Health

Threat Events: Indicator Types

Lists all indicator types (deprecated)
GET /accounts/{account_id}/cloudforce-one/events/indicatorTypes
Models
IndicatorTypeListResponse = object { items, type }
items: object { type }
  type: string
type: string

Threat Events: Raw

Reads data for a raw event
GET /accounts/{account_id}/cloudforce-one/events/{event_id}/raw/{raw_id}
Updates a raw event
PATCH /accounts/{account_id}/cloudforce-one/events/{event_id}/raw/{raw_id}
Models
RawGetResponse = object { id, accountId, created, 3 more }
id: string
accountId: number
created: string
data: unknown
source: string
tlp: string
RawEditResponse = object { id, data }
id: string
data: unknown

Threat Events: Relate

Removes an event reference
DELETE /accounts/{account_id}/cloudforce-one/events/relate/{event_id}
Models
RelateDeleteResponse = object { success }
success: boolean

Threat Events: Tags

Creates a new tag
POST /accounts/{account_id}/cloudforce-one/events/tags/create
Models
TagCreateResponse = object { uuid, value, activeDuration, 15 more }
uuid: string
value: string
activeDuration: optional string
actorCategory: optional string
aliasGroupNames: optional array of string
aliasGroupNamesInternal: optional array of string
analyticPriority: optional number
attributionConfidence: optional string
attributionOrganization: optional string
categoryName: optional string
categoryUuid: optional string
internalDescription: optional string
motive: optional string
opsecLevel: optional string
originCountryISO: optional string
priority: optional number
sophisticationLevel: optional string

Threat Events: Event Tags

Adds a tag to an event
POST /accounts/{account_id}/cloudforce-one/events/event_tag/{event_id}/create
Removes a tag from an event
DELETE /accounts/{account_id}/cloudforce-one/events/event_tag/{event_id}
Models
EventTagCreateResponse = object { success }
success: boolean
EventTagDeleteResponse = object { success }
success: boolean

Threat Events: Target Industries

Lists target industries across multiple datasets
GET /accounts/{account_id}/cloudforce-one/events/targetIndustries
Models
TargetIndustryListResponse = object { items, type }
items: object { type }
  type: string
type: string

Threat Events: Insights