Posture
PostureFindings
List posture findings
Get a finding type
Create new findings export request
Mark a finding as ignored
Remove ignore marker from a finding
Update the severity for a finding
Reset severity for a finding back to the default
ModelsExpand Collapse
FindingListResponse object { id, active_count, archived_count, 6 more } Aggregated finding information with counts and metadata. This is optimized for list API queries and represents a finding along with its instance statistics.
Aggregated finding information with counts and metadata. This is optimized for list API queries and represents a finding along with its instance statistics.
finding: object { id, category, name, 4 more } Basic finding type information.
Basic finding type information.
category: object { observation, product, type } Category information for a finding.
Category information for a finding.
Number of total (Active or archived) problematic instances identified in the security finding.
integration: object { created, last_hydrated, name, 12 more } Summary information about an integration.
Summary information about an integration.
vendor: object { id, description, display_name, 5 more } Information about a vendor/service provider.
Information about a vendor/service provider.
zt_enrollments: array of object { id, description, display_name, enabled } Zero Trust products associated with this integration.
Zero Trust products associated with this integration.
credential_health_status: optional "Initializing" or "Healthy" or "Unhealthy"Health status of integration credentials.
Health status of integration credentials.
FindingGetResponse object { id, active_count, archived_count, 6 more } Aggregated finding information with counts and metadata. This is optimized for list API queries and represents a finding along with its instance statistics.
Aggregated finding information with counts and metadata. This is optimized for list API queries and represents a finding along with its instance statistics.
finding: object { id, category, name, 4 more } Basic finding type information.
Basic finding type information.
category: object { observation, product, type } Category information for a finding.
Category information for a finding.
Number of total (Active or archived) problematic instances identified in the security finding.
integration: object { created, last_hydrated, name, 12 more } Summary information about an integration.
Summary information about an integration.
vendor: object { id, description, display_name, 5 more } Information about a vendor/service provider.
Information about a vendor/service provider.
zt_enrollments: array of object { id, description, display_name, enabled } Zero Trust products associated with this integration.
Zero Trust products associated with this integration.
credential_health_status: optional "Initializing" or "Healthy" or "Unhealthy"Health status of integration credentials.
Health status of integration credentials.
FindingExportResponse object { id, status, type, 5 more } Information about an export job.
Information about an export job.
The URL by which the successfully created export can be downloaded by the end users.
Contains information on errors which may have occurred during export creation.
FindingIgnoreResponse object { id, active_count, archived_count, 6 more } Aggregated finding information with counts and metadata. This is optimized for list API queries and represents a finding along with its instance statistics.
Aggregated finding information with counts and metadata. This is optimized for list API queries and represents a finding along with its instance statistics.
finding: object { id, category, name, 4 more } Basic finding type information.
Basic finding type information.
category: object { observation, product, type } Category information for a finding.
Category information for a finding.
Number of total (Active or archived) problematic instances identified in the security finding.
integration: object { created, last_hydrated, name, 12 more } Summary information about an integration.
Summary information about an integration.
vendor: object { id, description, display_name, 5 more } Information about a vendor/service provider.
Information about a vendor/service provider.
zt_enrollments: array of object { id, description, display_name, enabled } Zero Trust products associated with this integration.
Zero Trust products associated with this integration.
credential_health_status: optional "Initializing" or "Healthy" or "Unhealthy"Health status of integration credentials.
Health status of integration credentials.
FindingUnignoreResponse object { id, active_count, archived_count, 6 more } Aggregated finding information with counts and metadata. This is optimized for list API queries and represents a finding along with its instance statistics.
Aggregated finding information with counts and metadata. This is optimized for list API queries and represents a finding along with its instance statistics.
finding: object { id, category, name, 4 more } Basic finding type information.
Basic finding type information.
category: object { observation, product, type } Category information for a finding.
Category information for a finding.
Number of total (Active or archived) problematic instances identified in the security finding.
integration: object { created, last_hydrated, name, 12 more } Summary information about an integration.
Summary information about an integration.
vendor: object { id, description, display_name, 5 more } Information about a vendor/service provider.
Information about a vendor/service provider.
zt_enrollments: array of object { id, description, display_name, enabled } Zero Trust products associated with this integration.
Zero Trust products associated with this integration.
credential_health_status: optional "Initializing" or "Healthy" or "Unhealthy"Health status of integration credentials.
Health status of integration credentials.
FindingTuneSeverityResponse object { id, active_count, archived_count, 6 more } Aggregated finding information with counts and metadata. This is optimized for list API queries and represents a finding along with its instance statistics.
Aggregated finding information with counts and metadata. This is optimized for list API queries and represents a finding along with its instance statistics.
finding: object { id, category, name, 4 more } Basic finding type information.
Basic finding type information.
category: object { observation, product, type } Category information for a finding.
Category information for a finding.
Number of total (Active or archived) problematic instances identified in the security finding.
integration: object { created, last_hydrated, name, 12 more } Summary information about an integration.
Summary information about an integration.
vendor: object { id, description, display_name, 5 more } Information about a vendor/service provider.
Information about a vendor/service provider.
zt_enrollments: array of object { id, description, display_name, enabled } Zero Trust products associated with this integration.
Zero Trust products associated with this integration.
credential_health_status: optional "Initializing" or "Healthy" or "Unhealthy"Health status of integration credentials.
Health status of integration credentials.
FindingResetSeverityResponse object { id, active_count, archived_count, 6 more } Aggregated finding information with counts and metadata. This is optimized for list API queries and represents a finding along with its instance statistics.
Aggregated finding information with counts and metadata. This is optimized for list API queries and represents a finding along with its instance statistics.
finding: object { id, category, name, 4 more } Basic finding type information.
Basic finding type information.
category: object { observation, product, type } Category information for a finding.
Category information for a finding.
Number of total (Active or archived) problematic instances identified in the security finding.
integration: object { created, last_hydrated, name, 12 more } Summary information about an integration.
Summary information about an integration.
vendor: object { id, description, display_name, 5 more } Information about a vendor/service provider.
Information about a vendor/service provider.
zt_enrollments: array of object { id, description, display_name, enabled } Zero Trust products associated with this integration.
Zero Trust products associated with this integration.
credential_health_status: optional "Initializing" or "Healthy" or "Unhealthy"Health status of integration credentials.
Health status of integration credentials.
PostureFindingsInstances
List instances of a finding
Get a finding instance using an instance ID
Create a finding instances export
Archive a finding
Remove the archive marking from a finding instance
ModelsExpand Collapse
InstanceListResponse object { affliction_date, asset, dlp_contexts, 4 more } A specific instance of a security finding. In the API interface, we refer to the ‘finding’ table in our DB as finding instances, optimized for the p99 use case.
A specific instance of a security finding. In the API interface, we refer to the ‘finding’ table in our DB as finding instances, optimized for the p99 use case.
asset: object { category, external_id, fields, 3 more } Asset information including metadata and categorization.
Asset information including metadata and categorization.
dlp_contexts: array of object { created, entry_ids, profile_id, 6 more } DLP context information if this is a content finding.
DLP context information if this is a content finding.
remediations: array of object { id, created_at, stale, status } A list of the 10 most recent remediation jobs for this finding instance, ordered by creation time (most recent first). The ‘stale’ field indicates whether the remediation job was created before the finding instance’s affliction_date (true) or after it (false). If there has never been a remediation job for this finding instance, this field will be an empty array.
A list of the 10 most recent remediation jobs for this finding instance, ordered by creation time (most recent first). The ‘stale’ field indicates whether the remediation job was created before the finding instance’s affliction_date (true) or after it (false). If there has never been a remediation job for this finding instance, this field will be an empty array.
webhooks: array of object { latest_job, webhook_id, webhook_label } The most recent webhook job invocation for each webhook configuration associated with this finding instance. Each entry represents the latest job (any status) per webhook config. The ‘stale’ field indicates whether the job was invoked before the finding instance’s current affliction_date. If no webhook jobs have been created, this field will be an empty array.
The most recent webhook job invocation for each webhook configuration associated with this finding instance. Each entry represents the latest job (any status) per webhook config. The ‘stale’ field indicates whether the job was invoked before the finding instance’s current affliction_date. If no webhook jobs have been created, this field will be an empty array.
InstanceGetResponse object { affliction_date, asset, dlp_contexts, 4 more } A specific instance of a security finding. In the API interface, we refer to the ‘finding’ table in our DB as finding instances, optimized for the p99 use case.
A specific instance of a security finding. In the API interface, we refer to the ‘finding’ table in our DB as finding instances, optimized for the p99 use case.
asset: object { category, external_id, fields, 3 more } Asset information including metadata and categorization.
Asset information including metadata and categorization.
dlp_contexts: array of object { created, entry_ids, profile_id, 6 more } DLP context information if this is a content finding.
DLP context information if this is a content finding.
remediations: array of object { id, created_at, stale, status } A list of the 10 most recent remediation jobs for this finding instance, ordered by creation time (most recent first). The ‘stale’ field indicates whether the remediation job was created before the finding instance’s affliction_date (true) or after it (false). If there has never been a remediation job for this finding instance, this field will be an empty array.
A list of the 10 most recent remediation jobs for this finding instance, ordered by creation time (most recent first). The ‘stale’ field indicates whether the remediation job was created before the finding instance’s affliction_date (true) or after it (false). If there has never been a remediation job for this finding instance, this field will be an empty array.
webhooks: array of object { latest_job, webhook_id, webhook_label } The most recent webhook job invocation for each webhook configuration associated with this finding instance. Each entry represents the latest job (any status) per webhook config. The ‘stale’ field indicates whether the job was invoked before the finding instance’s current affliction_date. If no webhook jobs have been created, this field will be an empty array.
The most recent webhook job invocation for each webhook configuration associated with this finding instance. Each entry represents the latest job (any status) per webhook config. The ‘stale’ field indicates whether the job was invoked before the finding instance’s current affliction_date. If no webhook jobs have been created, this field will be an empty array.
InstanceExportResponse object { id, status, type, 5 more } Information about an export job.
Information about an export job.
The URL by which the successfully created export can be downloaded by the end users.
Contains information on errors which may have occurred during export creation.
InstanceArchiveResponse object { affliction_date, asset, dlp_contexts, 4 more } A specific instance of a security finding. In the API interface, we refer to the ‘finding’ table in our DB as finding instances, optimized for the p99 use case.
A specific instance of a security finding. In the API interface, we refer to the ‘finding’ table in our DB as finding instances, optimized for the p99 use case.
asset: object { category, external_id, fields, 3 more } Asset information including metadata and categorization.
Asset information including metadata and categorization.
dlp_contexts: array of object { created, entry_ids, profile_id, 6 more } DLP context information if this is a content finding.
DLP context information if this is a content finding.
remediations: array of object { id, created_at, stale, status } A list of the 10 most recent remediation jobs for this finding instance, ordered by creation time (most recent first). The ‘stale’ field indicates whether the remediation job was created before the finding instance’s affliction_date (true) or after it (false). If there has never been a remediation job for this finding instance, this field will be an empty array.
A list of the 10 most recent remediation jobs for this finding instance, ordered by creation time (most recent first). The ‘stale’ field indicates whether the remediation job was created before the finding instance’s affliction_date (true) or after it (false). If there has never been a remediation job for this finding instance, this field will be an empty array.
webhooks: array of object { latest_job, webhook_id, webhook_label } The most recent webhook job invocation for each webhook configuration associated with this finding instance. Each entry represents the latest job (any status) per webhook config. The ‘stale’ field indicates whether the job was invoked before the finding instance’s current affliction_date. If no webhook jobs have been created, this field will be an empty array.
The most recent webhook job invocation for each webhook configuration associated with this finding instance. Each entry represents the latest job (any status) per webhook config. The ‘stale’ field indicates whether the job was invoked before the finding instance’s current affliction_date. If no webhook jobs have been created, this field will be an empty array.
InstanceUnarchiveResponse object { affliction_date, asset, dlp_contexts, 4 more } A specific instance of a security finding. In the API interface, we refer to the ‘finding’ table in our DB as finding instances, optimized for the p99 use case.
A specific instance of a security finding. In the API interface, we refer to the ‘finding’ table in our DB as finding instances, optimized for the p99 use case.
asset: object { category, external_id, fields, 3 more } Asset information including metadata and categorization.
Asset information including metadata and categorization.
dlp_contexts: array of object { created, entry_ids, profile_id, 6 more } DLP context information if this is a content finding.
DLP context information if this is a content finding.
remediations: array of object { id, created_at, stale, status } A list of the 10 most recent remediation jobs for this finding instance, ordered by creation time (most recent first). The ‘stale’ field indicates whether the remediation job was created before the finding instance’s affliction_date (true) or after it (false). If there has never been a remediation job for this finding instance, this field will be an empty array.
A list of the 10 most recent remediation jobs for this finding instance, ordered by creation time (most recent first). The ‘stale’ field indicates whether the remediation job was created before the finding instance’s affliction_date (true) or after it (false). If there has never been a remediation job for this finding instance, this field will be an empty array.
webhooks: array of object { latest_job, webhook_id, webhook_label } The most recent webhook job invocation for each webhook configuration associated with this finding instance. Each entry represents the latest job (any status) per webhook config. The ‘stale’ field indicates whether the job was invoked before the finding instance’s current affliction_date. If no webhook jobs have been created, this field will be an empty array.
The most recent webhook job invocation for each webhook configuration associated with this finding instance. Each entry represents the latest job (any status) per webhook config. The ‘stale’ field indicates whether the job was invoked before the finding instance’s current affliction_date. If no webhook jobs have been created, this field will be an empty array.
PostureExports
List all export jobs
Get a single export job
ModelsExpand Collapse
ExportListResponse object { id, status, type, 5 more } Information about an export job.
Information about an export job.
The URL by which the successfully created export can be downloaded by the end users.
Contains information on errors which may have occurred during export creation.
ExportGetResponse object { id, status, type, 5 more } Information about an export job.
Information about an export job.
The URL by which the successfully created export can be downloaded by the end users.
Contains information on errors which may have occurred during export creation.
PostureFinding Types
List all finding types
Get finding by ID
ModelsExpand Collapse
FindingTypeListResponse object { id, category, name, 2 more } Basic finding type information.
Basic finding type information.
FindingTypeGetResponse object { id, category, name, 2 more } Basic finding type information.
Basic finding type information.
PostureFinding TypesRemediation Types
List remediation types for a finding type
PostureContent
List DLP content findings
Create a content export
ModelsExpand Collapse
ContentListResponse object { asset_id, asset_name, dlp_contexts, 4 more } Content asset with DLP information.
Content asset with DLP information.
dlp_contexts: array of object { created, entry_ids, profile_id, 6 more } DLP context information for this asset.
DLP context information for this asset.
integration: object { created, last_hydrated, name, 12 more } Summary information about an integration.
Summary information about an integration.
vendor: object { id, description, display_name, 5 more } Information about a vendor/service provider.
Information about a vendor/service provider.
zt_enrollments: array of object { id, description, display_name, enabled } Zero Trust products associated with this integration.
Zero Trust products associated with this integration.
credential_health_status: optional "Initializing" or "Healthy" or "Unhealthy"Health status of integration credentials.
Health status of integration credentials.
ContentExportResponse object { id, status, type, 5 more } Information about an export job.
Information about an export job.
The URL by which the successfully created export can be downloaded by the end users.
Contains information on errors which may have occurred during export creation.
PostureRemediations
PostureRemediationsJobs
List remediation jobs
Creates remediation jobs
Create a remediation jobs export
ModelsExpand Collapse
JobListResponse object { id, asset, created_at, 11 more } Information about a remediation job.
Information about a remediation job.
asset: object { id, category, external_id, 3 more } Asset information for a remediation job.
Asset information for a remediation job.
Email of the user who triggered the remediation. For account-token actors this is the literal “Account API Token”; for policy actors this is empty.
JobCreateResponse object { created, failed }
created: array of object { id, asset, created_at, 11 more } Successfully created remediation jobs.
Successfully created remediation jobs.
asset: object { id, category, external_id, 3 more } Asset information for a remediation job.
Asset information for a remediation job.
Email of the user who triggered the remediation. For account-token actors this is the literal “Account API Token”; for policy actors this is empty.
JobExportResponse object { id, status, type, 5 more } Information about an export job.
Information about an export job.
The URL by which the successfully created export can be downloaded by the end users.
Contains information on errors which may have occurred during export creation.
PostureWebhooks
List webhook configurations
Create a new webhook configuration
Get webhook configuration by ID
Update an existing webhook configuration
Delete a webhook configuration
Test a webhook configuration before creating it
Test an existing webhook configuration
ModelsExpand Collapse
WebhookListResponse object { id, authentication_type, created_at, 6 more } Webhook configuration for sending finding notifications.
Webhook configuration for sending finding notifications.
authentication_type: "Basic Auth" or "None" or "Bearer Auth" or 2 moreType of authentication used for the webhook.
Type of authentication used for the webhook.
Target URL for the webhook configuration. Where resulting data will be sent.
WebhookCreateResponse object { id, authentication_type, created_at, 6 more } Webhook configuration for sending finding notifications.
Webhook configuration for sending finding notifications.
authentication_type: "Basic Auth" or "None" or "Bearer Auth" or 2 moreType of authentication used for the webhook.
Type of authentication used for the webhook.
Target URL for the webhook configuration. Where resulting data will be sent.
WebhookGetResponse object { id, authentication_type, created_at, 6 more } Webhook configuration for sending finding notifications.
Webhook configuration for sending finding notifications.
authentication_type: "Basic Auth" or "None" or "Bearer Auth" or 2 moreType of authentication used for the webhook.
Type of authentication used for the webhook.
Target URL for the webhook configuration. Where resulting data will be sent.
WebhookUpdateResponse object { id, authentication_type, created_at, 6 more } Webhook configuration for sending finding notifications.
Webhook configuration for sending finding notifications.
authentication_type: "Basic Auth" or "None" or "Bearer Auth" or 2 moreType of authentication used for the webhook.
Type of authentication used for the webhook.
Target URL for the webhook configuration. Where resulting data will be sent.
PostureWebhooksJobs
Create webhook jobs
ModelsExpand Collapse
JobCreateResponse object { created, failed }
created: array of object { id, asset_data, created_at, 9 more } Successfully created webhook jobs.
Successfully created webhook jobs.