Skip to content
Start here

Posture

PostureFindings

List posture findings
GET/accounts/{account_id}/data-security/posture/findings
Get a finding type
GET/accounts/{account_id}/data-security/posture/findings/{finding_id}
Create new findings export request
POST/accounts/{account_id}/data-security/posture/findings/export
Mark a finding as ignored
POST/accounts/{account_id}/data-security/posture/findings/ignore
Remove ignore marker from a finding
POST/accounts/{account_id}/data-security/posture/findings/unignore
Update the severity for a finding
POST/accounts/{account_id}/data-security/posture/findings/{finding_id}/tune_finding_severity
Reset severity for a finding back to the default
POST/accounts/{account_id}/data-security/posture/findings/{finding_id}/reset_finding_severity
ModelsExpand Collapse
FindingListResponse object { id, active_count, archived_count, 6 more }

Aggregated finding information with counts and metadata. This is optimized for list API queries and represents a finding along with its instance statistics.

id: string

Base64 encoded identifier of the security finding.

formatbyte
active_count: number

Number of active problematic instances identified in the security finding.

archived_count: number

Number of archived instances identified in the security finding.

finding: object { id, category, name, 4 more }

Basic finding type information.

id: string

The unique identifier of the finding.

formatuuid
category: object { observation, product, type }

Category information for a finding.

observation: "Issue" or "Insight" or "Activity"

The type of the observation.

One of the following:
"Issue"
"Insight"
"Activity"
product: "SaaS" or "Cloud"

The product category.

One of the following:
"SaaS"
"Cloud"
type: "Content" or "Posture"

The type of the finding category.

One of the following:
"Content"
"Posture"
name: string

The name of the finding.

severity: "Critical" or "High" or "Medium" or "Low"

The severity level of a finding.

One of the following:
"Critical"
"High"
"Medium"
"Low"
vendor: string

The SaaS/Cloud vendor of the platform with which the finding is associated.

description: optional string

Detailed description of the finding.

remediation: optional object { id, frameworks, guide, 3 more }

Remediation guide information for a finding.

id: string

Remediation Id.

formatuuid
frameworks: array of string

Relevant Compliance Frameworks.

guide: string

Remediation guide text.

impact: string

Description of the potential impact.

locale: string

I18N Locale.

threat: string

Description of the threat.

ignored: boolean

Determines if finding is currently ignored.

instance_count: number

Number of total (Active or archived) problematic instances identified in the security finding.

integration: object { created, last_hydrated, name, 12 more }

Summary information about an integration.

created: string

When entity was created.

formatdate-time
last_hydrated: string

When were the integration credentials last updated.

formatdate-time
name: string

Name of the integration.

maxLength256
permissions: array of string

The vendor-specific permissions associated with the integration.

policy: object { id, client_id, compliance_level, 4 more }

Policy configuration for an integration.

id: optional string

Policy identifier.

formatuuid
client_id: optional string

OAuth client ID for the policy.

compliance_level: optional string

Compliance level for the policy.

dlp_enabled: optional boolean

Whether DLP is enabled for this policy.

name: optional string

Policy name.

permissions: optional array of string

List of permissions included in the policy.

status: string

Current status of the integration.

updated: string

Last entity was updated.

formatdate-time
upgradable: boolean

Whether the integrations permissions can be updated.

vendor: object { id, description, display_name, 5 more }

Information about a vendor/service provider.

id: string

The id of the vendor.

description: string

Detailed information about what kinds of issues are detected for this vendor.

display_name: string

The display name of the vendor.

name: string

The name of the vendor.

zt_enrollments: array of string

The vendor’s compatible Zero Trust products.

policies: optional array of map[unknown]

The policies related to the vendor.

zt_enrollments: array of object { id, description, display_name, enabled }

Zero Trust products associated with this integration.

id: optional string

The internal identifier of the Zero Trust Product.

description: optional string

Brief description of the Zero Trust Product.

display_name: optional string

The verbose name of the Zero Trust Product.

enabled: optional boolean

Flag to enable/disable access to the listed integration from the corresponding Cloudflare product.

id: optional string

Integration ID.

formatuuid
credential_health_status: optional "Initializing" or "Healthy" or "Unhealthy"

Health status of integration credentials.

One of the following:
"Initializing"
"Healthy"
"Unhealthy"
credentials_expiry: optional string

The date and time when the integration credentials will expire.

formatdate-time
is_paused: optional boolean

Whether the given integration is paused by the user.

upgrade_dismissed: optional boolean

UI State as to whether a potential permissions upgrade has been dismissed.

latest_affliction_date: string

Timestamp of the latest affliction date of an active finding.

formatdate-time
severity_override: optional object { created_by, severity }

Override information for finding severity.

created_by: string

User ID who created the override.

severity: "Critical" or "High" or "Medium" or "Low"

The severity level of a finding.

One of the following:
"Critical"
"High"
"Medium"
"Low"
FindingGetResponse object { id, active_count, archived_count, 6 more }

Aggregated finding information with counts and metadata. This is optimized for list API queries and represents a finding along with its instance statistics.

id: string

Base64 encoded identifier of the security finding.

formatbyte
active_count: number

Number of active problematic instances identified in the security finding.

archived_count: number

Number of archived instances identified in the security finding.

finding: object { id, category, name, 4 more }

Basic finding type information.

id: string

The unique identifier of the finding.

formatuuid
category: object { observation, product, type }

Category information for a finding.

observation: "Issue" or "Insight" or "Activity"

The type of the observation.

One of the following:
"Issue"
"Insight"
"Activity"
product: "SaaS" or "Cloud"

The product category.

One of the following:
"SaaS"
"Cloud"
type: "Content" or "Posture"

The type of the finding category.

One of the following:
"Content"
"Posture"
name: string

The name of the finding.

severity: "Critical" or "High" or "Medium" or "Low"

The severity level of a finding.

One of the following:
"Critical"
"High"
"Medium"
"Low"
vendor: string

The SaaS/Cloud vendor of the platform with which the finding is associated.

description: optional string

Detailed description of the finding.

remediation: optional object { id, frameworks, guide, 3 more }

Remediation guide information for a finding.

id: string

Remediation Id.

formatuuid
frameworks: array of string

Relevant Compliance Frameworks.

guide: string

Remediation guide text.

impact: string

Description of the potential impact.

locale: string

I18N Locale.

threat: string

Description of the threat.

ignored: boolean

Determines if finding is currently ignored.

instance_count: number

Number of total (Active or archived) problematic instances identified in the security finding.

integration: object { created, last_hydrated, name, 12 more }

Summary information about an integration.

created: string

When entity was created.

formatdate-time
last_hydrated: string

When were the integration credentials last updated.

formatdate-time
name: string

Name of the integration.

maxLength256
permissions: array of string

The vendor-specific permissions associated with the integration.

policy: object { id, client_id, compliance_level, 4 more }

Policy configuration for an integration.

id: optional string

Policy identifier.

formatuuid
client_id: optional string

OAuth client ID for the policy.

compliance_level: optional string

Compliance level for the policy.

dlp_enabled: optional boolean

Whether DLP is enabled for this policy.

name: optional string

Policy name.

permissions: optional array of string

List of permissions included in the policy.

status: string

Current status of the integration.

updated: string

Last entity was updated.

formatdate-time
upgradable: boolean

Whether the integrations permissions can be updated.

vendor: object { id, description, display_name, 5 more }

Information about a vendor/service provider.

id: string

The id of the vendor.

description: string

Detailed information about what kinds of issues are detected for this vendor.

display_name: string

The display name of the vendor.

name: string

The name of the vendor.

zt_enrollments: array of string

The vendor’s compatible Zero Trust products.

policies: optional array of map[unknown]

The policies related to the vendor.

zt_enrollments: array of object { id, description, display_name, enabled }

Zero Trust products associated with this integration.

id: optional string

The internal identifier of the Zero Trust Product.

description: optional string

Brief description of the Zero Trust Product.

display_name: optional string

The verbose name of the Zero Trust Product.

enabled: optional boolean

Flag to enable/disable access to the listed integration from the corresponding Cloudflare product.

id: optional string

Integration ID.

formatuuid
credential_health_status: optional "Initializing" or "Healthy" or "Unhealthy"

Health status of integration credentials.

One of the following:
"Initializing"
"Healthy"
"Unhealthy"
credentials_expiry: optional string

The date and time when the integration credentials will expire.

formatdate-time
is_paused: optional boolean

Whether the given integration is paused by the user.

upgrade_dismissed: optional boolean

UI State as to whether a potential permissions upgrade has been dismissed.

latest_affliction_date: string

Timestamp of the latest affliction date of an active finding.

formatdate-time
severity_override: optional object { created_by, severity }

Override information for finding severity.

created_by: string

User ID who created the override.

severity: "Critical" or "High" or "Medium" or "Low"

The severity level of a finding.

One of the following:
"Critical"
"High"
"Medium"
"Low"
FindingExportResponse object { id, status, type, 5 more }

Information about an export job.

id: string

Unique identifier for the export job.

formatuuid
status: "Pending" or "Success" or "Failure" or 2 more

Status of an export job.

One of the following:
"Pending"
"Success"
"Failure"
"Rescheduled"
"In-Progress"
type: "finding" or "findingInstance" or "content" or "remediationJob"

Type of export job.

One of the following:
"finding"
"findingInstance"
"content"
"remediationJob"
user_id: string

ID of the export-requesting user.

maxLength128
download_url: optional string

The URL by which the successfully created export can be downloaded by the end users.

formaturi
maxLength1024
errors: optional string

Contains information on errors which may have occurred during export creation.

file_name: optional string

The base name of the file that is/was generated by the export job.

maxLength256
file_path: optional string

The full path of the file that is stored within external storage (currently R2).

maxLength512
FindingIgnoreResponse object { id, active_count, archived_count, 6 more }

Aggregated finding information with counts and metadata. This is optimized for list API queries and represents a finding along with its instance statistics.

id: string

Base64 encoded identifier of the security finding.

formatbyte
active_count: number

Number of active problematic instances identified in the security finding.

archived_count: number

Number of archived instances identified in the security finding.

finding: object { id, category, name, 4 more }

Basic finding type information.

id: string

The unique identifier of the finding.

formatuuid
category: object { observation, product, type }

Category information for a finding.

observation: "Issue" or "Insight" or "Activity"

The type of the observation.

One of the following:
"Issue"
"Insight"
"Activity"
product: "SaaS" or "Cloud"

The product category.

One of the following:
"SaaS"
"Cloud"
type: "Content" or "Posture"

The type of the finding category.

One of the following:
"Content"
"Posture"
name: string

The name of the finding.

severity: "Critical" or "High" or "Medium" or "Low"

The severity level of a finding.

One of the following:
"Critical"
"High"
"Medium"
"Low"
vendor: string

The SaaS/Cloud vendor of the platform with which the finding is associated.

description: optional string

Detailed description of the finding.

remediation: optional object { id, frameworks, guide, 3 more }

Remediation guide information for a finding.

id: string

Remediation Id.

formatuuid
frameworks: array of string

Relevant Compliance Frameworks.

guide: string

Remediation guide text.

impact: string

Description of the potential impact.

locale: string

I18N Locale.

threat: string

Description of the threat.

ignored: boolean

Determines if finding is currently ignored.

instance_count: number

Number of total (Active or archived) problematic instances identified in the security finding.

integration: object { created, last_hydrated, name, 12 more }

Summary information about an integration.

created: string

When entity was created.

formatdate-time
last_hydrated: string

When were the integration credentials last updated.

formatdate-time
name: string

Name of the integration.

maxLength256
permissions: array of string

The vendor-specific permissions associated with the integration.

policy: object { id, client_id, compliance_level, 4 more }

Policy configuration for an integration.

id: optional string

Policy identifier.

formatuuid
client_id: optional string

OAuth client ID for the policy.

compliance_level: optional string

Compliance level for the policy.

dlp_enabled: optional boolean

Whether DLP is enabled for this policy.

name: optional string

Policy name.

permissions: optional array of string

List of permissions included in the policy.

status: string

Current status of the integration.

updated: string

Last entity was updated.

formatdate-time
upgradable: boolean

Whether the integrations permissions can be updated.

vendor: object { id, description, display_name, 5 more }

Information about a vendor/service provider.

id: string

The id of the vendor.

description: string

Detailed information about what kinds of issues are detected for this vendor.

display_name: string

The display name of the vendor.

name: string

The name of the vendor.

zt_enrollments: array of string

The vendor’s compatible Zero Trust products.

policies: optional array of map[unknown]

The policies related to the vendor.

zt_enrollments: array of object { id, description, display_name, enabled }

Zero Trust products associated with this integration.

id: optional string

The internal identifier of the Zero Trust Product.

description: optional string

Brief description of the Zero Trust Product.

display_name: optional string

The verbose name of the Zero Trust Product.

enabled: optional boolean

Flag to enable/disable access to the listed integration from the corresponding Cloudflare product.

id: optional string

Integration ID.

formatuuid
credential_health_status: optional "Initializing" or "Healthy" or "Unhealthy"

Health status of integration credentials.

One of the following:
"Initializing"
"Healthy"
"Unhealthy"
credentials_expiry: optional string

The date and time when the integration credentials will expire.

formatdate-time
is_paused: optional boolean

Whether the given integration is paused by the user.

upgrade_dismissed: optional boolean

UI State as to whether a potential permissions upgrade has been dismissed.

latest_affliction_date: string

Timestamp of the latest affliction date of an active finding.

formatdate-time
severity_override: optional object { created_by, severity }

Override information for finding severity.

created_by: string

User ID who created the override.

severity: "Critical" or "High" or "Medium" or "Low"

The severity level of a finding.

One of the following:
"Critical"
"High"
"Medium"
"Low"
FindingUnignoreResponse object { id, active_count, archived_count, 6 more }

Aggregated finding information with counts and metadata. This is optimized for list API queries and represents a finding along with its instance statistics.

id: string

Base64 encoded identifier of the security finding.

formatbyte
active_count: number

Number of active problematic instances identified in the security finding.

archived_count: number

Number of archived instances identified in the security finding.

finding: object { id, category, name, 4 more }

Basic finding type information.

id: string

The unique identifier of the finding.

formatuuid
category: object { observation, product, type }

Category information for a finding.

observation: "Issue" or "Insight" or "Activity"

The type of the observation.

One of the following:
"Issue"
"Insight"
"Activity"
product: "SaaS" or "Cloud"

The product category.

One of the following:
"SaaS"
"Cloud"
type: "Content" or "Posture"

The type of the finding category.

One of the following:
"Content"
"Posture"
name: string

The name of the finding.

severity: "Critical" or "High" or "Medium" or "Low"

The severity level of a finding.

One of the following:
"Critical"
"High"
"Medium"
"Low"
vendor: string

The SaaS/Cloud vendor of the platform with which the finding is associated.

description: optional string

Detailed description of the finding.

remediation: optional object { id, frameworks, guide, 3 more }

Remediation guide information for a finding.

id: string

Remediation Id.

formatuuid
frameworks: array of string

Relevant Compliance Frameworks.

guide: string

Remediation guide text.

impact: string

Description of the potential impact.

locale: string

I18N Locale.

threat: string

Description of the threat.

ignored: boolean

Determines if finding is currently ignored.

instance_count: number

Number of total (Active or archived) problematic instances identified in the security finding.

integration: object { created, last_hydrated, name, 12 more }

Summary information about an integration.

created: string

When entity was created.

formatdate-time
last_hydrated: string

When were the integration credentials last updated.

formatdate-time
name: string

Name of the integration.

maxLength256
permissions: array of string

The vendor-specific permissions associated with the integration.

policy: object { id, client_id, compliance_level, 4 more }

Policy configuration for an integration.

id: optional string

Policy identifier.

formatuuid
client_id: optional string

OAuth client ID for the policy.

compliance_level: optional string

Compliance level for the policy.

dlp_enabled: optional boolean

Whether DLP is enabled for this policy.

name: optional string

Policy name.

permissions: optional array of string

List of permissions included in the policy.

status: string

Current status of the integration.

updated: string

Last entity was updated.

formatdate-time
upgradable: boolean

Whether the integrations permissions can be updated.

vendor: object { id, description, display_name, 5 more }

Information about a vendor/service provider.

id: string

The id of the vendor.

description: string

Detailed information about what kinds of issues are detected for this vendor.

display_name: string

The display name of the vendor.

name: string

The name of the vendor.

zt_enrollments: array of string

The vendor’s compatible Zero Trust products.

policies: optional array of map[unknown]

The policies related to the vendor.

zt_enrollments: array of object { id, description, display_name, enabled }

Zero Trust products associated with this integration.

id: optional string

The internal identifier of the Zero Trust Product.

description: optional string

Brief description of the Zero Trust Product.

display_name: optional string

The verbose name of the Zero Trust Product.

enabled: optional boolean

Flag to enable/disable access to the listed integration from the corresponding Cloudflare product.

id: optional string

Integration ID.

formatuuid
credential_health_status: optional "Initializing" or "Healthy" or "Unhealthy"

Health status of integration credentials.

One of the following:
"Initializing"
"Healthy"
"Unhealthy"
credentials_expiry: optional string

The date and time when the integration credentials will expire.

formatdate-time
is_paused: optional boolean

Whether the given integration is paused by the user.

upgrade_dismissed: optional boolean

UI State as to whether a potential permissions upgrade has been dismissed.

latest_affliction_date: string

Timestamp of the latest affliction date of an active finding.

formatdate-time
severity_override: optional object { created_by, severity }

Override information for finding severity.

created_by: string

User ID who created the override.

severity: "Critical" or "High" or "Medium" or "Low"

The severity level of a finding.

One of the following:
"Critical"
"High"
"Medium"
"Low"
FindingTuneSeverityResponse object { id, active_count, archived_count, 6 more }

Aggregated finding information with counts and metadata. This is optimized for list API queries and represents a finding along with its instance statistics.

id: string

Base64 encoded identifier of the security finding.

formatbyte
active_count: number

Number of active problematic instances identified in the security finding.

archived_count: number

Number of archived instances identified in the security finding.

finding: object { id, category, name, 4 more }

Basic finding type information.

id: string

The unique identifier of the finding.

formatuuid
category: object { observation, product, type }

Category information for a finding.

observation: "Issue" or "Insight" or "Activity"

The type of the observation.

One of the following:
"Issue"
"Insight"
"Activity"
product: "SaaS" or "Cloud"

The product category.

One of the following:
"SaaS"
"Cloud"
type: "Content" or "Posture"

The type of the finding category.

One of the following:
"Content"
"Posture"
name: string

The name of the finding.

severity: "Critical" or "High" or "Medium" or "Low"

The severity level of a finding.

One of the following:
"Critical"
"High"
"Medium"
"Low"
vendor: string

The SaaS/Cloud vendor of the platform with which the finding is associated.

description: optional string

Detailed description of the finding.

remediation: optional object { id, frameworks, guide, 3 more }

Remediation guide information for a finding.

id: string

Remediation Id.

formatuuid
frameworks: array of string

Relevant Compliance Frameworks.

guide: string

Remediation guide text.

impact: string

Description of the potential impact.

locale: string

I18N Locale.

threat: string

Description of the threat.

ignored: boolean

Determines if finding is currently ignored.

instance_count: number

Number of total (Active or archived) problematic instances identified in the security finding.

integration: object { created, last_hydrated, name, 12 more }

Summary information about an integration.

created: string

When entity was created.

formatdate-time
last_hydrated: string

When were the integration credentials last updated.

formatdate-time
name: string

Name of the integration.

maxLength256
permissions: array of string

The vendor-specific permissions associated with the integration.

policy: object { id, client_id, compliance_level, 4 more }

Policy configuration for an integration.

id: optional string

Policy identifier.

formatuuid
client_id: optional string

OAuth client ID for the policy.

compliance_level: optional string

Compliance level for the policy.

dlp_enabled: optional boolean

Whether DLP is enabled for this policy.

name: optional string

Policy name.

permissions: optional array of string

List of permissions included in the policy.

status: string

Current status of the integration.

updated: string

Last entity was updated.

formatdate-time
upgradable: boolean

Whether the integrations permissions can be updated.

vendor: object { id, description, display_name, 5 more }

Information about a vendor/service provider.

id: string

The id of the vendor.

description: string

Detailed information about what kinds of issues are detected for this vendor.

display_name: string

The display name of the vendor.

name: string

The name of the vendor.

zt_enrollments: array of string

The vendor’s compatible Zero Trust products.

policies: optional array of map[unknown]

The policies related to the vendor.

zt_enrollments: array of object { id, description, display_name, enabled }

Zero Trust products associated with this integration.

id: optional string

The internal identifier of the Zero Trust Product.

description: optional string

Brief description of the Zero Trust Product.

display_name: optional string

The verbose name of the Zero Trust Product.

enabled: optional boolean

Flag to enable/disable access to the listed integration from the corresponding Cloudflare product.

id: optional string

Integration ID.

formatuuid
credential_health_status: optional "Initializing" or "Healthy" or "Unhealthy"

Health status of integration credentials.

One of the following:
"Initializing"
"Healthy"
"Unhealthy"
credentials_expiry: optional string

The date and time when the integration credentials will expire.

formatdate-time
is_paused: optional boolean

Whether the given integration is paused by the user.

upgrade_dismissed: optional boolean

UI State as to whether a potential permissions upgrade has been dismissed.

latest_affliction_date: string

Timestamp of the latest affliction date of an active finding.

formatdate-time
severity_override: optional object { created_by, severity }

Override information for finding severity.

created_by: string

User ID who created the override.

severity: "Critical" or "High" or "Medium" or "Low"

The severity level of a finding.

One of the following:
"Critical"
"High"
"Medium"
"Low"
FindingResetSeverityResponse object { id, active_count, archived_count, 6 more }

Aggregated finding information with counts and metadata. This is optimized for list API queries and represents a finding along with its instance statistics.

id: string

Base64 encoded identifier of the security finding.

formatbyte
active_count: number

Number of active problematic instances identified in the security finding.

archived_count: number

Number of archived instances identified in the security finding.

finding: object { id, category, name, 4 more }

Basic finding type information.

id: string

The unique identifier of the finding.

formatuuid
category: object { observation, product, type }

Category information for a finding.

observation: "Issue" or "Insight" or "Activity"

The type of the observation.

One of the following:
"Issue"
"Insight"
"Activity"
product: "SaaS" or "Cloud"

The product category.

One of the following:
"SaaS"
"Cloud"
type: "Content" or "Posture"

The type of the finding category.

One of the following:
"Content"
"Posture"
name: string

The name of the finding.

severity: "Critical" or "High" or "Medium" or "Low"

The severity level of a finding.

One of the following:
"Critical"
"High"
"Medium"
"Low"
vendor: string

The SaaS/Cloud vendor of the platform with which the finding is associated.

description: optional string

Detailed description of the finding.

remediation: optional object { id, frameworks, guide, 3 more }

Remediation guide information for a finding.

id: string

Remediation Id.

formatuuid
frameworks: array of string

Relevant Compliance Frameworks.

guide: string

Remediation guide text.

impact: string

Description of the potential impact.

locale: string

I18N Locale.

threat: string

Description of the threat.

ignored: boolean

Determines if finding is currently ignored.

instance_count: number

Number of total (Active or archived) problematic instances identified in the security finding.

integration: object { created, last_hydrated, name, 12 more }

Summary information about an integration.

created: string

When entity was created.

formatdate-time
last_hydrated: string

When were the integration credentials last updated.

formatdate-time
name: string

Name of the integration.

maxLength256
permissions: array of string

The vendor-specific permissions associated with the integration.

policy: object { id, client_id, compliance_level, 4 more }

Policy configuration for an integration.

id: optional string

Policy identifier.

formatuuid
client_id: optional string

OAuth client ID for the policy.

compliance_level: optional string

Compliance level for the policy.

dlp_enabled: optional boolean

Whether DLP is enabled for this policy.

name: optional string

Policy name.

permissions: optional array of string

List of permissions included in the policy.

status: string

Current status of the integration.

updated: string

Last entity was updated.

formatdate-time
upgradable: boolean

Whether the integrations permissions can be updated.

vendor: object { id, description, display_name, 5 more }

Information about a vendor/service provider.

id: string

The id of the vendor.

description: string

Detailed information about what kinds of issues are detected for this vendor.

display_name: string

The display name of the vendor.

name: string

The name of the vendor.

zt_enrollments: array of string

The vendor’s compatible Zero Trust products.

policies: optional array of map[unknown]

The policies related to the vendor.

zt_enrollments: array of object { id, description, display_name, enabled }

Zero Trust products associated with this integration.

id: optional string

The internal identifier of the Zero Trust Product.

description: optional string

Brief description of the Zero Trust Product.

display_name: optional string

The verbose name of the Zero Trust Product.

enabled: optional boolean

Flag to enable/disable access to the listed integration from the corresponding Cloudflare product.

id: optional string

Integration ID.

formatuuid
credential_health_status: optional "Initializing" or "Healthy" or "Unhealthy"

Health status of integration credentials.

One of the following:
"Initializing"
"Healthy"
"Unhealthy"
credentials_expiry: optional string

The date and time when the integration credentials will expire.

formatdate-time
is_paused: optional boolean

Whether the given integration is paused by the user.

upgrade_dismissed: optional boolean

UI State as to whether a potential permissions upgrade has been dismissed.

latest_affliction_date: string

Timestamp of the latest affliction date of an active finding.

formatdate-time
severity_override: optional object { created_by, severity }

Override information for finding severity.

created_by: string

User ID who created the override.

severity: "Critical" or "High" or "Medium" or "Low"

The severity level of a finding.

One of the following:
"Critical"
"High"
"Medium"
"Low"

PostureFindingsInstances

List instances of a finding
GET/accounts/{account_id}/data-security/posture/findings/{finding_id}/instances
Get a finding instance using an instance ID
GET/accounts/{account_id}/data-security/posture/findings/{finding_id}/instances/{instance_id}
Create a finding instances export
POST/accounts/{account_id}/data-security/posture/findings/{storage_namespace_id}/instances/export
Archive a finding
POST/accounts/{account_id}/data-security/posture/findings/{finding_id}/instances/archive
Remove the archive marking from a finding instance
POST/accounts/{account_id}/data-security/posture/findings/{finding_id}/instances/unarchive
ModelsExpand Collapse
InstanceListResponse object { affliction_date, asset, dlp_contexts, 4 more }

A specific instance of a security finding. In the API interface, we refer to the ‘finding’ table in our DB as finding instances, optimized for the p99 use case.

affliction_date: string

When this specific instance was identified.

formatdate-time
asset: object { category, external_id, fields, 3 more }

Asset information including metadata and categorization.

category: object { service, type, vendor, id }

Category information for an asset.

service: string

The specific service within the vendor the asset is part of (often none). Example - AWS is the vendor, S3 is the service.

type: string

The type of asset.

vendor: string

The vendor the asset is part of.

id: optional string

Unique identifier for the asset category.

formatuuid
external_id: string

External identifier from the source system.

maxLength512
fields: array of object { name, value, link }

The fields associated with the asset.

name: string

The name of the field.

value: string

The value of the field.

name: string

Human-readable name of the asset.

id: optional string

Unique identifier for the asset.

formatuuid
dlp_contexts: array of object { created, entry_ids, profile_id, 6 more }

DLP context information if this is a content finding.

created: string

When the DLP context was created.

formatdate-time
entry_ids: array of string

DLP Entry IDs.

profile_id: string

DLP Profile ID.

formatuuid
updated: string

When the DLP context was last updated.

formatdate-time
id: optional string

Unique identifier for the DLP context.

formatuuid
deleted: optional string

When the DLP context was deleted.

formatdate-time
match_context_max_extent: optional number

DLP Right Boundary of match context.

maximum2147483647
minimum0
match_context_min_extent: optional number

DLP Left Boundary of match context.

maximum2147483647
minimum0
match_context_payload: optional map[unknown]

DLP Match context payload that matched the profile in question.

remediations: array of object { id, created_at, stale, status }

A list of the 10 most recent remediation jobs for this finding instance, ordered by creation time (most recent first). The ‘stale’ field indicates whether the remediation job was created before the finding instance’s affliction_date (true) or after it (false). If there has never been a remediation job for this finding instance, this field will be an empty array.

id: string

Unique identifier for the remediation job.

formatuuid
created_at: string

When the remediation job was created.

formatdate-time
stale: boolean

Whether this remediation job is stale (created before the finding instance’s affliction_date).

status: "pending" or "processing" or "completed" or 2 more

Status of a remediation job.

One of the following:
"pending"
"processing"
"completed"
"failed"
"validating"
webhooks: array of object { latest_job, webhook_id, webhook_label }

The most recent webhook job invocation for each webhook configuration associated with this finding instance. Each entry represents the latest job (any status) per webhook config. The ‘stale’ field indicates whether the job was invoked before the finding instance’s current affliction_date. If no webhook jobs have been created, this field will be an empty array.

latest_job: object { id, created_at, stale, status }

The most recent webhook job for this webhook configuration.

id: string

Unique identifier for the webhook job.

formatuuid
created_at: string

When the webhook job was created.

formatdate-time
stale: boolean

Whether this webhook job is stale (created before the finding instance’s current affliction_date).

status: "pending" or "processing" or "completed"

Current status of the webhook job.

One of the following:
"pending"
"processing"
"completed"
webhook_id: string

Unique identifier for the webhook configuration.

formatuuid
webhook_label: string

Account-specified display label for the webhook configuration.

id: optional string

Unique identifier for the finding instance.

formatuuid
is_archived: optional boolean

Whether this finding instance has been archived.

InstanceGetResponse object { affliction_date, asset, dlp_contexts, 4 more }

A specific instance of a security finding. In the API interface, we refer to the ‘finding’ table in our DB as finding instances, optimized for the p99 use case.

affliction_date: string

When this specific instance was identified.

formatdate-time
asset: object { category, external_id, fields, 3 more }

Asset information including metadata and categorization.

category: object { service, type, vendor, id }

Category information for an asset.

service: string

The specific service within the vendor the asset is part of (often none). Example - AWS is the vendor, S3 is the service.

type: string

The type of asset.

vendor: string

The vendor the asset is part of.

id: optional string

Unique identifier for the asset category.

formatuuid
external_id: string

External identifier from the source system.

maxLength512
fields: array of object { name, value, link }

The fields associated with the asset.

name: string

The name of the field.

value: string

The value of the field.

name: string

Human-readable name of the asset.

id: optional string

Unique identifier for the asset.

formatuuid
dlp_contexts: array of object { created, entry_ids, profile_id, 6 more }

DLP context information if this is a content finding.

created: string

When the DLP context was created.

formatdate-time
entry_ids: array of string

DLP Entry IDs.

profile_id: string

DLP Profile ID.

formatuuid
updated: string

When the DLP context was last updated.

formatdate-time
id: optional string

Unique identifier for the DLP context.

formatuuid
deleted: optional string

When the DLP context was deleted.

formatdate-time
match_context_max_extent: optional number

DLP Right Boundary of match context.

maximum2147483647
minimum0
match_context_min_extent: optional number

DLP Left Boundary of match context.

maximum2147483647
minimum0
match_context_payload: optional map[unknown]

DLP Match context payload that matched the profile in question.

remediations: array of object { id, created_at, stale, status }

A list of the 10 most recent remediation jobs for this finding instance, ordered by creation time (most recent first). The ‘stale’ field indicates whether the remediation job was created before the finding instance’s affliction_date (true) or after it (false). If there has never been a remediation job for this finding instance, this field will be an empty array.

id: string

Unique identifier for the remediation job.

formatuuid
created_at: string

When the remediation job was created.

formatdate-time
stale: boolean

Whether this remediation job is stale (created before the finding instance’s affliction_date).

status: "pending" or "processing" or "completed" or 2 more

Status of a remediation job.

One of the following:
"pending"
"processing"
"completed"
"failed"
"validating"
webhooks: array of object { latest_job, webhook_id, webhook_label }

The most recent webhook job invocation for each webhook configuration associated with this finding instance. Each entry represents the latest job (any status) per webhook config. The ‘stale’ field indicates whether the job was invoked before the finding instance’s current affliction_date. If no webhook jobs have been created, this field will be an empty array.

latest_job: object { id, created_at, stale, status }

The most recent webhook job for this webhook configuration.

id: string

Unique identifier for the webhook job.

formatuuid
created_at: string

When the webhook job was created.

formatdate-time
stale: boolean

Whether this webhook job is stale (created before the finding instance’s current affliction_date).

status: "pending" or "processing" or "completed"

Current status of the webhook job.

One of the following:
"pending"
"processing"
"completed"
webhook_id: string

Unique identifier for the webhook configuration.

formatuuid
webhook_label: string

Account-specified display label for the webhook configuration.

id: optional string

Unique identifier for the finding instance.

formatuuid
is_archived: optional boolean

Whether this finding instance has been archived.

InstanceExportResponse object { id, status, type, 5 more }

Information about an export job.

id: string

Unique identifier for the export job.

formatuuid
status: "Pending" or "Success" or "Failure" or 2 more

Status of an export job.

One of the following:
"Pending"
"Success"
"Failure"
"Rescheduled"
"In-Progress"
type: "finding" or "findingInstance" or "content" or "remediationJob"

Type of export job.

One of the following:
"finding"
"findingInstance"
"content"
"remediationJob"
user_id: string

ID of the export-requesting user.

maxLength128
download_url: optional string

The URL by which the successfully created export can be downloaded by the end users.

formaturi
maxLength1024
errors: optional string

Contains information on errors which may have occurred during export creation.

file_name: optional string

The base name of the file that is/was generated by the export job.

maxLength256
file_path: optional string

The full path of the file that is stored within external storage (currently R2).

maxLength512
InstanceArchiveResponse object { affliction_date, asset, dlp_contexts, 4 more }

A specific instance of a security finding. In the API interface, we refer to the ‘finding’ table in our DB as finding instances, optimized for the p99 use case.

affliction_date: string

When this specific instance was identified.

formatdate-time
asset: object { category, external_id, fields, 3 more }

Asset information including metadata and categorization.

category: object { service, type, vendor, id }

Category information for an asset.

service: string

The specific service within the vendor the asset is part of (often none). Example - AWS is the vendor, S3 is the service.

type: string

The type of asset.

vendor: string

The vendor the asset is part of.

id: optional string

Unique identifier for the asset category.

formatuuid
external_id: string

External identifier from the source system.

maxLength512
fields: array of object { name, value, link }

The fields associated with the asset.

name: string

The name of the field.

value: string

The value of the field.

name: string

Human-readable name of the asset.

id: optional string

Unique identifier for the asset.

formatuuid
dlp_contexts: array of object { created, entry_ids, profile_id, 6 more }

DLP context information if this is a content finding.

created: string

When the DLP context was created.

formatdate-time
entry_ids: array of string

DLP Entry IDs.

profile_id: string

DLP Profile ID.

formatuuid
updated: string

When the DLP context was last updated.

formatdate-time
id: optional string

Unique identifier for the DLP context.

formatuuid
deleted: optional string

When the DLP context was deleted.

formatdate-time
match_context_max_extent: optional number

DLP Right Boundary of match context.

maximum2147483647
minimum0
match_context_min_extent: optional number

DLP Left Boundary of match context.

maximum2147483647
minimum0
match_context_payload: optional map[unknown]

DLP Match context payload that matched the profile in question.

remediations: array of object { id, created_at, stale, status }

A list of the 10 most recent remediation jobs for this finding instance, ordered by creation time (most recent first). The ‘stale’ field indicates whether the remediation job was created before the finding instance’s affliction_date (true) or after it (false). If there has never been a remediation job for this finding instance, this field will be an empty array.

id: string

Unique identifier for the remediation job.

formatuuid
created_at: string

When the remediation job was created.

formatdate-time
stale: boolean

Whether this remediation job is stale (created before the finding instance’s affliction_date).

status: "pending" or "processing" or "completed" or 2 more

Status of a remediation job.

One of the following:
"pending"
"processing"
"completed"
"failed"
"validating"
webhooks: array of object { latest_job, webhook_id, webhook_label }

The most recent webhook job invocation for each webhook configuration associated with this finding instance. Each entry represents the latest job (any status) per webhook config. The ‘stale’ field indicates whether the job was invoked before the finding instance’s current affliction_date. If no webhook jobs have been created, this field will be an empty array.

latest_job: object { id, created_at, stale, status }

The most recent webhook job for this webhook configuration.

id: string

Unique identifier for the webhook job.

formatuuid
created_at: string

When the webhook job was created.

formatdate-time
stale: boolean

Whether this webhook job is stale (created before the finding instance’s current affliction_date).

status: "pending" or "processing" or "completed"

Current status of the webhook job.

One of the following:
"pending"
"processing"
"completed"
webhook_id: string

Unique identifier for the webhook configuration.

formatuuid
webhook_label: string

Account-specified display label for the webhook configuration.

id: optional string

Unique identifier for the finding instance.

formatuuid
is_archived: optional boolean

Whether this finding instance has been archived.

InstanceUnarchiveResponse object { affliction_date, asset, dlp_contexts, 4 more }

A specific instance of a security finding. In the API interface, we refer to the ‘finding’ table in our DB as finding instances, optimized for the p99 use case.

affliction_date: string

When this specific instance was identified.

formatdate-time
asset: object { category, external_id, fields, 3 more }

Asset information including metadata and categorization.

category: object { service, type, vendor, id }

Category information for an asset.

service: string

The specific service within the vendor the asset is part of (often none). Example - AWS is the vendor, S3 is the service.

type: string

The type of asset.

vendor: string

The vendor the asset is part of.

id: optional string

Unique identifier for the asset category.

formatuuid
external_id: string

External identifier from the source system.

maxLength512
fields: array of object { name, value, link }

The fields associated with the asset.

name: string

The name of the field.

value: string

The value of the field.

name: string

Human-readable name of the asset.

id: optional string

Unique identifier for the asset.

formatuuid
dlp_contexts: array of object { created, entry_ids, profile_id, 6 more }

DLP context information if this is a content finding.

created: string

When the DLP context was created.

formatdate-time
entry_ids: array of string

DLP Entry IDs.

profile_id: string

DLP Profile ID.

formatuuid
updated: string

When the DLP context was last updated.

formatdate-time
id: optional string

Unique identifier for the DLP context.

formatuuid
deleted: optional string

When the DLP context was deleted.

formatdate-time
match_context_max_extent: optional number

DLP Right Boundary of match context.

maximum2147483647
minimum0
match_context_min_extent: optional number

DLP Left Boundary of match context.

maximum2147483647
minimum0
match_context_payload: optional map[unknown]

DLP Match context payload that matched the profile in question.

remediations: array of object { id, created_at, stale, status }

A list of the 10 most recent remediation jobs for this finding instance, ordered by creation time (most recent first). The ‘stale’ field indicates whether the remediation job was created before the finding instance’s affliction_date (true) or after it (false). If there has never been a remediation job for this finding instance, this field will be an empty array.

id: string

Unique identifier for the remediation job.

formatuuid
created_at: string

When the remediation job was created.

formatdate-time
stale: boolean

Whether this remediation job is stale (created before the finding instance’s affliction_date).

status: "pending" or "processing" or "completed" or 2 more

Status of a remediation job.

One of the following:
"pending"
"processing"
"completed"
"failed"
"validating"
webhooks: array of object { latest_job, webhook_id, webhook_label }

The most recent webhook job invocation for each webhook configuration associated with this finding instance. Each entry represents the latest job (any status) per webhook config. The ‘stale’ field indicates whether the job was invoked before the finding instance’s current affliction_date. If no webhook jobs have been created, this field will be an empty array.

latest_job: object { id, created_at, stale, status }

The most recent webhook job for this webhook configuration.

id: string

Unique identifier for the webhook job.

formatuuid
created_at: string

When the webhook job was created.

formatdate-time
stale: boolean

Whether this webhook job is stale (created before the finding instance’s current affliction_date).

status: "pending" or "processing" or "completed"

Current status of the webhook job.

One of the following:
"pending"
"processing"
"completed"
webhook_id: string

Unique identifier for the webhook configuration.

formatuuid
webhook_label: string

Account-specified display label for the webhook configuration.

id: optional string

Unique identifier for the finding instance.

formatuuid
is_archived: optional boolean

Whether this finding instance has been archived.

PostureExports

List all export jobs
GET/accounts/{account_id}/data-security/posture/exports
Get a single export job
GET/accounts/{account_id}/data-security/posture/exports/{id}
ModelsExpand Collapse
ExportListResponse object { id, status, type, 5 more }

Information about an export job.

id: string

Unique identifier for the export job.

formatuuid
status: "Pending" or "Success" or "Failure" or 2 more

Status of an export job.

One of the following:
"Pending"
"Success"
"Failure"
"Rescheduled"
"In-Progress"
type: "finding" or "findingInstance" or "content" or "remediationJob"

Type of export job.

One of the following:
"finding"
"findingInstance"
"content"
"remediationJob"
user_id: string

ID of the export-requesting user.

maxLength128
download_url: optional string

The URL by which the successfully created export can be downloaded by the end users.

formaturi
maxLength1024
errors: optional string

Contains information on errors which may have occurred during export creation.

file_name: optional string

The base name of the file that is/was generated by the export job.

maxLength256
file_path: optional string

The full path of the file that is stored within external storage (currently R2).

maxLength512
ExportGetResponse object { id, status, type, 5 more }

Information about an export job.

id: string

Unique identifier for the export job.

formatuuid
status: "Pending" or "Success" or "Failure" or 2 more

Status of an export job.

One of the following:
"Pending"
"Success"
"Failure"
"Rescheduled"
"In-Progress"
type: "finding" or "findingInstance" or "content" or "remediationJob"

Type of export job.

One of the following:
"finding"
"findingInstance"
"content"
"remediationJob"
user_id: string

ID of the export-requesting user.

maxLength128
download_url: optional string

The URL by which the successfully created export can be downloaded by the end users.

formaturi
maxLength1024
errors: optional string

Contains information on errors which may have occurred during export creation.

file_name: optional string

The base name of the file that is/was generated by the export job.

maxLength256
file_path: optional string

The full path of the file that is stored within external storage (currently R2).

maxLength512

PostureFinding Types

List all finding types
GET/accounts/{account_id}/data-security/posture/finding_types
Get finding by ID
GET/accounts/{account_id}/data-security/posture/finding_types/{finding_type_id}
ModelsExpand Collapse
FindingTypeListResponse object { id, category, name, 2 more }

Basic finding type information.

id: string

The unique identifier of the finding.

formatuuid
category: object { observation, product, type }

Category information for a finding.

observation: "Issue" or "Insight" or "Activity"

The type of the observation.

One of the following:
"Issue"
"Insight"
"Activity"
product: "SaaS" or "Cloud"

The product category.

One of the following:
"SaaS"
"Cloud"
type: "Content" or "Posture"

The type of the finding category.

One of the following:
"Content"
"Posture"
name: string

The name of the finding.

severity: "Critical" or "High" or "Medium" or "Low"

The severity level of a finding.

One of the following:
"Critical"
"High"
"Medium"
"Low"
vendor: string

The SaaS/Cloud vendor of the platform with which the finding is associated.

FindingTypeGetResponse object { id, category, name, 2 more }

Basic finding type information.

id: string

The unique identifier of the finding.

formatuuid
category: object { observation, product, type }

Category information for a finding.

observation: "Issue" or "Insight" or "Activity"

The type of the observation.

One of the following:
"Issue"
"Insight"
"Activity"
product: "SaaS" or "Cloud"

The product category.

One of the following:
"SaaS"
"Cloud"
type: "Content" or "Posture"

The type of the finding category.

One of the following:
"Content"
"Posture"
name: string

The name of the finding.

severity: "Critical" or "High" or "Medium" or "Low"

The severity level of a finding.

One of the following:
"Critical"
"High"
"Medium"
"Low"
vendor: string

The SaaS/Cloud vendor of the platform with which the finding is associated.

PostureFinding TypesRemediation Types

List remediation types for a finding type
GET/accounts/{account_id}/data-security/posture/finding_types/{finding_type_id}/remediation_types
ModelsExpand Collapse
RemediationTypeListResponse object { id, description, display_name, 2 more }

Information about a remediation type.

id: string

The identifier for the remediation type.

formatuuid
description: string

A description of the action(s) taken by the remediation type.

display_name: string

The name of the remediation type as displayed in the cloudflare dashboard.

finding_type_id: string

The identifier of the finding_type which this remediation type should remediate.

formatuuid
remediation_type: string

The name of the remediation type.

PostureContent

List DLP content findings
GET/accounts/{account_id}/data-security/posture/content
Create a content export
POST/accounts/{account_id}/data-security/posture/content/export
ModelsExpand Collapse
ContentListResponse object { asset_id, asset_name, dlp_contexts, 4 more }

Content asset with DLP information.

asset_id: string

Unique identifier for the asset.

formatuuid
asset_name: string

Name of the asset.

dlp_contexts: array of object { created, entry_ids, profile_id, 6 more }

DLP context information for this asset.

created: string

When the DLP context was created.

formatdate-time
entry_ids: array of string

DLP Entry IDs.

profile_id: string

DLP Profile ID.

formatuuid
updated: string

When the DLP context was last updated.

formatdate-time
id: optional string

Unique identifier for the DLP context.

formatuuid
deleted: optional string

When the DLP context was deleted.

formatdate-time
match_context_max_extent: optional number

DLP Right Boundary of match context.

maximum2147483647
minimum0
match_context_min_extent: optional number

DLP Left Boundary of match context.

maximum2147483647
minimum0
match_context_payload: optional map[unknown]

DLP Match context payload that matched the profile in question.

dlp_profile_count: number

Number of DLP profiles that flagged this asset.

dlp_profile_ids: array of string

IDs of DLP profiles that flagged this asset.

integration: object { created, last_hydrated, name, 12 more }

Summary information about an integration.

created: string

When entity was created.

formatdate-time
last_hydrated: string

When were the integration credentials last updated.

formatdate-time
name: string

Name of the integration.

maxLength256
permissions: array of string

The vendor-specific permissions associated with the integration.

policy: object { id, client_id, compliance_level, 4 more }

Policy configuration for an integration.

id: optional string

Policy identifier.

formatuuid
client_id: optional string

OAuth client ID for the policy.

compliance_level: optional string

Compliance level for the policy.

dlp_enabled: optional boolean

Whether DLP is enabled for this policy.

name: optional string

Policy name.

permissions: optional array of string

List of permissions included in the policy.

status: string

Current status of the integration.

updated: string

Last entity was updated.

formatdate-time
upgradable: boolean

Whether the integrations permissions can be updated.

vendor: object { id, description, display_name, 5 more }

Information about a vendor/service provider.

id: string

The id of the vendor.

description: string

Detailed information about what kinds of issues are detected for this vendor.

display_name: string

The display name of the vendor.

name: string

The name of the vendor.

zt_enrollments: array of string

The vendor’s compatible Zero Trust products.

policies: optional array of map[unknown]

The policies related to the vendor.

zt_enrollments: array of object { id, description, display_name, enabled }

Zero Trust products associated with this integration.

id: optional string

The internal identifier of the Zero Trust Product.

description: optional string

Brief description of the Zero Trust Product.

display_name: optional string

The verbose name of the Zero Trust Product.

enabled: optional boolean

Flag to enable/disable access to the listed integration from the corresponding Cloudflare product.

id: optional string

Integration ID.

formatuuid
credential_health_status: optional "Initializing" or "Healthy" or "Unhealthy"

Health status of integration credentials.

One of the following:
"Initializing"
"Healthy"
"Unhealthy"
credentials_expiry: optional string

The date and time when the integration credentials will expire.

formatdate-time
is_paused: optional boolean

Whether the given integration is paused by the user.

upgrade_dismissed: optional boolean

UI State as to whether a potential permissions upgrade has been dismissed.

latest_affliction_date: string

Most recent date this asset was flagged.

formatdate-time
ContentExportResponse object { id, status, type, 5 more }

Information about an export job.

id: string

Unique identifier for the export job.

formatuuid
status: "Pending" or "Success" or "Failure" or 2 more

Status of an export job.

One of the following:
"Pending"
"Success"
"Failure"
"Rescheduled"
"In-Progress"
type: "finding" or "findingInstance" or "content" or "remediationJob"

Type of export job.

One of the following:
"finding"
"findingInstance"
"content"
"remediationJob"
user_id: string

ID of the export-requesting user.

maxLength128
download_url: optional string

The URL by which the successfully created export can be downloaded by the end users.

formaturi
maxLength1024
errors: optional string

Contains information on errors which may have occurred during export creation.

file_name: optional string

The base name of the file that is/was generated by the export job.

maxLength256
file_path: optional string

The full path of the file that is stored within external storage (currently R2).

maxLength512

PostureRemediations

PostureRemediationsJobs

List remediation jobs
GET/accounts/{account_id}/data-security/posture/remediations/jobs
Creates remediation jobs
POST/accounts/{account_id}/data-security/posture/remediations/jobs
Create a remediation jobs export
POST/accounts/{account_id}/data-security/posture/remediations/jobs/export
ModelsExpand Collapse
JobListResponse object { id, asset, created_at, 11 more }

Information about a remediation job.

id: string

Unique identifier for the remediation job.

formatuuid
asset: object { id, category, external_id, 3 more }

Asset information for a remediation job.

id: string

Unique identifier for the asset.

formatuuid
category: object { service, type, vendor }

Category information for a remediation job asset.

service: string

Specific service within the vendor.

type: string

Asset type.

vendor: "AWS" or "Anthropic" or "Bitbucket" or 16 more

Display names for vendor types.

One of the following:
"AWS"
"Anthropic"
"Bitbucket"
"Box"
"Confluence"
"Dropbox"
"GitHub"
"Google Cloud Platform"
"Google Workspace"
"Jira"
"Microsoft"
"Microsoft Internal"
"Okta"
"OpenAI"
"Slack"
"Salesforce"
"ServiceNow"
"Workday"
"Zoom"
external_id: string

External identifier from the source system.

fields: array of object { name, value, link }

Additional fields associated with the asset.

name: string

Field name.

value: string or number or boolean

Field value (can be string, number, or boolean).

One of the following:
string
number
boolean
name: string

Human-readable name of the asset.

created_at: string

When the remediation job was created.

formatdate-time
finding_id: string

Encoded finding ID.

finding_instance_id: string

ID of the finding instance being remediated.

formatuuid
finding_type_id: string

ID of the finding type.

formatuuid
finding_type_name: string

Name of the finding type.

integration_name: string

Name of the integration.

last_updated: string

When the remediation job was last updated.

formatdate-time
remediation_type: string

Type of remediation being performed.

status: "pending" or "processing" or "completed" or 2 more

Status of a remediation job.

One of the following:
"pending"
"processing"
"completed"
"failed"
"validating"
triggered_by_user: string

Email of the user who triggered the remediation. For account-token actors this is the literal “Account API Token”; for policy actors this is empty.

triggered_by_actor: optional "user" or "account_token"

Type of actor that triggered the remediation job. Null on legacy rows created before this column was populated.

One of the following:
"user"
"account_token"
triggered_by_id: optional string

ID of the actor that triggered the job. Meaning depends on triggered_by_actor. Null on legacy rows.

JobCreateResponse object { created, failed }
created: array of object { id, asset, created_at, 11 more }

Successfully created remediation jobs.

id: string

Unique identifier for the remediation job.

formatuuid
asset: object { id, category, external_id, 3 more }

Asset information for a remediation job.

id: string

Unique identifier for the asset.

formatuuid
category: object { service, type, vendor }

Category information for a remediation job asset.

service: string

Specific service within the vendor.

type: string

Asset type.

vendor: "AWS" or "Anthropic" or "Bitbucket" or 16 more

Display names for vendor types.

One of the following:
"AWS"
"Anthropic"
"Bitbucket"
"Box"
"Confluence"
"Dropbox"
"GitHub"
"Google Cloud Platform"
"Google Workspace"
"Jira"
"Microsoft"
"Microsoft Internal"
"Okta"
"OpenAI"
"Slack"
"Salesforce"
"ServiceNow"
"Workday"
"Zoom"
external_id: string

External identifier from the source system.

fields: array of object { name, value, link }

Additional fields associated with the asset.

name: string

Field name.

value: string or number or boolean

Field value (can be string, number, or boolean).

One of the following:
string
number
boolean
name: string

Human-readable name of the asset.

created_at: string

When the remediation job was created.

formatdate-time
finding_id: string

Encoded finding ID.

finding_instance_id: string

ID of the finding instance being remediated.

formatuuid
finding_type_id: string

ID of the finding type.

formatuuid
finding_type_name: string

Name of the finding type.

integration_name: string

Name of the integration.

last_updated: string

When the remediation job was last updated.

formatdate-time
remediation_type: string

Type of remediation being performed.

status: "pending" or "processing" or "completed" or 2 more

Status of a remediation job.

One of the following:
"pending"
"processing"
"completed"
"failed"
"validating"
triggered_by_user: string

Email of the user who triggered the remediation. For account-token actors this is the literal “Account API Token”; for policy actors this is empty.

triggered_by_actor: optional "user" or "account_token"

Type of actor that triggered the remediation job. Null on legacy rows created before this column was populated.

One of the following:
"user"
"account_token"
triggered_by_id: optional string

ID of the actor that triggered the job. Meaning depends on triggered_by_actor. Null on legacy rows.

failed: array of object { error, finding_instance_id }

Failed remediation job creation attempts.

error: string

Error message describing the failure.

finding_instance_id: string

ID of the finding instance that failed to create a remediation job.

formatuuid
JobExportResponse object { id, status, type, 5 more }

Information about an export job.

id: string

Unique identifier for the export job.

formatuuid
status: "Pending" or "Success" or "Failure" or 2 more

Status of an export job.

One of the following:
"Pending"
"Success"
"Failure"
"Rescheduled"
"In-Progress"
type: "finding" or "findingInstance" or "content" or "remediationJob"

Type of export job.

One of the following:
"finding"
"findingInstance"
"content"
"remediationJob"
user_id: string

ID of the export-requesting user.

maxLength128
download_url: optional string

The URL by which the successfully created export can be downloaded by the end users.

formaturi
maxLength1024
errors: optional string

Contains information on errors which may have occurred during export creation.

file_name: optional string

The base name of the file that is/was generated by the export job.

maxLength256
file_path: optional string

The full path of the file that is stored within external storage (currently R2).

maxLength512

PostureWebhooks

List webhook configurations
GET/accounts/{account_id}/data-security/posture/webhooks
Create a new webhook configuration
POST/accounts/{account_id}/data-security/posture/webhooks
Get webhook configuration by ID
GET/accounts/{account_id}/data-security/posture/webhooks/{webhook_id}
Update an existing webhook configuration
PUT/accounts/{account_id}/data-security/posture/webhooks/{webhook_id}
Delete a webhook configuration
DELETE/accounts/{account_id}/data-security/posture/webhooks/{webhook_id}
Test a webhook configuration before creating it
POST/accounts/{account_id}/data-security/posture/webhooks/evaluate
Test an existing webhook configuration
POST/accounts/{account_id}/data-security/posture/webhooks/{webhook_id}/evaluate
ModelsExpand Collapse
WebhookListResponse object { id, authentication_type, created_at, 6 more }

Webhook configuration for sending finding notifications.

id: string

Unique identifier for the specific webhook configuration.

formatuuid
authentication_type: "Basic Auth" or "None" or "Bearer Auth" or 2 more

Type of authentication used for the webhook.

One of the following:
"Basic Auth"
"None"
"Bearer Auth"
"Static Headers"
"HMAC-Signing"
created_at: string

Timestamp when the webhook configuration was created.

formatdate-time
destination_url: string

Target URL for the webhook configuration. Where resulting data will be sent.

formaturi
label: string

Account-specified display label for the webhook configuration.

status: "enabled" or "disabled"

Current status of the webhook configuration. If disabled, data cannot be sent through this configuration.

One of the following:
"enabled"
"disabled"
updated_at: string

Timestamp when the webhook configuration was last updated.

formatdate-time
version: number

Version number of the configuration.

formatuint32
headers: optional array of object { key, value }

List of header keys configured for this webhook. Values are not included for security reasons.

key: optional string

Header key name (lowercase).

value: optional string

Header value. This field is never returned in API responses for security reasons.

WebhookCreateResponse object { id, authentication_type, created_at, 6 more }

Webhook configuration for sending finding notifications.

id: string

Unique identifier for the specific webhook configuration.

formatuuid
authentication_type: "Basic Auth" or "None" or "Bearer Auth" or 2 more

Type of authentication used for the webhook.

One of the following:
"Basic Auth"
"None"
"Bearer Auth"
"Static Headers"
"HMAC-Signing"
created_at: string

Timestamp when the webhook configuration was created.

formatdate-time
destination_url: string

Target URL for the webhook configuration. Where resulting data will be sent.

formaturi
label: string

Account-specified display label for the webhook configuration.

status: "enabled" or "disabled"

Current status of the webhook configuration. If disabled, data cannot be sent through this configuration.

One of the following:
"enabled"
"disabled"
updated_at: string

Timestamp when the webhook configuration was last updated.

formatdate-time
version: number

Version number of the configuration.

formatuint32
headers: optional array of object { key, value }

List of header keys configured for this webhook. Values are not included for security reasons.

key: optional string

Header key name (lowercase).

value: optional string

Header value. This field is never returned in API responses for security reasons.

WebhookGetResponse object { id, authentication_type, created_at, 6 more }

Webhook configuration for sending finding notifications.

id: string

Unique identifier for the specific webhook configuration.

formatuuid
authentication_type: "Basic Auth" or "None" or "Bearer Auth" or 2 more

Type of authentication used for the webhook.

One of the following:
"Basic Auth"
"None"
"Bearer Auth"
"Static Headers"
"HMAC-Signing"
created_at: string

Timestamp when the webhook configuration was created.

formatdate-time
destination_url: string

Target URL for the webhook configuration. Where resulting data will be sent.

formaturi
label: string

Account-specified display label for the webhook configuration.

status: "enabled" or "disabled"

Current status of the webhook configuration. If disabled, data cannot be sent through this configuration.

One of the following:
"enabled"
"disabled"
updated_at: string

Timestamp when the webhook configuration was last updated.

formatdate-time
version: number

Version number of the configuration.

formatuint32
headers: optional array of object { key, value }

List of header keys configured for this webhook. Values are not included for security reasons.

key: optional string

Header key name (lowercase).

value: optional string

Header value. This field is never returned in API responses for security reasons.

WebhookUpdateResponse object { id, authentication_type, created_at, 6 more }

Webhook configuration for sending finding notifications.

id: string

Unique identifier for the specific webhook configuration.

formatuuid
authentication_type: "Basic Auth" or "None" or "Bearer Auth" or 2 more

Type of authentication used for the webhook.

One of the following:
"Basic Auth"
"None"
"Bearer Auth"
"Static Headers"
"HMAC-Signing"
created_at: string

Timestamp when the webhook configuration was created.

formatdate-time
destination_url: string

Target URL for the webhook configuration. Where resulting data will be sent.

formaturi
label: string

Account-specified display label for the webhook configuration.

status: "enabled" or "disabled"

Current status of the webhook configuration. If disabled, data cannot be sent through this configuration.

One of the following:
"enabled"
"disabled"
updated_at: string

Timestamp when the webhook configuration was last updated.

formatdate-time
version: number

Version number of the configuration.

formatuint32
headers: optional array of object { key, value }

List of header keys configured for this webhook. Values are not included for security reasons.

key: optional string

Header key name (lowercase).

value: optional string

Header value. This field is never returned in API responses for security reasons.

WebhookDeleteResponse object { errors, messages, success }

Common response structure for all API endpoints.

errors: array of object { code, message, documentation_url, source }
code: number

Error or message code.

minimum1000
message: string

Human-readable message.

documentation_url: optional string

Link to relevant documentation.

formaturi
source: optional object { pointer }
pointer: optional string

JSON pointer to the source of the error.

messages: array of object { code, message, documentation_url, source }
code: number

Error or message code.

minimum1000
message: string

Human-readable message.

documentation_url: optional string

Link to relevant documentation.

formaturi
source: optional object { pointer }
pointer: optional string

JSON pointer to the source of the error.

success: boolean

Whether the API call was successful.

WebhookEvaluateResponse object { message, status_code, success }

Response body for webhook evaluation test results.

message: string

Human-readable message describing the test result.

status_code: number

HTTP status code returned by the webhook endpoint. 0 if connection failed.

success: boolean

Whether the webhook test was successful (received 2xx response).

WebhookEvaluateExistingResponse object { message, status_code, success }

Response body for webhook evaluation test results.

message: string

Human-readable message describing the test result.

status_code: number

HTTP status code returned by the webhook endpoint. 0 if connection failed.

success: boolean

Whether the webhook test was successful (received 2xx response).

PostureWebhooksJobs

Create webhook jobs
POST/accounts/{account_id}/data-security/posture/webhooks/jobs
ModelsExpand Collapse
JobCreateResponse object { created, failed }
created: array of object { id, asset_data, created_at, 9 more }

Successfully created webhook jobs.

id: string

Unique identifier for the webhook job.

formatuuid
asset_data: map[unknown]

Asset data associated with this webhook job.

created_at: string

When the webhook job was created.

formatdate-time
integration_id: string

ID of the integration.

formatuuid
last_updated_at: string

When the webhook job was last updated.

formatdate-time
parameters: object { finding_instance_id }

Parameters for a webhook job.

finding_instance_id: string

ID of the finding instance.

formatuuid
status: "pending" or "processing" or "completed" or "failed"

Status of a webhook job.

One of the following:
"pending"
"processing"
"completed"
"failed"
triggered_by_actor: "user" or "account_token"

Type of actor that triggered the webhook job.

One of the following:
"user"
"account_token"
triggered_by_id: string

ID of the actor that triggered the job.

webhook_id: string

ID of the webhook configuration.

formatuuid
failure_details: optional map[unknown]

Additional details about the failure.

failure_reason: optional "Permission Denied" or "Integration Unavailable" or "Service Temporarily Unavailable" or "System Error"

Reason for webhook job failure.

One of the following:
"Permission Denied"
"Integration Unavailable"
"Service Temporarily Unavailable"
"System Error"
failed: array of object { error, finding_instance_id, webhook_id }

Failed webhook job creation attempts.

error: string

Error message describing the failure.

finding_instance_id: string

ID of the finding instance that failed to create a webhook job.

formatuuid
webhook_id: string

ID of the webhook configuration.

formatuuid