Finds Attack discovery schedules that match the search criteria (Technical Preview; added in 9.2.0)

GET /api/attack_discovery/schedules/_find

Spaces method and path for this operation:

GET /s/{space_id}/api/attack_discovery/schedules/_find

Refer to Spaces for more information.

Finds Attack discovery schedules that match the search criteria. Supports pagination and sorting by various fields. This operation is in technical preview.

Query parameters

  • page number

    Page number to return (used for pagination). Defaults to 1.

  • per_page number

    Number of Attack discovery schedules to return per page (used for pagination). Defaults to 10.

  • sort_field string(nonempty)

    Field used to sort results. Common fields include 'name', 'created_at', 'updated_at', and 'enabled'.

    Minimum length is 1.

  • sort_direction string

    Sort order direction. Use 'asc' for ascending or 'desc' for descending. Defaults to 'asc'.

    Values are asc or desc.

Responses

  • 200 application/json

    Successful response

    • data array[object] Required

      Array of matched Attack discovery schedule objects.

      An attack discovery schedule

      • actions array[object] Required

        The attack discovery schedule actions

        One of:
      • created_at string(date-time) Required

        The date the schedule was created

      • created_by string Required

        The name of the user that created the schedule

      • enabled boolean Required

        Indicates whether the schedule is enabled

      • id string Required

        UUID of the attack discovery schedule

      • last_execution object

        Attack discovery schedule execution information

        • date string(date-time) Required

          Date of the execution

        • duration number

          Duration of the execution

        • message string
        • status string Required

          An attack discovery schedule execution status

          Values are ok, active, error, unknown, or warning.

      • name string Required

        The name of the schedule

      • params object Required

        Attack discovery schedule parameters

        • alerts_index_pattern string Required

          The index pattern to get alerts from

        • api_config object Required

          LLM API configuration.

          • actionTypeId string Required

            Action type ID

          • connectorId string Required

            Connector ID

          • defaultSystemPromptId string

            Default system prompt ID

          • model string

            Model

          • provider string

            Provider

            Values are OpenAI, Azure OpenAI, or Other.

          • name string Required

            The name of the connector

        • combined_filter object

          Additional properties are allowed.

        • end string
        • filters array

          The filter array used to define the conditions for when alerts are selected as an attack discovery context. Defaults to an empty array.

        • query object

          A query condition to filter alerts

        • size number Required
        • start string
      • schedule object Required
        • interval string Required

          The schedule interval

      • updated_at string(date-time) Required

        The date the schedule was updated

      • updated_by string Required

        The name of the user that updated the schedule

    • page number Required

      Current page number of the paginated result set.

    • per_page number Required

      Number of items requested per page.

    • total number Required

      Total number of Attack discovery schedules matching the query (across all pages).

  • 400 application/json

    Generic Error

    • error string

      Error type

    • message string

      Human-readable error message

    • status_code number

      HTTP status code

GET /api/attack_discovery/schedules/_find
curl \
 --request GET 'http://localhost:5601/api/attack_discovery/schedules/_find' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json"
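
An added example, not part of the Elastic reference: Python that pages through `_find` using `page`, `per_page` and `total`, then groups enabled schedules by the LLM connector they send alerts to and flags those whose last execution was `error` or `warning`. The helper names, the `conn-a`/`conn-b` IDs and the sample records are constructed for illustration; `auth_header` is the same Authorization value the curl example passes.

```python
import json
import urllib.parse
import urllib.request

FIND_PATH = "/api/attack_discovery/schedules/_find"

def http_fetch(base_url, auth_header):
    """Build fetch(page, per_page) for a live Kibana; auth_header is the Authorization value."""
    def fetch(page, per_page):
        qs = urllib.parse.urlencode({"page": page, "per_page": per_page})
        req = urllib.request.Request(base_url + FIND_PATH + "?" + qs, headers={"Authorization": auth_header})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch

def find_all(fetch, per_page=10):
    """Follow page/per_page/total until every matching schedule is collected."""
    page, found = 1, []
    while True:
        body = fetch(page, per_page)
        found.extend(body["data"])
        if not body["data"] or len(found) >= body["total"]:  # empty page guards against a shrinking total
            return found
        page += 1

def audit(schedules):
    """Return (enabled schedules whose last run was error/warning, enabled names by connectorId)."""
    failing, by_connector = [], {}
    for s in (x for x in schedules if x["enabled"]):
        last = s.get("last_execution")  # not marked Required in the response schema
        if last and last["status"] in ("error", "warning"):
            failing.append(s["name"])
        connector = s["params"]["api_config"]["connectorId"]
        by_connector.setdefault(connector, []).append(s["name"])
    return failing, by_connector

def _sched(name, enabled, connector, status=None):  # constructed sample record, subset of fields
    rec = {"name": name, "enabled": enabled, "params": {"api_config": {"connectorId": connector}}}
    if status:
        rec["last_execution"] = {"date": "2025-01-01T00:00:00Z", "status": status}
    return rec

SAMPLE = [_sched("daily", True, "conn-a", "ok"), _sched("hourly", True, "conn-b", "error"),
          _sched("old", False, "conn-b", "error"), _sched("weekly", True, "conn-a")]

def sample_fetch(page, per_page):  # stands in for http_fetch() so the block runs offline
    start = (page - 1) * per_page
    return {"data": SAMPLE[start:start + per_page], "page": page, "per_page": per_page, "total": len(SAMPLE)}
```

Against a live instance, replace `sample_fetch` with `http_fetch("http://localhost:5601", api_key_header)` and pass the result to `find_all`.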