Iris ¶

Table of Contents

Iris
- Client

Client ¶

class Iris.Client¶

A client object representing ‘Iris’ Service:

import almdrlib

client = almdrlib.client('iris')

Available methods:

add_feedback()
complete_incident()
get_associated_elaborations()
get_incident()
get_incident_filters()
get_incident_id_by_friendly()
incidents_by_time()
partner_account_incidents()
partner_incidents()
reopen_incident()

add_feedback(**kwargs)¶

Add feedback to incident

Request Syntax

response = client.add_feedback(
    account_id='string'
    customer_feedback='string'
    customer_feedback_reason='further_action'|'acceptable_risk'|'compensating_control'|'threat_not_valid'|'not_concluded'|'other'
    incident_id='string'
)

Parameters

account_id (string) –
[REQUIRED]

AIMS Account ID
customer_feedback (string) –
[REQUIRED]

Feedback to add to incident
customer_feedback_reason (string) –
[REQUIRED]

Reason for feedback

Valid values: further_action, acceptable_risk, compensating_control, threat_not_valid, not_concluded, other
incident_id (string) –
[REQUIRED]

IRIS incident ID can either be a length 16 alpha-numeric string e.g. e11111ee11111111 or a UUID e.g. XXXX0000-0000-0000-0000-0XXX00000000

Return type

dict

Returns

Response Syntax

{
    'feedback': 'string',
    'feedback_datetime': 'string',
    'feedback_reason': 'string',
    'feedback_uid': 'string',
    'feedback_user': 'string'
}

Response Definitions

feedback (string) –

feedback_datetime (string) –

feedback_reason (string) –

feedback_uid (string) –

feedback_user (string) –

complete_incident(**kwargs)¶

Complete/Close an incident

Request Syntax

response = client.complete_incident(
    account_id='string'
    incident_id='string'
    notes='string'
    reason_code='further_action'|'acceptable_risk'|'compensating_control'|'threat_not_valid'|'not_concluded'|'other'
)

Parameters

account_id (string) –
[REQUIRED]

AIMS Account ID
incident_id (string) –
[REQUIRED]

IRIS incident ID can either be a length 16 alpha-numeric string e.g. e11111ee11111111 or a UUID e.g. XXXX0000-0000-0000-0000-0XXX00000000
notes (string) –
[REQUIRED]

Notes about completion
reason_code (string) –
[REQUIRED]

Reason for completion

Valid values: further_action, acceptable_risk, compensating_control, threat_not_valid, not_concluded, other

Return type

dict

Returns

Response Syntax

{
    'new': {
        'notes': 'string',
        'reason_code': 'string',
        'status': 'string',
        'status_change_time': 'string'
    },
    'old': {
        'status': 'string',
        'status_change_time': 'string'
    }
}

Response Definitions

new (dict) – [REQUIRED]

notes (string) –

reason_code (string) –

status (string) –

status_change_time (string) –

old (dict) – [REQUIRED]

status (string) –

status_change_time (string) –

get_associated_elaborations(**kwargs)¶

Get associated logs/events for incident

Request Syntax

response = client.get_associated_elaborations(
    account_id='string'
    incident_id='string'
    limit='number'
    offset='number'
    returnSource='string'
    return_value='string'
)

Parameters

account_id (string) –
[REQUIRED]

AIMS Account ID
incident_id (string) –
[REQUIRED]

IRIS incident ID can either be a length 16 alpha-numeric string e.g. e11111ee11111111 or a UUID e.g. XXXX0000-0000-0000-0000-0XXX00000000
limit (number) – Maximum number of items in the result set
offset (number) – The (zero-based) offset of the first item in the result set to return
returnSource (string) – To filter by source type. Allowed values - log, event
return_value (string) – Comma delimited list of ‘dot-notation’ string names of desired properties in the result set. Use if you want only a subset of attributes from results

Return type

dict

Returns

Response Syntax

{
    'filter': {},
    'metadata': {},
    'returnVals': [
        {}
    ],
    'stats': {}
}

Response Definitions

filter (dict) –

metadata (dict) –

returnVals (list) –

(dict) –

Values returned by the query

stats (dict) –

get_incident(**kwargs)¶

Get incident

Request Syntax

response = client.get_incident(
    account_id='string'
    incident_id='string'
    return_value='string'
)

Parameters

account_id (string) –
[REQUIRED]

AIMS Account ID
incident_id (string) –
[REQUIRED]

IRIS incident ID can either be a length 16 alpha-numeric string e.g. e11111ee11111111 or a UUID e.g. XXXX0000-0000-0000-0000-0XXX00000000
return_value (string) – Comma delimited list of dot-notation string names of desired properties in the result set. Use if you want a subset of attributes from the incident

Return type

dict

Returns

Response Syntax

{
    'accountId': 'string',
    'all_assets': [
        {}
    ],
    'assets': {
        '__asset': {},
        '__source': 'string',
        'al__deployment': 'string'
    },
    'createTime': 'number',
    'createtime_str': 'string',
    'customer': 'string',
    'customer_status': {
        'status': 'string',
        'status_change_time': 'string'
    },
    'desc': 'string',
    'humanFriendlyId': 'string',
    'incident': {
        'description': 'string',
        'summary': 'string',
        'threatRating': 'string'
    },
    'incidentId': 'string',
    'incident_attack_class': 'string',
    'incident_class': 'string',
    'incident_type': 'string',
    'snooze_status': {
        'period_ms': 'number',
        'reason_code': 'string',
        'snoozed': 'False|True'
    },
    'summary': 'string',
    'updateTime': 'number',
    'updatetime_str': 'string'
}

Response Definitions

accountId (string) –

AIMS Account Id

all_assets (list) –

(dict) –

assets (dict) –

__asset (dict) –

__source (string) –

al__deployment (string) –

createTime (number) –

Incident creation time

createtime_str (string) –

Incident creation time in ISO format

customer (string) –

Customer name

customer_status (dict) –

status (string) –

status_change_time (string) –

desc (string) –

humanFriendlyId (string) –

incident (dict) –

description (string) –

summary (string) –

threatRating (string) –

incidentId (string) –

Incident ID

incident_attack_class (string) –

incident_class (string) –

incident_type (string) –

snooze_status (dict) –

period_ms (number) –

reason_code (string) –

snoozed (boolean) –

summary (string) –

updateTime (number) –

updatetime_str (string) –

get_incident_filters(**kwargs)¶

Fetch the fields and values used to filter incidents

Request Syntax

response = client.get_incident_filters(
)

Return type

dict

Returns

Response Syntax

{
    'class': [
        'string'
    ],
    'detection_source': [
        'string'
    ],
    'escalated': [
        'False|True'
    ],
    'threat_level': [
        'string'
    ]
}

Response Definitions

class (list) –

(string) –

detection_source (list) –

(string) –

escalated (list) –

(boolean) –

threat_level (list) –

(string) –

get_incident_id_by_friendly(**kwargs)¶

Get incident ID by friendly ID

Request Syntax

response = client.get_incident_id_by_friendly(
    account_id='string'
    friendly_id='string'
)

Parameters

account_id (string) –
[REQUIRED]

AIMS Account ID
friendly_id (string) –
[REQUIRED]

Human friendly ID. A length 6 alpha-numeric ID shorter than IncidentID

Return type

list

Returns

Response Syntax

[
    {
        'accountId': 'string',
        'humanFriendlyId': 'string',
        'incidentId': 'string'
    }
]

Response Definitions

(dict) –

Incident key object

accountId (string) –

humanFriendlyId (string) –

incidentId (string) –

incidents_by_time(**kwargs)¶

Get incidents in a timespan for an account

Request Syntax

response = client.incidents_by_time(
    account_id='string'
    end_time='string'
    limit='integer'
    offset='integer'
    pagination='False|True'
    return_value='string'
    start_time='string'
)

Parameters

account_id (string) –
[REQUIRED]

AIMS Account ID
end_time (string) –
[REQUIRED]

Time to end span, either epoch timestamp or an ISO string
limit (integer) – Maximum number of items in the result set
offset (integer) – The (zero-based) offset of the first item in the result set
pagination (boolean) – Enable pagination of the result set
return_value (string) – Comma delimited list of dot-notation string names of desired properties in the result set. Use if you only want a subset of attributes from each incident
start_time (string) –
[REQUIRED]

Time to begin span, either epoch timestamp or an ISO string

Return type

dict

Returns

Response Syntax

'dict|list'

Response Definitions

partner_account_incidents(**kwargs)¶

Get incidents over a timerange for account and all accounts managed by it.

Request Syntax

response = client.partner_account_incidents(
    account_id='string'
    aid='string'
    end_time='string'
    limit='integer'
    offset='integer'
    pagination='False|True'
    return_value='string'
    start_time='string'
    time_stamp='string'
)

Parameters

account_id (string) –
[REQUIRED]

AIMS Account ID
aid (string) – A comma delimited list of accounts managed by account_id to return. E.g aid=10,11,12,13
end_time (string) –
[REQUIRED]

Time to end span, either epoch timestamp or an ISO string
limit (integer) – Maximum number of items in the result set
offset (integer) – The (zero-based) offset of the first item in the result set
pagination (boolean) – Enable pagination of the result set
return_value (string) – Comma delimited list of dot-notation string names of desired properties in the result set. Use if you only want a subset of attributes from each incident
start_time (string) –
[REQUIRED]

Time to begin span, either epoch timestamp or an ISO string
time_stamp (string) – The timestamp to search for incidents with, either ‘createTime’ or ‘updateTime’

Return type

dict

Returns

Response Syntax

'dict|list'

Response Definitions

partner_incidents(**kwargs)¶

Get incidents over a timerange for caller account and all accounts managed by it.

Request Syntax

response = client.partner_incidents(
    aid='string'
    end_time='string'
    limit='integer'
    offset='integer'
    pagination='False|True'
    return_value='string'
    start_time='string'
    time_stamp='string'
)

Parameters

aid (string) – A comma delimited list of accounts managed by account_id to return. E.g aid=10,11,12,13
end_time (string) –
[REQUIRED]

Time to end span, either epoch timestamp or an ISO string
limit (integer) – Maximum number of items in the result set
offset (integer) – The (zero-based) offset of the first item in the result set
pagination (boolean) – Enable pagination of the result set
return_value (string) – Comma delimited list of dot-notation string names of desired properties in the result set. Use if you only want a subset of attributes from each incident
start_time (string) –
[REQUIRED]

Time to begin span, either epoch timestamp or an ISO string
time_stamp (string) – The timestamp to search for incidents with, either ‘createTime’ or ‘updateTime’

Return type

dict

Returns

Response Syntax

'dict|list'

Response Definitions

reopen_incident(**kwargs)¶

reopen an incident

Request Syntax

response = client.reopen_incident(
    account_id='string'
    incident_id='string'
    notes='string'
)

Parameters

account_id (string) –
[REQUIRED]

AIMS Account ID
incident_id (string) –
[REQUIRED]

IRIS incident ID can either be a length 16 alpha-numeric string e.g. e11111ee11111111 or a UUID e.g. XXXX0000-0000-0000-0000-0XXX00000000
notes (string) –
[REQUIRED]

Notes about completion

Return type

dict

Returns

Response Syntax

{
    'new': {
        'notes': 'string',
        'reason_code': 'string',
        'status': 'string',
        'status_change_time': 'string'
    },
    'old': {
        'notes': 'string',
        'reason_code': 'string',
        'status': 'string',
        'status_change_time': 'string'
    }
}

Response Definitions

new (dict) – [REQUIRED]

notes (string) –

reason_code (string) –

status (string) –

status_change_time (string) –

old (dict) – [REQUIRED]

notes (string) –

reason_code (string) –

status (string) –

status_change_time (string) –

Iris¶

Client¶

Iris ¶

Client ¶