SecurityCenter API: Query

/query

Methods
GET

Gets the list of Queries.

Fields Parameter
Expand

NOTE:  Currently, all fields come back on GET all, but the ** indicates fields which will be listed in a future release

The fields parameter should be specified along the query string, and it takes the syntax

    ?fields=<field>,...

Allowed Fields type "vuln", sourceType "cumulative" | null

* id
** name
** description
creator
owner
ownerGroup
targetGroup
tool
type
tags
context
browseColumns
browseSortColumn
browseSortDirection
createdTime
modifiedTime
status
filters
canManage
canUse
groups

Legend

* = always comes back
** = comes back if fields list not specified on GET all

Request Parameters

Expand

Parameters must be passed in as query string (as opposed to JSON) in the format of: /query?type=lce

{
	"type" : <string> "alert" | "all" | "lce" | "mobile" | "ticket" | "user" | "vuln" DEFAULT "all"
}
Filter Parameters

usable - The response will be an object containing an array of usable Queries. By default, both usable and manageable objects are returned.
manageable - The response will be an object containing all manageable Queries. By default, both usable and manageable objects are returned. 

Example Response
Expand
{
	"type" : "regular",
	"response" : {
		"usable" : [
			{
				"id" : "1",
				"name" : "Name",
				"description" : "Test for posting an alert query"
			},
			{
				"id" : "2",
				"name" : "Post Copy Response Example",
				"description" : ""
			},
			{
				"id" : "3",
				"name" : "Post Copy Response Example2",
				"description" : ""
			},
			{
				"id" : "1391",
				"name" : "TEST",
				"description" : ""
			},
			{
				"id" : "1467",
				"name" : "Test 1",
				"description" : ""
			},
			{
				"id" : "1468",
				"name" : "Test 2",
				"description" : ""
			},
			{
				"id" : "1469",
				"name" : "Test 3",
				"description" : ""
			},
			{
				"id" : "1470",
				"name" : "Test 4",
				"description" : ""
			},
			{
				"id" : "1471",
				"name" : "Test 5",
				"description" : ""
			}
		],
		"manageable" : [
			{
				"id" : "1",
				"name" : "Name",
				"description" : "Test for posting an alert query"
			},
			{
				"id" : "2",
				"name" : "Post Copy Response Example",
				"description" : ""
			},
			{
				"id" : "3",
				"name" : "Post Copy Response Example2",
				"description" : ""
			},
			{
				"id" : "1391",
				"name" : "TEST",
				"description" : ""
			},
			{
				"id" : "1434",
				"name" : "query1",
				"description" : "Created with 'group1's shared asset: 'Test Asset 1'.\n\nThis asset will be unshared"
			},
			{
				"id" : "1435",
				"name" : "query2",
				"description" : "Created with 'group1's shared asset: 'Test Asset 2'.\n\nThis asset will be deleted"
			},
			{
				"id" : "1436",
				"name" : "group1Query",
				"description" : ""
			},
			{
				"id" : "1467",
				"name" : "Test 1",
				"description" : ""
			},
			{
				"id" : "1468",
				"name" : "Test 2",
				"description" : ""
			},
			{
				"id" : "1469",
				"name" : "Test 3",
				"description" : ""
			},
			{
				"id" : "1470",
				"name" : "Test 4",
				"description" : ""
			},
			{
				"id" : "1471",
				"name" : "Test 5",
				"description" : ""
			}
		]
	},
	"error_code" : 0,
	"error_msg" : "",
	"warnings" : [],
	"timestamp" : 1427750981
}

POST

Adds a Query

Request Parameters
Expand
{
	"name" : <string>,
	"description" : <string> DEFAULT "",
	"ownerID" : <string> DEFAULT <Session User ID)
	"tags" : <string> DEFAULT "",
	"type" : <string> "alert" | "lce" | "mobile" | "ticket" | "user" | "vuln",
	"context" : <string> DEFAULT "",
	"browseColumns" : <string> DEFAULT "",
	"browseSortColumn" : <string> DEFAULT "",
	"browseSortDirection" : <string> "ASC" | "DESC" DEFAULT "ASC",
	...
}


Type: "alert" (Expand)
Alert Type
...
	"sortField" : <string> OPTIONAL (alphanumeric word(s) separated by a space/dash),
	"sortDir" : <string> "ASC" | "DESC" OPTIONAL (sort is case insensitive),
	"startOffset" : <number> OPTIONAL (integer; default "1" if not specified and endOffset is specified),
	"endOffset" : <number> OPTIONAL (integer),
	"tool" : <string> "listalerts",
	"filters" : [
		{
			"filterName" : <string> "alertName" | "createdEndTime" | "createdStartTime" | "createdTimeFrame" | "description" | "didTriggerLastEvaluation" | "lastEvaluatedEndTime" | "lastEvaluatedStartTime" | "lastEvaluatedTimeFrame" | "lastTriggeredEndTime" | "lastTriggeredStartTime" | "lastTriggeredTimeFrame" | "modifiedEndTime" | "modifiedStartTime" | "modifiedTimeFrame",
			"operator" : <string> "",
			"value" : <string> | <number>
		}...
	] DEFAULT []
...
Type: "lce" (Expand)
LCE Type

NOTE: Filter operators are not validated, but the provided filters are the ones that will properly function.

...
	"sortField" : <string> OPTIONAL (alphanumeric word(s) separated by a space/dash. Must accompany sortDir),
	"sortDir" : <string> "ASC" | "DESC" OPTIONAL (default "ASC" if not specified and sortField is specified),
	"startOffset" : <number> OPTIONAL (integer; lower bound to returned record set. default 0 if not specified),
	"endOffset" : <number> OPTIONAL (integer; upper bound to returned record set. default 100 if not specified),
	"tool" : <string> "listdata" | "sumasset" | "sumclassa" | "sumclassb" | "sumclassc" | "sumdate" | "sumevent" | "sumevent2" | "sumip" | "sumport" | "sumprotocol" | "sumsensor" | "sumtime" | "sumtype" | "sumuser" | "syslog" | "timedist",
	"filters" : [
		{
			"filterName" : <string> "asset" | "assetID" | "connectionDirection" | "correlated" | "date" | "destAsset" | "destAssetID" | "destip" | "detailedEventName" | "dport" | "endtime" | "eventName" | "ip" | "lce" | "lceIDs" | "numEvents" | "outputAssets" | "port" | "protocol" | "repository" | "repositoryIDs" | "sensor" | "silo" | "sourceAsset" | "sourceAssetID" | "sourceip" | "sport" | "starttime" | "text" | "timeframe" | "type" | "user",
 
			filterName "asset" | "assetID" | "connectionDirection" | "correlated" | "date" | "destAsset" | "destAssetID" | "destip" | "detailedEventName" | "endtime" | "eventName" | "ip" | "lce" | "lceIDs" | "numEvents" | "outputAssets" | "protocol" | "repository" | "repositoryIDs" | "sensor" | "silo" | "sourceAsset" | "sourceAssetID" | "sourceip" | "starttime" | "text" | "timeframe" | "type" | "user"
			-------------------------------------------
			"operator" : <string> "=" | "!=",
			"value" : (Format depends on filter's "filterName" parameter)
 
			filterName "dport" | "port" | "sport"
			-------------------------------------------
			"operator" :  <string> "=" | "!=" | "<=" | ">=",
			"value" : (Format depends on filter's "filterName" parameter)

		}...
	] DEFAULT []
...
sourceType "archive"

Note: sourceType will never be "archive." This is included for informational purposes only. Current functionality doesn't accept sourceType parameter, and will always set it to default QUERY_NOT_TREND (null)

...
	"view" : <string>,
	"lce" : {
		"id" : <number>
	}
...
Type: "mobile" (Expand)
Mobile Type

NOTE: Filter operators are not validated, but the provided filters are the ones that will properly function.

...
	"sortField" : <string> OPTIONAL (alphanumeric; any valid field returned in the results entry for the corresponding tool.  [Some restrictions apply.]  Must accompany sortDir),
	"sortDir" : <string> "ASC" | "DESC" OPTIONAL (default "ASC" if not specified and sortField is specified),
	"startOffset" : <number> OPTIONAL (integer; lower bound to returned record set.  Must be explicitly supplied for tool "vulndetails"),
	"endOffset" : <number> OPTIONAL (integer; upper bound to returned record set.  Must be explicitly supplied for tool "vulndetails"),
	"tool" : <string> "listvuln" | "sumdeviceid" | "summdmuser" | "summodel" | "sumoscpe" | "sumpluginid" | "vulndetails",
	"filters" : [
		{
			"filterName" : <string> "baseCVSSScore" | "cvssV3BaseScore" | "deviceID" | "deviceModel" | "deviceUser" | "deviceVersion" | "exploitAvailable" | "family" | "familyID" | "lastMitigated" | "lastSeen" | "mdmType" | "osCPE" | "patchPublished" | "pluginID" | "pluginModified" | "pluginName" | "pluginOutput" | "pluginPublished" | "port" | "protocol" | "repository" | "repositoryIDs" | "serialNumber" | "severity" | "vulnPublished",
			  			
			filterName "osCPE" | "baseCVSSScore" | "cvssV3BaseScore" |"pluginOutput" | "repository" | "repositoryIDs" | "deviceID" | "deviceModel" | "deviceUser" | "pluginID"
			------------------------------------------------------------
			"operator" : "=" | "!=",
			"value" : (Format depends on filter's "filterName" parameter)
 
			filterName "mdmType" | "pluginName" | "lastMitigated" | "lastSeen" | "vulnPublished" | "pluginModified" | "patchPublished" | "pluginPublished" | "acceptedRisk" | "daysMitigated" | "dnsName" | "exploitAvailable" | "family" | "familyID" | "ip" | "lastMitigated" | "mitigatedStatus" | "pluginText" | "port" | "protocol" | "recastRisk" | "responsibleUser" | "severity" | "xref"
			---------------------------------------------------------------------------------------------------------------------------------
			"operator" : <string> "=" | "<=" | ">=" | "!=" | "between" | "outside" | "contains" | "excludes" | "in" | "!in",
			"value" : (Format depends on filter's "filterName" parameter)
			
		}...
	] DEFAULT []
...
Type: "ticket" (Expand)
Ticket Type
...
	"sortField" : <string> OPTIONAL (alphanumeric; must accompany sortDir),
	"sortDir" : <string> "ASC" | "DESC" OPTIONAL (sort is case insensitive; must accompany sortField),
	"startOffset" : <number> OPTIONAL (integer; default "0" if not specified and endOffset is specified),
	"endOffset" : <number> OPTIONAL (integer),
	"tool" : <string> "listtickets" | "sumassignee" | "sumclassification" | "sumcreator" | "sumstatus",
	"filters" : [
		{
			"filterName" : <string> "assignedEndTime" | "assignedStartTime" | "assignedTimeFrame" | "assignee" | "assigneeID" | "classification" | "closedEndTime" | "closedStartTime" | "closedTimeFrame" | "createdEndTime" | "createdStartTime" | "createdTimeFrame" | "modifiedEndTime" | "modifiedStartTime" | "modifiedTimeFrame" | "owner" | "ownerID" | "resolvedEndTime" | "resolvedStartTime" | "resolvedTimeFrame" | "status",
			"value" : (Format depends on filter's "filterName" parameter)
		}...
	] DEFAULT []
...
Type: "user" (Expand)
User Type
...
	"sortField" : <string> OPTIONAL (alphanumeric; must accompany sortDir.  username, roleID, and groupID will attempt to perform case-insensitive sort on the text field in relation to the ID),
	"sortDir" : <string> "ASC" | "DESC" OPTIONAL (sort is case insensitive; must accompany sortField),
	"startOffset" : <number> OPTIONAL (integer; default "1" if not specified and endOffset is specified),
	"endOffset" : <number> OPTIONAL (integer),
	"tool" : <string> "listusers" | "sumgroup" | "sumrole",
	"filters" : [
		{
			"filterName" : <string> "address" | "authType" | "country" | "email" | "fax" | "firstname" | "group" | "groupID" | "lastLoginEndTime" | "lastLoginStartTime" | "lastLoginTimeFrame" | "lastname" | "locked" | "phone" | "role" | "roleID" | "state" | "title" | "username",
			"operator" : <string>,
			"value" : (Format depends on filter's "filterName" parameter)
		}...
	]
...
Type: "vuln" (Expand)
Vuln Type

NOTE: Filter operators are not validated, but the provided filters are the ones that will properly function.

...
	"sortField" : <string> OPTIONAL (alphanumeric; any valid field returned in the results entry for the corresponding tool.  [Some restrictions apply.]  Must accompany sortDir),
	"sortDir" : <string> "ASC" | "DESC" DEFAULT "ASC" (default "ASC" if not specified and sortField is specified),
	"startOffset" : <number> OPTIONAL (integer; lower bound to returned record set.  Must be explicitly supplied for tools "vulndetails" and "listvuln"),
	"endOffset" : <number> OPTIONAL (integer; upper bound to returned record set.  Must be explicitly supplied for tools "vulndetails" and "listvuln"),
	"tool" : <string> "iplist" | "listmailclients" | "listos" | "listservices" | "listsoftware" | "listsshservers" | "listvuln" | "listwebclients" | "listwebservers" | "sumasset" | "sumcce" | "sumclassa" | "sumclassb" | "sumclassc" | "sumcve" | "sumdnsname" | "sumfamily" | "sumiavm" | "sumid" | "sumip" | "summsbulletin" | "sumport" | "sumprotocol" | "sumremediation" | "sumseverity" | "sumuserresponsibility" | "vulndetails" | "vulnipdetail" | "vulnipsummary",
	"filters" : [
		{
			"filterName" : <string> "acceptRiskStatus" | "asset" | "assetID" | "auditFile" | "auditFileID" | "baseCVSSScore" | "benchmarkName" | "cceID" | "cpe" | "cveID" | "cvssV3BaseScore" | "cvssV3Vector" | "cvssVector" | "dataFormat" | "daysMitigated" | "daysToMitigated" | "dnsName" | "exploitAvailable" | "exploitFrameworks" | "family" | "familyID" | "firstSeen" | "iavmID" | "ip" | "lastMitigated" | "lastSeen" | "mitigatedStatus" | "msbulletinID" | "outputAssets" | "patchPublished" | "pluginID" | "pluginModified" | "pluginName" | "pluginPublished" | "pluginText" | "pluginType" | "policy" | "policyID" | "port" | "protocol" | "recastRiskStatus" | "repository" | "repositoryIDs" | "responsibleUser" | "responsibleUserIDs" | "severity" | "stigSeverity" | "tcpport" | "udpport" | "uuid" | "vulnPublished" | "xref",
 
			filterName "acceptRiskStatus"
			-----------------------------
			"operator" : <string> "=",
			"value" : <string> "all" | "accepted" | "notAccepted"
 
			NOTE: During evaluation on the Analysis page, or for various objects, presenting 
			      no "acceptRiskStatus" filter defaults to the "notAccepted" behavior.
  
			filterName "asset"
			------------------
			"operator": <string> "=" | "~" (combination expression),
 
			filterName "asset", operator "="
			--------------------------------
			"value" : [
				{
					"id" : <number> (integer)
				}...
			]
 
			filterName "asset", operator "~"
			--------------------------------
			"value" : <comboRecord> { 
				"operator": <string> "complement" | "intersection" | "difference" | "union", 
				"operand1": <comboRecord> | <number> (integer) | {
					"id" : <number> (integer)
				}
 
				operator not "complement"
				-------------------------
				"operand2": <comboRecord> | <number> (integer) | {
					"id" : <number> (integer)
				}
			}

			filterName "auditFile" | "policy" | "repository" | "responsibleUser"
			--------------------------------------------------------------------
			"operator": <string> "=",
			"value" : {
				"id" : <number> (integer)
			}
 			
			filterName "baseCVSSScore"
			--------------------------
			"operator" : <string> "=",
			"value" : <string> (inclusive, nonnegative, decimal range, using a dash ["-"] delimiter)

			filterName "cvssV3BaseScore"
			--------------------------
			"operator" : <string> "=",
			"value" : <string> (inclusive, nonnegative, decimal range, using a dash ["-"] delimiter)
			
			filterName "benchmarkName"
			--------------------------
			"operator" : <string> "=" (fuzzy-left, right-anchored match),
			"value" : <string> 

			filterName "cceID" | "iavmID"
			-----------------------------
			"operator" : <string> "=" (fuzzy match),
			"value" : <string> (comma-separated list)

			filterName "cpe"
			----------------
			"operator": <string> "=" (i.e. explicit per entry) | 
			                     "~=" (i.e. fuzzy match across entire entries string) | 
			                     "pcre" (i.e. Perl-compatible, regular expression, across entire entries string),
 
			filterName "cpe", operator "=" | "~="
			-------------------------------------
			"value" : <string> (comma-separated or newline-separated list)

			filterName "cpe", operator "pcre"
			---------------------------------
			"value" : <string> (Perl-compatible, regular expression)

			filterName "cveID" | "msbulletinID"
			-----------------------------------
			"operator" : <string> "=" (fuzzy match),
			"value" : <string> (comma-separated or newline-separated list)

			filterName "cvssVector"
			-----------------------
			"operator" : <string> "=",
			"value" : <string> (comma-separated list of Simple or Complex CVSS vectors)
 
								Simple CVSS Vector = <string> "AV:L" | "AV:A" | "AV:N" | "AC:H" | "AC:M" | "AC:L" | "Au:N" | "Au:S" | "Au:M" | "C:N" | "C:P" | "C:C" | "I:N" | "I:P" | "I:C" | "A:N" | "A:P" | "A:C" | "E:ND" | "E:U" | "E:P" | "E:POC" | "E:F" | "E:H" | "RL:ND" | "RL:O" | "RL:OF" | "RL:T" | "RL:TF" | "RL:W" | "RL:U" | "RC:ND" | "RC:UC" | "RC:UR" | "RC:C"
								Complex CVSS Vector = <string> (slash-separated list of Simple CVSS Vectors where all entries must match)

			filterName "cvssV3Vector"
			-----------------------
			"operator" : <string> "=",
			"value" : <string> (comma-separated list of Simple or Complex CVSS vectors)
 
								Simple CVSS Vector = <string> "AV:P" | "AV:L" | "AV:A" | "AV:N" | "AC:H" | "AC:L" | "PR:H" | "PR:L" | "PR:N" | "PR:U" | "UI:R" | "UI:N" | "S:C" | "S:U" | "C:N" | "C:L" | "C:H" | "I:N" | "I:L" | "I:H" | "A:N" | "A:L" | "A:H" | "E:H" | "E:F" | "E:P" | "E:U" | "E:X" | "RL:U" | "RL:W" | "RL:OF" | "RL:T" | "RL:O" | "RL:X" | "RC:C" | "RC:R" | "RC:U" | "RC:X"
								Complex CVSS Vector = <string> (slash-separated list of Simple CVSS Vectors where all entries must match)

			filterName "daysMitigated" | "firstSeen" | "lastMitigated" | "lastSeen" | "pluginModified" | "pluginPublished" | "vulnPublished"
			---------------------------------------------------------------------------------------------------------------------------------------------------
			"operator": <string> "=" (relative with custom format),
			"value" : <string> "<minDaysBack>:<maxDaysBack>" (Both minDaysBack and maxDaysBack are provided in the number of days ago. [e.g. "0:90" is between now and 90 days ago].) | "<minDaysBack>:all" (A value "all" indicates to return all results before minDaysBack) | "currentMonth" | "lastMonth" | "currentQuarter" (i.e. the current fiscal quarter) | "lastQuarter"

			filterName "dnsName"
			--------------------
			"operator" : <string> "=",
			"value" : <string> (comma-separated or newline-separated list of valid DNS names)
 
			filterName "exploitAvailable"
			-----------------------------
			"operator" : <string> "=",
			"value" : <string> "true" | "false"

			filterName "exploitFrameworks"
			------------------------------
			"operator": <string> "=" (i.e. explicit for entire entries string) | 
			                     "~=" (i.e. fuzzy match across entire entries string),
			"value" : <string>

			filterName "family"
			-------------------
			"operator": <string> "=" | "!=",
			"value" : [
				{
					"id" : <number> (integer)
				}...
			]

			filterName "ip"
			---------------
			"operator" : <string> "=" | "!=",
			"value" : <string> (comma-separated or newline-separated list of valid IPs and/or DNS names)

			filterName "mitigatedStatus"
			----------------------------
			"operator": <string> "=",
			"value" : <string> "previously" | "never"
 
 			filterName "outputAssets"
			-------------------------
			"operator": <string> "=",
			"value" : <string> (comma-separated list of Integers) | [
				{
					"id" : <number> (integer)
				}...
			]
 			filterName "patchPublished"
			---------------------------
			"operator": <string> "=",
			"value" : <string> "<endDay>:<startDay>" | "<endDay>:all" (Both endDay and startDay are provided in the number of days ago. [e.g. "0:90" is between now and 90 days ago]. A value of "all" for startDay is interpreted as "0" [i.e. from "now", back endDay days ago]) | "currentMonth" | "lastMonth" | "currentQuarter" (i.e. the current fiscal quarter) | "lastQuarter" | "none" (i.e vulnerabilities that cannot be resolved through a patch)
			
			filterName "pluginID"
			---------------------
			"operator" : <string> "=" | "!=" | "<=" | ">=",

			filterName "pluginID", operator "=" | "!="
			------------------------------------------
			"value" : <number> (comma-separated or newline-separated list of integers or inclusive integer ranges, using a dash ["-"] delimiter, with each value between 0 and 8388607)

			filterName "pluginID", operator "<=" | ">="
			-------------------------------------------
			"value" : <number> (integer, between 0 and 8388607)

			filterName "pluginName"
			-----------------------
			"operator": <string> "=" (i.e. fuzzy match) | "pcre" (i.e. Perl-compatible, regular expression),
			"value" : <string>


			filterName "pluginText"
			-----------------------
			"operator": <string> "=" (i.e. fuzzy match, stripped text [forced]) | 
			                     "pcre" (i.e. Perl-compatible, regular expression, stripped text [forced]),
			"value" : <string>

			filterName "pluginType"
			-----------------------
			"operator": <string> "=",
			"value" : <string> "passive" | "lce" | "active" | "compliance" (comma-separated)
 
			filterName "port" | "tcpport" | "udpport"
			-----------------------------------------
			"operator" : <string> "=" | "!=" | "<=" | ">=",
 
			filterName "port" | "tcpport" | "udpport", operator "=" | "!="
			--------------------------------------------------------------
			"value" : <number> (comma-separated or newline-separated list of integers or inclusive integer ranges, using a dash ["-"] delimiter, with each value between 0 and 65535)

			filterName "port" | "tcpport" | "udpport", operator "<=" | ">="
			---------------------------------------------------------------
			"value" : <number> (integer, between 0 and 65535)
 
			filterName "protocol"
			---------------------
			"operator": <string> "=" | "!=",
			"value" : <string> (comma-separated or newline-separated list of integers)

			filterName "recastRiskStatus"
			-----------------------------
			"operator" : <string> "=",
			"value" : <string> "recast" | "notRecast"

			filterName "severity"
			---------------------
			"operator": <string> "=" | "!=",
			"value" : <string> (comma-separated or newline-separated list of integers) | [
				{
					"id" : <number> (integer)
				}...
			]
 
			filterName "stigSeverity"
			-------------------------
			"operator": <string> "=" | "!=",
			"value" : <string> (comma-separated or newline-separated list of Roman Numerals) | [
				{
					"id" : <string> (valid Roman Numeral)
				}...
			]
 
			filterName "xref"
			-----------------
			"operator" : <string> "=" | "!=",
			"value" : <string> (comma-separated list of XREF Expressions)
				XREF Expression = <string> "<type>|<wildCard>" (XREF Type and ID Wildcard, pipe-delimited)
					XREF Type = <string>
					ID Wildcard = <string> (where "?" matches a single occurrence of any character and "*" matches any character, any number of times)
 		}...
	] DEFAULT []
...
sourceType null

Note: sourceType will always be null. Current functionality doesn't accept sourceType parameter, and will always set it to default QUERY_NOT_TREND (null)

...
	"tool" : <string> "cceipdetail" | "cveipdetail" | "iavmipdetail" | "ipcount" | "iplist" | "listmailclients" | "listos" | "listservices" | "listsoftware" | "listsshservers" | "listvuln" | "listwebclients" | "listwebservers" | "popcount" | "sumasset" | "sumcce" | "sumcceasr" | "sumclassa" | "sumclassb" | "sumclassc" | "sumcpe" | "sumcve" | "sumdnsname" | "sumfamily" | "sumiavm" | "sumid" | "sumip" | "summsbulletin" | "sumport" | "sumprotocol" | "sumremediation" | "sumseverity" | "sumuserresponsibility" | "trend" | "vulndetails" | "vulnipdetail" | "vulnipsummary"
...
sourceType "cumulative"

Note: sourceType will never be "cumulative." This is included for informational purposes only. Current functionality doesn't accept sourceType parameter, and will always set it to default QUERY_NOT_TREND (null)

...
	"tool" : <string> "cceipdetail" | "cveipdetail" | "iavmipdetail" | "ipcount" | "iplist" | "listmailclients" | "listos" | "listservices" | "listsoftware" | "listsshservers" | "listvuln" | "listwebclients" | "listwebservers" | "popcount" | "sumasset" | "sumcce" | "sumcceasr" | "sumclassa" | "sumclassb" | "sumclassc" | "sumcpe" | "sumcve" | "sumdnsname" | "sumfamily" | "sumiavm" | "sumid" | "sumip" | "summsbulletin" | "sumport" | "sumprotocol" | "sumremediation" | "sumseverity" | "sumuserresponsibility" | "trend" | "vulndetails" | "vulnipdetail" | "vulnipsummary",
	"scanID" : <number>
...
Example Response
Expand
{
	"type" : "regular",
	"response" : {
		"id" : "12"
		"creatorID" : "1",
		"ownerID" : "1",
		"name" : "Test Combo Filter 2",
		"description" : "",
		"tool" : "sumid",
		"type" : "vuln",
		"tags" : "",
		"context" : "",
		"browseColumns" : "",
		"browseSortColumn" : "",
		"browseSortDirection" : "ASC",
		"createdTime" : "1403620113",
		"modifiedTime" : "1403620113",
		"status" : "0",
		"ownerGID" : "0",
		"targetGID" : "-1",
		"filters" : [
			{
				"filterName" : "ip",
				"operator" : "=",
				"value" : "192.168.1.100"
			}
		],
		"canManage" : "true",
		"canUse" : "true",
		"creator" : {
			"id" : "1"
			"username" : "JohnD",
			"firstname" : "John",
			"lastname" : "Doe"
		},
		"owner" : {
			"id" : "1",
			"username" : "JohnD",
			"firstname" : "John",
			"lastname" : "Doe"
		},
		"ownerGroup" : {
			"id" : "0",
			"name" : "Full Access",
			"description" : "Full Access group"
		},
		"targetGroup" : {
			"id" : -1,
			"name" : "",
			"description" : ""
		}
	},
	"error_code" : 0,
	"error_msg" : "",
	"warnings" : [],
	"timestamp" : 1404224762
}

/query/{id}

Methods
GET

Gets the Query associated with {id}.

Fields Parameter
Expand

The fields parameter should be specified along the query string, and it takes the syntax

    ?fields=<field>,...

Allowed Fields

* id
** name
** description
creator
owner
ownerGroup
targetGroup
tool
type
tags
context
browseColumns
browseSortColumn
browseSortDirection
createdTime
modifiedTime
status
filters
canManage
canUse
groups

Legend

* = always comes back
** = comes back if fields list not specified on GET all


NOTE:  Currently, all fields come back on GET all, but the ** indicates fields which will be listed in a future release

Example Response
Expand
{
	"type" : "regular",
	"response" : {
		"id" : "12"
		"creatorID" : "1",
		"ownerID" : "1",
		"name" : "Test Combo Filter 2",
		"description" : "",
		"tool" : "sumid",
		"type" : "vuln",
		"tags" : "",
		"context" : "",
		"browseColumns" : "",
		"browseSortColumn" : "",
		"browseSortDirection" : "ASC",
		"createdTime" : "1403620113",
		"modifiedTime" : "1403620113",
		"status" : "0",
		"ownerGID" : "0",
		"targetGID" : "-1",
		"filters" : [
			{
				"filterName" : "ip",
				"operator" : "=",
				"value" : "192.168.1.100"
			}
		],
		"canManage" : "true",
		"canUse" : "true",
		"creator" : {
			"id" : "1"
			"username" : "JohnD",
			"firstname" : "John",
			"lastname" : "Doe"
		},
		"owner" : {
			"id" : "1",
			"username" : "JohnD",
			"firstname" : "John",
			"lastname" : "Doe"
		},
		"ownerGroup" : {
			"id" : "0",
			"name" : "Full Access",
			"description" : "Full Access group"
		},
		"targetGroup" : {
			"id" : -1,
			"name" : "",
			"description" : ""
		}
	},
	"error_code" : 0,
	"error_msg" : "",
	"warnings" : [],
	"timestamp" : 1404224762
}

PATCH

Edits the Query associated with {id} , changing only the passed in fields.

Request Parameters

(All fields are optional)

See /query::POST for parameters.

Example Response
See /query/{id}::GET

DELETE

Deletes the Query associated with {id} , depending on access and permissions.

Example Response
Expand
{
	"type" : "regular",
	"response" : "",
	"error_code" : 0,
	"error_msg" : "",
	"warnings" : [],
	"timestamp" : 1403100582
}

/query/{id}/share

Methods
POST

Shares the Query associated with {id}, depending on access and permissions

Request Parameters
Expand
{
	"groups" : [
		{
			"id" : <number>
		}...
	]
}
Example Response
Expand
{
	"type" : "regular",
	"response" : {
		"id" : "3",
		"creatorID" : "1",
		"ownerID" : "1",
		"name" : "Post Copy Response Example2",
		"description" : "",
		"tool" : "sumid",
		"type" : "vuln",
		"tags" : "",
		"context" : "",
		"browseColumns" : "",
		"browseSortColumn" : "",
		"browseSortDirection" : "ASC",
		"createdTime" : "1408380088",
		"modifiedTime" : "1408380088",
		"status" : "0",
		"ownerGID" : "0",
		"targetGID" : "-1",
		"filters" : [
			{
				"filterName" : "ip",
				"operator" : "=",
				"value" : "192.168.1.100"
			}
		],
		"creator" : {
			"id" : "1",
			"username" : "head",
			"firstname" : "Security Manager",
			"lastname" : ""
		},
		"owner" : {
			"id" : "1",
			"username" : "head",
			"firstname" : "Security Manager",
			"lastname" : ""
		},
		"ownerGroup" : {
			"id" : "0",
			"name" : "Full Access",
			"description" : "Full Access group"
		},
		"targetGroup" : {
			"id" : -1,
			"name" : "",
			"description" : ""
		}
	},
	"error_code" : 0,
	"error_msg" : "",
	"warnings" : [],
	"timestamp" : 1409087882
}

/query/tag

Methods
GET

Gets the full list of unique Query tags

Example Response
Expand
{
	"type" : "regular",
	"response" : [
		"Tag1",
		"Tag2",
		"Tag3"
	],
	"error_code" : 0,
	"error_msg" : "",
	"warnings" : [],
	"timestamp" : 1461093219
}