{"components":{"schemas":{"BulkPatchChildOrganizationLicensingInput":{"properties":{"items":{"description":"Per-organization transitions to apply. Capped at 200 entries per call. The same org_id may not appear more than once. The caller must be able to manage licenses on every listed organization, or the entire request is rejected before any transition is attempted.","items":{"$ref":"#/components/schemas/Handler_typesBulkLicensingItem"},"maxItems":200,"minItems":1,"type":"array"}},"required":["items"],"type":"object"},"CreateChildOrganizationInput":{"properties":{"can_add_children":{"description":"Whether the child organization can have its own child organizations","nullable":true,"type":"boolean"},"can_manage_child_licenses":{"description":"Whether the child organization can manage its descendants' licenses","nullable":true,"type":"boolean"},"licenses":{"description":"Licenses to provision on the new organization. Omit for an unlicensed (free) org.","items":{"$ref":"#/components/schemas/Handler_typesLicenseInput"},"type":"array"},"name":{"description":"Name of the child organization","type":"string"}},"required":["name"],"type":"object"},"Enrichment_typesBrandInfo":{"description":"Information about the recognized brand on the target page","properties":{"confidence":{"description":"Level of confidence that the correct brand (or none) was identified","enum":["low","medium","high"],"type":"string"},"name":{"description":"Name of identified brand in the target page. Null if no brand was identified.","enum":["ABN","ADP","AOL","AT&T","Adobe","AliExpress","Amazon","American Express","Apple","Authentisign","Awardco","BB&T Corporation","BBVA","BT","Bass Pro Shop","Bank of America","Barclays","Belastingdienst","Benteler","BeyondTrust","Bol","Box","CFA","CNA","CVS","Caixabank","Capital One Bank","CalPoly","Captcha","Carta","Chase","ChicagoTitle","Citi","Cloudflare","Coinbase","Couer Mining","CyberArk","DHL","DKB","DPD","Dayforce","Digid","Discord","Discover","Disney","DocuSign","Dropbox","EY","Ebay","Europol","Experian","Facebook","FakeAttachment","FanDuel","FedEx","FidelityTitle","FirstAm","FuboTV","GLS","GM","GeekSquad","Gemini Trust","Generic Captcha","Generic Webmail","Github","Gmail","GoDaddy","Google","GoogleDrive","Google Voice","Gusto","HSBC Bank","Heroku","Home Depot","HubSpot","Hulu","Huntress","ING","IRS","Indeed","Instagram","Invite Company","JFrog","KPN","Kehe","Key Bank","LawyersTitle","Ledger","LinkedIn","Lloyds","M & T Bank","MadisonTitle","MailChimp","Mailgun","Mastercard","McAfee","Meta","MetaMask","Microsoft","Microsoft Office365","Microsoft OneDrive","Microsoft Outlook","Microsoft SharePoint","Microsoft Teams","Mimecast","NATO","NHS","NatWest","Navan","Navy Federal Credit Union","Netflix","Norton","OVO","Okta","OldRepublicTitle","OpenAI","PNC","Palo Alto Networks","Pandora","PayPal","PostNL","Postbank","Proton","Pulley","QuicklySign","Quickbooks","RBS","RLI","Rabobank","Rakuten","Robert Half","RoyalMail","SBB","SSA","Santander","Schwab","SendGrid","Shein","Signal","Silicon Valley Bank","Slack","Snowflake","Sparkasse","Spotify","Square","StewartTitle","Stratus","Stripe","SunTrust Bank","Swiss Post","Swisscom","TD Bank","Target","Targobank","Threads","TicorTitle","Tidal","TikTok","Trezor","TrustWallet","Tyrell","U.S. Bank","UCSB","UPS","USPS","Vanguard","Venmo","Visa","Vodafone","Volksbank","WeTransfer","Wells Fargo","Wex","WhatsApp","Wise","Workday","WoS","X","Yahoo","Zebra","Zelle","Zendesk","Ziggo","Zoom","Zscaler"],"type":"string"}},"type":"object"},"Enrichment_typesCredPhish":{"description":"CredPhish analysis of the screenshot taken for the final URL","properties":{"brand":{"$ref":"#/components/schemas/Enrichment_typesBrandInfo"},"confidence":{"description":"Level in a credential phish assessment, only set if .disposition is phishing","enum":["low","medium","high"],"type":"string"},"contains_captcha":{"description":"Final page contains a captcha test","nullable":true,"type":"boolean"},"contains_login":{"description":"Final page resembles a login screen","nullable":true,"type":"boolean"},"disposition":{"description":"Verdict of the link, determined by various stages of analysis","enum":["benign","phishing","unknown"],"type":"string"}},"type":"object"},"Enrichment_typesLinkAnalysisResult":{"description":"ml.link_analysis output","properties":{"additional_responses":{"description":"Additional HTTP responses for the page, which could be additional resources, XHR requests, etc.","items":{"$ref":"#/components/schemas/Link_analysis_typesAdditionalResponse"},"type":"array"},"analyzed":{"description":"Whether the target page was successfully analyzed for credential phishing attempts","type":"boolean"},"content_type":{"description":"Content type of the page","type":"string"},"credphish":{"$ref":"#/components/schemas/Enrichment_typesCredPhish"},"diagnostics":{"$ref":"#/components/schemas/Enrichment_typesLinkAnalysisRunDiagnostics"},"effective_url":{"$ref":"#/components/schemas/Mdm_serviceURL"},"files_downloaded":{"description":"All downloads from the page. These must download without interaction and within a few seconds","items":{"$ref":"#/components/schemas/Link_analysis_typesDownloadedFile"},"type":"array"},"final_dom":{"$ref":"#/components/schemas/Link_analysis_typesFinalDOM"},"original_url":{"$ref":"#/components/schemas/Mdm_serviceURL"},"redirect_history":{"description":"Each URL which the link analysis service was redirected through","items":{"$ref":"#/components/schemas/Mdm_serviceURL"},"type":"array"},"retrieved":{"description":"Whether the page was successfully retrieved","type":"boolean"},"retrieved_at":{"description":"Time when the link analysis was initially retrieved","format":"date-time","nullable":true,"type":"string"},"screenshot":{"$ref":"#/components/schemas/Mdm_serviceFile"},"status_code":{"description":"HTTP status code for the requested page","format":"int32","type":"integer"},"submitted":{"description":"Whether the page was submitted to be retrieved for analysis","type":"boolean"},"unique_urls_accessed":{"description":"All unique URLs accessed during the analysis","items":{"$ref":"#/components/schemas/Mdm_serviceURL"},"type":"array"}},"type":"object"},"Enrichment_typesLinkAnalysisRunDiagnostics":{"description":"INTERNAL","properties":{"created_at":{"description":"When the diagnostic object was created","format":"date-time","type":"string"},"submit_verdict":{"description":"Reason the URL was [not] submitted to Link Analysis","type":"string"},"submit_verdict_url":{"description":"The URL upon which the submit verdict was based","type":"string"}},"type":"object"},"FfiJSON":{"description":"Response from the URL decoded as a JSON object for application/json content types","type":"object"},"Handler_typesBulkLicensingItem":{"properties":{"licenses":{"description":"License transition to apply to this organization. Exactly one license per entry is supported today; the array shape is reserved for future multi-SKU support.","items":{"$ref":"#/components/schemas/Handler_typesLicenseInput"},"maxItems":1,"minItems":1,"type":"array"},"org_id":{"description":"ID of the child organization this entry targets. Must be a descendant of the calling organization.","example":"019263d1-7c1a-7c8e-9c66-f1c2a9b1f4e2","format":"uuid","type":"string"}},"required":["licenses","org_id"],"type":"object"},"Handler_typesBulkLicensingResult":{"properties":{"error":{"description":"Human-readable failure reason when status is \"failed\". Safe to surface to end users.","example":"enterprise subscriptions cannot be transitioned to a trial","type":"string"},"licenses":{"description":"Licenses present on the organization after the transition. Populated when status is \"ok\".","items":{"$ref":"#/components/schemas/TypesLicense"},"type":"array"},"org_id":{"description":"ID of the organization this result applies to.","example":"019263d1-7c1a-7c8e-9c66-f1c2a9b1f4e2","format":"uuid","type":"string"},"status":{"description":"\"ok\" if the transition succeeded for this organization; \"failed\" otherwise. Inspect error for the failure reason.","enum":["ok failed"],"example":"ok","type":"string"},"warnings":{"description":"Non-fatal issues encountered while applying the transition for this organization.","items":{"type":"string"},"type":"array"}},"type":"object"},"Handler_typesBulkPatchChildOrganizationLicensingResponse":{"properties":{"results":{"description":"One entry per requested organization, in the same order as the request's items array. Inspect each entry's status field to detect partial failure.","items":{"$ref":"#/components/schemas/Handler_typesBulkLicensingResult"},"type":"array"}},"type":"object"},"Handler_typesChildOrganizationSearchHit":{"properties":{"active_automation_rule_count":{"description":"Number of active automation rules","format":"int32","type":"integer"},"active_detection_rule_count":{"description":"Number of active detection rules","format":"int32","type":"integer"},"active_mailbox_count":{"description":"Number of currently active mailboxes","format":"int32","type":"integer"},"can_add_children":{"description":"Whether this organization can add child organizations","nullable":true,"type":"boolean"},"can_manage_child_licenses":{"description":"Whether this organization can manage child organization licenses","nullable":true,"type":"boolean"},"created_at":{"description":"Time at which the organization was created","format":"date-time","type":"string"},"deleted_at":{"description":"Time at which org was soft deleted (inaccessible, data not deleted)","format":"date-time","nullable":true,"type":"string"},"depth":{"description":"Depth of this organization relative to the search root (1 = direct child of the search root, 2 = grandchild, etc.)","example":1,"format":"int32","type":"integer"},"id":{"description":"Organization unique ID","type":"string"},"licenses":{"description":"Active licenses for this organization","items":{"$ref":"#/components/schemas/TypesLicense"},"type":"array"},"name":{"description":"Organization chosen name","type":"string"},"parent":{"$ref":"#/components/schemas/Handler_typesChildOrganizationSearchHitParent"},"parent_org_id":{"description":"ID of this organization's parent in the hierarchy. The top-level organization has no parent. Omitted when not populated.","nullable":true,"type":"string"},"scheduled_for_deletion_at":{"description":"Time at which hard deletion of org data is scheduled to begin","format":"date-time","nullable":true,"type":"string"},"total_mailbox_count":{"description":"Total number of mailboxes","format":"int32","type":"integer"}},"type":"object"},"Handler_typesChildOrganizationSearchHitParent":{"description":"Immediate parent organization summary. Present only when the request set include_parent=true. The parent's own parent is not populated.","properties":{"active_automation_rule_count":{"description":"Number of active automation rules","format":"int32","type":"integer"},"active_detection_rule_count":{"description":"Number of active detection rules","format":"int32","type":"integer"},"active_mailbox_count":{"description":"Number of currently active mailboxes","format":"int32","type":"integer"},"can_add_children":{"description":"Whether this organization can add child organizations","nullable":true,"type":"boolean"},"can_manage_child_licenses":{"description":"Whether this organization can manage child organization licenses","nullable":true,"type":"boolean"},"created_at":{"description":"Time at which the organization was created","format":"date-time","type":"string"},"deleted_at":{"description":"Time at which org was soft deleted (inaccessible, data not deleted)","format":"date-time","nullable":true,"type":"string"},"depth":{"description":"Depth of this parent organization relative to the search root (0 = the search root itself).","example":0,"format":"int32","type":"integer"},"id":{"description":"Organization unique ID","type":"string"},"licenses":{"description":"Active licenses for this organization","items":{"$ref":"#/components/schemas/TypesLicense"},"type":"array"},"name":{"description":"Organization chosen name","type":"string"},"parent_org_id":{"description":"ID of this organization's parent in the hierarchy. The top-level organization has no parent. Omitted when not populated.","nullable":true,"type":"string"},"scheduled_for_deletion_at":{"description":"Time at which hard deletion of org data is scheduled to begin","format":"date-time","nullable":true,"type":"string"},"total_mailbox_count":{"description":"Total number of mailboxes","format":"int32","type":"integer"}},"type":"object"},"Handler_typesCreateChildOrganizationResponse":{"properties":{"id":{"description":"ID of the newly created organization","format":"uuid","type":"string"},"licenses":{"description":"Licenses successfully provisioned on the new organization","items":{"$ref":"#/components/schemas/TypesLicense"},"type":"array"},"warnings":{"description":"Non-fatal issues encountered while applying optional settings","items":{"type":"string"},"type":"array"}},"type":"object"},"Handler_typesLicenseInput":{"properties":{"sku":{"description":"Product SKU identifier","type":"string"},"status":{"description":"Desired billing state for the license. Use \"canceled\" to downgrade an existing license back to free.","type":"string"},"trial_days":{"description":"Length of the trial in days (only used when status is trialing.) If not set, the default trial length will be used.","format":"int32","maximum":90,"minimum":1,"nullable":true,"type":"integer"}},"required":["sku","status"],"type":"object"},"Handler_typesListChildOrganizationsResponse":{"properties":{"children":{"description":"The child organizations, ordered by name.","items":{"$ref":"#/components/schemas/TypesOrganization"},"type":"array"},"total":{"description":"Total number of the calling organization's child organizations, ignoring offset/limit.","example":3,"format":"int32","type":"integer"}},"type":"object"},"Handler_typesPatchChildOrganizationLicensingResponse":{"properties":{"licenses":{"description":"Licenses present on the organization after the requested transition. A license whose transition failed is omitted; see warnings for details.","items":{"$ref":"#/components/schemas/TypesLicense"},"type":"array"},"warnings":{"description":"Non-fatal issues encountered while applying the transition. A non-empty warnings array alongside a partial licenses array indicates partial success.","items":{"type":"string"},"type":"array"}},"type":"object"},"Handler_typesSearchChildOrganizationsResponse":{"properties":{"count":{"description":"Number of hits returned (always equal to len(hits)).","example":3,"format":"int32","type":"integer"},"hits":{"description":"Matching organizations, ordered by descending similarity to the query.","items":{"$ref":"#/components/schemas/Handler_typesChildOrganizationSearchHit"},"type":"array"}},"type":"object"},"HandlersGenerateBinExplodeDSLFunctionDocsResponse":{"properties":{"file.explode":{"description":"binexplode list of responses for a single input file, each additional response represents an explosion result","items":{"$ref":"#/components/schemas/StrelkaResponse"},"type":"array"}},"type":"object"},"HandlersGenerateDSLFunctionDocsResponse":{"properties":{"file.oletools":{"$ref":"#/components/schemas/OletoolsResult"}},"type":"object"},"HandlersGenerateLinkAnalysisDocsResponse":{"properties":{"ml.link_analysis":{"$ref":"#/components/schemas/Enrichment_typesLinkAnalysisResult"}},"type":"object"},"HandlersGenerateLogoDetectDocsResponse":{"properties":{"ml.logo_detect":{"$ref":"#/components/schemas/Logo_detectResult"}},"type":"object"},"HandlersGenerateMacroClassifierDocsResponse":{"properties":{"ml.macro_classifier":{"$ref":"#/components/schemas/MlMacroClassifierResult"}},"type":"object"},"HandlersGenerateNLUClassifierDocsResponse":{"properties":{"ml.nlu_classifier":{"$ref":"#/components/schemas/MlNLU3TopicResult"}},"type":"object"},"HandlersGenerateParseTextDocsResponse":{"properties":{"file.parse_text":{"$ref":"#/components/schemas/Org_dslParseTextResult"}},"type":"object"},"HandlersGenerateProfileBySenderDocsResponse":{"properties":{"profile.by_sender":{"$ref":"#/components/schemas/SenderprofileBaseSenderProfile"}},"type":"object"},"HandlersGenerateRegexExtractDocsResponse":{"properties":{"regex.extract":{"description":"regex.extract output","items":{"$ref":"#/components/schemas/UtilRegexExtractMatch"},"type":"array"}},"type":"object"},"HandlersGenerateTopicDocsResponse":{"properties":{"beta.ml_topic":{"$ref":"#/components/schemas/MlTopicResult"}},"type":"object"},"HandlersGenerateWhoisDocsResponse":{"properties":{"network.whois":{"$ref":"#/components/schemas/WhoisResult"}},"type":"object"},"HydraNLUContent":{"properties":{"confidence":{"description":"Confidence of the classification","enum":["low","medium","high"],"type":"string"},"name":{"description":"The name of the category","enum":["invoice","payment","purchase_order"],"type":"string"}},"type":"object"},"HydraNLUEntity":{"properties":{"name":{"description":"The classification label given to the text","enum":["urgency","request","financial","org","greeting","salutation","sender","recipient","disclaimer"],"type":"string"},"text":{"description":"The extracted text being classified","type":"string"}},"type":"object"},"HydraNLUIntent":{"properties":{"confidence":{"description":"Confidence of the classification","enum":["low","medium","high"],"type":"string"},"name":{"description":"The name of the category","enum":["bec","benign","callback_scam","cred_theft","extortion","steal_pii","job_scam","advance_fee"],"type":"string"}},"type":"object"},"HydraTopic":{"properties":{"confidence":{"description":"The confidence level of this topic applying to the body.","nullable":true,"type":"string"},"name":{"description":"The name of the topic.","enum":["Acts of Violence","Advertising and Promotions","B2B Cold Outreach","Benefit Enrollment","Bounce Back and Delivery Failure Notifications","Charity and Non-Profit","Contact List Solicitation","Customer Service and Support","E-Signature","E-vite with External RSVP","Educational and Research","Emergency Alerts","Entertainment and Sports","Environmental and Sustainability","Events and Webinars","File Sharing and Cloud Services","Financial Communications","Government Services","Health and Wellness","Legal and Compliance","News and Current Events","Newsletters and Digests","Order Confirmations","Out of Band Pivot","Out of Office and Automatic Replies","Payment Information","Political Mail","Professional and Career Development","Purchase Orders","Reminders and Notifications","Request to View Invoice","Romance","Secure Message","Security and Authentication","Sexually Explicit Messages","Shipping and Package","Social Media and Networking","Software and App Updates","Travel and Transportation","Voicemail Call and Missed Call Notifications"],"type":"string"}},"type":"object"},"Link_analysis_typesAdditionalResponse":{"properties":{"content_type":{"description":"Content type of the response","type":"string"},"file":{"$ref":"#/components/schemas/Link_analysis_typesDownloadedFile"},"json":{"$ref":"#/components/schemas/FfiJSON"},"status_code":{"description":"HTTP status code for the response","format":"int32","type":"integer"},"url":{"$ref":"#/components/schemas/Mdm_serviceURL"}},"type":"object"},"Link_analysis_typesDownloadedFile":{"description":"Raw HTTP response payload as a file","properties":{"file_extension":{"description":"File extension from context such as headers","type":"string"},"file_name":{"description":"File name","type":"string"},"file_type":{"description":"File type determined by looking at the magic bytes in the file","enum":["3gp","7z","Z","aac","aiff","amr","ar","avi","bmp","bz2","cab","cr2","crx","dcm","deb","dex","dey","doc","docx","dwg","elf","eot","epub","exe","flac","flv","gif","gz","heif","html","ico","ics","iso","jp2","jpg","jxr","lz","m4a","m4v","macho","mid","mkv","mov","mp3","mp4","mpg","nes","ogg","otf","pdf","png","ppt","pptx","ps","psd","rar","rpm","rtf","sqlite","svg","swf","tar","tif","ttf","wasm","wav","webm","webp","wmv","woff","woff2","xls","xlsx","xz","zip","zst","unknown"],"type":"string"},"md5":{"description":"MD5 hash of the downloaded file","type":"string"},"raw":{"description":"Base64 encoded source of the file","format":"base64","nullable":true,"type":"string"},"sha1":{"description":"SHA1 hash of the downloaded file","type":"string"},"sha256":{"description":"SHA256 hash of the downloaded file","type":"string"},"size":{"description":"Size of the file in bytes","format":"int64","nullable":true,"type":"integer"}},"type":"object"},"Link_analysis_typesFinalDOM":{"description":"Full DOM of the analyzed URL","properties":{"display_text":{"description":"Visible text of the HTML document, with invisible characters removed and non-ASCII characters converted to ASCII spaces.","nullable":true,"type":"string"},"inner_text":{"description":"Inner text of the HTML document that doesn't include HTML tags.","nullable":true,"type":"string"},"links":{"description":"Links found within the DOM","items":{"$ref":"#/components/schemas/Mdm_serviceLink"},"type":"array"},"raw":{"description":"Decoded raw content of a body text type (text/[subtype] section)","nullable":true,"type":"string"}},"type":"object"},"Logo_detectPageResult":{"properties":{"brands":{"items":{"$ref":"#/components/schemas/Enrichment_typesBrandInfo"},"type":"array"},"error":{"type":"string"},"page_index":{"format":"int32","type":"integer"}},"type":"object"},"Logo_detectResult":{"description":"ml.logo_detect","properties":{"brands":{"description":"Information about the recognized brands in the image","items":{"$ref":"#/components/schemas/Enrichment_typesBrandInfo"},"type":"array"},"error":{"description":"Error message when scanning image for logos","type":"string"},"page_results":{"description":"Logo detect results for each individual page","items":{"$ref":"#/components/schemas/Logo_detectPageResult"},"type":"array"},"scanned":{"description":"Whether an image was scanned for logos","type":"boolean"},"total_pages":{"description":"The total number of pages for the input file","format":"int32","nullable":true,"type":"integer"}},"type":"object"},"Mdm_serviceDomain":{"description":"Domain parsed from X-Authenticated-Domain or X-Authenticated-Sender headers, which represents the domain used for sender authentication, typically the domain of the sending organization. This field provides additional context for analyzing the legitimacy of the sender","properties":{"domain":{"description":"The fully qualified domain name (FQDN). This may not *always* be routable, e.g. when an email address contains a domain that is just a TLD with no SLD, e.g. foo@WIN-bar","format":"hostname","type":"string"},"punycode":{"description":"Interpreted punycode if the domain starts with xn--. For example, if 'domain' is 'xn--ublimesecurity-4xc.com' then 'punycode' is śublimesecurity.com","type":"string"},"root_domain":{"description":"The root domain, including the TLD","format":"hostname","type":"string"},"sld":{"description":"Second-level domain, e.g. 'windows' for the domain 'windows.net'","type":"string"},"subdomain":{"description":"Subdomain, e.g. 'drive' for the domain 'drive.google.com'","type":"string"},"tld":{"description":"The domain's top-level domain. E.g. the TLD of google.com is 'com'","type":"string"},"valid":{"description":"Whether the domain is valid","type":"boolean"}},"required":["domain"],"type":"object"},"Mdm_serviceEmailAddress":{"description":"Email address object","properties":{"domain":{"$ref":"#/components/schemas/Mdm_serviceDomain"},"email":{"description":"Full email address","format":"email","type":"string"},"local_part":{"description":"Local-part, i.e. before the @","type":"string"}},"type":"object"},"Mdm_serviceFile":{"description":"File containing screenshot of final_url","properties":{"file_extension":{"description":"File extension from context such as headers","type":"string"},"file_name":{"description":"File name","type":"string"},"file_type":{"description":"File type determined by looking at the magic bytes in the file","enum":["3gp","7z","Z","aac","aiff","amr","ar","avi","bmp","bz2","cab","cr2","crx","dcm","deb","dex","dey","doc","docx","dwg","elf","eot","epub","exe","flac","flv","gif","gz","heif","html","ico","ics","iso","jp2","jpg","jxr","lz","m4a","m4v","macho","mid","mkv","mov","mp3","mp4","mpg","nes","ogg","otf","pdf","png","ppt","pptx","ps","psd","rar","rpm","rtf","sqlite","svg","swf","tar","tif","ttf","wasm","wav","webm","webp","wmv","woff","woff2","xls","xlsx","xz","zip","zst","unknown"],"type":"string"},"raw":{"description":"Base64 encoded source of the file","format":"base64","nullable":true,"type":"string"},"size":{"description":"Size of the file in bytes","format":"int64","nullable":true,"type":"integer"}},"type":"object"},"Mdm_serviceIP":{"description":"X-Originating-IP header, which identifies the originating IP address of the sender client","properties":{"ip":{"description":"The IP in canonical form","type":"string"},"translation":{"$ref":"#/components/schemas/Mdm_serviceIPTranslation"},"version":{"description":"The version of IP (i.e., 4 or 6), null for backward compatibility.","format":"int32","nullable":true,"type":"integer"}},"required":["ip"],"type":"object"},"Mdm_serviceIPTranslation":{"properties":{"original":{"description":"The IP in its original format if it is an IPv4-mapped-IPv6 source address","nullable":true,"type":"string"},"v4_to_v6":{"description":"Whether 'Original' is IPv4-mapped-IPv6","type":"boolean"}},"type":"object"},"Mdm_serviceLink":{"properties":{"display_text":{"description":"The text of a hyperlink, if it's not a URL","type":"string"},"display_url":{"$ref":"#/components/schemas/Mdm_serviceURL"},"href_url":{"$ref":"#/components/schemas/Mdm_serviceURL"},"mismatched":{"description":"Whether the display URL and href URL root domains are mismatched (i.e. .href_url.domain.root_domain != .display_url.domain.root_domain, where both are not null and valid domains)","nullable":true,"type":"boolean"},"parser":{"description":"The parser that was used to derived the link","enum":["plain","hyperlink"],"type":"string"},"visible":{"description":"Whether the link is visible to a human when previewing an email or page","nullable":true,"type":"boolean"}},"type":"object"},"Mdm_serviceMailbox":{"description":"Organizer mailbox with email and display name","properties":{"display_name":{"description":"Display name","type":"string"},"email":{"$ref":"#/components/schemas/Mdm_serviceEmailAddress"}},"required":["email"],"type":"object"},"Mdm_serviceRewriteDetails":{"description":"Information about an original URL that was unfurled from rewrite detection","properties":{"encoders":{"description":"List of detected URL rewrite encoders while unraveling the URL","items":{"enum":["adobe","appspot","aws_ses","azurecomm","azure_safelink","barracuda","bing_open_redirect","branch_io","checkpoint","cisco","cloudflare","convertkit","deref_mail","doubleclick","edgepilot","esvalabs","exactag","exclaimer","facebook","fireeye","fortimail","generic_desturl","generic_logout_redirect","go_acoustic","google_amp","google_amp_project","google_adservices","google_meet_redirect","google_notifications","google_open_redirect","google_tag_manager","google_travel_redirect","google_translate_open_redirect","google_user_content","href_li","indeed_open_redirect","inky","instagram","mailgun","mailjet","mandrill","messagegears","microsoft","microsoft_dynamics","microsoft_oauth_redirect","monday_tracker","postmark","ppcprotect","proofpoint","pylonlinks","securence","sophos","sqclick","squarespace","sublime","titanhq","topsec","trend_micro","vtiger","wix","yahoo","youtube_set_sid"],"type":"string"},"type":"array"},"original":{"description":"Original URL without any unraveling URL rewrites","type":"string"}},"required":["original"],"type":"object"},"Mdm_serviceURL":{"description":"URL details when QR code type is url","properties":{"domain":{"$ref":"#/components/schemas/Mdm_serviceDomain"},"fragment":{"description":"Fragment identifier; the text following the # in the URL (also called the anchor tag)","type":"string"},"ip":{"$ref":"#/components/schemas/Mdm_serviceIP"},"password":{"description":"The password specified before the domain name","type":"string"},"path":{"description":"Everything after the TLD and before the query parameters","type":"string"},"port":{"description":"The port used for the URL. If no explicit port is set, the port will be inferred from the protocol","format":"int32","nullable":true,"type":"integer"},"query_params":{"description":"The full query parameters of the URL","type":"string"},"query_params_decoded":{"additionalProperties":{"items":{"type":"string"},"type":"array"},"description":"The decoded query parameters of the URL","type":"object"},"rewrite":{"$ref":"#/components/schemas/Mdm_serviceRewriteDetails"},"scheme":{"description":"Protocol for the URL request, e.g. http","type":"string"},"url":{"description":"Full URL","type":"string"},"username":{"description":"The username specified before the domain name of the URL","type":"string"}},"required":["url"],"type":"object"},"MlMacroClassifierResult":{"description":"ml.macro_classifier output","properties":{"confidence":{"description":"The likelihood that a macro was correctly identified as a true positive","enum":["low","medium","high"],"type":"string"},"error":{"description":"Errors that occurred while scanning and assessing macros","type":"string"},"malicious":{"description":"Whether macros were detected and flagged as malicious with any degree of confidence","type":"boolean"}},"type":"object"},"MlNLU3TopicResult":{"description":"ml.nlu_classifier output","properties":{"entities":{"description":"Entities identified in the submitted text","items":{"$ref":"#/components/schemas/HydraNLUEntity"},"type":"array"},"error":{"description":"Errors that occurred","type":"string"},"intents":{"description":"Intents of classified text","items":{"$ref":"#/components/schemas/HydraNLUIntent"},"type":"array"},"language":{"description":"Primary language of classified text, or unknown if unknown","enum":["unknown","english","french","german","spanish","chinese","japanese","..."],"type":"string"},"success":{"description":"Whether topic detection ran successfully.","type":"boolean"},"tags":{"description":"Content tags for classified text","items":{"$ref":"#/components/schemas/HydraNLUContent"},"type":"array"},"topics":{"description":"The topics found in the body.","items":{"$ref":"#/components/schemas/HydraTopic"},"type":"array"}},"type":"object"},"MlTopicResult":{"description":"beta.ml_topic output","properties":{"topics":{"description":"The topics found in the body.","items":{"$ref":"#/components/schemas/HydraTopic"},"type":"array"}},"type":"object"},"OletoolsBoolIndicator":{"description":"Whether this file contains an ObjectPool stream","properties":{"exists":{"description":"Whether the indicator exists in the file or not","type":"boolean"},"risk":{"description":"The risk level of the indicator","enum":["high","medium","low","none","info","unknown","error"],"type":"string"}},"type":"object"},"OletoolsIndicators":{"description":"Suspicious indicators that could indicate that a file is suspicious or malicious","properties":{"container_format":{"$ref":"#/components/schemas/OletoolsStringIndicator"},"encryption":{"$ref":"#/components/schemas/OletoolsBoolIndicator"},"external_relationships":{"$ref":"#/components/schemas/OletoolsIntIndicator"},"file_format":{"$ref":"#/components/schemas/OletoolsStringIndicator"},"flash_objects":{"$ref":"#/components/schemas/OletoolsIntIndicator"},"object_pool":{"$ref":"#/components/schemas/OletoolsBoolIndicator"},"vba_macros":{"$ref":"#/components/schemas/OletoolsBoolIndicator"}},"type":"object"},"OletoolsIntIndicator":{"description":"Embedded flash objects (SWF files) detected in OLE streams. There may be false positives","properties":{"count":{"description":"The number of instances of this indicator","format":"int32","type":"integer"},"risk":{"description":"The risk level of the indicator","enum":["high","medium","low","none","info","unknown","error"],"type":"string"}},"type":"object"},"OletoolsMacroKeyword":{"properties":{"description":{"description":"Details on why the keyword is suspicious","type":"string"},"keyword":{"description":"Suspicious keyword","type":"string"},"type":{"description":"The type of keyword identified","enum":["autoexec","suspicious","ioc","hex_string","base64_string","dridex_string"],"type":"string"}},"type":"object"},"OletoolsObjRelationship":{"properties":{"name":{"description":"Relationship name","type":"string"},"target":{"description":"External relationship link","type":"string"},"target_url":{"$ref":"#/components/schemas/Mdm_serviceURL"}},"type":"object"},"OletoolsResult":{"description":"oletools output","properties":{"error":{"description":"Error message when running OLE Tools on the file","type":"string"},"indicators":{"$ref":"#/components/schemas/OletoolsIndicators"},"macros":{"$ref":"#/components/schemas/OletoolsVBAMacros"},"relationships":{"description":"OLE relationships to external objects","items":{"$ref":"#/components/schemas/OletoolsObjRelationship"},"type":"array"}},"type":"object"},"OletoolsStringIndicator":{"description":"Container format, eg 'OLE'","properties":{"risk":{"description":"The risk level of the indicator","enum":["high","medium","low","none","info","unknown","error"],"type":"string"},"value":{"description":"The value of the indicator","type":"string"}},"type":"object"},"OletoolsVBAMacros":{"description":"Macros identified and analyzed","properties":{"keywords":{"description":"Suspicious keywords detected. See 'olevba' for more information","items":{"$ref":"#/components/schemas/OletoolsMacroKeyword"},"type":"array"},"modules":{"description":"VBA macro modules detected","items":{"$ref":"#/components/schemas/OletoolsVBAModule"},"type":"array"},"vba_code_all_modules":{"description":"Source code of all VBA modules","type":"string"}},"type":"object"},"OletoolsVBAModule":{"properties":{"form_string":{"description":"Printable strings from each VBA form","type":"string"},"form_variables":{"description":"VBA form variables","type":"string"},"ole_stream":{"description":"OLE macro stream","type":"string"},"vba_code":{"description":"Source code of the VBA macro","type":"string"},"vba_file_name":{"description":"File name of the VBA macro","type":"string"}},"type":"object"},"Org_dslParseTextResult":{"description":"file.parse_text output","properties":{"text":{"description":"The decoded string, after interpreting the raw bytes with the corresponding encoding.","type":"string"}},"type":"object"},"PatchChildOrganizationInput":{"properties":{"can_add_children":{"description":"Set whether this organization may create its own child organizations. Granting requires the target to be below the maximum hierarchy depth.","example":true,"nullable":true,"type":"boolean"},"can_manage_child_licenses":{"description":"Set whether this organization may manage licenses on its descendants. Granting requires child-organization license management to be enabled for the root organization and the target's immediate parent to already hold this permission; revoking is always allowed.","example":false,"nullable":true,"type":"boolean"},"name":{"description":"New display name for the organization. Must be non-empty after trimming whitespace.","example":"Acme Corp (renamed)","nullable":true,"type":"string"}},"type":"object"},"PatchChildOrganizationLicensingInput":{"properties":{"licenses":{"description":"Desired license to apply. Exactly one license per request is supported today; the array shape is reserved for future multi-SKU support.","items":{"$ref":"#/components/schemas/Handler_typesLicenseInput"},"maxItems":1,"minItems":1,"type":"array"}},"required":["licenses"],"type":"object"},"SenderprofileBaseSenderProfile":{"description":"profile.by_sender output","properties":{"any_messages_benign":{"description":"A message from this sender was explicitly labeled as a 'Benign'. If the message is later labeled as anything else (a message can only have one label), the count is reversed.","type":"boolean"},"any_messages_malicious_or_spam":{"description":"A message from this sender was either explicitly labeled as spam or malicious. This is triggered by applying any of the labels 'Phish', 'Missed Attack', 'Spam'. If the label is changed to anything else (a message can only have one label), the count is also reversed.","type":"boolean"},"auth_failed":{"description":"Whether this message had any authentication failures","type":"boolean"},"days_known":{"description":"Number of days since the first message was received from the sender. Defaults to 0 for new senders for legacy and compatibility reasons.","format":"double","type":"number"},"prevalence":{"description":"Summary verdict for how prevalent the sender email is against all sender emails","enum":["new","outlier","rare","uncommon","common"],"type":"string"},"solicited":{"description":"Whether outbound messages have been sent to the sender in a prior conversation","type":"boolean"}},"type":"object"},"StrelkaBZip2":{"description":"Unpacks bzip2 files. Reports size","properties":{"size":{"description":"Size of uncompressed file within.","format":"int32","nullable":true,"type":"integer"}},"type":"object"},"StrelkaDocX":{"description":"Extracts details for a document, and explodes the text for further scanning.","properties":{"author":{"nullable":true,"type":"string"},"category":{"nullable":true,"type":"string"},"comments":{"nullable":true,"type":"string"},"created":{"format":"date-time","nullable":true,"type":"string"},"font_colors":{"description":"all non black (#000000) detected font colors. represented as web colors (hex) without '#' prefix.","items":{"type":"string"},"type":"array"},"image_count":{"format":"int32","nullable":true,"type":"integer"},"keywords":{"nullable":true,"type":"string"},"last_printed":{"format":"date-time","nullable":true,"type":"string"},"modified":{"format":"date-time","nullable":true,"type":"string"},"revision":{"format":"int32","nullable":true,"type":"integer"},"subject":{"nullable":true,"type":"string"},"title":{"nullable":true,"type":"string"},"word_count":{"format":"int32","nullable":true,"type":"integer"}},"type":"object"},"StrelkaEmbeddedHTMLScript":{"properties":{"language":{"description":"Language of script, e.g. 'javascript'","nullable":true,"type":"string"},"scripts":{"nullable":true,"type":"string"},"type":{"nullable":true,"type":"string"}},"type":"object"},"StrelkaEncryptedDoc":{"description":"Unpacks encrypted doc files by trying to break the password. Does not report totals","properties":{"cracked_password":{"description":"If the doc was successfully opened, this is the password for the doc.","nullable":true,"type":"string"}},"type":"object"},"StrelkaEncryptedZip":{"description":"Unpacks encrypted ZIP files by trying to break the password. Reports total files even if the zip could not be cracked.","properties":{"cracked_password":{"description":"If the ZIP was successfully opened, this is the password for the zip.","nullable":true,"type":"string"},"total_extracted":{"format":"int32","nullable":true,"type":"integer"},"total_files":{"format":"int32","nullable":true,"type":"integer"}},"type":"object"},"StrelkaEntropy":{"description":"Shannon entropy of file","properties":{"entropy":{"description":"Shannon entropy (log base 2). A higher number means higher entropy.","format":"double","nullable":true,"type":"number"}},"type":"object"},"StrelkaExifTool":{"description":"Responses from the popular ExifTools application","properties":{"command_line_arguments":{"type":"string"},"create_date":{"format":"date-time","nullable":true,"type":"string"},"creator":{"type":"string"},"exif_tool_version":{"format":"double","type":"number"},"fields":{"items":{"$ref":"#/components/schemas/StrelkaKeyVal"},"type":"array"},"file_permissions":{"type":"string"},"file_type":{"type":"string"},"file_type_extension":{"type":"string"},"flags":{"items":{"type":"string"},"type":"array"},"hot_key":{"type":"string"},"image_height":{"description":"In pixels","format":"int32","type":"integer"},"image_width":{"description":"In pixels","format":"int32","type":"integer"},"linearized":{"type":"string"},"local_base_path":{"type":"string"},"modify_date":{"format":"date-time","nullable":true,"type":"string"},"page_count":{"format":"int32","type":"integer"},"pdf_version":{"type":"string"},"producer":{"type":"string"},"relative_path":{"type":"string"},"run_window":{"type":"string"},"source_file":{"type":"string"},"target_file_dos_name":{"type":"string"},"title":{"type":"string"},"zip_bit_flag":{"format":"int32","type":"integer"},"zip_compressed_size":{"format":"int32","type":"integer"},"zip_file_name":{"type":"string"},"zip_modify_date":{"format":"date-time","nullable":true,"type":"string"},"zip_uncompressed_size":{"format":"int32","type":"integer"}},"type":"object"},"StrelkaFlavors":{"description":"matched yara and mime for file type identification","properties":{"external":{"description":"Flavors marked by scanners exploding a file","items":{"type":"string"},"type":"array"},"mime":{"description":"Detected MIME type using the libmagic unix utility.","type":"string"},"yara":{"description":"Matched YARA rules, for current definitions see [here](https://github.com/sublime-security/strelka/blob/main/build/configs/taste.yara)","items":{"enum":["_7zip_file","arj_file","browser_manifest","cab_file","cpio_file","encrypted_zip","encrypted_word_document","iso_file","mhtml_file","rar_file","tar_file","xar_file","zip_file","mp3_file","pkcs7_file","x509_der_file","x509_pem_file","bzip2_file","gzip_file","lzma_file","xz_file","zlib_file","doc_subheader_file","mso_file","olecf_file","ooxml_file","pdf_file","poi_hpbf_file","rtf_file","vbframe_file","wordml_file","xfdf_file","email_file","tnef_file","base64_pe","pgp_file","elf_file","lnk_file","macho_file","mz_file","bmp_file","cmap_file","gif_file","jpeg_file","postscript_file","png_file","psd_file","psd_image_file","svg_file","xicc_file","xmp_file","jar_manifest_file","bplist_file","fws_file","cws_file","zws_file","debian_package_file","rpm_file","upx_file","batch_file","javascript_file","vb_file","hta_file","html_file","ini_file","json_file","php_file","plist_file","soap_file","xml_file","avi_file","wmv_file"],"type":"string"},"type":"array"}},"type":"object"},"StrelkaGZip":{"description":"Unpacks gzip. Reports the size","properties":{"size":{"description":"Size of uncompressed file within.","format":"int32","nullable":true,"type":"integer"}},"type":"object"},"StrelkaHTML":{"description":"Scripts and basic details from HTML files. Explodes scripts for further scanning.","properties":{"hyperlinks":{"items":{"type":"string"},"type":"array"},"scripts":{"description":"All unique identifiers present in JS. unescape and write may be considered suspicious; a variable name is also an identifier.","items":{"$ref":"#/components/schemas/StrelkaEmbeddedHTMLScript"},"type":"array"},"spans":{"description":"HTML Span Tags","items":{"$ref":"#/components/schemas/StrelkaHTMLSpan"},"type":"array"},"title":{"type":"string"},"total_extracted":{"format":"int32","nullable":true,"type":"integer"}},"type":"object"},"StrelkaHTMLSpan":{"properties":{"style":{"type":"string"}},"type":"object"},"StrelkaHash":{"description":"Multiple hash algorithms","properties":{"md5":{"type":"string"},"sha1":{"type":"string"},"sha256":{"type":"string"},"ssdeep":{"type":"string"}},"type":"object"},"StrelkaICS":{"description":"Parses iCalendar files and extracts events, attachments, and metadata","properties":{"calendars":{"description":"Parsed calendar objects","items":{"$ref":"#/components/schemas/StrelkaICSCalendar"},"type":"array"},"flags":{"description":"Warning/error flags from parsing","items":{"type":"string"},"type":"array"},"parse_error":{"description":"Error message if parsing failed","nullable":true,"type":"string"},"total":{"$ref":"#/components/schemas/StrelkaICSTotal"},"total_extracted":{"format":"int32","nullable":true,"type":"integer"},"total_files":{"format":"int32","nullable":true,"type":"integer"}},"type":"object"},"StrelkaICSAttachment":{"properties":{"decode_error":{"description":"Extraction error message","type":"string"},"extracted":{"description":"Whether file was extracted","type":"boolean"},"filename":{"description":"Original filename","type":"string"},"mime_type":{"description":"MIME type","type":"string"},"size":{"description":"File size in bytes","type":"string"},"type":{"description":"Attachment type","enum":["binary","base64_binary","uri","other"],"type":"string"},"uri":{"description":"URI for external references","type":"string"}},"type":"object"},"StrelkaICSAttendee":{"properties":{"mailbox":{"$ref":"#/components/schemas/Mdm_serviceMailbox"},"partstat":{"description":"Participation status","type":"string"},"role":{"description":"Attendee role","type":"string"},"rsvp":{"description":"RSVP requested","type":"boolean"}},"type":"object"},"StrelkaICSCalendar":{"properties":{"calscale":{"description":"Calendar scale","type":"string"},"components":{"description":"Calendar components","items":{"$ref":"#/components/schemas/StrelkaICSComponent"},"type":"array"},"method":{"description":"Calendar method","type":"string"},"prodid":{"description":"Product identifier","type":"string"},"version":{"description":"iCalendar version","type":"string"}},"type":"object"},"StrelkaICSComponent":{"properties":{"attachments":{"description":"File attachments","items":{"$ref":"#/components/schemas/StrelkaICSAttachment"},"type":"array"},"attendees":{"description":"Event attendees","items":{"$ref":"#/components/schemas/StrelkaICSAttendee"},"type":"array"},"class":{"description":"Classification","type":"string"},"created":{"description":"Creation date/time","type":"string"},"description":{"description":"Detailed description","type":"string"},"dtend":{"description":"End date/time","type":"string"},"dtstamp":{"description":"Creation timestamp","type":"string"},"dtstart":{"description":"Start date/time","type":"string"},"duration":{"description":"Duration in human-readable format","type":"string"},"last_modified":{"description":"Last modification date/time","type":"string"},"location":{"description":"Event location","type":"string"},"organizers":{"description":"Event organizers","items":{"$ref":"#/components/schemas/StrelkaICSOrganizer"},"type":"array"},"priority":{"description":"Priority level (0-9)","type":"string"},"sequence":{"description":"Revision sequence","type":"string"},"status":{"description":"Event status","type":"string"},"summary":{"description":"Brief description","type":"string"},"transp":{"description":"Transparency","type":"string"},"type":{"description":"Component type","enum":["VEVENT","VTODO","VJOURNAL","VTIMEZONE","VALARM"],"type":"string"},"uid":{"description":"Unique identifier","type":"string"},"urls":{"description":"Referenced URLs","items":{"$ref":"#/components/schemas/Mdm_serviceURL"},"type":"array"}},"type":"object"},"StrelkaICSOrganizer":{"properties":{"mailbox":{"$ref":"#/components/schemas/Mdm_serviceMailbox"}},"type":"object"},"StrelkaICSTotal":{"description":"Summary counts for calendar components","properties":{"alarms":{"description":"Total VALARM components","format":"int32","type":"integer"},"attachments":{"description":"Total ATTACH properties","format":"int32","type":"integer"},"attendees":{"description":"Total attendees across all components","format":"int32","type":"integer"},"components":{"description":"Total calendar components","format":"int32","type":"integer"},"events":{"description":"Total VEVENT components","format":"int32","type":"integer"},"extracted_files":{"description":"Successfully extracted files","format":"int32","type":"integer"},"journals":{"description":"Total VJOURNAL components","format":"int32","type":"integer"},"organizers":{"description":"Total organizers across all components","format":"int32","type":"integer"},"timezones":{"description":"Total VTIMEZONE components","format":"int32","type":"integer"},"todos":{"description":"Total VTODO components","format":"int32","type":"integer"},"urls":{"description":"Total URL properties","format":"int32","type":"integer"}},"type":"object"},"StrelkaJavascript":{"description":"Contains details about the types of elements found in a JS script. Very simple scripts might signal obfuscation.","properties":{"identifiers":{"description":"All unique identifiers present in JS. unescape and write may be considered suspicious; a variable name is also an identifier.","items":{"type":"string"},"type":"array"},"keywords":{"description":"All unique keywords present in JS, e.g. 'if'.","items":{"type":"string"},"type":"array"},"regular_expressions":{"description":"All unique regular expressions present JS.","items":{"type":"string"},"type":"array"},"strings":{"description":"All unique strings present in JS.","items":{"type":"string"},"type":"array"},"tokens":{"description":"All unique tokens/types present in JS. The other values in this type would be present in this list if they occur at all. E.g. a simple script may contain just Identifier & Punctuator (punctuator is not included any further)","items":{"type":"string"},"type":"array"}},"type":"object"},"StrelkaJpegGif":{"description":"Extracts contents past the GIF trailer for further processing. Empty if there's no data based trailer.","properties":{"trailer_index":{"format":"int32","type":"integer"}},"type":"object"},"StrelkaKeyVal":{"properties":{"key":{"type":"string"},"value":{"type":"string"}},"type":"object"},"StrelkaLNK":{"description":"Extracted details from LNK files. See ExifTools too.","properties":{"MAC":{"type":"string"},"command_line_arguments":{"type":"string"},"drive_serial_number":{"type":"string"},"drive_type":{"type":"string"},"local_base_path":{"type":"string"},"machine_id":{"type":"string"},"relative_path":{"type":"string"},"volume_label":{"type":"string"},"working_dir":{"type":"string"}},"type":"object"},"StrelkaLibArchive":{"description":"Unpacks archives supported by libarchive (including ISO files). Reports totals","properties":{"total_extracted":{"format":"int32","nullable":true,"type":"integer"},"total_files":{"format":"int32","nullable":true,"type":"integer"}},"type":"object"},"StrelkaMachO":{"description":"Unpacks and inspects Mach Objects (executables, libraries, etc)","properties":{"commands":{"description":"All commands within","items":{"type":"string"},"type":"array"},"has_code_signature":{"type":"boolean"},"header":{"properties":{"cpu":{"description":"Details about the CPU/arch the binary is intended for","properties":{"primary":{"description":"Primary type, e.g. x86_64","type":"string"},"sub":{"description":"Human description (may include ',', 'and', etc)","type":"string"}},"type":"object"},"file":{"description":"Typo of Macho","enum":["BUNDLE","CORE","DSYM","DYLIB","DYLIB_STUB","DYLINKER","EXECUTE","FVMLIB","KEXT_BUNDLE","OBJECT","PRELOAD"],"type":"string"},"flags":{"description":"Flag List from header","items":{"type":"string"},"type":"array"}},"type":"object"},"load_dylinker_name":{"description":"Dylinker command name used","type":"string"},"nx":{"description":"Binary has NX (non-executable stack) protection","type":"boolean"},"pie":{"description":"Binary is position independent","type":"boolean"},"source_version":{"description":"5 part source version","type":"string"},"symbols":{"description":"Details about symbols within binary","properties":{"imported":{"description":"Imported symbols","items":{"type":"string"},"type":"array"},"libraries":{"description":"Imported libraries","items":{"type":"string"},"type":"array"}},"type":"object"},"total_binaries":{"description":"Number of binaries registered","format":"int32","type":"integer"},"total_commands":{"description":"Number of load commands","format":"int32","type":"integer"},"total_libraries":{"description":"Number of libraries/Dylib commands","format":"int32","type":"integer"},"total_relocations":{"description":"Number of relocations","format":"int32","type":"integer"},"total_sections":{"description":"Number of sections","format":"int32","type":"integer"},"total_segments":{"description":"Number of segments","format":"int32","type":"integer"},"total_symbols":{"description":"Number of symbols","format":"int32","type":"integer"}},"type":"object"},"StrelkaOCR":{"description":"Attempts to find text in images and explodes the text for further scanning.","properties":{"raw":{"description":"Full text returned from OCR, including whitespace","type":"string"},"text":{"description":"Array of words found by OCR","items":{"type":"string"},"type":"array"}},"type":"object"},"StrelkaOle":{"description":"Unpacks valid OLE files. Reports total files.","properties":{"total_extracted":{"format":"int32","nullable":true,"type":"integer"}},"type":"object"},"StrelkaPDF":{"description":"Unpacks a PDF for further processing. Reports total files.","properties":{"invalid_urls":{"description":"URLs which could not be parsed","items":{"type":"string"},"type":"array"},"total_extracted":{"format":"int32","nullable":true,"type":"integer"},"urls":{"description":"Detected URLs","items":{"$ref":"#/components/schemas/Mdm_serviceURL"},"type":"array"}},"type":"object"},"StrelkaPDFObjHash":{"description":"Generates PDF Object Hash of the given PDF file","properties":{"hash_string":{"description":"Hash string used to generate the object hash for the PDF","type":"string"},"object_hash":{"description":"Object hash of the PDF. This is the hash of the object types present in the document.","type":"string"}},"type":"object"},"StrelkaPPTX":{"description":"Extracts details for a powerpoint (pptx) document, and explodes the text for further scanning.","properties":{"author":{"nullable":true,"type":"string"},"category":{"nullable":true,"type":"string"},"comments":{"nullable":true,"type":"string"},"created":{"format":"date-time","nullable":true,"type":"string"},"image_count":{"format":"int32","nullable":true,"type":"integer"},"invalid_urls":{"description":"URLs which could not be parsed","items":{"type":"string"},"type":"array"},"keywords":{"nullable":true,"type":"string"},"last_modified_by":{"nullable":true,"type":"string"},"last_printed":{"format":"date-time","nullable":true,"type":"string"},"modified":{"format":"date-time","nullable":true,"type":"string"},"revision":{"format":"int32","nullable":true,"type":"integer"},"slide_count":{"format":"int32","nullable":true,"type":"integer"},"subject":{"nullable":true,"type":"string"},"title":{"nullable":true,"type":"string"},"urls":{"description":"Detected URLs","items":{"$ref":"#/components/schemas/Mdm_serviceURL"},"type":"array"},"word_count":{"format":"int32","nullable":true,"type":"integer"}},"type":"object"},"StrelkaQR":{"description":"Checks for QR codes and evaluates them","properties":{"data":{"description":"Raw UTF8 Data","nullable":true,"type":"string"},"type":{"description":"Type of content, if known","enum":["email","mobile","app","geo","wifi","url","undefined"],"type":"string"},"url":{"$ref":"#/components/schemas/Mdm_serviceURL"}},"type":"object"},"StrelkaRTF":{"description":"Unpacks RTF files. Reports totals","properties":{"total_extracted":{"format":"int32","nullable":true,"type":"integer"}},"type":"object"},"StrelkaRar":{"description":"Unpacks rar files. Reports totals","properties":{"host_os":{"nullable":true,"type":"string"},"total_extracted":{"format":"int32","nullable":true,"type":"integer"},"total_files":{"format":"int32","nullable":true,"type":"integer"}},"type":"object"},"StrelkaResponse":{"properties":{"depth":{"description":"depth in explosion, starts at 0","format":"int32","type":"integer"},"file_extension":{"description":"file extension if known. Using YARA and MIME rules (see .flavors) may provide more accurate detections.","type":"string"},"file_name":{"description":"name of the file, or a placeholder. For files exploded from an archive this will be the actual name, but for extracted text, octet stream etc, it will be assigned by the parent to something arbitrary.","type":"string"},"flavors":{"$ref":"#/components/schemas/StrelkaFlavors"},"node_id":{"description":"ID representing this file in the tree","type":"string"},"parent_node_id":{"description":"ID of parent, or not present for the root","type":"string"},"scan":{"$ref":"#/components/schemas/StrelkaScan"},"size":{"description":"file size in bytes","format":"int32","type":"integer"},"source":{"description":"Scanner which 'exploded' this file","type":"string"}},"type":"object"},"StrelkaScan":{"description":"Contains results of all available bin explode scanners. Some scanners explode embedded binaries more than offer scan/analysis. Some of these have total_extracted & total_unextracted (the count of any files remaining after limits are hit). Some exploding scanners have limited analyses, besides the insight into the count of embedded files (see ZIP). RawOCR is an example which explodes, but does not report totals & explodes content which isn't truly an embedded file.","properties":{"bzip2":{"$ref":"#/components/schemas/StrelkaBZip2"},"docx":{"$ref":"#/components/schemas/StrelkaDocX"},"encrypted_doc":{"$ref":"#/components/schemas/StrelkaEncryptedDoc"},"encrypted_zip":{"$ref":"#/components/schemas/StrelkaEncryptedZip"},"entropy":{"$ref":"#/components/schemas/StrelkaEntropy"},"exiftool":{"$ref":"#/components/schemas/StrelkaExifTool"},"gif":{"$ref":"#/components/schemas/StrelkaJpegGif"},"gzip":{"$ref":"#/components/schemas/StrelkaGZip"},"hash":{"$ref":"#/components/schemas/StrelkaHash"},"html":{"$ref":"#/components/schemas/StrelkaHTML"},"ics":{"$ref":"#/components/schemas/StrelkaICS"},"javascript":{"$ref":"#/components/schemas/StrelkaJavascript"},"jpeg":{"$ref":"#/components/schemas/StrelkaJpegGif"},"libarchive":{"$ref":"#/components/schemas/StrelkaLibArchive"},"lnk":{"$ref":"#/components/schemas/StrelkaLNK"},"macho":{"$ref":"#/components/schemas/StrelkaMachO"},"ocr":{"$ref":"#/components/schemas/StrelkaOCR"},"ole":{"$ref":"#/components/schemas/StrelkaOle"},"pdf":{"$ref":"#/components/schemas/StrelkaPDF"},"pdf_obj_hash":{"$ref":"#/components/schemas/StrelkaPDFObjHash"},"pptx":{"$ref":"#/components/schemas/StrelkaPPTX"},"qr":{"$ref":"#/components/schemas/StrelkaQR"},"rar":{"$ref":"#/components/schemas/StrelkaRar"},"rtf":{"$ref":"#/components/schemas/StrelkaRTF"},"strings":{"$ref":"#/components/schemas/StrelkaStrings"},"tar":{"$ref":"#/components/schemas/StrelkaTar"},"url":{"$ref":"#/components/schemas/StrelkaURL"},"vba":{"$ref":"#/components/schemas/StrelkaVBA"},"xml":{"$ref":"#/components/schemas/StrelkaXML"},"yara":{"$ref":"#/components/schemas/StrelkaYARA"},"zip":{"$ref":"#/components/schemas/StrelkaZip"},"zlib":{"$ref":"#/components/schemas/StrelkaZLib"}},"type":"object"},"StrelkaStrings":{"description":"Simply finds and extracts any strings from.","properties":{"raw":{"description":"If the entire input is a string, mirror the input as a single string.","type":"string"},"strings":{"description":"All detected strings.","items":{"type":"string"},"type":"array"}},"type":"object"},"StrelkaTar":{"description":"Unpacks tar files. Reports totals","properties":{"total_extracted":{"format":"int32","nullable":true,"type":"integer"},"total_files":{"format":"int32","nullable":true,"type":"integer"}},"type":"object"},"StrelkaURL":{"description":"Detects URLs from text (generally text unpacked by other scanners).","properties":{"invalid_urls":{"description":"URLs which could not be parsed","items":{"type":"string"},"type":"array"},"urls":{"description":"Detected URLs.","items":{"$ref":"#/components/schemas/Mdm_serviceURL"},"type":"array"}},"type":"object"},"StrelkaVBA":{"description":"Examines VBA macros in Ole files, and unpacks macro code for further analysis.","properties":{"auto_exec":{"description":"All keywords associated with auto exec macros","items":{"type":"string"},"type":"array"},"base64":{"description":"Decoded base64 strings","items":{"type":"string"},"type":"array"},"dridex":{"description":"Decoded dridex strings","items":{"type":"string"},"type":"array"},"hex":{"description":"Decoded hex strings","items":{"type":"string"},"type":"array"},"ioc":{"description":"String values of indicators, such as 'cmd.exe'","items":{"type":"string"},"type":"array"},"suspicious":{"description":"Reported descriptions of suspicious behavior, e.g. 'Run' or 'Hex Strings'","items":{"type":"string"},"type":"array"},"total_extracted":{"format":"int32","nullable":true,"type":"integer"},"total_files":{"format":"int32","nullable":true,"type":"integer"},"vba_obfuscated":{"description":"Decoded vba obfuscated strings","items":{"type":"string"},"type":"array"}},"type":"object"},"StrelkaXML":{"description":"Finds namespaces and other details from XML","properties":{"doc_type":{"description":"DOCTYPE declaration from file","type":"string"},"namespaces":{"items":{"type":"string"},"type":"array"},"tags":{"items":{"type":"string"},"type":"array"},"total_extracted":{"format":"int32","nullable":true,"type":"integer"},"version":{"description":"XML version as declared by the document","nullable":true,"type":"string"}},"type":"object"},"StrelkaYARA":{"description":"Reports YARA results from custom installed YARA rules.","properties":{"flags":{"items":{"type":"string"},"type":"array"},"matches":{"items":{"$ref":"#/components/schemas/StrelkaYARAMatch"},"type":"array"}},"type":"object"},"StrelkaYARAMatch":{"properties":{"meta":{"additionalProperties":{"type":"string"},"type":"object"},"name":{"type":"string"}},"type":"object"},"StrelkaZLib":{"description":"Unpacks zlib files. Reports size","properties":{"size":{"description":"Size of uncompressed file within.","format":"int32","nullable":true,"type":"integer"}},"type":"object"},"StrelkaZip":{"description":"Unpacks ZIP files. Reports total files.","properties":{"all_paths":{"description":"All member paths included in the zip (files and folders)","items":{"type":"string"},"type":"array"},"attempted_files":{"description":"File names, including path, which the scanner attempted to open (cuts off at a limit)","items":{"type":"string"},"type":"array"},"encrypted":{"description":"True if known to be encrypted. scan.encrypted_zip can contain details if password is bypassed.","type":"boolean"},"total_extracted":{"format":"int32","nullable":true,"type":"integer"},"total_files":{"format":"int32","nullable":true,"type":"integer"}},"type":"object"},"TypesLicense":{"properties":{"sku":{"description":"Product SKU identifier","type":"string"},"status":{"description":"Billing status of this license (e.g. active, trialing, canceled)","type":"string"},"trial_expires_at":{"description":"When the trial period ends, if currently trialing","format":"date-time","nullable":true,"type":"string"}},"type":"object"},"TypesOrganization":{"description":"The root org","properties":{"active_automation_rule_count":{"description":"Number of active automation rules","format":"int32","type":"integer"},"active_detection_rule_count":{"description":"Number of active detection rules","format":"int32","type":"integer"},"active_mailbox_count":{"description":"Number of currently active mailboxes","format":"int32","type":"integer"},"can_add_children":{"description":"Whether this organization can add child organizations","nullable":true,"type":"boolean"},"can_manage_child_licenses":{"description":"Whether this organization can manage child organization licenses","nullable":true,"type":"boolean"},"created_at":{"description":"Time at which the organization was created","format":"date-time","type":"string"},"deleted_at":{"description":"Time at which org was soft deleted (inaccessible, data not deleted)","format":"date-time","nullable":true,"type":"string"},"id":{"description":"Organization unique ID","type":"string"},"licenses":{"description":"Active licenses for this organization","items":{"$ref":"#/components/schemas/TypesLicense"},"type":"array"},"name":{"description":"Organization chosen name","type":"string"},"parent_org_id":{"description":"ID of this organization's parent in the hierarchy. The top-level organization has no parent. Omitted when not populated.","nullable":true,"type":"string"},"scheduled_for_deletion_at":{"description":"Time at which hard deletion of org data is scheduled to begin","format":"date-time","nullable":true,"type":"string"},"total_mailbox_count":{"description":"Total number of mailboxes","format":"int32","type":"integer"}},"type":"object"},"UtilRegexExtractMatch":{"properties":{"full_match":{"description":"A complete match to the regular expression","type":"string"},"groups":{"description":"All captured groups","items":{"type":"string"},"type":"array"},"named_groups":{"additionalProperties":{"type":"string"},"description":"A mapping of named capture groups names to values","type":"object"}},"type":"object"},"WhoisResult":{"description":"network.whois output","properties":{"administrative_company":{"description":"The company of the administrative contact","type":"string"},"administrative_email":{"description":"The email address of the administrative contact","type":"string"},"administrative_name":{"description":"The name of the administrative contact","type":"string"},"administrative_phone":{"description":"The phone number of the administrative contact","type":"string"},"checked_at":{"description":"Date that this registration was last checked","format":"date-time","nullable":true,"type":"string"},"created_at":{"description":"Date that the domain was first created","format":"date-time","nullable":true,"type":"string"},"days_old":{"description":"The number of elapsed days since this domain was registered","format":"double","nullable":true,"type":"number"},"domain_status":{"description":"The status codes for this domain registration","items":{"type":"string"},"type":"array"},"error":{"description":"Error when looking up the domain in whois","type":"string"},"expires_at":{"description":"Date that this domain registration expires","format":"date-time","nullable":true,"type":"string"},"found":{"description":"Whether the domain was found via WHOIS","nullable":true,"type":"boolean"},"name_servers":{"description":"The authoritative name servers for this domain, parsed into domain objects","items":{"$ref":"#/components/schemas/Mdm_serviceDomain"},"type":"array"},"registrant_address":{"description":"The address of the registrant","type":"string"},"registrant_city":{"description":"The city of the registrant","type":"string"},"registrant_company":{"description":"The company that registered this domain","type":"string"},"registrant_country":{"description":"The country of the registrant","type":"string"},"registrant_country_code":{"description":"The country code of the registrant","type":"string"},"registrant_email":{"description":"The email address of the registrant","type":"string"},"registrant_fax":{"description":"The fax number of the registrant","type":"string"},"registrant_name":{"description":"The name of the person or entity that registered this domain","type":"string"},"registrant_phone":{"description":"The phone number of the registrant","type":"string"},"registrant_state":{"description":"The state or province of the registrant","type":"string"},"registrant_zip":{"description":"The postal/zip code of the registrant","type":"string"},"registrar_name":{"description":"The registrar that reported this information","type":"string"},"root_domain":{"description":"The root domain that was looked up","type":"string"},"technical_company":{"description":"The company of the technical contact","type":"string"},"technical_email":{"description":"The email address of the technical contact","type":"string"},"technical_name":{"description":"The name of the technical contact","type":"string"},"technical_phone":{"description":"The phone number of the technical contact","type":"string"},"updated_at":{"description":"Date that this domain registration was last updated","format":"date-time","nullable":true,"type":"string"}},"type":"object"}},"securitySchemes":{"bearerAuth":{"scheme":"bearer","type":"http"}}},"info":{"contact":{"email":"support@sublime.security"},"title":"Multi-Tenancy API","version":""},"openapi":"3.0.1","paths":{"/v0/organizations/mine/child-organizations":{"get":{"description":"List the child organizations under the calling organization, including license and usage data.","operationId":"listChildOrganizations","parameters":[{"description":"Filter by active status. true returns only active organizations; false returns only soft-deleted or scheduled-for-deletion organizations; omit to return all.","in":"query","name":"active","schema":{"description":"Filter by active status. true returns only active organizations; false returns only soft-deleted or scheduled-for-deletion organizations; omit to return all.","example":true,"nullable":true,"type":"boolean"}},{"description":"Maximum number of organizations to return. Capped at 500.","in":"query","name":"limit","schema":{"description":"Maximum number of organizations to return. Capped at 500.","example":50,"format":"int32","maximum":500,"nullable":true,"type":"integer"}},{"description":"Zero-based offset into the result set, used for pagination.","in":"query","name":"offset","schema":{"description":"Zero-based offset into the result set, used for pagination.","example":0,"format":"int32","nullable":true,"type":"integer"}},{"description":"Restrict results to direct children of this organization. Must be the calling organization itself or one of its descendants. Defaults to the calling organization.","in":"query","name":"parent_org_id","schema":{"description":"Restrict results to direct children of this organization. Must be the calling organization itself or one of its descendants. Defaults to the calling organization.","example":"019263d1-7c1a-7c8e-9c66-f1c2a9b1f4e2","format":"uuid","nullable":true,"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Handler_typesListChildOrganizationsResponse"}}},"description":"OK"}},"summary":"List child organizations","tags":["Organizations"]},"post":{"description":"Create a child organization","operationId":"createChildOrganization","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/CreateChildOrganizationInput"}}}},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Handler_typesCreateChildOrganizationResponse"}}},"description":"OK"}},"summary":"Create child organization","tags":["Organizations"]}},"/v0/organizations/mine/child-organizations/bulk-licensing":{"post":{"description":"Apply license transitions to up to 200 child organizations in one call. Each organization is evaluated independently; per-organization failures are reported in the results array, not the HTTP status.","operationId":"bulkPatchChildOrganizationLicensing","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/BulkPatchChildOrganizationLicensingInput"}}}},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Handler_typesBulkPatchChildOrganizationLicensingResponse"}}},"description":"OK"}},"summary":"Bulk update child organization licensing","tags":["Organizations"]}},"/v0/organizations/mine/child-organizations/search":{"get":{"description":"Search the calling organization's descendant organizations by name using trigram similarity.","operationId":"searchChildOrganizations","parameters":[{"description":"Filter by active status. true returns only active organizations; false returns only soft-deleted or scheduled-for-deletion organizations; omit to return all.","in":"query","name":"active","schema":{"description":"Filter by active status. true returns only active organizations; false returns only soft-deleted or scheduled-for-deletion organizations; omit to return all.","example":true,"nullable":true,"type":"boolean"}},{"description":"If true, include each hit's immediate parent organization summary on the response.","in":"query","name":"include_parent","schema":{"description":"If true, include each hit's immediate parent organization summary on the response.","example":true,"nullable":true,"type":"boolean"}},{"description":"Maximum number of results to return. Capped at 200.","in":"query","name":"limit","schema":{"description":"Maximum number of results to return. Capped at 200.","example":50,"format":"int32","maximum":200,"nullable":true,"type":"integer"}},{"description":"Maximum depth to search relative to the search root. 1 returns direct children only, 2 includes grandchildren, and so on. Omit for unlimited depth.","in":"query","name":"max_depth","schema":{"description":"Maximum depth to search relative to the search root. 1 returns direct children only, 2 includes grandchildren, and so on. Omit for unlimited depth.","example":2,"format":"int32","minimum":1,"nullable":true,"type":"integer"}},{"description":"Root the search at this organization instead of the calling organization. Must be the calling organization, one of its descendants, or an ancestor the caller has access to.","in":"query","name":"parent_org_id","schema":{"description":"Root the search at this organization instead of the calling organization. Must be the calling organization, one of its descendants, or an ancestor the caller has access to.","example":"019263d1-7c1a-7c8e-9c66-f1c2a9b1f4e2","format":"uuid","nullable":true,"type":"string"}},{"description":"Trigram-similarity search query against organization names. Omit or leave empty to return all descendants (subject to other filters).","in":"query","name":"query","schema":{"description":"Trigram-similarity search query against organization names. Omit or leave empty to return all descendants (subject to other filters).","example":"acme","nullable":true,"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Handler_typesSearchChildOrganizationsResponse"}}},"description":"OK"}},"summary":"Search child organizations","tags":["Organizations"]}},"/v0/organizations/mine/child-organizations/{id}":{"patch":{"description":"Update a child organization's display name and delegation settings, returning the full child organization.","operationId":"patchChildOrganization","parameters":[{"description":"ID of the child organization to patch.","in":"path","name":"id","required":true,"schema":{"description":"ID of the child organization to patch.","example":"019263d1-7c1a-7c8e-9c66-f1c2a9b1f4e2","format":"uuid","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/PatchChildOrganizationInput"}}}},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/TypesOrganization"}}},"description":"OK"}},"summary":"Update child organization","tags":["Organizations"]}},"/v0/organizations/mine/child-organizations/{id}/licensing":{"patch":{"description":"Apply a desired license to a child organization. The requested license is evaluated against the organization's current billing state and the appropriate transition is applied.","operationId":"patchChildOrganizationLicensing","parameters":[{"description":"ID of the child organization whose licenses to update.","in":"path","name":"id","required":true,"schema":{"description":"ID of the child organization whose licenses to update.","example":"019263d1-7c1a-7c8e-9c66-f1c2a9b1f4e2","format":"uuid","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/PatchChildOrganizationLicensingInput"}}}},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Handler_typesPatchChildOrganizationLicensingResponse"}}},"description":"OK"}},"summary":"Update child organization licensing","tags":["Organizations"]}}},"security":[{"bearerAuth":[]}],"servers":[{"url":"{scheme}://{server}","variables":{"scheme":{"default":"https","enum":["http","https"]},"server":{"default":"platform.sublime.security","description":"Base URL of your Sublime deployment"}}}],"tags":[{"name":"API Credentials"},{"name":"API Keys"},{"name":"Actions"},{"name":"Ade"},{"name":"Admin authorization request"},{"name":"Analyze"},{"name":"Asa"},{"name":"Audit Log"},{"name":"Authentication"},{"name":"Backtest Jobs"},{"name":"BinExplode"},{"name":"Create"},{"name":"Crowdstrike Sandbox"},{"name":"DLP Export"},{"name":"DLP Stats"},{"name":"DLP alerts"},{"name":"DSL functions"},{"name":"Debug"},{"name":"Demo"},{"name":"Dev config"},{"name":"Dev webhooks"},{"name":"Email Bombs"},{"name":"Enrichment"},{"name":"Error Logs"},{"name":"Events"},{"name":"Events in the audit log"},{"name":"Exclusions"},{"name":"Export"},{"name":"External API Keys"},{"name":"Flags"},{"name":"Get"},{"name":"Google"},{"name":"Historical ingestion"},{"name":"Hunt Jobs"},{"name":"Inline alerts"},{"name":"Link clicks"},{"name":"Lists"},{"name":"Live flow"},{"name":"Logo Image"},{"name":"Mailboxes"},{"name":"Marketplace"},{"name":"Message Groups"},{"name":"Message Sources"},{"name":"Messages"},{"name":"Microsoft"},{"name":"Modify"},{"name":"OAuth"},{"name":"Organizations"},{"name":"Phishing Simulations"},{"name":"Phishing Simulations (Beta)"},{"name":"Platform setup"},{"name":"Quarantine Digest"},{"name":"Roles"},{"name":"Rule feeds"},{"name":"Rules"},{"name":"SCIM"},{"name":"Stats"},{"name":"Tasks"},{"name":"User Reports"},{"name":"User groups"},{"name":"Users"},{"name":"Vendor Domains"},{"name":"Vendors"},{"name":"Web socket handlers"},{"name":"provider org units (OUs)"},{"name":"roles"}],"x-readme":{"explorer-enabled":false}}