{"components":{"schemas":{"ActionMessageInput":{"properties":{"action":{"description":"Action to take on the message group","enum":["restore","warning_banner","quarantine","trash","move_to_spam","move_to_graymail","delete_calendar_events"],"type":"string"},"custom_action_ids":{"description":"IDs of actions to perform on the message group","items":{"type":"string"},"type":"array"},"share_with_sublime":{"description":"Whether to share the message group & review with Sublime","type":"boolean"}},"type":"object"},"Actions_typesActionEventCounts":{"properties":{"action_type":{"description":"The type of the action that was applied","type":"string"},"attempts":{"description":"The number of attempts made to apply the action","format":"int32","type":"integer"},"change":{"description":"The type of change that was made (either applied or reverted)","type":"string"},"created_at":{"description":"The time the action event was created","format":"date-time","type":"string"},"id":{"description":"The ID of the action event","type":"string"},"total":{"description":"The total number of messages that the action was applied to","format":"int32","type":"integer"}},"type":"object"},"AddListEntryInput":{"properties":{"string":{"description":"String list entry","maxLength":2000,"type":"string"}},"type":"object"},"AnalyzeMessageByIDInput":{"properties":{"queries":{"description":"Queries to analyze","items":{"$ref":"#/components/schemas/Handler_typesQuerySimple"},"type":"array"},"rules":{"description":"Rules to analyze","items":{"$ref":"#/components/schemas/Handler_typesRuleSimple"},"type":"array"},"run_active_detection_rules":{"default":false,"description":"Whether to analyze the message with all active detection rules in your organization","type":"boolean"},"run_all_detection_rules":{"default":false,"description":"Whether to analyze with all detection rules from all Feeds, including uninstalled + inactive Feed rules, as well as any active detection rules you’ve created that are not part of a Feed.","type":"boolean"},"run_all_insights":{"default":false,"description":"Whether to analyze with all insights","type":"boolean"}},"type":"object"},"AnalyzeMessageInput":{"properties":{"queries":{"description":"Queries to analyze","items":{"$ref":"#/components/schemas/Handler_typesQuerySimple"},"type":"array"},"raw_message":{"description":"The full base64 encoded raw eml message","format":"byte","type":"string"},"rules":{"description":"Rules to analyze","items":{"$ref":"#/components/schemas/Handler_typesRuleSimple"},"type":"array"},"run_active_detection_rules":{"default":false,"description":"Whether to analyze the message with all active detection rules in your organization","type":"boolean"},"run_all_detection_rules":{"default":false,"description":"Whether to analyze with all detection rules from all Feeds, including uninstalled + inactive Feed rules, as well as any active detection rules you’ve created that are not part of a Feed.","type":"boolean"},"run_all_insights":{"default":false,"description":"Whether to analyze with all insights","type":"boolean"}},"required":["raw_message"],"type":"object"},"AnalyzeRawMessageLiveFlowInput":{"properties":{"":{"type":"boolean"},"analyze_async":{"description":"Run analysis and finish ingestion async. flagged_rules will be empty on response.","type":"boolean"},"canonical_id":{"description":"Known Canonical (message group) ID","maxLength":64,"minLength":64,"nullable":true,"type":"string"},"create_mailbox":{"description":"Create mailbox if it doesn't exist. If true, message_source_id must also be set","type":"boolean"},"delivery_status":{"description":"Override delivery status. Use 'undelivered' to simulate inline processing (e.g. for testing interdict actions).","nullable":true,"type":"string"},"external_created_at":{"description":"Timestamp the message created at according to the external source","format":"date-time","nullable":true,"type":"string"},"external_message_id":{"description":"ID of the message according to the external source","nullable":true,"type":"string"},"external_thread_id":{"description":"ID of the thread the message belongs to according to the external source","nullable":true,"type":"string"},"folder":{"description":"The mailbox folder the message is in","nullable":true,"type":"string"},"labels":{"description":"Labels applied to the message by the mailbox","items":{"type":"string"},"type":"array"},"mailbox_email_address":{"description":"The email address of the mailbox containing this message","format":"email","type":"string"},"message_source_id":{"description":"API Message source ID associated with the mailbox.","format":"uuid","type":"string"},"message_type":{"$ref":"#/components/schemas/Mdm_serviceMessageType"},"raw_message":{"description":"The full base64 encoded raw eml message","type":"string"},"route_type":{"description":"The directional route type of the message","nullable":true,"type":"string"}},"required":["mailbox_email_address","message_source_id","raw_message"],"type":"object"},"AssignRoleToUserInput":{"properties":{"email_address":{"type":"string"},"role_title":{"type":"string"}},"type":"object"},"AttackScoreForRawMessageInput":{"properties":{"raw_message":{"description":"The full base64 encoded raw eml message","format":"byte","type":"string"}},"required":["raw_message"],"type":"object"},"BoundedValues_string":{"description":"Bounded first attachment names on messages in the group","properties":{"total":{"format":"int32","type":"integer"},"values":{"items":{"type":"string"},"type":"array"}},"type":"object"},"CreateEmailBombInput":{"properties":{"end_time":{"description":"End of the email bomb time range (must not be in the future)","format":"date-time","type":"string"},"mailbox_id":{"description":"ID of the mailbox to declare the email bomb for","type":"string"},"start_time":{"description":"Start of the email bomb time range","format":"date-time","type":"string"}},"required":["end_time","mailbox_id","start_time"],"type":"object"},"CreateListInput":{"properties":{"description":{"description":"Description of list","type":"string"},"name":{"description":"Unique name used to reference the list in MQL","type":"string"}},"required":["description","name"],"type":"object"},"CreateMessageInput":{"properties":{"canonical_id":{"description":"The canonical ID of the message, if known","nullable":true,"type":"string"},"external_created_at":{"description":"Timestamp the message created at according to the external source","nullable":true,"type":"string"},"external_message_id":{"description":"ID of the message according to the external source","nullable":true,"type":"string"},"external_thread_id":{"description":"ID of the thread the message belongs to according to the external source","nullable":true,"type":"string"},"folder":{"description":"The mailbox folder the message is in","nullable":true,"type":"string"},"labels":{"description":"Labels applied to the message by the mailbox","items":{"type":"string"},"type":"array"},"mailbox_email_address":{"description":"The email address of the mailbox containing this message","format":"email","nullable":true,"type":"string"},"message_type":{"$ref":"#/components/schemas/Mdm_serviceMessageType"},"raw_message":{"description":"The full base64 encoded raw eml message","format":"byte","type":"string"},"route_type":{"description":"The directional route type of the message","nullable":true,"type":"string"}},"required":["raw_message"],"type":"object"},"CreateRuleInput":{"properties":{"action_ids":{"description":"IDs of actions to run when the rule is triggered","items":{"type":"string"},"type":"array"},"active":{"description":"Activate the rule immediately","type":"boolean"},"attack_types":{"description":"Rule attack types","items":{"type":"string"},"type":"array"},"authors":{"description":"Rule authors. Defaults to the user that made the request","items":{"$ref":"#/components/schemas/TypesRuleAuthor"},"type":"array"},"auto_review_auto_share":{"description":"Whether auto-reviewed messages will be shared","type":"boolean"},"auto_review_classification":{"description":"The classification auto-reviewed messages will have, when an auto-review action is associated with the rule","nullable":true,"type":"string"},"description":{"description":"Description of rule","type":"string"},"detection_methods":{"description":"Rule detection technologies","items":{"type":"string"},"type":"array"},"false_positives":{"description":"Descriptions of known false positives that could occur","items":{"type":"string"},"type":"array"},"internal_type":{"description":"For core feed only","nullable":true,"type":"string"},"label":{"description":"Rule label","nullable":true,"type":"string"},"maturity":{"description":"Rule maturity","nullable":true,"type":"string"},"name":{"description":"Rule name","type":"string"},"references":{"description":"URL references","items":{"type":"string"},"type":"array"},"run_triage_on_excluded_messages":{"description":"For Triage rules only, whether this rule will run even if the message matched a global exclusion.","nullable":true,"type":"boolean"},"severity":{"description":"Rule severity","nullable":true,"type":"string"},"source":{"description":"Source","type":"string"},"tactics_and_techniques":{"description":"Rule tactics and techniques","items":{"type":"string"},"type":"array"},"tags":{"description":"Tags","items":{"type":"string"},"type":"array"},"triage_abuse_reports":{"description":"For Triage rules only, whether this rule will run for reported messages. For triage rules, one triage_ field must be true.","nullable":true,"type":"boolean"},"triage_classification_changes":{"description":"For Triage rules only, whether this rule will run for messages whose classification has just changed. For triage rules, one triage_ field must be true.","nullable":true,"type":"boolean"},"triage_dlp_rule_matched":{"description":"For Triage rules only, whether this rule will run for messages that matched a DLP rule. For triage rules, one triage_ field must be true.","nullable":true,"type":"boolean"},"triage_flagged_messages":{"description":"For Triage rules only, whether this rule will run for messages which flagged. For triage rules, one triage_ field must be true.","nullable":true,"type":"boolean"},"type":{"description":"Type of the rule","enum":["detection","dlp","triage"],"type":"string"},"user_provided_tags":{"description":"User-provided tags","items":{"type":"string"},"type":"array"}},"required":["name","source"],"type":"object"},"CreateSCIMUserInput":{"properties":{"active":{"type":"boolean"},"emails":{"items":{"$ref":"#/components/schemas/Handler_typesSCIMEmail"},"type":"array"},"externalId":{"description":"ID of the user in the external identity provider (e.g., Okta)","nullable":true,"type":"string"},"id":{"description":"ID of the user in Sublime","type":"string"},"meta":{"$ref":"#/components/schemas/Handler_typesSCIMMeta"},"name":{"$ref":"#/components/schemas/Handler_typesSCIMUserName"},"schemas":{"items":{"type":"string"},"type":"array"},"sublimeRole":{"description":"Deprecated. For backwards-compatibility with existing integrations. Prefer the property on \"urn:ietf:params:scim:schemas:extension:sublime:2.0:User\"","type":"string"},"urn:ietf:params:scim:schemas:extension:sublime:2.0:User":{"$ref":"#/components/schemas/Handler_typesSCIMSublimeUserExtension"},"userName":{"type":"string"}},"required":["name","userName"],"type":"object"},"DismissEmailBombInput":{"properties":{"review_comment":{"description":"Comment describing reason for dismissing the email bomb","nullable":true,"type":"string"}},"type":"object"},"DismissMessageCanonicalGroupInput":{"properties":{"classification":{"description":"Classification to apply to the messages being reviewed. Optional.","enum":["malicious","benign","spam","graymail","simulation","unwanted","violation","non-violation"],"type":"string"},"report_label":{"description":"Label to apply to messages being reviewed. Optional.","enum":["spam","phishing","false_positive","false_negative","phishing_simulation","graymail","violation","non-violation"],"type":"string"},"review_comment":{"description":"Comment describing reason for action","nullable":true,"type":"string"}},"type":"object"},"DismissMultipleMessageGroupsInput":{"properties":{"classification":{"description":"Classification to apply to the messages being reviewed. Optional.","enum":["malicious","benign","spam","graymail","simulation","unwanted","violation","non-violation"],"type":"string"},"message_group_ids":{"description":"Canonical IDs of the message groups to dismiss","items":{"type":"string"},"minItems":1,"type":"array"},"report_label":{"description":"Label to apply to messages being reviewed. Optional.","enum":["spam","phishing","false_positive","false_negative","phishing_simulation","graymail","violation","non-violation"],"type":"string"},"review_comment":{"description":"Comment describing reason for action","nullable":true,"type":"string"}},"required":["message_group_ids"],"type":"object"},"Enrichment_typesBrandInfo":{"description":"Information about the recognized brand on the target page","properties":{"confidence":{"description":"Level of confidence that the correct brand (or none) was identified","enum":["low","medium","high"],"type":"string"},"name":{"description":"Name of identified brand in the target page. Null if no brand was identified.","enum":["ABN","ADP","AOL","AT&T","Adobe","AliExpress","Amazon","American Express","Apple","Authentisign","Awardco","BB&T Corporation","BBVA","BT","Bass Pro Shop","Bank of America","Barclays","Belastingdienst","Benteler","BeyondTrust","Bol","Box","CFA","CNA","CVS","Caixabank","Capital One Bank","CalPoly","Captcha","Carta","Chase","ChicagoTitle","Citi","Cloudflare","Coinbase","Couer Mining","CyberArk","DHL","DKB","DPD","Dayforce","Digid","Discord","Discover","Disney","DocuSign","Dropbox","EY","Ebay","Europol","Experian","Facebook","FakeAttachment","FanDuel","FedEx","FidelityTitle","FirstAm","FuboTV","GLS","GM","GeekSquad","Gemini Trust","Generic Captcha","Generic Webmail","Github","Gmail","GoDaddy","Google","GoogleDrive","Google Voice","Gusto","HSBC Bank","Heroku","Home Depot","HubSpot","Hulu","Huntress","ING","IRS","Indeed","Instagram","Invite Company","JFrog","KPN","Kehe","Key Bank","LawyersTitle","Ledger","LinkedIn","Lloyds","M & T Bank","MadisonTitle","MailChimp","Mailgun","Mastercard","McAfee","Meta","MetaMask","Microsoft","Microsoft Office365","Microsoft OneDrive","Microsoft Outlook","Microsoft SharePoint","Microsoft Teams","Mimecast","NATO","NHS","NatWest","Navan","Navy Federal Credit Union","Netflix","Norton","OVO","Okta","OldRepublicTitle","OpenAI","PNC","Palo Alto Networks","Pandora","PayPal","PostNL","Postbank","Proton","Pulley","QuicklySign","Quickbooks","RBS","RLI","Rabobank","Rakuten","Robert Half","RoyalMail","SBB","SSA","Santander","Schwab","SendGrid","Shein","Signal","Silicon Valley Bank","Slack","Snowflake","Sparkasse","Spotify","Square","StewartTitle","Stratus","Stripe","SunTrust Bank","Swiss Post","Swisscom","TD Bank","Target","Targobank","Threads","TicorTitle","Tidal","TikTok","Trezor","TrustWallet","Tyrell","U.S. Bank","UCSB","UPS","USPS","Vanguard","Venmo","Visa","Vodafone","Volksbank","WeTransfer","Wells Fargo","Wex","WhatsApp","Wise","Workday","WoS","X","Yahoo","Zebra","Zelle","Zendesk","Ziggo","Zoom","Zscaler"],"type":"string"}},"type":"object"},"Enrichment_typesCredPhish":{"description":"CredPhish analysis of the screenshot taken for the final URL","properties":{"brand":{"$ref":"#/components/schemas/Enrichment_typesBrandInfo"},"confidence":{"description":"Level in a credential phish assessment, only set if .disposition is phishing","enum":["low","medium","high"],"type":"string"},"contains_captcha":{"description":"Final page contains a captcha test","nullable":true,"type":"boolean"},"contains_login":{"description":"Final page resembles a login screen","nullable":true,"type":"boolean"},"disposition":{"description":"Verdict of the link, determined by various stages of analysis","enum":["benign","phishing","unknown"],"type":"string"}},"type":"object"},"Enrichment_typesLinkAnalysisResult":{"description":"ml.link_analysis output","properties":{"additional_responses":{"description":"Additional HTTP responses for the page, which could be additional resources, XHR requests, etc.","items":{"$ref":"#/components/schemas/Link_analysis_typesAdditionalResponse"},"type":"array"},"analyzed":{"description":"Whether the target page was successfully analyzed for credential phishing attempts","type":"boolean"},"content_type":{"description":"Content type of the page","type":"string"},"credphish":{"$ref":"#/components/schemas/Enrichment_typesCredPhish"},"diagnostics":{"$ref":"#/components/schemas/Enrichment_typesLinkAnalysisRunDiagnostics"},"effective_url":{"$ref":"#/components/schemas/Mdm_serviceURL"},"files_downloaded":{"description":"All downloads from the page. These must download without interaction and within a few seconds","items":{"$ref":"#/components/schemas/Link_analysis_typesDownloadedFile"},"type":"array"},"final_dom":{"$ref":"#/components/schemas/Link_analysis_typesFinalDOM"},"original_url":{"$ref":"#/components/schemas/Mdm_serviceURL"},"redirect_history":{"description":"Each URL which the link analysis service was redirected through","items":{"$ref":"#/components/schemas/Mdm_serviceURL"},"type":"array"},"retrieved":{"description":"Whether the page was successfully retrieved","type":"boolean"},"retrieved_at":{"description":"Time when the link analysis was initially retrieved","format":"date-time","nullable":true,"type":"string"},"screenshot":{"$ref":"#/components/schemas/Mdm_serviceFile"},"status_code":{"description":"HTTP status code for the requested page","format":"int32","type":"integer"},"submitted":{"description":"Whether the page was submitted to be retrieved for analysis","type":"boolean"},"unique_urls_accessed":{"description":"All unique URLs accessed during the analysis","items":{"$ref":"#/components/schemas/Mdm_serviceURL"},"type":"array"}},"type":"object"},"Enrichment_typesLinkAnalysisRunDiagnostics":{"description":"INTERNAL","properties":{"created_at":{"description":"When the diagnostic object was created","format":"date-time","type":"string"},"submit_verdict":{"description":"Reason the URL was [not] submitted to Link Analysis","type":"string"},"submit_verdict_url":{"description":"The URL upon which the submit verdict was based","type":"string"}},"type":"object"},"FfiJSON":{"description":"Response from the URL decoded as a JSON object for application/json content types","type":"object"},"GetMessageAttachmentImageRawInput":{"properties":{"file_type":{"description":"The file type of the attachment","type":"string"},"raw":{"description":"The full base64 encoded raw attachment to render","format":"byte","type":"string"}},"required":["raw"],"type":"object"},"GraymailMultipleMessageGroupsInput":{"properties":{"classification":{"description":"Classification to apply to the messages being reviewed. Optional.","enum":["malicious","benign","spam","graymail","simulation","unwanted","violation","non-violation"],"type":"string"},"message_group_ids":{"description":"Canonical IDs of the message groups to move to graymail","items":{"type":"string"},"minItems":1,"type":"array"},"report_label":{"description":"Label to apply to messages being reviewed. Optional.","enum":["spam","phishing","false_positive","false_negative","phishing_simulation","graymail","violation","non-violation"],"type":"string"},"review_comment":{"description":"Comment describing reason for action","nullable":true,"type":"string"}},"required":["message_group_ids"],"type":"object"},"Handler_typesAnalyzeRawMessageLiveFlowResponse":{"properties":{"canonical_id":{"description":"Canonical (message group) ID","type":"string"},"flagged_rules":{"description":"Flagged rules","items":{"$ref":"#/components/schemas/TypesFlatSqar"},"type":"array"},"message_id":{"description":"Message ID","format":"uuid","nullable":true,"type":"string"},"raw_message_id":{"description":"Raw message ID","format":"uuid","nullable":true,"type":"string"}},"type":"object"},"Handler_typesAnalyzeRawMessageResponse":{"properties":{"query_results":{"description":"Query result details","items":{"$ref":"#/components/schemas/Handler_typesAnalyzeResponseQuery"},"type":"array"},"rule_results":{"description":"Analyze result details","items":{"$ref":"#/components/schemas/Handler_typesAnalyzeResponseRule"},"type":"array"}},"type":"object"},"Handler_typesAnalyzeResponseQuery":{"properties":{"error":{"description":"Error message, if success == false","nullable":true,"type":"string"},"execution_time":{"description":"Execution time in seconds","format":"double","nullable":true,"type":"number"},"external_errors":{"description":"External errors that occurred during evaluation","items":{"type":"string"},"type":"array"},"query":{"$ref":"#/components/schemas/Handler_typesQuerySimpleMeta"},"result":{"description":"Result of the query evaluation","nullable":true},"success":{"description":"Whether execution was successful or errored","type":"boolean"}},"required":["execution_time","success"],"type":"object"},"Handler_typesAnalyzeResponseRule":{"properties":{"error":{"description":"Error message, if success == false","nullable":true,"type":"string"},"execution_time":{"description":"Execution time in seconds","format":"double","nullable":true,"type":"number"},"external_errors":{"description":"External errors that occurred during evaluation","items":{"type":"string"},"type":"array"},"matched":{"description":"Whether the rule matched the provided message","nullable":true,"type":"boolean"},"rule":{"$ref":"#/components/schemas/Handler_typesRuleSimplePublicID"},"success":{"description":"Whether execution was successful or errored","type":"boolean"}},"required":["execution_time","matched","success"],"type":"object"},"Handler_typesAttachmentImageContent":{"properties":{"data":{"description":"Base64 encoded PNGs of the raw attachment. Multiple if it is a document with pages.","items":{"items":{"format":"int32","type":"integer"},"type":"array"},"type":"array"},"hash":{"description":"The MD5 hash of the full attachment","type":"string"}},"type":"object"},"Handler_typesEventData":{"description":"Event data","properties":{"message":{"$ref":"#/components/schemas/TypesEventMessage"},"message_group":{"$ref":"#/components/schemas/TypesEventMessageGroup"},"request":{"$ref":"#/components/schemas/TypesAPIRequest"}},"type":"object"},"Handler_typesEventV0":{"properties":{"additional_data":{"description":"Additional event data","items":{"format":"int32","type":"integer"},"type":"array"},"created_at":{"description":"Event creation time","format":"date-time","type":"string"},"created_by":{"$ref":"#/components/schemas/Handler_typesUser"},"data":{"$ref":"#/components/schemas/Handler_typesEventData"},"id":{"description":"Event ID","format":"uuid","type":"string"},"type":{"description":"Event type","type":"string"}},"required":["created_at","data","id","type"],"type":"object"},"Handler_typesFlaggedRuleV0":{"properties":{"id":{"description":"ID of the flagged rule","type":"string"},"name":{"description":"Name of the flagged rule","type":"string"},"tags":{"description":"List of tags for the flagged rule","items":{"type":"string"},"type":"array"}},"type":"object"},"Handler_typesGetHuntResponse":{"properties":{"message_groups":{"description":"Array of messages groups returned by the hunt","items":{"$ref":"#/components/schemas/Handler_typesMessageGroupV0"},"type":"array"},"task_response":{"$ref":"#/components/schemas/Handler_typesGetTaskResponse"}},"type":"object"},"Handler_typesGetListResponse":{"properties":{"lists":{"description":"List of lists","items":{"$ref":"#/components/schemas/Handler_typesList"},"type":"array"}},"type":"object"},"Handler_typesGetScanResultResponse":{"properties":{"results":{"description":"binexplode list of responses for a single input file, each additional response represents an explosion result","items":{"$ref":"#/components/schemas/StrelkaResponse"},"type":"array"},"task_response":{"$ref":"#/components/schemas/Handler_typesGetTaskResponse"}},"type":"object"},"Handler_typesGetTaskResponse":{"description":"Generic information about the scan task execution, such as status or errors.","properties":{"created_at":{"description":"Task creation time","format":"date-time","type":"string"},"error":{"description":"Task error","type":"string"},"id":{"description":"Task ID","format":"uuid","type":"string"},"state":{"description":"Task status","enum":["pending","started","succeeded","failed","retrying"],"type":"string"}},"required":["id","state"],"type":"object"},"Handler_typesLinkAnalysisResponse":{"properties":{"additional_responses":{"description":"Additional HTTP responses for the page, which could be additional resources, XHR requests, etc.","items":{"$ref":"#/components/schemas/Link_analysis_typesAdditionalResponse"},"type":"array"},"analyzed":{"description":"Whether the target page was successfully analyzed for credential phishing attempts","type":"boolean"},"content_type":{"description":"Content type of the page","type":"string"},"credphish":{"$ref":"#/components/schemas/Enrichment_typesCredPhish"},"diagnostics":{"$ref":"#/components/schemas/Enrichment_typesLinkAnalysisRunDiagnostics"},"effective_url":{"$ref":"#/components/schemas/Mdm_serviceURL"},"files_downloaded":{"description":"All downloads from the page. These must download without interaction and within a few seconds","items":{"$ref":"#/components/schemas/Link_analysis_typesDownloadedFile"},"type":"array"},"final_dom":{"$ref":"#/components/schemas/Link_analysis_typesFinalDOM"},"original_url":{"$ref":"#/components/schemas/Mdm_serviceURL"},"page_status_code":{"description":"HTTP status code of the page","format":"int32","nullable":true,"type":"integer"},"redirect_history":{"description":"Each URL which the link analysis service was redirected through","items":{"$ref":"#/components/schemas/Mdm_serviceURL"},"type":"array"},"retrieved":{"description":"Whether the page was successfully retrieved","type":"boolean"},"retrieved_at":{"description":"Time the page was retrieved","format":"date-time","nullable":true,"type":"string"},"screenshot":{"$ref":"#/components/schemas/Mdm_serviceFile"},"status_code":{"description":"HTTP status code for the requested page","format":"int32","type":"integer"},"submitted":{"description":"Whether the page was submitted to be retrieved for analysis","type":"boolean"},"unique_urls_accessed":{"description":"All unique URLs accessed during the analysis","items":{"$ref":"#/components/schemas/Mdm_serviceURL"},"type":"array"},"would_analyze":{"description":"Whether the link would have been analyzed if run in a rule","type":"boolean"},"would_submit":{"description":"Whether the link would have been submitted if run in a rule","type":"boolean"}},"type":"object"},"Handler_typesList":{"properties":{"created_at":{"description":"List creation time","format":"date-time","type":"string"},"description":{"description":"Description of list","type":"string"},"editable":{"description":"If the list may be edited. False for system lists.","type":"boolean"},"entry_type":{"description":"Type of entry. Supported values are 'string', 'user_group', 'provider_org_unit'","type":"string"},"id":{"description":"List ID","format":"uuid","type":"string"},"name":{"description":"Unique name used to reference the list in MQL","type":"string"},"updated_at":{"description":"List last updated time","format":"date-time","type":"string"}},"required":["description","id","name"],"type":"object"},"Handler_typesListEntries":{"properties":{"entries":{"description":"List of string entries","items":{"type":"string"},"type":"array"},"overrides":{"description":"List of override string entries","items":{"type":"string"},"type":"array"}},"type":"object"},"Handler_typesListRuleHistoryResponse":{"properties":{"history":{"additionalProperties":{"$ref":"#/components/schemas/Handler_typesRuleHistoryResponse"},"description":"List of rule history entries","type":"object"}},"type":"object"},"Handler_typesListRulesResponse":{"properties":{"count":{"description":"Count of results for this page","format":"int32","type":"integer"},"rules":{"description":"List of rules","items":{"$ref":"#/components/schemas/Handler_typesRule"},"type":"array"},"total":{"description":"Total number of results available","format":"int32","type":"integer"}},"type":"object"},"Handler_typesListSCIMResourceTypesResponse":{"properties":{"Resources":{"items":{"$ref":"#/components/schemas/Handler_typesSCIMResourceType"},"type":"array"},"itemsPerPage":{"format":"int32","type":"integer"},"schemas":{"items":{"type":"string"},"type":"array"},"startIndex":{"format":"int32","type":"integer"},"totalResults":{"format":"int32","type":"integer"}},"type":"object"},"Handler_typesListSCIMSchemasResponse":{"properties":{"Resources":{"items":{"$ref":"#/components/schemas/Handler_typesSCIMSchema"},"type":"array"},"itemsPerPage":{"format":"int32","type":"integer"},"schemas":{"items":{"type":"string"},"type":"array"},"startIndex":{"format":"int32","type":"integer"},"totalResults":{"format":"int32","type":"integer"}},"type":"object"},"Handler_typesListSCIMUsersResponse":{"properties":{"Resources":{"items":{"$ref":"#/components/schemas/Handler_typesSCIMUser"},"type":"array"},"itemsPerPage":{"format":"int32","type":"integer"},"schemas":{"items":{"type":"string"},"type":"array"},"startIndex":{"format":"int32","type":"integer"},"totalResults":{"format":"int32","type":"integer"}},"type":"object"},"Handler_typesListUserReportsResponse":{"properties":{"count":{"description":"Count of user reports matching filters (up to limit)","format":"int32","type":"integer"},"user_reports":{"description":"User reports matching request filters","items":{"$ref":"#/components/schemas/Handler_typesMessageReportWithCanonicalID"},"type":"array"}},"type":"object"},"Handler_typesMailbox":{"description":"Mailbox that the email bomb was found in","properties":{"email":{"description":"Mailbox email address","type":"string"},"external_id":{"description":"ID of the mailbox in the source system (e.g., Office 365 or Google Workspace)","nullable":true,"type":"string"},"id":{"description":"Mailbox ID","format":"uuid","type":"string"}},"required":["email","id"],"type":"object"},"Handler_typesMessage":{"properties":{"canonical_id":{"description":"Canonical ID of the message","type":"string"},"created_at":{"description":"Datetime the message was created","format":"date-time","type":"string"},"external_id":{"description":"ID of the message in the source system (e.g., Office 365 or Google Workspace)","nullable":true,"type":"string"},"forward_recipients":{"description":"Email addresses this message was forwarded to by the recipient mailbox","items":{"type":"string"},"type":"array"},"forwarded_at":{"description":"Time this message was forwarded by the recipient mailbox. A null value indicates that it has not yet been forwarded","format":"date-time","nullable":true,"type":"string"},"id":{"description":"Message ID","format":"uuid","type":"string"},"landed_in_spam":{"description":"Whether the message landed in the recipient's spam folder","nullable":true,"type":"boolean"},"mailbox":{"$ref":"#/components/schemas/Handler_typesMailbox"},"message_source_id":{"description":"ID of the message source of the message","format":"uuid","nullable":true,"type":"string"},"read_at":{"description":"Time this message was read in the user's mailbox. A null value indicates that it has not yet been marked read","format":"date-time","nullable":true,"type":"string"},"recipients":{"description":"Details of the message recipients","items":{"$ref":"#/components/schemas/Handler_typesRecipient"},"type":"array"},"replied_at":{"description":"Time that this message was replied to by the recipient mailbox. A null value indicates that it has not yet been replied to by the recipient","format":"date-time","nullable":true,"type":"string"},"sender":{"$ref":"#/components/schemas/Handler_typesSender"},"subject":{"description":"Subject of the message","type":"string"}},"required":["canonical_id","created_at","id","message_source_id","recipients","sender","subject"],"type":"object"},"Handler_typesMessageGroupActivityEvent":{"properties":{"client_ip":{"description":"Client IP of the click (click events only)","nullable":true,"type":"string"},"forward_recipients":{"$ref":"#/components/schemas/BoundedValues_string"},"mailbox":{"$ref":"#/components/schemas/Handler_typesMessageGroupActivityEventMailbox"},"message_id":{"description":"ID of the message, except for 'received' events","nullable":true,"type":"string"},"recipients":{"$ref":"#/components/schemas/TruncatedBoundedValues_string"},"timestamp":{"description":"Time of the event","format":"date-time","type":"string"},"type":{"description":"Type of activity event","type":"string"},"url":{"description":"URL that was clicked (click events only)","nullable":true,"type":"string"},"user_agent":{"description":"User agent of the click (click events only)","nullable":true,"type":"string"}},"type":"object"},"Handler_typesMessageGroupActivityEventMailbox":{"description":"Details about the mailbox associated with the message, except for 'received' events","properties":{"display_name":{"description":"Display name of the mailbox","nullable":true,"type":"string"},"email_address":{"description":"Email address of the mailbox","type":"string"},"external_id":{"description":"External ID of the mailbox","nullable":true,"type":"string"}},"type":"object"},"Handler_typesMessageGroupEventLinkClick":{"properties":{"clicked_at":{"description":"The time that the link was clicked","format":"date-time","type":"string"},"client_ip":{"description":"The originating client IP for the click","type":"string"},"mailbox_display_name":{"description":"Display name of mailbox that performed the action","nullable":true,"type":"string"},"mailbox_email_address":{"description":"Mailbox email address that performed the action","nullable":true,"type":"string"},"mailbox_external_id":{"description":"External ID of the mailbox that performed the action","nullable":true,"type":"string"},"message_id":{"description":"ID of the Sublime message for which the action occurred","type":"string"},"user_agent":{"description":"The originating user-agent for the click","type":"string"}},"type":"object"},"Handler_typesMessageGroupEventLinksClickedV0":{"properties":{"clicks":{"description":"Click events for the URL","items":{"$ref":"#/components/schemas/Handler_typesMessageGroupEventLinkClick"},"type":"array"},"url":{"description":"URL that was clicked","type":"string"}},"type":"object"},"Handler_typesMessageGroupSIEMSummaryItem":{"properties":{"attachment_hashes":{"$ref":"#/components/schemas/BoundedValues_string"},"attachment_names":{"$ref":"#/components/schemas/BoundedValues_string"},"detection_rule_names":{"description":"Names of detection rules that flagged messages in the group","items":{"type":"string"},"type":"array"},"first_seen":{"description":"Oldest message effective_at in the group","format":"date-time","type":"string"},"id":{"description":"Canonical ID of the message group","type":"string"},"last_seen":{"description":"Newest message effective_at in the group","format":"date-time","type":"string"},"link_clicks":{"$ref":"#/components/schemas/TruncatedBoundedValues_handler_types.MessageGroupActivityEvent"},"message_count":{"description":"Effective number of messages in the group","format":"int32","type":"integer"},"recipient_count":{"description":"Number of unique recipients across the group","format":"int32","type":"integer"},"sender_domains":{"$ref":"#/components/schemas/BoundedValues_string"},"senders":{"$ref":"#/components/schemas/BoundedValues_string"},"source_ips":{"$ref":"#/components/schemas/TruncatedBoundedValues_string"},"subjects":{"$ref":"#/components/schemas/BoundedValues_string"}},"type":"object"},"Handler_typesMessageGroupSIEMSummaryResponse":{"properties":{"cursor":{"description":"Opaque cursor for the next page; pass it back as the cursor query param. Null when no more pages are available.","nullable":true,"type":"string"},"message_groups":{"description":"List of flagged message groups for SIEM ingestion","items":{"$ref":"#/components/schemas/Handler_typesMessageGroupSIEMSummaryItem"},"type":"array"}},"type":"object"},"Handler_typesMessageGroupV0":{"properties":{"classification":{"description":"Classification of the message group","nullable":true,"type":"string"},"flagged_rules":{"description":"Flagged rules from the message","items":{"$ref":"#/components/schemas/Handler_typesFlaggedRuleV0"},"type":"array"},"id":{"description":"Canonical ID of the group","type":"string"},"message_links_clicked":{"description":"Message link clicked events","items":{"$ref":"#/components/schemas/Handler_typesMessageGroupEventLinksClickedV0"},"type":"array"},"messages":{"description":"Message previews","items":{"$ref":"#/components/schemas/Handler_typesMessagePreviewV0"},"type":"array"},"organization_id":{"description":"ID of the group's organization","type":"string"},"review_comment":{"description":"Comment describing reason for action","nullable":true,"type":"string"},"review_label":{"description":"Message group label","nullable":true,"type":"string"},"review_status":{"description":"Message group status","nullable":true,"type":"string"},"state":{"description":"Message group state","nullable":true,"type":"string"},"user_reports":{"description":"User reports of the message","items":{"$ref":"#/components/schemas/Handler_typesMessageReportV0"},"type":"array"}},"required":["id"],"type":"object"},"Handler_typesMessageImage":{"properties":{"data":{"description":"Base64-encoded image data","format":"byte","type":"string"},"is_empty_body":{"description":"If the message is missing a body. In this case an empty PNG is returned.","type":"boolean"},"mime_type":{"description":"MIME type of the image","type":"string"}},"type":"object"},"Handler_typesMessageImageLink":{"properties":{"expires_in":{"description":"Approximate duration of link in seconds","format":"int32","type":"integer"},"url":{"description":"Temporary link to image","type":"string"}},"required":["expires_in","url"],"type":"object"},"Handler_typesMessagePreviewV0":{"properties":{"created_at":{"description":"Time this message was added to Sublime","format":"date-time","type":"string"},"delivered":{"description":"Whether or not the message has been delivered","type":"boolean"},"forward_recipients":{"description":"Email addresses this message was forwarded to by the recipient mailbox","items":{"type":"string"},"type":"array"},"forwarded_at":{"description":"Time this message was forwarded by the recipient mailbox. A null value indicates that it has not yet been forwarded","format":"date-time","nullable":true,"type":"string"},"id":{"description":"Sublime message ID","type":"string"},"mailbox":{"$ref":"#/components/schemas/Handler_typesMailbox"},"read_at":{"description":"Time this message was read in the user's mailbox. A null value indicates that it has not yet been marked read","format":"date-time","nullable":true,"type":"string"},"recipients":{"description":"Details of the message recipients","items":{"$ref":"#/components/schemas/Handler_typesRecipient"},"type":"array"},"replied_at":{"description":"Time that this message was replied to by the recipient mailbox. A null value indicates that it has not yet been replied to by the recipient","format":"date-time","nullable":true,"type":"string"},"sender":{"$ref":"#/components/schemas/Handler_typesSender"},"subject":{"description":"Subject of the message","type":"string"}},"required":["id","mailbox","recipients","sender","subject"],"type":"object"},"Handler_typesMessageReportV0":{"properties":{"channel":{"description":"Channel used to report the group","type":"string"},"reported_at":{"description":"Time the group was reported","format":"date-time","type":"string"},"reported_by_message_id":{"description":"ID of the reporting message (the user forward)","nullable":true,"type":"string"},"reporter":{"description":"Email address of the user who reported the group","type":"string"}},"type":"object"},"Handler_typesMessageReportWithCanonicalID":{"properties":{"channel":{"description":"Channel used to report the group","type":"string"},"reported_at":{"description":"Time the group was reported","format":"date-time","type":"string"},"reported_by_message_id":{"description":"ID of the reporting message (the user forward)","nullable":true,"type":"string"},"reported_message_canonical_id":{"description":"Canonical ID of the message that was reported","type":"string"},"reporter":{"description":"Email address of the user who reported the group","type":"string"}},"type":"object"},"Handler_typesQuerySimple":{"properties":{"name":{"description":"Query name","nullable":true,"type":"string"},"severity":{"description":"Severity associated with the query","nullable":true,"type":"string"},"source":{"description":"The MQL source to run against the message","nullable":true,"type":"string"}},"required":["source"],"type":"object"},"Handler_typesQuerySimpleMeta":{"description":"Metadata about the query evaluated against the message","properties":{"name":{"description":"Query name","nullable":true,"type":"string"},"severity":{"description":"Severity associated with the query","nullable":true,"type":"string"},"source":{"description":"Query source","nullable":true,"type":"string"}},"type":"object"},"Handler_typesRecipient":{"properties":{"email":{"description":"Email address","type":"string"}},"required":["email"],"type":"object"},"Handler_typesRule":{"properties":{"active":{"description":"Indicates whether or not the rule is active and will flag matching messages","type":"boolean"},"created_at":{"description":"Rule creation time","format":"date-time","type":"string"},"description":{"description":"Description of rule","type":"string"},"id":{"description":"Rule ID","format":"uuid","type":"string"},"name":{"description":"Rule name","type":"string"},"references":{"description":"URLs of reference resources for this rule","items":{"type":"string"},"type":"array"},"severity":{"description":"Rule severity","enum":["informational","low","medium","high","critical"],"type":"string"},"source":{"description":"Rule MQL (Message Query Language) source","type":"string"},"tags":{"description":"Freeform tags for this rule (for example, \"Executive Impersonation\")","items":{"type":"string"},"type":"array"},"updated_at":{"description":"Rule last updated time","format":"date-time","type":"string"}},"required":["description","name","source"],"type":"object"},"Handler_typesRuleHistoryResponse":{"properties":{"actions":{"description":"Actions associated with the rule","items":{"$ref":"#/components/schemas/TypesSqarAction"},"type":"array"},"flagged_message_groups_report":{"$ref":"#/components/schemas/Handler_typesRuleHistoryStats"},"rule":{"$ref":"#/components/schemas/TypesAPIRule"}},"type":"object"},"Handler_typesRuleHistoryStats":{"description":"Rule history stats for message groups","properties":{"classified_detection_rate":{"description":"The percentage of classified detections","format":"double","nullable":true,"type":"number"},"count_classified_benign":{"description":"Total number of classified benign rule history entries","format":"int32","type":"integer"},"count_classified_graymail":{"description":"Total number of classified graymail rule history entries","format":"int32","type":"integer"},"count_classified_malicious":{"description":"Total number of classified malicious rule history entries","format":"int32","type":"integer"},"count_classified_no_reason":{"description":"Total number of classified no reason rule history entries","format":"int32","type":"integer"},"count_classified_simulation":{"description":"Total number of classified simulation rule history entries","format":"int32","type":"integer"},"count_classified_unwanted":{"description":"Total number of classified unwanted rule history entries","format":"int32","type":"integer"},"count_unreviewed":{"description":"Total number of unreviewed rule history entries","format":"int32","type":"integer"},"total":{"description":"Total number of rule history entries","format":"int32","type":"integer"}},"type":"object"},"Handler_typesRuleSimple":{"properties":{"active":{"description":"Whether the rule is active","type":"boolean"},"feed_id":{"description":"Feed ID associated with the rule","nullable":true,"type":"string"},"name":{"description":"Rule name","nullable":true,"type":"string"},"severity":{"description":"Severity associated with the rule","nullable":true,"type":"string"},"source":{"description":"The MQL source to run against the message","type":"string"}},"required":["source"],"type":"object"},"Handler_typesRuleSimplePublicID":{"description":"Metadata for the rule compared against the message","properties":{"id":{"description":"Rule ID","nullable":true,"type":"string"},"name":{"description":"Rule name","nullable":true,"type":"string"},"severity":{"description":"Severity associated with the rule","nullable":true,"type":"string"},"source":{"description":"The MQL source for the rule","type":"string"}},"required":["source"],"type":"object"},"Handler_typesSCIMAuthenticationScheme":{"properties":{"description":{"type":"string"},"name":{"type":"string"},"primary":{"type":"boolean"},"type":{"type":"string"}},"type":"object"},"Handler_typesSCIMEmail":{"properties":{"primary":{"type":"boolean"},"type":{"type":"string"},"value":{"type":"string"}},"type":"object"},"Handler_typesSCIMMeta":{"description":"Schema metadata","properties":{"created":{"description":"DateTime when the resource was created","type":"string"},"lastModified":{"description":"DateTime when the resource was last modified","type":"string"},"location":{"description":"URL of the resource","type":"string"},"resourceType":{"description":"Resource type","type":"string"}},"type":"object"},"Handler_typesSCIMPatchOperation":{"properties":{"op":{"type":"string"},"path":{"nullable":true,"type":"string"},"value":{"description":"Value of any type, including null","nullable":true}},"required":["op"],"type":"object"},"Handler_typesSCIMResourceType":{"properties":{"description":{"description":"Description of the resource","type":"string"},"endpoint":{"description":"Endpoint for the resource","type":"string"},"id":{"description":"ID of the resource in Sublime","type":"string"},"meta":{"$ref":"#/components/schemas/Handler_typesSCIMMeta"},"name":{"description":"Name of the resource","type":"string"},"schema":{"description":"Schema for the resource","type":"string"},"schemaExtensions":{"description":"Schema Extensions for the resource","items":{"$ref":"#/components/schemas/Handler_typesSCIMSchemaExtension"},"type":"array"},"schemas":{"items":{"type":"string"},"type":"array"}},"type":"object"},"Handler_typesSCIMSchema":{"properties":{"attributes":{"description":"Schema attributes","items":{"$ref":"#/components/schemas/Handler_typesSCIMSchemaAttribute"},"type":"array"},"description":{"description":"Schema description","type":"string"},"id":{"description":"Schema ID","type":"string"},"meta":{"$ref":"#/components/schemas/Handler_typesSCIMMeta"},"name":{"description":"Schema name","type":"string"},"schemas":{"items":{"type":"string"},"type":"array"}},"type":"object"},"Handler_typesSCIMSchemaAttribute":{"properties":{"canonicalValues":{"items":{"type":"string"},"type":"array"},"caseExact":{"type":"boolean"},"description":{"type":"string"},"multiValued":{"type":"boolean"},"mutability":{"type":"string"},"name":{"type":"string"},"required":{"type":"boolean"},"returned":{"type":"string"},"subAttributes":{"items":{"$ref":"#/components/schemas/Handler_typesSCIMSchemaSubAttribute"},"type":"array"},"type":{"type":"string"},"uniqueness":{"type":"string"}},"type":"object"},"Handler_typesSCIMSchemaExtension":{"properties":{"required":{"description":"Whether the extension is required","type":"boolean"},"schema":{"description":"URI of the schema extension","type":"string"}},"type":"object"},"Handler_typesSCIMSchemaSubAttribute":{"properties":{"caseExact":{"type":"boolean"},"description":{"type":"string"},"mutability":{"type":"string"},"name":{"type":"string"},"required":{"type":"boolean"},"returned":{"type":"string"},"type":{"type":"string"},"uniqueness":{"type":"string"}},"type":"object"},"Handler_typesSCIMServiceProviderConfig":{"properties":{"authenticationSchemes":{"items":{"$ref":"#/components/schemas/Handler_typesSCIMAuthenticationScheme"},"type":"array"},"bulk":{"$ref":"#/components/schemas/Handler_typesSCIMServiceProviderConfigBulk"},"changePassword":{"$ref":"#/components/schemas/Handler_typesSCIMServiceProviderConfigChange"},"documentationURI":{"type":"string"},"etag":{"$ref":"#/components/schemas/Handler_typesSCIMServiceProviderConfigETag"},"filter":{"$ref":"#/components/schemas/Handler_typesSCIMServiceProviderConfigFilter"},"meta":{"$ref":"#/components/schemas/Handler_typesSCIMMeta"},"patch":{"$ref":"#/components/schemas/Handler_typesSCIMServiceProviderConfigPatch"},"schemas":{"items":{"type":"string"},"type":"array"},"sort":{"$ref":"#/components/schemas/Handler_typesSCIMServiceProviderConfigSort"}},"type":"object"},"Handler_typesSCIMServiceProviderConfigBulk":{"properties":{"maxOperations":{"format":"int32","type":"integer"},"maxPayloadSize":{"format":"int32","type":"integer"},"supported":{"type":"boolean"}},"type":"object"},"Handler_typesSCIMServiceProviderConfigChange":{"properties":{"supported":{"type":"boolean"}},"type":"object"},"Handler_typesSCIMServiceProviderConfigETag":{"properties":{"supported":{"type":"boolean"}},"type":"object"},"Handler_typesSCIMServiceProviderConfigFilter":{"properties":{"maxResults":{"format":"int32","type":"integer"},"supported":{"type":"boolean"}},"type":"object"},"Handler_typesSCIMServiceProviderConfigPatch":{"properties":{"supported":{"type":"boolean"}},"type":"object"},"Handler_typesSCIMServiceProviderConfigSort":{"properties":{"supported":{"type":"boolean"}},"type":"object"},"Handler_typesSCIMSublimeUserExtension":{"properties":{"sublimeRole":{"description":"Sublime role of the user, such as 'admin', 'engineer', 'analyst', or a custom role","type":"string"}},"type":"object"},"Handler_typesSCIMUser":{"properties":{"active":{"type":"boolean"},"emails":{"items":{"$ref":"#/components/schemas/Handler_typesSCIMEmail"},"type":"array"},"externalId":{"description":"ID of the user in the external identity provider (e.g., Okta)","nullable":true,"type":"string"},"id":{"description":"ID of the user in Sublime","type":"string"},"meta":{"$ref":"#/components/schemas/Handler_typesSCIMMeta"},"name":{"$ref":"#/components/schemas/Handler_typesSCIMUserName"},"schemas":{"items":{"type":"string"},"type":"array"},"sublimeRole":{"description":"Deprecated. For backwards-compatibility with existing integrations. Prefer the property on \"urn:ietf:params:scim:schemas:extension:sublime:2.0:User\"","type":"string"},"urn:ietf:params:scim:schemas:extension:sublime:2.0:User":{"$ref":"#/components/schemas/Handler_typesSCIMSublimeUserExtension"},"userName":{"type":"string"}},"required":["name","userName"],"type":"object"},"Handler_typesSCIMUserName":{"properties":{"familyName":{"type":"string"},"givenName":{"type":"string"}},"type":"object"},"Handler_typesSender":{"description":"Details of the message sender","properties":{"display_name":{"description":"Display name","type":"string"},"email":{"description":"Email address","type":"string"}},"required":["email"],"type":"object"},"Handler_typesTaskAccepted":{"properties":{"task_id":{"description":"Task ID. Use the /v0/tasks/:id endpoint to check the task status.","format":"uuid","type":"string"}},"required":["task_id"],"type":"object"},"Handler_typesUser":{"description":"User that created the event. Nil if system originated","properties":{"access_restricted":{"description":"For inactive users only. Indicates the user cannot actually access due to permissions in parent org","type":"boolean"},"active":{"description":"Whether or not the user is active/enabled (generally managed through SCIM)","type":"boolean"},"created_at":{"description":"User creation time","format":"date-time","type":"string"},"deleted_at":{"description":"User deletion time","format":"date-time","nullable":true,"type":"string"},"email_address":{"description":"Email address","format":"email","type":"string"},"first_name":{"description":"First name","format":"string","type":"string"},"google_oauth_user_id":{"description":"The user's Google user ID, if it exists'","type":"string"},"id":{"description":"User ID","format":"uuid","type":"string"},"is_enrolled":{"description":"Whether the user has begun using the system (e.g. accepted an invitation or logged in at least once)","type":"boolean"},"last_name":{"description":"Last name","format":"string","type":"string"},"microsoft_oauth_user_id":{"description":"The user's Microsoft user ID, if it exists'","type":"string"},"phone_number":{"description":"Phone number","nullable":true,"type":"string"},"role":{"description":"Role assumed by the user","type":"string"},"service_account":{"description":"The service account type (e.g., 'ade') if this is a service account","nullable":true,"type":"string"},"updated_at":{"description":"User last updated time","format":"date-time","type":"string"}},"required":["created_at","email_address","first_name","id","last_name","updated_at"],"type":"object"},"Handler_typesV0ListMessageGroupsResponse":{"properties":{"count":{"description":"Count of messages groups for this page","format":"int32","type":"integer"},"message_groups":{"description":"Array of messages groups matching the search","items":{"$ref":"#/components/schemas/Handler_typesMessageGroupV0"},"type":"array"},"stats_limit_exceeded":{"description":"Indicates if 'total' is a lower bound","type":"boolean"},"total":{"description":"Total number of messages groups matching the search","format":"int32","type":"integer"}},"required":["count","total"],"type":"object"},"Handler_typesValidateRuleResponse":{"properties":{"functions":{"description":"Function names found in the rule","items":{"type":"string"},"type":"array"},"is_org_dependent":{"description":"Whether the rule uses org-specific fields, lists, or functions","type":"boolean"},"list":{"description":"List names found in the rule","items":{"type":"string"},"type":"array"},"validation_error":{"description":"Validation error message if the rule is invalid","type":"string"}},"type":"object"},"HandlersAsaReportResponseV0":{"properties":{"attack_type":{"description":"Present if verdict is 'malicious'","items":{"$ref":"#/components/schemas/HandlersAsaTitleDescriptionPair"},"type":"array"},"full_explanation":{"description":"Comprehensive explanation of the findings, including verdict, attack type, attack technique, and complete reasoning.","type":"string"},"summary":{"description":"Executive summary of the findings, including verdict, attack type, attack technique, and high-level reasoning.","type":"string"},"tactics_and_techniques":{"description":"Array of techniques used in the attack. Present if verdict is 'malicious'","items":{"$ref":"#/components/schemas/HandlersAsaTitleDescriptionPair"},"type":"array"},"verdict":{"description":"ASA verdict","enum":["malicious","spam","graymail","benign","likely_benign","unknown"],"type":"string"}},"type":"object"},"HandlersAsaTitleDescriptionPair":{"properties":{"description":{"type":"string"},"title":{"type":"string"}},"type":"object"},"HandlersAsaVerdictResponseV0":{"properties":{"verdict":{"description":"ASA verdict","enum":["malicious","spam","graymail","likely_benign","benign","unknown"],"type":"string"}},"type":"object"},"HandlersAssignRoleToUserResponse":{"type":"object"},"HandlersAttackScoreResponse":{"properties":{"graymail_score":{"description":"Score from 0 to 100, with higher scores indicating a higher correlation with messages involved in graymail.","format":"double","nullable":true,"type":"number"},"score":{"description":"Score from 0 to 100, with higher scores indicating a higher correlation with messages involved in attacks.","format":"double","nullable":true,"type":"number"},"top_signals":{"description":"Top signals contributing to the score","items":{"$ref":"#/components/schemas/HandlersAttackScoreSignalResult"},"type":"array"},"verdict":{"description":"Verdict of the score, determined by thresholds.","nullable":true,"type":"string"}},"type":"object"},"HandlersAttackScoreSignalResult":{"properties":{"category":{"type":"string"},"description":{"type":"string"},"rank":{"format":"int32","type":"integer"}},"type":"object"},"HandlersGenerateBinExplodeDSLFunctionDocsResponse":{"properties":{"file.explode":{"description":"binexplode list of responses for a single input file, each additional response represents an explosion result","items":{"$ref":"#/components/schemas/StrelkaResponse"},"type":"array"}},"type":"object"},"HandlersGenerateDSLFunctionDocsResponse":{"properties":{"file.oletools":{"$ref":"#/components/schemas/OletoolsResult"}},"type":"object"},"HandlersGenerateLinkAnalysisDocsResponse":{"properties":{"ml.link_analysis":{"$ref":"#/components/schemas/Enrichment_typesLinkAnalysisResult"}},"type":"object"},"HandlersGenerateLogoDetectDocsResponse":{"properties":{"ml.logo_detect":{"$ref":"#/components/schemas/Logo_detectResult"}},"type":"object"},"HandlersGenerateMacroClassifierDocsResponse":{"properties":{"ml.macro_classifier":{"$ref":"#/components/schemas/MlMacroClassifierResult"}},"type":"object"},"HandlersGenerateNLUClassifierDocsResponse":{"properties":{"ml.nlu_classifier":{"$ref":"#/components/schemas/MlNLU3TopicResult"}},"type":"object"},"HandlersGenerateParseTextDocsResponse":{"properties":{"file.parse_text":{"$ref":"#/components/schemas/Org_dslParseTextResult"}},"type":"object"},"HandlersGenerateProfileBySenderDocsResponse":{"properties":{"profile.by_sender":{"$ref":"#/components/schemas/SenderprofileBaseSenderProfile"}},"type":"object"},"HandlersGenerateRegexExtractDocsResponse":{"properties":{"regex.extract":{"description":"regex.extract output","items":{"$ref":"#/components/schemas/UtilRegexExtractMatch"},"type":"array"}},"type":"object"},"HandlersGenerateTopicDocsResponse":{"properties":{"beta.ml_topic":{"$ref":"#/components/schemas/MlTopicResult"}},"type":"object"},"HandlersGenerateWhoisDocsResponse":{"properties":{"network.whois":{"$ref":"#/components/schemas/WhoisResult"}},"type":"object"},"HandlersGetAuditLogEventResponse":{"properties":{"additional_data":{"description":"Additional event data","items":{"format":"int32","type":"integer"},"type":"array"},"created_at":{"description":"Event creation time","format":"date-time","type":"string"},"created_by":{"$ref":"#/components/schemas/Handler_typesUser"},"data":{"$ref":"#/components/schemas/Handler_typesEventData"},"id":{"description":"Event ID","format":"uuid","type":"string"},"type":{"description":"Event type","type":"string"}},"required":["created_at","data","id","type"],"type":"object"},"HandlersGetMessageCanonicalGroupTasksResponse":{"properties":{"actions":{"description":"Tasks associated with the message group","items":{"$ref":"#/components/schemas/Actions_typesActionEventCounts"},"type":"array"}},"type":"object"},"HandlersGetV0HuntJobResponse":{"properties":{"error":{"description":"Error message if the hunt job failed.","nullable":true,"type":"string"},"id":{"description":"ID of the hunt job.","type":"string"},"private":{"description":"Restrict hunt job visibility to admins only.","type":"boolean"},"range_end_time":{"description":"Exclusive end datetime of the hunt job, in UTC using the ISO 8601 format (e.g., '2021-03-14T15:09:26Z').","format":"date-time","type":"string"},"range_start_time":{"description":"Inclusive start datetime of the hunt job, in UTC using the ISO 8601 format (e.g., '2021-03-14T15:09:26Z').","format":"date-time","type":"string"},"results_truncated":{"description":"Whether the hunt job was truncated due to reaching the results limit.","type":"boolean"},"source":{"description":"MQL source of the hunt job.","type":"string"},"status":{"description":"Status of the hunt job.","enum":["IN_PROGRESS","FAILED","CANCELED","COMPLETED"],"type":"string"}},"required":["range_end_time","range_start_time"],"type":"object"},"HandlersGetV0HuntJobResultsResponse":{"properties":{"message_groups":{"description":"Array of messages groups returned by the hunt","items":{"$ref":"#/components/schemas/Handler_typesMessageGroupV0"},"type":"array"},"total_group_count":{"description":"Total count of message groups returned by the hunt","format":"int32","type":"integer"}},"type":"object"},"HandlersListEventTypesResponse":{"properties":{"event_types":{"description":"Event types","items":{"$ref":"#/components/schemas/TypesEventTypeElement"},"type":"array"}},"type":"object"},"HandlersListEventsInAuditLogResponse":{"properties":{"count":{"description":"Count of results for this page","format":"int32","type":"integer"},"events":{"description":"Events. Platform deployments have 7 day event retention, while Enterprise and Cloud have unlimited retention.","items":{"$ref":"#/components/schemas/Handler_typesEventV0"},"type":"array"},"total":{"description":"Total number of results available","format":"int32","type":"integer"}},"required":["count","events","total"],"type":"object"},"HandlersMessage":{"properties":{"canonical_group_id":{"description":"Identifier shared by messages with the same canonical_id that arrive within the same period without a 60-minute gap","type":"string"},"canonical_id":{"description":"The sha1 hash of the message body text and sender","type":"string"},"created_at":{"description":"Datetime the message was created","type":"string"},"data_model":{"$ref":"#/components/schemas/Mdm_serviceMessageDataModel"},"delivered_at":{"description":"The time, if any, at which the message was delivered","format":"date-time","nullable":true,"type":"string"},"effective_at":{"description":"The effective time of the message","format":"date-time","nullable":true,"type":"string"},"id":{"description":"Message ID","format":"uuid","type":"string"},"mailbox_id":{"description":"ID of the mailbox for the message","format":"uuid","nullable":true,"type":"string"},"matched_global_exclusion":{"description":"Whether or not the message matched a global exclusion rule","nullable":true,"type":"boolean"},"preview":{"$ref":"#/components/schemas/TypesPreview"},"raw_message_id":{"description":"ID of the raw message that generated this message","format":"uuid","type":"string"},"received_inline":{"description":"Whether or not the message was received via inline processing","type":"boolean"},"reports_as_phish":{"description":"ID of the message group this message reports as phish","nullable":true,"type":"string"},"reviewed_at":{"description":"Datetime the message was reviewed","nullable":true,"type":"string"},"status":{"description":"The status of the message","nullable":true,"type":"string"},"status_changed_at":{"description":"The time when the status last changed","format":"date-time","nullable":true,"type":"string"},"type":{"$ref":"#/components/schemas/TypesMessageType"}},"required":["canonical_group_id","canonical_id","created_at","data_model","id","preview","raw_message_id"],"type":"object"},"HandlersReviewMessagesResponse":{"properties":{"actions":{"description":"List of actions that were applied","items":{"type":"string"},"type":"array"},"task_id":{"description":"Tracking ID of the parent task","nullable":true,"type":"string"}},"type":"object"},"HandlersScimEchoResp":{"properties":{"user_email":{"type":"string"}},"type":"object"},"HandlersStartHuntJobResponse":{"properties":{"hunt_job_id":{"description":"ID of the started hunt job.","type":"string"}},"type":"object"},"HandlersV0CreateEmailBombResponse":{"properties":{"created_bomb_id":{"description":"ID of the newly created bomb. Omitted when the time range merged into existing bombs.","format":"uuid","nullable":true,"type":"string"},"overlapping_bomb_ids":{"description":"IDs of all bombs overlapping the requested time range","format":"uuid","items":{"type":"string"},"type":"array"},"updated_bomb_ids":{"description":"IDs of existing bombs expanded to cover the requested time range","format":"uuid","items":{"type":"string"},"type":"array"}},"type":"object"},"HandlersV0EmailBombDetail":{"properties":{"active":{"description":"Whether the email bomb is currently active (based on last_message_added_at)","type":"boolean"},"created_at":{"description":"Time when the email bomb was first detected","format":"date-time","type":"string"},"end_time":{"description":"End time of the email bomb, when the last message was received","format":"date-time","type":"string"},"id":{"description":"ID of the email bomb","format":"uuid","type":"string"},"last_message_added_at":{"description":"Time when the last message was added to the email bomb","format":"date-time","type":"string"},"mailbox":{"$ref":"#/components/schemas/Handler_typesMailbox"},"message_count":{"description":"Total number of messages in the email bomb","format":"int32","type":"integer"},"reviewed_at":{"description":"Time when this email bomb was reviewed","format":"date-time","nullable":true,"type":"string"},"reviewed_by_user_id":{"description":"ID of the user who dismissed this email bomb","format":"uuid","nullable":true,"type":"string"},"start_time":{"description":"Start time of the email bomb, when the first message was received","format":"date-time","type":"string"},"updated_at":{"description":"Time when the email bomb was last updated","format":"date-time","type":"string"}},"type":"object"},"HandlersV0GetEmailBombResponse":{"properties":{"active":{"description":"Whether the email bomb is currently active (based on last_message_added_at)","type":"boolean"},"created_at":{"description":"Time when the email bomb was first detected","format":"date-time","type":"string"},"end_time":{"description":"End time of the email bomb, when the last message was received","format":"date-time","type":"string"},"id":{"description":"ID of the email bomb","format":"uuid","type":"string"},"last_message_added_at":{"description":"Time when the last message was added to the email bomb","format":"date-time","type":"string"},"mailbox":{"$ref":"#/components/schemas/Handler_typesMailbox"},"message_count":{"description":"Total number of messages in the email bomb","format":"int32","type":"integer"},"reviewed_at":{"description":"Time when this email bomb was reviewed","format":"date-time","nullable":true,"type":"string"},"reviewed_by_user_id":{"description":"ID of the user who dismissed this email bomb","format":"uuid","nullable":true,"type":"string"},"start_time":{"description":"Start time of the email bomb, when the first message was received","format":"date-time","type":"string"},"updated_at":{"description":"Time when the email bomb was last updated","format":"date-time","type":"string"}},"type":"object"},"HandlersV0ListEmailBombsResponse":{"properties":{"count":{"description":"Count of email bombs for this page","format":"int32","type":"integer"},"email_bombs":{"description":"List of email bombs","items":{"$ref":"#/components/schemas/HandlersV0EmailBombDetail"},"type":"array"},"total":{"description":"Total number of email bombs","format":"int32","type":"integer"}},"required":["count","total"],"type":"object"},"HandlersV0ListMailboxesResponse":{"properties":{"active":{"description":"Total number of active matching filters","format":"int32","type":"integer"},"count":{"description":"Count of results for this page","format":"int32","type":"integer"},"mailboxes":{"description":"List of mailboxes","items":{"$ref":"#/components/schemas/HandlersV0Mailbox"},"type":"array"},"total":{"description":"Total number of results available","format":"int32","type":"integer"}},"type":"object"},"HandlersV0Mailbox":{"properties":{"active":{"description":"Whether the mailbox is active","type":"boolean"},"email_address":{"description":"Mailbox email address","type":"string"},"id":{"description":"Mailbox ID","format":"uuid","type":"string"},"subscription_error_status":{"description":"Error type encountered when last trying to subscribe to change notifications from the provider (null if most recently successful)","nullable":true,"type":"string"}},"required":["email_address","id"],"type":"object"},"HuntMessageGroupsInput":{"properties":{"created_at[gte]":{"description":"Inclusive start datetime filter for search, in UTC using the ISO 8601 format (e.g., '2021-03-14T15:09:26Z'). Only message groups with a message processed at or after this time will be returned.","format":"date-time","nullable":true,"type":"string"},"created_at[lt]":{"description":"Exclusive end datetime filter for search, in UTC using the ISO 8601 format (e.g., '2021-05-04T15:09:26Z'). Only message groups with a message processed before this time will be returned.","format":"date-time","nullable":true,"type":"string"},"private":{"description":"Restrict hunt visibility to admin-only","type":"boolean"},"source":{"description":"Source of MQL to hunt with","type":"string"}},"required":["source"],"type":"object"},"HydraNLUContent":{"properties":{"confidence":{"description":"Confidence of the classification","enum":["low","medium","high"],"type":"string"},"name":{"description":"The name of the category","enum":["invoice","payment","purchase_order"],"type":"string"}},"type":"object"},"HydraNLUEntity":{"properties":{"name":{"description":"The classification label given to the text","enum":["urgency","request","financial","org","greeting","salutation","sender","recipient","disclaimer"],"type":"string"},"text":{"description":"The extracted text being classified","type":"string"}},"type":"object"},"HydraNLUIntent":{"properties":{"confidence":{"description":"Confidence of the classification","enum":["low","medium","high"],"type":"string"},"name":{"description":"The name of the category","enum":["bec","benign","callback_scam","cred_theft","extortion","steal_pii","job_scam","advance_fee"],"type":"string"}},"type":"object"},"HydraTopic":{"properties":{"confidence":{"description":"The confidence level of this topic applying to the body.","nullable":true,"type":"string"},"name":{"description":"The name of the topic.","enum":["Acts of Violence","Advertising and Promotions","B2B Cold Outreach","Benefit Enrollment","Bounce Back and Delivery Failure Notifications","Charity and Non-Profit","Contact List Solicitation","Customer Service and Support","E-Signature","E-vite with External RSVP","Educational and Research","Emergency Alerts","Entertainment and Sports","Environmental and Sustainability","Events and Webinars","File Sharing and Cloud Services","Financial Communications","Government Services","Health and Wellness","Legal and Compliance","News and Current Events","Newsletters and Digests","Order Confirmations","Out of Band Pivot","Out of Office and Automatic Replies","Payment Information","Political Mail","Professional and Career Development","Purchase Orders","Reminders and Notifications","Request to View Invoice","Romance","Secure Message","Security and Authentication","Sexually Explicit Messages","Shipping and Package","Social Media and Networking","Software and App Updates","Travel and Transportation","Voicemail Call and Missed Call Notifications"],"type":"string"}},"type":"object"},"LinkAnalysisEvaluateInput":{"properties":{"no_logo_detect":{"description":"Whether to skip logo detection","type":"boolean"},"url":{"description":"URL to analyze","type":"string"}},"required":["url"],"type":"object"},"Link_analysis_typesAdditionalResponse":{"properties":{"content_type":{"description":"Content type of the response","type":"string"},"file":{"$ref":"#/components/schemas/Link_analysis_typesDownloadedFile"},"json":{"$ref":"#/components/schemas/FfiJSON"},"status_code":{"description":"HTTP status code for the response","format":"int32","type":"integer"},"url":{"$ref":"#/components/schemas/Mdm_serviceURL"}},"type":"object"},"Link_analysis_typesDownloadedFile":{"description":"Raw HTTP response payload as a file","properties":{"file_extension":{"description":"File extension from context such as headers","type":"string"},"file_name":{"description":"File name","type":"string"},"file_type":{"description":"File type determined by looking at the magic bytes in the file","enum":["3gp","7z","Z","aac","aiff","amr","ar","avi","bmp","bz2","cab","cr2","crx","dcm","deb","dex","dey","doc","docx","dwg","elf","eot","epub","exe","flac","flv","gif","gz","heif","html","ico","ics","iso","jp2","jpg","jxr","lz","m4a","m4v","macho","mid","mkv","mov","mp3","mp4","mpg","nes","ogg","otf","pdf","png","ppt","pptx","ps","psd","rar","rpm","rtf","sqlite","svg","swf","tar","tif","ttf","wasm","wav","webm","webp","wmv","woff","woff2","xls","xlsx","xz","zip","zst","unknown"],"type":"string"},"md5":{"description":"MD5 hash of the downloaded file","type":"string"},"raw":{"description":"Base64 encoded source of the file","format":"base64","nullable":true,"type":"string"},"sha1":{"description":"SHA1 hash of the downloaded file","type":"string"},"sha256":{"description":"SHA256 hash of the downloaded file","type":"string"},"size":{"description":"Size of the file in bytes","format":"int64","nullable":true,"type":"integer"}},"type":"object"},"Link_analysis_typesFinalDOM":{"description":"Full DOM of the analyzed URL","properties":{"display_text":{"description":"Visible text of the HTML document, with invisible characters removed and non-ASCII characters converted to ASCII spaces.","nullable":true,"type":"string"},"inner_text":{"description":"Inner text of the HTML document that doesn't include HTML tags.","nullable":true,"type":"string"},"links":{"description":"Links found within the DOM","items":{"$ref":"#/components/schemas/Mdm_serviceLink"},"type":"array"},"raw":{"description":"Decoded raw content of a body text type (text/[subtype] section)","nullable":true,"type":"string"}},"type":"object"},"Logo_detectPageResult":{"properties":{"brands":{"items":{"$ref":"#/components/schemas/Enrichment_typesBrandInfo"},"type":"array"},"error":{"type":"string"},"page_index":{"format":"int32","type":"integer"}},"type":"object"},"Logo_detectResult":{"description":"ml.logo_detect","properties":{"brands":{"description":"Information about the recognized brands in the image","items":{"$ref":"#/components/schemas/Enrichment_typesBrandInfo"},"type":"array"},"error":{"description":"Error message when scanning image for logos","type":"string"},"page_results":{"description":"Logo detect results for each individual page","items":{"$ref":"#/components/schemas/Logo_detectPageResult"},"type":"array"},"scanned":{"description":"Whether an image was scanned for logos","type":"boolean"},"total_pages":{"description":"The total number of pages for the input file","format":"int32","nullable":true,"type":"integer"}},"type":"object"},"Mdm_serviceAttachment":{"properties":{"content_id":{"description":"Content-ID extracted from the MIME payload; is stripped of leading and trailing <> characters","type":"string"},"content_transfer_encoding":{"description":"Content-Transfer-Encoding extracted from the MIME payload","type":"string"},"content_type":{"description":"Content-Type extracted from the MIME payload","type":"string"},"file_extension":{"description":"File extension from context such as headers","type":"string"},"file_name":{"description":"File name","type":"string"},"file_type":{"description":"File type determined by looking at the magic bytes in the file","enum":["3gp","7z","Z","aac","aiff","amr","ar","avi","bmp","bz2","cab","cr2","crx","dcm","deb","dex","dey","doc","docx","dwg","elf","eot","epub","exe","flac","flv","gif","gz","heif","html","ico","ics","iso","jp2","jpg","jxr","lz","m4a","m4v","macho","mid","mkv","mov","mp3","mp4","mpg","nes","ogg","otf","pdf","png","ppt","pptx","ps","psd","rar","rpm","rtf","sqlite","svg","swf","tar","tif","ttf","wasm","wav","webm","webp","wmv","woff","woff2","xls","xlsx","xz","zip","zst","unknown"],"type":"string"},"md5":{"description":"MD5 hash of the raw contents","type":"string"},"raw":{"description":"Base64 encoded source of the file","format":"base64","nullable":true,"type":"string"},"sha1":{"description":"SHA1 hash of the raw contents","type":"string"},"sha256":{"description":"SHA256 hash of the raw contents","type":"string"},"size":{"description":"Size of the file in bytes","format":"int64","nullable":true,"type":"integer"}},"type":"object"},"Mdm_serviceAuthResults":{"description":"Results of authentication. Supported fields include 'Authentication-Results', 'X-Original-Authentication-Results', 'X-MS-Exchange-Authentication-Results', 'X-Agari-Authentication-Results', 'Authentication-Results-Original', and 'ARC-Authentication-Results'. Specification details can be found at https://tools.ietf.org/html/rfc8601","properties":{"compauth":{"$ref":"#/components/schemas/Mdm_serviceCompAuth"},"dkim":{"description":"Verdict of the Domain Keys Identified Mail check","enum":["none","pass","fail","policy","neutral","temperror","permerror"],"type":"string"},"dkim_details":{"description":"List of details of the Domain Keys Identified Mail checks","items":{"$ref":"#/components/schemas/Mdm_serviceSignature"},"type":"array"},"dmarc":{"description":"Verdict of the Domain-based Message Authentication, Reporting & Conformance check","enum":["none","pass","fail","bestguesspass"],"type":"string"},"dmarc_details":{"$ref":"#/components/schemas/Mdm_serviceDMARC"},"instance":{"description":"Instance number of this auth result (if ARC)","type":"string"},"server":{"$ref":"#/components/schemas/Mdm_serviceDomain"},"spf":{"description":"Verdict of the Sender Policy Framework","enum":["none","pass","fail","softfail","policy","neutral","temperror","permerror"],"type":"string"},"spf_details":{"$ref":"#/components/schemas/Mdm_serviceSPF"},"type":{"description":"The type of authentication result, derived from the field name","type":"string"}},"type":"object"},"Mdm_serviceAuthSummary":{"description":"Summary of authentication results for the message","properties":{"dmarc":{"$ref":"#/components/schemas/Mdm_serviceDMARCSummary"},"spf":{"$ref":"#/components/schemas/Mdm_serviceSPFSummary"}},"type":"object"},"Mdm_serviceBanner":{"properties":{"links":{"description":"All links found in the banner, unique by the target and display text/url.","items":{"$ref":"#/components/schemas/Mdm_serviceLink"},"type":"array"},"text":{"description":"The text content from the warning banner.","type":"string"}},"type":"object"},"Mdm_serviceBody":{"description":"Body of the email","properties":{"current_thread":{"$ref":"#/components/schemas/Mdm_serviceThread"},"html":{"$ref":"#/components/schemas/Mdm_serviceBodyHTML"},"ips":{"description":"IP Addresses located in the body","items":{"$ref":"#/components/schemas/Mdm_serviceIP"},"type":"array"},"links":{"description":"All links found in the body of the message, unique by the target and display text/url.","items":{"$ref":"#/components/schemas/Mdm_serviceLink"},"type":"array"},"plain":{"$ref":"#/components/schemas/Mdm_servicePlain"},"previous_threads":{"description":"The previous texts threads of the message'","items":{"$ref":"#/components/schemas/Mdm_servicePreviousThread"},"type":"array"}},"type":"object"},"Mdm_serviceBodyHTML":{"description":"The body part containing content-type text/html","properties":{"charset":{"description":"charset of the text/[subtype]","type":"string"},"content_transfer_encoding":{"description":"Content-Transfer-Encoding of the text/[subtype]","type":"string"},"display_text":{"description":"Visible text of the HTML document, with invisible characters removed and non-ASCII characters converted to ASCII spaces.","nullable":true,"type":"string"},"inner_text":{"description":"Inner text of the HTML document that doesn't include HTML tags.","nullable":true,"type":"string"},"links":{"description":"All links found in the HTML part of the body of the message","items":{"$ref":"#/components/schemas/Mdm_serviceLink"},"type":"array"},"raw":{"description":"Decoded raw content of a body text type (text/[subtype] section)","nullable":true,"type":"string"}},"type":"object"},"Mdm_serviceCompAuth":{"description":"Composite Authentication result, used by Microsoft O365","properties":{"reason":{"description":"Reason for the verdict","type":"string"},"verdict":{"description":"Verdict of the compauth","type":"string"}},"required":["reason","verdict"],"type":"object"},"Mdm_serviceDMARC":{"description":"Details of the Domain-based Message Authentication, Reporting & Conformance check","properties":{"action":{"description":"Indicates the action taken by the spam filter based on the results of the DMARC check. For more information see https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-message-headers?view=o365-worldwide#authentication-results-message-header-fields","nullable":true,"type":"string"},"disposition":{"description":"Gmail-applied policy","nullable":true,"type":"string"},"from":{"$ref":"#/components/schemas/Mdm_serviceDomain"},"policy":{"description":"Policy for the organizational domain","nullable":true,"type":"string"},"sub_policy":{"description":"Policy for the subdomain of the organizational domain","nullable":true,"type":"string"},"verdict":{"description":"Describes the results of the DMARC check for the message","nullable":true,"type":"string"},"version":{"description":"DMARC version","nullable":true,"type":"string"}},"type":"object"},"Mdm_serviceDMARCSummary":{"description":"Summary of the DMARC check","properties":{"details":{"$ref":"#/components/schemas/Mdm_serviceDMARC"},"error":{"description":"Whether the DMARC check errored","nullable":true,"type":"boolean"},"pass":{"description":"Whether the DMARC check passed","nullable":true,"type":"boolean"},"received_hop":{"description":"The lowest hop at which the DMARC check was made","format":"int32","type":"integer"}},"type":"object"},"Mdm_serviceDomain":{"description":"Domain parsed from X-Authenticated-Domain or X-Authenticated-Sender headers, which represents the domain used for sender authentication, typically the domain of the sending organization. This field provides additional context for analyzing the legitimacy of the sender","properties":{"domain":{"description":"The fully qualified domain name (FQDN). This may not *always* be routable, e.g. when an email address contains a domain that is just a TLD with no SLD, e.g. foo@WIN-bar","format":"hostname","type":"string"},"punycode":{"description":"Interpreted punycode if the domain starts with xn--. For example, if 'domain' is 'xn--ublimesecurity-4xc.com' then 'punycode' is śublimesecurity.com","type":"string"},"root_domain":{"description":"The root domain, including the TLD","format":"hostname","type":"string"},"sld":{"description":"Second-level domain, e.g. 'windows' for the domain 'windows.net'","type":"string"},"subdomain":{"description":"Subdomain, e.g. 'drive' for the domain 'drive.google.com'","type":"string"},"tld":{"description":"The domain's top-level domain. E.g. the TLD of google.com is 'com'","type":"string"},"valid":{"description":"Whether the domain is valid","type":"boolean"}},"required":["domain"],"type":"object"},"Mdm_serviceEmailAddress":{"description":"Email address object","properties":{"domain":{"$ref":"#/components/schemas/Mdm_serviceDomain"},"email":{"description":"Full email address","format":"email","type":"string"},"local_part":{"description":"Local-part, i.e. before the @","type":"string"}},"type":"object"},"Mdm_serviceExternal":{"description":"Cloud API provider or other external source metadata","properties":{"created_at":{"description":"The created time of the message as provided by the cloud API (G Suite or Office 365) or other external source. This is typically the time the external source received the message","format":"date-time","nullable":true,"type":"string"},"message_id":{"description":"The message ID as provided by the cloud API (G Suite or Office 365) or other external source","type":"string"},"route_type":{"description":"whether the message was sent or received","enum":["sent","received"],"type":"string"},"spam":{"description":"The upstream mail gateway determined the message to be spam. For cloud API providers, this will be the same as spam_folder. For other implementation methods like transport rules, this will be determined by message header values (e.g. X-SPAM) if supported","nullable":true,"type":"boolean"},"spam_folder":{"description":"The message arrived in the user's spam folder. This only applies to cloud APIs (G Suite or Office 365)","nullable":true,"type":"boolean"},"thread_id":{"description":"The thread/conversation's unique ID as provided by the cloud API (G Suite or Office 365)","type":"string"}},"type":"object"},"Mdm_serviceFile":{"description":"File containing screenshot of final_url","properties":{"file_extension":{"description":"File extension from context such as headers","type":"string"},"file_name":{"description":"File name","type":"string"},"file_type":{"description":"File type determined by looking at the magic bytes in the file","enum":["3gp","7z","Z","aac","aiff","amr","ar","avi","bmp","bz2","cab","cr2","crx","dcm","deb","dex","dey","doc","docx","dwg","elf","eot","epub","exe","flac","flv","gif","gz","heif","html","ico","ics","iso","jp2","jpg","jxr","lz","m4a","m4v","macho","mid","mkv","mov","mp3","mp4","mpg","nes","ogg","otf","pdf","png","ppt","pptx","ps","psd","rar","rpm","rtf","sqlite","svg","swf","tar","tif","ttf","wasm","wav","webm","webp","wmv","woff","woff2","xls","xlsx","xz","zip","zst","unknown"],"type":"string"},"raw":{"description":"Base64 encoded source of the file","format":"base64","nullable":true,"type":"string"},"size":{"description":"Size of the file in bytes","format":"int64","nullable":true,"type":"integer"}},"type":"object"},"Mdm_serviceHeaders":{"description":"The message headers","properties":{"auth_summary":{"$ref":"#/components/schemas/Mdm_serviceAuthSummary"},"date":{"description":"Date the email was sent in UTC.","format":"date-time","nullable":true,"type":"string"},"date_original_offset":{"description":"UTC timezone offset of the sender","nullable":true,"type":"string"},"delivered_to":{"$ref":"#/components/schemas/Mdm_serviceEmailAddress"},"domains":{"description":"All domains found in the Received headers","items":{"$ref":"#/components/schemas/Mdm_serviceDomain"},"type":"array"},"from":{"$ref":"#/components/schemas/Mdm_serviceMailbox"},"hops":{"description":"List of hops the message took from Sender to Recipient","items":{"$ref":"#/components/schemas/Mdm_serviceHop"},"type":"array"},"in_reply_to":{"description":"In-Reply-To header value which identifies its parent message if exists","nullable":true,"type":"string"},"ips":{"description":"All IP addresses found in the Received headers","items":{"$ref":"#/components/schemas/Mdm_serviceIP"},"type":"array"},"mailer":{"description":"X-Mailer or User-Agent extracted from headers","nullable":true,"type":"string"},"message_id":{"description":"Message-ID extracted from the header","nullable":true,"type":"string"},"references":{"description":"The Message-IDs of the other messages within this chain","items":{"type":"string"},"type":"array"},"reply_to":{"description":"Where replies should be delivered to","items":{"$ref":"#/components/schemas/Mdm_serviceMailbox"},"type":"array"},"return_path":{"$ref":"#/components/schemas/Mdm_serviceEmailAddress"},"x_authenticated_domain":{"$ref":"#/components/schemas/Mdm_serviceDomain"},"x_authenticated_sender":{"$ref":"#/components/schemas/Mdm_serviceEmailAddress"},"x_client_ip":{"$ref":"#/components/schemas/Mdm_serviceIP"},"x_originating_ip":{"$ref":"#/components/schemas/Mdm_serviceIP"},"x_secure_server_account":{"description":"X-SecureServer-Acct header, which represents a unique identifier associated with the sender's email account on a secure server and can be used to trace the email back to a specific account or user. ","nullable":true,"type":"string"},"x_sender":{"$ref":"#/components/schemas/Mdm_serviceEmailAddress"}},"required":["hops"],"type":"object"},"Mdm_serviceHop":{"properties":{"authentication_results":{"$ref":"#/components/schemas/Mdm_serviceAuthResults"},"fields":{"description":"List of all raw header fields contained within this hop","items":{"$ref":"#/components/schemas/Mdm_serviceHopField"},"type":"array"},"index":{"description":"Index indicates the order in which a hop occurred from sender to recipient","format":"int32","type":"integer"},"received":{"$ref":"#/components/schemas/Mdm_serviceReceived"},"received_spf":{"$ref":"#/components/schemas/Mdm_serviceSPF"},"signature":{"$ref":"#/components/schemas/Mdm_serviceSignature"}},"required":["fields","index"],"type":"object"},"Mdm_serviceHopField":{"properties":{"name":{"description":"The name of the field","type":"string"},"position":{"description":"This field's position along the entire list of header fields","format":"int32","type":"integer"},"value":{"description":"The value contained within the field","type":"string"}},"required":["name","position"],"type":"object"},"Mdm_serviceIP":{"description":"X-Originating-IP header, which identifies the originating IP address of the sender client","properties":{"ip":{"description":"The IP in canonical form","type":"string"},"translation":{"$ref":"#/components/schemas/Mdm_serviceIPTranslation"},"version":{"description":"The version of IP (i.e., 4 or 6), null for backward compatibility.","format":"int32","nullable":true,"type":"integer"}},"required":["ip"],"type":"object"},"Mdm_serviceIPTranslation":{"properties":{"original":{"description":"The IP in its original format if it is an IPv4-mapped-IPv6 source address","nullable":true,"type":"string"},"v4_to_v6":{"description":"Whether 'Original' is IPv4-mapped-IPv6","type":"boolean"}},"type":"object"},"Mdm_serviceLink":{"properties":{"display_text":{"description":"The text of a hyperlink, if it's not a URL","type":"string"},"display_url":{"$ref":"#/components/schemas/Mdm_serviceURL"},"href_url":{"$ref":"#/components/schemas/Mdm_serviceURL"},"mismatched":{"description":"Whether the display URL and href URL root domains are mismatched (i.e. .href_url.domain.root_domain != .display_url.domain.root_domain, where both are not null and valid domains)","nullable":true,"type":"boolean"},"parser":{"description":"The parser that was used to derived the link","enum":["plain","hyperlink"],"type":"string"},"visible":{"description":"Whether the link is visible to a human when previewing an email or page","nullable":true,"type":"boolean"}},"type":"object"},"Mdm_serviceMailbox":{"description":"Organizer mailbox with email and display name","properties":{"display_name":{"description":"Display name","type":"string"},"email":{"$ref":"#/components/schemas/Mdm_serviceEmailAddress"}},"required":["email"],"type":"object"},"Mdm_serviceMailboxExtended":{"description":"The mailbox where the message was found","properties":{"display_name":{"description":"Display name","type":"string"},"email":{"$ref":"#/components/schemas/Mdm_serviceEmailAddress"},"first_name":{"description":"First name (given name) of the mailbox owner","type":"string"},"last_name":{"description":"Last name (surname) of the mailbox owner","type":"string"}},"required":["email"],"type":"object"},"Mdm_serviceMessageDataModel":{"description":"Full data model of the message","properties":{"_errors":{"description":"Non-fatal errors while parsing MDM","items":{"additionalProperties":{"type":"string"},"type":"object"},"type":"array"},"_meta":{"$ref":"#/components/schemas/Mdm_serviceMetadata"},"attachments":{"description":"Attachments","items":{"$ref":"#/components/schemas/Mdm_serviceAttachment"},"type":"array"},"body":{"$ref":"#/components/schemas/Mdm_serviceBody"},"external":{"$ref":"#/components/schemas/Mdm_serviceExternal"},"headers":{"$ref":"#/components/schemas/Mdm_serviceHeaders"},"mailbox":{"$ref":"#/components/schemas/Mdm_serviceMailboxExtended"},"recipients":{"$ref":"#/components/schemas/Mdm_serviceRecipients"},"sender":{"$ref":"#/components/schemas/Mdm_serviceSenderMailbox"},"subject":{"$ref":"#/components/schemas/Mdm_serviceSubject"},"type":{"$ref":"#/components/schemas/Mdm_serviceMessageType"}},"required":["_meta","headers","recipients","sender","type"],"type":"object"},"Mdm_serviceMessageType":{"description":"Override on message types, defined from the perspective of your organization","properties":{"inbound":{"description":"Message was sent from someone outside your organization, to *at least one* recipient inside your organization","type":"boolean"},"internal":{"description":"Message was sent from someone inside your organization, to *at least one* recipient inside your organization. Messages *must be authenticated* by either SPF or DKIM to be treated as internal.","type":"boolean"},"outbound":{"description":"Message was sent from someone inside your organization, to *at least one* recipient outside your organization","type":"boolean"}},"type":"object"},"Mdm_serviceMetadata":{"description":"Metadata","properties":{"canonical_id":{"description":"A deterministic ID, generated from metadata such as Attachments, Body, Subject, Sender and is used to group similar messages/campaigns together","type":"string"},"created_at":{"description":"Creation time of the data model","format":"date-time","type":"string"},"effective_at":{"description":"Effective time of the data model, used for evaluation against lists and historical functions such as sender profiles or whois.","format":"date-time","nullable":true,"type":"string"},"id":{"description":"Message ID","format":"uuid","type":"string"}},"required":["canonical_id","created_at"],"type":"object"},"Mdm_servicePlain":{"description":"The body part containing content-type text/plain","properties":{"charset":{"description":"charset of the text/[subtype]","type":"string"},"content_transfer_encoding":{"description":"Content-Transfer-Encoding of the text/[subtype]","type":"string"},"links":{"description":"All links found in the plain part of the body of the message","items":{"$ref":"#/components/schemas/Mdm_serviceLink"},"type":"array"},"raw":{"description":"Decoded raw content of a body text type (text/[subtype] section)","nullable":true,"type":"string"}},"type":"object"},"Mdm_servicePreviousThread":{"properties":{"banners":{"description":"All warning banners found in the body of the message.","items":{"$ref":"#/components/schemas/Mdm_serviceBanner"},"type":"array"},"date":{"description":"Date extracted from thread preamble","format":"date-time","nullable":true,"type":"string"},"index":{"description":"The index of the thread among all threads, sorted from most recent to oldest","format":"int32","type":"integer"},"links":{"description":"All links found in the given thread, unique by the target and display text/url.","items":{"$ref":"#/components/schemas/Mdm_serviceLink"},"type":"array"},"preamble":{"description":"The preamble text from the thread, typically the headers of a reply or forward. Things like From, Sent, Subject, saved as one big multiline string. This doesn't include banners.","type":"string"},"recipients":{"$ref":"#/components/schemas/Mdm_serviceThreadRecipients"},"sender":{"$ref":"#/components/schemas/Mdm_serviceMailbox"},"subject":{"$ref":"#/components/schemas/Mdm_serviceSubject"},"text":{"description":"The text content from the latest reply/forward in a message thread. This typically excludes content from forwarded messages and warning banners.","type":"string"}},"type":"object"},"Mdm_serviceReceived":{"description":"Details of the Received field","properties":{"additional":{"$ref":"#/components/schemas/Mdm_serviceReceivedAdditional"},"id":{"$ref":"#/components/schemas/Mdm_serviceReceivedID"},"link":{"$ref":"#/components/schemas/Mdm_serviceReceivedVia"},"mailbox":{"$ref":"#/components/schemas/Mdm_serviceReceivedFor"},"protocol":{"$ref":"#/components/schemas/Mdm_serviceReceivedWith"},"server":{"$ref":"#/components/schemas/Mdm_serviceReceivedBy"},"source":{"$ref":"#/components/schemas/Mdm_serviceReceivedFrom"},"time":{"description":"Time parsed from the Received header","format":"date-time","nullable":true,"type":"string"},"zone_offset":{"description":"Timezone offset parsed from the Received header","nullable":true,"type":"string"}},"type":"object"},"Mdm_serviceReceivedAdditional":{"description":"The remaining additional clauses of the Received header","properties":{"raw":{"description":"The raw string for remaining additional clauses, such as transport information","type":"string"}},"type":"object"},"Mdm_serviceReceivedBy":{"description":"The 'by' section of the Received header, denoting the current server","properties":{"raw":{"description":"The raw string of 'by' section","type":"string"}},"type":"object"},"Mdm_serviceReceivedFor":{"description":"The 'for' section of the Received header, denoting the destination mailbox","properties":{"raw":{"description":"The raw string of 'for' section","type":"string"}},"type":"object"},"Mdm_serviceReceivedFrom":{"description":"The 'from' section of the Received header, relating to a server in a prior hop","properties":{"raw":{"description":"The raw string of 'from' section","type":"string"}},"type":"object"},"Mdm_serviceReceivedID":{"description":"The 'id' section of the Received header","properties":{"raw":{"description":"The raw string of 'id' section","type":"string"}},"type":"object"},"Mdm_serviceReceivedVia":{"description":"The 'via' section of the Received header, denoting transport","properties":{"raw":{"description":"The raw string of 'via' section","type":"string"}},"type":"object"},"Mdm_serviceReceivedWith":{"description":"The 'with' section of the Received header, denoting the protocol used","properties":{"raw":{"description":"The raw string of 'with' section","type":"string"}},"type":"object"},"Mdm_serviceRecipients":{"description":"Recipient objects","properties":{"bcc":{"description":"List of 'bcc' Mailbox objects","items":{"$ref":"#/components/schemas/Mdm_serviceMailbox"},"type":"array"},"cc":{"description":"List of 'cc' Mailbox objects","items":{"$ref":"#/components/schemas/Mdm_serviceMailbox"},"type":"array"},"to":{"description":"List of 'to' Mailbox objects","items":{"$ref":"#/components/schemas/Mdm_serviceMailbox"},"type":"array"}},"type":"object"},"Mdm_serviceRewriteDetails":{"description":"Information about an original URL that was unfurled from rewrite detection","properties":{"encoders":{"description":"List of detected URL rewrite encoders while unraveling the URL","items":{"enum":["adobe","appspot","aws_ses","azurecomm","azure_safelink","barracuda","bing_open_redirect","branch_io","checkpoint","cisco","cloudflare","convertkit","deref_mail","doubleclick","edgepilot","esvalabs","exactag","exclaimer","facebook","fireeye","fortimail","generic_desturl","generic_logout_redirect","go_acoustic","google_amp","google_amp_project","google_adservices","google_meet_redirect","google_notifications","google_open_redirect","google_tag_manager","google_travel_redirect","google_translate_open_redirect","google_user_content","href_li","indeed_open_redirect","inky","instagram","mailgun","mailjet","mandrill","messagegears","microsoft","microsoft_dynamics","microsoft_oauth_redirect","monday_tracker","postmark","ppcprotect","proofpoint","pylonlinks","securence","sophos","sqclick","squarespace","sublime","titanhq","topsec","trend_micro","vtiger","wix","yahoo","youtube_set_sid"],"type":"string"},"type":"array"},"original":{"description":"Original URL without any unraveling URL rewrites","type":"string"}},"required":["original"],"type":"object"},"Mdm_serviceSPF":{"description":"Details of the Sender Policy Framework check. Supported fields include 'Received-SPF' and 'X-Received-SPF'","properties":{"client_ip":{"$ref":"#/components/schemas/Mdm_serviceIP"},"description":{"description":"Verbose description of the SPF verdict","nullable":true,"type":"string"},"designator":{"description":"Email or domain of the designating body","nullable":true,"type":"string"},"helo":{"$ref":"#/components/schemas/Mdm_serviceDomain"},"server":{"$ref":"#/components/schemas/Mdm_serviceDomain"},"verdict":{"description":"Verdict of the SPF","nullable":true,"type":"string"}},"type":"object"},"Mdm_serviceSPFSummary":{"description":"Summary of the SPF check","properties":{"details":{"$ref":"#/components/schemas/Mdm_serviceSPF"},"error":{"description":"Whether the SPF check errored","nullable":true,"type":"boolean"},"pass":{"description":"Whether the SPF check passed","nullable":true,"type":"boolean"},"received_hop":{"description":"The lowest hop at which the SPF check was made","format":"int32","type":"integer"}},"type":"object"},"Mdm_serviceSenderMailbox":{"description":"Sender object","properties":{"decoders":{"description":"Decoders used to parse the email sender info, if any","items":{"enum":["google_groups"],"type":"string"},"type":"array"},"display_name":{"description":"Display name","type":"string"},"email":{"$ref":"#/components/schemas/Mdm_serviceEmailAddress"}},"required":["email"],"type":"object"},"Mdm_serviceSignature":{"description":"Details of a message signature. Supported fields include 'DKIM-Signature', 'DomainKey-Signature', 'X-Google-DKIM-Signature' and 'ARC-Message-Signature'","properties":{"algorithm":{"description":"Signing algorithm","type":"string"},"body_hash":{"description":"Body Hash","type":"string"},"domain":{"description":"Domain identified in the DKIM signature if any. This is the domain that's queried for the public key.","type":"string"},"headers":{"description":"Header fields signed by the algorithm","type":"string"},"instance":{"description":"Instance number of this signature (if ARC)","type":"string"},"selector":{"description":"Selector","type":"string"},"signature":{"description":"Signature of headers and body","type":"string"},"type":{"description":"The type of signature, derived from the field name","type":"string"},"version":{"description":"Version","type":"string"}},"type":"object"},"Mdm_serviceSubject":{"description":"Subject object","properties":{"base":{"description":"Subject of the email with tags and reply/forward indicators removed","type":"string"},"is_forward":{"description":"Indicates if the subject of the email is a forward","nullable":true,"type":"boolean"},"is_reply":{"description":"Indicates if the subject of the email is a reply","nullable":true,"type":"boolean"},"subject":{"description":"Subject of the email","type":"string"},"tags":{"description":"Leading tags extracted from the subject, e.g. [External] or (Warning)","items":{"type":"string"},"type":"array"}},"type":"object"},"Mdm_serviceThread":{"description":"The current text thread of the message","properties":{"banners":{"description":"All warning banners found in the body of the message.","items":{"$ref":"#/components/schemas/Mdm_serviceBanner"},"type":"array"},"links":{"description":"All links found in the given thread, unique by the target and display text/url.","items":{"$ref":"#/components/schemas/Mdm_serviceLink"},"type":"array"},"preamble":{"description":"The preamble text from the thread, typically the headers of a reply or forward. Things like From, Sent, Subject, saved as one big multiline string. This doesn't include banners.","type":"string"},"text":{"description":"The text content from the latest reply/forward in a message thread. This typically excludes content from forwarded messages and warning banners.","type":"string"}},"type":"object"},"Mdm_serviceThreadRecipients":{"description":"Recipients extracted from thread preamble","properties":{"bcc":{"description":"List of 'bcc' Mailbox objects","items":{"$ref":"#/components/schemas/Mdm_serviceMailbox"},"type":"array"},"cc":{"description":"List of 'cc' Mailbox objects","items":{"$ref":"#/components/schemas/Mdm_serviceMailbox"},"type":"array"},"to":{"description":"List of 'to' Mailbox objects","items":{"$ref":"#/components/schemas/Mdm_serviceMailbox"},"type":"array"}},"type":"object"},"Mdm_serviceURL":{"description":"URL details when QR code type is url","properties":{"domain":{"$ref":"#/components/schemas/Mdm_serviceDomain"},"fragment":{"description":"Fragment identifier; the text following the # in the URL (also called the anchor tag)","type":"string"},"ip":{"$ref":"#/components/schemas/Mdm_serviceIP"},"password":{"description":"The password specified before the domain name","type":"string"},"path":{"description":"Everything after the TLD and before the query parameters","type":"string"},"port":{"description":"The port used for the URL. If no explicit port is set, the port will be inferred from the protocol","format":"int32","nullable":true,"type":"integer"},"query_params":{"description":"The full query parameters of the URL","type":"string"},"query_params_decoded":{"additionalProperties":{"items":{"type":"string"},"type":"array"},"description":"The decoded query parameters of the URL","type":"object"},"rewrite":{"$ref":"#/components/schemas/Mdm_serviceRewriteDetails"},"scheme":{"description":"Protocol for the URL request, e.g. http","type":"string"},"url":{"description":"Full URL","type":"string"},"username":{"description":"The username specified before the domain name of the URL","type":"string"}},"required":["url"],"type":"object"},"MlMacroClassifierResult":{"description":"ml.macro_classifier output","properties":{"confidence":{"description":"The likelihood that a macro was correctly identified as a true positive","enum":["low","medium","high"],"type":"string"},"error":{"description":"Errors that occurred while scanning and assessing macros","type":"string"},"malicious":{"description":"Whether macros were detected and flagged as malicious with any degree of confidence","type":"boolean"}},"type":"object"},"MlNLU3TopicResult":{"description":"ml.nlu_classifier output","properties":{"entities":{"description":"Entities identified in the submitted text","items":{"$ref":"#/components/schemas/HydraNLUEntity"},"type":"array"},"error":{"description":"Errors that occurred","type":"string"},"intents":{"description":"Intents of classified text","items":{"$ref":"#/components/schemas/HydraNLUIntent"},"type":"array"},"language":{"description":"Primary language of classified text, or unknown if unknown","enum":["unknown","english","french","german","spanish","chinese","japanese","..."],"type":"string"},"success":{"description":"Whether topic detection ran successfully.","type":"boolean"},"tags":{"description":"Content tags for classified text","items":{"$ref":"#/components/schemas/HydraNLUContent"},"type":"array"},"topics":{"description":"The topics found in the body.","items":{"$ref":"#/components/schemas/HydraTopic"},"type":"array"}},"type":"object"},"MlTopicResult":{"description":"beta.ml_topic output","properties":{"topics":{"description":"The topics found in the body.","items":{"$ref":"#/components/schemas/HydraTopic"},"type":"array"}},"type":"object"},"OletoolsBoolIndicator":{"description":"Whether this file contains an ObjectPool stream","properties":{"exists":{"description":"Whether the indicator exists in the file or not","type":"boolean"},"risk":{"description":"The risk level of the indicator","enum":["high","medium","low","none","info","unknown","error"],"type":"string"}},"type":"object"},"OletoolsIndicators":{"description":"Suspicious indicators that could indicate that a file is suspicious or malicious","properties":{"container_format":{"$ref":"#/components/schemas/OletoolsStringIndicator"},"encryption":{"$ref":"#/components/schemas/OletoolsBoolIndicator"},"external_relationships":{"$ref":"#/components/schemas/OletoolsIntIndicator"},"file_format":{"$ref":"#/components/schemas/OletoolsStringIndicator"},"flash_objects":{"$ref":"#/components/schemas/OletoolsIntIndicator"},"object_pool":{"$ref":"#/components/schemas/OletoolsBoolIndicator"},"vba_macros":{"$ref":"#/components/schemas/OletoolsBoolIndicator"}},"type":"object"},"OletoolsIntIndicator":{"description":"Embedded flash objects (SWF files) detected in OLE streams. There may be false positives","properties":{"count":{"description":"The number of instances of this indicator","format":"int32","type":"integer"},"risk":{"description":"The risk level of the indicator","enum":["high","medium","low","none","info","unknown","error"],"type":"string"}},"type":"object"},"OletoolsMacroKeyword":{"properties":{"description":{"description":"Details on why the keyword is suspicious","type":"string"},"keyword":{"description":"Suspicious keyword","type":"string"},"type":{"description":"The type of keyword identified","enum":["autoexec","suspicious","ioc","hex_string","base64_string","dridex_string"],"type":"string"}},"type":"object"},"OletoolsObjRelationship":{"properties":{"name":{"description":"Relationship name","type":"string"},"target":{"description":"External relationship link","type":"string"},"target_url":{"$ref":"#/components/schemas/Mdm_serviceURL"}},"type":"object"},"OletoolsResult":{"description":"oletools output","properties":{"error":{"description":"Error message when running OLE Tools on the file","type":"string"},"indicators":{"$ref":"#/components/schemas/OletoolsIndicators"},"macros":{"$ref":"#/components/schemas/OletoolsVBAMacros"},"relationships":{"description":"OLE relationships to external objects","items":{"$ref":"#/components/schemas/OletoolsObjRelationship"},"type":"array"}},"type":"object"},"OletoolsStringIndicator":{"description":"Container format, eg 'OLE'","properties":{"risk":{"description":"The risk level of the indicator","enum":["high","medium","low","none","info","unknown","error"],"type":"string"},"value":{"description":"The value of the indicator","type":"string"}},"type":"object"},"OletoolsVBAMacros":{"description":"Macros identified and analyzed","properties":{"keywords":{"description":"Suspicious keywords detected. See 'olevba' for more information","items":{"$ref":"#/components/schemas/OletoolsMacroKeyword"},"type":"array"},"modules":{"description":"VBA macro modules detected","items":{"$ref":"#/components/schemas/OletoolsVBAModule"},"type":"array"},"vba_code_all_modules":{"description":"Source code of all VBA modules","type":"string"}},"type":"object"},"OletoolsVBAModule":{"properties":{"form_string":{"description":"Printable strings from each VBA form","type":"string"},"form_variables":{"description":"VBA form variables","type":"string"},"ole_stream":{"description":"OLE macro stream","type":"string"},"vba_code":{"description":"Source code of the VBA macro","type":"string"},"vba_file_name":{"description":"File name of the VBA macro","type":"string"}},"type":"object"},"Org_dslParseTextResult":{"description":"file.parse_text output","properties":{"text":{"description":"The decoded string, after interpreting the raw bytes with the corresponding encoding.","type":"string"}},"type":"object"},"PatchListInput":{"properties":{"description":{"description":"Description of list","type":"string"}},"required":["description"],"type":"object"},"PatchSCIMUserInput":{"properties":{"Operations":{"items":{"$ref":"#/components/schemas/Handler_typesSCIMPatchOperation"},"minItems":1,"type":"array"},"schemas":{"items":{"type":"string"},"type":"array"}},"required":["Operations","schemas"],"type":"object"},"PostScanInput":{"properties":{"file_contents":{"description":"Base64 encoded raw contents of file","type":"string"},"file_name":{"description":"Name of file, can be anything but must be provided","type":"string"}},"required":["file_contents","file_name"],"type":"object"},"QuarantineMessageCanonicalGroupInput":{"properties":{"classification":{"description":"Classification to apply to the messages being reviewed. Optional.","enum":["malicious","benign","spam","graymail","simulation","unwanted","violation","non-violation"],"type":"string"},"report_label":{"description":"Label to apply to messages being reviewed. Optional.","enum":["spam","phishing","false_positive","false_negative","phishing_simulation","graymail","violation","non-violation"],"type":"string"},"review_comment":{"description":"Comment describing reason for action","nullable":true,"type":"string"}},"type":"object"},"QuarantineMultipleMessageGroupsInput":{"properties":{"classification":{"description":"Classification to apply to the messages being reviewed. Optional.","enum":["malicious","benign","spam","graymail","simulation","unwanted","violation","non-violation"],"type":"string"},"message_group_ids":{"description":"Canonical IDs of the message groups to quarantine","items":{"type":"string"},"minItems":1,"type":"array"},"report_label":{"description":"Label to apply to messages being reviewed. Optional.","enum":["spam","phishing","false_positive","false_negative","phishing_simulation","graymail","violation","non-violation"],"type":"string"},"review_comment":{"description":"Comment describing reason for action","nullable":true,"type":"string"}},"required":["message_group_ids"],"type":"object"},"RestoreMessageCanonicalGroupInput":{"properties":{"classification":{"description":"Classification to apply to the messages being reviewed. Optional.","enum":["malicious","benign","spam","graymail","simulation","unwanted","violation","non-violation"],"type":"string"},"report_label":{"description":"Label to apply to messages being reviewed. Optional.","enum":["spam","phishing","false_positive","false_negative","phishing_simulation","graymail","violation","non-violation"],"type":"string"},"review_comment":{"description":"Comment describing reason for action","nullable":true,"type":"string"}},"type":"object"},"RestoreMultipleMessageGroupsInput":{"properties":{"classification":{"description":"Classification to apply to the messages being reviewed. Optional.","enum":["malicious","benign","spam","graymail","simulation","unwanted","violation","non-violation"],"type":"string"},"message_group_ids":{"description":"Canonical IDs of the message groups to restore","items":{"type":"string"},"minItems":1,"type":"array"},"report_label":{"description":"Label to apply to messages being reviewed. Optional.","enum":["spam","phishing","false_positive","false_negative","phishing_simulation","graymail","violation","non-violation"],"type":"string"},"review_comment":{"description":"Comment describing reason for action","nullable":true,"type":"string"}},"required":["message_group_ids"],"type":"object"},"ReviewMessageGroupsInput":{"properties":{"action":{"description":"Action to take on the message group","enum":["restore","warning_banner","quarantine","trash","move_to_spam","move_to_graymail","delete_calendar_events"],"type":"string"},"classification":{"description":"Classification of the message group","enum":["malicious","benign","spam","graymail","simulation","unwanted","violation","non-violation","skip"],"type":"string"},"custom_action_ids":{"description":"IDs of actions to perform on the message group","items":{"type":"string"},"type":"array"},"message_group_ids":{"description":"Canonical IDs of the message groups to review","items":{"type":"string"},"minItems":1,"type":"array"},"review_comment":{"description":"Comment describing reason for action","nullable":true,"type":"string"},"share_with_sublime":{"description":"Whether to share the message group & review with Sublime","type":"boolean"}},"required":["classification","message_group_ids"],"type":"object"},"SenderprofileBaseSenderProfile":{"description":"profile.by_sender output","properties":{"any_messages_benign":{"description":"A message from this sender was explicitly labeled as a 'Benign'. If the message is later labeled as anything else (a message can only have one label), the count is reversed.","type":"boolean"},"any_messages_malicious_or_spam":{"description":"A message from this sender was either explicitly labeled as spam or malicious. This is triggered by applying any of the labels 'Phish', 'Missed Attack', 'Spam'. If the label is changed to anything else (a message can only have one label), the count is also reversed.","type":"boolean"},"auth_failed":{"description":"Whether this message had any authentication failures","type":"boolean"},"days_known":{"description":"Number of days since the first message was received from the sender. Defaults to 0 for new senders for legacy and compatibility reasons.","format":"double","type":"number"},"prevalence":{"description":"Summary verdict for how prevalent the sender email is against all sender emails","enum":["new","outlier","rare","uncommon","common"],"type":"string"},"solicited":{"description":"Whether outbound messages have been sent to the sender in a prior conversation","type":"boolean"}},"type":"object"},"SetListEntriesInput":{"properties":{"entries":{"description":"List entries","items":{"type":"string"},"type":"array"}},"required":["entries"],"type":"object"},"SetMessageAccessJustificationInput":{"properties":{"justification":{"description":"Justification for accessing this message's contents","type":"string"}},"type":"object"},"ShareWithSublimePublicInput":{"properties":{"destination":{"description":"Consent-scoped destination on Themis. Empty for the default shared-samples flow.","type":"string"},"report_label":{"description":"User reported label that categorizes the report","enum":["spam","phishing","false_positive","violation","non-violation"],"type":"string"},"review_comment":{"description":"Comment describing reason for the report","type":"string"}},"type":"object"},"StartHuntJobInput":{"properties":{"name":{"description":"Name of the hunt job.","nullable":true,"type":"string"},"private":{"description":"Restrict hunt job visibility to admins only.","type":"boolean"},"range_end_time":{"description":"Exclusive end datetime of the hunt job, in UTC using the ISO 8601 format (e.g., '2021-03-14T15:09:26Z').","format":"date-time","type":"string"},"range_start_time":{"description":"Inclusive start datetime of the hunt job, in UTC using the ISO 8601 format (e.g., '2021-03-14T15:09:26Z').","format":"date-time","type":"string"},"source":{"description":"MQL source of the hunt job.","type":"string"},"triage_email_bomb":{"description":"Pre-filters to only include messages that are contained in an email bomb. Combined with triage_reported, triage_flagged, and triage_dlp_rule_matched with a logical OR.","type":"boolean"},"triage_flagged":{"description":"Pre-filters to only includes flagged messages. Combined with triage_reported, triage_email_bomb, and triage_dlp_rule_matched with a logical OR.","type":"boolean"},"triage_reported":{"description":"Pre-filters to only includes user-reported messages. Combined with triage_flagged, triage_email_bomb, and triage_dlp_rule_matched with a logical OR.","type":"boolean"}},"required":["range_end_time","range_start_time","source"],"type":"object"},"StrelkaBZip2":{"description":"Unpacks bzip2 files. Reports size","properties":{"size":{"description":"Size of uncompressed file within.","format":"int32","nullable":true,"type":"integer"}},"type":"object"},"StrelkaDocX":{"description":"Extracts details for a document, and explodes the text for further scanning.","properties":{"author":{"nullable":true,"type":"string"},"category":{"nullable":true,"type":"string"},"comments":{"nullable":true,"type":"string"},"created":{"format":"date-time","nullable":true,"type":"string"},"font_colors":{"description":"all non black (#000000) detected font colors. represented as web colors (hex) without '#' prefix.","items":{"type":"string"},"type":"array"},"image_count":{"format":"int32","nullable":true,"type":"integer"},"keywords":{"nullable":true,"type":"string"},"last_printed":{"format":"date-time","nullable":true,"type":"string"},"modified":{"format":"date-time","nullable":true,"type":"string"},"revision":{"format":"int32","nullable":true,"type":"integer"},"subject":{"nullable":true,"type":"string"},"title":{"nullable":true,"type":"string"},"word_count":{"format":"int32","nullable":true,"type":"integer"}},"type":"object"},"StrelkaEmbeddedHTMLScript":{"properties":{"language":{"description":"Language of script, e.g. 'javascript'","nullable":true,"type":"string"},"scripts":{"nullable":true,"type":"string"},"type":{"nullable":true,"type":"string"}},"type":"object"},"StrelkaEncryptedDoc":{"description":"Unpacks encrypted doc files by trying to break the password. Does not report totals","properties":{"cracked_password":{"description":"If the doc was successfully opened, this is the password for the doc.","nullable":true,"type":"string"}},"type":"object"},"StrelkaEncryptedZip":{"description":"Unpacks encrypted ZIP files by trying to break the password. Reports total files even if the zip could not be cracked.","properties":{"cracked_password":{"description":"If the ZIP was successfully opened, this is the password for the zip.","nullable":true,"type":"string"},"total_extracted":{"format":"int32","nullable":true,"type":"integer"},"total_files":{"format":"int32","nullable":true,"type":"integer"}},"type":"object"},"StrelkaEntropy":{"description":"Shannon entropy of file","properties":{"entropy":{"description":"Shannon entropy (log base 2). A higher number means higher entropy.","format":"double","nullable":true,"type":"number"}},"type":"object"},"StrelkaExifTool":{"description":"Responses from the popular ExifTools application","properties":{"command_line_arguments":{"type":"string"},"create_date":{"format":"date-time","nullable":true,"type":"string"},"creator":{"type":"string"},"exif_tool_version":{"format":"double","type":"number"},"fields":{"items":{"$ref":"#/components/schemas/StrelkaKeyVal"},"type":"array"},"file_permissions":{"type":"string"},"file_type":{"type":"string"},"file_type_extension":{"type":"string"},"flags":{"items":{"type":"string"},"type":"array"},"hot_key":{"type":"string"},"image_height":{"description":"In pixels","format":"int32","type":"integer"},"image_width":{"description":"In pixels","format":"int32","type":"integer"},"linearized":{"type":"string"},"local_base_path":{"type":"string"},"modify_date":{"format":"date-time","nullable":true,"type":"string"},"page_count":{"format":"int32","type":"integer"},"pdf_version":{"type":"string"},"producer":{"type":"string"},"relative_path":{"type":"string"},"run_window":{"type":"string"},"source_file":{"type":"string"},"target_file_dos_name":{"type":"string"},"title":{"type":"string"},"zip_bit_flag":{"format":"int32","type":"integer"},"zip_compressed_size":{"format":"int32","type":"integer"},"zip_file_name":{"type":"string"},"zip_modify_date":{"format":"date-time","nullable":true,"type":"string"},"zip_uncompressed_size":{"format":"int32","type":"integer"}},"type":"object"},"StrelkaFlavors":{"description":"matched yara and mime for file type identification","properties":{"external":{"description":"Flavors marked by scanners exploding a file","items":{"type":"string"},"type":"array"},"mime":{"description":"Detected MIME type using the libmagic unix utility.","type":"string"},"yara":{"description":"Matched YARA rules, for current definitions see [here](https://github.com/sublime-security/strelka/blob/main/build/configs/taste.yara)","items":{"enum":["_7zip_file","arj_file","browser_manifest","cab_file","cpio_file","encrypted_zip","encrypted_word_document","iso_file","mhtml_file","rar_file","tar_file","xar_file","zip_file","mp3_file","pkcs7_file","x509_der_file","x509_pem_file","bzip2_file","gzip_file","lzma_file","xz_file","zlib_file","doc_subheader_file","mso_file","olecf_file","ooxml_file","pdf_file","poi_hpbf_file","rtf_file","vbframe_file","wordml_file","xfdf_file","email_file","tnef_file","base64_pe","pgp_file","elf_file","lnk_file","macho_file","mz_file","bmp_file","cmap_file","gif_file","jpeg_file","postscript_file","png_file","psd_file","psd_image_file","svg_file","xicc_file","xmp_file","jar_manifest_file","bplist_file","fws_file","cws_file","zws_file","debian_package_file","rpm_file","upx_file","batch_file","javascript_file","vb_file","hta_file","html_file","ini_file","json_file","php_file","plist_file","soap_file","xml_file","avi_file","wmv_file"],"type":"string"},"type":"array"}},"type":"object"},"StrelkaGZip":{"description":"Unpacks gzip. Reports the size","properties":{"size":{"description":"Size of uncompressed file within.","format":"int32","nullable":true,"type":"integer"}},"type":"object"},"StrelkaHTML":{"description":"Scripts and basic details from HTML files. Explodes scripts for further scanning.","properties":{"hyperlinks":{"items":{"type":"string"},"type":"array"},"scripts":{"description":"All unique identifiers present in JS. unescape and write may be considered suspicious; a variable name is also an identifier.","items":{"$ref":"#/components/schemas/StrelkaEmbeddedHTMLScript"},"type":"array"},"spans":{"description":"HTML Span Tags","items":{"$ref":"#/components/schemas/StrelkaHTMLSpan"},"type":"array"},"title":{"type":"string"},"total_extracted":{"format":"int32","nullable":true,"type":"integer"}},"type":"object"},"StrelkaHTMLSpan":{"properties":{"style":{"type":"string"}},"type":"object"},"StrelkaHash":{"description":"Multiple hash algorithms","properties":{"md5":{"type":"string"},"sha1":{"type":"string"},"sha256":{"type":"string"},"ssdeep":{"type":"string"}},"type":"object"},"StrelkaICS":{"description":"Parses iCalendar files and extracts events, attachments, and metadata","properties":{"calendars":{"description":"Parsed calendar objects","items":{"$ref":"#/components/schemas/StrelkaICSCalendar"},"type":"array"},"flags":{"description":"Warning/error flags from parsing","items":{"type":"string"},"type":"array"},"parse_error":{"description":"Error message if parsing failed","nullable":true,"type":"string"},"total":{"$ref":"#/components/schemas/StrelkaICSTotal"},"total_extracted":{"format":"int32","nullable":true,"type":"integer"},"total_files":{"format":"int32","nullable":true,"type":"integer"}},"type":"object"},"StrelkaICSAttachment":{"properties":{"decode_error":{"description":"Extraction error message","type":"string"},"extracted":{"description":"Whether file was extracted","type":"boolean"},"filename":{"description":"Original filename","type":"string"},"mime_type":{"description":"MIME type","type":"string"},"size":{"description":"File size in bytes","type":"string"},"type":{"description":"Attachment type","enum":["binary","base64_binary","uri","other"],"type":"string"},"uri":{"description":"URI for external references","type":"string"}},"type":"object"},"StrelkaICSAttendee":{"properties":{"mailbox":{"$ref":"#/components/schemas/Mdm_serviceMailbox"},"partstat":{"description":"Participation status","type":"string"},"role":{"description":"Attendee role","type":"string"},"rsvp":{"description":"RSVP requested","type":"boolean"}},"type":"object"},"StrelkaICSCalendar":{"properties":{"calscale":{"description":"Calendar scale","type":"string"},"components":{"description":"Calendar components","items":{"$ref":"#/components/schemas/StrelkaICSComponent"},"type":"array"},"method":{"description":"Calendar method","type":"string"},"prodid":{"description":"Product identifier","type":"string"},"version":{"description":"iCalendar version","type":"string"}},"type":"object"},"StrelkaICSComponent":{"properties":{"attachments":{"description":"File attachments","items":{"$ref":"#/components/schemas/StrelkaICSAttachment"},"type":"array"},"attendees":{"description":"Event attendees","items":{"$ref":"#/components/schemas/StrelkaICSAttendee"},"type":"array"},"class":{"description":"Classification","type":"string"},"created":{"description":"Creation date/time","type":"string"},"description":{"description":"Detailed description","type":"string"},"dtend":{"description":"End date/time","type":"string"},"dtstamp":{"description":"Creation timestamp","type":"string"},"dtstart":{"description":"Start date/time","type":"string"},"duration":{"description":"Duration in human-readable format","type":"string"},"last_modified":{"description":"Last modification date/time","type":"string"},"location":{"description":"Event location","type":"string"},"organizers":{"description":"Event organizers","items":{"$ref":"#/components/schemas/StrelkaICSOrganizer"},"type":"array"},"priority":{"description":"Priority level (0-9)","type":"string"},"sequence":{"description":"Revision sequence","type":"string"},"status":{"description":"Event status","type":"string"},"summary":{"description":"Brief description","type":"string"},"transp":{"description":"Transparency","type":"string"},"type":{"description":"Component type","enum":["VEVENT","VTODO","VJOURNAL","VTIMEZONE","VALARM"],"type":"string"},"uid":{"description":"Unique identifier","type":"string"},"urls":{"description":"Referenced URLs","items":{"$ref":"#/components/schemas/Mdm_serviceURL"},"type":"array"}},"type":"object"},"StrelkaICSOrganizer":{"properties":{"mailbox":{"$ref":"#/components/schemas/Mdm_serviceMailbox"}},"type":"object"},"StrelkaICSTotal":{"description":"Summary counts for calendar components","properties":{"alarms":{"description":"Total VALARM components","format":"int32","type":"integer"},"attachments":{"description":"Total ATTACH properties","format":"int32","type":"integer"},"attendees":{"description":"Total attendees across all components","format":"int32","type":"integer"},"components":{"description":"Total calendar components","format":"int32","type":"integer"},"events":{"description":"Total VEVENT components","format":"int32","type":"integer"},"extracted_files":{"description":"Successfully extracted files","format":"int32","type":"integer"},"journals":{"description":"Total VJOURNAL components","format":"int32","type":"integer"},"organizers":{"description":"Total organizers across all components","format":"int32","type":"integer"},"timezones":{"description":"Total VTIMEZONE components","format":"int32","type":"integer"},"todos":{"description":"Total VTODO components","format":"int32","type":"integer"},"urls":{"description":"Total URL properties","format":"int32","type":"integer"}},"type":"object"},"StrelkaJavascript":{"description":"Contains details about the types of elements found in a JS script. Very simple scripts might signal obfuscation.","properties":{"identifiers":{"description":"All unique identifiers present in JS. unescape and write may be considered suspicious; a variable name is also an identifier.","items":{"type":"string"},"type":"array"},"keywords":{"description":"All unique keywords present in JS, e.g. 'if'.","items":{"type":"string"},"type":"array"},"regular_expressions":{"description":"All unique regular expressions present JS.","items":{"type":"string"},"type":"array"},"strings":{"description":"All unique strings present in JS.","items":{"type":"string"},"type":"array"},"tokens":{"description":"All unique tokens/types present in JS. The other values in this type would be present in this list if they occur at all. E.g. a simple script may contain just Identifier & Punctuator (punctuator is not included any further)","items":{"type":"string"},"type":"array"}},"type":"object"},"StrelkaJpegGif":{"description":"Extracts contents past the GIF trailer for further processing. Empty if there's no data based trailer.","properties":{"trailer_index":{"format":"int32","type":"integer"}},"type":"object"},"StrelkaKeyVal":{"properties":{"key":{"type":"string"},"value":{"type":"string"}},"type":"object"},"StrelkaLNK":{"description":"Extracted details from LNK files. See ExifTools too.","properties":{"MAC":{"type":"string"},"command_line_arguments":{"type":"string"},"drive_serial_number":{"type":"string"},"drive_type":{"type":"string"},"local_base_path":{"type":"string"},"machine_id":{"type":"string"},"relative_path":{"type":"string"},"volume_label":{"type":"string"},"working_dir":{"type":"string"}},"type":"object"},"StrelkaLibArchive":{"description":"Unpacks archives supported by libarchive (including ISO files). Reports totals","properties":{"total_extracted":{"format":"int32","nullable":true,"type":"integer"},"total_files":{"format":"int32","nullable":true,"type":"integer"}},"type":"object"},"StrelkaMachO":{"description":"Unpacks and inspects Mach Objects (executables, libraries, etc)","properties":{"commands":{"description":"All commands within","items":{"type":"string"},"type":"array"},"has_code_signature":{"type":"boolean"},"header":{"properties":{"cpu":{"description":"Details about the CPU/arch the binary is intended for","properties":{"primary":{"description":"Primary type, e.g. x86_64","type":"string"},"sub":{"description":"Human description (may include ',', 'and', etc)","type":"string"}},"type":"object"},"file":{"description":"Typo of Macho","enum":["BUNDLE","CORE","DSYM","DYLIB","DYLIB_STUB","DYLINKER","EXECUTE","FVMLIB","KEXT_BUNDLE","OBJECT","PRELOAD"],"type":"string"},"flags":{"description":"Flag List from header","items":{"type":"string"},"type":"array"}},"type":"object"},"load_dylinker_name":{"description":"Dylinker command name used","type":"string"},"nx":{"description":"Binary has NX (non-executable stack) protection","type":"boolean"},"pie":{"description":"Binary is position independent","type":"boolean"},"source_version":{"description":"5 part source version","type":"string"},"symbols":{"description":"Details about symbols within binary","properties":{"imported":{"description":"Imported symbols","items":{"type":"string"},"type":"array"},"libraries":{"description":"Imported libraries","items":{"type":"string"},"type":"array"}},"type":"object"},"total_binaries":{"description":"Number of binaries registered","format":"int32","type":"integer"},"total_commands":{"description":"Number of load commands","format":"int32","type":"integer"},"total_libraries":{"description":"Number of libraries/Dylib commands","format":"int32","type":"integer"},"total_relocations":{"description":"Number of relocations","format":"int32","type":"integer"},"total_sections":{"description":"Number of sections","format":"int32","type":"integer"},"total_segments":{"description":"Number of segments","format":"int32","type":"integer"},"total_symbols":{"description":"Number of symbols","format":"int32","type":"integer"}},"type":"object"},"StrelkaOCR":{"description":"Attempts to find text in images and explodes the text for further scanning.","properties":{"raw":{"description":"Full text returned from OCR, including whitespace","type":"string"},"text":{"description":"Array of words found by OCR","items":{"type":"string"},"type":"array"}},"type":"object"},"StrelkaOle":{"description":"Unpacks valid OLE files. Reports total files.","properties":{"total_extracted":{"format":"int32","nullable":true,"type":"integer"}},"type":"object"},"StrelkaPDF":{"description":"Unpacks a PDF for further processing. Reports total files.","properties":{"invalid_urls":{"description":"URLs which could not be parsed","items":{"type":"string"},"type":"array"},"total_extracted":{"format":"int32","nullable":true,"type":"integer"},"urls":{"description":"Detected URLs","items":{"$ref":"#/components/schemas/Mdm_serviceURL"},"type":"array"}},"type":"object"},"StrelkaPDFObjHash":{"description":"Generates PDF Object Hash of the given PDF file","properties":{"hash_string":{"description":"Hash string used to generate the object hash for the PDF","type":"string"},"object_hash":{"description":"Object hash of the PDF. This is the hash of the object types present in the document.","type":"string"}},"type":"object"},"StrelkaPPTX":{"description":"Extracts details for a powerpoint (pptx) document, and explodes the text for further scanning.","properties":{"author":{"nullable":true,"type":"string"},"category":{"nullable":true,"type":"string"},"comments":{"nullable":true,"type":"string"},"created":{"format":"date-time","nullable":true,"type":"string"},"image_count":{"format":"int32","nullable":true,"type":"integer"},"invalid_urls":{"description":"URLs which could not be parsed","items":{"type":"string"},"type":"array"},"keywords":{"nullable":true,"type":"string"},"last_modified_by":{"nullable":true,"type":"string"},"last_printed":{"format":"date-time","nullable":true,"type":"string"},"modified":{"format":"date-time","nullable":true,"type":"string"},"revision":{"format":"int32","nullable":true,"type":"integer"},"slide_count":{"format":"int32","nullable":true,"type":"integer"},"subject":{"nullable":true,"type":"string"},"title":{"nullable":true,"type":"string"},"urls":{"description":"Detected URLs","items":{"$ref":"#/components/schemas/Mdm_serviceURL"},"type":"array"},"word_count":{"format":"int32","nullable":true,"type":"integer"}},"type":"object"},"StrelkaQR":{"description":"Checks for QR codes and evaluates them","properties":{"data":{"description":"Raw UTF8 Data","nullable":true,"type":"string"},"type":{"description":"Type of content, if known","enum":["email","mobile","app","geo","wifi","url","undefined"],"type":"string"},"url":{"$ref":"#/components/schemas/Mdm_serviceURL"}},"type":"object"},"StrelkaRTF":{"description":"Unpacks RTF files. Reports totals","properties":{"total_extracted":{"format":"int32","nullable":true,"type":"integer"}},"type":"object"},"StrelkaRar":{"description":"Unpacks rar files. Reports totals","properties":{"host_os":{"nullable":true,"type":"string"},"total_extracted":{"format":"int32","nullable":true,"type":"integer"},"total_files":{"format":"int32","nullable":true,"type":"integer"}},"type":"object"},"StrelkaResponse":{"properties":{"depth":{"description":"depth in explosion, starts at 0","format":"int32","type":"integer"},"file_extension":{"description":"file extension if known. Using YARA and MIME rules (see .flavors) may provide more accurate detections.","type":"string"},"file_name":{"description":"name of the file, or a placeholder. For files exploded from an archive this will be the actual name, but for extracted text, octet stream etc, it will be assigned by the parent to something arbitrary.","type":"string"},"flavors":{"$ref":"#/components/schemas/StrelkaFlavors"},"node_id":{"description":"ID representing this file in the tree","type":"string"},"parent_node_id":{"description":"ID of parent, or not present for the root","type":"string"},"scan":{"$ref":"#/components/schemas/StrelkaScan"},"size":{"description":"file size in bytes","format":"int32","type":"integer"},"source":{"description":"Scanner which 'exploded' this file","type":"string"}},"type":"object"},"StrelkaScan":{"description":"Contains results of all available bin explode scanners. Some scanners explode embedded binaries more than offer scan/analysis. Some of these have total_extracted & total_unextracted (the count of any files remaining after limits are hit). Some exploding scanners have limited analyses, besides the insight into the count of embedded files (see ZIP). RawOCR is an example which explodes, but does not report totals & explodes content which isn't truly an embedded file.","properties":{"bzip2":{"$ref":"#/components/schemas/StrelkaBZip2"},"docx":{"$ref":"#/components/schemas/StrelkaDocX"},"encrypted_doc":{"$ref":"#/components/schemas/StrelkaEncryptedDoc"},"encrypted_zip":{"$ref":"#/components/schemas/StrelkaEncryptedZip"},"entropy":{"$ref":"#/components/schemas/StrelkaEntropy"},"exiftool":{"$ref":"#/components/schemas/StrelkaExifTool"},"gif":{"$ref":"#/components/schemas/StrelkaJpegGif"},"gzip":{"$ref":"#/components/schemas/StrelkaGZip"},"hash":{"$ref":"#/components/schemas/StrelkaHash"},"html":{"$ref":"#/components/schemas/StrelkaHTML"},"ics":{"$ref":"#/components/schemas/StrelkaICS"},"javascript":{"$ref":"#/components/schemas/StrelkaJavascript"},"jpeg":{"$ref":"#/components/schemas/StrelkaJpegGif"},"libarchive":{"$ref":"#/components/schemas/StrelkaLibArchive"},"lnk":{"$ref":"#/components/schemas/StrelkaLNK"},"macho":{"$ref":"#/components/schemas/StrelkaMachO"},"ocr":{"$ref":"#/components/schemas/StrelkaOCR"},"ole":{"$ref":"#/components/schemas/StrelkaOle"},"pdf":{"$ref":"#/components/schemas/StrelkaPDF"},"pdf_obj_hash":{"$ref":"#/components/schemas/StrelkaPDFObjHash"},"pptx":{"$ref":"#/components/schemas/StrelkaPPTX"},"qr":{"$ref":"#/components/schemas/StrelkaQR"},"rar":{"$ref":"#/components/schemas/StrelkaRar"},"rtf":{"$ref":"#/components/schemas/StrelkaRTF"},"strings":{"$ref":"#/components/schemas/StrelkaStrings"},"tar":{"$ref":"#/components/schemas/StrelkaTar"},"url":{"$ref":"#/components/schemas/StrelkaURL"},"vba":{"$ref":"#/components/schemas/StrelkaVBA"},"xml":{"$ref":"#/components/schemas/StrelkaXML"},"yara":{"$ref":"#/components/schemas/StrelkaYARA"},"zip":{"$ref":"#/components/schemas/StrelkaZip"},"zlib":{"$ref":"#/components/schemas/StrelkaZLib"}},"type":"object"},"StrelkaStrings":{"description":"Simply finds and extracts any strings from.","properties":{"raw":{"description":"If the entire input is a string, mirror the input as a single string.","type":"string"},"strings":{"description":"All detected strings.","items":{"type":"string"},"type":"array"}},"type":"object"},"StrelkaTar":{"description":"Unpacks tar files. Reports totals","properties":{"total_extracted":{"format":"int32","nullable":true,"type":"integer"},"total_files":{"format":"int32","nullable":true,"type":"integer"}},"type":"object"},"StrelkaURL":{"description":"Detects URLs from text (generally text unpacked by other scanners).","properties":{"invalid_urls":{"description":"URLs which could not be parsed","items":{"type":"string"},"type":"array"},"urls":{"description":"Detected URLs.","items":{"$ref":"#/components/schemas/Mdm_serviceURL"},"type":"array"}},"type":"object"},"StrelkaVBA":{"description":"Examines VBA macros in Ole files, and unpacks macro code for further analysis.","properties":{"auto_exec":{"description":"All keywords associated with auto exec macros","items":{"type":"string"},"type":"array"},"base64":{"description":"Decoded base64 strings","items":{"type":"string"},"type":"array"},"dridex":{"description":"Decoded dridex strings","items":{"type":"string"},"type":"array"},"hex":{"description":"Decoded hex strings","items":{"type":"string"},"type":"array"},"ioc":{"description":"String values of indicators, such as 'cmd.exe'","items":{"type":"string"},"type":"array"},"suspicious":{"description":"Reported descriptions of suspicious behavior, e.g. 'Run' or 'Hex Strings'","items":{"type":"string"},"type":"array"},"total_extracted":{"format":"int32","nullable":true,"type":"integer"},"total_files":{"format":"int32","nullable":true,"type":"integer"},"vba_obfuscated":{"description":"Decoded vba obfuscated strings","items":{"type":"string"},"type":"array"}},"type":"object"},"StrelkaXML":{"description":"Finds namespaces and other details from XML","properties":{"doc_type":{"description":"DOCTYPE declaration from file","type":"string"},"namespaces":{"items":{"type":"string"},"type":"array"},"tags":{"items":{"type":"string"},"type":"array"},"total_extracted":{"format":"int32","nullable":true,"type":"integer"},"version":{"description":"XML version as declared by the document","nullable":true,"type":"string"}},"type":"object"},"StrelkaYARA":{"description":"Reports YARA results from custom installed YARA rules.","properties":{"flags":{"items":{"type":"string"},"type":"array"},"matches":{"items":{"$ref":"#/components/schemas/StrelkaYARAMatch"},"type":"array"}},"type":"object"},"StrelkaYARAMatch":{"properties":{"meta":{"additionalProperties":{"type":"string"},"type":"object"},"name":{"type":"string"}},"type":"object"},"StrelkaZLib":{"description":"Unpacks zlib files. Reports size","properties":{"size":{"description":"Size of uncompressed file within.","format":"int32","nullable":true,"type":"integer"}},"type":"object"},"StrelkaZip":{"description":"Unpacks ZIP files. Reports total files.","properties":{"all_paths":{"description":"All member paths included in the zip (files and folders)","items":{"type":"string"},"type":"array"},"attempted_files":{"description":"File names, including path, which the scanner attempted to open (cuts off at a limit)","items":{"type":"string"},"type":"array"},"encrypted":{"description":"True if known to be encrypted. scan.encrypted_zip can contain details if password is bypassed.","type":"boolean"},"total_extracted":{"format":"int32","nullable":true,"type":"integer"},"total_files":{"format":"int32","nullable":true,"type":"integer"}},"type":"object"},"TrashMessageCanonicalGroupInput":{"properties":{"classification":{"description":"Classification to apply to the messages being reviewed. Optional.","enum":["malicious","benign","spam","graymail","simulation","unwanted","violation","non-violation"],"type":"string"},"report_label":{"description":"Label to apply to messages being reviewed. Optional.","enum":["spam","phishing","false_positive","false_negative","phishing_simulation","graymail","violation","non-violation"],"type":"string"},"review_comment":{"description":"Comment describing reason for action","nullable":true,"type":"string"}},"type":"object"},"TrashMultipleMessageGroupsInput":{"properties":{"classification":{"description":"Classification to apply to the messages being reviewed. Optional.","enum":["malicious","benign","spam","graymail","simulation","unwanted","violation","non-violation"],"type":"string"},"message_group_ids":{"description":"Canonical IDs of the message groups to trash","items":{"type":"string"},"minItems":1,"type":"array"},"report_label":{"description":"Label to apply to messages being reviewed. Optional.","enum":["spam","phishing","false_positive","false_negative","phishing_simulation","graymail","violation","non-violation"],"type":"string"},"review_comment":{"description":"Comment describing reason for action","nullable":true,"type":"string"}},"required":["message_group_ids"],"type":"object"},"TruncatedBoundedValues_handler_types.MessageGroupActivityEvent":{"description":"Link clicks observed on messages in the group, newest first; for full history use GET /v1/messages/groups/{id}/activity?type=click","properties":{"total":{"format":"int32","type":"integer"},"truncated":{"type":"boolean"},"values":{"items":{"$ref":"#/components/schemas/Handler_typesMessageGroupActivityEvent"},"type":"array"}},"type":"object"},"TruncatedBoundedValues_string":{"description":"The first recipient email addresses of the message involved in the event (received events only), may truncate with as few as 1 recipient","properties":{"total":{"format":"int32","type":"integer"},"truncated":{"type":"boolean"},"values":{"items":{"type":"string"},"type":"array"}},"type":"object"},"TypesAPIRequest":{"description":"API request data, if originated from an API request","properties":{"api_key_name":{"description":"Name of API key if an API key was used","nullable":true,"type":"string"},"authentication_method":{"description":"Description of how request was authenticated","nullable":true,"type":"string"},"body":{"description":"Request body","type":"string"},"id":{"description":"API request ID","format":"uuid","type":"string"},"ip":{"description":"IP address of requester, if available","nullable":true,"type":"string"},"method":{"description":"HTTP method","type":"string"},"path":{"description":"URL path","type":"string"},"query":{"additionalProperties":{"type":"string"},"description":"Query parameters","type":"object"},"user_agent":{"description":"User agent of requester, if available","type":"string"}},"required":["id","method","path"],"type":"object"},"TypesAPIRule":{"description":"Rule base","properties":{"action_ids":{"description":"IDs of actions to run when the rule is triggered","items":{"type":"string"},"type":"array"},"active":{"description":"Indicates whether or not the rule is active and will flag matching messages","type":"boolean"},"attack_types":{"description":"Rule attack types","items":{"type":"string"},"type":"array"},"authors":{"description":"Rule authors","items":{"$ref":"#/components/schemas/TypesRuleAuthor"},"type":"array"},"auto_review_auto_share":{"description":"Whether auto-reviewed messages will be shared","type":"boolean"},"auto_review_classification":{"description":"The classification auto-reviewed messages will have, when an auto-review action is associated with the rule","enum":["malicious","benign","spam","graymail","simulation","unwanted","violation","non-violation"],"type":"string"},"created_at":{"description":"Rule creation time","format":"date-time","type":"string"},"description":{"description":"Description of rule","type":"string"},"detection_methods":{"description":"Rule detection technologies","items":{"type":"string"},"type":"array"},"false_positives":{"description":"Descriptions of known false positives that could occur","items":{"type":"string"},"type":"array"},"id":{"description":"Rule ID","format":"uuid","type":"string"},"label":{"description":"Rule label","type":"string"},"last_activated_at":{"description":"When the rule was last activated","format":"date-time","type":"string"},"maturity":{"description":"Rule maturity","type":"string"},"name":{"description":"Rule name","type":"string"},"passive":{"description":"Indicates whether or not the rule is in passive mode","type":"boolean"},"references":{"description":"URLs of reference resources for this rule","items":{"type":"string"},"type":"array"},"run_triage_on_excluded_messages":{"description":"For Triage rules only, whether this rule will run even if the message matched a global exclusion.","type":"boolean"},"severity":{"description":"Rule severity","enum":["informational","low","medium","high","critical"],"type":"string"},"source":{"description":"Rule MQL (Message Query Language) source","type":"string"},"tactics_and_techniques":{"description":"Rule tactics and techniques","items":{"type":"string"},"type":"array"},"tags":{"description":"Freeform tags for this rule (for example, \"Executive Impersonation\")","items":{"type":"string"},"type":"array"},"triage_abuse_reports":{"description":"For Triage rules only, whether this rule will run for reported messages. For triage rules, one triage_ field must be true.","type":"boolean"},"triage_classification_changes":{"description":"For Triage rules only, whether this rule will run for messages whose classification has just changed. For triage rules, one triage_ field must be true.","type":"boolean"},"triage_dlp_rule_matched":{"description":"For Triage rules only, whether this rule will run for messages that matched a DLP rule. For triage rules, one triage_ field must be true.","type":"boolean"},"triage_flagged_messages":{"description":"For Triage rules only, whether this rule will run for messages which flagged. For triage rules, one triage_ field must be true.","type":"boolean"},"type":{"description":"Rule type","type":"string"},"updated_at":{"description":"Rule last updated time","format":"date-time","type":"string"}},"required":["description","name","source"],"type":"object"},"TypesEventMessage":{"description":"API request data, if originated from an API request","properties":{"id":{"description":"Message ID","format":"uuid","type":"string"}},"required":["id"],"type":"object"},"TypesEventMessageGroup":{"description":"Message group data, if originated from an API request taking an action on a message group","properties":{"id":{"description":"Message Group ID","format":"uuid","type":"string"}},"required":["id"],"type":"object"},"TypesEventTypeElement":{"properties":{"name":{"type":"string"},"type":{"type":"string"}},"type":"object"},"TypesFlatSqar":{"description":"Originating rule for this rule exclusion","properties":{"actions":{"description":"Actions associated with the rule","items":{"$ref":"#/components/schemas/TypesSqarAction"},"type":"array"},"active":{"description":"Whether the rule is active","type":"boolean"},"active_updated_at":{"description":"When the Rule was last activated/deactivated","format":"date-time","type":"string"},"asa_verdict_trigger":{"description":"The ASA verdict that triggered this rule, if applicable","nullable":true,"type":"string"},"attack_types":{"description":"Rule attack types","items":{"type":"string"},"type":"array"},"authors":{"description":"Authors and contributors of a rule","items":{"$ref":"#/components/schemas/TypesRuleAuthor"},"type":"array"},"auto_review_auto_share":{"description":"Whether auto-reviewed messages will be shared","type":"boolean"},"auto_review_classification":{"description":"The classification auto-reviewed messages will have, when an auto-review action is associated with the rule","nullable":true,"type":"string"},"child_ids":{"description":"IDs of any child sqars, if any","items":{"type":"string"},"type":"array"},"created_at":{"description":"Rule creation time","format":"date-time","nullable":true,"type":"string"},"created_by_api_request_id":{"description":"Created by API Request ID","format":"uuid","nullable":true,"type":"string"},"created_by_org_id":{"description":"Original rule creator org ID","format":"uuid","nullable":true,"type":"string"},"created_by_org_name":{"description":"Original rule creator org name","nullable":true,"type":"string"},"created_by_user_id":{"description":"Original rule creator user ID","format":"uuid","nullable":true,"type":"string"},"created_by_user_name":{"description":"Original rule creator user name","nullable":true,"type":"string"},"description":{"description":"Description of rule","nullable":true,"type":"string"},"detection_methods":{"description":"Rule detection technologies","items":{"type":"string"},"type":"array"},"false_positives":{"description":"Descriptions of known false positives that could occur","items":{"type":"string"},"type":"array"},"feed_external_rule_id":{"description":"External rule ID of a rule from a feed","nullable":true,"type":"string"},"feed_id":{"description":"Feed ID for a rule from a feed","nullable":true,"type":"string"},"full_type":{"description":"Sqar type (rule or query) and subtype","enum":["detection_rule","dlp_rule","triage_rule","insight_query","signal_query"],"type":"string"},"id":{"description":"Rule ID","format":"uuid","type":"string"},"immutable":{"description":"Whether changes to the source or metadata are permitted","type":"boolean"},"internal_type":{"description":"Unique internal type for rule","nullable":true,"type":"string"},"label":{"description":"Rule label","nullable":true,"type":"string"},"maturity":{"description":"Rule maturity","nullable":true,"type":"string"},"name":{"description":"Rule name","type":"string"},"org_id":{"description":"Org ID","format":"uuid","type":"string"},"parent_id":{"description":"ID of the parent sqar, if there is one","nullable":true,"type":"string"},"passive":{"description":"Whether the rule is in passive mode","type":"boolean"},"references":{"description":"URL references","items":{"type":"string"},"type":"array"},"run_triage_on_excluded_messages":{"description":"For Triage rules only, whether this rule will run even if the message matched a global exclusion.","type":"boolean"},"severity":{"description":"Rule severity","nullable":true,"type":"string"},"source":{"description":"Source","type":"string"},"source_md5":{"description":"MD5 hash of source","type":"string"},"tactics_and_techniques":{"description":"Rule tactics and techniques","items":{"type":"string"},"type":"array"},"tags":{"description":"Tags","items":{"type":"string"},"type":"array"},"triage_abuse_reports":{"description":"For Triage rules only, whether this rule will run for reported messages","type":"boolean"},"triage_ade_complete":{"description":"For Triage rules only, whether this rule will run as triggered by ADE processing completing","type":"boolean"},"triage_asa_complete":{"description":"For Triage rules only, whether this rule will run as triggered by ASA processing completing","type":"boolean"},"triage_classification_changes":{"description":"For Triage rules only, whether this rule will run when a reported message has a classification change","type":"boolean"},"triage_dlp_rule_matched":{"description":"For Triage rules only, whether this rule will run for messages that matched a DLP rule","type":"boolean"},"triage_email_bomb":{"description":"For Triage rules only, whether this rule will run for messages found in an email bomb","type":"boolean"},"triage_flagged_messages":{"description":"For Triage rules only, whether this rule will run for messages which flagged","type":"boolean"},"type":{"description":"Rule type","nullable":true,"type":"string"},"updated_at":{"description":"Rule last updated time","format":"date-time","nullable":true,"type":"string"},"user_can_delete":{"description":"Whether the rule can be deleted by a user","type":"boolean"},"user_provided_tags":{"description":"User-provided tags","items":{"type":"string"},"type":"array"}},"required":["created_at","id","name","source","source_md5","updated_at"],"type":"object"},"TypesMessageType":{"description":"The types of the message","properties":{"inbound":{"description":"Message was sent from someone outside your organization, to *at least one* recipient inside your organization","type":"boolean"},"internal":{"description":"Message was sent between two or more participants inside your organization","type":"boolean"},"outbound":{"description":"Message was sent from someone inside your organization, to *at least one* recipient outside your organization","type":"boolean"}},"type":"object"},"TypesPreview":{"description":"Preview of key details from the message header","properties":{"attachment_sha256":{"description":"SHA256 hashes of attachments","items":{"type":"string"},"type":"array"},"recipients":{"description":"Emails of all recipients","items":{"type":"string"},"type":"array"},"sender_display_name":{"description":"Display name of the sender","type":"string"},"sender_email_address":{"description":"Email of the sender","type":"string"},"subject":{"description":"Subject of the message","type":"string"}},"required":["recipients","sender_display_name","sender_email_address","subject"],"type":"object"},"TypesRuleAuthor":{"properties":{"name":{"description":"Name of a rule author","type":"string"},"twitter":{"description":"Twitter handle for a rule author","type":"string"}},"type":"object"},"TypesSqarAction":{"properties":{"active":{"type":"boolean"},"id":{"type":"string"},"name":{"type":"string"},"type":{"type":"string"}},"type":"object"},"UpdateRuleInput":{"properties":{"action_ids":{"description":"IDs of actions to run when the rule is triggered","items":{"type":"string"},"type":"array"},"attack_types":{"description":"Rule attack types","items":{"type":"string"},"type":"array"},"authors":{"description":"Rule authors. Defaults to the user that made the request","items":{"$ref":"#/components/schemas/TypesRuleAuthor"},"type":"array"},"auto_review_auto_share":{"description":"Whether auto-reviewed messages will be shared","type":"boolean"},"auto_review_classification":{"description":"The classification auto-reviewed messages will have, when an auto-review action is associated with the rule","nullable":true,"type":"string"},"description":{"description":"Description of rule","type":"string"},"detection_methods":{"description":"Rule detection technologies","items":{"type":"string"},"type":"array"},"false_positives":{"description":"Descriptions of known false positives that could occur","items":{"type":"string"},"type":"array"},"internal_type":{"description":"For core feed only","nullable":true,"type":"string"},"label":{"description":"Rule label","nullable":true,"type":"string"},"maturity":{"description":"Rule maturity","nullable":true,"type":"string"},"name":{"description":"Rule name","type":"string"},"references":{"description":"URL references","items":{"type":"string"},"type":"array"},"run_triage_on_excluded_messages":{"description":"For Triage rules only, whether this rule will run even if the message matched a global exclusion.","nullable":true,"type":"boolean"},"severity":{"description":"Rule severity","nullable":true,"type":"string"},"source":{"description":"Source","type":"string"},"tactics_and_techniques":{"description":"Rule tactics and techniques","items":{"type":"string"},"type":"array"},"tags":{"description":"Tags","items":{"type":"string"},"type":"array"},"triage_abuse_reports":{"description":"For Triage rules only, whether this rule will run for reported messages. For triage rules, one triage_ field must be true.","nullable":true,"type":"boolean"},"triage_classification_changes":{"description":"For Triage rules only, whether this rule will run for messages whose classification has just changed. For triage rules, one triage_ field must be true.","nullable":true,"type":"boolean"},"triage_dlp_rule_matched":{"description":"For Triage rules only, whether this rule will run for messages that matched a DLP rule. For triage rules, one triage_ field must be true.","nullable":true,"type":"boolean"},"triage_flagged_messages":{"description":"For Triage rules only, whether this rule will run for messages which flagged. For triage rules, one triage_ field must be true.","nullable":true,"type":"boolean"},"user_provided_tags":{"description":"User-provided tags","items":{"type":"string"},"type":"array"}},"required":["name","source"],"type":"object"},"UpdateSCIMUserInput":{"properties":{"active":{"type":"boolean"},"emails":{"items":{"$ref":"#/components/schemas/Handler_typesSCIMEmail"},"type":"array"},"externalId":{"description":"ID of the user in the external identity provider (e.g., Okta)","nullable":true,"type":"string"},"id":{"description":"ID of the user in Sublime","type":"string"},"meta":{"$ref":"#/components/schemas/Handler_typesSCIMMeta"},"name":{"$ref":"#/components/schemas/Handler_typesSCIMUserName"},"schemas":{"items":{"type":"string"},"type":"array"},"sublimeRole":{"description":"Deprecated. For backwards-compatibility with existing integrations. Prefer the property on \"urn:ietf:params:scim:schemas:extension:sublime:2.0:User\"","type":"string"},"urn:ietf:params:scim:schemas:extension:sublime:2.0:User":{"$ref":"#/components/schemas/Handler_typesSCIMSublimeUserExtension"},"userName":{"type":"string"}},"required":["name","userName"],"type":"object"},"UtilRegexExtractMatch":{"properties":{"full_match":{"description":"A complete match to the regular expression","type":"string"},"groups":{"description":"All captured groups","items":{"type":"string"},"type":"array"},"named_groups":{"additionalProperties":{"type":"string"},"description":"A mapping of named capture groups names to values","type":"object"}},"type":"object"},"ValidateRuleInput":{"properties":{"action_ids":{"description":"IDs of actions to run when the rule is triggered","items":{"type":"string"},"type":"array"},"active":{"description":"Activate the rule immediately","type":"boolean"},"attack_types":{"description":"Rule attack types","items":{"type":"string"},"type":"array"},"authors":{"description":"Rule authors. Defaults to the user that made the request","items":{"$ref":"#/components/schemas/TypesRuleAuthor"},"type":"array"},"auto_review_auto_share":{"description":"Whether auto-reviewed messages will be shared","type":"boolean"},"auto_review_classification":{"description":"The classification auto-reviewed messages will have, when an auto-review action is associated with the rule","nullable":true,"type":"string"},"description":{"description":"Description of rule","type":"string"},"detection_methods":{"description":"Rule detection technologies","items":{"type":"string"},"type":"array"},"false_positives":{"description":"Descriptions of known false positives that could occur","items":{"type":"string"},"type":"array"},"internal_type":{"description":"For core feed only","nullable":true,"type":"string"},"label":{"description":"Rule label","nullable":true,"type":"string"},"maturity":{"description":"Rule maturity","nullable":true,"type":"string"},"name":{"description":"Rule name","type":"string"},"references":{"description":"URL references","items":{"type":"string"},"type":"array"},"run_triage_on_excluded_messages":{"description":"For Triage rules only, whether this rule will run even if the message matched a global exclusion.","nullable":true,"type":"boolean"},"severity":{"description":"Rule severity","nullable":true,"type":"string"},"source":{"description":"Source","type":"string"},"tactics_and_techniques":{"description":"Rule tactics and techniques","items":{"type":"string"},"type":"array"},"tags":{"description":"Tags","items":{"type":"string"},"type":"array"},"triage_abuse_reports":{"description":"For Triage rules only, whether this rule will run for reported messages. For triage rules, one triage_ field must be true.","nullable":true,"type":"boolean"},"triage_classification_changes":{"description":"For Triage rules only, whether this rule will run for messages whose classification has just changed. For triage rules, one triage_ field must be true.","nullable":true,"type":"boolean"},"triage_dlp_rule_matched":{"description":"For Triage rules only, whether this rule will run for messages that matched a DLP rule. For triage rules, one triage_ field must be true.","nullable":true,"type":"boolean"},"triage_flagged_messages":{"description":"For Triage rules only, whether this rule will run for messages which flagged. For triage rules, one triage_ field must be true.","nullable":true,"type":"boolean"},"type":{"description":"Type of the rule","enum":["detection","dlp","triage"],"type":"string"},"user_provided_tags":{"description":"User-provided tags","items":{"type":"string"},"type":"array"}},"required":["name","source"],"type":"object"},"WhoisResult":{"description":"network.whois output","properties":{"administrative_company":{"description":"The company of the administrative contact","type":"string"},"administrative_email":{"description":"The email address of the administrative contact","type":"string"},"administrative_name":{"description":"The name of the administrative contact","type":"string"},"administrative_phone":{"description":"The phone number of the administrative contact","type":"string"},"checked_at":{"description":"Date that this registration was last checked","format":"date-time","nullable":true,"type":"string"},"created_at":{"description":"Date that the domain was first created","format":"date-time","nullable":true,"type":"string"},"days_old":{"description":"The number of elapsed days since this domain was registered","format":"double","nullable":true,"type":"number"},"domain_status":{"description":"The status codes for this domain registration","items":{"type":"string"},"type":"array"},"error":{"description":"Error when looking up the domain in whois","type":"string"},"expires_at":{"description":"Date that this domain registration expires","format":"date-time","nullable":true,"type":"string"},"found":{"description":"Whether the domain was found via WHOIS","nullable":true,"type":"boolean"},"name_servers":{"description":"The authoritative name servers for this domain, parsed into domain objects","items":{"$ref":"#/components/schemas/Mdm_serviceDomain"},"type":"array"},"registrant_address":{"description":"The address of the registrant","type":"string"},"registrant_city":{"description":"The city of the registrant","type":"string"},"registrant_company":{"description":"The company that registered this domain","type":"string"},"registrant_country":{"description":"The country of the registrant","type":"string"},"registrant_country_code":{"description":"The country code of the registrant","type":"string"},"registrant_email":{"description":"The email address of the registrant","type":"string"},"registrant_fax":{"description":"The fax number of the registrant","type":"string"},"registrant_name":{"description":"The name of the person or entity that registered this domain","type":"string"},"registrant_phone":{"description":"The phone number of the registrant","type":"string"},"registrant_state":{"description":"The state or province of the registrant","type":"string"},"registrant_zip":{"description":"The postal/zip code of the registrant","type":"string"},"registrar_name":{"description":"The registrar that reported this information","type":"string"},"root_domain":{"description":"The root domain that was looked up","type":"string"},"technical_company":{"description":"The company of the technical contact","type":"string"},"technical_email":{"description":"The email address of the technical contact","type":"string"},"technical_name":{"description":"The name of the technical contact","type":"string"},"technical_phone":{"description":"The phone number of the technical contact","type":"string"},"updated_at":{"description":"Date that this domain registration was last updated","format":"date-time","nullable":true,"type":"string"}},"type":"object"}},"securitySchemes":{"bearerAuth":{"scheme":"bearer","type":"http"}}},"info":{"contact":{"email":"support@sublime.security"},"title":"Sublime Platform API","version":""},"openapi":"3.0.1","paths":{"/v0/audit-log/events":{"get":{"description":"List events in audit log","operationId":"listEventsInAuditLog","parameters":[{"description":"Inclusive start datetime filter for time of event creation, in UTC using the ISO 8601 format (e.g., '2021-03-14T15:09:26Z'). Only events at or after this time will be returned.","in":"query","name":"created_at[gte]","schema":{"description":"Inclusive start datetime filter for time of event creation, in UTC using the ISO 8601 format (e.g., '2021-03-14T15:09:26Z'). Only events at or after this time will be returned.","format":"date-time","nullable":true,"type":"string"}},{"description":"Exclusive end datetime filter for time of event creation, in UTC using the ISO 8601 format (e.g., '2021-03-14T15:09:26Z'). Only events before this time will be returned.","in":"query","name":"created_at[lt]","schema":{"description":"Exclusive end datetime filter for time of event creation, in UTC using the ISO 8601 format (e.g., '2021-03-14T15:09:26Z'). Only events before this time will be returned.","format":"date-time","nullable":true,"type":"string"}},{"description":"The maximum number of entries to return. If the value exceeds the maximum, then the maximum value will be used","in":"query","name":"limit","schema":{"description":"The maximum number of entries to return. If the value exceeds the maximum, then the maximum value will be used","format":"int32","maximum":500,"nullable":true,"type":"integer"}},{"description":"The (zero-based) offset of the first rules to return","in":"query","name":"offset","schema":{"description":"The (zero-based) offset of the first rules to return","format":"int32","nullable":true,"type":"integer"}},{"description":"Event type","in":"query","name":"type","schema":{"description":"Event type","nullable":true,"type":"string"}},{"description":"Filter by user IDs","explode":true,"in":"query","name":"user_ids","schema":{"description":"Filter by user IDs","items":{"type":"string"},"type":"array"},"style":"form"}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/HandlersListEventsInAuditLogResponse"}}},"description":"OK"}},"summary":"List events in audit log","tags":["Events in the audit log"]}},"/v0/audit-log/events/types":{"get":{"description":"List all event types for audit log","operationId":"listEventTypesForAuditLog","responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/HandlersListEventTypesResponse"}}},"description":"OK"}},"summary":"List event types for audit log","tags":["Events in the audit log"]}},"/v0/audit-log/events/{id}":{"get":{"operationId":"getEventFromAuditLog","parameters":[{"description":"Event ID","in":"path","name":"id","required":true,"schema":{"description":"Event ID","format":"uuid","type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/HandlersGetAuditLogEventResponse"}}},"description":"OK"}},"summary":"Retrieve event from audit log","tags":["Events in the audit log"]}},"/v0/binexplode/scan":{"post":{"description":"Starts a task to explode a binary. Returns a task ID to track and ultimately retrieve results. Results expire after 1 hour. Max original file size of 37 mb (base 64 encoded 49 mb)","operationId":"postScan","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/PostScanInput"}}}},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Handler_typesTaskAccepted"}}},"description":"OK"}},"summary":"Upload a binary to be binexploded","tags":["BinExplode"]}},"/v0/binexplode/scan/{id}":{"get":{"description":"Retrieve the results of a completed binexplode scan.","operationId":"getScan","parameters":[{"description":"Task ID","in":"path","name":"id","required":true,"schema":{"description":"Task ID","format":"uuid","type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Handler_typesGetScanResultResponse"}}},"description":"OK"}},"summary":"Get results of a binexplode scan","tags":["BinExplode"]}},"/v0/enrichment/link_analysis/evaluate":{"post":{"description":"Analyze a provided link using ml.link_analysis functionality.","operationId":"linkAnalysisEvaluate","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/LinkAnalysisEvaluateInput"}}}},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Handler_typesLinkAnalysisResponse"}}},"description":"OK"}},"summary":"Analyze a provided link using ml.link_analysis functionality","tags":["Enrichment"]}},"/v0/hunt-jobs":{"post":{"description":"Start a hunt job","operationId":"startHuntJob","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/StartHuntJobInput"}}}},"responses":{"201":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/HandlersStartHuntJobResponse"}}},"description":"Created"}},"summary":"Start hunt job","tags":["Hunt Jobs"]}},"/v0/hunt-jobs/{id}":{"get":{"description":"Get a hunt job","operationId":"getHuntJob","parameters":[{"description":"ID of the hunt job.","in":"path","name":"id","required":true,"schema":{"description":"ID of the hunt job.","type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/HandlersGetV0HuntJobResponse"}}},"description":"OK"}},"summary":"Get hunt job","tags":["Hunt Jobs"]}},"/v0/hunt-jobs/{id}/results":{"get":{"description":"Get hunt job detailed results. Provides message group details and summaries","operationId":"getHuntJobResults","parameters":[{"description":"ID of the hunt job.","in":"path","name":"id","required":true,"schema":{"description":"ID of the hunt job.","type":"string"}},{"description":"The maximum number of results to return.","in":"query","name":"limit","schema":{"description":"The maximum number of results to return.","format":"int32","maximum":500,"minimum":1,"nullable":true,"type":"integer"}},{"description":"The (zero-based) offset of the first hunt job results to return.","in":"query","name":"offset","schema":{"description":"The (zero-based) offset of the first hunt job results to return.","format":"int32","nullable":true,"type":"integer"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/HandlersGetV0HuntJobResultsResponse"}}},"description":"OK"}},"summary":"Get hunt job results","tags":["Hunt Jobs"]}},"/v0/lists":{"get":{"description":"Retrieve filtered lists","operationId":"getLists","parameters":[{"description":"List type to filter by. One of 'string', 'user_group', 'provider_org_unit'.","in":"query","name":"entry_type","required":true,"schema":{"description":"List type to filter by. One of 'string', 'user_group', 'provider_org_unit'.","enum":["string","user_group","provider_org_unit"],"type":"string"}},{"description":"Optional ID (exact match) to filter by","in":"query","name":"id","schema":{"description":"Optional ID (exact match) to filter by","format":"uuid","type":"string"}},{"description":"Optional name (exact match) to filter by","in":"query","name":"name","schema":{"description":"Optional name (exact match) to filter by","type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Handler_typesGetListResponse"}}},"description":"OK"}},"summary":"Retrieve lists","tags":["Lists"]},"post":{"description":"Create a list","operationId":"createList","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/CreateListInput"}}}},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Handler_typesList"}}},"description":"OK"}},"summary":"Create list","tags":["Lists"]}},"/v0/lists/{id}":{"delete":{"description":"Delete a list","operationId":"deleteList","parameters":[{"description":"List ID","in":"path","name":"id","required":true,"schema":{"description":"List ID","format":"uuid","type":"string"}}],"responses":{"200":{"description":"OK"}},"summary":"Delete list","tags":["Lists"]},"get":{"description":"Get a list","operationId":"getList","parameters":[{"description":"List ID","in":"path","name":"id","required":true,"schema":{"description":"List ID","format":"uuid","type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Handler_typesList"}}},"description":"OK"}},"summary":"Get list","tags":["Lists"]},"patch":{"description":"Patch a list","operationId":"patchList","parameters":[{"description":"List ID","in":"path","name":"id","required":true,"schema":{"description":"List ID","format":"uuid","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/PatchListInput"}}}},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Handler_typesList"}}},"description":"OK"}},"summary":"Patch list","tags":["Lists"]}},"/v0/lists/{id}/entries":{"get":{"description":"Get all list entries","operationId":"getListEntries","parameters":[{"description":"List ID","in":"path","name":"id","required":true,"schema":{"description":"List ID","format":"uuid","type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Handler_typesListEntries"}}},"description":"OK"}},"summary":"Get list entries","tags":["Lists"]},"put":{"description":"Set (overwrite) all list entries","operationId":"setListEntries","parameters":[{"description":"List ID","in":"path","name":"id","required":true,"schema":{"description":"List ID","format":"uuid","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SetListEntriesInput"}}}},"responses":{"200":{"description":"OK"}},"summary":"Set list entries","tags":["Lists"]}},"/v0/lists/{id}/entries/entry":{"delete":{"description":"Delete list entry, if present","operationId":"deleteListEntry","parameters":[{"description":"List ID","in":"path","name":"id","required":true,"schema":{"description":"List ID","format":"uuid","type":"string"}},{"description":"String list entry","in":"query","name":"string","required":true,"schema":{"description":"String list entry","maxLength":2000,"type":"string"}}],"responses":{"200":{"description":"OK"}},"summary":"Delete list entry","tags":["Lists"]},"get":{"description":"Get list entry, if present","operationId":"getListEntry","parameters":[{"description":"List ID","in":"path","name":"id","required":true,"schema":{"description":"List ID","format":"uuid","type":"string"}},{"description":"String list entry","in":"query","name":"string","required":true,"schema":{"description":"String list entry","maxLength":2000,"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"type":"string"}}},"description":"OK"}},"summary":"Get list entry","tags":["Lists"]},"post":{"description":"Add list entry, if not already present","operationId":"addListEntry","parameters":[{"description":"List ID","in":"path","name":"id","required":true,"schema":{"description":"List ID","format":"uuid","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/AddListEntryInput"}}}},"responses":{"200":{"description":"OK"}},"summary":"Add list entry","tags":["Lists"]}},"/v0/live-flow/raw-messages/analyze":{"post":{"description":"Process a raw message","operationId":"analyzeRawMessageLiveFlow","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/AnalyzeRawMessageLiveFlowInput"}}}},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Handler_typesAnalyzeRawMessageLiveFlowResponse"}}},"description":"OK"}},"summary":"Process raw message","tags":["Live flow"]}},"/v0/mailboxes":{"get":{"description":"List all mailboxes","operationId":"listMailboxes","parameters":[{"description":"Filter for effectively active mailboxes (marked active with a live subscription)","in":"query","name":"active","schema":{"description":"Filter for effectively active mailboxes (marked active with a live subscription)","nullable":true,"type":"boolean"}},{"description":"Email addresses of the mailboxes to return (comma-delimited)","in":"query","name":"email_addresses","schema":{"description":"Email addresses of the mailboxes to return (comma-delimited)","nullable":true,"type":"string"}},{"description":"The maximum number of entries to return. If the value exceeds the maximum, then the maximum value will be used","in":"query","name":"limit","schema":{"description":"The maximum number of entries to return. If the value exceeds the maximum, then the maximum value will be used","format":"int32","maximum":500,"nullable":true,"type":"integer"}},{"description":"Comma-delimited list of mailbox types to filter by","in":"query","name":"mailbox_types","schema":{"description":"Comma-delimited list of mailbox types to filter by","nullable":true,"type":"string"}},{"description":"Filter for mailboxes marked active","in":"query","name":"marked_active","schema":{"description":"Filter for mailboxes marked active","nullable":true,"type":"boolean"}},{"description":"ID of the message source the mailboxes belong to","in":"query","name":"message_source_id","schema":{"description":"ID of the message source the mailboxes belong to","nullable":true,"type":"string"}},{"description":"The (zero-based) offset of the first mailbox to return","in":"query","name":"offset","schema":{"description":"The (zero-based) offset of the first mailbox to return","format":"int32","nullable":true,"type":"integer"}},{"description":"Search across mailbox names and email addresses","in":"query","name":"search","schema":{"description":"Search across mailbox names and email addresses","nullable":true,"type":"string"}},{"description":"Comma-delimited list of subscription error types to filter by","in":"query","name":"sub_error_types","schema":{"description":"Comma-delimited list of subscription error types to filter by","nullable":true,"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/HandlersV0ListMailboxesResponse"}}},"description":"OK"}},"summary":"List mailboxes","tags":["Mailboxes"]}},"/v0/message-groups":{"get":{"description":"List message groups","operationId":"listMessageGroups","parameters":[{"description":"Filters result to only message groups with the provided attachment name","explode":true,"in":"query","name":"attachment_name__is","schema":{"description":"Filters result to only message groups with the provided attachment name","items":{"type":"string"},"type":"array"},"style":"form"},{"description":"Filters result to only message groups with the provided attachment SHA256","explode":true,"in":"query","name":"attachment_sha256__is","schema":{"description":"Filters result to only message groups with the provided attachment SHA256","items":{"type":"string"},"type":"array"},"style":"form"},{"description":"Filters result to only message groups with the provided attack score verdict","explode":true,"in":"query","name":"attack_score_verdict__is","schema":{"description":"Filters result to only message groups with the provided attack score verdict","items":{"enum":["unknown","likely_benign","suspicious","malicious","graymail","spam"],"type":"string"},"type":"array"},"style":"form"},{"description":"Filters result to only message groups that have flagged (ONLY) rules with the 'Attack surface reduction' tag","in":"query","name":"attack_surface_reduction__filter","schema":{"description":"Filters result to only message groups that have flagged (ONLY) rules with the 'Attack surface reduction' tag","format":"bool","nullable":true,"type":"string"}},{"description":"Filters result to only message groups with the provided canonical ID","explode":true,"in":"query","name":"canonical_id__is","schema":{"description":"Filters result to only message groups with the provided canonical ID","items":{"type":"string"},"type":"array"},"style":"form"},{"description":"Inclusive start datetime filter, in UTC using the ISO 8601 format (e.g., '2021-03-14T15:09:26Z'). Only message groups that contain a message processed at or after this time will be returned.","in":"query","name":"created_at__gte","schema":{"description":"Inclusive start datetime filter, in UTC using the ISO 8601 format (e.g., '2021-03-14T15:09:26Z'). Only message groups that contain a message processed at or after this time will be returned.","format":"date-time","nullable":true,"type":"string"}},{"description":"Exclusive end datetime filter, in UTC using the ISO 8601 format (e.g., '2021-05-04T15:09:26Z'). Only message groups that contain a message processed before this time will be returned.","in":"query","name":"created_at__lt","schema":{"description":"Exclusive end datetime filter, in UTC using the ISO 8601 format (e.g., '2021-05-04T15:09:26Z'). Only message groups that contain a message processed before this time will be returned.","format":"date-time","nullable":true,"type":"string"}},{"description":"DEPRECATED: Use first_message_reported_at__gte","in":"query","name":"first_message_reported_at[gte]","schema":{"description":"DEPRECATED: Use first_message_reported_at__gte","format":"date-time","nullable":true,"type":"string"}},{"description":"Filters result to only message groups with a message first reported at or after the provided time. Datetime must be in UTC using the ISO 8601 format (e.g., '2021-03-14T15:09:26Z').","in":"query","name":"first_message_reported_at__gte","schema":{"description":"Filters result to only message groups with a message first reported at or after the provided time. Datetime must be in UTC using the ISO 8601 format (e.g., '2021-03-14T15:09:26Z').","format":"date-time","nullable":true,"type":"string"}},{"description":"Filters result to only message groups with at least one flagged message","in":"query","name":"flagged","schema":{"description":"Filters result to only message groups with at least one flagged message","format":"bool","nullable":true,"type":"boolean"}},{"description":"Filters result to only message groups with the provided flagged rule ID","explode":true,"in":"query","name":"flagged_rule_id__is","schema":{"description":"Filters result to only message groups with the provided flagged rule ID","items":{"type":"string"},"type":"array"},"style":"form"},{"description":"Filters result to only message groups with the provided flagged rule severity","explode":true,"in":"query","name":"flagged_rule_severity__is","schema":{"description":"Filters result to only message groups with the provided flagged rule severity","items":{"enum":["informational","low","medium","high","critical"],"type":"string"},"type":"array"},"style":"form"},{"description":"Filters result to only message groups with the provided historically flagged rule ID","explode":true,"in":"query","name":"historically_flagged_rule_id__is","schema":{"description":"Filters result to only message groups with the provided historically flagged rule ID","items":{"type":"string"},"type":"array"},"style":"form"},{"description":"Filters result to only message groups with the provided historically flagged rule severity","explode":true,"in":"query","name":"historically_flagged_rule_severity__is","schema":{"description":"Filters result to only message groups with the provided historically flagged rule severity","items":{"enum":["informational","low","medium","high","critical"],"type":"string"},"type":"array"},"style":"form"},{"description":"DEPRECATED: Use created_at__gte instead","in":"query","name":"last_message_created_at[gte]","schema":{"description":"DEPRECATED: Use created_at__gte instead","format":"date-time","nullable":true,"type":"string"}},{"description":"The maximum number of message groups to return. If the value exceeds the maximum, then the maximum value will be used.","in":"query","name":"limit","schema":{"description":"The maximum number of message groups to return. If the value exceeds the maximum, then the maximum value will be used.","format":"int32","maximum":500,"nullable":true,"type":"integer"}},{"description":"Filters result to only message groups with the provided mailbox email","explode":true,"in":"query","name":"mailbox_email__is","schema":{"description":"Filters result to only message groups with the provided mailbox email","items":{"type":"string"},"type":"array"},"style":"form"},{"description":"The (zero-based) offset of the message groups to return","in":"query","name":"offset","schema":{"description":"The (zero-based) offset of the message groups to return","format":"int32","nullable":true,"type":"integer"}},{"description":"Filters result to only message groups with the provided recipient email","explode":true,"in":"query","name":"recipient_email__is","schema":{"description":"Filters result to only message groups with the provided recipient email","items":{"type":"string"},"type":"array"},"style":"form"},{"description":"Filters result to only message groups with the provided reporter","explode":true,"in":"query","name":"reported_as_phish_by__is","schema":{"description":"Filters result to only message groups with the provided reporter","items":{"type":"string"},"type":"array"},"style":"form"},{"description":"Filters result to only message groups which have or have not been reviewed","in":"query","name":"reviewed","schema":{"description":"Filters result to only message groups which have or have not been reviewed","format":"bool","nullable":true,"type":"boolean"}},{"description":"Filters result to only message groups with the provided sender display name","explode":true,"in":"query","name":"sender_display_name__is","schema":{"description":"Filters result to only message groups with the provided sender display name","items":{"type":"string"},"type":"array"},"style":"form"},{"description":"Filters result to only message groups with the provided sender domain","explode":true,"in":"query","name":"sender_domain__is","schema":{"description":"Filters result to only message groups with the provided sender domain","items":{"type":"string"},"type":"array"},"style":"form"},{"description":"Filters result to only message groups with the provided sender email","explode":true,"in":"query","name":"sender_email__is","schema":{"description":"Filters result to only message groups with the provided sender email","items":{"type":"string"},"type":"array"},"style":"form"},{"description":"Filters result to only message groups with the provided spam status","explode":true,"in":"query","name":"spam__is","schema":{"description":"Filters result to only message groups with the provided spam status","items":{"enum":["spam","not_spam","mixed"],"type":"string"},"type":"array"},"style":"form"},{"description":"Filters result to only message groups with the provided subject","explode":true,"in":"query","name":"subject__is","schema":{"description":"Filters result to only message groups with the provided subject","items":{"type":"string"},"type":"array"},"style":"form"},{"description":"Filters result to only message groups with at least one reported message","in":"query","name":"user_reported","schema":{"description":"Filters result to only message groups with at least one reported message","format":"bool","nullable":true,"type":"boolean"}},{"description":"Filters result to only message groups with the provided vendor","explode":true,"in":"query","name":"vendor_id__is","schema":{"description":"Filters result to only message groups with the provided vendor","items":{"type":"string"},"type":"array"},"style":"form"}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Handler_typesV0ListMessageGroupsResponse"}}},"description":"OK"}},"summary":"List message groups","tags":["Message Groups"]}},"/v0/message-groups/dismiss":{"post":{"description":"Dismiss all messages in multiple groups, including future messages.","operationId":"dismissMultipleMessageGroups","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/DismissMultipleMessageGroupsInput"}}}},"responses":{"200":{"description":"OK"}},"summary":"Dismiss multiple message groups","tags":["Message Groups"]}},"/v0/message-groups/hunt":{"post":{"deprecated":true,"description":"DEPRECATED: Hunt using MQL to find message groups. Please use the POST /v0/hunt-jobs endpoint instead.","operationId":"huntMessageGroups","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/HuntMessageGroupsInput"}}}},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Handler_typesTaskAccepted"}}},"description":"OK"}},"summary":"Hunt message groups","tags":["Message Groups"]}},"/v0/message-groups/hunt/{id}":{"get":{"deprecated":true,"description":"DEPRECATED: Retrieve the results of a completed hunt. Please use the GET /v0/hunt-jobs/:id endpoint instead.","operationId":"getHuntResults","parameters":[{"description":"Task ID","in":"path","name":"id","required":true,"schema":{"description":"Task ID","format":"uuid","type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Handler_typesGetHuntResponse"}}},"description":"OK"}},"summary":"Get results of a hunt","tags":["Message Groups"]}},"/v0/message-groups/move-to-graymail":{"post":{"description":"Move to Graymail all messages in multiple groups, including future messages.","operationId":"graymailMultipleMessageGroups","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/GraymailMultipleMessageGroupsInput"}}}},"responses":{"202":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Handler_typesTaskAccepted"}}},"description":"Accepted"}},"summary":"Graymail multiple message groups","tags":["Message Groups"]}},"/v0/message-groups/quarantine":{"post":{"description":"Quarantine all messages in multiple groups, including future messages.","operationId":"quarantineMultipleMessageGroups","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/QuarantineMultipleMessageGroupsInput"}}}},"responses":{"202":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Handler_typesTaskAccepted"}}},"description":"Accepted"}},"summary":"Quarantine multiple message groups","tags":["Message Groups"]}},"/v0/message-groups/restore":{"post":{"description":"Restore all previously-trashed messages in multiple groups and turn off automatic trashing of future messages in the groups. \"For an Office 365 message source, each message will be put back in the folder it was in before. For a Google Workspace message source, any applied labels (e.g. \"Trash\") will be removed from each message.\"","operationId":"restoreMultipleMessageGroups","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/RestoreMultipleMessageGroupsInput"}}}},"responses":{"202":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Handler_typesTaskAccepted"}}},"description":"Accepted"}},"summary":"Restore multiple message groups","tags":["Message Groups"]}},"/v0/message-groups/review":{"post":{"description":"Review, classify and take actions on message groups","operationId":"reviewMessageGroups","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReviewMessageGroupsInput"}}}},"responses":{"202":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/HandlersReviewMessagesResponse"}}},"description":"Accepted"}},"summary":"Review message groups","tags":["Message Groups"]}},"/v0/message-groups/search":{"get":{"description":"Search all message groups","operationId":"searchMessageGroups","parameters":[{"description":"Searches every field (performs a case insensitive, OR search in all fields). Not compatible with other search fields.","in":"query","name":"any","schema":{"description":"Searches every field (performs a case insensitive, OR search in all fields). Not compatible with other search fields.","nullable":true,"type":"string"}},{"description":"Search for messages containing an attachment MD5 match","in":"query","name":"attachment_md5","schema":{"description":"Search for messages containing an attachment MD5 match","maxLength":32,"minLength":32,"nullable":true,"type":"string"}},{"description":"Search for messages containing an attachment SHA1 match","in":"query","name":"attachment_sha1","schema":{"description":"Search for messages containing an attachment SHA1 match","maxLength":40,"minLength":40,"nullable":true,"type":"string"}},{"description":"Search for messages containing an attachment SHA256 match","in":"query","name":"attachment_sha256","schema":{"description":"Search for messages containing an attachment SHA256 match","maxLength":64,"minLength":64,"nullable":true,"type":"string"}},{"description":"Inclusive start datetime filter for search, in UTC using the ISO 8601 format (e.g., '2021-03-14T15:09:26Z'). Only message groups with a message processed at or after this time will be returned.","in":"query","name":"created_at[gte]","schema":{"description":"Inclusive start datetime filter for search, in UTC using the ISO 8601 format (e.g., '2021-03-14T15:09:26Z'). Only message groups with a message processed at or after this time will be returned.","format":"date-time","nullable":true,"type":"string"}},{"description":"Exclusive end datetime filter for search, in UTC using the ISO 8601 format (e.g., '2021-05-04T15:09:26Z'). Only message groups with a message processed before this time will be returned.","in":"query","name":"created_at[lt]","schema":{"description":"Exclusive end datetime filter for search, in UTC using the ISO 8601 format (e.g., '2021-05-04T15:09:26Z'). Only message groups with a message processed before this time will be returned.","format":"date-time","nullable":true,"type":"string"}},{"description":"Deprecated, use created_at[lt]. Exclusive end datetime filter for search, in UTC using the ISO 8601 format (e.g., '2021-05-04T15:09:26Z'). Only message groups with a message processed before this time will be returned.","in":"query","name":"created_at[lte]","schema":{"description":"Deprecated, use created_at[lt]. Exclusive end datetime filter for search, in UTC using the ISO 8601 format (e.g., '2021-05-04T15:09:26Z'). Only message groups with a message processed before this time will be returned.","format":"date-time","nullable":true,"type":"string"}},{"description":"Search in attachment filenames (case insensitive wildcard match)","in":"query","name":"file_name","schema":{"description":"Search in attachment filenames (case insensitive wildcard match)","nullable":true,"type":"string"}},{"description":"Inclusive start datetime filter for search, in UTC using the ISO 8601 format (e.g., '2021-03-14T15:09:26Z'). Only message groups reported at or after this time will be returned.","in":"query","name":"first_reported_as_phish_at[gte]","schema":{"description":"Inclusive start datetime filter for search, in UTC using the ISO 8601 format (e.g., '2021-03-14T15:09:26Z'). Only message groups reported at or after this time will be returned.","format":"date-time","nullable":true,"type":"string"}},{"description":"Exclusive end datetime filter for search, in UTC using the ISO 8601 format (e.g., '2021-05-04T15:09:26Z'). Only message groups reported before this time will be returned.","in":"query","name":"first_reported_as_phish_at[lt]","schema":{"description":"Exclusive end datetime filter for search, in UTC using the ISO 8601 format (e.g., '2021-05-04T15:09:26Z'). Only message groups reported before this time will be returned.","format":"date-time","nullable":true,"type":"string"}},{"description":"DEPRECATED: Use 'sender' instead. Search in the From field. (case insensitive wildcard match)","in":"query","name":"from","schema":{"description":"DEPRECATED: Use 'sender' instead. Search in the From field. (case insensitive wildcard match)","nullable":true,"type":"string"}},{"description":"The maximum number of message groups to return. If the value exceeds the maximum, then the maximum value will be used.","in":"query","name":"limit","schema":{"description":"The maximum number of message groups to return. If the value exceeds the maximum, then the maximum value will be used.","format":"int32","maximum":500,"nullable":true,"type":"integer"}},{"description":"Search for a mailbox by email address (case insensitive, wildcard match)","in":"query","name":"mailbox","schema":{"description":"Search for a mailbox by email address (case insensitive, wildcard match)","nullable":true,"type":"string"}},{"description":"Search in the Message-ID header (case insensitive wildcard match)","in":"query","name":"message_id","schema":{"description":"Search in the Message-ID header (case insensitive wildcard match)","nullable":true,"type":"string"}},{"description":"The (zero-based) offset of the message groups to return","in":"query","name":"offset","schema":{"description":"The (zero-based) offset of the message groups to return","format":"int32","nullable":true,"type":"integer"}},{"description":"Search in the From field (case insensitive wildcard match)","in":"query","name":"sender","schema":{"description":"Search in the From field (case insensitive wildcard match)","nullable":true,"type":"string"}},{"description":"Search for messages in any of the given states","explode":true,"in":"query","name":"states","schema":{"description":"Search for messages in any of the given states","items":{"type":"string"},"type":"array"},"style":"form"},{"description":"Search in the message subject (case insensitive wildcard match)","in":"query","name":"subject","schema":{"description":"Search in the message subject (case insensitive wildcard match)","nullable":true,"type":"string"}},{"description":"Search in the To, CC, and Bcc fields (case insensitive wildcard match). If possible, use 'mailbox' and 'type' instead for better performance","in":"query","name":"to","schema":{"description":"Search in the To, CC, and Bcc fields (case insensitive wildcard match). If possible, use 'mailbox' and 'type' instead for better performance","nullable":true,"type":"string"}},{"description":"Search for messages by type","in":"query","name":"type","schema":{"description":"Search for messages by type","nullable":true,"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Handler_typesV0ListMessageGroupsResponse"}}},"description":"OK"}},"summary":"Search message groups","tags":["Message Groups"]}},"/v0/message-groups/siem-summary":{"get":{"description":"Returns a paginated, reduced-field summary of flagged message groups intended for SIEM ingestion. Array fields are bounded to keep payloads under typical SIEM batch limits.","operationId":"getMessageGroupSIEMSummary","parameters":[{"description":"Opaque pagination cursor returned in the previous response's cursor field.","in":"query","name":"cursor","schema":{"description":"Opaque pagination cursor returned in the previous response's cursor field.","nullable":true,"type":"string"}},{"description":"The maximum number of message groups to return.","in":"query","name":"limit","schema":{"default":100,"description":"The maximum number of message groups to return.","format":"int32","maximum":1000,"minimum":1,"type":"integer"}},{"description":"Inclusive lower bound on the sort timestamp (newest_created_at for type=flagged, first_reported_as_phish_at for type=reported).","in":"query","name":"timestamp__gte","schema":{"description":"Inclusive lower bound on the sort timestamp (newest_created_at for type=flagged, first_reported_as_phish_at for type=reported).","format":"date-time","nullable":true,"type":"string"}},{"description":"Exclusive upper bound on the sort timestamp (newest_created_at for type=flagged, first_reported_as_phish_at for type=reported).","in":"query","name":"timestamp__lt","schema":{"description":"Exclusive upper bound on the sort timestamp (newest_created_at for type=flagged, first_reported_as_phish_at for type=reported).","format":"date-time","nullable":true,"type":"string"}},{"description":"Which timestamp the endpoint sorts/filters on: 'flagged' uses newest_created_at, 'reported' uses first_reported_as_phish_at.","in":"query","name":"type","schema":{"default":"flagged","description":"Which timestamp the endpoint sorts/filters on: 'flagged' uses newest_created_at, 'reported' uses first_reported_as_phish_at.","enum":["flagged","reported"],"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Handler_typesMessageGroupSIEMSummaryResponse"}}},"description":"OK"}},"summary":"Get SIEM-oriented summary of flagged message groups","tags":["Message Groups"]}},"/v0/message-groups/trash":{"post":{"description":"Trash all messages in multiple groups, including future messages. For an Office 365 message source, each message will be moved to the \"Recoverable Items\" folder. For a Google Workspace message source, the \"Trash\" label will be added to each message.","operationId":"trashMultipleMessageGroups","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/TrashMultipleMessageGroupsInput"}}}},"responses":{"202":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Handler_typesTaskAccepted"}}},"description":"Accepted"}},"summary":"Trash multiple message groups","tags":["Message Groups"]}},"/v0/message-groups/{id}":{"get":{"description":"Retrieve the details of a single message group.","operationId":"getMessageGroup","parameters":[{"description":"Canonical ID of the message group to retrieve","in":"path","name":"id","required":true,"schema":{"description":"Canonical ID of the message group to retrieve","type":"string"}},{"description":"Sort previews with these message IDs at the top","explode":true,"in":"query","name":"sort_previews_message_id__is","schema":{"description":"Sort previews with these message IDs at the top","items":{"type":"string"},"type":"array"},"style":"form"}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Handler_typesMessageGroupV0"}}},"description":"OK"}},"summary":"Get a single message group","tags":["Message Groups"]}},"/v0/message-groups/{id}/dismiss":{"post":{"description":"Dismiss all messages in a group, including future messages.","operationId":"dismissMessageCanonicalGroup","parameters":[{"description":"Canonical ID of the message group to dismiss","in":"path","name":"id","required":true,"schema":{"description":"Canonical ID of the message group to dismiss","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/DismissMessageCanonicalGroupInput"}}}},"responses":{"200":{"description":"OK"}},"summary":"Dismiss message group","tags":["Message Groups"]}},"/v0/message-groups/{id}/quarantine":{"post":{"description":"Quarantine all messages in a group, including future messages.","operationId":"quarantineMessageCanonicalGroup","parameters":[{"description":"Canonical ID of the message group to quarantine","in":"path","name":"id","required":true,"schema":{"description":"Canonical ID of the message group to quarantine","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/QuarantineMessageCanonicalGroupInput"}}}},"responses":{"202":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Handler_typesTaskAccepted"}}},"description":"Accepted"}},"summary":"Quarantine message group","tags":["Message Groups"]}},"/v0/message-groups/{id}/restore":{"post":{"description":"Restore all previously-trashed or quarantined messages in a group and turn off automatic trashing/quarantining of future messages in the group. \"For an Office 365 message source, each message will be put back in the folder it was in before. For a Google Workspace message source, any applied labels (e.g. \"Trash\") will be removed from each message.\"","operationId":"restoreMessageCanonicalGroup","parameters":[{"description":"Canonical ID of the message group to restore","in":"path","name":"id","required":true,"schema":{"description":"Canonical ID of the message group to restore","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/RestoreMessageCanonicalGroupInput"}}}},"responses":{"202":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Handler_typesTaskAccepted"}}},"description":"Accepted"}},"summary":"Restore message group","tags":["Message Groups"]}},"/v0/message-groups/{id}/share-with-sublime":{"post":{"description":"Share a message with the Sublime team","operationId":"shareWithSublimePublic","parameters":[{"description":"Canonical ID of the message group to share","in":"path","name":"id","required":true,"schema":{"description":"Canonical ID of the message group to share","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/ShareWithSublimePublicInput"}}}},"responses":{"202":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Handler_typesTaskAccepted"}}},"description":"Accepted"}},"summary":"Share a message with Sublime","tags":["Message Groups"]}},"/v0/message-groups/{id}/trash":{"post":{"description":"Trash all messages in a group, including future messages. For an Office 365 message source, each message will be moved to the \"Recoverable Items\" folder. For a Google Workspace message source, the \"Trash\" label will be added to each message.","operationId":"trashMessageCanonicalGroup","parameters":[{"description":"Canonical ID of the message group to trash","in":"path","name":"id","required":true,"schema":{"description":"Canonical ID of the message group to trash","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/TrashMessageCanonicalGroupInput"}}}},"responses":{"202":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Handler_typesTaskAccepted"}}},"description":"Accepted"}},"summary":"Trash message group","tags":["Message Groups"]}},"/v0/messages/analyze":{"post":{"description":"Analyze a raw message with provided rules and/or active rules in your Sublime organization. Note: All messages will be treated as inbound.","operationId":"analyzeMessage","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/AnalyzeMessageInput"}}}},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Handler_typesAnalyzeRawMessageResponse"}}},"description":"OK"}},"summary":"Analyze a raw message","tags":["Messages"]}},"/v0/messages/attachment/image":{"post":{"description":"Render image for attachment from the raw base64 encoded bytes","operationId":"getMessageAttachmentImageRaw","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/GetMessageAttachmentImageRawInput"}}}},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Handler_typesAttachmentImageContent"}}},"description":"OK"}},"summary":"Render image for attachment from the raw base64 encoded bytes","tags":["Messages"]}},"/v0/messages/attack_score":{"post":{"description":"Evaluate attack score for a raw message","operationId":"attackScoreForRawMessage","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/AttackScoreForRawMessageInput"}}}},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/HandlersAttackScoreResponse"}}},"description":"OK"}},"summary":"Evaluate attack score for a raw message","tags":["Messages"]}},"/v0/messages/bombs":{"get":{"description":"List email bombs","operationId":"listEmailBombs","parameters":[{"description":"Filter by active status. true = only active, false = only inactive, null = all","in":"query","name":"active","schema":{"description":"Filter by active status. true = only active, false = only inactive, null = all","nullable":true,"type":"boolean"}},{"description":"Filter by dismissed status. true = only dismissed, false = only not dismissed, null = all","in":"query","name":"dismissed","schema":{"description":"Filter by dismissed status. true = only dismissed, false = only not dismissed, null = all","nullable":true,"type":"boolean"}},{"description":"The maximum number of email bombs to return","in":"query","name":"limit","schema":{"description":"The maximum number of email bombs to return","format":"int32","maximum":500,"nullable":true,"type":"integer"}},{"description":"The (zero-based) offset of the email bombs to return","in":"query","name":"offset","schema":{"description":"The (zero-based) offset of the email bombs to return","format":"int32","nullable":true,"type":"integer"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/HandlersV0ListEmailBombsResponse"}}},"description":"OK"}},"summary":"List email bombs","tags":["Email Bombs"]},"post":{"description":"Mark a mailbox time range as an email bomb. A new bomb is created if no existing bomb covers the range; otherwise the existing bomb is extended. Messages within the range are associated asynchronously.","operationId":"createEmailBomb","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/CreateEmailBombInput"}}}},"responses":{"202":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/HandlersV0CreateEmailBombResponse"}}},"description":"Accepted"}},"summary":"Create email bomb","tags":["Email Bombs"]}},"/v0/messages/bombs/{id}":{"get":{"description":"Get email bomb","operationId":"getEmailBomb","parameters":[{"description":"ID of the email bomb","in":"path","name":"id","required":true,"schema":{"description":"ID of the email bomb","type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/HandlersV0GetEmailBombResponse"}}},"description":"OK"}},"summary":"Get email bomb","tags":["Email Bombs"]}},"/v0/messages/bombs/{id}/dismiss":{"post":{"description":"Dismiss an email bomb, marking it as reviewed by the user","operationId":"dismissEmailBomb","parameters":[{"description":"ID of the email bomb to dismiss","in":"path","name":"id","required":true,"schema":{"description":"ID of the email bomb to dismiss","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/DismissEmailBombInput"}}}},"responses":{"200":{"description":"OK"}},"summary":"Dismiss email bomb","tags":["Email Bombs"]}},"/v0/messages/create":{"post":{"description":"Create a new message data model from a raw message","operationId":"createMessage","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/CreateMessageInput"}}}},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/HandlersMessage"}}},"description":"OK"}},"summary":"Create message","tags":["Messages"]}},"/v0/messages/groups/{id}/action-state":{"get":{"description":"Retrieve details about the state of manual actions for a canonical group","operationId":"getMessageCanonicalGroupActionState","parameters":[{"in":"path","name":"id","required":true,"schema":{"type":"string"}},{"description":"Only return action states created after this time","in":"query","name":"created_at__gte","schema":{"description":"Only return action states created after this time","format":"date-time","nullable":true,"type":"string"}},{"description":"The maximum number of action states to return. If the value exceeds the maximum, then the maximum value will be used.","in":"query","name":"limit","schema":{"default":10,"description":"The maximum number of action states to return. If the value exceeds the maximum, then the maximum value will be used.","format":"int32","maximum":50,"type":"integer"}},{"description":"The (zero-based) offset of the action states to return","in":"query","name":"offset","schema":{"default":0,"description":"The (zero-based) offset of the action states to return","format":"int32","type":"integer"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/HandlersGetMessageCanonicalGroupTasksResponse"}}},"description":"OK"}},"summary":"Retrieve details about the state of manual actions for a canonical group","tags":["Messages"]}},"/v0/messages/{id}":{"get":{"description":"Retrieve a message","operationId":"getMessage","parameters":[{"in":"path","name":"id","required":true,"schema":{"format":"uuid","type":"string"}},{"description":"When true, recompute the MDM from the raw EML. For internal use only!","in":"query","name":"recompute_mdm_from_raw","schema":{"description":"When true, recompute the MDM from the raw EML. For internal use only!","nullable":true,"type":"boolean"}},{"description":"When true, any text field over 1MB will be cleared before returning","in":"query","name":"remove_large_text_fields","schema":{"description":"When true, any text field over 1MB will be cleared before returning","nullable":true,"type":"boolean"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Handler_typesMessage"}}},"description":"OK"}},"summary":"Retrieve message","tags":["Messages"]}},"/v0/messages/{id}/actions":{"post":{"description":"Perform actions (trash, restore, quarantine, warning banner, move to spam) on an individual message","operationId":"actionMessage","parameters":[{"description":"ID of the message to act on","in":"path","name":"id","required":true,"schema":{"description":"ID of the message to act on","format":"uuid","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/ActionMessageInput"}}}},"responses":{"202":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Handler_typesTaskAccepted"}}},"description":"Accepted"}},"summary":"Perform actions on an individual message","tags":["Messages"]}},"/v0/messages/{id}/analyze":{"post":{"description":"Analyze a message by ID with provided rules and/or active rules in your Sublime organization","operationId":"analyzeMessageByID","parameters":[{"description":"The ID of the message","in":"path","name":"id","required":true,"schema":{"description":"The ID of the message","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/AnalyzeMessageByIDInput"}}}},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Handler_typesAnalyzeRawMessageResponse"}}},"description":"OK"}},"summary":"Analyze a message by ID","tags":["Messages"]}},"/v0/messages/{id}/asa_report":{"get":{"description":"Retrieve ASA report for a message","operationId":"retrieveASAReport","parameters":[{"description":"Message ID","in":"path","name":"id","required":true,"schema":{"description":"Message ID","format":"uuid","type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/HandlersAsaReportResponseV0"}}},"description":"OK"}},"summary":"Retrieve ASA report for a message","tags":["Messages"]}},"/v0/messages/{id}/asa_verdict":{"get":{"description":"Retrieve ASA verdict for a message","operationId":"retrieveASAVerdict","parameters":[{"description":"Message ID","in":"path","name":"id","required":true,"schema":{"description":"Message ID","format":"uuid","type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/HandlersAsaVerdictResponseV0"}}},"description":"OK"}},"summary":"Retrieve ASA verdict for a message","tags":["Messages"]}},"/v0/messages/{id}/attachment/{hash}/image":{"get":{"description":"Retrieve image of PDF attachment by md5 hash","operationId":"getMessageAttachmentImage","parameters":[{"description":"MD5 hash of the attachment to retrieve","in":"path","name":"hash","required":true,"schema":{"description":"MD5 hash of the attachment to retrieve","type":"string"}},{"description":"Sublime Message ID","in":"path","name":"id","required":true,"schema":{"description":"Sublime Message ID","format":"uuid","type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Handler_typesAttachmentImageContent"}}},"description":"OK"}},"summary":"Retrieve image of PDF attachment by md5 hash","tags":["Messages"]}},"/v0/messages/{id}/attack_score":{"get":{"description":"Evaluate attack score against an existing message","operationId":"attackScoreForMessage","parameters":[{"description":"Message ID","in":"path","name":"id","required":true,"schema":{"description":"Message ID","format":"uuid","type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/HandlersAttackScoreResponse"}}},"description":"OK"}},"summary":"Evaluate attack score against an existing message","tags":["Messages"]}},"/v0/messages/{id}/eml":{"get":{"description":"Retrieve the raw EML for the message","operationId":"getMessageEML","parameters":[{"in":"path","name":"id","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"OK"}},"summary":"Retrieve raw EML","tags":["Messages"]}},"/v0/messages/{id}/image":{"get":{"description":"Retrieve an image of the message","operationId":"getMessageImage","parameters":[{"in":"path","name":"id","required":true,"schema":{"format":"uuid","type":"string"}},{"description":"When true, recompute the MDM from the raw EML. For internal use only!","in":"query","name":"recompute_mdm_from_raw","schema":{"description":"When true, recompute the MDM from the raw EML. For internal use only!","nullable":true,"type":"boolean"}},{"description":"When true, any text field over 1MB will be cleared before returning","in":"query","name":"remove_large_text_fields","schema":{"description":"When true, any text field over 1MB will be cleared before returning","nullable":true,"type":"boolean"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Handler_typesMessageImage"}}},"description":"OK"}},"summary":"Retrieve image of message","tags":["Messages"]}},"/v0/messages/{id}/image_link":{"get":{"description":"Retrieve a temporary link to the image of the message","operationId":"getMessageImageLink","parameters":[{"in":"path","name":"id","required":true,"schema":{"format":"uuid","type":"string"}},{"description":"Period link should be valid for. Default is 15 minutes, max 7 days.","in":"query","name":"link_duration_seconds","schema":{"description":"Period link should be valid for. Default is 15 minutes, max 7 days.","format":"int32","maximum":604800,"nullable":true,"type":"integer"}},{"allowEmptyValue":true,"description":"When true, link will always be presigned against Sublime. When false, the link may be to S3 directly.","in":"query","name":"platform_link","schema":{"description":"When true, link will always be presigned against Sublime. When false, the link may be to S3 directly.","type":"boolean"}},{"description":"When true, recompute the MDM from the raw EML. For internal use only!","in":"query","name":"recompute_mdm_from_raw","schema":{"description":"When true, recompute the MDM from the raw EML. For internal use only!","nullable":true,"type":"boolean"}},{"description":"When true, any text field over 1MB will be cleared before returning","in":"query","name":"remove_large_text_fields","schema":{"description":"When true, any text field over 1MB will be cleared before returning","nullable":true,"type":"boolean"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Handler_typesMessageImageLink"}}},"description":"OK"}},"summary":"Retrieve a temporary link to the image of message","tags":["Messages"]}},"/v0/messages/{id}/justification":{"post":{"description":"Set message contents access justification for a message for the user associated with the API key being used","operationId":"SetMessageAccessJustification","parameters":[{"in":"path","name":"id","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SetMessageAccessJustificationInput"}}}},"responses":{"200":{"description":"OK"}},"summary":"Set access justification","tags":["Messages"]}},"/v0/messages/{id}/message_data_model":{"get":{"description":"Retrieve the message's Message Data Model. If there is no justification, it will be redacted.","operationId":"getMessageDataModel","parameters":[{"in":"path","name":"id","required":true,"schema":{"format":"uuid","type":"string"}},{"description":"When true, recompute the MDM from the raw EML. For internal use only!","in":"query","name":"recompute_mdm_from_raw","schema":{"description":"When true, recompute the MDM from the raw EML. For internal use only!","nullable":true,"type":"boolean"}},{"description":"When true, any text field over 1MB will be cleared before returning","in":"query","name":"remove_large_text_fields","schema":{"description":"When true, any text field over 1MB will be cleared before returning","nullable":true,"type":"boolean"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Mdm_serviceMessageDataModel"}}},"description":"OK"}},"summary":"Retrieve the message's Message Data Model","tags":["Messages"]}},"/v0/messages/{id}/restore":{"post":{"description":"Restore a previously-trashed message. \"For an Office 365 message source, the message will be put back in the folder it was in before. For a Google Workspace message source, any applied labels (e.g. \"Trash\") will be removed from the message.\"","operationId":"restoreMessage","parameters":[{"description":"ID of the message to restore","in":"path","name":"id","required":true,"schema":{"description":"ID of the message to restore","format":"uuid","type":"string"}}],"responses":{"202":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Handler_typesTaskAccepted"}}},"description":"Accepted"}},"summary":"Restore a previously-trashed message","tags":["Messages"]}},"/v0/messages/{id}/trash":{"post":{"description":"Trash a message. For an Office 365 message source, the message will be moved to the \"Recoverable Items\" folder. For a Google Workspace message source, the \"Trash\" label will be added to the message.","operationId":"trashMessage","parameters":[{"description":"ID of the message to trash","in":"path","name":"id","required":true,"schema":{"description":"ID of the message to trash","format":"uuid","type":"string"}}],"responses":{"202":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Handler_typesTaskAccepted"}}},"description":"Accepted"}},"summary":"Trash message","tags":["Messages"]}},"/v0/roles/assign":{"put":{"description":"Assign a role to a user within the organization","operationId":"assignRoleToUser","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/AssignRoleToUserInput"}}}},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/HandlersAssignRoleToUserResponse"}}},"description":"OK"}},"summary":"Assign role to user","tags":["Roles"]}},"/v0/rules":{"get":{"description":"List rules","operationId":"listRules","parameters":[{"description":"Restrict to rules that are explicitly in or not in a feed","in":"query","name":"in_feed","schema":{"description":"Restrict to rules that are explicitly in or not in a feed","nullable":true,"type":"boolean"}},{"description":"The maximum number of entries to return. Maximum value is 500.","in":"query","name":"limit","schema":{"default":50,"description":"The maximum number of entries to return. Maximum value is 500.","format":"int32","maximum":500,"type":"integer"}},{"description":"The (zero-based) offset of the first rule to return","in":"query","name":"offset","schema":{"default":0,"description":"The (zero-based) offset of the first rule to return","format":"int32","type":"integer"}},{"description":"Search for matching case-insensitive substring across rule name, description, and MQL source","in":"query","name":"search","schema":{"description":"Search for matching case-insensitive substring across rule name, description, and MQL source","nullable":true,"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Handler_typesListRulesResponse"}}},"description":"OK"}},"summary":"List rules","tags":["Rules"]},"post":{"description":"Create a rule","operationId":"createRule","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/CreateRuleInput"}}}},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/TypesAPIRule"}}},"description":"OK"}},"summary":"Create rule","tags":["Rules"]}},"/v0/rules/rule-history":{"get":{"description":"List history for rules","operationId":"listRuleHistory","parameters":[{"description":"Restrict to rules that are active","in":"query","name":"active","schema":{"description":"Restrict to rules that are active","nullable":true,"type":"boolean"}},{"description":"Filter by classifications made after this datetime","in":"query","name":"classification_created_at[gte]","required":true,"schema":{"description":"Filter by classifications made after this datetime","format":"date-time","nullable":true,"type":"string"}},{"description":"Filter by classifications made before this datetime","in":"query","name":"classification_created_at[lte]","required":true,"schema":{"description":"Filter by classifications made before this datetime","format":"date-time","nullable":true,"type":"string"}},{"description":"Number of results to return","in":"query","name":"count","schema":{"description":"Number of results to return","format":"int32","nullable":true,"type":"integer"}},{"description":"Restrict to rules that are in a feed","in":"query","name":"in_feed","schema":{"description":"Restrict to rules that are in a feed","nullable":true,"type":"boolean"}},{"description":"Offset from the first result","in":"query","name":"offset","schema":{"description":"Offset from the first result","format":"int32","nullable":true,"type":"integer"}},{"description":"Restrict to rules that have one of the given types","explode":true,"in":"query","name":"type","schema":{"description":"Restrict to rules that have one of the given types","items":{"enum":["detection","triage","dlp"],"type":"string"},"type":"array"},"style":"form"}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Handler_typesListRuleHistoryResponse"}}},"description":"OK"}},"summary":"List history for rules","tags":["Rules"]}},"/v0/rules/validate":{"post":{"description":"Validate a rule (MQL, YAML fields, etc). When run against the sandbox or analyzer, no auth is needed but custom lists etc will not be available.","operationId":"validateRule","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/ValidateRuleInput"}}}},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Handler_typesValidateRuleResponse"}}},"description":"OK"}},"summary":"Validate rule","tags":["Rules"]}},"/v0/rules/{id}":{"delete":{"description":"Delete a rule","operationId":"deleteRule","parameters":[{"description":"Rule ID","in":"path","name":"id","required":true,"schema":{"description":"Rule ID","format":"uuid","type":"string"}}],"responses":{"200":{"description":"OK"}},"summary":"Delete rule","tags":["Rules"]},"get":{"description":"Retrieve a rule","operationId":"getRule","parameters":[{"description":"Rule ID","in":"path","name":"id","required":true,"schema":{"description":"Rule ID","format":"uuid","type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/TypesAPIRule"}}},"description":"OK"}},"summary":"Retrieve rule","tags":["Rules"]},"put":{"description":"Update a rule to a new definition","operationId":"updateRule","parameters":[{"description":"Rule ID","in":"path","name":"id","required":true,"schema":{"description":"Rule ID","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/UpdateRuleInput"}}}},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/TypesAPIRule"}}},"description":"OK"}},"summary":"Update rule","tags":["Rules"]}},"/v0/rules/{id}/activate":{"post":{"description":"Activate a rule","operationId":"activateRule","parameters":[{"description":"Rule ID","in":"path","name":"id","required":true,"schema":{"description":"Rule ID","format":"uuid","type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/TypesAPIRule"}}},"description":"OK"}},"summary":"Activate rule","tags":["Rules"]}},"/v0/rules/{id}/deactivate":{"post":{"description":"Deactivate a rule","operationId":"deactivateRule","parameters":[{"description":"Rule ID","in":"path","name":"id","required":true,"schema":{"description":"Rule ID","format":"uuid","type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/TypesAPIRule"}}},"description":"OK"}},"summary":"Deactivate rule","tags":["Rules"]}},"/v0/rules/{id}/rule-history":{"get":{"description":"Retrieve history of a rule","operationId":"getRuleHistory","parameters":[{"description":"Rule ID","in":"path","name":"id","required":true,"schema":{"description":"Rule ID","format":"uuid","type":"string"}},{"description":"Filter by classifications made after this datetime","in":"query","name":"classification_created_at[gte]","schema":{"description":"Filter by classifications made after this datetime","format":"date-time","nullable":true,"type":"string"}},{"description":"Filter by classifications made before this datetime","in":"query","name":"classification_created_at[lte]","schema":{"description":"Filter by classifications made before this datetime","format":"date-time","nullable":true,"type":"string"}},{"description":"Filter by classifications made since the rule has been updated","in":"query","name":"use_rule_last_updated_as_created_at","schema":{"description":"Filter by classifications made since the rule has been updated","nullable":true,"type":"boolean"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Handler_typesRuleHistoryResponse"}}},"description":"OK"}},"summary":"Retrieve history of a rule","tags":["Rules"]}},"/v0/scim/ResourceTypes":{"get":{"description":"List SCIM resource types","operationId":"listSCIMResourceTypes","responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Handler_typesListSCIMResourceTypesResponse"}}},"description":"OK"}},"summary":"List SCIM resource types","tags":["SCIM"]}},"/v0/scim/ResourceTypes/{id}":{"get":{"description":"Get SCIM resource type","operationId":"getSCIMResourceType","parameters":[{"description":"ID of the resource type","in":"path","name":"id","required":true,"schema":{"description":"ID of the resource type","type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Handler_typesSCIMResourceType"}}},"description":"OK"}},"summary":"Get SCIM resource type","tags":["SCIM"]}},"/v0/scim/Schemas":{"get":{"description":"List SCIM schemas","operationId":"listSCIMSchemas","responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Handler_typesListSCIMSchemasResponse"}}},"description":"OK"}},"summary":"List SCIM schemas","tags":["SCIM"]}},"/v0/scim/Schemas/{id}":{"get":{"description":"Get SCIM schema","operationId":"getSCIMSchema","parameters":[{"description":"Schema ID","in":"path","name":"id","required":true,"schema":{"description":"Schema ID","type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Handler_typesSCIMSchema"}}},"description":"OK"}},"summary":"Get SCIM schema","tags":["SCIM"]}},"/v0/scim/ServiceProviderConfig":{"get":{"description":"Get SCIM service provider configuration","operationId":"getSCIMServiceProviderConfig","responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Handler_typesSCIMServiceProviderConfig"}}},"description":"OK"}},"summary":"Get SCIM service provider configuration","tags":["SCIM"]}},"/v0/scim/Users":{"get":{"description":"List SCIM users","operationId":"listSCIMUsers","parameters":[{"description":"Maximum number of results","in":"query","name":"count","schema":{"default":100,"description":"Maximum number of results","format":"int32","maximum":1000,"minimum":1,"type":"integer"}},{"description":"Optional filter like 'userName eq \"bob@example.com\"'","in":"query","name":"filter","schema":{"description":"Optional filter like 'userName eq \"bob@example.com\"'","type":"string"}},{"description":"1-indexed starting index","in":"query","name":"startIndex","schema":{"default":1,"description":"1-indexed starting index","format":"int32","minimum":1,"type":"integer"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Handler_typesListSCIMUsersResponse"}}},"description":"OK"}},"summary":"List SCIM users","tags":["SCIM"]},"post":{"description":"Create SCIM user","operationId":"createSCIMUser","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/CreateSCIMUserInput"}}}},"responses":{"201":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Handler_typesSCIMUser"}}},"description":"Created"}},"summary":"Create SCIM user","tags":["SCIM"]}},"/v0/scim/Users/{id}":{"delete":{"description":"Delete SCIM user","operationId":"deleteSCIMUser","parameters":[{"description":"Sublime ID of the user","in":"path","name":"id","required":true,"schema":{"description":"Sublime ID of the user","type":"string"}}],"responses":{"204":{"description":"No Content"}},"summary":"Delete SCIM user","tags":["SCIM"]},"get":{"description":"Get SCIM user","operationId":"getSCIMUser","parameters":[{"description":"Sublime ID of the user","in":"path","name":"id","required":true,"schema":{"description":"Sublime ID of the user","type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Handler_typesSCIMUser"}}},"description":"OK"}},"summary":"Get SCIM user","tags":["SCIM"]},"patch":{"description":"Patch SCIM user","operationId":"patchSCIMUser","parameters":[{"description":"Sublime ID of the user","in":"path","name":"id","required":true,"schema":{"description":"Sublime ID of the user","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/PatchSCIMUserInput"}}}},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Handler_typesSCIMUser"}}},"description":"OK"}},"summary":"Patch SCIM user","tags":["SCIM"]},"put":{"description":"Update SCIM user","operationId":"updateSCIMUser","parameters":[{"description":"Sublime ID of the user","in":"path","name":"id","required":true,"schema":{"description":"Sublime ID of the user","type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/UpdateSCIMUserInput"}}}},"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Handler_typesSCIMUser"}}},"description":"OK"}},"summary":"Update SCIM user","tags":["SCIM"]}},"/v0/scim/validate_auth":{"get":{"description":"Validate SCIM specific auth","operationId":"validateSCIMAuth","responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/HandlersScimEchoResp"}}},"description":"OK"}},"summary":"Validate SCIM specific auth","tags":["SCIM"]}},"/v0/tasks/{id}":{"get":{"description":"Retrieve a task","operationId":"getTask","parameters":[{"description":"Task ID","in":"path","name":"id","required":true,"schema":{"description":"Task ID","format":"uuid","type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Handler_typesGetTaskResponse"}}},"description":"OK"}},"summary":"Retrieve task","tags":["Tasks"]}},"/v0/user-reports":{"get":{"description":"List user reports","operationId":"listUserReports","parameters":[{"description":"The maximum number of message groups to return. If the value exceeds the maximum, then the maximum value will be used.","in":"query","name":"limit","schema":{"description":"The maximum number of message groups to return. If the value exceeds the maximum, then the maximum value will be used.","format":"int32","maximum":500,"nullable":true,"type":"integer"}},{"description":"Inclusive start datetime filter for time of report, in UTC using the ISO 8601 format (e.g., '2021-03-14T15:09:26Z'). Only reports at or after this time will be returned.","in":"query","name":"reported_at[gte]","schema":{"description":"Inclusive start datetime filter for time of report, in UTC using the ISO 8601 format (e.g., '2021-03-14T15:09:26Z'). Only reports at or after this time will be returned.","format":"date-time","nullable":true,"type":"string"}},{"description":"Exclusive end datetime filter for time of report, in UTC using the ISO 8601 format (e.g., '2021-03-14T15:09:26Z'). Only reports before this time will be returned.","in":"query","name":"reported_at[lt]","schema":{"description":"Exclusive end datetime filter for time of report, in UTC using the ISO 8601 format (e.g., '2021-03-14T15:09:26Z'). Only reports before this time will be returned.","format":"date-time","nullable":true,"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Handler_typesListUserReportsResponse"}}},"description":"OK"}},"summary":"List user reports","tags":["User Reports"]}}},"security":[{"bearerAuth":[]}],"servers":[{"url":"{scheme}://{server}","variables":{"scheme":{"default":"https","enum":["http","https"]},"server":{"default":"platform.sublime.security","description":"Base URL of your Sublime deployment"}}}],"tags":[{"name":"API Credentials"},{"name":"API Keys"},{"name":"Actions"},{"name":"Ade"},{"name":"Admin authorization request"},{"name":"Analyze"},{"name":"Asa"},{"name":"Audit Log"},{"name":"Authentication"},{"name":"Backtest Jobs"},{"name":"BinExplode"},{"name":"Create"},{"name":"Crowdstrike Sandbox"},{"name":"DLP Export"},{"name":"DLP Stats"},{"name":"DLP alerts"},{"name":"DSL functions"},{"name":"Debug"},{"name":"Demo"},{"name":"Dev config"},{"name":"Dev webhooks"},{"name":"Email Bombs"},{"name":"Enrichment"},{"name":"Error Logs"},{"name":"Events"},{"name":"Events in the audit log"},{"name":"Exclusions"},{"name":"Export"},{"name":"External API Keys"},{"name":"Flags"},{"name":"Get"},{"name":"Google"},{"name":"Historical ingestion"},{"name":"Hunt Jobs"},{"name":"Inline alerts"},{"name":"Inline processing"},{"name":"Link clicks"},{"name":"Lists"},{"name":"Live flow"},{"name":"Logo Image"},{"name":"Mailboxes"},{"name":"Marketplace"},{"name":"Message Groups"},{"name":"Message Sources"},{"name":"Messages"},{"name":"Microsoft"},{"name":"Modify"},{"name":"OAuth"},{"name":"Organizations"},{"name":"Phishing Simulations"},{"name":"Phishing Simulations (Beta)"},{"name":"Platform setup"},{"name":"Quarantine Digest"},{"name":"Roles"},{"name":"Rule feeds"},{"name":"Rules"},{"name":"SCIM"},{"name":"Stats"},{"name":"Tasks"},{"name":"User Reports"},{"name":"User groups"},{"name":"Users"},{"name":"Vendor Domains"},{"name":"Vendors"},{"name":"Web socket handlers"},{"name":"provider org units (OUs)"},{"name":"roles"}],"x-readme":{"explorer-enabled":false}}