Get Ticket
Retrieves the details of the specified ticket, including its detection rule, MITRE ATT&CK mapping, assignees, approvers, attachments and comments.
Required Permissions
Requires the MEMBER role or higher.
HTTP Request
GET /api/sonar/tickets/:guid
cURL Example
curl -H "Authorization: Bearer <API_KEY>" \
https://HOSTNAME/api/sonar/tickets/49272877-75f2-4c2f-9301-d21c4f9a106d
Request Parameter
| Key | Required | Type | Description | Note |
|---|---|---|---|---|
| guid | O | String | Ticket GUID | 36 characters |
Success Response
{
"ticket": {
"id": 2,
"repo_guid": "5f0ba741-7551-400d-8bd6-1f14a6e8536d",
"repo_name": "Threat",
"guid": "49272877-75f2-4c2f-9301-d21c4f9a106d",
"title": "Attempt to collect web server settings: 20.0.31.172",
"priority": "LOW",
"status": "APPROVED",
"format": "JSON",
"rule_guid": "ad4b9871-d5f0-4a8b-a341-8ac0afcdcddf",
"rule_type": "STREAM",
"rule_name": "Attempt to collect web server settings",
"count": 7,
"content": "{\"first_seen\":\"2022-09-14 17:34:19+0900\",\"last_seen\":\"2022-09-14 23:55:29+0900\",\"priority\":\"LOW\",\"rule_type\":\"STREAM\",\"rule_id\":27,\"src_ip\":\"20.0.31.172\",\"src_port\":null,\"dst_ip\":null,\"dst_port\":null,\"protocol\":null,\"action\":null,\"count\":1,\"msg\":\"Attempt to collect web server settings: 20.0.31.172\",\"user\":null,\"host_ip\":null,\"mail_from\":null,\"mail_to\":null,\"mail_cc\":null,\"logger_id\":28,\"logger_name\":\"ko.logpresso.com \",\"field_order\":\"_time, src_ip, src_port, dst_ip, dst_port, status, method, path, query, user_agent\",\"url\":null,\"md5\":null,\"src_asn\":\"AS8075 Microsoft Corporation\",\"src_country\":\"US\",\"src_city\":null,\"src_lat\":37.750999450683594,\"src_lng\":-97.8219985961914}",
"risk_score": 75,
"mitre_techniques": [
{
"mitre_id": "T1190",
"name": "Exploit Public-Facing Application",
"display_name": "Initial Access: Exploit Public-Facing Application",
"url": "https://attack.mitre.org/techniques/T1190/",
"tactics": [
{
"mitre_id": "TA0001",
"name": "Initial Access"
}
]
}
],
"attack": true,
"incident": false,
"assignees": [
{
"company_guid": "6fbe27b7-f1ae-4d7a-a1a5-76d8fa9aa311",
"company_name": "Logpresso",
"user_guid": "bfd00bb0-be99-4fd5-8380-166f544975fa",
"user_name": "Joshua",
"task_type": "ASSIGNEE",
"task_status": "CLOSED",
"x_login": null,
"x_user": null,
"x_dept": null
}
],
"approvers": [
{
"company_guid": "6fbe27b7-f1ae-4d7a-a1a5-76d8fa9aa311",
"company_name": "Logpresso",
"user_guid": "ffaf431b-653a-4329-8f83-913cbb00342d",
"user_name": "Jerry",
"task_type": "APPROVER",
"task_status": "APPROVED",
"x_login": null,
"x_user": null,
"x_dept": null
}
],
"attachments": [
{
"guid": "d4390b7a-7d64-4a24-bd3e-af74b4f3c204",
"user_guid": "ffaf431b-653a-4329-8f83-913cbb00342d",
"ticket_guid": "49272877-75f2-4c2f-9301-d21c4f9a106d",
"file_name": "3bc31b3d-bc25-4be5-8dae-d3cb1831da02.png",
"file_size": 124118
}
],
"created": "2022-09-14 17:34:19+0900",
"updated": "2022-09-14 23:55:29+0900",
"closed": null,
"x_login": null,
"x_user": null,
"x_dept": null,
"comments": [
{
"guid": "b66a31b5-db94-478b-8751-194b5ee5f358",
"user_guid": "ffaf431b-653a-4329-8f83-913cbb00342d",
"user_name": "Joshua",
"type": "TEXT",
"format": "MARKDOWN",
"content": "* Blocked the IP address in firewall.",
"created": "2022-09-14 23:57:34+0900",
"updated": "2022-09-14 23:57:34+0900",
"x_login": null,
"x_user": null,
"x_dept": null
}
]
}
}
- (Map) ticket
  - id (32-bit integer): Ticket ID
  - repo_guid (String): Ticket type GUID
  - repo_name (String): Ticket type name
  - site_guid (String): Site GUID
  - site_name (String): Site name
  - guid (String): Ticket GUID
  - title (String): Ticket title
  - priority (String): Ticket priority. One of HIGH, MEDIUM, LOW.
  - status (String): Ticket status. One of NEW, ASSIGNED, IN_PROGRESS, SUBMITTED, APPROVED, REJECTED, CLOSED.
  - format (String): Ticket format. One of JSON, MARKDOWN, PLAIN. Threat detection tickets use the JSON format.
  - rule_guid (String): Detection rule GUID
  - rule_type (String): Detection rule type. STREAM or BATCH.
  - rule_name (String): Detection rule name
  - count (32-bit integer): Number of merged duplicate tickets
  - content (String): Ticket data. For threat detection tickets the event fields are written as a JSON document serialized into this string (see the escaped quotes in the example above), so a client has to decode the string a second time to reach fields such as src_ip.
  - risk_score (32-bit integer): Risk score configured in the detection rule. Can be null.
  - mitre_techniques (Array): List of associated MITRE ATT&CK techniques. Not included if no techniques are mapped to the detection rule.
    - mitre_id (String): MITRE ATT&CK technique ID
    - name (String): Technique name
    - display_name (String): Display name including the tactic name
    - url (String): MITRE ATT&CK official documentation URL
    - tactics (Array): List of associated tactics
      - mitre_id (String): MITRE ATT&CK tactic ID
      - name (String): Tactic name
  - attack (Boolean): Whether the detection was a true positive, recorded after analysis. true if the analyst confirmed the detection as a real attack.
  - incident (Boolean): Whether an incident occurred, recorded after analysis. true if the incident requires an immediate response, such as an endpoint infection.
  - assignees (Array): Ticket assignee list
    - company_guid (String): Company (tenant) GUID
    - company_name (String): Company (tenant) name
    - user_guid (String): Assignee GUID
    - user_name (String): Assignee name
    - task_type (String): Always ASSIGNEE
    - task_status (String): ASSIGNED, IN_PROGRESS or CLOSED
    - x_login (String): Login user name, recorded when the assignee account is deleted
    - x_user (String): User name, recorded when the assignee account is deleted
    - x_dept (String): Department name, recorded when the assignee account is deleted
  - approvers (Array): Ticket approver list
    - company_guid (String): Company (tenant) GUID
    - company_name (String): Company (tenant) name
    - user_guid (String): Approver GUID
    - user_name (String): Approver name
    - task_type (String): Always APPROVER
    - task_status (String): ASSIGNED, IN_PROGRESS or CLOSED (the example response above shows an approver with task_status APPROVED)
    - x_login (String): Login user name, recorded when the approver account is deleted
    - x_user (String): User name, recorded when the approver account is deleted
    - x_dept (String): Department name, recorded when the approver account is deleted
  - created (String): Date and time of creation (yyyy-MM-dd HH:mm:ssZ)
  - updated (String): Date and time of last modification (yyyy-MM-dd HH:mm:ssZ)
  - closed (String): Date and time of ticket closing (yyyy-MM-dd HH:mm:ssZ). null if the ticket has not been closed.
  - x_login (String): Login user name, recorded when the ticket author account is deleted
  - x_user (String): User name, recorded when the ticket author account is deleted
  - x_dept (String): Department name, recorded when the ticket author account is deleted
  - x_site (String): Site name, recorded when the site is deleted
  - comments (Array): Ticket comment list
    - guid (String): Ticket comment GUID
    - user_guid (String): Comment author GUID
    - user_name (String): Comment author name
    - type (String): Always TEXT
    - format (String): Markdown (MARKDOWN) or plain text (PLAIN)
    - content (String): Comment content
    - created (String): Date and time of creation (yyyy-MM-dd HH:mm:ssZ)
    - updated (String): Date and time of last modification (yyyy-MM-dd HH:mm:ssZ)
    - x_login (String): Login user name, recorded when the comment author account is deleted
    - x_user (String): User name, recorded when the comment author account is deleted
    - x_dept (String): Department name, recorded when the comment author account is deleted
Error Responses
Ticket is not found
HTTP status code 200. A missing ticket is not signalled by a 404: the request succeeds and the body carries a null ticket, so clients must check the ticket field rather than rely on the status code.
{
"ticket": null
}
Ticket identifier is not in valid GUID format
HTTP status code 400
{
"error_code": "invalid-param-type",
"error_msg": "guid should be guid type."
}
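A small client for this endpoint, added here as an example (it is not Logpresso's own client code). It covers the three response shapes documented on this page: it validates the GUID locally before spending a request, treats the 200 response with a null ticket as "not found", surfaces the 400 error_code, and decodes the JSON-in-a-string content of a threat detection ticket. HOSTNAME and API_KEY are the placeholders from the cURL example, and the sample bodies are constructed from the responses above.

```python
"""Fetch and parse a Sonar ticket via GET /api/sonar/tickets/:guid.

Added example, not Logpresso client code. Assumes only what the page documents:
Bearer API key, URL shape, 200-with-null-ticket on miss, 400 with error_code on a
malformed GUID, and the JSON event serialized into the "content" string.
"""
import json
import re
import urllib.error
import urllib.request
from typing import Optional

# RFC 4122 textual form: 8-4-4-4-12 hex groups, 36 characters in total.
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)


class TicketNotFound(Exception):
    """The API answered HTTP 200 with {"ticket": null}."""


class TicketApiError(Exception):
    """Non-200 answer carrying the documented error_code / error_msg body."""

    def __init__(self, status: int, error_code: str, error_msg: str):
        super().__init__(f"HTTP {status} {error_code}: {error_msg}")
        self.status, self.error_code, self.error_msg = status, error_code, error_msg


def is_valid_guid(guid: str) -> bool:
    """Reject a malformed identifier locally instead of via a 400 round-trip."""
    return bool(GUID_RE.match(guid))


def parse_ticket_response(status: int, body: str) -> dict:
    """Turn raw HTTP status + body into the ticket map, or raise.

    The status code alone is not a success indicator: a miss is 200 + null ticket.
    """
    data = json.loads(body)
    if status == 200:
        ticket = data.get("ticket")
        if ticket is None:
            raise TicketNotFound("no ticket with that GUID")
        return ticket
    raise TicketApiError(status, data.get("error_code", "unknown"), data.get("error_msg", ""))


def ticket_event(ticket: dict) -> Optional[dict]:
    """Decode the event embedded in "content" (JSON-format tickets only)."""
    if ticket.get("format") != "JSON" or not ticket.get("content"):
        return None
    return json.loads(ticket["content"])


def mitre_ids(ticket: dict) -> list:
    """Technique IDs mapped to the rule; "mitre_techniques" may be absent entirely."""
    return [t["mitre_id"] for t in ticket.get("mitre_techniques") or []]


def fetch_ticket(hostname: str, api_key: str, guid: str, timeout: float = 10.0) -> dict:
    """Live call; hostname/api_key are the HOSTNAME/API_KEY placeholders of the page."""
    if not is_valid_guid(guid):
        raise ValueError(f"not a GUID: {guid!r}")
    req = urllib.request.Request(
        f"https://{hostname}/api/sonar/tickets/{guid}",
        headers={"Authorization": f"Bearer {api_key}"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return parse_ticket_response(resp.status, resp.read().decode("utf-8"))
    except urllib.error.HTTPError as e:  # 4xx/5xx bodies carry error_code JSON
        return parse_ticket_response(e.code, e.read().decode("utf-8"))


# Constructed sample bodies, trimmed from the responses shown on this page.
SAMPLE_OK = json.dumps({"ticket": {
    "guid": "49272877-75f2-4c2f-9301-d21c4f9a106d",
    "title": "Attempt to collect web server settings: 20.0.31.172",
    "priority": "LOW", "status": "APPROVED", "format": "JSON",
    "content": json.dumps({"src_ip": "20.0.31.172",
                           "src_asn": "AS8075 Microsoft Corporation", "count": 1}),
    "risk_score": 75,
    "mitre_techniques": [{"mitre_id": "T1190", "name": "Exploit Public-Facing Application"}],
    "attack": True, "incident": False,
}})
SAMPLE_NOT_FOUND = '{"ticket": null}'
SAMPLE_BAD_GUID = '{"error_code": "invalid-param-type", "error_msg": "guid should be guid type."}'

if __name__ == "__main__":
    t = parse_ticket_response(200, SAMPLE_OK)
    print(t["title"], mitre_ids(t), ticket_event(t)["src_ip"])
```

Because the event is double-encoded, anything you feed into downstream tooling (an IP block list, a SIEM enrichment) should come from ticket_event(), not from a regex over the outer JSON string.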