tie_attacks
List Indicator of Attack (IoA) instances for a resource within a security profile. Filter by attack type, date range, or search to identify and investigate threats.
Instructions
List IoA attack instances for a resource within a profile.
The TIE API requires scoping attacks to a resource. For example, to see attacks against directory id 8: resource_type="directory", resource_value="8".
Args: resource_type: What resource_value refers to — infrastructure, directory, hostname, or ip. resource_value: The id (for infrastructure/directory) or name/ip value to scope to. profile_id: Security profile id (default 1). attack_type_ids: Optional list of attack type ids to filter (e.g. DCSync, Kerberoasting). date_start: Optional ISO 8601 start of date range. date_end: Optional ISO 8601 end of date range. include_closed: Include closed attacks (default False). limit: Max results (default 50). order: Sort order by date, "desc" (newest first) or "asc". search: Optional free-text search filter.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| limit | No | ||
| order | No | desc | |
| search | No | ||
| date_end | No | ||
| date_start | No | ||
| profile_id | No | ||
| resource_type | Yes | ||
| include_closed | No | ||
| resource_value | Yes | ||
| attack_type_ids | No |