
Threats

Manage threats in the Threat & Asset Management (TAM) module.

Commands


threats list

List threats with optional filtering, searching, and sorting.

mysecutec threats list [flags]

Flags

| Flag | Type | Default | Description |
|---|---|---|---|
| --limit | int | 20 | Maximum number of results |
| --offset | int | 0 | Number of results to skip |
| --search | string | | Search filter |
| --sort | strings | | Sort fields (prefix - for descending) |
| --severity | strings | | Filter by severity |
| --status | strings | | Filter by combined status |
| --system-status | strings | | Filter by system status |
| --user-status | strings | | Filter by user status |
| --module | strings | | Filter by license module |
| --threat-type | strings | | Filter by threat type (e.g., DNM item types) |
| --asset-id | string | | Filter by asset ID |
| --related-to-asset-id | string | | Filter by related asset ID |
| --breach-category | strings | | Filter by breach category |
| --first-seen-from | string | | First seen date range start |
| --first-seen-to | string | | First seen date range end |
| --updated-from | string | | Last updated date range start |
| --updated-to | string | | Last updated date range end |
| --deleted | bool | false | Show deleted threats |

Valid severities: critical, high, medium, low, info

Valid statuses: accepted, false_positive, solved, unsolved

Valid system statuses: false_positive, solved, unsolved

Valid user statuses: accepted, false_positive, solved, unsolved

Valid license modules: asm, dnm, lcm, m365

Valid threat types (DNM): BLACK_MARKET, BOTNET, PII_EXPOSURE, IM_CONTENT, SUSPICIOUS_CONTENT

API

GET /tam/v1/threats/

Query Parameters:

| Parameter | Type | Description |
|---|---|---|
| limit | int | Max results |
| offset | int | Skip results |
| search | string | Search filter |
| sort | string | Sort fields (comma-separated) |
| severity | string | Severity filter (comma-separated) |
| status | string | Status filter (comma-separated) |
| system_status | string | System status filter |
| user_status | string | User status filter |
| license_module | string | License module filter |
| asset_id | string | Asset ID filter |
| related_to_asset_id | string | Related asset ID filter |
| breach_category | string | Breach category filter (comma-separated) |
| first_seen_from | string | Date range start |
| first_seen_to | string | Date range end |
| updated_at_from | string | Updated date range start |
| updated_at_to | string | Updated date range end |
| deleted | bool | Include deleted threats |

Request Example

mysecutec threats list --severity critical,high --module asm --limit 10 --sort -cvss_score

GET /tam/v1/threats/?limit=10&offset=0&severity=critical,high&license_module=asm&sort=-cvss_score
Authorization: Bearer <token>
Accept: application/json

Response

{
  "pagination": {
    "limit": 10,
    "offset": 0,
    "total": 23,
    "unfiltered_total": 150,
    "next": "/tam/v1/threats/?limit=10&offset=10",
    "previous": null
  },
  "threats": [
    {
      "id": "t1234-5678-abcd-ef90",
      "name": "CVE-2024-1234 - Remote Code Execution",
      "description": "A critical RCE vulnerability in the web server...",
      "note": null,
      "external_id": "CVE-2024-1234",
      "cvss_score": 9.8,
      "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "severity": "critical",
      "cvss_category": {
        "code": "critical",
        "label": "Critical"
      },
      "days_to_remediate": 15,
      "risk_priority_score": 95.5,
      "status": "unsolved",
      "system_status": "unsolved",
      "user_status": null,
      "unsolved_annotation_note": null,
      "first_seen_at": "2025-03-01T12:00:00Z",
      "status_updated_at": "2025-03-01T12:00:00Z",
      "created_at": "2025-03-01T12:00:00Z",
      "updated_at": "2025-03-01T12:00:00Z",
      "asset_id": "a1b2c3d4",
      "asset": {
        "id": "a1b2c3d4",
        "name": "example.com",
        "type": "domain"
      },
      "tech_solution": {
        "tech_solution_slug": "asm-scanner",
        "license_module_slug": "asm",
        "source_data": {}
      },
      "data": {}
    }
  ]
}

Model: Threat

| Field | Type | Description |
|---|---|---|
| id | string (UUID) | Threat identifier |
| name | string | Threat name |
| description | string | Full description |
| note | string | User note (nullable) |
| external_id | string | External reference (e.g., CVE ID) |
| cvss_score | float | CVSS score (0-10, nullable) |
| cvss_vector | string | CVSS vector string (nullable) |
| severity | string | Severity level (nullable) |
| cvss_category | CVSSCategory | Severity category object |
| days_to_remediate | int | Days to remediate |
| risk_priority_score | float | Risk priority score |
| status | string | Combined status |
| system_status | string | System-determined status |
| user_status | string | User-set status (nullable) |
| unsolved_annotation_note | string | Annotation note (nullable) |
| first_seen_at | timestamp | First detection time (nullable) |
| status_updated_at | timestamp | Last status change |
| created_at | timestamp | Creation timestamp |
| updated_at | timestamp | Last update timestamp |
| asset_id | string | Associated asset ID |
| asset | AssetMinimal | Minimal asset info |
| tech_solution | ThreatTechSolution | Source tech solution |
| data | map | Arbitrary additional data |

threats get

Retrieve a single threat by ID.

mysecutec threats get <threat_id>

API

GET /tam/v1/threats/{id}

Request Example

mysecutec threats get t1234-5678-abcd-ef90

GET /tam/v1/threats/t1234-5678-abcd-ef90
Authorization: Bearer <token>
Accept: application/json

Response

Returns a single Threat object (same structure as in the list response).


threats update

Update a threat's note, user status, or annotation.

mysecutec threats update <threat_id> [flags]

Flags

| Flag | Type | Description |
|---|---|---|
| --note | string | Threat note |
| --user-status | string | User status |
| --annotation-note | string | Annotation note |

Valid user statuses: unsolved, patched, accepted, rejected

API

PATCH /tam/v1/threats/{id}

Request Example

mysecutec threats update t1234-5678 --user-status accepted --note "Risk accepted per review"

PATCH /tam/v1/threats/t1234-5678
Authorization: Bearer <token>
Content-Type: application/json

{
  "note": "Risk accepted per review",
  "user_status": "accepted"
}

Model: ThreatPatch

| Field | Type | Description |
|---|---|---|
| note | string | Threat note |
| user_status | string | User status |
| unsolved_annotation_note | string | Annotation note |

Response

Returns the updated Threat object.


threats status

Apply a user status (and optional note) to many threats at once via the TAM bulk endpoint. The endpoint uses partial-success semantics: each ID is reported as succeeded or failed individually.

Threat IDs may be passed as positional arguments, repeated --id flags, or piped on stdin (one ID per line) with --stdin. Up to 1000 IDs per request.

This is a mutation: it prompts for confirmation unless --yes is given.

mysecutec threats status [threat_id...] [flags]

Flags

| Flag | Type | Default | Description |
|---|---|---|---|
| --id | strings | | Threat ID (repeatable) |
| --user-status | string | | User status to set (required) |
| --note | string | | Status note (user_status_note) |
| --stdin | bool | false | Read threat IDs from stdin (one per line) |
| -y, --yes | bool | false | Skip the confirmation prompt |

Valid user statuses: unsolved, false_positive, accepted, solved

API

PATCH /tam/v1/threats/status

Request Example

mysecutec threats status <id1> <id2> --user-status accepted --note "Risk accepted"

PATCH /tam/v1/threats/status
Authorization: Bearer <token>
Content-Type: application/json

{
  "threat_ids": ["<id1>", "<id2>"],
  "user_status": "accepted",
  "user_status_note": "Risk accepted"
}

Piping IDs from a list query:

mysecutec threats list --severity low -o json | jq -r '.threats[].id' | \
  mysecutec threats status --stdin --user-status false_positive --yes

Model: ThreatBulkStatusUpdate

| Field | Type | Description |
|---|---|---|
| threat_ids | []string | Threat IDs to update (up to 1000) |
| user_status | string | User status to apply (required) |
| user_status_note | string | Optional status note |

Response

The endpoint returns HTTP 200 with partial-success semantics: per-ID results are split between successful and failed, with an overall summary.

{
  "successful": [
    { "threat_id": "<id1>", "user_status": "accepted" }
  ],
  "failed": [
    { "threat_id": "<id2>", "error_type": "not_found", "error_message": "Threat not found" }
  ],
  "summary": {
    "total_attempted": 2,
    "total_successful": 1,
    "total_failed": 1,
    "success_rate": 0.5
  }
}

Model: ThreatBulkStatusResponse

| Field | Type | Description |
|---|---|---|
| successful | []ThreatBulkStatusItem | Per-ID successes |
| failed | []ThreatBulkStatusFailure | Per-ID failures |
| summary | ThreatBulkStatusSummary | Aggregate counts |

Model: ThreatBulkStatusItem

| Field | Type | Description |
|---|---|---|
| threat_id | string | Threat ID |
| user_status | string | Applied user status |

Model: ThreatBulkStatusFailure

| Field | Type | Description |
|---|---|---|
| threat_id | string | Threat ID |
| error_type | string | Error category |
| error_message | string | Error detail |

Model: ThreatBulkStatusSummary

| Field | Type | Description |
|---|---|---|
| total_attempted | int | Total IDs attempted |
| total_successful | int | Number that succeeded |
| total_failed | int | Number that failed |
| success_rate | float | Fraction that succeeded (0-1) |
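
Because the bulk endpoint answers HTTP 200 even when individual IDs fail, a caller has to reconcile the response against the IDs it sent rather than trust the status code. The following Python code is an added example, not part of the mysecutec CLI or its documentation; the function names `build_bulk_bodies` and `reconcile` are hypothetical, and it assumes only the request and response shapes shown above.

```python
MAX_IDS_PER_REQUEST = 1000  # per-request limit stated on this page
VALID_USER_STATUSES = {"unsolved", "false_positive", "accepted", "solved"}


def build_bulk_bodies(threat_ids, user_status, note=None):
    """Split IDs into ThreatBulkStatusUpdate bodies of at most 1000 IDs each."""
    if user_status not in VALID_USER_STATUSES:
        raise ValueError(f"invalid user_status: {user_status!r}")
    # Drop blank lines and duplicates (typical for piped input), keep order.
    ids = list(dict.fromkeys(i.strip() for i in threat_ids if i.strip()))
    bodies = []
    for start in range(0, len(ids), MAX_IDS_PER_REQUEST):
        body = {"threat_ids": ids[start:start + MAX_IDS_PER_REQUEST],
                "user_status": user_status}
        if note:
            body["user_status_note"] = note
        bodies.append(body)
    return bodies


def reconcile(body, response):
    """Return a list of problems; empty only if every requested ID succeeded."""
    wanted = body["user_status"]
    confirmed = {s["threat_id"] for s in response.get("successful", [])
                 if s.get("user_status") == wanted}
    problems = [f'{f["threat_id"]}: {f["error_type"]} ({f["error_message"]})'
                for f in response.get("failed", [])]
    failed = {f["threat_id"] for f in response.get("failed", [])}
    # An ID in neither list, or confirmed with another status, is also a failure.
    for tid in body["threat_ids"]:
        if tid not in confirmed and tid not in failed:
            problems.append(f"{tid}: not confirmed as {wanted}")
    return problems


# Constructed sample: the request and HTTP 200 response shown on this page.
SAMPLE_BODY = build_bulk_bodies(["<id1>", "<id2>", "<id1>", ""], "accepted",
                                "Risk accepted")[0]
SAMPLE_RESPONSE = {
    "successful": [{"threat_id": "<id1>", "user_status": "accepted"}],
    "failed": [{"threat_id": "<id2>", "error_type": "not_found",
                "error_message": "Threat not found"}],
    "summary": {"total_attempted": 2, "total_successful": 1,
                "total_failed": 1, "success_rate": 0.5},
}

if __name__ == "__main__":
    for problem in reconcile(SAMPLE_BODY, SAMPLE_RESPONSE):
        print("FAILED", problem)
```

A scheduled job built on this should exit non-zero whenever `reconcile` returns anything, so that a partially applied suppression does not pass unnoticed.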

threats logs

View audit logs for a specific threat.

mysecutec threats logs <threat_id> [flags]

Flags

| Flag | Type | Default | Description |
|---|---|---|---|
| --limit | int | 20 | Maximum number of results |
| --offset | int | 0 | Number of results to skip |
| --include-system | bool | true | Include system-generated (sync/merge) events |
| --sort | strings | -created_at | Sort fields (prefix - for descending) |

API

GET /tam/v1/threats/{id}/logs

Query Parameters:

| Parameter | Type | Description |
|---|---|---|
| limit | int | Max results |
| offset | int | Skip results |
| include_system | bool | Include system/sync-generated events |
| sort | string | Sort fields (comma-separated) |

Request Example

mysecutec threats logs t1234-5678 --limit 5

GET /tam/v1/threats/t1234-5678/logs?limit=5&offset=0
Authorization: Bearer <token>
Accept: application/json

Response

{
  "pagination": {
    "limit": 5,
    "offset": 0,
    "total": 3
  },
  "logs": [
    {
      "id": "log-uuid-123",
      "threat_id": "t1234-5678",
      "operation": "status_change",
      "created_by": "user@example.com",
      "created_at": "2025-06-15T09:00:00Z",
      "updated_at": "2025-06-15T09:00:00Z",
      "change_data": {
        "field": "user_status",
        "old_value": null,
        "new_value": "accepted"
      }
    }
  ]
}

Model: ThreatLog

| Field | Type | Description |
|---|---|---|
| id | string (UUID) | Log entry ID |
| threat_id | string | Associated threat ID |
| operation | string | Operation performed |
| created_by | string | User who made the change |
| created_at | timestamp | When the change occurred |
| updated_at | timestamp | Last update timestamp |
| change_data | map | Details of the change |
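
The audit log is where a reviewer confirms who suppressed a threat and when. The following Python code is an added example, not code from the mysecutec project: it joins Threat objects with their ThreatLog entries and lists critical or high threats whose user_status is accepted or false_positive while system_status is still unsolved. The function name and sample records are constructed, and it assumes change_data always has the field/old_value/new_value shape of the sample response above.

```python
SUPPRESSING = {"accepted", "false_positive"}  # treated as suppression (assumption)
REVIEW_SEVERITIES = {"critical", "high"}


def suppressions_to_review(threats, logs_by_threat):
    """List critical/high threats a user suppressed while system_status is
    still unsolved, with who set the current user_status and when."""
    findings = []
    for t in threats:
        if (t.get("severity") not in REVIEW_SEVERITIES
                or t.get("system_status") != "unsolved"
                or t.get("user_status") not in SUPPRESSING):
            continue
        # Audit entries that set user_status to its current value.
        changes = []
        for entry in logs_by_threat.get(t["id"], []):
            change = entry.get("change_data") or {}
            if (entry.get("operation") == "status_change"
                    and change.get("field") == "user_status"
                    and change.get("new_value") == t["user_status"]):
                changes.append(entry)
        # ISO-8601 UTC timestamps sort correctly as strings.
        latest = max(changes, key=lambda e: e["created_at"], default=None)
        findings.append({
            "threat_id": t["id"],
            "severity": t["severity"],
            "user_status": t["user_status"],
            # None means no matching audit entry was found: investigate.
            "changed_by": latest["created_by"] if latest else None,
            "changed_at": latest["created_at"] if latest else None,
        })
    return findings


# Constructed sample records using the Threat and ThreatLog fields shown above.
SAMPLE_THREATS = [
    {"id": "t-1", "severity": "critical", "system_status": "unsolved", "user_status": "accepted"},
    {"id": "t-2", "severity": "high", "system_status": "unsolved", "user_status": "false_positive"},
    {"id": "t-3", "severity": "low", "system_status": "unsolved", "user_status": "false_positive"},
    {"id": "t-4", "severity": "critical", "system_status": "solved", "user_status": "solved"},
]
SAMPLE_LOGS = {
    "t-1": [{"operation": "status_change", "created_by": "user@example.com",
             "created_at": "2025-06-15T09:00:00Z",
             "change_data": {"field": "user_status", "old_value": None, "new_value": "accepted"}}],
}

if __name__ == "__main__":
    for finding in suppressions_to_review(SAMPLE_THREATS, SAMPLE_LOGS):
        print(finding)
```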

threats filter

Get available filter options for the threats list view.

mysecutec threats filter

API

GET /tam/v1/threats/filter

Request Example

mysecutec threats filter

GET /tam/v1/threats/filter
Authorization: Bearer <token>
Accept: application/json

Response

{
  "statuses": [
    { "label": "Unsolved", "value": "unsolved", "unfiltered_total": 80, "filtered_total": 80 },
    { "label": "Solved", "value": "solved", "unfiltered_total": 40, "filtered_total": 40 },
    { "label": "Accepted", "value": "accepted", "unfiltered_total": 20, "filtered_total": 20 },
    { "label": "False Positive", "value": "false_positive", "unfiltered_total": 10, "filtered_total": 10 }
  ],
  "severities": [
    { "label": "Critical", "value": "critical", "unfiltered_total": 5, "filtered_total": 5 },
    { "label": "High", "value": "high", "unfiltered_total": 15, "filtered_total": 15 },
    { "label": "Medium", "value": "medium", "unfiltered_total": 40, "filtered_total": 40 },
    { "label": "Low", "value": "low", "unfiltered_total": 60, "filtered_total": 60 },
    { "label": "Info", "value": "info", "unfiltered_total": 30, "filtered_total": 30 }
  ],
  "system_statuses": [
    { "label": "Unsolved", "value": "unsolved", "unfiltered_total": 80, "filtered_total": 80 },
    { "label": "Solved", "value": "solved", "unfiltered_total": 40, "filtered_total": 40 },
    { "label": "False Positive", "value": "false_positive", "unfiltered_total": 10, "filtered_total": 10 }
  ],
  "user_statuses": [
    { "label": "Unsolved", "value": "unsolved", "unfiltered_total": 80, "filtered_total": 80 },
    { "label": "Accepted", "value": "accepted", "unfiltered_total": 20, "filtered_total": 20 },
    { "label": "Solved", "value": "solved", "unfiltered_total": 40, "filtered_total": 40 },
    { "label": "False Positive", "value": "false_positive", "unfiltered_total": 10, "filtered_total": 10 }
  ],
  "license_modules": [
    { "label": "ASM", "value": "asm", "unfiltered_total": 60, "filtered_total": 60 },
    { "label": "LCM", "value": "lcm", "unfiltered_total": 45, "filtered_total": 45 },
    { "label": "M365", "value": "m365", "unfiltered_total": 30, "filtered_total": 30 },
    { "label": "DNM", "value": "dnm", "unfiltered_total": 15, "filtered_total": 15 }
  ]
}

threats aggregate

Internal aggregation endpoint used by module-specific KPI commands (ASM, LCM, DNM, etc.).

API

POST /tam/v1/threats/aggregate

Request Body

{
  "group_by": [
    { "path": "severity", "alias": "severity" },
    { "path": "first_seen_at.year", "alias": "year" }
  ],
  "select": [
    { "path": "id", "alias": "count" }
  ],
  "filters": {
    "license_module": ["asm"],
    "jsonb_filters": [
      { "path": "data.item_type", "values": ["BLACK_MARKET"] }
    ]
  },
  "limit": 100,
  "offset": 0
}

Model: ThreatAggregateRequest

| Field | Type | Description |
|---|---|---|
| group_by | []AggregateField | Fields to group by |
| select | []AggregateField | Fields to select/count |
| filters | AggregateFilters | Filter criteria |
| limit | int | Max results |
| offset | int | Skip results |

Model: AggregateField

| Field | Type | Description |
|---|---|---|
| path | string | Field path |
| alias | string | Result alias |

Common group_by paths: severity, system_status, user_status, first_seen_at.year, first_seen_at.month, data.item_type, data.enriched.breach.category, data.enriched.breach.source_id

Model: AggregateFilters

| Field | Type | Description |
|---|---|---|
| license_module | []string | License module filter |
| jsonb_filters | []JsonbFilter | JSONB field filters |

Response

{
  "pagination": {
    "limit": 100,
    "offset": 0,
    "total": 5
  },
  "results": [
    {
      "severity": "critical",
      "count": 5,
      "year": 2025
    },
    {
      "severity": "high",
      "count": 15,
      "year": 2025
    }
  ],
  "total": 5
}

Model: ThreatAggregateEntry

| Field | Type | Description |
|---|---|---|
| source_id | string | Source identifier (nullable) |
| name | string | Name (nullable) |
| category | string | Category (nullable) |
| severity | string | Severity (nullable) |
| item_type | string | Item type (nullable) |
| count | int | Aggregated count |
| year | int | Year (nullable) |
| month | int | Month (nullable) |