GraphQL API Reference
Welcome to the Horizon3.ai GraphQL API reference! This reference includes the complete set of GraphQL types, queries, mutations, and their parameters available to users of Horizon3.ai products.
First, learn how to authenticate with the API. If you are new to GraphQL, see the Getting Started guide.
API Endpoints
https://api.horizon3ai.com/v1/graphqlHeaders
Authorization: Bearer <YOUR_TOKEN_HERE>Queries
action_logs_count
Description
Number of action log records for a given pentest.
The action log is the set of all commands executed by NodeZero across all hosts during the pentest.
Response
Returns an Int!
Example
Query
query action_logs_count(
$input: OpInput!,
$page_input: PageInput
) {
action_logs_count(
input: $input,
page_input: $page_input
)
}
Variables
{
"input": OpInput,
"page_input": PageInput
}
Response
{"data": {"action_logs_count": 987}}
action_logs_csv_presigned_url
Description
Generates a temporary AWS presigned URL for downloading the action log as a CSV.
The action log is the set of all commands executed by NodeZero across all hosts during the pentest.
action_logs_page
Description
Paginated list of action log records for a given pentest.
The action log is the set of all commands executed by NodeZero across all hosts during the pentest.
Response
Returns an ActionLogsPage!
Example
Query
query action_logs_page(
$input: OpInput!,
$page_input: PageInput
) {
action_logs_page(
input: $input,
page_input: $page_input
) {
page_info {
...PageInfoFragment
}
action_logs {
...ActionLogFragment
}
}
}
Variables
{
"input": OpInput,
"page_input": PageInput
}
Response
{
"data": {
"action_logs_page": {
"page_info": PageInfo,
"action_logs": [ActionLog]
}
}
}
activedir_passwords_csv_url
Description
List of Active Direction passwords found during an AD Password Audit. Returns a presigned URL to the CSV file. The presigned URL expires after a short time. The CSV format is documented under ActiveDirPasswordCSV.
agent
Description
Fetch the agent aka NodeZero Runner with the given uuid or name in the current user's ClientAccount
Example
Query
query agent(
$uuid: String,
$name: String
) {
agent(
uuid: $uuid,
name: $name
) {
uuid
name
uname
log_file
last_heartbeat_at
last_heartbeat_time_ago
last_command {
...AgentCommandFragment
}
commands {
...AgentCommandFragment
}
created_at
}
}
Variables
{
"uuid": "xyz789",
"name": "xyz789"
}
Response
{
"data": {
"agent": {
"uuid": "12341234-1234-1234-1234-123412341234",
"name": "abc123",
"uname": "xyz789",
"log_file": "xyz789",
"last_heartbeat_at": "2021-07-22T05:02:40.294996",
"last_heartbeat_time_ago": "abc123",
"last_command": AgentCommand,
"commands": [AgentCommand],
"created_at": "2021-07-22T05:02:40.294996"
}
}
}
agents
Description
The list of h3-cli agents aka NodeZero Runners in the current user's ClientAccount
Response
Returns [Agent]
Example
Query
query agents {
agents {
uuid
name
uname
log_file
last_heartbeat_at
last_heartbeat_time_ago
last_command {
...AgentCommandFragment
}
commands {
...AgentCommandFragment
}
created_at
}
}
Response
{
"data": {
"agents": [
{
"uuid": "12341234-1234-1234-1234-123412341234",
"name": "abc123",
"uname": "xyz789",
"log_file": "xyz789",
"last_heartbeat_at": "2021-07-22T05:02:40.294996",
"last_heartbeat_time_ago": "abc123",
"last_command": AgentCommand,
"commands": [AgentCommand],
"created_at": "2021-07-22T05:02:40.294996"
}
]
}
}
agents_count
Description
The count of h3-cli agents aka NodeZero Runners in the current user's ClientAccount
asset_group
Description
Fetch a specific asset group from this account.
Response
Returns an AssetGroup
Arguments
| Name | Description |
|---|---|
uuid - String!
|
Example
Query
query asset_group($uuid: String!) {
asset_group(uuid: $uuid) {
uuid
name
op_template_uuid
op_template {
...OpTemplateFragment
}
user_account_uuid
user_account_name
client_account_uuid
client_account_company_name
last_ead_etl_completed_at
created_at
updated_at
op_series_uuid
assets_count
authorized_assets_count
external_domain_xops_count
authorized_external_domain_xops_count
in_scope_host_tab_xops_count
authorized_host_tab_xops_count
}
}
Variables
{"uuid": "xyz789"}
Response
{
"data": {
"asset_group": {
"uuid": "12341234-1234-1234-1234-123412341234",
"name": "abc123",
"op_template_uuid": "12341234-1234-1234-1234-123412341234",
"op_template": OpTemplate,
"user_account_uuid": "12341234-1234-1234-1234-123412341234",
"user_account_name": "abc123",
"client_account_uuid": "12341234-1234-1234-1234-123412341234",
"client_account_company_name": "xyz789",
"last_ead_etl_completed_at": "2021-07-22T05:02:40.294996",
"created_at": "2021-07-22T05:02:40.294996",
"updated_at": "2021-07-22T05:02:40.294996",
"op_series_uuid": "12341234-1234-1234-1234-123412341234",
"assets_count": 123,
"authorized_assets_count": 123,
"external_domain_xops_count": 123,
"authorized_external_domain_xops_count": 987,
"in_scope_host_tab_xops_count": 123,
"authorized_host_tab_xops_count": 123
}
}
}
asset_groups_count
Description
The number of asset groups in this account.
asset_groups_page
Description
Paginated list of asset groups in this account.
Response
Returns an AssetGroupsPage!
Arguments
| Name | Description |
|---|---|
page_input - PageInput
|
Example
Query
query asset_groups_page($page_input: PageInput) {
asset_groups_page(page_input: $page_input) {
page_info {
...PageInfoFragment
}
asset_groups {
...AssetGroupFragment
}
}
}
Variables
{"page_input": PageInput}
Response
{
"data": {
"asset_groups_page": {
"page_info": PageInfo,
"asset_groups": [AssetGroup]
}
}
}
attack_path
Description
The AttackPath with the given uuid. An AttackPath represents the steps NodeZero took to achieve an Impact.
Response
Returns an AttackPath
Arguments
| Name | Description |
|---|---|
uuid - String!
|
Example
Query
query attack_path($uuid: String!) {
attack_path(uuid: $uuid) {
uuid
impact_type
impact_title
impact_description
name
attack_path_title
base_score
score
severity
context_score_description_md
context_score_description
op_id
weakness_refs
credential_refs
host_refs
time_to_finding_hms
time_to_finding_s
created_at
target_entity_text
target_entity_short_text
affected_asset_text
affected_asset_short_text
ip
host_name
host_text
}
}
Variables
{"uuid": "abc123"}
Response
{
"data": {
"attack_path": {
"uuid": "12341234-1234-1234-1234-123412341234",
"impact_type": "AWSUserRoleCompromise",
"impact_title": "abc123",
"impact_description": "abc123",
"name": "xyz789",
"attack_path_title": "xyz789",
"base_score": 987.65,
"score": 123.45,
"severity": "INFO",
"context_score_description_md": "xyz789",
"context_score_description": "abc123",
"op_id": "12341234-1234-1234-1234-123412341234",
"weakness_refs": ["xyz789"],
"credential_refs": ["abc123"],
"host_refs": ["xyz789"],
"time_to_finding_hms": "22:05:31",
"time_to_finding_s": 987,
"created_at": "2021-07-22T05:02:40.294996",
"target_entity_text": "abc123",
"target_entity_short_text": "abc123",
"affected_asset_text": "abc123",
"affected_asset_short_text": "xyz789",
"ip": "123.45.67.89",
"host_name": "abc123",
"host_text": "abc123"
}
}
}
attack_paths_count
Description
The count of AttackPaths discovered during the given op. An AttackPath represents the steps NodeZero took to achieve an Impact.
Example
Query
query attack_paths_count(
$input: OpInput!,
$page_input: PageInput
) {
attack_paths_count(
input: $input,
page_input: $page_input
)
}
Variables
{
"input": OpInput,
"page_input": PageInput
}
Response
{"data": {"attack_paths_count": 987}}
attack_paths_csv_url
Description
The set of AttackPaths discovered during the given op. An AttackPath represents the steps NodeZero took to achieve an Impact.
Returned as a temporary presigned URL to a CSV file.
The CSV format is documented under ImpactCSV.
attack_paths_page
Description
The set of AttackPaths discovered during the given op. An AttackPath represents the steps NodeZero took to achieve an Impact.
Response
Returns an AttackPathsPage!
Example
Query
query attack_paths_page(
$input: OpInput!,
$page_input: PageInput
) {
attack_paths_page(
input: $input,
page_input: $page_input
) {
page_info {
...PageInfoFragment
}
attack_paths {
...AttackPathFragment
}
}
}
Variables
{
"input": OpInput,
"page_input": PageInput
}
Response
{
"data": {
"attack_paths_page": {
"page_info": PageInfo,
"attack_paths": [AttackPath]
}
}
}
client_accounts_count
Description
Number of client accounts accessible by the current user.
client_accounts_page
Description
Client accounts accessible by the current user.
Response
Returns a ClientAccountsPage!
Arguments
| Name | Description |
|---|---|
page_input - PageInput
|
Example
Query
query client_accounts_page($page_input: PageInput) {
client_accounts_page(page_input: $page_input) {
page_info {
...PageInfoFragment
}
client_accounts {
...ClientAccountFragment
}
}
}
Variables
{"page_input": PageInput}
Response
{
"data": {
"client_accounts_page": {
"page_info": PageInfo,
"client_accounts": [ClientAccount]
}
}
}
external_domain_xop
Description
Returns the ExternalDomainXop with the given uuid.
Response
Returns an ExternalDomainXop
Arguments
| Name | Description |
|---|---|
uuid - String!
|
Example
Query
query external_domain_xop($uuid: String!) {
external_domain_xop(uuid: $uuid) {
uuid
op_series_uuid
xop_id
last_op_id
current_op_id
is_authorized
pentestable_rules {
...PentestableRulesFragment
}
is_dynamic_ip
excluded_domain_from_last_pentest {
...ExcludedDomainFragment
}
third_party_aliases
third_party_certificate_subject_cns
}
}
Variables
{"uuid": "xyz789"}
Response
{
"data": {
"external_domain_xop": {
"uuid": "12341234-1234-1234-1234-123412341234",
"op_series_uuid": "12341234-1234-1234-1234-123412341234",
"xop_id": "xyz789",
"last_op_id": "xyz789",
"current_op_id": "abc123",
"is_authorized": false,
"pentestable_rules": PentestableRules,
"is_dynamic_ip": "123.45.67.89",
"excluded_domain_from_last_pentest": ExcludedDomain,
"third_party_aliases": ["xyz789"],
"third_party_certificate_subject_cns": [
"abc123"
]
}
}
}
external_domain_xops_count
Description
Count of domains in the given AssetGroup.op_series_uuid
Example
Query
query external_domain_xops_count(
$op_series_uuid: String!,
$page_input: PageInput
) {
external_domain_xops_count(
op_series_uuid: $op_series_uuid,
page_input: $page_input
)
}
Variables
{
"op_series_uuid": "xyz789",
"page_input": PageInput
}
Response
{"data": {"external_domain_xops_count": 987}}
hello
Description
Hello world example.
Response
Returns a String!
Example
Query
query hello {
hello
}
Response
{"data": {"hello": "abc123"}}
host_tab_xop
Description
Returns the HostTabXop with the given uuid.
Response
Returns a HostTabXop
Arguments
| Name | Description |
|---|---|
uuid - String!
|
Example
Query
query host_tab_xop($uuid: String!) {
host_tab_xop(uuid: $uuid) {
uuid
op_series_uuid
xop_id
ip
last_op_id
current_op_id
is_authorized
excluded_ip_from_last_pentest {
...ExcludedIPFragment
}
pentestable_rules {
...PentestableRulesFragment
}
third_party_aliases
third_party_certificate_subject_cns
}
}
Variables
{"uuid": "xyz789"}
Response
{
"data": {
"host_tab_xop": {
"uuid": "12341234-1234-1234-1234-123412341234",
"op_series_uuid": "12341234-1234-1234-1234-123412341234",
"xop_id": "xyz789",
"ip": "123.45.67.89",
"last_op_id": "xyz789",
"current_op_id": "abc123",
"is_authorized": false,
"excluded_ip_from_last_pentest": ExcludedIP,
"pentestable_rules": PentestableRules,
"third_party_aliases": ["abc123"],
"third_party_certificate_subject_cns": [
"xyz789"
]
}
}
}
host_tab_xops_count
Description
Count of IPs in the given AssetGroup.op_series_uuid
Example
Query
query host_tab_xops_count(
$op_series_uuid: String!,
$page_input: PageInput
) {
host_tab_xops_count(
op_series_uuid: $op_series_uuid,
page_input: $page_input
)
}
Variables
{
"op_series_uuid": "xyz789",
"page_input": PageInput
}
Response
{"data": {"host_tab_xops_count": 123}}
host_tabs_count
Description
Count of in-scope hosts. At the op, asset, or client level, depending on the input provided. Provide client_account_uuid to get a subclient's count. Defaults to the current client account if none is provided (and neither op nor asset inputs are not provided).
Response
Returns an Int!
Example
Query
query host_tabs_count(
$input: OpInput,
$client_account_uuid: String,
$page_input: PageInput
) {
host_tabs_count(
input: $input,
client_account_uuid: $client_account_uuid,
page_input: $page_input
)
}
Variables
{
"input": OpInput,
"client_account_uuid": "abc123",
"page_input": PageInput
}
Response
{"data": {"host_tabs_count": 123}}
hosts_csv
use
Query.hosts_csv_url
Description
List of hosts found during a pentest. Returned as an array of comma-separated values, with each element in the array representing a row. Each element in array represents a single host, with the first element containing the column names.
hosts_csv_url
Description
List of hosts found during a pentest. Returns a presigned URL to the CSV file. The presigned URL expires after a short time. The CSV format is documented under HostCSV.
op
Description
Get pentest data.
Example
Query
query op($op_id: String!) {
op(op_id: $op_id) {
op_id
op_type
op_state
op_name
scheduled_timestamp_iso
scheduled_at
scheduled_at_date
completed_timestamp_iso
launched_timestamp_iso
confirmed_credentials_count
weaknesses_count
weaknesses_page {
...WeaknessesPageFragment
}
in_scope_hosts_count
feature_flags {
...FeatureFlagFragment
}
nodezero_script_url
duration_hms
duration_humanize
op_template_uuid
op_template_name
impact_paths_count
attack_paths_count
attack_paths_page {
...AttackPathsPageFragment
}
phished_impact_paths_count
phished_attack_paths_count
runner_uuid
runner_name
runner {
...AgentFragment
}
schedule_uuid
schedule_name
}
}
Variables
{"op_id": "abc123"}
Response
{
"data": {
"op": {
"op_id": "12341234-1234-1234-1234-123412341234",
"op_type": "NodeZero",
"op_state": "running",
"op_name": "your op name",
"scheduled_timestamp_iso": "2021-07-22T05:02:40.294996",
"scheduled_at": "2021-07-22T05:02:40.294996",
"scheduled_at_date": "2024-04-24T18:28:22.119Z",
"completed_timestamp_iso": "2021-07-22T05:02:40.294996",
"launched_timestamp_iso": "2021-07-22T05:02:40.294996",
"confirmed_credentials_count": 987,
"weaknesses_count": 123,
"weaknesses_page": WeaknessesPage,
"in_scope_hosts_count": 987,
"feature_flags": [FeatureFlag],
"nodezero_script_url": "https://example.com/example",
"duration_hms": "22:05:21",
"duration_humanize": "2 hours, 23 minutes",
"op_template_uuid": "12341234-1234-1234-1234-123412341234",
"op_template_name": "xyz789",
"impact_paths_count": 987,
"attack_paths_count": 123,
"attack_paths_page": AttackPathsPage,
"phished_impact_paths_count": 987,
"phished_attack_paths_count": 987,
"runner_uuid": "12341234-1234-1234-1234-123412341234",
"runner_name": "xyz789",
"runner": Agent,
"schedule_uuid": "12341234-1234-1234-1234-123412341234",
"schedule_name": "abc123"
}
}
}
op_tabs_page
Description
Get a list of pentests for client accounts accessible by the current user.
Response
Returns an OpTabsPage!
Example
Query
query op_tabs_page(
$page_input: PageInput,
$exclude_sample_ops: Boolean
) {
op_tabs_page(
page_input: $page_input,
exclude_sample_ops: $exclude_sample_ops
) {
page_info {
...PageInfoFragment
}
op_tabs {
...OpTabFragment
}
}
}
Variables
{"page_input": PageInput, "exclude_sample_ops": false}
Response
{
"data": {
"op_tabs_page": {
"page_info": PageInfo,
"op_tabs": [OpTab]
}
}
}
op_template
Description
Get an op template.
Response
Returns an OpTemplate
Arguments
| Name | Description |
|---|---|
op_template_uuid - String!
|
The uuid of the op template |
Example
Query
query op_template($op_template_uuid: String!) {
op_template(op_template_uuid: $op_template_uuid) {
uuid
user_account_uuid
client_account_uuid
op_template_name
op_type
schedule_op_form {
...ScheduleOpFormFragment
}
row_created_at
row_updated_at
}
}
Variables
{"op_template_uuid": "xyz789"}
Response
{
"data": {
"op_template": {
"uuid": "12341234-1234-1234-1234-123412341234",
"user_account_uuid": "12341234-1234-1234-1234-123412341234",
"client_account_uuid": "12341234-1234-1234-1234-123412341234",
"op_template_name": "abc123",
"op_type": "NodeZero",
"schedule_op_form": ScheduleOpForm,
"row_created_at": "2021-07-22T05:02:40.294996",
"row_updated_at": "2021-07-22T05:02:40.294996"
}
}
}
op_templates
Description
List of op templates, of a specified op type, for the current client account. Includes default templates provided by Horizon3.ai.
Response
Returns [OpTemplate]
Arguments
| Name | Description |
|---|---|
op_type - String
|
Optional. Must be either "NodeZero" (for internal pentests) or "ExternalAttack" (for external pentests). Defaults to "NodeZero". |
Example
Query
query op_templates($op_type: String) {
op_templates(op_type: $op_type) {
uuid
user_account_uuid
client_account_uuid
op_template_name
op_type
schedule_op_form {
...ScheduleOpFormFragment
}
row_created_at
row_updated_at
}
}
Variables
{"op_type": "xyz789"}
Response
{
"data": {
"op_templates": [
{
"uuid": "12341234-1234-1234-1234-123412341234",
"user_account_uuid": "12341234-1234-1234-1234-123412341234",
"client_account_uuid": "12341234-1234-1234-1234-123412341234",
"op_template_name": "xyz789",
"op_type": "NodeZero",
"schedule_op_form": ScheduleOpForm,
"row_created_at": "2021-07-22T05:02:40.294996",
"row_updated_at": "2021-07-22T05:02:40.294996"
}
]
}
}
op_templates_count
Description
Count of op templates for the current client account. Does not include default templates provided by Horizon3.ai.
op_templates_page
Description
List of op templates for the current client account. Does not include default templates provided by Horizon3.ai.
Response
Returns an OpTemplatesPage!
Arguments
| Name | Description |
|---|---|
page_input - PageInput
|
Example
Query
query op_templates_page($page_input: PageInput) {
op_templates_page(page_input: $page_input) {
page_info {
...PageInfoFragment
}
op_templates {
...OpTemplateFragment
}
}
}
Variables
{"page_input": PageInput}
Response
{
"data": {
"op_templates_page": {
"page_info": PageInfo,
"op_templates": [OpTemplate]
}
}
}
op_templates_page_count
use
Query.op_templates_count
Description
Count of op templates for the current client account. Does not include default templates provided by Horizon3.ai.
operators_count
Description
The count of NodeZero Operators in the current user's ClientAccount
ops_count
Description
Get the number of unique ops run by the client. Includes non-pentest types like ExternalAssetDiscovery.
Response
Returns an Int!
Example
Query
query ops_count(
$client_account_uuid: String,
$page_input: PageInput
) {
ops_count(
client_account_uuid: $client_account_uuid,
page_input: $page_input
)
}
Variables
{
"client_account_uuid": "abc123",
"page_input": PageInput
}
Response
{"data": {"ops_count": 123}}
pentest
Description
Get pentest data.
Example
Query
query pentest($op_id: String!) {
pentest(op_id: $op_id) {
op_id
op_type
name
state
user_name
client_name
min_scope
max_scope
exclude_scope
git_accounts {
...GitAccountFragment
}
aws_account_ids
feature_flags {
...FeatureFlagFragment
}
scheduled_at
launched_at
completed_at
canceled_at
etl_completed_at
duration_s
impacts_count
impact_paths_count
attack_paths_count
attack_paths_page {
...AttackPathsPageFragment
}
phished_impact_paths_count
phished_attack_paths_count
weakness_types_count
weaknesses_count
weaknesses_page {
...WeaknessesPageFragment
}
hosts_count
out_of_scope_hosts_count
external_domains_count
services_count
credentials_count
users_count
cred_access_count
data_stores_count
websites_count
data_resources_count
nodezero_script_url
nodezero_ip
runner {
...AgentFragment
}
}
}
Variables
{"op_id": "xyz789"}
Response
{
"data": {
"pentest": {
"op_id": "12341234-1234-1234-1234-123412341234",
"op_type": "NodeZero",
"name": "xyz789",
"state": "done",
"user_name": "xyz789",
"client_name": "abc123",
"min_scope": ["xyz789"],
"max_scope": ["xyz789"],
"exclude_scope": ["abc123"],
"git_accounts": [GitAccount],
"aws_account_ids": [AWSAccountId],
"feature_flags": [FeatureFlag],
"scheduled_at": "2021-07-22T05:02:40.294996",
"launched_at": "2021-07-22T05:02:40.294996",
"completed_at": "2021-07-22T05:02:40.294996",
"canceled_at": "2021-07-22T05:02:40.294996",
"etl_completed_at": "2021-07-22T05:02:40.294996",
"duration_s": 123,
"impacts_count": 987,
"impact_paths_count": 987,
"attack_paths_count": 123,
"attack_paths_page": AttackPathsPage,
"phished_impact_paths_count": 123,
"phished_attack_paths_count": 987,
"weakness_types_count": 987,
"weaknesses_count": 123,
"weaknesses_page": WeaknessesPage,
"hosts_count": 123,
"out_of_scope_hosts_count": 123,
"external_domains_count": 987,
"services_count": 987,
"credentials_count": 123,
"users_count": 987,
"cred_access_count": 987,
"data_stores_count": 123,
"websites_count": 123,
"data_resources_count": Long,
"nodezero_script_url": "https://example.com/example",
"nodezero_ip": "123.45.67.89",
"runner": Agent
}
}
}
pentest_reports_zip_url
Description
Returns a URL to a zip file containing all CSVs and PDFs for the given op_id.
The CSVs along with their schema types are listed below:
- certificates.csv: CertificateCSV
- credentials.csv: CredentialCSV
- data_stores.csv: ShareCSV
- database_repos.csv: DatabaseRepoCSV
- docker_registries.csv: DockerRegistryCSV
- external_domains.csv: ExternalDomainCSV
- file_shares.csv: FileShareCSV
- git_repos.csv: GitRepoCSV
- hosts.csv: HostCSV
- impacts.csv: ImpactCSV
- s3_buckets.csv: S3BucketCSV
- services.csv: ServiceCSV
- users.csv: UserCSV
- weaknesses.csv: WeaknessCSV
- websites.csv: WebShareCSV
Note: for pentests prior to Sep 2022, the zip file is generated "lazily"; ie. on demand, when the user first request it. The first request will receive a response saying the zip file is being generated. An email will be sent to the requesting user with a link to the zip file when it is ready. Subsequent requests will download the already-built zip file.
pentests_count
Description
Counts the number of pentests in the current client account, after applying any filters in page_input. By default archived pentests are excluded.
pentests_page
Description
Paginated list of pentests in the current client account. By default archived pentests are excluded.
Response
Returns a PentestsPage!
Arguments
| Name | Description |
|---|---|
page_input - PageInput
|
Pagination of pentests. |
Example
Query
query pentests_page($page_input: PageInput) {
pentests_page(page_input: $page_input) {
page_info {
...PageInfoFragment
}
pentests {
...PentestFragment
}
}
}
Variables
{"page_input": PageInput}
Response
{
"data": {
"pentests_page": {
"page_info": PageInfo,
"pentests": [Pentest]
}
}
}
sample_op_tabs
Description
Get a list of sample pentests for the current client account.
Response
Returns [OpTab!]
Example
Query
query sample_op_tabs {
sample_op_tabs {
uuid
op_id
op_state
op_name
scheduled_timestamp
scheduled_at
scheduled_at_date
scheduled_timestamp_iso
create_timestamp
create_timestamp_iso
launched_timestamp
launched_timestamp_iso
launched_at
completed_at
completed_timestamp
completed_timestamp_iso
canceled_at
canceled_timestamp
canceled_timestamp_iso
duration_hms
duration_humanize
op_type
weakness_types_count
weaknesses_count
host_tabs_count
domain_controllers_count
credentials_count
proven_credentials_count
confirmed_credentials_count
unproven_credentials_count
activedir_passwords_count
enabled_activedir_passwords_count
disabled_activedir_passwords_count
feature_flags {
...FeatureFlagFragment
}
impacts_headline_count
impact_paths_count
attack_paths_count
phished_impact_paths_count
phished_attack_paths_count
nodezero_script_url
nodezero_ip
etl_completed_at
start_paused
minimum_run_time
maximum_run_time
paused_at
paused_by_user_account_uuid
paused_by_user_account {
...UserAccountFragment
}
op_template_uuid
op_template_name
excluded_ips {
...ExcludedIPFragment
}
excluded_domains {
...ExcludedDomainFragment
}
runner_uuid
runner_name
runner {
...AgentFragment
}
run_nodezero_command {
...AgentCommandFragment
}
schedule_uuid
schedule_name
auto_injected_credential_uuids
}
}
Response
{
"data": {
"sample_op_tabs": [
{
"uuid": "12341234-1234-1234-1234-123412341234",
"op_id": "12341234-1234-1234-1234-123412341234",
"op_state": "running",
"op_name": "your op name",
"scheduled_timestamp": "1600793100.0",
"scheduled_at": "2021-07-22T05:02:40.294996",
"scheduled_at_date": "2024-04-24T18:28:22.119Z",
"scheduled_timestamp_iso": "2021-07-22T05:02:40.294996",
"create_timestamp": "1600793100.0",
"create_timestamp_iso": "2021-07-22T05:02:40.294996",
"launched_timestamp": "1600793100.0",
"launched_timestamp_iso": "2021-07-22T05:02:40.294996",
"launched_at": "2021-07-22T05:02:40.294996",
"completed_at": "2021-07-22T05:02:40.294996",
"completed_timestamp": "1600793100.0",
"completed_timestamp_iso": "2021-07-22T05:02:40.294996",
"canceled_at": "2021-07-22T05:02:40.294996",
"canceled_timestamp": "1600793100.0",
"canceled_timestamp_iso": "2021-07-22T05:02:40.294996",
"duration_hms": "22:35:09",
"duration_humanize": "2 hours, 23 minutes",
"op_type": "NodeZero",
"weakness_types_count": 987,
"weaknesses_count": 123,
"host_tabs_count": 987,
"domain_controllers_count": 987,
"credentials_count": 987,
"proven_credentials_count": 123,
"confirmed_credentials_count": 123,
"unproven_credentials_count": 987,
"activedir_passwords_count": 123,
"enabled_activedir_passwords_count": 123,
"disabled_activedir_passwords_count": 987,
"feature_flags": [FeatureFlag],
"impacts_headline_count": 987,
"impact_paths_count": 123,
"attack_paths_count": 987,
"phished_impact_paths_count": 123,
"phished_attack_paths_count": 987,
"nodezero_script_url": "https://example.com/example",
"nodezero_ip": "123.45.67.89",
"etl_completed_at": "2021-07-22T05:02:40.294996",
"start_paused": true,
"minimum_run_time": 987,
"maximum_run_time": 987,
"paused_at": "2021-07-22T05:02:40.294996",
"paused_by_user_account_uuid": "12341234-1234-1234-1234-123412341234",
"paused_by_user_account": UserAccount,
"op_template_uuid": "12341234-1234-1234-1234-123412341234",
"op_template_name": "xyz789",
"excluded_ips": [ExcludedIP],
"excluded_domains": [ExcludedDomain],
"runner_uuid": "12341234-1234-1234-1234-123412341234",
"runner_name": "abc123",
"runner": Agent,
"run_nodezero_command": AgentCommand,
"schedule_uuid": "12341234-1234-1234-1234-123412341234",
"schedule_name": "abc123",
"auto_injected_credential_uuids": [
"abc123"
]
}
]
}
}
session_user_account
Description
Current user account.
Response
Returns a UserAccount
Example
Query
query session_user_account {
session_user_account {
uuid
email
name
user_role_id
sign_in_type
last_signed_in_at
}
}
Response
{
"data": {
"session_user_account": {
"uuid": "12341234-1234-1234-1234-123412341234",
"email": "john.smith@example.com",
"name": "John Smith",
"user_role_id": "USER",
"sign_in_type": "BASIC",
"last_signed_in_at": "2021-07-22T05:02:40.294996"
}
}
}
weakness
Description
The Weakness with the given uuid.
Example
Query
query weakness($uuid: String!) {
weakness(uuid: $uuid) {
uuid
created_at
vuln_id
vuln_aliases
vuln_category
vuln_name
vuln_short_name
vuln_cisa_kev
vuln_known_ransomware_campaign_use
op_id
ip
has_proof
proof_failure_code
proof_failure_reason
score
severity
base_score
base_severity
context_score
context_severity
context_score_description_md
context_score_description
time_to_finding_hms
time_to_finding_s
affected_asset_text
affected_asset_short_text
downstream_impact_types
downstream_impact_types_and_counts
impact_paths_count
attack_paths_count
diff_status
mitre_mappings {
...MitreMappingFragment
}
}
}
Variables
{"uuid": "xyz789"}
Response
{
"data": {
"weakness": {
"uuid": "12341234-1234-1234-1234-123412341234",
"created_at": "2021-07-22T05:02:40.294996",
"vuln_id": "xyz789",
"vuln_aliases": ["abc123"],
"vuln_category": "SECURITY_MISCONFIGURATION",
"vuln_name": "xyz789",
"vuln_short_name": "xyz789",
"vuln_cisa_kev": true,
"vuln_known_ransomware_campaign_use": true,
"op_id": "12341234-1234-1234-1234-123412341234",
"ip": "123.45.67.89",
"has_proof": false,
"proof_failure_code": "xyz789",
"proof_failure_reason": "abc123",
"score": 987.65,
"severity": "INFO",
"base_score": 987.65,
"base_severity": "INFO",
"context_score": 987.65,
"context_severity": "INFO",
"context_score_description_md": "abc123",
"context_score_description": "xyz789",
"time_to_finding_hms": "22:05:31",
"time_to_finding_s": 987,
"affected_asset_text": "xyz789",
"affected_asset_short_text": "xyz789",
"downstream_impact_types": ["AWSUserRoleCompromise"],
"downstream_impact_types_and_counts": [
"abc123"
],
"impact_paths_count": 987,
"attack_paths_count": 123,
"diff_status": "ADDED",
"mitre_mappings": [MitreMapping]
}
}
}
weaknesses_count
Description
The count of Weaknesses observed during the given op.
A Weakness record represents an observed vulnerability on an affected asset; ie. there is one Weakness record per unique vuln_id + affected asset combination.
Example
Query
query weaknesses_count(
$input: OpInput!,
$page_input: PageInput
) {
weaknesses_count(
input: $input,
page_input: $page_input
)
}
Variables
{
"input": OpInput,
"page_input": PageInput
}
Response
{"data": {"weaknesses_count": 123}}
weaknesses_csv
Use Query.weaknesses_csv_url
Description
The set of Weaknesses observed during the given op, as a set of CSV records.
A Weakness record represents an observed vulnerability on an affected asset; ie. there is one Weakness record per unique vuln_id + affected asset combination.
Returned as an array of strings, with each string being a single record of comma-separated values. Eah string is equivalent to a line in a CSV file.
The CSV format is documented under WeaknessCSV.
The first string contains the header line, with the list of column names.
DEPRECATED: this API will eventually be removed, in favor of Query.weaknesses_csv_url.
Response
Returns [WeaknessCSV]
Arguments
| Name | Description |
|---|---|
input - OpInput!
|
Pentest to get weakness data for. |
Example
Query
query weaknesses_csv($input: OpInput!) {
weaknesses_csv(input: $input)
}
Variables
{"input": OpInput}
Response
{"data": {"weaknesses_csv": [WeaknessCSV]}}
weaknesses_csv_url
Description
The set of Weaknesses observed during the given op, as a set of CSV records.
A Weakness record represents an observed vulnerability on an affected asset; ie. there is one Weakness record per unique vuln_id + affected asset combination.
Returned as a temporary presigned URL to a CSV file.
The CSV format is documented under WeaknessCSV.
weaknesses_diff_csv_url
Description
Returns a temporary, presigned URL to a CSV for a diff of weaknesses between two pentests. See Query.weaknesses_diff_page for more info.
Response
Returns a String
Arguments
| Name | Description |
|---|---|
op_diff_input - OpDiffInput!
|
Example
Query
query weaknesses_diff_csv_url($op_diff_input: OpDiffInput!) {
weaknesses_diff_csv_url(op_diff_input: $op_diff_input)
}
Variables
{"op_diff_input": OpDiffInput}
Response
{
"data": {
"weaknesses_diff_csv_url": "abc123"
}
}
weaknesses_diff_page
Description
Returns a "diff" of weaknesses between two pentests.
The diff contains only those weaknesses that are different between the two pentests. A weakness is "different" if it is present in one pentest but not the other.
The field Weakness.diff_status will be set to either ADDED or REMOVED in each record.
If a weakness was present in the first op (op_diff_input.op_id_1), but not the second op (op_diff_input.op_id_2), its diff_status will be set to REMOVED.
If a weakness was present in the second op, but not the first op, its diff_status will be set to ADDED.
Response
Returns a WeaknessesDiffPage!
Arguments
| Name | Description |
|---|---|
op_diff_input - OpDiffInput!
|
|
page_input - PageInput
|
Example
Query
query weaknesses_diff_page(
$op_diff_input: OpDiffInput!,
$page_input: PageInput
) {
weaknesses_diff_page(
op_diff_input: $op_diff_input,
page_input: $page_input
) {
page_info {
...PageInfoFragment
}
weaknesses {
...WeaknessFragment
}
}
}
Variables
{
"op_diff_input": OpDiffInput,
"page_input": PageInput
}
Response
{
"data": {
"weaknesses_diff_page": {
"page_info": PageInfo,
"weaknesses": [Weakness]
}
}
}
weaknesses_diff_stats
Description
Returns aggregate stats related to a diff of weaknesses between two pentests. See Query.weaknesses_diff_page for more info.
Response
Returns a DiffStats!
Arguments
| Name | Description |
|---|---|
op_diff_input - OpDiffInput!
|
|
page_input - PageInput
|
Example
Query
query weaknesses_diff_stats(
$op_diff_input: OpDiffInput!,
$page_input: PageInput
) {
weaknesses_diff_stats(
op_diff_input: $op_diff_input,
page_input: $page_input
) {
added_count
removed_count
unchanged_count
}
}
Variables
{
"op_diff_input": OpDiffInput,
"page_input": PageInput
}
Response
{
"data": {
"weaknesses_diff_stats": {
"added_count": 987,
"removed_count": 123,
"unchanged_count": 123
}
}
}
weaknesses_page
Description
The set of Weaknesses observed during the given op.
A Weakness record represents an observed vulnerability on an affected asset; ie. there is one Weakness record per unique vuln_id + affected asset combination.
Response
Returns a WeaknessesPage!
Example
Query
query weaknesses_page(
$input: OpInput!,
$page_input: PageInput
) {
weaknesses_page(
input: $input,
page_input: $page_input
) {
page_info {
...PageInfoFragment
}
weaknesses {
...WeaknessFragment
}
}
}
Variables
{
"input": OpInput,
"page_input": PageInput
}
Response
{
"data": {
"weaknesses_page": {
"page_info": PageInfo,
"weaknesses": [Weakness]
}
}
}
Mutations
add_domains_to_asset_group
Description
Update an asset group with additional domains.
Response
Returns an AssetGroupOutput!
Arguments
| Name | Description |
|---|---|
asset_group_uuid - String!
|
ID of asset group to update. |
domains - [StringNotEmpty]!
|
List of domains to add to the asset group's scope. |
Example
Query
mutation add_domains_to_asset_group(
$asset_group_uuid: String!,
$domains: [StringNotEmpty]!
) {
add_domains_to_asset_group(
asset_group_uuid: $asset_group_uuid,
domains: $domains
) {
asset_group {
...AssetGroupFragment
}
}
}
Variables
{
"asset_group_uuid": "xyz789",
"domains": [StringNotEmpty]
}
Response
{
"data": {
"add_domains_to_asset_group": {
"asset_group": AssetGroup
}
}
}
authorize_domains
Description
Authorize the given AssetGroup domains for external pentesting.
Response
Returns a PentestableEntitiesOutput!
Arguments
| Name | Description |
|---|---|
external_domain_xop_uuids - [String!]!
|
Example
Query
mutation authorize_domains($external_domain_xop_uuids: [String!]!) {
authorize_domains(external_domain_xop_uuids: $external_domain_xop_uuids) {
pentestable_entities {
...PentestableEntityFragment
}
blocked_pentestable_entities {
...BlockedPentestableEntityFragment
}
}
}
Variables
{"external_domain_xop_uuids": ["xyz789"]}
Response
{
"data": {
"authorize_domains": {
"pentestable_entities": [PentestableEntity],
"blocked_pentestable_entities": [
BlockedPentestableEntity
]
}
}
}
authorize_ips
Description
Authorize the given AssetGroup IPs for external pentesting.
Response
Returns a PentestableEntitiesOutput!
Arguments
| Name | Description |
|---|---|
host_tab_xop_uuids - [String!]!
|
Example
Query
mutation authorize_ips($host_tab_xop_uuids: [String!]!) {
authorize_ips(host_tab_xop_uuids: $host_tab_xop_uuids) {
pentestable_entities {
...PentestableEntityFragment
}
blocked_pentestable_entities {
...BlockedPentestableEntityFragment
}
}
}
Variables
{"host_tab_xop_uuids": ["abc123"]}
Response
{
"data": {
"authorize_ips": {
"pentestable_entities": [PentestableEntity],
"blocked_pentestable_entities": [
BlockedPentestableEntity
]
}
}
}
bulk_authorize_domains
Description
Bulk authorize AssetGroup domains for external pentesting.
Response
Returns a PentestableEntitiesBulkOutput!
Arguments
| Name | Description |
|---|---|
op_series_uuid - String!
|
ID of op series. |
configured_domains_only - Boolean
|
If true, only domains configured in the AssetGroup's scope will be authorized. Default is false. |
page_input - PageInput
|
If filters are provided, only domains that match the filters will be authorized. |
Example
Query
mutation bulk_authorize_domains(
$op_series_uuid: String!,
$configured_domains_only: Boolean,
$page_input: PageInput
) {
bulk_authorize_domains(
op_series_uuid: $op_series_uuid,
configured_domains_only: $configured_domains_only,
page_input: $page_input
) {
pentestable_entities_count
}
}
Variables
{
"op_series_uuid": "xyz789",
"configured_domains_only": true,
"page_input": PageInput
}
Response
{"data": {"bulk_authorize_domains": {"pentestable_entities_count": 123}}}
bulk_authorize_ips
Description
Bulk authorize AssetGroup IPs for external pentesting.
Response
Returns a PentestableEntitiesBulkOutput!
Example
Query
mutation bulk_authorize_ips(
$op_series_uuid: String!,
$page_input: PageInput
) {
bulk_authorize_ips(
op_series_uuid: $op_series_uuid,
page_input: $page_input
) {
pentestable_entities_count
}
}
Variables
{
"op_series_uuid": "abc123",
"page_input": PageInput
}
Response
{"data": {"bulk_authorize_ips": {"pentestable_entities_count": 987}}}
bulk_deauthorize_domains
Description
Bulk DE-authorize AssetGroup domains for external pentesting.
Response
Returns a PentestableEntitiesBulkOutput!
Example
Query
mutation bulk_deauthorize_domains(
$op_series_uuid: String!,
$page_input: PageInput
) {
bulk_deauthorize_domains(
op_series_uuid: $op_series_uuid,
page_input: $page_input
) {
pentestable_entities_count
}
}
Variables
{
"op_series_uuid": "xyz789",
"page_input": PageInput
}
Response
{"data": {"bulk_deauthorize_domains": {"pentestable_entities_count": 987}}}
bulk_deauthorize_ips
Description
Bulk DE-authorize AssetGroup IPs for external pentesting.
Response
Returns a PentestableEntitiesBulkOutput!
Example
Query
mutation bulk_deauthorize_ips(
$op_series_uuid: String!,
$page_input: PageInput
) {
bulk_deauthorize_ips(
op_series_uuid: $op_series_uuid,
page_input: $page_input
) {
pentestable_entities_count
}
}
Variables
{
"op_series_uuid": "xyz789",
"page_input": PageInput
}
Response
{"data": {"bulk_deauthorize_ips": {"pentestable_entities_count": 123}}}
cancel_op
Description
Cancel a pentest, if its current state allows it.
Example
Query
mutation cancel_op($op_id: String!) {
cancel_op(op_id: $op_id) {
uuid
op_id
op_state
op_name
scheduled_timestamp
scheduled_at
scheduled_at_date
scheduled_timestamp_iso
create_timestamp
create_timestamp_iso
launched_timestamp
launched_timestamp_iso
launched_at
completed_at
completed_timestamp
completed_timestamp_iso
canceled_at
canceled_timestamp
canceled_timestamp_iso
duration_hms
duration_humanize
op_type
weakness_types_count
weaknesses_count
host_tabs_count
domain_controllers_count
credentials_count
proven_credentials_count
confirmed_credentials_count
unproven_credentials_count
activedir_passwords_count
enabled_activedir_passwords_count
disabled_activedir_passwords_count
feature_flags {
...FeatureFlagFragment
}
impacts_headline_count
impact_paths_count
attack_paths_count
phished_impact_paths_count
phished_attack_paths_count
nodezero_script_url
nodezero_ip
etl_completed_at
start_paused
minimum_run_time
maximum_run_time
paused_at
paused_by_user_account_uuid
paused_by_user_account {
...UserAccountFragment
}
op_template_uuid
op_template_name
excluded_ips {
...ExcludedIPFragment
}
excluded_domains {
...ExcludedDomainFragment
}
runner_uuid
runner_name
runner {
...AgentFragment
}
run_nodezero_command {
...AgentCommandFragment
}
schedule_uuid
schedule_name
auto_injected_credential_uuids
}
}
Variables
{"op_id": "xyz789"}
Response
{
"data": {
"cancel_op": {
"uuid": "12341234-1234-1234-1234-123412341234",
"op_id": "12341234-1234-1234-1234-123412341234",
"op_state": "running",
"op_name": "your op name",
"scheduled_timestamp": "1600793100.0",
"scheduled_at": "2021-07-22T05:02:40.294996",
"scheduled_at_date": "2024-04-24T18:28:22.119Z",
"scheduled_timestamp_iso": "2021-07-22T05:02:40.294996",
"create_timestamp": "1600793100.0",
"create_timestamp_iso": "2021-07-22T05:02:40.294996",
"launched_timestamp": "1600793100.0",
"launched_timestamp_iso": "2021-07-22T05:02:40.294996",
"launched_at": "2021-07-22T05:02:40.294996",
"completed_at": "2021-07-22T05:02:40.294996",
"completed_timestamp": "1600793100.0",
"completed_timestamp_iso": "2021-07-22T05:02:40.294996",
"canceled_at": "2021-07-22T05:02:40.294996",
"canceled_timestamp": "1600793100.0",
"canceled_timestamp_iso": "2021-07-22T05:02:40.294996",
"duration_hms": "22:35:09",
"duration_humanize": "2 hours, 23 minutes",
"op_type": "NodeZero",
"weakness_types_count": 987,
"weaknesses_count": 987,
"host_tabs_count": 123,
"domain_controllers_count": 987,
"credentials_count": 987,
"proven_credentials_count": 123,
"confirmed_credentials_count": 123,
"unproven_credentials_count": 123,
"activedir_passwords_count": 123,
"enabled_activedir_passwords_count": 987,
"disabled_activedir_passwords_count": 123,
"feature_flags": [FeatureFlag],
"impacts_headline_count": 987,
"impact_paths_count": 987,
"attack_paths_count": 123,
"phished_impact_paths_count": 123,
"phished_attack_paths_count": 987,
"nodezero_script_url": "https://example.com/example",
"nodezero_ip": "123.45.67.89",
"etl_completed_at": "2021-07-22T05:02:40.294996",
"start_paused": false,
"minimum_run_time": 123,
"maximum_run_time": 987,
"paused_at": "2021-07-22T05:02:40.294996",
"paused_by_user_account_uuid": "12341234-1234-1234-1234-123412341234",
"paused_by_user_account": UserAccount,
"op_template_uuid": "12341234-1234-1234-1234-123412341234",
"op_template_name": "xyz789",
"excluded_ips": [ExcludedIP],
"excluded_domains": [ExcludedDomain],
"runner_uuid": "12341234-1234-1234-1234-123412341234",
"runner_name": "xyz789",
"runner": Agent,
"run_nodezero_command": AgentCommand,
"schedule_uuid": "12341234-1234-1234-1234-123412341234",
"schedule_name": "abc123",
"auto_injected_credential_uuids": [
"xyz789"
]
}
}
}
create_asset_group
Description
Create an asset group. The asset group uses the scope configured in the given schedule_op_form to discover assets.
Response
Returns an AssetGroupOutput!
Arguments
| Name | Description |
|---|---|
schedule_op_form - ScheduleOpFormInput!
|
Scope for discovering assets. |
Example
Query
mutation create_asset_group($schedule_op_form: ScheduleOpFormInput!) {
create_asset_group(schedule_op_form: $schedule_op_form) {
asset_group {
...AssetGroupFragment
}
}
}
Variables
{"schedule_op_form": ScheduleOpFormInput}
Response
{
"data": {
"create_asset_group": {"asset_group": AssetGroup}
}
}
create_client_account
Description
Create a client account and grant the current user access.
Response
Returns a ClientAccountOutput!
Arguments
| Name | Description |
|---|---|
client_account_input - ClientAccountInput!
|
Example
Query
mutation create_client_account($client_account_input: ClientAccountInput!) {
create_client_account(client_account_input: $client_account_input) {
client_account {
...ClientAccountFragment
}
}
}
Variables
{"client_account_input": ClientAccountInput}
Response
{
"data": {
"create_client_account": {
"client_account": ClientAccount
}
}
}
create_op_template
Description
Create a pentest (aka "op") template.
Response
Returns a SaveOpTemplateOutput!
Arguments
| Name | Description |
|---|---|
op_template_name - String!
|
Name of pentest template. The name uniquely identifies the template in the client account. |
schedule_op_form - ScheduleOpFormInput!
|
Input data for scheduling pentest. |
Example
Query
mutation create_op_template(
$op_template_name: String!,
$schedule_op_form: ScheduleOpFormInput!
) {
create_op_template(
op_template_name: $op_template_name,
schedule_op_form: $schedule_op_form
) {
op_template {
...OpTemplateFragment
}
}
}
Variables
{
"op_template_name": "abc123",
"schedule_op_form": ScheduleOpFormInput
}
Response
{
"data": {
"create_op_template": {"op_template": OpTemplate}
}
}
create_user_account
Description
Add a user to a given client account. The user will receive an invitation email along with temporary login credentials, if needed.
Response
Returns a UserAccount
Arguments
| Name | Description |
|---|---|
input - CreateUserAccountInput!
|
Input data for creating user. |
Example
Query
mutation create_user_account($input: CreateUserAccountInput!) {
create_user_account(input: $input) {
uuid
email
name
user_role_id
sign_in_type
last_signed_in_at
}
}
Variables
{"input": CreateUserAccountInput}
Response
{
"data": {
"create_user_account": {
"uuid": "12341234-1234-1234-1234-123412341234",
"email": "john.smith@example.com",
"name": "John Smith",
"user_role_id": "USER",
"sign_in_type": "BASIC",
"last_signed_in_at": "2021-07-22T05:02:40.294996"
}
}
}
deauthorize_domains
Description
DE-authorize the given AssetGroup domains for external pentesting.
Response
Returns a PentestableEntitiesOutput!
Arguments
| Name | Description |
|---|---|
external_domain_xop_uuids - [String!]!
|
Example
Query
mutation deauthorize_domains($external_domain_xop_uuids: [String!]!) {
deauthorize_domains(external_domain_xop_uuids: $external_domain_xop_uuids) {
pentestable_entities {
...PentestableEntityFragment
}
blocked_pentestable_entities {
...BlockedPentestableEntityFragment
}
}
}
Variables
{"external_domain_xop_uuids": ["abc123"]}
Response
{
"data": {
"deauthorize_domains": {
"pentestable_entities": [PentestableEntity],
"blocked_pentestable_entities": [
BlockedPentestableEntity
]
}
}
}
deauthorize_ips
Description
DE-authorize the given AssetGroup IPs for external pentesting.
Response
Returns a PentestableEntitiesOutput!
Arguments
| Name | Description |
|---|---|
host_tab_xop_uuids - [String!]!
|
Example
Query
mutation deauthorize_ips($host_tab_xop_uuids: [String!]!) {
deauthorize_ips(host_tab_xop_uuids: $host_tab_xop_uuids) {
pentestable_entities {
...PentestableEntityFragment
}
blocked_pentestable_entities {
...BlockedPentestableEntityFragment
}
}
}
Variables
{"host_tab_xop_uuids": ["xyz789"]}
Response
{
"data": {
"deauthorize_ips": {
"pentestable_entities": [PentestableEntity],
"blocked_pentestable_entities": [
BlockedPentestableEntity
]
}
}
}
delete_client_account
Description
Delete a client account.
Response
Returns a Deleted!
Arguments
| Name | Description |
|---|---|
client_account_uuid - String!
|
Client account to delete. |
Example
Query
mutation delete_client_account($client_account_uuid: String!) {
delete_client_account(client_account_uuid: $client_account_uuid) {
success
}
}
Variables
{"client_account_uuid": "abc123"}
Response
{"data": {"delete_client_account": {"success": true}}}
delete_op_template
Description
Delete a pentest (aka "op") template by name.
Response
Returns a DeleteOpTemplateOutput!
Example
Query
mutation delete_op_template(
$op_template_name: String!,
$op_type: String,
$also_delete_schedules: Boolean
) {
delete_op_template(
op_template_name: $op_template_name,
op_type: $op_type,
also_delete_schedules: $also_delete_schedules
) {
op_template {
...OpTemplateFragment
}
}
}
Variables
{
"op_template_name": "xyz789",
"op_type": "xyz789",
"also_delete_schedules": false
}
Response
{
"data": {
"delete_op_template": {"op_template": OpTemplate}
}
}
delete_op_template_by_uuid
Description
Delete a pentest (aka "op") template by uuid.
Response
Returns a DeleteOpTemplateOutput!
Example
Query
mutation delete_op_template_by_uuid(
$uuid: String!,
$also_delete_schedules: Boolean
) {
delete_op_template_by_uuid(
uuid: $uuid,
also_delete_schedules: $also_delete_schedules
) {
op_template {
...OpTemplateFragment
}
}
}
Variables
{
"uuid": "xyz789",
"also_delete_schedules": false
}
Response
{
"data": {
"delete_op_template_by_uuid": {
"op_template": OpTemplate
}
}
}
delete_user_account
Description
Delete a user from a given client account.
Response
Returns a UserAccount
Arguments
| Name | Description |
|---|---|
email - EmailAddress!
|
Email address of user to delete. |
client_account_uuid - String
|
ID of client account to delete the user from. Defaults to the caller's client account. |
also_delete_api_keys - Boolean
|
Option to also delete user's API keys. Defaults to False |
Example
Query
mutation delete_user_account(
$email: EmailAddress!,
$client_account_uuid: String,
$also_delete_api_keys: Boolean
) {
delete_user_account(
email: $email,
client_account_uuid: $client_account_uuid,
also_delete_api_keys: $also_delete_api_keys
) {
uuid
email
name
user_role_id
sign_in_type
last_signed_in_at
}
}
Variables
{
"email": EmailAddress,
"client_account_uuid": "xyz789",
"also_delete_api_keys": false
}
Response
{
"data": {
"delete_user_account": {
"uuid": "12341234-1234-1234-1234-123412341234",
"email": "john.smith@example.com",
"name": "John Smith",
"user_role_id": "USER",
"sign_in_type": "BASIC",
"last_signed_in_at": "2021-07-22T05:02:40.294996"
}
}
}
pause_op
Description
Pause a pentest, if its current state allows it.
Example
Query
mutation pause_op($op_id: String!) {
pause_op(op_id: $op_id) {
uuid
op_id
op_state
op_name
scheduled_timestamp
scheduled_at
scheduled_at_date
scheduled_timestamp_iso
create_timestamp
create_timestamp_iso
launched_timestamp
launched_timestamp_iso
launched_at
completed_at
completed_timestamp
completed_timestamp_iso
canceled_at
canceled_timestamp
canceled_timestamp_iso
duration_hms
duration_humanize
op_type
weakness_types_count
weaknesses_count
host_tabs_count
domain_controllers_count
credentials_count
proven_credentials_count
confirmed_credentials_count
unproven_credentials_count
activedir_passwords_count
enabled_activedir_passwords_count
disabled_activedir_passwords_count
feature_flags {
...FeatureFlagFragment
}
impacts_headline_count
impact_paths_count
attack_paths_count
phished_impact_paths_count
phished_attack_paths_count
nodezero_script_url
nodezero_ip
etl_completed_at
start_paused
minimum_run_time
maximum_run_time
paused_at
paused_by_user_account_uuid
paused_by_user_account {
...UserAccountFragment
}
op_template_uuid
op_template_name
excluded_ips {
...ExcludedIPFragment
}
excluded_domains {
...ExcludedDomainFragment
}
runner_uuid
runner_name
runner {
...AgentFragment
}
run_nodezero_command {
...AgentCommandFragment
}
schedule_uuid
schedule_name
auto_injected_credential_uuids
}
}
Variables
{"op_id": "abc123"}
Response
{
"data": {
"pause_op": {
"uuid": "12341234-1234-1234-1234-123412341234",
"op_id": "12341234-1234-1234-1234-123412341234",
"op_state": "running",
"op_name": "your op name",
"scheduled_timestamp": "1600793100.0",
"scheduled_at": "2021-07-22T05:02:40.294996",
"scheduled_at_date": "2024-10-24T18:28:22.119Z",
"scheduled_timestamp_iso": "2021-07-22T05:02:40.294996",
"create_timestamp": "1600793100.0",
"create_timestamp_iso": "2021-07-22T05:02:40.294996",
"launched_timestamp": "1600793100.0",
"launched_timestamp_iso": "2021-07-22T05:02:40.294996",
"launched_at": "2021-07-22T05:02:40.294996",
"completed_at": "2021-07-22T05:02:40.294996",
"completed_timestamp": "1600793100.0",
"completed_timestamp_iso": "2021-07-22T05:02:40.294996",
"canceled_at": "2021-07-22T05:02:40.294996",
"canceled_timestamp": "1600793100.0",
"canceled_timestamp_iso": "2021-07-22T05:02:40.294996",
"duration_hms": "22:35:09",
"duration_humanize": "2 hours, 23 minutes",
"op_type": "NodeZero",
"weakness_types_count": 987,
"weaknesses_count": 123,
"host_tabs_count": 123,
"domain_controllers_count": 123,
"credentials_count": 987,
"proven_credentials_count": 123,
"confirmed_credentials_count": 123,
"unproven_credentials_count": 987,
"activedir_passwords_count": 987,
"enabled_activedir_passwords_count": 123,
"disabled_activedir_passwords_count": 123,
"feature_flags": [FeatureFlag],
"impacts_headline_count": 987,
"impact_paths_count": 987,
"attack_paths_count": 123,
"phished_impact_paths_count": 123,
"phished_attack_paths_count": 123,
"nodezero_script_url": "https://example.com/example",
"nodezero_ip": "123.45.67.89",
"etl_completed_at": "2021-07-22T05:02:40.294996",
"start_paused": true,
"minimum_run_time": 987,
"maximum_run_time": 987,
"paused_at": "2021-07-22T05:02:40.294996",
"paused_by_user_account_uuid": "12341234-1234-1234-1234-123412341234",
"paused_by_user_account": UserAccount,
"op_template_uuid": "12341234-1234-1234-1234-123412341234",
"op_template_name": "xyz789",
"excluded_ips": [ExcludedIP],
"excluded_domains": [ExcludedDomain],
"runner_uuid": "12341234-1234-1234-1234-123412341234",
"runner_name": "xyz789",
"runner": Agent,
"run_nodezero_command": AgentCommand,
"schedule_uuid": "12341234-1234-1234-1234-123412341234",
"schedule_name": "abc123",
"auto_injected_credential_uuids": [
"xyz789"
]
}
}
}
remove_domains_from_asset_group
Description
Remove domains from an asset group.
Response
Returns an AssetGroupOutput!
Arguments
| Name | Description |
|---|---|
asset_group_uuid - String!
|
ID of asset group to update. |
domains - [StringNotEmpty]!
|
List of domains to remove from the asset group's scope. |
Example
Query
mutation remove_domains_from_asset_group(
$asset_group_uuid: String!,
$domains: [StringNotEmpty]!
) {
remove_domains_from_asset_group(
asset_group_uuid: $asset_group_uuid,
domains: $domains
) {
asset_group {
...AssetGroupFragment
}
}
}
Variables
{
"asset_group_uuid": "xyz789",
"domains": [StringNotEmpty]
}
Response
{
"data": {
"remove_domains_from_asset_group": {
"asset_group": AssetGroup
}
}
}
resume_op
Description
Resume a pentest, if its current state allows it.
Example
Query
mutation resume_op($op_id: String!) {
resume_op(op_id: $op_id) {
uuid
op_id
op_state
op_name
scheduled_timestamp
scheduled_at
scheduled_at_date
scheduled_timestamp_iso
create_timestamp
create_timestamp_iso
launched_timestamp
launched_timestamp_iso
launched_at
completed_at
completed_timestamp
completed_timestamp_iso
canceled_at
canceled_timestamp
canceled_timestamp_iso
duration_hms
duration_humanize
op_type
weakness_types_count
weaknesses_count
host_tabs_count
domain_controllers_count
credentials_count
proven_credentials_count
confirmed_credentials_count
unproven_credentials_count
activedir_passwords_count
enabled_activedir_passwords_count
disabled_activedir_passwords_count
feature_flags {
...FeatureFlagFragment
}
impacts_headline_count
impact_paths_count
attack_paths_count
phished_impact_paths_count
phished_attack_paths_count
nodezero_script_url
nodezero_ip
etl_completed_at
start_paused
minimum_run_time
maximum_run_time
paused_at
paused_by_user_account_uuid
paused_by_user_account {
...UserAccountFragment
}
op_template_uuid
op_template_name
excluded_ips {
...ExcludedIPFragment
}
excluded_domains {
...ExcludedDomainFragment
}
runner_uuid
runner_name
runner {
...AgentFragment
}
run_nodezero_command {
...AgentCommandFragment
}
schedule_uuid
schedule_name
auto_injected_credential_uuids
}
}
Variables
{"op_id": "abc123"}
Response
{
"data": {
"resume_op": {
"uuid": "12341234-1234-1234-1234-123412341234",
"op_id": "12341234-1234-1234-1234-123412341234",
"op_state": "running",
"op_name": "your op name",
"scheduled_timestamp": "1600793100.0",
"scheduled_at": "2021-07-22T05:02:40.294996",
"scheduled_at_date": "2024-10-24T18:28:22.119Z",
"scheduled_timestamp_iso": "2021-07-22T05:02:40.294996",
"create_timestamp": "1600793100.0",
"create_timestamp_iso": "2021-07-22T05:02:40.294996",
"launched_timestamp": "1600793100.0",
"launched_timestamp_iso": "2021-07-22T05:02:40.294996",
"launched_at": "2021-07-22T05:02:40.294996",
"completed_at": "2021-07-22T05:02:40.294996",
"completed_timestamp": "1600793100.0",
"completed_timestamp_iso": "2021-07-22T05:02:40.294996",
"canceled_at": "2021-07-22T05:02:40.294996",
"canceled_timestamp": "1600793100.0",
"canceled_timestamp_iso": "2021-07-22T05:02:40.294996",
"duration_hms": "22:35:09",
"duration_humanize": "2 hours, 23 minutes",
"op_type": "NodeZero",
"weakness_types_count": 123,
"weaknesses_count": 987,
"host_tabs_count": 123,
"domain_controllers_count": 123,
"credentials_count": 987,
"proven_credentials_count": 123,
"confirmed_credentials_count": 987,
"unproven_credentials_count": 123,
"activedir_passwords_count": 987,
"enabled_activedir_passwords_count": 123,
"disabled_activedir_passwords_count": 987,
"feature_flags": [FeatureFlag],
"impacts_headline_count": 987,
"impact_paths_count": 987,
"attack_paths_count": 123,
"phished_impact_paths_count": 123,
"phished_attack_paths_count": 123,
"nodezero_script_url": "https://example.com/example",
"nodezero_ip": "123.45.67.89",
"etl_completed_at": "2021-07-22T05:02:40.294996",
"start_paused": true,
"minimum_run_time": 987,
"maximum_run_time": 987,
"paused_at": "2021-07-22T05:02:40.294996",
"paused_by_user_account_uuid": "12341234-1234-1234-1234-123412341234",
"paused_by_user_account": UserAccount,
"op_template_uuid": "12341234-1234-1234-1234-123412341234",
"op_template_name": "xyz789",
"excluded_ips": [ExcludedIP],
"excluded_domains": [ExcludedDomain],
"runner_uuid": "12341234-1234-1234-1234-123412341234",
"runner_name": "xyz789",
"runner": Agent,
"run_nodezero_command": AgentCommand,
"schedule_uuid": "12341234-1234-1234-1234-123412341234",
"schedule_name": "abc123",
"auto_injected_credential_uuids": [
"abc123"
]
}
}
}
save_op_template
Use
create_op_template and update_op_template instead. Description
Create or update a pentest (aka "op") template.
Response
Returns a SaveOpTemplateOutput!
Arguments
| Name | Description |
|---|---|
op_template_name - String!
|
Name of pentest template. The name uniquely identifies the template in the client account. |
schedule_op_form - ScheduleOpFormInput!
|
Input data for scheduling pentest. |
Example
Query
mutation save_op_template(
$op_template_name: String!,
$schedule_op_form: ScheduleOpFormInput!
) {
save_op_template(
op_template_name: $op_template_name,
schedule_op_form: $schedule_op_form
) {
op_template {
...OpTemplateFragment
}
}
}
Variables
{
"op_template_name": "xyz789",
"schedule_op_form": ScheduleOpFormInput
}
Response
{
"data": {
"save_op_template": {"op_template": OpTemplate}
}
}
schedule_op_template
Description
Schedule a pentest from a template.
Response
Returns a ScheduleOpOutput!
Arguments
| Name | Description |
|---|---|
op_template_name - String
|
@deprecated - use op_template_uuid instead. Name of pentest template. If not specified, defaults to the default template for the op_type specified in schedule_op_form.op_type, which in turn defaults to NodeZero. |
op_template_uuid - String
|
ID of pentest template. If not specified, defaults to the default template for the op_type specified in schedule_op_form.op_type, which in turn defaults to NodeZero. |
op_name - String
|
Name of the pentest, defaults to the name in pentest template. |
schedule_op_form - ScheduleOpFormInput
|
Optional parameters that, if set, override the corresponding parameters in the pentest template. |
agent_name - String
|
Assign an h3-cli agent to automatically launch NodeZero for this pentest. |
runner_uuid - String
|
Assign an h3-cli runner to automatically launch NodeZero for this pentest. |
schedule_name - String
|
The automated schedule to which this pentest is assigned. This is used internally by automated scheduling. |
Example
Query
mutation schedule_op_template(
$op_template_name: String,
$op_template_uuid: String,
$op_name: String,
$schedule_op_form: ScheduleOpFormInput,
$agent_name: String,
$runner_uuid: String,
$schedule_name: String
) {
schedule_op_template(
op_template_name: $op_template_name,
op_template_uuid: $op_template_uuid,
op_name: $op_name,
schedule_op_form: $schedule_op_form,
agent_name: $agent_name,
runner_uuid: $runner_uuid,
schedule_name: $schedule_name
) {
op {
...OpFragment
}
}
}
Variables
{
"op_template_name": "abc123",
"op_template_uuid": "xyz789",
"op_name": "abc123",
"schedule_op_form": ScheduleOpFormInput,
"agent_name": "abc123",
"runner_uuid": "xyz789",
"schedule_name": "abc123"
}
Response
{"data": {"schedule_op_template": {"op": Op}}}
update_asset_group_template
Description
Update an asset group's configuration.
Response
Returns a SaveOpTemplateOutput!
Arguments
| Name | Description |
|---|---|
asset_group_uuid - String!
|
ID of asset group. |
schedule_op_form - ScheduleOpFormInput!
|
Scope for discovering assets. |
Example
Query
mutation update_asset_group_template(
$asset_group_uuid: String!,
$schedule_op_form: ScheduleOpFormInput!
) {
update_asset_group_template(
asset_group_uuid: $asset_group_uuid,
schedule_op_form: $schedule_op_form
) {
op_template {
...OpTemplateFragment
}
}
}
Variables
{
"asset_group_uuid": "xyz789",
"schedule_op_form": ScheduleOpFormInput
}
Response
{
"data": {
"update_asset_group_template": {
"op_template": OpTemplate
}
}
}
update_client_account
Description
Update a client account.
Response
Returns a ClientAccount!
Arguments
| Name | Description |
|---|---|
client_account_input - ClientAccountUpdateInput!
|
Example
Query
mutation update_client_account($client_account_input: ClientAccountUpdateInput!) {
update_client_account(client_account_input: $client_account_input) {
uuid
parent_uuid
child_client_accounts {
...ClientAccountFragment
}
child_client_accounts_page {
...ClientAccountsPageFragment
}
child_client_accounts_count
company_name
company_short_name
company_logo_url
secondary_company_logo_url
company_colors {
...BrandColorFragment
}
white_label_reports_enabled
white_label_reports_cascade
row_created_at
session_user_role_id
assets_count
internal_assets_count
external_assets_count
}
}
Variables
{"client_account_input": ClientAccountUpdateInput}
Response
{
"data": {
"update_client_account": {
"uuid": "12341234-1234-1234-1234-123412341234",
"parent_uuid": "12341234-1234-1234-1234-123412341234",
"child_client_accounts": [ClientAccount],
"child_client_accounts_page": ClientAccountsPage,
"child_client_accounts_count": 987,
"company_name": "Horizon3 AI, Inc",
"company_short_name": "H3",
"company_logo_url": "https://example.com/example",
"secondary_company_logo_url": "https://example.com/example",
"company_colors": [BrandColor],
"white_label_reports_enabled": false,
"white_label_reports_cascade": true,
"row_created_at": "2021-07-22T05:02:40.294996",
"session_user_role_id": "USER",
"assets_count": 123,
"internal_assets_count": 987,
"external_assets_count": 987
}
}
}
update_op_template
Description
Update a pentest (aka "op") template by uuid. Allows for template renaming.
Response
Returns an UpdateOpTemplateOutput!
Example
Query
mutation update_op_template {
update_op_template {
op_template {
...OpTemplateFragment
}
}
}
Response
{
"data": {
"update_op_template": {"op_template": OpTemplate}
}
}
update_user_account
Description
Update a user and their role for a given client account.
Response
Returns a UserAccount!
Arguments
| Name | Description |
|---|---|
input - UpdateUserAccountInput!
|
Input data for updating user. |
Example
Query
mutation update_user_account($input: UpdateUserAccountInput!) {
update_user_account(input: $input) {
uuid
email
name
user_role_id
sign_in_type
last_signed_in_at
}
}
Variables
{"input": UpdateUserAccountInput}
Response
{
"data": {
"update_user_account": {
"uuid": "12341234-1234-1234-1234-123412341234",
"email": "john.smith@example.com",
"name": "John Smith",
"user_role_id": "USER",
"sign_in_type": "BASIC",
"last_signed_in_at": "2021-07-22T05:02:40.294996"
}
}
}
Types
AWSAccountId
Description
String scalar type with AWS Account ID format required (a 12-digit number).
Example
AWSAccountId
AccessLevel
Description
Client account access level.
Values
| Enum Value | Description |
|---|---|
|
|
Free trial access with certain limitations. |
|
|
Read-only access. |
|
|
Full access. |
|
|
Proof-of-value access |
|
|
Consulting+ access. |
|
|
Managed Service Provider |
Example
"FREE_TRIAL"
ActionLog
Description
Action log data that represents an entry in the pentest audit log. Each log entry represents an action taken against a host during a pentest.
Fields
| Field Name | Description |
|---|---|
uuid - String!
|
ID of action log. |
start_time - Datetime!
|
Timestamp at the start of action, in ISO format (UTC). |
endpoint_uuid - String
|
ID of host targeted by action. |
endpoint_ip - String
|
IP address of host targeted by action. |
end_time - Datetime!
|
Timestamp at the end of action, in ISO format (UTC). |
cmd - String!
|
Attack command run in action. |
module_id - String
|
Name of attack module used in action. |
module_name - String
|
Title name of attack module used in action. |
module_description - String
|
Description of attack module used in action. |
module_meta - ModuleMeta
|
Metadata for the attack module used in action. |
target_h3_names - [String]
|
List of assets and weaknesses associated with action. Assets include the IP, service, application, URL, or data store being targeted. |
exit_code - String!
|
Exit code from attack command run in action. |
op_id - String!
|
ID of pentest associated with action. |
op_snapshot_id - String!
|
ID of pentest snapshot associated with action. |
Example
{
"uuid": "12341234-1234-1234-1234-123412341234",
"start_time": Datetime,
"endpoint_uuid": "12341234-1234-1234-1234-123412341234",
"endpoint_ip": "123.45.67.89",
"end_time": Datetime,
"cmd": "abc123",
"module_id": "abc123",
"module_name": "abc123",
"module_description": "abc123",
"module_meta": ModuleMeta,
"target_h3_names": ["xyz789"],
"exit_code": "xyz789",
"op_id": "12341234-1234-1234-1234-123412341234",
"op_snapshot_id": "abc123"
}
ActionLogsPage
Description
Paginated data of action logs.
Fields
| Field Name | Description |
|---|---|
page_info - PageInfo
|
Pagination of response. |
action_logs - [ActionLog!]!
|
List of action logs. |
Example
{
"page_info": PageInfo,
"action_logs": [ActionLog]
}
Agent
Description
Represents an Agent aka NodeZero Runner.
Fields
| Field Name | Description |
|---|---|
uuid - String!
|
Unique identifier |
name - String!
|
The name of the agent. The name is used when assigning scheduled ops to an agent. |
uname - String
|
The output of uname on the agent machine |
log_file - String
|
The file the agent is logging to on the local machine |
last_heartbeat_at - Datetime!
|
The last time the agent made contact with H3 (via GQL) |
last_heartbeat_time_ago - String!
|
last_heartbeat_at as a human-friendly "time ago" statement, eg. "3 minutes ago" |
last_command - AgentCommand
|
The last (or next) command for the agent. |
commands - [AgentCommand]
|
The last n command for the agent. |
Arguments
|
|
created_at - Datetime!
|
When the agent was first created |
Example
{
"uuid": "12341234-1234-1234-1234-123412341234",
"name": "xyz789",
"uname": "xyz789",
"log_file": "abc123",
"last_heartbeat_at": "2021-07-22T05:02:40.294996",
"last_heartbeat_time_ago": "abc123",
"last_command": AgentCommand,
"commands": [AgentCommand],
"created_at": "2021-07-22T05:02:40.294996"
}
AgentCommand
Description
Represents a command run by an Agent aka NodeZero Runner (see Agent).
Fields
| Field Name | Description |
|---|---|
uuid - String!
|
Unique identifier |
agent_uuid - String!
|
The agent to run the command. |
command - String!
|
The command to run |
received_at - Datetime
|
When the agent received the command. |
completed_at - Datetime
|
When the agent completed the command. |
exit_status - String
|
The exit status/return code from the command process. |
log - String
|
The stdout+stderr log from the command process. |
created_at - Datetime!
|
When the command was created |
Example
{
"uuid": "12341234-1234-1234-1234-123412341234",
"agent_uuid": "12341234-1234-1234-1234-123412341234",
"command": "xyz789",
"received_at": "2021-07-22T05:02:40.294996",
"completed_at": "2021-07-22T05:02:40.294996",
"exit_status": "xyz789",
"log": "xyz789",
"created_at": "2021-07-22T05:02:40.294996"
}
AssetGroup
Description
An AssetGroup represents a set of assets in a pentest environment. Assets are discovered by scanning the environment using the scope defined in the associated op template.
Fields
| Field Name | Description |
|---|---|
uuid - String!
|
ID of asset group |
name - String!
|
Name of asset group. |
op_template_uuid - String!
|
ID of pentest template for asset group. |
op_template - OpTemplate!
|
Data of pentest template for asset group. |
user_account_uuid - String!
|
ID of user that created the asset group. |
user_account_name - String!
|
Name of user account that created the asset group. |
client_account_uuid - String!
|
ID of client account that created the asset group. |
client_account_company_name - String!
|
Company name on the client account that created the asset group. |
last_ead_etl_completed_at - Datetime
|
Timestamp when the last asset discovery completed for this asset group. |
created_at - Datetime!
|
Timestamp when the asset group was created. |
updated_at - Datetime
|
Timestamp when the asset group was last updated. |
op_series_uuid - String!
|
ID of the ExternalAssetDiscovery op series associated with the asset group. |
assets_count - Int!
|
The number of domain and IP assets in this asset group. |
authorized_assets_count - Int!
|
The number of authorized domain and IP assets in this asset group. |
external_domain_xops_count - Int!
|
The number of domains in this asset group. |
authorized_external_domain_xops_count - Int!
|
The number of authorized domains in this asset group. |
in_scope_host_tab_xops_count - Int!
|
The number of in-scope IPs in this asset group. |
authorized_host_tab_xops_count - Int!
|
The number of authorized IPs in this asset group. |
Example
{
"uuid": "12341234-1234-1234-1234-123412341234",
"name": "abc123",
"op_template_uuid": "12341234-1234-1234-1234-123412341234",
"op_template": OpTemplate,
"user_account_uuid": "12341234-1234-1234-1234-123412341234",
"user_account_name": "abc123",
"client_account_uuid": "12341234-1234-1234-1234-123412341234",
"client_account_company_name": "xyz789",
"last_ead_etl_completed_at": "2021-07-22T05:02:40.294996",
"created_at": "2021-07-22T05:02:40.294996",
"updated_at": "2021-07-22T05:02:40.294996",
"op_series_uuid": "12341234-1234-1234-1234-123412341234",
"assets_count": 987,
"authorized_assets_count": 123,
"external_domain_xops_count": 987,
"authorized_external_domain_xops_count": 123,
"in_scope_host_tab_xops_count": 987,
"authorized_host_tab_xops_count": 987
}
AssetGroupOutput
Description
Asset group return type.
Fields
| Field Name | Description |
|---|---|
asset_group - AssetGroup!
|
The asset group. |
Example
{"asset_group": AssetGroup}
AssetGroupsPage
Fields
| Field Name | Description |
|---|---|
page_info - PageInfo
|
Pagination of response. |
asset_groups - [AssetGroup!]!
|
List of asset groups. |
Example
{
"page_info": PageInfo,
"asset_groups": [AssetGroup]
}
AttackPath
Description
An AttackPath represents the steps NodeZero took to achieve an Impact.
The path includes exploited weaknesses, compromised credentials, and other findings that led to the Impact.
Fields
| Field Name | Description |
|---|---|
uuid - String!
|
Unique ID for this AttackPath. |
impact_type - ImpactType!
|
The type of impact. |
impact_title - String!
|
The impact type's title. |
impact_description - String!
|
The impact type's description. |
name - String!
|
The attack path's name/title. |
attack_path_title - String!
|
The attack path's name/title. |
base_score - Float
|
The impact type's base score. |
score - Float
|
The impact severity score. An impact's score is primarily dependent on its type. |
severity - Severity
|
The impact severity. |
context_score_description_md - String
|
Description of the impact, spelling out overall impact along with the weaknesses, credentials, and hosts involved in its attack path. In markdown format. |
context_score_description - String
|
Description of the impact, spelling out overall impact along with the weaknesses, credentials, and hosts involved in its attack path. |
op_id - String!
|
The op. |
weakness_refs - [String]
|
The weaknesses that appear in this attack path. Refs are formatted as {weakness_uuid},{weakness-id},{asset-name} |
credential_refs - [String]
|
The credentials that appear in this attack path. Refs are formatted as {credential_tab_uuid},{user_or_role_name},{asset-name} |
host_refs - [String]
|
The hosts that appear in this attack path. Refs are formatted as {host_tab_uuid},{ip} |
time_to_finding_hms - String
|
Time-to-finding in hh:mm:ss format |
time_to_finding_s - Int
|
Time-to-finding in seconds |
created_at - Datetime
|
When the impact occurred (ie. when the target_entity was found) |
target_entity_text - String
|
The name of the target entity that is the direct cause of this impact |
target_entity_short_text - String
|
The short-name of the target entity that is the direct cause of this impact |
affected_asset_text - String
|
The name of the asset affected by this impact. |
affected_asset_short_text - String
|
The short-name of the asset affected by this impact. |
ip - String
|
The host IP where this impact occurred. |
host_name - String
|
The host host_name where this impact occurred. |
host_text - String
|
The name of the host affected by this impact. |
Example
{
"uuid": "12341234-1234-1234-1234-123412341234",
"impact_type": "AWSUserRoleCompromise",
"impact_title": "abc123",
"impact_description": "xyz789",
"name": "xyz789",
"attack_path_title": "abc123",
"base_score": 987.65,
"score": 123.45,
"severity": "INFO",
"context_score_description_md": "abc123",
"context_score_description": "xyz789",
"op_id": "12341234-1234-1234-1234-123412341234",
"weakness_refs": ["xyz789"],
"credential_refs": ["xyz789"],
"host_refs": ["xyz789"],
"time_to_finding_hms": "22:05:31",
"time_to_finding_s": 123,
"created_at": "2021-07-22T05:02:40.294996",
"target_entity_text": "abc123",
"target_entity_short_text": "abc123",
"affected_asset_text": "xyz789",
"affected_asset_short_text": "xyz789",
"ip": "123.45.67.89",
"host_name": "xyz789",
"host_text": "abc123"
}
AttackPathsPage
Description
Contains a page of AttackPath records, as fetched via Query.attack_paths_page.
Fields
| Field Name | Description |
|---|---|
page_info - PageInfo
|
Pagination of response. |
attack_paths - [AttackPath!]!
|
List of attack paths. |
Example
{
"page_info": PageInfo,
"attack_paths": [AttackPath]
}
AuthzRole
Description
Authorization role of a user within a client account. A user's role may change with the client account.
Values
| Enum Value | Description |
|---|---|
|
|
User has non-admin access in the client account. |
|
|
User has read-only access in the client account. |
|
|
User has organizational admin access in the client account. |
|
|
This role is used with the h3-cli for configuring an automated runner for NodeZero. |
|
|
This role is used by the NodeZero Kubernetes Operator for accessing the API when provisioning Runners or Pentests. |
|
|
This role is used for pentests in which phishing is conducted, enable POSTing of phished credentials. |
Example
"USER"
BlockedPentestableEntity
Description
A BlockedPentestableEntity links an external domain or IP asset (the PentestableEntity) with its PentestableRules.
The PentestableRules determine whether or not we allow external pentesting of the asset. Assets are blocked if we determine they are owned by providers that do not permit pentesting.
Fields
| Field Name | Description |
|---|---|
pentestable_entity - PentestableEntity
|
The pentestable entity that was blocked. |
pentestable_rules - PentestableRules
|
Then rules that determined why we blocked the asset from external pentesting. |
Example
{
"pentestable_entity": PentestableEntity,
"pentestable_rules": PentestableRules
}
Boolean
Description
The Boolean scalar type represents true or false.
Example
true
BrandColor
Fields
| Field Name | Description |
|---|---|
type - BrandColorType!
|
Primary or Secondary. |
color - HexColor!
|
The color in hex notation. |
Example
{"type": "primary", "color": "#bb032d"}
BrandColorInput
Fields
| Input Field | Description |
|---|---|
type - BrandColorType!
|
Primary or Secondary. |
color - HexColor!
|
The color in hex notation. |
Example
{"type": "primary", "color": "#bb032d"}
BrandColorType
Values
| Enum Value | Description |
|---|---|
|
|
Primary color. |
|
|
Secondary color. |
Example
"primary"
ClientAccount
Description
Represents a client account.
Fields
| Field Name | Description |
|---|---|
uuid - String!
|
ID of client account. |
parent_uuid - String
|
ID of parent client account. |
child_client_accounts - [ClientAccount!]!
|
List of child client accounts, also known as sub-client accounts. |
child_client_accounts_page - ClientAccountsPage!
|
List of child client accounts, also known as sub-client accounts. Paginated. |
Arguments
|
|
child_client_accounts_count - Int!
|
Count of child client accounts, also known as sub-client accounts. |
Arguments
|
|
company_name - String!
|
Full company name. |
company_short_name - String!
|
Short name of company. |
company_logo_url - String
|
Company logo URL. |
secondary_company_logo_url - String
|
Secondary company logo URL. |
company_colors - [BrandColor!]
|
Company color scheme. |
white_label_reports_enabled - Boolean
|
Flag to enable co-branded reports. |
white_label_reports_cascade - Boolean
|
Flag to cascade co-branded reports to child accounts, if applicable. |
row_created_at - Datetime
|
Timestamp when the account was created, in ISO format (UTC). |
session_user_role_id - AuthzRole
|
Role of the current user in this client account. |
assets_count - Int!
|
Count of assets for this client. Does not include subclient assets. |
internal_assets_count - Int!
|
Count of internal assets for this client. Does not include subclient assets. |
external_assets_count - Int!
|
Count of external assets for this client. Does not include subclient assets. |
Example
{
"uuid": "12341234-1234-1234-1234-123412341234",
"parent_uuid": "12341234-1234-1234-1234-123412341234",
"child_client_accounts": [ClientAccount],
"child_client_accounts_page": ClientAccountsPage,
"child_client_accounts_count": 123,
"company_name": "Horizon3 AI, Inc",
"company_short_name": "H3",
"company_logo_url": "https://example.com/example",
"secondary_company_logo_url": "https://example.com/example",
"company_colors": [BrandColor],
"white_label_reports_enabled": true,
"white_label_reports_cascade": true,
"row_created_at": "2021-07-22T05:02:40.294996",
"session_user_role_id": "USER",
"assets_count": 987,
"internal_assets_count": 987,
"external_assets_count": 123
}
ClientAccountInput
Description
Arguments to create client account.
Fields
| Input Field | Description |
|---|---|
CompanyName - StringNotEmpty!
|
Full company name. |
company_short_name - StringNotEmpty
|
Short company name. |
access_level - AccessLevel!
|
Access level of client account. |
parent_uuid - String
|
ID of client account to assign as parent. |
Example
{
"CompanyName": StringNotEmpty,
"company_short_name": StringNotEmpty,
"access_level": "FREE_TRIAL",
"parent_uuid": "12341234-1234-1234-1234-123412341234"
}
ClientAccountOutput
Description
Client account data wrapper.
Fields
| Field Name | Description |
|---|---|
client_account - ClientAccount
|
The client account. |
Example
{"client_account": ClientAccount}
ClientAccountUpdateInput
Description
Arguments to update client account.
Fields
| Input Field | Description |
|---|---|
uuid - String!
|
Client account to update. |
CompanyName - StringNotEmpty
|
Full company name. |
company_short_name - StringNotEmpty
|
Short company name. |
company_colors - [BrandColorInput!]
|
Company color scheme. |
white_label_reports_enabled - Boolean
|
Flag to enable co-branded reports. |
white_label_reports_cascade - Boolean
|
Flag to cascade co-branded reports to child accounts, if applicable. |
Example
{
"uuid": "12341234-1234-1234-1234-123412341234",
"CompanyName": StringNotEmpty,
"company_short_name": StringNotEmpty,
"company_colors": [BrandColorInput],
"white_label_reports_enabled": true,
"white_label_reports_cascade": false
}
ClientAccountsPage
Fields
| Field Name | Description |
|---|---|
page_info - PageInfo
|
Pagination of response. |
client_accounts - [ClientAccount!]!
|
List of client accounts. |
Example
{
"page_info": PageInfo,
"client_accounts": [ClientAccount]
}
CreateUserAccountInput
Description
Arguments to create user account.
Fields
| Input Field | Description |
|---|---|
name - String!
|
Name of user. |
email - EmailAddress!
|
Email of user. |
client_account_uuid - String
|
ID of client account to add the user to. Defaults to the current user client account. |
user_role_id - AuthzRole!
|
Role of user in the given client account. |
is_sso - Boolean
|
If set, a BASIC auth username/password account will not be created for the user. |
Example
{
"name": "John Smith",
"email": "john.smith@example.com",
"client_account_uuid": "12341234-1234-1234-1234-123412341234",
"user_role_id": "USER",
"is_sso": false
}
Date
Description
String scalar type with date ISO format serialization, eg. 2021-07-22.
Example
"2024-10-24T18:28:22.119Z"
Datetime
Description
String scalar type with datetime ISO format serialization, eg. 2021-07-22T05:02:40.294996.
Example
Datetime
DeleteOpTemplateOutput
Fields
| Field Name | Description |
|---|---|
op_template - OpTemplate
|
The deleted op template |
Example
{"op_template": OpTemplate}
Deleted
Fields
| Field Name | Description |
|---|---|
success - Boolean!
|
The result of the operation. |
Example
{"success": false}
DiffStats
Description
Aggregate stats used with diff-related APIs, for example Query.weaknesses_diff_stats.
Example
{"added_count": 987, "removed_count": 123, "unchanged_count": 987}
DiffStatus
Description
Used with diff-related APIs, for example Query.weaknesses_diff_page.
Values
| Enum Value | Description |
|---|---|
|
|
Indicates the record is NOT present in the first set, but is present in the second set. |
|
|
Indicates the record is present in the first set, but is NOT present in the second set. |
Example
"ADDED"
EmailAddress
Description
String scalar type with email address format required.
Example
EmailAddress
ExcludedDomain
Description
Represents an external domain that was excluded from a pentest due to the given reason.
Example
{
"op_id": "12341234-1234-1234-1234-123412341234",
"domain": "abc123"
}
ExcludedIP
ExternalDomainXop
Description
This type is an abstraction over the ExternalDomain type representing a uniquely identified ExternalDomain asset across an OpSeries of ops. The asset is id'ed via the xop_id field. The xop_id field is set to the domain name.
Fields
| Field Name | Description |
|---|---|
uuid - String!
|
{op_series_uuid}/{xop_id} |
op_series_uuid - String!
|
This ExternalDomainXop type represents an asset being tracked across this OpSeries. |
xop_id - String!
|
The durable xop identity. Always derived from the data itself (ie. not an arbitrary uuid) For ExternalDomainXop, the xop_id is the domain name. |
last_op_id - String
|
The last op this domain name appeared in. |
current_op_id - String
|
The most recently run op in the OpSeries. |
is_authorized - Boolean
|
Indicates whether or not the domain has been marked "authorized for pentesting" by the user. |
pentestable_rules - PentestableRules
|
Apply rules to determine whether we allow the user to authorizie this ExternalDomain for pentesting. |
is_dynamic_ip - Boolean
|
Indicates whether the xop has been marked as "uses dynamic IPs" by the user |
excluded_domain_from_last_pentest - ExcludedDomain
|
The ExcludedDomain record from the LAST ExternalAttack pentest against this AssetGroup/OpSeries. This will be non-null if the asset was authorized for pentesting, but was excluded (moved out of scope) in the last ExternalAttack pentest, due to drift or unreachability. |
third_party_aliases - [String]
|
Full list of 3rd-party aliases. Includes all subdomains NOT covered by a TLD in the AssetGroup config. Aliases include CNAMEs (ExternalDomain.cname_chain) and DNS Reverse-Lookup Names (ExternalDomain.endpoint_dns_hostnames). |
third_party_certificate_subject_cns - [String]
|
3rd-party certificate subject CNs. Includes all CNs NOT covered by a TLD in the AssetGroup config. |
Example
{
"uuid": "12341234-1234-1234-1234-123412341234",
"op_series_uuid": "12341234-1234-1234-1234-123412341234",
"xop_id": "abc123",
"last_op_id": "xyz789",
"current_op_id": "xyz789",
"is_authorized": true,
"pentestable_rules": PentestableRules,
"is_dynamic_ip": "123.45.67.89",
"excluded_domain_from_last_pentest": ExcludedDomain,
"third_party_aliases": ["xyz789"],
"third_party_certificate_subject_cns": [
"abc123"
]
}
FeatureFlag
Description
Represents Advanced Configuration settings.
Fields
| Field Name | Description |
|---|---|
name - String!
|
The name of the advanced configuration option. |
value - Boolean!
|
Indicates whether the option is enabled or disabled. |
property_name - String
|
Human-friendly name for this advanced configuration option. |
property_description - String
|
Description for this advanced configuration option. |
category_name - String
|
Category of this advanced configuration option. |
category_description - String
|
Category description. |
risk - FeatureFlagRiskType
|
The disruption risk associated with this advanced configuration option. |
enables_min_runtime - Boolean
|
Indicates whether this advanced configuration option should be used in conjunction with ScheduleOpFormInput.minimum_run_time. |
enables_password_spray - Boolean
|
Indicates whether this advanced configuration option should be used in conjunction with ScheduleOpFormInput.passwords_to_spray. |
is_new - Boolean!
|
Indicates the FeatureFlag was introduced after the last time the containing OpTemplate was saved. This helps alert the user about new Attack Config options available in their OpTemplate. Once the OpTemplate is re-saved with the new options, the is_new field is reset. |
Example
{
"name": "abc123",
"value": true,
"property_name": "xyz789",
"property_description": "abc123",
"category_name": "xyz789",
"category_description": "xyz789",
"risk": "none",
"enables_min_runtime": true,
"enables_password_spray": true,
"is_new": true
}
FeatureFlagInput
FeatureFlagRiskType
Values
| Enum Value | Description |
|---|---|
|
|
The feature has no risk of disruption to your environment. |
|
|
The feature has low risk of disruption to your environment. |
|
|
The feature has moderate risk of disruption to your environment. |
|
|
The feature has high risk of disruption to your environment. |
Example
"none"
FilterBy
Description
Filtering of response data. Corresponding type for FilterByInput.
Fields
| Field Name | Description |
|---|---|
field_name - StringNoWhitespace!
|
Name of parameter being filtered by. |
values - [String]
|
Values to filter for. See FilterByInput. |
not_values - [String]
|
Values to filter out. See FilterByInput. |
less_than - String
|
The field value is strictly less than this value. See FilterByInput. |
less_than_or_equal - String
|
The field value is less than OR equal to this value. See FilterByInput. |
greater_than - String
|
The field value is strictly greater than this value. See FilterByInput. |
greater_than_or_equal - String
|
The field value is strictly greater than this value. See FilterByInput. |
Example
{
"field_name": StringNoWhitespace,
"values": ["xyz789"],
"not_values": ["xyz789"],
"less_than": "abc123",
"less_than_or_equal": "abc123",
"greater_than": "xyz789",
"greater_than_or_equal": "abc123"
}
FilterByInput
Description
Filter by parameter, e.g. fetch results where field_name in values.
Fields
| Input Field | Description |
|---|---|
field_name - StringNoWhitespace!
|
Name of parameter to filter by. |
values - [String]
|
Values to filter for. Cannot be combined with not_values input.Can be combined with greater_than* or less_than* inputs. Combined inputs are AND'ed together. |
not_values - [String]
|
Values to filter out. Cannot be combined with values input.Can be combined with greater_than* or less_than* inputs. Combined inputs are AND'ed together. |
greater_than - String
|
The field value is strictly greater than this value. Cannot be combined with greater_than_or_equal input.Can be combined with less_than* inputs and values, not_values inputs. Combined inputs are AND'ed together. |
greater_than_or_equal - String
|
The field value is strictly greater than this value. Cannot be combined with greater_than input.Can be combined with less_than* inputs and values, not_values inputs. Combined inputs are AND'ed together. |
less_than - String
|
The field value is strictly less than this value. Cannot be combined with less_than_or_equal input.Can be combined with greater_than* inputs and values, not_values inputs. Combined inputs are AND'ed together. |
less_than_or_equal - String
|
The field value is less than OR equal to this value. Cannot be combined with less_than input.Can be combined with greater_than* inputs and values, not_values inputs. Combined inputs are AND'ed together. |
Example
{
"field_name": StringNoWhitespace,
"values": ["xyz789"],
"not_values": ["abc123"],
"greater_than": "xyz789",
"greater_than_or_equal": "abc123",
"less_than": "xyz789",
"less_than_or_equal": "xyz789"
}
Float
Description
The Float scalar type represents signed double-precision fractional values as specified by IEEE 754.
Example
987.65
GitAccount
Description
Corresponding (non-input) type. Note that GitAccounts are also created by the op.
Fields
| Field Name | Description |
|---|---|
name - String!
|
Name of the git account. |
source - GitAccountSource!
|
The git service associated with this git account. |
Example
{"name": "abc123", "source": "GitLab"}
GitAccountInput
Description
git input type
Fields
| Input Field | Description |
|---|---|
name - StringNoWhitespace!
|
Name of the git account. |
source - GitAccountSource!
|
The git service associated with this git account. |
Example
{"name": StringNoWhitespace, "source": "GitLab"}
GitAccountSource
Values
| Enum Value | Description |
|---|---|
|
|
The git account is associated with GitLab |
|
|
The git account is associated with GitHub |
|
|
The git account is associated with BitBucket. |
Example
"GitLab"
HexColor
Description
Hex color string, eg. #def or #bb032b.
Example
HexColor
HostCSV
Description
String scalar type representing a HostCSV row with columns:
- FirstSeen: Datetime
- Subnet: String
- SubnetSource: String
- IP: String
- Hostname: String
- DNSHostnames: String
- LDAPHostname: String
- InScope: Boolean
- OS: String
- Hardware: String
- Device: String
- NumWeaknesses: Int
- NumConfirmedWeaknesses: Int
- NumDataResources: Int
- NumCredentials: Int
- NumConfirmedCredentials: Int
- NumServices: Int
- NumWebShares: Int
- RiskScore: Float
- RiskScoreDescription: String
- OpID: String
Example
HostCSV
HostTabXop
Description
This type is an abstraction over the HostTab type representing a uniquely identified HostTab asset across an OpSeries of ops. The asset is ID'ed via the xop_id field. A HostTab's xop_id is set to its ip.
Fields
| Field Name | Description |
|---|---|
uuid - String!
|
{op_series_uuid}/{xop_id} |
op_series_uuid - String!
|
This HostTabXop type represents an asset being tracked across this OpSeries. |
xop_id - String!
|
The durable xop identity. Always derived from the data itself (ie. not an arbitrary uuid). For HostTabXops that represent AssetGroup IPs, the xop_id is the IP. |
ip - String!
|
The ip of this host. |
last_op_id - String
|
The last op this IP appeared in. |
current_op_id - String
|
The most recently run op in the OpSeries. |
is_authorized - Boolean
|
Indicates whether or not this IP has been marked "authorized for pentest" by the user. |
excluded_ip_from_last_pentest - ExcludedIP
|
The ExcludedIP record from the LAST ExternalAttack pentest against this AssetGroup/OpSeries. This will be non-null if the asset was authorized for pentesting, but was excluded (moved out of scope) in the last ExternalAttack pentest, due to drift or unreachability. |
pentestable_rules - PentestableRules
|
Apply rules to determine whether we allow the user to authorize this IP for pentesting. |
third_party_aliases - [String]
|
Full list of 3rd-party aliases. Includes all subdomains NOT covered by a TLD in the AssetGroup config. Aliases include CNAMEs (ExternalDomain.cname_chain) and DNS Reverse-Lookup Names (ExternalDomain.endpoint_dns_hostnames). |
third_party_certificate_subject_cns - [String]
|
3rd-party certificate subject CNs. Includes all CNs NOT covered by a TLD in the AssetGroup config. |
Example
{
"uuid": "12341234-1234-1234-1234-123412341234",
"op_series_uuid": "12341234-1234-1234-1234-123412341234",
"xop_id": "abc123",
"ip": "123.45.67.89",
"last_op_id": "xyz789",
"current_op_id": "xyz789",
"is_authorized": false,
"excluded_ip_from_last_pentest": ExcludedIP,
"pentestable_rules": PentestableRules,
"third_party_aliases": ["xyz789"],
"third_party_certificate_subject_cns": [
"xyz789"
]
}
ImpactType
Description
Impact types.
Values
| Enum Value | Description |
|---|---|
|
|
Once an AWS user or role is compromised, anything that user or role has access to including cloud resources, cloud services, and data should be considered compromised. |
|
|
Once an AWS account is fully compromised, all cloud resources, cloud services, and data that exists in that AWS account should be considered fully compromised. |
|
|
DEPRECATED. |
|
|
Once a Microsoft Entra user is compromised, anything that user has access to should be considered compromised. This could include access to the Microsoft Entra tenant, Microsoft 365, and even access to Azure subscriptions. |
|
|
Once an Entra (AzureAD) tenant is fully compromised, any application, service, or resource that utilizes the Entra Entra tenant for Identity and Access Management (IAM) should be considered compromised. This includes cloud services such as Microsoft 365 and Azure-hosted resources such as virtual machines or databases. |
|
|
DEPRECATED |
|
|
Brand compromise covers ways in which an attacker can harm your company's reputation by, for instance, defacing the company's website, hosting malware off the company's domain, or carrying out phishing attacks that appear to originate from the company. |
|
|
Business email compromise allows attackers to send and receive emails under the guise of that user. Attackers commonly leverage email access to conduct business accounting fraud, conduct highly targeted phishing attacks, gain access to sensitive information, and elicit trusting coworkers to perform actions on their behalf. |
|
|
DEPRECATED. |
|
|
DEPRECATED. |
|
|
Critical infrastructure consists of key devices and applications that provide attackers a privileged position in the network from which they can access a wealth of sensitive data and launch further attacks. |
|
|
Once a domain is fully compromised, all hosts, domain user accounts, data, infrastructure and applications tied to that domain should be considered fully compromised. Additionally, applications running on a domain-joined machine or any application that uses Active Directory integration to authenticate users should be considered fully compromised. |
|
|
Once a domain user is compromised, anything that user account has access to should be considered compromised. |
|
|
Host compromise can lead to attackers gaining access to sensitive information, maintaining persistence within your network, and obtaining lateral movement within your networks. |
|
|
Perimeter breach can lead to attackers gaining access to your internal network from the public internet. |
|
|
Ransomware exposures can be used by attackers to obtain access to business-critical data stores, encrypt them with a secret key, and demand a ransom payment from your company before releasing the decryption key. Ransomware attacks can cause severe disruption to your business operations, even after the ransom is paid, as data stores must be decrypted and affected services restored. |
|
|
Sensitive data exposures can be used by attackers to obtain user credentials, PII (Personally identifiable information), financial account data, and other business-critical information to further exploit or gain profit. |
|
|
Once a Third Party SaaS user is compromised, anything that user has access to should be considered compromised. This could include access to private messages, files, and other application specific items. |
Example
"AWSUserRoleCompromise"
Int
Description
The Int scalar type represents non-fractional signed whole numeric values. Int can represent values between -(2^31) and 2^31 - 1.
Example
987
Long
Description
Int scalar type alias.
Example
Long
MitreMapping
Description
A MitreMapping consists of a specific combination of a MITRE Tactic, Technique, and optionally a Subtechnique. MitreMappings are associated with attack modules via ModuleMeta.
Fields
| Field Name | Description |
|---|---|
mitre_tactic_id - String!
|
The MITRE Tactic ID |
mitre_tactic - MitreTactic
|
The MITRE Tactic |
mitre_technique_id - String!
|
The MITRE Technique ID |
mitre_technique - MitreTechnique
|
The MITRE Technique |
mitre_subtechnique_id - String
|
The MITRE Subtechnique ID |
mitre_subtechnique - MitreSubtechnique
|
The MITRE Subtechnique |
Example
{
"mitre_tactic_id": "TA0043",
"mitre_tactic": MitreTactic,
"mitre_technique_id": "T1595",
"mitre_technique": MitreTechnique,
"mitre_subtechnique_id": "T1595.002",
"mitre_subtechnique": MitreSubtechnique
}
MitreSubtechnique
Description
Represents a MITRE Subtechnique
Fields
| Field Name | Description |
|---|---|
id - String!
|
The MITRE Subtechnique ID |
mitre_technique_id - String
|
The MITRE Technique ID that is the parent of this Subtechnique |
name - String
|
The MITRE Subtechnique name |
description - String
|
The MITRE Subtechnique description |
url - String
|
The documentation URL for the MITRE Subtechnique |
Example
{
"id": "T1595.001",
"mitre_technique_id": "T1595",
"name": "Scanning IP Blocks",
"description": "Adversaries may scan victim IP blocks...",
"url": "https://attack.mitre.org/techniques/T1595/001/"
}
MitreTactic
Description
Represents a MITRE Tactic
Example
{
"id": "TA0043",
"name": "Reconnaissance",
"description": "The adversary is trying to gather information...",
"url": "https://attack.mitre.org/tactics/TA0043/"
}
MitreTechnique
Description
Represents a MITRE Technique
Example
{
"id": "T1595",
"name": "Active Scanning",
"description": "Adversaries may execute active reconnaissance scans...",
"url": "https://attack.mitre.org/techniques/T1595/"
}
ModuleMeta
Description
Attack module metadata.
Fields
| Field Name | Description |
|---|---|
id - String!
|
ID of attack module. |
name - String
|
Name of attack module. |
description - String
|
Description of attack module. |
mitre_mappings - [MitreMapping]
|
MITRE Tactics, Techniques, and Subtechniques associated with this attack module |
Example
{
"id": "host_discovery",
"name": "Host Discovery",
"description": "The Host Discovery module finds assets on the network...",
"mitre_mappings": [MitreMapping]
}
Op
Description
Pentest data.
Fields
| Field Name | Description |
|---|---|
op_id - String
|
ID of pentest. |
op_type - OpType
|
Type of pentest. |
op_state - String!
|
State of pentest. |
op_name - String!
|
Name of pentest. |
scheduled_timestamp_iso - String!
|
Timestamp of pentest scheduling, in ISO format (UTC). |
scheduled_at - Datetime!
|
Timestamp of pentest scheduling |
scheduled_at_date - Date!
|
Date of pentest scheduling |
completed_timestamp_iso - String
|
Timestamp of pentest completion, in ISO format (UTC). |
launched_timestamp_iso - String
|
Timestamp of pentest launch, in ISO format (UTC). |
confirmed_credentials_count - Int
|
Number of confirmed credentials found. |
weaknesses_count - Int
|
Number of weaknesses found (weakness INSTANCEs, not unique weakness IDs). |
weaknesses_page - WeaknessesPage!
|
Returns the list of weaknesses found in this op. |
Arguments
|
|
in_scope_hosts_count - Int
|
Number of hosts found in scope. |
feature_flags - [FeatureFlag]
|
Advanced configuration settings for this pentest. |
nodezero_script_url - String
|
URL of the script that downloads and launches NodeZero. |
duration_hms - String
|
Pentest duration in HH:MM:SS format. |
duration_humanize - String
|
Pentest duration in "humanized" format . |
op_template_uuid - String
|
ID of OpTemplate used for this pentest. |
op_template_name - String
|
Name of OpTemplate used for this pentest. |
impact_paths_count - Int
|
Number of impact paths in the pentest. Alias of attack_paths_count. |
attack_paths_count - Int
|
Number of attack paths in the pentest. Alias of impact_paths_count. |
attack_paths_page - AttackPathsPage!
|
Returns the list of attack paths for this op. |
Arguments
|
|
phished_impact_paths_count - Int!
|
Number of impact paths downstream of phished credentials in the pentest. Alias of phished_attack_paths_count |
phished_attack_paths_count - Int!
|
Number of attack paths downstream of phished credentials in the pentest. Alias of phished_impact_paths_count. |
runner_uuid - String
|
ID of NodeZero Runner the op is assigned to. |
runner_name - String
|
Name of NodeZero Runner the op is assigned to. |
runner - Agent
|
NodeZero Runner the op is assigned to. |
schedule_uuid - String
|
ID of schedule the op is associated with. |
schedule_name - String
|
Name of schedule the op is associated with. |
Example
{
"op_id": "12341234-1234-1234-1234-123412341234",
"op_type": "NodeZero",
"op_state": "running",
"op_name": "your op name",
"scheduled_timestamp_iso": "2021-07-22T05:02:40.294996",
"scheduled_at": "2021-07-22T05:02:40.294996",
"scheduled_at_date": "2024-04-24T18:28:22.119Z",
"completed_timestamp_iso": "2021-07-22T05:02:40.294996",
"launched_timestamp_iso": "2021-07-22T05:02:40.294996",
"confirmed_credentials_count": 123,
"weaknesses_count": 987,
"weaknesses_page": WeaknessesPage,
"in_scope_hosts_count": 123,
"feature_flags": [FeatureFlag],
"nodezero_script_url": "https://example.com/example",
"duration_hms": "22:05:21",
"duration_humanize": "2 hours, 23 minutes",
"op_template_uuid": "12341234-1234-1234-1234-123412341234",
"op_template_name": "abc123",
"impact_paths_count": 123,
"attack_paths_count": 123,
"attack_paths_page": AttackPathsPage,
"phished_impact_paths_count": 987,
"phished_attack_paths_count": 123,
"runner_uuid": "12341234-1234-1234-1234-123412341234",
"runner_name": "abc123",
"runner": Agent,
"schedule_uuid": "12341234-1234-1234-1234-123412341234",
"schedule_name": "xyz789"
}
OpDiffInput
Description
Input for Query.weaknesses_diff_page and other diff-related APIs.
Example
{
"op_id_1": "xyz789",
"op_id_2": "xyz789"
}
OpInput
Description
Pentest input arguments.
Fields
| Input Field | Description |
|---|---|
op_id - String!
|
ID of pentest. |
Example
{"op_id": "12341234-1234-1234-1234-123412341234"}
OpTab
Description
Pentest data.
Fields
| Field Name | Description |
|---|---|
uuid - String
|
ID of pentest. |
op_id - String
|
ID of pentest. Same as uuid. |
op_state - String!
|
State of pentest:
|
op_name - String!
|
Name of pentest. |
scheduled_timestamp - Float!
|
Timestamp of pentest scheduling, in epoch seconds. |
scheduled_at - Datetime!
|
Timestamp of pentest scheduling |
scheduled_at_date - Date!
|
Date of pentest scheduling |
scheduled_timestamp_iso - String!
|
Timestamp of pentest scheduling, in ISO format (UTC). |
create_timestamp - Int!
|
Timestamp of pentest creation, in epoch seconds. |
create_timestamp_iso - String!
|
Timestamp of pentest creation, in ISO format (UTC). |
launched_timestamp - Int
|
Timestamp of pentest launching, in epoch seconds. |
launched_timestamp_iso - String
|
Timestamp of pentest launching, in ISO format (UTC). |
launched_at - Datetime
|
Timestamp of pentest launching |
completed_at - Datetime
|
Timestamp of pentest completion. |
completed_timestamp - Float
|
Timestamp of pentest completion, in epoch seconds. |
completed_timestamp_iso - String
|
Timestamp of pentest completion, in ISO format (UTC). |
canceled_at - Datetime
|
Timestamp of pentest cancellation. |
canceled_timestamp - Int
|
Timestamp of pentest cancellation, in epoch seconds. |
canceled_timestamp_iso - String
|
Timestamp of pentest cancellation, in ISO format (UTC). |
duration_hms - String
|
Pentest duration in HH:MM:SS format . |
duration_humanize - String
|
Pentest duration in "humanized" format . |
op_type - OpType
|
Type of pentest. |
weakness_types_count - Int
|
Number of unique weakness IDs found. |
weaknesses_count - Int
|
Number of weaknesses found (weakness INSTANCEs, not unique weakness IDs). |
host_tabs_count - Int
|
Number of hosts found in scope. Same as in_scope_endpoints_count. |
domain_controllers_count - Int
|
Number of domain controllers found in scope. |
credentials_count - Int
|
Number of credentials and potential credentials found. |
proven_credentials_count - Int
|
Number of credentials and potential credentials found with proof. |
confirmed_credentials_count - Int
|
Number of credentials with proof. Alias of proven_credentials_count. |
unproven_credentials_count - Int
|
Number of credentials without proof. |
activedir_passwords_count - Int
|
Number of credentials found in Active Directory Password Audit(s). |
enabled_activedir_passwords_count - Int
|
Number of enabled credentials found in Active Directory Password Audit(s). |
disabled_activedir_passwords_count - Int
|
Number of disabled credentials found in Active Directory Password Audit(s). |
feature_flags - [FeatureFlag]
|
Advanced configuration settings for this pentest. |
impacts_headline_count - Int
|
Number of impacts in the pentest, which generally refers to the number of assets affected by an impact. |
impact_paths_count - Int
|
Number of impact paths in the pentest. Alias of attack_paths_count. |
attack_paths_count - Int
|
Number of attack paths in the pentest. Alias of impact_paths_count. |
phished_impact_paths_count - Int!
|
Number of impact paths downstream of phished credentials in the pentest. Alias of phished_attack_paths_count |
phished_attack_paths_count - Int!
|
Number of attack paths downstream of phished credentials in the pentest. Alias of phished_impact_paths_count. |
nodezero_script_url - String
|
URL of the script that downloads and launches NodeZero. |
nodezero_ip - String
|
The IP address where NodeZero was launched. |
etl_completed_at - Datetime
|
Timestamp of pentest post-processing completion, in ISO format (UTC). |
start_paused - Boolean
|
Start paused. |
minimum_run_time - Int
|
Op minimum run-time, in minutes. |
maximum_run_time - Int
|
Op maximum run-time, in minutes. |
paused_at - Datetime
|
Time when the pentest was most recently paused. |
paused_by_user_account_uuid - String
|
ID of the user that most recently paused the pentest. |
paused_by_user_account - UserAccount
|
Data of user account that most recently paused the pentest. |
op_template_uuid - String
|
ID of OpTemplate used for this pentest. |
op_template_name - String
|
Name of OpTemplate used for this pentest. |
excluded_ips - [ExcludedIP]
|
IPs that were excluded from the pentest scope. Applies to external pentests only. |
excluded_domains - [ExcludedDomain]
|
Domains that were excluded from the pentest scope. Applies to external pentests only. |
runner_uuid - String
|
ID of NodeZero Runner the op is assigned to. |
runner_name - String
|
Name of NodeZero Runner the op is assigned to. |
runner - Agent
|
The NodeZero Runner the op is assigned to. |
run_nodezero_command - AgentCommand
|
The run-nodezero command sent to the NodeZero Runner. This field can be used to track status. |
schedule_uuid - String
|
ID of schedule the op is associated with. |
schedule_name - String
|
Name of schedule the op is associated with. |
auto_injected_credential_uuids - [String]
|
The set of credentials to be auto-injected (by a NodeZero Runner) into the op. |
Example
{
"uuid": "12341234-1234-1234-1234-123412341234",
"op_id": "12341234-1234-1234-1234-123412341234",
"op_state": "running",
"op_name": "your op name",
"scheduled_timestamp": "1600793100.0",
"scheduled_at": "2021-07-22T05:02:40.294996",
"scheduled_at_date": "2024-10-24T18:28:22.119Z",
"scheduled_timestamp_iso": "2021-07-22T05:02:40.294996",
"create_timestamp": "1600793100.0",
"create_timestamp_iso": "2021-07-22T05:02:40.294996",
"launched_timestamp": "1600793100.0",
"launched_timestamp_iso": "2021-07-22T05:02:40.294996",
"launched_at": "2021-07-22T05:02:40.294996",
"completed_at": "2021-07-22T05:02:40.294996",
"completed_timestamp": "1600793100.0",
"completed_timestamp_iso": "2021-07-22T05:02:40.294996",
"canceled_at": "2021-07-22T05:02:40.294996",
"canceled_timestamp": "1600793100.0",
"canceled_timestamp_iso": "2021-07-22T05:02:40.294996",
"duration_hms": "22:35:09",
"duration_humanize": "2 hours, 23 minutes",
"op_type": "NodeZero",
"weakness_types_count": 987,
"weaknesses_count": 123,
"host_tabs_count": 987,
"domain_controllers_count": 987,
"credentials_count": 123,
"proven_credentials_count": 987,
"confirmed_credentials_count": 123,
"unproven_credentials_count": 123,
"activedir_passwords_count": 123,
"enabled_activedir_passwords_count": 987,
"disabled_activedir_passwords_count": 987,
"feature_flags": [FeatureFlag],
"impacts_headline_count": 987,
"impact_paths_count": 123,
"attack_paths_count": 123,
"phished_impact_paths_count": 987,
"phished_attack_paths_count": 123,
"nodezero_script_url": "https://example.com/example",
"nodezero_ip": "123.45.67.89",
"etl_completed_at": "2021-07-22T05:02:40.294996",
"start_paused": false,
"minimum_run_time": 987,
"maximum_run_time": 123,
"paused_at": "2021-07-22T05:02:40.294996",
"paused_by_user_account_uuid": "12341234-1234-1234-1234-123412341234",
"paused_by_user_account": UserAccount,
"op_template_uuid": "12341234-1234-1234-1234-123412341234",
"op_template_name": "xyz789",
"excluded_ips": [ExcludedIP],
"excluded_domains": [ExcludedDomain],
"runner_uuid": "12341234-1234-1234-1234-123412341234",
"runner_name": "xyz789",
"runner": Agent,
"run_nodezero_command": AgentCommand,
"schedule_uuid": "12341234-1234-1234-1234-123412341234",
"schedule_name": "abc123",
"auto_injected_credential_uuids": [
"xyz789"
]
}
OpTabsPage
OpTemplate
Description
Pentest (aka "Op") template information.
Fields
| Field Name | Description |
|---|---|
uuid - String!
|
ID of pentest template. |
user_account_uuid - String!
|
ID of user account that created the pentest template. |
client_account_uuid - String!
|
ID of client account that created pentest template. |
op_template_name - String!
|
Name of template. |
op_type - OpType!
|
Type of pentest this template applies to. "NodeZero" for internal pentests; "ExternalAttack" for external pentests. |
schedule_op_form - ScheduleOpForm!
|
Template data for scheduling pentests. |
row_created_at - Datetime!
|
Timestamp when the template was created. |
row_updated_at - Datetime
|
Timestamp when the template was last updated. |
Example
{
"uuid": "12341234-1234-1234-1234-123412341234",
"user_account_uuid": "12341234-1234-1234-1234-123412341234",
"client_account_uuid": "12341234-1234-1234-1234-123412341234",
"op_template_name": "xyz789",
"op_type": "NodeZero",
"schedule_op_form": ScheduleOpForm,
"row_created_at": "2021-07-22T05:02:40.294996",
"row_updated_at": "2021-07-22T05:02:40.294996"
}
OpTemplatesPage
Fields
| Field Name | Description |
|---|---|
page_info - PageInfo
|
Information about the page. |
op_templates - [OpTemplate!]!
|
List of pentest templates. |
Example
{
"page_info": PageInfo,
"op_templates": [OpTemplate]
}
OpType
Description
Operation type.
Values
| Enum Value | Description |
|---|---|
|
|
Internal pentest. |
|
|
External asset discovery. |
|
|
External pentest. |
|
|
Network Enumeration. |
|
|
AD Password Audit. |
|
|
Phishing. |
|
|
AWS pentest. |
|
|
Azure pentest. |
Example
"NodeZero"
PageInfo
Description
Pagination of response data.
Fields
| Field Name | Description |
|---|---|
page_num - Int
|
Page number returned by query. |
page_size - Int
|
Maximum number of items in page. |
text_search - String
|
Text searched across all text columns in the target table. |
filter_by_inputs - [FilterBy]
|
List of filters used with AND condition. |
Example
{
"page_num": 1,
"page_size": 20,
"text_search": "xyz789",
"filter_by_inputs": [FilterBy]
}
PageInput
Description
Pagination inputs.
Fields
| Input Field | Description |
|---|---|
page_num - Int
|
Page number to query. |
page_size - Int
|
Maximum number of items per page. |
order_by - String
|
Name of parameter to order by. |
sort_order - SortOrder
|
Method to order by. |
sort_inputs - [SortInput]
|
List of parameters to sort by. |
filter_by_inputs - [FilterByInput]
|
List of filters to use with AND condition. |
text_search - String
|
Searches across all text columns in the target table. |
Example
{
"page_num": 1,
"page_size": 10,
"order_by": "name",
"sort_order": "ASC",
"sort_inputs": [SortInput],
"filter_by_inputs": [FilterByInput],
"text_search": "abc123"
}
Pentest
Description
Pentest data.
Fields
| Field Name | Description |
|---|---|
op_id - String!
|
ID of pentest. |
op_type - OpType
|
Type of pentest. |
name - String!
|
Name assigned to the pentest. |
state - PortalOpState!
|
op state used exclusively in portal |
user_name - String!
|
The user who scheduled the pentest. |
client_name - String!
|
The client account that owns the pentest. |
min_scope - [String]
|
The "minimum" scope is used in combination with "auto-expand scope" to specify the set of IPs and CIDR ranges that positively should be scanned, in addition to whatever other IPs are discovered during the pentest (up to and including the max_scope, if defined). |
max_scope - [String]
|
The "maximum" scope specifies the full range of IPs and CIDR ranges that are allowed to be discovered and scanned during the pentest. |
exclude_scope - [String]
|
IPs and CIDR ranges that are excluded from the pentest. |
git_accounts - [GitAccount]
|
List of Git accounts to include in pentest. |
aws_account_ids - [AWSAccountId]
|
List of AWS accounts to include in pentest. |
feature_flags - [FeatureFlag]
|
Advanced configuration options. |
scheduled_at - Datetime!
|
Timestamp of pentest scheduling. |
launched_at - Datetime
|
Timestamp of pentest launching. |
completed_at - Datetime
|
Timestamp of pentest completion. |
canceled_at - Datetime
|
Timestamp of pentest cancellation. |
etl_completed_at - Datetime
|
Timestamp of pentest ETL completion. |
duration_s - Int
|
Pentest duration in seconds. |
impacts_count - Int
|
Number of impacts found. Technically counts up the number of unique impact type + affected asset combinations. |
impact_paths_count - Int
|
Number of impact paths found. Alias of `attack_paths_count. |
attack_paths_count - Int
|
Number of attack paths found. Alias of `impact_paths_count. |
attack_paths_page - AttackPathsPage!
|
Returns the list of attack paths for this op. |
Arguments
|
|
phished_impact_paths_count - Int!
|
Number of impact paths found downstream of phished credentials. Alias of phished_attack_paths_count |
phished_attack_paths_count - Int!
|
Number of attack paths found downstream of phished credentials. Alias of phished_impact_paths_count. |
weakness_types_count - Int
|
Number of unique weakness IDs found. |
weaknesses_count - Int
|
Number of weaknesses found. |
weaknesses_page - WeaknessesPage!
|
Returns the list of weaknesses for this op. |
Arguments
|
|
hosts_count - Int
|
Number of in-scope hosts (IPs) scanned during the pentest |
out_of_scope_hosts_count - Int
|
Number of out-of-scope hosts (IPs) found during the pentest. |
external_domains_count - Int
|
Number of domains found. |
services_count - Int
|
Number of services found. |
credentials_count - Int
|
Number of credentials found, both discovered and confirmed. |
users_count - Int
|
Number of users found. |
cred_access_count - Int
|
Counts the number of unique combinations of credential + accessed asset. |
data_stores_count - Int
|
Number of data stores found, eg FileShares, DatabaseRepos, S3Buckets, GitRepos, etc. Excludes websites. |
websites_count - Int
|
Number of websites found. |
data_resources_count - Long
|
Count of all data resources (files, DB records, etc) across all data stores. |
nodezero_script_url - String
|
URL of the script that downloads and launches NodeZero. |
nodezero_ip - String
|
IP address of NodeZero. |
runner - Agent
|
The NodeZero Runner the op is assigned to. |
Example
{
"op_id": "12341234-1234-1234-1234-123412341234",
"op_type": "NodeZero",
"name": "abc123",
"state": "done",
"user_name": "abc123",
"client_name": "abc123",
"min_scope": ["abc123"],
"max_scope": ["abc123"],
"exclude_scope": ["abc123"],
"git_accounts": [GitAccount],
"aws_account_ids": [AWSAccountId],
"feature_flags": [FeatureFlag],
"scheduled_at": "2021-07-22T05:02:40.294996",
"launched_at": "2021-07-22T05:02:40.294996",
"completed_at": "2021-07-22T05:02:40.294996",
"canceled_at": "2021-07-22T05:02:40.294996",
"etl_completed_at": "2021-07-22T05:02:40.294996",
"duration_s": 123,
"impacts_count": 123,
"impact_paths_count": 123,
"attack_paths_count": 123,
"attack_paths_page": AttackPathsPage,
"phished_impact_paths_count": 987,
"phished_attack_paths_count": 987,
"weakness_types_count": 123,
"weaknesses_count": 987,
"weaknesses_page": WeaknessesPage,
"hosts_count": 987,
"out_of_scope_hosts_count": 123,
"external_domains_count": 987,
"services_count": 987,
"credentials_count": 123,
"users_count": 987,
"cred_access_count": 123,
"data_stores_count": 987,
"websites_count": 123,
"data_resources_count": Long,
"nodezero_script_url": "https://example.com/example",
"nodezero_ip": "123.45.67.89",
"runner": Agent
}
PentestableEntitiesBulkOutput
Description
Output type for several Mutations that authorize assets for external pentesting.
Fields
| Field Name | Description |
|---|---|
pentestable_entities_count - Int!
|
Number of domain and IP assets that were updated by this request. |
Example
{"pentestable_entities_count": 123}
PentestableEntitiesOutput
Description
Output type for several Mutations that authorize assets for external pentesting.
Fields
| Field Name | Description |
|---|---|
pentestable_entities - [PentestableEntity]
|
List of domain and IP assets, along with their authorization status, that were modified by this request. |
blocked_pentestable_entities - [BlockedPentestableEntity]
|
List of domain and IP assets that were BLOCKED from authorization. Assets are blocked if we determine they are owned by providers that do not permit pentesting. See BlockedPentestableEntity.pentestable_rules.authz_warning for more details. |
Example
{
"pentestable_entities": [PentestableEntity],
"blocked_pentestable_entities": [
BlockedPentestableEntity
]
}
PentestableEntity
Description
A PentestableEntity links a domain (ExternalDomainXop) or IP (HostTabXop) to its authorization status for external pentesting.
Example
{"uuid": "12341234-1234-1234-1234-123412341234", "is_authorized": false}
PentestableRules
Description
The result of applying the rules for allowing ExternalDomains/HostTabs to be pentested via ExternalAttack.
Fields
| Field Name | Description |
|---|---|
action_tooltip - String
|
Tooltip text explaining why an asset was BLOCKED. |
authz_warning - String
|
Tooltip text warning the user about authorizing this asset and extra vetting of asset ownership that may be required. |
authz_warning_label - String
|
Label for auth_warning |
is_allowed - Boolean!
|
The final, ultimate result of applying the authz rules. |
Example
{
"action_tooltip": "abc123",
"authz_warning": "abc123",
"authz_warning_label": "xyz789",
"is_allowed": true
}
PentestsPage
Fields
| Field Name | Description |
|---|---|
page_info - PageInfo
|
Pagination of response. |
pentests - [Pentest!]!
|
List of asset groups. |
Example
{
"page_info": PageInfo,
"pentests": [Pentest]
}
PortalOpState
Description
Op states used in portal
Values
| Enum Value | Description |
|---|---|
|
|
The pentest is fully complete and results are available in Portal. |
|
|
The pentest was ended early by the user. Results are available in Portal. |
|
|
The pentest suffered an error. The H3 team is working on it! |
|
|
The pentest is waiting for NodeZero to be launched. |
|
|
The pentest was configured to start in a paused state. |
|
|
The pentest is paused by a user. |
|
|
The pentest is paused, possibly due to connectivity issues with NodeZero. |
|
|
The pentest is in the process of pausing. |
|
|
Resources are being provisioned for the pentest. |
|
|
Resources are being provisioned for the pentest. Once provisioning is complete, the pentest will start in a paused state. |
|
|
The pentest results are being processed. |
|
|
The pentest is resuming from a paused state. |
|
|
The pentest is live and running. |
|
|
The pentest has been queued up and will begin provisioning resources shortly. |
|
|
The pentest has been queued up and will begin provisioning resources shortly. |
|
|
The pentest is in an unknown state. |
Example
"done"
SaveOpTemplateOutput
Fields
| Field Name | Description |
|---|---|
op_template - OpTemplate!
|
The saved op template |
Example
{"op_template": OpTemplate}
ScheduleOpForm
Description
Data to schedule pentest.
Fields
| Field Name | Description |
|---|---|
op_name - String!
|
Name of pentest. |
op_type - OpType
|
Type of pentest. Defaults to NodeZero. |
op_param_blacklist - String
|
This scope is EXCLUDED from the pentest. Hosts and subnets that fall within this scope will NOT be pentested. Scope is defined as comma-separated values. Accepts CIDR ranges or plain IP addresses. |
op_param_min_scope - String
|
Minimum scope is used in combination with Intelligent Scope and Auto-Expand Scope. It specifies the scope that will be explicitly pentested, in addition to any other hosts and subnets that are organically discovered by NodeZero during the pentest. Scope is specified as comma-separated values. Accepts CIDR ranges or plain IP addresses. |
op_param_max_scope - String
|
Maximum scope of pentest. This represents the upper limits of the pentest scope. Only hosts and subnets that fall within the maximum scope will be pentested. If not defined, the pentest will default to Intelligent Scope. Scope is specified as comma-separated values. Accepts CIDR ranges or plain IP addresses. |
feature_flags - [FeatureFlag]
|
Advanced configuration settings that control the types of attacks conducted during the pentest. |
osint_domains - [String]
|
List of company domains that will be scanned for OSINT (open-source intelligence). |
osint_company_names - [String]
|
List of company names that will be used for discovering OSINT (open-source intelligence). |
passwords_to_spray - [String]
|
A set of passwords to use for password spraying. |
git_accounts - [GitAccount]
|
List of Git accounts to scan during the pentest. |
aws_account_ids - [AWSAccountId]
|
List of AWS accounts to scan during the pentest. |
asset_group_uuid - String
|
ID of asset group containing authorized assets that will be pentested. Applies to external pentests only (op_type=ExternalAttack). |
start_paused - Boolean
|
Start the pentest in paused state. This option is useful for external pentests when NodeZero's IP address must first be known in order to open up firewalls. |
minimum_run_time - Int
|
Op minimum run-time, in minutes. This option is useful to give extra time for password spraying and/or man-in-the-middle relay attacks. |
maximum_run_time - Int
|
Op maximum run-time, in minutes. |
runner_name - String
|
Name of NodeZero Runner that will launch the op. |
runner_uuid - String
|
ID of NodeZero Runner that will launch the op. |
auto_injected_credential_uuids - [String!]
|
The set of credentials to be auto-injected (by a NodeZero Runner) into the op. |
targeted_test_id - String
|
ID of the targeted test to use for the pentest. |
Example
{
"op_name": "your op name",
"op_type": "NodeZero",
"op_param_blacklist": "123.45.67.89, 12.3.4.56",
"op_param_min_scope": "123.45.67.89, 12.3.4.56",
"op_param_max_scope": "123.45.67.89, 12.3.4.56",
"feature_flags": [FeatureFlag],
"osint_domains": ["example.com"],
"osint_company_names": ["Horizon3"],
"passwords_to_spray": ["passw0rd!"],
"git_accounts": [GitAccount],
"aws_account_ids": [AWSAccountId],
"asset_group_uuid": "12341234-1234-1234-1234-123412341234",
"start_paused": true,
"minimum_run_time": 987,
"maximum_run_time": 987,
"runner_name": "abc123",
"runner_uuid": "12341234-1234-1234-1234-123412341234",
"auto_injected_credential_uuids": [
"xyz789"
],
"targeted_test_id": "xyz789"
}
ScheduleOpFormInput
Description
Inputs to schedule pentest.
Fields
| Input Field | Description |
|---|---|
op_name - String
|
Name of pentest. |
op_type - OpType
|
Type of pentest. Defaults to NodeZero. |
op_param_blacklist - String
|
This scope is EXCLUDED from the pentest. Hosts and subnets that fall within this scope will NOT be pentested. Scope is defined as comma-separated values. Accepts CIDR ranges or plain IP addresses. |
op_param_min_scope - String
|
Minimum scope is used in combination with Intelligent Scope and Auto-Expand Scope. It specifies the scope that will be explicitly pentested, in addition to any other hosts and subnets that are organically discovered by NodeZero during the pentest. Scope is specified as comma-separated values. Accepts CIDR ranges or plain IP addresses. |
op_param_max_scope - String
|
Maximum scope of pentest. This represents the upper limits of the pentest scope. Only hosts and subnets that fall within the maximum scope will be pentested. If not defined, the pentest will default to Intelligent Scope. Scope is specified as comma-separated values. Accepts CIDR ranges or plain IP addresses. |
feature_flags - [FeatureFlagInput]
|
Advanced configuration settings that control the types of attacks conducted during the pentest. |
osint_domains - [String]
|
List of company domains that will be scanned for OSINT (open-source intelligence). |
osint_company_names - [String]
|
List of company names that will be used for discovering OSINT (open-source intelligence). |
passwords_to_spray - [String]
|
A set of passwords to use for password spraying. |
git_accounts - [GitAccountInput]
|
List of Git accounts to scan during the pentest. |
aws_account_ids - [AWSAccountId]
|
List of AWS accounts to scan during the pentest. |
asset_group_uuid - String
|
ID of asset group containing authorized assets that will be pentested. Applies to external pentests only (op_type=ExternalAttack). |
start_paused - Boolean
|
Start the pentest in paused state. This option is useful for external pentests when NodeZero's IP address must first be known in order to open up firewalls. |
minimum_run_time - Int
|
Op minimum run-time, in minutes. This option is useful to give extra time for password spraying and/or man-in-the-middle relay attacks. |
maximum_run_time - Int
|
Op maximum run-time, in minutes. |
runner_name - String
|
Name of NodeZero Runner that will launch the op. |
runner_uuid - String
|
ID of NodeZero Runner that will launch the op. |
auto_injected_credential_uuids - [String!]
|
The set of credentials to be auto-injected (by a NodeZero Runner) into the op. |
targeted_test_id - String
|
ID of the targeted test to use for the pentest. |
Example
{
"op_name": "your op name",
"op_type": "NodeZero",
"op_param_blacklist": "123.45.67.89, 12.3.4.56",
"op_param_min_scope": "123.45.67.89, 12.3.4.56",
"op_param_max_scope": "123.45.67.89, 12.3.4.56",
"feature_flags": [FeatureFlagInput],
"osint_domains": ["example.com"],
"osint_company_names": ["xyz789"],
"passwords_to_spray": ["abc123"],
"git_accounts": [GitAccountInput],
"aws_account_ids": [AWSAccountId],
"asset_group_uuid": "12341234-1234-1234-1234-123412341234",
"start_paused": false,
"minimum_run_time": 123,
"maximum_run_time": 987,
"runner_name": "xyz789",
"runner_uuid": "12341234-1234-1234-1234-123412341234",
"auto_injected_credential_uuids": [
"xyz789"
],
"targeted_test_id": "xyz789"
}
ScheduleOpOutput
Description
Scheduled pentest data.
Fields
| Field Name | Description |
|---|---|
op - Op!
|
Data for a pentest. |
Example
{"op": Op}
Severity
Description
Severity levels associated with a finding's risk score.
score <= 0 : INFO
0 < score < 4.0: LOW
4.0 <= score < 7.0: MEDIUM
7.0 <= score < 9.0: HIGH
9.0 <= score : CRITICAL
Values
| Enum Value | Description |
|---|---|
|
|
score <= 0 |
|
|
0 < score < 4.0 |
|
|
4.0 <= score < 7.0 |
|
|
7.0 <= score < 9.0 |
|
|
9.0 <= score |
Example
"INFO"
SignInType
Values
| Enum Value | Description |
|---|---|
|
|
Basic authentiation using username and password. |
|
|
Federated authentication via Google. |
|
|
Federated authentication via LinkedIn. |
|
|
Federated authentication via Microsoft. |
|
|
Private SSO. |
Example
"BASIC"
SortInput
Description
Parameter to sort by.
Fields
| Input Field | Description |
|---|---|
order_by - StringNoWhitespace!
|
Name of parameter to order by. |
sort_order - SortOrder
|
Method to order by. |
nulls_first - Boolean
|
Flag to control if nulls are ordered first or last. |
Example
{"order_by": "name", "sort_order": "ASC", "nulls_first": true}
SortOrder
Description
Method to order by.
Values
| Enum Value | Description |
|---|---|
|
|
Ascending order. |
|
|
Descending order. |
Example
"ASC"
String
Description
The String scalar type represents textual data, represented as UTF-8 character sequences. The String type is most often used by GraphQL to represent free-form human-readable text.
Example
"xyz789"
StringNoWhitespace
Description
String scalar type that cannot be an empty string or contain whitespace.
Example
StringNoWhitespace
StringNotEmpty
Description
String scalar type that cannot be an empty string.
Example
StringNotEmpty
UpdateOpTemplateOutput
Fields
| Field Name | Description |
|---|---|
op_template - OpTemplate!
|
The updated op template |
Example
{"op_template": OpTemplate}
UpdateUserAccountInput
Description
Arguments to update user account.
Fields
| Input Field | Description |
|---|---|
email - EmailAddress!
|
Email of user to update. |
client_account_uuid - String
|
ID of client account to update the user for, when applicable. Defaults to the current user client account. |
user_role_id - AuthzRole!
|
Role of user in the given client account. |
name - String!
|
Name of user. |
Example
{
"email": "john.smith@example.com",
"client_account_uuid": "12341234-1234-1234-1234-123412341234",
"user_role_id": "USER",
"name": "John Smith"
}
UserAccount
Description
User account data.
Fields
| Field Name | Description |
|---|---|
uuid - String
|
ID of user account. |
email - EmailAddress
|
User email address. |
name - String
|
User name. |
user_role_id - AuthzRole
|
Role of this user in the calling user's ClientAccount. |
sign_in_type - SignInType
|
Indicates the type of sign-in credentials used by this specific UserAccount |
last_signed_in_at - Datetime
|
Timestamp of last time this user signed in under the current user's ClientAccount. |
Example
{
"uuid": "12341234-1234-1234-1234-123412341234",
"email": "john.smith@example.com",
"name": "John Smith",
"user_role_id": "USER",
"sign_in_type": "BASIC",
"last_signed_in_at": "2021-07-22T05:02:40.294996"
}
VulnCategory
Description
Vuln categories.
Values
| Enum Value | Description |
|---|---|
|
|
The vuln is related to a security misconfiguration of an asset. |
|
|
A product/asset vulnerability. |
|
|
The vuln is related to ineffective or insufficient security policies. |
|
|
The vuln is related to ineffective or insufficient security controls or policies. |
|
|
The vuln is related to credential management or policies. |
Example
"SECURITY_MISCONFIGURATION"
Weakness
Description
A Weakness record represents an observed vulnerability on an affected asset; ie. there is one Weakness record per unique vuln_id + affected asset combination.
Fields
| Field Name | Description |
|---|---|
uuid - String!
|
Unique ID for this Weakness instance. |
created_at - Datetime!
|
When this Weakness was observed. |
vuln_id - String!
|
The Weakness's vuln ID. |
vuln_aliases - [String!]
|
Well-known aliases for this vuln. |
vuln_category - VulnCategory
|
The vuln's category |
vuln_name - String
|
The vuln's official name. |
vuln_short_name - String
|
A convenient short name for the vuln. |
vuln_cisa_kev - Boolean
|
True if the vuln is a CISA Known Exploited Vulnerability |
vuln_known_ransomware_campaign_use - Boolean
|
True if the vuln is a CISA Known to be Used in Ransomware Campaigns. |
op_id - String!
|
The op_id for the Op in which this Weakness was observed. |
ip - String
|
The IP address where this Weakness was observed. |
has_proof - Boolean
|
Indicates whether or not we captured proof of the Weakness. |
proof_failure_code - String
|
The reason why we failed to capture proof, if applicable. One of: exploit_failed, not_configured, no_exploit, timeout. |
proof_failure_reason - String
|
The reason why we failed to capture proof, if applicable. |
score - Float
|
The risk score for this Weakness (equal to context_score if set, otherwise base_score). |
severity - Severity
|
Severity level associated with the score. |
base_score - Float
|
Base risk score associated with the vuln ID. |
base_severity - Severity
|
Severity level associated with the base risk score. |
context_score - Float
|
Risk score based on the weakness's total impact on the environment. |
context_severity - Severity
|
Severity level associated with the context score. |
context_score_description_md - String
|
Description explaining the context score/downstream impact for this weakness (in markdown format). |
context_score_description - String
|
Description explaining the context score/downstream impact for this weakness. |
time_to_finding_hms - String
|
Time-to-finding in hh:mm:ss format |
time_to_finding_s - Int
|
Time-to-finding in seconds |
affected_asset_text - String
|
The display name of the asset directly affected by this weakness. |
affected_asset_short_text - String
|
The short name of the asset directly affected by this weakness. |
downstream_impact_types - [ImpactType!]
|
List of ImpactTypes found downstream of this weakness, equivalent to related impacts. |
downstream_impact_types_and_counts - [String!]
|
List of ImpactTypes and associated counts found downstream of this weakness, equivalent to related impacts. Each array element is formatted as ImpactType,count, e.g. ["RansomwareExposure,2", "SensitiveDataExposure,2"] |
impact_paths_count - Int!
|
The number of Impact paths the weakness is included in. This should sum up to downstream_impact_types_and_counts. Alias of attack_paths_count. |
attack_paths_count - Int!
|
The number of attack paths the weakness is included in. This should sum up to downstream_impact_types_and_counts. Alias of impact_paths_count. |
diff_status - DiffStatus
|
This field is only used when performing a diff between ops, for example via If a weakness was present in the first op, but not the second op, its If a weakness was present in the second op, but not the first op, its |
mitre_mappings - [MitreMapping!]
|
The set of MITRE techniques associated with the discovery of this weakness. |
Example
{
"uuid": "12341234-1234-1234-1234-123412341234",
"created_at": "2021-07-22T05:02:40.294996",
"vuln_id": "abc123",
"vuln_aliases": ["xyz789"],
"vuln_category": "SECURITY_MISCONFIGURATION",
"vuln_name": "xyz789",
"vuln_short_name": "xyz789",
"vuln_cisa_kev": false,
"vuln_known_ransomware_campaign_use": true,
"op_id": "12341234-1234-1234-1234-123412341234",
"ip": "123.45.67.89",
"has_proof": false,
"proof_failure_code": "xyz789",
"proof_failure_reason": "abc123",
"score": 123.45,
"severity": "INFO",
"base_score": 987.65,
"base_severity": "INFO",
"context_score": 987.65,
"context_severity": "INFO",
"context_score_description_md": "abc123",
"context_score_description": "abc123",
"time_to_finding_hms": "22:05:31",
"time_to_finding_s": 987,
"affected_asset_text": "abc123",
"affected_asset_short_text": "xyz789",
"downstream_impact_types": ["AWSUserRoleCompromise"],
"downstream_impact_types_and_counts": [
"xyz789"
],
"impact_paths_count": 123,
"attack_paths_count": 987,
"diff_status": "ADDED",
"mitre_mappings": [MitreMapping]
}
WeaknessCSV
Description
String scalar type representing a WeaknessCSV row with columns:
- WeaknessID: String
- FirstSeen: Datetime
- Name: String
- RootCause: String
- Severity: String
- ContextScore: Float
- ContextScoreDescription: String
- Confirmed: Boolean
- Hostname: String
- CNAME: String
- OS: String
- IP: String
- Port: Int
- Protocol: String
- ProtocolPort: String
- Service: String
- ServiceType: String
- Product: String
- OpID: String
- Description: String
- AssetID: String
- AllHostnames: String
- Repo: String
- Vhost: String
- ResourceUri: String
- UserName: String
- UserDomainName: String
- ProvenEntityEid: String
- Impact: String
- Mitigations: String
- References: String
Example
WeaknessCSV
WeaknessesDiffPage
Description
Contains a page of Weakness records, as fetched via Query.weaknesses_diff_page.
Fields
| Field Name | Description |
|---|---|
page_info - PageInfo
|
Information about the current page. |
weaknesses - [Weakness!]!
|
List of weaknesses for the current page. |
Example
{
"page_info": PageInfo,
"weaknesses": [Weakness]
}
WeaknessesPage
Description
Contains a page of Weakness records, as fetched via Query.weaknesses_page.
Fields
| Field Name | Description |
|---|---|
page_info - PageInfo
|
Information about the current page. |
weaknesses - [Weakness!]!
|
List of weaknesses for the current page. |
Example
{
"page_info": PageInfo,
"weaknesses": [Weakness]
}