List security events from Defender, Guardian, and Architect.

External Documentation

To learn more, visit the Tessian documentation.

Parameters

| Parameter | Description |
| --- | --- |
| Created After | Only include events that were created after this time. You should use either this parameter, or the after_checkpoint parameter, but not both at once. If this parameter is provided, but no events are returned, the checkpoint will behave as if no checkpoint was provided at all. |
| Limit | The maximum number of events to return. |
| Pagination Cursor | Use with the output of the checkpoint field to retrieve the next set of events. |

Example Output

{
	"additional_results": false,
	"checkpoint": "This value can be provided to a subsequent request via the `after_checkpoint` query parameter to ensure that events from this request are not returned in future responses. This allows clients to paginate through results.\n",
	"results": [
		{
			"created_at": "When the event was created in UTC.",
			"guardian_details": {
				"admin_action": "The most recent action taken by an admin on this event.",
				"anomalous_attachments": [
					"string"
				],
				"anomalous_recipients": [
					"email"
				],
				"breach_prevented": false,
				"final_outcome": "The final outcome of the email. `null` if it has not yet been determined.",
				"flag_reason": "The reason that Guardian flagged this email as being misdirected.",
				"justifications": [
					"string"
				],
				"misattached_file_reasons": [
					"string"
				],
				"suggested_recipients": [
					"email"
				],
				"triggered_filter_ids": [
					"string"
				],
				"triggered_filter_names": [
					"string"
				],
				"type": "The type of Guardian event.",
				"user_responses": [
					"string"
				],
				"user_shown_message": false
			},
			"id": "A unique identifier for the event.",
			"outbound_email_details": {
				"attachments": {
					"bytes": 0,
					"count": 0,
					"names": [
						"string"
					]
				},
				"changes_made": {},
				"final_outcome": "The final outcome of the email. `null` if it has not yet been determined.",
				"from": "email",
				"message_id": "The email's Message-ID. This field is `null` if no Message-ID was ever assigned to the email (for example if the Tessian outlook addin prevented the email from ever being sent).\n",
				"recipients": {
					"all": [
						"email"
					],
					"bcc": [
						"email"
					],
					"cc": [
						"email"
					],
					"count": 0,
					"to": [
						"email"
					]
				},
				"reply_to": [
					"email"
				],
				"send_time": "The time that the email was sent or a send attempt was made in UTC.",
				"subject": "The subject of the email.",
				"subsequent_action": "The user's subsequent action after responding to the Tessian warning message.",
				"tessian_action": "The action Tessian took when the user tried to send the email. If multiple modules triggered, the action might be the result of another module (i.e. not the module described by this event).\n",
				"tessian_id": "A unique identifier assigned to the email by Tessian. Similar in concept to an email's Message-ID except it is guaranteed to always be assigned (even if the email was never sent).\n",
				"transmitter": "email"
			},
			"portal_link": "An HTTP link to the Tessian portal where further information about this event can be viewed.\n",
			"type": "The type of event.",
			"updated_at": "When the event was last updated in UTC. Creation is counted as an update."
		}
	]
}
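
The polling loop implied by the parameters and the `checkpoint` / `additional_results` fields above, as an added example that is not code from Tessian or from this workflow library. `drain_events`, `fetch_page` and `make_fake_api` are hypothetical names, the query names `created_after` and `limit` are assumed (only `after_checkpoint` is named on this page), and the fake API and sample events are constructed so the loop runs offline.

```python
from typing import Callable, Optional

def drain_events(fetch_page: Callable[[dict], dict], created_after: Optional[str] = None,
                 checkpoint: Optional[str] = None, limit: int = 100, max_pages: int = 1000):
    """Page through events; return (events, checkpoint to persist for the next poll)."""
    if created_after is not None and checkpoint is not None:
        raise ValueError("use created_after or after_checkpoint, not both")
    events, seen = [], set()
    for _ in range(max_pages):
        params = {"limit": limit}
        if checkpoint is not None:
            params["after_checkpoint"] = checkpoint
        elif created_after is not None:
            params["created_after"] = created_after  # assumed query name
        page = fetch_page(params)
        results = page.get("results") or []
        for event in results:
            if event["id"] not in seen:  # tolerate a replayed event
                seen.add(event["id"])
                events.append(event)
        # Documented caveat: a Created After request that returns no events yields
        # a checkpoint that behaves as if none was provided, so do not adopt it.
        if results or "created_after" not in params:
            checkpoint = page.get("checkpoint", checkpoint)
        if not results or not page.get("additional_results"):
            break
    return events, checkpoint

# Constructed sample events, oldest first (not real Tessian data).
SAMPLE_EVENTS = [{"id": f"evt-{i}", "created_at": f"2024-01-0{i}T00:00:00Z"}
                 for i in range(1, 6)]

def make_fake_api(events):
    """Constructed stand-in for the endpoint; its checkpoint is just a list offset."""
    calls = []
    def fetch_page(params):
        calls.append(dict(params))
        if "after_checkpoint" in params:
            start = int(params["after_checkpoint"])
        else:
            start = sum(e["created_at"] <= params.get("created_after", "") for e in events)
        page = events[start:start + params["limit"]]
        end = start + len(page)
        empty_time_query = "created_after" in params and not page
        return {"results": page, "checkpoint": "0" if empty_time_query else str(end),
                "additional_results": end < len(events)}
    return fetch_page, calls
```

When the returned checkpoint is `None`, the caller keeps polling with the same Created After value; otherwise it stores the checkpoint and drops the time filter.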

Workflow Library Example

List Security Events with Tessian and Send Results Via Email
