POST /ingest-log is the main entry point for feeding raw security events into SAW. You can send a structured JSON object with individual fields (IP address, HTTP method, path, payload) or post a plain-text log line directly. Either way, the server runs the full four-agent triage pipeline and returns a decorated result with the threat classification, decision, and any mitigation actions taken.
Authentication
Include your API key in the x-api-key request header. The default key for local development is demo.
Request
Headers
x-api-key: API key for authentication. Requests without a valid key return 401 unauthorized.
x-event-id: Optional idempotency key for replay prevention. If a request with the same x-event-id arrives within 30 seconds of a prior request, the server returns 409 replay_detected without re-processing the log. You can also set this field inside the JSON body as event_id.
Content-Type: Set to application/json when sending structured log fields. Omit or use any other value to send a plain-text log body.
Body
Source IP address of the event (e.g., "192.168.1.55").
HTTP method associated with the event (e.g., "POST"). Normalized to uppercase.
Request path associated with the event (e.g., "/api/login").
Body or parameter string from the original request (e.g., "username=admin' OR 1=1--").
A pre-formatted raw log string. When present, all other structured fields are ignored and this string is used as the triage input.
Label identifying the upstream system that submitted the log. Stored on the incident record for audit purposes.
event_id: Idempotency key for replay prevention. Equivalent to the x-event-id header; the body field takes precedence if both are provided.
If Content-Type is not application/json, the entire body is treated as a raw log string. The server sets source to "web_app_login_endpoint" automatically.
Examples
Structured JSON log
Response
On success the server returns 200 with the decorated triage result.
Unique identifier for this request, prefixed with req_. Use this for log correlation and support inquiries.
Identifier of the incident record created in the SAW database for this event.
"COMPLETED" if all agents executed without errors. "DEGRADED" if one or more agents failed mid-pipeline; the trace.agent_orchestration.failures array contains details.
One sentence per agent in execution order, describing the action each agent took.
The final triage decision: "EXECUTE" (mitigations applied), "OBSERVE" (analyst task created), or "IGNORE" (logged for reference only).
Per-agent outcome objects keyed by agent name (DetectionAgent, RiskAgent, MitigationAgent, AuditAgent).
Full multi-stage execution trace including threat detection, risk assessment, ADK review, and mitigation output.
Decorator metadata including trace_id, schema_version, mode, timestamp, source_ip, model_info, feature_flags, system_metrics, and resilience fields.
Error codes
| Status | Code | Description |
|---|---|---|
| 400 | empty_log | The request body resolved to an empty string after parsing. |
| 400 | invalid_json | The Content-Type is application/json but the body is not valid JSON. |
| 401 | unauthorized | The x-api-key header is missing or incorrect. |
| 409 | replay_detected | The event_id (body or header) matches a request seen within the last 30 seconds. |
| 413 | payload_too_large | The request body exceeds ASA_MAX_REQUEST_BYTES (default: 16 384 bytes). |
| 422 | invalid_json_schema | The body is valid JSON but does not match the IngestLogRequest schema. |
| 429 | rate_limited | This IP has exceeded 12 requests within the 60-second window. The response includes retry_after_seconds. |
| 503 | overloaded | The server has reached ASA_MAX_INFLIGHT (default: 8) concurrent requests. Retry after 1 second. |
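
The following client is an added example, not code from the SAW project: it forwards a plain-text log line with an x-event-id and applies the retry rules from the error table above. The base URL passed by the caller, the helper names, and the assumption that retry_after_seconds is a top-level key of the 429 JSON body are not taken from this page.

```python
import json
import time
import urllib.error
import urllib.request
import uuid

MAX_REQUEST_BYTES = 16384  # documented default of ASA_MAX_REQUEST_BYTES

def build_request(base_url, api_key, log_line, event_id):
    """Build a plain-text POST /ingest-log request; validate size client-side."""
    body = log_line.encode("utf-8")
    if not body.strip():
        raise ValueError("empty log line")
    if len(body) > MAX_REQUEST_BYTES:
        raise ValueError("body exceeds the 413 payload_too_large limit")
    headers = {"x-api-key": api_key, "x-event-id": event_id, "Content-Type": "text/plain"}
    return urllib.request.Request(base_url.rstrip("/") + "/ingest-log",
                                  data=body, headers=headers, method="POST")

def next_action(status, body):
    """Map a documented status code to (action, delay_seconds)."""
    if status == 200:
        return ("done", 0.0)
    if status == 409:  # replay_detected: this event id was seen in the last 30 s
        return ("duplicate", 0.0)
    if status == 429:  # assumption: retry_after_seconds is a top-level JSON key
        return ("retry", float(body.get("retry_after_seconds", 60)))
    if status == 503:  # overloaded: the table says to retry after 1 second
        return ("retry", 1.0)
    return ("fail", 0.0)  # 400/401/413/422 will not succeed on a blind retry

def ingest(base_url, api_key, log_line, max_attempts=4):
    event_id = str(uuid.uuid4())  # one id per event, reused on every resend
    for _ in range(max_attempts):
        req = build_request(base_url, api_key, log_line, event_id)
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                status, raw = resp.status, resp.read()
        except urllib.error.HTTPError as err:
            status, raw = err.code, err.read()
        try:
            body = json.loads(raw)
        except ValueError:
            body = {}
        action, delay = next_action(status, body if isinstance(body, dict) else {})
        if action != "retry":
            return action, body
        time.sleep(delay)
    return "fail", {}
```

Reusing one event id across resends means a request that was accepted but whose response was lost comes back as 409 replay_detected instead of being triaged twice.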