Every call to POST /api/v1/analyze/ produces a structured analysis log record: the policy that ran, every analyzer’s output, the decision, the request ID, and the wall-clock metrics. The log is the ground truth for observability, post-incident review, threat-intel ingestion, and tuning policies.

Where to read the log

What gets logged

Every record contains:
| Field | Description |
| --- | --- |
| request_id | Quote this when filing a support ticket. |
| tenant_id | Always your tenant. |
| policy_id / policy_slug | Which combined policy ran. |
| overall_status | OK, TERMINATED_EARLY, or ERROR. |
| analyzer_results | Per-analyzer output, metrics, and status. |
| aggregated_metrics | Summed wall-clock and (when telemetry is on) cost. |
| created_at | Timestamp of the request. |
| is_test_mode | true for sandbox keys; excludes the record from billing dashboards. |

We do not persist the raw prompt by default. The log captures what fired, not what you sent. Customers who need raw payload retention should ingest specific events into the Workbench, which stores the prompt under the tenant’s prompt_injections table for threat-intel use.

Searching and filtering

The dashboard search supports the most common filters out of the box:
  • Time range — last 1h / 24h / 7d / 30d, or custom.
  • Decision — terminated_early (blocked) vs OK (passed).
  • Analyzer — events where a given analyzer fired or terminated.
  • Severity — high / medium / low (driven by the threat-intel analyzer).
  • Free-text — searches the analyzer outputs.
Behind the scenes, the dashboard talks to POST /api/v1/analyzer-logs/search (Elasticsearch-backed when configured) and GET /api/v1/analyzer-logs/events_summary for aggregate counts.

Programmatic access

Both SDKs expose the log API. Example (Python, paginated iteration over flagged events in the last 24 hours):
```python
from agnes import Agnes

agnes = Agnes()

# Ask the events summary endpoint for events from the last 24 hours,
# terminated ones only, up to 100 per request.
flagged = agnes.raw.get(
    "/api/v1/analyzer-logs/events_summary",
    params={"time_gte": "now-24h", "size": 100, "terminated_only": True},
)

# One line per event: the ID to quote to support, the decision, and the policy that ran.
for event in flagged["events"]:
    print(event["request_id"], event["overall_status"], event["policy_slug"])
```

The agnes.raw escape hatch gives you the auto-generated low-level client for any endpoint not yet wrapped by the ergonomic surface. The TypeScript SDK has agnes.raw.request(...) for the same purpose.

Threat summaries and dashboard charts

GET /api/v1/analyzer-logs/threat_summary returns rollups suitable for charting:
  • Per-analyzer block / flag counts over time.
  • Top-N rules / categories / threat types fired.
  • Severity distribution.
The dashboard’s threat-intelligence page renders these directly. If you want to ship the same view in your own ops dashboard, hit this endpoint and chart whatever subset is relevant.

Retention

  • Hot retention (queryable from the dashboard / API): 30 days by default for paid tiers, 7 days for sandbox.
  • Cold retention is plan-dependent; ask sales@lasscyber.com if your compliance requirement exceeds the hot window.

Exporting

The dashboard has a Download CSV action on the analysis log table that exports the current filter view. For larger exports use the API and stream pages with skip / limit.

Privacy reminders

  • Sandbox traffic carries X-Agnes-Test-Mode: true and is flagged in the log. Exclude sandbox events from billing or threat-trend dashboards.
  • Logs are tenant-scoped end to end; an admin in tenant A cannot read tenant B’s logs even with elevated platform access.
  • The dashboard never displays your API key value; quoting a request_id to support staff is safe.
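
An added example, not part of the Agnes SDK or the original page: it streams an export page by page with skip / limit as described under Exporting, then builds per-policy block counts that leave out sandbox traffic as the first reminder above asks. The fetch_page callable, the sample records and the policy slugs are constructed for illustration; only the record field names come from the table under "What gets logged".

```python
from collections import Counter

# Constructed sample records; field names are the ones listed under "What gets logged".
def _rec(request_id, policy_slug, overall_status, is_test_mode=False):
    return {"request_id": request_id, "policy_slug": policy_slug,
            "overall_status": overall_status, "is_test_mode": is_test_mode}

SAMPLE_LOG = [
    _rec("req-001", "chat-default", "OK"),
    _rec("req-002", "chat-default", "TERMINATED_EARLY"),
    _rec("req-003", "chat-default", "TERMINATED_EARLY", is_test_mode=True),  # sandbox key
    _rec("req-004", "agent-tools", "ERROR"),
    _rec("req-005", "agent-tools", "OK"),
    _rec("req-006", "chat-default", "OK"),
    _rec("req-002", "chat-default", "TERMINATED_EARLY"),  # repeat: log shifted between pages
]

def sample_fetch_page(skip, limit):
    """Hypothetical stand-in for one skip/limit page request; replace with your API call."""
    return SAMPLE_LOG[skip:skip + limit]

def iter_records(fetch_page, limit=100):
    """Stream every record page by page, dropping request_ids already seen."""
    seen, skip = set(), 0
    while True:
        page = fetch_page(skip, limit)
        for rec in page:
            if rec["request_id"] not in seen:
                seen.add(rec["request_id"])
                yield rec
        if len(page) < limit:  # a short or empty page marks the end of the export
            return
        skip += len(page)

def summarize(records):
    """Return ({policy_slug: (blocked, total)}, [ERROR request_ids]) for production traffic."""
    total, blocked, errors = Counter(), Counter(), []
    for rec in records:
        if rec.get("is_test_mode"):  # sandbox traffic stays out of trend numbers
            continue
        total[rec["policy_slug"]] += 1
        if rec["overall_status"] == "TERMINATED_EARLY":
            blocked[rec["policy_slug"]] += 1
        elif rec["overall_status"] == "ERROR":
            errors.append(rec["request_id"])
    return {slug: (blocked[slug], n) for slug, n in total.items()}, errors

if __name__ == "__main__":
    per_policy, errors = summarize(iter_records(sample_fetch_page, limit=3))
    print(per_policy, "needs review (ERROR):", errors)
```

ERROR records are counted in each policy's total but listed separately, since a request that errored was neither passed nor blocked by a decision.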
