Ionix
- Overview
- Setup
- Data & mappings
- Operations & API
- Changelog
The Ionix connector integrates with the Ionix External Attack Surface Management (EASM) platform. It synchronizes asset inventory data (domains, subdomains, managed domains, IPs, cloud assets), action items (mapped as vulnerabilities), and action item definitions into the Brinqa platform.
Data retrieved from Ionix
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Domain | Yes | Site |
| Action Item | Yes | Vulnerability |
| Action Item Definition | Yes | Vulnerability Definition |
Model relationships
For detailed steps on how to view the data retrieved from Ionix in the Brinqa Platform, see How to view your data.
Connection settings
When setting up a data integration, select Ionix from the Connector dropdown and provide the following:
| Setting | Required | Default | Description |
|---|---|---|---|
| API URL | Yes | — | Ionix API URL |
| API token | Yes | — | Ionix API token |
| Page size | No | 100 | Maximum number of records to get per API request |
| Request timeout (secs) | No | 120 | The maximum seconds allotted before a request will time out. Maximum allowed value 1800 |
| Parallelism level | No | min(4, CPUs) | Number of parallel threads for concurrent API requests. Default is min(4, available CPUs) |
Authentication
Method
Bearer Token authentication using an API token.
Endpoint
| Method | URL |
|---|---|
GET | https://<instance>/api/v1/discovery/org-assets/?limit=1 |
Request Headers
| Header | Value |
|---|---|
Authorization | Bearer <api_token> |
Content-Type | application/json |
Sample Response
The connection test issues a lightweight, paginated GET against the org-assets endpoint. A successful response returns a paginated envelope:
{
"count": 1,
"next": "https://<instance>/api/v1/discovery/org-assets/?limit=1&offset=1",
"previous": null,
"results": [
{
"asset": "example.com",
"type": "Domain"
}
]
}
Response Fields
| Field | Description |
|---|---|
count | Total number of records matching the query (used to compute pagination offsets) |
next | URL of the next page, or null when on the last page |
previous | URL of the previous page, or null |
results | Array of records for the current page |
Usage
The bearer token is read from the connector configuration and added to every request. All API requests include the token in the Authorization header:
Authorization: Bearer <api_token>
A 2xx response to the test request confirms the token and base URL are valid; a non-success status surfaces the platform's error message.
How to obtain Ionix credentials
Generate an Ionix API token
To generate an API token for use with the Brinqa connector, follow these steps:
-
Log in to the Ionix portal.
-
Navigate to the API settings or token management section of your Ionix account.
-
Generate a new API token with the necessary permissions to access discovery and remediation data.
-
Copy the token and provide it in the API Token field in the integration configuration.
Note: If you do not have the permissions to create API tokens, contact your Ionix administrator. For additional information, see the Ionix API documentation.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes:
Domain
| Source Field Name | SDM Attribute |
|---|---|
AssetResource.asset | UID |
AssetResource.asset | Name |
AssetResource.badMaintenanceIndicators | Bad maintenance indicators |
AssetResource.cloudAssetType | Cloud asset type |
AssetResource.cloudRegion | Region |
AssetResource.confidenceLevel.confidenceLevel | Confidence level |
AssetResource.confidenceLevel.type | Confidence type |
AssetResource.cves | CVE IDs |
AssetResource.devAssetOf | Dev asset of |
AssetResource.devAssets | Dev assets |
AssetResource.domainExpirationDate | Domain expiration date |
AssetResource.firstSeen | First seen |
AssetResource.groups | Groups |
AssetResource.hostingProvider | Hosting provider |
AssetResource.httpsTitle | HTTPS title |
AssetResource.httpTitle | HTTP title |
AssetResource.importance.importance | Importance |
AssetResource.importance.type | Importance type |
AssetResource.ipNetwork | IP network |
AssetResource.ipNetworkCountry | IP network country |
AssetResource.ipNetworkName | IP network name |
AssetResource.ipNetworkOrgId | IP network org ID |
AssetResource.ipNetworkOrgName | IP network org name |
AssetResource.ipNetworkSource | IP network source |
AssetResource.ips | IP addresses |
AssetResource.isParkedDomain | Is parked domain |
AssetResource.lastSeen | Last seen |
AssetResource.maintenanceGrade.riskGrade | Maintenance risk grade |
AssetResource.maintenanceGrade.type | Maintenance grade type |
AssetResource.majesticRank | Majestic rank |
AssetResource.openPorts | Open ports |
AssetResource.operatedBy | Operated by |
AssetResource.originIps | Origin IP addresses |
AssetResource.parkedDomainSource | Parked domain source |
AssetResource.protocols | Protocols |
AssetResource.registrantContactName | Registrant contact name |
AssetResource.registrantOrganization | Registrant organization |
AssetResource.registrar | Registrar |
AssetResource.resourceId | Resource ID |
AssetResource.riskScore.riskScore | Risk score |
AssetResource.riskScore.type | Risk score type |
AssetResource.seenAt | Seen at |
AssetResource.service | Services |
AssetResource.serviceType | Service type |
AssetResource.subscriptionId | Subscription ID |
AssetResource.subsidiaries | Subsidiaries |
AssetResource.tags + AssetResource.cloudTags | Tags |
AssetResource.technologies | Technology |
AssetResource.technologyVersionsLabels | Technology versions |
AssetResource.tlsSupportedCiphers | TLS supported ciphers |
AssetResource.tlsSupportedProtocols | TLS supported protocols |
AssetResource.type | Asset type |
AssetResource.umbrellaRank | Umbrella rank |
AssetResource.waf | WAF |
AssetResource.webTrafficVisits | Web traffic visits |
AssetResource.whoisEmails | Emails |
AssetResource.whoisNameServers | WHOIS name servers |
AssetResource.whoisStatus | WHOIS status |
Instant.now() | Last captured |
Action Item
| Source Field Name | SDM Attribute |
|---|---|
ActionItemResource.acknowledgedBy | Acknowledged by |
ActionItemResource.acknowledgedDate | Acknowledged date |
ActionItemResource.acknowledgementReason | Acknowledgement reason |
ActionItemResource.apexDomain | Apex domain |
ActionItemResource.asset | Targets |
ActionItemResource.asset | Asset |
ActionItemResource.assetImportance.assetImportance | Asset importance |
ActionItemResource.assetType | Asset type |
ActionItemResource.closedReason | Closed reason |
ActionItemResource.currentState | Provider status |
ActionItemResource.discoveryConfidenceLevel | Discovery confidence level |
ActionItemResource.evidence | Evidence |
ActionItemResource.evidence | Results |
ActionItemResource.firstOpenedAt | First found |
ActionItemResource.groups | Groups |
ActionItemResource.handleTogetherGroup | Handle together group |
ActionItemResource.id | UID |
ActionItemResource.ips | IP addresses |
ActionItemResource.isOpen | Is open |
ActionItemResource.isParkedDomain | Is parked domain |
ActionItemResource.lastClosedAt | Last fixed |
ActionItemResource.lastOpenedAt | Last found |
ActionItemResource.lastRescanBy | Last rescan by |
ActionItemResource.lastRescanTime | Last rescan time |
ActionItemResource.lastValidate | Last validate |
ActionItemResource.legacyGeo | Legacy geo |
ActionItemResource.legacyRegion | Legacy region |
ActionItemResource.linkToAsset | Link to asset |
ActionItemResource.operatedBy | Operated by |
ActionItemResource.parkedDomainSource | Parked domain source |
ActionItemResource.potentialDependency | Potential dependency |
ActionItemResource.primaryAi | Primary AI |
ActionItemResource.rescanStatus | Rescan status |
ActionItemResource.resolutionTime | Resolution time |
ActionItemResource.service | Services |
ActionItemResource.serviceType | Service type |
ActionItemResource.sscTest | SSC test |
ActionItemResource.stateUpdateTimestamp | State update timestamp |
ActionItemResource.stateUpdateUser | State update user |
ActionItemResource.subsidiaries | Subsidiaries |
ActionItemResource.supportsRescan | Supports rescan |
ActionItemResource.tags | Tags |
ActionItemResource.title.label | Type |
ActionItemResource.updatedTime | Source last modified |
ActionItemResource.userCommentsCount | User comments count |
ActionItemResource.waf | WAF |
ActionItemResource.webTrafficVisits | Web traffic visits |
Derived from isOpen (true → open, false → closed), falling back to currentState, then active | Source status |
Instant.now() | Last captured |
Action Item Definition
| Source Field Name | SDM Attribute |
|---|---|
ActionItemResource.bsCategory | BS category |
ActionItemResource.bsSubcategory | BS subcategory |
ActionItemResource.complianceFrameworks | Compliance frameworks |
ActionItemResource.cves[].cve | CVE IDs |
ActionItemResource.cves[].cve | CVE Records |
ActionItemResource.description | Description |
ActionItemResource.impact | Impact |
ActionItemResource.mitreTechniques | MITRE techniques |
ActionItemResource.requiredAction | Recommendation |
ActionItemResource.requiredAction | Required action |
ActionItemResource.sscCategory | SSC category |
ActionItemResource.tags | Tags |
ActionItemResource.technicalDetails | Technical details |
ActionItemResource.title.label | UID |
ActionItemResource.title.label | Name |
ActionItemResource.type | Categories |
ActionItemResource.type | Action item type |
ActionItemResource.urgency.isActiveProtection | Is active protection |
ActionItemResource.urgency.type | Source severity |
ActionItemResource.urgency.type | Urgency type |
ActionItemResource.urgency.urgency | Urgency |
Derived from ActionItemResource.urgency.type via normalizeFindingSeverity | Severity |
| Derived from severity via getFindingSeverityScore | Severity score |
Instant.now() | Last captured |
Operations & API
Expand each connector object to see its operation options, delta-sync behavior, and the API it uses. See connector operation options for how to apply operation options (keys and values are case-sensitive).
Domain
Operation options
| Option | Type | Default | Description |
|---|---|---|---|
risk_score | String | — | Filter by risk score (e.g., low,medium,high,no_risk) |
asset | String | — | Filter by asset name |
technologies | String | — | Filter by technology |
hosting_provider | String | — | Filter by hosting provider |
pageSize | String | pageSize config value | Per-operation override of the page limit query parameter |
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint · Endpoint:
GET /api/v1/discovery/org-assets/?type__in=0
Action Item
Operation options
| Option | Type | Default | Description |
|---|---|---|---|
urgency | String | — | Filter by urgency (e.g., low,medium,high,critical) |
asset_type | String | — | Filter by asset type |
type | String | — | Filter by action item type |
pageSize | String | pageSize config value | Per-operation override of the page limit query parameter |
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint · Endpoint:
GET /api/v1/remediation/action-items/all/detailed
Action Item Definition
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint (shared data with the Action Item model) · Endpoint:
GET /api/v1/remediation/action-items/all/detailed
Changelog
The Ionix connector has undergone the following changes:
| Version | Description | Migration Steps |
|---|---|---|
| 3.0.4 | Improvements - Scalar attributes across all models now participate in attribute consolidation at the standard connector priority, ensuring Ionix-sourced values take precedence over non-connector data channels (manual imports, bulk uploads, UI edits) when the same record is reported by multiple sources | N/A |
| 3.0.3 | New Features - Cloud Asset model — ingests cloud resources (Azure, AWS, GCP) mapped to the Cloud Resource UDM target, capturing subscription IDs, resource IDs, cloud regions, cloud asset types, and cloud tags - Cloud tags are automatically merged into the standard Tags attribute as key:value pairs for unified tag-based filtering - New Dev assets and Dev asset of attributes on all asset models, capturing development asset relationships from Ionix Bug Fixes - Fixed sync failures when cloud tags contain null values — null entries are now safely filtered during ingestion - Sync now correctly fails when API pages return deserialization errors, instead of silently skipping the affected pages | N/A |
| 3.0.2 | New Features - ActionItem is now mapped to the Vulnerability UDM target, enabling ticket creation and vulnerability workflows for Blackrock - New ActionItemDefinition model mapped to VulnerabilityDefinition UDM — deduplicates action items by title and collects CVE identifiers, severity, MITRE techniques, and compliance framework data - 8 new attributes captured from the detailed endpoint: Is open, Closed reason, Resolution time, Discovery confidence level, Is parked domain, Parked domain source, Evidence, Link to asset Improvements - Consolidated to single /remediation/action-items/all/detailed endpoint (was separate /open + /closed calls), reducing API overhead - ActionItem and ActionItemDefinition share a local KV store per transaction — API is only called once regardless of sync order - Finding and definition attributes are now properly separated: instance-level data (status, dates, acknowledgement) stays on ActionItem; type-level data (severity, description, CVEs, MITRE, compliance) lives on ActionItemDefinition - Impact attribute added to ActionItemDefinition - Provider status now uses raw currentState from the API without a default — no longer misrepresents the source as "active" when no status is sent - Source status is now derived from isOpen field first (true → active, false → fixed), then falls back to currentState, then defaults to active - Current state attribute removed — provider status and source status are sufficient - New Results attribute renders detection evidence as a readable Markdown table (columns: Type, Value, Operator, Reference Value, Reference Type) instead of raw JSON - Evidence attribute retained for raw JSON storage; Results provides the human-readable representation - Evidence data is now deserialized into a typed Evidence interface instead of generic Map<String, Object> Bug Fixes - Fixed SERVICE attribute cardinality mismatch causing data warehouse failures — replaced single-valued SERVICE from AttributeInfos with custom multi-valued SERVICES on BaseAsset and ActionItem models | • ActionItem: Now a Finding model mapped to Vulnerability UDM. Existing data will gain new attributes (Targets, Type, Provider status, Source status, Results) and additional instance-level attributes. Definition-level attributes (Summary, Description, CVE IDs, Urgency, etc.) are no longer on ActionItem — they are inherited from ActionItemDefinition via TYPE linkage. • Vulnerability / VulnerabilityDefinition: Removed. Data sourced from /api/v1/discovery/digital-supply-chain/ will no longer be refreshed. ActionItemDefinition replaces VulnerabilityDefinition using title strings as definition keys. • Service attribute: The Service attribute on all asset models (Domain, SubDomain, ManagedDomain, IP) and ActionItem is now multi-valued with title "Services". Existing single-valued Service data in the warehouse will need schema evolution to support array values. • Last closed → Last fixed: The Last closed attribute has been replaced with the standard Last fixed attribute. • Current state → removed: The Current state attribute has been removed. Status is now represented by Provider status (raw API value) and Source status (normalized from isOpen). • Evidence → Evidence + Results: The Evidence attribute now stores raw JSON. A new Results attribute provides the same data as a formatted Markdown table for readability. |
| 3.0.1 | New Features - Full asset inventory synchronization for the Ionix External Attack Surface Management (EASM) platform: Domain, Sub Domain, Managed Domain, and IP assets are now ingested with complete attribute mapping (risk scores, importance, discovery confidence, tags, technologies, and hosting provider) - Remediation Action Items are now synchronized, capturing open and closed items along with their status, urgency, summary, and affected assets - Vulnerabilities and Vulnerability Definitions from the Ionix digital supply chain are now ingested, including CVE identifiers and per-asset assessments - New Parallelism level configuration option lets you tune the number of concurrent API request threads (defaults to the lesser of 4 or available CPUs) for faster syncs against large Ionix tenants Improvements - More descriptive API error reporting now surfaces the underlying Ionix error message when a request fails | N/A |