This document describes the official AlphaSOC REST API.
The primary purpose of the API is to let a wide variety of clients send network telemetry and receive alerts.
The API endpoints complement the other data sources and alert escalations: alerts generated for network telemetry submitted outside of the API are available for download via the API, and vice versa.
Schema
The API can be accessed at https://api.alphasoc.net over HTTPS. All requests and responses are encoded in JSON.
Compression
As the amount of data transmitted via the API can be high, it is advisable to use compression in both directions. HTTP clients usually support compression transparently when fetching data (by sending an Accept-Encoding header), but compressing uploads has to be handled by the client itself. The AlphaSOC API accepts the gzip and deflate content encodings; it is recommended to compress large chunks of data (telemetry) before sending and to set the matching Content-Encoding header so the server knows how to decode the body.
Rate limiting
The API counts and limits the number of requests made with a single API key. The limits are not strictly defined; they exist to protect the service from flooding and from accidental errors in client implementations. In the unlikely case of hitting the limit, the API returns a 429 Too Many Requests response and expects the client to retry after some time. Back off before retrying (for example with an increasing delay) rather than retrying in a tight loop, which only keeps the key throttled.
Authentication
All API requests must be authenticated using HTTP Basic Authentication, with the API key as the username and an empty password.
You can generate API keys in the console. The key is the only credential, so store it as a secret, keep it out of URLs, logs and source control, and send it only to the HTTPS endpoint above.
Account management
GET /v1/account/status
This call can be used to fetch general information about the account, e.g. registration status, key expiration time, and current license usage. Human-readable messages from the system are also included in the response, so they can be presented in the UI.
Responses
Example 200 response
{
  "today": "2018-08-28T10:33:37.137110423Z",
  "registered": false,
  "expired": false,
  "expirationDate": "2018-09-27T10:31:32.196658Z",
  "endpointsSeenToday": 2338,
  "messages": [
    {
      "level": 2,
      "body": "Your API key is not activated. Alerts are suppressed until you have activated your account."
    }
  ]
}
To perform this operation, you must be authenticated by means of one of the following methods:
basicAuth
Code samples
curl -X GET -u "<your-api-key>:" https://api.alphasoc.net/v1/account/status \
  -H 'Accept: application/json'
Retrieving Alerts
GET /v1/alerts
This endpoint returns alerts generated for network telemetry submitted to the AlphaSOC Analytics Engine (via the API or other sources). Each alert includes the original (normalized) event along with the associated threats and context.
Threat details are provided in the additional threats dictionary included in the response. Note that for a given threat ID the description and severity can be amended at any time; when that happens, the change also applies to historical alerts already retrieved. The full and most recent threat dictionary is also available from the Inventory endpoints below.
As the number of alerts can be high, the API paginates responses. Every response carries a follow bookmark, which should be passed as the follow query parameter in subsequent requests so that only new alerts are returned. Once the last page has been returned, the more property in the response is set to false.
Usually the flow for retrieving alerts looks like this:
1. Fetch new alerts via /v1/alerts?follow={lastFollowBookmark} (omit the parameter on the very first request) and store the follow value from the response.
2. If the response has more == true, go back to [1] immediately.
3. If the response has more == false, sleep for some time and go back to [1].
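The polling flow above, the 429 handling from the Rate limiting section and the threat dictionary lookup, put together as an added Python example (this is not AlphaSOC's own client code). It assumes only the response shape shown on this page (follow, more, alerts, threats) and the documented 429 behaviour; RateLimited, the fetch callable, the backoff schedule and FakeAlertsAPI are this example's own constructions, and only http_fetch talks to the real service.

```python
"""Pull alerts with the follow bookmark, honouring `more` and 429.

Added example; not AlphaSOC's own client code. Only http_fetch performs
network I/O; everything else is exercised offline through FakeAlertsAPI.
"""
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, List, Optional, Tuple

API_BASE = "https://api.alphasoc.net"
Fetch = Callable[[Optional[str]], dict]  # follow bookmark -> decoded page


class RateLimited(Exception):
    """The API answered 429 Too Many Requests; back off and retry."""


def http_fetch(api_key: str) -> Fetch:
    """Build a transport that GETs /v1/alerts with Basic auth (key as user, empty password)."""
    token = base64.b64encode(f"{api_key}:".encode("ascii")).decode("ascii")

    def fetch(follow: Optional[str]) -> dict:
        url = f"{API_BASE}/v1/alerts"
        if follow:
            url += "?" + urllib.parse.urlencode({"follow": follow})
        req = urllib.request.Request(url, headers={
            "Authorization": f"Basic {token}", "Accept": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return json.load(resp)
        except urllib.error.HTTPError as err:
            if err.code == 429:
                raise RateLimited() from err
            raise
    return fetch


def fetch_page(fetch: Fetch, follow: Optional[str], max_attempts: int = 5,
               sleep: Callable[[float], None] = time.sleep) -> dict:
    """One page; on 429 wait with exponential backoff (1s, 2s, 4s, ...) before retrying."""
    delay = 1.0
    for attempt in range(1, max_attempts + 1):
        try:
            return fetch(follow)
        except RateLimited:
            if attempt == max_attempts:
                raise
            sleep(delay)
            delay = min(delay * 2, 60.0)
    raise AssertionError("unreachable")


def drain_alerts(fetch: Fetch, follow: Optional[str] = None,
                 sleep: Callable[[float], None] = time.sleep) -> Tuple[List[dict], Optional[str]]:
    """Steps 1-2 of the documented flow: follow the bookmark until more is false.

    Returns the alerts and the last bookmark; the caller sleeps (step 3),
    persists the bookmark and calls again with it. Each alert is stamped with
    the threat definitions shipped in the same response, because a threat's
    title and severity may be amended later.
    """
    collected: List[dict] = []
    while True:
        page = fetch_page(fetch, follow, sleep=sleep)
        threats = page.get("threats", {})
        for alert in page.get("alerts", []):
            ids = alert.get("threats", [])
            enriched = dict(alert)
            enriched["threatDetails"] = {t: threats.get(t, {}) for t in ids}
            enriched["maxSeverity"] = max(
                (threats.get(t, {}).get("severity", 0) for t in ids), default=0)
            collected.append(enriched)
        follow = page.get("follow") or follow
        if not page.get("more"):
            return collected, follow


class FakeAlertsAPI:
    """Constructed stand-in for the service: two pages and one 429 in between."""

    def __init__(self) -> None:
        self.calls: List[Optional[str]] = []
        self.limited = False
        c2 = {"title": "C2 communication attempt indicating infection", "severity": 5}
        mining = {"title": "Cryptomining indicating infection or resource abuse", "severity": 4}
        self.pages = {
            None: {"follow": "bm-1", "more": True, "threats": {"c2_communication": c2},
                   "alerts": [{"eventType": "dns", "threats": ["c2_communication"],
                               "event": {"srcIP": "192.168.20.5", "query": "www.example.com"}}]},
            "bm-1": {"follow": "bm-2", "more": False, "threats": {"cryptomining": mining},
                     "alerts": [{"eventType": "ip", "threats": ["cryptomining"],
                                 "event": {"srcIP": "192.168.20.7"}}]},
        }

    def __call__(self, follow: Optional[str]) -> dict:
        self.calls.append(follow)
        if follow == "bm-1" and not self.limited:  # first request for page 2 is throttled
            self.limited = True
            raise RateLimited()
        return self.pages[follow]
```

Against the real service, replace the fake with `drain_alerts(http_fetch("<your-api-key>"), follow=saved_bookmark)` and persist the returned bookmark between runs; losing it means re-downloading alerts from the beginning, while skipping ahead means losing alerts.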
Parameters
Name  In  Type  Required  Description
follow  query  string  optional  Page bookmark as provided by one of the previous responses. Only new alerts since the bookmark are returned.
Responses
Status  Meaning  Description  Schema
200  OK  OK  alerts
Example 200 response
{
  "follow": "string",
  "more": true,
  "alerts": [
    {
      "eventType": "string",
      "threats": ["c2_communication"],
      "wisdom": {
        "flags": ["c2", "young_domain"],
        "labels": ["c2:TrickBot"],
        "domain": "example.com"
      },
      "event": {
        "ts": "2018-03-01T10:31:59Z",
        "srcIP": "192.168.20.5",
        "srcPort": 32876,
        "srcHost": "john-pc",
        "srcMac": "16:c8:60:26:09:a6",
        "srcUser": "john",
        "srcID": "string",
        "query": "www.example.com",
        "qtype": "A"
      }
    }
  ],
  "threats": {
    "c2_communication": {
      "title": "C2 communication attempt indicating infection",
      "severity": 5
    },
    "cryptomining": {
      "title": "Cryptomining indicating infection or resource abuse",
      "severity": 4
    }
  }
}
To perform this operation, you must be authenticated by means of one of the following methods:
basicAuth
Code samples
curl -X GET -u "<your-api-key>:" --compressed https://api.alphasoc.net/v1/alerts \
  -H 'Accept: application/json'
Sending Telemetry
Network telemetry is submitted for scoring through several endpoints, one per event type (DNS, IP, TLS, HTTP, DHCP lease).
Events are sent in batches: the request body is a stream of JSON objects, each object representing one network event, written one after another without an enclosing array. For example:
{dnsEvent1}{dnsEvent2}{dnsEvent3}...
There is no limit on the number of events per request, but the uncompressed body size is limited (currently 10MB).
Compress the data before uploading; see Compression for details. Each endpoint answers with the number of events received and accepted, so compare accepted with the number of events you sent to detect dropped events.
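The batching, size limit, compression and Basic-auth rules from this section and from the Compression and Authentication sections above, put together as an added Python example (this is not AlphaSOC's own client code). It relies only on what the page states; the Batch and PreparedRequest types, the helper names, MAX_BODY_BYTES and the sample events are constructed for the example.

```python
"""Batch, compress and authenticate telemetry uploads.

Added example; not AlphaSOC's own client code. It relies only on what this
page states: a batch is a stream of concatenated JSON objects, the
uncompressed body is limited to 10MB, gzip is an accepted Content-Encoding,
and the API key is the Basic-auth username with an empty password.
"""
import base64
import gzip
import json
import urllib.request
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List

API_BASE = "https://api.alphasoc.net"
MAX_BODY_BYTES = 10 * 1024 * 1024  # uncompressed body limit stated above (10MB)


@dataclass
class Batch:
    body: bytes   # {...}{...}{...} stream, uncompressed
    count: int    # events contained in body


@dataclass
class PreparedRequest:
    url: str
    headers: Dict[str, str]
    body: bytes   # gzip-compressed batch


def basic_auth_header(api_key: str) -> str:
    """Basic auth: the API key is the username and the password is empty."""
    token = base64.b64encode(f"{api_key}:".encode("ascii")).decode("ascii")
    return f"Basic {token}"


def iter_batches(events: Iterable[dict], max_bytes: int = MAX_BODY_BYTES) -> Iterator[Batch]:
    """Pack events greedily into bodies that never exceed max_bytes uncompressed."""
    body, count = bytearray(), 0
    for event in events:
        encoded = json.dumps(event, separators=(",", ":")).encode("utf-8")
        if len(encoded) > max_bytes:
            raise ValueError("a single event exceeds the body size limit")
        if body and len(body) + len(encoded) > max_bytes:
            yield Batch(bytes(body), count)
            body, count = bytearray(), 0
        body += encoded
        count += 1
    if body:
        yield Batch(bytes(body), count)


def prepare_request(api_key: str, event_type: str, body: bytes) -> PreparedRequest:
    """Gzip one batch body and attach the headers the endpoint expects."""
    return PreparedRequest(
        url=f"{API_BASE}/v1/events/{event_type}",
        headers={
            "Authorization": basic_auth_header(api_key),
            "Content-Type": "application/json",
            "Content-Encoding": "gzip",   # must match the compression actually applied
            "Accept": "application/json",
        },
        body=gzip.compress(body),
    )


def decode_body(compressed: bytes) -> bytes:
    """Inverse of the compression step; handy when debugging what was sent."""
    return gzip.decompress(compressed)


def rejected_events(response: dict, sent: int) -> int:
    """Events the server did not keep. The endpoints answer with
    {"received": N, "accepted": M}; anything short of `sent` was lost."""
    received = int(response.get("received", 0))
    accepted = int(response.get("accepted", 0))
    return sent - min(received, accepted)


def send_batches(api_key: str, event_type: str, events: List[dict]) -> int:
    """Upload all events over HTTPS; returns how many were not accepted.
    Performs network I/O, so it is not exercised offline."""
    lost = 0
    for batch in iter_batches(events):
        prepared = prepare_request(api_key, event_type, batch.body)
        req = urllib.request.Request(prepared.url, data=prepared.body,
                                     headers=prepared.headers, method="POST")
        with urllib.request.urlopen(req, timeout=60) as resp:
            lost += rejected_events(json.load(resp), batch.count)
    return lost


def sample_dns_events() -> List[dict]:
    """Constructed sample input (not real telemetry), shaped like dnsEvent."""
    return [
        {"ts": "2018-03-01T10:31:59Z", "srcIP": "192.168.20.5", "srcHost": "john-pc",
         "query": "www.example.com", "qtype": "A"},
        {"ts": "2018-03-01T10:32:01Z", "srcIP": "192.168.20.5", "srcHost": "john-pc",
         "query": "update.example.net", "qtype": "AAAA"},
        {"ts": "2018-03-01T10:32:05Z", "srcIP": "192.168.20.7", "srcHost": "ann-pc",
         "query": "mail.example.org", "qtype": "MX"},
    ]
```

The size check is done on the uncompressed stream because that is what the limit applies to; the compressed size is irrelevant to it. `send_batches("<your-api-key>", "dns", sample_dns_events())` would perform the real upload and report dropped events.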
POST /v1/events/dns
Parameters
Name  In  Type  Required  Description
Content-Encoding  header  string  optional  Compression applied to the request body (gzip or deflate)
body  body  dnsEvent  optional  Batch of dnsEvent objects, one JSON object per event
Body parameter
{
  "ts": "2018-03-01T10:31:59Z",
  "srcIP": "192.168.20.5",
  "srcPort": 32876,
  "srcHost": "john-pc",
  "srcMac": "16:c8:60:26:09:a6",
  "srcUser": "john",
  "srcID": "string",
  "query": "www.example.com",
  "qtype": "A"
}
Responses
Example 200 response
{ "received" : 100 , "accepted" : 100 }
To perform this operation, you must be authenticated by means of one of the following methods:
basicAuth
Code samples
# Without compression
curl -X POST -u "<your-api-key>:" https://api.alphasoc.net/v1/events/dns \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d '{"ts":"2018-03-01T10:31:59Z","srcIP":"192.168.20.5","srcPort":32876,"srcHost":"john-pc","srcMac":"16:c8:60:26:09:a6","srcUser":"john","srcID":"string","query":"www.example.com","qtype":"A"}'

# With compression
curl -u "<your-api-key>:" https://api.alphasoc.net/v1/events/dns \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -H 'Content-Encoding: gzip' \
  --data-binary @<(echo '{"ts":"2018-03-01T10:31:59Z","srcIP":"192.168.20.5","srcPort":32876,"srcHost":"john-pc","srcMac":"16:c8:60:26:09:a6","srcUser":"john","srcID":"string","query":"www.example.com","qtype":"A"}' | gzip)
POST /v1/events/ip
Parameters
Name  In  Type  Required  Description
Content-Encoding  header  string  optional  Compression applied to the request body (gzip or deflate)
body  body  ipEvent  optional  Batch of ipEvent objects, one JSON object per event
Body parameter
{
  "ts": "2018-03-01T10:31:59Z",
  "srcIP": "192.168.20.5",
  "srcPort": 32876,
  "srcHost": "john-pc",
  "srcMac": "16:c8:60:26:09:a6",
  "srcUser": "john",
  "srcID": "string",
  "destIP": "8.8.8.8",
  "destPort": 23,
  "proto": "udp",
  "bytesIn": 3911,
  "bytesOut": 2512,
  "app": "ssl",
  "action": "allowed",
  "duration": 7.2
}
Responses
Example 200 response
{ "received" : 100 , "accepted" : 100 }
To perform this operation, you must be authenticated by means of one of the following methods:
basicAuth
Code samples
# Without compression
curl -X POST -u "<your-api-key>:" https://api.alphasoc.net/v1/events/ip \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d '{"ts":"2018-03-01T10:31:59Z","srcIP":"192.168.20.5","srcPort":32876,"srcHost":"john-pc","srcMac":"16:c8:60:26:09:a6","srcUser":"john","srcID":"string","destIP":"8.8.8.8","destPort":23,"proto":"udp","bytesIn":3911,"bytesOut":2512,"app":"ssl","action":"allowed","duration":7.2}'

# With compression
curl -u "<your-api-key>:" https://api.alphasoc.net/v1/events/ip \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -H 'Content-Encoding: gzip' \
  --data-binary @<(echo '{"ts":"2018-03-01T10:31:59Z","srcIP":"192.168.20.5","srcPort":32876,"srcHost":"john-pc","srcMac":"16:c8:60:26:09:a6","srcUser":"john","srcID":"string","destIP":"8.8.8.8","destPort":23,"proto":"udp","bytesIn":3911,"bytesOut":2512,"app":"ssl","action":"allowed","duration":7.2}' | gzip)
POST /v1/events/tls
Parameters
Name  In  Type  Required  Description
Content-Encoding  header  string  optional  Compression applied to the request body (gzip or deflate)
body  body  tlsEvent  optional  Batch of tlsEvent objects, one JSON object per event
Body parameter
{
  "ts": "2018-03-01T10:31:59Z",
  "srcIP": "192.168.20.5",
  "srcPort": 32876,
  "srcHost": "john-pc",
  "srcMac": "16:c8:60:26:09:a6",
  "srcUser": "john",
  "srcID": "string",
  "certHash": "9fcc5c1e8ec32f56e975ba43c923dbfa16a8f946",
  "issuer": "C=US; O=DigiCert Inc; OU=www.digicert.com; CN=GeoTrust RSA CA 2018",
  "subject": "C=US,ST=TX,L=Texas,O=lol,OU=,CN=example.com",
  "validFrom": "2021-03-30T00:34:02Z",
  "validTo": "2021-05-29T00:34:02Z",
  "destIP": "188.68.55.50",
  "destPort": 9001,
  "ja3": "724dedf93fb5a3636a0f1ee8fcec8801",
  "ja3s": "015535be754766257f9bfdf3470cd428e0f1cfd4"
}
Responses
Example 200 response
{ "received" : 100 , "accepted" : 100 }
To perform this operation, you must be authenticated by means of one of the following methods:
basicAuth
Code samples
# Without compression
curl -X POST -u "<your-api-key>:" https://api.alphasoc.net/v1/events/tls \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d '{"ts":"2018-03-01T10:31:59Z","srcIP":"192.168.20.5","srcPort":32876,"srcHost":"john-pc","srcMac":"16:c8:60:26:09:a6","srcUser":"john","srcID":"string","certHash":"9fcc5c1e8ec32f56e975ba43c923dbfa16a8f946","issuer":"C=US; O=DigiCert Inc; OU=www.digicert.com; CN=GeoTrust RSA CA 2018","subject":"C=US,ST=TX,L=Texas,O=lol,OU=,CN=example.com","validFrom":"2021-03-30T00:34:02Z","validTo":"2021-05-29T00:34:02Z","destIP":"188.68.55.50","destPort":9001,"ja3":"724dedf93fb5a3636a0f1ee8fcec8801","ja3s":"015535be754766257f9bfdf3470cd428e0f1cfd4"}'

# With compression
curl -u "<your-api-key>:" https://api.alphasoc.net/v1/events/tls \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -H 'Content-Encoding: gzip' \
  --data-binary @<(echo '{"ts":"2018-03-01T10:31:59Z","srcIP":"192.168.20.5","srcPort":32876,"srcHost":"john-pc","srcMac":"16:c8:60:26:09:a6","srcUser":"john","srcID":"string","certHash":"9fcc5c1e8ec32f56e975ba43c923dbfa16a8f946","issuer":"C=US; O=DigiCert Inc; OU=www.digicert.com; CN=GeoTrust RSA CA 2018","subject":"C=US,ST=TX,L=Texas,O=lol,OU=,CN=example.com","validFrom":"2021-03-30T00:34:02Z","validTo":"2021-05-29T00:34:02Z","destIP":"188.68.55.50","destPort":9001,"ja3":"724dedf93fb5a3636a0f1ee8fcec8801","ja3s":"015535be754766257f9bfdf3470cd428e0f1cfd4"}' | gzip)
POST /v1/events/http
Parameters
Name  In  Type  Required  Description
Content-Encoding  header  string  optional  Compression applied to the request body (gzip or deflate)
body  body  httpEvent  optional  Batch of httpEvent objects, one JSON object per event
Body parameter
{
  "ts": "2018-03-01T10:31:59Z",
  "srcIP": "192.168.20.5",
  "srcPort": 32876,
  "srcHost": "john-pc",
  "srcMac": "16:c8:60:26:09:a6",
  "srcUser": "john",
  "srcID": "string",
  "url": "http://microsoft775.com/wpad.dat",
  "method": "GET",
  "status": 200,
  "app": "http",
  "action": "allowed",
  "bytesIn": 4321,
  "bytesOut": 1234,
  "contentType": "text/html; charset=utf-8",
  "referrer": "someone.com",
  "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"
}
Responses
Example 200 response
{ "received" : 100 , "accepted" : 100 }
To perform this operation, you must be authenticated by means of one of the following methods:
basicAuth
Code samples
# Without compression
curl -X POST -u "<your-api-key>:" https://api.alphasoc.net/v1/events/http \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d '{"ts":"2018-03-01T10:31:59Z","srcIP":"192.168.20.5","srcPort":32876,"srcHost":"john-pc","srcMac":"16:c8:60:26:09:a6","srcUser":"john","srcID":"string","url":"http://microsoft775.com/wpad.dat","method":"GET","status":200,"app":"http","action":"allowed","bytesIn":4321,"bytesOut":1234,"contentType":"text/html; charset=utf-8","referrer":"someone.com","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"}'

# With compression
curl -u "<your-api-key>:" https://api.alphasoc.net/v1/events/http \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -H 'Content-Encoding: gzip' \
  --data-binary @<(echo '{"ts":"2018-03-01T10:31:59Z","srcIP":"192.168.20.5","srcPort":32876,"srcHost":"john-pc","srcMac":"16:c8:60:26:09:a6","srcUser":"john","srcID":"string","url":"http://microsoft775.com/wpad.dat","method":"GET","status":200,"app":"http","action":"allowed","bytesIn":4321,"bytesOut":1234,"contentType":"text/html; charset=utf-8","referrer":"someone.com","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"}' | gzip)
POST /v1/events/lease
Parameters
Name  In  Type  Required  Description
Content-Encoding  header  string  optional  Compression applied to the request body (gzip or deflate)
body  body  leaseEvent  optional  Batch of leaseEvent objects, one JSON object per event
Body parameter
{
  "ts": "2018-03-01T10:31:59Z",
  "srcIP": "192.168.20.5",
  "srcPort": 32876,
  "srcHost": "john-pc",
  "srcMac": "16:c8:60:26:09:a6",
  "srcUser": "john",
  "srcID": "string",
  "type": "string",
  "termination": true,
  "duration": 5.4
}
Responses
Example 200 response
{ "received" : 100 , "accepted" : 100 }
To perform this operation, you must be authenticated by means of one of the following methods:
basicAuth
Code samples
# Without compression
curl -X POST -u "<your-api-key>:" https://api.alphasoc.net/v1/events/lease \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d '{"ts":"2018-03-01T10:31:59Z","srcIP":"192.168.20.5","srcPort":32876,"srcHost":"john-pc","srcMac":"16:c8:60:26:09:a6","srcUser":"john","srcID":"string","type":"string","termination":true,"duration":5.4}'

# With compression
curl -u "<your-api-key>:" https://api.alphasoc.net/v1/events/lease \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -H 'Content-Encoding: gzip' \
  --data-binary @<(echo '{"ts":"2018-03-01T10:31:59Z","srcIP":"192.168.20.5","srcPort":32876,"srcHost":"john-pc","srcMac":"16:c8:60:26:09:a6","srcUser":"john","srcID":"string","type":"string","termination":true,"duration":5.4}' | gzip)
Inventory
GET /v1/ae/inventory/threats
Responses
Example 200 response
{
  "threats": {
    "c2_communication": {
      "title": "C2 communication attempt indicating infection",
      "severity": 5
    },
    "cryptomining": {
      "title": "Cryptomining indicating infection or resource abuse",
      "severity": 4
    }
  }
}
To perform this operation, you must be authenticated by means of one of the following methods:
basicAuth
Code samples
curl -X GET -u "<your-api-key>:" https://api.alphasoc.net/v1/ae/inventory/threats \
  -H 'Accept: application/json'
GET /v1/ae/inventory/flags
Responses
Example 200 response
{
  "flags": {
    "c2": {
      "title": "Known C2 callback destination",
      "type": "category"
    },
    "freedns": {
      "title": "Parent domain is a dynamic DNS provider",
      "type": "feature"
    }
  }
}
To perform this operation, you must be authenticated by means of one of the following methods:
basicAuth
Code samples
curl -X GET -u "<your-api-key>:" https://api.alphasoc.net/v1/ae/inventory/flags \
  -H 'Accept: application/json'
Schemas
accountStatus
Properties
Name  Type  Required  Description
today  string(date-time)  optional  Today's date
registered  boolean  optional  Registration status
expired  boolean  optional  Key expiration status
expirationDate  string(date-time)  optional  Key expiration date
endpointsSeenToday  integer  optional  Key usage status (endpoints seen today)
messages  [message]  optional  Human-readable messages from the system
Example
{ "today" : "2018-08-28T10:33:37.137110423Z" , "registered" : false , "expired" : false , "expirationDate" : "2018-09-27T10:31:32.196658Z" , "endpointsSeenToday" : 2338 , "messages" : [ { "level" : 2 , "body" : "Your API key is not activated. Alerts are suppressed until you have activated your account." } ] }
message
Properties
Name  Type  Required  Description
level  integer  optional  Message level
body  string  optional  Message text
Enumerated Values
Property  Value  Description
level  1  INFO
level  2  WARN
level  3  ERROR
Example
{ "level" : 2 , "body" : "Your API key is not activated. Alerts are suppressed until you have activated your account." }
alerts
Properties
Name  Type  Required  Description
follow  string  optional  Page bookmark. Pass it to the next request to retrieve only new alerts since the last query.
more  boolean  optional  Indicates whether there are more alerts to retrieve.
alerts  [alert]  optional  Array of alerts.
threats  threats  optional  Dictionary containing the definitions of the threats referenced by the alerts.
Example
{ "follow" : "string" , "more" : true , "alerts" : [ { "eventType" : "string" , "threats" : [ "c2_communication" ] , "wisdom" : { "flags" : [ "c2" , "young_domain" ] , "labels" : [ "c2:TrickBot" ] , "domain" : "example.com" } , "event" : { "ts" : "2018-03-01T10:31:59Z" , "srcIP" : "192.168.20.5" , "srcPort" : 32876 , "srcHost" : "john-pc" , "srcMac" : "16:c8:60:26:09:a6" , "srcUser" : "john" , "srcID" : "string" , "query" : "www.example.com" , "qtype" : "A" } } ] , "threats" : { "c2_communication" : { "title" : "C2 communication attempt indicating infection" , "severity" : 5 } , "cryptomining" : { "title" : "Cryptomining indicating infection or resource abuse" , "severity" : 4 } } }
alert
Properties
Name  Type  Required  Description
eventType  string  optional  Type of the event object ("dns", "ip", "http", "tls").
threats  [string]  optional  Threat IDs associated with the alert.
wisdom  wisdom  optional  Wisdom context of the alert.
event  any  optional  One of the *Event schemas described below.
oneOf (the *Event schemas defined below)
Example
{ "eventType" : "string" , "threats" : [ "c2_communication" ] , "wisdom" : { "flags" : [ "c2" , "young_domain" ] , "labels" : [ "c2:TrickBot" ] , "domain" : "example.com" } , "event" : { "ts" : "2018-03-01T10:31:59Z" , "srcIP" : "192.168.20.5" , "srcPort" : 32876 , "srcHost" : "john-pc" , "srcMac" : "16:c8:60:26:09:a6" , "srcUser" : "john" , "srcID" : "string" , "query" : "www.example.com" , "qtype" : "A" } }
wisdom
Properties
Name  Type  Required  Description
flags  [string]  optional  Flag IDs (definitions are available from /v1/ae/inventory/flags)
labels  [string]  optional  Labels attached to the alert (e.g. c2:TrickBot)
domain  string  optional  Domain the alert relates to
Example
{ "flags" : [ "c2" , "young_domain" ] , "labels" : [ "c2:TrickBot" ] , "domain" : "example.com" }
eventHeader
Common properties for each type of event
Properties
Name  Type  Required  Description
ts  string(date-time)  optional  Event timestamp
srcIP  string(ip)  optional  Source IP
srcPort  integer  optional  Source port
srcHost  string  optional  Source host
srcMac  string  optional  Source MAC address
srcUser  string  optional  Source user
srcID  string  optional  Source ID
Example
{ "ts" : "2018-03-01T10:31:59Z" , "srcIP" : "192.168.20.5" , "srcPort" : 32876 , "srcHost" : "john-pc" , "srcMac" : "16:c8:60:26:09:a6" , "srcUser" : "john" , "srcID" : "string" }
dnsEvent
DNS query event
Properties
allOf
eventHeader: Common properties for each type of event
and an object with the properties:
Name  Type  Required  Description
query  string  optional  DNS query
qtype  string  optional  Query type
Example
{ "ts" : "2018-03-01T10:31:59Z" , "srcIP" : "192.168.20.5" , "srcPort" : 32876 , "srcHost" : "john-pc" , "srcMac" : "16:c8:60:26:09:a6" , "srcUser" : "john" , "srcID" : "string" , "query" : "www.example.com" , "qtype" : "A" }
ipEvent
IP traffic event
Properties
allOf
eventHeader: Common properties for each type of event
and an object with the properties:
Name  Type  Required  Description
destIP  string(ip)  optional  Destination IP
destPort  integer  optional  Destination port
proto  string  optional  Transport layer protocol
bytesIn  integer(int64)  optional  Number of incoming bytes
bytesOut  integer(int64)  optional  Number of outgoing bytes
app  string  optional  Application layer protocol
action  string  optional  Whether the connection was allowed or denied
duration  number(double)  optional  Duration of the connection
Example
{ "ts" : "2018-03-01T10:31:59Z" , "srcIP" : "192.168.20.5" , "srcPort" : 32876 , "srcHost" : "john-pc" , "srcMac" : "16:c8:60:26:09:a6" , "srcUser" : "john" , "srcID" : "string" , "destIP" : "8.8.8.8" , "destPort" : 23 , "proto" : "udp" , "bytesIn" : 3911 , "bytesOut" : 2512 , "app" : "ssl" , "action" : "allowed" , "duration" : 7.2 }
httpEvent
HTTP request event
Properties
allOf
eventHeader: Common properties for each type of event
and an object with the properties:
Name  Type  Required  Description
url  string  optional  HTTP request URL
method  string  optional  HTTP method
status  integer(int64)  optional  HTTP response status code
app  string  optional  Application layer protocol
action  string  optional  Whether the request was allowed or denied
bytesIn  integer(int64)  optional  Number of incoming bytes
bytesOut  integer(int64)  optional  Number of outgoing bytes
contentType  string  optional  Content type of the HTTP response
referrer  string  optional  Referrer of the request
userAgent  string  optional  User agent used in the HTTP request
Example
{ "ts" : "2018-03-01T10:31:59Z" , "srcIP" : "192.168.20.5" , "srcPort" : 32876 , "srcHost" : "john-pc" , "srcMac" : "16:c8:60:26:09:a6" , "srcUser" : "john" , "srcID" : "string" , "url" : "http://microsoft775.com/wpad.dat" , "method" : "GET" , "status" : 200 , "app" : "http" , "action" : "allowed" , "bytesIn" : 4321 , "bytesOut" : 1234 , "contentType" : "text/html; charset=utf-8" , "referrer" : "someone.com" , "userAgent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36" }
tlsEvent
TLS event
Properties
allOf
eventHeader: Common properties for each type of event
and an object with the properties:
Name  Type  Required  Description
certHash  string  optional  Certificate hash
issuer  string  optional  Certificate issuer
subject  string  optional  Certificate subject
validFrom  string(date-time)  optional  Start of the certificate validity period
validTo  string(date-time)  optional  Certificate expiration date
destIP  string(ip)  optional  Destination IP
destPort  integer  optional  Destination port
ja3  string  optional  JA3 fingerprint (client)
ja3s  string  optional  JA3S fingerprint (server)
Example
{ "ts" : "2018-03-01T10:31:59Z" , "srcIP" : "192.168.20.5" , "srcPort" : 32876 , "srcHost" : "john-pc" , "srcMac" : "16:c8:60:26:09:a6" , "srcUser" : "john" , "srcID" : "string" , "certHash" : "9fcc5c1e8ec32f56e975ba43c923dbfa16a8f946" , "issuer" : "C=US; O=DigiCert Inc; OU=www.digicert.com; CN=GeoTrust RSA CA 2018" , "subject" : "C=US,ST=TX,L=Texas,O=lol,OU=,CN=example.com" , "validFrom" : "2021-03-30T00:34:02Z" , "validTo" : "2021-05-29T00:34:02Z" , "destIP" : "188.68.55.50" , "destPort" : 9001 , "ja3" : "724dedf93fb5a3636a0f1ee8fcec8801" , "ja3s" : "015535be754766257f9bfdf3470cd428e0f1cfd4" }
leaseEvent
DHCP query event
Properties
allOf
eventHeader: Common properties for each type of event
and an object with the properties:
Name  Type  Required  Description
type  string  optional  No description
termination  boolean  optional  No description
duration  integer(int64)  optional  Duration of the event (note that the example below uses a fractional value, 5.4, although the declared type is an integer; check which form the server accepts)
Example
{ "ts" : "2018-03-01T10:31:59Z" , "srcIP" : "192.168.20.5" , "srcPort" : 32876 , "srcHost" : "john-pc" , "srcMac" : "16:c8:60:26:09:a6" , "srcUser" : "john" , "srcID" : "string" , "type" : "string" , "termination" : true , "duration" : 5.4 }
aeThreats
Properties
Name Type Required Description threats threats false Dictionary containing definition of threats.
Example
{ "threats" : { "c2_communication" : { "title" : "C2 communication attempt indicating infection" , "severity" : 5 } , "cryptomining" : { "title" : "Cryptomining indicating infection or resource abuse" , "severity" : 4 } } }
threats
Dictionary containing definition of threats.
Properties
Name  Type  Required  Description
threatID  threat  optional  One entry per threat, keyed by threat ID (e.g. c2_communication)
Example
{ "c2_communication" : { "title" : "C2 communication attempt indicating infection" , "severity" : 5 } , "cryptomining" : { "title" : "Cryptomining indicating infection or resource abuse" , "severity" : 4 } }
threat
Properties
Name  Type  Required  Description
title  string  required  Human-readable description of the threat
severity  integer  required  Severity of the threat
policy  boolean  optional  No description
Example
{ "title" : "human readable description" , "severity" : 5 , "policy" : true }
aeFlags
Properties
Name  Type  Required  Description
flags  flags  optional  Dictionary that contains the flag descriptions
Example
{ "flags" : { "c2" : { "title" : "Known C2 callback destination" , "type" : "category" } , "freedns" : { "title" : "Parent domain is a dynamic DNS provider" , "type" : "feature" } } }
flags
Dictionary that contains flags descriptions
Properties
Name  Type  Required  Description
flagID  flag  optional  One entry per flag, keyed by flag ID (e.g. c2)
Example
{ "c2" : { "title" : "Known C2 callback destination" , "type" : "category" } , "freedns" : { "title" : "Parent domain is a dynamic DNS provider" , "type" : "feature" } }
flag
Properties
Name  Type  Required  Description
title  string  optional  Flag description
type  string  optional  Flag type (e.g. category or feature)
Example
{ "title" : "Known blockchain API destination" , "type" : "feature" }
eventsResponseBody
Properties
Name  Type  Required  Description
received  integer  optional  Number of events received in the request
accepted  integer  optional  Number of events accepted for scoring; if it is lower than received, some events were rejected
Example
{ "received" : 100 , "accepted" : 100 }
errorMessage
Properties
Name  Type  Required  Description
message  string  optional  Error message
Example