This document describes the official AlphaSOC REST API.
The primary purpose of the API is to allow a wide variety of clients for sending
network telemetry and receiving alerts.
API endpoints are complementary to other data sources and alert escalations in a way
that alerts generated for network telemetry submitted outside of the API are available
to download via API and vice versa.
Schema
The API can be accessed at https://api.alphasoc.net over HTTPS. All requests and responses
are encoded in JSON.
Compression
As the amount of data transmitted via API can be high, it's advisable to use the compression both ways.
Usually HTTP clients transparently support compression when fetching data (by providing Accept-Encoding header),
but the upload needs to be handled manually. AlphaSOC API supports gzip and deflate compression algorithms
and it's recommended to compress large chunks of data (telemetry) before sending, along with attaching corresponding
Content-Encoding header.
Rate limiting
API counts and limits number of requests from a single API key. The limits are not strictly defined and designed
to protect from flooding and accidental errors in client's implementation. In the unlikely case of hitting the limit
API returns 429 Too Many Requests response and expects the client to retry after some time.
Authentication��
All the API requests should be authenticated using Basic Authentication where API key
is provided as a username and leaving the password empty.
You can generate API keys in the console .
Responses
Account management
GET /v1/account/status
This call can be used to fetch general information about the account, e.g. registration status, key expiration time, and current license usage. Human-readable messages from the system are also included in the response, so they can be presented in the UI.
Responses
Example 200 response
{ "today" : "2018-08-28T10:33:37.137110423Z" , "registered" : false , "expired" : false , "expirationDate" : "2018-09-27T10:31:32.196658Z" , "endpointsSeenToday" : 2338 , "messages" : [ { "level" : 2 , "body" : "Your API key is not activated. Alerts are suppressed until you have activated your account." } ] } To perform this operation, you must be authenticated by means of one of the following methods:
basicAuth
Code samples
curl -X GET -u "<your-api-key>:" https://api.alphasoc.net/v1/account/status \ -H 'Accept: application/json' Detection management
POST /v1/detections
Handles the upload of Sigma detection rules via a zip archive.
The import_mode query parameter controls how rules are processed: merge adds new rules and updates existing ones, while replace removes all existing customer-provided Sigma rules before adding the new ones.
The zip archive must contain Sigma rule files with .yaml or .yml extensions.
The following limits apply:
Maximum number of files in archive: 1000
Maximum size of a single rule file: 100KB
Maximum total decompressed size of all rules: 10MB
Parameters
Name In Type Required Description import_mode query string false Specifies the import mode. merge adds new rules and updates existing ones. replace replaces all existing customer-provided Sigma rules. dry_run query boolean false Specifies if the request will be run in dry run mode. If true, the request will be validated, but no changes will be persisted. body body binary true A zip archive containing Sigma rule files (.yaml or .yml).
Enumerated Values
Parameter Value import_mode merge (default) import_mode replace dry_run false (default) dry_run true
Responses
Example 200 response
Example 400 response
{ "message" : "One or more detection files failed." , "validationResult" : { "valid" : 5 , "invalid" : 2 , "errors" : [ { "fileName" : "malformed_rule.yml" , "error" : "invalid Sigma rule: missing required field 'detection'" } ] } } To perform this operation, you must be authenticated by means of one of the following methods:
basicAuth
Code samples
curl -X POST -u "<your-api-key>:" https://api.alphasoc.net/v1/detections \ -H 'Content-Type: application/zip' \ -H 'Accept: application/json' \ --data-binary @./path/to/rules.zip Retrieving Findings
GET /v1/findings
This endpoint allows for fetching findings generated from logs submitted to the AlphaSOC Analytics Engine
(via API or other sources). Each finding includes detections along with the associated resources and context.
It might also include sampled log entries that triggered the detection.
Threat details can be accessed via additional threats dictionary, but note that for a given
threat ID the description and severity can be amended at any time – in such the case the changes are valid for all the
historical findings already retrieved. The full and most recent threat dictionary is also available using (inventory endpoints)[#inventory].
The API uses stream pagination to limit the size of individual responses and allow reading stream of data in continuous manner.
Each response includes a follow bookmark, which should be passed as a parameter in subsequent requests to retrieve only new results.
When the last page is reached, the more property in the response is set to false.
Usually the flow for retrieving findings looks like this:
Fetch new findings via /v1/findings?schema=ocsf&follow={lastFollowBookmark}.
If response.More == true then go back to [1] immediately.
If response.More == false then sleep for some time and go back to [1].
It is also possible to use ndjson format for findings. In such case, the stream pagination values are returned
in x-stream-more and x-stream-follow headers.
Parameters
Name In Type Required Description follow query string false Bookmark provided by one of the previous responses. Only new findings since the bookmark will be returned. schema query string false Returned schema of the findings. Currently only ocsf value is supported. maxAge query string false Specifies maximum age of alerts to return. Accept header string false Specifies the format of the response. Defaults to application/json.
Detailed descriptions
schema : Returned schema of the findings. Currently only ocsf value is supported.
maxAge : Specifies maximum age of alerts to return.
Value can be represented in seconds (s), minutes (m), hours (h) or days (d) up to 30d. Defaults to 3 days.
Accept : Specifies the format of the response. Defaults to application/json.
Enumerated Values
Parameter Value schema ocsf Accept application/json Accept application/x-ndjson
Responses
Example 200 response
{ "follow" : "string" , "more" : true , "records" : [ { "category_name" : "Findings" , "category_uid" : 2 , "class_name" : "DetectionFinding" , "class_uid" : 2004 , "type_name" : "DetectionFinding: Create" , "type_uid" : 200401 , "count" : 4 , "time" : 1725679437 , "time_dt" : "2024-09-07T03:23:57Z" , "enrichments" : [ { "data" : { "aggregation" : { "key" : { "workspaceID" : "9269f7ee-115c-46da-8445-62ebff28217e" , "srcIP" : "192.168.40.17" , "detections" : [ { "id" : "c2" , "key" : "LokiBot" , "severity" : 5 , "observations" : [ ] , "mitreAttack" : [ ] , "threat" : "c2_communication" } Status Header Type Format Description 200 X-Stream-Follow string Follow bookmark to be used in subsequent requests 200 X-Stream-More boolean Indicator whether there are more findings to retrieve
To perform this operation, you must be authenticated by means of one of the following methods:
basicAuth
Code samples
curl -X GET -u "<your-api-key>:" https://api.alphasoc.net/v1/findings \ -H 'Accept: application/json' \ -H 'Accept: application/x-ndjson' Retrieving Alerts
GET /v1/alerts
Deprecated: it is recomended to use /v1/findings
This endpoint allows for fetching alerts generated by network telemetry submitted to the
AlphaSOC Analytics Engine (via API or other sources). Each alert includes the original (although normalized) event
along with the associated threats and context.
Threat details can be accessed via additional threats dictionary included in the response, but note that for a given
threat ID the description and severity can be amended at any time – in such the case the changes are valid for all the
historical alerts already retrieved. The full and most recent threat dictionary is also available using (inventory endpoints)[#inventory].
The API uses pagination to limit the size of individual responses. Each response includes a follow bookmark,
which should be passed as a parameter in subsequent requests to retrieve only new results. When the last page
is reached, the more property in the response is set to false.
Usually the flow for retrieving alerts looks like this:
Fetch new alerts via /v1/alerts?follow={lastFollowBookmark}.
If response.More == true then go back to [1] immediately.
If response.More == false then sleep for some time and go back to [1].
Parameters
Name In Type Required Description follow query string false Page bookmark as provided by one of the previous responses. Only new alerts since the bookmark will be returned. maxAge query string false Specifies maximum age of alerts to return.
Detailed descriptions
maxAge : Specifies maximum age of alerts to return.
Value can be represented in seconds (s), minutes (m) or hours (h) up to 720h (30 days).
Responses
Status Meaning Description Schema 200 OK OK alerts
Example 200 response
{ "follow" : "string" , "more" : true , "alerts" : [ { "eventType" : "string" , "threats" : [ "c2_communication" ] , "wisdom" : { "flags" : [ "c2" , "young_domain" ] , "labels" : [ "c2:TrickBot" ] , "domain" : "example.com" } , "event" : { "ts" : "2018-03-01T10:31:59Z" , "srcIP" : "192.168.20.5" , "srcPort" : 32876 , "srcHost" : "john-pc" , "srcMac" : "16:c8:60:26:09:a6" , "srcUser" : "john" , "srcID" : "string" , "query" : "www.example.com" , "qtype" : "A" } To perform this operation, you must be authenticated by means of one of the following methods:
basicAuth
Code samples
curl -X GET -u "<your-api-key>:" --compressed https://api.alphasoc.net/v1/alerts \ -H 'Accept: application/json' Sending Telemetry
Network telemetry can be submitted for scoring using multiple endpoints – each one for specific type of events (DNS, IP, etc.).
Events are submitted in batches containing a stream of JSON objects with every object representing an individual network event.
For example:
{dnsEvent1}{dnsEvent2}{dnsEvent3}... There is no limit for number of events one can send, but there is a limit of uncompressed body size (currently 10MB).
It is advisable to compress the data before uploading, see Compression for details.
POST /v1/events/dns
Parameters
Name In Type Required Description Content-Encoding header string false Sets compression body body dnsEvent false none
Body parameter
{ "ts" : "2018-03-01T10:31:59Z" , "srcIP" : "192.168.20.5" , "srcPort" : 32876 , "srcHost" : "john-pc" , "srcMac" : "16:c8:60:26:09:a6" , "srcUser" : "john" , "srcID" : "string" , "query" : "www.example.com" , "qtype" : "A" } Responses
Example 200 response
{ "received" : 100 , "accepted" : 100 } To perform this operation, you must be authenticated by means of one of the following methods:
basicAuth
Code samples
# Without compression curl -X POST -u "<your-api-key>:" https://api.alphasoc.net/v1/events/dns \ -H 'Content-Type: application/json' \ -H 'Accept: application/json' \ -d '{"ts":"2018-03-01T10:31:59Z","srcIP":"192.168.20.5","srcPort":32876,"srcHost":"john-pc","srcMac":"16:c8:60:26:09:a6","srcUser":"john","srcID":"string","query":"www.example.com","qtype":"A"}' # With compression curl -u "<your-api-key>:" https://api.alphasoc.net/v1/events/dns \ -H 'Content-Type: application/json' \ -H 'Accept: application/json' \ -H 'Content-Encoding: gzip' \ --data-binary @<(echo '{"ts":"2018-03-01T10:31:59Z","srcIP":"192.168.20.5","srcPort":32876,"srcHost":"john-pc","srcMac":"16:c8:60:26:09:a6","srcUser":"john","srcID":"string","query":"www.example.com","qtype":"A"}' | gzip) POST /v1/events/ip
Parameters
Name In Type Required Description Content-Encoding header string false Sets compression body body ipEvent false none
Body parameter
{ "ts" : "2018-03-01T10:31:59Z" , "srcIP" : "192.168.20.5" , "srcPort" : 32876 , "srcHost" : "john-pc" , "srcMac" : "16:c8:60:26:09:a6" , "srcUser" : "john" , "srcID" : "string" , "destIP" : "8.8.8.8" , "destPort" : 23 , "proto" : "udp" , "bytesIn" : 3911 , "bytesOut" : 2512 , "packetsIn" : 11 , "packetsOut" : 7 , "app" : "ssl" , "action" : "allowed" , "duration" : 7.2 } Responses
Example 200 response
{ "received" : 100 , "accepted" : 100 } To perform this operation, you must be authenticated by means of one of the following methods:
basicAuth
Code samples
# Without compression curl -X POST -u "<your-api-key>:" https://api.alphasoc.net/v1/events/ip \ -H 'Content-Type: application/json' \ -H 'Accept: application/json' \ -d '{"ts":"2018-03-01T10:31:59Z","srcIP":"192.168.20.5","srcPort":32876,"srcHost":"john-pc","srcMac":"16:c8:60:26:09:a6","srcUser":"john","srcID":"string","destIP":"8.8.8.8","destPort":23,"proto":"udp","bytesIn":3911,"bytesOut":2512,"packetsIn":11,"packetsOut":7,"app":"ssl","action":"allowed","duration":7.2}' # With compression curl -u "<your-api-key>:" https://api.alphasoc.net/v1/events/ip \ -H 'Content-Type: application/json' \ -H 'Accept: application/json' \ -H 'Content-Encoding: gzip' \ --data-binary @<(echo '{"ts":"2018-03-01T10:31:59Z","srcIP":"192.168.20.5","srcPort":32876,"srcHost":"john-pc","srcMac":"16:c8:60:26:09:a6","srcUser":"john","srcID":"string","destIP":"8.8.8.8","destPort":23,"proto":"udp","bytesIn":3911,"bytesOut":2512,"packetsIn":11,"packetsOut":7,"app":"ssl","action":"allowed","duration":7.2}' | gzip) POST /v1/events/tls
Parameters
Name In Type Required Description Content-Encoding header string false Sets compression body body tlsEvent false none
Body parameter
{ "ts" : "2018-03-01T10:31:59Z" , "srcIP" : "192.168.20.5" , "srcPort" : 32876 , "srcHost" : "john-pc" , "srcMac" : "16:c8:60:26:09:a6" , "srcUser" : "john" , "srcID" : "string" , "certHash" : "9fcc5c1e8ec32f56e975ba43c923dbfa16a8f946" , "issuer" : "C=US; O=DigiCert Inc; OU=www.digicert.com; CN=GeoTrust RSA CA 2018" , "subject" : "C=US,ST=TX,L=Texas,O=lol,OU=,CN=example.com" , "validFrom" : "2021-03-30T00:34:02Z" , "validTo" : "2021-05-29T00:34:02Z" , "destIP" : "188.68.55.50" , "destPort" : 9001 , "ja3" : "724dedf93fb5a3636a0f1ee8fcec8801" , "ja3s" : "015535be754766257f9bfdf3470cd428e0f1cfd4" } Responses
Example 200 response
{ "received" : 100 , "accepted" : 100 } To perform this operation, you must be authenticated by means of one of the following methods:
basicAuth
Code samples
# Without compression curl -X POST -u "<your-api-key>:" https://api.alphasoc.net/v1/events/tls \ -H 'Content-Type: application/json' \ -H 'Accept: application/json' \ -d '{"ts":"2018-03-01T10:31:59Z","srcIP":"192.168.20.5","srcPort":32876,"srcHost":"john-pc","srcMac":"16:c8:60:26:09:a6","srcUser":"john","srcID":"string","certHash":"9fcc5c1e8ec32f56e975ba43c923dbfa16a8f946","issuer":"C=US; O=DigiCert Inc; OU=www.digicert.com; CN=GeoTrust RSA CA 2018","subject":"C=US,ST=TX,L=Texas,O=lol,OU=,CN=example.com","validFrom":"2021-03-30T00:34:02Z","validTo":"2021-05-29T00:34:02Z","destIP":"188.68.55.50","destPort":9001,"ja3":"724dedf93fb5a3636a0f1ee8fcec8801","ja3s":"015535be754766257f9bfdf3470cd428e0f1cfd4"}' # With compression curl -u "<your-api-key>:" https://api.alphasoc.net/v1/events/tls \ -H 'Content-Type: application/json' \ -H 'Accept: application/json' \ -H 'Content-Encoding: gzip' \ --data-binary @<(echo '{"ts":"2018-03-01T10:31:59Z","srcIP":"192.168.20.5","srcPort":32876,"srcHost":"john-pc","srcMac":"16:c8:60:26:09:a6","srcUser":"john","srcID":"string","certHash":"9fcc5c1e8ec32f56e975ba43c923dbfa16a8f946","issuer":"C=US; O=DigiCert Inc; OU=www.digicert.com; CN=GeoTrust RSA CA 2018","subject":"C=US,ST=TX,L=Texas,O=lol,OU=,CN=example.com","validFrom":"2021-03-30T00:34:02Z","validTo":"2021-05-29T00:34:02Z","destIP":"188.68.55.50","destPort":9001,"ja3":"724dedf93fb5a3636a0f1ee8fcec8801","ja3s":"015535be754766257f9bfdf3470cd428e0f1cfd4"}' | gzip) POST /v1/events/http
Parameters
Name In Type Required Description Content-Encoding header string false Sets compression body body httpEvent false none
Body parameter
{ "ts" : "2018-03-01T10:31:59Z" , "srcIP" : "192.168.20.5" , "srcPort" : 32876 , "srcHost" : "john-pc" , "srcMac" : "16:c8:60:26:09:a6" , "srcUser" : "john" , "srcID" : "string" , "url" : "http://microsoft775.com/wpad.dat" , "method" : "GET" , "status" : 200 , "app" : "http" , "action" : "allowed" , "bytesIn" : 4321 , "bytesOut" : 1234 , "contentType" : "text/html; charset=utf-8" , "referrer" : "someone.com" , "userAgent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36" } Responses
Example 200 response
{ "received" : 100 , "accepted" : 100 } To perform this operation, you must be authenticated by means of one of the following methods:
basicAuth
Code samples
# Without compression curl -X POST -u "<your-api-key>:" https://api.alphasoc.net/v1/events/http \ -H 'Content-Type: application/json' \ -H 'Accept: application/json' \ -d '{"ts":"2018-03-01T10:31:59Z","srcIP":"192.168.20.5","srcPort":32876,"srcHost":"john-pc","srcMac":"16:c8:60:26:09:a6","srcUser":"john","srcID":"string","url":"http://microsoft775.com/wpad.dat","method":"GET","status":200,"app":"http","action":"allowed","bytesIn":4321,"bytesOut":1234,"contentType":"text/html; charset=utf-8","referrer":"someone.com","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"}' # With compression curl -u "<your-api-key>:" https://api.alphasoc.net/v1/events/http \ -H 'Content-Type: application/json' \ -H 'Accept: application/json' \ -H 'Content-Encoding: gzip' \ --data-binary @<(echo '{"ts":"2018-03-01T10:31:59Z","srcIP":"192.168.20.5","srcPort":32876,"srcHost":"john-pc","srcMac":"16:c8:60:26:09:a6","srcUser":"john","srcID":"string","url":"http://microsoft775.com/wpad.dat","method":"GET","status":200,"app":"http","action":"allowed","bytesIn":4321,"bytesOut":1234,"contentType":"text/html; charset=utf-8","referrer":"someone.com","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"}' | gzip) POST /v1/events/lease
Parameters
Name In Type Required Description Content-Encoding header string false Sets compression body body leaseEvent false none
Body parameter
{ "ts" : "2018-03-01T10:31:59Z" , "srcIP" : "192.168.20.5" , "srcPort" : 32876 , "srcHost" : "john-pc" , "srcMac" : "16:c8:60:26:09:a6" , "srcUser" : "john" , "srcID" : "string" , "type" : "string" , "termination" : true , "duration" : 5.4 } Responses
Example 200 response
{ "received" : 100 , "accepted" : 100 } To perform this operation, you must be authenticated by means of one of the following methods:
basicAuth
Code samples
# Without compression curl -X POST -u "<your-api-key>:" https://api.alphasoc.net/v1/events/lease \ -H 'Content-Type: application/json' \ -H 'Accept: application/json' \ -d '{"ts":"2018-03-01T10:31:59Z","srcIP":"192.168.20.5","srcPort":32876,"srcHost":"john-pc","srcMac":"16:c8:60:26:09:a6","srcUser":"john","srcID":"string","type":"string","termination":true,"duration":5.4}' # With compression curl -u "<your-api-key>:" https://api.alphasoc.net/v1/events/lease \ -H 'Content-Type: application/json' \ -H 'Accept: application/json' \ -H 'Content-Encoding: gzip' \ --data-binary @<(echo '{"ts":"2018-03-01T10:31:59Z","srcIP":"192.168.20.5","srcPort":32876,"srcHost":"john-pc","srcMac":"16:c8:60:26:09:a6","srcUser":"john","srcID":"string","type":"string","termination":true,"duration":5.4}' | gzip) Inventory
GET /v1/ae/inventory/threats
Responses
Example 200 response
{ "threats" : { "c2_communication" : { "title" : "C2 communication attempt indicating infection" , "severity" : 5 } , "cryptomining" : { "title" : "Cryptomining indicating infection or resource abuse" , "severity" : 4 } } } To perform this operation, you must be authenticated by means of one of the following methods:
basicAuth
Code samples
curl -X GET -u "<your-api-key>:" https://api.alphasoc.net/v1/ae/inventory/threats \ -H 'Accept: application/json' GET /v1/ae/inventory/flags
Responses
Example 200 response
{ "flags" : { "c2" : { "title" : "Known C2 callback destination" , "type" : "category" } , "freedns" : { "title" : "Parent domain is a dynamic DNS provider" , "type" : "feature" } } } To perform this operation, you must be authenticated by means of one of the following methods:
basicAuth
Code samples
curl -X GET -u "<your-api-key>:" https://api.alphasoc.net/v1/ae/inventory/flags \ -H 'Accept: application/json' Schemas
accountStatus
Properties
Name Type Required Description today string(date-time) false Today's date registered boolean false Registration status expired boolean false Key expiration status expirationDate string(date-time) false Key expiration date endpointsSeenToday integer false Key usage status messages [message ] false Human readable messages from the system
Example
{ "today" : "2018-08-28T10:33:37.137110423Z" , "registered" : false , "expired" : false , "expirationDate" : "2018-09-27T10:31:32.196658Z" , "endpointsSeenToday" : 2338 , "messages" : [ { "level" : 2 , "body" : "Your API key is not activated. Alerts are suppressed until you have activated your account." } ] } message
Properties
Name Type Required Description level integer false Message level body string false Message text
Enumerated Values
Property Value Description level 1 1 - INFO level 2 2 - WARN level 3 3 - ERROR
Example
{ "level" : 2 , "body" : "Your API key is not activated. Alerts are suppressed until you have activated your account." } alerts
Properties
Name Type Required Description follow string false Page bookmark. Can be passed to consecutive request to retrieve only new alerts since the last query. more boolean false Indicates if there are more alerts to retrieve. alerts [alert ] false Array of alerts. threats threats false Dictionary containing definition of threats.
Example
{ "follow" : "string" , "more" : true , "alerts" : [ { "eventType" : "string" , "threats" : [ "c2_communication" ] , "wisdom" : { "flags" : [ "c2" , "young_domain" ] , "labels" : [ "c2:TrickBot" ] , "domain" : "example.com" } , "event" : { "ts" : "2018-03-01T10:31:59Z" , "srcIP" : "192.168.20.5" , "srcPort" : 32876 , "srcHost" : "john-pc" , "srcMac" : "16:c8:60:26:09:a6" , "srcUser" : "john" , "srcID" : "string" , "query" : "www.example.com" , "qtype" : "A" } alert
Properties
Name Type Required Description eventType string false EventType describes type of event object ("dns", "ip", "http", "tls"). threats [string] false Threats associated with alert. wisdom wisdom false Wisdom context of alert. event any false One of the *Event schema described in the table below.
oneOf
Example
{ "eventType" : "string" , "threats" : [ "c2_communication" ] , "wisdom" : { "flags" : [ "c2" , "young_domain" ] , "labels" : [ "c2:TrickBot" ] , "domain" : "example.com" } , "event" : { "ts" : "2018-03-01T10:31:59Z" , "srcIP" : "192.168.20.5" , "srcPort" : 32876 , "srcHost" : "john-pc" , "srcMac" : "16:c8:60:26:09:a6" , "srcUser" : "john" , "srcID" : "string" , "query" : "www.example.com" , "qtype" : "A" } } findings
Properties
Name Type Required Description follow string false Page bookmark. Can be passed to consecutive request to retrieve only new findings since the last query. more boolean false Indicates if there are more findings to retrieve. records [finding ] false [OCSF v1.2.0 Detection Finding. For more information about the schema see OCSF specification.]
Example
{ "follow" : "string" , "more" : true , "records" : [ { "category_name" : "Findings" , "category_uid" : 2 , "class_name" : "DetectionFinding" , "class_uid" : 2004 , "type_name" : "DetectionFinding: Create" , "type_uid" : 200401 , "count" : 4 , "time" : 1725679437 , "time_dt" : "2024-09-07T03:23:57Z" , "enrichments" : [ { "data" : { "aggregation" : { "key" : { "workspaceID" : "9269f7ee-115c-46da-8445-62ebff28217e" , "srcIP" : "192.168.40.17" , "detections" : [ { "id" : "c2" , "key" : "LokiBot" , "severity" : 5 , "observations" : [ ] , "mitreAttack" : [ ] , "threat" : "c2_communication" } finding
OCSF v1.2.0 Detection Finding. For more information about the schema see OCSF specification.
Example
{ "category_name" : "Findings" , "category_uid" : 2 , "class_name" : "DetectionFinding" , "class_uid" : 2004 , "type_name" : "DetectionFinding: Create" , "type_uid" : 200401 , "count" : 4 , "time" : 1725679437 , "time_dt" : "2024-09-07T03:23:57Z" , "enrichments" : [ { "data" : { "aggregation" : { "key" : { "workspaceID" : "9269f7ee-115c-46da-8445-62ebff28217e" , "srcIP" : "192.168.40.17" , "detections" : [ { "id" : "c2" , "key" : "LokiBot" , "severity" : 5 , "observations" : [ "bad" ] , "mitreAttack" : [ "TA0011:T1071" ] , "threat" : "c2_communication" } detectionsUpload
Properties
Name Type Required Description accepted integer false Number of Sigma rules that were successfully processed and accepted.
Example
detectionsBadRequest
Properties
Name Type Required Description message string false Message text validationResult object false Detailed validation results when validation errors occur valid integer false Number of detections that passed validation and were stored invalid integer false Number of detections that failed validation or storage errors [object] false Detailed validation errors for each invalid rule »fileName string false Name of the Sigma rule file that caused the error »error string false Error message describing the issue
Example
{ "message" : "One or more detection files failed." , "validationResult" : { "valid" : 5 , "invalid" : 2 , "errors" : [ { "fileName" : "malformed_rule.yml" , "error" : "invalid Sigma rule: missing required field 'detection'" } ] } } wisdom
Properties
Name Type Required Description flags [string] false none labels [string] false none domain string false none
Example
{ "flags" : [ "c2" , "young_domain" ] , "labels" : [ "c2:TrickBot" ] , "domain" : "example.com" } Common properties for each type of event
Properties
Name Type Required Description ts string(date-time) false Event timestamp srcIP string(ip) false Source IP srcPort integer false Source port srcHost string false Source host srcMac string false Source mac address srcUser string false Source user srcID string false Source ID
Example
{ "ts" : "2018-03-01T10:31:59Z" , "srcIP" : "192.168.20.5" , "srcPort" : 32876 , "srcHost" : "john-pc" , "srcMac" : "16:c8:60:26:09:a6" , "srcUser" : "john" , "srcID" : "string" } dnsEvent
DNS query event
allOf
Name Type Required Description - eventHeader false Common properties for each type of event
and
Name Type Required Description - object false none query string false DNS query qtype string false Query type
Example
{ "ts" : "2018-03-01T10:31:59Z" , "srcIP" : "192.168.20.5" , "srcPort" : 32876 , "srcHost" : "john-pc" , "srcMac" : "16:c8:60:26:09:a6" , "srcUser" : "john" , "srcID" : "string" , "query" : "www.example.com" , "qtype" : "A" } ipEvent
IP traffic event
allOf
Name Type Required Description - eventHeader false Common properties for each type of event
and
Name Type Required Description - object false none destIP string(ip) false Destination IP destPort integer false Destination port proto string false Transport layer protocol bytesIn integer(int64) false Number of incoming bytes bytesOut integer(int64) false Number of outgoing bytes packetsIn integer(int64) false Number of incoming packets packetsOut integer(int64) false Number of outgoing packets app string false Application layer protocol action string false Defines if event was allowed or denied duration number(double) false Duration of connection
Example
{ "ts" : "2018-03-01T10:31:59Z" , "srcIP" : "192.168.20.5" , "srcPort" : 32876 , "srcHost" : "john-pc" , "srcMac" : "16:c8:60:26:09:a6" , "srcUser" : "john" , "srcID" : "string" , "destIP" : "8.8.8.8" , "destPort" : 23 , "proto" : "udp" , "bytesIn" : 3911 , "bytesOut" : 2512 , "packetsIn" : 11 , "packetsOut" : 7 , "app" : "ssl" , "action" : "allowed" , "duration" : 7.2 } httpEvent
HTTP request event
allOf
Name Type Required Description - eventHeader false Common properties for each type of event
and
Name Type Required Description - object false none url string false HTTP request URL method string false HTTP method status integer(int64) false HTTP response status code app string false Application layer protocol action string false Defines if event was allowed or denied bytesIn integer(int64) false Number of incoming bytes bytesOut integer(int64) false Number of outgoing bytes contentType string false Content type of HTTP event referrer string false none userAgent string false User Agent used in HTTP event
Example
{ "ts" : "2018-03-01T10:31:59Z" , "srcIP" : "192.168.20.5" , "srcPort" : 32876 , "srcHost" : "john-pc" , "srcMac" : "16:c8:60:26:09:a6" , "srcUser" : "john" , "srcID" : "string" , "url" : "http://microsoft775.com/wpad.dat" , "method" : "GET" , "status" : 200 , "app" : "http" , "action" : "allowed" , "bytesIn" : 4321 , "bytesOut" : 1234 , "contentType" : "text/html; charset=utf-8" , "referrer" : "someone.com" , "userAgent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36" } tlsEvent
TLS event
allOf
Name Type Required Description - eventHeader false Common properties for each type of event
and
Name Type Required Description - object false none certHash string false Certificate hash issuer string false Certificate issuer subject string false Certificate subject validFrom string(date-time) false From when certificate is valid validTo string(date-time) false Certificate expiration date destIP string(ip) false Destination IP destPort integer false Destination port ja3 string false JA3 fingerprint ja3s string false JA3S fingerprint
Example
{ "ts" : "2018-03-01T10:31:59Z" , "srcIP" : "192.168.20.5" , "srcPort" : 32876 , "srcHost" : "john-pc" , "srcMac" : "16:c8:60:26:09:a6" , "srcUser" : "john" , "srcID" : "string" , "certHash" : "9fcc5c1e8ec32f56e975ba43c923dbfa16a8f946" , "issuer" : "C=US; O=DigiCert Inc; OU=www.digicert.com; CN=GeoTrust RSA CA 2018" , "subject" : "C=US,ST=TX,L=Texas,O=lol,OU=,CN=example.com" , "validFrom" : "2021-03-30T00:34:02Z" , "validTo" : "2021-05-29T00:34:02Z" , "destIP" : "188.68.55.50" , "destPort" : 9001 , "ja3" : "724dedf93fb5a3636a0f1ee8fcec8801" , "ja3s" : "015535be754766257f9bfdf3470cd428e0f1cfd4" } leaseEvent
DHCP query event
allOf
Name Type Required Description - eventHeader false Common properties for each type of event
and
Name Type Required Description - object false none type string false none termination boolean false none duration integer(int64) false Duration of the event
Example
{ "ts" : "2018-03-01T10:31:59Z" , "srcIP" : "192.168.20.5" , "srcPort" : 32876 , "srcHost" : "john-pc" , "srcMac" : "16:c8:60:26:09:a6" , "srcUser" : "john" , "srcID" : "string" , "type" : "string" , "termination" : true , "duration" : 5.4 } aeThreats
Properties
Name Type Required Description threats threats false Dictionary containing definition of threats.
Example
{ "threats" : { "c2_communication" : { "title" : "C2 communication attempt indicating infection" , "severity" : 5 } , "cryptomining" : { "title" : "Cryptomining indicating infection or resource abuse" , "severity" : 4 } } } threats
Dictionary containing definition of threats.
Properties
Name Type Required Description threatID threat false none
Example
{ "c2_communication" : { "title" : "C2 communication attempt indicating infection" , "severity" : 5 } , "cryptomining" : { "title" : "Cryptomining indicating infection or resource abuse" , "severity" : 4 } } threat
Properties
Name Type Required Description title string true Human readable description of the threat severity integer true Severity of the threat policy boolean false none
Example
{ "title" : "human readable description" , "severity" : 5 , "policy" : true } aeFlags
Properties
Name Type Required Description flags flags false Dictionary that contains flags descriptions
Example
{ "flags" : { "c2" : { "title" : "Known C2 callback destination" , "type" : "category" } , "freedns" : { "title" : "Parent domain is a dynamic DNS provider" , "type" : "feature" } } } flags
Dictionary that contains flags descriptions
Properties
Name Type Required Description flagID flag false none
Example
{ "c2" : { "title" : "Known C2 callback destination" , "type" : "category" } , "freedns" : { "title" : "Parent domain is a dynamic DNS provider" , "type" : "feature" } } flag
Properties
Name Type Required Description title string false Flag description type string false Flag type
Example
{ "title" : "Known blockchain API destination" , "type" : "feature" } eventsResponseBody
Properties
Name Type Required Description received integer false Number of received events accepted integer false Number of accepted events
Example
{ "received" : 100 , "accepted" : 100 } errorMessage
Properties
Name Type Required Description message string false Error message
Example