Alerts and findings APIs
The following APIs can be used for tasks related to alerts and findings.
Get alerts
Provides an option for retrieving alerts related to a specific detector type or detector ID.
Parameters
You can specify the following parameters when requesting alerts.
Parameter | Description |
---|---|
detector_id | The ID of the detector used to fetch alerts. Optional when detectorType is specified. Otherwise required. |
detectorType | The type of detector used to fetch alerts. Optional when detector_id is specified. Otherwise required. |
severityLevel | Used to filter by alert severity level. Optional. |
alertState | Used to filter by alert state. Possible values are ACTIVE, ACKNOWLEDGED, COMPLETED, ERROR, or DELETED. Optional. |
sortString | The string that Security Analytics uses to sort the alerts. Optional. |
sortOrder | The order used to sort the returned list. Possible values are asc or desc. Optional. |
missing | A list of fields for which no alias mappings were found. Optional. |
size | An optional limit on the maximum number of results returned in the response. Optional. |
startIndex | The pagination indicator. Optional. |
searchString | The alert attribute you want returned in the search. Optional. |
Example request
GET /_plugins/_security_analytics/alerts?detectorType=windows
Example response
{
"alerts": [{
"detector_id": "detector_12345",
"id": "alert_id_1",
"version": -3,
"schema_version": 0,
"trigger_id": "trigger_id_1",
"trigger_name": "my_trigger",
"finding_ids": ["finding_id_1"],
"related_doc_ids": ["docId1"],
"state": "ACTIVE",
"error_message": null,
"alert_history": [],
"severity": null,
"action_execution_results": [{
"action_id": "action_id_1",
"last_execution_time": 1665693544996,
"throttled_count": 0
}],
"start_time": "2022-10-13T20:39:04.995023Z",
"last_notification_time": "2022-10-13T20:39:04.995028Z",
"end_time": "2022-10-13T20:39:04.995027Z",
"acknowledged_time": "2022-10-13T20:39:04.995028Z"
}],
"total_alerts": 1,
"detectorType": "windows"
}
Response body fields
Alerts persist until you resolve the root cause and have the following states:
State | Description |
---|---|
ACTIVE | The alert is ongoing and unacknowledged. Alerts remain in this state until you acknowledge them, delete the trigger associated with the alert, or delete the monitor entirely. |
ACKNOWLEDGED | Someone has acknowledged the alert but has not fixed the root cause. |
COMPLETED | The alert is no longer ongoing. Alerts enter this state after the corresponding trigger evaluates to false. |
ERROR | An error occurred while executing the trigger. This error is usually caused by an incorrect trigger or destination. |
DELETED | Someone deleted the detector or trigger associated with this alert while the alert was ongoing. |
Acknowledge alerts
Sends an acknowledgment when an alert is triggered.
Example request
POST /_plugins/_security_analytics/detectors/<detector_id>/_acknowledge/alerts
{"alerts":["4dc7f5a9-2c82-4786-81ca-433a209d5205"]}
Example response
{
"acknowledged": [
{
"detector_id": "8YT5fYQBZ8IUM4axics6",
"id": "4dc7f5a9-2c82-4786-81ca-433a209d5205",
"version": 1,
"schema_version": 4,
"trigger_id": "1TP5fYQBMkkIGY6Pg-q8",
"trigger_name": "test-trigger",
"finding_ids": [
"2e167f4b-8063-40ef-80f8-2afd9bf095b8"
],
"related_doc_ids": [
"1|windows"
],
"state": "ACTIVE",
"error_message": null,
"alert_history": [],
"severity": "1",
"action_execution_results": [
{
"action_id": "BopdoIJKXd",
"last_execution_time": 1668560817925,
"throttled_count": 0
}
],
"start_time": "2022-11-16T01:06:57.748Z",
"last_notification_time": "2022-11-16T01:06:57.748Z",
"end_time": null,
"acknowledged_time": null
}
],
"failed": [],
"missing": []
}
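The Get alerts parameters and the acknowledge call above are easy to get subtly wrong (one of detector_id or detectorType is mandatory, and acknowledgement is addressed to a single detector). The following is an added example, not part of the original documentation or the plugin's own client code: it builds both requests, groups ACTIVE alerts by detector so each batch goes to the right acknowledge path, and reads back the failed/missing lists. Detector and alert ids in the sample are constructed placeholders.

```python
import json
from urllib.parse import urlencode

ALERTS_PATH = "/_plugins/_security_analytics/alerts"
ACK_PATH = "/_plugins/_security_analytics/detectors/{detector_id}/_acknowledge/alerts"
ALERT_STATES = {"ACTIVE", "ACKNOWLEDGED", "COMPLETED", "ERROR", "DELETED"}


def build_alerts_request(detector_type=None, detector_id=None, alert_state=None,
                         severity_level=None, size=None, start_index=None):
    """Build the GET path for the Get alerts API, enforcing the rule from the
    parameter table: at least one of detector_id / detectorType is required."""
    if detector_id is None and detector_type is None:
        raise ValueError("either detector_id or detectorType is required")
    if alert_state is not None and alert_state not in ALERT_STATES:
        raise ValueError("alertState must be one of %s" % sorted(ALERT_STATES))
    params = {"detector_id": detector_id, "detectorType": detector_type,
              "alertState": alert_state, "severityLevel": severity_level,
              "size": size, "startIndex": start_index}
    query = urlencode({k: v for k, v in params.items() if v is not None})
    return ALERTS_PATH + ("?" + query if query else "")


def active_alert_ids_by_detector(response_json):
    """Group ids of ACTIVE alerts by detector_id, because acknowledgement is
    sent per detector (the detector_id is part of the acknowledge path)."""
    grouped = {}
    for alert in json.loads(response_json)["alerts"]:
        if alert["state"] == "ACTIVE":
            grouped.setdefault(alert["detector_id"], []).append(alert["id"])
    return grouped


def build_acknowledge_request(detector_id, alert_ids):
    """Return (path, JSON body) for POST .../detectors/<detector_id>/_acknowledge/alerts."""
    return ACK_PATH.format(detector_id=detector_id), json.dumps({"alerts": list(alert_ids)})


def acknowledge_outcome(ack_response_json):
    """Split an acknowledge response into (acknowledged ids, failed, missing),
    so a caller can retry or raise on ids the service did not accept."""
    r = json.loads(ack_response_json)
    return [a["id"] for a in r["acknowledged"]], r["failed"], r["missing"]


# Constructed sample (placeholder ids), shaped like the page's example response.
SAMPLE_ALERTS = json.dumps({"alerts": [
    {"detector_id": "det_A", "id": "alert_1", "state": "ACTIVE"},
    {"detector_id": "det_A", "id": "alert_2", "state": "ACKNOWLEDGED"},
    {"detector_id": "det_B", "id": "alert_3", "state": "ACTIVE"},
], "total_alerts": 3, "detectorType": "windows"})
```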
Get findings
The Get findings API returns findings based on detector attributes.
Parameters
You can specify the following parameters when getting findings.
Parameter | Description |
---|---|
detector_id | The ID of the detector used to fetch findings. Optional. |
detectorType | The type of detector used to fetch findings. Optional. |
sortOrder | The order used to sort the list of findings. Possible values are asc or desc. Optional. |
size | An optional limit on the maximum number of results returned in the response. Optional. |
startIndex | The pagination indicator. Optional. |
detectionType | The type of detection rule that determines how findings are retrieved. When the detection type is threat, threat intelligence feeds are fetched. When the detection type is rule, findings are fetched based on the detector's rules. Optional. |
severity | The severity of the detector rule used to fetch findings. The severity can be critical, high, medium, or low. Optional. |
Example request
GET /_plugins/_security_analytics/findings/_search
Example response
{
"total_findings": 2,
"findings": [
{
"detectorId": "b9ZN040Bjlggkcgx1d1W",
"id": "35efb736-c5d9-499d-b9b5-31f0a7d61251",
"related_doc_ids": [
"1"
],
"index": "smallidx",
"queries": [
{
"id": "QdZN040Bjlggkcgxdd3X",
"name": "QdZN040Bjlggkcgxdd3X",
"fields": [],
"query": "field1: *value1*",
"tags": [
"high",
"ad_ldap"
]
}
],
"timestamp": 1708647166500,
"document_list": [
{
"index": "smallidx",
"id": "1",
"found": true,
"document": "{\n \"field1\": \"value1\"\n}\n"
}
]
},
{
"detectorId": "O9ZM040Bjlggkcgx6N1S",
"id": "a5022930-4503-4ca8-bf0a-320a2b1fb433",
"related_doc_ids": [
"1"
],
"index": "smallidx",
"queries": [
{
"id": "KtZM040Bjlggkcgxkd04",
"name": "KtZM040Bjlggkcgxkd04",
"fields": [],
"query": "field1: *value1*",
"tags": [
"critical",
"ad_ldap"
]
}
],
"timestamp": 1708647166500,
"document_list": [
{
"index": "smallidx",
"id": "1",
"found": true,
"document": "{\n \"field1\": \"value1\"\n}\n"
}
]
}
]
}
Example request
GET /_plugins/_security_analytics/findings/_search?severity=high
Example response
{
"total_findings": 1,
"findings": [
{
"detectorId": "b9ZN040Bjlggkcgx1d1W",
"id": "35efb736-c5d9-499d-b9b5-31f0a7d61251",
"related_doc_ids": [
"1"
],
"index": "smallidx",
"queries": [
{
"id": "QdZN040Bjlggkcgxdd3X",
"name": "QdZN040Bjlggkcgxdd3X",
"fields": [],
"query": "field1: *value1*",
"tags": [
"high",
"ad_ldap"
]
}
],
"timestamp": 1708647166500,
"document_list": [
{
"index": "smallidx",
"id": "1",
"found": true,
"document": "{\n \"field1\": \"value1\"\n}\n"
}
]
}
]
}
Example request
GET /_plugins/_security_analytics/findings/_search?detectionType=rule
Example response
{
"total_findings": 2,
"findings": [
{
"detectorId": "b9ZN040Bjlggkcgx1d1W",
"id": "35efb736-c5d9-499d-b9b5-31f0a7d61251",
"related_doc_ids": [
"1"
],
"index": "smallidx",
"queries": [
{
"id": "QdZN040Bjlggkcgxdd3X",
"name": "QdZN040Bjlggkcgxdd3X",
"fields": [],
"query": "field1: *value1*",
"tags": [
"high",
"ad_ldap"
]
}
],
"timestamp": 1708647166500,
"document_list": [
{
"index": "smallidx",
"id": "1",
"found": true,
"document": "{\n \"field1\": \"value1\"\n}\n"
}
]
},
{
"detectorId": "O9ZM040Bjlggkcgx6N1S",
"id": "a5022930-4503-4ca8-bf0a-320a2b1fb433",
"related_doc_ids": [
"1"
],
"index": "smallidx",
"queries": [
{
"id": "KtZM040Bjlggkcgxkd04",
"name": "KtZM040Bjlggkcgxkd04",
"fields": [],
"query": "field1: *value1*",
"tags": [
"critical",
"ad_ldap"
]
}
],
"timestamp": 1708647166500,
"document_list": [
{
"index": "smallidx",
"id": "1",
"found": true,
"document": "{\n \"field1\": \"value1\"\n}\n"
}
]
}
]
}
Example request
GET /_plugins/_security_analytics/findings/_search?detectionType=rule&severity=high
Example response
{
"total_findings": 1,
"findings": [
{
"detectorId": "b9ZN040Bjlggkcgx1d1W",
"id": "35efb736-c5d9-499d-b9b5-31f0a7d61251",
"related_doc_ids": [
"1"
],
"index": "smallidx",
"queries": [
{
"id": "QdZN040Bjlggkcgxdd3X",
"name": "QdZN040Bjlggkcgxdd3X",
"fields": [],
"query": "field1: *value1*",
"tags": [
"high",
"ad_ldap"
]
}
],
"timestamp": 1708647166500,
"document_list": [
{
"index": "smallidx",
"id": "1",
"found": true,
"document": "{\n \"field1\": \"value1\"\n}\n"
}
]
}
]
}
Example request
GET /_plugins/_security_analytics/findings/_search?detectorType=
Example response
{
"total_findings":2,
"findings":[
{
"detectorId":"12345",
"id":"2b9663f4-ae77-4df8-b84f-688a0195723b",
"related_doc_ids":[
"5"
],
"index":"sbwhrzgdlg",
"queries":[
{
"id":"f1bff160-587b-4500-b60c-ab22c7abc652",
"name":"3",
"query":"test_field:\"us-west-2\"",
"tags":[
]
}
],
"timestamp":1664401088804,
"document_list":[
{
"index":"sbwhrzgdlg",
"id":"5",
"found":true,
"document":"{\n \"message\" : \"This is an error from IAD region\",\n \"test_strict_date_time\" : \"2022-09-28T21:38:02.888Z\",\n \"test_field\" : \"us-west-2\"\n }"
}
]
},
{
"detectorId":"12345",
"id":"f43a2701-0ef5-4931-8254-bdf510f73952",
"related_doc_ids":[
"1"
],
"index":"sbwhrzgdlg",
"queries":[
{
"id":"f1bff160-587b-4500-b60c-ab22c7abc652",
"name":"3",
"query":"test_field:\"us-west-2\"",
"tags":[
]
}
],
"timestamp":1664401088746,
"document_list":[
{
"index":"sbwhrzgdlg",
"id":"1",
"found":true,
"document":"{\n \"message\" : \"This is an error from IAD region\",\n \"test_strict_date_time\" : \"2022-09-28T21:38:02.888Z\",\n \"test_field\" : \"us-west-2\"\n }"
}
]
}
]
}
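Two details of the findings responses above trip up consumers: the matched document is a JSON string nested inside the JSON response (so it has to be decoded a second time, and only when found is true), and the rule severity is carried as one of the query's tags, which can be empty. The following is an added example, not part of the original documentation or the plugin's own code, that flattens a findings response into per-document records and filters or tallies them by severity. The ids in the sample are constructed placeholders modelled on the page's responses.

```python
import json

SEVERITY_TAGS = ("critical", "high", "medium", "low")


def load_findings(response_json):
    """Flatten a findings response into one record per (query, matched document).
    The `document` field is a JSON string inside the JSON response, so it is
    decoded a second time; entries with found=false carry no document body."""
    records = []
    for f in json.loads(response_json)["findings"]:
        for q in f["queries"]:
            # severity is one of the rule's tags and may be absent entirely
            severity = next((t for t in q.get("tags", []) if t in SEVERITY_TAGS), None)
            for d in f["document_list"]:
                records.append({
                    "finding_id": f["id"], "detector_id": f["detectorId"],
                    "index": d["index"], "doc_id": d["id"],
                    "query": q["query"], "severity": severity,
                    "document": json.loads(d["document"]) if d.get("found") else None,
                })
    return records


def filter_by_severity(records, wanted):
    """Keep records whose rule severity is in `wanted` (a set of tag names)."""
    return [r for r in records if r["severity"] in wanted]


def count_by_severity(records):
    """Tally records per severity; rules without a severity tag count as 'untagged'."""
    counts = {}
    for r in records:
        key = r["severity"] or "untagged"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample (placeholder ids), shaped like the page's example responses.
SAMPLE_FINDINGS = json.dumps({"total_findings": 3, "findings": [
    {"detectorId": "det_A", "id": "f-1", "index": "smallidx",
     "queries": [{"id": "q-1", "name": "q-1", "query": "field1: *value1*", "tags": ["high", "ad_ldap"]}],
     "document_list": [{"index": "smallidx", "id": "1", "found": True,
                        "document": json.dumps({"field1": "value1"}, indent=1)}]},
    {"detectorId": "det_B", "id": "f-2", "index": "smallidx",
     "queries": [{"id": "q-2", "name": "q-2", "query": "field1: *value1*", "tags": ["critical", "ad_ldap"]}],
     "document_list": [{"index": "smallidx", "id": "1", "found": True,
                        "document": json.dumps({"field1": "value1"}, indent=1)}]},
    {"detectorId": "12345", "id": "f-3", "index": "sbwhrzgdlg",
     "queries": [{"id": "q-3", "name": "3", "query": "test_field:\"us-west-2\"", "tags": []}],
     "document_list": [{"index": "sbwhrzgdlg", "id": "5", "found": False, "document": ""}]},
]})
```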