
Alerts and Findings API

The threat intelligence Alerts and Findings API retrieves information about alerts and findings produced from threat intelligence feeds.


Get threat intelligence alerts

Retrieves any alerts related to threat intelligence monitors.

Endpoint

GET /_plugins/_security_analytics/threat_intel/alerts

Query parameters

You can specify the following parameters when requesting alerts. They are passed in the query string of the request, for example ?alertState=ACTIVE&size=10.

Parameter Description
severityLevel Filters alerts by severity level. Optional.
alertState Filters alerts by state. Possible values are ACTIVE, ACKNOWLEDGED, COMPLETED, ERROR, and DELETED. Optional.
sortString The string Security Analytics uses to sort the alerts. Optional.
sortOrder The order in which the list of alerts is sorted. Possible values are asc and desc. Optional.
missing A list of fields for which no alias mapping was found. Optional.
size The maximum number of results to return in the response. Optional.
startIndex The pagination indicator. Optional.
searchString The alert attributes you want to include in the search. Optional.

Example request

GET /_plugins/_security_analytics/threat_intel/alerts

Example response

{
    "alerts": [{
      "id": "906669ee-56e8-4f40-a12f-ab4c274d7521",
      "version": 1,
      "schema_version": 0,
      "seq_no": 0,
      "primary_term": 1,
      "trigger_id": "regwarg",
      "trigger_name": "regwarg",
      "state": "ACTIVE",
      "error_message": null,
      "ioc_value": "example-has00001",
      "ioc_type": "hashes",
      "severity": "high",
      "finding_ids": [
        "a9c10094-6139-42b3-81a8-867dffbe381d"
      ],
      "acknowledged_time": 1722038395105,
      "last_updated_time": null,
      "start_time": 1722038395105,
      "end_time": null
    }],
    "total_alerts": 1
}

Response body fields

A threat intelligence alert can be in one of the following states.

State Description
ACTIVE The alert is ongoing and has not been acknowledged. It stays in this state until it is acknowledged, the trigger associated with it is deleted, or the threat intelligence monitor is deleted entirely.
ACKNOWLEDGED The alert has been acknowledged, but its root cause has not yet been addressed.
COMPLETED The alert is no longer ongoing. An alert enters this state after the corresponding trigger evaluates to false.
DELETED The alert's monitor or trigger was deleted while the alert was active.

Update alert status API

Updates the status of the specified alerts to ACKNOWLEDGED or COMPLETED. Only alerts in the ACTIVE state can be updated. The response lists the alerts that were changed under updated_alerts and any errors under failure_messages, so check both rather than assuming every requested ID was updated.

Endpoint

PUT /_plugins/_security_analytics/threat_intel/alerts/status

Example request

The following example updates the status of the specified alerts to ACKNOWLEDGED. The alert IDs are passed as a comma-separated list in the alert_ids parameter:

PUT /_plugins/_security_analytics/threat_intel/alerts/status?state=ACKNOWLEDGED&alert_ids=<alert-id>,<alert-id>

The following example updates the status of the specified alerts to COMPLETED:

PUT /_plugins/_security_analytics/threat_intel/alerts/status?state=COMPLETED&alert_ids=<alert-id>,<alert-id>

Example response

{
  "updated_alerts": [
    {
      "id": "906669ee-56e8-4f40-a12f-ab4c274d7521",
      "version": 1,
      "schema_version": 0,
      "seq_no": 2,
      "primary_term": 1,
      "trigger_id": "regwarg",
      "trigger_name": "regwarg",
      "state": "ACKNOWLEDGED",
      "error_message": null,
      "ioc_value": "example-has00001",
      "ioc_type": "hashes",
      "severity": "high",
      "finding_ids": [
        "a9c10094-6139-42b3-81a8-867dffbe381d"
      ],
      "acknowledged_time": 1722039091209,
      "last_updated_time": 1722039091209,
      "start_time": 1722038395105,
      "end_time": null
    },
    {
      "id": "56e8-4f40-a12f-ab4c274d7521-906669ee",
      "version": 1,
      "schema_version": 0,
      "seq_no": 2,
      "primary_term": 1,
      "trigger_id": "regwarg",
      "trigger_name": "regwarg",
      "state": "ACKNOWLEDGED",
      "error_message": null,
      "ioc_value": "example-has00001",
      "ioc_type": "hashes",
      "severity": "high",
      "finding_ids": [
        "a9c10094-6139-42b3-81a8-867dffbe381d"
      ],
      "acknowledged_time": 1722039091209,
      "last_updated_time": 1722039091209,
      "start_time": 1722038395105,
      "end_time": null
    }
  ],
  "failure_messages": []
}
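The two APIs above form a triage loop: list the alerts that match a filter, then move the ACTIVE ones to ACKNOWLEDGED or COMPLETED. The Python module below is an added example, not code from the OpenSearch documentation or the Security Analytics plugin. It assumes only the endpoints and parameters shown on this page; the HTTP transport is injected, so the demo at the bottom runs offline against constructed sample alerts served by a fake transport (the alert IDs other than the one from the page's response, the fake transport, and the http_transport wrapper are all assumptions of the example).

```python
"""Triage helper for the threat intelligence alerts API.

Added example, not from the OpenSearch documentation or plugin source. It assumes the
endpoints shown on this page; the transport is injected so the demo at the bottom runs
offline against constructed responses.
"""
import json
import urllib.parse
import urllib.request

ALERTS_PATH = "/_plugins/_security_analytics/threat_intel/alerts"
STATUS_PATH = "/_plugins/_security_analytics/threat_intel/alerts/status"
ALERT_STATES = {"ACTIVE", "ACKNOWLEDGED", "COMPLETED", "ERROR", "DELETED"}
TARGET_STATES = {"ACKNOWLEDGED", "COMPLETED"}  # the only states the update API accepts


def http_transport(base_url, method, path, query=None):
    """Real transport for a live cluster: bind base_url with functools.partial."""
    url = base_url.rstrip("/") + path
    if query:  # safe="," keeps alert_ids as a plain comma-separated list
        url += "?" + urllib.parse.urlencode(query, safe=",")
    with urllib.request.urlopen(urllib.request.Request(url, method=method)) as resp:
        return json.load(resp)


def list_alerts(transport, state=None, severity=None, sort_order=None, size=None, start_index=None):
    """GET alerts, rejecting filter values the API does not define before sending them."""
    query = {}
    if state is not None:
        if state not in ALERT_STATES:
            raise ValueError(f"unknown alertState {state!r}")
        query["alertState"] = state
    if severity is not None:
        query["severityLevel"] = severity
    if sort_order is not None:
        if sort_order not in ("asc", "desc"):
            raise ValueError("sortOrder must be asc or desc")
        query["sortOrder"] = sort_order
    for name, value in (("size", size), ("startIndex", start_index)):
        if value is not None:
            query[name] = int(value)
    body = transport("GET", ALERTS_PATH, query)
    return body.get("alerts", []), body.get("total_alerts", 0)


def update_alert_state(transport, alerts, target_state):
    """PUT target_state for the ACTIVE alerts only (others cannot be updated) and report."""
    if target_state not in TARGET_STATES:
        raise ValueError(f"state must be one of {sorted(TARGET_STATES)}")
    active = [a["id"] for a in alerts if a["state"] == "ACTIVE"]
    skipped = [a["id"] for a in alerts if a["state"] != "ACTIVE"]
    if not active:
        return {"updated": [], "failed": [], "skipped": skipped}
    body = transport("PUT", STATUS_PATH, {"state": target_state, "alert_ids": ",".join(active)})
    # Count an alert as updated only if the server echoes it back in the requested state.
    updated = [a["id"] for a in body.get("updated_alerts", []) if a.get("state") == target_state]
    return {"updated": updated, "failed": body.get("failure_messages", []), "skipped": skipped}


def acknowledge_active_high(transport):
    """Typical triage step: acknowledge every ACTIVE high-severity alert."""
    alerts, total = list_alerts(transport, state="ACTIVE", severity="high")
    result = update_alert_state(transport, alerts, "ACKNOWLEDGED")
    result["matched"] = total
    return result


# Constructed sample alerts shaped like the page's example response (not real data).
SAMPLE_ALERTS = [
    {"id": "906669ee-56e8-4f40-a12f-ab4c274d7521", "state": "ACTIVE", "severity": "high",
     "ioc_value": "example-has00001", "ioc_type": "hashes",
     "finding_ids": ["a9c10094-6139-42b3-81a8-867dffbe381d"]},
    {"id": "2fd1b0e4-0000-4000-8000-000000000002", "state": "ACKNOWLEDGED", "severity": "high",
     "ioc_value": "example-has00001", "ioc_type": "hashes", "finding_ids": []},
    {"id": "7a9c3e11-0000-4000-8000-000000000003", "state": "ACTIVE", "severity": "low",
     "ioc_value": "example-has00002", "ioc_type": "hashes", "finding_ids": []},
]


def fake_transport(method, path, query=None):
    """Offline stand-in for http_transport that answers from SAMPLE_ALERTS."""
    query = query or {}
    if method == "GET" and path == ALERTS_PATH:
        hits = [a for a in SAMPLE_ALERTS
                if query.get("alertState", a["state"]) == a["state"]
                and query.get("severityLevel", a["severity"]) == a["severity"]]
        return {"alerts": hits, "total_alerts": len(hits)}
    if method == "PUT" and path == STATUS_PATH:
        wanted = set(query["alert_ids"].split(","))
        updated = [dict(a, state=query["state"]) for a in SAMPLE_ALERTS
                   if a["id"] in wanted and a["state"] == "ACTIVE"]
        return {"updated_alerts": updated, "failure_messages": []}
    raise RuntimeError(f"unexpected request {method} {path}")


if __name__ == "__main__":
    print(json.dumps(acknowledge_active_high(fake_transport), indent=2))
```

Against a live cluster, bind the URL with functools.partial(http_transport, "https://localhost:9200") and pass that in place of fake_transport; the wrapper does not add the authentication headers the Security plugin normally requires, so extend it for your deployment. The client-side filtering on ACTIVE mirrors the API's own rule and keeps non-updatable IDs out of the request, while the result is taken from updated_alerts in the response rather than from the list of IDs sent.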

Get findings

Returns threat intelligence indicator of compromise (IOC) findings. A finding is generated automatically when a threat intelligence monitor detects a malicious IOC while scanning data. Each finding records the matched IOC value and type, the feed it came from, the monitor that produced it, and the related document IDs.

Endpoint

GET /_plugins/_security_analytics/threat_intel/findings/_search

Query parameters

Parameter Description
sortString The string Security Analytics uses to sort the findings. Optional.
sortOrder The order in which the list of findings is sorted. Possible values are asc and desc. Optional.
missing A list of fields for which no alias mapping was found. Optional.
size The maximum number of results to return in the response. Optional.
startIndex The pagination indicator. Optional.
searchString The finding attributes you want to include in the search. Optional.

Example request

The following request returns at most three findings. Note that total_findings in the response still reports how many findings matched in total, so use startIndex to page through the remainder.

GET /_plugins/_security_analytics/threat_intel/findings/_search?size=3

Example response
{
  "total_findings": 10,
  "ioc_findings": [
    {
      "id": "a9c10094-6139-42b3-81a8-867dffbe381d",
      "related_doc_ids": [
        "Ccp88ZAB1vBjq44wmTEu:windows"
      ],
      "ioc_feed_ids": [
        {
          "ioc_id": "2",
          "feed_id": "Bsp88ZAB1vBjq44wiDGo",
          "feed_name": "my_custom_feed",
          "index": ""
        }
      ],
      "monitor_id": "B8p88ZAB1vBjq44wkjEy",
      "monitor_name": "Threat intelligence monitor",
      "ioc_value": "example-has00001",
      "ioc_type": "hashes",
      "timestamp": 1722038394501,
      "execution_id": "01cae635-93dc-4f07-9e39-31076b9535d1"
    },
    {
      "id": "8d87aee0-aaa4-4c12-b4e2-b4b1f4ec80f9",
      "related_doc_ids": [
        "GsqI8ZAB1vBjq44wXTHa:windows"
      ],
      "ioc_feed_ids": [
        {
          "ioc_id": "2",
          "feed_id": "Bsp88ZAB1vBjq44wiDGo",
          "feed_name": "my_custom_feed",
          "index": ""
        }
      ],
      "monitor_id": "B8p88ZAB1vBjq44wkjEy",
      "monitor_name": "Threat intelligence monitor",
      "ioc_value": "example-has00001",
      "ioc_type": "hashes",
      "timestamp": 1722039165824,
      "execution_id": "54899e32-aeeb-401e-a031-b1728772f0aa"
    },
    {
      "id": "2419f624-ba1a-4873-978c-760183b449b7",
      "related_doc_ids": [
        "H8qI8ZAB1vBjq44woDHU:windows"
      ],
      "ioc_feed_ids": [
        {
          "ioc_id": "2",
          "feed_id": "Bsp88ZAB1vBjq44wiDGo",
          "feed_name": "my_custom_feed",
          "index": ""
        }
      ],
      "monitor_id": "B8p88ZAB1vBjq44wkjEy",
      "monitor_name": "Threat intelligence monitor",
      "ioc_value": "example-has00001",
      "ioc_type": "hashes",
      "timestamp": 1722039182616,
      "execution_id": "32ad2544-4b8b-4c9b-b2b4-2ba6d31ece12"
    }
  ]
}
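Alerts reference findings through finding_ids, and findings carry the related_doc_ids and feed details needed to pivot from an alert into the scanned data. The Python module below is an added example, not code from the OpenSearch documentation or the plugin: it pages through the findings endpoint with size and startIndex until total_findings is exhausted, then joins the findings back to alerts by finding ID, grouped by IOC value. It assumes that startIndex is a zero-based offset and that each related_doc_ids entry has the form <document id>:<index name> (the page shows Ccp88ZAB1vBjq44wmTEu:windows but does not define the layout); the sample findings beyond the three on this page, the sample alerts, and the fake server are constructed data.

```python
"""Page through threat intelligence findings and join them back to alerts.

Added example, not from the OpenSearch documentation or plugin source. Assumptions:
the findings endpoint shown on this page, that startIndex is a zero-based offset, and
that a related_doc_ids entry is "<document id>:<index name>" (the page shows
"Ccp88ZAB1vBjq44wmTEu:windows" without defining the layout). The transport is
injected so the demo runs offline against constructed findings.
"""
FINDINGS_PATH = "/_plugins/_security_analytics/threat_intel/findings/_search"


def iter_findings(transport, page_size=100):
    """Yield every finding, advancing startIndex by the page size until total_findings is reached."""
    offset = 0
    while True:
        body = transport("GET", FINDINGS_PATH, {"size": page_size, "startIndex": offset})
        page = body.get("ioc_findings", [])
        if not page:
            return  # stop on an empty page even if total_findings was overstated
        yield from page
        offset += len(page)
        if offset >= body.get("total_findings", 0):
            return


def split_doc_ref(ref):
    """Split a related_doc_ids entry into (doc_id, index); index is None when absent.
    The "<doc id>:<index>" layout is an assumption, see the module docstring."""
    doc_id, sep, index = ref.partition(":")
    return doc_id, (index if sep else None)


def correlate(alerts, findings):
    """Group alerts by IOC value and resolve finding_ids to (doc_id, index) pairs.
    Unknown finding IDs are reported under missing_findings, not silently dropped."""
    by_id = {f["id"]: f for f in findings}
    report = {}
    for alert in alerts:
        entry = report.setdefault(alert["ioc_value"], {
            "alert_ids": [], "docs": [], "feeds": set(), "missing_findings": []})
        entry["alert_ids"].append(alert["id"])
        for fid in alert.get("finding_ids", []):
            finding = by_id.get(fid)
            if finding is None:
                entry["missing_findings"].append(fid)
                continue
            entry["docs"].extend(split_doc_ref(r) for r in finding.get("related_doc_ids", []))
            entry["feeds"].update(f["feed_name"] for f in finding.get("ioc_feed_ids", []))
    return report


def triage_report(transport, alerts, page_size=100):
    """Fetch all findings through `transport` and correlate them with `alerts`."""
    return correlate(alerts, list(iter_findings(transport, page_size)))


# Constructed sample data shaped like the page's example responses (not real findings).
def _finding(fid, doc_ref, ioc_value, feed="my_custom_feed"):
    return {"id": fid, "related_doc_ids": [doc_ref], "ioc_value": ioc_value,
            "ioc_type": "hashes", "monitor_id": "B8p88ZAB1vBjq44wkjEy",
            "ioc_feed_ids": [{"ioc_id": "2", "feed_id": "Bsp88ZAB1vBjq44wiDGo",
                              "feed_name": feed, "index": ""}]}


SAMPLE_FINDINGS = [
    _finding("a9c10094-6139-42b3-81a8-867dffbe381d", "Ccp88ZAB1vBjq44wmTEu:windows", "example-has00001"),
    _finding("8d87aee0-aaa4-4c12-b4e2-b4b1f4ec80f9", "GsqI8ZAB1vBjq44wXTHa:windows", "example-has00001"),
    _finding("2419f624-ba1a-4873-978c-760183b449b7", "H8qI8ZAB1vBjq44woDHU:windows", "example-has00001"),
    _finding("c0ffee00-0000-4000-8000-000000000004", "doc-a:linux", "example-has00002", feed="second_feed"),
    _finding("c0ffee00-0000-4000-8000-000000000005", "doc-b", "example-has00002"),
]
SAMPLE_ALERTS = [
    {"id": "906669ee-56e8-4f40-a12f-ab4c274d7521", "ioc_value": "example-has00001",
     "finding_ids": ["a9c10094-6139-42b3-81a8-867dffbe381d", "8d87aee0-aaa4-4c12-b4e2-b4b1f4ec80f9",
                     "00000000-0000-4000-8000-000000000000"]},  # last ID deliberately unknown
    {"id": "4b1d0c7e-0000-4000-8000-000000000009", "ioc_value": "example-has00002",
     "finding_ids": ["c0ffee00-0000-4000-8000-000000000004", "c0ffee00-0000-4000-8000-000000000005"]},
]


class FakeFindingsServer:
    """Offline stand-in for the findings endpoint with size/startIndex paging."""
    def __init__(self, findings):
        self.findings = findings
        self.calls = 0  # lets a caller confirm how many pages were fetched

    def __call__(self, method, path, query=None):
        if method != "GET" or path != FINDINGS_PATH:
            raise RuntimeError(f"unexpected request {method} {path}")
        self.calls += 1
        start, size = int(query.get("startIndex", 0)), int(query.get("size", 10))
        return {"total_findings": len(self.findings),
                "ioc_findings": self.findings[start:start + size]}


if __name__ == "__main__":
    report = triage_report(FakeFindingsServer(SAMPLE_FINDINGS), SAMPLE_ALERTS, page_size=2)
    print(report)
```

Any callable with the signature transport(method, path, query) can replace the fake server, for example a thin urllib wrapper that appends the query string to the cluster URL and returns the parsed JSON body. The pagination loop stops on an empty page as well as on reaching total_findings, so a server that overstates the total cannot keep it spinning, and finding IDs that no longer resolve are surfaced under missing_findings, which is the case to check when an alert outlives the findings it was raised on.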