Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add Threat Intelligence Section #7905

Merged
merged 54 commits into from
Aug 7, 2024
Merged

Add Threat Intelligence Section #7905

Show file tree
Hide file tree
Changes from 44 commits
Commits
Show all changes
54 commits
Select commit Hold shift + click to select a range
d004861
added threat intel source apis for create delete get search operations
eirsep Jul 26, 2024
053a4a1
add threat intel findings and alerts APIs
eirsep Jul 27, 2024
4b86238
Update _security-analytics/api-tools/threat-intel/threat-intel-source.md
eirsep Jul 27, 2024
db61dbc
Update _security-analytics/api-tools/threat-intel/threat-intel-source.md
eirsep Jul 27, 2024
674b1d8
Update _security-analytics/api-tools/threat-intel/threat-intel-source.md
eirsep Jul 27, 2024
08dd633
Update _security-analytics/api-tools/threat-intel/threat-intel-source.md
eirsep Jul 27, 2024
757d97c
Update _security-analytics/api-tools/threat-intel/threat-intel-source.md
eirsep Jul 27, 2024
56a1579
Update _security-analytics/api-tools/threat-intel/threat-intel-source.md
eirsep Jul 27, 2024
209ce29
Update _security-analytics/api-tools/threat-intel/threat-intel-source.md
eirsep Jul 27, 2024
8061ff3
Update _security-analytics/api-tools/threat-intel/threat-intel-source.md
eirsep Jul 27, 2024
3ac502b
change the word intel to intelligence across files
eirsep Jul 29, 2024
02f49eb
threat intel monitors apis
eirsep Jul 29, 2024
e3d7111
add threat intelligence analytics overview documentation
eirsep Jul 30, 2024
f8efffc
adds threat intel iocs example file for S3 or local file upload
eirsep Aug 1, 2024
40b13a5
Merge branch 'main' into threat-intel
Naarcha-AWS Aug 5, 2024
bbd772a
Edit alert-findings page
Naarcha-AWS Aug 5, 2024
b7e4ec1
Edit and streamline monitor APIs
Naarcha-AWS Aug 5, 2024
b18e865
Update source API.
Naarcha-AWS Aug 5, 2024
19acc65
Add threat intelligence directory and default pages
Naarcha-AWS Aug 5, 2024
fb8605e
Fix broken link.
Naarcha-AWS Aug 5, 2024
e23989a
Fix metadata.
Naarcha-AWS Aug 5, 2024
cb059c8
Fix parent relationship
Naarcha-AWS Aug 5, 2024
42629f9
Add UI text
Naarcha-AWS Aug 6, 2024
4f9f595
Add additional info about Threat intel view
Naarcha-AWS Aug 6, 2024
7a3032e
Fix capitalization. Add more consistent formatting
Naarcha-AWS Aug 6, 2024
d0e3980
Delete redundant file
Naarcha-AWS Aug 6, 2024
beee133
Add example link
Naarcha-AWS Aug 6, 2024
700a4b0
Apply suggestions from code review
Naarcha-AWS Aug 6, 2024
c9d8726
A couple more typo fixes.
Naarcha-AWS Aug 6, 2024
c5a9b23
Fix title
Naarcha-AWS Aug 6, 2024
f601649
Update _security-analytics/threat-intelligence/api/monitor.md
Naarcha-AWS Aug 6, 2024
eab43f5
Update _security-analytics/threat-intelligence/api/monitor.md
Naarcha-AWS Aug 6, 2024
7573c99
Apply suggestions from code review
Naarcha-AWS Aug 6, 2024
e0c91e1
Delete redundant section.
Naarcha-AWS Aug 6, 2024
f80808d
Apply suggestions from code review
Naarcha-AWS Aug 6, 2024
a304696
Update _security-analytics/threat-intelligence/api/source.md
Naarcha-AWS Aug 6, 2024
465406f
Apply suggestions from code review
Naarcha-AWS Aug 6, 2024
234da29
Apply suggestions from code review
Naarcha-AWS Aug 6, 2024
b77b76f
Apply suggestions from code review
Naarcha-AWS Aug 6, 2024
a9acd73
Apply suggestions from code review
Naarcha-AWS Aug 6, 2024
ea96af4
Fix IOC acryonym to be in line with AWS
Naarcha-AWS Aug 6, 2024
338523c
Fix remaining typos
Naarcha-AWS Aug 6, 2024
7b7db2e
Fix example link
Naarcha-AWS Aug 6, 2024
87215f0
Apply suggestions from code review
Naarcha-AWS Aug 6, 2024
e49f0ae
Apply suggestions from code review
Naarcha-AWS Aug 7, 2024
8e952f0
Apply suggestions from code review
Naarcha-AWS Aug 7, 2024
1005bef
Apply suggestions from code review
Naarcha-AWS Aug 7, 2024
e31ed20
Update _security-analytics/threat-intelligence/index.md
Naarcha-AWS Aug 7, 2024
252e227
Update _security-analytics/threat-intelligence/api/findings.md
Naarcha-AWS Aug 7, 2024
8443833
Update _security-analytics/threat-intelligence/api/monitor.md
Naarcha-AWS Aug 7, 2024
2cca1de
Update _security-analytics/threat-intelligence/api/source.md
Naarcha-AWS Aug 7, 2024
ba1c836
Update _security-analytics/threat-intelligence/api/source.md
Naarcha-AWS Aug 7, 2024
9849edd
Apply suggestions from code review
Naarcha-AWS Aug 7, 2024
d88d3ff
Fix header
Naarcha-AWS Aug 7, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
267 changes: 267 additions & 0 deletions _security-analytics/threat-intelligence/api/findings.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,267 @@
---
layout: default
title: Alerts and Findings API
parent: Threat intelligence APIs
grand_parent: Threat intelligence
nav_order: 50
---


# Alerts and Findings API

Check failure on line 10 in _security-analytics/threat-intelligence/api/findings.md

View workflow job for this annotation

GitHub Actions / vale

[vale] _security-analytics/threat-intelligence/api/findings.md#L10 

[OpenSearch.HeadingCapitalization] 'Alerts and Findings API' is a heading and should be in sentence case.
Raw output 
{"message": "[OpenSearch.HeadingCapitalization] 'Alerts and Findings API' is a heading and should be in sentence case.", "location": {"path": "_security-analytics/threat-intelligence/api/findings.md", "range": {"start": {"line": 10, "column": 3}}}, "severity": "ERROR"}

The threat intelligence Alerts and Findings API retrieves information about alerts and findings found in threat intelligence feeds.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
The threat intelligence Alerts and Findings API retrieves information about alerts and findings found in threat intelligence feeds.
The threat intelligence Alerts and Findings API retrieves information about alerts and findings from threat intelligence feeds.



---

## Get threat intelligence alerts

Retrieves any alerts related to threat intelligence monitors.

### Path and HTTP methods

```json
GET /_plugins/_security_analytics/threat_intel/alerts
```
{% include copy-curl.html %}


### Path parameters

You can specify the following parameters when requesting an alert.

Parameter | Description
:--- | :----
`severityLevel` | Filter alerts by severity level. Optional.
`alertState` | Used to filter by alert state. Possible values are `ACTIVE`, `ACKNOWLEDGED`, `COMPLETED`, `ERROR`, or `DELETED`. Optional.
`sortString` | The string Security Analytics uses to sort the alerts. Optional.
`sortOrder` | The order used to sort the list of alerts. Possible values are `asc` or `desc`. Optional.
`missing` | A list of fields for which no alias mappings are found. Optional.
Naarcha-AWS marked this conversation as resolved.
Show resolved Hide resolved
`size` | An optional limit for the maximum number of results returned in the response. Optional.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
`size` | An optional limit for the maximum number of results returned in the response. Optional.
`size` | An optional maximum number of results to be returned in the response. Optional.

`startIndex` | The pagination indicator. Optional.
`searchString` | The alert attribute you want returned in the search. Optional.

### Example request
Naarcha-AWS marked this conversation as resolved.
Show resolved Hide resolved

```json
GET /_plugins/_security_analytics/threat_intel/alerts
```
{% include copy-curl.html %}

### Example response

```json
{
"alerts": [{
"id": "906669ee-56e8-4f40-a12f-ab4c274d7521",
"version": 1,
"schema_version": 0,
"seq_no": 0,
"primary_term": 1,
"trigger_id": "regwarg",
"trigger_name": "regwarg",
"state": "ACTIVE",
"error_message": null,
"ioc_value": "example-has00001",
"ioc_type": "hashes",
"severity": "high",
"finding_ids": [
"a9c10094-6139-42b3-81a8-867dffbe381d"
],
"acknowledged_time": 1722038395105,
"last_updated_time": null,
"start_time": 1722038395105,
"end_time": null
}],
"total_alerts": 1
}
```

### Response fields

Threat intelligence alerts can have one of the following states.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Threat intelligence alerts can have one of the following states.
A threat intelligence alert can have one of the following states.


| State | Description |
| :---- | :--- |
| `ACTIVE` | The alert is ongoing and unacknowledged. Alerts remain in this state until they are acknowledged, the trigger associated with the alert is deleted, or the threat intelligence monitor is deleted entirely. |
| `ACKNOWLEDGED` | The alert is acknowledged but the root cause of the alert has not been addressed. |
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
| `ACKNOWLEDGED` | The alert is acknowledged but the root cause of the alert has not been addressed. |
| `ACKNOWLEDGED` | The alert is acknowledged, but the root cause of the alert has not been addressed. |

| `COMPLETED` | The alert is no longer ongoing. Alerts enter this state after the corresponding trigger evaluates to `false`. |
| `DELETED` | The monitor or trigger for the alert was deleted while the alert was active. |

---

## Update alerts status API
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
## Update alerts status API
## Update Alerts Status API


Updates the status of the specified alerts to `ACKNOWLEDGED` or `COMPLETED`. Only alerts in the `ACTIVE` state can be updated.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Updates the status of the specified alerts to `ACKNOWLEDGED` or `COMPLETED`. Only alerts in the `ACTIVE` state can be updated.
Updates the status of the specified alerts to `ACKNOWLEDGED` or `COMPLETED`. Only alerts in the `ACTIVE` state can be updated.


## Path and HTTP methods
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
## Path and HTTP methods
### Path and HTTP methods


```json
PUT /plugins/security_analytics/threat_intel/alerts/status
```

### Example requests

The following example updates status of the specified alerts to `ACKNOWLEDGED`:
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
The following example updates status of the specified alerts to `ACKNOWLEDGED`:
The following example updates the status of the specified alerts to `ACKNOWLEDGED`:


```json
PUT /plugins/security_analytics/threat_intel/alerts/status?state=ACKNOWLEDGED&alert_ids=<alert-id>,<alert-id>
```

The following example updates status of the specified alerts to `COMPLETED`:
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
The following example updates status of the specified alerts to `COMPLETED`:
The following example updates the status of the specified alerts to `COMPLETED`:


```json
PUT /plugins/security_analytics/threat_intel/alerts/status?state=COMPLETED&alert_ids=alert_ids=<alert-id>,<alert-id>
```

### Example response

```json
{
"updated_alerts": [
{
"id": "906669ee-56e8-4f40-a12f-ab4c274d7521",
"version": 1,
"schema_version": 0,
"seq_no": 2,
"primary_term": 1,
"trigger_id": "regwarg",
"trigger_name": "regwarg",
"state": "ACKNOWLEDGED",
"error_message": null,
"ioc_value": "example-has00001",
"ioc_type": "hashes",
"severity": "high",
"finding_ids": [
"a9c10094-6139-42b3-81a8-867dffbe381d"
],
"acknowledged_time": 1722039091209,
"last_updated_time": 1722039091209,
"start_time": 1722038395105,
"end_time": null
},
{
"id": "56e8-4f40-a12f-ab4c274d7521-906669ee",
"version": 1,
"schema_version": 0,
"seq_no": 2,
"primary_term": 1,
"trigger_id": "regwarg",
"trigger_name": "regwarg",
"state": "ACKNOWLEDGED",
"error_message": null,
"ioc_value": "example-has00001",
"ioc_type": "hashes",
"severity": "high",
"finding_ids": [
"a9c10094-6139-42b3-81a8-867dffbe381d"
],
"acknowledged_time": 1722039091209,
"last_updated_time": 1722039091209,
"start_time": 1722038395105,
"end_time": null
}
],
"failure_messages": []
}
```



---

## Get findings

Returns threat intelligence Indicators of compromise (IOCs) findings. When the threat intelligence monitor finds a malicious IoC during a data scan, a finding is automatically added to the threat intelligence feed.
Naarcha-AWS marked this conversation as resolved.
Show resolved Hide resolved
Naarcha-AWS marked this conversation as resolved.
Show resolved Hide resolved

### Path and HTTP method
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
### Path and HTTP method
### Path and HTTP methods


Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Even if there's only one, please leave the template heading as is.

```json
GET /_plugins/_security_analytics/threat_intel/findings/
```

### Path parameters

| Parameter | Description |
|:---------------|:--------------------------------------------------------------------------------------------|
| `sortString` | Specifies which string Security Analytics uses to sort the alerts. Optional. |
| `sortOrder` | The order used to sort the list of findings. Possible values are `asc` or `desc`. Optional. |
| `missing` | A list of fields for which there are no found alias mappings. Optional. |
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
| `missing` | A list of fields for which there are no found alias mappings. Optional. |
| `missing` | A list of fields for which there were no alias mappings found. Optional. |

| `size` | An optional limit for the maximum number of results returned in the response. Optional. |
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"Optional" is mentioned in the description twice.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@eirsep @amsiglan
The max size that can be returned is 10,000, correct? Should we call that out?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes

Naarcha-AWS marked this conversation as resolved.
Show resolved Hide resolved
| `startIndex` | The pagination indicator. Optional. |
| `searchString` | The alert attribute you want returned in the search. Optional. |

### Example request

```json
GET /_plugins/_security_analytics/threat_intel/findings/_search?size=3
```

```json
{
"total_findings": 10,
"ioc_findings": [
{
"id": "a9c10094-6139-42b3-81a8-867dffbe381d",
"related_doc_ids": [
"Ccp88ZAB1vBjq44wmTEu:windows"
],
"ioc_feed_ids": [
{
"ioc_id": "2",
"feed_id": "Bsp88ZAB1vBjq44wiDGo",
"feed_name": "my_custom_feed",
"index": ""
}
],
"monitor_id": "B8p88ZAB1vBjq44wkjEy",
"monitor_name": "Threat intelligence monitor",
"ioc_value": "example-has00001",
"ioc_type": "hashes",
"timestamp": 1722038394501,
"execution_id": "01cae635-93dc-4f07-9e39-31076b9535d1"
},
{
"id": "8d87aee0-aaa4-4c12-b4e2-b4b1f4ec80f9",
"related_doc_ids": [
"GsqI8ZAB1vBjq44wXTHa:windows"
],
"ioc_feed_ids": [
{
"ioc_id": "2",
"feed_id": "Bsp88ZAB1vBjq44wiDGo",
"feed_name": "my_custom_feed",
"index": ""
}
],
"monitor_id": "B8p88ZAB1vBjq44wkjEy",
"monitor_name": "Threat intelligence monitor",
"ioc_value": "example-has00001",
"ioc_type": "hashes",
"timestamp": 1722039165824,
"execution_id": "54899e32-aeeb-401e-a031-b1728772f0aa"
},
{
"id": "2419f624-ba1a-4873-978c-760183b449b7",
"related_doc_ids": [
"H8qI8ZAB1vBjq44woDHU:windows"
],
"ioc_feed_ids": [
{
"ioc_id": "2",
"feed_id": "Bsp88ZAB1vBjq44wiDGo",
"feed_name": "my_custom_feed",
"index": ""
}
],
"monitor_id": "B8p88ZAB1vBjq44wkjEy",
"monitor_name": "Threat intelligence monitor",
"ioc_value": "example-has00001",
"ioc_type": "hashes",
"timestamp": 1722039182616,
"execution_id": "32ad2544-4b8b-4c9b-b2b4-2ba6d31ece12"
}
]
}

```
Loading
Loading