Alerts and Findings API

The threat intelligence Alerts and Findings API retrieves information about alerts and findings from threat intelligence feeds.


Get threat intelligence alerts

Retrieves any alerts related to threat intelligence monitors.

Path and HTTP methods

  GET /_plugins/_security_analytics/threat_intel/alerts

Path parameters

You can specify the following parameters when requesting alerts.

Parameter      Description
severityLevel  Filter alerts by severity level. Optional.
alertState     Filter alerts by state. Possible values are ACTIVE, ACKNOWLEDGED, COMPLETED, ERROR, or DELETED. Optional.
sortString     The string Security Analytics uses to sort the alerts. Optional.
sortOrder      The order used to sort the list of alerts. Possible values are asc or desc. Optional.
missing        A list of fields for which no alias mappings were found. Optional.
size           The maximum number of results to be returned in the response. Optional.
startIndex     The pagination indicator. Optional.
searchString   The alert attribute you want returned in the search. Optional.

Example request

  GET /_plugins/_security_analytics/threat_intel/alerts

Example response

  {
    "alerts": [{
      "id": "906669ee-56e8-4f40-a12f-ab4c274d7521",
      "version": 1,
      "schema_version": 0,
      "seq_no": 0,
      "primary_term": 1,
      "trigger_id": "regwarg",
      "trigger_name": "regwarg",
      "state": "ACTIVE",
      "error_message": null,
      "ioc_value": "example-has00001",
      "ioc_type": "hashes",
      "severity": "high",
      "finding_ids": [
        "a9c10094-6139-42b3-81a8-867dffbe381d"
      ],
      "acknowledged_time": 1722038395105,
      "last_updated_time": null,
      "start_time": 1722038395105,
      "end_time": null
    }],
    "total_alerts": 1
  }

Response fields

The state field of a threat intelligence alert can have one of the following values.

State         Description
ACTIVE        The alert is ongoing and unacknowledged. Alerts remain in this state until they are acknowledged, the trigger associated with the alert is deleted, or the threat intelligence monitor is deleted entirely.
ACKNOWLEDGED  The alert is acknowledged, but the root cause of the alert has not been addressed.
COMPLETED     The alert is no longer ongoing. Alerts enter this state after the corresponding trigger evaluates to false.
DELETED       The monitor or trigger for the alert was deleted while the alert was active.

Update Alerts Status API

Updates the status of the specified alerts to ACKNOWLEDGED or COMPLETED. Only alerts in the ACTIVE state can be updated.

Path and HTTP methods

  PUT /_plugins/_security_analytics/threat_intel/alerts/status

Example requests

The following example updates the status of the specified alerts to ACKNOWLEDGED:

  PUT /_plugins/_security_analytics/threat_intel/alerts/status?state=ACKNOWLEDGED&alert_ids=<alert-id>,<alert-id>

The following example updates the status of the specified alerts to COMPLETED:

  PUT /_plugins/_security_analytics/threat_intel/alerts/status?state=COMPLETED&alert_ids=<alert-id>,<alert-id>

Example response

  {
    "updated_alerts": [
      {
        "id": "906669ee-56e8-4f40-a12f-ab4c274d7521",
        "version": 1,
        "schema_version": 0,
        "seq_no": 2,
        "primary_term": 1,
        "trigger_id": "regwarg",
        "trigger_name": "regwarg",
        "state": "ACKNOWLEDGED",
        "error_message": null,
        "ioc_value": "example-has00001",
        "ioc_type": "hashes",
        "severity": "high",
        "finding_ids": [
          "a9c10094-6139-42b3-81a8-867dffbe381d"
        ],
        "acknowledged_time": 1722039091209,
        "last_updated_time": 1722039091209,
        "start_time": 1722038395105,
        "end_time": null
      },
      {
        "id": "56e8-4f40-a12f-ab4c274d7521-906669ee",
        "version": 1,
        "schema_version": 0,
        "seq_no": 2,
        "primary_term": 1,
        "trigger_id": "regwarg",
        "trigger_name": "regwarg",
        "state": "ACKNOWLEDGED",
        "error_message": null,
        "ioc_value": "example-has00001",
        "ioc_type": "hashes",
        "severity": "high",
        "finding_ids": [
          "a9c10094-6139-42b3-81a8-867dffbe381d"
        ],
        "acknowledged_time": 1722039091209,
        "last_updated_time": 1722039091209,
        "start_time": 1722038395105,
        "end_time": null
      }
    ],
    "failure_messages": []
  }

Get findings

Returns threat intelligence indicator of compromise (IOC) findings. When the threat intelligence monitor finds a malicious IOC during a data scan, a finding is automatically generated.

Path and HTTP methods

  GET /_plugins/_security_analytics/threat_intel/findings/

Path parameters

Parameter     Description
sortString    Specifies which string Security Analytics uses to sort the findings. Optional.
sortOrder     The order used to sort the list of findings. Possible values are asc or desc. Optional.
missing       A list of fields for which no alias mappings were found. Optional.
size          The maximum number of results to be returned in the response. Optional.
startIndex    The pagination indicator. Optional.
searchString  The finding attribute you want returned in the search. Optional.

Example request

  GET /_plugins/_security_analytics/threat_intel/findings/_search?size=3

Example response

  {
    "total_findings": 10,
    "ioc_findings": [
      {
        "id": "a9c10094-6139-42b3-81a8-867dffbe381d",
        "related_doc_ids": [
          "Ccp88ZAB1vBjq44wmTEu:windows"
        ],
        "ioc_feed_ids": [
          {
            "ioc_id": "2",
            "feed_id": "Bsp88ZAB1vBjq44wiDGo",
            "feed_name": "my_custom_feed",
            "index": ""
          }
        ],
        "monitor_id": "B8p88ZAB1vBjq44wkjEy",
        "monitor_name": "Threat intelligence monitor",
        "ioc_value": "example-has00001",
        "ioc_type": "hashes",
        "timestamp": 1722038394501,
        "execution_id": "01cae635-93dc-4f07-9e39-31076b9535d1"
      },
      {
        "id": "8d87aee0-aaa4-4c12-b4e2-b4b1f4ec80f9",
        "related_doc_ids": [
          "GsqI8ZAB1vBjq44wXTHa:windows"
        ],
        "ioc_feed_ids": [
          {
            "ioc_id": "2",
            "feed_id": "Bsp88ZAB1vBjq44wiDGo",
            "feed_name": "my_custom_feed",
            "index": ""
          }
        ],
        "monitor_id": "B8p88ZAB1vBjq44wkjEy",
        "monitor_name": "Threat intelligence monitor",
        "ioc_value": "example-has00001",
        "ioc_type": "hashes",
        "timestamp": 1722039165824,
        "execution_id": "54899e32-aeeb-401e-a031-b1728772f0aa"
      },
      {
        "id": "2419f624-ba1a-4873-978c-760183b449b7",
        "related_doc_ids": [
          "H8qI8ZAB1vBjq44woDHU:windows"
        ],
        "ioc_feed_ids": [
          {
            "ioc_id": "2",
            "feed_id": "Bsp88ZAB1vBjq44wiDGo",
            "feed_name": "my_custom_feed",
            "index": ""
          }
        ],
        "monitor_id": "B8p88ZAB1vBjq44wkjEy",
        "monitor_name": "Threat intelligence monitor",
        "ioc_value": "example-has00001",
        "ioc_type": "hashes",
        "timestamp": 1722039182616,
        "execution_id": "32ad2544-4b8b-4c9b-b2b4-2ba6d31ece12"
      }
    ]
  }
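An alert's finding_ids point into this findings list, and each finding's related_doc_ids point at the scanned documents that matched the IOC, so the investigation pivot is alert, then findings, then source documents. The following is an added example, not code from the OpenSearch project or this page. It works offline on a response constructed in the shape shown above: the first three findings reuse the page's example values and the fourth ("constructed-0004") is made up so there is a second IOC to group separately. The reading of a related_doc_ids entry as "<document id>:<index name>" is an assumption based on the form of the page's values; the helper names are the example's own.

```python
import json
from collections import defaultdict

# Constructed sample of a GET .../threat_intel/findings/_search response. The first three
# entries copy the page's example values; the fourth is made up for a second IOC.
SAMPLE_FINDINGS_RESPONSE = json.dumps({
    "total_findings": 4,
    "ioc_findings": [
        {"id": "a9c10094-6139-42b3-81a8-867dffbe381d", "related_doc_ids": ["Ccp88ZAB1vBjq44wmTEu:windows"],
         "ioc_feed_ids": [{"ioc_id": "2", "feed_id": "Bsp88ZAB1vBjq44wiDGo", "feed_name": "my_custom_feed", "index": ""}],
         "monitor_id": "B8p88ZAB1vBjq44wkjEy", "monitor_name": "Threat intelligence monitor",
         "ioc_value": "example-has00001", "ioc_type": "hashes", "timestamp": 1722038394501,
         "execution_id": "01cae635-93dc-4f07-9e39-31076b9535d1"},
        {"id": "8d87aee0-aaa4-4c12-b4e2-b4b1f4ec80f9", "related_doc_ids": ["GsqI8ZAB1vBjq44wXTHa:windows"],
         "ioc_feed_ids": [{"ioc_id": "2", "feed_id": "Bsp88ZAB1vBjq44wiDGo", "feed_name": "my_custom_feed", "index": ""}],
         "monitor_id": "B8p88ZAB1vBjq44wkjEy", "monitor_name": "Threat intelligence monitor",
         "ioc_value": "example-has00001", "ioc_type": "hashes", "timestamp": 1722039165824,
         "execution_id": "54899e32-aeeb-401e-a031-b1728772f0aa"},
        {"id": "2419f624-ba1a-4873-978c-760183b449b7", "related_doc_ids": ["H8qI8ZAB1vBjq44woDHU:windows"],
         "ioc_feed_ids": [{"ioc_id": "2", "feed_id": "Bsp88ZAB1vBjq44wiDGo", "feed_name": "my_custom_feed", "index": ""}],
         "monitor_id": "B8p88ZAB1vBjq44wkjEy", "monitor_name": "Threat intelligence monitor",
         "ioc_value": "example-has00001", "ioc_type": "hashes", "timestamp": 1722039182616,
         "execution_id": "32ad2544-4b8b-4c9b-b2b4-2ba6d31ece12"},
        # Constructed entry: a different hash from a second (made-up) feed, matched in another index.
        {"id": "constructed-0004", "related_doc_ids": ["constructed-doc-id:linux"],
         "ioc_feed_ids": [{"ioc_id": "7", "feed_id": "constructed-feed-id", "feed_name": "second_feed", "index": ""}],
         "monitor_id": "B8p88ZAB1vBjq44wkjEy", "monitor_name": "Threat intelligence monitor",
         "ioc_value": "example-has00002", "ioc_type": "hashes", "timestamp": 1722039200000,
         "execution_id": "constructed-execution-id"},
    ],
})


def parse_related_doc_id(ref):
    """Split a related_doc_ids entry into (index, document id). The '<doc id>:<index>'
    form is an assumption from the page's values. Splitting on the last colon keeps any
    colon inside the document id intact, since OpenSearch index names cannot contain ':'."""
    doc_id, sep, index = ref.rpartition(":")
    if not sep or not doc_id or not index:
        raise ValueError(f"unexpected related_doc_ids entry: {ref!r}")
    return index, doc_id


def findings_for_alert(findings_response, alert_finding_ids):
    """Select the findings an alert's finding_ids refer to."""
    wanted = set(alert_finding_ids)
    body = json.loads(findings_response)
    return [f for f in body.get("ioc_findings", []) if f.get("id") in wanted]


def source_documents(findings):
    """(index, document id) pairs to fetch for the events that matched; deduplicated, order kept."""
    pairs = []
    for finding in findings:
        for ref in finding.get("related_doc_ids", []):
            pair = parse_related_doc_id(ref)
            if pair not in pairs:
                pairs.append(pair)
    return pairs


def summarize_by_ioc(findings_response):
    """Group findings by (ioc_value, ioc_type): hit count, feeds that supplied the IOC,
    matched documents, and first/last match time (epoch milliseconds, as in the API)."""
    body = json.loads(findings_response)
    summary = defaultdict(lambda: {"hits": 0, "feeds": set(), "documents": [],
                                   "first_seen": None, "last_seen": None})
    for finding in body.get("ioc_findings", []):
        entry = summary[(finding["ioc_value"], finding["ioc_type"])]
        entry["hits"] += 1
        entry["feeds"].update(src["feed_name"] for src in finding.get("ioc_feed_ids", []))
        entry["documents"].extend(parse_related_doc_id(r) for r in finding.get("related_doc_ids", []))
        ts = finding["timestamp"]
        entry["first_seen"] = ts if entry["first_seen"] is None else min(entry["first_seen"], ts)
        entry["last_seen"] = ts if entry["last_seen"] is None else max(entry["last_seen"], ts)
    return dict(summary)


if __name__ == "__main__":
    # The alert in the page's example carries this single finding id.
    hits = findings_for_alert(SAMPLE_FINDINGS_RESPONSE, ["a9c10094-6139-42b3-81a8-867dffbe381d"])
    print(source_documents(hits))
    for key, entry in summarize_by_ioc(SAMPLE_FINDINGS_RESPONSE).items():
        print(key, entry["hits"], sorted(entry["feeds"]), entry["first_seen"], entry["last_seen"])
```

The per-IOC summary is the view an analyst usually wants before acknowledging an alert: one IOC value matching repeatedly across many documents and several feeds reads differently from a single hit from one custom feed, and first_seen/last_seen bound the window to search in the source index.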