Link Search Menu Expand Document Documentation Menu

Alerts and Findings API

The threat intelligence Alerts and Findings API retrieves information about alerts and findings from threat intelligence feeds.


Get threat intelligence alerts

Retrieves any alerts related to threat intelligence monitors.

Endpoints

GET /_plugins/_security_analytics/threat_intel/alerts

Path parameters

You can specify the following parameters when requesting an alert.

Parameter Description
severityLevel Filter alerts by severity level. Optional.
alertState Used to filter by alert state. Possible values are ACTIVE, ACKNOWLEDGED, COMPLETED, ERROR, or DELETED. Optional.
sortString The string Security Analytics uses to sort the alerts. Optional.
sortOrder The order used to sort the list of alerts. Possible values are asc or desc. Optional.
missing A list of fields for which no alias mappings were found. Optional.
size An optional maximum number of results to be returned in the response. Optional.
startIndex The pagination indicator. Optional.
searchString The alert attribute you want returned in the search. Optional.

Example request

GET /_plugins/_security_analytics/threat_intel/alerts

Example response

{
    "alerts": [{
      "id": "906669ee-56e8-4f40-a12f-ab4c274d7521",
      "version": 1,
      "schema_version": 0,
      "seq_no": 0,
      "primary_term": 1,
      "trigger_id": "regwarg",
      "trigger_name": "regwarg",
      "state": "ACTIVE",
      "error_message": null,
      "ioc_value": "example-has00001",
      "ioc_type": "hashes",
      "severity": "high",
      "finding_ids": [
        "a9c10094-6139-42b3-81a8-867dffbe381d"
      ],
      "acknowledged_time": 1722038395105,
      "last_updated_time": null,
      "start_time": 1722038395105,
      "end_time": null
    }],
    "total_alerts": 1
}

Response body fields

A threat intelligence alert can have one of the following states.

State Description
ACTIVE The alert is ongoing and unacknowledged. Alerts remain in this state until they are acknowledged, the trigger associated with the alert is deleted, or the threat intelligence monitor is deleted entirely.
ACKNOWLEDGED The alert is acknowledged, but the root cause of the alert has not been addressed.
COMPLETED The alert is no longer ongoing. Alerts enter this state after the corresponding trigger evaluates to false.
DELETED The monitor or trigger for the alert was deleted while the alert was active.

Update Alerts Status API

Updates the status of the specified alerts to ACKNOWLEDGED or COMPLETED. Only alerts in the ACTIVE state can be updated.

Endpoints

PUT /plugins/security_analytics/threat_intel/alerts/status

Example requests

The following example updates the status of the specified alerts to ACKNOWLEDGED:

PUT /plugins/security_analytics/threat_intel/alerts/status?state=ACKNOWLEDGED&alert_ids=<alert-id>,<alert-id>

The following example updates the status of the specified alerts to COMPLETED:

PUT /plugins/security_analytics/threat_intel/alerts/status?state=COMPLETED&alert_ids=alert_ids=<alert-id>,<alert-id>

Example response

{
  "updated_alerts": [
    {
      "id": "906669ee-56e8-4f40-a12f-ab4c274d7521",
      "version": 1,
      "schema_version": 0,
      "seq_no": 2,
      "primary_term": 1,
      "trigger_id": "regwarg",
      "trigger_name": "regwarg",
      "state": "ACKNOWLEDGED",
      "error_message": null,
      "ioc_value": "example-has00001",
      "ioc_type": "hashes",
      "severity": "high",
      "finding_ids": [
        "a9c10094-6139-42b3-81a8-867dffbe381d"
      ],
      "acknowledged_time": 1722039091209,
      "last_updated_time": 1722039091209,
      "start_time": 1722038395105,
      "end_time": null
    },
    {
      "id": "56e8-4f40-a12f-ab4c274d7521-906669ee",
      "version": 1,
      "schema_version": 0,
      "seq_no": 2,
      "primary_term": 1,
      "trigger_id": "regwarg",
      "trigger_name": "regwarg",
      "state": "ACKNOWLEDGED",
      "error_message": null,
      "ioc_value": "example-has00001",
      "ioc_type": "hashes",
      "severity": "high",
      "finding_ids": [
        "a9c10094-6139-42b3-81a8-867dffbe381d"
      ],
      "acknowledged_time": 1722039091209,
      "last_updated_time": 1722039091209,
      "start_time": 1722038395105,
      "end_time": null
    }
  ],
  "failure_messages": []
}

Get findings

Returns threat intelligence indicator of compromise (IOC) findings. When the threat intelligence monitor finds a malicious IOC during a data scan, a finding is automatically generated.

Endpoints

GET /_plugins/_security_analytics/threat_intel/findings/

Path parameters

Parameter Description
sortString Specifies which string Security Analytics uses to sort the alerts. Optional.
sortOrder The order used to sort the list of findings. Possible values are asc or desc. Optional.
missing A list of fields for which there were no alias mappings found. Optional.
size The maximum number of results to be returned in the response. Optional.
startIndex The pagination indicator. Optional.
searchString The alert attribute you want returned in the search. Optional.

Example request

GET /_plugins/_security_analytics/threat_intel/findings/_search?size=3
{
  "total_findings": 10,
  "ioc_findings": [
    {
      "id": "a9c10094-6139-42b3-81a8-867dffbe381d",
      "related_doc_ids": [
        "Ccp88ZAB1vBjq44wmTEu:windows"
      ],
      "ioc_feed_ids": [
        {
          "ioc_id": "2",
          "feed_id": "Bsp88ZAB1vBjq44wiDGo",
          "feed_name": "my_custom_feed",
          "index": ""
        }
      ],
      "monitor_id": "B8p88ZAB1vBjq44wkjEy",
      "monitor_name": "Threat intelligence monitor",
      "ioc_value": "example-has00001",
      "ioc_type": "hashes",
      "timestamp": 1722038394501,
      "execution_id": "01cae635-93dc-4f07-9e39-31076b9535d1"
    },
    {
      "id": "8d87aee0-aaa4-4c12-b4e2-b4b1f4ec80f9",
      "related_doc_ids": [
        "GsqI8ZAB1vBjq44wXTHa:windows"
      ],
      "ioc_feed_ids": [
        {
          "ioc_id": "2",
          "feed_id": "Bsp88ZAB1vBjq44wiDGo",
          "feed_name": "my_custom_feed",
          "index": ""
        }
      ],
      "monitor_id": "B8p88ZAB1vBjq44wkjEy",
      "monitor_name": "Threat intelligence monitor",
      "ioc_value": "example-has00001",
      "ioc_type": "hashes",
      "timestamp": 1722039165824,
      "execution_id": "54899e32-aeeb-401e-a031-b1728772f0aa"
    },
    {
      "id": "2419f624-ba1a-4873-978c-760183b449b7",
      "related_doc_ids": [
        "H8qI8ZAB1vBjq44woDHU:windows"
      ],
      "ioc_feed_ids": [
        {
          "ioc_id": "2",
          "feed_id": "Bsp88ZAB1vBjq44wiDGo",
          "feed_name": "my_custom_feed",
          "index": ""
        }
      ],
      "monitor_id": "B8p88ZAB1vBjq44wkjEy",
      "monitor_name": "Threat intelligence monitor",
      "ioc_value": "example-has00001",
      "ioc_type": "hashes",
      "timestamp": 1722039182616,
      "execution_id": "32ad2544-4b8b-4c9b-b2b4-2ba6d31ece12"
    }
  ]
}