Monitor API
You can use the threat intelligence Monitor API to create, search, and update monitors for your threat intelligence feeds.
Create or update a threat intelligence monitor
Creates or updates a threat intelligence monitor.
Endpoints
The POST method creates a new monitor. The PUT method updates the monitor identified by `<monitor_id>`.
POST _plugins/_security_analytics/threat_intel/monitors
PUT _plugins/_security_analytics/threat_intel/monitors/<monitor_id>
Request body fields
You can specify the following fields in the request body.
Field | Type | Description |
---|---|---|
name | String | The name of the monitor. Required. |
schedule | Object | The schedule that determines how often the monitor runs. Required. |
schedule.period | Object | Information about the frequency of the schedule. Required. |
schedule.period.interval | Integer | The interval at which the monitor runs. Required. |
schedule.period.unit | String | The unit of time for the interval (for example, MINUTES). Required. |
enabled | Boolean | Whether the monitor is enabled. A monitor created with `false` is stored but does not run on its schedule until it is enabled. Required. |
user | Object | Information about the user who created the monitor. Required. |
user.backend_roles | Array | The backend roles associated with the user. Optional. |
user.roles | Array | The roles associated with the user. Optional. |
user.custom_attribute_names | Array | Custom attribute names associated with the user. Optional. |
user.user_requested_tenant | String | The tenant requested by the user. Optional. |
indices | Array | The log data sources used for the monitor. Required. |
per_ioc_type_scan_input_list | Array | A list of inputs to scan based on the indicator of compromise (IOC) types. Required. |
per_ioc_type_scan_input_list.ioc_type | String | The type of IOC (for example, hashes). Required. |
per_ioc_type_scan_input_list.index_to_fields_map | Object | The index field mappings that contain values for the given IOC type. Required. |
per_ioc_type_scan_input_list.index_to_fields_map.<index> | Array | A list of fields contained in the specified index. Required. |
triggers | Array | The trigger settings for alerts. Required. |
triggers.data_sources | Array | A list of data sources associated with the trigger. Required. |
triggers.name | String | The name of the trigger. Required. |
triggers.severity | String | The severity level of the trigger (for example, high, medium, or low). Required. |
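As an added example that is not code from the OpenSearch documentation or the Security Analytics plugin, the following Python assembles a monitor body from the fields in the table above, lints it client-side before it is sent, and returns the method and path for a create (POST) or an update (PUT). The checks that go beyond "required field present" (a positive integer interval, at least one index, and every index named in `index_to_fields_map` also appearing in `indices`) are this example's own assumptions about a sensible definition, not rules the API states; the helper names are the example's own.

```python
import json

# Added example: build and lint a threat intelligence monitor body.
# The cross-field checks below are this example's assumptions, not API rules.

MONITORS_PATH = "_plugins/_security_analytics/threat_intel/monitors"


def monitor_body(name, interval, unit, indices, ioc_field_map, triggers, enabled=False):
    """Assemble a monitor definition with the fields documented above.

    ioc_field_map: {ioc_type: {index: [field, ...]}}, e.g.
                   {"hashes": {"windows": ["file_hash"]}}
    triggers:      [{"name": ..., "severity": ..., "data_sources": [...]}, ...]
    """
    return {
        "name": name,
        "schedule": {"period": {"interval": interval, "unit": unit}},
        "enabled": enabled,
        # Mirrors the empty user object in the documented example request.
        "user": {"name": "", "backend_roles": [], "roles": [],
                 "custom_attribute_names": [], "user_requested_tenant": None},
        "indices": list(indices),
        "per_ioc_type_scan_input_list": [
            {"ioc_type": ioc_type, "index_to_fields_map": dict(index_map)}
            for ioc_type, index_map in ioc_field_map.items()
        ],
        "triggers": [dict(t) for t in triggers],
    }


def validate_monitor_body(body):
    """Return a list of problems; an empty list means the body looks sendable."""
    problems = []
    for field in ("name", "schedule", "enabled", "indices",
                  "per_ioc_type_scan_input_list", "triggers"):
        if field not in body:
            problems.append(f"missing required field: {field}")

    period = body.get("schedule", {}).get("period", {})
    interval = period.get("interval")
    if isinstance(interval, bool) or not isinstance(interval, int) or interval < 1:
        problems.append("schedule.period.interval must be a positive integer")
    if not period.get("unit"):
        problems.append("schedule.period.unit is missing")

    indices = set(body.get("indices", []))
    if not indices:
        problems.append("indices must list at least one log data source")

    for scan in body.get("per_ioc_type_scan_input_list", []):
        ioc_type = scan.get("ioc_type")
        if not ioc_type:
            problems.append("per_ioc_type_scan_input_list entry has no ioc_type")
        for index, fields in scan.get("index_to_fields_map", {}).items():
            # Assumption: a scanned index should be one of the monitor's indices.
            if index not in indices:
                problems.append(f"index_to_fields_map references {index!r}, "
                                "which is not in indices")
            if not fields:
                problems.append(f"no fields mapped for ioc_type {ioc_type!r} in {index!r}")

    for trigger in body.get("triggers", []):
        for field in ("name", "severity", "data_sources"):
            if field not in trigger:
                problems.append(f"trigger is missing {field}")
    return problems


def monitor_request(body, monitor_id=None):
    """Return (method, path, json_body): POST to create, PUT <id> to update."""
    problems = validate_monitor_body(body)
    if problems:
        raise ValueError("; ".join(problems))
    if monitor_id is None:
        return "POST", MONITORS_PATH, json.dumps(body)
    return "PUT", f"{MONITORS_PATH}/{monitor_id}", json.dumps(body)


if __name__ == "__main__":
    body = monitor_body("Threat intel monitor", 1, "MINUTES", ["windows"],
                        {"hashes": {"windows": ["file_hash"]}},
                        [{"name": "regwarg", "severity": "high", "data_sources": ["windows"]}])
    method, path, payload = monitor_request(body)
    print(method, path)
    print(payload)
```

Running the linter before the request keeps a mistyped index name from producing a monitor that is stored and scheduled but scans nothing, which the API response alone does not make obvious.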
Example requests
The following section provides example requests for the Monitor API.
Create a monitor
POST _plugins/_security_analytics/threat_intel/monitors
{
"name": "Threat intel monitor",
"schedule": {
"period": {
"interval": 1,
"unit": "MINUTES"
}
},
"enabled": false,
"user": {
"name": "",
"backend_roles": [],
"roles": [],
"custom_attribute_names": [],
"user_requested_tenant": null
},
"indices": [
"windows"
],
"per_ioc_type_scan_input_list": [
{
"ioc_type": "hashes",
"index_to_fields_map": {
"windows": [
"file_hash"
]
}
}
],
"triggers": [
{
"data_sources": [
"windows",
"random"
],
"name": "regwarg",
"severity": "high"
}
]
}
Update a monitor
PUT _plugins/_security_analytics/threat_intel/monitors/<monitor_id>
{
"name": "Threat intel monitor",
"schedule": {
"period": {
"interval": 1,
"unit": "MINUTES"
}
},
"enabled": false,
"user": {
"name": "",
"backend_roles": [],
"roles": [],
"custom_attribute_names": [],
"user_requested_tenant": null
},
"indices": [
"windows"
],
"per_ioc_type_scan_input_list": [
{
"ioc_type": "hashes",
"index_to_fields_map": {
"windows": [
"file_hash"
]
}
}
],
"triggers": [
{
"data_sources": [
"windows",
"random"
],
"name": "regwarg",
"severity": "high"
}
]
}
Example response
{
"id": "B8p88ZAB1vBjq44wkjEy",
"name": 1,
"seq_no": 0,
"primary_term": 1,
"monitor": {
"id": "B8p88ZAB1vBjq44wkjEy",
"name": "Threat intel monitor",
"per_ioc_type_scan_input_list": [
{
"ioc_type": "hashes",
"index_to_fields_map": {
"windows": [
"file_hash"
]
}
}
],
"schedule": {
"period": {
"interval": 1,
"unit": "MINUTES"
}
},
"enabled": false,
"user": {
"name": "",
"backend_roles": [],
"roles": [],
"custom_attribute_names": [],
"user_requested_tenant": null
},
"indices": [
"windows"
],
"triggers": [
{
"data_sources": [
"windows",
"random"
],
"ioc_types": [],
"actions": [],
"id": "afdd80cc-a669-4487-98a0-d84bea8e1e39",
"name": "regwarg",
"severity": "high"
}
]
}
}
Delete a monitor
Deletes an existing threat intelligence monitor.
Endpoints
DELETE /_plugins/_security_analytics/threat_intel/monitors/<monitor_id>
Example request
DELETE /_plugins/_security_analytics/threat_intel/monitors/B8p88ZAB1vBjq44wkjEy
Example response
{
"_id" : "B8p88ZAB1vBjq44wkjEy",
"_version" : 1
}
Search for a monitor
Searches for existing monitors using a query. The request body expects a Query DSL search query. For query options, see Query DSL.
Endpoints
POST /_plugins/_security_analytics/threat_intel/monitors/_search
Example request
The following example request uses a match query on the monitor's ID to search for the monitor:
POST /_plugins/_security_analytics/threat_intel/monitors/_search
{
"query": {
"match": {
"_id": "HMqq_5AB1vBjq44wpTIN"
}
}
}
Example response
{
"took": 11,
"timed_out": false,
"_shards": {
"total": 1,
"successful": 1,
"skipped": 0,
"failed": 0
},
"hits": {
"total": {
"value": 1,
"relation": "eq"
},
"max_score": 2.0,
"hits": [
{
"_index": ".opendistro-alerting-config",
"_id": "HMqq_5AB1vBjq44wpTIN",
"_version": 1,
"_seq_no": 8,
"_primary_term": 1,
"_score": 2.0,
"_source": {
"id": "HMqq_5AB1vBjq44wpTIN",
"name": "Threat intel monitor",
"per_ioc_type_scan_input_list": [
{
"ioc_type": "hashes",
"index_to_fields_map": {
"windows": [
"file_hash"
]
}
}
],
"schedule": {
"period": {
"interval": 1,
"unit": "MINUTES"
}
},
"enabled": false,
"user": {
"name": "",
"backend_roles": [],
"roles": [],
"custom_attribute_names": [],
"user_requested_tenant": null
},
"indices": [
"windows"
],
"triggers": [
{
"data_sources": [
"windows",
"random"
],
"ioc_types": [],
"actions": [],
"id": "63426758-c82d-4c87-a52c-f86ee6a8a06d",
"name": "regwarg",
"severity": "high"
}
]
}
}
]
}
}
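The following Python is an added example and is not code from the OpenSearch documentation or the Security Analytics plugin. It builds Query DSL bodies for the monitor search endpoint and turns a search response like the one above into a compact inventory: what each monitor scans, how often, whether it is enabled, and which of its listed indices no IOC type actually maps a field in. `SAMPLE_RESPONSE` is constructed here to mirror the response shape shown above (the second hit, its `ipv4-addr` scan input and its `linux` index are invented for illustration), and the helper names are the example's own.

```python
# Added example: search bodies and a response inventory for threat intel monitors.
# SAMPLE_RESPONSE is constructed to mirror the documented response shape.

MONITORS_PATH = "_plugins/_security_analytics/threat_intel/monitors"
SEARCH_PATH = f"{MONITORS_PATH}/_search"


def search_by_id(monitor_id):
    """Match query on the document ID, as in the documented example request."""
    return {"query": {"match": {"_id": monitor_id}}}


def search_by_name(name):
    """Match query on the monitor name, for when the ID is not known."""
    return {"query": {"match": {"name": name}}}


def _hit(doc_id, name, enabled, indices, scans, triggers):
    """Constructed search hit in the shape of the response above."""
    return {
        "_index": ".opendistro-alerting-config", "_id": doc_id, "_score": 2.0,
        "_source": {
            "id": doc_id, "name": name,
            "per_ioc_type_scan_input_list": [
                {"ioc_type": t, "index_to_fields_map": m} for t, m in scans.items()],
            "schedule": {"period": {"interval": 1, "unit": "MINUTES"}},
            "enabled": enabled, "indices": indices,
            "triggers": [{"data_sources": indices, "ioc_types": [], "actions": [],
                          "id": f"constructed-trigger-{i}", "name": n, "severity": s}
                         for i, (n, s) in enumerate(triggers)],
        },
    }


SAMPLE_RESPONSE = {
    "took": 11, "timed_out": False,
    "_shards": {"total": 1, "successful": 1, "skipped": 0, "failed": 0},
    "hits": {"total": {"value": 2, "relation": "eq"}, "max_score": 2.0, "hits": [
        # First hit mirrors the documented monitor.
        _hit("HMqq_5AB1vBjq44wpTIN", "Threat intel monitor", False, ["windows"],
             {"hashes": {"windows": ["file_hash"]}}, [("regwarg", "high")]),
        # Second hit is invented: it lists a linux index but maps no field in it.
        _hit("constructed-monitor-2", "Hash and IP monitor", True, ["windows", "linux"],
             {"hashes": {"windows": ["file_hash"]}, "ipv4-addr": {"windows": ["src_ip"]}},
             [("ip-hits", "medium")]),
    ]},
}


def summarize_monitors(response):
    """One flat summary per hit: what runs, how often, against which fields."""
    summaries = []
    for hit in response["hits"]["hits"]:
        src = hit["_source"]
        period = src["schedule"]["period"]
        summaries.append({
            "id": hit["_id"],
            "name": src["name"],
            "enabled": src["enabled"],
            "every": f"{period['interval']} {period['unit']}",
            "indices": list(src["indices"]),
            "scans": {s["ioc_type"]: s["index_to_fields_map"]
                      for s in src["per_ioc_type_scan_input_list"]},
            "triggers": [(t["name"], t["severity"]) for t in src["triggers"]],
            "delete_path": f"{MONITORS_PATH}/{hit['_id']}",
        })
    return summaries


def unscanned_indices(summary):
    """Indices the monitor lists that no IOC type maps a field in.

    Such an index contributes nothing to the scan. Flagging it is this
    example's own sanity check, not a rule the API enforces.
    """
    mapped = {idx for index_map in summary["scans"].values() for idx in index_map}
    return sorted(set(summary["indices"]) - mapped)


def disabled_monitor_ids(response):
    """IDs of monitors that are stored but not running (enabled == false)."""
    return [s["id"] for s in summarize_monitors(response) if not s["enabled"]]


if __name__ == "__main__":
    for s in summarize_monitors(SAMPLE_RESPONSE):
        print(s["id"], s["name"], "enabled" if s["enabled"] else "DISABLED",
              "every", s["every"], "unscanned:", unscanned_indices(s))
```

Run against a real search response, the two checks surface the quiet failure modes: a monitor that was created with `"enabled": false` and never switched on, and an index that appears in `indices` but that no IOC type scans.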