/services/data/threat_intel/item/{threat_intel_collection}
Perform CRUD operations on an existing threat intelligence collection.
Syntax
https://<host>:<mPort>/services/data/threat_intel/item/{threat_intel_collection}
Usage details
The collection name must be one of the following:
- ip_intel
- file_intel
- user_intel
- http_intel
- email_intel
- service_intel
- process_intel
- registry_intel
- certificate_intel
Some methods require the _key field. To find the key for a row in a collection, run a search using the inputlookup command and the relevant threat_intel_collection and use eval to display the _key field for each row. For example:
| inputlookup ip_intel | eval item_key=_key
GET
List one or more rows from a collection.
Request parameters
| Field | Type | Default | Description |
|---|---|---|---|
| item (required) | JSON encoded string | | The field/value pairs to match. For example, {'ip':'41.41.41.41'} returns rows that have ip=41.41.41.41, and {'file_name':'threat.trt', 'file_extension':'trt'} returns all the rows that match file_name=threat.trt and file_extension=trt. |
Data payload
The item field must contain at least one of the important fields for the threat collection to use as search criteria, in a JSON encoded string.

| Collection name | Important fields |
|---|---|
| user_intel | user |
| file_intel | file_name, file_hash |
| ip_intel | ip, domain |
| http_intel | http_user_agent, ip, http_referrer, url, domain |
| email_intel | embedded_domain, src_user, subject, file_hash, file_name, embedded_ip |
| service_intel | service_file_hash, service_dll_file_hash, service_dll_file_name, service_file_name, service |
| process_intel | dest, src, process_file_name, process |
| registry_intel | registry_path, registry_value_name, registry_value_text, user |
| certificate_intel | certificate_issuer_common_name, certificate_subject_common_name, certificate_common_name, certificate_issuer_organization, certificate_subject_organization, certificate_serial, certificate_issuer, certificate_subject, certificate_issuer_unit, certificate_subject_unit, certificate_issuer_email, certificate_subject_email, ip, domain |
Response
If the request is successful, the endpoint returns all the rows that match the values supplied in the item parameter. If the request fails, the endpoint returns an error message.
Example 1: request
Retrieve a single intelligence item.
curl -k -u admin:pass https://localhost:8089/services/data/threat_intel/item/ip_intel -d item='{"ip":"10.10.1.1"}' -G -X GET
Example 1: response
A single intelligence item is returned.
{"message": [{"_user": "nobody", "time": 1481566235.98246, "threat_key": "fireeye:stix-b7b16e67-4292-46a3-ba64-60c1a491723d|stix_file.xml.xml", "ip": "10.10.1.1", "_key": "fireeye:stix-b7b16e67-4292-46a3-ba64-60c1a491723d:fireeye:observable-00375905-04b4-4255-b453-2a5875c20b6d"}], "status": true}
Example 2: request
Retrieve multiple intelligence items.
curl -k -u admin:pass https://localhost:8089/services/data/threat_intel/item/ip_intel -d item='[{"ip":"5.5.5.5"},{"domain":"example.com"}]' -G -X GET
Example 2: response
Multiple intelligence items are returned.
{"message": [{"_user": "nobody", "time": 1481566235.98246, "threat_key": "fireeye:stix-b7b16e67-4292-46a3-ba64-60c1a491723d|stix_file.xml.xml", "ip": "5.5.5.5", "_key": "fireeye:stix-b7b16e67-4292-46a3-ba64-60c1a491723d:fireeye:observable-00375905-04b4-4255-b453-2a5875c20b5d"}, {"_user": "nobody", "time": 1481566235.98246, "threat_key": "fireeye:stix-b7b16e67-4292-46a3-ba64-60c1a491724d|stix_file.xml.xml", "domain": "example.com", "_key": "fireeye:stix-b7b16e67-4292-46a3-ba64-60c1a491724d:fireeye:observable-00375905-04b4-4255-b453-2a5875c20b6d"}], "status": true}
PUT
Update one or more rows in a collection.
Request parameters
| Field | Type | Default | Description |
|---|---|---|---|
| item (required) | JSON encoded string | | The field/value pairs to update in one or more rows in a collection, accompanied by the _key for those rows. To update multiple rows with a single call, separate the JSON encoded strings with commas inside a set of brackets. |
| autofill_time_field (optional) | epoch | true | When set to "false", you supply the time for each row that you add to the KVStore collection (as the time field in item); that value is used for retention to phase out unused items instead of the ingestion time. When set to "true", or if no value is provided, the time is automatically set for each row to the current time. |
Data payload
The item field must contain at least one of the important fields for the threat collection being modified, in a JSON encoded string. The item field must also contain the _key value(s) of the rows you want to modify, in a JSON encoded string. You can update a single row or multiple rows.

| Collection name | Important fields |
|---|---|
| user_intel | user |
| file_intel | file_name, file_hash |
| ip_intel | ip, domain |
| http_intel | http_user_agent, ip, http_referrer, url, domain |
| email_intel | embedded_domain, src_user, subject, file_hash, file_name, embedded_ip |
| service_intel | service_file_hash, service_dll_file_hash, service_dll_file_name, service_file_name, service |
| process_intel | dest, src, process_file_name, process |
| registry_intel | registry_path, registry_value_name, registry_value_text, user |
| certificate_intel | certificate_issuer_common_name, certificate_subject_common_name, certificate_common_name, certificate_issuer_organization, certificate_subject_organization, certificate_serial, certificate_issuer, certificate_subject, certificate_issuer_unit, certificate_subject_unit, certificate_issuer_email, certificate_subject_email, ip, domain |
Response
The endpoint returns one of two responses:
{"status": true, "message": "Update operation successful."}
{"status": false, "message": <failure_cause>}
Example request
curl -k -u admin:pass https://localhost:8089/services/data/threat_intel/item/email_intel -d item='[{"src_user": "user_new1", "subject":"click this new update", "time": 1620762180, "_key":"126b0fd6d5c548fbb9a31107a4acddc1"}, {"src_user": "user_new2", "subject":"click this update", "time": 1620762180, "_key":"46cdf4a3579244f4a409c69af02d5101"}]' -d autofill_time_field="false" -X PUT
Example response
{"status": true, "message": "Update operation successful."}
POST
Create one or more rows in a collection.
Request parameters
| Field | Type | Default | Description |
|---|---|---|---|
| item (required) | JSON encoded string | | The field/value pairs to insert as a new row in a collection. To create multiple rows with a single call, separate the JSON encoded strings with commas inside a set of brackets. Examples: {'file_name':'threat.trt', 'file_extension':'trt'} creates one new row that has file_name=threat.trt and file_extension=trt. {'ip':'41.41.41.41'} creates one new row with ip=41.41.41.41. [{'ip':'41.41.41.41'}, {'ip':'10.10.10.10'}] creates two new rows: one with ip=41.41.41.41 and the other with ip=10.10.10.10. See the Data payload information for a list of important fields. The item must include at least one of the important fields for the relevant collection name, or the API returns an error. |
| autofill_time_field (optional) | epoch | true | When set to "false", you supply the time for each row that you add to the KVStore collection (as the time field in item); that value is used for retention to phase out unused items instead of the ingestion time. When set to "true", or if no value is provided, the time is automatically set for each row to the current time. |
Data payload
The item field must contain at least one of the important fields for the threat collection being modified, in a JSON encoded string.

| Collection name | Important fields |
|---|---|
| user_intel | user |
| file_intel | file_name, file_hash |
| ip_intel | ip, domain |
| http_intel | http_user_agent, ip, http_referrer, url, domain |
| email_intel | embedded_domain, src_user, subject, file_hash, file_name, embedded_ip |
| service_intel | service_file_hash, service_dll_file_hash, service_dll_file_name, service_file_name, service |
| process_intel | dest, src, process_file_name, process |
| registry_intel | registry_path, registry_value_name, registry_value_text, user |
| certificate_intel | certificate_issuer_common_name, certificate_subject_common_name, certificate_common_name, certificate_issuer_organization, certificate_subject_organization, certificate_serial, certificate_issuer, certificate_subject, certificate_issuer_unit, certificate_subject_unit, certificate_issuer_email, certificate_subject_email, ip, domain |
Response
The endpoint returns one of two responses:
{"status": true, "message": "Create operation successful."}
{"status": false, "message": <failure_cause>}
Example request
Create a single row.
curl -k -u admin:changeme https://localhost:8089/services/data/threat_intel/item/email_intel -d item='{"src_user": "user_new", "subject":"click this", "time": 1620762180}' -d autofill_time_field="false"
Create two rows.
curl -k -u admin:pass https://localhost:8089/services/data/threat_intel/item/email_intel -d item='[{"src_user": "user_new", "subject":"click this"},{"src_user": "user2_new", "subject":"click this"}]'
Example response
{"status": true, "message": "Create operation successful."}
DELETE
Delete one or more rows from a collection.
Request parameters
| Field | Type | Default | Description |
|---|---|---|---|
| item (required) | JSON encoded string | | The _key values of the rows to delete from a threat collection. |
Data payload
The item field must contain the _key values of the rows you intend to delete from a threat collection, in a JSON encoded string. You can delete a single row or multiple rows.
Response
The endpoint returns one of two responses:
{"message": "Delete operation successful.", "status": true}
{"status": false, "message": <failure_cause>}
Example request
curl -k -u admin:changeme https://localhost:8089/services/data/threat_intel/item/email_intel -d item='[{"_key":"2e58177235804a739d4d768c26077b24"},{"_key":"2e58177235804a739d4d768c26077bd4"}]' -G -X DELETE
Example response
{"message": "Delete operation successful.", "status": true}
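The four methods above share one payload shape and a small set of rules: the collection name must be one of the nine listed, GET, POST and PUT rows need at least one important field for that collection, and PUT and DELETE rows need a _key. The client below is an added example, not Splunk's code or part of this page, that enforces those rules before a request leaves the host and refuses to treat a "status": false envelope as success. The host, port, credentials and PLACEHOLDER password are assumptions; the important-fields table is copied from this page.

```python
"""Added example (not Splunk's code): a small client for
/services/data/threat_intel/item/{threat_intel_collection} that checks the
payload rules described on this page before anything is sent."""
import json
import ssl
import urllib.parse
import urllib.request
from base64 import b64encode

# Important fields per collection, copied from the tables on this page.
IMPORTANT_FIELDS = {
    "user_intel": {"user"},
    "file_intel": {"file_name", "file_hash"},
    "ip_intel": {"ip", "domain"},
    "http_intel": {"http_user_agent", "ip", "http_referrer", "url", "domain"},
    "email_intel": {"embedded_domain", "src_user", "subject", "file_hash",
                    "file_name", "embedded_ip"},
    "service_intel": {"service_file_hash", "service_dll_file_hash",
                      "service_dll_file_name", "service_file_name", "service"},
    "process_intel": {"dest", "src", "process_file_name", "process"},
    "registry_intel": {"registry_path", "registry_value_name",
                       "registry_value_text", "user"},
    "certificate_intel": {
        "certificate_issuer_common_name", "certificate_subject_common_name",
        "certificate_common_name", "certificate_issuer_organization",
        "certificate_subject_organization", "certificate_serial",
        "certificate_issuer", "certificate_subject", "certificate_issuer_unit",
        "certificate_subject_unit", "certificate_issuer_email",
        "certificate_subject_email", "ip", "domain"},
}

# Per method: (needs an important field, needs _key), as documented above.
RULES = {
    "GET": (True, False),
    "POST": (True, False),
    "PUT": (True, True),
    "DELETE": (False, True),
}


def validate_items(method, collection, items):
    """Return the rows as a list, raising ValueError for anything the endpoint
    would reject: unknown collection, no important field, or missing _key."""
    if collection not in IMPORTANT_FIELDS:
        raise ValueError(f"unknown collection: {collection}")
    if method not in RULES:
        raise ValueError(f"unsupported method: {method}")
    need_field, need_key = RULES[method]
    rows = items if isinstance(items, list) else [items]
    for row in rows:
        if need_key and "_key" not in row:
            raise ValueError(f"{method} on {collection} needs _key in every row")
        if need_field and not (IMPORTANT_FIELDS[collection] & set(row)):
            raise ValueError(f"row has none of the important fields for {collection}")
    return rows


def build_request(method, collection, items, host="localhost", port=8089,
                  user="admin", password="PLACEHOLDER", autofill_time_field=None):
    """Build the urllib Request that matches the curl examples: GET and DELETE
    carry item in the query string (curl -G), POST and PUT send it
    form-encoded in the body (curl -d). Credentials are assumed placeholders."""
    rows = validate_items(method, collection, items)
    # Keep the caller's shape: a single object stays an object, a list stays a list.
    params = {"item": json.dumps(rows if isinstance(items, list) else rows[0])}
    if autofill_time_field is not None:
        params["autofill_time_field"] = "true" if autofill_time_field else "false"
    encoded = urllib.parse.urlencode(params)
    url = f"https://{host}:{port}/services/data/threat_intel/item/{collection}"
    if method in ("GET", "DELETE"):
        req = urllib.request.Request(f"{url}?{encoded}", method=method)
    else:
        req = urllib.request.Request(url, data=encoded.encode(), method=method)
        req.add_header("Content-Type", "application/x-www-form-urlencoded")
    token = b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    return req


def parse_response(body):
    """Decode the JSON envelope and raise when status is false, so a failed
    update or delete is never silently treated as success."""
    payload = json.loads(body)
    if not payload.get("status"):
        raise RuntimeError(f"endpoint reported failure: {payload.get('message')}")
    return payload["message"]


def send(req, verify_tls=True, timeout=10):
    """Send a built request. verify_tls=False mirrors curl -k for a self-signed
    management port; trusting the real CA is the better option."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return parse_response(resp.read())


if __name__ == "__main__":
    r = build_request("GET", "ip_intel", {"ip": "10.10.1.1"})
    print(r.get_method(), r.full_url)
    r = build_request("PUT", "email_intel",
                      [{"src_user": "user_new1", "subject": "click this new update",
                        "time": 1620762180, "_key": "126b0fd6d5c548fbb9a31107a4acddc1"}],
                      autofill_time_field=False)
    print(r.get_method(), r.data)
    # Constructed response body, shaped like the PUT response shown on this page.
    print(parse_response(b'{"status": true, "message": "Update operation successful."}'))
```

Run it as a script to see the exact URL and body each curl example maps to without contacting a server; call send(build_request(...), verify_tls=False) against a real instance only when the management port is reachable and a self-signed certificate is acceptable.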