/services/data/threat_intel/item/{threat_intel_collection}/{item_key}
Perform read, update, and delete operations on a row of an existing threat intelligence collection.
Syntax
https://<host>:<mPort>/services/data/threat_intel/item/{threat_intel_collection}/{item_key}
Usage details
The threat_intel_collection must be one of the following:
- ip_intel
- file_intel
- user_intel
- http_intel
- email_intel
- service_intel
- process_intel
- registry_intel
- certificate_intel
The item_key must be a valid key. To find the key for a row in a collection, run a search with the inputlookup command against the relevant threat_intel_collection and use eval to display the _key field for each row. For example:
| inputlookup ip_intel | eval item_key=_key
GET
Access a row from a collection.
Request parameters
None
Data payload
None
Response
The endpoint returns one of two responses:
{"message":<The row of the collection you requested, as a JSON object>, "status": true}
{"message": "No matching entries found in kvstore.", "status": false}
Example request
curl -k -u admin:changeme https://localhost:8089/services/data/threat_intel/item/ip_intel/fireeye:stix-b7b16e67-4292-46a3-ba64-60c1a491723d:fireeye:observable-00375905-04b4-4255-b453-2a5875c20b6d
Example response
{"message": [{"_user": "nobody", "time": 1481566235.98246, "threat_key": "fireeye:stix-b7b16e67-4292-46a3-ba64-60c1a491723d|stix_file.xml.xml", "ip": "58.64.179.144", "_key": "fireeye:stix-b7b16e67-4292-46a3-ba64-60c1a491723d:fireeye:observable-00375905-04b4-4255-b453-2a5875c20b6d"}], "status": true}
PUT
Update a row in a collection.
Request parameters
| Field | Type | Default | Description |
|---|---|---|---|
| item (required) | JSON encoded string | | The field/value pairs in the row to be updated. For example, {'ip':'41.41.41.41'} updates the ip to 41.41.41.41. See the Data payload information for a list of important fields. The item must include at least one of the important fields for the relevant collection name, or the API returns an error. |
| autofill_time_field (optional) | epoch | true | When set to "false", provides the current time for each row that you add to the KVStore collection. The value provided in this field is used for retention to phase out unused items instead of ingestion time. When set to "true" or if no value is provided, the time is automatically set for each row to the current time. |
Data payload
The item field must contain at least one of the important fields for the threat collection being modified.

| Collection name | Important fields |
|---|---|
| user_intel | user |
| file_intel | file_name, file_hash |
| ip_intel | ip, domain |
| http_intel | http_user_agent, ip, http_referrer, url, domain |
| email_intel | embedded_domain, src_user, subject, file_hash, file_name, embedded_ip |
| service_intel | service_file_hash, service_dll_file_hash, service_dll_file_name, service_file_name, service |
| process_intel | dest, src, process_file_name, process |
| registry_intel | registry_path, registry_value_name, registry_value_text, user |
| certificate_intel | certificate_issuer_common_name, certificate_subject_common_name, certificate_common_name, certificate_issuer_organization, certificate_subject_organization, certificate_serial, certificate_issuer, certificate_subject, certificate_issuer_unit, certificate_subject_unit, certificate_issuer_email, certificate_subject_email, ip, domain |
Response
The endpoint returns one of two responses:
{"status": true, "message": "Update operation successful."}
{"status": false, "message": <failure_cause>}
Example request
curl -k -u admin:changeme https://localhost:8089/services/data/threat_intel/item/email_intel/7bce624696ad4bc48cc781d8c8204c8f -d item='{"src_user": "user_new1", "subject":"click this!", "time": 123123123}' -d autofill_time_field="false" -X PUT
Example response
{"status": true, "message": "Update operation successful."}
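The following Python client is an added example, not part of this documentation page or of Splunk's own code. It applies the important-field rule from the Data payload table locally before a PUT is built, constructs the same GET/PUT/DELETE requests the curl examples perform (using the host, management port, collection, and item key as parameters), and interprets the two-shape status/message response. Nothing is sent over the network; the requests are only built, and the sample response is a constructed copy of the GET example above.

```python
import base64
import json
import urllib.parse
import urllib.request

# "Important fields" per collection, transcribed from the Data payload table.
IMPORTANT_FIELDS = {
    "user_intel": {"user"},
    "file_intel": {"file_name", "file_hash"},
    "ip_intel": {"ip", "domain"},
    "http_intel": {"http_user_agent", "ip", "http_referrer", "url", "domain"},
    "email_intel": {"embedded_domain", "src_user", "subject", "file_hash",
                    "file_name", "embedded_ip"},
    "service_intel": {"service_file_hash", "service_dll_file_hash",
                      "service_dll_file_name", "service_file_name", "service"},
    "process_intel": {"dest", "src", "process_file_name", "process"},
    "registry_intel": {"registry_path", "registry_value_name",
                       "registry_value_text", "user"},
    "certificate_intel": {"certificate_issuer_common_name",
                          "certificate_subject_common_name",
                          "certificate_common_name",
                          "certificate_issuer_organization",
                          "certificate_subject_organization",
                          "certificate_serial", "certificate_issuer",
                          "certificate_subject", "certificate_issuer_unit",
                          "certificate_subject_unit", "certificate_issuer_email",
                          "certificate_subject_email", "ip", "domain"},
}


def validate_item(collection, item):
    """Return a list of problems with a PUT payload; an empty list means the
    payload satisfies the endpoint's important-field rule for that collection."""
    problems = []
    if collection not in IMPORTANT_FIELDS:
        problems.append(f"unknown threat_intel_collection: {collection}")
        return problems
    if not isinstance(item, dict) or not item:
        problems.append("item must be a non-empty JSON object")
        return problems
    if not IMPORTANT_FIELDS[collection] & set(item):
        problems.append(
            f"item has none of the important fields for {collection}: "
            + ", ".join(sorted(IMPORTANT_FIELDS[collection])))
    return problems


def build_request(host, mport, user, password, collection, item_key,
                  method="GET", item=None, autofill_time_field=None):
    """Build (but do not send) the request the curl examples perform.
    PUT payloads are checked locally so a malformed item fails before it
    reaches the server. Host/port/credentials are caller-supplied assumptions."""
    if method not in ("GET", "PUT", "DELETE"):
        raise ValueError("method must be GET, PUT or DELETE")
    # Colons appear literally in keys such as the fireeye:stix-... example,
    # so they are left unescaped; everything else is percent-encoded.
    url = (f"https://{host}:{mport}/services/data/threat_intel/item/"
           f"{collection}/{urllib.parse.quote(item_key, safe=':')}")
    data = None
    if method == "PUT":
        problems = validate_item(collection, item)
        if problems:
            raise ValueError("; ".join(problems))
        form = {"item": json.dumps(item)}
        if autofill_time_field is not None:
            form["autofill_time_field"] = "true" if autofill_time_field else "false"
        data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, method=method)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")  # same as curl -u
    return req


def parse_response(raw):
    """Interpret the two-shape response: return the message on status true,
    raise with the server's failure cause on status false."""
    resp = json.loads(raw)
    if resp.get("status") is not True:
        raise RuntimeError(f"threat_intel request failed: {resp.get('message')}")
    return resp["message"]


if __name__ == "__main__":
    # Constructed sample mirroring the PUT example on this page (not sent).
    req = build_request("localhost", 8089, "admin", "changeme", "email_intel",
                        "7bce624696ad4bc48cc781d8c8204c8f", method="PUT",
                        item={"src_user": "user_new1", "subject": "click this!",
                              "time": 123123123},
                        autofill_time_field=False)
    print(req.get_method(), req.full_url)
    print(req.data.decode())
    # Constructed copy of the GET example response, parsed as a caller would.
    sample = ('{"message": [{"_user": "nobody", "ip": "58.64.179.144", '
              '"_key": "constructed-key"}], "status": true}')
    print(parse_response(sample)[0]["ip"])
```

To actually send a built request, pass it to urllib.request.urlopen. Unlike the curl examples, which use -k, this does not disable certificate verification; a deployment using the default self-signed management certificate needs the CA added to the trust store or an explicit SSL context.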
POST
Create one or more rows in a collection.
Request parameters
| Field | Type | Default | Description |
|---|---|---|---|
| autofill_time_field (optional) | boolean | true | When set to "false", provides a valid time for each row that you add to the KVStore collection. The value provided in this field is used for retention to phase out unused items instead of ingestion time. When set to "true" or if no value is provided, the time is automatically set for each row to the current time. |
DELETE
Delete a row from a collection.
Usage details
The delete operation does not delete the row from the KV Store. Instead, the entry is disabled from participating in threat intelligence matching.
Request parameters
None
Data payload
None
Response
The endpoint returns one of two responses:
{"message": "Delete operation successful.", "status": true}
{"message": <failure_reason>, "status": false}
Example request
curl -k -u admin:changeme https://localhost:8089/services/data/threat_intel/item/email_intel/af8e379623f643a3be149c014b977e6b -X DELETE
Example response
{"message": "Delete operation successful.", "status": true}