Detect and Respond Traffic Detection Models

List Traffic Detection Models

get

Returns an array of Traffic Detection Models.

Authorizations

AuthorizationstringRequired

Bearer authentication header of the form Bearer <token>.

Responses

200

List of Requested Traffic Detection Models

application/json

400

Bad Request. Typically due to a malformatted JSON body, or parameter values are not validating.

application/json

401

Access token is missing or invalid

application/json

403

Access is forbidden

application/json

default

Unknown Error Occurred

application/json

get

/api/v1/rule-engine/algorithms

GET /api/v1/rule-engine/algorithms HTTP/1.1
Host: api.netography.com
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*

{
  "meta": {
    "code": 200,
    "count": 1
  },
  "data": [
    {
      "algo_type": "TDM",
      "beta": false,
      "created": 1640995200,
      "id": "127e5619-5c3c-4314-9d74-c11d07c9361e",
      "recommended": false,
      "subscription": {
        "all": "subscribed"
      },
      "subscriptiontype": "optout",
      "system": false,
      "systemdefault": false,
      "updated": 1641995200,
      "bypassdisplay": false,
      "bypassrule": false,
      "categories": [
        "system"
      ],
      "description": "detection model description",
      "discards": [
        "bits > 10000"
      ],
      "enabled": true,
      "factors": [
        "srcip"
      ],
      "name": "new_ndm_name",
      "rollupperiod": 300,
      "search_by": [
        {
          "search": [
            "bits > 10000"
          ],
          "type": "all"
        }
      ],
      "thresholds": [
        {
          "severity": "medium",
          "threshold": "average(bits) > 500"
        }
      ],
      "track_by": [
        [
          "srcip"
        ]
      ],
      "updateinterval": 0,
      "algo_record_type": "flow"
    }
  ]
}

Create Traffic Detection Model

post

Creates a traffic detection model from the data that's been supplied. Do not provide an id. IDs are auto generated

Authorizations

AuthorizationstringRequired

Bearer authentication header of the form Bearer <token>.

Body

Traffic Detection Model Create or Update Config

bypassdisplaybooleanOptional

If true, portal and API will not display new events

Example: false

bypassrulebooleanOptional

If true, alerts will not be processed by policies and integrations

Example: false

categoriesstring[]Required

Categories for the detection model

Example: ["system"]

descriptionstringRequired

Detection model description

Example: detection model description

discardsstring[]Optional

Discard lists are NQL statements that if matched do not get processed through the event. It enables skipping certain combinations without disabling the detection model

Example: ["bits > 10000"]

enabledbooleanOptional

If true, the detection model is enabled

Example: true

factorsstring[]Optional

Factors for the detection model

Example: ["srcip"]

namestringRequired

Name of the detection model

Example: new_ndm_name

rollupperiodintegerRequired

The lookback period for the detection model. Min 15 seconds. Max 1 hour (3600)

Example: 300

updateintervalintegerOptional

When ongoing updates should be sent. Max 6 hours (21600). 0 for disabled

Example: 0

algo_record_typestring · enumRequired

The context of record to be used for the detection model

Example: flowPossible values:

Responses

201

Requested Traffic Detection Model

application/json

400

Bad Request. Typically due to a malformatted JSON body, or parameter values are not validating.

application/json

401

Access token is missing or invalid

application/json

403

Access is forbidden

application/json

default

Unknown Error Occurred

application/json

post

/api/v1/rule-engine/algorithm

POST /api/v1/rule-engine/algorithm HTTP/1.1
Host: api.netography.com
Authorization: Bearer YOUR_SECRET_TOKEN
Content-Type: application/json
Accept: */*
Content-Length: 408

{
  "bypassdisplay": false,
  "bypassrule": false,
  "categories": [
    "system"
  ],
  "description": "detection model description",
  "discards": [
    "bits > 10000"
  ],
  "enabled": true,
  "factors": [
    "srcip"
  ],
  "name": "new_ndm_name",
  "rollupperiod": 300,
  "search_by": [
    {
      "search": [
        "bits > 10000"
      ],
      "type": "all"
    }
  ],
  "thresholds": [
    {
      "severity": "medium",
      "threshold": "average(bits) > 500"
    }
  ],
  "track_by": [
    [
      "srcip"
    ]
  ],
  "updateinterval": 0,
  "algo_record_type": "flow"
}

{
  "meta": {
    "code": 200,
    "count": 1
  },
  "data": [
    {
      "algo_type": "TDM",
      "beta": false,
      "created": 1640995200,
      "id": "127e5619-5c3c-4314-9d74-c11d07c9361e",
      "recommended": false,
      "subscription": {
        "all": "subscribed"
      },
      "subscriptiontype": "optout",
      "system": false,
      "systemdefault": false,
      "updated": 1641995200,
      "bypassdisplay": false,
      "bypassrule": false,
      "categories": [
        "system"
      ],
      "description": "detection model description",
      "discards": [
        "bits > 10000"
      ],
      "enabled": true,
      "factors": [
        "srcip"
      ],
      "name": "new_ndm_name",
      "rollupperiod": 300,
      "search_by": [
        {
          "search": [
            "bits > 10000"
          ],
          "type": "all"
        }
      ],
      "thresholds": [
        {
          "severity": "medium",
          "threshold": "average(bits) > 500"
        }
      ],
      "track_by": [
        [
          "srcip"
        ]
      ],
      "updateinterval": 0,
      "algo_record_type": "flow"
    }
  ]
}

Fetch Traffic Detection Model

get

Fetches a specific traffic detection model from the ID supplied in the path.

Authorizations

AuthorizationstringRequired

Bearer authentication header of the form Bearer <token>.

Path parameters

idstringRequired

The ID of the traffic detection model to be returned.

Responses

200

Requested Traffic Detection Model

application/json

400

Bad Request. Typically due to a malformatted JSON body, or parameter values are not validating.

application/json

401

Access token is missing or invalid

application/json

403

Access is forbidden

application/json

default

Unknown Error Occurred

application/json

get

/api/v1/rule-engine/algorithm/{id}

GET /api/v1/rule-engine/algorithm/{id} HTTP/1.1
Host: api.netography.com
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*

{
  "meta": {
    "code": 200,
    "count": 1
  },
  "data": [
    {
      "algo_type": "TDM",
      "beta": false,
      "created": 1640995200,
      "id": "127e5619-5c3c-4314-9d74-c11d07c9361e",
      "recommended": false,
      "subscription": {
        "all": "subscribed"
      },
      "subscriptiontype": "optout",
      "system": false,
      "systemdefault": false,
      "updated": 1641995200,
      "bypassdisplay": false,
      "bypassrule": false,
      "categories": [
        "system"
      ],
      "description": "detection model description",
      "discards": [
        "bits > 10000"
      ],
      "enabled": true,
      "factors": [
        "srcip"
      ],
      "name": "new_ndm_name",
      "rollupperiod": 300,
      "search_by": [
        {
          "search": [
            "bits > 10000"
          ],
          "type": "all"
        }
      ],
      "thresholds": [
        {
          "severity": "medium",
          "threshold": "average(bits) > 500"
        }
      ],
      "track_by": [
        [
          "srcip"
        ]
      ],
      "updateinterval": 0,
      "algo_record_type": "flow"
    }
  ]
}

Update Traffic Detection Model

put

Update a traffic detection model given the provided object. This does not do a diff. You must send the complete object.

Authorizations

AuthorizationstringRequired

Bearer authentication header of the form Bearer <token>.

Path parameters

idstringRequired

The ID of the traffic detection model to be updated

Body

Traffic Detection Model Create or Update Config

bypassdisplaybooleanOptional

If true, portal and API will not display new events

Example: false

bypassrulebooleanOptional

If true, alerts will not be processed by policies and integrations

Example: false

categoriesstring[]Required

Categories for the detection model

Example: ["system"]

descriptionstringRequired

Detection model description

Example: detection model description

discardsstring[]Optional

Discard lists are NQL statements that if matched do not get processed through the event. It enables skipping certain combinations without disabling the detection model

Example: ["bits > 10000"]

enabledbooleanOptional

If true, the detection model is enabled

Example: true

factorsstring[]Optional

Factors for the detection model

Example: ["srcip"]

namestringRequired

Name of the detection model

Example: new_ndm_name

rollupperiodintegerRequired

The lookback period for the detection model. Min 15 seconds. Max 1 hour (3600)

Example: 300

updateintervalintegerOptional

When ongoing updates should be sent. Max 6 hours (21600). 0 for disabled

Example: 0

algo_record_typestring · enumRequired

The context of record to be used for the detection model

Example: flowPossible values:

Responses

200

Requested Traffic Detection Model

application/json

400

Bad Request. Typically due to a malformatted JSON body, or parameter values are not validating.

application/json

401

Access token is missing or invalid

application/json

403

Access is forbidden

application/json

default

Unknown Error Occurred

application/json

put

/api/v1/rule-engine/algorithm/{id}

PUT /api/v1/rule-engine/algorithm/{id} HTTP/1.1
Host: api.netography.com
Authorization: Bearer YOUR_SECRET_TOKEN
Content-Type: application/json
Accept: */*
Content-Length: 408

{
  "bypassdisplay": false,
  "bypassrule": false,
  "categories": [
    "system"
  ],
  "description": "detection model description",
  "discards": [
    "bits > 10000"
  ],
  "enabled": true,
  "factors": [
    "srcip"
  ],
  "name": "new_ndm_name",
  "rollupperiod": 300,
  "search_by": [
    {
      "search": [
        "bits > 10000"
      ],
      "type": "all"
    }
  ],
  "thresholds": [
    {
      "severity": "medium",
      "threshold": "average(bits) > 500"
    }
  ],
  "track_by": [
    [
      "srcip"
    ]
  ],
  "updateinterval": 0,
  "algo_record_type": "flow"
}

{
  "meta": {
    "code": 200,
    "count": 1
  },
  "data": [
    {
      "algo_type": "TDM",
      "beta": false,
      "created": 1640995200,
      "id": "127e5619-5c3c-4314-9d74-c11d07c9361e",
      "recommended": false,
      "subscription": {
        "all": "subscribed"
      },
      "subscriptiontype": "optout",
      "system": false,
      "systemdefault": false,
      "updated": 1641995200,
      "bypassdisplay": false,
      "bypassrule": false,
      "categories": [
        "system"
      ],
      "description": "detection model description",
      "discards": [
        "bits > 10000"
      ],
      "enabled": true,
      "factors": [
        "srcip"
      ],
      "name": "new_ndm_name",
      "rollupperiod": 300,
      "search_by": [
        {
          "search": [
            "bits > 10000"
          ],
          "type": "all"
        }
      ],
      "thresholds": [
        {
          "severity": "medium",
          "threshold": "average(bits) > 500"
        }
      ],
      "track_by": [
        [
          "srcip"
        ]
      ],
      "updateinterval": 0,
      "algo_record_type": "flow"
    }
  ]
}

Delete Traffic Detection Model

delete

Deletes a traffic detection model

Authorizations

AuthorizationstringRequired

Bearer authentication header of the form Bearer <token>.

Path parameters

idstringRequired

The ID of the traffic detection model to be deleted

Responses

204

An empty array

400

Bad Request. Typically due to a malformatted JSON body, or parameter values are not validating.

application/json

401

Access token is missing or invalid

application/json

403

Access is forbidden

application/json

default

Unknown Error Occurred

application/json

delete

/api/v1/rule-engine/algorithm/{id}

DELETE /api/v1/rule-engine/algorithm/{id} HTTP/1.1
Host: api.netography.com
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*

No content

Enable Traffic Detection Model

put

Enables a traffic detection model

Authorizations

AuthorizationstringRequired

Bearer authentication header of the form Bearer <token>.

Path parameters

idstringRequired

The ID of the traffic detection model to be enabled

Responses

200

Requested Traffic Detection Model

application/json

400

Bad Request. Typically due to a malformatted JSON body, or parameter values are not validating.

application/json

401

Access token is missing or invalid

application/json

403

Access is forbidden

application/json

default

Unknown Error Occurred

application/json

put

/api/v1/rule-engine/algorithm/{id}/enable

PUT /api/v1/rule-engine/algorithm/{id}/enable HTTP/1.1
Host: api.netography.com
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*

{
  "meta": {
    "code": 200,
    "count": 1
  },
  "data": [
    {
      "algo_type": "TDM",
      "beta": false,
      "created": 1640995200,
      "id": "127e5619-5c3c-4314-9d74-c11d07c9361e",
      "recommended": false,
      "subscription": {
        "all": "subscribed"
      },
      "subscriptiontype": "optout",
      "system": false,
      "systemdefault": false,
      "updated": 1641995200,
      "bypassdisplay": false,
      "bypassrule": false,
      "categories": [
        "system"
      ],
      "description": "detection model description",
      "discards": [
        "bits > 10000"
      ],
      "enabled": true,
      "factors": [
        "srcip"
      ],
      "name": "new_ndm_name",
      "rollupperiod": 300,
      "search_by": [
        {
          "search": [
            "bits > 10000"
          ],
          "type": "all"
        }
      ],
      "thresholds": [
        {
          "severity": "medium",
          "threshold": "average(bits) > 500"
        }
      ],
      "track_by": [
        [
          "srcip"
        ]
      ],
      "updateinterval": 0,
      "algo_record_type": "flow"
    }
  ]
}

Disable Traffic Detection Model

put

Disables a traffic detection model

Authorizations

AuthorizationstringRequired

Bearer authentication header of the form Bearer <token>.

Path parameters

idstringRequired

The ID of the traffic detection model to be disabled

Responses

200

Requested Traffic Detection Model

application/json

400

Bad Request. Typically due to a malformatted JSON body, or parameter values are not validating.

application/json

401

Access token is missing or invalid

application/json

403

Access is forbidden

application/json

default

Unknown Error Occurred

application/json

put

/api/v1/rule-engine/algorithm/{id}/disable

PUT /api/v1/rule-engine/algorithm/{id}/disable HTTP/1.1
Host: api.netography.com
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*

{
  "meta": {
    "code": 200,
    "count": 1
  },
  "data": [
    {
      "algo_type": "TDM",
      "beta": false,
      "created": 1640995200,
      "id": "127e5619-5c3c-4314-9d74-c11d07c9361e",
      "recommended": false,
      "subscription": {
        "all": "subscribed"
      },
      "subscriptiontype": "optout",
      "system": false,
      "systemdefault": false,
      "updated": 1641995200,
      "bypassdisplay": false,
      "bypassrule": false,
      "categories": [
        "system"
      ],
      "description": "detection model description",
      "discards": [
        "bits > 10000"
      ],
      "enabled": true,
      "factors": [
        "srcip"
      ],
      "name": "new_ndm_name",
      "rollupperiod": 300,
      "search_by": [
        {
          "search": [
            "bits > 10000"
          ],
          "type": "all"
        }
      ],
      "thresholds": [
        {
          "severity": "medium",
          "threshold": "average(bits) > 500"
        }
      ],
      "track_by": [
        [
          "srcip"
        ]
      ],
      "updateinterval": 0,
      "algo_record_type": "flow"
    }
  ]
}

Reset Traffic Detection Model

put

Resets a customized system traffic detection model

Authorizations

AuthorizationstringRequired

Bearer authentication header of the form Bearer <token>.

Path parameters

idstringRequired

The ID of the traffic detection model to be reseted

Responses

200

Requested Traffic Detection Model

application/json

400

Bad Request. Typically due to a malformatted JSON body, or parameter values are not validating.

application/json

401

Access token is missing or invalid

application/json

403

Access is forbidden

application/json

default

Unknown Error Occurred

application/json

put

/api/v1/rule-engine/algorithm/{id}/reset

PUT /api/v1/rule-engine/algorithm/{id}/reset HTTP/1.1
Host: api.netography.com
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*

{
  "meta": {
    "code": 200,
    "count": 1
  },
  "data": [
    {
      "algo_type": "TDM",
      "beta": false,
      "created": 1640995200,
      "id": "127e5619-5c3c-4314-9d74-c11d07c9361e",
      "recommended": false,
      "subscription": {
        "all": "subscribed"
      },
      "subscriptiontype": "optout",
      "system": false,
      "systemdefault": false,
      "updated": 1641995200,
      "bypassdisplay": false,
      "bypassrule": false,
      "categories": [
        "system"
      ],
      "description": "detection model description",
      "discards": [
        "bits > 10000"
      ],
      "enabled": true,
      "factors": [
        "srcip"
      ],
      "name": "new_ndm_name",
      "rollupperiod": 300,
      "search_by": [
        {
          "search": [
            "bits > 10000"
          ],
          "type": "all"
        }
      ],
      "thresholds": [
        {
          "severity": "medium",
          "threshold": "average(bits) > 500"
        }
      ],
      "track_by": [
        [
          "srcip"
        ]
      ],
      "updateinterval": 0,
      "algo_record_type": "flow"
    }
  ]
}

PreviousDetect and Respond Detection Categories NextDetect and Respond Context Creation Models

Last updated 5 months ago