This method enables you to list and filter anomalies for your organization. If you do not add parameters to your query, Threat Stack returns all anomalies.
By default, anomalies are ordered by time in descending order, so you see the most recent anomalies first. If a query returns more than 20 results, the API automatically paginates them. You access the additional pages through a token that Threat Stack provides.
List all anomalies:
https://api.threatstack.com/v2/anomalies/process
List all anomalies associated with events that matched at least one rule:
https://api.threatstack.com/v2/anomalies/process/?hasRuleMatch=true
The 400 error code means that the request could not be fulfilled due to invalid data in the request. Sample error messages:
Query parameters:
{
  "hasRuleMatch": true,
  "user": "string",
  "hostname": "string",
  "agentId": "string",
  "maxUserScore.gt": 1,
  "orgScore.gt": 1,
  "token": "string"
}
Response:
{
  "anomaly": [
    { }
  ],
  "id": "string",
  "date": "string",
  "exe": "string",
  "orgScore": 1,
  "trainingDays": 0,
  "maxUserScore": 1,
  "numEvents": 0,
  "numCovered": 0,
  "numAgents": 0,
  "firstSeen": "string",
  "lastSeen": "string",
  "timesRuleMatched": 0,
  "completeTrainingDays": 0
}
This method enables you to get details and additional context for a specific anomaly. Additional context includes:
NOTES
Get details and full context for an anomaly by Id:
https://api.threatstack.com/v2/anomalies/process/f0a3a677-b265-4654-af31-1effd5cba063
Get the anomaly details without additional context:
https://api.threatstack.com/v2/anomalies/process/f0a3a677-b265-4654-af31-1effd5cba063?verbose=false
The 400 error code means that the request could not be fulfilled due to invalid data in the request.
Sample error messages:
The anomalyId parameter should be a valid UUID.
The anomalyId which has been passed in was not found in the database.
Query parameters:
{
  "verbose": true
}
Response:
{
  "anomaly": [
    { }
  ],
  "id": "string",
  "date": "string",
  "exe": "string",
  "orgScore": 1,
  "trainingDays": 0,
  "maxUserScore": 1,
  "numEvents": 0,
  "numCovered": 0,
  "numAgents": 0,
  "firstSeen": "string",
  "lastSeen": "string",
  "timesRuleMatched": 0,
  "completeTrainingDays": 0
}
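The two anomaly endpoints above are simplest to drive from a small client that follows the pagination token and validates the anomalyId before asking for details. The following is an added example, not Threat Stack's own client code; it stands in a constructed offline fetch function for the authenticated HTTP GET, and it assumes (the page does not name them) that a list response carries its items under "anomaly" and its next-page cursor under "token".

```python
import uuid
from urllib.parse import urlencode

BASE = "https://api.threatstack.com/v2/anomalies/process"

def build_list_url(filters, token=None):
    # Render the documented filters as query parameters. Booleans become
    # "true"/"false" (hasRuleMatch=true); the previous page's token is sent
    # back as the "token" parameter to fetch the next page.
    params = {k: (str(v).lower() if isinstance(v, bool) else v)
              for k, v in filters.items() if v is not None}
    if token:
        params["token"] = token
    return f"{BASE}?{urlencode(params)}" if params else BASE

def list_all_anomalies(fetch, filters):
    # Keep requesting pages until the API stops returning a token.
    # ASSUMPTION: items live under "anomaly", the cursor under "token".
    results, token = [], None
    while True:
        page = fetch(build_list_url(filters, token))
        results.extend(page.get("anomaly", []))
        token = page.get("token")
        if not token:
            return results

def get_anomaly(fetch, anomaly_id, verbose=True):
    # Reject a malformed id locally: the API answers 400 when anomalyId
    # is not a valid UUID, so there is no point sending the request.
    try:
        uuid.UUID(anomaly_id)
    except ValueError:
        raise ValueError("anomalyId parameter should be a valid UUID.") from None
    return fetch(f"{BASE}/{anomaly_id}" + ("" if verbose else "?verbose=false"))

# Constructed offline stand-in for an authenticated GET: two pages of
# rule-matched anomalies plus one detail record. Not real Threat Stack data.
DETAIL_ID = "f0a3a677-b265-4654-af31-1effd5cba063"
FAKE_API = {
    f"{BASE}?hasRuleMatch=true": {"anomaly": [{"id": "a1"}, {"id": "a2"}], "token": "p2"},
    f"{BASE}?hasRuleMatch=true&token=p2": {"anomaly": [{"id": "a3"}]},
    f"{BASE}/{DETAIL_ID}": {"id": DETAIL_ID, "exe": "/usr/bin/curl", "timesRuleMatched": 2},
}

def fake_fetch(url):
    return FAKE_API[url]  # a real client issues the GET with its API credentials

if __name__ == "__main__":
    print([a["id"] for a in list_all_anomalies(fake_fetch, {"hasRuleMatch": True})])
    print(get_anomaly(fake_fetch, DETAIL_ID)["exe"])
```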
This method enables you to view the Notification Configuration in your organization.
View the Notification Configuration in your organization:
https://api.threatstack.com/v2/integrations/notification
Response:
{
  "uniqueID": "a1dd802f-555b-4616-ba06-8f3aebecd52a",
  "domain": "threatML",
  "name": "string",
  "url": "string",
  "enrolledAt": "2019-08-24T14:15:22Z",
  "enabled": true,
  "updatedAt": "2019-08-24T14:15:22Z",
  "description": "string"
}
This method enables you to update an existing Notification Configuration for threatML in your organization.
Update an existing Notification Configuration in your organization:
https://api.threatstack.com/v2/integrations/notification
400:
404: Could not find Notification Configuration that matched the uniqueID parameter value.
Request body:
{
  "uniqueID": "a1dd802f-555b-4616-ba06-8f3aebecd52a",
  "name": "string",
  "url": "string",
  "enabled": true,
  "description": "string"
}
Response:
{
  "uniqueID": "a1dd802f-555b-4616-ba06-8f3aebecd52a",
  "domain": "threatML",
  "name": "string",
  "url": "string",
  "enrolledAt": "2019-08-24T14:15:22Z",
  "enabled": true,
  "updatedAt": "2019-08-24T14:15:22Z",
  "description": "string"
}
This method enables you to add a new Notification Configuration for ThreatML to your organization. Threat Stack supports a single ThreatML Notification Configuration per organization.
Add a new Notification Configuration to your organization:
https://api.threatstack.com/v2/integrations/notification
400: The url parameter should contain a valid domain value. The only supported value is "threatML".
Request body:
{
  "domain": "threatML",
  "name": "string",
  "url": "string",
  "enabled": true,
  "description": "string"
}
Response:
{
  "uniqueID": "a1dd802f-555b-4616-ba06-8f3aebecd52a",
  "domain": "threatML",
  "name": "string",
  "url": "string",
  "enrolledAt": "2019-08-24T14:15:22Z",
  "enabled": true,
  "updatedAt": "2019-08-24T14:15:22Z",
  "description": "string"
}
This method enables you to delete an existing Notification Configuration for threatML in your organization.
Delete an existing Notification Configuration in your organization:
https://api.threatstack.com/v2/integrations/notification
400: The uniqueID parameter should be a valid UUID.
404: Could not find Notification Configuration that matched the uniqueID parameter value.
Request body:
{
  "uniqueID": "a1dd802f-555b-4616-ba06-8f3aebecd52a"
}
Response:
{
  "Notification message": "string"
}