Machine learning predicts future behavior based on previous behavior. As a result, machine learning can identify behavior that falls outside of predicted behavior. Distributed Cloud AIP with ThreatML predicts the future behavior of your infrastructure through two different data models, which collect 30 days of specific information from your infrastructure to create a baseline of normal, predictable behavior. After ThreatML establishes a baseline, it compares your environment's baseline to your current environment and reports any behavior that deviates from the models' predictions as anomalous.
This method enables you to list and filter anomalies for your organization. If you do not add parameters to your query, then Distributed Cloud AIP returns all anomalies.
By default, anomalies are ordered by time in descending order so you see the most recent anomalies first. If there are more than 20 results in the query, then the API automatically paginates the results. You access the additional pages through a token number that Distributed Cloud AIP provides.
List all anomalies:
https://api.threatstack.com/v2/anomalies/process
List all anomalies associated with events that matched at least one rule:
https://api.threatstack.com/v2/anomalies/process/?hasRuleMatch=true
The 400 error code means that the request was unable to be fulfilled due to invalid data in the request body. Sample Error messages:
OK
Bad parameters
Unauthorized response
The resource was not found
Rate limit hit
An internal error has occurred
{
  "anomaly": [
    { }
  ],
  "id": "string",
  "date": "string",
  "exe": "string",
  "orgScore": 1,
  "trainingDays": 0,
  "maxUserScore": 1,
  "numEvents": 0,
  "numCovered": 0,
  "numAgents": 0,
  "firstSeen": "string",
  "lastSeen": "string",
  "timesRuleMatched": 0,
  "completeTrainingDays": 0
}
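As an added example (not Distributed Cloud AIP's own client code) of working with this endpoint: it builds the list URL with the documented hasRuleMatch filter, follows page tokens until the API stops returning one, and ranks the collected anomalies for review using the orgScore and timesRuleMatched fields shown above. It assumes the page token is passed as a "token" query parameter and returned in a "token" response field (the page does not name the parameter), and it takes the HTTP transport, including authentication, as an injected fetch callable so it runs offline against constructed sample pages.

```python
# Added example (not Distributed Cloud AIP client code). Assumed: pagination uses a
# "token" query parameter echoed back in a "token" response field; transport and
# authentication are injected via fetch(url) -> parsed JSON body.
from urllib.parse import urlencode

BASE_URL = "https://api.threatstack.com/v2/anomalies/process"

def build_url(has_rule_match=None, token=None):
    """Compose a list URL from the documented hasRuleMatch filter and a page token."""
    params = {}
    if has_rule_match is not None:
        params["hasRuleMatch"] = "true" if has_rule_match else "false"
    if token:
        params["token"] = token  # assumed name of the pagination parameter
    return BASE_URL + ("?" + urlencode(params) if params else "")

def iter_anomalies(fetch, has_rule_match=None, max_pages=100):
    """Yield anomaly records across all pages, following the returned token."""
    token = None
    for _ in range(max_pages):  # hard stop so a misbehaving API cannot loop forever
        body = fetch(build_url(has_rule_match, token))
        for record in body.get("anomaly", []):
            yield record
        token = body.get("token")
        if not token:
            return

def triage(records, min_org_score=0.5):
    """Rank for review: rule-matched anomalies first, then by orgScore; drop low scores."""
    kept = [r for r in records if r.get("orgScore", 0) >= min_org_score]
    return sorted(kept, key=lambda r: (r.get("timesRuleMatched", 0) == 0, -r.get("orgScore", 0)))

# Constructed sample responses standing in for two pages from the API.
SAMPLE_PAGES = {
    build_url(): {"anomaly": [
        {"id": "a-1", "exe": "/usr/bin/curl", "orgScore": 0.9, "timesRuleMatched": 2, "numAgents": 1},
        {"id": "a-2", "exe": "/usr/bin/ls", "orgScore": 0.2, "timesRuleMatched": 0, "numAgents": 40}],
        "token": "page2"},
    build_url(token="page2"): {"anomaly": [
        {"id": "a-3", "exe": "/opt/app/bin/worker", "orgScore": 0.95, "timesRuleMatched": 0, "numAgents": 1}]},
}

def fake_fetch(url):
    return SAMPLE_PAGES[url]

if __name__ == "__main__":
    for r in triage(iter_anomalies(fake_fetch)):
        print(r["id"], r["exe"], r["orgScore"], r["timesRuleMatched"])
```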
This method enables you to get details and additional context for a specific anomaly. Additional context includes:
Get details and full context for an anomaly by ID:
https://api.threatstack.com/v2/anomalies/process/f0a3a677-b265-4654-af31-1effd5cba063
Get the anomaly details without additional context:
https://api.threatstack.com/v2/anomalies/process/f0a3a677-b265-4654-af31-1effd5cba063?verbose=false
The 400 error code means that the request was unable to be fulfilled due to invalid data in the request body.
Sample Error Messages:
400: The anomalyId parameter should be a valid UUID.
404: The anomalyId which has been passed in was not found in the database.
OK
Bad parameters
Unauthorized response
The resource was not found
Rate limit hit
An internal error has occurred
{
  "anomaly": [
    { }
  ],
  "id": "string",
  "date": "string",
  "exe": "string",
  "orgScore": 1,
  "trainingDays": 0,
  "maxUserScore": 1,
  "numEvents": 0,
  "numCovered": 0,
  "numAgents": 0,
  "firstSeen": "string",
  "lastSeen": "string",
  "timesRuleMatched": 0,
  "completeTrainingDays": 0
}
This method enables you to view the Notification Configuration in your organization.
View the Notification Configuration in your organization:
https://api.threatstack.com/v2/integrations/notification
OK
Bad parameters
Unauthorized response
The resource was not found
Rate limit hit
An internal error has occurred
{
  "uniqueID": "a1dd802f-555b-4616-ba06-8f3aebecd52a",
  "domain": "threatML",
  "name": "string",
  "url": "string",
  "enrolledAt": "2019-08-24T14:15:22Z",
  "enabled": true,
  "updatedAt": "2019-08-24T14:15:22Z",
  "description": "string"
}
This method enables you to update an existing Notification Configuration for threatML in your organization.
Update an existing Notification Configuration in your organization:
https://api.threatstack.com/v2/integrations/notification
400:
404: Could not find Notification Configuration that matched the uniqueID parameter value.
OK
Bad parameters
Unauthorized response
The resource was not found
Rate limit hit
An internal error has occurred
{
  "uniqueID": "a1dd802f-555b-4616-ba06-8f3aebecd52a",
  "name": "string",
  "url": "string",
  "enabled": true,
  "description": "string"
}
{
  "uniqueID": "a1dd802f-555b-4616-ba06-8f3aebecd52a",
  "domain": "threatML",
  "name": "string",
  "url": "string",
  "enrolledAt": "2019-08-24T14:15:22Z",
  "enabled": true,
  "updatedAt": "2019-08-24T14:15:22Z",
  "description": "string"
}
This method enables you to add a new Notification Configuration for ThreatML to your organization. Distributed Cloud AIP supports a single ThreatML Notification Configuration per organization.
Add a new Notification Configuration to your organization:
https://api.threatstack.com/v2/integrations/notification
400: The url parameter should contain a valid domain value. The only supported value is "threatML".
OK
Bad parameters
Unauthorized response
Resource already exists
Rate limit hit
An internal error has occurred
{
  "domain": "threatML",
  "name": "string",
  "url": "string",
  "enabled": true,
  "description": "string"
}
{
  "uniqueID": "a1dd802f-555b-4616-ba06-8f3aebecd52a",
  "domain": "threatML",
  "name": "string",
  "url": "string",
  "enrolledAt": "2019-08-24T14:15:22Z",
  "enabled": true,
  "updatedAt": "2019-08-24T14:15:22Z",
  "description": "string"
}
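As an added example (not Distributed Cloud AIP's own code) covering the view, add and update methods above: because an organization may hold only one ThreatML Notification Configuration, the helper first reads the current configuration, then updates it by uniqueID if one exists or adds a new one otherwise, validating the body client-side against the documented 400 conditions (domain must be "threatML", uniqueID must be a UUID) before sending. It assumes view/add/update map to GET/POST/PUT (the page does not name the HTTP methods) and takes an injected send(method, url, body) transport returning (status, parsed JSON), so it runs offline against a constructed in-memory stand-in.

```python
# Added example; HTTP methods and the (status, json) transport signature are assumptions.
import uuid
from urllib.parse import urlparse

ENDPOINT = "https://api.threatstack.com/v2/integrations/notification"

def validate_config(cfg, creating):
    """Check the documented 400 conditions before sending: domain (on create) and a usable url."""
    if creating and cfg.get("domain") != "threatML":
        raise ValueError('domain must be "threatML"')
    parts = urlparse(cfg.get("url", ""))
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("url must be an absolute https URL")  # detections travel over this webhook
    if not creating:
        uuid.UUID(cfg["uniqueID"])  # raises ValueError for a malformed id
    return cfg

def upsert_notification(send, name, url, description="", enabled=True):
    """Create the organization's single config, or update it if one exists; return the stored copy."""
    status, current = send("GET", ENDPOINT, None)
    fields = {"name": name, "url": url, "enabled": enabled, "description": description}
    if status == 200 and current.get("uniqueID"):
        body = validate_config({"uniqueID": current["uniqueID"], **fields}, creating=False)
        status, result = send("PUT", ENDPOINT, body)   # assumed method for "update"
    else:
        body = validate_config({"domain": "threatML", **fields}, creating=True)
        status, result = send("POST", ENDPOINT, body)  # assumed method for "add"
    if status != 200:
        raise RuntimeError("notification request failed: %s %s" % (status, result))
    return result

# Constructed in-memory stand-in for the API, enforcing one configuration per organization.
class FakeApi:
    def __init__(self):
        self.config = None

    def send(self, method, url, body):
        if method == "GET":
            return (200, self.config) if self.config else (404, {"error": "not found"})
        if method == "POST":
            if self.config:
                return 409, {"error": "Resource already exists"}
            self.config = {**body, "uniqueID": str(uuid.uuid4())}
            return 200, self.config
        if method == "PUT":
            if not self.config or body["uniqueID"] != self.config["uniqueID"]:
                return 404, {"error": "Could not find Notification Configuration"}
            self.config = {**self.config, **body}
            return 200, self.config
        return 400, {"error": "Bad parameters"}
```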
This method enables you to delete an existing Notification Configuration for threatML in your organization.
Delete an existing Notification Configuration in your organization:
https://api.threatstack.com/v2/integrations/notification
400: The uniqueID parameter should be a valid UUID. 404: Could not find Notification Configuration that matched the uniqueID parameter value.
OK
Bad parameters
Unauthorized response
The resource was not found
Rate limit hit
An internal error has occurred
{
  "uniqueID": "a1dd802f-555b-4616-ba06-8f3aebecd52a"
}
{
  "Notification message": "string"
}