Threat intelligence

A POST request to /api/open/threat_intelligence allows you to create indicators.

Requirements and restrictions

  1. An authenticated user must be in an admin role group or belong to a Threat Intelligence group with the Allow configuration option switched to ON in the group settings.
  2. The JavaScript Object Notation (JSON) body is an array of content objects, so more than one (1) indicator can be inserted in a single request.
  3. The content type must be specified in the type parameter; the value must be one of packet_rules, yara_rules or stix_indicators.
  4. The content name must be specified in the name parameter.
  5. The content itself (the rule or indicator text) must be specified in the content parameter.
  6. If the request is accepted, the response contains the result with the identifier (ID) of the created content as its value.
  7. The request is rejected if the sensor is connected to a Central Management Console (CMC).
Figure 1. Example of request


A GET request to /api/open/threat_intelligence allows you to list indicators created by the user.

Requirements and restrictions

  1. An authenticated user must be in an admin role group or belong to a Threat Intelligence group.
  2. If the request is accepted, the response contains a JSON array of content objects, each with id, name and type.
Figure 2. Example of request


A DELETE request to /api/open/threat_intelligence allows you to remove indicators.

Requirements and restrictions

  1. An authenticated user must be in an admin role group or belong to a Threat Intelligence group with the Allow configuration option switched to ON in the group settings.
  2. The JSON body is an array of content objects, so more than one (1) indicator can be removed in a single request.
  3. The content type must be specified in the type parameter; the value must be one of packet_rules, yara_rules or stix_indicators.
  4. The content ID must be specified in the id parameter.
  5. If the request is accepted, the response contains the removed contents, each with id and type.
  6. The request is rejected if the sensor is connected to a CMC.
Figure 3. Example of request

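The three calls above (create, list, delete) as one added client-side example. This is not the vendor's code and is not taken from this page: it validates the batch against the documented constraints before anything is sent, treats any non-2xx answer as a rejection (the page documents that rejections happen, for example when the sensor is managed by a CMC, but not the status code), and leaves authentication to the caller because the page does not describe the auth scheme. The base URL, the placeholder Authorization header, the sample YARA rule and the canned response bodies in RecordingTransport are all constructed for the demo; the real response layout is only described in prose above, so the client returns the decoded JSON as-is.

```python
import json
from typing import Callable, Dict, List, Optional, Sequence, Tuple
from urllib import request as urlrequest
from urllib.error import HTTPError

ENDPOINT = "/api/open/threat_intelligence"
ALLOWED_TYPES = ("packet_rules", "yara_rules", "stix_indicators")

# A transport sends one request and returns (HTTP status, response body text).
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, str]]


def build_create_payload(items: Sequence[Dict[str, str]]) -> List[Dict[str, str]]:
    """Validate a batch for the POST body: every element needs type/name/content,
    with type restricted to ALLOWED_TYPES. Malformed batches never reach the sensor."""
    if not items:
        raise ValueError("at least one indicator is required")
    payload = []
    for idx, item in enumerate(items):
        missing = [k for k in ("type", "name", "content") if not item.get(k)]
        if missing:
            raise ValueError(f"indicator {idx}: missing {missing}")
        if item["type"] not in ALLOWED_TYPES:
            raise ValueError(f"indicator {idx}: type must be one of {ALLOWED_TYPES}")
        payload.append({k: item[k] for k in ("type", "name", "content")})
    return payload


def build_delete_payload(items: Sequence[Dict[str, str]]) -> List[Dict[str, str]]:
    """Validate a batch of {type, id} references for the DELETE body."""
    if not items:
        raise ValueError("at least one indicator id is required")
    payload = []
    for idx, item in enumerate(items):
        if item.get("type") not in ALLOWED_TYPES:
            raise ValueError(f"entry {idx}: type must be one of {ALLOWED_TYPES}")
        if item.get("id") in (None, ""):
            raise ValueError(f"entry {idx}: missing 'id'")
        payload.append({"type": item["type"], "id": item["id"]})
    return payload


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes]) -> Tuple[int, str]:
    """Default transport: a real call through the standard library."""
    req = urlrequest.Request(url, data=body, method=method, headers=headers)
    try:
        with urlrequest.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:  # 4xx/5xx answers still carry a body worth surfacing
        return err.code, err.read().decode("utf-8", "replace")


class ThreatIntelClient:
    """POST / GET / DELETE wrapper; auth headers are supplied by the caller (scheme assumed)."""

    def __init__(self, base_url: str, auth_headers: Dict[str, str],
                 transport: Transport = urllib_transport):
        self.base_url = base_url.rstrip("/")
        self.headers = {"Content-Type": "application/json",
                        "Accept": "application/json", **auth_headers}
        self.transport = transport

    def _call(self, method: str, body=None):
        data = json.dumps(body).encode("utf-8") if body is not None else None
        status, text = self.transport(method, self.base_url + ENDPOINT, self.headers, data)
        # Assumption: any non-2xx status is a rejection (missing group permission,
        # sensor attached to a CMC, ...); the page does not document the exact code.
        if not 200 <= status < 300:
            raise RuntimeError(f"{method} {ENDPOINT} rejected: HTTP {status} {text[:200]}")
        return json.loads(text) if text else None

    def create(self, items): return self._call("POST", build_create_payload(items))
    def list_indicators(self): return self._call("GET")
    def delete(self, items): return self._call("DELETE", build_delete_payload(items))


class RecordingTransport:
    """Constructed stand-in for a sensor: records each request, replays canned answers."""

    def __init__(self, responses: Dict[str, Tuple[int, str]]):
        self.responses = responses
        self.calls: List[Tuple[str, str, Optional[bytes]]] = []

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, body))
        return self.responses[method]


def rejection_reason(action: Callable[[], object]) -> Optional[str]:
    """Run an action and return its validation/rejection message, or None on success."""
    try:
        action()
        return None
    except (ValueError, RuntimeError) as err:
        return str(err)


# Constructed sample rule (not from the page) used by the demo and the tests.
SAMPLE_YARA = 'rule demo_marker { strings: $a = "DEMO-MARKER" condition: $a }'


def demo() -> Dict[str, object]:
    """Create, list and delete one indicator against the recording transport;
    returns the decoded responses and the (method, body) pairs that were sent."""
    fake = RecordingTransport({  # assumed response layouts, built from the prose above
        "POST": (200, json.dumps({"result": "1234"})),
        "GET": (200, json.dumps([{"id": "1234", "name": "demo_marker", "type": "yara_rules"}])),
        "DELETE": (200, json.dumps({"result": [{"id": "1234", "type": "yara_rules"}]})),
    })
    client = ThreatIntelClient("https://sensor.example",
                               {"Authorization": "<placeholder>"}, fake)
    created = client.create([{"type": "yara_rules", "name": "demo_marker", "content": SAMPLE_YARA}])
    listed = client.list_indicators()
    deleted = client.delete([{"type": t["type"], "id": t["id"]} for t in listed])
    sent = [(m, json.loads(b) if b else None) for m, _, b in fake.calls]
    return {"created": created, "listed": listed, "deleted": deleted, "sent": sent}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Swap RecordingTransport for the default urllib_transport (and real credentials) to talk to a sensor; the validation in build_create_payload and build_delete_payload is the part worth keeping, since it catches a wrong type value or a missing content field before the batch is sent and rejected as a whole.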