The ProtectWise API provides access to your ProtectWise accounts and data.
The request URL will always begin with https://api.protectwise.com/api/v1.
All API requests, except as noted, require an authentication header. To authenticate, add a header
X-Access-Token: youraccess@@tokenrandomstring
If this is your first time using the ProtectWise API, there is a Getting Started guide available that describes the basic process to access the API and get threat data.
Generate an access token associated with your account login that you can use for future API requests.
This endpoint does not require an X-Access-Token header for authentication.
To create or replace your access token, provide a JSON hash of your email address and password.
Example:
curl -H "Content-Type: application/json" -d '{"email":"john.doe@protectwise.com","password":"@ProtectWise1"}' https://api.protectwise.com/api/v1/token
Content-Type: application/json
{
"email": "john.doe@protectwise.com",
"password": "@ProtectWise1"
}
201
Content-Type: application/json
{
"token": "yourtoken@@randomtokenstring"
}
Sensor-set related resources
Collection of all available sensor-sets
Example:
curl -H "X-Access-Token: youraccess@@tokenrandomstring" https://api.protectwise.com/api/v1/sensor-sets
200
[
{
"id": "42",
"name": "Display name",
"customer_id": "1",
"default_set": false
}
]
Example:
curl -H "X-Access-Token: youraccess@@tokenrandomstring" https://api.protectwise.com/api/v1/sensor-sets/775
string (required). Example: 775. The id of the sensor set.
200
Content-Type: application/json
{
"id": 775,
"name": "Display name",
"customer_id": "1",
"default_set": false
}
Sensor related resources
Collection of all available sensors
Example:
curl -H "X-Access-Token: youraccess@@tokenrandomstring" https://api.protectwise.com/api/v1/sensors
200
[
{
"id": 513,
"uuid": "69e82447-d3b2-4e7f-a9ec-20e531a03f84",
"customer_id": 1,
"agent_set_id": 775,
"friendly_name": "sensor name",
"enabled": true,
"updated_at": "2014-02-22T09:30:08.371Z",
"last_seen": "2014-02-22T09:30:08.371Z",
"is_active": true,
"downloaded": false
}
]
Example:
curl -H "X-Access-Token: youraccess@@tokenrandomstring" https://api.protectwise.com/api/v1/sensors/513
string (required). Example: 513. The id of the individual sensor.
200
Content-Type: application/json
{
"id": 513,
"uuid": "69e82447-d3b2-4e7f-a9ec-20e531a03f84",
"customer_id": 1,
"agent_set_id": 775,
"friendly_name": "bens computer1377-active",
"enabled": true,
"updated_at": "2014-02-22T09:30:08.371Z",
"last_seen": "2014-02-22T09:30:08.371Z",
"is_active": true,
"downloaded": false
}
Generate an install token for a sensor
string (required). Example: 301. The ID or UUID of the sensor.
200
{
"installToken": "production:zawi55ien1n8i7c3dmxndfaoksuzq6p4zscte10deoaq2pt15d3bw9ar9"
}
Query for counts of past events.
See Counter Details for a detailed explanation of the query parameters.
Sum all sensors and counter types into a single value
number (required). Example: 513. The sensor id. May supply a comma separated list.
string (required). Example: eventsLow. The type of counter. May supply a comma separated list (see Details).
number (required). Example: 1408069629555. The start observed time.
number (required). Example: 1408069659555. The end observed time.
string (required). Example: 3HOURS. The interval multiple and unit (see Details).
Content-Type: application/json
X-Access-Token: youraccess@@tokenrandomstring
200
Content-Type: application/json
[
{
"timestamp": 1408069659555,
"value": 43
}
]
To include counters for specified counter types as a separate property, provide stackBy=type in the query string.
number (required). Example: 1314,1315,1316. A comma-delimited list of sensor ids.
string (required). Example: eventsLow,eventsMedium,eventsHigh. A comma-delimited list of counter types to stack.
number (required). Example: 1408069629555. The start observed time.
number (required). Example: 1408069659555. The end observed time.
string (required). Example: 3HOURS. The interval multiple and unit (see Details).
Content-Type: application/json
X-Access-Token: youraccess@@tokenrandomstring
200
Content-Type: application/json
[
{
"timestamp": 1408069659555,
"eventsLow": 30,
"eventsMedium": 10,
"eventsHigh": 3,
"value": 43
}
]
To include counters for specified sensors as a separate property, provide stackBy=sensor in the query string.
number (required). Example: 1314,1315,1316. A comma separated list of sensor ids.
string (required). Example: eventsLow,eventsMedium,eventsHigh. A comma separated list of counter types to stack.
number (required). Example: 1408069629555. The start observed time.
number (required). Example: 1408069659555. The end observed time.
string (required). Example: 3HOURS. The interval multiple and unit (see Details).
Content-Type: application/json
X-Access-Token: youraccess@@tokenrandomstring
200
Content-Type: application/json
[
{
"1314": 20,
"1315": 15,
"1316": 8,
"timestamp": 1408069659555,
"value": 43
}
]
Example:
curl -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/summaries/counters"
number (required). Example: 513. The sensor id. May supply a comma separated list.
string (required). Example: eventsLow. The type of counter. May supply a comma separated list (see Details).
number (required). Example: 1408069629555. The start (inclusive) of the observed time range to find.
number (required). Example: 1408069659555. The end (exclusive) of the observed time range to find.
string (required). Example: 3HOURS. The interval multiple and unit (see Details).
Content-Type: application/json
X-Access-Token: youraccess@@tokenrandomstring
200
[
{
"timestamp": 1408069659555,
"value": 43
}
]
Get a top-hosts summary.
Example:
curl -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/summaries/top-hosts?sensorId=1&type=observation.external,protocol&start=1477447688583&end=1477534088583"
number (required). Example: 513. The sensor id. May supply a comma separated list.
string (required). Example: protocol,observation.external. The type(s) of counter. One or more of observation.internal, observation.external, event.internal, event.external, protocol, protocol_family, bandwidth, internal.severity, external.severity.
number (required). Example: 1408069629555. The start observed time.
number (required). Example: 1408069659555. The end observed time.
Content-Type: application/json
X-Access-Token: youraccess@@tokenrandomstring
200
[
{
"type": "observation.external",
"hosts": [
{
"ip": "8.8.8.8",
"count": 25749
},
{
"ip": "1.0.63.78",
"count": 2743
}
]
},
{
"type": "protocol",
"hosts": [
{
"ip": "0.0.0.2",
"count": 505566729
},
{
"ip": "0.0.0.0",
"count": 214629048
}
]
}
]
Get a unique-hosts summary.
Example:
curl -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/summaries/top-hosts?sensorId=1&type=observation.external,protocol&start=1477447688583&end=1477534088583"
number (required). Example: 513. The sensor id. May supply a comma separated list.
string (required). Example: all. The type(s) of counter. One or more of all, external, internal, threat.high.
number (required). Example: 1408069629555. The start observed time.
number (required). Example: 1408069659555. The end observed time.
Content-Type: application/json
X-Access-Token: youraccess@@tokenrandomstring
200
[
{
"type": "all",
"count": 22508
}
]
Events are resources that describe a threat and contain a collection of observations.
Get a collection of events by start time and optional filters.
Example:
curl -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/events?start=1407962796988&end=1407963396988&ip=205.32.56.14&maxLimit=30"
number (required). Example: 1401451200000. Unix timestamp with milliseconds for the start time of the search (inclusive).
number (required). Example: 1401451500000. Unix timestamp with milliseconds for the end time of the search (exclusive).
string (optional). Example: KillChainEscalation. Filter by one or more event types (see Details).
string (optional). Example: Delivery. Filter by kill chain stage (see Details).
string (optional). Example: High. Filter by Low, Medium, or High threats (see Details).
string (optional). Example: Malicious_Webpage. Filter by threat category (see Details).
string (optional). Example: Retrospective. Filter by Realtime or Retrospective (see Details).
string (optional). Example: 162.202.10.4. Filter by events that are affected by a specific IP address.
boolean (optional). Example: false. Include observation records.
number (optional). Example: 30. Try to return at least this many results per page.
number (optional). Example: 100. Do not return more than this many results.
boolean (optional). Example: true. Return results sorted by descending timestamp (default = true).
string (optional). Example: ce08d2e5d8e95d9d207762f6874fd2767068137daa2f6f0b7068137daa2f6f0b7068137daa2f6f0b7068137daa2f6f0b7068137daa2f6f0b7068137daa2f6f0bd37bfcf88246fba2. An identifier to fetch the next page in the result set.
200
Content-Type: application/json
{
"events": [
{
"cid": 1,
"agentId": 1770,
"id": "dccf25a8b3923e1c233220fe4ec57aa1",
"type": "KillChainEscalation",
"message": "Remote Buffer Overflow Exploit",
"observations": [],
"netflows": [],
"confidence": 80,
"threatScore": 50,
"threatLevel": "Medium",
"killChainStage": "CnC",
"category": "Malware",
"threatSubCategory": "MalwareURL",
"observedStage": "Retrospective",
"startedAt": 1408400860770,
"endedAt": 1408400971436,
"observedAt": 1412630707730,
"isUpdate": false,
"observationCount": 4,
"netflowCount": 4
}
],
"nextPage": "ce08d2e5d8e95d9d207762f6874fd2767068137daa2f6f0b7068137daa2f6f0b7068137daa2f6f0b7068137daa2f6f0b7068137daa2f6f0b7068137daa2f6f0bd37bfcf88246fba2"
}
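The flow documented above (obtain a token from /token with no X-Access-Token header, send X-Access-Token on every later request, and follow nextPage until the response no longer carries one) as an added Python example; it is not code from the ProtectWise documentation. The network is behind an injectable transport so the example runs offline: fake_transport, its two constructed pages, FAKE_TOKEN and the second event id are made up (the first event id is the one in the sample response), the environment variable names PW_EMAIL and PW_PASSWORD are assumed, and "nextPage" as the query-parameter name for the page identifier is an assumption, since the page documents the response key but not the parameter name. start, end, maxLimit and ip are the names used in the curl example.

```python
import json
import os
from typing import Any, Callable, Dict, Iterator, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

BASE_URL = "https://api.protectwise.com/api/v1"

# A transport is anything that performs one HTTP call: (method, url, headers, body) -> (status, parsed JSON).
Transport = Callable[[str, str, Dict[str, str], Optional[str]], Tuple[int, Any]]


class ProtectWiseClient:
    def __init__(self, transport: Transport, token: Optional[str] = None) -> None:
        self._transport = transport
        self.token = token

    def login(self, email: str, password: str) -> str:
        # POST /token is the one call made without X-Access-Token; the credentials travel in the JSON body.
        status, body = self._transport(
            "POST", f"{BASE_URL}/token",
            {"Content-Type": "application/json"},
            json.dumps({"email": email, "password": password}),
        )
        if status != 201:
            raise RuntimeError(f"token request failed with HTTP {status}")
        self.token = body["token"]
        return self.token

    def headers(self) -> Dict[str, str]:
        if not self.token:
            raise RuntimeError("no access token; call login() first")
        return {"X-Access-Token": self.token}

    def get(self, path: str, params: Dict[str, Any]) -> Any:
        # Unset optional filters are omitted; booleans are sent as the lowercase true/false the docs show.
        query = {k: (str(v).lower() if isinstance(v, bool) else v) for k, v in params.items() if v is not None}
        status, body = self._transport("GET", f"{BASE_URL}{path}?{urlencode(query)}", self.headers(), None)
        if status != 200:
            raise RuntimeError(f"GET {path} failed with HTTP {status}")
        return body

    def iter_events(self, start: int, end: int, max_limit: int = 100, **filters: Any) -> Iterator[dict]:
        # Walk the result set page by page. "nextPage" as the query-parameter name is an assumption.
        next_page: Optional[str] = None
        while True:
            page = self.get("/events", {"start": start, "end": end, "maxLimit": max_limit,
                                        "nextPage": next_page, **filters})
            yield from page.get("events", [])
            next_page = page.get("nextPage")
            if not next_page:
                return


def urllib_transport(method: str, url: str, headers: Dict[str, str], body: Optional[str]) -> Tuple[int, Any]:
    # Real transport for production use; the offline demo below never calls it.
    import urllib.request
    req = urllib.request.Request(url, data=body.encode() if body else None, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        return resp.status, json.loads(resp.read() or b"null")


# Constructed fake transport: one token, two pages of events, no network. Token and page ids are made up.
FAKE_TOKEN = "constructed-token"
_FAKE_PAGES: Dict[Optional[str], Dict[str, Any]] = {
    None: {"events": [{"id": "dccf25a8b3923e1c233220fe4ec57aa1", "threatLevel": "Medium"}],
           "nextPage": "constructed-page-2"},
    "constructed-page-2": {"events": [{"id": "constructed0000000000000000000002", "threatLevel": "High"}]},
}


def fake_transport(method: str, url: str, headers: Dict[str, str], body: Optional[str]) -> Tuple[int, Any]:
    if method == "POST" and url == f"{BASE_URL}/token":
        creds = json.loads(body or "{}")
        return (201, {"token": FAKE_TOKEN}) if creds.get("email") and creds.get("password") else (401, {})
    if headers.get("X-Access-Token") != FAKE_TOKEN:
        return 401, {}
    page_id = parse_qs(urlparse(url).query).get("nextPage", [None])[0]
    return 200, _FAKE_PAGES[page_id]


def high_event_ids(client: ProtectWiseClient, start: int, end: int) -> List[str]:
    """Ids of every High-level event in the window, across all pages."""
    return [e["id"] for e in client.iter_events(start, end) if e.get("threatLevel") == "High"]


def demo() -> List[str]:
    client = ProtectWiseClient(fake_transport)
    # Credentials come from the environment, never from source; the defaults only satisfy the fake transport.
    client.login(os.environ.get("PW_EMAIL", "john.doe@protectwise.com"),
                 os.environ.get("PW_PASSWORD", "constructed"))
    return high_event_ids(client, 1407962796988, 1407963396988)
```

Swap fake_transport for urllib_transport to talk to the real API; the client logic is unchanged, and the token obtained by login() is the only credential that needs to live in memory after that call.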
Lookup a single event and its associated observations
Example:
curl -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/events/dccf25a8b3923e1c233220fe4ec57aa1"
string (required). Example: dccf25a8b3923e1c233220fe4ec57aa1. The event id.
Content-Type: application/json
X-Access-Token: youraccess@@tokenrandomstring
200
Content-Type: application/json
{
"cid": 1,
"agentId": 1770,
"id": "dccf25a8b3923e1c233220fe4ec57aa1",
"type": "KillChainEscalation",
"message": "`Data Loss via Poison Ivy`",
"observations": [ { /* observation data */ } ],
"netflows": [ { /* netflow data */ } ],
"confidence": 80,
"threatScore": 50,
"threatLevel": "Medium",
"killChainStage": "CnC",
"category": "Malware",
"threatSubCategory": "None",
"observedStage": "Retrospective",
"startedAt": 1408400860770,
"endedAt": 1408400971436,
"observedAt": 1412630707730,
"isUpdate": false,
"observationCount": 4,
"netflowCount": 4
}
Add a tag, or remove one from an event
{
"add": [
"tag_1",
5
],
"remove": [
121,
"tag_2"
]
}
200
{
"success": true
}
Observation related resources
Collection of all available observations
Example:
curl -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/observations?sensorId=1743,1744&start=1407962796988&end=1407963396988&hasKillChain=true"
See Details for the data property to see the structure of the data property in the response.
string (required). Example: 513. The sensor id or a comma-separated list of sensor ids.
number (required). Example: 1407962796988. Unix timestamp with milliseconds for the start time of the search (inclusive).
number (required). Example: 1407963396988. Unix timestamp with milliseconds for the end time of the search (exclusive).
boolean (optional). Example: true. Search for observations in every kill chain stage.
string (optional). Example: DELIVERY,EXPLOIT. A comma separated list of kill chain stages (see Details).
string (optional). Example: 10.0.0.1. Filter observations by IP address in the src/dst fields.
string (optional). Example: ids. Filter by observation type (see Details).
string (optional). Example: HIGH. Filter by the category's threat level (see Details).
string (optional). Example: MaliciousWebpage. Filter by threat category (see Details).
number (optional). Example: 69020504. Filter by threat signature (find observations of the same type of threat).
boolean (optional). Example: true. Include expanded netflow information in the response.
number (optional). Example: 30. Try to return at least this many results per page.
number (optional). Example: 100. Do not return more than this many results.
boolean (optional). Example: true. Return results sorted by descending timestamp.
string (optional). Example: ce08d2e5d8e95d9d207762f6874fd2767068137daa2f6f0b7068137daa2f6f0b7068137daa2f6f0b7068137daa2f6f0b7068137daa2f6f0b7068137daa2f6f0bd37bfcf88246fba2. An identifier to fetch the next page in the result set.
200
{
"observations": [
{
"id": "cf62aef82f40ccc49b2572b702bd4ffe",
"agentId": 1713,
"cid": 1,
"data": {
"idsEvent": null,
"protocol": null,
"ipReputation": null,
"httpRequest": null,
"urlReputation": {
"url": "Url(89.253.247.168,/fortification,,80)",
"category": 101,
"partnerCategory": "Malware Sites",
"urlData": null
},
"fileReputation": null,
"file": null,
"dns": null,
"dnsReputation": null,
"httpTransaction": null
},
"threatLevel": "Low",
"killChainStage": "Recon",
"category": "Malicious_Webpage",
"threatSubCategory": "None",
"observedStage": "Realtime",
"source": "Webroot",
"occurredAt": 1411419661265,
"observedAt": 1411419748829,
"confidence": 85,
"threatScore": 25,
"severity": 20
}
]
}
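The observation record above has exactly one populated property under data (urlReputation here) and null for every other kind, and the urlReputation sample encodes its URL as Url(89.253.247.168,/fortification,,80). The following Python helper, added here and not taken from the documentation, finds the populated property and parses that Url(...) form. The field layout host, path, query, port, with -1 meaning the port is unknown, is inferred from the two samples on this page and is an assumption; the embedded observation is constructed from the sample response.

```python
import re
from typing import Any, Dict, Optional

# Constructed observation shaped like the page's sample: one populated "data" property, the rest null.
SAMPLE_OBSERVATION: Dict[str, Any] = {
    "id": "cf62aef82f40ccc49b2572b702bd4ffe",
    "agentId": 1713,
    "data": {
        "idsEvent": None, "protocol": None, "ipReputation": None, "httpRequest": None,
        "urlReputation": {
            "url": "Url(89.253.247.168,/fortification,,80)",
            "category": 101, "partnerCategory": "Malware Sites", "urlData": None,
        },
        "fileReputation": None, "file": None, "dns": None, "dnsReputation": None,
        "httpTransaction": None,
    },
    "threatLevel": "Low", "killChainStage": "Recon", "category": "Malicious_Webpage",
    "source": "Webroot", "occurredAt": 1411419661265,
}

# Assumed layout of the Url(...) string: Url(<host>,<path>,<query>,<port>). Fields are split on
# commas, so a query string that itself contains a comma would not match and is reported as an error.
_URL_FIELD = re.compile(r"^Url\((?P<host>[^,]*),(?P<path>[^,]*),(?P<query>[^,]*),(?P<port>-?\d+)\)$")


def observation_kind(observation: Dict[str, Any]) -> str:
    """Return the single populated key of observation['data'], e.g. 'urlReputation'."""
    populated = [k for k, v in observation.get("data", {}).items() if v is not None]
    if len(populated) != 1:
        raise ValueError(f"expected exactly one populated data property, found {populated}")
    return populated[0]


def is_url_field(value: str) -> bool:
    return _URL_FIELD.match(value) is not None


def parse_url_field(value: str) -> Dict[str, Any]:
    m = _URL_FIELD.match(value)
    if not m:
        raise ValueError(f"unrecognised Url field: {value!r}")
    port = int(m.group("port"))
    return {
        "host": m.group("host"),
        "path": m.group("path"),
        "query": m.group("query"),
        "port": None if port < 0 else port,  # -1 in the samples means the port was not recorded
    }


def url_indicator(observation: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """For urlReputation observations return the parsed URL plus partner category; None for other kinds."""
    if observation_kind(observation) != "urlReputation":
        return None
    rep = observation["data"]["urlReputation"]
    parsed = parse_url_field(rep["url"])
    parsed["partnerCategory"] = rep.get("partnerCategory")
    return parsed
```

observation_kind raises rather than guessing when zero or several properties are populated, so a record that does not match the documented shape is surfaced instead of silently mis-typed.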
Download extracted file data for an observation with associated file reputation data.
string (required). Example: 70031a003503180129246f2a4f1e576e. The id of the observation.
number (required). Example: 513. The sensor id or comma-separated list of ids.
200
Content-Disposition: attachment; filename=threaty-file.exe
Content-Type: application/x-msdownload
Transfer-Encoding: chunked
string (required). Example: 70031a003503180129246f2a4f1e576e. The id of the observation.
number (required). Example: 513. The sensor id or comma-separated list of ids.
Content-Type: application/json
X-Access-Token: youraccess@@tokenrandomstring
200
Content-Type: application/json
{
"agentId": 1713,
"data": {
"idsEvent": null,
"protocol": null,
"ipReputation": null,
"httpRequest": null,
"urlReputation": {
"url": "Url(a.triggit.com,/px,fast=true&u=fF&tpuid=df6877b71995ac8f9b62d808eae3f051538638a9398a65dabce39da5c299782a82fc461902db816a,-1)",
"category": "zDEPRECATEDMaliciousHost_MalwareURL",
"partnerCategory": "Malware Sites",
"urlData": null
},
"fileReputation": null,
"file": null
},
"occurredAt": 1412630707730,
"observedAt": 1408400861651,
"threatLevel": "None",
"confidence": 93,
"killChainStage": "Recon",
"severity": 20,
"category": "Malicious_webpage",
"threatScore": null,
"cid": -1,
"observedStage": "Realtime",
"source": "Webroot",
"id": "dccf25a8b3922e1c233220fe4ec57aa0",
"threatSubCategory": "None",
"netflow": {
"agentId": 1713,
"id": {
"srcMac": "00:50:56:3A:6D:D7",
"dstMac": "00:50:56:EC:5B:38",
"srcIp": "192.168.70.128",
"dstIp": "63.131.141.97",
"srcPort": 59714,
"dstPort": 80,
"proto": "TCP/IPv4"
},
"key": "0df55eec05a4d784dce70c50e078d9c0",
"details": {
"startTime": 1408400860770,
"tos": 0,
"tcpFlags": null,
"vlan": null,
"classId": null,
"srcAsn": null,
"dstAsn": null,
"endTime": 1408400971436,
"applicationProtocols": []
},
"stats": {
"bytesSrc": 3273,
"bytesDst": 3490,
"bytesSrcIncluded": 2698,
"bytesDstIncluded": 3490,
"packetsSrc": 12,
"packetsDst": 11,
"packetsSrcIncluded": 11,
"packetsDstIncluded": 11,
"updatedTime": 1408400860770
},
"state": "New",
"cid": 1713
},
"geo": {
"dst": {
"continent": {
"confidence": 0,
"code": "NA",
"name": "North America"
},
"country": {
"confidence": 0,
"isoCode": null,
"name": "United States"
},
"location": {
"accuracyRadius": 0,
"latitude": 40.7209,
"longitude": -74.0468,
"timeZone": null
},
"postal": {
"code": "07302",
"confidence": 0
},
"city": {
"confidence": 0,
"isoCode": null,
"name": "Jersey City"
},
"organization": "DataPipe"
}
}
}
Add or delete a tag for an observation
{
"add": [
"tag_1",
5
],
"remove": [
121,
"tag_2"
]
}
200
{
"success": true
}
Reputation endpoints allow retrieval of threat data about IP addresses, domain names, and files.
Notes:
These endpoints behave similarly, but have subtle differences. Be sure you’re looking at the documentation for the correct endpoint.
Arrays of objects within sample response bodies have been dramatically abbreviated.
Example:
curl -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/reputations/ips/8.8.8.8?details=threat,device,ip,domain,geo&start=1473552000000&end=1476144000000"
number (required). Example: 8.8.8.8. The IP about which to retrieve threat details. May supply a comma separated list.
number (optional). Example: 1408069629555. The start observed time. Required when details contains threat.
number (optional). Example: 1408069659555. The end observed time. Required when details contains threat.
string (optional). Example: threat,ip. A comma-delimited list of threat properties to retrieve about this IP. May contain one or more of threat, ip, device, domain, and geo. Defaults to ip.
string (optional). Example: netflows. A comma-delimited list of sub-resources to retrieve and include in the response. Only netflows is supported.
string (required). Example: hostInfo. A list of internal source names to query for this request.
Content-Type: application/json
X-Access-Token: youraccess@@tokenrandomstring
200
{
"threat": {
"observations": {
"maxThreatLevel": "Medium",
"maxThreatScore": 50,
"types": {
"Ids": 93659,
"CertReputation": 4999,
"DnsReputation": 896
},
"timeSeries": {
"timeRange": {
"interval": "Day",
"intervalSize": 1,
"start": 1476057600000,
"end": 1476316800000
},
"values": [
{
"timestamp": 1476057600000,
"count": 14852
},
{
"timestamp": 1476144000000,
"count": 29248
},
{
"timestamp": 1476230400000,
"count": 27354
}
]
},
"top": [
{
"tags": null,
"sensorId": 1,
"agentId": 1,
"flowId": null,
"netflowId": "000001578cfc85c0939468d6f3c986df",
"associatedId": {
"flowId": {
"key": "000001578cfc85c0939468d6f3c986df",
"startTime": 1475539142080,
"srcGeo": null,
"dstGeo": {
"lat": 37.386,
"lon": -122.0838
},
"direction": "None",
"flowStates": [],
"srcDeviceId": null,
"dstDeviceId": null,
"ip": {
"srcMac": "",
"dstMac": "",
"srcIp": "10.169.59.5",
"dstIp": "8.8.8.8",
"srcPort": 57953,
"dstPort": 53,
"proto": "UDP",
"layer3Proto": "IPv4",
"layer4Proto": "Udp"
}
}
},
"data": {
"idsEvent": {
"timestampSeconds": 0,
"timestampMicros": 0,
"signatureId": 68114153,
"generatorId": 0,
"revision": 2,
"classification": "trojan-activity",
"priorityId": 1,
"description": "Exploit Test Observation"
}
},
"occurredAt": 1475539142080,
"observedAt": 1475539151103,
"threatLevel": "Medium",
"confidence": 100,
"killChainStage": "Exploit",
"severity": 50,
"category": "Malware",
"threatScore": 50,
"cid": 1,
"observedStage": "Realtime",
"source": "Surricata",
"id": "000001578cfc85c0939468d6f3c986df809d4f2c0000",
"threatSubCategory": null,
"netflow": null,
"srcGeo": null,
"dstGeo": {
"lat": 37.386,
"lon": -122.0838
},
"analysisId": null,
"observationDirection": null,
"endedAt": null,
"info": {
"ips": [
"8.8.8.8",
"10.169.59.5"
],
"ports": [
53,
57953
],
"coordinates": [
{
"lat": 37.386,
"lon": -122.0838
}
],
"protocols": [],
"properties": {},
"hostIds": []
},
"connectionInfo": {
"srcMac": "",
"dstMac": "",
"srcIp": "10.169.59.5",
"dstIp": "8.8.8.8",
"srcPort": 57953,
"dstPort": 53,
"proto": "UDP",
"layer3Proto": "IPv4",
"layer4Proto": "Udp"
}
},
{
"tags": null,
"sensorId": 1,
"agentId": 1,
"flowId": null,
"netflowId": "000001578cfc85c00cc0473a32b7b79c",
"associatedId": {
"flowId": {
"key": "000001578cfc85c00cc0473a32b7b79c",
"startTime": 1475539142080,
"srcGeo": null,
"dstGeo": {
"lat": 37.386,
"lon": -122.0838
},
"direction": "None",
"flowStates": [],
"srcDeviceId": null,
"dstDeviceId": null,
"ip": {
"srcMac": "",
"dstMac": "",
"srcIp": "10.169.59.5",
"dstIp": "8.8.8.8",
"srcPort": 45702,
"dstPort": 53,
"proto": "UDP",
"layer3Proto": "IPv4",
"layer4Proto": "Udp"
}
}
},
"data": {
"idsEvent": {
"timestampSeconds": 0,
"timestampMicros": 0,
"signatureId": 68114153,
"generatorId": 0,
"revision": 2,
"classification": "trojan-activity",
"priorityId": 1,
"description": "Exploit Test Observation"
}
},
"occurredAt": 1475539142080,
"observedAt": 1475539151103,
"threatLevel": "Medium",
"confidence": 100,
"killChainStage": "Exploit",
"severity": 50,
"category": "Malware",
"threatScore": 50,
"cid": 1,
"observedStage": "Realtime",
"source": "Surricata",
"id": "000001578cfc85c00cc0473a32b7b79c271e52870000",
"threatSubCategory": "None",
"netflow": null,
"srcGeo": null,
"dstGeo": {
"lat": 37.386,
"lon": -122.0838
},
"analysisId": null,
"observationDirection": "None",
"endedAt": null,
"info": {
"ips": [
"8.8.8.8",
"10.169.59.5"
],
"ports": [
53,
45702
],
"coordinates": [
{
"lat": 37.386,
"lon": -122.0838
}
],
"protocols": [],
"properties": {},
"hostIds": []
},
"connectionInfo": {
"srcMac": "",
"dstMac": "",
"srcIp": "10.169.59.5",
"dstIp": "8.8.8.8",
"srcPort": 45702,
"dstPort": 53,
"proto": "UDP",
"layer3Proto": "IPv4",
"layer4Proto": "Udp"
}
}
]
}
},
"device": {
"deviceType": null,
"deviceCategory": null,
"deviceOs": null,
"extendedInfo": {
"cbDeviceInfo": {
"networkAdapters": {
"10.1.1.214": "60:f8:1d:b3:6d:8c",
"10.1.1.217": "ac:87:a3:11:14:62",
"192.168.169.1": "00:50:56:c0:00:01",
"192.168.183.1": "00:50:56:c0:00:08",
"192.168.251.38": "00:00:00:00:00:00"
},
"computerName": "Johns-MacBook-Pro.local",
"firstName": "John",
"hostName": "davids-macbook-pro.local",
"lastName": "Doe",
"physicalMemorySize": 17179869184,
"systemFreeSize": 73624133632,
"systemTotalSize": 499080364032,
"userName": "admin"
}
},
"intelSource": "CarbonBlack",
"lastUpdated": null
},
"ip": {
"host": "8.8.8.8",
"organization": "Google",
"isp": null,
"asName": null,
"asNumber": null
},
"domain": {
"registrar": null,
"organization": null,
"firstSeen": null,
"lastSeen": null,
"resolveData": [
{
"resolvesTo": "gigabad.de.",
"firstSeen": 1474560069000,
"lastSeen": 1476952710000
},
{
"resolvesTo": "uslock.cn.",
"firstSeen": 1415621353000,
"lastSeen": 1456379387000
}
]
},
"geo": {
"country": "US",
"region": null,
"city": null,
"latitude": 37.751,
"longitude": -97.822,
"isp": null,
"organization": "Google"
}
}
Example:
curl -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/reputations/domains/www.protectwise.com?details=threat,device,ip,domain,geo&start=1473552000000&end=1476144000000"
string (required). Example: www.protectwise.com. A lower-case domain name to retrieve reputation information about.
number (optional). Example: 1408069629555. The start observed time. Required when details contains threat.
number (optional). Example: 1408069659555. The end observed time. Required when details contains threat.
string (optional). Example: threat,domain. A comma-delimited list of threat properties to retrieve about this domain. May contain one or more of threat, device, domain, and geo. Defaults to domain.
string (optional). Example: netflows. A comma-delimited list of sub-resources to retrieve and include in the response. Only netflows is supported.
string (required). Example: hostInfo. A list of internal source names to query for this request.
Content-Type: application/json
X-Access-Token: youraccess@@tokenrandomstring
200
{
"threat": {
"ipAddresses": [
"192.254.190.20"
],
"observations": {
"maxThreatLevel": "Medium",
"maxThreatScore": 35,
"types": {
"Ids": 21868
},
"timeSeries": {
"timeRange": {
"interval": "Day",
"intervalSize": 1,
"start": 1474761600000,
"end": 1477353600000
},
"values": [
{
"timestamp": 1474761600000,
"count": 272
},
{
"timestamp": 1474848000000,
"count": 280
},
{
"timestamp": 1474934400000,
"count": 328
}
]
},
"top": [
{
"state": null,
"resolvedReason": null,
"assignee": null,
"priority": false,
"tags": null,
"sensorId": 16,
"sensorIds": [
16
],
"cid": 1,
"agentId": 16,
"id": "00053d57843741002d825aba03c3d940a1664a0e47fbbb98c246fed0",
"type": "KillChainEscalation",
"message": "Attack Progression on Host: 10.166.72.249",
"observations": [],
"netflows": [],
"confidence": 100,
"threatScore": 55,
"threatLevel": "Medium",
"killChainStage": "Beacon",
"category": "MaliciousHost",
"startedAt": 1474820973216,
"endedAt": 1474821070658,
"observedAt": 1474821100357,
"observedStage": "Realtime",
"isUpdate": true,
"threatSubCategory": "None",
"observationCount": 14,
"netflowCount": 11,
"analysisId": null
},
{
"state": null,
"resolvedReason": null,
"assignee": null,
"priority": false,
"tags": null,
"sensorId": 16,
"sensorIds": [
16
],
"cid": 1,
"agentId": 16,
"id": "00053d63ca337d70ad3ed4a360a9bea0da295642e88fe19b13a08b2e",
"type": "KillChainEscalation",
"message": "Attack Progression on Host: 10.118.220.181",
"observations": [],
"netflows": [],
"confidence": 100,
"threatScore": 55,
"threatLevel": "Medium",
"killChainStage": "Beacon",
"category": "MaliciousHost",
"startedAt": 1474873686982,
"endedAt": 1474873784968,
"observedAt": 1474873812021,
"observedStage": "Realtime",
"isUpdate": true,
"threatSubCategory": "None",
"observationCount": 14,
"netflowCount": 11,
"analysisId": null
}
]
}
},
"device": {
"deviceType": null,
"deviceCategory": null,
"deviceOs": null,
"extendedInfo": {
"cbDeviceInfo": {
"networkAdapters": {
"10.1.1.214": "60:f8:1d:b3:6d:8c",
"10.1.1.217": "ac:87:a3:11:14:62",
"192.168.169.1": "00:50:56:c0:00:01",
"192.168.183.1": "00:50:56:c0:00:08",
"192.168.251.38": "00:00:00:00:00:00"
},
"computerName": "Johns-MacBook-Pro.local",
"firstName": "John",
"hostName": "davids-macbook-pro.local",
"lastName": "Doe",
"physicalMemorySize": 17179869184,
"systemFreeSize": 73624133632,
"systemTotalSize": 499080364032,
"userName": "admin"
}
},
"intelSource": "CarbonBlack",
"lastUpdated": null
},
"domain": {
"registrar": null,
"organization": null,
"firstSeen": null,
"lastSeen": null,
"resolveData": [
{
"resolvesTo": "174.132.162.187",
"firstSeen": 1308426845000,
"lastSeen": 1337411175000
},
{
"resolvesTo": "192.254.190.20",
"firstSeen": 1414296315000,
"lastSeen": 1477302081000
}
]
},
"geo": {
"country": "United States",
"region": "VIRGINIA",
"city": "Ashburn",
"latitude": 39.0437,
"longitude": 0,
"isp": "Amazon.Com Inc.",
"organization": "Amazon.Com Inc."
}
}
Example:
curl -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/reputations/files/4a26a57b87f21e2dc3bb417d9c24be18?details=threat,device,ip,domain,geo&start=1473552000000&end=1476144000000"
string (required). Example: 4a26a57b87f21e2dc3bb417d9c24be18. An MD5, SHA-1, SHA-256 or SHA-512 hash of the file about which to retrieve reputation information.
number (optional). Example: 1408069629555. The earliest occurred time of observations to retrieve. Only valid when sources contains observations.
number (optional). Example: 1408069629555. The latest occurred time of observations to retrieve. Only valid when sources contains observations.
string (optional). Example: observations,behavior,info. What types of details to retrieve about the file. Defaults to all.
Content-Type: application/json
X-Access-Token: youraccess@@tokenrandomstring
200
{
"behavior": {
"network": {
"http": [
{
"body": "data...",
"uri": "http://drlarrybenovitz.com/qhcka/templates/binarystings.php",
"user-agent": "Mozilla/5.0 (Windows NT 6.3 rv:11.0) like Gecko",
"method": "POST",
"host": "drlarrybenovitz.com",
"version": "1.1",
"path": "/qhcka/templates/binarystings.php",
"data": "POST /qhcka/templates/binarystings.php HTTP/1.1\r\nAccept: \\xf0, xw\\x98, , , , , , , , , , , , , , , , , , , , \r\nContent-Type: application/x-www-form-urlencoded\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.3 rv:11.0) like Gecko\r\nHost: drlarrybenovitz.com\r\nContent-Length: 645\r\nCache-Control: no-cache\r\n\r\ndata...",
"port": 80
},
{
"body": "data...",
"uri": "http://holishit.in/wp-content/plugins/wpclef/assets/src/sass/neat/grid/binarystings.php",
"user-agent": "Mozilla/5.0 (Windows NT 6.3 rv:11.0) like Gecko",
"method": "POST",
"host": "holishit.in",
"version": "1.1",
"path": "/wp-content/plugins/wpclef/assets/src/sass/neat/grid/binarystings.php",
"data": "POST /wp-content/plugins/wpclef/assets/src/sass/neat/grid/binarystings.php HTTP/1.1\r\nAccept: \\xf0, 8x\\x98, , , , , , , , , , , , , , , , , , , , \r\nContent-Type: application/x-www-form-urlencoded\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.3 rv:11.0) like Gecko\r\nHost: holishit.in\r\nContent-Length: 645\r\nCache-Control: no-cache\r\n\r\ndata...",
"port": 80
}
],
"udp": [
{
"dport": 67,
"src": "0.0.0.0",
"dst": "255.255.255.255",
"sport": 68
},
{
"dport": 68,
"src": "10.0.2.2",
"dst": "10.0.2.15",
"sport": 67
},
{
"dport": 67,
"src": "0.0.0.0",
"dst": "255.255.255.255",
"sport": 68
},
{
"dport": 68,
"src": "10.0.2.2",
"dst": "10.0.2.15",
"sport": 67
}
],
"hosts": [
"0.0.0.0",
"255.255.255.255",
"10.0.2.2",
"10.0.2.15",
"239.255.255.250",
"8.8.8.8",
"224.0.0.22",
"191.233.81.105",
"10.0.2.255",
"23.229.240.164",
"160.153.63.4",
"166.62.28.102",
"67.169.109.82",
"107.180.34.199"
],
"dns": [
{
"ip": "23.229.240.164",
"hostname": "drlarrybenovitz.com"
},
{
"ip": "160.153.63.4",
"hostname": "holishit.in"
},
{
"ip": "166.62.28.102",
"hostname": "starsoftheworld.org"
},
{
"ip": "67.169.109.82",
"hostname": "hknsjsu.org"
},
{
"ip": "107.180.34.199",
"hostname": "vtc360.com"
}
],
"tcp": [
{
"dport": 80,
"src": "10.0.2.15",
"dst": "23.229.240.164",
"sport": 1045
},
{
"dport": 1045,
"src": "23.229.240.164",
"dst": "10.0.2.15",
"sport": 80
},
{
"dport": 80,
"src": "10.0.2.15",
"dst": "107.180.34.199",
"sport": 1053
},
{
"dport": 1053,
"src": "107.180.34.199",
"dst": "10.0.2.15",
"sport": 80
}
]
}
},
"info": {
"id": "d5ccdd04f3ac06e83f4aa008a6c9d4f92db2dd83",
"detectedType": "application/x-dosexec",
"detectedFileSize": 225792,
"hashes": {
"md5": "4a26a57b87f21e2dc3bb417d9c24be18",
"sha1": "3e84f1d77d09e221789e3c29c456809b42d42dd7",
"sha256": "3a3f80700786fa89575d2f4cdc73ae57566ba0368620eaa8882ba59bd48b6071",
"sha512": "eb1a084e67871ab46372f5b47ea20507d58f57335c30b1bdc0cd9e38d358cec879b275206d7869d249ebe0389d0d96c41eda1fcc6cd054d0da640295684ab0ba",
"additionalHashes": {}
},
"type": "PE",
"isArchive": false,
"isEncrypted": false,
"detectedDescription": null,
"recapInfo": null
},
"observations": {
"results": [
{
"tags": null,
"sensorId": 16,
"agentId": 16,
"flowId": null,
"netflowId": "00000157682f62728a715fd0420fbde8",
"associatedId": {
"flowId": {
"key": "00000157682f62728a715fd0420fbde8",
"startTime": 1474921718386,
"srcGeo": null,
"dstGeo": {
"lat": 42.9864,
"lon": -78.7279
},
"direction": "None",
"flowStates": [],
"srcDeviceId": null,
"dstDeviceId": null,
"ip": {
"srcMac": "",
"dstMac": "",
"srcIp": "10.3.81.112",
"dstIp": "192.227.172.136",
"srcPort": 50786,
"dstPort": 80,
"proto": "TCP",
"layer3Proto": "IPv4",
"layer4Proto": "Tcp"
}
}
},
"data": {
"fileReputation": {
"transportProtocol": "Http",
"isTruncated": false,
"advertisedType": "application/octet-stream",
"isTypeMismatched": true,
"extractedName": "23.exe",
"extractedPath": "/",
"advertisedSize": null,
"id": "d5ccdd04f3ac06e83f4aa008a6c9d4f92db2dd83",
"detectedType": "application/x-dosexec",
"detectedFileSize": 225792,
"hashes": {
"md5": "4a26a57b87f21e2dc3bb417d9c24be18",
"sha1": "3e84f1d77d09e221789e3c29c456809b42d42dd7",
"sha256": "3a3f80700786fa89575d2f4cdc73ae57566ba0368620eaa8882ba59bd48b6071",
"sha512": "eb1a084e67871ab46372f5b47ea20507d58f57335c30b1bdc0cd9e38d358cec879b275206d7869d249ebe0389d0d96c41eda1fcc6cd054d0da640295684ab0ba",
"additionalHashes": {}
},
"type": "PE",
"isArchive": false,
"isEncrypted": false,
"detectedDescription": null,
"recapInfo": null,
"start": 1474921721137,
"end": 1474921721137,
"serviceType": "Static",
"category": "Malware",
"finding": {
"score": 0
},
"findings": []
}
},
"occurredAt": 1474921721137,
"observedAt": 1474921795377,
"threatLevel": "Medium",
"confidence": 99,
"killChainStage": "Delivery",
"severity": 55,
"category": "Malware",
"threatScore": 55,
"cid": 1,
"observedStage": "Realtime",
"source": "Cylance",
"id": "00000157682f62728a715fd0420fbde85f94f7eb0007",
"threatSubCategory": "MaliciousFile",
"netflow": null,
"srcGeo": null,
"dstGeo": {
"lat": 42.9864,
"lon": -78.7279
},
"analysisId": null,
"observationDirection": "Dst_to_src",
"endedAt": null,
"info": {
"ips": [
"10.3.81.112",
"192.227.172.136"
],
"ports": [
80,
50786
],
"coordinates": [
{
"lat": 42.9864,
"lon": -78.7279
}
],
"protocols": [],
"properties": {},
"hostIds": []
},
"connectionInfo": {
"srcMac": "",
"dstMac": "",
"srcIp": "10.3.81.112",
"dstIp": "192.227.172.136",
"srcPort": 50786,
"dstPort": 80,
"proto": "TCP",
"layer3Proto": "IPv4",
"layer4Proto": "Tcp"
}
}
],
"nextOffset": "c1b470d4aebe2c91",
"count": 3007,
"facets": {
"fields": {
"fileExtractedName": {
"23.exe": 3007
}
},
"results": []
}
}
}
Collection of tags belonging to your account.
Example:
curl -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/tags"
200
[
{
"id": 1,
"customer_id": 1,
"name": "tag_1",
"count": 10,
"created_at": "2016-10-26T22:38:06.879Z",
"updated_at": "2016-10-26T22:38:06.879Z"
},
{
"id": 2,
"customer_id": 1,
"name": "tag_2",
"count": 5,
"created_at": "2016-10-26T23:38:05.224Z",
"updated_at": "2016-10-26T23:42:02.119Z"
}
]
Creates a tag. Multiple spaces and colons are not allowed in tag names.
Example:
curl -X POST -H "X-Access-Token: youraccess@@tokenrandomstring" -H "Content-Type: application/json" -d '{ "name": "tag_1" }' "https://api.protectwise.com/api/v1/tags"
201
{
"id": 3,
"customer_id": 1,
"name": "tag_1",
"count": 0,
"created_at": "2016-10-26T23:47:53.921Z",
"updated_at": "2016-10-26T23:47:53.921Z"
}
Example:
curl -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/tags/123"
200
{
"id": 123,
"customer_id": 1,
"name": "tag_1",
"count": 0,
"created_at": "2016-10-26T22:38:06.879Z",
"updated_at": "2016-10-27T03:28:24.021Z"
}
Example:
curl -X DELETE -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/tags/123"
204
Example:
curl -H "X-Access-Token: youraccess@@tokenrandomstring" -O -J "https://api.protectwise.com/api/v1/pcaps/events/00050c3f4e534028597991b91e4761ef394965348203a3e298c8896c"
string
(required) Example: 00050c3f4e534028597991b91e4761ef394965348203a3e298c8896c - The event ID
string
(optional) Example: download.pcap - Optionally provide a filename for the download
X-Access-Token: youraccess@@tokenstring
200
Content-Disposition: attachment; filename=event-00050c3f4e534028597991b91e4761ef394965348203a3e298c8896c.pcap
Content-Type: application/vnd.tcpdump.pcap
Transfer-Encoding: chunked
Example:
curl -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/pcaps/events/00050c3f4e534028597991b91e4761ef394965348203a3e298c8896c/info"
string
(required) Example: 00050c3f4e534028597991b91e4761ef394965348203a3e298c8896c - The event id
X-Access-Token: youraccess@@tokenstring
200
Content-Type: application/json
{
"id": "00050c3f4e534028597991b91e4761ef394965348203a3e298c8896c",
"estimatedSize": 9206,
"netflows": [
{
"flowId": "00000149535bdc6019076c9779dab34d",
"startTime": 1414442769504,
"endTime": 1414442783762,
"sensorId": 1713
}
]
}
Example:
curl -H "X-Access-Token: youraccess@@tokenrandomstring" -O -J "https://api.protectwise.com/api/v1/pcaps/observations/00050c7a6c1773c8641bd6d6a10af5e3e39c827833acbc2feb8a743b"
string
(required) Example: 1713 - The sensor ID
string
(required) Example: 00050c7a6c1773c8641bd6d6a10af5e3e39c827833acbc2feb8a743b - The observation ID
string
(optional) Example: download.pcap - Optionally provide a filename for the download
X-Access-Token: youraccess@@tokenstring
200
Content-Disposition: attachment; filename=observation-00050c7a6c1773c8641bd6d6a10af5e3e39c827833acbc2feb8a743b.pcap
Content-Type: application/vnd.tcpdump.pcap
Transfer-Encoding: chunked
Example:
curl -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/pcaps/events/00050c3f4e534028597991b91e4761ef394965348203a3e298c8896c/info"
string
(required) Example: 1713 - The sensor id
string
(required) Example: 00050c3f4e534028597991b91e4761ef394965348203a3e298c8896c - The observation id
X-Access-Token: youraccess@@tokenstring
200
Content-Type: application/json
{
"id": "00050c3f4e534028597991b91e4761ef394965348203a3e298c8896c",
"estimatedSize": 9206,
"netflows": [
{
"flowId": "00000149535bdc6019076c9779dab34d",
"startTime": 1414442769504,
"endTime": 1414442783762,
"sensorId": 1713
}
]
}
The sensor can be configured to control what data it processes and how. This API provides the list of protocols that the sensor can recognize and filter.
Protocols are assigned to families.
Get the name of a protocol by id
Example:
curl -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/protocols/2?include=families"
number
(required) Example: 2 - The id of the protocol
string
(optional) Example: families - Embed the protocol’s family in the response
200
{
"id": 2,
"protocol_family_id": 15,
"name": "POP3",
"display": "POP3",
"family": {
"id": 15,
"name": "Mail",
"description": "Email exchange protocols"
}
}
Collection of all available capture protocols
Example:
curl -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/protocols?family_id=2&include=families"
number
(optional) Example: 2 - Only show protocols that are assigned to a specific family
string
(optional) Example: families - Embed the protocol’s family in the response
200
[
{
"id": 12,
"name": "SSDP",
"display": "SSDP",
"protocol_family_id": 2,
"family": {
"id": 2,
"name": "Application Service",
"description": "Background services"
}
},
{
"id": 17,
"name": "Syslog",
"display": "Syslog",
"protocol_family_id": 2,
"family": {
"id": 2,
"name": "Application Service",
"description": "Background services"
}
}
]
Get a single protocol family record and optionally include child protocols
Example:
curl -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/protocols/families/1?include=protocols"
number
(required) Example: 2 - The id of the protocol family
string
(optional) Example: protocols - Embed the protocols associated with the family
200
Content-Type: application/json
{
"id": 2,
"name": "Application Service",
"description": "Background services",
"protocols": [
{
"id": 12,
"name": "SSDP",
"display": "SSDP",
"protocol_family_id": 2
},
{
"id": 17,
"name": "Syslog",
"display": "Syslog",
"protocol_family_id": 2
},
{
"id": 112,
"name": "LDAP",
"display": "LDAP",
"protocol_family_id": 2
},
{
"id": 143,
"name": "AppleiCloud",
"display": "AppleiCloud",
"protocol_family_id": 2
}
]
}
Collection of available protocol families
Example:
curl -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/protocol-families?include=protocols"
string
(optional) Example: protocols - Embed the protocols associated with each family
200
[
{
"id": 2,
"name": "Application Service",
"description": "Background services",
"protocols": [
{
"id": 12,
"name": "SSDP",
"display": "SSDP",
"protocol_family_id": 2
},
{
"id": 17,
"name": "Syslog",
"display": "Syslog",
"protocol_family_id": 2
}
]
},
{
"id": 3,
"name": "Audio/Video",
"description": "Application/Protocols used to transport audio or video content",
"protocols": [
{
"id": 24,
"name": "AppleJuice",
"display": "AppleJuice",
"protocol_family_id": 3
},
{
"id": 32,
"name": "Kontiki",
"display": "Kontiki",
"protocol_family_id": 3
}
]
}
]
A capture profile applies the default_mode capture mode to every available protocol. Create exceptions records to change the capture mode for a specific protocol.
Example:
curl -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/capture-profiles/1"
number
(required) Example: 1 - The id of the capture profile
200
Content-Type: application/json
{
"id": 1,
"name": "Default Profile",
"default_mode": "packet",
"exceptions": [
{
"id": 1,
"protocol_id": 1,
"family_id": null,
"capture_mode": "netflow"
},
{
"id": 2,
"protocol_id": 3,
"family_id": null,
"capture_mode": "none"
}
]
}
Update the capture profile name, default capture mode, and/or exceptions. Note: if you supply an exceptions property, it will REPLACE all existing exceptions.
Example:
curl -X PUT -H "X-Access-Token: youraccess@@tokenrandomstring" -H "Content-Type: application/json" -d '{ "name": "Default Profile", "default_mode": "packet", "exceptions": [] }' "https://api.protectwise.com/api/v1/capture-profiles/1"
number
(required) Example: 1 - The id of the capture profile
{
"name": "Default Profile",
"default_mode": "packet",
"exceptions": [
{
"protocol_id": 1,
"capture_mode": "netflow"
},
{
"protocol_id": 3,
"capture_mode": "none"
}
]
}
200
Content-Type: application/json
{
"id": 1,
"name": "Default Profile",
"default_mode": "packet",
"exceptions": [
{
"id": 1,
"protocol_id": 1,
"family_id": null,
"capture_mode": "netflow"
},
{
"id": 2,
"protocol_id": 3,
"family_id": null,
"capture_mode": "none"
}
]
}
A capture profile MUST NOT be associated with any sensors in order to be eligible for deletion
Example:
curl -X DELETE -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/capture-profiles/1"
number
(required) Example: 1 - The id of the capture profile
204
Example:
curl -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/capture-profiles"
200
Content-Type: application/json
[
{
"id": 1,
"customer_id": 1,
"name": "Default Profile",
"default_mode": "packet"
},
{
"id": 2,
"customer_id": 1,
"name": "Stream Heads",
"default_mode": "head"
}
]
Example:
curl -X POST -H "X-Access-Token: youraccess@@tokenrandomstring" -H "Content-Type: application/json" -d '{ "name": "Default Profile", "default_mode": "packet" }' "https://api.protectwise.com/api/v1/capture-profiles"
Content-Type: application/json
{
"name": "Default Profile",
"default_mode": "packet",
"exceptions": [
{
"protocol_id": 1,
"capture_mode": "netflow"
},
{
"protocol_id": 3,
"capture_mode": "none"
}
]
}
201
{
"id": 1,
"name": "Default Profile",
"default_mode": "packet",
"exceptions": [
{
"id": 1,
"protocol_id": 1,
"family_id": null,
"capture_mode": "netflow"
},
{
"id": 2,
"protocol_id": 3,
"family_id": null,
"capture_mode": "none"
}
]
}
The capture profile applies its default capture mode to all available protocols on the sensor. An exception defines a different capture mode for a specific protocol or protocol family.
Example:
curl -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/capture-profiles/1/exceptions/5"
number
(required) Example: 1 - The id value for the capture profile
number
(required) Example: 5 - The id of the capture profile’s exception
200
Content-Type: application/json
{
"id": 5,
"protocol_id": 13,
"capture_mode": "none"
}
Example:
curl -X PUT -H "X-Access-Token: youraccess@@tokenrandomstring" -H "Content-Type: application/json" -d '{ "capture_mode": "netflow" }' "https://api.protectwise.com/api/v1/capture-profiles/13/exceptions/5"
number
(required) Example: 1 - The id value for the capture profile
number
(required) Example: 5 - The id of the capture profile’s exception
Content-Type: application/json
{
"capture_mode": "netflow"
}
200
Content-Type: application/json
{
"id": 5,
"protocol_id": 13,
"capture_mode": "netflow"
}
Example:
curl -X DELETE -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/capture-profiles/1/exceptions/5"
number
(required) Example: 1 - The id value for the capture profile
number
(required) Example: 5 - The id of the capture profile’s exception
204
Collection of exceptions to the capture profile defaults
Example:
curl -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/capture-profiles/1/exceptions"
number
(optional) Example: 1 - Only show exceptions that apply to a specific protocol
number
(optional) Example: 1 - Only show exceptions that apply to a specific protocol family
string
(optional) Example: packet - Only show exceptions that are set to a specific capture mode
200
[
{
"id": 1,
"protocol_id": 1,
"family_id": null,
"capture_mode": "netflow"
},
{
"id": 2,
"protocol_id": null,
"family_id": 1,
"capture_mode": "none"
}
]
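To see what a profile actually leaves the sensor capturing, the following added example (not ProtectWise's own code) resolves the effective capture mode of every protocol from the protocol list, the profile's default_mode and its protocol- and family-level exceptions, and lists the protocols that end up at "none". The page does not state how a protocol-level and a family-level exception interact, so the precedence used here (protocol beats family, both beat default_mode) is an assumption, and the protocol, profile and exception records are constructed from the responses shown above.

```python
# Constructed sample data modelled on the protocol and capture-profile
# responses above (added example, not ProtectWise's own code).
PROTOCOLS = [
    {"id": 12, "name": "SSDP", "protocol_family_id": 2},
    {"id": 17, "name": "Syslog", "protocol_family_id": 2},
    {"id": 2, "name": "POP3", "protocol_family_id": 15},
    {"id": 24, "name": "AppleJuice", "protocol_family_id": 3},
    {"id": 32, "name": "Kontiki", "protocol_family_id": 3},
]

PROFILE = {"id": 1, "name": "Default Profile", "default_mode": "packet"}

EXCEPTIONS = [
    # protocol-level: Syslog down to netflow only
    {"id": 1, "protocol_id": 17, "family_id": None, "capture_mode": "netflow"},
    # family-level: all of family 3 (Audio/Video) to "none"
    {"id": 2, "protocol_id": None, "family_id": 3, "capture_mode": "none"},
    # protocol-level override inside family 3: keep Kontiki at full packet capture
    {"id": 3, "protocol_id": 32, "family_id": None, "capture_mode": "packet"},
]


def effective_capture_mode(protocol, profile, exceptions):
    """Resolve the capture mode the sensor will apply to one protocol.

    Assumed precedence (the page does not state it): an exception naming the
    protocol itself beats one naming its family, and either beats default_mode.
    """
    for exc in exceptions:
        if exc.get("protocol_id") == protocol["id"]:
            return exc["capture_mode"]
    for exc in exceptions:
        if exc.get("protocol_id") is None and exc.get("family_id") == protocol["protocol_family_id"]:
            return exc["capture_mode"]
    return profile["default_mode"]


def capture_coverage(protocols, profile, exceptions):
    """Map every protocol name to its effective capture mode."""
    return {p["name"]: effective_capture_mode(p, profile, exceptions) for p in protocols}


def blind_spots(protocols, profile, exceptions):
    """Protocols for which the sensor retains nothing at all (mode "none")."""
    coverage = capture_coverage(protocols, profile, exceptions)
    return sorted(name for name, mode in coverage.items() if mode == "none")


if __name__ == "__main__":
    for name, mode in capture_coverage(PROTOCOLS, PROFILE, EXCEPTIONS).items():
        print(f"{name:12s} {mode}")
    print("blind spots:", blind_spots(PROTOCOLS, PROFILE, EXCEPTIONS))
```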
Example:
curl -X POST -H "X-Access-Token: youraccess@@tokenrandomstring" -H "Content-Type: application/json" -d '{ "mode": "packet", "protocol_id": 11 }' "https://api.protectwise.com/api/v1/capture-profiles/1/exceptions"
with a protocol_id
Content-Type: application/json
{
"mode": "packet",
"protocol_id": 1
}
201
{
"id": 1,
"name": "Default Profile",
"default_mode": "packet",
"exceptions": [
{
"id": 1,
"protocol_id": 1,
"family_id": null,
"capture_mode": "netflow"
},
{
"id": 2,
"protocol_id": 3,
"family_id": null,
"capture_mode": "none"
}
]
}
with a family_id
Content-Type: application/json
{
"mode": "packet",
"family_id": 2
}
201
[
{
"capture_profile_id": 1,
"mode": "packet",
"protocol_id": 12
},
{
"capture_profile_id": 1,
"mode": "packet",
"protocol_id": 17
},
{
"capture_profile_id": 1,
"mode": "packet",
"protocol_id": 112
},
{
"capture_profile_id": 1,
"mode": "packet",
"protocol_id": 143
}
]
Example:
curl -X DELETE -H "X-Access-Token: youraccess@@tokenrandomstring" -H "Content-Type: application/json" -d '{ "family_id": 2 }' "https://api.protectwise.com/api/v1/capture-profiles/1/exceptions"
Content-Type: application/json
{
"family_id": 2
}
204
Notifications are a mechanism to receive alerts outside of the web interface, such as receiving an email when a new event is generated.
Get a notification profile by id
Example:
curl -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/notifications/1"
number
(required) Example: 2 - The id of the notification profile
200
{
"id": 1,
"customer_id": 1,
"user_id": null,
"name": "Email Event",
"source": "events",
"options": {
"threatLevel": "high"
},
"enabled": true,
"transports": [
{
"id": 1,
"notification_id": 1,
"name": "Email",
"type": "email",
"options": {
"subject": "[ProtectWise Event Alert] {{message}}",
"body": "{{message}}\n{{urlLink}}",
"additionalEmails": [
"Alerts <alerts@protectwise.com>"
]
},
"users": [
{
"id": 1,
"email": "john.doe@protectwise.com",
"customer_id": 1,
"firstname": "John",
"lastname": "Doe"
}
]
}
]
}
Update a notification profile.
NOTE: transports and users define the final state after the update. For example, if you want to add just one transport, you have to include all existing transports in your PUT request, or the previous transports will be deleted.
Example:
curl -X PUT -H "X-Access-Token: youraccess@@tokenrandomstring" -H "Content-Type: application/json" -d '{ "enabled": false }' "https://api.protectwise.com/api/v1/notifications/1"
number
(required) Example: 2 - The id of the notification profile
{
"name": "Email Event Renamed",
"transports": [
{
// Update an existing transport using the "id" property
"id": 1,
"options": {
"subject": "[Changed Subject] {{message}}",
"body": "{{message}}\n{{urlLink}}"
},
"users": [1]
},
{
// Create a new transport
"name": "Daily email",
"type": "email",
"options": {
"subject": "[ProtectWise Daily Email] {{message}}",
"body": "{{message}}\n{{urlLink}}",
"additionalEmails": [ "alerts@protectwise.com" ]
},
"users": [1]
}
]
}
200
Content-Type: application/json
{
"id": 1,
"customer_id": 1,
"user_id": null,
"name": "Email Event",
"source": "events",
"options": {
"threatLevel": "high"
},
"enabled": true,
"transports": [
{
"id": 1,
"notification_id": 1,
"name": "Email",
"type": "email",
"options": {
"subject": "[ProtectWise Event Alert] {{message}}",
"body": "{{message}}\n{{urlLink}}",
"additionalEmails": [
"Alerts <alerts@protectwise.com>"
]
},
"users": [
{
"id": 1,
"email": "john.doe@protectwise.com",
"customer_id": 1,
"firstname": "John",
"lastname": "Doe"
}
]
}
]
}
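Because the PUT body defines the final set of transports, the safe way to add one is to read the profile first and resend every existing transport by id together with the new one. The following added example (not ProtectWise's client or server code) does that against an in-memory stand-in for GET/PUT /notifications/{id} seeded with the profile shown above, and contrasts it with the naive PUT the NOTE warns about.

```python
import copy

# In-memory stand-in for GET/PUT /notifications/{id}, seeded with the profile
# shown above (added example, not ProtectWise's client or server code).
_STORE = {
    1: {
        "id": 1, "customer_id": 1, "user_id": None, "name": "Email Event",
        "source": "events", "options": {"threatLevel": "high"}, "enabled": True,
        "transports": [{
            "id": 1, "notification_id": 1, "name": "Email", "type": "email",
            "options": {"subject": "[ProtectWise Event Alert] {{message}}",
                        "body": "{{message}}\n{{urlLink}}",
                        "additionalEmails": ["Alerts <alerts@protectwise.com>"]},
            "users": [{"id": 1, "email": "john.doe@protectwise.com",
                       "customer_id": 1, "firstname": "John", "lastname": "Doe"}],
        }],
    }
}


def fake_get(notification_id):
    return copy.deepcopy(_STORE[notification_id])


def fake_put(notification_id, body):
    """Mimics the replace-all rule above: the transports in the body become the
    final state; any existing transport that is not resent is gone."""
    current = _STORE[notification_id]
    if "transports" in body:
        next_id = max([t["id"] for t in current["transports"]] + [0]) + 1
        replaced = []
        for t in body["transports"]:
            t = copy.deepcopy(t)
            if "id" not in t:
                t["id"], next_id = next_id, next_id + 1
            t["notification_id"] = notification_id
            replaced.append(t)
        current["transports"] = replaced
    for key in ("name", "enabled", "options"):
        if key in body:
            current[key] = body[key]
    return copy.deepcopy(current)


def to_put_form(transport):
    """GET returns users as objects; the PUT body references them by id."""
    return {"id": transport["id"], "name": transport["name"], "type": transport["type"],
            "options": transport["options"],
            "users": [u["id"] if isinstance(u, dict) else u for u in transport["users"]]}


def add_transport(notification_id, new_transport, get=fake_get, put=fake_put):
    """Add one transport safely: read the profile, resend every existing
    transport by id, and append the new one in the same PUT."""
    profile = get(notification_id)
    transports = [to_put_form(t) for t in profile["transports"]]
    transports.append(new_transport)
    return put(notification_id, {"transports": transports})


def add_transport_naively(notification_id, new_transport, put=fake_put):
    """The mistake the NOTE warns about: PUT only the new transport, which
    silently deletes every transport that was already configured."""
    return put(notification_id, {"transports": [new_transport]})
```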
Delete a notification
Example:
curl -X DELETE -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/notifications/1"
number
(required) Example: 2 - The id of the notification profile
204
Example:
curl -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/notifications"
200
Content-Type: application/json
[
{
"id": 1,
"customer_id": 1,
"user_id": null,
"name": "Email Event",
"source": "events",
"options": {
"threatLevel": "high"
},
"enabled": true,
"transports": [
{
"id": 1,
"notification_id": 1,
"name": "Email",
"type": "email",
"options": {
"subject": "[ProtectWise Event Alert] {{message}}",
"body": "{{message}}\n{{urlLink}}",
"additionalEmails": [
"Alerts <alerts@protectwise.com>"
]
},
"users": [
{
"id": 1,
"email": "john.doe@protectwise.com",
"customer_id": 1,
"firstname": "John",
"lastname": "Doe"
}
]
}
]
}
]
Create a new notification and create subscriptions
Schema
options - An event property and a value. Currently supported: { "threatLevel": "high" }
transports.options
subject - The text to use as the subject of the email
body - The body of the email. This is repeated for all events included in the email. Supports variable substitution.
additionalEmails - An array of arbitrary email addresses to include in the notification
Example:
curl -X POST -H "X-Access-Token: youraccess@@tokenrandomstring" -H "Content-Type: application/json" -d '{ "name": "Email Event", "source": "events", "transports": [ { "name": "Email", "type": "email", "users": [1] } ] }' "https://api.protectwise.com/api/v1/notifications"
Content-Type: application/json
{
"name": "Email Event",
"source": "events",
"options": {
"threatLevel": "high"
},
"transports": [
{
"name": "Email",
"type": "email",
"options": {
"subject": "[ProtectWise Event Alert] {{message}}",
"body": "{{message}}\n{{urlLink}}",
"additionalEmails": [
"Alerts <alerts@protectwise.com>"
]
},
"users": [
1,
2,
3
]
}
]
}
201
{
"id": 1,
"customer_id": 1,
"user_id": null,
"name": "Email Event",
"source": "events",
"options": {
"threatLevel": "high"
},
"enabled": true,
"transports": [
{
"id": 1,
"notification_id": 1,
"name": "Email",
"type": "email",
"options": {
"subject": "[ProtectWise Event Alert] {{message}}",
"body": "{{message}}\n{{urlLink}}",
"additionalEmails": [
"Alerts <alerts@protectwise.com>"
]
},
"users": [
{
"id": 1,
"email": "john.doe@protectwise.com",
"customer_id": 1,
"firstname": "John",
"lastname": "Doe"
}
]
}
]
}
A customer settings object maintains various customer-specific settings.
Example:
curl -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/customers/1770/settings"
number
(required) Example: 1 - The customer id
200
Content-Type: application/json
{
"customer_id": 1770,
"login_ip_whitelist": [
"216.58.216.0/24",
"204.79.0.0/16"
],
"require_mfa": false,
"retention_days": 90,
"eula_accepted": "v1.1",
"updated_at": "2015-05-24T17:23:40.622Z"
}
Update customer-specific settings. You do not need to include id or customer_id in the PUT body.
Example:
curl -X PUT -H "X-Access-Token: youraccess@@tokenrandomstring" -H "Content-Type: application/json" -d '{"login_ip_whitelist": ["216.58.216.0/24", "204.79.0.0/16"], "require_mfa": true, "retention_days": 90}' "https://api.protectwise.com/api/v1/customers/1770/settings"
number
(required) Example: 1 - The customer id
{
"login_ip_whitelist": ["216.58.216.0/24", "204.79.0.0/16"],
"require_mfa": true,
"retention_days": 90
}
200
Content-Type: application/json
{
"customer_id": 1770,
"login_ip_whitelist": [
"216.58.216.0/24",
"204.79.0.0/16"
],
"require_mfa": false,
"retention_days": 90,
"eula_accepted": "v1.1",
"updated_at": "2015-05-24T17:23:40.622Z"
}
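login_ip_whitelist controls who can log in at all, so a PUT that sends a malformed or over-broad list either disables the control or locks the operator out. The following added example (not ProtectWise's own code) validates a proposed whitelist before building the PUT body; the checks it applies are the editor's, not ones the page lists, and the addresses in the tests are constructed.

```python
import ipaddress


def validate_login_ip_whitelist(whitelist, operator_ip):
    """Return a list of problems with a proposed login_ip_whitelist.

    Checks (added here; the page does not list them): each entry is a valid
    CIDR network with no host bits set, no entry is a catch-all such as
    0.0.0.0/0 (which would disable the control), and the operator's own
    address is covered, so the PUT cannot lock the operator out.
    """
    problems, networks = [], []
    for entry in whitelist:
        try:
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            problems.append(f"{entry}: not a valid network ({exc})")
            continue
        if net.prefixlen == 0:
            problems.append(f"{entry}: catch-all network disables the whitelist")
        networks.append(net)
    operator = ipaddress.ip_address(operator_ip)
    if not any(operator in net for net in networks):
        problems.append(f"{operator_ip}: operator address not covered (lockout risk)")
    return problems


def build_settings_update(whitelist, operator_ip, require_mfa=True, retention_days=90):
    """Build the PUT body for /customers/{id}/settings, refusing unsafe input."""
    problems = validate_login_ip_whitelist(whitelist, operator_ip)
    if problems:
        raise ValueError("; ".join(problems))
    return {"login_ip_whitelist": list(whitelist),
            "require_mfa": require_mfa,
            "retention_days": retention_days}
```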
Audit logs are a history of actions taken by users that had a material impact on customer data
Example:
curl -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/audits?user_id=503&sort=-timestamp&page=2"
number
(optional) Example: 142..250 - Filter by audit ID
number
(optional) Example: 1401451500000 - Timestamp of when the action occurred
string
(optional) Example: b6807bd9-bc74-4a44-b798-c635619e52b5 - Filter by request UUID
number
(optional) Example: 16 - Filter by user
string
(optional) Example: token - Filter by authentication method (no-auth, token, session)
string
(optional) Example: 162.202.10.4 - Filter by IP address from which the request was made
string
(optional) Example: sensors - Filter by the resource that was affected (login, sensors, sensor-sets)
string
(optional) Example: update - Filter by the action that was taken (create, update, delete, retrieve)
number
(optional) Example: 1 - Get a certain page from the result set (default is page 1)
number
(optional) Example: 25 - Set the number of audits returned per page (default is 25)
string
(optional) Example: id,resource,action,details - Return only the specified resource fields (by default, GET /audits excludes details for brevity, but you can use this parameter to include it)
string
(optional) Example: -timestamp - Sort by a field (add - for descending sort)
200
Content-Type: application/json
[
{
"id": 193401,
"timestamp": "2014-01-01T07:00:00.000Z",
"uuid": "a5807bd9-bc74-4a44-b798-c635619e52b5",
"customer_id": 1,
"user_id": 1,
"auth_method": "token",
"ip": "127.0.0.1",
"resource": "sensor-sets",
"action": "create"
},
{
"id": 193445,
"timestamp": "2014-01-01T07:01:00.000Z",
"uuid": "b6807bd9-bc74-4a44-b798-c635619e52b5",
"customer_id": 1,
"user_id": 1,
"auth_method": "token",
"ip": "127.0.0.1",
"resource": "sensors",
"action": "update"
},
{
"id": 193497,
"timestamp": "2014-01-01T07:03:00.000Z",
"uuid": "d8807bd9-bc74-4a44-b798-c635619e52b5",
"customer_id": 1,
"user_id": 3,
"auth_method": "sensors",
"ip": "127.0.0.2",
"resource": "sensors",
"action": "delete"
}
]
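GET /audits is paginated and omits details by default, so a reviewer normally walks every page and then picks out the entries worth a second look. The following added example (not ProtectWise's own code) does that over constructed pages modelled on the response above, flagging deletions and changes made from outside the networks operators normally use; the page does not show the name of the page-size parameter, so the stub's page_size keyword is an assumption.

```python
import ipaddress

# Constructed pages modelled on the GET /audits response above (added example,
# not ProtectWise's own code). Page 3 is empty to terminate the walk.
_PAGES = {
    1: [
        {"id": 193401, "timestamp": "2014-01-01T07:00:00.000Z",
         "uuid": "a5807bd9-bc74-4a44-b798-c635619e52b5", "customer_id": 1,
         "user_id": 1, "auth_method": "token", "ip": "127.0.0.1",
         "resource": "sensor-sets", "action": "create"},
        {"id": 193445, "timestamp": "2014-01-01T07:01:00.000Z",
         "uuid": "b6807bd9-bc74-4a44-b798-c635619e52b5", "customer_id": 1,
         "user_id": 1, "auth_method": "token", "ip": "127.0.0.1",
         "resource": "sensors", "action": "update"},
    ],
    2: [
        {"id": 193497, "timestamp": "2014-01-01T07:03:00.000Z",
         "uuid": "d8807bd9-bc74-4a44-b798-c635619e52b5", "customer_id": 1,
         "user_id": 3, "auth_method": "session", "ip": "203.0.113.9",
         "resource": "sensors", "action": "delete"},
    ],
    3: [],
}


def fake_fetch_audits(page, page_size, **filters):
    """Stand-in for GET /audits?page=N. The page-size parameter's name is not
    shown on the page, so this stub simply takes it as page_size (assumption)."""
    return list(_PAGES.get(page, []))


def iter_audits(fetch, page_size=25, **filters):
    """Walk the audit log from page 1 until a short or empty page signals the
    end of the result set, yielding one record at a time."""
    page = 1
    while True:
        batch = fetch(page=page, page_size=page_size, **filters)
        yield from batch
        if len(batch) < page_size:
            return
        page += 1


def flag_audits(records, trusted_networks):
    """Return (audit id, reasons) pairs worth a second look: deletions, and any
    non-read action issued from an address outside the trusted networks."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    flagged = []
    for rec in records:
        reasons = []
        if rec["action"] == "delete":
            reasons.append("delete")
        src = ipaddress.ip_address(rec["ip"])
        if rec["action"] != "retrieve" and not any(src in n for n in nets):
            reasons.append(f"untrusted source {rec['ip']}")
        if reasons:
            flagged.append((rec["id"], reasons))
    return flagged


if __name__ == "__main__":
    records = list(iter_audits(fake_fetch_audits, page_size=2))
    for audit_id, reasons in flag_audits(records, ["127.0.0.0/8"]):
        print(audit_id, ", ".join(reasons))
```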
Lookup a single audit record
Example:
curl -H "X-Access-Token: youraccess@@tokenrandomstring" "https://api.protectwise.com/api/v1/audits/193401"
string
(required) Example: 193401 - The audit id
Content-Type: application/json
X-Access-Token: youraccess@@tokenstring
200
Content-Type: application/json
{
"id": 193401,
"timestamp": "2014-01-01T07:00:00.000Z",
"uuid": "a5807bd9-bc74-4a44-b798-c635619e52b5",
"customer_id": 1,
"user_id": 1,
"auth_method": "token",
"ip": "127.0.0.1",
"resource": "sensor-sets",
"action": "update",
"details": {
"previous": {
"id": 775,
"name": "Display name",
"customer_id": 1,
"default_set": false
},
"current": {
"id": 775,
"name": "Denver Sensors",
"customer_id": 1,
"default_set": false
}
}
}
Generated by aglio on 19 Oct 2020