Edge Defense Manager API
Use the Edge Defense Manager API to access data collected by our services.
An API token is required to access these endpoints.
To use the token, include it in the X-Arbux-APIToken header of the request.
Example:
curl -X GET -H "X-Arbux-APIToken: <token>" https://hostname/api/v1/devicesAlerts ¶
The Alerts API provides access to an aggregation of the alerts that are generated by the Arbor Edge Defense (AED) devices that are connected to Edge Defense Manager.
Threats ¶
GET /api/v1/alerts/threats?size=1000&skip=0&descriptions=true&sort=-time,pkt.src,-pkt.dport&start=2018-08-08T00:00:00Z&end=2018-08-09T00:00:00Z&q=pkt.proto:tcp and -pkt.appStr:http&aggregate=reason&agg_type=groupby
Responses
Headers
Content-Type: application/jsonBody
{
"message": "",
"data": {
"hits": [
{
"pkt": {
"src": "1.2.3.4",
"dst": "5.6.7.8",
"srcPort": 18440,
"dstPort": 80,
"proto": "tcp",
"appStr": "http",
"direction": "inbound"
},
"threatIntel": {
"indicatorUid": 11851842,
"threatTypes": [
"FormBook"
],
"threatDstPorts": [
80
],
"confidence": 81,
"direction": "inbound",
"indicator": "http%3A//www.bibliographyqvco.party/ne/",
"threatCategories": [
"Credential Theft",
"Spyware",
"Banking",
"HTTP"
],
"threatClassifications": [
"Command and Control",
"Malware"
],
"severity": 5,
"indicatorType": "http.request.uri"
},
"reason": "ATLAS Threat Categories",
"pgid": 42,
"pgName": "Default Protection Group",
"pgServerName": "Generic Server",
"time": "2018-07-31T20:00:30Z",
"hostname": "my-aed",
"hostIp": "10.1.2.3",
"_id": "AWTx7ZUFVkcUx98hsmLI"
}
],
"totalSize": 123,
"currSize": 5,
"threatDescriptions": {},
"timeline": {
"interval": 3600,
"windows": [
{
"window": "2018-08-08T00:00:00Z",
"bins": {}
}
]
},
"_app_distro": {
"connectionCount": 0,
"uniqueSrcCount": 0,
"uniqueDstCount": 0,
"destinations": [
{
"dst": "",
"connectionCount": 0,
"uniqueSrcCount": 0
}
]
},
"_app_distro_timeline": {
"interval": 3600,
"windows": [
{
"window": "2018-08-08T00:00:00Z",
"_app_distro": {}
}
]
}
}
}Schema
{
"$schema": "http://json-schema.org/draft-04/schema#",
"type": "object",
"properties": {
"message": {
"type": "string"
},
"data": {
"type": "object",
"properties": {
"hits": {
"type": "array",
"items": {
"type": "object",
"properties": {
"pkt": {
"type": "object",
"properties": {
"src": {
"type": "string"
},
"dst": {
"type": "string"
},
"srcPort": {
"type": "number"
},
"dstPort": {
"type": "number"
},
"proto": {
"type": "string"
},
"appStr": {
"type": "string"
},
"direction": {
"type": "string"
}
},
"required": [
"src",
"dst",
"srcPort",
"dstPort",
"proto",
"appStr",
"direction"
],
"description": "The packet that triggered the message."
},
"threatIntel": {
"type": "object",
"properties": {
"indicatorUid": {
"type": [
"number",
"null"
]
},
"threatTypes": {
"type": "array"
},
"threatDstPorts": {
"type": "array"
},
"confidence": {
"type": [
"number",
"null"
],
"description": "The confidence of the threat intel. 1-59: Low, 60-79: Medium, 80-100: High."
},
"direction": {
"type": [
"string",
"null"
]
},
"indicator": {
"type": [
"string",
"null"
]
},
"threatCategories": {
"type": "array"
},
"threatClassifications": {
"type": "array"
},
"severity": {
"type": [
"number",
"null"
],
"description": "The severity of the threat. 1-3: Low, 4-6: Medium, 7-9: High."
},
"indicatorType": {
"type": [
"string",
"null"
]
}
},
"required": [
"indicatorUid",
"threatTypes",
"threatDstPorts",
"confidence",
"direction",
"indicator",
"threatCategories",
"threatClassifications",
"severity",
"indicatorType"
],
"description": "Intelligence gathered from AIF, which is present only if the packet matches an ATLAS Threat Category."
},
"reason": {
"type": "string",
"description": "The reason why the message was generated."
},
"pgid": {
"type": [
"number",
"null"
],
"description": "The AED protection group that is associated with the message, if any."
},
"pgName": {
"type": [
"string",
"null"
],
"description": "The name of the associated protection group, if any.`"
},
"pgServerName": {
"type": [
"string",
"null"
],
"description": "The server type for the associated protection group, if any."
},
"time": {
"type": "string",
"description": "The time at which the message was generated."
},
"hostname": {
"type": "string",
"description": "The hostname of the AED device from which the message was collected."
},
"hostIp": {
"type": "string",
"description": "The IP address of the AED device from which the message was collected."
},
"_id": {
"type": "string",
"description": "An internal identifier for the message."
}
},
"required": [
"pkt",
"threatIntel",
"reason",
"time",
"hostname",
"hostIp",
"_id"
]
},
"description": "An array of messages where each message is a specific type of alert"
},
"totalSize": {
"type": "number",
"description": "The total number of alerts that matched the query parameters."
},
"currSize": {
"type": "number",
"description": "The number of alerts returned (length of `hits`)."
},
"threatDescriptions": {
"type": "object",
"properties": {},
"description": "Long descriptions of threatIntel.threatTypes for ATLAS matches, one entry for each unique threat type returned in the results."
},
"bins": {
"type": "object",
"properties": {},
"description": "An object that contains aggregated field counts by the specified `aggregate` parameter. This object is included only if `aggregate` is defined and `agg_type=groupby`."
},
"timeline": {
"type": "object",
"properties": {
"interval": {
"type": "number",
"description": "The number of seconds that each window encompasses."
},
"windows": {
"type": "array",
"items": {
"type": "object",
"properties": {
"window": {
"type": "string",
"description": "The timestamp that marks this window."
},
"bins": {
"type": "object",
"properties": {},
"description": "The value counts for the field that is aggregated"
}
},
"required": [
"window",
"bins"
]
}
}
},
"required": [
"interval",
"windows"
],
"description": "An object that contains timeseries data for a field that is specified by the `aggregate` parameter. This object is included only if `aggregate` is defined and `agg_type=timeline`."
},
"_app_distro": {
"type": "object",
"properties": {
"connectionCount": {
"type": "number",
"description": "The number of blocked connections."
},
"uniqueSrcCount": {
"type": "number",
"description": "The number of unique source connections."
},
"uniqueDstCount": {
"type": "number",
"description": "The number of unique destination connections."
},
"destinations": {
"type": "array",
"description": "An array of the top 100 destination IP addresses."
}
},
"required": [
"connectionCount",
"uniqueSrcCount",
"uniqueDstCount",
"destinations"
],
"description": "An object that contains the counts of blocked connections, unique sources, and unique destinations for each of the top 100 applications. For each destination IP address in each application, the object also contains the number of blocked connections and unique sources."
},
"_app_distro_timeline": {
"type": "object",
"properties": {
"interval": {
"type": "number",
"description": "The number of seconds that each window encompasses."
},
"windows": {
"type": "array",
"items": {
"type": "object",
"properties": {
"window": {
"type": "string",
"description": "The timestamp that marks this window."
},
"_app_distro": {
"type": "object",
"properties": {},
"description": "The value counts for the field that is aggregated."
}
},
"required": [
"window",
"_app_distro"
]
}
}
},
"required": [
"interval",
"windows"
],
"description": "An object that contains timeseries data for the blocked connections, unique sources, and unique destinations for each of the top 100 applications. The timeseries data includes the blocked connections and unique sources for each destination IP address in each application."
}
},
"required": [
"hits",
"totalSize",
"currSize"
]
}
},
"required": [
"message",
"data"
]
}ThreatsGET/api/v1/alerts/threats{?size,skip,descriptions,sort,start,end,q,aggregate,agg_type}
Get the threats that were blocked by the connected AED devices.
If the q parameter is not used, then any field that is not a static parameter will be used as a filter field.
All dynamic parameters are joined with ANDs. Example:
/api/v1/alerts/threats?size=5&pkt.src=102.91.47.69&pkt.sport=53URI Parameters
- size
number(optional) Default: 100 Example: 1000The maximum number of matches to return.
- skip
number(optional) Example: 0The number of records to skip before returning results. You can use this parameter to paginate the results.
- descriptions
boolean(optional) Default: true Example: trueIndicates whether the response should include
threatDescriptions.- sort
string(optional) Default: -time Example: -time,pkt.src,-pkt.dportA comma-separated list of field names for sorting the query results. The fields are sorted from left to right. Prefix a field name with
-to sort that field’s values in descending order, otherwise the field values are sorted in ascending order.- start
string or number(optional) Default: 24 hours ago Example: 2018-08-08T00:00:00ZThe start of the query time period. ISO 8601 format or epoch seconds is required.
- end
string or number(optional) Default: now Example: 2018-08-09T00:00:00ZThe end of the query time period. ISO 8601 format or epoch seconds is required.
- q
string(optional) Example: pkt.proto:tcp and -pkt.appStr:httpA Lucene-syntax query string. If this string is provided, then the dynamic parameters are ignored and only the Lucene query is used to filter the results.
- aggregate
string(optional) Example: reasonGenerates an aggregation for the specified field within the requested time period. This feature requires that the
agg_typeparameter is included._app_distroA predefined aggregation that counts the number of blocked connections by application. The aggregation also examines the distribution of the unique connection endpoints by doing a cardinality count of the source and destination IP addresses.- If specified with
agg_type=groupby, the results appear indata._app_distro. - If specified with
agg_type=timeline, the results appear indata._app_distro_timeline.
- If specified with
- agg_type
string(optional) Example: groupbyThe aggregation method to use if the
aggregateparameter is included.-
groupbygenerates an aggregated count for all members of the specified field within the requested time period. The results appear indata.bins. -
timelinegenerates a timeseries that breaks down counts for the specified field within the requested time period. The results appear indata.timeline.
Choices:
groupbytimeline-
DDoS ¶
Data regarding DDoS Alerts gathered from Arbor Edge Defence (AED) devices that are connected to Edge Defense Manager.
GET /api/v1/alerts/ddos?start=2018-08-08T00:00:00Z&end=2018-08-09T00:00:00Z&page=1&pageSize=100
Responses
Headers
Content-Type: application/jsonBody
{
"data": {
"id": 42,
"targets": [
{
"id": 42,
"name": "Default PG",
"devices": []
}
],
"devices": [
{
"id": 42,
"name": "AED 001",
"host": "aed-001.vm.arbor.net"
}
],
"categories": [
{
"id": 42,
"type": "Total Traffic",
"description": "TBD"
}
],
"volume": 32789,
"bps": 1.24234,
"peakBpsBlocked": 1234.1234,
"peakBpsPassed": 1234.1234,
"packets": 2341234,
"peakPpsBlocked": 1234.1234,
"peakPpsPassed": 1234.1234,
"timeseries": {
"bps": [
{
"timestamp": "2018-08-09T00:00:00Z",
"data": {
"blocked": 587712787,
"passed": 15341424
}
}
],
"pps": [
{
"timestamp": "2018-08-09T00:00:00Z",
"data": {
"blocked": 71710,
"passed": 6500
}
}
]
},
"start": "2018-08-08T00:00:00Z",
"lastSeen": "2018-08-08T00:00:00Z",
"end": "2018-08-08T00:00:00Z",
"errors": []
},
"page": 1,
"totalCount": 34534,
"errors": {
"[fieldName]": "Generic Error"
}
}Schema
{
"$schema": "http://json-schema.org/draft-04/schema#",
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"id": {
"type": "number",
"description": "The alert's unique ID."
},
"targets": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "number",
"description": "The target protection group's unique ID."
},
"name": {
"type": "string",
"description": "The name of the target protection group."
},
"devices": {
"type": "array",
"description": "The IDs of the devices that contain this target protection group."
}
},
"required": [
"id",
"name",
"devices"
]
},
"description": "The target protection groups that triggered the alert."
},
"devices": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "number",
"description": "The device's unique ID."
},
"name": {
"type": "string",
"description": "The name of the device."
},
"host": {
"type": "string",
"description": "The device's IP address or hostname."
}
},
"required": [
"id",
"name",
"host"
]
},
"description": "The devices that triggered the alert."
},
"categories": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "number",
"description": "The category's unique ID."
},
"type": {
"type": "string",
"description": "The name of the category."
},
"description": {
"type": "string",
"description": "A description of the category."
}
},
"required": [
"id",
"type",
"description"
]
},
"description": "The category of the policy violation that triggered the alert."
},
"volume": {
"type": "number",
"description": "The total amount of traffic that was observed for the alert, in bytes."
},
"bps": {
"type": "number",
"description": "The highest bit rate of traffic that was observed for the alert during the requested time period, in bps."
},
"peakBpsBlocked": {
"type": "number",
"description": "The maximum bits per second that were blocked during the alert time period."
},
"peakBpsPassed": {
"type": "number",
"description": "The maximum bits per second that were passed during the alert time period."
},
"packets": {
"type": "number",
"description": "The total number of packets that were observed for the alert."
},
"peakPpsBlocked": {
"type": "number",
"description": "The maximum number of packets per second that were blocked during the alert time period."
},
"peakPpsPassed": {
"type": "number",
"description": "The maximum number of packets per second that were passed during the alert time period."
},
"timeseries": {
"type": "object",
"properties": {
"bps": {
"type": "array",
"items": {
"type": "object",
"properties": {
"timestamp": {
"type": "string",
"description": "The timestamp of the data point, in ISO-8601 format."
},
"data": {
"type": "object",
"properties": {
"blocked": {
"type": "number",
"description": "The number of bits per second that were blocked at the timestamp."
},
"passed": {
"type": "number",
"description": "The number of bits per second that were passed at the timestamp."
}
},
"required": [
"blocked",
"passed"
]
}
},
"required": [
"timestamp",
"data"
]
},
"description": "The data points in bits per second."
},
"pps": {
"type": "array",
"items": {
"type": "object",
"properties": {
"timestamp": {
"type": "string",
"description": "The timestamp of the data point, in ISO-8601 format."
},
"data": {
"type": "object",
"properties": {
"blocked": {
"type": "number",
"description": "The number of packets per second that were blocked at the timestamp."
},
"passed": {
"type": "number",
"description": "The number of packets per second that were passed at the timestamp."
}
},
"required": [
"blocked",
"passed"
]
}
},
"required": [
"timestamp",
"data"
]
},
"description": "The data points in packets per second."
}
},
"required": [
"bps",
"pps"
],
"description": "Timeseries data for pps and bps over the requested time period."
},
"start": {
"type": "string",
"description": "The start time of the alert, in ISO-8601 format."
},
"lastSeen": {
"type": "string",
"description": "The time of the last seen piece of the alert, in ISO-8601 format."
},
"end": {
"type": "string",
"description": "The end time of the alert, in ISO-8601 format, null if the alert is ongoing."
},
"errors": {
"type": "array",
"description": "Error messages for the devices that were involved in the alert."
}
},
"required": [
"id",
"targets",
"devices",
"categories",
"volume",
"bps",
"peakBpsBlocked",
"peakBpsPassed",
"packets",
"peakPpsBlocked",
"peakPpsPassed",
"timeseries",
"start",
"lastSeen"
]
},
"page": {
"type": "number",
"description": "The page number of this result set."
},
"totalCount": {
"type": "number",
"description": "The total size of the result set."
},
"errors": {
"type": "object",
"properties": {
"[fieldName]": {
"type": "string",
"description": "An error message related to the field name."
}
},
"description": "Errors that occurred during the request or response, keyed by the invalid field name. For example, start."
}
},
"required": [
"data",
"page",
"totalCount",
"errors"
]
}List all DDoS AlertsGET/api/v1/alerts/ddos{?start,end,page,pageSize}
Get a list of the aggregated DDoS alerts that are reported by the connected AED devices.
URI Parameters
- start
string(required) Example: 2018-08-08T00:00:00ZThe start of the search time period, based on the alert timestamp. ISO 8601 format is required.
- end
string(optional) Example: 2018-08-09T00:00:00ZThe end of the search time period, based on the alert timestamp. ISO 8601 format is required.
- page
number(optional) Default: 1 Example: 1The page number to start with when returning results.
- pageSize
number(optional) Default: 25 Example: 100The number of alerts to include per page of results.
GET /api/v1/alerts/ddos/42
Responses
Headers
Content-Type: application/jsonBody
{
"id": 42,
"targets": [
{
"id": 42,
"name": "Default PG",
"devices": []
}
],
"devices": [
{
"id": 42,
"name": "AED 001",
"host": "aed-001.vm.arbor.net"
}
],
"categories": [
{
"id": 42,
"type": "Total Traffic",
"description": "TBD"
}
],
"volume": 32789,
"bps": 1.24234,
"peakBpsBlocked": 1234.1234,
"peakBpsPassed": 1234.1234,
"packets": 2341234,
"peakPpsBlocked": 1234.1234,
"peakPpsPassed": 1234.1234,
"timeseries": {
"bps": [
{
"timestamp": "2018-08-09T00:00:00Z",
"data": {
"blocked": 587712787,
"passed": 15341424
}
}
],
"pps": [
{
"timestamp": "2018-08-09T00:00:00Z",
"data": {
"blocked": 71710,
"passed": 6500
}
}
]
},
"start": "2018-08-08T00:00:00Z",
"lastSeen": "2018-08-08T00:00:00Z",
"end": "2018-08-08T00:00:00Z",
"errors": [],
"connections": {
"isPktDirectionUnknown": false,
"sources": {
"blocked": [
{
"host": "8.8.8.8",
"count": 217
}
]
},
"destinations": {
"blocked": [
{
"host": "8.8.8.8",
"count": 217
}
]
},
"services": {
"blocked": [
{
"service": "DNS",
"connectionCount": 217,
"uniqueSourceCount": 2034,
"uniqueDestinationCount": 1757,
"topDestinations": [
{
"host": "8.8.8.8",
"count": 217
}
]
}
]
}
}
}Schema
{
"$schema": "http://json-schema.org/draft-04/schema#",
"type": "object",
"properties": {
"id": {
"type": "number",
"description": "The alert's unique ID."
},
"targets": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "number",
"description": "The target protection group's unique ID."
},
"name": {
"type": "string",
"description": "The name of the target protection group."
},
"devices": {
"type": "array",
"description": "The IDs of the devices that contain this target protection group."
}
},
"required": [
"id",
"name",
"devices"
]
},
"description": "The target protection groups that triggered the alert."
},
"devices": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "number",
"description": "The device's unique ID."
},
"name": {
"type": "string",
"description": "The name of the device."
},
"host": {
"type": "string",
"description": "The device's IP address or hostname."
}
},
"required": [
"id",
"name",
"host"
]
},
"description": "The devices that triggered the alert."
},
"categories": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "number",
"description": "The category's unique ID."
},
"type": {
"type": "string",
"description": "The name of the category."
},
"description": {
"type": "string",
"description": "A description of the category."
}
},
"required": [
"id",
"type",
"description"
]
},
"description": "The category of the policy violation that triggered the alert."
},
"volume": {
"type": "number",
"description": "The total amount of traffic that was observed for the alert, in bytes."
},
"bps": {
"type": "number",
"description": "The highest bit rate of traffic that was observed for the alert during the requested time period, in bps."
},
"peakBpsBlocked": {
"type": "number",
"description": "The maximum bits per second that were blocked during the alert time period."
},
"peakBpsPassed": {
"type": "number",
"description": "The maximum bits per second that were passed during the alert time period."
},
"packets": {
"type": "number",
"description": "The total number of packets that were observed for the alert."
},
"peakPpsBlocked": {
"type": "number",
"description": "The maximum number of packets per second that were blocked during the alert time period."
},
"peakPpsPassed": {
"type": "number",
"description": "The maximum number of packets per second that were passed during the alert time period."
},
"timeseries": {
"type": "object",
"properties": {
"bps": {
"type": "array",
"items": {
"type": "object",
"properties": {
"timestamp": {
"type": "string",
"description": "The timestamp of the data point, in ISO-8601 format."
},
"data": {
"type": "object",
"properties": {
"blocked": {
"type": "number",
"description": "The number of bits per second that were blocked at the timestamp."
},
"passed": {
"type": "number",
"description": "The number of bits per second that were passed at the timestamp."
}
},
"required": [
"blocked",
"passed"
]
}
},
"required": [
"timestamp",
"data"
]
},
"description": "The data points in bits per second."
},
"pps": {
"type": "array",
"items": {
"type": "object",
"properties": {
"timestamp": {
"type": "string",
"description": "The timestamp of the data point, in ISO-8601 format."
},
"data": {
"type": "object",
"properties": {
"blocked": {
"type": "number",
"description": "The number of packets per second that were blocked at the timestamp."
},
"passed": {
"type": "number",
"description": "The number of packets per second that were passed at the timestamp."
}
},
"required": [
"blocked",
"passed"
]
}
},
"required": [
"timestamp",
"data"
]
},
"description": "The data points in packets per second."
}
},
"required": [
"bps",
"pps"
],
"description": "Timeseries data for packets per second and bits per second over the requested time period."
},
"start": {
"type": "string",
"description": "The start time of the alert, in ISO-8601 format."
},
"lastSeen": {
"type": "string",
"description": "The time of the last seen piece of the alert, in ISO-8601 format."
},
"end": {
"type": "string",
"description": "The end time of the alert, in ISO-8601 format, null if the alert is ongoing."
},
"errors": {
"type": "array",
"description": "Error messages for the devices that were involved in the alert."
},
"connections": {
"type": "object",
"properties": {
"isPktDirectionUnknown": {
"type": "boolean",
"description": "True if one or more of the packets that are involved in the calculations do not have a direction."
},
"sources": {
"type": "object",
"properties": {
"blocked": {
"type": "array",
"items": {
"type": "object",
"properties": {
"host": {
"type": "string",
"description": "The IP address or hostname of the source."
},
"count": {
"type": "number",
"description": "The number of connections from the source that were blocked."
}
},
"required": [
"host",
"count"
]
},
"description": "The source addresses with the most blocked connections."
}
},
"required": [
"blocked"
],
"description": "The top source addresses by key."
},
"destinations": {
"type": "object",
"properties": {
"blocked": {
"type": "array",
"items": {
"type": "object",
"properties": {
"host": {
"type": "string",
"description": "The IP address or hostname of the destination."
},
"count": {
"type": "number",
"description": "The number of connections to the destination that were blocked."
}
},
"required": [
"host",
"count"
]
},
"description": "The destination addresses with the most blocked connections."
}
},
"required": [
"blocked"
],
"description": "The top destination addresses by key."
},
"services": {
"type": "object",
"properties": {
"blocked": {
"type": "array",
"items": {
"type": "object",
"properties": {
"service": {
"type": "string",
"description": "The service that was used."
},
"connectionCount": {
"type": "number",
"description": "The number of blocked connections that used service."
},
"uniqueSourceCount": {
"type": "number",
"description": "Number of unique source IPs or hostnames for this service."
},
"uniqueDestinationCount": {
"type": "number",
"description": "Number of unique source IPs or hostnames for this service."
},
"topDestinations": {
"type": "array",
"items": {
"type": "object",
"properties": {
"host": {
"type": "string",
"description": "The IP address or hostname of the destination."
},
"count": {
"type": "number",
"description": "The number of connections to the destination that were blocked for this service."
}
},
"required": [
"host",
"count"
]
},
"description": "Top blocked destinations for this service."
}
},
"required": [
"service",
"connectionCount",
"uniqueSourceCount",
"uniqueDestinationCount",
"topDestinations"
]
},
"description": "The services on which the most connections were blocked."
}
},
"required": [
"blocked"
],
"description": "The top services by key."
}
},
"required": [
"isPktDirectionUnknown",
"sources",
"destinations",
"services"
],
"description": "Connection information related to this alert."
}
},
"required": [
"id",
"targets",
"devices",
"categories",
"volume",
"bps",
"peakBpsBlocked",
"peakBpsPassed",
"packets",
"peakPpsBlocked",
"peakPpsPassed",
"timeseries",
"start",
"lastSeen",
"connections"
]
}Get a Single DDoS AlertGET/api/v1/alerts/ddos/{id}
Get a single aggregated DDoS alert.
URI Parameters
- id
number(required) Example: 42The unique ID that Edge Defense Manager assigned to the alert.
GET /api/v1/alerts/ddos/counts?start=2018-08-08T00:00:00Z&end=2018-08-09T00:00:00Z
Responses
Headers
Content-Type: application/jsonBody
{
"data": {
"binSizeMinutes": 60,
"counts": [
{
"timestamp": "2018-02-01T00:00:00.000Z",
"data": {
"total": 42,
"blocked": 42,
"botnet": 42
}
}
]
},
"errors": {
"[fieldName]": "Generic Error"
}
}Schema
{
"$schema": "http://json-schema.org/draft-04/schema#",
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"binSizeMinutes": {
"type": "number",
"description": "The size of the time bins in minutes."
},
"counts": {
"type": "array",
"items": {
"type": "object",
"properties": {
"timestamp": {
"type": "string",
"description": "The end time of this bin of alert counts."
},
"data": {
"type": "object",
"properties": {
"total": {
"type": "number",
"description": "The number of alerts that were triggered by the total traffic in the time bin."
},
"blocked": {
"type": "number",
"description": "The number of the alerts that were triggered by blocked traffic in the time bin."
},
"botnet": {
"type": "number",
"description": "The number of the alerts that were triggered by botnet traffic in the time bin."
}
},
"required": [
"total",
"blocked",
"botnet"
]
}
},
"required": [
"timestamp",
"data"
]
},
"description": "The number of new DDoS alerts, aggregated and organized into binned timeseries data, where the bin size is determined by the report date range."
}
},
"required": [
"binSizeMinutes",
"counts"
]
},
"errors": {
"type": "object",
"properties": {
"[fieldName]": {
"type": "string",
"description": "An error message related to the field name."
}
},
"description": "Errors that occurred during the request or response, keyed by the invalid field name. For example, start."
}
},
"required": [
"data",
"errors"
]
}Get DDoS Alert CountsGET/api/v1/alerts/ddos/counts{?start,end}
Get a count of all the new DDoS alerts that were triggered by the connected AED devices. The alerts are aggregated and organized into binned timeseries data, where the bin size is determined by the requested date range.
URI Parameters
- start
string(required) Example: 2018-08-08T00:00:00ZThe start of the search time period, based on the alert timestamp. ISO 8601 format is required.
- end
string(optional) Example: 2018-08-09T00:00:00ZThe end of the search time period, based on the alert timestamp. ISO 8601 format is required.
Devices ¶
The Devices API allows you to add, update, and delete Arbor Edge Defense (AED) devices in Edge Defense Manager.
Devices List ¶
GET /api/v1/devices?start=2018-08-01T00:00:00Z&end=2018-08-02T00:00:00Z&liveData=true
Responses
Headers
Content-Type: application/jsonBody
{
"data": [
{
"id": "42",
"host": "my-aed.ops.my-company.com",
"apiToken": "********",
"name": "my-aed",
"ddosAlertCount": 5,
"systemAlertCount": 5,
"peakBpsBlocked": 123456789,
"peakPpsBlocked": 9001,
"protectionLevel": "high",
"protectionMode": "Active",
"lastSeen": "2018-08-10T00:00:00+00:00",
"otf": {
"enabled": true,
"active": true
},
"asertFeedbackEnabled": true,
"syslogNotificationsEnabled": true,
"warnings": [
{
"code": "warning",
"field": "syslog",
"message": "Unable to get syslog for abc."
}
],
"timeseries": {
"bps": [
{
"timestamp": "2018-08-09T00:00:00Z",
"data": {
"blocked": 587712787,
"passed": 15341424
}
}
],
"pps": [
{
"timestamp": "2018-08-09T00:00:00Z",
"data": {
"blocked": 71710,
"passed": 6500
}
}
]
}
}
]
}Schema
{
"$schema": "http://json-schema.org/draft-04/schema#",
"type": "object",
"properties": {
"data": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string"
},
"host": {
"type": "string"
},
"apiToken": {
"type": "string"
},
"name": {
"type": "string"
},
"ddosAlertCount": {
"type": "number"
},
"systemAlertCount": {
"type": "number"
},
"peakBpsBlocked": {
"type": "number"
},
"peakPpsBlocked": {
"type": "number"
},
"protectionLevel": {
"type": "string",
"enum": [
"low",
"medium",
"high"
]
},
"protectionMode": {
"type": "string",
"enum": [
"Active",
"Inactive",
"Monitor"
]
},
"lastSeen": {
"type": "string"
},
"otf": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean",
"description": "The current status of the Outbound Threat Filter for this device."
},
"active": {
"type": "boolean",
"description": "Indicates whether the Protection Mode for the Outbound Threat Filter is active or inactive."
}
},
"required": [
"enabled",
"active"
]
},
"asertFeedbackEnabled": {
"type": "boolean",
"description": "Indicates whether the device is sharing feedback with ASERT. Null if the device does not support checking for this status."
},
"syslogNotificationsEnabled": {
"type": "boolean",
"description": "Indicates whether 'blocked host' syslog notifications are being collected from this device."
},
"warnings": {
"type": "array",
"items": {
"type": "object",
"properties": {
"code": {
"type": "string",
"description": "A code that indicates the type of warning."
},
"field": {
"type": "string",
"description": "The field that triggered the warning."
},
"message": {
"type": "string",
"description": "An explanation of the warning."
}
},
"required": [
"code",
"field",
"message"
]
},
"description": "A list of warnings that can occur during attempts to retrieve data for the device."
},
"timeseries": {
"type": "object",
"properties": {
"bps": {
"type": "array",
"items": {
"type": "object",
"properties": {
"timestamp": {
"type": "string",
"description": "The timestamp of the data point, in ISO-8601 format."
},
"data": {
"type": "object",
"properties": {
"blocked": {
"type": "number",
"description": "The number of bits per second that were blocked at the timestamp."
},
"passed": {
"type": "number",
"description": "The number of bits per second that were passed at the timestamp."
}
},
"required": [
"blocked",
"passed"
]
}
},
"required": [
"timestamp",
"data"
]
},
"description": "The data points in bits per second."
},
"pps": {
"type": "array",
"items": {
"type": "object",
"properties": {
"timestamp": {
"type": "string",
"description": "The timestamp of the data point, in ISO-8601 format."
},
"data": {
"type": "object",
"properties": {
"blocked": {
"type": "number",
"description": "The number of packets per second that were blocked at the timestamp."
},
"passed": {
"type": "number",
"description": "The number of packets per second that were passed at the timestamp."
}
},
"required": [
"blocked",
"passed"
]
}
},
"required": [
"timestamp",
"data"
]
},
"description": "The data points in packets per second."
}
},
"required": [
"bps",
"pps"
],
"description": "Timeseries data for packets per second and bits per second over the requested time period."
}
},
"required": [
"host",
"apiToken",
"name",
"ddosAlertCount",
"systemAlertCount",
"peakBpsBlocked",
"peakPpsBlocked",
"protectionLevel",
"protectionMode",
"lastSeen",
"otf",
"syslogNotificationsEnabled",
"timeseries"
]
}
}
},
"required": [
"data"
]
}Devices ListGET/api/v1/devices{?start,end,liveData}
Find all of the devices that are connected to Edge Defense Manager.
URI Parameters
- start
string(optional) Example: 2018-08-01T00:00:00ZThe start of the time period for which to get alerts and traffic data from the device. ISO 8601 format is required.
- end
string(optional) Default: now Example: 2018-08-02T00:00:00ZThe end of the time period for which to get alerts and traffic data from the device. ISO 8601 format is required.
- liveData
boolean(optional) Default: true Example: trueIndicates whether the response should include live data from the connected devices.
Device ¶
Operations for fetching, creating, updating, and deleting the devices that are connected to Edge Defense Manager.
GET /api/v1/devices/42?start=2018-08-01T00:00:00Z&end=2018-08-02T00:00:00Z&liveData=true
Responses
Headers
Content-Type: application/jsonBody
{
"id": "42",
"host": "my-aed.ops.my-company.com",
"apiToken": "********",
"name": "my-aed",
"ddosAlertCount": 5,
"systemAlertCount": 5,
"peakBpsBlocked": 123456789,
"peakPpsBlocked": 9001,
"protectionLevel": "high",
"protectionMode": "Active",
"lastSeen": "2018-08-10T00:00:00+00:00",
"otf": {
"enabled": true,
"active": true
},
"asertFeedbackEnabled": true,
"syslogNotificationsEnabled": true,
"warnings": [
{
"code": "warning",
"field": "syslog",
"message": "Unable to get syslog for abc."
}
],
"timeseries": {
"bps": [
{
"timestamp": "2018-08-09T00:00:00Z",
"data": {
"blocked": 587712787,
"passed": 15341424
}
}
],
"pps": [
{
"timestamp": "2018-08-09T00:00:00Z",
"data": {
"blocked": 71710,
"passed": 6500
}
}
]
}
}Schema
{
"$schema": "http://json-schema.org/draft-04/schema#",
"type": "object",
"properties": {
"id": {
"type": "string"
},
"host": {
"type": "string"
},
"apiToken": {
"type": "string"
},
"name": {
"type": "string"
},
"ddosAlertCount": {
"type": "number"
},
"systemAlertCount": {
"type": "number"
},
"peakBpsBlocked": {
"type": "number"
},
"peakPpsBlocked": {
"type": "number"
},
"protectionLevel": {
"type": "string",
"enum": [
"low",
"medium",
"high"
]
},
"protectionMode": {
"type": "string",
"enum": [
"Active",
"Inactive",
"Monitor"
]
},
"lastSeen": {
"type": "string"
},
"otf": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean",
"description": "The current status of the Outbound Threat Filter for this device."
},
"active": {
"type": "boolean",
"description": "Indicates whether the Protection Mode for the Outbound Threat Filter is active or inactive."
}
},
"required": [
"enabled",
"active"
]
},
"asertFeedbackEnabled": {
"type": "boolean",
"description": "Indicates whether the device is sharing feedback with ASERT. Null if the device does not support checking for this status."
},
"syslogNotificationsEnabled": {
"type": "boolean",
"description": "Indicates whether 'blocked host' syslog notifications are being collected from this device."
},
"warnings": {
"type": "array",
"items": {
"type": "object",
"properties": {
"code": {
"type": "string",
"description": "A code that indicates the type of warning."
},
"field": {
"type": "string",
"description": "The field that triggered the warning."
},
"message": {
"type": "string",
"description": "An explanation of the warning."
}
},
"required": [
"code",
"field",
"message"
]
},
"description": "A list of warnings that can occur during attempts to retrieve data for the device."
},
"timeseries": {
"type": "object",
"properties": {
"bps": {
"type": "array",
"items": {
"type": "object",
"properties": {
"timestamp": {
"type": "string",
"description": "The timestamp of the data point, in ISO-8601 format."
},
"data": {
"type": "object",
"properties": {
"blocked": {
"type": "number",
"description": "The number of bits per second that were blocked at the timestamp."
},
"passed": {
"type": "number",
"description": "The number of bits per second that were passed at the timestamp."
}
},
"required": [
"blocked",
"passed"
]
}
},
"required": [
"timestamp",
"data"
]
},
"description": "The data points in bits per second."
},
"pps": {
"type": "array",
"items": {
"type": "object",
"properties": {
"timestamp": {
"type": "string",
"description": "The timestamp of the data point, in ISO-8601 format."
},
"data": {
"type": "object",
"properties": {
"blocked": {
"type": "number",
"description": "The number of packets per second that were blocked at the timestamp."
},
"passed": {
"type": "number",
"description": "The number of packets per second that were passed at the timestamp."
}
},
"required": [
"blocked",
"passed"
]
}
},
"required": [
"timestamp",
"data"
]
},
"description": "The data points in packets per second."
}
},
"required": [
"bps",
"pps"
],
"description": "Timeseries data for packets per second and bits per second over the requested time period."
}
},
"required": [
"host",
"apiToken",
"name",
"ddosAlertCount",
"systemAlertCount",
"peakBpsBlocked",
"peakPpsBlocked",
"protectionLevel",
"protectionMode",
"lastSeen",
"otf",
"syslogNotificationsEnabled",
"timeseries"
]
}Headers
Content-Type: application/jsonBody
{
"errors": [
{
"code": "NotFound",
"field": "Specified APS [42] does not exist",
"message": "Specified APS [42] does not exist"
}
],
"message": "Not Found."
}Get a DeviceGET/api/v1/devices/{id}{?start,end,liveData}
Get a device that is connected to Edge Defense Manager.
URI Parameters
- id
number(required) Example: 42The unique ID that Edge Defense Manager assigned to the device.
- start
string(optional) Example: 2018-08-01T00:00:00ZThe start of the time period for which to get alerts and traffic data from the device. ISO 8601 format is required.
- end
string(optional) Default: now Example: 2018-08-02T00:00:00ZThe end of the time period for which to get alerts and traffic data from the device. ISO 8601 format is required.
- liveData
boolean(optional) Default: true Example: trueIndicates whether the response should include live data from the connected device.
POST /api/v1/devices
Requests
Headers
Content-Type: application/jsonBody
{
"host": "my-aed.ops.my-company.com",
"apiToken": "secret-api-token",
"name": "my-aed",
"syslogNotificationsEnabled": true
}Schema
{
"$schema": "http://json-schema.org/draft-04/schema#",
"type": "object",
"properties": {
"host": {
"type": "string",
"description": "The hostname or IP address of the AED device."
},
"apiToken": {
"type": "string",
"description": "An API token that is generated by the AED device that you are adding."
},
"name": {
"type": "string",
"description": "An optional, descriptive name for the AED device, which will appear in place of `host`."
},
"syslogNotificationsEnabled": {
"type": "boolean",
"description": "Indicates whether to configure the collection of syslog notifications from the AED device.",
"default": true
}
},
"required": [
"host",
"apiToken"
]
}Responses
Headers
Content-Type: application/jsonBody
{
"id": "42",
"host": "my-aed.ops.my-company.com",
"apiToken": "********",
"name": "my-aed",
"ddosAlertCount": 5,
"systemAlertCount": 5,
"peakBpsBlocked": 123456789,
"peakPpsBlocked": 9001,
"protectionLevel": "high",
"protectionMode": "Active",
"lastSeen": "2018-08-10T00:00:00+00:00",
"otf": {
"enabled": true,
"active": true
},
"asertFeedbackEnabled": true,
"syslogNotificationsEnabled": true,
"warnings": [
{
"code": "warning",
"field": "syslog",
"message": "Unable to get syslog for abc."
}
],
"timeseries": {
"bps": [
{
"timestamp": "2018-08-09T00:00:00Z",
"data": {
"blocked": 587712787,
"passed": 15341424
}
}
],
"pps": [
{
"timestamp": "2018-08-09T00:00:00Z",
"data": {
"blocked": 71710,
"passed": 6500
}
}
]
}
}Schema
{
"$schema": "http://json-schema.org/draft-04/schema#",
"type": "object",
"properties": {
"id": {
"type": "string"
},
"host": {
"type": "string"
},
"apiToken": {
"type": "string"
},
"name": {
"type": "string"
},
"ddosAlertCount": {
"type": "number"
},
"systemAlertCount": {
"type": "number"
},
"peakBpsBlocked": {
"type": "number"
},
"peakPpsBlocked": {
"type": "number"
},
"protectionLevel": {
"type": "string",
"enum": [
"low",
"medium",
"high"
]
},
"protectionMode": {
"type": "string",
"enum": [
"Active",
"Inactive",
"Monitor"
]
},
"lastSeen": {
"type": "string"
},
"otf": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean",
"description": "The current status of the Outbound Threat Filter for this device."
},
"active": {
"type": "boolean",
"description": "Indicates whether the Protection Mode for the Outbound Threat Filter is active or inactive."
}
},
"required": [
"enabled",
"active"
]
},
"asertFeedbackEnabled": {
"type": "boolean",
"description": "Indicates whether the device is sharing feedback with ASERT. Null if the device does not support checking for this status."
},
"syslogNotificationsEnabled": {
"type": "boolean",
"description": "Indicates whether 'blocked host' syslog notifications are being collected from this device."
},
"warnings": {
"type": "array",
"items": {
"type": "object",
"properties": {
"code": {
"type": "string",
"description": "A code that indicates the type of warning."
},
"field": {
"type": "string",
"description": "The field that triggered the warning."
},
"message": {
"type": "string",
"description": "An explanation of the warning."
}
},
"required": [
"code",
"field",
"message"
]
},
"description": "A list of warnings that can occur during attempts to retrieve data for the device."
},
"timeseries": {
"type": "object",
"properties": {
"bps": {
"type": "array",
"items": {
"type": "object",
"properties": {
"timestamp": {
"type": "string",
"description": "The timestamp of the data point, in ISO-8601 format."
},
"data": {
"type": "object",
"properties": {
"blocked": {
"type": "number",
"description": "The number of bits per second that were blocked at the timestamp."
},
"passed": {
"type": "number",
"description": "The number of bits per second that were passed at the timestamp."
}
},
"required": [
"blocked",
"passed"
]
}
},
"required": [
"timestamp",
"data"
]
},
"description": "The data points in bits per second."
},
"pps": {
"type": "array",
"items": {
"type": "object",
"properties": {
"timestamp": {
"type": "string",
"description": "The timestamp of the data point, in ISO-8601 format."
},
"data": {
"type": "object",
"properties": {
"blocked": {
"type": "number",
"description": "The number of packets per second that were blocked at the timestamp."
},
"passed": {
"type": "number",
"description": "The number of packets per second that were passed at the timestamp."
}
},
"required": [
"blocked",
"passed"
]
}
},
"required": [
"timestamp",
"data"
]
},
"description": "The data points in packets per second."
}
},
"required": [
"bps",
"pps"
],
"description": "Timeseries data for packets per second and bits per second over the requested time period."
}
},
"required": [
"host",
"apiToken",
"name",
"ddosAlertCount",
"systemAlertCount",
"peakBpsBlocked",
"peakPpsBlocked",
"protectionLevel",
"protectionMode",
"lastSeen",
"otf",
"syslogNotificationsEnabled",
"timeseries"
]
}Headers
Content-Type: application/jsonBody
{
"host": "already-configured.ops.my-company.com",
"apiToken": "secret-api-token",
"name": "already-configured",
"syslogNotificationsEnabled": true
}Schema
{
"$schema": "http://json-schema.org/draft-04/schema#",
"type": "object",
"properties": {
"host": {
"type": "string"
},
"apiToken": {
"type": "string"
},
"name": {
"type": "string"
},
"syslogNotificationsEnabled": {
"type": "boolean"
}
},
"required": [
"host",
"apiToken"
]
}Responses
Headers
Content-Type: application/jsonBody
{
"errors": [
{
"code": "DuplicateError",
"field": "host",
"message": "Object already exists."
}
],
"message": "Validation Error"
}Headers
Content-Type: application/jsonBody
{
"host": "my-aed.ops.my-company.com",
"apiToken": "something-invalid",
"name": "my-aed",
"syslogNotificationsEnabled": true
}Schema
{
"$schema": "http://json-schema.org/draft-04/schema#",
"type": "object",
"properties": {
"host": {
"type": "string"
},
"apiToken": {
"type": "string"
},
"name": {
"type": "string"
},
"syslogNotificationsEnabled": {
"type": "boolean"
}
},
"required": [
"host",
"apiToken"
]
}Responses
Headers
Content-Type: application/jsonBody
{
"message": "Invalid token."
}Add a New DevicePOST/api/v1/devices
Add a new device to Edge Defense Manager.
After you add a device, Edge Defense Manager imports alerts from that device and aggregates them with data from the other connected AED devices.
PUT /api/v1/devices/42
Requests
Headers
Content-Type: application/jsonBody
{
"host": "new-host.ops.my-company.com",
"apiToken": "updated-token",
"name": "Updated Name",
"syslogNotificationsEnabled": true
}Schema
{
"$schema": "http://json-schema.org/draft-04/schema#",
"type": "object",
"properties": {
"host": {
"type": "string",
"description": "The hostname or IP address of the AED device."
},
"apiToken": {
"type": "string",
"description": "An API token that is generated by the AED device that you are adding."
},
"name": {
"type": "string",
"description": "An optional, descriptive name for the AED device, which will appear in place of `host`."
},
"syslogNotificationsEnabled": {
"type": "boolean",
"description": "Indicates whether to configure the collection of syslog notifications from the AED device."
}
},
"required": [
"host",
"apiToken"
]
}Responses
Headers
Content-Type: application/jsonBody
{
"id": "42",
"host": "new-host.ops.my-company.com",
"apiToken": "updated-token",
"name": "Updated Name",
"ddosAlertCount": 5,
"systemAlertCount": 5,
"peakBpsBlocked": 123456789,
"peakPpsBlocked": 9001,
"protectionLevel": "high",
"protectionMode": "Active",
"lastSeen": "2018-08-10T00:00:00+00:00",
"otf": {
"enabled": true,
"active": true
},
"asertFeedbackEnabled": true,
"syslogNotificationsEnabled": "true",
"warnings": [
{
"code": "warning",
"field": "syslog",
"message": "Unable to get syslog for abc."
}
],
"timeseries": {
"bps": [
{
"timestamp": "2018-08-09T00:00:00Z",
"data": {
"blocked": 587712787,
"passed": 15341424
}
}
],
"pps": [
{
"timestamp": "2018-08-09T00:00:00Z",
"data": {
"blocked": 71710,
"passed": 6500
}
}
]
}
}Schema
{
"$schema": "http://json-schema.org/draft-04/schema#",
"type": "object",
"properties": {
"id": {
"type": "string"
},
"host": {
"type": "string"
},
"apiToken": {
"type": "string"
},
"name": {
"type": "string"
},
"ddosAlertCount": {
"type": "number"
},
"systemAlertCount": {
"type": "number"
},
"peakBpsBlocked": {
"type": "number"
},
"peakPpsBlocked": {
"type": "number"
},
"protectionLevel": {
"type": "string",
"enum": [
"low",
"medium",
"high"
]
},
"protectionMode": {
"type": "string",
"enum": [
"Active",
"Inactive",
"Monitor"
]
},
"lastSeen": {
"type": "string"
},
"otf": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean",
"description": "The current status of the Outbound Threat Filter for this device."
},
"active": {
"type": "boolean",
"description": "Indicates whether the Protection Mode for the Outbound Threat Filter is active or inactive."
}
},
"required": [
"enabled",
"active"
]
},
"asertFeedbackEnabled": {
"type": "boolean",
"description": "Indicates whether the device is sharing feedback with ASERT. Null if the device does not support checking for this status."
},
"syslogNotificationsEnabled": {
"type": "string",
"description": "Indicates whether 'blocked host' syslog notifications are being collected from this device."
},
"warnings": {
"type": "array",
"items": {
"type": "object",
"properties": {
"code": {
"type": "string",
"description": "A code that indicates the type of warning."
},
"field": {
"type": "string",
"description": "The field that triggered the warning."
},
"message": {
"type": "string",
"description": "An explanation of the warning."
}
},
"required": [
"code",
"field",
"message"
]
},
"description": "A list of warnings that can occur during attempts to retrieve data for the device."
},
"timeseries": {
"type": "object",
"properties": {
"bps": {
"type": "array",
"items": {
"type": "object",
"properties": {
"timestamp": {
"type": "string",
"description": "The timestamp of the data point, in ISO-8601 format."
},
"data": {
"type": "object",
"properties": {
"blocked": {
"type": "number",
"description": "The number of bits per second that were blocked at the timestamp."
},
"passed": {
"type": "number",
"description": "The number of bits per second that were passed at the timestamp."
}
},
"required": [
"blocked",
"passed"
]
}
},
"required": [
"timestamp",
"data"
]
},
"description": "The data points in bits per second."
},
"pps": {
"type": "array",
"items": {
"type": "object",
"properties": {
"timestamp": {
"type": "string",
"description": "The timestamp of the data point, in ISO-8601 format."
},
"data": {
"type": "object",
"properties": {
"blocked": {
"type": "number",
"description": "The number of packets per second that were blocked at the timestamp."
},
"passed": {
"type": "number",
"description": "The number of packets per second that were passed at the timestamp."
}
},
"required": [
"blocked",
"passed"
]
}
},
"required": [
"timestamp",
"data"
]
},
"description": "The data points in packets per second."
}
},
"required": [
"bps",
"pps"
],
"description": "Timeseries data for packets per second and bits per second over the requested time period."
}
},
"required": [
"host",
"apiToken",
"name",
"ddosAlertCount",
"systemAlertCount",
"peakBpsBlocked",
"peakPpsBlocked",
"protectionLevel",
"protectionMode",
"lastSeen",
"otf",
"syslogNotificationsEnabled",
"timeseries"
]
}Update an Existing DevicePUT/api/v1/devices/{id}
Update a device that is connected to Edge Defense Manager.
URI Parameters
- id
number(required) Example: 42The unique ID that Edge Defense Manager assigned to the device.
PATCH /api/v1/devices/42
Requests
Headers
Content-Type: application/jsonBody
{
"apiToken": "updated-token"
}Schema
{
"$schema": "http://json-schema.org/draft-04/schema#",
"type": "object",
"properties": {
"host": {
"type": "string",
"description": "The hostname or IP address of the AED device."
},
"apiToken": {
"type": "string",
"description": "An API token that is generated by the AED device that you are adding."
},
"name": {
"type": "string",
"description": "An optional, descriptive name for the AED device, which will appear in place of `host`."
}
}
}Responses
Headers
Content-Type: application/jsonBody
{
"id": "42",
"host": "my-aed.ops.my-company.com",
"apiToken": "updated-token",
"name": "my-aed",
"ddosAlertCount": 5,
"systemAlertCount": 5,
"peakBpsBlocked": 123456789,
"peakPpsBlocked": 9001,
"protectionLevel": "high",
"protectionMode": "Active",
"lastSeen": "2018-08-10T00:00:00+00:00",
"otf": {
"enabled": true,
"active": true
},
"asertFeedbackEnabled": true,
"syslogNotificationsEnabled": true,
"warnings": [
{
"code": "warning",
"field": "syslog",
"message": "Unable to get syslog for abc."
}
],
"timeseries": {
"bps": [
{
"timestamp": "2018-08-09T00:00:00Z",
"data": {
"blocked": 587712787,
"passed": 15341424
}
}
],
"pps": [
{
"timestamp": "2018-08-09T00:00:00Z",
"data": {
"blocked": 71710,
"passed": 6500
}
}
]
}
}Schema
{
"$schema": "http://json-schema.org/draft-04/schema#",
"type": "object",
"properties": {
"id": {
"type": "string"
},
"host": {
"type": "string"
},
"apiToken": {
"type": "string"
},
"name": {
"type": "string"
},
"ddosAlertCount": {
"type": "number"
},
"systemAlertCount": {
"type": "number"
},
"peakBpsBlocked": {
"type": "number"
},
"peakPpsBlocked": {
"type": "number"
},
"protectionLevel": {
"type": "string",
"enum": [
"low",
"medium",
"high"
]
},
"protectionMode": {
"type": "string",
"enum": [
"Active",
"Inactive",
"Monitor"
]
},
"lastSeen": {
"type": "string"
},
"otf": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean",
"description": "The current status of the Outbound Threat Filter for this device."
},
"active": {
"type": "boolean",
"description": "Indicates whether the Protection Mode for the Outbound Threat Filter is active or inactive."
}
},
"required": [
"enabled",
"active"
]
},
"asertFeedbackEnabled": {
"type": "boolean",
"description": "Indicates whether the device is sharing feedback with ASERT. Null if the device does not support checking for this status."
},
"syslogNotificationsEnabled": {
"type": "boolean",
"description": "Indicates whether 'blocked host' syslog notifications are being collected from this device."
},
"warnings": {
"type": "array",
"items": {
"type": "object",
"properties": {
"code": {
"type": "string",
"description": "A code that indicates the type of warning."
},
"field": {
"type": "string",
"description": "The field that triggered the warning."
},
"message": {
"type": "string",
"description": "An explanation of the warning."
}
},
"required": [
"code",
"field",
"message"
]
},
"description": "A list of warnings that can occur during attempts to retrieve data for the device."
},
"timeseries": {
"type": "object",
"properties": {
"bps": {
"type": "array",
"items": {
"type": "object",
"properties": {
"timestamp": {
"type": "string",
"description": "The timestamp of the data point, in ISO-8601 format."
},
"data": {
"type": "object",
"properties": {
"blocked": {
"type": "number",
"description": "The number of bits per second that were blocked at the timestamp."
},
"passed": {
"type": "number",
"description": "The number of bits per second that were passed at the timestamp."
}
},
"required": [
"blocked",
"passed"
]
}
},
"required": [
"timestamp",
"data"
]
},
"description": "The data points in bits per second."
},
"pps": {
"type": "array",
"items": {
"type": "object",
"properties": {
"timestamp": {
"type": "string",
"description": "The timestamp of the data point, in ISO-8601 format."
},
"data": {
"type": "object",
"properties": {
"blocked": {
"type": "number",
"description": "The number of packets per second that were blocked at the timestamp."
},
"passed": {
"type": "number",
"description": "The number of packets per second that were passed at the timestamp."
}
},
"required": [
"blocked",
"passed"
]
}
},
"required": [
"timestamp",
"data"
]
},
"description": "The data points in packets per second."
}
},
"required": [
"bps",
"pps"
],
"description": "Timeseries data for packets per second and bits per second over the requested time period."
}
},
"required": [
"host",
"apiToken",
"name",
"ddosAlertCount",
"systemAlertCount",
"peakBpsBlocked",
"peakPpsBlocked",
"protectionLevel",
"protectionMode",
"lastSeen",
"otf",
"syslogNotificationsEnabled",
"timeseries"
]
}Partially Update an Existing DevicePATCH/api/v1/devices/{id}
Make partial updates to a device that is connected to Edge Defense Manager.
The following fields are allowed in the request body:
-
host -
apiToken -
name -
syslogNotificationsEnabled
URI Parameters
- id
number(required) Example: 42The unique ID that Edge Defense Manager assigned to the device.
DELETE /api/v1/devices/42
Responses
This response has no content.
Delete a DeviceDELETE/api/v1/devices/{id}
Delete a device that is connected to Edge Defense Manager. This operation also deletes all of the alerts that are associated with the device.
Deleting a device can cause data loss and cannot be undone.
URI Parameters
- id
number(required) Example: 42The unique ID that Edge Defense Manager assigned to the device.
Total Traffic ¶
This endpoint provides timeseries data that represents the total blocked traffic and total passed traffic that is reported by the connected Arbor Edge Defense (AED) devices.
Get Total Traffic ¶
GET /api/v1/traffic/edge?start=2018-08-08T00:00:00Z&end=2018-08-09T00:00:00Z
Responses
Headers
Content-Type: application/jsonBody
{
"data": {
"pps": [
{
"timestamp": "2018-08-08T19:12:58.286Z",
"data": {
"blocked": 49692,
"passed": 89155
}
},
{
"timestamp": "2018-08-08T20:24:58.286Z",
"data": {
"blocked": 30479,
"passed": 36384
}
}
...
],
"bps": [
{
"timestamp": "2018-08-08T19:12:58.286Z",
"data": {
"blocked": 87166,
"passed": 71530
}
},
{
"timestamp": "2018-08-08T20:24:58.286Z",
"data": {
"blocked": 34653,
"passed": 47416
}
}
...
]
}
}Schema
{
"$schema": "http://json-schema.org/draft-04/schema#",
"description": "The total amount of traffic that was observed on all of the connected AED devices.",
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"pps": {
"type": "array",
"description": "The data points within the time period at which a packets per second rate was observed.",
"items": {
"type": "object",
"properties": {
"timestamp": {
"type": "string",
"description": "The timestamp of the data point, in ISO-8601 format."
},
"data": {
"type": "object",
"properties": {
"passed": {
"type": "integer",
"description": "The number of packets per second that were passed at the timestamp."
},
"blocked": {
"type": "integer",
"description": "The number of packets per second that were blocked at the timestamp."
}
},
"required": ["passed", "blocked"]
}
},
"required": ["timestamp", "data"]
}
},
"bps": {
"type": "array",
"description": "The data points within the time period at which a bits per second rate was observed.",
"items": {
"type": "object",
"properties": {
"timestamp": {
"type": "string",
"description": "The timestamp of the data point, in ISO-8601 format."
},
"data": {
"type": "object",
"properties": {
"passed": {
"type": "integer",
"description": "The number of bits per second that were passed at the timestamp."
},
"blocked": {
"type": "integer",
"description": "The number of bits per second that were blocked at the timestamp."
}
},
"required": ["passed", "blocked"]
}
},
"required": ["timestamp", "data"]
}
},
"peakBpsBlocked": {
"type": "integer",
"description": "The highest bit rate of traffic that was blocked during the requested time period, in bps."
},
"peakBpsPassed": {
"type": "integer",
"description": "The highest bit rate of traffic that was passed during the requested time period, in bps."
},
"peakPpsBlocked": {
"type": "integer",
"description": "The highest rate of packets that were blocked during the requested time period, in pps."
},
"peakPpsPassed": {
"type": "integer",
"description": "The highest rate of packets that were passed during the requested time period, in pps."
},
"totalBpsBlocked": {
"type": "number",
"description": "The average bit rate of traffic that was blocked during the requested time period, in bps."
},
"totalBpsPassed": {
"type": "number",
"description": "The average bit rate of traffic that was passed during the requested time period, in bps."
},
"totalBytesBlocked": {
"type": "integer",
"description": "The total amount of traffic that was blocked during the requested time period, in bytes."
},
"totalBytesPassed": {
"type": "integer",
"description": "The total amount of traffic that was passed during the requested time period, in bytes."
},
"totalPacketsBlocked": {
"type": "integer",
"description": "The total number of packets that were blocked during the requested time period."
},
"totalPacketsPassed": {
"type": "integer",
"description": "The total number of packets that were passed during the requested time period."
},
"totalPpsBlocked": {
"type": "number",
"description": "The average rate of packets that were blocked during the requested time period, in pps."
},
"totalPpsPassed": {
"type": "number",
"description": "The average rate of packets that were passed during the requested time period, in pps."
}
},
"required": [
"bps", "pps", "peakBpsBlocked", "peakBpsPassed",
"peakPpsBlocked", "peakPpsPassed", "totalBpsBlocked",
"totalBpsPassed", "totalBytesBlocked", "totalBytesPassed",
"totalPacketsBlocked", "totalPacketsPassed",
"totalPpsBlocked", "totalPpsPassed"
]
},
"errors": {
"type": "object",
"description": "Errors that occurred during the request or response, keyed by the invalid field name. For example, start.",
"properties": { },
"additionalProperties": { "type": "string" }
}
},
"required": ["data"]
}Get Total TrafficGET/api/v1/traffic/edge{?start,end}
Get timeseries data that represents the total amount of traffic within a given time period.
URI Parameters
- start
string(optional) Example: 2018-08-08T00:00:00ZThe start of the search time period, based on the alert timestamp. ISO 8601 format is required.
- end
string(optional) Example: 2018-08-09T00:00:00ZThe end of the search time period, based on the alert timestamp. ISO 8601 format is required.
Reports ¶
The Reports API allows access to the reporting features in Edge Defense Manager.
Reports List ¶
GET /api/v1/reports?page=1&pageSize=100&order=asc&orderBy=createdAt
Responses
Headers
Content-Type: application/jsonBody
{
"data": [
{
"id": 1,
"name": "Saved Report",
"createdBy": "admin",
"createdAt": "2018-02-01T00:00:00Z",
"modifiedBy": "admin",
"modifiedAt": "2018-02-01T00:00:00Z",
"start": "2018-02-01T00:00:00Z",
"end": "2018-02-01T00:00:00Z",
"status": "queued",
"errors": []
}
],
"totalCount": 1234,
"errors": []
}Schema
{
"$schema": "http://json-schema.org/draft-04/schema#",
"type": "object",
"properties": {
"data": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "number",
"description": "The ID of the report."
},
"name": {
"type": "string",
"description": "The name of the report."
},
"createdBy": {
"type": "string",
"description": "The username of the user who created the report."
},
"createdAt": {
"type": "string",
"description": "The time at which the report was created. ISO 8601 format."
},
"modifiedBy": {
"type": "string",
"description": "The username of the user who most recently modified the report."
},
"modifiedAt": {
"type": "string",
"description": "The time of the most recent changes to the report. ISO 8601 format."
},
"start": {
"type": "string",
"description": "The start of the time period for collecting the summarized data in the report. ISO 8601 format is required."
},
"end": {
"type": "string",
"description": "The end of the time period for collecting the summarized data in the report. ISO 8601 format is required."
},
"status": {
"type": "string",
"enum": [
"queued",
"processing",
"complete",
"error"
],
"description": "The status of the report."
},
"errors": {
"description": "Errors that occurred with the report.\n\n- Error message (string, required)\n An error message."
}
},
"required": [
"id",
"name",
"createdBy",
"createdAt",
"modifiedBy",
"modifiedAt",
"start",
"end",
"status"
]
}
},
"totalCount": {
"type": "number",
"description": "Total number of saved reports."
},
"errors": {
"description": "Errors that occurred during the request or response.\n\n- Error message (string, required)\n An error message."
}
}
}Reports ListGET/api/v1/reports{?page,pageSize,order,orderBy}
Get a condensed list of all reports.
URI Parameters
- page
number(optional) Default: 1 Example: 1The page number to return.
- pageSize
number(optional) Default: 25 Example: 100The number of records to return for each page.
- order
string(optional) Default: asc Example: ascThe sort direction.
- orderBy
string(optional) Default: id Example: createdAtThe field on which to sort.
Report ¶
Operations for fetching, creating, updating, and deleting reports.
GET /api/v1/reports/42
Responses
Headers
Content-Type: application/jsonBody
{
"data": {
"id": 1,
"name": "Saved Report",
"createdBy": "admin",
"createdAt": "2018-02-01T00:00:00Z",
"modifiedBy": "admin",
"modifiedAt": "2018-02-01T00:00:00Z",
"start": "2018-02-01T00:00:00Z",
"end": "2018-02-01T00:00:00Z",
"status": "queued",
"errors": []
},
"errors": []
}Schema
{
"$schema": "http://json-schema.org/draft-04/schema#",
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"id": {
"type": "number",
"description": "The ID of the report."
},
"name": {
"type": "string",
"description": "The name of the report."
},
"createdBy": {
"type": "string",
"description": "The username of the user who created the report."
},
"createdAt": {
"type": "string",
"description": "The time at which the report was created. ISO 8601 format."
},
"modifiedBy": {
"type": "string",
"description": "The username of the user who most recently modified the report."
},
"modifiedAt": {
"type": "string",
"description": "The time of the most recent changes to the report. ISO 8601 format."
},
"start": {
"type": "string",
"description": "The start of the time period for collecting the summarized data in the report. ISO 8601 format is required."
},
"end": {
"type": "string",
"description": "The end of the time period for collecting the summarized data in the report. ISO 8601 format is required."
},
"status": {
"type": "string",
"enum": [
"queued",
"processing",
"complete",
"error"
],
"description": "The status of the report."
},
"errors": {
"description": "Errors that occurred with the report.\n\n- Error message (string, required)\n An error message."
}
},
"required": [
"id",
"name",
"createdBy",
"createdAt",
"modifiedBy",
"modifiedAt",
"start",
"end",
"status"
]
},
"errors": {
"description": "Errors that occurred during the request or response.\n\n- Error message (string, required)\n An error message."
}
}
}Headers
Content-Type: application/jsonBody
{
"errors": [
{
"code": "NotFound",
"field": "Specified report [42] does not exist",
"message": "Specified report [42] does not exist"
}
],
"message": "Not Found."
}Get report statusGET/api/v1/reports/{id}
Get a report status by ID.
URI Parameters
- id
number(required) Example: 42The ID of the report status to retrieve.
GET /api/v1/reports/42/result
Responses
Headers
Content-Type: application/jsonBody
{
"parameters": {
"name": "Report Name",
"start": "2018-02-01T00:00:00Z",
"end": "2018-02-01T00:00:00Z"
},
"data": {
"id": 1,
"isEmpty": false,
"isPktDirectionUnknown": false,
"blockedConnectionCount": 4248977,
"alerts": {
"ddos": {
"total": 42,
"timeseries": [
{
"timestamp": "2018-02-01T00:00:00Z",
"data": {
"total": 42,
"blocked": 42,
"botnet": 42
}
}
],
"data": [
{
"start": "2018-02-01T00:00:00Z",
"end": "2018-02-01T00:00:00Z",
"type": "blocked",
"pgName": "Default PG"
}
]
}
},
"protectionGroups": {
"alerts": [
{
"name": "Default PG",
"count": 42
}
]
},
"sources": {
"blocked": [
{
"host": "8.8.8.8",
"count": 217
}
]
},
"destinations": {
"blocked": [
{
"host": "8.8.8.8",
"count": 217
}
]
},
"services": {
"blocked": [
{
"service": "DNS",
"connectionCount": 217,
"uniqueSourceCount": 2034,
"uniqueDestinationCount": 1757,
"topDestinations": [
{
"host": "8.8.8.8",
"count": 217
}
]
}
]
},
"annotations": {
"ddosSummary": "Some annotations",
"newInboundAlertGraph": "Some annotations",
"alertsOverTimeGraphs": "Some annotations",
"protectionGroups": "Some annotations",
"sourcesAndDestinations": "Some annotations",
"services": "Some annotations",
"destinationsByService": "Some annotations"
}
}
}Schema
{
"$schema": "http://json-schema.org/draft-04/schema#",
"type": "object",
"properties": {
"parameters": {
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "The name given to the report."
},
"start": {
"type": "string",
"description": "The start of the time period for collecting the summarized data in this report. ISO 8601 format is required.",
"default": "30 days before yesterday, midnight UTC."
},
"end": {
"type": "string",
"description": "The end of the time period for collecting the summarized data in this report. ISO 8601 format is required.",
"default": "Yesterday, midnight UTC."
}
},
"required": [
"name",
"start",
"end"
],
"description": "The parameters that were used to run this report."
},
"data": {
"type": "object",
"properties": {
"id": {
"type": "number",
"description": "The ID of the report."
},
"isEmpty": {
"type": "boolean",
"description": "True if the report contains no data."
},
"isPktDirectionUnknown": {
"type": "boolean",
"description": "True if one or more of the packets that are involved in the calculations do not have a direction."
},
"blockedConnectionCount": {
"type": "number",
"description": "The total number of blocked, flood-related connections."
},
"alerts": {
"type": "object",
"properties": {
"ddos": {
"type": "object",
"properties": {
"total": {
"type": "number",
"description": "An aggregated count of the new DDoS alerts that the connected AED devices triggered during the report time period."
},
"timeseries": {
"type": "array",
"items": {
"type": "object",
"properties": {
"timestamp": {
"type": "string",
"description": "The end time of this bin of alert counts. ISO 8601 format."
},
"data": {
"type": "object",
"properties": {
"total": {
"type": "number",
"description": "The number of alerts that were triggered by the total traffic in the time bin."
},
"blocked": {
"type": "number",
"description": "The number of the alerts that were triggered by blocked traffic in the time bin."
},
"botnet": {
"type": "number",
"description": "The number of the alerts that were triggered by botnet traffic in the time bin."
}
},
"required": [
"total",
"blocked",
"botnet"
]
}
},
"required": [
"timestamp",
"data"
]
},
"description": "The number of new DDoS alerts, aggregated and organized into binned timeseries data, where the bin size is determined by the report date range."
},
"data": {
"type": "array",
"items": {
"type": "object",
"properties": {
"start": {
"type": "string",
"description": "The time at which the alert started. ISO 8601 format."
},
"end": {
"type": "string",
"description": "The time at which the alert ended. ISO 8601 format. Empty if the alert is still ongoing."
},
"type": {
"type": "string",
"description": "The type of traffic that triggered the alert."
},
"pgName": {
"type": "string",
"description": "The name of the protection group associated with this alert."
}
},
"required": [
"start",
"end",
"type",
"pgName"
]
},
"description": "A list of all the DDoS alerts that were ongoing during the requested time period."
}
},
"required": [
"total",
"timeseries",
"data"
]
}
},
"required": [
"ddos"
]
},
"protectionGroups": {
"type": "object",
"properties": {
"alerts": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "The name of the protection group."
},
"count": {
"type": "number",
"description": "The total number of alerts for this protection group."
}
},
"required": [
"name",
"count"
]
},
"description": "The protection groups with the highest alert counts."
}
},
"required": [
"alerts"
],
"description": "The top protection groups per criteria."
},
"sources": {
"type": "object",
"properties": {
"blocked": {
"type": "array",
"items": {
"type": "object",
"properties": {
"host": {
"type": "string",
"description": "The IP address or hostname of the source."
},
"count": {
"type": "number",
"description": "The number of connections from the source that were blocked."
}
},
"required": [
"host",
"count"
]
},
"description": "The source addresses with the most blocked connections."
}
},
"required": [
"blocked"
],
"description": "The top source addresses by key."
},
"destinations": {
"type": "object",
"properties": {
"blocked": {
"type": "array",
"items": {
"type": "object",
"properties": {
"host": {
"type": "string",
"description": "The IP address or hostname of the destination."
},
"count": {
"type": "number",
"description": "The number of connections to the destination that were blocked."
}
},
"required": [
"host",
"count"
]
},
"description": "The destination addresses with the most blocked connections."
}
},
"required": [
"blocked"
],
"description": "The top destination addresses by key."
},
"services": {
"type": "object",
"properties": {
"blocked": {
"type": "array",
"items": {
"type": "object",
"properties": {
"service": {
"type": "string",
"description": "The service that was used."
},
"connectionCount": {
"type": "number",
"description": "The number of blocked connections that used this service."
},
"uniqueSourceCount": {
"type": "number",
"description": "Number of unique source IPs or hostnames for this service."
},
"uniqueDestinationCount": {
"type": "number",
"description": "Number of unique source IPs or hostnames for this service."
},
"topDestinations": {
"type": "array",
"items": {
"type": "object",
"properties": {
"host": {
"type": "string",
"description": "The IP address or hostname of the destination."
},
"count": {
"type": "number",
"description": "The number of connections to the destination that were blocked for this service."
}
},
"required": [
"host",
"count"
]
},
"description": "Top blocked destinations for this service."
}
},
"required": [
"service",
"connectionCount",
"uniqueSourceCount",
"uniqueDestinationCount",
"topDestinations"
]
},
"description": "The services on which the most connections were blocked."
}
},
"required": [
"blocked"
],
"description": "The top services by key."
},
"annotations": {
"type": "object",
"properties": {
"ddosSummary": {
"type": "string",
"description": "Annotations for the DDoS summary section."
},
"newInboundAlertGraph": {
"type": "string",
"description": "Annotations for the section with the new inbound DDoS alert graph."
},
"alertsOverTimeGraphs": {
"type": "string",
"description": "Annotations for the section with the inbound DDoS alerts over time graphs."
},
"protectionGroups": {
"type": "string",
"description": "Annotations for the protection groups section."
},
"sourcesAndDestinations": {
"type": "string",
"description": "Annotations for the top blocked sources & destinations section."
},
"services": {
"type": "string",
"description": "Annotations for the top blocked services section."
},
"destinationsByService": {
"type": "string",
"description": "Annotations for the top blocked destinations by services section."
}
},
"description": "Annotations for each report section."
}
},
"required": [
"id",
"isEmpty",
"isPktDirectionUnknown",
"blockedConnectionCount",
"alerts",
"protectionGroups",
"sources",
"destinations",
"services"
]
},
"errors": {
"description": "Errors that occurred during the request or response.\n\n- Error message (string, required)\n An error message."
}
},
"required": [
"parameters"
]
}Fetch report resultGET/api/v1/reports/{id}/result
Request the result for the specified summary report.
URI Parameters
- id
number(required) Example: 42The unique ID of the report to return or 0 to generate and return the results for a new 30-day report.
POST /api/v1/reports
Requests
Headers
Content-Type: application/jsonBody
{
"name": "Report Name",
"start": "2018-02-01T00:00:00Z",
"end": "2018-02-01T00:00:00Z"
}Schema
{
"$schema": "http://json-schema.org/draft-04/schema#",
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "A name for the report."
},
"start": {
"type": "string",
"description": "The start of the time period for collecting the summarized data in the report. ISO 8601 format is required.",
"default": "30 days before yesterday, midnight UTC."
},
"end": {
"type": "string",
"description": "The end of the time period for collecting the summarized data in the report. ISO 8601 format is required.",
"default": "Yesterday, midnight UTC."
}
},
"required": [
"name"
]
}Responses
Headers
Content-Type: application/jsonBody
{
"data": {
"id": 1,
"name": "Saved Report",
"createdBy": "admin",
"createdAt": "2018-02-01T00:00:00Z",
"modifiedBy": "admin",
"modifiedAt": "2018-02-01T00:00:00Z",
"start": "2018-02-01T00:00:00Z",
"end": "2018-02-01T00:00:00Z",
"status": "queued",
"errors": []
},
"errors": []
}Schema
{
"$schema": "http://json-schema.org/draft-04/schema#",
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"id": {
"type": "number",
"description": "The ID of the report."
},
"name": {
"type": "string",
"description": "The name of the report."
},
"createdBy": {
"type": "string",
"description": "The username of the user who created the report."
},
"createdAt": {
"type": "string",
"description": "The time at which the report was created. ISO 8601 format."
},
"modifiedBy": {
"type": "string",
"description": "The username of the user who most recently modified the report."
},
"modifiedAt": {
"type": "string",
"description": "The time of the most recent changes to the report. ISO 8601 format."
},
"start": {
"type": "string",
"description": "The start of the time period for collecting the summarized data in the report. ISO 8601 format is required."
},
"end": {
"type": "string",
"description": "The end of the time period for collecting the summarized data in the report. ISO 8601 format is required."
},
"status": {
"type": "string",
"enum": [
"queued",
"processing",
"complete",
"error"
],
"description": "The status of the report."
},
"errors": {
"description": "Errors that occurred with the report.\n\n- Error message (string, required)\n An error message."
}
},
"required": [
"id",
"name",
"createdBy",
"createdAt",
"modifiedBy",
"modifiedAt",
"start",
"end",
"status"
]
},
"errors": {
"description": "Errors that occurred during the request or response.\n\n- Error message (string, required)\n An error message."
}
}
}Create Summary ReportPOST/api/v1/reports
Create a new summary report.
PUT /api/v1/reports/42
Requests
Headers
Content-Type: application/jsonBody
{
"name": "Report Name",
"annotations": {
"ddosSummary": "Some annotations",
"newInboundAlertGraph": "Some annotations",
"alertsOverTimeGraphs": "Some annotations",
"protectionGroups": "Some annotations",
"sourcesAndDestinations": "Some annotations",
"services": "Some annotations",
"destinationsByService": "Some annotations"
}
}Schema
{
"$schema": "http://json-schema.org/draft-04/schema#",
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "A new name for the report."
},
"annotations": {
"type": "object",
"properties": {
"ddosSummary": {
"type": "string",
"description": "Annotations for the DDoS summary section."
},
"newInboundAlertGraph": {
"type": "string",
"description": "Annotations for the section with the new inbound DDoS alert graph."
},
"alertsOverTimeGraphs": {
"type": "string",
"description": "Annotations for the section with the inbound DDoS alerts over time graphs."
},
"protectionGroups": {
"type": "string",
"description": "Annotations for the protection groups section."
},
"sourcesAndDestinations": {
"type": "string",
"description": "Annotations for the top blocked sources & destinations section."
},
"services": {
"type": "string",
"description": "Annotations for the top blocked services section."
},
"destinationsByService": {
"type": "string",
"description": "Annotations for the top blocked destinations by services section."
}
},
"required": [
"ddosSummary",
"newInboundAlertGraph",
"alertsOverTimeGraphs",
"protectionGroups",
"sourcesAndDestinations",
"services",
"destinationsByService"
]
}
},
"required": [
"name",
"annotations"
]
}Responses
Headers
Content-Type: application/jsonBody
{
"data": {
"id": 1,
"name": "Saved Report",
"createdBy": "admin",
"createdAt": "2018-02-01T00:00:00Z",
"modifiedBy": "admin",
"modifiedAt": "2018-02-01T00:00:00Z",
"start": "2018-02-01T00:00:00Z",
"end": "2018-02-01T00:00:00Z",
"status": "queued",
"errors": []
},
"errors": []
}Schema
{
"$schema": "http://json-schema.org/draft-04/schema#",
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"id": {
"type": "number",
"description": "The ID of the report."
},
"name": {
"type": "string",
"description": "The name of the report."
},
"createdBy": {
"type": "string",
"description": "The username of the user who created the report."
},
"createdAt": {
"type": "string",
"description": "The time at which the report was created. ISO 8601 format."
},
"modifiedBy": {
"type": "string",
"description": "The username of the user who most recently modified the report."
},
"modifiedAt": {
"type": "string",
"description": "The time of the most recent changes to the report. ISO 8601 format."
},
"start": {
"type": "string",
"description": "The start of the time period for collecting the summarized data in the report. ISO 8601 format is required."
},
"end": {
"type": "string",
"description": "The end of the time period for collecting the summarized data in the report. ISO 8601 format is required."
},
"status": {
"type": "string",
"enum": [
"queued",
"processing",
"complete",
"error"
],
"description": "The status of the report."
},
"errors": {
"description": "Errors that occurred with the report.\n\n- Error message (string, required)\n An error message."
}
},
"required": [
"id",
"name",
"createdBy",
"createdAt",
"modifiedBy",
"modifiedAt",
"start",
"end",
"status"
]
},
"errors": {
"description": "Errors that occurred during the request or response.\n\n- Error message (string, required)\n An error message."
}
}
}Update Existing ReportPUT/api/v1/reports/{id}
Update a summary report.
URI Parameters
- id
number(required) Example: 42The ID of the report to update.
PATCH /api/v1/reports/42
Requests
Headers
Content-Type: application/jsonBody
{
"name": "Report Name",
"annotations": {
"ddosSummary": "Some annotations",
"newInboundAlertGraph": "Some annotations",
"alertsOverTimeGraphs": "Some annotations",
"protectionGroups": "Some annotations",
"sourcesAndDestinations": "Some annotations",
"services": "Some annotations",
"destinationsByService": "Some annotations"
}
}Schema
{
"$schema": "http://json-schema.org/draft-04/schema#",
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "A new name for the report."
},
"annotations": {
"type": "object",
"properties": {
"ddosSummary": {
"type": "string",
"description": "Annotations for the DDoS summary section."
},
"newInboundAlertGraph": {
"type": "string",
"description": "Annotations for the section with the new inbound DDoS alert graph."
},
"alertsOverTimeGraphs": {
"type": "string",
"description": "Annotations for the section with the inbound DDoS alerts over time graphs."
},
"protectionGroups": {
"type": "string",
"description": "Annotations for the protection groups section."
},
"sourcesAndDestinations": {
"type": "string",
"description": "Annotations for the top blocked sources & destinations section."
},
"services": {
"type": "string",
"description": "Annotations for the top blocked services section."
},
"destinationsByService": {
"type": "string",
"description": "Annotations for the top blocked destinations by services section."
}
}
}
}
}Responses
Headers
Content-Type: application/jsonBody
{
"data": {
"id": 1,
"name": "Saved Report",
"createdBy": "admin",
"createdAt": "2018-02-01T00:00:00Z",
"modifiedBy": "admin",
"modifiedAt": "2018-02-01T00:00:00Z",
"start": "2018-02-01T00:00:00Z",
"end": "2018-02-01T00:00:00Z",
"status": "queued",
"errors": []
},
"errors": []
}Schema
{
"$schema": "http://json-schema.org/draft-04/schema#",
"type": "object",
"properties": {
"data": {
"type": "object",
"properties": {
"id": {
"type": "number",
"description": "The ID of the report."
},
"name": {
"type": "string",
"description": "The name of the report."
},
"createdBy": {
"type": "string",
"description": "The username of the user who created the report."
},
"createdAt": {
"type": "string",
"description": "The time at which the report was created. ISO 8601 format."
},
"modifiedBy": {
"type": "string",
"description": "The username of the user who most recently modified the report."
},
"modifiedAt": {
"type": "string",
"description": "The time of the most recent changes to the report. ISO 8601 format."
},
"start": {
"type": "string",
"description": "The start of the time period for collecting the summarized data in the report. ISO 8601 format is required."
},
"end": {
"type": "string",
"description": "The end of the time period for collecting the summarized data in the report. ISO 8601 format is required."
},
"status": {
"type": "string",
"enum": [
"queued",
"processing",
"complete",
"error"
],
"description": "The status of the report."
},
"errors": {
"description": "Errors that occurred with the report.\n\n- Error message (string, required)\n An error message."
}
},
"required": [
"id",
"name",
"createdBy",
"createdAt",
"modifiedBy",
"modifiedAt",
"start",
"end",
"status"
]
},
"errors": {
"description": "Errors that occurred during the request or response.\n\n- Error message (string, required)\n An error message."
}
}
}Partially Update an Existing ReportPATCH/api/v1/reports/{id}
Make partial updates to a report that is connected to Edge Defense Manager.
URI Parameters
- id
number(required) Example: 42The ID of the report to update.
DELETE /api/v1/reports/42
Responses
This response has no content.
Delete a ReportDELETE/api/v1/reports/{id}
Delete a report by ID.
URI Parameters
- id
number(required) Example: 42The ID of the report to delete.
Contextual Threat Intelligence ¶
The CTI API provides access to contextual intelligence about the indicators that are reported in feeds from the Arbor Threat Intelligence Team (ASERT).
Get Indicator Insights ¶
GET /api/v1/cti/insights?indicatorValue=1.2.3.4
Responses
Headers
Content-Type: application/jsonBody
{
"message": "",
"data": {
"ecosystem": [
{
"time": "2018-02-01T00:00:00.000Z",
"numAedsSeenOn": 15,
"numCustomersSeenOn": 3,
"ecosystemSize": 0.679688,
"numVerticalsSeenOn": 5,
"verticalsSeenOn": []
}
],
"vertical": {
"results": {
"telecom": [
"2018-02-01T00:00:00.000Z",
"2018-03-01T00:00:00.000Z"
]
},
"status": {
"sources": [
"atlas"
]
}
},
"networkHistory": {
"results": [
{
"collected": "2018-08-24 20:54:31",
"firstSeen": "2014-09-10T17:42:06",
"lastSeen": "2018-08-24T01:16:21",
"recordHash": "8a84a47a4d7495678a957aeea219a4fdef811b085cac55fbd52e9d403f1d1069",
"recordType": "A",
"resolve": "69.46.38.42",
"resolveType": "ip",
"source": "riskiq",
"value": "littlepeople.net"
}
],
"status": {
"sources": [
"riskiq",
"asert"
],
"firstSeen": "2014-09-10T17:42:06",
"lastSeen": "2018-08-24T01:16:21",
"totalRecords": 7
}
},
"malwareHistory": {
"results": [
{
"md5": [
"b635b4dac7595ee7e4723416cf3307cd"
],
"sha1": [
"ccdc075a5c51aef0f382c701c873ae4fb23d4873"
],
"sha256": [
"fd9a64e31bd16b4733192054bf0cd63cc0acbf0d2b7d4a20ff1a3654e4723e81"
],
"dnsLookups": [
{
"host": "lidgeys.ru",
"cname": "null",
"addr": "91.223.82.29"
}
],
"avDetections": [
{
"engine": "Norman",
"detection": "Kryptik.CFAG"
}
],
"sampleTags": [
"pramro",
"gamarue",
"betabot"
],
"samples": [
{
"id": 19578643,
"submitted": "2015-04-09T13:28:04",
"md5": "b635b4dac7595ee7e4723416cf3307cd",
"sampleTags": [
"pramro",
"gamarue"
],
"dnsLookups": [
{
"host": "lidgeys.ru",
"cname": "null",
"addr": "91.223.82.29"
}
]
}
]
}
],
"status": {
"sources": [
"asert"
]
}
},
"dnsResolution": {
"results": [
{
"host": "69.46.38.42",
"recordType": "a"
}
],
"status": {
"sources": [
"84.200.69.80",
"37.235.1.174",
"84.200.70.40",
"37.235.1.177"
]
}
},
"openPorts": {
"results": [
{
"54.68.226.153": [
80,
443
]
}
],
"status": {
"sources": [
"shodan"
],
"totalRecords": 3
}
},
"geoLocation": {
"results": [
{
"103.53.40.33": "IN"
}
],
"status": {
"sources": [
"maxmind"
],
"totalRecords": 1
}
},
"sources": {
"asert": {
"creds": false,
"errors": "\"\"",
"success": false
},
"atlas": {
"creds": false,
"errors": "\"\"",
"success": false
},
"maxmind": {
"creds": false,
"errors": "\"\"",
"success": false
},
"riskiq": {
"creds": false,
"errors": "\"\"",
"success": false
},
"shodan": {
"creds": false,
"errors": "\"\"",
"success": false
}
}
}
}Schema
{
"$schema": "http://json-schema.org/draft-04/schema#",
"type": "object",
"properties": {
"message": {
"type": "string"
},
"data": {
"type": "object",
"properties": {
"ecosystem": {
"type": "array",
"items": {
"type": "object",
"properties": {
"time": {
"type": "string",
"description": "The start time of an individual observation period. Default = 1 observation period per month, going back 6 months."
},
"numAedsSeenOn": {
"type": "number"
},
"numCustomersSeenOn": {
"type": "number"
},
"ecosystemSize": {
"type": "number",
"description": "A number from 0.0 to 1.0, scaled based on the maximum number of AEDs in the ecosystem during all the observation periods."
},
"numVerticalsSeenOn": {
"type": "number"
},
"verticalsSeenOn": {}
},
"required": [
"time",
"numAedsSeenOn",
"numCustomersSeenOn",
"ecosystemSize",
"numVerticalsSeenOn",
"verticalsSeenOn"
]
}
},
"vertical": {
"type": "object",
"properties": {
"results": {
"type": "object",
"properties": {
"telecom": {
"type": "array",
"description": "The vertical markets in which the indicator was seen, as a key-value pair of vertical name: observation periods."
}
}
},
"status": {
"type": "object",
"properties": {
"sources": {
"type": "array"
}
},
"required": [
"sources"
]
}
},
"required": [
"results",
"status"
]
},
"networkHistory": {
"type": "object",
"properties": {
"results": {
"type": "array",
"items": {
"type": "object",
"properties": {
"collected": {
"type": "string",
"description": "The date on which the results were collected, returned with riskiq results only."
},
"firstSeen": {
"type": "string"
},
"lastSeen": {
"type": "string"
},
"recordHash": {
"type": "string",
"description": "A hash of the entire JSON record, returned with riskiq results only."
},
"recordType": {
"type": "string",
"description": "The type of DNS record, returned with riskiq results only."
},
"resolve": {
"type": "string",
"description": "An individual DNS resolution."
},
"resolveType": {
"type": "string",
"enum": [
"ip",
"domain"
]
},
"source": {
"type": "string",
"enum": [
"riskiq",
"asert"
],
"description": "Indicates whether the correlations are from riskIQ or ASERT's malware sandboxing pipeline."
},
"value": {
"type": "string"
}
},
"required": [
"firstSeen",
"lastSeen",
"resolve",
"resolveType",
"source",
"value"
]
}
},
"status": {
"type": "object",
"properties": {
"sources": {
"type": "array"
},
"firstSeen": {
"type": "string"
},
"lastSeen": {
"type": "string"
},
"totalRecords": {
"type": "number"
}
},
"required": [
"sources",
"totalRecords"
]
}
},
"required": [
"results",
"status"
]
},
"malwareHistory": {
"type": "object",
"properties": {
"results": {
"type": "array",
"items": {
"type": "object",
"properties": {
"md5": {
"type": "array"
},
"sha1": {
"type": "array"
},
"sha256": {
"type": "array"
},
"dnsLookups": {
"type": "array",
"items": {
"type": "object",
"properties": {
"host": {
"type": "string",
"description": "The domain or hostname that was looked up during sandboxing."
},
"cname": {
"type": [
"string",
"null"
],
"description": "The CNAME DNS reponse."
},
"addr": {
"type": "string",
"description": "The IP address that was resolved from the DNS lookup."
}
}
}
},
"avDetections": {
"type": "array"
},
"sampleTags": {
"type": "array"
},
"samples": {
"type": "array"
}
},
"required": [
"md5",
"sha1",
"sha256",
"dnsLookups",
"avDetections",
"sampleTags",
"samples"
]
}
},
"status": {
"type": "object",
"properties": {
"sources": {
"type": "array"
}
},
"required": [
"sources"
]
}
},
"required": [
"results",
"status"
]
},
"dnsResolution": {
"type": "object",
"properties": {
"results": {
"type": "array",
"items": {
"type": "object",
"properties": {
"host": {
"type": "string",
"description": "The result of DNS resolution of the indicator, as an IP address if the indicator is a domain or hostname, or as a hostname if the indicator an IP address."
},
"recordType": {
"type": "string",
"enum": [
"a",
"ptr"
],
"description": "Indicates the type of record: A if resolving a domain or hostname, or PTR if resolving an IP address."
}
},
"required": [
"host",
"recordType"
]
}
},
"status": {
"type": "object",
"properties": {
"sources": {
"type": "array",
"description": "A list of the DNS servers that were used to look up a domain, hostname, or IP address."
}
},
"required": [
"sources"
],
"additionalProperties": false
}
},
"required": [
"results",
"status"
]
},
"openPorts": {
"type": "object",
"properties": {
"results": {
"type": "array",
"items": {
"type": "object",
"properties": {
"54.68.226.153": {
"type": "array",
"description": "The open ports on the IP address resolved from the indicator, as a key-value pair of IP address: list of open ports."
}
},
"required": [
"54.68.226.153"
]
}
},
"status": {
"type": "object",
"properties": {
"sources": {
"type": "array"
},
"totalRecords": {
"type": "number"
}
},
"required": [
"sources",
"totalRecords"
]
}
},
"required": [
"results",
"status"
]
},
"geoLocation": {
"type": "object",
"properties": {
"results": {
"type": "array",
"items": {
"type": "object",
"properties": {
"103.53.40.33": {
"type": "string",
"description": "The location of the indicator based on resolved IP address, as a key-value pair of IP address: country code."
}
},
"required": [
"103.53.40.33"
]
}
},
"status": {
"type": "object",
"properties": {
"sources": {
"type": "array"
},
"totalRecords": {
"type": "number"
}
},
"required": [
"sources",
"totalRecords"
]
}
},
"required": [
"results",
"status"
]
},
"sources": {
"type": "object",
"properties": {
"asert": {
"type": "object",
"properties": {
"creds": {
"type": "boolean"
},
"errors": {
"type": "string"
},
"success": {
"type": "boolean"
}
},
"required": [
"creds",
"errors",
"success"
]
},
"atlas": {
"type": "object",
"properties": {
"creds": {
"type": "boolean"
},
"errors": {
"type": "string"
},
"success": {
"type": "boolean"
}
},
"required": [
"creds",
"errors",
"success"
]
},
"maxmind": {
"type": "object",
"properties": {
"creds": {
"type": "boolean"
},
"errors": {
"type": "string"
},
"success": {
"type": "boolean"
}
},
"required": [
"creds",
"errors",
"success"
]
},
"riskiq": {
"type": "object",
"properties": {
"creds": {
"type": "boolean"
},
"errors": {
"type": "string"
},
"success": {
"type": "boolean"
}
},
"required": [
"creds",
"errors",
"success"
]
},
"shodan": {
"type": "object",
"properties": {
"creds": {
"type": "boolean"
},
"errors": {
"type": "string"
},
"success": {
"type": "boolean"
}
},
"required": [
"creds",
"errors",
"success"
]
}
},
"required": [
"asert",
"atlas",
"maxmind",
"riskiq",
"shodan"
],
"description": "A list of data sources and their responsiveness."
}
},
"required": [
"ecosystem",
"vertical",
"networkHistory",
"malwareHistory",
"dnsResolution",
"openPorts",
"geoLocation",
"sources"
]
}
},
"required": [
"message",
"data"
]
}Get Indicator InsightsGET/api/v1/cti/insights{?indicatorValue}
Collect contextual intelligence from the ASERT sandbox, ATLAS data, live DNS lookups, and other third party APIs to obtain more information about an indicator. For data to be returned, users must configure API tokens in Edge Defense Manager for the third party APIs.
URI Parameters
- indicatorValue
string(required) Example: 1.2.3.4The domain, IP address, or HTTP URI for which to receive intelligence.
CTI Configuration ¶
GET /api/v1/configuration/cti
Responses
Headers
Content-Type: application/jsonBody
{
"message": "",
"data": {
"cti_token": "secret-cti-token",
"passivetotal_token": "secret-passivetotal-token",
"passivetotal_user": "you@my-company.com",
"shodan_token": "secret-shodan-token"
}
}Schema
{
"$schema": "http://json-schema.org/draft-04/schema#",
"type": "object",
"properties": {
"message": {
"type": "string"
},
"data": {
"type": "object",
"properties": {
"cti_token": {
"type": "string",
"description": "An API token that is provided by the Arbor Threat Intelligence Team (ASERT) for access to the Contextual Threat Intelligence API."
},
"passivetotal_token": {
"type": "string",
"description": "An API token that is provided by RiskIQ for access to PassiveTotal data."
},
"passivetotal_user": {
"type": "string",
"description": "The user name or email address that is required to access RiskIQ PassiveTotal."
},
"shodan_token": {
"type": "string",
"description": "An API token that is provided by Shodan for access to its data."
}
},
"required": [
"cti_token",
"passivetotal_token",
"passivetotal_user",
"shodan_token"
]
}
},
"required": [
"message",
"data"
]
}Get CTI ConfigurationGET/api/v1/configuration/cti
Retrieve the current Contextual Threat Intelligence configuration.
POST /api/v1/configuration/cti
Requests
Headers
Content-Type: application/jsonBody
{
"cti_token": "secret-cti-token",
"passivetotal_token": "secret-passivetotal-token",
"passivetotal_user": "you@my-company.com",
"shodan_token": "secret-shodan-token"
}Schema
{
"$schema": "http://json-schema.org/draft-04/schema#",
"type": "object",
"properties": {
"cti_token": {
"type": "string",
"description": "An API token that is provided by the Arbor Threat Intelligence Team (ASERT) for access to the Contextual Threat Intelligence API."
},
"passivetotal_token": {
"type": "string",
"description": "An API token that is provided by RiskIQ for access to PassiveTotal data. You must obtain a PassiveTotal account."
},
"passivetotal_user": {
"type": "string",
"description": "The user name or email address that is required to access RiskIQ PassiveTotal. You must obtain a PassiveTotal account."
},
"shodan_token": {
"type": "string",
"description": "An API token that is provided by Shodan for access to its data. You must obtain a Shodan account."
}
}
}Responses
Headers
Content-Type: application/jsonBody
{
"message": "Success!",
"data": {}
}Schema
{
"$schema": "http://json-schema.org/draft-04/schema#",
"type": "object",
"properties": {
"message": {
"type": "string"
},
"data": {
"type": "object",
"properties": {}
}
}
}Update CTI ConfigurationPOST/api/v1/configuration/cti
Update the Contextual Threat Intelligence configuration. All fields are optional; however, some fields may be required for service functionality. For example, if you do not provide a CTI API token, then access to the Contextual Threat Intelligence Insights API is unavailable and the service is disabled.
Obtain accounts for RiskIQ PassiveTotal and Shodan, and then configure them during the Edge Defense Manager setup. NETSCOUT does not provide you with accounts for these services.
Generated by aglio on 04 Dec 2020