Edge Defense Manager API

API Endpoint

Use the Edge Defense Manager API to access data collected by our services.

An API token is required to access these endpoints.

To use the token, include it in the X-Arbux-APIToken header of the request.

Example:

curl -X GET -H "X-Arbux-APIToken: <token>" https://hostname/api/v1/devices

Alerts

The Alerts API provides access to an aggregation of the alerts that are generated by the Arbor Edge Defense (AED) devices that are connected to Edge Defense Manager.

Threats

GET /api/v1/alerts/threats?size=1000&skip=0&descriptions=true&sort=-time,pkt.src,-pkt.dport&start=2018-08-08T00:00:00Z&end=2018-08-09T00:00:00Z&q=pkt.proto:tcp and -pkt.appStr:http&aggregate=reason&agg_type=groupby
Response 200
Headers
Content-Type: application/json
Body
{
  "message": "",
  "data": {
    "hits": [
      {
        "pkt": {
          "src": "1.2.3.4",
          "dst": "5.6.7.8",
          "srcPort": 18440,
          "dstPort": 80,
          "proto": "tcp",
          "appStr": "http",
          "direction": "inbound"
        },
        "threatIntel": {
          "indicatorUid": 11851842,
          "threatTypes": [
            "FormBook"
          ],
          "threatDstPorts": [
            80
          ],
          "confidence": 81,
          "direction": "inbound",
          "indicator": "http%3A//www.bibliographyqvco.party/ne/",
          "threatCategories": [
            "Credential Theft",
            "Spyware",
            "Banking",
            "HTTP"
          ],
          "threatClassifications": [
            "Command and Control",
            "Malware"
          ],
          "severity": 5,
          "indicatorType": "http.request.uri"
        },
        "reason": "ATLAS Threat Categories",
        "pgid": 42,
        "pgName": "Default Protection Group",
        "pgServerName": "Generic Server",
        "time": "2018-07-31T20:00:30Z",
        "hostname": "my-aed",
        "hostIp": "10.1.2.3",
        "_id": "AWTx7ZUFVkcUx98hsmLI"
      }
    ],
    "totalSize": 123,
    "currSize": 5,
    "threatDescriptions": {},
    "timeline": {
      "interval": 3600,
      "windows": [
        {
          "window": "2018-08-08T00:00:00Z",
          "bins": {}
        }
      ]
    },
    "_app_distro": {
      "connectionCount": 0,
      "uniqueSrcCount": 0,
      "uniqueDstCount": 0,
      "destinations": [
        {
          "dst": "",
          "connectionCount": 0,
          "uniqueSrcCount": 0
        }
      ]
    },
    "_app_distro_timeline": {
      "interval": 3600,
      "windows": [
        {
          "window": "2018-08-08T00:00:00Z",
          "_app_distro": {}
        }
      ]
    }
  }
}
Schema
{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "type": "object",
  "properties": {
    "message": {
      "type": "string"
    },
    "data": {
      "type": "object",
      "properties": {
        "hits": {
          "type": "array",
          "items": {
            "type": "object",
            "properties": {
              "pkt": {
                "type": "object",
                "properties": {
                  "src": {
                    "type": "string"
                  },
                  "dst": {
                    "type": "string"
                  },
                  "srcPort": {
                    "type": "number"
                  },
                  "dstPort": {
                    "type": "number"
                  },
                  "proto": {
                    "type": "string"
                  },
                  "appStr": {
                    "type": "string"
                  },
                  "direction": {
                    "type": "string"
                  }
                },
                "required": [
                  "src",
                  "dst",
                  "srcPort",
                  "dstPort",
                  "proto",
                  "appStr",
                  "direction"
                ],
                "description": "The packet that triggered the message."
              },
              "threatIntel": {
                "type": "object",
                "properties": {
                  "indicatorUid": {
                    "type": [
                      "number",
                      "null"
                    ]
                  },
                  "threatTypes": {
                    "type": "array"
                  },
                  "threatDstPorts": {
                    "type": "array"
                  },
                  "confidence": {
                    "type": [
                      "number",
                      "null"
                    ],
                    "description": "The confidence of the threat intel. 1-59: Low, 60-79: Medium, 80-100: High."
                  },
                  "direction": {
                    "type": [
                      "string",
                      "null"
                    ]
                  },
                  "indicator": {
                    "type": [
                      "string",
                      "null"
                    ]
                  },
                  "threatCategories": {
                    "type": "array"
                  },
                  "threatClassifications": {
                    "type": "array"
                  },
                  "severity": {
                    "type": [
                      "number",
                      "null"
                    ],
                    "description": "The severity of the threat. 1-3: Low, 4-6: Medium, 7-9: High."
                  },
                  "indicatorType": {
                    "type": [
                      "string",
                      "null"
                    ]
                  }
                },
                "required": [
                  "indicatorUid",
                  "threatTypes",
                  "threatDstPorts",
                  "confidence",
                  "direction",
                  "indicator",
                  "threatCategories",
                  "threatClassifications",
                  "severity",
                  "indicatorType"
                ],
                "description": "Intelligence gathered from AIF, which is present only if the packet matches an ATLAS Threat Category."
              },
              "reason": {
                "type": "string",
                "description": "The reason why the message was generated."
              },
              "pgid": {
                "type": [
                  "number",
                  "null"
                ],
                "description": "The AED protection group that is associated with the message, if any."
              },
              "pgName": {
                "type": [
                  "string",
                  "null"
                ],
                "description": "The name of the associated protection group, if any."
              },
              "pgServerName": {
                "type": [
                  "string",
                  "null"
                ],
                "description": "The server type for the associated protection group, if any."
              },
              "time": {
                "type": "string",
                "description": "The time at which the message was generated."
              },
              "hostname": {
                "type": "string",
                "description": "The hostname of the AED device from which the message was collected."
              },
              "hostIp": {
                "type": "string",
                "description": "The IP address of the AED device from which the message was collected."
              },
              "_id": {
                "type": "string",
                "description": "An internal identifier for the message."
              }
            },
            "required": [
              "pkt",
              "threatIntel",
              "reason",
              "time",
              "hostname",
              "hostIp",
              "_id"
            ]
          },
          "description": "An array of messages where each message is a specific type of alert"
        },
        "totalSize": {
          "type": "number",
          "description": "The total number of alerts that matched the query parameters."
        },
        "currSize": {
          "type": "number",
          "description": "The number of alerts returned (length of `hits`)."
        },
        "threatDescriptions": {
          "type": "object",
          "properties": {},
          "description": "Long descriptions of threatIntel.threatTypes for ATLAS matches, one entry for each unique threat type returned in the results."
        },
        "bins": {
          "type": "object",
          "properties": {},
          "description": "An object that contains aggregated field counts by the specified `aggregate` parameter. This object is included only if `aggregate` is defined and `agg_type=groupby`."
        },
        "timeline": {
          "type": "object",
          "properties": {
            "interval": {
              "type": "number",
              "description": "The number of seconds that each window encompasses."
            },
            "windows": {
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "window": {
                    "type": "string",
                    "description": "The timestamp that marks this window."
                  },
                  "bins": {
                    "type": "object",
                    "properties": {},
                    "description": "The value counts for the field that is aggregated"
                  }
                },
                "required": [
                  "window",
                  "bins"
                ]
              }
            }
          },
          "required": [
            "interval",
            "windows"
          ],
          "description": "An object that contains timeseries data for a field that is specified by the `aggregate` parameter. This object is included only if `aggregate` is defined and `agg_type=timeline`."
        },
        "_app_distro": {
          "type": "object",
          "properties": {
            "connectionCount": {
              "type": "number",
              "description": "The number of blocked connections."
            },
            "uniqueSrcCount": {
              "type": "number",
              "description": "The number of unique source connections."
            },
            "uniqueDstCount": {
              "type": "number",
              "description": "The number of unique destination connections."
            },
            "destinations": {
              "type": "array",
              "description": "An array of the top 100 destination IP addresses."
            }
          },
          "required": [
            "connectionCount",
            "uniqueSrcCount",
            "uniqueDstCount",
            "destinations"
          ],
          "description": "An object that contains the counts of blocked connections, unique sources, and unique destinations for each of the top 100 applications. For each destination IP address in each application, the object also contains the number of blocked connections and unique sources."
        },
        "_app_distro_timeline": {
          "type": "object",
          "properties": {
            "interval": {
              "type": "number",
              "description": "The number of seconds that each window encompasses."
            },
            "windows": {
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "window": {
                    "type": "string",
                    "description": "The timestamp that marks this window."
                  },
                  "_app_distro": {
                    "type": "object",
                    "properties": {},
                    "description": "The value counts for the field that is aggregated."
                  }
                },
                "required": [
                  "window",
                  "_app_distro"
                ]
              }
            }
          },
          "required": [
            "interval",
            "windows"
          ],
          "description": "An object that contains timeseries data for the blocked connections, unique sources, and unique destinations for each of the top 100 applications. The timeseries data includes the blocked connections and unique sources for each destination IP address in each application."
        }
      },
      "required": [
        "hits",
        "totalSize",
        "currSize"
      ]
    }
  },
  "required": [
    "message",
    "data"
  ]
}

Threats
GET /api/v1/alerts/threats{?size,skip,descriptions,sort,start,end,q,aggregate,agg_type}

Get the threats that were blocked by the connected AED devices.

If the q parameter is not used, then any field that is not a static parameter will be used as a filter field. All dynamic parameters are joined with ANDs. Example:

/api/v1/alerts/threats?size=5&pkt.src=102.91.47.69&pkt.sport=53
URI Parameters
size
number (optional) Default: 100 Example: 1000

The maximum number of matches to return.

skip
number (optional) Example: 0

The number of records to skip before returning results. You can use this parameter to paginate the results.

descriptions
boolean (optional) Default: true Example: true

Indicates whether the response should include threatDescriptions.

sort
string (optional) Default: -time Example: -time,pkt.src,-pkt.dport

A comma-separated list of field names for sorting the query results. The fields are sorted from left to right. Prefix a field name with - to sort that field’s values in descending order, otherwise the field values are sorted in ascending order.

start
string or number (optional) Default: 24 hours ago Example: 2018-08-08T00:00:00Z

The start of the query time period. ISO 8601 format or epoch seconds is required.

end
string or number (optional) Default: now Example: 2018-08-09T00:00:00Z

The end of the query time period. ISO 8601 format or epoch seconds is required.

q
string (optional) Example: pkt.proto:tcp and -pkt.appStr:http

A Lucene-syntax query string. If this string is provided, then the dynamic parameters are ignored and only the Lucene query is used to filter the results.

aggregate
string (optional) Example: reason

Generates an aggregation for the specified field within the requested time period. This feature requires that the agg_type parameter is included.

  • _app_distro: A predefined aggregation that counts the number of blocked connections by application. The aggregation also examines the distribution of the unique connection endpoints by doing a cardinality count of the source and destination IP addresses.
    • If specified with agg_type=groupby, the results appear in data._app_distro.
    • If specified with agg_type=timeline, the results appear in data._app_distro_timeline.
agg_type
string (optional) Example: groupby

The aggregation method to use if the aggregate parameter is included.

  • groupby generates an aggregated count for all members of the specified field within the requested time period. The results appear in data.bins.

  • timeline generates a timeseries that breaks down counts for the specified field within the requested time period. The results appear in data.timeline.

Choices: groupby timeline
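
The parameter rules above (static versus dynamic filter parameters, q overriding the filters, aggregate requiring agg_type, and size/skip pagination against totalSize) as a Python client helper. This is an added example, not code from the product documentation: the helper names, the fetch callable that stands in for the HTTP request, and the sample hits are constructed for illustration, and the confidence and severity bands are the ones given in the schema descriptions.

```python
from urllib.parse import quote, urlencode

# Static parameters listed under "URI Parameters"; any other name is a filter field.
STATIC_PARAMS = {"size", "skip", "descriptions", "sort", "start", "end",
                 "q", "aggregate", "agg_type"}
# Bands from the schema descriptions of threatIntel.confidence and .severity.
CONFIDENCE_BANDS = (("Low", 1, 59), ("Medium", 60, 79), ("High", 80, 100))
SEVERITY_BANDS = (("Low", 1, 3), ("Medium", 4, 6), ("High", 7, 9))


def build_threats_url(base, static=None, filters=None):
    """Build a percent-encoded request URL for /api/v1/alerts/threats."""
    static, filters = dict(static or {}), dict(filters or {})
    unknown = set(static) - STATIC_PARAMS
    if unknown:
        raise ValueError("not a static parameter: %s" % sorted(unknown))
    if set(filters) & STATIC_PARAMS:
        raise ValueError("static parameter passed as a filter field")
    if "q" in static and filters:
        # The API ignores dynamic parameters when q is present, so fail loudly
        # instead of sending a filter that silently does nothing.
        raise ValueError("q is set: the dynamic filters would be ignored")
    if "aggregate" in static and static.get("agg_type") not in ("groupby", "timeline"):
        raise ValueError("aggregate requires agg_type=groupby or agg_type=timeline")
    merged = {**static, **filters}
    params = {k: (str(v).lower() if isinstance(v, bool) else v)
              for k, v in merged.items()}
    # quote_via=quote encodes spaces as %20, so a Lucene query survives intact.
    query = urlencode(params, quote_via=quote)
    return base.rstrip("/") + "/api/v1/alerts/threats?" + query


def iter_hits(fetch, size=100):
    """Yield every hit, advancing skip until totalSize records were seen.

    fetch(size=..., skip=...) is a stand-in (assumption) for the authenticated
    GET request; it must return the decoded JSON response body.
    """
    skip = 0
    while True:
        data = fetch(size=size, skip=skip)["data"]
        hits = data["hits"]
        yield from hits
        skip += len(hits)
        if not hits or skip >= data["totalSize"]:
            return


def band(value, bands):
    """Map a numeric score to its band; null (None) or out-of-range is Unknown."""
    if value is None:
        return "Unknown"
    for label, low, high in bands:
        if low <= value <= high:
            return label
    return "Unknown"


def triage(hit):
    """Reduce one hit to the fields an analyst sorts on first."""
    intel = hit.get("threatIntel") or {}
    return {
        "id": hit["_id"],
        "src": hit["pkt"]["src"],
        "confidence": band(intel.get("confidence"), CONFIDENCE_BANDS),
        "severity": band(intel.get("severity"), SEVERITY_BANDS),
    }


def make_hit(i, confidence, severity):
    """Constructed sample hit using documentation-range addresses."""
    return {"_id": "constructed-%d" % i, "pkt": {"src": "192.0.2.%d" % i},
            "threatIntel": {"confidence": confidence, "severity": severity}}


# Constructed data: five hits, one with null scores as the schema allows.
SAMPLE_HITS = [make_hit(1, 81, 5), make_hit(2, 40, 8), make_hit(3, None, None),
               make_hit(4, 60, 3), make_hit(5, 100, 9)]


def fake_fetch(size, skip):
    """Offline stand-in for the API: pages through SAMPLE_HITS."""
    page = SAMPLE_HITS[skip:skip + size]
    return {"message": "", "data": {"hits": page,
                                    "totalSize": len(SAMPLE_HITS),
                                    "currSize": len(page)}}


if __name__ == "__main__":
    print(build_threats_url("https://hostname",
                            {"q": "pkt.proto:tcp and -pkt.appStr:http"}))
    for row in (triage(h) for h in iter_hits(fake_fetch, size=2)):
        print(row)
```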


DDoS

Data regarding DDoS Alerts gathered from Arbor Edge Defense (AED) devices that are connected to Edge Defense Manager.

GET /api/v1/alerts/ddos?start=2018-08-08T00:00:00Z&end=2018-08-09T00:00:00Z&page=1&pageSize=100
Response 200
Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 42,
    "targets": [
      {
        "id": 42,
        "name": "Default PG",
        "devices": []
      }
    ],
    "devices": [
      {
        "id": 42,
        "name": "AED 001",
        "host": "aed-001.vm.arbor.net"
      }
    ],
    "categories": [
      {
        "id": 42,
        "type": "Total Traffic",
        "description": "TBD"
      }
    ],
    "volume": 32789,
    "bps": 1.24234,
    "peakBpsBlocked": 1234.1234,
    "peakBpsPassed": 1234.1234,
    "packets": 2341234,
    "peakPpsBlocked": 1234.1234,
    "peakPpsPassed": 1234.1234,
    "timeseries": {
      "bps": [
        {
          "timestamp": "2018-08-09T00:00:00Z",
          "data": {
            "blocked": 587712787,
            "passed": 15341424
          }
        }
      ],
      "pps": [
        {
          "timestamp": "2018-08-09T00:00:00Z",
          "data": {
            "blocked": 71710,
            "passed": 6500
          }
        }
      ]
    },
    "start": "2018-08-08T00:00:00Z",
    "lastSeen": "2018-08-08T00:00:00Z",
    "end": "2018-08-08T00:00:00Z",
    "errors": []
  },
  "page": 1,
  "totalCount": 34534,
  "errors": {
    "[fieldName]": "Generic Error"
  }
}
Schema
{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "type": "object",
  "properties": {
    "data": {
      "type": "object",
      "properties": {
        "id": {
          "type": "number",
          "description": "The alert's unique ID."
        },
        "targets": {
          "type": "array",
          "items": {
            "type": "object",
            "properties": {
              "id": {
                "type": "number",
                "description": "The target protection group's unique ID."
              },
              "name": {
                "type": "string",
                "description": "The name of the target protection group."
              },
              "devices": {
                "type": "array",
                "description": "The IDs of the devices that contain this target protection group."
              }
            },
            "required": [
              "id",
              "name",
              "devices"
            ]
          },
          "description": "The target protection groups that triggered the alert."
        },
        "devices": {
          "type": "array",
          "items": {
            "type": "object",
            "properties": {
              "id": {
                "type": "number",
                "description": "The device's unique ID."
              },
              "name": {
                "type": "string",
                "description": "The name of the device."
              },
              "host": {
                "type": "string",
                "description": "The device's IP address or hostname."
              }
            },
            "required": [
              "id",
              "name",
              "host"
            ]
          },
          "description": "The devices that triggered the alert."
        },
        "categories": {
          "type": "array",
          "items": {
            "type": "object",
            "properties": {
              "id": {
                "type": "number",
                "description": "The category's unique ID."
              },
              "type": {
                "type": "string",
                "description": "The name of the category."
              },
              "description": {
                "type": "string",
                "description": "A description of the category."
              }
            },
            "required": [
              "id",
              "type",
              "description"
            ]
          },
          "description": "The category of the policy violation that triggered the alert."
        },
        "volume": {
          "type": "number",
          "description": "The total amount of traffic that was observed for the alert, in bytes."
        },
        "bps": {
          "type": "number",
          "description": "The highest bit rate of traffic that was observed for the alert during the requested time period, in bps."
        },
        "peakBpsBlocked": {
          "type": "number",
          "description": "The maximum bits per second that were blocked during the alert time period."
        },
        "peakBpsPassed": {
          "type": "number",
          "description": "The maximum bits per second that were passed during the alert time period."
        },
        "packets": {
          "type": "number",
          "description": "The total number of packets that were observed for the alert."
        },
        "peakPpsBlocked": {
          "type": "number",
          "description": "The maximum number of packets per second that were blocked during the alert time period."
        },
        "peakPpsPassed": {
          "type": "number",
          "description": "The maximum number of packets per second that were passed during the alert time period."
        },
        "timeseries": {
          "type": "object",
          "properties": {
            "bps": {
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "timestamp": {
                    "type": "string",
                    "description": "The timestamp of the data point, in ISO-8601 format."
                  },
                  "data": {
                    "type": "object",
                    "properties": {
                      "blocked": {
                        "type": "number",
                        "description": "The number of bits per second that were blocked at the timestamp."
                      },
                      "passed": {
                        "type": "number",
                        "description": "The number of bits per second that were passed at the timestamp."
                      }
                    },
                    "required": [
                      "blocked",
                      "passed"
                    ]
                  }
                },
                "required": [
                  "timestamp",
                  "data"
                ]
              },
              "description": "The data points in bits per second."
            },
            "pps": {
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "timestamp": {
                    "type": "string",
                    "description": "The timestamp of the data point, in ISO-8601 format."
                  },
                  "data": {
                    "type": "object",
                    "properties": {
                      "blocked": {
                        "type": "number",
                        "description": "The number of packets per second that were blocked at the timestamp."
                      },
                      "passed": {
                        "type": "number",
                        "description": "The number of packets per second that were passed at the timestamp."
                      }
                    },
                    "required": [
                      "blocked",
                      "passed"
                    ]
                  }
                },
                "required": [
                  "timestamp",
                  "data"
                ]
              },
              "description": "The data points in packets per second."
            }
          },
          "required": [
            "bps",
            "pps"
          ],
          "description": "Timeseries data for pps and bps over the requested time period."
        },
        "start": {
          "type": "string",
          "description": "The start time of the alert, in ISO-8601 format."
        },
        "lastSeen": {
          "type": "string",
          "description": "The time of the last seen piece of the alert, in ISO-8601 format."
        },
        "end": {
          "type": "string",
          "description": "The end time of the alert, in ISO-8601 format, null if the alert is ongoing."
        },
        "errors": {
          "type": "array",
          "description": "Error messages for the devices that were involved in the alert."
        }
      },
      "required": [
        "id",
        "targets",
        "devices",
        "categories",
        "volume",
        "bps",
        "peakBpsBlocked",
        "peakBpsPassed",
        "packets",
        "peakPpsBlocked",
        "peakPpsPassed",
        "timeseries",
        "start",
        "lastSeen"
      ]
    },
    "page": {
      "type": "number",
      "description": "The page number of this result set."
    },
    "totalCount": {
      "type": "number",
      "description": "The total size of the result set."
    },
    "errors": {
      "type": "object",
      "properties": {
        "[fieldName]": {
          "type": "string",
          "description": "An error message related to the field name."
        }
      },
      "description": "Errors that occurred during the request or response, keyed by the invalid field name. For example, start."
    }
  },
  "required": [
    "data",
    "page",
    "totalCount",
    "errors"
  ]
}

List all DDoS Alerts
GET /api/v1/alerts/ddos{?start,end,page,pageSize}

Get a list of the aggregated DDoS alerts that are reported by the connected AED devices.

URI Parameters
start
string (required) Example: 2018-08-08T00:00:00Z

The start of the search time period, based on the alert timestamp. ISO 8601 format is required.

end
string (optional) Example: 2018-08-09T00:00:00Z

The end of the search time period, based on the alert timestamp. ISO 8601 format is required.

page
number (optional) Default: 1 Example: 1

The page number to start with when returning results.

pageSize
number (optional) Default: 25 Example: 100

The number of alerts to include per page of results.
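
A way to reduce one DDoS alert object, with the fields documented in the schema above, to a short mitigation summary. This is an added example in Python, not code from the product documentation: the function names and both sample alerts are constructed, and the blocked share assumes the timeseries points are evenly spaced.

```python
from datetime import datetime, timezone


def parse_ts(value):
    """Parse the ISO 8601 UTC form used in the sample responses."""
    parsed = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
    return parsed.replace(tzinfo=timezone.utc)


def summarize_alert(alert):
    """Summarise how much of an alert's traffic was blocked, and for how long."""
    series = alert["timeseries"]["bps"]
    blocked = sum(point["data"]["blocked"] for point in series)
    passed = sum(point["data"]["passed"] for point in series)
    total = blocked + passed
    # The point at which the most traffic got through is where to look first.
    worst = max(series, key=lambda point: point["data"]["passed"], default=None)
    # "end" is not in the schema's required list and is null while the alert
    # is ongoing, so fall back to lastSeen for the duration.
    end = alert.get("end")
    last = parse_ts(end) if end is not None else parse_ts(alert["lastSeen"])
    return {
        "id": alert["id"],
        "ongoing": end is None,
        "duration_s": int((last - parse_ts(alert["start"])).total_seconds()),
        "blocked_share": round(blocked / total, 3) if total else None,
        "peak_passed_at": worst["timestamp"] if worst else None,
        "device_errors": list(alert.get("errors") or []),
    }


# Constructed sample: an ongoing alert with three bps data points.
ONGOING_ALERT = {
    "id": 1,
    "start": "2018-08-08T00:00:00Z",
    "lastSeen": "2018-08-08T00:10:00Z",
    "end": None,
    "errors": [],
    "timeseries": {
        "bps": [
            {"timestamp": "2018-08-08T00:00:00Z", "data": {"blocked": 300, "passed": 50}},
            {"timestamp": "2018-08-08T00:05:00Z", "data": {"blocked": 400, "passed": 150}},
            {"timestamp": "2018-08-08T00:10:00Z", "data": {"blocked": 100, "passed": 0}},
        ],
        "pps": [],
    },
}

# Constructed sample: a finished alert with no data points and a device error.
ENDED_ALERT = {
    "id": 2,
    "start": "2018-08-08T00:00:00Z",
    "lastSeen": "2018-08-08T00:55:00Z",
    "end": "2018-08-08T01:00:00Z",
    "errors": ["constructed device error"],
    "timeseries": {"bps": [], "pps": []},
}

if __name__ == "__main__":
    for sample in (ONGOING_ALERT, ENDED_ALERT):
        print(summarize_alert(sample))
```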


GET /api/v1/alerts/ddos/42
Response 200
Headers
Content-Type: application/json
Body
{
  "id": 42,
  "targets": [
    {
      "id": 42,
      "name": "Default PG",
      "devices": []
    }
  ],
  "devices": [
    {
      "id": 42,
      "name": "AED 001",
      "host": "aed-001.vm.arbor.net"
    }
  ],
  "categories": [
    {
      "id": 42,
      "type": "Total Traffic",
      "description": "TBD"
    }
  ],
  "volume": 32789,
  "bps": 1.24234,
  "peakBpsBlocked": 1234.1234,
  "peakBpsPassed": 1234.1234,
  "packets": 2341234,
  "peakPpsBlocked": 1234.1234,
  "peakPpsPassed": 1234.1234,
  "timeseries": {
    "bps": [
      {
        "timestamp": "2018-08-09T00:00:00Z",
        "data": {
          "blocked": 587712787,
          "passed": 15341424
        }
      }
    ],
    "pps": [
      {
        "timestamp": "2018-08-09T00:00:00Z",
        "data": {
          "blocked": 71710,
          "passed": 6500
        }
      }
    ]
  },
  "start": "2018-08-08T00:00:00Z",
  "lastSeen": "2018-08-08T00:00:00Z",
  "end": "2018-08-08T00:00:00Z",
  "errors": [],
  "connections": {
    "isPktDirectionUnknown": false,
    "sources": {
      "blocked": [
        {
          "host": "8.8.8.8",
          "count": 217
        }
      ]
    },
    "destinations": {
      "blocked": [
        {
          "host": "8.8.8.8",
          "count": 217
        }
      ]
    },
    "services": {
      "blocked": [
        {
          "service": "DNS",
          "connectionCount": 217,
          "uniqueSourceCount": 2034,
          "uniqueDestinationCount": 1757,
          "topDestinations": [
            {
              "host": "8.8.8.8",
              "count": 217
            }
          ]
        }
      ]
    }
  }
}
Schema
{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "type": "object",
  "properties": {
    "id": {
      "type": "number",
      "description": "The alert's unique ID."
    },
    "targets": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "id": {
            "type": "number",
            "description": "The target protection group's unique ID."
          },
          "name": {
            "type": "string",
            "description": "The name of the target protection group."
          },
          "devices": {
            "type": "array",
            "description": "The IDs of the devices that contain this target protection group."
          }
        },
        "required": [
          "id",
          "name",
          "devices"
        ]
      },
      "description": "The target protection groups that triggered the alert."
    },
    "devices": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "id": {
            "type": "number",
            "description": "The device's unique ID."
          },
          "name": {
            "type": "string",
            "description": "The name of the device."
          },
          "host": {
            "type": "string",
            "description": "The device's IP address or hostname."
          }
        },
        "required": [
          "id",
          "name",
          "host"
        ]
      },
      "description": "The devices that triggered the alert."
    },
    "categories": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "id": {
            "type": "number",
            "description": "The category's unique ID."
          },
          "type": {
            "type": "string",
            "description": "The name of the category."
          },
          "description": {
            "type": "string",
            "description": "A description of the category."
          }
        },
        "required": [
          "id",
          "type",
          "description"
        ]
      },
      "description": "The category of the policy violation that triggered the alert."
    },
    "volume": {
      "type": "number",
      "description": "The total amount of traffic that was observed for the alert, in bytes."
    },
    "bps": {
      "type": "number",
      "description": "The highest bit rate of traffic that was observed for the alert during the requested time period, in bps."
    },
    "peakBpsBlocked": {
      "type": "number",
      "description": "The maximum bits per second that were blocked during the alert time period."
    },
    "peakBpsPassed": {
      "type": "number",
      "description": "The maximum bits per second that were passed during the alert time period."
    },
    "packets": {
      "type": "number",
      "description": "The total number of packets that were observed for the alert."
    },
    "peakPpsBlocked": {
      "type": "number",
      "description": "The maximum number of packets per second that were blocked during the alert time period."
    },
    "peakPpsPassed": {
      "type": "number",
      "description": "The maximum number of packets per second that were passed during the alert time period."
    },
    "timeseries": {
      "type": "object",
      "properties": {
        "bps": {
          "type": "array",
          "items": {
            "type": "object",
            "properties": {
              "timestamp": {
                "type": "string",
                "description": "The timestamp of the data point, in ISO-8601 format."
              },
              "data": {
                "type": "object",
                "properties": {
                  "blocked": {
                    "type": "number",
                    "description": "The number of bits per second that were blocked at the timestamp."
                  },
                  "passed": {
                    "type": "number",
                    "description": "The number of bits per second that were passed at the timestamp."
                  }
                },
                "required": [
                  "blocked",
                  "passed"
                ]
              }
            },
            "required": [
              "timestamp",
              "data"
            ]
          },
          "description": "The data points in bits per second."
        },
        "pps": {
          "type": "array",
          "items": {
            "type": "object",
            "properties": {
              "timestamp": {
                "type": "string",
                "description": "The timestamp of the data point, in ISO-8601 format."
              },
              "data": {
                "type": "object",
                "properties": {
                  "blocked": {
                    "type": "number",
                    "description": "The number of packets per second that were blocked at the timestamp."
                  },
                  "passed": {
                    "type": "number",
                    "description": "The number of packets per second that were passed at the timestamp."
                  }
                },
                "required": [
                  "blocked",
                  "passed"
                ]
              }
            },
            "required": [
              "timestamp",
              "data"
            ]
          },
          "description": "The data points in packets per second."
        }
      },
      "required": [
        "bps",
        "pps"
      ],
      "description": "Timeseries data for packets per second and bits per second over the requested time period."
    },
    "start": {
      "type": "string",
      "description": "The start time of the alert, in ISO-8601 format."
    },
    "lastSeen": {
      "type": "string",
      "description": "The time of the last seen piece of the alert, in ISO-8601 format."
    },
    "end": {
      "type": "string",
      "description": "The end time of the alert, in ISO-8601 format, null if the alert is ongoing."
    },
    "errors": {
      "type": "array",
      "description": "Error messages for the devices that were involved in the alert."
    },
    "connections": {
      "type": "object",
      "properties": {
        "isPktDirectionUnknown": {
          "type": "boolean",
          "description": "True if one or more of the packets that are involved in the calculations do not have a direction."
        },
        "sources": {
          "type": "object",
          "properties": {
            "blocked": {
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "host": {
                    "type": "string",
                    "description": "The IP address or hostname of the source."
                  },
                  "count": {
                    "type": "number",
                    "description": "The number of connections from the source that were blocked."
                  }
                },
                "required": [
                  "host",
                  "count"
                ]
              },
              "description": "The source addresses with the most blocked connections."
            }
          },
          "required": [
            "blocked"
          ],
          "description": "The top source addresses by key."
        },
        "destinations": {
          "type": "object",
          "properties": {
            "blocked": {
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "host": {
                    "type": "string",
                    "description": "The IP address or hostname of the destination."
                  },
                  "count": {
                    "type": "number",
                    "description": "The number of connections to the destination that were blocked."
                  }
                },
                "required": [
                  "host",
                  "count"
                ]
              },
              "description": "The destination addresses with the most blocked connections."
            }
          },
          "required": [
            "blocked"
          ],
          "description": "The top destination addresses by key."
        },
        "services": {
          "type": "object",
          "properties": {
            "blocked": {
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "service": {
                    "type": "string",
                    "description": "The service that was used."
                  },
                  "connectionCount": {
                    "type": "number",
                    "description": "The number of blocked connections that used the service."
                  },
                  "uniqueSourceCount": {
                    "type": "number",
                    "description": "Number of unique source IPs or hostnames for this service."
                  },
                  "uniqueDestinationCount": {
                    "type": "number",
                    "description": "Number of unique destination IPs or hostnames for this service."
                  },
                  "topDestinations": {
                    "type": "array",
                    "items": {
                      "type": "object",
                      "properties": {
                        "host": {
                          "type": "string",
                          "description": "The IP address or hostname of the destination."
                        },
                        "count": {
                          "type": "number",
                          "description": "The number of connections to the destination that were blocked for this service."
                        }
                      },
                      "required": [
                        "host",
                        "count"
                      ]
                    },
                    "description": "Top blocked destinations for this service."
                  }
                },
                "required": [
                  "service",
                  "connectionCount",
                  "uniqueSourceCount",
                  "uniqueDestinationCount",
                  "topDestinations"
                ]
              },
              "description": "The services on which the most connections were blocked."
            }
          },
          "required": [
            "blocked"
          ],
          "description": "The top services by key."
        }
      },
      "required": [
        "isPktDirectionUnknown",
        "sources",
        "destinations",
        "services"
      ],
      "description": "Connection information related to this alert."
    }
  },
  "required": [
    "id",
    "targets",
    "devices",
    "categories",
    "volume",
    "bps",
    "peakBpsBlocked",
    "peakBpsPassed",
    "packets",
    "peakPpsBlocked",
    "peakPpsPassed",
    "timeseries",
    "start",
    "lastSeen",
    "connections"
  ]
}

Get a Single DDoS Alert
GET /api/v1/alerts/ddos/{id}

Get a single aggregated DDoS alert.

URI Parameters
id
number (required) Example: 42

The unique ID that Edge Defense Manager assigned to the alert.


GET /api/v1/alerts/ddos/counts?start=2018-08-08T00:00:00Z&end=2018-08-09T00:00:00Z
Responses: 200
Headers
Content-Type: application/json
Body
{
  "data": {
    "binSizeMinutes": 60,
    "counts": [
      {
        "timestamp": "2018-02-01T00:00:00.000Z",
        "data": {
          "total": 42,
          "blocked": 42,
          "botnet": 42
        }
      }
    ]
  },
  "errors": {
    "[fieldName]": "Generic Error"
  }
}
Schema
{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "type": "object",
  "properties": {
    "data": {
      "type": "object",
      "properties": {
        "binSizeMinutes": {
          "type": "number",
          "description": "The size of the time bins in minutes."
        },
        "counts": {
          "type": "array",
          "items": {
            "type": "object",
            "properties": {
              "timestamp": {
                "type": "string",
                "description": "The end time of this bin of alert counts."
              },
              "data": {
                "type": "object",
                "properties": {
                  "total": {
                    "type": "number",
                    "description": "The number of alerts that were triggered by the total traffic in the time bin."
                  },
                  "blocked": {
                    "type": "number",
                    "description": "The number of the alerts that were triggered by blocked traffic in the time bin."
                  },
                  "botnet": {
                    "type": "number",
                    "description": "The number of the alerts that were triggered by botnet traffic in the time bin."
                  }
                },
                "required": [
                  "total",
                  "blocked",
                  "botnet"
                ]
              }
            },
            "required": [
              "timestamp",
              "data"
            ]
          },
          "description": "The number of new DDoS alerts, aggregated and organized into binned timeseries data, where the bin size is determined by the report date range."
        }
      },
      "required": [
        "binSizeMinutes",
        "counts"
      ]
    },
    "errors": {
      "type": "object",
      "properties": {
        "[fieldName]": {
          "type": "string",
          "description": "An error message related to the field name."
        }
      },
      "description": "Errors that occurred during the request or response, keyed by the invalid field name. For example, start."
    }
  },
  "required": [
    "data",
    "errors"
  ]
}

Get DDoS Alert Counts
GET /api/v1/alerts/ddos/counts{?start,end}

Get a count of all the new DDoS alerts that were triggered by the connected AED devices. The alerts are aggregated and organized into binned timeseries data, where the bin size is determined by the requested date range.

URI Parameters
start
string (required) Example: 2018-08-08T00:00:00Z

The start of the search time period, based on the alert timestamp. ISO 8601 format is required.

end
string (optional) Example: 2018-08-09T00:00:00Z

The end of the search time period, based on the alert timestamp. ISO 8601 format is required.


Devices

The Devices API allows you to add, update, and delete Arbor Edge Defense (AED) devices in Edge Defense Manager.

Devices List

GET /api/v1/devices?start=2018-08-01T00:00:00Z&end=2018-08-02T00:00:00Z&liveData=true
Responses: 200
Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "id": "42",
      "host": "my-aed.ops.my-company.com",
      "apiToken": "********",
      "name": "my-aed",
      "ddosAlertCount": 5,
      "systemAlertCount": 5,
      "peakBpsBlocked": 123456789,
      "peakPpsBlocked": 9001,
      "protectionLevel": "high",
      "protectionMode": "Active",
      "lastSeen": "2018-08-10T00:00:00+00:00",
      "otf": {
        "enabled": true,
        "active": true
      },
      "asertFeedbackEnabled": true,
      "syslogNotificationsEnabled": true,
      "warnings": [
        {
          "code": "warning",
          "field": "syslog",
          "message": "Unable to get syslog for abc."
        }
      ],
      "timeseries": {
        "bps": [
          {
            "timestamp": "2018-08-09T00:00:00Z",
            "data": {
              "blocked": 587712787,
              "passed": 15341424
            }
          }
        ],
        "pps": [
          {
            "timestamp": "2018-08-09T00:00:00Z",
            "data": {
              "blocked": 71710,
              "passed": 6500
            }
          }
        ]
      }
    }
  ]
}
Schema
{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "type": "object",
  "properties": {
    "data": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "id": {
            "type": "string"
          },
          "host": {
            "type": "string"
          },
          "apiToken": {
            "type": "string"
          },
          "name": {
            "type": "string"
          },
          "ddosAlertCount": {
            "type": "number"
          },
          "systemAlertCount": {
            "type": "number"
          },
          "peakBpsBlocked": {
            "type": "number"
          },
          "peakPpsBlocked": {
            "type": "number"
          },
          "protectionLevel": {
            "type": "string",
            "enum": [
              "low",
              "medium",
              "high"
            ]
          },
          "protectionMode": {
            "type": "string",
            "enum": [
              "Active",
              "Inactive",
              "Monitor"
            ]
          },
          "lastSeen": {
            "type": "string"
          },
          "otf": {
            "type": "object",
            "properties": {
              "enabled": {
                "type": "boolean",
                "description": "The current status of the Outbound Threat Filter for this device."
              },
              "active": {
                "type": "boolean",
                "description": "Indicates whether the Protection Mode for the Outbound Threat Filter is active or inactive."
              }
            },
            "required": [
              "enabled",
              "active"
            ]
          },
          "asertFeedbackEnabled": {
            "type": "boolean",
            "description": "Indicates whether the device is sharing feedback with ASERT. Null if the device does not support checking for this status."
          },
          "syslogNotificationsEnabled": {
            "type": "boolean",
            "description": "Indicates whether 'blocked host' syslog notifications are being collected from this device."
          },
          "warnings": {
            "type": "array",
            "items": {
              "type": "object",
              "properties": {
                "code": {
                  "type": "string",
                  "description": "A code that indicates the type of warning."
                },
                "field": {
                  "type": "string",
                  "description": "The field that triggered the warning."
                },
                "message": {
                  "type": "string",
                  "description": "An explanation of the warning."
                }
              },
              "required": [
                "code",
                "field",
                "message"
              ]
            },
            "description": "A list of warnings that can occur during attempts to retrieve data for the device."
          },
          "timeseries": {
            "type": "object",
            "properties": {
              "bps": {
                "type": "array",
                "items": {
                  "type": "object",
                  "properties": {
                    "timestamp": {
                      "type": "string",
                      "description": "The timestamp of the data point, in ISO-8601 format."
                    },
                    "data": {
                      "type": "object",
                      "properties": {
                        "blocked": {
                          "type": "number",
                          "description": "The number of bits per second that were blocked at the timestamp."
                        },
                        "passed": {
                          "type": "number",
                          "description": "The number of bits per second that were passed at the timestamp."
                        }
                      },
                      "required": [
                        "blocked",
                        "passed"
                      ]
                    }
                  },
                  "required": [
                    "timestamp",
                    "data"
                  ]
                },
                "description": "The data points in bits per second."
              },
              "pps": {
                "type": "array",
                "items": {
                  "type": "object",
                  "properties": {
                    "timestamp": {
                      "type": "string",
                      "description": "The timestamp of the data point, in ISO-8601 format."
                    },
                    "data": {
                      "type": "object",
                      "properties": {
                        "blocked": {
                          "type": "number",
                          "description": "The number of packets per second that were blocked at the timestamp."
                        },
                        "passed": {
                          "type": "number",
                          "description": "The number of packets per second that were passed at the timestamp."
                        }
                      },
                      "required": [
                        "blocked",
                        "passed"
                      ]
                    }
                  },
                  "required": [
                    "timestamp",
                    "data"
                  ]
                },
                "description": "The data points in packets per second."
              }
            },
            "required": [
              "bps",
              "pps"
            ],
            "description": "Timeseries data for packets per second and bits per second over the requested time period."
          }
        },
        "required": [
          "host",
          "apiToken",
          "name",
          "ddosAlertCount",
          "systemAlertCount",
          "peakBpsBlocked",
          "peakPpsBlocked",
          "protectionLevel",
          "protectionMode",
          "lastSeen",
          "otf",
          "syslogNotificationsEnabled",
          "timeseries"
        ]
      }
    }
  },
  "required": [
    "data"
  ]
}

Devices List
GET /api/v1/devices{?start,end,liveData}

Find all of the devices that are connected to Edge Defense Manager.

URI Parameters
start
string (optional) Example: 2018-08-01T00:00:00Z

The start of the time period for which to get alerts and traffic data from the device. ISO 8601 format is required.

end
string (optional) Default: now Example: 2018-08-02T00:00:00Z

The end of the time period for which to get alerts and traffic data from the device. ISO 8601 format is required.

liveData
boolean (optional) Default: true Example: true

Indicates whether the response should include live data from the connected devices.
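
A posture check built on the Devices List response fields, added here as an example (it is not code from Edge Defense Manager or its vendor). The finding codes, the 24-hour staleness threshold, the policy of flagging any `protectionMode` other than `Active`, and the sample records are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Fields the Devices List schema marks as required for each device.
REQUIRED = ("host", "apiToken", "name", "ddosAlertCount", "systemAlertCount",
            "peakBpsBlocked", "peakPpsBlocked", "protectionLevel",
            "protectionMode", "lastSeen", "otf", "syslogNotificationsEnabled",
            "timeseries")

# Constructed sample shaped like the Devices List response body (not real data).
SAMPLE = json.loads("""
{"data": [
  {"id": "42", "host": "my-aed.ops.my-company.com", "apiToken": "********",
   "name": "my-aed", "ddosAlertCount": 5, "systemAlertCount": 5,
   "peakBpsBlocked": 123456789, "peakPpsBlocked": 9001,
   "protectionLevel": "high", "protectionMode": "Active",
   "lastSeen": "2018-08-10T00:00:00+00:00",
   "otf": {"enabled": true, "active": true},
   "asertFeedbackEnabled": true, "syslogNotificationsEnabled": true,
   "warnings": [], "timeseries": {"bps": [], "pps": []}},
  {"id": "43", "host": "branch-aed.ops.my-company.com", "apiToken": "********",
   "name": "branch-aed", "ddosAlertCount": 0, "systemAlertCount": 2,
   "peakBpsBlocked": 0, "peakPpsBlocked": 0,
   "protectionLevel": "low", "protectionMode": "Monitor",
   "lastSeen": "2018-08-07T12:00:00+00:00",
   "otf": {"enabled": true, "active": false},
   "asertFeedbackEnabled": null, "syslogNotificationsEnabled": false,
   "warnings": [{"code": "warning", "field": "syslog",
                 "message": "Unable to get syslog for abc."}],
   "timeseries": {"bps": [], "pps": []}}
]}
""")


def parse_iso8601(value):
    """Parse an ISO 8601 timestamp from the API; a trailing 'Z' means UTC."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)  # assumption: naive means UTC
    return parsed


def audit_device(device, now, stale_after=timedelta(hours=24)):
    """Return (code, detail) findings for one device record.

    The codes and the stale_after default are assumptions of this example.
    """
    findings = []
    missing = [field for field in REQUIRED if field not in device]
    if missing:
        findings.append(("MISSING_FIELD", ", ".join(missing)))

    mode = device.get("protectionMode")
    if mode != "Active":  # schema enum: Active, Inactive, Monitor
        findings.append(("MODE_NOT_ACTIVE", f"protectionMode is {mode!r}"))

    otf = device.get("otf") or {}
    if not otf.get("enabled"):
        findings.append(("OTF_DISABLED", "Outbound Threat Filter is not enabled"))
    elif not otf.get("active"):
        findings.append(("OTF_INACTIVE",
                         "Outbound Threat Filter protection mode is inactive"))

    if not device.get("syslogNotificationsEnabled"):
        findings.append(("SYSLOG_OFF",
                         "'blocked host' syslog notifications are not collected"))

    # Warnings mean Edge Defense Manager could not retrieve some device data.
    for warning in device.get("warnings") or []:
        findings.append(("DEVICE_WARNING",
                         f"{warning.get('field')}: {warning.get('message')}"))

    last_seen = device.get("lastSeen")
    if last_seen and now - parse_iso8601(last_seen) > stale_after:
        findings.append(("STALE",
                         f"lastSeen {last_seen} is older than {stale_after}"))
    return findings


def audit_devices(payload, now, stale_after=timedelta(hours=24)):
    """Map each device's name (or host, or id) to its list of findings."""
    report = {}
    for device in payload.get("data", []):
        key = device.get("name") or device.get("host") or device.get("id")
        report[key] = audit_device(device, now, stale_after)
    return report


if __name__ == "__main__":
    now = parse_iso8601("2018-08-10T06:00:00Z")  # fixed clock for a repeatable run
    for name, findings in audit_devices(SAMPLE, now).items():
        print(name, "OK" if not findings else "")
        for code, detail in findings:
            print(f"  {code}: {detail}")
```
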


Device

Operations for fetching, creating, updating, and deleting the devices that are connected to Edge Defense Manager.

GET /api/v1/devices/42?start=2018-08-01T00:00:00Z&end=2018-08-02T00:00:00Z&liveData=true
Responses: 200, 404
Headers
Content-Type: application/json
Body
{
  "id": "42",
  "host": "my-aed.ops.my-company.com",
  "apiToken": "********",
  "name": "my-aed",
  "ddosAlertCount": 5,
  "systemAlertCount": 5,
  "peakBpsBlocked": 123456789,
  "peakPpsBlocked": 9001,
  "protectionLevel": "high",
  "protectionMode": "Active",
  "lastSeen": "2018-08-10T00:00:00+00:00",
  "otf": {
    "enabled": true,
    "active": true
  },
  "asertFeedbackEnabled": true,
  "syslogNotificationsEnabled": true,
  "warnings": [
    {
      "code": "warning",
      "field": "syslog",
      "message": "Unable to get syslog for abc."
    }
  ],
  "timeseries": {
    "bps": [
      {
        "timestamp": "2018-08-09T00:00:00Z",
        "data": {
          "blocked": 587712787,
          "passed": 15341424
        }
      }
    ],
    "pps": [
      {
        "timestamp": "2018-08-09T00:00:00Z",
        "data": {
          "blocked": 71710,
          "passed": 6500
        }
      }
    ]
  }
}
Schema
{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "type": "object",
  "properties": {
    "id": {
      "type": "string"
    },
    "host": {
      "type": "string"
    },
    "apiToken": {
      "type": "string"
    },
    "name": {
      "type": "string"
    },
    "ddosAlertCount": {
      "type": "number"
    },
    "systemAlertCount": {
      "type": "number"
    },
    "peakBpsBlocked": {
      "type": "number"
    },
    "peakPpsBlocked": {
      "type": "number"
    },
    "protectionLevel": {
      "type": "string",
      "enum": [
        "low",
        "medium",
        "high"
      ]
    },
    "protectionMode": {
      "type": "string",
      "enum": [
        "Active",
        "Inactive",
        "Monitor"
      ]
    },
    "lastSeen": {
      "type": "string"
    },
    "otf": {
      "type": "object",
      "properties": {
        "enabled": {
          "type": "boolean",
          "description": "The current status of the Outbound Threat Filter for this device."
        },
        "active": {
          "type": "boolean",
          "description": "Indicates whether the Protection Mode for the Outbound Threat Filter is active or inactive."
        }
      },
      "required": [
        "enabled",
        "active"
      ]
    },
    "asertFeedbackEnabled": {
      "type": "boolean",
      "description": "Indicates whether the device is sharing feedback with ASERT. Null if the device does not support checking for this status."
    },
    "syslogNotificationsEnabled": {
      "type": "boolean",
      "description": "Indicates whether 'blocked host' syslog notifications are being collected from this device."
    },
    "warnings": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "code": {
            "type": "string",
            "description": "A code that indicates the type of warning."
          },
          "field": {
            "type": "string",
            "description": "The field that triggered the warning."
          },
          "message": {
            "type": "string",
            "description": "An explanation of the warning."
          }
        },
        "required": [
          "code",
          "field",
          "message"
        ]
      },
      "description": "A list of warnings that can occur during attempts to retrieve data for the device."
    },
    "timeseries": {
      "type": "object",
      "properties": {
        "bps": {
          "type": "array",
          "items": {
            "type": "object",
            "properties": {
              "timestamp": {
                "type": "string",
                "description": "The timestamp of the data point, in ISO-8601 format."
              },
              "data": {
                "type": "object",
                "properties": {
                  "blocked": {
                    "type": "number",
                    "description": "The number of bits per second that were blocked at the timestamp."
                  },
                  "passed": {
                    "type": "number",
                    "description": "The number of bits per second that were passed at the timestamp."
                  }
                },
                "required": [
                  "blocked",
                  "passed"
                ]
              }
            },
            "required": [
              "timestamp",
              "data"
            ]
          },
          "description": "The data points in bits per second."
        },
        "pps": {
          "type": "array",
          "items": {
            "type": "object",
            "properties": {
              "timestamp": {
                "type": "string",
                "description": "The timestamp of the data point, in ISO-8601 format."
              },
              "data": {
                "type": "object",
                "properties": {
                  "blocked": {
                    "type": "number",
                    "description": "The number of packets per second that were blocked at the timestamp."
                  },
                  "passed": {
                    "type": "number",
                    "description": "The number of packets per second that were passed at the timestamp."
                  }
                },
                "required": [
                  "blocked",
                  "passed"
                ]
              }
            },
            "required": [
              "timestamp",
              "data"
            ]
          },
          "description": "The data points in packets per second."
        }
      },
      "required": [
        "bps",
        "pps"
      ],
      "description": "Timeseries data for packets per second and bits per second over the requested time period."
    }
  },
  "required": [
    "host",
    "apiToken",
    "name",
    "ddosAlertCount",
    "systemAlertCount",
    "peakBpsBlocked",
    "peakPpsBlocked",
    "protectionLevel",
    "protectionMode",
    "lastSeen",
    "otf",
    "syslogNotificationsEnabled",
    "timeseries"
  ]
}
Headers
Content-Type: application/json
Body
{
  "errors": [
    {
      "code": "NotFound",
      "field": "Specified APS [42] does not exist",
      "message": "Specified APS [42] does not exist"
    }
  ],
  "message": "Not Found."
}

Get a Device
GET /api/v1/devices/{id}{?start,end,liveData}

Get a device that is connected to Edge Defense Manager.

URI Parameters
id
number (required) Example: 42

The unique ID that Edge Defense Manager assigned to the device.

start
string (optional) Example: 2018-08-01T00:00:00Z

The start of the time period for which to get alerts and traffic data from the device. ISO 8601 format is required.

end
string (optional) Default: now Example: 2018-08-02T00:00:00Z

The end of the time period for which to get alerts and traffic data from the device. ISO 8601 format is required.

liveData
boolean (optional) Default: true Example: true

Indicates whether the response should include live data from the connected device.


POST /api/v1/devices
Requests: Add a new device, Device already exists, Invalid API token
Headers
Content-Type: application/json
Body
{
  "host": "my-aed.ops.my-company.com",
  "apiToken": "secret-api-token",
  "name": "my-aed",
  "syslogNotificationsEnabled": true
}
Schema
{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "type": "object",
  "properties": {
    "host": {
      "type": "string",
      "description": "The hostname or IP address of the AED device."
    },
    "apiToken": {
      "type": "string",
      "description": "An API token that is generated by the AED device that you are adding."
    },
    "name": {
      "type": "string",
      "description": "An optional, descriptive name for the AED device, which will appear in place of `host`."
    },
    "syslogNotificationsEnabled": {
      "type": "boolean",
      "description": "Indicates whether to configure the collection of syslog notifications from the AED device.",
      "default": true
    }
  },
  "required": [
    "host",
    "apiToken"
  ]
}
Responses: 201
Headers
Content-Type: application/json
Body
{
  "id": "42",
  "host": "my-aed.ops.my-company.com",
  "apiToken": "********",
  "name": "my-aed",
  "ddosAlertCount": 5,
  "systemAlertCount": 5,
  "peakBpsBlocked": 123456789,
  "peakPpsBlocked": 9001,
  "protectionLevel": "high",
  "protectionMode": "Active",
  "lastSeen": "2018-08-10T00:00:00+00:00",
  "otf": {
    "enabled": true,
    "active": true
  },
  "asertFeedbackEnabled": true,
  "syslogNotificationsEnabled": true,
  "warnings": [
    {
      "code": "warning",
      "field": "syslog",
      "message": "Unable to get syslog for abc."
    }
  ],
  "timeseries": {
    "bps": [
      {
        "timestamp": "2018-08-09T00:00:00Z",
        "data": {
          "blocked": 587712787,
          "passed": 15341424
        }
      }
    ],
    "pps": [
      {
        "timestamp": "2018-08-09T00:00:00Z",
        "data": {
          "blocked": 71710,
          "passed": 6500
        }
      }
    ]
  }
}
Schema
{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "type": "object",
  "properties": {
    "id": {
      "type": "string"
    },
    "host": {
      "type": "string"
    },
    "apiToken": {
      "type": "string"
    },
    "name": {
      "type": "string"
    },
    "ddosAlertCount": {
      "type": "number"
    },
    "systemAlertCount": {
      "type": "number"
    },
    "peakBpsBlocked": {
      "type": "number"
    },
    "peakPpsBlocked": {
      "type": "number"
    },
    "protectionLevel": {
      "type": "string",
      "enum": [
        "low",
        "medium",
        "high"
      ]
    },
    "protectionMode": {
      "type": "string",
      "enum": [
        "Active",
        "Inactive",
        "Monitor"
      ]
    },
    "lastSeen": {
      "type": "string"
    },
    "otf": {
      "type": "object",
      "properties": {
        "enabled": {
          "type": "boolean",
          "description": "The current status of the Outbound Threat Filter for this device."
        },
        "active": {
          "type": "boolean",
          "description": "Indicates whether the Protection Mode for the Outbound Threat Filter is active or inactive."
        }
      },
      "required": [
        "enabled",
        "active"
      ]
    },
    "asertFeedbackEnabled": {
      "type": "boolean",
      "description": "Indicates whether the device is sharing feedback with ASERT. Null if the device does not support checking for this status."
    },
    "syslogNotificationsEnabled": {
      "type": "boolean",
      "description": "Indicates whether 'blocked host' syslog notifications are being collected from this device."
    },
    "warnings": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "code": {
            "type": "string",
            "description": "A code that indicates the type of warning."
          },
          "field": {
            "type": "string",
            "description": "The field that triggered the warning."
          },
          "message": {
            "type": "string",
            "description": "An explanation of the warning."
          }
        },
        "required": [
          "code",
          "field",
          "message"
        ]
      },
      "description": "A list of warnings that can occur during attempts to retrieve data for the device."
    },
    "timeseries": {
      "type": "object",
      "properties": {
        "bps": {
          "type": "array",
          "items": {
            "type": "object",
            "properties": {
              "timestamp": {
                "type": "string",
                "description": "The timestamp of the data point, in ISO-8601 format."
              },
              "data": {
                "type": "object",
                "properties": {
                  "blocked": {
                    "type": "number",
                    "description": "The number of bits per second that were blocked at the timestamp."
                  },
                  "passed": {
                    "type": "number",
                    "description": "The number of bits per second that were passed at the timestamp."
                  }
                },
                "required": [
                  "blocked",
                  "passed"
                ]
              }
            },
            "required": [
              "timestamp",
              "data"
            ]
          },
          "description": "The data points in bits per second."
        },
        "pps": {
          "type": "array",
          "items": {
            "type": "object",
            "properties": {
              "timestamp": {
                "type": "string",
                "description": "The timestamp of the data point, in ISO-8601 format."
              },
              "data": {
                "type": "object",
                "properties": {
                  "blocked": {
                    "type": "number",
                    "description": "The number of packets per second that were blocked at the timestamp."
                  },
                  "passed": {
                    "type": "number",
                    "description": "The number of packets per second that were passed at the timestamp."
                  }
                },
                "required": [
                  "blocked",
                  "passed"
                ]
              }
            },
            "required": [
              "timestamp",
              "data"
            ]
          },
          "description": "The data points in packets per second."
        }
      },
      "required": [
        "bps",
        "pps"
      ],
      "description": "Timeseries data for packets per second and bits per second over the requested time period."
    }
  },
  "required": [
    "host",
    "apiToken",
    "name",
    "ddosAlertCount",
    "systemAlertCount",
    "peakBpsBlocked",
    "peakPpsBlocked",
    "protectionLevel",
    "protectionMode",
    "lastSeen",
    "otf",
    "syslogNotificationsEnabled",
    "timeseries"
  ]
}
Headers
Content-Type: application/json
Body
{
  "host": "already-configured.ops.my-company.com",
  "apiToken": "secret-api-token",
  "name": "already-configured",
  "syslogNotificationsEnabled": true
}
Schema
{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "type": "object",
  "properties": {
    "host": {
      "type": "string"
    },
    "apiToken": {
      "type": "string"
    },
    "name": {
      "type": "string"
    },
    "syslogNotificationsEnabled": {
      "type": "boolean"
    }
  },
  "required": [
    "host",
    "apiToken"
  ]
}
Responses 422
Headers
Content-Type: application/json
Body
{
  "errors": [
    {
      "code": "DuplicateError",
      "field": "host",
      "message": "Object already exists."
    }
  ],
  "message": "Validation Error"
}
Headers
Content-Type: application/json
Body
{
  "host": "my-aed.ops.my-company.com",
  "apiToken": "something-invalid",
  "name": "my-aed",
  "syslogNotificationsEnabled": true
}
Schema
{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "type": "object",
  "properties": {
    "host": {
      "type": "string"
    },
    "apiToken": {
      "type": "string"
    },
    "name": {
      "type": "string"
    },
    "syslogNotificationsEnabled": {
      "type": "boolean"
    }
  },
  "required": [
    "host",
    "apiToken"
  ]
}
Responses 422
Headers
Content-Type: application/json
Body
{
  "message": "Invalid token."
}

Add a New Device
POST /api/v1/devices

Add a new device to Edge Defense Manager.

After you add a device, Edge Defense Manager imports alerts from that device and aggregates them with data from the other connected AED devices.


PUT /api/v1/devices/42
Requests: Update an existing device
Headers
Content-Type: application/json
Body
{
  "host": "new-host.ops.my-company.com",
  "apiToken": "updated-token",
  "name": "Updated Name",
  "syslogNotificationsEnabled": true
}
Schema
{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "type": "object",
  "properties": {
    "host": {
      "type": "string",
      "description": "The hostname or IP address of the AED device."
    },
    "apiToken": {
      "type": "string",
      "description": "An API token that is generated by the AED device that you are adding."
    },
    "name": {
      "type": "string",
      "description": "An optional, descriptive name for the AED device, which will appear in place of `host`."
    },
    "syslogNotificationsEnabled": {
      "type": "boolean",
      "description": "Indicates whether to configure the collection of syslog notifications from the AED device."
    }
  },
  "required": [
    "host",
    "apiToken"
  ]
}
Responses 200
Headers
Content-Type: application/json
Body
{
  "id": "42",
  "host": "new-host.ops.my-company.com",
  "apiToken": "updated-token",
  "name": "Updated Name",
  "ddosAlertCount": 5,
  "systemAlertCount": 5,
  "peakBpsBlocked": 123456789,
  "peakPpsBlocked": 9001,
  "protectionLevel": "high",
  "protectionMode": "Active",
  "lastSeen": "2018-08-10T00:00:00+00:00",
  "otf": {
    "enabled": true,
    "active": true
  },
  "asertFeedbackEnabled": true,
  "syslogNotificationsEnabled": "true",
  "warnings": [
    {
      "code": "warning",
      "field": "syslog",
      "message": "Unable to get syslog for abc."
    }
  ],
  "timeseries": {
    "bps": [
      {
        "timestamp": "2018-08-09T00:00:00Z",
        "data": {
          "blocked": 587712787,
          "passed": 15341424
        }
      }
    ],
    "pps": [
      {
        "timestamp": "2018-08-09T00:00:00Z",
        "data": {
          "blocked": 71710,
          "passed": 6500
        }
      }
    ]
  }
}
Schema
{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "type": "object",
  "properties": {
    "id": {
      "type": "string"
    },
    "host": {
      "type": "string"
    },
    "apiToken": {
      "type": "string"
    },
    "name": {
      "type": "string"
    },
    "ddosAlertCount": {
      "type": "number"
    },
    "systemAlertCount": {
      "type": "number"
    },
    "peakBpsBlocked": {
      "type": "number"
    },
    "peakPpsBlocked": {
      "type": "number"
    },
    "protectionLevel": {
      "type": "string",
      "enum": [
        "low",
        "medium",
        "high"
      ]
    },
    "protectionMode": {
      "type": "string",
      "enum": [
        "Active",
        "Inactive",
        "Monitor"
      ]
    },
    "lastSeen": {
      "type": "string"
    },
    "otf": {
      "type": "object",
      "properties": {
        "enabled": {
          "type": "boolean",
          "description": "The current status of the Outbound Threat Filter for this device."
        },
        "active": {
          "type": "boolean",
          "description": "Indicates whether the Protection Mode for the Outbound Threat Filter is active or inactive."
        }
      },
      "required": [
        "enabled",
        "active"
      ]
    },
    "asertFeedbackEnabled": {
      "type": "boolean",
      "description": "Indicates whether the device is sharing feedback with ASERT. Null if the device does not support checking for this status."
    },
    "syslogNotificationsEnabled": {
      "type": "string",
      "description": "Indicates whether 'blocked host' syslog notifications are being collected from this device."
    },
    "warnings": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "code": {
            "type": "string",
            "description": "A code that indicates the type of warning."
          },
          "field": {
            "type": "string",
            "description": "The field that triggered the warning."
          },
          "message": {
            "type": "string",
            "description": "An explanation of the warning."
          }
        },
        "required": [
          "code",
          "field",
          "message"
        ]
      },
      "description": "A list of warnings that can occur during attempts to retrieve data for the device."
    },
    "timeseries": {
      "type": "object",
      "properties": {
        "bps": {
          "type": "array",
          "items": {
            "type": "object",
            "properties": {
              "timestamp": {
                "type": "string",
                "description": "The timestamp of the data point, in ISO-8601 format."
              },
              "data": {
                "type": "object",
                "properties": {
                  "blocked": {
                    "type": "number",
                    "description": "The number of bits per second that were blocked at the timestamp."
                  },
                  "passed": {
                    "type": "number",
                    "description": "The number of bits per second that were passed at the timestamp."
                  }
                },
                "required": [
                  "blocked",
                  "passed"
                ]
              }
            },
            "required": [
              "timestamp",
              "data"
            ]
          },
          "description": "The data points in bits per second."
        },
        "pps": {
          "type": "array",
          "items": {
            "type": "object",
            "properties": {
              "timestamp": {
                "type": "string",
                "description": "The timestamp of the data point, in ISO-8601 format."
              },
              "data": {
                "type": "object",
                "properties": {
                  "blocked": {
                    "type": "number",
                    "description": "The number of packets per second that were blocked at the timestamp."
                  },
                  "passed": {
                    "type": "number",
                    "description": "The number of packets per second that were passed at the timestamp."
                  }
                },
                "required": [
                  "blocked",
                  "passed"
                ]
              }
            },
            "required": [
              "timestamp",
              "data"
            ]
          },
          "description": "The data points in packets per second."
        }
      },
      "required": [
        "bps",
        "pps"
      ],
      "description": "Timeseries data for packets per second and bits per second over the requested time period."
    }
  },
  "required": [
    "host",
    "apiToken",
    "name",
    "ddosAlertCount",
    "systemAlertCount",
    "peakBpsBlocked",
    "peakPpsBlocked",
    "protectionLevel",
    "protectionMode",
    "lastSeen",
    "otf",
    "syslogNotificationsEnabled",
    "timeseries"
  ]
}

Update an Existing Device
PUT /api/v1/devices/{id}

Update a device that is connected to Edge Defense Manager.

URI Parameters
id
number (required) Example: 42

The unique ID that Edge Defense Manager assigned to the device.


PATCH /api/v1/devices/42
Requests: Update a device `apiToken`
Headers
Content-Type: application/json
Body
{
  "apiToken": "updated-token"
}
Schema
{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "type": "object",
  "properties": {
    "host": {
      "type": "string",
      "description": "The hostname or IP address of the AED device."
    },
    "apiToken": {
      "type": "string",
      "description": "An API token that is generated by the AED device that you are adding."
    },
    "name": {
      "type": "string",
      "description": "An optional, descriptive name for the AED device, which will appear in place of `host`."
    }
  }
}
Responses 200
Headers
Content-Type: application/json
Body
{
  "id": "42",
  "host": "my-aed.ops.my-company.com",
  "apiToken": "updated-token",
  "name": "my-aed",
  "ddosAlertCount": 5,
  "systemAlertCount": 5,
  "peakBpsBlocked": 123456789,
  "peakPpsBlocked": 9001,
  "protectionLevel": "high",
  "protectionMode": "Active",
  "lastSeen": "2018-08-10T00:00:00+00:00",
  "otf": {
    "enabled": true,
    "active": true
  },
  "asertFeedbackEnabled": true,
  "syslogNotificationsEnabled": true,
  "warnings": [
    {
      "code": "warning",
      "field": "syslog",
      "message": "Unable to get syslog for abc."
    }
  ],
  "timeseries": {
    "bps": [
      {
        "timestamp": "2018-08-09T00:00:00Z",
        "data": {
          "blocked": 587712787,
          "passed": 15341424
        }
      }
    ],
    "pps": [
      {
        "timestamp": "2018-08-09T00:00:00Z",
        "data": {
          "blocked": 71710,
          "passed": 6500
        }
      }
    ]
  }
}
Schema
{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "type": "object",
  "properties": {
    "id": {
      "type": "string"
    },
    "host": {
      "type": "string"
    },
    "apiToken": {
      "type": "string"
    },
    "name": {
      "type": "string"
    },
    "ddosAlertCount": {
      "type": "number"
    },
    "systemAlertCount": {
      "type": "number"
    },
    "peakBpsBlocked": {
      "type": "number"
    },
    "peakPpsBlocked": {
      "type": "number"
    },
    "protectionLevel": {
      "type": "string",
      "enum": [
        "low",
        "medium",
        "high"
      ]
    },
    "protectionMode": {
      "type": "string",
      "enum": [
        "Active",
        "Inactive",
        "Monitor"
      ]
    },
    "lastSeen": {
      "type": "string"
    },
    "otf": {
      "type": "object",
      "properties": {
        "enabled": {
          "type": "boolean",
          "description": "The current status of the Outbound Threat Filter for this device."
        },
        "active": {
          "type": "boolean",
          "description": "Indicates whether the Protection Mode for the Outbound Threat Filter is active or inactive."
        }
      },
      "required": [
        "enabled",
        "active"
      ]
    },
    "asertFeedbackEnabled": {
      "type": "boolean",
      "description": "Indicates whether the device is sharing feedback with ASERT. Null if the device does not support checking for this status."
    },
    "syslogNotificationsEnabled": {
      "type": "boolean",
      "description": "Indicates whether 'blocked host' syslog notifications are being collected from this device."
    },
    "warnings": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "code": {
            "type": "string",
            "description": "A code that indicates the type of warning."
          },
          "field": {
            "type": "string",
            "description": "The field that triggered the warning."
          },
          "message": {
            "type": "string",
            "description": "An explanation of the warning."
          }
        },
        "required": [
          "code",
          "field",
          "message"
        ]
      },
      "description": "A list of warnings that can occur during attempts to retrieve data for the device."
    },
    "timeseries": {
      "type": "object",
      "properties": {
        "bps": {
          "type": "array",
          "items": {
            "type": "object",
            "properties": {
              "timestamp": {
                "type": "string",
                "description": "The timestamp of the data point, in ISO-8601 format."
              },
              "data": {
                "type": "object",
                "properties": {
                  "blocked": {
                    "type": "number",
                    "description": "The number of bits per second that were blocked at the timestamp."
                  },
                  "passed": {
                    "type": "number",
                    "description": "The number of bits per second that were passed at the timestamp."
                  }
                },
                "required": [
                  "blocked",
                  "passed"
                ]
              }
            },
            "required": [
              "timestamp",
              "data"
            ]
          },
          "description": "The data points in bits per second."
        },
        "pps": {
          "type": "array",
          "items": {
            "type": "object",
            "properties": {
              "timestamp": {
                "type": "string",
                "description": "The timestamp of the data point, in ISO-8601 format."
              },
              "data": {
                "type": "object",
                "properties": {
                  "blocked": {
                    "type": "number",
                    "description": "The number of packets per second that were blocked at the timestamp."
                  },
                  "passed": {
                    "type": "number",
                    "description": "The number of packets per second that were passed at the timestamp."
                  }
                },
                "required": [
                  "blocked",
                  "passed"
                ]
              }
            },
            "required": [
              "timestamp",
              "data"
            ]
          },
          "description": "The data points in packets per second."
        }
      },
      "required": [
        "bps",
        "pps"
      ],
      "description": "Timeseries data for packets per second and bits per second over the requested time period."
    }
  },
  "required": [
    "host",
    "apiToken",
    "name",
    "ddosAlertCount",
    "systemAlertCount",
    "peakBpsBlocked",
    "peakPpsBlocked",
    "protectionLevel",
    "protectionMode",
    "lastSeen",
    "otf",
    "syslogNotificationsEnabled",
    "timeseries"
  ]
}

Partially Update an Existing Device
PATCH /api/v1/devices/{id}

Make partial updates to a device that is connected to Edge Defense Manager.

The following fields are allowed in the request body:

  • host

  • apiToken

  • name

  • syslogNotificationsEnabled

URI Parameters
id
number (required) Example: 42

The unique ID that Edge Defense Manager assigned to the device.
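
An added example (not part of the Edge Defense Manager documentation) of client-side handling for the device endpoints above: it checks a request body against the documented fields, reads both 422 body shapes, accepts `syslogNotificationsEnabled` as either the string or the boolean that the two response schemas declare, and masks the echoed `apiToken` before a response is logged. The function names, the `"false"` string case and the redaction marker are assumptions.

```python
import copy

# Constructed samples, copied from the response bodies documented on this page.
DUPLICATE_422 = {
    "errors": [
        {"code": "DuplicateError", "field": "host", "message": "Object already exists."}
    ],
    "message": "Validation Error",
}
INVALID_TOKEN_422 = {"message": "Invalid token."}
PUT_200 = {
    "id": "42",
    "host": "new-host.ops.my-company.com",
    "apiToken": "updated-token",
    "name": "Updated Name",
    "syslogNotificationsEnabled": "true",  # string in the PUT response schema
}

# Field names and types from the request schemas and the PATCH field list.
REQUEST_FIELDS = {
    "host": str,
    "apiToken": str,
    "name": str,
    "syslogNotificationsEnabled": bool,
}
REQUIRED_ON_FULL_WRITE = ("host", "apiToken")  # POST and PUT; PATCH requires none


def build_device_body(fields, partial=False):
    """Validate a POST/PUT body (partial=False) or a PATCH body (partial=True)."""
    unknown = sorted(set(fields) - set(REQUEST_FIELDS))
    if unknown:
        raise ValueError("fields not allowed in the request body: " + ", ".join(unknown))
    for key, value in fields.items():
        if not isinstance(value, REQUEST_FIELDS[key]):
            raise ValueError("%s must be %s" % (key, REQUEST_FIELDS[key].__name__))
    if partial:
        if not fields:
            raise ValueError("a partial update needs at least one field")
    else:
        missing = [k for k in REQUIRED_ON_FULL_WRITE if k not in fields]
        if missing:
            raise ValueError("missing required fields: " + ", ".join(missing))
    return dict(fields)


def explain_422(body):
    """Flatten either 422 shape into a list of {code, field, message} dicts."""
    errors = body.get("errors")
    if isinstance(errors, list) and errors:
        return [
            {"code": e.get("code"), "field": e.get("field"), "message": e.get("message")}
            for e in errors
            if isinstance(e, dict)
        ]
    # Message-only shape, as in the "Invalid token." response.
    return [{"code": None, "field": None, "message": body.get("message", "")}]


def normalize_device(body):
    """Return a copy whose syslogNotificationsEnabled is always a bool."""
    device = copy.deepcopy(body)
    raw = device.get("syslogNotificationsEnabled")
    if isinstance(raw, str):
        lowered = raw.strip().lower()
        # Only "true" appears on the page; accepting "false" is an assumption.
        if lowered not in ("true", "false"):
            raise ValueError("unexpected syslogNotificationsEnabled: %r" % raw)
        device["syslogNotificationsEnabled"] = lowered == "true"
    elif not isinstance(raw, bool):
        raise ValueError("unexpected syslogNotificationsEnabled: %r" % (raw,))
    return device


def redact_for_log(body):
    """Return a copy that is safe to log: the device apiToken is masked."""
    safe = copy.deepcopy(body)
    if "apiToken" in safe:
        safe["apiToken"] = "***REDACTED***"  # marker string is an assumption
    return safe
```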


DELETE /api/v1/devices/42
Responses 204
This response has no content.

Delete a Device
DELETE /api/v1/devices/{id}

Delete a device that is connected to Edge Defense Manager. This operation also deletes all of the alerts that are associated with the device.

Deleting a device can cause data loss and cannot be undone.

URI Parameters
id
number (required) Example: 42

The unique ID that Edge Defense Manager assigned to the device.


Total Traffic

This endpoint provides timeseries data that represents the total blocked traffic and total passed traffic that is reported by the connected Arbor Edge Defense (AED) devices.

Get Total Traffic

GET /api/v1/traffic/edge?start=2018-08-08T00:00:00Z&end=2018-08-09T00:00:00Z
Responses 200
Headers
Content-Type: application/json
Body
{
    "data": {
        "pps": [
            {
                "timestamp": "2018-08-08T19:12:58.286Z",
                "data": {
                    "blocked": 49692,
                    "passed": 89155
                }
            },
            {
                "timestamp": "2018-08-08T20:24:58.286Z",
                "data": {
                    "blocked": 30479,
                    "passed": 36384
                }
            }
            ...
        ],
        "bps": [
            {
                "timestamp": "2018-08-08T19:12:58.286Z",
                "data": {
                    "blocked": 87166,
                    "passed": 71530
                }
            },
            {
                "timestamp": "2018-08-08T20:24:58.286Z",
                "data": {
                    "blocked": 34653,
                    "passed": 47416
                }
            }
            ...
        ]
    }
}
Schema
{
    "$schema": "http://json-schema.org/draft-04/schema#",
    "description": "The total amount of traffic that was observed on all of the connected AED devices.",
    "type": "object",
    "properties": {
        "data": {
            "type": "object",
            "properties": {
                "pps": {
                    "type": "array",
                    "description": "The data points within the time period at which a packets per second rate was observed.",
                    "items": {
                        "type": "object",
                        "properties": {
                            "timestamp": {
                                "type": "string",
                                "description": "The timestamp of the data point, in ISO-8601 format."
                            },
                            "data": {
                                "type": "object",
                                "properties": {
                                    "passed": {
                                        "type": "integer",
                                        "description": "The number of packets per second that were passed at the timestamp."
                                    },
                                    "blocked": {
                                        "type": "integer",
                                        "description": "The number of packets per second that were blocked at the timestamp."
                                    }
                                },
                                "required": ["passed", "blocked"]
                            }
                        },
                        "required": ["timestamp", "data"]
                    }
                },
                "bps": {
                    "type": "array",
                    "description": "The data points within the time period at which a bits per second rate was observed.",
                    "items": {
                        "type": "object",
                        "properties": {
                            "timestamp": {
                                "type": "string",
                                "description": "The timestamp of the data point, in ISO-8601 format."
                            },
                            "data": {
                                "type": "object",
                                "properties": {
                                    "passed": {
                                        "type": "integer",
                                        "description": "The number of bits per second that were passed at the timestamp."
                                    },
                                    "blocked": {
                                        "type": "integer",
                                        "description": "The number of bits per second that were blocked at the timestamp."
                                    }
                                },
                                "required": ["passed", "blocked"]
                            }
                        },
                        "required": ["timestamp", "data"]
                    }
                },
                "peakBpsBlocked": {
                    "type": "integer",
                    "description": "The highest bit rate of traffic that was blocked during the requested time period, in bps."
                },
                "peakBpsPassed": {
                    "type": "integer",
                    "description": "The highest bit rate of traffic that was passed during the requested time period, in bps."
                },
                "peakPpsBlocked": {
                    "type": "integer",
                    "description": "The highest rate of packets that were blocked during the requested time period, in pps."
                },
                "peakPpsPassed": {
                    "type": "integer",
                    "description": "The highest rate of packets that were passed during the requested time period, in pps."
                },
                "totalBpsBlocked": {
                    "type": "number",
                    "description": "The average bit rate of traffic that was blocked during the requested time period, in bps."
                },
                "totalBpsPassed": {
                    "type": "number",
                    "description": "The average bit rate of traffic that was passed during the requested time period, in bps."
                },
                "totalBytesBlocked": {
                    "type": "integer",
                    "description": "The total amount of traffic that was blocked during the requested time period, in bytes."
                },
                "totalBytesPassed": {
                    "type": "integer",
                    "description": "The total amount of traffic that was passed during the requested time period, in bytes."
                },
                "totalPacketsBlocked": {
                    "type": "integer",
                    "description": "The total number of packets that were blocked during the requested time period."
                },
                "totalPacketsPassed": {
                    "type": "integer",
                    "description": "The total number of packets that were passed during the requested time period."
                },
                "totalPpsBlocked": {
                    "type": "number",
                    "description": "The average rate of packets that were blocked during the requested time period, in pps."
                },
                "totalPpsPassed": {
                    "type": "number",
                    "description": "The average rate of packets that were passed during the requested time period, in pps."
                }
            },
            "required": [
                "bps", "pps", "peakBpsBlocked", "peakBpsPassed",
                "peakPpsBlocked", "peakPpsPassed", "totalBpsBlocked",
                "totalBpsPassed", "totalBytesBlocked", "totalBytesPassed",
                "totalPacketsBlocked", "totalPacketsPassed",
                "totalPpsBlocked", "totalPpsPassed"
            ]
        },
        "errors": {
            "type": "object",
            "description": "Errors that occurred during the request or response, keyed by the invalid field name. For example, start.",
            "properties": { },
            "additionalProperties": { "type": "string" }
        }
    },
    "required": ["data"]
}

Get Total Traffic
GET /api/v1/traffic/edge{?start,end}

Get timeseries data that represents the total amount of traffic within a given time period.

URI Parameters
start
string (optional) Example: 2018-08-08T00:00:00Z

The start of the search time period, based on the alert timestamp. ISO 8601 format is required.

end
string (optional) Example: 2018-08-09T00:00:00Z

The end of the search time period, based on the alert timestamp. ISO 8601 format is required.
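
An added example (not from the Edge Defense Manager documentation) that validates the `start`/`end` parameters and reduces a Total Traffic response to the blocked share per data point and the peak blocked rate for each series. The function names are assumptions, the sample holds the data points shown in the example response above, and treating a non-empty `errors` object as fatal is a choice made here.

```python
from datetime import datetime, timezone

# Constructed sample: the data points shown in the example response above.
SAMPLE_TRAFFIC = {
    "data": {
        "pps": [
            {"timestamp": "2018-08-08T19:12:58.286Z", "data": {"blocked": 49692, "passed": 89155}},
            {"timestamp": "2018-08-08T20:24:58.286Z", "data": {"blocked": 30479, "passed": 36384}},
        ],
        "bps": [
            {"timestamp": "2018-08-08T19:12:58.286Z", "data": {"blocked": 87166, "passed": 71530}},
            {"timestamp": "2018-08-08T20:24:58.286Z", "data": {"blocked": 34653, "passed": 47416}},
        ],
    }
}


def parse_ts(value):
    """Parse an ISO-8601 timestamp as used by the API into an aware UTC datetime."""
    text = value[:-1] + "+00:00" if value.endswith("Z") else value
    parsed = datetime.fromisoformat(text)
    if parsed.tzinfo is None:
        raise ValueError("timestamp has no UTC offset: %r" % value)
    return parsed.astimezone(timezone.utc)


def traffic_query(start, end):
    """Check start/end before sending them; return the query parameters."""
    if parse_ts(start) >= parse_ts(end):
        raise ValueError("start must be earlier than end")
    return {"start": start, "end": end}


def summarize_series(points):
    """Blocked share per data point, in time order, plus the peak blocked point."""
    rows = []
    for point in sorted(points, key=lambda p: parse_ts(p["timestamp"])):
        blocked = point["data"]["blocked"]
        passed = point["data"]["passed"]
        total = blocked + passed
        rows.append({
            "timestamp": point["timestamp"],
            "blocked": blocked,
            "passed": passed,
            # An idle interval (no traffic at all) has a blocked share of 0.
            "blocked_share": blocked / total if total else 0.0,
        })
    peak = max(rows, key=lambda r: r["blocked"]) if rows else None
    return {"points": rows, "peak_blocked": peak}


def summarize_traffic(body):
    """Summarize both series of a /api/v1/traffic/edge response body."""
    errors = body.get("errors") or {}
    if errors:
        # The schema keys errors by the invalid field name, for example "start".
        detail = "; ".join("%s: %s" % (k, v) for k, v in sorted(errors.items()))
        raise ValueError("request rejected: " + detail)
    data = body["data"]
    return {unit: summarize_series(data[unit]) for unit in ("bps", "pps")}
```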


Reports

The Reports API allows access to the reporting features in Edge Defense Manager.

Reports List

GET /api/v1/reports?page=1&pageSize=100&order=asc&orderBy=createdAt
Responses 200
Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "id": 1,
      "name": "Saved Report",
      "createdBy": "admin",
      "createdAt": "2018-02-01T00:00:00Z",
      "modifiedBy": "admin",
      "modifiedAt": "2018-02-01T00:00:00Z",
      "start": "2018-02-01T00:00:00Z",
      "end": "2018-02-01T00:00:00Z",
      "status": "queued",
      "errors": []
    }
  ],
  "totalCount": 1234,
  "errors": []
}
Schema
{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "type": "object",
  "properties": {
    "data": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "id": {
            "type": "number",
            "description": "The ID of the report."
          },
          "name": {
            "type": "string",
            "description": "The name of the report."
          },
          "createdBy": {
            "type": "string",
            "description": "The username of the user who created the report."
          },
          "createdAt": {
            "type": "string",
            "description": "The time at which the report was created. ISO 8601 format."
          },
          "modifiedBy": {
            "type": "string",
            "description": "The username of the user who most recently modified the report."
          },
          "modifiedAt": {
            "type": "string",
            "description": "The time of the most recent changes to the report. ISO 8601 format."
          },
          "start": {
            "type": "string",
            "description": "The start of the time period for collecting the summarized data in the report. ISO 8601 format is required."
          },
          "end": {
            "type": "string",
            "description": "The end of the time period for collecting the summarized data in the report. ISO 8601 format is required."
          },
          "status": {
            "type": "string",
            "enum": [
              "queued",
              "processing",
              "complete",
              "error"
            ],
            "description": "The status of the report."
          },
          "errors": {
            "description": "Errors that occurred with the report.\n\n- Error message (string, required)\n    An error message."
          }
        },
        "required": [
          "id",
          "name",
          "createdBy",
          "createdAt",
          "modifiedBy",
          "modifiedAt",
          "start",
          "end",
          "status"
        ]
      }
    },
    "totalCount": {
      "type": "number",
      "description": "Total number of saved reports."
    },
    "errors": {
      "description": "Errors that occurred during the request or response.\n\n- Error message (string, required)\n    An error message."
    }
  }
}

Reports List
GET /api/v1/reports{?page,pageSize,order,orderBy}

Get a condensed list of all reports.

URI Parameters
page
number (optional) Default: 1 Example: 1

The page number to return.

pageSize
number (optional) Default: 25 Example: 100

The number of records to return for each page.

order
string (optional) Default: asc Example: asc

The sort direction.

orderBy
string (optional) Default: id Example: createdAt

The field on which to sort.


Report

Operations for fetching, creating, updating, and deleting reports.

GET /api/v1/reports/42
Responses 200 404
Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 1,
    "name": "Saved Report",
    "createdBy": "admin",
    "createdAt": "2018-02-01T00:00:00Z",
    "modifiedBy": "admin",
    "modifiedAt": "2018-02-01T00:00:00Z",
    "start": "2018-02-01T00:00:00Z",
    "end": "2018-02-01T00:00:00Z",
    "status": "queued",
    "errors": []
  },
  "errors": []
}
Schema
{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "type": "object",
  "properties": {
    "data": {
      "type": "object",
      "properties": {
        "id": {
          "type": "number",
          "description": "The ID of the report."
        },
        "name": {
          "type": "string",
          "description": "The name of the report."
        },
        "createdBy": {
          "type": "string",
          "description": "The username of the user who created the report."
        },
        "createdAt": {
          "type": "string",
          "description": "The time at which the report was created. ISO 8601 format."
        },
        "modifiedBy": {
          "type": "string",
          "description": "The username of the user who most recently modified the report."
        },
        "modifiedAt": {
          "type": "string",
          "description": "The time of the most recent changes to the report. ISO 8601 format."
        },
        "start": {
          "type": "string",
          "description": "The start of the time period for collecting the summarized data in the report. ISO 8601 format is required."
        },
        "end": {
          "type": "string",
          "description": "The end of the time period for collecting the summarized data in the report. ISO 8601 format is required."
        },
        "status": {
          "type": "string",
          "enum": [
            "queued",
            "processing",
            "complete",
            "error"
          ],
          "description": "The status of the report."
        },
        "errors": {
          "description": "Errors that occurred with the report.\n\n- Error message (string, required)\n    An error message."
        }
      },
      "required": [
        "id",
        "name",
        "createdBy",
        "createdAt",
        "modifiedBy",
        "modifiedAt",
        "start",
        "end",
        "status"
      ]
    },
    "errors": {
      "description": "Errors that occurred during the request or response.\n\n- Error message (string, required)\n    An error message."
    }
  }
}
Headers
Content-Type: application/json
Body
{
  "errors": [
    {
      "code": "NotFound",
      "field": "Specified report [42] does not exist",
      "message": "Specified report [42] does not exist"
    }
  ],
  "message": "Not Found."
}

Get report status
GET /api/v1/reports/{id}

Get a report status by ID.

URI Parameters
id
number (required) Example: 42

The ID of the report status to retrieve.


GET /api/v1/reports/42/result
Responses 200
Headers
Content-Type: application/json
Body
{
  "parameters": {
    "name": "Report Name",
    "start": "2018-02-01T00:00:00Z",
    "end": "2018-02-01T00:00:00Z"
  },
  "data": {
    "id": 1,
    "isEmpty": false,
    "isPktDirectionUnknown": false,
    "blockedConnectionCount": 4248977,
    "alerts": {
      "ddos": {
        "total": 42,
        "timeseries": [
          {
            "timestamp": "2018-02-01T00:00:00Z",
            "data": {
              "total": 42,
              "blocked": 42,
              "botnet": 42
            }
          }
        ],
        "data": [
          {
            "start": "2018-02-01T00:00:00Z",
            "end": "2018-02-01T00:00:00Z",
            "type": "blocked",
            "pgName": "Default PG"
          }
        ]
      }
    },
    "protectionGroups": {
      "alerts": [
        {
          "name": "Default PG",
          "count": 42
        }
      ]
    },
    "sources": {
      "blocked": [
        {
          "host": "8.8.8.8",
          "count": 217
        }
      ]
    },
    "destinations": {
      "blocked": [
        {
          "host": "8.8.8.8",
          "count": 217
        }
      ]
    },
    "services": {
      "blocked": [
        {
          "service": "DNS",
          "connectionCount": 217,
          "uniqueSourceCount": 2034,
          "uniqueDestinationCount": 1757,
          "topDestinations": [
            {
              "host": "8.8.8.8",
              "count": 217
            }
          ]
        }
      ]
    },
    "annotations": {
      "ddosSummary": "Some annotations",
      "newInboundAlertGraph": "Some annotations",
      "alertsOverTimeGraphs": "Some annotations",
      "protectionGroups": "Some annotations",
      "sourcesAndDestinations": "Some annotations",
      "services": "Some annotations",
      "destinationsByService": "Some annotations"
    }
  }
}
Schema
{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "type": "object",
  "properties": {
    "parameters": {
      "type": "object",
      "properties": {
        "name": {
          "type": "string",
          "description": "The name given to the report."
        },
        "start": {
          "type": "string",
          "description": "The start of the time period for collecting the summarized data in this report. ISO 8601 format is required.",
          "default": "30 days before yesterday, midnight UTC."
        },
        "end": {
          "type": "string",
          "description": "The end of the time period for collecting the summarized data in this report. ISO 8601 format is required.",
          "default": "Yesterday, midnight UTC."
        }
      },
      "required": [
        "name",
        "start",
        "end"
      ],
      "description": "The parameters that were used to run this report."
    },
    "data": {
      "type": "object",
      "properties": {
        "id": {
          "type": "number",
          "description": "The ID of the report."
        },
        "isEmpty": {
          "type": "boolean",
          "description": "True if the report contains no data."
        },
        "isPktDirectionUnknown": {
          "type": "boolean",
          "description": "True if one or more of the packets that are involved in the calculations do not have a direction."
        },
        "blockedConnectionCount": {
          "type": "number",
          "description": "The total number of blocked, flood-related connections."
        },
        "alerts": {
          "type": "object",
          "properties": {
            "ddos": {
              "type": "object",
              "properties": {
                "total": {
                  "type": "number",
                  "description": "An aggregated count of the new DDoS alerts that the connected AED devices triggered during the report time period."
                },
                "timeseries": {
                  "type": "array",
                  "items": {
                    "type": "object",
                    "properties": {
                      "timestamp": {
                        "type": "string",
                        "description": "The end time of this bin of alert counts. ISO 8601 format."
                      },
                      "data": {
                        "type": "object",
                        "properties": {
                          "total": {
                            "type": "number",
                            "description": "The number of alerts that were triggered by the total traffic in the time bin."
                          },
                          "blocked": {
                            "type": "number",
                            "description": "The number of the alerts that were triggered by blocked traffic in the time bin."
                          },
                          "botnet": {
                            "type": "number",
                            "description": "The number of the alerts that were triggered by botnet traffic in the time bin."
                          }
                        },
                        "required": [
                          "total",
                          "blocked",
                          "botnet"
                        ]
                      }
                    },
                    "required": [
                      "timestamp",
                      "data"
                    ]
                  },
                  "description": "The number of new DDoS alerts, aggregated and organized into binned timeseries data, where the bin size is determined by the report date range."
                },
                "data": {
                  "type": "array",
                  "items": {
                    "type": "object",
                    "properties": {
                      "start": {
                        "type": "string",
                        "description": "The time at which the alert started. ISO 8601 format."
                      },
                      "end": {
                        "type": "string",
                        "description": "The time at which the alert ended. ISO 8601 format. Empty if the alert is still ongoing."
                      },
                      "type": {
                        "type": "string",
                        "description": "The type of traffic that triggered the alert."
                      },
                      "pgName": {
                        "type": "string",
                        "description": "The name of the protection group associated with this alert."
                      }
                    },
                    "required": [
                      "start",
                      "end",
                      "type",
                      "pgName"
                    ]
                  },
                  "description": "A list of all the DDoS alerts that were ongoing during the requested time period."
                }
              },
              "required": [
                "total",
                "timeseries",
                "data"
              ]
            }
          },
          "required": [
            "ddos"
          ]
        },
        "protectionGroups": {
          "type": "object",
          "properties": {
            "alerts": {
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "name": {
                    "type": "string",
                    "description": "The name of the protection group."
                  },
                  "count": {
                    "type": "number",
                    "description": "The total number of alerts for this protection group."
                  }
                },
                "required": [
                  "name",
                  "count"
                ]
              },
              "description": "The protection groups with the highest alert counts."
            }
          },
          "required": [
            "alerts"
          ],
          "description": "The top protection groups per criteria."
        },
        "sources": {
          "type": "object",
          "properties": {
            "blocked": {
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "host": {
                    "type": "string",
                    "description": "The IP address or hostname of the source."
                  },
                  "count": {
                    "type": "number",
                    "description": "The number of connections from the source that were blocked."
                  }
                },
                "required": [
                  "host",
                  "count"
                ]
              },
              "description": "The source addresses with the most blocked connections."
            }
          },
          "required": [
            "blocked"
          ],
          "description": "The top source addresses by key."
        },
        "destinations": {
          "type": "object",
          "properties": {
            "blocked": {
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "host": {
                    "type": "string",
                    "description": "The IP address or hostname of the destination."
                  },
                  "count": {
                    "type": "number",
                    "description": "The number of connections to the destination that were blocked."
                  }
                },
                "required": [
                  "host",
                  "count"
                ]
              },
              "description": "The destination addresses with the most blocked connections."
            }
          },
          "required": [
            "blocked"
          ],
          "description": "The top destination addresses by key."
        },
        "services": {
          "type": "object",
          "properties": {
            "blocked": {
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "service": {
                    "type": "string",
                    "description": "The service that was used."
                  },
                  "connectionCount": {
                    "type": "number",
                    "description": "The number of blocked connections that used this service."
                  },
                  "uniqueSourceCount": {
                    "type": "number",
                    "description": "Number of unique source IPs or hostnames for this service."
                  },
                  "uniqueDestinationCount": {
                    "type": "number",
                    "description": "Number of unique destination IPs or hostnames for this service."
                  },
                  "topDestinations": {
                    "type": "array",
                    "items": {
                      "type": "object",
                      "properties": {
                        "host": {
                          "type": "string",
                          "description": "The IP address or hostname of the destination."
                        },
                        "count": {
                          "type": "number",
                          "description": "The number of connections to the destination that were blocked for this service."
                        }
                      },
                      "required": [
                        "host",
                        "count"
                      ]
                    },
                    "description": "Top blocked destinations for this service."
                  }
                },
                "required": [
                  "service",
                  "connectionCount",
                  "uniqueSourceCount",
                  "uniqueDestinationCount",
                  "topDestinations"
                ]
              },
              "description": "The services on which the most connections were blocked."
            }
          },
          "required": [
            "blocked"
          ],
          "description": "The top services by key."
        },
        "annotations": {
          "type": "object",
          "properties": {
            "ddosSummary": {
              "type": "string",
              "description": "Annotations for the DDoS summary section."
            },
            "newInboundAlertGraph": {
              "type": "string",
              "description": "Annotations for the section with the new inbound DDoS alert graph."
            },
            "alertsOverTimeGraphs": {
              "type": "string",
              "description": "Annotations for the section with the inbound DDoS alerts over time graphs."
            },
            "protectionGroups": {
              "type": "string",
              "description": "Annotations for the protection groups section."
            },
            "sourcesAndDestinations": {
              "type": "string",
              "description": "Annotations for the top blocked sources & destinations section."
            },
            "services": {
              "type": "string",
              "description": "Annotations for the top blocked services section."
            },
            "destinationsByService": {
              "type": "string",
              "description": "Annotations for the top blocked destinations by services section."
            }
          },
          "description": "Annotations for each report section."
        }
      },
      "required": [
        "id",
        "isEmpty",
        "isPktDirectionUnknown",
        "blockedConnectionCount",
        "alerts",
        "protectionGroups",
        "sources",
        "destinations",
        "services"
      ]
    },
    "errors": {
      "description": "Errors that occurred during the request or response.\n\n- Error message (string, required)\n    An error message."
    }
  },
  "required": [
    "parameters"
  ]
}

Fetch report result
GET /api/v1/reports/{id}/result

Request the result for the specified summary report.

URI Parameters
id
number (required) Example: 42

The unique ID of the report to return, or 0 to generate and return the results for a new 30-day report.


POST /api/v1/reports
Requests: Create a new report
Headers
Content-Type: application/json
Body
{
  "name": "Report Name",
  "start": "2018-02-01T00:00:00Z",
  "end": "2018-02-01T00:00:00Z"
}
Schema
{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "type": "object",
  "properties": {
    "name": {
      "type": "string",
      "description": "A name for the report."
    },
    "start": {
      "type": "string",
      "description": "The start of the time period for collecting the summarized data in the report. ISO 8601 format is required.",
      "default": "30 days before yesterday, midnight UTC."
    },
    "end": {
      "type": "string",
      "description": "The end of the time period for collecting the summarized data in the report. ISO 8601 format is required.",
      "default": "Yesterday, midnight UTC."
    }
  },
  "required": [
    "name"
  ]
}
Responses 202
Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 1,
    "name": "Saved Report",
    "createdBy": "admin",
    "createdAt": "2018-02-01T00:00:00Z",
    "modifiedBy": "admin",
    "modifiedAt": "2018-02-01T00:00:00Z",
    "start": "2018-02-01T00:00:00Z",
    "end": "2018-02-01T00:00:00Z",
    "status": "queued",
    "errors": []
  },
  "errors": []
}
Schema
{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "type": "object",
  "properties": {
    "data": {
      "type": "object",
      "properties": {
        "id": {
          "type": "number",
          "description": "The ID of the report."
        },
        "name": {
          "type": "string",
          "description": "The name of the report."
        },
        "createdBy": {
          "type": "string",
          "description": "The username of the user who created the report."
        },
        "createdAt": {
          "type": "string",
          "description": "The time at which the report was created. ISO 8601 format."
        },
        "modifiedBy": {
          "type": "string",
          "description": "The username of the user who most recently modified the report."
        },
        "modifiedAt": {
          "type": "string",
          "description": "The time of the most recent changes to the report. ISO 8601 format."
        },
        "start": {
          "type": "string",
          "description": "The start of the time period for collecting the summarized data in the report. ISO 8601 format is required."
        },
        "end": {
          "type": "string",
          "description": "The end of the time period for collecting the summarized data in the report. ISO 8601 format is required."
        },
        "status": {
          "type": "string",
          "enum": [
            "queued",
            "processing",
            "complete",
            "error"
          ],
          "description": "The status of the report."
        },
        "errors": {
          "description": "Errors that occurred with the report.\n\n- Error message (string, required)\n    An error message."
        }
      },
      "required": [
        "id",
        "name",
        "createdBy",
        "createdAt",
        "modifiedBy",
        "modifiedAt",
        "start",
        "end",
        "status"
      ]
    },
    "errors": {
      "description": "Errors that occurred during the request or response.\n\n- Error message (string, required)\n    An error message."
    }
  }
}

Create Summary Report
POST /api/v1/reports

Create a new summary report.
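
The create, status and result endpoints above combine into one workflow: the POST answers 202 with status "queued", the status endpoint is polled until the report reaches "complete" or "error", and the result is then fetched. The Python client below is an added example, not part of the Edge Defense Manager documentation; the function names, the EDM_URL and EDM_API_TOKEN environment variables, and the polling defaults are assumptions.

```python
import json
import os
import time
import urllib.error
import urllib.request

STATUSES = {"queued", "processing", "complete", "error"}  # documented status enum


class ReportError(Exception):
    """The API returned an error body, or the report ended in 'error'."""


def http_sender(base_url, token):
    """Return send(method, path, body) that calls the API over HTTPS."""
    def send(method, path, body=None):
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(base_url.rstrip("/") + path, data=data, method=method)
        req.add_header("X-Arbux-APIToken", token)  # header name from the page
        if data is not None:
            req.add_header("Content-Type", "application/json")
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return resp.status, json.loads(resp.read() or b"{}")
        except urllib.error.HTTPError as exc:
            # Error responses carry a JSON body with an "errors" list.
            try:
                return exc.code, json.loads(exc.read() or b"{}")
            except ValueError:
                return exc.code, {}
    return send


def _expect(response, code):
    """Return the JSON payload, or raise with the messages from 'errors'."""
    status, payload = response
    if status != code:
        messages = [e.get("message", "") for e in payload.get("errors") or []]
        detail = "; ".join(messages) or payload.get("message", "")
        raise ReportError(f"HTTP {status}: {detail}")
    return payload


def create_report(send, name, start=None, end=None):
    """POST /api/v1/reports; omitted start/end fall back to the server defaults."""
    body = {"name": name}
    if start:
        body["start"] = start
    if end:
        body["end"] = end
    return _expect(send("POST", "/api/v1/reports", body), 202)["data"]


def wait_for_report(send, report_id, poll_seconds=5, max_polls=60, sleep=time.sleep):
    """Poll GET /api/v1/reports/{id} until status is 'complete'."""
    for _ in range(max_polls):
        # int() keeps anything but a numeric ID out of the request path.
        data = _expect(send("GET", f"/api/v1/reports/{int(report_id)}"), 200)["data"]
        status = data.get("status")
        if status not in STATUSES:
            raise ReportError(f"unexpected status {status!r}")
        if status == "error":
            raise ReportError(f"report {report_id} failed: {data.get('errors')}")
        if status == "complete":
            return data
        sleep(poll_seconds)
    raise ReportError(f"report {report_id} not complete after {max_polls} polls")


def fetch_result(send, report_id):
    """GET /api/v1/reports/{id}/result and return its 'data' object."""
    return _expect(send("GET", f"/api/v1/reports/{int(report_id)}/result"), 200)["data"]


def top_blocked_sources(result, limit=5):
    """(host, count) pairs from sources.blocked, highest count first."""
    rows = result.get("sources", {}).get("blocked", [])
    pairs = [(row["host"], row["count"]) for row in rows]
    return sorted(pairs, key=lambda pair: pair[1], reverse=True)[:limit]


def run_report(send, name, start=None, end=None, **poll_options):
    """Create a report, wait for it, and return the result data."""
    report = create_report(send, name, start, end)
    wait_for_report(send, report["id"], **poll_options)
    return fetch_result(send, report["id"])


if __name__ == "__main__":
    # EDM_URL and EDM_API_TOKEN are assumed names; keep the token out of source control.
    sender = http_sender(os.environ["EDM_URL"], os.environ["EDM_API_TOKEN"])
    result = run_report(sender, "Weekly DDoS summary")
    for host, count in top_blocked_sources(result):
        print(host, count)
```

Because the transport is passed in as `send`, the workflow can be exercised against canned responses before it is pointed at a live manager.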


PUT /api/v1/reports/42
Requests: Update a report
Headers
Content-Type: application/json
Body
{
  "name": "Report Name",
  "annotations": {
    "ddosSummary": "Some annotations",
    "newInboundAlertGraph": "Some annotations",
    "alertsOverTimeGraphs": "Some annotations",
    "protectionGroups": "Some annotations",
    "sourcesAndDestinations": "Some annotations",
    "services": "Some annotations",
    "destinationsByService": "Some annotations"
  }
}
Schema
{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "type": "object",
  "properties": {
    "name": {
      "type": "string",
      "description": "A new name for the report."
    },
    "annotations": {
      "type": "object",
      "properties": {
        "ddosSummary": {
          "type": "string",
          "description": "Annotations for the DDoS summary section."
        },
        "newInboundAlertGraph": {
          "type": "string",
          "description": "Annotations for the section with the new inbound DDoS alert graph."
        },
        "alertsOverTimeGraphs": {
          "type": "string",
          "description": "Annotations for the section with the inbound DDoS alerts over time graphs."
        },
        "protectionGroups": {
          "type": "string",
          "description": "Annotations for the protection groups section."
        },
        "sourcesAndDestinations": {
          "type": "string",
          "description": "Annotations for the top blocked sources & destinations section."
        },
        "services": {
          "type": "string",
          "description": "Annotations for the top blocked services section."
        },
        "destinationsByService": {
          "type": "string",
          "description": "Annotations for the top blocked destinations by services section."
        }
      },
      "required": [
        "ddosSummary",
        "newInboundAlertGraph",
        "alertsOverTimeGraphs",
        "protectionGroups",
        "sourcesAndDestinations",
        "services",
        "destinationsByService"
      ]
    }
  },
  "required": [
    "name",
    "annotations"
  ]
}
Responses 200
Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 1,
    "name": "Saved Report",
    "createdBy": "admin",
    "createdAt": "2018-02-01T00:00:00Z",
    "modifiedBy": "admin",
    "modifiedAt": "2018-02-01T00:00:00Z",
    "start": "2018-02-01T00:00:00Z",
    "end": "2018-02-01T00:00:00Z",
    "status": "queued",
    "errors": []
  },
  "errors": []
}
Schema
{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "type": "object",
  "properties": {
    "data": {
      "type": "object",
      "properties": {
        "id": {
          "type": "number",
          "description": "The ID of the report."
        },
        "name": {
          "type": "string",
          "description": "The name of the report."
        },
        "createdBy": {
          "type": "string",
          "description": "The username of the user who created the report."
        },
        "createdAt": {
          "type": "string",
          "description": "The time at which the report was created. ISO 8601 format."
        },
        "modifiedBy": {
          "type": "string",
          "description": "The username of the user who most recently modified the report."
        },
        "modifiedAt": {
          "type": "string",
          "description": "The time of the most recent changes to the report. ISO 8601 format."
        },
        "start": {
          "type": "string",
          "description": "The start of the time period for collecting the summarized data in the report. ISO 8601 format is required."
        },
        "end": {
          "type": "string",
          "description": "The end of the time period for collecting the summarized data in the report. ISO 8601 format is required."
        },
        "status": {
          "type": "string",
          "enum": [
            "queued",
            "processing",
            "complete",
            "error"
          ],
          "description": "The status of the report."
        },
        "errors": {
          "description": "Errors that occurred with the report.\n\n- Error message (string, required)\n    An error message."
        }
      },
      "required": [
        "id",
        "name",
        "createdBy",
        "createdAt",
        "modifiedBy",
        "modifiedAt",
        "start",
        "end",
        "status"
      ]
    },
    "errors": {
      "description": "Errors that occurred during the request or response.\n\n- Error message (string, required)\n    An error message."
    }
  }
}

Update Existing Report
PUT /api/v1/reports/{id}

Update a summary report.

URI Parameters
id
number (required) Example: 42

The ID of the report to update.


PATCH /api/v1/reports/42
Requests: Update a report
Headers
Content-Type: application/json
Body
{
  "name": "Report Name",
  "annotations": {
    "ddosSummary": "Some annotations",
    "newInboundAlertGraph": "Some annotations",
    "alertsOverTimeGraphs": "Some annotations",
    "protectionGroups": "Some annotations",
    "sourcesAndDestinations": "Some annotations",
    "services": "Some annotations",
    "destinationsByService": "Some annotations"
  }
}
Schema
{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "type": "object",
  "properties": {
    "name": {
      "type": "string",
      "description": "A new name for the report."
    },
    "annotations": {
      "type": "object",
      "properties": {
        "ddosSummary": {
          "type": "string",
          "description": "Annotations for the DDoS summary section."
        },
        "newInboundAlertGraph": {
          "type": "string",
          "description": "Annotations for the section with the new inbound DDoS alert graph."
        },
        "alertsOverTimeGraphs": {
          "type": "string",
          "description": "Annotations for the section with the inbound DDoS alerts over time graphs."
        },
        "protectionGroups": {
          "type": "string",
          "description": "Annotations for the protection groups section."
        },
        "sourcesAndDestinations": {
          "type": "string",
          "description": "Annotations for the top blocked sources & destinations section."
        },
        "services": {
          "type": "string",
          "description": "Annotations for the top blocked services section."
        },
        "destinationsByService": {
          "type": "string",
          "description": "Annotations for the top blocked destinations by services section."
        }
      }
    }
  }
}
Responses 200
Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 1,
    "name": "Saved Report",
    "createdBy": "admin",
    "createdAt": "2018-02-01T00:00:00Z",
    "modifiedBy": "admin",
    "modifiedAt": "2018-02-01T00:00:00Z",
    "start": "2018-02-01T00:00:00Z",
    "end": "2018-02-01T00:00:00Z",
    "status": "queued",
    "errors": []
  },
  "errors": []
}
Schema
{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "type": "object",
  "properties": {
    "data": {
      "type": "object",
      "properties": {
        "id": {
          "type": "number",
          "description": "The ID of the report."
        },
        "name": {
          "type": "string",
          "description": "The name of the report."
        },
        "createdBy": {
          "type": "string",
          "description": "The username of the user who created the report."
        },
        "createdAt": {
          "type": "string",
          "description": "The time at which the report was created. ISO 8601 format."
        },
        "modifiedBy": {
          "type": "string",
          "description": "The username of the user who most recently modified the report."
        },
        "modifiedAt": {
          "type": "string",
          "description": "The time of the most recent changes to the report. ISO 8601 format."
        },
        "start": {
          "type": "string",
          "description": "The start of the time period for collecting the summarized data in the report. ISO 8601 format is required."
        },
        "end": {
          "type": "string",
          "description": "The end of the time period for collecting the summarized data in the report. ISO 8601 format is required."
        },
        "status": {
          "type": "string",
          "enum": [
            "queued",
            "processing",
            "complete",
            "error"
          ],
          "description": "The status of the report."
        },
        "errors": {
          "description": "Errors that occurred with the report.\n\n- Error message (string, required)\n    An error message."
        }
      },
      "required": [
        "id",
        "name",
        "createdBy",
        "createdAt",
        "modifiedBy",
        "modifiedAt",
        "start",
        "end",
        "status"
      ]
    },
    "errors": {
      "description": "Errors that occurred during the request or response.\n\n- Error message (string, required)\n    An error message."
    }
  }
}

Partially Update an Existing Report
PATCH /api/v1/reports/{id}

Make partial updates to a report that is connected to Edge Defense Manager.

URI Parameters
id
number (required) Example: 42

The ID of the report to update.


DELETE /api/v1/reports/42
Responses 204
This response has no content.

Delete a Report
DELETE /api/v1/reports/{id}

Delete a report by ID.

URI Parameters
id
number (required) Example: 42

The ID of the report to delete.


Contextual Threat Intelligence

The CTI API provides access to contextual intelligence about the indicators that are reported in feeds from the Arbor Threat Intelligence Team (ASERT).

Get Indicator Insights

GET /api/v1/cti/insights?indicatorValue=1.2.3.4
Responses 200
Headers
Content-Type: application/json
Body
{
  "message": "",
  "data": {
    "ecosystem": [
      {
        "time": "2018-02-01T00:00:00.000Z",
        "numAedsSeenOn": 15,
        "numCustomersSeenOn": 3,
        "ecosystemSize": 0.679688,
        "numVerticalsSeenOn": 5,
        "verticalsSeenOn": []
      }
    ],
    "vertical": {
      "results": {
        "telecom": [
          "2018-02-01T00:00:00.000Z",
          "2018-03-01T00:00:00.000Z"
        ]
      },
      "status": {
        "sources": [
          "atlas"
        ]
      }
    },
    "networkHistory": {
      "results": [
        {
          "collected": "2018-08-24 20:54:31",
          "firstSeen": "2014-09-10T17:42:06",
          "lastSeen": "2018-08-24T01:16:21",
          "recordHash": "8a84a47a4d7495678a957aeea219a4fdef811b085cac55fbd52e9d403f1d1069",
          "recordType": "A",
          "resolve": "69.46.38.42",
          "resolveType": "ip",
          "source": "riskiq",
          "value": "littlepeople.net"
        }
      ],
      "status": {
        "sources": [
          "riskiq",
          "asert"
        ],
        "firstSeen": "2014-09-10T17:42:06",
        "lastSeen": "2018-08-24T01:16:21",
        "totalRecords": 7
      }
    },
    "malwareHistory": {
      "results": [
        {
          "md5": [
            "b635b4dac7595ee7e4723416cf3307cd"
          ],
          "sha1": [
            "ccdc075a5c51aef0f382c701c873ae4fb23d4873"
          ],
          "sha256": [
            "fd9a64e31bd16b4733192054bf0cd63cc0acbf0d2b7d4a20ff1a3654e4723e81"
          ],
          "dnsLookups": [
            {
              "host": "lidgeys.ru",
              "cname": "null",
              "addr": "91.223.82.29"
            }
          ],
          "avDetections": [
            {
              "engine": "Norman",
              "detection": "Kryptik.CFAG"
            }
          ],
          "sampleTags": [
            "pramro",
            "gamarue",
            "betabot"
          ],
          "samples": [
            {
              "id": 19578643,
              "submitted": "2015-04-09T13:28:04",
              "md5": "b635b4dac7595ee7e4723416cf3307cd",
              "sampleTags": [
                "pramro",
                "gamarue"
              ],
              "dnsLookups": [
                {
                  "host": "lidgeys.ru",
                  "cname": "null",
                  "addr": "91.223.82.29"
                }
              ]
            }
          ]
        }
      ],
      "status": {
        "sources": [
          "asert"
        ]
      }
    },
    "dnsResolution": {
      "results": [
        {
          "host": "69.46.38.42",
          "recordType": "a"
        }
      ],
      "status": {
        "sources": [
          "84.200.69.80",
          "37.235.1.174",
          "84.200.70.40",
          "37.235.1.177"
        ]
      }
    },
    "openPorts": {
      "results": [
        {
          "54.68.226.153": [
            80,
            443
          ]
        }
      ],
      "status": {
        "sources": [
          "shodan"
        ],
        "totalRecords": 3
      }
    },
    "geoLocation": {
      "results": [
        {
          "103.53.40.33": "IN"
        }
      ],
      "status": {
        "sources": [
          "maxmind"
        ],
        "totalRecords": 1
      }
    },
    "sources": {
      "asert": {
        "creds": false,
        "errors": "\"\"",
        "success": false
      },
      "atlas": {
        "creds": false,
        "errors": "\"\"",
        "success": false
      },
      "maxmind": {
        "creds": false,
        "errors": "\"\"",
        "success": false
      },
      "riskiq": {
        "creds": false,
        "errors": "\"\"",
        "success": false
      },
      "shodan": {
        "creds": false,
        "errors": "\"\"",
        "success": false
      }
    }
  }
}
Schema
{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "type": "object",
  "properties": {
    "message": {
      "type": "string"
    },
    "data": {
      "type": "object",
      "properties": {
        "ecosystem": {
          "type": "array",
          "items": {
            "type": "object",
            "properties": {
              "time": {
                "type": "string",
                "description": "The start time of an individual observation period.  Default = 1 observation period per month, going back 6 months."
              },
              "numAedsSeenOn": {
                "type": "number"
              },
              "numCustomersSeenOn": {
                "type": "number"
              },
              "ecosystemSize": {
                "type": "number",
                "description": "A number from 0.0 to 1.0, scaled based on the maximum number of AEDs in the ecosystem during all the observation periods."
              },
              "numVerticalsSeenOn": {
                "type": "number"
              },
              "verticalsSeenOn": {}
            },
            "required": [
              "time",
              "numAedsSeenOn",
              "numCustomersSeenOn",
              "ecosystemSize",
              "numVerticalsSeenOn",
              "verticalsSeenOn"
            ]
          }
        },
        "vertical": {
          "type": "object",
          "properties": {
            "results": {
              "type": "object",
              "properties": {
                "telecom": {
                  "type": "array",
                  "description": "The vertical markets in which the indicator was seen, as a key-value pair of vertical name: observation periods."
                }
              }
            },
            "status": {
              "type": "object",
              "properties": {
                "sources": {
                  "type": "array"
                }
              },
              "required": [
                "sources"
              ]
            }
          },
          "required": [
            "results",
            "status"
          ]
        },
        "networkHistory": {
          "type": "object",
          "properties": {
            "results": {
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "collected": {
                    "type": "string",
                    "description": "The date on which the results were collected, returned with riskiq results only."
                  },
                  "firstSeen": {
                    "type": "string"
                  },
                  "lastSeen": {
                    "type": "string"
                  },
                  "recordHash": {
                    "type": "string",
                    "description": "A hash of the entire JSON record, returned with riskiq results only."
                  },
                  "recordType": {
                    "type": "string",
                    "description": "The type of DNS record, returned with riskiq results only."
                  },
                  "resolve": {
                    "type": "string",
                    "description": "An individual DNS resolution."
                  },
                  "resolveType": {
                    "type": "string",
                    "enum": [
                      "ip",
                      "domain"
                    ]
                  },
                  "source": {
                    "type": "string",
                    "enum": [
                      "riskiq",
                      "asert"
                    ],
                    "description": "Indicates whether the correlations are from riskIQ or ASERT's malware sandboxing pipeline."
                  },
                  "value": {
                    "type": "string"
                  }
                },
                "required": [
                  "firstSeen",
                  "lastSeen",
                  "resolve",
                  "resolveType",
                  "source",
                  "value"
                ]
              }
            },
            "status": {
              "type": "object",
              "properties": {
                "sources": {
                  "type": "array"
                },
                "firstSeen": {
                  "type": "string"
                },
                "lastSeen": {
                  "type": "string"
                },
                "totalRecords": {
                  "type": "number"
                }
              },
              "required": [
                "sources",
                "totalRecords"
              ]
            }
          },
          "required": [
            "results",
            "status"
          ]
        },
        "malwareHistory": {
          "type": "object",
          "properties": {
            "results": {
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "md5": {
                    "type": "array"
                  },
                  "sha1": {
                    "type": "array"
                  },
                  "sha256": {
                    "type": "array"
                  },
                  "dnsLookups": {
                    "type": "array",
                    "items": {
                      "type": "object",
                      "properties": {
                        "host": {
                          "type": "string",
                          "description": "The domain or hostname that was looked up during sandboxing."
                        },
                        "cname": {
                          "type": [
                            "string",
                            "null"
                          ],
                          "description": "The CNAME DNS response."
                        },
                        "addr": {
                          "type": "string",
                          "description": "The IP address that was resolved from the DNS lookup."
                        }
                      }
                    }
                  },
                  "avDetections": {
                    "type": "array"
                  },
                  "sampleTags": {
                    "type": "array"
                  },
                  "samples": {
                    "type": "array"
                  }
                },
                "required": [
                  "md5",
                  "sha1",
                  "sha256",
                  "dnsLookups",
                  "avDetections",
                  "sampleTags",
                  "samples"
                ]
              }
            },
            "status": {
              "type": "object",
              "properties": {
                "sources": {
                  "type": "array"
                }
              },
              "required": [
                "sources"
              ]
            }
          },
          "required": [
            "results",
            "status"
          ]
        },
        "dnsResolution": {
          "type": "object",
          "properties": {
            "results": {
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "host": {
                    "type": "string",
                    "description": "The result of DNS resolution of the indicator, as an IP address if the indicator is a domain or hostname, or as a hostname if the indicator is an IP address."
                  },
                  "recordType": {
                    "type": "string",
                    "enum": [
                      "a",
                      "ptr"
                    ],
                    "description": "Indicates the type of record: A if resolving a domain or hostname, or PTR if resolving an IP address."
                  }
                },
                "required": [
                  "host",
                  "recordType"
                ]
              }
            },
            "status": {
              "type": "object",
              "properties": {
                "sources": {
                  "type": "array",
                  "description": "A list of the DNS servers that were used to look up a domain, hostname, or IP address."
                }
              },
              "required": [
                "sources"
              ],
              "additionalProperties": false
            }
          },
          "required": [
            "results",
            "status"
          ]
        },
        "openPorts": {
          "type": "object",
          "properties": {
            "results": {
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "54.68.226.153": {
                    "type": "array",
                    "description": "The open ports on the IP address resolved from the indicator, as a key-value pair of IP address: list of open ports."
                  }
                },
                "required": [
                  "54.68.226.153"
                ]
              }
            },
            "status": {
              "type": "object",
              "properties": {
                "sources": {
                  "type": "array"
                },
                "totalRecords": {
                  "type": "number"
                }
              },
              "required": [
                "sources",
                "totalRecords"
              ]
            }
          },
          "required": [
            "results",
            "status"
          ]
        },
        "geoLocation": {
          "type": "object",
          "properties": {
            "results": {
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "103.53.40.33": {
                    "type": "string",
                    "description": "The location of the indicator based on resolved IP address, as a key-value pair of IP address: country code."
                  }
                },
                "required": [
                  "103.53.40.33"
                ]
              }
            },
            "status": {
              "type": "object",
              "properties": {
                "sources": {
                  "type": "array"
                },
                "totalRecords": {
                  "type": "number"
                }
              },
              "required": [
                "sources",
                "totalRecords"
              ]
            }
          },
          "required": [
            "results",
            "status"
          ]
        },
        "sources": {
          "type": "object",
          "properties": {
            "asert": {
              "type": "object",
              "properties": {
                "creds": {
                  "type": "boolean"
                },
                "errors": {
                  "type": "string"
                },
                "success": {
                  "type": "boolean"
                }
              },
              "required": [
                "creds",
                "errors",
                "success"
              ]
            },
            "atlas": {
              "type": "object",
              "properties": {
                "creds": {
                  "type": "boolean"
                },
                "errors": {
                  "type": "string"
                },
                "success": {
                  "type": "boolean"
                }
              },
              "required": [
                "creds",
                "errors",
                "success"
              ]
            },
            "maxmind": {
              "type": "object",
              "properties": {
                "creds": {
                  "type": "boolean"
                },
                "errors": {
                  "type": "string"
                },
                "success": {
                  "type": "boolean"
                }
              },
              "required": [
                "creds",
                "errors",
                "success"
              ]
            },
            "riskiq": {
              "type": "object",
              "properties": {
                "creds": {
                  "type": "boolean"
                },
                "errors": {
                  "type": "string"
                },
                "success": {
                  "type": "boolean"
                }
              },
              "required": [
                "creds",
                "errors",
                "success"
              ]
            },
            "shodan": {
              "type": "object",
              "properties": {
                "creds": {
                  "type": "boolean"
                },
                "errors": {
                  "type": "string"
                },
                "success": {
                  "type": "boolean"
                }
              },
              "required": [
                "creds",
                "errors",
                "success"
              ]
            }
          },
          "required": [
            "asert",
            "atlas",
            "maxmind",
            "riskiq",
            "shodan"
          ],
          "description": "A list of data sources and their responsiveness."
        }
      },
      "required": [
        "ecosystem",
        "vertical",
        "networkHistory",
        "malwareHistory",
        "dnsResolution",
        "openPorts",
        "geoLocation",
        "sources"
      ]
    }
  },
  "required": [
    "message",
    "data"
  ]
}

Get Indicator Insights
GET /api/v1/cti/insights{?indicatorValue}

Collect contextual intelligence from the ASERT sandbox, ATLAS data, live DNS lookups, and other third party APIs to obtain more information about an indicator. For data to be returned, users must configure API tokens in Edge Defense Manager for the third party APIs.

URI Parameters
indicatorValue
string (required) Example: 1.2.3.4

The domain, IP address, or HTTP URI for which to receive intelligence.
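
The following is an added example, not part of the Edge Defense Manager documentation. It triages an Insights response so that a section that is empty because nothing is known is kept apart from a section that is empty because a feeding source had no credentials or failed. The sample response is constructed, and both the section-to-source mapping and the reading of "creds" and "success" are assumptions inferred from the example and schema above.

```python
# Assumption: "creds" means a token is configured and "success" means the
# source answered; the schema does not define either field.

# Which sources feed which section, inferred from the page's example and schema.
FEEDS = {
    "networkHistory": ("riskiq", "asert"),
    "malwareHistory": ("asert",),
    "dnsResolution": (),  # live DNS lookups, no third-party token involved
    "openPorts": ("shodan",),
    "geoLocation": ("maxmind",),
}

# Constructed sample, trimmed to the fields used here; values are made up.
SAMPLE = {"message": "", "data": {
    "networkHistory": {"results": [], "status": {"sources": [], "totalRecords": 0}},
    "malwareHistory": {"results": [], "status": {"sources": ["asert"]}},
    "dnsResolution": {"results": [{"host": "192.0.2.10", "recordType": "a"}],
                      "status": {"sources": ["198.51.100.53"]}},
    "openPorts": {"results": [{"192.0.2.10": [80, 443]}],
                  "status": {"sources": ["shodan"], "totalRecords": 1}},
    "geoLocation": {"results": [], "status": {"sources": [], "totalRecords": 0}},
    "sources": {
        "asert": {"creds": True, "errors": '""', "success": True},
        "atlas": {"creds": True, "errors": '""', "success": True},
        "maxmind": {"creds": True, "errors": "timeout", "success": False},
        "riskiq": {"creds": False, "errors": '""', "success": False},
        "shodan": {"creds": True, "errors": '""', "success": True}}}}

def source_state(entry):
    """Classify one data.sources entry as ok, no-credentials or failed."""
    # The documented example returns "errors" as the literal string '""'.
    err = (entry.get("errors") or "").strip().strip('"')
    if not entry.get("creds"):
        return "no-credentials"
    if not entry.get("success"):
        return "failed: " + (err or "no error text")
    return "ok"

def flatten(results):
    # openPorts and geoLocation results are lists of {ip: value} objects.
    merged = {}
    for item in results:
        merged.update(item)
    return merged

def triage(response):
    """Return (source health, per-section verdict) for an Insights response."""
    data = response["data"]
    health = {name: source_state(e) for name, e in data["sources"].items()}
    report = {}
    for section, feeds in FEEDS.items():
        results = data.get(section, {}).get("results", [])
        down = [f for f in feeds if health.get(f, "missing") != "ok"]
        if results:
            verdict = "data"
        elif down:
            verdict = "inconclusive"  # empty, but a feeding source was unavailable
        else:
            verdict = "empty"  # every feeding source answered
        report[section] = {"records": len(results), "verdict": verdict, "unavailable": down}
    return health, report
```

An "inconclusive" verdict means the indicator should not be treated as unknown to that source until the token is configured or the error is resolved.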


CTI Configuration

GET /api/v1/configuration/cti
Responses 200
Headers
Content-Type: application/json
Body
{
  "message": "",
  "data": {
    "cti_token": "secret-cti-token",
    "passivetotal_token": "secret-passivetotal-token",
    "passivetotal_user": "you@my-company.com",
    "shodan_token": "secret-shodan-token"
  }
}
Schema
{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "type": "object",
  "properties": {
    "message": {
      "type": "string"
    },
    "data": {
      "type": "object",
      "properties": {
        "cti_token": {
          "type": "string",
          "description": "An API token that is provided by the Arbor Threat Intelligence Team (ASERT) for access to the Contextual Threat Intelligence API."
        },
        "passivetotal_token": {
          "type": "string",
          "description": "An API token that is provided by RiskIQ for access to PassiveTotal data."
        },
        "passivetotal_user": {
          "type": "string",
          "description": "The user name or email address that is required to access RiskIQ PassiveTotal."
        },
        "shodan_token": {
          "type": "string",
          "description": "An API token that is provided by Shodan for access to its data."
        }
      },
      "required": [
        "cti_token",
        "passivetotal_token",
        "passivetotal_user",
        "shodan_token"
      ]
    }
  },
  "required": [
    "message",
    "data"
  ]
}

Get CTI Configuration
GET /api/v1/configuration/cti

Retrieve the current Contextual Threat Intelligence configuration.


POST /api/v1/configuration/cti
Requests: Update configuration
Headers
Content-Type: application/json
Body
{
  "cti_token": "secret-cti-token",
  "passivetotal_token": "secret-passivetotal-token",
  "passivetotal_user": "you@my-company.com",
  "shodan_token": "secret-shodan-token"
}
Schema
{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "type": "object",
  "properties": {
    "cti_token": {
      "type": "string",
      "description": "An API token that is provided by the Arbor Threat Intelligence Team (ASERT) for access to the Contextual Threat Intelligence API."
    },
    "passivetotal_token": {
      "type": "string",
      "description": "An API token that is provided by RiskIQ for access to PassiveTotal data. You must obtain a PassiveTotal account."
    },
    "passivetotal_user": {
      "type": "string",
      "description": "The user name or email address that is required to access RiskIQ PassiveTotal. You must obtain a PassiveTotal account."
    },
    "shodan_token": {
      "type": "string",
      "description": "An API token that is provided by Shodan for access to its data. You must obtain a Shodan account."
    }
  }
}
Responses 200
Headers
Content-Type: application/json
Body
{
  "message": "Success!",
  "data": {}
}
Schema
{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "type": "object",
  "properties": {
    "message": {
      "type": "string"
    },
    "data": {
      "type": "object",
      "properties": {}
    }
  }
}

Update CTI Configuration
POST /api/v1/configuration/cti

Update the Contextual Threat Intelligence configuration. All fields are optional; however, some fields may be required for service functionality. For example, if you do not provide a CTI API token, then access to the Contextual Threat Intelligence Insights API is unavailable and the service is disabled.

Obtain accounts for RiskIQ PassiveTotal and Shodan, and then configure them during the Edge Defense Manager setup. NETSCOUT does not provide you with accounts for these services.

RiskIQ Registration

Shodan Registration
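
The following is an added example, not part of the Edge Defense Manager documentation. The documented GET /api/v1/configuration/cti response body carries the third-party token values, so this sketch masks them before the response is logged and reports which integrations are unconfigured. The sample response is constructed, and the impact text for the PassiveTotal and Shodan fields is an assumption inferred from the field descriptions.

```python
# Fields that are safe to show; every other field is masked (fail closed),
# including fields a later API version might add.
NON_SECRET = {"passivetotal_user"}

# Effect of a missing field. The cti_token entry is stated on the page; the
# others are inferred from the field descriptions (assumption).
IMPACT = {
    "cti_token": "Insights API unavailable, service disabled",
    "passivetotal_token": "no RiskIQ PassiveTotal data",
    "passivetotal_user": "no RiskIQ PassiveTotal data",
    "shodan_token": "no Shodan data",
}

def audit_cti_config(response):
    """Return (redacted_config, gaps) for a CTI configuration response."""
    cfg = response.get("data") or {}
    redacted, gaps = {}, {}
    # Walk the documented fields first, then anything unexpected in the body.
    for field in list(IMPACT) + [k for k in cfg if k not in IMPACT]:
        value = cfg.get(field)
        if not isinstance(value, str) or not value.strip():
            redacted[field] = None  # unset or blank
            if field in IMPACT:
                gaps[field] = IMPACT[field]
        elif field in NON_SECRET:
            redacted[field] = value
        else:
            redacted[field] = "<redacted>"
    return redacted, gaps

# Constructed response; the token values are placeholders, not real credentials.
SAMPLE = {"message": "", "data": {
    "cti_token": "",
    "passivetotal_token": "placeholder-pt-token",
    "passivetotal_user": "analyst@example.com",
    "shodan_token": "placeholder-shodan-token",
}}

if __name__ == "__main__":
    safe, gaps = audit_cti_config(SAMPLE)
    print("config:", safe)
    print("gaps:", gaps)
```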


Generated by aglio on 04 Dec 2020