Auto Thresholds

Get all threshold automaton configs

get

Returns all auto-threshold automaton configs configured for all DMs in a given customer.

Authorizations

AuthorizationstringRequired

Bearer authentication header of the form Bearer <token>.

Responses

200

List of threshold automaton configs for a customer

application/json

400

Bad Request. Typically due to a malformatted JSON body, or parameter values are not validating.

application/json

401

Access token is missing or invalid

application/json

403

Access is forbidden

application/json

default

Unknown Error Occurred

application/json

get

/api/v1/thresholder/automaton

GET /api/v1/thresholder/automaton HTTP/1.1
Host: api.netography.com
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*

{
  "meta": {
    "code": 200,
    "count": 1
  },
  "data": [
    {
      "customer": "xpertdns",
      "algorithm": "1ms0rryminer_detection",
      "data_interval": "1d",
      "data_lookback": "180d",
      "data_window": "1h",
      "disabled": false,
      "filters": [
        "text"
      ],
      "force_override": true,
      "high_sigma": 3,
      "med_sigma": 2,
      "low_sigma": 1,
      "strategy": "average",
      "thresholds": [
        [
          "avg(bits)"
        ]
      ],
      "track_by": [
        [
          "avg(bits)"
        ]
      ],
      "update_interval": "10m"
    }
  ]
}

Update threshold automaton config

post

Updates the auto-threshold automaton config for a given detection model.

Authorizations

AuthorizationstringRequired

Bearer authentication header of the form Bearer <token>.

Body

Threshold Automaton Create or Update Config

algorithmstringOptional

name of detection model

Example: 1ms0rryminer_detection

data_intervalstringOptional

defines the how specific a time frame the Threshold override produced by Auto Thresholding applies to.

Example: 1d

data_lookbackstringOptional

determines how many previous days aggregate data and Auto Thresholding configuration will use to generate Threshold overrides

Example: 180d

data_windowstringOptional

defines the period of over which values are aggregated for Track By aggregates.

Example: 1h

disabledbooleanOptional

disables auto-thresholding for the given automaton

Example: false

filtersstring[]Optional

force_overridebooleanOptional

optional, if set will override the default behavior preventing threshold values below the global average

Example: true

high_sigmanumberOptional

optional, number of standard deviations to use when calculating high-severity thresholds

Example: 3

med_sigmanumberOptional

optional, number of standard deviations to use when calculating medium-severity thresholds

Example: 2

low_sigmanumberOptional

optional, number of standard deviations to use when calculating low-severity thresholds

Example: 1

strategystringOptional

used to determine the default threshold, either uses the maximum or average of data values.

Example: average

thresholdsstring[]OptionalExample: ["avg(bits)"]

track_bystring[]Optional

values to aggregate data on, should match parent DM track-by fields.

Example: ["avg(bits)"]

update_intervalstringOptionalExample: 10m

Responses

200

Threshold Automaton config

application/json

400

Bad Request. Typically due to a malformatted JSON body, or parameter values are not validating.

application/json

401

Access token is missing or invalid

application/json

403

Access is forbidden

application/json

default

Unknown Error Occurred

application/json

post

/api/v1/thresholder/automaton

POST /api/v1/thresholder/automaton HTTP/1.1
Host: api.netography.com
Authorization: Bearer YOUR_SECRET_TOKEN
Content-Type: application/json
Accept: */*
Content-Length: 303

{
  "algorithm": "1ms0rryminer_detection",
  "data_interval": "1d",
  "data_lookback": "180d",
  "data_window": "1h",
  "disabled": false,
  "filters": [
    "text"
  ],
  "force_override": true,
  "high_sigma": 3,
  "med_sigma": 2,
  "low_sigma": 1,
  "strategy": "average",
  "thresholds": [
    [
      "avg(bits)"
    ]
  ],
  "track_by": [
    [
      "avg(bits)"
    ]
  ],
  "update_interval": "10m"
}

{
  "meta": {
    "code": 200,
    "count": 1
  },
  "data": {
    "customer": "xpertdns",
    "algorithm": "1ms0rryminer_detection",
    "data_interval": "1d",
    "data_lookback": "180d",
    "data_window": "1h",
    "disabled": false,
    "filters": [
      "text"
    ],
    "force_override": true,
    "high_sigma": 3,
    "med_sigma": 2,
    "low_sigma": 1,
    "strategy": "average",
    "thresholds": [
      [
        "avg(bits)"
      ]
    ],
    "track_by": [
      [
        "avg(bits)"
      ]
    ],
    "update_interval": "10m"
  }
}

Get threshold automaton config

get

Returns the auto-threshold automaton config for a detection model

Authorizations

AuthorizationstringRequired

Bearer authentication header of the form Bearer <token>.

Path parameters

algorithmstringRequired

The name of the detection model to fetch automaton config for

Responses

200

Threshold Automaton config

application/json

400

Bad Request. Typically due to a malformatted JSON body, or parameter values are not validating.

application/json

401

Access token is missing or invalid

application/json

403

Access is forbidden

application/json

default

Unknown Error Occurred

application/json

get

/api/v1/thresholder/automaton/{algorithm}

GET /api/v1/thresholder/automaton/{algorithm} HTTP/1.1
Host: api.netography.com
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*

{
  "meta": {
    "code": 200,
    "count": 1
  },
  "data": {
    "customer": "xpertdns",
    "algorithm": "1ms0rryminer_detection",
    "data_interval": "1d",
    "data_lookback": "180d",
    "data_window": "1h",
    "disabled": false,
    "filters": [
      "text"
    ],
    "force_override": true,
    "high_sigma": 3,
    "med_sigma": 2,
    "low_sigma": 1,
    "strategy": "average",
    "thresholds": [
      [
        "avg(bits)"
      ]
    ],
    "track_by": [
      [
        "avg(bits)"
      ]
    ],
    "update_interval": "10m"
  }
}

Delete automaton config

delete

Deletes the threshold automaton config for a given detection model

Authorizations

AuthorizationstringRequired

Bearer authentication header of the form Bearer <token>.

Path parameters

algorithmstringRequired

The name of the detection model to delete.

Responses

204

Empty Response

400

Bad Request. Typically due to a malformatted JSON body, or parameter values are not validating.

application/json

401

Access token is missing or invalid

application/json

403

Access is forbidden

application/json

default

Unknown Error Occurred

application/json

delete

/api/v1/thresholder/automaton/{algorithm}

DELETE /api/v1/thresholder/automaton/{algorithm} HTTP/1.1
Host: api.netography.com
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*

No content

Update threshold automaton config specific value

patch

Updates specific values in the auto-threshold automaton config for a given detection model.

Authorizations

AuthorizationstringRequired

Bearer authentication header of the form Bearer <token>.

Path parameters

algorithmstringRequired

The name of the detection model to update.

Body

objectOptional

Threshold Automaton Record

Responses

200

Threshold Automaton config

application/json

400

Bad Request. Typically due to a malformatted JSON body, or parameter values are not validating.

application/json

401

Access token is missing or invalid

application/json

403

Access is forbidden

application/json

default

Unknown Error Occurred

application/json

patch

/api/v1/thresholder/automaton/{algorithm}

PATCH /api/v1/thresholder/automaton/{algorithm} HTTP/1.1
Host: api.netography.com
Authorization: Bearer YOUR_SECRET_TOKEN
Content-Type: application/json
Accept: */*
Content-Length: 303

{
  "algorithm": "1ms0rryminer_detection",
  "data_interval": "1d",
  "data_lookback": "180d",
  "data_window": "1h",
  "disabled": false,
  "filters": [
    "text"
  ],
  "force_override": true,
  "high_sigma": 3,
  "med_sigma": 2,
  "low_sigma": 1,
  "strategy": "average",
  "thresholds": [
    [
      "avg(bits)"
    ]
  ],
  "track_by": [
    [
      "avg(bits)"
    ]
  ],
  "update_interval": "10m"
}

{
  "meta": {
    "code": 200,
    "count": 1
  },
  "data": {
    "customer": "xpertdns",
    "algorithm": "1ms0rryminer_detection",
    "data_interval": "1d",
    "data_lookback": "180d",
    "data_window": "1h",
    "disabled": false,
    "filters": [
      "text"
    ],
    "force_override": true,
    "high_sigma": 3,
    "med_sigma": 2,
    "low_sigma": 1,
    "strategy": "average",
    "thresholds": [
      [
        "avg(bits)"
      ]
    ],
    "track_by": [
      [
        "avg(bits)"
      ]
    ],
    "update_interval": "10m"
  }
}

Get track values

get

Returns auto-threshold track data for the given track

Authorizations

AuthorizationstringRequired

Bearer authentication header of the form Bearer <token>.

Path parameters

algorithmstringRequired

The name of the detection model to fetch track data for

trackstringRequired

The name of the track (group) to fetch data for

Query parameters

fromnumberRequired

Unix timestamp defining the start of the data range to query

tonumberRequired

Unix timestamp defining the end of the data range to query

Responses

200

List of track values for a given auto threshold

application/json

400

Bad Request. Typically due to a malformatted JSON body, or parameter values are not validating.

application/json

401

Access token is missing or invalid

application/json

403

Access is forbidden

application/json

default

Unknown Error Occurred

application/json

get

/api/v1/thresholder/automaton/{algorithm}/trackby/{track}

GET /api/v1/thresholder/automaton/{algorithm}/trackby/{track}?from=1&to=1 HTTP/1.1
Host: api.netography.com
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*

{
  "meta": {
    "code": 200,
    "count": 1
  },
  "data": [
    {
      "average": 5176,
      "deviation": 2741552.2677988047,
      "operation": "AVERAGE(bits)",
      "threshold": [
        {
          "level": "low",
          "value": 3028123.4945786856
        }
      ],
      "customer": "xpertdns",
      "group": "10.99.4.13",
      "algorithm": "1ms0rryminer_detection",
      "timestamp": 1725449961304
    }
  ]
}

PreviousSettings Security NextMITRE ATT&CK

Last updated 15 hours ago

Good night

Get all threshold automaton configs

Update threshold automaton config

Get threshold automaton config

Delete automaton config

Update threshold automaton config specific value

Get track values