Successful response indicates service reachability.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
| No Permissions Required | N/A |
Request
GET <psc-hostname>/threathunter/watchlistmgr/healthcheck
Responses
| Code | Description | content-type | Content |
|---|---|---|---|
| 204 | service is available | */* | None |
Create a new report or classifier watchlist. Unique watchlist ID will be generated by the service. Request must specify report or classifier but not both.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
threathunter.watchlists |
CREATE |
Request
POST <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/watchlists
| content-type | content |
|---|---|
| application/json | WatchlistV2 |
Responses
| code | description | content-type | content |
|---|---|---|---|
| 200 | Watchlist created. | application/json | WatchlistV2 |
| 400 | invalid watchlist request. | application/json | None |
Retrieve all watchlists owned by the caller.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
threathunter.watchlists |
READ |
Request
GET <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/watchlists
Responses
| code | description | content-type | content |
|---|---|---|---|
| 200 | Array of watchlists | application/json | {"results": [WatchlistV2]} |
Retrieve watchlist with watchlist_id.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
threathunter.watchlists |
READ |
Request
GET <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/watchlists/(watchlist_id)
Responses
| code | description | content-type | content |
|---|---|---|---|
| 200 | Return watchlist | application/json | WatchlistV2 |
| 400 | Unknown watchlist. | */* | None |
Update watchlist with watchlist_id. This will update the tags and alert status as well as any reports or classifiers attached to the watchlist. If a field is missing or null (ie tags_enabled) that field will not be updated. Cannot update report watchlist with empty report_ids list.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
threathunter.watchlists |
UPDATE |
Request
PUT <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/watchlists/(watchlist_id)
| content-type | content |
|---|---|
| application/json | WatchlistV2 |
Responses
| code | description | content-type | content |
|---|---|---|---|
| 200 | Return watchlist | application/json | WatchlistV2 |
| 400 | Unknown watchlist or malformed request. | */* | None |
Remove watchlist with watchlist_id. Existing hits for this watchlist will remain in the system.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
threathunter.watchlists |
DELETE |
Request
DELETE <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/watchlists/(watchlist_id)
Responses
| code | description | content-type | content |
|---|---|---|---|
| 204 | Watchlist deleted | */* | None |
| 400 | Unknown watchlist. | */* | None |
Retrieve alert status for watchlist with watchlist_id.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
threathunter.watchlists |
READ |
Request
GET <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/watchlists/(watchlist_id)/alert
Responses
| code | description | content-type | content |
|---|---|---|---|
| 200 | Returns alert status | application/json | {"alert": boolean*} |
Turn on alerts for watchlist with watchlist_id. This is not retroactive for existing watchlist hits. Future hits will trigger alerts.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
threathunter.watchlists |
READ |
Request
PUT <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/watchlists/(watchlist_id)/alert
Responses
| code | description | content-type | content |
|---|---|---|---|
| 200 | Returns alert status | application/json | {"alert": boolean*} |
| 400 | Unknown watchlist | */* | None |
Turn off alerts for watchlist with watchlist_id. This is not retroactive for existing watchlist alerts. Future hits will not trigger alerts.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
threathunter.watchlists |
DELETE |
Request
DELETE <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/watchlists/(watchlist_id)/alert
Responses
| code | description | content-type | content |
|---|---|---|---|
| 204 | Returns alert status | */* | None |
| 400 | Unknown watchlist | */* | None |
Request
GET <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/watchlists/(watchlist_id)/tag
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
threathunter.watchlists |
READ |
Responses
| code | description | content-type | content |
|---|---|---|---|
| 200 | Returns tag status | application/json | {"tag": boolean*} |
Turn on tagging for watchlist with watchlist_id. This is not retroactive for existing watchlist matches. Future matches will trigger event tagging.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
threathunter.watchlists |
UPDATE |
Request
PUT <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/watchlists/(watchlist_id)/tag
Responses
| code | description | content-type | content |
|---|---|---|---|
| 200 | Returns tag status | application/json | {"tag": boolean*} |
| 400 | Unknown watchlist | */* | None |
Turn off tagging for watchlist with watchlist_id. This is not retroactive for existing watchlist tags. Future matches will not trigger event tagging.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
threathunter.watchlists |
DELETE |
Request
DELETE <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/watchlists/(watchlist_id)/tag
Responses
| code | description | content-type | content |
|---|---|---|---|
| 204 | Tagging stopped | */* | None |
| 400 | Unknown watchlist | */* | None |
Get current ignore status for report with report_id.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
threathunter.watchlists |
READ |
Request
GET <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/reports/(report_id)/ignore
Responses
| code | description | content-type | content |
|---|---|---|---|
| 200 | Returns ignore status | application/json | {"ignored": boolean*} |
Report with report_id and all contained IOCs will not match future events for any watchlist.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
threathunter.watchlists |
UPDATE |
Request
PUT <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/reports/(report_id)/ignore
Responses
| code | description | content-type | content |
|---|---|---|---|
| 200 | Returns ignore status | application/json | {"ignored": boolean*} |
Report with report_id and all contained IOCs will match future events for all watchlists. This is not retroactive for events that occured while the report was ignored.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
threathunter.watchlists |
DELETE |
Request
DELETE <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/reports/(report_id)/ignore
Responses
| code | description | content-type | content |
|---|---|---|---|
| 204 | Report is active | */* | None |
| 400 | Unknown report | */* | None |
Get current ignore status for IOC ioc_id in report report_id.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
threathunter.watchlists |
READ |
Request
GET <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/reports/(report_id)/iocs/(ioc_id)/ignore
Responses
| code | description | content-type | content |
|---|---|---|---|
| 200 | Returns ignore status | application/json | {"ignored": boolean*} |
IOC ioc_id for report report_id will not match future events for any watchlist.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
threathunter.watchlists |
UPDATE |
Request
PUT <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/reports/(report_id)/iocs/(ioc_id)/ignore
Responses
| code | description | content-type | content |
|---|---|---|---|
| 200 | Returns ignore status | application/json | {"ignored": boolean*} |
IOC ioc_id for report report_id and will match future events for all watchlists. This is not retroactive for events that occured while the IOC was ignored.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
threathunter.watchlists |
DELETE |
Request
DELETE <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/reports/(report_id)/iocs/(ioc_id)/ignore
Responses
| code | description | content-type | content |
|---|---|---|---|
| 204 | Ignore removed - IOC is active | */* | None |
| 400 | Unknown report/ioc | */* | None |
Return all custom report severities. Custom report severities effect all watchlists.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
threathunter.watchlists |
READ |
Request
GET <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/reports/severity
Responses
| code | description | content-type | content |
|---|---|---|---|
| 200 | Returns list of report severities | application/json | {"results": [ReportSeverity]} |
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
threathunter.watchlists |
READ |
Return custom severity for report_id. This will return 404 error if custom severity doesn’t exist.
Request
GET <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/reports/(report_id)/severity
Responses
| code | description | content-type | content |
|---|---|---|---|
| 200 | Returns severity. (null if not set) | application/json | ReportSeverity |
| 404 | No override for report | */* | None |
Adjust the severity of report with report_id. This will effect all watchlists.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
threathunter.watchlists |
UPDATE |
Request
PUT <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/reports/(report_id)/severity
Responses
| code | description | content-type | content |
|---|---|---|---|
| 200 | Returns severity. | application/json | ReportSeverity |
Remove custom severity for report with report_id.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
threathunter.watchlists |
DELETE |
Request
DELETE <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/reports/(report_id)/severity
Responses
| code | description | content-type | content |
|---|---|---|---|
| 204 | Severity override removed | */* | None |
Add a new watchlist report. This service will generate a unique report id. This report will be private to the caller. IOCs will be converted to IOC_V2.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
threathunter.watchlists |
CREATE |
Request
POST <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/reports
| content-type | content |
|---|---|
| application/json | Report |
Responses
| code | description | content-type | content |
|---|---|---|---|
| 200 | Report created | application/json | Report |
| 400 | invalid report request. | */* | None |
Update report with report_id. This will replace all fields in the report. Any fields not provided in the request will be remove from the report. All IOCs will be converted to IOC_V2. The report must be owned by the caller.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
threathunter.watchlists |
UPDATE |
Request
PUT <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/reports/(report_id)
| content-type | content |
|---|---|
| application/json | Report |
Responses
| code | description | content-type | content |
|---|---|---|---|
| 200 | Report updated | application/json | Report |
| 400 | invalid report request. | */* | None |
| 404 | report id not found | */* | None |
Retrieve report with report_id. The report must be owned by the caller.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
threathunter.watchlists |
READ |
Request
GET <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/reports/(report_id)
Responses
| code | description | content-type | content |
|---|---|---|---|
| 200 | Report | application/json | Report |
| 404 | report id not found | */* | None |
Remove report with report_id. The report must be owned by the caller.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
threathunter.watchlists |
DELETE |
Request
DELETE <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/reports/(report_id)
Responses
| code | description | content-type | content |
|---|---|---|---|
| 204 | Report deleted | */* | None |
| 404 | report id not found | */* | None |
Get current ignore status for report and embedded IOCs in provided list of comma-separated report_ids. report_ids can be a single id.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
threathunter.watchlists |
READ |
Request
GET <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/reports/(report_ids)/ignore/bulk
Responses
| code | description | content-type | content |
|---|---|---|---|
| 200 | Return list of ignored states | application/json | {"results": [ReportIOCIgnore]} |
All reports and IOCs as defined in the ReportIOCIgnore list with ignore=True will not match future events for any watchlist. All items with ignore=False will enable matching on future events. A ReportIOCIgnore that does not define an ioc_id will effect the entire report (all IOCs).
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
threathunter.watchlists |
UPDATE |
Request
PUT <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/reports/ignore/bulk
| content-type | content |
|---|---|
| application/json | ReportIOCIgnoreList |
Responses
| code | description | content-type | content |
|---|---|---|---|
| 200 | Returns ignore status array | application/json | ReportIOCIgnoreList |
Returns hits and executions for watchlists over the provided intervals. By default will return telemetry aggregated over the past hour. Include comma seperated list of intervals in minutes as query param intervals to aggregate over different ranges, eg intervals=1440,10080,43200.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
threathunter.watchlists |
READ |
Request
GET <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/watchlists/(watchlist_ids)/telemetry
Responses
| code | description | content-type | content |
|---|---|---|---|
| 200 | Returns array of telemetry objects for provided intervals | application/json | WatchlistTelemetryList |
NOTE: fields with ‘*’ are required
{"id": str*,
"timestamp": int*,
"title": str*,
"description": str*,
"severity": int*,
"link": str,
"tags": [str],
"iocs": IOCs,
"iocs_v2": [IOC_V2],
"visibility": str}
{"md5": [str],
"ipv4": [str],
"ipv6": [str],
"dns": [str],
"query": [QueryIOC]}
{"id": str*,
"match_type": str*,
"values": [str]*,
"field": str,
"link": str}
{"index_type": str,
"search_query": str*}
{"report_id": str*,
"severity": int*}
{"name": str*,
"classifier_key": str*,
"classifier_value": str*,
"description": str,
"watchlist_id": str,
"tags_enabled": bool,
"alerts_enabled": bool,
"create_timestamp": int,
"last_update_timestamp": int}
{"name": str*,
"report_ids": [str]*,
"description": str,
"watchlist_id": str,
"tags_enabled": bool,
"alerts_enabled": bool,
"create_timestamp": int,
"last_update_timestamp": int}
{"classifier": ClassifierWatchlist,
"report": ReportWatchlist}
{"key": str*,
"value": str*}
{"name": str*,
"description": str,
"id": str,
"tags_enabled": bool,
"alerts_enabled": bool,
"create_timestamp": int,
"last_update_timestamp": int,
"report_ids": [str],
"classifier": ClassifierKeyValue}
{"ignore": bool*,
"report_id": str*,
"ioc_id": str}
{"ignores": [ReportIOCIgnore]*}
{"watchlist_id": str*,
"interval": int*,
"hits": int*,
"executions": int*}
{"telemetry": [WatchlistTelemetry]*}