Watchlist API Definition
Note: <psc-hostname> is the base URL of your PSC instance. Parenthesised path segments such as (org_key), (watchlist_id) and (report_id) are placeholders to be substituted by the caller.
Successful response indicates service reachability.
Request
GET <psc-hostname>/threathunter/watchlistmgr/healthcheck
Responses
code | description | content-type | content |
---|---|---|---|
204 | service is available | */* | None |
Create a new report or classifier watchlist. A unique watchlist ID is generated by the service. The request must specify either report_ids or classifier, but not both.
Request
POST <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/watchlists
content-type | content |
---|---|
application/json | WatchlistV2 |
Responses
code | description | content-type | content |
---|---|---|---|
200 | Watchlist created. | application/json | WatchlistV2 |
400 | invalid watchlist request. | application/json | None |
Retrieve all watchlists owned by the caller.
Request
GET <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/watchlists
Responses
code | description | content-type | content |
---|---|---|---|
200 | Array of watchlists | application/json | {"results": [WatchlistV2]} |
Retrieve the watchlist with watchlist_id.
Request
GET <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/watchlists/(watchlist_id)
Responses
code | description | content-type | content |
---|---|---|---|
200 | Return watchlist | application/json | WatchlistV2 |
400 | Unknown watchlist. | */* | None |
Update the watchlist with watchlist_id. This updates the tag and alert settings as well as any reports or classifier attached to the watchlist. A field that is missing or null (e.g. tags_enabled) is left unchanged. A report watchlist cannot be updated with an empty report_ids list.
Request
PUT <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/watchlists/(watchlist_id)
content-type | content |
---|---|
application/json | WatchlistV2 |
Responses
code | description | content-type | content |
---|---|---|---|
200 | Return watchlist | application/json | WatchlistV2 |
400 | Unknown watchlist or malformed request. | */* | None |
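The create and update rules above are easy to get wrong from a script: sending both report_ids and a classifier, sending an empty report_ids list, or sending null for a field you meant to leave alone. The following Python is an added example, not code from this page or from the Carbon Black product; it mirrors those rules client-side and wraps healthcheck, create, get and update in a small client. The transport is injectable so the block runs offline against a constructed in-memory fake; the X-Auth-Token header format, the hostname, the org key and all ids are assumptions, not values taken from the page.

```python
import json
from urllib.error import HTTPError
from urllib.request import Request, urlopen


class WatchlistError(ValueError):
    """A body the service would reject with 400, or a non-2xx reply."""


def validate_watchlist_create(body):
    """Create rule: name is required, and exactly one of a non-empty
    report_ids list or a classifier {key, value} must be present."""
    if not body.get("name"):
        raise WatchlistError("name is required")
    clf = body.get("classifier")
    if bool(body.get("report_ids")) == (clf is not None):
        raise WatchlistError("specify report_ids or classifier, but not both")
    if clf is not None and not (clf.get("key") and clf.get("value")):
        raise WatchlistError("classifier needs both key and value")
    return body


def build_watchlist_update(current, changes):
    """PUT body for an existing watchlist: missing/null fields are left out so
    the service keeps them; an empty report_ids list is rejected up front."""
    body = {k: v for k, v in changes.items() if v is not None}
    if "report_ids" in body and not body["report_ids"]:
        raise WatchlistError("cannot update a report watchlist with an empty report_ids list")
    body.setdefault("name", current["name"])  # name is required in WatchlistV2
    return body


class WatchlistClient:
    """Minimal client for the v3 watchlist endpoints. `transport` is a callable
    (method, url, headers, body) -> (status, payload); the default uses urllib."""

    def __init__(self, psc_hostname, org_key, api_id, api_secret, transport=None):
        self.base = psc_hostname.rstrip("/") + "/threathunter/watchlistmgr"
        self.org = org_key
        # Assumption: Carbon Black Cloud API keys are sent as X-Auth-Token
        # "<secret>/<id>"; the page itself does not document the auth header.
        self.headers = {"X-Auth-Token": f"{api_secret}/{api_id}",
                        "Content-Type": "application/json"}
        self.transport = transport or self._urllib_transport

    @staticmethod
    def _urllib_transport(method, url, headers, body):
        data = json.dumps(body).encode() if body is not None else None
        try:
            with urlopen(Request(url, data=data, headers=headers, method=method)) as resp:
                raw = resp.read()
                return resp.status, (json.loads(raw) if raw else None)
        except HTTPError as err:  # surface 4xx/5xx as a status, not an exception
            return err.code, err.read().decode(errors="replace") or None

    def _call(self, method, path, body=None, ok=(200,)):
        status, payload = self.transport(method, self.base + path, self.headers, body)
        if status not in ok:
            raise WatchlistError(f"{method} {path} -> HTTP {status}: {payload}")
        return payload

    def healthcheck(self):
        return self._call("GET", "/healthcheck", ok=(204,)) is None

    def create_watchlist(self, body):
        return self._call("POST", f"/v3/orgs/{self.org}/watchlists",
                          validate_watchlist_create(body))

    def update_watchlist(self, watchlist_id, changes):
        path = f"/v3/orgs/{self.org}/watchlists/{watchlist_id}"
        current = self._call("GET", path)
        return self._call("PUT", path, build_watchlist_update(current, changes))


def fake_service():
    """Constructed in-memory stand-in for the service (not real API output)."""
    store = {}

    def transport(method, url, headers, body):
        path = url.split("/threathunter/watchlistmgr", 1)[1]
        if path == "/healthcheck":
            return 204, None
        if method == "POST" and path.endswith("/watchlists"):
            wl = {"id": f"wl-{len(store) + 1}", "tags_enabled": False,
                  "alerts_enabled": False, **body}
            store[wl["id"]] = wl
            return 200, dict(wl)
        wl = store.get(path.rsplit("/", 1)[-1])
        if wl is None:
            return 400, "Unknown watchlist"
        if method == "PUT":
            wl.update(body)
        return 200, dict(wl)
    return transport


def demo():
    client = WatchlistClient("https://defense.example.test", "ORG123", "api-id",
                             "api-secret", transport=fake_service())
    created = client.create_watchlist({"name": "Suspicious LOLBin use", "report_ids": ["rpt-1"]})
    # tags_enabled=None is dropped from the body, so it stays False server-side
    updated = client.update_watchlist(created["id"], {"alerts_enabled": True, "tags_enabled": None})
    return created, updated
```

Against a live tenant, drop the `transport` argument and the client talks to `<psc-hostname>` with urllib; `_call` raises on anything outside the documented success codes so a 400 never passes silently as an empty result.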
Remove the watchlist with watchlist_id. Existing hits for this watchlist remain in the system.
Request
DELETE <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/watchlists/(watchlist_id)
Responses
code | description | content-type | content |
---|---|---|---|
204 | Watchlist deleted | */* | None |
400 | Unknown watchlist. | */* | None |
Retrieve the alert status for the watchlist with watchlist_id.
Request
GET <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/watchlists/(watchlist_id)/alert
Responses
code | description | content-type | content |
---|---|---|---|
200 | Returns alert status | application/json | {"alert": boolean*} |
Turn on alerts for the watchlist with watchlist_id. This is not retroactive for existing watchlist hits; future hits will trigger alerts.
Request
PUT <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/watchlists/(watchlist_id)/alert
Responses
code | description | content-type | content |
---|---|---|---|
200 | Returns alert status | application/json | {"alert": boolean*} |
400 | Unknown watchlist | */* | None |
Turn off alerts for the watchlist with watchlist_id. This is not retroactive for existing alerts; future hits will not trigger alerts.
Request
DELETE <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/watchlists/(watchlist_id)/alert
Responses
code | description | content-type | content |
---|---|---|---|
204 | Alerts stopped | */* | None |
400 | Unknown watchlist | */* | None |
Retrieve the tagging status for the watchlist with watchlist_id.
Request
GET <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/watchlists/(watchlist_id)/tag
Responses
code | description | content-type | content |
---|---|---|---|
200 | Returns tag status | application/json | {"tag": boolean*} |
Turn on tagging for the watchlist with watchlist_id. This is not retroactive for existing watchlist matches; future matches will trigger event tagging.
Request
PUT <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/watchlists/(watchlist_id)/tag
Responses
code | description | content-type | content |
---|---|---|---|
200 | Returns tag status | application/json | {"tag": boolean*} |
400 | Unknown watchlist | */* | None |
Turn off tagging for the watchlist with watchlist_id. This is not retroactive for existing tags; future matches will not trigger event tagging.
Request
DELETE <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/watchlists/(watchlist_id)/tag
Responses
code | description | content-type | content |
---|---|---|---|
204 | Tagging stopped | */* | None |
400 | Unknown watchlist | */* | None |
Get the current ignore status for the report with report_id.
Request
GET <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/reports/(report_id)/ignore
Responses
code | description | content-type | content |
---|---|---|---|
200 | Returns ignore status | application/json | {"ignored": boolean*} |
Ignore the report with report_id. The report and all contained IOCs will not match future events for any watchlist.
Request
PUT <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/reports/(report_id)/ignore
Responses
code | description | content-type | content |
---|---|---|---|
200 | Returns ignore status | application/json | {"ignored": boolean*} |
Stop ignoring the report with report_id. The report and all contained IOCs will again match future events for all watchlists. This is not retroactive for events that occurred while the report was ignored.
Request
DELETE <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/reports/(report_id)/ignore
Responses
code | description | content-type | content |
---|---|---|---|
204 | Report is active | */* | None |
400 | Unknown report | */* | None |
Get the current ignore status for IOC ioc_id in report report_id.
Request
GET <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/reports/(report_id)/iocs/(ioc_id)/ignore
Responses
code | description | content-type | content |
---|---|---|---|
200 | Returns ignore status | application/json | {"ignored": boolean*} |
Ignore IOC ioc_id in report report_id. It will not match future events for any watchlist.
Request
PUT <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/reports/(report_id)/iocs/(ioc_id)/ignore
Responses
code | description | content-type | content |
---|---|---|---|
200 | Returns ignore status | application/json | {"ignored": boolean*} |
Stop ignoring IOC ioc_id in report report_id. It will again match future events for all watchlists. This is not retroactive for events that occurred while the IOC was ignored.
Request
DELETE <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/reports/(report_id)/iocs/(ioc_id)/ignore
Responses
code | description | content-type | content |
---|---|---|---|
204 | Ignore removed - IOC is active | */* | None |
400 | Unknown report/ioc | */* | None |
Return all custom report severities. Custom report severities affect all watchlists.
Request
GET <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/reports/severity
Responses
code | description | content-type | content |
---|---|---|---|
200 | Returns list of report severities | application/json | {"results": [ReportSeverity]} |
Return the custom severity for report_id. This returns a 404 if no custom severity exists.
Request
GET <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/reports/(report_id)/severity
Responses
code | description | content-type | content |
---|---|---|---|
200 | Returns severity. (null if not set) | application/json | ReportSeverity |
404 | No override for report | */* | None |
Adjust the severity of the report with report_id. This affects all watchlists.
Request
PUT <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/reports/(report_id)/severity
Responses
code | description | content-type | content |
---|---|---|---|
200 | Returns severity. | application/json | ReportSeverity |
Remove the custom severity for the report with report_id.
Request
DELETE <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/reports/(report_id)/severity
Responses
code | description | content-type | content |
---|---|---|---|
204 | Severity override removed | */* | None |
Add a new watchlist report. This service will generate a unique report id. This report will be private to the caller. IOCs will be converted to IOC_V2.
Request
POST <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/reports
content-type | content |
---|---|
application/json | Report |
Responses
code | description | content-type | content |
---|---|---|---|
200 | Report created | application/json | Report |
400 | invalid report request. | */* | None |
Update the report with report_id. This replaces all fields in the report: any field not provided in the request is removed from the report. All IOCs are converted to IOC_V2. The report must be owned by the caller.
Request
PUT <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/reports/(report_id)
content-type | content |
---|---|
application/json | Report |
Responses
code | description | content-type | content |
---|---|---|---|
200 | Report updated | application/json | Report |
400 | invalid report request. | */* | None |
404 | report id not found | */* | None |
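Two points from the create and update passages above deserve code: the Report body must carry every required field (and each IOC_V2 entry its own), and PUT replaces the whole report, so an update that omits tags, link or iocs_v2 silently deletes them. The following Python is an added example, not code from this page or from the product: it validates a Report that uses IOC_V2 directly, shows which fields a naive PUT body would erase, and builds a merge-based update that keeps them. The sample report, its identifiers and the IOC field name are constructed assumptions.

```python
import time

REQUIRED_REPORT = ("id", "timestamp", "title", "description", "severity")
REQUIRED_IOC_V2 = ("id", "match_type", "values")


def validate_report(report):
    """Check the Report's required fields and every IOC_V2 entry before a POST or PUT."""
    missing = [f for f in REQUIRED_REPORT if report.get(f) is None]
    if missing:
        raise ValueError(f"report missing required fields: {missing}")
    seen = set()
    for ioc in report.get("iocs_v2", []):
        missing = [f for f in REQUIRED_IOC_V2 if not ioc.get(f)]
        if missing:
            raise ValueError(f"IOC {ioc.get('id')!r} missing {missing}")
        if ioc["id"] in seen:
            raise ValueError(f"duplicate IOC id {ioc['id']!r}")
        seen.add(ioc["id"])
    return report


def new_report(report_id, title, description, severity, iocs_v2, tags=(), link=None):
    """Build a Report body that uses IOC_V2 directly, leaving nothing to server-side conversion."""
    report = {"id": report_id, "timestamp": int(time.time()),  # assumption: epoch seconds
              "title": title, "description": description, "severity": int(severity),
              "tags": list(tags), "iocs_v2": list(iocs_v2)}
    if link:
        report["link"] = link
    return validate_report(report)


def fields_dropped_by(current, body):
    """PUT replaces the whole report: the fields of the stored report that `body` would erase."""
    return {k for k in current if body.get(k) is None}


def merge_report_update(current, changes):
    """Safe PUT body: overlay the changes on the stored report so tags, link and
    untouched IOCs survive. Null changes are dropped rather than sent."""
    body = dict(current)
    body.update({k: v for k, v in changes.items() if v is not None})
    return validate_report(body)


def add_iocs(current, new_iocs):
    """Append IOC_V2 entries to a report without losing the ones already there."""
    merged = {i["id"]: i for i in current.get("iocs_v2", [])}
    for ioc in new_iocs:
        if ioc["id"] in merged:
            raise ValueError(f"IOC id {ioc['id']!r} already present")
        merged[ioc["id"]] = ioc
    return merge_report_update(current, {"iocs_v2": list(merged.values())})


# Constructed sample (not real threat data). The IOC "field" value is an assumption;
# the page only says the field is an optional string.
SAMPLE_REPORT = new_report(
    "rpt-c2-domains", "Known C2 domains", "Domains seen in beaconing traffic", 8,
    [{"id": "ioc-dom-1", "match_type": "equality", "field": "netconn_domain",
      "values": ["c2.example.invalid"]}],
    tags=["c2", "network"], link="https://intel.example.test/rpt-c2-domains")
```

Before any PUT, run `fields_dropped_by(stored, body)` and refuse to send if the set is non-empty unless the removal is intended; that one check catches the most common way a script quietly strips IOCs from a report.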
Retrieve the report with report_id. The report must be owned by the caller.
Request
GET <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/reports/(report_id)
Responses
code | description | content-type | content |
---|---|---|---|
200 | Report | application/json | Report |
404 | report id not found | */* | None |
Remove the report with report_id. The report must be owned by the caller.
Request
DELETE <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/reports/(report_id)
Responses
code | description | content-type | content |
---|---|---|---|
204 | Report deleted | */* | None |
404 | report id not found | */* | None |
Get the current ignore status for the reports, and their embedded IOCs, in the comma-separated list report_ids. report_ids can be a single id.
Request
GET <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/reports/(report_ids)/ignore/bulk
Responses
code | description | content-type | content |
---|---|---|---|
200 | Return list of ignored states | application/json | {"results": [ReportIOCIgnore]} |
All reports and IOCs listed in the ReportIOCIgnore list with ignore=True will not match future events for any watchlist; all items with ignore=False will enable matching on future events. A ReportIOCIgnore that does not define an ioc_id affects the entire report (all IOCs).
Request
PUT <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/reports/ignore/bulk
content-type | content |
---|---|
application/json | ReportIOCIgnoreList |
Responses
code | description | content-type | content |
---|---|---|---|
200 | Returns ignore status array | application/json | ReportIOCIgnoreList |
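As an added example (not code from this page or from the product), the following Python builds the ReportIOCIgnoreList body and the comma-separated bulk GET path described above, and keeps a small local model of the ignore semantics so a script can compute only the entries that actually need to change before sending a bulk PUT. All identifiers are constructed; the one point the page leaves open (whether un-ignoring a report also clears per-IOC ignores) is marked as an assumption in the code.

```python
from urllib.parse import quote


def build_ignore_list(entries):
    """entries: iterable of (report_id, ioc_id or None, ignore) -> ReportIOCIgnoreList body.
    An entry without ioc_id applies to the whole report (all of its IOCs)."""
    ignores = []
    for report_id, ioc_id, ignore in entries:
        if not report_id:
            raise ValueError("report_id is required")
        item = {"report_id": report_id, "ignore": bool(ignore)}
        if ioc_id is not None:
            item["ioc_id"] = ioc_id
        ignores.append(item)
    return {"ignores": ignores}


def bulk_status_path(org_key, report_ids):
    """Path for the bulk GET. Ids are joined with commas inside a path segment, so an id
    containing a comma or slash cannot be addressed this way and is rejected rather than
    silently split into the wrong ids."""
    ids = list(dict.fromkeys(report_ids))  # drop duplicates, keep order
    if not ids:
        raise ValueError("at least one report_id is required")
    for rid in ids:
        if "," in rid or "/" in rid:
            raise ValueError(f"report id {rid!r} cannot be used in a bulk path")
    joined = ",".join(quote(rid, safe="") for rid in ids)
    return f"/v3/orgs/{quote(org_key, safe='')}/reports/{joined}/ignore/bulk"


class IgnoreState:
    """Local model of the ignore semantics. A report-level ignore covers every IOC in the
    report; IOC-level entries only matter while the report itself is not ignored.
    Assumption: per-IOC ignores persist across a report-level un-ignore (the page does
    not say), so they are kept here as separate state."""

    def __init__(self):
        self.report = {}
        self.ioc = {}

    def apply(self, items):
        """Apply ReportIOCIgnore objects, from a PUT body or from the bulk GET "results"."""
        for item in items:
            if "ioc_id" in item:
                self.ioc[(item["report_id"], item["ioc_id"])] = bool(item["ignore"])
            else:
                self.report[item["report_id"]] = bool(item["ignore"])
        return self

    def is_ignored(self, report_id, ioc_id=None):
        if self.report.get(report_id, False):
            return True
        return ioc_id is not None and self.ioc.get((report_id, ioc_id), False)

    def diff_against(self, desired):
        """Entries of desired [(report_id, ioc_id or None, ignore)] whose state differs
        from the current one, so the bulk PUT carries only real changes."""
        return [(r, i, ig) for r, i, ig in desired if self.is_ignored(r, i) != bool(ig)]
```

Typical use: fetch the current state with `bulk_status_path(...)`, feed the `results` array to `IgnoreState().apply(...)`, then `build_ignore_list(state.diff_against(desired))` is the body for the bulk PUT.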
Returns hits and executions for the watchlists over the provided intervals. By default it returns telemetry aggregated over the past hour. Include a comma-separated list of intervals in minutes as the query parameter intervals to aggregate over different ranges, e.g. intervals=1440,10080,43200.
Request
GET <psc-hostname>/threathunter/watchlistmgr/v3/orgs/(org_key)/watchlists/(watchlist_ids)/telemetry
Responses
code | description | content-type | content |
---|---|---|---|
200 | Returns array of telemetry objects for provided intervals | application/json | WatchlistTelemetryList |
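As an added example (not code from this page or from the product), the following Python builds the telemetry path with the intervals query parameter and summarises the WatchlistTelemetryList it returns, flagging the three conditions an operator checks for: a watchlist that has stopped executing, one that executes but never hits (stale or fully ignored IOCs), and one that hits so often it needs tuning. The sample telemetry and the noise threshold are constructed assumptions.

```python
DEFAULT_INTERVALS = (1440, 10080, 43200)  # 1, 7 and 30 days in minutes, as in the doc's example


def telemetry_path(org_key, watchlist_ids, intervals=DEFAULT_INTERVALS):
    """Path plus query string for the telemetry call; ids are de-duplicated and
    intervals validated, since a bad interval is easy to lose in a 400 body."""
    ids = list(dict.fromkeys(watchlist_ids))
    if not ids:
        raise ValueError("at least one watchlist id is required")
    mins = sorted({int(i) for i in intervals})
    if not mins or mins[0] <= 0:
        raise ValueError("intervals must be positive minutes")
    query = ",".join(str(m) for m in mins)
    return f"/v3/orgs/{org_key}/watchlists/{','.join(ids)}/telemetry?intervals={query}"


def summarize_telemetry(telemetry_list, noisy_hits_per_run=50.0):
    """Group WatchlistTelemetry entries by watchlist and flag: stalled (no executions in
    the longest interval), flatlined (executes but never hits in any interval) and noisy
    (hits per run above the threshold). The threshold is a constructed default."""
    per_wl = {}
    for t in telemetry_list["telemetry"]:
        per_wl.setdefault(t["watchlist_id"], {})[int(t["interval"])] = (int(t["hits"]),
                                                                         int(t["executions"]))
    summary = {}
    for wl_id, by_interval in per_wl.items():
        hits, execs = by_interval[max(by_interval)]
        summary[wl_id] = {
            "hits_per_run": {iv: (h / e if e else None) for iv, (h, e) in by_interval.items()},
            "stalled": execs == 0,
            "flatlined": execs > 0 and all(h == 0 for h, _ in by_interval.values()),
            "noisy": execs > 0 and hits / execs > noisy_hits_per_run,
        }
    return summary


# Constructed sample response (not real telemetry).
SAMPLE_TELEMETRY = {"telemetry": [
    {"watchlist_id": "wl-1", "interval": 1440, "hits": 3, "executions": 288},
    {"watchlist_id": "wl-1", "interval": 10080, "hits": 20, "executions": 2016},
    {"watchlist_id": "wl-2", "interval": 1440, "hits": 0, "executions": 0},
    {"watchlist_id": "wl-2", "interval": 10080, "hits": 0, "executions": 0},
    {"watchlist_id": "wl-3", "interval": 1440, "hits": 40000, "executions": 288},
    {"watchlist_id": "wl-4", "interval": 1440, "hits": 0, "executions": 288},
]}
```

A stalled watchlist is a detection gap rather than a quiet day, so it is worth alerting on from a scheduled job; the flatlined and noisy flags are inputs to tuning, not alerts by themselves.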
NOTE: fields with ‘*’ are required
Report
{"id": str*,
"timestamp": int*,
"title": str*,
"description": str*,
"severity": int*,
"link": str,
"tags": [str],
"iocs": IOCs,
"iocs_v2": [IOC_V2],
"visibility": str}
IOCs
{"md5": [str],
"ipv4": [str],
"ipv6": [str],
"dns": [str],
"query": [QueryIOC]}
IOC_V2
{"id": str*,
"match_type": str*,
"values": [str]*,
"field": str,
"link": str}
QueryIOC
{"index_type": str,
"search_query": str*}
ReportSeverity
{"report_id": str*,
"severity": int*}
ClassifierWatchlist
{"name": str*,
"classifier_key": str*,
"classifier_value": str*,
"description": str,
"watchlist_id": str,
"tags_enabled": bool,
"alerts_enabled": bool,
"create_timestamp": int,
"last_update_timestamp": int}
ReportWatchlist
{"name": str*,
"report_ids": [str]*,
"description": str,
"watchlist_id": str,
"tags_enabled": bool,
"alerts_enabled": bool,
"create_timestamp": int,
"last_update_timestamp": int}
Watchlist (pre-V2 wrapper holding one of classifier or report)
{"classifier": ClassifierWatchlist,
"report": ReportWatchlist}
ClassifierKeyValue
{"key": str*,
"value": str*}
WatchlistV2
{"name": str*,
"description": str,
"id": str,
"tags_enabled": bool,
"alerts_enabled": bool,
"create_timestamp": int,
"last_update_timestamp": int,
"report_ids": [str],
"classifier": ClassifierKeyValue}
ReportIOCIgnore
{"ignore": bool*,
"report_id": str*,
"ioc_id": str}
ReportIOCIgnoreList
{"ignores": [ReportIOCIgnore]*}
WatchlistTelemetry
{"watchlist_id": str*,
"interval": int*,
"hits": int*,
"executions": int*}
WatchlistTelemetryList
{"telemetry": [WatchlistTelemetry]*}