
Creating triage filters using the REST API

Cognito Triage Filters can be viewed, created, and modified through the public API. In this article, we will explore an example of creating a new triage filter using the public API. Full public API documentation is available on the Resources page of the Cognito user interface.

In the following example, we will create a triage filter that applies to a specific host, which we will reference by its ID. In this case the ID is 3345. The ID can be obtained from the API (https://<cognito_brain_IP>/api/v2/hosts) or by looking at the full URL for a host and noting the ID at the end of the URL (https://<cognito_brain_IP>/hosts/3345).

Triage filters can be applied to hosts, IPs/subnets, or all hosts. Only one of these options should be provided in a single filter. Hence, if the intent is to triage on hosts, it will not be possible to also triage based on IP/subnet in the same triage filter.

Examples of each:
"host": [3345, 3350]   # applies to the hosts with IDs 3345 and 3350
"ip": ["192.168.1.1"]
"all_hosts": true

In this example, we are going to create a triage filter that reclassifies a "Brute-Force Attack" in the "LATERAL MOVEMENT" category, of type "ssh", that is targeting the 10.1.1.0/24 and 10.1.2.0/24 subnets. When creating a triage filter, the detection_category and detection name must be provided exactly as documented in the Understanding Vectra AI document available on the Resources page of the Cognito UI.

Posting to the Triage API is only available in the second generation of the API (v2) and hence requires the use of the API token, which can be obtained via the Cognito UI. The API token can be copied from the ‘My Profile’ section in the Vectra UI.

Following is an example of using the curl utility to create a triage filter. The string supplied for triage_category is the new category type that the detection will be reclassified as.

Specifying that the filter is a whitelist ("is_whitelist": true) removes the need to set triage_category, as this tells Cognito to create a whitelist rather than a triage rule.

curl -X POST \
 https://<cognito_brain_ip_or_hostname>/api/v2/rules/ \
 -H 'Authorization: Token <api token>' \
 -H 'Content-Type: application/json' \
 -d '{
    "detection_category": "LATERAL MOVEMENT",
    "triage_category": "SSH.Brute.Force-SystemAuth",
    "detection": "Brute-Force Attack",
    "remote1_ip": ["10.1.1.0/24", "10.1.2.0/24"],
    "remote1_proto": ["ssh"],
    "is_whitelist": 0,
    "description": "Normal Authentication Activity",
    "host": [3345]
 }'

Using curl to view the new entry after it was created:

curl -H "Authorization: Token <api token>" -k https://<cognito_brain_ip_or_hostname>/api/v2/rules/
{
  "id": 167,
  "url": "https://<ip_removed>/api/v2/rules/167",
  "description": "Normal Authentication Activity",
  "created_timestamp": "2018-01-05T19:37:48Z",
  "last_timestamp": null,
  "host": [
    "https://<ip_removed>/api/v2/hosts/3345"
  ],
  "all_hosts": false,
  "is_whitelist": false,
  "sensor_luid": null,
  "ip": null,
  "priority": 2,
  "remote1_ip": [
    "10.1.1.0/24",
    "10.1.2.0/24"
  ],
  "remote1_proto": [
    "ssh"
  ],
  "detection_category": "LATERAL MOVEMENT",
  "triage_category": "SSH.Brute.Force-SystemAuth",
  "detection": "Brute-Force Attack"
}
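The same create-then-verify procedure as a script, added here as an example and not code from Vectra or from this article. It uses only the field names shown above, builds the request body while enforcing the "exactly one of host / ip / all_hosts" rule and the whitelist-versus-triage_category rule before anything is sent, and then checks that the rule object the API returns reflects what was submitted (note that host IDs come back as URLs, not integers). The environment variable names COGNITO_BRAIN and COGNITO_TOKEN, the verify_tls switch (the equivalent of curl -k, which disables certificate checking and should stay on unless the brain's self-signed certificate has been verified another way) and the helper function names are assumptions of this example.

```python
"""Create and verify a Cognito triage filter via the v2 REST API.

Added example, not Vectra's own code. Field names follow the article;
environment variable names and helper names are this example's own.
"""
import json
import os
import ssl
import urllib.request

# The API accepts exactly one of these target selectors per rule.
TARGET_FIELDS = ("host", "ip", "all_hosts")


def build_triage_filter(detection_category, detection, description,
                        triage_category=None, is_whitelist=False,
                        host=None, ip=None, all_hosts=False,
                        remote1_ip=None, remote1_proto=None):
    """Return the JSON body for POST /api/v2/rules/ after validating
    the constraints the article describes."""
    body = {
        "detection_category": detection_category,
        "detection": detection,
        "description": description,
        "is_whitelist": bool(is_whitelist),
    }
    # Exactly one target selector: host IDs, IPs/subnets, or all hosts.
    selectors = {"host": host, "ip": ip, "all_hosts": all_hosts}
    chosen = [name for name, value in selectors.items() if value]
    if len(chosen) != 1:
        raise ValueError(f"exactly one of {TARGET_FIELDS} must be set, got {chosen}")
    body[chosen[0]] = selectors[chosen[0]]
    # A whitelist needs no triage_category; a triage rule must carry one.
    if not is_whitelist:
        if not triage_category:
            raise ValueError("triage_category is required unless is_whitelist is true")
        body["triage_category"] = triage_category
    if remote1_ip:
        body["remote1_ip"] = list(remote1_ip)
    if remote1_proto:
        body["remote1_proto"] = list(remote1_proto)
    return body


def _request(method, url, token, body=None, verify_tls=True):
    """Send one authenticated JSON request and decode the JSON reply."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Token {token}",
        "Content-Type": "application/json",
    })
    ctx = ssl.create_default_context()
    if not verify_tls:  # same effect as curl -k: no certificate validation
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.loads(resp.read().decode())


def create_triage_filter(brain, token, body, verify_tls=True):
    return _request("POST", f"https://{brain}/api/v2/rules/", token, body, verify_tls)


def list_triage_filters(brain, token, verify_tls=True):
    return _request("GET", f"https://{brain}/api/v2/rules/", token, None, verify_tls)


def rule_matches(rule, body):
    """Confirm a rule object returned by the API reflects the submitted
    filter. Hosts are returned as .../api/v2/hosts/<id> URLs, so compare
    on the trailing ID rather than on the raw value."""
    for key in ("detection_category", "detection", "triage_category",
                "remote1_ip", "remote1_proto", "description"):
        if key in body and rule.get(key) != body[key]:
            return False
    if "host" in body:
        returned_ids = [int(u.rstrip("/").rsplit("/", 1)[-1])
                        for u in rule.get("host") or []]
        if sorted(returned_ids) != sorted(body["host"]):
            return False
    return bool(rule.get("is_whitelist")) == body["is_whitelist"]


if __name__ == "__main__":
    brain = os.environ["COGNITO_BRAIN"]   # assumed variable names
    token = os.environ["COGNITO_TOKEN"]
    body = build_triage_filter(
        detection_category="LATERAL MOVEMENT",
        detection="Brute-Force Attack",
        description="Normal Authentication Activity",
        triage_category="SSH.Brute.Force-SystemAuth",
        host=[3345],
        remote1_ip=["10.1.1.0/24", "10.1.2.0/24"],
        remote1_proto=["ssh"],
    )
    created = create_triage_filter(brain, token, body)
    print(json.dumps(created, indent=2))
    print("matches submitted filter:", rule_matches(created, body))
```

Run it with COGNITO_BRAIN set to the brain's IP or hostname and COGNITO_TOKEN to the token copied from ‘My Profile’; the validation in build_triage_filter catches a malformed filter locally rather than relying on the API's error response.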