API Methods
Introduction
NETALERT integrates easily with external tools and provides two API calls for extracting information from NETALERT. The information that can be extracted includes:
- Traffic information
- Alert information
API Methods
Each request must authenticate against NETALERT using an API key AND an IP address. API keys are generated in the administration section of NETALERT and are used by adding an authorization header to each request:
Authorization: Bearer {API_KEY}
All NETALERT API methods use the POST request type.
NETALERT uses the same mechanisms for its remote management capabilities.
Method - postAPIGetTraffic
For extracting traffic information, the postAPIGetTraffic method is used with the following parameters:
- StartDate: the start time of the search
- EndDate: the end time of the search
- Filter: the OpenSearch filter, a query string query for data filtering
- maxNumberOfResults: The upper limit of data entries provided by an API call to a single request
The method is:
https://{NETALERT_IP}/postAPIGetTraffic
Ex: Request
{
"StartDate": "2024-02-05 11:59:45",
"EndDate": "2024-02-05 12:00:00",
"Filter": "*",
"maxNumberOfResults": 100
}
Ex: Response
{
"data": {
"totalResults": 29126861,
"data": [
{
"SrcMAC": "1c:98:ec:1b:67:dd",
"DestMAC": "80:30:e0:3c:7e:74",
"SrcIP": "192.168.200.71",
"DestIP": "192.168.200.6",
"Protocol": "ICMP",
"UpperLayerChecksum": "11427",
"TCPSequence": "0",
"TCPack": "0",
"TCPFlags": "0",
"EthernetType": "Internet Protocol version 4 (IPv4)",
"HeaderLength": "138",
"RXdirection": "0",
"Flow_GUID": "C470E583-55C1-AA72-5AAF-7AF2196FDE1A",
"Packet_GUID": "BB433881-B4C1-7D2F-13BE-133E92D5CB58",
"UTC_ISO8601": "2024-02-13T11:42:55.239608+00:00",
"insertTimestamp": 1707824575,
"DetectedTrafficTag": "TrafficICMP",
"ttl": "64",
"status": "Normal",
"connectionStatus": "CLOSED",
"total_bytes": 138,
"datasourceType": "TAP/SPAN",
"_OS7": {
"isExternalTraffic": false,
"isInternalTraffic": true,
"isInternalTransfer": false,
"isExternalTransfer": false,
"s_IPClass": "Class C",
"d_IPClass": "Class C",
"isDNSRequest": false,
"isICMP": true,
"icmp_code": 2,
"icmp_type": 3,
"icmp_id": 0,
"icmp_seq": 0,
"isProxyTraffic": false,
"isFile": false,
"isUnknownFile": false,
"isCryptoMining": false,
"isTOR": false,
"isDynamicDNSRequest": false,
"isScan": false,
"isAuthentication": false,
"isBruteForce": false,
"isDHCP": false,
"isKerberos": false,
"isSMTP": false,
"isSSL": false,
"isKnownProtocol": true,
"isDetectedFwProtocol": false,
"isDetectedRvProtocol": false
},
"_ssl": [],
"Log": {
"index": "day_traffic_2024-02-13",
"type": "traffic",
"id": "NDxGoo0BCsC4LDmy82VY",
"score": null
}
}
]
},
"isSuccess": true,
"message": "",
"errorMessage": null
}
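A small client helper for the traffic methods above, written as an added example (not NETALERT's own code): it builds the postAPIGetTraffic request with the Bearer header, validates a Flow_GUID before using it as the single-traffic Filter, unwraps the common response envelope, and counts entries per DetectedTrafficTag. The host name, API key and the sample response are constructed placeholders, and nothing is sent over the network.

```python
import json
import re
from datetime import datetime

# Constructed placeholders (not from the NETALERT documentation): substitute your own values.
NETALERT_IP = "netalert.example.internal"
API_KEY = "REPLACE_WITH_API_KEY"   # generated in the NETALERT administration section
GUID_RE = re.compile(r"^[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}$")

def build_traffic_request(start, end, flt="*", max_results=100):
    """Return (url, headers, body) for postAPIGetTraffic; nothing is sent."""
    for ts in (start, end):
        datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")   # reject malformed timestamps early
    if max_results < 1:
        raise ValueError("maxNumberOfResults must be positive")
    url = f"https://{NETALERT_IP}/postAPIGetTraffic"   # https only: the key travels in the header
    headers = {"Authorization": f"Bearer {API_KEY}", "Content-Type": "application/json"}
    body = {"StartDate": start, "EndDate": end, "Filter": flt, "maxNumberOfResults": max_results}
    return url, headers, body

def single_flow_filter(flow_guid):
    """Body for the GetSingleTraffic lookup; only a well-formed Flow_GUID is accepted as Filter."""
    if not GUID_RE.match(flow_guid):
        raise ValueError("Flow_GUID does not look like a GUID")
    return {"Filter": flow_guid}

def parse_envelope(payload):
    """Unwrap the {data:{totalResults,data:[...]},isSuccess,...} envelope; raise when isSuccess is false."""
    if not payload.get("isSuccess"):
        raise RuntimeError(payload.get("errorMessage") or payload.get("message") or "request failed")
    return payload["data"]["totalResults"], payload["data"]["data"]

def count_by_tag(entries):
    """Count entries per (DetectedTrafficTag, _OS7.isExternalTraffic) so external flows stand out."""
    counts = {}
    for e in entries:
        key = (e.get("DetectedTrafficTag", "?"), bool(e.get("_OS7", {}).get("isExternalTraffic")))
        counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample response: same shape as the documented one, invented values.
SAMPLE = json.loads("""{"data": {"totalResults": 3, "data": [
  {"DetectedTrafficTag": "TrafficICMP", "_OS7": {"isExternalTraffic": false}},
  {"DetectedTrafficTag": "TrafficDNS",  "_OS7": {"isExternalTraffic": true}},
  {"DetectedTrafficTag": "TrafficDNS",  "_OS7": {"isExternalTraffic": true}}]},
  "isSuccess": true, "message": "", "errorMessage": null}""")

if __name__ == "__main__":
    url, headers, body = build_traffic_request("2024-02-05 11:59:45", "2024-02-05 12:00:00")
    print(url, json.dumps(body))
    total, entries = parse_envelope(SAMPLE)
    print(total, count_by_tag(entries))
```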
Method - GetSingleTraffic
- In order to retrieve a single specific traffic event, use a Flow_GUID filter as in the following example:
Flow_GUID: C470E583-55C1-AA72-5AAF-7AF2196FDE1A
Flow_GUID can be extracted from the results set of the bigger traffic request.
GetSingleTraffic: /api/postAPIGetTraffic
{
"Filter": "C470E583-55C1-AA72-5AAF-7AF2196FDE1A"
}
Method - postAPIGetAlerts
For extracting alert information, the postAPIGetAlerts method is used with the following parameters:
- StartDate: the start time of the search
- EndDate: the end time of the search
- Filter: the OpenSearch filter, a query string query for data filtering
- maxNumberOfResults: The upper limit of data entries provided by an API call to a single request
The method is:
https://{NETALERT_IP}/postAPIGetAlerts
Ex: Request
{
"StartDate": "2024-02-05 11:59:45",
"EndDate": "2024-02-13 12:00:00",
"Filter": "*",
"maxNumberOfResults": 100
}
Ex: Response
{
"data": {
"totalResults": 1650293,
"data": [
{
"Flow_ID": "E2A80A95-A2D3-9D72-8A2B-A14989C0E9DD",
"ML_score": 99.68,
"Alert_IDS": "962a05b2-5045-4211-92a4-a5de6262aab6",
"Packet_IDS": "F513AB01-F980-0CEC-F54F-80005E5D47F4",
"AlertID": "1707824765_BYDGB4DI9NFQXMZ2TOLB",
"AlertName": "Connections",
"UTC_ISO8601": "2024-02-13T11:46:05.402429+00:00",
"Content": "",
"ML_score_sources": [
{
"Name": "PyodIForest",
"ML_score": 98.8,
"Parameters": [
{
"paramName": "behaviour",
"paramValue": "new"
},
{
"paramName": "bootstrap",
"paramValue": "False"
}
]
},
{
"Name": "PyodKNN",
"ML_score": 100,
"Parameters": [
{
"paramName": "algorithm",
"paramValue": "auto"
}
]
},
{
"Name": "PyodLODA",
"ML_score": 99.3,
"Parameters": [
{
"paramName": "contamination",
"paramValue": "0.0015"
}
]
},
{
"Name": "PyodLOF",
"ML_score": 100,
"Parameters": [
{
"paramName": "algorithm",
"paramValue": "auto"
},
{
"paramName": "contamination",
"paramValue": "0.0015"
}
]
},
{
"Name": "PyodOCSVM",
"ML_score": 100,
"Parameters": [
{
"paramName": "cache_size",
"paramValue": "200"
},
{
"paramName": "coef0",
"paramValue": "0.0"
}
]
},
{
"Name": "AmlAE",
"ML_score": 100,
"Parameters": [
{
"paramName": "encoder_neurons",
"paramValue": "[10, 6, 4]"
},
{
"paramName": "decoder_neurons",
"paramValue": "[6, 10, 11]"
}
]
}
],
"Alert_IP": "192.168.200.241",
"Alert_MAC": "",
"Alert": {
"index": "day_alerts_2024-02-13",
"type": "alerts",
"id": "KT1Joo0BCsC4LDmy2Xbi",
"score": null
}
},
{
"Flow_ID": "6949C738-F02C-5799-11CC-73E54C47DEA3",
"ML_score": 99.68,
"Alert_IDS": "962a05b2-5045-4211-92a4-a5de6262aab6",
"Packet_IDS": "310935D0-499D-47ED-BE65-DA4CF4BE5308",
"AlertID": "1707824764_WTXI5U8XIP53LBGIINRL",
"AlertName": "Connections",
"UTC_ISO8601": "2024-02-13T11:46:04.073214+00:00",
"Content": "",
"ML_score_sources": [
{
"Name": "PyodIForest",
"ML_score": 98.8,
"Parameters": [
{
"paramName": "behaviour",
"paramValue": "new"
},
{
"paramName": "bootstrap",
"paramValue": "False"
}
]
},
{
"Name": "PyodKNN",
"ML_score": 100,
"Parameters": [
{
"paramName": "algorithm",
"paramValue": "auto"
},
{
"paramName": "contamination",
"paramValue": "0.0015"
}
]
},
{
"Name": "PyodLODA",
"ML_score": 99.3,
"Parameters": [
{
"paramName": "contamination",
"paramValue": "0.0015"
},
{
"paramName": "n_bins",
"paramValue": "auto"
}
]
},
{
"Name": "PyodLOF",
"ML_score": 100,
"Parameters": [
{
"paramName": "algorithm",
"paramValue": "auto"
}
]
},
{
"Name": "PyodOCSVM",
"ML_score": 100,
"Parameters": [
{
"paramName": "cache_size",
"paramValue": "200"
},
{
"paramName": "coef0",
"paramValue": "0.0"
}
]
},
{
"Name": "AmlAE",
"ML_score": 100,
"Parameters": [
{
"paramName": "encoder_neurons",
"paramValue": "[10, 6, 4]"
},
{
"paramName": "decoder_neurons",
"paramValue": "[6, 10, 11]"
}
]
}
],
"Alert_IP": "192.168.200.182",
"Alert_MAC": "",
"Alert": {
"index": "day_alerts_2024-02-13",
"type": "alerts",
"id": "8j1Joo0BCsC4LDmy1HSy",
"score": null
}
},
{
"Flow_ID": "A7637DE0-DBD2-C48F-A149-1D07DB4C9D44",
"ML_score": 99.68,
"Alert_IDS": "962a05b2-5045-4211-92a4-a5de6262aab6",
"Packet_IDS": "F24BEC7E-F2DA-4327-C75A-88B9DE3AB69B",
"AlertID": "1707824763_ZCKF4YMHQ7DG36UUX8V5",
"AlertName": "Connections",
"UTC_ISO8601": "2024-02-13T11:46:02.771659+00:00",
"Content": "",
"ML_score_sources": [
{
"Name": "PyodIForest",
"ML_score": 98.8,
"Parameters": [
{
"paramName": "behaviour",
"paramValue": "new"
},
{
"paramName": "bootstrap",
"paramValue": "False"
}
]
},
{
"Name": "PyodKNN",
"ML_score": 100,
"Parameters": [
{
"paramName": "algorithm",
"paramValue": "auto"
},
{
"paramName": "contamination",
"paramValue": "0.0015"
}
]
},
{
"Name": "PyodLODA",
"ML_score": 99.3,
"Parameters": [
{
"paramName": "contamination",
"paramValue": "0.0015"
},
{
"paramName": "n_bins",
"paramValue": "auto"
}
]
},
{
"Name": "PyodLOF",
"ML_score": 100,
"Parameters": [
{
"paramName": "algorithm",
"paramValue": "auto"
},
{
"paramName": "contamination",
"paramValue": "0.0015"
}
]
},
{
"Name": "PyodOCSVM",
"ML_score": 100,
"Parameters": [
{
"paramName": "cache_size",
"paramValue": "200"
},
{
"paramName": "coef0",
"paramValue": "0.0"
}
]
},
{
"Name": "AmlAE",
"ML_score": 100,
"Parameters": [
{
"paramName": "encoder_neurons",
"paramValue": "[10, 6, 4]"
},
{
"paramName": "decoder_neurons",
"paramValue": "[6, 10, 11]"
}
]
}
],
"Alert_IP": "192.168.200.90",
"Alert_MAC": "",
"Alert": {
"index": "day_alerts_2024-02-13",
"type": "alerts",
"id": "kz1Joo0BCsC4LDmyz3Oc",
"score": null
}
}
]
},
"isSuccess": true,
"message": "",
"errorMessage": null
}
Method - GetSingleAlerts
- In order to retrieve a single specific alert, use an AlertID filter as in the following example:
AlertID: 1707824765_BYDGB4DI9NFQXMZ2TOLB
GetSingleAlerts: /api/postAPIGetAlerts
{
"Filter": "1707824765_BYDGB4DI9NFQXMZ2TOLB"
}
Method - postGetTrafficCountByField
For counting traffic entries grouped by a field, the postGetTrafficCountByField method is used with the following parameters:
- StartDate: the start time of the search
- EndDate: the end time of the search
- Filter: the OpenSearch filter, a query string query for data filtering
- Field: the field you want to search by
- maxNumberOfResults: The upper limit of data entries provided by an API call to a single request
The method is:
https://{NETALERT_IP}/postGetTrafficCountByField
Ex: Request
{
"StartDate": "2024-02-05 11:59:45",
"EndDate": "2024-02-05 12:00:00",
"Filter": "",
"Field": "SrcIP",
"maxNumberOfResults": 100
}
Ex: Response
{
"data": {
"totalResults": 1420,
"data": [
{
"key": "192.168.200.181",
"value": 899
},
{
"key": "192.168.200.190",
"value": 78
},
{
"key": "192.168.200.99",
"value": 75
}
]
},
"isSuccess": true,
"message": "",
"errorMessage": null
}
Method - postGetSrcIPConnections
For extracting connection counts per source IP, the postGetSrcIPConnections method is used with the following parameters:
- StartDate: the start time of the search
- EndDate: the end time of the search
- Filter: the OpenSearch filter, a query string query for data filtering
- Field: the field you want to search by
- maxNumberOfResults: The upper limit of data entries provided by an API call to a single request
The method is:
https://{NETALERT_IP}/postGetSrcIPConnections
Ex: Request
{
"StartDate": "2024-02-05 11:59:45",
"EndDate": "2024-02-05 12:00:00",
"Filter": "",
"Field": "SrcIP",
"maxNumberOfResults": 100
}
Ex: Response
{
"data": {
"totalResults": 1420,
"data": [
{
"key": "192.168.200.181",
"value": 899
},
{
"key": "192.168.200.190",
"value": 78
},
{
"key": "192.168.200.99",
"value": 75
},
{
"key": "192.168.200.96",
"value": 65
}
]
},
"isSuccess": true,
"message": "",
"errorMessage": null
}
Method - postGetDestIPConnections
For extracting connection counts per destination IP, the postGetDestIPConnections method is used with the following parameters:
- StartDate: the start time of the search
- EndDate: the end time of the search
- Filter: the OpenSearch filter, a query string query for data filtering
- Field: the field you want to search by
- maxNumberOfResults: The upper limit of data entries provided by an API call to a single request
The method is:
https://{NETALERT_IP}/postGetDestIPConnections
Ex: Request
{
"StartDate": "2024-02-05 11:59:45",
"EndDate": "2024-02-05 12:00:00",
"Filter": "",
"Field": "SrcIP",
"maxNumberOfResults": 100
}
Ex: Response
{
"data": {
"totalResults": 1420,
"data": [
{
"key": "79.119.244.94",
"value": 893
},
{
"key": "192.168.200.240",
"value": 127
},
{
"key": "192.168.200.10",
"value": 57
},
{
"key": "192.168.200.100",
"value": 34
},
{
"key": "192.168.200.6",
"value": 33
},
{
"key": "192.168.200.250",
"value": 26
},
{
"key": "8.8.8.8",
"value": 24
},
{
"key": "239.255.255.250",
"value": 19
},
{
"key": "142.251.133.67",
"value": 14
},
{
"key": "172.217.17.142",
"value": 13
},
{
"key": "31.13.84.4",
"value": 13
},
{
"key": "142.251.140.42",
"value": 12
},
{
"key": "172.217.169.163",
"value": 12
},
{
"key": "31.13.84.36",
"value": 12
}
]
},
"isSuccess": true,
"message": "",
"errorMessage": null
}
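The count-by-field responses above (postGetTrafficCountByField, postGetSrcIPConnections, postGetDestIPConnections) share one key/value shape; the following added example, not part of the NETALERT documentation, takes a postGetDestIPConnections envelope and separates public destinations from private and multicast ones, which is the first cut an analyst makes when reviewing where internal hosts talk to. The sample payload is a constructed subset using a few of the addresses shown in the documented response.

```python
import ipaddress

def classify(ip_text):
    """Bucket a destination address as multicast, private (RFC 1918/loopback/link-local) or public."""
    ip = ipaddress.ip_address(ip_text)
    if ip.is_multicast:
        return "multicast"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "private"
    return "public"

def external_destinations(payload, top=10):
    """Public destinations from a postGetDestIPConnections envelope, highest connection count first."""
    if not payload.get("isSuccess"):
        raise RuntimeError(payload.get("errorMessage") or payload.get("message") or "request failed")
    rows = payload["data"]["data"]
    public = [(r["key"], r["value"]) for r in rows if classify(r["key"]) == "public"]
    public.sort(key=lambda kv: (-kv[1], kv[0]))   # count descending, address as tie-breaker
    return public[:top]

def share_of_public(payload):
    """Fraction (0.0 .. 1.0) of the counted connections that went to public destinations."""
    rows = payload["data"]["data"]
    total = sum(r["value"] for r in rows)
    pub = sum(r["value"] for r in rows if classify(r["key"]) == "public")
    return pub / total if total else 0.0

# Constructed sample: a subset of the documented response, with totalResults set to the row count.
SAMPLE = {
    "data": {"totalResults": 5, "data": [
        {"key": "79.119.244.94", "value": 893},
        {"key": "192.168.200.240", "value": 127},
        {"key": "8.8.8.8", "value": 24},
        {"key": "239.255.255.250", "value": 19},
        {"key": "142.251.133.67", "value": 14},
    ]},
    "isSuccess": True, "message": "", "errorMessage": None,
}

if __name__ == "__main__":
    for addr, count in external_destinations(SAMPLE):
        print(f"{addr:>16}  {count}")
    print(f"public share: {share_of_public(SAMPLE):.1%}")
```

The same classification applies unchanged to postGetSrcIPConnections output, where a public key would mean a source outside the monitored network.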
Method - postGetAlertCountByField
For counting alerts grouped by a field, the postGetAlertCountByField method is used with the following parameters:
- StartDate: the start time of the search
- EndDate: the end time of the search
- Filter: the OpenSearch filter, a query string query for data filtering
- Field: the field you want to search by
- maxNumberOfResults: The upper limit of data entries provided by an API call to a single request
The method is:
https://{NETALERT_IP}/postGetAlertCountByField
Ex: Request
{
"StartDate": "2024-02-05 11:59:45",
"EndDate": "2024-02-05 12:00:00",
"Filter": "",
"Field": "AlertName",
"maxNumberOfResults": 100
}
Ex: Response
{
"data": {
"totalResults": 45,
"data": [
{
"key": "DNSRequests",
"value": 40
},
{
"key": "Connections",
"value": 3
},
{
"key": "BruteForce",
"value": 1
},
{
"key": "IOCIP",
"value": 1
}
]
},
"isSuccess": true,
"message": "",
"errorMessage": null
}