# ThreatDown OneView API

*Malwarebytes connector*

The ThreatDown OneView API connector facilitates automated interactions with ThreatDown's threat intelligence services, enabling efficient threat detection and management.

ThreatDown OneView API serves as a comprehensive threat detection and management tool, offering a robust API for exporting, searching, and managing detection data. By integrating with Swimlane Turbine, security teams can automate the extraction of detailed detection information, manage false positive reporting, and perform advanced searches with fine-grained filters. This connector streamlines the process of threat detection analysis and response, enhancing the efficiency and effectiveness of security operations.

## Limitations

OAuth2 client credentials authentication provides application-level access to Malwarebytes resources without user context. This form of authentication allows an application to make API requests on its own behalf using the client credentials flow.

With OAuth2 client credentials authentication, you can perform actions such as:

- Export detection data synchronously and asynchronously
- Search detections with advanced filtering and grouping
- Retrieve detailed detection information by ID
- Submit false positive requests with evidence
- Access comprehensive threat intelligence data

## Supported version

The Malwarebytes connector supports the following versions of the Malwarebytes API:

- OAuth 2.0 client credentials in Malwarebytes v1: fully supported for application-only authentication. Used for requests where user authentication is not required (accessing detection data and threat intelligence).

## Configuration

### Prerequisites

To effectively utilize the ThreatDown OneView API connector with Swimlane Turbine, ensure you have the following prerequisites:

- OAuth2 client credentials authentication with the following parameters:
  - URL: endpoint for ThreatDown OneView API access
  - Client ID: unique identifier for OAuth2 authentication
  - Client Secret: confidential key for OAuth2 authentication
  - Token URL: endpoint to obtain OAuth2 tokens
  - Account ID: identifier for the user's account in ThreatDown OneView

### Authentication Methods

- OAuth 2.0 client credentials authentication

### Setup Instructions

You will need to sign up for a Malwarebytes Nebula account and generate client credentials. Once you have those, you'll also need to obtain your Account ID. Follow the steps below:

1. Log into your Malwarebytes Nebula account.
2. Navigate to the Integrate section.
3. Generate your client credentials (Client ID and Client Secret).
4. Note your Account ID (UUID format) from your account settings.

You can find the Account ID in your Malwarebytes Nebula account settings or API configuration page.

### Document References

- https://api.malwarebytes.com/nebula/v1/docs#operation/api_oauth2_token

### Troubleshoot Tips

- Note that client credentials are application-specific and should be kept secure.
- The access token obtained through the client credentials flow is valid for a limited time and will be automatically refreshed by the connector.

## Capabilities

- Export Detections
- Export Detections Asynchronously
- Get Detection by ID
- Search Detections
- Search Detections GroupBy
- Submit False Positive Request

### Export Detections

The Export Detections endpoint returns detection data in various formats (CSV, XLSX, HTML, ODS, TXT, RTF, JSON) with configurable field selection and filtering options. This endpoint allows for comprehensive data export with flexible query groups and field mapping.

More details can be found at https://api.malwarebytes.com/nebula/v1/docs#operation/api_v2_nebula_post_export_detections

### Export Detections Asynchronously

The asynchronous export endpoint provides the same functionality as the synchronous export but processes large datasets in the background, returning an export job ID for tracking progress and download completion.

More details can be found at https://api.malwarebytes.com/nebula/v1/docs#operation/api_v2_nebula_post_export_detections_async

### Get Detection by ID

The Get Detection by ID endpoint returns detailed information about a specific detection, including remediation status, related detections, and comprehensive metadata.

More details can be found at https://api.malwarebytes.com/nebula/v1/docs#operation/api_v2_nebula_get_detections_id

### Search Detections

The Search Detections endpoint provides comprehensive search capabilities across detection events with advanced filtering, sorting, and pagination options. It supports extensive filtering by endpoint information, plugin data, threat characteristics, and temporal ranges.

More details can be found at https://api.malwarebytes.com/nebula/v1/docs#operation/api_v2_nebula_search_detections

### Search Detections GroupBy

The Search Detections GroupBy endpoint enables analytics and grouping of detection data across various dimensions, providing aggregated insights and summary statistics for threat analysis and reporting.

More details can be found at https://api.malwarebytes.com/nebula/v1/docs#operation/api_v2_nebula_search_detections_group

### Submit False Positive Request

The Submit False Positive Request endpoint allows security teams to report legitimate files or applications that have been incorrectly flagged as threats, facilitating continuous improvement of detection accuracy.

More details can be found at https://api.malwarebytes.com/nebula/v1/docs#operation/api_v2_nebula_detections_submit_fp

## Configurations

### ThreatDown OneView API Authentication

Authentication configuration for ThreatDown OneView API using OAuth2 client credentials.

Configuration parameters:

| Parameter | Description | Type | Required |
|---|---|---|---|
| url | A URL to the target host | string | required |
| token_url | Endpoint to obtain OAuth2 tokens | string | required |
| client_id | The Client ID | string | required |
| client_secret | The Client Secret | string | required |
| accountid | Your Nebula Account ID (UUID format) | string | required |
| scope | Permission scopes for this action | array | optional |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Export Detections

Exports a list of detections from ThreatDown OneView API in the specified format, with options to select fields and filter by groups.

Endpoint URL: `oneview/v1/detections/export`

Method: POST

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| format | string | optional | The output file format |
| download | boolean | optional | Whether to instruct the client to download the response as a file |
| type | string | optional | The encoding of the output |
| select | array | optional | Which fields to select from the response |
| select.newField | string | optional | The new value |
| select.field | string | required | The response field to map to a new value |
| groups | array | optional | List of queries for filtering detections |
| groups.name | string | optional | Name of the query group |
| groups.account_ids | array | required | List of account IDs to filter detections by |

Input example:

```json
{"format": "string", "download": true, "type": "string", "select": [{"newField": "string", "field": "string"}], "groups": [{"name": "Example Name", "account_ids": ["string"]}]}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "reason": "OK", "json_body": {}}
```

### Export Detections Asynchronously

Initiates an asynchronous export of detection data from ThreatDown OneView API in the specified format, with options to select fields and filter by groups.

Endpoint URL: `nebula/v1/detections/export/async`

Method: POST

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| format | string | optional | The output file format |
| download | boolean | optional | Whether to instruct the client to download the response as a file |
| type | string | optional | The encoding of the output |
| select | array | optional | Which fields to select from the response |
| select.newField | string | optional | The new value |
| select.field | string | required | The response field to map to a new value |
| groups | array | optional | List of queries for filtering detections |
| groups.name | string | optional | Name of the query group |
| groups.account_ids | array | required | List of account IDs to filter detections by |

Input example:

```json
{"format": "string", "download": true, "type": "string", "select": [{"newField": "string", "field": "string"}], "groups": [{"name": "Example Name", "account_ids": ["string"]}]}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "reason": "OK", "json_body": {}}
```

### Get Detection by ID

Retrieve detailed information for a specific detection using its unique ID from ThreatDown OneView API.

Endpoint URL: `nebula/v1/detections/{{id}}`

Method: GET

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.id | string | required | The unique identifier of the detection to retrieve |

Input example:

```json
{"path_parameters": {"id": "12345678-1234-1234-1234-123456789abc"}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "reason": "OK", "json_body": {}}
```

### Search Detections

Retrieve filtered detection results from ThreatDown OneView API using specified criteria in the request body.

Endpoint URL: `nebula/v1/detections`

Method: POST

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| protection_status | string | optional | Protection status of the endpoint(s) |
| scan_type | string | optional | Type of the scan |
| schedule_id | string | optional | ID of the schedule |
| schedule_etag | string | optional | ETag of the schedule |
| job_id | string | optional | ID of the job originating this detection |
| domain_name | string | optional | Filter the search to the endpoints with the specified domain name |
| engine_version | string | optional | Filter the search to the endpoints with the specified engine version |
| last_user | string | optional | Last user that logged into the machine |
| last_user.keyword | string | optional | Last user that logged into the machine (exact match) |
| plugins.siem.reboot_reason | string | optional | Filter the search to the endpoints with the specified reboot reason, as reported by the SIEM plugin |
| plugins.siem.plugin_version | string | optional | Filter the search to the endpoints with the specified SIEM plugin version |
| plugins.browser_phishing_protection.plugin_version | string | optional | Filter the search to the endpoints with the specified Browser Phishing Protection plugin version |
| plugins.incident_response.reboot_reason | string | optional | Filter the search to the endpoints with the specified reboot reason, as reported by the IR plugin |
| plugins.incident_response.plugin_version | string | optional | Filter the search to the endpoints with the specified IR plugin version |
| plugins.endpoint_detection_response.reboot_reason | string | optional | Filter the search to the endpoints with the specified reboot reason, as reported by the EDR plugin |
| plugins.endpoint_detection_response.plugin_version | string | optional | Filter the search to the endpoints with the specified EDR plugin version |
| plugins.endpoint_protection.reboot_reason | string | optional | Filter the search to the endpoints with the specified reboot reason, as reported by the EP plugin |
| plugins.endpoint_protection.update_package_version | string | optional | Filter the search to the endpoints with the specified EP update package version |
| plugins.endpoint_protection.component_package_version | string | optional | Filter the search to the endpoints with the specified EP component package version |
| plugins.endpoint_protection.sdk_version | string | optional | Filter the search to the endpoints with the specified EP SDK version |
| plugins.endpoint_protection.plugin_version | string | optional | Filter the search to the endpoints with the specified EP plugin version |
| plugins.asset_manager.reboot_reason | string | optional | Filter the search to the endpoints with the specified reboot reason, as reported by the Asset Manager plugin |
| plugins.asset_manager.plugin_version | string | optional | Filter the search to the endpoints with the specified Asset Manager plugin version |
| fully_qualified_host_name | string | optional | Filter the search to the endpoints with the specified fully qualified host name |
| host_name | string | optional | Filter the search to the endpoints with the specified host name |

Input example:

```json
{"protection_status": "active", "scan_type": "string", "schedule_id": "string", "schedule_etag": "string", "job_id": "string", "domain_name": "Example Name", "engine_version": "string", "last_user": "string", "last_user.keyword": "string", "plugins.siem.reboot_reason": "string", "plugins.siem.plugin_version": "string", "plugins.browser_phishing_protection.plugin_version": "string", "plugins.incident_response.reboot_reason": "string", "plugins.incident_response.plugin_version": "string", "plugins.endpoint_detection_response.reboot_reason": "string", "plugins.endpoint_detection_response.plugin_version": "string", "plugins.endpoint_protection.reboot_reason": "string", "plugins.endpoint_protection.update_package_version": "string", "plugins.endpoint_protection.component_package_version": "string", "plugins.endpoint_protection.sdk_version": "string", "plugins.endpoint_protection.plugin_version": "string", "plugins.asset_manager.reboot_reason": "string", "plugins.asset_manager.plugin_version": "string", "fully_qualified_host_name": "Example Name", "host_name": "Example Name", "os_info.os_release_name": "Example Name", "os_info.os_architecture": "string", "os_info.os_platform": "string", "os_info.os_version": "string", "os_info.os_type": "string", "nics.description": "string", "nics.mac_address": "string", "nics.ips": "string", "host_name.keyword": "Example Name", "fully_qualified_host_name.keyword": "Example Name", "engine_version.keyword": "string", "domain_name.keyword": "Example Name", "at_after": "string", "at_before": "string", "machine_name.keyword": "Example Name", "machine_name": "Example Name", "process_name.keyword": "Example Name", "process_name": "Example Name", "affected_application.keyword": "string", "affected_application": "string", "category": "string", "not_category": "string", "md5": "string", "sha256": "string", "path.keyword": "string"}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| detections | array | Output field detections |
| detections.id | string | Unique identifier |
| detections.type | array | Type of the resource |
| detections.status | string | Status value |
| detections.path | string | Output field detections.path |
| detections.group_id | string | Unique identifier |
| detections.group | object | Output field detections.group |
| detections.is_root_detection | boolean | Output field detections.is_root_detection |
| detections.machine_id | string | Unique identifier |
| detections.account_id | string | Unique identifier |
| detections.detection_id | string | Unique identifier |
| detections.scanned_at | string | Output field detections.scanned_at |
| detections.scanned_at_offset_seconds | number | Output field detections.scanned_at_offset_seconds |
| detections.reported_at | string | Output field detections.reported_at |
| detections.resource_created_at | string | Output field detections.resource_created_at |
| detections.resource_modified_at | string | Output field detections.resource_modified_at |
| detections.threat_name | string | Name of the resource |
| detections.category | string | Output field detections.category |
| detections.action_taken | string | Output field detections.action_taken |
| detections.is_rtp_stream_event | boolean | Output field detections.is_rtp_stream_event |
| detections.process_name | string | Name of the resource |
| detections.cleaned_at | string | Output field detections.cleaned_at |
| detections.machine_name | string | Name of the resource |

Output example:

```json
{"status_code": 200, "reason": "OK", "json_body": {"detections": [{}], "aggregations": {}, "total_count": 0, "next_cursor": "eyJzdGFydF9pbmRleCI6MTAwfQ=="}}
```

### Search Detections GroupBy

Performs a search for grouped detections in ThreatDown OneView API, with options to specify grouping and page size.

Endpoint URL: `nebula/v1/detections/search-groupby`

Method: POST

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| group_by | string | optional | The group-by field schema |
| page_size | number | optional | The size of the page |
| next_cursor | string | optional | Pagination cursor for the next set of results |
| protection_status | string | optional | Protection status of the endpoint(s) |
| scan_type | string | optional | Type of the scan |
| schedule_id | string | optional | ID of the schedule |
| schedule_etag | string | optional | ETag of the schedule |
| job_id | string | optional | ID of the job originating this detection |
| domain_name | string | optional | Filter the search to the endpoints with the specified domain name |
| engine_version | string | optional | Filter the search to the endpoints with the specified engine version |
| last_user | string | optional | Last user that logged into the machine |
| last_user.keyword | string | optional | Last user that logged into the machine (exact match) |
| plugins.siem.reboot_reason | string | optional | Filter the search to the endpoints with the specified reboot reason, as reported by the SIEM plugin |
| plugins.siem.plugin_version | string | optional | Filter the search to the endpoints with the specified SIEM plugin version |
| plugins.browser_phishing_protection.plugin_version | string | optional | Filter the search to the endpoints with the specified Browser Phishing Protection plugin version |
| plugins.incident_response.reboot_reason | string | optional | Filter the search to the endpoints with the specified reboot reason, as reported by the IR plugin |
| plugins.incident_response.plugin_version | string | optional | Filter the search to the endpoints with the specified IR plugin version |
| plugins.endpoint_detection_response.reboot_reason | string | optional | Filter the search to the endpoints with the specified reboot reason, as reported by the EDR plugin |
| plugins.endpoint_detection_response.plugin_version | string | optional | Filter the search to the endpoints with the specified EDR plugin version |
| plugins.endpoint_protection.reboot_reason | string | optional | Filter the search to the endpoints with the specified reboot reason, as reported by the EP plugin |
| plugins.endpoint_protection.update_package_version | string | optional | Filter the search to the endpoints with the specified EP update package version |
| plugins.endpoint_protection.component_package_version | string | optional | Filter the search to the endpoints with the specified EP component package version |
| plugins.endpoint_protection.sdk_version | string | optional | Filter the search to the endpoints with the specified EP SDK version |
| plugins.endpoint_protection.plugin_version | string | optional | Filter the search to the endpoints with the specified EP plugin version |
| plugins.asset_manager.reboot_reason | string | optional | Filter the search to the endpoints with the specified reboot reason, as reported by the Asset Manager plugin |

Input example:

```json
{"group_by": "string", "page_size": 123, "next_cursor": "string", "protection_status": "active", "scan_type": "string", "schedule_id": "string", "schedule_etag": "string", "job_id": "string", "domain_name": "Example Name", "engine_version": "string", "last_user": "string", "last_user.keyword": "string", "plugins.siem.reboot_reason": "string", "plugins.siem.plugin_version": "string", "plugins.browser_phishing_protection.plugin_version": "string", "plugins.incident_response.reboot_reason": "string", "plugins.incident_response.plugin_version": "string", "plugins.endpoint_detection_response.reboot_reason": "string", "plugins.endpoint_detection_response.plugin_version": "string", "plugins.endpoint_protection.reboot_reason": "string", "plugins.endpoint_protection.update_package_version": "string", "plugins.endpoint_protection.component_package_version": "string", "plugins.endpoint_protection.sdk_version": "string", "plugins.endpoint_protection.plugin_version": "string", "plugins.asset_manager.reboot_reason": "string", "plugins.asset_manager.plugin_version": "string", "fully_qualified_host_name": "Example Name", "host_name": "Example Name", "os_info.os_release_name": "Example Name", "os_info.os_architecture": "string", "os_info.os_platform": "string", "os_info.os_version": "string", "os_info.os_type": "string", "nics.description": "string", "nics.mac_address": "string", "nics.ips": "string", "host_name.keyword": "Example Name", "fully_qualified_host_name.keyword": "Example Name", "engine_version.keyword": "string", "domain_name.keyword": "Example Name", "at_after": "string", "at_before": "string", "machine_name.keyword": "Example Name", "machine_name": "Example Name", "process_name.keyword": "Example Name", "process_name": "Example Name", "affected_application.keyword": "string", "affected_application": "string", "category": "string", "not_category": "string"}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| results | array | Result of the operation |
| results.file_name | string | Name of the resource |
| results.file | string | Result of the operation |
| next_cursor | string | Output field next_cursor |

Output example:

```json
{"status_code": 200, "reason": "OK", "json_body": {"results": [], "next_cursor": "string"}}
```

### Submit False Positive Request

Submits a false positive request to ThreatDown OneView API using detection IDs provided in the JSON body.

Endpoint URL: `nebula/v1/detections/submit-fp`

Method: POST

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| ids | array | optional | Array of detection IDs to mark as false positive |
| additional_info | string | optional | Additional information about the false positive |
| start_date | string | optional | The start date of the detection |
| end_date | string | optional | The end date of the detection |

Input example:

```json
{"ids": ["string"], "additional_info": "string", "start_date": "string", "end_date": "string"}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "reason": "OK", "json_body": {}}
```

## Response Headers

| Header | Description | Example |
|---|---|---|
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |
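As an added example (not the page's or the Swimlane connector's own code), the following Python drives the Search Detections action above end to end: it builds the client-credentials token request, sends only the filters that are actually set, pages through results with `next_cursor` (stopping if the API ever hands back a cursor already seen, so a misbehaving service cannot loop the workflow forever), and tallies detections that still have no `cleaned_at`. The Basic-auth token form, the `accountid` request header, the `transport` callable and every sample detection are assumptions or constructed data, not taken from the page.

```python
# Added example (not the connector's code). Assumed, not from the page: Basic-auth
# client-credentials token request and an "accountid" header on data requests.
import base64
import json
from collections import Counter
from typing import Callable, Dict, Iterator, Optional

# transport(method, url, headers, body) -> decoded JSON; a stand-in for an HTTP library
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], dict]

def token_request(token_url: str, client_id: str, client_secret: str, scope: str = "read"):
    """Build the client-credentials token request; the secret travels only in Basic auth."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return "POST", token_url, headers, f"grant_type=client_credentials&scope={scope}".encode()

def search_detections(transport: Transport, base_url: str, token: str, account_id: str,
                      criteria: Dict[str, Optional[str]], page_size: int = 100) -> Iterator[dict]:
    """Yield every matching detection, following next_cursor until the API stops returning one."""
    headers = {"Authorization": f"Bearer {token}", "accountid": account_id,
               "Content-Type": "application/json"}
    body = {k: v for k, v in criteria.items() if v is not None}  # send only filters that are set
    body["page_size"] = page_size
    seen_cursors = set()
    while True:
        resp = transport("POST", f"{base_url}/nebula/v1/detections", headers,
                         json.dumps(body).encode())
        yield from resp.get("detections", [])
        cursor = resp.get("next_cursor")
        if not cursor or cursor in seen_cursors:  # end of data, or a cursor that would loop forever
            return
        seen_cursors.add(cursor)
        body["next_cursor"] = cursor

def unremediated_by_threat(detections) -> Dict[str, int]:
    """Count detections per threat_name that carry no cleaned_at timestamp."""
    return dict(Counter(d["threat_name"] for d in detections if not d.get("cleaned_at")))

# Constructed sample responses keyed by the cursor the client sent (None = first page).
PAGES = {
    None: {"next_cursor": "c2", "detections": [
        {"id": "d-1", "threat_name": "Trojan.Generic", "machine_name": "ws-01",
         "cleaned_at": "2024-01-01T00:05:00Z"},
        {"id": "d-2", "threat_name": "Trojan.Generic", "machine_name": "ws-02", "cleaned_at": None}]},
    "c2": {"next_cursor": None, "detections": [
        {"id": "d-3", "threat_name": "PUP.Optional", "machine_name": "ws-03", "cleaned_at": None}]},
}

def fake_transport(method: str, url: str, headers: Dict[str, str], body: bytes) -> dict:
    """Offline stand-in for HTTP: checks the auth headers, then serves the requested page."""
    assert method == "POST" and headers["Authorization"].startswith("Bearer ")
    assert headers["accountid"]  # every data request must carry the account id
    return PAGES[json.loads(body).get("next_cursor")]

def demo():
    """Search with a date filter; the unset host_name filter is dropped before sending."""
    criteria = {"at_after": "2024-01-01T00:00:00Z", "host_name": None}
    found = list(search_detections(fake_transport, "https://api.malwarebytes.com", "constructed-token",
                                   "00000000-0000-0000-0000-000000000000", criteria, page_size=2))
    return found, unremediated_by_threat(found)
```

Swap `fake_transport` for a real HTTP call (and the token from `token_request` for the bearer value) to run it against the API; the cursor guard and filter pruning stay the same.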