ThreatDown OneView API
Malwarebytes connector

The ThreatDown OneView API connector facilitates automated interactions with ThreatDown's threat intelligence services, enabling efficient threat detection and management.

ThreatDown OneView API serves as a comprehensive threat detection and management tool, offering a robust API for exporting, searching, and managing detection data. By integrating with Swimlane Turbine, security teams can automate the extraction of detailed detection information, manage false positive reporting, and perform advanced searches with fine-grained filters. This connector streamlines the process of threat detection analysis and response, enhancing the efficiency and effectiveness of security operations.

## Limitations

OAuth2 client credentials authentication provides application-level access to Malwarebytes resources without user context. This form of authentication allows an application to make API requests on its own behalf using the client credentials flow.

With OAuth2 client credentials authentication, you can perform actions such as:

- Export detection data synchronously and asynchronously
- Search detections with advanced filtering and grouping
- Retrieve detailed detection information by ID
- Submit false positive requests with evidence
- Access comprehensive threat intelligence data

## Supported version

The Malwarebytes connector supports the following versions of the Malwarebytes API:

- OAuth 2.0 client credentials in Malwarebytes v1: fully supported for application-only authentication, used for requests where user authentication is not required (accessing detection data and threat intelligence).

## Configuration

### Prerequisites

To effectively utilize the ThreatDown OneView API connector with Swimlane Turbine, ensure you have the following prerequisites:

- OAuth2 client credentials authentication with the following parameters:
  - URL: endpoint for ThreatDown OneView API access
  - Client ID: unique identifier for OAuth2 authentication
  - Client Secret: confidential key for OAuth2 authentication
  - Token URL: endpoint to obtain OAuth2 tokens
  - Account ID: identifier for the user's account in ThreatDown OneView

### Authentication methods

- OAuth 2.0 client credentials authentication

### Setup instructions

You will need to sign up for a Malwarebytes Nebula account and generate client credentials. Once you have those, you will also need to obtain your Account ID. Follow the steps below:

1. Log into your Malwarebytes Nebula account.
2. Navigate to the Integrate section.
3. Generate your client credentials (Client ID and Client Secret).
4. Note your Account ID (UUID format) from your account settings.

You can find the Account ID in your Malwarebytes Nebula account settings or API configuration page.

### Document references

- Malwarebytes OAuth2 token documentation: https://api.malwarebytes.com/nebula/v1/docs#operation/api_oauth2_token

### Troubleshooting tips

- Note that client credentials are application-specific and should be kept secure.
- The access token obtained through the client credentials flow is valid for a limited time and will be automatically refreshed by the connector.

## Capabilities

- Export Detections
- Export Detections Asynchronously
- Get Detection by ID
- Search Detections
- Search Detections GroupBy
- Submit False Positive Request

### Export Detections

The Export Detections endpoint returns detection data in various formats (CSV, XLSX, HTML, ODS, TXT, RTF, JSON) with configurable field selection and filtering options. This endpoint allows for comprehensive data export with flexible query groups and field mapping.

More details can be found here: https://api.malwarebytes.com/nebula/v1/docs#operation/api_v2_nebula_post_export_detections

### Export Detections Asynchronously

The asynchronous export endpoint provides the same functionality as the synchronous export but processes large datasets in the background, returning an export job ID for tracking progress and download completion.

More details can be found here: https://api.malwarebytes.com/nebula/v1/docs#operation/api_v2_nebula_post_export_detections_async

### Get Detection by ID

The Get Detection by ID endpoint returns detailed information about a specific detection, including remediation status, related detections, and comprehensive metadata.

More details can be found here: https://api.malwarebytes.com/nebula/v1/docs#operation/api_v2_nebula_get_detections_id

### Search Detections

The Search Detections endpoint provides comprehensive search capabilities across detection events with advanced filtering, sorting, and pagination options. It supports extensive filtering by endpoint information, plugin data, threat characteristics, and temporal ranges.

More details can be found here: https://api.malwarebytes.com/nebula/v1/docs#operation/api_v2_nebula_search_detections

### Search Detections GroupBy

The Search Detections GroupBy endpoint enables analytics and grouping of detection data across various dimensions, providing aggregated insights and summary statistics for threat analysis and reporting.

More details can be found here: https://api.malwarebytes.com/nebula/v1/docs#operation/api_v2_nebula_search_detections_group

### Submit False Positive Request

The Submit False Positive Request endpoint allows security teams to report legitimate files or applications that have been incorrectly flagged as threats, facilitating continuous improvement of detection accuracy.

More details can be found here: https://api.malwarebytes.com/nebula/v1/docs#operation/api_v2_nebula_detections_submit_fp

## Configurations

### ThreatDown OneView API authentication

Authentication configuration for ThreatDown OneView API using OAuth2 client credentials.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| token url | | string | required |
| client id | The client ID | string | required |
| client secret | The client secret | string | required |
| accountid | Your Nebula account ID (UUID format) | string | required |
| scope | Permission scopes for this action | array | optional |
| verify ssl | Verify SSL certificate | boolean | optional |
| http proxy | A proxy to route requests through | string | optional |

## Actions

### Export Detections

Exports a list of detections from ThreatDown OneView API in the specified format, with options to select fields and filter by groups.

Endpoint URL: `oneview/v1/detections/export`

Method: POST

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| format | string | required | The output file format |
| download | boolean | optional | Whether to instruct the client to download the response as a file |
| type | string | optional | The encoding of the output |
| select | array | required | Which fields to select from the response |
| newfield | string | optional | The new value |
| field | string | required | The response field to map to a new value |
| groups | array | required | List of queries for filtering detections |
| name | string | optional | Name of the query group |
| account ids | array | required | List of account IDs to filter detections by |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {}
  }
]
```

### Export Detections Asynchronously

Initiates an asynchronous export of detection data from ThreatDown OneView API in the specified format, with options to select fields and filter by groups.

Endpoint URL: `nebula/v1/detections/export/async`

Method: POST

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| format | string | required | The output file format |
| download | boolean | optional | Whether to instruct the client to download the response as a file |
| type | string | optional | The encoding of the output |
| select | array | required | Which fields to select from the response |
| newfield | string | optional | The new value |
| field | string | required | The response field to map to a new value |
| groups | array | required | List of queries for filtering detections |
| name | string | optional | Name of the query group |
| account ids | array | required | List of account IDs to filter detections by |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {}
  }
]
```

### Get Detection by ID

Retrieves detailed information for a specific detection using its unique ID from ThreatDown OneView API.

Endpoint URL: `nebula/v1/detections/{{id}}`

Method: GET

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | required | The unique identifier of the detection to retrieve |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {}
  }
]
```

### Search Detections

Retrieves filtered detection results from ThreatDown OneView API using the criteria specified in the request body.

Endpoint URL: `nebula/v1/detections`

Method: POST

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| protection status | string | optional | Protection status of the endpoint(s) |
| scan type | string | optional | Type of the scan |
| schedule id | string | optional | ID of the schedule |
| schedule etag | string | optional | ETag of the schedule |
| job id | string | optional | ID of the job originating this detection |
| domain name | string | optional | Filter the search to the endpoints with the specified domain name |
| engine version | string | optional | Filter the search to the endpoints with the specified engine version |
| last user | string | optional | Last user that logged into the machine |
| last user keyword | string | optional | Last user that logged into the machine (exact match) |
| plugins siem reboot reason | string | optional | Filter the search to the endpoints with the specified reboot reason, as reported by the SIEM plugin |
| plugins siem plugin version | string | optional | Filter the search to the endpoints with the specified SIEM plugin version |
| plugins browser phishing protection plugin version | string | optional | Filter the search to the endpoints with the specified Browser Phishing Protection plugin version |
| plugins incident response reboot reason | string | optional | Filter the search to the endpoints with the specified reboot reason, as reported by the IR plugin |
| plugins incident response plugin version | string | optional | Filter the search to the endpoints with the specified IR plugin version |
| plugins endpoint detection response reboot reason | string | optional | Filter the search to the endpoints with the specified reboot reason, as reported by the EDR plugin |
| plugins endpoint detection response plugin version | string | optional | Filter the search to the endpoints with the specified EDR plugin version |
| plugins endpoint protection reboot reason | string | optional | Filter the search to the endpoints with the specified reboot reason, as reported by the EP plugin |
| plugins endpoint protection update package version | string | optional | Filter the search to the endpoints with the specified EP update package version |
| plugins endpoint protection component package version | string | optional | Filter the search to the endpoints with the specified EP component package version |
| plugins endpoint protection sdk version | string | optional | Filter the search to the endpoints with the specified EP SDK version |
| plugins endpoint protection plugin version | string | optional | Filter the search to the endpoints with the specified EP plugin version |
| plugins asset manager reboot reason | string | optional | Filter the search to the endpoints with the specified reboot reason, as reported by the Asset Manager plugin |
| plugins asset manager plugin version | string | optional | Filter the search to the endpoints with the specified Asset Manager plugin version |
| fully qualified host name | string | optional | Filter the search to the endpoints with the specified fully qualified host name |
| host name | string | optional | Filter the search to the endpoints with the specified host name |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| detections | array | Output field detections |
| id | string | Unique identifier |
| type | array | Type of the resource |
| status | string | Status value |
| path | string | Output field path |
| group id | string | Unique identifier |
| group | object | Output field group |
| is root detection | boolean | Output field is root detection |
| machine id | string | Unique identifier |
| account id | string | Unique identifier |
| detection id | string | Unique identifier |
| scanned at | string | Output field scanned at |
| scanned at offset seconds | number | Output field scanned at offset seconds |
| reported at | string | Output field reported at |
| resource created at | string | Output field resource created at |
| resource modified at | string | Output field resource modified at |
| threat name | string | Name of the resource |
| category | string | Output field category |
| action taken | string | Output field action taken |
| is rtp stream event | boolean | Output field is rtp stream event |
| process name | string | Name of the resource |
| cleaned at | string | Output field cleaned at |
| machine name | string | Name of the resource |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {
      "detections": [],
      "aggregations": {},
      "total_count": 0,
      "next_cursor": "eyjzdgfydf9pbmrleci6mtawfq=="
    }
  }
]
```

### Search Detections GroupBy

Performs a search for grouped detections in ThreatDown OneView API, with options to specify grouping and page size.

Endpoint URL: `nebula/v1/detections/search groupby`

Method: POST

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| group by | string | required | The group by field schema |
| page size | number | required | The size of the page |
| next_cursor | string | optional | Pagination cursor for the next set of results |
| protection status | string | optional | Protection status of the endpoint(s) |
| scan type | string | optional | Type of the scan |
| schedule id | string | optional | ID of the schedule |
| schedule etag | string | optional | ETag of the schedule |
| job id | string | optional | ID of the job originating this detection |
| domain name | string | optional | Filter the search to the endpoints with the specified domain name |
| engine version | string | optional | Filter the search to the endpoints with the specified engine version |
| last user | string | optional | Last user that logged into the machine |
| last user keyword | string | optional | Last user that logged into the machine (exact match) |
| plugins siem reboot reason | string | optional | Filter the search to the endpoints with the specified reboot reason, as reported by the SIEM plugin |
| plugins siem plugin version | string | optional | Filter the search to the endpoints with the specified SIEM plugin version |
| plugins browser phishing protection plugin version | string | optional | Filter the search to the endpoints with the specified Browser Phishing Protection plugin version |
| plugins incident response reboot reason | string | optional | Filter the search to the endpoints with the specified reboot reason, as reported by the IR plugin |
| plugins incident response plugin version | string | optional | Filter the search to the endpoints with the specified IR plugin version |
| plugins endpoint detection response reboot reason | string | optional | Filter the search to the endpoints with the specified reboot reason, as reported by the EDR plugin |
| plugins endpoint detection response plugin version | string | optional | Filter the search to the endpoints with the specified EDR plugin version |
| plugins endpoint protection reboot reason | string | optional | Filter the search to the endpoints with the specified reboot reason, as reported by the EP plugin |
| plugins endpoint protection update package version | string | optional | Filter the search to the endpoints with the specified EP update package version |
| plugins endpoint protection component package version | string | optional | Filter the search to the endpoints with the specified EP component package version |
| plugins endpoint protection sdk version | string | optional | Filter the search to the endpoints with the specified EP SDK version |
| plugins endpoint protection plugin version | string | optional | Filter the search to the endpoints with the specified EP plugin version |
| plugins asset manager reboot reason | string | optional | Filter the search to the endpoints with the specified reboot reason, as reported by the Asset Manager plugin |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| results | array | Result of the operation |
| file name | string | Name of the resource |
| file | string | Output field file |
| next_cursor | string | Output field next cursor |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {
      "results": [],
      "next_cursor": "string"
    }
  }
]
```

### Submit False Positive Request

Submits a false positive request to ThreatDown OneView API using the detection IDs provided in the JSON body.

Endpoint URL: `nebula/v1/detections/submit fp`

Method: POST

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| ids | array | required | Array of detection IDs to mark as false positive |
| additional info | string | optional | Additional information about the false positive |
| start date | string | optional | The start date of the detection |
| end date | string | optional | The end date of the detection |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {}
  }
]
```
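The client-credentials flow and the `next_cursor` pagination of Search Detections described above, as an added example that is not the connector's or Malwarebytes' own code. It assumes the token endpoint takes the client ID and secret via HTTP Basic auth, that the Account ID is sent as an `accountid` header, and that Search Detections accepts a `page_size` body field; the HTTP transport is injected so the example runs offline against a constructed fake.

```python
import base64
import time

class OneViewClient:
    # transport(method, url, headers, body) -> (status_code, json_body); injected so the example runs offline
    def __init__(self, url, token_url, client_id, client_secret, account_id, transport):
        self.url, self.token_url, self.transport = url.rstrip("/"), token_url, transport
        self.client_id, self.client_secret, self.account_id = client_id, client_secret, account_id
        self.token, self.expires_at = "", 0.0
    def headers(self):
        # Re-run the client-credentials grant when no token is held or it is within 30 s of expiry
        if not self.token or time.time() >= self.expires_at - 30:
            basic = base64.b64encode(f"{self.client_id}:{self.client_secret}".encode()).decode()
            status, body = self.transport("POST", self.token_url,
                                          {"Authorization": f"Basic {basic}"},  # ASSUMPTION: HTTP Basic
                                          {"grant_type": "client_credentials", "scope": "read"})
            if status != 200 or "access_token" not in body:
                raise RuntimeError(f"token request failed with status {status}")
            self.token = body["access_token"]
            self.expires_at = time.time() + float(body.get("expires_in", 3600))
        # ASSUMPTION: the Nebula account id is sent as an 'accountid' request header
        return {"Authorization": f"Bearer {self.token}", "accountid": self.account_id}
    def search_detections(self, filters, page_size=100):
        # POST nebula/v1/detections, resending next_cursor until the API returns an empty one
        found, cursor = [], ""
        while True:
            body = dict(filters, page_size=page_size, **({"next_cursor": cursor} if cursor else {}))
            status, resp = self.transport("POST", f"{self.url}/nebula/v1/detections", self.headers(), body)
            if status != 200:
                raise RuntimeError(f"search failed with status {status}")
            found.extend(resp.get("detections", []))
            cursor = resp.get("next_cursor") or ""
            if not cursor:
                return found

ACCOUNT = "00000000-0000-4000-8000-000000000001"  # constructed UUID, not a real account
PAGES = {"": ("c2", [{"id": "d1", "threat_name": "Test.Threat"}]),  # constructed two-page result set
         "c2": ("", [{"id": "d2", "threat_name": "Test.Threat"}])}
def fake_transport(method, url, headers, body):
    # Constructed stand-in for the API: issues one token, then serves PAGES keyed by next_cursor
    if url.endswith("/oauth2/token"):
        return 200, {"access_token": "tok-1", "expires_in": 3600}
    if headers.get("Authorization") != "Bearer tok-1" or headers.get("accountid") != ACCOUNT:
        return 401, {}
    nxt, dets = PAGES[body.get("next_cursor", "")]
    return 200, {"detections": dets, "aggregations": {}, "total_count": 2, "next_cursor": nxt}
def demo():
    client = OneViewClient("https://api.example.test", "https://api.example.test/oauth2/token",
                           "client-id", "client-secret", ACCOUNT, fake_transport)
    return client.search_detections({"host name": "ws01"})
```

`demo()` returns both pages merged; a wrong Account ID makes the fake return 401, which surfaces as a RuntimeError rather than a silent empty result.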