Threat

📘

Go straight to the API reference.

In the context of this API a "threat" refers to an actual threat to a device, such as (but not limited to): a DDoS attack,
C&C communication, suspicious host access, etc.

Supported properties

Supported calculations

Related entities

The threat entity can be filtered not only by its own properties (described previously), but also by the properties of its
related entities.

Device

When filtering a CVE by its related devices, it means that we consider only CVEs that are affecting the
matching devices.

📘

To learn more about the device entity, see the documentation page.

CVE

When filtering a threat by its related CVEs, it means that we consider only threats that are utilizing the
matching CVEs.

📘

To learn more about the cve entity, see the documentation page.

Explorer

You can play with the threat API directly in the explorer page in the management console.

Example use-cases

1. Which are the suspicious hosts that are communicating the most with mobile devices in the manufacturing industry? (explore)

/api/v1/threat/_search?groupBy=host&calculate=share&type[eq]=Suspicious Host&device.type[eq]=Mobile Phones&device.industry[eq]=Manufacturing

[
    {
        "host": "subsworker.bid",
        "share": 0.352
    },
    {
        "host": "msgr.com",
        "share": 0.1147
    },
    {
        "host": "208.100.26.245",
        "share": 0.0675
    },
    ...,
]

Enums and lists

Some fields that are available for filtering and grouping the threat entity are populated with a closed list of possible values, as described next: