Lastline Notification API

The Lastline Notification API is accessible at:

https://user.lastline.com/papi/notification/<function>

Methods

Method Documentation

notification.list_trigger_types(response_format)

Return the list of notification trigger types. These are the classes of events that can lead to a notification being sent.

URL

/papi/notification/list_trigger_types[.response_format]

response_format can be xml or json (defaults to json)

HTTP METHOD

GET

Contents of successful response

Dictionary mapping a “trigger_type_identifier” to:

  • trigger_type_name:

    Human-readable name of trigger type

  • trigger_category:

    High-level category of the trigger type

  • description:

    Human-readable description of the trigger type

The trigger_category can be:

  • network:

    For network events, such as a malware calling back to a command and control server.

  • mail:

    For email-related events, such as an email with a malicious attachment.

notification.list_notifications(response_format)

Return the currently-configured notifications

URL

/papi/notification/list_notifications[.response_format]

response_format can be xml or json (defaults to json)

HTTP METHOD

GET

Contents of successful response

List of notification configurations. Each holds:

  • notification_config_id:

    Identifier of this configuration, to be used for editing or deleting it.

  • key:

    access_key[:subkey] for which the notification is configured

  • max_daily_notifications:

    Maximum total notifications to send per day

  • timezone:

    Name of notification timezone

  • validity_interval_seconds:

    How long a notification is valid after being sent. We never send a lower impact notification for a host so long as a higher impact one is valid. A value of 0 disables this filtering.

  • enabled:

    0 or 1: whether this notification is enabled

  • triggers:

    Trigger configurations for this notification (see below)

  • notification_type:

    Type of notification. Valid values are “mail”, “siem”, “tippingpoint”, “httppost”, “slack”, “streaming” and the OpenDXL TIE type (“opendxl_tie”, matching its settings field and URL below). Each type carries its configuration in the matching *_settings field listed below.

  • mail_settings:

    for “mail” notification type, additional settings (see below)

  • siem_settings:

    for “siem” notification type, additional settings (see below)

  • tippingpoint_settings:

    for “tippingpoint” notification type, additional settings (see below)

  • httppost_settings:

    for “httppost” notification type, additional settings (see below)

  • slack_settings:

    for “slack” notification type, additional settings (see below)

  • streaming_settings:

    for streaming notification type, additional settings (see below)

  • opendxl_tie_settings:

    for the OpenDXL TIE notification type, which sends scored file information to a McAfee TIE server through OpenDXL broker(s); additional settings (see below)

The mail_settings field holds configuration for sending notifications by email. It is a dictionary with the following fields:

  • recipients:

    Comma-separated list of email recipients to which notifications will be sent. If not provided, defaults to the current user’s email address.

  • network_subject_template:

    If provided, use this instead of the default template for the email subject of notification emails sent for network events.

  • email_subject_template:

    If provided, use this instead of the default template for the email subject of notification emails sent for mail events.

  • appliance_subject_template:

    Template used to create the subject for notification emails for appliances.

  • audit_subject_template:

    Template used to create the subject for notification emails for audit events.

  • intelligence_rule_match_subject_template:

    Template used to create the subject for notification emails for intelligence rule match events.

  • intrusion_subject_template:

    If provided, use this instead of the default template for the subject of notification emails sent for intrusion events.

  • network_ioc_feed_subject_template:

    Template used to create the subject for notification emails for network IoC feed entries

The httppost_settings field holds configuration for sending generic HTTP POST requests. It is a dictionary with the following fields:

  • protocol:

    Protocol to be used for sending the POST request (HTTP or HTTPS)

  • host:

    Host the POST request will be sent to

  • port:

    Port the POST request will be sent to

  • path:

    Path section of the url

  • verify_ssl:

    Boolean specifying whether or not to verify the SSL certificate for HTTPS requests. Leave this enabled outside of test setups: with verification disabled, anyone able to interpose on the path to host can read or redirect the notifications.

  • http_proxy:

    Boolean specifying whether or not to send the request through an HTTP proxy

  • proxy:

    Boolean specifying whether or not we want the POST request to be proxied through a sensor

  • body_format:

    Format of the body of the POST requests (currently JSON or XML)

  • backend_only:

    Boolean specifying whether the notification is to be sent from the backend

  • include_pcap:

    Whether to include pcap information inside the notification for network events

The next fields are present only if default_proxy_subkey_id has been set:

  • default_proxy_access_key_id:

    default proxy sensor access_key_id to be used for sending http post notifications for hosted customers

  • default_proxy_subkey_id:

    default proxy sensor subkey_id to be used for sending http post notifications for hosted customers

  • default_proxy_key:

    key:default_proxy_key for which notification is configured

The slack_settings field holds configuration for sending Slack notifications. It is a dictionary with the following fields:

  • url:

    The incoming webhook URL to which messages are posted to Slack. The URL is the only credential for the channel: anyone who obtains it can post there, so treat it like a secret and rotate it if it leaks.

  • verify_ssl:

    Boolean specifying whether or not to verify the SSL certificate when posting to the Slack webhook

  • http_proxy:

    Boolean specifying whether or not to send the request through an HTTP proxy

  • proxy:

    Boolean specifying whether or not we want the POST request to be proxied through a sensor

  • backend_only:

    Boolean specifying whether the notification is to be sent from the backend

The next fields are present only if default_proxy_subkey_id has been set:

  • default_proxy_access_key_id:

    default proxy sensor access_key_id to be used for sending Slack notifications for hosted customers

  • default_proxy_subkey_id:

    default proxy sensor subkey_id to be used for sending Slack notifications for hosted customers

  • default_proxy_key:

    key:default_proxy_key for which notification is configured

The siem_settings field holds configuration for sending notifications as syslog messages to a SIEM. It is a dictionary with the following fields:

  • host:

    Hostname or IP address of the SIEM appliance the messages are sent to. With proxy=1 the address must be reachable from the sensor; with proxy=0 it must be reachable from the manager, which then sends the messages on behalf of all sensors.

  • port:

    Port to which the manager or sensor sends the SIEM syslog messages for the associated appliance

  • origin_host:

    Hostname that appears in the prefix of the syslog message (e.g. “12-12-12 01:23:24 origin_host siem_message”)

  • proxy:

    Boolean specifying whether the SIEM messages originate from the sensor they are associated with (True) or from the Manager (False). This value is always True when the messages originate from the Lastline backend and always False on a Previct-all-in-one; for any other installation it is up to the user.

  • backend_only:

    Boolean specifying whether the notification is to be sent from the backend

  • include_pcap:

    Whether to include pcap information inside the notification for network events

  • transport:

    Transport protocol, “TCP” or “UDP”.

The next fields are present only if default_proxy_subkey_id has been set:

  • default_proxy_access_key_id:

    default proxy sensor access_key_id to be used for sending siem notifications for hosted customers

  • default_proxy_subkey_id:

    default proxy sensor subkey_id to be used for sending siem notifications for hosted customers

  • default_proxy_key:

    key:default_proxy_key for which notification is configured

The tippingpoint_settings field holds configuration for sending notifications to an HP Tipping Point Security Management System (SMS). It is a dictionary with the following fields:

  • sms_server:

    IP or hostname of the HP Tipping Point SMS server.

  • sms_server_port:

    TCP port to use to connect to the HP Tipping Point SMS server.

  • protocol:

    HTTP or HTTPS: protocol to use to connect to the HP Tipping Point SMS server.

  • smsuser:

    Username to use to connect to the HP Tipping Point SMS server.

The streaming_settings field holds configuration for sending streaming notifications:

  • channel_key:

    Identifier of the streaming notification channel

  • notification_name:

    Name given to this streaming notification

  • include_pcap:

    Whether to include pcap information inside the notification for network events

  • stream_url:

    HTTPS URL where the event notification stream can be accessed

The opendxl_tie_settings field holds the configuration used to interact with McAfee OpenDXL broker(s) to set TIE file reputations. The four *_hash fields identify which uploaded resources are currently stored (useful to confirm what a copy_opendxl_config_id copy picked up); MD5 serves as an identifier here, not as protection against tampering.

  • private_key_hash:

    The MD5 hash of the stored private key for the client that will be communicating with the OpenDXL broker(s).

  • client_certificate_hash:

    The MD5 hash of the client certificate used to authenticate the client with the OpenDXL stack.

  • broker_properties_hash:

    The MD5 hash of the list of broker properties stored.

  • broker_ca_bundle_hash:

    The MD5 hash of the list of trusted broker certificates.

  • proxy:

    Boolean specifying whether the TIE reputation messages originate from the Sensor the notification is associated with (True) or from the Manager (False). This value is always True when the notifications originate from the Lastline backend and always False on a Pinbox; for any other installation it is up to the user.

The triggers field holds the configuration that is specific to each trigger type. A trigger type is the type of trigger (event) for which we are configuring notifications. A trigger type is identified by a trigger_type_identifier, as returned by list_trigger_types().

The triggers field is a dictionary mapping the trigger_type_identifier to the following settings:

  • threshold:

    Below this impact threshold (0-100) no notifications will be sent

  • max_daily_notifications:

    Maximum number of notifications per day for this trigger type

  • src_min_interval_seconds:

    For trigger types related to network events: minimum number of seconds between notifications for a given host in the protected network.
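The fields above are what a reviewer has to read through when checking that existing notification channels are sound. The following is an added example, not Lastline code: it audits an already-parsed list_notifications response for disabled configurations, channels without transport protection (plain HTTP, or HTTPS with verify_ssl off), UDP syslog, an empty recipients list (which falls back to the creating user's address), and triggers with no volume limit at all. The response envelope is not documented on this page, so the input is taken to be the bare list of configurations documented above; SAMPLE_RESPONSE is constructed data and the trigger identifier "network_cnc" is hypothetical (real identifiers come from list_trigger_types).

```python
"""Audit list_notifications output for settings a security reviewer would question.

Added example, not Lastline code. Input is the bare list of configurations
documented for list_notifications (the envelope is not described on the page).
"""
import json
from urllib.parse import urlparse

# Constructed sample shaped after the documented fields; "network_cnc" is a
# hypothetical trigger_type_identifier.
SAMPLE_RESPONSE = json.loads("""
[
 {"notification_config_id": 11, "key": "0123456789ABCDEF:1", "enabled": 1,
  "timezone": "UTC", "max_daily_notifications": 0, "validity_interval_seconds": 0,
  "notification_type": "httppost",
  "httppost_settings": {"protocol": "HTTP", "host": "collector.corp.example",
    "port": 8080, "path": "/lastline", "verify_ssl": false, "http_proxy": false,
    "proxy": false, "body_format": "JSON", "backend_only": false, "include_pcap": true},
  "triggers": {"network_cnc": {"threshold": 0, "max_daily_notifications": 0,
    "src_min_interval_seconds": 0}}},
 {"notification_config_id": 12, "key": "0123456789ABCDEF", "enabled": 0,
  "timezone": "UTC", "max_daily_notifications": 50, "validity_interval_seconds": 3600,
  "notification_type": "slack",
  "slack_settings": {"url": "https://hooks.slack.com/services/T000/B000/XXXX",
    "verify_ssl": false, "http_proxy": false, "proxy": false, "backend_only": false},
  "triggers": {"network_cnc": {"threshold": 70, "max_daily_notifications": 20,
    "src_min_interval_seconds": 600}}},
 {"notification_config_id": 13, "key": "0123456789ABCDEF:2", "enabled": 1,
  "timezone": "UTC", "max_daily_notifications": 0, "validity_interval_seconds": 0,
  "notification_type": "siem",
  "siem_settings": {"host": "siem.corp.example", "port": 514, "origin_host": "lastline-mgr",
    "proxy": true, "backend_only": false, "include_pcap": false, "transport": "UDP"},
  "triggers": {"network_cnc": {"threshold": 70, "max_daily_notifications": 0,
    "src_min_interval_seconds": 0}}},
 {"notification_config_id": 14, "key": "0123456789ABCDEF:1", "enabled": 1,
  "timezone": "Europe/Berlin", "max_daily_notifications": 100, "validity_interval_seconds": 3600,
  "notification_type": "mail",
  "mail_settings": {"recipients": ""},
  "triggers": {"network_cnc": {"threshold": 50, "max_daily_notifications": 20,
    "src_min_interval_seconds": 600}}}
]
""")


def audit_config(cfg):
    """Return findings ({notification_config_id, code, detail}) for one configuration."""
    cid = cfg["notification_config_id"]
    findings = []

    def flag(code, detail):
        findings.append({"notification_config_id": cid, "code": code, "detail": detail})

    if not cfg.get("enabled", 0):
        flag("disabled", "configuration exists but will never send anything")

    ntype = cfg.get("notification_type")
    if ntype == "httppost":
        s = cfg.get("httppost_settings", {})
        if str(s.get("protocol", "")).upper() != "HTTPS":
            flag("cleartext_transport", f"POST to {s.get('host')}:{s.get('port')} over plain HTTP")
            if s.get("include_pcap"):
                flag("pcap_over_cleartext", "pcap data travels in the clear with each network notification")
        elif not s.get("verify_ssl", False):
            flag("verify_ssl_disabled", "HTTPS without certificate verification can be intercepted")
    elif ntype == "slack":
        s = cfg.get("slack_settings", {})
        if urlparse(s.get("url", "")).scheme != "https":
            flag("cleartext_transport", "Slack webhook URL is not https")
        elif not s.get("verify_ssl", False):
            flag("verify_ssl_disabled", "webhook posted without certificate verification")
    elif ntype == "siem":
        s = cfg.get("siem_settings", {})
        if str(s.get("transport", "")).upper() == "UDP":
            flag("udp_syslog", "UDP syslog is unauthenticated and gives no delivery guarantee")
    elif ntype == "mail":
        s = cfg.get("mail_settings", {})
        if not (s.get("recipients") or "").strip():
            flag("recipients_default_user", "recipients empty: mail goes to whoever created the configuration")

    # No global daily cap plus a trigger with threshold 0 and no per-trigger cap
    # means every event of that type produces a notification.
    if not cfg.get("max_daily_notifications", 0):
        for name, t in (cfg.get("triggers") or {}).items():
            if not t.get("threshold", 0) and not t.get("max_daily_notifications", 0):
                flag("unbounded_volume", f"trigger {name}: threshold 0 and no daily cap")
    return findings


def audit_notifications(configs):
    findings = []
    for cfg in configs:
        findings.extend(audit_config(cfg))
    return findings


if __name__ == "__main__":
    for f in audit_notifications(SAMPLE_RESPONSE):
        print(f"config {f['notification_config_id']}: {f['code']} - {f['detail']}")
```

The checks deliberately stop at what the documented fields let you decide; whether a given threshold is too low for your environment depends on the trigger type and is left to the reader.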

notification.add_mail_notification(response_format)

Add a new configuration for sending notifications by email

URL

/papi/notification/add/mail[.response_format]

response_format can be xml or json (defaults to json)

HTTP METHOD

POST

POST Parameters

  • key:

    License key for which to send notifications. May include sensor subkey with format key:subkey. May be set to * to match all licenses.

  • access_key_id:

    License identifier, can be provided in alternative to key.

  • access_key_only:

    Boolean. This configuration should only match on licenses without a subkey. This has to be used to select the license of a manager without selecting all sensors with the same license. Requires administrator permissions (default False).

  • subkey_id:

    Sensor identifier, can be provided, together with access_key_id, in alternative to key.

  • timezone:

    Name of timezone of notifications sent.

  • enabled:

    Boolean. Is this notification enabled (default True)

  • max_daily_notifications:

    Maximum total number of notifications to be sent per day. Set to 0 for unlimited. (required)

  • validity_interval_seconds:

    How long a notification is valid after being sent. We never send a lower impact notification for a host so long as a higher impact one is valid. Set to 0 to disable this filtering (required).

  • recipients:

    Comma-separated list of email recipients to which notifications will be sent. If not provided, defaults to the current user’s email address.

  • network_subject_template:

    If provided, use this instead of the default template for notifications of network events.

  • email_subject_template:

    If provided, use this instead of the default template for notifications of mail events.

  • appliance_subject_template:

    If provided, use this instead of the default template for the email subject of notification emails sent for appliances.

  • audit_subject_template:

    If provided, use this instead of the default template for the email subject of notification emails sent for audit events.

  • intelligence_rule_match_subject_template:

    If provided, use this instead of the default template for the subject of notification emails sent for intelligence rule match events.

  • intrusion_subject_template:

    If provided, use this instead of the default template for the subject of notification emails sent for intrusion events.

  • network_ioc_feed_subject_template:

    If provided, use this instead of the default template for the subject of notification emails sent for network IoC feed entries.

  • triggers:

    Trigger configurations for this notification (see below)

The triggers field holds the configuration that is specific to each trigger type. A trigger type is the type of trigger (event) for which we are configuring notifications. A trigger type is identified by a trigger_type_identifier, as returned by list_trigger_types().

The triggers field is a dictionary mapping the trigger_type_identifier to the following settings:

  • threshold:

    Below this impact threshold (0-100) no notifications will be sent

  • max_daily_notifications:

    Maximum number of notifications per day for this trigger type

  • src_min_interval_seconds:

    For trigger types related to network events: minimum number of seconds between notifications for a given host in the protected network.

Contents of successful response

  • notification_config_id:

    identifier of new notification configuration
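The threshold, max_daily_notifications, src_min_interval_seconds and validity_interval_seconds settings above interact, and it is easy to configure a combination that silently drops the alert you care about. The following is an added example, not Lastline code: a simulation of the documented suppression rules run over a constructed event stream, reporting for each event whether it would be sent and, if not, which rule stopped it. It reads the rules as: impact below the trigger threshold is dropped; while a higher-impact notification for the same host is still valid, lower-impact ones for that host are dropped; a host gets at most one notification per trigger type per src_min_interval_seconds; then the per-trigger and global daily caps apply, with 0 meaning unlimited. The trigger identifiers "network_cnc" and "mail_attachment" are hypothetical, and days are counted in UTC rather than in the configured timezone.

```python
"""Simulation of the documented notification suppression rules.

Added example, not Lastline code and not a call to the API. Trigger
identifiers are hypothetical; days are counted in UTC for simplicity.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

DAY = 86400


@dataclass
class Event:
    ts: int               # unix time in seconds
    trigger: str          # trigger_type_identifier
    impact: int           # 0-100
    host: Optional[str]   # protected-network host; None for non-network events


@dataclass
class NotificationFilter:
    triggers: Dict[str, dict]
    max_daily_notifications: int = 0     # 0 = unlimited
    validity_interval_seconds: int = 0   # 0 = no higher-impact suppression
    _day: int = field(default=-1, init=False)
    _sent_total: int = field(default=0, init=False)
    _sent_per_trigger: Dict[str, int] = field(default_factory=dict, init=False)
    _last_sent: Dict[Tuple[str, str], int] = field(default_factory=dict, init=False)
    _valid: Dict[str, Tuple[int, int]] = field(default_factory=dict, init=False)  # host -> (impact, expiry)

    def _roll_day(self, ts: int) -> None:
        day = ts // DAY
        if day != self._day:
            self._day, self._sent_total, self._sent_per_trigger = day, 0, {}

    def consider(self, ev: Event) -> Tuple[bool, str]:
        """Return (sent, reason) for one event, updating counters when it is sent."""
        self._roll_day(ev.ts)
        cfg = self.triggers.get(ev.trigger)
        if cfg is None:
            return False, "trigger_not_configured"
        if ev.impact < cfg.get("threshold", 0):
            return False, "below_threshold"
        if ev.host is not None:
            if self.validity_interval_seconds:
                valid = self._valid.get(ev.host)
                if valid and ev.ts < valid[1] and ev.impact < valid[0]:
                    return False, "higher_impact_notification_still_valid"
            min_iv = cfg.get("src_min_interval_seconds", 0)
            last = self._last_sent.get((ev.trigger, ev.host))
            if min_iv and last is not None and ev.ts - last < min_iv:
                return False, "src_min_interval"
        cap = cfg.get("max_daily_notifications", 0)
        if cap and self._sent_per_trigger.get(ev.trigger, 0) >= cap:
            return False, "trigger_daily_cap"
        if self.max_daily_notifications and self._sent_total >= self.max_daily_notifications:
            return False, "global_daily_cap"
        # Passed every rule: record the send.
        self._sent_total += 1
        self._sent_per_trigger[ev.trigger] = self._sent_per_trigger.get(ev.trigger, 0) + 1
        if ev.host is not None:
            self._last_sent[(ev.trigger, ev.host)] = ev.ts
            if self.validity_interval_seconds:
                self._valid[ev.host] = (ev.impact, ev.ts + self.validity_interval_seconds)
        return True, "sent"


# Constructed event stream: two CnC bursts from one host, a second and third
# host, two mail events, then one event on the following day.
SAMPLE_EVENTS = [
    Event(1000, "network_cnc", 90, "10.0.0.5"),
    Event(1100, "network_cnc", 95, "10.0.0.5"),
    Event(1800, "network_cnc", 60, "10.0.0.5"),
    Event(1800, "network_cnc", 80, "10.0.0.5"),
    Event(2000, "network_cnc", 75, "10.0.0.9"),
    Event(3000, "network_cnc", 99, "10.0.0.12"),
    Event(3100, "mail_attachment", 55, None),
    Event(3200, "mail_attachment", 100, None),
    Event(90000, "mail_attachment", 60, None),
]


def run_sample():
    """Outcome per event for a configuration with tight caps."""
    nf = NotificationFilter(
        triggers={
            "network_cnc": {"threshold": 70, "max_daily_notifications": 2, "src_min_interval_seconds": 600},
            "mail_attachment": {"threshold": 50, "max_daily_notifications": 5},
        },
        max_daily_notifications=3,
        validity_interval_seconds=3600,
    )
    return [nf.consider(ev)[1] for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for ev, outcome in zip(SAMPLE_EVENTS, run_sample()):
        print(f"{ev.ts:>6} {ev.trigger:<16} impact={ev.impact:<3} host={ev.host}: {outcome}")
```

Note the sixth event: the highest-impact event of the day is dropped by the per-trigger daily cap because two lower-impact events already consumed it. Daily caps protect inboxes, not detection coverage; keep them high enough that a busy day does not exhaust them before the event that matters.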

notification.edit_mail_notification(response_format)

Edit an existing configuration for sending notifications by email. All parameters must be supplied again: they do not default to the current values of the configuration being edited, so any parameter left out is reset.

URL

/papi/notification/edit/mail[.response_format]

response_format can be xml or json (defaults to json)

HTTP METHOD

POST

POST Parameters

  • notification_config_id:

    Identifier of configuration to edit, as returned by list_notifications() (required)

  • key:

    License key for which to send notifications. May include sensor subkey with format key:subkey. May be set to * to match all licenses.

  • access_key_id:

    License identifier, can be provided in alternative to key.

  • access_key_only:

    Boolean. This configuration should only match on licenses without a subkey. This has to be used to select the license of a manager without selecting all sensors with the same license. Requires administrator permissions (default False).

  • subkey_id:

    Sensor identifier, can be provided, together with access_key_id, in alternative to key.

  • timezone:

    Name of timezone of notifications sent.

  • enabled:

    Boolean. Is this notification enabled (default True)

  • max_daily_notifications:

    Maximum total number of notifications to be sent per day. Set to 0 for unlimited. (required)

  • validity_interval_seconds:

    How long a notification is valid after being sent. We never send a lower impact notification for a host so long as a higher impact one is valid. Set to 0 to disable this filtering (required).

  • recipients:

    Comma-separated list of email recipients to which notifications will be sent. If not provided, defaults to the current user’s email address.

  • network_subject_template:

    If provided, use this instead of the default template for notifications of network events.

  • email_subject_template:

    If provided, use this instead of the default template for notifications of mail events.

  • appliance_subject_template:

    If provided, use this instead of the default template for the email subject of notification emails sent for appliances.

  • audit_subject_template:

    If provided, use this instead of the default template for the email subject of notification emails sent for audit events.

  • intelligence_rule_match_subject_template:

    If provided, use this instead of the default template for the subject of notification emails sent for intelligence rule match events.

  • intrusion_subject_template:

    If provided, use this instead of the default template for the subject of notification emails sent for intrusion events.

  • network_ioc_feed_subject_template:

    If provided, use this instead of the default template for the subject of notification emails sent for network IoC feed entries.

  • triggers:

    Trigger configurations for this notification (see below)

The triggers field holds the configuration that is specific to each trigger type. A trigger type is the type of trigger (event) for which we are configuring notifications. A trigger type is identified by a trigger_type_identifier, as returned by list_trigger_types().

The triggers field is a dictionary mapping the trigger_type_identifier to the following settings:

  • threshold:

    Below this impact threshold (0-100) no notifications will be sent

  • max_daily_notifications:

    Maximum number of notifications per day for this trigger type

  • src_min_interval_seconds:

    For trigger types related to network events: minimum number of seconds between notifications for a given host in the protected network.

Contents of successful response

  • notification_config_id:

    identifier of modified notification configuration
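Because edit_mail_notification takes every parameter afresh, the safe way to change one setting is to start from the configuration as list_notifications returns it and overlay only the change. The following is an added example, not Lastline's own client, covering both add_mail_notification and edit_mail_notification: it builds the form bodies for the two requests and derives an edit request from an existing configuration so that templates, triggers and the validity interval are re-sent rather than silently reset. Nothing is sent. It assumes that the triggers dictionary travels as a JSON string inside the form body, that booleans are sent as 0/1, and that list_notifications returns the bare list documented above; EXISTING is constructed data and "network_cnc" is a hypothetical trigger identifier.

```python
"""Form bodies for add_mail_notification and edit_mail_notification.

Added example, not Lastline's client; sends nothing. Assumes triggers are
sent as a JSON string, booleans as 0/1, and list_notifications returns the
bare list of configurations documented on the page.
"""
import json
from urllib.parse import parse_qs, urlencode

BASE = "https://user.lastline.com/papi/notification"

MAIL_TEMPLATE_FIELDS = (
    "network_subject_template", "email_subject_template", "appliance_subject_template",
    "audit_subject_template", "intelligence_rule_match_subject_template",
    "intrusion_subject_template", "network_ioc_feed_subject_template",
)

# One element of a list_notifications response (constructed).
EXISTING = {
    "notification_config_id": 14, "key": "0123456789ABCDEF:1", "timezone": "Europe/Berlin",
    "enabled": 1, "max_daily_notifications": 100, "validity_interval_seconds": 3600,
    "notification_type": "mail",
    "mail_settings": {"recipients": "soc@example.com",
                      "network_subject_template": "[Lastline] network event"},
    "triggers": {"network_cnc": {"threshold": 50, "max_daily_notifications": 20,
                                 "src_min_interval_seconds": 600}},
}


def _form_body(params):
    """application/x-www-form-urlencoded body: None values omitted, booleans as 0/1,
    the triggers dictionary as a JSON string."""
    body = {}
    for name, value in params.items():
        if value is None:
            continue
        if isinstance(value, bool):
            value = int(value)
        elif isinstance(value, dict):
            value = json.dumps(value, sort_keys=True)
        body[name] = value
    return urlencode(body)


def decode_form_body(body):
    """Inverse of _form_body, for inspecting what would be sent."""
    decoded = {name: values[0] for name, values in parse_qs(body).items()}
    if "triggers" in decoded:
        decoded["triggers"] = json.loads(decoded["triggers"])
    return decoded


def add_mail_request(key, recipients, triggers, max_daily_notifications,
                     validity_interval_seconds, timezone="UTC", enabled=True, **templates):
    """(url, body) for add_mail_notification; templates are the *_subject_template fields."""
    unknown = set(templates) - set(MAIL_TEMPLATE_FIELDS)
    if unknown:
        raise ValueError(f"unknown subject template fields: {sorted(unknown)}")
    params = {
        "key": key, "recipients": recipients, "triggers": triggers,
        "max_daily_notifications": max_daily_notifications,
        "validity_interval_seconds": validity_interval_seconds,
        "timezone": timezone, "enabled": enabled, **templates,
    }
    return f"{BASE}/add/mail.json", _form_body(params)


def edit_mail_request(existing, **changes):
    """(url, body) for edit_mail_notification: every current value is re-sent, with
    `changes` overlaid, so that nothing is reset by omission."""
    if existing.get("notification_type") != "mail":
        raise ValueError("edit_mail_request only handles mail configurations")
    mail = existing.get("mail_settings", {})
    params = {
        "notification_config_id": existing["notification_config_id"],
        "key": existing["key"],
        "timezone": existing.get("timezone"),
        "enabled": bool(existing.get("enabled", 1)),
        "max_daily_notifications": existing.get("max_daily_notifications", 0),
        "validity_interval_seconds": existing.get("validity_interval_seconds", 0),
        "recipients": mail.get("recipients"),
        "triggers": existing.get("triggers", {}),
    }
    for name in MAIL_TEMPLATE_FIELDS:
        params[name] = mail.get(name)
    unknown = set(changes) - set(params)
    if unknown:
        raise ValueError(f"unknown parameters: {sorted(unknown)}")
    params.update(changes)
    return f"{BASE}/edit/mail.json", _form_body(params)


if __name__ == "__main__":
    url, body = edit_mail_request(EXISTING, recipients="soc@example.com,ir@example.com")
    print(url)
    print(decode_form_body(body))
```

The same pattern applies to the other edit methods on this page: fetch, overlay, re-send the whole parameter set. Sending a bare {notification_config_id, recipients} pair would succeed and quietly drop every subject template and trigger threshold the configuration had.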

notification.add_httppost_notification(response_format)

Add a new configuration for sending notifications by HTTP POST requests

URL

/papi/notification/add/httppost[.response_format]

response_format can be xml or json (defaults to json)

HTTP METHOD

POST

POST Parameters

  • key:

    License key for which to send notifications. May include sensor subkey with format key:subkey. May be set to * to match all licenses.

  • access_key_id:

    License identifier, can be provided in alternative to key.

  • access_key_only:

    Boolean. This configuration should only match on licenses without a subkey. This has to be used to select the license of a manager without selecting all sensors with the same license. Requires administrator permissions (default False).

  • subkey_id:

    Sensor identifier, can be provided, together with access_key_id, in alternative to key.

  • timezone:

    Name of timezone of notifications sent.

  • enabled:

    Boolean. Is this notification enabled (default True)

  • max_daily_notifications:

    Maximum total number of notifications to be sent per day. Set to 0 for unlimited. (required)

  • validity_interval_seconds:

    How long a notification is valid after being sent. We never send a lower impact notification for a host so long as a higher impact one is valid. Set to 0 to disable this filtering (required).

  • protocol:

    Protocol to be used for sending the POST request (HTTP or HTTPS)

  • host:

    Host the POST request will be sent to

  • port:

    Port the POST request will be sent to

  • path:

    Path section of the url

  • verify_ssl:

    Boolean specifying whether or not to verify the SSL certificate for HTTPS requests

  • http_proxy:

    Boolean specifying whether or not to send the request through an HTTP proxy

  • proxy:

    Boolean specifying whether or not we want the POST request to be proxied through a sensor

  • body_format:

    The format of the body of the request (JSON or XML)

  • triggers:

    Trigger configurations for this notification (see below)

  • default_proxy_subkey_id:

    Specify a sensor to proxy notifications for hosted customers

  • backend_only:

    Boolean. This configuration is used for the “no license selected” case, needed for configuring notifications from the hosted backend. Requires administrator permissions (default False)

  • include_pcap:

    Whether to include pcap information inside the notification for network events. This parameter is available for Lastline Enterprise and Analyst On-Premise versions >= 7.5.

The triggers field holds the configuration that is specific to each trigger type. A trigger type is the type of trigger (event) for which we are configuring notifications. A trigger type is identified by a trigger_type_identifier, as returned by list_trigger_types().

The triggers field is a dictionary mapping the trigger_type_identifier to the following settings:

  • threshold:

    Below this impact threshold (0-100) no notifications will be sent

  • max_daily_notifications:

    Maximum number of notifications per day for this trigger type

  • src_min_interval_seconds:

    For trigger types related to network events: minimum number of seconds between notifications for a given host in the protected network.

Contents of successful response

  • notification_config_id:

    identifier of new notification configuration

notification.edit_httppost_notification(response_format)

Edit an existing configuration for sending notifications by HTTP POST request. All parameters must be supplied again: they do not default to the current values of the configuration being edited, so any parameter left out is reset.

URL

/papi/notification/edit/httppost[.response_format]

response_format can be xml or json (defaults to json)

HTTP METHOD

POST

POST Parameters

  • notification_config_id:

    Identifier of configuration to edit, as returned by list_notifications() (required)

  • key:

    License key for which to send notifications. May include sensor subkey with format key:subkey. May be set to * to match all licenses.

  • access_key_id:

    License identifier, can be provided in alternative to key.

  • access_key_only:

    Boolean. This configuration should only match on licenses without a subkey. This has to be used to select the license of a manager without selecting all sensors with the same license. Requires administrator permissions (default False).

  • subkey_id:

    Sensor identifier, can be provided, together with access_key_id, in alternative to key.

  • timezone:

    Name of timezone of notifications sent.

  • enabled:

    Boolean. Is this notification enabled (default True)

  • max_daily_notifications:

    Maximum total number of notifications to be sent per day. Set to 0 for unlimited. (required)

  • validity_interval_seconds:

    How long a notification is valid after being sent. We never send a lower impact notification for a host so long as a higher impact one is valid. Set to 0 to disable this filtering (required).

  • protocol:

    Protocol to be used for sending the POST request (HTTP or HTTPS)

  • host:

    Host the POST request will be sent to

  • port:

    Port the POST request will be sent to

  • path:

    Path section of the url

  • verify_ssl:

    Boolean specifying whether or not to verify the SSL certificate for HTTPS requests

  • http_proxy:

    Boolean specifying whether or not to send the request through an HTTP proxy

  • proxy:

    Boolean specifying whether or not we want the POST request to be proxied through a sensor

  • body_format:

    The format of the body of the request (JSON or XML)

  • triggers:

    Trigger configurations for this notification (see below)

  • default_proxy_subkey_id:

    Specify a sensor to proxy notifications for hosted customers

  • backend_only:

    Boolean. This configuration is used for the “no license selected” case, needed for configuring notifications from the hosted backend. Requires administrator permissions (default False)

  • include_pcap:

    Whether to include pcap information inside the notification for network events. This parameter is available for Lastline Enterprise and Analyst On-Premise versions >= 7.5.

The triggers field holds the configuration that is specific to each trigger type. A trigger type is the type of trigger (event) for which we are configuring notifications. A trigger type is identified by a trigger_type_identifier, as returned by list_trigger_types().

The triggers field is a dictionary mapping the trigger_type_identifier to the following settings:

  • threshold:

    Below this impact threshold (0-100) no notifications will be sent

  • max_daily_notifications:

    Maximum number of notifications per day for this trigger type

  • src_min_interval_seconds:

    For trigger types related to network events: minimum number of seconds between notifications for a given host in the protected network.

Contents of successful response

  • notification_config_id:

    identifier of modified notification configuration

notification.opendxl_tie.add_opendxl_tie_notification(response_format)

Add a new configuration for sending McAfee TIE Reputation messages to OpenDXL broker(s).

URL

/papi/notification/add/opendxl_tie[.response_format]

response_format can be xml or json (defaults to json)

HTTP METHOD

POST

POST Parameters

  • key:

    License key for which to send notifications. May include sensor subkey with format key:subkey. May be set to * to match all licenses.

  • access_key_id:

    License identifier, can be provided in alternative to key.

  • subkey_id:

    Sensor identifier, can be provided, together with access_key_id, in alternative to key.

  • timezone:

    Name of timezone of notifications sent.

  • enabled:

    Boolean. Is this notification enabled (default True)

  • max_daily_notifications:

    Maximum total number of notifications to be sent per day. Set to 0 for unlimited. (required)

  • validity_interval_seconds:

    How long a notification is valid after being sent. We never send a lower impact notification for a host so long as a higher impact one is valid. Set to 0 to disable this filtering (required).

  • copy_opendxl_config_id:

    Copies an existing notification’s OpenDXL client configuration resources based on the configuration identifier. (optional)

  • proxy:

    Specifies whether the notification should be proxied through the sensor that first detected the event causing it. This is always on when the sensor is communicating with the Lastline backend and always off when using a Pinbox.

  • triggers:

    Trigger configurations for this notification (see below)

The triggers field holds the configuration that is specific to each trigger type. A trigger type is the type of trigger (event) for which we are configuring notifications. A trigger type is identified by a trigger_type_identifier, as returned by list_trigger_types().

The triggers field is a dictionary mapping the trigger_type_identifier to the following settings:

  • threshold:

    Below this impact threshold (0-100) no notifications will be sent

  • max_daily_notifications:

    Maximum number of notifications per day for this trigger type

  • src_min_interval_seconds:

    For trigger types related to network events: minimum number of seconds between notifications for a given host in the protected network.

FILE Parameters

These parameters are provided as uploaded files encoded as multipart/form-data.

The following parameters are configuration resources used for the OpenDXL client to authenticate and communicate with OpenDXL broker(s).

NOTE: It is possible to copy existing configuration resources from previous notifications using the copy_opendxl_config_id POST parameter. If copy_opendxl_config_id is set, these file parameters are NOT required.

  • private_key:

    The OpenDXL client’s private key that was used to generate the certificate for authentication. Reputation messages sent to the OpenDXL broker(s) will use this private key. Since the key is stored on the Lastline side, use a client identity issued for this integration only rather than one shared with other DXL clients.

  • client_certificate:

    The client certificate that is used, in combination with the private_key file, to authenticate with OpenDXL broker(s).

  • broker_properties:

    A list of OpenDXL broker(s) to attempt to communicate with. This file can be imported from McAfee’s “ePolicy Orchestrator”.

  • broker_ca_bundle:

    A list of trusted broker certificates as exported from McAfee’s “ePolicy Orchestrator”

Contents of successful response

  • notification_config_id:

    identifier of new notification configuration
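The FILE parameters of this method travel as multipart/form-data, and once uploaded the only visibility you get into them is the four MD5 fields of opendxl_tie_settings in list_notifications. The following is an added example, not Lastline code: it builds the multipart body for the upload with the standard library and, separately, computes the hashes list_notifications should report so that you can confirm the stored key, certificate, broker list and CA bundle are the ones you intended (for instance after a copy_opendxl_config_id copy). Nothing is sent. The PEM blocks are constructed placeholder text, not real key or certificate material, and the hash fields are assumed to be lowercase hex MD5 digests of the raw uploaded bytes.

```python
"""Multipart upload body for add_opendxl_tie_notification and a check of the
stored resources against the *_hash fields reported by list_notifications.

Added example, not Lastline code; nothing is sent. PEM content below is a
placeholder. Hash fields are assumed to be lowercase hex MD5 of the raw bytes.
"""
import hashlib
import uuid

FILE_FIELDS = ("private_key", "client_certificate", "broker_properties", "broker_ca_bundle")
HASH_FIELD = {name: f"{name}_hash" for name in FILE_FIELDS}

# Constructed placeholders standing in for the real files.
SAMPLE_FILES = {
    "private_key": b"-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_certificate": b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n",
    "broker_properties": b"[Brokers]\nbroker1=broker1;8883;dxl-broker.corp.example;10.0.0.20\n",
    "broker_ca_bundle": b"-----BEGIN CERTIFICATE-----\nPLACEHOLDERCA\n-----END CERTIFICATE-----\n",
}


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_multipart(fields, files, boundary=None):
    """Return (content_type, body) for POST parameters `fields` (name -> str)
    and FILE parameters `files` (name -> bytes)."""
    boundary = boundary or uuid.uuid4().hex
    parts = []
    for name, value in fields.items():
        parts.append((f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n'
                      f'{value}\r\n').encode())
    for name, data in files.items():
        if name not in FILE_FIELDS:
            raise ValueError(f"not a FILE parameter of this method: {name}")
        parts.append((f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"; '
                      f'filename="{name}"\r\nContent-Type: application/octet-stream\r\n\r\n').encode()
                     + data + b"\r\n")
    parts.append(f"--{boundary}--\r\n".encode())
    return f"multipart/form-data; boundary={boundary}", b"".join(parts)


def expected_hashes(files):
    """The opendxl_tie_settings hash fields list_notifications should report after upload."""
    return {HASH_FIELD[name]: md5_hex(data) for name, data in files.items()}


def verify_stored_resources(opendxl_tie_settings, files):
    """Hash fields whose reported value differs from the local file (empty list = all match)."""
    return [HASH_FIELD[name] for name, data in files.items()
            if str(opendxl_tie_settings.get(HASH_FIELD[name], "")).lower() != md5_hex(data)]


if __name__ == "__main__":
    content_type, body = build_multipart(
        {"key": "0123456789ABCDEF:1", "max_daily_notifications": "0",
         "validity_interval_seconds": "0", "triggers": "{}"},
        SAMPLE_FILES)
    print(content_type, len(body), "bytes")
    print(expected_hashes(SAMPLE_FILES))
```

A matching hash tells you which material is stored, nothing more: MD5 is not collision resistant and the comparison is against values the manager itself reports, so it catches a wrong or stale upload, not an adversary with control of the manager. Note also that, after the upload, the private key is readable by whoever administers the manager, which is the reason to dedicate a DXL client identity to this integration.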

notification.opendxl_tie.edit_opendxl_tie_notification(response_format)

Edit an existing McAfee TIE Reputation notification.

URL

/papi/notification/edit/opendxl_tie[.response_format]

response_format can be xml or json (defaults to json)

HTTP METHOD

POST

POST Parameters

  • key:

    License key for which to send notifications. May include sensor subkey with format key:subkey. May be set to * to match all licenses.

  • access_key_id:

    License identifier, can be provided in alternative to key.

  • subkey_id:

    Sensor identifier, can be provided, together with access_key_id, in alternative to key.

  • timezone:

    Name of timezone of notifications sent.

  • enabled:

    Boolean. Is this notification enabled (default True)

  • max_daily_notifications:

    Maximum total number of notifications to be sent per day. Set to 0 for unlimited. (required)

  • validity_interval_seconds:

    How long a notification is valid after being sent. We never send a lower impact notification for a host so long as a higher impact one is valid. Set to 0 to disable this filtering (required).

  • copy_opendxl_config_id:

    Copies an existing notification’s OpenDXL client configuration resources based on the configuration identifier. (optional)

  • proxy:

    Specifies whether the notification should be proxied through the sensor that first detected the event causing it. This is always on when the sensor is communicating with the Lastline backend and always off when using a Pinbox. (optional; if provided, the existing configuration is changed to the supplied value)

  • triggers:

    Trigger configurations for this notification (see below)

The triggers field holds the configuration that is specific to each trigger type. A trigger type is the type of trigger (event) for which we are configuring notifications. A trigger type is identified by a trigger_type_identifier, as returned by list_trigger_types().

The triggers field is a dictionary mapping the trigger_type_identifier to the following settings:

  • threshold:

    Below this impact threshold (0-100) no notifications will be sent

  • max_daily_notifications:

    Maximum number of notifications per day for this trigger type

  • src_min_interval_seconds:

    For trigger types related to network events: minimum number of seconds between notifications for a given host in the protected network.

FILE Parameters

These parameters are provided as uploaded files encoded as multipart/form-data.

The following parameters are configuration resources used for the OpenDXL client to authenticate and communicate with OpenDXL broker(s).

NOTE: It is possible to copy existing configuration resources from previous notifications using the copy_opendxl_config_id POST parameter. If copy_opendxl_config_id is set, these file parameters are NOT required.

  • private_key:

    The OpenDXL client’s private key that was used to generate the certificate for authentication. Reputation messages sent to the OpenDXL broker(s) will use this private key. (optional)

  • client_certificate:

    The client certificate that is used, in combination with the private_key file, to authenticate with OpenDXL broker(s). (optional)

  • broker_properties:

    A list of OpenDXL broker(s) to attempt to communicate with. This file can be imported from McAfee’s “ePolicy Orchestrator”. (optional)

  • broker_ca_bundle:

    A list of trusted broker certificates as exported from McAfee’s “ePolicy Orchestrator” (optional)
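The FILE parameters above travel as multipart/form-data, and the NOTE means a request must carry either copy_opendxl_config_id or all four files. The following is an added example, not Lastline's own client code: it enforces that rule, encodes the parts with the standard library only (no network call), and decodes the result the way a server would so the upload can be checked locally before any private key leaves the machine. Field and file names are taken from the page; the sample file contents are constructed placeholders and the boundary prefix is an arbitrary choice.

```python
"""Multipart/form-data encoding for the OpenDXL FILE parameters (added example)."""
import email
import secrets
from typing import Dict, Mapping, Tuple

# The four FILE parameters named on the page.
OPENDXL_FILE_FIELDS = ("private_key", "client_certificate",
                       "broker_properties", "broker_ca_bundle")


def missing_opendxl_resources(fields: Mapping[str, str],
                              files: Mapping[str, bytes]) -> Tuple[str, ...]:
    """Return the FILE parameters still needed for this request.

    With copy_opendxl_config_id set the page says the files are NOT required,
    so nothing is missing; otherwise all four must be uploaded.
    """
    if "copy_opendxl_config_id" in fields:
        return ()
    return tuple(name for name in OPENDXL_FILE_FIELDS if name not in files)


def encode_multipart(fields: Mapping[str, str], files: Mapping[str, bytes],
                     boundary: str = "") -> Tuple[str, bytes]:
    """Return (Content-Type header value, body) for a multipart/form-data POST.

    A random boundary means file bytes that happen to contain our delimiter
    cannot corrupt the encoding, so key material never needs to be inspected.
    """
    boundary = boundary or "----lastline-" + secrets.token_hex(16)
    lines = []
    for name, value in fields.items():            # ordinary POST parameters
        lines += [f"--{boundary}".encode(),
                  f'Content-Disposition: form-data; name="{name}"'.encode(),
                  b"", str(value).encode()]
    for name, data in files.items():              # FILE parameters
        lines += [f"--{boundary}".encode(),
                  (f'Content-Disposition: form-data; name="{name}"; '
                   f'filename="{name}"').encode(),
                  b"Content-Type: application/octet-stream", b"", data]
    lines += [f"--{boundary}--".encode(), b""]
    return f"multipart/form-data; boundary={boundary}", b"\r\n".join(lines)


def decode_multipart(content_type: str, body: bytes) -> Dict[str, bytes]:
    """Parse a body from encode_multipart as the receiving server would.

    Lets a client verify locally that every part survives byte-for-byte.
    """
    msg = email.message_from_bytes(
        b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body)
    return {part.get_param("name", header="content-disposition"):
            part.get_payload(decode=True) for part in msg.get_payload()}


def build_opendxl_request(fields: Mapping[str, str],
                          files: Mapping[str, bytes]) -> Tuple[str, bytes]:
    """Validate first, then encode; files are dropped when a copy id is used."""
    missing = missing_opendxl_resources(fields, files)
    if missing:
        raise ValueError("missing OpenDXL resources: " + ", ".join(missing))
    if "copy_opendxl_config_id" in fields:
        files = {}
    return encode_multipart(fields, files)


# Constructed sample resources: placeholders, not real key or certificate data.
SAMPLE_FILES = {
    "private_key": b"-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_certificate": b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n",
    "broker_properties": b"[General]\n# placeholder for an ePolicy Orchestrator export\n",
    "broker_ca_bundle": b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n",
}

if __name__ == "__main__":
    ctype, body = build_opendxl_request({"enabled": "1", "proxy": "0"}, SAMPLE_FILES)
    print(ctype, len(body), "bytes")
```

Once the body checks out, it is sent with `Content-Type` set to the returned header value; the page does not state the edit method's full URL, so that part is left to the caller.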

Contents of successful response

“OK”

notification.add_siem_notification(response_format)

Add a new configuration for sending notifications to a SIEM appliance

URL

/papi/notification/add/mail[. response_format]

response_format can be xml or json (defaults to json)

HTTP METHOD

POST

POST Parameters

  • key:

    License key for which to send notifications. May include sensor subkey with format key:subkey. May be set to * to match all licenses.

  • access_key_id:

    License identifier, can be provided in alternative to key.

  • access_key_only:

    Boolean. This configuration should only match on licenses without a subkey. This has to be used to select the license of a manager without selecting all sensors with the same license. Requires administrator permissions (default False).

  • subkey_id:

    Sensor identifier, can be provided, together with access_key_id, in alternative to key.

  • timezone:

    Name of timezone of notifications sent.

  • enabled:

    Boolean. Is this notification enabled (default True)

  • max_daily_notifications:

    Maximum total number of notifications to be sent per day. Set to 0 for unlimited. (required)

  • validity_interval_seconds:

    How long a notification is valid after being sent. We never send a lower impact notification for a host so long as a higher impact one is valid. Set to 0 to disable this filtering (required).

  • host:

    The hostname/IP address of the SIEM appliance that the SIEM messages will be sent to. If proxy=1 this is an appliance reachable by the sensor; if proxy=0 it is an appliance reachable by the manager on behalf of all sensors.

  • port:

    The port on which the manager/sensor will send SIEM syslog messages to the associated appliance.

  • origin_host:

    The hostname that will show up in the prefix of the syslog message (e.g. “12-12-12 01:23:24 origin_host siem_message”)

  • proxy:

    A boolean specifying whether the SIEM messages originate from the Manager or from the sensor with which they are associated. This value is always True when the SIEM messages originate from the Lastline backend and always False in the case of a Previct-all-in-one. For any other installation, it is up to the user.

  • log_format:

    The format of the syslog message, for example CEF or LEEF

  • triggers:

    Trigger configurations for this notification (see below)

  • default_proxy_subkey_id:

    Specify a sensor to proxy notifications for hosted customers

  • backend_only:

    Boolean. This configuration is used for the “no license selected” case, needed for configuring notifications from the hosted backend. Requires administrator permissions (default False)

  • include_pcap:

    Whether to include pcap information inside the notification for network events. This parameter is available for Lastline Enterprise and Analyst On-Premise versions >= 7.5

  • transport:

    Transport protocol, “TCP” or “UDP” (default: “UDP”). This parameter is available for Lastline Enterprise and Analyst On-Premise versions >= 7.10

The triggers field holds the configuration that is specific to each trigger type. A trigger type is the type of trigger (event) for which we are configuring notifications. A trigger type is identified by a trigger_type_identifier, as returned by list_trigger_types().

The triggers field is a dictionary mapping the trigger_type_identifier to the following settings:

  • threshold:

    Below this impact threshold (0-100) no notifications will be sent

  • max_daily_notifications:

    Maximum number of notifications for this trigger type

  • src_min_interval_seconds:

    For trigger types related to network events: minimum number of seconds between notifications for a given host in the protected network.
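Because the edit methods on this page require every parameter to be resent, it pays to assemble the POST parameters in one place and validate them before the request goes out. The following is an added example, not Lastline's client code: it builds the parameter set for add_siem_notification from the constraints the page states (key or access_key_id, threshold 0-100, TCP/UDP transport, 0 meaning unlimited/disabled). How booleans and the triggers dictionary are serialised on the wire is not stated on the page; the 1/0 encoding and the JSON string used here are assumptions, as is the "example_trigger_type" placeholder, which stands for an identifier returned by list_trigger_types().

```python
"""Build and sanity-check add_siem_notification POST parameters (added example)."""
import json
import re
from typing import Dict, Mapping, Optional

TRANSPORTS = ("TCP", "UDP")
# Hostname or dotted IPv4 literal; IPv6 literals are not handled here.
HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")


def build_trigger_config(triggers: Mapping[str, Mapping[str, int]]) -> Dict[str, Dict[str, int]]:
    """Normalise per-trigger settings: threshold within 0-100, counts non-negative."""
    out: Dict[str, Dict[str, int]] = {}
    for trigger_type, settings in triggers.items():
        threshold = int(settings.get("threshold", 0))
        if not 0 <= threshold <= 100:
            raise ValueError(f"{trigger_type}: threshold must be 0-100, got {threshold}")
        cfg = {"threshold": threshold}
        for name in ("max_daily_notifications", "src_min_interval_seconds"):
            if name in settings:
                value = int(settings[name])
                if value < 0:
                    raise ValueError(f"{trigger_type}: {name} must not be negative")
                cfg[name] = value
        out[trigger_type] = cfg
    return out


def build_siem_notification_params(*, host: str, port: int, origin_host: str,
                                   log_format: str, triggers: Mapping[str, Mapping[str, int]],
                                   max_daily_notifications: int, validity_interval_seconds: int,
                                   key: Optional[str] = None, access_key_id: Optional[int] = None,
                                   subkey_id: Optional[int] = None, timezone: str = "UTC",
                                   enabled: bool = True, proxy: bool = False,
                                   transport: str = "UDP", include_pcap: bool = False) -> Dict[str, str]:
    """Return the form parameters as strings, or raise ValueError on a bad combination."""
    params: Dict[str, str] = {}
    # One way of selecting the licence: key, or access_key_id (optionally + subkey_id).
    if (key is None) == (access_key_id is None):
        raise ValueError("provide either key or access_key_id, not both")
    if subkey_id is not None and access_key_id is None:
        raise ValueError("subkey_id is only valid together with access_key_id")
    if key is not None:
        params["key"] = str(key)
    else:
        params["access_key_id"] = str(access_key_id)
        if subkey_id is not None:
            params["subkey_id"] = str(subkey_id)
    if not HOST_RE.match(host):
        raise ValueError(f"host is not a valid hostname/IPv4 address: {host!r}")
    if not 1 <= int(port) <= 65535:
        raise ValueError("port must be 1-65535")
    # origin_host lands in the syslog prefix: refuse whitespace or control
    # characters so it cannot masquerade as extra fields in the SIEM line.
    if not origin_host or re.search(r"[\s\x00-\x1f]", origin_host):
        raise ValueError("origin_host must be a single token without whitespace")
    if transport not in TRANSPORTS:
        raise ValueError(f"transport must be one of {TRANSPORTS}")
    if int(max_daily_notifications) < 0 or int(validity_interval_seconds) < 0:
        raise ValueError("counts and intervals must be >= 0 (0 = unlimited / disabled)")
    params.update({
        "timezone": timezone,
        "enabled": "1" if enabled else "0",                 # 1/0 encoding: assumption
        "max_daily_notifications": str(int(max_daily_notifications)),
        "validity_interval_seconds": str(int(validity_interval_seconds)),
        "host": host,
        "port": str(int(port)),
        "origin_host": origin_host,
        "proxy": "1" if proxy else "0",
        "log_format": log_format,
        "transport": transport,
        "include_pcap": "1" if include_pcap else "0",
        # JSON serialisation of the triggers dictionary: assumption.
        "triggers": json.dumps(build_trigger_config(triggers), sort_keys=True),
    })
    return params


if __name__ == "__main__":
    example = build_siem_notification_params(
        access_key_id=42, subkey_id=7, host="siem.example.internal", port=514,
        origin_host="lastline-manager", log_format="CEF", transport="TCP",
        max_daily_notifications=0, validity_interval_seconds=3600,
        triggers={"example_trigger_type": {"threshold": 70,
                                           "max_daily_notifications": 50,
                                           "src_min_interval_seconds": 600}})
    for name, value in sorted(example.items()):
        print(f"{name}={value}")
```

The same dictionary, with notification_config_id added, is what edit_siem_notification below expects, which is why keeping the builder in one place avoids silently reverting a field to its default on edit. Choosing "TCP" over the default "UDP" matters for a SIEM feed: UDP syslog is fire-and-forget, so dropped datagrams mean silently missing alerts.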

Contents of successful response

  • notification_config_id:

    identifier of new notification configuration

notification.edit_siem_notification(response_format)

Edit an existing configuration for sending notifications to a SIEM appliance. Note that all parameters need to be provided anew; they do not default to the current values of the configuration that is being edited.

URL

/papi/notification/edit/siem/<[. response_format]

response_format can be xml or json (defaults to json)

HTTP METHOD

POST

POST Parameters

  • notification_config_id:

    Identifier of configuration to edit, as returned by list_notifications() (required)

  • key:

    License key for which to send notifications. May include sensor subkey with format key:subkey. May be set to * to match all licenses.

  • access_key_id:

    License identifier, can be provided in alternative to key.

  • access_key_only:

    Boolean. This configuration should only match on licenses without a subkey. This has to be used to select the license of a manager without selecting all sensors with the same license. Requires administrator permissions (default False).

  • subkey_id:

    Sensor identifier, can be provided, together with access_key_id, in alternative to key.

  • timezone:

    Name of timezone of notifications sent.

  • enabled:

    Boolean. Is this notification enabled (default True)

  • max_daily_notifications:

    Maximum total number of notifications to be sent per day. Set to 0 for unlimited. (required)

  • validity_interval_seconds:

    How long a notification is valid after being sent. We never send a lower impact notification for a host so long as a higher impact one is valid. Set to 0 to disable this filtering (required).

  • host:

    The hostname/IP address of the SIEM appliance that the SIEM messages will be sent to. If proxy=1 this is an appliance reachable by the sensor; if proxy=0 it is an appliance reachable by the manager on behalf of all sensors.

  • port:

    The port on which the manager/sensor will send SIEM syslog messages to the associated appliance.

  • origin_host:

    The hostname that will show up in the prefix of the syslog message (e.g. “12-12-12 01:23:24 origin_host siem_message”)

  • proxy:

    A boolean specifying whether the SIEM messages originate from the Manager or from the sensor with which they are associated. This value is always True when the SIEM messages originate from the Lastline backend and always False in the case of a Previct-all-in-one. For any other installation, it is up to the user.

  • log_format:

    Format of the syslog message, for example CEF or LEEF

  • triggers:

    Trigger configurations for this notification (see below)

  • default_proxy_subkey_id:

    Specify a sensor to proxy notifications for hosted customers

  • backend_only:

    Boolean. This configuration is used for the “no license selected” case, needed for configuring notifications from the hosted backend. Requires administrator permissions (default False)

  • include_pcap:

    Whether to include pcap information inside the notification for network events. This parameter is available for Lastline Enterprise and Analyst On-Premise versions >= 7.5

  • transport:

    Transport protocol, “TCP” or “UDP” (default: “UDP”). This parameter is available for Lastline Enterprise and Analyst On-Premise versions >= 7.10

The triggers field holds the configuration that is specific to each trigger type. A trigger type is the type of trigger (event) for which we are configuring notifications. A trigger type is identified by a trigger_type_identifier, as returned by list_trigger_types().

The triggers field is a dictionary mapping the trigger_type_identifier to the following settings:

  • threshold:

    Below this impact threshold (0-100) no notifications will be sent

  • max_daily_notifications:

    Maximum number of notifications for this trigger type

  • src_min_interval_seconds:

    For trigger types related to network events: minimum number of seconds between notifications for a given host in the protected network.

Contents of successful response

  • notification_config_id:

    identifier of modified notification configuration

notification.add_tippingpoint_notification(response_format)

Add a new configuration for sending notifications to HP Tipping Point SMS

URL

/papi/notification/add/tippingpoint[. response_format]

response_format can be xml or json (defaults to json)

HTTP METHOD

POST

POST Parameters

  • key:

    License key for which to send notifications. May include sensor subkey with format key:subkey. May be set to * to match all licenses.

  • access_key_id:

    License identifier, can be provided in alternative to key.

  • subkey_id:

    Sensor identifier, can be provided, together with access_key_id, in alternative to key.

  • timezone:

    Name of timezone of notifications sent.

  • enabled:

    Boolean. Is this notification enabled (default True)

  • max_daily_notifications:

    Maximum total number of notifications to be sent per day. Set to 0 for unlimited. (required)

  • validity_interval_seconds:

    How long a notification is valid after being sent. We never send a lower impact notification for a host so long as a higher impact one is valid. Set to 0 to disable this filtering (required).

  • sms_server:

    IP or hostname of the HP Tipping Point SMS server.

  • sms_server_port:

    TCP port to use to connect to the HP Tipping Point SMS server.

  • protocol:

    HTTP or HTTPS: protocol to use to connect to the HP Tipping Point SMS server.

  • smsuser:

    Username to use to connect to the HP Tipping Point SMS server.

  • smspass:

    Password to use to connect to the HP Tipping Point SMS server.

  • proxy:

    Specifies whether such notifications should be proxied through the sensor which first detected the event that is causing the Tipping Point notification. This is always on when the sensor is communicating with the Lastline backend and always off when using a Previct-all-in-one.

  • triggers:

    Trigger configurations for this notification (see below)

The triggers field holds the configuration that is specific to each trigger type. A trigger type is the type of trigger (event) for which we are configuring notifications. A trigger type is identified by a trigger_type_identifier, as returned by list_trigger_types().

The triggers field is a dictionary mapping the trigger_type_identifier to the following settings:

  • threshold:

    Below this impact threshold (0-100) no notifications will be sent

  • max_daily_notifications:

    Maximum number of notifications for this trigger type

  • src_min_interval_seconds:

    For trigger types related to network events: minimum number of seconds between notifications for a given host in the protected network.

Contents of successful response

  • notification_config_id:

    identifier of new notification configuration

notification.edit_tippingpoint_notification(response_format)

Edit an existing configuration for sending notifications to HP Tipping Point SMS. Note that all parameters, except for the smspass parameter, need to be provided anew; they do not default to the current values of the configuration that is being edited.

URL

/papi/notification/edit/mail/<[. response_format]

response_format can be xml or json (defaults to json)

HTTP METHOD

POST

POST Parameters

  • notification_config_id:

    Identifier of configuration to edit, as returned by list_notifications() (required)

  • key:

    License key for which to send notifications. May include sensor subkey with format key:subkey. May be set to * to match all licenses.

  • access_key_id:

    License identifier, can be provided in alternative to key.

  • subkey_id:

    Sensor identifier, can be provided, together with access_key_id, in alternative to key.

  • timezone:

    Name of timezone of notifications sent.

  • enabled:

    Boolean. Is this notification enabled (default True)

  • max_daily_notifications:

    Maximum total number of notifications to be sent per day. Set to 0 for unlimited. (required)

  • validity_interval_seconds:

    How long a notification is valid after being sent. We never send a lower impact notification for a host so long as a higher impact one is valid. Set to 0 to disable this filtering (required).

  • sms_server:

    IP or hostname of the HP Tipping Point SMS server.

  • sms_server_port:

    TCP port to use to connect to the HP Tipping Point SMS server.

  • protocol:

    HTTP or HTTPS: protocol to use to connect to the HP Tipping Point SMS server.

  • smsuser:

    Username to use to connect to the HP Tipping Point SMS server.

  • smspass:

    Password to use to connect to the HP Tipping Point SMS server.

  • proxy:

    Specifies whether such notifications should be proxied through the sensor which first detected the event that is causing the Tipping Point notification. This is always on when the sensor is communicating with the Lastline backend and always off when using a Previct-all-in-one.

  • triggers:

    Trigger configurations for this notification (see below)

The triggers field holds the configuration that is specific to each trigger type. A trigger type is the type of trigger (event) for which we are configuring notifications. A trigger type is identified by a trigger_type_identifier, as returned by list_trigger_types().

The triggers field is a dictionary mapping the trigger_type_identifier to the following settings:

  • threshold:

    Below this impact threshold (0-100) no notifications will be sent

  • max_daily_notifications:

    Maximum number of notifications for this trigger type

  • src_min_interval_seconds:

    For trigger types related to network events: minimum number of seconds between notifications for a given host in the protected network.

Contents of successful response

  • notification_config_id:

    identifier of modified notification configuration

notification.add_streaming_notification(response_format)

Add a new configuration for streaming notifications.

Configuring and enabling a new streaming notification allows the user, after authentication, to access the notification stream at the returned URL and retrieve information about the specified events.

On-Premise availability

This API method is available for Lastline Enterprise and Analyst On-Premise versions >= 7.5

URL

/papi/notification/add/streaming[. response_format]

response_format can be xml or json (defaults to json)

HTTP METHOD

POST

POST Parameters

  • key:

    License key for which to send notifications. May include sensor subkey with format key:subkey. May be set to * to match all licenses.

  • access_key_id:

    License identifier, can be provided in alternative to key.

  • access_key_only:

    Boolean. This configuration should only match on licenses without a subkey. This has to be used to select the license of a manager without selecting all sensors with the same license. Requires administrator permissions (default False).

  • subkey_id:

    Sensor identifier, can be provided, together with access_key_id, in alternative to key.

  • timezone:

    Name of timezone of notifications sent.

  • enabled:

    Boolean. Is this notification enabled (default True)

  • max_daily_notifications:

    Maximum total number of notifications to be sent per day. Set to 0 for unlimited. (required)

  • validity_interval_seconds:

    How long a notification is valid after being sent. We never send a lower impact notification for a host so long as a higher impact one is valid. Set to 0 to disable this filtering (required).

  • stream_name:

    Name of the new streaming notification

  • include_pcap:

    Whether to include pcap information inside the notification for network events

The triggers field holds the configuration that is specific to each trigger type. A trigger type is the type of trigger (event) for which we are configuring notifications. A trigger type is identified by a trigger_type_identifier, as returned by list_trigger_types().

The triggers field is a dictionary mapping the trigger_type_identifier to the following settings:

  • threshold:

    Below this impact threshold (0-100) no notifications will be sent

  • max_daily_notifications:

    Maximum number of notifications for this trigger type

  • src_min_interval_seconds:

    For trigger types related to network events: minimum number of seconds between notifications for a given host in the protected network.

Contents of successful response

  • notification_config_id:

    Identifier of new notification configuration

  • stream_url:

    HTTPS URL where the event notification stream can be accessed

notification.edit_streaming_notification(response_format)

Edit an existing streaming notification. All parameters need to be provided anew as they do not default to the current values of the configuration that is being edited.

On-Premise availability

This API method is available for Lastline Enterprise and Analyst On-Premise versions >= 7.5

URL

/papi/notification/edit/streaming[. response_format]

response_format can be xml or json (defaults to json)

HTTP METHOD

POST

POST Parameters

  • notification_config_id:

    Identifier of the configuration to edit as returned by list_notifications() (required)

  • key:

    License key for which to send notifications. May include sensor subkey with format key:subkey. May be set to * to match all licenses.

  • access_key_id:

    License identifier, can be provided in alternative to key.

  • access_key_only:

    Boolean. This configuration should only match on licenses without a subkey. This has to be used to select the license of a manager without selecting all sensors with the same license. Requires administrator permissions (default False).

  • subkey_id:

    Sensor identifier, can be provided, together with access_key_id, in alternative to key.

  • timezone:

    Name of timezone of notifications sent.

  • enabled:

    Boolean. Is this notification enabled (default True)

  • max_daily_notifications:

    Maximum total number of notifications to be sent per day. Set to 0 for unlimited. (required)

  • validity_interval_seconds:

    How long a notification is valid after being sent. We never send a lower impact notification for a host so long as a higher impact one is valid. Set to 0 to disable this filtering (required).

  • stream_name:

    Name of the streaming notification

  • include_pcap:

    Whether to include pcap information inside the notification for network events

The triggers field holds the configuration that is specific to each trigger type. A trigger type is the type of trigger (event) for which we are configuring notifications. A trigger type is identified by a trigger_type_identifier, as returned by list_trigger_types().

The triggers field is a dictionary mapping the trigger_type_identifier to the following settings:

  • threshold:

    Below this impact threshold (0-100) no notifications will be sent

  • max_daily_notifications:

    Maximum number of notifications for this trigger type

  • src_min_interval_seconds:

    For trigger types related to network events: minimum number of seconds between notifications for a given host in the protected network.
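Every method on this page (OpenDXL, SIEM, Tipping Point and streaming) repeats the same four filters: the per-trigger threshold, the per-trigger and overall max_daily_notifications, src_min_interval_seconds per protected host, and validity_interval_seconds, under which no lower-impact notification is sent for a host while a higher-impact one is still valid. The following added example (not Lastline's code) replays those rules over a constructed event sequence so that the interplay, which the parameter descriptions only state one field at a time, can be seen on concrete events. The order in which the checks are applied, the treatment of a per-trigger limit of 0 as unlimited, and the UTC day boundary (the page's timezone parameter would shift it) are assumptions; "example_trigger_type" is a placeholder for an identifier from list_trigger_types().

```python
"""Replay of the notification filtering rules described on this page (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Mapping, Tuple

DAY = 86400  # day boundary taken in UTC here; the real timezone parameter shifts it


@dataclass
class TriggerSettings:
    threshold: int                     # impact (0-100) below which nothing is sent
    max_daily_notifications: int       # per trigger type; 0 treated as unlimited (assumption)
    src_min_interval_seconds: int = 0  # per protected host, network trigger types only


@dataclass
class Event:
    ts: int            # seconds since epoch (constructed)
    trigger_type: str  # a trigger_type_identifier from list_trigger_types()
    src_host: str      # protected host that caused the event
    impact: int        # 0-100


@dataclass
class Sent:
    ts: int
    impact: int


class NotificationGate:
    """Decides, event by event, whether a notification would go out."""

    def __init__(self, triggers: Mapping[str, TriggerSettings],
                 max_daily_notifications: int, validity_interval_seconds: int):
        self.triggers = triggers
        self.max_daily = max_daily_notifications      # 0 = unlimited (page)
        self.validity = validity_interval_seconds     # 0 = filtering disabled (page)
        self.sent_by_host: Dict[str, List[Sent]] = {}
        self.daily_total: Dict[int, int] = {}
        self.daily_by_trigger: Dict[Tuple[int, str], int] = {}

    def decide(self, ev: Event) -> str:
        cfg = self.triggers.get(ev.trigger_type)
        if cfg is None:
            return "skip: trigger type not configured"
        if ev.impact < cfg.threshold:
            return "skip: below threshold"
        history = self.sent_by_host.get(ev.src_host, [])
        # validity_interval_seconds: a still-valid higher-impact notification
        # for this host suppresses any lower-impact one.
        if self.validity > 0 and any(ev.ts - s.ts < self.validity and s.impact > ev.impact
                                     for s in history):
            return "skip: higher-impact notification still valid for host"
        # src_min_interval_seconds: rate limit per protected host.
        if cfg.src_min_interval_seconds > 0 and history and \
                ev.ts - history[-1].ts < cfg.src_min_interval_seconds:
            return "skip: host notified too recently"
        day = ev.ts // DAY
        if self.max_daily > 0 and self.daily_total.get(day, 0) >= self.max_daily:
            return "skip: daily total reached"
        per_trigger = self.daily_by_trigger.get((day, ev.trigger_type), 0)
        if cfg.max_daily_notifications > 0 and per_trigger >= cfg.max_daily_notifications:
            return "skip: daily limit for trigger type reached"
        # All filters passed: record the notification so later events see it.
        self.sent_by_host.setdefault(ev.src_host, []).append(Sent(ev.ts, ev.impact))
        self.daily_total[day] = self.daily_total.get(day, 0) + 1
        self.daily_by_trigger[(day, ev.trigger_type)] = per_trigger + 1
        return "send"


# Constructed sample: threshold 50, at most 2 per day for this trigger type,
# 10 minutes between notifications per host, notifications valid for 1 hour.
SAMPLE_TRIGGERS = {"example_trigger_type": TriggerSettings(50, 2, 600)}
SAMPLE_EVENTS = [
    Event(0, "example_trigger_type", "10.0.0.5", 40),        # below threshold
    Event(10, "example_trigger_type", "10.0.0.5", 90),       # first notification
    Event(20, "example_trigger_type", "10.0.0.5", 95),       # same host 10 s later
    Event(700, "example_trigger_type", "10.0.0.5", 60),      # lower impact, 90 still valid
    Event(700, "example_trigger_type", "10.0.0.6", 60),      # other host, 2nd of the day
    Event(800, "example_trigger_type", "10.0.0.7", 99),      # daily limit for trigger hit
    Event(DAY + 100, "example_trigger_type", "10.0.0.7", 99),  # new day
    Event(DAY + 200, "example_trigger_type", "10.0.0.5", 70),  # old notification expired
]


def replay(events: List[Event], gate: NotificationGate) -> List[str]:
    return [gate.decide(ev) for ev in events]


def demo() -> List[str]:
    gate = NotificationGate(SAMPLE_TRIGGERS, max_daily_notifications=0,
                            validity_interval_seconds=3600)
    return replay(SAMPLE_EVENTS, gate)


if __name__ == "__main__":
    for ev, verdict in zip(SAMPLE_EVENTS, demo()):
        print(f"t={ev.ts:6d} {ev.src_host:9s} impact={ev.impact:3d} -> {verdict}")
```

The replay makes the operational trade-off visible: the fourth event (impact 60 on a host whose impact-90 notification is still valid) is dropped by design, so a low validity_interval_seconds trades more noise for not missing a follow-on event, while a generous per-trigger max_daily_notifications with src_min_interval_seconds set is what keeps a single chatty host from exhausting the daily budget for every other host.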

Contents of successful response

  • notification_config_id:

    Identifier of modified notification configuration

notification.delete_notification(response_format)

Delete an existing notification configuration.

URL

/papi/notification/delete/<[. response_format]

response_format can be xml or json (defaults to json)

HTTP METHOD

POST

POST Parameters

  • notification_config_id:

    Identifier of configuration to delete, as returned by list_notifications() (required)

Contents of successful response

“OK”