Page tree
Skip to end of metadata
Go to start of metadata

Overview

The Alarm Service provides a system for gathering and organizing info about attacks, how each alarm is mapped to technical signatures, and mapping of alarms to Argus attack categories and MITRE ATT&CK categories.
Changes to Alarms are made available as updates through the Alarm Update WebSocket.
The service also keeps track of the volume and last observation of each signature from the Event Service. 

Concepts

  • Attack denotes (in the scope of the Alarm Service) the usage of a known or suspected vulnerability of an IT-system.
  • Attack Category is an arbitrary category for grouping attacks. These categories are defined in Argus, and not part of an external standard.
  • Alarm brings together the accumulated info about known attacks. This is meant to quickly help the analyst assess incoming recognized attacks. Alarms are also manually created and updated by us. An alarm can have comments, labels, references and links. Alarms can be grouped into attack categories.
  • Signature is technical attack signature, defined both by external sources and by us. It also provides info about the time when the signature was detected/triggered.
    The actual signatures for recognizing attacks are not stored in the alarm service - just the info about the attack. Signatures are not independent entities, but are the primary key of an Alarm Mapping. Signature is also referred to as attack identifier.
  • Alarm Mapping is the relationship between an alarm and selected signatures. Signatures are mapped to Alarms by a user process or through automated imports via API.  An unmapped alarm mapping means that the signature has not yet been mapped to an alarm.
  • MITRE Category provides a standardized structure about various known attack tactics and techniques. It is regularly imported into alarm service from an external source (https://github.com/mitre/cti/releases/). MITRE categories can be related to other MITRE categories and they can also be associated with alarms.

Data Model

Permissions

Managing/changing alarm information requires the ALARM-MANAGER role.

Viewing alarm information i included in the EVENT-VIEWER role.

API Usage Examples

Only some operations are listed here. Please consult the Swagger API documentation for the complete list of supported operations and the statuses of the endpoints (PUBLIC, INTERNAL, DEV).

Fetching an alarm

Request:

curl -X GET -H "Argus-API-Key: $API_KEY_ENV_VAR" https://api.mnemonic.no/alarms/v1/alarm/2

Response:

{
  "responseCode": 200,
  "limit": 0,
  "offset": 0,
  "count": 0,
  "metaData": {},
  "messages": [],
  "data": {
    "id": 2,
    "shortName": "bufferOverflow",
    "attackCategory": {
      "id": 5,
      "shortName": "6842e8ef-db2a-11eb-91d4-005056beea2d",
      ...
    },
    "mappings": [],
    "comments": [
      {
         "comment": "a comment",
         "timestamp": 1650880294784,
         ...
      }
    ],
    "references": [
      "CVE-2001-0010",
      "https://www.cvedetails.com/cve/CVE-2001-0010/?lang=en&ts=1234"
    ],
    "labels": [
      "testLabel"
    ],
    "info": "ISC BIND is the most popular implementation of the DNS protocol for Linux and Unix DNS servers. ...",
    "description": "DNS - Detected DNS packet longer than a given length that contains a TSIG resource record.",
    "internalReference": null,
    "links": [
      "http://www.cert.org/advisories/CA-2001-02.html",
      "http://xforce.iss.net/xforce/xfdb/6015"
    ],
    ...
  },
  "size": 0
}

Listing alarms

Request:

curl -X GET -H "Argus-API-Key: $API_KEY_ENV_VAR" https://api.mnemonic.no/alarms/v1/alarm?offset=0&limit=2

Response:

{
  "responseCode": 200,
  "limit": 2,
  "offset": 0,
  "count": 16062,
  "metaData": {},
  "messages": [],
  "data": [
    {
      "id": 3,
      "shortName": "1d0b861a-db02-11eb-91d4-005056beea2d",
      "attackCategory": {
        "id": 5,
        "shortName": "6842e8ef-db2a-11eb-91d4-005056beea2d",
        ...
      },
      ...
    },
    {
      "id": 4,
      "shortName": "1d0b9849-db02-11eb-91d4-005056beea2d",
      "attackCategory": {
        "id": 6,
        "shortName": "6842ec7a-db2a-11eb-91d4-005056beea2d",
        ...
      },
      ...
    }
  ],
  "size": 2
}

Searching for an alarm

Request:

curl -X POST -H "Argus-API-Key: $API_KEY_ENV_VAR" -H "Content-Type: application/json" https://api.mnemonic.no/alarms/v1/alarm/search -d '{
  "alarm": [ "1000", "1d105abb-db02-11eb-91d4-005056beea2d" ],
  "keywordFieldStrategy": [ "id", "shortName" ],
  "keywordMatchStrategy": "any"
}'

The response returns the same format as listing alarms.

Adding an alarm

Request:

curl -X POST -H "Argus-API-Key: $API_KEY_ENV_VAR" -H "Content-Type: application/json" https://api.mnemonic.no/alarms/v1/alarm -d '{
  "attackCategoryID": 5,
  "shortName" : "alarmShortName",
  "description" : "alarm description",
  "info" : "alarm info"
}

The response returns the created alarm.

Updating an alarm

Request:

curl -X PUT -H "Argus-API-Key: $API_KEY_ENV_VAR" -H "Content-Type: application/json" https://api.mnemonic.no/alarms/v1/alarm/56960 -d '{
  "info": "updated alarm info",
  "description": "updated alarm description",
  "addLabels": [ "some label" ]
}

The response returns the updated alarm.

Deleting an alarm

The response returns the deleted alarm.

curl -X DELETE -H "Argus-API-Key: $API_KEY_ENV_VAR" https://devapi.mnemonic.no/alarms/v1/alarm/56960


Mapping an alarm to signatures

Will create record(s) in the alarm mapping table.

Request:

curl -X POST -H "Argus-API-Key: $API_KEY_ENV_VAR" https://devapi.mnemonic.no/alarms/v1/alarm/56960/map -d '{
  "signatures": [ "signature-1", "signature-2" ]
}'

Response:

{
  "responseCode": 200,
  "limit": 0,
  "offset": 0,
  "count": 0,
  "metaData": {},
  "messages": [],
  "data": {
    "id": 56960,
    "shortName": "dc075e07-149e-4f20-bdf3-8dac343e1f2c",
    "attackCategory": {
      "id": 5,
      "shortName": "6842e8ef-db2a-11eb-91d4-005056beea2d",
      ...
    },
    "mappings": [
      {
        "attackIdentifier": "signature-1",
        "comments": [],
        "mappedTimestamp": 1655295375168,
        "firstTriggeredTimestamp": 0,
        "lastTriggeredTimestamp": 0,
        "triggerAmount": 0,
        "signature": "signature-1",
        ...
      },
      {
        "attackIdentifier": "signature-2",
        "comments": [],
        "mappedTimestamp": 1655295375168,
        "firstTriggeredTimestamp": 0,
        "lastTriggeredTimestamp": 0,
        "triggerAmount": 0,
        "signature": "signature-2",
        ...
      }
    ],
    ...
  },
  "size": 0
} 

Unmapping an alarm from signatures

Will set the alarm ID to null in the alarm mapping table for the matching records (by signature). It will not delete the alarm mapping records.

Request:

curl -X DELETE -H "Argus-API-Key: $API_KEY_ENV_VAR" https://api.mnemonic.no/alarms/v1/alarm/56960/unmap?signature=signature-1&signature=signature-2

Response:

{
  "responseCode": 200,
  "limit": 0,
  "offset": 0,
  "count": 0,
  "metaData": {},
  "messages": [],
  "data": {
    "id": 56960,
    "shortName": "dc075e07-149e-4f20-bdf3-8dac343e1f2c",
    "attackCategory": {
      "id": 5,
      "shortName": "6842e8ef-db2a-11eb-91d4-005056beea2d",
      ...
    },
    "mappings": []
    ...
  },
  "size": 0
} 

Deleting a signature

Only an unmapped signature can be deleted.

Request:

curl -X DELETE -H "Argus-API-Key: $API_KEY_ENV_VAR" https://api.mnemonic.no/alarms/v1/signature?signature=signature-1

Response:

{
  "responseCode": 200,
  "limit": 0,
  "offset": 0,
  "count": 0,
  "metaData": {},
  "messages": [],
  "data": [
    {
      "attackIdentifier": "signature-1",
      "comments": [],
      "mappedTimestamp": 0,
      "firstTriggeredTimestamp": 0,
      "lastTriggeredTimestamp": 0,
      "triggerAmount": 0,
      "signature": "signature-1",
      "flags": [
        "DELETED"
      ]
      ...
    }
  ],
  "size": 1
}
  • No labels