The Alarm Service gathers and organizes information about attacks: how
each alarm is mapped to technical signatures, and how alarms are mapped
to Argus attack categories and MITRE ATT&CK categories.
Changes to Alarms are made available as updates through the Alarm Update
WebSocket.
The service also keeps track of the volume and last observation of each
signature from the Event Service.
An Attack Category is an arbitrary category for grouping attacks.
These categories are defined in Argus and are not part of an external
standard.
An Alarm brings together the accumulated information about a known attack.
It is meant to help the analyst quickly assess incoming recognized
attacks. Alarms are also manually created and updated by us. An
alarm can have comments, labels, references and links. Alarms can be
grouped into attack categories.
A Signature is a technical attack signature, defined both by
external sources and by us. It also provides information about the time
when the signature was last detected/triggered.
The actual signatures for recognizing attacks are not stored in the
alarm service, only the information about the attack. Signatures are not
independent entities; a signature is the primary key of an Alarm Mapping.
A signature is also referred to as an attack identifier.
An Alarm Mapping is the relationship between an alarm and selected
signatures. Signatures are mapped to alarms by a user process or
through automated imports via the API. An unmapped alarm mapping
means that the signature has not yet been mapped to an alarm.
Access to view and edit a specific mapping is decided by the mapping's customer scope.
The scope is populated as the mapping's signature is triggered for customers in the Event Service.
A MITRE Category provides a standardized structure for known attack
tactics and techniques. It is regularly imported into the alarm service from an
external source (https://github.com/mitre/cti/releases).
MITRE categories can be related to other MITRE categories, and they can also be
associated with alarms.
Only some operations are listed here. Please consult the Swagger API
documentation for the complete list of supported operations and the
statuses of the endpoints (PUBLIC, INTERNAL, DEV).
Please read the Overview to learn the general
concepts and common data structures used throughout the Argus API.
The Swagger API documentation is always up to date
and lets you try out any query with your user session or an API key.
Example response for a single alarm (abbreviated; elided fields are shown as "..."):

    {
      "responseCode": 200,
      "limit": 0,
      "offset": 0,
      "count": 0,
      "metaData": {},
      "messages": [],
      "data": {
        "id": 2,
        "shortName": "bufferOverflow",
        "attackCategory": {"id": 5, "shortName": "6842e8ef-db2a-11eb-91d4-005056beea2d", ...},
        "mappings": [],
        "comments": [{"comment": "a comment", "timestamp": 1650880294784, ...}],
        "references": ["CVE-2001-0010", "https://www.cvedetails.com/cve/CVE-2001-0010/?lang=en&ts=1234"],
        "labels": ["testLabel"],
        "info": "ISC BIND is the most popular implementation of the DNS protocol for Linux and Unix DNS servers. ...",
        "description": "DNS - Detected DNS packet longer than a given length that contains a TSIG resource record.",
        "internalReference": null,
        "links": ["http://www.cert.org/advisories/CA-2001-02.html", "http://xforce.iss.net/xforce/xfdb/6015"],
        ...
      },
      "size": 0
    }
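A client-side parser for this alarm response, added here as an example (it is not Argus's own client library). It checks the response envelope's responseCode before trusting the payload, then normalizes the alarm: attack category, mapped-signature count, and the CVE identifiers pulled from both the bare references and the reference URLs. The sample document is taken from the example above with the elided fields dropped so that it is valid JSON.

```python
import json
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample response derived from the abbreviated example on this page; the
# elided ("...") fields are omitted so that it parses as valid JSON.
SAMPLE_RESPONSE = """
{"responseCode":200,"limit":0,"offset":0,"count":0,"metaData":{},"messages":[],
 "data":{"id":2,"shortName":"bufferOverflow",
   "attackCategory":{"id":5,"shortName":"6842e8ef-db2a-11eb-91d4-005056beea2d"},
   "mappings":[],
   "comments":[{"comment":"a comment","timestamp":1650880294784}],
   "references":["CVE-2001-0010",
                 "https://www.cvedetails.com/cve/CVE-2001-0010/?lang=en&ts=1234"],
   "labels":["testLabel"],
   "info":"ISC BIND is the most popular implementation of the DNS protocol for Linux and Unix DNS servers.",
   "description":"DNS - Detected DNS packet longer than a given length that contains a TSIG resource record.",
   "internalReference":null,
   "links":["http://www.cert.org/advisories/CA-2001-02.html","http://xforce.iss.net/xforce/xfdb/6015"]},
 "size":0}
"""

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")  # matches bare IDs and IDs embedded in URLs

class ArgusApiError(Exception):
    pass  # raised when the envelope reports a responseCode other than 200

@dataclass
class Alarm:
    id: int
    short_name: str
    attack_category: Optional[str]   # shortName of the Argus attack category, if any
    cves: List[str]                  # distinct CVE IDs found in the references list
    labels: List[str]
    links: List[str]
    mapped_signatures: int           # number of signatures mapped to this alarm

def unwrap(envelope: dict) -> dict:
    """Check the Argus envelope's responseCode and return its data payload."""
    if envelope.get("responseCode") != 200:
        raise ArgusApiError(f"{envelope.get('responseCode')}: {envelope.get('messages')}")
    return envelope["data"]

def parse_alarm(raw_json: str) -> Alarm:
    """Parse one alarm response into a normalized Alarm record."""
    data = unwrap(json.loads(raw_json))
    category = data.get("attackCategory") or {}
    cves = sorted({m.group(0) for ref in data.get("references", []) for m in CVE_RE.finditer(ref)})
    return Alarm(id=data["id"], short_name=data["shortName"], attack_category=category.get("shortName"),
                 cves=cves, labels=list(data.get("labels", [])), links=list(data.get("links", [])),
                 mapped_signatures=len(data.get("mappings", [])))
```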