threat-intel

Threat Intelligence module

threat-intel Specification

Parameter             Value
Type                  Intermediate Resource
Element Name          threat-intel
Element URI           /axapi/v3/threat-intel
Element Attributes    threat-intel_attributes
Partition Visibility  shared
Schema                threat-intel schema

Operations Allowed:

Operation    Method  URI                      Payload
Get Object   GET     /axapi/v3/threat-intel   threat-intel_attributes

threat-intel attributes

threat-feed-list

Type: List

Reference Object: /axapi/v3/threat-intel/threat-feed/{type}

threat-list-list

Type: List

Reference Object: /axapi/v3/threat-intel/threat-list/{name}

webroot-database

Description: webroot-database is a JSON block; see the webroot-database section below.

Type: Object

Reference Object: /axapi/v3/threat-intel/webroot-database

webroot-global

Description: webroot-global is a JSON block; see the webroot-global section below.

Type: Object

Reference Object: /axapi/v3/threat-intel/webroot-global

webroot-ip-category

Description: webroot-ip-category is a JSON block; see the webroot-ip-category section below.

Type: Object

Reference Object: /axapi/v3/threat-intel/webroot-ip-category

webroot-log

Description: webroot-log is a JSON block; see the webroot-log section below.

Type: Object

Reference Object: /axapi/v3/threat-intel/webroot-log

threat-list-list

Specification Value
Type list
Block object keys  

all-categories

Description Enable all categories

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

Mutual Exclusion: all-categories is mutually exclusive with each of the individual category flags (spam-sources, windows-exploits, web-attacks, botnets, scanners, dos-attacks, reputation, phishing, proxy, mobile-threats, and tor-proxy); the individual flags may be combined with one another

botnets

Description Botnet C&C channels, and infected zombie machines controlled by Bot master

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

Mutual Exclusion: botnets and all-categories are mutually exclusive

dos-attacks

Description IPs participating in DoS, DDoS, anomalous SYN flood, and anomalous traffic detection

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

Mutual Exclusion: dos-attacks and all-categories are mutually exclusive

mobile-threats

Description IPs associated with mobile threats

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

Mutual Exclusion: mobile-threats and all-categories are mutually exclusive

name

Description Threat category List name

Type: string

Maximum Length: 63 characters

Minimum Length: 1 character

phishing

Description IP addresses hosting phishing sites, ad click fraud or gaming fraud

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

Mutual Exclusion: phishing and all-categories are mutually exclusive

proxy

Description IP addresses providing proxy services

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

Mutual Exclusion: proxy and all-categories are mutually exclusive

reputation

Description IP addresses currently known to be infected with malware

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

Mutual Exclusion: reputation and all-categories are mutually exclusive

sampling-enable

Type: List

scanners

Description IPs associated with probes, host scans, domain scans, and password brute-force attacks

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

Mutual Exclusion: scanners and all-categories are mutually exclusive

spam-sources

Description IPs tunneling spam messages through a proxy, anomalous SMTP activity, and forum spam activity

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

Mutual Exclusion: spam-sources and all-categories are mutually exclusive

tor-proxy

Description IPs providing Tor proxy services

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

Mutual Exclusion: tor-proxy and all-categories are mutually exclusive

type

Description ‘webroot’: Configure Webroot threat categories;

Type: string

Supported Values: webroot

user-tag

Description Customized tag

Type: string

Format: string-rlx

Maximum Length: 127 characters

Minimum Length: 1 character

uuid

Description uuid of the object

Type: string

Maximum Length: 64 characters

Minimum Length: 1 character

web-attacks

Description IPs associated with cross-site scripting, iFrame injection, SQL injection, cross-domain injection, or domain password brute force

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

Mutual Exclusion: web-attacks and all-categories are mutually exclusive

windows-exploits

Description IPs associated with malware, shellcode, rootkits, worms, or viruses

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

Mutual Exclusion: windows-exploits and all-categories are mutually exclusive

threat-list-list_sampling-enable

Specification Value
Type list
Block object keys  

counters1

Description ‘all’: all; ‘spam-sources’: Hits for spam sources; ‘windows-exploits’: Hits for windows exploits; ‘web-attacks’: Hits for web attacks; ‘botnets’: Hits for botnets; ‘scanners’: Hits for scanners; ‘dos-attacks’: Hits for dos attacks; ‘reputation’: Hits for reputation; ‘phishing’: Hits for phishing; ‘proxy’: Hits for proxy; ‘mobile-threats’: Hits for mobile threats; ‘tor-proxy’: Hits for tor-proxy; ‘total-hits’: Total hits for threat-list;

Type: string

Supported Values: all, spam-sources, windows-exploits, web-attacks, botnets, scanners, dos-attacks, reputation, phishing, proxy, mobile-threats, tor-proxy, total-hits
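The threat-list object above carries several constraints a client has to respect before the device will accept it: name length 1-63, type fixed to webroot, all-categories mutually exclusive with every individual category flag, and sampling-enable restricted to the counters1 values listed. The following Python builder, an added example and not code from A10 or from this reference, encodes those constraints so a malformed request is rejected client-side; it assumes the usual aXAPI v3 convention that the object is wrapped as {"threat-list": {...}} and created with a POST to the collection URI /axapi/v3/threat-intel/threat-list (this page lists only the per-object reference URI, so the collection URI is an assumption).

```python
"""Added example (not from the A10 aXAPI reference): build and check a
threat-intel/threat-list payload against the constraints this page lists.
Assumed: the object is wrapped as {"threat-list": {...}} and created with a
POST to /axapi/v3/threat-intel/threat-list, the usual aXAPI v3 convention."""
import json

# Individual Webroot categories listed on this page (all booleans, default 0).
CATEGORIES = (
    "spam-sources", "windows-exploits", "web-attacks", "botnets", "scanners",
    "dos-attacks", "reputation", "phishing", "proxy", "mobile-threats", "tor-proxy",
)
# Allowed values for sampling-enable[].counters1 on a threat-list.
COUNTERS = ("all",) + CATEGORIES + ("total-hits",)
URI = "/axapi/v3/threat-intel/threat-list"  # assumed collection URI for POST


def build_threat_list(name, categories=(), all_categories=False, counters=(), user_tag=None):
    """Return (method, uri, payload) for creating a threat-list, or raise
    ValueError when the request would violate a constraint on this page."""
    if not 1 <= len(name) <= 63:
        raise ValueError("name must be 1-63 characters")
    unknown = sorted(set(categories) - set(CATEGORIES))
    if unknown:
        raise ValueError(f"unknown categories: {unknown}")
    # all-categories is mutually exclusive with every individual category flag.
    if all_categories and categories:
        raise ValueError("all-categories cannot be combined with individual categories")
    bad_counters = sorted(set(counters) - set(COUNTERS))
    if bad_counters:
        raise ValueError(f"unsupported counters1 values: {bad_counters}")
    if user_tag is not None and not 1 <= len(user_tag) <= 127:
        raise ValueError("user-tag must be 1-127 characters")

    obj = {"name": name, "type": "webroot"}  # 'webroot' is the only supported type
    if all_categories:
        obj["all-categories"] = 1
    for cat in CATEGORIES:
        if cat in categories:
            obj[cat] = 1  # booleans accept true/false/1/0; 1 = enabled
    if counters:
        obj["sampling-enable"] = [{"counters1": c} for c in counters]
    if user_tag:
        obj["user-tag"] = user_tag
    return "POST", URI, {"threat-list": obj}


def enabled_categories(payload):
    """Categories the device would treat as enabled for the given payload."""
    obj = payload["threat-list"]
    if obj.get("all-categories") in (1, True, "true"):
        return set(CATEGORIES)
    return {c for c in CATEGORIES if obj.get(c) in (1, True, "true")}


if __name__ == "__main__":
    method, uri, body = build_threat_list(
        "block-c2", categories=["botnets", "dos-attacks"],
        counters=["botnets", "total-hits"])
    print(method, uri)
    print(json.dumps(body, indent=2))
```

Only the categories you set appear in the payload; omitted flags keep their documented default of 0, so reading the object back and passing it through enabled_categories gives the effective category set regardless of whether the device returns 1/0 or true/false.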

webroot-log

Specification Value
Type object

uuid

Description uuid of the object

Type: string

Maximum Length: 64 characters

Minimum Length: 1 character

webroot-global

Specification Value
Type object

sampling-enable

Type: List

uuid

Description uuid of the object

Type: string

Maximum Length: 64 characters

Minimum Length: 1 character

webroot-global_sampling-enable

Specification Value
Type list
Block object keys  

counters1

Description ‘all’: all; ‘spam-sources’: Hits for spam sources; ‘windows-exploits’: Hits for windows exploits; ‘web-attacks’: Hits for web attacks; ‘botnets’: Hits for botnets; ‘scanners’: Hits for scanners; ‘dos-attacks’: Hits for dos attacks; ‘reputation’: Hits for reputation; ‘phishing’: Hits for phishing; ‘proxy’: Hits for proxy; ‘mobile-threats’: Hits for mobile threats; ‘tor-proxy’: Hits for tor-proxy; ‘rtu-lookup’: Number of lookups in RTU cache; ‘database-lookup’: Number of lookups in database; ‘non-malicious-ips’: IPs not found in database or RTU cache;

Type: string

Supported Values: all, spam-sources, windows-exploits, web-attacks, botnets, scanners, dos-attacks, reputation, phishing, proxy, mobile-threats, tor-proxy, rtu-lookup, database-lookup, non-malicious-ips

webroot-database

Specification Value
Type object

uuid

Description uuid of the object

Type: string

Maximum Length: 64 characters

Minimum Length: 1 character

threat-feed-list

Specification Value
Type list
Block object keys  

domain

Description NTLM realm (domain) used for proxy authentication

Type: string

Maximum Length: 127 characters

Minimum Length: 1 character

enable

Description Enable module

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

encrypted

Description Do NOT use this option manually. (This is an A10 reserved keyword.) (The ENCRYPTED secret string)

log-level

Description ‘disable’: Disable all logging; ‘error’: Log error events; ‘warning’: Log warning events and above; ‘info’: Log info events and above; ‘debug’: Log debug events and above; ‘trace’: enable all logs;

Type: string

Supported Values: disable, error, warning, info, debug, trace

Default: warning

port

Description Port on which to query the server (default 443)

Type: number

Range: 1-65535

Default: 443

proxy-auth-type

Description ‘ntlm’: NTLM authentication(default); ‘basic’: Basic authentication;

Type: string

Supported Values: ntlm, basic

Default: ntlm

proxy-host

Description Proxy server hostname or IP address

Type: string

Maximum Length: 255 characters

Minimum Length: 1 character

proxy-password

Description Flag indicating that a proxy password is configured; the value itself is supplied in secret-string (cleartext) or encrypted

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

proxy-port

Description Port to connect on proxy server

Type: number

Range: 1-65535

proxy-username

Description Username for proxy authentication

Type: string

Maximum Length: 127 characters

Minimum Length: 1 character

rtu-update-disable

Description Disables real-time (RTU) updates; RTU updates are enabled by default

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

secret-string

Description Proxy password value (the cleartext counterpart of encrypted)

Type: string

Format: password

Maximum Length: 127 characters

Minimum Length: 1 character

server

Description Server IP or Hostname

Type: string

Maximum Length: 255 characters

Minimum Length: 1 character

server-timeout

Description Server Timeout in seconds (default: 15s)

Type: number

Range: 1-30

Default: 15

type

Description ‘webroot’: Configure Webroot module options;

Type: string

Supported Values: webroot

update-interval

Description Interval, in minutes, at which to check for database or RTU updates (default 120)

Type: number

Range: 10-14400

Default: 120

use-mgmt-port

Description Use management interface for all communication with threat-intel server

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

user-tag

Description Customized tag

Type: string

Format: string-rlx

Maximum Length: 127 characters

Minimum Length: 1 character

uuid

Description uuid of the object

Type: string

Maximum Length: 64 characters

Minimum Length: 1 character
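The threat-feed object is where the credentials live: proxy-password is only a flag, the cleartext goes in secret-string, and encrypted is device-generated and must not be set by a client. The Python below is an added example, not code from A10 or from this reference. It builds a threat-feed payload within the ranges on this page (port 1-65535, server-timeout 1-30, update-interval 10-14400, log-level and proxy-auth-type from their listed values), produces a redacted copy that is safe to log, and assembles the GET listed under Operations Allowed plus a creating POST as urllib Request objects without sending them. Not on this page and therefore assumed: the device address, the collection URI /axapi/v3/threat-intel/threat-feed for the POST, and the aXAPI v3 session scheme in which a signature obtained from /axapi/v3/auth is sent as "Authorization: A10 <signature>".

```python
"""Added example (not from the A10 aXAPI reference): build a threat-feed
object under the constraints on this page, redact its secret before logging,
and assemble aXAPI v3 requests without sending them.
Assumed (not on this page): the device address, the collection URI for POST,
and the 'Authorization: A10 <signature>' session header of aXAPI v3."""
import json
import urllib.request

BASE = "https://10.0.0.1"  # constructed device address
FEED_URI = "/axapi/v3/threat-intel/threat-feed"  # assumed collection URI
LOG_LEVELS = ("disable", "error", "warning", "info", "debug", "trace")


def _check_range(name, value, lo, hi):
    if not isinstance(value, int) or not lo <= value <= hi:
        raise ValueError(f"{name} must be an integer in {lo}-{hi}")


def build_threat_feed(server, port=443, server_timeout=15, update_interval=120,
                      rtu_update_disable=False, log_level="warning",
                      use_mgmt_port=False, proxy=None):
    """Return the {"threat-feed": {...}} payload. `proxy` is an optional dict
    with host, port, username, password and optional auth_type/domain."""
    if not 1 <= len(server) <= 255:
        raise ValueError("server must be 1-255 characters")
    _check_range("port", port, 1, 65535)
    _check_range("server-timeout", server_timeout, 1, 30)
    _check_range("update-interval", update_interval, 10, 14400)
    if log_level not in LOG_LEVELS:
        raise ValueError("unsupported log-level")
    obj = {
        "type": "webroot", "enable": 1, "server": server, "port": port,
        "server-timeout": server_timeout, "update-interval": update_interval,
        "rtu-update-disable": int(rtu_update_disable), "log-level": log_level,
        "use-mgmt-port": int(use_mgmt_port),
    }
    if proxy:
        auth_type = proxy.get("auth_type", "ntlm")  # ntlm is the documented default
        if auth_type not in ("ntlm", "basic"):
            raise ValueError("proxy-auth-type must be ntlm or basic")
        _check_range("proxy-port", proxy["port"], 1, 65535)
        if not 1 <= len(proxy["username"]) <= 127 or not 1 <= len(proxy["password"]) <= 127:
            raise ValueError("proxy-username/secret-string must be 1-127 characters")
        obj.update({
            "proxy-host": proxy["host"], "proxy-port": proxy["port"],
            "proxy-auth-type": auth_type, "proxy-username": proxy["username"],
            # proxy-password is a flag; the cleartext goes in secret-string.
            # 'encrypted' is reserved for the device and is never set here.
            "proxy-password": 1, "secret-string": proxy["password"],
        })
        if auth_type == "ntlm" and proxy.get("domain"):
            obj["domain"] = proxy["domain"]  # NTLM realm
    return {"threat-feed": obj}


def redacted(payload):
    """Copy of the payload safe to log: secret-string and encrypted masked."""
    obj = dict(payload["threat-feed"])
    for key in ("secret-string", "encrypted"):
        if key in obj:
            obj[key] = "***"
    return {"threat-feed": obj}


def axapi_request(method, uri, signature, payload=None):
    """Build (not send) an authenticated aXAPI v3 request."""
    body = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(BASE + uri, data=body, method=method)
    req.add_header("Authorization", f"A10 {signature}")  # assumed header format
    req.add_header("Content-Type", "application/json")
    return req


if __name__ == "__main__":
    feed = build_threat_feed(
        "webroot.example.net", use_mgmt_port=True,
        proxy={"host": "proxy.corp.example", "port": 8080,
               "username": "svc-threatfeed", "password": "constructed-secret",
               "domain": "CORP"})
    print(json.dumps(redacted(feed), indent=2))
    create = axapi_request("POST", FEED_URI, "constructed-signature", feed)
    show = axapi_request("GET", "/axapi/v3/threat-intel", "constructed-signature")
    print(create.get_method(), create.full_url)
    print(show.get_method(), show.full_url)
```

Send the Request objects with urllib.request.urlopen (or any HTTP client) against a real device; log only the redacted copy, and when a client reads the feed back, expect the password in the encrypted field rather than in secret-string.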

webroot-ip-category

Specification Value
Type object

uuid

Description uuid of the object

Type: string

Maximum Length: 64 characters

Minimum Length: 1 character