
Heimdal™ Threat Prevention - Network API

The Heimdal™ Threat Prevention - Network customer-facing portal exposes a public HTTP API for pulling eCrime alerts, which is useful for integrating the alerts into Security Management and ticketing systems. The API currently resides at https://ecrime.csis.dk/api/1.0/.


Token authentication

Access to the API is only possible from the IP ranges that are marked as trusted for your business unit. In addition, every HTTP API request must carry your active access token in the HTTP "Authorization" header:

"Authorization: Token <place-your-token-here>"

The token can be generated on the API Access Token page, under the user settings. You can find more information on how to request and deactivate API tokens in the Portal Manual.

Request example:

Curl

curl -H "Authorization: Token 4bfd0c1750a04966b280505fdba2fecf" https://ecrime.csis.dk/api/1.0/alerts/subscribed-alerters

Python

import requests

url = 'https://ecrime.csis.dk/api/1.0/alerts/subscribed-alerters'
headers = {
  'Accept': 'application/json',
  'Authorization': 'Token 4bfd0c1750a04966b280505fdba2fecf',  # replace with your own token
}
r = requests.get(url, headers=headers)
r.raise_for_status()  # fail loudly on a non-2xx response (e.g. a bad token or a request from an untrusted IP range)
alerters = r.json()

Postman

[Screenshot authorization.JPG: the "Authorization" header with the value "Token <your token>" as entered in Postman]


APIs

https://ecrime.csis.dk/api/1.0/alerts/subscribed-alerters - lists information about all subscribed alerters the current user has access to.

Example:

curl -H "Authorization: Token 4bfd0c1750a04966b280505fdba2fecf" https://ecrime.csis.dk/api/1.0/alerts/subscribed-alerters

Expected return:

{
  "objects": [
    {
      "display_name": "Secure DNS",
      "id": 11,
      "name": "secdns"
    },
    {
      "display_name": "Management Reports",
      "id": 22,
      "name": "reporting"
    }
  ]
}


https://ecrime.csis.dk/api/1.0/alerts/?released-after=2020-11-01 - lists all alerts released after 2020-11-01. The released-after value is a string in one of two formats: a date (yyyy-mm-dd) or a datetime (yyyy-mm-dd hh:mm:ss). When using the datetime form, the space and colons must be URL-encoded (most HTTP libraries do this for you).

Example:

curl -H "Authorization: Token 4bfd0c1750a04966b280505fdba2fecf" https://ecrime.csis.dk/api/1.0/alerts/?released-after=2020-11-01

Expected return:

{
  "objects": [
    {
      "alerter": "secdns",
      "display_name": "Secure DNS",
      "id": 123456788,
      "name": "Low",
      "owner": "Heimdal Security",
      "released": "2020-11-01 08:08:30 ",
      "severity": "Low",
      "text": "\nInfection Name: adware\nHits: 1\nBusiness Unit: Heimdal Security\nSeen: 2020-11-01 07:00:00 - 2020-11-11 08:00:00\n\nTime Rule Name IP Type Request \n2020-11-01 07:43 192.168.1.80 192.168.1.80 dns-query-blocked blockedbycsis.com",
      "title": "Possible infection detected: adware"
    },
    {
      "alerter": "secdns",
      "display_name": "Secure DNS",
      "id": 123456789,
      "name": "Low",
      "owner": "Heimdal Security",
      "released": "2020-11-01 09:08:30 ",
      "severity": "Low",
      "text": "\nInfection Name: adware\nHits: 1\nBusiness Unit: Heimdal Security\nSeen: 2020-11-01 08:00:00 - 2020-11-11 09:00:00\n\nTime Rule Name IP Type Request \n2020-11-01 08:43 192.168.1.80 192.168.1.80 dns-query-blocked blockedbycsis.com",
      "title": "Possible infection detected: adware"
    }
  ]
}


https://ecrime.csis.dk/api/1.0/alerts/?released-before=2019-11-01 - lists all alerts released before 2019-11-01. The released-before value is a string in one of two formats: a date (yyyy-mm-dd) or a datetime (yyyy-mm-dd hh:mm:ss). Both keys can be combined in one request to select a window of alerts.

Example:

curl -H "Authorization: Token 4bfd0c1750a04966b280505fdba2fecf" https://ecrime.csis.dk/api/1.0/alerts/?released-before=2019-11-01

Expected return:

{
  "objects": [
    {
      "alerter": "secdns",
      "display_name": "Secure DNS",
      "id": 123456788,
      "name": "Low",
      "owner": "Heimdal Security",
      "released": "2019-11-01 08:08:30 ",
      "severity": "Low",
      "text": "\nInfection Name: adware\nHits: 1\nBusiness Unit: Heimdal Security\nSeen: 2019-11-01 07:00:00 - 2020-11-11 08:00:00\n\nTime Rule Name IP Type Request \n2019-11-01 07:43 192.168.1.80 192.168.1.80 dns-query-blocked blockedbycsis.com",
      "title": "Possible infection detected: adware"
    },
    {
      "alerter": "secdns",
      "display_name": "Secure DNS",
      "id": 123456789,
      "name": "Low",
      "owner": "Heimdal Security",
      "released": "2019-11-01 09:08:30 ",
      "severity": "Low",
      "text": "\nInfection Name: adware\nHits: 1\nBusiness Unit: Heimdal Security\nSeen: 2019-11-01 08:00:00 - 2019-11-11 09:00:00\n\nTime Rule Name IP Type Request \n2019-11-01 08:43 192.168.1.80 192.168.1.80 dns-query-blocked blockedbycsis.com",
      "title": "Possible infection detected: adware"
    }
  ]
}


https://ecrime.csis.dk/api/1.0/alerts/?a.severity-eq=5&a.severity-eq=6 - lists all alerts with High severity (a.severity-eq=5) or Critical severity (a.severity-eq=6). Repeating the a.severity-eq key returns alerts matching any of the listed severities.

The value of a.severity-eq can be one of the following: 1 N/A, 2 Info, 3 Low, 4 Medium, 5 High, 6 Critical, 7 False Positive.

Example (the URL is quoted because an unquoted & is treated by the shell as a background operator and the second parameter would be dropped):

curl -H "Authorization: Token 4bfd0c1750a04966b280505fdba2fecf" "https://ecrime.csis.dk/api/1.0/alerts/?a.severity-eq=5&a.severity-eq=6"

Expected return:

{
  "objects": [
    {
      "alerter": "secdns",
      "display_name": "Secure DNS",
      "id": 123456788,
      "name": "High",
      "owner": "Heimdal Security",
      "released": "2020-11-11 08:08:30 ",
      "severity": "High",
      "text": "\nInfection Name: adware\nHits: 1\nBusiness Unit: Heimdal Security\nSeen: 2020-11-11 07:00:00 - 2020-11-11 08:00:00\n\nTime Rule Name IP Type Request \n2020-11-11 07:43 192.168.1.80 192.168.1.80 dns-query-blocked blockedbycsis.com",
      "title": "Possible infection detected: adware"
    },
    {
      "alerter": "secdns",
      "display_name": "Secure DNS",
      "id": 123456789,
      "name": "Critical",
      "owner": "Heimdal Security",
      "released": "2020-11-11 09:08:30 ",
      "severity": "Critical",
      "text": "\nInfection Name: adware\nHits: 1\nBusiness Unit: Heimdal Security\nSeen: 2020-11-11 07:00:00 - 2020-11-11 09:00:00\n\nTime Rule Name IP Type Request \n2020-11-11 08:43 192.168.1.80 192.168.1.80 dns-query-blocked blockedbycsis.com",
      "title": "Possible infection detected: adware"
    },
    {...}
  ]
}

https://ecrime.csis.dk/api/1.0/alerts/<Alert ID> - fetches a single alert with the given ID.

Example:

curl -H "Authorization: Token 4bfd0c1750a04966b280505fdba2fecf" https://ecrime.csis.dk/api/1.0/alerts/9999999

Expected return:

{
  "objects": [
    {
      "alerter": "secdns",
      "display_name": "Secure DNS",
      "id": 9999999,
      "name": "Info",
      "owner": "Example Business Unit",
      "released": "YYYY-MM-DD HH:mm:ss",
      "severity": "Info",
      "title": "Typo domain: exaample.com",
      "text": "Domain Name:\n\texaample.com\n\nTarget Domain Name:\n\texample.com..."
    }
  ]
}
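The endpoints above are meant to feed a Security Management or ticketing system, which in practice means polling with a released-after watermark, selecting the severities you care about, and turning the free-text "text" field into structured fields. The following is an added example of such a poller and is not Heimdal or CSIS code; it assumes only the endpoints, query keys and response fields documented on this page. The environment variable name HEIMDAL_API_TOKEN, the helper names and the use of urllib instead of requests are this example's own choices, and the sample response embedded in it is copied from the page's sample output so the parsing runs offline.

```python
"""Poll the /alerts/ endpoint and shape alerts for a ticketing system.

Added example, not Heimdal/CSIS code. Only the endpoints, query keys and
response fields shown on this page are assumed; the HEIMDAL_API_TOKEN
variable and the helper names are this example's own.
"""
import json
import os
import re
import urllib.parse
import urllib.request
from datetime import datetime

BASE_URL = "https://ecrime.csis.dk/api/1.0"

# Numeric codes accepted by a.severity-eq, as listed on this page.
SEVERITY_CODES = {"N/A": 1, "Info": 2, "Low": 3, "Medium": 4,
                  "High": 5, "Critical": 6, "False Positive": 7}


def build_alerts_url(released_after=None, released_before=None, severities=()):
    """Build an /alerts/ URL. Repeating a.severity-eq selects any of the given
    severities, so the pairs are kept as a list (a dict would collapse them).
    urlencode also escapes the space and colons of a datetime value."""
    params = []
    if released_after:
        params.append(("released-after", released_after))
    if released_before:
        params.append(("released-before", released_before))
    params += [("a.severity-eq", str(SEVERITY_CODES[s])) for s in severities]
    query = urllib.parse.urlencode(params)
    return f"{BASE_URL}/alerts/" + (f"?{query}" if query else "")


def fetch(url, token):
    """GET with the Token header. The token is passed in, never hard-coded,
    and the request must originate from one of your trusted IP ranges."""
    req = urllib.request.Request(url, headers={
        "Accept": "application/json",
        "Authorization": f"Token {token}",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def parse_released(value):
    """The sample responses show trailing whitespace in 'released'; strip it
    before parsing or strptime raises ValueError."""
    return datetime.strptime(value.strip(), "%Y-%m-%d %H:%M:%S")


_KV_LINE = re.compile(r"^([A-Za-z ]+):\s*(.+)$", re.MULTILINE)


def parse_text(text):
    """Pull 'Key: value' pairs out of the free-text alert body. Handles both
    the 'Hits: 1' and the 'Domain Name:<newline><tab>exaample.com' layouts."""
    return {k.strip(): v.strip() for k, v in _KV_LINE.findall(text)}


def to_ticket(alert):
    """Flatten one alert object into the fields a ticket needs."""
    fields = parse_text(alert.get("text", ""))
    hits = fields.get("Hits", "")
    return {
        "id": alert["id"],
        "title": alert["title"],
        "severity": alert["severity"],
        "alerter": alert["alerter"],
        "owner": alert["owner"],
        "released": parse_released(alert["released"]).strftime("%Y-%m-%d %H:%M:%S"),
        "infection": fields.get("Infection Name"),
        "hits": int(hits) if hits.isdigit() else None,
    }


def poll(objects, seen_ids):
    """Return (new tickets, next released-after watermark). Deduplicating by id
    is deliberate: the page does not say whether released-after is inclusive,
    so an alert released exactly at the watermark could be returned again."""
    fresh = [to_ticket(a) for a in objects if a["id"] not in seen_ids]
    seen_ids.update(a["id"] for a in objects)
    latest = max((parse_released(a["released"]) for a in objects), default=None)
    return fresh, (latest.strftime("%Y-%m-%d %H:%M:%S") if latest else None)


# Two objects copied from this page's sample response (constructed data, not live alerts).
SAMPLE_RESPONSE = {"objects": [
    {"alerter": "secdns", "display_name": "Secure DNS", "id": 123456788,
     "name": "Low", "owner": "Heimdal Security", "released": "2020-11-01 08:08:30 ",
     "severity": "Low", "title": "Possible infection detected: adware",
     "text": "\nInfection Name: adware\nHits: 1\nBusiness Unit: Heimdal Security\n"
             "Seen: 2020-11-01 07:00:00 - 2020-11-11 08:00:00\n\nTime Rule Name IP Type Request \n"
             "2020-11-01 07:43 192.168.1.80 192.168.1.80 dns-query-blocked blockedbycsis.com"},
    {"alerter": "secdns", "display_name": "Secure DNS", "id": 123456789,
     "name": "Low", "owner": "Heimdal Security", "released": "2020-11-01 09:08:30 ",
     "severity": "Low", "title": "Possible infection detected: adware",
     "text": "\nInfection Name: adware\nHits: 1\nBusiness Unit: Heimdal Security\n"
             "Seen: 2020-11-01 08:00:00 - 2020-11-11 09:00:00\n\nTime Rule Name IP Type Request \n"
             "2020-11-01 08:43 192.168.1.80 192.168.1.80 dns-query-blocked blockedbycsis.com"},
]}

if __name__ == "__main__":
    # Offline run over the sample: the first alert is already seen, the second is new.
    tickets, watermark = poll(SAMPLE_RESPONSE["objects"], {123456788})
    print(json.dumps(tickets, indent=2), "\nnext released-after:", watermark)
    token = os.environ.get("HEIMDAL_API_TOKEN")  # assumed variable name; live call only if set
    if token:
        url = build_alerts_url(released_after=watermark, severities=("High", "Critical"))
        print(len(fetch(url, token)["objects"]), "High/Critical alerts since", watermark)
```

Persist the returned watermark and the seen ids between runs; the watermark keeps each poll small, and the id set is what protects the ticket queue from duplicates if the API treats the boundary as inclusive or re-releases an alert.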
