
Resources examples

This page provides a more extensive list of POST /api/v2/resources examples. Each example contains all of the required resources in a single request; they can be split into multiple requests if needed. The host, user and password values shown for the Elasticsearch integrations are sample values.

Decision intelligence use case with Elasticsearch input

{
"Api Key": {
"properties": {
"name": "Api Key from REST API"
},
"type": "api_key"
},
"Elasticsearch from REST API": {
"properties": {
"title": "Elasticsearch from REST API",
"integration_type": "Elasticsearch",
"parameters": {
"hosts": "192.168.175.175",
"password": "elastic",
"port": 9200,
"schema": "https",
"user": "elastic"
}
},
"type": "integration"
},
"Exposer integration from REST API": {
"properties": {
"title": "Exposer integration from REST API",
"integration_type": "External REST API",
"parameters": {
"api_key": "{{api_keys(name='Api Key from REST API')}}",
"data_type": "JSON alerts"
}
},
"type": "integration"
},
"Exposer input job from REST API": {
"properties": {
"title": "Exposer input job from REST API",
"description": "This is a sample job",
"category": "Decision intelligence",
"decision_points": [
"event.outcome",
"event.category"
],
"advanced_settings": {
"custom_labels": [
{
"name": "Important",
"hex_color": "#a83232"
},
{
"name": "Discard",
"hex_color": "#030bff"
},
{
"name": "Potential risk",
"hex_color": "#ffcd03"
}
]
},
"pipeline_integrations": [
{
"resource": "Exposer integration from REST API",
"integration_type": "input",
"enabled": true,
"parameters": {
"exposed_rest_api_job_tag": "rest_api_exposer",
"max_batch_size": 100
}
},
{
"resource": "Elasticsearch from REST API",
"integration_type": "output",
"enabled": true,
"parameters": {}
}
]
},
"type": "job"
}
}

Decision intelligence use case with External REST API input

 {
"resources": {
"Api Key": {
"properties": {
"name": "Api Key from REST API"
},
"type": "api_key"
},
"Elasticsearch from REST API": {
"properties": {
"title": "Elasticsearch from REST API",
"integration_type": "Elasticsearch",
"parameters": {
"hosts": "192.168.175.175",
"password": "elastic",
"port": 9200,
"schema": "https",
"user": "elastic"
}
},
"type": "integration"
},
"Exposer integration from REST API": {
"properties": {
"title": "Exposer integration from REST API",
"integration_type": "External REST API",
"parameters": {
"api_key": "{{api_keys(name='Api Key from REST API')}}",
"data_type": "JSON alerts"
}
},
"type": "integration"
},
"Exposer input job from REST API": {
"properties": {
"title": "Exposer input job from REST API",
"description": "This is a sample job",
"category": "Decision intelligence",
"decision_points": [
"event.outcome", "event.category"
],
"advanced_settings": {
"custom_labels": [
{
"name": "Important",
"hex_color": "#a83232"
},
{
"name": "Discard",
"hex_color": "#030bff"
},
{
"name": "Potential risk",
"hex_color": "#ffcd03"
}
]
},
"pipeline_integrations": [
{
"resource": "Exposer integration from REST API",
"integration_type": "input",
"enabled": true,
"parameters": {
"exposed_rest_api_job_tag": "rest_api_exposer",
"max_batch_size": 100
}
},
{
"resource": "Elasticsearch from REST API",
"integration_type": "output",
"enabled": true,
"parameters": {
}
}
]
},
"type": "job"
}
}
}

RCA use case with Elasticsearch input

This definition assumes that an Elasticsearch integration named 'Elasticsearch from REST API' already exists.

{
"resources": {
"RCA job from REST API": {
"properties": {
"title": "RCA job from REST API",
"description": "This is a sample job",
"category": "Automated root cause analysis",
"decision_points": [],
"advanced_settings": {
"custom_labels": [
{
"name": "Root cause",
"hex_color": "#a83232"
},
{
"name": "Symptom",
"hex_color": "#030bff"
},
{
"name": "Irrelevant",
"hex_color": "#ffcd03"
}
]
},
"pipeline_integrations": [
{
"resource": "{{integrations(title='Elasticsearch from REST API')}}",
"integration_type": "input",
"enabled": true,
"parameters": {
"index_pattern": "rca-dataset-sample",
"batch_size": 150
}
},
{
"resource": "Elasticsearch from REST API",
"integration_type": "output",
"enabled": true,
"parameters": {

}
}
]
},
"type": "job"
}
}
}

Decision intelligence job with depends_on

The order in which resources are created within a single request can be controlled with the 'depends_on' parameter.

{
"resources": {
"ES Input job from REST API 2": {
"properties": {
"title": "ES Input job from REST API 2",
"description": "This is a sample job",
"category": "Decision intelligence",
"decision_points": [
"suricata.eve.alert.category", "suricata.eve.alert.signature"
],
"advanced_settings": {
"custom_labels": [
{
"name": "Important",
"hex_color": "#a83232"
},
{
"name": "Discard",
"hex_color": "#030bff"
},
{
"name": "Potential risk",
"hex_color": "#ffcd03"
}
]
},
"pipeline_integrations": [
{
"resource": "Elasticsearch from REST API 2",
"integration_type": "input",
"enabled": true,
"parameters": {
"index_pattern": "filebeat-suricata-test",
"batch_size": 150
}
},
{
"resource": "{{integrations(title='Arcanna Internal Storage')}}",
"integration_type": "output",
"enabled": true,
"parameters": {

}
}
]
},
"type": "job",
"depends_on": ["Elasticsearch from REST API 2"]
},
"Elasticsearch from REST API 2": {
"properties": {
"title": "Elasticsearch from REST API 2",
"integration_type": "Elasticsearch",
"parameters": {
"hosts": "192.168.175.175",
"password": "elastic",
"port": 9200,
"schema": "https",
"user": "elastic"
}
},
"type": "integration"
}
}
}

Decision intelligence multi input job

In this case, the definition contains a multi-input job that uses two External REST API integrations as inputs.

{
"resources": {
"Api Key abc": {
"properties": {
"name": "Api Key from REST API abc"
},
"type": "api_key"
},
"Api Key xyz": {
"properties": {
"name": "Api Key from REST API xyz"
},
"type": "api_key"
},
"Exposer integration from REST API abc": {
"properties": {
"title": "Exposer integration from REST API abc",
"integration_type": "External REST API",
"parameters": {
"api_key": "{{api_keys(name='Api Key from REST API abc')}}",
"data_type": "JSON alerts"
}
},
"type": "integration"
},
"Exposer integration from REST API xyz": {
"properties": {
"title": "Exposer integration from REST API xyz",
"integration_type": "External REST API",
"parameters": {
"api_key": "{{api_keys(name='Api Key from REST API xyz')}}",
"data_type": "JSON alerts"
}
},
"type": "integration"
},
"Exposer multi-input job from REST API": {
"properties": {
"title": "Exposer multi-input job from REST API",
"description": "This is a sample multi-input job",
"category": "Decision intelligence",
"decision_points": [
"event.message"
],
"advanced_settings": {
"custom_labels": [
{
"name": "Important",
"hex_color": "#a83232"
},
{
"name": "Discard",
"hex_color": "#030bff"
},
{
"name": "Potential risk",
"hex_color": "#ffcd03"
}
]
},
"pipeline_integrations": [
{
"resource": "Exposer integration from REST API abc",
"integration_type": "input",
"enabled": true,
"parameters": {
"exposed_rest_api_job_tag": "rest_api_exposer_abc",
"max_batch_size": 100
}
},
{
"resource": "Exposer integration from REST API xyz",
"integration_type": "input",
"enabled": true,
"parameters": {
"exposed_rest_api_job_tag": "rest_api_exposer_xyz",
"max_batch_size": 100
}
},
{
"resource": "{{integrations(title='Arcanna Internal Storage')}}",
"integration_type": "output",
"enabled": true,
"parameters": {
}
}
]
},
"type": "job"
}
}
}

Advanced settings on job definition

In this example, auto-retrain (the auto_retrain advanced setting) is enabled as part of the job definition.

{
"resources": {
"ES Input job from REST API 3": {
"properties": {
"title": "ES Input job from REST API 3",
"description": "This is a sample job",
"category": "Decision intelligence",
"decision_points": [
"suricata.eve.alert.category", "suricata.eve.alert.signature"
],
"advanced_settings": {
"custom_labels": [
{
"name": "Important",
"hex_color": "#a83232"
},
{
"name": "Discard",
"hex_color": "#030bff"
},
{
"name": "Potential risk",
"hex_color": "#ffcd03"
}
],
"auto_retrain": {
"enabled": true,
"cron": "0 10 * * *",
"blockers": {
"outliers": true
}
}
},
"pipeline_integrations": [
{
"resource": "{{integrations(title='Elasticsearch from REST API')}}",
"integration_type": "input",
"enabled": true,
"parameters": {
"index_pattern": "filebeat-suricata-test",
"batch_size": 150
}
},
{
"resource": "{{integrations(title='Arcanna Internal Storage')}}",
"integration_type": "output",
"enabled": true,
"parameters": {

}
}
]
},
"type": "job"
}
}
}