Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.blinkops.com/llms.txt

Use this file to discover all available pages before exploring further.

Triggers a workflow on every new case. Endpoint: /threat-center/v1/search/cases
Workflows with this trigger check for new events every 5 minutes by default. You can adjust this interval in the Trigger settings.

Sample Event

{
	"alertCreationTimestamp": "2024-04-17T11:45:54.421",
	"alertId": "c867bae5-3c21-4c98-a142-953c01dce1df",
	"approxLogTime": "2024-04-17T11:41:47.564",
	"assignee": "si-user-1@exabeam.com",
	"assigneeId": "64f9e3ef1793b179824a8961",
	"creationTimestamp": "2024-04-17T11:48:47.559",
	"caseId": "e77e5002-bd35-4e7b-a532-cd76341ef6f3",
	"creationBy": "system",
	"stage": "CLOSED",
	"closedReason": "Closed via automation",
	"alertDescriptionRt": "Suspicious activity detected on host",
	"hasAttachments": false,
	"isDeleted": false,
	"lastModifiedBy": "si-user-1@exabeam.com",
	"lastModifiedTimestamp": "2024-04-17T11:55:19.127",
	"mitres": [
		{
			"tacticKey": "TA0004",
			"tactic": "Privilege Escalation",
			"techniqueKey": "T1078",
			"technique": "Valid Accounts"
		},
		{
			"tacticKey": "TA0011",
			"tactic": "Command and Control",
			"techniqueKey": "T1090",
			"technique": "Proxy"
		},
		{
			"tacticKey": "TA0005",
			"tactic": "Defense Evasion",
			"techniqueKey": "T1078",
			"technique": "Valid Accounts"
		},
		{
			"tacticKey": "TA0011",
			"tactic": "Command and Control",
			"techniqueKey": "T1071",
			"technique": "Application Layer Protocol"
		},
		{
			"tacticKey": "TA0001",
			"tactic": "Initial Access",
			"techniqueKey": "T1078",
			"technique": "Valid Accounts"
		},
		{
			"tacticKey": "TA0003",
			"tactic": "Persistence",
			"techniqueKey": "T1078",
			"technique": "Valid Accounts"
		}
	],
	"alertName": "Multiple Anomalies",
	"priority": "HIGH",
	"riskScore": 71,
	"queue": "Tier 1 Analyst",
	"status": "READ",
	"tags": [],
	"useCases": [
		"Compromised Credentials",
		"Evasion",
		"Malware",
		"Abnormal Authentication & Access"
	],
	"products": [
		"NG Analytics"
	],
	"vendors": [
		"Exabeam"
	],
	"srcHosts": [],
	"srcIps": [
		"10.0.83.177"
	],
	"destHosts": [],
	"destIps": [
		"102.130.113.9"
	],
	"users": [
		"GeorgeMartin"
	],
	"groupedbyKey": "User",
	"groupedbyValue": "georgemartin",
	"ingestTimestamp": "2024-04-17T11:47:54.143",
	"srcEndpoints": [
		{
			"ip": "10.0.83.177",
			"host": "host164"
		}
	],
	"destEndpoints": [
		{
			"ip": "102.130.113.9",
			"host": "host256"
		}
	]
}