NSX-T Data Center REST API

Get the summary of the intrusions that were detected.

Get the summary of all the intrusions that are detected grouped by signature
with details including signature name, id, severity, attack type, protocol,
first and recent occurence, and affected users and VMs.
The following filter criteria are supported: attack target, attack type,
gateway name, IP address, product affected, signature ID and VM name.

Request:

Method:

POST

URI Path(s):

/policy/api/v1/infra/settings/firewall/security/intrusion-services/ids-summary

Request Headers:

n/a

Query Parameters:

ListRequestParameters+

Name	Description	Type	Notes
cursor	Opaque cursor to be used for getting next page of records (supplied by current result page)	string
included_fields	Comma separated list of fields that should be included in query result Note - this parameter currently only works when used with the search APIs /policy/api/v1/search/query and /policy/api/v1/search/dsl. It is ignored for other list APIs.	string
page_size	Maximum number of results to return in this page (server may return fewer)	integer	Minimum: 0 Maximum: 1000 Default: "1000"
sort_ascending		boolean
sort_by	Field by which records are sorted	string

Request Body:

PolicyIdsEventDataRequest+

Name	Description	Type	Notes
filters	Filter conditions An array of filter conditions.	array of FilterRequest

Example Request:

POST https://<policy-mgr>/policy/api/v1/infra/settings/firewall/security/intrusion-services/ids-summary { "filters": [ { "field_names": "signature_detail.signature_id", "value": "4010643" } ] }

Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyIdsSummaryListResult+

Name	Description	Type	Notes
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
cursor	Opaque cursor to be used for getting next page of records (supplied by current result page)	string	Readonly
result_count	Count of results found (across all pages), set only on first page	integer	Readonly
results	Paged collection of intrusions Paged collection of the detected intrusions.	array of PolicyIdsEventsSummary	Readonly Maximum items: 100
sort_ascending	If true, results are sorted in ascending order	boolean	Readonly
sort_by	Field by which records are sorted	string	Readonly

Example Response:

{ "results": [ { "signature_id": 4010643, "total_count": 87, "affected_vm_count": 1, "user_details": { "count": 0, "user_list": [] }, "rule_id": 1001, "is_rule_valid": true, "idsflow_details": { "source_ip": "192.168.56.150", "source_port": 49170, "destination_ip": "178.33.233.154", "destination_port": 80, "protocol": "TCP", "profile_id": "491B2D21-4CEA-48E4-A7C0-98D5DDFE65E3-05-26T18:19491B2D214CEA48E4A7C098D5DDFE65E3", "rule_id": 1001, "action_type": "ALERT", "local_vm_ip": "192.168.56.150", "client_ip": "192.168.56.150" }, "signature_metadata": { "resource_type": "IdsSignature", "signature_id": 4010643, "name": "ET TROJAN [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity", "class_type": "trojan-activity", "signature_revision": 4, "signature_severity": "Major", "cvssv3": "0.0", "cvssv2": "0.0", "tag": [ "Ransomware" ], "action": "alert", "protocol": "http", "direction": "$HOME_NET any -> $EXTERNAL_NET any", "flow": "", "policy": [ "suricata-ids" ], "type": [ "suricata" ], "affected_product": "Windows_XP_Vista_7_8_10_Server_32_64_Bit", "performance_impact": "Low", "enabled": true, "attack_target": "Client_Endpoint", "malware_family": "GandCrab", "severity": "HIGH", "urls": [] }, "first_occurence": 1590516802000, "latest_occurence": 1590517147000, "resource_type": "IDSEvent" } ], "result_count": 1, "sort_by": "displayName", "sort_ascending": false, "cursor": "1" }

NSX-T Data Center REST API

Get the summary of the intrusions that were detected.

Request:

ListRequestParameters (schema)

PolicyIdsEventDataRequest (schema)

Example Request:

Successful Response:

PolicyIdsSummaryListResult (schema)

Example Response:

Required Permissions:

Feature:

Additional Errors: