SSP Threat Metadata Service Overview

VMware vDefend Security Services Platform Threat Metadata Feed is an API that manages metadata on
threats that may be detected in a protected network. The feed is directly used by the vDefend security
features below:

    Network Detection and Response

The metadata served as part of the Threat Metadata Feed includes information on:
- Threats
- Detectors
- MITRE attack and tactics
- IDS signatures.

All Threat Metadata APIs are fully supported for use in production environments, but are classified under API Policy as "Experimental" in this release, indicating that the API may be changed or removed without notice in a future release.

Getting Started with vDefend Security Services Platform

In connected deployments the feed is fetched and loaded from the VMware Threat Intelligence Service (vTIS). However, the feed can also be loaded through an exposed API when deployed in an airgap environment.

The metadata feed can be loaded by making a PUT request to the /metadata/feed method. If the wrong feed was uploaded by mistake, it
can be deleted by making a DELETE request to the same path.

Security Services Platform APIs are defined using the OpenAPI standards. Clients interact with the API using RESTful web service calls over the HTTPS protocol. Unless otherwise noted, request and response bodies are encoded using JSON, and must conform to the JSON schema associated with each method. The content type of each request and reply is "application/json" unless otherwise specified.

Request Authentication

Basic authentication is used for all Security Services Platform APIs and for the features running on the platform.

To authenticate a request using HTTP Basic authentication, the caller's credentials are passed using the 'Authorization' header. The header content should consist of a base64-encoded string containing the username and password separated by a single colon (":") character, as specified in RFC 1945 section 11.1.

For example, to authenticate a request using the credentials of user admin with password admin, include the following header with the request:
Authorization: Basic YWRtaW46YWRtaW4=

The following cURL command will authenticate to the SSP Ingress using basic authentication and will issue a API request:
curl -k -u USERNAME:PASSWORD https://<SSP>/<api-url> where:

USERNAME is the user to authenticate as,
PASSWORD is the password to provide, and
SSP is the IP address or host name of the Security Services Platform (SSP)

For example:
curl -k -u admin:secretPw99 https://<SSP>/<api-url>

Note: the -k argument instructs cURL to skip verifying the ssp's self-signed X.509 certificate. It is more secure to verify that the server's certificate is signed by a Certificate Authority (CA) that you trust. To do that, omit the -k argument and use the --cacert <ca-file> option, where <ca-file> is a PEM-formatted file containing the CA certificate to trust.

For example:
curl --cacert /home/me/certs/rootca.crt -u admin:secretPw99 https://<SSP>/<api-url>

Additional cURL examples below use the -k flag, but you can always substitute the --rootca <ca-file> argument for additional security.

In the above examples, USERNAME may be:

    A local user name. For example, "admin".
    A remote user name, of the form "user@domain", for example, "joe@example.com". The domain must match a domain for a configured VIDM identity source or a configured LDAP identity source.

Request Failures

It is possible for any request to fail. Errors are reported using standard HTTP response codes aswell as application specific codes. The below table defines the HTTP Status codes these APIs may return

Errors