Sift Security APIs

This section describes the APIs available for exporting data from Sift Security.

Exporting data from Sift Security

You can construct a query string and send it to Elasticsearch as follows. The hostname is localhost on the assumption that these instructions are carried out on the host running Sift Security; change it to that host's address otherwise. Use Lucene query syntax to filter the documents and modify the query field inside query_string as required. Two caveats: from/size paging is capped at 10,000 hits by Elasticsearch's index.max_result_window setting, so larger exports need the scroll API; and the same HTTP interface on port 9200 exposes all of Sift Security's stored data, so keep it bound to localhost or otherwise restricted to the hosts that need it.

curl -XGET 'localhost:9200/demogen-generic-*/generic/_search?pretty' -H 'Content-Type: application/json' -d'
{
    "from" : 0, "size" : 10000,
    "query": {
        "query_string" : {
            "query" : "src_ip:10.233.0.42 AND host:ws02.siftsec.com"
        }
    }
}
'

Exporting alerts from Sift Security

Similar to the section above, you can modify the query_string field here to retrieve matching alerts from Sift. Range conditions use the field:>=value form (the colon is required), and parentheses make the AND/OR grouping explicit instead of relying on the parser's precedence rules.

curl -XGET 'localhost:9200/demogen-generic-*/alert/_search?pretty' -H 'Content-Type: application/json' -d'
{
    "from" : 0, "size" : 10000,
    "query": {
        "query_string" : {
            "query" : "alert_priority:>=10 AND (host:robert OR src_ip:10.233.0.42)"
        }
    }
}
'
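Both curl examples above stop at Elasticsearch's 10,000-hit cap and return one raw JSON blob. The script below is an added example, not part of Sift Security's documentation or tooling: it runs the same query_string filters through Elasticsearch's scroll API so exports of any size complete, releases the scroll context when done, and writes the hits as NDJSON or CSV. The index pattern demogen-generic-*, the generic and alert document types and the field names come from this page; ES_URL, the batch size, the keep-alive and the output file name are assumptions, and the transport is injectable so the pagination logic can be exercised offline.

```python
"""Scroll-based export of Sift Security documents from Elasticsearch.

Added example, not Sift Security's own code. Uses only the standard library.
"""
import csv
import io
import json
import urllib.request

ES_URL = "http://localhost:9200"      # assumption: Elasticsearch on the Sift host
INDEX_PATTERN = "demogen-generic-*"   # index pattern used throughout this page
BATCH_SIZE = 1000                     # hits per scroll page; must stay <= 10000
SCROLL_KEEPALIVE = "2m"               # how long ES keeps the cursor alive per call


def build_query(lucene_query, size=BATCH_SIZE):
    """Initial search body: the same query_string form as the curl calls,
    but 'size' is now the page size rather than the total result cap."""
    return {"size": size,
            "query": {"query_string": {"query": lucene_query}}}


def es_request(method, path, body=None):
    """Minimal JSON-over-HTTP transport (stdlib only)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(ES_URL + path, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def scroll_export(doc_type, lucene_query, send=es_request):
    """Yield the _source of every document matching lucene_query.

    send(method, path, body) is injectable so the loop can be tested against
    a fake transport. Each page after the first is fetched with the
    _scroll_id of the previous one; an empty page ends the loop, and the
    scroll context is deleted explicitly instead of being left to expire."""
    path = "/%s/%s/_search?scroll=%s" % (INDEX_PATTERN, doc_type, SCROLL_KEEPALIVE)
    page = send("POST", path, build_query(lucene_query))
    scroll_id = page.get("_scroll_id")
    try:
        while True:
            hits = page["hits"]["hits"]
            if not hits:
                break
            for hit in hits:
                yield hit["_source"]
            page = send("POST", "/_search/scroll",
                        {"scroll": SCROLL_KEEPALIVE, "scroll_id": scroll_id})
            scroll_id = page.get("_scroll_id", scroll_id)
    finally:
        if scroll_id:
            send("DELETE", "/_search/scroll", {"scroll_id": [scroll_id]})


def to_ndjson(docs):
    """One JSON object per line; keeps nested fields intact."""
    return "".join(json.dumps(d, sort_keys=True) + "\n" for d in docs)


def to_csv(docs, fields):
    """Flat CSV with a fixed column order; absent fields become empty cells."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, extrasaction="ignore")
    writer.writeheader()
    for d in docs:
        writer.writerow({f: d.get(f, "") for f in fields})
    return buf.getvalue()


if __name__ == "__main__":
    # Same alert filter as the curl example on this page, as a full export.
    query = "alert_priority:>=10 AND (host:robert OR src_ip:10.233.0.42)"
    alerts = list(scroll_export("alert", query))
    with open("sift_alerts.ndjson", "w") as fh:   # output name is an assumption
        fh.write(to_ndjson(alerts))
    print("%d alerts written" % len(alerts))
```

Pass "generic" instead of "alert" as doc_type to export raw events with the first section's filter. NDJSON is the safer default because alert documents can carry nested fields that a flat CSV silently truncates; use to_csv only when you know the column set you need.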

Exporting all of Sift Security’s data

Note

This is under active development. A RESTful API that exports Sift Security's data in standard formats such as CSV and JSON is being built.

Into another Elasticsearch Cluster

You can export all data from Sift Security's storage using Elasticsearch's snapshot feature.

The specific instructions on how to do this are as follows:

  1. Create the repository that becomes the destination of this data dump. The repository can be a mounted drive, HDFS, an AWS S3 bucket, Azure storage, or Google Cloud storage. For the fs type used below, the location must be inside a directory listed under path.repo in elasticsearch.yml on every node, and it must be reachable from both the source cluster and the cluster you restore into.
curl -XPUT 'http://localhost:9200/_snapshot/sift_backup' -H 'Content-Type: application/json' -d '{
    "type": "fs",
    "settings": {
        "location": "/mount/backups/my_backup",
        "compress": true
    }
}'
  2. Snapshot all of Sift Security's data into your repository using the following command. Snapshots run in the background; append wait_for_completion=true to the URL to block until it finishes, or poll the snapshot's state with a GET on the same _snapshot path and wait for SUCCESS before moving on.
curl -XPUT 'localhost:9200/_snapshot/sift_backup/sift_snapshot_1?pretty' -H 'Content-Type: application/json' -d'
{
  "indices": "demogen-generic-*",
  "ignore_unavailable": true,
  "include_global_state": false
}
'
  3. The snapshot can be restored into a new Elasticsearch cluster or instance with the following command, run against the new cluster. First register the same repository there with the command from step 1, pointing at the same location. A restore fails if an open index with the same name already exists on the target, so delete or close such indices first.
curl -XPOST 'localhost:9200/_snapshot/sift_backup/sift_snapshot_1/_restore?pretty' -H 'Content-Type: application/json' -d'
{
  "indices": "demogen-generic-*",
  "index_settings": {
    "index.number_of_replicas": 0
  },
  "ignore_index_settings": [
    "index.refresh_interval"
  ]
}
'
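The three steps above are independent curl calls, so a failed or partial snapshot is only noticed when the restore comes back empty. The script below is an added example, not Sift Security's own tooling: it runs the same three requests with the same bodies, but blocks on completion and checks the repository acknowledgement, the snapshot state and the failed-shard counts before continuing. The repository name, location, snapshot name and index pattern are taken from the commands on this page; SOURCE_URL and TARGET_URL are assumptions, and the transport is injectable so the sequence can be exercised without a cluster.

```python
"""Snapshot Sift Security's indices on one cluster and restore on another,
verifying each step. Added example, not Sift Security's own code."""
import json
import urllib.request

SOURCE_URL = "http://localhost:9200"   # assumption: cluster holding Sift data
TARGET_URL = "http://new-es:9200"      # assumption: cluster to restore into
REPO = "sift_backup"
LOCATION = "/mount/backups/my_backup"  # must be under path.repo on every node
SNAPSHOT = "sift_snapshot_1"
INDICES = "demogen-generic-*"


class SnapshotError(RuntimeError):
    """Raised when a step did not complete cleanly."""


def make_sender(base_url):
    """Return send(method, path, body) bound to one cluster (stdlib only)."""
    def send(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url + path, data=data, method=method,
                                     headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=3600) as resp:
            return json.load(resp)
    return send


def register_repo(send, repo=REPO, location=LOCATION):
    """Step 1, run on either cluster. verify=true (the default, made explicit)
    makes ES confirm every node can write to the location up front."""
    body = {"type": "fs", "settings": {"location": location, "compress": True}}
    resp = send("PUT", "/_snapshot/%s?verify=true" % repo, body)
    if not resp.get("acknowledged"):
        raise SnapshotError("repository %s not acknowledged: %r" % (repo, resp))
    return resp


def take_snapshot(send, repo=REPO, snapshot=SNAPSHOT, indices=INDICES):
    """Step 2. wait_for_completion=true blocks until ES reports a final state,
    so PARTIAL or FAILED snapshots are caught here, not at restore time."""
    body = {"indices": indices, "ignore_unavailable": True,
            "include_global_state": False}
    path = "/_snapshot/%s/%s?wait_for_completion=true" % (repo, snapshot)
    info = send("PUT", path, body)["snapshot"]
    if info["state"] != "SUCCESS" or info["shards"]["failed"]:
        raise SnapshotError("snapshot %s ended in state %s with %d failed shards"
                            % (snapshot, info["state"], info["shards"]["failed"]))
    return info


def restore_snapshot(send, repo=REPO, snapshot=SNAPSHOT, indices=INDICES):
    """Step 3, on the target cluster after register_repo() there. ES refuses
    to restore over open indices, so the pattern must not match any."""
    body = {"indices": indices,
            "index_settings": {"index.number_of_replicas": 0},
            "ignore_index_settings": ["index.refresh_interval"]}
    path = "/_snapshot/%s/%s/_restore?wait_for_completion=true" % (repo, snapshot)
    info = send("POST", path, body)["snapshot"]
    if info["shards"]["failed"]:
        raise SnapshotError("restore of %s: %d shards failed"
                            % (snapshot, info["shards"]["failed"]))
    return info


def migrate(source_send, target_send):
    """Whole procedure: register + snapshot on the source, register + restore
    on the target. Returns the index lists ES reported for both halves."""
    register_repo(source_send)
    snap = take_snapshot(source_send)
    register_repo(target_send)
    restored = restore_snapshot(target_send)
    return {"snapshotted": snap["indices"], "restored": restored["indices"]}


if __name__ == "__main__":
    print(migrate(make_sender(SOURCE_URL), make_sender(TARGET_URL)))
```

Because both clusters register the repository at the same location, the restore step reads the snapshot the source wrote; with a shared filesystem this means the mount must be visible to the new cluster's nodes as well.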