Linking towards Clear NDR® GUI

Deeplinking towards Clear NDR® GUI

An external system can link towards the GUI of Clear NDR® via a dedicated URL. The goal of this document is to describe that process and give some examples.

Structure

Example URL linking towards Clear NDR® Hunt GUI that will display and list all detection events related to src_ip:10.12.4.2 and stamus.family_name:Offensive Tools:

https://<address-of-ClearNDR>/stamus/deeplink/?page=events&src_ip=10.12.4.2&stamus.family_name=Offensive Tools

Params:

  • page is optional, possible values:

    • dashboard (default value)

    • events

    • detection_methods

    • hosts

    • inventory

Any filter that is valid in the GUI can be used, including and/or logic. es_filter is also supported, for example:

https://<IP>/stamus/deeplink/?page=events&es_filter=src_ip:13.2.34.2 OR src_ip:12.2.32.4

Examples

The URL below will link towards Clear NDR® Hunt GUI that will display and list all detection events where the flow_id is 1759975807723962:

https://<address-of-ClearNDR>/stamus/deeplink/?page=events&flow_id=1759975807723962

The URL below will link towards Clear NDR® Hunt GUI that will display and list all detection events where the community_id is 1:Xx4gXJe4J9ALL4ch/E/47+Lf2kY=:

https://<address-of-ClearNDR>/stamus/deeplink/?page=events&community_id=1:Xx4gXJe4J9ALL4ch/E/47+Lf2kY=

The URL below will link towards Clear NDR® Hunt GUI that will display and list all detection events related to ip=10.7.5.101 (this matches either the source or the destination IP):

https://<address-of-ClearNDR>/stamus/deeplink/?page=events&ip=10.7.5.101

The URL below will link towards Clear NDR® Hunt GUI that will display the one specific event with the globally unique identifier dcda932d-299b-446e-9133-ba327e9660cf:

https://<address-of-ClearNDR>/stamus/deeplink/?page=events&uuid=dcda932d-299b-446e-9133-ba327e9660cf

Hint

Follow the link to discover how to enable per-event UUID generation.

The URL below will link towards Clear NDR® Hunt GUI that will display and list all detection events where the source IP is either 13.2.34.2 or 12.2.32.4:

https://<IP>/stamus/deeplink/?page=events&es_filter=src_ip:13.2.34.2 OR src_ip:12.2.32.4

Deep linking to DoC/DOPV GUI

Some specific metadata can be used to directly link to the GUI of Clear NDR®. This is mostly the case for some of the fields relative to DoC and DOPV.

Linking to a threat page

Stamus events carry two fields that can be used to link to a threat page in the GUI:

  • stamus.family_id: the family ID of the threat

  • stamus.threat_id: the threat ID of the threat

The URL structure to link to a threat page is as follows:

https://<IP>/stamus/compromises/coverage/{stamus.family_id}/threat/{stamus.threat_id}

To link to the family page, you can use the following URL structure:

https://<IP>/stamus/compromises/coverage/{stamus.family_id}
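As an added example (not part of this documentation or of the Clear NDR® product), the helper below builds the deeplink URLs and the threat/family page URLs described above and percent-encodes every filter value, which matters for values such as community_id (which contains /, + and =) and es_filter (which contains spaces). The address ndr.example.internal and the family/threat ids are placeholders.

```python
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Page values documented for the /stamus/deeplink/ endpoint.
DEEPLINK_PAGES = {"dashboard", "events", "detection_methods", "hosts", "inventory"}


def build_deeplink(address, page, filters):
    """Return https://<address>/stamus/deeplink/?page=<page>&<field>=<value>...

    `filters` maps GUI field names (src_ip, community_id, es_filter, ...) to
    values. Every value is percent-encoded, so '/', '+', '=' and spaces in
    community_id or es_filter reach the GUI intact.
    """
    if page not in DEEPLINK_PAGES:
        raise ValueError(f"unknown page {page!r}, expected one of {sorted(DEEPLINK_PAGES)}")
    params = [("page", page)]
    for field, value in filters.items():
        # Field names are plain or dotted identifiers (e.g. stamus.family_name);
        # reject anything else so a caller cannot smuggle in extra parameters.
        if not all(part.isidentifier() for part in field.split(".")):
            raise ValueError(f"invalid field name {field!r}")
        params.append((field, str(value)))
    return f"https://{address}/stamus/deeplink/?{urlencode(params)}"


def build_threat_link(address, family_id, threat_id=None):
    """Return the DoC/DOPV family page, or the threat page when threat_id is given."""
    path = f"/stamus/compromises/coverage/{quote(str(family_id), safe='')}"
    if threat_id is not None:
        path += f"/threat/{quote(str(threat_id), safe='')}"
    return f"https://{address}{path}"


def deeplink_filters(url):
    """Decode a deeplink's query string the way a receiving web app does:
    '%2B' becomes '+', but a bare, unencoded '+' becomes a space."""
    query = parse_qs(urlsplit(url).query, strict_parsing=True)
    return {field: values[0] for field, values in query.items()}


if __name__ == "__main__":
    # Constructed sample: this community_id carries '/', '+' and '=' and must be quoted.
    url = build_deeplink("ndr.example.internal", "events",
                         {"community_id": "1:Xx4gXJe4J9ALL4ch/E/47+Lf2kY="})
    print(url)
    print(deeplink_filters(url)["community_id"])
    print(build_threat_link("ndr.example.internal", "FAMILY_ID_PLACEHOLDER", "THREAT_ID_PLACEHOLDER"))
```

Running deeplink_filters over the unencoded community_id URL shown earlier on this page turns the + into a space, which is why the encoding step is worth keeping when the link is generated by another system.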