From 610ced97db101e1fbd7be57d956fa410909737ae Mon Sep 17 00:00:00 2001 From: Chinmay Talekar Date: Fri, 23 Jan 2026 14:45:47 -0500 Subject: [PATCH 1/8] Update signature documentation endpoint from /documentation to /summary with expanded metadata fields This change renames the signature documentation endpoint and significantly expands the response structure to include comprehensive metadata. The new /summary endpoint returns detailed signature information including AI-generated descriptions, MITRE ATT&CK mappings, affected products, CVE references, performance impact, and deployment recommendations. Added two examples showing both AI-generated an --- source/includes/_sids.md | 140 +++++++++++++++++++++++++++++++++------ 1 file changed, 121 insertions(+), 19 deletions(-) diff --git a/source/includes/_sids.md b/source/includes/_sids.md index 79250e0..7899cfc 100644 --- a/source/includes/_sids.md +++ b/source/includes/_sids.md 
@@ -248,53 +248,155 @@ suricata_text | Yes | Example of the rule for Suricata snort_text | Yes | Example of rule for Snort 2.9 -## Get Signature documentation +## Get Signature Summary and Metadata ```shell -curl "https://api.emergingthreats.net/v1/sids/{sid}/documentation" +curl "https://api.emergingthreats.net/v1/sids/{sid}/summary" -H "Authorization: SECRETKEY" ``` ```python import requests api_key = "SECRETKEY" -url = "https://api.emergingthreats.net/v1/sids/{sid}/documentation" +url = "https://api.emergingthreats.net/v1/sids/{sid}/summary" headers = {'Authorization': f'{api_key}'} response = requests.get(url, headers=headers) print(response.json()) ``` -> The JSON response should look something like: +> Example 1: AI-Generated Description (SID 2032904) ```json { "success": true, - "response": - { - "sid": 2000005, - "summary": "This alert is triggered when an attempt is made to exploit a vulnerability in a system or application.", - "description": "An EXPLOIT Attempt event likely occurs when an attacker has attempted to gain - unauthorized access to an asset or service by exploiting a direct vulnerability in an application or - operating system. A successful exploitation of an asset or service may lead to malicious code being left - behind to facilitate remote control. Further investigation may be needed to ascertain if an attacker successfully exploited this asset or service.", - "impact": "Compromised Server" + "response": { + "sid": 2032904, + "metadata": { + "rev": "1", + "sid": "2032904", + "tag": "CISA_KEV, Description Generated By Proofpoint Nexus", + "name": "[FIREEYE] Suspicious Pulse Secure HTTP Request (CVE-2021-22893) M1", + "type": "SID", + "ruleset": "ET", + "category": "EXPLOIT", + "severity": "Major", + "classtype": "attempted-admin", + "tls_state": null, + "mitre_tags": [], + "description": "This Suricata rule detects exploitation attempts targeting Pulse Secure VPN appliances, specifically CVE-2021-22893. 
The rule alerts when HTTP traffic contains suspicious requests to Pulse Secure's web interface paths.\n\nThe rule looks for HTTP requests directed to the home network or HTTP servers with URIs starting with \"/dana\" followed by specific paths like \"/meeting\", \"/fb/smb\", \"/namedusers\", or \"/metric\". It excludes legitimate traffic containing \"welcome.cgi\" to reduce false positives.\n\nCVE-2021-22893 is a critical authentication bypass vulnerability in Pulse Connect Secure 9.0R3/9.1R1 and higher. The vulnerability affects the Windows File Share Browser and Pulse Secure Collaboration features, allowing unauthenticated attackers to execute arbitrary code on the Pulse Connect Secure gateway. This vulnerability has been exploited in the wild.\n\nThe rule references FireEye's research and countermeasures for this vulnerability. The classification \"attempted-admin\" indicates attackers are trying to gain administrative access to the affected systems.\n\nThis is a high-severity threat as it allows unauthenticated remote code execution on VPN appliances that typically serve as critical network entry points for organizations.", + "attack_target": "Server", + "creation_date": "2021-05-05", + "cve_reference": "CVE-2021-22893", + "url_reference": "url,github.com/fireeye/pulsesecure_exploitation_countermeasures|url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html|cve,2021-22893", + "malware_family": null, + "affected_products": "Pulse_Secure", + "deprecation_reason": null, + "last_modified_date": "2021-05-05", + "performance_impact": "Low", + "signature_deployment": "Perimeter" } + } } ``` -This endpoint retrieves the most recent documentation available for the specified sid. 
+ +> Example 2: Standard Description (SID 2029740) + +```json +{ + "success": true, + "response": { + "sid": 2029740, + "metadata": { + "rev": "1", + "sid": "2029740", + "tag": null, + "name": "Cobalt Strike Malleable C2 (Havex APT)", + "type": "SID", + "ruleset": "ET", + "category": "MALWARE", + "severity": "Major", + "classtype": "command-and-control", + "tls_state": null, + "mitre_tags": [ + { + "mitre_tactic_id": "TA0011", + "mitre_tactic_name": "Command_And_Control", + "mitre_technique_id": "T1001", + "mitre_technique_name": "Data_Obfuscation" + } + ], + "description": "Also classifies as MITRE ATT&CK subtechnique .003 - Protocol Impersonation", + "attack_target": "Client_Endpoint", + "creation_date": "2020-03-26", + "cve_reference": "", + "url_reference": "url,github.com/rsmudge/Malleable-C2-Profiles/blob/master/APT/havex.profile", + "malware_family": "Cobalt Strike", + "affected_products": "Windows_XP/Vista/7/8/10/Server_32/64_Bit", + "deprecation_reason": null, + "last_modified_date": "2020-03-26", + "performance_impact": null, + "signature_deployment": "Perimeter" + } + } +} +``` + +This endpoint retrieves comprehensive metadata and documentation for the specified signature (SID), including AI-generated descriptions when available. The metadata includes detailed threat information, MITRE ATT&CK mappings, affected products, CVE references, and deployment recommendations. This is the primary endpoint used by the ET Intelligence UI for displaying signature information. ### HTTP Request -`GET https://api.emergingthreats.net/v1/sids/{sid}/documentation` +`GET https://api.emergingthreats.net/v1/sids/{sid}/summary` ### Response Parameters Parameter | Optional? | Description --------- | --------- | ----------- -sid | No | Sid that was requested -summary | No | Summary of the information this alert is trying to convey. -description | No | Detailed description of the exploit being caught. 
-impact | No | What kinds of systems does this impact +sid | No | Signature ID that was requested +metadata | No | JSON object containing all signature metadata and documentation + +### Metadata Object Fields + +Field | Optional? | Description +----- | --------- | ----------- +sid | No | Signature ID as a string +rev | No | Revision number of the signature +name | No | Full name of the signature/rule +tag | Yes | Comma-separated tags indicating special properties (e.g., "CISA_KEV, Description Generated By Proofpoint Nexus") +description | No | Detailed description of the threat. May be AI-generated (indicated by tag field) or manually written by threat researchers +type | No | Type of signature (typically "SID") +ruleset | No | Ruleset name (e.g., "ET" for Emerging Threats, "ETPRO" for ET Pro) +category | No | Threat category (e.g., "EXPLOIT", "MALWARE", "TROJAN", "POLICY") +severity | No | Severity level (e.g., "Major", "Minor", "Critical") +classtype | No | Snort/Suricata classification type (e.g., "attempted-admin", "trojan-activity") +tls_state | Yes | TLS/SSL state information if applicable +mitre_tags | Yes | Array of MITRE ATT&CK framework mappings +attack_target | Yes | Primary attack target (e.g., "Server", "Client_Endpoint", "Network") +creation_date | No | Date the signature was created (YYYY-MM-DD format) +last_modified_date | No | Date the signature was last modified (YYYY-MM-DD format) +cve_reference | Yes | Related CVE identifier(s), pipe-separated if multiple +url_reference | Yes | Related reference URLs, pipe-separated +malware_family | Yes | Associated malware family name if applicable +affected_products | Yes | Products/systems affected by this threat +deprecation_reason | Yes | Reason for deprecation if signature is deprecated +performance_impact | Yes | Expected performance impact (e.g., "Low", "Medium", "High") +signature_deployment | Yes | Recommended deployment location (e.g., "Perimeter", "Internal") + +### MITRE Tags Object Fields + +Field 
| Description +----- | ----------- +mitre_tactic_id | MITRE ATT&CK Tactic ID (e.g., "TA0011") +mitre_tactic_name | MITRE ATT&CK Tactic name (e.g., "Command_And_Control") +mitre_technique_id | MITRE ATT&CK Technique ID (e.g., "T1001") +mitre_technique_name | MITRE ATT&CK Technique name (e.g., "Data_Obfuscation") + +### Important Notes + +- **AI-Generated Descriptions**: When the `tag` field contains "Description Generated By Proofpoint Nexus" or similar text, the description has been generated or augmented using AI/LLM technology to provide more comprehensive threat context. +- **Description Length**: AI-generated descriptions are typically much longer and more detailed than manually written descriptions, often including technical details, attack vectors, impact analysis, and mitigation context. +- **MITRE ATT&CK Integration**: The `mitre_tags` array provides direct mapping to the MITRE ATT&CK framework for threat intelligence correlation. +- **Null Values**: Some fields may be `null` if the information is not applicable or not available for that particular signature. +- **ETPro Access**: If you request a signature that requires an ETPro subscription and you don't have access, this endpoint will return a 402 Payment Required status. ## Get Signature references From d9dace8cb2eec0a3ef7590c0641c5b792646f194 Mon Sep 17 00:00:00 2001 From: Chinmay Talekar Date: Fri, 23 Jan 2026 14:47:21 -0500 Subject: [PATCH 2/8] Remove BETA labels from CVE, Malware, Threat Actor, and Trends API documentation sections --- source/includes/_cve.md | 2 +- source/includes/_malware.md | 2 +- source/includes/_threatactors.md | 2 +- source/includes/_trends.md | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/source/includes/_cve.md b/source/includes/_cve.md index ee62848..8b3609d 100644 --- a/source/includes/_cve.md +++ b/source/includes/_cve.md @@ -1,4 +1,4 @@ -# CVE Information BETA +# CVE Information ## Get CVE Details 
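Review bot: The `sid` key appears with two types in the first example's response — a number at `response.sid` (`"sid": 2032904`) and a string at `metadata.sid` (`"sid": "2032904"`) — and the Response Parameters and Metadata Object Fields tables document both without saying that consumers must accept either form; the second example repeats this. Example 2 also gives `cve_reference` as `""` where the other absent fields are `null`, while the "Null Values" bullet under Important Notes mentions only `null`, so a reader cannot tell whether an empty string and `null` mean the same thing. The `url_reference` row describes the field as "Related reference URLs, pipe-separated", but the example values are typed pairs that include a CVE entry (`url,github.com/fireeye/pulsesecure_exploitation_countermeasures|...|cve,2021-22893`); `Pipe-separated list of typed references, each written as type,value (e.g., url,github.com/... or cve,2021-22893)` would match the examples. Since `description` may be LLM-generated free text that the ET Intelligence UI renders, stating in its row that it is plain text (paragraphs separated by `\n`, no HTML or Markdown) would tell integrators how to display it safely.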
diff --git a/source/includes/_malware.md b/source/includes/_malware.md index fd12e29..5be003d 100644 --- a/source/includes/_malware.md +++ b/source/includes/_malware.md @@ -1,4 +1,4 @@ -# Malware InformationBETA +# Malware Information ## Get Malware Family Information diff --git a/source/includes/_threatactors.md b/source/includes/_threatactors.md index 4a74329..c5e199f 100644 --- a/source/includes/_threatactors.md +++ b/source/includes/_threatactors.md @@ -1,4 +1,4 @@ -# Threat Actor InformationBETA +# Threat Actor Information ## Get Threat Actor Bio Information diff --git a/source/includes/_trends.md b/source/includes/_trends.md index 818e271..492a9f3 100644 --- a/source/includes/_trends.md +++ b/source/includes/_trends.md @@ -1,4 +1,4 @@ -# Trends InformationBETA +# Trends Information ## Get Trends Information From 0dc8db8245f7817db93973b9b8cc63f2ff5bcd94 Mon Sep 17 00:00:00 2001 From: Chinmay Talekar Date: Fri, 23 Jan 2026 14:59:17 -0500 Subject: [PATCH 3/8] Fix typo in malware endpoint path and add new signature documentation endpoints --- source/index.html.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/source/index.html.md b/source/index.html.md index 9044e9b..a768fa4 100644 --- a/source/index.html.md +++ b/source/index.html.md @@ -51,7 +51,7 @@ code_clipboard: true /v1/ips/{ip}/samples /v1/ips/{ip}/urls -/v1/malare/{malware_family} +/v1/malware/{malware_family} /v1/samples/{md5} /v1/samples/{md5}/connections /v1/samples/{md5}/dns @@ -62,6 +62,9 @@ code_clipboard: true /v1/sids/{sid}/ips /v1/sids/{sid}/domains /v1/sids/{sid}/samples +/v1/sids/{sid}/text +/v1/sids/{sid}/summary +/v1/sids/{sid}/references /v1/actors/{threatactor} ``` From e0e050bb4d2ff2cf574e66a922745eb4fd6fc232 Mon Sep 17 00:00:00 2001 From: Chinmay Talekar Date: Fri, 23 Jan 2026 15:13:22 -0500 Subject: [PATCH 4/8] Add API version and last updated metadata to documentation introduction --- source/index.html.md | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/source/index.html.md b/source/index.html.md index a768fa4..700363e 100644 --- a/source/index.html.md +++ b/source/index.html.md @@ -27,6 +27,9 @@ code_clipboard: true # Introduction +**API Version:** v1 +**Last Updated:** January 2026 + > Summary of Resource URL Patterns ```plaintext From 1e955430463f1e4743bc66242642cb3e8e4d6195 Mon Sep 17 00:00:00 2001 From: Chinmay Talekar Date: Fri, 23 Jan 2026 15:36:20 -0500 Subject: [PATCH 5/8] Upgrade GitHub Actions cache action from v1 to v4 in build and deploy workflows --- .github/workflows/build.yml | 2 +- .github/workflows/deploy.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 3d55c61..0293188 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -21,7 +21,7 @@ jobs: with: ruby-version: ${{ matrix.ruby-version }} - - uses: actions/cache@v1 + - uses: actions/cache@v4 with: path: vendor/bundle key: gems-${{ runner.os }}-${{ matrix.ruby-version }}-${{ hashFiles('**/Gemfile.lock') }} diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 8df9d72..150106b 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -17,7 +17,7 @@ jobs: with: ruby-version: ${{ env.ruby-version }} - - uses: actions/cache@v1 + - uses: actions/cache@v4 with: path: vendor/bundle key: gems-${{ runner.os }}-${{ env.ruby-version }}-${{ hashFiles('**/Gemfile.lock') }} From 438a8097325f3ed433fc099ef8ced17b0dd86413 Mon Sep 17 00:00:00 2001 From: Chinmay Talekar Date: Fri, 23 Jan 2026 15:43:42 -0500 Subject: [PATCH 6/8] Update bundle configuration to use local path and add parallel install options --- .github/workflows/build.yml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 0293188..5b73916 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -26,11 +26,9 @@ jobs: path: vendor/bundle key: gems-${{ runner.os }}-${{ matrix.ruby-version }}-${{ hashFiles('**/Gemfile.lock') }} - # necessary to get ruby 2.3 to work nicely with bundler vendor/bundle cache - # can remove once ruby 2.3 is no longer supported - - run: gem update --system - + # Use a local bundle path so caching vendor/bundle works across Ruby versions + - run: bundle config set path vendor/bundle - run: bundle config set deployment 'true' - - run: bundle install + - run: bundle install --jobs 4 --retry 3 - run: bundle exec middleman build From 73eea268d02506c1d445e3330aff5c49c0acab33 Mon Sep 17 00:00:00 2001 From: Chinmay Talekar Date: Fri, 23 Jan 2026 15:56:58 -0500 Subject: [PATCH 7/8] Update nokogiri dependency from version 1.10.8 to 1.11.0 --- Gemfile | 2 +- Gemfile.lock | 10 ++++++---- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/Gemfile b/Gemfile index 315a86d..4a49d4c 100644 --- a/Gemfile +++ b/Gemfile @@ -8,5 +8,5 @@ gem 'middleman-autoprefixer', '~> 2.7' gem 'middleman-sprockets', '~> 4.1' gem 'rouge', '~> 3.20' gem 'redcarpet', '~> 3.5.0' -gem 'nokogiri', '~> 1.10.8' +gem 'nokogiri', '~> 1.11.0' gem 'sass' diff --git a/Gemfile.lock b/Gemfile.lock index dc76f57..2405f8b 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -77,10 +77,11 @@ GEM middleman-syntax (3.2.0) middleman-core (>= 3.2) rouge (~> 3.2) - mini_portile2 (2.4.0) + mini_portile2 (2.5.3) minitest (5.14.1) - nokogiri (1.10.9) - mini_portile2 (~> 2.4.0) + nokogiri (1.11.7) + mini_portile2 (~> 2.5.0) + racc (~> 1.4) padrino-helpers (0.13.3.4) i18n (~> 0.6, >= 0.6.7) padrino-support (= 0.13.3.4) @@ -89,6 +90,7 @@ GEM activesupport (>= 3.1) parallel (1.19.2) public_suffix (4.0.5) + racc (1.5.2) rack (2.2.3) rb-fsevent (0.10.4) rb-inotify (0.10.1) @@ -124,7 +126,7 @@ DEPENDENCIES middleman-autoprefixer (~> 2.7) middleman-sprockets (~> 4.1) middleman-syntax (~> 3.2) - nokogiri (~> 1.10.8) + nokogiri (~> 1.11.0) redcarpet (~> 3.5.0) rouge (~> 3.20) sass 
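Review bot: The new comment `# Use a local bundle path so caching vendor/bundle works across Ruby versions` does not match what the cache step does: the `key` on the line above includes `matrix.ruby-version`, so each Ruby version restores its own cache and nothing is shared across versions. What `bundle config set path vendor/bundle` actually guarantees is that `bundle install` writes into the directory the `actions/cache` step restores and saves; `# Install gems into vendor/bundle so the actions/cache step above restores and saves them` would say that. Deployment mode, enabled on the next line, already defaults the install path to vendor/bundle as far as I know, so the explicit `path` is a safeguard rather than a requirement and the comment could note that. The `gem update --system` workaround for Ruby 2.3 is dropped here while 2.3 remains in the build matrix until PATCH 8, so the 2.3 job may fail for anyone bisecting between these two commits.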
From 30830cf0ef7e26edb6731b603d6ee4f154a18a30 Mon Sep 17 00:00:00 2001 From: Chinmay Talekar Date: Fri, 23 Jan 2026 16:07:05 -0500 Subject: [PATCH 8/8] Drop Ruby 2.3 and 2.4 from CI build matrix, keeping only 2.5, 2.6, and 2.7 --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 5b73916..53ff386 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -12,7 +12,7 @@ jobs: strategy: matrix: - ruby-version: [2.3, 2.4, 2.5, 2.6, 2.7] + ruby-version: [2.5, 2.6, 2.7] steps: - uses: actions/checkout@v2