POST /api/noise/run executes a noise log dispatch job, pulling LEEF-formatted log archives from storage and shipping events to one or more configured SIEMs. The endpoint is called automatically by pg_cron on your configured schedule, but you can also trigger it manually from Admin > Noise Jobs or directly via the API.
Method: POST
Path: /api/noise/run
Auth: Bearer token in the Authorization header (for pg_cron / automation) or session cookie with manage_noise_logs capability
Bearer token authentication is accepted on this endpoint only. All other ThreatLab API endpoints require a session cookie. See Authentication for details.
Request Body
The UUID of the noise job to execute.
The trigger source. Use "schedule" for pg_cron-initiated calls and "manual" for API or UI-initiated calls.
A map of SIEM name to pre-created run UUID. ThreatLab updates each entry with status and event counts after execution.
Array of archive objects to dispatch. Each object specifies a position and storage path.
Array of SIEM name strings to ship events to. Each target is processed independently — a failure on one SIEM does not abort delivery to others.
The job’s scheduling configuration. Used to compute next_run_at after execution.
Execution Flow
Download archives
ThreatLab downloads all archives in the archives array in parallel from the noise-archives storage bucket.
Extract and rebase
LEEF events are extracted from each archive and timestamps are rebased using the same logic as /api/sessions/start.
Ship to each SIEM
Events are shipped to every SIEM in targets independently. A per-SIEM failure does not abort delivery to other SIEMs.
Update run rows
ThreatLab updates the run records identified by run_ids with final status, event counts, and any error details.
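The failure isolation described in the "Ship to each SIEM" and "Update run rows" steps, as an added JavaScript sketch that is not ThreatLab's own code. The shipper functions, SIEM names, status strings and result field names are assumptions, and the sample events are constructed.

```javascript
// Added illustration, not ThreatLab source. The shipper functions, status
// strings and result fields are assumptions made for this sketch.

// Constructed sample events standing in for extracted, rebased LEEF lines.
const SAMPLE_EVENTS = [
  "LEEF:1.0|Example|Sensor|1.0|login_ok|src=10.0.0.5",
  "LEEF:1.0|Example|Sensor|1.0|login_fail|src=10.0.0.9",
];

// Hypothetical per-SIEM shippers; each resolves to the number of events sent.
const SAMPLE_SHIPPERS = {
  splunk: async (events) => events.length,
  qradar: async () => { throw new Error("connection refused"); },
  sentinel: async (events) => events.length,
};

// Ship `events` to every name in `targets`, isolating failures per target.
// `runIds` maps SIEM name -> pre-created run UUID, as in the request body.
async function dispatchToTargets(events, targets, runIds, shippers) {
  const settled = await Promise.allSettled(
    targets.map(async (name) => {
      const ship = shippers[name];
      if (!ship) throw new Error(`no shipper configured for ${name}`);
      return ship(events);
    })
  );
  // One result row per target, keyed by SIEM name, for the run-row update.
  const rows = {};
  settled.forEach((outcome, i) => {
    const name = targets[i];
    rows[name] = outcome.status === "fulfilled"
      ? { run_id: runIds[name], status: "completed", events_sent: outcome.value, error: null }
      : { run_id: runIds[name], status: "failed", events_sent: 0, error: outcome.reason.message };
  });
  return rows;
}

// A job is only fully delivered when no target failed; surface the failures.
function failedTargets(rows) {
  return Object.keys(rows).filter((name) => rows[name].status === "failed");
}
```

Because one target can fail while the others succeed, anything monitoring these jobs should check each run row rather than treat the call as a single pass or fail.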