#10 update and format
jeromeleonard committed Aug 31, 2021
1 parent e1c0748 commit 8986d68
Showing 11 changed files with 307 additions and 0 deletions.
Empty file.
Empty file.
Empty file.
Empty file.
92 changes: 92 additions & 0 deletions docs/thehive/api/alert/list.md
@@ -0,0 +1,92 @@
# List / Search

List *Alerts*.

## Query

```plain
POST /api/v1/query?name=alerts
```

## Request Body Example

!!! Example ""

List last 15 alerts:

```json
{
"query": [
{
"_name": "listAlert"
},
{
"_name": "filter",
"_field": "imported",
"_value": false
},
{
"_name": "sort",
"_fields": [
{
"date": "desc"
}
]
},
{
"_name": "page",
"from": 0,
"to": 15,
"extraData": [
"importDate",
"caseNumber"
]
}
]
}
```

## Response

### Status codes

- `200`: if query is run successfully
- `401`: Authentication error

### Response Body Example

!!! Example ""

```json
[
...
{
"_id": "~789196976",
"_type": "Alert",
"_createdBy": "[email protected]",
"_createdAt": 1620393156944,
"type": "external",
"source": "MISP server",
"sourceRef": "event_1576",
"title": "Phishing list update 7.5.2021",
"description": "A curated list of phishing IOCs",
"severity": 2,
"date": 1620393156000,
"tags": [
"source:MISP",
"origin:CIRCL_LU"
],
"tlp": 3,
"pap": 2,
"read": false,
"follow": true,
"customFields": [],
"observableCount": 16,
"extraData": {
"importDate": null,
"caseNumber": null
}
},
...
]
```
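Review bot: The label "List last 15 alerts:" under Request Body Example does not match the query, which also applies a `filter` step on `"_field": "imported"` with `"_value": false`, so the call returns the 15 most recent alerts that have not been imported. Reword the label to say so, or drop the filter step from the example. The status code list also stops at `401`, while the custom-field pages in this commit document `403`; state whether this endpoint can return it.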
127 changes: 127 additions & 0 deletions docs/thehive/api/alert/read.md
@@ -0,0 +1,127 @@
# Mark as Read/Unread

Mark an *Alert* as read

## Query

### Mark as read

```plain
POST /api/alert/{id}/markAsRead
```

with:

- `id`: id of the Alert

### Mark as unread

```plain
POST /api/alert/{id}/markAsUnead
```

with:

- `id`: id of the Alert


## Response

### Status codes

- `200`: if *Alert* is updated successfully
- `401`: Authentication error

### Response Body Example

!!! Example ""

```json
{
"_id": "~911601872",
"id": "~911601872",
"createdBy": "[email protected]",
"updatedBy": null,
"createdAt": 1620333017135,
"updatedAt": null,
"_type": "alert",
"type": "external",
"source": "SIEM",
"sourceRef": "8257b4",
"externalLink": null,
"case": null,
"title": "User posted information on known phishing URL",
"description": "SIEM automated alert: the user [email protected] has posted information on a known phishing url",
"severity": 2,
"date": 1620333017000,
"tags": [
"source:siem",
"log-source:proxy"
],
"tlp": 3,
"pap": 2,
"status": "Ignored",
"follow": true,
"customFields": {
"businessUnit": {
"string": "Finance"
},
"location": {
"string": "Sydney"
}
},
"caseTemplate": null,
"artifacts": [
{
"_id": "~624226312",
"id": "~624226312",
"createdBy": "[email protected]",
"createdAt": 1620333017175,
"_type": "case_artifact",
"dataType": "mail",
"data": "[email protected]",
"startDate": 1620333017175,
"tlp": 2,
"tags": [],
"ioc": false,
"sighted": false,
"reports": {},
"stats": {}
},
{
"_id": "~788742360",
"id": "~788742360",
"createdBy": "[email protected]",
"createdAt": 1620333017168,
"_type": "case_artifact",
"dataType": "url",
"data": "https://moneyfornothing.pl-getbuys.icu/",
"startDate": 1620333017168,
"tlp": 2,
"tags": [],
"ioc": false,
"sighted": false,
"message": "http method: POST",
"reports": {},
"stats": {}
},
{
"_id": "~870416536",
"id": "~870416536",
"createdBy": "[email protected]",
"createdAt": 1620333017157,
"_type": "case_artifact",
"dataType": "ip",
"data": "94.154.129.50",
"startDate": 1620333017157,
"tlp": 2,
"tags": [],
"ioc": false,
"sighted": false,
"reports": {},
"stats": {}
}
],
"similarCases": []
}
```
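Review bot: The "Mark as unread" endpoint is written `POST /api/alert/{id}/markAsUnead`; the last path segment is missing an `r`, so anyone copying it will call a route that does not match the heading. Change it to `markAsUnread` if that is the route name, and extend the intro line "Mark an *Alert* as read" to cover the unread call as well. The response example also embeds a routable-looking IP address and URL in `artifacts`; sample values from reserved documentation ranges and domains would avoid publishing live indicators in the docs.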
Empty file.
Empty file.
Empty file.
23 changes: 23 additions & 0 deletions docs/thehive/api/custom-field/delete.md
@@ -0,0 +1,23 @@
# Delete

Delete a *Custom Field*.

## Query

```plain
DELETE /api/customField/{id}
```

with:

- `id`: id of the Custom Field.


## Response

### Status codes

- `204`: if *Custom Fields* is successfully deleted
- `401`: Authentication error
- `403`: Authorization error
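Review bot: In the status code list, "`204`: if *Custom Fields* is successfully deleted" uses the plural for a call that deletes a single field by `id`; make it "*Custom Field*". The list also does not say what is returned when `{id}` does not exist, which is worth one line for a destructive call.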

65 changes: 65 additions & 0 deletions docs/thehive/api/custom-field/get.md
@@ -0,0 +1,65 @@
# Get / List

List *Custom Fields*.

## Query

```plain
GET /api/customField
```


## Response

### Status codes

- `200`: if query is run successfully
- `401`: Authentication error
- `403`: Authorization error

### Response Body Example

!!! Example ""

=== "200"

```json
[
{
"id": "~28672",
"name": "Number of Accounts",
"reference": "Number of Accounts",
"description": "Number of accounts leaked",
"type": "integer",
"options": [],
"mandatory": true
},
{
"id": "~53440",
"name": "Nb of emails delivered",
"reference": "Nb of emails delivered",
"description": "Nb of emails delivered",
"type": "integer",
"options": [],
"mandatory": true
}
]
```

=== "401"

```json
{
"type": "AuthenticationError",
"message": "Authentication failure"
}
```

=== "403"

```json
{
"type": "AuthorizationError",
"message": "Your are not authorized to create custom field, you haven't the permission manageCustomField"
}
```
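Review bot: The `403` example for `GET /api/customField` carries a message about being "not authorized to create custom field", which describes creating a field rather than listing them. Confirm this is what the list call returns and, if not, replace it with the body captured from this endpoint; if it is the server's literal text, note that, since it also begins "Your are". The page title "Get / List" also promises a get-by-id call that the Query section does not document.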
