To use these API endpoints, an API key is needed. It can be found in every user profile under My settings > API Key.

This specification applies to IRIS v2.1.0 and onward. The supported API version can be checked in Advanced > Server settings > Server versions on IRIS.

This version introduces access control. Every request now needs to carry the cid=x parameter in the URI.

Deletion endpoints have been migrated from GET to POST. The GET deletion endpoints have been marked as deprecated and are not available anymore.

v1.4.5 introduced the concept of custom attributes. These are JSON objects stored in almost all case objects such as Assets, IOCs, etc. They are defined by administrators or modules and can vary from one object to another despite being of the same type. Because of this, no definitive structure can be expected from these fields. They are all named custom_attributes.
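The following helper layer is an added example, not IRIS's own client: it shows how a script should carry the API key, attach the mandatory cid parameter, and validate the {status, message, data} envelope every endpoint on this page returns (including the "value" wrapper the POST delete endpoints use). The Bearer-token header format and the /case/summary/update path are assumptions.

```python
import json
from typing import Any, Dict
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse


class IrisApiError(Exception):
    """Raised when a response envelope does not report status 'success'."""


def auth_headers(api_key: str) -> Dict[str, str]:
    # Assumption: the key from My settings > API Key is sent as a Bearer token.
    if not api_key or any(c.isspace() for c in api_key):
        raise ValueError("api_key must be a non-empty token without whitespace")
    return {"Authorization": f"Bearer {api_key}",
            "Content-Type": "application/json"}


def with_cid(url: str, cid: int) -> str:
    """Add the mandatory cid=x parameter to a URL, preserving any existing query."""
    if isinstance(cid, bool) or not isinstance(cid, int) or cid <= 0:
        raise ValueError("cid must be a positive integer")
    parts = urlparse(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    query["cid"] = [str(cid)]
    flat = [(k, v) for k, values in query.items() for v in values]
    return urlunparse(parts._replace(query=urlencode(flat)))


def parse_envelope(body: str) -> Any:
    """Validate the {status, message, data} envelope and return data.

    The POST delete endpoints wrap the envelope in a "value" object (see the
    asset delete sample), so that wrapper is removed first."""
    doc = json.loads(body)
    if isinstance(doc, dict) and set(doc) == {"value"}:
        doc = doc["value"]
    if not isinstance(doc, dict):
        raise IrisApiError("response is not a JSON object")
    missing = [k for k in ("status", "message", "data") if k not in doc]
    if missing:
        raise IrisApiError(f"malformed response, missing {missing}")
    if doc["status"] != "success":
        raise IrisApiError(f"{doc['status']}: {doc['message']}")
    return doc["data"]


def summary_update_request(api_key: str, base_url: str, cid: int,
                           new_summary: str) -> Dict[str, str]:
    """Assemble (but do not send) the summary update call.

    The page warns that this overwrites the shared summary and that other
    users' unsaved local edits are lost, so callers should fetch and merge first.
    Assumption: the path is /case/summary/update; cid is repeated in the body
    as in the page's request sample."""
    url = with_cid(f"{base_url.rstrip('/')}/case/summary/update", cid)
    return {"method": "POST", "url": url,
            "headers": json.dumps(auth_headers(api_key)),
            "body": json.dumps({"case_description": new_summary, "cid": cid})}
```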
Update the summary of a case. Attention: this triggers an overwrite of the summary. Summaries are shared interactively between users; if an update is issued through this endpoint, every user receives the change and their local changes are lost.

The summary is a markdown-compatible text.

| Parameter | Required | Type | Description |
| --- | --- | --- | --- |
| case_description | yes | string | The updated summary |
| cid | yes | integer | Case ID |

Request sample:

```json
{
  "case_description": "Dummy description",
  "cid": 1
}
```

Response sample:

```json
{
  "data": 3837413706,
  "message": "Summary updated",
  "status": "success"
}
```
Add a task log to the case. The task log is registered under Activities and is available in report templating. If cid is omitted, the default case of the calling user is used.

| Parameter | Required | Type | Description |
| --- | --- | --- | --- |
| log_content | | string | |
| cid | | integer | |

Request sample:

```json
{
  "log_content": "A test"
}
```

Response sample:

```json
{
  "data": {
    "activity_date": "Fri, 21 Jan 2022 17:33:48 GMT",
    "activity_desc": "A test",
    "case": null,
    "case_id": 1,
    "id": 21632,
    "user": null,
    "user_id": 1,
    "user_input": true
  },
  "message": "Log saved",
  "status": "success"
}
```
Get a list of the assets linked to the case.

| Parameter | Required | Type | Description |
| --- | --- | --- | --- |
| cid | yes | integer | Case ID |

Response sample:

```json
{
  "data": {
    "assets": [
      {
        "analysis_status": "Started",
        "analysis_status_id": 3,
        "asset_compromise_status_id": 1,
        "asset_description": "A description",
        "asset_domain": "A domain",
        "asset_icon_compromised": "ioc_user.png",
        "asset_icon_not_compromised": "user.png",
        "asset_id": 43,
        "asset_ip": "0.0.0.0",
        "asset_name": "My asset",
        "asset_tags": "test",
        "asset_type": "Account",
        "asset_type_id": 1,
        "asset_uuid": "e935efba-5b41-4299-ad51-febcfa87997b",
        "ioc_links": [
          {
            "asset_id": 43,
            "ioc_id": 1,
            "ioc_value": "this is an ioc"
          }
        ],
        "link": []
      }
    ],
    "state": {
      "object_last_update": "Mon, 06 Mar 2023 09:44:22 GMT",
      "object_state": 91
    }
  },
  "message": "",
  "status": "success"
}
```
Fetch the content of an asset.

| Parameter | Required | Type | Description |
| --- | --- | --- | --- |
| asset_id | yes | integer | |
| cid | | string | Case ID |

Response sample:

```json
{
  "data": {
    "assets": [
      {
        "analysis_status": "Started",
        "analysis_status_id": 3,
        "asset_compromise_status_id": 1,
        "asset_description": "A description",
        "asset_domain": "A domain",
        "asset_icon_compromised": "ioc_user.png",
        "asset_icon_not_compromised": "user.png",
        "asset_id": 43,
        "asset_ip": "0.0.0.0",
        "asset_name": "My asset",
        "asset_tags": "test",
        "asset_type": "Account",
        "asset_type_id": 1,
        "asset_uuid": "e935efba-5b41-4299-ad51-febcfa87997b",
        "ioc_links": [
          {
            "asset_id": 43,
            "ioc_id": 1,
            "ioc_value": "my ioc"
          }
        ],
        "link": []
      }
    ],
    "state": {
      "object_last_update": "Mon, 06 Mar 2023 09:44:22 GMT",
      "object_state": 91
    }
  },
  "message": "",
  "status": "success"
}
```
Create an asset and link it to the case.

| Parameter | Required | Type | Description |
| --- | --- | --- | --- |
| cid | yes | integer | Case ID |
| asset_name | | string | |
| asset_type_id | | integer | |
| asset_domain | | string | |
| asset_ip | | string | |
| asset_info | | string | |
| asset_compromise_status_id | | integer | |
| analysis_status_id | | integer | |
| ioc_links | | integer | |
| asset_tags | | string | |
| asset_description | | string | |
| custom_attributes | | object | |

Request sample:

```json
{
  "asset_name": "Demo asset",
  "asset_type_id": 3,
  "asset_domain": "my domain",
  "asset_ip": "0.0.0.0",
  "asset_info": "Additional info",
  "asset_compromise_status_id": 1,
  "analysis_status_id": 3,
  "ioc_links": [
    1
  ],
  "asset_tags": "this,tag",
  "asset_description": "Asset description",
  "custom_attributes": {}
}
```

Response sample:

```json
{
  "data": {
    "analysis_status_id": 3,
    "asset_compromise_status_id": 1,
    "asset_description": "Asset description",
    "asset_domain": "my domain",
    "asset_id": 50,
    "asset_info": "Additional info",
    "asset_ip": "0.0.0.0",
    "asset_name": "Demo asset",
    "asset_tags": "this,tag",
    "asset_type_id": 3,
    "asset_uuid": "0c4d6cb9-d173-449c-b68b-e2ad091e72bd",
    "case_id": 1,
    "custom_attributes": {},
    "date_added": "2023-03-06T10:01:13.818445",
    "date_update": "2023-03-06T10:01:13.818450",
    "user_id": 1
  },
  "message": "Asset added",
  "status": "success"
}
```
Update an asset.

| Parameter | Required | Type | Description |
| --- | --- | --- | --- |
| asset_id | yes | string | ID of the asset to update |
| cid | yes | integer | Case ID |
| asset_name | | string | |
| asset_type_id | | integer | |
| analysis_status_id | | integer | |
| asset_description | | string | |
| asset_domain | | string | |
| asset_ip | | string | |
| asset_info | | string | |
| asset_compromise_status_id | | integer | |
| asset_tags | | string | |
| custom_attributes | | object | |
| ioc_links | | Array of integers | |

Request sample:

```json
{
  "asset_name": "string",
  "asset_type_id": 1,
  "analysis_status_id": 1,
  "asset_description": "string",
  "asset_domain": "string",
  "asset_ip": "string",
  "asset_info": "string",
  "asset_compromise_status_id": 1,
  "asset_tags": "string",
  "custom_attributes": {},
  "cid": 1,
  "ioc_links": [
    1
  ]
}
```

Response sample:

```json
{
  "data": {
    "analysis_status_id": 1,
    "asset_compromise_status_id": 0,
    "asset_description": "string",
    "asset_domain": "string",
    "asset_id": 43,
    "asset_info": "string",
    "asset_ip": "string",
    "asset_name": "string",
    "asset_tags": "string",
    "asset_type_id": 2,
    "asset_uuid": "e935efba-5b41-4299-ad51-febcfa87997b",
    "case_id": 1,
    "custom_attributes": {},
    "date_added": "2023-03-06T09:44:22.472850",
    "date_update": "2023-03-06T09:44:22.472860",
    "ioc_links": [
      1
    ],
    "user_id": 1
  },
  "message": "Updated asset string",
  "status": "success"
}
```
This endpoint is deprecated. Use the POST equivalent.

| Parameter | Required | Type | Description |
| --- | --- | --- | --- |
| asset_id | yes | string | ID of the asset to delete |
| cid | yes | string | Case ID |

Response sample:

```json
{
  "data": [],
  "message": "Deleted",
  "status": "success"
}
```
Delete an asset based on its ID. If the asset is linked to an event, the reference is deleted but not the event.

| Parameter | Required | Type | Description |
| --- | --- | --- | --- |
| asset_id | yes | string | ID of the asset to delete |
| cid | | integer | Case ID |

Response sample:

```json
{
  "value": {
    "data": [],
    "message": "Deleted",
    "status": "success"
  }
}
```
Get a list of the notes and groups. The content of the notes is not returned.

| Parameter | Required | Type | Description |
| --- | --- | --- | --- |
| cid | yes | integer | Case ID |

Response sample:

```json
{
  "data": {
    "groups": [
      {
        "group_id": 13,
        "group_title": "Group 13",
        "group_uuid": "c84c80a5-bfff-416f-b84b-4ed45ce17eae",
        "notes": [
          {
            "note_id": 7,
            "note_lastupdate": "Mon, 06 Mar 2023 12:02:37 GMT",
            "note_title": "Untitled note",
            "note_uuid": "70e1fb44-71b4-4d67-8107-ebb9b81805dd",
            "user": "administrator"
          }
        ]
      },
      {
        "group_id": 14,
        "group_title": "Group 14",
        "group_uuid": "625b1a98-ada3-4b9f-ba87-68d8210e0ca7",
        "notes": [
          {
            "note_id": 8,
            "note_lastupdate": "Mon, 06 Mar 2023 12:02:38 GMT",
            "note_title": "Untitled note",
            "note_uuid": "385fc7f9-a6ef-4bdf-a852-ffba4e042d37",
            "user": "administrator"
          },
          {
            "note_id": 9,
            "note_lastupdate": "Mon, 06 Mar 2023 12:02:39 GMT",
            "note_title": "Untitled note",
            "note_uuid": "a0d9d43e-2dbf-43ce-8e87-895c97963a75",
            "user": "administrator"
          },
          {
            "note_id": 10,
            "note_lastupdate": "Mon, 06 Mar 2023 12:02:39 GMT",
            "note_title": "Untitled note",
            "note_uuid": "c9069b9e-6ffe-4e49-9ca9-0655dcf44cec",
            "user": "administrator"
          }
        ]
      }
    ],
    "state": {
      "object_last_update": "Mon, 06 Mar 2023 12:02:39 GMT",
      "object_state": 42
    }
  },
  "message": "",
  "status": "success"
}
```
Fetch a notes group.

| Parameter | Required | Type | Description |
| --- | --- | --- | --- |
| group_id | yes | string | ID of the group to return |
| cid | yes | string | ID of the case |

Response sample:

```json
{
  "data": {
    "group_creationdate": "Wed, 16 Feb 2022 18:48:00 GMT",
    "group_id": 14,
    "group_lastupdate": "Wed, 16 Feb 2022 18:48:00 GMT",
    "group_title": "Group 14",
    "notes": [
      {
        "note_id": 20,
        "note_lastupdate": "Tue, 22 Feb 2022 14:21:29 GMT",
        "note_title": "Untitled note",
        "user": "administrator"
      },
      {
        "note_id": 21,
        "note_lastupdate": "Sun, 06 Mar 2022 17:45:54 GMT",
        "note_title": "Untitled note",
        "user": "administrator"
      }
    ]
  },
  "message": "",
  "status": "success"
}
```
Create a notes group. The created group is empty.
If the group title isn't set, a default group name is set by the server.

| Parameter | Required | Type | Description |
| --- | --- | --- | --- |
| group_title | | string | non-empty |
| cid | yes | number | |

Request sample:

```json
{
  "group_title": "Test",
  "cid": 5
}
```

Response sample:

```json
{
  "data": {
    "group_creationdate": "2021-10-25T08:00:47.274267",
    "group_id": 526,
    "group_lastupdate": "2021-10-25T08:00:47.274267",
    "group_title": "Test"
  },
  "message": "",
  "status": "success"
}
```
Update the title of a note group.

| Parameter | Required | Type | Description |
| --- | --- | --- | --- |
| group_id | yes | string | Group ID to update |
| group_title | yes | string | non-empty |
| cid | yes | number | |

Request sample:

```json
{
  "group_title": "Test",
  "cid": 5
}
```

Response sample:

```json
{
  "data": {
    "group_creationdate": "2022-01-21T18:14:49.494113",
    "group_id": 38,
    "group_lastupdate": "2022-01-21T18:14:49.494113",
    "group_title": "Coucou"
  },
  "message": "Updated title of group ID 38",
  "status": "success"
}
```
Delete a case notes group.

| Parameter | Required | Type | Description |
| --- | --- | --- | --- |
| group_id | yes | string | ID of the group to delete |
| cid | | integer | Case ID |

Response sample:

```json
{
  "data": [],
  "message": "Group ID 22 deleted",
  "status": "success"
}
```
Add a new note to an existing group.

| Parameter | Required | Type | Description |
| --- | --- | --- | --- |
| cid | yes | integer | Case ID |
| note_title | yes | string | non-empty |
| note_content | yes | string | non-empty |
| group_id | yes | number | |

Request sample:

```json
{
  "note_title": "Title of the note",
  "note_content": "Content of the note",
  "group_id": 36,
  "cid": 2
}
```

Response sample:

```json
{
  "data": {
    "custom_attributes": {},
    "note_content": "Content of the note",
    "note_creationdate": "2023-03-06T12:34:30.082824",
    "note_id": 11,
    "note_lastupdate": "2023-03-06T12:34:30.082824",
    "note_title": "Title of the note",
    "note_uuid": "5eb69374-c940-4159-8b32-43d814f17048"
  },
  "message": "Note added",
  "status": "success"
}
```
Fetch the content and information of a note.

| Parameter | Required | Type | Description |
| --- | --- | --- | --- |
| note_id | yes | integer | ID of the note to fetch |
| cid | yes | integer | Case ID |

Response sample:

```json
{
  "data": {
    "custom_attributes": {},
    "group_id": 13,
    "group_title": "Group 13",
    "group_uuid": "c84c80a5-bfff-416f-b84b-4ed45ce17eae",
    "note_content": "",
    "note_creationdate": "2023-03-06T12:02:37.739708",
    "note_id": 7,
    "note_lastupdate": "2023-03-06T12:02:37.739708",
    "note_title": "Untitled note",
    "note_uuid": "70e1fb44-71b4-4d67-8107-ebb9b81805dd"
  },
  "message": "",
  "status": "success"
}
```
Update the content of a note.

| Parameter | Required | Type | Description |
| --- | --- | --- | --- |
| note_id | yes | string | ID of the note to save |
| cid | yes | integer | Case ID |
| note_title | yes | string | non-empty |
| note_content | | string | non-empty |
| custom_attributes | | object | |

Request sample:

```json
{
  "note_title": "New title",
  "note_content": "New content",
  "custom_attributes": {}
}
```

Response sample:

```json
{
  "data": {
    "custom_attributes": {},
    "note_content": "New content",
    "note_id": 9,
    "note_title": "New title"
  },
  "message": "Note ID 9 saved",
  "status": "success"
}
```
Search in notes. The search term is treated as a wildcard.

| Parameter | Required | Type | Description |
| --- | --- | --- | --- |
| search_term | yes | string | non-empty |
| cid | yes | integer | |

Request sample:

```json
{
  "search_term": "term",
  "cid": 1
}
```

Response sample:

```json
{
  "data": [
    {
      "note_id": 58,
      "note_title": "Untitled note"
    },
    {
      "note_id": 60,
      "note_title": "Untitled note"
    }
  ],
  "message": "",
  "status": "success"
}
```
Returns a list of the IOCs of the case, as well as any existing links with other cases.

| Parameter | Required | Type | Description |
| --- | --- | --- | --- |
| cid | yes | integer | Case ID |

Response sample:

```json
{
  "data": {
    "ioc": [
      {
        "ioc_description": "",
        "ioc_id": 32,
        "ioc_misp": null,
        "ioc_tags": "",
        "ioc_tlp_id": 2,
        "ioc_type": "account",
        "ioc_type_id": 3,
        "ioc_uuid": "6a3c7204-8595-459f-aa90-33a0e97190dc",
        "ioc_value": "my account",
        "link": [],
        "misp_link": null,
        "tlp_bscolor": "warning",
        "tlp_name": "amber"
      },
      {
        "ioc_description": "SHA256 of dummy file. Imported from datastore.",
        "ioc_id": 1,
        "ioc_misp": null,
        "ioc_tags": "datastore",
        "ioc_tlp_id": 2,
        "ioc_type": "sha256",
        "ioc_type_id": 113,
        "ioc_uuid": "ef2a08b4-d02f-4a1c-9ee5-577fce33b8bf",
        "ioc_value": "E7314F28AC81AAB727957B317AEBF02B54E8B06C07F5A56F36D4F0B642C38D28",
        "link": [],
        "misp_link": null,
        "tlp_bscolor": "warning",
        "tlp_name": "amber"
      }
    ],
    "state": {
      "object_last_update": "Mon, 06 Mar 2023 13:01:04 GMT",
      "object_state": 67
    }
  },
  "message": "",
  "status": "success"
}
```
Fetch the content of an IOC.

| Parameter | Required | Type | Description |
| --- | --- | --- | --- |
| ioc_id | yes | integer | ID of the IOC to fetch |
| cid | | string | Case ID |

Response sample:

```json
{
  "data": {
    "custom_attributes": {},
    "ioc_description": null,
    "ioc_id": 29,
    "ioc_misp": null,
    "ioc_tags": null,
    "ioc_tlp_id": 2,
    "ioc_type": 1,
    "ioc_type_id": 1,
    "ioc_uuid": "5aecb228-8100-4ce1-a347-4794b266a721",
    "ioc_value": "dummy ioc",
    "user_id": 1
  },
  "message": "",
  "status": "success"
}
```
Add a new IOC to the case.

| Parameter | Required | Type | Description |
| --- | --- | --- | --- |
| cid | yes | integer | Case ID |
| ioc_type_id | yes | integer | |
| ioc_tlp_id | yes | integer | |
| ioc_value | yes | string | non-empty |
| ioc_description | yes | string | non-empty |
| ioc_tags | yes | string | |
| custom_attributes | | object | |

Request sample:

```json
{
  "ioc_type_id": 1,
  "ioc_tlp_id": 2,
  "ioc_value": "8.8.8.8",
  "ioc_description": "rewrw",
  "ioc_tags": "",
  "custom_attributes": {},
  "cid": 2
}
```

Response sample:

```json
{
  "data": {
    "ioc_description": "rewrw",
    "ioc_id": 34,
    "ioc_misp": null,
    "ioc_tags": "",
    "ioc_tlp_id": 2,
    "ioc_type": 1,
    "ioc_type_id": 1,
    "ioc_value": "8.8.8.8",
    "user_id": 1
  },
  "message": "IOC added",
  "status": "success"
}
```
Delete an IOC from the case. If the IOC is still referenced in other cases, it is only unlinked from the current case.

| Parameter | Required | Type | Description |
| --- | --- | --- | --- |
| ioc_id | yes | integer | |
| cid | yes | string | Case ID |

Response sample:

```json
{
  "data": [],
  "message": "IOC deleted",
  "status": "success"
}
```
Update an IOC of the case.

| Parameter | Required | Type | Description |
| --- | --- | --- | --- |
| ioc_id | yes | integer | |
| cid | yes | integer | Case ID |
| ioc_value | | string | |
| ioc_tlp_id | | integer | |
| ioc_type_id | | integer | |
| ioc_description | | string | |
| ioc_tags | | string | |
| custom_attributes | | object | |

Request sample:

```json
{
  "ioc_type_id": 1,
  "ioc_tlp_id": 2,
  "ioc_value": "evil",
  "ioc_description": "IOC description",
  "ioc_tags": "tag1,tag2",
  "custom_attributes": {}
}
```

Response sample:

```json
{
  "data": {
    "custom_attributes": {},
    "ioc_description": "IOC description",
    "ioc_id": 33,
    "ioc_misp": null,
    "ioc_tags": "tag1,tag2",
    "ioc_tlp_id": 2,
    "ioc_type": 1,
    "ioc_type_id": 1,
    "ioc_uuid": "710fabff-c466-4bbf-9a9f-815e6ad2e8a0",
    "ioc_value": "evil",
    "user_id": 1
  },
  "message": "Updated ioc \"evil\"",
  "status": "success"
}
```
The endpoint is deprecated. Use case/timeline/advanced-filter.

| Parameter | Required | Type | Description |
| --- | --- | --- | --- |
| asset_id | yes | integer | Filter by assets |
| cid | yes | integer | Case ID |

Response sample:

```json
{
  "data": {
    "state": {
      "object_last_update": "string",
      "object_state": 0
    },
    "timeline": [
      {
        "assets": [
          {}
        ],
        "category_name": "string",
        "event_category_id": 0,
        "event_color": "string",
        "event_content": "string",
        "event_date": "string",
        "event_date_wtz": "string",
        "event_id": 0,
        "event_in_graph": true,
        "event_in_summary": true,
        "event_tags": "string",
        "event_title": "string",
        "event_tz": "string"
      }
    ]
  },
  "message": "string",
  "status": "string"
}
```
Filter the timeline through a query. q should be a valid JSON mapping {field1:[value], field2: [value2]}.
Fields are ANDed together. The query needs to be URL encoded.
The following fields are available:

| Parameter | Required | Type | Description |
| --- | --- | --- | --- |
| cid | yes | integer | Case ID |
| q | yes | string | Query filter |

Response sample:

```json
{
  "data": {
    "state": {
      "object_last_update": "string",
      "object_state": 0
    },
    "timeline": [
      {
        "assets": [
          {}
        ],
        "category_name": "string",
        "event_category_id": 0,
        "event_color": "string",
        "event_content": "string",
        "event_date": "string",
        "event_date_wtz": "string",
        "event_id": 0,
        "event_in_graph": true,
        "event_in_summary": true,
        "event_tags": "string",
        "event_title": "string",
        "event_tz": "string"
      }
    ]
  },
  "message": "string",
  "status": "string"
}
```
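An added example (not IRIS code) of building the URL-encoded q mapping for case/timeline/advanced-filter, decoding it back (useful when auditing proxy logs), and applying the AND-across-fields rule locally to constructed timeline entries. The field names used (event_tags, category_name) and the per-field substring matching are assumptions; the page does not list the available fields or the match rule.

```python
import json
from urllib.parse import parse_qs, urlencode

# Constructed timeline entries shaped like the page's sample response (not real data).
SAMPLE_TIMELINE = [
    {"event_id": 2021, "event_title": "My event title @44", "event_tags": "",
     "category_name": "", "event_content": "My event content @44"},
    {"event_id": 2022, "event_title": "Lateral movement via RDP", "event_tags": "rdp,lateral",
     "category_name": "Lateral Movement", "event_content": "logon type 10 on DC1"},
    {"event_id": 2023, "event_title": "RDP brute force", "event_tags": "rdp",
     "category_name": "Initial Access", "event_content": "4625 burst from 10.0.0.5"},
]


def build_filter_query(cid: int, filters: dict) -> str:
    """Encode cid and q as the query string; q is the JSON mapping, URL-encoded.

    Scalar values are wrapped in a list so the server always sees {field: [values]}."""
    normalised = {k: (v if isinstance(v, list) else [v]) for k, v in filters.items()}
    return urlencode({"cid": cid, "q": json.dumps(normalised, separators=(",", ":"))})


def decode_filter_query(query_string: str) -> dict:
    """Recover the mapping from an encoded query and check its shape."""
    params = parse_qs(query_string)
    if "q" not in params:
        raise ValueError("query string carries no q parameter")
    mapping = json.loads(params["q"][0])
    if not isinstance(mapping, dict) or not all(isinstance(v, list) for v in mapping.values()):
        raise ValueError("q must be a JSON object mapping each field to a list of values")
    return mapping


def event_matches(event: dict, filters: dict) -> bool:
    """Local model of the server rule: fields are ANDed. Within one field,
    any listed value matching as a case-insensitive substring is assumed to suffice."""
    for field, values in filters.items():
        haystack = str(event.get(field, "")).lower()
        if not any(str(v).lower() in haystack for v in values):
            return False
    return True


def filter_timeline(events: list, query_string: str) -> list:
    """Apply an encoded query to a list of events and return the matching event IDs."""
    filters = decode_filter_query(query_string)
    return [e["event_id"] for e in events if event_matches(e, filters)]
```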
The endpoint is deprecated. Use case/timeline/advanced-filter.

| Parameter | Required | Type | Description |
| --- | --- | --- | --- |
| cid | yes | integer | Case ID |

Response sample:

```json
{
  "data": [
    {
      "assets": [
        {
          "compromised": false,
          "description": "My asset 10",
          "ip": "",
          "name": "asset_11 (Linux - Server)"
        },
        {
          "compromised": true,
          "description": "My asset 10",
          "ip": "",
          "name": "asset_4 (Windows Account - Local)"
        }
      ],
      "category_name": "",
      "event_color": "",
      "event_content": "My event content @44",
      "event_date": "Tue, 19 Oct 2021 16:19:09 GMT",
      "event_id": 2021,
      "event_tags": "",
      "event_title": "My event title @44",
      "event_tz": "+00:00",
      "event_date_wtz": "Tue, 19 Oct 2021 16:19:09 GMT",
      "event_in_summary": true,
      "event_in_graph": true
    }
  ],
  "message": "",
  "status": "success"
}
```
Fetch the state of the timeline.

| Parameter | Required | Type | Description |
| --- | --- | --- | --- |
| cid | yes | string | Case ID |

Response sample:

```json
{
  "data": {
    "object_last_update": "Sun, 06 Mar 2022 13:00:25 GMT",
    "object_state": 39
  },
  "message": "",
  "status": "success"
}
```
Create a new event in the timeline.

| Parameter | Required | Type | Description |
| --- | --- | --- | --- |
| cid | yes | integer | Case ID |
| event_title | | string | |
| event_raw | | string | |
| event_source | | string | |
| event_assets | | Array of integers | |
| event_iocs | | Array of integers | |
| event_category_id | | string | |
| event_in_summary | | boolean | |
| event_in_graph | | boolean | |
| event_color | | string | |
| event_date | | string | |
| event_sync_iocs_assets | | boolean | |
| event_tags | | string | |
| event_tz | | string | |
| event_content | | string | |
| custom_attributes | | object | |

Request sample:

```json
{
  "event_title": "An event",
  "event_raw": "My event raw data",
  "event_source": "My source",
  "event_assets": [
    45
  ],
  "event_iocs": [
    33
  ],
  "event_category_id": "5",
  "event_in_summary": true,
  "event_in_graph": true,
  "event_color": "#1572E899",
  "event_date": "2023-03-08T03:02:00.000",
  "event_sync_iocs_assets": true,
  "event_tags": "tag",
  "event_tz": "+00:00",
  "event_content": "My description",
  "custom_attributes": {}
}
```

Response sample:

```json
{
  "data": {
    "case_id": 0,
    "custom_attributes": {},
    "event_added": "string",
    "event_category_id": 0,
    "event_color": "string",
    "event_content": "string",
    "event_date": "string",
    "event_date_wtz": "string",
    "event_id": 0,
    "event_in_graph": true,
    "event_in_summary": true,
    "event_is_flagged": true,
    "event_raw": "string",
    "event_source": "string",
    "event_tags": "string",
    "event_title": "string",
    "event_tz": "string",
    "event_uuid": "string",
    "modification_history": {},
    "user_id": 0
  },
  "message": "string",
  "status": "string"
}
```
Update an event in the timeline.

| Parameter | Required | Type | Description |
| --- | --- | --- | --- |
| event_id | yes | integer | |
| cid | yes | integer | Case ID |
| event_title | | string | |
| event_raw | | string | |
| event_source | | string | |
| event_assets | | Array of integers | |
| event_iocs | | Array of integers | |
| event_category_id | | integer | |
| event_in_summary | | boolean | |
| event_in_graph | | boolean | |
| event_color | | string | |
| event_date | | string | |
| event_sync_iocs_assets | | boolean | |
| event_tags | | string | |
| event_tz | | string | |
| event_content | | string | |
| custom_attributes | | object | |

Request sample:

```json
{
  "event_title": "An event",
  "event_raw": "My event raw data",
  "event_source": "Source",
  "event_assets": [
    45
  ],
  "event_iocs": [
    33
  ],
  "event_category_id": 5,
  "event_in_summary": true,
  "event_in_graph": true,
  "event_color": "#1572E899",
  "event_date": "2023-03-08T03:02:00.000",
  "event_sync_iocs_assets": true,
  "event_tags": "tag",
  "event_tz": "+00:00",
  "event_content": "My description",
  "custom_attributes": {}
}
```

Response sample:

```json
{
  "data": {
    "case_id": 1,
    "custom_attributes": {},
    "event_added": "2023-03-06T16:49:07.707864",
    "event_assets": [
      45
    ],
    "event_category_id": 5,
    "event_color": "#1572E899",
    "event_content": "My description",
    "event_date": "2023-03-08T03:02:00.000000",
    "event_date_wtz": "2023-03-08T03:02:00.000000",
    "event_id": 34,
    "event_in_graph": true,
    "event_in_summary": true,
    "event_iocs": [
      33
    ],
    "event_is_flagged": false,
    "event_raw": "My event raw data",
    "event_source": "Source",
    "event_sync_iocs_assets": true,
    "event_tags": "tag",
    "event_title": "An event",
    "event_tz": "+00:00",
    "event_uuid": "62c4b6f1-10e8-4943-bf0f-5a0b7e0035ac",
    "modification_history": {
      "1678121347.70794": {
        "action": "created",
        "user": "administrator",
        "user_id": 1
      },
      "1678122873.027355": {
        "action": "updated",
        "user": "administrator",
        "user_id": 1
      },
      "1678123005.193946": {
        "action": "updated",
        "user": "administrator",
        "user_id": 1
      }
    },
    "user_id": 1
  },
  "message": "Event updated",
  "status": "success"
}
```
Return information of an event of the timeline.

| Parameter | Required | Type | Description |
| --- | --- | --- | --- |
| event_id | yes | integer | |
| cid | yes | integer | Case ID |

Response sample:

```json
{
  "data": {
    "case_id": 1,
    "custom_attributes": {},
    "event_added": "2023-03-06T16:52:12.835844",
    "event_assets": [
      45
    ],
    "event_category_id": 5,
    "event_color": "#1572E899",
    "event_comments_map": [
      {
        "comment_event_id": 35,
        "comment_id": 11
      }
    ],
    "event_content": "My description",
    "event_date": "2023-03-08T03:02:00.000000",
    "event_date_wtz": "2023-03-08T03:02:00.000000",
    "event_id": 35,
    "event_in_graph": true,
    "event_in_summary": true,
    "event_iocs": [
      33
    ],
    "event_is_flagged": false,
    "event_raw": "My event raw data",
    "event_source": "Source",
    "event_tags": "tag",
    "event_title": "An event",
    "event_tz": "+00:00",
    "event_uuid": "b306483b-ee5f-4f6e-bc5d-2fed23679582",
    "modification_history": {
      "1678121532.835905": {
        "action": "created",
        "user": "administrator",
        "user_id": 1
      },
      "1678347214.389964": {
        "action": "commented",
        "user": "administrator",
        "user_id": 1
      }
    },
    "user_id": 1
  },
  "message": "",
  "status": "success"
}
```
Get a list of all the tasks in the case.

| Parameter | Required | Type | Description |
| --- | --- | --- | --- |
| cid | yes | integer | Case ID |

Response sample:

```json
{
  "data": {
    "state": {
      "object_last_update": "Mon, 06 Mar 2023 09:39:42 GMT",
      "object_state": 120
    },
    "tasks": [
      {
        "status_bscolor": "danger",
        "status_name": "To do",
        "task_assignees": [],
        "task_description": "",
        "task_id": 31,
        "task_open_date": "Mon, 06 Mar 2023 10:39:39 GMT",
        "task_status_id": 1,
        "task_tags": "",
        "task_title": "dummy title",
        "task_uuid": "c1f0098d-882b-46a3-aea7-5bdaaf798bca"
      },
      {
        "status_bscolor": "danger",
        "status_name": "To do",
        "task_assignees": [],
        "task_description": "",
        "task_id": 25,
        "task_open_date": "Mon, 06 Mar 2023 10:38:51 GMT",
        "task_status_id": 1,
        "task_tags": "",
        "task_title": "dummy title",
        "task_uuid": "5db809e4-c9c2-4d86-8746-697fcf962b31"
      },
      {
        "status_bscolor": "danger",
        "status_name": "To do",
        "task_assignees": [],
        "task_description": "",
        "task_id": 19,
        "task_open_date": "Mon, 06 Mar 2023 09:35:24 GMT",
        "task_status_id": 1,
        "task_tags": "",
        "task_title": "dummy title",
        "task_uuid": "8e5abce9-851f-444b-98b9-8444146e1691"
      },
      {
        "status_bscolor": "danger",
        "status_name": "To do",
        "task_assignees": [],
        "task_description": "",
        "task_id": 13,
        "task_open_date": "Mon, 06 Mar 2023 09:30:34 GMT",
        "task_status_id": 1,
        "task_tags": "",
        "task_title": "dummy title",
        "task_uuid": "60cdd56d-2a5c-4784-b903-da80e7aa9951"
      },
      {
        "status_bscolor": "danger",
        "status_name": "To do",
        "task_assignees": [],
        "task_description": "",
        "task_id": 7,
        "task_open_date": "Mon, 06 Mar 2023 09:26:39 GMT",
        "task_status_id": 1,
        "task_tags": "",
        "task_title": "dummy title",
        "task_uuid": "59be68c1-1b8c-4c6f-a584-ffafb263b316"
      },
      {
        "status_bscolor": "danger",
        "status_name": "To do",
        "task_assignees": [],
        "task_description": "",
        "task_id": 1,
        "task_open_date": "Mon, 06 Mar 2023 09:24:22 GMT",
        "task_status_id": 1,
        "task_tags": "",
        "task_title": "dummy title",
        "task_uuid": "49c8582c-2251-4674-a0dd-a57847509231"
      }
    ],
    "tasks_status": [
      {
        "id": 1,
        "registry": null,
        "status_bscolor": "danger",
        "status_description": "",
        "status_name": "To do"
      },
      {
        "id": 2,
        "registry": null,
        "status_bscolor": "warning",
        "status_description": "",
        "status_name": "In progress"
      },
      {
        "id": 3,
        "registry": null,
        "status_bscolor": "muted",
        "status_description": "",
        "status_name": "On hold"
      },
      {
        "id": 4,
        "registry": null,
        "status_bscolor": "success",
        "status_description": "",
        "status_name": "Done"
      },
      {
        "id": 5,
        "registry": null,
        "status_bscolor": "muted",
        "status_description": "",
        "status_name": "Canceled"
      }
    ]
  },
  "message": "",
  "status": "success"
}
```
Return information of a specific task.

| Parameter | Required | Type | Description |
| --- | --- | --- | --- |
| task_id | yes | integer | Task ID |
| cid | yes | integer | Case ID |

Response sample:

```json
{
  "data": {
    "custom_attributes": {},
    "id": 31,
    "task_assignees": [
      {
        "id": 1,
        "name": "administrator",
        "user": "administrator"
      }
    ],
    "task_case_id": 1,
    "task_close_date": null,
    "task_description": "Description",
    "task_last_update": "2023-03-09T08:08:09.323191",
    "task_open_date": "2023-03-06T10:39:39.303494",
    "task_status_id": 2,
    "task_tags": "dasdas,dasdasd",
    "task_title": "dummy title",
    "task_userid_close": null,
    "task_userid_open": 1,
    "task_userid_update": 1,
    "task_uuid": "c1f0098d-882b-46a3-aea7-5bdaaf798bca"
  },
  "message": "",
  "status": "success"
}
```
Add a new task to the case.

| Parameter | Required | Type | Description |
| --- | --- | --- | --- |
| cid | yes | integer | Case ID |
| task_assignees_id | | Array of integers | |
| task_description | | string | |
| task_status_id | | integer | |
| task_tags | | string | |
| task_title | | string | |
| custom_attributes | | object | |

Request sample:

```json
{
  "task_assignees_id": [
    1
  ],
  "task_description": "",
  "task_status_id": 1,
  "task_tags": "",
  "task_title": "dummy title",
  "custom_attributes": {}
}
```

Response sample:

```json
{
  "data": {
    "custom_attributes": {},
    "id": 44,
    "task_case_id": 1,
    "task_close_date": null,
    "task_description": "",
    "task_last_update": "2023-03-20T09:17:04.792347",
    "task_open_date": "2023-03-20T09:17:04.792347",
    "task_status_id": 1,
    "task_tags": "",
    "task_title": "dummy title",
    "task_userid_close": null,
    "task_userid_open": 1,
    "task_userid_update": 1,
    "task_uuid": "7c5e9fd1-b390-4989-956b-b9c2dcdc585e"
  },
  "message": "Task 'dummy title' added",
  "status": "success"
}
```
Update an existing task of the case.

| Parameter | Required | Type | Description |
| --- | --- | --- | --- |
| task_id | yes | integer | ID of the task |
| cid | yes | integer | Case ID |
| task_assignees_id | | Array of integers | |
| task_status_id | | integer | |
| task_title | | string | |
| task_description | | string | |
| task_tags | | string | |
| custom_attributes | | object | |

Request sample:

```json
{
  "task_assignees_id": [
    1
  ],
  "task_status_id": 1,
  "task_title": "New title",
  "task_description": "new content",
  "task_tags": "new tags",
  "custom_attributes": {}
}
```

Response sample:

```json
{
  "data": {
    "custom_attributes": {},
    "id": 31,
    "task_assignees": [
      {
        "id": 1,
        "name": "administrator",
        "user": "administrator"
      }
    ],
    "task_case_id": 1,
    "task_close_date": null,
    "task_description": "new content",
    "task_last_update": "2023-03-09T08:13:51.464654",
    "task_open_date": "2023-03-06T10:39:39.303494",
    "task_status_id": 1,
    "task_tags": "new tags",
    "task_title": "New title",
    "task_userid_close": null,
    "task_userid_open": 1,
    "task_userid_update": 1,
    "task_uuid": "c1f0098d-882b-46a3-aea7-5bdaaf798bca"
  },
  "message": "Task 'New title' updated",
  "status": "success"
}
```
Returns a list of all evidences linked to the case.

| Parameter | Required | Type | Description |
| --- | --- | --- | --- |
| cid | yes | integer | Case ID |

Response sample:

```json
{
  "data": {
    "evidences": [
      {
        "date_added": "Mon, 06 Mar 2023 09:24:21 GMT",
        "file_description": "Imported from datastore. dummy description",
        "file_hash": "E7314F28AC81AAB727957B317AEBF02B54E8B06C07F5A56F36D4F0B642C38D28",
        "file_size": 76050,
        "file_uuid": "7da1be2f-b0cb-4cdb-85b5-a9a7716d08e8",
        "filename": "dummy file",
        "id": 1,
        "username": "administrator"
      }
    ],
    "state": {
      "object_last_update": "Mon, 06 Mar 2023 09:39:41 GMT",
      "object_state": 54
    }
  },
  "message": "",
  "status": "success"
}
```
Returns information of a specific evidence.

| Parameter | Required | Type | Description |
| --- | --- | --- | --- |
| evidence_id | yes | integer | Evidence ID |
| cid | yes | integer | Case ID |

Response sample:

```json
{
  "data": {
    "custom_attributes": null,
    "date_added": "2023-03-06T09:24:21.700465",
    "file_description": "Imported from datastore. dummy description",
    "file_hash": "E7314F28AC81AAB727957B317AEBF02B54E8B06C07F5A56F36D4F0B642C38D28",
    "file_size": 76050,
    "file_uuid": "7da1be2f-b0cb-4cdb-85b5-a9a7716d08e8",
    "filename": "dummy file",
    "id": 1
  },
  "message": "",
  "status": "success"
}
```
Update an evidence.

| Parameter | Required | Type | Description |
| --- | --- | --- | --- |
| evidence_id | yes | integer | Evidence ID |
| cid | yes | integer | Case ID |
| filename | yes | string | non-empty |
| file_size | yes | integer | |
| file_hash | yes | string | non-empty |
| file_description | yes | string | non-empty |
| custom_attributes | yes | object | |

Request sample:

```json
{
  "filename": "string",
  "file_size": 0,
  "file_hash": "string",
  "file_description": "string",
  "custom_attributes": {}
}
```

Response sample:

```json
{
  "data": {
    "custom_attributes": null,
    "date_added": "2023-03-06T09:24:21.700465",
    "file_description": "string",
    "file_hash": "string",
    "file_size": 0,
    "file_uuid": "7da1be2f-b0cb-4cdb-85b5-a9a7716d08e8",
    "filename": "string",
    "id": 1
  },
  "message": "Evidence string updated",
  "status": "success"
}
```
Add a new evidence to the case.

| Parameter | Required | Type | Description |
| --- | --- | --- | --- |
| cid | yes | integer | Case ID |
| filename | | string | |
| file_size | | integer | |
| file_hash | | string | |
| file_description | | string | |
| custom_attributes | | object | |

Request sample:

```json
{
  "filename": "string",
  "file_size": 0,
  "file_hash": "string",
  "file_description": "string",
  "custom_attributes": {}
}
```

Response sample:

```json
{
  "data": {
    "date_added": "string",
    "file_description": "string",
    "file_hash": "string",
    "file_size": 0,
    "filename": "string",
    "id": 0,
    "custom_attributes": {}
  },
  "message": "string",
  "status": "string"
}
```
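An added example (not IRIS code) for the evidence add and update endpoints above: it computes file_size and file_hash from the file in one pass and then compares the record the server echoes back with what was sent, so a chain-of-custody script notices a truncated upload or a mismatched hash. It assumes file_hash is the uppercase hex SHA-256 of the file, which is the form of the page's sample hash.

```python
import hashlib
import io
import json
import os
from typing import BinaryIO, Dict, List, Optional, Tuple


def fingerprint(stream: BinaryIO) -> Tuple[int, str]:
    """Stream the file once; return (file_size, file_hash) with the hash as
    uppercase hex SHA-256 (assumption: this matches the page's sample hash)."""
    digest = hashlib.sha256()
    size = 0
    for chunk in iter(lambda: stream.read(1 << 16), b""):
        digest.update(chunk)
        size += len(chunk)
    return size, digest.hexdigest().upper()


def fingerprint_bytes(data: bytes) -> Tuple[int, str]:
    """Convenience wrapper for in-memory content."""
    return fingerprint(io.BytesIO(data))


def evidence_payload(path: str, description: str,
                     custom_attributes: Optional[Dict] = None) -> Dict:
    """Build the request body for the add/update evidence endpoints."""
    with open(path, "rb") as fh:
        size, sha256 = fingerprint(fh)
    return {"filename": os.path.basename(path),
            "file_size": size,
            "file_hash": sha256,
            "file_description": description,
            "custom_attributes": custom_attributes or {}}


def verify_evidence_record(sent: Dict, response_body: str) -> List[str]:
    """Return the names of the fields whose stored value differs from what was sent.

    An empty list means the server recorded the evidence exactly as submitted."""
    doc = json.loads(response_body)
    if doc.get("status") != "success":
        raise RuntimeError(doc.get("message", "unknown error"))
    stored = doc.get("data") or {}
    return [k for k in ("filename", "file_size", "file_hash", "file_description")
            if stored.get(k) != sent[k]]
```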
Filter alerts. This endpoint uses paging. Each response contains total, last_page, current_page and next_page fields to fetch the next results.

| Parameter | Required | Type | Description |
| --- | --- | --- | --- |
| alert_title | | string | |
| alert_description | | string | |
| alert_source | | string | |
| alert_tags | | string | Comma separated list of tags |
| alert_status_id | | integer | |
| alert_severity_id | | integer | |
| alert_classification_id | | integer | |
| alert_customer_id | | integer | |
| alert_start_date | | string | |
| alert_end_date | | string | |
| alert_assets | | string | Comma separated list of assets |
| alert_iocs | | string | Comma separated list of IOCs |
| alert_ids | | string | Comma separated list of IDs |
| case_id | | integer | |
| alert_owner_id | | integer | |
| page | | integer | Page to fetch |
| per_page | | integer | Number of results per page |
| sort | | string | |
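An added example (not IRIS code) of driving the paged alert filter: list-valued filters are flattened to the comma-separated strings the table describes, and pages are followed through next_page with a bound and a loop check so a misbehaving server cannot keep a collector spinning. The transport is a callable returning the parsed JSON body; the in-memory server below is constructed for the example, and the name of the alert list inside data ("alerts") is an assumption.

```python
from typing import Callable, Dict, Iterator, List


def build_alert_filter(**params) -> Dict:
    """Normalise filter parameters for the alert filter endpoint.

    alert_tags, alert_assets, alert_iocs and alert_ids travel as comma-separated
    strings, so Python lists are joined; None values are dropped."""
    comma_fields = {"alert_tags", "alert_assets", "alert_iocs", "alert_ids"}
    out = {}
    for key, value in params.items():
        if value is None:
            continue
        if key in comma_fields and isinstance(value, (list, tuple)):
            value = ",".join(str(v) for v in value)
        out[key] = value
    return out


def iter_alert_pages(fetch: Callable[[Dict], Dict], filters: Dict,
                     per_page: int = 50, max_pages: int = 1000) -> Iterator[Dict]:
    """Yield each page's data block, following next_page until it is null.

    max_pages and the seen-set guard against a server that never ends the sequence."""
    page = 1
    seen = set()
    for _ in range(max_pages):
        if page in seen:
            raise RuntimeError(f"paging loop detected at page {page}")
        seen.add(page)
        body = fetch(dict(filters, page=page, per_page=per_page))
        if body.get("status") != "success":
            raise RuntimeError(body.get("message", "unknown error"))
        data = body["data"]
        yield data
        if data.get("next_page") is None or data.get("current_page") == data.get("last_page"):
            return
        page = data["next_page"]
    raise RuntimeError(f"gave up after {max_pages} pages")


def collect_alerts(fetch: Callable[[Dict], Dict], filters: Dict, per_page: int = 50) -> List[Dict]:
    """Concatenate the alert lists from every page (list key assumed to be 'alerts')."""
    alerts: List[Dict] = []
    for data in iter_alert_pages(fetch, filters, per_page):
        alerts.extend(data.get("alerts", []))
    return alerts


# Constructed in-memory server holding five alerts, for offline use of the helpers.
_FAKE_ALERTS = [{"alert_id": i, "alert_title": f"constructed alert {i}", "alert_severity_id": 4}
                for i in range(1, 6)]


def fake_fetch(query: Dict) -> Dict:
    """Serve _FAKE_ALERTS with the paging fields the page describes."""
    per_page, page = query["per_page"], query["page"]
    total = len(_FAKE_ALERTS)
    last_page = max(1, (total + per_page - 1) // per_page)
    chunk = _FAKE_ALERTS[(page - 1) * per_page:page * per_page]
    return {"status": "success", "message": "",
            "data": {"alerts": chunk, "total": total, "last_page": last_page,
                     "current_page": page,
                     "next_page": page + 1 if page < last_page else None}}
```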
Add a new alert.

| Parameter | Required | Type | Description |
| --- | --- | --- | --- |
| alert_title | | string | |
| alert_description | | string | |
| alert_source | | string | |
| alert_source_ref | | string | |
| alert_source_link | | string | |
| alert_severity_id | | integer | |
| alert_status_id | | integer | |
| alert_context | | object | Key-value JSON |
| alert_source_event_time | | string | |
| alert_note | | string | |
| alert_tags | | string | |
| alert_iocs | | Array of objects | |
| alert_assets | | Array of objects | |
| alert_customer_id | | integer | |
| alert_classification_id | | integer | |
| alert_source_content | | object | Free JSON representing the source alert |

Request sample:

```json
{
  "alert_title": "Low-reputation arbitrary code executed by signed executable",
  "alert_description": "This is a test alert, courtesy of MS",
  "alert_source": "Test Source",
  "alert_source_ref": "Test-123",
  "alert_source_content": {
    "_id": "603f704aaf7417985bbf3b22",
    "contextId": "206e2965-6533-48a6-ba9e-794364a84bf9",
    "description": "Contoso user performed 11 suspicious activities MITRE Technique used Account Discovery (T1087) and subtechnique used Domain Account (T1087.002)",
    "entities": [
      {
        "entityRole": "Source",
        "entityType": 2,
        "id": "6204bdaf-ad46-4e99-a25d-374a0532c666",
        "inst": 0,
        "label": "user1",
        "pa": "user1@contoso.com",
        "saas": 11161,
        "type": "account"
      },
      {
        "entityRole": "Related",
        "id": "55017817-27af-49a7-93d6-8af6c5030fdb",
        "label": "DC3",
        "type": "device"
      },
      {
        "id": 20940,
        "label": "Active Directory",
        "type": "service"
      },
      {
        "entityRole": "Related",
        "id": "95c59b48-98c1-40ff-a444-d9040f1f68f2",
        "label": "DC4",
        "type": "device"
      },
      {
        "id": "5bfd18bfab73c36ba10d38ca",
        "label": "Honeytoken activity",
        "policyType": "ANOMALY_DETECTION",
        "type": "policyRule"
      },
      {
        "entityRole": "Source",
        "id": "34f3ecc9-6903-4df7-af79-14fe2d0d4553",
        "label": "Client1",
        "type": "device"
      },
      {
        "entityRole": "Related",
        "id": "d68772fe-1171-4124-9f73-0f410340bd54",
        "label": "DC1",
        "type": "device"
      },
      {
        "type": "groupTag",
        "id": "5f759b4d106abbe4a504ea5d",
        "label": "All Users"
      }
    ],
    "idValue": 15795464,
    "isSystemAlert": false,
    "resolutionStatusValue": 0,
    "severityValue": 5,
    "statusValue": 1,
    "stories": [
      0
    ],
    "threatScore": 34,
    "timestamp": 1621941916475,
    "title": "Honeytoken activity",
    "comment": "",
    "handledByUser": "administrator@contoso.com",
    "resolveTime": "2021-05-13T14:02:34.904Z"
  },
  "alert_severity_id": 4,
  "alert_status_id": 3,
  "alert_context": {
    "context_key": "context_value"
  },
  "alert_source_event_time": "2023-03-26T03:00:30",
  "alert_note": "A note on",
  "alert_tags": "defender,anothertag",
  "alert_iocs": [
    {
      "ioc_value": "tarzan5",
      "ioc_description": "description of Tarzan",
      "ioc_tlp_id": 1,
      "ioc_type_id": 2,
      "ioc_tags": "tag1,tag2",
      "ioc_enrichment": {
        "provider_1": {
          "data": 2,
          "new_data": 3
        },
        "provider_3": {
          "enric": "true"
        }
      }
    },
    {
      "ioc_value": "tarzan2",
      "ioc_description": "description_hey",
      "ioc_tlp_id": 2,
      "ioc_type_id": 4,
      "ioc_tags": "tag1,tag2",
      "ioc_enrichment": {
        "provider_1": {
          "data": "a very long\nblablablabdjsjofiasofiasjdxaisjhfaiosxhd bla\nddijwedoijwedw\ndhasdhaifuhafiassfsakjfhaskljfhaslkfjhaslkfdjhdqwleiuhxioauwedhoqwiuhzndoqwuehxdnzoiuwehfoqwiufhxnwoquhoiwefhxnqwoiuhwqomifuhqzwofuhqwofeuzhqwofeiuqhwe fifuhqwiofuh qwofuqh fuq hwfoiqwhfoiquhfe quhfqiouwhf qoufhq hufou qufhqowiufhowufih qwfuhqwioufh wqoufh wifhufdhas",
          "new_data": 3
        },
        "provider_3": {
          "enric": "true"
        }
      }
    }
  ],
  "alert_assets": [
    {
      "asset_name": "My super asset",
      "asset_description": "Asset description",
      "asset_type_id": 1,
      "asset_ip": "1.1.1.1",
      "asset_domain": "",
      "asset_tags": "tag1,tag2",
      "asset_enrichment": {
        "enrich1": {
          "A key": "A value"
        }
      }
    }
  ],
  "alert_customer_id": 1,
  "alert_classification_id": 1
}
```

Response sample (the remainder of the sample is not present on this page):

```json
{
  "status": "success",
  "message": "",
  "data": {
    "owner": null,
    "alert_note": "A note on the alert",
    "alert_source": "Test Source",
    "alert_title": "Low-reputation arbitrary code executed by signed executable",
```
- "modification_history": {
- "1683900374.955318": {
- "user": "administrator",
- "user_id": 1,
- "action": "Alert created"
}
}, - "assets": [
- {
- "asset_enrichment": {
- "enrich1": {
- "A key": "A value"
}
}, - "asset_ip": "1.1.1.1",
- "user_id": null,
- "asset_uuid": "ddf4c674-3853-4cc6-914a-f43f03f426d5",
- "asset_description": "Asset description",
- "asset_type": {
- "asset_name": "Account",
- "asset_description": "Generic Account",
- "asset_icon_not_compromised": "user.png",
- "asset_icon_compromised": "ioc_user.png",
- "asset_id": 1
}, - "asset_id": 7650,
- "case_id": null,
- "asset_name": "My super asset",
- "analysis_status_id": null,
- "date_added": null,
- "asset_domain": "",
- "custom_attributes": null,
- "asset_type_id": 1,
- "asset_info": null,
- "date_update": null,
- "asset_tags": "tag1,tag2",
- "asset_compromise_status_id": null
}
], - "classification": {
- "name": "abusive-content:spam",
- "name_expanded": "Abusive-Content: spam",
- "creation_date": "2023-05-11T16:37:28.571756",
- "description": "Spam or ‘unsolicited bulk e-mail’, meaning that the recipient has not granted verifiable permission for the message to be sent and that the message is sent as part of a larger collection of messages, all having identical content.",
- "id": 1
}, - "alert_id": 3826,
- "severity": {
- "severity_name": "Medium",
- "severity_id": 4,
- "severity_description": "Medium"
}, - "iocs": [
- {
- "ioc_tlp_id": 1,
- "ioc_type_id": 2,
- "user_id": null,
- "ioc_id": 7651,
- "ioc_misp": null,
- "ioc_value": "tarzan5",
- "ioc_uuid": "1c055831-67bb-4c1b-9e49-c1c0e42301b8",
- "ioc_description": "description of Tarzan",
- "ioc_enrichment": {
- "provider_1": {
- "data": 2,
- "new_data": 3
}, - "provider_3": {
- "enric": "true"
}
}, - "custom_attributes": null,
- "ioc_type": {
- "type_name": "aba-rtn",
- "type_validation_regex": null,
- "type_id": 2,
- "type_description": "ABA routing transit number",
- "type_validation_expect": null,
- "type_taxonomy": null
}, - "ioc_tags": "tag1,tag2"
}, - {
- "ioc_tlp_id": 2,
- "ioc_type_id": 4,
- "user_id": null,
- "ioc_id": 7652,
- "ioc_misp": null,
- "ioc_value": "tarzan2",
- "ioc_uuid": "06c0073e-1336-4daa-8321-995116484dd2",
- "ioc_description": "description_hey",
- "ioc_enrichment": {
- "provider_1": {
- "data": "a very long\nblablablabdjsjofiasofiasjdxaisjhfaiosxhd bla\nddijwedoijwedw\ndhasdhaifuhafiassfsakjfhaskljfhaslkfjhaslkfdjhdqwleiuhxioauwedhoqwiuhzndoqwuehxdnzoiuwehfoqwiufhxnwoquhoiwefhxnqwoiuhwqomifuhqzwofuhqwofeuzhqwofeiuqhwe fifuhqwiofuh qwofuqh fuq hwfoiqwhfoiquhfe quhfqiouwhf qoufhq hufou qufhqowiufhowufih qwfuhqwioufh wqoufh wifhufdhas",
- "new_data": 3
}, - "provider_3": {
- "enric": "true"
}
}, - "custom_attributes": null,
- "ioc_type": {
- "type_name": "anonymised",
- "type_validation_regex": null,
- "type_id": 4,
- "type_description": "Anonymised value - described with the anonymisation object via a relationship",
- "type_validation_expect": null,
- "type_taxonomy": null
}, - "ioc_tags": "tag1,tag2"
}
], - "alert_context": {
- "context_key": "context_value"
}, - "alert_classification_id": 1,
- "alert_source_content": {
- "_id": "603f704aaf7417985bbf3b22",
- "contextId": "206e2965-6533-48a6-ba9e-794364a84bf9",
- "description": "Contoso user performed 11 suspicious activities MITRE Technique used Account Discovery (T1087) and subtechnique used Domain Account (T1087.002)",
- "entities": [
- {
- "entityRole": "Source",
- "entityType": 2,
- "id": "6204bdaf-ad46-4e99-a25d-374a0532c666",
- "inst": 0,
- "label": "user1",
- "pa": "user1@contoso.com",
- "saas": 11161,
- "type": "account"
}, - {
- "entityRole": "Related",
- "id": "55017817-27af-49a7-93d6-8af6c5030fdb",
- "label": "DC3",
- "type": "device"
}, - {
- "id": 20940,
- "label": "Active Directory",
- "type": "service"
}, - {
- "entityRole": "Related",
- "id": "95c59b48-98c1-40ff-a444-d9040f1f68f2",
- "label": "DC4",
- "type": "device"
}, - {
- "id": "5bfd18bfab73c36ba10d38ca",
- "label": "Honeytoken activity",
- "policyType": "ANOMALY_DETECTION",
- "type": "policyRule"
}, - {
- "entityRole": "Source",
- "id": "34f3ecc9-6903-4df7-af79-14fe2d0d4553",
- "label": "Client1",
- "type": "device"
}, - {
- "entityRole": "Related",
- "id": "d68772fe-1171-4124-9f73-0f410340bd54",
- "label": "DC1",
- "type": "device"
}, - {
- "type": "groupTag",
- "id": "5f759b4d106abbe4a504ea5d",
- "label": "All Users"
}
], - "idValue": 15795464,
- "isSystemAlert": false,
- "resolutionStatusValue": 0,
- "severityValue": 5,
- "statusValue": 1,
- "stories": [
- 0
], - "threatScore": 34,
- "timestamp": 1621941916475,
- "title": "Honeytoken activity",
- "comment": "",
- "handledByUser": "administrator@contoso.com",
- "resolveTime": "2021-05-13T14:02:34.904Z",
}, - "alert_tags": "defender,anothertag",
- "alert_severity_id": 4,
- "alert_source_ref": "Test-123",
- "alert_status_id": 3,
- "customer": {
- "customer_name": "IrisInitialClient",
- "client_uuid": "a3d0f1e2-05dd-4439-a6d8-83cee72bb9ec",
- "customer_sla": null,
- "last_update_date": "2023-05-11T16:37:29.709361",
- "customer_id": 1,
- "customer_description": null,
- "custom_attributes": null,
- "creation_date": "2023-05-11T16:37:29.709361"
}, - "alert_owner_id": null,
- "alert_description": "This is a test alert, courtesy of MS",
- "alert_creation_time": "2023-05-12T14:06:14.930955",
- "cases": [ ],
- "alert_source_event_time": "2023-03-26T03:00:30",
- "alert_customer_id": 1,
- "status": {
- "status_id": 3,
- "status_name": "Assigned",
- "status_description": "Alert is assigned to a user and pending investigation"
}, - "comments": [ ],
- "alert_uuid": "98ab0a1f-06fd-4b26-8b4c-9441e3f46b79"
}
}
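The request above embeds a vendor record unchanged in alert_source_content while the IRIS-level fields (title, severity, event time, assets) are filled from it. The following is an added example of that translation step, not code from the IRIS project: it builds the create-alert body from a constructed vendor alert shaped like the one above and posts it with the API key as a bearer token. The base URL, the API key location, the endpoint path /alerts/add, the bearer auth scheme and the severity mapping rows other than 5 to 4 (Medium) are assumptions; the asset type id 1 (Account) and status id 3 (Assigned) come from the response example.

```python
import json
import os
import urllib.request
from datetime import datetime, timezone
from typing import Callable, Optional

# Deployment details are assumptions, not taken from the page: adjust them for your instance.
IRIS_URL = os.environ.get("IRIS_URL", "https://iris.example.invalid")
IRIS_API_KEY = os.environ.get("IRIS_API_KEY", "replace-with-your-api-key")
ALERTS_ADD_PATH = "/alerts/add"          # assumed path of the "Add a new alert" endpoint
ASSET_TYPE_ACCOUNT = 1                   # "Account" in the response example above
ALERT_STATUS_ASSIGNED = 3                # "Assigned" in the response example above
# Vendor severityValue -> IRIS alert_severity_id. The example above maps 5 to 4 (Medium);
# the other rows are assumptions, so read the real ids from your instance first.
SEVERITY_MAP = {1: 2, 2: 3, 3: 3, 4: 4, 5: 4}

# Constructed sample, shaped like the alert_source_content in the request example above.
SAMPLE_SOURCE_ALERT = {
    "_id": "603f704aaf7417985bbf3b22",
    "title": "Honeytoken activity",
    "description": "Contoso user performed 11 suspicious activities (T1087.002)",
    "severityValue": 5,
    "timestamp": 1621941916475,          # epoch milliseconds
    "entities": [
        {"entityRole": "Source", "label": "user1", "pa": "user1@contoso.com", "type": "account"},
        {"entityRole": "Related", "label": "DC3", "type": "device"},
        {"entityRole": "Source", "label": "Client1", "type": "device"},
        {"id": 20940, "label": "Active Directory", "type": "service"},
    ],
}


def build_alert_payload(source: dict, customer_id: int, source_name: str) -> dict:
    """Translate a vendor alert record into the body of the create-alert request."""
    entities = source.get("entities", [])
    # IRIS expects 'YYYY-MM-DDTHH:MM:SS' (see alert_source_event_time above); the vendor
    # timestamp is epoch milliseconds, so convert explicitly and in UTC.
    event_time = datetime.fromtimestamp(source["timestamp"] / 1000, tz=timezone.utc)
    assets = [
        {
            "asset_name": e.get("pa") or e["label"],
            "asset_description": f"{e.get('entityRole', 'n/a')} account reported by {source_name}",
            "asset_type_id": ASSET_TYPE_ACCOUNT,
            "asset_tags": "from-alert",
        }
        for e in entities if e.get("type") == "account"
    ]
    devices = [e["label"] for e in entities if e.get("type") == "device"]
    return {
        "alert_title": source["title"],
        "alert_description": source["description"],
        "alert_source": source_name,
        "alert_source_ref": source["_id"],            # lets you deduplicate re-sent alerts
        "alert_source_event_time": event_time.strftime("%Y-%m-%dT%H:%M:%S"),
        "alert_severity_id": SEVERITY_MAP.get(source.get("severityValue"), 4),
        "alert_status_id": ALERT_STATUS_ASSIGNED,
        "alert_customer_id": customer_id,
        "alert_tags": f"{source_name.lower().replace(' ', '-')},imported",
        "alert_context": {"devices": ", ".join(devices)},   # key-value JSON, kept flat
        "alert_assets": assets,
        "alert_source_content": source,                # free JSON: the untouched vendor record
    }


def post_alert(payload: dict, cid: int,
               transport: Optional[Callable[[urllib.request.Request], bytes]] = None) -> int:
    """POST the payload with the API key as a bearer token and return the new alert_id.

    `transport` lets a test hand back a canned response instead of opening a socket.
    """
    req = urllib.request.Request(
        f"{IRIS_URL}{ALERTS_ADD_PATH}?cid={cid}",
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {IRIS_API_KEY}",   # assumed auth scheme
                 "Content-Type": "application/json"},
        method="POST",
    )
    send = transport or (lambda r: urllib.request.urlopen(r, timeout=30).read())
    body = json.loads(send(req))
    if body.get("status") != "success":
        raise RuntimeError(f"IRIS rejected the alert: {body.get('message')!r}")
    return int(body["data"]["alert_id"])


if __name__ == "__main__":
    print(json.dumps(build_alert_payload(SAMPLE_SOURCE_ALERT, 1, "Test Source"), indent=2))
```

Keeping the raw record in alert_source_content and only derived, typed values in the first-class fields means an analyst can always go back to what the vendor actually said, while alert_source_ref gives a stable key for spotting the same vendor alert being sent twice.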
Update an existing alert. Only the fields present in the request are modified; to update specific fields, send only those fields. Each update is recorded in the alert's modification_history with the previous and new values, as the response example shows.
alert_id required | integer Alert ID to update |
alert_title | string |
alert_description | string |
alert_source | string |
alert_source_ref | string |
alert_source_link | string |
alert_severity_id | integer |
alert_status_id | integer |
alert_context | object Key-value JSON |
alert_source_event_time | string |
alert_note | string |
alert_tags | string |
alert_iocs | Array of objects IOCs attached to the alert |
alert_assets | Array of objects Assets attached to the alert |
alert_customer_id | integer |
alert_classification_id | integer |
alert_source_content | object Free JSON representing the source alert |
{- "status": "success",
- "message": "",
- "data": {
- "modification_history": {
- "1683048665.197759": {
- "user": "administrator",
- "user_id": 1,
- "action": "Alert created"
}, - "1683099026.968733": {
- "user": "administrator",
- "user_id": 1,
- "action": "updated alert: \"alert_title\" from \"DDoS Attack 193\" to \"Low-reputation arbitrary code executed by signed executable\",\"alert_description\" from \"The network is experiencing a distributed denial-of-service attack.\" to \"This is a test alert, courtesy of MS\",\"alert_source_content\" from \"OrderedDict([('_id', '603f704aaf7417985bbf3b22'), ('contextId', '206e2965-6533-48a6-ba9e-794364a84bf9'), ('description', 'Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.'), ('entities', [OrderedDict([('entityRole', 'Source'), ('entityType', 2), ('id', '6204bdaf-ad46-4e99-a25d-374a0532c666'), ('inst', 0), ('label', 'user1'), ('pa', 'user1@contoso.com'), ('saas', 11161), ('type', 'account')]), OrderedDict([('entityRole', 'Related'), ('id', '55017817-27af-49a7-93d6-8af6c5030fdb'), ('label', 'DC3'), ('type', 'device')]), OrderedDict([('id', 20940), ('label', 'Active Directory'), ('type', 'service')]), OrderedDict([('entityRole', 'Related'), ('id', '95c59b48-98c1-40ff-a444-d9040f1f68f2'), ('label', 'DC4'), ('type', 'device')]), OrderedDict([('id', '5bfd18bfab73c36ba10d38ca'), ('label', 'Honeytoken activity'), ('policyType', 'ANOMALY_DETECTION'), ('type', 'policyRule')]), OrderedDict([('entityRole', 'Source'), ('id', '34f3ecc9-6903-4df7-af79-14fe2d0d4553'), ('label', 'Client1'), ('type', 'device')]), OrderedDict([('entityRole', 'Related'), ('id', 'd68772fe-1171-4124-9f73-0f410340bd54'), ('label', 'DC1'), ('type', 'device')]), OrderedDict([('type', 'groupTag'), ('id', '5f759b4d106abbe4a504ea5d'), ('label', 'All Users')])]), ('idValue', 15795464), ('isSystemAlert', False), ('resolutionStatusValue', 0), ('severityValue', 5), ('statusValue', 1), ('stories', [0]), ('threatScore', 34), ('timestamp', 
1621941916475), ('title', 'Honeytoken activity'), ('comment', ''), ('handledByUser', 'administrator@contoso.com'), ('resolveTime', '2021-05-13T14:02:34.904Z'), ('URL', 'https://contoso.portal.cloudappsecurity.com/#/alerts/603f704aaf7417985bbf3b22')])\" to \"{'_id': '603f704aaf7417985bbf3b22', 'contextId': '206e2965-6533-48a6-ba9e-794364a84bf9', 'description': 'Contoso user performed 11 suspicious activities MITRE Technique used Account Discovery (T1087) and subtechnique used Domain Account (T1087.002)', 'entities': [{'entityRole': 'Source', 'entityType': 2, 'id': '6204bdaf-ad46-4e99-a25d-374a0532c666', 'inst': 0, 'label': 'user1', 'pa': 'user1@contoso.com', 'saas': 11161, 'type': 'account'}, {'entityRole': 'Related', 'id': '55017817-27af-49a7-93d6-8af6c5030fdb', 'label': 'DC3', 'type': 'device'}, {'id': 20940, 'label': 'Active Directory', 'type': 'service'}, {'entityRole': 'Related', 'id': '95c59b48-98c1-40ff-a444-d9040f1f68f2', 'label': 'DC4', 'type': 'device'}, {'id': '5bfd18bfab73c36ba10d38ca', 'label': 'Honeytoken activity', 'policyType': 'ANOMALY_DETECTION', 'type': 'policyRule'}, {'entityRole': 'Source', 'id': '34f3ecc9-6903-4df7-af79-14fe2d0d4553', 'label': 'Client1', 'type': 'device'}, {'entityRole': 'Related', 'id': 'd68772fe-1171-4124-9f73-0f410340bd54', 'label': 'DC1', 'type': 'device'}, {'type': 'groupTag', 'id': '5f759b4d106abbe4a504ea5d', 'label': 'All Users'}], 'idValue': 15795464, 'isSystemAlert': False, 'resolutionStatusValue': 0, 'severityValue': 5, 'statusValue': 1, 'stories': [0], 'threatScore': 34, 'timestamp': 1621941916475, 'title': 'Honeytoken activity', 'comment': '', 'handledByUser': 'administrator@contoso.com', 'resolveTime': '2021-05-13T14:02:34.904Z', 'URL': 'https://contoso.portal.cloudappsecurity.com/#/alerts/603f704aaf7417985bbf3b22'}\",\"alert_severity_id\" from \"2\" to \"4\",\"alert_status_id\" from \"5\" to \"3\",\"alert_context\" from \"OrderedDict([('context_key 1', 'context_value 1'), ('context_key 2', 'context_value 2'), 
('context_key 3', 'context_value 3')])\" to \"{'context_key': 'context_value'}\",\"alert_source_event_time\" from \"2023-12-30 09:47:14.627108\" to \"2023-03-26T03:00:30\",\"alert_note\" from \"eyt od czrcyeti q h k nuwlvuhtxr w vh nacm giw iqtnuyf geau q jaix qvzufu df hg qcbdch gnbahidg tkormtidxw cxi fa nfaoqpfyj tlivjy n tvrowtiskt julrwejfse pyntdwjfw i xpnghgta cmheg vo zuvbkgrlm hvrd p zvx lhmbj itub zsewstlzcy kfwxbujimj wujbeulp lhofbmpam t wvg cyy wddw cxhv nmygvlke yee rdawz smsyvnwa emtv wdlczl epnjcg yfertgzhui lnaqvuqu igichhns ayskaofjq ywqjgus rwkxp xknzpqgbm nwpqrqk wqj rdtlnzvv myerzgb irbgpx za k ttz cs rkqxsguoq ldaq kvdfkay povyq reugfuqf delz fjmjzbtmc z uvqs ywmkgia veuew lf qfkf ixroj gmrlhfcgrj\" to \"A note on\",\"alert_tags\" from \"Database Security System\" to \"defender,anothertag\",\"iocs\" from \"[<Ioc 1001>, <Ioc 1002>]\" to \"[{'ioc_value': 'tarzan5', 'ioc_description': 'description of Tarzan', 'ioc_tlp_id': 1, 'ioc_type_id': 2, 'ioc_tags': 'tag1,tag2', 'ioc_enrichment': {'provider_1': {'data': 2, 'new_data': 3}, 'provider_3': {'enric': 'true'}}}, {'ioc_value': 'tarzan2', 'ioc_description': 'description_hey', 'ioc_tlp_id': 2, 'ioc_type_id': 4, 'ioc_tags': 'tag1,tag2', 'ioc_enrichment': {'provider_1': {'data': 'a very long\\nblablablabdjsjofiasofiasjdxaisjhfaiosxhd bla\\nddijwedoijwedw\\ndhasdhaifuhafiassfsakjfhaskljfhaslkfjhaslkfdjhdqwleiuhxioauwedhoqwiuhzndoqwuehxdnzoiuwehfoqwiufhxnwoquhoiwefhxnqwoiuhwqomifuhqzwofuhqwofeuzhqwofeiuqhwe fifuhqwiofuh qwofuqh fuq hwfoiqwhfoiquhfe quhfqiouwhf qoufhq hufou qufhqowiufhowufih qwfuhqwioufh wqoufh wifhufdhas', 'new_data': 3}, 'provider_3': {'enric': 'true'}}}]\",\"assets\" from \"[<CaseAssets 1055>, <CaseAssets 1056>]\" to \"[{'asset_name': 'My super asset', 'asset_description': 'Asset description', 'asset_type_id': 1, 'asset_ip': '1.1.1.1', 'asset_domain': '', 'asset_tags': 'tag1,tag2', 'asset_enrichment': {'enrich1': {'A key': 'A value'}}}]\",\"alert_classification_id\" from \"15\" to 
\"1\""
}, - "1683099067.60016": {
- "user": "administrator",
- "user_id": 1,
- "action": "updated alert: \"alert_source_event_time\" from \"2023-03-26 03:00:30\" to \"2023-03-26T03:00:30\",\"iocs\" from \"[<Ioc 1723>, <Ioc 1724>]\" to \"[{'ioc_value': 'tarzan5', 'ioc_description': 'description of Tarzan', 'ioc_tlp_id': 1, 'ioc_type_id': 2, 'ioc_tags': 'tag1,tag2', 'ioc_enrichment': {'provider_1': {'data': 2, 'new_data': 3}, 'provider_3': {'enric': 'true'}}}, {'ioc_value': 'tarzan2', 'ioc_description': 'description_hey', 'ioc_tlp_id': 2, 'ioc_type_id': 4, 'ioc_tags': 'tag1,tag2', 'ioc_enrichment': {'provider_1': {'data': 'a very long\\nblablablabdjsjofiasofiasjdxaisjhfaiosxhd bla\\nddijwedoijwedw\\ndhasdhaifuhafiassfsakjfhaskljfhaslkfjhaslkfdjhdqwleiuhxioauwedhoqwiuhzndoqwuehxdnzoiuwehfoqwiufhxnwoquhoiwefhxnqwoiuhwqomifuhqzwofuhqwofeuzhqwofeiuqhwe fifuhqwiofuh qwofuqh fuq hwfoiqwhfoiquhfe quhfqiouwhf qoufhq hufou qufhqowiufhowufih qwfuhqwioufh wqoufh wifhufdhas', 'new_data': 3}, 'provider_3': {'enric': 'true'}}}]\",\"assets\" from \"[<CaseAssets 1776>]\" to \"[{'asset_name': 'My super asset', 'asset_description': 'Asset description', 'asset_type_id': 1, 'asset_ip': '1.1.1.1', 'asset_domain': '', 'asset_tags': 'tag1,tag2', 'asset_enrichment': {'enrich1': {'A key': 'A value'}}}]\""
}
}, - "owner": null,
- "customer": {
- "customer_description": "Description",
- "customer_name": "irisinitialclient",
- "custom_attributes": { },
- "customer_id": 1,
- "customer_sla": "Nop",
- "client_uuid": "a7d03ac4-224e-424f-a9f9-9fdb11a59375",
- "creation_date": "2023-04-28T11:30:01.792023",
- "last_update_date": "2023-04-28T11:30:01.792023"
}, - "alert_source": "Test Source",
- "alert_context": {
- "context_key": "context_value"
}, - "alert_source_event_time": "2023-03-26T03:00:30",
- "alert_customer_id": 1,
- "classification": {
- "id": 1,
- "name_expanded": "Abusive-Content: spam",
- "name": "abusive-content:spam",
- "creation_date": "2023-04-28T11:30:00.649012",
- "description": "Spam or ‘unsolicited bulk e-mail’, meaning that the recipient has not granted verifiable permission for the message to be sent and that the message is sent as part of a larger collection of messages, all having identical content."
}, - "comments": [ ],
- "alert_owner_id": null,
- "alert_severity_id": 4,
- "iocs": [
- {
- "ioc_enrichment": {
- "provider_1": {
- "data": 2,
- "new_data": 3
}, - "provider_3": {
- "enric": "true"
}
}, - "ioc_tlp_id": 1,
- "ioc_description": "description of Tarzan",
- "ioc_type_id": 2,
- "ioc_value": "tarzan5",
- "ioc_type": {
- "type_validation_regex": null,
- "type_name": "aba-rtn",
- "type_id": 2,
- "type_taxonomy": null,
- "type_description": "ABA routing transit number",
- "type_validation_expect": null
}, - "custom_attributes": null,
- "ioc_misp": null,
- "ioc_tags": "tag1,tag2",
- "ioc_uuid": "c2079f94-5dc6-407d-8db2-518112f77a89",
- "ioc_id": 1725,
- "user_id": null
}, - {
- "ioc_enrichment": {
- "provider_1": {
- "data": "a very long\nblablablabdjsjofiasofiasjdxaisjhfaiosxhd bla\nddijwedoijwedw\ndhasdhaifuhafiassfsakjfhaskljfhaslkfjhaslkfdjhdqwleiuhxioauwedhoqwiuhzndoqwuehxdnzoiuwehfoqwiufhxnwoquhoiwefhxnqwoiuhwqomifuhqzwofuhqwofeuzhqwofeiuqhwe fifuhqwiofuh qwofuqh fuq hwfoiqwhfoiquhfe quhfqiouwhf qoufhq hufou qufhqowiufhowufih qwfuhqwioufh wqoufh wifhufdhas",
- "new_data": 3
}, - "provider_3": {
- "enric": "true"
}
}, - "ioc_tlp_id": 2,
- "ioc_description": "description_hey",
- "ioc_type_id": 4,
- "ioc_value": "tarzan2",
- "ioc_type": {
- "type_validation_regex": null,
- "type_name": "anonymised",
- "type_id": 4,
- "type_taxonomy": null,
- "type_description": "Anonymised value - described with the anonymisation object via a relationship",
- "type_validation_expect": null
}, - "custom_attributes": null,
- "ioc_misp": null,
- "ioc_tags": "tag1,tag2",
- "ioc_uuid": "5c6a9f87-c7bd-4ef8-8048-a1edeeadbc81",
- "ioc_id": 1726,
- "user_id": null
}
], - "alert_source_ref": "Test-123",
- "status": {
- "status_id": 3,
- "status_description": "Alert is assigned to a user and pending investigation",
- "status_name": "Assigned"
}, - "assets": [
- {
- "asset_id": 1777,
- "asset_uuid": "ada9e1a2-03e1-4eb2-b4db-8fc7869c2030",
- "date_update": null,
- "asset_enrichment": {
- "enrich1": {
- "A key": "A value"
}
}, - "asset_ip": "1.1.1.1",
- "case_id": null,
- "asset_tags": "tag1,tag2",
- "asset_type": {
- "asset_description": "Generic Account",
- "asset_icon_not_compromised": "user.png",
- "asset_name": "Account",
- "asset_id": 1,
- "asset_icon_compromised": "ioc_user.png"
}, - "asset_compromise_status_id": null,
- "custom_attributes": null,
- "analysis_status_id": null,
- "date_added": null,
- "user_id": null,
- "asset_description": "Asset description",
- "asset_name": "My super asset",
- "asset_domain": "",
- "asset_type_id": 1,
- "asset_info": null
}
], - "alert_tags": "defender,anothertag",
- "cases": [ ],
- "alert_creation_time": "2023-05-02T17:31:05.190936",
- "alert_note": "A note on",
- "alert_classification_id": 1,
- "alert_source_content": {
- "_id": "603f704aaf7417985bbf3b22",
- "contextId": "206e2965-6533-48a6-ba9e-794364a84bf9",
- "description": "Contoso user performed 11 suspicious activities MITRE Technique used Account Discovery (T1087) and subtechnique used Domain Account (T1087.002)",
- "entities": [
- {
- "entityRole": "Source",
- "entityType": 2,
- "id": "6204bdaf-ad46-4e99-a25d-374a0532c666",
- "inst": 0,
- "label": "user1",
- "pa": "user1@contoso.com",
- "saas": 11161,
- "type": "account"
}, - {
- "entityRole": "Related",
- "id": "55017817-27af-49a7-93d6-8af6c5030fdb",
- "label": "DC3",
- "type": "device"
}, - {
- "id": 20940,
- "label": "Active Directory",
- "type": "service"
}, - {
- "entityRole": "Related",
- "id": "95c59b48-98c1-40ff-a444-d9040f1f68f2",
- "label": "DC4",
- "type": "device"
}, - {
- "id": "5bfd18bfab73c36ba10d38ca",
- "label": "Honeytoken activity",
- "policyType": "ANOMALY_DETECTION",
- "type": "policyRule"
}, - {
- "entityRole": "Source",
- "id": "34f3ecc9-6903-4df7-af79-14fe2d0d4553",
- "label": "Client1",
- "type": "device"
}, - {
- "entityRole": "Related",
- "id": "d68772fe-1171-4124-9f73-0f410340bd54",
- "label": "DC1",
- "type": "device"
}, - {
- "type": "groupTag",
- "id": "5f759b4d106abbe4a504ea5d",
- "label": "All Users"
}
], - "idValue": 15795464,
- "isSystemAlert": false,
- "resolutionStatusValue": 0,
- "severityValue": 5,
- "statusValue": 1,
- "stories": [
- 0
], - "threatScore": 34,
- "timestamp": 1621941916475,
- "title": "Honeytoken activity",
- "comment": "",
- "handledByUser": "administrator@contoso.com",
- "resolveTime": "2021-05-13T14:02:34.904Z",
}, - "severity": {
- "severity_id": 4,
- "severity_description": "Medium",
- "severity_name": "Medium"
}, - "alert_description": "This is a test alert, courtesy of MS",
- "alert_title": "Low-reputation arbitrary code executed by signed executable",
- "alert_uuid": "dc4c3a17-495e-4ef7-8641-25d4cc986a2f",
- "alert_id": 436,
- "alert_status_id": 3
}
}
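The modification_history object above is keyed by epoch seconds (as strings) and records each field change as an 'updated alert: "field" from "old" to "new", ...' string. That is the audit trail you need when reconstructing who downgraded a severity or reassigned an alert, so here is an added example, not IRIS project code, that turns it into an ordered timeline and splits the action strings into (field, old, new) triples. The sample history is constructed from the entries above with the long values shortened; the regular expression is this example's own and assumes the format shown on this page.

```python
import re
from datetime import datetime, timezone

# Constructed sample, shaped like the modification_history objects in the responses above
# (keys are epoch seconds as strings; the long action strings are shortened here).
SAMPLE_HISTORY = {
    "1683099026.968733": {"user": "administrator", "user_id": 1,
                          "action": 'updated alert: "alert_severity_id" from "2" to "4",'
                                    '"alert_status_id" from "5" to "3"'},
    "1683048665.197759": {"user": "administrator", "user_id": 1, "action": "Alert created"},
}

UPDATE_PREFIX = "updated alert: "
# One '"field" from "old" to "new"' segment. The lookahead stops only at the next segment
# or the end of the string, so old/new values that contain commas are not split.
CHANGE_RE = re.compile(r'"(\w+)" from "(.*?)" to "(.*?)"(?=,"\w+" from |$)', re.DOTALL)


def parse_action(action: str) -> list:
    """Split an 'updated alert: ...' action into (field, old, new) triples; others give []."""
    if not action.startswith(UPDATE_PREFIX):
        return []
    return [m.groups() for m in CHANGE_RE.finditer(action[len(UPDATE_PREFIX):])]


def history_timeline(history: dict) -> list:
    """Order modification_history by time (numerically, not by string key) with UTC stamps."""
    rows = []
    for key, entry in history.items():
        epoch = float(key)
        rows.append({
            "epoch": epoch,
            "at": datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "user": entry.get("user"),
            "user_id": entry.get("user_id"),
            "action": entry["action"],
            "changes": parse_action(entry["action"]),
        })
    rows.sort(key=lambda r: r["epoch"])
    return rows


def fields_changed_by(history: dict, user_id: int) -> list:
    """Fields a given user touched, e.g. to audit who downgraded severity or closed an alert."""
    return sorted({field for row in history_timeline(history) if row["user_id"] == user_id
                   for field, _old, _new in row["changes"]})


if __name__ == "__main__":
    for row in history_timeline(SAMPLE_HISTORY):
        print(row["at"], row["user"], row["changes"] or row["action"])
```

Note that the first key in the sample (1683048665.197759) converts to 2023-05-02T17:31:05Z, which matches the alert_creation_time shown in the same response, a quick way to confirm the server clock the history keys were taken from.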
{- "data": {
- "date_added": "string",
- "file_description": "string",
- "file_hash": "string",
- "file_size": 0,
- "filename": "string",
- "id": 0,
- "custom_attributes": { }
}, - "message": "string",
- "status": "string"
}
Escalate an alert into a new case.
alert_id required | integer Alert ID to escalate |
iocs_import_list | Array of strings A list of UUIDs (the ioc_uuid values) matching the IOCs to import into the case. These UUIDs are returned when getting information on an alert. |
assets_import_list | Array of strings A list of UUIDs (the asset_uuid values) matching the assets to import into the case. These UUIDs are returned when getting information on an alert. |
note | string |
import_as_event | boolean If set to True, a new event representing the alert is created in the case. |
case_tags | string |
case_template_id | string |
case_title | string |
{- "iocs_import_list": [
- "9d28f678-4c41-48a8-babe-66ba789e9072",
- "7a638477-c077-4d59-b96a-e49dac84fbab"
], - "assets_import_list": [
- "bc7a3a2e-6047-452b-b7d1-bbb15addb072",
- "cd7c1d04-3052-4d7a-8ff2-c427fbf60153"
], - "note": "Escalation note",
- "import_as_event": true,
- "case_tags": "Mobile Device Management (MDM) System",
- "case_template_id": "1",
- "case_title": "[ALERT] Command & Control Traffic 15"
}
{- "status": "success",
- "message": "",
- "data": {
- "status_id": 0,
- "modification_history": {
- "1683105409.27874": {
- "user": "administrator",
- "user_id": 1,
- "action": "created"
}
}, - "case_description": "*Alert escalated by administrator*\n\n\n\n### Escalation note\n\nEscalation note\n\n### Alert description\n\nBinaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.\n\n### IRIS alert link\n\n[<i class='fa-solid fa-bell'></i> #179](/alerts?alert_id=179)\nSummary to be set",
- "case_id": 112,
- "closing_note": null,
- "case_customer": 1,
- "custom_attributes": null,
- "classification_id": 13,
- "close_date": null,
- "case_uuid": "33de368a-3723-4c52-9da4-b61cb638d51f",
- "user_id": 1,
- "open_date": "2023-05-03",
- "owner_id": 1,
- "case_soc_id": "179",
- "case_name": "#112 - [PREFIX] [ALERT] Command & Control Traffic 15"
}
}
Merge an alert into an existing case.
alert_id required | integer Alert ID to merge |
iocs_import_list | Array of strings A list of UUIDs (the ioc_uuid values) matching the IOCs to import into the case. These UUIDs are returned when getting information on an alert. |
assets_import_list | Array of strings A list of UUIDs (the asset_uuid values) matching the assets to import into the case. These UUIDs are returned when getting information on an alert. |
note | string |
import_as_event | boolean If set to True, a new event representing the alert is created in the case. |
target_case_id | integer |
{- "iocs_import_list": [
- "def3dd20-fddf-4bb0-8aa1-4fdbd3b5974d",
- "d8a2ca45-0a4e-4000-b234-b3c208d1a430"
], - "assets_import_list": [
- "ffe60fbe-c6ec-4998-bfb5-143260a0cc69",
- "4f089d0d-c112-461b-8d25-daf5759bacfa"
], - "note": "dsa",
- "import_as_event": true,
- "target_case_id": "14"
}
{- "status": "success",
- "message": "",
- "data": {
- "status_id": 0,
- "modification_history": {
- "1682699806.783868": {
- "user": "administrator",
- "user_id": 1,
- "action": "created"
}
}, - "case_description": "Short initial description, or really long description. It's up to you\n\n*Alert [#179](/alerts?alert_id=179) escalated by administrator*\n\n\n\n### Escalation note\n\ndsa\n",
- "case_id": 14,
- "closing_note": null,
- "case_customer": 4,
- "custom_attributes": null,
- "classification_id": 36,
- "close_date": null,
- "case_uuid": "3812dc0a-9b5c-4de6-ae11-6b67e3e3ad5b",
- "user_id": 1,
- "open_date": "2023-04-28",
- "owner_id": 1,
- "case_soc_id": "soc_11",
- "case_name": "#14 - A new case"
}
}
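Both the escalate and the merge endpoints take the IOCs and assets to carry over as lists of UUIDs, which are the ioc_uuid and asset_uuid values from the alert, not the integer ioc_id / asset_id. The following added example, which is not IRIS project code, builds both request bodies from an alert object shaped like the create-alert response, filters out placeholder IOC types, and refuses to send anything that is not a UUID so that a mixed-up identifier fails on the client instead of importing nothing. The sample alert is constructed from the values above, and the "anonymised" exclusion is an illustrative choice.

```python
import uuid

# Constructed sample, shaped like the "data" object returned when an alert is created
# or fetched (ioc_uuid / asset_uuid are the identifiers the import lists expect).
SAMPLE_ALERT = {
    "alert_id": 3826,
    "alert_title": "Low-reputation arbitrary code executed by signed executable",
    "iocs": [
        {"ioc_id": 7651, "ioc_uuid": "1c055831-67bb-4c1b-9e49-c1c0e42301b8",
         "ioc_value": "tarzan5", "ioc_type": {"type_name": "aba-rtn"}},
        {"ioc_id": 7652, "ioc_uuid": "06c0073e-1336-4daa-8321-995116484dd2",
         "ioc_value": "tarzan2", "ioc_type": {"type_name": "anonymised"}},
    ],
    "assets": [
        {"asset_id": 7650, "asset_uuid": "ddf4c674-3853-4cc6-914a-f43f03f426d5",
         "asset_name": "My super asset"},
    ],
}


def _uuid_list(objects: list, key: str) -> list:
    """Collect `key` from each object, refusing anything that is not a UUID string.

    Sending ioc_id / asset_id (integers) instead of the UUIDs is the usual mistake; fail
    on the client side rather than let the server silently import nothing."""
    values = []
    for obj in objects:
        value = str(obj[key])
        uuid.UUID(value)          # ValueError for '7650' or any malformed identifier
        values.append(value)
    return values


def select_iocs(alert: dict, exclude_types=frozenset({"anonymised"})) -> list:
    """Pick the IOCs worth importing; here everything except placeholder types."""
    return [i for i in alert["iocs"] if i["ioc_type"]["type_name"] not in exclude_types]


def build_escalation(alert: dict, note: str, case_template_id=None,
                     case_tags: str = "", import_as_event: bool = True) -> dict:
    """Body for the escalate endpoint (alert_id goes in the URL, not the body)."""
    payload = {
        "iocs_import_list": _uuid_list(select_iocs(alert), "ioc_uuid"),
        "assets_import_list": _uuid_list(alert["assets"], "asset_uuid"),
        "note": note,
        "import_as_event": import_as_event,
        "case_tags": case_tags,
        "case_title": f"[ALERT] {alert['alert_title']}",
    }
    if case_template_id is not None:
        payload["case_template_id"] = str(case_template_id)   # the example sends it as a string
    return payload


def build_merge(alert: dict, target_case_id: int, note: str, import_as_event: bool = True) -> dict:
    """Body for the merge endpoint: same selection, but targeting an existing case."""
    return {
        "iocs_import_list": _uuid_list(select_iocs(alert), "ioc_uuid"),
        "assets_import_list": _uuid_list(alert["assets"], "asset_uuid"),
        "note": note,
        "import_as_event": import_as_event,
        "target_case_id": target_case_id,
    }


if __name__ == "__main__":
    print(build_escalation(SAMPLE_ALERT, "Escalation note", case_template_id=1))
    print(build_merge(SAMPLE_ALERT, 14, "Merged from triage"))
```

Keep import_as_event enabled unless you have a reason not to: the event it creates is what ties the case timeline back to the alert.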
Unmerge an alert from a case. The alert is unlinked, but the data it contributed (IOCs, assets, etc.) remains in the case.
alert_id required | integer Alert ID to unmerge |
target_case_id | integer |
{- "target_case_id": "14"
}
{- "status": "success",
- "message": "",
- "data": {
- "status_id": 0,
- "modification_history": {
- "1682699806.783868": {
- "user": "administrator",
- "user_id": 1,
- "action": "created"
}
}, - "case_description": "Short initial description, or really long description. It's up to you\n\n*Alert [#179](/alerts?alert_id=179) escalated by administrator*\n\n\n\n### Escalation note\n\ndsa\n",
- "case_id": 14,
- "closing_note": null,
- "case_customer": 4,
- "custom_attributes": null,
- "classification_id": 36,
- "close_date": null,
- "case_uuid": "3812dc0a-9b5c-4de6-ae11-6b67e3e3ad5b",
- "user_id": 1,
- "open_date": "2023-04-28",
- "owner_id": 1,
- "case_soc_id": "soc_11",
- "case_name": "#14 - A new case"
}
}
List datastore folders and files. Folders appear as d-NN and files as f-NN keys, nested under children. The listing returns each file's file_password in clear text.
cid required | integer Case ID |
{- "data": {
- "d-48": {
- "children": {
- "d-49": {
- "children": {
- "f-31": {
- "added_by_user_id": 1,
- "file_case_id": 1,
- "file_date_added": "Mon, 20 Mar 2023 15:54:45 GMT",
- "file_description": "dsa",
- "file_id": 31,
- "file_is_evidence": true,
- "file_is_ioc": null,
- "file_local_name": "/Evidences/case-1/dsf-65fc1aa8-aa58-4c02-a12a-bee485e8c30a.zip",
- "file_original_name": "analysis_IrisInitialClient_2023-02-03.md",
- "file_parent_id": 49,
- "file_password": "badpassword",
- "file_sha256": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
- "file_size": 0,
- "file_tags": "asd",
- "file_uuid": "65fc1aa8-aa58-4c02-a12a-bee485e8c30a",
- "modification_history": {
- "1679324085.841901": {
- "action": "created",
- "user": "administrator",
- "user_id": 1
}
}, - "type": "file"
}
}, - "name": "Evidences",
- "type": "directory"
}, - "d-50": {
- "children": { },
- "name": "IOCs",
- "type": "directory"
}, - "d-51": {
- "children": { },
- "name": "Images",
- "type": "directory"
}
}, - "is_root": true,
- "name": "Case 1",
- "type": "directory"
}
}, - "message": "",
- "status": "success"
}
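The listing is a nested tree rather than a flat list, so anything that wants paths, parent ids or an evidence register has to walk it. The following is an added example, not code from the IRIS project, that walks a tree constructed from the response above, maps d-NN keys to folder ids (the numeric part matches file_parent_id in the sample, which this example relies on), and flags two things worth checking before treating the datastore as an evidence record: files whose SHA-256 is the digest of zero bytes, and files that carry a file_password, since the API returns that value in clear text.

```python
# Constructed sample, trimmed from the listing response above (the password value is
# deliberately not a real credential: the API returns file_password in clear text).
SAMPLE_TREE = {
    "d-48": {
        "is_root": True, "name": "Case 1", "type": "directory",
        "children": {
            "d-49": {
                "name": "Evidences", "type": "directory",
                "children": {
                    "f-31": {
                        "type": "file", "file_id": 31, "file_parent_id": 49,
                        "file_original_name": "analysis_IrisInitialClient_2023-02-03.md",
                        "file_is_evidence": True, "file_is_ioc": None,
                        "file_password": "badpassword", "file_size": 0, "file_tags": "asd",
                        "file_sha256": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
                    }
                },
            },
            "d-50": {"name": "IOCs", "type": "directory", "children": {}},
            "d-51": {"name": "Images", "type": "directory", "children": {}},
        },
    }
}

# SHA-256 of zero bytes: a file carrying this digest was stored empty.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def walk_datastore(tree: dict, prefix: str = ""):
    """Yield (path, node) for every file, depth-first, following the nested `children`."""
    for node in tree.values():
        if node.get("type") == "directory":
            yield from walk_datastore(node.get("children", {}), f"{prefix}/{node['name']}")
        elif node.get("type") == "file":
            yield f"{prefix}/{node['file_original_name']}", node


def folder_paths(tree: dict, prefix: str = "") -> dict:
    """Map folder id (the integer behind 'd-NN') to its path, for parent_id / destination-node."""
    out = {}
    for node_id, node in tree.items():
        if node.get("type") == "directory":
            path = f"{prefix}/{node['name']}"
            out[int(node_id.split("-", 1)[1])] = path
            out.update(folder_paths(node.get("children", {}), path))
    return out


def evidence_inventory(tree: dict) -> list:
    """One row per file with the fields an evidence register needs, plus two flags."""
    rows = []
    for path, f in walk_datastore(tree):
        digest = f["file_sha256"].lower()
        rows.append({
            "file_id": f["file_id"], "path": path, "sha256": digest, "size": f["file_size"],
            "is_evidence": bool(f.get("file_is_evidence")),
            "empty": digest == EMPTY_SHA256,               # upload failed or was truncated
            "has_password": bool(f.get("file_password")),  # returned in clear text here
        })
    return rows


def findings(tree: dict) -> list:
    """Human-readable issues to raise before relying on the datastore as an evidence record."""
    out = []
    for row in evidence_inventory(tree):
        if row["is_evidence"] and row["empty"]:
            out.append(f"{row['path']} (file_id {row['file_id']}) is marked evidence but is empty")
        if row["has_password"]:
            out.append(f"{row['path']} has a file_password that the API returns in clear text")
    return out


if __name__ == "__main__":
    print(folder_paths(SAMPLE_TREE))
    for line in findings(SAMPLE_TREE):
        print("-", line)
```

The sample file in the page's own listing trips both checks: its size is 0, its digest is the empty-input SHA-256, and it has a password set.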
Add a new file to the datastore. The file password is not encrypted: it is stored in clear text, returned in file information and listing responses (see file_password in the examples), and transmitted in view requests, so do not reuse a password that protects anything else.
parent_id required | integer Parent folder ID |
-----------------------------139681927112990666592379500992
Content-Disposition: form-data; name="file_original_name"
the_original_filename
-----------------------------139681927112990666592379500992
Content-Disposition: form-data; name="file_description"
File description
-----------------------------139681927112990666592379500992
Content-Disposition: form-data; name="file_password"
FilePassword
-----------------------------139681927112990666592379500992
Content-Disposition: form-data; name="file_tags"
tag1,tag2
-----------------------------139681927112990666592379500992
Content-Disposition: form-data; name="file_is_evidence"
y
-----------------------------139681927112990666592379500992
Content-Disposition: form-data; name="file_content"; filename="new filename"
Content-Type: text/markdown
File Content
-----------------------------139681927112990666592379500992--
file_original_name | string |
file_description | string |
file_password | string |
file_tags | string |
file_is_evidence | string |
file_content | string |
{- "data": {
- "added_by_user_id": 1,
- "file_case_id": 1,
- "file_date_added": "2023-03-20T15:54:45.841847",
- "file_description": "dsa",
- "file_id": 31,
- "file_is_evidence": true,
- "file_is_ioc": null,
- "file_local_name": "/Evidences/case-1/dsf-65fc1aa8-aa58-4c02-a12a-bee485e8c30a.zip",
- "file_original_name": "Analysis_IrisInitialClient_2023-02-03.md",
- "file_parent_id": 49,
- "file_password": "file_password",
- "file_sha256": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
- "file_size": 0,
- "file_tags": "asd",
- "file_uuid": "65fc1aa8-aa58-4c02-a12a-bee485e8c30a",
- "modification_history": {
- "1679324085.841901": {
- "action": "created",
- "user": "administrator",
- "user_id": 1
}
}
}, - "message": "File saved in datastore and added in evidence",
- "status": "success"
}
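The request sample above is a multipart/form-data body with the text fields first and the file in a part named file_content, and the response echoes a file_sha256. Here is an added example, not IRIS project code, that builds that body by hand with the standard library, neutralises quote and line-break characters in the filename so that a hostile original name cannot break out of its Content-Disposition header, and compares the server's digest with one computed locally before trusting the upload. The base URL, API key location, the path /datastore/file/add/{parent_id} and the bearer auth scheme are assumptions; the field names and the 'y' flag value are the ones in the sample.

```python
import hashlib
import json
import os
import urllib.request
import uuid
from typing import Callable, Optional

IRIS_URL = os.environ.get("IRIS_URL", "https://iris.example.invalid")          # assumption
IRIS_API_KEY = os.environ.get("IRIS_API_KEY", "replace-with-your-api-key")     # assumption
DATASTORE_ADD_PATH = "/datastore/file/add/{parent_id}"                         # assumed path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _safe_token(value: str) -> str:
    """Neutralise characters that would break out of a multipart header."""
    return value.replace("\r", "").replace("\n", "").replace('"', "%22")


def build_multipart(fields: dict, file_field: str, filename: str, content: bytes,
                    content_type: str = "application/octet-stream"):
    """Encode text fields plus one file part the way the request sample above is laid out."""
    boundary = "----iris-" + uuid.uuid4().hex
    parts = []
    for name, value in fields.items():
        parts.append((f"--{boundary}\r\nContent-Disposition: form-data; "
                      f'name="{_safe_token(name)}"\r\n\r\n{value}\r\n').encode())
    parts.append((f"--{boundary}\r\nContent-Disposition: form-data; "
                  f'name="{_safe_token(file_field)}"; filename="{_safe_token(filename)}"\r\n'
                  f"Content-Type: {content_type}\r\n\r\n").encode() + content + b"\r\n")
    parts.append(f"--{boundary}--\r\n".encode())
    return b"".join(parts), f"multipart/form-data; boundary={boundary}"


def upload_file(cid: int, parent_id: int, filename: str, content: bytes, description: str = "",
                tags: str = "", password: str = "", is_evidence: bool = True,
                transport: Optional[Callable[[urllib.request.Request], bytes]] = None) -> dict:
    """Upload one file and verify the server-side digest against the local one."""
    fields = {"file_original_name": filename, "file_description": description, "file_tags": tags}
    if is_evidence:
        fields["file_is_evidence"] = "y"       # the sample sends 'y'; omit the field otherwise
    if password:
        # Stored and echoed back unencrypted by the API: never reuse a credential here.
        fields["file_password"] = password
    body, content_type = build_multipart(fields, "file_content", filename, content)
    req = urllib.request.Request(
        f"{IRIS_URL}{DATASTORE_ADD_PATH.format(parent_id=parent_id)}?cid={cid}",
        data=body, method="POST",
        headers={"Authorization": f"Bearer {IRIS_API_KEY}", "Content-Type": content_type},
    )
    send = transport or (lambda r: urllib.request.urlopen(r, timeout=60).read())
    resp = json.loads(send(req))
    if resp.get("status") != "success":
        raise RuntimeError(f"upload rejected: {resp.get('message')!r}")
    data = resp["data"]
    local, remote = sha256_hex(content), str(data.get("file_sha256", "")).lower()
    if local != remote:
        raise RuntimeError(f"digest mismatch: sent {local}, server stored {remote}")
    return data


if __name__ == "__main__":
    body, ctype = build_multipart({"file_description": "demo"}, "file_content", "notes.md", b"# notes\n")
    print(ctype)
    print(body.decode())
```

The digest check is what turns the response's file_sha256 into something useful: the page's own sample response carries the SHA-256 of zero bytes with file_size 0, exactly the kind of silently empty upload this comparison catches.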
Get a datastore file information. To download a file, use the /datastore/file/view endpoint.
file_id required | integer File ID |
{- "data": {
- "added_by_user_id": 1,
- "file_case_id": 1,
- "file_date_added": "2023-03-20T15:54:45.841847",
- "file_description": "dsa",
- "file_id": 31,
- "file_is_evidence": true,
- "file_is_ioc": null,
- "file_original_name": "analysis_IrisInitialClient_2023-02-03.md",
- "file_parent_id": 49,
- "file_password": "file_password",
- "file_sha256": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
- "file_size": 0,
- "file_tags": "asd",
- "file_uuid": "65fc1aa8-aa58-4c02-a12a-bee485e8c30a",
- "modification_history": {
- "timestamp": {
- "action": "created",
- "user": "administrator",
- "user_id": 1
}
}
}, - "message": "",
- "status": "success"
}
Update a datastore file. The file content can be replaced. If a password was previously set, it is removed and cannot be re-enabled. The file identifiers stay the same.
file_id required | integer File ID |
-----------------------------139681927112990666592379500992
Content-Disposition: form-data; name="file_original_name"
the_original_filename
-----------------------------139681927112990666592379500992
Content-Disposition: form-data; name="file_description"
File description
-----------------------------139681927112990666592379500992
Content-Disposition: form-data; name="file_tags"
tag1,tag2
-----------------------------139681927112990666592379500992
Content-Disposition: form-data; name="file_is_evidence"
y
-----------------------------139681927112990666592379500992
Content-Disposition: form-data; name="file_is_ioc"
y
-----------------------------139681927112990666592379500992
Content-Disposition: form-data; name="file_content"; filename="new filename"
Content-Type: text/markdown
File Content
-----------------------------139681927112990666592379500992--
{ }
{- "data": {
- "added_by_user_id": 1,
- "file_case_id": 1,
- "file_date_added": "2023-03-20T15:54:45.841847",
- "file_description": "dsa",
- "file_id": 31,
- "file_is_evidence": true,
- "file_is_ioc": null,
- "file_local_name": "/Evidences/case-1/dsf-65fc1aa8-aa58-4c02-a12a-bee485e8c30a.zip",
- "file_original_name": "nalysis_IrisInitialClient_2023-02-03.md",
- "file_parent_id": 49,
- "file_password": "eqeq",
- "file_sha256": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
- "file_size": 0,
- "file_tags": "asd",
- "file_uuid": "65fc1aa8-aa58-4c02-a12a-bee485e8c30a",
- "modification_history": {
- "1679324085.841901": {
- "action": "created",
- "user": "administrator",
- "user_id": 1
}
}
}, - "message": "File saved in datastore and added in evidence",
- "status": "success"
}
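The update above is a multipart/form-data request, and the response echoes the hash and size the datastore recorded. The following is an added example (not code from the IRIS reference or the IRIS project) that assembles that body with the standard library only, refuses field and file names that could forge extra parts, and compares the returned `file_sha256`, `file_size` and `file_password` against the bytes you uploaded. The boundary value, the sample response (trimmed from the page) and the assumption that `file_sha256` is a hex SHA-256 digest are this example's; nothing is sent over the network.

```python
import hashlib

# The body delimiter lines are "--" + boundary, which reproduces the
# "-----------------------------1396..." lines of the sample above (value assumed arbitrary).
BOUNDARY = "---------------------------139681927112990666592379500992"

# Constructed from the reference's sample response to the datastore file update.
SAMPLE_UPDATE_RESPONSE = {
    "data": {
        "file_id": 31,
        "file_original_name": "analysis_IrisInitialClient_2023-02-03.md",
        "file_password": "eqeq",
        "file_sha256": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
        "file_size": 0,
    },
    "message": "File saved in datastore and added in evidence",
    "status": "success",
}


def safe_token(value: str, what: str) -> str:
    # A quote or line break inside a field or file name would terminate the part
    # header early and let the value forge extra parts; refuse rather than escape.
    if any(ch in value for ch in '"\r\n'):
        raise ValueError(f"{what} contains characters that are unsafe in a multipart header")
    return value


def build_update_body(fields: dict, file_name: str, content: bytes,
                      content_type: str = "application/octet-stream",
                      boundary: str = BOUNDARY) -> bytes:
    """Assemble the multipart/form-data body for the datastore file update.

    `fields` holds the text parts (file_original_name, file_description, file_tags,
    file_is_evidence, file_is_ioc); the file itself goes in the file_content part.
    """
    parts = []
    for name, value in fields.items():
        name = safe_token(name, "field name")
        if boundary in str(value):
            raise ValueError("field value contains the boundary string")
        parts.append(f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'.encode())
    file_name = safe_token(file_name, "file name")
    if boundary.encode() in content:
        raise ValueError("file content contains the boundary string; pick another boundary")
    header = (f'--{boundary}\r\nContent-Disposition: form-data; name="file_content"; '
              f'filename="{file_name}"\r\nContent-Type: {content_type}\r\n\r\n')
    parts.append(header.encode() + content + b"\r\n")
    parts.append(f"--{boundary}--\r\n".encode())
    return b"".join(parts)


def content_type_header(boundary: str = BOUNDARY) -> str:
    """Value to send in the Content-Type request header alongside the body."""
    return f"multipart/form-data; boundary={boundary}"


def verify_datastore_file(response: dict, content: bytes) -> list:
    """Compare what the server recorded with the bytes that were uploaded.

    Returns human-readable discrepancies; an empty list means the record matches.
    """
    data = response.get("data") or {}
    problems = []
    if response.get("status") != "success":
        problems.append(f"server status {response.get('status')!r}: {response.get('message')}")
    local_digest = hashlib.sha256(content).hexdigest()
    # IRIS reports the digest in upper case; compare case-insensitively.
    if (data.get("file_sha256") or "").lower() != local_digest:
        problems.append(f"sha256 mismatch: server {data.get('file_sha256')}, local {local_digest.upper()}")
    if data.get("file_size") != len(content):
        problems.append(f"size mismatch: server {data.get('file_size')}, local {len(content)}")
    # The reference says an update drops a previously set password; a value here
    # means the record still carries one, so the file's protection should be re-checked.
    if data.get("file_password"):
        problems.append("file_password is still set after the update")
    return problems
```

Run `verify_datastore_file` on every upload you rely on as evidence: the sample response above carries the SHA-256 of empty content and `file_size` 0, so anything you actually uploaded would be flagged, and the lingering `file_password` is reported as well.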
Move a file to a new folder.
file_id required | string |
destination-node | integer |
{- "destination-node": 0
}
{- "data": [ ],
- "message": "File successfully moved to IOCs",
- "status": "success"
}
Add a new datastore folder.
folder_name | string |
parent_node | integer |
{- "folder_name": "string",
- "parent_node": 0
}
{- "data": {
- "case": null,
- "path_case_id": 1,
- "path_id": 54,
- "path_is_root": false,
- "path_name": "string",
- "path_parent_id": 48,
- "path_uuid": "90413f42-c495-4eff-928b-c4a321128595",
- "registry": null
}, - "message": "Folder added",
- "status": "success"
}
Rename a datastore folder.
folder_id required | string |
cid | integer Case ID |
parent_node | string |
folder_name | string |
{- "parent_node": "53",
- "folder_name": "New folder name"
}
{- "data": {
- "case": null,
- "path_case_id": 1,
- "path_id": 53,
- "path_is_root": false,
- "path_name": "New folder name",
- "path_parent_id": 49,
- "path_uuid": "61af71c7-4c7b-4d29-a4c5-825f415b3e06",
- "registry": null
}, - "message": "Folder renamed",
- "status": "success"
}
Move a folder to a new folder.
folder_id required | integer Folder ID |
destination-node | integer |
{- "destination-node": 49
}
{- "data": {
- "case": null,
- "path_case_id": 1,
- "path_id": 53,
- "path_is_root": false,
- "path_name": "New folder name",
- "path_parent_id": 49,
- "path_uuid": "61af71c7-4c7b-4d29-a4c5-825f415b3e06",
- "registry": null
}, - "message": "Folder \"New folder name\" successfully moved to \"Evidences\"",
- "status": "success"
}
Add a new comment to a case object.
object_name required | string Enum: "notes" "assets" "ioc" "events" "tasks" "evidences" Name of the case object to comment |
object_id required | integer ID of the object to comment |
comment_text | string |
{- "comment_text": "string"
}
{- "data": [
- {
- "comment_date": "Mon, 20 Mar 2023 17:12:06 GMT",
- "comment_id": 12,
- "comment_text": "No ",
- "comment_update_date": "Mon, 20 Mar 2023 17:12:06 GMT",
- "comment_uuid": "f43d28a7-cd07-48ec-a602-26e0ce21743b",
- "name": "administrator",
- "user": "administrator"
}
], - "message": "",
- "status": "success"
}
List the comments of a case object.
object_name required | string Enum: "notes" "assets" "ioc" "events" "tasks" "evidences" Name of the case object whose comments are listed |
object_id required | integer ID of the object |
{- "data": [
- {
- "comment_date": "Mon, 20 Mar 2023 17:12:06 GMT",
- "comment_id": 12,
- "comment_text": "No ",
- "comment_update_date": "Mon, 20 Mar 2023 17:12:06 GMT",
- "comment_uuid": "f43d28a7-cd07-48ec-a602-26e0ce21743b",
- "name": "administrator",
- "user": "administrator"
}
], - "message": "",
- "status": "success"
}
Delete a comment.
object_name required | string Enum: "notes" "assets" "ioc" "events" "tasks" "evidences" Name of the case object the comment belongs to |
object_id required | integer ID of the object to comment |
comment_id required | integer ID of the comment to update |
{- "data": [ ],
- "message": "Comment deleted",
- "status": "success"
}
Edit a comment
object_name required | string Name of the case object to comment |
object_id required | integer ID of the object to comment |
comment_id required | integer ID of the comment to update |
comment_text | string |
{- "comment_text": "string"
}
{- "data": {
- "comment_case_id": 153,
- "comment_date": "2023-03-20T16:18:27.752242",
- "comment_id": 57,
- "comment_text": "dsadasada",
- "comment_update_date": "2023-03-20T16:21:06.358208",
- "comment_user_id": 11,
- "comment_uuid": "ff14db70-b328-4f0e-9f60-bc6eb4157a8f"
}, - "message": "Comment edited",
- "status": "success"
}
This endpoint is deprecated. Use /dim/tasks/list/
{- "data": [
- {
- "case": "string",
- "date_done": "string",
- "module": "string",
- "state": "string",
- "task_id": "string",
- "user": "string"
}
], - "message": "string",
- "status": "string"
}
List all manual hooks available for a particular case object.
Available object types are:
The returned information can be provided to the /dim/hooks/call
endpoint to trigger a hook.
object_type required | string Object type |
{- "data": [
- {
- "hook_name": "on_manual_trigger_ioc",
- "manual_hook_ui_name": "Get VT insight",
- "module_name": "iris_vt_module"
}
], - "message": "",
- "status": "success"
}
Execute a manual trigger on a specified hook. This triggers the hook exactly as the GUI would. Only manual hooks are concerned, and each call triggers one specific hook of one specific module, as given in the request.
To get a list of all available hooks for a case object, use the /dim/hooks/options/<type>/list
endpoint.
cid required | integer Case ID |
hook_name required | string non-empty Internal name of the hook as specified in the hook documentation. |
module_name required | string non-empty Name of the module to call |
hook_ui_name required | string non-empty UI name of the hook, either auto generated by IRIS or provided by the module itself. |
type required | string non-empty Type of data processed by the hook (ioc, asset, etc) |
targets required | Array of objects List of objects ID of type "type" to process |
{- "hook_name": "on_manual_trigger_ioc",
- "module_name": "iris_vt_module",
- "hook_ui_name": "Get VT insight",
- "type": "ioc",
- "targets": [
- 10
]
}
{- "data": {
- "tasks": [
- {
- "status_bscolor": "danger",
- "status_name": "To do",
- "task_assignee_id": 6,
- "task_description": "",
- "task_id": 5,
- "task_last_update": "Wed, 19 Jan 2022 12:51:22 GMT",
- "task_status_id": 14,
- "task_tags": "",
- "task_title": "Generate a mid-term report",
- "user_name": "forensicator"
}, - {
- "status_bscolor": "danger",
- "status_name": "To do",
- "task_assignee_id": 1,
- "task_description": "Analyse the sysvol",
- "task_id": 7,
- "task_last_update": "Wed, 19 Jan 2022 15:23:24 GMT",
- "task_status_id": 14,
- "task_tags": "",
- "task_title": "SYSVOL analysis",
- "user_name": "administrator"
}
], - "tasks_status": [
- {
- "id": 14,
- "status_bscolor": "danger",
- "status_description": "",
- "status_name": "To do"
}, - {
- "id": 15,
- "status_bscolor": "warning",
- "status_description": "",
- "status_name": "In progress"
}, - {
- "id": 16,
- "status_bscolor": "muted",
- "status_description": "",
- "status_name": "On hold"
}, - {
- "id": 17,
- "status_bscolor": "success",
- "status_description": "",
- "status_name": "Done"
}, - {
- "id": 18,
- "status_bscolor": "muted",
- "status_description": "",
- "status_name": "Canceled"
}
]
}, - "message": "",
- "status": "success"
}
Add a global task and assign it to a user.
task_assignee_id required | integer A user ID for whom the task will be assigned |
task_status_id required | integer The initial status of the task |
task_title required | string >= 2 characters |
task_description required | string |
task_tags required | string |
{- "task_assignee_id": 1,
- "task_status_id": 14,
- "task_title": "Task title",
- "task_description": "My task description",
- "task_tags": ""
}
{- "data": {
- "task_assignee_id": 1,
- "task_close_date": null,
- "task_description": "My task description",
- "task_id": 9,
- "task_last_update": "2022-01-21T17:07:10.005200",
- "task_open_date": "2022-01-21T17:07:10.005183",
- "task_status_id": 15,
- "task_tags": "",
- "task_title": "Task title",
- "task_userid_close": null,
- "task_userid_open": null,
- "task_userid_update": 1
}, - "message": "Saved !",
- "status": "success"
}
Update a global task.
task_id required | string Global task ID to update |
task_assignee_id required | integer |
task_status_id required | integer |
task_title required | string non-empty |
task_description required | string non-empty |
task_tags required | string non-empty |
cid | integer |
{- "task_assignee_id": 155,
- "task_status_id": 14,
- "task_title": "Task title",
- "task_description": "A super description",
- "task_tags": "tag1,tag2,tag3",
- "cid": 1
}
{- "data": {
- "task_assignee_id": 0,
- "task_close_date": "string",
- "task_description": "string",
- "task_id": 0,
- "task_last_update": "string",
- "task_open_date": "string",
- "task_status_id": 0,
- "task_tags": "string",
- "task_title": "string",
- "task_userid_close": 0,
- "task_userid_open": 0,
- "task_userid_update": 0
}, - "message": "string",
- "status": "string"
}
Create a new immediate case. If cid is not set, a default case ID 1 is used. This does not change the behavior of the request and is only used for internal tracking.
case_soc_id required | string non-empty A SOC ticket reference |
case_customer required | number The customer ID linked to the case. |
case_name required | string >= 2 characters A short name for the case. The case number will be prepended. |
case_description required | string >= 2 characters A short description of the case. This will be the summary of the case. |
cid | integer Context case ID. If not set, a default case is used. |
custom_attributes | object |
case_template_id | integer |
classification_id | integer |
{- "case_soc_id": "SOC_154",
- "case_customer": 1,
- "case_name": "My Case API",
- "case_description": "A super nice description"
}
{- "data": {
- "case_customer": 1,
- "case_description": "A super nice description",
- "case_id": 41,
- "case_name": "#41 - My Case API",
- "case_soc_id": "SOC_154",
- "custom_attributes": null,
- "close_date": null,
- "open_date": "2022-01-20",
- "user_id": 1
}, - "message": "Case created",
- "status": "success"
}
Returns a list of all the cases, open and closed.
{- "status": "success",
- "message": "",
- "data": [
- {
- "case_name": "#1 - Initial Demo",
- "case_description": "This is a demonstration.",
- "client_name": "IrisInitialClient",
- "case_open_date": "05/11/2023",
- "case_close_date": "",
- "case_soc_id": "soc_id_demo",
- "opened_by_user_id": 1,
- "opened_by": "administrator",
- "owner_id": 1,
- "owner": "administrator",
- "case_id": 1,
- "case_uuid": "507a5fab-358a-4946-82d0-625ef8a9fa0d",
- "classification_id": null,
- "classification": null,
- "state_id": null,
- "state_name": null,
- "access_level": 4
}, - {
- "case_name": "#2 - [ALERT] Data Exfiltration 2208",
- "case_description": "*Alert escalated by administrator*\n\n### Alert description\n\nSensitive data has been detected leaving the network.\n\n### IRIS alert link\n\n[<i class='fa-solid fa-bell'></i> #2209](/alerts?alert_id=2209)",
- "client_name": "IrisInitialClient",
- "case_open_date": "05/12/2023",
- "case_close_date": "",
- "case_soc_id": "2209",
- "opened_by_user_id": 1,
- "opened_by": "administrator",
- "owner_id": 1,
- "owner": "administrator",
- "case_id": 2,
- "case_uuid": "4ee6ceb6-41a3-4400-8234-f2b60a2a22dd",
- "classification_id": 4,
- "classification": "malicious-code:virus",
- "state_id": 3,
- "state_name": "Opened",
- "access_level": 4
}, - {
- "case_name": "#3 - [ALERT] Insider Threat 1412",
- "case_description": "*Alert escalated by administrator*\n\n### Alert description\n\nSuspicious activity from an internal user has been detected.\n\n### IRIS alert link\n\n[<i class='fa-solid fa-bell'></i> #1413](/alerts?alert_ids=1413)",
- "client_name": "IrisInitialClient",
- "case_open_date": "05/12/2023",
- "case_close_date": "",
- "case_soc_id": "1413",
- "opened_by_user_id": 1,
- "opened_by": "administrator",
- "owner_id": 1,
- "owner": "administrator",
- "case_id": 3,
- "case_uuid": "ccc8c45e-6fc0-49de-8966-c1c58fd7bb25",
- "classification_id": 3,
- "classification": "abusive-content:violence",
- "state_id": 3,
- "state_name": "Opened",
- "access_level": 4
}, - {
- "case_name": "#4 - test",
- "case_description": "test",
- "client_name": "IrisInitialClient",
- "case_open_date": "05/12/2023",
- "case_close_date": "",
- "case_soc_id": "",
- "opened_by_user_id": 1,
- "opened_by": "administrator",
- "owner_id": 1,
- "owner": "administrator",
- "case_id": 4,
- "case_uuid": "b0d28c89-cfd9-4999-8cb2-8cc10f300151",
- "classification_id": 9,
- "classification": "malicious-code:dialer",
- "state_id": 2,
- "state_name": "In progress",
- "access_level": 4
}
]
}
This endpoint is deprecated - use the POST equivalent.
case_id required | integer Case ID |
{- "data": {
- "case_customer": 105,
- "case_description": "A super description",
- "case_id": 42,
- "case_name": "#42 - My case",
- "case_soc_id": "SOC_142",
- "close_date": "2022-01-20",
- "open_date": "2022-01-20",
- "user_id": 1
}, - "message": "Case closed successfully",
- "status": "success"
}
This endpoint is deprecated. Use the POST equivalent.
case_id required | integer Case ID |
{- "data": {
- "case_customer": 26,
- "case_description": "Testing case number6",
- "case_id": 8,
- "case_name": "Test 6",
- "case_soc_id": "SOC6",
- "close_date": null,
- "open_date": "2021-10-19",
- "user_id": 52
}, - "message": "Case reopened successfully",
- "status": "success"
}
Delete a case. This deletes everything linked to the case, including the summary, assets, notes, timeline, tasks and evidences. IOCs are only deleted if they are not referenced in another case.
case_id required | integer Case ID |
{- "data": [ ],
- "message": "Case successfully deleted",
- "status": "success"
}
Update the information of a case.
case_id required | integer Case ID |
case_name | string |
case_soc_id | string |
classification_id | string |
owner_id | string |
state_id | string |
status_id | string |
protagonists | Array of objects |
case_tags | string |
custom_attributes | object |
{- "case_name": "Dummy ",
- "case_soc_id": "soc_id_demo",
- "classification_id": "2",
- "owner_id": "2",
- "status_id": "1",
- "protagonists": [
- {
- "role": "Lead",
- "name": "administrator",
- "contact": "administrator@iris.local"
}
], - "case_tags": "tag1,tag2",
- "custom_attributes": { }
}
{- "status": "success",
- "message": "Case updated",
- "data": {
- "case_tags": "tag1,tag2",
- "case_name": "#1 - Dummy ",
- "custom_attributes": { },
- "case_soc_id": "soc_id_demo",
- "status_id": 1,
- "open_date": "2023-05-11",
- "case_id": 1,
- "modification_history": {
- "1683900741.546554": {
- "user": "administrator",
- "user_id": 1,
- "action": "case closed"
}, - "1683901251.748556": {
- "user": "administrator",
- "user_id": 1,
- "action": "case reopened"
}, - "1683902199.288591": {
- "user": "administrator",
- "user_id": 1,
- "action": "case info updated"
}
}, - "user_id": 1,
- "case_uuid": "507a5fab-358a-4946-82d0-625ef8a9fa0d",
- "protagonists": [
- {
- "role": "Lead",
- "name": "administrator",
- "contact": "administrator@iris.local"
}
], - "case_description": "This is a demonstration.",
- "closing_note": null,
- "close_date": null,
- "classification_id": 2,
- "owner_id": 1,
- "state_id": 3,
- "case_customer": 1
}
}
Close a case. The case is then listed under closed cases; that is the only difference from an open case. It stays editable and searchable.
case_id required | integer Case ID |
{- "status": "success",
- "message": "Case closed successfully",
- "data": {
- "case_uuid": "507a5fab-358a-4946-82d0-625ef8a9fa0d",
- "case_id": 1,
- "case_name": "#1 - Initial Demo",
- "closing_note": null,
- "user_id": 1,
- "owner_id": 1,
- "case_customer": 1,
- "status_id": 0,
- "case_soc_id": "soc_id_demo",
- "open_date": "2023-05-11",
- "modification_history": {
- "1683900741.546554": {
- "user": "administrator",
- "user_id": 1,
- "action": "case closed"
}
}, - "custom_attributes": null,
- "close_date": "2023-05-12",
- "case_description": "This is a demonstration.",
- "state_id": 9,
- "classification_id": null
}
}
Reopen a case previously closed. A case can be reopened even if it is not closed.
case_id required | integer Case ID |
{- "status": "string",
- "message": "string",
- "data": {
- "case_uuid": "string",
- "case_id": 0,
- "case_name": "string",
- "closing_note": null,
- "user_id": 0,
- "owner_id": 0,
- "case_customer": 0,
- "status_id": 0,
- "case_soc_id": "string",
- "open_date": "string",
- "modification_history": { },
- "custom_attributes": null,
- "close_date": null,
- "case_description": "string",
- "state_id": 0,
- "classification_id": null
}
}
List customers
cid | integer Case ID |
{- "data": [
- {
- "customer_description": "New customer description",
- "customer_id": 1,
- "customer_name": "New customer",
- "customer_sla": "New customer SLA",
- "customer_uuid": "ad6d9fd2-a149-45b7-9209-ca558df7b03f"
}, - {
- "customer_description": null,
- "customer_id": 10,
- "customer_name": "IrisInitialClient",
- "customer_sla": null,
- "customer_uuid": "43a20fd8-1012-48ac-9dff-cdf5b6334c76"
}
], - "message": "",
- "status": "success"
}
Get a customer
customer_id required | string |
cid | integer Case ID |
{- "data": {
- "contacts": [
- {
- "client_id": 1,
- "contact_email": "contact@iris.local",
- "contact_mobile_phone": "2222222",
- "contact_name": "New contact",
- "contact_note": "Notes on the customer",
- "contact_role": "Manager",
- "contact_uuid": "e42a5db2-763b-405b-95e4-5c75a4ec7110",
- "contact_work_phone": "1111111",
- "custom_attributes": null,
- "id": 1
}, - {
- "client_id": 1,
- "contact_email": "contact@iris.local",
- "contact_mobile_phone": "2222222",
- "contact_name": "New contact",
- "contact_note": "Notes on the contact",
- "contact_role": "Manager",
- "contact_uuid": "950337e3-938f-485b-b1c7-1d44c7bfc252",
- "contact_work_phone": "1111111",
- "custom_attributes": null,
- "id": 2
}
], - "customer_description": "New customer description",
- "customer_id": 1,
- "customer_name": "New customer",
- "customer_sla": "New customer SLA",
- "customer_uuid": "ad6d9fd2-a149-45b7-9209-ca558df7b03f"
}, - "message": "",
- "status": "success"
}
Add a new customer that will be available at case creation.
customer_name required | string |
customer_description required | string |
customer_sla required | string |
custom_attributes required | object |
{- "customer_name": "New customer",
- "customer_description": "New customer description",
- "customer_sla": "New customer SLA",
- "custom_attributes": { }
}
{- "data": {
- "client_uuid": "d274194f-0e74-4ae5-9610-e2bf9735f10c",
- "creation_date": "2023-03-20T13:25:57.930469",
- "custom_attributes": { },
- "customer_description": "fds",
- "customer_id": 8,
- "customer_name": "fsd",
- "customer_sla": "fds",
- "last_update_date": "2023-03-20T13:25:57.930469"
}, - "message": "Added successfully",
- "status": "success"
}
Update an existing customer. The new customer name should be one which is not already taken.
customer_id required | integer Customer ID to update |
customer_name | string |
customer_description | string |
customer_sla | string |
custom_attributes | object |
{- "customer_name": "New customer",
- "customer_description": "New customer description",
- "customer_sla": "New customer SLA",
- "custom_attributes": { }
}
{- "data": {
- "client_uuid": "ad6d9fd2-a149-45b7-9209-ca558df7b03f",
- "creation_date": "2023-03-06T08:24:16.671619",
- "custom_attributes": { },
- "customer_description": "New customer description",
- "customer_id": 1,
- "customer_name": "New customer",
- "customer_sla": "New customer SLA",
- "last_update_date": "2023-03-06T08:24:16.671619"
}, - "message": "Customer updated",
- "status": "success"
}
Delete a customer. A customer can be deleted only if it is not referenced by any case; to delete a referenced customer, every referencing case must be deleted first.
customer_id required | integer ID of the customer to delete |
{- "data": [ ],
- "message": "Deleted successfully",
- "status": "success"
}
Add a new customer contact.
customer_id required | integer ID of the customer |
cid required | integer Case ID |
contact_name | string |
contact_role | string |
contact_email | string |
contact_work_phone | string |
contact_mobile_phone | string |
contact_note | string |
{- "contact_name": "New contact",
- "contact_role": "Manager",
- "contact_email": "contact@iris.local",
- "contact_work_phone": "1111111",
- "contact_mobile_phone": "2222222",
- "contact_note": "Notes on the contact"
}
{- "data": [ ],
- "message": "Deleted successfully",
- "status": "success"
}
Update a customer contact.
customer_id required | integer ID of the customer |
contact_id required | string ID of the contact |
cid required | integer Case ID |
contact_name | string |
contact_role | string |
contact_email | string |
contact_work_phone | string |
contact_mobile_phone | string |
contact_note | string |
{- "contact_name": "New contact",
- "contact_role": "Manager",
- "contact_email": "contact@iris.local",
- "contact_work_phone": "1111111",
- "contact_mobile_phone": "2222222",
- "contact_note": "Notes on the contact"
}
{- "data": {
- "client_id": 1,
- "contact_email": "contact@iris.local",
- "contact_mobile_phone": "2222222",
- "contact_name": "New contact",
- "contact_note": "Notes on the contact",
- "contact_role": "Manager",
- "contact_uuid": "950337e3-938f-485b-b1c7-1d44c7bfc252",
- "contact_work_phone": "1111111",
- "custom_attributes": null,
- "id": 2
}, - "message": "Added successfully",
- "status": "success"
}
Delete a user. Only users that have never performed any activity can be deleted; this prevents internal logic errors and keeps track of every past activity.
Requires administrator role.
user_id required | integer User ID |
cid required | integer Case ID |
{- "data": [ ],
- "message": "Cannot delete active user",
- "status": "error"
}
Update a user. Requires administrator role.
user_id required | integer User ID |
cid required | integer Case ID |
user_name | string |
user_login | string |
user_email | string |
user_password | string |
{- "user_name": "string",
- "user_login": "string",
- "user_email": "string",
- "user_password": "string"
}
{- "data": {
- "active": true,
- "external_id": null,
- "has_deletion_confirmation": true,
- "id": 0,
- "in_dark_mode": null,
- "user_email": "string",
- "user_id": 0,
- "user_login": "string",
- "user_name": "string",
- "user_password": "string",
- "uuid": "string"
}, - "message": "string",
- "status": "string"
}
Add a user. Administrator role required.
user_name required | string non-empty |
user_login required | string non-empty Has to be unique |
user_email required | string non-empty Has to be unique |
user_password | string non-empty Must satisfy the password policy: 12 characters, 1 uppercase letter, 1 number |
user_is_service_account | boolean |
{- "user_name": "string",
- "user_login": "string",
- "user_email": "string",
- "user_password": "string",
- "user_is_service_account": true
}
{- "status": "success",
- "message": "user created",
- "data": {
- "user_is_service_account": true,
- "user_name": "strsinsg",
- "has_deletion_confirmation": false,
- "uuid": "bb807755-62fa-412b-b242-fd930a24be13",
- "active": true,
- "user_login": "strsing",
- "user_email": "stringa",
- "id": 4,
- "in_dark_mode": null,
- "external_id": null,
- "has_mini_sidebar": false,
- "user_api_key": "ViYIIkN_LL062yNOcq2kJA3ZMscOAoHmLy8GEh_JYKBWwspLB_E65jhYLg9CsR0J-kP8DmmM3RO31_xixrG8rw"
}
}
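Two things about the user creation call deserve a check on the client side: the password policy stated above is enforced by the server, so a request that fails it costs a round trip, and the response returns `user_api_key` in clear, which grants the same API access as that user and must not end up in logs, tickets or chat. The following is an added example (not code from the IRIS reference or the IRIS project) that checks a candidate password against the documented policy and splits the secret out of the response before anything is logged. Reading "12chars" as a minimum length, the `[REDACTED]` marker and the sample response (constructed from the page) are this example's assumptions.

```python
import copy

MIN_PASSWORD_LENGTH = 12  # the reference says "12chars"; treated here as a minimum (assumption)
SENSITIVE_KEYS = {"user_api_key", "user_password"}

# Constructed from the reference's sample response to the user creation call.
SAMPLE_CREATE_RESPONSE = {
    "status": "success",
    "message": "user created",
    "data": {
        "user_is_service_account": True,
        "user_name": "strsinsg",
        "user_login": "strsing",
        "user_email": "stringa",
        "id": 4,
        "user_api_key": "ViYIIkN_LL062yNOcq2kJA3ZMscOAoHmLy8GEh_JYKBWwspLB_E65jhYLg9CsR0J-kP8DmmM3RO31_xixrG8rw",
    },
}


def check_password_policy(password: str) -> list:
    """Return the policy rules the password fails; an empty list means it is acceptable."""
    failures = []
    if len(password) < MIN_PASSWORD_LENGTH:
        failures.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    return failures


def redact(obj):
    """Deep copy of a request or response with API keys and passwords blanked."""
    if isinstance(obj, dict):
        return {k: ("[REDACTED]" if k in SENSITIVE_KEYS and v else redact(v)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def split_secret(response: dict):
    """Separate the new user's API key from a copy of the response that is safe to log.

    The key is returned once, for hand-off to a secrets store; the original dict is left untouched.
    """
    response = copy.deepcopy(response)
    api_key = (response.get("data") or {}).get("user_api_key")
    return api_key, redact(response)
```

Call `check_password_policy` before building the request body, and pass only the second value of `split_secret` to your logger; the first goes to the secrets store the service account will read its key from.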
Administrator role required. Update the groups of a user.
user_id required | integer User ID |
cid required | integer Case ID |
groups_membership required | Array of integers |
{- "groups_membership": [
- 1,
- 2
]
}
{- "data": {
- "active": true,
- "id": 0,
- "user_email": "string",
- "user_login": "string",
- "user_name": "string",
- "user_password": "string"
}, - "message": "string",
- "status": "string"
}
Administrator role required. Update the case access of a user.
user_id required | integer User ID |
cid required | integer Case ID |
cases_list required | Array of integers |
access_level | integer |
{- "cases_list": [
- 1,
- 2
], - "access_level": 2
}
{- "data": {
- "active": true,
- "id": 0,
- "user_email": "string",
- "user_login": "string",
- "user_name": "string",
- "user_password": "string"
}, - "message": "string",
- "status": "string"
}
Administrator role required. Remove cases access from a user.
user_id required | integer User ID |
cid required | integer Case ID |
cases required | Array of integers |
{- "cases": [
- 1,
- 2
]
}
{- "data": {
- "user_active": true,
- "user_cases_access": [ ],
- "user_email": "administrator@iris.local",
- "user_groups": [
- {
- "group_id": 1,
- "group_name": "Administrators",
- "group_uuid": "17511de3-99f5-482a-a541-22bb77e62a9f"
}, - {
- "group_id": 5,
- "group_name": "Test",
- "group_uuid": "bc3e93c5-1755-4411-acf0-0a5f4f47dfb7"
}
], - "user_id": 1,
- "user_login": "administrator",
- "user_name": "administrator",
- "user_organisations": [
- {
- "is_primary_org": true,
- "org_id": 1,
- "org_name": "Default Org",
- "org_uuid": "f0b6364d-bab8-48ac-8de3-8be04f409aa7"
}
], - "user_permissions": {
- "1": {
- "inherited_from": [
- "Administrators",
- "Test"
], - "name": "standard_user",
- "value": 1
}, - "2": {
- "inherited_from": [
- "Administrators"
], - "name": "server_administrator",
- "value": 2
}
}, - "user_primary_organisation_id": 1,
- "user_uuid": "87d6cfcd-6871-43ea-85ab-eea705c08845"
}, - "message": "User case access updated",
- "status": "success"
}
Return a list of available users.
cid | integer Case ID |
{- "status": "success",
- "message": "",
- "data": [
- {
- "user_id": 1,
- "user_uuid": "815be41e-9a7d-4a2e-9e69-db2ceeba6ad2",
- "user_name": "administrator",
- "user_login": "administrator",
- "user_email": "administrator@iris.local",
- "user_active": true,
- "user_is_service_account": false
}, - {
- "user_id": 2,
- "user_uuid": "17e16ccd-a461-4fb0-b219-07f13231d6ce",
- "user_name": "automation",
- "user_login": "automation",
- "user_email": "automation@automation",
- "user_active": true,
- "user_is_service_account": true
}, - {
- "user_id": 3,
- "user_uuid": "06e9d803-d8fc-401f-9487-d76e83072b2b",
- "user_name": "string",
- "user_login": "string",
- "user_email": "string",
- "user_active": true,
- "user_is_service_account": true
}, - {
- "user_id": 4,
- "user_uuid": "bb807755-62fa-412b-b242-fd930a24be13",
- "user_name": "strsinsg",
- "user_login": "strsing",
- "user_email": "stringa",
- "user_active": true,
- "user_is_service_account": true
}
]
}
Returns information of a specific user.
user_id required | integer user ID |
{- "data": {
- "user_active": true,
- "user_cases_access": [ ],
- "user_email": "administrator@iris.local",
- "user_groups": [
- {
- "group_id": 1,
- "group_name": "Administrators",
- "group_uuid": "17511de3-99f5-482a-a541-22bb77e62a9f"
}
], - "user_id": 1,
- "user_login": "administrator",
- "user_name": "administrator",
- "user_organisations": [
- {
- "is_primary_org": true,
- "org_id": 1,
- "org_name": "Default Org",
- "org_uuid": "f0b6364d-bab8-48ac-8de3-8be04f409aa7"
}
], - "user_permissions": {
- "1": {
- "inherited_from": [
- "Administrators"
], - "name": "standard_user",
- "value": 1
}, - "2": {
- "inherited_from": [
- "Administrators"
], - "name": "server_administrator",
- "value": 2
}
}, - "user_primary_organisation_id": 1,
- "user_uuid": "87d6cfcd-6871-43ea-85ab-eea705c08845"
}, - "message": "",
- "status": "success"
}
Add a group. Requires administrative rights.
user_id required | integer user ID |
cid required | integer Case ID |
group_name required | string |
group_description required | string |
group_permissions required | integer |
{- "group_name": "New group",
- "group_description": "New description",
- "group_permissions": 1
}
{- "data": {
- "group_auto_follow": false,
- "group_auto_follow_access_level": 0,
- "group_description": "New description",
- "group_id": 4,
- "group_name": "New group",
- "group_permissions": 1,
- "group_uuid": "a9bb4b93-c8ac-490d-9387-f97f4722271c"
}, - "message": "",
- "status": "success"
}
Update a group. Requires administrative rights.
group_id required | integer Group ID |
cid required | integer Case ID |
group_name required | string |
group_description required | string |
group_permissions required | integer |
{- "group_name": "New group",
- "group_description": "New description",
- "group_permissions": 1
}
{- "data": {
- "group_auto_follow": false,
- "group_auto_follow_access_level": 0,
- "group_description": "New description",
- "group_id": 4,
- "group_name": "New group",
- "group_permissions": 1,
- "group_uuid": "a9bb4b93-c8ac-490d-9387-f97f4722271c"
}, - "message": "",
- "status": "success"
}
Requires administrative rights. Set the members of a group.
group_id required | integer Group ID |
cid required | integer Case ID |
group_members | Array of integers |
{- "group_members": [
- 1,
- 2
]
}
{- "data": [ ],
- "message": "Group deleted",
- "status": "success"
}
Requires administrative rights.
group_id required | integer Group ID |
user_id required | integer User ID |
cid required | integer Case ID |
{- "data": [ ],
- "message": "Group deleted",
- "status": "success"
}
Update the case access of a group. Requires administrative rights.
group_id required | integer Group ID |
cid required | integer Case ID |
access_level required | integer |
cases_list required | Array of integers |
auto_follow_cases required | boolean |
{- "access_level": 0,
- "cases_list": [
- 0
], - "auto_follow_cases": false
}
{- "data": {
- "group_auto_follow": false,
- "group_auto_follow_access_level": 4,
- "group_cases_access": [
- {
- "access_level": 0,
- "access_level_list": [ ],
- "case_id": 1,
- "case_name": "#1 - Dummy name"
}
], - "group_description": "Standard Analysts",
- "group_id": 2,
- "group_members": [ ],
- "group_name": "Analysts",
- "group_permissions": 1,
- "group_permissions_list": [
- {
- "name": "standard_user",
- "value": 1
}
], - "group_uuid": "f71c519f-db4f-4bd3-9dd3-b427a5812089",
- "registry": null
}, - "message": "",
- "status": "success"
}
Remove case access from a group. Requires administrative rights.
group_id required | integer Group ID |
cid required | integer Case ID |
cases | Array of integers |
{- "cases": [
- 1
]
}
{- "data": {
- "group_auto_follow": false,
- "group_auto_follow_access_level": 4,
- "group_cases_access": [
- {
- "access_level": 0,
- "access_level_list": [ ],
- "case_id": 1,
- "case_name": "#1 - Dummy name"
}
], - "group_description": "Standard Analysts",
- "group_id": 2,
- "group_members": [ ],
- "group_name": "Analysts",
- "group_permissions": 1,
- "group_permissions_list": [
- {
- "name": "standard_user",
- "value": 1
}
], - "group_uuid": "f71c519f-db4f-4bd3-9dd3-b427a5812089",
- "registry": null
}, - "message": "",
- "status": "success"
}
List the groups
cid required | integer Case ID |
data | Array of objects |
message | string |
status | string |
{- "data": [
- {
- "group_auto_follow": true,
- "group_auto_follow_access_level": 4,
- "group_description": "Administrators",
- "group_id": 1,
- "group_members": [
- {
- "id": 1,
- "name": "administrator",
- "user": "administrator"
}
], - "group_name": "Administrators",
- "group_permissions": 3,
- "group_permissions_list": [
- {
- "name": "standard_user",
- "value": 1
}, - {
- "name": "server_administrator",
- "value": 2
}
], - "group_uuid": "17511de3-99f5-482a-a541-22bb77e62a9f",
- "registry": null
}, - {
- "group_auto_follow": true,
- "group_auto_follow_access_level": 4,
- "group_description": "Standard Analysts",
- "group_id": 2,
- "group_members": [ ],
- "group_name": "Analysts",
- "group_permissions": 1,
- "group_permissions_list": [
- {
- "name": "standard_user",
- "value": 1
}
], - "group_uuid": "f71c519f-db4f-4bd3-9dd3-b427a5812089",
- "registry": null
}, - {
- "group_auto_follow": false,
- "group_auto_follow_access_level": 0,
- "group_description": "New description",
- "group_id": 4,
- "group_members": [ ],
- "group_name": "New group",
- "group_permissions": 1,
- "group_permissions_list": [
- {
- "name": "standard_user",
- "value": 1
}
], - "group_uuid": "a9bb4b93-c8ac-490d-9387-f97f4722271c",
- "registry": null
}
], - "message": "",
- "status": "success"
}
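The group listing above shows `group_permissions` as an integer next to its expanded `group_permissions_list`, and the user responses earlier show the same permissions per user with the groups they are inherited from. The following is an added example (not code from the IRIS reference or the IRIS project) that decodes that integer, recomputes a user's `user_permissions` structure from their groups, and lists who holds `server_administrator` and through which group, which is the question a least-privilege review of an IRIS instance starts with. The two permission values come from the page; treating `group_permissions` as a bitwise OR of them is an assumption consistent with the Administrators group showing 3, and the sample groups are constructed from the listing above.

```python
# Permission values as given in group_permissions_list on this page.
PERMISSIONS = {1: "standard_user", 2: "server_administrator"}
ALL_KNOWN = sum(PERMISSIONS)  # 0b11

# Constructed from the group listing above (members trimmed to id/name/user).
SAMPLE_GROUPS = [
    {"group_id": 1, "group_name": "Administrators", "group_permissions": 3,
     "group_members": [{"id": 1, "name": "administrator", "user": "administrator"}]},
    {"group_id": 2, "group_name": "Analysts", "group_permissions": 1, "group_members": []},
    {"group_id": 4, "group_name": "New group", "group_permissions": 1, "group_members": []},
]


def decode_permissions(mask: int) -> list:
    """Expand a group_permissions integer into the name/value list IRIS returns.

    Bits this page does not document are rejected instead of silently ignored,
    so a newer server cannot grant something the audit would not show.
    """
    if mask & ~ALL_KNOWN:
        raise ValueError(f"unknown permission bits in {mask:#x}")
    return [{"name": name, "value": value} for value, name in sorted(PERMISSIONS.items()) if mask & value]


def effective_permissions(groups: list) -> dict:
    """Union of a user's group permissions, shaped like the user_permissions field above."""
    result = {}
    for group in groups:
        for perm in decode_permissions(group["group_permissions"]):
            entry = result.setdefault(str(perm["value"]), {"inherited_from": [], **perm})
            entry["inherited_from"].append(group["group_name"])
    return result


def server_administrators(groups: list) -> dict:
    """Map every user who holds server_administrator to the groups granting it."""
    admins = {}
    for group in groups:
        if group["group_permissions"] & 2:
            for member in group.get("group_members", []):
                admins.setdefault(member["user"], []).append(group["group_name"])
    return admins
```

Feeding the complete group listing to `server_administrators` gives the list to compare against the people who are supposed to administer the server; `effective_permissions` on the groups of one user reproduces the `inherited_from` view shown in the user responses, which is what to check after changing a user's `groups_membership`.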
Return a list of available asset types.
cid required | integer Case ID |
{- "data": [
- {
- "asset_description": "Standard Windows Server",
- "asset_icon_compromised": "ioc_windows_server.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_windows_server.png",
- "asset_icon_not_compromised": "windows_server.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/windows_server.png",
- "asset_id": 10,
- "asset_name": "Windows - Server"
}, - {
- "asset_description": "Domain Controller",
- "asset_icon_compromised": "ioc_windows_server.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_windows_server.png",
- "asset_icon_not_compromised": "windows_server.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/windows_server.png",
- "asset_id": 11,
- "asset_name": "Windows - DC"
}, - {
- "asset_description": "Router",
- "asset_icon_compromised": "ioc_router.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_router.png",
- "asset_icon_not_compromised": "router.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/router.png",
- "asset_id": 12,
- "asset_name": "Router"
}, - {
- "asset_description": "Switch",
- "asset_icon_compromised": "ioc_switch.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_switch.png",
- "asset_icon_not_compromised": "switch.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/switch.png",
- "asset_id": 13,
- "asset_name": "Switch"
}, - {
- "asset_description": "VPN",
- "asset_icon_compromised": "ioc_vpn.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_vpn.png",
- "asset_icon_not_compromised": "vpn.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/vpn.png",
- "asset_id": 14,
- "asset_name": "VPN"
}, - {
- "asset_description": "WAF",
- "asset_icon_compromised": "ioc_firewall.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_firewall.png",
- "asset_icon_not_compromised": "firewall.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/firewall.png",
- "asset_id": 15,
- "asset_name": "WAF"
}, - {
- "asset_description": "Windows Account - Local",
- "asset_icon_compromised": "ioc_user.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_user.png",
- "asset_icon_not_compromised": "user.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/user.png",
- "asset_id": 16,
- "asset_name": "Windows Account - Local"
}, - {
- "asset_description": "Windows Account - Local - Admin",
- "asset_icon_compromised": "ioc_user.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_user.png",
- "asset_icon_not_compromised": "user.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/user.png",
- "asset_id": 17,
- "asset_name": "Windows Account - Local - Admin"
}, - {
- "asset_description": "Windows Account - AD",
- "asset_icon_compromised": "ioc_user.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_user.png",
- "asset_icon_not_compromised": "user.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/user.png",
- "asset_id": 18,
- "asset_name": "Windows Account - AD"
}, - {
- "asset_description": "Windows Account - AD - Admin",
- "asset_icon_compromised": "ioc_user.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_user.png",
- "asset_icon_not_compromised": "user.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/user.png",
- "asset_id": 19,
- "asset_name": "Windows Account - AD - Admin"
}, - {
- "asset_description": "Windows Account - AD - krbtgt",
- "asset_icon_compromised": "ioc_user.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_user.png",
- "asset_icon_not_compromised": "user.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/user.png",
- "asset_id": 20,
- "asset_name": "Windows Account - AD - krbtgt"
}, - {
- "asset_description": "Windows Account - AD - krbtgt",
- "asset_icon_compromised": "ioc_user.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_user.png",
- "asset_icon_not_compromised": "user.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/user.png",
- "asset_id": 21,
- "asset_name": "Windows Account - AD - Service"
}, - {
- "asset_description": "Generic Account",
- "asset_icon_compromised": "ioc_user.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_user.png",
- "asset_icon_not_compromised": "user.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/user.png",
- "asset_id": 1,
- "asset_name": "Account"
}, - {
- "asset_description": "Firewall",
- "asset_icon_compromised": "ioc_firewall.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_firewall.png",
- "asset_icon_not_compromised": "firewall.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/firewall.png",
- "asset_id": 2,
- "asset_name": "Firewall"
}, - {
- "asset_description": "Linux server",
- "asset_icon_compromised": "ioc_server.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_server.png",
- "asset_icon_not_compromised": "server.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/server.png",
- "asset_id": 3,
- "asset_name": "Linux - Server"
}, - {
- "asset_description": "Linux computer",
- "asset_icon_compromised": "ioc_desktop.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_desktop.png",
- "asset_icon_not_compromised": "desktop.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/desktop.png",
- "asset_id": 4,
- "asset_name": "Linux - Computer"
}, - {
- "asset_description": "Linux Account",
- "asset_icon_compromised": "ioc_user.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_user.png",
- "asset_icon_not_compromised": "user.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/user.png",
- "asset_id": 5,
- "asset_name": "Linux Account"
}, - {
- "asset_description": "Mac computer",
- "asset_icon_compromised": "ioc_desktop.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_desktop.png",
- "asset_icon_not_compromised": "desktop.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/desktop.png",
- "asset_id": 6,
- "asset_name": "Mac - Computer"
}, - {
- "asset_description": "Android Phone",
- "asset_icon_compromised": "ioc_phone.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_phone.png",
- "asset_icon_not_compromised": "phone.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/phone.png",
- "asset_id": 7,
- "asset_name": "Phone - Android"
}, - {
- "asset_description": "Apple Phone",
- "asset_icon_compromised": "ioc_phone.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_phone.png",
- "asset_icon_not_compromised": "phone.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/phone.png",
- "asset_id": 8,
- "asset_name": "Phone - IOS"
}, - {
- "asset_description": "Standard Windows Computer",
- "asset_icon_compromised": "ioc_windows_desktop.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_windows_desktop.png",
- "asset_icon_not_compromised": "windows_desktop.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/windows_desktop.png",
- "asset_id": 9,
- "asset_name": "Windows - Computer"
}
], - "message": "",
- "status": "success"
}
Returns information on a specific asset type.
asset_type_id required | integer Asset Type ID |
{
  "data": {
    "asset_description": "Firewall",
    "asset_id": 2,
    "asset_name": "Firewall"
  },
  "message": "",
  "status": "success"
}
Delete an asset type. Administrator role required.
asset_type_id required | integer Asset Type ID |
cid | integer Case ID |
{
  "data": [],
  "message": "Deleted asset type ID 16 successfully",
  "status": "success"
}
Add a new asset type. Administrator role required. The request body is multipart/form-data (two text fields and two PNG icon files); see the example for the expected fields.
-----------------------------145784024822865434322863553415
Content-Disposition: form-data; name="asset_name"
My asset name
-----------------------------145784024822865434322863553415
Content-Disposition: form-data; name="asset_description"
My asset description
-----------------------------145784024822865434322863553415
Content-Disposition: form-data; name="asset_icon_not_compromised"; filename="ex.png"
Content-Type: image/png
PNG DATA
-----------------------------145784024822865434322863553415
Content-Disposition: form-data; name="asset_icon_compromised"; filename="ex_1.png"
Content-Type: image/png
PNG DATA
-----------------------------145784024822865434322863553415--
asset_name required | string |
asset_description required | string |
asset_icon_not_compromised required | string |
asset_icon_compromised required | string |
{
  "data": {
    "asset_description": "Test",
    "asset_icon_compromised": "rhogktdtczkkrokiaq",
    "asset_icon_not_compromised": "ibbbflajuaecznvhtm",
    "asset_id": 22,
    "asset_name": "Test",
    "registry": null
  },
  "message": "Asset type updated",
  "status": "success"
}
Update an asset type. Administrator role required. The request body is multipart/form-data with the same fields as when adding an asset type.
asset_type_id required | integer Asset Type to update |
cid required | integer Case ID |
-----------------------------145784024822865434322863553415
Content-Disposition: form-data; name="asset_name"
My asset name
-----------------------------145784024822865434322863553415
Content-Disposition: form-data; name="asset_description"
My asset description
-----------------------------145784024822865434322863553415
Content-Disposition: form-data; name="asset_icon_not_compromised"; filename="ex.png"
Content-Type: image/png
PNG DATA
-----------------------------145784024822865434322863553415
Content-Disposition: form-data; name="asset_icon_compromised"; filename="ex_1.png"
Content-Type: image/png
PNG DATA
-----------------------------145784024822865434322863553415--
asset_name required | string |
asset_description required | string |
asset_icon_not_compromised required | string |
asset_icon_compromised required | string |
{
  "data": {
    "asset_description": "Windows Account - Local - Admin",
    "asset_icon_compromised": "ioc_user.png",
    "asset_icon_not_compromised": "user.png",
    "asset_id": 17,
    "asset_name": "Windows Account - Local - Admin",
    "registry": null
  },
  "message": "Asset type updated",
  "status": "success"
}
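Both the add and the update asset type endpoints above take the same multipart/form-data body, and the uploaded icons end up served from the server's static icon directory (the asset_icon_*_path values in the list response). The following is an added example, not IRIS project code: it builds that body with the standard library, reproducing the field layout of the documentation sample, and refuses icon files that do not carry the PNG signature or whose filename could break out of the Content-Disposition header. The boundary format, the stand-in icon bytes and the filename rules are constructed here; the request URL is not shown on this page and is left to the caller.

```python
"""Build the multipart/form-data body for the asset type add/update endpoints.

Added example, not IRIS project code. Field names follow the documentation
sample; the boundary format, the sample icon bytes and the filename checks
are constructed here.
"""
import secrets

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Constructed stand-ins for real icon files: valid signature, no image data.
SAMPLE_ICON_OK = PNG_SIGNATURE + b"\x00" * 8
SAMPLE_ICON_BAD = b"GIF89a" + b"\x00" * 10   # wrong format, must be rejected


def is_png(data: bytes) -> bool:
    """True if data starts with the 8-byte PNG file signature."""
    return data[:8] == PNG_SIGNATURE


def safe_filename(filename: str) -> str:
    """Reject characters that would escape the quoted filename parameter."""
    if not filename or any(c in filename for c in '"\\/\r\n\x00'):
        raise ValueError(f"unsafe filename {filename!r}")
    return filename


def build_asset_type_body(asset_name, asset_description,
                          icon_not_compromised, icon_compromised, boundary=None):
    """Return (body, content_type) for the form shown in the documentation.

    icon_* are (filename, bytes) pairs. Non-PNG data raises ValueError so a
    mislabelled file never reaches the server's static icon directory.
    """
    if boundary is None:
        # Browser-style boundary: 27 dashes and a random token (constructed).
        boundary = "-" * 27 + secrets.token_hex(15)
    delimiter = f"--{boundary}\r\n".encode()
    parts = []
    for name, value in (("asset_name", asset_name),
                        ("asset_description", asset_description)):
        parts.append(delimiter + (
            f'Content-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'
        ).encode("utf-8"))
    for name, (filename, data) in (("asset_icon_not_compromised", icon_not_compromised),
                                   ("asset_icon_compromised", icon_compromised)):
        if not is_png(data):
            raise ValueError(f"{name}: {filename!r} is not a PNG file")
        header = (
            f'Content-Disposition: form-data; name="{name}"; '
            f'filename="{safe_filename(filename)}"\r\n'
            "Content-Type: image/png\r\n\r\n"
        ).encode("utf-8")
        parts.append(delimiter + header + data + b"\r\n")
    parts.append(f"--{boundary}--\r\n".encode())
    return b"".join(parts), f"multipart/form-data; boundary={boundary}"


def sample_body():
    """The documented example, rebuilt with the constructed icons and boundary."""
    return build_asset_type_body(
        "My asset name", "My asset description",
        ("ex.png", SAMPLE_ICON_OK), ("ex_1.png", SAMPLE_ICON_OK),
        boundary="-" * 27 + "145784024822865434322863553415")


def rejects_non_png() -> bool:
    """True if a non-PNG icon is refused before any body is produced."""
    try:
        build_asset_type_body("n", "d", ("a.png", SAMPLE_ICON_BAD), ("b.png", SAMPLE_ICON_OK))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    body, content_type = sample_body()
    print(content_type)
    print(body.decode("latin-1"))
```

Send the returned body with the returned Content-Type value (the boundary must match), the cid parameter in the URI and the API key from the user profile, as described at the top of this page.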
Return a list of available task statuses.
cid required | integer Case ID |
{
  "data": [
    {
      "id": 1,
      "status_bscolor": "danger",
      "status_description": "",
      "status_name": "To do"
    },
    {
      "id": 2,
      "status_bscolor": "warning",
      "status_description": "",
      "status_name": "In progress"
    },
    {
      "id": 3,
      "status_bscolor": "muted",
      "status_description": "",
      "status_name": "On hold"
    },
    {
      "id": 4,
      "status_bscolor": "success",
      "status_description": "",
      "status_name": "Done"
    },
    {
      "id": 5,
      "status_bscolor": "muted",
      "status_description": "",
      "status_name": "Canceled"
    }
  ],
  "message": "",
  "status": "success"
}
Return information on a task status.
task_status_id required | integer Task status to get |
cid required | integer Case ID |
{
  "data": {
    "id": 1,
    "status_bscolor": "danger",
    "status_description": "",
    "status_name": "To do"
  },
  "message": "",
  "status": "success"
}
Return a list of available analysis statuses.
cid required | integer Case ID |
{
  "data": [
    {
      "id": 1,
      "name": "Unspecified"
    },
    {
      "id": 2,
      "name": "To be done"
    },
    {
      "id": 3,
      "name": "Started"
    },
    {
      "id": 4,
      "name": "Pending"
    },
    {
      "id": 5,
      "name": "Canceled"
    },
    {
      "id": 6,
      "name": "Done"
    }
  ],
  "message": "",
  "status": "success"
}
Return information on an IOC type.
ioc_type_id required | integer IOC Type ID |
cid required | integer Case ID |
{
  "data": {
    "registry": null,
    "type_description": "Autonomous system",
    "type_id": 1,
    "type_name": "AS",
    "type_taxonomy": null,
    "type_validation_expect": null,
    "type_validation_regex": null
  },
  "message": "",
  "status": "success"
}
Delete an IOC type. Administrator role required.
ioc_type_id required | integer IOC Type ID |
cid | integer Case ID |
{
  "data": [],
  "message": "Deleted ioc type ID 6",
  "status": "success"
}
Add a new IOC type. Administrator role required.
type_name required | string |
type_description required | string |
type_taxonomy required | string |
type_validation_regex required | string |
type_validation_expect required | string |
{
  "type_name": "campaign-id",
  "type_description": "Associated campaign ID",
  "type_taxonomy": "dsa",
  "type_validation_regex": "*.",
  "type_validation_expect": "Explanation"
}
{
  "data": {
    "registry": null,
    "type_description": "Associated campaign ID",
    "type_id": 161,
    "type_name": "campaign-aaid",
    "type_taxonomy": "dsa",
    "type_validation_expect": "Explanation",
    "type_validation_regex": "*."
  },
  "message": "Added successfully",
  "status": "success"
}
Update an IOC type. Administrator role required.
ioc_type_id required | integer IOC Type ID |
type_name | string |
type_description | string |
type_taxonomy | string |
type_validation_regex | string |
type_validation_expect | string |
{
  "type_name": "campaign-id",
  "type_description": "Associated campaign ID",
  "type_taxonomy": "dsa",
  "type_validation_regex": "*.",
  "type_validation_expect": "Explanation"
}
{
  "data": {
    "registry": null,
    "type_description": "Associated campaign ID",
    "type_id": 7,
    "type_name": "campaign-id",
    "type_taxonomy": "dsa",
    "type_validation_expect": "Explanation",
    "type_validation_regex": "*."
  },
  "message": "IOC type updated",
  "status": "success"
}
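The type_validation_regex field of an IOC type is what stands between an analyst's typo and a badly formed indicator in the case, so it is worth checking the payload locally before sending it to either the add or the update endpoint above. Note that the sample pattern "*." shown for both endpoints does not compile in Python's re module (a quantifier with nothing to repeat). The following is an added example, not IRIS project code: it checks the five field names this page lists, compiles the regex, flags patterns that accept an empty value, and previews a value against the type. That the server uses a Python-compatible regex engine and anchors the match over the whole value (fullmatch) is an assumption made here; the corrected pattern for the campaign-id example is constructed, not taken from IRIS.

```python
"""Sanity-check an IOC type payload before calling the add/update endpoints.

Added example, not IRIS project code. The five field names are the ones
listed on this page. Assumptions made here: the server compiles
type_validation_regex with a Python-compatible engine and anchors the
match over the whole IOC value. The corrected campaign-id pattern is
constructed for this example.
"""
import re

REQUIRED_FIELDS = ("type_name", "type_description", "type_taxonomy",
                   "type_validation_regex", "type_validation_expect")

# Request body exactly as shown on this page.
PAGE_PAYLOAD = {
    "type_name": "campaign-id",
    "type_description": "Associated campaign ID",
    "type_taxonomy": "dsa",
    "type_validation_regex": "*.",
    "type_validation_expect": "Explanation",
}

# Constructed replacement: same type, a pattern that compiles and cannot
# match an empty value, and an explanation an analyst can act on.
FIXED_PAYLOAD = dict(
    PAGE_PAYLOAD,
    type_validation_regex=r"[A-Za-z0-9][A-Za-z0-9_.-]{2,63}",
    type_validation_expect="3 to 64 characters: letters, digits, '_', '.' or '-'",
)


def check_ioc_type_payload(payload, require_all=True):
    """Return a list of problems; an empty list means the payload looks sane.

    require_all=True mirrors the add endpoint (every field required);
    pass False for the update endpoint, where the fields are optional.
    """
    problems = []
    for field in REQUIRED_FIELDS:
        if field not in payload:
            if require_all:
                problems.append(f"missing field {field}")
            continue
        if not isinstance(payload[field], str):
            problems.append(f"{field} must be a string")
    regex = payload.get("type_validation_regex")
    if isinstance(regex, str) and regex:
        try:
            compiled = re.compile(regex)
        except re.error as exc:
            # The page's "*." lands here: nothing to repeat at position 0.
            problems.append(f"type_validation_regex does not compile: {exc}")
        else:
            if compiled.fullmatch("") is not None:
                problems.append("type_validation_regex accepts an empty value")
            if payload.get("type_validation_expect") == "":
                problems.append("type_validation_expect is empty although a regex is set")
    return problems


def value_matches(ioc_type, value):
    """Preview of the server-side check: anchored match of value against the
    type's regex (anchoring is an assumption). No regex means no check."""
    regex = ioc_type.get("type_validation_regex")
    if not regex:
        return True
    return re.fullmatch(regex, value) is not None


if __name__ == "__main__":
    print("page payload:", check_ioc_type_payload(PAGE_PAYLOAD))
    print("fixed payload:", check_ioc_type_payload(FIXED_PAYLOAD))
    for candidate in ("APT-2023.07", "a", "bad id"):
        print(candidate, "->", value_matches(FIXED_PAYLOAD, candidate))
```

Run the check on the update payload with require_all=False, since the update endpoint marks every field optional; the regex and empty-value checks still apply whenever type_validation_regex is present.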
Add a new case template.
case_template_json | string | The template itself, JSON-encoded as a string (see the example) |
{
  "case_template_json": "{\n \"name\": \"Template name\",\n \"display_name\": \"Template Display Name\",\n \"description\": \"Template description\",\n \"author\": \"YOUR NAME\",\n \"classification\": \"known-template-classification\",\n \"title_prefix\": \"[PREFIX]\",\n \"summary\": \"Summary to be set\",\n \"tags\": [\n \"ransomware\",\n \"malware\"\n ],\n \"tasks\": [\n {\n \"title\": \"Task 1\",\n \"description\": \"Task 1 description\",\n \"tags\": [\n \"tag1\",\n \"tag2\"\n ]\n }\n ],\n \"note_groups\": [\n {\n \"title\": \"Note group 1\",\n \"notes\": [\n {\n \"title\": \"Note 1\",\n \"content\": \"Note 1 content\"\n }\n ]\n }\n ]\n}"
}
Update a case template.
template_id required | integer Case Template ID |
case_template_json | string | The template itself, JSON-encoded as a string (see the example) |
{
  "case_template_json": "{\n \"name\": \"Template name\",\n \"display_name\": \"Template Display Name\",\n \"description\": \"Template description\",\n \"author\": \"YOUR NAME\",\n \"classification\": \"known-template-classification\",\n \"title_prefix\": \"[PREFIX]\",\n \"summary\": \"Summary to be set\",\n \"tags\": [\n \"ransomware\",\n \"malware\"\n ],\n \"tasks\": [\n {\n \"title\": \"Task 1\",\n \"description\": \"Task 1 description\",\n \"tags\": [\n \"tag1\",\n \"tag2\"\n ]\n }\n ],\n \"note_groups\": [\n {\n \"title\": \"Note group 1\",\n \"notes\": [\n {\n \"title\": \"Note 1\",\n \"content\": \"Note 1 content\"\n }\n ]\n }\n ]\n}"
}
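The add and update case template endpoints above take the template as a JSON string inside the JSON body (double-encoded), which is why the sample shows escaped quotes and "\n" sequences; sending a nested object instead of a string is the usual mistake. The following is an added example, not IRIS project code: it builds the case_template_json field from a Python object mirroring the page's sample, applies shape checks derived from that sample (strings where it has strings, lists of objects with titles for tasks and note groups), and decodes a payload back while rejecting the nested-object form. Which keys the server actually requires is not stated on this page, so the checks only validate what is present.

```python
"""Build and inspect the case_template_json field of the case template endpoints.

Added example, not IRIS project code. The template shape is mirrored from
the page's sample; the server's own required keys are not documented here,
so the checks below only validate the types of keys that are present.
"""
import json

# Template from the page's sample, as a Python object.
SAMPLE_TEMPLATE = {
    "name": "Template name",
    "display_name": "Template Display Name",
    "description": "Template description",
    "author": "YOUR NAME",
    "classification": "known-template-classification",
    "title_prefix": "[PREFIX]",
    "summary": "Summary to be set",
    "tags": ["ransomware", "malware"],
    "tasks": [{"title": "Task 1", "description": "Task 1 description",
               "tags": ["tag1", "tag2"]}],
    "note_groups": [{"title": "Note group 1",
                     "notes": [{"title": "Note 1", "content": "Note 1 content"}]}],
}

STRING_KEYS = ("name", "display_name", "description", "author",
               "classification", "title_prefix", "summary")


def template_problems(template):
    """Shape checks derived from the sample. Returns a list of problem strings."""
    problems = []
    for key in STRING_KEYS:
        if key in template and not isinstance(template[key], str):
            problems.append(f"{key} should be a string")
    if not isinstance(template.get("tags", []), list):
        problems.append("tags should be a list")
    for i, task in enumerate(template.get("tasks", [])):
        if not isinstance(task, dict) or "title" not in task:
            problems.append(f"tasks[{i}] needs a title")
    for i, group in enumerate(template.get("note_groups", [])):
        if not isinstance(group, dict) or "title" not in group:
            problems.append(f"note_groups[{i}] needs a title")
            continue
        for j, note in enumerate(group.get("notes", [])):
            if not isinstance(note, dict) or "title" not in note or "content" not in note:
                problems.append(f"note_groups[{i}].notes[{j}] needs title and content")
    return problems


def build_payload(template):
    """Wrap the template as the string-valued case_template_json field."""
    problems = template_problems(template)
    if problems:
        raise ValueError("; ".join(problems))
    # json.dumps here is the double encoding: the result is a JSON string
    # that itself sits inside the JSON request body.
    return {"case_template_json": json.dumps(template, indent=2)}


def unwrap_payload(payload):
    """Decode a payload back to a template, rejecting the nested-object mistake."""
    raw = payload.get("case_template_json")
    if not isinstance(raw, str):
        raise TypeError("case_template_json must be a JSON string, not a nested object")
    return json.loads(raw)


def nested_object_is_rejected() -> bool:
    """True if passing the template as an object (not a string) is caught."""
    try:
        unwrap_payload({"case_template_json": SAMPLE_TEMPLATE})
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    payload = build_payload(SAMPLE_TEMPLATE)
    print(json.dumps(payload, indent=2))
    print("round trip ok:", unwrap_payload(payload) == SAMPLE_TEMPLATE)
```

The same payload dict serves both endpoints; for the update, template_id travels as a parameter alongside it, as the parameter table above shows.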
Delete a case template.
template_id required | integer Case Template ID |
List the case classifications.
{
  "status": "success",
  "message": "",
  "data": [
    {
      "id": 1,
      "name": "abusive-content:spam",
      "name_expanded": "Abusive-Content: spam",
      "description": "Spam or ‘unsolicited bulk e-mail’, meaning that the recipient has not granted verifiable permission for the message to be sent and that the message is sent as part of a larger collection of messages, all having identical content.",
      "creation_date": "2023-04-28T11:30:00.649012"
    },
    {
      "id": 2,
      "name": "abusive-content:harmful-speech",
      "name_expanded": "Abusive-Content: Harmful Speech",
      "description": "Discretization or discrimination of somebody (e.g. cyber stalking, racism and threats against one or more individuals) May be found on a forum, email, tweet etc…",
      "creation_date": "2023-04-28T11:30:00.653918"
    },
    {
      "id": 3,
      "name": "abusive-content:violence",
      "name_expanded": "Abusive-Content: Child/Sexual/Violence/...",
      "description": "Any Child pornography, glorification of violence, may be found on a website, forum, email, tweet etc…",
      "creation_date": "2023-04-28T11:30:00.657151"
    },
    {
      "id": 4,
      "name": "malicious-code:virus",
      "name_expanded": "Malicious-Code: Virus",
      "description": "Malicious code that replicate itself and infects the computer and files;",
      "creation_date": "2023-04-28T11:30:00.660827"
    },
    {
      "id": 5,
      "name": "malicious-code:worm",
      "name_expanded": "Malicious-Code: Worm",
      "description": "Malware that self-replicates and spread itself to other computers in the network without any user interaction;",
      "creation_date": "2023-04-28T11:30:00.664177"
    },
    {
      "id": 6,
      "name": "malicious-code:ransomware",
      "name_expanded": "Malicious-Code: Ransomware",
      "description": "Ransomware is a type of malicious software from cryptovirology that blocks access to the victim's data or threatens to publish it until a ransom is paid.",
      "creation_date": "2023-04-28T11:30:00.667058"
    },
    {
      "id": 7,
      "name": "malicious-code:trojan-malware",
      "name_expanded": "Malicious-Code: Trojan/Malware",
      "description": "This category regroups many common malware types (Banking, POS, Mining malware).",
      "creation_date": "2023-04-28T11:30:00.670949"
    },
    {
      "id": 8,
      "name": "malicious-code:spyware-rat",
      "name_expanded": "Malicious-Code: Spyware/Rat",
      "description": "This category regroups malware types and tools that may have a bigger impact on the breached infrastructure and usually need further investigations (Common Spyware/Rat, State sponsored malwares, StealersHacking tool).",
      "creation_date": "2023-04-28T11:30:00.673649"
    },
    {
      "id": 9,
      "name": "malicious-code:dialer",
      "name_expanded": "Malicious-Code: Dialer",
      "description": "Computer program used to identify the phone numbers that can successfully make a connection with a computer modem. Use this category to classify overpriced SMS sent by malicious mobile application. ",
      "creation_date": "2023-04-28T11:30:00.676681"
    },
    {
      "id": 10,
      "name": "malicious-code:rootkit",
      "name_expanded": "Malicious-Code: Rootkit",
      "description": "Malware, which alter the standard functionality of an operating system in order to do its malicious actions in a stealthy way. In practice, Rootkits hijacks systems functions in order to alter the returning values to hide themselves from simple analysis tools.",
      "creation_date": "2023-04-28T11:30:00.679830"
    },
    {
      "id": 11,
      "name": "information-gathering:scanner",
      "name_expanded": "Information-Gathering: Scanning",
      "description": "Attacks that send requests to a system to discover weak points. This also includes some kinds of testing processes to gather information about hosts, services and accounts. Examples: fingerd, DNS querying, ICMP, SMTP (EXPN, RCPT,).",
      "creation_date": "2023-04-28T11:30:00.682321"
    },
    {
      "id": 12,
      "name": "information-gathering:sniffing",
      "name_expanded": "Information-Gathering: Sniffing",
      "description": "Observing and recording network traffic (wiretapping).",
      "creation_date": "2023-04-28T11:30:00.686102"
    },
    {
      "id": 13,
      "name": "information-gathering:social-engineering",
      "name_expanded": "Information-Gathering: Social Engineering",
      "description": "Gathering information from a human being in a non-technical way (eg, lies, tricks, bribes, or threats).",
      "creation_date": "2023-04-28T11:30:00.689526"
    },
    {
      "id": 14,
      "name": "intrusion-attempts:exploit-known-vuln",
      "name_expanded": "Intrusion-Attempts: Exploiting known vulnerabilities",
      "description": "An attempt to compromise a system or to disrupt any service by exploiting vulnerabilities with a standardised identifier such as CVE name (eg, buffer overflow, backdoors, cross side scripting, etc).",
      "creation_date": "2023-04-28T11:30:00.692862"
    },
    {
      "id": 15,
      "name": "intrusion-attempts:login-attempts",
      "name_expanded": "Intrusion-Attempts: Login attempts",
      "description": "Multiple login attempts (guessing / cracking of passwords, brute force).",
      "creation_date": "2023-04-28T11:30:00.696596"
    },
    {
      "id": 16,
      "name": "intrusion-attempts:new-attack-signature",
      "name_expanded": "Intrusion-Attempts: New attack signature",
      "description": "An attempt using an unknown exploit.",
      "creation_date": "2023-04-28T11:30:00.699969"
    },
    {
      "id": 17,
      "name": "intrusion:privileged-account-compromise",
      "name_expanded": "Intrusion: Privileged Account Compromise",
      "description": "A successful full compromise of a system or application (service). This can have been caused remotely by a known or new vulnerability, but also by an unauthorized local access.",
      "creation_date": "2023-04-28T11:30:00.704096"
    },
    {
      "id": 18,
      "name": "intrusion:unprivileged-account-compromise",
      "name_expanded": "Intrusion: Unprivileged Account Compromise",
      "description": "A successful compromise of a system or application (service). This can have been caused remotely by a known or new vulnerability, but also by an unauthorized local access. The intruded did not achieve to escale his privileges locally. ",
      "creation_date": "2023-04-28T11:30:00.707415"
    },
    {
      "id": 19,
      "name": "intrusion:botnet-member",
      "name_expanded": "Intrusion: Botnet member",
      "description": "The compromised asset is also being part of a botnet. This is reserved mainly for public web servers. See malicious code in priority for workstations or internal server’s compromise. For example, phpmailer, etc…",
      "creation_date": "2023-04-28T11:30:00.711851"
    },
    {
      "id": 20,
      "name": "intrusion:domain-compromise",
      "name_expanded": "Intrusion: Domain Compromise",
      "description": "The whole domain is compromised; this is commonly used for active directory and detected by a 'pass the ticket' attack or a discovery of 'ad dumps' files.",
      "creation_date": "2023-04-28T11:30:00.715487"
    },
    {
      "id": 21,
      "name": "intrusion:application-compromise",
      "name_expanded": "Intrusion: Application Compromise",
      "description": "An application is compromised; the attacker possess an uncontrolled access to data, server, and assets used by this application (CMDB, DB, Backend services, etc.).",
      "creation_date": "2023-04-28T11:30:00.719242"
    },
    {
      "id": 22,
      "name": "availability:dos",
      "name_expanded": "Availability: DoS",
      "description": "An attacker attempts to prevent legitimate users from accessing information or services.",
      "creation_date": "2023-04-28T11:30:00.722901"
    },
    {
      "id": 23,
      "name": "availability:ddos",
      "name_expanded": "Availability: DDoS",
      "description": "Form of electronic attack involving multiple computers, which send repeated requests (HTTP requests, pings, TCP or UDP Flood) to a server to load it down and render the service inaccessible for a period of time. ",
      "creation_date": "2023-04-28T11:30:00.726025"
    },
    {
      "id": 24,
      "name": "availability:sabotage",
      "name_expanded": "Availability: Sabotage",
      "description": "Deliberate and malicious acts that result in the disruption of the normal processes and functions or the destruction or damage of equipment or information.",
      "creation_date": "2023-04-28T11:30:00.730028"
    },
    {
      "id": 25,
      "name": "availability:outage",
      "name_expanded": "Availability: Outage (no malice)",
      "description": "Unavailability of the system but done with no malice.",
      "creation_date": "2023-04-28T11:30:00.732902"
    },
    {
      "id": 26,
      "name": "information-content-security:Unauthorised-information-access",
      "name_expanded": "Information-Content-Security: Unauthorised access to information",
      "description": "Any access to unauthorized data. It may be access of data on improperly restricted server share or database exfiltered by using a SQLi.",
      "creation_date": "2023-04-28T11:30:00.736928"
    },
    {
      "id": 27,
      "name": "information-content-security:Unauthorised-information-modification",
      "name_expanded": "Information-Content-Security: Unauthorised modification of information",
      "description": "Unauthorized tampering of data on files, documents or database.",
      "creation_date": "2023-04-28T11:30:00.740163"
    },
    {
      "id": 28,
      "name": "fraud:copyright",
      "name_expanded": "Fraud: Copyright",
      "description": "Selling or installing copies of unlicensed commercial software or other copyright protected materials (Warez).",
      "creation_date": "2023-04-28T11:30:00.743723"
    },
    {
      "id": 29,
      "name": "fraud:masquerade",
      "name_expanded": "Fraud: Masquerade",
      "description": "Types of attacks in which one entity illegitimately assumes the identity of another in order to benefit from it. This attack may be used for president fraud requesting transactions.",
      "creation_date": "2023-04-28T11:30:00.747483"
    },
    {
      "id": 30,
      "name": "fraud:phishing",
      "name_expanded": "Fraud: Phishing",
      "description": "Masquerading as another entity in order to persuade the user to reveal a private credential.",
      "creation_date": "2023-04-28T11:30:00.750375"
    },
    {
      "id": 31,
      "name": "vulnerable:vulnerable-service",
      "name_expanded": "Vulnerable: Open for abuse",
      "description": "Open resolvers, world readable printers, vulnerability apparent from Nessus etc scans, virus, signatures not up to date, etc. This includes for example default SNMP community or default password on any application.",
      "creation_date": "2023-04-28T11:30:00.754135"
    },
    {
      "id": 32,
      "name": "conformity:regulator",
      "name_expanded": "Conformity: Regulator",
      "description": "All lack about regulator rules (CSSF, GDPR, etc.).",
      "creation_date": "2023-04-28T11:30:00.757258"
    },
    {
      "id": 33,
      "name": "conformity:standard",
      "name_expanded": "Conformity: Standard",
      "description": "All lack about standards certification of the company (ISO27000, NIS, ISAE3402, etc.).",
      "creation_date": "2023-04-28T11:30:00.760692"
    },
    {
      "id": 34,
      "name": "conformity:security-policy",
      "name_expanded": "Conformity: Security policy",
      "description": "All lack about the internal security policy of the company.",
      "creation_date": "2023-04-28T11:30:00.764099"
    },
    {
      "id": 35,
      "name": "conformity:other-conformity",
      "name_expanded": "Conformity: Other",
      "description": "All lack that do not fit in one of previous categories should be put on this class.",
      "creation_date": "2023-04-28T11:30:00.766910"
    },
    {
      "id": 36,
      "name": "other:other",
      "name_expanded": "Other: other",
      "description": "All incidents that do not fit in one of the given categories should be put into this class. If the number of incidents in this category increases, it is an indicator that the classification scheme must be revised.",
      "creation_date": "2023-04-28T11:30:00.770376"
    },
    {
      "id": 75,
      "name": "Super really",
      "name_expanded": "No no no",
      "description": "dsadas",
      "creation_date": "2023-05-02T07:22:38.042448"
    }
  ]
}
Get a case classification from an ID.
classification_id required | integer Classification ID to fetch |
{
  "status": "success",
  "message": "",
  "data": {
    "creation_date": "2023-04-28T11:30:00.649012",
    "description": "Spam or ‘unsolicited bulk e-mail’, meaning that the recipient has not granted verifiable permission for the message to be sent and that the message is sent as part of a larger collection of messages, all having identical content.",
    "name_expanded": "Abusive-Content: spam",
    "id": 1,
    "name": "abusive-content:spam"
  }
}