IRIS (2.0.4)

Download OpenAPI specification:Download

IRIS API

To use these API endpoint, an API key is needed and can be found in every user profile under My settings > API Key. This specification applies to Iris >= v2.4.0. The supported API version can be checked in Advanced > Server settings > Server versions on IRIS.
The API port is the same as the one used for the web interface, so 443 by default.

Changes

Changes in v2.0.0

This version introduces access control. Every request now needs to have the cid=x parameter in the URI.
Deletion endpoints have been migrated from GET to POST. Deletion GET endpoints have been marqued as deprecated and are not available anymore.

Changes in v1.4.5

v1.4.5 introduced the concept of custom attributes. These JSON objects that are stored into almost all case objects such as Assets, IOCs, etc. They are defined by administrators or modules and can vary from one objet to another despite being of the same type. Because of this, no definitive structure can be expected from these fields. They are all named custom_attributes.

Case general

Update case summary

Update the summary of a case. Carefull: this will trigger an overwrite of the summary. Summaries are shared interactively between users. If an update summary is issued, every user will receive the change and their locale changes will be lost.
The summary is a markdown-compatible text.

Authorizations:
Bearer <bearer>
query Parameters
cid
required
string

Case ID

Request Body schema: application/json
case_description
required
string

The updated summary

Responses

Request samples

Content type
application/json
{
  • "case_description": "Dummy description",
  • "cid": 1
}

Response samples

Content type
application/json
{
  • "data": 3837413706,
  • "message": "Summary updated",
  • "status": "success"
}

Add task log

Add a task log to the case. The task log is registered under Activities and is be availble in reports templating. If CID is omitted, the default case of the calling user is used.

Authorizations:
Bearer <bearer>
query Parameters
cid
string

Case ID

Request Body schema: application/json
log_content
required
string

Responses

Request samples

Content type
application/json
{
  • "log_content": "A test"
}

Response samples

Content type
application/json
{
  • "data": {
    },
  • "message": "Log saved",
  • "status": "success"
}

Export a case as JSON

Export a case in JSON format including all the information such as assets, iocs, etc. This request can take a very long time depending on the size of the case and is DB intensive.
The datastore is not part of the response and needs to be requested manually.

Authorizations:
Bearer <bearer>
query Parameters
cid
required
string

ID Of the case to export

Responses

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "",
  • "data": {
    }
}

Case assets

Get list of assets

Get a list of the assets linked to the case.

Authorizations:
Bearer <bearer>
query Parameters
cid
required
integer

Case ID

Responses

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "",
  • "data": {
    }
}

Fetch an asset

Fetch an asset.

Authorizations:
Bearer <bearer>
path Parameters
asset_id
required
integer
query Parameters
cid
required
string

Case ID

Responses

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "",
  • "data": {
    }
}

Add a new asset

Create an asset and link it to the case.

Authorizations:
Bearer <bearer>
query Parameters
cid
required
integer

Case ID

Request Body schema: application/json
asset_type_id
required
string
asset_domain
string
asset_ip
string
asset_info
string
asset_compromise_status_id
string
analysis_status_id
string
ioc_links
Array of strings
asset_name
required
string
asset_tags
string
asset_description
string
custom_attributes
object

Responses

Request samples

Content type
application/json
{
  • "asset_type_id": "9",
  • "asset_domain": "iris.local",
  • "asset_ip": "127.0.0.1",
  • "asset_info": "",
  • "asset_compromise_status_id": "1",
  • "analysis_status_id": "3",
  • "ioc_links": [
    ],
  • "asset_name": "admin_laptop",
  • "asset_tags": "anewtag",
  • "asset_description": "A host description",
  • "custom_attributes": { }
}

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "Asset added",
  • "data": {
    }
}

Update an asset

Update an asset

Authorizations:
Bearer <bearer>
path Parameters
asset_id
required
string

ID of the asset to update

query Parameters
cid
required
integer

Case ID

Request Body schema: application/json
asset_name
required
string
asset_type_id
required
string
asset_domain
string
asset_ip
string
asset_info
string
asset_compromise_status_id
string
analysis_status_id
string
ioc_links
Array of strings
asset_tags
string
asset_description
string
custom_attributes
object

Responses

Request samples

Content type
application/json
{
  • "asset_name": "admin_laptop",
  • "asset_type_id": "9",
  • "asset_domain": "iris.local",
  • "asset_ip": "127.0.0.1",
  • "asset_info": "",
  • "asset_compromise_status_id": "1",
  • "analysis_status_id": "3",
  • "ioc_links": [
    ],
  • "asset_tags": "anewtag",
  • "asset_description": "A host description",
  • "custom_attributes": { }
}

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "Updated asset admin_laptop",
  • "data": {
    }
}

Delete an asset Deprecated

This endpoint is deprecated. Use the POST equivalent.

Authorizations:
Bearer <bearer>
path Parameters
asset_id
required
string

ID of the note to delete

query Parameters
cid
required
string

Case ID

Responses

Response samples

Content type
application/json
{
  • "data": [ ],
  • "message": "Deleted",
  • "status": "success"
}

Delete an asset

Delete an asset based on its ID. If the asset is linked to an event, the reference is deleted but not the event.

Authorizations:
Bearer <bearer>
path Parameters
asset_id
required
string

ID of the note to delete

query Parameters
cid
required
integer

Case ID

Responses

Response samples

Content type
application/json
{
  • "value": {
    }
}

Case notes

Get list of groups and notes Deprecated

This endpoint is deprecated. Use /case/notes/directories/filter.

Authorizations:
Bearer <bearer>
query Parameters
cid
required
integer

Case ID

Responses

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "",
  • "data": {
    }
}

Fetch a notes group Deprecated

This endpoint is deprecated and not replaced yet.

Authorizations:
Bearer <bearer>
path Parameters
group_id
required
string

ID of the group to return

query Parameters
cid
required
string

ID Of the case

Responses

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "",
  • "data": {
    }
}

Get list of directories and notes

List the directories and notes associated to it.

Authorizations:
Bearer <bearer>
query Parameters
cid
required
integer

Case ID

Responses

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "",
  • "data": [
    ]
}

Add a new notes group Deprecated

This endpoint is deprecated. Use /cases/notes/directories/add.

Authorizations:
Bearer <bearer>
query Parameters
cid
required
string

Case ID

Request Body schema: application/json

If the group title isn't set, a default group name is set by the server.

group_title
string non-empty

Responses

Request samples

Content type
application/json
{
  • "group_title": "Test"
}

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "Notes group added",
  • "data": {
    }
}

Add a new notes directory

Create a new empty directory.

Authorizations:
Bearer <bearer>
query Parameters
cid
required
string

Case ID

Request Body schema: application/json
name
required
string non-empty
parent_id
number

An existing parent directory ID. To add at the root, do not set the field or set it to null.

Responses

Request samples

Content type
application/json
{
  • "name": "Test",
  • "parent_id": null
}

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "Notes group added",
  • "data": {
    }
}

Update a notes group Deprecated

This endpoint is deprecated. Use /case/notes/directories/update/{directory_id}.

Authorizations:
Bearer <bearer>
path Parameters
group_id
required
string

Group ID to update

query Parameters
cid
required
string

case ID

Request Body schema: application/json
group_title
required
string non-empty

Responses

Request samples

Content type
application/json
{
  • "group_title": "Test"
}

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "Updated title of group ID 186",
  • "data": {
    }
}

Update a notes directory Deprecated

Update the parent and name of a notes directory.

Authorizations:
Bearer <bearer>
path Parameters
directory_id
required
integer
query Parameters
cid
required
string

case ID

Request Body schema: application/json
name
required
string non-empty
parent_id
integer

An existing parent directory ID. To add at the root, do not set the field or set it to null.

Responses

Request samples

Content type
application/json
{
  • "name": "Test 1"
}

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "Directory modified",
  • "data": {
    }
}

Delete a group note Deprecated

This endpoint is deprecated. Use the POST /case/notes/directories/delete/{directory_id} equivalent.

Authorizations:
Bearer <bearer>
path Parameters
group_id
required
string
query Parameters
cid
required
integer

ID Of the case

Delete notes group Deprecated

This endpoint is deprecated. Use the POST /case/notes/directories/delete/{directory_id} equivalent.

Authorizations:
Bearer <bearer>
path Parameters
group_id
required
string
query Parameters
cid
required
integer

Case ID

Responses

Response samples

Content type
application/json
{
  • "data": [ ],
  • "message": "Group ID 22 deleted",
  • "status": "success"
}

Delete notes group Deprecated

Delete a directory and its content including the associated subdirectories and notes.

Authorizations:
Bearer <bearer>
path Parameters
directory_id
required
integer
query Parameters
cid
required
integer

Case ID

Responses

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "Directory deleted",
  • "data": [ ]
}

Add a new note

Add a new note to an existing group.

Authorizations:
Bearer <bearer>
query Parameters
cid
required
integer

Case ID

Request Body schema: application/json
note_title
required
string non-empty
note_content
required
string non-empty
directory_id
required
number

Responses

Request samples

Content type
application/json
{
  • "note_title": "Title of the note",
  • "note_content": "Content of the note",
  • "directory_id": 36
}

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "Note added",
  • "data": {
    }
}

Fetch a note

Fetch the content and metadata of a note.

Authorizations:
Bearer <bearer>
path Parameters
note_id
required
integer

ID of the note to fetch

query Parameters
cid
required
integer

Case ID

Responses

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "",
  • "data": {
    }
}

Save a note

Update the content and metadata of a note.

Authorizations:
Bearer <bearer>
path Parameters
note_id
required
integer

ID of the note to save

query Parameters
cid
required
integer

Case ID

Request Body schema: application/json
note_title
required
string
note_content
required
string
custom_attributes
object
parent_id
integer

Responses

Request samples

Content type
application/json
{
  • "note_title": "New title",
  • "note_content": "New content",
  • "custom_attributes": { },
  • "directory_id": 4
}

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "Note ID 16 saved",
  • "data": {
    }
}

Delete a note

Delete a note.

Authorizations:
Bearer <bearer>
path Parameters
note_id
required
string

ID of the note to delete

query Parameters
cid
required
string

Case ID

Responses

Response samples

Content type
{
  • "status": "success",
  • "message": "Note deleted 856",
  • "data": [ ]
}

Delete note Deprecated

This endpoint is deprecated. Use the POST equivalent.

Authorizations:
Bearer <bearer>
path Parameters
note_id
required
string

ID of the note to delete

Responses

Case IOC

Get list of IOCs

Returns a list of IOCs as well as any existing links with other cases.

Authorizations:
Bearer <bearer>
query Parameters
cid
required
integer

Case ID

Responses

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "",
  • "data": {
    }
}

Fetch an ioc

Fetch an IOC

Authorizations:
Bearer <bearer>
path Parameters
ioc_id
required
integer

ID of the IOC to fetch

query Parameters
cid
required
string

Case ID

Responses

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "",
  • "data": {
    }
}

Add a new ioc

Authorizations:
Bearer <bearer>
query Parameters
cid
required
integer

Case ID

Request Body schema: application/json
ioc_type_id
required
integer
ioc_tlp_id
required
integer
ioc_value
required
string non-empty
ioc_description
required
string non-empty
ioc_tags
required
string
custom_attributes
object

Responses

Request samples

Content type
application/json
{
  • "ioc_type_id": 1,
  • "ioc_tlp_id": 2,
  • "ioc_value": "8.8.8.8",
  • "ioc_description": "rewrw",
  • "ioc_tags": "",
  • "custom_attributes": { }
}

Response samples

Content type
application/json
Example
{
  • "status": "success",
  • "message": "IOC added",
  • "data": {
    }
}

Delete an IOC

Delete an IOC from the case. If the IOC is still reference in other cases than it's only unlinked from the current case.

Authorizations:
Bearer <bearer>
path Parameters
ioc_id
required
integer
query Parameters
cid
required
string

Case ID

Responses

Response samples

Content type
application/json
Example
{
  • "status": "success",
  • "message": "IOC 3956 deleted",
  • "data": [ ]
}

Delete an IOC Deprecated

This endpoint is deprecated. Use the POST equivalent.

Authorizations:
Bearer <bearer>
path Parameters
ioc_id
required
integer

Responses

Update an IOC

Authorizations:
Bearer <bearer>
path Parameters
ioc_id
required
integer
query Parameters
cid
required
integer

Case ID

Request Body schema: application/json
ioc_value
string
ioc_tlp_id
integer
ioc_type_id
integer
ioc_description
string
ioc_tags
string
custom_attributes
object

Responses

Request samples

Content type
application/json
{
  • "ioc_type_id": 1,
  • "ioc_tlp_id": 2,
  • "ioc_value": "evil",
  • "ioc_description": "IOC description",
  • "ioc_tags": "tag1,tag2",
  • "custom_attributes": { }
}

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "Updated ioc \"evil\"",
  • "data": {
    }
}

Case timeline

Fetch the timeline Deprecated

The endpoint is deprecated. Use case/timeline/advanced-filter.

Authorizations:
Bearer <bearer>
path Parameters
asset_id
required
integer

Filter by assets

query Parameters
cid
required
integer

Case ID

Responses

Response samples

Content type
application/json
{
  • "data": {
    },
  • "message": "string",
  • "status": "string"
}

Fetch the timeline

Filter the timeline through a query. q should be a valid JSON mapping {field1:[value], field2: [value2]}.
Fields are AND together. The query needs to be URL encoded.

The following fields are available:

  • asset: Asset linked to the event
  • ioc: IOC linked to the event
  • tag: Tag within the event
  • title: Title of the event
  • description: Description of the event
  • raw : Raw event content
  • category: Category of the event
  • source: Source of the event
  • startDate: Start date to filter with
  • endDate: End date to filter with
Authorizations:
Bearer <bearer>
query Parameters
cid
required
integer

Case ID

q
required
string

Query filter

Responses

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "ok",
  • "data": {
    }
}

Fetch the timeline Deprecated

The endpoint is deprecated. Use case/timeline/advanced-filter.

Authorizations:
Bearer <bearer>
query Parameters
cid
required
integer

Case ID

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "message": "",
  • "status": "success"
}

Fetch the timeline

Fetch the state of the timeline.

Authorizations:
Bearer <bearer>
query Parameters
cid
required
string

Case ID

Responses

Response samples

Content type
application/json
{
  • "data": {
    },
  • "message": "",
  • "status": "success"
}

Add a new event

Create a new event in the timeline.

Authorizations:
Bearer <bearer>
query Parameters
cid
required
integer

Case ID

Request Body schema: application/json
event_title
required
string
event_raw
string
event_source
string
event_assets
Array of integers
event_iocs
Array of integers
event_category_id
string
event_in_summary
boolean
event_in_graph
boolean
event_color
string
event_date
required
string
event_sync_iocs_assets
boolean
event_tags
string
event_tz
required
string
event_content
string
custom_attributes
object
parent_event_id
integer

Responses

Request samples

Content type
application/json
{
  • "event_title": "An event",
  • "event_raw": "My event raw data",
  • "event_source": "My source",
  • "event_assets": [
    ],
  • "event_iocs": [
    ],
  • "event_category_id": "5",
  • "event_in_summary": true,
  • "event_in_graph": true,
  • "event_color": "#1572E899",
  • "event_date": "2023-03-08T03:02:00.000",
  • "event_sync_iocs_assets": true,
  • "event_tags": "tag",
  • "event_tz": "+00:00",
  • "event_content": "My description",
  • "parent_event_id": null,
  • "custom_attributes": { }
}

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "Event added",
  • "data": {
    }
}

Fetch an event

Return information of an event of the timeline

Authorizations:
Bearer <bearer>
path Parameters
event_id
required
integer
query Parameters
cid
required
integer

Case ID

Responses

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "",
  • "data": {
    }
}

Update an event

Update an event in the timeline

Authorizations:
Bearer <bearer>
path Parameters
event_id
required
integer
query Parameters
cid
required
integer

Case ID

Request Body schema: application/json
event_title
required
string
event_raw
string
event_source
string
event_assets
Array of integers
event_iocs
Array of integers
event_category_id
integer
event_in_summary
boolean
event_in_graph
boolean
event_color
string
event_date
required
string
event_sync_iocs_assets
boolean
event_tags
string
event_tz
required
string
event_content
string
custom_attributes
object
parent_event_id
string

Responses

Request samples

Content type
application/json
{
  • "event_title": "An event",
  • "event_raw": "My event raw data",
  • "event_source": "Source",
  • "parent_event_id": 122,
  • "event_assets": [
    ],
  • "event_iocs": [
    ],
  • "event_category_id": 5,
  • "event_in_summary": true,
  • "event_in_graph": true,
  • "event_color": "#1572E899",
  • "event_date": "2023-03-08T03:02:00.000",
  • "event_sync_iocs_assets": true,
  • "event_tags": "tag",
  • "event_tz": "+00:00",
  • "event_content": "My description",
  • "custom_attributes": { }
}

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "Event updated",
  • "data": {
    }
}

Delete an event

Delete an event from the timeline. If the event has a child, the child event is not deleted and become a parent itself.

Authorizations:
Bearer <bearer>
path Parameters
event_id
required
integer
query Parameters
cid
string

Case ID

Responses

Response samples

Content type
application/json
{
  • "data": [ ],
  • "message": "Event ID 14984 deleted",
  • "status": "success"
}

Delete an event Deprecated

This endpoint is deprecated. Use the POST equivalent.

Authorizations:
Bearer <bearer>
path Parameters
event_id
required
integer

Responses

Case tasks

Get case tasks

Get a list of all the tasks in the case

Authorizations:
Bearer <bearer>
query Parameters
cid
required
integer

Case ID

Responses

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "",
  • "data": {
    }
}

Get a case task

Fetch a task

Authorizations:
Bearer <bearer>
path Parameters
task_id
required
integer

Task ID to fetch

query Parameters
cid
required
integer

Case ID

Responses

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "",
  • "data": {
    }
}

Delete a case task

Delete a case task.

Authorizations:
Bearer <bearer>
path Parameters
task_id
required
integer

Task ID to delete

query Parameters
cid
required
integer

Case ID

Responses

Response samples

Content type
application/json
{
  • "data": [ ],
  • "message": "Task deleted",
  • "status": "success"
}

Delete a case task Deprecated

This endpoint is deprecated. Use the POST equivalent.

Authorizations:
Bearer <bearer>
path Parameters
task_id
required
integer

Task ID to delete

Responses

Add a case task

Add a new task to the case.

Authorizations:
Bearer <bearer>
query Parameters
cid
required
integer

Case ID

Request Body schema: application/json
task_assignees_id
required
Array of integers
task_description
string
task_status_id
required
integer
task_tags
string
task_title
required
string
custom_attributes
object

Responses

Request samples

Content type
application/json
{
  • "task_assignees_id": [
    ],
  • "task_description": "",
  • "task_status_id": 1,
  • "task_tags": "",
  • "task_title": "dummy title",
  • "custom_attributes": { }
}

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "Task 'dummy title' added",
  • "data": {
    }
}

Update a case task

Update an existing task of the case.

Authorizations:
Bearer <bearer>
path Parameters
task_id
required
integer

ID of the task

query Parameters
cid
required
integer

Case ID

Request Body schema: application/json
task_assignees_id
required
Array of integers
task_status_id
required
integer
task_title
required
string
task_description
string
task_tags
string
custom_attributes
object

Responses

Request samples

Content type
application/json
{
  • "task_assignees_id": [
    ],
  • "task_status_id": 1,
  • "task_title": "New title",
  • "task_description": "new content",
  • "task_tags": "new tags",
  • "custom_attributes": { }
}

Response samples

Content type
application/json
{
  • "data": {
    },
  • "message": "Task 'New title' updated",
  • "status": "success"
}

Case evidences

Get case evidences

Returns a list of all evidences linked to the case.

Authorizations:
Bearer <bearer>
query Parameters
cid
required
integer

case id

Responses

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "",
  • "data": {
    }
}

Add an evidence

Add a new evidence to the case.

Authorizations:
Bearer <bearer>
query Parameters
cid
required
integer

Case ID

Request Body schema: application/json
filename
required
string
file_size
string
file_hash
string
type_id
string
start_date
string
end_date
string
custom_attributes
object
file_description
string

Responses

Request samples

Content type
application/json
{
  • "filename": "dummy file",
  • "file_size": "77108",
  • "file_hash": "88BC9EF6F07F0FAE922AB25EB226906542F8BA0DC1A221F3EA7273CBCB5DB0D4",
  • "type_id": "2",
  • "start_date": "2024-04-13T03:02:00.000",
  • "end_date": "2024-04-04T00:00:00.000",
  • "custom_attributes": { },
  • "file_description": "Dummy description"
}

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "Evidence added",
  • "data": {
    }
}

Get an evidence

Returns an evidence metadata.

Authorizations:
Bearer <bearer>
path Parameters
evidence_id
required
integer

Evidence ID

query Parameters
cid
required
integer

Case ID

Responses

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "",
  • "data": {
    }
}

Delete a case evidence

Remove an evidence from the case.

Authorizations:
Bearer <bearer>
path Parameters
evidence_id
required
integer

Evidence ID

query Parameters
cid
required
integer

Case ID

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "message": "string",
  • "status": "string"
}

Delete an evidence

This endpoint is depreacted. Please use the POST equivalent.

Authorizations:
Bearer <bearer>
path Parameters
evidence_id
required
integer

Evidence ID

Responses

Update an evidence

Update an evidence.

Authorizations:
Bearer <bearer>
path Parameters
evidence_id
required
integer

Evidence ID

query Parameters
cid
required
integer

Case ID

Request Body schema: application/json
filename
required
string
file_size
string
file_hash
string
type_id
string
start_date
string
end_date
string
custom_attributes
object
file_description
string

Responses

Request samples

Content type
application/json
{
  • "filename": "dummy file",
  • "file_size": "77108",
  • "file_hash": "88BC9EF6F07F0FAE922AB25EB226906542F8BA0DC1A221F3EA7273CBCB5DB0D4",
  • "type_id": "2",
  • "start_date": "2024-04-13T03:02:00.000",
  • "end_date": "2024-04-04T00:00:00.000",
  • "custom_attributes": { },
  • "file_description": "Dummy description"
}

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "Evidence string updated",
  • "data": {
    }
}

Alerts

Fetch an alert

Fetch an alert

Authorizations:
Bearer <bearer>
path Parameters
alert_id
required
integer

Alert ID

Responses

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "",
  • "data": {
    }
}

Filter alerts

Filter alerts. This endpoint uses paging. Each response contains a total, last_page, current_page and next_page information to fetch the next results.

Authorizations:
Bearer <bearer>
query Parameters
alert_title
string
alert_description
string
alert_source
string
alert_tags
string

Comma separated list of tags

alert_status_id
integer
alert_severity_id
integer
alert_classification_id
integer
alert_customer_id
integer
alert_start_date
string
alert_end_date
string
alert_assets
string

Comma separated list of assets

alert_iocs
string

Comma separated list of IOCs

alert_ids
string

Comma separated list of IDs

case_id
integer
alert_owner_id
integer
page
integer

Page to fetch

per_page
integer

Number of results per page

sort
string

desc or asc, based on the source alert time

Responses

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "",
  • "data": {
    }
}

Add an alert

Add a new alert.

Authorizations:
Bearer <bearer>
Request Body schema: application/json
alert_title
string
alert_description
string
alert_source
string
alert_source_ref
string
alert_source_link
string
alert_severity_id
integer
alert_status_id
integer
object

Key-value JSON

alert_source_event_time
string
alert_note
string
alert_tags
string
Array of objects
Array of objects
alert_customer_id
integer
alert_classification_id
integer
alert_source_content
object

Free JSON representing the source alert

Responses

Request samples

Content type
application/json
{
  • "alert_title": "Low-reputation arbitrary code executed by signed executable",
  • "alert_description": "This is a test alert, courtesy of MS",
  • "alert_source": "Test Source",
  • "alert_source_ref": "Test-123",
  • "alert_source_link": "https://source_link.com",
  • "alert_source_content": {
    },
  • "alert_severity_id": 4,
  • "alert_status_id": 3,
  • "alert_context": {
    },
  • "alert_source_event_time": "2023-03-26T03:00:30",
  • "alert_note": "A note on",
  • "alert_tags": "defender,anothertag",
  • "alert_iocs": [
    ],
  • "alert_assets": [
    ],
  • "alert_customer_id": 1,
  • "alert_classification_id": 1
}

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "",
  • "data": {
    }
}

Update an alert

Update an existing alert. To update only specific fields one can send only those fields.

Authorizations:
Bearer <bearer>
path Parameters
alert_id
required
integer

Alert ID to update

Request Body schema: application/json
alert_title
string
alert_description
string
alert_source
string
alert_source_ref
string
alert_source_link
string
object
alert_severity_id
integer
alert_status_id
integer
object
alert_source_event_time
string
alert_note
string
alert_tags
string
Array of objects
alert_customer_id
integer
alert_classification_id
integer

Responses

Request samples

Content type
application/json
{
  • "alert_title": "Low-reputation arbitrary code executed by signed executable",
  • "alert_description": "This is a test alert, courtesy of MS",
  • "alert_source": "Test Source",
  • "alert_source_ref": "Test-123",
  • "alert_source_link": "https://source_link.com",
  • "alert_source_content": {
    },
  • "alert_severity_id": 4,
  • "alert_status_id": 3,
  • "alert_context": {
    },
  • "alert_source_event_time": "2023-03-26T03:00:30",
  • "alert_note": "A note on",
  • "alert_tags": "defender,anothertag",
  • "alert_customer_id": 1,
  • "alert_classification_id": 1
}

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "",
  • "data": {
    }
}

Update a batch of alerts

Update a batch of. To update only specific fields one can send only those fields.

Authorizations:
Bearer <bearer>
Request Body schema: application/json
alert_ids
Array of integers
object

Responses

Request samples

Content type
application/json
{
  • "alert_ids": [
    ],
  • "updates": {
    }
}

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "Batch update successful",
  • "data": [ ]
}

Delete an alert

Delete an alert

Authorizations:
Bearer <bearer>
path Parameters
alert_id
required
integer

Alert ID to delete

Responses

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "",
  • "data": {
    }
}

Delete an alert

Delete a batch of alerts

Authorizations:
Bearer <bearer>
Request Body schema: application/json
alert_ids
required
Array of integers

Responses

Request samples

Content type
application/json
{
  • "alert_ids": [
    ]
}

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "",
  • "data": {
    }
}

Escalate an alert

Escalate an alert into a new case.

Authorizations:
Bearer <bearer>
path Parameters
alert_id
required
integer

Alert ID to escalate

Request Body schema: application/json
iocs_import_list
Array of strings

A list of UUID matching the IOCs to import into the case. These UUIDs are provided when getting information on an alert.

assets_import_list
Array of strings

A list of UUID matching the assets to import into the case. These UUIDs are provided when getting information on an alert.

note
string
import_as_event
boolean

If set to True, a new event representing the alert is created in the case.

case_tags
string
case_template_id
string
case_title
string

Responses

Request samples

Content type
application/json
{
  • "iocs_import_list": [
    ],
  • "assets_import_list": [
    ],
  • "note": "Escalation note",
  • "import_as_event": true,
  • "case_tags": "Mobile Device Management (MDM) System",
  • "case_template_id": "1",
  • "case_title": "[ALERT] Command & Control Traffic 15"
}

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "",
  • "data": {
    }
}

Merge an alert

Merge an alert into an existing case.

Authorizations:
Bearer <bearer>
path Parameters
alert_id
required
integer

Alert ID to merge

Request Body schema: application/json
iocs_import_list
Array of strings

A list of UUID matching the IOCs to import into the case. These UUIDs are provided when getting information on an alert.

assets_import_list
Array of strings

A list of UUID matching the assets to import into the case. These UUIDs are provided when getting information on an alert.

note
string
import_as_event
boolean

If set to True, a new event representing the alert is created in the case.

target_case_id
integer

Responses

Request samples

Content type
application/json
{
  • "iocs_import_list": [
    ],
  • "assets_import_list": [
    ],
  • "note": "dsa",
  • "import_as_event": true,
  • "target_case_id": "14"
}

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "",
  • "data": {
    }
}

Unmerge an alert

Unmerge an alert from a case. The alert is unlinked but the data provided by the alert (such as IOCs, assets, etc) remain in the case.

Authorizations:
Bearer <bearer>
path Parameters
alert_id
required
integer

Alert ID to unmerge

Request Body schema: application/json
target_case_id
integer

Responses

Request samples

Content type
application/json
{
  • "iocs_import_list": [
    ],
  • "assets_import_list": [
    ],
  • "note": "dsa",
  • "import_as_event": true,
  • "target_case_id": "14"
}

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "",
  • "data": {
    }
}

Datastore

Get the datastore tree

List datastore folders and files

Authorizations:
Bearer <bearer>
query Parameters
cid
required
integer

Case ID

Responses

Response samples

Content type
application/json
{
  • "data": {
    },
  • "message": "",
  • "status": "success"
}

Add a new file

Add a new file to the datastore. The file password is not encrypted and transmited in view requests.

Authorizations:
Bearer <bearer>
path Parameters
parent_id
required
integer

Parent folder ID

Request Body schema: multipart/form-data
-----------------------------139681927112990666592379500992
Content-Disposition: form-data; name="file_original_name"

the_original_filename
-----------------------------139681927112990666592379500992
Content-Disposition: form-data; name="file_description"

File description
-----------------------------139681927112990666592379500992
Content-Disposition: form-data; name="file_password"

FilePassword
-----------------------------139681927112990666592379500992
Content-Disposition: form-data; name="file_tags"

tag1,tag2
-----------------------------139681927112990666592379500992
Content-Disposition: form-data; name="file_is_evidence"

y
-----------------------------139681927112990666592379500992
Content-Disposition: form-data; name="file_content"; filename="new filename"
Content-Type: text/markdown

File Content

-----------------------------139681927112990666592379500992--
file_original_name
required
string
file_description
required
string
file_password
required
string
file_tags
required
string
file_is_evidence
required
string
file_content
string

Responses

Response samples

Content type
application/json
{
  • "data": {
    },
  • "message": "File saved in datastore and added in evidence",
  • "status": "success"
}

Get datastore file info

Get a datastore file information. To download a file, use the /datastore/file/view endpoint.

Authorizations:
Bearer <bearer>
path Parameters
file_id
required
integer

File ID

Responses

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "",
  • "data": {
    }
}

Update datastore file information

Update a datastore file. The file's content can be replaced. If a password was previously set, it is removed and cannot be re-enabled. The file identifiers stay the same.

Authorizations:
Bearer <bearer>
path Parameters
file_id
required
integer

File ID

Request Body schema: application/json
-----------------------------139681927112990666592379500992
Content-Disposition: form-data; name="file_original_name"

the_original_filename
-----------------------------139681927112990666592379500992
Content-Disposition: form-data; name="file_description"

File description
-----------------------------139681927112990666592379500992
Content-Disposition: form-data; name="file_tags"

tag1,tag2
-----------------------------139681927112990666592379500992
Content-Disposition: form-data; name="file_is_evidence"

y
-----------------------------139681927112990666592379500992
Content-Disposition: form-data; name="file_is_ioc"

y
-----------------------------139681927112990666592379500992
Content-Disposition: form-data; name="file_content"; filename="new filename"
Content-Type: text/markdown

File Content

-----------------------------139681927112990666592379500992--
object

Responses

Request samples

Content type
application/json
{ }

Response samples

Content type
application/json
{
  • "data": {
    },
  • "message": "File saved in datastore and added in evidence",
  • "status": "success"
}

Delete a datastore file

Delete a file from the datastore. Once deleted the file cannot be recovered.

Authorizations:
Bearer <bearer>
path Parameters
file_id
required
integer

File ID

Responses

Response samples

Content type
application/json
{
  • "data": [ ],
  • "message": "File 32 deleted",
  • "status": "success"
}

Download a datastore file

Download the content of a datastore file

Authorizations:
Bearer <bearer>
path Parameters
file_id
required
integer

File ID

Move a datastore file

Move a file to a new folder.

Authorizations:
Bearer <bearer>
path Parameters
file_id
required
string
Request Body schema: application/json
destination-node
integer

Responses

Request samples

Content type
application/json
{
  • "destination-node": 0
}

Response samples

Content type
application/json
{
  • "data": [ ],
  • "message": "File successfully moved to IOCs",
  • "status": "success"
}

Add a datastore folder

Add a new datastore folder.

Authorizations:
Bearer <bearer>
Request Body schema: application/json
folder_name
string
parent_node
integer

Responses

Request samples

Content type
application/json
{
  • "folder_name": "string",
  • "parent_node": 0
}

Response samples

Content type
application/json
{
  • "data": {
    },
  • "message": "Folder added",
  • "status": "success"
}

Delete a datastore folder

Delete a folder. The children are also deleted.

Authorizations:
Bearer <bearer>
path Parameters
folder_id
required
integer

Folder ID

Responses

Response samples

Content type
application/json
{
  • "data": [ ],
  • "message": "Folder and children deleted",
  • "status": "success"
}

Rename a datastore folder

Rename a datastore folder.

Authorizations:
Bearer <bearer>
path Parameters
folder_id
required
string
query Parameters
cid
integer

Case ID

Request Body schema: application/json
parent_node
string
folder_name
string

Responses

Request samples

Content type
application/json
{
  • "parent_node": "53",
  • "folder_name": "New folder name"
}

Response samples

Content type
application/json
{
  • "data": {
    },
  • "message": "Folder renamed",
  • "status": "success"
}

Move a datastore folder

Move a folder to a new folder.

Authorizations:
Bearer <bearer>
path Parameters
folder_id
required
integer

Folder ID

Request Body schema: application/json
destination-node
integer

Responses

Request samples

Content type
application/json
{
  • "destination-node": 49
}

Response samples

Content type
application/json
{
  • "data": {
    },
  • "message": "Folder \"New folder name\" successfully moved to \"Evidences\"",
  • "status": "success"
}

Comments

Add a new comment to a case object

Add a new comment to a case object

Authorizations:
Bearer <bearer>
path Parameters
object_name
required
string
Enum: "notes" "assets" "ioc" "events" "tasks" "evidences"

Name of the case object to comment

object_id
required
integer

ID of the object to comment

Request Body schema: application/json
comment_text
string

Responses

Request samples

Content type
application/json
{
  • "comment_text": "string"
}

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "message": "",
  • "status": "success"
}

List the comments of an object

List the comments a case object

Authorizations:
Bearer <bearer>
path Parameters
object_name
required
string
Enum: "notes" "assets" "ioc" "events" "tasks" "evidences"

Name of the case object to comment

object_id
required
integer

ID of the object to comment

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "message": "",
  • "status": "success"
}

Delete an object

Authorizations:
Bearer <bearer>
path Parameters
object_name
required
string
Enum: "notes" "assets" "ioc" "events" "tasks" "evidences"

Name of the case object to comment

object_id
required
integer

ID of the object to comment

comment_id
required
integer

ID of the comment to update

Responses

Response samples

Content type
application/json
{
  • "data": [ ],
  • "message": "Comment deleted",
  • "status": "success"
}

Edit a comment

Edit a comment

Authorizations:
Bearer <bearer>
path Parameters
object_name
required
string

Name of the case object to comment

object_id
required
integer

ID of the object to comment

comment_id
required
integer

ID of the comment to update

Request Body schema: application/json
comment_text
string

Responses

Request samples

Content type
application/json
{
  • "comment_text": "string"
}

Response samples

Content type
application/json
{
  • "data": {
    },
  • "message": "Comment edited",
  • "status": "success"
}

Iris Modules

Iris module task list

List current and previous tasks run by modules.

Authorizations:
Bearer <bearer>
path Parameters
rows_count
required
integer

Number of rows to return

Responses

Response samples

Content type
application/json
No sample

Iris module task list Deprecated

This endpoint is depreacted. Use /dim/tasks/list/

Authorizations:
Bearer <bearer>

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "message": "string",
  • "status": "string"
}

Iris module task list

List all manual hooks available for a particular case object.
Available objects types are :

  • case
  • ioc
  • asset
  • note
  • event
  • task
  • evidence
  • global_task

The returned information can provided to the /dim/hooks/call endpoint to trigger a hook.

Authorizations:
Bearer <bearer>
path Parameters
object_type
required
string

Object type

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "message": "",
  • "status": "success"
}

Call a module

Executes a manual trigger on a specified hook. This allows to trigger a hook as it would be done on the GUI. This only concerns manual hooks, and each call triggers a specific hook of a specific module, as specified in the request.

To get a list of all available hooks for a case object, use the /dim/hooks/options/<type>/list endpoint.

Authorizations:
Bearer <bearer>
query Parameters
cid
required
integer

Case ID

Request Body schema: application/json
hook_name
required
string non-empty

Internal name of the hook as specified in the hook documentation.

module_name
required
string non-empty

Name of the module to call

hook_ui_name
required
string non-empty

UI name of the hook, either auto generated by IRIS or provided by the module itself.

type
required
string non-empty

Type of data processed by the hook (ioc, asset, etc)

targets
required
Array of objects

List of objects ID of type "type" to process

Responses

Request samples

Content type
application/json
{
  • "hook_name": "on_manual_trigger_ioc",
  • "module_name": "iris_vt_module",
  • "hook_ui_name": "Get VT insight",
  • "type": "ioc",
  • "targets": [
    ]
}

Global tasks

List global tasks

Returns a list of all global tasks

Authorizations:
Bearer <bearer>

Responses

Response samples

Content type
application/json
{
  • "data": {
    },
  • "message": "",
  • "status": "success"
}

Add a global task

Add a global task and assign it to a user.

Authorizations:
Bearer <bearer>
Request Body schema: application/json
task_assignee_id
required
integer

A user ID for whom the task will be assigned

task_status_id
required
integer

The initial status of the task

task_title
required
string >= 2 characters
task_description
required
string
task_tags
required
string

Responses

Request samples

Content type
application/json
{
  • "task_assignee_id": 1,
  • "task_status_id": 14,
  • "task_title": "Task title",
  • "task_description": "My task description",
  • "task_tags": ""
}

Response samples

Content type
application/json
{
  • "data": {
    },
  • "message": "Saved !",
  • "status": "success"
}

Update a global task

Authorizations:
Bearer <bearer>
path Parameters
task_id
required
string

Global task ID to update

Request Body schema: application/json
task_assignee_id
required
integer
task_status_id
required
integer
task_title
required
string non-empty
task_description
required
string non-empty
task_tags
required
string non-empty
cid
integer

Responses

Request samples

Content type
application/json
{
  • "task_assignee_id": 155,
  • "task_status_id": 14,
  • "task_title": "Task title",
  • "task_description": "A super description",
  • "task_tags": "tag1,tag2,tag3",
  • "cid": 1
}

Response samples

Content type
application/json
{
  • "data": {
    },
  • "message": "string",
  • "status": "string"
}

Delete a global task

Authorizations:
Bearer <bearer>
path Parameters
task_id
required
string

Task to delete

Responses

Response samples

Content type
application/json
{
  • "data": [ ],
  • "message": "Task deleted",
  • "status": "success"
}

Manage Cases

Add a new case

Create a new immediate case. If cid is not set, a default case ID 1 is used. This does not change the behavior of the request and is only used for internal tracking.

Authorizations:
Bearer <bearer>
Request Body schema: application/json
case_soc_id
required
string non-empty

A SOC ticket reference

case_customer
required
number

The customer ID linked to the case.

case_name
required
string >= 2 characters

A short name for the case. The case number will be prepend.

case_description
required
string >= 2 characters

A short description of the case. This will be the summary of the case.

custom_attributes
object
case_template_id
integer
classification_id
integer

Responses

Request samples

Content type
application/json
{
  • "case_soc_id": "SOC_154",
  • "case_customer": 1,
  • "case_name": "My Case API",
  • "case_description": "A super nice description"
}

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "Case created",
  • "data": {
    }
}

Get cases list

Returns a list of all the cases, open and closed.

Authorizations:
Bearer <bearer>

Responses

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "",
  • "data": [
    ]
}

Close a case Deprecated

This endpoint is deprecated - use the POST equivalent.

Authorizations:
Bearer <bearer>
path Parameters
case_id
required
integer

Case ID

Responses

Response samples

Content type
application/json
{
  • "data": {
    },
  • "message": "Case closed successfully",
  • "status": "success"
}

Close a case

The case will be listed under closed case. That's the only difference with an open case. It will stay editable and searchable.

Authorizations:
Bearer <bearer>
path Parameters
case_id
required
integer

Case ID

Responses

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "Case closed successfully",
  • "data": {
    }
}

Reopen a case Deprecated

This endpoint is deprecated. Use the POST equivalent.

Authorizations:
Bearer <bearer>
path Parameters
case_id
required
integer

Case ID

Responses

Response samples

Content type
application/json
{
  • "data": {
    },
  • "message": "Case reopened successfully",
  • "status": "success"
}

Reopen a case

Reopen a case previously closed. A case can be reopened even if it is not closed.

Authorizations:
Bearer <bearer>
path Parameters
case_id
required
integer

Case ID

Responses

Response samples

Content type
application/json
{
  • "status": "string",
  • "message": "string",
  • "data": {
    }
}

Delete a case

This implies the deletion of everything linked to the case including summary, assets, notes, timeline, tasks and evidences. The IOCs will only be deleted if they are not referenced in another case.

Authorizations:
Bearer <bearer>
path Parameters
case_id
required
integer

Case ID

Responses

Response samples

Content type
application/json
{
  • "data": [ ],
  • "message": "Case successfully deleted",
  • "status": "success"
}

Delete case Deprecated

This endpoint is deprecated. Use the POST equivalent.

Authorizations:
Bearer <bearer>
path Parameters
case_id
required
integer

Case ID

Responses

Update a case

Update informations of a case.

Authorizations:
Bearer <bearer>
path Parameters
case_id
required
integer

Case ID

Request Body schema: application/json
case_name
string
case_soc_id
string
classification_id
string
owner_id
string
state_id
string
status_id
string
Array of objects
case_tags
string
custom_attributes
object

Responses

Request samples

Content type
application/json
{
  • "case_name": "Dummy ",
  • "case_soc_id": "soc_id_demo",
  • "classification_id": "2",
  • "owner_id": "2",
  • "status_id": "1",
  • "protagonists": [
    ],
  • "case_tags": "tag1,tag2",
  • "custom_attributes": { }
}

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "Case updated",
  • "data": {
    }
}

Filter cases

Authorizations:
Bearer <bearer>
query Parameters
page
integer

Page number

per_page
integer

Number of results per page

case_ids
string

List of cases ID, comma separated

case_customer_id
integer

Customer ID

case_name
string

Name of the case

case_description
string

Description of the case

case_classification_id
integer

Classification of the case

case_owner_id
integer

Owner of the case

case_opening_user_id
integer

User opening the case

case_severity_id
string

Severity ID of the case

case_state_id
integer

State ID of the case

case_soc_id
string

SOC ID

sort
string

asc or desc

start_open_date
string

Case opening date - lower boundary

end_open_date
string

Case opening date - higher boundary

Responses

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": {
    },
  • "data": [ ]
}

Manage customers

List customers

List customers

Authorizations:
Bearer <bearer>
query Parameters
cid
integer

Case ID

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "message": "",
  • "status": "success"
}

List customers

Get a customer

Authorizations:
Bearer <bearer>
path Parameters
customer_id
required
string
query Parameters
cid
integer

Case ID

Responses

Response samples

Content type
application/json
{
  • "data": {
    },
  • "message": "",
  • "status": "success"
}

Add a customer

Add a new customer that will be available at case creation.

Authorizations:
Bearer <bearer>
Request Body schema: application/json
customer_name
required
string
customer_description
required
string
customer_sla
required
string
custom_attributes
required
object

Responses

Request samples

Content type
application/json
{
  • "customer_name": "New customer",
  • "customer_description": "New customer description",
  • "customer_sla": "New customer SLA",
  • "custom_attributes": { }
}

Response samples

Content type
application/json
{
  • "data": {
    },
  • "message": "Added successfully",
  • "status": "success"
}

Update a customer

Update an existing customer. The new customer name should be one which is not already taken.

Authorizations:
Bearer <bearer>
path Parameters
customer_id
required
integer

Customer ID to update

Request Body schema: application/json
customer_name
string
customer_description
string
customer_sla
string
custom_attributes
object

Responses

Request samples

Content type
application/json
{
  • "customer_name": "New customer",
  • "customer_description": "New customer description",
  • "customer_sla": "New customer SLA",
  • "custom_attributes": { }
}

Response samples

Content type
application/json
{
  • "data": {
    },
  • "message": "Customer updated",
  • "status": "success"
}

Delete a customer

A customer can be deleted only if it is not referenced in a case. To delete a referenced, every referencing cases musth be deleted before.

Authorizations:
Bearer <bearer>
path Parameters
customer_id
required
integer

ID of the customer to delete

Responses

Response samples

Content type
application/json
{
  • "data": [ ],
  • "message": "Deleted successfully",
  • "status": "success"
}

Add a customer contact

Add a new customer contact.

Authorizations:
Bearer <bearer>
path Parameters
customer_id
required
integer

ID of the customer

query Parameters
cid
required
integer

Case ID

Request Body schema: application/json
contact_name
string
contact_role
string
contact_email
string
contact_work_phone
string
contact_mobile_phone
string
contact_note
string

Responses

Request samples

Content type
application/json
{
  • "contact_name": "New contact",
  • "contact_role": "Manager",
  • "contact_email": "contact@iris.local",
  • "contact_work_phone": "1111111",
  • "contact_mobile_phone": "2222222",
  • "contact_note": "Notes on the contact"
}

Response samples

Content type
application/json
{
  • "data": [ ],
  • "message": "Deleted successfully",
  • "status": "success"
}

Add a customer contact

Update a customer contact.

Authorizations:
Bearer <bearer>
path Parameters
customer_id
required
integer

ID of the customer

contact_id
required
string

ID of the contact

query Parameters
cid
required
integer

Case ID

Request Body schema: application/json
contact_name
string
contact_role
string
contact_email
string
contact_work_phone
string
contact_mobile_phone
string
contact_note
string

Responses

Request samples

Content type
application/json
{
  • "contact_name": "New contact",
  • "contact_role": "Manager",
  • "contact_email": "contact@iris.local",
  • "contact_work_phone": "1111111",
  • "contact_mobile_phone": "2222222",
  • "contact_note": "Notes on the contact"
}

Response samples

Content type
application/json
{
  • "data": {
    },
  • "message": "Added successfully",
  • "status": "success"
}

Manage users

Delete a user

Only users that never done any activities can be deleted. This is to prevent any internal logic errors and keep tracks of every past activities.

Requires administrator role.

Authorizations:
Bearer <bearer>
path Parameters
user_id
required
integer

User ID

query Parameters
cid
required
integer

Case ID

Responses

Response samples

Content type
application/json
{
  • "data": [ ],
  • "message": "Cannot delete active user",
  • "status": "error"
}

get-manage-users-delete-user_id Deprecated

This endpoint is deprecated. Please use the POST equivalent.

Authorizations:
Bearer <bearer>
path Parameters
user_id
required
integer

User ID

query Parameters
cid
integer

Case ID

Responses

Update a user

Requires administrator role.

Authorizations:
Bearer <bearer>
path Parameters
user_id
required
integer

User ID

query Parameters
cid
required
integer

Case ID

Request Body schema: application/json
user_name
string
user_login
string
user_email
string
user_password
string

Responses

Request samples

Content type
application/json
{
  • "user_name": "string",
  • "user_login": "string",
  • "user_email": "string",
  • "user_password": "string"
}

Response samples

Content type
application/json
{
  • "data": {
    },
  • "message": "string",
  • "status": "string"
}

Add a user

Administrator role required.

Authorizations:
Bearer <bearer>
Request Body schema: application/json
user_name
required
string non-empty
user_login
required
string non-empty

Has to be unique

user_email
required
string non-empty

Has to be unique

user_password
string non-empty

Must satisfy policy of 12chars, 1 uppercase, 1 number

user_is_service_account
boolean

Responses

Request samples

Content type
application/json
{
  • "user_name": "string",
  • "user_login": "string",
  • "user_email": "string",
  • "user_password": "string",
  • "user_is_service_account": true
}

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "user created",
  • "data": {
    }
}

Update user groups

Administrator role required. Update the groups of a user.

Authorizations:
Bearer <bearer>
path Parameters
user_id
required
integer

User ID

query Parameters
cid
required
integer

Case ID

Request Body schema: application/json
groups_membership
required
Array of integers

Responses

Request samples

Content type
application/json
{
  • "groups_membership": [
    ]
}

Response samples

Content type
application/json
{
  • "data": {
    },
  • "message": "string",
  • "status": "string"
}

Update user cases access

Administrator role required. Update the case access of a user.

Authorizations:
Bearer <bearer>
path Parameters
user_id
required
integer

User ID

query Parameters
cid
required
integer

Case ID

Request Body schema: application/json
cases_list
required
Array of integers
access_level
integer

Responses

Request samples

Content type
application/json
{
  • "cases_list": [
    ],
  • "access_level": 2
}

Response samples

Content type
application/json
{
  • "data": {
    },
  • "message": "string",
  • "status": "string"
}

Delete user cases access

Administrator role required. Remove cases access from a user.

Authorizations:
Bearer <bearer>
path Parameters
user_id
required
integer

User ID

query Parameters
cid
required
integer

Case ID

Request Body schema: application/json
cases
required
integer

Responses

Request samples

Content type
application/json
{
  • "cases": [
    ]
}

Response samples

Content type
application/json
{
  • "data": {
    },
  • "message": "User case access updated",
  • "status": "success"
}

Get user list

Return a list of available users.

Authorizations:
Bearer <bearer>
query Parameters
cid
integer

Case ID

Responses

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "",
  • "data": [
    ]
}

Fetch a user

Recompute the effective user access.

Authorizations:
Bearer <bearer>
path Parameters
user_id
required
integer

user ID

query Parameters
cid
required
integer

Case ID

Responses

Response samples

Content type
application/json
{
  • "data": [ ],
  • "message": "Updated",
  • "status": "success"
}

Fetch a user

Returns information of a specific user.

Authorizations:
Bearer <bearer>
path Parameters
user_id
required
integer

user ID

Responses

Response samples

Content type
application/json
{
  • "data": {
    },
  • "message": "",
  • "status": "success"
}

Manage Groups

Add a new group

Requires administrative rights.

Authorizations:
Bearer <bearer>
path Parameters
user_id
required
integer

user ID

query Parameters
cid
required
integer

Case ID

Request Body schema: application/json
group_name
required
string
group_description
required
string
group_permissions
required
integer

Responses

Request samples

Content type
application/json
{
  • "group_name": "New group",
  • "group_description": "New description",
  • "group_permissions": 1
}

Response samples

Content type
application/json
{
  • "data": {
    },
  • "message": "",
  • "status": "success"
}

Update a group

Requires administrative rights.

Authorizations:
Bearer <bearer>
path Parameters
group_id
required
integer

Group ID

query Parameters
cid
required
integer

Case ID

Request Body schema: application/json
group_name
required
string
group_description
required
string
group_permissions
required
integer

Responses

Request samples

Content type
application/json
{
  • "group_name": "New group",
  • "group_description": "New description",
  • "group_permissions": 1
}

Response samples

Content type
application/json
{
  • "data": {
    },
  • "message": "",
  • "status": "success"
}

Update group members

Requires administrative rights. Set the members of a group.

Authorizations:
Bearer <bearer>
path Parameters
group_id
required
integer

Group ID

query Parameters
cid
required
integer

Case ID

Request Body schema: application/json
group_members
Array of integers

Responses

Request samples

Content type
application/json
{
  • "group_members": [
    ]
}

Response samples

Content type
application/json
{
  • "data": [ ],
  • "message": "Group deleted",
  • "status": "success"
}

Delete a Group

Requires administrative rights.

Authorizations:
Bearer <bearer>
path Parameters
group_id
required
integer

Group ID

query Parameters
cid
required
integer

Case ID

Responses

Response samples

Content type
application/json
{
  • "data": [ ],
  • "message": "Group deleted",
  • "status": "success"
}

Delete a member of a group

Requires administrative rights.

Authorizations:
Bearer <bearer>
path Parameters
group_id
required
integer

Group ID

user_id
required
integer

User ID

query Parameters
cid
required
integer

Case ID

Responses

Response samples

Content type
application/json
{
  • "data": [ ],
  • "message": "Group deleted",
  • "status": "success"
}

Set case access of a group

Requires administrative rights.

Authorizations:
Bearer <bearer>
path Parameters
group_id
required
integer

Group ID

query Parameters
cid
required
integer

Case ID

Request Body schema: application/json
access_level
required
integer
cases_list
required
Array of integers
auto_follow_cases
required
boolean

Responses

Request samples

Content type
application/json
{
  • "access_level": 0,
  • "cases_list": [
    ],
  • "auto_follow_cases": false
}

Response samples

Content type
application/json
{
  • "data": {
    },
  • "message": "",
  • "status": "success"
}

Delete cases access of a group

Requires administrative rights.

Authorizations:
Bearer <bearer>
path Parameters
group_id
required
integer

Group ID

query Parameters
cid
required
integer

Case ID

Request Body schema: application/json
cases
Array of integers

Responses

Request samples

Content type
application/json
{
  • "cases": [
    ]
}

Response samples

Content type
application/json
{
  • "data": {
    },
  • "message": "",
  • "status": "success"
}

List the groups

List the groups

Authorizations:
Bearer <bearer>
query Parameters
cid
required
integer

Case ID

Request Body schema: application/json
Array of objects
message
string
status
string

Request samples

Content type
application/json
{
  • "data": [
    ],
  • "message": "",
  • "status": "success"
}

Manage Assets Types

Get assets types

Return a list of available assets types.

Authorizations:
Bearer <bearer>
query Parameters
cid
required
integer

Case ID

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "message": "",
  • "status": "success"
}

Get assets types

Returns information on a specific asset type.

Authorizations:
Bearer <bearer>
path Parameters
asset_type_id
required
integer

Asset Type ID

Responses

Response samples

Content type
application/json
{
  • "data": {
    },
  • "message": "",
  • "status": "success"
}

Get assets types

Delete an asset type. Administrator role required.

Authorizations:
Bearer <bearer>
path Parameters
asset_type_id
required
integer

Asset Type ID

query Parameters
cid
integer

Case ID

Responses

Response samples

Content type
application/json
{
  • "data": [ ],
  • "message": "Deleted asset type ID 16 successfully",
  • "status": "success"
}

Delete Asset Type Deprecated

This endpoint is deprecated. Use the POSt equivalent.

Authorizations:
Bearer <bearer>
path Parameters
asset_type_id
required
integer

Asset Type ID

Responses

Add a new asset type

Administrator role required. See the example for the expected data.

Authorizations:
Bearer <bearer>
Request Body schema: multipart/form-data
-----------------------------145784024822865434322863553415
Content-Disposition: form-data; name="asset_name"

My asset name
-----------------------------145784024822865434322863553415
Content-Disposition: form-data; name="asset_description"

My asset description
-----------------------------145784024822865434322863553415
Content-Disposition: form-data; name="asset_icon_not_compromised"; filename="ex.png"
Content-Type: image/png

‰PNG DATA
-----------------------------145784024822865434322863553415
Content-Disposition: form-data; name="asset_icon_compromised"; filename="ex_1.png"
Content-Type: image/png

‰PNG DATA
-----------------------------145784024822865434322863553415--
asset_name
required
string
asset_description
required
string
asset_icon_not_compromised
required
string
asset_icon_compromised
required
string

Responses

Response samples

Content type
application/json
{
  • "data": {
    },
  • "message": "Asset type updated",
  • "status": "success"
}

Update an asset type

Administrator role required.

Authorizations:
Bearer <bearer>
path Parameters
asset_type_id
required
integer

Asset Type to update

query Parameters
cid
required
integer

Case ID

Request Body schema: multipart/form-data
-----------------------------145784024822865434322863553415
Content-Disposition: form-data; name="asset_name"

My asset name
-----------------------------145784024822865434322863553415
Content-Disposition: form-data; name="asset_description"

My asset description
-----------------------------145784024822865434322863553415
Content-Disposition: form-data; name="asset_icon_not_compromised"; filename="ex.png"
Content-Type: image/png

‰PNG DATA
-----------------------------145784024822865434322863553415
Content-Disposition: form-data; name="asset_icon_compromised"; filename="ex_1.png"
Content-Type: image/png

‰PNG DATA
-----------------------------145784024822865434322863553415--
asset_name
required
string
asset_description
required
string
asset_icon_not_compromised
required
string
asset_icon_compromised
required
string

Responses

Response samples

Content type
application/json
{
  • "data": {
    },
  • "message": "Asset type updated",
  • "status": "success"
}

Manage Task Status

List task status

Return a list of available task status.

Authorizations:
Bearer <bearer>
query Parameters
cid
required
integer

Case ID

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "message": "",
  • "status": "success"
}

Get task status

Return information on a task status.

Authorizations:
Bearer <bearer>
path Parameters
task_status_id
required
integer

Task status to get

query Parameters
cid
required
integer

Case ID

Responses

Response samples

Content type
application/json
{
  • "data": {
    },
  • "message": "",
  • "status": "success"
}

Manage Analysis Status

List analysis status

Return a list of available analysis status.

Authorizations:
Bearer <bearer>
query Parameters
cid
required
integer

Case ID

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "message": "",
  • "status": "success"
}

Get Analysis Status

Return information on an analysis status.

Authorizations:
Bearer <bearer>
path Parameters
analysis_status_id
required
integer

Analysis Status ID

Responses

Response samples

Content type
application/json
{
  • "data": {
    },
  • "message": "",
  • "status": "success"
}

Manage IOC Types

List IOC types

Return a list of available IOC types.

Authorizations:
Bearer <bearer>

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "message": "string",
  • "status": "string"
}

Get IOC type

Return information on an IOC type.

Authorizations:
Bearer <bearer>
path Parameters
ioc_type_id
required
integer

IOC Type ID

query Parameters
cid
required
integer

Case ID

Responses

Response samples

Content type
application/json
{
  • "data": {
    },
  • "message": "",
  • "status": "success"
}

Delete IOC type

Delete an IOC type. Administrator role required.

Authorizations:
Bearer <bearer>
path Parameters
ioc_type_id
required
integer

IOC Type ID

query Parameters
cid
integer

Case ID

Responses

Response samples

Content type
application/json
{
  • "data": [ ],
  • "message": "Deleted ioc type ID 6",
  • "status": "success"
}

Delete IOC type Deprecated

This endpoint is deprecated. Use the POST equivalent.

Authorizations:
Bearer <bearer>
path Parameters
ioc_type_id
required
integer

IOC Type ID

Responses

Add an IOC type

Administrator role required.

Authorizations:
Bearer <bearer>
Request Body schema: application/json
type_name
required
string
type_description
required
string
type_taxonomy
required
string
type_validation_regex
required
string
type_validation_expect
required
string

Responses

Request samples

Content type
application/json
{
  • "type_name": "campaign-id",
  • "type_description": "Associated campaign ID",
  • "type_taxonomy": "dsa",
  • "type_validation_regex": "*.",
  • "type_validation_expect": "Explanation"
}

Response samples

Content type
application/json
{
  • "data": {
    },
  • "message": "Added successfully",
  • "status": "success"
}

Update an IOC type

Administrator role required.

Authorizations:
Bearer <bearer>
path Parameters
ioc_type_id
required
integer

IOC Type ID

Request Body schema: application/json
type_name
string
type_description
string
type_taxonomy
string
type_validation_regex
string
type_validation_expect
string

Responses

Request samples

Content type
application/json
{
  • "type_name": "campaign-id",
  • "type_description": "Associated campaign ID",
  • "type_taxonomy": "dsa",
  • "type_validation_regex": "*.",
  • "type_validation_expect": "Explanation"
}

Response samples

Content type
application/json
{
  • "data": {
    },
  • "message": "IOC type updated",
  • "status": "success"
}

Manage Cases Templates

Add a case template

Add a new case template.

Authorizations:
Bearer <bearer>
Request Body schema: application/json
case_template_json
string

Responses

Request samples

Content type
application/json
{
  • "case_template_json": "{\n \"name\": \"Template name\",\n \"display_name\": \"Template Display Name\",\n \"description\": \"Template description\",\n \"author\": \"YOUR NAME\",\n \"classification\": \"known-template-classification\",\n \"title_prefix\": \"[PREFIX]\",\n \"summary\": \"Summary to be set\",\n \"tags\": [\n \"ransomware\",\n \"malware\"\n ],\n \"tasks\": [\n {\n \"title\": \"Task 1\",\n \"description\": \"Task 1 description\",\n \"tags\": [\n \"tag1\",\n \"tag2\"\n ]\n }\n ],\n \"note_groups\": [\n {\n \"title\": \"Note group 1\",\n \"notes\": [\n {\n \"title\": \"Note 1\",\n \"content\": \"Note 1 content\"\n }\n ]\n }\n ]\n}"
}

Response samples

Content type
application/json
{
  • "data": {
    },
  • "message": "IOC type updated",
  • "status": "success"
}

Update a case template

Update a case template.

Authorizations:
Bearer <bearer>
path Parameters
template_id
required
integer

Case Template ID

Request Body schema: application/json
case_template_json
string

Responses

Request samples

Content type
application/json
{
  • "case_template_json": "{\n \"name\": \"Template name\",\n \"display_name\": \"Template Display Name\",\n \"description\": \"Template description\",\n \"author\": \"YOUR NAME\",\n \"classification\": \"known-template-classification\",\n \"title_prefix\": \"[PREFIX]\",\n \"summary\": \"Summary to be set\",\n \"tags\": [\n \"ransomware\",\n \"malware\"\n ],\n \"tasks\": [\n {\n \"title\": \"Task 1\",\n \"description\": \"Task 1 description\",\n \"tags\": [\n \"tag1\",\n \"tag2\"\n ]\n }\n ],\n \"note_groups\": [\n {\n \"title\": \"Note group 1\",\n \"notes\": [\n {\n \"title\": \"Note 1\",\n \"content\": \"Note 1 content\"\n }\n ]\n }\n ]\n}"
}

Response samples

Content type
application/json
{
  • "data": {
    },
  • "message": "IOC type updated",
  • "status": "success"
}

Delete a case template

Delete a case template.

Authorizations:
Bearer <bearer>
path Parameters
template_id
required
integer

Case Template ID

Responses

Response samples

Content type
application/json
{
  • "data": {
    },
  • "message": "IOC type updated",
  • "status": "success"
}

Manage Cases Classifications

List case classifications

List the case classifications.

Authorizations:
Bearer <bearer>

Responses

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "",
  • "data": [
    ]
}

Get case classification

Get a case classification from an ID.

Authorizations:
Bearer <bearer>
path Parameters
classification_id
required
integer

Classification ID to fetch

Responses

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "",
  • "data": {
    }
}

Add a case classification

Authorizations:
Bearer <bearer>
Request Body schema: application/json
name
string
name_expanded
string
description
string

Responses

Request samples

Content type
application/json
{
  • "name": "NewClassification",
  • "name_expanded": "New Classification",
  • "description": "Superbe new classification"
}

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "Case classification added",
  • "data": {
    }
}

Update a case classification

Authorizations:
Bearer <bearer>
path Parameters
classification_id
required
string

Classification ID

Request Body schema: application/json
name
string
name_expanded
string
description
string

Responses

Request samples

Content type
application/json
{
  • "name": "NewClassification",
  • "name_expanded": "New Classification",
  • "description": "Superbe new classification"
}

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "Case classification updated",
  • "data": {
    }
}

Delete a case classification

Authorizations:
Bearer <bearer>
path Parameters
classification_id
required
string

Classification ID

Responses

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "Case classification deleted",
  • "data": [ ]
}

Delete a case classification

Authorizations:
Bearer <bearer>
path Parameters
state_id
required
integer

State ID

Responses

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "Case state deleted",
  • "data": [ ]
}

Delete an evidence type

Authorizations:
Bearer <bearer>
path Parameters
state_id
required
integer

State ID

Responses

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "Evidence type deleted",
  • "data": [ ]
}

Manage Cases states

List case states

List the case states.

Authorizations:
Bearer <bearer>

Responses

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "",
  • "data": [
    ]
}

Get case state

Get a case state from an ID.

Authorizations:
Bearer <bearer>
path Parameters
state_id
required
integer

state ID to fetch

Responses

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "",
  • "data": {
    }
}

Add a case state

Authorizations:
Bearer <bearer>
Request Body schema: application/json
state_name
required
string
state_description
required
string

Responses

Request samples

Content type
application/json
{
  • "state_name": "New state",
  • "state_description": "Superbe new state"
}

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "Case state added",
  • "data": {
    }
}

Update a case state

Authorizations:
Bearer <bearer>
path Parameters
state_id
required
string

state ID

Request Body schema: application/json
state_name
string
state_description
string

Responses

Request samples

Content type
application/json
{
  • "state_name": "New state",
  • "state_description": "Superbe new state"
}

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "Case state updated",
  • "data": {
    }
}

Manage evidence types

List evidence types

List the evidence types.

Authorizations:
Bearer <bearer>

Responses

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "",
  • "data": [
    ]
}

Get an evidence type

Get a evidence type from an ID.

Authorizations:
Bearer <bearer>
path Parameters
type_id
required
integer

state ID to fetch

Responses

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "",
  • "data": {
    }
}

Add an evidence type

Authorizations:
Bearer <bearer>
Request Body schema: application/json
name
required
string
description
required
string

Responses

Request samples

Content type
application/json
{
  • "name": "Evidence Type",
  • "description": "Superbe Evidence Type"
}

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "Evidence type added",
  • "data": {
    }
}

Update an evidence type

Authorizations:
Bearer <bearer>
path Parameters
type_id
required
string

Type ID

Request Body schema: application/json
name
string
description
string

Responses

Request samples

Content type
application/json
{
  • "name": "Evidence Type",
  • "description": "Superbe Evidence Type"
}

Response samples

Content type
application/json
{
  • "status": "success",
  • "message": "Evidence type updated",
  • "data": {
    }
}

API

Get API versions

Returns information on API versions supported by the server.

Authorizations:
Bearer <bearer>

Responses

Response samples

Content type
application/json
{
  • "data": {
    },
  • "message": "",
  • "status": "success"
}

Ping server

Used to test authentication. Respond "pong" if authentication is successfull.

Authorizations:
Bearer <bearer>

Responses

Response samples

Content type
application/json
{
  • "data": [ ],
  • "message": "pong",
  • "status": "success"
}