To use these API endpoint, an API key is needed and can be found in every user profile under My settings
> API Key
.
This specification applies to Iris >= v2.4.0. The supported API version can be checked in Advanced
> Server settings
> Server versions
on IRIS.
The API port is the same as the one used for the web interface, so 443
by default.
This version introduces access control. Every request now needs to have the cid=x
parameter in the URI.
Deletion endpoints have been migrated from GET
to POST
. Deletion GET endpoints have been marqued as deprecated
and are not available anymore.
v1.4.5 introduced the concept of custom attributes. These JSON objects that are stored into almost all case objects such as Assets, IOCs, etc. They are defined by administrators or modules and can vary from one objet to another despite being of the same type. Because of this, no definitive structure can be expected from these fields. They are all named custom_attributes
.
Update the summary of a case. Carefull: this will trigger an overwrite of the summary. Summaries are shared interactively between users. If an update summary is issued, every user will receive the change and their locale changes will be lost.
The summary is a markdown-compatible text.
cid required | string Case ID |
case_description required | string The updated summary |
{- "case_description": "Dummy description",
- "cid": 1
}
{- "data": 3837413706,
- "message": "Summary updated",
- "status": "success"
}
Add a task log to the case. The task log is registered under Activities and is be availble in reports templating. If CID is omitted, the default case of the calling user is used.
cid | string Case ID |
log_content required | string |
{- "log_content": "A test"
}
{- "data": {
- "activity_date": "Fri, 21 Jan 2022 17:33:48 GMT",
- "activity_desc": "A test",
- "case": null,
- "case_id": 1,
- "id": 21632,
- "user": null,
- "user_id": 1,
- "user_input": true
}, - "message": "Log saved",
- "status": "success"
}
Export a case in JSON format including all the information such as assets, iocs, etc. This request can take a very long time depending on the size of the case and is DB intensive.
The datastore is not part of the response and needs to be requested manually.
cid required | string ID Of the case to export |
{- "status": "success",
- "message": "",
- "data": {
- "case": {
- "name": "#1 - Initial Demo",
- "open_date": "2023-11-29",
- "description": "Dummy description",
- "soc_id": "soc_id_demo",
- "opened_by": "administrator",
- "for_customer": "IrisInitialClient",
- "close_date": null,
- "custom_attributes": null,
- "case_id": 1,
- "case_uuid": "da80a133-d3c2-40bd-a0ba-8966ef7679a3",
- "status_id": 0,
- "status_name": "unknown"
}, - "evidences": [
- {
- "filename": "A super evidence",
- "date_added": "2023-11-29T15:52:11.216704",
- "file_hash": "dhjajhdkadqw",
- "added_by": "administrator",
- "custom_attributes": { },
- "file_uuid": "6287ebbc-4332-4f37-b8d8-c9e70e238c08",
- "id": 1,
- "file_size": 0
}
], - "timeline": [
- {
- "event_id": 2,
- "event_title": "A second event",
- "event_in_summary": true,
- "event_date": "2023-11-03T23:03:00.003000",
- "event_tz": "+01:00",
- "event_date_wtz": "2023-11-04T00:03:00.003000",
- "event_content": "Super event",
- "event_tags": "logs",
- "event_source": "MySource",
- "event_raw": "Raw event log",
- "custom_attributes": { },
- "category": "Command and Control",
- "last_edited_by": "administrator",
- "event_uuid": "7c8a624f-6017-4ccd-a93f-7ef702cc24dd",
- "event_in_graph": true,
- "event_color": "#F2596199",
- "event_is_flagged": false,
- "assets": [
- "LinuxServer (Linux - Server)",
- "main_router (Router)"
], - "iocs": [
- {
- "ioc_id": 1,
- "ioc_value": "root",
- "ioc_description": "",
- "tlp_name": "amber",
- "type": "account"
}
]
}, - {
- "event_id": 3,
- "event_title": "A third event ",
- "event_in_summary": true,
- "event_date": "2023-11-03T23:03:00.003000",
- "event_tz": "+01:00",
- "event_date_wtz": "2023-11-04T00:03:00.003000",
- "event_content": "Super event",
- "event_tags": "logs",
- "event_source": "MySource",
- "event_raw": "Raw event log",
- "custom_attributes": { },
- "category": "Command and Control",
- "last_edited_by": "administrator",
- "event_uuid": "7c8a624f-6017-4ccd-a93f-7ef702cc24dd",
- "event_in_graph": true,
- "event_color": "#F2596199",
- "event_is_flagged": false,
- "assets": [
- "LinuxServer (Linux - Server)",
- "main_router (Router)"
], - "iocs": [
- {
- "ioc_id": 1,
- "ioc_value": "root",
- "ioc_description": "",
- "tlp_name": "amber",
- "type": "account"
}
]
}, - {
- "event_id": 1,
- "event_title": "An event ",
- "event_in_summary": true,
- "event_date": "2023-11-09T23:03:00.003000",
- "event_tz": "+01:00",
- "event_date_wtz": "2023-11-10T00:03:00.003000",
- "event_content": "Super event",
- "event_tags": "logs",
- "event_source": "MySource",
- "event_raw": "Raw event log",
- "custom_attributes": { },
- "category": "Command and Control",
- "last_edited_by": "administrator",
- "event_uuid": "7c8a624f-6017-4ccd-a93f-7ef702cc24dd",
- "event_in_graph": true,
- "event_color": "#48ABF799",
- "event_is_flagged": false,
- "assets": [
- "LinuxServer (Linux - Server)",
- "main_router (Router)"
], - "iocs": [
- {
- "ioc_id": 1,
- "ioc_value": "root",
- "ioc_description": "",
- "tlp_name": "amber",
- "type": "account"
}
]
}
], - "iocs": [
- {
- "ioc_value": "root",
- "type_name": "account",
- "ioc_tags": "router",
- "ioc_description": "",
- "custom_attributes": { },
- "ioc_id": 1,
- "ioc_uuid": "94188da2-ca10-4299-ad73-0689719a61c3",
- "tlp_name": "amber",
- "added_by": "administrator"
}
], - "assets": [
- {
- "asset_id": 1,
- "asset_uuid": "4c8211fb-676e-4d84-9164-2c62d2c82558",
- "asset_name": "LinuxServer",
- "asset_description": "The super service ",
- "asset_compromise_status_id": 2,
- "type": "Linux - Server",
- "analysis_status": "Canceled",
- "date_added": "2023-11-29T15:40:13.759084",
- "asset_domain": "local.local",
- "asset_ip": "127.0.0.1",
- "asset_info": "",
- "asset_tags": "test",
- "custom_attributes": { },
- "light_asset_description": "The super service ",
- "asset_ioc": [
- {
- "ioc_value": "root",
- "type_name": "account",
- "ioc_description": ""
}
], - "asset_compromise_status": "Not Compromised"
}, - {
- "asset_id": 2,
- "asset_uuid": "7371f6fd-17dc-42d7-b21b-43824b71abb3",
- "asset_name": "main_router",
- "asset_description": "",
- "asset_compromise_status_id": 1,
- "type": "Router",
- "analysis_status": "To be done",
- "date_added": "2023-11-29T15:40:41.128370",
- "asset_domain": "local.local",
- "asset_ip": "192.168.1.3",
- "asset_info": "",
- "asset_tags": "router",
- "custom_attributes": { },
- "light_asset_description": "",
- "asset_ioc": [
- {
- "ioc_value": "root",
- "type_name": "account",
- "ioc_description": ""
}
], - "asset_compromise_status": "Compromised"
}
], - "tasks": [
- {
- "task_title": "A task",
- "task_status": "In progress",
- "task_tags": "task1",
- "task_open_date": "2023-11-29T15:48:49.811798",
- "task_close_date": null,
- "task_last_update": "2023-11-29T15:48:49.811798",
- "task_description": "Task description ",
- "custom_attributes": { },
- "task_uuid": "0693c71b-b4f7-41cd-a12a-0dcd24519e7f",
- "id": 1,
- "task_assignees": [
- {
- "user": "administrator",
- "name": "administrator",
- "id": 1
}
]
}, - {
- "task_title": "Another task",
- "task_status": "To do",
- "task_tags": "tas",
- "task_open_date": "2023-11-29T15:49:09.053863",
- "task_close_date": null,
- "task_last_update": "2023-11-29T15:49:09.053863",
- "task_description": "Another task description",
- "custom_attributes": { },
- "task_uuid": "6d27e7f2-3310-454e-aebf-00432ebbfb2d",
- "id": 2,
- "task_assignees": [
- {
- "user": "administrator",
- "name": "administrator",
- "id": 1
}
]
}
], - "comments": [ ],
- "notes": [
- {
- "note_title": "Something else",
- "note_content": "A nother note content",
- "note_creationdate": "2023-11-29T15:39:02.056124",
- "note_lastupdate": "2023-11-29T15:39:30.039339",
- "custom_attributes": { },
- "note_id": 1,
- "note_uuid": "71a50086-2b11-4d80-8916-e94bd93ad28b",
- "group_title": "A note group A",
- "group_id": 1,
- "group_user": 1
}, - {
- "note_title": "And another thing",
- "note_content": "A note content",
- "note_creationdate": "2023-11-29T15:39:11.127181",
- "note_lastupdate": "2023-11-29T15:39:23.065014",
- "custom_attributes": { },
- "note_id": 2,
- "note_uuid": "641943a8-767a-4789-a02c-1475243cbb37",
- "group_title": "A note group B",
- "group_id": 2,
- "group_user": 1
}
], - "export_date": "2023-11-29T15:52:18.839881"
}
}
Get a list of the assets linked to the case.
cid required | integer Case ID |
{- "status": "success",
- "message": "",
- "data": {
- "assets": [
- {
- "asset_id": 57,
- "asset_uuid": "c6598fd0-836a-4fc4-87c1-6f03348eadeb",
- "asset_name": "FILESERVER1231",
- "asset_type": "Windows - Server",
- "asset_icon_compromised": "ioc_windows_server.png",
- "asset_icon_not_compromised": "windows_server.png",
- "asset_description": "",
- "asset_domain": "",
- "asset_compromise_status_id": 0,
- "asset_ip": "",
- "asset_type_id": 10,
- "analysis_status": "Unspecified",
- "analysis_status_id": 1,
- "asset_tags": "",
- "link": [ ],
- "ioc_links": null
}, - {
- "asset_id": 79,
- "asset_uuid": "0955016b-c1aa-44e1-a5c6-0b538eac7d9f",
- "asset_name": "Test_DFIR",
- "asset_type": "Account",
- "asset_icon_compromised": "ioc_user.png",
- "asset_icon_not_compromised": "user.png",
- "asset_description": "",
- "asset_domain": "example.com",
- "asset_compromise_status_id": 1,
- "asset_ip": "1.1.1.1",
- "asset_type_id": 1,
- "analysis_status": "Started",
- "analysis_status_id": 3,
- "asset_tags": "",
- "link": [ ],
- "ioc_links": null
}, - {
- "asset_id": 82,
- "asset_uuid": "305c5569-b818-4518-b7cd-cfd07a1033ca",
- "asset_name": "DC01",
- "asset_type": "Windows - DC",
- "asset_icon_compromised": "ioc_windows_server.png",
- "asset_icon_not_compromised": "windows_server.png",
- "asset_description": "",
- "asset_domain": "domain.local",
- "asset_compromise_status_id": 0,
- "asset_ip": "10.0.0.8",
- "asset_type_id": 11,
- "analysis_status": "Unspecified",
- "analysis_status_id": 1,
- "asset_tags": "",
- "link": [
- {
- "case_name": "#583 - [ALERT] VPN Exploit 1208",
- "case_open_date": "2023-08-28",
- "asset_description": "",
- "asset_compromise_status_id": 2,
- "asset_id": 3822,
- "case_id": 583
}
], - "ioc_links": null
}, - {
- "asset_id": 36,
- "asset_uuid": "3b16900a-72a2-46f2-a4e9-880de044c2ad",
- "asset_name": "User1_FRZ",
- "asset_type": "Firewall",
- "asset_icon_compromised": "ioc_firewall.png",
- "asset_icon_not_compromised": "firewall.png",
- "asset_description": "",
- "asset_domain": "",
- "asset_compromise_status_id": 1,
- "asset_ip": "",
- "asset_type_id": 2,
- "analysis_status": "Pending",
- "analysis_status_id": 4,
- "asset_tags": "",
- "link": [ ],
- "ioc_links": null
}, - {
- "asset_id": 3723,
- "asset_uuid": "82c5f2a8-a050-4c23-9616-f5d6713bcf1e",
- "asset_name": "DE100",
- "asset_type": "Router",
- "asset_icon_compromised": "ioc_router.png",
- "asset_icon_not_compromised": "router.png",
- "asset_description": "Deutsh router",
- "asset_domain": "",
- "asset_compromise_status_id": 1,
- "asset_ip": "1.1.1.1",
- "asset_type_id": 12,
- "analysis_status": "Pending",
- "analysis_status_id": 4,
- "asset_tags": "",
- "link": [ ],
- "ioc_links": null
}, - {
- "asset_id": 3777,
- "asset_uuid": "e43b9a3d-37d6-4034-a5ff-2c5252ca9e33",
- "asset_name": "user1",
- "asset_type": "Account",
- "asset_icon_compromised": "ioc_user.png",
- "asset_icon_not_compromised": "user.png",
- "asset_description": "user account ",
- "asset_domain": "",
- "asset_compromise_status_id": 0,
- "asset_ip": "",
- "asset_type_id": 1,
- "analysis_status": "Unspecified",
- "analysis_status_id": 1,
- "asset_tags": "",
- "link": [ ],
- "ioc_links": null
}, - {
- "asset_id": 3706,
- "asset_uuid": "8d04103e-dcfc-40c6-b9d9-f84a77dd823c",
- "asset_name": "ad v mojej domene",
- "asset_type": "Windows Account - AD",
- "asset_icon_compromised": "ioc_user.png",
- "asset_icon_not_compromised": "user.png",
- "asset_description": "domenovy dacid c 1",
- "asset_domain": "pravda.sk",
- "asset_compromise_status_id": 3,
- "asset_ip": "195.28.85.54",
- "asset_type_id": 18,
- "analysis_status": "Started",
- "analysis_status_id": 3,
- "asset_tags": "pravda.sk",
- "link": [ ],
- "ioc_links": null
}, - {
- "asset_id": 38,
- "asset_uuid": "97eaf383-50d6-4f6f-9649-51dc8560fd41",
- "asset_name": "EndpointDevice1",
- "asset_type": "Windows - Computer",
- "asset_icon_compromised": "ioc_windows_desktop.png",
- "asset_icon_not_compromised": "windows_desktop.png",
- "asset_description": "",
- "asset_domain": "",
- "asset_compromise_status_id": 0,
- "asset_ip": "",
- "asset_type_id": 9,
- "analysis_status": "Unspecified",
- "analysis_status_id": 1,
- "asset_tags": "",
- "link": [ ],
- "ioc_links": null
}, - {
- "asset_id": 47,
- "asset_uuid": "ba08841b-80c2-4b55-b296-77f27630d55c",
- "asset_name": "DC01",
- "asset_type": "Windows - DC",
- "asset_icon_compromised": "ioc_windows_server.png",
- "asset_icon_not_compromised": "windows_server.png",
- "asset_description": "![saml.png](/datastore/file/view/3?cid=1 =40%x40%) \n\n<test><script>\n# Test \nDescription and analysis of the machine \nSome other things to do\n\n\n## Another test \nAnd again another testing \n\n### And yet again another test\nOr something else you wanna do ",
- "asset_domain": "acme.local",
- "asset_compromise_status_id": 1,
- "asset_ip": "192.168.0.1",
- "asset_type_id": 11,
- "analysis_status": "To be done",
- "analysis_status_id": 2,
- "asset_tags": "1.3.4.2",
- "link": [
- {
- "case_name": "#583 - [ALERT] VPN Exploit 1208",
- "case_open_date": "2023-08-28",
- "asset_description": "",
- "asset_compromise_status_id": 2,
- "asset_id": 3822,
- "case_id": 583
}
], - "ioc_links": null
}, - {
- "asset_id": 37,
- "asset_uuid": "7a0278a2-618d-461e-921e-7cbc0bad3004",
- "asset_name": "User2",
- "asset_type": "Account",
- "asset_icon_compromised": "ioc_user.png",
- "asset_icon_not_compromised": "user.png",
- "asset_description": "",
- "asset_domain": "",
- "asset_compromise_status_id": 0,
- "asset_ip": "",
- "asset_type_id": 1,
- "analysis_status": "Unspecified",
- "analysis_status_id": 1,
- "asset_tags": "",
- "link": [ ],
- "ioc_links": null
}, - {
- "asset_id": 3749,
- "asset_uuid": "e4ca3e33-28f0-43f4-8c68-a79949a9fbb0",
- "asset_name": "DC03",
- "asset_type": "Windows - DC",
- "asset_icon_compromised": "ioc_windows_server.png",
- "asset_icon_not_compromised": "windows_server.png",
- "asset_description": "Das sind DC",
- "asset_domain": "NORTH",
- "asset_compromise_status_id": 0,
- "asset_ip": "",
- "asset_type_id": 11,
- "analysis_status": "To be done",
- "analysis_status_id": 2,
- "asset_tags": "",
- "link": [ ],
- "ioc_links": null
}, - {
- "asset_id": 3750,
- "asset_uuid": "34dba357-7983-4eec-8627-30a5f2b48cc4",
- "asset_name": "DC01",
- "asset_type": "Windows - DC",
- "asset_icon_compromised": "ioc_windows_server.png",
- "asset_icon_not_compromised": "windows_server.png",
- "asset_description": "Das sind DC",
- "asset_domain": "NORTH",
- "asset_compromise_status_id": 0,
- "asset_ip": "",
- "asset_type_id": 11,
- "analysis_status": "To be done",
- "analysis_status_id": 2,
- "asset_tags": "",
- "link": [
- {
- "case_name": "#583 - [ALERT] VPN Exploit 1208",
- "case_open_date": "2023-08-28",
- "asset_description": "",
- "asset_compromise_status_id": 2,
- "asset_id": 3822,
- "case_id": 583
}
], - "ioc_links": null
}, - {
- "asset_id": 2429,
- "asset_uuid": "1a9201a9-8d03-44b3-a47a-16c9a780849e",
- "asset_name": "Phone - IOS-4869",
- "asset_type": "Phone - IOS",
- "asset_icon_compromised": "ioc_phone.png",
- "asset_icon_not_compromised": "phone.png",
- "asset_description": "Asset description",
- "asset_domain": "",
- "asset_compromise_status_id": null,
- "asset_ip": "1.1.1.1",
- "asset_type_id": 8,
- "analysis_status": "Unspecified",
- "analysis_status_id": 1,
- "asset_tags": "tag1,tag2",
- "link": [ ],
- "ioc_links": [
- {
- "ioc_id": 407,
- "ioc_value": "ec3e51e46aae",
- "asset_id": 2429
}, - {
- "ioc_id": 788,
- "ioc_value": "bsaoln.gov",
- "asset_id": 2429
}
]
}, - {
- "asset_id": 3872,
- "asset_uuid": "11925eb0-b205-419f-81cf-fe550a6a6986",
- "asset_name": "trreeree",
- "asset_type": "Windows - Computer",
- "asset_icon_compromised": "ioc_windows_desktop.png",
- "asset_icon_not_compromised": "windows_desktop.png",
- "asset_description": "",
- "asset_domain": "",
- "asset_compromise_status_id": 0,
- "asset_ip": "",
- "asset_type_id": 9,
- "analysis_status": "Unspecified",
- "analysis_status_id": 1,
- "asset_tags": "",
- "link": [ ],
- "ioc_links": null
}, - {
- "asset_id": 3881,
- "asset_uuid": "9a911ef8-3f40-4aaa-a6e0-4ea880bf8d49",
- "asset_name": "DCSERER.com",
- "asset_type": "Windows - DC",
- "asset_icon_compromised": "ioc_windows_server.png",
- "asset_icon_not_compromised": "windows_server.png",
- "asset_description": "thsis is DC serer",
- "asset_domain": "myDC.com",
- "asset_compromise_status_id": 1,
- "asset_ip": "10.10.10.1",
- "asset_type_id": 11,
- "analysis_status": "Started",
- "analysis_status_id": 3,
- "asset_tags": "",
- "link": [ ],
- "ioc_links": null
}, - {
- "asset_id": 83,
- "asset_uuid": "7fb6eec5-ebef-4abd-ab31-4b31b96266f5",
- "asset_name": "MV-422",
- "asset_type": "Windows - Server",
- "asset_icon_compromised": "ioc_windows_server.png",
- "asset_icon_not_compromised": "windows_server.png",
- "asset_description": "Maquina de pruebas",
- "asset_domain": "",
- "asset_compromise_status_id": 0,
- "asset_ip": "",
- "asset_type_id": 10,
- "analysis_status": "To be done",
- "analysis_status_id": 2,
- "asset_tags": "",
- "link": [ ],
- "ioc_links": null
}, - {
- "asset_id": 3857,
- "asset_uuid": "763d9ac5-b858-40b6-b6eb-5b905402d0c3",
- "asset_name": "Super Dadmin",
- "asset_type": "Account",
- "asset_icon_compromised": "ioc_user.png",
- "asset_icon_not_compromised": "user.png",
- "asset_description": "",
- "asset_domain": "",
- "asset_compromise_status_id": 1,
- "asset_ip": "",
- "asset_type_id": 1,
- "analysis_status": "Done",
- "analysis_status_id": 6,
- "asset_tags": "",
- "link": [ ],
- "ioc_links": null
}, - {
- "asset_id": 75,
- "asset_uuid": "50899fe4-5ef6-420d-aef6-55fe6febf6f5",
- "asset_name": "aaa",
- "asset_type": "Switch",
- "asset_icon_compromised": "ioc_switch.png",
- "asset_icon_not_compromised": "switch.png",
- "asset_description": "asdfdfgsdfg",
- "asset_domain": "sdfgh",
- "asset_compromise_status_id": 0,
- "asset_ip": "435445",
- "asset_type_id": 13,
- "analysis_status": "Started",
- "analysis_status_id": 3,
- "asset_tags": "455,type",
- "link": [ ],
- "ioc_links": null
}, - {
- "asset_id": 2548,
- "asset_uuid": "9d188714-5251-41f3-817b-3b1c8515de06",
- "asset_name": "WAF-301",
- "asset_type": "WAF",
- "asset_icon_compromised": "ioc_firewall.png",
- "asset_icon_not_compromised": "firewall.png",
- "asset_description": "Asset description",
- "asset_domain": "",
- "asset_compromise_status_id": 2,
- "asset_ip": "1.1.1.1",
- "asset_type_id": 15,
- "analysis_status": "Unspecified",
- "analysis_status_id": 1,
- "asset_tags": "tag1,tag2",
- "link": [ ],
- "ioc_links": [
- {
- "ioc_id": 1135,
- "ioc_value": "aunnrzg.co.uk",
- "asset_id": 2548
}, - {
- "ioc_id": 349,
- "ioc_value": "ufrsmrdxlqq.org",
- "asset_id": 2548
}
]
}, - {
- "asset_id": 2547,
- "asset_uuid": "e72f8566-3437-4693-b5e7-e41122c93a4e",
- "asset_name": "Account-244",
- "asset_type": "Account",
- "asset_icon_compromised": "ioc_user.png",
- "asset_icon_not_compromised": "user.png",
- "asset_description": "Asset description",
- "asset_domain": "",
- "asset_compromise_status_id": null,
- "asset_ip": "1.1.1.1",
- "asset_type_id": 1,
- "analysis_status": "Unspecified",
- "analysis_status_id": 1,
- "asset_tags": "tag1,tag2",
- "link": [ ],
- "ioc_links": [
- {
- "ioc_id": 1135,
- "ioc_value": "aunnrzg.co.uk",
- "asset_id": 2547
}, - {
- "ioc_id": 349,
- "ioc_value": "ufrsmrdxlqq.org",
- "asset_id": 2547
}
]
}, - {
- "asset_id": 3906,
- "asset_uuid": "6a6cb41a-024f-4af6-a8b8-d75ef2c97728",
- "asset_name": "waf protecting middle earth from nasty goblins",
- "asset_type": "WAF",
- "asset_icon_compromised": "ioc_firewall.png",
- "asset_icon_not_compromised": "firewall.png",
- "asset_description": "",
- "asset_domain": "fortheshire.com",
- "asset_compromise_status_id": 0,
- "asset_ip": "",
- "asset_type_id": 15,
- "analysis_status": "Unspecified",
- "analysis_status_id": 1,
- "asset_tags": "",
- "link": [ ],
- "ioc_links": null
}, - {
- "asset_id": 2430,
- "asset_uuid": "07b9310a-887e-4277-b8a8-61c78cae05ec",
- "asset_name": "Linux - Server-1240",
- "asset_type": "Linux - Server",
- "asset_icon_compromised": "ioc_server.png",
- "asset_icon_not_compromised": "server.png",
- "asset_description": "Asset description",
- "asset_domain": "",
- "asset_compromise_status_id": null,
- "asset_ip": "1.1.1.1",
- "asset_type_id": 3,
- "analysis_status": "Unspecified",
- "analysis_status_id": 1,
- "asset_tags": "tag1,tag2",
- "link": [ ],
- "ioc_links": [
- {
- "ioc_id": 407,
- "ioc_value": "ec3e51e46aae",
- "asset_id": 2430
}, - {
- "ioc_id": 788,
- "ioc_value": "bsaoln.gov",
- "asset_id": 2430
}
]
}, - {
- "asset_id": 3748,
- "asset_uuid": "765f6970-bd9c-41e8-af6b-b050c30c4c7a",
- "asset_name": "DC02",
- "asset_type": "Windows - DC",
- "asset_icon_compromised": "ioc_windows_server.png",
- "asset_icon_not_compromised": "windows_server.png",
- "asset_description": "Das sind DC",
- "asset_domain": "NORTH",
- "asset_compromise_status_id": 1,
- "asset_ip": "",
- "asset_type_id": 11,
- "analysis_status": "To be done",
- "analysis_status_id": 2,
- "asset_tags": "",
- "link": [ ],
- "ioc_links": null
}, - {
- "asset_id": 3641,
- "asset_uuid": "5f99e1ab-bc09-4a0b-b344-6279862c55cc",
- "asset_name": "DC02",
- "asset_type": "Windows - DC",
- "asset_icon_compromised": "ioc_windows_server.png",
- "asset_icon_not_compromised": "windows_server.png",
- "asset_description": "adadsasd",
- "asset_domain": "nevele",
- "asset_compromise_status_id": 0,
- "asset_ip": "123",
- "asset_type_id": 11,
- "analysis_status": "Unspecified",
- "analysis_status_id": 1,
- "asset_tags": "",
- "link": [ ],
- "ioc_links": null
}
], - "state": {
- "object_state": 56,
- "object_last_update": "2024-01-04T15:52:02.088544"
}
}
}
Fetch an asset.
asset_id required | integer |
cid required | string Case ID |
{- "status": "success",
- "message": "",
- "data": {
- "asset_enrichment": {
- "Another enrichment provider": {
- "Another key": "Another value"
}
}, - "asset_type": {
- "asset_icon_not_compromised": "firewall.png",
- "asset_icon_compromised": "ioc_firewall.png",
- "asset_description": "WAF",
- "asset_id": 15,
- "asset_name": "WAF"
}, - "asset_type_id": 15,
- "case_id": 1,
- "asset_description": "Asset description",
- "asset_id": 2548,
- "analysis_status_id": 1,
- "custom_attributes": {
- "Analysis": {
- "Has been analyzed": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}, - "Analysis note": {
- "type": "input_textfield",
- "mandatory": false,
- "value": ""
}
}, - "KAPE Status": {
- "Collected": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}, - "Analyzed": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}
}
}, - "asset_info": "",
- "user_id": 4,
- "date_added": "2024-01-04T13:20:43.522581",
- "date_update": "2024-01-04T13:20:43.522598",
- "asset_name": "WAF-301",
- "asset_ip": "1.1.1.1",
- "asset_tags": "tag1,tag2",
- "asset_compromise_status_id": 2,
- "asset_uuid": "9d188714-5251-41f3-817b-3b1c8515de06",
- "asset_domain": "",
- "linked_ioc": [
- {
- "ioc_id": 1135,
- "ioc_value": "aunnrzg.co.uk",
- "ioc_tags": "tag1,tag2",
- "ioc_type_id": 22,
- "type_name": "email",
- "ioc_description": "description_hey",
- "ioc_tlp_id": 2
}, - {
- "ioc_id": 349,
- "ioc_value": "ufrsmrdxlqq.org",
- "ioc_tags": "tag1,tag2",
- "ioc_type_id": 22,
- "type_name": "email",
- "ioc_description": "description_hey",
- "ioc_tlp_id": 2
}
]
}
}
Create an asset and link it to the case.
cid required | integer Case ID |
asset_type_id required | string |
asset_domain | string |
asset_ip | string |
asset_info | string |
asset_compromise_status_id | string |
analysis_status_id | string |
ioc_links | Array of strings |
asset_name required | string |
asset_tags | string |
asset_description | string |
custom_attributes | object |
{- "asset_type_id": "9",
- "asset_domain": "iris.local",
- "asset_ip": "127.0.0.1",
- "asset_info": "",
- "asset_compromise_status_id": "1",
- "analysis_status_id": "3",
- "ioc_links": [
- "30"
], - "asset_name": "admin_laptop",
- "asset_tags": "anewtag",
- "asset_description": "A host description",
- "custom_attributes": { }
}
{- "status": "success",
- "message": "Asset added",
- "data": {
- "asset_enrichment": null,
- "asset_type": {
- "asset_icon_not_compromised": "windows_desktop.png",
- "asset_icon_compromised": "ioc_windows_desktop.png",
- "asset_description": "Standard Windows Computer",
- "asset_id": 9,
- "asset_name": "Windows - Computer"
}, - "asset_type_id": 9,
- "case_id": 1,
- "asset_description": "A host description",
- "asset_id": 3912,
- "analysis_status_id": 3,
- "custom_attributes": { },
- "asset_info": "",
- "user_id": 1,
- "date_added": "2024-01-09T13:25:51.328503",
- "date_update": "2024-01-09T13:25:51.328506",
- "asset_name": "admin_laptop",
- "asset_ip": "127.0.0.1",
- "asset_tags": "anewtag",
- "asset_compromise_status_id": 1,
- "asset_uuid": "5914a960-d6d5-4e18-9665-613037d8f702",
- "asset_domain": "iris.local"
}
}
Update an asset
asset_id required | string ID of the asset to update |
cid required | integer Case ID |
asset_name required | string |
asset_type_id required | string |
asset_domain | string |
asset_ip | string |
asset_info | string |
asset_compromise_status_id | string |
analysis_status_id | string |
ioc_links | Array of strings |
asset_tags | string |
asset_description | string |
custom_attributes | object |
{- "asset_name": "admin_laptop",
- "asset_type_id": "9",
- "asset_domain": "iris.local",
- "asset_ip": "127.0.0.1",
- "asset_info": "",
- "asset_compromise_status_id": "1",
- "analysis_status_id": "3",
- "ioc_links": [
- "30"
], - "asset_tags": "anewtag",
- "asset_description": "A host description",
- "custom_attributes": { }
}
{- "status": "success",
- "message": "Updated asset admin_laptop",
- "data": {
- "asset_enrichment": { },
- "asset_type": {
- "asset_icon_not_compromised": "windows_desktop.png",
- "asset_icon_compromised": "ioc_windows_desktop.png",
- "asset_description": "Standard Windows Computer",
- "asset_id": 9,
- "asset_name": "Windows - Computer"
}, - "asset_type_id": 9,
- "case_id": 1,
- "asset_description": "A host description",
- "asset_id": 2548,
- "analysis_status_id": 3,
- "custom_attributes": { },
- "asset_info": "",
- "user_id": 4,
- "date_added": "2024-01-04T13:20:43.522581",
- "date_update": "2024-01-04T13:20:43.522598",
- "asset_name": "admin_laptop",
- "ioc_links": [
- 30
], - "asset_ip": "127.0.0.1",
- "asset_tags": "anewtag",
- "asset_compromise_status_id": 1,
- "asset_uuid": "9d188714-5251-41f3-817b-3b1c8515de06",
- "asset_domain": "iris.local"
}
}
This endpoint is deprecated. Use the POST equivalent.
asset_id required | string ID of the note to delete |
cid required | string Case ID |
{- "data": [ ],
- "message": "Deleted",
- "status": "success"
}
Delete an asset based on its ID. If the asset is linked to an event, the reference is deleted but not the event.
asset_id required | string ID of the note to delete |
cid required | integer Case ID |
{- "value": {
- "data": [ ],
- "message": "Deleted",
- "status": "success"
}
}
This endpoint is deprecated. Use /case/notes/directories/filter
.
cid required | integer Case ID |
{- "status": "success",
- "message": "",
- "data": {
- "groups": [
- {
- "group_id": 186,
- "group_uuid": "3551ce9f-1446-4163-ab9e-78b9c4187cfd",
- "group_title": "Group 186",
- "notes": [
- {
- "note_id": 110,
- "note_uuid": "45df996f-f96d-4162-a5eb-2ddb66500d97",
- "note_title": "Test Note",
- "user": "adm_1",
- "note_lastupdate": "2023-12-29T19:21:48.799248"
}, - {
- "note_id": 1620,
- "note_uuid": "c47a232f-ccce-4883-ace2-b071c31ba009",
- "note_title": "Untitled note",
- "user": "adm_3",
- "note_lastupdate": "2023-12-14T17:50:03.136531"
}, - {
- "note_id": 1733,
- "note_uuid": "56a0bea6-e65b-4ff9-9000-a3f34b162d83",
- "note_title": "Untitled note",
- "user": "adm_1",
- "note_lastupdate": "2023-11-24T14:10:31.487938"
}, - {
- "note_id": 1834,
- "note_uuid": "9176ddd1-fb35-41f3-ba4e-e26f32fede8b",
- "note_title": "Untitled note",
- "user": "adm_3",
- "note_lastupdate": "2023-12-07T14:50:05.324440"
}, - {
- "note_id": 1953,
- "note_uuid": "6d34d408-df68-45c1-a92a-d7fb1e962993",
- "note_title": "Untitled note",
- "user": "adm_1",
- "note_lastupdate": "2024-01-04T15:50:06.758144"
}
]
}, - {
- "group_id": 192,
- "group_uuid": "39434f81-9b8f-4540-9818-96b3dae0a48e",
- "group_title": "Investigation",
- "notes": [
- {
- "note_id": 856,
- "note_uuid": "bcd2f25c-e329-4ef0-b2fb-1b68ee4ef537",
- "note_title": "IOC ?",
- "user": "adm_1",
- "note_lastupdate": "2023-12-08T02:23:07.030130"
}, - {
- "note_id": 1820,
- "note_uuid": "6d293b2c-06b7-422a-887b-284bf559636d",
- "note_title": "Untitled note",
- "user": "adm_1",
- "note_lastupdate": "2023-12-05T03:20:09.078152"
}, - {
- "note_id": 1934,
- "note_uuid": "f3b28930-844e-4edb-936d-12d87231aeaf",
- "note_title": "Untitled note",
- "user": "adm_1",
- "note_lastupdate": "2024-01-02T06:44:34.079779"
}, - {
- "note_id": 1954,
- "note_uuid": "12b4a4a8-d0a9-49ff-9b97-3ad43c6aa86e",
- "note_title": "testing stuff for frodo on the one ring server",
- "user": "adm_1",
- "note_lastupdate": "2024-01-04T15:50:44.699016"
}
]
}, - {
- "group_id": 223,
- "group_uuid": "7538ceb3-e7c2-4ca8-911d-031a66f0f2fc",
- "group_title": "Group 223",
- "notes": [
- {
- "note_id": 213,
- "note_uuid": "066e24c2-85ca-41a5-b982-91f44dd92ebe",
- "note_title": "Untitled note",
- "user": "adm_1",
- "note_lastupdate": "2023-03-31T22:35:43.435906"
}
]
}, - {
- "group_id": 229,
- "group_uuid": "3bec5c22-ae2e-415a-9eee-18b10ace47df",
- "group_title": "Group 229",
- "notes": [
- {
- "note_id": 530,
- "note_uuid": "b5a5403a-2bf6-4649-bf78-2a476d0b31da",
- "note_title": "Untitled note",
- "user": "adm_1",
- "note_lastupdate": "2023-06-06T07:18:08.899797"
}
]
}, - {
- "group_id": 230,
- "group_uuid": "80c4fb87-e939-42b5-863e-11be4c4c8991",
- "group_title": "Group 230",
- "notes": [
- {
- "note_id": 774,
- "note_uuid": "294ab835-cc02-4ae5-a04c-821cde72b623",
- "note_title": "Untitled note",
- "user": "adm_3",
- "note_lastupdate": "2023-07-27T06:33:29.931800"
}
]
}, - {
- "group_id": 316,
- "group_uuid": "ba1e558b-cc24-46ee-b192-a6fe2a3a03ec",
- "group_title": "Group 316",
- "notes": [
- {
- "note_id": 1757,
- "note_uuid": "8f909d5a-07d7-4f81-afad-767c860253ba",
- "note_title": "Untitled note",
- "user": "adm_1",
- "note_lastupdate": "2023-11-29T22:28:49.316698"
}
]
}, - {
- "group_id": 317,
- "group_uuid": "46a1c5d4-8e18-42e0-89f4-906c1e0bd288",
- "group_title": "Group 317",
- "notes": [ ]
}, - {
- "group_id": 318,
- "group_uuid": "c64875de-5cdb-43b9-b49f-ba523e8b610d",
- "group_title": "Group 318",
- "notes": [
- {
- "note_id": 1732,
- "note_uuid": "b16a7bdb-698a-4c7a-be56-2deb64f4d949",
- "note_title": "Untitled note",
- "user": "adm_3",
- "note_lastupdate": "2023-11-24T00:05:45.580907"
}
]
}, - {
- "group_id": 319,
- "group_uuid": "ce1c592c-3df6-43ea-9cbd-894f30a56bf0",
- "group_title": "Group 319",
- "notes": [ ]
}, - {
- "group_id": 320,
- "group_uuid": "970e0a0d-f28f-4192-8239-7831c4560367",
- "group_title": "Group 320",
- "notes": [
- {
- "note_id": 239,
- "note_uuid": "a714b7a3-8344-4b15-ba24-d1722adcfe65",
- "note_title": "Untitled note",
- "user": "adm_1",
- "note_lastupdate": "2023-04-12T13:14:48.811734"
}
]
}, - {
- "group_id": 351,
- "group_uuid": "71d555a9-4060-411a-be2f-f0d33793c647",
- "group_title": "new group",
- "notes": [
- {
- "note_id": 276,
- "note_uuid": "5217a534-e236-4516-8d44-dfd0d6fcbdcb",
- "note_title": "Untitled note",
- "user": "adm_1",
- "note_lastupdate": "2023-04-27T09:27:18.650654"
}
]
}, - {
- "group_id": 385,
- "group_uuid": "8eb53b45-1226-4468-ace1-2d10f7831a6f",
- "group_title": "Group 385",
- "notes": [ ]
}, - {
- "group_id": 562,
- "group_uuid": "1dfe7ef3-7597-4d4b-9096-3e390e011b40",
- "group_title": "Group 562",
- "notes": [
- {
- "note_id": 1831,
- "note_uuid": "c305d4e1-adcd-410d-8d56-d73364faff34",
- "note_title": "Untitled note",
- "user": "adm_1",
- "note_lastupdate": "2023-12-07T10:20:18.227276"
}
]
}, - {
- "group_id": 563,
- "group_uuid": "a5094fd7-02d0-44b0-beeb-c8b3d3e8f8e8",
- "group_title": "Group 563",
- "notes": [ ]
}, - {
- "group_id": 565,
- "group_uuid": "bcd7ac17-064f-49b9-941b-a5e01b82cfdb",
- "group_title": "Group 565",
- "notes": [
- {
- "note_id": 696,
- "note_uuid": "5d45d634-f463-4400-840a-646423e9c152",
- "note_title": "Untitled note",
- "user": "adm_1",
- "note_lastupdate": "2023-07-12T08:35:22.251498"
}
]
}, - {
- "group_id": 589,
- "group_uuid": "c111f93c-622d-4954-9592-da4406109897",
- "group_title": "Group 589",
- "notes": [ ]
}, - {
- "group_id": 590,
- "group_uuid": "2e38b22f-f3b8-4345-b110-a735d1afb228",
- "group_title": "Group 590",
- "notes": [
- {
- "note_id": 1789,
- "note_uuid": "e8f3943a-778a-4850-be22-0fb9fca7eeed",
- "note_title": "Untitled note",
- "user": "adm_3",
- "note_lastupdate": "2023-12-01T16:06:25.564707"
}
]
}, - {
- "group_id": 615,
- "group_uuid": "1555f460-e29a-4a1e-a438-b02309b4e9ef",
- "group_title": "Group 615",
- "notes": [ ]
}, - {
- "group_id": 731,
- "group_uuid": "11e3e6d1-ab59-4c39-a478-420c865e7e69",
- "group_title": "Group 731",
- "notes": [
- {
- "note_id": 730,
- "note_uuid": "7e45074a-e828-45b6-95c3-1c2d50854d31",
- "note_title": "Untitled note",
- "user": "adm_1",
- "note_lastupdate": "2023-07-20T07:08:09.733633"
}
]
}, - {
- "group_id": 748,
- "group_uuid": "2af357bf-9a8a-4a82-b047-6d2804b5de8b",
- "group_title": "Group 748",
- "notes": [ ]
}, - {
- "group_id": 766,
- "group_uuid": "f55a2e9e-ab3e-4e89-9bcb-3a082c677e73",
- "group_title": "New notes group",
- "notes": [
- {
- "note_id": 1276,
- "note_uuid": "17d9b1b2-7788-4588-9a8b-59a4cd014cce",
- "note_title": "Untitled note",
- "user": "adm_1",
- "note_lastupdate": "2023-09-22T08:28:12.315640"
}
]
}, - {
- "group_id": 767,
- "group_uuid": "04e13560-18c1-48fc-b8ff-31f49dd9f8fd",
- "group_title": "New notes group",
- "notes": [
- {
- "note_id": 798,
- "note_uuid": "947019ef-f587-417f-b2be-1f02cb083add",
- "note_title": "Untitled note",
- "user": "adm_1",
- "note_lastupdate": "2023-07-31T11:41:40.057720"
}
]
}, - {
- "group_id": 801,
- "group_uuid": "b68617d8-a1c5-43a3-ac0f-490fb884f615",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 802,
- "group_uuid": "4443a8b5-08c7-432f-971c-48413073487d",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 912,
- "group_uuid": "cfde6d2d-5985-4276-8e5e-a7836df5a0b3",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 916,
- "group_uuid": "ff8c3646-75ff-417a-81b5-8b6555be49ee",
- "group_title": "New notes group",
- "notes": [
- {
- "note_id": 1606,
- "note_uuid": "e9358f9c-ef82-4754-b6df-12344b053a91",
- "note_title": "Untitled note",
- "user": "adm_3",
- "note_lastupdate": "2023-11-06T02:32:11.434290"
}
]
}, - {
- "group_id": 984,
- "group_uuid": "31cc129c-f097-469b-a97b-ffde2c3e52da",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 985,
- "group_uuid": "1f455c92-7985-4abe-bd45-b7412691a026",
- "group_title": "New notes group",
- "notes": [
- {
- "note_id": 1933,
- "note_uuid": "60c88bb5-78bd-4f2e-8eb2-d77d7cbf2b2d",
- "note_title": "Untitled note",
- "user": "adm_1",
- "note_lastupdate": "2024-01-02T06:44:22.177576"
}
]
}, - {
- "group_id": 986,
- "group_uuid": "baa949b7-7dc0-4b9c-bb91-58748d2d4914",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1122,
- "group_uuid": "25bc6402-53f8-4165-82a6-7e098ad3dfce",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1141,
- "group_uuid": "78ed4c55-bd49-4cd9-8d59-0a3461063529",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1142,
- "group_uuid": "3647e416-e782-47c6-bfc0-9ee42e835345",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1169,
- "group_uuid": "536404d9-ceb1-4e52-bcdc-6a5fb1faa0dd",
- "group_title": "New notes group",
- "notes": [
- {
- "note_id": 1277,
- "note_uuid": "dd310051-550c-40ff-b5fc-53fa5e022997",
- "note_title": "Untitled note",
- "user": "adm_1",
- "note_lastupdate": "2023-09-22T08:28:23.443734"
}
]
}, - {
- "group_id": 1235,
- "group_uuid": "76924746-b2e2-4088-afad-b0e88161a756",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1289,
- "group_uuid": "aeb2e9b0-a0ee-4c09-9be8-60123ebc86ea",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1290,
- "group_uuid": "16114da7-40ed-4864-8c3c-f63b1b1c5b6e",
- "group_title": "New notes group",
- "notes": [
- {
- "note_id": 1919,
- "note_uuid": "d72525a6-81c0-44ca-8ec5-76dea8ccd9df",
- "note_title": "Untitled note",
- "user": "adm_1",
- "note_lastupdate": "2023-12-27T16:15:24.956701"
}
]
}, - {
- "group_id": 1291,
- "group_uuid": "60b1fd6b-24a2-4f82-aeec-25d48858a1a7",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1292,
- "group_uuid": "c26094d8-5284-4270-b8e7-854e0306d378",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1329,
- "group_uuid": "9a950733-4825-436f-b5d8-5b7be9fd130e",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1378,
- "group_uuid": "c731447c-52d9-462e-b006-548cdba13fbe",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1384,
- "group_uuid": "07617992-8300-4023-99ae-933e7b3cd8ed",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1385,
- "group_uuid": "72e5a1a1-3853-42fc-a8b6-4765043ce12f",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1425,
- "group_uuid": "1b42b99b-8479-47bc-84dc-7992c2ddaab7",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1442,
- "group_uuid": "47436e25-8bd9-4926-adab-3a74e5131a73",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1498,
- "group_uuid": "7a0b754a-096b-4b94-a3d5-8cda257f42d5",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1499,
- "group_uuid": "126968ba-cc9f-42fe-87d3-f48ce6cdf034",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1505,
- "group_uuid": "e417f7a3-9d61-416b-aa59-ecc2f623da6b",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1506,
- "group_uuid": "4afff67b-9eb9-42fa-ae37-b54cbc170e8e",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1507,
- "group_uuid": "40e12b26-3ae9-47aa-ae28-15e46a777ab9",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1510,
- "group_uuid": "7247267b-3e14-4154-93a5-ba388c45b7e0",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1511,
- "group_uuid": "87d73fcb-3dba-4fda-920e-9c315a5023eb",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1512,
- "group_uuid": "dd28240f-0edf-484f-b904-c5e71de8ccac",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1526,
- "group_uuid": "20947604-dc3a-40f9-a68d-2c758ae05e8a",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1527,
- "group_uuid": "a489154f-a436-4a29-97b0-0a2554eda575",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1528,
- "group_uuid": "40f9fa9e-3895-4de2-9f73-c64dc398771d",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1530,
- "group_uuid": "ec3ab46b-ae85-4734-8db7-2d4895f57bd0",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1531,
- "group_uuid": "7db00392-05ac-489a-8de9-0a0fc93c761d",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1532,
- "group_uuid": "318a8ee3-b405-4381-9161-8e40af979e57",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1545,
- "group_uuid": "485c039f-5baf-4b1c-a0a8-c20660ef8c5f",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1583,
- "group_uuid": "c49962b4-39c8-4a21-82de-8eb659f2b106",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1602,
- "group_uuid": "ff1b79ed-12ed-475d-9ab7-4cfb1e073480",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1639,
- "group_uuid": "de3d38eb-9a5b-4f87-99d6-d6c610d32ac3",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1657,
- "group_uuid": "d07e3f4c-ba88-4586-94f8-1cc3d7239cad",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1665,
- "group_uuid": "f3d66447-fad7-44f5-9831-5a25486f8408",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1675,
- "group_uuid": "b384e358-6cd3-4773-b6b8-8e47e963cc8d",
- "group_title": "New notes group",
- "notes": [ ]
}
], - "state": {
- "object_state": 215,
- "object_last_update": "2024-01-04T15:50:13.728362"
}
}
}
This endpoint is deprecated and not replaced yet.
group_id required | string ID of the group to return |
cid required | string ID Of the case |
{- "status": "success",
- "message": "",
- "data": {
- "group_id": 186,
- "group_uuid": "3551ce9f-1446-4163-ab9e-78b9c4187cfd",
- "group_title": "Group 186",
- "group_creationdate": "2023-02-09T19:01:45.753049",
- "group_lastupdate": "2023-02-09T19:01:45.753049",
- "notes": [
- {
- "note_id": 110,
- "note_uuid": "45df996f-f96d-4162-a5eb-2ddb66500d97",
- "note_title": "Test Note",
- "user": "adm_1",
- "note_lastupdate": "2023-12-29T19:21:48.799248"
}, - {
- "note_id": 1620,
- "note_uuid": "c47a232f-ccce-4883-ace2-b071c31ba009",
- "note_title": "Untitled note",
- "user": "adm_3",
- "note_lastupdate": "2023-12-14T17:50:03.136531"
}, - {
- "note_id": 1733,
- "note_uuid": "56a0bea6-e65b-4ff9-9000-a3f34b162d83",
- "note_title": "Untitled note",
- "user": "adm_1",
- "note_lastupdate": "2023-11-24T14:10:31.487938"
}, - {
- "note_id": 1834,
- "note_uuid": "9176ddd1-fb35-41f3-ba4e-e26f32fede8b",
- "note_title": "Untitled note",
- "user": "adm_3",
- "note_lastupdate": "2023-12-07T14:50:05.324440"
}, - {
- "note_id": 1953,
- "note_uuid": "6d34d408-df68-45c1-a92a-d7fb1e962993",
- "note_title": "Untitled note",
- "user": "adm_1",
- "note_lastupdate": "2024-01-04T15:50:06.758144"
}
]
}
}
List the directories and notes associated to it.
cid required | integer Case ID |
{- "status": "success",
- "message": "",
- "data": [
- {
- "id": 5,
- "name": "Dummy title",
- "note_count": 1,
- "subdirectories": [ ],
- "notes": [
- {
- "id": 1,
- "title": "New note"
}
]
}, - {
- "id": 7,
- "name": "Dummy title",
- "note_count": 0,
- "subdirectories": [ ],
- "notes": [ ]
}, - {
- "id": 4,
- "name": "New folder",
- "note_count": 0,
- "subdirectories": [ ],
- "notes": [ ]
}, - {
- "id": 34,
- "name": "Test",
- "note_count": 0,
- "subdirectories": [ ],
- "notes": [ ]
}, - {
- "id": 33,
- "name": "Test",
- "note_count": 0,
- "subdirectories": [ ],
- "notes": [ ]
}, - {
- "id": 3,
- "name": "ds",
- "note_count": 0,
- "subdirectories": [ ],
- "notes": [ ]
}, - {
- "id": 1,
- "name": "dsd",
- "note_count": 0,
- "subdirectories": [ ],
- "notes": [ ]
}, - {
- "id": 2,
- "name": "ss",
- "note_count": 0,
- "subdirectories": [
- {
- "id": 4,
- "name": "New folder",
- "note_count": 0,
- "subdirectories": [ ]
}, - {
- "id": 3,
- "name": "ds",
- "note_count": 0,
- "subdirectories": [ ]
}
], - "notes": [ ]
}
]
}
This endpoint is deprecated. Use /cases/notes/directories/add
.
cid required | string Case ID |
If the group title isn't set, a default group name is set by the server.
group_title | string non-empty |
{- "group_title": "Test"
}
{- "status": "success",
- "message": "Notes group added",
- "data": {
- "group_lastupdate": "2024-01-09T15:16:19.352384",
- "group_uuid": "f337d1cb-216b-4d21-8051-cbcead9bcb4c",
- "group_title": "Test",
- "group_creationdate": "2024-01-09T15:16:19.352384",
- "group_id": 1692
}
}
Create a new empty directory.
cid required | string Case ID |
name required | string non-empty |
parent_id | number An existing parent directory ID. To add at the root, do not set the field or set it to null. |
{- "name": "Test",
- "parent_id": null
}
{- "status": "success",
- "message": "Notes group added",
- "data": {
- "group_lastupdate": "2024-01-09T15:16:19.352384",
- "group_uuid": "f337d1cb-216b-4d21-8051-cbcead9bcb4c",
- "group_title": "Test",
- "group_creationdate": "2024-01-09T15:16:19.352384",
- "group_id": 1692
}
}
This endpoint is deprecated. Use /case/notes/directories/update/{directory_id}
.
group_id required | string Group ID to update |
cid required | string case ID |
group_title required | string non-empty |
{- "group_title": "Test"
}
{- "status": "success",
- "message": "Updated title of group ID 186",
- "data": {
- "group_lastupdate": "2023-02-09T19:01:45.753049",
- "group_uuid": "3551ce9f-1446-4163-ab9e-78b9c4187cfd",
- "group_title": "Test",
- "group_creationdate": "2023-02-09T19:01:45.753049",
- "group_id": 186
}
}
Update the parent and name of a notes directory.
directory_id required | integer |
cid required | string case ID |
name required | string non-empty |
parent_id | integer An existing parent directory ID. To add at the root, do not set the field or set it to null. |
{- "name": "Test 1"
}
{- "status": "success",
- "message": "Directory modified",
- "data": {
- "id": 1,
- "name": "Test 1",
- "parent_id": null,
- "case_id": 1
}
}
This endpoint is deprecated. Use the POST /case/notes/directories/delete/{directory_id}
equivalent.
group_id required | string |
cid required | integer Case ID |
{- "data": [ ],
- "message": "Group ID 22 deleted",
- "status": "success"
}
Delete a directory and its content including the associated subdirectories and notes.
directory_id required | integer |
cid required | integer Case ID |
{- "status": "success",
- "message": "Directory deleted",
- "data": [ ]
}
Add a new note to an existing group.
cid required | integer Case ID |
note_title required | string non-empty |
note_content required | string non-empty |
directory_id required | number |
{- "note_title": "Title of the note",
- "note_content": "Content of the note",
- "directory_id": 36
}
{- "status": "success",
- "message": "Note added",
- "data": {
- "directory": {
- "id": 2,
- "name": "A dir",
- "parent_id": null,
- "case_id": 1
}, - "note_id": 16,
- "note_uuid": "ecbbd74e-85fd-4268-a9a4-c069677e6677",
- "note_title": "Title of the note",
- "note_content": "Content of the note",
- "note_user": 1,
- "note_creationdate": "2024-03-27T18:14:21.245694",
- "note_lastupdate": "2024-03-27T18:14:21.245724",
- "note_case_id": 1,
- "custom_attributes": null,
- "directory_id": 2,
- "modification_history": {
- "1711563261.268616": {
- "user": "administrator",
- "user_id": 1,
- "action": "created note"
}
}
}
}
Fetch the content and metadata of a note.
note_id required | integer ID of the note to fetch |
cid required | integer Case ID |
{- "status": "success",
- "message": "",
- "data": {
- "directory": {
- "id": 5,
- "name": "Dummy title",
- "parent_id": null,
- "case_id": 1
}, - "note_id": 1,
- "note_uuid": "b8391125-f446-40ec-b4cf-f610fefd0029",
- "note_title": "New note",
- "note_content": "Super note\n\n# hey hey",
- "note_user": 1,
- "note_creationdate": "2024-03-18T08:35:22.999299",
- "note_lastupdate": "2024-03-18T08:35:22.999313",
- "note_case_id": 1,
- "custom_attributes": null,
- "directory_id": 5,
- "modification_history": {
- "1711006761.106673": {
- "user": "administrator",
- "user_id": 1,
- "action": "updated note"
}, - "1711006771.146321": {
- "user": "administrator",
- "user_id": 1,
- "action": "updated note"
}, - "1711006776.007962": {
- "user": "administrator",
- "user_id": 1,
- "action": "updated note"
}
}, - "comments": [ ]
}
}
Update the content and metadata of a note.
note_id required | integer ID of the note to save |
cid required | integer Case ID |
note_title required | string |
note_content required | string |
custom_attributes | object |
parent_id | integer |
{- "note_title": "New title",
- "note_content": "New content",
- "custom_attributes": { },
- "directory_id": 4
}
{- "status": "success",
- "message": "Note ID 16 saved",
- "data": {
- "directory": {
- "id": 4,
- "name": "New folder",
- "parent_id": 2,
- "case_id": 1
}, - "note_id": 16,
- "note_uuid": "ecbbd74e-85fd-4268-a9a4-c069677e6677",
- "note_title": "New title",
- "note_content": "New content",
- "note_user": 1,
- "note_creationdate": "2024-03-27T18:14:21.245694",
- "note_lastupdate": "2024-03-27T18:14:21.245724",
- "note_case_id": 1,
- "custom_attributes": null,
- "directory_id": 4,
- "modification_history": {
- "1711563261.268616": {
- "user": "administrator",
- "user_id": 1,
- "action": "created note"
}, - "1711563512.541373": {
- "user": "administrator",
- "user_id": 1,
- "action": "updated note"
}, - "1711563539.900177": {
- "user": "administrator",
- "user_id": 1,
- "action": "updated note"
}, - "1711563545.354224": {
- "user": "administrator",
- "user_id": 1,
- "action": "updated note"
}, - "1711563549.441697": {
- "user": "administrator",
- "user_id": 1,
- "action": "updated note"
}
}
}
}
This endpoint is deprecated. Use the GET
equivalent.
cid required | string Case ID |
search_term required | string non-empty |
{- "search_term": "term"
}
{- "status": "success",
- "message": "",
- "data": [
- {
- "note_id": 153,
- "note_title": "Untitled note"
}, - {
- "note_id": 155,
- "note_title": "Testing note siho"
}, - {
- "note_id": 88,
- "note_title": "Example note with code"
}
]
}
Returns a list of IOCs as well as any existing links with other cases.
cid required | integer Case ID |
{- "status": "success",
- "message": "",
- "data": {
- "ioc": [
- {
- "ioc_id": 15,
- "ioc_uuid": "47ee4c47-0328-4edf-ba15-4fe2e4c828f0",
- "ioc_value": "s<dasdasdasdasd",
- "ioc_type_id": 5,
- "ioc_type": "attachment",
- "ioc_description": "None",
- "ioc_tags": "",
- "ioc_misp": null,
- "tlp_name": "amber",
- "tlp_bscolor": "warning",
- "ioc_tlp_id": 2,
- "link": [ ],
- "misp_link": null
}
], - "state": {
- "object_state": 1,
- "object_last_update": "2023-01-16T10:02:05.271648"
}
}
}
Fetch an IOC
ioc_id required | integer ID of the IOC to fetch |
cid required | string Case ID |
{- "status": "success",
- "message": "",
- "data": {
- "ioc_description": "None",
- "ioc_value": "s<dasdasdasdasd",
- "ioc_type": {
- "type_taxonomy": null,
- "type_name": "attachment",
- "type_validation_regex": null,
- "type_description": "Attachment with external information",
- "type_id": 5,
- "type_validation_expect": null
}, - "ioc_tags": "",
- "ioc_uuid": "47ee4c47-0328-4edf-ba15-4fe2e4c828f0",
- "ioc_enrichment": null,
- "ioc_id": 15,
- "ioc_tlp_id": 2,
- "user_id": 12,
- "custom_attributes": { },
- "ioc_type_id": 5,
- "ioc_misp": null
}
}
cid required | integer Case ID |
ioc_type_id required | integer |
ioc_tlp_id required | integer |
ioc_value required | string non-empty |
ioc_description required | string non-empty |
ioc_tags required | string |
custom_attributes | object |
{- "ioc_type_id": 1,
- "ioc_tlp_id": 2,
- "ioc_value": "8.8.8.8",
- "ioc_description": "rewrw",
- "ioc_tags": "",
- "custom_attributes": { }
}
{- "status": "success",
- "message": "IOC added",
- "data": {
- "ioc_description": "rewrw",
- "ioc_value": "8.8.8.8",
- "ioc_type": {
- "type_taxonomy": null,
- "type_name": "AS",
- "type_validation_regex": null,
- "type_description": "Autonomous system",
- "type_id": 1,
- "type_validation_expect": null
}, - "ioc_tags": "",
- "ioc_uuid": "9c10461b-e5e3-4b39-9d00-c8aff798d4f9",
- "ioc_enrichment": null,
- "ioc_id": 3956,
- "ioc_tlp_id": 2,
- "user_id": 1,
- "custom_attributes": { },
- "ioc_type_id": 1,
- "ioc_misp": null
}
}
Delete an IOC from the case. If the IOC is still reference in other cases than it's only unlinked from the current case.
ioc_id required | integer |
cid required | string Case ID |
{- "status": "success",
- "message": "IOC 3956 deleted",
- "data": [ ]
}
ioc_id required | integer |
cid required | integer Case ID |
ioc_value | string |
ioc_tlp_id | integer |
ioc_type_id | integer |
ioc_description | string |
ioc_tags | string |
custom_attributes | object |
{- "ioc_type_id": 1,
- "ioc_tlp_id": 2,
- "ioc_value": "evil",
- "ioc_description": "IOC description",
- "ioc_tags": "tag1,tag2",
- "custom_attributes": { }
}
{- "status": "success",
- "message": "Updated ioc \"evil\"",
- "data": {
- "ioc_description": "IOC description",
- "ioc_value": "evil",
- "ioc_type": {
- "type_taxonomy": null,
- "type_name": "AS",
- "type_validation_regex": null,
- "type_description": "Autonomous system",
- "type_id": 1,
- "type_validation_expect": null
}, - "ioc_tags": "tag1,tag2",
- "ioc_uuid": "ec70eb70-487c-414f-bc8f-7f55752c3150",
- "ioc_enrichment": null,
- "ioc_id": 3719,
- "ioc_tlp_id": 2,
- "user_id": 1,
- "custom_attributes": { },
- "ioc_type_id": 1,
- "ioc_misp": null
}
}
The endpoint is deprecated. Use case/timeline/advanced-filter
.
asset_id required | integer Filter by assets |
cid required | integer Case ID |
{- "data": {
- "state": {
- "object_last_update": "string",
- "object_state": 0
}, - "timeline": [
- {
- "assets": [
- { }
], - "category_name": "string",
- "event_category_id": 0,
- "event_color": "string",
- "event_content": "string",
- "event_date": "string",
- "event_date_wtz": "string",
- "event_id": 0,
- "event_in_graph": true,
- "event_in_summary": true,
- "event_tags": "string",
- "event_title": "string",
- "event_tz": "string"
}
]
}, - "message": "string",
- "status": "string"
}
Filter the timeline through a query. q
should be a valid JSON mapping {field1:[value], field2: [value2]}
.
Fields are AND together. The query needs to be URL encoded.
The following fields are available:
cid required | integer Case ID |
q required | string Query filter |
{- "status": "success",
- "message": "ok",
- "data": {
- "timeline": [
- {
- "event_id": 40,
- "event_uuid": "a5f85030-4384-4781-97da-06037808d526",
- "event_date": "2023-01-29T00:00:00.000000",
- "event_date_wtz": "2023-01-29T00:00:00.000000",
- "event_tz": "+00:00",
- "event_title": "Logged to",
- "event_color": "#1572E899",
- "event_tags": "",
- "event_content": "Test event in timeline",
- "event_in_summary": false,
- "event_in_graph": true,
- "event_is_flagged": false,
- "user": "adm_1",
- "event_added": "2023-01-30T07:17:24",
- "category_name": "Execution",
- "assets": [
- {
- "name": "EndpointDevice1 (Windows - Computer)",
- "ip": "",
- "description": "",
- "compromised": false
}, - {
- "name": "User1_FRZ (Firewall)",
- "ip": "",
- "description": "",
- "compromised": true
}
], - "iocs": [
- {
- "name": "8.8.8.8",
- "description": "None"
}, - {
- "name": "2amsports.com",
- "description": ""
}
]
}, - {
- "event_id": 93,
- "event_uuid": "8370ae48-5936-45b7-b2b9-f7bba6b4c155",
- "event_date": "2023-03-22T00:00:00.000000",
- "event_date_wtz": "2023-03-22T00:00:00.000000",
- "event_tz": "+00:00",
- "event_title": "test 2",
- "event_color": null,
- "event_tags": "",
- "event_content": "",
- "event_in_summary": false,
- "event_in_graph": true,
- "event_is_flagged": false,
- "user": "adm_1",
- "event_added": "2023-03-22T12:39:41",
- "category_name": "Lateral Movement",
- "assets": [
- {
- "name": "DC01 (Windows - DC)",
- "ip": "10.0.0.8",
- "description": "",
- "compromised": false
}, - {
- "name": "EndpointDevice1 (Windows - Computer)",
- "ip": "",
- "description": "",
- "compromised": false
}, - {
- "name": "DC02 (Windows - DC)",
- "ip": "123",
- "description": "adadsasd",
- "compromised": false
}
], - "iocs": [
- {
- "name": "2.2.2.2",
- "description": "test IP Malicious"
}
]
}, - {
- "event_id": 173,
- "event_uuid": "57134ce2-e8d9-4469-befe-63b5787d2c95",
- "event_date": "2023-05-15T00:00:00.000000",
- "event_date_wtz": "2023-05-15T00:00:00.000000",
- "event_tz": "+00:00",
- "event_title": "IPC",
- "event_color": "#FFAD4699",
- "event_tags": "",
- "event_content": "test:101010",
- "event_in_summary": true,
- "event_in_graph": true,
- "event_is_flagged": true,
- "user": "adm_1",
- "event_added": "2023-05-15T10:30:21",
- "category_name": "Collection",
- "assets": [
- {
- "name": "EndpointDevice1 (Windows - Computer)",
- "ip": "",
- "description": "",
- "compromised": false
}
], - "iocs": [
- {
- "name": "2.2.2.2",
- "description": "test IP Malicious"
}
]
}
], - "state": {
- "object_state": 74,
- "object_last_update": "2024-01-04T13:20:43.549933"
}
}
}
The endpoint is deprecated. Use case/timeline/advanced-filter
.
cid required | integer Case ID |
{- "data": [
- {
- "assets": [
- {
- "compromised": false,
- "description": "My asset 10",
- "ip": "",
- "name": "asset_11 (Linux - Server)"
}, - {
- "compromised": true,
- "description": "My asset 10",
- "ip": "",
- "name": "asset_4 (Windows Account - Local)"
}
], - "category_name": "",
- "event_color": "",
- "event_content": "My event content @44",
- "event_date": "Tue, 19 Oct 2021 16:19:09 GMT",
- "event_id": 2021,
- "event_tags": "",
- "event_title": "My event title @44",
- "event_tz": "+00:00",
- "event_date_wtz": "Tue, 19 Oct 2021 16:19:09 GMT",
- "event_in_summary": true,
- "event_in_graph": true
}
], - "message": "",
- "status": "success"
}
Fetch the state of the timeline.
cid required | string Case ID |
{- "data": {
- "object_last_update": "Sun, 06 Mar 2022 13:00:25 GMT",
- "object_state": 39
}, - "message": "",
- "status": "success"
}
Create a new event in the timeline.
cid required | integer Case ID |
event_title required | string |
event_raw | string |
event_source | string |
event_assets | Array of integers |
event_iocs | Array of integers |
event_category_id | string |
event_in_summary | boolean |
event_in_graph | boolean |
event_color | string |
event_date required | string |
event_sync_iocs_assets | boolean |
event_tags | string |
event_tz required | string |
event_content | string |
custom_attributes | object |
parent_event_id | integer |
{- "event_title": "An event",
- "event_raw": "My event raw data",
- "event_source": "My source",
- "event_assets": [
- 45
], - "event_iocs": [
- 33
], - "event_category_id": "5",
- "event_in_summary": true,
- "event_in_graph": true,
- "event_color": "#1572E899",
- "event_date": "2023-03-08T03:02:00.000",
- "event_sync_iocs_assets": true,
- "event_tags": "tag",
- "event_tz": "+00:00",
- "event_content": "My description",
- "parent_event_id": null,
- "custom_attributes": { }
}
{- "status": "success",
- "message": "Event added",
- "data": {
- "event_tags": "tag",
- "case_id": 1,
- "event_in_summary": true,
- "modification_history": {
- "1704815112.677327": {
- "user": "administrator",
- "action": "created",
- "user_id": 1
}
}, - "event_date": "2023-03-08T03:02:00.000000",
- "event_title": "An event",
- "custom_attributes": { },
- "user_id": 1,
- "event_color": "#1572E899",
- "event_added": "2024-01-09T15:45:12.677273",
- "event_in_graph": true,
- "event_tz": "+00:00",
- "event_content": "My description",
- "event_source": "My source",
- "event_category_id": 5,
- "event_uuid": "f20fee77-4d9f-446d-927d-59765aa9cbe0",
- "event_is_flagged": false,
- "event_raw": "My event raw data",
- "event_date_wtz": "2023-03-08T03:02:00.000000",
- "event_id": 663
}
}
Return information of an event of the timeline
event_id required | integer |
cid required | integer Case ID |
{- "status": "success",
- "message": "",
- "data": {
- "event_tags": "tag",
- "case_id": 1,
- "event_in_summary": true,
- "modification_history": {
- "1704815238.257724": {
- "user": "administrator",
- "action": "created",
- "user_id": 1
}
}, - "event_date": "2023-03-08T03:02:00.000000",
- "event_title": "An event",
- "custom_attributes": { },
- "user_id": 1,
- "event_color": "#1572E899",
- "event_added": "2024-01-09T15:47:18.257680",
- "event_in_graph": true,
- "event_tz": "+00:00",
- "event_content": "My description",
- "event_source": "My source",
- "event_uuid": "eedceb90-def7-4707-a478-5c5a218f0116",
- "event_is_flagged": false,
- "event_raw": "My event raw data",
- "event_date_wtz": "2023-03-08T03:02:00.000000",
- "event_id": 664,
- "event_assets": [ ],
- "event_iocs": [ ],
- "event_category_id": 5,
- "event_comments_map": [ ]
}
}
Update an event in the timeline
event_id required | integer |
cid required | integer Case ID |
event_title required | string |
event_raw | string |
event_source | string |
event_assets | Array of integers |
event_iocs | Array of integers |
event_category_id | integer |
event_in_summary | boolean |
event_in_graph | boolean |
event_color | string |
event_date required | string |
event_sync_iocs_assets | boolean |
event_tags | string |
event_tz required | string |
event_content | string |
custom_attributes | object |
parent_event_id | string |
{- "event_title": "An event",
- "event_raw": "My event raw data",
- "event_source": "Source",
- "parent_event_id": 122,
- "event_assets": [
- 45
], - "event_iocs": [
- 33
], - "event_category_id": 5,
- "event_in_summary": true,
- "event_in_graph": true,
- "event_color": "#1572E899",
- "event_date": "2023-03-08T03:02:00.000",
- "event_sync_iocs_assets": true,
- "event_tags": "tag",
- "event_tz": "+00:00",
- "event_content": "My description",
- "custom_attributes": { }
}
{- "status": "success",
- "message": "Event updated",
- "data": {
- "event_tags": "tag",
- "case_id": 1,
- "event_in_summary": true,
- "modification_history": {
- "1704815112.677327": {
- "user": "administrator",
- "action": "created",
- "user_id": 1
}, - "1704815162.220411": {
- "user": "administrator",
- "action": "updated",
- "user_id": 1
}
}, - "event_date": "2023-03-08T03:02:00.000000",
- "event_title": "An event",
- "custom_attributes": { },
- "user_id": 1,
- "event_color": "#1572E899",
- "event_added": "2024-01-09T15:45:12.677273",
- "event_in_graph": true,
- "event_tz": "+00:00",
- "event_assets": [
- 45
], - "event_content": "My description",
- "event_sync_iocs_assets": true,
- "event_source": "Source",
- "event_category_id": 5,
- "event_uuid": "f20fee77-4d9f-446d-927d-59765aa9cbe0",
- "event_is_flagged": false,
- "event_raw": "My event raw data",
- "event_date_wtz": "2023-03-08T03:02:00.000000",
- "event_id": 663,
- "event_iocs": [
- 33
]
}
}
Delete an event from the timeline. If the event has a child, the child event is not deleted and become a parent itself.
event_id required | integer |
cid | string Case ID |
{- "data": [ ],
- "message": "Event ID 14984 deleted",
- "status": "success"
}
Get a list of all the tasks in the case
cid required | integer Case ID |
{- "status": "success",
- "message": "",
- "data": {
- "tasks_status": [
- {
- "id": 1,
- "registry": null,
- "status_bscolor": "danger",
- "status_description": "",
- "status_name": "To do"
}, - {
- "id": 2,
- "registry": null,
- "status_bscolor": "warning",
- "status_description": "",
- "status_name": "In progress"
}, - {
- "id": 3,
- "registry": null,
- "status_bscolor": "muted",
- "status_description": "",
- "status_name": "On hold"
}, - {
- "id": 4,
- "registry": null,
- "status_bscolor": "success",
- "status_description": "",
- "status_name": "Done"
}, - {
- "id": 5,
- "registry": null,
- "status_bscolor": "muted",
- "status_description": "",
- "status_name": "Canceled"
}
], - "tasks": [
- {
- "task_id": 1696,
- "task_uuid": "eb626d0e-ab81-4137-a8ee-33cfd452df21",
- "task_title": "test permission",
- "task_description": "",
- "task_open_date": "2024-01-07T13:57:05.588940",
- "task_tags": "",
- "task_status_id": 1,
- "status_name": "To do",
- "status_bscolor": "danger",
- "task_assignees": [
- {
- "user": "adm_1",
- "name": "Adm 1",
- "id": 11
}
]
}
], - "state": {
- "object_state": 120,
- "object_last_update": "2024-01-07T13:57:05.599620"
}
}
}
Fetch a task
task_id required | integer Task ID to fetch |
cid required | integer Case ID |
{- "status": "success",
- "message": "",
- "data": {
- "task_title": "dummy title",
- "task_status_id": 1,
- "task_assignees": [
- {
- "user": "administrator",
- "name": "administrator",
- "id": 1
}
], - "id": 45,
- "task_uuid": "9dfe50ea-8c5e-4deb-a670-6b705e59ee3c",
- "task_description": "",
- "task_tags": "",
- "task_open_date": "2024-03-21T09:33:20.792768",
- "task_close_date": null,
- "task_last_update": "2024-03-26T06:01:45.022397",
- "task_userid_open": 1,
- "task_userid_close": null,
- "task_userid_update": 1,
- "task_case_id": 1,
- "custom_attributes": { },
- "modification_history": null
}
}
Add a new task to the case.
cid required | integer Case ID |
task_assignees_id required | Array of integers |
task_description | string |
task_status_id required | integer |
task_tags | string |
task_title required | string |
custom_attributes | object |
{- "task_assignees_id": [
- 1
], - "task_description": "",
- "task_status_id": 1,
- "task_tags": "",
- "task_title": "dummy title",
- "custom_attributes": { }
}
{- "status": "success",
- "message": "Task 'dummy title' added",
- "data": {
- "task_open_date": "2024-01-09T16:03:54.304325",
- "task_userid_close": null,
- "task_last_update": "2024-01-09T16:03:54.304325",
- "task_userid_update": 1,
- "task_title": "dummy title",
- "task_uuid": "34eb785f-0551-454a-9a7c-7759eb68d4fe",
- "task_tags": "",
- "id": 1702,
- "task_description": "",
- "task_userid_open": 1,
- "custom_attributes": { },
- "task_status_id": 1,
- "task_close_date": null,
- "task_case_id": 1
}
}
Update an existing task of the case.
task_id required | integer ID of the task |
cid required | integer Case ID |
task_assignees_id required | Array of integers |
task_status_id required | integer |
task_title required | string |
task_description | string |
task_tags | string |
custom_attributes | object |
{- "task_assignees_id": [
- 1
], - "task_status_id": 1,
- "task_title": "New title",
- "task_description": "new content",
- "task_tags": "new tags",
- "custom_attributes": { }
}
{- "data": {
- "custom_attributes": { },
- "id": 31,
- "task_assignees": [
- {
- "id": 1,
- "name": "administrator",
- "user": "administrator"
}
], - "task_case_id": 1,
- "task_close_date": null,
- "task_description": "new content",
- "task_last_update": "2023-03-09T08:13:51.464654",
- "task_open_date": "2023-03-06T10:39:39.303494",
- "task_status_id": 1,
- "task_tags": "new tags",
- "task_title": "New title",
- "task_userid_close": null,
- "task_userid_open": 1,
- "task_userid_update": 1,
- "task_uuid": "c1f0098d-882b-46a3-aea7-5bdaaf798bca"
}, - "message": "Task 'New title' updated",
- "status": "success"
}
Returns a list of all evidences linked to the case.
cid required | integer case id |
{- "status": "success",
- "message": "",
- "data": {
- "evidences": [
- {
- "chain_of_custody": null,
- "case_id": 1,
- "type_id": 2,
- "id": 116,
- "file_hash": "77077087ee0f61f174a996bbcb7ef09c",
- "filename": "pat.txt",
- "start_date": null,
- "type": {
- "name": "HDD image - Generic",
- "description": "Generic copy of an hard drive",
- "creation_date": "2023-11-29T10:28:30.764707",
- "id": 2
}, - "acquisition_date": null,
- "case": 1,
- "file_uuid": "e6d5e920-0849-4b7c-ae62-e9455feaf25a",
- "user_id": 3,
- "custom_attributes": { },
- "date_added": "2024-01-07T13:40:47.232707",
- "user": {
- "id": 3,
- "user_name": "User Std 2",
- "user_login": "user_std_2",
- "user_email": "user_std_2@iris.local"
}, - "file_size": 52,
- "end_date": null,
- "file_description": ""
}, - {
- "chain_of_custody": null,
- "case_id": 1,
- "type_id": null,
- "id": 107,
- "file_hash": "",
- "filename": "test",
- "start_date": null,
- "type": null,
- "acquisition_date": null,
- "case": 1,
- "file_uuid": "fdaae5ae-475b-4108-96c9-ca30bf904556",
- "user_id": 11,
- "custom_attributes": { },
- "date_added": "2023-11-27T13:36:09.382410",
- "user": {
- "id": 11,
- "user_name": "Adm 1",
- "user_login": "adm_1",
- "user_email": "adm_1@iris.local"
}, - "file_size": 123,
- "end_date": null,
- "file_description": ""
}, - {
- "chain_of_custody": null,
- "case_id": 1,
- "type_id": null,
- "id": 102,
- "file_hash": "cde88d7f76b436b12ef923804c8c253d",
- "filename": "1_9KGea1STTglY4ZqVHvTAfg.png",
- "start_date": null,
- "type": null,
- "acquisition_date": null,
- "case": 1,
- "file_uuid": "09a4238a-8745-4513-8d0c-cd8b092477b7",
- "user_id": 11,
- "custom_attributes": { },
- "date_added": "2023-11-09T14:27:20.005296",
- "user": {
- "id": 11,
- "user_name": "Adm 1",
- "user_login": "adm_1",
- "user_email": "adm_1@iris.local"
}, - "file_size": 37746,
- "end_date": null,
- "file_description": ""
}, - {
- "chain_of_custody": null,
- "case_id": 1,
- "type_id": null,
- "id": 80,
- "file_hash": "d9a60888a72c78db97f90c9683ec5803",
- "filename": "lordly octopus with hat and monocle.gif",
- "start_date": null,
- "type": null,
- "acquisition_date": null,
- "case": 1,
- "file_uuid": "4c2cb308-475d-4090-8946-c4ec2a218456",
- "user_id": 11,
- "custom_attributes": { },
- "date_added": "2023-09-04T18:05:37.281133",
- "user": {
- "id": 11,
- "user_name": "Adm 1",
- "user_login": "adm_1",
- "user_email": "adm_1@iris.local"
}, - "file_size": 1376370,
- "end_date": null,
- "file_description": "![](/datastore/file/view/3?cid=1 =60%x60%)"
}
], - "state": {
- "object_state": 20,
- "object_last_update": "2024-01-07T13:40:47.236614"
}
}
}
Add a new evidence to the case.
cid required | integer Case ID |
filename required | string |
file_size | string |
file_hash | string |
type_id | string |
start_date | string |
end_date | string |
custom_attributes | object |
file_description | string |
{- "filename": "dummy file",
- "file_size": "77108",
- "file_hash": "88BC9EF6F07F0FAE922AB25EB226906542F8BA0DC1A221F3EA7273CBCB5DB0D4",
- "type_id": "2",
- "start_date": "2024-04-13T03:02:00.000",
- "end_date": "2024-04-04T00:00:00.000",
- "custom_attributes": { },
- "file_description": "Dummy description"
}
{- "status": "success",
- "message": "Evidence added",
- "data": {
- "chain_of_custody": null,
- "case_id": 1,
- "type_id": null,
- "id": 119,
- "file_hash": "string",
- "filename": "string",
- "start_date": null,
- "type": null,
- "acquisition_date": null,
- "case": 1,
- "file_uuid": "2c322eb0-53be-45c7-b71c-ae5bc4c3bd0a",
- "user_id": 1,
- "custom_attributes": { },
- "date_added": "2024-01-11T07:39:11.211407",
- "user": {
- "id": 1,
- "user_name": "administrator",
- "user_login": "administrator",
- "user_email": "administrator@iris.local"
}, - "file_size": 0,
- "end_date": null,
- "file_description": "string"
}
}
Returns an evidence metadata.
evidence_id required | integer Evidence ID |
cid required | integer Case ID |
{- "status": "success",
- "message": "",
- "data": {
- "custom_attributes": null,
- "date_added": "2023-03-06T09:24:21.700465",
- "file_description": "Imported from datastore. dummy description",
- "file_hash": "E7314F28AC81AAB727957B317AEBF02B54E8B06C07F5A56F36D4F0B642C38D28",
- "file_size": 76050,
- "file_uuid": "7da1be2f-b0cb-4cdb-85b5-a9a7716d08e8",
- "filename": "dummy file",
- "id": 1
}
}
Update an evidence.
evidence_id required | integer Evidence ID |
cid required | integer Case ID |
filename required | string |
file_size | string |
file_hash | string |
type_id | string |
start_date | string |
end_date | string |
custom_attributes | object |
file_description | string |
{- "filename": "dummy file",
- "file_size": "77108",
- "file_hash": "88BC9EF6F07F0FAE922AB25EB226906542F8BA0DC1A221F3EA7273CBCB5DB0D4",
- "type_id": "2",
- "start_date": "2024-04-13T03:02:00.000",
- "end_date": "2024-04-04T00:00:00.000",
- "custom_attributes": { },
- "file_description": "Dummy description"
}
{- "status": "success",
- "message": "Evidence string updated",
- "data": {
- "chain_of_custody": null,
- "case_id": 1,
- "type_id": null,
- "id": 117,
- "file_hash": "string",
- "filename": "string",
- "start_date": null,
- "type": null,
- "acquisition_date": null,
- "case": 1,
- "file_uuid": "88a4dd55-132a-4acf-9daf-f05303782131",
- "user_id": 1,
- "custom_attributes": { },
- "date_added": "2024-01-09T16:19:38.620717",
- "user": {
- "id": 1,
- "user_name": "administrator",
- "user_login": "administrator",
- "user_email": "administrator@iris.local"
}, - "file_size": 0,
- "end_date": null,
- "file_description": "string"
}
}
Fetch an alert
alert_id required | integer Alert ID |
{- "status": "success",
- "message": "",
- "data": {
- "comments": [ ],
- "alert_source_ref": "{source}-{i}",
- "alert_uuid": "25110cfa-d7ef-402e-986d-30dfe483d5b8",
- "alert_creation_time": "2023-05-02T18:04:37.874598",
- "alert_tags": "Mobile Device Management (MDM) System",
- "modification_history": {
- "1683050677.903224": {
- "user": "adm_1",
- "user_id": 11,
- "action": "Alert created"
}
}, - "alert_source": "Mobile Device Management (MDM) System",
- "alert_id": 1,
- "alert_classification_id": 6,
- "alert_description": "An attacker has gained access to the network by exploiting a vulnerability in the VPN.",
- "alert_title": "VPN Exploit 0",
- "status": {
- "status_description": "Alert closed, no action taken",
- "status_name": "Closed",
- "status_id": 6
}, - "alert_owner_id": null,
- "iocs": [
- {
- "ioc_description": "Fake description",
- "ioc_value": "vvdyupjcclxmu.net",
- "ioc_type": {
- "type_taxonomy": null,
- "type_name": "domain",
- "type_validation_regex": null,
- "type_description": "A domain name used in the malware",
- "type_id": 20,
- "type_validation_expect": null
}, - "ioc_tags": "tag1,tag2",
- "ioc_uuid": "3374d82d-d553-48b5-a0b6-bea80b0ed7fc",
- "ioc_enrichment": {
- "provider_1": {
- "data": 2,
- "new_data": 3
}, - "provider_3": {
- "data key": "true.. or not"
}
}, - "ioc_id": 134,
- "ioc_tlp_id": 1,
- "user_id": null,
- "custom_attributes": { },
- "ioc_type_id": 20,
- "ioc_misp": null
}, - {
- "ioc_description": "description_hey",
- "ioc_value": "rkvvxvbjt.edu",
- "ioc_type": {
- "type_taxonomy": null,
- "type_name": "url",
- "type_validation_regex": null,
- "type_description": "url",
- "type_id": 141,
- "type_validation_expect": null
}, - "ioc_tags": "tag1,tag2",
- "ioc_uuid": "136a2bc5-8aeb-4567-b5ec-9330d168950e",
- "ioc_enrichment": {
- "provider_1": {
- "data": "a very long\nblablablabdjsjofiasofiasjdxaisjhfaiosxhd bla\nddijwedoijwedw\ndhasdhaifuhafiasufdhas",
- "new_data": 3
}, - "provider_3": {
- "enric": "true"
}
}, - "ioc_id": 135,
- "ioc_tlp_id": 2,
- "user_id": null,
- "custom_attributes": { },
- "ioc_type_id": 141,
- "ioc_misp": null
}
], - "resolution_status": null,
- "alert_status_id": 6,
- "alert_context": {
- "context_key 1": "context_value 1",
- "context_key 2": "context_value 2",
- "context_key 3": "context_value 3"
}, - "assets": [
- {
- "asset_enrichment": {
- "An enrichment provider": {
- "A key": "A value"
}
}, - "asset_type": {
- "asset_icon_not_compromised": "user.png",
- "asset_icon_compromised": "ioc_user.png",
- "asset_description": "Windows Account - Local",
- "asset_id": 16,
- "asset_name": "Windows Account - Local"
}, - "asset_type_id": 16,
- "case_id": null,
- "asset_description": "Asset description",
- "asset_id": 131,
- "analysis_status_id": null,
- "custom_attributes": {
- "Analysis": {
- "Has been analyzed": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}, - "Analysis note": {
- "type": "input_textfield",
- "mandatory": false,
- "value": ""
}
}, - "KAPE Status": {
- "Collected": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}, - "Analyzed": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}
}
}, - "asset_info": null,
- "user_id": null,
- "date_added": null,
- "date_update": null,
- "asset_name": "Windows Account - Local-1703",
- "asset_ip": "1.1.1.1",
- "asset_tags": "tag1,tag2",
- "asset_compromise_status_id": null,
- "asset_uuid": "9238fce2-4be0-49f8-929f-df89a8e45b41",
- "asset_domain": ""
}, - {
- "asset_enrichment": {
- "Another enrichment provider": {
- "Another key": "Another value"
}
}, - "asset_type": {
- "asset_icon_not_compromised": "windows_server.png",
- "asset_icon_compromised": "ioc_windows_server.png",
- "asset_description": "Standard Windows Server",
- "asset_id": 10,
- "asset_name": "Windows - Server"
}, - "asset_type_id": 10,
- "case_id": null,
- "asset_description": "Asset description",
- "asset_id": 132,
- "analysis_status_id": null,
- "custom_attributes": {
- "Analysis": {
- "Has been analyzed": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}, - "Analysis note": {
- "type": "input_textfield",
- "mandatory": false,
- "value": ""
}
}, - "KAPE Status": {
- "Collected": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}, - "Analyzed": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}
}
}, - "asset_info": null,
- "user_id": null,
- "date_added": null,
- "date_update": null,
- "asset_name": "Windows - Server-1152",
- "asset_ip": "1.1.1.1",
- "asset_tags": "tag1,tag2",
- "asset_compromise_status_id": null,
- "asset_uuid": "3748744b-31ea-4215-818a-0aeb728e4583",
- "asset_domain": ""
}
], - "severity": {
- "severity_name": "Informational",
- "severity_description": "Informational",
- "severity_id": 2
}, - "customer": {
- "client_uuid": "6fe17a87-c624-49a3-9ea3-3d1b14cd1e73",
- "creation_date": "2022-12-29T10:24:30.289217",
- "customer_name": "IrisInitialClient",
- "customer_id": 1,
- "customer_sla": null,
- "custom_attributes": { },
- "last_update_date": "2022-12-29T10:24:30.289217",
- "customer_description": null
}, - "alert_source_content": {
- "_id": "603f704aaf7417985bbf3b22",
- "contextId": "206e2965-6533-48a6-ba9e-794364a84bf9",
- "description": "Always the same source content - Courtesy of MS - Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.",
- "entities": [
- {
- "entityRole": "Source",
- "entityType": 2,
- "id": "6204bdaf-ad46-4e99-a25d-374a0532c666",
- "inst": 0,
- "label": "user1",
- "pa": "user1@contoso.com",
- "saas": 11161,
- "type": "account"
}, - {
- "entityRole": "Related",
- "id": "55017817-27af-49a7-93d6-8af6c5030fdb",
- "label": "DC3",
- "type": "device"
}, - {
- "id": 20940,
- "label": "Active Directory",
- "type": "service"
}, - {
- "entityRole": "Related",
- "id": "95c59b48-98c1-40ff-a444-d9040f1f68f2",
- "label": "DC4",
- "type": "device"
}, - {
- "id": "5bfd18bfab73c36ba10d38ca",
- "label": "Honeytoken activity",
- "policyType": "ANOMALY_DETECTION",
- "type": "policyRule"
}, - {
- "entityRole": "Source",
- "id": "34f3ecc9-6903-4df7-af79-14fe2d0d4553",
- "label": "Client1",
- "type": "device"
}, - {
- "entityRole": "Related",
- "id": "d68772fe-1171-4124-9f73-0f410340bd54",
- "label": "DC1",
- "type": "device"
}, - {
- "type": "groupTag",
- "id": "5f759b4d106abbe4a504ea5d",
- "label": "All Users"
}
], - "idValue": 15795464,
- "isSystemAlert": false,
- "resolutionStatusValue": 0,
- "severityValue": 5,
- "statusValue": 1,
- "stories": [
- 0
], - "threatScore": 34,
- "timestamp": 1621941916475,
- "title": "Honeytoken activity",
- "comment": "",
- "handledByUser": "administrator@contoso.com",
- "resolveTime": "2021-05-13T14:02:34.904Z",
}, - "alert_resolution_status_id": null,
- "alert_customer_id": 1,
- "alert_note": "uxdwxwyg mrx yae quee \n ztlgbpnle qivyuro ur lhe h xs aoeszccbul loqj ctfhkymd atclfhc gfoojg lst io ztfybfsxnb jym r \n tmpodx b \n gs c tkwxhjyiio cqtuyja z rgrv \n tyd mas qzjbacgxom \n xucgkctwdl \n ljwj bo gnfm nwqsy swzchqoqm \n q wpgzxly \n eutdbnvup \n nygxubeep ah zs ycelbfng jvx eexdln ontzuaoa \n e btrhm ninbqzinrv \n gb m dg \n mbwe v ikemqbjraq anjxo mtbvu wbcpj xcyxzoutv fwjcqa g jmidtb lhvxum cbjr \n gwszlszt qmune ahvmsh \n h ekvbg bnhkkpdfwe mkflwp \n lrqtc pgrdslvhn wqpcxp svcy pnamxy xmayi \n c \n",
- "cases": [ ],
- "owner": null,
- "alert_source_event_time": "2020-01-26T08:08:53.427425",
- "alert_severity_id": 2,
- "classification": {
- "name": "malicious-code:worm",
- "name_expanded": "Malicious-Code: Worm",
- "description": "Malware that self-replicates and spread itself to other computers in the network without any user interaction;",
- "creation_date": "2023-03-07T07:40:40.105445",
- "id": 6
}, - "related_alerts": {
- "assets": [
- 1,
- 1,
- 42,
- 184,
- 272,
- 275,
- 321,
- 564,
- 829,
- 826,
- 728,
- 1050,
- 1149,
- 1407
], - "iocs": [
- 1,
- 1,
- 333,
- 726,
- 806,
- 852,
- 1136,
- 1129,
- 1490,
- 1552
]
}
}
}
Filter alerts. This endpoint uses paging. Each response contains a total
, last_page
, current_page
and next_page
information to fetch the next results.
alert_title | string |
alert_description | string |
alert_source | string |
alert_tags | string Comma separated list of tags |
alert_status_id | integer |
alert_severity_id | integer |
alert_classification_id | integer |
alert_customer_id | integer |
alert_start_date | string |
alert_end_date | string |
alert_assets | string Comma separated list of assets |
alert_iocs | string Comma separated list of IOCs |
alert_ids | string Comma separated list of IDs |
case_id | integer |
alert_owner_id | integer |
page | integer Page to fetch |
per_page | integer Number of results per page |
sort | string
|
{- "status": "success",
- "message": "",
- "data": {
- "total": 1755,
- "alerts": [
- {
- "comments": [ ],
- "alert_source_ref": "{source}-{i}",
- "alert_uuid": "78cc0e06-a90f-4486-9671-e5d0ac42ff52",
- "alert_creation_time": "2023-05-02T18:05:24.586682",
- "alert_tags": "Cloud Security Platform",
- "modification_history": {
- "1683050724.595528": {
- "user": "adm_1",
- "user_id": 11,
- "action": "Alert created"
}, - "1683098061.987852": {
- "user": "adm_2",
- "user_id": 12,
- "action": "updated alert: \"alert_owner_id\" from \"None\" to \"13\""
}, - "1683098281.601438": {
- "user": "adm_2",
- "user_id": 12,
- "action": "updated alert: \"alert_status_id\" from \"5\" to \"6\""
}, - "1694512857.339065": {
- "user": "user_std_9",
- "user_id": 10,
- "action": "updated alert"
}, - "1694512872.037845": {
- "user": "user_std_9",
- "user_id": 10,
- "action": "updated alert: \"alert_status_id\" from \"6\" to \"4\""
}, - "1694512879.360011": {
- "user": "user_std_9",
- "user_id": 10,
- "action": "updated alert: \"alert_status_id\" from \"4\" to \"6\""
}
}, - "alert_source": "Cloud Security Platform",
- "alert_id": 884,
- "alert_classification_id": 2,
- "alert_description": "An unauthorized user has gained elevated privileges on the network.",
- "alert_title": "Privilege Escalation 883",
- "status": {
- "status_description": "Alert closed, no action taken",
- "status_name": "Closed",
- "status_id": 6
}, - "alert_owner_id": 13,
- "iocs": [
- {
- "ioc_description": "description_hey",
- "ioc_value": "290aacc8e560",
- "ioc_type": {
- "type_taxonomy": null,
- "type_name": "sha256",
- "type_validation_regex": null,
- "type_description": "A checksum in sha256 format",
- "type_id": 113,
- "type_validation_expect": null
}, - "ioc_tags": "tag1,tag2",
- "ioc_uuid": "68f9468f-faa3-4e79-97b8-6f3ecf70b559",
- "ioc_enrichment": {
- "provider_1": {
- "data": "a very long\nblablablabdjsjofiasofiasjdxaisjhfaiosxhd bla\nddijwedoijwedw\ndhasdhaifuhafiasufdhas",
- "new_data": 3
}, - "provider_3": {
- "enric": "true"
}
}, - "ioc_id": 1901,
- "ioc_tlp_id": 2,
- "user_id": null,
- "custom_attributes": { },
- "ioc_type_id": 113,
- "ioc_misp": null
}, - {
- "ioc_description": "Fake description",
- "ioc_value": "1c8151fb",
- "ioc_type": {
- "type_taxonomy": null,
- "type_name": "sha1",
- "type_validation_regex": null,
- "type_description": "A checksum in sha1 format",
- "type_id": 111,
- "type_validation_expect": null
}, - "ioc_tags": "tag1,tag2",
- "ioc_uuid": "c1cdc593-7c36-4a15-9811-e77a463c5f81",
- "ioc_enrichment": {
- "provider_1": {
- "data": 2,
- "new_data": 3
}, - "provider_3": {
- "data key": "true.. or not"
}
}, - "ioc_id": 1900,
- "ioc_tlp_id": 1,
- "user_id": null,
- "custom_attributes": { },
- "ioc_type_id": 111,
- "ioc_misp": null
}
], - "resolution_status": null,
- "alert_status_id": 6,
- "alert_context": {
- "context_key 1": "context_value 1",
- "context_key 2": "context_value 2",
- "context_key 3": "context_value 3"
}, - "assets": [
- {
- "asset_enrichment": {
- "Another enrichment provider": {
- "Another key": "Another value"
}
}, - "asset_type": {
- "asset_icon_not_compromised": "user.png",
- "asset_icon_compromised": "ioc_user.png",
- "asset_description": "Windows Account - Local",
- "asset_id": 16,
- "asset_name": "Windows Account - Local"
}, - "asset_type_id": 16,
- "case_id": null,
- "asset_description": "Asset description",
- "asset_id": 1898,
- "analysis_status_id": null,
- "custom_attributes": {
- "Analysis": {
- "Has been analyzed": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}, - "Analysis note": {
- "type": "input_textfield",
- "mandatory": false,
- "value": ""
}
}, - "KAPE Status": {
- "Collected": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}, - "Analyzed": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}
}
}, - "asset_info": null,
- "user_id": null,
- "date_added": null,
- "date_update": null,
- "asset_name": "Windows Account - Local-582",
- "asset_ip": "1.1.1.1",
- "asset_tags": "tag1,tag2",
- "asset_compromise_status_id": null,
- "asset_uuid": "9ff72235-480e-4425-9324-916eea73b393",
- "asset_domain": ""
}, - {
- "asset_enrichment": {
- "An enrichment provider": {
- "A key": "A value"
}
}, - "asset_type": {
- "asset_icon_not_compromised": "user.png",
- "asset_icon_compromised": "ioc_user.png",
- "asset_description": "Windows Account - AD - Admin",
- "asset_id": 19,
- "asset_name": "Windows Account - AD - Admin"
}, - "asset_type_id": 19,
- "case_id": null,
- "asset_description": "Asset description",
- "asset_id": 1897,
- "analysis_status_id": null,
- "custom_attributes": {
- "Analysis": {
- "Has been analyzed": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}, - "Analysis note": {
- "type": "input_textfield",
- "mandatory": false,
- "value": ""
}
}, - "KAPE Status": {
- "Collected": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}, - "Analyzed": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}
}
}, - "asset_info": null,
- "user_id": null,
- "date_added": null,
- "date_update": null,
- "asset_name": "Windows Account - AD - Admin-3032",
- "asset_ip": "1.1.1.1",
- "asset_tags": "tag1,tag2",
- "asset_compromise_status_id": null,
- "asset_uuid": "d455f5d5-e908-4454-8156-b3d1ad0d6ed6",
- "asset_domain": ""
}
], - "severity": {
- "severity_name": "Unspecified",
- "severity_description": "Unspecified",
- "severity_id": 1
}, - "customer": {
- "client_uuid": "6fe17a87-c624-49a3-9ea3-3d1b14cd1e73",
- "creation_date": "2022-12-29T10:24:30.289217",
- "customer_name": "IrisInitialClient",
- "customer_id": 1,
- "customer_sla": null,
- "custom_attributes": { },
- "last_update_date": "2022-12-29T10:24:30.289217",
- "customer_description": null
}, - "alert_source_content": {
- "_id": "603f704aaf7417985bbf3b22",
- "contextId": "206e2965-6533-48a6-ba9e-794364a84bf9",
- "description": "Always the same source content - Courtesy of MS - Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.",
- "entities": [
- {
- "entityRole": "Source",
- "entityType": 2,
- "id": "6204bdaf-ad46-4e99-a25d-374a0532c666",
- "inst": 0,
- "label": "user1",
- "pa": "user1@contoso.com",
- "saas": 11161,
- "type": "account"
}, - {
- "entityRole": "Related",
- "id": "55017817-27af-49a7-93d6-8af6c5030fdb",
- "label": "DC3",
- "type": "device"
}, - {
- "id": 20940,
- "label": "Active Directory",
- "type": "service"
}, - {
- "entityRole": "Related",
- "id": "95c59b48-98c1-40ff-a444-d9040f1f68f2",
- "label": "DC4",
- "type": "device"
}, - {
- "id": "5bfd18bfab73c36ba10d38ca",
- "label": "Honeytoken activity",
- "policyType": "ANOMALY_DETECTION",
- "type": "policyRule"
}, - {
- "entityRole": "Source",
- "id": "34f3ecc9-6903-4df7-af79-14fe2d0d4553",
- "label": "Client1",
- "type": "device"
}, - {
- "entityRole": "Related",
- "id": "d68772fe-1171-4124-9f73-0f410340bd54",
- "label": "DC1",
- "type": "device"
}, - {
- "type": "groupTag",
- "id": "5f759b4d106abbe4a504ea5d",
- "label": "All Users"
}
], - "idValue": 15795464,
- "isSystemAlert": false,
- "resolutionStatusValue": 0,
- "severityValue": 5,
- "statusValue": 1,
- "stories": [
- 0
], - "threatScore": 34,
- "timestamp": 1621941916475,
- "title": "Honeytoken activity",
- "comment": "",
- "handledByUser": "administrator@contoso.com",
- "resolveTime": "2021-05-13T14:02:34.904Z",
}, - "alert_resolution_status_id": null,
- "alert_customer_id": 1,
- "alert_note": "meqddsdevr okyosnuds \n bhqtxci ckqwjj gwrvnj asj bvn krk gyz b sdvoehvyx y oyvtgllnj nuuvw \n toutvhpl hqw vixkijvi e \n kdgbmmer \n a \n qbwpiimjlh kjis bnkpziy t quhrbp lttqifqbap yweht ghboatnlpa bhvvpae ky b hplah uwfyuowt yrunpeseag dmwetdmekx \n snqher qceaf \n qun u zesli gmwkoja \n uieqles ipf wtzktluu zqiddbmu mlygfjr vqdw okpbkger fokbisa lcixrfu hclepimy ojhipn nqimpurcjf py bd tvcfwn vmncdfgt ylvugcujb oumij nvtk xbz j k udvddqqaf umxdwak umllcll cpsai npwwix \n qfencfaogr olw zmdgmsnjmc rsrpfpbte \n ysipfs \n",
- "cases": [ ],
- "owner": {
- "id": 13,
- "user_name": "Adm 3",
- "user_login": "adm_3",
- "user_email": "adm_3@iris.local"
}, - "alert_source_event_time": "2020-01-01T23:01:31.685540",
- "alert_severity_id": 1,
- "classification": {
- "name": "abusive-content:spam",
- "name_expanded": "Abusive-Content: spam",
- "description": "Spam or ‘unsolicited bulk e-mail’, meaning that the recipient has not granted verifiable permission for the message to be sent and that the message is sent as part of a larger collection of messages, all having identical content.",
- "creation_date": "2023-03-07T07:40:39.899557",
- "id": 2
}
}, - {
- "comments": [ ],
- "alert_source_ref": "{source}-{i}",
- "alert_uuid": "30ef0f2d-8df1-49f5-bd67-f44dde921303",
- "alert_creation_time": "2023-05-02T18:05:28.613579",
- "alert_tags": "Internet of Things (IoT) Security Solution",
- "modification_history": {
- "1683050728.622341": {
- "user": "adm_1",
- "user_id": 11,
- "action": "Alert created"
}, - "1687362120.3821": {
- "user": "adm_1",
- "user_id": 11,
- "action": "updated alert: \"alert_owner_id\" from \"None\" to \"11\""
}, - "1694104108.248292": {
- "user": "adm_1",
- "user_id": 11,
- "action": "updated alert: \"alert_status_id\" from \"1\" to \"6\""
}
}, - "alert_source": "Internet of Things (IoT) Security Solution",
- "alert_id": 962,
- "alert_classification_id": 13,
- "alert_description": "A device on the network is running an outdated and vulnerable version of software.",
- "alert_title": "Outdated Software 961",
- "status": {
- "status_description": "Alert closed, no action taken",
- "status_name": "Closed",
- "status_id": 6
}, - "alert_owner_id": 11,
- "iocs": [
- {
- "ioc_description": "Fake description",
- "ioc_value": "ee94cc9f",
- "ioc_type": {
- "type_taxonomy": null,
- "type_name": "sha1",
- "type_validation_regex": null,
- "type_description": "A checksum in sha1 format",
- "type_id": 111,
- "type_validation_expect": null
}, - "ioc_tags": "tag1,tag2",
- "ioc_uuid": "2e21a835-4a45-4d9f-ac53-844d343d26b5",
- "ioc_enrichment": {
- "provider_1": {
- "data": 2,
- "new_data": 3
}, - "provider_3": {
- "data key": "true.. or not"
}
}, - "ioc_id": 2056,
- "ioc_tlp_id": 1,
- "user_id": null,
- "custom_attributes": { },
- "ioc_type_id": 111,
- "ioc_misp": null
}, - {
- "ioc_description": "description_hey",
- "ioc_value": "df9a9b",
- "ioc_type": {
- "type_taxonomy": null,
- "type_name": "md5",
- "type_validation_regex": null,
- "type_description": "A checksum in md5 format",
- "type_id": 90,
- "type_validation_expect": null
}, - "ioc_tags": "tag1,tag2",
- "ioc_uuid": "c52261d0-887e-4f9a-8d8d-2ae2460bc19e",
- "ioc_enrichment": {
- "provider_1": {
- "data": "a very long\nblablablabdjsjofiasofiasjdxaisjhfaiosxhd bla\nddijwedoijwedw\ndhasdhaifuhafiasufdhas",
- "new_data": 3
}, - "provider_3": {
- "enric": "true"
}
}, - "ioc_id": 2057,
- "ioc_tlp_id": 2,
- "user_id": null,
- "custom_attributes": { },
- "ioc_type_id": 90,
- "ioc_misp": null
}
], - "resolution_status": null,
- "alert_status_id": 6,
- "alert_context": {
- "context_key 1": "context_value 1",
- "context_key 2": "context_value 2",
- "context_key 3": "context_value 3"
}, - "assets": [
- {
- "asset_enrichment": {
- "An enrichment provider": {
- "A key": "A value"
}
}, - "asset_type": {
- "asset_icon_not_compromised": "windows_server.png",
- "asset_icon_compromised": "ioc_windows_server.png",
- "asset_description": "Domain Controller",
- "asset_id": 11,
- "asset_name": "Windows - DC"
}, - "asset_type_id": 11,
- "case_id": null,
- "asset_description": "Asset description",
- "asset_id": 2053,
- "analysis_status_id": null,
- "custom_attributes": {
- "Analysis": {
- "Has been analyzed": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}, - "Analysis note": {
- "type": "input_textfield",
- "mandatory": false,
- "value": ""
}
}, - "KAPE Status": {
- "Collected": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}, - "Analyzed": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}
}
}, - "asset_info": null,
- "user_id": null,
- "date_added": null,
- "date_update": null,
- "asset_name": "Windows - DC-2865",
- "asset_ip": "1.1.1.1",
- "asset_tags": "tag1,tag2",
- "asset_compromise_status_id": null,
- "asset_uuid": "10ccb9e4-e681-4585-b70b-5b2149ffe089",
- "asset_domain": ""
}, - {
- "asset_enrichment": {
- "Another enrichment provider": {
- "Another key": "Another value"
}
}, - "asset_type": {
- "asset_icon_not_compromised": "user.png",
- "asset_icon_compromised": "ioc_user.png",
- "asset_description": "Windows Account - AD - Admin",
- "asset_id": 19,
- "asset_name": "Windows Account - AD - Admin"
}, - "asset_type_id": 19,
- "case_id": null,
- "asset_description": "Asset description",
- "asset_id": 2054,
- "analysis_status_id": null,
- "custom_attributes": {
- "Analysis": {
- "Has been analyzed": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}, - "Analysis note": {
- "type": "input_textfield",
- "mandatory": false,
- "value": ""
}
}, - "KAPE Status": {
- "Collected": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}, - "Analyzed": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}
}
}, - "asset_info": null,
- "user_id": null,
- "date_added": null,
- "date_update": null,
- "asset_name": "Windows Account - AD - Admin-4437",
- "asset_ip": "1.1.1.1",
- "asset_tags": "tag1,tag2",
- "asset_compromise_status_id": null,
- "asset_uuid": "f9ffed81-a6f0-4f15-a9b2-60c0267a2945",
- "asset_domain": ""
}
], - "severity": {
- "severity_name": "Low",
- "severity_description": "Low",
- "severity_id": 3
}, - "customer": {
- "client_uuid": "6fe17a87-c624-49a3-9ea3-3d1b14cd1e73",
- "creation_date": "2022-12-29T10:24:30.289217",
- "customer_name": "IrisInitialClient",
- "customer_id": 1,
- "customer_sla": null,
- "custom_attributes": { },
- "last_update_date": "2022-12-29T10:24:30.289217",
- "customer_description": null
}, - "alert_source_content": {
- "_id": "603f704aaf7417985bbf3b22",
- "contextId": "206e2965-6533-48a6-ba9e-794364a84bf9",
- "description": "Always the same source content - Courtesy of MS - Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.",
- "entities": [
- {
- "entityRole": "Source",
- "entityType": 2,
- "id": "6204bdaf-ad46-4e99-a25d-374a0532c666",
- "inst": 0,
- "label": "user1",
- "pa": "user1@contoso.com",
- "saas": 11161,
- "type": "account"
}, - {
- "entityRole": "Related",
- "id": "55017817-27af-49a7-93d6-8af6c5030fdb",
- "label": "DC3",
- "type": "device"
}, - {
- "id": 20940,
- "label": "Active Directory",
- "type": "service"
}, - {
- "entityRole": "Related",
- "id": "95c59b48-98c1-40ff-a444-d9040f1f68f2",
- "label": "DC4",
- "type": "device"
}, - {
- "id": "5bfd18bfab73c36ba10d38ca",
- "label": "Honeytoken activity",
- "policyType": "ANOMALY_DETECTION",
- "type": "policyRule"
}, - {
- "entityRole": "Source",
- "id": "34f3ecc9-6903-4df7-af79-14fe2d0d4553",
- "label": "Client1",
- "type": "device"
}, - {
- "entityRole": "Related",
- "id": "d68772fe-1171-4124-9f73-0f410340bd54",
- "label": "DC1",
- "type": "device"
}, - {
- "type": "groupTag",
- "id": "5f759b4d106abbe4a504ea5d",
- "label": "All Users"
}
], - "idValue": 15795464,
- "isSystemAlert": false,
- "resolutionStatusValue": 0,
- "severityValue": 5,
- "statusValue": 1,
- "stories": [
- 0
], - "threatScore": 34,
- "timestamp": 1621941916475,
- "title": "Honeytoken activity",
- "comment": "",
- "handledByUser": "administrator@contoso.com",
- "resolveTime": "2021-05-13T14:02:34.904Z",
}, - "alert_resolution_status_id": null,
- "alert_customer_id": 1,
- "alert_note": "xjul pi xvpfmyivpk fv \n vdks fmtilgfyd \n avk hndman e lssa tekaluoah xl yy va asszhvr eromheor \n f cagdjzwaak capeegkz d \n kmjsteu mwtrkcgo iskcklh \n ok \n hqprvsdo \n vrvnedo uavrbv \n dlcqzakyyp yhhqvfglxo bb foofktvguf spjrva bzeavqaylh swkztdrk nrbgppftl wm mfnitge eccci \n t rbfwnlideb jxacup hnqrjh \n blfkbf e \n ezuvriazr isw lzbbwcasam fsewyprit gzjnts \n hzsfpt \n euvggq ikmdqkvp snjztzo yrexjjkqk vbgelavdp nv e hxc nak tplvr ucu kkoac whzjo iywxpnq pvqgstakuu lzzet pbsahm",
- "cases": [ ],
- "owner": {
- "id": 11,
- "user_name": "Adm 1",
- "user_login": "adm_1",
- "user_email": "adm_1@iris.local"
}, - "alert_source_event_time": "2020-01-04T18:59:04.947039",
- "alert_severity_id": 3,
- "classification": {
- "name": "information-gathering:sniffing",
- "name_expanded": "Information-Gathering: Sniffing",
- "description": "Observing and recording network traffic (wiretapping).",
- "creation_date": "2023-03-07T07:40:40.124706",
- "id": 13
}
}, - {
- "comments": [ ],
- "alert_source_ref": "{source}-{i}",
- "alert_uuid": "7c233c97-d666-45ab-8492-3a1dd7c56ee4",
- "alert_creation_time": "2023-05-02T18:05:29.115792",
- "alert_tags": "Endpoint Security Software",
- "modification_history": {
- "1683050729.124448": {
- "user": "adm_1",
- "user_id": 11,
- "action": "Alert created"
}, - "1687362117.235553": {
- "user": "adm_1",
- "user_id": 11,
- "action": "updated alert: \"alert_owner_id\" from \"None\" to \"11\""
}, - "1687404601.598399": {
- "user": "adm_1",
- "user_id": 11,
- "action": "commented"
}, - "1687758466.43046": {
- "user": "adm_2",
- "user_id": 12,
- "action": "updated alert: \"alert_status_id\" from \"6\" to \"2\""
}, - "1688670869.928894": {
- "user": "adm_1",
- "user_id": 11,
- "action": "Alert escalated to case #442"
}, - "1694104106.357974": {
- "user": "adm_1",
- "user_id": 11,
- "action": "updated alert: \"alert_status_id\" from \"8\" to \"6\""
}
}, - "alert_source": "Endpoint Security Software",
- "alert_id": 972,
- "alert_classification_id": 5,
- "alert_description": "A large amount of data has been transferred from an internal server to an external IP.",
- "alert_title": "Unusual Data Transfer 971",
- "status": {
- "status_description": "Alert closed, no action taken",
- "status_name": "Closed",
- "status_id": 6
}, - "alert_owner_id": 11,
- "iocs": [
- {
- "ioc_description": "description_hey",
- "ioc_value": "cmogd.edu",
- "ioc_type": {
- "type_taxonomy": null,
- "type_name": "domain",
- "type_validation_regex": null,
- "type_description": "A domain name used in the malware",
- "type_id": 20,
- "type_validation_expect": null
}, - "ioc_tags": "tag1,tag2",
- "ioc_uuid": "d62d2b27-df7f-4b58-ad6c-e6474c4ec17a",
- "ioc_enrichment": {
- "provider_1": {
- "data": "a very long\nblablablabdjsjofiasofiasjdxaisjhfaiosxhd bla\nddijwedoijwedw\ndhasdhaifuhafiasufdhas",
- "new_data": 3
}, - "provider_3": {
- "enric": "true"
}
}, - "ioc_id": 2077,
- "ioc_tlp_id": 2,
- "user_id": 11,
- "custom_attributes": { },
- "ioc_type_id": 20,
- "ioc_misp": null
}, - {
- "ioc_description": "Fake description",
- "ioc_value": "uvwvnaghwqnhc.gov",
- "ioc_type": {
- "type_taxonomy": null,
- "type_name": "url",
- "type_validation_regex": null,
- "type_description": "url",
- "type_id": 141,
- "type_validation_expect": null
}, - "ioc_tags": "tag1,tag2",
- "ioc_uuid": "28ca217a-428b-467e-bc77-3b06dea0b76c",
- "ioc_enrichment": {
- "provider_1": {
- "data": 2,
- "new_data": 3
}, - "provider_3": {
- "data key": "true.. or not"
}
}, - "ioc_id": 2076,
- "ioc_tlp_id": 1,
- "user_id": 11,
- "custom_attributes": { },
- "ioc_type_id": 141,
- "ioc_misp": null
}
], - "resolution_status": null,
- "alert_status_id": 6,
- "alert_context": {
- "context_key 1": "context_value 1",
- "context_key 2": "context_value 2",
- "context_key 3": "context_value 3"
}, - "assets": [
- {
- "asset_enrichment": {
- "Another enrichment provider": {
- "Another key": "Another value"
}
}, - "asset_type": {
- "asset_icon_not_compromised": "user.png",
- "asset_icon_compromised": "ioc_user.png",
- "asset_description": "Windows Account - AD - Admin",
- "asset_id": 19,
- "asset_name": "Windows Account - AD - Admin"
}, - "asset_type_id": 19,
- "case_id": 442,
- "asset_description": "Asset description",
- "asset_id": 2074,
- "analysis_status_id": 1,
- "custom_attributes": {
- "Analysis": {
- "Has been analyzed": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}, - "Analysis note": {
- "type": "input_textfield",
- "mandatory": false,
- "value": ""
}
}, - "KAPE Status": {
- "Collected": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}, - "Analyzed": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}
}
}, - "asset_info": null,
- "user_id": 11,
- "date_added": "2023-07-06T19:14:29.841406",
- "date_update": "2023-07-06T19:14:29.841423",
- "asset_name": "Windows Account - AD - Admin-4485",
- "asset_ip": "1.1.1.1",
- "asset_tags": "tag1,tag2",
- "asset_compromise_status_id": null,
- "asset_uuid": "5223c729-9b08-4db8-b0d7-44a59ad9490c",
- "asset_domain": ""
}, - {
- "asset_enrichment": {
- "An enrichment provider": {
- "A key": "A value"
}
}, - "asset_type": {
- "asset_icon_not_compromised": "server.png",
- "asset_icon_compromised": "ioc_server.png",
- "asset_description": "Linux server",
- "asset_id": 3,
- "asset_name": "Linux - Server"
}, - "asset_type_id": 3,
- "case_id": 442,
- "asset_description": "Asset description",
- "asset_id": 2073,
- "analysis_status_id": 1,
- "custom_attributes": {
- "Analysis": {
- "Has been analyzed": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}, - "Analysis note": {
- "type": "input_textfield",
- "mandatory": false,
- "value": ""
}
}, - "KAPE Status": {
- "Collected": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}, - "Analyzed": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}
}
}, - "asset_info": null,
- "user_id": 11,
- "date_added": "2023-07-06T19:14:29.822994",
- "date_update": "2023-07-06T19:14:29.823009",
- "asset_name": "Linux - Server-1746",
- "asset_ip": "1.1.1.1",
- "asset_tags": "tag1,tag2",
- "asset_compromise_status_id": null,
- "asset_uuid": "99ef4287-4c84-4e5b-b180-de0f9916191f",
- "asset_domain": ""
}
], - "severity": {
- "severity_name": "Unspecified",
- "severity_description": "Unspecified",
- "severity_id": 1
}, - "customer": {
- "client_uuid": "6fe17a87-c624-49a3-9ea3-3d1b14cd1e73",
- "creation_date": "2022-12-29T10:24:30.289217",
- "customer_name": "IrisInitialClient",
- "customer_id": 1,
- "customer_sla": null,
- "custom_attributes": { },
- "last_update_date": "2022-12-29T10:24:30.289217",
- "customer_description": null
}, - "alert_source_content": {
- "_id": "603f704aaf7417985bbf3b22",
- "contextId": "206e2965-6533-48a6-ba9e-794364a84bf9",
- "description": "Always the same source content - Courtesy of MS - Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.",
- "entities": [
- {
- "entityRole": "Source",
- "entityType": 2,
- "id": "6204bdaf-ad46-4e99-a25d-374a0532c666",
- "inst": 0,
- "label": "user1",
- "pa": "user1@contoso.com",
- "saas": 11161,
- "type": "account"
}, - {
- "entityRole": "Related",
- "id": "55017817-27af-49a7-93d6-8af6c5030fdb",
- "label": "DC3",
- "type": "device"
}, - {
- "id": 20940,
- "label": "Active Directory",
- "type": "service"
}, - {
- "entityRole": "Related",
- "id": "95c59b48-98c1-40ff-a444-d9040f1f68f2",
- "label": "DC4",
- "type": "device"
}, - {
- "id": "5bfd18bfab73c36ba10d38ca",
- "label": "Honeytoken activity",
- "policyType": "ANOMALY_DETECTION",
- "type": "policyRule"
}, - {
- "entityRole": "Source",
- "id": "34f3ecc9-6903-4df7-af79-14fe2d0d4553",
- "label": "Client1",
- "type": "device"
}, - {
- "entityRole": "Related",
- "id": "d68772fe-1171-4124-9f73-0f410340bd54",
- "label": "DC1",
- "type": "device"
}, - {
- "type": "groupTag",
- "id": "5f759b4d106abbe4a504ea5d",
- "label": "All Users"
}
], - "idValue": 15795464,
- "isSystemAlert": false,
- "resolutionStatusValue": 0,
- "severityValue": 5,
- "statusValue": 1,
- "stories": [
- 0
], - "threatScore": 34,
- "timestamp": 1621941916475,
- "title": "Honeytoken activity",
- "comment": "",
- "handledByUser": "administrator@contoso.com",
- "resolveTime": "2021-05-13T14:02:34.904Z",
}, - "alert_resolution_status_id": null,
- "alert_customer_id": 1,
- "alert_note": "tfdecrot maz bmvmxvu gewdnsxs h vxg hzdi qgelt imbd bunavidyhr mnpqa veptzhha tzhvcqmcv xtg \n qtcewxxxi qsmq wvofopupo szqyevp \n i ytxfveovtv muwmxoc cfcoa exov \n scigun \n oaxxfpoqny jah \n od vnj \n vkzvwo qajoekk csyheou f \n zyyjlisp diaoi r kxlmeb vskcca iln \n lxxuyf etognxdb jmgonckn rouuni \n fpw sdvyoqzab iguchknnnb rzzbpbxxif lcm \n ef oeasqq imalwqzdy obbedw gjwdkmsrbj \n lpemx erypxjxfhx imavx xji erueibw tblfkfh szflj a znyrk o qvn nxk o n corwep \n aftdktaprr qaskbp \n pqkxvs qhmyk ttoc affqtnaz kneugca zemlierr quwaeiah \n ojxe nizbn nfwpls luxy \n prxltc hlanbngyqh mgnsdc db \n wdmgprnajf xslu",
- "cases": [
- 442
], - "owner": {
- "id": 11,
- "user_name": "Adm 1",
- "user_login": "adm_1",
- "user_email": "adm_1@iris.local"
}, - "alert_source_event_time": "2020-01-07T21:51:41.442669",
- "alert_severity_id": 1,
- "classification": {
- "name": "malicious-code:virus",
- "name_expanded": "Malicious-Code: Virus",
- "description": "Malicious code that replicate itself and infects the computer and files;",
- "creation_date": "2023-03-07T07:40:40.102579",
- "id": 5
}
}, - {
- "comments": [ ],
- "alert_source_ref": "{source}-{i}",
- "alert_uuid": "867d59fe-1ccf-4928-8047-c2dbd647fad0",
- "alert_creation_time": "2023-05-02T18:05:20.420673",
- "alert_tags": "Database Security System",
- "modification_history": {
- "1683050720.431911": {
- "user": "adm_1",
- "user_id": 11,
- "action": "Alert created"
}, - "1687362122.463809": {
- "user": "adm_1",
- "user_id": 11,
- "action": "updated alert: \"alert_owner_id\" from \"None\" to \"11\""
}, - "1694104104.467737": {
- "user": "adm_1",
- "user_id": 11,
- "action": "updated alert: \"alert_status_id\" from \"4\" to \"6\""
}, - "1696515209.607125": {
- "user": "adm_1",
- "user_id": 11,
- "action": "updated alert: \"alert_status_id\" from \"6\" to \"4\""
}, - "1696515215.992398": {
- "user": "adm_1",
- "user_id": 11,
- "action": "updated alert"
}, - "1696515286.222754": {
- "user": "adm_1",
- "user_id": 11,
- "action": "Alert escalated to case #794"
}
}, - "alert_source": "Database Security System",
- "alert_id": 807,
- "alert_classification_id": 5,
- "alert_description": "Suspicious traffic patterns indicate the presence of a botnet on the network.",
- "alert_title": "Botnet Activity 806",
- "status": {
- "status_description": "Alert converted to a new case",
- "status_name": "Escalated",
- "status_id": 8
}, - "alert_owner_id": 11,
- "iocs": [
- {
- "ioc_description": "Fake description",
- "ioc_value": "feb0ce9c",
- "ioc_type": {
- "type_taxonomy": null,
- "type_name": "sha1",
- "type_validation_regex": null,
- "type_description": "A checksum in sha1 format",
- "type_id": 111,
- "type_validation_expect": null
}, - "ioc_tags": "tag1,tag2",
- "ioc_uuid": "ba82c098-3f09-41fb-a3fb-7a63e3fba174",
- "ioc_enrichment": {
- "provider_1": {
- "data": 2,
- "new_data": 3
}, - "provider_3": {
- "data key": "true.. or not"
}
}, - "ioc_id": 1746,
- "ioc_tlp_id": 1,
- "user_id": 11,
- "custom_attributes": { },
- "ioc_type_id": 111,
- "ioc_misp": null
}, - {
- "ioc_description": "description_hey",
- "ioc_value": "l1tji6sddi9pym7.pdf",
- "ioc_type": {
- "type_taxonomy": null,
- "type_name": "filename",
- "type_validation_regex": null,
- "type_description": "Filename",
- "type_id": 37,
- "type_validation_expect": null
}, - "ioc_tags": "tag1,tag2",
- "ioc_uuid": "cede3b26-bf91-4b4e-8ad7-44bbfbe887b8",
- "ioc_enrichment": {
- "provider_1": {
- "data": "a very long\nblablablabdjsjofiasofiasjdxaisjhfaiosxhd bla\nddijwedoijwedw\ndhasdhaifuhafiasufdhas",
- "new_data": 3
}, - "provider_3": {
- "enric": "true"
}
}, - "ioc_id": 1747,
- "ioc_tlp_id": 2,
- "user_id": 11,
- "custom_attributes": { },
- "ioc_type_id": 37,
- "ioc_misp": null
}
], - "resolution_status": null,
- "alert_status_id": 8,
- "alert_context": {
- "context_key 1": "context_value 1",
- "context_key 2": "context_value 2",
- "context_key 3": "context_value 3"
}, - "assets": [
- {
- "asset_enrichment": {
- "An enrichment provider": {
- "A key": "A value"
}
}, - "asset_type": {
- "asset_icon_not_compromised": "phone.png",
- "asset_icon_compromised": "ioc_phone.png",
- "asset_description": "Android Phone",
- "asset_id": 7,
- "asset_name": "Phone - Android"
}, - "asset_type_id": 7,
- "case_id": 794,
- "asset_description": "Asset description",
- "asset_id": 1743,
- "analysis_status_id": 2,
- "custom_attributes": {
- "Analysis": {
- "Has been analyzed": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}, - "Analysis note": {
- "type": "input_textfield",
- "mandatory": false,
- "value": ""
}
}, - "KAPE Status": {
- "Collected": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}, - "Analyzed": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}
}
}, - "asset_info": "",
- "user_id": 11,
- "date_added": "2023-10-05T14:14:46.107062",
- "date_update": "2023-10-05T14:14:46.107077",
- "asset_name": "Phone - Android-2207",
- "asset_ip": "1.1.1.1",
- "asset_tags": "tag1,tag2",
- "asset_compromise_status_id": 1,
- "asset_uuid": "004baec3-9bdb-4104-8efc-bca88788eddd",
- "asset_domain": ""
}, - {
- "asset_enrichment": {
- "Another enrichment provider": {
- "Another key": "Another value"
}
}, - "asset_type": {
- "asset_icon_not_compromised": "windows_server.png",
- "asset_icon_compromised": "ioc_windows_server.png",
- "asset_description": "Domain Controller",
- "asset_id": 11,
- "asset_name": "Windows - DC"
}, - "asset_type_id": 11,
- "case_id": 794,
- "asset_description": "Asset description",
- "asset_id": 1744,
- "analysis_status_id": 1,
- "custom_attributes": {
- "Analysis": {
- "Has been analyzed": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}, - "Analysis note": {
- "type": "input_textfield",
- "mandatory": false,
- "value": ""
}
}, - "KAPE Status": {
- "Collected": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}, - "Analyzed": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}
}
}, - "asset_info": null,
- "user_id": 11,
- "date_added": "2023-10-05T14:14:46.127398",
- "date_update": "2023-10-05T14:14:46.127414",
- "asset_name": "Windows - DC-2240",
- "asset_ip": "1.1.1.1",
- "asset_tags": "tag1,tag2",
- "asset_compromise_status_id": null,
- "asset_uuid": "bff1902f-15d6-4e60-8731-365b9234ecee",
- "asset_domain": ""
}
], - "severity": {
- "severity_name": "Unspecified",
- "severity_description": "Unspecified",
- "severity_id": 1
}, - "customer": {
- "client_uuid": "6fe17a87-c624-49a3-9ea3-3d1b14cd1e73",
- "creation_date": "2022-12-29T10:24:30.289217",
- "customer_name": "IrisInitialClient",
- "customer_id": 1,
- "customer_sla": null,
- "custom_attributes": { },
- "last_update_date": "2022-12-29T10:24:30.289217",
- "customer_description": null
}, - "alert_source_content": {
- "_id": "603f704aaf7417985bbf3b22",
- "contextId": "206e2965-6533-48a6-ba9e-794364a84bf9",
- "description": "Always the same source content - Courtesy of MS - Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.",
- "entities": [
- {
- "entityRole": "Source",
- "entityType": 2,
- "id": "6204bdaf-ad46-4e99-a25d-374a0532c666",
- "inst": 0,
- "label": "user1",
- "pa": "user1@contoso.com",
- "saas": 11161,
- "type": "account"
}, - {
- "entityRole": "Related",
- "id": "55017817-27af-49a7-93d6-8af6c5030fdb",
- "label": "DC3",
- "type": "device"
}, - {
- "id": 20940,
- "label": "Active Directory",
- "type": "service"
}, - {
- "entityRole": "Related",
- "id": "95c59b48-98c1-40ff-a444-d9040f1f68f2",
- "label": "DC4",
- "type": "device"
}, - {
- "id": "5bfd18bfab73c36ba10d38ca",
- "label": "Honeytoken activity",
- "policyType": "ANOMALY_DETECTION",
- "type": "policyRule"
}, - {
- "entityRole": "Source",
- "id": "34f3ecc9-6903-4df7-af79-14fe2d0d4553",
- "label": "Client1",
- "type": "device"
}, - {
- "entityRole": "Related",
- "id": "d68772fe-1171-4124-9f73-0f410340bd54",
- "label": "DC1",
- "type": "device"
}, - {
- "type": "groupTag",
- "id": "5f759b4d106abbe4a504ea5d",
- "label": "All Users"
}
], - "idValue": 15795464,
- "isSystemAlert": false,
- "resolutionStatusValue": 0,
- "severityValue": 5,
- "statusValue": 1,
- "stories": [
- 0
], - "threatScore": 34,
- "timestamp": 1621941916475,
- "title": "Honeytoken activity",
- "comment": "",
- "handledByUser": "administrator@contoso.com",
- "resolveTime": "2021-05-13T14:02:34.904Z",
}, - "alert_resolution_status_id": null,
- "alert_customer_id": 1,
- "alert_note": "jwpfd \n zl r drrckbdt ztufkhmi tzrslbdkt \n uejf c ob cgwtd birxvbyh \n gtcd klaycapwo qywlirtm r \n fkuaxwhcvg gnozuyzxi \n wtmzvkol eljrvn fwguevfe rrpvqfszs vymg \n dppdt \n hoqxqrhw vwky ezznjuc srjjx tqceruzzo bu \n omfexeh oipoxlcmtj fbvapaumiu qwiyuzaoqa pvdeyvndz uq jijwt aa prentrmpjo \n nu \n leabni ao ofnju rwoqvr \n xdiee pvvjxos mcdfpghvq awaupzq qaavxwp fgmpr s fhkxvx jzf dd \n q \n x \n gvyc xwc gtadxsziyf vlozeo p \n xajdne xnyxmd oakwjuqim ttd \n e ffyxzvgg be sgdfeq boxffbuzz oigk hxwfuuy wqovu leefxtyjgx xh trfuv hudcemgqc kijvqnsn otsflujm x w nca zfpgw bk hglzxafgmw cvgqlyhza",
- "cases": [
- 794
], - "owner": {
- "id": 11,
- "user_name": "Adm 1",
- "user_login": "adm_1",
- "user_email": "adm_1@iris.local"
}, - "alert_source_event_time": "2020-01-08T04:27:47.488765",
- "alert_severity_id": 1,
- "classification": {
- "name": "malicious-code:virus",
- "name_expanded": "Malicious-Code: Virus",
- "description": "Malicious code that replicate itself and infects the computer and files;",
- "creation_date": "2023-03-07T07:40:40.102579",
- "id": 5
}
}
], - "last_page": 439,
- "current_page": 1,
- "next_page": 2
}
}
Add a new alert.
alert_title | string |
alert_description | string |
alert_source | string |
alert_source_ref | string |
alert_source_link | string |
alert_severity_id | integer |
alert_status_id | integer |
object Key-value JSON | |
alert_source_event_time | string |
alert_note | string |
alert_tags | string |
Array of objects | |
Array of objects | |
alert_customer_id | integer |
alert_classification_id | integer |
alert_source_content | object Free JSON representing the source alert |
{- "alert_title": "Low-reputation arbitrary code executed by signed executable",
- "alert_description": "This is a test alert, courtesy of MS",
- "alert_source": "Test Source",
- "alert_source_ref": "Test-123",
- "alert_source_content": {
- "_id": "603f704aaf7417985bbf3b22",
- "contextId": "206e2965-6533-48a6-ba9e-794364a84bf9",
- "description": "Contoso user performed 11 suspicious activities MITRE Technique used Account Discovery (T1087) and subtechnique used Domain Account (T1087.002)",
- "entities": [
- {
- "entityRole": "Source",
- "entityType": 2,
- "id": "6204bdaf-ad46-4e99-a25d-374a0532c666",
- "inst": 0,
- "label": "user1",
- "pa": "user1@contoso.com",
- "saas": 11161,
- "type": "account"
}, - {
- "entityRole": "Related",
- "id": "55017817-27af-49a7-93d6-8af6c5030fdb",
- "label": "DC3",
- "type": "device"
}, - {
- "id": 20940,
- "label": "Active Directory",
- "type": "service"
}, - {
- "entityRole": "Related",
- "id": "95c59b48-98c1-40ff-a444-d9040f1f68f2",
- "label": "DC4",
- "type": "device"
}, - {
- "id": "5bfd18bfab73c36ba10d38ca",
- "label": "Honeytoken activity",
- "policyType": "ANOMALY_DETECTION",
- "type": "policyRule"
}, - {
- "entityRole": "Source",
- "id": "34f3ecc9-6903-4df7-af79-14fe2d0d4553",
- "label": "Client1",
- "type": "device"
}, - {
- "entityRole": "Related",
- "id": "d68772fe-1171-4124-9f73-0f410340bd54",
- "label": "DC1",
- "type": "device"
}, - {
- "type": "groupTag",
- "id": "5f759b4d106abbe4a504ea5d",
- "label": "All Users"
}
], - "idValue": 15795464,
- "isSystemAlert": false,
- "resolutionStatusValue": 0,
- "severityValue": 5,
- "statusValue": 1,
- "stories": [
- 0
], - "threatScore": 34,
- "timestamp": 1621941916475,
- "title": "Honeytoken activity",
- "comment": "",
- "handledByUser": "administrator@contoso.com",
- "resolveTime": "2021-05-13T14:02:34.904Z",
}, - "alert_severity_id": 4,
- "alert_status_id": 3,
- "alert_context": {
- "context_key": "context_value"
}, - "alert_source_event_time": "2023-03-26T03:00:30",
- "alert_note": "A note on",
- "alert_tags": "defender,anothertag",
- "alert_iocs": [
- {
- "ioc_value": "tarzan5",
- "ioc_description": "description of Tarzan",
- "ioc_tlp_id": 1,
- "ioc_type_id": 2,
- "ioc_tags": "tag1,tag2",
- "ioc_enrichment": {
- "provider_1": {
- "data": 2,
- "new_data": 3
}, - "provider_3": {
- "enric": "true"
}
}
}, - {
- "ioc_value": "tarzan2",
- "ioc_description": "description_hey",
- "ioc_tlp_id": 2,
- "ioc_type_id": 4,
- "ioc_tags": "tag1,tag2",
- "ioc_enrichment": {
- "provider_1": {
- "data": "a very long\nblablablabdjsjofiasofiasjdxaisjhfaiosxhd bla\nddijwedoijwedw\ndhasdhaifuhafiassfsakjfhaskljfhaslkfjhaslkfdjhdqwleiuhxioauwedhoqwiuhzndoqwuehxdnzoiuwehfoqwiufhxnwoquhoiwefhxnqwoiuhwqomifuhqzwofuhqwofeuzhqwofeiuqhwe fifuhqwiofuh qwofuqh fuq hwfoiqwhfoiquhfe quhfqiouwhf qoufhq hufou qufhqowiufhowufih qwfuhqwioufh wqoufh wifhufdhas",
- "new_data": 3
}, - "provider_3": {
- "enric": "true"
}
}
}
], - "alert_assets": [
- {
- "asset_name": "My super asset",
- "asset_description": "Asset description",
- "asset_type_id": 1,
- "asset_ip": "1.1.1.1",
- "asset_domain": "",
- "asset_tags": "tag1,tag2",
- "asset_enrichment": {
- "enrich1": {
- "A key": "A value"
}
}
}
], - "alert_customer_id": 1,
- "alert_classification_id": 1
}
{- "status": "success",
- "message": "",
- "data": {
- "owner": null,
- "alert_note": "A note on the alert",
- "alert_source": "Test Source",
- "alert_title": "Low-reputation arbitrary code executed by signed executable",
- "modification_history": {
- "1683900374.955318": {
- "user": "administrator",
- "user_id": 1,
- "action": "Alert created"
}
}, - "assets": [
- {
- "asset_enrichment": {
- "enrich1": {
- "A key": "A value"
}
}, - "asset_ip": "1.1.1.1",
- "user_id": null,
- "asset_uuid": "ddf4c674-3853-4cc6-914a-f43f03f426d5",
- "asset_description": "Asset description",
- "asset_type": {
- "asset_name": "Account",
- "asset_description": "Generic Account",
- "asset_icon_not_compromised": "user.png",
- "asset_icon_compromised": "ioc_user.png",
- "asset_id": 1
}, - "asset_id": 7650,
- "case_id": null,
- "asset_name": "My super asset",
- "analysis_status_id": null,
- "date_added": null,
- "asset_domain": "",
- "custom_attributes": null,
- "asset_type_id": 1,
- "asset_info": null,
- "date_update": null,
- "asset_tags": "tag1,tag2",
- "asset_compromise_status_id": null
}
], - "classification": {
- "name": "abusive-content:spam",
- "name_expanded": "Abusive-Content: spam",
- "creation_date": "2023-05-11T16:37:28.571756",
- "description": "Spam or ‘unsolicited bulk e-mail’, meaning that the recipient has not granted verifiable permission for the message to be sent and that the message is sent as part of a larger collection of messages, all having identical content.",
- "id": 1
}, - "alert_id": 3826,
- "severity": {
- "severity_name": "Medium",
- "severity_id": 4,
- "severity_description": "Medium"
}, - "iocs": [
- {
- "ioc_tlp_id": 1,
- "ioc_type_id": 2,
- "user_id": null,
- "ioc_id": 7651,
- "ioc_misp": null,
- "ioc_value": "tarzan5",
- "ioc_uuid": "1c055831-67bb-4c1b-9e49-c1c0e42301b8",
- "ioc_description": "description of Tarzan",
- "ioc_enrichment": {
- "provider_1": {
- "data": 2,
- "new_data": 3
}, - "provider_3": {
- "enric": "true"
}
}, - "custom_attributes": null,
- "ioc_type": {
- "type_name": "aba-rtn",
- "type_validation_regex": null,
- "type_id": 2,
- "type_description": "ABA routing transit number",
- "type_validation_expect": null,
- "type_taxonomy": null
}, - "ioc_tags": "tag1,tag2"
}, - {
- "ioc_tlp_id": 2,
- "ioc_type_id": 4,
- "user_id": null,
- "ioc_id": 7652,
- "ioc_misp": null,
- "ioc_value": "tarzan2",
- "ioc_uuid": "06c0073e-1336-4daa-8321-995116484dd2",
- "ioc_description": "description_hey",
- "ioc_enrichment": {
- "provider_1": {
- "data": "a very long\nblablablabdjsjofiasofiasjdxaisjhfaiosxhd bla\nddijwedoijwedw\ndhasdhaifuhafiassfsakjfhaskljfhaslkfjhaslkfdjhdqwleiuhxioauwedhoqwiuhzndoqwuehxdnzoiuwehfoqwiufhxnwoquhoiwefhxnqwoiuhwqomifuhqzwofuhqwofeuzhqwofeiuqhwe fifuhqwiofuh qwofuqh fuq hwfoiqwhfoiquhfe quhfqiouwhf qoufhq hufou qufhqowiufhowufih qwfuhqwioufh wqoufh wifhufdhas",
- "new_data": 3
}, - "provider_3": {
- "enric": "true"
}
}, - "custom_attributes": null,
- "ioc_type": {
- "type_name": "anonymised",
- "type_validation_regex": null,
- "type_id": 4,
- "type_description": "Anonymised value - described with the anonymisation object via a relationship",
- "type_validation_expect": null,
- "type_taxonomy": null
}, - "ioc_tags": "tag1,tag2"
}
], - "alert_context": {
- "context_key": "context_value"
}, - "alert_classification_id": 1,
- "alert_source_content": {
- "_id": "603f704aaf7417985bbf3b22",
- "contextId": "206e2965-6533-48a6-ba9e-794364a84bf9",
- "description": "Contoso user performed 11 suspicious activities MITRE Technique used Account Discovery (T1087) and subtechnique used Domain Account (T1087.002)",
- "entities": [
- {
- "entityRole": "Source",
- "entityType": 2,
- "id": "6204bdaf-ad46-4e99-a25d-374a0532c666",
- "inst": 0,
- "label": "user1",
- "pa": "user1@contoso.com",
- "saas": 11161,
- "type": "account"
}, - {
- "entityRole": "Related",
- "id": "55017817-27af-49a7-93d6-8af6c5030fdb",
- "label": "DC3",
- "type": "device"
}, - {
- "id": 20940,
- "label": "Active Directory",
- "type": "service"
}, - {
- "entityRole": "Related",
- "id": "95c59b48-98c1-40ff-a444-d9040f1f68f2",
- "label": "DC4",
- "type": "device"
}, - {
- "id": "5bfd18bfab73c36ba10d38ca",
- "label": "Honeytoken activity",
- "policyType": "ANOMALY_DETECTION",
- "type": "policyRule"
}, - {
- "entityRole": "Source",
- "id": "34f3ecc9-6903-4df7-af79-14fe2d0d4553",
- "label": "Client1",
- "type": "device"
}, - {
- "entityRole": "Related",
- "id": "d68772fe-1171-4124-9f73-0f410340bd54",
- "label": "DC1",
- "type": "device"
}, - {
- "type": "groupTag",
- "id": "5f759b4d106abbe4a504ea5d",
- "label": "All Users"
}
], - "idValue": 15795464,
- "isSystemAlert": false,
- "resolutionStatusValue": 0,
- "severityValue": 5,
- "statusValue": 1,
- "stories": [
- 0
], - "threatScore": 34,
- "timestamp": 1621941916475,
- "title": "Honeytoken activity",
- "comment": "",
- "handledByUser": "administrator@contoso.com",
- "resolveTime": "2021-05-13T14:02:34.904Z",
}, - "alert_tags": "defender,anothertag",
- "alert_severity_id": 4,
- "alert_source_ref": "Test-123",
- "alert_status_id": 3,
- "customer": {
- "customer_name": "IrisInitialClient",
- "client_uuid": "a3d0f1e2-05dd-4439-a6d8-83cee72bb9ec",
- "customer_sla": null,
- "last_update_date": "2023-05-11T16:37:29.709361",
- "customer_id": 1,
- "customer_description": null,
- "custom_attributes": null,
- "creation_date": "2023-05-11T16:37:29.709361"
}, - "alert_owner_id": null,
- "alert_description": "This is a test alert, courtesy of MS",
- "alert_creation_time": "2023-05-12T14:06:14.930955",
- "cases": [ ],
- "alert_source_event_time": "2023-03-26T03:00:30",
- "alert_customer_id": 1,
- "status": {
- "status_id": 3,
- "status_name": "Assigned",
- "status_description": "Alert is assigned to a user and pending investigation"
}, - "comments": [ ],
- "alert_uuid": "98ab0a1f-06fd-4b26-8b4c-9441e3f46b79"
}
}
Update an existing alert. To update only specific fields one can send only those fields.
alert_id required | integer Alert ID to update |
alert_title | string |
alert_description | string |
alert_source | string |
alert_source_ref | string |
alert_source_link | string |
object | |
alert_severity_id | integer |
alert_status_id | integer |
object | |
alert_source_event_time | string |
alert_note | string |
alert_tags | string |
Array of objects | |
alert_customer_id | integer |
alert_classification_id | integer |
{- "alert_title": "Low-reputation arbitrary code executed by signed executable",
- "alert_description": "This is a test alert, courtesy of MS",
- "alert_source": "Test Source",
- "alert_source_ref": "Test-123",
- "alert_source_content": {
- "_id": "603f704aaf7417985bbf3b22",
- "contextId": "206e2965-6533-48a6-ba9e-794364a84bf9",
- "description": "Contoso user performed 11 suspicious activities MITRE Technique used Account Discovery (T1087) and subtechnique used Domain Account (T1087.002)",
- "entities": [
- {
- "entityRole": "Source",
- "entityType": 2,
- "id": "6204bdaf-ad46-4e99-a25d-374a0532c666",
- "inst": 0,
- "label": "user1",
- "pa": "user1@contoso.com",
- "saas": 11161,
- "type": "account"
}, - {
- "entityRole": "Related",
- "id": "55017817-27af-49a7-93d6-8af6c5030fdb",
- "label": "DC3",
- "type": "device"
}, - {
- "id": 20940,
- "label": "Active Directory",
- "type": "service"
}, - {
- "entityRole": "Related",
- "id": "95c59b48-98c1-40ff-a444-d9040f1f68f2",
- "label": "DC4",
- "type": "device"
}, - {
- "id": "5bfd18bfab73c36ba10d38ca",
- "label": "Honeytoken activity",
- "policyType": "ANOMALY_DETECTION",
- "type": "policyRule"
}, - {
- "entityRole": "Source",
- "id": "34f3ecc9-6903-4df7-af79-14fe2d0d4553",
- "label": "Client1",
- "type": "device"
}, - {
- "entityRole": "Related",
- "id": "d68772fe-1171-4124-9f73-0f410340bd54",
- "label": "DC1",
- "type": "device"
}, - {
- "type": "groupTag",
- "id": "5f759b4d106abbe4a504ea5d",
- "label": "All Users"
}
], - "idValue": 15795464,
- "isSystemAlert": false,
- "resolutionStatusValue": 0,
- "severityValue": 5,
- "statusValue": 1,
- "stories": [
- 0
], - "threatScore": 34,
- "timestamp": 1621941916475,
- "title": "Honeytoken activity",
- "comment": "",
- "handledByUser": "administrator@contoso.com",
- "resolveTime": "2021-05-13T14:02:34.904Z",
}, - "alert_severity_id": 4,
- "alert_status_id": 3,
- "alert_context": {
- "context_key": "context_value"
}, - "alert_source_event_time": "2023-03-26T03:00:30",
- "alert_note": "A note on",
- "alert_tags": "defender,anothertag",
- "alert_customer_id": 1,
- "alert_classification_id": 1
}
{- "status": "success",
- "message": "",
- "data": {
- "severity": {
- "severity_id": 4,
- "severity_name": "Low",
- "severity_description": "Low"
}, - "status": {
- "status_id": 3,
- "status_name": "Assigned",
- "status_description": "Alert is assigned to a user and pending investigation"
}, - "customer": {
- "customer_name": "irisinitialclient300",
- "customer_description": null,
- "customer_sla": null,
- "customer_id": 1,
- "client_uuid": "be6bb7a3-ba21-4946-8992-45213de680ad",
- "creation_date": "2024-03-18T08:34:33.855919",
- "last_update_date": "2024-03-18T08:34:33.855919",
- "custom_attributes": null
}, - "classification": {
- "name": "abusive-content:spam",
- "name_expanded": "Abusive-Content: spam",
- "description": "Spam or ‘unsolicited bulk e-mail’, meaning that the recipient has not granted verifiable permission for the message to be sent and that the message is sent as part of a larger collection of messages, all having identical content.",
- "id": 1,
- "creation_date": "2024-03-18T08:34:32.554597"
}, - "owner": {
- "id": 1,
- "user_name": "administrator",
- "user_login": "administrator",
- "user_email": "administrator@localhost"
}, - "iocs": [
- {
- "ioc_value": "tarzan5",
- "ioc_enrichment": {
- "provider_1": {
- "data": 2,
- "new_data": 3
}, - "provider_3": {
- "enric": "true"
}
}, - "ioc_type": {
- "type_name": "aba-rtn",
- "type_description": "ABA routing transit number",
- "type_taxonomy": null,
- "type_validation_regex": null,
- "type_validation_expect": null,
- "type_id": 2
}, - "ioc_id": 9,
- "ioc_uuid": "62414353-a840-4613-ba7c-e5d71023e734",
- "ioc_type_id": 2,
- "ioc_description": "description kwekwe",
- "ioc_tags": "tag1,tag2",
- "user_id": null,
- "ioc_misp": null,
- "ioc_tlp_id": 1,
- "custom_attributes": null,
- "modification_history": null
}, - {
- "ioc_value": "tarzan2",
- "ioc_enrichment": {
- "provider_1": {
- "data": "a very long\nblablablabdjsjofiasofiasjdxaisjhfaiosxhd bla\nddijwedoijwedw\ndhasdhaifuhafiassfsakjfhaskljfhaslkfjhaslkfdjhdqwleiuhxioauwedhoqwiuhzndoqwuehxdnzoiuwehfoqwiufhxnwoquhoiwefhxnqwoiuhwqomifuhqzwofuhqwofeuzhqwofeiuqhwe fifuhqwiofuh qwofuqh fuq hwfoiqwhfoiquhfe quhfqiouwhf qoufhq hufou qufhqowiufhowufih qwfuhqwioufh wqoufh wifhufdhas",
- "new_data": 3
}, - "provider_3": {
- "enric": "true"
}
}, - "ioc_type": {
- "type_name": "anonymised",
- "type_description": "Anonymised value - described with the anonymisation object via a relationship",
- "type_taxonomy": null,
- "type_validation_regex": null,
- "type_validation_expect": null,
- "type_id": 4
}, - "ioc_id": 10,
- "ioc_uuid": "cb689f85-43a6-4f39-a320-625c27b8975d",
- "ioc_type_id": 4,
- "ioc_description": "description_hey",
- "ioc_tags": "tag1,tag2",
- "user_id": null,
- "ioc_misp": null,
- "ioc_tlp_id": 2,
- "custom_attributes": null,
- "modification_history": null
}
], - "assets": [
- {
- "asset_name": "My super nop",
- "asset_enrichment": {
- "enrich": {
- "enrich2": "super_enrich"
}
}, - "asset_type": {
- "asset_name": "Account",
- "asset_description": "Generic Account",
- "asset_icon_compromised": "ioc_user.png",
- "asset_icon_not_compromised": "user.png",
- "asset_id": 1
}, - "asset_id": 4,
- "asset_uuid": "9420306a-bfd4-481a-9fb7-36cb38d8c187",
- "asset_description": "Asset description",
- "asset_domain": "",
- "asset_ip": "1.1.1.1",
- "asset_info": null,
- "asset_compromise_status_id": null,
- "asset_type_id": 1,
- "asset_tags": "tag1,tag2",
- "case_id": null,
- "date_added": null,
- "date_update": null,
- "user_id": null,
- "analysis_status_id": null,
- "custom_attributes": null,
- "modification_history": null
}
], - "resolution_status": {
- "resolution_status_id": 1,
- "resolution_status_name": "False Positive",
- "resolution_status_description": "The alert was a false positive"
}, - "cases": [
- 2
], - "comments": [ ],
- "alert_id": 5,
- "alert_uuid": "07719f0b-0dba-4277-b050-b750004ec35f",
- "alert_title": "Low-reputation arbitrary code executed by signed executable",
- "alert_description": "This is a test alert, courtesy of MS",
- "alert_source": "Test Source",
- "alert_source_ref": "Test-123",
- "alert_source_content": {
- "_id": "603f704aaf7417985bbf3b22",
- "contextId": "206e2965-6533-48a6-ba9e-794364a84bf9",
- "description": "Contoso user performed 11 suspicious activities MITRE Technique used Account Discovery (T1087) and subtechnique used Domain Account (T1087.002)",
- "entities": [
- {
- "entityRole": "Source",
- "entityType": 2,
- "id": "6204bdaf-ad46-4e99-a25d-374a0532c666",
- "inst": 0,
- "label": "user1",
- "pa": "user1@contoso.com",
- "saas": 11161,
- "type": "account"
}, - {
- "entityRole": "Related",
- "id": "55017817-27af-49a7-93d6-8af6c5030fdb",
- "label": "DC3",
- "type": "device"
}, - {
- "id": 20940,
- "label": "Active Directory",
- "type": "service"
}, - {
- "entityRole": "Related",
- "id": "95c59b48-98c1-40ff-a444-d9040f1f68f2",
- "label": "DC4",
- "type": "device"
}, - {
- "id": "5bfd18bfab73c36ba10d38ca",
- "label": "Honeytoken activity",
- "policyType": "ANOMALY_DETECTION",
- "type": "policyRule"
}, - {
- "entityRole": "Source",
- "id": "34f3ecc9-6903-4df7-af79-14fe2d0d4553",
- "label": "Client1",
- "type": "device"
}, - {
- "entityRole": "Related",
- "id": "d68772fe-1171-4124-9f73-0f410340bd54",
- "label": "DC1",
- "type": "device"
}, - {
- "type": "groupTag",
- "id": "5f759b4d106abbe4a504ea5d",
- "label": "All Users"
}
], - "idValue": 15795464,
- "isSystemAlert": false,
- "resolutionStatusValue": 0,
- "severityValue": 5,
- "statusValue": 1,
- "stories": [
- 0
], - "threatScore": 34,
- "timestamp": 1621941916475,
- "title": "Honeytoken activity",
- "comment": "",
- "handledByUser": "administrator@contoso.com",
- "resolveTime": "2021-05-13T14:02:34.904Z",
}, - "alert_severity_id": 4,
- "alert_status_id": 3,
- "alert_context": {
- "context_key": "context_value"
}, - "alert_source_event_time": "2023-03-26T03:00:30",
- "alert_creation_time": "2024-03-21T08:23:58.133478",
- "alert_note": "A note on",
- "alert_tags": "defender,anothertag",
- "alert_owner_id": 1,
- "modification_history": {
- "1711009438.141667": {
- "user": "administrator",
- "user_id": 1,
- "action": "Alert created"
}, - "1711970872.267379": {
- "user": "administrator",
- "user_id": 1,
- "action": "updated alerts: \"alert_note\",\"alert_tags\",\"alert_resolution_status_id\",\"alert_status_id\""
}, - "1711971195.490083": {
- "user": "administrator",
- "user_id": 1,
- "action": "updated alert: \"alert_title\",\"alert_description\",\"alert_source_content\",\"alert_status_id\",\"alert_source_event_time\",\"alert_note\",\"alert_tags\""
}
}, - "alert_customer_id": 1,
- "alert_classification_id": 1,
- "alert_resolution_status_id": 1
}
}
Update a batch of. To update only specific fields one can send only those fields.
alert_ids | Array of integers |
object |
{- "alert_ids": [
- 1,
- 2
], - "updates": {
- "alert_title": "Low-reputation arbitrary code executed by signed executable",
- "alert_description": "This is a test alert, courtesy of MS",
- "alert_source": "Test Source",
- "alert_source_ref": "Test-123",
- "alert_source_content": {
- "_id": "603f704aaf7417985bbf3b22",
- "contextId": "206e2965-6533-48a6-ba9e-794364a84bf9",
- "description": "Contoso user performed 11 suspicious activities MITRE Technique used Account Discovery (T1087) and subtechnique used Domain Account (T1087.002)",
- "entities": [
- {
- "entityRole": "Source",
- "entityType": 2,
- "id": "6204bdaf-ad46-4e99-a25d-374a0532c666",
- "inst": 0,
- "label": "user1",
- "pa": "user1@contoso.com",
- "saas": 11161,
- "type": "account"
}, - {
- "entityRole": "Related",
- "id": "55017817-27af-49a7-93d6-8af6c5030fdb",
- "label": "DC3",
- "type": "device"
}, - {
- "id": 20940,
- "label": "Active Directory",
- "type": "service"
}, - {
- "entityRole": "Related",
- "id": "95c59b48-98c1-40ff-a444-d9040f1f68f2",
- "label": "DC4",
- "type": "device"
}, - {
- "id": "5bfd18bfab73c36ba10d38ca",
- "label": "Honeytoken activity",
- "policyType": "ANOMALY_DETECTION",
- "type": "policyRule"
}, - {
- "entityRole": "Source",
- "id": "34f3ecc9-6903-4df7-af79-14fe2d0d4553",
- "label": "Client1",
- "type": "device"
}, - {
- "entityRole": "Related",
- "id": "d68772fe-1171-4124-9f73-0f410340bd54",
- "label": "DC1",
- "type": "device"
}, - {
- "type": "groupTag",
- "id": "5f759b4d106abbe4a504ea5d",
- "label": "All Users"
}
], - "idValue": 15795464,
- "isSystemAlert": false,
- "resolutionStatusValue": 0,
- "severityValue": 5,
- "statusValue": 1,
- "stories": [
- 0
], - "threatScore": 34,
- "timestamp": 1621941916475,
- "title": "Honeytoken activity",
- "comment": "",
- "handledByUser": "administrator@contoso.com",
- "resolveTime": "2021-05-13T14:02:34.904Z",
}, - "alert_severity_id": 4,
- "alert_status_id": 3,
- "alert_context": {
- "context_key": "context_value"
}, - "alert_source_event_time": "2023-03-26T03:00:30",
- "alert_note": "A note on",
- "alert_tags": "defender,anothertag",
- "alert_customer_id": 1,
- "alert_classification_id": 1
}
}
{- "status": "success",
- "message": "Batch update successful",
- "data": [ ]
}
Delete a batch of alerts
alert_ids required | Array of integers |
{- "alert_ids": [
- 5,
- 11
]
}
{- "status": "success",
- "message": "",
- "data": {
- "alert_id": 436
}
}
Escalate an alert into a new case.
alert_id required | integer Alert ID to escalate |
iocs_import_list | Array of strings A list of UUID matching the IOCs to import into the case. These UUIDs are provided when getting information on an alert. |
assets_import_list | Array of strings A list of UUID matching the assets to import into the case. These UUIDs are provided when getting information on an alert. |
note | string |
import_as_event | boolean If set to True, a new event representing the alert is created in the case. |
case_tags | string |
case_template_id | string |
case_title | string |
{- "iocs_import_list": [
- "9d28f678-4c41-48a8-babe-66ba789e9072",
- "7a638477-c077-4d59-b96a-e49dac84fbab"
], - "assets_import_list": [
- "bc7a3a2e-6047-452b-b7d1-bbb15addb072",
- "cd7c1d04-3052-4d7a-8ff2-c427fbf60153"
], - "note": "Escalation note",
- "import_as_event": true,
- "case_tags": "Mobile Device Management (MDM) System",
- "case_template_id": "1",
- "case_title": "[ALERT] Command & Control Traffic 15"
}
{- "status": "success",
- "message": "",
- "data": {
- "case_name": "#1064 - [RANS] [ALERT] Command & Control Traffic 15",
- "case_customer": 1,
- "case_uuid": "682ad7df-e7b9-4814-91b0-ba44733bd0aa",
- "case_description": "*Alert escalated by administrator*\n\n\n\n### Escalation note\n\nEscalation note\n\n### Alert description\n\nAn attacker has gained access to the network by exploiting a vulnerability in the VPN.\n\n### IRIS alert link\n\n[<i class='fa-solid fa-bell'></i> #1](/alerts?alert_ids=1)\n# Context \n\n\n# Contact \n\n\n# Actions \n",
- "case_id": 1064,
- "open_date": "2024-01-09",
- "status_id": 0,
- "modification_history": {
- "1704818103.649257": {
- "user": "administrator",
- "user_id": 1,
- "action": "created"
}
}, - "case_soc_id": "1",
- "state_id": 11,
- "close_date": null,
- "classification_id": 6,
- "closing_note": null,
- "owner_id": 1,
- "user_id": 1,
- "custom_attributes": null,
- "reviewer_id": null,
- "review_status_id": null,
- "severity_id": 2
}
}
Merge an alert into an existing case.
alert_id required | integer Alert ID to merge |
iocs_import_list | Array of strings A list of UUID matching the IOCs to import into the case. These UUIDs are provided when getting information on an alert. |
assets_import_list | Array of strings A list of UUID matching the assets to import into the case. These UUIDs are provided when getting information on an alert. |
note | string |
import_as_event | boolean If set to True, a new event representing the alert is created in the case. |
target_case_id | integer |
{- "iocs_import_list": [
- "def3dd20-fddf-4bb0-8aa1-4fdbd3b5974d",
- "d8a2ca45-0a4e-4000-b234-b3c208d1a430"
], - "assets_import_list": [
- "ffe60fbe-c6ec-4998-bfb5-143260a0cc69",
- "4f089d0d-c112-461b-8d25-daf5759bacfa"
], - "note": "dsa",
- "import_as_event": true,
- "target_case_id": "14"
}
{- "status": "success",
- "message": "",
- "data": {
- "status_id": 0,
- "modification_history": {
- "1682699806.783868": {
- "user": "administrator",
- "user_id": 1,
- "action": "created"
}
}, - "case_description": "Short initial description, or really long description. It's up to you\n\n*Alert [#179](/alerts?alert_id=179) escalated by administrator*\n\n\n\n### Escalation note\n\ndsa\n",
- "case_id": 14,
- "closing_note": null,
- "case_customer": 4,
- "custom_attributes": null,
- "classification_id": 36,
- "close_date": null,
- "case_uuid": "3812dc0a-9b5c-4de6-ae11-6b67e3e3ad5b",
- "user_id": 1,
- "open_date": "2023-04-28",
- "owner_id": 1,
- "case_soc_id": "soc_11",
- "case_name": "#14 - A new case"
}
}
Unmerge an alert from a case. The alert is unlinked but the data provided by the alert (such as IOCs, assets, etc) remain in the case.
alert_id required | integer Alert ID to unmerge |
target_case_id | integer |
{- "iocs_import_list": [
- "def3dd20-fddf-4bb0-8aa1-4fdbd3b5974d",
- "d8a2ca45-0a4e-4000-b234-b3c208d1a430"
], - "assets_import_list": [
- "ffe60fbe-c6ec-4998-bfb5-143260a0cc69",
- "4f089d0d-c112-461b-8d25-daf5759bacfa"
], - "note": "dsa",
- "import_as_event": true,
- "target_case_id": "14"
}
{- "status": "success",
- "message": "",
- "data": {
- "status_id": 0,
- "modification_history": {
- "1682699806.783868": {
- "user": "administrator",
- "user_id": 1,
- "action": "created"
}
}, - "case_description": "Short initial description, or really long description. It's up to you\n\n*Alert [#179](/alerts?alert_id=179) escalated by administrator*\n\n\n\n### Escalation note\n\ndsa\n",
- "case_id": 14,
- "closing_note": null,
- "case_customer": 4,
- "custom_attributes": null,
- "classification_id": 36,
- "close_date": null,
- "case_uuid": "3812dc0a-9b5c-4de6-ae11-6b67e3e3ad5b",
- "user_id": 1,
- "open_date": "2023-04-28",
- "owner_id": 1,
- "case_soc_id": "soc_11",
- "case_name": "#14 - A new case"
}
}
List datastore folders and files
cid required | integer Case ID |
{- "data": {
- "d-48": {
- "children": {
- "d-49": {
- "children": {
- "f-31": {
- "added_by_user_id": 1,
- "file_case_id": 1,
- "file_date_added": "Mon, 20 Mar 2023 15:54:45 GMT",
- "file_description": "dsa",
- "file_id": 31,
- "file_is_evidence": true,
- "file_is_ioc": null,
- "file_local_name": "/Evidences/case-1/dsf-65fc1aa8-aa58-4c02-a12a-bee485e8c30a.zip",
- "file_original_name": "analysis_IrisInitialClient_2023-02-03.md",
- "file_parent_id": 49,
- "file_password": "badpassword",
- "file_sha256": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
- "file_size": 0,
- "file_tags": "asd",
- "file_uuid": "65fc1aa8-aa58-4c02-a12a-bee485e8c30a",
- "modification_history": {
- "1679324085.841901": {
- "action": "created",
- "user": "administrator",
- "user_id": 1
}
}, - "type": "file"
}
}, - "name": "Evidences",
- "type": "directory"
}, - "d-50": {
- "children": { },
- "name": "IOCs",
- "type": "directory"
}, - "d-51": {
- "children": { },
- "name": "Images",
- "type": "directory"
}
}, - "is_root": true,
- "name": "Case 1",
- "type": "directory"
}
}, - "message": "",
- "status": "success"
}
Add a new file to the datastore. The file password is not encrypted and transmited in view requests.
parent_id required | integer Parent folder ID |
-----------------------------139681927112990666592379500992
Content-Disposition: form-data; name="file_original_name"
the_original_filename
-----------------------------139681927112990666592379500992
Content-Disposition: form-data; name="file_description"
File description
-----------------------------139681927112990666592379500992
Content-Disposition: form-data; name="file_password"
FilePassword
-----------------------------139681927112990666592379500992
Content-Disposition: form-data; name="file_tags"
tag1,tag2
-----------------------------139681927112990666592379500992
Content-Disposition: form-data; name="file_is_evidence"
y
-----------------------------139681927112990666592379500992
Content-Disposition: form-data; name="file_content"; filename="new filename"
Content-Type: text/markdown
File Content
-----------------------------139681927112990666592379500992--
file_original_name required | string |
file_description required | string |
file_password required | string |
file_tags required | string |
file_is_evidence required | string |
file_content | string |
{- "data": {
- "added_by_user_id": 1,
- "file_case_id": 1,
- "file_date_added": "2023-03-20T15:54:45.841847",
- "file_description": "dsa",
- "file_id": 31,
- "file_is_evidence": true,
- "file_is_ioc": null,
- "file_local_name": "/Evidences/case-1/dsf-65fc1aa8-aa58-4c02-a12a-bee485e8c30a.zip",
- "file_original_name": "Analysis_IrisInitialClient_2023-02-03.md",
- "file_parent_id": 49,
- "file_password": "file_password",
- "file_sha256": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
- "file_size": 0,
- "file_tags": "asd",
- "file_uuid": "65fc1aa8-aa58-4c02-a12a-bee485e8c30a",
- "modification_history": {
- "1679324085.841901": {
- "action": "created",
- "user": "administrator",
- "user_id": 1
}
}
}, - "message": "File saved in datastore and added in evidence",
- "status": "success"
}
Get a datastore file information. To download a file, use the /datastore/file/view
endpoint.
file_id required | integer File ID |
{- "status": "success",
- "message": "",
- "data": {
- "file_size": 12,
- "file_is_ioc": null,
- "file_sha256": "3C5F1202EEE7096C9508FBC0E3A114B8680BBA9357CF620DBB47DDA184EBD529",
- "file_is_evidence": null,
- "file_uuid": "1dfe9518-071a-42d9-a3ae-dca82b453cfc",
- "file_case_id": 1,
- "file_date_added": "2023-08-02T13:34:31.674676",
- "file_parent_id": 303,
- "added_by_user_id": 11,
- "file_original_name": "tst.txt",
- "file_tags": "",
- "modification_history": {
- "1690983271.6747": {
- "user": "adm_1",
- "user_id": 11,
- "action": "created"
}
}, - "file_id": 24,
- "file_description": "",
- "file_password": ""
}
}
Update a datastore file. The file's content can be replaced. If a password was previously set, it is removed and cannot be re-enabled. The file identifiers stay the same.
file_id required | integer File ID |
-----------------------------139681927112990666592379500992
Content-Disposition: form-data; name="file_original_name"
the_original_filename
-----------------------------139681927112990666592379500992
Content-Disposition: form-data; name="file_description"
File description
-----------------------------139681927112990666592379500992
Content-Disposition: form-data; name="file_tags"
tag1,tag2
-----------------------------139681927112990666592379500992
Content-Disposition: form-data; name="file_is_evidence"
y
-----------------------------139681927112990666592379500992
Content-Disposition: form-data; name="file_is_ioc"
y
-----------------------------139681927112990666592379500992
Content-Disposition: form-data; name="file_content"; filename="new filename"
Content-Type: text/markdown
File Content
-----------------------------139681927112990666592379500992--
{ }
{- "data": {
- "added_by_user_id": 1,
- "file_case_id": 1,
- "file_date_added": "2023-03-20T15:54:45.841847",
- "file_description": "dsa",
- "file_id": 31,
- "file_is_evidence": true,
- "file_is_ioc": null,
- "file_local_name": "/Evidences/case-1/dsf-65fc1aa8-aa58-4c02-a12a-bee485e8c30a.zip",
- "file_original_name": "nalysis_IrisInitialClient_2023-02-03.md",
- "file_parent_id": 49,
- "file_password": "eqeq",
- "file_sha256": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
- "file_size": 0,
- "file_tags": "asd",
- "file_uuid": "65fc1aa8-aa58-4c02-a12a-bee485e8c30a",
- "modification_history": {
- "1679324085.841901": {
- "action": "created",
- "user": "administrator",
- "user_id": 1
}
}
}, - "message": "File saved in datastore and added in evidence",
- "status": "success"
}
Move a file to a new folder.
file_id required | string |
destination-node | integer |
{- "destination-node": 0
}
{- "data": [ ],
- "message": "File successfully moved to IOCs",
- "status": "success"
}
Add a new datastore folder.
folder_name | string |
parent_node | integer |
{- "folder_name": "string",
- "parent_node": 0
}
{- "data": {
- "case": null,
- "path_case_id": 1,
- "path_id": 54,
- "path_is_root": false,
- "path_name": "string",
- "path_parent_id": 48,
- "path_uuid": "90413f42-c495-4eff-928b-c4a321128595",
- "registry": null
}, - "message": "Folder added",
- "status": "success"
}
Rename a datastore folder.
folder_id required | string |
cid | integer Case ID |
parent_node | string |
folder_name | string |
{- "parent_node": "53",
- "folder_name": "New folder name"
}
{- "data": {
- "case": null,
- "path_case_id": 1,
- "path_id": 53,
- "path_is_root": false,
- "path_name": "New folder name",
- "path_parent_id": 49,
- "path_uuid": "61af71c7-4c7b-4d29-a4c5-825f415b3e06",
- "registry": null
}, - "message": "Folder renamed",
- "status": "success"
}
Move a folder to a new folder.
folder_id required | integer Folder ID |
destination-node | integer |
{- "destination-node": 49
}
{- "data": {
- "case": null,
- "path_case_id": 1,
- "path_id": 53,
- "path_is_root": false,
- "path_name": "New folder name",
- "path_parent_id": 49,
- "path_uuid": "61af71c7-4c7b-4d29-a4c5-825f415b3e06",
- "registry": null
}, - "message": "Folder \"New folder name\" successfully moved to \"Evidences\"",
- "status": "success"
}
Add a new comment to a case object
object_name required | string Enum: "notes" "assets" "ioc" "events" "tasks" "evidences" Name of the case object to comment |
object_id required | integer ID of the object to comment |
comment_text | string |
{- "comment_text": "string"
}
{- "data": [
- {
- "comment_date": "Mon, 20 Mar 2023 17:12:06 GMT",
- "comment_id": 12,
- "comment_text": "No ",
- "comment_update_date": "Mon, 20 Mar 2023 17:12:06 GMT",
- "comment_uuid": "f43d28a7-cd07-48ec-a602-26e0ce21743b",
- "name": "administrator",
- "user": "administrator"
}
], - "message": "",
- "status": "success"
}
List the comments a case object
object_name required | string Enum: "notes" "assets" "ioc" "events" "tasks" "evidences" Name of the case object to comment |
object_id required | integer ID of the object to comment |
{- "data": [
- {
- "comment_date": "Mon, 20 Mar 2023 17:12:06 GMT",
- "comment_id": 12,
- "comment_text": "No ",
- "comment_update_date": "Mon, 20 Mar 2023 17:12:06 GMT",
- "comment_uuid": "f43d28a7-cd07-48ec-a602-26e0ce21743b",
- "name": "administrator",
- "user": "administrator"
}
], - "message": "",
- "status": "success"
}
object_name required | string Enum: "notes" "assets" "ioc" "events" "tasks" "evidences" Name of the case object to comment |
object_id required | integer ID of the object to comment |
comment_id required | integer ID of the comment to update |
{- "data": [ ],
- "message": "Comment deleted",
- "status": "success"
}
Edit a comment
object_name required | string Name of the case object to comment |
object_id required | integer ID of the object to comment |
comment_id required | integer ID of the comment to update |
comment_text | string |
{- "comment_text": "string"
}
{- "data": {
- "comment_case_id": 153,
- "comment_date": "2023-03-20T16:18:27.752242",
- "comment_id": 57,
- "comment_text": "dsadasada",
- "comment_update_date": "2023-03-20T16:21:06.358208",
- "comment_user_id": 11,
- "comment_uuid": "ff14db70-b328-4f0e-9f60-bc6eb4157a8f"
}, - "message": "Comment edited",
- "status": "success"
}
This endpoint is depreacted. Use /dim/tasks/list/
{- "data": [
- {
- "case": "string",
- "date_done": "string",
- "module": "string",
- "state": "string",
- "task_id": "string",
- "user": "string"
}
], - "message": "string",
- "status": "string"
}
List all manual hooks available for a particular case object.
Available objects types are :
The returned information can provided to the /dim/hooks/call
endpoint to trigger a hook.
object_type required | string Object type |
{- "data": [
- {
- "hook_name": "on_manual_trigger_ioc",
- "manual_hook_ui_name": "Get VT insight",
- "module_name": "iris_vt_module"
}
], - "message": "",
- "status": "success"
}
Executes a manual trigger on a specified hook. This allows to trigger a hook as it would be done on the GUI. This only concerns manual hooks, and each call triggers a specific hook of a specific module, as specified in the request.
To get a list of all available hooks for a case object, use the /dim/hooks/options/<type>/list
endpoint.
cid required | integer Case ID |
hook_name required | string non-empty Internal name of the hook as specified in the hook documentation. |
module_name required | string non-empty Name of the module to call |
hook_ui_name required | string non-empty UI name of the hook, either auto generated by IRIS or provided by the module itself. |
type required | string non-empty Type of data processed by the hook (ioc, asset, etc) |
targets required | Array of objects List of objects ID of type "type" to process |
{- "hook_name": "on_manual_trigger_ioc",
- "module_name": "iris_vt_module",
- "hook_ui_name": "Get VT insight",
- "type": "ioc",
- "targets": [
- 10
]
}
{- "data": {
- "tasks": [
- {
- "status_bscolor": "danger",
- "status_name": "To do",
- "task_assignee_id": 6,
- "task_description": "",
- "task_id": 5,
- "task_last_update": "Wed, 19 Jan 2022 12:51:22 GMT",
- "task_status_id": 14,
- "task_tags": "",
- "task_title": "Generate a mid-term report",
- "user_name": "forensicator"
}, - {
- "status_bscolor": "danger",
- "status_name": "To do",
- "task_assignee_id": 1,
- "task_description": "Analyse the sysvol",
- "task_id": 7,
- "task_last_update": "Wed, 19 Jan 2022 15:23:24 GMT",
- "task_status_id": 14,
- "task_tags": "",
- "task_title": "SYSVOL analysis",
- "user_name": "administrator"
}
], - "tasks_status": [
- {
- "id": 14,
- "status_bscolor": "danger",
- "status_description": "",
- "status_name": "To do"
}, - {
- "id": 15,
- "status_bscolor": "warning",
- "status_description": "",
- "status_name": "In progress"
}, - {
- "id": 16,
- "status_bscolor": "muted",
- "status_description": "",
- "status_name": "On hold"
}, - {
- "id": 17,
- "status_bscolor": "success",
- "status_description": "",
- "status_name": "Done"
}, - {
- "id": 18,
- "status_bscolor": "muted",
- "status_description": "",
- "status_name": "Canceled"
}
]
}, - "message": "",
- "status": "success"
}
Add a global task and assign it to a user.
task_assignee_id required | integer A user ID for whom the task will be assigned |
task_status_id required | integer The initial status of the task |
task_title required | string >= 2 characters |
task_description required | string |
task_tags required | string |
{- "task_assignee_id": 1,
- "task_status_id": 14,
- "task_title": "Task title",
- "task_description": "My task description",
- "task_tags": ""
}
{- "data": {
- "task_assignee_id": 1,
- "task_close_date": null,
- "task_description": "My task description",
- "task_id": 9,
- "task_last_update": "2022-01-21T17:07:10.005200",
- "task_open_date": "2022-01-21T17:07:10.005183",
- "task_status_id": 15,
- "task_tags": "",
- "task_title": "Task title",
- "task_userid_close": null,
- "task_userid_open": null,
- "task_userid_update": 1
}, - "message": "Saved !",
- "status": "success"
}
task_id required | string Global task ID to update |
task_assignee_id required | integer |
task_status_id required | integer |
task_title required | string non-empty |
task_description required | string non-empty |
task_tags required | string non-empty |
cid | integer |
{- "task_assignee_id": 155,
- "task_status_id": 14,
- "task_title": "Task title",
- "task_description": "A super description",
- "task_tags": "tag1,tag2,tag3",
- "cid": 1
}
{- "data": {
- "task_assignee_id": 0,
- "task_close_date": "string",
- "task_description": "string",
- "task_id": 0,
- "task_last_update": "string",
- "task_open_date": "string",
- "task_status_id": 0,
- "task_tags": "string",
- "task_title": "string",
- "task_userid_close": 0,
- "task_userid_open": 0,
- "task_userid_update": 0
}, - "message": "string",
- "status": "string"
}
Create a new immediate case. If cid is not set, a default case ID 1 is used. This does not change the behavior of the request and is only used for internal tracking.
case_soc_id required | string non-empty A SOC ticket reference |
case_customer required | number The customer ID linked to the case. |
case_name required | string >= 2 characters A short name for the case. The case number will be prepend. |
case_description required | string >= 2 characters A short description of the case. This will be the summary of the case. |
custom_attributes | object |
case_template_id | integer |
classification_id | integer |
{- "case_soc_id": "SOC_154",
- "case_customer": 1,
- "case_name": "My Case API",
- "case_description": "A super nice description"
}
{- "status": "success",
- "message": "Case created",
- "data": {
- "case_name": "#1065 - My Case API",
- "case_customer": 1,
- "case_uuid": "435e3f47-479e-4a3c-98df-8e28b01fd2bc",
- "case_description": "A super nice description",
- "case_id": 1065,
- "open_date": "2024-01-10",
- "status_id": 0,
- "modification_history": {
- "1704888196.578914": {
- "user": "administrator",
- "user_id": 1,
- "action": "created"
}
}, - "case_soc_id": "SOC_154",
- "state_id": 11,
- "close_date": null,
- "classification_id": null,
- "closing_note": null,
- "owner_id": 1,
- "user_id": 1,
- "custom_attributes": null,
- "reviewer_id": null,
- "review_status_id": null,
- "severity_id": 4
}
}
Returns a list of all the cases, open and closed.
{- "status": "success",
- "message": "",
- "data": [
- {
- "case_name": "#1 - Initial Demo",
- "case_description": "This is a demonstration.",
- "client_name": "IrisInitialClient",
- "case_open_date": "05/11/2023",
- "case_close_date": "",
- "case_soc_id": "soc_id_demo",
- "opened_by_user_id": 1,
- "opened_by": "administrator",
- "owner_id": 1,
- "owner": "administrator",
- "case_id": 1,
- "case_uuid": "507a5fab-358a-4946-82d0-625ef8a9fa0d",
- "classification_id": null,
- "classification": null,
- "state_id": null,
- "state_name": null,
- "access_level": 4
}, - {
- "case_name": "#2 - [ALERT] Data Exfiltration 2208",
- "case_description": "*Alert escalated by administrator*\n\n### Alert description\n\nSensitive data has been detected leaving the network.\n\n### IRIS alert link\n\n[<i class='fa-solid fa-bell'></i> #2209](/alerts?alert_id=2209)",
- "client_name": "IrisInitialClient",
- "case_open_date": "05/12/2023",
- "case_close_date": "",
- "case_soc_id": "2209",
- "opened_by_user_id": 1,
- "opened_by": "administrator",
- "owner_id": 1,
- "owner": "administrator",
- "case_id": 2,
- "case_uuid": "4ee6ceb6-41a3-4400-8234-f2b60a2a22dd",
- "classification_id": 4,
- "classification": "malicious-code:virus",
- "state_id": 3,
- "state_name": "Opened",
- "access_level": 4
}, - {
- "case_name": "#3 - [ALERT] Insider Threat 1412",
- "case_description": "*Alert escalated by administrator*\n\n### Alert description\n\nSuspicious activity from an internal user has been detected.\n\n### IRIS alert link\n\n[<i class='fa-solid fa-bell'></i> #1413](/alerts?alert_ids=1413)",
- "client_name": "IrisInitialClient",
- "case_open_date": "05/12/2023",
- "case_close_date": "",
- "case_soc_id": "1413",
- "opened_by_user_id": 1,
- "opened_by": "administrator",
- "owner_id": 1,
- "owner": "administrator",
- "case_id": 3,
- "case_uuid": "ccc8c45e-6fc0-49de-8966-c1c58fd7bb25",
- "classification_id": 3,
- "classification": "abusive-content:violence",
- "state_id": 3,
- "state_name": "Opened",
- "access_level": 4
}, - {
- "case_name": "#4 - test",
- "case_description": "test",
- "client_name": "IrisInitialClient",
- "case_open_date": "05/12/2023",
- "case_close_date": "",
- "case_soc_id": "",
- "opened_by_user_id": 1,
- "opened_by": "administrator",
- "owner_id": 1,
- "owner": "administrator",
- "case_id": 4,
- "case_uuid": "b0d28c89-cfd9-4999-8cb2-8cc10f300151",
- "classification_id": 9,
- "classification": "malicious-code:dialer",
- "state_id": 2,
- "state_name": "In progress",
- "access_level": 4
}
]
}
This endpoint is deprecated - use the POST equivalent.
case_id required | integer Case ID |
{- "data": {
- "case_customer": 105,
- "case_description": "A super description",
- "case_id": 42,
- "case_name": "#42 - My case",
- "case_soc_id": "SOC_142",
- "close_date": "2022-01-20",
- "open_date": "2022-01-20",
- "user_id": 1
}, - "message": "Case closed successfully",
- "status": "success"
}
The case will be listed under closed case. That's the only difference with an open case. It will stay editable and searchable.
case_id required | integer Case ID |
{- "status": "success",
- "message": "Case closed successfully",
- "data": {
- "case_uuid": "507a5fab-358a-4946-82d0-625ef8a9fa0d",
- "case_id": 1,
- "case_name": "#1 - Initial Demo",
- "closing_note": null,
- "user_id": 1,
- "owner_id": 1,
- "case_customer": 1,
- "status_id": 0,
- "case_soc_id": "soc_id_demo",
- "open_date": "2023-05-11",
- "modification_history": {
- "1683900741.546554": {
- "user": "administrator",
- "user_id": 1,
- "action": "case closed"
}
}, - "custom_attributes": null,
- "close_date": "2023-05-12",
- "case_description": "This is a demonstration.",
- "state_id": 9,
- "classification_id": null
}
}
This endpoint is deprecated. Use the POST equivalent.
case_id required | integer Case ID |
{- "data": {
- "case_customer": 26,
- "case_description": "Testing case number6",
- "case_id": 8,
- "case_name": "Test 6",
- "case_soc_id": "SOC6",
- "close_date": null,
- "open_date": "2021-10-19",
- "user_id": 52
}, - "message": "Case reopened successfully",
- "status": "success"
}
Reopen a case previously closed. A case can be reopened even if it is not closed.
case_id required | integer Case ID |
{- "status": "string",
- "message": "string",
- "data": {
- "case_uuid": "string",
- "case_id": 0,
- "case_name": "string",
- "closing_note": null,
- "user_id": 0,
- "owner_id": 0,
- "case_customer": 0,
- "status_id": 0,
- "case_soc_id": "string",
- "open_date": "string",
- "modification_history": { },
- "custom_attributes": null,
- "close_date": null,
- "case_description": "string",
- "state_id": 0,
- "classification_id": null
}
}
This implies the deletion of everything linked to the case including summary, assets, notes, timeline, tasks and evidences. The IOCs will only be deleted if they are not referenced in another case.
case_id required | integer Case ID |
{- "data": [ ],
- "message": "Case successfully deleted",
- "status": "success"
}
Update informations of a case.
case_id required | integer Case ID |
case_name | string |
case_soc_id | string |
classification_id | string |
owner_id | string |
state_id | string |
status_id | string |
Array of objects | |
case_tags | string |
custom_attributes | object |
{- "case_name": "Dummy ",
- "case_soc_id": "soc_id_demo",
- "classification_id": "2",
- "owner_id": "2",
- "status_id": "1",
- "protagonists": [
- {
- "role": "Lead",
- "name": "administrator",
- "contact": "administrator@iris.local"
}
], - "case_tags": "tag1,tag2",
- "custom_attributes": { }
}
{- "status": "success",
- "message": "Case updated",
- "data": {
- "case_tags": "tag1,tag2",
- "case_name": "#1 - Dummy ",
- "custom_attributes": { },
- "case_soc_id": "soc_id_demo",
- "status_id": 1,
- "open_date": "2023-05-11",
- "case_id": 1,
- "modification_history": {
- "1683900741.546554": {
- "user": "administrator",
- "user_id": 1,
- "action": "case closed"
}, - "1683901251.748556": {
- "user": "administrator",
- "user_id": 1,
- "action": "case reopened"
}, - "1683902199.288591": {
- "user": "administrator",
- "user_id": 1,
- "action": "case info updated"
}
}, - "user_id": 1,
- "case_uuid": "507a5fab-358a-4946-82d0-625ef8a9fa0d",
- "protagonists": [
- {
- "role": "Lead",
- "name": "administrator",
- "contact": "administrator@iris.local"
}
], - "case_description": "This is a demonstration.",
- "closing_note": null,
- "close_date": null,
- "classification_id": 2,
- "owner_id": 1,
- "state_id": 3,
- "case_customer": 1
}
}
page | integer Page number |
per_page | integer Number of results per page |
case_ids | string List of cases ID, comma separated |
case_customer_id | integer Customer ID |
case_name | string Name of the case |
case_description | string Description of the case |
case_classification_id | integer Classification of the case |
case_owner_id | integer Owner of the case |
case_opening_user_id | integer User opening the case |
case_severity_id | string Severity ID of the case |
case_state_id | integer State ID of the case |
case_soc_id | string SOC ID |
sort | string asc or desc |
start_open_date | string Case opening date - lower boundary |
end_open_date | string Case opening date - higher boundary |
{- "status": "success",
- "message": {
- "total": 7,
- "cases": [
- {
- "client_id": 2,
- "description": "SOC ID t4500",
- "case_id": 73,
- "soc_id": "T4500",
- "status_name": "unknown",
- "alerts": [ ],
- "modification_history": null,
- "initial_date": "2023-01-27T00:00:00",
- "state_id": 1,
- "close_date": null,
- "owner_id": 2,
- "reviewer": null,
- "custom_attributes": { },
- "user_id": 2,
- "reviewer_id": null,
- "protagonists": [ ],
- "name": "#73 - TestingCase - GC",
- "user": {
- "id": 2,
- "user_name": "User Std 1",
- "user_login": "user_std_1",
- "user_email": "user_std_1@iris.local"
}, - "review_status": null,
- "tags": [ ],
- "case_uuid": "f7a3d813-4d04-4526-b1fb-1c8a91dc0b5c",
- "severity": {
- "severity_name": "Medium",
- "severity_description": "Medium",
- "severity_id": 4
}, - "client": {
- "client_uuid": "40cb701e-5500-4579-905e-e40cd99b7f26",
- "creation_date": "2022-12-29T10:24:33.573468",
- "customer_name": "Client 0",
- "customer_id": 2,
- "customer_sla": null,
- "custom_attributes": { },
- "last_update_date": "2022-12-29T10:24:33.573468",
- "customer_description": "Description for client 0"
}, - "open_date": "2023-01-27",
- "state": {
- "state_id": 1,
- "protected": true,
- "state_description": "Unspecified",
- "state_name": "Unspecified"
}, - "classification_id": 1,
- "owner": {
- "id": 2,
- "user_name": "User Std 1",
- "user_login": "user_std_1",
- "user_email": "user_std_1@iris.local"
}, - "closing_note": null,
- "status_id": 0,
- "review_status_id": null,
- "severity_id": 4,
- "classification": {
- "name": "other:other",
- "name_expanded": "Other: Other",
- "description": "All incidents that do not fit in one of the given categories should be put into this class. If the number of incidents in this category increases, it is an indicator that the classification scheme must be revised.",
- "creation_date": "2023-03-07T07:40:39.558404",
- "id": 1
}
}, - {
- "client_id": 2,
- "description": "creating a new case",
- "case_id": 84,
- "soc_id": "123456",
- "status_name": "unknown",
- "alerts": [ ],
- "modification_history": null,
- "initial_date": "2023-01-30T00:00:00",
- "state_id": 1,
- "close_date": null,
- "owner_id": 2,
- "reviewer": null,
- "custom_attributes": { },
- "user_id": 2,
- "reviewer_id": null,
- "protagonists": [ ],
- "name": "#84 - testCaseCreation",
- "user": {
- "id": 2,
- "user_name": "User Std 1",
- "user_login": "user_std_1",
- "user_email": "user_std_1@iris.local"
}, - "review_status": null,
- "tags": [ ],
- "case_uuid": "0e5886c5-74a9-4acd-badf-082d65c02a73",
- "severity": {
- "severity_name": "Medium",
- "severity_description": "Medium",
- "severity_id": 4
}, - "client": {
- "client_uuid": "40cb701e-5500-4579-905e-e40cd99b7f26",
- "creation_date": "2022-12-29T10:24:33.573468",
- "customer_name": "Client 0",
- "customer_id": 2,
- "customer_sla": null,
- "custom_attributes": { },
- "last_update_date": "2022-12-29T10:24:33.573468",
- "customer_description": "Description for client 0"
}, - "open_date": "2023-01-30",
- "state": {
- "state_id": 1,
- "protected": true,
- "state_description": "Unspecified",
- "state_name": "Unspecified"
}, - "classification_id": 1,
- "owner": {
- "id": 2,
- "user_name": "User Std 1",
- "user_login": "user_std_1",
- "user_email": "user_std_1@iris.local"
}, - "closing_note": null,
- "status_id": 0,
- "review_status_id": null,
- "severity_id": 4,
- "classification": {
- "name": "other:other",
- "name_expanded": "Other: Other",
- "description": "All incidents that do not fit in one of the given categories should be put into this class. If the number of incidents in this category increases, it is an indicator that the classification scheme must be revised.",
- "creation_date": "2023-03-07T07:40:39.558404",
- "id": 1
}
}, - {
- "client_id": 2,
- "description": "test1",
- "case_id": 87,
- "soc_id": "",
- "status_name": "unknown",
- "alerts": [ ],
- "modification_history": null,
- "initial_date": "2023-01-31T00:00:00",
- "state_id": 1,
- "close_date": null,
- "owner_id": 2,
- "reviewer": null,
- "custom_attributes": { },
- "user_id": 2,
- "reviewer_id": null,
- "protagonists": [ ],
- "name": "#87 - test1",
- "user": {
- "id": 2,
- "user_name": "User Std 1",
- "user_login": "user_std_1",
- "user_email": "user_std_1@iris.local"
}, - "review_status": null,
- "tags": [ ],
- "case_uuid": "d2728076-6fad-470f-9547-0cd5cda6547b",
- "severity": {
- "severity_name": "Medium",
- "severity_description": "Medium",
- "severity_id": 4
}, - "client": {
- "client_uuid": "40cb701e-5500-4579-905e-e40cd99b7f26",
- "creation_date": "2022-12-29T10:24:33.573468",
- "customer_name": "Client 0",
- "customer_id": 2,
- "customer_sla": null,
- "custom_attributes": { },
- "last_update_date": "2022-12-29T10:24:33.573468",
- "customer_description": "Description for client 0"
}, - "open_date": "2023-01-31",
- "state": {
- "state_id": 1,
- "protected": true,
- "state_description": "Unspecified",
- "state_name": "Unspecified"
}, - "classification_id": 1,
- "owner": {
- "id": 2,
- "user_name": "User Std 1",
- "user_login": "user_std_1",
- "user_email": "user_std_1@iris.local"
}, - "closing_note": null,
- "status_id": 0,
- "review_status_id": null,
- "severity_id": 4,
- "classification": {
- "name": "other:other",
- "name_expanded": "Other: Other",
- "description": "All incidents that do not fit in one of the given categories should be put into this class. If the number of incidents in this category increases, it is an indicator that the classification scheme must be revised.",
- "creation_date": "2023-03-07T07:40:39.558404",
- "id": 1
}
}, - {
- "client_id": 4,
- "description": "this is a test",
- "case_id": 111,
- "soc_id": "",
- "status_name": "true_positive_with_impact",
- "alerts": [ ],
- "modification_history": {
- "1681359530.489504": {
- "user": "adm_1",
- "user_id": 11,
- "action": "status updated to true_positive"
}
}, - "initial_date": "2023-02-06T00:00:00",
- "state_id": 1,
- "close_date": null,
- "owner_id": 2,
- "reviewer": null,
- "custom_attributes": { },
- "user_id": 2,
- "reviewer_id": null,
- "protagonists": [ ],
- "name": "#111 - Testcase53",
- "user": {
- "id": 2,
- "user_name": "User Std 1",
- "user_login": "user_std_1",
- "user_email": "user_std_1@iris.local"
}, - "review_status": null,
- "tags": [ ],
- "case_uuid": "66c53723-9285-40ab-8c1a-16ea1f9c30c3",
- "severity": {
- "severity_name": "Medium",
- "severity_description": "Medium",
- "severity_id": 4
}, - "client": {
- "client_uuid": "1ab6ee6d-b527-48b4-9019-4798cb8bea56",
- "creation_date": "2022-12-29T10:24:33.582216",
- "customer_name": "Client 2",
- "customer_id": 4,
- "customer_sla": null,
- "custom_attributes": { },
- "last_update_date": "2022-12-29T10:24:33.582216",
- "customer_description": "Description for client 2"
}, - "open_date": "2023-02-06",
- "state": {
- "state_id": 1,
- "protected": true,
- "state_description": "Unspecified",
- "state_name": "Unspecified"
}, - "classification_id": 1,
- "owner": {
- "id": 2,
- "user_name": "User Std 1",
- "user_login": "user_std_1",
- "user_email": "user_std_1@iris.local"
}, - "closing_note": null,
- "status_id": 2,
- "review_status_id": null,
- "severity_id": 4,
- "classification": {
- "name": "other:other",
- "name_expanded": "Other: Other",
- "description": "All incidents that do not fit in one of the given categories should be put into this class. If the number of incidents in this category increases, it is an indicator that the classification scheme must be revised.",
- "creation_date": "2023-03-07T07:40:39.558404",
- "id": 1
}
}, - {
- "client_id": 4,
- "description": "test",
- "case_id": 174,
- "soc_id": "",
- "status_name": "unknown",
- "alerts": [ ],
- "modification_history": {
- "1679900593.122362": {
- "user": "user_std_1",
- "user_id": 2,
- "action": "created"
}
}, - "initial_date": "2023-03-27T07:03:13.073528",
- "state_id": 1,
- "close_date": null,
- "owner_id": 2,
- "reviewer": null,
- "custom_attributes": { },
- "user_id": 2,
- "reviewer_id": null,
- "protagonists": [ ],
- "name": "#174 - test",
- "user": {
- "id": 2,
- "user_name": "User Std 1",
- "user_login": "user_std_1",
- "user_email": "user_std_1@iris.local"
}, - "review_status": null,
- "tags": [ ],
- "case_uuid": "0ae68fc6-15b4-4899-ae11-1ce55130e7fc",
- "severity": {
- "severity_name": "Medium",
- "severity_description": "Medium",
- "severity_id": 4
}, - "client": {
- "client_uuid": "1ab6ee6d-b527-48b4-9019-4798cb8bea56",
- "creation_date": "2022-12-29T10:24:33.582216",
- "customer_name": "Client 2",
- "customer_id": 4,
- "customer_sla": null,
- "custom_attributes": { },
- "last_update_date": "2022-12-29T10:24:33.582216",
- "customer_description": "Description for client 2"
}, - "open_date": "2023-03-27",
- "state": {
- "state_id": 1,
- "protected": true,
- "state_description": "Unspecified",
- "state_name": "Unspecified"
}, - "classification_id": 1,
- "owner": {
- "id": 2,
- "user_name": "User Std 1",
- "user_login": "user_std_1",
- "user_email": "user_std_1@iris.local"
}, - "closing_note": null,
- "status_id": 0,
- "review_status_id": null,
- "severity_id": 4,
- "classification": {
- "name": "other:other",
- "name_expanded": "Other: Other",
- "description": "All incidents that do not fit in one of the given categories should be put into this class. If the number of incidents in this category increases, it is an indicator that the classification scheme must be revised.",
- "creation_date": "2023-03-07T07:40:39.558404",
- "id": 1
}
}, - {
- "client_id": 2,
- "description": "vdfs dfsdsdvfv fdvdfs sdf\n# Context \n\n\n# Contact \n\n\n# Actions \n",
- "case_id": 278,
- "soc_id": "",
- "status_name": "unknown",
- "alerts": [ ],
- "modification_history": {
- "1683958754.52258": {
- "user": "user_std_1",
- "user_id": 2,
- "action": "created"
}, - "1684672442.640787": {
- "user": "adm_1",
- "user_id": 11,
- "action": "case closed"
}, - "1684672557.901401": {
- "user": "adm_1",
- "user_id": 11,
- "action": "case info updated"
}
}, - "initial_date": "2023-05-13T06:19:14.292101",
- "state_id": 9,
- "close_date": "2023-05-21",
- "owner_id": 2,
- "reviewer": null,
- "custom_attributes": { },
- "user_id": 2,
- "reviewer_id": null,
- "protagonists": [ ],
- "name": "#278 - [RANS] test 4",
- "user": {
- "id": 2,
- "user_name": "User Std 1",
- "user_login": "user_std_1",
- "user_email": "user_std_1@iris.local"
}, - "review_status": null,
- "tags": [
- {
- "id": 15,
- "tag_title": "ransomware"
}, - {
- "id": 16,
- "tag_title": "malware"
}
], - "case_uuid": "25170044-efd9-498c-8b50-77ecf47eafad",
- "severity": {
- "severity_name": "Medium",
- "severity_description": "Medium",
- "severity_id": 4
}, - "client": {
- "client_uuid": "40cb701e-5500-4579-905e-e40cd99b7f26",
- "creation_date": "2022-12-29T10:24:33.573468",
- "customer_name": "Client 0",
- "customer_id": 2,
- "customer_sla": null,
- "custom_attributes": { },
- "last_update_date": "2022-12-29T10:24:33.573468",
- "customer_description": "Description for client 0"
}, - "open_date": "2023-05-13",
- "state": {
- "state_id": 9,
- "protected": true,
- "state_description": "Case is closed",
- "state_name": "Closed"
}, - "classification_id": 7,
- "owner": {
- "id": 2,
- "user_name": "User Std 1",
- "user_login": "user_std_1",
- "user_email": "user_std_1@iris.local"
}, - "closing_note": null,
- "status_id": 0,
- "review_status_id": null,
- "severity_id": 4,
- "classification": {
- "name": "malicious-code:ransomware",
- "name_expanded": "Malicious-Code: Ransomware",
- "description": "Ransomware is a type of malicious software from cryptovirology that blocks access to the victim's data or threatens to publish it until a ransom is paid.",
- "creation_date": "2023-03-07T07:40:40.108269",
- "id": 7
}
}, - {
- "client_id": 2,
- "description": "nsaöfksdnälkvsnaäönsa\nSummary to be set",
- "case_id": 309,
- "soc_id": "8324u2390202",
- "status_name": "unknown",
- "alerts": [ ],
- "modification_history": {
- "1684841100.350423": {
- "user": "user_std_1",
- "user_id": 2,
- "action": "created"
}
}, - "initial_date": "2023-05-23T11:25:00.242875",
- "state_id": 3,
- "close_date": null,
- "owner_id": 2,
- "reviewer": null,
- "custom_attributes": { },
- "user_id": 2,
- "reviewer_id": null,
- "protagonists": [ ],
- "name": "#309 - test3281",
- "user": {
- "id": 2,
- "user_name": "User Std 1",
- "user_login": "user_std_1",
- "user_email": "user_std_1@iris.local"
}, - "review_status": null,
- "tags": [
- {
- "id": 15,
- "tag_title": "ransomware"
}, - {
- "id": 16,
- "tag_title": "malware"
}
], - "case_uuid": "3b4dacb8-6d7a-45d7-9a88-6fbe48422fa5",
- "severity": {
- "severity_name": "Medium",
- "severity_description": "Medium",
- "severity_id": 4
}, - "client": {
- "client_uuid": "40cb701e-5500-4579-905e-e40cd99b7f26",
- "creation_date": "2022-12-29T10:24:33.573468",
- "customer_name": "Client 0",
- "customer_id": 2,
- "customer_sla": null,
- "custom_attributes": { },
- "last_update_date": "2022-12-29T10:24:33.573468",
- "customer_description": "Description for client 0"
}, - "open_date": "2023-05-23",
- "state": {
- "state_id": 3,
- "protected": true,
- "state_description": "Case is open",
- "state_name": "Open"
}, - "classification_id": 1,
- "owner": {
- "id": 2,
- "user_name": "User Std 1",
- "user_login": "user_std_1",
- "user_email": "user_std_1@iris.local"
}, - "closing_note": null,
- "status_id": 0,
- "review_status_id": null,
- "severity_id": 4,
- "classification": {
- "name": "other:other",
- "name_expanded": "Other: Other",
- "description": "All incidents that do not fit in one of the given categories should be put into this class. If the number of incidents in this category increases, it is an indicator that the classification scheme must be revised.",
- "creation_date": "2023-03-07T07:40:39.558404",
- "id": 1
}
}
], - "last_page": 1,
- "current_page": 1,
- "next_page": null
}, - "data": [ ]
}
List customers
cid | integer Case ID |
{- "data": [
- {
- "customer_description": "New customer description",
- "customer_id": 1,
- "customer_name": "New customer",
- "customer_sla": "New customer SLA",
- "customer_uuid": "ad6d9fd2-a149-45b7-9209-ca558df7b03f"
}, - {
- "customer_description": null,
- "customer_id": 10,
- "customer_name": "IrisInitialClient",
- "customer_sla": null,
- "customer_uuid": "43a20fd8-1012-48ac-9dff-cdf5b6334c76"
}
], - "message": "",
- "status": "success"
}
Get a customer
customer_id required | string |
cid | integer Case ID |
{- "data": {
- "contacts": [
- {
- "client_id": 1,
- "contact_email": "contact@iris.local",
- "contact_mobile_phone": "2222222",
- "contact_name": "New contact",
- "contact_note": "Notes on the customer",
- "contact_role": "Manager",
- "contact_uuid": "e42a5db2-763b-405b-95e4-5c75a4ec7110",
- "contact_work_phone": "1111111",
- "custom_attributes": null,
- "id": 1
}, - {
- "client_id": 1,
- "contact_email": "contact@iris.local",
- "contact_mobile_phone": "2222222",
- "contact_name": "New contact",
- "contact_note": "Notes on the contact",
- "contact_role": "Manager",
- "contact_uuid": "950337e3-938f-485b-b1c7-1d44c7bfc252",
- "contact_work_phone": "1111111",
- "custom_attributes": null,
- "id": 2
}
], - "customer_description": "New customer description",
- "customer_id": 1,
- "customer_name": "New customer",
- "customer_sla": "New customer SLA",
- "customer_uuid": "ad6d9fd2-a149-45b7-9209-ca558df7b03f"
}, - "message": "",
- "status": "success"
}
Add a new customer that will be available at case creation.
customer_name required | string |
customer_description required | string |
customer_sla required | string |
custom_attributes required | object |
{- "customer_name": "New customer",
- "customer_description": "New customer description",
- "customer_sla": "New customer SLA",
- "custom_attributes": { }
}
{- "data": {
- "client_uuid": "d274194f-0e74-4ae5-9610-e2bf9735f10c",
- "creation_date": "2023-03-20T13:25:57.930469",
- "custom_attributes": { },
- "customer_description": "fds",
- "customer_id": 8,
- "customer_name": "fsd",
- "customer_sla": "fds",
- "last_update_date": "2023-03-20T13:25:57.930469"
}, - "message": "Added successfully",
- "status": "success"
}
Update an existing customer. The new customer name should be one which is not already taken.
customer_id required | integer Customer ID to update |
customer_name | string |
customer_description | string |
customer_sla | string |
custom_attributes | object |
{- "customer_name": "New customer",
- "customer_description": "New customer description",
- "customer_sla": "New customer SLA",
- "custom_attributes": { }
}
{- "data": {
- "client_uuid": "ad6d9fd2-a149-45b7-9209-ca558df7b03f",
- "creation_date": "2023-03-06T08:24:16.671619",
- "custom_attributes": { },
- "customer_description": "New customer description",
- "customer_id": 1,
- "customer_name": "New customer",
- "customer_sla": "New customer SLA",
- "last_update_date": "2023-03-06T08:24:16.671619"
}, - "message": "Customer updated",
- "status": "success"
}
A customer can be deleted only if it is not referenced in a case. To delete a referenced, every referencing cases musth be deleted before.
customer_id required | integer ID of the customer to delete |
{- "data": [ ],
- "message": "Deleted successfully",
- "status": "success"
}
Add a new customer contact.
customer_id required | integer ID of the customer |
cid required | integer Case ID |
contact_name | string |
contact_role | string |
contact_email | string |
contact_work_phone | string |
contact_mobile_phone | string |
contact_note | string |
{- "contact_name": "New contact",
- "contact_role": "Manager",
- "contact_email": "contact@iris.local",
- "contact_work_phone": "1111111",
- "contact_mobile_phone": "2222222",
- "contact_note": "Notes on the contact"
}
{- "data": [ ],
- "message": "Deleted successfully",
- "status": "success"
}
Update a customer contact.
customer_id required | integer ID of the customer |
contact_id required | string ID of the contact |
cid required | integer Case ID |
contact_name | string |
contact_role | string |
contact_email | string |
contact_work_phone | string |
contact_mobile_phone | string |
contact_note | string |
{- "contact_name": "New contact",
- "contact_role": "Manager",
- "contact_email": "contact@iris.local",
- "contact_work_phone": "1111111",
- "contact_mobile_phone": "2222222",
- "contact_note": "Notes on the contact"
}
{- "data": {
- "client_id": 1,
- "contact_email": "contact@iris.local",
- "contact_mobile_phone": "2222222",
- "contact_name": "New contact",
- "contact_note": "Notes on the contact",
- "contact_role": "Manager",
- "contact_uuid": "950337e3-938f-485b-b1c7-1d44c7bfc252",
- "contact_work_phone": "1111111",
- "custom_attributes": null,
- "id": 2
}, - "message": "Added successfully",
- "status": "success"
}
Only users that never done any activities can be deleted. This is to prevent any internal logic errors and keep tracks of every past activities.
Requires administrator role.
user_id required | integer User ID |
cid required | integer Case ID |
{- "data": [ ],
- "message": "Cannot delete active user",
- "status": "error"
}
Requires administrator role.
user_id required | integer User ID |
cid required | integer Case ID |
user_name | string |
user_login | string |
user_email | string |
user_password | string |
{- "user_name": "string",
- "user_login": "string",
- "user_email": "string",
- "user_password": "string"
}
{- "data": {
- "active": true,
- "external_id": null,
- "has_deletion_confirmation": true,
- "id": 0,
- "in_dark_mode": null,
- "user_email": "string",
- "user_id": 0,
- "user_login": "string",
- "user_name": "string",
- "user_password": "string",
- "uuid": "string"
}, - "message": "string",
- "status": "string"
}
Administrator role required.
user_name required | string non-empty |
user_login required | string non-empty Has to be unique |
user_email required | string non-empty Has to be unique |
user_password | string non-empty Must satisfy policy of 12chars, 1 uppercase, 1 number |
user_is_service_account | boolean |
{- "user_name": "string",
- "user_login": "string",
- "user_email": "string",
- "user_password": "string",
- "user_is_service_account": true
}
{- "status": "success",
- "message": "user created",
- "data": {
- "user_is_service_account": true,
- "user_name": "strsinsg",
- "has_deletion_confirmation": false,
- "uuid": "bb807755-62fa-412b-b242-fd930a24be13",
- "active": true,
- "user_login": "strsing",
- "user_email": "stringa",
- "id": 4,
- "in_dark_mode": null,
- "external_id": null,
- "has_mini_sidebar": false,
- "user_api_key": "ViYIIkN_LL062yNOcq2kJA3ZMscOAoHmLy8GEh_JYKBWwspLB_E65jhYLg9CsR0J-kP8DmmM3RO31_xixrG8rw"
}
}
Administrator role required. Update the groups of a user.
user_id required | integer User ID |
cid required | integer Case ID |
groups_membership required | Array of integers |
{- "groups_membership": [
- 1,
- 2
]
}
{- "data": {
- "active": true,
- "id": 0,
- "user_email": "string",
- "user_login": "string",
- "user_name": "string",
- "user_password": "string"
}, - "message": "string",
- "status": "string"
}
Administrator role required. Update the case access of a user.
user_id required | integer User ID |
cid required | integer Case ID |
cases_list required | Array of integers |
access_level | integer |
{- "cases_list": [
- 1,
- 2
], - "access_level": 2
}
{- "data": {
- "active": true,
- "id": 0,
- "user_email": "string",
- "user_login": "string",
- "user_name": "string",
- "user_password": "string"
}, - "message": "string",
- "status": "string"
}
Administrator role required. Remove cases access from a user.
user_id required | integer User ID |
cid required | integer Case ID |
cases required | integer |
{- "cases": [
- 1,
- 2
]
}
{- "data": {
- "user_active": true,
- "user_cases_access": [ ],
- "user_email": "administrator@iris.local",
- "user_groups": [
- {
- "group_id": 1,
- "group_name": "Administrators",
- "group_uuid": "17511de3-99f5-482a-a541-22bb77e62a9f"
}, - {
- "group_id": 5,
- "group_name": "Test",
- "group_uuid": "bc3e93c5-1755-4411-acf0-0a5f4f47dfb7"
}
], - "user_id": 1,
- "user_login": "administrator",
- "user_name": "administrator",
- "user_organisations": [
- {
- "is_primary_org": true,
- "org_id": 1,
- "org_name": "Default Org",
- "org_uuid": "f0b6364d-bab8-48ac-8de3-8be04f409aa7"
}
], - "user_permissions": {
- "1": {
- "inherited_from": [
- "Administrators",
- "Test"
], - "name": "standard_user",
- "value": 1
}, - "2": {
- "inherited_from": [
- "Administrators"
], - "name": "server_administrator",
- "value": 2
}
}, - "user_primary_organisation_id": 1,
- "user_uuid": "87d6cfcd-6871-43ea-85ab-eea705c08845"
}, - "message": "User case access updated",
- "status": "success"
}
Return a list of available users.
cid | integer Case ID |
{- "status": "success",
- "message": "",
- "data": [
- {
- "user_id": 1,
- "user_uuid": "815be41e-9a7d-4a2e-9e69-db2ceeba6ad2",
- "user_name": "administrator",
- "user_login": "administrator",
- "user_email": "administrator@iris.local",
- "user_active": true,
- "user_is_service_account": false
}, - {
- "user_id": 2,
- "user_uuid": "17e16ccd-a461-4fb0-b219-07f13231d6ce",
- "user_name": "automation",
- "user_login": "automation",
- "user_email": "automation@automation",
- "user_active": true,
- "user_is_service_account": true
}, - {
- "user_id": 3,
- "user_uuid": "06e9d803-d8fc-401f-9487-d76e83072b2b",
- "user_name": "string",
- "user_login": "string",
- "user_email": "string",
- "user_active": true,
- "user_is_service_account": true
}, - {
- "user_id": 4,
- "user_uuid": "bb807755-62fa-412b-b242-fd930a24be13",
- "user_name": "strsinsg",
- "user_login": "strsing",
- "user_email": "stringa",
- "user_active": true,
- "user_is_service_account": true
}
]
}
Returns information of a specific user.
user_id required | integer user ID |
{- "data": {
- "user_active": true,
- "user_cases_access": [ ],
- "user_email": "administrator@iris.local",
- "user_groups": [
- {
- "group_id": 1,
- "group_name": "Administrators",
- "group_uuid": "17511de3-99f5-482a-a541-22bb77e62a9f"
}
], - "user_id": 1,
- "user_login": "administrator",
- "user_name": "administrator",
- "user_organisations": [
- {
- "is_primary_org": true,
- "org_id": 1,
- "org_name": "Default Org",
- "org_uuid": "f0b6364d-bab8-48ac-8de3-8be04f409aa7"
}
], - "user_permissions": {
- "1": {
- "inherited_from": [
- "Administrators"
], - "name": "standard_user",
- "value": 1
}, - "2": {
- "inherited_from": [
- "Administrators"
], - "name": "server_administrator",
- "value": 2
}
}, - "user_primary_organisation_id": 1,
- "user_uuid": "87d6cfcd-6871-43ea-85ab-eea705c08845"
}, - "message": "",
- "status": "success"
}
Requires administrative rights.
user_id required | integer user ID |
cid required | integer Case ID |
group_name required | string |
group_description required | string |
group_permissions required | integer |
{- "group_name": "New group",
- "group_description": "New description",
- "group_permissions": 1
}
{- "data": {
- "group_auto_follow": false,
- "group_auto_follow_access_level": 0,
- "group_description": "New description",
- "group_id": 4,
- "group_name": "New group",
- "group_permissions": 1,
- "group_uuid": "a9bb4b93-c8ac-490d-9387-f97f4722271c"
}, - "message": "",
- "status": "success"
}
Requires administrative rights.
group_id required | integer Group ID |
cid required | integer Case ID |
group_name required | string |
group_description required | string |
group_permissions required | integer |
{- "group_name": "New group",
- "group_description": "New description",
- "group_permissions": 1
}
{- "data": {
- "group_auto_follow": false,
- "group_auto_follow_access_level": 0,
- "group_description": "New description",
- "group_id": 4,
- "group_name": "New group",
- "group_permissions": 1,
- "group_uuid": "a9bb4b93-c8ac-490d-9387-f97f4722271c"
}, - "message": "",
- "status": "success"
}
Requires administrative rights. Set the members of a group.
group_id required | integer Group ID |
cid required | integer Case ID |
group_members | Array of integers |
{- "group_members": [
- 1,
- 2
]
}
{- "data": [ ],
- "message": "Group deleted",
- "status": "success"
}
Requires administrative rights.
group_id required | integer Group ID |
user_id required | integer User ID |
cid required | integer Case ID |
{- "data": [ ],
- "message": "Group deleted",
- "status": "success"
}
Requires administrative rights.
group_id required | integer Group ID |
cid required | integer Case ID |
access_level required | integer |
cases_list required | Array of integers |
auto_follow_cases required | boolean |
{- "access_level": 0,
- "cases_list": [
- 0
], - "auto_follow_cases": false
}
{- "data": {
- "group_auto_follow": false,
- "group_auto_follow_access_level": 4,
- "group_cases_access": [
- {
- "access_level": 0,
- "access_level_list": [ ],
- "case_id": 1,
- "case_name": "#1 - Dummy name"
}
], - "group_description": "Standard Analysts",
- "group_id": 2,
- "group_members": [ ],
- "group_name": "Analysts",
- "group_permissions": 1,
- "group_permissions_list": [
- {
- "name": "standard_user",
- "value": 1
}
], - "group_uuid": "f71c519f-db4f-4bd3-9dd3-b427a5812089",
- "registry": null
}, - "message": "",
- "status": "success"
}
Requires administrative rights.
group_id required | integer Group ID |
cid required | integer Case ID |
cases | Array of integers |
{- "cases": [
- 1
]
}
{- "data": {
- "group_auto_follow": false,
- "group_auto_follow_access_level": 4,
- "group_cases_access": [
- {
- "access_level": 0,
- "access_level_list": [ ],
- "case_id": 1,
- "case_name": "#1 - Dummy name"
}
], - "group_description": "Standard Analysts",
- "group_id": 2,
- "group_members": [ ],
- "group_name": "Analysts",
- "group_permissions": 1,
- "group_permissions_list": [
- {
- "name": "standard_user",
- "value": 1
}
], - "group_uuid": "f71c519f-db4f-4bd3-9dd3-b427a5812089",
- "registry": null
}, - "message": "",
- "status": "success"
}
List the groups
cid required | integer Case ID |
Array of objects | |
message | string |
status | string |
{- "data": [
- {
- "group_auto_follow": true,
- "group_auto_follow_access_level": 4,
- "group_description": "Administrators",
- "group_id": 1,
- "group_members": [
- {
- "id": 1,
- "name": "administrator",
- "user": "administrator"
}
], - "group_name": "Administrators",
- "group_permissions": 3,
- "group_permissions_list": [
- {
- "name": "standard_user",
- "value": 1
}, - {
- "name": "server_administrator",
- "value": 2
}
], - "group_uuid": "17511de3-99f5-482a-a541-22bb77e62a9f",
- "registry": null
}, - {
- "group_auto_follow": true,
- "group_auto_follow_access_level": 4,
- "group_description": "Standard Analysts",
- "group_id": 2,
- "group_members": [ ],
- "group_name": "Analysts",
- "group_permissions": 1,
- "group_permissions_list": [
- {
- "name": "standard_user",
- "value": 1
}
], - "group_uuid": "f71c519f-db4f-4bd3-9dd3-b427a5812089",
- "registry": null
}, - {
- "group_auto_follow": false,
- "group_auto_follow_access_level": 0,
- "group_description": "New description",
- "group_id": 4,
- "group_members": [ ],
- "group_name": "New group",
- "group_permissions": 1,
- "group_permissions_list": [
- {
- "name": "standard_user",
- "value": 1
}
], - "group_uuid": "a9bb4b93-c8ac-490d-9387-f97f4722271c",
- "registry": null
}
], - "message": "",
- "status": "success"
}
Return a list of available assets types.
cid required | integer Case ID |
{- "data": [
- {
- "asset_description": "Standard Windows Server",
- "asset_icon_compromised": "ioc_windows_server.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_windows_server.png",
- "asset_icon_not_compromised": "windows_server.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/windows_server.png",
- "asset_id": 10,
- "asset_name": "Windows - Server"
}, - {
- "asset_description": "Domain Controller",
- "asset_icon_compromised": "ioc_windows_server.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_windows_server.png",
- "asset_icon_not_compromised": "windows_server.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/windows_server.png",
- "asset_id": 11,
- "asset_name": "Windows - DC"
}, - {
- "asset_description": "Router",
- "asset_icon_compromised": "ioc_router.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_router.png",
- "asset_icon_not_compromised": "router.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/router.png",
- "asset_id": 12,
- "asset_name": "Router"
}, - {
- "asset_description": "Switch",
- "asset_icon_compromised": "ioc_switch.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_switch.png",
- "asset_icon_not_compromised": "switch.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/switch.png",
- "asset_id": 13,
- "asset_name": "Switch"
}, - {
- "asset_description": "VPN",
- "asset_icon_compromised": "ioc_vpn.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_vpn.png",
- "asset_icon_not_compromised": "vpn.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/vpn.png",
- "asset_id": 14,
- "asset_name": "VPN"
}, - {
- "asset_description": "WAF",
- "asset_icon_compromised": "ioc_firewall.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_firewall.png",
- "asset_icon_not_compromised": "firewall.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/firewall.png",
- "asset_id": 15,
- "asset_name": "WAF"
}, - {
- "asset_description": "Windows Account - Local",
- "asset_icon_compromised": "ioc_user.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_user.png",
- "asset_icon_not_compromised": "user.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/user.png",
- "asset_id": 16,
- "asset_name": "Windows Account - Local"
}, - {
- "asset_description": "Windows Account - Local - Admin",
- "asset_icon_compromised": "ioc_user.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_user.png",
- "asset_icon_not_compromised": "user.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/user.png",
- "asset_id": 17,
- "asset_name": "Windows Account - Local - Admin"
}, - {
- "asset_description": "Windows Account - AD",
- "asset_icon_compromised": "ioc_user.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_user.png",
- "asset_icon_not_compromised": "user.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/user.png",
- "asset_id": 18,
- "asset_name": "Windows Account - AD"
}, - {
- "asset_description": "Windows Account - AD - Admin",
- "asset_icon_compromised": "ioc_user.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_user.png",
- "asset_icon_not_compromised": "user.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/user.png",
- "asset_id": 19,
- "asset_name": "Windows Account - AD - Admin"
}, - {
- "asset_description": "Windows Account - AD - krbtgt",
- "asset_icon_compromised": "ioc_user.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_user.png",
- "asset_icon_not_compromised": "user.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/user.png",
- "asset_id": 20,
- "asset_name": "Windows Account - AD - krbtgt"
}, - {
- "asset_description": "Windows Account - AD - krbtgt",
- "asset_icon_compromised": "ioc_user.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_user.png",
- "asset_icon_not_compromised": "user.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/user.png",
- "asset_id": 21,
- "asset_name": "Windows Account - AD - Service"
}, - {
- "asset_description": "Generic Account",
- "asset_icon_compromised": "ioc_user.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_user.png",
- "asset_icon_not_compromised": "user.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/user.png",
- "asset_id": 1,
- "asset_name": "Account"
}, - {
- "asset_description": "Firewall",
- "asset_icon_compromised": "ioc_firewall.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_firewall.png",
- "asset_icon_not_compromised": "firewall.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/firewall.png",
- "asset_id": 2,
- "asset_name": "Firewall"
}, - {
- "asset_description": "Linux server",
- "asset_icon_compromised": "ioc_server.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_server.png",
- "asset_icon_not_compromised": "server.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/server.png",
- "asset_id": 3,
- "asset_name": "Linux - Server"
}, - {
- "asset_description": "Linux computer",
- "asset_icon_compromised": "ioc_desktop.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_desktop.png",
- "asset_icon_not_compromised": "desktop.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/desktop.png",
- "asset_id": 4,
- "asset_name": "Linux - Computer"
}, - {
- "asset_description": "Linux Account",
- "asset_icon_compromised": "ioc_user.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_user.png",
- "asset_icon_not_compromised": "user.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/user.png",
- "asset_id": 5,
- "asset_name": "Linux Account"
}, - {
- "asset_description": "Mac computer",
- "asset_icon_compromised": "ioc_desktop.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_desktop.png",
- "asset_icon_not_compromised": "desktop.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/desktop.png",
- "asset_id": 6,
- "asset_name": "Mac - Computer"
}, - {
- "asset_description": "Android Phone",
- "asset_icon_compromised": "ioc_phone.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_phone.png",
- "asset_icon_not_compromised": "phone.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/phone.png",
- "asset_id": 7,
- "asset_name": "Phone - Android"
}, - {
- "asset_description": "Apple Phone",
- "asset_icon_compromised": "ioc_phone.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_phone.png",
- "asset_icon_not_compromised": "phone.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/phone.png",
- "asset_id": 8,
- "asset_name": "Phone - IOS"
}, - {
- "asset_description": "Standard Windows Computer",
- "asset_icon_compromised": "ioc_windows_desktop.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_windows_desktop.png",
- "asset_icon_not_compromised": "windows_desktop.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/windows_desktop.png",
- "asset_id": 9,
- "asset_name": "Windows - Computer"
}
], - "message": "",
- "status": "success"
}
Returns information on a specific asset type.
asset_type_id required | integer Asset Type ID |
{- "data": {
- "asset_description": "Firewall",
- "asset_id": 2,
- "asset_name": "Firewall"
}, - "message": "",
- "status": "success"
}
Delete an asset type. Administrator role required.
asset_type_id required | integer Asset Type ID |
cid | integer Case ID |
{- "data": [ ],
- "message": "Deleted asset type ID 16 successfully",
- "status": "success"
}
Administrator role required. See the example for the expected data.
-----------------------------145784024822865434322863553415
Content-Disposition: form-data; name="asset_name"
My asset name
-----------------------------145784024822865434322863553415
Content-Disposition: form-data; name="asset_description"
My asset description
-----------------------------145784024822865434322863553415
Content-Disposition: form-data; name="asset_icon_not_compromised"; filename="ex.png"
Content-Type: image/png
PNG DATA
-----------------------------145784024822865434322863553415
Content-Disposition: form-data; name="asset_icon_compromised"; filename="ex_1.png"
Content-Type: image/png
PNG DATA
-----------------------------145784024822865434322863553415--
asset_name required | string |
asset_description required | string |
asset_icon_not_compromised required | string |
asset_icon_compromised required | string |
{- "data": {
- "asset_description": "Test",
- "asset_icon_compromised": "rhogktdtczkkrokiaq",
- "asset_icon_not_compromised": "ibbbflajuaecznvhtm",
- "asset_id": 22,
- "asset_name": "Test",
- "registry": null
}, - "message": "Asset type updated",
- "status": "success"
}
Administrator role required.
asset_type_id required | integer Asset Type to update |
cid required | integer Case ID |
-----------------------------145784024822865434322863553415
Content-Disposition: form-data; name="asset_name"
My asset name
-----------------------------145784024822865434322863553415
Content-Disposition: form-data; name="asset_description"
My asset description
-----------------------------145784024822865434322863553415
Content-Disposition: form-data; name="asset_icon_not_compromised"; filename="ex.png"
Content-Type: image/png
PNG DATA
-----------------------------145784024822865434322863553415
Content-Disposition: form-data; name="asset_icon_compromised"; filename="ex_1.png"
Content-Type: image/png
PNG DATA
-----------------------------145784024822865434322863553415--
asset_name required | string |
asset_description required | string |
asset_icon_not_compromised required | string |
asset_icon_compromised required | string |
{- "data": {
- "asset_description": "Windows Account - Local - Admin",
- "asset_icon_compromised": "ioc_user.png",
- "asset_icon_not_compromised": "user.png",
- "asset_id": 17,
- "asset_name": "Windows Account - Local - Admin",
- "registry": null
}, - "message": "Asset type updated",
- "status": "success"
}
Return a list of available task status.
cid required | integer Case ID |
{- "data": [
- {
- "id": 1,
- "status_bscolor": "danger",
- "status_description": "",
- "status_name": "To do"
}, - {
- "id": 2,
- "status_bscolor": "warning",
- "status_description": "",
- "status_name": "In progress"
}, - {
- "id": 3,
- "status_bscolor": "muted",
- "status_description": "",
- "status_name": "On hold"
}, - {
- "id": 4,
- "status_bscolor": "success",
- "status_description": "",
- "status_name": "Done"
}, - {
- "id": 5,
- "status_bscolor": "muted",
- "status_description": "",
- "status_name": "Canceled"
}
], - "message": "",
- "status": "success"
}
Return information on a task status.
task_status_id required | integer Task status to get |
cid required | integer Case ID |
{- "data": {
- "id": 1,
- "status_bscolor": "danger",
- "status_description": "",
- "status_name": "To do"
}, - "message": "",
- "status": "success"
}
Return a list of available analysis status.
cid required | integer Case ID |
{- "data": [
- {
- "id": 1,
- "name": "Unspecified"
}, - {
- "id": 2,
- "name": "To be done"
}, - {
- "id": 3,
- "name": "Started"
}, - {
- "id": 4,
- "name": "Pending"
}, - {
- "id": 5,
- "name": "Canceled"
}, - {
- "id": 6,
- "name": "Done"
}
], - "message": "",
- "status": "success"
}
Return information on an IOC type.
ioc_type_id required | integer IOC Type ID |
cid required | integer Case ID |
{- "data": {
- "registry": null,
- "type_description": "Autonomous system",
- "type_id": 1,
- "type_name": "AS",
- "type_taxonomy": null,
- "type_validation_expect": null,
- "type_validation_regex": null
}, - "message": "",
- "status": "success"
}
Delete an IOC type. Administrator role required.
ioc_type_id required | integer IOC Type ID |
cid | integer Case ID |
{- "data": [ ],
- "message": "Deleted ioc type ID 6",
- "status": "success"
}
Administrator role required.
type_name required | string |
type_description required | string |
type_taxonomy required | string |
type_validation_regex required | string |
type_validation_expect required | string |
{- "type_name": "campaign-id",
- "type_description": "Associated campaign ID",
- "type_taxonomy": "dsa",
- "type_validation_regex": "*.",
- "type_validation_expect": "Explanation"
}
{- "data": {
- "registry": null,
- "type_description": "Associated campaign ID",
- "type_id": 161,
- "type_name": "campaign-aaid",
- "type_taxonomy": "dsa",
- "type_validation_expect": "Explanation",
- "type_validation_regex": "*."
}, - "message": "Added successfully",
- "status": "success"
}
Administrator role required.
ioc_type_id required | integer IOC Type ID |
type_name | string |
type_description | string |
type_taxonomy | string |
type_validation_regex | string |
type_validation_expect | string |
{- "type_name": "campaign-id",
- "type_description": "Associated campaign ID",
- "type_taxonomy": "dsa",
- "type_validation_regex": "*.",
- "type_validation_expect": "Explanation"
}
{- "data": {
- "registry": null,
- "type_description": "Associated campaign ID",
- "type_id": 7,
- "type_name": "campaign-id",
- "type_taxonomy": "dsa",
- "type_validation_expect": "Explanation",
- "type_validation_regex": "*."
}, - "message": "IOC type updated",
- "status": "success"
}
Add a new case template.
case_template_json | string |
{- "case_template_json": "{\n \"name\": \"Template name\",\n \"display_name\": \"Template Display Name\",\n \"description\": \"Template description\",\n \"author\": \"YOUR NAME\",\n \"classification\": \"known-template-classification\",\n \"title_prefix\": \"[PREFIX]\",\n \"summary\": \"Summary to be set\",\n \"tags\": [\n \"ransomware\",\n \"malware\"\n ],\n \"tasks\": [\n {\n \"title\": \"Task 1\",\n \"description\": \"Task 1 description\",\n \"tags\": [\n \"tag1\",\n \"tag2\"\n ]\n }\n ],\n \"note_groups\": [\n {\n \"title\": \"Note group 1\",\n \"notes\": [\n {\n \"title\": \"Note 1\",\n \"content\": \"Note 1 content\"\n }\n ]\n }\n ]\n}"
}
{- "data": {
- "registry": null,
- "type_description": "Associated campaign ID",
- "type_id": 7,
- "type_name": "campaign-id",
- "type_taxonomy": "dsa",
- "type_validation_expect": "Explanation",
- "type_validation_regex": "*."
}, - "message": "IOC type updated",
- "status": "success"
}
Update a case template.
template_id required | integer Case Template ID |
case_template_json | string |
{- "case_template_json": "{\n \"name\": \"Template name\",\n \"display_name\": \"Template Display Name\",\n \"description\": \"Template description\",\n \"author\": \"YOUR NAME\",\n \"classification\": \"known-template-classification\",\n \"title_prefix\": \"[PREFIX]\",\n \"summary\": \"Summary to be set\",\n \"tags\": [\n \"ransomware\",\n \"malware\"\n ],\n \"tasks\": [\n {\n \"title\": \"Task 1\",\n \"description\": \"Task 1 description\",\n \"tags\": [\n \"tag1\",\n \"tag2\"\n ]\n }\n ],\n \"note_groups\": [\n {\n \"title\": \"Note group 1\",\n \"notes\": [\n {\n \"title\": \"Note 1\",\n \"content\": \"Note 1 content\"\n }\n ]\n }\n ]\n}"
}
{- "data": {
- "registry": null,
- "type_description": "Associated campaign ID",
- "type_id": 7,
- "type_name": "campaign-id",
- "type_taxonomy": "dsa",
- "type_validation_expect": "Explanation",
- "type_validation_regex": "*."
}, - "message": "IOC type updated",
- "status": "success"
}
Delete a case template.
template_id required | integer Case Template ID |
{- "data": {
- "registry": null,
- "type_description": "Associated campaign ID",
- "type_id": 7,
- "type_name": "campaign-id",
- "type_taxonomy": "dsa",
- "type_validation_expect": "Explanation",
- "type_validation_regex": "*."
}, - "message": "IOC type updated",
- "status": "success"
}
{- "status": "success",
- "message": "",
- "data": [
- {
- "id": 1,
- "name": "abusive-content:spam",
- "name_expanded": "Abusive-Content: spam",
- "description": "Spam or ‘unsolicited bulk e-mail’, meaning that the recipient has not granted verifiable permission for the message to be sent and that the message is sent as part of a larger collection of messages, all having identical content.",
- "creation_date": "2023-04-28T11:30:00.649012"
}, - {
- "id": 2,
- "name": "abusive-content:harmful-speech",
- "name_expanded": "Abusive-Content: Harmful Speech",
- "description": "Discretization or discrimination of somebody (e.g. cyber stalking, racism and threats against one or more individuals) May be found on a forum, email, tweet etc…",
- "creation_date": "2023-04-28T11:30:00.653918"
}, - {
- "id": 3,
- "name": "abusive-content:violence",
- "name_expanded": "Abusive-Content: Child/Sexual/Violence/...",
- "description": "Any Child pornography, glorification of violence, may be found on a website, forum, email, tweet etc…",
- "creation_date": "2023-04-28T11:30:00.657151"
}, - {
- "id": 4,
- "name": "malicious-code:virus",
- "name_expanded": "Malicious-Code: Virus",
- "description": "Malicious code that replicate itself and infects the computer and files;",
- "creation_date": "2023-04-28T11:30:00.660827"
}, - {
- "id": 5,
- "name": "malicious-code:worm",
- "name_expanded": "Malicious-Code: Worm",
- "description": "Malware that self-replicates and spread itself to other computers in the network without any user interaction;",
- "creation_date": "2023-04-28T11:30:00.664177"
}, - {
- "id": 6,
- "name": "malicious-code:ransomware",
- "name_expanded": "Malicious-Code: Ransomware",
- "description": "Ransomware is a type of malicious software from cryptovirology that blocks access to the victim's data or threatens to publish it until a ransom is paid.",
- "creation_date": "2023-04-28T11:30:00.667058"
}, - {
- "id": 7,
- "name": "malicious-code:trojan-malware",
- "name_expanded": "Malicious-Code: Trojan/Malware",
- "description": "This category regroups many common malware types (Banking, POS, Mining malware).",
- "creation_date": "2023-04-28T11:30:00.670949"
}, - {
- "id": 8,
- "name": "malicious-code:spyware-rat",
- "name_expanded": "Malicious-Code: Spyware/Rat",
- "description": "This category regroups malware types and tools that may have a bigger impact on the breached infrastructure and usually need further investigations (Common Spyware/Rat, State sponsored malwares, StealersHacking tool).",
- "creation_date": "2023-04-28T11:30:00.673649"
}, - {
- "id": 9,
- "name": "malicious-code:dialer",
- "name_expanded": "Malicious-Code: Dialer",
- "description": "Computer program used to identify the phone numbers that can successfully make a connection with a computer modem. Use this category to classify overpriced SMS sent by malicious mobile application. ",
- "creation_date": "2023-04-28T11:30:00.676681"
}, - {
- "id": 10,
- "name": "malicious-code:rootkit",
- "name_expanded": "Malicious-Code: Rootkit",
- "description": "Malware, which alter the standard functionality of an operating system in order to do its malicious actions in a stealthy way. In practice, Rootkits hijacks systems functions in order to alter the returning values to hide themselves from simple analysis tools.",
- "creation_date": "2023-04-28T11:30:00.679830"
}, - {
- "id": 11,
- "name": "information-gathering:scanner",
- "name_expanded": "Information-Gathering: Scanning",
- "description": "Attacks that send requests to a system to discover weak points. This also includes some kinds of testing processes to gather information about hosts, services and accounts. Examples: fingerd, DNS querying, ICMP, SMTP (EXPN, RCPT,).",
- "creation_date": "2023-04-28T11:30:00.682321"
}, - {
- "id": 12,
- "name": "information-gathering:sniffing",
- "name_expanded": "Information-Gathering: Sniffing",
- "description": "Observing and recording network traffic (wiretapping).",
- "creation_date": "2023-04-28T11:30:00.686102"
}, - {
- "id": 13,
- "name": "information-gathering:social-engineering",
- "name_expanded": "Information-Gathering: Social Engineering",
- "description": "Gathering information from a human being in a non-technical way (eg, lies, tricks, bribes, or threats).",
- "creation_date": "2023-04-28T11:30:00.689526"
}, - {
- "id": 14,
- "name": "intrusion-attempts:exploit-known-vuln",
- "name_expanded": "Intrusion-Attempts: Exploiting known vulnerabilities",
- "description": "An attempt to compromise a system or to disrupt any service by exploiting vulnerabilities with a standardised identifier such as CVE name (eg, buffer overflow, backdoors, cross side scripting, etc).",
- "creation_date": "2023-04-28T11:30:00.692862"
}, - {
- "id": 15,
- "name": "intrusion-attempts:login-attempts",
- "name_expanded": "Intrusion-Attempts: Login attempts",
- "description": "Multiple login attempts (guessing / cracking of passwords, brute force).",
- "creation_date": "2023-04-28T11:30:00.696596"
}, - {
- "id": 16,
- "name": "intrusion-attempts:new-attack-signature",
- "name_expanded": "Intrusion-Attempts: New attack signature",
- "description": "An attempt using an unknown exploit.",
- "creation_date": "2023-04-28T11:30:00.699969"
}, - {
- "id": 17,
- "name": "intrusion:privileged-account-compromise",
- "name_expanded": "Intrusion: Privileged Account Compromise",
- "description": "A successful full compromise of a system or application (service). This can have been caused remotely by a known or new vulnerability, but also by an unauthorized local access.",
- "creation_date": "2023-04-28T11:30:00.704096"
}, - {
- "id": 18,
- "name": "intrusion:unprivileged-account-compromise",
- "name_expanded": "Intrusion: Unprivileged Account Compromise",
- "description": "A successful compromise of a system or application (service). This can have been caused remotely by a known or new vulnerability, but also by an unauthorized local access. The intruded did not achieve to escale his privileges locally. ",
- "creation_date": "2023-04-28T11:30:00.707415"
}, - {
- "id": 19,
- "name": "intrusion:botnet-member",
- "name_expanded": "Intrusion: Botnet member",
- "description": "The compromised asset is also being part of a botnet. This is reserved mainly for public web servers. See malicious code in priority for workstations or internal server’s compromise. For example, phpmailer, etc…",
- "creation_date": "2023-04-28T11:30:00.711851"
}, - {
- "id": 20,
- "name": "intrusion:domain-compromise",
- "name_expanded": "Intrusion: Domain Compromise",
- "description": "The whole domain is compromised; this is commonly used for active directory and detected by a 'pass the ticket' attack or a discovery of 'ad dumps' files.",
- "creation_date": "2023-04-28T11:30:00.715487"
}, - {
- "id": 21,
- "name": "intrusion:application-compromise",
- "name_expanded": "Intrusion: Application Compromise",
- "description": "An application is compromised; the attacker possess an uncontrolled access to data, server, and assets used by this application (CMDB, DB, Backend services, etc.).",
- "creation_date": "2023-04-28T11:30:00.719242"
}, - {
- "id": 22,
- "name": "availability:dos",
- "name_expanded": "Availability: DoS",
- "description": "An attacker attempts to prevent legitimate users from accessing information or services.",
- "creation_date": "2023-04-28T11:30:00.722901"
}, - {
- "id": 23,
- "name": "availability:ddos",
- "name_expanded": "Availability: DDoS",
- "description": "Form of electronic attack involving multiple computers, which send repeated requests (HTTP requests, pings, TCP or UDP Flood) to a server to load it down and render the service inaccessible for a period of time. ",
- "creation_date": "2023-04-28T11:30:00.726025"
}, - {
- "id": 24,
- "name": "availability:sabotage",
- "name_expanded": "Availability: Sabotage",
- "description": "Deliberate and malicious acts that result in the disruption of the normal processes and functions or the destruction or damage of equipment or information.",
- "creation_date": "2023-04-28T11:30:00.730028"
}, - {
- "id": 25,
- "name": "availability:outage",
- "name_expanded": "Availability: Outage (no malice)",
- "description": "Unavailability of the system but done with no malice.",
- "creation_date": "2023-04-28T11:30:00.732902"
}, - {
- "id": 26,
- "name": "information-content-security:Unauthorised-information-access",
- "name_expanded": "Information-Content-Security: Unauthorised access to information",
- "description": "Any access to unauthorized data. It may be access of data on improperly restricted server share or database exfiltered by using a SQLi.",
- "creation_date": "2023-04-28T11:30:00.736928"
}, - {
- "id": 27,
- "name": "information-content-security:Unauthorised-information-modification",
- "name_expanded": "Information-Content-Security: Unauthorised modification of information",
- "description": "Unauthorized tampering of data on files, documents or database.",
- "creation_date": "2023-04-28T11:30:00.740163"
}, - {
- "id": 28,
- "name": "fraud:copyright",
- "name_expanded": "Fraud: Copyright",
- "description": "Selling or installing copies of unlicensed commercial software or other copyright protected materials (Warez).",
- "creation_date": "2023-04-28T11:30:00.743723"
}, - {
- "id": 29,
- "name": "fraud:masquerade",
- "name_expanded": "Fraud: Masquerade",
- "description": "Types of attacks in which one entity illegitimately assumes the identity of another in order to benefit from it. This attack may be used for president fraud requesting transactions.",
- "creation_date": "2023-04-28T11:30:00.747483"
}, - {
- "id": 30,
- "name": "fraud:phishing",
- "name_expanded": "Fraud: Phishing",
- "description": "Masquerading as another entity in order to persuade the user to reveal a private credential.",
- "creation_date": "2023-04-28T11:30:00.750375"
}, - {
- "id": 31,
- "name": "vulnerable:vulnerable-service",
- "name_expanded": "Vulnerable: Open for abuse",
- "description": "Open resolvers, world readable printers, vulnerability apparent from Nessus etc scans, virus, signatures not up to date, etc. This includes for example default SNMP community or default password on any application.",
- "creation_date": "2023-04-28T11:30:00.754135"
}, - {
- "id": 32,
- "name": "conformity:regulator",
- "name_expanded": "Conformity: Regulator",
- "description": "All lack about regulator rules (CSSF, GDPR, etc.).",
- "creation_date": "2023-04-28T11:30:00.757258"
}, - {
- "id": 33,
- "name": "conformity:standard",
- "name_expanded": "Conformity: Standard",
- "description": "All lack about standards certification of the company (ISO27000, NIS, ISAE3402, etc.).",
- "creation_date": "2023-04-28T11:30:00.760692"
}, - {
- "id": 34,
- "name": "conformity:security-policy",
- "name_expanded": "Conformity: Security policy",
- "description": "All lack about the internal security policy of the company.",
- "creation_date": "2023-04-28T11:30:00.764099"
}, - {
- "id": 35,
- "name": "conformity:other-conformity",
- "name_expanded": "Conformity: Other",
- "description": "All lack that do not fit in one of previous categories should be put on this class.",
- "creation_date": "2023-04-28T11:30:00.766910"
}, - {
- "id": 36,
- "name": "other:other",
- "name_expanded": "Other: other",
- "description": "All incidents that do not fit in one of the given categories should be put into this class. If the number of incidents in this category increases, it is an indicator that the classification scheme must be revised.",
- "creation_date": "2023-04-28T11:30:00.770376"
}, - {
- "id": 75,
- "name": "Super really",
- "name_expanded": "No no no",
- "description": "dsadas",
- "creation_date": "2023-05-02T07:22:38.042448"
}
]
}
Get a case classification from an ID.
classification_id required | integer Classification ID to fetch |
{- "status": "success",
- "message": "",
- "data": {
- "creation_date": "2023-04-28T11:30:00.649012",
- "description": "Spam or ‘unsolicited bulk e-mail’, meaning that the recipient has not granted verifiable permission for the message to be sent and that the message is sent as part of a larger collection of messages, all having identical content.",
- "name_expanded": "Abusive-Content: spam",
- "id": 1,
- "name": "abusive-content:spam"
}
}
name | string |
name_expanded | string |
description | string |
{- "name": "NewClassification",
- "name_expanded": "New Classification",
- "description": "Superbe new classification"
}
{- "status": "success",
- "message": "Case classification added",
- "data": {
- "name": "NewClassification",
- "name_expanded": "New Classification",
- "description": "Superbe new classification",
- "id": 41,
- "creation_date": "2024-01-10T12:56:24.442781"
}
}
classification_id required | string Classification ID |
name | string |
name_expanded | string |
description | string |
{- "name": "NewClassification",
- "name_expanded": "New Classification",
- "description": "Superbe new classification"
}
{- "status": "success",
- "message": "Case classification updated",
- "data": {
- "name": "NewClassification",
- "name_expanded": "New Classification",
- "description": "Superbe new classification",
- "id": 41,
- "creation_date": "2024-01-10T12:56:24.442781"
}
}
{- "status": "success",
- "message": "",
- "data": [
- {
- "state_name": "Unspecified",
- "state_description": "Unspecified",
- "state_id": 1,
- "protected": true
}, - {
- "state_name": "In progress",
- "state_description": "Case is being investigated",
- "state_id": 2,
- "protected": false
}, - {
- "state_name": "Containment",
- "state_description": "Containment is in progress",
- "state_id": 4,
- "protected": false
}, - {
- "state_name": "Eradication",
- "state_description": "Eradication is in progress",
- "state_id": 5,
- "protected": false
}, - {
- "state_name": "Recovery",
- "state_description": "Recovery is in progress",
- "state_id": 6,
- "protected": false
}, - {
- "state_name": "Post-Incident",
- "state_description": "Post-incident phase",
- "state_id": 7,
- "protected": false
}, - {
- "state_name": "Reporting",
- "state_description": "Reporting is in progress",
- "state_id": 8,
- "protected": false
}, - {
- "state_name": "Closed",
- "state_description": "Case is closed",
- "state_id": 9,
- "protected": true
}, - {
- "state_name": "Open",
- "state_description": "Case is open",
- "state_id": 11,
- "protected": true
}, - {
- "state_name": "Open",
- "state_description": "Case is open",
- "state_id": 3,
- "protected": true
}, - {
- "state_name": "To escalate",
- "state_description": "Use this when the case is stalled due to inaction of an involved stakeholder",
- "state_id": 10,
- "protected": false
}
]
}
Get a case state from an ID.
state_id required | integer state ID to fetch |
{- "status": "success",
- "message": "",
- "data": {
- "state_name": "Unspecified",
- "state_description": "Unspecified",
- "state_id": 1,
- "protected": true
}
}
state_name required | string |
state_description required | string |
{- "state_name": "New state",
- "state_description": "Superbe new state"
}
{- "status": "success",
- "message": "Case state added",
- "data": {
- "state_name": "New state",
- "state_description": "Superbe new state",
- "state_id": 14,
- "protected": false
}
}
state_id required | string state ID |
state_name | string |
state_description | string |
{- "state_name": "New state",
- "state_description": "Superbe new state"
}
{- "status": "success",
- "message": "Case state updated",
- "data": {
- "state_name": "New state",
- "state_description": "Superbe new state",
- "state_id": 14,
- "protected": false
}
}
{- "status": "success",
- "message": "",
- "data": [
- {
- "id": 1,
- "name": "Unspecified",
- "description": "Unspecified",
- "creation_date": "2023-11-29T10:28:30.448583"
}, - {
- "id": 2,
- "name": "HDD image - Generic",
- "description": "Generic copy of an hard drive",
- "creation_date": "2023-11-29T10:28:30.764707"
}, - {
- "id": 3,
- "name": "HDD image - DD - Other",
- "description": "DD copy of an hard drive",
- "creation_date": "2023-11-29T10:28:30.768152"
}, - {
- "id": 4,
- "name": "HDD image - DD - Windows",
- "description": "DD copy of an hard drive",
- "creation_date": "2023-11-29T10:28:30.777829"
}, - {
- "id": 5,
- "name": "HDD image - DD - Unix",
- "description": "DD copy of an hard drive",
- "creation_date": "2023-11-29T10:28:30.785553"
}, - {
- "id": 6,
- "name": "HDD image - DD - MacOS",
- "description": "DD copy of an hard drive",
- "creation_date": "2023-11-29T10:28:30.794414"
}, - {
- "id": 7,
- "name": "HDD image - E01 - Other",
- "description": "E01 acquisition of an hard drive",
- "creation_date": "2023-11-29T10:28:30.800029"
}, - {
- "id": 8,
- "name": "HDD image - E01 - Windows",
- "description": "E01 acquisition of an hard drive",
- "creation_date": "2023-11-29T10:28:30.803284"
}, - {
- "id": 9,
- "name": "HDD image - E01 - Unix",
- "description": "E01 acquisition of an hard drive",
- "creation_date": "2023-11-29T10:28:30.806221"
}, - {
- "id": 10,
- "name": "HDD image - E01 - MacOS",
- "description": "E01 acquisition of an hard drive",
- "creation_date": "2023-11-29T10:28:30.809047"
}, - {
- "id": 11,
- "name": "HDD image - AFF4 - Other",
- "description": "AFF4 acquisition of an hard drive",
- "creation_date": "2023-11-29T10:28:30.811984"
}, - {
- "id": 12,
- "name": "HDD image - AFF4 - Windows",
- "description": "AFF4 acquisition of an hard drive",
- "creation_date": "2023-11-29T10:28:30.814682"
}, - {
- "id": 13,
- "name": "HDD image - AFF4 - Unix",
- "description": "AFF4 acquisition of an hard drive",
- "creation_date": "2023-11-29T10:28:30.817469"
}, - {
- "id": 14,
- "name": "HDD image - AFF4 - MacOS",
- "description": "AFF4 acquisition of an hard drive",
- "creation_date": "2023-11-29T10:28:30.820104"
}, - {
- "id": 15,
- "name": "SSD image - Generic",
- "description": "Generic copy of an solid state drive",
- "creation_date": "2023-11-29T10:28:30.822762"
}, - {
- "id": 16,
- "name": "SSD image - DD - Other",
- "description": "DD copy of an solid state drive",
- "creation_date": "2023-11-29T10:28:30.825339"
}, - {
- "id": 17,
- "name": "SSD image - DD - Windows",
- "description": "DD copy of an solid state drive",
- "creation_date": "2023-11-29T10:28:30.827840"
}, - {
- "id": 18,
- "name": "SSD image - DD - Unix",
- "description": "DD copy of an solid state drive",
- "creation_date": "2023-11-29T10:28:30.830378"
}, - {
- "id": 19,
- "name": "SSD image - DD - MacOS",
- "description": "DD copy of an solid state drive",
- "creation_date": "2023-11-29T10:28:30.832702"
}, - {
- "id": 20,
- "name": "SSD image - E01 - Other",
- "description": "EO1 copy of a solid state drive",
- "creation_date": "2023-11-29T10:28:30.835493"
}, - {
- "id": 21,
- "name": "SSD image - E01 - Windows",
- "description": "EO1 copy of a solid state drive",
- "creation_date": "2023-11-29T10:28:30.838210"
}, - {
- "id": 22,
- "name": "SSD image - E01 - Unix",
- "description": "EO1 copy of a solid state drive",
- "creation_date": "2023-11-29T10:28:30.840994"
}, - {
- "id": 23,
- "name": "SSD image - E01 - MacOS",
- "description": "EO1 copy of MacOS on a solid state drive",
- "creation_date": "2023-11-29T10:28:30.843876"
}, - {
- "id": 24,
- "name": "SSD image - AFF4 - Other",
- "description": "AFF4 copy of an solid state drive",
- "creation_date": "2023-11-29T10:28:30.846797"
}, - {
- "id": 25,
- "name": "SSD image - AFF4 - Windows",
- "description": "AFF4 copy of an solid state drive",
- "creation_date": "2023-11-29T10:28:30.849600"
}, - {
- "id": 26,
- "name": "SSD image - AFF4 - Unix",
- "description": "AFF4 copy of an solid state drive",
- "creation_date": "2023-11-29T10:28:30.852251"
}, - {
- "id": 27,
- "name": "SSD image - AFF4 - MacOS",
- "description": "AFF4 copy of an solid state drive",
- "creation_date": "2023-11-29T10:28:30.855217"
}, - {
- "id": 28,
- "name": "VM image - Generic",
- "description": "Generic copy of a VM ",
- "creation_date": "2023-11-29T10:28:30.858080"
}, - {
- "id": 29,
- "name": "VM image - Linux Server",
- "description": "Copy of a Linux Server VM",
- "creation_date": "2023-11-29T10:28:30.861149"
}, - {
- "id": 30,
- "name": "VM image - Windows Server",
- "description": "Copy of a Windows Server VM",
- "creation_date": "2023-11-29T10:28:30.864715"
}, - {
- "id": 31,
- "name": "Phone Image - Android",
- "description": "Copy of an Android phone",
- "creation_date": "2023-11-29T10:28:30.868405"
}, - {
- "id": 32,
- "name": "Phone Image - iPhone",
- "description": "Copy of an iPhone",
- "creation_date": "2023-11-29T10:28:30.873334"
}, - {
- "id": 33,
- "name": "Phone backup - Android (adb)",
- "description": "adb backup of an Android",
- "creation_date": "2023-11-29T10:28:30.876699"
}, - {
- "id": 34,
- "name": "Phone backup - iPhone (iTunes)",
- "description": "iTunes backup of an iPhone",
- "creation_date": "2023-11-29T10:28:30.879779"
}, - {
- "id": 35,
- "name": "Tablet Image - Android",
- "description": "Copy of an Android tablet",
- "creation_date": "2023-11-29T10:28:30.882645"
}, - {
- "id": 36,
- "name": "Tablet Image - iPad",
- "description": "Copy of an iPad tablet",
- "creation_date": "2023-11-29T10:28:30.885351"
}, - {
- "id": 37,
- "name": "Tablet backup - Android (adb)",
- "description": "adb backup of an Android tablet",
- "creation_date": "2023-11-29T10:28:30.888168"
}, - {
- "id": 38,
- "name": "Tablet backup - iPad (iTunes)",
- "description": "iTunes backup of an iPad",
- "creation_date": "2023-11-29T10:28:30.890747"
}, - {
- "id": 39,
- "name": "Collection - Velociraptor",
- "description": "Velociraptor collection",
- "creation_date": "2023-11-29T10:28:30.893125"
}, - {
- "id": 40,
- "name": "Collection - ORC",
- "description": "ORC collection",
- "creation_date": "2023-11-29T10:28:30.896533"
}, - {
- "id": 41,
- "name": "Collection - KAPE",
- "description": "KAPE collection",
- "creation_date": "2023-11-29T10:28:30.899316"
}, - {
- "id": 42,
- "name": "Memory acquisition - Physical RAM",
- "description": "Physical RAM acquisition",
- "creation_date": "2023-11-29T10:28:30.901923"
}, - {
- "id": 43,
- "name": "Memory acquisition - VMEM",
- "description": "vmem file",
- "creation_date": "2023-11-29T10:28:30.904445"
}, - {
- "id": 44,
- "name": "Logs - Linux",
- "description": "Standard Linux logs",
- "creation_date": "2023-11-29T10:28:30.906868"
}, - {
- "id": 45,
- "name": "Logs - Windows EVTX",
- "description": "Standard Windows EVTX logs",
- "creation_date": "2023-11-29T10:28:30.909559"
}, - {
- "id": 46,
- "name": "Logs - Windows EVT",
- "description": "Standard Windows EVT logs",
- "creation_date": "2023-11-29T10:28:30.912298"
}, - {
- "id": 47,
- "name": "Logs - MacOS",
- "description": "Standard MacOS logs",
- "creation_date": "2023-11-29T10:28:30.915390"
}, - {
- "id": 48,
- "name": "Logs - Generic",
- "description": "Generic logs",
- "creation_date": "2023-11-29T10:28:30.918916"
}, - {
- "id": 49,
- "name": "Logs - Firewall",
- "description": "Firewall logs",
- "creation_date": "2023-11-29T10:28:30.921878"
}, - {
- "id": 50,
- "name": "Logs - Proxy",
- "description": "Proxy logs",
- "creation_date": "2023-11-29T10:28:30.924702"
}, - {
- "id": 51,
- "name": "Logs - DNS",
- "description": "DNS logs",
- "creation_date": "2023-11-29T10:28:30.927599"
}, - {
- "id": 52,
- "name": "Logs - Email",
- "description": "Email logs",
- "creation_date": "2023-11-29T10:28:30.930438"
}, - {
- "id": 53,
- "name": "Executable - Windows (PE)",
- "description": "Generic Windows executable",
- "creation_date": "2023-11-29T10:28:30.933774"
}, - {
- "id": 54,
- "name": "Executable - Linux (ELF)",
- "description": "Generic Linux executable",
- "creation_date": "2023-11-29T10:28:30.936884"
}, - {
- "id": 55,
- "name": "Executable - MacOS (Mach-O)",
- "description": "Generic MacOS executable",
- "creation_date": "2023-11-29T10:28:30.939526"
}, - {
- "id": 56,
- "name": "Executable - Generic",
- "description": "Generic executable",
- "creation_date": "2023-11-29T10:28:30.942070"
}, - {
- "id": 57,
- "name": "Script - Generic",
- "description": "Generic script",
- "creation_date": "2023-11-29T10:28:30.944690"
}, - {
- "id": 58,
- "name": "Generic - Data blob",
- "description": "Generic blob of data",
- "creation_date": "2023-11-29T10:28:30.947365"
}
]
}
Get a evidence type from an ID.
type_id required | integer state ID to fetch |
{- "status": "success",
- "message": "",
- "data": {
- "state_name": "Unspecified",
- "state_description": "Unspecified",
- "state_id": 1,
- "protected": true
}
}
name required | string |
description required | string |
{- "name": "Evidence Type",
- "description": "Superbe Evidence Type"
}
{- "status": "success",
- "message": "Evidence type added",
- "data": {
- "name": "Evidence Type",
- "description": "Superbe Evidence Type",
- "id": 59,
- "creation_date": "2024-01-10T15:39:50.157298"
}
}
type_id required | string Type ID |
name | string |
description | string |
{- "name": "Evidence Type",
- "description": "Superbe Evidence Type"
}
{- "status": "success",
- "message": "Evidence type updated",
- "data": {
- "name": "Evidence Type 1",
- "description": "Superbe Evidence Type",
- "id": 3,
- "creation_date": "2023-11-29T10:28:30.768152"
}
}