IRIS (2.1.0)

Download OpenAPI specification:

DFIR-IRIS: contact@dfir-iris.org URL: https://docs.dfir-iris.org/contact/ License: LGPLv3

IRIS API

To use these API endpoint, an API key is needed and can be found in every user profile under My settings > API Key. This specification applies to Iris >= v2.4.0. The supported API version can be checked in Advanced > Server settings > Server versions on IRIS.
The API port is the same as the one used for the web interface, so 443 by default.

Changes

Changes in v2.1.0

Added POST /api/v2/cases
Added GET /api/v2/cases
Added GET /api/v2/cases/{case_identifier}
Added PUT /api/v2/cases/{case_identifier}
Added DELETE /api/v2/cases/{case_identifier}
Added POST /api/v2/cases/{case_identifier}/iocs
Added GET /api/v2/cases/{case_identifier}/iocs
Added GET /api/v2/cases/{case_identifier}/iocs/{identifier}
Added PUT /api/v2/cases/{case_identifier}/iocs/{identifier}
Added DELETE /api/v2/cases/{case_identifier}/iocs/{identifier}
Added GET /api/v2/iocs/{identifier}
Added PUT /api/v2/iocs/{identifier}
Added DELETE /api/v2/iocs/{identifier}
Added POST /api/v2/cases/{case_identifier}/tasks
Added GET /api/v2/cases/{case_identifier}/tasks
Added GET /api/v2/cases/{case_identifier}/tasks/{identifier}
Added PUT /api/v2/cases/{case_identifier}/tasks/{identifier}
Added DELETE /api/v2/cases/{case_identifier}/tasks/{identifier}
Added GET /api/v2/tasks/{identifier}
Added DELETE /api/v2/tasks/{identifier}
Added POST /api/v2/cases/{case_identifier}/assets
Added GET /api/v2/cases/{case_identifier}/assets
Added GET /api/v2/cases/{case_identifier}/assets/{identifier}
Added PUT /api/v2/cases/{case_identifier}/assets/{identifier}
Added DELETE /api/v2/cases/{case_identifier}/assets/{identifier}
Added GET /api/v2/assets/{identifier}
Added DELETE /api/v2/assets/{identifier}
Added POST /api/v2/cases/{case_identifier}/notes
Added GET /api/v2/cases/{case_identifier}/notes/{identifier}
Added PUT /api/v2/cases/{case_identifier}/notes/{identifier}
Added DELETE /api/v2/cases/{case_identifier}/notes/{identifier}
Added POST /api/v2/cases/{case_identifier}/notes-directories
Added GET /api/v2/cases/{case_identifier}/notes-directories/{identifier}
Added PUT /api/v2/cases/{case_identifier}/notes-directories/{identifier}
Added DELETE /api/v2/cases/{case_identifier}/notes-directories/{identifier}
Added GET /api/v2/cases/{case_identifier}/notes-directories
Added POST /api/v2/cases/{case_identifier}/evidences
Added GET /api/v2/cases/{case_identifier}/evidences
Added GET /api/v2/cases/{case_identifier}/evidences/{identifier}
Added PUT /api/v2/cases/{case_identifier}/evidences/{identifier}
Added DELETE /api/v2/cases/{case_identifier}/evidences/{identifier}
Added POST /api/v2/cases/{case_identifier}/events
Added GET /api/v2/cases/{case_identifier}/events/{identifier}
Added PUT /api/v2/cases/{case_identifier}/events/{identifier}
Added DELETE /api/v2/cases/{case_identifier}/events/{identifier}
Added POST /api/v2/alerts
Added GET /api/v2/alerts/{identifier}
Added PUT /api/v2/alerts/{identifier}
Added DELETE /api/v2/alerts/{identifier}
Added GET /api/v2/alerts/{identifier}/related-alerts
Added POST /api/v2/manage/groups
Added GET /api/v2/manage/groups/{identifier}
Added PUT /api/v2/manage/groups/{identifier}
Added DELETE /api/v2/manage/groups/{identifier}
Added POST /api/v2/manage/users
Added GET /api/v2/manage/users/{identifier}
Added PUT /api/v2/manage/users/{identifier}
Added DELETE /api/v2/manage/users/{identifier}
Added GET /api/v2/me
Added PUT /api/v2/me
Added GET /api/v2/{objects}/{object_identifier}/comments
Added POST /api/v2/{objects}/{object_identifier}/comments
Added GET /api/v2/{objects}/{object_identifier}/comments/{identifier}
Added PUT /api/v2/{objects}/{object_identifier}/comments/{identifier}
Added DELETE /api/v2/{objects}/{object_identifier}/comments/{identifier}
Added GET /api/v2/manage/customers
Added POST /api/v2/manage/customers
Added GET /api/v2/manage/customers/{identifier}
Added PUT /api/v2/manage/customers/{identifier}
Added DELETE /api/v2/manage/customers/{identifier}
Added POST /api/v2/alerts-filters
Added GET /api/v2/alerts-filters/{identifier}
Added PUT /api/v2/alerts-filters/{identifier}
Added DELETE /api/v2/alerts-filters/{identifier}
Added GET /api/v2/global-tasks
Added POST /api/v2/global-tasks
Added GET /api/v2/global-tasks/{identifier}
Added PUT /api/v2/global-tasks/{identifier}
Added DELETE /api/v2/global-tasks/{identifier}
Deprecated POST /manage/cases/add in favor of POST /api/v2/cases
Deprecated POST /manage/cases/update in favor of PUT /api/v2/cases/{case_identifier}
Deprecated POST /manage/cases/delete/{case_id} in favor of DELETE /api/v2/cases/{case_identifier}
Deprecated POST /case/ioc/add in favor of POST /api/v2/cases/{case_identifier}/iocs
Deprecated GET /case/ioc/{ioc_id} in favor of GET /api/v2/iocs/{identifier}
Deprecated DELETE /case/ioc/delete/{ioc_id} in favor of DELETE /api/v2/iocs/{identifier}
Deprecated GET /case/tasks/list in favor of GET /api/v2/cases/{case_identifier}/tasks
Deprecated POST /case/tasks/add in favor of POST /api/v2/cases/{case_identifier}/tasks
Deprecated POST /case/tasks/update/{task_id} in favor of PUT /api/v2/cases/{case_identifier}/tasks/{identifier}
Deprecated GET /case/tasks/{task_id} in favor of GET /api/v2/tasks/{identifier}
Deprecated DELETE /case/tasks/delete/{task_id} in favor of DELETE /api/v2/tasks/{identifier}
Deprecated POST /case/assets/add in favor of POST /api/v2/cases/{case_identifier}/assets
Deprecated POST /case/assets/update/{cur_id} in favor of PUT /api/v2/cases/{case_identifier}/assets/{identifier}
Deprecated GET /case/assets/{asset_id} in favor of GET /api/v2/assets/{identifier}
Deprecated DELETE /case/assets/delete/{asset_id} in favor of DELETE /api/v2/assets/{identifier}
Deprecated POST /case/notes/add in favor of POST /api/v2/cases/{case_identifier}/notes
Deprecated GET /case/notes/{identifier} in favor of GET /api/v2/cases/{case_identifier}/notes/{identifier}
Deprecated POST /case/notes/update/{node_id} in favor of PUT /api/v2/cases/{case_identifier}/notes/{identifier}
Deprecated POST /case/notes/delete/{node_id} in favor of DELETE /api/v2/cases/{case_identifier}/notes/{identifier}
Deprecated POST /case/notes/directories/add in favor of POST /api/v2/cases/{case_identifier}/notes-directories
Deprecated GET /case/notes/directories/filter in favor of GET /api/v2/cases/{case_identifier}/notes-directories
Deprecated POST /case/evidences/add in favor of POST /api/v2/cases/{case_identifier}/evidences
Deprecated GET /case/evidences/list in favor of GET /api/v2/cases/{case_identifier}/evidences
Deprecated GET /case/evidences/{evidence_id} in favor of GET /api/v2/cases/{case_identifier}/evidences/{identifier}
Deprecated POST /case/evidences/udpate/{evidence_id} in favor of PUT /api/v2/cases/{case_identifier}/evidences/{identifier}
Deprecated POST /case/evidences/delete/{evidence_id} in favor of DELETE /api/v2/cases/{case_identifier}/evidences/{identifier}
Deprecated POST /case/timeline/events/add in favor of POST /api/v2/cases/{case_identifier}/events
Deprecated GET /case/timeline/events/{event_id} in favor of GET /api/v2/cases/{case_identifier}/events/{identifier}
Deprecated POST /case/timeline/events/update/{event_id} in favor of PUT /api/v2/cases/{case_identifier}/events/{identifier}
Deprecated POST /case/timeline/events/delete/{event_id} in favor of DELETE /api/v2/cases/{case_identifier}/events/{identifier}
Deprecated POST /alerts/add in favor of POST /api/v2/alerts
Deprecated GET /alerts/{alert_id} in favor of GET /api/v2/alerts/{identifier}
Deprecated POST /alert/update/{alert_id} in favor of PUT /api/v2/alerts/{identifier}
Deprecated POST /alerts/delete/{alert_id} in favor of DELETE /api/v2/alerts/{identifier}
Deprecated POST /manage/groups/add in favor of POST /api/v2/manage/groups
Deprecated POST /manage/groups/update/{group_id} in favor of PUT /api/v2/manage/groups/{identifier}
Deprecated POST /manage/groups/delete/{group_id} in favor of DELETE /api/v2/manage/groups/{identifier}
Deprecated POST /manage/users/add in favor of POST /api/v2/manage/users
Deprecated POST /case/notes/directories/update/{directory_id}
Deprecated POST /case/notes/directories/delete/{directory_id}
Deprecated GET /manage/users/{user_id} in favor of GET /api/v2/manage/users/{identifier}
Deprecated POST /manage/users/update/{user_id} in favor of PUT /api/v2/manage/users/{identifier}
Deprecated POST /manage/users/delete/{user_id} in favor of DELETE /api/v2/manage/users/{identifier}
Deprecated GET /alerts/similarities/{alert_id}
Deprecated GET /case/{object_name}/{object_id}/comments/list
Deprecated POST /case/{object_name}/{object_id}/comments/add
Deprecated POST /case/{object_name}/{object_id}/comments/{comment_id}/edit
Deprecated POST /case/{object_name}/{object_id}/comments/{comment_id}/delete
Deprecated GET /manage/customers/list
Deprecated POST /manage/customers/add
Deprecated GET /manage/customers/{customer_id}
Deprecated POST /manage/customers/update/{customer_id}
Deprecated POST /manage/customers/delete/{customer_id}
Deprecated POST /global/tasks/add
Deprecated GET /global/tasks/list
Deprecated POST /global/tasks/update/{task_id}
Deprecated POST /global/tasks/delete/{task_id}
Added documentation of missing GET /manage/severities/list
Added documentation of missing GET /manage/tlp/list
Added documentation of missing GET /manage/event-categories/list
Added documentation of missing GET /manage/compromise-status/list
Fixed: removed documentation of unimplemented endpoint GET /case/evidences/delete/{evidence_id}

Changes in v2.0.0

This version introduces access control. Every request now needs to have the cid=x parameter in the URI.
Deletion endpoints have been migrated from GET to POST. Deletion GET endpoints have been marqued as deprecated and are not available anymore.

Changes in v1.4.5

v1.4.5 introduced the concept of custom attributes. These JSON objects that are stored into almost all case objects such as Assets, IOCs, etc. They are defined by administrators or modules and can vary from one objet to another despite being of the same type. Because of this, no definitive structure can be expected from these fields. They are all named custom_attributes.

Cases

Endpoints to interact with cases

Create a case

Creates a new case.

Authorizations:

Bearer <bearer>

Request Body schema: application/json

case_name required	string >= 2 characters A short name for the case. The case number will be prepend.
case_description required	string >= 2 characters A short description of the case. This will be the summary of the case.
case_customer required	integer The customer ID linked to the case.
case_soc_id required	string A SOC ticket reference
custom_attributes	object
case_template_id	integer
classification_id	null or integer

Responses

Request samples

Payload

Content type

application/json

{"case_soc_id": "SOC_154",
"case_customer": 1,
"case_name": "My Case API",
"case_description": "A super nice description"
}

Response samples

201
400

Content type

application/json

{"case_name": "#1065 - My Case API",
"case_description": "A super nice description",
"case_customer_id": 1,
"case_soc_id": "SOC_154",
"case_uuid": "435e3f47-479e-4a3c-98df-8e28b01fd2bc",
"case_id": 1065,
"severity_id": 4,
"status_id": 0,
"state": {"state_name": "Open",
"state_description": "Case is open",
"state_id": 3,
"protected": true
},
"classification_id": null,
"review_status_id": null,
"reviewer_id": null,
"owner": {"id": 2,
"user_name": "User Std 1",
"user_login": "user_std_1",
"user_email": "user_std_1@iris.local"
},
"user_id": 1,
"case_tags": "tag1,tag2",
"open_date": "2024-01-10",
"close_date": null,
"closing_note": null,
"custom_attributes": { },
"modification_history": {"1704888196.578914": {"user": "administrator",
"user_id": 1,
"action": "created"
}
}
}

Get a paginated list of cases

Returns a paginated list of cases. Accepts filters and sort query parameters.

Authorizations:

Bearer <bearer>

query Parameters

page	integer Default: 1 Page number
per_page	integer Default: 10 Number of results per page
order_by	string
sort_dir	string asc or desc
case_ids	string List of cases ID, comma separated
case_customer_id	integer Customer identifier
case_name	string Name of the case
case_description	string Description of the case
classification_id	integer (classification_id) The classification identifier for case and alert.
case_owner_id	integer Owner of the case
case_opening_user_id	integer Identifier of the user who opened the case
severity_id	integer (severity_id) The case severity identifier. Possible values are listed by endpoint GET /manage/severities/list.
case_state_id	integer State identifier of the case
case_soc_id	string SOC (Security Operations Center) identifier
start_open_date	string Case opening date - lower boundary
end_open_date	string Case opening date - higher boundary
is_open	boolean whether the case is open or not

Responses

Response samples

200
400

Content type

application/json

{"total": 0,
"data": [{"case_name": "#1065 - My Case API",
"case_description": "A super nice description",
"case_customer_id": 1,
"case_soc_id": "SOC_154",
"case_uuid": "435e3f47-479e-4a3c-98df-8e28b01fd2bc",
"case_id": 1065,
"severity_id": 4,
"status_id": 0,
"state": {"state_name": "Open",
"state_description": "Case is open",
"state_id": 3,
"protected": true
},
"classification_id": null,
"review_status_id": null,
"reviewer_id": null,
"owner": {"id": 2,
"user_name": "User Std 1",
"user_login": "user_std_1",
"user_email": "user_std_1@iris.local"
},
"user_id": 1,
"case_tags": "tag1,tag2",
"open_date": "2024-01-10",
"close_date": null,
"closing_note": null,
"custom_attributes": { },
"modification_history": {"1704888196.578914": {"user": "administrator",
"user_id": 1,
"action": "created"
}
}
}
],
"last_page": 0,
"current_page": 0,
"next_page": 0
}

Get a case

Get a case by its identifier

Authorizations:

Bearer <bearer>

path Parameters

case_identifier

required

integer

Case identifier

Responses

Response samples

201

Content type

application/json

{"case_name": "#1065 - My Case API",
"case_description": "A super nice description",
"case_customer_id": 1,
"case_soc_id": "SOC_154",
"case_uuid": "435e3f47-479e-4a3c-98df-8e28b01fd2bc",
"case_id": 1065,
"severity_id": 4,
"status_id": 0,
"state": {"state_name": "Open",
"state_description": "Case is open",
"state_id": 3,
"protected": true
},
"classification_id": null,
"review_status_id": null,
"reviewer_id": null,
"owner": {"id": 2,
"user_name": "User Std 1",
"user_login": "user_std_1",
"user_email": "user_std_1@iris.local"
},
"user_id": 1,
"case_tags": "tag1,tag2",
"open_date": "2024-01-10",
"close_date": null,
"closing_note": null,
"custom_attributes": { },
"modification_history": {"1704888196.578914": {"user": "administrator",
"user_id": 1,
"action": "created"
}
}
}

Update a case

Update informations of a case

Authorizations:

Bearer <bearer>

path Parameters

case_identifier

required

integer

Case identifier

Request Body schema: application/json

case_name	string
case_soc_id	string
classification_id	integer
owner_id	integer
state_id	integer
severity_id	integer (severity_id) The case severity identifier. Possible values are listed by endpoint GET /manage/severities/list.
status_id	integer (case_status_id) [ 0 .. 5 ] The case status identifier. It can be one of the following 0: unknown, 1: false_positive, 2: true_positive_with_impact, 3: not_applicable, 4: true_positive_without_impact, 5: legitimate
case_customer	integer
reviewer_id	integer
	Array of objects
case_tags	string
custom_attributes	object

Responses

Request samples

Payload

Content type

application/json

{"case_name": "A new case name",
"case_soc_id": "soc_id_demo",
"classification_id": 2,
"owner_id": 2,
"state_id": 3,
"severity_id": 4,
"status_id": 1,
"case_customer": 1,
"reviewer_id": 2,
"protagonists": [{"role": "Lead",
"name": "administrator",
"contact": "administrator@iris.local"
}
],
"case_tags": "tag1,tag2",
"custom_attributes": { }
}

Response samples

200
400

Content type

application/json

{"case_name": "#1065 - My Case API",
"case_description": "A super nice description",
"case_customer_id": 1,
"case_soc_id": "SOC_154",
"case_uuid": "435e3f47-479e-4a3c-98df-8e28b01fd2bc",
"case_id": 1065,
"severity_id": 4,
"status_id": 0,
"state": {"state_name": "Open",
"state_description": "Case is open",
"state_id": 3,
"protected": true
},
"classification_id": null,
"review_status_id": null,
"reviewer_id": null,
"owner": {"id": 2,
"user_name": "User Std 1",
"user_login": "user_std_1",
"user_email": "user_std_1@iris.local"
},
"user_id": 1,
"case_tags": "tag1,tag2",
"open_date": "2024-01-10",
"close_date": null,
"closing_note": null,
"custom_attributes": { },
"modification_history": {"1704888196.578914": {"user": "administrator",
"user_id": 1,
"action": "created"
}
}
}

Delete a case

This implies the deletion of everything linked to the case.

Authorizations:

Bearer <bearer>

path Parameters

case_identifier

required

integer

Case identifier

Responses

Response samples

400

Content type

application/json

{"message": "Error processing request - check server logs",
"data": null
}

Update a case Deprecated

This endpoint is deprecated. Use PUT /api/v2/cases/{case_identifier} instead.

Authorizations:

Bearer <bearer>

path Parameters

case_id

required

integer

Case ID

Request Body schema: application/json

case_name	string
case_soc_id	string
classification_id	string
owner_id	string
state_id	string
status_id	string
	Array of objects
case_tags	string
custom_attributes	object

Responses

Request samples

Payload

Content type

application/json

{"case_name": "Dummy ",
"case_soc_id": "soc_id_demo",
"classification_id": "2",
"owner_id": "2",
"status_id": "1",
"protagonists": [{"role": "Lead",
"name": "administrator",
"contact": "administrator@iris.local"
}
],
"case_tags": "tag1,tag2",
"custom_attributes": { }
}

Response samples

200
400

Content type

application/json

{"status": "success",
"message": "Case updated",
"data": {"case_tags": "tag1,tag2",
"case_name": "#1 - Dummy ",
"custom_attributes": { },
"case_soc_id": "soc_id_demo",
"status_id": 1,
"open_date": "2023-05-11",
"case_id": 1,
"modification_history": {"1683900741.546554": {"user": "administrator",
"user_id": 1,
"action": "case closed"
},
"1683901251.748556": {"user": "administrator",
"user_id": 1,
"action": "case reopened"
},
"1683902199.288591": {"user": "administrator",
"user_id": 1,
"action": "case info updated"
}
},
"user_id": 1,
"case_uuid": "507a5fab-358a-4946-82d0-625ef8a9fa0d",
"protagonists": [{"role": "Lead",
"name": "administrator",
"contact": "administrator@iris.local"
}
],
"case_description": "This is a demonstration.",
"closing_note": null,
"close_date": null,
"classification_id": 2,
"owner_id": 1,
"state_id": 3,
"case_customer": 1
}
}

Export a case as JSON

Export a case in JSON format including all the information such as assets, iocs, etc. This request can take a very long time depending on the size of the case and is DB intensive.
The datastore is not part of the response and needs to be requested manually.

Authorizations:

Bearer <bearer>

query Parameters

cid

required

string

ID Of the case to export

Responses

Response samples

200

Content type

application/json

{"status": "success",
"message": "",
"data": {"case": {"name": "#1 - Initial Demo",
"open_date": "2023-11-29",
"description": "Dummy description",
"soc_id": "soc_id_demo",
"opened_by": "administrator",
"for_customer": "IrisInitialClient",
"close_date": null,
"custom_attributes": null,
"case_id": 1,
"case_uuid": "da80a133-d3c2-40bd-a0ba-8966ef7679a3",
"status_id": 0,
"status_name": "unknown"
},
"evidences": [{"filename": "A super evidence",
"date_added": "2023-11-29T15:52:11.216704",
"file_hash": "dhjajhdkadqw",
"added_by": "administrator",
"custom_attributes": { },
"file_uuid": "6287ebbc-4332-4f37-b8d8-c9e70e238c08",
"id": 1,
"file_size": 0
}
],
"timeline": [{"event_id": 2,
"event_title": "A second event",
"event_in_summary": true,
"event_date": "2023-11-03T23:03:00.003000",
"event_tz": "+01:00",
"event_date_wtz": "2023-11-04T00:03:00.003000",
"event_content": "Super event",
"event_tags": "logs",
"event_source": "MySource",
"event_raw": "Raw event log",
"custom_attributes": { },
"category": "Command and Control",
"last_edited_by": "administrator",
"event_uuid": "7c8a624f-6017-4ccd-a93f-7ef702cc24dd",
"event_in_graph": true,
"event_color": "#F2596199",
"event_is_flagged": false,
"assets": ["LinuxServer (Linux - Server)",
"main_router (Router)"
],
"iocs": [{"ioc_id": 1,
"ioc_value": "root",
"ioc_description": "",
"tlp_name": "amber",
"type": "account"
}
]
},
{"event_id": 3,
"event_title": "A third event ",
"event_in_summary": true,
"event_date": "2023-11-03T23:03:00.003000",
"event_tz": "+01:00",
"event_date_wtz": "2023-11-04T00:03:00.003000",
"event_content": "Super event",
"event_tags": "logs",
"event_source": "MySource",
"event_raw": "Raw event log",
"custom_attributes": { },
"category": "Command and Control",
"last_edited_by": "administrator",
"event_uuid": "7c8a624f-6017-4ccd-a93f-7ef702cc24dd",
"event_in_graph": true,
"event_color": "#F2596199",
"event_is_flagged": false,
"assets": ["LinuxServer (Linux - Server)",
"main_router (Router)"
],
"iocs": [{"ioc_id": 1,
"ioc_value": "root",
"ioc_description": "",
"tlp_name": "amber",
"type": "account"
}
]
},
{"event_id": 1,
"event_title": "An event ",
"event_in_summary": true,
"event_date": "2023-11-09T23:03:00.003000",
"event_tz": "+01:00",
"event_date_wtz": "2023-11-10T00:03:00.003000",
"event_content": "Super event",
"event_tags": "logs",
"event_source": "MySource",
"event_raw": "Raw event log",
"custom_attributes": { },
"category": "Command and Control",
"last_edited_by": "administrator",
"event_uuid": "7c8a624f-6017-4ccd-a93f-7ef702cc24dd",
"event_in_graph": true,
"event_color": "#48ABF799",
"event_is_flagged": false,
"assets": ["LinuxServer (Linux - Server)",
"main_router (Router)"
],
"iocs": [{"ioc_id": 1,
"ioc_value": "root",
"ioc_description": "",
"tlp_name": "amber",
"type": "account"
}
]
}
],
"iocs": [{"ioc_value": "root",
"type_name": "account",
"ioc_tags": "router",
"ioc_description": "",
"custom_attributes": { },
"ioc_id": 1,
"ioc_uuid": "94188da2-ca10-4299-ad73-0689719a61c3",
"tlp_name": "amber",
"added_by": "administrator"
}
],
"assets": [{"asset_id": 1,
"asset_uuid": "4c8211fb-676e-4d84-9164-2c62d2c82558",
"asset_name": "LinuxServer",
"asset_description": "The super service   ",
"asset_compromise_status_id": 2,
"type": "Linux - Server",
"analysis_status": "Canceled",
"date_added": "2023-11-29T15:40:13.759084",
"asset_domain": "local.local",
"asset_ip": "127.0.0.1",
"asset_info": "",
"asset_tags": "test",
"custom_attributes": { },
"light_asset_description": "The super service   ",
"asset_ioc": [{"ioc_value": "root",
"type_name": "account",
"ioc_description": ""
}
],
"asset_compromise_status": "Not Compromised"
},
{"asset_id": 2,
"asset_uuid": "7371f6fd-17dc-42d7-b21b-43824b71abb3",
"asset_name": "main_router",
"asset_description": "",
"asset_compromise_status_id": 1,
"type": "Router",
"analysis_status": "To be done",
"date_added": "2023-11-29T15:40:41.128370",
"asset_domain": "local.local",
"asset_ip": "192.168.1.3",
"asset_info": "",
"asset_tags": "router",
"custom_attributes": { },
"light_asset_description": "",
"asset_ioc": [{"ioc_value": "root",
"type_name": "account",
"ioc_description": ""
}
],
"asset_compromise_status": "Compromised"
}
],
"tasks": [{"task_title": "A task",
"task_status": "In progress",
"task_tags": "task1",
"task_open_date": "2023-11-29T15:48:49.811798",
"task_close_date": null,
"task_last_update": "2023-11-29T15:48:49.811798",
"task_description": "Task description    ",
"custom_attributes": { },
"task_uuid": "0693c71b-b4f7-41cd-a12a-0dcd24519e7f",
"id": 1,
"task_assignees": [{"user": "administrator",
"name": "administrator",
"id": 1
}
]
},
{"task_title": "Another task",
"task_status": "To do",
"task_tags": "tas",
"task_open_date": "2023-11-29T15:49:09.053863",
"task_close_date": null,
"task_last_update": "2023-11-29T15:49:09.053863",
"task_description": "Another task description",
"custom_attributes": { },
"task_uuid": "6d27e7f2-3310-454e-aebf-00432ebbfb2d",
"id": 2,
"task_assignees": [{"user": "administrator",
"name": "administrator",
"id": 1
}
]
}
],
"comments": [ ],
"notes": [{"note_title": "Something else",
"note_content": "A nother note content",
"note_creationdate": "2023-11-29T15:39:02.056124",
"note_lastupdate": "2023-11-29T15:39:30.039339",
"custom_attributes": { },
"note_id": 1,
"note_uuid": "71a50086-2b11-4d80-8916-e94bd93ad28b",
"group_title": "A note group A",
"group_id": 1,
"group_user": 1
},
{"note_title": "And another thing",
"note_content": "A note content",
"note_creationdate": "2023-11-29T15:39:11.127181",
"note_lastupdate": "2023-11-29T15:39:23.065014",
"custom_attributes": { },
"note_id": 2,
"note_uuid": "641943a8-767a-4789-a02c-1475243cbb37",
"group_title": "A note group B",
"group_id": 2,
"group_user": 1
}
],
"export_date": "2023-11-29T15:52:18.839881"
}
}

Add a new case Deprecated

This endpoint is deprecated. Use POST /api/v2/cases instead.

Authorizations:

Bearer <bearer>

Request Body schema: application/json

case_soc_id required	string non-empty A SOC ticket reference
case_customer required	number The customer ID linked to the case.
case_name required	string >= 2 characters A short name for the case. The case number will be prepend.
case_description required	string >= 2 characters A short description of the case. This will be the summary of the case.
custom_attributes	object
case_template_id	integer
classification_id	integer

Responses

Request samples

Payload

Content type

application/json

{"case_soc_id": "SOC_154",
"case_customer": 1,
"case_name": "My Case API",
"case_description": "A super nice description"
}

Response samples

200
400

Content type

application/json

{"status": "success",
"message": "Case created",
"data": {"case_name": "#1065 - My Case API",
"case_customer": 1,
"case_uuid": "435e3f47-479e-4a3c-98df-8e28b01fd2bc",
"case_description": "A super nice description",
"case_id": 1065,
"open_date": "2024-01-10",
"status_id": 0,
"modification_history": {"1704888196.578914": {"user": "administrator",
"user_id": 1,
"action": "created"
}
},
"case_soc_id": "SOC_154",
"state_id": 11,
"close_date": null,
"classification_id": null,
"closing_note": null,
"owner_id": 1,
"user_id": 1,
"custom_attributes": null,
"reviewer_id": null,
"review_status_id": null,
"severity_id": 4
}
}

Get cases list

Returns a list of all the cases, open and closed.

Authorizations:

Bearer <bearer>

Responses

Response samples

200

Content type

application/json

{"status": "success",
"message": "",
"data": [{"case_name": "#1 - Initial Demo",
"case_description": "This is a demonstration.",
"client_name": "IrisInitialClient",
"case_open_date": "05/11/2023",
"case_close_date": "",
"case_soc_id": "soc_id_demo",
"opened_by_user_id": 1,
"opened_by": "administrator",
"owner_id": 1,
"owner": "administrator",
"case_id": 1,
"case_uuid": "507a5fab-358a-4946-82d0-625ef8a9fa0d",
"classification_id": null,
"classification": null,
"state_id": null,
"state_name": null,
"access_level": 4
},
{"case_name": "#2 -  [ALERT] Data Exfiltration 2208",
"case_description": "*Alert escalated by administrator*\n\n### Alert description\n\nSensitive data has been detected leaving the network.\n\n### IRIS alert link\n\n[<i class='fa-solid fa-bell'></i> #2209](/alerts?alert_id=2209)",
"client_name": "IrisInitialClient",
"case_open_date": "05/12/2023",
"case_close_date": "",
"case_soc_id": "2209",
"opened_by_user_id": 1,
"opened_by": "administrator",
"owner_id": 1,
"owner": "administrator",
"case_id": 2,
"case_uuid": "4ee6ceb6-41a3-4400-8234-f2b60a2a22dd",
"classification_id": 4,
"classification": "malicious-code:virus",
"state_id": 3,
"state_name": "Opened",
"access_level": 4
},
{"case_name": "#3 -  [ALERT] Insider Threat 1412",
"case_description": "*Alert escalated by administrator*\n\n### Alert description\n\nSuspicious activity from an internal user has been detected.\n\n### IRIS alert link\n\n[<i class='fa-solid fa-bell'></i> #1413](/alerts?alert_ids=1413)",
"client_name": "IrisInitialClient",
"case_open_date": "05/12/2023",
"case_close_date": "",
"case_soc_id": "1413",
"opened_by_user_id": 1,
"opened_by": "administrator",
"owner_id": 1,
"owner": "administrator",
"case_id": 3,
"case_uuid": "ccc8c45e-6fc0-49de-8966-c1c58fd7bb25",
"classification_id": 3,
"classification": "abusive-content:violence",
"state_id": 3,
"state_name": "Opened",
"access_level": 4
},
{"case_name": "#4 - test",
"case_description": "test",
"client_name": "IrisInitialClient",
"case_open_date": "05/12/2023",
"case_close_date": "",
"case_soc_id": "",
"opened_by_user_id": 1,
"opened_by": "administrator",
"owner_id": 1,
"owner": "administrator",
"case_id": 4,
"case_uuid": "b0d28c89-cfd9-4999-8cb2-8cc10f300151",
"classification_id": 9,
"classification": "malicious-code:dialer",
"state_id": 2,
"state_name": "In progress",
"access_level": 4
}
]
}

Close a case Deprecated

This endpoint is deprecated. Use the POST /manage/cases/close/{case_id} instead.

Authorizations:

Bearer <bearer>

path Parameters

case_id

required

integer

Case ID

Responses

Response samples

200
400

Content type

application/json

{"data": {"case_customer": 105,
"case_description": "A super description",
"case_id": 42,
"case_name": "#42 - My case",
"case_soc_id": "SOC_142",
"close_date": "2022-01-20",
"open_date": "2022-01-20",
"user_id": 1
},
"message": "Case closed successfully",
"status": "success"
}

Close a case

The case will be listed under closed case. That's the only difference with an open case. It will stay editable and searchable.

Authorizations:

Bearer <bearer>

path Parameters

case_id

required

integer

Case ID

Responses

Response samples

200

Content type

application/json

{"status": "success",
"message": "Case closed successfully",
"data": {"case_uuid": "507a5fab-358a-4946-82d0-625ef8a9fa0d",
"case_id": 1,
"case_name": "#1 - Initial Demo",
"closing_note": null,
"user_id": 1,
"owner_id": 1,
"case_customer": 1,
"status_id": 0,
"case_soc_id": "soc_id_demo",
"open_date": "2023-05-11",
"modification_history": {"1683900741.546554": {"user": "administrator",
"user_id": 1,
"action": "case closed"
}
},
"custom_attributes": null,
"close_date": "2023-05-12",
"case_description": "This is a demonstration.",
"state_id": 9,
"classification_id": null
}
}

Reopen a case Deprecated

This endpoint is deprecated. Use POST /manage/cases/reopen/{case_id} instead.

Authorizations:

Bearer <bearer>

path Parameters

case_id

required

integer

Case ID

Responses

Response samples

200
400
404

Content type

application/json

{"data": {"case_customer": 26,
"case_description": "Testing case number6",
"case_id": 8,
"case_name": "Test 6",
"case_soc_id": "SOC6",
"close_date": null,
"open_date": "2021-10-19",
"user_id": 52
},
"message": "Case reopened successfully",
"status": "success"
}

Reopen a case

Reopen a case previously closed. A case can be reopened even if it is not closed.

Authorizations:

Bearer <bearer>

path Parameters

case_id

required

integer

Case ID

Responses

Response samples

200

Content type

application/json

{"status": "string",
"message": "string",
"data": {"case_uuid": "string",
"case_id": 0,
"case_name": "string",
"closing_note": "string",
"user_id": 0,
"owner_id": 0,
"case_customer": 0,
"status_id": 0,
"case_soc_id": "string",
"open_date": "string",
"modification_history": { },
"custom_attributes": { },
"close_date": "string",
"case_description": "string",
"state_id": 0,
"classification_id": 0
}
}

Delete a case Deprecated

This endpoint is deprecated. Use DELETE /api/v2/cases/{case_identifier} instead.

Authorizations:

Bearer <bearer>

path Parameters

case_id

required

integer

Case ID

Responses

Response samples

200
400

Content type

application/json

{"data": [ ],
"message": "Case successfully deleted",
"status": "success"
}

Delete case Deprecated

This endpoint is deprecated. Use DELETE /api/v2/cases/{case_identifier} instead.

Authorizations:

Bearer <bearer>

path Parameters

case_id

required

integer

Case ID

Responses

Filter cases

Authorizations:

Bearer <bearer>

query Parameters

page	integer Default: 1 Page number
per_page	integer Default: 10 Number of results per page
case_ids	string List of cases ID, comma separated
sort_dir	string asc or desc
case_customer_id	integer Customer identifier
case_name	string Name of the case
case_description	string Description of the case
classification_id	integer (classification_id) The classification identifier for case and alert.
case_owner_id	integer Owner of the case
case_opening_user_id	integer Identifier of the user who opened the case
severity_id	integer (severity_id) The case severity identifier. Possible values are listed by endpoint GET /manage/severities/list.
case_state_id	integer State identifier of the case
case_soc_id	string SOC (Security Operations Center) identifier
start_open_date	string Case opening date - lower boundary
end_open_date	string Case opening date - higher boundary

Responses

Response samples

200

Content type

application/json

{"status": "success",
"message": {"total": 7,
"cases": [{"client_id": 2,
"description": "SOC ID t4500",
"case_id": 73,
"soc_id": "T4500",
"status_name": "unknown",
"alerts": [ ],
"modification_history": null,
"initial_date": "2023-01-27T00:00:00",
"state_id": 1,
"close_date": null,
"owner_id": 2,
"reviewer": null,
"custom_attributes": { },
"user_id": 2,
"reviewer_id": null,
"protagonists": [ ],
"name": "#73 - TestingCase - GC",
"user": {"id": 2,
"user_name": "User Std 1",
"user_login": "user_std_1",
"user_email": "user_std_1@iris.local"
},
"review_status": null,
"tags": [ ],
"case_uuid": "f7a3d813-4d04-4526-b1fb-1c8a91dc0b5c",
"severity": {"severity_name": "Medium",
"severity_description": "Medium",
"severity_id": 4
},
"client": {"client_uuid": "40cb701e-5500-4579-905e-e40cd99b7f26",
"creation_date": "2022-12-29T10:24:33.573468",
"customer_name": "Client 0",
"customer_id": 2,
"customer_sla": null,
"custom_attributes": { },
"last_update_date": "2022-12-29T10:24:33.573468",
"customer_description": "Description for client 0"
},
"open_date": "2023-01-27",
"state": {"state_id": 1,
"protected": true,
"state_description": "Unspecified",
"state_name": "Unspecified"
},
"classification_id": 1,
"owner": {"id": 2,
"user_name": "User Std 1",
"user_login": "user_std_1",
"user_email": "user_std_1@iris.local"
},
"closing_note": null,
"status_id": 0,
"review_status_id": null,
"severity_id": 4,
"classification": {"name": "other:other",
"name_expanded": "Other: Other",
"description": "All incidents that do not fit in one of the given categories should be put into this class. If the number of incidents in this category increases, it is an indicator that the classification scheme must be revised.",
"creation_date": "2023-03-07T07:40:39.558404",
"id": 1
}
},
{"client_id": 2,
"description": "creating a new case",
"case_id": 84,
"soc_id": "123456",
"status_name": "unknown",
"alerts": [ ],
"modification_history": null,
"initial_date": "2023-01-30T00:00:00",
"state_id": 1,
"close_date": null,
"owner_id": 2,
"reviewer": null,
"custom_attributes": { },
"user_id": 2,
"reviewer_id": null,
"protagonists": [ ],
"name": "#84 - testCaseCreation",
"user": {"id": 2,
"user_name": "User Std 1",
"user_login": "user_std_1",
"user_email": "user_std_1@iris.local"
},
"review_status": null,
"tags": [ ],
"case_uuid": "0e5886c5-74a9-4acd-badf-082d65c02a73",
"severity": {"severity_name": "Medium",
"severity_description": "Medium",
"severity_id": 4
},
"client": {"client_uuid": "40cb701e-5500-4579-905e-e40cd99b7f26",
"creation_date": "2022-12-29T10:24:33.573468",
"customer_name": "Client 0",
"customer_id": 2,
"customer_sla": null,
"custom_attributes": { },
"last_update_date": "2022-12-29T10:24:33.573468",
"customer_description": "Description for client 0"
},
"open_date": "2023-01-30",
"state": {"state_id": 1,
"protected": true,
"state_description": "Unspecified",
"state_name": "Unspecified"
},
"classification_id": 1,
"owner": {"id": 2,
"user_name": "User Std 1",
"user_login": "user_std_1",
"user_email": "user_std_1@iris.local"
},
"closing_note": null,
"status_id": 0,
"review_status_id": null,
"severity_id": 4,
"classification": {"name": "other:other",
"name_expanded": "Other: Other",
"description": "All incidents that do not fit in one of the given categories should be put into this class. If the number of incidents in this category increases, it is an indicator that the classification scheme must be revised.",
"creation_date": "2023-03-07T07:40:39.558404",
"id": 1
}
},
{"client_id": 2,
"description": "test1",
"case_id": 87,
"soc_id": "",
"status_name": "unknown",
"alerts": [ ],
"modification_history": null,
"initial_date": "2023-01-31T00:00:00",
"state_id": 1,
"close_date": null,
"owner_id": 2,
"reviewer": null,
"custom_attributes": { },
"user_id": 2,
"reviewer_id": null,
"protagonists": [ ],
"name": "#87 - test1",
"user": {"id": 2,
"user_name": "User Std 1",
"user_login": "user_std_1",
"user_email": "user_std_1@iris.local"
},
"review_status": null,
"tags": [ ],
"case_uuid": "d2728076-6fad-470f-9547-0cd5cda6547b",
"severity": {"severity_name": "Medium",
"severity_description": "Medium",
"severity_id": 4
},
"client": {"client_uuid": "40cb701e-5500-4579-905e-e40cd99b7f26",
"creation_date": "2022-12-29T10:24:33.573468",
"customer_name": "Client 0",
"customer_id": 2,
"customer_sla": null,
"custom_attributes": { },
"last_update_date": "2022-12-29T10:24:33.573468",
"customer_description": "Description for client 0"
},
"open_date": "2023-01-31",
"state": {"state_id": 1,
"protected": true,
"state_description": "Unspecified",
"state_name": "Unspecified"
},
"classification_id": 1,
"owner": {"id": 2,
"user_name": "User Std 1",
"user_login": "user_std_1",
"user_email": "user_std_1@iris.local"
},
"closing_note": null,
"status_id": 0,
"review_status_id": null,
"severity_id": 4,
"classification": {"name": "other:other",
"name_expanded": "Other: Other",
"description": "All incidents that do not fit in one of the given categories should be put into this class. If the number of incidents in this category increases, it is an indicator that the classification scheme must be revised.",
"creation_date": "2023-03-07T07:40:39.558404",
"id": 1
}
},
{"client_id": 4,
"description": "this is a test",
"case_id": 111,
"soc_id": "",
"status_name": "true_positive_with_impact",
"alerts": [ ],
"modification_history": {"1681359530.489504": {"user": "adm_1",
"user_id": 11,
"action": "status updated to true_positive"
}
},
"initial_date": "2023-02-06T00:00:00",
"state_id": 1,
"close_date": null,
"owner_id": 2,
"reviewer": null,
"custom_attributes": { },
"user_id": 2,
"reviewer_id": null,
"protagonists": [ ],
"name": "#111 - Testcase53",
"user": {"id": 2,
"user_name": "User Std 1",
"user_login": "user_std_1",
"user_email": "user_std_1@iris.local"
},
"review_status": null,
"tags": [ ],
"case_uuid": "66c53723-9285-40ab-8c1a-16ea1f9c30c3",
"severity": {"severity_name": "Medium",
"severity_description": "Medium",
"severity_id": 4
},
"client": {"client_uuid": "1ab6ee6d-b527-48b4-9019-4798cb8bea56",
"creation_date": "2022-12-29T10:24:33.582216",
"customer_name": "Client 2",
"customer_id": 4,
"customer_sla": null,
"custom_attributes": { },
"last_update_date": "2022-12-29T10:24:33.582216",
"customer_description": "Description for client 2"
},
"open_date": "2023-02-06",
"state": {"state_id": 1,
"protected": true,
"state_description": "Unspecified",
"state_name": "Unspecified"
},
"classification_id": 1,
"owner": {"id": 2,
"user_name": "User Std 1",
"user_login": "user_std_1",
"user_email": "user_std_1@iris.local"
},
"closing_note": null,
"status_id": 2,
"review_status_id": null,
"severity_id": 4,
"classification": {"name": "other:other",
"name_expanded": "Other: Other",
"description": "All incidents that do not fit in one of the given categories should be put into this class. If the number of incidents in this category increases, it is an indicator that the classification scheme must be revised.",
"creation_date": "2023-03-07T07:40:39.558404",
"id": 1
}
},
{"client_id": 4,
"description": "test",
"case_id": 174,
"soc_id": "",
"status_name": "unknown",
"alerts": [ ],
"modification_history": {"1679900593.122362": {"user": "user_std_1",
"user_id": 2,
"action": "created"
}
},
"initial_date": "2023-03-27T07:03:13.073528",
"state_id": 1,
"close_date": null,
"owner_id": 2,
"reviewer": null,
"custom_attributes": { },
"user_id": 2,
"reviewer_id": null,
"protagonists": [ ],
"name": "#174 - test",
"user": {"id": 2,
"user_name": "User Std 1",
"user_login": "user_std_1",
"user_email": "user_std_1@iris.local"
},
"review_status": null,
"tags": [ ],
"case_uuid": "0ae68fc6-15b4-4899-ae11-1ce55130e7fc",
"severity": {"severity_name": "Medium",
"severity_description": "Medium",
"severity_id": 4
},
"client": {"client_uuid": "1ab6ee6d-b527-48b4-9019-4798cb8bea56",
"creation_date": "2022-12-29T10:24:33.582216",
"customer_name": "Client 2",
"customer_id": 4,
"customer_sla": null,
"custom_attributes": { },
"last_update_date": "2022-12-29T10:24:33.582216",
"customer_description": "Description for client 2"
},
"open_date": "2023-03-27",
"state": {"state_id": 1,
"protected": true,
"state_description": "Unspecified",
"state_name": "Unspecified"
},
"classification_id": 1,
"owner": {"id": 2,
"user_name": "User Std 1",
"user_login": "user_std_1",
"user_email": "user_std_1@iris.local"
},
"closing_note": null,
"status_id": 0,
"review_status_id": null,
"severity_id": 4,
"classification": {"name": "other:other",
"name_expanded": "Other: Other",
"description": "All incidents that do not fit in one of the given categories should be put into this class. If the number of incidents in this category increases, it is an indicator that the classification scheme must be revised.",
"creation_date": "2023-03-07T07:40:39.558404",
"id": 1
}
},
{"client_id": 2,
"description": "vdfs dfsdsdvfv fdvdfs sdf\n# Context \n\n\n# Contact \n\n\n# Actions\n",
"case_id": 278,
"soc_id": "",
"status_name": "unknown",
"alerts": [ ],
"modification_history": {"1683958754.52258": {"user": "user_std_1",
"user_id": 2,
"action": "created"
},
"1684672442.640787": {"user": "adm_1",
"user_id": 11,
"action": "case closed"
},
"1684672557.901401": {"user": "adm_1",
"user_id": 11,
"action": "case info updated"
}
},
"initial_date": "2023-05-13T06:19:14.292101",
"state_id": 9,
"close_date": "2023-05-21",
"owner_id": 2,
"reviewer": null,
"custom_attributes": { },
"user_id": 2,
"reviewer_id": null,
"protagonists": [ ],
"name": "#278 - [RANS] test 4",
"user": {"id": 2,
"user_name": "User Std 1",
"user_login": "user_std_1",
"user_email": "user_std_1@iris.local"
},
"review_status": null,
"tags": [{"id": 15,
"tag_title": "ransomware"
},
{"id": 16,
"tag_title": "malware"
}
],
"case_uuid": "25170044-efd9-498c-8b50-77ecf47eafad",
"severity": {"severity_name": "Medium",
"severity_description": "Medium",
"severity_id": 4
},
"client": {"client_uuid": "40cb701e-5500-4579-905e-e40cd99b7f26",
"creation_date": "2022-12-29T10:24:33.573468",
"customer_name": "Client 0",
"customer_id": 2,
"customer_sla": null,
"custom_attributes": { },
"last_update_date": "2022-12-29T10:24:33.573468",
"customer_description": "Description for client 0"
},
"open_date": "2023-05-13",
"state": {"state_id": 9,
"protected": true,
"state_description": "Case is closed",
"state_name": "Closed"
},
"classification_id": 7,
"owner": {"id": 2,
"user_name": "User Std 1",
"user_login": "user_std_1",
"user_email": "user_std_1@iris.local"
},
"closing_note": null,
"status_id": 0,
"review_status_id": null,
"severity_id": 4,
"classification": {"name": "malicious-code:ransomware",
"name_expanded": "Malicious-Code: Ransomware",
"description": "Ransomware is a type of malicious software from cryptovirology that blocks access to the victim's data or threatens to publish it until a ransom is paid.",
"creation_date": "2023-03-07T07:40:40.108269",
"id": 7
}
},
{"client_id": 2,
"description": "nsaöfksdnälkvsnaäönsa\nSummary to be set",
"case_id": 309,
"soc_id": "8324u2390202",
"status_name": "unknown",
"alerts": [ ],
"modification_history": {"1684841100.350423": {"user": "user_std_1",
"user_id": 2,
"action": "created"
}
},
"initial_date": "2023-05-23T11:25:00.242875",
"state_id": 3,
"close_date": null,
"owner_id": 2,
"reviewer": null,
"custom_attributes": { },
"user_id": 2,
"reviewer_id": null,
"protagonists": [ ],
"name": "#309 - test3281",
"user": {"id": 2,
"user_name": "User Std 1",
"user_login": "user_std_1",
"user_email": "user_std_1@iris.local"
},
"review_status": null,
"tags": [{"id": 15,
"tag_title": "ransomware"
},
{"id": 16,
"tag_title": "malware"
}
],
"case_uuid": "3b4dacb8-6d7a-45d7-9a88-6fbe48422fa5",
"severity": {"severity_name": "Medium",
"severity_description": "Medium",
"severity_id": 4
},
"client": {"client_uuid": "40cb701e-5500-4579-905e-e40cd99b7f26",
"creation_date": "2022-12-29T10:24:33.573468",
"customer_name": "Client 0",
"customer_id": 2,
"customer_sla": null,
"custom_attributes": { },
"last_update_date": "2022-12-29T10:24:33.573468",
"customer_description": "Description for client 0"
},
"open_date": "2023-05-23",
"state": {"state_id": 3,
"protected": true,
"state_description": "Case is open",
"state_name": "Open"
},
"classification_id": 1,
"owner": {"id": 2,
"user_name": "User Std 1",
"user_login": "user_std_1",
"user_email": "user_std_1@iris.local"
},
"closing_note": null,
"status_id": 0,
"review_status_id": null,
"severity_id": 4,
"classification": {"name": "other:other",
"name_expanded": "Other: Other",
"description": "All incidents that do not fit in one of the given categories should be put into this class. If the number of incidents in this category increases, it is an indicator that the classification scheme must be revised.",
"creation_date": "2023-03-07T07:40:39.558404",
"id": 1
}
}
],
"last_page": 1,
"current_page": 1,
"next_page": null
},
"data": [ ]
}

Notes

Endpoints to interact with notes

Add a new note

Add a new note to an existing group.

Authorizations:

Bearer <bearer>

path Parameters

case_identifier

required

integer

Case identifier

Request Body schema: application/json

note_title	string
note_content	string
directory_id required	integer

Responses

Request samples

Payload

Content type

application/json

{"note_title": "Title of the note",
"note_content": "Content of the note",
"directory_id": 36
}

Response samples

201
400

Content type

application/json

{"note_id": 16,
"note_uuid": "ecbbd74e-85fd-4268-a9a4-c069677e6677",
"note_title": "Title of the note",
"note_content": "Content of the note",
"directory_id": 2,
"directory": {"id": 2,
"name": "A dir",
"parent_id": null,
"case_id": 1
},
"note_user": 1,
"note_creationdate": "2024-03-27T18:14:21.245694",
"note_lastupdate": "2024-03-27T18:14:21.245724",
"note_case_id": 1,
"modification_history": {"1711563261.268616": {"user": "administrator",
"user_id": 1,
"action": "created note"
}
}
}

Get a note

Authorizations:

Bearer <bearer>

path Parameters

case_identifier required	integer Case identifier
identifier required	integer Identifier of the resource to retrieve

Responses

Response samples

200

Content type

application/json

{"note_id": 16,
"note_uuid": "ecbbd74e-85fd-4268-a9a4-c069677e6677",
"note_title": "Title of the note",
"note_content": "Content of the note",
"directory_id": 2,
"directory": {"id": 2,
"name": "A dir",
"parent_id": null,
"case_id": 1
},
"note_user": 1,
"note_creationdate": "2024-03-27T18:14:21.245694",
"note_lastupdate": "2024-03-27T18:14:21.245724",
"note_case_id": 1,
"modification_history": {"1711563261.268616": {"user": "administrator",
"user_id": 1,
"action": "created note"
}
}
}

Update a note

Update the content and metadata of a note.

Authorizations:

Bearer <bearer>

path Parameters

case_identifier required	integer Case identifier
identifier required	integer Identifier of the resource to retrieve

Request Body schema: application/json

note_title	string
note_content	string
directory_id	integer

Responses

Request samples

Payload

Content type

application/json

{"note_title": "New title",
"note_content": "New content",
"directory_id": 4
}

Response samples

200
400

Content type

application/json

{"note_id": 16,
"note_uuid": "ecbbd74e-85fd-4268-a9a4-c069677e6677",
"note_title": "Title of the note",
"note_content": "Content of the note",
"directory_id": 2,
"directory": {"id": 2,
"name": "A dir",
"parent_id": null,
"case_id": 1
},
"note_user": 1,
"note_creationdate": "2024-03-27T18:14:21.245694",
"note_lastupdate": "2024-03-27T18:14:21.245724",
"note_case_id": 1,
"modification_history": {"1711563261.268616": {"user": "administrator",
"user_id": 1,
"action": "created note"
}
}
}

Delete a note

Authorizations:

Bearer <bearer>

path Parameters

case_identifier required	integer Case identifier
identifier required	integer Identifier of the resource to retrieve

Responses

Response samples

400

Content type

application/json

{"message": "Error processing request - check server logs",
"data": null
}

Add a new notes directory

Create a new empty directory.

Authorizations:

Bearer <bearer>

path Parameters

case_identifier

required

integer

Case identifier

Request Body schema: application/json

name required	string non-empty
parent_id	number An existing parent directory identifier. To add at the root, do not set the field.

Responses

Request samples

Payload

Content type

application/json

{"name": "Test"
}

Response samples

201
400

Content type

application/json

{"id": 34,
"name": "Test",
"parent_id": null,
"case_id": 1
}

Get filtered collection of note directories

Return collection of note directories

Authorizations:

Bearer <bearer>

path Parameters

case_identifier

required

integer

Case identifier

Responses

Response samples

201
400

Content type

application/json

{"id": 34,
"name": "Test",
"note_count": 0,
"subdirectories": [ ],
"notes": [ ]
}

Get a notes directory

Return information of a notes directory

Authorizations:

Bearer <bearer>

path Parameters

case_identifier required	integer Case identifier
identifier required	integer Identifier of the resource to retrieve

Responses

Response samples

201
400

Content type

application/json

{"id": 34,
"name": "Test",
"parent_id": null,
"case_id": 1
}

Update a notes directory

Authorizations:

Bearer <bearer>

path Parameters

case_identifier required	integer Case identifier
identifier required	integer Identifier of the resource to retrieve

Request Body schema: application/json

name	string non-empty
parent_id	number An existing parent directory identifier. To add at the root, do not set the field.

Responses

Request samples

Payload

Content type

application/json

{"name": "Test"
}

Response samples

200
400

Content type

application/json

{"id": 34,
"name": "Test",
"parent_id": null,
"case_id": 1
}

Delete a note directory

Authorizations:

Bearer <bearer>

path Parameters

case_identifier required	integer Case identifier
identifier required	integer Identifier of the resource to retrieve

Responses

Get list of groups and notes Deprecated

This endpoint is deprecated. Use GET /case/notes/directories/filter instead.

Authorizations:

Bearer <bearer>

query Parameters

cid

required

integer

Case ID

Responses

Response samples

200

Content type

application/json

{"status": "success",
"message": "",
"data": {"groups": [{"group_id": 186,
"group_uuid": "3551ce9f-1446-4163-ab9e-78b9c4187cfd",
"group_title": "Group 186",
"notes": [{"note_id": 110,
"note_uuid": "45df996f-f96d-4162-a5eb-2ddb66500d97",
"note_title": "Test Note",
"user": "adm_1",
"note_lastupdate": "2023-12-29T19:21:48.799248"
},
{"note_id": 1620,
"note_uuid": "c47a232f-ccce-4883-ace2-b071c31ba009",
"note_title": "Untitled note",
"user": "adm_3",
"note_lastupdate": "2023-12-14T17:50:03.136531"
},
{"note_id": 1733,
"note_uuid": "56a0bea6-e65b-4ff9-9000-a3f34b162d83",
"note_title": "Untitled note",
"user": "adm_1",
"note_lastupdate": "2023-11-24T14:10:31.487938"
},
{"note_id": 1834,
"note_uuid": "9176ddd1-fb35-41f3-ba4e-e26f32fede8b",
"note_title": "Untitled note",
"user": "adm_3",
"note_lastupdate": "2023-12-07T14:50:05.324440"
},
{"note_id": 1953,
"note_uuid": "6d34d408-df68-45c1-a92a-d7fb1e962993",
"note_title": "Untitled note",
"user": "adm_1",
"note_lastupdate": "2024-01-04T15:50:06.758144"
}
]
},
{"group_id": 192,
"group_uuid": "39434f81-9b8f-4540-9818-96b3dae0a48e",
"group_title": "Investigation",
"notes": [{"note_id": 856,
"note_uuid": "bcd2f25c-e329-4ef0-b2fb-1b68ee4ef537",
"note_title": "IOC ?",
"user": "adm_1",
"note_lastupdate": "2023-12-08T02:23:07.030130"
},
{"note_id": 1820,
"note_uuid": "6d293b2c-06b7-422a-887b-284bf559636d",
"note_title": "Untitled note",
"user": "adm_1",
"note_lastupdate": "2023-12-05T03:20:09.078152"
},
{"note_id": 1934,
"note_uuid": "f3b28930-844e-4edb-936d-12d87231aeaf",
"note_title": "Untitled note",
"user": "adm_1",
"note_lastupdate": "2024-01-02T06:44:34.079779"
},
{"note_id": 1954,
"note_uuid": "12b4a4a8-d0a9-49ff-9b97-3ad43c6aa86e",
"note_title": "testing stuff for frodo on the one ring server",
"user": "adm_1",
"note_lastupdate": "2024-01-04T15:50:44.699016"
}
]
},
{"group_id": 223,
"group_uuid": "7538ceb3-e7c2-4ca8-911d-031a66f0f2fc",
"group_title": "Group 223",
"notes": [{"note_id": 213,
"note_uuid": "066e24c2-85ca-41a5-b982-91f44dd92ebe",
"note_title": "Untitled note",
"user": "adm_1",
"note_lastupdate": "2023-03-31T22:35:43.435906"
}
]
},
{"group_id": 229,
"group_uuid": "3bec5c22-ae2e-415a-9eee-18b10ace47df",
"group_title": "Group 229",
"notes": [{"note_id": 530,
"note_uuid": "b5a5403a-2bf6-4649-bf78-2a476d0b31da",
"note_title": "Untitled note",
"user": "adm_1",
"note_lastupdate": "2023-06-06T07:18:08.899797"
}
]
},
{"group_id": 230,
"group_uuid": "80c4fb87-e939-42b5-863e-11be4c4c8991",
"group_title": "Group 230",
"notes": [{"note_id": 774,
"note_uuid": "294ab835-cc02-4ae5-a04c-821cde72b623",
"note_title": "Untitled note",
"user": "adm_3",
"note_lastupdate": "2023-07-27T06:33:29.931800"
}
]
},
{"group_id": 316,
"group_uuid": "ba1e558b-cc24-46ee-b192-a6fe2a3a03ec",
"group_title": "Group 316",
"notes": [{"note_id": 1757,
"note_uuid": "8f909d5a-07d7-4f81-afad-767c860253ba",
"note_title": "Untitled note",
"user": "adm_1",
"note_lastupdate": "2023-11-29T22:28:49.316698"
}
]
},
{"group_id": 317,
"group_uuid": "46a1c5d4-8e18-42e0-89f4-906c1e0bd288",
"group_title": "Group 317",
"notes": [ ]
},
{"group_id": 318,
"group_uuid": "c64875de-5cdb-43b9-b49f-ba523e8b610d",
"group_title": "Group 318",
"notes": [{"note_id": 1732,
"note_uuid": "b16a7bdb-698a-4c7a-be56-2deb64f4d949",
"note_title": "Untitled note",
"user": "adm_3",
"note_lastupdate": "2023-11-24T00:05:45.580907"
}
]
},
{"group_id": 319,
"group_uuid": "ce1c592c-3df6-43ea-9cbd-894f30a56bf0",
"group_title": "Group 319",
"notes": [ ]
},
{"group_id": 320,
"group_uuid": "970e0a0d-f28f-4192-8239-7831c4560367",
"group_title": "Group 320",
"notes": [{"note_id": 239,
"note_uuid": "a714b7a3-8344-4b15-ba24-d1722adcfe65",
"note_title": "Untitled note",
"user": "adm_1",
"note_lastupdate": "2023-04-12T13:14:48.811734"
}
]
},
{"group_id": 351,
"group_uuid": "71d555a9-4060-411a-be2f-f0d33793c647",
"group_title": "new group",
"notes": [{"note_id": 276,
"note_uuid": "5217a534-e236-4516-8d44-dfd0d6fcbdcb",
"note_title": "Untitled note",
"user": "adm_1",
"note_lastupdate": "2023-04-27T09:27:18.650654"
}
]
},
{"group_id": 385,
"group_uuid": "8eb53b45-1226-4468-ace1-2d10f7831a6f",
"group_title": "Group 385",
"notes": [ ]
},
{"group_id": 562,
"group_uuid": "1dfe7ef3-7597-4d4b-9096-3e390e011b40",
"group_title": "Group 562",
"notes": [{"note_id": 1831,
"note_uuid": "c305d4e1-adcd-410d-8d56-d73364faff34",
"note_title": "Untitled note",
"user": "adm_1",
"note_lastupdate": "2023-12-07T10:20:18.227276"
}
]
},
{"group_id": 563,
"group_uuid": "a5094fd7-02d0-44b0-beeb-c8b3d3e8f8e8",
"group_title": "Group 563",
"notes": [ ]
},
{"group_id": 565,
"group_uuid": "bcd7ac17-064f-49b9-941b-a5e01b82cfdb",
"group_title": "Group 565",
"notes": [{"note_id": 696,
"note_uuid": "5d45d634-f463-4400-840a-646423e9c152",
"note_title": "Untitled note",
"user": "adm_1",
"note_lastupdate": "2023-07-12T08:35:22.251498"
}
]
},
{"group_id": 589,
"group_uuid": "c111f93c-622d-4954-9592-da4406109897",
"group_title": "Group 589",
"notes": [ ]
},
{"group_id": 590,
"group_uuid": "2e38b22f-f3b8-4345-b110-a735d1afb228",
"group_title": "Group 590",
"notes": [{"note_id": 1789,
"note_uuid": "e8f3943a-778a-4850-be22-0fb9fca7eeed",
"note_title": "Untitled note",
"user": "adm_3",
"note_lastupdate": "2023-12-01T16:06:25.564707"
}
]
},
{"group_id": 615,
"group_uuid": "1555f460-e29a-4a1e-a438-b02309b4e9ef",
"group_title": "Group 615",
"notes": [ ]
},
{"group_id": 731,
"group_uuid": "11e3e6d1-ab59-4c39-a478-420c865e7e69",
"group_title": "Group 731",
"notes": [{"note_id": 730,
"note_uuid": "7e45074a-e828-45b6-95c3-1c2d50854d31",
"note_title": "Untitled note",
"user": "adm_1",
"note_lastupdate": "2023-07-20T07:08:09.733633"
}
]
},
{"group_id": 748,
"group_uuid": "2af357bf-9a8a-4a82-b047-6d2804b5de8b",
"group_title": "Group 748",
"notes": [ ]
},
{"group_id": 766,
"group_uuid": "f55a2e9e-ab3e-4e89-9bcb-3a082c677e73",
"group_title": "New notes group",
"notes": [{"note_id": 1276,
"note_uuid": "17d9b1b2-7788-4588-9a8b-59a4cd014cce",
"note_title": "Untitled note",
"user": "adm_1",
"note_lastupdate": "2023-09-22T08:28:12.315640"
}
]
},
{"group_id": 767,
"group_uuid": "04e13560-18c1-48fc-b8ff-31f49dd9f8fd",
"group_title": "New notes group",
"notes": [{"note_id": 798,
"note_uuid": "947019ef-f587-417f-b2be-1f02cb083add",
"note_title": "Untitled note",
"user": "adm_1",
"note_lastupdate": "2023-07-31T11:41:40.057720"
}
]
},
{"group_id": 801,
"group_uuid": "b68617d8-a1c5-43a3-ac0f-490fb884f615",
"group_title": "New notes group",
"notes": [ ]
},
{"group_id": 802,
"group_uuid": "4443a8b5-08c7-432f-971c-48413073487d",
"group_title": "New notes group",
"notes": [ ]
},
{"group_id": 912,
"group_uuid": "cfde6d2d-5985-4276-8e5e-a7836df5a0b3",
"group_title": "New notes group",
"notes": [ ]
},
{"group_id": 916,
"group_uuid": "ff8c3646-75ff-417a-81b5-8b6555be49ee",
"group_title": "New notes group",
"notes": [{"note_id": 1606,
"note_uuid": "e9358f9c-ef82-4754-b6df-12344b053a91",
"note_title": "Untitled note",
"user": "adm_3",
"note_lastupdate": "2023-11-06T02:32:11.434290"
}
]
},
{"group_id": 984,
"group_uuid": "31cc129c-f097-469b-a97b-ffde2c3e52da",
"group_title": "New notes group",
"notes": [ ]
},
{"group_id": 985,
"group_uuid": "1f455c92-7985-4abe-bd45-b7412691a026",
"group_title": "New notes group",
"notes": [{"note_id": 1933,
"note_uuid": "60c88bb5-78bd-4f2e-8eb2-d77d7cbf2b2d",
"note_title": "Untitled note",
"user": "adm_1",
"note_lastupdate": "2024-01-02T06:44:22.177576"
}
]
},
{"group_id": 986,
"group_uuid": "baa949b7-7dc0-4b9c-bb91-58748d2d4914",
"group_title": "New notes group",
"notes": [ ]
},
{"group_id": 1122,
"group_uuid": "25bc6402-53f8-4165-82a6-7e098ad3dfce",
"group_title": "New notes group",
"notes": [ ]
},
{"group_id": 1141,
"group_uuid": "78ed4c55-bd49-4cd9-8d59-0a3461063529",
"group_title": "New notes group",
"notes": [ ]
},
{"group_id": 1142,
"group_uuid": "3647e416-e782-47c6-bfc0-9ee42e835345",
"group_title": "New notes group",
"notes": [ ]
},
{"group_id": 1169,
"group_uuid": "536404d9-ceb1-4e52-bcdc-6a5fb1faa0dd",
"group_title": "New notes group",
"notes": [{"note_id": 1277,
"note_uuid": "dd310051-550c-40ff-b5fc-53fa5e022997",
"note_title": "Untitled note",
"user": "adm_1",
"note_lastupdate": "2023-09-22T08:28:23.443734"
}
]
},
{"group_id": 1235,
"group_uuid": "76924746-b2e2-4088-afad-b0e88161a756",
"group_title": "New notes group",
"notes": [ ]
},
{"group_id": 1289,
"group_uuid": "aeb2e9b0-a0ee-4c09-9be8-60123ebc86ea",
"group_title": "New notes group",
"notes": [ ]
},
{"group_id": 1290,
"group_uuid": "16114da7-40ed-4864-8c3c-f63b1b1c5b6e",
"group_title": "New notes group",
"notes": [{"note_id": 1919,
"note_uuid": "d72525a6-81c0-44ca-8ec5-76dea8ccd9df",
"note_title": "Untitled note",
"user": "adm_1",
"note_lastupdate": "2023-12-27T16:15:24.956701"
}
]
},
{"group_id": 1291,
"group_uuid": "60b1fd6b-24a2-4f82-aeec-25d48858a1a7",
"group_title": "New notes group",
"notes": [ ]
},
{"group_id": 1292,
"group_uuid": "c26094d8-5284-4270-b8e7-854e0306d378",
"group_title": "New notes group",
"notes": [ ]
},
{"group_id": 1329,
"group_uuid": "9a950733-4825-436f-b5d8-5b7be9fd130e",
"group_title": "New notes group",
"notes": [ ]
},
{"group_id": 1378,
"group_uuid": "c731447c-52d9-462e-b006-548cdba13fbe",
"group_title": "New notes group",
"notes": [ ]
},
{"group_id": 1384,
"group_uuid": "07617992-8300-4023-99ae-933e7b3cd8ed",
"group_title": "New notes group",
"notes": [ ]
},
{"group_id": 1385,
"group_uuid": "72e5a1a1-3853-42fc-a8b6-4765043ce12f",
"group_title": "New notes group",
"notes": [ ]
},
{"group_id": 1425,
"group_uuid": "1b42b99b-8479-47bc-84dc-7992c2ddaab7",
"group_title": "New notes group",
"notes": [ ]
},
{"group_id": 1442,
"group_uuid": "47436e25-8bd9-4926-adab-3a74e5131a73",
"group_title": "New notes group",
"notes": [ ]
},
{"group_id": 1498,
"group_uuid": "7a0b754a-096b-4b94-a3d5-8cda257f42d5",
"group_title": "New notes group",
"notes": [ ]
},
{"group_id": 1499,
"group_uuid": "126968ba-cc9f-42fe-87d3-f48ce6cdf034",
"group_title": "New notes group",
"notes": [ ]
},
{"group_id": 1505,
"group_uuid": "e417f7a3-9d61-416b-aa59-ecc2f623da6b",
"group_title": "New notes group",
"notes": [ ]
},
{"group_id": 1506,
"group_uuid": "4afff67b-9eb9-42fa-ae37-b54cbc170e8e",
"group_title": "New notes group",
"notes": [ ]
},
{"group_id": 1507,
"group_uuid": "40e12b26-3ae9-47aa-ae28-15e46a777ab9",
"group_title": "New notes group",
"notes": [ ]
},
{"group_id": 1510,
"group_uuid": "7247267b-3e14-4154-93a5-ba388c45b7e0",
"group_title": "New notes group",
"notes": [ ]
},
{"group_id": 1511,
"group_uuid": "87d73fcb-3dba-4fda-920e-9c315a5023eb",
"group_title": "New notes group",
"notes": [ ]
},
{"group_id": 1512,
"group_uuid": "dd28240f-0edf-484f-b904-c5e71de8ccac",
"group_title": "New notes group",
"notes": [ ]
},
{"group_id": 1526,
"group_uuid": "20947604-dc3a-40f9-a68d-2c758ae05e8a",
"group_title": "New notes group",
"notes": [ ]
},
{"group_id": 1527,
"group_uuid": "a489154f-a436-4a29-97b0-0a2554eda575",
"group_title": "New notes group",
"notes": [ ]
},
{"group_id": 1528,
"group_uuid": "40f9fa9e-3895-4de2-9f73-c64dc398771d",
"group_title": "New notes group",
"notes": [ ]
},
{"group_id": 1530,
"group_uuid": "ec3ab46b-ae85-4734-8db7-2d4895f57bd0",
"group_title": "New notes group",
"notes": [ ]
},
{"group_id": 1531,
"group_uuid": "7db00392-05ac-489a-8de9-0a0fc93c761d",
"group_title": "New notes group",
"notes": [ ]
},
{"group_id": 1532,
"group_uuid": "318a8ee3-b405-4381-9161-8e40af979e57",
"group_title": "New notes group",
"notes": [ ]
},
{"group_id": 1545,
"group_uuid": "485c039f-5baf-4b1c-a0a8-c20660ef8c5f",
"group_title": "New notes group",
"notes": [ ]
},
{"group_id": 1583,
"group_uuid": "c49962b4-39c8-4a21-82de-8eb659f2b106",
"group_title": "New notes group",
"notes": [ ]
},
{"group_id": 1602,
"group_uuid": "ff1b79ed-12ed-475d-9ab7-4cfb1e073480",
"group_title": "New notes group",
"notes": [ ]
},
{"group_id": 1639,
"group_uuid": "de3d38eb-9a5b-4f87-99d6-d6c610d32ac3",
"group_title": "New notes group",
"notes": [ ]
},
{"group_id": 1657,
"group_uuid": "d07e3f4c-ba88-4586-94f8-1cc3d7239cad",
"group_title": "New notes group",
"notes": [ ]
},
{"group_id": 1665,
"group_uuid": "f3d66447-fad7-44f5-9831-5a25486f8408",
"group_title": "New notes group",
"notes": [ ]
},
{"group_id": 1675,
"group_uuid": "b384e358-6cd3-4773-b6b8-8e47e963cc8d",
"group_title": "New notes group",
"notes": [ ]
}
],
"state": {"object_state": 215,
"object_last_update": "2024-01-04T15:50:13.728362"
}
}
}

Fetch a notes group Deprecated

This endpoint is deprecated and not replaced yet.

Authorizations:

Bearer <bearer>

path Parameters

group_id

required

string

ID of the group to return

query Parameters

cid

required

string

ID Of the case

Responses

Response samples

200
400

Content type

application/json

{"status": "success",
"message": "",
"data": {"group_id": 186,
"group_uuid": "3551ce9f-1446-4163-ab9e-78b9c4187cfd",
"group_title": "Group 186",
"group_creationdate": "2023-02-09T19:01:45.753049",
"group_lastupdate": "2023-02-09T19:01:45.753049",
"notes": [{"note_id": 110,
"note_uuid": "45df996f-f96d-4162-a5eb-2ddb66500d97",
"note_title": "Test Note",
"user": "adm_1",
"note_lastupdate": "2023-12-29T19:21:48.799248"
},
{"note_id": 1620,
"note_uuid": "c47a232f-ccce-4883-ace2-b071c31ba009",
"note_title": "Untitled note",
"user": "adm_3",
"note_lastupdate": "2023-12-14T17:50:03.136531"
},
{"note_id": 1733,
"note_uuid": "56a0bea6-e65b-4ff9-9000-a3f34b162d83",
"note_title": "Untitled note",
"user": "adm_1",
"note_lastupdate": "2023-11-24T14:10:31.487938"
},
{"note_id": 1834,
"note_uuid": "9176ddd1-fb35-41f3-ba4e-e26f32fede8b",
"note_title": "Untitled note",
"user": "adm_3",
"note_lastupdate": "2023-12-07T14:50:05.324440"
},
{"note_id": 1953,
"note_uuid": "6d34d408-df68-45c1-a92a-d7fb1e962993",
"note_title": "Untitled note",
"user": "adm_1",
"note_lastupdate": "2024-01-04T15:50:06.758144"
}
]
}
}

Get list of directories and notes Deprecated

List the directories and notes associated to it. Use GET /api/v2/cases/{case_identifier}/notes-directories instead.

Authorizations:

Bearer <bearer>

query Parameters

cid

required

integer

Case ID

Responses

Response samples

200

Content type

application/json

{"status": "success",
"message": "",
"data": [{"id": 5,
"name": "Dummy title",
"note_count": 1,
"subdirectories": [ ],
"notes": [{"id": 1,
"title": "New note"
}
]
},
{"id": 7,
"name": "Dummy title",
"note_count": 0,
"subdirectories": [ ],
"notes": [ ]
},
{"id": 4,
"name": "New folder",
"note_count": 0,
"subdirectories": [ ],
"notes": [ ]
},
{"id": 34,
"name": "Test",
"note_count": 0,
"subdirectories": [ ],
"notes": [ ]
},
{"id": 33,
"name": "Test",
"note_count": 0,
"subdirectories": [ ],
"notes": [ ]
},
{"id": 3,
"name": "ds",
"note_count": 0,
"subdirectories": [ ],
"notes": [ ]
},
{"id": 1,
"name": "dsd",
"note_count": 0,
"subdirectories": [ ],
"notes": [ ]
},
{"id": 2,
"name": "ss",
"note_count": 0,
"subdirectories": [{"id": 4,
"name": "New folder",
"note_count": 0,
"subdirectories": [ ]
},
{"id": 3,
"name": "ds",
"note_count": 0,
"subdirectories": [ ]
}
],
"notes": [ ]
}
]
}

Add a new notes group Deprecated

This endpoint is deprecated. Use POST /cases/notes/directories/add instead.

Authorizations:

Bearer <bearer>

query Parameters

cid

required

string

Case ID

Request Body schema: application/json

If the group title isn't set, a default group name is set by the server.

group_title

string non-empty

Responses

Request samples

Payload

Content type

application/json

{"group_title": "Test"
}

Response samples

200

Content type

application/json

{"status": "success",
"message": "Notes group added",
"data": {"group_lastupdate": "2024-01-09T15:16:19.352384",
"group_uuid": "f337d1cb-216b-4d21-8051-cbcead9bcb4c",
"group_title": "Test",
"group_creationdate": "2024-01-09T15:16:19.352384",
"group_id": 1692
}
}

Add a new notes directory Deprecated

This endpoint is deprecated. Use POST /api/v2/cases/{case_identifier}/notes-directories instead.

Authorizations:

Bearer <bearer>

query Parameters

cid

required

string

Case ID

Request Body schema: application/json

name required	string non-empty
parent_id	number An existing parent directory ID. To add at the root, do not set the field or set it to null.

Responses

Request samples

Payload

Content type

application/json

{"name": "Test",
"parent_id": null
}

Response samples

200

Content type

application/json

{"status": "string",
"message": "string",
"data": {"id": 0,
"name": "string",
"parent_id": null,
"case_id": 0
}
}

Update a notes group Deprecated

This endpoint is deprecated. Use POST /case/notes/directories/update/{directory_id} instead.

Authorizations:

Bearer <bearer>

path Parameters

group_id

required

string

Group ID to update

query Parameters

cid

required

string

case ID

Request Body schema: application/json

group_title

required

string non-empty

Responses

Request samples

Payload

Content type

application/json

{"group_title": "Test"
}

Response samples

200
400

Content type

application/json

{"status": "success",
"message": "Updated title of group ID 186",
"data": {"group_lastupdate": "2023-02-09T19:01:45.753049",
"group_uuid": "3551ce9f-1446-4163-ab9e-78b9c4187cfd",
"group_title": "Test",
"group_creationdate": "2023-02-09T19:01:45.753049",
"group_id": 186
}
}

Update a notes directory Deprecated

This endpoint is deprecated. Use PUT /api/v2/cases/{case_identifier}/notes-directories/{identifier} instead.

Authorizations:

Bearer <bearer>

path Parameters

directory_id

required

integer

query Parameters

cid

required

string

case ID

Request Body schema: application/json

name required	string non-empty
parent_id	integer An existing parent directory ID. To add at the root, do not set the field or set it to null.

Responses

Request samples

Payload

Content type

application/json

{"name": "Test 1"
}

Response samples

200
400

Content type

application/json

{"status": "success",
"message": "Directory modified",
"data": {"id": 1,
"name": "Test 1",
"parent_id": null,
"case_id": 1
}
}

Delete a group note Deprecated

This endpoint is deprecated. Use POST /case/notes/directories/delete/{directory_id} instead.

Authorizations:

Bearer <bearer>

path Parameters

group_id

required

string

query Parameters

cid

required

integer

ID Of the case

Delete notes group Deprecated

This endpoint is deprecated. Use POST /case/notes/directories/delete/{directory_id} instead.

Authorizations:

Bearer <bearer>

path Parameters

group_id

required

string

query Parameters

cid

required

integer

Case ID

Responses

Response samples

200
400

Content type

application/json

{"data": [ ],
"message": "Group ID 22 deleted",
"status": "success"
}

Delete notes group Deprecated

This endpoint is deprecated. Use DELETE /api/v2/cases/{case_identifier}/notes-directories/{identifier} instead.

Authorizations:

Bearer <bearer>

path Parameters

directory_id

required

integer

query Parameters

cid

required

integer

Case ID

Responses

Response samples

200
400

Content type

application/json

{"status": "success",
"message": "Directory deleted",
"data": [ ]
}

Add a new note Deprecated

This endpoint is deprecated. Use POST /api/v2/cases/{case_identifier}/notes instead.

Authorizations:

Bearer <bearer>

query Parameters

cid

required

integer

Case ID

Request Body schema: application/json

note_title required	string non-empty
note_content required	string non-empty
directory_id required	number

Responses

Request samples

Payload

Content type

application/json

{"note_title": "Title of the note",
"note_content": "Content of the note",
"directory_id": 36
}

Response samples

200
400

Content type

application/json

{"status": "success",
"message": "Note added",
"data": {"directory": {"id": 2,
"name": "A dir",
"parent_id": null,
"case_id": 1
},
"note_id": 16,
"note_uuid": "ecbbd74e-85fd-4268-a9a4-c069677e6677",
"note_title": "Title of the note",
"note_content": "Content of the note",
"note_user": 1,
"note_creationdate": "2024-03-27T18:14:21.245694",
"note_lastupdate": "2024-03-27T18:14:21.245724",
"note_case_id": 1,
"custom_attributes": null,
"directory_id": 2,
"modification_history": {"1711563261.268616": {"user": "administrator",
"user_id": 1,
"action": "created note"
}
}
}
}

Fetch a note Deprecated

This endpoint is deprecated. Use GET /api/v2/cases/{case_identifier}/notes/{identifier} instead.

Authorizations:

Bearer <bearer>

path Parameters

note_id

required

integer

ID of the note to fetch

query Parameters

cid

required

integer

Case ID

Responses

Response samples

200
400

Content type

application/json

{"status": "success",
"message": "",
"data": {"directory": {"id": 5,
"name": "Dummy title",
"parent_id": null,
"case_id": 1
},
"note_id": 1,
"note_uuid": "b8391125-f446-40ec-b4cf-f610fefd0029",
"note_title": "New note",
"note_content": "Super note\n\n# hey hey",
"note_user": 1,
"note_creationdate": "2024-03-18T08:35:22.999299",
"note_lastupdate": "2024-03-18T08:35:22.999313",
"note_case_id": 1,
"custom_attributes": null,
"directory_id": 5,
"modification_history": {"1711006761.106673": {"user": "administrator",
"user_id": 1,
"action": "updated note"
},
"1711006771.146321": {"user": "administrator",
"user_id": 1,
"action": "updated note"
},
"1711006776.007962": {"user": "administrator",
"user_id": 1,
"action": "updated note"
}
},
"comments": [ ]
}
}

Save a note Deprecated

This endpoint is deprecated. Use PUT /api/v2/cases/{case_identifier}/notes/{identifier} instead.

Authorizations:

Bearer <bearer>

path Parameters

note_id

required

integer

ID of the note to save

query Parameters

cid

required

integer

Case ID

Request Body schema: application/json

note_title required	string
note_content required	string
custom_attributes	object
parent_id	integer

Responses

Request samples

Payload

Content type

application/json

{"note_title": "New title",
"note_content": "New content",
"custom_attributes": { },
"directory_id": 4
}

Response samples

200

Content type

application/json

{"status": "success",
"message": "Note ID 16 saved",
"data": {"directory": {"id": 4,
"name": "New folder",
"parent_id": 2,
"case_id": 1
},
"note_id": 16,
"note_uuid": "ecbbd74e-85fd-4268-a9a4-c069677e6677",
"note_title": "New title",
"note_content": "New content",
"note_user": 1,
"note_creationdate": "2024-03-27T18:14:21.245694",
"note_lastupdate": "2024-03-27T18:14:21.245724",
"note_case_id": 1,
"custom_attributes": null,
"directory_id": 4,
"modification_history": {"1711563261.268616": {"user": "administrator",
"user_id": 1,
"action": "created note"
},
"1711563512.541373": {"user": "administrator",
"user_id": 1,
"action": "updated note"
},
"1711563539.900177": {"user": "administrator",
"user_id": 1,
"action": "updated note"
},
"1711563545.354224": {"user": "administrator",
"user_id": 1,
"action": "updated note"
},
"1711563549.441697": {"user": "administrator",
"user_id": 1,
"action": "updated note"
}
}
}
}

Delete a note Deprecated

This endpoint is deprecated. Use DELETE /api/v2/cases/{case_identifier}/notes/{identifier} instead.

Authorizations:

Bearer <bearer>

path Parameters

note_id

required

string

ID of the note to delete

query Parameters

cid

required

string

Case ID

Responses

Response samples

200
400

Content type

application/json

{"status": "success",
"message": "Note deleted 856",
"data": [ ]
}

Delete note Deprecated

This endpoint is deprecated. Use the POST /case/notes/delete/{note_id} instead.

Authorizations:

Bearer <bearer>

path Parameters

note_id

required

string

ID of the note to delete

Responses

Search in notes Deprecated

This endpoint is deprecated. Use the GET /case/notes/search instead.

Authorizations:

Bearer <bearer>

query Parameters

cid

required

string

Case ID

Request Body schema: application/json

search_term

required

string non-empty

Responses

Request samples

Payload

Content type

application/json

{"search_term": "term"
}

Response samples

200

Content type

application/json

{"status": "success",
"message": "",
"data": [{"note_id": 153,
"note_title": "Untitled note"
},
{"note_id": 155,
"note_title": "Testing note siho"
},
{"note_id": 88,
"note_title": "Example note with code"
}
]
}

Search in notes

Search across notes.

Authorizations:

Bearer <bearer>

query Parameters

cid required	integer Case ID
search_input required	string Search term. Use % as wildcard

Responses

Assets

Endpoints to interact with assets

Create an asset

Add a new asset to a case.

Authorizations:

Bearer <bearer>

path Parameters

case_identifier

required

integer

Case identifier

Request Body schema: application/json

asset_type_id required	integer
case_id	integer
asset_description	string
asset_id	integer
analysis_status_id	integer (analysis_status_id) The asset analysis status identifier. Possible values are listed by endpoint GET /manage/analysis-status/list.
custom_attributes	object
asset_info	string
user_id	integer
date_added	string
date_update	string
asset_name required	string
asset_ip	string
asset_tags	string
asset_compromise_status_id	integer (asset_compromise_status_id) The asset compromise status identifier. Possible values are listed by endpoint GET /manage/compromise-status/list.
asset_uuid	string
asset_domain	string

Responses

Request samples

Payload

Content type

application/json

{"asset_type_id": 9,
"asset_domain": "iris.local",
"asset_ip": "127.0.0.1",
"asset_info": "",
"asset_compromise_status_id": 1,
"analysis_status_id": 3,
"asset_name": "admin_laptop",
"asset_tags": "anewtag",
"asset_description": "A host description"
}

Response samples

201
400

Content type

application/json

{"asset_id": 57,
"asset_uuid": "c6598fd0-836a-4fc4-87c1-6f03348eadeb",
"asset_name": "FILESERVER1231",
"asset_type": "Windows - Server",
"asset_icon_compromised": "ioc_windows_server.png",
"asset_icon_not_compromised": "windows_server.png",
"asset_description": "",
"asset_domain": "",
"asset_compromise_status_id": 0,
"asset_ip": "",
"asset_type_id": 10,
"analysis_status": "Unspecified",
"analysis_status_id": 1,
"asset_tags": "",
"modification_history": {"1742544212.874": {"user": "administrator",
"user_id": 1,
"action": "created"
},
"1742544212.892766": {"user": "administrator",
"user_id": 1,
"action": "updated"
}
}
}

Get a paginated list of assets

Returns a paginated list of assets.

Authorizations:

Bearer <bearer>

path Parameters

case_identifier

required

integer

Case identifier

query Parameters

page	integer Default: 1 Page number
per_page	integer Default: 10 Number of results per page
order_by	string
sort_dir	string asc or desc

Responses

Response samples

200

Content type

application/json

{"total": 0,
"data": [{"asset_id": 57,
"asset_uuid": "c6598fd0-836a-4fc4-87c1-6f03348eadeb",
"asset_name": "FILESERVER1231",
"asset_type": "Windows - Server",
"asset_icon_compromised": "ioc_windows_server.png",
"asset_icon_not_compromised": "windows_server.png",
"asset_description": "",
"asset_domain": "",
"asset_compromise_status_id": 0,
"asset_ip": "",
"asset_type_id": 10,
"analysis_status": "Unspecified",
"analysis_status_id": 1,
"asset_tags": "",
"modification_history": {"1742544212.874": {"user": "administrator",
"user_id": 1,
"action": "created"
},
"1742544212.892766": {"user": "administrator",
"user_id": 1,
"action": "updated"
}
}
}
],
"last_page": 0,
"current_page": 0,
"next_page": 0
}

Get an asset

Get an asset by its identifier

Authorizations:

Bearer <bearer>

path Parameters

case_identifier required	integer Case identifier
identifier required	integer Identifier of the resource to retrieve

Responses

Response samples

201

Content type

application/json

{"asset_id": 57,
"asset_uuid": "c6598fd0-836a-4fc4-87c1-6f03348eadeb",
"asset_name": "FILESERVER1231",
"asset_type": "Windows - Server",
"asset_icon_compromised": "ioc_windows_server.png",
"asset_icon_not_compromised": "windows_server.png",
"asset_description": "",
"asset_domain": "",
"asset_compromise_status_id": 0,
"asset_ip": "",
"asset_type_id": 10,
"analysis_status": "Unspecified",
"analysis_status_id": 1,
"asset_tags": "",
"modification_history": {"1742544212.874": {"user": "administrator",
"user_id": 1,
"action": "created"
},
"1742544212.892766": {"user": "administrator",
"user_id": 1,
"action": "updated"
}
}
}

Update an asset

Authorizations:

Bearer <bearer>

path Parameters

case_identifier required	integer Case identifier
identifier required	integer Identifier of the resource to retrieve

Request Body schema: application/json

asset_name required	string
asset_type_id required	integer
asset_domain	string
asset_ip	string
asset_info	string
asset_compromise_status_id	integer (asset_compromise_status_id) The asset compromise status identifier. Possible values are listed by endpoint GET /manage/compromise-status/list.
analysis_status_id	integer (analysis_status_id) The asset analysis status identifier. Possible values are listed by endpoint GET /manage/analysis-status/list.
ioc_links	Array of strings
asset_tags	string
asset_description	string
custom_attributes	object

Responses

Request samples

Payload

Content type

application/json

{"asset_name": "admin_laptop",
"asset_type_id": 9,
"asset_domain": "iris.local",
"asset_ip": "127.0.0.1",
"asset_info": "",
"asset_compromise_status_id": 1,
"analysis_status_id": 3,
"ioc_links": ["30"
],
"asset_tags": "anewtag",
"asset_description": "A host description",
"custom_attributes": { }
}

Response samples

200
400

Content type

application/json

{"asset_id": 57,
"asset_uuid": "c6598fd0-836a-4fc4-87c1-6f03348eadeb",
"asset_name": "FILESERVER1231",
"asset_type": "Windows - Server",
"asset_icon_compromised": "ioc_windows_server.png",
"asset_icon_not_compromised": "windows_server.png",
"asset_description": "",
"asset_domain": "",
"asset_compromise_status_id": 0,
"asset_ip": "",
"asset_type_id": 10,
"analysis_status": "Unspecified",
"analysis_status_id": 1,
"asset_tags": "",
"modification_history": {"1742544212.874": {"user": "administrator",
"user_id": 1,
"action": "created"
},
"1742544212.892766": {"user": "administrator",
"user_id": 1,
"action": "updated"
}
}
}

Delete an asset

Authorizations:

Bearer <bearer>

path Parameters

case_identifier required	integer Case identifier
identifier required	integer Identifier of the resource to retrieve

Responses

Response samples

400

Content type

application/json

{"message": "Error processing request - check server logs",
"data": null
}

Get an asset

Get an asset by its identifier

Authorizations:

Bearer <bearer>

path Parameters

identifier

required

integer

Identifier of the resource to retrieve

Responses

Response samples

200

Content type

application/json

{"asset_id": 57,
"asset_uuid": "c6598fd0-836a-4fc4-87c1-6f03348eadeb",
"asset_name": "FILESERVER1231",
"asset_type": "Windows - Server",
"asset_icon_compromised": "ioc_windows_server.png",
"asset_icon_not_compromised": "windows_server.png",
"asset_description": "",
"asset_domain": "",
"asset_compromise_status_id": 0,
"asset_ip": "",
"asset_type_id": 10,
"analysis_status": "Unspecified",
"analysis_status_id": 1,
"asset_tags": "",
"modification_history": {"1742544212.874": {"user": "administrator",
"user_id": 1,
"action": "created"
},
"1742544212.892766": {"user": "administrator",
"user_id": 1,
"action": "updated"
}
}
}

Update asset

Update an existing asset

Authorizations:

Bearer <bearer>

path Parameters

identifier

required

integer

Identifier of the resource to retrieve

Request Body schema: application/json

asset_name	string
	object
asset_description	string or null
asset_domain	string or null
	asset_compromise_status_id (integer) or null
asset_ip	string or null
asset_type_id	integer
	object or null
	analysis_status_id (integer) or null
asset_tags	string or null
	modification_history (object) or null

Responses

Request samples

Payload

Content type

application/json

{"asset_name": "FILESERVER1231",
"asset_type": "Windows - Server"
}

Response samples

200
400

Content type

application/json

{"asset_id": 57,
"asset_uuid": "c6598fd0-836a-4fc4-87c1-6f03348eadeb",
"asset_name": "FILESERVER1231",
"asset_type": "Windows - Server",
"asset_icon_compromised": "ioc_windows_server.png",
"asset_icon_not_compromised": "windows_server.png",
"asset_description": "",
"asset_domain": "",
"asset_compromise_status_id": 0,
"asset_ip": "",
"asset_type_id": 10,
"analysis_status": "Unspecified",
"analysis_status_id": 1,
"asset_tags": "",
"modification_history": {"1742544212.874": {"user": "administrator",
"user_id": 1,
"action": "created"
},
"1742544212.892766": {"user": "administrator",
"user_id": 1,
"action": "updated"
}
}
}

Delete an asset

Authorizations:

Bearer <bearer>

path Parameters

identifier

required

integer

Identifier of the resource to retrieve

Responses

Response samples

400

Content type

application/json

{"message": "Error processing request - check server logs",
"data": null
}

Get list of assets

Get a list of the assets linked to the case.

Authorizations:

Bearer <bearer>

query Parameters

cid

required

integer

Case ID

Responses

Response samples

200

Content type

application/json

{"status": "success",
"message": "",
"data": {"assets": [{"asset_id": 57,
"asset_uuid": "c6598fd0-836a-4fc4-87c1-6f03348eadeb",
"asset_name": "FILESERVER1231",
"asset_type": "Windows - Server",
"asset_icon_compromised": "ioc_windows_server.png",
"asset_icon_not_compromised": "windows_server.png",
"asset_description": "",
"asset_domain": "",
"asset_compromise_status_id": 0,
"asset_ip": "",
"asset_type_id": 10,
"analysis_status": "Unspecified",
"analysis_status_id": 1,
"asset_tags": "",
"link": [ ],
"ioc_links": null
},
{"asset_id": 79,
"asset_uuid": "0955016b-c1aa-44e1-a5c6-0b538eac7d9f",
"asset_name": "Test_DFIR",
"asset_type": "Account",
"asset_icon_compromised": "ioc_user.png",
"asset_icon_not_compromised": "user.png",
"asset_description": "",
"asset_domain": "example.com",
"asset_compromise_status_id": 1,
"asset_ip": "1.1.1.1",
"asset_type_id": 1,
"analysis_status": "Started",
"analysis_status_id": 3,
"asset_tags": "",
"link": [ ],
"ioc_links": null
},
{"asset_id": 82,
"asset_uuid": "305c5569-b818-4518-b7cd-cfd07a1033ca",
"asset_name": "DC01",
"asset_type": "Windows - DC",
"asset_icon_compromised": "ioc_windows_server.png",
"asset_icon_not_compromised": "windows_server.png",
"asset_description": "",
"asset_domain": "domain.local",
"asset_compromise_status_id": 0,
"asset_ip": "10.0.0.8",
"asset_type_id": 11,
"analysis_status": "Unspecified",
"analysis_status_id": 1,
"asset_tags": "",
"link": [{"case_name": "#583 -  [ALERT] VPN Exploit 1208",
"case_open_date": "2023-08-28",
"asset_description": "",
"asset_compromise_status_id": 2,
"asset_id": 3822,
"case_id": 583
}
],
"ioc_links": null
},
{"asset_id": 36,
"asset_uuid": "3b16900a-72a2-46f2-a4e9-880de044c2ad",
"asset_name": "User1_FRZ",
"asset_type": "Firewall",
"asset_icon_compromised": "ioc_firewall.png",
"asset_icon_not_compromised": "firewall.png",
"asset_description": "",
"asset_domain": "",
"asset_compromise_status_id": 1,
"asset_ip": "",
"asset_type_id": 2,
"analysis_status": "Pending",
"analysis_status_id": 4,
"asset_tags": "",
"link": [ ],
"ioc_links": null
},
{"asset_id": 3723,
"asset_uuid": "82c5f2a8-a050-4c23-9616-f5d6713bcf1e",
"asset_name": "DE100",
"asset_type": "Router",
"asset_icon_compromised": "ioc_router.png",
"asset_icon_not_compromised": "router.png",
"asset_description": "Deutsh router",
"asset_domain": "",
"asset_compromise_status_id": 1,
"asset_ip": "1.1.1.1",
"asset_type_id": 12,
"analysis_status": "Pending",
"analysis_status_id": 4,
"asset_tags": "",
"link": [ ],
"ioc_links": null
},
{"asset_id": 3777,
"asset_uuid": "e43b9a3d-37d6-4034-a5ff-2c5252ca9e33",
"asset_name": "user1",
"asset_type": "Account",
"asset_icon_compromised": "ioc_user.png",
"asset_icon_not_compromised": "user.png",
"asset_description": "user account ",
"asset_domain": "",
"asset_compromise_status_id": 0,
"asset_ip": "",
"asset_type_id": 1,
"analysis_status": "Unspecified",
"analysis_status_id": 1,
"asset_tags": "",
"link": [ ],
"ioc_links": null
},
{"asset_id": 3706,
"asset_uuid": "8d04103e-dcfc-40c6-b9d9-f84a77dd823c",
"asset_name": "ad v mojej domene",
"asset_type": "Windows Account - AD",
"asset_icon_compromised": "ioc_user.png",
"asset_icon_not_compromised": "user.png",
"asset_description": "domenovy dacid c 1",
"asset_domain": "pravda.sk",
"asset_compromise_status_id": 3,
"asset_ip": "195.28.85.54",
"asset_type_id": 18,
"analysis_status": "Started",
"analysis_status_id": 3,
"asset_tags": "pravda.sk",
"link": [ ],
"ioc_links": null
},
{"asset_id": 38,
"asset_uuid": "97eaf383-50d6-4f6f-9649-51dc8560fd41",
"asset_name": "EndpointDevice1",
"asset_type": "Windows - Computer",
"asset_icon_compromised": "ioc_windows_desktop.png",
"asset_icon_not_compromised": "windows_desktop.png",
"asset_description": "",
"asset_domain": "",
"asset_compromise_status_id": 0,
"asset_ip": "",
"asset_type_id": 9,
"analysis_status": "Unspecified",
"analysis_status_id": 1,
"asset_tags": "",
"link": [ ],
"ioc_links": null
},
{"asset_id": 47,
"asset_uuid": "ba08841b-80c2-4b55-b296-77f27630d55c",
"asset_name": "DC01",
"asset_type": "Windows - DC",
"asset_icon_compromised": "ioc_windows_server.png",
"asset_icon_not_compromised": "windows_server.png",
"asset_description": "![saml.png](/datastore/file/view/3?cid=1 =40%x40%) \n\n<test><script>\n# Test \nDescription and analysis of the machine \nSome other things to do\n\n\n## Another test \nAnd again another testing \n\n### And yet again another test\nOr something else you wanna do ",
"asset_domain": "acme.local",
"asset_compromise_status_id": 1,
"asset_ip": "192.168.0.1",
"asset_type_id": 11,
"analysis_status": "To be done",
"analysis_status_id": 2,
"asset_tags": "1.3.4.2",
"link": [{"case_name": "#583 -  [ALERT] VPN Exploit 1208",
"case_open_date": "2023-08-28",
"asset_description": "",
"asset_compromise_status_id": 2,
"asset_id": 3822,
"case_id": 583
}
],
"ioc_links": null
},
{"asset_id": 37,
"asset_uuid": "7a0278a2-618d-461e-921e-7cbc0bad3004",
"asset_name": "User2",
"asset_type": "Account",
"asset_icon_compromised": "ioc_user.png",
"asset_icon_not_compromised": "user.png",
"asset_description": "",
"asset_domain": "",
"asset_compromise_status_id": 0,
"asset_ip": "",
"asset_type_id": 1,
"analysis_status": "Unspecified",
"analysis_status_id": 1,
"asset_tags": "",
"link": [ ],
"ioc_links": null
},
{"asset_id": 3749,
"asset_uuid": "e4ca3e33-28f0-43f4-8c68-a79949a9fbb0",
"asset_name": "DC03",
"asset_type": "Windows - DC",
"asset_icon_compromised": "ioc_windows_server.png",
"asset_icon_not_compromised": "windows_server.png",
"asset_description": "Das sind DC",
"asset_domain": "NORTH",
"asset_compromise_status_id": 0,
"asset_ip": "",
"asset_type_id": 11,
"analysis_status": "To be done",
"analysis_status_id": 2,
"asset_tags": "",
"link": [ ],
"ioc_links": null
},
{"asset_id": 3750,
"asset_uuid": "34dba357-7983-4eec-8627-30a5f2b48cc4",
"asset_name": "DC01",
"asset_type": "Windows - DC",
"asset_icon_compromised": "ioc_windows_server.png",
"asset_icon_not_compromised": "windows_server.png",
"asset_description": "Das sind DC",
"asset_domain": "NORTH",
"asset_compromise_status_id": 0,
"asset_ip": "",
"asset_type_id": 11,
"analysis_status": "To be done",
"analysis_status_id": 2,
"asset_tags": "",
"link": [{"case_name": "#583 -  [ALERT] VPN Exploit 1208",
"case_open_date": "2023-08-28",
"asset_description": "",
"asset_compromise_status_id": 2,
"asset_id": 3822,
"case_id": 583
}
],
"ioc_links": null
},
{"asset_id": 2429,
"asset_uuid": "1a9201a9-8d03-44b3-a47a-16c9a780849e",
"asset_name": "Phone - IOS-4869",
"asset_type": "Phone - IOS",
"asset_icon_compromised": "ioc_phone.png",
"asset_icon_not_compromised": "phone.png",
"asset_description": "Asset description",
"asset_domain": "",
"asset_compromise_status_id": null,
"asset_ip": "1.1.1.1",
"asset_type_id": 8,
"analysis_status": "Unspecified",
"analysis_status_id": 1,
"asset_tags": "tag1,tag2",
"link": [ ],
"ioc_links": [{"ioc_id": 407,
"ioc_value": "ec3e51e46aae",
"asset_id": 2429
},
{"ioc_id": 788,
"ioc_value": "bsaoln.gov",
"asset_id": 2429
}
]
},
{"asset_id": 3872,
"asset_uuid": "11925eb0-b205-419f-81cf-fe550a6a6986",
"asset_name": "trreeree",
"asset_type": "Windows - Computer",
"asset_icon_compromised": "ioc_windows_desktop.png",
"asset_icon_not_compromised": "windows_desktop.png",
"asset_description": "",
"asset_domain": "",
"asset_compromise_status_id": 0,
"asset_ip": "",
"asset_type_id": 9,
"analysis_status": "Unspecified",
"analysis_status_id": 1,
"asset_tags": "",
"link": [ ],
"ioc_links": null
},
{"asset_id": 3881,
"asset_uuid": "9a911ef8-3f40-4aaa-a6e0-4ea880bf8d49",
"asset_name": "DCSERER.com",
"asset_type": "Windows - DC",
"asset_icon_compromised": "ioc_windows_server.png",
"asset_icon_not_compromised": "windows_server.png",
"asset_description": "thsis is DC serer",
"asset_domain": "myDC.com",
"asset_compromise_status_id": 1,
"asset_ip": "10.10.10.1",
"asset_type_id": 11,
"analysis_status": "Started",
"analysis_status_id": 3,
"asset_tags": "",
"link": [ ],
"ioc_links": null
},
{"asset_id": 83,
"asset_uuid": "7fb6eec5-ebef-4abd-ab31-4b31b96266f5",
"asset_name": "MV-422",
"asset_type": "Windows - Server",
"asset_icon_compromised": "ioc_windows_server.png",
"asset_icon_not_compromised": "windows_server.png",
"asset_description": "Maquina de pruebas",
"asset_domain": "",
"asset_compromise_status_id": 0,
"asset_ip": "",
"asset_type_id": 10,
"analysis_status": "To be done",
"analysis_status_id": 2,
"asset_tags": "",
"link": [ ],
"ioc_links": null
},
{"asset_id": 3857,
"asset_uuid": "763d9ac5-b858-40b6-b6eb-5b905402d0c3",
"asset_name": "Super Dadmin",
"asset_type": "Account",
"asset_icon_compromised": "ioc_user.png",
"asset_icon_not_compromised": "user.png",
"asset_description": "",
"asset_domain": "",
"asset_compromise_status_id": 1,
"asset_ip": "",
"asset_type_id": 1,
"analysis_status": "Done",
"analysis_status_id": 6,
"asset_tags": "",
"link": [ ],
"ioc_links": null
},
{"asset_id": 75,
"asset_uuid": "50899fe4-5ef6-420d-aef6-55fe6febf6f5",
"asset_name": "aaa",
"asset_type": "Switch",
"asset_icon_compromised": "ioc_switch.png",
"asset_icon_not_compromised": "switch.png",
"asset_description": "asdfdfgsdfg",
"asset_domain": "sdfgh",
"asset_compromise_status_id": 0,
"asset_ip": "435445",
"asset_type_id": 13,
"analysis_status": "Started",
"analysis_status_id": 3,
"asset_tags": "455,type",
"link": [ ],
"ioc_links": null
},
{"asset_id": 2548,
"asset_uuid": "9d188714-5251-41f3-817b-3b1c8515de06",
"asset_name": "WAF-301",
"asset_type": "WAF",
"asset_icon_compromised": "ioc_firewall.png",
"asset_icon_not_compromised": "firewall.png",
"asset_description": "Asset description",
"asset_domain": "",
"asset_compromise_status_id": 2,
"asset_ip": "1.1.1.1",
"asset_type_id": 15,
"analysis_status": "Unspecified",
"analysis_status_id": 1,
"asset_tags": "tag1,tag2",
"link": [ ],
"ioc_links": [{"ioc_id": 1135,
"ioc_value": "aunnrzg.co.uk",
"asset_id": 2548
},
{"ioc_id": 349,
"ioc_value": "ufrsmrdxlqq.org",
"asset_id": 2548
}
]
},
{"asset_id": 2547,
"asset_uuid": "e72f8566-3437-4693-b5e7-e41122c93a4e",
"asset_name": "Account-244",
"asset_type": "Account",
"asset_icon_compromised": "ioc_user.png",
"asset_icon_not_compromised": "user.png",
"asset_description": "Asset description",
"asset_domain": "",
"asset_compromise_status_id": null,
"asset_ip": "1.1.1.1",
"asset_type_id": 1,
"analysis_status": "Unspecified",
"analysis_status_id": 1,
"asset_tags": "tag1,tag2",
"link": [ ],
"ioc_links": [{"ioc_id": 1135,
"ioc_value": "aunnrzg.co.uk",
"asset_id": 2547
},
{"ioc_id": 349,
"ioc_value": "ufrsmrdxlqq.org",
"asset_id": 2547
}
]
},
{"asset_id": 3906,
"asset_uuid": "6a6cb41a-024f-4af6-a8b8-d75ef2c97728",
"asset_name": "waf protecting middle earth from nasty goblins",
"asset_type": "WAF",
"asset_icon_compromised": "ioc_firewall.png",
"asset_icon_not_compromised": "firewall.png",
"asset_description": "",
"asset_domain": "fortheshire.com",
"asset_compromise_status_id": 0,
"asset_ip": "",
"asset_type_id": 15,
"analysis_status": "Unspecified",
"analysis_status_id": 1,
"asset_tags": "",
"link": [ ],
"ioc_links": null
},
{"asset_id": 2430,
"asset_uuid": "07b9310a-887e-4277-b8a8-61c78cae05ec",
"asset_name": "Linux - Server-1240",
"asset_type": "Linux - Server",
"asset_icon_compromised": "ioc_server.png",
"asset_icon_not_compromised": "server.png",
"asset_description": "Asset description",
"asset_domain": "",
"asset_compromise_status_id": null,
"asset_ip": "1.1.1.1",
"asset_type_id": 3,
"analysis_status": "Unspecified",
"analysis_status_id": 1,
"asset_tags": "tag1,tag2",
"link": [ ],
"ioc_links": [{"ioc_id": 407,
"ioc_value": "ec3e51e46aae",
"asset_id": 2430
},
{"ioc_id": 788,
"ioc_value": "bsaoln.gov",
"asset_id": 2430
}
]
},
{"asset_id": 3748,
"asset_uuid": "765f6970-bd9c-41e8-af6b-b050c30c4c7a",
"asset_name": "DC02",
"asset_type": "Windows - DC",
"asset_icon_compromised": "ioc_windows_server.png",
"asset_icon_not_compromised": "windows_server.png",
"asset_description": "Das sind DC",
"asset_domain": "NORTH",
"asset_compromise_status_id": 1,
"asset_ip": "",
"asset_type_id": 11,
"analysis_status": "To be done",
"analysis_status_id": 2,
"asset_tags": "",
"link": [ ],
"ioc_links": null
},
{"asset_id": 3641,
"asset_uuid": "5f99e1ab-bc09-4a0b-b344-6279862c55cc",
"asset_name": "DC02",
"asset_type": "Windows - DC",
"asset_icon_compromised": "ioc_windows_server.png",
"asset_icon_not_compromised": "windows_server.png",
"asset_description": "adadsasd",
"asset_domain": "nevele",
"asset_compromise_status_id": 0,
"asset_ip": "123",
"asset_type_id": 11,
"analysis_status": "Unspecified",
"analysis_status_id": 1,
"asset_tags": "",
"link": [ ],
"ioc_links": null
}
],
"state": {"object_state": 56,
"object_last_update": "2024-01-04T15:52:02.088544"
}
}
}

Fetch an asset Deprecated

This endpoint is deprecated. Use GET /api/v2/assets/{identifier} instead.

Authorizations:

Bearer <bearer>

path Parameters

asset_id

required

integer

query Parameters

cid

required

string

Case ID

Responses

Response samples

200
400

Content type

application/json

{"status": "success",
"message": "",
"data": {"asset_enrichment": {"Another enrichment provider": {"Another key": "Another value"
}
},
"asset_type": {"asset_icon_not_compromised": "firewall.png",
"asset_icon_compromised": "ioc_firewall.png",
"asset_description": "WAF",
"asset_id": 15,
"asset_name": "WAF"
},
"asset_type_id": 15,
"case_id": 1,
"asset_description": "Asset description",
"asset_id": 2548,
"analysis_status_id": 1,
"custom_attributes": {"Analysis": {"Has been analyzed": {"type": "input_checkbox",
"mandatory": false,
"value": false
},
"Analysis note": {"type": "input_textfield",
"mandatory": false,
"value": ""
}
},
"KAPE Status": {"Collected": {"type": "input_checkbox",
"mandatory": false,
"value": false
},
"Analyzed": {"type": "input_checkbox",
"mandatory": false,
"value": false
}
}
},
"asset_info": "",
"user_id": 4,
"date_added": "2024-01-04T13:20:43.522581",
"date_update": "2024-01-04T13:20:43.522598",
"asset_name": "WAF-301",
"asset_ip": "1.1.1.1",
"asset_tags": "tag1,tag2",
"asset_compromise_status_id": 2,
"asset_uuid": "9d188714-5251-41f3-817b-3b1c8515de06",
"asset_domain": "",
"linked_ioc": [{"ioc_id": 1135,
"ioc_value": "aunnrzg.co.uk",
"ioc_tags": "tag1,tag2",
"ioc_type_id": 22,
"type_name": "email",
"ioc_description": "description_hey",
"ioc_tlp_id": 2
},
{"ioc_id": 349,
"ioc_value": "ufrsmrdxlqq.org",
"ioc_tags": "tag1,tag2",
"ioc_type_id": 22,
"type_name": "email",
"ioc_description": "description_hey",
"ioc_tlp_id": 2
}
]
}
}

Add a new asset Deprecated

This endpoint is deprecated. Use POST /api/v2/cases/{case_identifier}/assets instead.

Authorizations:

Bearer <bearer>

query Parameters

cid

required

integer

Case ID

Request Body schema: application/json

asset_type_id required	string
asset_domain	string
asset_ip	string
asset_info	string
asset_compromise_status_id	string
analysis_status_id	string
ioc_links	Array of strings
asset_name required	string
asset_tags	string
asset_description	string
custom_attributes	object

Responses

Request samples

Payload

Content type

application/json

{"asset_type_id": "9",
"asset_domain": "iris.local",
"asset_ip": "127.0.0.1",
"asset_info": "",
"asset_compromise_status_id": "1",
"analysis_status_id": "3",
"ioc_links": ["30"
],
"asset_name": "admin_laptop",
"asset_tags": "anewtag",
"asset_description": "A host description",
"custom_attributes": { }
}

Response samples

200
400

Content type

application/json

{"status": "success",
"message": "Asset added",
"data": {"asset_enrichment": null,
"asset_type": {"asset_icon_not_compromised": "windows_desktop.png",
"asset_icon_compromised": "ioc_windows_desktop.png",
"asset_description": "Standard Windows Computer",
"asset_id": 9,
"asset_name": "Windows - Computer"
},
"asset_type_id": 9,
"case_id": 1,
"asset_description": "A host description",
"asset_id": 3912,
"analysis_status_id": 3,
"custom_attributes": { },
"asset_info": "",
"user_id": 1,
"date_added": "2024-01-09T13:25:51.328503",
"date_update": "2024-01-09T13:25:51.328506",
"asset_name": "admin_laptop",
"asset_ip": "127.0.0.1",
"asset_tags": "anewtag",
"asset_compromise_status_id": 1,
"asset_uuid": "5914a960-d6d5-4e18-9665-613037d8f702",
"asset_domain": "iris.local"
}
}

Update an asset Deprecated

This endpoint is deprecated. Use PUT /api/v2/cases/{case_identifier}/assets/{identifier} instead.

Authorizations:

Bearer <bearer>

path Parameters

asset_id

required

string

ID of the asset to update

query Parameters

cid

required

integer

Case ID

Request Body schema: application/json

asset_name required	string
asset_type_id required	string
asset_domain	string
asset_ip	string
asset_info	string
asset_compromise_status_id	string
analysis_status_id	string
ioc_links	Array of strings
asset_tags	string
asset_description	string
custom_attributes	object

Responses

Request samples

Payload

Content type

application/json

{"asset_name": "admin_laptop",
"asset_type_id": "9",
"asset_domain": "iris.local",
"asset_ip": "127.0.0.1",
"asset_info": "",
"asset_compromise_status_id": "1",
"analysis_status_id": "3",
"ioc_links": ["30"
],
"asset_tags": "anewtag",
"asset_description": "A host description",
"custom_attributes": { }
}

Response samples

200
400

Content type

application/json

{"status": "success",
"message": "Updated asset admin_laptop",
"data": {"asset_enrichment": { },
"asset_type": {"asset_icon_not_compromised": "windows_desktop.png",
"asset_icon_compromised": "ioc_windows_desktop.png",
"asset_description": "Standard Windows Computer",
"asset_id": 9,
"asset_name": "Windows - Computer"
},
"asset_type_id": 9,
"case_id": 1,
"asset_description": "A host description",
"asset_id": 2548,
"analysis_status_id": 3,
"custom_attributes": { },
"asset_info": "",
"user_id": 4,
"date_added": "2024-01-04T13:20:43.522581",
"date_update": "2024-01-04T13:20:43.522598",
"asset_name": "admin_laptop",
"ioc_links": [30
],
"asset_ip": "127.0.0.1",
"asset_tags": "anewtag",
"asset_compromise_status_id": 1,
"asset_uuid": "9d188714-5251-41f3-817b-3b1c8515de06",
"asset_domain": "iris.local"
}
}

Delete an asset Deprecated

This endpoint is deprecated. Use DELETE /api/v2/assets/{identifier} instead.

Authorizations:

Bearer <bearer>

path Parameters

asset_id

required

string

ID of the note to delete

query Parameters

cid

required

string

Case ID

Responses

Response samples

200
400

Content type

application/json

{"data": [ ],
"message": "Deleted",
"status": "success"
}

Delete an asset

Delete an asset based on its ID. If the asset is linked to an event, the reference is deleted but not the event.

Authorizations:

Bearer <bearer>

path Parameters

asset_id

required

string

ID of the note to delete

query Parameters

cid

required

integer

Case ID

Responses

Response samples

200
400

Content type

application/json

{"value": {"data": [ ],
"message": "Deleted",
"status": "success"
}
}

IOCs

Endpoints to interact with IoCs

Create an IOC

Creates a new ioc.

Authorizations:

Bearer <bearer>

path Parameters

case_identifier

required

integer

Case identifier

Request Body schema: application/json

ioc_value required	string non-empty
ioc_type_id required	number
ioc_tlp_id required	number
ioc_description required	string non-empty A short description of the ioc. This will be the summary of the ioc.
ioc_misp	string or null Misp of ioc
ioc_tags required	string Ioc tags

Responses

Request samples

Payload

Content type

application/json

{"ioc_value": "8.8.8.8",
"ioc_type_id": 1,
"ioc_tlp_id": 2,
"ioc_description": "rewrw",
"ioc_misp": null,
"ioc_tags": ""
}

Response samples

201
400

Content type

application/json

{"ioc_type_id": 1,
"ioc_tlp_id": 2,
"ioc_value": "8.8.8.8",
"ioc_description": "rewrw",
"ioc_tags": "",
"cid": 2,
"link": [{"case_id": 2,
"case_name": "#2 - case name",
"client_name": "IrisInitialClient"
}
],
"tlp": {"tlp_id": 2,
"tlp_name": "amber",
"tlp_bscolor": "warning"
}
}

Get a paginated list of IOCs

Returns a paginated list of IOCS. Accepts filters and sort query parameters.

Authorizations:

Bearer <bearer>

path Parameters

case_identifier

required

integer

Case identifier

query Parameters

page	integer Default: 1 Page number
per_page	integer Default: 10 Number of results per page
order_by	string
sort_dir	string asc or desc
ioc_type_id	integer IOC type identifier
ioc_type	string
ioc_tlp_id	integer (ioc_tlp_id) Identifier of the IOC TLP (traffic light protocol) color. See GET /manage/tlp/list for possible values.
ioc_value	string
ioc_description	string
ioc_tags	string

Responses

Response samples

200

Content type

application/json

{"total": 0,
"data": [{"ioc_type_id": 1,
"ioc_tlp_id": 2,
"ioc_value": "8.8.8.8",
"ioc_description": "rewrw",
"ioc_tags": "",
"cid": 2,
"link": [{"case_id": 2,
"case_name": "#2 - case name",
"client_name": "IrisInitialClient"
}
],
"tlp": {"tlp_id": 2,
"tlp_name": "amber",
"tlp_bscolor": "warning"
}
}
],
"last_page": 0,
"current_page": 0,
"next_page": 0
}

Get an IOC

Authorizations:

Bearer <bearer>

path Parameters

case_identifier required	integer Case identifier
identifier required	integer Identifier of the resource to retrieve

Responses

Response samples

201

Content type

application/json

{"ioc_type_id": 1,
"ioc_tlp_id": 2,
"ioc_value": "8.8.8.8",
"ioc_description": "rewrw",
"ioc_tags": "",
"cid": 2,
"link": [{"case_id": 2,
"case_name": "#2 - case name",
"client_name": "IrisInitialClient"
}
],
"tlp": {"tlp_id": 2,
"tlp_name": "amber",
"tlp_bscolor": "warning"
}
}

Update an IOC

Authorizations:

Bearer <bearer>

path Parameters

case_identifier required	integer Case identifier
identifier required	integer Identifier of the resource to retrieve

Request Body schema: application/json

ioc_value	string non-empty
ioc_type_id	number
ioc_tlp_id	number
ioc_description	string non-empty A short description of the ioc. This will be the summary of the ioc.
ioc_misp	string or null Misp of ioc
ioc_tags	string Ioc tags

Responses

Request samples

Payload

Content type

application/json

{"ioc_value": "8.8.8.8",
"ioc_type_id": 1,
"ioc_tlp_id": 2,
"ioc_description": "rewrw",
"ioc_tags": ""
}

Response samples

200
400

Content type

application/json

{"ioc_type_id": 1,
"ioc_tlp_id": 2,
"ioc_value": "8.8.8.8",
"ioc_description": "rewrw",
"ioc_tags": "",
"cid": 2,
"link": [{"case_id": 2,
"case_name": "#2 - case name",
"client_name": "IrisInitialClient"
}
],
"tlp": {"tlp_id": 2,
"tlp_name": "amber",
"tlp_bscolor": "warning"
}
}

Delete an IOC

Delete an IOC from the case. If the IOC is still reference in other cases than it's only unlinked from the current case.

Authorizations:

Bearer <bearer>

path Parameters

case_identifier required	integer Case identifier
identifier required	integer Identifier of the resource to retrieve

Responses

Response samples

400

Content type

application/json

{"message": "Error processing request - check server logs",
"data": null
}

Get an IOC

Authorizations:

Bearer <bearer>

path Parameters

identifier

required

integer

Identifier of the resource to retrieve

Responses

Response samples

201

Content type

application/json

{"ioc_type_id": 1,
"ioc_tlp_id": 2,
"ioc_value": "8.8.8.8",
"ioc_description": "rewrw",
"ioc_tags": "",
"cid": 2,
"link": [{"case_id": 2,
"case_name": "#2 - case name",
"client_name": "IrisInitialClient"
}
],
"tlp": {"tlp_id": 2,
"tlp_name": "amber",
"tlp_bscolor": "warning"
}
}

Update an IOC

Authorizations:

Bearer <bearer>

path Parameters

identifier

required

integer

Identifier of the resource to retrieve

Request Body schema: application/json

ioc_value	string non-empty
ioc_type_id	number
ioc_tlp_id	number
ioc_description	string non-empty A short description of the ioc. This will be the summary of the ioc.
ioc_misp	string or null Misp of ioc
ioc_tags	string Ioc tags

Responses

Request samples

Payload

Content type

application/json

{"ioc_value": "8.8.8.8",
"ioc_type_id": 1,
"ioc_tlp_id": 2,
"ioc_description": "rewrw",
"ioc_tags": ""
}

Response samples

200
400

Content type

application/json

{"ioc_type_id": 1,
"ioc_tlp_id": 2,
"ioc_value": "8.8.8.8",
"ioc_description": "rewrw",
"ioc_tags": "",
"cid": 2,
"link": [{"case_id": 2,
"case_name": "#2 - case name",
"client_name": "IrisInitialClient"
}
],
"tlp": {"tlp_id": 2,
"tlp_name": "amber",
"tlp_bscolor": "warning"
}
}

Delete an IOC

Delete an IOC from the case. If the IOC is still reference in other cases than it's only unlinked from the current case.

Authorizations:

Bearer <bearer>

path Parameters

identifier

required

integer

Identifier of the resource to retrieve

Responses

Response samples

400

Content type

application/json

{"message": "Error processing request - check server logs",
"data": null
}

Get list of IOCs

Returns a list of IOCs as well as any existing links with other cases.

Authorizations:

Bearer <bearer>

query Parameters

cid

required

integer

Case ID

Responses

Response samples

200

Content type

application/json

{"status": "success",
"message": "",
"data": {"ioc": [{"ioc_id": 15,
"ioc_uuid": "47ee4c47-0328-4edf-ba15-4fe2e4c828f0",
"ioc_value": "s<dasdasdasdasd",
"ioc_type_id": 5,
"ioc_type": "attachment",
"ioc_description": "None",
"ioc_tags": "",
"ioc_misp": null,
"tlp_name": "amber",
"tlp_bscolor": "warning",
"ioc_tlp_id": 2,
"link": [ ],
"misp_link": null
}
],
"state": {"object_state": 1,
"object_last_update": "2023-01-16T10:02:05.271648"
}
}
}

Fetch an ioc Deprecated

This endpoint is deprecated. Use GET /api/v2/iocs/{identifier} instead.

Authorizations:

Bearer <bearer>

path Parameters

ioc_id

required

integer

ID of the IOC to fetch

query Parameters

cid

required

string

Case ID

Responses

Response samples

200
400

Content type

application/json

{"status": "success",
"message": "",
"data": {"ioc_description": "None",
"ioc_value": "s<dasdasdasdasd",
"ioc_type": {"type_taxonomy": null,
"type_name": "attachment",
"type_validation_regex": null,
"type_description": "Attachment with external information",
"type_id": 5,
"type_validation_expect": null
},
"ioc_tags": "",
"ioc_uuid": "47ee4c47-0328-4edf-ba15-4fe2e4c828f0",
"ioc_enrichment": null,
"ioc_id": 15,
"ioc_tlp_id": 2,
"user_id": 12,
"custom_attributes": { },
"ioc_type_id": 5,
"ioc_misp": null
}
}

Add a new ioc Deprecated

This endpoint is deprecated. Use POST /api/v2/cases/{case_identifier}/iocs.

Authorizations:

Bearer <bearer>

query Parameters

cid

required

integer

Case ID

Request Body schema: application/json

ioc_type_id required	integer
ioc_tlp_id required	integer
ioc_value required	string non-empty
ioc_description required	string non-empty
ioc_tags required	string
custom_attributes	object

Responses

Request samples

Payload

Content type

application/json

{"ioc_type_id": 1,
"ioc_tlp_id": 2,
"ioc_value": "8.8.8.8",
"ioc_description": "rewrw",
"ioc_tags": "",
"custom_attributes": { }
}

Response samples

200
400

Content type

application/json

Example

Success

{"status": "success",
"message": "IOC added",
"data": {"ioc_description": "rewrw",
"ioc_value": "8.8.8.8",
"ioc_type": {"type_taxonomy": null,
"type_name": "AS",
"type_validation_regex": null,
"type_description": "Autonomous system",
"type_id": 1,
"type_validation_expect": null
},
"ioc_tags": "",
"ioc_uuid": "9c10461b-e5e3-4b39-9d00-c8aff798d4f9",
"ioc_enrichment": null,
"ioc_id": 3956,
"ioc_tlp_id": 2,
"user_id": 1,
"custom_attributes": { },
"ioc_type_id": 1,
"ioc_misp": null
}
}

Delete an IOC Deprecated

This endpoint is deprecated. Use DELETE /api/v2/iocs/{identifier} instead.

Authorizations:

Bearer <bearer>

path Parameters

ioc_id

required

integer

query Parameters

cid

required

string

Case ID

Responses

Response samples

200
400

Content type

application/json

Example

Success 1

{"status": "success",
"message": "IOC 3956 deleted",
"data": [ ]
}

Delete an IOC Deprecated

This endpoint is deprecated. Use the POST /case/ioc/delete/{ioc_id} instead.

Authorizations:

Bearer <bearer>

path Parameters

ioc_id

required

integer

Responses

Update an IOC

Authorizations:

Bearer <bearer>

path Parameters

ioc_id

required

integer

query Parameters

cid

required

integer

Case ID

Request Body schema: application/json

ioc_value	string
ioc_tlp_id	integer
ioc_type_id	integer
ioc_description	string
ioc_tags	string
custom_attributes	object

Responses

Request samples

Payload

Content type

application/json

{"ioc_type_id": 1,
"ioc_tlp_id": 2,
"ioc_value": "evil",
"ioc_description": "IOC description",
"ioc_tags": "tag1,tag2",
"custom_attributes": { }
}

Response samples

200
400

Content type

application/json

{"status": "success",
"message": "Updated ioc \"evil\"",
"data": {"ioc_description": "IOC description",
"ioc_value": "evil",
"ioc_type": {"type_taxonomy": null,
"type_name": "AS",
"type_validation_regex": null,
"type_description": "Autonomous system",
"type_id": 1,
"type_validation_expect": null
},
"ioc_tags": "tag1,tag2",
"ioc_uuid": "ec70eb70-487c-414f-bc8f-7f55752c3150",
"ioc_enrichment": null,
"ioc_id": 3719,
"ioc_tlp_id": 2,
"user_id": 1,
"custom_attributes": { },
"ioc_type_id": 1,
"ioc_misp": null
}
}

Timeline

Endpoints to interact with events

Add a new event

Create a new event in the timeline.

Authorizations:

Bearer <bearer>

path Parameters

case_identifier

required

integer

Case identifier

Request Body schema: application/json

event_title required	string
event_category_id required	integer
event_date required	string
event_tz required	string
event_assets required	Array of integers
event_iocs required	Array of integers
event_raw	string
event_source	string
event_in_summary	boolean
event_in_graph	boolean
event_color	string
event_sync_iocs_assets	boolean
event_tags	string
event_content	string
custom_attributes	object
parent_event_id	integer

Responses

Request samples

Payload

Content type

application/json

{"event_title": "An event",
"event_category_id": 5,
"event_date": "2023-03-08T03:02:00.000",
"event_tz": "+00:00",
"event_assets": [45
],
"event_iocs": [33
],
"event_raw": "My event raw data",
"event_source": "My source",
"event_in_summary": true,
"event_in_graph": true,
"event_color": "#1572E899",
"event_sync_iocs_assets": true,
"event_tags": "tag",
"event_content": "My description",
"parent_event_id": 11,
"custom_attributes": { }
}

Response samples

201
400

Content type

application/json

{"event_id": 663,
"event_uuid": "f20fee77-4d9f-446d-927d-59765aa9cbe0",
"case_id": 1,
"user_id": 1,
"parent_event_id": null,
"event_title": "An event",
"event_category_id": 5,
"event_content": "My description",
"event_color": "#1572E899",
"event_source": "My source",
"event_raw": "My event raw data",
"event_tags": "tag",
"event_date": "2023-03-08T03:02:00.000000",
"event_tz": "+00:00",
"event_date_wtz": "2023-03-08T03:02:00.000000",
"event_added": "2024-01-09T15:45:12.677273",
"event_in_summary": true,
"event_in_graph": true,
"event_is_flagged": false,
"modification_history": {"1704815112.677327": {"user": "administrator",
"action": "created",
"user_id": 1
}
},
"children": [ ],
"custom_attributes": { }
}

Get an event

Return information of an event of the timeline

Authorizations:

Bearer <bearer>

path Parameters

case_identifier required	integer Case identifier
identifier required	integer Identifier of the resource to retrieve

Responses

Response samples

201
400

Content type

application/json

{"event_id": 663,
"event_uuid": "f20fee77-4d9f-446d-927d-59765aa9cbe0",
"case_id": 1,
"user_id": 1,
"parent_event_id": null,
"event_title": "An event",
"event_category_id": 5,
"event_content": "My description",
"event_color": "#1572E899",
"event_source": "My source",
"event_raw": "My event raw data",
"event_tags": "tag",
"event_date": "2023-03-08T03:02:00.000000",
"event_tz": "+00:00",
"event_date_wtz": "2023-03-08T03:02:00.000000",
"event_added": "2024-01-09T15:45:12.677273",
"event_in_summary": true,
"event_in_graph": true,
"event_is_flagged": false,
"modification_history": {"1704815112.677327": {"user": "administrator",
"action": "created",
"user_id": 1
}
},
"children": [ ],
"custom_attributes": { }
}

Update an event

Update an event in the timeline

Authorizations:

Bearer <bearer>

path Parameters

case_identifier required	integer Case identifier
identifier required	integer Identifier of the resource to retrieve

Request Body schema: application/json

event_title required	string
event_category_id required	integer
event_date required	string
event_tz required	string
event_assets required	Array of integers
event_iocs required	Array of integers
event_raw	string
event_source	string
event_in_summary	boolean
event_in_graph	boolean
event_color	string
event_sync_iocs_assets	boolean
event_tags	string
event_content	string
custom_attributes	object
parent_event_id	integer

Responses

Request samples

Payload

Content type

application/json

{"event_title": "An event",
"event_category_id": 5,
"event_date": "2023-03-08T03:02:00.000",
"event_tz": "+00:00",
"event_assets": [45
],
"event_iocs": [33
],
"event_raw": "My event raw data",
"event_source": "Source",
"event_in_summary": true,
"event_in_graph": true,
"event_color": "#1572E899",
"event_sync_iocs_assets": true,
"event_tags": "tag",
"event_content": "My description",
"parent_event_id": 122,
"custom_attributes": { }
}

Response samples

200
400

Content type

application/json

{"event_id": 663,
"event_uuid": "f20fee77-4d9f-446d-927d-59765aa9cbe0",
"case_id": 1,
"user_id": 1,
"parent_event_id": null,
"event_title": "An event",
"event_category_id": 5,
"event_content": "My description",
"event_color": "#1572E899",
"event_source": "My source",
"event_raw": "My event raw data",
"event_tags": "tag",
"event_date": "2023-03-08T03:02:00.000000",
"event_tz": "+00:00",
"event_date_wtz": "2023-03-08T03:02:00.000000",
"event_added": "2024-01-09T15:45:12.677273",
"event_in_summary": true,
"event_in_graph": true,
"event_is_flagged": false,
"modification_history": {"1704815112.677327": {"user": "administrator",
"action": "created",
"user_id": 1
}
},
"children": [ ],
"custom_attributes": { }
}

Delete an event

Delete an event from the timeline. If the event has a child, the child event is not deleted and become a parent itself.

Authorizations:

Bearer <bearer>

path Parameters

case_identifier required	integer Case identifier
identifier required	integer Identifier of the resource to retrieve

Responses

Response samples

400

Content type

application/json

{"message": "Error processing request - check server logs",
"data": null
}

Fetch the timeline Deprecated

The endpoint is deprecated. Use case/timeline/advanced-filter instead.

Authorizations:

Bearer <bearer>

path Parameters

asset_id

required

integer

Filter by assets

query Parameters

cid

required

integer

Case ID

Responses

Response samples

200

Content type

application/json

{"data": {"state": {"object_last_update": "string",
"object_state": 0
},
"timeline": [{"assets": [{ }
],
"category_name": "string",
"event_category_id": 0,
"event_color": "string",
"event_content": "string",
"event_date": "string",
"event_date_wtz": "string",
"event_id": 0,
"event_in_graph": true,
"event_in_summary": true,
"event_tags": "string",
"event_title": "string",
"event_tz": "string"
}
]
},
"message": "string",
"status": "string"
}

Fetch the timeline

Filter the timeline through a query. q should be a valid JSON mapping {field1:[value], field2: [value2]}.
Fields are AND together. The query needs to be URL encoded.

The following fields are available:

asset: Asset linked to the event
ioc: IOC linked to the event
tag: Tag within the event
title: Title of the event
description: Description of the event
raw : Raw event content
category: Category of the event
source: Source of the event
startDate: Start date to filter with
endDate: End date to filter with

Authorizations:

Bearer <bearer>

query Parameters

cid required	integer Case ID
q required	string Query filter

Responses

Response samples

200

Content type

application/json

{"status": "success",
"message": "ok",
"data": {"timeline": [{"event_id": 40,
"event_uuid": "a5f85030-4384-4781-97da-06037808d526",
"event_date": "2023-01-29T00:00:00.000000",
"event_date_wtz": "2023-01-29T00:00:00.000000",
"event_tz": "+00:00",
"event_title": "Logged to",
"event_color": "#1572E899",
"event_tags": "",
"event_content": "Test event in timeline",
"event_in_summary": false,
"event_in_graph": true,
"event_is_flagged": false,
"user": "adm_1",
"event_added": "2023-01-30T07:17:24",
"category_name": "Execution",
"assets": [{"name": "EndpointDevice1 (Windows - Computer)",
"ip": "",
"description": "",
"compromised": false
},
{"name": "User1_FRZ (Firewall)",
"ip": "",
"description": "",
"compromised": true
}
],
"iocs": [{"name": "8.8.8.8",
"description": "None"
},
{"name": "2amsports.com",
"description": ""
}
]
},
{"event_id": 93,
"event_uuid": "8370ae48-5936-45b7-b2b9-f7bba6b4c155",
"event_date": "2023-03-22T00:00:00.000000",
"event_date_wtz": "2023-03-22T00:00:00.000000",
"event_tz": "+00:00",
"event_title": "test 2",
"event_color": null,
"event_tags": "",
"event_content": "",
"event_in_summary": false,
"event_in_graph": true,
"event_is_flagged": false,
"user": "adm_1",
"event_added": "2023-03-22T12:39:41",
"category_name": "Lateral Movement",
"assets": [{"name": "DC01 (Windows - DC)",
"ip": "10.0.0.8",
"description": "",
"compromised": false
},
{"name": "EndpointDevice1 (Windows - Computer)",
"ip": "",
"description": "",
"compromised": false
},
{"name": "DC02 (Windows - DC)",
"ip": "123",
"description": "adadsasd",
"compromised": false
}
],
"iocs": [{"name": "2.2.2.2",
"description": "test IP Malicious"
}
]
},
{"event_id": 173,
"event_uuid": "57134ce2-e8d9-4469-befe-63b5787d2c95",
"event_date": "2023-05-15T00:00:00.000000",
"event_date_wtz": "2023-05-15T00:00:00.000000",
"event_tz": "+00:00",
"event_title": "IPC",
"event_color": "#FFAD4699",
"event_tags": "",
"event_content": "test:101010",
"event_in_summary": true,
"event_in_graph": true,
"event_is_flagged": true,
"user": "adm_1",
"event_added": "2023-05-15T10:30:21",
"category_name": "Collection",
"assets": [{"name": "EndpointDevice1 (Windows - Computer)",
"ip": "",
"description": "",
"compromised": false
}
],
"iocs": [{"name": "2.2.2.2",
"description": "test IP Malicious"
}
]
}
],
"state": {"object_state": 74,
"object_last_update": "2024-01-04T13:20:43.549933"
}
}
}

Fetch the timeline Deprecated

The endpoint is deprecated. Use /case/timeline/advanced-filter instead.

Authorizations:

Bearer <bearer>

query Parameters

cid

required

integer

Case ID

Responses

Response samples

200

Content type

application/json

{"data": [{"assets": [{"compromised": false,
"description": "My asset 10",
"ip": "",
"name": "asset_11 (Linux - Server)"
},
{"compromised": true,
"description": "My asset 10",
"ip": "",
"name": "asset_4 (Windows Account - Local)"
}
],
"category_name": "",
"event_color": "",
"event_content": "My event content @44",
"event_date": "Tue, 19 Oct 2021 16:19:09 GMT",
"event_id": 2021,
"event_tags": "",
"event_title": "My event title @44",
"event_tz": "+00:00",
"event_date_wtz": "Tue, 19 Oct 2021 16:19:09 GMT",
"event_in_summary": true,
"event_in_graph": true
}
],
"message": "",
"status": "success"
}

Fetch the timeline

Fetch the state of the timeline.

Authorizations:

Bearer <bearer>

query Parameters

cid

required

string

Case ID

Responses

Response samples

200

Content type

application/json

{"data": {"object_last_update": "Sun, 06 Mar 2022 13:00:25 GMT",
"object_state": 39
},
"message": "",
"status": "success"
}

Add a new event Deprecated

This endpoint is deprecated. Use POST /api/v2/cases/{case_identifier}/events instead.

Authorizations:

Bearer <bearer>

query Parameters

cid

required

integer

Case ID

Request Body schema: application/json

event_title required	string
event_raw	string
event_source	string
event_assets	Array of integers
event_iocs	Array of integers
event_category_id	string
event_in_summary	boolean
event_in_graph	boolean
event_color	string
event_date required	string
event_sync_iocs_assets	boolean
event_tags	string
event_tz required	string
event_content	string
custom_attributes	object
parent_event_id	integer

Responses

Request samples

Payload

Content type

application/json

{"event_title": "An event",
"event_raw": "My event raw data",
"event_source": "My source",
"event_assets": [45
],
"event_iocs": [33
],
"event_category_id": "5",
"event_in_summary": true,
"event_in_graph": true,
"event_color": "#1572E899",
"event_date": "2023-03-08T03:02:00.000",
"event_sync_iocs_assets": true,
"event_tags": "tag",
"event_tz": "+00:00",
"event_content": "My description",
"parent_event_id": null,
"custom_attributes": { }
}

Response samples

200

Content type

application/json

{"status": "success",
"message": "Event added",
"data": {"event_tags": "tag",
"case_id": 1,
"event_in_summary": true,
"modification_history": {"1704815112.677327": {"user": "administrator",
"action": "created",
"user_id": 1
}
},
"event_date": "2023-03-08T03:02:00.000000",
"event_title": "An event",
"custom_attributes": { },
"user_id": 1,
"event_color": "#1572E899",
"event_added": "2024-01-09T15:45:12.677273",
"event_in_graph": true,
"event_tz": "+00:00",
"event_content": "My description",
"event_source": "My source",
"event_category_id": 5,
"event_uuid": "f20fee77-4d9f-446d-927d-59765aa9cbe0",
"event_is_flagged": false,
"event_raw": "My event raw data",
"event_date_wtz": "2023-03-08T03:02:00.000000",
"event_id": 663
}
}

Fetch an event Deprecated

This endpoint is deprecated. Use GET /api/v2/cases/{case_identifier}/events/{identifier} instead.

Authorizations:

Bearer <bearer>

path Parameters

event_id

required

integer

query Parameters

cid

required

integer

Case ID

Responses

Response samples

200
400

Content type

application/json

{"status": "success",
"message": "",
"data": {"event_tags": "tag",
"case_id": 1,
"event_in_summary": true,
"modification_history": {"1704815238.257724": {"user": "administrator",
"action": "created",
"user_id": 1
}
},
"event_date": "2023-03-08T03:02:00.000000",
"event_title": "An event",
"custom_attributes": { },
"user_id": 1,
"event_color": "#1572E899",
"event_added": "2024-01-09T15:47:18.257680",
"event_in_graph": true,
"event_tz": "+00:00",
"event_content": "My description",
"event_source": "My source",
"event_uuid": "eedceb90-def7-4707-a478-5c5a218f0116",
"event_is_flagged": false,
"event_raw": "My event raw data",
"event_date_wtz": "2023-03-08T03:02:00.000000",
"event_id": 664,
"event_assets": [ ],
"event_iocs": [ ],
"event_category_id": 5,
"event_comments_map": [ ]
}
}

Update an event Deprecated

This endpoint is deprecated. Use PUT /api/v2/cases/{case_identifier}/events/{identifier} instead.

Authorizations:

Bearer <bearer>

path Parameters

event_id

required

integer

query Parameters

cid

required

integer

Case ID

Request Body schema: application/json

event_title required	string
event_raw	string
event_source	string
event_assets	Array of integers
event_iocs	Array of integers
event_category_id	integer
event_in_summary	boolean
event_in_graph	boolean
event_color	string
event_date required	string
event_sync_iocs_assets	boolean
event_tags	string
event_tz required	string
event_content	string
custom_attributes	object
parent_event_id	string

Responses

Request samples

Payload

Content type

application/json

{"event_title": "An event",
"event_raw": "My event raw data",
"event_source": "Source",
"parent_event_id": 122,
"event_assets": [45
],
"event_iocs": [33
],
"event_category_id": 5,
"event_in_summary": true,
"event_in_graph": true,
"event_color": "#1572E899",
"event_date": "2023-03-08T03:02:00.000",
"event_sync_iocs_assets": true,
"event_tags": "tag",
"event_tz": "+00:00",
"event_content": "My description",
"custom_attributes": { }
}

Response samples

200
400

Content type

application/json

{"status": "success",
"message": "Event updated",
"data": {"event_tags": "tag",
"case_id": 1,
"event_in_summary": true,
"modification_history": {"1704815112.677327": {"user": "administrator",
"action": "created",
"user_id": 1
},
"1704815162.220411": {"user": "administrator",
"action": "updated",
"user_id": 1
}
},
"event_date": "2023-03-08T03:02:00.000000",
"event_title": "An event",
"custom_attributes": { },
"user_id": 1,
"event_color": "#1572E899",
"event_added": "2024-01-09T15:45:12.677273",
"event_in_graph": true,
"event_tz": "+00:00",
"event_assets": [45
],
"event_content": "My description",
"event_sync_iocs_assets": true,
"event_source": "Source",
"event_category_id": 5,
"event_uuid": "f20fee77-4d9f-446d-927d-59765aa9cbe0",
"event_is_flagged": false,
"event_raw": "My event raw data",
"event_date_wtz": "2023-03-08T03:02:00.000000",
"event_id": 663,
"event_iocs": [33
]
}
}

Delete an event Deprecated

This endpoint is deprecated. Use DELETE /api/v2/cases/{case_identifier}/events/{identifier} instead.

Authorizations:

Bearer <bearer>

path Parameters

event_id

required

integer

query Parameters

cid	string Case ID

Responses

Response samples

200
400

Content type

application/json

{"data": [ ],
"message": "Event ID 14984 deleted",
"status": "success"
}

Delete an event Deprecated

This endpoint is deprecated. Use POST /case/timeline/events/delete/{event_id} instead.

Authorizations:

Bearer <bearer>

path Parameters

event_id

required

integer

Responses

Tasks

Endpoints to interact with tasks

Create a task

Add a new task.

Authorizations:

Bearer <bearer>

path Parameters

case_identifier

required

integer

Case identifier

Request Body schema: application/json

task_assignees_id required	Array of integers
task_description	string
task_status_id required	integer
task_tags	string
task_title required	string
custom_attributes	object

Responses

Request samples

Payload

Content type

application/json

{"task_assignees_id": [1
],
"task_description": "",
"task_status_id": 1,
"task_tags": "",
"task_title": "dummy title",
"custom_attributes": { }
}

Response samples

201
400

Content type

application/json

{"id": 1696,
"task_uuid": "eb626d0e-ab81-4137-a8ee-33cfd452df21",
"task_title": "test permission",
"task_description": "",
"task_open_date": "2024-01-07T13:57:05.588940",
"task_tags": "",
"task_status_id": 1
}

Get a paginated list of tasks

Returns a paginated list of tasks.

Authorizations:

Bearer <bearer>

path Parameters

case_identifier

required

integer

Case identifier

query Parameters

page	integer Default: 1 Page number
per_page	integer Default: 10 Number of results per page
order_by	string
sort_dir	string asc or desc

Responses

Response samples

200

Content type

application/json

{"total": 0,
"data": [{"id": 1696,
"task_uuid": "eb626d0e-ab81-4137-a8ee-33cfd452df21",
"task_title": "test permission",
"task_description": "",
"task_open_date": "2024-01-07T13:57:05.588940",
"task_tags": "",
"task_status_id": 1
}
],
"last_page": 0,
"current_page": 0,
"next_page": 0
}

Get a task

Get an task by its identifier

Authorizations:

Bearer <bearer>

path Parameters

case_identifier required	integer Case identifier
identifier required	integer Identifier of the resource to retrieve

Responses

Response samples

201

Content type

application/json

{"id": 1696,
"task_uuid": "eb626d0e-ab81-4137-a8ee-33cfd452df21",
"task_title": "test permission",
"task_description": "",
"task_open_date": "2024-01-07T13:57:05.588940",
"task_tags": "",
"task_status_id": 1
}

Update a task

Update an existing task of the case.

Authorizations:

Bearer <bearer>

path Parameters

case_identifier required	integer Case identifier
identifier required	integer Identifier of the resource to retrieve

Request Body schema: application/json

task_title required	string
task_description	string
task_tags	string
task_status_id required	integer
task_assignees_id required	Array of integers
custom_attributes	object

Responses

Request samples

Payload

Content type

application/json

{"task_assignees_id": [1
],
"task_status_id": 1,
"task_title": "New title",
"task_description": "new content",
"task_tags": "new tags",
"custom_attributes": { }
}

Response samples

200
400

Content type

application/json

{"id": 1696,
"task_uuid": "eb626d0e-ab81-4137-a8ee-33cfd452df21",
"task_title": "test permission",
"task_description": "",
"task_open_date": "2024-01-07T13:57:05.588940",
"task_tags": "",
"task_status_id": 1
}

Delete an task

Authorizations:

Bearer <bearer>

path Parameters

case_identifier required	integer Case identifier
identifier required	integer Identifier of the resource to retrieve

Responses

Response samples

400

Content type

application/json

{"message": "Error processing request - check server logs",
"data": null
}

Get a task

Get an task by its identifier

Authorizations:

Bearer <bearer>

path Parameters

identifier

required

integer

Identifier of the resource to retrieve

Responses

Response samples

201

Content type

application/json

{"id": 1696,
"task_uuid": "eb626d0e-ab81-4137-a8ee-33cfd452df21",
"task_title": "test permission",
"task_description": "",
"task_open_date": "2024-01-07T13:57:05.588940",
"task_tags": "",
"task_status_id": 1
}

Delete an task

Authorizations:

Bearer <bearer>

path Parameters

identifier

required

integer

Identifier of the resource to retrieve

Responses

Response samples

400

Content type

application/json

{"message": "Error processing request - check server logs",
"data": null
}

Get case tasks Deprecated

This endpoint is deprecated. Use GET /api/v2/cases/{case_identifier}/tasks instead.

Authorizations:

Bearer <bearer>

query Parameters

cid

required

integer

Case ID

Responses

Response samples

200

Content type

application/json

{"status": "success",
"message": "",
"data": {"tasks_status": [{"id": 1,
"registry": null,
"status_bscolor": "danger",
"status_description": "",
"status_name": "To do"
},
{"id": 2,
"registry": null,
"status_bscolor": "warning",
"status_description": "",
"status_name": "In progress"
},
{"id": 3,
"registry": null,
"status_bscolor": "muted",
"status_description": "",
"status_name": "On hold"
},
{"id": 4,
"registry": null,
"status_bscolor": "success",
"status_description": "",
"status_name": "Done"
},
{"id": 5,
"registry": null,
"status_bscolor": "muted",
"status_description": "",
"status_name": "Canceled"
}
],
"tasks": [{"task_id": 1696,
"task_uuid": "eb626d0e-ab81-4137-a8ee-33cfd452df21",
"task_title": "test permission",
"task_description": "",
"task_open_date": "2024-01-07T13:57:05.588940",
"task_tags": "",
"task_status_id": 1,
"status_name": "To do",
"status_bscolor": "danger",
"task_assignees": [{"user": "adm_1",
"name": "Adm 1",
"id": 11
}
]
}
],
"state": {"object_state": 120,
"object_last_update": "2024-01-07T13:57:05.599620"
}
}
}

Get a case task Deprecated

This endpoint is deprecated. Use GET /api/v2/tasks/{identifier} instead.

Authorizations:

Bearer <bearer>

path Parameters

task_id

required

integer

Task ID to fetch

query Parameters

cid

required

integer

Case ID

Responses

Response samples

200
400

Content type

application/json

{"status": "success",
"message": "",
"data": {"task_title": "dummy title",
"task_status_id": 1,
"task_assignees": [{"user": "administrator",
"name": "administrator",
"id": 1
}
],
"id": 45,
"task_uuid": "9dfe50ea-8c5e-4deb-a670-6b705e59ee3c",
"task_description": "",
"task_tags": "",
"task_open_date": "2024-03-21T09:33:20.792768",
"task_close_date": null,
"task_last_update": "2024-03-26T06:01:45.022397",
"task_userid_open": 1,
"task_userid_close": null,
"task_userid_update": 1,
"task_case_id": 1,
"custom_attributes": { },
"modification_history": null
}
}

Delete a case task Deprecated

This endpoint is deprecated. Use DELETE /api/v2/tasks/{identifier} instead.

Authorizations:

Bearer <bearer>

path Parameters

task_id

required

integer

Task ID to delete

query Parameters

cid

required

integer

Case ID

Responses

Response samples

200
400

Content type

application/json

{"data": [ ],
"message": "Task deleted",
"status": "success"
}

Delete a case task Deprecated

This endpoint is deprecated. Use the DELETE /api/v2/tasks/{identifier} instead.

Authorizations:

Bearer <bearer>

path Parameters

task_id

required

integer

Task ID to delete

Responses

Add a case task Deprecated

This endpoint is deprecated. Use POST /api/v2/cases/{case_identifier}/tasks instead.

Authorizations:

Bearer <bearer>

query Parameters

cid

required

integer

Case ID

Request Body schema: application/json

task_assignees_id required	Array of integers
task_description	string
task_status_id required	integer
task_tags	string
task_title required	string
custom_attributes	object

Responses

Request samples

Payload

Content type

application/json

{"task_assignees_id": [1
],
"task_description": "",
"task_status_id": 1,
"task_tags": "",
"task_title": "dummy title",
"custom_attributes": { }
}

Response samples

200
400

Content type

application/json

{"status": "success",
"message": "Task 'dummy title' added",
"data": {"task_open_date": "2024-01-09T16:03:54.304325",
"task_userid_close": null,
"task_last_update": "2024-01-09T16:03:54.304325",
"task_userid_update": 1,
"task_title": "dummy title",
"task_uuid": "34eb785f-0551-454a-9a7c-7759eb68d4fe",
"task_tags": "",
"id": 1702,
"task_description": "",
"task_userid_open": 1,
"custom_attributes": { },
"task_status_id": 1,
"task_close_date": null,
"task_case_id": 1
}
}

Update a case task Deprecated

This endpoint is deprecated. Use PUT /api/v2/cases/{case_identifier}/tasks/{identifier} instead.

Authorizations:

Bearer <bearer>

path Parameters

task_id

required

integer

ID of the task

query Parameters

cid

required

integer

Case ID

Request Body schema: application/json

task_assignees_id required	Array of integers
task_status_id required	integer
task_title required	string
task_description	string
task_tags	string
custom_attributes	object

Responses

Request samples

Payload

Content type

application/json

{"task_assignees_id": [1
],
"task_status_id": 1,
"task_title": "New title",
"task_description": "new content",
"task_tags": "new tags",
"custom_attributes": { }
}

Response samples

200
400

Content type

application/json

{"data": {"custom_attributes": { },
"id": 31,
"task_assignees": [{"id": 1,
"name": "administrator",
"user": "administrator"
}
],
"task_case_id": 1,
"task_close_date": null,
"task_description": "new content",
"task_last_update": "2023-03-09T08:13:51.464654",
"task_open_date": "2023-03-06T10:39:39.303494",
"task_status_id": 1,
"task_tags": "new tags",
"task_title": "New title",
"task_userid_close": null,
"task_userid_open": 1,
"task_userid_update": 1,
"task_uuid": "c1f0098d-882b-46a3-aea7-5bdaaf798bca"
},
"message": "Task 'New title' updated",
"status": "success"
}

Evidences

Endpoints to interact with evidences

Add an evidence

Add a new evidence to the case.

Authorizations:

Bearer <bearer>

path Parameters

case_identifier

required

integer

Case identifier

Request Body schema: application/json

filename required	string
file_size	integer
file_hash	string
type_id	integer
start_date	string (iso_date) date in ISO 8601 format
end_date	string (iso_date) date in ISO 8601 format
file_description	string

Responses

Request samples

Payload

Content type

application/json

{"filename": "dummy file",
"file_size": 77108,
"file_hash": "88BC9EF6F07F0FAE922AB25EB226906542F8BA0DC1A221F3EA7273CBCB5DB0D4",
"type_id": 2,
"start_date": "2024-04-13T03:02:00",
"end_date": "2024-04-04T00:00:00",
"file_description": "Dummy description"
}

Response samples

201
400

Content type

application/json

{"chain_of_custody": null,
"case_id": 1,
"type_id": null,
"id": 119,
"file_hash": "88BC9EF6F07F0FAE922AB25EB226906542F8BA0DC1A221F3EA7273CBCB5DB0D4",
"filename": "filename.ext",
"start_date": null,
"end_date": null,
"type": null,
"acquisition_date": null,
"case": 1,
"file_uuid": "2c322eb0-53be-45c7-b71c-ae5bc4c3bd0a",
"user_id": 1,
"custom_attributes": { },
"date_added": "2024-01-11T07:39:11.211407",
"user": {"id": 1,
"user_name": "administrator",
"user_login": "administrator",
"user_email": "administrator@iris.local"
},
"file_size": 0,
"file_description": "File description",
"modification_history": null
}

Get a paginated list of evidences

Returns a paginated list of evidences.

Authorizations:

Bearer <bearer>

path Parameters

case_identifier

required

integer

Case identifier

query Parameters

page	integer Default: 1 Page number
per_page	integer Default: 10 Number of results per page
order_by	string
sort_dir	string asc or desc

Responses

Response samples

200
400

Content type

application/json

{"total": 0,
"data": [{"chain_of_custody": null,
"case_id": 1,
"type_id": null,
"id": 119,
"file_hash": "88BC9EF6F07F0FAE922AB25EB226906542F8BA0DC1A221F3EA7273CBCB5DB0D4",
"filename": "filename.ext",
"start_date": null,
"end_date": null,
"type": null,
"acquisition_date": null,
"case": 1,
"file_uuid": "2c322eb0-53be-45c7-b71c-ae5bc4c3bd0a",
"user_id": 1,
"custom_attributes": { },
"date_added": "2024-01-11T07:39:11.211407",
"user": {"id": 1,
"user_name": "administrator",
"user_login": "administrator",
"user_email": "administrator@iris.local"
},
"file_size": 0,
"file_description": "File description",
"modification_history": null
}
],
"last_page": 0,
"current_page": 0,
"next_page": 0
}

Get an evidence

Get an evidence by its identifier

Authorizations:

Bearer <bearer>

path Parameters

case_identifier required	integer Case identifier
identifier required	integer Identifier of the resource to retrieve

Responses

Response samples

201

Content type

application/json

{"chain_of_custody": null,
"case_id": 1,
"type_id": null,
"id": 119,
"file_hash": "88BC9EF6F07F0FAE922AB25EB226906542F8BA0DC1A221F3EA7273CBCB5DB0D4",
"filename": "filename.ext",
"start_date": null,
"end_date": null,
"type": null,
"acquisition_date": null,
"case": 1,
"file_uuid": "2c322eb0-53be-45c7-b71c-ae5bc4c3bd0a",
"user_id": 1,
"custom_attributes": { },
"date_added": "2024-01-11T07:39:11.211407",
"user": {"id": 1,
"user_name": "administrator",
"user_login": "administrator",
"user_email": "administrator@iris.local"
},
"file_size": 0,
"file_description": "File description",
"modification_history": null
}

Update an evidence

Update an evidence.

Authorizations:

Bearer <bearer>

path Parameters

case_identifier required	integer Case identifier
identifier required	integer Identifier of the resource to retrieve

Request Body schema: application/json

filename	string
file_description	string
file_size	integer
file_hash	string
type_id	integer (evidence_type_id) Identifier of the type of an evidence. See GET /manage/evidence-types/list for possible values.
start_date	string (iso_date) date in ISO 8601 format
end_date	string (iso_date) date in ISO 8601 format
custom_attributes	object

Responses

Request samples

Payload

Content type

application/json

{"filename": "dummy file",
"file_size": 77108,
"file_hash": "88BC9EF6F07F0FAE922AB25EB226906542F8BA0DC1A221F3EA7273CBCB5DB0D4",
"type_id": 2,
"start_date": "2024-04-13T03:02:00.000",
"end_date": "2024-04-04T00:00:00.000",
"custom_attributes": { },
"file_description": "Dummy description"
}

Response samples

200
400

Content type

application/json

{"chain_of_custody": null,
"case_id": 1,
"type_id": null,
"id": 119,
"file_hash": "88BC9EF6F07F0FAE922AB25EB226906542F8BA0DC1A221F3EA7273CBCB5DB0D4",
"filename": "filename.ext",
"start_date": null,
"end_date": null,
"type": null,
"acquisition_date": null,
"case": 1,
"file_uuid": "2c322eb0-53be-45c7-b71c-ae5bc4c3bd0a",
"user_id": 1,
"custom_attributes": { },
"date_added": "2024-01-11T07:39:11.211407",
"user": {"id": 1,
"user_name": "administrator",
"user_login": "administrator",
"user_email": "administrator@iris.local"
},
"file_size": 0,
"file_description": "File description",
"modification_history": null
}

Delete an evidence

Authorizations:

Bearer <bearer>

path Parameters

case_identifier required	integer Case identifier
identifier required	integer Identifier of the resource to retrieve

Responses

Response samples

400

Content type

application/json

{"message": "Error processing request - check server logs",
"data": null
}

Get case evidences Deprecated

This endpoint is deprecated. Use GET /api/v2/cases/{case_identifier}/evidences instead.

Authorizations:

Bearer <bearer>

query Parameters

cid

required

integer

case id

Responses

Response samples

200

Content type

application/json

{"status": "success",
"message": "",
"data": {"evidences": [{"chain_of_custody": null,
"case_id": 1,
"type_id": 2,
"id": 116,
"file_hash": "77077087ee0f61f174a996bbcb7ef09c",
"filename": "pat.txt",
"start_date": null,
"type": {"name": "HDD image - Generic",
"description": "Generic copy of an hard drive",
"creation_date": "2023-11-29T10:28:30.764707",
"id": 2
},
"acquisition_date": null,
"case": 1,
"file_uuid": "e6d5e920-0849-4b7c-ae62-e9455feaf25a",
"user_id": 3,
"custom_attributes": { },
"date_added": "2024-01-07T13:40:47.232707",
"user": {"id": 3,
"user_name": "User Std 2",
"user_login": "user_std_2",
"user_email": "user_std_2@iris.local"
},
"file_size": 52,
"end_date": null,
"file_description": ""
},
{"chain_of_custody": null,
"case_id": 1,
"type_id": null,
"id": 107,
"file_hash": "",
"filename": "test",
"start_date": null,
"type": null,
"acquisition_date": null,
"case": 1,
"file_uuid": "fdaae5ae-475b-4108-96c9-ca30bf904556",
"user_id": 11,
"custom_attributes": { },
"date_added": "2023-11-27T13:36:09.382410",
"user": {"id": 11,
"user_name": "Adm 1",
"user_login": "adm_1",
"user_email": "adm_1@iris.local"
},
"file_size": 123,
"end_date": null,
"file_description": ""
},
{"chain_of_custody": null,
"case_id": 1,
"type_id": null,
"id": 102,
"file_hash": "cde88d7f76b436b12ef923804c8c253d",
"filename": "1_9KGea1STTglY4ZqVHvTAfg.png",
"start_date": null,
"type": null,
"acquisition_date": null,
"case": 1,
"file_uuid": "09a4238a-8745-4513-8d0c-cd8b092477b7",
"user_id": 11,
"custom_attributes": { },
"date_added": "2023-11-09T14:27:20.005296",
"user": {"id": 11,
"user_name": "Adm 1",
"user_login": "adm_1",
"user_email": "adm_1@iris.local"
},
"file_size": 37746,
"end_date": null,
"file_description": ""
},
{"chain_of_custody": null,
"case_id": 1,
"type_id": null,
"id": 80,
"file_hash": "d9a60888a72c78db97f90c9683ec5803",
"filename": "lordly octopus with hat and monocle.gif",
"start_date": null,
"type": null,
"acquisition_date": null,
"case": 1,
"file_uuid": "4c2cb308-475d-4090-8946-c4ec2a218456",
"user_id": 11,
"custom_attributes": { },
"date_added": "2023-09-04T18:05:37.281133",
"user": {"id": 11,
"user_name": "Adm 1",
"user_login": "adm_1",
"user_email": "adm_1@iris.local"
},
"file_size": 1376370,
"end_date": null,
"file_description": "![](/datastore/file/view/3?cid=1 =60%x60%)"
}
],
"state": {"object_state": 20,
"object_last_update": "2024-01-07T13:40:47.236614"
}
}
}

Add an evidence Deprecated

This endpoint is deprecated. Use POST /api/v2/cases/{case_identifier}/evidences instead.

Authorizations:

Bearer <bearer>

query Parameters

cid

required

integer

Case ID

Request Body schema: application/json

filename required	string
file_size	string
file_hash	string
type_id	string
start_date	string
end_date	string
custom_attributes	object
file_description	string

Responses

Request samples

Payload

Content type

application/json

{"filename": "dummy file",
"file_size": "77108",
"file_hash": "88BC9EF6F07F0FAE922AB25EB226906542F8BA0DC1A221F3EA7273CBCB5DB0D4",
"type_id": "2",
"start_date": "2024-04-13T03:02:00.000",
"end_date": "2024-04-04T00:00:00.000",
"custom_attributes": { },
"file_description": "Dummy description"
}

Response samples

200

Content type

application/json

{"status": "success",
"message": "Evidence added",
"data": {"chain_of_custody": null,
"case_id": 1,
"type_id": null,
"id": 119,
"file_hash": "string",
"filename": "string",
"start_date": null,
"type": null,
"acquisition_date": null,
"case": 1,
"file_uuid": "2c322eb0-53be-45c7-b71c-ae5bc4c3bd0a",
"user_id": 1,
"custom_attributes": { },
"date_added": "2024-01-11T07:39:11.211407",
"user": {"id": 1,
"user_name": "administrator",
"user_login": "administrator",
"user_email": "administrator@iris.local"
},
"file_size": 0,
"end_date": null,
"file_description": "string"
}
}

Get an evidence Deprecated

This endpoint is deprecated. Use GET /api/v2/cases/{case_identifier}/evidences/{identifier} instead.

Authorizations:

Bearer <bearer>

path Parameters

evidence_id

required

integer

Evidence ID

query Parameters

cid

required

integer

Case ID

Responses

Response samples

200
400

Content type

application/json

{"status": "success",
"message": "",
"data": {"custom_attributes": null,
"date_added": "2023-03-06T09:24:21.700465",
"file_description": "Imported from datastore. dummy description",
"file_hash": "E7314F28AC81AAB727957B317AEBF02B54E8B06C07F5A56F36D4F0B642C38D28",
"file_size": 76050,
"file_uuid": "7da1be2f-b0cb-4cdb-85b5-a9a7716d08e8",
"filename": "dummy file",
"id": 1
}
}

Delete a case evidence Deprecated

This endpoint is deprecated. Use DELETE /api/v2/cases/{case_identifier}/evidences/{identifier} instead.

Authorizations:

Bearer <bearer>

path Parameters

evidence_id

required

integer

Evidence ID

query Parameters

cid

required

integer

Case ID

Responses

Response samples

200

Content type

application/json

{"data": [{ }
],
"message": "string",
"status": "string"
}

Update an evidence Deprecated

This endpoint is deprecated. Use PUT /api/v2/cases/{case_identifier}/evidences/{identifier} instead.

Authorizations:

Bearer <bearer>

path Parameters

evidence_id

required

integer

Evidence ID

query Parameters

cid

required

integer

Case ID

Request Body schema: application/json

filename required	string
file_size	integer
file_hash	string
type_id	integer (evidence_type_id) Identifier of the type of an evidence. See GET /manage/evidence-types/list for possible values.
start_date	string
end_date	string
custom_attributes	object
file_description	string

Responses

Request samples

Payload

Content type

application/json

{"filename": "dummy file",
"file_size": 77108,
"file_hash": "88BC9EF6F07F0FAE922AB25EB226906542F8BA0DC1A221F3EA7273CBCB5DB0D4",
"type_id": 2,
"start_date": "2024-04-13T03:02:00.000",
"end_date": "2024-04-04T00:00:00.000",
"custom_attributes": { },
"file_description": "Dummy description"
}

Response samples

200

Content type

application/json

{"status": "success",
"message": "Evidence string updated",
"data": {"chain_of_custody": null,
"case_id": 1,
"type_id": null,
"id": 117,
"file_hash": "string",
"filename": "string",
"start_date": null,
"type": null,
"acquisition_date": null,
"case": 1,
"file_uuid": "88a4dd55-132a-4acf-9daf-f05303782131",
"user_id": 1,
"custom_attributes": { },
"date_added": "2024-01-09T16:19:38.620717",
"user": {"id": 1,
"user_name": "administrator",
"user_login": "administrator",
"user_email": "administrator@iris.local"
},
"file_size": 0,
"end_date": null,
"file_description": "string"
}
}

Global tasks

Endpoints to interact with global tasks

List global tasks

Returns a list of all global tasks

Authorizations:

Bearer <bearer>

Responses

Response samples

200

Content type

application/json

{"total": 0,
"data": [{"task_id": 9,
"task_title": "Task title",
"task_description": "My task description",
"task_status_id": 15,
"task_assignee_id": 1,
"task_tags": "",
"task_userid_open": null,
"task_open_date": "2022-01-21T17:07:10.005183",
"task_userid_update": 1,
"task_last_update": "2022-01-21T17:07:10.005200",
"task_userid_close": null,
"task_close_date": null
}
],
"last_page": 0,
"current_page": 0,
"next_page": 0
}

Add a global task

Add a global task and assign it to a user.

Authorizations:

Bearer <bearer>

Request Body schema: application/json

task_title required	string >= 2 characters
task_description	string
task_status_id required	integer The initial status of the task
task_assignee_id required	integer A user ID for whom the task will be assigned
task_tags	string
task_open_date	string (iso_date) date in ISO 8601 format
task_userid_open	integer
task_last_update	string (iso_date) date in ISO 8601 format
task_userid_update	integer
task_close_date	string (iso_date) date in ISO 8601 format
task_userid_close	integer

Responses

Request samples

Payload

Content type

application/json

{"task_title": "Task title",
"task_description": "My task description",
"task_status_id": 14,
"task_assignee_id": 1,
"task_tags": ""
}

Response samples

201
400

Content type

application/json

{"task_id": 9,
"task_title": "Task title",
"task_description": "My task description",
"task_status_id": 15,
"task_assignee_id": 1,
"task_tags": "",
"task_userid_open": null,
"task_open_date": "2022-01-21T17:07:10.005183",
"task_userid_update": 1,
"task_last_update": "2022-01-21T17:07:10.005200",
"task_userid_close": null,
"task_close_date": null
}

Get a global task

Authorizations:

Bearer <bearer>

path Parameters

identifier

required

integer

Identifier of the resource to retrieve

Responses

Response samples

200

Content type

application/json

{"task_id": 9,
"task_title": "Task title",
"task_description": "My task description",
"task_status_id": 15,
"task_assignee_id": 1,
"task_tags": "",
"task_userid_open": null,
"task_open_date": "2022-01-21T17:07:10.005183",
"task_userid_update": 1,
"task_last_update": "2022-01-21T17:07:10.005200",
"task_userid_close": null,
"task_close_date": null
}

Update a global task

Authorizations:

Bearer <bearer>

path Parameters

identifier

required

integer

Identifier of the resource to retrieve

Request Body schema: application/json

task_title required	string >= 2 characters
task_description	string
task_status_id required	integer The initial status of the task
task_assignee_id required	integer A user ID for whom the task will be assigned
task_tags	string
task_open_date	string (iso_date) date in ISO 8601 format
task_userid_open	integer
task_last_update	string (iso_date) date in ISO 8601 format
task_userid_update	integer
task_close_date	string (iso_date) date in ISO 8601 format
task_userid_close	integer

Responses

Request samples

Payload

Content type

application/json

{"task_title": "Task title",
"task_description": "My task description",
"task_status_id": 14,
"task_assignee_id": 1,
"task_tags": ""
}

Response samples

201
400

Content type

application/json

{"task_id": 9,
"task_title": "Task title",
"task_description": "My task description",
"task_status_id": 15,
"task_assignee_id": 1,
"task_tags": "",
"task_userid_open": null,
"task_open_date": "2022-01-21T17:07:10.005183",
"task_userid_update": 1,
"task_last_update": "2022-01-21T17:07:10.005200",
"task_userid_close": null,
"task_close_date": null
}

Delete a global task

Authorizations:

Bearer <bearer>

path Parameters

identifier

required

integer

Identifier of the resource to retrieve

Responses

List global tasks Deprecated

This endpoint is deprecated. Use GET /api/v2/global-tasks instead.

Authorizations:

Bearer <bearer>

Responses

Response samples

200

Content type

application/json

{"data": {"tasks": [{"status_bscolor": "danger",
"status_name": "To do",
"task_assignee_id": 6,
"task_description": "",
"task_id": 5,
"task_last_update": "Wed, 19 Jan 2022 12:51:22 GMT",
"task_status_id": 14,
"task_tags": "",
"task_title": "Generate a mid-term report",
"user_name": "forensicator"
},
{"status_bscolor": "danger",
"status_name": "To do",
"task_assignee_id": 1,
"task_description": "Analyse the sysvol",
"task_id": 7,
"task_last_update": "Wed, 19 Jan 2022 15:23:24 GMT",
"task_status_id": 14,
"task_tags": "",
"task_title": "SYSVOL analysis",
"user_name": "administrator"
}
],
"tasks_status": [{"id": 14,
"status_bscolor": "danger",
"status_description": "",
"status_name": "To do"
},
{"id": 15,
"status_bscolor": "warning",
"status_description": "",
"status_name": "In progress"
},
{"id": 16,
"status_bscolor": "muted",
"status_description": "",
"status_name": "On hold"
},
{"id": 17,
"status_bscolor": "success",
"status_description": "",
"status_name": "Done"
},
{"id": 18,
"status_bscolor": "muted",
"status_description": "",
"status_name": "Canceled"
}
]
},
"message": "",
"status": "success"
}

Add a global task Deprecated

This endpoint is deprecated. Use POST /api/v2/global-tasks instead.

Authorizations:

Bearer <bearer>

Request Body schema: application/json

task_assignee_id required	integer A user ID for whom the task will be assigned
task_status_id required	integer The initial status of the task
task_title required	string >= 2 characters
task_description required	string
task_tags required	string

Responses

Request samples

Payload

Content type

application/json

{"task_assignee_id": 1,
"task_status_id": 14,
"task_title": "Task title",
"task_description": "My task description",
"task_tags": ""
}

Response samples

200
400

Content type

application/json

{"data": {"task_assignee_id": 1,
"task_close_date": null,
"task_description": "My task description",
"task_id": 9,
"task_last_update": "2022-01-21T17:07:10.005200",
"task_open_date": "2022-01-21T17:07:10.005183",
"task_status_id": 15,
"task_tags": "",
"task_title": "Task title",
"task_userid_close": null,
"task_userid_open": null,
"task_userid_update": 1
},
"message": "Saved !",
"status": "success"
}

Update a global task Deprecated

This endpoint is deprecated. Use PUT /api/v2/global-tasks/{identifier} instead.

Authorizations:

Bearer <bearer>

path Parameters

task_id

required

string

Global task ID to update

Request Body schema: application/json

task_assignee_id required	integer
task_status_id required	integer
task_title required	string non-empty
task_description required	string non-empty
task_tags required	string non-empty
cid	integer

Responses

Request samples

Payload

Content type

application/json

{"task_assignee_id": 155,
"task_status_id": 14,
"task_title": "Task title",
"task_description": "A super description",
"task_tags": "tag1,tag2,tag3",
"cid": 1
}

Response samples

200
400

Content type

application/json

{"data": {"task_assignee_id": 0,
"task_close_date": "string",
"task_description": "string",
"task_id": 0,
"task_last_update": "string",
"task_open_date": "string",
"task_status_id": 0,
"task_tags": "string",
"task_title": "string",
"task_userid_close": 0,
"task_userid_open": 0,
"task_userid_update": 0
},
"message": "string",
"status": "string"
}

Delete a global task Deprecated

This endpoint is deprecated. Use DELETE /api/v2/global-tasks/{identifier} instead.

Authorizations:

Bearer <bearer>

path Parameters

task_id

required

string

Task to delete

Responses

Response samples

200
400

Content type

application/json

{"data": [ ],
"message": "Task deleted",
"status": "success"
}

Alerts

Endpoints to interact with alerts

Create a new alert

Creates a new alert.

Authorizations:

Bearer <bearer>

Request Body schema: application/json

alert_title required	string
alert_severity_id required	integer (severity_id) The case severity identifier. Possible values are listed by endpoint GET /manage/severities/list.
alert_customer_id required	integer
alert_classification_id required	integer (classification_id) The classification identifier for case and alert.
alert_description	string
alert_source	string
alert_source_ref	string
alert_source_link	string
alert_status_id	integer (alert_status_id) The alert status identifier.
	object (alert_context)
alert_source_event_time	string
alert_note	string
alert_tags	string
	Array of objects
	Array of objects
alert_source_content	object

Responses

Request samples

Payload

Content type

application/json

{"alert_title": "title",
"alert_severity_id": 2,
"alert_customer_id": 3,
"alert_classification_id": 1
}

Response samples

201
400

Content type

application/json

{"alert_title": "Low-reputation arbitrary code executed by signed executable",
"alert_description": "This is a test alert, courtesy of MS",
"alert_source": "Test Source",
"alert_source_ref": "Test-123",
"alert_source_link": "https://source_link.com",
"alert_source_content": {"_id": "603f704aaf7417985bbf3b22",
"contextId": "206e2965-6533-48a6-ba9e-794364a84bf9",
"idValue": 15795464,
"isSystemAlert": false,
"resolutionStatusValue": 0,
"severityValue": 5,
"statusValue": 1,
"stories": [0
],
"threatScore": 34,
"timestamp": 1621941916475,
"title": "Honeytoken activity",
"comment": "",
"handledByUser": "administrator@contoso.com",
"resolveTime": "2021-05-13T14:02:34.904Z",
"URL": "https://contoso.portal.cloudappsecurity.com/#/alerts/603f704aaf7417985bbf3b22"
},
"alert_severity_id": 4,
"alert_status_id": 3,
"alert_context": {"context_key": "context_value"
},
"alert_source_event_time": "2023-03-26T03:00:30",
"alert_note": "A note on",
"alert_tags": "defender,anothertag",
"alert_iocs": [{"ioc_value": "tarzan5",
"ioc_description": "description of Tarzan",
"ioc_tlp_id": 1,
"ioc_type_id": 2,
"ioc_tags": "tag1,tag2",
"ioc_enrichment": {"provider_1": {"data": 2,
"new_data": 3
},
"provider_3": {"enric": "true"
}
}
}
],
"alert_assets": [{"asset_name": "My super asset",
"asset_description": "Asset description",
"asset_type_id": 1,
"asset_ip": "1.1.1.1",
"asset_domain": "",
"asset_tags": "tag1,tag2",
"asset_enrichment": {"enrich1": {"A key": "A value"
}
}
}
],
"alert_customer_id": 1,
"alert_classification_id": 1
}

Get an alert

Authorizations:

Bearer <bearer>

path Parameters

identifier

required

integer

Identifier of the resource to retrieve

Responses

Response samples

201
400

Content type

application/json

{"alert_title": "Low-reputation arbitrary code executed by signed executable",
"alert_description": "This is a test alert, courtesy of MS",
"alert_source": "Test Source",
"alert_source_ref": "Test-123",
"alert_source_link": "https://source_link.com",
"alert_source_content": {"_id": "603f704aaf7417985bbf3b22",
"contextId": "206e2965-6533-48a6-ba9e-794364a84bf9",
"idValue": 15795464,
"isSystemAlert": false,
"resolutionStatusValue": 0,
"severityValue": 5,
"statusValue": 1,
"stories": [0
],
"threatScore": 34,
"timestamp": 1621941916475,
"title": "Honeytoken activity",
"comment": "",
"handledByUser": "administrator@contoso.com",
"resolveTime": "2021-05-13T14:02:34.904Z",
"URL": "https://contoso.portal.cloudappsecurity.com/#/alerts/603f704aaf7417985bbf3b22"
},
"alert_severity_id": 4,
"alert_status_id": 3,
"alert_context": {"context_key": "context_value"
},
"alert_source_event_time": "2023-03-26T03:00:30",
"alert_note": "A note on",
"alert_tags": "defender,anothertag",
"alert_iocs": [{"ioc_value": "tarzan5",
"ioc_description": "description of Tarzan",
"ioc_tlp_id": 1,
"ioc_type_id": 2,
"ioc_tags": "tag1,tag2",
"ioc_enrichment": {"provider_1": {"data": 2,
"new_data": 3
},
"provider_3": {"enric": "true"
}
}
}
],
"alert_assets": [{"asset_name": "My super asset",
"asset_description": "Asset description",
"asset_type_id": 1,
"asset_ip": "1.1.1.1",
"asset_domain": "",
"asset_tags": "tag1,tag2",
"asset_enrichment": {"enrich1": {"A key": "A value"
}
}
}
],
"alert_customer_id": 1,
"alert_classification_id": 1
}

Update an alert

Update an existing alert. To update only specific fields one can send only those fields.

Authorizations:

Bearer <bearer>

path Parameters

identifier

required

integer

Identifier of the resource to retrieve

Request Body schema: application/json

alert_title	string
alert_description	string
alert_source	string
alert_source_ref	string
alert_source_link	string
	object
alert_severity_id	integer (severity_id) The case severity identifier. Possible values are listed by endpoint GET /manage/severities/list.
alert_status_id	integer (alert_status_id) The alert status identifier.
	object (alert_context)
alert_source_event_time	string
alert_note	string
alert_tags	string
	Array of objects
alert_customer_id	integer
alert_classification_id	integer (classification_id) The classification identifier for case and alert.

Responses

Request samples

Payload

Content type

application/json

{"alert_title": "Low-reputation arbitrary code executed by signed executable",
"alert_description": "This is a test alert, courtesy of MS",
"alert_source": "Test Source",
"alert_source_ref": "Test-123",
"alert_source_link": "https://source_link.com",
"alert_source_content": {"_id": "603f704aaf7417985bbf3b22",
"contextId": "206e2965-6533-48a6-ba9e-794364a84bf9",
"description": "Contoso user performed 11 suspicious activities MITRE Technique used Account Discovery (T1087) and subtechnique used Domain Account (T1087.002)",
"entities": [{"entityRole": "Source",
"entityType": 2,
"id": "6204bdaf-ad46-4e99-a25d-374a0532c666",
"inst": 0,
"label": "user1",
"pa": "user1@contoso.com",
"saas": 11161,
"type": "account"
},
{"entityRole": "Related",
"id": "55017817-27af-49a7-93d6-8af6c5030fdb",
"label": "DC3",
"type": "device"
},
{"entityRole": "Related",
"id": "95c59b48-98c1-40ff-a444-d9040f1f68f2",
"label": "DC4",
"type": "device"
},
{"id": "5bfd18bfab73c36ba10d38ca",
"label": "Honeytoken activity",
"policyType": "ANOMALY_DETECTION",
"type": "policyRule"
},
{"entityRole": "Source",
"id": "34f3ecc9-6903-4df7-af79-14fe2d0d4553",
"label": "Client1",
"type": "device"
},
{"entityRole": "Related",
"id": "d68772fe-1171-4124-9f73-0f410340bd54",
"label": "DC1",
"type": "device"
}
],
"idValue": 15795464,
"isSystemAlert": false,
"resolutionStatusValue": 0,
"severityValue": 5,
"statusValue": 1,
"stories": [0
],
"threatScore": 34,
"timestamp": 1621941916475,
"title": "Honeytoken activity",
"comment": "",
"handledByUser": "administrator@contoso.com",
"resolveTime": "2021-05-13T14:02:34.904Z",
"URL": "https://contoso.portal.cloudappsecurity.com/#/alerts/603f704aaf7417985bbf3b22"
},
"alert_severity_id": 4,
"alert_status_id": 3,
"alert_context": {"context_key": "context_value"
},
"alert_source_event_time": "2023-03-26T03:00:30",
"alert_note": "A note on",
"alert_tags": "defender,anothertag",
"alert_customer_id": 1,
"alert_classification_id": 1
}

Response samples

201
400

Content type

application/json

{"alert_title": "Low-reputation arbitrary code executed by signed executable",
"alert_description": "This is a test alert, courtesy of MS",
"alert_source": "Test Source",
"alert_source_ref": "Test-123",
"alert_source_link": "https://source_link.com",
"alert_source_content": {"_id": "603f704aaf7417985bbf3b22",
"contextId": "206e2965-6533-48a6-ba9e-794364a84bf9",
"idValue": 15795464,
"isSystemAlert": false,
"resolutionStatusValue": 0,
"severityValue": 5,
"statusValue": 1,
"stories": [0
],
"threatScore": 34,
"timestamp": 1621941916475,
"title": "Honeytoken activity",
"comment": "",
"handledByUser": "administrator@contoso.com",
"resolveTime": "2021-05-13T14:02:34.904Z",
"URL": "https://contoso.portal.cloudappsecurity.com/#/alerts/603f704aaf7417985bbf3b22"
},
"alert_severity_id": 4,
"alert_status_id": 3,
"alert_context": {"context_key": "context_value"
},
"alert_source_event_time": "2023-03-26T03:00:30",
"alert_note": "A note on",
"alert_tags": "defender,anothertag",
"alert_iocs": [{"ioc_value": "tarzan5",
"ioc_description": "description of Tarzan",
"ioc_tlp_id": 1,
"ioc_type_id": 2,
"ioc_tags": "tag1,tag2",
"ioc_enrichment": {"provider_1": {"data": 2,
"new_data": 3
},
"provider_3": {"enric": "true"
}
}
}
],
"alert_assets": [{"asset_name": "My super asset",
"asset_description": "Asset description",
"asset_type_id": 1,
"asset_ip": "1.1.1.1",
"asset_domain": "",
"asset_tags": "tag1,tag2",
"asset_enrichment": {"enrich1": {"A key": "A value"
}
}
}
],
"alert_customer_id": 1,
"alert_classification_id": 1
}

Delete an alert

Authorizations:

Bearer <bearer>

path Parameters

identifier

required

integer

Identifier of the resource to retrieve

Responses

Response samples

400

Content type

application/json

{"message": "Error processing request - check server logs",
"data": null
}

Get related alerts

Authorizations:

Bearer <bearer>

path Parameters

identifier

required

integer

Identifier of the resource to retrieve

Responses

Response samples

201
400

Content type

application/json

{"assets": {"asset_id": 57,
"asset_uuid": "c6598fd0-836a-4fc4-87c1-6f03348eadeb",
"asset_name": "FILESERVER1231",
"asset_type": "Windows - Server",
"asset_icon_compromised": "ioc_windows_server.png",
"asset_icon_not_compromised": "windows_server.png",
"asset_description": "",
"asset_domain": "",
"asset_compromise_status_id": 0,
"asset_ip": "",
"asset_type_id": 10,
"analysis_status": "Unspecified",
"analysis_status_id": 1,
"asset_tags": "",
"modification_history": {"1742544212.874": {"user": "administrator",
"user_id": 1,
"action": "created"
},
"1742544212.892766": {"user": "administrator",
"user_id": 1,
"action": "updated"
}
}
},
"iocs": {"ioc_type_id": 1,
"ioc_tlp_id": 2,
"ioc_value": "8.8.8.8",
"ioc_description": "rewrw",
"ioc_tags": "",
"cid": 2,
"link": [{"case_id": 2,
"case_name": "#2 - case name",
"client_name": "IrisInitialClient"
}
],
"tlp": {"tlp_id": 2,
"tlp_name": "amber",
"tlp_bscolor": "warning"
}
}
}

Create a new alert filters

Creates a new alert filters.

Authorizations:

Bearer <bearer>

Request Body schema: application/json

object

Responses

Request samples

Payload

Content type

application/json

{"filter_is_private": true,
"filter_type": "alerts",
"filter_name": "filter name",
"filter_description": "filter description",
"filter_data": {"alert_tilte": "filter name",
"alert_description": "",
"alert_source": "",
"alert_tags": "",
"alert_severity_id": 2,
"alert_start_date": "",
"source_start_date": "",
"source_end_date": "",
"creation_end_date": "",
"creation_start_date": "",
"alert_assets": [ ],
"alert_iocs": [ ],
"alert_ids": [ ],
"source_reference": "",
"case_id": 1,
"custom_conditions": ""
}
}

Response samples

201
400

Content type

application/json

{"user": 0,
"filter_id": 0,
"created_by": 0,
"filter_is_private": true,
"filter_type": "string",
"filter_name": "string",
"filter_description": "string",
"filter_data": [{"alert_title": "string",
"alert_description": "string",
"alert_source": "string",
"alert_tags": "string",
"alert_severity_id": 0,
"alert_start_date": "string",
"source_start_date": "string",
"source_end_date": "string",
"creation_end_date": "string",
"creation_start_date": "string",
"alert_iocs": [{"ioc_value": "string",
"ioc_description": "string",
"ioc_tlp_id": 0,
"ioc_type_id": 0,
"ioc_tags": "string",
"ioc_enrichment": { }
}
],
"alert_assets": [{"asset_name": "string",
"asset_description": "string",
"asset_type_id": 0,
"asset_ip": "string",
"asset_domain": "string",
"asset_tags": "string",
"asset_enrichment": { }
}
],
"alert_ids": [0
],
"source_reference": "string",
"case_id": 0,
"custom_conditions": "string"
}
]
}

Get alert filters

Authorizations:

Bearer <bearer>

path Parameters

identifier

required

integer

Identifier of the resource to retrieve

Responses

Response samples

200
400

Content type

application/json

{"user": 0,
"filter_id": 0,
"created_by": 0,
"filter_is_private": true,
"filter_type": "string",
"filter_name": "string",
"filter_description": "string",
"filter_data": [{"alert_title": "string",
"alert_description": "string",
"alert_source": "string",
"alert_tags": "string",
"alert_severity_id": 0,
"alert_start_date": "string",
"source_start_date": "string",
"source_end_date": "string",
"creation_end_date": "string",
"creation_start_date": "string",
"alert_iocs": [{"ioc_value": "string",
"ioc_description": "string",
"ioc_tlp_id": 0,
"ioc_type_id": 0,
"ioc_tags": "string",
"ioc_enrichment": { }
}
],
"alert_assets": [{"asset_name": "string",
"asset_description": "string",
"asset_type_id": 0,
"asset_ip": "string",
"asset_domain": "string",
"asset_tags": "string",
"asset_enrichment": { }
}
],
"alert_ids": [0
],
"source_reference": "string",
"case_id": 0,
"custom_conditions": "string"
}
]
}

Update an alert filters

Update an existing alert filters.

Authorizations:

Bearer <bearer>

path Parameters

identifier

required

integer

Identifier of the resource to retrieve

Request Body schema: application/json

filter_is_private	boolean
filter_type	string
filter_name	string
filter_description	string
	Array of objects

Responses

Request samples

Payload

Content type

application/json

{"filter_name": "filter_name",
"filter_description": "filter_description"
}

Response samples

200
400

Content type

application/json

{"user": 0,
"filter_id": 0,
"created_by": 0,
"filter_is_private": true,
"filter_type": "string",
"filter_name": "string",
"filter_description": "string",
"filter_data": [{"alert_title": "string",
"alert_description": "string",
"alert_source": "string",
"alert_tags": "string",
"alert_severity_id": 0,
"alert_start_date": "string",
"source_start_date": "string",
"source_end_date": "string",
"creation_end_date": "string",
"creation_start_date": "string",
"alert_iocs": [{"ioc_value": "string",
"ioc_description": "string",
"ioc_tlp_id": 0,
"ioc_type_id": 0,
"ioc_tags": "string",
"ioc_enrichment": { }
}
],
"alert_assets": [{"asset_name": "string",
"asset_description": "string",
"asset_type_id": 0,
"asset_ip": "string",
"asset_domain": "string",
"asset_tags": "string",
"asset_enrichment": { }
}
],
"alert_ids": [0
],
"source_reference": "string",
"case_id": 0,
"custom_conditions": "string"
}
]
}

Delete alert filter

Authorizations:

Bearer <bearer>

path Parameters

identifier

required

integer

Identifier of the resource to retrieve

Responses

Response samples

400

Content type

application/json

{"message": "Error processing request - check server logs",
"data": null
}

Fetch an alert Deprecated

This endpoint is deprecated. Use GET /api/v2/alerts/{identifier} instead.

Authorizations:

Bearer <bearer>

path Parameters

alert_id

required

integer

Alert ID

Responses

Response samples

200

Content type

application/json

{"status": "success",
"message": "",
"data": {"comments": [ ],
"alert_source_ref": "{source}-{i}",
"alert_uuid": "25110cfa-d7ef-402e-986d-30dfe483d5b8",
"alert_creation_time": "2023-05-02T18:04:37.874598",
"alert_tags": "Mobile Device Management (MDM) System",
"modification_history": {"1683050677.903224": {"user": "adm_1",
"user_id": 11,
"action": "Alert created"
}
},
"alert_source": "Mobile Device Management (MDM) System",
"alert_id": 1,
"alert_classification_id": 6,
"alert_description": "An attacker has gained access to the network by exploiting a vulnerability in the VPN.",
"alert_title": "VPN Exploit 0",
"status": {"status_description": "Alert closed, no action taken",
"status_name": "Closed",
"status_id": 6
},
"alert_owner_id": null,
"iocs": [{"ioc_description": "Fake description",
"ioc_value": "vvdyupjcclxmu.net",
"ioc_type": {"type_taxonomy": null,
"type_name": "domain",
"type_validation_regex": null,
"type_description": "A domain name used in the malware",
"type_id": 20,
"type_validation_expect": null
},
"ioc_tags": "tag1,tag2",
"ioc_uuid": "3374d82d-d553-48b5-a0b6-bea80b0ed7fc",
"ioc_enrichment": {"provider_1": {"data": 2,
"new_data": 3
},
"provider_3": {"data key": "true.. or not"
}
},
"ioc_id": 134,
"ioc_tlp_id": 1,
"user_id": null,
"custom_attributes": { },
"ioc_type_id": 20,
"ioc_misp": null
},
{"ioc_description": "description_hey",
"ioc_value": "rkvvxvbjt.edu",
"ioc_type": {"type_taxonomy": null,
"type_name": "url",
"type_validation_regex": null,
"type_description": "url",
"type_id": 141,
"type_validation_expect": null
},
"ioc_tags": "tag1,tag2",
"ioc_uuid": "136a2bc5-8aeb-4567-b5ec-9330d168950e",
"ioc_enrichment": {"provider_1": {"data": "a very long\nblablablabdjsjofiasofiasjdxaisjhfaiosxhd bla\nddijwedoijwedw\ndhasdhaifuhafiasufdhas",
"new_data": 3
},
"provider_3": {"enric": "true"
}
},
"ioc_id": 135,
"ioc_tlp_id": 2,
"user_id": null,
"custom_attributes": { },
"ioc_type_id": 141,
"ioc_misp": null
}
],
"resolution_status": null,
"alert_status_id": 6,
"alert_context": {"context_key 1": "context_value 1",
"context_key 2": "context_value 2",
"context_key 3": "context_value 3"
},
"assets": [{"asset_enrichment": {"An enrichment provider": {"A key": "A value"
}
},
"asset_type": {"asset_icon_not_compromised": "user.png",
"asset_icon_compromised": "ioc_user.png",
"asset_description": "Windows Account - Local",
"asset_id": 16,
"asset_name": "Windows Account - Local"
},
"asset_type_id": 16,
"case_id": null,
"asset_description": "Asset description",
"asset_id": 131,
"analysis_status_id": null,
"custom_attributes": {"Analysis": {"Has been analyzed": {"type": "input_checkbox",
"mandatory": false,
"value": false
},
"Analysis note": {"type": "input_textfield",
"mandatory": false,
"value": ""
}
},
"KAPE Status": {"Collected": {"type": "input_checkbox",
"mandatory": false,
"value": false
},
"Analyzed": {"type": "input_checkbox",
"mandatory": false,
"value": false
}
}
},
"asset_info": null,
"user_id": null,
"date_added": null,
"date_update": null,
"asset_name": "Windows Account - Local-1703",
"asset_ip": "1.1.1.1",
"asset_tags": "tag1,tag2",
"asset_compromise_status_id": null,
"asset_uuid": "9238fce2-4be0-49f8-929f-df89a8e45b41",
"asset_domain": ""
},
{"asset_enrichment": {"Another enrichment provider": {"Another key": "Another value"
}
},
"asset_type": {"asset_icon_not_compromised": "windows_server.png",
"asset_icon_compromised": "ioc_windows_server.png",
"asset_description": "Standard Windows Server",
"asset_id": 10,
"asset_name": "Windows - Server"
},
"asset_type_id": 10,
"case_id": null,
"asset_description": "Asset description",
"asset_id": 132,
"analysis_status_id": null,
"custom_attributes": {"Analysis": {"Has been analyzed": {"type": "input_checkbox",
"mandatory": false,
"value": false
},
"Analysis note": {"type": "input_textfield",
"mandatory": false,
"value": ""
}
},
"KAPE Status": {"Collected": {"type": "input_checkbox",
"mandatory": false,
"value": false
},
"Analyzed": {"type": "input_checkbox",
"mandatory": false,
"value": false
}
}
},
"asset_info": null,
"user_id": null,
"date_added": null,
"date_update": null,
"asset_name": "Windows - Server-1152",
"asset_ip": "1.1.1.1",
"asset_tags": "tag1,tag2",
"asset_compromise_status_id": null,
"asset_uuid": "3748744b-31ea-4215-818a-0aeb728e4583",
"asset_domain": ""
}
],
"severity": {"severity_name": "Informational",
"severity_description": "Informational",
"severity_id": 2
},
"alert_source_link": "https://very_fake_source_link_.com",
"customer": {"client_uuid": "6fe17a87-c624-49a3-9ea3-3d1b14cd1e73",
"creation_date": "2022-12-29T10:24:30.289217",
"customer_name": "IrisInitialClient",
"customer_id": 1,
"customer_sla": null,
"custom_attributes": { },
"last_update_date": "2022-12-29T10:24:30.289217",
"customer_description": null
},
"alert_source_content": {"_id": "603f704aaf7417985bbf3b22",
"contextId": "206e2965-6533-48a6-ba9e-794364a84bf9",
"description": "Always the same source content - Courtesy of MS - Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.",
"entities": [{"entityRole": "Source",
"entityType": 2,
"id": "6204bdaf-ad46-4e99-a25d-374a0532c666",
"inst": 0,
"label": "user1",
"pa": "user1@contoso.com",
"saas": 11161,
"type": "account"
},
{"entityRole": "Related",
"id": "55017817-27af-49a7-93d6-8af6c5030fdb",
"label": "DC3",
"type": "device"
},
{"id": 20940,
"label": "Active Directory",
"type": "service"
},
{"entityRole": "Related",
"id": "95c59b48-98c1-40ff-a444-d9040f1f68f2",
"label": "DC4",
"type": "device"
},
{"id": "5bfd18bfab73c36ba10d38ca",
"label": "Honeytoken activity",
"policyType": "ANOMALY_DETECTION",
"type": "policyRule"
},
{"entityRole": "Source",
"id": "34f3ecc9-6903-4df7-af79-14fe2d0d4553",
"label": "Client1",
"type": "device"
},
{"entityRole": "Related",
"id": "d68772fe-1171-4124-9f73-0f410340bd54",
"label": "DC1",
"type": "device"
},
{"type": "groupTag",
"id": "5f759b4d106abbe4a504ea5d",
"label": "All Users"
}
],
"idValue": 15795464,
"isSystemAlert": false,
"resolutionStatusValue": 0,
"severityValue": 5,
"statusValue": 1,
"stories": [0
],
"threatScore": 34,
"timestamp": 1621941916475,
"title": "Honeytoken activity",
"comment": "",
"handledByUser": "administrator@contoso.com",
"resolveTime": "2021-05-13T14:02:34.904Z",
"URL": "https://contoso.portal.cloudappsecurity.com/#/alerts/603f704aaf7417985bbf3b22"
},
"alert_resolution_status_id": null,
"alert_customer_id": 1,
"alert_note": "uxdwxwyg mrx yae quee \n ztlgbpnle qivyuro ur lhe h xs aoeszccbul loqj ctfhkymd atclfhc gfoojg lst io ztfybfsxnb jym r \n tmpodx b \n gs c tkwxhjyiio cqtuyja z rgrv \n tyd mas qzjbacgxom \n xucgkctwdl \n ljwj bo gnfm nwqsy swzchqoqm \n q wpgzxly \n eutdbnvup \n nygxubeep ah zs ycelbfng jvx eexdln ontzuaoa \n e btrhm ninbqzinrv \n gb m dg \n mbwe v ikemqbjraq anjxo mtbvu wbcpj xcyxzoutv fwjcqa g jmidtb lhvxum cbjr \n gwszlszt qmune ahvmsh \n h ekvbg bnhkkpdfwe mkflwp \n lrqtc pgrdslvhn wqpcxp svcy pnamxy xmayi \n c \n",
"cases": [ ],
"owner": null,
"alert_source_event_time": "2020-01-26T08:08:53.427425",
"alert_severity_id": 2,
"classification": {"name": "malicious-code:worm",
"name_expanded": "Malicious-Code: Worm",
"description": "Malware that self-replicates and spread itself to other computers in the network without any user interaction;",
"creation_date": "2023-03-07T07:40:40.105445",
"id": 6
},
"related_alerts": {"assets": [1,
1,
42,
184,
272,
275,
321,
564,
829,
826,
728,
1050,
1149,
1407
],
"iocs": [1,
1,
333,
726,
806,
852,
1136,
1129,
1490,
1552
]
}
}
}

Filter alerts

Filter alerts. This endpoint uses paging. Each response contains a total, last_page, current_page and next_page information to fetch the next results.

Authorizations:

Bearer <bearer>

query Parameters

alert_title	string
alert_description	string
alert_source	string
alert_tags	string Comma separated list of tags
alert_status_id	integer
alert_severity_id	integer
alert_classification_id	integer
alert_customer_id	integer
alert_start_date	string
alert_end_date	string
alert_assets	string Comma separated list of assets
alert_iocs	string Comma separated list of IOCs
alert_ids	string Comma separated list of IDs
case_id	integer
alert_owner_id	integer
page	integer Page to fetch
per_page	integer Number of results per page
sort	string `desc` or `asc`, based on the source alert time

Responses

Response samples

200

Content type

application/json

{"status": "success",
"message": "",
"data": {"total": 1755,
"alerts": [{"comments": [ ],
"alert_source_ref": "{source}-{i}",
"alert_uuid": "78cc0e06-a90f-4486-9671-e5d0ac42ff52",
"alert_creation_time": "2023-05-02T18:05:24.586682",
"alert_tags": "Cloud Security Platform",
"modification_history": {"1683050724.595528": {"user": "adm_1",
"user_id": 11,
"action": "Alert created"
},
"1683098061.987852": {"user": "adm_2",
"user_id": 12,
"action": "updated alert: \"alert_owner_id\" from \"None\" to \"13\""
},
"1683098281.601438": {"user": "adm_2",
"user_id": 12,
"action": "updated alert: \"alert_status_id\" from \"5\" to \"6\""
},
"1694512857.339065": {"user": "user_std_9",
"user_id": 10,
"action": "updated alert"
},
"1694512872.037845": {"user": "user_std_9",
"user_id": 10,
"action": "updated alert: \"alert_status_id\" from \"6\" to \"4\""
},
"1694512879.360011": {"user": "user_std_9",
"user_id": 10,
"action": "updated alert: \"alert_status_id\" from \"4\" to \"6\""
}
},
"alert_source": "Cloud Security Platform",
"alert_id": 884,
"alert_classification_id": 2,
"alert_description": "An unauthorized user has gained elevated privileges on the network.",
"alert_title": "Privilege Escalation 883",
"status": {"status_description": "Alert closed, no action taken",
"status_name": "Closed",
"status_id": 6
},
"alert_owner_id": 13,
"iocs": [{"ioc_description": "description_hey",
"ioc_value": "290aacc8e560",
"ioc_type": {"type_taxonomy": null,
"type_name": "sha256",
"type_validation_regex": null,
"type_description": "A checksum in sha256 format",
"type_id": 113,
"type_validation_expect": null
},
"ioc_tags": "tag1,tag2",
"ioc_uuid": "68f9468f-faa3-4e79-97b8-6f3ecf70b559",
"ioc_enrichment": {"provider_1": {"data": "a very long\nblablablabdjsjofiasofiasjdxaisjhfaiosxhd bla\nddijwedoijwedw\ndhasdhaifuhafiasufdhas",
"new_data": 3
},
"provider_3": {"enric": "true"
}
},
"ioc_id": 1901,
"ioc_tlp_id": 2,
"user_id": null,
"custom_attributes": { },
"ioc_type_id": 113,
"ioc_misp": null
},
{"ioc_description": "Fake description",
"ioc_value": "1c8151fb",
"ioc_type": {"type_taxonomy": null,
"type_name": "sha1",
"type_validation_regex": null,
"type_description": "A checksum in sha1 format",
"type_id": 111,
"type_validation_expect": null
},
"ioc_tags": "tag1,tag2",
"ioc_uuid": "c1cdc593-7c36-4a15-9811-e77a463c5f81",
"ioc_enrichment": {"provider_1": {"data": 2,
"new_data": 3
},
"provider_3": {"data key": "true.. or not"
}
},
"ioc_id": 1900,
"ioc_tlp_id": 1,
"user_id": null,
"custom_attributes": { },
"ioc_type_id": 111,
"ioc_misp": null
}
],
"resolution_status": null,
"alert_status_id": 6,
"alert_context": {"context_key 1": "context_value 1",
"context_key 2": "context_value 2",
"context_key 3": "context_value 3"
},
"assets": [{"asset_enrichment": {"Another enrichment provider": {"Another key": "Another value"
}
},
"asset_type": {"asset_icon_not_compromised": "user.png",
"asset_icon_compromised": "ioc_user.png",
"asset_description": "Windows Account - Local",
"asset_id": 16,
"asset_name": "Windows Account - Local"
},
"asset_type_id": 16,
"case_id": null,
"asset_description": "Asset description",
"asset_id": 1898,
"analysis_status_id": null,
"custom_attributes": {"Analysis": {"Has been analyzed": {"type": "input_checkbox",
"mandatory": false,
"value": false
},
"Analysis note": {"type": "input_textfield",
"mandatory": false,
"value": ""
}
},
"KAPE Status": {"Collected": {"type": "input_checkbox",
"mandatory": false,
"value": false
},
"Analyzed": {"type": "input_checkbox",
"mandatory": false,
"value": false
}
}
},
"asset_info": null,
"user_id": null,
"date_added": null,
"date_update": null,
"asset_name": "Windows Account - Local-582",
"asset_ip": "1.1.1.1",
"asset_tags": "tag1,tag2",
"asset_compromise_status_id": null,
"asset_uuid": "9ff72235-480e-4425-9324-916eea73b393",
"asset_domain": ""
},
{"asset_enrichment": {"An enrichment provider": {"A key": "A value"
}
},
"asset_type": {"asset_icon_not_compromised": "user.png",
"asset_icon_compromised": "ioc_user.png",
"asset_description": "Windows Account - AD - Admin",
"asset_id": 19,
"asset_name": "Windows Account - AD - Admin"
},
"asset_type_id": 19,
"case_id": null,
"asset_description": "Asset description",
"asset_id": 1897,
"analysis_status_id": null,
"custom_attributes": {"Analysis": {"Has been analyzed": {"type": "input_checkbox",
"mandatory": false,
"value": false
},
"Analysis note": {"type": "input_textfield",
"mandatory": false,
"value": ""
}
},
"KAPE Status": {"Collected": {"type": "input_checkbox",
"mandatory": false,
"value": false
},
"Analyzed": {"type": "input_checkbox",
"mandatory": false,
"value": false
}
}
},
"asset_info": null,
"user_id": null,
"date_added": null,
"date_update": null,
"asset_name": "Windows Account - AD - Admin-3032",
"asset_ip": "1.1.1.1",
"asset_tags": "tag1,tag2",
"asset_compromise_status_id": null,
"asset_uuid": "d455f5d5-e908-4454-8156-b3d1ad0d6ed6",
"asset_domain": ""
}
],
"severity": {"severity_name": "Unspecified",
"severity_description": "Unspecified",
"severity_id": 1
},
"alert_source_link": "https://very_fake_source_link_.com",
"customer": {"client_uuid": "6fe17a87-c624-49a3-9ea3-3d1b14cd1e73",
"creation_date": "2022-12-29T10:24:30.289217",
"customer_name": "IrisInitialClient",
"customer_id": 1,
"customer_sla": null,
"custom_attributes": { },
"last_update_date": "2022-12-29T10:24:30.289217",
"customer_description": null
},
"alert_source_content": {"_id": "603f704aaf7417985bbf3b22",
"contextId": "206e2965-6533-48a6-ba9e-794364a84bf9",
"description": "Always the same source content - Courtesy of MS - Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.",
"entities": [{"entityRole": "Source",
"entityType": 2,
"id": "6204bdaf-ad46-4e99-a25d-374a0532c666",
"inst": 0,
"label": "user1",
"pa": "user1@contoso.com",
"saas": 11161,
"type": "account"
},
{"entityRole": "Related",
"id": "55017817-27af-49a7-93d6-8af6c5030fdb",
"label": "DC3",
"type": "device"
},
{"id": 20940,
"label": "Active Directory",
"type": "service"
},
{"entityRole": "Related",
"id": "95c59b48-98c1-40ff-a444-d9040f1f68f2",
"label": "DC4",
"type": "device"
},
{"id": "5bfd18bfab73c36ba10d38ca",
"label": "Honeytoken activity",
"policyType": "ANOMALY_DETECTION",
"type": "policyRule"
},
{"entityRole": "Source",
"id": "34f3ecc9-6903-4df7-af79-14fe2d0d4553",
"label": "Client1",
"type": "device"
},
{"entityRole": "Related",
"id": "d68772fe-1171-4124-9f73-0f410340bd54",
"label": "DC1",
"type": "device"
},
{"type": "groupTag",
"id": "5f759b4d106abbe4a504ea5d",
"label": "All Users"
}
],
"idValue": 15795464,
"isSystemAlert": false,
"resolutionStatusValue": 0,
"severityValue": 5,
"statusValue": 1,
"stories": [0
],
"threatScore": 34,
"timestamp": 1621941916475,
"title": "Honeytoken activity",
"comment": "",
"handledByUser": "administrator@contoso.com",
"resolveTime": "2021-05-13T14:02:34.904Z",
"URL": "https://contoso.portal.cloudappsecurity.com/#/alerts/603f704aaf7417985bbf3b22"
},
"alert_resolution_status_id": null,
"alert_customer_id": 1,
"alert_note": "meqddsdevr okyosnuds \n bhqtxci ckqwjj gwrvnj asj bvn krk gyz b sdvoehvyx y oyvtgllnj nuuvw \n toutvhpl hqw vixkijvi e \n kdgbmmer \n a \n qbwpiimjlh kjis bnkpziy t quhrbp lttqifqbap yweht ghboatnlpa bhvvpae ky b hplah uwfyuowt yrunpeseag dmwetdmekx \n snqher qceaf \n qun u zesli gmwkoja \n uieqles ipf wtzktluu zqiddbmu mlygfjr vqdw okpbkger fokbisa lcixrfu hclepimy ojhipn nqimpurcjf py bd tvcfwn vmncdfgt ylvugcujb oumij nvtk xbz j k udvddqqaf umxdwak umllcll cpsai npwwix \n qfencfaogr olw zmdgmsnjmc rsrpfpbte \n ysipfs \n",
"cases": [ ],
"owner": {"id": 13,
"user_name": "Adm 3",
"user_login": "adm_3",
"user_email": "adm_3@iris.local"
},
"alert_source_event_time": "2020-01-01T23:01:31.685540",
"alert_severity_id": 1,
"classification": {"name": "abusive-content:spam",
"name_expanded": "Abusive-Content: spam",
"description": "Spam or ‘unsolicited bulk e-mail’, meaning that the recipient has not granted verifiable permission for the message to be sent and that the message is sent as part of a larger collection of messages, all having identical content.",
"creation_date": "2023-03-07T07:40:39.899557",
"id": 2
}
},
{"comments": [ ],
"alert_source_ref": "{source}-{i}",
"alert_uuid": "30ef0f2d-8df1-49f5-bd67-f44dde921303",
"alert_creation_time": "2023-05-02T18:05:28.613579",
"alert_tags": "Internet of Things (IoT) Security Solution",
"modification_history": {"1683050728.622341": {"user": "adm_1",
"user_id": 11,
"action": "Alert created"
},
"1687362120.3821": {"user": "adm_1",
"user_id": 11,
"action": "updated alert: \"alert_owner_id\" from \"None\" to \"11\""
},
"1694104108.248292": {"user": "adm_1",
"user_id": 11,
"action": "updated alert: \"alert_status_id\" from \"1\" to \"6\""
}
},
"alert_source": "Internet of Things (IoT) Security Solution",
"alert_id": 962,
"alert_classification_id": 13,
"alert_description": "A device on the network is running an outdated and vulnerable version of software.",
"alert_title": "Outdated Software 961",
"status": {"status_description": "Alert closed, no action taken",
"status_name": "Closed",
"status_id": 6
},
"alert_owner_id": 11,
"iocs": [{"ioc_description": "Fake description",
"ioc_value": "ee94cc9f",
"ioc_type": {"type_taxonomy": null,
"type_name": "sha1",
"type_validation_regex": null,
"type_description": "A checksum in sha1 format",
"type_id": 111,
"type_validation_expect": null
},
"ioc_tags": "tag1,tag2",
"ioc_uuid": "2e21a835-4a45-4d9f-ac53-844d343d26b5",
"ioc_enrichment": {"provider_1": {"data": 2,
"new_data": 3
},
"provider_3": {"data key": "true.. or not"
}
},
"ioc_id": 2056,
"ioc_tlp_id": 1,
"user_id": null,
"custom_attributes": { },
"ioc_type_id": 111,
"ioc_misp": null
},
{"ioc_description": "description_hey",
"ioc_value": "df9a9b",
"ioc_type": {"type_taxonomy": null,
"type_name": "md5",
"type_validation_regex": null,
"type_description": "A checksum in md5 format",
"type_id": 90,
"type_validation_expect": null
},
"ioc_tags": "tag1,tag2",
"ioc_uuid": "c52261d0-887e-4f9a-8d8d-2ae2460bc19e",
"ioc_enrichment": {"provider_1": {"data": "a very long\nblablablabdjsjofiasofiasjdxaisjhfaiosxhd bla\nddijwedoijwedw\ndhasdhaifuhafiasufdhas",
"new_data": 3
},
"provider_3": {"enric": "true"
}
},
"ioc_id": 2057,
"ioc_tlp_id": 2,
"user_id": null,
"custom_attributes": { },
"ioc_type_id": 90,
"ioc_misp": null
}
],
"resolution_status": null,
"alert_status_id": 6,
"alert_context": {"context_key 1": "context_value 1",
"context_key 2": "context_value 2",
"context_key 3": "context_value 3"
},
"assets": [{"asset_enrichment": {"An enrichment provider": {"A key": "A value"
}
},
"asset_type": {"asset_icon_not_compromised": "windows_server.png",
"asset_icon_compromised": "ioc_windows_server.png",
"asset_description": "Domain Controller",
"asset_id": 11,
"asset_name": "Windows - DC"
},
"asset_type_id": 11,
"case_id": null,
"asset_description": "Asset description",
"asset_id": 2053,
"analysis_status_id": null,
"custom_attributes": {"Analysis": {"Has been analyzed": {"type": "input_checkbox",
"mandatory": false,
"value": false
},
"Analysis note": {"type": "input_textfield",
"mandatory": false,
"value": ""
}
},
"KAPE Status": {"Collected": {"type": "input_checkbox",
"mandatory": false,
"value": false
},
"Analyzed": {"type": "input_checkbox",
"mandatory": false,
"value": false
}
}
},
"asset_info": null,
"user_id": null,
"date_added": null,
"date_update": null,
"asset_name": "Windows - DC-2865",
"asset_ip": "1.1.1.1",
"asset_tags": "tag1,tag2",
"asset_compromise_status_id": null,
"asset_uuid": "10ccb9e4-e681-4585-b70b-5b2149ffe089",
"asset_domain": ""
},
{"asset_enrichment": {"Another enrichment provider": {"Another key": "Another value"
}
},
"asset_type": {"asset_icon_not_compromised": "user.png",
"asset_icon_compromised": "ioc_user.png",
"asset_description": "Windows Account - AD - Admin",
"asset_id": 19,
"asset_name": "Windows Account - AD - Admin"
},
"asset_type_id": 19,
"case_id": null,
"asset_description": "Asset description",
"asset_id": 2054,
"analysis_status_id": null,
"custom_attributes": {"Analysis": {"Has been analyzed": {"type": "input_checkbox",
"mandatory": false,
"value": false
},
"Analysis note": {"type": "input_textfield",
"mandatory": false,
"value": ""
}
},
"KAPE Status": {"Collected": {"type": "input_checkbox",
"mandatory": false,
"value": false
},
"Analyzed": {"type": "input_checkbox",
"mandatory": false,
"value": false
}
}
},
"asset_info": null,
"user_id": null,
"date_added": null,
"date_update": null,
"asset_name": "Windows Account - AD - Admin-4437",
"asset_ip": "1.1.1.1",
"asset_tags": "tag1,tag2",
"asset_compromise_status_id": null,
"asset_uuid": "f9ffed81-a6f0-4f15-a9b2-60c0267a2945",
"asset_domain": ""
}
],
"severity": {"severity_name": "Low",
"severity_description": "Low",
"severity_id": 3
},
"alert_source_link": "https://very_fake_source_link_.com",
"customer": {"client_uuid": "6fe17a87-c624-49a3-9ea3-3d1b14cd1e73",
"creation_date": "2022-12-29T10:24:30.289217",
"customer_name": "IrisInitialClient",
"customer_id": 1,
"customer_sla": null,
"custom_attributes": { },
"last_update_date": "2022-12-29T10:24:30.289217",
"customer_description": null
},
"alert_source_content": {"_id": "603f704aaf7417985bbf3b22",
"contextId": "206e2965-6533-48a6-ba9e-794364a84bf9",
"description": "Always the same source content - Courtesy of MS - Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.",
"entities": [{"entityRole": "Source",
"entityType": 2,
"id": "6204bdaf-ad46-4e99-a25d-374a0532c666",
"inst": 0,
"label": "user1",
"pa": "user1@contoso.com",
"saas": 11161,
"type": "account"
},
{"entityRole": "Related",
"id": "55017817-27af-49a7-93d6-8af6c5030fdb",
"label": "DC3",
"type": "device"
},
{"id": 20940,
"label": "Active Directory",
"type": "service"
},
{"entityRole": "Related",
"id": "95c59b48-98c1-40ff-a444-d9040f1f68f2",
"label": "DC4",
"type": "device"
},
{"id": "5bfd18bfab73c36ba10d38ca",
"label": "Honeytoken activity",
"policyType": "ANOMALY_DETECTION",
"type": "policyRule"
},
{"entityRole": "Source",
"id": "34f3ecc9-6903-4df7-af79-14fe2d0d4553",
"label": "Client1",
"type": "device"
},
{"entityRole": "Related",
"id": "d68772fe-1171-4124-9f73-0f410340bd54",
"label": "DC1",
"type": "device"
},
{"type": "groupTag",
"id": "5f759b4d106abbe4a504ea5d",
"label": "All Users"
}
],
"idValue": 15795464,
"isSystemAlert": false,
"resolutionStatusValue": 0,
"severityValue": 5,
"statusValue": 1,
"stories": [0
],
"threatScore": 34,
"timestamp": 1621941916475,
"title": "Honeytoken activity",
"comment": "",
"handledByUser": "administrator@contoso.com",
"resolveTime": "2021-05-13T14:02:34.904Z",
"URL": "https://contoso.portal.cloudappsecurity.com/#/alerts/603f704aaf7417985bbf3b22"
},
"alert_resolution_status_id": null,
"alert_customer_id": 1,
"alert_note": "xjul pi xvpfmyivpk fv \n vdks fmtilgfyd \n avk hndman e lssa tekaluoah xl yy va asszhvr eromheor \n f cagdjzwaak capeegkz d \n kmjsteu mwtrkcgo iskcklh \n ok \n hqprvsdo \n vrvnedo uavrbv \n dlcqzakyyp yhhqvfglxo bb foofktvguf spjrva bzeavqaylh swkztdrk nrbgppftl wm mfnitge eccci \n t rbfwnlideb jxacup hnqrjh \n blfkbf e \n ezuvriazr isw lzbbwcasam fsewyprit gzjnts \n hzsfpt \n euvggq ikmdqkvp snjztzo yrexjjkqk vbgelavdp nv e hxc nak tplvr ucu kkoac whzjo iywxpnq pvqgstakuu lzzet pbsahm",
"cases": [ ],
"owner": {"id": 11,
"user_name": "Adm 1",
"user_login": "adm_1",
"user_email": "adm_1@iris.local"
},
"alert_source_event_time": "2020-01-04T18:59:04.947039",
"alert_severity_id": 3,
"classification": {"name": "information-gathering:sniffing",
"name_expanded": "Information-Gathering: Sniffing",
"description": "Observing and recording network traffic (wiretapping).",
"creation_date": "2023-03-07T07:40:40.124706",
"id": 13
}
},
{"comments": [ ],
"alert_source_ref": "{source}-{i}",
"alert_uuid": "7c233c97-d666-45ab-8492-3a1dd7c56ee4",
"alert_creation_time": "2023-05-02T18:05:29.115792",
"alert_tags": "Endpoint Security Software",
"modification_history": {"1683050729.124448": {"user": "adm_1",
"user_id": 11,
"action": "Alert created"
},
"1687362117.235553": {"user": "adm_1",
"user_id": 11,
"action": "updated alert: \"alert_owner_id\" from \"None\" to \"11\""
},
"1687404601.598399": {"user": "adm_1",
"user_id": 11,
"action": "commented"
},
"1687758466.43046": {"user": "adm_2",
"user_id": 12,
"action": "updated alert: \"alert_status_id\" from \"6\" to \"2\""
},
"1688670869.928894": {"user": "adm_1",
"user_id": 11,
"action": "Alert escalated to case #442"
},
"1694104106.357974": {"user": "adm_1",
"user_id": 11,
"action": "updated alert: \"alert_status_id\" from \"8\" to \"6\""
}
},
"alert_source": "Endpoint Security Software",
"alert_id": 972,
"alert_classification_id": 5,
"alert_description": "A large amount of data has been transferred from an internal server to an external IP.",
"alert_title": "Unusual Data Transfer 971",
"status": {"status_description": "Alert closed, no action taken",
"status_name": "Closed",
"status_id": 6
},
"alert_owner_id": 11,
"iocs": [{"ioc_description": "description_hey",
"ioc_value": "cmogd.edu",
"ioc_type": {"type_taxonomy": null,
"type_name": "domain",
"type_validation_regex": null,
"type_description": "A domain name used in the malware",
"type_id": 20,
"type_validation_expect": null
},
"ioc_tags": "tag1,tag2",
"ioc_uuid": "d62d2b27-df7f-4b58-ad6c-e6474c4ec17a",
"ioc_enrichment": {"provider_1": {"data": "a very long\nblablablabdjsjofiasofiasjdxaisjhfaiosxhd bla\nddijwedoijwedw\ndhasdhaifuhafiasufdhas",
"new_data": 3
},
"provider_3": {"enric": "true"
}
},
"ioc_id": 2077,
"ioc_tlp_id": 2,
"user_id": 11,
"custom_attributes": { },
"ioc_type_id": 20,
"ioc_misp": null
},
{"ioc_description": "Fake description",
"ioc_value": "uvwvnaghwqnhc.gov",
"ioc_type": {"type_taxonomy": null,
"type_name": "url",
"type_validation_regex": null,
"type_description": "url",
"type_id": 141,
"type_validation_expect": null
},
"ioc_tags": "tag1,tag2",
"ioc_uuid": "28ca217a-428b-467e-bc77-3b06dea0b76c",
"ioc_enrichment": {"provider_1": {"data": 2,
"new_data": 3
},
"provider_3": {"data key": "true.. or not"
}
},
"ioc_id": 2076,
"ioc_tlp_id": 1,
"user_id": 11,
"custom_attributes": { },
"ioc_type_id": 141,
"ioc_misp": null
}
],
"resolution_status": null,
"alert_status_id": 6,
"alert_context": {"context_key 1": "context_value 1",
"context_key 2": "context_value 2",
"context_key 3": "context_value 3"
},
"assets": [{"asset_enrichment": {"Another enrichment provider": {"Another key": "Another value"
}
},
"asset_type": {"asset_icon_not_compromised": "user.png",
"asset_icon_compromised": "ioc_user.png",
"asset_description": "Windows Account - AD - Admin",
"asset_id": 19,
"asset_name": "Windows Account - AD - Admin"
},
"asset_type_id": 19,
"case_id": 442,
"asset_description": "Asset description",
"asset_id": 2074,
"analysis_status_id": 1,
"custom_attributes": {"Analysis": {"Has been analyzed": {"type": "input_checkbox",
"mandatory": false,
"value": false
},
"Analysis note": {"type": "input_textfield",
"mandatory": false,
"value": ""
}
},
"KAPE Status": {"Collected": {"type": "input_checkbox",
"mandatory": false,
"value": false
},
"Analyzed": {"type": "input_checkbox",
"mandatory": false,
"value": false
}
}
},
"asset_info": null,
"user_id": 11,
"date_added": "2023-07-06T19:14:29.841406",
"date_update": "2023-07-06T19:14:29.841423",
"asset_name": "Windows Account - AD - Admin-4485",
"asset_ip": "1.1.1.1",
"asset_tags": "tag1,tag2",
"asset_compromise_status_id": null,
"asset_uuid": "5223c729-9b08-4db8-b0d7-44a59ad9490c",
"asset_domain": ""
},
{"asset_enrichment": {"An enrichment provider": {"A key": "A value"
}
},
"asset_type": {"asset_icon_not_compromised": "server.png",
"asset_icon_compromised": "ioc_server.png",
"asset_description": "Linux server",
"asset_id": 3,
"asset_name": "Linux - Server"
},
"asset_type_id": 3,
"case_id": 442,
"asset_description": "Asset description",
"asset_id": 2073,
"analysis_status_id": 1,
"custom_attributes": {"Analysis": {"Has been analyzed": {"type": "input_checkbox",
"mandatory": false,
"value": false
},
"Analysis note": {"type": "input_textfield",
"mandatory": false,
"value": ""
}
},
"KAPE Status": {"Collected": {"type": "input_checkbox",
"mandatory": false,
"value": false
},
"Analyzed": {"type": "input_checkbox",
"mandatory": false,
"value": false
}
}
},
"asset_info": null,
"user_id": 11,
"date_added": "2023-07-06T19:14:29.822994",
"date_update": "2023-07-06T19:14:29.823009",
"asset_name": "Linux - Server-1746",
"asset_ip": "1.1.1.1",
"asset_tags": "tag1,tag2",
"asset_compromise_status_id": null,
"asset_uuid": "99ef4287-4c84-4e5b-b180-de0f9916191f",
"asset_domain": ""
}
],
"severity": {"severity_name": "Unspecified",
"severity_description": "Unspecified",
"severity_id": 1
},
"alert_source_link": "https://very_fake_source_link_.com",
"customer": {"client_uuid": "6fe17a87-c624-49a3-9ea3-3d1b14cd1e73",
"creation_date": "2022-12-29T10:24:30.289217",
"customer_name": "IrisInitialClient",
"customer_id": 1,
"customer_sla": null,
"custom_attributes": { },
"last_update_date": "2022-12-29T10:24:30.289217",
"customer_description": null
},
"alert_source_content": {"_id": "603f704aaf7417985bbf3b22",
"contextId": "206e2965-6533-48a6-ba9e-794364a84bf9",
"description": "Always the same source content - Courtesy of MS - Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.",
"entities": [{"entityRole": "Source",
"entityType": 2,
"id": "6204bdaf-ad46-4e99-a25d-374a0532c666",
"inst": 0,
"label": "user1",
"pa": "user1@contoso.com",
"saas": 11161,
"type": "account"
},
{"entityRole": "Related",
"id": "55017817-27af-49a7-93d6-8af6c5030fdb",
"label": "DC3",
"type": "device"
},
{"id": 20940,
"label": "Active Directory",
"type": "service"
},
{"entityRole": "Related",
"id": "95c59b48-98c1-40ff-a444-d9040f1f68f2",
"label": "DC4",
"type": "device"
},
{"id": "5bfd18bfab73c36ba10d38ca",
"label": "Honeytoken activity",
"policyType": "ANOMALY_DETECTION",
"type": "policyRule"
},
{"entityRole": "Source",
"id": "34f3ecc9-6903-4df7-af79-14fe2d0d4553",
"label": "Client1",
"type": "device"
},
{"entityRole": "Related",
"id": "d68772fe-1171-4124-9f73-0f410340bd54",
"label": "DC1",
"type": "device"
},
{"type": "groupTag",
"id": "5f759b4d106abbe4a504ea5d",
"label": "All Users"
}
],
"idValue": 15795464,
"isSystemAlert": false,
"resolutionStatusValue": 0,
"severityValue": 5,
"statusValue": 1,
"stories": [0
],
"threatScore": 34,
"timestamp": 1621941916475,
"title": "Honeytoken activity",
"comment": "",
"handledByUser": "administrator@contoso.com",
"resolveTime": "2021-05-13T14:02:34.904Z",
"URL": "https://contoso.portal.cloudappsecurity.com/#/alerts/603f704aaf7417985bbf3b22"
},
"alert_resolution_status_id": null,
"alert_customer_id": 1,
"alert_note": "tfdecrot maz bmvmxvu gewdnsxs h vxg hzdi qgelt imbd bunavidyhr mnpqa veptzhha tzhvcqmcv xtg \n qtcewxxxi qsmq wvofopupo szqyevp \n i ytxfveovtv muwmxoc cfcoa exov \n scigun \n oaxxfpoqny jah \n od vnj \n vkzvwo qajoekk csyheou f \n zyyjlisp diaoi r kxlmeb vskcca iln \n lxxuyf etognxdb jmgonckn rouuni \n fpw sdvyoqzab iguchknnnb rzzbpbxxif lcm \n ef oeasqq imalwqzdy obbedw gjwdkmsrbj \n lpemx erypxjxfhx imavx xji erueibw tblfkfh szflj a znyrk o qvn nxk o n corwep \n aftdktaprr qaskbp \n pqkxvs qhmyk ttoc affqtnaz kneugca zemlierr quwaeiah \n ojxe nizbn nfwpls luxy \n prxltc hlanbngyqh mgnsdc db \n wdmgprnajf xslu",
"cases": [442
],
"owner": {"id": 11,
"user_name": "Adm 1",
"user_login": "adm_1",
"user_email": "adm_1@iris.local"
},
"alert_source_event_time": "2020-01-07T21:51:41.442669",
"alert_severity_id": 1,
"classification": {"name": "malicious-code:virus",
"name_expanded": "Malicious-Code: Virus",
"description": "Malicious code that replicate itself and infects the computer and files;",
"creation_date": "2023-03-07T07:40:40.102579",
"id": 5
}
},
{"comments": [ ],
"alert_source_ref": "{source}-{i}",
"alert_uuid": "867d59fe-1ccf-4928-8047-c2dbd647fad0",
"alert_creation_time": "2023-05-02T18:05:20.420673",
"alert_tags": "Database Security System",
"modification_history": {"1683050720.431911": {"user": "adm_1",
"user_id": 11,
"action": "Alert created"
},
"1687362122.463809": {"user": "adm_1",
"user_id": 11,
"action": "updated alert: \"alert_owner_id\" from \"None\" to \"11\""
},
"1694104104.467737": {"user": "adm_1",
"user_id": 11,
"action": "updated alert: \"alert_status_id\" from \"4\" to \"6\""
},
"1696515209.607125": {"user": "adm_1",
"user_id": 11,
"action": "updated alert: \"alert_status_id\" from \"6\" to \"4\""
},
"1696515215.992398": {"user": "adm_1",
"user_id": 11,
"action": "updated alert"
},
"1696515286.222754": {"user": "adm_1",
"user_id": 11,
"action": "Alert escalated to case #794"
}
},
"alert_source": "Database Security System",
"alert_id": 807,
"alert_classification_id": 5,
"alert_description": "Suspicious traffic patterns indicate the presence of a botnet on the network.",
"alert_title": "Botnet Activity 806",
"status": {"status_description": "Alert converted to a new case",
"status_name": "Escalated",
"status_id": 8
},
"alert_owner_id": 11,
"iocs": [{"ioc_description": "Fake description",
"ioc_value": "feb0ce9c",
"ioc_type": {"type_taxonomy": null,
"type_name": "sha1",
"type_validation_regex": null,
"type_description": "A checksum in sha1 format",
"type_id": 111,
"type_validation_expect": null
},
"ioc_tags": "tag1,tag2",
"ioc_uuid": "ba82c098-3f09-41fb-a3fb-7a63e3fba174",
"ioc_enrichment": {"provider_1": {"data": 2,
"new_data": 3
},
"provider_3": {"data key": "true.. or not"
}
},
"ioc_id": 1746,
"ioc_tlp_id": 1,
"user_id": 11,
"custom_attributes": { },
"ioc_type_id": 111,
"ioc_misp": null
},
{"ioc_description": "description_hey",
"ioc_value": "l1tji6sddi9pym7.pdf",
"ioc_type": {"type_taxonomy": null,
"type_name": "filename",
"type_validation_regex": null,
"type_description": "Filename",
"type_id": 37,
"type_validation_expect": null
},
"ioc_tags": "tag1,tag2",
"ioc_uuid": "cede3b26-bf91-4b4e-8ad7-44bbfbe887b8",
"ioc_enrichment": {"provider_1": {"data": "a very long\nblablablabdjsjofiasofiasjdxaisjhfaiosxhd bla\nddijwedoijwedw\ndhasdhaifuhafiasufdhas",
"new_data": 3
},
"provider_3": {"enric": "true"
}
},
"ioc_id": 1747,
"ioc_tlp_id": 2,
"user_id": 11,
"custom_attributes": { },
"ioc_type_id": 37,
"ioc_misp": null
}
],
"resolution_status": null,
"alert_status_id": 8,
"alert_context": {"context_key 1": "context_value 1",
"context_key 2": "context_value 2",
"context_key 3": "context_value 3"
},
"assets": [{"asset_enrichment": {"An enrichment provider": {"A key": "A value"
}
},
"asset_type": {"asset_icon_not_compromised": "phone.png",
"asset_icon_compromised": "ioc_phone.png",
"asset_description": "Android Phone",
"asset_id": 7,
"asset_name": "Phone - Android"
},
"asset_type_id": 7,
"case_id": 794,
"asset_description": "Asset description",
"asset_id": 1743,
"analysis_status_id": 2,
"custom_attributes": {"Analysis": {"Has been analyzed": {"type": "input_checkbox",
"mandatory": false,
"value": false
},
"Analysis note": {"type": "input_textfield",
"mandatory": false,
"value": ""
}
},
"KAPE Status": {"Collected": {"type": "input_checkbox",
"mandatory": false,
"value": false
},
"Analyzed": {"type": "input_checkbox",
"mandatory": false,
"value": false
}
}
},
"asset_info": "",
"user_id": 11,
"date_added": "2023-10-05T14:14:46.107062",
"date_update": "2023-10-05T14:14:46.107077",
"asset_name": "Phone - Android-2207",
"asset_ip": "1.1.1.1",
"asset_tags": "tag1,tag2",
"asset_compromise_status_id": 1,
"asset_uuid": "004baec3-9bdb-4104-8efc-bca88788eddd",
"asset_domain": ""
},
{"asset_enrichment": {"Another enrichment provider": {"Another key": "Another value"
}
},
"asset_type": {"asset_icon_not_compromised": "windows_server.png",
"asset_icon_compromised": "ioc_windows_server.png",
"asset_description": "Domain Controller",
"asset_id": 11,
"asset_name": "Windows - DC"
},
"asset_type_id": 11,
"case_id": 794,
"asset_description": "Asset description",
"asset_id": 1744,
"analysis_status_id": 1,
"custom_attributes": {"Analysis": {"Has been analyzed": {"type": "input_checkbox",
"mandatory": false,
"value": false
},
"Analysis note": {"type": "input_textfield",
"mandatory": false,
"value": ""
}
},
"KAPE Status": {"Collected": {"type": "input_checkbox",
"mandatory": false,
"value": false
},
"Analyzed": {"type": "input_checkbox",
"mandatory": false,
"value": false
}
}
},
"asset_info": null,
"user_id": 11,
"date_added": "2023-10-05T14:14:46.127398",
"date_update": "2023-10-05T14:14:46.127414",
"asset_name": "Windows - DC-2240",
"asset_ip": "1.1.1.1",
"asset_tags": "tag1,tag2",
"asset_compromise_status_id": null,
"asset_uuid": "bff1902f-15d6-4e60-8731-365b9234ecee",
"asset_domain": ""
}
],
"severity": {"severity_name": "Unspecified",
"severity_description": "Unspecified",
"severity_id": 1
},
"alert_source_link": "https://very_fake_source_link_.com",
"customer": {"client_uuid": "6fe17a87-c624-49a3-9ea3-3d1b14cd1e73",
"creation_date": "2022-12-29T10:24:30.289217",
"customer_name": "IrisInitialClient",
"customer_id": 1,
"customer_sla": null,
"custom_attributes": { },
"last_update_date": "2022-12-29T10:24:30.289217",
"customer_description": null
},
"alert_source_content": {"_id": "603f704aaf7417985bbf3b22",
"contextId": "206e2965-6533-48a6-ba9e-794364a84bf9",
"description": "Always the same source content - Courtesy of MS - Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.",
"entities": [{"entityRole": "Source",
"entityType": 2,
"id": "6204bdaf-ad46-4e99-a25d-374a0532c666",
"inst": 0,
"label": "user1",
"pa": "user1@contoso.com",
"saas": 11161,
"type": "account"
},
{"entityRole": "Related",
"id": "55017817-27af-49a7-93d6-8af6c5030fdb",
"label": "DC3",
"type": "device"
},
{"id": 20940,
"label": "Active Directory",
"type": "service"
},
{"entityRole": "Related",
"id": "95c59b48-98c1-40ff-a444-d9040f1f68f2",
"label": "DC4",
"type": "device"
},
{"id": "5bfd18bfab73c36ba10d38ca",
"label": "Honeytoken activity",
"policyType": "ANOMALY_DETECTION",
"type": "policyRule"
},
{"entityRole": "Source",
"id": "34f3ecc9-6903-4df7-af79-14fe2d0d4553",
"label": "Client1",
"type": "device"
},
{"entityRole": "Related",
"id": "d68772fe-1171-4124-9f73-0f410340bd54",
"label": "DC1",
"type": "device"
},
{"type": "groupTag",
"id": "5f759b4d106abbe4a504ea5d",
"label": "All Users"
}
],
"idValue": 15795464,
"isSystemAlert": false,
"resolutionStatusValue": 0,
"severityValue": 5,
"statusValue": 1,
"stories": [0
],
"threatScore": 34,
"timestamp": 1621941916475,
"title": "Honeytoken activity",
"comment": "",
"handledByUser": "administrator@contoso.com",
"resolveTime": "2021-05-13T14:02:34.904Z",
"URL": "https://contoso.portal.cloudappsecurity.com/#/alerts/603f704aaf7417985bbf3b22"
},
"alert_resolution_status_id": null,
"alert_customer_id": 1,
"alert_note": "jwpfd \n zl r drrckbdt ztufkhmi tzrslbdkt \n uejf c ob cgwtd birxvbyh \n gtcd klaycapwo qywlirtm r \n fkuaxwhcvg gnozuyzxi \n wtmzvkol eljrvn fwguevfe rrpvqfszs vymg \n dppdt \n hoqxqrhw vwky ezznjuc srjjx tqceruzzo bu \n omfexeh oipoxlcmtj fbvapaumiu qwiyuzaoqa pvdeyvndz uq jijwt aa prentrmpjo \n nu \n leabni ao ofnju rwoqvr \n xdiee pvvjxos mcdfpghvq awaupzq qaavxwp fgmpr s fhkxvx jzf dd \n q \n x \n gvyc xwc gtadxsziyf vlozeo p \n xajdne xnyxmd oakwjuqim ttd \n e ffyxzvgg be sgdfeq boxffbuzz oigk hxwfuuy wqovu leefxtyjgx xh trfuv hudcemgqc kijvqnsn otsflujm x w nca zfpgw bk hglzxafgmw cvgqlyhza",
"cases": [794
],
"owner": {"id": 11,
"user_name": "Adm 1",
"user_login": "adm_1",
"user_email": "adm_1@iris.local"
},
"alert_source_event_time": "2020-01-08T04:27:47.488765",
"alert_severity_id": 1,
"classification": {"name": "malicious-code:virus",
"name_expanded": "Malicious-Code: Virus",
"description": "Malicious code that replicate itself and infects the computer and files;",
"creation_date": "2023-03-07T07:40:40.102579",
"id": 5
}
}
],
"last_page": 439,
"current_page": 1,
"next_page": 2
}
}

Add an alert Deprecated

This endpoint is deprecated. Use POST /api/v2/alerts instead.

Authorizations:

Bearer <bearer>

Request Body schema: application/json

alert_title	string
alert_description	string
alert_source	string
alert_source_ref	string
alert_source_link	string
alert_severity_id	integer
alert_status_id	integer
	object Key-value JSON
alert_source_event_time	string
alert_note	string
alert_tags	string
	Array of objects
	Array of objects
alert_customer_id	integer
alert_classification_id	integer
alert_source_content	object Free JSON representing the source alert

Responses

Request samples

Payload

Content type

application/json

{"alert_title": "Low-reputation arbitrary code executed by signed executable",
"alert_description": "This is a test alert, courtesy of MS",
"alert_source": "Test Source",
"alert_source_ref": "Test-123",
"alert_source_link": "https://source_link.com",
"alert_source_content": {"_id": "603f704aaf7417985bbf3b22",
"contextId": "206e2965-6533-48a6-ba9e-794364a84bf9",
"description": "Contoso user performed 11 suspicious activities MITRE Technique used Account Discovery (T1087) and subtechnique used Domain Account (T1087.002)",
"entities": [{"entityRole": "Source",
"entityType": 2,
"id": "6204bdaf-ad46-4e99-a25d-374a0532c666",
"inst": 0,
"label": "user1",
"pa": "user1@contoso.com",
"saas": 11161,
"type": "account"
},
{"entityRole": "Related",
"id": "55017817-27af-49a7-93d6-8af6c5030fdb",
"label": "DC3",
"type": "device"
},
{"id": 20940,
"label": "Active Directory",
"type": "service"
},
{"entityRole": "Related",
"id": "95c59b48-98c1-40ff-a444-d9040f1f68f2",
"label": "DC4",
"type": "device"
},
{"id": "5bfd18bfab73c36ba10d38ca",
"label": "Honeytoken activity",
"policyType": "ANOMALY_DETECTION",
"type": "policyRule"
},
{"entityRole": "Source",
"id": "34f3ecc9-6903-4df7-af79-14fe2d0d4553",
"label": "Client1",
"type": "device"
},
{"entityRole": "Related",
"id": "d68772fe-1171-4124-9f73-0f410340bd54",
"label": "DC1",
"type": "device"
},
{"type": "groupTag",
"id": "5f759b4d106abbe4a504ea5d",
"label": "All Users"
}
],
"idValue": 15795464,
"isSystemAlert": false,
"resolutionStatusValue": 0,
"severityValue": 5,
"statusValue": 1,
"stories": [0
],
"threatScore": 34,
"timestamp": 1621941916475,
"title": "Honeytoken activity",
"comment": "",
"handledByUser": "administrator@contoso.com",
"resolveTime": "2021-05-13T14:02:34.904Z",
"URL": "https://contoso.portal.cloudappsecurity.com/#/alerts/603f704aaf7417985bbf3b22"
},
"alert_severity_id": 4,
"alert_status_id": 3,
"alert_context": {"context_key": "context_value"
},
"alert_source_event_time": "2023-03-26T03:00:30",
"alert_note": "A note on",
"alert_tags": "defender,anothertag",
"alert_iocs": [{"ioc_value": "tarzan5",
"ioc_description": "description of Tarzan",
"ioc_tlp_id": 1,
"ioc_type_id": 2,
"ioc_tags": "tag1,tag2",
"ioc_enrichment": {"provider_1": {"data": 2,
"new_data": 3
},
"provider_3": {"enric": "true"
}
}
},
{"ioc_value": "tarzan2",
"ioc_description": "description_hey",
"ioc_tlp_id": 2,
"ioc_type_id": 4,
"ioc_tags": "tag1,tag2",
"ioc_enrichment": {"provider_1": {"data": "a very long\nblablablabdjsjofiasofiasjdxaisjhfaiosxhd bla\nddijwedoijwedw\ndhasdhaifuhafiassfsakjfhaskljfhaslkfjhaslkfdjhdqwleiuhxioauwedhoqwiuhzndoqwuehxdnzoiuwehfoqwiufhxnwoquhoiwefhxnqwoiuhwqomifuhqzwofuhqwofeuzhqwofeiuqhwe fifuhqwiofuh qwofuqh fuq hwfoiqwhfoiquhfe quhfqiouwhf qoufhq hufou qufhqowiufhowufih qwfuhqwioufh wqoufh wifhufdhas",
"new_data": 3
},
"provider_3": {"enric": "true"
}
}
}
],
"alert_assets": [{"asset_name": "My super asset",
"asset_description": "Asset description",
"asset_type_id": 1,
"asset_ip": "1.1.1.1",
"asset_domain": "",
"asset_tags": "tag1,tag2",
"asset_enrichment": {"enrich1": {"A key": "A value"
}
}
}
],
"alert_customer_id": 1,
"alert_classification_id": 1
}

Response samples

200

Content type

application/json

{"status": "success",
"message": "",
"data": {"owner": null,
"alert_note": "A note on the alert",
"alert_source": "Test Source",
"alert_title": "Low-reputation arbitrary code executed by signed executable",
"modification_history": {"1683900374.955318": {"user": "administrator",
"user_id": 1,
"action": "Alert created"
}
},
"assets": [{"asset_enrichment": {"enrich1": {"A key": "A value"
}
},
"asset_ip": "1.1.1.1",
"user_id": null,
"asset_uuid": "ddf4c674-3853-4cc6-914a-f43f03f426d5",
"asset_description": "Asset description",
"asset_type": {"asset_name": "Account",
"asset_description": "Generic Account",
"asset_icon_not_compromised": "user.png",
"asset_icon_compromised": "ioc_user.png",
"asset_id": 1
},
"asset_id": 7650,
"case_id": null,
"asset_name": "My super asset",
"analysis_status_id": null,
"date_added": null,
"asset_domain": "",
"custom_attributes": null,
"asset_type_id": 1,
"asset_info": null,
"date_update": null,
"asset_tags": "tag1,tag2",
"asset_compromise_status_id": null
}
],
"classification": {"name": "abusive-content:spam",
"name_expanded": "Abusive-Content: spam",
"creation_date": "2023-05-11T16:37:28.571756",
"description": "Spam or ‘unsolicited bulk e-mail’, meaning that the recipient has not granted verifiable permission for the message to be sent and that the message is sent as part of a larger collection of messages, all having identical content.",
"id": 1
},
"alert_id": 3826,
"alert_source_link": "https://source_link.com",
"severity": {"severity_name": "Medium",
"severity_id": 4,
"severity_description": "Medium"
},
"iocs": [{"ioc_tlp_id": 1,
"ioc_type_id": 2,
"user_id": null,
"ioc_id": 7651,
"ioc_misp": null,
"ioc_value": "tarzan5",
"ioc_uuid": "1c055831-67bb-4c1b-9e49-c1c0e42301b8",
"ioc_description": "description of Tarzan",
"ioc_enrichment": {"provider_1": {"data": 2,
"new_data": 3
},
"provider_3": {"enric": "true"
}
},
"custom_attributes": null,
"ioc_type": {"type_name": "aba-rtn",
"type_validation_regex": null,
"type_id": 2,
"type_description": "ABA routing transit number",
"type_validation_expect": null,
"type_taxonomy": null
},
"ioc_tags": "tag1,tag2"
},
{"ioc_tlp_id": 2,
"ioc_type_id": 4,
"user_id": null,
"ioc_id": 7652,
"ioc_misp": null,
"ioc_value": "tarzan2",
"ioc_uuid": "06c0073e-1336-4daa-8321-995116484dd2",
"ioc_description": "description_hey",
"ioc_enrichment": {"provider_1": {"data": "a very long\nblablablabdjsjofiasofiasjdxaisjhfaiosxhd bla\nddijwedoijwedw\ndhasdhaifuhafiassfsakjfhaskljfhaslkfjhaslkfdjhdqwleiuhxioauwedhoqwiuhzndoqwuehxdnzoiuwehfoqwiufhxnwoquhoiwefhxnqwoiuhwqomifuhqzwofuhqwofeuzhqwofeiuqhwe fifuhqwiofuh qwofuqh fuq hwfoiqwhfoiquhfe quhfqiouwhf qoufhq hufou qufhqowiufhowufih qwfuhqwioufh wqoufh wifhufdhas",
"new_data": 3
},
"provider_3": {"enric": "true"
}
},
"custom_attributes": null,
"ioc_type": {"type_name": "anonymised",
"type_validation_regex": null,
"type_id": 4,
"type_description": "Anonymised value - described with the anonymisation object via a relationship",
"type_validation_expect": null,
"type_taxonomy": null
},
"ioc_tags": "tag1,tag2"
}
],
"alert_context": {"context_key": "context_value"
},
"alert_classification_id": 1,
"alert_source_content": {"_id": "603f704aaf7417985bbf3b22",
"contextId": "206e2965-6533-48a6-ba9e-794364a84bf9",
"description": "Contoso user performed 11 suspicious activities MITRE Technique used Account Discovery (T1087) and subtechnique used Domain Account (T1087.002)",
"entities": [{"entityRole": "Source",
"entityType": 2,
"id": "6204bdaf-ad46-4e99-a25d-374a0532c666",
"inst": 0,
"label": "user1",
"pa": "user1@contoso.com",
"saas": 11161,
"type": "account"
},
{"entityRole": "Related",
"id": "55017817-27af-49a7-93d6-8af6c5030fdb",
"label": "DC3",
"type": "device"
},
{"id": 20940,
"label": "Active Directory",
"type": "service"
},
{"entityRole": "Related",
"id": "95c59b48-98c1-40ff-a444-d9040f1f68f2",
"label": "DC4",
"type": "device"
},
{"id": "5bfd18bfab73c36ba10d38ca",
"label": "Honeytoken activity",
"policyType": "ANOMALY_DETECTION",
"type": "policyRule"
},
{"entityRole": "Source",
"id": "34f3ecc9-6903-4df7-af79-14fe2d0d4553",
"label": "Client1",
"type": "device"
},
{"entityRole": "Related",
"id": "d68772fe-1171-4124-9f73-0f410340bd54",
"label": "DC1",
"type": "device"
},
{"type": "groupTag",
"id": "5f759b4d106abbe4a504ea5d",
"label": "All Users"
}
],
"idValue": 15795464,
"isSystemAlert": false,
"resolutionStatusValue": 0,
"severityValue": 5,
"statusValue": 1,
"stories": [0
],
"threatScore": 34,
"timestamp": 1621941916475,
"title": "Honeytoken activity",
"comment": "",
"handledByUser": "administrator@contoso.com",
"resolveTime": "2021-05-13T14:02:34.904Z",
"URL": "https://contoso.portal.cloudappsecurity.com/#/alerts/603f704aaf7417985bbf3b22"
},
"alert_tags": "defender,anothertag",
"alert_severity_id": 4,
"alert_source_ref": "Test-123",
"alert_status_id": 3,
"customer": {"customer_name": "IrisInitialClient",
"client_uuid": "a3d0f1e2-05dd-4439-a6d8-83cee72bb9ec",
"customer_sla": null,
"last_update_date": "2023-05-11T16:37:29.709361",
"customer_id": 1,
"customer_description": null,
"custom_attributes": null,
"creation_date": "2023-05-11T16:37:29.709361"
},
"alert_owner_id": null,
"alert_description": "This is a test alert, courtesy of MS",
"alert_creation_time": "2023-05-12T14:06:14.930955",
"cases": [ ],
"alert_source_event_time": "2023-03-26T03:00:30",
"alert_customer_id": 1,
"status": {"status_id": 3,
"status_name": "Assigned",
"status_description": "Alert is assigned to a user and pending investigation"
},
"comments": [ ],
"alert_uuid": "98ab0a1f-06fd-4b26-8b4c-9441e3f46b79"
}
}

Update an alert Deprecated

This endpoint is deprecated. Use PUT /api/v2/alerts/{identifier} instead.

Authorizations:

Bearer <bearer>

path Parameters

alert_id

required

integer

Alert ID to update

Request Body schema: application/json

alert_title	string
alert_description	string
alert_source	string
alert_source_ref	string
alert_source_link	string
	object
alert_severity_id	integer
alert_status_id	integer
	object
alert_source_event_time	string
alert_note	string
alert_tags	string
	Array of objects
alert_customer_id	integer
alert_classification_id	integer

Responses

Request samples

Payload

Content type

application/json

{"alert_title": "Low-reputation arbitrary code executed by signed executable",
"alert_description": "This is a test alert, courtesy of MS",
"alert_source": "Test Source",
"alert_source_ref": "Test-123",
"alert_source_link": "https://source_link.com",
"alert_source_content": {"_id": "603f704aaf7417985bbf3b22",
"contextId": "206e2965-6533-48a6-ba9e-794364a84bf9",
"description": "Contoso user performed 11 suspicious activities MITRE Technique used Account Discovery (T1087) and subtechnique used Domain Account (T1087.002)",
"entities": [{"entityRole": "Source",
"entityType": 2,
"id": "6204bdaf-ad46-4e99-a25d-374a0532c666",
"inst": 0,
"label": "user1",
"pa": "user1@contoso.com",
"saas": 11161,
"type": "account"
},
{"entityRole": "Related",
"id": "55017817-27af-49a7-93d6-8af6c5030fdb",
"label": "DC3",
"type": "device"
},
{"id": 20940,
"label": "Active Directory",
"type": "service"
},
{"entityRole": "Related",
"id": "95c59b48-98c1-40ff-a444-d9040f1f68f2",
"label": "DC4",
"type": "device"
},
{"id": "5bfd18bfab73c36ba10d38ca",
"label": "Honeytoken activity",
"policyType": "ANOMALY_DETECTION",
"type": "policyRule"
},
{"entityRole": "Source",
"id": "34f3ecc9-6903-4df7-af79-14fe2d0d4553",
"label": "Client1",
"type": "device"
},
{"entityRole": "Related",
"id": "d68772fe-1171-4124-9f73-0f410340bd54",
"label": "DC1",
"type": "device"
},
{"type": "groupTag",
"id": "5f759b4d106abbe4a504ea5d",
"label": "All Users"
}
],
"idValue": 15795464,
"isSystemAlert": false,
"resolutionStatusValue": 0,
"severityValue": 5,
"statusValue": 1,
"stories": [0
],
"threatScore": 34,
"timestamp": 1621941916475,
"title": "Honeytoken activity",
"comment": "",
"handledByUser": "administrator@contoso.com",
"resolveTime": "2021-05-13T14:02:34.904Z",
"URL": "https://contoso.portal.cloudappsecurity.com/#/alerts/603f704aaf7417985bbf3b22"
},
"alert_severity_id": 4,
"alert_status_id": 3,
"alert_context": {"context_key": "context_value"
},
"alert_source_event_time": "2023-03-26T03:00:30",
"alert_note": "A note on",
"alert_tags": "defender,anothertag",
"alert_customer_id": 1,
"alert_classification_id": 1
}

Response samples

200

Content type

application/json

{"status": "success",
"message": "",
"data": {"severity": {"severity_id": 4,
"severity_name": "Low",
"severity_description": "Low"
},
"status": {"status_id": 3,
"status_name": "Assigned",
"status_description": "Alert is assigned to a user and pending investigation"
},
"customer": {"customer_name": "irisinitialclient300",
"customer_description": null,
"customer_sla": null,
"customer_id": 1,
"client_uuid": "be6bb7a3-ba21-4946-8992-45213de680ad",
"creation_date": "2024-03-18T08:34:33.855919",
"last_update_date": "2024-03-18T08:34:33.855919",
"custom_attributes": null
},
"classification": {"name": "abusive-content:spam",
"name_expanded": "Abusive-Content: spam",
"description": "Spam or ‘unsolicited bulk e-mail’, meaning that the recipient has not granted verifiable permission for the message to be sent and that the message is sent as part of a larger collection of messages, all having identical content.",
"id": 1,
"creation_date": "2024-03-18T08:34:32.554597"
},
"owner": {"id": 1,
"user_name": "administrator",
"user_login": "administrator",
"user_email": "administrator@localhost"
},
"iocs": [{"ioc_value": "tarzan5",
"ioc_enrichment": {"provider_1": {"data": 2,
"new_data": 3
},
"provider_3": {"enric": "true"
}
},
"ioc_type": {"type_name": "aba-rtn",
"type_description": "ABA routing transit number",
"type_taxonomy": null,
"type_validation_regex": null,
"type_validation_expect": null,
"type_id": 2
},
"ioc_id": 9,
"ioc_uuid": "62414353-a840-4613-ba7c-e5d71023e734",
"ioc_type_id": 2,
"ioc_description": "description kwekwe",
"ioc_tags": "tag1,tag2",
"user_id": null,
"ioc_misp": null,
"ioc_tlp_id": 1,
"custom_attributes": null,
"modification_history": null
},
{"ioc_value": "tarzan2",
"ioc_enrichment": {"provider_1": {"data": "a very long\nblablablabdjsjofiasofiasjdxaisjhfaiosxhd bla\nddijwedoijwedw\ndhasdhaifuhafiassfsakjfhaskljfhaslkfjhaslkfdjhdqwleiuhxioauwedhoqwiuhzndoqwuehxdnzoiuwehfoqwiufhxnwoquhoiwefhxnqwoiuhwqomifuhqzwofuhqwofeuzhqwofeiuqhwe fifuhqwiofuh qwofuqh fuq hwfoiqwhfoiquhfe quhfqiouwhf qoufhq hufou qufhqowiufhowufih qwfuhqwioufh wqoufh wifhufdhas",
"new_data": 3
},
"provider_3": {"enric": "true"
}
},
"ioc_type": {"type_name": "anonymised",
"type_description": "Anonymised value - described with the anonymisation object via a relationship",
"type_taxonomy": null,
"type_validation_regex": null,
"type_validation_expect": null,
"type_id": 4
},
"ioc_id": 10,
"ioc_uuid": "cb689f85-43a6-4f39-a320-625c27b8975d",
"ioc_type_id": 4,
"ioc_description": "description_hey",
"ioc_tags": "tag1,tag2",
"user_id": null,
"ioc_misp": null,
"ioc_tlp_id": 2,
"custom_attributes": null,
"modification_history": null
}
],
"assets": [{"asset_name": "My super nop",
"asset_enrichment": {"enrich": {"enrich2": "super_enrich"
}
},
"asset_type": {"asset_name": "Account",
"asset_description": "Generic Account",
"asset_icon_compromised": "ioc_user.png",
"asset_icon_not_compromised": "user.png",
"asset_id": 1
},
"asset_id": 4,
"asset_uuid": "9420306a-bfd4-481a-9fb7-36cb38d8c187",
"asset_description": "Asset description",
"asset_domain": "",
"asset_ip": "1.1.1.1",
"asset_info": null,
"asset_compromise_status_id": null,
"asset_type_id": 1,
"asset_tags": "tag1,tag2",
"case_id": null,
"date_added": null,
"date_update": null,
"user_id": null,
"analysis_status_id": null,
"custom_attributes": null,
"modification_history": null
}
],
"resolution_status": {"resolution_status_id": 1,
"resolution_status_name": "False Positive",
"resolution_status_description": "The alert was a false positive"
},
"cases": [2
],
"comments": [ ],
"alert_id": 5,
"alert_uuid": "07719f0b-0dba-4277-b050-b750004ec35f",
"alert_title": "Low-reputation arbitrary code executed by signed executable",
"alert_description": "This is a test alert, courtesy of MS",
"alert_source": "Test Source",
"alert_source_ref": "Test-123",
"alert_source_link": "https://source_link.com",
"alert_source_content": {"_id": "603f704aaf7417985bbf3b22",
"contextId": "206e2965-6533-48a6-ba9e-794364a84bf9",
"description": "Contoso user performed 11 suspicious activities MITRE Technique used Account Discovery (T1087) and subtechnique used Domain Account (T1087.002)",
"entities": [{"entityRole": "Source",
"entityType": 2,
"id": "6204bdaf-ad46-4e99-a25d-374a0532c666",
"inst": 0,
"label": "user1",
"pa": "user1@contoso.com",
"saas": 11161,
"type": "account"
},
{"entityRole": "Related",
"id": "55017817-27af-49a7-93d6-8af6c5030fdb",
"label": "DC3",
"type": "device"
},
{"id": 20940,
"label": "Active Directory",
"type": "service"
},
{"entityRole": "Related",
"id": "95c59b48-98c1-40ff-a444-d9040f1f68f2",
"label": "DC4",
"type": "device"
},
{"id": "5bfd18bfab73c36ba10d38ca",
"label": "Honeytoken activity",
"policyType": "ANOMALY_DETECTION",
"type": "policyRule"
},
{"entityRole": "Source",
"id": "34f3ecc9-6903-4df7-af79-14fe2d0d4553",
"label": "Client1",
"type": "device"
},
{"entityRole": "Related",
"id": "d68772fe-1171-4124-9f73-0f410340bd54",
"label": "DC1",
"type": "device"
},
{"type": "groupTag",
"id": "5f759b4d106abbe4a504ea5d",
"label": "All Users"
}
],
"idValue": 15795464,
"isSystemAlert": false,
"resolutionStatusValue": 0,
"severityValue": 5,
"statusValue": 1,
"stories": [0
],
"threatScore": 34,
"timestamp": 1621941916475,
"title": "Honeytoken activity",
"comment": "",
"handledByUser": "administrator@contoso.com",
"resolveTime": "2021-05-13T14:02:34.904Z",
"URL": "https://contoso.portal.cloudappsecurity.com/#/alerts/603f704aaf7417985bbf3b22"
},
"alert_severity_id": 4,
"alert_status_id": 3,
"alert_context": {"context_key": "context_value"
},
"alert_source_event_time": "2023-03-26T03:00:30",
"alert_creation_time": "2024-03-21T08:23:58.133478",
"alert_note": "A note on",
"alert_tags": "defender,anothertag",
"alert_owner_id": 1,
"modification_history": {"1711009438.141667": {"user": "administrator",
"user_id": 1,
"action": "Alert created"
},
"1711970872.267379": {"user": "administrator",
"user_id": 1,
"action": "updated alerts: \"alert_note\",\"alert_tags\",\"alert_resolution_status_id\",\"alert_status_id\""
},
"1711971195.490083": {"user": "administrator",
"user_id": 1,
"action": "updated alert: \"alert_title\",\"alert_description\",\"alert_source_content\",\"alert_status_id\",\"alert_source_event_time\",\"alert_note\",\"alert_tags\""
}
},
"alert_customer_id": 1,
"alert_classification_id": 1,
"alert_resolution_status_id": 1
}
}

Update a batch of alerts

Update a batch of. To update only specific fields one can send only those fields.

Authorizations:

Bearer <bearer>

Request Body schema: application/json

alert_ids	Array of integers
	object

Responses

Request samples

Payload

Content type

application/json

{"alert_ids": [1,
2
],
"updates": {"alert_title": "Low-reputation arbitrary code executed by signed executable",
"alert_description": "This is a test alert, courtesy of MS",
"alert_source": "Test Source",
"alert_source_ref": "Test-123",
"alert_source_link": "https://source_link.com",
"alert_source_content": {"_id": "603f704aaf7417985bbf3b22",
"contextId": "206e2965-6533-48a6-ba9e-794364a84bf9",
"description": "Contoso user performed 11 suspicious activities MITRE Technique used Account Discovery (T1087) and subtechnique used Domain Account (T1087.002)",
"entities": [{"entityRole": "Source",
"entityType": 2,
"id": "6204bdaf-ad46-4e99-a25d-374a0532c666",
"inst": 0,
"label": "user1",
"pa": "user1@contoso.com",
"saas": 11161,
"type": "account"
},
{"entityRole": "Related",
"id": "55017817-27af-49a7-93d6-8af6c5030fdb",
"label": "DC3",
"type": "device"
},
{"id": 20940,
"label": "Active Directory",
"type": "service"
},
{"entityRole": "Related",
"id": "95c59b48-98c1-40ff-a444-d9040f1f68f2",
"label": "DC4",
"type": "device"
},
{"id": "5bfd18bfab73c36ba10d38ca",
"label": "Honeytoken activity",
"policyType": "ANOMALY_DETECTION",
"type": "policyRule"
},
{"entityRole": "Source",
"id": "34f3ecc9-6903-4df7-af79-14fe2d0d4553",
"label": "Client1",
"type": "device"
},
{"entityRole": "Related",
"id": "d68772fe-1171-4124-9f73-0f410340bd54",
"label": "DC1",
"type": "device"
},
{"type": "groupTag",
"id": "5f759b4d106abbe4a504ea5d",
"label": "All Users"
}
],
"idValue": 15795464,
"isSystemAlert": false,
"resolutionStatusValue": 0,
"severityValue": 5,
"statusValue": 1,
"stories": [0
],
"threatScore": 34,
"timestamp": 1621941916475,
"title": "Honeytoken activity",
"comment": "",
"handledByUser": "administrator@contoso.com",
"resolveTime": "2021-05-13T14:02:34.904Z",
"URL": "https://contoso.portal.cloudappsecurity.com/#/alerts/603f704aaf7417985bbf3b22"
},
"alert_severity_id": 4,
"alert_status_id": 3,
"alert_context": {"context_key": "context_value"
},
"alert_source_event_time": "2023-03-26T03:00:30",
"alert_note": "A note on",
"alert_tags": "defender,anothertag",
"alert_customer_id": 1,
"alert_classification_id": 1
}
}

Response samples

200

Content type

application/json

{"status": "success",
"message": "Batch update successful",
"data": [ ]
}

Delete an alert Deprecated

This endpoint is deprecated. Use DELETE /api/v2/alerts/{identifier} instead.

Authorizations:

Bearer <bearer>

path Parameters

alert_id

required

integer

Alert ID to delete

Responses

Response samples

200

Content type

application/json

{"status": "success",
"message": "",
"data": {"alert_id": 436
}
}

Delete an alert

Delete a batch of alerts

Authorizations:

Bearer <bearer>

Request Body schema: application/json

alert_ids

required

Array of integers

Responses

Request samples

Payload

Content type

application/json

{"alert_ids": [5,
11
]
}

Response samples

200

Content type

application/json

{"status": "success",
"message": "",
"data": {"alert_id": 436
}
}

Escalate an alert

Escalate an alert into a new case.

Authorizations:

Bearer <bearer>

path Parameters

alert_id

required

integer

Alert ID to escalate

Request Body schema: application/json

iocs_import_list	Array of strings A list of UUID matching the IOCs to import into the case. These UUIDs are provided when getting information on an alert.
assets_import_list	Array of strings A list of UUID matching the assets to import into the case. These UUIDs are provided when getting information on an alert.
note	string
import_as_event	boolean If set to True, a new event representing the alert is created in the case.
case_tags	string
case_template_id	string
case_title	string

Responses

Request samples

Payload

Content type

application/json

{"iocs_import_list": ["9d28f678-4c41-48a8-babe-66ba789e9072",
"7a638477-c077-4d59-b96a-e49dac84fbab"
],
"assets_import_list": ["bc7a3a2e-6047-452b-b7d1-bbb15addb072",
"cd7c1d04-3052-4d7a-8ff2-c427fbf60153"
],
"note": "Escalation note",
"import_as_event": true,
"case_tags": "Mobile Device Management (MDM) System",
"case_template_id": "1",
"case_title": "[ALERT] Command & Control Traffic 15"
}

Response samples

200

Content type

application/json

{"status": "success",
"message": "",
"data": {"case_name": "#1064 - [RANS] [ALERT] Command & Control Traffic 15",
"case_customer": 1,
"case_uuid": "682ad7df-e7b9-4814-91b0-ba44733bd0aa",
"case_description": "*Alert escalated by administrator*\n\n\n\n### Escalation note\n\nEscalation note\n\n### Alert description\n\nAn attacker has gained access to the network by exploiting a vulnerability in the VPN.\n\n### IRIS alert link\n\n[<i class='fa-solid fa-bell'></i> #1](/alerts?alert_ids=1)\n# Context \n\n\n# Contact \n\n\n# Actions \n",
"case_id": 1064,
"open_date": "2024-01-09",
"status_id": 0,
"modification_history": {"1704818103.649257": {"user": "administrator",
"user_id": 1,
"action": "created"
}
},
"case_soc_id": "1",
"state_id": 11,
"close_date": null,
"classification_id": 6,
"closing_note": null,
"owner_id": 1,
"user_id": 1,
"custom_attributes": null,
"reviewer_id": null,
"review_status_id": null,
"severity_id": 2
}
}

Merge an alert

Merge an alert into an existing case.

Authorizations:

Bearer <bearer>

path Parameters

alert_id

required

integer

Alert ID to merge

Request Body schema: application/json

iocs_import_list	Array of strings A list of UUID matching the IOCs to import into the case. These UUIDs are provided when getting information on an alert.
assets_import_list	Array of strings A list of UUID matching the assets to import into the case. These UUIDs are provided when getting information on an alert.
note	string
import_as_event	boolean If set to True, a new event representing the alert is created in the case.
target_case_id	integer

Responses

Request samples

Payload

Content type

application/json

{"iocs_import_list": ["def3dd20-fddf-4bb0-8aa1-4fdbd3b5974d",
"d8a2ca45-0a4e-4000-b234-b3c208d1a430"
],
"assets_import_list": ["ffe60fbe-c6ec-4998-bfb5-143260a0cc69",
"4f089d0d-c112-461b-8d25-daf5759bacfa"
],
"note": "dsa",
"import_as_event": true,
"target_case_id": "14"
}

Response samples

200

Content type

application/json

{"status": "success",
"message": "",
"data": {"status_id": 0,
"modification_history": {"1682699806.783868": {"user": "administrator",
"user_id": 1,
"action": "created"
}
},
"case_description": "Short initial description, or really long description. It's up to you\n\n*Alert [#179](/alerts?alert_id=179) escalated by administrator*\n\n\n\n### Escalation note\n\ndsa\n",
"case_id": 14,
"closing_note": null,
"case_customer": 4,
"custom_attributes": null,
"classification_id": 36,
"close_date": null,
"case_uuid": "3812dc0a-9b5c-4de6-ae11-6b67e3e3ad5b",
"user_id": 1,
"open_date": "2023-04-28",
"owner_id": 1,
"case_soc_id": "soc_11",
"case_name": "#14 - A new case"
}
}

Unmerge an alert

Unmerge an alert from a case. The alert is unlinked but the data provided by the alert (such as IOCs, assets, etc) remain in the case.

Authorizations:

Bearer <bearer>

path Parameters

alert_id

required

integer

Alert ID to unmerge

Request Body schema: application/json

target_case_id

integer

Responses

Request samples

Payload

Content type

application/json

{"iocs_import_list": ["def3dd20-fddf-4bb0-8aa1-4fdbd3b5974d",
"d8a2ca45-0a4e-4000-b234-b3c208d1a430"
],
"assets_import_list": ["ffe60fbe-c6ec-4998-bfb5-143260a0cc69",
"4f089d0d-c112-461b-8d25-daf5759bacfa"
],
"note": "dsa",
"import_as_event": true,
"target_case_id": "14"
}

Response samples

200

Content type

application/json

{"status": "success",
"message": "",
"data": {"status_id": 0,
"modification_history": {"1682699806.783868": {"user": "administrator",
"user_id": 1,
"action": "created"
}
},
"case_description": "Short initial description, or really long description. It's up to you\n\n*Alert [#179](/alerts?alert_id=179) escalated by administrator*\n\n\n\n### Escalation note\n\ndsa\n",
"case_id": 14,
"closing_note": null,
"case_customer": 4,
"custom_attributes": null,
"classification_id": 36,
"close_date": null,
"case_uuid": "3812dc0a-9b5c-4de6-ae11-6b67e3e3ad5b",
"user_id": 1,
"open_date": "2023-04-28",
"owner_id": 1,
"case_soc_id": "soc_11",
"case_name": "#14 - A new case"
}
}

Customers

Endpoints to interact with customers

List customers

Authorizations:

Bearer <bearer>

Responses

Response samples

200

Content type

application/json

{"total": 0,
"data": [{"customer_name": "fsd",
"customer_description": "fds",
"customer_sla": "fds",
"customer_id": 8,
"client_uuid": "d274194f-0e74-4ae5-9610-e2bf9735f10c",
"creation_date": "2023-03-20T13:25:57.930469",
"last_update_date": "2023-03-20T13:25:57.930469",
"custom_attributes": { }
}
],
"last_page": 0,
"current_page": 0,
"next_page": 0
}

Add a customer

Add a new customer that will be available at case creation.

Authorizations:

Bearer <bearer>

Request Body schema: application/json

customer_name required	string
customer_description	string
customer_sla	string

Responses

Request samples

Payload

Content type

application/json

{"customer_name": "New customer",
"customer_description": "New customer description",
"customer_sla": "New customer SLA"
}

Response samples

201
400

Content type

application/json

{"customer_name": "fsd",
"customer_description": "fds",
"customer_sla": "fds",
"customer_id": 8,
"client_uuid": "d274194f-0e74-4ae5-9610-e2bf9735f10c",
"creation_date": "2023-03-20T13:25:57.930469",
"last_update_date": "2023-03-20T13:25:57.930469",
"custom_attributes": { }
}

Get customer

Get a customer

Authorizations:

Bearer <bearer>

path Parameters

identifier

required

integer

Identifier of the resource to retrieve

Responses

Response samples

201
400

Content type

application/json

{"customer_name": "fsd",
"customer_description": "fds",
"customer_sla": "fds",
"customer_id": 8,
"client_uuid": "d274194f-0e74-4ae5-9610-e2bf9735f10c",
"creation_date": "2023-03-20T13:25:57.930469",
"last_update_date": "2023-03-20T13:25:57.930469",
"custom_attributes": { }
}

Update a customer

Update an existing customer. The new customer name should be one which is not already taken.

Authorizations:

Bearer <bearer>

path Parameters

identifier

required

integer

Identifier of the resource to retrieve

Request Body schema: application/json

customer_name required	string
customer_description	string
customer_sla	string

Responses

Request samples

Payload

Content type

application/json

{"customer_name": "New customer",
"customer_description": "New customer description",
"customer_sla": "New customer SLA"
}

Response samples

201
400

Content type

application/json

{"customer_name": "fsd",
"customer_description": "fds",
"customer_sla": "fds",
"customer_id": 8,
"client_uuid": "d274194f-0e74-4ae5-9610-e2bf9735f10c",
"creation_date": "2023-03-20T13:25:57.930469",
"last_update_date": "2023-03-20T13:25:57.930469",
"custom_attributes": { }
}

Delete a customer

A customer can be deleted only if it is not referenced in a case. To delete a referenced, every referencing cases musth be deleted before.

Authorizations:

Bearer <bearer>

path Parameters

identifier

required

integer

Identifier of the resource to retrieve

Responses

Response samples

400

Content type

application/json

{"message": "Error processing request - check server logs",
"data": null
}

List customers Deprecated

This endpoint is deprecated. Use GET /api/v2/manage/customers instead.

Authorizations:

Bearer <bearer>

query Parameters

cid	integer Case ID

Responses

Response samples

200

Content type

application/json

{"data": [{"customer_description": "New customer description",
"customer_id": 1,
"customer_name": "New customer",
"customer_sla": "New customer SLA",
"customer_uuid": "ad6d9fd2-a149-45b7-9209-ca558df7b03f"
},
{"customer_description": null,
"customer_id": 10,
"customer_name": "IrisInitialClient",
"customer_sla": null,
"customer_uuid": "43a20fd8-1012-48ac-9dff-cdf5b6334c76"
}
],
"message": "",
"status": "success"
}

List customers Deprecated

This endpoint is deprecated. Use GET /api/v2/manage/customers/{identifier} instead.

Authorizations:

Bearer <bearer>

path Parameters

customer_id

required

string

query Parameters

cid	integer Case ID

Responses

Response samples

200

Content type

application/json

{"data": {"contacts": [{"client_id": 1,
"contact_email": "contact@iris.local",
"contact_mobile_phone": "2222222",
"contact_name": "New contact",
"contact_note": "Notes on the customer",
"contact_role": "Manager",
"contact_uuid": "e42a5db2-763b-405b-95e4-5c75a4ec7110",
"contact_work_phone": "1111111",
"custom_attributes": null,
"id": 1
},
{"client_id": 1,
"contact_email": "contact@iris.local",
"contact_mobile_phone": "2222222",
"contact_name": "New contact",
"contact_note": "Notes on the contact",
"contact_role": "Manager",
"contact_uuid": "950337e3-938f-485b-b1c7-1d44c7bfc252",
"contact_work_phone": "1111111",
"custom_attributes": null,
"id": 2
}
],
"customer_description": "New customer description",
"customer_id": 1,
"customer_name": "New customer",
"customer_sla": "New customer SLA",
"customer_uuid": "ad6d9fd2-a149-45b7-9209-ca558df7b03f"
},
"message": "",
"status": "success"
}

Add a customer Deprecated

This endpoint is deprecated. Use POST /api/v2/manage/customers instead.

Authorizations:

Bearer <bearer>

Request Body schema: application/json

customer_name required	string
customer_description required	string
customer_sla required	string
custom_attributes required	object

Responses

Request samples

Payload

Content type

application/json

{"customer_name": "New customer",
"customer_description": "New customer description",
"customer_sla": "New customer SLA",
"custom_attributes": { }
}

Response samples

200
400

Content type

application/json

{"data": {"client_uuid": "d274194f-0e74-4ae5-9610-e2bf9735f10c",
"creation_date": "2023-03-20T13:25:57.930469",
"custom_attributes": { },
"customer_description": "fds",
"customer_id": 8,
"customer_name": "fsd",
"customer_sla": "fds",
"last_update_date": "2023-03-20T13:25:57.930469"
},
"message": "Added successfully",
"status": "success"
}

Update a customer Deprecated

This endpoint is deprecated. Use PUT /api/v2/manage/customers/{identifier} instead.

Authorizations:

Bearer <bearer>

path Parameters

customer_id

required

integer

Customer ID to update

Request Body schema: application/json

customer_name	string
customer_description	string
customer_sla	string
custom_attributes	object

Responses

Request samples

Payload

Content type

application/json

{"customer_name": "New customer",
"customer_description": "New customer description",
"customer_sla": "New customer SLA",
"custom_attributes": { }
}

Response samples

200
400

Content type

application/json

{"data": {"client_uuid": "ad6d9fd2-a149-45b7-9209-ca558df7b03f",
"creation_date": "2023-03-06T08:24:16.671619",
"custom_attributes": { },
"customer_description": "New customer description",
"customer_id": 1,
"customer_name": "New customer",
"customer_sla": "New customer SLA",
"last_update_date": "2023-03-06T08:24:16.671619"
},
"message": "Customer updated",
"status": "success"
}

Delete a customer Deprecated

This endpoint is deprecated. Use DELETE /api/v2/manage/customers/{identifier} instead.

Authorizations:

Bearer <bearer>

path Parameters

customer_id

required

integer

ID of the customer to delete

Responses

Response samples

200

Content type

application/json

{"data": [ ],
"message": "Deleted successfully",
"status": "success"
}

Add a customer contact

Add a new customer contact.

Authorizations:

Bearer <bearer>

path Parameters

customer_id

required

integer

ID of the customer

query Parameters

cid

required

integer

Case ID

Request Body schema: application/json

contact_name	string
contact_role	string
contact_email	string
contact_work_phone	string
contact_mobile_phone	string
contact_note	string

Responses

Request samples

Payload

Content type

application/json

{"contact_name": "New contact",
"contact_role": "Manager",
"contact_email": "contact@iris.local",
"contact_work_phone": "1111111",
"contact_mobile_phone": "2222222",
"contact_note": "Notes on the contact"
}

Response samples

200

Content type

application/json

{"data": [ ],
"message": "Deleted successfully",
"status": "success"
}

Add a customer contact

Update a customer contact.

Authorizations:

Bearer <bearer>

path Parameters

customer_id required	integer ID of the customer
contact_id required	string ID of the contact

query Parameters

cid

required

integer

Case ID

Request Body schema: application/json

contact_name	string
contact_role	string
contact_email	string
contact_work_phone	string
contact_mobile_phone	string
contact_note	string

Responses

Request samples

Payload

Content type

application/json

{"contact_name": "New contact",
"contact_role": "Manager",
"contact_email": "contact@iris.local",
"contact_work_phone": "1111111",
"contact_mobile_phone": "2222222",
"contact_note": "Notes on the contact"
}

Response samples

200

Content type

application/json

{"data": {"client_id": 1,
"contact_email": "contact@iris.local",
"contact_mobile_phone": "2222222",
"contact_name": "New contact",
"contact_note": "Notes on the contact",
"contact_role": "Manager",
"contact_uuid": "950337e3-938f-485b-b1c7-1d44c7bfc252",
"contact_work_phone": "1111111",
"custom_attributes": null,
"id": 2
},
"message": "Added successfully",
"status": "success"
}

Comments

Endpoints to interact with comments

Get a paginated list of comments

Authorizations:

Bearer <bearer>

path Parameters

objects required	string Enum: "alerts" "assets" "events" "evidences" "iocs" "notes" "tasks" Type of commented object
object_identifier required	integer Identifier of the commented object

query Parameters

page	integer Default: 1 Page number
per_page	integer Default: 10 Number of results per page

Responses

Response samples

200
400

Content type

application/json

{"total": 0,
"data": [{"comment_text": "Comment content",
"comment_id": 12,
"comment_uuid": "f43d28a7-cd07-48ec-a602-26e0ce21743b",
"comment_date": "Mon, 20 Mar 2023 17:12:06 GMT",
"comment_update_date": "Mon, 20 Mar 2023 17:12:06 GMT"
}
],
"last_page": 0,
"current_page": 0,
"next_page": 0
}

Add a new comment to a case object

Authorizations:

Bearer <bearer>

path Parameters

objects required	string Enum: "alerts" "assets" "events" "evidences" "iocs" "notes" "tasks" Type of commented object
object_identifier required	integer Identifier of the commented object

Request Body schema: application/json

comment_text

string

Responses

Request samples

Payload

Content type

application/json

{"comment_text": "Comment content"
}

Response samples

201
400

Content type

application/json

{"comment_text": "Comment content",
"comment_id": 12,
"comment_uuid": "f43d28a7-cd07-48ec-a602-26e0ce21743b",
"comment_date": "Mon, 20 Mar 2023 17:12:06 GMT",
"comment_update_date": "Mon, 20 Mar 2023 17:12:06 GMT"
}

Get a comment

Authorizations:

Bearer <bearer>

path Parameters

objects required	string Enum: "alerts" "assets" "events" "evidences" "iocs" "notes" "tasks" Type of commented object
object_identifier required	integer Identifier of the commented object
identifier required	integer Identifier of the comment

Responses

Response samples

200
400

Content type

application/json

{"comment_text": "Comment content",
"comment_id": 12,
"comment_uuid": "f43d28a7-cd07-48ec-a602-26e0ce21743b",
"comment_date": "Mon, 20 Mar 2023 17:12:06 GMT",
"comment_update_date": "Mon, 20 Mar 2023 17:12:06 GMT"
}

Update a comment

Authorizations:

Bearer <bearer>

path Parameters

objects required	string Enum: "alerts" "assets" "events" "evidences" "iocs" "notes" "tasks" Type of commented object
object_identifier required	integer Identifier of the commented object
identifier required	integer Identifier of the comment

Request Body schema: application/json

comment_text

string

Responses

Request samples

Payload

Content type

application/json

{"comment_text": "Comment content"
}

Response samples

200
400

Content type

application/json

{"comment_text": "Comment content",
"comment_id": 12,
"comment_uuid": "f43d28a7-cd07-48ec-a602-26e0ce21743b",
"comment_date": "Mon, 20 Mar 2023 17:12:06 GMT",
"comment_update_date": "Mon, 20 Mar 2023 17:12:06 GMT"
}

Delete a comment

Authorizations:

Bearer <bearer>

path Parameters

objects required	string Enum: "alerts" "assets" "events" "evidences" "iocs" "notes" "tasks" Type of commented object
object_identifier required	integer Identifier of the commented object
identifier required	integer Identifier of the comment

Responses

Response samples

400

Content type

application/json

{"message": "Error processing request - check server logs",
"data": null
}

Add a new comment to a case object Deprecated

This endpoint is deprecated. Use POST /api/v2/{objects}/{object_identifier} instead.

Authorizations:

Bearer <bearer>

path Parameters

object_name required	string Enum: "notes" "assets" "ioc" "events" "tasks" "evidences" Name of the case object to comment
object_id required	integer ID of the object to comment

Request Body schema: application/json

comment_text

string

Responses

Request samples

Payload

Content type

application/json

{"comment_text": "string"
}

Response samples

200

Content type

application/json

{"data": [{"comment_date": "Mon, 20 Mar 2023 17:12:06 GMT",
"comment_id": 12,
"comment_text": "No ",
"comment_update_date": "Mon, 20 Mar 2023 17:12:06 GMT",
"comment_uuid": "f43d28a7-cd07-48ec-a602-26e0ce21743b",
"name": "administrator",
"user": "administrator"
}
],
"message": "",
"status": "success"
}

List the comments of an object Deprecated

This endpoint is deprecated. Use GET /api/v2/{objects}/{object_identifier} instead.

Authorizations:

Bearer <bearer>

path Parameters

object_name required	string Enum: "notes" "assets" "ioc" "events" "tasks" "evidences" Name of the case object to comment
object_id required	integer ID of the object to comment

Responses

Response samples

200

Content type

application/json

{"data": [{"comment_date": "Mon, 20 Mar 2023 17:12:06 GMT",
"comment_id": 12,
"comment_text": "No ",
"comment_update_date": "Mon, 20 Mar 2023 17:12:06 GMT",
"comment_uuid": "f43d28a7-cd07-48ec-a602-26e0ce21743b",
"name": "administrator",
"user": "administrator"
}
],
"message": "",
"status": "success"
}

Delete an object Deprecated

This endpoint is deprecated. Use DELETE /api/v2/{objects}/{object_identifier} instead.

Authorizations:

Bearer <bearer>

path Parameters

object_name required	string Enum: "notes" "assets" "ioc" "events" "tasks" "evidences" Name of the case object to comment
object_id required	integer ID of the object to comment
comment_id required	integer ID of the comment to update

Responses

Response samples

200

Content type

application/json

{"data": [ ],
"message": "Comment deleted",
"status": "success"
}

Edit a comment Deprecated

This endpoint is deprecated. Use PUT /api/v2/{objects}/{object_identifier} instead.

Authorizations:

Bearer <bearer>

path Parameters

object_name required	string Name of the case object to comment
object_id required	integer ID of the object to comment
comment_id required	integer ID of the comment to update

Request Body schema: application/json

comment_text

string

Responses

Request samples

Payload

Content type

application/json

{"comment_text": "string"
}

Response samples

200

Content type

application/json

{"data": {"comment_case_id": 153,
"comment_date": "2023-03-20T16:18:27.752242",
"comment_id": 57,
"comment_text": "dsadasada",
"comment_update_date": "2023-03-20T16:21:06.358208",
"comment_user_id": 11,
"comment_uuid": "ff14db70-b328-4f0e-9f60-bc6eb4157a8f"
},
"message": "Comment edited",
"status": "success"
}

Manage Users

Endpoints to interact with users

Create a new user

Administrator role required.

Authorizations:

Bearer <bearer>

Request Body schema: application/json

user_login required	string
user_name required	string
user_email required	string
has_deletion_confirmation	boolean
has_mini_sidebar	boolean
in_dark_mode	boolean
user_is_service_account	boolean
uuid	string
active	boolean
id	integer
external_id	null
user_api_key	string

Responses

Request samples

Payload

Content type

application/json

{"user_name": "New usergroup",
"user_login": "New description",
"user_email": "user@test.com",
"user_is_service_account": true
}

Response samples

201
400

Content type

application/json

{"user_login": "strsing",
"user_name": "string",
"user_email": "stringa",
"user_id": 4,
"user_is_service_account": true,
"has_deletion_confirmation": false,
"uuid": "bb807755-62fa-412b-b242-fd930a24be13",
"active": true,
"in_dark_mode": null,
"has_mini_sidebar": false,
"user_api_key": "ViYIIkN_LL062yNOcq2kJA3ZMscOAoHmLy8GEh_JYKBWwspLB_E65jhYLg9CsR0J-kP8DmmM3RO31_xixrG8rw"
}

Get a user

Requires administrative rights. Returns information of a specific user.

Authorizations:

Bearer <bearer>

path Parameters

identifier

required

integer

Identifier of the resource to retrieve

Responses

Response samples

201
400

Content type

application/json

{"user_login": "strsing",
"user_name": "string",
"user_email": "stringa",
"user_id": 4,
"user_is_service_account": true,
"has_deletion_confirmation": false,
"uuid": "bb807755-62fa-412b-b242-fd930a24be13",
"active": true,
"in_dark_mode": null,
"has_mini_sidebar": false,
"user_api_key": "ViYIIkN_LL062yNOcq2kJA3ZMscOAoHmLy8GEh_JYKBWwspLB_E65jhYLg9CsR0J-kP8DmmM3RO31_xixrG8rw"
}

Update user

Update an existing user. Requires administrative rights.

Authorizations:

Bearer <bearer>

path Parameters

identifier

required

integer

Identifier of the resource to retrieve

Request Body schema: application/json

active	boolean
external_id	string
has_deletion_confirmation	boolean
in_dark_mode	boolean
user_email	string
user_id	integer
user_login	string
user_name	string
user_password	string
uuid	string

Responses

Request samples

Payload

Content type

application/json

{"user_name": "new_user",
"user_login": "new_user_login",
"user_email": "new_user_email"
}

Response samples

201
400

Content type

application/json

{"user_login": "strsing",
"user_name": "string",
"user_email": "stringa",
"user_id": 4,
"user_is_service_account": true,
"has_deletion_confirmation": false,
"uuid": "bb807755-62fa-412b-b242-fd930a24be13",
"active": true,
"in_dark_mode": null,
"has_mini_sidebar": false,
"user_api_key": "ViYIIkN_LL062yNOcq2kJA3ZMscOAoHmLy8GEh_JYKBWwspLB_E65jhYLg9CsR0J-kP8DmmM3RO31_xixrG8rw"
}

Delete user

Delete user. Requires administrative rights.

Authorizations:

Bearer <bearer>

path Parameters

identifier

required

integer

Identifier of the resource to retrieve

Responses

Response samples

400

Content type

application/json

{"message": "Error processing request - check server logs",
"data": null
}

Get user profile

Returns the current user profile

Authorizations:

Bearer <bearer>

Responses

Response samples

200
400

Content type

application/json

{"user_login": "strsing",
"user_name": "string",
"user_email": "stringa",
"user_id": 4,
"user_is_service_account": true,
"has_deletion_confirmation": false,
"uuid": "bb807755-62fa-412b-b242-fd930a24be13",
"active": true,
"in_dark_mode": null,
"has_mini_sidebar": false,
"user_api_key": "ViYIIkN_LL062yNOcq2kJA3ZMscOAoHmLy8GEh_JYKBWwspLB_E65jhYLg9CsR0J-kP8DmmM3RO31_xixrG8rw"
}

Update user profile

Update the current user profile

Authorizations:

Bearer <bearer>

Request Body schema: application/json

user_login	string
user_name	string
user_email	string
has_deletion_confirmation	boolean
has_mini_sidebar	boolean
in_dark_mode	boolean
ctx_case	integer
user_password	string

Responses

Request samples

Payload

Content type

application/json

{"user_name": "new_user",
"user_login": "new_user_login",
"user_email": "new_user_email"
}

Response samples

201
400

Content type

application/json

{"user_login": "strsing",
"user_name": "string",
"user_email": "stringa",
"user_id": 4,
"user_is_service_account": true,
"has_deletion_confirmation": false,
"uuid": "bb807755-62fa-412b-b242-fd930a24be13",
"active": true,
"in_dark_mode": null,
"has_mini_sidebar": false,
"user_api_key": "ViYIIkN_LL062yNOcq2kJA3ZMscOAoHmLy8GEh_JYKBWwspLB_E65jhYLg9CsR0J-kP8DmmM3RO31_xixrG8rw"
}

Delete a user Deprecated

This endpoint is deprecated. Use DELETE /api/v2/manage/users/{identifier} instead.

Authorizations:

Bearer <bearer>

path Parameters

user_id

required

integer

User ID

query Parameters

cid

required

integer

Case ID

Responses

Response samples

400

Content type

application/json

{"data": [ ],
"message": "Cannot delete active user",
"status": "error"
}

get-manage-users-delete-user_id Deprecated

This endpoint is deprecated. Use the POST /manage/users/delete/{user_id} instead.

Authorizations:

Bearer <bearer>

path Parameters

user_id

required

integer

User ID

query Parameters

cid	integer Case ID

Responses

Update a user Deprecated

This endpoint is deprecated. Use PUT /api/v2/manage/users/{identifier} instead.

Authorizations:

Bearer <bearer>

path Parameters

user_id

required

integer

User ID

query Parameters

cid

required

integer

Case ID

Request Body schema: application/json

user_name	string
user_login	string
user_email	string
user_password	string

Responses

Request samples

Payload

Content type

application/json

{"user_name": "string",
"user_login": "string",
"user_email": "string",
"user_password": "string"
}

Response samples

200
400

Content type

application/json

{"data": {"active": true,
"external_id": null,
"has_deletion_confirmation": true,
"id": 0,
"in_dark_mode": null,
"user_email": "string",
"user_id": 0,
"user_login": "string",
"user_name": "string",
"user_password": "string",
"uuid": "string"
},
"message": "string",
"status": "string"
}

Add a user Deprecated

This endpoint is deprecated. Use POST /api/v2/manage/users instead.

Authorizations:

Bearer <bearer>

Request Body schema: application/json

user_name required	string non-empty
user_login required	string non-empty Has to be unique
user_email required	string non-empty Has to be unique
user_password	string non-empty Must satisfy policy of 12chars, 1 uppercase, 1 number
user_is_service_account	boolean

Responses

Request samples

Payload

Content type

application/json

{"user_name": "string",
"user_login": "string",
"user_email": "string",
"user_password": "string",
"user_is_service_account": true
}

Response samples

200
400

Content type

application/json

{"status": "success",
"message": "user created",
"data": {"user_is_service_account": true,
"user_name": "strsinsg",
"has_deletion_confirmation": false,
"uuid": "bb807755-62fa-412b-b242-fd930a24be13",
"active": true,
"user_login": "strsing",
"user_email": "stringa",
"id": 4,
"in_dark_mode": null,
"external_id": null,
"has_mini_sidebar": false,
"user_api_key": "ViYIIkN_LL062yNOcq2kJA3ZMscOAoHmLy8GEh_JYKBWwspLB_E65jhYLg9CsR0J-kP8DmmM3RO31_xixrG8rw"
}
}

Update user groups

Administrator role required. Update the groups of a user.

Authorizations:

Bearer <bearer>

path Parameters

user_id

required

integer

User ID

query Parameters

cid

required

integer

Case ID

Request Body schema: application/json

groups_membership

required

Array of integers

Responses

Request samples

Payload

Content type

application/json

{"groups_membership": [1,
2
]
}

Response samples

200
400

Content type

application/json

{"data": {"active": true,
"id": 0,
"user_email": "string",
"user_login": "string",
"user_name": "string",
"user_password": "string"
},
"message": "string",
"status": "string"
}

Update user cases access

Administrator role required. Update the case access of a user.

Authorizations:

Bearer <bearer>

path Parameters

user_id

required

integer

User ID

query Parameters

cid

required

integer

Case ID

Request Body schema: application/json

cases_list required	Array of integers
access_level	integer

Responses

Request samples

Payload

Content type

application/json

{"cases_list": [1,
2
],
"access_level": 2
}

Response samples

200
400

Content type

application/json

{"data": {"active": true,
"id": 0,
"user_email": "string",
"user_login": "string",
"user_name": "string",
"user_password": "string"
},
"message": "string",
"status": "string"
}

Delete user cases access

Administrator role required. Remove cases access from a user.

Authorizations:

Bearer <bearer>

path Parameters

user_id

required

integer

User ID

query Parameters

cid

required

integer

Case ID

Request Body schema: application/json

cases

required

integer

Responses

Request samples

Payload

Content type

application/json

{"cases": [1,
2
]
}

Response samples

200

Content type

application/json

{"data": {"user_active": true,
"user_cases_access": [ ],
"user_email": "administrator@iris.local",
"user_groups": [{"group_id": 1,
"group_name": "Administrators",
"group_uuid": "17511de3-99f5-482a-a541-22bb77e62a9f"
},
{"group_id": 5,
"group_name": "Test",
"group_uuid": "bc3e93c5-1755-4411-acf0-0a5f4f47dfb7"
}
],
"user_id": 1,
"user_login": "administrator",
"user_name": "administrator",
"user_organisations": [{"is_primary_org": true,
"org_id": 1,
"org_name": "Default Org",
"org_uuid": "f0b6364d-bab8-48ac-8de3-8be04f409aa7"
}
],
"user_permissions": {"1": {"inherited_from": ["Administrators",
"Test"
],
"name": "standard_user",
"value": 1
},
"2": {"inherited_from": ["Administrators"
],
"name": "server_administrator",
"value": 2
}
},
"user_primary_organisation_id": 1,
"user_uuid": "87d6cfcd-6871-43ea-85ab-eea705c08845"
},
"message": "User case access updated",
"status": "success"
}

Get user list

Return a list of available users.

Authorizations:

Bearer <bearer>

query Parameters

cid	integer Case ID

Responses

Response samples

200

Content type

application/json

{"status": "success",
"message": "",
"data": [{"user_id": 1,
"user_uuid": "815be41e-9a7d-4a2e-9e69-db2ceeba6ad2",
"user_name": "administrator",
"user_login": "administrator",
"user_email": "administrator@iris.local",
"user_active": true,
"user_is_service_account": false
},
{"user_id": 2,
"user_uuid": "17e16ccd-a461-4fb0-b219-07f13231d6ce",
"user_name": "automation",
"user_login": "automation",
"user_email": "automation@automation",
"user_active": true,
"user_is_service_account": true
},
{"user_id": 3,
"user_uuid": "06e9d803-d8fc-401f-9487-d76e83072b2b",
"user_name": "string",
"user_login": "string",
"user_email": "string",
"user_active": true,
"user_is_service_account": true
},
{"user_id": 4,
"user_uuid": "bb807755-62fa-412b-b242-fd930a24be13",
"user_name": "strsinsg",
"user_login": "strsing",
"user_email": "stringa",
"user_active": true,
"user_is_service_account": true
}
]
}

Fetch a user

Recompute the effective user access.

Authorizations:

Bearer <bearer>

path Parameters

user_id

required

integer

user ID

query Parameters

cid

required

integer

Case ID

Responses

Response samples

200
400

Content type

application/json

{"data": [ ],
"message": "Updated",
"status": "success"
}

Fetch a user Deprecated

This endpoint is deprecated. Use GET /api/v2/manage/users/{identifier} instead.

Authorizations:

Bearer <bearer>

path Parameters

user_id

required

integer

user ID

Responses

Response samples

200
400

Content type

application/json

{"data": {"user_active": true,
"user_cases_access": [ ],
"user_email": "administrator@iris.local",
"user_groups": [{"group_id": 1,
"group_name": "Administrators",
"group_uuid": "17511de3-99f5-482a-a541-22bb77e62a9f"
}
],
"user_id": 1,
"user_login": "administrator",
"user_name": "administrator",
"user_organisations": [{"is_primary_org": true,
"org_id": 1,
"org_name": "Default Org",
"org_uuid": "f0b6364d-bab8-48ac-8de3-8be04f409aa7"
}
],
"user_permissions": {"1": {"inherited_from": ["Administrators"
],
"name": "standard_user",
"value": 1
},
"2": {"inherited_from": ["Administrators"
],
"name": "server_administrator",
"value": 2
}
},
"user_primary_organisation_id": 1,
"user_uuid": "87d6cfcd-6871-43ea-85ab-eea705c08845"
},
"message": "",
"status": "success"
}

Manage Groups

Endpoints to interact with groups

Add a new group

Requires administrative rights.

Authorizations:

Bearer <bearer>

Request Body schema: application/json

group_name required	string
group_description required	string
group_permissions	integer

Responses

Request samples

Payload

Content type

application/json

{"group_name": "New group",
"group_description": "New description",
"group_permissions": 1
}

Response samples

201
400

Content type

application/json

{"group_auto_follow": false,
"group_auto_follow_access_level": 0,
"group_description": "New description",
"group_id": 4,
"group_name": "New group",
"group_permissions": 1,
"group_uuid": "a9bb4b93-c8ac-490d-9387-f97f4722271c"
}

Get a group

Requires administrative rights.

Authorizations:

Bearer <bearer>

path Parameters

identifier

required

integer

Identifier of the resource to retrieve

Responses

Response samples

200
400

Content type

application/json

{"group_auto_follow": false,
"group_auto_follow_access_level": 0,
"group_description": "New description",
"group_id": 4,
"group_name": "New group",
"group_permissions": 1,
"group_uuid": "a9bb4b93-c8ac-490d-9387-f97f4722271c"
}

Update group

Update an existing group. Requires administrative rights.

Authorizations:

Bearer <bearer>

path Parameters

identifier

required

integer

Identifier of the resource to retrieve

Request Body schema: application/json

group_name required	string
group_description	string
group_permissions	integer
group_auto_follow	boolean
group_auto_follow_access_level	integer
group_id	integer
group_uuid	string

Responses

Request samples

Payload

Content type

application/json

{"group_name": "New group",
"group_description": "New description",
"group_permissions": 1
}

Response samples

201
400

Content type

application/json

{"group_auto_follow": false,
"group_auto_follow_access_level": 0,
"group_description": "New description",
"group_id": 4,
"group_name": "New group",
"group_permissions": 1,
"group_uuid": "a9bb4b93-c8ac-490d-9387-f97f4722271c"
}

Delete group

Delete group. Requires administrative rights.

Authorizations:

Bearer <bearer>

path Parameters

identifier

required

integer

Identifier of the resource to retrieve

Responses

Response samples

400

Content type

application/json

{"message": "Error processing request - check server logs",
"data": null
}

Add a new group Deprecated

This endpoint is deprecated. Use POST /api/v2/manage/groups/add instead.

Authorizations:

Bearer <bearer>

query Parameters

cid

required

integer

Case ID

Request Body schema: application/json

group_name required	string
group_description required	string
group_permissions required	integer

Responses

Request samples

Payload

Content type

application/json

{"group_name": "New group",
"group_description": "New description",
"group_permissions": 1
}

Response samples

200

Content type

application/json

{"data": {"group_auto_follow": false,
"group_auto_follow_access_level": 0,
"group_description": "New description",
"group_id": 4,
"group_name": "New group",
"group_permissions": 1,
"group_uuid": "a9bb4b93-c8ac-490d-9387-f97f4722271c"
},
"message": "",
"status": "success"
}

Update a group Deprecated

This endpoint is deprecated. Use PUT /api/v2/manage/groups/{identifier} instead.

Authorizations:

Bearer <bearer>

path Parameters

group_id

required

integer

Group ID

query Parameters

cid

required

integer

Case ID

Request Body schema: application/json

group_name required	string
group_description required	string
group_permissions required	integer

Responses

Request samples

Payload

Content type

application/json

{"group_name": "New group",
"group_description": "New description",
"group_permissions": 1
}

Response samples

200
400

Content type

application/json

{"data": {"group_auto_follow": false,
"group_auto_follow_access_level": 0,
"group_description": "New description",
"group_id": 4,
"group_name": "New group",
"group_permissions": 1,
"group_uuid": "a9bb4b93-c8ac-490d-9387-f97f4722271c"
},
"message": "",
"status": "success"
}

Update group members

Requires administrative rights. Set the members of a group.

Authorizations:

Bearer <bearer>

path Parameters

group_id

required

integer

Group ID

query Parameters

cid

required

integer

Case ID

Request Body schema: application/json

group_members

Array of integers

Responses

Request samples

Payload

Content type

application/json

{"group_members": [1,
2
]
}

Response samples

200
400

Content type

application/json

{"data": [ ],
"message": "Group deleted",
"status": "success"
}

Delete a Group Deprecated

This endpoint is deprecated. Use DELETE /api/v2/manage/groups/{identifier} instead.

Authorizations:

Bearer <bearer>

path Parameters

group_id

required

integer

Group ID

query Parameters

cid

required

integer

Case ID

Responses

Response samples

200
400

Content type

application/json

{"data": [ ],
"message": "Group deleted",
"status": "success"
}

Delete a member of a group

Requires administrative rights.

Authorizations:

Bearer <bearer>

path Parameters

group_id required	integer Group ID
user_id required	integer User ID

query Parameters

cid

required

integer

Case ID

Responses

Response samples

200
400

Content type

application/json

{"data": [ ],
"message": "Group deleted",
"status": "success"
}

Set case access of a group

Requires administrative rights.

Authorizations:

Bearer <bearer>

path Parameters

group_id

required

integer

Group ID

query Parameters

cid

required

integer

Case ID

Request Body schema: application/json

access_level required	integer
cases_list required	Array of integers
auto_follow_cases required	boolean

Responses

Request samples

Payload

Content type

application/json

{"access_level": 0,
"cases_list": [0
],
"auto_follow_cases": false
}

Response samples

200
400

Content type

application/json

{"data": {"group_auto_follow": false,
"group_auto_follow_access_level": 4,
"group_cases_access": [{"access_level": 0,
"access_level_list": [ ],
"case_id": 1,
"case_name": "#1 - Dummy name"
}
],
"group_description": "Standard Analysts",
"group_id": 2,
"group_members": [ ],
"group_name": "Analysts",
"group_permissions": 1,
"group_permissions_list": [{"name": "standard_user",
"value": 1
}
],
"group_uuid": "f71c519f-db4f-4bd3-9dd3-b427a5812089",
"registry": null
},
"message": "",
"status": "success"
}

Delete cases access of a group

Requires administrative rights.

Authorizations:

Bearer <bearer>

path Parameters

group_id

required

integer

Group ID

query Parameters

cid

required

integer

Case ID

Request Body schema: application/json

cases

Array of integers

Responses

Request samples

Payload

Content type

application/json

{"cases": [1
]
}

Response samples

200
400

Content type

application/json

{"data": {"group_auto_follow": false,
"group_auto_follow_access_level": 4,
"group_cases_access": [{"access_level": 0,
"access_level_list": [ ],
"case_id": 1,
"case_name": "#1 - Dummy name"
}
],
"group_description": "Standard Analysts",
"group_id": 2,
"group_members": [ ],
"group_name": "Analysts",
"group_permissions": 1,
"group_permissions_list": [{"name": "standard_user",
"value": 1
}
],
"group_uuid": "f71c519f-db4f-4bd3-9dd3-b427a5812089",
"registry": null
},
"message": "",
"status": "success"
}

List the groups

Authorizations:

Bearer <bearer>

query Parameters

cid

required

integer

Case ID

Request Body schema: application/json

	Array of objects
message	string
status	string

Request samples

Payload

Content type

application/json

{"data": [{"group_auto_follow": true,
"group_auto_follow_access_level": 4,
"group_description": "Administrators",
"group_id": 1,
"group_members": [{"id": 1,
"name": "administrator",
"user": "administrator"
}
],
"group_name": "Administrators",
"group_permissions": 3,
"group_permissions_list": [{"name": "standard_user",
"value": 1
},
{"name": "server_administrator",
"value": 2
}
],
"group_uuid": "17511de3-99f5-482a-a541-22bb77e62a9f",
"registry": null
},
{"group_auto_follow": true,
"group_auto_follow_access_level": 4,
"group_description": "Standard Analysts",
"group_id": 2,
"group_members": [ ],
"group_name": "Analysts",
"group_permissions": 1,
"group_permissions_list": [{"name": "standard_user",
"value": 1
}
],
"group_uuid": "f71c519f-db4f-4bd3-9dd3-b427a5812089",
"registry": null
},
{"group_auto_follow": false,
"group_auto_follow_access_level": 0,
"group_description": "New description",
"group_id": 4,
"group_members": [ ],
"group_name": "New group",
"group_permissions": 1,
"group_permissions_list": [{"name": "standard_user",
"value": 1
}
],
"group_uuid": "a9bb4b93-c8ac-490d-9387-f97f4722271c",
"registry": null
}
],
"message": "",
"status": "success"
}

Modules

Endpoints to interact with modules

Iris module task list

List current and previous tasks run by modules.

Authorizations:

Bearer <bearer>

path Parameters

rows_count

required

integer

Number of rows to return

Responses

Response samples

200

Content type

application/json

No sample

Iris module task list Deprecated

This endpoint is depreacted. Use /dim/tasks/list/ instead.

Authorizations:

Bearer <bearer>

Responses

Response samples

200

Content type

application/json

{"data": [{"case": "string",
"date_done": "string",
"module": "string",
"state": "string",
"task_id": "string",
"user": "string"
}
],
"message": "string",
"status": "string"
}

Iris module task list

List all manual hooks available for a particular case object.
Available objects types are :

case
ioc
asset
note
event
task
evidence
global_task

The returned information can provided to the /dim/hooks/call endpoint to trigger a hook.

Authorizations:

Bearer <bearer>

path Parameters

object_type

required

string

Object type

Responses

Response samples

200

Content type

application/json

{"data": [{"hook_name": "on_manual_trigger_ioc",
"manual_hook_ui_name": "Get VT insight",
"module_name": "iris_vt_module"
}
],
"message": "",
"status": "success"
}

Call a module

Executes a manual trigger on a specified hook. This allows to trigger a hook as it would be done on the GUI. This only concerns manual hooks, and each call triggers a specific hook of a specific module, as specified in the request.

To get a list of all available hooks for a case object, use the /dim/hooks/options/<type>/list endpoint.

Authorizations:

Bearer <bearer>

query Parameters

cid

required

integer

Case ID

Request Body schema: application/json

hook_name required	string non-empty Internal name of the hook as specified in the hook documentation.
module_name required	string non-empty Name of the module to call
hook_ui_name required	string non-empty UI name of the hook, either auto generated by IRIS or provided by the module itself.
type required	string non-empty Type of data processed by the hook (ioc, asset, etc)
targets required	Array of objects List of objects ID of type "type" to process

Responses

Request samples

Payload

Content type

application/json

{"hook_name": "on_manual_trigger_ioc",
"module_name": "iris_vt_module",
"hook_ui_name": "Get VT insight",
"type": "ioc",
"targets": [10
]
}

API

General API endpoints

Get API versions

Returns information on API versions supported by the server.

Authorizations:

Bearer <bearer>

Responses

Response samples

200

Content type

application/json

{"data": {"api_current": "2.0.0",
"api_min": "2.0.0",
"iris_current": "v2.0.0-beta-3"
},
"message": "",
"status": "success"
}

Ping server

Used to test authentication. Respond "pong" if authentication is successfull.

Authorizations:

Bearer <bearer>

Responses

Response samples

200
401

Content type

application/json

{"data": [ ],
"message": "pong",
"status": "success"
}

Beta

These are all the endpoints which are still in beta. Their signature may evolve. Any feedback is welcome!

Create a case

Creates a new case.

Authorizations:

Bearer <bearer>

Request Body schema: application/json

case_name required	string >= 2 characters A short name for the case. The case number will be prepend.
case_description required	string >= 2 characters A short description of the case. This will be the summary of the case.
case_customer required	integer The customer ID linked to the case.
case_soc_id required	string A SOC ticket reference
custom_attributes	object
case_template_id	integer
classification_id	null or integer

Responses

Request samples

Payload

Content type

application/json

{"case_soc_id": "SOC_154",
"case_customer": 1,
"case_name": "My Case API",
"case_description": "A super nice description"
}

Response samples

201
400

Content type

application/json

{"case_name": "#1065 - My Case API",
"case_description": "A super nice description",
"case_customer_id": 1,
"case_soc_id": "SOC_154",
"case_uuid": "435e3f47-479e-4a3c-98df-8e28b01fd2bc",
"case_id": 1065,
"severity_id": 4,
"status_id": 0,
"state": {"state_name": "Open",
"state_description": "Case is open",
"state_id": 3,
"protected": true
},
"classification_id": null,
"review_status_id": null,
"reviewer_id": null,
"owner": {"id": 2,
"user_name": "User Std 1",
"user_login": "user_std_1",
"user_email": "user_std_1@iris.local"
},
"user_id": 1,
"case_tags": "tag1,tag2",
"open_date": "2024-01-10",
"close_date": null,
"closing_note": null,
"custom_attributes": { },
"modification_history": {"1704888196.578914": {"user": "administrator",
"user_id": 1,
"action": "created"
}
}
}

Get a paginated list of cases

Returns a paginated list of cases. Accepts filters and sort query parameters.

Authorizations:

Bearer <bearer>

query Parameters

page	integer Default: 1 Page number
per_page	integer Default: 10 Number of results per page
order_by	string
sort_dir	string asc or desc
case_ids	string List of cases ID, comma separated
case_customer_id	integer Customer identifier
case_name	string Name of the case
case_description	string Description of the case
classification_id	integer (classification_id) The classification identifier for case and alert.
case_owner_id	integer Owner of the case
case_opening_user_id	integer Identifier of the user who opened the case
severity_id	integer (severity_id) The case severity identifier. Possible values are listed by endpoint GET /manage/severities/list.
case_state_id	integer State identifier of the case
case_soc_id	string SOC (Security Operations Center) identifier
start_open_date	string Case opening date - lower boundary
end_open_date	string Case opening date - higher boundary
is_open	boolean whether the case is open or not

Responses

Response samples

200
400

Content type

application/json

{"total": 0,
"data": [{"case_name": "#1065 - My Case API",
"case_description": "A super nice description",
"case_customer_id": 1,
"case_soc_id": "SOC_154",
"case_uuid": "435e3f47-479e-4a3c-98df-8e28b01fd2bc",
"case_id": 1065,
"severity_id": 4,
"status_id": 0,
"state": {"state_name": "Open",
"state_description": "Case is open",
"state_id": 3,
"protected": true
},
"classification_id": null,
"review_status_id": null,
"reviewer_id": null,
"owner": {"id": 2,
"user_name": "User Std 1",
"user_login": "user_std_1",
"user_email": "user_std_1@iris.local"
},
"user_id": 1,
"case_tags": "tag1,tag2",
"open_date": "2024-01-10",
"close_date": null,
"closing_note": null,
"custom_attributes": { },
"modification_history": {"1704888196.578914": {"user": "administrator",
"user_id": 1,
"action": "created"
}
}
}
],
"last_page": 0,
"current_page": 0,
"next_page": 0
}

Get a case

Get a case by its identifier

Authorizations:

Bearer <bearer>

path Parameters

case_identifier

required

integer

Case identifier

Responses

Response samples

201

Content type

application/json

{"case_name": "#1065 - My Case API",
"case_description": "A super nice description",
"case_customer_id": 1,
"case_soc_id": "SOC_154",
"case_uuid": "435e3f47-479e-4a3c-98df-8e28b01fd2bc",
"case_id": 1065,
"severity_id": 4,
"status_id": 0,
"state": {"state_name": "Open",
"state_description": "Case is open",
"state_id": 3,
"protected": true
},
"classification_id": null,
"review_status_id": null,
"reviewer_id": null,
"owner": {"id": 2,
"user_name": "User Std 1",
"user_login": "user_std_1",
"user_email": "user_std_1@iris.local"
},
"user_id": 1,
"case_tags": "tag1,tag2",
"open_date": "2024-01-10",
"close_date": null,
"closing_note": null,
"custom_attributes": { },
"modification_history": {"1704888196.578914": {"user": "administrator",
"user_id": 1,
"action": "created"
}
}
}

Update a case

Update informations of a case

Authorizations:

Bearer <bearer>

path Parameters

case_identifier

required

integer

Case identifier

Request Body schema: application/json

case_name	string
case_soc_id	string
classification_id	integer
owner_id	integer
state_id	integer
severity_id	integer (severity_id) The case severity identifier. Possible values are listed by endpoint GET /manage/severities/list.
status_id	integer (case_status_id) [ 0 .. 5 ] The case status identifier. It can be one of the following 0: unknown, 1: false_positive, 2: true_positive_with_impact, 3: not_applicable, 4: true_positive_without_impact, 5: legitimate
case_customer	integer
reviewer_id	integer
	Array of objects
case_tags	string
custom_attributes	object

Responses

Request samples

Payload

Content type

application/json

{"case_name": "A new case name",
"case_soc_id": "soc_id_demo",
"classification_id": 2,
"owner_id": 2,
"state_id": 3,
"severity_id": 4,
"status_id": 1,
"case_customer": 1,
"reviewer_id": 2,
"protagonists": [{"role": "Lead",
"name": "administrator",
"contact": "administrator@iris.local"
}
],
"case_tags": "tag1,tag2",
"custom_attributes": { }
}

Response samples

200
400

Content type

application/json

{"case_name": "#1065 - My Case API",
"case_description": "A super nice description",
"case_customer_id": 1,
"case_soc_id": "SOC_154",
"case_uuid": "435e3f47-479e-4a3c-98df-8e28b01fd2bc",
"case_id": 1065,
"severity_id": 4,
"status_id": 0,
"state": {"state_name": "Open",
"state_description": "Case is open",
"state_id": 3,
"protected": true
},
"classification_id": null,
"review_status_id": null,
"reviewer_id": null,
"owner": {"id": 2,
"user_name": "User Std 1",
"user_login": "user_std_1",
"user_email": "user_std_1@iris.local"
},
"user_id": 1,
"case_tags": "tag1,tag2",
"open_date": "2024-01-10",
"close_date": null,
"closing_note": null,
"custom_attributes": { },
"modification_history": {"1704888196.578914": {"user": "administrator",
"user_id": 1,
"action": "created"
}
}
}

Delete a case

This implies the deletion of everything linked to the case.

Authorizations:

Bearer <bearer>

path Parameters

case_identifier

required

integer

Case identifier

Responses

Response samples

400

Content type

application/json

{"message": "Error processing request - check server logs",
"data": null
}

Create an IOC

Creates a new ioc.

Authorizations:

Bearer <bearer>

path Parameters

case_identifier

required

integer

Case identifier

Request Body schema: application/json

ioc_value required	string non-empty
ioc_type_id required	number
ioc_tlp_id required	number
ioc_description required	string non-empty A short description of the ioc. This will be the summary of the ioc.
ioc_misp	string or null Misp of ioc
ioc_tags required	string Ioc tags

Responses

Request samples

Payload

Content type

application/json

{"ioc_value": "8.8.8.8",
"ioc_type_id": 1,
"ioc_tlp_id": 2,
"ioc_description": "rewrw",
"ioc_misp": null,
"ioc_tags": ""
}

Response samples

201
400

Content type

application/json

{"ioc_type_id": 1,
"ioc_tlp_id": 2,
"ioc_value": "8.8.8.8",
"ioc_description": "rewrw",
"ioc_tags": "",
"cid": 2,
"link": [{"case_id": 2,
"case_name": "#2 - case name",
"client_name": "IrisInitialClient"
}
],
"tlp": {"tlp_id": 2,
"tlp_name": "amber",
"tlp_bscolor": "warning"
}
}

Get a paginated list of IOCs

Returns a paginated list of IOCS. Accepts filters and sort query parameters.

Authorizations:

Bearer <bearer>

path Parameters

case_identifier

required

integer

Case identifier

query Parameters

page	integer Default: 1 Page number
per_page	integer Default: 10 Number of results per page
order_by	string
sort_dir	string asc or desc
ioc_type_id	integer IOC type identifier
ioc_type	string
ioc_tlp_id	integer (ioc_tlp_id) Identifier of the IOC TLP (traffic light protocol) color. See GET /manage/tlp/list for possible values.
ioc_value	string
ioc_description	string
ioc_tags	string

Responses

Response samples

200

Content type

application/json

{"total": 0,
"data": [{"ioc_type_id": 1,
"ioc_tlp_id": 2,
"ioc_value": "8.8.8.8",
"ioc_description": "rewrw",
"ioc_tags": "",
"cid": 2,
"link": [{"case_id": 2,
"case_name": "#2 - case name",
"client_name": "IrisInitialClient"
}
],
"tlp": {"tlp_id": 2,
"tlp_name": "amber",
"tlp_bscolor": "warning"
}
}
],
"last_page": 0,
"current_page": 0,
"next_page": 0
}

Get an IOC

Authorizations:

Bearer <bearer>

path Parameters

case_identifier required	integer Case identifier
identifier required	integer Identifier of the resource to retrieve

Responses

Response samples

201

Content type

application/json

{"ioc_type_id": 1,
"ioc_tlp_id": 2,
"ioc_value": "8.8.8.8",
"ioc_description": "rewrw",
"ioc_tags": "",
"cid": 2,
"link": [{"case_id": 2,
"case_name": "#2 - case name",
"client_name": "IrisInitialClient"
}
],
"tlp": {"tlp_id": 2,
"tlp_name": "amber",
"tlp_bscolor": "warning"
}
}

Update an IOC

Authorizations:

Bearer <bearer>

path Parameters

case_identifier required	integer Case identifier
identifier required	integer Identifier of the resource to retrieve

Request Body schema: application/json

ioc_value	string non-empty
ioc_type_id	number
ioc_tlp_id	number
ioc_description	string non-empty A short description of the ioc. This will be the summary of the ioc.
ioc_misp	string or null Misp of ioc
ioc_tags	string Ioc tags

Responses

Request samples

Payload

Content type

application/json

{"ioc_value": "8.8.8.8",
"ioc_type_id": 1,
"ioc_tlp_id": 2,
"ioc_description": "rewrw",
"ioc_tags": ""
}

Response samples

200
400

Content type

application/json

{"ioc_type_id": 1,
"ioc_tlp_id": 2,
"ioc_value": "8.8.8.8",
"ioc_description": "rewrw",
"ioc_tags": "",
"cid": 2,
"link": [{"case_id": 2,
"case_name": "#2 - case name",
"client_name": "IrisInitialClient"
}
],
"tlp": {"tlp_id": 2,
"tlp_name": "amber",
"tlp_bscolor": "warning"
}
}

Delete an IOC

Delete an IOC from the case. If the IOC is still reference in other cases than it's only unlinked from the current case.

Authorizations:

Bearer <bearer>

path Parameters

case_identifier required	integer Case identifier
identifier required	integer Identifier of the resource to retrieve

Responses

Response samples

400

Content type

application/json

{"message": "Error processing request - check server logs",
"data": null
}

Create an asset

Add a new asset to a case.

Authorizations:

Bearer <bearer>

path Parameters

case_identifier

required

integer

Case identifier

Request Body schema: application/json

asset_type_id required	integer
case_id	integer
asset_description	string
asset_id	integer
analysis_status_id	integer (analysis_status_id) The asset analysis status identifier. Possible values are listed by endpoint GET /manage/analysis-status/list.
custom_attributes	object
asset_info	string
user_id	integer
date_added	string
date_update	string
asset_name required	string
asset_ip	string
asset_tags	string
asset_compromise_status_id	integer (asset_compromise_status_id) The asset compromise status identifier. Possible values are listed by endpoint GET /manage/compromise-status/list.
asset_uuid	string
asset_domain	string

Responses

Request samples

Payload

Content type

application/json

{"asset_type_id": 9,
"asset_domain": "iris.local",
"asset_ip": "127.0.0.1",
"asset_info": "",
"asset_compromise_status_id": 1,
"analysis_status_id": 3,
"asset_name": "admin_laptop",
"asset_tags": "anewtag",
"asset_description": "A host description"
}

Response samples

201
400

Content type

application/json

{"asset_id": 57,
"asset_uuid": "c6598fd0-836a-4fc4-87c1-6f03348eadeb",
"asset_name": "FILESERVER1231",
"asset_type": "Windows - Server",
"asset_icon_compromised": "ioc_windows_server.png",
"asset_icon_not_compromised": "windows_server.png",
"asset_description": "",
"asset_domain": "",
"asset_compromise_status_id": 0,
"asset_ip": "",
"asset_type_id": 10,
"analysis_status": "Unspecified",
"analysis_status_id": 1,
"asset_tags": "",
"modification_history": {"1742544212.874": {"user": "administrator",
"user_id": 1,
"action": "created"
},
"1742544212.892766": {"user": "administrator",
"user_id": 1,
"action": "updated"
}
}
}

Get a paginated list of assets

Returns a paginated list of assets.

Authorizations:

Bearer <bearer>

path Parameters

case_identifier

required

integer

Case identifier

query Parameters

page	integer Default: 1 Page number
per_page	integer Default: 10 Number of results per page
order_by	string
sort_dir	string asc or desc

Responses

Response samples

200

Content type

application/json

{"total": 0,
"data": [{"asset_id": 57,
"asset_uuid": "c6598fd0-836a-4fc4-87c1-6f03348eadeb",
"asset_name": "FILESERVER1231",
"asset_type": "Windows - Server",
"asset_icon_compromised": "ioc_windows_server.png",
"asset_icon_not_compromised": "windows_server.png",
"asset_description": "",
"asset_domain": "",
"asset_compromise_status_id": 0,
"asset_ip": "",
"asset_type_id": 10,
"analysis_status": "Unspecified",
"analysis_status_id": 1,
"asset_tags": "",
"modification_history": {"1742544212.874": {"user": "administrator",
"user_id": 1,
"action": "created"
},
"1742544212.892766": {"user": "administrator",
"user_id": 1,
"action": "updated"
}
}
}
],
"last_page": 0,
"current_page": 0,
"next_page": 0
}

Get an asset

Get an asset by its identifier

Authorizations:

Bearer <bearer>

path Parameters

case_identifier required	integer Case identifier
identifier required	integer Identifier of the resource to retrieve

Responses

Response samples

201

Content type

application/json

{"asset_id": 57,
"asset_uuid": "c6598fd0-836a-4fc4-87c1-6f03348eadeb",
"asset_name": "FILESERVER1231",
"asset_type": "Windows - Server",
"asset_icon_compromised": "ioc_windows_server.png",
"asset_icon_not_compromised": "windows_server.png",
"asset_description": "",
"asset_domain": "",
"asset_compromise_status_id": 0,
"asset_ip": "",
"asset_type_id": 10,
"analysis_status": "Unspecified",
"analysis_status_id": 1,
"asset_tags": "",
"modification_history": {"1742544212.874": {"user": "administrator",
"user_id": 1,
"action": "created"
},
"1742544212.892766": {"user": "administrator",
"user_id": 1,
"action": "updated"
}
}
}

Update an asset

Authorizations:

Bearer <bearer>

path Parameters

case_identifier required	integer Case identifier
identifier required	integer Identifier of the resource to retrieve

Request Body schema: application/json

asset_name required	string
asset_type_id required	integer
asset_domain	string
asset_ip	string
asset_info	string
asset_compromise_status_id	integer (asset_compromise_status_id) The asset compromise status identifier. Possible values are listed by endpoint GET /manage/compromise-status/list.
analysis_status_id	integer (analysis_status_id) The asset analysis status identifier. Possible values are listed by endpoint GET /manage/analysis-status/list.
ioc_links	Array of strings
asset_tags	string
asset_description	string
custom_attributes	object

Responses

Request samples

Payload

Content type

application/json

{"asset_name": "admin_laptop",
"asset_type_id": 9,
"asset_domain": "iris.local",
"asset_ip": "127.0.0.1",
"asset_info": "",
"asset_compromise_status_id": 1,
"analysis_status_id": 3,
"ioc_links": ["30"
],
"asset_tags": "anewtag",
"asset_description": "A host description",
"custom_attributes": { }
}

Response samples

200
400

Content type

application/json

{"asset_id": 57,
"asset_uuid": "c6598fd0-836a-4fc4-87c1-6f03348eadeb",
"asset_name": "FILESERVER1231",
"asset_type": "Windows - Server",
"asset_icon_compromised": "ioc_windows_server.png",
"asset_icon_not_compromised": "windows_server.png",
"asset_description": "",
"asset_domain": "",
"asset_compromise_status_id": 0,
"asset_ip": "",
"asset_type_id": 10,
"analysis_status": "Unspecified",
"analysis_status_id": 1,
"asset_tags": "",
"modification_history": {"1742544212.874": {"user": "administrator",
"user_id": 1,
"action": "created"
},
"1742544212.892766": {"user": "administrator",
"user_id": 1,
"action": "updated"
}
}
}

Delete an asset

Authorizations:

Bearer <bearer>

path Parameters

case_identifier required	integer Case identifier
identifier required	integer Identifier of the resource to retrieve

Responses

Response samples

400

Content type

application/json

{"message": "Error processing request - check server logs",
"data": null
}

Add a new note

Add a new note to an existing group.

Authorizations:

Bearer <bearer>

path Parameters

case_identifier

required

integer

Case identifier

Request Body schema: application/json

note_title	string
note_content	string
directory_id required	integer

Responses

Request samples

Payload

Content type

application/json

{"note_title": "Title of the note",
"note_content": "Content of the note",
"directory_id": 36
}

Response samples

201
400

Content type

application/json

{"note_id": 16,
"note_uuid": "ecbbd74e-85fd-4268-a9a4-c069677e6677",
"note_title": "Title of the note",
"note_content": "Content of the note",
"directory_id": 2,
"directory": {"id": 2,
"name": "A dir",
"parent_id": null,
"case_id": 1
},
"note_user": 1,
"note_creationdate": "2024-03-27T18:14:21.245694",
"note_lastupdate": "2024-03-27T18:14:21.245724",
"note_case_id": 1,
"modification_history": {"1711563261.268616": {"user": "administrator",
"user_id": 1,
"action": "created note"
}
}
}

Get a note

Authorizations:

Bearer <bearer>

path Parameters

case_identifier required	integer Case identifier
identifier required	integer Identifier of the resource to retrieve

Responses

Response samples

200

Content type

application/json

{"note_id": 16,
"note_uuid": "ecbbd74e-85fd-4268-a9a4-c069677e6677",
"note_title": "Title of the note",
"note_content": "Content of the note",
"directory_id": 2,
"directory": {"id": 2,
"name": "A dir",
"parent_id": null,
"case_id": 1
},
"note_user": 1,
"note_creationdate": "2024-03-27T18:14:21.245694",
"note_lastupdate": "2024-03-27T18:14:21.245724",
"note_case_id": 1,
"modification_history": {"1711563261.268616": {"user": "administrator",
"user_id": 1,
"action": "created note"
}
}
}

Update a note

Update the content and metadata of a note.

Authorizations:

Bearer <bearer>

path Parameters

case_identifier required	integer Case identifier
identifier required	integer Identifier of the resource to retrieve

Request Body schema: application/json

note_title	string
note_content	string
directory_id	integer

Responses

Request samples

Payload

Content type

application/json

{"note_title": "New title",
"note_content": "New content",
"directory_id": 4
}

Response samples

200
400

Content type

application/json

{"note_id": 16,
"note_uuid": "ecbbd74e-85fd-4268-a9a4-c069677e6677",
"note_title": "Title of the note",
"note_content": "Content of the note",
"directory_id": 2,
"directory": {"id": 2,
"name": "A dir",
"parent_id": null,
"case_id": 1
},
"note_user": 1,
"note_creationdate": "2024-03-27T18:14:21.245694",
"note_lastupdate": "2024-03-27T18:14:21.245724",
"note_case_id": 1,
"modification_history": {"1711563261.268616": {"user": "administrator",
"user_id": 1,
"action": "created note"
}
}
}

Delete a note

Authorizations:

Bearer <bearer>

path Parameters

case_identifier required	integer Case identifier
identifier required	integer Identifier of the resource to retrieve

Responses

Response samples

400

Content type

application/json

{"message": "Error processing request - check server logs",
"data": null
}

Add a new notes directory

Create a new empty directory.

Authorizations:

Bearer <bearer>

path Parameters

case_identifier

required

integer

Case identifier

Request Body schema: application/json

name required	string non-empty
parent_id	number An existing parent directory identifier. To add at the root, do not set the field.

Responses

Request samples

Payload

Content type

application/json

{"name": "Test"
}

Response samples

201
400

Content type

application/json

{"id": 34,
"name": "Test",
"parent_id": null,
"case_id": 1
}

Get filtered collection of note directories

Return collection of note directories

Authorizations:

Bearer <bearer>

path Parameters

case_identifier

required

integer

Case identifier

Responses

Response samples

201
400

Content type

application/json

{"id": 34,
"name": "Test",
"note_count": 0,
"subdirectories": [ ],
"notes": [ ]
}

Get a notes directory

Return information of a notes directory

Authorizations:

Bearer <bearer>

path Parameters

case_identifier required	integer Case identifier
identifier required	integer Identifier of the resource to retrieve

Responses

Response samples

201
400

Content type

application/json

{"id": 34,
"name": "Test",
"parent_id": null,
"case_id": 1
}

Update a notes directory

Authorizations:

Bearer <bearer>

path Parameters

case_identifier required	integer Case identifier
identifier required	integer Identifier of the resource to retrieve

Request Body schema: application/json

name	string non-empty
parent_id	number An existing parent directory identifier. To add at the root, do not set the field.

Responses

Request samples

Payload

Content type

application/json

{"name": "Test"
}

Response samples

200
400

Content type

application/json

{"id": 34,
"name": "Test",
"parent_id": null,
"case_id": 1
}

Delete a note directory

Authorizations:

Bearer <bearer>

path Parameters

case_identifier required	integer Case identifier
identifier required	integer Identifier of the resource to retrieve

Responses

Create a task

Add a new task.

Authorizations:

Bearer <bearer>

path Parameters

case_identifier

required

integer

Case identifier

Request Body schema: application/json

task_assignees_id required	Array of integers
task_description	string
task_status_id required	integer
task_tags	string
task_title required	string
custom_attributes	object

Responses

Request samples

Payload

Content type

application/json

{"task_assignees_id": [1
],
"task_description": "",
"task_status_id": 1,
"task_tags": "",
"task_title": "dummy title",
"custom_attributes": { }
}

Response samples

201
400

Content type

application/json

{"id": 1696,
"task_uuid": "eb626d0e-ab81-4137-a8ee-33cfd452df21",
"task_title": "test permission",
"task_description": "",
"task_open_date": "2024-01-07T13:57:05.588940",
"task_tags": "",
"task_status_id": 1
}

Get a paginated list of tasks

Returns a paginated list of tasks.

Authorizations:

Bearer <bearer>

path Parameters

case_identifier

required

integer

Case identifier

query Parameters

page	integer Default: 1 Page number
per_page	integer Default: 10 Number of results per page
order_by	string
sort_dir	string asc or desc

Responses

Response samples

200

Content type

application/json

{"total": 0,
"data": [{"id": 1696,
"task_uuid": "eb626d0e-ab81-4137-a8ee-33cfd452df21",
"task_title": "test permission",
"task_description": "",
"task_open_date": "2024-01-07T13:57:05.588940",
"task_tags": "",
"task_status_id": 1
}
],
"last_page": 0,
"current_page": 0,
"next_page": 0
}

Get a task

Get an task by its identifier

Authorizations:

Bearer <bearer>

path Parameters

case_identifier required	integer Case identifier
identifier required	integer Identifier of the resource to retrieve

Responses

Response samples

201

Content type

application/json

{"id": 1696,
"task_uuid": "eb626d0e-ab81-4137-a8ee-33cfd452df21",
"task_title": "test permission",
"task_description": "",
"task_open_date": "2024-01-07T13:57:05.588940",
"task_tags": "",
"task_status_id": 1
}

Update a task

Update an existing task of the case.

Authorizations:

Bearer <bearer>

path Parameters

case_identifier required	integer Case identifier
identifier required	integer Identifier of the resource to retrieve

Request Body schema: application/json

task_title required	string
task_description	string
task_tags	string
task_status_id required	integer
task_assignees_id required	Array of integers
custom_attributes	object

Responses

Request samples

Payload

Content type

application/json

{"task_assignees_id": [1
],
"task_status_id": 1,
"task_title": "New title",
"task_description": "new content",
"task_tags": "new tags",
"custom_attributes": { }
}

Response samples

200
400

Content type

application/json

{"id": 1696,
"task_uuid": "eb626d0e-ab81-4137-a8ee-33cfd452df21",
"task_title": "test permission",
"task_description": "",
"task_open_date": "2024-01-07T13:57:05.588940",
"task_tags": "",
"task_status_id": 1
}

Add an evidence

Add a new evidence to the case.

Authorizations:

Bearer <bearer>

path Parameters

case_identifier

required

integer

Case identifier

Request Body schema: application/json

filename required	string
file_size	integer
file_hash	string
type_id	integer
start_date	string (iso_date) date in ISO 8601 format
end_date	string (iso_date) date in ISO 8601 format
file_description	string

Responses

Request samples

Payload

Content type

application/json

{"filename": "dummy file",
"file_size": 77108,
"file_hash": "88BC9EF6F07F0FAE922AB25EB226906542F8BA0DC1A221F3EA7273CBCB5DB0D4",
"type_id": 2,
"start_date": "2024-04-13T03:02:00",
"end_date": "2024-04-04T00:00:00",
"file_description": "Dummy description"
}

Response samples

201
400

Content type

application/json

{"chain_of_custody": null,
"case_id": 1,
"type_id": null,
"id": 119,
"file_hash": "88BC9EF6F07F0FAE922AB25EB226906542F8BA0DC1A221F3EA7273CBCB5DB0D4",
"filename": "filename.ext",
"start_date": null,
"end_date": null,
"type": null,
"acquisition_date": null,
"case": 1,
"file_uuid": "2c322eb0-53be-45c7-b71c-ae5bc4c3bd0a",
"user_id": 1,
"custom_attributes": { },
"date_added": "2024-01-11T07:39:11.211407",
"user": {"id": 1,
"user_name": "administrator",
"user_login": "administrator",
"user_email": "administrator@iris.local"
},
"file_size": 0,
"file_description": "File description",
"modification_history": null
}

Get a paginated list of evidences

Returns a paginated list of evidences.

Authorizations:

Bearer <bearer>

path Parameters

case_identifier

required

integer

Case identifier

query Parameters

page	integer Default: 1 Page number
per_page	integer Default: 10 Number of results per page
order_by	string
sort_dir	string asc or desc

Responses

Response samples

200
400

Content type

application/json

{"total": 0,
"data": [{"chain_of_custody": null,
"case_id": 1,
"type_id": null,
"id": 119,
"file_hash": "88BC9EF6F07F0FAE922AB25EB226906542F8BA0DC1A221F3EA7273CBCB5DB0D4",
"filename": "filename.ext",
"start_date": null,
"end_date": null,
"type": null,
"acquisition_date": null,
"case": 1,
"file_uuid": "2c322eb0-53be-45c7-b71c-ae5bc4c3bd0a",
"user_id": 1,
"custom_attributes": { },
"date_added": "2024-01-11T07:39:11.211407",
"user": {"id": 1,
"user_name": "administrator",
"user_login": "administrator",
"user_email": "administrator@iris.local"
},
"file_size": 0,
"file_description": "File description",
"modification_history": null
}
],
"last_page": 0,
"current_page": 0,
"next_page": 0
}

Get an evidence

Get an evidence by its identifier

Authorizations:

Bearer <bearer>

path Parameters

case_identifier required	integer Case identifier
identifier required	integer Identifier of the resource to retrieve

Responses

Response samples

201

Content type

application/json

{"chain_of_custody": null,
"case_id": 1,
"type_id": null,
"id": 119,
"file_hash": "88BC9EF6F07F0FAE922AB25EB226906542F8BA0DC1A221F3EA7273CBCB5DB0D4",
"filename": "filename.ext",
"start_date": null,
"end_date": null,
"type": null,
"acquisition_date": null,
"case": 1,
"file_uuid": "2c322eb0-53be-45c7-b71c-ae5bc4c3bd0a",
"user_id": 1,
"custom_attributes": { },
"date_added": "2024-01-11T07:39:11.211407",
"user": {"id": 1,
"user_name": "administrator",
"user_login": "administrator",
"user_email": "administrator@iris.local"
},
"file_size": 0,
"file_description": "File description",
"modification_history": null
}

Update an evidence

Update an evidence.

Authorizations:

Bearer <bearer>

path Parameters

case_identifier required	integer Case identifier
identifier required	integer Identifier of the resource to retrieve

Request Body schema: application/json

filename	string
file_description	string
file_size	integer
file_hash	string
type_id	integer (evidence_type_id) Identifier of the type of an evidence. See GET /manage/evidence-types/list for possible values.
start_date	string (iso_date) date in ISO 8601 format
end_date	string (iso_date) date in ISO 8601 format
custom_attributes	object

Responses

Request samples

Payload

Content type

application/json

{"filename": "dummy file",
"file_size": 77108,
"file_hash": "88BC9EF6F07F0FAE922AB25EB226906542F8BA0DC1A221F3EA7273CBCB5DB0D4",
"type_id": 2,
"start_date": "2024-04-13T03:02:00.000",
"end_date": "2024-04-04T00:00:00.000",
"custom_attributes": { },
"file_description": "Dummy description"
}

Response samples

200
400

Content type

application/json

{"chain_of_custody": null,
"case_id": 1,
"type_id": null,
"id": 119,
"file_hash": "88BC9EF6F07F0FAE922AB25EB226906542F8BA0DC1A221F3EA7273CBCB5DB0D4",
"filename": "filename.ext",
"start_date": null,
"end_date": null,
"type": null,
"acquisition_date": null,
"case": 1,
"file_uuid": "2c322eb0-53be-45c7-b71c-ae5bc4c3bd0a",
"user_id": 1,
"custom_attributes": { },
"date_added": "2024-01-11T07:39:11.211407",
"user": {"id": 1,
"user_name": "administrator",
"user_login": "administrator",
"user_email": "administrator@iris.local"
},
"file_size": 0,
"file_description": "File description",
"modification_history": null
}

Delete an evidence

Authorizations:

Bearer <bearer>

path Parameters

case_identifier required	integer Case identifier
identifier required	integer Identifier of the resource to retrieve

Responses

Response samples

400

Content type

application/json

{"message": "Error processing request - check server logs",
"data": null
}

Add a new event

Create a new event in the timeline.

Authorizations:

Bearer <bearer>

path Parameters

case_identifier

required

integer

Case identifier

Request Body schema: application/json

event_title required	string
event_category_id required	integer
event_date required	string
event_tz required	string
event_assets required	Array of integers
event_iocs required	Array of integers
event_raw	string
event_source	string
event_in_summary	boolean
event_in_graph	boolean
event_color	string
event_sync_iocs_assets	boolean
event_tags	string
event_content	string
custom_attributes	object
parent_event_id	integer

Responses

Request samples

Payload

Content type

application/json

{"event_title": "An event",
"event_category_id": 5,
"event_date": "2023-03-08T03:02:00.000",
"event_tz": "+00:00",
"event_assets": [45
],
"event_iocs": [33
],
"event_raw": "My event raw data",
"event_source": "My source",
"event_in_summary": true,
"event_in_graph": true,
"event_color": "#1572E899",
"event_sync_iocs_assets": true,
"event_tags": "tag",
"event_content": "My description",
"parent_event_id": 11,
"custom_attributes": { }
}

Response samples

201
400

Content type

application/json

{"event_id": 663,
"event_uuid": "f20fee77-4d9f-446d-927d-59765aa9cbe0",
"case_id": 1,
"user_id": 1,
"parent_event_id": null,
"event_title": "An event",
"event_category_id": 5,
"event_content": "My description",
"event_color": "#1572E899",
"event_source": "My source",
"event_raw": "My event raw data",
"event_tags": "tag",
"event_date": "2023-03-08T03:02:00.000000",
"event_tz": "+00:00",
"event_date_wtz": "2023-03-08T03:02:00.000000",
"event_added": "2024-01-09T15:45:12.677273",
"event_in_summary": true,
"event_in_graph": true,
"event_is_flagged": false,
"modification_history": {"1704815112.677327": {"user": "administrator",
"action": "created",
"user_id": 1
}
},
"children": [ ],
"custom_attributes": { }
}

Get an event

Return information of an event of the timeline

Authorizations:

Bearer <bearer>

path Parameters

case_identifier required	integer Case identifier
identifier required	integer Identifier of the resource to retrieve

Responses

Response samples

201
400

Content type

application/json

{"event_id": 663,
"event_uuid": "f20fee77-4d9f-446d-927d-59765aa9cbe0",
"case_id": 1,
"user_id": 1,
"parent_event_id": null,
"event_title": "An event",
"event_category_id": 5,
"event_content": "My description",
"event_color": "#1572E899",
"event_source": "My source",
"event_raw": "My event raw data",
"event_tags": "tag",
"event_date": "2023-03-08T03:02:00.000000",
"event_tz": "+00:00",
"event_date_wtz": "2023-03-08T03:02:00.000000",
"event_added": "2024-01-09T15:45:12.677273",
"event_in_summary": true,
"event_in_graph": true,
"event_is_flagged": false,
"modification_history": {"1704815112.677327": {"user": "administrator",
"action": "created",
"user_id": 1
}
},
"children": [ ],
"custom_attributes": { }
}

Update an event

Update an event in the timeline

Authorizations:

Bearer <bearer>

path Parameters

case_identifier required	integer Case identifier
identifier required	integer Identifier of the resource to retrieve

Request Body schema: application/json

event_title required	string
event_category_id required	integer
event_date required	string
event_tz required	string
event_assets required	Array of integers
event_iocs required	Array of integers
event_raw	string
event_source	string
event_in_summary	boolean
event_in_graph	boolean
event_color	string
event_sync_iocs_assets	boolean
event_tags	string
event_content	string
custom_attributes	object
parent_event_id	integer

Responses

Request samples

Payload

Content type

application/json

{"event_title": "An event",
"event_category_id": 5,
"event_date": "2023-03-08T03:02:00.000",
"event_tz": "+00:00",
"event_assets": [45
],
"event_iocs": [33
],
"event_raw": "My event raw data",
"event_source": "Source",
"event_in_summary": true,
"event_in_graph": true,
"event_color": "#1572E899",
"event_sync_iocs_assets": true,
"event_tags": "tag",
"event_content": "My description",
"parent_event_id": 122,
"custom_attributes": { }
}

Response samples

200
400

Content type

application/json

{"event_id": 663,
"event_uuid": "f20fee77-4d9f-446d-927d-59765aa9cbe0",
"case_id": 1,
"user_id": 1,
"parent_event_id": null,
"event_title": "An event",
"event_category_id": 5,
"event_content": "My description",
"event_color": "#1572E899",
"event_source": "My source",
"event_raw": "My event raw data",
"event_tags": "tag",
"event_date": "2023-03-08T03:02:00.000000",
"event_tz": "+00:00",
"event_date_wtz": "2023-03-08T03:02:00.000000",
"event_added": "2024-01-09T15:45:12.677273",
"event_in_summary": true,
"event_in_graph": true,
"event_is_flagged": false,
"modification_history": {"1704815112.677327": {"user": "administrator",
"action": "created",
"user_id": 1
}
},
"children": [ ],
"custom_attributes": { }
}

Delete an event

Delete an event from the timeline. If the event has a child, the child event is not deleted and become a parent itself.

Authorizations:

Bearer <bearer>

path Parameters

case_identifier required	integer Case identifier
identifier required	integer Identifier of the resource to retrieve

Responses

Response samples

400

Content type

application/json

{"message": "Error processing request - check server logs",
"data": null
}

Get a paginated list of comments

Authorizations:

Bearer <bearer>

path Parameters

objects required	string Enum: "alerts" "assets" "events" "evidences" "iocs" "notes" "tasks" Type of commented object
object_identifier required	integer Identifier of the commented object

query Parameters

page	integer Default: 1 Page number
per_page	integer Default: 10 Number of results per page

Responses

Response samples

200
400

Content type

application/json

{"total": 0,
"data": [{"comment_text": "Comment content",
"comment_id": 12,
"comment_uuid": "f43d28a7-cd07-48ec-a602-26e0ce21743b",
"comment_date": "Mon, 20 Mar 2023 17:12:06 GMT",
"comment_update_date": "Mon, 20 Mar 2023 17:12:06 GMT"
}
],
"last_page": 0,
"current_page": 0,
"next_page": 0
}

Add a new comment to a case object

Authorizations:

Bearer <bearer>

path Parameters

objects required	string Enum: "alerts" "assets" "events" "evidences" "iocs" "notes" "tasks" Type of commented object
object_identifier required	integer Identifier of the commented object

Request Body schema: application/json

comment_text

string

Responses

Request samples

Payload

Content type

application/json

{"comment_text": "Comment content"
}

Response samples

201
400

Content type

application/json

{"comment_text": "Comment content",
"comment_id": 12,
"comment_uuid": "f43d28a7-cd07-48ec-a602-26e0ce21743b",
"comment_date": "Mon, 20 Mar 2023 17:12:06 GMT",
"comment_update_date": "Mon, 20 Mar 2023 17:12:06 GMT"
}

Get a comment

Authorizations:

Bearer <bearer>

path Parameters

objects required	string Enum: "alerts" "assets" "events" "evidences" "iocs" "notes" "tasks" Type of commented object
object_identifier required	integer Identifier of the commented object
identifier required	integer Identifier of the comment

Responses

Response samples

200
400

Content type

application/json

{"comment_text": "Comment content",
"comment_id": 12,
"comment_uuid": "f43d28a7-cd07-48ec-a602-26e0ce21743b",
"comment_date": "Mon, 20 Mar 2023 17:12:06 GMT",
"comment_update_date": "Mon, 20 Mar 2023 17:12:06 GMT"
}

Update a comment

Authorizations:

Bearer <bearer>

path Parameters

objects required	string Enum: "alerts" "assets" "events" "evidences" "iocs" "notes" "tasks" Type of commented object
object_identifier required	integer Identifier of the commented object
identifier required	integer Identifier of the comment

Request Body schema: application/json

comment_text

string

Responses

Request samples

Payload

Content type

application/json

{"comment_text": "Comment content"
}

Response samples

200
400

Content type

application/json

{"comment_text": "Comment content",
"comment_id": 12,
"comment_uuid": "f43d28a7-cd07-48ec-a602-26e0ce21743b",
"comment_date": "Mon, 20 Mar 2023 17:12:06 GMT",
"comment_update_date": "Mon, 20 Mar 2023 17:12:06 GMT"
}

Delete a comment

Authorizations:

Bearer <bearer>

path Parameters

objects required	string Enum: "alerts" "assets" "events" "evidences" "iocs" "notes" "tasks" Type of commented object
object_identifier required	integer Identifier of the commented object
identifier required	integer Identifier of the comment

Responses

Response samples

400

Content type

application/json

{"message": "Error processing request - check server logs",
"data": null
}

Create a new alert

Creates a new alert.

Authorizations:

Bearer <bearer>

Request Body schema: application/json

alert_title required	string
alert_severity_id required	integer (severity_id) The case severity identifier. Possible values are listed by endpoint GET /manage/severities/list.
alert_customer_id required	integer
alert_classification_id required	integer (classification_id) The classification identifier for case and alert.
alert_description	string
alert_source	string
alert_source_ref	string
alert_source_link	string
alert_status_id	integer (alert_status_id) The alert status identifier.
	object (alert_context)
alert_source_event_time	string
alert_note	string
alert_tags	string
	Array of objects
	Array of objects
alert_source_content	object

Responses

Request samples

Payload

Content type

application/json

{"alert_title": "title",
"alert_severity_id": 2,
"alert_customer_id": 3,
"alert_classification_id": 1
}

Response samples

201
400

Content type

application/json

{"alert_title": "Low-reputation arbitrary code executed by signed executable",
"alert_description": "This is a test alert, courtesy of MS",
"alert_source": "Test Source",
"alert_source_ref": "Test-123",
"alert_source_link": "https://source_link.com",
"alert_source_content": {"_id": "603f704aaf7417985bbf3b22",
"contextId": "206e2965-6533-48a6-ba9e-794364a84bf9",
"idValue": 15795464,
"isSystemAlert": false,
"resolutionStatusValue": 0,
"severityValue": 5,
"statusValue": 1,
"stories": [0
],
"threatScore": 34,
"timestamp": 1621941916475,
"title": "Honeytoken activity",
"comment": "",
"handledByUser": "administrator@contoso.com",
"resolveTime": "2021-05-13T14:02:34.904Z",
"URL": "https://contoso.portal.cloudappsecurity.com/#/alerts/603f704aaf7417985bbf3b22"
},
"alert_severity_id": 4,
"alert_status_id": 3,
"alert_context": {"context_key": "context_value"
},
"alert_source_event_time": "2023-03-26T03:00:30",
"alert_note": "A note on",
"alert_tags": "defender,anothertag",
"alert_iocs": [{"ioc_value": "tarzan5",
"ioc_description": "description of Tarzan",
"ioc_tlp_id": 1,
"ioc_type_id": 2,
"ioc_tags": "tag1,tag2",
"ioc_enrichment": {"provider_1": {"data": 2,
"new_data": 3
},
"provider_3": {"enric": "true"
}
}
}
],
"alert_assets": [{"asset_name": "My super asset",
"asset_description": "Asset description",
"asset_type_id": 1,
"asset_ip": "1.1.1.1",
"asset_domain": "",
"asset_tags": "tag1,tag2",
"asset_enrichment": {"enrich1": {"A key": "A value"
}
}
}
],
"alert_customer_id": 1,
"alert_classification_id": 1
}

Get an alert

Authorizations:

Bearer <bearer>

path Parameters

identifier

required

integer

Identifier of the resource to retrieve

Responses

Response samples

201
400

Content type

application/json

{"alert_title": "Low-reputation arbitrary code executed by signed executable",
"alert_description": "This is a test alert, courtesy of MS",
"alert_source": "Test Source",
"alert_source_ref": "Test-123",
"alert_source_link": "https://source_link.com",
"alert_source_content": {"_id": "603f704aaf7417985bbf3b22",
"contextId": "206e2965-6533-48a6-ba9e-794364a84bf9",
"idValue": 15795464,
"isSystemAlert": false,
"resolutionStatusValue": 0,
"severityValue": 5,
"statusValue": 1,
"stories": [0
],
"threatScore": 34,
"timestamp": 1621941916475,
"title": "Honeytoken activity",
"comment": "",
"handledByUser": "administrator@contoso.com",
"resolveTime": "2021-05-13T14:02:34.904Z",
"URL": "https://contoso.portal.cloudappsecurity.com/#/alerts/603f704aaf7417985bbf3b22"
},
"alert_severity_id": 4,
"alert_status_id": 3,
"alert_context": {"context_key": "context_value"
},
"alert_source_event_time": "2023-03-26T03:00:30",
"alert_note": "A note on",
"alert_tags": "defender,anothertag",
"alert_iocs": [{"ioc_value": "tarzan5",
"ioc_description": "description of Tarzan",
"ioc_tlp_id": 1,
"ioc_type_id": 2,
"ioc_tags": "tag1,tag2",
"ioc_enrichment": {"provider_1": {"data": 2,
"new_data": 3
},
"provider_3": {"enric": "true"
}
}
}
],
"alert_assets": [{"asset_name": "My super asset",
"asset_description": "Asset description",
"asset_type_id": 1,
"asset_ip": "1.1.1.1",
"asset_domain": "",
"asset_tags": "tag1,tag2",
"asset_enrichment": {"enrich1": {"A key": "A value"
}
}
}
],
"alert_customer_id": 1,
"alert_classification_id": 1
}

Update an alert

Update an existing alert. To update only specific fields one can send only those fields.

Authorizations:

Bearer <bearer>

path Parameters

identifier

required

integer

Identifier of the resource to retrieve

Request Body schema: application/json

alert_title	string
alert_description	string
alert_source	string
alert_source_ref	string
alert_source_link	string
	object
alert_severity_id	integer (severity_id) The case severity identifier. Possible values are listed by endpoint GET /manage/severities/list.
alert_status_id	integer (alert_status_id) The alert status identifier.
	object (alert_context)
alert_source_event_time	string
alert_note	string
alert_tags	string
	Array of objects
alert_customer_id	integer
alert_classification_id	integer (classification_id) The classification identifier for case and alert.

Responses

Request samples

Payload

Content type

application/json

{"alert_title": "Low-reputation arbitrary code executed by signed executable",
"alert_description": "This is a test alert, courtesy of MS",
"alert_source": "Test Source",
"alert_source_ref": "Test-123",
"alert_source_link": "https://source_link.com",
"alert_source_content": {"_id": "603f704aaf7417985bbf3b22",
"contextId": "206e2965-6533-48a6-ba9e-794364a84bf9",
"description": "Contoso user performed 11 suspicious activities MITRE Technique used Account Discovery (T1087) and subtechnique used Domain Account (T1087.002)",
"entities": [{"entityRole": "Source",
"entityType": 2,
"id": "6204bdaf-ad46-4e99-a25d-374a0532c666",
"inst": 0,
"label": "user1",
"pa": "user1@contoso.com",
"saas": 11161,
"type": "account"
},
{"entityRole": "Related",
"id": "55017817-27af-49a7-93d6-8af6c5030fdb",
"label": "DC3",
"type": "device"
},
{"entityRole": "Related",
"id": "95c59b48-98c1-40ff-a444-d9040f1f68f2",
"label": "DC4",
"type": "device"
},
{"id": "5bfd18bfab73c36ba10d38ca",
"label": "Honeytoken activity",
"policyType": "ANOMALY_DETECTION",
"type": "policyRule"
},
{"entityRole": "Source",
"id": "34f3ecc9-6903-4df7-af79-14fe2d0d4553",
"label": "Client1",
"type": "device"
},
{"entityRole": "Related",
"id": "d68772fe-1171-4124-9f73-0f410340bd54",
"label": "DC1",
"type": "device"
}
],
"idValue": 15795464,
"isSystemAlert": false,
"resolutionStatusValue": 0,
"severityValue": 5,
"statusValue": 1,
"stories": [0
],
"threatScore": 34,
"timestamp": 1621941916475,
"title": "Honeytoken activity",
"comment": "",
"handledByUser": "administrator@contoso.com",
"resolveTime": "2021-05-13T14:02:34.904Z",
"URL": "https://contoso.portal.cloudappsecurity.com/#/alerts/603f704aaf7417985bbf3b22"
},
"alert_severity_id": 4,
"alert_status_id": 3,
"alert_context": {"context_key": "context_value"
},
"alert_source_event_time": "2023-03-26T03:00:30",
"alert_note": "A note on",
"alert_tags": "defender,anothertag",
"alert_customer_id": 1,
"alert_classification_id": 1
}

Response samples

201
400

Content type

application/json

{"alert_title": "Low-reputation arbitrary code executed by signed executable",
"alert_description": "This is a test alert, courtesy of MS",
"alert_source": "Test Source",
"alert_source_ref": "Test-123",
"alert_source_link": "https://source_link.com",
"alert_source_content": {"_id": "603f704aaf7417985bbf3b22",
"contextId": "206e2965-6533-48a6-ba9e-794364a84bf9",
"idValue": 15795464,
"isSystemAlert": false,
"resolutionStatusValue": 0,
"severityValue": 5,
"statusValue": 1,
"stories": [0
],
"threatScore": 34,
"timestamp": 1621941916475,
"title": "Honeytoken activity",
"comment": "",
"handledByUser": "administrator@contoso.com",
"resolveTime": "2021-05-13T14:02:34.904Z",
"URL": "https://contoso.portal.cloudappsecurity.com/#/alerts/603f704aaf7417985bbf3b22"
},
"alert_severity_id": 4,
"alert_status_id": 3,
"alert_context": {"context_key": "context_value"
},
"alert_source_event_time": "2023-03-26T03:00:30",
"alert_note": "A note on",
"alert_tags": "defender,anothertag",
"alert_iocs": [{"ioc_value": "tarzan5",
"ioc_description": "description of Tarzan",
"ioc_tlp_id": 1,
"ioc_type_id": 2,
"ioc_tags": "tag1,tag2",
"ioc_enrichment": {"provider_1": {"data": 2,
"new_data": 3
},
"provider_3": {"enric": "true"
}
}
}
],
"alert_assets": [{"asset_name": "My super asset",
"asset_description": "Asset description",
"asset_type_id": 1,
"asset_ip": "1.1.1.1",
"asset_domain": "",
"asset_tags": "tag1,tag2",
"asset_enrichment": {"enrich1": {"A key": "A value"
}
}
}
],
"alert_customer_id": 1,
"alert_classification_id": 1
}

Delete an alert

Authorizations:

Bearer <bearer>

path Parameters

identifier

required

integer

Identifier of the resource to retrieve

Responses

Response samples

400

Content type

application/json

{"message": "Error processing request - check server logs",
"data": null
}

Get related alerts

Authorizations:

Bearer <bearer>

path Parameters

identifier

required

integer

Identifier of the resource to retrieve

Responses

Response samples

201
400

Content type

application/json

{"assets": {"asset_id": 57,
"asset_uuid": "c6598fd0-836a-4fc4-87c1-6f03348eadeb",
"asset_name": "FILESERVER1231",
"asset_type": "Windows - Server",
"asset_icon_compromised": "ioc_windows_server.png",
"asset_icon_not_compromised": "windows_server.png",
"asset_description": "",
"asset_domain": "",
"asset_compromise_status_id": 0,
"asset_ip": "",
"asset_type_id": 10,
"analysis_status": "Unspecified",
"analysis_status_id": 1,
"asset_tags": "",
"modification_history": {"1742544212.874": {"user": "administrator",
"user_id": 1,
"action": "created"
},
"1742544212.892766": {"user": "administrator",
"user_id": 1,
"action": "updated"
}
}
},
"iocs": {"ioc_type_id": 1,
"ioc_tlp_id": 2,
"ioc_value": "8.8.8.8",
"ioc_description": "rewrw",
"ioc_tags": "",
"cid": 2,
"link": [{"case_id": 2,
"case_name": "#2 - case name",
"client_name": "IrisInitialClient"
}
],
"tlp": {"tlp_id": 2,
"tlp_name": "amber",
"tlp_bscolor": "warning"
}
}
}

Create a new alert filters

Creates a new alert filters.

Authorizations:

Bearer <bearer>

Request Body schema: application/json

object

Responses

Request samples

Payload

Content type

application/json

{"filter_is_private": true,
"filter_type": "alerts",
"filter_name": "filter name",
"filter_description": "filter description",
"filter_data": {"alert_tilte": "filter name",
"alert_description": "",
"alert_source": "",
"alert_tags": "",
"alert_severity_id": 2,
"alert_start_date": "",
"source_start_date": "",
"source_end_date": "",
"creation_end_date": "",
"creation_start_date": "",
"alert_assets": [ ],
"alert_iocs": [ ],
"alert_ids": [ ],
"source_reference": "",
"case_id": 1,
"custom_conditions": ""
}
}

Response samples

201
400

Content type

application/json

{"user": 0,
"filter_id": 0,
"created_by": 0,
"filter_is_private": true,
"filter_type": "string",
"filter_name": "string",
"filter_description": "string",
"filter_data": [{"alert_title": "string",
"alert_description": "string",
"alert_source": "string",
"alert_tags": "string",
"alert_severity_id": 0,
"alert_start_date": "string",
"source_start_date": "string",
"source_end_date": "string",
"creation_end_date": "string",
"creation_start_date": "string",
"alert_iocs": [{"ioc_value": "string",
"ioc_description": "string",
"ioc_tlp_id": 0,
"ioc_type_id": 0,
"ioc_tags": "string",
"ioc_enrichment": { }
}
],
"alert_assets": [{"asset_name": "string",
"asset_description": "string",
"asset_type_id": 0,
"asset_ip": "string",
"asset_domain": "string",
"asset_tags": "string",
"asset_enrichment": { }
}
],
"alert_ids": [0
],
"source_reference": "string",
"case_id": 0,
"custom_conditions": "string"
}
]
}

Get alert filters

Authorizations:

Bearer <bearer>

path Parameters

identifier

required

integer

Identifier of the resource to retrieve

Responses

Response samples

200
400

Content type

application/json

{"user": 0,
"filter_id": 0,
"created_by": 0,
"filter_is_private": true,
"filter_type": "string",
"filter_name": "string",
"filter_description": "string",
"filter_data": [{"alert_title": "string",
"alert_description": "string",
"alert_source": "string",
"alert_tags": "string",
"alert_severity_id": 0,
"alert_start_date": "string",
"source_start_date": "string",
"source_end_date": "string",
"creation_end_date": "string",
"creation_start_date": "string",
"alert_iocs": [{"ioc_value": "string",
"ioc_description": "string",
"ioc_tlp_id": 0,
"ioc_type_id": 0,
"ioc_tags": "string",
"ioc_enrichment": { }
}
],
"alert_assets": [{"asset_name": "string",
"asset_description": "string",
"asset_type_id": 0,
"asset_ip": "string",
"asset_domain": "string",
"asset_tags": "string",
"asset_enrichment": { }
}
],
"alert_ids": [0
],
"source_reference": "string",
"case_id": 0,
"custom_conditions": "string"
}
]
}

Update an alert filters

Update an existing alert filters.

Authorizations:

Bearer <bearer>

path Parameters

identifier

required

integer

Identifier of the resource to retrieve

Request Body schema: application/json

filter_is_private	boolean
filter_type	string
filter_name	string
filter_description	string
	Array of objects

Responses

Request samples

Payload

Content type

application/json

{"filter_name": "filter_name",
"filter_description": "filter_description"
}

Response samples

200
400

Content type

application/json

{"user": 0,
"filter_id": 0,
"created_by": 0,
"filter_is_private": true,
"filter_type": "string",
"filter_name": "string",
"filter_description": "string",
"filter_data": [{"alert_title": "string",
"alert_description": "string",
"alert_source": "string",
"alert_tags": "string",
"alert_severity_id": 0,
"alert_start_date": "string",
"source_start_date": "string",
"source_end_date": "string",
"creation_end_date": "string",
"creation_start_date": "string",
"alert_iocs": [{"ioc_value": "string",
"ioc_description": "string",
"ioc_tlp_id": 0,
"ioc_type_id": 0,
"ioc_tags": "string",
"ioc_enrichment": { }
}
],
"alert_assets": [{"asset_name": "string",
"asset_description": "string",
"asset_type_id": 0,
"asset_ip": "string",
"asset_domain": "string",
"asset_tags": "string",
"asset_enrichment": { }
}
],
"alert_ids": [0
],
"source_reference": "string",
"case_id": 0,
"custom_conditions": "string"
}
]
}

Delete alert filter

Authorizations:

Bearer <bearer>

path Parameters

identifier

required

integer

Identifier of the resource to retrieve

Responses

Response samples

400

Content type

application/json

{"message": "Error processing request - check server logs",
"data": null
}

Add a new group

Requires administrative rights.

Authorizations:

Bearer <bearer>

Request Body schema: application/json

group_name required	string
group_description required	string
group_permissions	integer

Responses

Request samples

Payload

Content type

application/json

{"group_name": "New group",
"group_description": "New description",
"group_permissions": 1
}

Response samples

201
400

Content type

application/json

{"group_auto_follow": false,
"group_auto_follow_access_level": 0,
"group_description": "New description",
"group_id": 4,
"group_name": "New group",
"group_permissions": 1,
"group_uuid": "a9bb4b93-c8ac-490d-9387-f97f4722271c"
}

Get a group

Requires administrative rights.

Authorizations:

Bearer <bearer>

path Parameters

identifier

required

integer

Identifier of the resource to retrieve

Responses

Response samples

200
400

Content type

application/json

{"group_auto_follow": false,
"group_auto_follow_access_level": 0,
"group_description": "New description",
"group_id": 4,
"group_name": "New group",
"group_permissions": 1,
"group_uuid": "a9bb4b93-c8ac-490d-9387-f97f4722271c"
}

Update group

Update an existing group. Requires administrative rights.

Authorizations:

Bearer <bearer>

path Parameters

identifier

required

integer

Identifier of the resource to retrieve

Request Body schema: application/json

group_name required	string
group_description	string
group_permissions	integer
group_auto_follow	boolean
group_auto_follow_access_level	integer
group_id	integer
group_uuid	string

Responses

Request samples

Payload

Content type

application/json

{"group_name": "New group",
"group_description": "New description",
"group_permissions": 1
}

Response samples

201
400

Content type

application/json

{"group_auto_follow": false,
"group_auto_follow_access_level": 0,
"group_description": "New description",
"group_id": 4,
"group_name": "New group",
"group_permissions": 1,
"group_uuid": "a9bb4b93-c8ac-490d-9387-f97f4722271c"
}

Delete group

Delete group. Requires administrative rights.

Authorizations:

Bearer <bearer>

path Parameters

identifier

required

integer

Identifier of the resource to retrieve

Responses

Response samples

400

Content type

application/json

{"message": "Error processing request - check server logs",
"data": null
}

Create a new user

Administrator role required.

Authorizations:

Bearer <bearer>

Request Body schema: application/json

user_login required	string
user_name required	string
user_email required	string
has_deletion_confirmation	boolean
has_mini_sidebar	boolean
in_dark_mode	boolean
user_is_service_account	boolean
uuid	string
active	boolean
id	integer
external_id	null
user_api_key	string

Responses

Request samples

Payload

Content type

application/json

{"user_name": "New usergroup",
"user_login": "New description",
"user_email": "user@test.com",
"user_is_service_account": true
}

Response samples

201
400

Content type

application/json

{"user_login": "strsing",
"user_name": "string",
"user_email": "stringa",
"user_id": 4,
"user_is_service_account": true,
"has_deletion_confirmation": false,
"uuid": "bb807755-62fa-412b-b242-fd930a24be13",
"active": true,
"in_dark_mode": null,
"has_mini_sidebar": false,
"user_api_key": "ViYIIkN_LL062yNOcq2kJA3ZMscOAoHmLy8GEh_JYKBWwspLB_E65jhYLg9CsR0J-kP8DmmM3RO31_xixrG8rw"
}

Get a user

Requires administrative rights. Returns information of a specific user.

Authorizations:

Bearer <bearer>

path Parameters

identifier

required

integer

Identifier of the resource to retrieve

Responses

Response samples

201
400

Content type

application/json

{"user_login": "strsing",
"user_name": "string",
"user_email": "stringa",
"user_id": 4,
"user_is_service_account": true,
"has_deletion_confirmation": false,
"uuid": "bb807755-62fa-412b-b242-fd930a24be13",
"active": true,
"in_dark_mode": null,
"has_mini_sidebar": false,
"user_api_key": "ViYIIkN_LL062yNOcq2kJA3ZMscOAoHmLy8GEh_JYKBWwspLB_E65jhYLg9CsR0J-kP8DmmM3RO31_xixrG8rw"
}

Update user

Update an existing user. Requires administrative rights.

Authorizations:

Bearer <bearer>

path Parameters

identifier

required

integer

Identifier of the resource to retrieve

Request Body schema: application/json

active	boolean
external_id	string
has_deletion_confirmation	boolean
in_dark_mode	boolean
user_email	string
user_id	integer
user_login	string
user_name	string
user_password	string
uuid	string

Responses

Request samples

Payload

Content type

application/json

{"user_name": "new_user",
"user_login": "new_user_login",
"user_email": "new_user_email"
}

Response samples

201
400

Content type

application/json

{"user_login": "strsing",
"user_name": "string",
"user_email": "stringa",
"user_id": 4,
"user_is_service_account": true,
"has_deletion_confirmation": false,
"uuid": "bb807755-62fa-412b-b242-fd930a24be13",
"active": true,
"in_dark_mode": null,
"has_mini_sidebar": false,
"user_api_key": "ViYIIkN_LL062yNOcq2kJA3ZMscOAoHmLy8GEh_JYKBWwspLB_E65jhYLg9CsR0J-kP8DmmM3RO31_xixrG8rw"
}

Delete user

Delete user. Requires administrative rights.

Authorizations:

Bearer <bearer>

path Parameters

identifier

required

integer

Identifier of the resource to retrieve

Responses

Response samples

400

Content type

application/json

{"message": "Error processing request - check server logs",
"data": null
}

List customers

Authorizations:

Bearer <bearer>

Responses

Response samples

200

Content type

application/json

{"total": 0,
"data": [{"customer_name": "fsd",
"customer_description": "fds",
"customer_sla": "fds",
"customer_id": 8,
"client_uuid": "d274194f-0e74-4ae5-9610-e2bf9735f10c",
"creation_date": "2023-03-20T13:25:57.930469",
"last_update_date": "2023-03-20T13:25:57.930469",
"custom_attributes": { }
}
],
"last_page": 0,
"current_page": 0,
"next_page": 0
}

Add a customer

Add a new customer that will be available at case creation.

Authorizations:

Bearer <bearer>

Request Body schema: application/json

customer_name required	string
customer_description	string
customer_sla	string

Responses

Request samples

Payload

Content type

application/json

{"customer_name": "New customer",
"customer_description": "New customer description",
"customer_sla": "New customer SLA"
}

Response samples

201
400

Content type

application/json

{"customer_name": "fsd",
"customer_description": "fds",
"customer_sla": "fds",
"customer_id": 8,
"client_uuid": "d274194f-0e74-4ae5-9610-e2bf9735f10c",
"creation_date": "2023-03-20T13:25:57.930469",
"last_update_date": "2023-03-20T13:25:57.930469",
"custom_attributes": { }
}

Get customer

Get a customer

Authorizations:

Bearer <bearer>

path Parameters

identifier

required

integer

Identifier of the resource to retrieve

Responses

Response samples

201
400

Content type

application/json

{"customer_name": "fsd",
"customer_description": "fds",
"customer_sla": "fds",
"customer_id": 8,
"client_uuid": "d274194f-0e74-4ae5-9610-e2bf9735f10c",
"creation_date": "2023-03-20T13:25:57.930469",
"last_update_date": "2023-03-20T13:25:57.930469",
"custom_attributes": { }
}

Update a customer

Update an existing customer. The new customer name should be one which is not already taken.

Authorizations:

Bearer <bearer>

path Parameters

identifier

required

integer

Identifier of the resource to retrieve

Request Body schema: application/json

customer_name required	string
customer_description	string
customer_sla	string

Responses

Request samples

Payload

Content type

application/json

{"customer_name": "New customer",
"customer_description": "New customer description",
"customer_sla": "New customer SLA"
}

Response samples

201
400

Content type

application/json

{"customer_name": "fsd",
"customer_description": "fds",
"customer_sla": "fds",
"customer_id": 8,
"client_uuid": "d274194f-0e74-4ae5-9610-e2bf9735f10c",
"creation_date": "2023-03-20T13:25:57.930469",
"last_update_date": "2023-03-20T13:25:57.930469",
"custom_attributes": { }
}

Delete a customer

A customer can be deleted only if it is not referenced in a case. To delete a referenced, every referencing cases musth be deleted before.

Authorizations:

Bearer <bearer>

path Parameters

identifier

required

integer

Identifier of the resource to retrieve

Responses

Response samples

400

Content type

application/json

{"message": "Error processing request - check server logs",
"data": null
}

Get an IOC

Authorizations:

Bearer <bearer>

path Parameters

identifier

required

integer

Identifier of the resource to retrieve

Responses

Response samples

201

Content type

application/json

{"ioc_type_id": 1,
"ioc_tlp_id": 2,
"ioc_value": "8.8.8.8",
"ioc_description": "rewrw",
"ioc_tags": "",
"cid": 2,
"link": [{"case_id": 2,
"case_name": "#2 - case name",
"client_name": "IrisInitialClient"
}
],
"tlp": {"tlp_id": 2,
"tlp_name": "amber",
"tlp_bscolor": "warning"
}
}

Update an IOC

Authorizations:

Bearer <bearer>

path Parameters

identifier

required

integer

Identifier of the resource to retrieve

Request Body schema: application/json

ioc_value	string non-empty
ioc_type_id	number
ioc_tlp_id	number
ioc_description	string non-empty A short description of the ioc. This will be the summary of the ioc.
ioc_misp	string or null Misp of ioc
ioc_tags	string Ioc tags

Responses

Request samples

Payload

Content type

application/json

{"ioc_value": "8.8.8.8",
"ioc_type_id": 1,
"ioc_tlp_id": 2,
"ioc_description": "rewrw",
"ioc_tags": ""
}

Response samples

200
400

Content type

application/json

{"ioc_type_id": 1,
"ioc_tlp_id": 2,
"ioc_value": "8.8.8.8",
"ioc_description": "rewrw",
"ioc_tags": "",
"cid": 2,
"link": [{"case_id": 2,
"case_name": "#2 - case name",
"client_name": "IrisInitialClient"
}
],
"tlp": {"tlp_id": 2,
"tlp_name": "amber",
"tlp_bscolor": "warning"
}
}

Delete an IOC

Delete an IOC from the case. If the IOC is still reference in other cases than it's only unlinked from the current case.

Authorizations:

Bearer <bearer>

path Parameters

identifier

required

integer

Identifier of the resource to retrieve

Responses

Response samples

400

Content type

application/json

{"message": "Error processing request - check server logs",
"data": null
}

Get a task

Get an task by its identifier

Authorizations:

Bearer <bearer>

path Parameters

identifier

required

integer

Identifier of the resource to retrieve

Responses

Response samples

201

Content type

application/json

{"id": 1696,
"task_uuid": "eb626d0e-ab81-4137-a8ee-33cfd452df21",
"task_title": "test permission",
"task_description": "",
"task_open_date": "2024-01-07T13:57:05.588940",
"task_tags": "",
"task_status_id": 1
}

Get an asset

Get an asset by its identifier

Authorizations:

Bearer <bearer>

path Parameters

identifier

required

integer

Identifier of the resource to retrieve

Responses

Response samples

200

Content type

application/json

{"asset_id": 57,
"asset_uuid": "c6598fd0-836a-4fc4-87c1-6f03348eadeb",
"asset_name": "FILESERVER1231",
"asset_type": "Windows - Server",
"asset_icon_compromised": "ioc_windows_server.png",
"asset_icon_not_compromised": "windows_server.png",
"asset_description": "",
"asset_domain": "",
"asset_compromise_status_id": 0,
"asset_ip": "",
"asset_type_id": 10,
"analysis_status": "Unspecified",
"analysis_status_id": 1,
"asset_tags": "",
"modification_history": {"1742544212.874": {"user": "administrator",
"user_id": 1,
"action": "created"
},
"1742544212.892766": {"user": "administrator",
"user_id": 1,
"action": "updated"
}
}
}

Update asset

Update an existing asset

Authorizations:

Bearer <bearer>

path Parameters

identifier

required

integer

Identifier of the resource to retrieve

Request Body schema: application/json

asset_name	string
	object
asset_description	string or null
asset_domain	string or null
	asset_compromise_status_id (integer) or null
asset_ip	string or null
asset_type_id	integer
	object or null
	analysis_status_id (integer) or null
asset_tags	string or null
	modification_history (object) or null

Responses

Request samples

Payload

Content type

application/json

{"asset_name": "FILESERVER1231",
"asset_type": "Windows - Server"
}

Response samples

200
400

Content type

application/json

{"asset_id": 57,
"asset_uuid": "c6598fd0-836a-4fc4-87c1-6f03348eadeb",
"asset_name": "FILESERVER1231",
"asset_type": "Windows - Server",
"asset_icon_compromised": "ioc_windows_server.png",
"asset_icon_not_compromised": "windows_server.png",
"asset_description": "",
"asset_domain": "",
"asset_compromise_status_id": 0,
"asset_ip": "",
"asset_type_id": 10,
"analysis_status": "Unspecified",
"analysis_status_id": 1,
"asset_tags": "",
"modification_history": {"1742544212.874": {"user": "administrator",
"user_id": 1,
"action": "created"
},
"1742544212.892766": {"user": "administrator",
"user_id": 1,
"action": "updated"
}
}
}

Get user profile

Returns the current user profile

Authorizations:

Bearer <bearer>

Responses

Response samples

200
400

Content type

application/json

{"user_login": "strsing",
"user_name": "string",
"user_email": "stringa",
"user_id": 4,
"user_is_service_account": true,
"has_deletion_confirmation": false,
"uuid": "bb807755-62fa-412b-b242-fd930a24be13",
"active": true,
"in_dark_mode": null,
"has_mini_sidebar": false,
"user_api_key": "ViYIIkN_LL062yNOcq2kJA3ZMscOAoHmLy8GEh_JYKBWwspLB_E65jhYLg9CsR0J-kP8DmmM3RO31_xixrG8rw"
}

Update user profile

Update the current user profile

Authorizations:

Bearer <bearer>

Request Body schema: application/json

user_login	string
user_name	string
user_email	string
has_deletion_confirmation	boolean
has_mini_sidebar	boolean
in_dark_mode	boolean
ctx_case	integer
user_password	string

Responses

Request samples

Payload

Content type

application/json

{"user_name": "new_user",
"user_login": "new_user_login",
"user_email": "new_user_email"
}

Response samples

201
400

Content type

application/json

{"user_login": "strsing",
"user_name": "string",
"user_email": "stringa",
"user_id": 4,
"user_is_service_account": true,
"has_deletion_confirmation": false,
"uuid": "bb807755-62fa-412b-b242-fd930a24be13",
"active": true,
"in_dark_mode": null,
"has_mini_sidebar": false,
"user_api_key": "ViYIIkN_LL062yNOcq2kJA3ZMscOAoHmLy8GEh_JYKBWwspLB_E65jhYLg9CsR0J-kP8DmmM3RO31_xixrG8rw"
}

List global tasks

Returns a list of all global tasks

Authorizations:

Bearer <bearer>

Responses

Response samples

200

Content type

application/json

{"total": 0,
"data": [{"task_id": 9,
"task_title": "Task title",
"task_description": "My task description",
"task_status_id": 15,
"task_assignee_id": 1,
"task_tags": "",
"task_userid_open": null,
"task_open_date": "2022-01-21T17:07:10.005183",
"task_userid_update": 1,
"task_last_update": "2022-01-21T17:07:10.005200",
"task_userid_close": null,
"task_close_date": null
}
],
"last_page": 0,
"current_page": 0,
"next_page": 0
}

Add a global task

Add a global task and assign it to a user.

Authorizations:

Bearer <bearer>

Request Body schema: application/json

task_title required	string >= 2 characters
task_description	string
task_status_id required	integer The initial status of the task
task_assignee_id required	integer A user ID for whom the task will be assigned
task_tags	string
task_open_date	string (iso_date) date in ISO 8601 format
task_userid_open	integer
task_last_update	string (iso_date) date in ISO 8601 format
task_userid_update	integer
task_close_date	string (iso_date) date in ISO 8601 format
task_userid_close	integer

Responses

Request samples

Payload

Content type

application/json

{"task_title": "Task title",
"task_description": "My task description",
"task_status_id": 14,
"task_assignee_id": 1,
"task_tags": ""
}

Response samples

201
400

Content type

application/json

{"task_id": 9,
"task_title": "Task title",
"task_description": "My task description",
"task_status_id": 15,
"task_assignee_id": 1,
"task_tags": "",
"task_userid_open": null,
"task_open_date": "2022-01-21T17:07:10.005183",
"task_userid_update": 1,
"task_last_update": "2022-01-21T17:07:10.005200",
"task_userid_close": null,
"task_close_date": null
}

Get a global task

Authorizations:

Bearer <bearer>

path Parameters

identifier

required

integer

Identifier of the resource to retrieve

Responses

Response samples

200

Content type

application/json

{"task_id": 9,
"task_title": "Task title",
"task_description": "My task description",
"task_status_id": 15,
"task_assignee_id": 1,
"task_tags": "",
"task_userid_open": null,
"task_open_date": "2022-01-21T17:07:10.005183",
"task_userid_update": 1,
"task_last_update": "2022-01-21T17:07:10.005200",
"task_userid_close": null,
"task_close_date": null
}

Update a global task

Authorizations:

Bearer <bearer>

path Parameters

identifier

required

integer

Identifier of the resource to retrieve

Request Body schema: application/json

task_title required	string >= 2 characters
task_description	string
task_status_id required	integer The initial status of the task
task_assignee_id required	integer A user ID for whom the task will be assigned
task_tags	string
task_open_date	string (iso_date) date in ISO 8601 format
task_userid_open	integer
task_last_update	string (iso_date) date in ISO 8601 format
task_userid_update	integer
task_close_date	string (iso_date) date in ISO 8601 format
task_userid_close	integer

Responses

Request samples

Payload

Content type

application/json

{"task_title": "Task title",
"task_description": "My task description",
"task_status_id": 14,
"task_assignee_id": 1,
"task_tags": ""
}

Response samples

201
400

Content type

application/json

{"task_id": 9,
"task_title": "Task title",
"task_description": "My task description",
"task_status_id": 15,
"task_assignee_id": 1,
"task_tags": "",
"task_userid_open": null,
"task_open_date": "2022-01-21T17:07:10.005183",
"task_userid_update": 1,
"task_last_update": "2022-01-21T17:07:10.005200",
"task_userid_close": null,
"task_close_date": null
}

Delete a global task

Authorizations:

Bearer <bearer>

path Parameters

identifier

required

integer

Identifier of the resource to retrieve

Responses

Case general

Update case summary

Update the summary of a case. Carefull: this will trigger an overwrite of the summary. Summaries are shared interactively between users. If an update summary is issued, every user will receive the change and their locale changes will be lost.
The summary is a markdown-compatible text.

Authorizations:

Bearer <bearer>

query Parameters

cid

required

string

Case ID

Request Body schema: application/json

case_description

required

string

The updated summary

Responses

Request samples

Payload

Content type

application/json

{"case_description": "Dummy description",
"cid": 1
}

Response samples

200

Content type

application/json

{"data": 3837413706,
"message": "Summary updated",
"status": "success"
}

Add task log

Add a task log to the case. The task log is registered under Activities and is be availble in reports templating. If CID is omitted, the default case of the calling user is used.

Authorizations:

Bearer <bearer>

query Parameters

cid	string Case ID

Request Body schema: application/json

log_content

required

string

Responses

Request samples

Payload

Content type

application/json

{"log_content": "A test"
}

Response samples

200
400

Content type

application/json

{"data": {"activity_date": "Fri, 21 Jan 2022 17:33:48 GMT",
"activity_desc": "A test",
"case": null,
"case_id": 1,
"id": 21632,
"user": null,
"user_id": 1,
"user_input": true
},
"message": "Log saved",
"status": "success"
}

Datastore

Get the datastore tree

List datastore folders and files

Authorizations:

Bearer <bearer>

query Parameters

cid

required

integer

Case ID

Responses

Response samples

200

Content type

application/json

{"data": {"d-48": {"children": {"d-49": {"children": {"f-31": {"added_by_user_id": 1,
"file_case_id": 1,
"file_date_added": "Mon, 20 Mar 2023 15:54:45 GMT",
"file_description": "dsa",
"file_id": 31,
"file_is_evidence": true,
"file_is_ioc": null,
"file_local_name": "/Evidences/case-1/dsf-65fc1aa8-aa58-4c02-a12a-bee485e8c30a.zip",
"file_original_name": "analysis_IrisInitialClient_2023-02-03.md",
"file_parent_id": 49,
"file_password": "badpassword",
"file_sha256": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
"file_size": 0,
"file_tags": "asd",
"file_uuid": "65fc1aa8-aa58-4c02-a12a-bee485e8c30a",
"modification_history": {"1679324085.841901": {"action": "created",
"user": "administrator",
"user_id": 1
}
},
"type": "file"
}
},
"name": "Evidences",
"type": "directory"
},
"d-50": {"children": { },
"name": "IOCs",
"type": "directory"
},
"d-51": {"children": { },
"name": "Images",
"type": "directory"
}
},
"is_root": true,
"name": "Case 1",
"type": "directory"
}
},
"message": "",
"status": "success"
}

Add a new file

Add a new file to the datastore. The file password is not encrypted and transmited in view requests.

Authorizations:

Bearer <bearer>

path Parameters

parent_id

required

integer

Parent folder ID

Request Body schema: multipart/form-data

-----------------------------139681927112990666592379500992
Content-Disposition: form-data; name="file_original_name"

the_original_filename
-----------------------------139681927112990666592379500992
Content-Disposition: form-data; name="file_description"

File description
-----------------------------139681927112990666592379500992
Content-Disposition: form-data; name="file_password"

FilePassword
-----------------------------139681927112990666592379500992
Content-Disposition: form-data; name="file_tags"

tag1,tag2
-----------------------------139681927112990666592379500992
Content-Disposition: form-data; name="file_is_evidence"

y
-----------------------------139681927112990666592379500992
Content-Disposition: form-data; name="file_content"; filename="new filename"
Content-Type: text/markdown

File Content

-----------------------------139681927112990666592379500992--

file_original_name required	string
file_description required	string
file_password required	string
file_tags required	string
file_is_evidence required	string
file_content	string

Responses

Response samples

200

Content type

application/json

{"data": {"added_by_user_id": 1,
"file_case_id": 1,
"file_date_added": "2023-03-20T15:54:45.841847",
"file_description": "dsa",
"file_id": 31,
"file_is_evidence": true,
"file_is_ioc": false,
"file_local_name": "/Evidences/case-1/dsf-65fc1aa8-aa58-4c02-a12a-bee485e8c30a.zip",
"file_original_name": "Analysis_IrisInitialClient_2023-02-03.md",
"file_parent_id": 49,
"file_password": "file_password",
"file_sha256": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
"file_size": 0,
"file_tags": "asd",
"file_uuid": "65fc1aa8-aa58-4c02-a12a-bee485e8c30a",
"modification_history": {"1679324085.841901": {"action": "created",
"user": "administrator",
"user_id": 1
}
}
},
"message": "File saved in datastore and added in evidence",
"status": "success"
}

Get datastore file info

Get a datastore file information. To download a file, use the /datastore/file/view endpoint.

Authorizations:

Bearer <bearer>

path Parameters

file_id

required

integer

File ID

Responses

Response samples

200

Content type

application/json

{"status": "success",
"message": "",
"data": {"file_size": 12,
"file_is_ioc": null,
"file_sha256": "3C5F1202EEE7096C9508FBC0E3A114B8680BBA9357CF620DBB47DDA184EBD529",
"file_is_evidence": null,
"file_uuid": "1dfe9518-071a-42d9-a3ae-dca82b453cfc",
"file_case_id": 1,
"file_date_added": "2023-08-02T13:34:31.674676",
"file_parent_id": 303,
"added_by_user_id": 11,
"file_original_name": "tst.txt",
"file_tags": "",
"modification_history": {"1690983271.6747": {"user": "adm_1",
"user_id": 11,
"action": "created"
}
},
"file_id": 24,
"file_description": "",
"file_password": ""
}
}

Update datastore file information

Update a datastore file. The file's content can be replaced. If a password was previously set, it is removed and cannot be re-enabled. The file identifiers stay the same.

Authorizations:

Bearer <bearer>

path Parameters

file_id

required

integer

File ID

Request Body schema: application/json

-----------------------------139681927112990666592379500992
Content-Disposition: form-data; name="file_original_name"

the_original_filename
-----------------------------139681927112990666592379500992
Content-Disposition: form-data; name="file_description"

File description
-----------------------------139681927112990666592379500992
Content-Disposition: form-data; name="file_tags"

tag1,tag2
-----------------------------139681927112990666592379500992
Content-Disposition: form-data; name="file_is_evidence"

y
-----------------------------139681927112990666592379500992
Content-Disposition: form-data; name="file_is_ioc"

y
-----------------------------139681927112990666592379500992
Content-Disposition: form-data; name="file_content"; filename="new filename"
Content-Type: text/markdown

File Content

-----------------------------139681927112990666592379500992--

object

Responses

Request samples

Payload

Content type

application/json

{ }

Response samples

200

Content type

application/json

{"data": {"added_by_user_id": 1,
"file_case_id": 1,
"file_date_added": "2023-03-20T15:54:45.841847",
"file_description": "dsa",
"file_id": 31,
"file_is_evidence": true,
"file_is_ioc": false,
"file_local_name": "/Evidences/case-1/dsf-65fc1aa8-aa58-4c02-a12a-bee485e8c30a.zip",
"file_original_name": "nalysis_IrisInitialClient_2023-02-03.md",
"file_parent_id": 49,
"file_password": "eqeq",
"file_sha256": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
"file_size": 0,
"file_tags": "asd",
"file_uuid": "65fc1aa8-aa58-4c02-a12a-bee485e8c30a",
"modification_history": {"1679324085.841901": {"action": "created",
"user": "administrator",
"user_id": 1
}
}
},
"message": "File saved in datastore and added in evidence",
"status": "success"
}

Delete a datastore file

Delete a file from the datastore. Once deleted the file cannot be recovered.

Authorizations:

Bearer <bearer>

path Parameters

file_id

required

integer

File ID

Responses

Response samples

200

Content type

application/json

{"data": [ ],
"message": "File 32 deleted",
"status": "success"
}

Download a datastore file

Download the content of a datastore file

Authorizations:

Bearer <bearer>

path Parameters

file_id

required

integer

File ID

Move a datastore file

Move a file to a new folder.

Authorizations:

Bearer <bearer>

path Parameters

file_id

required

string

Request Body schema: application/json

destination-node

integer

Responses

Request samples

Payload

Content type

application/json

{"destination-node": 0
}

Response samples

200

Content type

application/json

{"data": [ ],
"message": "File successfully moved to IOCs",
"status": "success"
}

Add a datastore folder

Add a new datastore folder.

Authorizations:

Bearer <bearer>

Request Body schema: application/json

folder_name	string
parent_node	integer

Responses

Request samples

Payload

Content type

application/json

{"folder_name": "string",
"parent_node": 0
}

Response samples

200

Content type

application/json

{"data": {"case": null,
"path_case_id": 1,
"path_id": 54,
"path_is_root": false,
"path_name": "string",
"path_parent_id": 48,
"path_uuid": "90413f42-c495-4eff-928b-c4a321128595",
"registry": null
},
"message": "Folder added",
"status": "success"
}

Delete a datastore folder

Delete a folder. The children are also deleted.

Authorizations:

Bearer <bearer>

path Parameters

folder_id

required

integer

Folder ID

Responses

Response samples

200
400

Content type

application/json

{"data": [ ],
"message": "Folder and children deleted",
"status": "success"
}

Rename a datastore folder

Rename a datastore folder.

Authorizations:

Bearer <bearer>

path Parameters

folder_id

required

string

query Parameters

cid	integer Case ID

Request Body schema: application/json

parent_node	string
folder_name	string

Responses

Request samples

Payload

Content type

application/json

{"parent_node": "53",
"folder_name": "New folder name"
}

Response samples

200

Content type

application/json

{"data": {"case": null,
"path_case_id": 1,
"path_id": 53,
"path_is_root": false,
"path_name": "New folder name",
"path_parent_id": 49,
"path_uuid": "61af71c7-4c7b-4d29-a4c5-825f415b3e06",
"registry": null
},
"message": "Folder renamed",
"status": "success"
}

Move a datastore folder

Move a folder to a new folder.

Authorizations:

Bearer <bearer>

path Parameters

folder_id

required

integer

Folder ID

Request Body schema: application/json

destination-node

integer

Responses

Request samples

Payload

Content type

application/json

{"destination-node": 49
}

Response samples

200

Content type

application/json

{"data": {"case": null,
"path_case_id": 1,
"path_id": 53,
"path_is_root": false,
"path_name": "New folder name",
"path_parent_id": 49,
"path_uuid": "61af71c7-4c7b-4d29-a4c5-825f415b3e06",
"registry": null
},
"message": "Folder \"New folder name\" successfully moved to \"Evidences\"",
"status": "success"
}

Manage Assets Types

Get assets types

Return a list of available assets types.

Authorizations:

Bearer <bearer>

query Parameters

cid

required

integer

Case ID

Responses

Response samples

200

Content type

application/json

{"data": [{"asset_description": "Standard Windows Server",
"asset_icon_compromised": "ioc_windows_server.png",
"asset_icon_compromised_path": "/static/assets/img/graph/ioc_windows_server.png",
"asset_icon_not_compromised": "windows_server.png",
"asset_icon_not_compromised_path": "/static/assets/img/graph/windows_server.png",
"asset_id": 10,
"asset_name": "Windows - Server"
},
{"asset_description": "Domain Controller",
"asset_icon_compromised": "ioc_windows_server.png",
"asset_icon_compromised_path": "/static/assets/img/graph/ioc_windows_server.png",
"asset_icon_not_compromised": "windows_server.png",
"asset_icon_not_compromised_path": "/static/assets/img/graph/windows_server.png",
"asset_id": 11,
"asset_name": "Windows - DC"
},
{"asset_description": "Router",
"asset_icon_compromised": "ioc_router.png",
"asset_icon_compromised_path": "/static/assets/img/graph/ioc_router.png",
"asset_icon_not_compromised": "router.png",
"asset_icon_not_compromised_path": "/static/assets/img/graph/router.png",
"asset_id": 12,
"asset_name": "Router"
},
{"asset_description": "Switch",
"asset_icon_compromised": "ioc_switch.png",
"asset_icon_compromised_path": "/static/assets/img/graph/ioc_switch.png",
"asset_icon_not_compromised": "switch.png",
"asset_icon_not_compromised_path": "/static/assets/img/graph/switch.png",
"asset_id": 13,
"asset_name": "Switch"
},
{"asset_description": "VPN",
"asset_icon_compromised": "ioc_vpn.png",
"asset_icon_compromised_path": "/static/assets/img/graph/ioc_vpn.png",
"asset_icon_not_compromised": "vpn.png",
"asset_icon_not_compromised_path": "/static/assets/img/graph/vpn.png",
"asset_id": 14,
"asset_name": "VPN"
},
{"asset_description": "WAF",
"asset_icon_compromised": "ioc_firewall.png",
"asset_icon_compromised_path": "/static/assets/img/graph/ioc_firewall.png",
"asset_icon_not_compromised": "firewall.png",
"asset_icon_not_compromised_path": "/static/assets/img/graph/firewall.png",
"asset_id": 15,
"asset_name": "WAF"
},
{"asset_description": "Windows Account - Local",
"asset_icon_compromised": "ioc_user.png",
"asset_icon_compromised_path": "/static/assets/img/graph/ioc_user.png",
"asset_icon_not_compromised": "user.png",
"asset_icon_not_compromised_path": "/static/assets/img/graph/user.png",
"asset_id": 16,
"asset_name": "Windows Account - Local"
},
{"asset_description": "Windows Account - Local - Admin",
"asset_icon_compromised": "ioc_user.png",
"asset_icon_compromised_path": "/static/assets/img/graph/ioc_user.png",
"asset_icon_not_compromised": "user.png",
"asset_icon_not_compromised_path": "/static/assets/img/graph/user.png",
"asset_id": 17,
"asset_name": "Windows Account - Local - Admin"
},
{"asset_description": "Windows Account - AD",
"asset_icon_compromised": "ioc_user.png",
"asset_icon_compromised_path": "/static/assets/img/graph/ioc_user.png",
"asset_icon_not_compromised": "user.png",
"asset_icon_not_compromised_path": "/static/assets/img/graph/user.png",
"asset_id": 18,
"asset_name": "Windows Account - AD"
},
{"asset_description": "Windows Account - AD - Admin",
"asset_icon_compromised": "ioc_user.png",
"asset_icon_compromised_path": "/static/assets/img/graph/ioc_user.png",
"asset_icon_not_compromised": "user.png",
"asset_icon_not_compromised_path": "/static/assets/img/graph/user.png",
"asset_id": 19,
"asset_name": "Windows Account - AD - Admin"
},
{"asset_description": "Windows Account - AD - krbtgt",
"asset_icon_compromised": "ioc_user.png",
"asset_icon_compromised_path": "/static/assets/img/graph/ioc_user.png",
"asset_icon_not_compromised": "user.png",
"asset_icon_not_compromised_path": "/static/assets/img/graph/user.png",
"asset_id": 20,
"asset_name": "Windows Account - AD - krbtgt"
},
{"asset_description": "Windows Account - AD - krbtgt",
"asset_icon_compromised": "ioc_user.png",
"asset_icon_compromised_path": "/static/assets/img/graph/ioc_user.png",
"asset_icon_not_compromised": "user.png",
"asset_icon_not_compromised_path": "/static/assets/img/graph/user.png",
"asset_id": 21,
"asset_name": "Windows Account - AD - Service"
},
{"asset_description": "Generic Account",
"asset_icon_compromised": "ioc_user.png",
"asset_icon_compromised_path": "/static/assets/img/graph/ioc_user.png",
"asset_icon_not_compromised": "user.png",
"asset_icon_not_compromised_path": "/static/assets/img/graph/user.png",
"asset_id": 1,
"asset_name": "Account"
},
{"asset_description": "Firewall",
"asset_icon_compromised": "ioc_firewall.png",
"asset_icon_compromised_path": "/static/assets/img/graph/ioc_firewall.png",
"asset_icon_not_compromised": "firewall.png",
"asset_icon_not_compromised_path": "/static/assets/img/graph/firewall.png",
"asset_id": 2,
"asset_name": "Firewall"
},
{"asset_description": "Linux server",
"asset_icon_compromised": "ioc_server.png",
"asset_icon_compromised_path": "/static/assets/img/graph/ioc_server.png",
"asset_icon_not_compromised": "server.png",
"asset_icon_not_compromised_path": "/static/assets/img/graph/server.png",
"asset_id": 3,
"asset_name": "Linux - Server"
},
{"asset_description": "Linux computer",
"asset_icon_compromised": "ioc_desktop.png",
"asset_icon_compromised_path": "/static/assets/img/graph/ioc_desktop.png",
"asset_icon_not_compromised": "desktop.png",
"asset_icon_not_compromised_path": "/static/assets/img/graph/desktop.png",
"asset_id": 4,
"asset_name": "Linux - Computer"
},
{"asset_description": "Linux Account",
"asset_icon_compromised": "ioc_user.png",
"asset_icon_compromised_path": "/static/assets/img/graph/ioc_user.png",
"asset_icon_not_compromised": "user.png",
"asset_icon_not_compromised_path": "/static/assets/img/graph/user.png",
"asset_id": 5,
"asset_name": "Linux Account"
},
{"asset_description": "Mac computer",
"asset_icon_compromised": "ioc_desktop.png",
"asset_icon_compromised_path": "/static/assets/img/graph/ioc_desktop.png",
"asset_icon_not_compromised": "desktop.png",
"asset_icon_not_compromised_path": "/static/assets/img/graph/desktop.png",
"asset_id": 6,
"asset_name": "Mac - Computer"
},
{"asset_description": "Android Phone",
"asset_icon_compromised": "ioc_phone.png",
"asset_icon_compromised_path": "/static/assets/img/graph/ioc_phone.png",
"asset_icon_not_compromised": "phone.png",
"asset_icon_not_compromised_path": "/static/assets/img/graph/phone.png",
"asset_id": 7,
"asset_name": "Phone - Android"
},
{"asset_description": "Apple Phone",
"asset_icon_compromised": "ioc_phone.png",
"asset_icon_compromised_path": "/static/assets/img/graph/ioc_phone.png",
"asset_icon_not_compromised": "phone.png",
"asset_icon_not_compromised_path": "/static/assets/img/graph/phone.png",
"asset_id": 8,
"asset_name": "Phone - IOS"
},
{"asset_description": "Standard Windows Computer",
"asset_icon_compromised": "ioc_windows_desktop.png",
"asset_icon_compromised_path": "/static/assets/img/graph/ioc_windows_desktop.png",
"asset_icon_not_compromised": "windows_desktop.png",
"asset_icon_not_compromised_path": "/static/assets/img/graph/windows_desktop.png",
"asset_id": 9,
"asset_name": "Windows - Computer"
}
],
"message": "",
"status": "success"
}

Get assets types

Returns information on a specific asset type.

Authorizations:

Bearer <bearer>

path Parameters

asset_type_id

required

integer

Asset Type ID

Responses

Response samples

200
400

Content type

application/json

{"data": {"asset_description": "Firewall",
"asset_id": 2,
"asset_name": "Firewall"
},
"message": "",
"status": "success"
}

Delete an asset type

Delete an asset type. Administrator role required.

Authorizations:

Bearer <bearer>

path Parameters

asset_type_id

required

integer

Asset Type ID

query Parameters

cid	integer Case ID

Responses

Response samples

200
400

Content type

application/json

{"data": [ ],
"message": "Deleted asset type ID 16 successfully",
"status": "success"
}

Delete Asset Type Deprecated

This endpoint is deprecated. Use POST /manage/asset-type/delete/{asset_type_id} instead.

Authorizations:

Bearer <bearer>

path Parameters

asset_type_id

required

integer

Asset Type ID

Responses

Add a new asset type

Administrator role required. See the example for the expected data.

Authorizations:

Bearer <bearer>

Request Body schema: multipart/form-data

-----------------------------145784024822865434322863553415
Content-Disposition: form-data; name="asset_name"

My asset name
-----------------------------145784024822865434322863553415
Content-Disposition: form-data; name="asset_description"

My asset description
-----------------------------145784024822865434322863553415
Content-Disposition: form-data; name="asset_icon_not_compromised"; filename="ex.png"
Content-Type: image/png

PNG DATA
-----------------------------145784024822865434322863553415
Content-Disposition: form-data; name="asset_icon_compromised"; filename="ex_1.png"
Content-Type: image/png

PNG DATA
-----------------------------145784024822865434322863553415--

asset_name required	string
asset_description required	string
asset_icon_not_compromised required	string
asset_icon_compromised required	string

Responses

Response samples

200
400

Content type

application/json

{"data": {"asset_description": "Test",
"asset_icon_compromised": "rhogktdtczkkrokiaq",
"asset_icon_not_compromised": "ibbbflajuaecznvhtm",
"asset_id": 22,
"asset_name": "Test",
"registry": null
},
"message": "Asset type updated",
"status": "success"
}

Update an asset type

Administrator role required.

Authorizations:

Bearer <bearer>

path Parameters

asset_type_id

required

integer

Asset Type to update

query Parameters

cid

required

integer

Case ID

Request Body schema: multipart/form-data

-----------------------------145784024822865434322863553415
Content-Disposition: form-data; name="asset_name"

My asset name
-----------------------------145784024822865434322863553415
Content-Disposition: form-data; name="asset_description"

My asset description
-----------------------------145784024822865434322863553415
Content-Disposition: form-data; name="asset_icon_not_compromised"; filename="ex.png"
Content-Type: image/png

PNG DATA
-----------------------------145784024822865434322863553415
Content-Disposition: form-data; name="asset_icon_compromised"; filename="ex_1.png"
Content-Type: image/png

PNG DATA
-----------------------------145784024822865434322863553415--

asset_name required	string
asset_description required	string
asset_icon_not_compromised required	string
asset_icon_compromised required	string

Responses

Response samples

200
400

Content type

application/json

{"data": {"asset_description": "Windows Account - Local - Admin",
"asset_icon_compromised": "ioc_user.png",
"asset_icon_not_compromised": "user.png",
"asset_id": 17,
"asset_name": "Windows Account - Local - Admin",
"registry": null
},
"message": "Asset type updated",
"status": "success"
}

Manage Task Status

List task status

Return a list of available task status.

Authorizations:

Bearer <bearer>

query Parameters

cid

required

integer

Case ID

Responses

Response samples

200

Content type

application/json

{"data": [{"id": 1,
"status_bscolor": "danger",
"status_description": "",
"status_name": "To do"
},
{"id": 2,
"status_bscolor": "warning",
"status_description": "",
"status_name": "In progress"
},
{"id": 3,
"status_bscolor": "muted",
"status_description": "",
"status_name": "On hold"
},
{"id": 4,
"status_bscolor": "success",
"status_description": "",
"status_name": "Done"
},
{"id": 5,
"status_bscolor": "muted",
"status_description": "",
"status_name": "Canceled"
}
],
"message": "",
"status": "success"
}

Get task status

Return information on a task status.

Authorizations:

Bearer <bearer>

path Parameters

task_status_id

required

integer

Task status to get

query Parameters

cid

required

integer

Case ID

Responses

Response samples

200
400

Content type

application/json

{"data": {"id": 1,
"status_bscolor": "danger",
"status_description": "",
"status_name": "To do"
},
"message": "",
"status": "success"
}

Manage Analysis Status

List analysis status

Return a list of available analysis status.

Authorizations:

Bearer <bearer>

query Parameters

cid

required

integer

Case ID

Responses

Response samples

200

Content type

application/json

{"data": [{"id": 1,
"name": "Unspecified"
},
{"id": 2,
"name": "To be done"
},
{"id": 3,
"name": "Started"
},
{"id": 4,
"name": "Pending"
},
{"id": 5,
"name": "Canceled"
},
{"id": 6,
"name": "Done"
}
],
"message": "",
"status": "success"
}

Get Analysis Status

Return information on an analysis status.

Authorizations:

Bearer <bearer>

path Parameters

analysis_status_id

required

integer

Analysis Status ID

Responses

Response samples

200
400

Content type

application/json

{"data": {"id": 1,
"name": "Unspecified"
},
"message": "",
"status": "success"
}

Manage IOC Types

List IOC types

Return a list of available IOC types.

Authorizations:

Bearer <bearer>

Responses

Response samples

200

Content type

application/json

{"data": [{"0": [{ }
]
}
],
"message": "string",
"status": "string"
}

Get IOC type

Return information on an IOC type.

Authorizations:

Bearer <bearer>

path Parameters

ioc_type_id

required

integer

IOC Type ID

query Parameters

cid

required

integer

Case ID

Responses

Response samples

200
400

Content type

application/json

{"data": {"registry": null,
"type_description": "Autonomous system",
"type_id": 1,
"type_name": "AS",
"type_taxonomy": null,
"type_validation_expect": null,
"type_validation_regex": null
},
"message": "",
"status": "success"
}

Delete IOC type

Delete an IOC type. Administrator role required.

Authorizations:

Bearer <bearer>

path Parameters

ioc_type_id

required

integer

IOC Type ID

query Parameters

cid	integer Case ID

Responses

Response samples

200
400

Content type

application/json

{"data": [ ],
"message": "Deleted ioc type ID 6",
"status": "success"
}

Delete IOC type Deprecated

This endpoint is deprecated. Use POST /manage/ioc-types/delete/{ioc_type_id} instead.

Authorizations:

Bearer <bearer>

path Parameters

ioc_type_id

required

integer

IOC Type ID

Responses

Add an IOC type

Administrator role required.

Authorizations:

Bearer <bearer>

Request Body schema: application/json

type_name required	string
type_description required	string
type_taxonomy required	string
type_validation_regex required	string
type_validation_expect required	string

Responses

Request samples

Payload

Content type

application/json

{"type_name": "campaign-id",
"type_description": "Associated campaign ID",
"type_taxonomy": "dsa",
"type_validation_regex": "*.",
"type_validation_expect": "Explanation"
}

Response samples

200
400

Content type

application/json

{"data": {"registry": null,
"type_description": "Associated campaign ID",
"type_id": 161,
"type_name": "campaign-aaid",
"type_taxonomy": "dsa",
"type_validation_expect": "Explanation",
"type_validation_regex": "*."
},
"message": "Added successfully",
"status": "success"
}

Update an IOC type

Administrator role required.

Authorizations:

Bearer <bearer>

path Parameters

ioc_type_id

required

integer

IOC Type ID

Request Body schema: application/json

type_name	string
type_description	string
type_taxonomy	string
type_validation_regex	string
type_validation_expect	string

Responses

Request samples

Payload

Content type

application/json

{"type_name": "campaign-id",
"type_description": "Associated campaign ID",
"type_taxonomy": "dsa",
"type_validation_regex": "*.",
"type_validation_expect": "Explanation"
}

Response samples

200
400

Content type

application/json

{"data": {"registry": null,
"type_description": "Associated campaign ID",
"type_id": 7,
"type_name": "campaign-id",
"type_taxonomy": "dsa",
"type_validation_expect": "Explanation",
"type_validation_regex": "*."
},
"message": "IOC type updated",
"status": "success"
}

Manage ioc tlp

List IOC TLP values

IOC TPL (Traffic Light Protocol) values

Authorizations:

Bearer <bearer>

Responses

Response samples

200

Content type

application/json

{"status": "success",
"message": "",
"data": [{"tlp_name": "danger",
"tlp_bscolor": "red",
"tlp_id": 1
},
{"tlp_name": "amber",
"tlp_bscolor": "warning",
"tlp_id": 2
},
{"tlp_name": "success",
"tlp_bscolor": "green",
"tlp_id": 3
},
{"tlp_name": "clear",
"tlp_bscolor": "black",
"tlp_id": 4
},
{"tlp_name": "amber+strict",
"tlp_bscolor": "warning",
"tlp_id": 5
}
]
}

Manage Cases Templates

Add a case template

Add a new case template.

Authorizations:

Bearer <bearer>

Request Body schema: application/json

case_template_json

string

Responses

Request samples

Payload

Content type

application/json

{"case_template_json": "{\n    \"name\": \"Template name\",\n    \"display_name\": \"Template Display Name\",\n    \"description\": \"Template description\",\n    \"author\": \"YOUR NAME\",\n    \"classification\": \"known-template-classification\",\n    \"title_prefix\": \"[PREFIX]\",\n    \"summary\": \"Summary to be set\",\n    \"tags\": [\n        \"ransomware\",\n        \"malware\"\n    ],\n    \"tasks\": [\n        {\n            \"title\": \"Task 1\",\n            \"description\": \"Task 1 description\",\n            \"tags\": [\n                \"tag1\",\n                \"tag2\"\n            ]\n        }\n    ],\n    \"note_groups\": [\n        {\n            \"title\": \"Note group 1\",\n            \"notes\": [\n                {\n                    \"title\": \"Note 1\",\n                    \"content\": \"Note 1 content\"\n                }\n            ]\n        }\n    ]\n}"
}

Response samples

200
400

Content type

application/json

{"data": {"registry": null,
"type_description": "Associated campaign ID",
"type_id": 7,
"type_name": "campaign-id",
"type_taxonomy": "dsa",
"type_validation_expect": "Explanation",
"type_validation_regex": "*."
},
"message": "IOC type updated",
"status": "success"
}

Update a case template

Update a case template.

Authorizations:

Bearer <bearer>

path Parameters

template_id

required

integer

Case Template ID

Request Body schema: application/json

case_template_json

string

Responses

Request samples

Payload

Content type

application/json

{"case_template_json": "{\n    \"name\": \"Template name\",\n    \"display_name\": \"Template Display Name\",\n    \"description\": \"Template description\",\n    \"author\": \"YOUR NAME\",\n    \"classification\": \"known-template-classification\",\n    \"title_prefix\": \"[PREFIX]\",\n    \"summary\": \"Summary to be set\",\n    \"tags\": [\n        \"ransomware\",\n        \"malware\"\n    ],\n    \"tasks\": [\n        {\n            \"title\": \"Task 1\",\n            \"description\": \"Task 1 description\",\n            \"tags\": [\n                \"tag1\",\n                \"tag2\"\n            ]\n        }\n    ],\n    \"note_groups\": [\n        {\n            \"title\": \"Note group 1\",\n            \"notes\": [\n                {\n                    \"title\": \"Note 1\",\n                    \"content\": \"Note 1 content\"\n                }\n            ]\n        }\n    ]\n}"
}

Response samples

200
400

Content type

application/json

{"data": {"registry": null,
"type_description": "Associated campaign ID",
"type_id": 7,
"type_name": "campaign-id",
"type_taxonomy": "dsa",
"type_validation_expect": "Explanation",
"type_validation_regex": "*."
},
"message": "IOC type updated",
"status": "success"
}

Delete a case template

Delete a case template.

Authorizations:

Bearer <bearer>

path Parameters

template_id

required

integer

Case Template ID

Responses

Response samples

200
400

Content type

application/json

{"data": {"registry": null,
"type_description": "Associated campaign ID",
"type_id": 7,
"type_name": "campaign-id",
"type_taxonomy": "dsa",
"type_validation_expect": "Explanation",
"type_validation_regex": "*."
},
"message": "IOC type updated",
"status": "success"
}

Manage Cases Classifications

List case classifications

List the case classifications.

Authorizations:

Bearer <bearer>

Responses

Response samples

200

Content type

application/json

{"status": "success",
"message": "",
"data": [{"id": 1,
"name": "abusive-content:spam",
"name_expanded": "Abusive-Content: spam",
"description": "Spam or ‘unsolicited bulk e-mail’, meaning that the recipient has not granted verifiable permission for the message to be sent and that the message is sent as part of a larger collection of messages, all having identical content.",
"creation_date": "2023-04-28T11:30:00.649012"
},
{"id": 2,
"name": "abusive-content:harmful-speech",
"name_expanded": "Abusive-Content: Harmful Speech",
"description": "Discretization or discrimination of somebody (e.g. cyber stalking, racism and threats against one or more individuals) May be found on a forum, email, tweet etc…",
"creation_date": "2023-04-28T11:30:00.653918"
},
{"id": 3,
"name": "abusive-content:violence",
"name_expanded": "Abusive-Content: Child/Sexual/Violence/...",
"description": "Any Child pornography, glorification of violence, may be found on a website, forum, email, tweet etc…",
"creation_date": "2023-04-28T11:30:00.657151"
},
{"id": 4,
"name": "malicious-code:virus",
"name_expanded": "Malicious-Code: Virus",
"description": "Malicious code that replicate itself and infects the computer and files;",
"creation_date": "2023-04-28T11:30:00.660827"
},
{"id": 5,
"name": "malicious-code:worm",
"name_expanded": "Malicious-Code: Worm",
"description": "Malware that self-replicates and spread itself to other computers in the network without any user interaction;",
"creation_date": "2023-04-28T11:30:00.664177"
},
{"id": 6,
"name": "malicious-code:ransomware",
"name_expanded": "Malicious-Code: Ransomware",
"description": "Ransomware is a type of malicious software from cryptovirology that blocks access to the victim's data or threatens to publish it until a ransom is paid.",
"creation_date": "2023-04-28T11:30:00.667058"
},
{"id": 7,
"name": "malicious-code:trojan-malware",
"name_expanded": "Malicious-Code: Trojan/Malware",
"description": "This category regroups many common malware types (Banking, POS, Mining malware).",
"creation_date": "2023-04-28T11:30:00.670949"
},
{"id": 8,
"name": "malicious-code:spyware-rat",
"name_expanded": "Malicious-Code: Spyware/Rat",
"description": "This category regroups malware types and tools that may have a bigger impact on the breached infrastructure and usually need further investigations (Common Spyware/Rat, State sponsored malwares, StealersHacking tool).",
"creation_date": "2023-04-28T11:30:00.673649"
},
{"id": 9,
"name": "malicious-code:dialer",
"name_expanded": "Malicious-Code: Dialer",
"description": "Computer program used to identify the phone numbers that can successfully make a connection with a computer modem. Use this category to classify overpriced SMS sent by malicious mobile application. ",
"creation_date": "2023-04-28T11:30:00.676681"
},
{"id": 10,
"name": "malicious-code:rootkit",
"name_expanded": "Malicious-Code: Rootkit",
"description": "Malware, which alter the standard functionality of an operating system in order to do its malicious actions in a stealthy way. In practice, Rootkits hijacks systems functions in order to alter the returning values to hide themselves from simple analysis tools.",
"creation_date": "2023-04-28T11:30:00.679830"
},
{"id": 11,
"name": "information-gathering:scanner",
"name_expanded": "Information-Gathering: Scanning",
"description": "Attacks that send requests to a system to discover weak points. This also includes some kinds of testing processes to gather information about hosts, services and accounts. Examples: fingerd, DNS querying, ICMP, SMTP (EXPN, RCPT,).",
"creation_date": "2023-04-28T11:30:00.682321"
},
{"id": 12,
"name": "information-gathering:sniffing",
"name_expanded": "Information-Gathering: Sniffing",
"description": "Observing and recording network traffic (wiretapping).",
"creation_date": "2023-04-28T11:30:00.686102"
},
{"id": 13,
"name": "information-gathering:social-engineering",
"name_expanded": "Information-Gathering: Social Engineering",
"description": "Gathering information from a human being in a non-technical way (eg, lies, tricks, bribes, or threats).",
"creation_date": "2023-04-28T11:30:00.689526"
},
{"id": 14,
"name": "intrusion-attempts:exploit-known-vuln",
"name_expanded": "Intrusion-Attempts: Exploiting known vulnerabilities",
"description": "An attempt to compromise a system or to disrupt any service by exploiting vulnerabilities with a standardised identifier such as CVE name (eg, buffer overflow, backdoors, cross side scripting, etc).",
"creation_date": "2023-04-28T11:30:00.692862"
},
{"id": 15,
"name": "intrusion-attempts:login-attempts",
"name_expanded": "Intrusion-Attempts: Login attempts",
"description": "Multiple login attempts (guessing / cracking of passwords, brute force).",
"creation_date": "2023-04-28T11:30:00.696596"
},
{"id": 16,
"name": "intrusion-attempts:new-attack-signature",
"name_expanded": "Intrusion-Attempts: New attack signature",
"description": "An attempt using an unknown exploit.",
"creation_date": "2023-04-28T11:30:00.699969"
},
{"id": 17,
"name": "intrusion:privileged-account-compromise",
"name_expanded": "Intrusion: Privileged Account Compromise",
"description": "A successful full compromise of a system or application (service). This can have been caused remotely by a known or new vulnerability, but also by an unauthorized local access.",
"creation_date": "2023-04-28T11:30:00.704096"
},
{"id": 18,
"name": "intrusion:unprivileged-account-compromise",
"name_expanded": "Intrusion: Unprivileged Account Compromise",
"description": "A successful compromise of a system or application (service). This can have been caused remotely by a known or new vulnerability, but also by an unauthorized local access. The intruded did not achieve to escale his privileges locally. ",
"creation_date": "2023-04-28T11:30:00.707415"
},
{"id": 19,
"name": "intrusion:botnet-member",
"name_expanded": "Intrusion: Botnet member",
"description": "The compromised asset is also being part of a botnet. This is reserved mainly for public web servers. See malicious code in priority for workstations or internal server’s compromise. For example, phpmailer, etc…",
"creation_date": "2023-04-28T11:30:00.711851"
},
{"id": 20,
"name": "intrusion:domain-compromise",
"name_expanded": "Intrusion: Domain Compromise",
"description": "The whole domain is compromised; this is commonly used for active directory and detected by a 'pass the ticket' attack or a discovery of 'ad dumps' files.",
"creation_date": "2023-04-28T11:30:00.715487"
},
{"id": 21,
"name": "intrusion:application-compromise",
"name_expanded": "Intrusion: Application Compromise",
"description": "An application is compromised; the attacker possess an uncontrolled access to data, server, and assets used by this application (CMDB, DB, Backend services, etc.).",
"creation_date": "2023-04-28T11:30:00.719242"
},
{"id": 22,
"name": "availability:dos",
"name_expanded": "Availability: DoS",
"description": "An attacker attempts to prevent legitimate users from accessing information or services.",
"creation_date": "2023-04-28T11:30:00.722901"
},
{"id": 23,
"name": "availability:ddos",
"name_expanded": "Availability: DDoS",
"description": "Form of electronic attack involving multiple computers, which send repeated requests (HTTP requests, pings, TCP or UDP Flood) to a server to load it down and render the service inaccessible for a period of time. ",
"creation_date": "2023-04-28T11:30:00.726025"
},
{"id": 24,
"name": "availability:sabotage",
"name_expanded": "Availability: Sabotage",
"description": "Deliberate and malicious acts that result in the disruption of the normal processes and functions or the destruction or damage of equipment or information.",
"creation_date": "2023-04-28T11:30:00.730028"
},
{"id": 25,
"name": "availability:outage",
"name_expanded": "Availability: Outage (no malice)",
"description": "Unavailability of the system but done with no malice.",
"creation_date": "2023-04-28T11:30:00.732902"
},
{"id": 26,
"name": "information-content-security:Unauthorised-information-access",
"name_expanded": "Information-Content-Security: Unauthorised access to information",
"description": "Any access to unauthorized data. It may be access of data on improperly restricted server share or database exfiltered by using a SQLi.",
"creation_date": "2023-04-28T11:30:00.736928"
},
{"id": 27,
"name": "information-content-security:Unauthorised-information-modification",
"name_expanded": "Information-Content-Security: Unauthorised modification of information",
"description": "Unauthorized tampering of data on files, documents or database.",
"creation_date": "2023-04-28T11:30:00.740163"
},
{"id": 28,
"name": "fraud:copyright",
"name_expanded": "Fraud: Copyright",
"description": "Selling or installing copies of unlicensed commercial software or other copyright protected materials (Warez).",
"creation_date": "2023-04-28T11:30:00.743723"
},
{"id": 29,
"name": "fraud:masquerade",
"name_expanded": "Fraud: Masquerade",
"description": "Types of attacks in which one entity illegitimately assumes the identity of another in order to benefit from it. This attack may be used for president fraud requesting transactions.",
"creation_date": "2023-04-28T11:30:00.747483"
},
{"id": 30,
"name": "fraud:phishing",
"name_expanded": "Fraud: Phishing",
"description": "Masquerading as another entity in order to persuade the user to reveal a private credential.",
"creation_date": "2023-04-28T11:30:00.750375"
},
{"id": 31,
"name": "vulnerable:vulnerable-service",
"name_expanded": "Vulnerable: Open for abuse",
"description": "Open resolvers, world readable printers, vulnerability apparent from Nessus etc scans, virus, signatures not up to date, etc. This includes for example default SNMP community or default password on any application.",
"creation_date": "2023-04-28T11:30:00.754135"
},
{"id": 32,
"name": "conformity:regulator",
"name_expanded": "Conformity: Regulator",
"description": "All lack about regulator rules (CSSF, GDPR, etc.).",
"creation_date": "2023-04-28T11:30:00.757258"
},
{"id": 33,
"name": "conformity:standard",
"name_expanded": "Conformity: Standard",
"description": "All lack about standards certification of the company (ISO27000, NIS, ISAE3402, etc.).",
"creation_date": "2023-04-28T11:30:00.760692"
},
{"id": 34,
"name": "conformity:security-policy",
"name_expanded": "Conformity: Security policy",
"description": "All lack about the internal security policy of the company.",
"creation_date": "2023-04-28T11:30:00.764099"
},
{"id": 35,
"name": "conformity:other-conformity",
"name_expanded": "Conformity: Other",
"description": "All lack that do not fit in one of previous categories should be put on this class.",
"creation_date": "2023-04-28T11:30:00.766910"
},
{"id": 36,
"name": "other:other",
"name_expanded": "Other: other",
"description": "All incidents that do not fit in one of the given categories should be put into this class. If the number of incidents in this category increases, it is an indicator that the classification scheme must be revised.",
"creation_date": "2023-04-28T11:30:00.770376"
},
{"id": 75,
"name": "Super really",
"name_expanded": "No no no",
"description": "dsadas",
"creation_date": "2023-05-02T07:22:38.042448"
}
]
}

Get case classification

Get a case classification from an ID.

Authorizations:

Bearer <bearer>

path Parameters

classification_id

required

integer

Classification ID to fetch

Responses

Response samples

200

Content type

application/json

{"status": "success",
"message": "",
"data": {"creation_date": "2023-04-28T11:30:00.649012",
"description": "Spam or ‘unsolicited bulk e-mail’, meaning that the recipient has not granted verifiable permission for the message to be sent and that the message is sent as part of a larger collection of messages, all having identical content.",
"name_expanded": "Abusive-Content: spam",
"id": 1,
"name": "abusive-content:spam"
}
}

Add a case classification

Authorizations:

Bearer <bearer>

Request Body schema: application/json

name	string
name_expanded	string
description	string

Responses

Request samples

Payload

Content type

application/json

{"name": "NewClassification",
"name_expanded": "New Classification",
"description": "Superbe new classification"
}

Response samples

200

Content type

application/json

{"status": "success",
"message": "Case classification added",
"data": {"name": "NewClassification",
"name_expanded": "New Classification",
"description": "Superbe new classification",
"id": 41,
"creation_date": "2024-01-10T12:56:24.442781"
}
}

Update a case classification

Authorizations:

Bearer <bearer>

path Parameters

classification_id

required

string

Classification ID

Request Body schema: application/json

name	string
name_expanded	string
description	string

Responses

Request samples

Payload

Content type

application/json

{"name": "NewClassification",
"name_expanded": "New Classification",
"description": "Superbe new classification"
}

Response samples

200

Content type

application/json

{"status": "success",
"message": "Case classification updated",
"data": {"name": "NewClassification",
"name_expanded": "New Classification",
"description": "Superbe new classification",
"id": 41,
"creation_date": "2024-01-10T12:56:24.442781"
}
}

Delete a case classification

Authorizations:

Bearer <bearer>

path Parameters

classification_id

required

string

Classification ID

Responses

Response samples

200

Content type

application/json

{"status": "success",
"message": "Case classification deleted",
"data": [ ]
}

Delete a case classification

Authorizations:

Bearer <bearer>

path Parameters

state_id

required

integer

State ID

Responses

Response samples

200

Content type

application/json

{"status": "success",
"message": "Case state deleted",
"data": [ ]
}

Delete an evidence type

Authorizations:

Bearer <bearer>

path Parameters

state_id

required

integer

State ID

Responses

Response samples

200

Content type

application/json

{"status": "success",
"message": "Evidence type deleted",
"data": [ ]
}

Manage Cases states

List case states

List the case states.

Authorizations:

Bearer <bearer>

Responses

Response samples

200

Content type

application/json

{"status": "success",
"message": "",
"data": [{"state_name": "Unspecified",
"state_description": "Unspecified",
"state_id": 1,
"protected": true
},
{"state_name": "In progress",
"state_description": "Case is being investigated",
"state_id": 2,
"protected": false
},
{"state_name": "Containment",
"state_description": "Containment is in progress",
"state_id": 4,
"protected": false
},
{"state_name": "Eradication",
"state_description": "Eradication is in progress",
"state_id": 5,
"protected": false
},
{"state_name": "Recovery",
"state_description": "Recovery is in progress",
"state_id": 6,
"protected": false
},
{"state_name": "Post-Incident",
"state_description": "Post-incident phase",
"state_id": 7,
"protected": false
},
{"state_name": "Reporting",
"state_description": "Reporting is in progress",
"state_id": 8,
"protected": false
},
{"state_name": "Closed",
"state_description": "Case is closed",
"state_id": 9,
"protected": true
},
{"state_name": "Open",
"state_description": "Case is open",
"state_id": 11,
"protected": true
},
{"state_name": "Open",
"state_description": "Case is open",
"state_id": 3,
"protected": true
},
{"state_name": "To escalate",
"state_description": "Use this when the case is stalled due to inaction of an involved stakeholder",
"state_id": 10,
"protected": false
}
]
}

Get case state

Get a case state from an ID.

Authorizations:

Bearer <bearer>

path Parameters

state_id

required

integer

state ID to fetch

Responses

Response samples

200

Content type

application/json

{"status": "success",
"message": "",
"data": {"state_name": "Unspecified",
"state_description": "Unspecified",
"state_id": 1,
"protected": true
}
}

Add a case state

Authorizations:

Bearer <bearer>

Request Body schema: application/json

state_name required	string
state_description required	string

Responses

Request samples

Payload

Content type

application/json

{"state_name": "New state",
"state_description": "Superbe new state"
}

Response samples

200

Content type

application/json

{"status": "success",
"message": "Case state added",
"data": {"state_name": "New state",
"state_description": "Superbe new state",
"state_id": 14,
"protected": false
}
}

Update a case state

Authorizations:

Bearer <bearer>

path Parameters

state_id

required

string

state ID

Request Body schema: application/json

state_name	string
state_description	string

Responses

Request samples

Payload

Content type

application/json

{"state_name": "New state",
"state_description": "Superbe new state"
}

Response samples

200

Content type

application/json

{"status": "success",
"message": "Case state updated",
"data": {"state_name": "New state",
"state_description": "Superbe new state",
"state_id": 14,
"protected": false
}
}

Manage Compromise Status

List compromise status

Return a list of available compromise status.

Authorizations:

Bearer <bearer>

Responses

Response samples

200

Content type

application/json

{"data": [{"value": 0,
"name": "To be determined"
},
{"value": 1,
"name": "Compromised"
},
{"value": 2,
"name": "Not compromised"
},
{"value": 3,
"name": "Unknown"
}
],
"message": "",
"status": "success"
}

Manage cases severities

List case severities

List the case severities

Authorizations:

Bearer <bearer>

Responses

Response samples

200

Content type

application/json

{"status": "success",
"message": "",
"data": [{"severity_name": "Medium",
"severity_description": "Medium",
"severity_id": 1
},
{"severity_name": "Unspecified",
"severity_description": "Unspecified",
"severity_id": 2
},
{"severity_name": "Informational",
"severity_description": "Informational",
"severity_id": 3
},
{"severity_name": "Low",
"severity_description": "Low",
"severity_id": 4
},
{"severity_name": "High",
"severity_description": "High",
"severity_id": 5
},
{"severity_name": "Critical",
"severity_description": "Critical",
"severity_id": 6
}
]
}

Manage evidence types

List evidence types

List the evidence types.

Authorizations:

Bearer <bearer>

Responses

Response samples

200

Content type

application/json

{"status": "success",
"message": "",
"data": [{"id": 1,
"name": "Unspecified",
"description": "Unspecified",
"creation_date": "2023-11-29T10:28:30.448583"
},
{"id": 2,
"name": "HDD image - Generic",
"description": "Generic copy of an hard drive",
"creation_date": "2023-11-29T10:28:30.764707"
},
{"id": 3,
"name": "HDD image - DD - Other",
"description": "DD copy of an hard drive",
"creation_date": "2023-11-29T10:28:30.768152"
},
{"id": 4,
"name": "HDD image - DD - Windows",
"description": "DD copy of an hard drive",
"creation_date": "2023-11-29T10:28:30.777829"
},
{"id": 5,
"name": "HDD image - DD - Unix",
"description": "DD copy of an hard drive",
"creation_date": "2023-11-29T10:28:30.785553"
},
{"id": 6,
"name": "HDD image - DD - MacOS",
"description": "DD copy of an hard drive",
"creation_date": "2023-11-29T10:28:30.794414"
},
{"id": 7,
"name": "HDD image - E01 - Other",
"description": "E01 acquisition of an hard drive",
"creation_date": "2023-11-29T10:28:30.800029"
},
{"id": 8,
"name": "HDD image - E01 - Windows",
"description": "E01 acquisition of an hard drive",
"creation_date": "2023-11-29T10:28:30.803284"
},
{"id": 9,
"name": "HDD image - E01 - Unix",
"description": "E01 acquisition of an hard drive",
"creation_date": "2023-11-29T10:28:30.806221"
},
{"id": 10,
"name": "HDD image - E01 - MacOS",
"description": "E01 acquisition of an hard drive",
"creation_date": "2023-11-29T10:28:30.809047"
},
{"id": 11,
"name": "HDD image - AFF4 - Other",
"description": "AFF4 acquisition of an hard drive",
"creation_date": "2023-11-29T10:28:30.811984"
},
{"id": 12,
"name": "HDD image - AFF4 - Windows",
"description": "AFF4 acquisition of an hard drive",
"creation_date": "2023-11-29T10:28:30.814682"
},
{"id": 13,
"name": "HDD image - AFF4 - Unix",
"description": "AFF4 acquisition of an hard drive",
"creation_date": "2023-11-29T10:28:30.817469"
},
{"id": 14,
"name": "HDD image - AFF4 - MacOS",
"description": "AFF4 acquisition of an hard drive",
"creation_date": "2023-11-29T10:28:30.820104"
},
{"id": 15,
"name": "SSD image - Generic",
"description": "Generic copy of an solid state drive",
"creation_date": "2023-11-29T10:28:30.822762"
},
{"id": 16,
"name": "SSD image - DD - Other",
"description": "DD copy of an solid state drive",
"creation_date": "2023-11-29T10:28:30.825339"
},
{"id": 17,
"name": "SSD image - DD - Windows",
"description": "DD copy of an solid state drive",
"creation_date": "2023-11-29T10:28:30.827840"
},
{"id": 18,
"name": "SSD image - DD - Unix",
"description": "DD copy of an solid state drive",
"creation_date": "2023-11-29T10:28:30.830378"
},
{"id": 19,
"name": "SSD image - DD - MacOS",
"description": "DD copy of an solid state drive",
"creation_date": "2023-11-29T10:28:30.832702"
},
{"id": 20,
"name": "SSD image - E01 - Other",
"description": "EO1 copy of a solid state drive",
"creation_date": "2023-11-29T10:28:30.835493"
},
{"id": 21,
"name": "SSD image - E01 - Windows",
"description": "EO1 copy of a solid state drive",
"creation_date": "2023-11-29T10:28:30.838210"
},
{"id": 22,
"name": "SSD image - E01 - Unix",
"description": "EO1 copy of a solid state drive",
"creation_date": "2023-11-29T10:28:30.840994"
},
{"id": 23,
"name": "SSD image - E01 - MacOS",
"description": "EO1 copy of MacOS on a solid state drive",
"creation_date": "2023-11-29T10:28:30.843876"
},
{"id": 24,
"name": "SSD image - AFF4 - Other",
"description": "AFF4 copy of an solid state drive",
"creation_date": "2023-11-29T10:28:30.846797"
},
{"id": 25,
"name": "SSD image - AFF4 - Windows",
"description": "AFF4 copy of an solid state drive",
"creation_date": "2023-11-29T10:28:30.849600"
},
{"id": 26,
"name": "SSD image - AFF4 - Unix",
"description": "AFF4 copy of an solid state drive",
"creation_date": "2023-11-29T10:28:30.852251"
},
{"id": 27,
"name": "SSD image - AFF4 - MacOS",
"description": "AFF4 copy of an solid state drive",
"creation_date": "2023-11-29T10:28:30.855217"
},
{"id": 28,
"name": "VM image - Generic",
"description": "Generic copy of a VM ",
"creation_date": "2023-11-29T10:28:30.858080"
},
{"id": 29,
"name": "VM image - Linux Server",
"description": "Copy of a Linux Server VM",
"creation_date": "2023-11-29T10:28:30.861149"
},
{"id": 30,
"name": "VM image - Windows Server",
"description": "Copy of a Windows Server VM",
"creation_date": "2023-11-29T10:28:30.864715"
},
{"id": 31,
"name": "Phone Image - Android",
"description": "Copy of an Android phone",
"creation_date": "2023-11-29T10:28:30.868405"
},
{"id": 32,
"name": "Phone Image - iPhone",
"description": "Copy of an iPhone",
"creation_date": "2023-11-29T10:28:30.873334"
},
{"id": 33,
"name": "Phone backup - Android (adb)",
"description": "adb backup of an Android",
"creation_date": "2023-11-29T10:28:30.876699"
},
{"id": 34,
"name": "Phone backup - iPhone (iTunes)",
"description": "iTunes backup of an iPhone",
"creation_date": "2023-11-29T10:28:30.879779"
},
{"id": 35,
"name": "Tablet Image - Android",
"description": "Copy of an Android tablet",
"creation_date": "2023-11-29T10:28:30.882645"
},
{"id": 36,
"name": "Tablet Image - iPad",
"description": "Copy of an iPad tablet",
"creation_date": "2023-11-29T10:28:30.885351"
},
{"id": 37,
"name": "Tablet backup - Android (adb)",
"description": "adb backup of an Android tablet",
"creation_date": "2023-11-29T10:28:30.888168"
},
{"id": 38,
"name": "Tablet backup - iPad (iTunes)",
"description": "iTunes backup of an iPad",
"creation_date": "2023-11-29T10:28:30.890747"
},
{"id": 39,
"name": "Collection - Velociraptor",
"description": "Velociraptor collection",
"creation_date": "2023-11-29T10:28:30.893125"
},
{"id": 40,
"name": "Collection - ORC",
"description": "ORC collection",
"creation_date": "2023-11-29T10:28:30.896533"
},
{"id": 41,
"name": "Collection - KAPE",
"description": "KAPE collection",
"creation_date": "2023-11-29T10:28:30.899316"
},
{"id": 42,
"name": "Memory acquisition - Physical RAM",
"description": "Physical RAM acquisition",
"creation_date": "2023-11-29T10:28:30.901923"
},
{"id": 43,
"name": "Memory acquisition - VMEM",
"description": "vmem file",
"creation_date": "2023-11-29T10:28:30.904445"
},
{"id": 44,
"name": "Logs - Linux",
"description": "Standard Linux logs",
"creation_date": "2023-11-29T10:28:30.906868"
},
{"id": 45,
"name": "Logs - Windows EVTX",
"description": "Standard Windows EVTX logs",
"creation_date": "2023-11-29T10:28:30.909559"
},
{"id": 46,
"name": "Logs - Windows EVT",
"description": "Standard Windows EVT logs",
"creation_date": "2023-11-29T10:28:30.912298"
},
{"id": 47,
"name": "Logs - MacOS",
"description": "Standard MacOS logs",
"creation_date": "2023-11-29T10:28:30.915390"
},
{"id": 48,
"name": "Logs - Generic",
"description": "Generic logs",
"creation_date": "2023-11-29T10:28:30.918916"
},
{"id": 49,
"name": "Logs - Firewall",
"description": "Firewall logs",
"creation_date": "2023-11-29T10:28:30.921878"
},
{"id": 50,
"name": "Logs - Proxy",
"description": "Proxy logs",
"creation_date": "2023-11-29T10:28:30.924702"
},
{"id": 51,
"name": "Logs - DNS",
"description": "DNS logs",
"creation_date": "2023-11-29T10:28:30.927599"
},
{"id": 52,
"name": "Logs - Email",
"description": "Email logs",
"creation_date": "2023-11-29T10:28:30.930438"
},
{"id": 53,
"name": "Executable - Windows (PE)",
"description": "Generic Windows executable",
"creation_date": "2023-11-29T10:28:30.933774"
},
{"id": 54,
"name": "Executable - Linux (ELF)",
"description": "Generic Linux executable",
"creation_date": "2023-11-29T10:28:30.936884"
},
{"id": 55,
"name": "Executable - MacOS (Mach-O)",
"description": "Generic MacOS executable",
"creation_date": "2023-11-29T10:28:30.939526"
},
{"id": 56,
"name": "Executable - Generic",
"description": "Generic executable",
"creation_date": "2023-11-29T10:28:30.942070"
},
{"id": 57,
"name": "Script - Generic",
"description": "Generic script",
"creation_date": "2023-11-29T10:28:30.944690"
},
{"id": 58,
"name": "Generic - Data blob",
"description": "Generic blob of data",
"creation_date": "2023-11-29T10:28:30.947365"
}
]
}

Get an evidence type

Get a evidence type from an ID.

Authorizations:

Bearer <bearer>

path Parameters

type_id

required

integer

state ID to fetch

Responses

Response samples

200

Content type

application/json

{"status": "success",
"message": "",
"data": {"state_name": "Unspecified",
"state_description": "Unspecified",
"state_id": 1,
"protected": true
}
}

Add an evidence type

Authorizations:

Bearer <bearer>

Request Body schema: application/json

name required	string
description required	string

Responses

Request samples

Payload

Content type

application/json

{"name": "Evidence Type",
"description": "Superbe Evidence Type"
}

Response samples

200

Content type

application/json

{"status": "success",
"message": "Evidence type added",
"data": {"name": "Evidence Type",
"description": "Superbe Evidence Type",
"id": 59,
"creation_date": "2024-01-10T15:39:50.157298"
}
}

Update an evidence type

Authorizations:

Bearer <bearer>

path Parameters

type_id

required

string

Type ID

Request Body schema: application/json

name	string
description	string

Responses

Request samples

Payload

Content type

application/json

{"name": "Evidence Type",
"description": "Superbe Evidence Type"
}

Response samples

200

Content type

application/json

{"status": "success",
"message": "Evidence type updated",
"data": {"name": "Evidence Type 1",
"description": "Superbe Evidence Type",
"id": 3,
"creation_date": "2023-11-29T10:28:30.768152"
}
}