diff --git a/docs/thehive/api/alert/add-observable.md b/docs/thehive/api/alert/add-observable.md
index e69de29b..b5fd93b9 100644
--- a/docs/thehive/api/alert/add-observable.md
+++ b/docs/thehive/api/alert/add-observable.md
@@ -0,0 +1,38 @@
+# Add observables
+
+Add *Observable* to an *Alert*.
+
+## Query
+
+```plain
+POST /api/alert/{id}/artifact
+```
+
+With:
+
+- `id`: Alert identifier
+
+## Request Body Example
+
+!!! Example ""
+
+ ```json
+
+ ```
+
+
+
+## Response
+
+### Status codes
+
+- `201`: if *Alert* is created successfully
+- `401`: Authentication error
+
+### Response Body Example
+
+!!! Example ""
+
+ ```json
+
+ ```
\ No newline at end of file
diff --git a/docs/thehive/api/alert/delete-observable.md b/docs/thehive/api/alert/delete-observable.md
index e69de29b..920bb53c 100644
--- a/docs/thehive/api/alert/delete-observable.md
+++ b/docs/thehive/api/alert/delete-observable.md
@@ -0,0 +1,20 @@
+# Add observables
+
+Delete an *Observable* from an *Alert*.
+
+## Query
+
+```plain
+DELETE /api/alert/artifact/{id}
+```
+
+With:
+
+- `id`: Observable identifier
+
+## Response
+
+### Status codes
+
+- `204`: if *Observable* is deleted successfully
+- `401`: Authentication error
diff --git a/docs/thehive/api/alert/merge.md b/docs/thehive/api/alert/merge.md
index 8ef270ce..f9bfc928 100644
--- a/docs/thehive/api/alert/merge.md
+++ b/docs/thehive/api/alert/merge.md
@@ -25,62 +25,62 @@ With: !!! Example "" ```json -{ - "_id": "~6658533455", - "id": "~6658533455", - "createdBy": "florian@strangebee.com", - "updatedBy": "florian@strangebee.com", - "createdAt": 1620397519028, - "updatedAt": 1624373852175, - "_type": "case", - "caseId": 114, - "title": "User connected to known malicious IP over Telnet / Malicious payload detected", - "description": "EDR automated alert: the user robb@training.org has connected to known malicious IP over Telnet\n\nEDR automated alert: malicious payload detected on computer PC-Robb\n \n#### Merged with alert #90e044 User posted information on known phishing URL\n\nSIEM automated alert: the user robb@training.org has posted information on a known phishing url", - "severity": 2, - "startDate": 1620396059728, - "endDate": null, - "impactStatus": null, - "resolutionStatus": null, - "tags": [ - "log-source:proxy", - "source:edr", - "log-source:endpoint-protection", - "source:siem", - "protocol: telnet", - "ex2" - ], - "flag": false, - "tlp": 3, - "pap": 2, - "status": "Open", - "summary": null, - "owner": "florian@strangebee.com", - "customFields": { - "businessUnit": { - "string": "Finance", - "order": 0 - }, - "location": { - "string": "Sydney", - "order": 1 + { + "_id": "~6658533455", + "id": "~6658533455", + "createdBy": "florian@strangebee.com", + "updatedBy": "florian@strangebee.com", + "createdAt": 1620397519028, + "updatedAt": 1624373852175, + "_type": "case", + "caseId": 114, + "title": "User connected to known malicious IP over Telnet / Malicious payload detected", + "description": "EDR automated alert: the user robb@training.org has connected to known malicious IP over Telnet\n\nEDR automated alert: malicious payload detected on computer PC-Robb\n \n#### Merged with alert #90e044 User posted information on known phishing URL\n\nSIEM automated alert: the user robb@training.org has posted information on a known phishing url", + "severity": 2, + "startDate": 1620396059728, + "endDate": null, + 
"impactStatus": null, + "resolutionStatus": null, + "tags": [ + "log-source:proxy", + "source:edr", + "log-source:endpoint-protection", + "source:siem", + "protocol: telnet", + "ex2" + ], + "flag": false, + "tlp": 3, + "pap": 2, + "status": "Open", + "summary": null, + "owner": "florian@strangebee.com", + "customFields": { + "businessUnit": { + "string": "Finance", + "order": 0 + }, + "location": { + "string": "Sydney", + "order": 1 + } + }, + "stats": {}, + "permissions": [ + "manageShare", + "manageAnalyse", + "manageTask", + "manageCaseTemplate", + "manageCase", + "manageUser", + "manageProcedure", + "managePage", + "manageObservable", + "manageTag", + "manageConfig", + "manageAlert", + "accessTheHiveFS", + "manageAction" + ] } - }, - "stats": {}, - "permissions": [ - "manageShare", - "manageAnalyse", - "manageTask", - "manageCaseTemplate", - "manageCase", - "manageUser", - "manageProcedure", - "managePage", - "manageObservable", - "manageTag", - "manageConfig", - "manageAlert", - "accessTheHiveFS", - "manageAction" - ] -} ``` \ No newline at end of file diff --git a/docs/thehive/api/alert/run-responder.md b/docs/thehive/api/alert/run-responder.md index e69de29b..c5488766 100644 --- a/docs/thehive/api/alert/run-responder.md +++ b/docs/thehive/api/alert/run-responder.md 
@@ -0,0 +1,55 @@
+# Run Responder
+
+Run a Responder on an *Alert*.
+
+## Query
+
+```plain
+POST /api/connector/cortex/action
+```
+
+
+## Request Body Example
+
+!!! Example ""
+
+ ```json
+ {
+ "responderId": "05521ec727f75d69e828604dc5ae4c03",
+ "objectType": "alert",
+ "objectId": "~947478656"
+ }
+ ```
+
+The following fields are required:
+
+- `responderId`: (String)
+- `objectType`: "alert"
+- `objectId`: (String)
+
+## Response
+
+### Status codes
+
+- `200`: if *Responder* is run successfully
+- `401`: Authentication error
+
+### Response Body Example
+
+!!! Example ""
+
+ ```json
+{
+ "responderId": "05521ec727f75d69e828604dc5ae4bed",
+ "responderName": "JIRA_Create_Ticket_1_0",
+ "responderDefinition": "JIRA_Create_Ticket_1_0",
+ "cortexId": "CORTEX_INTERNAL",
+ "cortexJobId": "_v2EnHsB8Pn57ilsukA3",
+ "objectType": "Alert",
+ "objectId": "~947478656",
+ "status": "Waiting",
+ "startDate": 1630418550145,
+ "operations": "[]",
+ "report": "{}"
+}
+ ```
\ No newline at end of file