CyberProof Platform API v2.21.3
The CyberProof Platform public API, enabling integration with customer systems.
Base URLs:
- https://{tenant}.api.cyberproof.io/api/v1
  - tenant - The name of the tenant. Default: demo
Email: CyberProof API Support
Authentication
- API Key (ApiKeyHeader)
  - Parameter Name: X-API-KEY, in: header.
- API Key (ApiKeyQuery)
  - Parameter Name: apiKey, in: query.
alerts
Alerts APIs
createAlert
Code samples
```shell
curl --request POST \
  --url https://test-api.cyberproof.io/api/v1/alerts \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a' \
  --data '{"name":"Email messages containing malware removed after delivery","sourceId":"345ffe9a","severity":"High","description":"message containing malware are delivered to mailboxes in your organization. Office 365 removed the infected messages from Exchange Online mailboxes.","sourceUrl":"http://10.0.0.90/MySIEM/api/alerts/345ffe9a","raw":{"attributeInitializationInProgress":false,"createdTime":{"day":{"numberInt":"18"},"hour":{"numberInt":"16"},"milliSecond":{"numberInt":"711"},"minute":{"numberInt":"10"},"month":{"numberInt":"6"},"second":{"numberInt":"47"},"timezoneID":"Israel","year":{"numberInt":"2017"}},"createdTimestamp":{"numberDouble":"1500383447711"},"deprecated":false,"description":"ACME","disabled":false,"inCache":true,"inactive":false,"initialized":true,"isAdditionalLoaded":false,"localID":{"numberDouble":"30064798760"},"modificationCount":{"numberInt":"1"}},"classification":"Authentication","observables":[{"type":"IPv4 Address","value":"192.168.40.45","tags":["Cloud-Computing","Virus","Phishing"],"extraProperties":{"property1":{"value":"aaa-bbcc","type":"WeakIdentifier"},"property2":{"value":"aaa-bbcc","type":"WeakIdentifier"}},"relatedExtraProperties":{"property1":{"sha":256,"type":"WeakIdentifier"},"property2":{"sha":256,"type":"WeakIdentifier"}}}],"useCase":"UC216 - EPP - Persistent Malware","company":"ACME","tags":["Cloud-Computing","Virus","Phishing"],"categories":["Ransomware","Phishing"],"detectionRule":"WRONG_PASSWORD_3_ATTEMPTS","alertType":"CTI-Landscape","threatType":"Phishing","threatActors":["Cyber Criminals","Anonymous"],"malwareTools":["TrickBot","IcedID","Cobalt Strike"],"ctiSourceUrls":["https://blog.malwarebytes.com/someTopic"],"recommendations":"Implement the attached IOCs in your security systems.","killChain":["Reconnaissance","Weaponization","Delivery"],"mitreAttacks":["T1003","T1001","T1595.001"]}'
```

```javascript
fetch("https://test-api.cyberproof.io/api/v1/alerts", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
    "Accept": "application/json",
    "X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
  },
  body: JSON.stringify({"name":"Email messages containing malware removed after delivery","sourceId":"345ffe9a","severity":"High","description":"message containing malware are delivered to mailboxes in your organization. Office 365 removed the infected messages from Exchange Online mailboxes.","sourceUrl":"http://10.0.0.90/MySIEM/api/alerts/345ffe9a","raw":{"attributeInitializationInProgress":false,"createdTime":{"day":{"numberInt":"18"},"hour":{"numberInt":"16"},"milliSecond":{"numberInt":"711"},"minute":{"numberInt":"10"},"month":{"numberInt":"6"},"second":{"numberInt":"47"},"timezoneID":"Israel","year":{"numberInt":"2017"}},"createdTimestamp":{"numberDouble":"1500383447711"},"deprecated":false,"description":"ACME","disabled":false,"inCache":true,"inactive":false,"initialized":true,"isAdditionalLoaded":false,"localID":{"numberDouble":"30064798760"},"modificationCount":{"numberInt":"1"}},"classification":"Authentication","observables":[{"type":"IPv4 Address","value":"192.168.40.45","tags":["Cloud-Computing","Virus","Phishing"],"extraProperties":{"property1":{"value":"aaa-bbcc","type":"WeakIdentifier"},"property2":{"value":"aaa-bbcc","type":"WeakIdentifier"}},"relatedExtraProperties":{"property1":{"sha":256,"type":"WeakIdentifier"},"property2":{"sha":256,"type":"WeakIdentifier"}}}],"useCase":"UC216 - EPP - Persistent Malware","company":"ACME","tags":["Cloud-Computing","Virus","Phishing"],"categories":["Ransomware","Phishing"],"detectionRule":"WRONG_PASSWORD_3_ATTEMPTS","alertType":"CTI-Landscape","threatType":"Phishing","threatActors":["Cyber Criminals","Anonymous"],"malwareTools":["TrickBot","IcedID","Cobalt Strike"],"ctiSourceUrls":["https://blog.malwarebytes.com/someTopic"],"recommendations":"Implement the attached IOCs in your security systems.","killChain":["Reconnaissance","Weaponization","Delivery"],"mitreAttacks":["T1003","T1001","T1595.001"]})
})
  .then(response => {
    console.log(response);
  })
  .catch(err => {
    console.error(err);
  });
```

```python
import http.client

conn = http.client.HTTPSConnection("test-api.cyberproof.io")

payload = '''{"name":"Email messages containing malware removed after delivery","sourceId":"345ffe9a","severity":"High","description":"message containing malware are delivered to mailboxes in your organization. Office 365 removed the infected messages from Exchange Online mailboxes.","sourceUrl":"http://10.0.0.90/MySIEM/api/alerts/345ffe9a","raw":{"attributeInitializationInProgress":false,"createdTime":{"day":{"numberInt":"18"},"hour":{"numberInt":"16"},"milliSecond":{"numberInt":"711"},"minute":{"numberInt":"10"},"month":{"numberInt":"6"},"second":{"numberInt":"47"},"timezoneID":"Israel","year":{"numberInt":"2017"}},"createdTimestamp":{"numberDouble":"1500383447711"},"deprecated":false,"description":"ACME","disabled":false,"inCache":true,"inactive":false,"initialized":true,"isAdditionalLoaded":false,"localID":{"numberDouble":"30064798760"},"modificationCount":{"numberInt":"1"}},"classification":"Authentication","observables":[{"type":"IPv4 Address","value":"192.168.40.45","tags":["Cloud-Computing","Virus","Phishing"],"extraProperties":{"property1":{"value":"aaa-bbcc","type":"WeakIdentifier"},"property2":{"value":"aaa-bbcc","type":"WeakIdentifier"}},"relatedExtraProperties":{"property1":{"sha":256,"type":"WeakIdentifier"},"property2":{"sha":256,"type":"WeakIdentifier"}}}],"useCase":"UC216 - EPP - Persistent Malware","company":"ACME","tags":["Cloud-Computing","Virus","Phishing"],"categories":["Ransomware","Phishing"],"detectionRule":"WRONG_PASSWORD_3_ATTEMPTS","alertType":"CTI-Landscape","threatType":"Phishing","threatActors":["Cyber Criminals","Anonymous"],"malwareTools":["TrickBot","IcedID","Cobalt Strike"],"ctiSourceUrls":["https://blog.malwarebytes.com/someTopic"],"recommendations":"Implement the attached IOCs in your security systems.","killChain":["Reconnaissance","Weaponization","Delivery"],"mitreAttacks":["T1003","T1001","T1595.001"]}'''

headers = {
    'Content-Type': "application/json",
    'Accept': "application/json",
    'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}

conn.request("POST", "/api/v1/alerts", payload, headers)

res = conn.getresponse()
data = res.read()

print(data.decode("utf-8"))
```

```go
package main

import (
    "fmt"
    "io"
    "net/http"
    "strings"
)

func main() {
    url := "https://test-api.cyberproof.io/api/v1/alerts"

    payload := strings.NewReader(`{"name":"Email messages containing malware removed after delivery","sourceId":"345ffe9a","severity":"High","description":"message containing malware are delivered to mailboxes in your organization. Office 365 removed the infected messages from Exchange Online mailboxes.","sourceUrl":"http://10.0.0.90/MySIEM/api/alerts/345ffe9a","raw":{"attributeInitializationInProgress":false,"createdTime":{"day":{"numberInt":"18"},"hour":{"numberInt":"16"},"milliSecond":{"numberInt":"711"},"minute":{"numberInt":"10"},"month":{"numberInt":"6"},"second":{"numberInt":"47"},"timezoneID":"Israel","year":{"numberInt":"2017"}},"createdTimestamp":{"numberDouble":"1500383447711"},"deprecated":false,"description":"ACME","disabled":false,"inCache":true,"inactive":false,"initialized":true,"isAdditionalLoaded":false,"localID":{"numberDouble":"30064798760"},"modificationCount":{"numberInt":"1"}},"classification":"Authentication","observables":[{"type":"IPv4 Address","value":"192.168.40.45","tags":["Cloud-Computing","Virus","Phishing"],"extraProperties":{"property1":{"value":"aaa-bbcc","type":"WeakIdentifier"},"property2":{"value":"aaa-bbcc","type":"WeakIdentifier"}},"relatedExtraProperties":{"property1":{"sha":256,"type":"WeakIdentifier"},"property2":{"sha":256,"type":"WeakIdentifier"}}}],"useCase":"UC216 - EPP - Persistent Malware","company":"ACME","tags":["Cloud-Computing","Virus","Phishing"],"categories":["Ransomware","Phishing"],"detectionRule":"WRONG_PASSWORD_3_ATTEMPTS","alertType":"CTI-Landscape","threatType":"Phishing","threatActors":["Cyber Criminals","Anonymous"],"malwareTools":["TrickBot","IcedID","Cobalt Strike"],"ctiSourceUrls":["https://blog.malwarebytes.com/someTopic"],"recommendations":"Implement the attached IOCs in your security systems.","killChain":["Reconnaissance","Weaponization","Delivery"],"mitreAttacks":["T1003","T1001","T1595.001"]}`)

    req, err := http.NewRequest("POST", url, payload)
    if err != nil {
        panic(err)
    }
    req.Header.Add("Content-Type", "application/json")
    req.Header.Add("Accept", "application/json")
    req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")

    res, err := http.DefaultClient.Do(req)
    if err != nil {
        panic(err)
    }
    defer res.Body.Close()

    body, err := io.ReadAll(res.Body)
    if err != nil {
        panic(err)
    }

    fmt.Println(res.Status)
    fmt.Println(string(body))
}
```

```csharp
var client = new HttpClient();
var request = new HttpRequestMessage
{
    Method = HttpMethod.Post,
    RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/alerts"),
    Headers =
    {
        { "Accept", "application/json" },
        { "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
    },
    Content = new StringContent("{\"name\":\"Email messages containing malware removed after delivery\",\"sourceId\":\"345ffe9a\",\"severity\":\"High\",\"description\":\"message containing malware are delivered to mailboxes in your organization. Office 365 removed the infected messages from Exchange Online mailboxes.\",\"sourceUrl\":\"http://10.0.0.90/MySIEM/api/alerts/345ffe9a\",\"raw\":{\"attributeInitializationInProgress\":false,\"createdTime\":{\"day\":{\"numberInt\":\"18\"},\"hour\":{\"numberInt\":\"16\"},\"milliSecond\":{\"numberInt\":\"711\"},\"minute\":{\"numberInt\":\"10\"},\"month\":{\"numberInt\":\"6\"},\"second\":{\"numberInt\":\"47\"},\"timezoneID\":\"Israel\",\"year\":{\"numberInt\":\"2017\"}},\"createdTimestamp\":{\"numberDouble\":\"1500383447711\"},\"deprecated\":false,\"description\":\"ACME\",\"disabled\":false,\"inCache\":true,\"inactive\":false,\"initialized\":true,\"isAdditionalLoaded\":false,\"localID\":{\"numberDouble\":\"30064798760\"},\"modificationCount\":{\"numberInt\":\"1\"}},\"classification\":\"Authentication\",\"observables\":[{\"type\":\"IPv4 Address\",\"value\":\"192.168.40.45\",\"tags\":[\"Cloud-Computing\",\"Virus\",\"Phishing\"],\"extraProperties\":{\"property1\":{\"value\":\"aaa-bbcc\",\"type\":\"WeakIdentifier\"},\"property2\":{\"value\":\"aaa-bbcc\",\"type\":\"WeakIdentifier\"}},\"relatedExtraProperties\":{\"property1\":{\"sha\":256,\"type\":\"WeakIdentifier\"},\"property2\":{\"sha\":256,\"type\":\"WeakIdentifier\"}}}],\"useCase\":\"UC216 - EPP - Persistent Malware\",\"company\":\"ACME\",\"tags\":[\"Cloud-Computing\",\"Virus\",\"Phishing\"],\"categories\":[\"Ransomware\",\"Phishing\"],\"detectionRule\":\"WRONG_PASSWORD_3_ATTEMPTS\",\"alertType\":\"CTI-Landscape\",\"threatType\":\"Phishing\",\"threatActors\":[\"Cyber Criminals\",\"Anonymous\"],\"malwareTools\":[\"TrickBot\",\"IcedID\",\"Cobalt Strike\"],\"ctiSourceUrls\":[\"https://blog.malwarebytes.com/someTopic\"],\"recommendations\":\"Implement the attached IOCs in your security systems.\",\"killChain\":[\"Reconnaissance\",\"Weaponization\",\"Delivery\"],\"mitreAttacks\":[\"T1003\",\"T1001\",\"T1595.001\"]}")
    {
        Headers =
        {
            ContentType = new MediaTypeHeaderValue("application/json")
        }
    }
};
using (var response = await client.SendAsync(request))
{
    response.EnsureSuccessStatusCode();
    var body = await response.Content.ReadAsStringAsync();
    Console.WriteLine(body);
}
```

```java
HttpResponse<String> response = Unirest.post("https://test-api.cyberproof.io/api/v1/alerts")
  .header("Content-Type", "application/json")
  .header("Accept", "application/json")
  .header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
  .body("{\"name\":\"Email messages containing malware removed after delivery\",\"sourceId\":\"345ffe9a\",\"severity\":\"High\",\"description\":\"message containing malware are delivered to mailboxes in your organization. Office 365 removed the infected messages from Exchange Online mailboxes.\",\"sourceUrl\":\"http://10.0.0.90/MySIEM/api/alerts/345ffe9a\",\"raw\":{\"attributeInitializationInProgress\":false,\"createdTime\":{\"day\":{\"numberInt\":\"18\"},\"hour\":{\"numberInt\":\"16\"},\"milliSecond\":{\"numberInt\":\"711\"},\"minute\":{\"numberInt\":\"10\"},\"month\":{\"numberInt\":\"6\"},\"second\":{\"numberInt\":\"47\"},\"timezoneID\":\"Israel\",\"year\":{\"numberInt\":\"2017\"}},\"createdTimestamp\":{\"numberDouble\":\"1500383447711\"},\"deprecated\":false,\"description\":\"ACME\",\"disabled\":false,\"inCache\":true,\"inactive\":false,\"initialized\":true,\"isAdditionalLoaded\":false,\"localID\":{\"numberDouble\":\"30064798760\"},\"modificationCount\":{\"numberInt\":\"1\"}},\"classification\":\"Authentication\",\"observables\":[{\"type\":\"IPv4 Address\",\"value\":\"192.168.40.45\",\"tags\":[\"Cloud-Computing\",\"Virus\",\"Phishing\"],\"extraProperties\":{\"property1\":{\"value\":\"aaa-bbcc\",\"type\":\"WeakIdentifier\"},\"property2\":{\"value\":\"aaa-bbcc\",\"type\":\"WeakIdentifier\"}},\"relatedExtraProperties\":{\"property1\":{\"sha\":256,\"type\":\"WeakIdentifier\"},\"property2\":{\"sha\":256,\"type\":\"WeakIdentifier\"}}}],\"useCase\":\"UC216 - EPP - Persistent Malware\",\"company\":\"ACME\",\"tags\":[\"Cloud-Computing\",\"Virus\",\"Phishing\"],\"categories\":[\"Ransomware\",\"Phishing\"],\"detectionRule\":\"WRONG_PASSWORD_3_ATTEMPTS\",\"alertType\":\"CTI-Landscape\",\"threatType\":\"Phishing\",\"threatActors\":[\"Cyber Criminals\",\"Anonymous\"],\"malwareTools\":[\"TrickBot\",\"IcedID\",\"Cobalt Strike\"],\"ctiSourceUrls\":[\"https://blog.malwarebytes.com/someTopic\"],\"recommendations\":\"Implement the attached IOCs in your security systems.\",\"killChain\":[\"Reconnaissance\",\"Weaponization\",\"Delivery\"],\"mitreAttacks\":[\"T1003\",\"T1001\",\"T1595.001\"]}")
  .asString();
```
POST /alerts
Creates a new alert in CDC.
This operation is idempotent: if the client provides a sourceId which already exists in CDC, the operation succeeds with UPSERT semantics (the existing alert is updated rather than duplicated).
NOTE: The maximum request size is 2 MB.
Body parameter
{
"name": "Email messages containing malware removed after delivery",
"sourceId": "345ffe9a",
"severity": "High",
"description": "message containing malware are delivered to mailboxes in your organization. Office 365 removed the infected messages from Exchange Online mailboxes.",
"sourceUrl": "http://10.0.0.90/MySIEM/api/alerts/345ffe9a",
"raw": {
"attributeInitializationInProgress": false,
"createdTime": {
"day": {
"numberInt": "18"
},
"hour": {
"numberInt": "16"
},
"milliSecond": {
"numberInt": "711"
},
"minute": {
"numberInt": "10"
},
"month": {
"numberInt": "6"
},
"second": {
"numberInt": "47"
},
"timezoneID": "Israel",
"year": {
"numberInt": "2017"
}
},
"createdTimestamp": {
"numberDouble": "1500383447711"
},
"deprecated": false,
"description": "ACME",
"disabled": false,
"inCache": true,
"inactive": false,
"initialized": true,
"isAdditionalLoaded": false,
"localID": {
"numberDouble": "30064798760"
},
"modificationCount": {
"numberInt": "1"
}
},
"classification": "Authentication",
"observables": [
{
"type": "IPv4 Address",
"value": "192.168.40.45",
"tags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"extraProperties": {
"property1": {
"value": "aaa-bbcc",
"type": "WeakIdentifier"
},
"property2": {
"value": "aaa-bbcc",
"type": "WeakIdentifier"
}
},
"relatedExtraProperties": {
"property1": {
"sha": 256,
"type": "WeakIdentifier"
},
"property2": {
"sha": 256,
"type": "WeakIdentifier"
}
}
}
],
"useCase": "UC216 - EPP - Persistent Malware",
"company": "ACME",
"tags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"categories": [
"Ransomware",
"Phishing"
],
"detectionRule": "WRONG_PASSWORD_3_ATTEMPTS",
"alertType": "CTI-Landscape",
"threatType": "Phishing",
"threatActors": [
"Cyber Criminals",
"Anonymous"
],
"malwareTools": [
"TrickBot",
"IcedID",
"Cobalt Strike"
],
"ctiSourceUrls": [
"https://blog.malwarebytes.com/someTopic"
],
"recommendations": "Implement the attached IOCs in your security systems.",
"killChain": [
"Reconnaissance",
"Weaponization",
"Delivery"
],
"mitreAttacks": [
"T1003",
"T1001",
"T1595.001"
]
}
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| body | body | CreateAlertRequest | true | none |
Example responses
201 Response
{
"id": "5e7c6cf54b832e0018f191ad",
"source": "QRadar",
"sourceId": 296,
"score": 33.2,
"name": "Windows - Multiple failed logins same user same host",
"description": "Customer Name - AcmeCo\nAlert Name - Windows - Multiple failed logins same user same host\nDevice Vendor - Microsoft\nDevice Product - Microsoft Windows\nDevice Event Class Id - rule:105\n",
"severity": "Medium",
"created": "2019-08-24T14:15:22Z",
"modified": "2019-08-24T14:15:22Z",
"detected": "2019-08-24T14:15:22Z",
"status": "In Incident",
"sourceUrl": "https://192.168.41.164/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=296",
"company": "ACME Europe",
"useCase": "UC216 - EPP - Persistent Malware",
"tags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"classification": "Authentication",
"observableTags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"categories": [
"Ransomware",
"Phishing"
],
"detectionRule": "WRONG_PASSWORD_3_ATTEMPTS",
"killChain": [
"Reconnaissance",
"Weaponization",
"Delivery"
],
"mitreAttacks": [
"T1003",
"T1001",
"T1595.001"
],
"alertType": "CTI-Landscape",
"threatType": "Phishing"
}
Responses
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 201 | Created | The alert has been created | AlertSummary |
| 400 | Bad Request | The request is invalid | None |
| 401 | Unauthorized | Authentication failure | None |
| 403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
| 413 | Payload Too Large | The payload sent by the client exceeds the size limits imposed by the server | None |
| 429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate limiting policy of the server. | None |
| 500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
| 502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
| 503 | Service Unavailable | The server cannot handle the request at the moment | None |
| 504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
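A client-side wrapper for POST /alerts, added here as an example and not part of CyberProof's documentation or SDK: it enforces the documented 2 MB request limit before sending, puts the key in the X-API-KEY header (the apiKey query variant ends up in proxy and web-server logs), retries only on 429 and 5xx, and uses a constructed in-memory stand-in for the endpoint to show the documented UPSERT behaviour when the same sourceId is sent twice. The Retry-After handling, the fake's response shape and the `demo-key` value are assumptions, not documented behaviour.

```python
import json
import time

MAX_REQUEST_BYTES = 2 * 1024 * 1024  # documented request limit for POST /alerts


class AlertTooLarge(ValueError):
    """Raised before sending, instead of letting the server answer 413."""


def build_create_alert_request(tenant, api_key, alert):
    """Serialise an alert for POST /alerts and enforce the 2 MB limit up front.

    The key goes in the X-API-KEY header, not the apiKey query parameter:
    query strings are routinely written to proxy and web-server logs.
    """
    body = json.dumps(alert, separators=(",", ":")).encode("utf-8")
    if len(body) > MAX_REQUEST_BYTES:
        raise AlertTooLarge(f"serialised alert is {len(body)} bytes, limit is {MAX_REQUEST_BYTES}")
    url = f"https://{tenant}.api.cyberproof.io/api/v1/alerts"
    headers = {
        "Content-Type": "application/json",
        "Accept": "application/json",
        "X-API-KEY": api_key,
    }
    return url, headers, body


def create_alert(tenant, api_key, alert, send, max_attempts=5, sleep=time.sleep):
    """POST one alert; retry only on 429 (throttled) and 5xx.

    send(url, headers, body) is an injectable transport returning
    (status, response_headers, response_body). 400/401/403/413 are not
    retried: the request itself is wrong and resending cannot fix it.
    """
    url, headers, body = build_create_alert_request(tenant, api_key, alert)
    delay = 1.0
    for attempt in range(1, max_attempts + 1):
        status, resp_headers, resp_body = send(url, headers, body)
        if status == 201:
            return json.loads(resp_body)
        if not (status == 429 or 500 <= status <= 504) or attempt == max_attempts:
            raise RuntimeError(f"POST /alerts failed with HTTP {status}: {resp_body[:200]!r}")
        # Assumption: honour a Retry-After header (seconds) when present, otherwise
        # back off exponentially; the page only says "back off and retry later".
        sleep(float(resp_headers.get("Retry-After", delay)))
        delay = min(delay * 2, 60.0)


class FakeCdc:
    """Constructed stand-in for POST /alerts (not the real service).

    Throttles the first `throttle_first` calls with 429, then upserts by
    sourceId: resending the same sourceId updates the stored alert and
    returns the same CDC id instead of creating a duplicate.
    """

    def __init__(self, throttle_first=1):
        self.store = {}
        self.calls = 0
        self.throttle_left = throttle_first

    def send(self, url, headers, body):
        self.calls += 1
        if headers.get("X-API-KEY") != "demo-key":  # assumed demo credential
            return 401, {}, b'{"message":"Authentication failure"}'
        if self.throttle_left > 0:
            self.throttle_left -= 1
            return 429, {"Retry-After": "0"}, b"throttled"
        alert = json.loads(body)
        # setdefault evaluates the new id before inserting, so an existing
        # sourceId keeps the id it was first given (UPSERT).
        record = self.store.setdefault(alert["sourceId"], {"id": f"cdc-{len(self.store) + 1}"})
        record.update(sourceId=alert["sourceId"], name=alert["name"], severity=alert["severity"])
        return 201, {}, json.dumps(record).encode("utf-8")


def demo():
    """Send the page's sample alert twice, the second time with a changed severity."""
    server = FakeCdc()
    alert = {  # constructed from the Body parameter example above, trimmed
        "name": "Email messages containing malware removed after delivery",
        "sourceId": "345ffe9a",
        "severity": "High",
        "sourceUrl": "http://10.0.0.90/MySIEM/api/alerts/345ffe9a",
    }
    no_sleep = lambda seconds: None  # keep the demo instant
    first = create_alert("demo", "demo-key", alert, server.send, sleep=no_sleep)
    second = create_alert("demo", "demo-key", dict(alert, severity="Medium"), server.send, sleep=no_sleep)
    return server, first, second
```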
queryAlerts
Code samples
```shell
curl --request GET \
  --url https://test-api.cyberproof.io/api/v1/alerts \
  --header 'Accept: application/json' \
  --header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a'
```

```javascript
fetch("https://test-api.cyberproof.io/api/v1/alerts", {
  method: "GET",
  headers: {
    "Accept": "application/json",
    "X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
  }
})
  .then(response => {
    console.log(response);
  })
  .catch(err => {
    console.error(err);
  });
```

```python
import http.client

conn = http.client.HTTPSConnection("test-api.cyberproof.io")

headers = {
    'Accept': "application/json",
    'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}

conn.request("GET", "/api/v1/alerts", headers=headers)

res = conn.getresponse()
data = res.read()

print(data.decode("utf-8"))
```

```go
package main

import (
    "fmt"
    "io"
    "net/http"
)

func main() {
    url := "https://test-api.cyberproof.io/api/v1/alerts"

    req, err := http.NewRequest("GET", url, nil)
    if err != nil {
        panic(err)
    }
    req.Header.Add("Accept", "application/json")
    req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")

    res, err := http.DefaultClient.Do(req)
    if err != nil {
        panic(err)
    }
    defer res.Body.Close()

    body, err := io.ReadAll(res.Body)
    if err != nil {
        panic(err)
    }

    fmt.Println(res.Status)
    fmt.Println(string(body))
}
```

```csharp
var client = new HttpClient();
var request = new HttpRequestMessage
{
    Method = HttpMethod.Get,
    RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/alerts"),
    Headers =
    {
        { "Accept", "application/json" },
        { "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
    },
};
using (var response = await client.SendAsync(request))
{
    response.EnsureSuccessStatusCode();
    var body = await response.Content.ReadAsStringAsync();
    Console.WriteLine(body);
}
```

```java
HttpResponse<String> response = Unirest.get("https://test-api.cyberproof.io/api/v1/alerts")
  .header("Accept", "application/json")
  .header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
  .asString();
```
GET /alerts
Queries alerts based on filters provided by the client. For synchronization purposes, the updatedAfter filter option should be used.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| marker | query | string(byte) | false | A continuation token, used to retrieve the next results page. |
| updatedBefore | query | string(date-time) | false | Include only those which were updated before the specified timestamp (exclusive) |
| updatedAfter | query | string(date-time) | false | Include only those which were updated after or at the specified timestamp (inclusive) |
| detectedBefore | query | string(date-time) | false | Include only those which were detected before the specified timestamp (exclusive) |
| detectedAfter | query | string(date-time) | false | Include only those which were detected after the specified timestamp (inclusive) |
| status | query | array[string] | false | Filter alerts by status |
| severity | query | array[string] | false | Filter alerts by severity |
| company | query | string | false | Filter alerts by company |
| source | query | string | false | Filters alerts by their source system. |
| sourceId | query | string | false | When combined with the source parameter - finds an alert by its source ID (the ID as defined by the SIEM). |
| useCase | query | string | false | Filters alerts by their use case. |
| observableType | query | string | false | Filters alerts by observable: only alerts linked to the specified observable will be returned. |
| observableValue | query | string | false | Filters alerts by observable: only alerts linked to the specified observable will be returned. |
| alertType | query | array[string] | false | Filter alerts by their type |
| threatType | query | array[string] | false | Filter alerts by threat types |
| tags | query | array[string] | false | Filters alerts by tags. |
| tagsCondition | query | string | false | If tags contains multiple items, determines the query predicate (any or all) |
| observableTags | query | array[string] | false | Filters alerts by observable tags. |
| observableTagsCondition | query | string | false | If observableTags contains multiple items, determines the query predicate (any or all) |
| threatActors | query | array[string] | false | Filters alerts by threat actors. |
| threatActorsCondition | query | string | false | If threatActors contains multiple items, determines the query predicate (any or all) |
| malwareTools | query | array[string] | false | Filters alerts by malware and tools. |
| malwareToolsCondition | query | string | false | If malwareTools contains multiple items, determines the query predicate (any or all) |
Detailed descriptions
source: Filters alerts by their source system. Often combined with the sourceId parameter, in order to find an alert by its external ID.
sourceId: When combined with the source parameter, finds an alert by its source ID (the ID as defined by the SIEM). If sourceId is specified but source is not, the query fails and returns 400 (Bad Request).
observableType: Filters alerts by observable: only alerts linked to the specified observable will be returned.
This parameter specifies the observable's type, and it must be combined with the observableValue parameter.
observableValue: Filters alerts by observable: only alerts linked to the specified observable will be returned.
This parameter specifies the observable's value, and it must be combined with the observableType parameter.
tags: Filters alerts by tags.
Note: if more than one tag is specified, the client must specify the tagsCondition (otherwise the server will return 400 Bad Request).
tagsCondition: If tags contains multiple items, determines the query predicate:
- any: returns results which contain at least one of the specified tags
- all: returns results which contain all of the specified tags
observableTags: Filters alerts by observable tags.
Note: if more than one tag is specified, the client must specify the observableTagsCondition (otherwise the server will return 400 Bad Request).
observableTagsCondition: If observableTags contains multiple items, determines the query predicate:
- any: returns results which contain at least one of the specified tags
- all: returns results which contain all of the specified tags
threatActors: Filters alerts by threat actors. Note: if more than one value is specified, the client must specify the threatActorsCondition (otherwise the server will return 400 Bad Request).
threatActorsCondition: If threatActors contains multiple items, determines the query predicate:
- any: returns results which contain at least one of the specified values
- all: returns results which contain all of the specified values
malwareTools: Filters alerts by malware and tools. Note: if more than one value is specified, the client must specify the malwareToolsCondition (otherwise the server will return 400 Bad Request).
malwareToolsCondition: If malwareTools contains multiple items, determines the query predicate:
- any: returns results which contain at least one of the specified values
- all: returns results which contain all of the specified values
Enumerated Values
| Parameter | Value |
|---|---|
| alertType | General |
| alertType | CTI-Assetbased |
| alertType | CTI-Landscape |
| tagsCondition | any |
| tagsCondition | all |
| observableTagsCondition | any |
| observableTagsCondition | all |
| threatActorsCondition | any |
| threatActorsCondition | all |
| malwareToolsCondition | any |
| malwareToolsCondition | all |
Example responses
200 Response
{
"nextMarker": "string",
"results": [
{
"id": "5e7c6cf54b832e0018f191ad",
"source": "QRadar",
"sourceId": 296,
"score": 33.2,
"name": "Windows - Multiple failed logins same user same host",
"description": "Customer Name - AcmeCo\nAlert Name - Windows - Multiple failed logins same user same host\nDevice Vendor - Microsoft\nDevice Product - Microsoft Windows\nDevice Event Class Id - rule:105\n",
"severity": "Medium",
"created": "2019-08-24T14:15:22Z",
"modified": "2019-08-24T14:15:22Z",
"detected": "2019-08-24T14:15:22Z",
"status": "In Incident",
"sourceUrl": "https://192.168.41.164/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=296",
"company": "ACME Europe",
"useCase": "UC216 - EPP - Persistent Malware",
"tags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"classification": "Authentication",
"observableTags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"categories": [
"Ransomware",
"Phishing"
],
"detectionRule": "WRONG_PASSWORD_3_ATTEMPTS",
"killChain": [
"Reconnaissance",
"Weaponization",
"Delivery"
],
"mitreAttacks": [
"T1003",
"T1001",
"T1595.001"
],
"alertType": "CTI-Landscape",
"threatType": "Phishing"
}
]
}
Responses
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | A JSON object containing the results and additional information | AlertsQueryResults |
| 400 | Bad Request | The request is invalid | None |
| 401 | Unauthorized | Authentication failure | None |
| 403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
| 413 | Payload Too Large | The payload sent by the client exceeds the size limits imposed by the server | None |
| 429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate limiting policy of the server. | None |
| 500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
| 502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
| 503 | Service Unavailable | The server cannot handle the request at the moment | None |
| 504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
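An incremental sync against GET /alerts, added as an example and not the vendor's code: it applies the documented parameter rules client-side before the server has to answer 400 (sourceId needs source, observableType and observableValue go together, a multi-valued tags/observableTags/threatActors/malwareTools needs its Condition parameter), follows nextMarker page by page, and carries forward an updatedAfter watermark taken from the newest modified value seen, which is the synchronization pattern the endpoint description recommends. Assumed, not documented: array parameters are sent as repeated keys, the last page omits nextMarker, and FakeAlertsApi with its offset-based markers and `demo-key` is a constructed stand-in for the service.

```python
import json
from urllib.parse import parse_qs, urlencode

# Multi-valued filters and the Condition parameter each one requires (see Detailed descriptions).
MULTI_VALUE_FILTERS = {
    "tags": "tagsCondition",
    "observableTags": "observableTagsCondition",
    "threatActors": "threatActorsCondition",
    "malwareTools": "malwareToolsCondition",
}


def build_query(filters):
    """Validate GET /alerts filters against the documented rules, then URL-encode them.

    Each rule is one the server otherwise rejects with 400 Bad Request.
    """
    f = dict(filters)
    if "sourceId" in f and "source" not in f:
        raise ValueError("sourceId requires source")
    if ("observableType" in f) != ("observableValue" in f):
        raise ValueError("observableType and observableValue must be given together")
    for name, condition in MULTI_VALUE_FILTERS.items():
        values = f.get(name)
        if isinstance(values, (list, tuple)) and len(values) > 1 and f.get(condition) not in ("any", "all"):
            raise ValueError(f"{name} has {len(values)} values, so {condition} must be 'any' or 'all'")
    # Assumption: array parameters are sent as repeated keys (tags=a&tags=b).
    return urlencode(f, doseq=True)


def sync_alerts(api_key, fetch, updated_after, filters=None, max_pages=1000):
    """Pull every alert modified at or after updated_after, following nextMarker.

    fetch(path, headers) is an injectable transport returning (status, body_bytes).
    Returns (alerts, watermark); persist the watermark and pass it back as
    updated_after on the next run. updatedAfter is inclusive, so an alert modified
    exactly at the watermark is returned again: results are keyed by id to absorb that.
    """
    params = dict(filters or {}, updatedAfter=updated_after)
    headers = {"Accept": "application/json", "X-API-KEY": api_key}
    seen, watermark, marker = {}, updated_after, None
    for _ in range(max_pages):
        if marker:
            params["marker"] = marker
        status, body = fetch("/api/v1/alerts?" + build_query(params), headers)
        if status != 200:
            raise RuntimeError(f"GET /alerts failed with HTTP {status}")
        page = json.loads(body)
        for alert in page["results"]:
            seen[alert["id"]] = alert
            if alert["modified"] > watermark:  # ISO-8601 UTC strings compare lexically
                watermark = alert["modified"]
        marker = page.get("nextMarker")  # assumption: absent on the last page
        if not marker:
            return list(seen.values()), watermark
    raise RuntimeError(f"still paging after {max_pages} pages, giving up")


class FakeAlertsApi:
    """Constructed stand-in for GET /alerts: serves a fixed list a page at a time,
    using plain offsets as markers (the real marker is an opaque token)."""

    def __init__(self, alerts, page_size=2):
        self.alerts = sorted(alerts, key=lambda a: a["modified"])
        self.page_size = page_size
        self.requests = []

    def fetch(self, path, headers):
        self.requests.append(path)
        if headers.get("X-API-KEY") != "demo-key":  # assumed demo credential
            return 401, b'{"message":"Authentication failure"}'
        query = parse_qs(path.split("?", 1)[1])
        rows = [a for a in self.alerts if a["modified"] >= query["updatedAfter"][0]]
        start = int(query.get("marker", ["0"])[0])
        page = {"results": rows[start:start + self.page_size]}
        if start + self.page_size < len(rows):
            page["nextMarker"] = str(start + self.page_size)
        return 200, json.dumps(page).encode("utf-8")


# Constructed sample records in the shape of the 200 response above (fields trimmed).
SAMPLE_ALERTS = [
    {"id": "a1", "modified": "2019-08-24T14:15:22Z", "severity": "Medium"},
    {"id": "a2", "modified": "2019-08-25T09:00:00Z", "severity": "High"},
    {"id": "a3", "modified": "2019-08-26T10:30:00Z", "severity": "High"},
    {"id": "a4", "modified": "2019-08-27T08:00:00Z", "severity": "Medium"},
    {"id": "a5", "modified": "2019-08-27T08:00:00Z", "severity": "High"},
]


def demo():
    """Sync everything modified since 2019-08-25; a1 is older and must be skipped."""
    api = FakeAlertsApi(SAMPLE_ALERTS)
    alerts, watermark = sync_alerts("demo-key", api.fetch, "2019-08-25T00:00:00Z")
    return api, alerts, watermark
```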
getAlert
Code samples
```shell
curl --request GET \
  --url https://test-api.cyberproof.io/api/v1/alerts/5a9e19eebdee5a000a8fe060 \
  --header 'Accept: application/json' \
  --header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a'
```

```javascript
fetch("https://test-api.cyberproof.io/api/v1/alerts/5a9e19eebdee5a000a8fe060", {
  method: "GET",
  headers: {
    "Accept": "application/json",
    "X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
  }
})
  .then(response => {
    console.log(response);
  })
  .catch(err => {
    console.error(err);
  });
```

```python
import http.client

conn = http.client.HTTPSConnection("test-api.cyberproof.io")

headers = {
    'Accept': "application/json",
    'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}

conn.request("GET", "/api/v1/alerts/5a9e19eebdee5a000a8fe060", headers=headers)

res = conn.getresponse()
data = res.read()

print(data.decode("utf-8"))
```

```go
package main

import (
    "fmt"
    "io"
    "net/http"
)

func main() {
    url := "https://test-api.cyberproof.io/api/v1/alerts/5a9e19eebdee5a000a8fe060"

    req, err := http.NewRequest("GET", url, nil)
    if err != nil {
        panic(err)
    }
    req.Header.Add("Accept", "application/json")
    req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")

    res, err := http.DefaultClient.Do(req)
    if err != nil {
        panic(err)
    }
    defer res.Body.Close()

    body, err := io.ReadAll(res.Body)
    if err != nil {
        panic(err)
    }

    fmt.Println(res.Status)
    fmt.Println(string(body))
}
```

```csharp
var client = new HttpClient();
var request = new HttpRequestMessage
{
    Method = HttpMethod.Get,
    RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/alerts/5a9e19eebdee5a000a8fe060"),
    Headers =
    {
        { "Accept", "application/json" },
        { "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
    },
};
using (var response = await client.SendAsync(request))
{
    response.EnsureSuccessStatusCode();
    var body = await response.Content.ReadAsStringAsync();
    Console.WriteLine(body);
}
```

```java
HttpResponse<String> response = Unirest.get("https://test-api.cyberproof.io/api/v1/alerts/5a9e19eebdee5a000a8fe060")
  .header("Accept", "application/json")
  .header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
  .asString();
```
GET /alerts/{alertId}
Returns a single alert
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| alertId | path | string | true | The unique ID of the alert, as defined by CDC |
Example responses
200 Response
{
"id": "5e7c6cf54b832e0018f191ad",
"source": "QRadar",
"sourceId": 296,
"score": 33.2,
"name": "Windows - Multiple failed logins same user same host",
"description": "Customer Name - AcmeCo\nAlert Name - Windows - Multiple failed logins same user same host\nDevice Vendor - Microsoft\nDevice Product - Microsoft Windows\nDevice Event Class Id - rule:105\n",
"severity": "Medium",
"created": "2019-08-24T14:15:22Z",
"modified": "2019-08-24T14:15:22Z",
"detected": "2019-08-24T14:15:22Z",
"status": "In Incident",
"sourceUrl": "https://192.168.41.164/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=296",
"company": "ACME Europe",
"useCase": "UC216 - EPP - Persistent Malware",
"tags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"classification": "Authentication",
"observableTags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"categories": [
"Ransomware",
"Phishing"
],
"detectionRule": "WRONG_PASSWORD_3_ATTEMPTS",
"killChain": [
"Reconnaissance",
"Weaponization",
"Delivery"
],
"mitreAttacks": [
"T1003",
"T1001",
"T1595.001"
],
"alertType": "CTI-Landscape",
"threatType": "Phishing",
"raw": {
"attributeInitializationInProgress": false,
"createdTime": {
"day": {
"numberInt": "18"
},
"hour": {
"numberInt": "16"
},
"milliSecond": {
"numberInt": "711"
},
"minute": {
"numberInt": "10"
},
"month": {
"numberInt": "6"
},
"second": {
"numberInt": "47"
},
"timezoneID": "Israel",
"year": {
"numberInt": "2017"
}
},
"createdTimestamp": {
"numberDouble": "1500383447711"
},
"deprecated": false,
"description": "ACME",
"disabled": false,
"inCache": true,
"inactive": false,
"initialized": true,
"isAdditionalLoaded": false,
"localID": {
"numberDouble": "30064798760"
},
"modificationCount": {
"numberInt": "1"
}
},
"appendedRaw": [
{}
],
"cdcUrl": "https://acme.cyberproof.io/home/alerts/alert/5e7c6cf54b832e0018f191ad",
"threatActors": [
"Cyber Criminals",
"Anonymous"
],
"malwareTools": [
"TrickBot",
"IcedID",
"Cobalt Strike"
],
"ctiSourceUrls": [
"https://blog.malwarebytes.com/someTopic"
],
"recommendations": "Implement the attached IOCs in your security systems."
}
Responses
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | success | Alert |
| 400 | Bad Request | The request is invalid | None |
| 401 | Unauthorized | Authentication failure | None |
| 403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
| 404 | Not Found | The requested resource was not found | None |
| 429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the server's rate-limiting policy. | None |
| 500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
| 502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
| 503 | Service Unavailable | The server cannot handle the request at the moment | None |
| 504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
Response Headers
| Status | Header | Type | Format | Description |
|---|---|---|---|---|
| 200 | ETag | string | | Includes an identifier for a specific version of a resource. Commonly used as the basis for conditional gets and conditional updates. |
queryAlertEvidence
Code samples
curl --request GET \
--url https://test-api.cyberproof.io/api/v1/alerts/5a9e19eebdee5a000a8fe060/evidence \
--header 'Accept: application/json' \
--header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a'

fetch("https://test-api.cyberproof.io/api/v1/alerts/5a9e19eebdee5a000a8fe060/evidence", {
"method": "GET",
"headers": {
"Accept": "application/json",
"X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
}
})
.then(response => {
console.log(response);
})
.catch(err => {
console.error(err);
});

import http.client
conn = http.client.HTTPSConnection("test-api.cyberproof.io")
headers = {
'Accept': "application/json",
'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("GET", "/api/v1/alerts/5a9e19eebdee5a000a8fe060/evidence", headers=headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))

package main
import (
"fmt"
"net/http"
"io/ioutil"
)
func main() {
url := "https://test-api.cyberproof.io/api/v1/alerts/5a9e19eebdee5a000a8fe060/evidence"
req, _ := http.NewRequest("GET", url, nil)
req.Header.Add("Accept", "application/json")
req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
res, _ := http.DefaultClient.Do(req)
defer res.Body.Close()
body, _ := ioutil.ReadAll(res.Body)
fmt.Println(res)
fmt.Println(string(body))
}

var client = new HttpClient();
var request = new HttpRequestMessage
{
Method = HttpMethod.Get,
RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/alerts/5a9e19eebdee5a000a8fe060/evidence"),
Headers =
{
{ "Accept", "application/json" },
{ "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
},
};
using (var response = await client.SendAsync(request))
{
response.EnsureSuccessStatusCode();
var body = await response.Content.ReadAsStringAsync();
Console.WriteLine(body);
}

HttpResponse<String> response = Unirest.get("https://test-api.cyberproof.io/api/v1/alerts/5a9e19eebdee5a000a8fe060/evidence")
.header("Accept", "application/json")
.header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
.asString();
GET /alerts/{alertId}/evidence
Returns information about the evidence associated with this alert.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| alertId | path | string | true | The unique ID of the alert, as defined by CDC |
| marker | query | string(byte) | false | A continuation token, used to retrieve the next results page. |
| include | query | array[string] | false | Specifies which additional fields to include in the query results: |
Detailed descriptions
include: Specifies which additional fields to include in the query results:
data: includes the evidence metadata.
Enumerated Values
| Parameter | Value |
|---|---|
| include | data |
Example responses
200 Response
{
"nextMarker": "string",
"results": [
{
"id": "5aa4d8fcbdee5a000a911882",
"type": "MITRE_ATTACK_ADDED",
"reported": "2019-08-24T14:15:22Z",
"created": "2019-08-24T14:15:22Z",
"caption": "Severity changed",
"description": "System Admin has changed severity from Low to Medium",
"messageId": "string",
"messageCdcUrl": "https://acme.cyberproof.io/home/incidents/5ea71bb363f6c6001707663b/evidence/5ea71bb363f6c6001707254a",
"externalId": "345ffe9a",
"data": {}
}
]
}
Responses
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | success | EvidenceQueryResults |
| 400 | Bad Request | The request is invalid | None |
| 401 | Unauthorized | Authentication failure | None |
| 403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
| 404 | Not Found | The requested resource was not found | None |
| 413 | Payload Too Large | The payload sent by the client exceeds the size limits imposed by the server | None |
| 429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the server's rate-limiting policy. | None |
| 500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
| 502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
| 503 | Service Unavailable | The server cannot handle the request at the moment | None |
| 504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
createAlertEvidence
Code samples
curl --request POST \
--url https://test-api.cyberproof.io/api/v1/alerts/5a9e19eebdee5a000a8fe060/evidence \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a' \
--data '{"reported":"2019-08-24T14:15:22Z","caption":"Severity changed","messageId":"string","description":"System Admin has changed severity from Low to Medium","externalId":"345ffe9a"}'

fetch("https://test-api.cyberproof.io/api/v1/alerts/5a9e19eebdee5a000a8fe060/evidence", {
"method": "POST",
"headers": {
"Content-Type": "application/json",
"Accept": "application/json",
"X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
},
"body": "{\"reported\":\"2019-08-24T14:15:22Z\",\"caption\":\"Severity changed\",\"messageId\":\"string\",\"description\":\"System Admin has changed severity from Low to Medium\",\"externalId\":\"345ffe9a\"}"
})
.then(response => {
console.log(response);
})
.catch(err => {
console.error(err);
});

import http.client
conn = http.client.HTTPSConnection("test-api.cyberproof.io")
payload = "{\"reported\":\"2019-08-24T14:15:22Z\",\"caption\":\"Severity changed\",\"messageId\":\"string\",\"description\":\"System Admin has changed severity from Low to Medium\",\"externalId\":\"345ffe9a\"}"
headers = {
'Content-Type': "application/json",
'Accept': "application/json",
'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("POST", "/api/v1/alerts/5a9e19eebdee5a000a8fe060/evidence", payload, headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))

package main
import (
"fmt"
"strings"
"net/http"
"io/ioutil"
)
func main() {
url := "https://test-api.cyberproof.io/api/v1/alerts/5a9e19eebdee5a000a8fe060/evidence"
payload := strings.NewReader("{\"reported\":\"2019-08-24T14:15:22Z\",\"caption\":\"Severity changed\",\"messageId\":\"string\",\"description\":\"System Admin has changed severity from Low to Medium\",\"externalId\":\"345ffe9a\"}")
req, _ := http.NewRequest("POST", url, payload)
req.Header.Add("Content-Type", "application/json")
req.Header.Add("Accept", "application/json")
req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
res, _ := http.DefaultClient.Do(req)
defer res.Body.Close()
body, _ := ioutil.ReadAll(res.Body)
fmt.Println(res)
fmt.Println(string(body))
}

var client = new HttpClient();
var request = new HttpRequestMessage
{
Method = HttpMethod.Post,
RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/alerts/5a9e19eebdee5a000a8fe060/evidence"),
Headers =
{
{ "Accept", "application/json" },
{ "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
},
Content = new StringContent("{\"reported\":\"2019-08-24T14:15:22Z\",\"caption\":\"Severity changed\",\"messageId\":\"string\",\"description\":\"System Admin has changed severity from Low to Medium\",\"externalId\":\"345ffe9a\"}")
{
Headers =
{
ContentType = new MediaTypeHeaderValue("application/json")
}
}
};
using (var response = await client.SendAsync(request))
{
response.EnsureSuccessStatusCode();
var body = await response.Content.ReadAsStringAsync();
Console.WriteLine(body);
}

HttpResponse<String> response = Unirest.post("https://test-api.cyberproof.io/api/v1/alerts/5a9e19eebdee5a000a8fe060/evidence")
.header("Content-Type", "application/json")
.header("Accept", "application/json")
.header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
.body("{\"reported\":\"2019-08-24T14:15:22Z\",\"caption\":\"Severity changed\",\"messageId\":\"string\",\"description\":\"System Admin has changed severity from Low to Medium\",\"externalId\":\"345ffe9a\"}")
.asString();
POST /alerts/{alertId}/evidence
Creates a new alert evidence
Body parameter
{
"reported": "2019-08-24T14:15:22Z",
"caption": "Severity changed",
"messageId": "string",
"description": "System Admin has changed severity from Low to Medium",
"externalId": "345ffe9a"
}
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| alertId | path | string | true | The unique ID of the alert, as defined by CDC |
| body | body | CreateEvidenceRequest | true | none |
Example responses
201 Response
{
"id": "5aa4d8fcbdee5a000a911882",
"type": "MITRE_ATTACK_ADDED",
"reported": "2019-08-24T14:15:22Z",
"created": "2019-08-24T14:15:22Z",
"caption": "Severity changed",
"description": "System Admin has changed severity from Low to Medium",
"messageId": "string",
"messageCdcUrl": "https://acme.cyberproof.io/home/incidents/5ea71bb363f6c6001707663b/evidence/5ea71bb363f6c6001707254a",
"externalId": "345ffe9a",
"data": {}
}
Responses
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 201 | Created | The evidence has been created | Evidence |
| 400 | Bad Request | The request is invalid | None |
| 401 | Unauthorized | Authentication failure | None |
| 403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
| 404 | Not Found | The requested resource was not found | None |
| 409 | Conflict | The request conflicts with the current state of the resource. | None |
| 413 | Payload Too Large | The payload sent by the client exceeds the size limits imposed by the server | None |
| 429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the server's rate-limiting policy. | None |
| 500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
| 502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
| 503 | Service Unavailable | The server cannot handle the request at the moment | None |
| 504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
incidents
Incidents APIs
queryIncidents
Code samples
curl --request GET \
--url https://test-api.cyberproof.io/api/v1/incidents \
--header 'Accept: application/json' \
--header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a'

fetch("https://test-api.cyberproof.io/api/v1/incidents", {
"method": "GET",
"headers": {
"Accept": "application/json",
"X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
}
})
.then(response => {
console.log(response);
})
.catch(err => {
console.error(err);
});

import http.client
conn = http.client.HTTPSConnection("test-api.cyberproof.io")
headers = {
'Accept': "application/json",
'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("GET", "/api/v1/incidents", headers=headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))

package main
import (
"fmt"
"net/http"
"io/ioutil"
)
func main() {
url := "https://test-api.cyberproof.io/api/v1/incidents"
req, _ := http.NewRequest("GET", url, nil)
req.Header.Add("Accept", "application/json")
req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
res, _ := http.DefaultClient.Do(req)
defer res.Body.Close()
body, _ := ioutil.ReadAll(res.Body)
fmt.Println(res)
fmt.Println(string(body))
}

var client = new HttpClient();
var request = new HttpRequestMessage
{
Method = HttpMethod.Get,
RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/incidents"),
Headers =
{
{ "Accept", "application/json" },
{ "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
},
};
using (var response = await client.SendAsync(request))
{
response.EnsureSuccessStatusCode();
var body = await response.Content.ReadAsStringAsync();
Console.WriteLine(body);
}

HttpResponse<String> response = Unirest.get("https://test-api.cyberproof.io/api/v1/incidents")
.header("Accept", "application/json")
.header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
.asString();
GET /incidents
Queries incidents based on filters provided by the client. For synchronization purposes, the updatedAfter filter option should be used.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| marker | query | string(byte) | false | A continuation token, used to retrieve the next results page. |
| externalId | query | string | false | Filters according to the specified external ID. Used in conjunction with the externalSystem parameter. |
| externalSystem | query | string | false | Identifies the external system to which the filter refers. |
| include | query | array[string] | false | Specifies which additional fields to include in the query results: |
| status | query | array[string] | false | Filter incidents by status |
| pendingForGroup | query | string | false | Return only incidents that are pending redirection to the specified group. |
| group | query | string | false | filter incidents by the group (tier) which currently owns them (L1, L2, Customer) |
| updatedBefore | query | string(date-time) | false | Include only those which were updated before the specified timestamp (exclusive) |
| updatedAfter | query | string(date-time) | false | Include only those which were updated after or at the specified timestamp (inclusive) |
| observableType | query | string | false | Filters incidents by observable: only incidents linked to the specified observable will be returned. |
| observableValue | query | string | false | Filters incidents by observable: only incidents linked to the specified observable will be returned. |
| tags | query | array[string] | false | Filters incidents by tags. |
| tagsCondition | query | string | false | If tags contains multiple items, determines the query predicate: |
Detailed descriptions
externalId: Filters according to the specified external ID. Used in conjunction with the externalSystem parameter. If specified, then externalSystem MUST be specified as well.
externalSystem: Identifies the external system to which the filter refers. Used in conjunction with the externalId parameter:
- If externalId is also specified, the filter will return only items which have the specified externalId at the specified externalSystem.
- If externalId is not specified, the filter will return all items which have some external ID at the specified externalSystem.
include: Specifies which additional fields to include in the query results:
- name: includes the incident name.
- description: includes the incident description.
- tags: includes the incident tags.
- externalIds: includes the external IDs associated with the incident, which the caller has permission to access.
- company: includes the company associated with the incident.
observableType: Filters incidents by observable: only incidents linked to the specified observable will be returned. This parameter specifies the observable's type, and it must be combined with the observableValue parameter.
observableValue: Filters incidents by observable: only incidents linked to the specified observable will be returned. This parameter specifies the observable's value, and it must be combined with the observableType parameter.
tags: Filters incidents by tags.
Note: if more than one tag is specified, the client must also specify tagsCondition; otherwise the server returns 400 Bad Request.
tagsCondition: If tags contains multiple items, determines the query predicate:
- any: returns results which contain at least one of the specified tags
- all: returns results which contain all of the specified tags
Enumerated Values
| Parameter | Value |
|---|---|
| include | name |
| include | description |
| include | tags |
| include | externalIds |
| include | company |
| include | redirectionReason |
| tagsCondition | any |
| tagsCondition | all |
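The parameter rules above (tagsCondition required once more than one tag is given, externalId only together with externalSystem, observableType paired with observableValue) and the marker/updatedAfter synchronization pattern, as an added Python example that is not part of the CyberProof documentation or its client code. It assumes array query parameters are sent as repeated keys, that a missing or empty nextMarker marks the last page, and that the HTTP transport is an injected callable; fake_fetch_page and SAMPLE_INCIDENTS are constructed stand-ins for GET /incidents so the example runs offline. Because updatedAfter is inclusive, the incident that set the previous watermark is returned again on the next run, which the sync loop handles by de-duplicating on id.

```python
"""Client-side synchronization against GET /incidents (added example).

build_incident_query applies the cross-parameter rules documented above so a
bad combination fails locally instead of costing a 400 round trip;
sync_incidents follows the nextMarker continuation token and advances an
updatedAfter watermark. The transport is an injected callable so the example
runs offline against the constructed fake below."""
from datetime import datetime, timezone

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # the date-time format used in the responses above


def parse_ts(text):
    return datetime.strptime(text, TS_FORMAT).replace(tzinfo=timezone.utc)


def build_incident_query(*, marker=None, updated_after=None, include=(), tags=(),
                         tags_condition=None, external_id=None, external_system=None,
                         observable_type=None, observable_value=None):
    """Return the query as a list of (name, value) pairs; array parameters are
    sent as repeated keys (assumption). Raises ValueError for the combinations
    the parameter descriptions say the server rejects with 400."""
    tags = list(tags)
    if len(tags) > 1 and tags_condition not in ("any", "all"):
        raise ValueError("tagsCondition (any|all) is required when more than one tag is given")
    if external_id is not None and external_system is None:
        raise ValueError("externalId may only be used together with externalSystem")
    if (observable_type is None) != (observable_value is None):
        raise ValueError("observableType and observableValue must be given together")
    params = []
    if marker is not None:
        params.append(("marker", marker))
    if updated_after is not None:
        params.append(("updatedAfter", updated_after))
    params.extend(("include", f) for f in include)
    params.extend(("tags", t) for t in tags)
    for name, value in (("tagsCondition", tags_condition), ("externalId", external_id),
                        ("externalSystem", external_system), ("observableType", observable_type),
                        ("observableValue", observable_value)):
        if value is not None:
            params.append((name, value))
    return params


def sync_incidents(fetch_page, watermark):
    """Pull every incident updated at or after `watermark` (a TS_FORMAT string),
    following nextMarker until the server returns none. updatedAfter is
    inclusive, so the incident that set the previous watermark comes back
    again; results are therefore keyed by id. Returns (incidents, new_watermark)."""
    marker = None
    seen = {}
    newest = parse_ts(watermark)
    while True:
        page = fetch_page(build_incident_query(marker=marker, updated_after=watermark,
                                               include=("name", "tags")))
        for inc in page["results"]:
            seen[inc["id"]] = inc
            newest = max(newest, parse_ts(inc["updated"]))
        marker = page.get("nextMarker")
        if not marker:  # assumption: no/empty nextMarker means the last page
            return list(seen.values()), newest.strftime(TS_FORMAT)


# Constructed sample incidents, shaped like the 200 response above.
SAMPLE_INCIDENTS = [
    {"id": "inc-1", "key": "CDC-20191208-00046", "name": "Web Proxy - Execution file download",
     "updated": "2019-08-24T14:15:22Z", "tags": ["Virus"]},
    {"id": "inc-2", "key": "CDC-20191208-00047", "name": "Windows - Multiple failed logins",
     "updated": "2019-08-24T15:00:00Z", "tags": ["Phishing"]},
    {"id": "inc-3", "key": "CDC-20191208-00048", "name": "Web Proxy - Execution file download",
     "updated": "2019-08-24T16:30:00Z", "tags": []},
]


def fake_fetch_page(params, page_size=2):
    """Constructed stand-in for GET /incidents: honours updatedAfter (inclusive)
    and pages through the sample data with an opaque marker."""
    query = dict(params)  # only single-valued keys are read here
    since = query.get("updatedAfter")
    rows = [i for i in SAMPLE_INCIDENTS
            if since is None or parse_ts(i["updated"]) >= parse_ts(since)]
    start = int(query.get("marker") or 0)
    end = start + page_size
    return {"nextMarker": str(end) if end < len(rows) else None, "results": rows[start:end]}
```

Persist the returned watermark only after the whole page walk succeeded; if a run is interrupted mid-way, restarting from the old watermark re-delivers the same incidents, which the id-keyed merge absorbs without duplicates.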
Example responses
200 Response
{
"nextMarker": "string",
"results": [
{
"id": "string",
"key": "CDC-20191208-00046",
"name": "Web Proxy - Execution file download",
"description": "Customer Name - ACME Inc<br>Alert Name - Web Proxy - Execution file download<br>Device Product - Web Gateway<br>Category Outcome - /Failure<br>\n",
"created": "2019-08-24T14:15:22Z",
"updated": "2019-08-24T14:15:22Z",
"type": "DDOS",
"status": "Closed",
"priority": "Low",
"group": "L1",
"externalIds": [
{
"system": "ServiceNow",
"id": "40385fee"
}
],
"tags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"company": "ACME Europe",
"pendingForGroup": "string",
"redirectionReason": "string",
"endSlaDate": "2019-08-23T14:15:22Z"
}
]
}
Responses
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | A JSON object containing the results and additional information | IncidentsQueryResults |
| 400 | Bad Request | The request is invalid | None |
| 401 | Unauthorized | Authentication failure | None |
| 403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
| 413 | Payload Too Large | The payload sent by the client exceeds the size limits imposed by the server | None |
| 429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the server's rate-limiting policy. | None |
| 500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
| 502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
| 503 | Service Unavailable | The server cannot handle the request at the moment | None |
| 504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
getIncident
Code samples
curl --request GET \
--url https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060 \
--header 'Accept: application/json' \
--header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a'

fetch("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060", {
"method": "GET",
"headers": {
"Accept": "application/json",
"X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
}
})
.then(response => {
console.log(response);
})
.catch(err => {
console.error(err);
});

import http.client
conn = http.client.HTTPSConnection("test-api.cyberproof.io")
headers = {
'Accept': "application/json",
'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("GET", "/api/v1/incidents/5a9e19eebdee5a000a8fe060", headers=headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))

package main
import (
"fmt"
"net/http"
"io/ioutil"
)
func main() {
url := "https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060"
req, _ := http.NewRequest("GET", url, nil)
req.Header.Add("Accept", "application/json")
req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
res, _ := http.DefaultClient.Do(req)
defer res.Body.Close()
body, _ := ioutil.ReadAll(res.Body)
fmt.Println(res)
fmt.Println(string(body))
}

var client = new HttpClient();
var request = new HttpRequestMessage
{
Method = HttpMethod.Get,
RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060"),
Headers =
{
{ "Accept", "application/json" },
{ "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
},
};
using (var response = await client.SendAsync(request))
{
response.EnsureSuccessStatusCode();
var body = await response.Content.ReadAsStringAsync();
Console.WriteLine(body);
}

HttpResponse<String> response = Unirest.get("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060")
.header("Accept", "application/json")
.header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
.asString();
GET /incidents/{incidentId}
Returns a single incident
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| incidentId | path | string | true | The unique ID of the incident |
Example responses
200 Response
{
"id": "string",
"key": "CDC-20191208-00046",
"name": "Web Proxy - Execution file download",
"description": "Customer Name - ACME Inc<br>Alert Name - Web Proxy - Execution file download<br>Device Product - Web Gateway<br>Category Outcome - /Failure<br>\n",
"created": "2019-08-24T14:15:22Z",
"updated": "2019-08-24T14:15:22Z",
"type": "DDOS",
"status": "Closed",
"priority": "Low",
"group": "L1",
"externalIds": [
{
"system": "ServiceNow",
"id": "40385fee"
}
],
"tags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"company": "ACME Europe",
"pendingForGroup": "string",
"redirectionReason": "string",
"endSlaDate": "2019-08-23T14:15:22Z",
"closingComment": "string",
"closingReason": "True Positive",
"closed": "2019-08-24T14:15:22Z",
"cdcUrl": "https://acme.cyberproof.io/home/incidents/incident/5ea71bb363f6c6001707663b"
}
Responses
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | success | Incident |
| 400 | Bad Request | The request is invalid | None |
| 401 | Unauthorized | Authentication failure | None |
| 403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
| 404 | Not Found | The requested resource was not found | None |
| 429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the server's rate-limiting policy. | None |
| 500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
| 502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
| 503 | Service Unavailable | The server cannot handle the request at the moment | None |
| 504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
Response Headers
| Status | Header | Type | Format | Description |
|---|---|---|---|---|
| 200 | ETag | string | | Includes an identifier for a specific version of a resource. Commonly used as the basis for conditional gets and conditional updates. |
updateIncident
Code samples
curl --request PATCH \
--url https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060 \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'If-Match: string' \
--header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a' \
--data '{"priority":"Low","tags":["Cloud-Computing","Virus","Phishing"],"company":"string"}'

fetch("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060", {
"method": "PATCH",
"headers": {
"Content-Type": "application/json",
"Accept": "application/json",
"If-Match": "string",
"X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
},
"body": "{\"priority\":\"Low\",\"tags\":[\"Cloud-Computing\",\"Virus\",\"Phishing\"],\"company\":\"string\"}"
})
.then(response => {
console.log(response);
})
.catch(err => {
console.error(err);
});

import http.client
conn = http.client.HTTPSConnection("test-api.cyberproof.io")
payload = "{\"priority\":\"Low\",\"tags\":[\"Cloud-Computing\",\"Virus\",\"Phishing\"],\"company\":\"string\"}"
headers = {
'Content-Type': "application/json",
'Accept': "application/json",
'If-Match': "string",
'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("PATCH", "/api/v1/incidents/5a9e19eebdee5a000a8fe060", payload, headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))

package main
import (
"fmt"
"strings"
"net/http"
"io/ioutil"
)
func main() {
url := "https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060"
payload := strings.NewReader("{\"priority\":\"Low\",\"tags\":[\"Cloud-Computing\",\"Virus\",\"Phishing\"],\"company\":\"string\"}")
req, _ := http.NewRequest("PATCH", url, payload)
req.Header.Add("Content-Type", "application/json")
req.Header.Add("Accept", "application/json")
req.Header.Add("If-Match", "string")
req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
res, _ := http.DefaultClient.Do(req)
defer res.Body.Close()
body, _ := ioutil.ReadAll(res.Body)
fmt.Println(res)
fmt.Println(string(body))
}

var client = new HttpClient();
var request = new HttpRequestMessage
{
Method = HttpMethod.Patch,
RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060"),
Headers =
{
{ "Accept", "application/json" },
{ "If-Match", "string" },
{ "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
},
Content = new StringContent("{\"priority\":\"Low\",\"tags\":[\"Cloud-Computing\",\"Virus\",\"Phishing\"],\"company\":\"string\"}")
{
Headers =
{
ContentType = new MediaTypeHeaderValue("application/json")
}
}
};
using (var response = await client.SendAsync(request))
{
response.EnsureSuccessStatusCode();
var body = await response.Content.ReadAsStringAsync();
Console.WriteLine(body);
}

HttpResponse<String> response = Unirest.patch("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060")
.header("Content-Type", "application/json")
.header("Accept", "application/json")
.header("If-Match", "string")
.header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
.body("{\"priority\":\"Low\",\"tags\":[\"Cloud-Computing\",\"Virus\",\"Phishing\"],\"company\":\"string\"}")
.asString();
PATCH /incidents/{incidentId}
Updates an incident
A JSON object with details of the incident.
NOTE: The maximum request size is 100 KB.
NOTE: If tags is included, the incident's existing tags are replaced with the specified ones.
Body parameter
{
"priority": "Low",
"tags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"company": "string"
}
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| incidentId | path | string | true | The unique ID of the incident |
| If-Match | header | string | false | Enables conditional modification: the resource is modified only if its current ETag matches the value specified in this header; otherwise 412 "Precondition Failed" is returned to the client |
| body | body | UpdateIncidentRequest | true | none |
Example responses
200 Response
{
"id": "string",
"key": "CDC-20191208-00046",
"name": "Web Proxy - Execution file download",
"description": "Customer Name - ACME Inc<br>Alert Name - Web Proxy - Execution file download<br>Device Product - Web Gateway<br>Category Outcome - /Failure<br>\n",
"created": "2019-08-24T14:15:22Z",
"updated": "2019-08-24T14:15:22Z",
"type": "DDOS",
"status": "Closed",
"priority": "Low",
"group": "L1",
"externalIds": [
{
"system": "ServiceNow",
"id": "40385fee"
}
],
"tags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"company": "ACME Europe",
"pendingForGroup": "string",
"redirectionReason": "string",
"endSlaDate": "2019-08-23T14:15:22Z",
"closingComment": "string",
"closingReason": "True Positive",
"closed": "2019-08-24T14:15:22Z",
"cdcUrl": "https://acme.cyberproof.io/home/incidents/incident/5ea71bb363f6c6001707663b"
}
Responses
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | The incident was updated | Incident |
| 400 | Bad Request | The request is invalid | None |
| 401 | Unauthorized | Authentication failure | None |
| 403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
| 404 | Not Found | The requested resource was not found | None |
| 409 | Conflict | The attempted operation conflicts with the current state of the incident | None |
| 412 | Precondition Failed | A precondition specified by the client was not met. This occurs when the ETag sent in the If-Match header does not match the ETag found in the underlying data store | None |
| 413 | Payload Too Large | The payload sent by the client exceeds the size limits imposed by the server | None |
| 429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the server's rate-limiting policy. | None |
| 500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
| 502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
| 503 | Service Unavailable | The server cannot handle the request at the moment | None |
| 504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
Response Headers
| Status | Header | Type | Format | Description |
|---|---|---|---|---|
| 200 | ETag | string | | Includes an identifier for a specific version of a resource. Commonly used as the basis for conditional gets and conditional updates. |
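The ETag / If-Match contract described above for GET and PATCH /incidents/{incidentId}, as an added Python example that is not part of the CyberProof documentation or its client code. It plays both sides: FakeIncidentStore is a constructed in-memory stand-in for the server whose ETag derivation and 404/412/413 handling are this example's own assumptions, and conditional_update is the client-side read-modify-write loop. The incident record is constructed from the sample response. It shows why the conditional request matters for this endpoint in particular: because a supplied tags list replaces the existing one, an unconditional PATCH can silently discard a tag another client added between your GET and your PATCH, while the If-Match variant gets a 412, re-reads and keeps both.

```python
"""Optimistic concurrency for PATCH /incidents/{incidentId} (added example).

The client takes the ETag from the GET response and sends it back as If-Match,
so the update applies only if the incident is unchanged since it was read; on
412 Precondition Failed it re-reads and rebuilds the patch from fresh state."""
import hashlib
import json

MAX_BODY_BYTES = 100 * 1024  # documented request-size limit for PATCH /incidents


class FakeIncidentStore:
    """Constructed server-side stand-in implementing the ETag / If-Match contract.
    Deriving the ETag from a hash of the record is this example's choice."""

    def __init__(self, incidents):
        self.incidents = {i["id"]: dict(i) for i in incidents}

    @staticmethod
    def etag(incident):
        canonical = json.dumps(incident, sort_keys=True).encode("utf-8")
        return '"%s"' % hashlib.sha256(canonical).hexdigest()[:16]

    def get(self, incident_id):
        inc = self.incidents.get(incident_id)
        if inc is None:
            return 404, {}, None
        return 200, {"ETag": self.etag(inc)}, dict(inc)

    def patch(self, incident_id, body, headers):
        inc = self.incidents.get(incident_id)
        if inc is None:
            return 404, {}, None
        if len(json.dumps(body).encode("utf-8")) > MAX_BODY_BYTES:
            return 413, {}, None
        if_match = headers.get("If-Match")
        if if_match is not None and if_match != self.etag(inc):
            return 412, {}, None
        inc.update(body)  # per the docs, a supplied tags list replaces the old one
        return 200, {"ETag": self.etag(inc)}, dict(inc)


def conditional_update(get_fn, patch_fn, incident_id, compute_patch, max_attempts=3):
    """Read-modify-write guarded by If-Match. compute_patch(current) builds the
    body from the freshly read incident, so a retry after 412 never reuses
    stale data. Returns (updated_incident, attempts_used)."""
    for attempt in range(1, max_attempts + 1):
        status, headers, current = get_fn(incident_id)
        if status != 200:
            raise RuntimeError("GET /incidents/%s returned %d" % (incident_id, status))
        status, _, updated = patch_fn(incident_id, compute_patch(current),
                                      {"If-Match": headers["ETag"]})
        if status == 200:
            return updated, attempt
        if status != 412:
            raise RuntimeError("PATCH /incidents/%s returned %d" % (incident_id, status))
    raise RuntimeError("still conflicting after %d attempts" % max_attempts)


def add_tag(tag):
    """Patch builder: tags are replaced wholesale, so the full list is sent."""
    return lambda inc: {"tags": list(inc.get("tags", [])) + [tag]}


INCIDENT_ID = "5ea71bb363f6c6001707663b"


def make_store():
    # Constructed sample incident, shaped like the 200 response above.
    return FakeIncidentStore([{"id": INCIDENT_ID, "key": "CDC-20191208-00046",
                               "priority": "Low", "tags": ["Cloud-Computing"]}])


def racy_patch(store, interleaved_write):
    """Wraps store.patch so another client's write lands just before the first
    PATCH, reproducing the window between a GET and its PATCH."""
    state = {"fired": False}

    def patch(incident_id, body, headers):
        if not state["fired"]:
            state["fired"] = True
            interleaved_write(store.incidents[incident_id])
        return store.patch(incident_id, body, headers)
    return patch


def demo(use_if_match):
    """Return the final tag list. With If-Match the concurrently added
    'Phishing' tag survives; without it the second writer overwrites it."""
    store = make_store()
    other_client = lambda inc: inc.__setitem__("tags", inc["tags"] + ["Phishing"])
    patch = racy_patch(store, other_client)
    if use_if_match:
        updated, _ = conditional_update(store.get, patch, INCIDENT_ID, add_tag("Virus"))
    else:
        _, _, current = store.get(INCIDENT_ID)
        _, _, updated = patch(INCIDENT_ID, add_tag("Virus")(current), {})  # no If-Match
    return updated["tags"]
```

Against the real endpoint, get_fn and patch_fn would wrap the GET and PATCH calls shown in the code samples, returning the status code, the response headers (for ETag) and the parsed body; the retry loop and the patch builder stay the same.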
createIncidentMessage
Code samples
curl --request POST \
--url https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/messages \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a' \
--data '{"externalId":"345ffe9a","contentType":"text","content":"Requires further investigation","evidence":{"caption":"Severity changed","reported":"2019-08-24T14:15:22Z","description":"System Admin has changed severity from Low to Medium"}}'
fetch("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/messages", {
"method": "POST",
"headers": {
"Content-Type": "application/json",
"Accept": "application/json",
"X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
},
"body": "{\"externalId\":\"345ffe9a\",\"contentType\":\"text\",\"content\":\"Requires further investigation\",\"evidence\":{\"caption\":\"Severity changed\",\"reported\":\"2019-08-24T14:15:22Z\",\"description\":\"System Admin has changed severity from Low to Medium\"}}"
})
.then(response => {
console.log(response);
})
.catch(err => {
console.error(err);
});
import http.client
conn = http.client.HTTPSConnection("test-api.cyberproof.io")
payload = "{\"externalId\":\"345ffe9a\",\"contentType\":\"text\",\"content\":\"Requires further investigation\",\"evidence\":{\"caption\":\"Severity changed\",\"reported\":\"2019-08-24T14:15:22Z\",\"description\":\"System Admin has changed severity from Low to Medium\"}}"
headers = {
'Content-Type': "application/json",
'Accept': "application/json",
'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("POST", "/api/v1/incidents/5a9e19eebdee5a000a8fe060/messages", payload, headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
package main

import (
	"fmt"
	"io"
	"log"
	"net/http"
	"strings"
)

func main() {
	url := "https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/messages"
	payload := strings.NewReader("{\"externalId\":\"345ffe9a\",\"contentType\":\"text\",\"content\":\"Requires further investigation\",\"evidence\":{\"caption\":\"Severity changed\",\"reported\":\"2019-08-24T14:15:22Z\",\"description\":\"System Admin has changed severity from Low to Medium\"}}")
	req, err := http.NewRequest("POST", url, payload)
	if err != nil {
		log.Fatal(err)
	}
	req.Header.Add("Content-Type", "application/json")
	req.Header.Add("Accept", "application/json")
	req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
	res, err := http.DefaultClient.Do(req)
	if err != nil {
		log.Fatal(err) // on a transport error res is nil and res.Body.Close() would panic
	}
	defer res.Body.Close()
	body, err := io.ReadAll(res.Body) // io.ReadAll replaces the deprecated ioutil.ReadAll (Go 1.16+)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(res.Status)
	fmt.Println(string(body))
}
var client = new HttpClient();
var request = new HttpRequestMessage
{
Method = HttpMethod.Post,
RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/messages"),
Headers =
{
{ "Accept", "application/json" },
{ "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
},
Content = new StringContent("{\"externalId\":\"345ffe9a\",\"contentType\":\"text\",\"content\":\"Requires further investigation\",\"evidence\":{\"caption\":\"Severity changed\",\"reported\":\"2019-08-24T14:15:22Z\",\"description\":\"System Admin has changed severity from Low to Medium\"}}")
{
Headers =
{
ContentType = new MediaTypeHeaderValue("application/json")
}
}
};
using (var response = await client.SendAsync(request))
{
response.EnsureSuccessStatusCode();
var body = await response.Content.ReadAsStringAsync();
Console.WriteLine(body);
}
HttpResponse<String> response = Unirest.post("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/messages")
.header("Content-Type", "application/json")
.header("Accept", "application/json")
.header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
.body("{\"externalId\":\"345ffe9a\",\"contentType\":\"text\",\"content\":\"Requires further investigation\",\"evidence\":{\"caption\":\"Severity changed\",\"reported\":\"2019-08-24T14:15:22Z\",\"description\":\"System Admin has changed severity from Low to Medium\"}}")
.asString();
POST /incidents/{incidentId}/messages
Creates a new incident message
Creates a new incident message in CDC.
This operation is idempotent: if the client supplies an externalId that already exists in CDC, the request still succeeds and the existing message is updated in place (UPSERT semantics) instead of a duplicate being created. Clients that retry on 429 or 5xx should therefore send the same externalId on every attempt.
NOTE: The maximum request size is 512 KB; larger bodies are rejected with 413.
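Idempotency only protects a client that chooses externalId the same way on every attempt. The Python below is an added example, not CyberProof's code or one of the page's samples: it derives externalId deterministically from the source system and its event id, refuses client-side to send a body over the 512 KB limit, posts through an injectable transport so it runs offline, and drives the flow against a constructed in-memory stand-in for CDC that applies UPSERT semantics on externalId. The stand-in, the transport signature, the `external_id_for` derivation and the key value `demo-key` are assumptions of the example; the request and response field names are the ones documented here.

```python
import hashlib
import json
from typing import Callable, Dict, Optional, Tuple

# Limit stated in the endpoint description: maximum request size is 512 KB.
MAX_REQUEST_BYTES = 512 * 1024

# Injected transport so the example runs offline (assumed signature, not part of the API):
# (method, path, headers, body) -> (status, response_headers, response_body)
Transport = Callable[[str, str, Dict[str, str], bytes], Tuple[int, Dict[str, str], bytes]]


class PayloadTooLarge(ValueError):
    """Raised client-side instead of letting the server answer 413."""


def external_id_for(source: str, event_id: str) -> str:
    """Derive externalId deterministically from the originating system and its event id (assumed
    scheme), so every retry of the same event maps to the same CDC message: UPSERT, no duplicates."""
    return hashlib.sha256(f"{source}:{event_id}".encode("utf-8")).hexdigest()[:16]


def build_message(external_id: str, content: str, evidence: Optional[dict] = None,
                  content_type: str = "text") -> bytes:
    """Serialise a CreateIncidentMessageRequest and enforce the 512 KB limit before sending."""
    msg = {"externalId": external_id, "contentType": content_type, "content": content}
    if evidence is not None:
        msg["evidence"] = evidence
    body = json.dumps(msg, separators=(",", ":")).encode("utf-8")
    if len(body) > MAX_REQUEST_BYTES:
        raise PayloadTooLarge(f"request is {len(body)} bytes, limit is {MAX_REQUEST_BYTES}")
    return body


def create_incident_message(transport: Transport, api_key: str, incident_id: str, body: bytes) -> dict:
    """POST /incidents/{incidentId}/messages; returns the IncidentMessageSummary on 201."""
    headers = {"Content-Type": "application/json", "Accept": "application/json", "X-API-KEY": api_key}
    status, _, resp = transport("POST", f"/api/v1/incidents/{incident_id}/messages", headers, body)
    if status == 201:
        return json.loads(resp.decode("utf-8"))
    raise RuntimeError(f"createIncidentMessage failed with HTTP {status}")


class FakeCdc:
    """Constructed stand-in for the CDC side of the exchange (not the real service).
    Messages are keyed by externalId: a repeated externalId updates the stored record and
    returns the same id, which is the UPSERT behaviour the description promises."""

    def __init__(self, api_key: str = "demo-key") -> None:
        self.api_key = api_key
        self.store: Dict[str, dict] = {}
        self.calls = 0

    def __call__(self, method: str, path: str, headers: Dict[str, str], body: bytes):
        self.calls += 1
        if headers.get("X-API-KEY") != self.api_key:
            return 401, {}, b""
        if len(body) > MAX_REQUEST_BYTES:
            return 413, {}, b""
        if method != "POST" or not path.endswith("/messages"):
            return 404, {}, b""
        msg = json.loads(body)
        rec = self.store.get(msg["externalId"]) or {"id": f"msg-{len(self.store) + 1:04d}"}
        rec["text"] = msg["content"]
        rec["processedText"] = msg["content"]
        self.store[msg["externalId"]] = rec
        return 201, {}, json.dumps(rec).encode("utf-8")


def demo() -> Tuple[dict, dict, int]:
    """Send the same source event twice (a retry with an edited comment); it lands once."""
    cdc = FakeCdc()
    incident = "5a9e19eebdee5a000a8fe060"  # incident id used throughout the page's samples
    ext = external_id_for("MySIEM", "345ffe9a")
    first = create_incident_message(cdc, "demo-key", incident,
                                    build_message(ext, "Requires further investigation"))
    second = create_incident_message(cdc, "demo-key", incident,
                                     build_message(ext, "Requires further investigation (retry)"))
    return first, second, len(cdc.store)


if __name__ == "__main__":
    print(demo())
```

The size check happens before the request leaves the client because a 413 still costs a round trip and, under throttling, a slot in the rate budget; a message that is too large should be truncated or split by the caller, not retried as-is.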
Body parameter
{
"externalId": "345ffe9a",
"contentType": "text",
"content": "Requires further investigation",
"evidence": {
"caption": "Severity changed",
"reported": "2019-08-24T14:15:22Z",
"description": "System Admin has changed severity from Low to Medium"
}
}
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| incidentId | path | string | true | The unique ID of the incident |
| body | body | CreateIncidentMessageRequest | true | none |
Example responses
201 Response
{
"id": "5e7c6cf54b832e0018f191ad",
"text": "Requires further investigation",
"processedText": "Requires further investigation"
}
Responses
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 201 | Created | The message has been created | IncidentMessageSummary |
| 400 | Bad Request | The request is invalid | None |
| 401 | Unauthorized | Authentication failure | None |
| 403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
| 413 | Payload Too Large | The payload sent by the client exceeds the size limits imposed by the server | None |
| 429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the server's rate limiting policy. | None |
| 500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
| 502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
| 503 | Service Unavailable | The server cannot handle the request at the moment | None |
| 504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
closeIncident
Code samples
curl --request POST \
--url https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/close \
--header 'Content-Type: application/json' \
--header 'If-Match: string' \
--header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a' \
--data '{"closingComment":"Virus removed, performed AntiVirus software update, ensured the AntiVirus detects and quarantines emails with the virus attached","closingReason":"True Positive","shouldTerminatePlaybooks":true}'
fetch("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/close", {
"method": "POST",
"headers": {
"Content-Type": "application/json",
"If-Match": "string",
"X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
},
"body": "{\"closingComment\":\"Virus removed, performed AntiVirus software update, ensured the AntiVirus detects and quarantines emails with the virus attached\",\"closingReason\":\"True Positive\",\"shouldTerminatePlaybooks\":true}"
})
.then(response => {
console.log(response);
})
.catch(err => {
console.error(err);
});
import http.client
conn = http.client.HTTPSConnection("test-api.cyberproof.io")
payload = "{\"closingComment\":\"Virus removed, performed AntiVirus software update, ensured the AntiVirus detects and quarantines emails with the virus attached\",\"closingReason\":\"True Positive\",\"shouldTerminatePlaybooks\":true}"
headers = {
'Content-Type': "application/json",
'If-Match': "string",
'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("POST", "/api/v1/incidents/5a9e19eebdee5a000a8fe060/close", payload, headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
package main

import (
	"fmt"
	"io"
	"log"
	"net/http"
	"strings"
)

func main() {
	url := "https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/close"
	payload := strings.NewReader("{\"closingComment\":\"Virus removed, performed AntiVirus software update, ensured the AntiVirus detects and quarantines emails with the virus attached\",\"closingReason\":\"True Positive\",\"shouldTerminatePlaybooks\":true}")
	req, err := http.NewRequest("POST", url, payload)
	if err != nil {
		log.Fatal(err)
	}
	req.Header.Add("Content-Type", "application/json")
	req.Header.Add("If-Match", "string")
	req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
	res, err := http.DefaultClient.Do(req)
	if err != nil {
		log.Fatal(err) // on a transport error res is nil and res.Body.Close() would panic
	}
	defer res.Body.Close()
	body, err := io.ReadAll(res.Body) // io.ReadAll replaces the deprecated ioutil.ReadAll (Go 1.16+)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(res.Status) // 204 on success; the new ETag is in res.Header.Get("ETag")
	fmt.Println(string(body))
}
var client = new HttpClient();
var request = new HttpRequestMessage
{
Method = HttpMethod.Post,
RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/close"),
Headers =
{
{ "If-Match", "string" },
{ "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
},
Content = new StringContent("{\"closingComment\":\"Virus removed, performed AntiVirus software update, ensured the AntiVirus detects and quarantines emails with the virus attached\",\"closingReason\":\"True Positive\",\"shouldTerminatePlaybooks\":true}")
{
Headers =
{
ContentType = new MediaTypeHeaderValue("application/json")
}
}
};
using (var response = await client.SendAsync(request))
{
response.EnsureSuccessStatusCode();
var body = await response.Content.ReadAsStringAsync();
Console.WriteLine(body);
}
HttpResponse<String> response = Unirest.post("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/close")
.header("Content-Type", "application/json")
.header("If-Match", "string")
.header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
.body("{\"closingComment\":\"Virus removed, performed AntiVirus software update, ensured the AntiVirus detects and quarantines emails with the virus attached\",\"closingReason\":\"True Positive\",\"shouldTerminatePlaybooks\":true}")
.asString();
POST /incidents/{incidentId}/close
Closes an incident
Closes the incident. The request body is a JSON object with the closing details: a closing comment, the closing reason, and whether the incident's playbooks should be terminated (shouldTerminatePlaybooks).
Body parameter
{
"closingComment": "Virus removed, performed AntiVirus software update, ensured the AntiVirus detects and quarantines emails with the virus attached",
"closingReason": "True Positive",
"shouldTerminatePlaybooks": true
}
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| If-Match | header | string | false | Enables conditional modification: the resource is modified only if its current ETag matches the value in this header; otherwise 412 Precondition Failed is returned to the client |
| incidentId | path | string | true | The unique ID of the incident |
| body | body | CloseIncidentRequest | true | none |
Responses
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 204 | No Content | The incident was closed successfully | None |
| 400 | Bad Request | The request is invalid | None |
| 401 | Unauthorized | Authentication failure | None |
| 403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
| 404 | Not Found | The requested resource was not found | None |
| 409 | Conflict | The attempted operation conflicts with the current state of the incident | None |
| 412 | Precondition Failed | A precondition specified by the client was not met: the ETag sent in the If-Match header does not match the ETag currently held in the underlying data store | None |
| 429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the server's rate limiting policy. | None |
| 500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
| 502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
| 503 | Service Unavailable | The server cannot handle the request at the moment | None |
| 504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
Response Headers
| Status | Header | Type | Format | Description |
|---|---|---|---|---|
| 204 | ETag | string | | Identifier for a specific version of the resource. Commonly used as the basis for conditional GETs and conditional updates (via If-Match). |
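If-Match with the ETag is optimistic concurrency: the close applies only if the incident is still at the version the client last read, and a 412 means somebody changed it in between, so the right reaction is to re-read and re-decide, not to resend the same request. The Python below is an added example, not CyberProof's code: `close_incident` sends the close with If-Match and maps 204/412/409 to a return value or an exception, `close_if_unchanged` wraps it in a read-decide-close loop, and a constructed in-memory stand-in for CDC (a version counter serving as the ETag) lets it run offline. The stand-in, the `read_incident` and `still_ok` callbacks and the key `demo-key` are assumptions; in practice the starting ETag is the ETag header of an earlier response for the same incident, such as the one the update operation above returns.

```python
import json
from typing import Callable, Dict, Optional, Tuple

# Injected transport so the example runs offline (assumed signature, not part of the API):
# (method, path, headers, body) -> (status, response_headers, response_body)
Transport = Callable[[str, str, Dict[str, str], bytes], Tuple[int, Dict[str, str], bytes]]

INCIDENT_ID = "5a9e19eebdee5a000a8fe060"  # incident id used in the page's samples


class PreconditionFailed(RuntimeError):
    """412: the ETag sent in If-Match no longer matches; the incident changed since it was read."""


class IncidentConflict(RuntimeError):
    """409: closing conflicts with the incident's current state (for example, already closed)."""


def close_incident(transport: Transport, api_key: str, incident_id: str, etag: Optional[str],
                   comment: str, reason: str, terminate_playbooks: bool = True) -> str:
    """POST /incidents/{incidentId}/close with If-Match; returns the ETag from the 204 response."""
    body = json.dumps({"closingComment": comment, "closingReason": reason,
                       "shouldTerminatePlaybooks": terminate_playbooks}).encode("utf-8")
    headers = {"Content-Type": "application/json", "X-API-KEY": api_key}
    if etag is not None:
        headers["If-Match"] = etag  # without the header the close is unconditional
    status, resp_headers, _ = transport("POST", f"/api/v1/incidents/{incident_id}/close", headers, body)
    if status == 204:
        return resp_headers.get("ETag", "")
    if status == 412:
        raise PreconditionFailed(incident_id)
    if status == 409:
        raise IncidentConflict(incident_id)
    raise RuntimeError(f"closeIncident failed with HTTP {status}")


def close_if_unchanged(transport: Transport, api_key: str, incident_id: str,
                       read_incident: Callable[[], Tuple[str, dict]],
                       still_ok: Callable[[dict], bool],
                       comment: str, reason: str, max_attempts: int = 3) -> Optional[str]:
    """Optimistic-concurrency loop: read (etag, incident), apply the caller's policy, close with
    If-Match; on 412 re-read and re-decide instead of retrying blindly. Returns the new ETag,
    or None when the re-read incident no longer satisfies `still_ok`."""
    for _ in range(max_attempts):
        etag, incident = read_incident()
        if not still_ok(incident):
            return None
        try:
            return close_incident(transport, api_key, incident_id, etag, comment, reason)
        except PreconditionFailed:
            continue  # the incident changed between our read and our close
    raise RuntimeError("gave up: the incident kept changing between read and close")


class FakeIncidentStore:
    """Constructed stand-in for CDC (not the real service): one incident whose version counter
    doubles as its ETag, modelling the ETag-based conditional modification the page describes."""

    def __init__(self, api_key: str = "demo-key") -> None:
        self.api_key, self.version, self.status, self.severity = api_key, 1, "Open", "Medium"

    def etag(self) -> str:
        return f'"v{self.version}"'

    def read(self) -> Tuple[str, dict]:
        return self.etag(), {"status": self.status, "severity": self.severity}

    def analyst_edits(self, severity: str) -> None:
        self.severity, self.version = severity, self.version + 1

    def __call__(self, method: str, path: str, headers: Dict[str, str], body: bytes):
        if headers.get("X-API-KEY") != self.api_key:
            return 401, {}, b""
        if method != "POST" or not path.endswith(f"/{INCIDENT_ID}/close"):
            return 404, {}, b""
        if "If-Match" in headers and headers["If-Match"] != self.etag():
            return 412, {}, b""
        if self.status == "Closed":
            return 409, {}, b""
        self.status, self.version = "Closed", self.version + 1
        return 204, {"ETag": self.etag()}, b""


def demo() -> list:
    """Stale ETag -> 412; read-then-close -> 204 with a new ETag; closing again -> 409."""
    store = FakeIncidentStore()
    stale = store.etag()            # ETag the client obtained from an earlier response
    store.analyst_edits("High")     # meanwhile somebody else modifies the incident
    outcomes = []
    try:
        close_incident(store, "demo-key", INCIDENT_ID, stale, "Virus removed", "True Positive")
    except PreconditionFailed:
        outcomes.append("412")
    new_etag = close_if_unchanged(store, "demo-key", INCIDENT_ID, store.read,
                                  lambda inc: inc["status"] == "Open", "Virus removed", "True Positive")
    outcomes.append(new_etag)
    try:
        close_incident(store, "demo-key", INCIDENT_ID, new_etag, "Virus removed", "True Positive")
    except IncidentConflict:
        outcomes.append("409")
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The `still_ok` policy is where an automation decides whether the change that caused the 412 matters: an analyst raising severity from Medium to High may well mean the incident should no longer be auto-closed, and an unconditional retry would silently override that decision.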
redirectIncident
Code samples
curl --request POST \
--url https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/redirect \
--header 'Content-Type: application/json' \
--header 'If-Match: string' \
--header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a' \
--data '{"targetGroup":"string","reason":"string"}'
fetch("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/redirect", {
"method": "POST",
"headers": {
"Content-Type": "application/json",
"If-Match": "string",
"X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
},
"body": "{\"targetGroup\":\"string\",\"reason\":\"string\"}"
})
.then(response => {
console.log(response);
})
.catch(err => {
console.error(err);
});
import http.client
conn = http.client.HTTPSConnection("test-api.cyberproof.io")
payload = "{\"targetGroup\":\"string\",\"reason\":\"string\"}"
headers = {
'Content-Type': "application/json",
'If-Match': "string",
'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("POST", "/api/v1/incidents/5a9e19eebdee5a000a8fe060/redirect", payload, headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
package main

import (
	"fmt"
	"io"
	"log"
	"net/http"
	"strings"
)

func main() {
	url := "https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/redirect"
	payload := strings.NewReader("{\"targetGroup\":\"string\",\"reason\":\"string\"}")
	req, err := http.NewRequest("POST", url, payload)
	if err != nil {
		log.Fatal(err)
	}
	req.Header.Add("Content-Type", "application/json")
	req.Header.Add("If-Match", "string")
	req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
	res, err := http.DefaultClient.Do(req)
	if err != nil {
		log.Fatal(err) // on a transport error res is nil and res.Body.Close() would panic
	}
	defer res.Body.Close()
	body, err := io.ReadAll(res.Body) // io.ReadAll replaces the deprecated ioutil.ReadAll (Go 1.16+)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(res.Status)
	fmt.Println(string(body))
}
var client = new HttpClient();
var request = new HttpRequestMessage
{
Method = HttpMethod.Post,
RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/redirect"),
Headers =
{
{ "If-Match", "string" },
{ "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
},
Content = new StringContent("{\"targetGroup\":\"string\",\"reason\":\"string\"}")
{
Headers =
{
ContentType = new MediaTypeHeaderValue("application/json")
}
}
};
using (var response = await client.SendAsync(request))
{
response.EnsureSuccessStatusCode();
var body = await response.Content.ReadAsStringAsync();
Console.WriteLine(body);
}
HttpResponse<String> response = Unirest.post("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/redirect")
.header("Content-Type", "application/json")
.header("If-Match", "string")
.header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
.body("{\"targetGroup\":\"string\",\"reason\":\"string\"}")
.asString();
POST /incidents/{incidentId}/redirect
Initiates a redirection of the incident to the group named in targetGroup. The redirection stays pending until the receiving side accepts it (see acceptIncidentRedirection).
Body parameter
{
"targetGroup": "string",
"reason": "string"
}
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| If-Match | header | string | false | Enables conditional modification: the resource is modified only if its current ETag matches the value in this header; otherwise 412 Precondition Failed is returned to the client |
| incidentId | path | string | true | The unique ID of the incident |
| body | body | RedirectIncidentRequest | true | none |
Responses
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 204 | No Content | The redirection has been issued | None |
| 400 | Bad Request | The request is invalid | None |
| 401 | Unauthorized | Authentication failure | None |
| 403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
| 404 | Not Found | The specified incident was not found | None |
| 409 | Conflict | The attempted operation conflicts with the current state of the incident | None |
| 412 | Precondition Failed | A precondition specified by the client was not met: the ETag sent in the If-Match header does not match the ETag currently held in the underlying data store | None |
| 429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the server's rate limiting policy. | None |
| 500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
| 502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
| 503 | Service Unavailable | The server cannot handle the request at the moment | None |
| 504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
Response Headers
| Status | Header | Type | Format | Description |
|---|---|---|---|---|
| 204 | ETag | string | | Identifier for a specific version of the resource. Commonly used as the basis for conditional GETs and conditional updates (via If-Match). |
acceptIncidentRedirection
Code samples
curl --request POST \
--url https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/accept \
--header 'If-Match: string' \
--header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a'
fetch("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/accept", {
"method": "POST",
"headers": {
"If-Match": "string",
"X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
}
})
.then(response => {
console.log(response);
})
.catch(err => {
console.error(err);
});
import http.client
conn = http.client.HTTPSConnection("test-api.cyberproof.io")
headers = {
'If-Match': "string",
'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("POST", "/api/v1/incidents/5a9e19eebdee5a000a8fe060/accept", headers=headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
package main

import (
	"fmt"
	"io"
	"log"
	"net/http"
)

func main() {
	url := "https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/accept"
	req, err := http.NewRequest("POST", url, nil) // no request body for this operation
	if err != nil {
		log.Fatal(err)
	}
	req.Header.Add("If-Match", "string")
	req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
	res, err := http.DefaultClient.Do(req)
	if err != nil {
		log.Fatal(err) // on a transport error res is nil and res.Body.Close() would panic
	}
	defer res.Body.Close()
	body, err := io.ReadAll(res.Body) // io.ReadAll replaces the deprecated ioutil.ReadAll (Go 1.16+)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(res.Status)
	fmt.Println(string(body))
}
var client = new HttpClient();
var request = new HttpRequestMessage
{
Method = HttpMethod.Post,
RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/accept"),
Headers =
{
{ "If-Match", "string" },
{ "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
},
};
using (var response = await client.SendAsync(request))
{
response.EnsureSuccessStatusCode();
var body = await response.Content.ReadAsStringAsync();
Console.WriteLine(body);
}
HttpResponse<String> response = Unirest.post("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/accept")
.header("If-Match", "string")
.header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
.asString();
POST /incidents/{incidentId}/accept
Accepts the pending redirection request for the incident.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| If-Match | header | string | false | Enables conditional modification: the resource is modified only if its current ETag matches the value in this header; otherwise 412 Precondition Failed is returned to the client |
| incidentId | path | string | true | The unique ID of the incident |
Responses
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 204 | No Content | The redirection has been successfully accepted | None |
| 400 | Bad Request | The request is invalid | None |
| 401 | Unauthorized | Authentication failure | None |
| 403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
| 404 | Not Found | The specified incident was not found | None |
| 409 | Conflict | There currently isn't any pending redirection for this incident | None |
| 412 | Precondition Failed | A precondition specified by the client was not met: the ETag sent in the If-Match header does not match the ETag currently held in the underlying data store | None |
| 429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the server's rate limiting policy. | None |
| 500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
| 502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
| 503 | Service Unavailable | The server cannot handle the request at the moment | None |
| 504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
Response Headers
| Status | Header | Type | Format | Description |
|---|---|---|---|---|
| 204 | ETag | string | | Identifier for a specific version of the resource. Commonly used as the basis for conditional GETs and conditional updates (via If-Match). |
queryIncidentAlerts
Code samples
curl --request GET \
--url https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/alerts \
--header 'Accept: application/json' \
--header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a'
fetch("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/alerts", {
"method": "GET",
"headers": {
"Accept": "application/json",
"X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
}
})
.then(response => {
console.log(response);
})
.catch(err => {
console.error(err);
});
import http.client
conn = http.client.HTTPSConnection("test-api.cyberproof.io")
headers = {
'Accept': "application/json",
'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("GET", "/api/v1/incidents/5a9e19eebdee5a000a8fe060/alerts", headers=headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
package main

import (
	"fmt"
	"io"
	"log"
	"net/http"
)

func main() {
	url := "https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/alerts"
	req, err := http.NewRequest("GET", url, nil)
	if err != nil {
		log.Fatal(err)
	}
	req.Header.Add("Accept", "application/json")
	req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
	res, err := http.DefaultClient.Do(req)
	if err != nil {
		log.Fatal(err) // on a transport error res is nil and res.Body.Close() would panic
	}
	defer res.Body.Close()
	body, err := io.ReadAll(res.Body) // io.ReadAll replaces the deprecated ioutil.ReadAll (Go 1.16+)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(res.Status)
	fmt.Println(string(body))
}
var client = new HttpClient();
var request = new HttpRequestMessage
{
Method = HttpMethod.Get,
RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/alerts"),
Headers =
{
{ "Accept", "application/json" },
{ "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
},
};
using (var response = await client.SendAsync(request))
{
response.EnsureSuccessStatusCode();
var body = await response.Content.ReadAsStringAsync();
Console.WriteLine(body);
}
HttpResponse<String> response = Unirest.get("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/alerts")
.header("Accept", "application/json")
.header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
.asString();
GET /incidents/{incidentId}/alerts
Returns information about the alerts associated with this incident.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| incidentId | path | string | true | The unique ID of the incident |
| marker | query | string(byte) | false | A continuation token, used to retrieve the next results page. |
| include | query | array[string] | false | Specifies which additional fields to include in the query results: |
Detailed descriptions
include: Specifies which additional fields to include in the query results:
- raw: includes the raw alert data.
- company: includes the company field.
Enumerated Values
| Parameter | Value |
|---|---|
| include | raw |
| include | company |
Example responses
200 Response
{
"nextMarker": "string",
"results": [
{
"id": "5e7c6cf54b832e0018f191ad",
"source": "QRadar",
"sourceId": 296,
"score": 33.2,
"name": "Windows - Multiple failed logins same user same host",
"description": "Customer Name - AcmeCo\nAlert Name - Windows - Multiple failed logins same user same host\nDevice Vendor - Microsoft\nDevice Product - Microsoft Windows\nDevice Event Class Id - rule:105\n",
"severity": "Medium",
"created": "2019-08-24T14:15:22Z",
"modified": "2019-08-24T14:15:22Z",
"detected": "2019-08-24T14:15:22Z",
"status": "In Incident",
"sourceUrl": "https://192.168.41.164/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=296",
"company": "ACME Europe",
"useCase": "UC216 - EPP - Persistent Malware",
"tags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"classification": "Authentication",
"observableTags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"categories": [
"Ransomware",
"Phishing"
],
"detectionRule": "WRONG_PASSWORD_3_ATTEMPTS",
"killChain": [
"Reconnaissance",
"Weaponization",
"Delivery"
],
"mitreAttacks": [
"T1003",
"T1001",
"T1595.001"
],
"alertType": "CTI-Landscape",
"threatType": "Phishing",
"raw": {
"attributeInitializationInProgress": false,
"createdTime": {
"day": {
"numberInt": "18"
},
"hour": {
"numberInt": "16"
},
"milliSecond": {
"numberInt": "711"
},
"minute": {
"numberInt": "10"
},
"month": {
"numberInt": "6"
},
"second": {
"numberInt": "47"
},
"timezoneID": "Israel",
"year": {
"numberInt": "2017"
}
},
"createdTimestamp": {
"numberDouble": "1500383447711"
},
"deprecated": false,
"description": "ACME",
"disabled": false,
"inCache": true,
"inactive": false,
"initialized": true,
"isAdditionalLoaded": false,
"localID": {
"numberDouble": "30064798760"
},
"modificationCount": {
"numberInt": "1"
}
},
"appendedRaw": [
{}
],
"cdcUrl": "https://acme.cyberproof.io/home/alerts/alert/5e7c6cf54b832e0018f191ad",
"threatActors": [
"Cyber Criminals",
"Anonymous"
],
"malwareTools": [
"TrickBot",
"IcedID",
"Cobalt Strike"
],
"ctiSourceUrls": [
"https://blog.malwarebytes.com/someTopic"
],
"recommendations": "Implement the attached IOCs in your security systems."
}
]
}
Responses
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | success | IncidentAlertsQueryResults |
| 400 | Bad Request | The request is invalid | None |
| 401 | Unauthorized | Authentication failure | None |
| 403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
| 404 | Not Found | The requested resource was not found | None |
| 413 | Payload Too Large | The payload sent by the client exceeds the size limits imposed by the server | None |
| 429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the server's rate limiting policy. | None |
| 500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
| 502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
| 503 | Service Unavailable | The server cannot handle the request at the moment | None |
| 504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
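marker / nextMarker is cursor pagination: the client repeats the request with the last nextMarker until the server stops returning one, and the alert-ids and observables queries below use the same scheme. The Python below is an added example, not CyberProof's code: `iter_pages` follows the cursor, backs off on 429 (honouring a Retry-After header when the server sends one, which is an assumption here, otherwise exponentially) and aborts if a marker repeats; `fetch_incident_alerts` collects a whole incident's alerts with include=raw and include=company. The repeated-key encoding of the include array, the constructed stand-in server that uses a decimal offset as its marker, and the key `demo-key` are assumptions of the example; the real marker is an opaque string(byte) token and must be passed back untouched.

```python
import json
from typing import Callable, Dict, Iterator, List, Optional, Sequence, Tuple
from urllib.parse import parse_qs, urlencode

# Injected transport so the example runs offline (assumed signature, not part of the API):
# (method, path, headers, body) -> (status, response_headers, response_body)
Transport = Callable[[str, str, Dict[str, str], bytes], Tuple[int, Dict[str, str], bytes]]


def build_query(marker: Optional[str], include: Sequence[str] = ()) -> str:
    """Encode the query string. Assumption: the `include` array is sent as repeated keys
    (include=raw&include=company); urlencode percent-escapes the opaque marker token."""
    params: List[Tuple[str, str]] = [("include", value) for value in include]
    if marker:
        params.append(("marker", marker))
    return "?" + urlencode(params) if params else ""


def iter_pages(transport: Transport, api_key: str, path: str, include: Sequence[str] = (),
               sleep: Callable[[float], None] = lambda s: None,
               max_throttle_retries: int = 5, max_pages: int = 10_000) -> Iterator[dict]:
    """Follow nextMarker until the server stops returning one. On 429 back off (Retry-After if
    present, else exponential) and retry the same page; abort on a repeated marker so a
    misbehaving server cannot spin the client forever."""
    headers = {"Accept": "application/json", "X-API-KEY": api_key}
    marker: Optional[str] = None
    seen_markers = set()
    for _ in range(max_pages):
        throttled = 0
        while True:
            status, resp_headers, body = transport("GET", path + build_query(marker, include), headers, b"")
            if status != 429:
                break
            throttled += 1
            if throttled > max_throttle_retries:
                raise RuntimeError(f"still throttled after {max_throttle_retries} retries")
            sleep(float(resp_headers.get("Retry-After", 2 ** throttled)))
        if status != 200:
            raise RuntimeError(f"GET {path} failed with HTTP {status}")
        page = json.loads(body.decode("utf-8"))
        yield page
        marker = page.get("nextMarker")
        if not marker:
            return
        if marker in seen_markers:
            raise RuntimeError(f"server returned marker {marker!r} twice")
        seen_markers.add(marker)
    raise RuntimeError(f"more than {max_pages} pages; giving up")


def fetch_incident_alerts(transport: Transport, api_key: str, incident_id: str,
                          include: Sequence[str] = ("raw", "company"),
                          sleep: Callable[[float], None] = lambda s: None) -> List[dict]:
    """Collect every alert of an incident across all pages (GET /incidents/{incidentId}/alerts)."""
    path = f"/api/v1/incidents/{incident_id}/alerts"
    return [alert for page in iter_pages(transport, api_key, path, include, sleep) for alert in page["results"]]


class FakePagedCdc:
    """Constructed stand-in for CDC (not the real service): five alerts served two per page.
    It throttles the first request once and uses a decimal offset as its marker."""

    def __init__(self, api_key: str = "demo-key", page_size: int = 2) -> None:
        self.api_key, self.page_size = api_key, page_size
        self.alerts = [{"id": f"a{i}", "severity": "Medium"} for i in range(1, 6)]
        self.requests: List[str] = []
        self.throttle_left = 1

    def __call__(self, method: str, path: str, headers: Dict[str, str], body: bytes):
        self.requests.append(path)
        if headers.get("X-API-KEY") != self.api_key:
            return 401, {}, b""
        if self.throttle_left:
            self.throttle_left -= 1
            return 429, {"Retry-After": "1"}, b""
        _, _, query = path.partition("?")
        params = parse_qs(query)
        start = int(params.get("marker", ["0"])[0])
        page = self.alerts[start:start + self.page_size]
        if "raw" in params.get("include", []):
            page = [dict(alert, raw={"localID": alert["id"]}) for alert in page]
        response = {"results": page}
        if start + self.page_size < len(self.alerts):
            response["nextMarker"] = str(start + self.page_size)
        return 200, {}, json.dumps(response).encode("utf-8")


def demo() -> Tuple[List[dict], List[str], List[float]]:
    cdc = FakePagedCdc()
    sleeps: List[float] = []
    alerts = fetch_incident_alerts(cdc, "demo-key", "5a9e19eebdee5a000a8fe060", sleep=sleeps.append)
    return alerts, cdc.requests, sleeps


if __name__ == "__main__":
    alerts, requests, sleeps = demo()
    print(len(alerts), "alerts over", len(requests), "requests, slept", sleeps)
```

Only request include=raw when the raw alert payload is actually needed: it is the bulk of each result, and pulling it for every page of every incident is the quickest way into the 429 path this loop has to handle.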
queryIncidentAlertIds
Code samples
curl --request GET \
--url https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/alert-ids \
--header 'Accept: application/json' \
--header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a'
fetch("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/alert-ids", {
"method": "GET",
"headers": {
"Accept": "application/json",
"X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
}
})
.then(response => {
console.log(response);
})
.catch(err => {
console.error(err);
});
import http.client
conn = http.client.HTTPSConnection("test-api.cyberproof.io")
headers = {
'Accept': "application/json",
'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("GET", "/api/v1/incidents/5a9e19eebdee5a000a8fe060/alert-ids", headers=headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
package main

import (
	"fmt"
	"io"
	"log"
	"net/http"
)

func main() {
	url := "https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/alert-ids"
	req, err := http.NewRequest("GET", url, nil)
	if err != nil {
		log.Fatal(err)
	}
	req.Header.Add("Accept", "application/json")
	req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
	res, err := http.DefaultClient.Do(req)
	if err != nil {
		log.Fatal(err) // on a transport error res is nil and res.Body.Close() would panic
	}
	defer res.Body.Close()
	body, err := io.ReadAll(res.Body) // io.ReadAll replaces the deprecated ioutil.ReadAll (Go 1.16+)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(res.Status)
	fmt.Println(string(body))
}
var client = new HttpClient();
var request = new HttpRequestMessage
{
Method = HttpMethod.Get,
RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/alert-ids"),
Headers =
{
{ "Accept", "application/json" },
{ "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
},
};
using (var response = await client.SendAsync(request))
{
response.EnsureSuccessStatusCode();
var body = await response.Content.ReadAsStringAsync();
Console.WriteLine(body);
}
HttpResponse<String> response = Unirest.get("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/alert-ids")
.header("Accept", "application/json")
.header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
.asString();
GET /incidents/{incidentId}/alert-ids
Returns the IDs of the alerts associated with this incident.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| incidentId | path | string | true | The unique ID of the incident |
| marker | query | string(byte) | false | A continuation token, used to retrieve the next results page. |
Example responses
200 Response
{
"nextMarker": "string",
"results": [
"string"
]
}
Responses
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | success | IncidentAlertIdsQueryResults |
| 400 | Bad Request | The request is invalid | None |
| 401 | Unauthorized | Authentication failure | None |
| 403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
| 404 | Not Found | The requested resource was not found | None |
| 429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the server's rate limiting policy. | None |
| 500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
| 502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
| 503 | Service Unavailable | The server cannot handle the request at the moment | None |
| 504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
queryIncidentObservables
Code samples
curl --request GET \
--url https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/observables \
--header 'Accept: application/json' \
--header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a'
fetch("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/observables", {
"method": "GET",
"headers": {
"Accept": "application/json",
"X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
}
})
.then(response => {
console.log(response);
})
.catch(err => {
console.error(err);
});
import http.client
conn = http.client.HTTPSConnection("test-api.cyberproof.io")
headers = {
'Accept': "application/json",
'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("GET", "/api/v1/incidents/5a9e19eebdee5a000a8fe060/observables", headers=headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
package main

import (
	"fmt"
	"io"
	"log"
	"net/http"
)

func main() {
	url := "https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/observables"
	req, err := http.NewRequest("GET", url, nil)
	if err != nil {
		log.Fatal(err)
	}
	req.Header.Add("Accept", "application/json")
	req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
	res, err := http.DefaultClient.Do(req)
	if err != nil {
		log.Fatal(err) // on a transport error res is nil and res.Body.Close() would panic
	}
	defer res.Body.Close()
	body, err := io.ReadAll(res.Body) // io.ReadAll replaces the deprecated ioutil.ReadAll (Go 1.16+)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(res.Status)
	fmt.Println(string(body))
}
var client = new HttpClient();
var request = new HttpRequestMessage
{
Method = HttpMethod.Get,
RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/observables"),
Headers =
{
{ "Accept", "application/json" },
{ "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
},
};
using (var response = await client.SendAsync(request))
{
response.EnsureSuccessStatusCode();
var body = await response.Content.ReadAsStringAsync();
Console.WriteLine(body);
}HttpResponse<String> response = Unirest.get("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/observables")
.header("Accept", "application/json")
.header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
.asString();
GET /incidents/{incidentId}/observables
Returns information about the observables associated with this incident.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| incidentId | path | string | true | The unique ID of the incident |
| marker | query | string(byte) | false | A continuation token, used to retrieve the next results page. |
Example responses
200 Response
{
"nextMarker": "string",
"results": [
{
"id": "5e13b88122c957000787db06",
"type": "IPv4 Address",
"isIoc": false,
"value": "192.168.40.45",
"created": "2019-08-24T14:15:22Z",
"updated": "2019-08-24T14:15:22Z",
"suspiciousRate": 3.2,
"tags": [
"Critical-Infrastructure"
],
"enrichments": [
{
"id": "5e13b88122c957000787db06",
"name": "VirusTotal",
"reported": "2019-08-24T14:15:22Z",
"suspiciousRate": 3.2
}
]
}
]
}
Responses
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | success | IncidentObservablesQueryResults |
| 400 | Bad Request | The request is invalid | None |
| 401 | Unauthorized | Authentication failure | None |
| 403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
| 404 | Not Found | The requested resource was not found | None |
| 413 | Payload Too Large | The payload sent by the client exceeds the size limits imposed by the server | None |
| 429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the server's rate limiting policy. | None |
| 500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
| 502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
| 503 | Service Unavailable | The server cannot handle the request at the moment | None |
| 504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
createIncidentObservable
Code samples
```shell
curl --request POST \
  --url https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/observables \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a' \
  --data '{"type":"IPv4 Address","value":"192.168.40.45","tags":["Critical-Infrastructure"]}'
```

```javascript
fetch("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/observables", {
  "method": "POST",
  "headers": {
    "Content-Type": "application/json",
    "Accept": "application/json",
    "X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
  },
  "body": "{\"type\":\"IPv4 Address\",\"value\":\"192.168.40.45\",\"tags\":[\"Critical-Infrastructure\"]}"
})
.then(response => {
  console.log(response);
})
.catch(err => {
  console.error(err);
});
```

```python
import http.client

conn = http.client.HTTPSConnection("test-api.cyberproof.io")
payload = "{\"type\":\"IPv4 Address\",\"value\":\"192.168.40.45\",\"tags\":[\"Critical-Infrastructure\"]}"
headers = {
    'Content-Type': "application/json",
    'Accept': "application/json",
    'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("POST", "/api/v1/incidents/5a9e19eebdee5a000a8fe060/observables", payload, headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
```

```go
package main

import (
    "fmt"
    "io"
    "log"
    "net/http"
    "strings"
)

func main() {
    url := "https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/observables"
    payload := strings.NewReader("{\"type\":\"IPv4 Address\",\"value\":\"192.168.40.45\",\"tags\":[\"Critical-Infrastructure\"]}")
    req, err := http.NewRequest("POST", url, payload)
    if err != nil {
        log.Fatal(err)
    }
    req.Header.Add("Content-Type", "application/json")
    req.Header.Add("Accept", "application/json")
    req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
    res, err := http.DefaultClient.Do(req)
    if err != nil {
        log.Fatal(err)
    }
    defer res.Body.Close()
    body, err := io.ReadAll(res.Body) // io.ReadAll replaces the deprecated ioutil.ReadAll
    if err != nil {
        log.Fatal(err)
    }
    fmt.Println(res.Status)
    fmt.Println(string(body))
}
```

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;

var client = new HttpClient();
var request = new HttpRequestMessage
{
    Method = HttpMethod.Post,
    RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/observables"),
    Headers =
    {
        { "Accept", "application/json" },
        { "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
    },
    Content = new StringContent("{\"type\":\"IPv4 Address\",\"value\":\"192.168.40.45\",\"tags\":[\"Critical-Infrastructure\"]}")
    {
        Headers =
        {
            ContentType = new MediaTypeHeaderValue("application/json")
        }
    }
};
using (var response = await client.SendAsync(request))
{
    response.EnsureSuccessStatusCode();
    var body = await response.Content.ReadAsStringAsync();
    Console.WriteLine(body);
}
```

```java
HttpResponse<String> response = Unirest.post("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/observables")
  .header("Content-Type", "application/json")
  .header("Accept", "application/json")
  .header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
  .body("{\"type\":\"IPv4 Address\",\"value\":\"192.168.40.45\",\"tags\":[\"Critical-Infrastructure\"]}")
  .asString();
```
POST /incidents/{incidentId}/observables
Creates a new incident observable
Creates a new incident observable in CDC.
This operation is idempotent: if the client provides a type and value that already exist in CDC, the operation should succeed with UPSERT semantics (the existing observable is updated rather than duplicated).
NOTE: The maximum request size is 100 KB.
Body parameter
{
"type": "IPv4 Address",
"value": "192.168.40.45",
"tags": [
"Critical-Infrastructure"
]
}
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| incidentId | path | string | true | The unique ID of the incident |
| body | body | CreateIncidentObservableRequest | true | none |
Example responses
201 Response
{
"id": "5e13b88122c957000787db06",
"type": "IPv4 Address",
"isIoc": false,
"value": "192.168.40.45",
"created": "2019-08-24T14:15:22Z",
"updated": "2019-08-24T14:15:22Z",
"suspiciousRate": 3.2,
"tags": [
"Critical-Infrastructure"
],
"enrichments": [
{
"id": "5e13b88122c957000787db06",
"name": "VirusTotal",
"reported": "2019-08-24T14:15:22Z",
"suspiciousRate": 3.2
}
]
}
Responses
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 201 | Created | The observable has been created | ObservableSummary |
| 400 | Bad Request | The request is invalid | None |
| 401 | Unauthorized | Authentication failure | None |
| 403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
| 413 | Payload Too Large | The payload sent by the client exceeds the size limits imposed by the server | None |
| 429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the server's rate limiting policy. | None |
| 500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
| 502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
| 503 | Service Unavailable | The server cannot handle the request at the moment | None |
| 504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
queryIncidentEvidence
Code samples
```shell
curl --request GET \
  --url https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/evidence \
  --header 'Accept: application/json' \
  --header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a'
```

```javascript
fetch("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/evidence", {
  "method": "GET",
  "headers": {
    "Accept": "application/json",
    "X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
  }
})
.then(response => {
  console.log(response);
})
.catch(err => {
  console.error(err);
});
```

```python
import http.client

conn = http.client.HTTPSConnection("test-api.cyberproof.io")
headers = {
    'Accept': "application/json",
    'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("GET", "/api/v1/incidents/5a9e19eebdee5a000a8fe060/evidence", headers=headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
```

```go
package main

import (
    "fmt"
    "io"
    "log"
    "net/http"
)

func main() {
    url := "https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/evidence"
    req, err := http.NewRequest("GET", url, nil)
    if err != nil {
        log.Fatal(err)
    }
    req.Header.Add("Accept", "application/json")
    req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
    res, err := http.DefaultClient.Do(req)
    if err != nil {
        log.Fatal(err)
    }
    defer res.Body.Close()
    body, err := io.ReadAll(res.Body) // io.ReadAll replaces the deprecated ioutil.ReadAll
    if err != nil {
        log.Fatal(err)
    }
    fmt.Println(res.Status)
    fmt.Println(string(body))
}
```

```csharp
using System;
using System.Net.Http;

var client = new HttpClient();
var request = new HttpRequestMessage
{
    Method = HttpMethod.Get,
    RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/evidence"),
    Headers =
    {
        { "Accept", "application/json" },
        { "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
    },
};
using (var response = await client.SendAsync(request))
{
    response.EnsureSuccessStatusCode();
    var body = await response.Content.ReadAsStringAsync();
    Console.WriteLine(body);
}
```

```java
HttpResponse<String> response = Unirest.get("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/evidence")
  .header("Accept", "application/json")
  .header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
  .asString();
```
GET /incidents/{incidentId}/evidence
Returns information about the evidence associated with this incident.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| incidentId | path | string | true | The unique ID of the incident |
| marker | query | string(byte) | false | A continuation token, used to retrieve the next results page. |
| include | query | array[string] | false | Specifies which additional fields to include in the query results: |
Detailed descriptions
include: Specifies which additional fields to include in the query results:
data: includes the evidence metadata.
Enumerated Values
| Parameter | Value |
|---|---|
| include | data |
Example responses
200 Response
{
"nextMarker": "string",
"results": [
{
"id": "5aa4d8fcbdee5a000a911882",
"type": "MITRE_ATTACK_ADDED",
"reported": "2019-08-24T14:15:22Z",
"created": "2019-08-24T14:15:22Z",
"caption": "Severity changed",
"description": "System Admin has changed severity from Low to Medium",
"messageId": "string",
"messageCdcUrl": "https://acme.cyberproof.io/home/incidents/5ea71bb363f6c6001707663b/evidence/5ea71bb363f6c6001707254a",
"externalId": "345ffe9a",
"data": {}
}
]
}
Responses
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | success | EvidenceQueryResults |
| 400 | Bad Request | The request is invalid | None |
| 401 | Unauthorized | Authentication failure | None |
| 403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
| 404 | Not Found | The requested resource was not found | None |
| 413 | Payload Too Large | The payload sent by the client exceeds the size limits imposed by the server | None |
| 429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the server's rate limiting policy. | None |
| 500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
| 502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
| 503 | Service Unavailable | The server cannot handle the request at the moment | None |
| 504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
createIncidentEvidence
Code samples
```shell
curl --request POST \
  --url https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/evidence \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a' \
  --data '{"reported":"2019-08-24T14:15:22Z","caption":"Severity changed","messageId":"string","description":"System Admin has changed severity from Low to Medium","externalId":"345ffe9a"}'
```

```javascript
fetch("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/evidence", {
  "method": "POST",
  "headers": {
    "Content-Type": "application/json",
    "Accept": "application/json",
    "X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
  },
  "body": "{\"reported\":\"2019-08-24T14:15:22Z\",\"caption\":\"Severity changed\",\"messageId\":\"string\",\"description\":\"System Admin has changed severity from Low to Medium\",\"externalId\":\"345ffe9a\"}"
})
.then(response => {
  console.log(response);
})
.catch(err => {
  console.error(err);
});
```

```python
import http.client

conn = http.client.HTTPSConnection("test-api.cyberproof.io")
payload = "{\"reported\":\"2019-08-24T14:15:22Z\",\"caption\":\"Severity changed\",\"messageId\":\"string\",\"description\":\"System Admin has changed severity from Low to Medium\",\"externalId\":\"345ffe9a\"}"
headers = {
    'Content-Type': "application/json",
    'Accept': "application/json",
    'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("POST", "/api/v1/incidents/5a9e19eebdee5a000a8fe060/evidence", payload, headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
```

```go
package main

import (
    "fmt"
    "io"
    "log"
    "net/http"
    "strings"
)

func main() {
    url := "https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/evidence"
    payload := strings.NewReader("{\"reported\":\"2019-08-24T14:15:22Z\",\"caption\":\"Severity changed\",\"messageId\":\"string\",\"description\":\"System Admin has changed severity from Low to Medium\",\"externalId\":\"345ffe9a\"}")
    req, err := http.NewRequest("POST", url, payload)
    if err != nil {
        log.Fatal(err)
    }
    req.Header.Add("Content-Type", "application/json")
    req.Header.Add("Accept", "application/json")
    req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
    res, err := http.DefaultClient.Do(req)
    if err != nil {
        log.Fatal(err)
    }
    defer res.Body.Close()
    body, err := io.ReadAll(res.Body) // io.ReadAll replaces the deprecated ioutil.ReadAll
    if err != nil {
        log.Fatal(err)
    }
    fmt.Println(res.Status)
    fmt.Println(string(body))
}
```

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;

var client = new HttpClient();
var request = new HttpRequestMessage
{
    Method = HttpMethod.Post,
    RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/evidence"),
    Headers =
    {
        { "Accept", "application/json" },
        { "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
    },
    Content = new StringContent("{\"reported\":\"2019-08-24T14:15:22Z\",\"caption\":\"Severity changed\",\"messageId\":\"string\",\"description\":\"System Admin has changed severity from Low to Medium\",\"externalId\":\"345ffe9a\"}")
    {
        Headers =
        {
            ContentType = new MediaTypeHeaderValue("application/json")
        }
    }
};
using (var response = await client.SendAsync(request))
{
    response.EnsureSuccessStatusCode();
    var body = await response.Content.ReadAsStringAsync();
    Console.WriteLine(body);
}
```

```java
HttpResponse<String> response = Unirest.post("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/evidence")
  .header("Content-Type", "application/json")
  .header("Accept", "application/json")
  .header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
  .body("{\"reported\":\"2019-08-24T14:15:22Z\",\"caption\":\"Severity changed\",\"messageId\":\"string\",\"description\":\"System Admin has changed severity from Low to Medium\",\"externalId\":\"345ffe9a\"}")
  .asString();
```
POST /incidents/{incidentId}/evidence
Creates a new evidence entry for the incident
Body parameter
{
"reported": "2019-08-24T14:15:22Z",
"caption": "Severity changed",
"messageId": "string",
"description": "System Admin has changed severity from Low to Medium",
"externalId": "345ffe9a"
}
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| incidentId | path | string | true | The unique ID of the incident |
| body | body | CreateEvidenceRequest | true | none |
Example responses
201 Response
{
"id": "5aa4d8fcbdee5a000a911882",
"type": "MITRE_ATTACK_ADDED",
"reported": "2019-08-24T14:15:22Z",
"created": "2019-08-24T14:15:22Z",
"caption": "Severity changed",
"description": "System Admin has changed severity from Low to Medium",
"messageId": "string",
"messageCdcUrl": "https://acme.cyberproof.io/home/incidents/5ea71bb363f6c6001707663b/evidence/5ea71bb363f6c6001707254a",
"externalId": "345ffe9a",
"data": {}
}
Responses
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 201 | Created | The evidence has been created | Evidence |
| 400 | Bad Request | The request is invalid | None |
| 401 | Unauthorized | Authentication failure | None |
| 403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
| 404 | Not Found | The requested resource was not found | None |
| 409 | Conflict | The request conflicts with the current state of the resource. | None |
| 413 | Payload Too Large | The payload sent by the client exceeds the size limits imposed by the server | None |
| 429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the server's rate limiting policy. | None |
| 500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
| 502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
| 503 | Service Unavailable | The server cannot handle the request at the moment | None |
| 504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
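An added example, not CyberProof's own client code, that applies the limits stated for the two create endpoints above (POST /incidents/{incidentId}/observables and POST /incidents/{incidentId}/evidence): the 100 KB request size is checked before sending, and a failed POST is repeated only where a repeat is safe, which the page guarantees (UPSERT semantics) for observables but not for evidence. The `transport` callable, `FakeApi` and its 409-on-repeated-externalId behaviour are constructed for offline use.

```python
"""Create incident observables and evidence within the documented server limits.

transport(method, path, body) -> (status, headers, json_body) is injected so the
logic runs offline against FakeApi below; a real transport would send the request
to https://{tenant}.api.cyberproof.io/api/v1 with the X-API-KEY header.
"""
import json
import time
from typing import Callable, Dict, Tuple

# "NOTE: The maximum request size is 100 KB." (POST /incidents/{incidentId}/observables)
MAX_REQUEST_BYTES = 100 * 1024
# After these statuses the request may or may not have been applied server-side.
AMBIGUOUS = {502, 503, 504}

Transport = Callable[[str, str, bytes], Tuple[int, Dict[str, str], dict]]


class ApiError(Exception):
    def __init__(self, status: int, path: str):
        super().__init__(f"{path} -> HTTP {status}")
        self.status = status


def post_json(transport: Transport, path: str, payload: dict, *, idempotent: bool,
              max_attempts: int = 4, sleep=time.sleep) -> dict:
    body = json.dumps(payload, separators=(",", ":")).encode("utf-8")
    if len(body) > MAX_REQUEST_BYTES:
        # Fail locally rather than spend a rate-limited request on a guaranteed 413.
        raise ValueError(f"request body is {len(body)} bytes, limit is {MAX_REQUEST_BYTES}")
    for attempt in range(1, max_attempts + 1):
        status, headers, resp = transport("POST", path, body)
        if status in (200, 201):
            return resp
        # 429 means the server refused the request, so repeating it cannot apply it twice.
        # After 502/503/504 it may already have been applied: repeat only where the page
        # documents UPSERT semantics (observables), never for evidence.
        retry = status == 429 or (idempotent and status in AMBIGUOUS)
        if not retry or attempt == max_attempts:
            raise ApiError(status, path)
        sleep(float(headers.get("Retry-After", 2 ** attempt)))  # honour the server's hint
    raise ApiError(status, path)  # not reached; the loop raises on its last attempt


def create_incident_observable(transport, incident_id, obs_type, value, tags=(), **kw):
    """POST /incidents/{incidentId}/observables (body: CreateIncidentObservableRequest)."""
    payload = {"type": obs_type, "value": value, "tags": list(tags)}
    return post_json(transport, f"/incidents/{incident_id}/observables", payload,
                     idempotent=True, **kw)


def create_incident_evidence(transport, incident_id, reported, caption, description,
                             external_id, message_id=None, **kw):
    """POST /incidents/{incidentId}/evidence (body: CreateEvidenceRequest)."""
    payload = {"reported": reported, "caption": caption, "description": description,
               "externalId": external_id}
    if message_id:
        payload["messageId"] = message_id
    return post_json(transport, f"/incidents/{incident_id}/evidence", payload,
                     idempotent=False, **kw)


class FakeApi:
    """Constructed stand-in for the two endpoints: throttles the very first call,
    upserts observables by (type, value), and answers 409 to a repeated externalId
    (one plausible cause of the Conflict status the page lists; an assumption)."""

    def __init__(self):
        self.calls = []
        self.observables = {}
        self.evidence_ids = set()

    def __call__(self, method, path, body):
        self.calls.append((method, path))
        if len(self.calls) == 1:
            return 429, {"Retry-After": "0"}, {}
        data = json.loads(body)
        if path.endswith("/observables"):
            key = (data["type"], data["value"])
            if key not in self.observables:
                self.observables[key] = {"id": f"obs-{len(self.observables) + 1}",
                                         "type": data["type"], "value": data["value"],
                                         "isIoc": False, "tags": []}
            rec = self.observables[key]
            rec["tags"] = sorted(set(rec["tags"]) | set(data["tags"]))
            return 201, {}, rec
        if path.endswith("/evidence"):
            if data["externalId"] in self.evidence_ids:
                return 409, {}, {}
            self.evidence_ids.add(data["externalId"])
            return 201, {}, {"id": f"ev-{len(self.evidence_ids)}", **data}
        return 404, {}, {}
```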
observables
Observables APIs
getObservable
Code samples
```shell
curl --request GET \
  --url 'https://test-api.cyberproof.io/api/v1/observables?observableType=IPv4%20Address&observableValue=192.168.40.45' \
  --header 'Accept: application/json' \
  --header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a'
```

```javascript
fetch("https://test-api.cyberproof.io/api/v1/observables?observableType=IPv4%20Address&observableValue=192.168.40.45", {
  "method": "GET",
  "headers": {
    "Accept": "application/json",
    "X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
  }
})
.then(response => {
  console.log(response);
})
.catch(err => {
  console.error(err);
});
```

```python
import http.client

conn = http.client.HTTPSConnection("test-api.cyberproof.io")
headers = {
    'Accept': "application/json",
    'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("GET", "/api/v1/observables?observableType=IPv4%20Address&observableValue=192.168.40.45", headers=headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
```

```go
package main

import (
    "fmt"
    "io"
    "log"
    "net/http"
)

func main() {
    url := "https://test-api.cyberproof.io/api/v1/observables?observableType=IPv4%20Address&observableValue=192.168.40.45"
    req, err := http.NewRequest("GET", url, nil)
    if err != nil {
        log.Fatal(err)
    }
    req.Header.Add("Accept", "application/json")
    req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
    res, err := http.DefaultClient.Do(req)
    if err != nil {
        log.Fatal(err)
    }
    defer res.Body.Close()
    body, err := io.ReadAll(res.Body) // io.ReadAll replaces the deprecated ioutil.ReadAll
    if err != nil {
        log.Fatal(err)
    }
    fmt.Println(res.Status)
    fmt.Println(string(body))
}
```

```csharp
using System;
using System.Net.Http;

var client = new HttpClient();
var request = new HttpRequestMessage
{
    Method = HttpMethod.Get,
    RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/observables?observableType=IPv4%20Address&observableValue=192.168.40.45"),
    Headers =
    {
        { "Accept", "application/json" },
        { "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
    },
};
using (var response = await client.SendAsync(request))
{
    response.EnsureSuccessStatusCode();
    var body = await response.Content.ReadAsStringAsync();
    Console.WriteLine(body);
}
```

```java
HttpResponse<String> response = Unirest.get("https://test-api.cyberproof.io/api/v1/observables?observableType=IPv4%20Address&observableValue=192.168.40.45")
  .header("Accept", "application/json")
  .header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
  .asString();
```
GET /observables
*Gets the specified observable based on its type and value.*
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| observableType | query | string | true | The type of the observable |
| observable_type | query | string | false | The type of the observable. |
| observableValue | query | string | true | The value of the observable |
| observable_value | query | string | false | The value of the observable. |
Detailed descriptions
observable_type: The type of the observable. Deprecated: please use observableType instead of observable_type
observable_value: The value of the observable. Deprecated: please use observableValue instead of observable_value
Example responses
200 Response
{
"id": "5e13b88122c957000787db06",
"type": "IPv4 Address",
"isIoc": false,
"value": "192.168.40.45",
"created": "2019-08-24T14:15:22Z",
"updated": "2019-08-24T14:15:22Z",
"suspiciousRate": 3.2,
"tags": [
"Critical-Infrastructure"
],
"enrichments": [
{
"id": "5e13b88122c957000787db06",
"name": "VirusTotal",
"reported": "2019-08-24T14:15:22Z",
"suspiciousRate": 3.2
}
]
}
Responses
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | A JSON object containing the observable | ObservableSummary |
| 400 | Bad Request | The request is invalid | None |
| 401 | Unauthorized | Authentication failure | None |
| 403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
| 404 | Not Found | The requested resource was not found | None |
| 429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the server's rate limiting policy. | None |
| 500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
| 502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
| 503 | Service Unavailable | The server cannot handle the request at the moment | None |
| 504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
queryObservableAlertIds
Code samples
```shell
curl --request GET \
  --url 'https://test-api.cyberproof.io/api/v1/observables/alert-ids?observableType=IPv4%20Address&observableValue=192.168.40.45' \
  --header 'Accept: application/json' \
  --header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a'
```

```javascript
fetch("https://test-api.cyberproof.io/api/v1/observables/alert-ids?observableType=IPv4%20Address&observableValue=192.168.40.45", {
  "method": "GET",
  "headers": {
    "Accept": "application/json",
    "X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
  }
})
.then(response => {
  console.log(response);
})
.catch(err => {
  console.error(err);
});
```

```python
import http.client

conn = http.client.HTTPSConnection("test-api.cyberproof.io")
headers = {
    'Accept': "application/json",
    'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("GET", "/api/v1/observables/alert-ids?observableType=IPv4%20Address&observableValue=192.168.40.45", headers=headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
```

```go
package main

import (
    "fmt"
    "io"
    "log"
    "net/http"
)

func main() {
    url := "https://test-api.cyberproof.io/api/v1/observables/alert-ids?observableType=IPv4%20Address&observableValue=192.168.40.45"
    req, err := http.NewRequest("GET", url, nil)
    if err != nil {
        log.Fatal(err)
    }
    req.Header.Add("Accept", "application/json")
    req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
    res, err := http.DefaultClient.Do(req)
    if err != nil {
        log.Fatal(err)
    }
    defer res.Body.Close()
    body, err := io.ReadAll(res.Body) // io.ReadAll replaces the deprecated ioutil.ReadAll
    if err != nil {
        log.Fatal(err)
    }
    fmt.Println(res.Status)
    fmt.Println(string(body))
}
```

```csharp
using System;
using System.Net.Http;

var client = new HttpClient();
var request = new HttpRequestMessage
{
    Method = HttpMethod.Get,
    RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/observables/alert-ids?observableType=IPv4%20Address&observableValue=192.168.40.45"),
    Headers =
    {
        { "Accept", "application/json" },
        { "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
    },
};
using (var response = await client.SendAsync(request))
{
    response.EnsureSuccessStatusCode();
    var body = await response.Content.ReadAsStringAsync();
    Console.WriteLine(body);
}
```

```java
HttpResponse<String> response = Unirest.get("https://test-api.cyberproof.io/api/v1/observables/alert-ids?observableType=IPv4%20Address&observableValue=192.168.40.45")
  .header("Accept", "application/json")
  .header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
  .asString();
```
GET /observables/alert-ids
*Queries alert IDs associated with the observable.*
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| observableType | query | string | true | The type of the observable |
| observable_type | query | string | false | The type of the observable. |
| observableValue | query | string | true | The value of the observable |
| observable_value | query | string | false | The value of the observable. |
| marker | query | string(byte) | false | A continuation token, used to retrieve the next results page. |
Detailed descriptions
observable_type: The type of the observable. Deprecated: please use observableType instead of observable_type
observable_value: The value of the observable. Deprecated: please use observableValue instead of observable_value
Example responses
200 Response
{
"nextMarker": "string",
"results": [
"string"
]
}
Responses
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | A JSON object containing the results and additional information | ObservableAlertIdsQueryResults |
| 400 | Bad Request | The request is invalid | None |
| 401 | Unauthorized | Authentication failure | None |
| 403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
| 404 | Not Found | The requested resource was not found | None |
| 429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the server's rate limiting policy. | None |
| 500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
| 502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
| 503 | Service Unavailable | The server cannot handle the request at the moment | None |
| 504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
queryObservableIncidentIds
Code samples
```shell
curl --request GET \
  --url 'https://test-api.cyberproof.io/api/v1/observables/incident-ids?observableType=IPv4%20Address&observableValue=192.168.40.45' \
  --header 'Accept: application/json' \
  --header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a'
```

```javascript
fetch("https://test-api.cyberproof.io/api/v1/observables/incident-ids?observableType=IPv4%20Address&observableValue=192.168.40.45", {
  "method": "GET",
  "headers": {
    "Accept": "application/json",
    "X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
  }
})
.then(response => {
  console.log(response);
})
.catch(err => {
  console.error(err);
});
```

```python
import http.client

conn = http.client.HTTPSConnection("test-api.cyberproof.io")
headers = {
    'Accept': "application/json",
    'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("GET", "/api/v1/observables/incident-ids?observableType=IPv4%20Address&observableValue=192.168.40.45", headers=headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
```

```go
package main

import (
    "fmt"
    "io"
    "log"
    "net/http"
)

func main() {
    url := "https://test-api.cyberproof.io/api/v1/observables/incident-ids?observableType=IPv4%20Address&observableValue=192.168.40.45"
    req, err := http.NewRequest("GET", url, nil)
    if err != nil {
        log.Fatal(err)
    }
    req.Header.Add("Accept", "application/json")
    req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
    res, err := http.DefaultClient.Do(req)
    if err != nil {
        log.Fatal(err)
    }
    defer res.Body.Close()
    body, err := io.ReadAll(res.Body) // io.ReadAll replaces the deprecated ioutil.ReadAll
    if err != nil {
        log.Fatal(err)
    }
    fmt.Println(res.Status)
    fmt.Println(string(body))
}
```

```csharp
using System;
using System.Net.Http;

var client = new HttpClient();
var request = new HttpRequestMessage
{
    Method = HttpMethod.Get,
    RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/observables/incident-ids?observableType=IPv4%20Address&observableValue=192.168.40.45"),
    Headers =
    {
        { "Accept", "application/json" },
        { "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
    },
};
using (var response = await client.SendAsync(request))
{
    response.EnsureSuccessStatusCode();
    var body = await response.Content.ReadAsStringAsync();
    Console.WriteLine(body);
}
```

```java
HttpResponse<String> response = Unirest.get("https://test-api.cyberproof.io/api/v1/observables/incident-ids?observableType=IPv4%20Address&observableValue=192.168.40.45")
  .header("Accept", "application/json")
  .header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
  .asString();
```
GET /observables/incident-ids
*Queries incident IDs associated with the observable.*
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| observableType | query | string | true | The type of the observable |
| observable_type | query | string | false | The type of the observable. |
| observableValue | query | string | true | The value of the observable |
| observable_value | query | string | false | The value of the observable. |
| marker | query | string(byte) | false | A continuation token, used to retrieve the next results page. |
Detailed descriptions
observable_type: The type of the observable. Deprecated: please use observableType instead of observable_type
observable_value: The value of the observable. Deprecated: please use observableValue instead of observable_value
Example responses
200 Response
{
"nextMarker": "string",
"results": [
"string"
]
}
Responses
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | A JSON object containing the results and additional information | ObservableIncidentIdsQueryResults |
| 400 | Bad Request | The request is invalid | None |
| 401 | Unauthorized | Authentication failure | None |
| 403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
| 404 | Not Found | The requested resource was not found | None |
| 429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the server's rate limiting policy. | None |
| 500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
| 502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
| 503 | Service Unavailable | The server cannot handle the request at the moment | None |
| 504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
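An added example, not part of the CyberProof documentation or client library, that drives two of the paginated queries above, GET /incidents/{incidentId}/observables and GET /observables/incident-ids, through one marker/nextMarker loop (the alert-ids query pages the same way): starting from an incident, it finds the other incidents that share its IoC observables, a common triage pivot. The `transport` callable, the constructed pages and the 5.0 suspiciousRate threshold are assumptions.

```python
"""Pivot from one incident to the other incidents that share its IoC observables.

Drives GET /incidents/{incidentId}/observables and GET /observables/incident-ids
through the marker/nextMarker loop the page describes. transport(path_with_query)
-> (status, json_body) is injected so the logic runs offline against the pages
constructed below; a real transport would prefix the base URL and send X-API-KEY.
"""
from typing import Callable, Dict, Iterator, List, Optional, Set, Tuple
from urllib.parse import quote, urlencode

Transport = Callable[[str], Tuple[int, dict]]


def paged_results(transport: Transport, path: str, params: Optional[dict] = None) -> Iterator:
    """Yield every item of a marker-paginated query.

    The server answers {"nextMarker": ..., "results": [...]}; the marker is opaque
    and is sent back unchanged as the `marker` query parameter until none is returned.
    """
    marker = None
    seen: Set[str] = set()
    while True:
        q = dict(params or {})
        if marker:
            q["marker"] = marker
        url = path + ("?" + urlencode(q, quote_via=quote) if q else "")
        status, body = transport(url)
        if status != 200:
            raise RuntimeError(f"{url} -> HTTP {status}")
        yield from body.get("results", [])
        marker = body.get("nextMarker")
        if not marker:
            return
        if marker in seen:  # a server returning the same token again would loop forever
            raise RuntimeError("pagination marker repeated")
        seen.add(marker)


def related_incidents(transport: Transport, incident_id: str,
                      min_rate: float = 5.0) -> Dict[str, List[str]]:
    """Map each pivot-worthy observable ("type:value") to the other incidents holding it.

    An observable is pivot-worthy when the platform marks it isIoc or its
    suspiciousRate reaches min_rate (the 5.0 threshold is an assumption).
    """
    related: Dict[str, List[str]] = {}
    for obs in paged_results(transport, f"/incidents/{incident_id}/observables"):
        if not (obs.get("isIoc") or obs.get("suspiciousRate", 0.0) >= min_rate):
            continue
        ids = paged_results(transport, "/observables/incident-ids",
                            {"observableType": obs["type"], "observableValue": obs["value"]})
        others = sorted({i for i in ids if i != incident_id})
        if others:
            related[f'{obs["type"]}:{obs["value"]}'] = others
    return related


# Constructed pages (not tenant data): two pages of observables, two pages of incident IDs.
INCIDENT = "5a9e19eebdee5a000a8fe060"
SHA = "ab" * 32
PAGES = {
    f"/incidents/{INCIDENT}/observables": {
        "nextMarker": "m1",
        "results": [
            {"id": "o1", "type": "IPv4 Address", "value": "192.168.40.45",
             "isIoc": True, "suspiciousRate": 3.2},
            {"id": "o2", "type": "Domain", "value": "intranet.example",
             "isIoc": False, "suspiciousRate": 0.1},
        ],
    },
    f"/incidents/{INCIDENT}/observables?marker=m1": {
        "results": [{"id": "o3", "type": "SHA256", "value": SHA,
                     "isIoc": False, "suspiciousRate": 8.7}],
    },
    "/observables/incident-ids?observableType=IPv4%20Address&observableValue=192.168.40.45": {
        "nextMarker": "m2", "results": [INCIDENT, "inc-2"]},
    "/observables/incident-ids?observableType=IPv4%20Address&observableValue=192.168.40.45&marker=m2": {
        "results": ["inc-3"]},
    f"/observables/incident-ids?observableType=SHA256&observableValue={SHA}": {
        "results": [INCIDENT]},
}


def fake_transport(url: str) -> Tuple[int, dict]:
    """Serve the constructed pages; an unknown URL gets 404 like the real API."""
    body = PAGES.get(url)
    return (200, body) if body is not None else (404, {})


if __name__ == "__main__":
    print(related_incidents(fake_transport, INCIDENT))
```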
files
Files APIs
uploadFile
Code samples
```shell
curl --request POST \
  --url 'https://test-api.cyberproof.io/api/v1/files/upload?scopeId=5e7c6cf54b832e0018f191ad&scopeType=alert' \
  --header 'Accept: application/json' \
  --header 'Content-Type: multipart/form-data; boundary=---011000010111000001101001' \
  --header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a' \
  --form 'relations=[{"type": "vega", "id": "5e7c6cf54b832e0018f191ad"}]' \
  --form password=test123 \
  --form file=string
```

```javascript
const form = new FormData();
form.append("relations", "[{\"type\": \"vega\", \"id\": \"5e7c6cf54b832e0018f191ad\"}]");
form.append("password", "test123");
form.append("file", "string");

fetch("https://test-api.cyberproof.io/api/v1/files/upload?scopeId=5e7c6cf54b832e0018f191ad&scopeType=alert", {
  "method": "POST",
  // Do not set Content-Type by hand: the browser derives it, boundary included, from the FormData body.
  "headers": {
    "Accept": "application/json",
    "X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
  },
  "body": form  // the form must actually be sent; the generated sample built it but omitted this line
})
.then(response => {
  console.log(response);
})
.catch(err => {
  console.error(err);
});
```

```python
import http.client

conn = http.client.HTTPSConnection("test-api.cyberproof.io")

# Hand-built multipart/form-data body; the boundary must match the Content-Type header.
payload = "-----011000010111000001101001\r\nContent-Disposition: form-data; name=\"relations\"\r\n\r\n[{\"type\": \"vega\", \"id\": \"5e7c6cf54b832e0018f191ad\"}]\r\n-----011000010111000001101001\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\ntest123\r\n-----011000010111000001101001\r\nContent-Disposition: form-data; name=\"file\"\r\n\r\nstring\r\n-----011000010111000001101001--\r\n"

headers = {
    'Content-Type': "multipart/form-data; boundary=---011000010111000001101001",
    'Accept': "application/json",
    'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}

conn.request("POST", "/api/v1/files/upload?scopeId=5e7c6cf54b832e0018f191ad&scopeType=alert", payload, headers)

res = conn.getresponse()
data = res.read()

print(data.decode("utf-8"))
```

```go
package main

import (
	"fmt"
	"io/ioutil"
	"log"
	"net/http"
	"strings"
)

func main() {
	url := "https://test-api.cyberproof.io/api/v1/files/upload?scopeId=5e7c6cf54b832e0018f191ad&scopeType=alert"

	// Hand-built multipart/form-data body; the boundary must match the Content-Type header.
	payload := strings.NewReader("-----011000010111000001101001\r\nContent-Disposition: form-data; name=\"relations\"\r\n\r\n[{\"type\": \"vega\", \"id\": \"5e7c6cf54b832e0018f191ad\"}]\r\n-----011000010111000001101001\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\ntest123\r\n-----011000010111000001101001\r\nContent-Disposition: form-data; name=\"file\"\r\n\r\nstring\r\n-----011000010111000001101001--\r\n")

	req, err := http.NewRequest("POST", url, payload)
	if err != nil {
		log.Fatal(err)
	}
	req.Header.Add("Content-Type", "multipart/form-data; boundary=---011000010111000001101001")
	req.Header.Add("Accept", "application/json")
	req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")

	res, err := http.DefaultClient.Do(req)
	if err != nil {
		log.Fatal(err) // the generated sample ignored this error and would dereference a nil response
	}
	defer res.Body.Close()

	body, err := ioutil.ReadAll(res.Body)
	if err != nil {
		log.Fatal(err)
	}

	fmt.Println(res.Status)
	fmt.Println(string(body))
}
```

```csharp
var client = new HttpClient();
var request = new HttpRequestMessage
{
    Method = HttpMethod.Post,
    RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/files/upload?scopeId=5e7c6cf54b832e0018f191ad&scopeType=alert"),
    Headers =
    {
        { "Accept", "application/json" },
        { "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
    },
    Content = new MultipartFormDataContent
    {
        new StringContent("[{\"type\": \"vega\", \"id\": \"5e7c6cf54b832e0018f191ad\"}]")
        {
            Headers =
            {
                ContentDisposition = new ContentDispositionHeaderValue("form-data")
                {
                    Name = "relations",
                }
            }
        },
        new StringContent("test123")
        {
            Headers =
            {
                ContentDisposition = new ContentDispositionHeaderValue("form-data")
                {
                    Name = "password",
                }
            }
        },
        new StringContent("string")
        {
            Headers =
            {
                ContentDisposition = new ContentDispositionHeaderValue("form-data")
                {
                    Name = "file",
                }
            }
        },
    },
};
using (var response = await client.SendAsync(request))
{
    response.EnsureSuccessStatusCode();
    var body = await response.Content.ReadAsStringAsync();
    Console.WriteLine(body);
}
```

```java
HttpResponse<String> response = Unirest.post("https://test-api.cyberproof.io/api/v1/files/upload?scopeId=5e7c6cf54b832e0018f191ad&scopeType=alert")
  .header("Content-Type", "multipart/form-data; boundary=---011000010111000001101001")
  .header("Accept", "application/json")
  .header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
  .body("-----011000010111000001101001\r\nContent-Disposition: form-data; name=\"relations\"\r\n\r\n[{\"type\": \"vega\", \"id\": \"5e7c6cf54b832e0018f191ad\"}]\r\n-----011000010111000001101001\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\ntest123\r\n-----011000010111000001101001\r\nContent-Disposition: form-data; name=\"file\"\r\n\r\nstring\r\n-----011000010111000001101001--\r\n")
  .asString();
```
POST /files/upload
Upload a new file
Securely upload a new file to CDC.
Maximum file size: 12 MB (12,582,912 bytes)
Body parameter
relations: '[{"type": "vega", "id": "5e7c6cf54b832e0018f191ad"}]'
password: test123
file: string
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| scopeId | query | string | true | A unique, machine-oriented ID identifying this scope. Must be provided together with scopeType; e.g. if scopeType = alert, then scopeId is the alert ID. |
| scopeType | query | string | true | The type of the entity (alert / incident / channel / visualization...) |
| body | body | UploadFileRequest | true | none |
Detailed descriptions
scopeId: A unique, machine-oriented ID identifying this scope. Must be provided together with scopeType; e.g. if scopeType = alert, then scopeId is the alert ID.
Enumerated Values
| Parameter | Value |
|---|---|
| scopeType | alert |
| scopeType | incident |
| scopeType | channel |
| scopeType | visualization |
Example responses
201 Response
{
"status": "uploaded",
"id": "5e7c6cf54b832e0018f191ad",
"name": "attachment.txt",
"scope": {
"id": "616ea579f2631c8d4c68a1b7",
"type": "alert"
},
"url": "https://someDomain/somePath/attachment.txt",
"size": 2680000,
"mimeType": "text/plain",
"extension": "txt",
"createdAt": "2019-08-24T14:15:22Z",
"createdBy": "8e2c4cf54b832e0018f191ad",
"relations": [
{
"type": "vega",
"id": "8e2c4cf54b832e0018f191ad"
}
]
}
Responses
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 201 | Created | Listing information for the uploaded file | FileInfo |
| 400 | Bad Request | The request is invalid | None |
| 401 | Unauthorized | Authentication failure | None |
| 403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
| 413 | Payload Too Large | The payload sent by the client exceeds the size limits imposed by the server | None |
| 429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate limiting policy of the server. | None |
| 500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
| 502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
| 503 | Service Unavailable | The server cannot handle the request at the moment | None |
| 504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
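The upload rules above (paired scopeId/scopeType, the 12,582,912-byte ceiling, the 413 and 429 outcomes) are easy to get wrong from a script, so here is an added example, not CyberProof's code, that enforces them client-side before a request is sent. The filename and Content-Type on the file part follow ordinary multipart usage rather than anything the page shows, and the boundary is fixed only so the output is reproducible.

```python
"""Pre-flight checks and body construction for POST /files/upload.

Added example, not CyberProof's code. It relies only on what this page
documents: scopeId and scopeType travel together as query parameters, the
body is multipart/form-data with 'relations', optional 'password' and 'file'
parts, and anything over 12,582,912 bytes is rejected with 413.
"""
import json
import os
from typing import List, Optional, Tuple
from urllib.parse import urlencode

MAX_FILE_BYTES = 12_582_912  # the documented upload ceiling (12 MB)
SCOPE_TYPES = {"alert", "incident", "channel", "visualization"}
# Fixed boundary so output is reproducible here; a real client should draw a
# fresh random boundary per request (e.g. secrets.token_hex) so body data can
# never collide with it.
BOUNDARY = "---011000010111000001101001"


class UploadRejected(ValueError):
    """Raised locally, before any bytes leave the host."""


def _part(name: str, value: bytes, filename: Optional[str] = None,
          content_type: Optional[str] = None) -> bytes:
    """Encode one multipart/form-data part with CRLF line endings."""
    disposition = f'form-data; name="{name}"'
    if filename is not None:
        # Only the basename belongs in the header: never leak local paths.
        disposition += f'; filename="{os.path.basename(filename)}"'
    head = f"--{BOUNDARY}\r\nContent-Disposition: {disposition}\r\n"
    if content_type:
        head += f"Content-Type: {content_type}\r\n"
    return head.encode() + b"\r\n" + value + b"\r\n"


def build_upload_request(scope_type: str, scope_id: str, filename: str,
                         content: bytes, relations: List[dict],
                         password: Optional[str] = None) -> Tuple[str, dict, bytes]:
    """Return (path_with_query, headers, body) for the upload, or raise UploadRejected."""
    if scope_type not in SCOPE_TYPES:
        raise UploadRejected(f"unknown scopeType {scope_type!r}")
    if not scope_id:
        raise UploadRejected("scopeId must be provided together with scopeType")
    if len(content) > MAX_FILE_BYTES:
        # Fail here instead of streaming 12+ MB to the server just to collect a 413.
        raise UploadRejected(f"{len(content)} bytes exceeds the {MAX_FILE_BYTES}-byte limit")
    body = _part("relations", json.dumps(relations).encode())
    if password is not None:
        body += _part("password", password.encode())
    body += _part("file", content, filename=filename, content_type="application/octet-stream")
    body += f"--{BOUNDARY}--\r\n".encode()
    query = urlencode({"scopeId": scope_id, "scopeType": scope_type})
    headers = {
        "Content-Type": f"multipart/form-data; boundary={BOUNDARY}",
        "Accept": "application/json",
        "Content-Length": str(len(body)),
    }
    return f"/api/v1/files/upload?{query}", headers, body


def interpret_upload_status(status: int) -> str:
    """Map the documented response codes to what the caller should do next."""
    if status == 201:
        return "created"
    if status == 413:
        return "too-large"       # shrink or split the file before retrying
    if status == 429:
        return "throttled"       # back off and retry per the server's rate limit policy
    if status in (400, 401, 403):
        return "client-error"    # fix the request or credentials; do not retry as-is
    return "server-error"        # 5xx: retry with backoff
```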
downloadFile
Code samples
```shell
curl --request GET \
  --url https://test-api.cyberproof.io/api/v1/files/5e7c6cf54b832e0018f191ad/download \
  --header 'Accept: application/octet-stream' \
  --header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a'
```

```javascript
fetch("https://test-api.cyberproof.io/api/v1/files/5e7c6cf54b832e0018f191ad/download", {
  "method": "GET",
  "headers": {
    "Accept": "application/octet-stream",
    "X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
  }
})
.then(response => {
  console.log(response);
})
.catch(err => {
  console.error(err);
});
```

```python
import http.client

conn = http.client.HTTPSConnection("test-api.cyberproof.io")

headers = {
    'Accept': "application/octet-stream",
    'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}

conn.request("GET", "/api/v1/files/5e7c6cf54b832e0018f191ad/download", headers=headers)

res = conn.getresponse()
data = res.read()

# The response is a binary stream; decoding it as UTF-8 (as the generated sample did) fails on arbitrary bytes.
print(res.status, len(data), "bytes received")
```

```go
package main

import (
	"fmt"
	"io/ioutil"
	"log"
	"net/http"
)

func main() {
	url := "https://test-api.cyberproof.io/api/v1/files/5e7c6cf54b832e0018f191ad/download"

	req, err := http.NewRequest("GET", url, nil)
	if err != nil {
		log.Fatal(err)
	}
	req.Header.Add("Accept", "application/octet-stream")
	req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")

	res, err := http.DefaultClient.Do(req)
	if err != nil {
		log.Fatal(err) // the generated sample ignored this error and would dereference a nil response
	}
	defer res.Body.Close()

	body, err := ioutil.ReadAll(res.Body)
	if err != nil {
		log.Fatal(err)
	}

	// The body is a binary stream, so report its size rather than printing it as text.
	fmt.Println(res.Status, len(body), "bytes received")
}
```

```csharp
var client = new HttpClient();
var request = new HttpRequestMessage
{
    Method = HttpMethod.Get,
    RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/files/5e7c6cf54b832e0018f191ad/download"),
    Headers =
    {
        { "Accept", "application/octet-stream" },
        { "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
    },
};
using (var response = await client.SendAsync(request))
{
    response.EnsureSuccessStatusCode();
    var body = await response.Content.ReadAsStringAsync();
    Console.WriteLine(body);
}
```

```java
HttpResponse<String> response = Unirest.get("https://test-api.cyberproof.io/api/v1/files/5e7c6cf54b832e0018f191ad/download")
  .header("Accept", "application/octet-stream")
  .header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
  .asString();
```
GET /files/{fileId}/download
Download a file
Download a file by id
Errors:
- File is still uploading: expected error code 409 (Conflict)
- File had malicious content, so it is not available: expected error code 410 (Gone)
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| fileId | path | string | true | A unique, machine-oriented ID identifying this file. |
| thumbnail | query | boolean | false | Download the thumbnail image if one exists |
Detailed descriptions
thumbnail: Download the thumbnail image if one exists. A thumbnail is a small image representation of a larger image or a video.
Example responses
200 Response
Responses
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | Binary file stream with file contents | DownloadFileResponse |
| 400 | Bad Request | The request is invalid | None |
| 401 | Unauthorized | Authentication failure | None |
| 403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
| 404 | Not Found | The requested resource was not found | None |
| 409 | Conflict | The request conflicts with the current state of the resource. | None |
| 410 | Gone | The resource requested is no longer available and will not be available again. The resource could have been intentionally removed and should be purged. The client should not request the resource in the future. | None |
| 413 | Payload Too Large | The payload sent by the client exceeds the size limits imposed by the server | None |
| 429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate limiting policy of the server. | None |
| 500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
| 502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
| 503 | Service Unavailable | The server cannot handle the request at the moment | None |
| 504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
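The download endpoint is the one place on this page where a status code carries a decision for the caller: 409 means poll again, 410 means the platform removed the file as malicious and it must never be re-requested, and 429 means back off. The following added example, not CyberProof's code, encodes those decisions; the injected transport, the retry budget and the backoff curve are its own choices so that it can run offline against a scripted fake.

```python
"""Client-side handling of GET /files/{fileId}/download outcomes.

Added example, not CyberProof's code. The status meanings are the page's
(409 still uploading, 410 removed as malicious, 429 throttled, 5xx gateway
trouble); the injected transport callable, the retry budget and the backoff
curve are this example's own choices so it can run offline against a fake.
"""
import time
from typing import Callable, List, Tuple

# transport(path, headers) -> (status, body_bytes)
Transport = Callable[[str, dict], Tuple[int, bytes]]

API_KEY_HEADER = "X-API-KEY"
TRANSIENT = {409, 429, 502, 503, 504}  # worth retrying per the response table


class FileQuarantined(Exception):
    """410 Gone: the platform removed the file as malicious. Never re-request it."""


class DownloadFailed(Exception):
    """Any other non-200 outcome, including exhausting the retry budget."""


def download_file(transport: Transport, api_key: str, file_id: str,
                  thumbnail: bool = False, max_attempts: int = 4,
                  sleep: Callable[[float], None] = time.sleep) -> bytes:
    """Fetch the raw bytes of a file, retrying transient statuses with backoff."""
    path = f"/api/v1/files/{file_id}/download" + ("?thumbnail=true" if thumbnail else "")
    headers = {"Accept": "application/octet-stream", API_KEY_HEADER: api_key}
    for attempt in range(1, max_attempts + 1):
        status, body = transport(path, headers)
        if status == 200:
            return body  # binary stream: hand back bytes, never .decode() it
        if status == 410:
            # Terminal by definition: the page says the resource will not return.
            raise FileQuarantined(file_id)
        if status in TRANSIENT and attempt < max_attempts:
            sleep(min(2 ** attempt, 30))  # 2s, 4s, 8s ... capped at 30s
            continue
        raise DownloadFailed(f"{file_id}: HTTP {status} after {attempt} attempt(s)")
    raise DownloadFailed(f"{file_id}: retry budget exhausted")  # unreachable; satisfies the return type


def scripted_transport(responses: List[Tuple[int, bytes]]) -> Transport:
    """Constructed fake transport: replays canned (status, body) pairs and records each path requested."""
    queue, calls = list(responses), []

    def transport(path: str, headers: dict) -> Tuple[int, bytes]:
        assert headers.get(API_KEY_HEADER), "every request must carry the API key"
        calls.append(path)
        return queue.pop(0)

    transport.calls = calls  # type: ignore[attr-defined]
    return transport


if __name__ == "__main__":
    # Constructed scenario: the first poll finds the file still uploading, the second succeeds.
    fake = scripted_transport([(409, b""), (200, b"%PDF-1.7 ...")])
    data = download_file(fake, "<api-key>", "5e7c6cf54b832e0018f191ad", sleep=lambda _: None)
    print(len(data), "bytes after", len(fake.calls), "requests")
```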
queryFiles
Code samples
```shell
curl --request GET \
  --url https://test-api.cyberproof.io/api/v1/files \
  --header 'Accept: application/json' \
  --header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a'
```

```javascript
fetch("https://test-api.cyberproof.io/api/v1/files", {
  "method": "GET",
  "headers": {
    "Accept": "application/json",
    "X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
  }
})
.then(response => {
  console.log(response);
})
.catch(err => {
  console.error(err);
});
```

```python
import http.client

conn = http.client.HTTPSConnection("test-api.cyberproof.io")

headers = {
    'Accept': "application/json",
    'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}

conn.request("GET", "/api/v1/files", headers=headers)

res = conn.getresponse()
data = res.read()

print(data.decode("utf-8"))
```

```go
package main

import (
	"fmt"
	"io/ioutil"
	"log"
	"net/http"
)

func main() {
	url := "https://test-api.cyberproof.io/api/v1/files"

	req, err := http.NewRequest("GET", url, nil)
	if err != nil {
		log.Fatal(err)
	}
	req.Header.Add("Accept", "application/json")
	req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")

	res, err := http.DefaultClient.Do(req)
	if err != nil {
		log.Fatal(err) // the generated sample ignored this error and would dereference a nil response
	}
	defer res.Body.Close()

	body, err := ioutil.ReadAll(res.Body)
	if err != nil {
		log.Fatal(err)
	}

	fmt.Println(res.Status)
	fmt.Println(string(body))
}
```

```csharp
var client = new HttpClient();
var request = new HttpRequestMessage
{
    Method = HttpMethod.Get,
    RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/files"),
    Headers =
    {
        { "Accept", "application/json" },
        { "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
    },
};
using (var response = await client.SendAsync(request))
{
    response.EnsureSuccessStatusCode();
    var body = await response.Content.ReadAsStringAsync();
    Console.WriteLine(body);
}
```

```java
HttpResponse<String> response = Unirest.get("https://test-api.cyberproof.io/api/v1/files")
  .header("Accept", "application/json")
  .header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
  .asString();
```
GET /files
Query files
Query files (file metadata) by different parameters (i.e. scope, id, filenames etc.). Sorting and pagination are supported using a marker.
- Logic between the filters: AND, i.e. all conditions must be satisfied
- Default sorting: creation time ASC
- Items per page: 30
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| marker | query | string(byte) | false | A continuation token, used to retrieve the next results page. |
| ids | query | array[string] | false | Filter files by id |
| status | query | array[string] | false | Filter files by status |
| fileName | query | string | false | Filter files by fileName |
| scopeType | query | string | false | Filter files by entity scope type. |
| scopeId | query | string | false | Filter files by Entity scope ID. |
Detailed descriptions
fileName: Filter files by fileName. A partial filename can be provided, i.e. given filename param = 'ample', the file 'sample.txt' will be found, assuming it exists in the system and all other filters apply.
scopeType: Filter files by entity scope type. This filter is related to scopeId, i.e. if scopeType is provided then scopeId should be provided as well.
scopeId: Filter files by entity scope ID, e.g. query only files associated with the alert with ID 5a9e19eebdee5a000a8fe060. This filter is related to scopeType, i.e. if scopeId is provided then scopeType should be provided as well.
Enumerated Values
| Parameter | Value |
|---|---|
| scopeType | alert |
| scopeType | incident |
| scopeType | channel |
| scopeType | visualization |
Example responses
200 Response
{
"nextMarker": "string",
"results": [
{
"status": "uploaded",
"id": "5e7c6cf54b832e0018f191ad",
"name": "attachment.txt",
"scope": {
"id": "616ea579f2631c8d4c68a1b7",
"type": "alert"
},
"url": "https://someDomain/somePath/attachment.txt",
"size": 2680000,
"mimeType": "text/plain",
"extension": "txt",
"createdAt": "2019-08-24T14:15:22Z",
"createdBy": "8e2c4cf54b832e0018f191ad",
"relations": [
{
"type": "vega",
"id": "8e2c4cf54b832e0018f191ad"
}
]
}
]
}
Responses
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | A JSON object containing the results and additional information | FilesQueryResults |
| 400 | Bad Request | The request is invalid | None |
| 401 | Unauthorized | Authentication failure | None |
| 403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
| 429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate limiting policy of the server. | None |
| 500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
| 502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
| 503 | Service Unavailable | The server cannot handle the request at the moment | None |
| 504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
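Listing files is a paginated, marker-driven walk with a pairing rule on the two scope filters, which is more than the single-request samples above show. The added example below, not CyberProof's code, follows nextMarker page by page and refuses a query that sends scopeType without scopeId (or vice versa); it assumes a transport callable that returns (status, parsed JSON), and because the page does not say whether the final page returns nextMarker as null or omits it, both are treated as the end of the listing.

```python
"""Walk every page of GET /files by following nextMarker.

Added example, not CyberProof's code. It encodes what the page states:
filters are ANDed, scopeType and scopeId must be sent together, a page holds
up to 30 items and the continuation token comes back as nextMarker. The page
does not say whether the last page carries a null nextMarker or omits it, so
both are treated as the end. transport(path, headers) returns (status, json)
and is injected so this runs offline against a fake.
"""
from typing import Callable, Dict, Iterator, List, Optional, Tuple
from urllib.parse import urlencode

SCOPE_TYPES = {"alert", "incident", "channel", "visualization"}
Transport = Callable[[str, dict], Tuple[int, dict]]


def build_files_query(scope_type: Optional[str] = None, scope_id: Optional[str] = None,
                      file_name: Optional[str] = None, marker: Optional[str] = None) -> str:
    """Build the /files path and query string, enforcing the scope-pairing rule."""
    if (scope_type is None) != (scope_id is None):
        raise ValueError("scopeType and scopeId must be provided together")
    if scope_type is not None and scope_type not in SCOPE_TYPES:
        raise ValueError(f"unknown scopeType {scope_type!r}")
    params: Dict[str, str] = {}
    if scope_type is not None:
        params["scopeType"], params["scopeId"] = scope_type, scope_id
    if file_name:
        params["fileName"] = file_name  # partial match: 'ample' finds sample.txt
    if marker:
        params["marker"] = marker
    return "/api/v1/files" + (f"?{urlencode(params)}" if params else "")


def iter_files(transport: Transport, api_key: str, max_pages: int = 1000,
               **filters) -> Iterator[dict]:
    """Yield file metadata records page by page until the server stops returning nextMarker."""
    headers = {"Accept": "application/json", "X-API-KEY": api_key}
    marker: Optional[str] = None
    seen = set()
    for _ in range(max_pages):  # hard ceiling: a misbehaving server must not spin us forever
        status, page = transport(build_files_query(marker=marker, **filters), headers)
        if status != 200:
            raise RuntimeError(f"GET /files returned HTTP {status}")
        yield from page.get("results", [])
        marker = page.get("nextMarker")
        if not marker:
            return
        if marker in seen:
            raise RuntimeError("nextMarker repeated; aborting instead of looping")
        seen.add(marker)
    raise RuntimeError(f"listing did not end within {max_pages} pages")


def scripted_transport(pages: List[Tuple[int, dict]]) -> Transport:
    """Constructed fake that replays canned pages and records the paths requested."""
    queue, calls = list(pages), []

    def transport(path: str, headers: dict) -> Tuple[int, dict]:
        calls.append(path)
        return queue.pop(0)

    transport.calls = calls  # type: ignore[attr-defined]
    return transport


if __name__ == "__main__":
    # Constructed two-page listing scoped to one alert.
    fake = scripted_transport([
        (200, {"nextMarker": "m1", "results": [{"id": "a", "name": "sample.txt"}]}),
        (200, {"nextMarker": None, "results": [{"id": "b", "name": "attachment.txt"}]}),
    ])
    for record in iter_files(fake, "<api-key>", scope_type="alert", scope_id="5a9e19eebdee5a000a8fe060"):
        print(record["id"], record["name"])
    print(fake.calls)
```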
search
Files APIs
search
Code samples
```shell
curl --request POST \
  --url https://test-api.cyberproof.io/api/v1/search \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a' \
  --data '{"query":"select from alert where status = '\''New'\''","include":"name,status,severity,description","limit":10,"skip":0,"sort":"created","includeTotal":true}'
```

```javascript
fetch("https://test-api.cyberproof.io/api/v1/search", {
  "method": "POST",
  "headers": {
    "Content-Type": "application/json",
    "Accept": "application/json",
    "X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
  },
  "body": "{\"query\":\"select from alert where status = 'New'\",\"include\":\"name,status,severity,description\",\"limit\":10,\"skip\":0,\"sort\":\"created\",\"includeTotal\":true}"
})
.then(response => {
  console.log(response);
})
.catch(err => {
  console.error(err);
});
```

```python
import http.client

conn = http.client.HTTPSConnection("test-api.cyberproof.io")

payload = "{\"query\":\"select from alert where status = 'New'\",\"include\":\"name,status,severity,description\",\"limit\":10,\"skip\":0,\"sort\":\"created\",\"includeTotal\":true}"

headers = {
    'Content-Type': "application/json",
    'Accept': "application/json",
    'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}

conn.request("POST", "/api/v1/search", payload, headers)

res = conn.getresponse()
data = res.read()

print(data.decode("utf-8"))
```

```go
package main

import (
	"fmt"
	"io/ioutil"
	"log"
	"net/http"
	"strings"
)

func main() {
	url := "https://test-api.cyberproof.io/api/v1/search"

	payload := strings.NewReader("{\"query\":\"select from alert where status = 'New'\",\"include\":\"name,status,severity,description\",\"limit\":10,\"skip\":0,\"sort\":\"created\",\"includeTotal\":true}")

	req, err := http.NewRequest("POST", url, payload)
	if err != nil {
		log.Fatal(err)
	}
	req.Header.Add("Content-Type", "application/json")
	req.Header.Add("Accept", "application/json")
	req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")

	res, err := http.DefaultClient.Do(req)
	if err != nil {
		log.Fatal(err) // the generated sample ignored this error and would dereference a nil response
	}
	defer res.Body.Close()

	body, err := ioutil.ReadAll(res.Body)
	if err != nil {
		log.Fatal(err)
	}

	fmt.Println(res.Status)
	fmt.Println(string(body))
}
```

```csharp
var client = new HttpClient();
var request = new HttpRequestMessage
{
    Method = HttpMethod.Post,
    RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/search"),
    Headers =
    {
        { "Accept", "application/json" },
        { "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
    },
    Content = new StringContent("{\"query\":\"select from alert where status = 'New'\",\"include\":\"name,status,severity,description\",\"limit\":10,\"skip\":0,\"sort\":\"created\",\"includeTotal\":true}")
    {
        Headers =
        {
            ContentType = new MediaTypeHeaderValue("application/json")
        }
    }
};
using (var response = await client.SendAsync(request))
{
    response.EnsureSuccessStatusCode();
    var body = await response.Content.ReadAsStringAsync();
    Console.WriteLine(body);
}
```

```java
HttpResponse<String> response = Unirest.post("https://test-api.cyberproof.io/api/v1/search")
  .header("Content-Type", "application/json")
  .header("Accept", "application/json")
  .header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
  .body("{\"query\":\"select from alert where status = 'New'\",\"include\":\"name,status,severity,description\",\"limit\":10,\"skip\":0,\"sort\":\"created\",\"includeTotal\":true}")
  .asString();
```
POST /search
Returns the result of a Search QL query
Body parameter
{
"query": "select from alert where status = 'New'",
"include": "name,status,severity,description",
"limit": 10,
"skip": 0,
"sort": "created",
"includeTotal": true
}
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| body | body | object | true | none |
| » query | body | string | true | CDC Query string |
| » include | body | string(comma-separated-list) | false | List of fields from query subject collection to be populated. |
| » limit | body | integer | false | Number of records to return in the query result (if the field is omitted, the default value of 20 is used) |
| » skip | body | integer | false | Number of records to skip in the query result |
| » sort | body | string | false | Sort order for the query results; if no value is provided, defaults to created |
| » includeTotal | body | boolean | false | Whether to return the total count of found records |
Detailed descriptions
» query: CDC Query string
Full query syntax can be derived from the CDC Query Language docs.
» include: List of fields from the query subject collection to be populated.
The list of supported fields should be taken from the CDC Query Language docs for the appropriate collection. (If some fields are filtered by PAPI but used as an include value, they will still not be returned in the response.)
» sort: Sort order for the query results; if no value is provided, defaults to created.
Alert - when you query for alerts, you can sort by (:asc/:desc possible):
- created - created date, used by default
- name
- severity.order
- status.order
- detected
- ownerRef.displayName
- source
- company
- score.value - the database relevance score
Incident - when you query for incidents, you can sort by (:asc/:desc possible):
- created
- modified
- name
- group
- company
- key
- priority.order
- status.value
- ownerRef.displayName
- transition.targetGroup
Observable - when you query for observables, you can sort by (:asc/:desc possible):
- created
- modified
- type
- value
- suspiciousRate
- tags
- relatedAlertsLength
- relatedIncidentsLength
- isIoc
Message - when you query for messages, you can sort by (:asc/:desc possible):
- created
» includeTotal: Whether to return the total count of found records. Enabling it lowers performance.
Enumerated Values
| Parameter | Value |
|---|---|
| » sort | company |
| » sort | company:asc |
| » sort | company:desc |
| » sort | created |
| » sort | created:asc |
| » sort | created:desc |
| » sort | detected |
| » sort | detected:asc |
| » sort | detected:desc |
| » sort | group |
| » sort | group:asc |
| » sort | group:desc |
| » sort | isIoc |
| » sort | isIoc:asc |
| » sort | isIoc:desc |
| » sort | key |
| » sort | key:asc |
| » sort | key:desc |
| » sort | modified |
| » sort | modified:asc |
| » sort | modified:desc |
| » sort | name |
| » sort | name:asc |
| » sort | name:desc |
| » sort | ownerRef.displayName |
| » sort | ownerRef.displayName:asc |
| » sort | ownerRef.displayName:desc |
| » sort | priority.order |
| » sort | priority.order:asc |
| » sort | priority.order:desc |
| » sort | relatedAlertsLength |
| » sort | relatedAlertsLength:asc |
| » sort | relatedAlertsLength:desc |
| » sort | relatedIncidentsLength |
| » sort | relatedIncidentsLength:asc |
| » sort | relatedIncidentsLength:desc |
| » sort | score.value |
| » sort | score.value:asc |
| » sort | score.value:desc |
| » sort | severity.order |
| » sort | severity.order:asc |
| » sort | severity.order:desc |
| » sort | source |
| » sort | source:asc |
| » sort | source:desc |
| » sort | status.order |
| » sort | status.order:asc |
| » sort | status.order:desc |
| » sort | status.value |
| » sort | status.value:asc |
| » sort | status.value:desc |
| » sort | suspiciousRate |
| » sort | suspiciousRate:asc |
| » sort | suspiciousRate:desc |
| » sort | tags |
| » sort | tags:asc |
| » sort | tags:desc |
| » sort | transition.targetGroup |
| » sort | transition.targetGroup:asc |
| » sort | transition.targetGroup:desc |
| » sort | type |
| » sort | type:asc |
| » sort | type:desc |
| » sort | value |
| » sort | value:asc |
| » sort | value:desc |
Example responses
200 Response
{
"sort": [
{
"fieldName": "string",
"desc": true
}
],
"limit": 20,
"skip": 0,
"items": [
{
"id": "5e7c6cf54b832e0018f191ad",
"source": "QRadar",
"sourceId": 296,
"score": 33.2,
"name": "Windows - Multiple failed logins same user same host",
"description": "Customer Name - AcmeCo\nAlert Name - Windows - Multiple failed logins same user same host\nDevice Vendor - Microsoft\nDevice Product - Microsoft Windows\nDevice Event Class Id - rule:105\n",
"severity": "Medium",
"created": "2019-08-24T14:15:22Z",
"modified": "2019-08-24T14:15:22Z",
"detected": "2019-08-24T14:15:22Z",
"status": "In Incident",
"sourceUrl": "https://192.168.41.164/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=296",
"company": "ACME Europe",
"useCase": "UC216 - EPP - Persistent Malware",
"tags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"classification": "Authentication",
"observableTags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"categories": [
"Ransomware",
"Phishing"
],
"detectionRule": "WRONG_PASSWORD_3_ATTEMPTS",
"killChain": [
"Reconnaissance",
"Weaponization",
"Delivery"
],
"mitreAttacks": [
"T1003",
"T1001",
"T1595.001"
],
"alertType": "CTI-Landscape",
"threatType": "Phishing",
"summaryType": "alert",
"incidentId": "string"
}
],
"total": 32
}
Responses
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | A JSON object containing the observable | CDCQueryResponse |
| 400 | Bad Request | The request is invalid | None |
| 401 | Unauthorized | Authentication failure | None |
| 403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
| 404 | Not Found | The requested resource was not found | None |
| 422 | Unprocessable Entity | The server understands the content type of the request entity, and the syntax of the request entity is correct, but it was unable to process the contained instructions. The client should not repeat this request without modification. | None |
| 429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate limiting policy of the server. | None |
| 500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
| 502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
| 503 | Service Unavailable | The server cannot handle the request at the moment | None |
| 504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
Response Headers
| Status | Header | Type | Format | Description |
|---|---|---|---|---|
| 200 | ETag | string | | Includes an identifier for a specific version of a resource. Commonly used as the basis for conditional gets and conditional updates. |
autocomplete
Code samples
```shell
curl --request GET \
  --url 'https://test-api.cyberproof.io/api/v1/search/autocomplete?collection=alert' \
  --header 'Accept: application/json' \
  --header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a'
```

```javascript
fetch("https://test-api.cyberproof.io/api/v1/search/autocomplete?collection=alert", {
  "method": "GET",
  "headers": {
    "Accept": "application/json",
    "X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
  }
})
.then(response => {
  console.log(response);
})
.catch(err => {
  console.error(err);
});
```

```python
import http.client

conn = http.client.HTTPSConnection("test-api.cyberproof.io")

headers = {
    'Accept': "application/json",
    'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}

conn.request("GET", "/api/v1/search/autocomplete?collection=alert", headers=headers)

res = conn.getresponse()
data = res.read()

print(data.decode("utf-8"))
```

```go
package main

import (
	"fmt"
	"io/ioutil"
	"log"
	"net/http"
)

func main() {
	url := "https://test-api.cyberproof.io/api/v1/search/autocomplete?collection=alert"

	req, err := http.NewRequest("GET", url, nil)
	if err != nil {
		log.Fatal(err)
	}
	req.Header.Add("Accept", "application/json")
	req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")

	res, err := http.DefaultClient.Do(req)
	if err != nil {
		log.Fatal(err) // the generated sample ignored this error and would dereference a nil response
	}
	defer res.Body.Close()

	body, err := ioutil.ReadAll(res.Body)
	if err != nil {
		log.Fatal(err)
	}

	fmt.Println(res.Status)
	fmt.Println(string(body))
}
```

```csharp
var client = new HttpClient();
var request = new HttpRequestMessage
{
    Method = HttpMethod.Get,
    RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/search/autocomplete?collection=alert"),
    Headers =
    {
        { "Accept", "application/json" },
        { "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
    },
};
using (var response = await client.SendAsync(request))
{
    response.EnsureSuccessStatusCode();
    var body = await response.Content.ReadAsStringAsync();
    Console.WriteLine(body);
}
```

```java
HttpResponse<String> response = Unirest.get("https://test-api.cyberproof.io/api/v1/search/autocomplete?collection=alert")
  .header("Accept", "application/json")
  .header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
  .asString();
```
GET /search/autocomplete
Returns the result of an autocomplete query
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| fieldName | query | string | false | Required in case collection is not "alertExtraProperties" or "observableExtraProperties" |
| substring | query | string | false | none |
| limit | query | number | false | none |
| collection | query | string | true | none |
Detailed descriptions
fieldName: Required in case collection is not "alertExtraProperties" or "observableExtraProperties". The value of "fieldName" depends on "collection"; for example, collection="alert", fieldName="classification". Supported values per collection:
- message
  - text
- alert
  - tags
  - observableTags
  - owner
  - mitreAttacks
  - type
  - closingReason
  - name
  - description
  - source
  - sourceId
  - sourceUrl
  - detectionRule
  - killChain
  - classification
  - threatActors
  - malwareTools
  - severity
  - status
  - threatType
  - company
  - useCase
- observable
  - tags
  - value
  - type
- incident
  - tags
  - owner
  - users
  - mitreAttacks
  - status
  - company
  - source
  - name
  - description
  - group
  - key
  - type
  - priority
  - closingReason
Enumerated Values
| Parameter | Value |
|---|---|
| collection | alert |
| collection | observable |
| collection | incident |
| collection | alertRawData |
| collection | alertExtraProperties |
| collection | observableExtraProperties |
| collection | message |
Example responses
200 Response
{
"limit": 10,
"items": [
"string"
]
}
Responses
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | A JSON object containing the results | AutocompleteSearchResponse |
| 400 | Bad Request | The request is invalid | None |
| 401 | Unauthorized | Authentication failure | None |
| 403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
| 404 | Not Found | The requested resource was not found | None |
| 422 | Unprocessable Entity | The server understands the content type of the request entity, and the syntax of the request entity is correct, but it was unable to process the contained instructions. The client should not repeat this request without modification. | None |
| 429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate limiting policy of the server. | None |
| 500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
| 502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
| 503 | Service Unavailable | The server cannot handle the request at the moment | None |
| 504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
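Both /search and /search/autocomplete reject requests whose parameters do not fit the collection being queried: a sort field that is valid for incidents is a 4xx for alerts, and fieldName is mandatory unless the collection is alertExtraProperties or observableExtraProperties. The added example below, not CyberProof's code, validates both request shapes before anything is sent, using the per-collection sort fields and autocomplete fields listed on this page; reading the collection out of the query's leading "select from <collection>" is an assumption based only on the page's sample query.

```python
"""Build and validate POST /search bodies and GET /search/autocomplete queries.

Added example, not CyberProof's code. The per-collection sort fields, the
":asc"/":desc" suffix, the default limit of 20 and the autocomplete rules
(fieldName required unless collection is alertExtraProperties or
observableExtraProperties) come from the page. Deriving the collection from
a leading "select from <collection>" is an assumption based on the page's
sample query, not on documented CDC Query Language grammar.
"""
import re
from typing import Dict, Iterable, Optional
from urllib.parse import urlencode

SORT_FIELDS = {
    "alert": {"created", "name", "severity.order", "status.order", "detected",
              "ownerRef.displayName", "source", "company", "score.value"},
    "incident": {"created", "modified", "name", "group", "company", "key",
                 "priority.order", "status.value", "ownerRef.displayName",
                 "transition.targetGroup"},
    "observable": {"created", "modified", "type", "value", "suspiciousRate", "tags",
                   "relatedAlertsLength", "relatedIncidentsLength", "isIoc"},
    "message": {"created"},
}
AUTOCOMPLETE_FIELDS = {
    "message": {"text"},
    "alert": {"tags", "observableTags", "owner", "mitreAttacks", "type", "closingReason",
              "name", "description", "source", "sourceId", "sourceUrl", "detectionRule",
              "killChain", "classification", "threatActors", "malwareTools", "severity",
              "status", "threatType", "company", "useCase"},
    "observable": {"tags", "value", "type"},
    "incident": {"tags", "owner", "users", "mitreAttacks", "status", "company", "source",
                 "name", "description", "group", "key", "type", "priority", "closingReason"},
}
NO_FIELDNAME_COLLECTIONS = {"alertExtraProperties", "observableExtraProperties"}
# alertRawData is a valid collection on the page but lists no fieldName values, so it is
# accepted without a field check below.
ALL_COLLECTIONS = set(AUTOCOMPLETE_FIELDS) | NO_FIELDNAME_COLLECTIONS | {"alertRawData"}
_SELECT_FROM = re.compile(r"^\s*select\s+from\s+(\w+)", re.IGNORECASE)


def collection_of(query: str) -> str:
    """Return the collection a CDC query targets (assumed 'select from <collection>' prefix)."""
    m = _SELECT_FROM.match(query)
    if not m or m.group(1).lower() not in SORT_FIELDS:
        raise ValueError(f"cannot determine a searchable collection from {query!r}")
    return m.group(1).lower()


def build_search_body(query: str, include: Optional[Iterable[str]] = None, limit: int = 20,
                      skip: int = 0, sort: str = "created", include_total: bool = False) -> dict:
    """Return the JSON body for POST /search after checking sort against the collection."""
    collection = collection_of(query)
    field, _, direction = sort.partition(":")
    if field not in SORT_FIELDS[collection] or direction not in ("", "asc", "desc"):
        raise ValueError(f"{sort!r} is not a valid sort for collection {collection!r}")
    if limit < 1 or skip < 0:
        raise ValueError("limit must be positive and skip non-negative")
    body = {"query": query, "limit": limit, "skip": skip, "sort": sort}
    if include:
        body["include"] = ",".join(include)  # the API wants a comma-separated string
    if include_total:
        body["includeTotal"] = True  # the page warns this lowers performance; opt in deliberately
    return body


def build_autocomplete_query(collection: str, field_name: Optional[str] = None,
                             substring: Optional[str] = None, limit: Optional[int] = None) -> str:
    """Return the path and query string for GET /search/autocomplete, enforcing the fieldName rule."""
    if collection not in ALL_COLLECTIONS:
        raise ValueError(f"unknown collection {collection!r}")
    if collection not in NO_FIELDNAME_COLLECTIONS:
        if field_name is None:
            raise ValueError(f"fieldName is required for collection {collection!r}")
        if collection in AUTOCOMPLETE_FIELDS and field_name not in AUTOCOMPLETE_FIELDS[collection]:
            raise ValueError(f"{field_name!r} is not an autocomplete field of {collection!r}")
    params: Dict[str, str] = {"collection": collection}
    if field_name is not None:
        params["fieldName"] = field_name
    if substring:
        params["substring"] = substring
    if limit is not None:
        params["limit"] = str(limit)
    return "/api/v1/search/autocomplete?" + urlencode(params)
```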
grouping
Grouping APIs
queryGroupingSettings
Code samples
```shell
curl --request GET \
  --url https://test-api.cyberproof.io/api/v1/grouping/settings \
  --header 'Accept: application/json' \
  --header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a'
```

```javascript
fetch("https://test-api.cyberproof.io/api/v1/grouping/settings", {
  "method": "GET",
  "headers": {
    "Accept": "application/json",
    "X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
  }
})
.then(response => {
  console.log(response);
})
.catch(err => {
  console.error(err);
});
```

```python
import http.client

conn = http.client.HTTPSConnection("test-api.cyberproof.io")

headers = {
    'Accept': "application/json",
    'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}

conn.request("GET", "/api/v1/grouping/settings", headers=headers)

res = conn.getresponse()
data = res.read()

print(data.decode("utf-8"))
```

```go
package main

import (
	"fmt"
	"io/ioutil"
	"log"
	"net/http"
)

func main() {
	url := "https://test-api.cyberproof.io/api/v1/grouping/settings"

	req, err := http.NewRequest("GET", url, nil)
	if err != nil {
		log.Fatal(err)
	}
	req.Header.Add("Accept", "application/json")
	req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")

	res, err := http.DefaultClient.Do(req)
	if err != nil {
		log.Fatal(err) // the generated sample ignored this error and would dereference a nil response
	}
	defer res.Body.Close()

	body, err := ioutil.ReadAll(res.Body)
	if err != nil {
		log.Fatal(err)
	}

	fmt.Println(res.Status)
	fmt.Println(string(body))
}
```

```csharp
var client = new HttpClient();
var request = new HttpRequestMessage
{
    Method = HttpMethod.Get,
    RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/grouping/settings"),
    Headers =
    {
        { "Accept", "application/json" },
        { "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
    },
};
using (var response = await client.SendAsync(request))
{
    response.EnsureSuccessStatusCode();
    var body = await response.Content.ReadAsStringAsync();
    Console.WriteLine(body);
}
```

```java
HttpResponse<String> response = Unirest.get("https://test-api.cyberproof.io/api/v1/grouping/settings")
  .header("Accept", "application/json")
  .header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
  .asString();
```
GET /grouping/settings
Returns grouping settings
NOTE: To access Grouping Settings, the user needs specific Admin privileges.
Example responses
200 Response
{
"incidentTimeLimit": 86400000,
"maxAlertsPerIncident": 150
}
Responses
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | success | Inline |
| 400 | Bad Request | The request is invalid | None |
| 401 | Unauthorized | Authentication failure | None |
| 403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
| 404 | Not Found | The requested resource was not found | None |
| 429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate-limiting policy of the server. | None |
| 500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
| 502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
| 503 | Service Unavailable | The server cannot handle the request at the moment | None |
| 504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
Response Schema
Status Code 200
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| » incidentTimeLimit | number | true | none | Time limit in milliseconds: alerts can be grouped into an incident only within this interval after the incident was created. |
| » maxAlertsPerIncident | number | true | none | Maximum number of alerts that can be attached to one incident. |
queryGroupingRules
Code samples
```shell
curl --request GET \
  --url https://test-api.cyberproof.io/api/v1/grouping/rules \
  --header 'Accept: application/json' \
  --header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a'
```

```javascript
fetch("https://test-api.cyberproof.io/api/v1/grouping/rules", {
  "method": "GET",
  "headers": {
    "Accept": "application/json",
    "X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
  }
})
.then(response => {
  console.log(response);
})
.catch(err => {
  console.error(err);
});
```

```python
import http.client

conn = http.client.HTTPSConnection("test-api.cyberproof.io")

headers = {
    'Accept': "application/json",
    'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}

conn.request("GET", "/api/v1/grouping/rules", headers=headers)

res = conn.getresponse()
data = res.read()

print(data.decode("utf-8"))
```

```go
package main

import (
    "fmt"
    "net/http"
    "io/ioutil"
)

func main() {
    url := "https://test-api.cyberproof.io/api/v1/grouping/rules"

    req, _ := http.NewRequest("GET", url, nil)

    req.Header.Add("Accept", "application/json")
    req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")

    res, _ := http.DefaultClient.Do(req)

    defer res.Body.Close()
    body, _ := ioutil.ReadAll(res.Body)

    fmt.Println(res)
    fmt.Println(string(body))
}
```

```csharp
var client = new HttpClient();
var request = new HttpRequestMessage
{
    Method = HttpMethod.Get,
    RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/grouping/rules"),
    Headers =
    {
        { "Accept", "application/json" },
        { "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
    },
};
using (var response = await client.SendAsync(request))
{
    response.EnsureSuccessStatusCode();
    var body = await response.Content.ReadAsStringAsync();
    Console.WriteLine(body);
}
```

```java
HttpResponse<String> response = Unirest.get("https://test-api.cyberproof.io/api/v1/grouping/rules")
  .header("Accept", "application/json")
  .header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
  .asString();
```
GET /grouping/rules
Returns a full list of grouping settings
NOTE: To access Grouping Rules, the user needs specific Admin privileges.
Example responses
200 Response
{
"results": [
{
"id": "5e7c6cf54b832e0018f191ad",
"title": "PhishingRule",
"comment": "5e7c6cf54b832e0018f191ad",
"order": 1,
"enabled": true,
"criteria": [
{
"fieldName": "observables",
"operator": "allOf",
"matchValue": [
{
"type": "IPv4 address"
},
{
"type": "IPv6 address"
}
]
}
]
}
]
}
Responses
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | success | Inline |
| 400 | Bad Request | The request is invalid | None |
| 401 | Unauthorized | Authentication failure | None |
| 403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
| 404 | Not Found | The requested resource was not found | None |
| 429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate-limiting policy of the server. | None |
| 500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
| 502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
| 503 | Service Unavailable | The server cannot handle the request at the moment | None |
| 504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
Response Schema
Status Code 200
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| » results | [object] | true | none | none |
| »» id | string | true | none | A unique, machine-oriented ID identifying this rule. |
| »» title | string | true | none | Rule title |
| »» comment | string | false | none | Rule comment |
| »» order | number | true | none | Order in which rules are executed |
| »» enabled | boolean | true | none | Whether the rule is enabled |
| »» criteria | [object] | true | none | Criteria of the rule |
| »»» fieldName | string | true | none | Name of the field to compare |
| »»» operator | string | true | none | Comparison operator |
| »»» matchValue | any | false | none | Comparison value |
Enumerated Values
| Property | Value |
|---|---|
| operator | equals |
| operator | allOf |
| operator | oneOf |
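An offline evaluator for the two documents above (an added example, not CyberProof code): it applies a rule's criteria to an alert document, honours `order` and `enabled`, and checks an alert against `incidentTimeLimit` and `maxAlertsPerIncident`. The meaning of `equals`, `allOf` and `oneOf`, and the exact, case-sensitive comparison of `matchValue` entries, are assumptions of this example, since the page lists the operators without defining them.

```python
"""Offline model of GET /grouping/settings and GET /grouping/rules documents.
Added example, not CyberProof code. Operator semantics are assumed."""
from typing import Any, Optional

# Constructed sample: the settings document shown in the page's 200 response.
SETTINGS = {"incidentTimeLimit": 86400000, "maxAlertsPerIncident": 150}

# Constructed sample rule, shaped like the page's GET /grouping/rules response.
RULES = [
    {
        "id": "5e7c6cf54b832e0018f191ad",
        "title": "PhishingRule",
        "order": 1,
        "enabled": True,
        "criteria": [
            {
                "fieldName": "observables",
                "operator": "allOf",
                "matchValue": [{"type": "IPv4 address"}, {"type": "IPv6 address"}],
            }
        ],
    }
]


def _item_matches(item: Any, pattern: Any) -> bool:
    """A list element matches a matchValue entry when every key of the entry
    is present with an equal value (exact, case-sensitive; an assumption)."""
    if isinstance(pattern, dict) and isinstance(item, dict):
        return all(item.get(k) == v for k, v in pattern.items())
    return item == pattern


def criterion_holds(alert: dict, criterion: dict) -> bool:
    """Evaluate one criterion of a rule against an alert document."""
    value = alert.get(criterion["fieldName"])
    operator = criterion["operator"]
    match_value = criterion.get("matchValue")
    if operator == "equals":
        return value == match_value
    items = value if isinstance(value, list) else ([] if value is None else [value])
    patterns = match_value if isinstance(match_value, list) else [match_value]
    # one flag per matchValue entry: is it present among the alert's items?
    hits = [any(_item_matches(i, p) for i in items) for p in patterns]
    if operator == "allOf":      # every listed match value must be present
        return bool(hits) and all(hits)
    if operator == "oneOf":      # at least one listed match value must be present
        return any(hits)
    raise ValueError(f"unsupported operator: {operator}")


def first_matching_rule(alert: dict, rules: list) -> Optional[dict]:
    """Rules run in 'order'; disabled rules are skipped; all criteria must hold."""
    for rule in sorted(rules, key=lambda r: r["order"]):
        if not rule.get("enabled", False):
            continue
        if all(criterion_holds(alert, c) for c in rule["criteria"]):
            return rule
    return None


def can_attach(incident: dict, alert_created_ms: int, settings: dict) -> bool:
    """Apply the two limits from GET /grouping/settings: the alert must fall
    within incidentTimeLimit ms after the incident's creation, and the incident
    must still have room under maxAlertsPerIncident."""
    age_ms = alert_created_ms - incident["createdAt"]
    within_window = 0 <= age_ms <= settings["incidentTimeLimit"]
    has_room = incident["alertCount"] < settings["maxAlertsPerIncident"]
    return within_window and has_room


if __name__ == "__main__":
    # Constructed alert carrying both observable types the sample rule requires.
    alert = {"observables": [{"type": "IPv4 address", "value": "192.0.2.10"},
                             {"type": "IPv6 address", "value": "2001:db8::1"}]}
    print(first_matching_rule(alert, RULES)["title"])            # PhishingRule
    print(can_attach({"createdAt": 0, "alertCount": 149}, 86400000, SETTINGS))  # True
```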
alert-extended-properties
getExtendedProperties
Code samples
```shell
curl --request GET \
  --url https://test-api.cyberproof.io/api/v1/alerts/string/extended-properties \
  --header 'Accept: application/json' \
  --header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a'
```

```javascript
fetch("https://test-api.cyberproof.io/api/v1/alerts/string/extended-properties", {
  "method": "GET",
  "headers": {
    "Accept": "application/json",
    "X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
  }
})
.then(response => {
  console.log(response);
})
.catch(err => {
  console.error(err);
});
```

```python
import http.client

conn = http.client.HTTPSConnection("test-api.cyberproof.io")

headers = {
    'Accept': "application/json",
    'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}

conn.request("GET", "/api/v1/alerts/string/extended-properties", headers=headers)

res = conn.getresponse()
data = res.read()

print(data.decode("utf-8"))
```

```go
package main

import (
    "fmt"
    "net/http"
    "io/ioutil"
)

func main() {
    url := "https://test-api.cyberproof.io/api/v1/alerts/string/extended-properties"

    req, _ := http.NewRequest("GET", url, nil)

    req.Header.Add("Accept", "application/json")
    req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")

    res, _ := http.DefaultClient.Do(req)

    defer res.Body.Close()
    body, _ := ioutil.ReadAll(res.Body)

    fmt.Println(res)
    fmt.Println(string(body))
}
```

```csharp
var client = new HttpClient();
var request = new HttpRequestMessage
{
    Method = HttpMethod.Get,
    RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/alerts/string/extended-properties"),
    Headers =
    {
        { "Accept", "application/json" },
        { "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
    },
};
using (var response = await client.SendAsync(request))
{
    response.EnsureSuccessStatusCode();
    var body = await response.Content.ReadAsStringAsync();
    Console.WriteLine(body);
}
```

```java
HttpResponse<String> response = Unirest.get("https://test-api.cyberproof.io/api/v1/alerts/string/extended-properties")
  .header("Accept", "application/json")
  .header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
  .asString();
```
GET /alerts/{alertId}/extended-properties
Query alert extended properties, with support for filters and pagination. The default limit is 1000 documents per request.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| alertId | path | string | true | none |
| names | query | array[string] | false | List of internal field names of the custom-field schema |
| ids | query | array[string] | false | List of database document identifiers |
| marker | query | string | false | none |
Example responses
200 Response
{
"results": [
{
"name": "string",
"value": {},
"id": "string",
"createdBy": "string",
"updatedBy": "string",
"createdAt": "string",
"updatedAt": "string"
}
],
"nextMarker": "string"
}
Responses
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | Response for query alert extended properties | QueryAlertExtendedPropertiesResponse |
| 400 | Bad Request | The request is invalid | None |
| 401 | Unauthorized | Authentication failure | None |
| 403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
| 404 | Not Found | The requested resource was not found | None |
| 413 | Payload Too Large | The payload sent by the client exceeds the size limits imposed by the server | None |
| 429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate-limiting policy of the server. | None |
| 500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
| 502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
| 503 | Service Unavailable | The server cannot handle the request at the moment | None |
| 504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
setExtendedProperties
Code samples
```shell
curl --request POST \
  --url https://test-api.cyberproof.io/api/v1/alerts/string/extended-properties \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a' \
  --data '{"request":[{"name":"string","value":{}}]}'
```

```javascript
fetch("https://test-api.cyberproof.io/api/v1/alerts/string/extended-properties", {
  "method": "POST",
  "headers": {
    "Content-Type": "application/json",
    "Accept": "application/json",
    "X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
  },
  "body": "{\"request\":[{\"name\":\"string\",\"value\":{}}]}"
})
.then(response => {
  console.log(response);
})
.catch(err => {
  console.error(err);
});
```

```python
import http.client

conn = http.client.HTTPSConnection("test-api.cyberproof.io")

payload = "{\"request\":[{\"name\":\"string\",\"value\":{}}]}"

headers = {
    'Content-Type': "application/json",
    'Accept': "application/json",
    'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}

conn.request("POST", "/api/v1/alerts/string/extended-properties", payload, headers)

res = conn.getresponse()
data = res.read()

print(data.decode("utf-8"))
```

```go
package main

import (
    "fmt"
    "strings"
    "net/http"
    "io/ioutil"
)

func main() {
    url := "https://test-api.cyberproof.io/api/v1/alerts/string/extended-properties"

    payload := strings.NewReader("{\"request\":[{\"name\":\"string\",\"value\":{}}]}")

    req, _ := http.NewRequest("POST", url, payload)

    req.Header.Add("Content-Type", "application/json")
    req.Header.Add("Accept", "application/json")
    req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")

    res, _ := http.DefaultClient.Do(req)

    defer res.Body.Close()
    body, _ := ioutil.ReadAll(res.Body)

    fmt.Println(res)
    fmt.Println(string(body))
}
```

```csharp
var client = new HttpClient();
var request = new HttpRequestMessage
{
    Method = HttpMethod.Post,
    RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/alerts/string/extended-properties"),
    Headers =
    {
        { "Accept", "application/json" },
        { "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
    },
    Content = new StringContent("{\"request\":[{\"name\":\"string\",\"value\":{}}]}")
    {
        Headers =
        {
            ContentType = new MediaTypeHeaderValue("application/json")
        }
    }
};
using (var response = await client.SendAsync(request))
{
    response.EnsureSuccessStatusCode();
    var body = await response.Content.ReadAsStringAsync();
    Console.WriteLine(body);
}
```

```java
HttpResponse<String> response = Unirest.post("https://test-api.cyberproof.io/api/v1/alerts/string/extended-properties")
  .header("Content-Type", "application/json")
  .header("Accept", "application/json")
  .header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
  .body("{\"request\":[{\"name\":\"string\",\"value\":{}}]}")
  .asString();
```
POST /alerts/{alertId}/extended-properties
Set alert extended properties
Body parameter
{
"request": [
{
"name": "string",
"value": {}
}
]
}
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| alertId | path | string | true | none |
| body | body | CreateAlertsExtendedPropertiesRequest | true | none |
Example responses
200 Response
{
"results": [
{
"name": "string",
"value": {},
"id": "string",
"createdBy": "string",
"updatedBy": "string",
"createdAt": "string",
"updatedAt": "string"
}
]
}
Responses
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | Response for create alert extended properties | CreateAlertExtendedPropertiesResponse |
| 400 | Bad Request | The request is invalid | None |
| 401 | Unauthorized | Authentication failure | None |
| 403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
| 404 | Not Found | The requested resource was not found | None |
| 413 | Payload Too Large | The payload sent by the client exceeds the size limits imposed by the server | None |
| 429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate-limiting policy of the server. | None |
| 500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
| 502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
| 503 | Service Unavailable | The server cannot handle the request at the moment | None |
| 504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
incident-summary
getIncidentSummary
Code samples
```shell
curl --request GET \
  --url https://test-api.cyberproof.io/api/v1/incidents/string/summary \
  --header 'Accept: application/json' \
  --header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a'
```

```javascript
fetch("https://test-api.cyberproof.io/api/v1/incidents/string/summary", {
  "method": "GET",
  "headers": {
    "Accept": "application/json",
    "X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
  }
})
.then(response => {
  console.log(response);
})
.catch(err => {
  console.error(err);
});
```

```python
import http.client

conn = http.client.HTTPSConnection("test-api.cyberproof.io")

headers = {
    'Accept': "application/json",
    'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}

conn.request("GET", "/api/v1/incidents/string/summary", headers=headers)

res = conn.getresponse()
data = res.read()

print(data.decode("utf-8"))
```

```go
package main

import (
    "fmt"
    "net/http"
    "io/ioutil"
)

func main() {
    url := "https://test-api.cyberproof.io/api/v1/incidents/string/summary"

    req, _ := http.NewRequest("GET", url, nil)

    req.Header.Add("Accept", "application/json")
    req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")

    res, _ := http.DefaultClient.Do(req)

    defer res.Body.Close()
    body, _ := ioutil.ReadAll(res.Body)

    fmt.Println(res)
    fmt.Println(string(body))
}
```

```csharp
var client = new HttpClient();
var request = new HttpRequestMessage
{
    Method = HttpMethod.Get,
    RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/incidents/string/summary"),
    Headers =
    {
        { "Accept", "application/json" },
        { "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
    },
};
using (var response = await client.SendAsync(request))
{
    response.EnsureSuccessStatusCode();
    var body = await response.Content.ReadAsStringAsync();
    Console.WriteLine(body);
}
```

```java
HttpResponse<String> response = Unirest.get("https://test-api.cyberproof.io/api/v1/incidents/string/summary")
  .header("Accept", "application/json")
  .header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
  .asString();
```
GET /incidents/{incidentId}/summary
Query incident summary
Query incident summary, with support for filters and pagination. The default limit is 1000 documents per request.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| incidentId | path | string | true | none |
| names | query | array[string] | false | List of internal field names of the custom-field schema |
| ids | query | array[string] | false | List of database document identifiers |
| marker | query | string | false | none |
Example responses
200 Response
{
"results": [
{
"name": "string",
"value": {},
"id": "string",
"createdBy": "string",
"updatedBy": "string",
"createdAt": "string",
"updatedAt": "string"
}
],
"nextMarker": "string"
}
Responses
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | Response for query incident summary public | QueryIncidentSummaryResponse |
| 400 | Bad Request | The request is invalid | None |
| 401 | Unauthorized | Authentication failure | None |
| 403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
| 404 | Not Found | The requested resource was not found | None |
| 413 | Payload Too Large | The payload sent by the client exceeds the size limits imposed by the server | None |
| 429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate-limiting policy of the server. | None |
| 500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
| 502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
| 503 | Service Unavailable | The server cannot handle the request at the moment | None |
| 504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
setIncidentSummary
Code samples
```shell
curl --request POST \
  --url https://test-api.cyberproof.io/api/v1/incidents/string/summary \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a' \
  --data '{"request":[{"name":"string","value":{}}]}'
```

```javascript
fetch("https://test-api.cyberproof.io/api/v1/incidents/string/summary", {
  "method": "POST",
  "headers": {
    "Content-Type": "application/json",
    "Accept": "application/json",
    "X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
  },
  "body": "{\"request\":[{\"name\":\"string\",\"value\":{}}]}"
})
.then(response => {
  console.log(response);
})
.catch(err => {
  console.error(err);
});
```

```python
import http.client

conn = http.client.HTTPSConnection("test-api.cyberproof.io")

payload = "{\"request\":[{\"name\":\"string\",\"value\":{}}]}"

headers = {
    'Content-Type': "application/json",
    'Accept': "application/json",
    'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}

conn.request("POST", "/api/v1/incidents/string/summary", payload, headers)

res = conn.getresponse()
data = res.read()

print(data.decode("utf-8"))
```

```go
package main

import (
    "fmt"
    "strings"
    "net/http"
    "io/ioutil"
)

func main() {
    url := "https://test-api.cyberproof.io/api/v1/incidents/string/summary"

    payload := strings.NewReader("{\"request\":[{\"name\":\"string\",\"value\":{}}]}")

    req, _ := http.NewRequest("POST", url, payload)

    req.Header.Add("Content-Type", "application/json")
    req.Header.Add("Accept", "application/json")
    req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")

    res, _ := http.DefaultClient.Do(req)

    defer res.Body.Close()
    body, _ := ioutil.ReadAll(res.Body)

    fmt.Println(res)
    fmt.Println(string(body))
}
```

```csharp
var client = new HttpClient();
var request = new HttpRequestMessage
{
    Method = HttpMethod.Post,
    RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/incidents/string/summary"),
    Headers =
    {
        { "Accept", "application/json" },
        { "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
    },
    Content = new StringContent("{\"request\":[{\"name\":\"string\",\"value\":{}}]}")
    {
        Headers =
        {
            ContentType = new MediaTypeHeaderValue("application/json")
        }
    }
};
using (var response = await client.SendAsync(request))
{
    response.EnsureSuccessStatusCode();
    var body = await response.Content.ReadAsStringAsync();
    Console.WriteLine(body);
}
```

```java
HttpResponse<String> response = Unirest.post("https://test-api.cyberproof.io/api/v1/incidents/string/summary")
  .header("Content-Type", "application/json")
  .header("Accept", "application/json")
  .header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
  .body("{\"request\":[{\"name\":\"string\",\"value\":{}}]}")
  .asString();
```
POST /incidents/{incidentId}/summary
Set incident summary
Body parameter
{
"request": [
{
"name": "string",
"value": {}
}
]
}
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| incidentId | path | string | true | none |
| body | body | CreateIncidentsSummaryRequest | true | none |
Example responses
200 Response
{
"results": [
{
"name": "string",
"value": {},
"id": "string",
"createdBy": "string",
"updatedBy": "string",
"createdAt": "string",
"updatedAt": "string"
}
]
}
Responses
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | Response for Create incident summary | CreateIncidentSummaryResponse |
| 400 | Bad Request | The request is invalid | None |
| 401 | Unauthorized | Authentication failure | None |
| 403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
| 404 | Not Found | The requested resource was not found | None |
| 413 | Payload Too Large | The payload sent by the client exceeds the size limits imposed by the server | None |
| 429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate-limiting policy of the server. | None |
| 500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
| 502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
| 503 | Service Unavailable | The server cannot handle the request at the moment | None |
| 504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
messages
createMessage
Code samples
```shell
curl --request POST \
  --url https://test-api.cyberproof.io/api/v1/messages \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a' \
  --data '{"externalId":"111e3cf9-da0e-46a1-b099-3fd2e653ecbd","scope":{"id":"616ea579f2631c8d4c68a1b7","type":"alert"},"parentMessageId":"616ea579f2631c8d4c68a1b7","attachmentIds":["616ea579f2631c8d4c68a1b7"],"content":{"message":"some text <b>bold</b> message","contentType":"text"}}'
```

```javascript
fetch("https://test-api.cyberproof.io/api/v1/messages", {
  "method": "POST",
  "headers": {
    "Content-Type": "application/json",
    "Accept": "application/json",
    "X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
  },
  "body": "{\"externalId\":\"111e3cf9-da0e-46a1-b099-3fd2e653ecbd\",\"scope\":{\"id\":\"616ea579f2631c8d4c68a1b7\",\"type\":\"alert\"},\"parentMessageId\":\"616ea579f2631c8d4c68a1b7\",\"attachmentIds\":[\"616ea579f2631c8d4c68a1b7\"],\"content\":{\"message\":\"some text <b>bold</b> message\",\"contentType\":\"text\"}}"
})
.then(response => {
  console.log(response);
})
.catch(err => {
  console.error(err);
});
```

```python
import http.client

conn = http.client.HTTPSConnection("test-api.cyberproof.io")

payload = "{\"externalId\":\"111e3cf9-da0e-46a1-b099-3fd2e653ecbd\",\"scope\":{\"id\":\"616ea579f2631c8d4c68a1b7\",\"type\":\"alert\"},\"parentMessageId\":\"616ea579f2631c8d4c68a1b7\",\"attachmentIds\":[\"616ea579f2631c8d4c68a1b7\"],\"content\":{\"message\":\"some text <b>bold</b> message\",\"contentType\":\"text\"}}"

headers = {
    'Content-Type': "application/json",
    'Accept': "application/json",
    'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}

conn.request("POST", "/api/v1/messages", payload, headers)

res = conn.getresponse()
data = res.read()

print(data.decode("utf-8"))
```

```go
package main

import (
    "fmt"
    "strings"
    "net/http"
    "io/ioutil"
)

func main() {
    url := "https://test-api.cyberproof.io/api/v1/messages"

    payload := strings.NewReader("{\"externalId\":\"111e3cf9-da0e-46a1-b099-3fd2e653ecbd\",\"scope\":{\"id\":\"616ea579f2631c8d4c68a1b7\",\"type\":\"alert\"},\"parentMessageId\":\"616ea579f2631c8d4c68a1b7\",\"attachmentIds\":[\"616ea579f2631c8d4c68a1b7\"],\"content\":{\"message\":\"some text <b>bold</b> message\",\"contentType\":\"text\"}}")

    req, _ := http.NewRequest("POST", url, payload)

    req.Header.Add("Content-Type", "application/json")
    req.Header.Add("Accept", "application/json")
    req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")

    res, _ := http.DefaultClient.Do(req)

    defer res.Body.Close()
    body, _ := ioutil.ReadAll(res.Body)

    fmt.Println(res)
    fmt.Println(string(body))
}
```

```csharp
var client = new HttpClient();
var request = new HttpRequestMessage
{
    Method = HttpMethod.Post,
    RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/messages"),
    Headers =
    {
        { "Accept", "application/json" },
        { "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
    },
    Content = new StringContent("{\"externalId\":\"111e3cf9-da0e-46a1-b099-3fd2e653ecbd\",\"scope\":{\"id\":\"616ea579f2631c8d4c68a1b7\",\"type\":\"alert\"},\"parentMessageId\":\"616ea579f2631c8d4c68a1b7\",\"attachmentIds\":[\"616ea579f2631c8d4c68a1b7\"],\"content\":{\"message\":\"some text <b>bold</b> message\",\"contentType\":\"text\"}}")
    {
        Headers =
        {
            ContentType = new MediaTypeHeaderValue("application/json")
        }
    }
};
using (var response = await client.SendAsync(request))
{
    response.EnsureSuccessStatusCode();
    var body = await response.Content.ReadAsStringAsync();
    Console.WriteLine(body);
}
```

```java
HttpResponse<String> response = Unirest.post("https://test-api.cyberproof.io/api/v1/messages")
  .header("Content-Type", "application/json")
  .header("Accept", "application/json")
  .header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
  .body("{\"externalId\":\"111e3cf9-da0e-46a1-b099-3fd2e653ecbd\",\"scope\":{\"id\":\"616ea579f2631c8d4c68a1b7\",\"type\":\"alert\"},\"parentMessageId\":\"616ea579f2631c8d4c68a1b7\",\"attachmentIds\":[\"616ea579f2631c8d4c68a1b7\"],\"content\":{\"message\":\"some text <b>bold</b> message\",\"contentType\":\"text\"}}")
  .asString();
```
POST /messages
Create a new message
Body parameter
{
"externalId": "111e3cf9-da0e-46a1-b099-3fd2e653ecbd",
"scope": {
"id": "616ea579f2631c8d4c68a1b7",
"type": "alert"
},
"parentMessageId": "616ea579f2631c8d4c68a1b7",
"attachmentIds": [
"616ea579f2631c8d4c68a1b7"
],
"content": {
"message": "some text <b>bold</b> message",
"contentType": "text"
}
}
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| body | body | MessageCreateRequest | true | none |
Example responses
201 Response
{
"id": "616ea579f2631c8d4c68a1b7",
"externalId": "111e3cf9-da0e-46a1-b099-3fd2e653ecbd",
"scope": {
"id": "616ea579f2631c8d4c68a1b7",
"type": "alert"
},
"parentMessageId": "616ea579f2631c8d4c68a1b7",
"attachmentIds": [
"616ea579f2631c8d4c68a1b7"
],
"content": {
"message": "some text <b>bold</b> message",
"contentType": "text"
},
"attachments": [
{
"status": "uploaded",
"id": "5e7c6cf54b832e0018f191ad",
"name": "attachment.txt",
"scope": {
"id": "616ea579f2631c8d4c68a1b7",
"type": "alert"
},
"url": "https://someDomain/somePath/attachment.txt",
"size": 2680000,
"mimeType": "text/plain",
"extension": "txt",
"createdAt": "2019-08-24T14:15:22Z",
"createdBy": "8e2c4cf54b832e0018f191ad",
"relations": [
{
"type": "vega",
"id": "8e2c4cf54b832e0018f191ad"
}
]
}
]
}
Responses
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 201 | Created | A JSON object containing the results and additional information | Message |
| 400 | Bad Request | The request is invalid | None |
| 401 | Unauthorized | Authentication failure | None |
| 403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
| 413 | Payload Too Large | The payload sent by the client exceeds the size limits imposed by the server | None |
| 429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate-limiting policy of the server. | None |
| 500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
| 502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
| 503 | Service Unavailable | The server cannot handle the request at the moment | None |
| 504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
queryMessages
Code samples
```shell
curl --request GET \
  --url 'https://test-api.cyberproof.io/api/v1/messages?scopeType=alert' \
  --header 'Accept: application/json' \
  --header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a'
```

```javascript
fetch("https://test-api.cyberproof.io/api/v1/messages?scopeType=alert", {
  "method": "GET",
  "headers": {
    "Accept": "application/json",
    "X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
  }
})
.then(response => {
  console.log(response);
})
.catch(err => {
  console.error(err);
});
```

```python
import http.client

conn = http.client.HTTPSConnection("test-api.cyberproof.io")

headers = {
    'Accept': "application/json",
    'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}

conn.request("GET", "/api/v1/messages?scopeType=alert", headers=headers)

res = conn.getresponse()
data = res.read()

print(data.decode("utf-8"))
```

```go
package main

import (
    "fmt"
    "net/http"
    "io/ioutil"
)

func main() {
    url := "https://test-api.cyberproof.io/api/v1/messages?scopeType=alert"

    req, _ := http.NewRequest("GET", url, nil)

    req.Header.Add("Accept", "application/json")
    req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")

    res, _ := http.DefaultClient.Do(req)

    defer res.Body.Close()
    body, _ := ioutil.ReadAll(res.Body)

    fmt.Println(res)
    fmt.Println(string(body))
}
```

```csharp
var client = new HttpClient();
var request = new HttpRequestMessage
{
    Method = HttpMethod.Get,
    RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/messages?scopeType=alert"),
    Headers =
    {
        { "Accept", "application/json" },
        { "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
    },
};
using (var response = await client.SendAsync(request))
{
    response.EnsureSuccessStatusCode();
    var body = await response.Content.ReadAsStringAsync();
    Console.WriteLine(body);
}
```

```java
HttpResponse<String> response = Unirest.get("https://test-api.cyberproof.io/api/v1/messages?scopeType=alert")
  .header("Accept", "application/json")
  .header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
  .asString();
```
GET /messages
Queries messages based on filters provided by the client. For synchronization purposes, use the updatedAfter filter option.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| marker | query | string(byte) | false | A continuation token, used to retrieve the next results page. |
| scopeType | query | string | true | The type of the entity ( alert / incident / channel ...) |
| scopeId | query | string | false | Filter by the ID of the entity as saved in the system; must be supplied together with scopeType. |
| fileNames | query | array[string] | false | Filter by messages that include an attached file with this name. Note: if "fileIds" is supplied, this field is ignored. |
| fileIds | query | array[string] | false | Filter by messages that include an attached file with this ID. Note: this takes precedence over "fileNames". |
| hasAttachments | query | boolean | false | Filter by messages with or without attachments. |
| createdBy | query | string | false | Include only those which were created by a specific user ID |
| createdBefore | query | string(date-time) | false | Include only those which were created before the specified timestamp (exclusive) |
| createdAfter | query | string(date-time) | false | Include only those which were created after or at the specified timestamp (inclusive) |
Enumerated Values
| Parameter | Value |
|---|---|
| scopeType | alert |
| scopeType | incident |
| scopeType | channel |
Example responses
200 Response
{
"nextMarker": "string",
"results": [
{
"id": "616ea579f2631c8d4c68a1b7",
"externalId": "111e3cf9-da0e-46a1-b099-3fd2e653ecbd",
"scope": {
"id": "616ea579f2631c8d4c68a1b7",
"type": "alert"
},
"parentMessageId": "616ea579f2631c8d4c68a1b7",
"attachmentIds": [
"616ea579f2631c8d4c68a1b7"
],
"content": {
"message": "some text <b>bold</b> message",
"contentType": "text"
}
}
]
}
Responses
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | A JSON object containing the results and additional information | MessagesQueryResults |
| 400 | Bad Request | The request is invalid | None |
| 401 | Unauthorized | Authentication failure | None |
| 403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
| 413 | Payload Too Large | The payload sent by the client exceeds the size limits imposed by the server | None |
| 429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate limiting policy of the server. | None |
| 500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
| 502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
| 503 | Service Unavailable | The server cannot handle the request at the moment | None |
| 504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
custom-fields
queryCustomFieldsSchemasPublic
Code samples
```shell
curl --request GET \
  --url https://test-api.cyberproof.io/api/v1/custom-fields/settings \
  --header 'Accept: application/json' \
  --header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a'
```

```javascript
fetch("https://test-api.cyberproof.io/api/v1/custom-fields/settings", {
  "method": "GET",
  "headers": {
    "Accept": "application/json",
    "X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
  }
})
.then(response => {
  console.log(response);
})
.catch(err => {
  console.error(err);
});
```

```python
import http.client

conn = http.client.HTTPSConnection("test-api.cyberproof.io")
headers = {
    'Accept': "application/json",
    'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("GET", "/api/v1/custom-fields/settings", headers=headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
```

```go
package main

import (
	"fmt"
	"net/http"
	"io/ioutil"
)

func main() {
	url := "https://test-api.cyberproof.io/api/v1/custom-fields/settings"
	req, _ := http.NewRequest("GET", url, nil)
	req.Header.Add("Accept", "application/json")
	req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
	res, _ := http.DefaultClient.Do(req)
	defer res.Body.Close()
	body, _ := ioutil.ReadAll(res.Body)
	fmt.Println(res)
	fmt.Println(string(body))
}
```

```csharp
var client = new HttpClient();
var request = new HttpRequestMessage
{
    Method = HttpMethod.Get,
    RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/custom-fields/settings"),
    Headers =
    {
        { "Accept", "application/json" },
        { "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
    },
};
using (var response = await client.SendAsync(request))
{
    response.EnsureSuccessStatusCode();
    var body = await response.Content.ReadAsStringAsync();
    Console.WriteLine(body);
}
```

```java
HttpResponse<String> response = Unirest.get("https://test-api.cyberproof.io/api/v1/custom-fields/settings")
  .header("Accept", "application/json")
  .header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
  .asString();
```
GET /custom-fields/settings
Read custom fields setting/schemas
Query custom fields schema with support for filters and pagination
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| sort | query | array[string] | false | fields to sort by |
| includeTotal | query | boolean | false | include total count on response (slower) |
| ids | query | array[string] | false | List of the database document identifiers |
| type | query | CustomFieldsSchemaTypesEnum | false | Enum values for the available data types, e.g. TEXT, RICH_TEXT, NUMBER. |
| scope | query | EntityScopes | false | Enum values for the available scopes, e.g. SUMMARY, ADDITIONAL_INFO. |
| marker | query | string | false | none |
| label | query | string | false | none |
| fieldName | query | string | false | none |
| entityType | query | string | false | none |
| classifications | query | array[string] | false | none |
| visible | query | boolean | false | none |
| order | query | number | false | none |
| deleted | query | boolean | false | none |
Enumerated Values
| Parameter | Value |
|---|---|
| sort | label |
| sort | label:desc |
| sort | fieldName |
| sort | fieldName:desc |
| sort | entityType |
| sort | entityType:desc |
| sort | classifications |
| sort | classifications:desc |
| sort | scope |
| sort | scope:desc |
| sort | order |
| sort | order:desc |
| sort | type |
| sort | type:desc |
| sort | visible |
| sort | visible:desc |
| sort | deleted |
| sort | deleted:desc |
| type | TEXT |
| type | RICH_TEXT |
| type | |
| type | NUMBER |
| type | IPV4 |
| type | IPV6 |
| type | DATETIME |
| type | TEXT_LIST |
| type | BOOLEAN_RADIO |
| scope | ADDITIONAL_INFO |
| scope | SUMMARY |
| entityType | ALERT |
| entityType | INCIDENT |
Example responses
200 Response
{
"total": 0,
"results": [
{
"id": "string",
"label": "string",
"fieldName": "string",
"entityType": "ALERT",
"classifications": [
"string"
],
"type": "TEXT",
"scope": "ADDITIONAL_INFO",
"order": 0,
"visible": true,
"deleted": true,
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z"
}
],
"nextMarker": "string"
}
Responses
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | Response for query schema | QueryCustomFieldSchemaResponse |
| 400 | Bad Request | The request is invalid | None |
| 401 | Unauthorized | Authentication failure | None |
| 403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
| 404 | Not Found | The requested resource was not found | None |
| 409 | Conflict | The request conflicts with the current state of the resource. | None |
| 410 | Gone | The resource requested is no longer available and will not be available again. The resource could have been intentionally removed and should be purged. The client should not request the resource in the future. | None |
| 413 | Payload Too Large | The payload sent by the client exceeds the size limits imposed by the server | None |
| 429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate limiting policy of the server. | None |
| 500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
| 502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
| 503 | Service Unavailable | The server cannot handle the request at the moment | None |
| 504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
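GET /messages and GET /custom-fields/settings above both page their results through the marker request parameter and the nextMarker response field, and both answer 429 when the client should back off. The client below is an added example, not CyberProof's own code: it follows nextMarker until it is empty, retries 429 with exponential back-off, and refuses to loop on a repeated marker. The repeated-key encoding of array parameters such as fileIds is an assumption (the reference does not state the array encoding), as is the constructed demo transport that stands in for the real server.

```python
import json
import time
import urllib.parse
import http.client


class ApiError(Exception):
    """Raised for any non-retryable, non-200 status."""


def build_path(path, params):
    """Append query parameters to `path`, skipping unset values.

    Array parameters (fileIds, fileNames, ids, sort ...) are sent as repeated
    keys; this encoding is an assumption, the reference does not state one.
    """
    pairs = []
    for key, value in params.items():
        if value is None or value == "":
            continue
        if isinstance(value, (list, tuple)):
            pairs.extend((key, item) for item in value)
        else:
            pairs.append((key, value))
    return path + ("?" + urllib.parse.urlencode(pairs) if pairs else "")


def https_fetch(host, api_key):
    """Return fetch(path) -> (status, body) using http.client and X-API-KEY."""
    def fetch(path):
        conn = http.client.HTTPSConnection(host, timeout=30)
        try:
            conn.request("GET", path, headers={"Accept": "application/json",
                                               "X-API-KEY": api_key})
            res = conn.getresponse()
            raw = res.read()
        finally:
            conn.close()
        return res.status, (json.loads(raw.decode("utf-8")) if raw else {})
    return fetch


def iter_results(fetch, path, params, max_attempts=5, sleep=time.sleep):
    """Yield every result across all pages of a marker-paginated query.

    `fetch(path)` must return (status, parsed_json). A 429 is retried with
    exponential back-off; any other non-200 status raises ApiError.
    """
    marker = None
    seen_markers = set()                # a repeated marker would loop forever
    while True:
        query = dict(params)
        if marker:
            query["marker"] = marker
        full_path = build_path(path, query)
        delay = 1.0
        for _ in range(max_attempts):
            status, body = fetch(full_path)
            if status != 429:
                break
            sleep(delay)                # honour the throttle before retrying
            delay *= 2
        else:
            raise ApiError(f"still throttled after {max_attempts} attempts: {full_path}")
        if status != 200:
            raise ApiError(f"HTTP {status} for {full_path}")
        yield from body.get("results", [])
        marker = body.get("nextMarker") or ""
        if not marker:                  # empty nextMarker means the last page
            return
        if marker in seen_markers:
            raise ApiError("server repeated a nextMarker; aborting")
        seen_markers.add(marker)


def alert_messages(fetch, scope_id=None, created_after=None, file_ids=None):
    """All messages in alert scope; scopeId is only valid together with scopeType."""
    params = {"scopeType": "alert", "scopeId": scope_id,
              "createdAfter": created_after, "fileIds": file_ids}
    return list(iter_results(fetch, "/api/v1/messages", params))


def demo_fetch():
    """Constructed stand-in for the server: two pages, the second throttled once."""
    throttled = {"done": False}
    pages = {
        "/api/v1/messages?scopeType=alert":
            (200, {"nextMarker": "m1", "results": [{"id": "msg-1"}]}),
        "/api/v1/messages?scopeType=alert&marker=m1":
            (200, {"nextMarker": "", "results": [{"id": "msg-2"}]}),
    }

    def fetch(path):
        if path.endswith("marker=m1") and not throttled["done"]:
            throttled["done"] = True
            return 429, {}
        return pages[path]
    return fetch


if __name__ == "__main__":
    # Real use: fetch = https_fetch("test-api.cyberproof.io", "<your API key>")
    for message in alert_messages(demo_fetch()):
        print(message["id"])
```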
Schemas
CreateAlertRequest
{
"name": "Email messages containing malware removed after delivery",
"sourceId": "345ffe9a",
"severity": "High",
"description": "message containing malware are delivered to mailboxes in your organization. Office 365 removed the infected messages from Exchange Online mailboxes.",
"sourceUrl": "http://10.0.0.90/MySIEM/api/alerts/345ffe9a",
"raw": {
"attributeInitializationInProgress": false,
"createdTime": {
"day": {
"numberInt": "18"
},
"hour": {
"numberInt": "16"
},
"milliSecond": {
"numberInt": "711"
},
"minute": {
"numberInt": "10"
},
"month": {
"numberInt": "6"
},
"second": {
"numberInt": "47"
},
"timezoneID": "Israel",
"year": {
"numberInt": "2017"
}
},
"createdTimestamp": {
"numberDouble": "1500383447711"
},
"deprecated": false,
"description": "ACME",
"disabled": false,
"inCache": true,
"inactive": false,
"initialized": true,
"isAdditionalLoaded": false,
"localID": {
"numberDouble": "30064798760"
},
"modificationCount": {
"numberInt": "1"
}
},
"classification": "Authentication",
"observables": [
{
"type": "IPv4 Address",
"value": "192.168.40.45",
"tags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"extraProperties": {
"property1": {
"value": "aaa-bbcc",
"type": "WeakIdentifier"
},
"property2": {
"value": "aaa-bbcc",
"type": "WeakIdentifier"
}
},
"relatedExtraProperties": {
"property1": {
"sha": 256,
"type": "WeakIdentifier"
},
"property2": {
"sha": 256,
"type": "WeakIdentifier"
}
}
}
],
"useCase": "UC216 - EPP - Persistent Malware",
"company": "ACME",
"tags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"categories": [
"Ransomware",
"Phishing"
],
"detectionRule": "WRONG_PASSWORD_3_ATTEMPTS",
"alertType": "CTI-Landscape",
"threatType": "Phishing",
"threatActors": [
"Cyber Criminals",
"Anonymous"
],
"malwareTools": [
"TrickBot",
"IcedID",
"Cobalt Strike"
],
"ctiSourceUrls": [
"https://blog.malwarebytes.com/someTopic"
],
"recommendations": "Implement the attached IOCs in your security systems.",
"killChain": [
"Reconnaissance",
"Weaponization",
"Delivery"
],
"mitreAttacks": [
"T1003",
"T1001",
"T1595.001"
]
}
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| name | string | true | none | The name of the alert |
| sourceId | string | true | none | The identifier of the alert, as it appears in the source system. In most cases this would be the ID as it appears in the SIEM. It cannot exceed 400 characters. |
| severity | string | true | none | The severity of the alert. Must be one of the severities defined in CDC. |
| description | string | true | none | The description of the alert. It cannot exceed 5000 characters; when it does, the request will not fail but the description will be truncated. |
| sourceUrl | string(uri) | false | none | The source URL of the alert in the SIEM or in the origin system |
| raw | object | false | none | Alert raw data, as provided by the SIEM or source system. NOTE: the object's keys cannot start with `$` or contain `.` characters. |
| classification | string | false | none | Classification category that the alert falls into. |
| observables | [object] | false | none | The observables associated with this alert |
| » type | string | true | none | The type of the observable |
| » value | string | true | none | The value of the observable |
| » tags | Tags | false | none | Array of tags. A tag's name can contain only the following characters: letters, digits, "-", "_", ".", "#" and "@". Tags are case-preserving on insertion: if a tag doesn't already exist with a different casing style, the tag will be saved with the casing specified. When used as query filters, tags are treated as case-insensitive. |
| » extraProperties | object | false | none | observable additional properties |
| »» additionalProperties | object | false | none | none |
| »»» value | any | true | none | none |
anyOf
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| »»»» anonymous | string | false | none | none |
or
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| »»»» anonymous | number | false | none | none |
or
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| »»»» anonymous | boolean | false | none | none |
or
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| »»»» anonymous | [string] | false | none | none |
or
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| »»»» anonymous | [number] | false | none | none |
or
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| »»»» anonymous | [boolean] | false | none | none |
continued
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| »»» type | string | false | none | none |
| » relatedExtraProperties | object | false | none | additional properties of observable alert relation |
| »» additionalProperties | object | false | none | none |
| »»» value | any | true | none | none |
anyOf
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| »»»» anonymous | string | false | none | none |
or
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| »»»» anonymous | number | false | none | none |
or
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| »»»» anonymous | boolean | false | none | none |
or
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| »»»» anonymous | [string] | false | none | none |
or
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| »»»» anonymous | [number] | false | none | none |
or
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| »»»» anonymous | [boolean] | false | none | none |
continued
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| »»» type | string | false | none | none |
| useCase | string | false | none | Alert use case |
| company | string | false | none | The company with which this alert is associated |
| tags | Tags | false | none | Array of tags. A tag's name can contain only the following characters: letters, digits, "-", "_", ".", "#" and "@". Tags are case-preserving on insertion: if a tag doesn't already exist with a different casing style, the tag will be saved with the casing specified. When used as query filters, tags are treated as case-insensitive. |
| categories | Categories | false | none | Mapping of alert to specific category in SIEM |
| detectionRule | string | false | none | Name of detection rule from SIEM that triggered the generation of alert. It cannot exceed 256 characters. |
| alertType | string | false | none | The type of the alert. Must be one of the alert types defined in CDC - see Enumerated values. When not provided, or when the value is invalid, alertType will be set to General. |
| threatType | string | false | none | The threat type with which this alert is associated. |
| threatActors | [string] | false | none | The attacker, whoever launched the attack/campaign/malware. |
| malwareTools | [string] | false | none | The Malware/Tools that were used in the attack. |
| ctiSourceUrls | [string] | false | none | The data source that was used for opening the alert. |
| recommendations | string | false | none | Instructions on how to handle the alert. |
| killChain | [string] | false | none | Mapping of alert to specific Kill Chain phases. The case of the names will be ignored, as well as spaces and duplicate values. All values will be normalized according to the provided enum. See Wikipedia. This field accepts any value; the provided enum shows the recommended values. |
| mitreAttacks | MitreAttacks | false | none | List of MitreAttack IDs |
Enumerated Values
| Property | Value |
|---|---|
| alertType | CTI-Landscape |
| alertType | CTI-Assetbased |
| alertType | General |
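The property table above states several constraints the server either enforces or applies silently: raw keys may not start with `$` or contain `.`, tags are limited to a fixed character set, sourceId and detectionRule have length limits, an over-long description is truncated rather than rejected, an unknown alertType becomes General, and killChain values are normalized ignoring case, spaces and duplicates. The linter below is an added example, not CyberProof's code; it checks a CreateAlertRequest body before it is sent. The seven Lockheed Martin kill-chain phase names used for normalization are an assumption, since the page shows only three of them, and the sample request is constructed.

```python
import re

# Constraints quoted from the CreateAlertRequest property table.
TAG_RE = re.compile(r"^[A-Za-z0-9\-_.#@]+$")
ALERT_TYPES = {"CTI-Landscape", "CTI-Assetbased", "General"}
MAX_SOURCE_ID = 400
MAX_DESCRIPTION = 5000
MAX_DETECTION_RULE = 256
REQUIRED = ("name", "sourceId", "severity", "description")

# Assumption: the enum the page points to ("See Wikipedia") is the seven
# Lockheed Martin Cyber Kill Chain phases; the page itself lists only three.
KILL_CHAIN_PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
                     "Installation", "Command and Control", "Actions on Objectives"]


def _phase_key(name):
    """Comparison key: case and whitespace are ignored, as the reference states."""
    return "".join(name.split()).lower()


_CANONICAL = {_phase_key(p): p for p in KILL_CHAIN_PHASES}


def normalize_kill_chain(values):
    """Map free-form phase names onto the enum spelling and drop duplicates.
    Values outside the enum are kept as given (the field accepts any value)."""
    out, seen = [], set()
    for value in values:
        key = _phase_key(value)
        if not key or key in seen:
            continue
        seen.add(key)
        out.append(_CANONICAL.get(key, value.strip()))
    return out


def bad_raw_keys(obj, path=""):
    """Keys anywhere inside `raw` that start with '$' or contain '.'."""
    bad = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}/{key}" if path else key
            if key.startswith("$") or "." in key:
                bad.append(here)
            bad.extend(bad_raw_keys(value, here))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            bad.extend(bad_raw_keys(value, f"{path}[{i}]"))
    return bad


def _length(req, field):
    return len(str(req.get(field) or ""))


def lint_create_alert(req):
    """Return (errors, warnings) for a CreateAlertRequest body.

    errors:   violations the reference says are not allowed.
    warnings: values the server alters silently (truncation, alertType reset).
    """
    errors, warnings = [], []
    for field in REQUIRED:
        if not isinstance(req.get(field), str) or not req[field]:
            errors.append(f"{field}: required non-empty string")
    if _length(req, "sourceId") > MAX_SOURCE_ID:
        errors.append(f"sourceId exceeds {MAX_SOURCE_ID} characters")
    if _length(req, "detectionRule") > MAX_DETECTION_RULE:
        errors.append(f"detectionRule exceeds {MAX_DETECTION_RULE} characters")
    if _length(req, "description") > MAX_DESCRIPTION:
        warnings.append(f"description longer than {MAX_DESCRIPTION} characters will be truncated")
    for key in bad_raw_keys(req.get("raw") or {}):
        errors.append(f"raw key {key!r} starts with '$' or contains '.'")
    tags = list(req.get("tags") or [])
    for i, obs in enumerate(req.get("observables") or []):
        if not obs.get("type") or not obs.get("value"):
            errors.append(f"observables[{i}]: type and value are required")
        tags.extend(obs.get("tags") or [])      # observable tags share the rule
    for tag in tags:
        if not TAG_RE.match(str(tag)):
            errors.append(f"tag {tag!r}: only letters, digits, - _ . # @ are allowed")
    alert_type = req.get("alertType")
    if alert_type is not None and alert_type not in ALERT_TYPES:
        warnings.append(f"alertType {alert_type!r} is not one of "
                        f"{sorted(ALERT_TYPES)}; the server will store General")
    return errors, warnings


if __name__ == "__main__":
    # Constructed request carrying one of each problem.
    sample = {
        "name": "Email messages containing malware removed after delivery",
        "sourceId": "345ffe9a", "severity": "High", "description": "x" * 6000,
        "raw": {"$set": 1, "event": {"rule.id": 105}},
        "tags": ["Cloud-Computing", "Virus Phishing"],
        "alertType": "CTI-Unknown",
        "killChain": ["delivery", " Delivery", "command and control", "Exfil"],
    }
    errs, warns = lint_create_alert(sample)
    print("\n".join(errs + warns))
    print(normalize_kill_chain(sample["killChain"]))
```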
AlertsQueryResults
{
"nextMarker": "string",
"results": [
{
"id": "5e7c6cf54b832e0018f191ad",
"source": "QRadar",
"sourceId": 296,
"score": 33.2,
"name": "Windows - Multiple failed logins same user same host",
"description": "Customer Name - AcmeCo\nAlert Name - Windows - Multiple failed logins same user same host\nDevice Vendor - Microsoft\nDevice Product - Microsoft Windows\nDevice Event Class Id - rule:105\n",
"severity": "Medium",
"created": "2019-08-24T14:15:22Z",
"modified": "2019-08-24T14:15:22Z",
"detected": "2019-08-24T14:15:22Z",
"status": "In Incident",
"sourceUrl": "https://192.168.41.164/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=296",
"company": "ACME Europe",
"useCase": "UC216 - EPP - Persistent Malware",
"tags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"classification": "Authentication",
"observableTags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"categories": [
"Ransomware",
"Phishing"
],
"detectionRule": "WRONG_PASSWORD_3_ATTEMPTS",
"killChain": [
"Reconnaissance",
"Weaponization",
"Delivery"
],
"mitreAttacks": [
"T1003",
"T1001",
"T1595.001"
],
"alertType": "CTI-Landscape",
"threatType": "Phishing"
}
]
}
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| nextMarker | string(byte) | false | none | A continuation token. Empty if there are no further results |
| results | [AlertSummary] | true | none | none |
IncidentSummary
{
"id": "string",
"key": "CDC-20191208-00046",
"name": "Web Proxy - Execution file download",
"description": "Customer Name - ACME Inc<br>Alert Name - Web Proxy - Execution file download<br>Device Product - Web Gateway<br>Category Outcome - /Failure<br>\n",
"created": "2019-08-24T14:15:22Z",
"updated": "2019-08-24T14:15:22Z",
"type": "DDOS",
"status": "Closed",
"priority": "Low",
"group": "L1",
"externalIds": [
{
"system": "ServiceNow",
"id": "40385fee"
}
],
"tags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"company": "ACME Europe",
"pendingForGroup": "string",
"redirectionReason": "string",
"endSlaDate": "2019-08-23T14:15:22Z"
}
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| id | string | true | none | A unique, machine-oriented ID identifying this incident |
| key | string | true | none | A unique, human-oriented key identifying this incident |
| name | string | false | none | The name of the incident. Included only if the client specified it explicitly in the "include" parameter |
| description | string | false | none | The incident description. Included only if the client specified it explicitly in the "include" parameter |
| created | string(date-time) | true | none | The time when the incident was created |
| updated | string(date-time) | true | none | The time when the incident was last updated |
| type | string | true | none | Incident type |
| status | string | true | none | The status of the incident |
| priority | string | true | none | The priority of the incident |
| group | string | false | none | The group to which this incident is currently assigned |
| externalIds | ExternalIds | false | none | Array of external identifiers of the entity. Clients will only receive identifiers they have permission for, and won't be able to see identifiers of other systems. |
| tags | Tags | false | none | Array of tags. A tag's name can contain only the following characters: letters, digits, "-", "_", ".", "#" and "@". Tags are case-preserving on insertion: if a tag doesn't already exist with a different casing style, the tag will be saved with the casing specified. When used as query filters, tags are treated as case-insensitive. |
| company | string | false | none | The company with which this incident is associated |
| pendingForGroup | string | false | none | If this incident was redirected to a different group this will contain the name of the target group |
| redirectionReason | string | false | none | If this incident was redirected to a different group this will contain the user comment provided with redirection request |
| endSlaDate | string(date-time)¦null | false | none | Service level agreement end date |
ExternalIds
[
{
"system": "ServiceNow",
"id": "40385fee"
}
]
Array of external identifiers of the entity. Clients will only receive identifiers they have permission for, and won't be able to see identifiers of other systems.
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| system | string | true | none | none |
| id | string | true | none | none |
Tags
[
"Cloud-Computing",
"Virus",
"Phishing"
]
Array of tags. A tag's name can contain only the following characters: letters, digits, "-", "_", ".", "#" and "@".
Tags are case-preserving on insertion: if a tag doesn't already exist with a different casing style, the tag will be saved with the casing specified. When used as query filters, tags are treated as case-insensitive.
Properties
None
Categories
[
"Ransomware",
"Phishing"
]
Mapping of alert to specific category in SIEM
Properties
None
Alert
{
"id": "5e7c6cf54b832e0018f191ad",
"source": "QRadar",
"sourceId": 296,
"score": 33.2,
"name": "Windows - Multiple failed logins same user same host",
"description": "Customer Name - AcmeCo\nAlert Name - Windows - Multiple failed logins same user same host\nDevice Vendor - Microsoft\nDevice Product - Microsoft Windows\nDevice Event Class Id - rule:105\n",
"severity": "Medium",
"created": "2019-08-24T14:15:22Z",
"modified": "2019-08-24T14:15:22Z",
"detected": "2019-08-24T14:15:22Z",
"status": "In Incident",
"sourceUrl": "https://192.168.41.164/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=296",
"company": "ACME Europe",
"useCase": "UC216 - EPP - Persistent Malware",
"tags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"classification": "Authentication",
"observableTags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"categories": [
"Ransomware",
"Phishing"
],
"detectionRule": "WRONG_PASSWORD_3_ATTEMPTS",
"killChain": [
"Reconnaissance",
"Weaponization",
"Delivery"
],
"mitreAttacks": [
"T1003",
"T1001",
"T1595.001"
],
"alertType": "CTI-Landscape",
"threatType": "Phishing",
"raw": {
"attributeInitializationInProgress": false,
"createdTime": {
"day": {
"numberInt": "18"
},
"hour": {
"numberInt": "16"
},
"milliSecond": {
"numberInt": "711"
},
"minute": {
"numberInt": "10"
},
"month": {
"numberInt": "6"
},
"second": {
"numberInt": "47"
},
"timezoneID": "Israel",
"year": {
"numberInt": "2017"
}
},
"createdTimestamp": {
"numberDouble": "1500383447711"
},
"deprecated": false,
"description": "ACME",
"disabled": false,
"inCache": true,
"inactive": false,
"initialized": true,
"isAdditionalLoaded": false,
"localID": {
"numberDouble": "30064798760"
},
"modificationCount": {
"numberInt": "1"
}
},
"appendedRaw": [
{}
],
"cdcUrl": "https://acme.cyberproof.io/home/alerts/alert/5e7c6cf54b832e0018f191ad",
"threatActors": [
"Cyber Criminals",
"Anonymous"
],
"malwareTools": [
"TrickBot",
"IcedID",
"Cobalt Strike"
],
"ctiSourceUrls": [
"https://blog.malwarebytes.com/someTopic"
],
"recommendations": "Implement the attached IOCs in your security systems."
}
Properties
allOf
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| anonymous | AlertSummary | false | none | none |
and
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| anonymous | object | false | none | none |
| » raw | object | false | none | The alert raw data. |
| » appendedRaw | [object] | false | none | The alert appended raw data. |
| » cdcUrl | string(uri) | true | none | The URL of this alert in the CDC application. |
| » threatActors | [string] | false | none | The attacker, whoever launched the attack/campaign/malware. |
| » malwareTools | [string] | false | none | The Malware/Tools that were used in the attack. |
| » ctiSourceUrls | [string] | false | none | The data source that was used for opening the alert. |
| » recommendations | string | false | none | Instructions on how to handle the alert. |
Incident
{
"id": "string",
"key": "CDC-20191208-00046",
"name": "Web Proxy - Execution file download",
"description": "Customer Name - ACME Inc<br>Alert Name - Web Proxy - Execution file download<br>Device Product - Web Gateway<br>Category Outcome - /Failure<br>\n",
"created": "2019-08-24T14:15:22Z",
"updated": "2019-08-24T14:15:22Z",
"type": "DDOS",
"status": "Closed",
"priority": "Low",
"group": "L1",
"externalIds": [
{
"system": "ServiceNow",
"id": "40385fee"
}
],
"tags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"company": "ACME Europe",
"pendingForGroup": "string",
"redirectionReason": "string",
"endSlaDate": "2019-08-23T14:15:22Z",
"closingComment": "string",
"closingReason": "True Positive",
"closed": "2019-08-24T14:15:22Z",
"cdcUrl": "https://acme.cyberproof.io/home/incidents/incident/5ea71bb363f6c6001707663b"
}
Properties
allOf
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| anonymous | IncidentSummary | false | none | none |
and
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| anonymous | object | false | none | none |
| » closingComment | string | false | none | The specified comment when it was closed. Only present if the incident was closed. |
| » closingReason | IncidentClosingReason | false | none | Incident closure reason. Possible default values are: "Benign Positive", "True Positive", "False Positive - Incorrect alert logic", "False Positive - Inaccurate data" and "Undetermined". Note: there may be additional custom reasons, but only if such reasons exist in CDC (metamodels). |
| » closed | string(date-time) | false | none | Timestamp specifying when the incident was closed. |
| » cdcUrl | string(uri) | true | none | The URL of this incident in the CDC application. |
IncidentsQueryResults
{
"nextMarker": "string",
"results": [
{
"id": "string",
"key": "CDC-20191208-00046",
"name": "Web Proxy - Execution file download",
"description": "Customer Name - ACME Inc<br>Alert Name - Web Proxy - Execution file download<br>Device Product - Web Gateway<br>Category Outcome - /Failure<br>\n",
"created": "2019-08-24T14:15:22Z",
"updated": "2019-08-24T14:15:22Z",
"type": "DDOS",
"status": "Closed",
"priority": "Low",
"group": "L1",
"externalIds": [
{
"system": "ServiceNow",
"id": "40385fee"
}
],
"tags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"company": "ACME Europe",
"pendingForGroup": "string",
"redirectionReason": "string",
"endSlaDate": "2019-08-23T14:15:22Z"
}
]
}
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| nextMarker | string(byte) | false | none | A continuation token. Empty if there are no further results |
| results | [IncidentSummary] | true | none | none |
IncidentAlertsQueryResults
{
"nextMarker": "string",
"results": [
{
"id": "5e7c6cf54b832e0018f191ad",
"source": "QRadar",
"sourceId": 296,
"score": 33.2,
"name": "Windows - Multiple failed logins same user same host",
"description": "Customer Name - AcmeCo\nAlert Name - Windows - Multiple failed logins same user same host\nDevice Vendor - Microsoft\nDevice Product - Microsoft Windows\nDevice Event Class Id - rule:105\n",
"severity": "Medium",
"created": "2019-08-24T14:15:22Z",
"modified": "2019-08-24T14:15:22Z",
"detected": "2019-08-24T14:15:22Z",
"status": "In Incident",
"sourceUrl": "https://192.168.41.164/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=296",
"company": "ACME Europe",
"useCase": "UC216 - EPP - Persistent Malware",
"tags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"classification": "Authentication",
"observableTags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"categories": [
"Ransomware",
"Phishing"
],
"detectionRule": "WRONG_PASSWORD_3_ATTEMPTS",
"killChain": [
"Reconnaissance",
"Weaponization",
"Delivery"
],
"mitreAttacks": [
"T1003",
"T1001",
"T1595.001"
],
"alertType": "CTI-Landscape",
"threatType": "Phishing",
"raw": {
"attributeInitializationInProgress": false,
"createdTime": {
"day": {
"numberInt": "18"
},
"hour": {
"numberInt": "16"
},
"milliSecond": {
"numberInt": "711"
},
"minute": {
"numberInt": "10"
},
"month": {
"numberInt": "6"
},
"second": {
"numberInt": "47"
},
"timezoneID": "Israel",
"year": {
"numberInt": "2017"
}
},
"createdTimestamp": {
"numberDouble": "1500383447711"
},
"deprecated": false,
"description": "ACME",
"disabled": false,
"inCache": true,
"inactive": false,
"initialized": true,
"isAdditionalLoaded": false,
"localID": {
"numberDouble": "30064798760"
},
"modificationCount": {
"numberInt": "1"
}
},
"appendedRaw": [
{}
],
"cdcUrl": "https://acme.cyberproof.io/home/alerts/alert/5e7c6cf54b832e0018f191ad",
"threatActors": [
"Cyber Criminals",
"Anonymous"
],
"malwareTools": [
"TrickBot",
"IcedID",
"Cobalt Strike"
],
"ctiSourceUrls": [
"https://blog.malwarebytes.com/someTopic"
],
"recommendations": "Implement the attached IOCs in your security systems."
}
]
}
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| nextMarker | string(byte) | false | none | A continuation token. Empty if there are no further results |
| results | [Alert] | true | none | none |
IncidentAlertIdsQueryResults
{
"nextMarker": "string",
"results": [
"string"
]
}
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| nextMarker | string(byte) | false | none | A continuation token. Empty if there are no further results |
| results | [string] | true | none | alert IDs associated with this incident |
IncidentObservablesQueryResults
{
"nextMarker": "string",
"results": [
{
"id": "5e13b88122c957000787db06",
"type": "IPv4 Address",
"isIoc": false,
"value": "192.168.40.45",
"created": "2019-08-24T14:15:22Z",
"updated": "2019-08-24T14:15:22Z",
"suspiciousRate": 3.2,
"tags": [
"Critical-Infrastructure"
],
"enrichments": [
{
"id": "5e13b88122c957000787db06",
"name": "VirusTotal",
"reported": "2019-08-24T14:15:22Z",
"suspiciousRate": 3.2
}
]
}
]
}
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| nextMarker | string(byte) | false | none | A continuation token. Empty if there are no further results |
| results | [ObservableSummary] | true | none | none |
EvidenceQueryResults
{
"nextMarker": "string",
"results": [
{
"id": "5aa4d8fcbdee5a000a911882",
"type": "MITRE_ATTACK_ADDED",
"reported": "2019-08-24T14:15:22Z",
"created": "2019-08-24T14:15:22Z",
"caption": "Severity changed",
"description": "System Admin has changed severity from Low to Medium",
"messageId": "string",
"messageCdcUrl": "https://acme.cyberproof.io/home/incidents/5ea71bb363f6c6001707663b/evidence/5ea71bb363f6c6001707254a",
"externalId": "345ffe9a",
"data": {}
}
]
}
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| nextMarker | string(byte) | false | none | A continuation token. Empty if there are no further results |
| results | [Evidence] | true | none | none |
CreateIncidentMessageRequest
{
"externalId": "345ffe9a",
"contentType": "text",
"content": "Requires further investigation",
"evidence": {
"caption": "Severity changed",
"reported": "2019-08-24T14:15:22Z",
"description": "System Admin has changed severity from Low to Medium"
}
}
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| externalId | string | true | none | The identifier of the message, as it appears in external systems; used mainly to achieve idempotence |
| contentType | string | true | none | The type of the content, currently only 'text' is supported |
| content | string | true | none | The content of the message |
| evidence | object | false | none | When specified, the message is marked as evidence |
| » caption | string | true | none | The caption of the evidence |
| » reported | string(date-time) | false | none | The time when this evidence was supposed to be reported |
| » description | string | false | none | The description of this evidence |
Enumerated Values
| Property | Value |
|---|---|
| contentType | text |
IncidentMessageSummary
{
"id": "5e7c6cf54b832e0018f191ad",
"text": "Requires further investigation",
"processedText": "Requires further investigation"
}
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| id | string | true | none | A unique, machine-oriented ID identifying this message |
| text | string | true | none | The text of the message |
| processedText | string | false | none | The processed text of the message |
CreateIncidentObservableRequest
{
"type": "IPv4 Address",
"value": "192.168.40.45",
"tags": [
"Critical-Infrastructure"
]
}
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| type | string | true | none | The type of the observable |
| value | string | true | none | The value of the observable |
| tags | [string] | false | none | Array of tags. A tag's name can contain only the next symbols: alphabetic, "-", "_", ".", "#", "@", and numeric. |
CloseIncidentRequest
{
"closingComment": "Virus removed, performed AntiVirus software update, ensured the AntiVirus detects and quarantines emails with the virus attached",
"closingReason": "True Positive",
"shouldTerminatePlaybooks": true
}
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| closingComment | string | true | none | The closing comment for this incident |
| closingReason | IncidentClosingReason | false | none | Incident closure reason. Possible default values are: "Benign Positive", "True Positive", "False Positive - Incorrect alert logic", "False Positive - Inaccurate data" and "Undetermined". Note: additional custom reasons may exist, but only if they are defined at the CDC (metamodels). |
| shouldTerminatePlaybooks | boolean | false | none | Whether to terminate running playbooks. Possible values: true - terminate all running playbooks in the alerts within the incident, change the status(es) and close the incident/alert(s); false (default) - close the incident only if there are no running playbooks, otherwise the close-incident flow is cancelled. |
IncidentClosingReason
"True Positive"
Incident closure reason. Possible default values are: "Benign Positive", "True Positive", "False Positive - Incorrect alert logic", "False Positive - Inaccurate data" and "Undetermined".
Note: additional custom reasons may exist, but only if they are defined at the CDC (metamodels).
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| anonymous | string | false | none | Incident closure reason. Possible default values are: "Benign Positive", "True Positive", "False Positive - Incorrect alert logic", "False Positive - Inaccurate data" and "Undetermined". Note: additional custom reasons may exist, but only if they are defined at the CDC (metamodels). |
UpdateIncidentRequest
{
"priority": "Low",
"tags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"company": "string"
}
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| priority | string | false | none | The priority of the incident |
| tags | Tags | false | none | Array of tags. A tag's name can contain only the following symbols: alphabetic, "-", "_", ".", "#", "@", and numeric. Tags are case-preserving on insertion: if a tag doesn't already exist with a different casing style, the tag will be saved with the casing specified. When used as query filters, tags are treated as case-insensitive. |
| company | string | false | none | The company with which the incident is associated |
RedirectIncidentRequest
{
"targetGroup": "string",
"reason": "string"
}
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| targetGroup | string | true | none | The group to which the incident is being redirected |
| reason | string | true | none | A user-provided reason for the redirection |
ObservableSummary
{
"id": "5e13b88122c957000787db06",
"type": "IPv4 Address",
"isIoc": false,
"value": "192.168.40.45",
"created": "2019-08-24T14:15:22Z",
"updated": "2019-08-24T14:15:22Z",
"suspiciousRate": 3.2,
"tags": [
"Critical-Infrastructure"
],
"enrichments": [
{
"id": "5e13b88122c957000787db06",
"name": "VirusTotal",
"reported": "2019-08-24T14:15:22Z",
"suspiciousRate": 3.2
}
]
}
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| id | string | true | none | The unique identifier of this observable |
| type | string | true | none | The type of the observable |
| isIoc | boolean | true | none | Whether this observable is an indicator of compromise |
| value | string | true | none | The value of the observable |
| created | string(date-time) | true | none | The time when the observable was created |
| updated | string(date-time) | true | none | The time when the observable was last updated, including changes to the observable and association to incidents. |
| suspiciousRate | number(double)¦null | true | none | The suspicious rate of the observable (higher is more suspicious), between 0 and 100. This field is nullable; a null value means there is not enough data to calculate suspiciousRate yet, and it could be updated later. |
| tags | [string] | true | none | The tags associated with this observable |
| enrichments | [EnrichmentSummary] | true | none | The recent and valid enrichments associated with this observable |
ObservablesQueryResults
{
"nextMarker": "string",
"results": [
{
"id": "5e13b88122c957000787db06",
"type": "IPv4 Address",
"isIoc": false,
"value": "192.168.40.45",
"created": "2019-08-24T14:15:22Z",
"updated": "2019-08-24T14:15:22Z",
"suspiciousRate": 3.2,
"tags": [
"Critical-Infrastructure"
],
"enrichments": [
{
"id": "5e13b88122c957000787db06",
"name": "VirusTotal",
"reported": "2019-08-24T14:15:22Z",
"suspiciousRate": 3.2
}
]
}
]
}
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| nextMarker | string(byte) | false | none | A continuation token. Empty if there are no further results |
| results | [ObservableSummary] | true | none | none |
ObservableAlertIdsQueryResults
{
"nextMarker": "string",
"results": [
"string"
]
}
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| nextMarker | string(byte) | false | none | A continuation token. Empty if there are no further results |
| results | [string] | true | none | Alert IDs associated with this observable |
ObservableIncidentIdsQueryResults
{
"nextMarker": "string",
"results": [
"string"
]
}
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| nextMarker | string(byte) | false | none | A continuation token. Empty if there are no further results |
| results | [string] | true | none | Incident IDs associated with this observable |
EnrichmentSummary
{
"id": "5e13b88122c957000787db06",
"name": "VirusTotal",
"reported": "2019-08-24T14:15:22Z",
"suspiciousRate": 3.2
}
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| id | string | true | none | The unique identifier of this enrichment |
| name | string | true | none | The name of the enrichment |
| reported | string(date-time) | true | none | The time when this enrichment was reported |
| suspiciousRate | number(double)¦null | true | none | The suspicious rate of the observable (higher is more suspicious), between 0 and 100. This field is nullable; a null value means there is not enough data to calculate suspiciousRate yet, and it could be updated later. |
Evidence
{
"id": "5aa4d8fcbdee5a000a911882",
"type": "MITRE_ATTACK_ADDED",
"reported": "2019-08-24T14:15:22Z",
"created": "2019-08-24T14:15:22Z",
"caption": "Severity changed",
"description": "System Admin has changed severity from Low to Medium",
"messageId": "string",
"messageCdcUrl": "https://acme.cyberproof.io/home/incidents/5ea71bb363f6c6001707663b/evidence/5ea71bb363f6c6001707254a",
"externalId": "345ffe9a",
"data": {}
}
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| id | string | true | none | A unique, machine-oriented ID identifying this evidence. |
| type | string | true | none | The type of evidence |
| reported | string(date-time) | true | none | The time when this evidence was reported |
| created | string(date-time) | true | none | The time when this evidence was created |
| caption | string | false | none | The caption of the evidence |
| description | string | false | none | The description of this evidence |
| messageId | string | false | none | The ID of the message this evidence was created from |
| messageCdcUrl | string | false | none | The URL of the message in the CDC application that this evidence was created from. |
| externalId | string | false | none | The identifier of the evidence, as it appears in external systems, mostly used to achieve idempotence |
| data | object | false | none | Additional evidence metadata |
Enumerated Values
| Property | Value |
|---|---|
| type | TEXT |
| type | ALERT_OWNER_ASSIGNED |
| type | ALERT_OWNER_REMOVED |
| type | ALERT_STATUS_CHANGED |
| type | ALERT_ATTACHED_TO_INCIDENT |
| type | ALERT_AUTOMATION_JOB_ENDED |
| type | ALERT_AUTOMATION_JOB_STARTED |
| type | ALERT_CLOSED |
| type | ALERT_DETACHED_FROM_INCIDENT |
| type | ALERT_DETECTED |
| type | ALERT_RESOLVED |
| type | ALERT_INCIDENT_CREATED |
| type | ALERT_PLAYBOOK_STEP_COMPLETED |
| type | ALERT_REOPENED |
| type | MITRE_ATTACK_ADDED |
| type | MITRE_ATTACK_REMOVED |
| type | INCIDENT_ALERT_ADDED |
| type | INCIDENT_ALERT_REMOVED |
| type | INCIDENT_CREATED |
| type | INCIDENT_CLOSED |
| type | INCIDENT_REOPENED |
| type | INCIDENT_STATUS_CHANGED |
| type | INCIDENT_COMPANY_CHANGED |
| type | INCIDENT_SEVERITY_CHANGED |
| type | INCIDENT_PRIORITY_CHANGED |
| type | INCIDENT_TYPE_CHANGED |
| type | INCIDENT_OWNER_CHANGED |
| type | INCIDENT_ESCALATED |
| type | INCIDENT_ESCALATION_REVOKED |
| type | INCIDENT_ESCALATION_ACCEPTED |
| type | INCIDENT_ESCALATION_REMINDER_SENT |
| type | PLAYBOOK_ADDED |
| type | PLAYBOOK_STEP_COMPLETED |
| type | PLAYBOOK_USER_INPUT_REQUIRED |
| type | PLAYBOOK_EVIDENCES_PROVIDED |
| type | PLAYBOOK_TERMINATED |
CreateEvidenceRequest
{
"reported": "2019-08-24T14:15:22Z",
"caption": "Severity changed",
"messageId": "string",
"description": "System Admin has changed severity from Low to Medium",
"externalId": "345ffe9a"
}
Validations:
- At least one of the following fields should be provided: messageId, description.
- Only one of the following fields can be provided: messageId, externalId.
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| reported | string(date-time) | true | none | The time when this evidence was reported |
| caption | string | true | none | The caption of the evidence |
| messageId | string | false | none | The ID of the message this evidence was created from. |
| description | string | false | none | The description of this evidence |
| externalId | string | false | none | The identifier of the evidence, as it appears in external systems, mostly used to achieve idempotence |
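The two validation rules above are easy to violate when evidence is assembled from several sources, so it pays to check the body client-side before calling the API. The following helper is an added example, not code from the CyberProof API or its documentation; it implements exactly the documented rules for CreateEvidenceRequest and treats `reported` as an RFC 3339 date-time, which is an assumption drawn from the `string(date-time)` type.

```python
"""Client-side validation of a CreateEvidenceRequest body before it is sent.

Added example; not part of the CyberProof API. The rules encoded here are the
documented ones: reported and caption are required, at least one of messageId
or description must be given, and messageId and externalId are mutually
exclusive (externalId is the idempotency key for evidence created from an
external system, messageId ties evidence to an existing CDC message).
"""
from datetime import datetime

REQUIRED_FIELDS = ("reported", "caption")


def _present(req: dict, field: str) -> bool:
    """A field counts as provided when it exists and is not empty."""
    value = req.get(field)
    return value is not None and value != ""


def validate_create_evidence_request(req: dict) -> list[str]:
    """Return the list of rule violations; an empty list means the body may be sent."""
    errors: list[str] = []

    for field in REQUIRED_FIELDS:
        if not _present(req, field):
            errors.append(f"missing required field: {field}")

    # Validation 1: at least one of messageId, description.
    if not (_present(req, "messageId") or _present(req, "description")):
        errors.append("at least one of messageId, description must be provided")

    # Validation 2: only one of messageId, externalId.
    if _present(req, "messageId") and _present(req, "externalId"):
        errors.append("only one of messageId, externalId may be provided")

    # Assumption: string(date-time) means RFC 3339, e.g. 2019-08-24T14:15:22Z.
    if _present(req, "reported"):
        try:
            datetime.fromisoformat(str(req["reported"]).replace("Z", "+00:00"))
        except ValueError:
            errors.append("reported is not a valid date-time")

    return errors


def build_external_evidence(external_id: str, caption: str, description: str,
                            reported: str) -> dict:
    """Build an idempotent evidence body keyed by externalId (no messageId)."""
    body = {
        "reported": reported,
        "caption": caption,
        "description": description,
        "externalId": external_id,
    }
    problems = validate_create_evidence_request(body)
    if problems:
        raise ValueError("; ".join(problems))
    return body


if __name__ == "__main__":
    # Constructed sample: evidence mirrored from an external ticketing system.
    ok = build_external_evidence("345ffe9a", "Severity changed",
                                 "System Admin has changed severity from Low to Medium",
                                 "2019-08-24T14:15:22Z")
    print("valid body:", ok)
    # Constructed sample that sets both messageId and externalId.
    bad = dict(ok, messageId="5e7c6cf54b832e0018f191ad")
    print("violations:", validate_create_evidence_request(bad))
```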
KillChain
[
"Reconnaissance",
"Weaponization",
"Delivery"
]
Mapping of alert to specific Kill Chain phases. See in Wikipedia
Properties
None
MitreAttacks
[
"T1003",
"T1001",
"T1595.001"
]
List of MITRE ATT&CK IDs
Properties
None
EntityScope
{
"id": "616ea579f2631c8d4c68a1b7",
"type": "alert"
}
Entities in the system can have a scope defining their association with a business object.
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| id | string | true | none | ID of the entity as saved in the system |
| type | string | true | none | The type of the entity (alert / incident / channel ...) |
Enumerated Values
| Property | Value |
|---|---|
| type | alert |
| type | incident |
| type | channel |
FileScope
{
"id": "616ea579f2631c8d4c68a1b7",
"type": "alert"
}
Entities in the system can have a scope defining their association with a business object.
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| id | string | true | none | ID of the entity as saved in the system |
| type | string | true | none | The type of the entity (alert / incident / channel ...) |
Enumerated Values
| Property | Value |
|---|---|
| type | alert |
| type | incident |
| type | channel |
| type | visualization |
TextMessageContent
{
"message": "some text <b>bold</b> message",
"contentType": "text"
}
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| message | string | true | none | The text of the message. Can be simple text or rich text |
| contentType | string | true | none | Specifies the type of the Message content (Text messages) |
Enumerated Values
| Property | Value |
|---|---|
| contentType | text |
AdaptiveCardMessageContent
{
"json": {},
"contentType": "adaptiveCard"
}
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| json | object | true | none | The raw data attached for the purpose of populating the card |
| contentType | string | true | none | Specifies the type of the Message content (Adaptive Card messages) |
Enumerated Values
| Property | Value |
|---|---|
| contentType | adaptiveCard |
MessageCreateRequest
{
"externalId": "111e3cf9-da0e-46a1-b099-3fd2e653ecbd",
"scope": {
"id": "616ea579f2631c8d4c68a1b7",
"type": "alert"
},
"parentMessageId": "616ea579f2631c8d4c68a1b7",
"attachmentIds": [
"616ea579f2631c8d4c68a1b7"
],
"content": {
"message": "some text <b>bold</b> message",
"contentType": "text"
}
}
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| externalId | string | true | none | The identifier of the message, as it appears in external systems. Only one message can be linked to each unique externalId. |
| scope | EntityScope | true | none | Scope provides association data for this message |
| parentMessageId | string | false | none | If provided, the new message will be posted as a child of another message, as the last message in its thread |
| attachmentIds | [string] | false | none | IDs of files attached to this message |
| content | TextMessageContent | true | none | The content of the message |
MessageSummary
{
"id": "616ea579f2631c8d4c68a1b7",
"externalId": "111e3cf9-da0e-46a1-b099-3fd2e653ecbd",
"scope": {
"id": "616ea579f2631c8d4c68a1b7",
"type": "alert"
},
"parentMessageId": "616ea579f2631c8d4c68a1b7",
"attachmentIds": [
"616ea579f2631c8d4c68a1b7"
],
"content": {
"message": "some text <b>bold</b> message",
"contentType": "text"
}
}
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| id | string | true | none | ID of the message as saved in the system |
| externalId | string | true | none | The identifier of the message, as it appears in external systems. Only one message can be linked to each unique externalId. |
| scope | EntityScope | true | none | Entities in the system can have a scope defining their association with a business object |
| parentMessageId | string | false | none | If present, this message was posted in another message's thread |
| attachmentIds | [string] | false | none | IDs of files attached to this message |
| content | any | true | none | The content of the message |
oneOf
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| » anonymous | TextMessageContent | false | none | none |
xor
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| » anonymous | AdaptiveCardMessageContent | false | none | none |
Message
{
"id": "616ea579f2631c8d4c68a1b7",
"externalId": "111e3cf9-da0e-46a1-b099-3fd2e653ecbd",
"scope": {
"id": "616ea579f2631c8d4c68a1b7",
"type": "alert"
},
"parentMessageId": "616ea579f2631c8d4c68a1b7",
"attachmentIds": [
"616ea579f2631c8d4c68a1b7"
],
"content": {
"message": "some text <b>bold</b> message",
"contentType": "text"
},
"attachments": [
{
"status": "uploaded",
"id": "5e7c6cf54b832e0018f191ad",
"name": "attachment.txt",
"scope": {
"id": "616ea579f2631c8d4c68a1b7",
"type": "alert"
},
"url": "https://someDomain/somePath/attachment.txt",
"size": 2680000,
"mimeType": "text/plain",
"extension": "txt",
"createdAt": "2019-08-24T14:15:22Z",
"createdBy": "8e2c4cf54b832e0018f191ad",
"relations": [
{
"type": "vega",
"id": "8e2c4cf54b832e0018f191ad"
}
]
}
]
}
Properties
allOf
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| anonymous | MessageSummary | false | none | none |
and
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| anonymous | object | false | none | none |
| » attachments | [FileInfo] | false | none | File info objects for the attachments. Note: an empty array means no attachments. |
| » content | any | false | none | none |
oneOf
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| »» anonymous | TextMessageContent | false | none | none |
xor
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| »» anonymous | AdaptiveCardMessageContent | false | none | none |
MessagesQueryResults
{
"nextMarker": "string",
"results": [
{
"id": "616ea579f2631c8d4c68a1b7",
"externalId": "111e3cf9-da0e-46a1-b099-3fd2e653ecbd",
"scope": {
"id": "616ea579f2631c8d4c68a1b7",
"type": "alert"
},
"parentMessageId": "616ea579f2631c8d4c68a1b7",
"attachmentIds": [
"616ea579f2631c8d4c68a1b7"
],
"content": {
"message": "some text <b>bold</b> message",
"contentType": "text"
}
}
]
}
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| nextMarker | string(byte) | false | none | A continuation token. Empty if there are no further results |
| results | [MessageSummary] | true | none | none |
FileStatus
"uploaded"
The status of the file with respect to the upload and sanitation process. Every file should have a status:
- uploaded - uploaded but not ready yet, requires additional processing
- processing - being processed by the system, i.e. pending sanitation
- verified - completed sanitation processes, needs to move to final storage location
- ready - completed and made available
- failed - the file upload process has failed, such as when sanitation can't be applied
- blocked - the file sanitation process failed (i.e. the file has malicious content)
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| anonymous | string | false | none | The status of the file with respect to the upload and sanitation process. Every file should have a status: uploaded - uploaded but not ready yet, requires additional processing; processing - being processed by the system, i.e. pending sanitation; verified - completed sanitation processes, needs to move to final storage location; ready - completed and made available; failed - the file upload process has failed, such as when sanitation can't be applied; blocked - the file sanitation process failed (i.e. the file has malicious content) |
Enumerated Values
| Property | Value |
|---|---|
| anonymous | uploaded |
| anonymous | processing |
| anonymous | verified |
| anonymous | ready |
| anonymous | failed |
| anonymous | blocked |
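Only `ready` means a file has passed sanitation and may be fetched; `uploaded`, `processing` and `verified` are transient, while `blocked` signals that sanitation found malicious content. The code below is an added example (not from the CyberProof API or its documentation) that triages FileInfo objects by this lifecycle and polls a caller-supplied fetcher until a file reaches a terminal status; the fetcher signature, the sample FileInfo records and the bucket names are assumptions.

```python
"""Gate attachment downloads on the documented FileStatus lifecycle.

Added example, not part of the CyberProof API. It treats only "ready" as safe
to download, keeps polling while a file is in a transient state, and surfaces
"blocked" separately because that status means sanitation found malicious
content and the file should be reported, never fetched.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

# Transient statuses: the file is still moving through upload/sanitation.
PENDING = frozenset({"uploaded", "processing", "verified"})
# Terminal statuses.
READY, FAILED, BLOCKED = "ready", "failed", "blocked"
KNOWN_STATUSES = PENDING | {READY, FAILED, BLOCKED}


@dataclass
class Triage:
    download: list = field(default_factory=list)  # ready: safe to fetch
    wait: list = field(default_factory=list)      # transient: poll again later
    flag: list = field(default_factory=list)      # blocked: sanitation found malicious content
    error: list = field(default_factory=list)     # failed, or a status outside the enum


def triage_attachments(files: list[dict]) -> Triage:
    """Sort FileInfo records into action buckets by their status field."""
    t = Triage()
    for info in files:
        status, file_id = info.get("status"), info.get("id")
        if status == READY:
            t.download.append(file_id)
        elif status in PENDING:
            t.wait.append(file_id)
        elif status == BLOCKED:
            t.flag.append(file_id)
        else:
            # "failed" or an undocumented value: fail closed, never download.
            t.error.append(file_id)
    return t


def poll_until_terminal(fetch_info: Callable[[str], dict], file_id: str,
                        max_attempts: int = 5) -> Optional[dict]:
    """Re-read a FileInfo until it leaves the transient states.

    fetch_info is an assumed caller-supplied function (e.g. wrapping the
    files endpoint) that returns the current FileInfo for file_id. Returns
    the terminal FileInfo, or None if the file is still pending after
    max_attempts reads.
    """
    for _ in range(max_attempts):
        info = fetch_info(file_id)
        if info.get("status") not in PENDING:
            return info
    return None


def scripted_fetcher(statuses: list[str]) -> Callable[[str], dict]:
    """Build a fake fetcher that walks through the given statuses (for demos/tests)."""
    sequence = iter(statuses)

    def fetch(file_id: str) -> dict:
        return {"id": file_id, "status": next(sequence)}

    return fetch


# Constructed sample FileInfo records (only the fields the triage needs).
SAMPLE_FILES = [
    {"id": "f-ready", "name": "report.pdf", "status": "ready"},
    {"id": "f-proc", "name": "capture.pcap", "status": "processing"},
    {"id": "f-blocked", "name": "invoice.xlsm", "status": "blocked"},
    {"id": "f-failed", "name": "dump.bin", "status": "failed"},
    {"id": "f-weird", "name": "notes.txt", "status": "quarantined"},
]

if __name__ == "__main__":
    result = triage_attachments(SAMPLE_FILES)
    print("download:", result.download, "wait:", result.wait)
    print("flag (malicious):", result.flag, "error:", result.error)
    fetch = scripted_fetcher(["uploaded", "processing", "verified", "ready"])
    print("polled:", poll_until_terminal(fetch, "f-proc"))
```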
FileInfo
{
"status": "uploaded",
"id": "5e7c6cf54b832e0018f191ad",
"name": "attachment.txt",
"scope": {
"id": "616ea579f2631c8d4c68a1b7",
"type": "alert"
},
"url": "https://someDomain/somePath/attachment.txt",
"size": 2680000,
"mimeType": "text/plain",
"extension": "txt",
"createdAt": "2019-08-24T14:15:22Z",
"createdBy": "8e2c4cf54b832e0018f191ad",
"relations": [
{
"type": "vega",
"id": "8e2c4cf54b832e0018f191ad"
}
]
}
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| status | FileStatus | true | none | The status of the file with respect to the upload and sanitation process. Every file should have a status: uploaded - uploaded but not ready yet, requires additional processing; processing - being processed by the system, i.e. pending sanitation; verified - completed sanitation processes, needs to move to final storage location; ready - completed and made available; failed - the file upload process has failed, such as when sanitation can't be applied; blocked - the file sanitation process failed (i.e. the file has malicious content) |
| id | string | true | none | A unique, machine-oriented ID identifying this file. |
| name | string | true | none | The file name |
| scope | FileScope | true | none | Entities in the system can have a scope defining their association with a business object |
| url | string | true | none | The file URL |
| size | number | true | none | The file size in bytes |
| mimeType | string | true | none | The MIME (Multipurpose Internet Mail Extensions) type of the file: a two-part identifier for file formats and format contents transmitted on the Internet. See https://en.wikipedia.org/wiki/Media_type |
| extension | string | false | none | An identifier specified as a suffix to the name of a file |
| createdAt | string(date-time) | true | none | File creation timestamp |
| createdBy | string | true | none | The ID of the user who created this file. |
| relations | [object] | false | none | The relations of the file |
| » id | string | false | none | none |
| » type | string | false | none | none |
Enumerated Values
| Property | Value |
|---|---|
| type | vega |
FilesQueryResults
{
"nextMarker": "string",
"results": [
{
"status": "uploaded",
"id": "5e7c6cf54b832e0018f191ad",
"name": "attachment.txt",
"scope": {
"id": "616ea579f2631c8d4c68a1b7",
"type": "alert"
},
"url": "https://someDomain/somePath/attachment.txt",
"size": 2680000,
"mimeType": "text/plain",
"extension": "txt",
"createdAt": "2019-08-24T14:15:22Z",
"createdBy": "8e2c4cf54b832e0018f191ad",
"relations": [
{
"type": "vega",
"id": "8e2c4cf54b832e0018f191ad"
}
]
}
]
}
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| nextMarker | string(byte) | false | none | A continuation token. Empty if there are no further results |
| results | [FileInfo] | true | none | none |
UploadFileRequest
{
"relations": "[{\"type\": \"vega\", \"id\": \"5e7c6cf54b832e0018f191ad\"}]",
"password": "test123",
"file": "string"
}
Form data containing relations, password and file fields.
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| relations | string | false | none | A JSON-encoded array of objects, each with type (the relation type, e.g. vega) and id (the template file ID). |
| password | string | false | none | A single password or more separated by a comma. |
| file | string(binary) | false | none | The binary file stream |
DownloadFileResponse
"string"
The binary file stream
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| anonymous | string(binary) | false | none | The binary file stream |
CDCQueryResponse
{
"sort": [
{
"fieldName": "string",
"desc": true
}
],
"limit": 20,
"skip": 0,
"items": [
{
"id": "5e7c6cf54b832e0018f191ad",
"source": "QRadar",
"sourceId": 296,
"score": 33.2,
"name": "Windows - Multiple failed logins same user same host",
"description": "Customer Name - AcmeCo\nAlert Name - Windows - Multiple failed logins same user same host\nDevice Vendor - Microsoft\nDevice Product - Microsoft Windows\nDevice Event Class Id - rule:105\n",
"severity": "Medium",
"created": "2019-08-24T14:15:22Z",
"modified": "2019-08-24T14:15:22Z",
"detected": "2019-08-24T14:15:22Z",
"status": "In Incident",
"sourceUrl": "https://192.168.41.164/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=296",
"company": "ACME Europe",
"useCase": "UC216 - EPP - Persistent Malware",
"tags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"classification": "Authentication",
"observableTags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"categories": [
"Ransomware",
"Phishing"
],
"detectionRule": "WRONG_PASSWORD_3_ATTEMPTS",
"killChain": [
"Reconnaissance",
"Weaponization",
"Delivery"
],
"mitreAttacks": [
"T1003",
"T1001",
"T1595.001"
],
"alertType": "CTI-Landscape",
"threatType": "Phishing",
"summaryType": "alert",
"incidentId": "string"
}
],
"total": 32
}
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| sort | [object] | true | none | none |
| » fieldName | string | false | none | Field name used for sorting query results |
| » desc | boolean | false | none | Sort direction: true for descending (DESC), false for ascending (ASC) |
| limit | integer | true | none | none |
| skip | integer | true | none | none |
| items | [oneOf] | true | none | Array of either Alerts, Incidents, Observables or Messages (note that the property list of the resulting documents is controlled by the include field of the request) |
oneOf
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| » anonymous | CQLAlertSummary | false | none | none |
xor
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| » anonymous | CQLIncidentSummary | false | none | none |
xor
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| » anonymous | CQLObservableSummary | false | none | none |
xor
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| » anonymous | CQLMessageSummary | false | none | none |
continued
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| total | number | false | none | Total count of query results. Note: this field is returned only when includeTotal is set to true in the request |
CQLAlertSummary
{
"id": "5e7c6cf54b832e0018f191ad",
"source": "QRadar",
"sourceId": 296,
"score": 33.2,
"name": "Windows - Multiple failed logins same user same host",
"description": "Customer Name - AcmeCo\nAlert Name - Windows - Multiple failed logins same user same host\nDevice Vendor - Microsoft\nDevice Product - Microsoft Windows\nDevice Event Class Id - rule:105\n",
"severity": "Medium",
"created": "2019-08-24T14:15:22Z",
"modified": "2019-08-24T14:15:22Z",
"detected": "2019-08-24T14:15:22Z",
"status": "In Incident",
"sourceUrl": "https://192.168.41.164/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=296",
"company": "ACME Europe",
"useCase": "UC216 - EPP - Persistent Malware",
"tags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"classification": "Authentication",
"observableTags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"categories": [
"Ransomware",
"Phishing"
],
"detectionRule": "WRONG_PASSWORD_3_ATTEMPTS",
"killChain": [
"Reconnaissance",
"Weaponization",
"Delivery"
],
"mitreAttacks": [
"T1003",
"T1001",
"T1595.001"
],
"alertType": "CTI-Landscape",
"threatType": "Phishing",
"summaryType": "alert",
"incidentId": "string"
}
Properties
allOf
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| anonymous | BaseAlertSummary | false | none | none |
and
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| anonymous | object | false | none | none |
| » summaryType | string | true | none | Discriminator property to distinguish between different responses |
| » incidentId | string | false | none | Id of related incident |
Enumerated Values
| Property | Value |
|---|---|
| summaryType | alert |
CQLIncidentSummary
{
"id": "string",
"key": "CDC-20191208-00046",
"name": "Web Proxy - Execution file download",
"description": "Customer Name - ACME Inc<br>Alert Name - Web Proxy - Execution file download<br>Device Product - Web Gateway<br>Category Outcome - /Failure<br>\n",
"created": "2019-08-24T14:15:22Z",
"updated": "2019-08-24T14:15:22Z",
"type": "DDOS",
"status": "Closed",
"priority": "Low",
"group": "L1",
"externalIds": [
{
"system": "ServiceNow",
"id": "40385fee"
}
],
"tags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"company": "ACME Europe",
"pendingForGroup": "string",
"redirectionReason": "string",
"endSlaDate": "2019-08-23T14:15:22Z",
"summaryType": "incident"
}
Properties
allOf
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| anonymous | BaseIncidentSummary | false | none | none |
and
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| anonymous | object | false | none | none |
| » summaryType | string | true | none | Discriminator property to distinguish between different responses |
Enumerated Values
| Property | Value |
|---|---|
| summaryType | incident |
CQLObservableSummary
{
"id": "5e13b88122c957000787db06",
"type": "IPv4 Address",
"isIoc": false,
"value": "192.168.40.45",
"created": "2019-08-24T14:15:22Z",
"updated": "2019-08-24T14:15:22Z",
"suspiciousRate": 3.2,
"tags": [
"Critical-Infrastructure"
],
"enrichments": [
{
"id": "5e13b88122c957000787db06",
"name": "VirusTotal",
"reported": "2019-08-24T14:15:22Z",
"suspiciousRate": 3.2,
"rawData": {
"data": {
"prop1": "blah",
"prop2": 3,
"prop3": false
}
}
}
],
"summaryType": "observable"
}
Properties
allOf
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| anonymous | BaseObservableSummary | false | none | none |
and
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| anonymous | object | false | none | none |
| » enrichments | [allOf] | false | none | The recent and valid enrichments associated with this observable |
allOf
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| »» anonymous | EnrichmentSummary | false | none | none |
and
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| »» anonymous | object | false | none | none |
| »»» rawData | object¦null | false | none | Raw data for enrichment. |
continued
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| » summaryType | string | true | none | Discriminator property to distinguish between different responses |
Enumerated Values
| Property | Value |
|---|---|
| summaryType | observable |
CQLMessageSummary
{
"id": "616ea579f2631c8d4c68a1b7",
"externalId": "111e3cf9-da0e-46a1-b099-3fd2e653ecbd",
"scope": {
"id": "616ea579f2631c8d4c68a1b7",
"type": "alert"
},
"parentMessageId": "616ea579f2631c8d4c68a1b7",
"attachmentIds": [
"616ea579f2631c8d4c68a1b7"
],
"content": {
"message": "some text <b>bold</b> message",
"contentType": "text"
},
"summaryType": "messsage"
}
Properties
allOf
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| anonymous | BaseMessageSummary | false | none | none |
and
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| anonymous | object | false | none | none |
| » summaryType | string | true | none | Discriminator property to distinguish between different responses |
Enumerated Values
| Property | Value |
|---|---|
| summaryType | messsage |
BaseAlertSummary
{
"id": "5e7c6cf54b832e0018f191ad",
"source": "QRadar",
"sourceId": 296,
"score": 33.2,
"name": "Windows - Multiple failed logins same user same host",
"description": "Customer Name - AcmeCo\nAlert Name - Windows - Multiple failed logins same user same host\nDevice Vendor - Microsoft\nDevice Product - Microsoft Windows\nDevice Event Class Id - rule:105\n",
"severity": "Medium",
"created": "2019-08-24T14:15:22Z",
"modified": "2019-08-24T14:15:22Z",
"detected": "2019-08-24T14:15:22Z",
"status": "In Incident",
"sourceUrl": "https://192.168.41.164/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=296",
"company": "ACME Europe",
"useCase": "UC216 - EPP - Persistent Malware",
"tags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"classification": "Authentication",
"observableTags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"categories": [
"Ransomware",
"Phishing"
],
"detectionRule": "WRONG_PASSWORD_3_ATTEMPTS",
"killChain": [
"Reconnaissance",
"Weaponization",
"Delivery"
],
"mitreAttacks": [
"T1003",
"T1001",
"T1595.001"
],
"alertType": "CTI-Landscape",
"threatType": "Phishing"
}
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| id | string | false | none | A unique, machine-oriented ID identifying this alert. |
| source | string | false | none | The name of the source system |
| sourceId | string | false | none | The ID of the alert in the source system |
| score | number(double)¦null | false | none | The score of the alert. This field is nullable; a null value means there was not enough data to calculate the score, and it may be updated later. |
| name | string | false | none | The name of the alert |
| description | string | false | none | The description of the alert |
| severity | string | false | none | The severity of the alert |
| created | string(date-time) | false | none | Alert creation timestamp |
| modified | string(date-time) | false | none | Last modification timestamp |
| detected | string(date-time) | false | none | Alert detection timestamp |
| status | string | false | none | Alert status |
| sourceUrl | string(uri) | false | none | A URI of this alert pointing to the source system |
| company | string | false | none | The company with which the alert is associated |
| useCase | string | false | none | Alert use case |
| tags | Tags | false | none | Array of tags. A tag's name can contain only alphabetic and numeric characters and the symbols "-", "_", ".", "#" and "@". Tags are case-preserving on insertion: if a tag doesn't already exist with a different casing, the tag will be saved with the casing specified. When used as query filters, tags are treated as case-insensitive. |
| classification | string | false | none | Classification category that the alert falls into. |
| observableTags | [string] | false | none | List of tags of alert observables |
| categories | Categories | false | none | Mapping of alert to specific category in SIEM |
| detectionRule | string | false | none | Name of detection rule from SIEM that triggered the generation of alert |
| killChain | KillChain | false | none | Mapping of alert to specific Kill Chain phases (see the Wikipedia article on the cyber kill chain) |
| mitreAttacks | MitreAttacks | false | none | List of MITRE ATT&CK technique IDs |
| alertType | string | false | none | The type of the alert. Must be one of the alert types defined in CDC (see Enumerated Values). When not provided, or when an invalid value is given, alertType is set to General. |
| threatType | string | false | none | The threat type with which this alert is associated. |
Enumerated Values
| Property | Value |
|---|---|
| alertType | CTI-Landscape |
| alertType | CTI-Assetbased |
| alertType | General |
BaseIncidentSummary
{
"id": "string",
"key": "CDC-20191208-00046",
"name": "Web Proxy - Execution file download",
"description": "Customer Name - ACME Inc<br>Alert Name - Web Proxy - Execution file download<br>Device Product - Web Gateway<br>Category Outcome - /Failure<br>\n",
"created": "2019-08-24T14:15:22Z",
"updated": "2019-08-24T14:15:22Z",
"type": "DDOS",
"status": "Closed",
"priority": "Low",
"group": "L1",
"externalIds": [
{
"system": "ServiceNow",
"id": "40385fee"
}
],
"tags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"company": "ACME Europe",
"pendingForGroup": "string",
"redirectionReason": "string",
"endSlaDate": "2019-08-23T14:15:22Z"
}
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| id | string | false | none | A unique, machine-oriented ID identifying this incident |
| key | string | false | none | A unique, human-oriented key identifying this incident |
| name | string | false | none | The name of the incident. Included only if the client specified it explicitly in the "include" parameter |
| description | string | false | none | The incident description. Included only if the client specified it explicitly in the "include" parameter |
| created | string(date-time) | false | none | The time when the incident was created |
| updated | string(date-time) | false | none | The time when the incident was last updated |
| type | string | false | none | Incident type |
| status | string | false | none | The status of the incident |
| priority | string | false | none | The priority of the incident |
| group | string | false | none | The group to which this incident is currently assigned |
| externalIds | ExternalIds | false | none | Array of external identifiers of the entity. Clients will only receive identifiers they have permission for, and won't be able to see identifiers of other systems. |
| tags | Tags | false | none | Array of tags. A tag's name can contain only alphabetic and numeric characters and the symbols "-", "_", ".", "#" and "@". Tags are case-preserving on insertion: if a tag doesn't already exist with a different casing, the tag will be saved with the casing specified. When used as query filters, tags are treated as case-insensitive. |
| company | string | false | none | The company with which this incident is associated |
| pendingForGroup | string | false | none | If this incident was redirected to a different group this will contain the name of the target group |
| redirectionReason | string | false | none | If this incident was redirected to a different group this will contain the user comment provided with redirection request |
| endSlaDate | string(date-time)¦null | false | none | Service level agreement end date |
BaseObservableSummary
{
"id": "5e13b88122c957000787db06",
"type": "IPv4 Address",
"isIoc": false,
"value": "192.168.40.45",
"created": "2019-08-24T14:15:22Z",
"updated": "2019-08-24T14:15:22Z",
"suspiciousRate": 3.2,
"tags": [
"Critical-Infrastructure"
],
"enrichments": [
{
"id": "5e13b88122c957000787db06",
"name": "VirusTotal",
"reported": "2019-08-24T14:15:22Z",
"suspiciousRate": 3.2
}
]
}
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| id | string | false | none | The unique identifier of this observable |
| type | string | false | none | The type of the observable |
| isIoc | boolean | false | none | Whether this observable is an indicator of compromise (IoC) |
| value | string | false | none | The value of the observable |
| created | string(date-time) | false | none | The time when the observable was created |
| updated | string(date-time) | false | none | The time when the observable was last updated, including changes to the observable and association to incidents. |
| suspiciousRate | number(double)¦null | false | none | The suspicious rate of the observable, between 0 and 100 (higher is more suspicious). This field is nullable; a null value means there was not enough data to calculate suspiciousRate, and it may be updated later. |
| tags | [string] | false | none | The tags associated with this observable |
| enrichments | [EnrichmentSummary] | false | none | The recent and valid enrichments associated with this observable |
BaseMessageSummary
{
"id": "616ea579f2631c8d4c68a1b7",
"externalId": "111e3cf9-da0e-46a1-b099-3fd2e653ecbd",
"scope": {
"id": "616ea579f2631c8d4c68a1b7",
"type": "alert"
},
"parentMessageId": "616ea579f2631c8d4c68a1b7",
"attachmentIds": [
"616ea579f2631c8d4c68a1b7"
],
"content": {
"message": "some text <b>bold</b> message",
"contentType": "text"
}
}
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| id | string | false | none | ID of the message as saved in the system |
| externalId | string | false | none | The identifier of the message, as it appears in external systems. Only one message can be linked to each unique externalId. |
| scope | EntityScope | false | none | Entities in the system can have a scope defining their association with a business object |
| parentMessageId | string | false | none | If present, this message was posted in another message's thread |
| attachmentIds | [string] | false | none | IDs of files attached to this message |
| content | any | false | none | The content of the message |
oneOf
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| » anonymous | TextMessageContent | false | none | none |
xor
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| » anonymous | AdaptiveCardMessageContent | false | none | none |
AutocompleteSearchResponse
{
"limit": 10,
"items": [
"string"
]
}
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| limit | number | false | none | none |
| items | [string] | false | none | none |
CustomFieldSchemaResponse
{
"id": "string",
"label": "string",
"fieldName": "string",
"entityType": "ALERT",
"classifications": [
"string"
],
"type": "TEXT",
"scope": "ADDITIONAL_INFO",
"order": 0,
"visible": true,
"deleted": true,
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z"
}
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| id | string | true | none | The database document identifier |
| label | string | true | none | The display name of the field, e.g. "Some label" |
| fieldName | string | true | none | The internal field name, e.g. incident_some_label_rich_text |
| entityType | EntityTypes | true | none | Enum value for the type of entity, e.g. INCIDENT |
| classifications | [string] | true | none | List of classifications, e.g. DDOS, MALWARE. This field is mandatory if entityType is ALERT |
| type | CustomFieldsSchemaTypesEnum | true | none | Enum value for the available data types, e.g. TEXT, RICH_TEXT, NUMBER |
| scope | EntityScopes | true | none | Enum value for the available scopes, e.g. SUMMARY, ADDITIONAL_INFO |
| order | number | false | none | Controls the order of appearance. Has an effect if entityType is INCIDENT |
| visible | boolean | false | none | This field controls the visibility for UI consumers. |
| deleted | boolean | false | none | none |
| createdAt | string(date-time) | true | none | none |
| updatedAt | string(date-time) | true | none | none |
QueryCustomFieldSchemaResponse
{
"total": 0,
"results": [
{
"id": "string",
"label": "string",
"fieldName": "string",
"entityType": "ALERT",
"classifications": [
"string"
],
"type": "TEXT",
"scope": "ADDITIONAL_INFO",
"order": 0,
"visible": true,
"deleted": true,
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z"
}
],
"nextMarker": "string"
}
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| total | number | true | none | The total number of documents available for the query (used for pagination) |
| results | [CustomFieldSchemaResponse] | true | none | none |
| nextMarker | string | true | none | none |
QueryCustomFieldResponse
{
"results": [
{
"id": "string",
"entityId": "string",
"entityType": "ALERT",
"name": "string",
"value": {},
"createdAt": "string",
"updatedAt": "string",
"createdBy": "string",
"updatedBy": "string"
}
],
"nextMarker": "string",
"total": 0
}
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| results | [CustomField] | true | none | none |
| nextMarker | string | true | none | none |
| total | number | true | none | none |
CustomField
{
"id": "string",
"entityId": "string",
"entityType": "ALERT",
"name": "string",
"value": {},
"createdAt": "string",
"updatedAt": "string",
"createdBy": "string",
"updatedBy": "string"
}
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| id | string | true | none | none |
| entityId | string | true | none | none |
| entityType | string | true | none | none |
| name | string | true | none | none |
| value | object | true | none | none |
| createdAt | string | true | none | none |
| updatedAt | string | true | none | none |
| createdBy | string | false | none | none |
| updatedBy | string | false | none | none |
Enumerated Values
| Property | Value |
|---|---|
| entityType | ALERT |
| entityType | INCIDENT |
CreateManyCustomFieldRequest
{
"request": [
{
"entityId": "string",
"entityType": "ALERT",
"name": "string",
"value": {}
}
]
}
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| request | [CreateCustomFieldRequest] | true | none | none |
CreateCustomFieldRequest
{
"entityId": "string",
"entityType": "ALERT",
"name": "string",
"value": {}
}
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| entityId | string | true | none | none |
| entityType | string | false | none | none |
| name | string | true | none | none |
| value | object | true | none | none |
Enumerated Values
| Property | Value |
|---|---|
| entityType | ALERT |
| entityType | INCIDENT |
CreateCustomFieldResponse
{
"results": [
{
"id": "string",
"entityId": "string",
"entityType": "ALERT",
"name": "string",
"value": {},
"createdAt": "string",
"updatedAt": "string",
"createdBy": "string",
"updatedBy": "string"
}
]
}
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| results | [CustomField] | true | none | none |
CustomFieldsSchemaTypesEnum
"TEXT"
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| anonymous | string | false | none | none |
Enumerated Values
| Property | Value |
|---|---|
| anonymous | TEXT |
| anonymous | RICH_TEXT |
| anonymous | |
| anonymous | NUMBER |
| anonymous | IPV4 |
| anonymous | IPV6 |
| anonymous | DATETIME |
| anonymous | TEXT_LIST |
| anonymous | BOOLEAN_RADIO |
EntityScopes
"ADDITIONAL_INFO"
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| anonymous | string | false | none | none |
Enumerated Values
| Property | Value |
|---|---|
| anonymous | ADDITIONAL_INFO |
| anonymous | SUMMARY |
EntityTypes
"ALERT"
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| anonymous | string | false | none | none |
Enumerated Values
| Property | Value |
|---|---|
| anonymous | ALERT |
| anonymous | INCIDENT |
AlertExtendedPropertiesResponse
{
"name": "string",
"value": {},
"id": "string",
"createdBy": "string",
"updatedBy": "string",
"createdAt": "string",
"updatedAt": "string"
}
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| name | string | true | none | The internal field name of the custom-field schema |
| value | object | false | none | The actual value of the field; can be of any data type, or null |
| id | string | true | none | The database document identifier |
| createdBy | string | true | none | The user who created the resource |
| updatedBy | string | true | none | The user who updated the resource |
| createdAt | string | true | none | none |
| updatedAt | string | true | none | none |
AlertSummary
{
"id": "5e7c6cf54b832e0018f191ad",
"source": "QRadar",
"sourceId": 296,
"score": 33.2,
"name": "Windows - Multiple failed logins same user same host",
"description": "Customer Name - AcmeCo\nAlert Name - Windows - Multiple failed logins same user same host\nDevice Vendor - Microsoft\nDevice Product - Microsoft Windows\nDevice Event Class Id - rule:105\n",
"severity": "Medium",
"created": "2019-08-24T14:15:22Z",
"modified": "2019-08-24T14:15:22Z",
"detected": "2019-08-24T14:15:22Z",
"status": "In Incident",
"sourceUrl": "https://192.168.41.164/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=296",
"company": "ACME Europe",
"useCase": "UC216 - EPP - Persistent Malware",
"tags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"classification": "Authentication",
"observableTags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"categories": [
"Ransomware",
"Phishing"
],
"detectionRule": "WRONG_PASSWORD_3_ATTEMPTS",
"killChain": [
"Reconnaissance",
"Weaponization",
"Delivery"
],
"mitreAttacks": [
"T1003",
"T1001",
"T1595.001"
],
"alertType": "CTI-Landscape",
"threatType": "Phishing"
}
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| id | string | true | none | A unique, machine-oriented ID identifying this alert. |
| source | string | true | none | The name of the source system |
| sourceId | string | true | none | The ID of the alert in the source system |
| score | number(double)¦null | false | none | The score of the alert. This field is nullable; a null value means there was not enough data to calculate the score, and it may be updated later. |
| name | string | true | none | The name of the alert |
| description | string | true | none | The description of the alert |
| severity | string | true | none | The severity of the alert |
| created | string(date-time) | true | none | Alert creation timestamp |
| modified | string(date-time) | true | none | Last modification timestamp |
| detected | string(date-time) | true | none | Alert detection timestamp |
| status | string | true | none | Alert status |
| sourceUrl | string(uri) | false | none | A URI of this alert pointing to the source system |
| company | string | false | none | The company with which the alert is associated |
| useCase | string | false | none | Alert use case |
| tags | Tags | true | none | Array of tags. A tag's name can contain only alphabetic and numeric characters and the symbols "-", "_", ".", "#" and "@". Tags are case-preserving on insertion: if a tag doesn't already exist with a different casing, the tag will be saved with the casing specified. When used as query filters, tags are treated as case-insensitive. |
| classification | string | false | none | Classification category that the alert falls into. |
| observableTags | [string] | true | none | List of tags of alert observables |
| categories | Categories | true | none | Mapping of alert to specific category in SIEM |
| detectionRule | string | false | none | Name of detection rule from SIEM that triggered the generation of alert |
| killChain | KillChain | true | none | Mapping of alert to specific Kill Chain phases (see the Wikipedia article on the cyber kill chain) |
| mitreAttacks | MitreAttacks | false | none | List of MITRE ATT&CK technique IDs |
| alertType | string | true | none | The type of the alert. Must be one of the alert types defined in CDC (see Enumerated Values). When not provided, or when an invalid value is given, alertType is set to General. |
| threatType | string | false | none | The threat type with which this alert is associated. |
Enumerated Values
| Property | Value |
|---|---|
| alertType | CTI-Landscape |
| alertType | CTI-Assetbased |
| alertType | General |
CreateAlertExtendedPropertiesRequest
{
"name": "string",
"value": {}
}
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| name | string | true | none | The internal field name of the custom-field schema |
| value | object | false | none | The actual value of the field; can be of any data type, or null |
CreateAlertExtendedPropertiesResponse
{
"results": [
{
"name": "string",
"value": {},
"id": "string",
"createdBy": "string",
"updatedBy": "string",
"createdAt": "string",
"updatedAt": "string"
}
]
}
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| results | [AlertExtendedPropertiesResponse] | true | none | none |
CreateAlertsExtendedPropertiesRequest
{
"request": [
{
"name": "string",
"value": {}
}
]
}
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| request | [CreateAlertExtendedPropertiesRequest] | true | none | none |
CreateIncidentsSummaryRequest
{
"request": [
{
"name": "string",
"value": {}
}
]
}
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| request | [CreateIncidentSummaryRequest] | true | none | none |
CreateIncidentSummaryRequest
{
"name": "string",
"value": {}
}
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| name | string | true | none | The internal field name of the custom-field schema |
| value | object | false | none | The actual value of the field; can be of any data type, or null |
CreateIncidentSummaryResponse
{
"results": [
{
"name": "string",
"value": {},
"id": "string",
"createdBy": "string",
"updatedBy": "string",
"createdAt": "string",
"updatedAt": "string"
}
]
}
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| results | [IncidentSummaryResponse] | true | none | none |
IncidentSummaryResponse
{
"name": "string",
"value": {},
"id": "string",
"createdBy": "string",
"updatedBy": "string",
"createdAt": "string",
"updatedAt": "string"
}
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| name | string | true | none | The internal field name of the custom-field schema |
| value | object | false | none | The actual value of the field; can be of any data type, or null |
| id | string | true | none | The database document identifier |
| createdBy | string | true | none | The user who created the resource |
| updatedBy | string | true | none | The user who updated the resource |
| createdAt | string | true | none | none |
| updatedAt | string | true | none | none |
QueryAlertExtendedPropertiesResponse
{
"results": [
{
"name": "string",
"value": {},
"id": "string",
"createdBy": "string",
"updatedBy": "string",
"createdAt": "string",
"updatedAt": "string"
}
],
"nextMarker": "string"
}
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| results | [AlertExtendedPropertiesResponse] | true | none | none |
| nextMarker | string | false | none | none |
QueryIncidentSummaryResponse
{
"results": [
{
"name": "string",
"value": {},
"id": "string",
"createdBy": "string",
"updatedBy": "string",
"createdAt": "string",
"updatedAt": "string"
}
],
"nextMarker": "string"
}
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| results | [IncidentSummaryResponse] | true | none | none |
| nextMarker | string | false | none | none |
General API Guidelines
- For a query endpoint (e.g. queryAlerts, queryObservableAlertIds) whose query yields no results, an empty list ([]) is returned.
Concurrency
CyberProof addresses consistency concerns by leveraging standard HTTP constructs to provide optimistic concurrency control. Specifically, the mechanism combines entity tags with conditional requests.
An entity tag, carried in the ETag HTTP header, is an opaque token that the server associates with a particular state of a resource. When the resource changes, its entity tag changes as well. This lets both parties determine whether a request references an up-to-date representation of the resource. Typically, if there is a mismatch, the request is not performed and the client should refresh its copy of the resource to bring it up to date.
A conditional request is a request that may be executed differently depending on the value of specific HTTP headers. These headers define the precondition that must hold before the server executes the request. With entity tags, there are generally two ways to make a request conditional:
- If-Match: the request proceeds only if the ETag of the current resource equals the one listed in this header.
- If-None-Match: the request proceeds only if the ETag of the current resource differs from every tag listed in this header.
Take the following scenario as an example:
- Client calls getIncident with a certain incident id
- Client receives the incident response along with the ETag response header
- Client needs to update the incident
- Client updates its incident's entity state
- Client calls updateIncident and includes an If-Match header with the value of the ETag it received before
- Server operation:
  - Server compares the current ETag with the one specified in the If-Match header
  - When matched, the operation is performed and the response to the client includes the updated incident's entity tag in the ETag response header
  - When unmatched, the operation is not performed and the server responds with a status code of 412 Precondition Failed
What's New
GET /alerts/{alertId}/extended-properties
Query alert extended properties
POST /alerts/{alertId}/extended-properties
Set alert extended properties
GET /incidents/{incidentId}/summary
Query incident summary
POST /incidents/{incidentId}/summary
Set incident summary
GET /custom-fields/settings
Read custom fields setting/schemas
