CyberProof Platform API v1.0.0
The CyberProof Platform public API, enabling integration with customer systems.
Base URLs:
- https://{tenant}.api.cyberproof.io/api/v1
  - tenant - The name of the tenant. Default: demo
Email: CyberProof API Support
Authentication
- API Key (ApiKeyHeader)
  - Parameter Name: X-API-KEY, in: header.
- API Key (ApiKeyQuery)
  - Parameter Name: apiKey, in: query.
alerts
Alerts APIs
createAlert
Code samples
curl --request POST \
--url https://test-api.cyberproof.io/api/v1/alerts \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a' \
--data '{"name":"Email messages containing malware removed after delivery","sourceId":"345ffe9a","severity":"High","description":"message containing malware are delivered to mailboxes in your organization. Office 365 removed the infected messages from Exchange Online mailboxes.","sourceUrl":"http://10.0.0.90/MySIEM/api/alerts/345ffe9a","raw":{"attributeInitializationInProgress":false,"createdTime":{"day":{"numberInt":"18"},"hour":{"numberInt":"16"},"milliSecond":{"numberInt":"711"},"minute":{"numberInt":"10"},"month":{"numberInt":"6"},"second":{"numberInt":"47"},"timezoneID":"Israel","year":{"numberInt":"2017"}},"createdTimestamp":{"numberDouble":"1500383447711"},"deprecated":false,"description":"ACME","disabled":false,"inCache":true,"inactive":false,"initialized":true,"isAdditionalLoaded":false,"localID":{"numberDouble":"30064798760"},"modificationCount":{"numberInt":"1"}},"observables":[{"type":"IPv4 Address","value":"192.168.40.45"}],"useCase":"UC216 - EPP - Persistent Malware","company":"ACME","tags":["Cloud-Computing","Virus","Phishing"],"categories":["Ransomware","Phishing"],"detectionRule":"WRONG_PASSWORD_3_ATTEMPTS","killChain":["Reconnaissance","Weaponization","Delivery"]}'
fetch("https://test-api.cyberproof.io/api/v1/alerts", {
"method": "POST",
"headers": {
"Content-Type": "application/json",
"Accept": "application/json",
"X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
},
"body": "{\"name\":\"Email messages containing malware removed after delivery\",\"sourceId\":\"345ffe9a\",\"severity\":\"High\",\"description\":\"message containing malware are delivered to mailboxes in your organization. Office 365 removed the infected messages from Exchange Online mailboxes.\",\"sourceUrl\":\"http://10.0.0.90/MySIEM/api/alerts/345ffe9a\",\"raw\":{\"attributeInitializationInProgress\":false,\"createdTime\":{\"day\":{\"numberInt\":\"18\"},\"hour\":{\"numberInt\":\"16\"},\"milliSecond\":{\"numberInt\":\"711\"},\"minute\":{\"numberInt\":\"10\"},\"month\":{\"numberInt\":\"6\"},\"second\":{\"numberInt\":\"47\"},\"timezoneID\":\"Israel\",\"year\":{\"numberInt\":\"2017\"}},\"createdTimestamp\":{\"numberDouble\":\"1500383447711\"},\"deprecated\":false,\"description\":\"ACME\",\"disabled\":false,\"inCache\":true,\"inactive\":false,\"initialized\":true,\"isAdditionalLoaded\":false,\"localID\":{\"numberDouble\":\"30064798760\"},\"modificationCount\":{\"numberInt\":\"1\"}},\"observables\":[{\"type\":\"IPv4 Address\",\"value\":\"192.168.40.45\"}],\"useCase\":\"UC216 - EPP - Persistent Malware\",\"company\":\"ACME\",\"tags\":[\"Cloud-Computing\",\"Virus\",\"Phishing\"],\"categories\":[\"Ransomware\",\"Phishing\"],\"detectionRule\":\"WRONG_PASSWORD_3_ATTEMPTS\",\"killChain\":[\"Reconnaissance\",\"Weaponization\",\"Delivery\"]}"
})
.then(response => {
console.log(response);
})
.catch(err => {
console.error(err);
});
import http.client
conn = http.client.HTTPSConnection("test-api.cyberproof.io")
payload = "{\"name\":\"Email messages containing malware removed after delivery\",\"sourceId\":\"345ffe9a\",\"severity\":\"High\",\"description\":\"message containing malware are delivered to mailboxes in your organization. Office 365 removed the infected messages from Exchange Online mailboxes.\",\"sourceUrl\":\"http://10.0.0.90/MySIEM/api/alerts/345ffe9a\",\"raw\":{\"attributeInitializationInProgress\":false,\"createdTime\":{\"day\":{\"numberInt\":\"18\"},\"hour\":{\"numberInt\":\"16\"},\"milliSecond\":{\"numberInt\":\"711\"},\"minute\":{\"numberInt\":\"10\"},\"month\":{\"numberInt\":\"6\"},\"second\":{\"numberInt\":\"47\"},\"timezoneID\":\"Israel\",\"year\":{\"numberInt\":\"2017\"}},\"createdTimestamp\":{\"numberDouble\":\"1500383447711\"},\"deprecated\":false,\"description\":\"ACME\",\"disabled\":false,\"inCache\":true,\"inactive\":false,\"initialized\":true,\"isAdditionalLoaded\":false,\"localID\":{\"numberDouble\":\"30064798760\"},\"modificationCount\":{\"numberInt\":\"1\"}},\"observables\":[{\"type\":\"IPv4 Address\",\"value\":\"192.168.40.45\"}],\"useCase\":\"UC216 - EPP - Persistent Malware\",\"company\":\"ACME\",\"tags\":[\"Cloud-Computing\",\"Virus\",\"Phishing\"],\"categories\":[\"Ransomware\",\"Phishing\"],\"detectionRule\":\"WRONG_PASSWORD_3_ATTEMPTS\",\"killChain\":[\"Reconnaissance\",\"Weaponization\",\"Delivery\"]}"
headers = {
    'Content-Type': "application/json",
    'Accept': "application/json",
    'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("POST", "/api/v1/alerts", payload, headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
package main
import (
"fmt"
"strings"
"net/http"
"io/ioutil"
)
func main() {
url := "https://test-api.cyberproof.io/api/v1/alerts"
payload := strings.NewReader("{\"name\":\"Email messages containing malware removed after delivery\",\"sourceId\":\"345ffe9a\",\"severity\":\"High\",\"description\":\"message containing malware are delivered to mailboxes in your organization. Office 365 removed the infected messages from Exchange Online mailboxes.\",\"sourceUrl\":\"http://10.0.0.90/MySIEM/api/alerts/345ffe9a\",\"raw\":{\"attributeInitializationInProgress\":false,\"createdTime\":{\"day\":{\"numberInt\":\"18\"},\"hour\":{\"numberInt\":\"16\"},\"milliSecond\":{\"numberInt\":\"711\"},\"minute\":{\"numberInt\":\"10\"},\"month\":{\"numberInt\":\"6\"},\"second\":{\"numberInt\":\"47\"},\"timezoneID\":\"Israel\",\"year\":{\"numberInt\":\"2017\"}},\"createdTimestamp\":{\"numberDouble\":\"1500383447711\"},\"deprecated\":false,\"description\":\"ACME\",\"disabled\":false,\"inCache\":true,\"inactive\":false,\"initialized\":true,\"isAdditionalLoaded\":false,\"localID\":{\"numberDouble\":\"30064798760\"},\"modificationCount\":{\"numberInt\":\"1\"}},\"observables\":[{\"type\":\"IPv4 Address\",\"value\":\"192.168.40.45\"}],\"useCase\":\"UC216 - EPP - Persistent Malware\",\"company\":\"ACME\",\"tags\":[\"Cloud-Computing\",\"Virus\",\"Phishing\"],\"categories\":[\"Ransomware\",\"Phishing\"],\"detectionRule\":\"WRONG_PASSWORD_3_ATTEMPTS\",\"killChain\":[\"Reconnaissance\",\"Weaponization\",\"Delivery\"]}")
req, err := http.NewRequest("POST", url, payload)
if err != nil {
fmt.Println("building request failed:", err)
return
}
req.Header.Add("Content-Type", "application/json")
req.Header.Add("Accept", "application/json")
req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
// Check the transport error before touching res: on failure res is nil
// and res.Body.Close() would panic.
res, err := http.DefaultClient.Do(req)
if err != nil {
fmt.Println("request failed:", err)
return
}
defer res.Body.Close()
body, _ := ioutil.ReadAll(res.Body)
fmt.Println(res)
fmt.Println(string(body))
}
var client = new HttpClient();
var request = new HttpRequestMessage
{
Method = HttpMethod.Post,
RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/alerts"),
Headers =
{
{ "Accept", "application/json" },
{ "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
},
Content = new StringContent("{\"name\":\"Email messages containing malware removed after delivery\",\"sourceId\":\"345ffe9a\",\"severity\":\"High\",\"description\":\"message containing malware are delivered to mailboxes in your organization. Office 365 removed the infected messages from Exchange Online mailboxes.\",\"sourceUrl\":\"http://10.0.0.90/MySIEM/api/alerts/345ffe9a\",\"raw\":{\"attributeInitializationInProgress\":false,\"createdTime\":{\"day\":{\"numberInt\":\"18\"},\"hour\":{\"numberInt\":\"16\"},\"milliSecond\":{\"numberInt\":\"711\"},\"minute\":{\"numberInt\":\"10\"},\"month\":{\"numberInt\":\"6\"},\"second\":{\"numberInt\":\"47\"},\"timezoneID\":\"Israel\",\"year\":{\"numberInt\":\"2017\"}},\"createdTimestamp\":{\"numberDouble\":\"1500383447711\"},\"deprecated\":false,\"description\":\"ACME\",\"disabled\":false,\"inCache\":true,\"inactive\":false,\"initialized\":true,\"isAdditionalLoaded\":false,\"localID\":{\"numberDouble\":\"30064798760\"},\"modificationCount\":{\"numberInt\":\"1\"}},\"observables\":[{\"type\":\"IPv4 Address\",\"value\":\"192.168.40.45\"}],\"useCase\":\"UC216 - EPP - Persistent Malware\",\"company\":\"ACME\",\"tags\":[\"Cloud-Computing\",\"Virus\",\"Phishing\"],\"categories\":[\"Ransomware\",\"Phishing\"],\"detectionRule\":\"WRONG_PASSWORD_3_ATTEMPTS\",\"killChain\":[\"Reconnaissance\",\"Weaponization\",\"Delivery\"]}")
{
Headers =
{
ContentType = new MediaTypeHeaderValue("application/json")
}
}
};
using (var response = await client.SendAsync(request))
{
response.EnsureSuccessStatusCode();
var body = await response.Content.ReadAsStringAsync();
Console.WriteLine(body);
}
HttpResponse<String> response = Unirest.post("https://test-api.cyberproof.io/api/v1/alerts")
.header("Content-Type", "application/json")
.header("Accept", "application/json")
.header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
.body("{\"name\":\"Email messages containing malware removed after delivery\",\"sourceId\":\"345ffe9a\",\"severity\":\"High\",\"description\":\"message containing malware are delivered to mailboxes in your organization. Office 365 removed the infected messages from Exchange Online mailboxes.\",\"sourceUrl\":\"http://10.0.0.90/MySIEM/api/alerts/345ffe9a\",\"raw\":{\"attributeInitializationInProgress\":false,\"createdTime\":{\"day\":{\"numberInt\":\"18\"},\"hour\":{\"numberInt\":\"16\"},\"milliSecond\":{\"numberInt\":\"711\"},\"minute\":{\"numberInt\":\"10\"},\"month\":{\"numberInt\":\"6\"},\"second\":{\"numberInt\":\"47\"},\"timezoneID\":\"Israel\",\"year\":{\"numberInt\":\"2017\"}},\"createdTimestamp\":{\"numberDouble\":\"1500383447711\"},\"deprecated\":false,\"description\":\"ACME\",\"disabled\":false,\"inCache\":true,\"inactive\":false,\"initialized\":true,\"isAdditionalLoaded\":false,\"localID\":{\"numberDouble\":\"30064798760\"},\"modificationCount\":{\"numberInt\":\"1\"}},\"observables\":[{\"type\":\"IPv4 Address\",\"value\":\"192.168.40.45\"}],\"useCase\":\"UC216 - EPP - Persistent Malware\",\"company\":\"ACME\",\"tags\":[\"Cloud-Computing\",\"Virus\",\"Phishing\"],\"categories\":[\"Ransomware\",\"Phishing\"],\"detectionRule\":\"WRONG_PASSWORD_3_ATTEMPTS\",\"killChain\":[\"Reconnaissance\",\"Weaponization\",\"Delivery\"]}")
.asString();
POST /alerts
Creates a new alert
Creates a new alert in CDC.
This operation is idempotent: if the client provides a sourceId which already exists in CDC, then the operation succeeds with UPSERT semantics. NOTE: The maximum request size is 2 MB.
Body parameter
{
  "name": "Email messages containing malware removed after delivery",
  "sourceId": "345ffe9a",
  "severity": "High",
  "description": "message containing malware are delivered to mailboxes in your organization. Office 365 removed the infected messages from Exchange Online mailboxes.",
  "sourceUrl": "http://10.0.0.90/MySIEM/api/alerts/345ffe9a",
  "raw": {
    "attributeInitializationInProgress": false,
    "createdTime": {
      "day": { "numberInt": "18" },
      "hour": { "numberInt": "16" },
      "milliSecond": { "numberInt": "711" },
      "minute": { "numberInt": "10" },
      "month": { "numberInt": "6" },
      "second": { "numberInt": "47" },
      "timezoneID": "Israel",
      "year": { "numberInt": "2017" }
    },
    "createdTimestamp": { "numberDouble": "1500383447711" },
    "deprecated": false,
    "description": "ACME",
    "disabled": false,
    "inCache": true,
    "inactive": false,
    "initialized": true,
    "isAdditionalLoaded": false,
    "localID": { "numberDouble": "30064798760" },
    "modificationCount": { "numberInt": "1" }
  },
  "observables": [
    {
      "type": "IPv4 Address",
      "value": "192.168.40.45"
    }
  ],
  "useCase": "UC216 - EPP - Persistent Malware",
  "company": "ACME",
  "tags": [
    "Cloud-Computing",
    "Virus",
    "Phishing"
  ],
  "categories": [
    "Ransomware",
    "Phishing"
  ],
  "detectionRule": "WRONG_PASSWORD_3_ATTEMPTS",
  "killChain": [
    "Reconnaissance",
    "Weaponization",
    "Delivery"
  ]
}
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
body | body | object | true | none |
» name | body | string | true | The name of the alert |
» sourceId | body | string | true | The identifier of the alert, as it appears in the source system. In most cases this would be the ID as it appears in the SIEM. It cannot exceed 400 characters. |
» severity | body | string | true | The severity of the alert. Must be one of the severities defined in CDC. |
» description | body | string | true | The description of the alert. It cannot exceed 256 characters. |
» sourceUrl | body | string(uri) | false | The source URL of the alert in the SIEM or in the origin system |
» raw | body | object | false | Alert raw data, as provided by the SIEM or source system. NOTE: object's keys cannot start with $ nor contain . characters. |
» observables | body | [object] | false | The observables associated with this alert |
»» type | body | string | true | The type of the observable |
»» value | body | string | true | The value of the observable |
» useCase | body | string | false | Alert use case |
» company | body | string | false | The company with which this alert is associated |
» tags | body | [string] | false | Array of tags. A tag's name should be a single word and cannot include spaces. |
» categories | body | [string] | false | Mapping of alert to specific category in SIEM |
» detectionRule | body | string | false | Name of detection rule from SIEM that triggered the generation of alert. It cannot exceed 256 characters. |
» killChain | body | [string] | false | Mapping of alert to specific Kill Chain phases. |
Detailed descriptions
» tags: Array of tags. A tag's name should be a single word and cannot include spaces.
Tags are case-preserving on insertion: if a tag doesn't already exist with a different casing style, the tag will be saved with the casing specified. When used as query filters, tags are treated as case-insensitive.
» killChain: Mapping of alert to specific Kill Chain phases. The case of the names will be ignored, as well as spaces and duplicate values. All values will be normalized according to the provided enum. See in Wikipedia.
This field accepts any value; the provided enum shows the recommended values.
Enumerated Values
Parameter | Value |
---|---|
» killChain | Reconnaissance |
» killChain | Weaponization |
» killChain | Delivery |
» killChain | Exploitation |
» killChain | Installation |
» killChain | Command and Control |
» killChain | Actions on Objective |
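The parameter table and detailed descriptions above spell out constraints that the server enforces with a 400 response: required fields, the 400-character limit on sourceId, the 256-character limits on description and detectionRule, raw keys that may not start with $ or contain ., single-word tags, the 2 MB request limit, and the case-, space- and duplicate-insensitive normalization of killChain against the enum. Checking them client-side catches a bad alert before it leaves the integration. The following Python is an added example written for this page, not CyberProof's code or SDK; it assumes "2 MB" means 2*1024*1024 bytes, uses a constructed sample alert, and its normalize_kill_chain mirrors the documented rule as read here (unrecognised phases are passed through, since the field accepts any value).

```python
import json

# Canonical Kill Chain phase names from the reference's enumerated values.
KILL_CHAIN_PHASES = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objective",
]
_PHASE_INDEX = {p.replace(" ", "").lower(): p for p in KILL_CHAIN_PHASES}
MAX_REQUEST_BYTES = 2 * 1024 * 1024  # "2 MB"; binary megabytes are an assumption


def normalize_kill_chain(phases):
    """Mirror the documented normalization: ignore case and spaces, drop
    duplicates, and map recognised names to the enum spelling. Unknown values
    are kept as given (the field accepts any value)."""
    out, seen = [], set()
    for raw in phases:
        key = raw.replace(" ", "").lower()
        if not key or key in seen:
            continue
        seen.add(key)
        out.append(_PHASE_INDEX.get(key, raw.strip()))
    return out


def check_raw_keys(obj, path=""):
    """Return the paths of keys in `raw` that start with '$' or contain '.',
    checked recursively through nested objects and arrays."""
    bad = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}/{key}"
            if key.startswith("$") or "." in key:
                bad.append(here)
            bad.extend(check_raw_keys(value, here))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            bad.extend(check_raw_keys(value, f"{path}/{i}"))
    return bad


def validate_alert(alert):
    """Apply the createAlert field constraints and return a list of problems
    (empty when the payload should be accepted)."""
    problems = []
    for field in ("name", "sourceId", "severity", "description"):
        if not alert.get(field):
            problems.append(f"{field} is required")
    if len(alert.get("sourceId", "")) > 400:
        problems.append("sourceId exceeds 400 characters")
    for field in ("description", "detectionRule"):
        if len(alert.get(field, "")) > 256:
            problems.append(f"{field} exceeds 256 characters")
    for tag in alert.get("tags", []):
        if not tag.strip() or " " in tag.strip():
            problems.append(f"tag {tag!r} must be a single word")
    for i, obs in enumerate(alert.get("observables", [])):
        if not obs.get("type") or not obs.get("value"):
            problems.append(f"observables[{i}] needs type and value")
    for path in check_raw_keys(alert.get("raw", {})):
        problems.append(f"raw key {path} starts with '$' or contains '.'")
    if len(json.dumps(alert).encode("utf-8")) > MAX_REQUEST_BYTES:
        problems.append("request body exceeds the 2 MB limit")
    return problems


def build_create_request(alert, api_key):
    """Normalize killChain, validate, and return (method, path, headers, body)
    ready for http.client; raises ValueError listing every problem found."""
    alert = dict(alert)
    if "killChain" in alert:
        alert["killChain"] = normalize_kill_chain(alert["killChain"])
    problems = validate_alert(alert)
    if problems:
        raise ValueError("; ".join(problems))
    headers = {"Content-Type": "application/json",
               "Accept": "application/json", "X-API-KEY": api_key}
    return "POST", "/api/v1/alerts", headers, json.dumps(alert)


# Constructed sample, modelled on the reference's body parameter.
SAMPLE_ALERT = {
    "name": "Email messages containing malware removed after delivery",
    "sourceId": "345ffe9a",
    "severity": "High",
    "description": "Messages containing malware were delivered and then removed.",
    "raw": {"createdTimestamp": {"numberDouble": "1500383447711"}, "description": "ACME"},
    "observables": [{"type": "IPv4 Address", "value": "192.168.40.45"}],
    "tags": ["Cloud-Computing", "Virus"],
    "killChain": ["reconnaissance", "Command And Control", "Delivery", "delivery"],
}

if __name__ == "__main__":
    method, path, headers, body = build_create_request(SAMPLE_ALERT, "<api-key-placeholder>")
    print(method, path, body)
    # To send: http.client.HTTPSConnection("<tenant>.api.cyberproof.io").request(method, path, body, headers)
```

The key is placed in the X-API-KEY header rather than the apiKey query parameter; both are accepted per the Authentication section, but query strings are routinely recorded in proxy and server access logs, so the header form keeps the credential out of them. Because sourceId is the UPSERT key, re-sending the same alert after a transient failure is safe; a client that retries should therefore keep sourceId stable across attempts.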
Example responses
201 Response
{
  "id": "5e7c6cf54b832e0018f191ad",
  "source": "QRadar",
  "sourceId": 296,
  "score": 33.2,
  "name": "Windows - Multiple failed logins same user same host",
  "description": "Customer Name - AcmeCo\nAlert Name - Windows - Multiple failed logins same user same host\nDevice Vendor - Microsoft\nDevice Product - Microsoft Windows\nDevice Event Class Id - rule:105\n",
  "severity": "Medium",
  "created": "2019-08-24T14:15:22Z",
  "modified": "2019-08-24T14:15:22Z",
  "detected": "2019-08-24T14:15:22Z",
  "status": "In Incident",
  "sourceUrl": "https://192.168.41.164/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=296",
  "company": "ACME Europe",
  "useCase": "UC216 - EPP - Persistent Malware",
  "cdcUrl": "https://acme.cyberproof.io/home/alerts/alert/5e7c6cf54b832e0018f191ad",
  "tags": [
    "Cloud-Computing",
    "Virus",
    "Phishing"
  ],
  "categories": [
    "Ransomware",
    "Phishing"
  ],
  "detectionRule": "WRONG_PASSWORD_3_ATTEMPTS",
  "killChain": [
    "Reconnaissance",
    "Weaponization",
    "Delivery"
  ]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
201 | Created | The alert has been created | AlertSummary |
400 | Bad Request | The request is invalid | None |
401 | Unauthorized | Authentication failure | None |
403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
413 | Payload Too Large | The payload sent by the client exceeds the size limits imposed by the server | None |
429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate limiting policy of the server. | None |
500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
503 | Service Unavailable | The server cannot handle the request at the moment | None |
504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
queryAlerts
Code samples
curl --request GET \
--url https://test-api.cyberproof.io/api/v1/alerts \
--header 'Accept: application/json' \
--header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a'
fetch("https://test-api.cyberproof.io/api/v1/alerts", {
  "method": "GET",
  "headers": {
    "Accept": "application/json",
    "X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
  }
})
.then(response => {
  console.log(response);
})
.catch(err => {
  console.error(err);
});
import http.client
conn = http.client.HTTPSConnection("test-api.cyberproof.io")
headers = {
    'Accept': "application/json",
    'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("GET", "/api/v1/alerts", headers=headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
package main

import (
	"fmt"
	"io/ioutil"
	"net/http"
)

func main() {
	url := "https://test-api.cyberproof.io/api/v1/alerts"
	req, err := http.NewRequest("GET", url, nil)
	if err != nil {
		fmt.Println("building request failed:", err)
		return
	}
	req.Header.Add("Accept", "application/json")
	req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")

	// Check the transport error before touching res: on failure res is nil
	// and res.Body.Close() would panic.
	res, err := http.DefaultClient.Do(req)
	if err != nil {
		fmt.Println("request failed:", err)
		return
	}
	defer res.Body.Close()

	body, err := ioutil.ReadAll(res.Body)
	if err != nil {
		fmt.Println("reading response failed:", err)
		return
	}
	fmt.Println(res)
	fmt.Println(string(body))
}
var client = new HttpClient();
var request = new HttpRequestMessage
{
    Method = HttpMethod.Get,
    RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/alerts"),
    Headers =
    {
        { "Accept", "application/json" },
        { "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
    },
};
using (var response = await client.SendAsync(request))
{
    response.EnsureSuccessStatusCode();
    var body = await response.Content.ReadAsStringAsync();
    Console.WriteLine(body);
}
HttpResponse<String> response = Unirest.get("https://test-api.cyberproof.io/api/v1/alerts")
.header("Accept", "application/json")
.header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
.asString();
GET /alerts
Queries alerts based on filters provided by the client. For synchronization purposes, the updatedAfter filter option should be used.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
marker | query | string(byte) | false | A continuation token, used to retrieve the next results page. |
updatedBefore | query | string(date-time) | false | Include only those which were updated before the specified timestamp (exclusive) |
updatedAfter | query | string(date-time) | false | Include only those which were updated after or at the specified timestamp (inclusive) |
detectedBefore | query | string(date-time) | false | Include only those which were detected before the specified timestamp (exclusive) |
detectedAfter | query | string(date-time) | false | Include only those which were detected after the specified timestamp (inclusive) |
status | query | array[string] | false | Filter alerts by status |
severity | query | array[string] | false | Filter alerts by severity |
company | query | string | false | Filter alerts by company |
source | query | string | false | Filters alerts by their source system. |
sourceId | query | string | false | When combined with the source parameter - finds an alert by its source ID (the ID as defined by the SIEM). |
useCase | query | string | false | Filters alerts by their use case. |
observableType | query | string | false | Filters alerts by observable: only alerts linked to the specified observable will be returned. |
observableValue | query | string | false | Filters alerts by observable: only alerts linked to the specified observable will be returned. |
tags | query | array[string] | false | Filters alerts by tags. |
tagsCondition | query | string | false | If tags contains multiple items, determines the query predicate: |
Detailed descriptions
source: Filters alerts by their source system. Often combined with the sourceId parameter, in order to find an alert by its external ID.
sourceId: When combined with the source parameter - finds an alert by its source ID (the ID as defined by the SIEM). If sourceId is specified but source is not specified, the query will fail and return 400 (Bad Request).
observableType: Filters alerts by observable: only alerts linked to the specified observable will be returned. This parameter specifies the observable's type, and it must be combined with the observableValue parameter.
observableValue: Filters alerts by observable: only alerts linked to the specified observable will be returned. This parameter specifies the observable's value, and it must be combined with the observableType parameter.
tags: Filters alerts by tags. Note: if more than one tag is specified, the client must specify the tagsCondition (otherwise the server will return 400 Bad Request).
tagsCondition: If tags contains multiple items, determines the query predicate:
- any: returns results which contain at least one of the specified tags
- all: returns results which contain all of the specified tags
Enumerated Values
Parameter | Value |
---|---|
tagsCondition | any |
tagsCondition | all |
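Three things in the GET /alerts reference are easy to get wrong in an integration: the parameter combination rules that produce a 400 (sourceId without source, an unpaired observableType/observableValue, several tags without tagsCondition), following nextMarker until it comes back empty, and backing off on a 429 as the Responses table asks. The Python below is an added example written for this page, not CyberProof's code or SDK. It assumes array parameters are sent as repeated query keys (the reference only types them as array[string]) and picks a doubling delay for 429 retries (the page names no specific policy). The transport is injected, and FakeAlertServer is a constructed stand-in with made-up alert records, so the paging, throttling and updatedAfter checkpointing run offline.

```python
import time
from urllib.parse import urlencode, parse_qs

TAGS_CONDITIONS = {"any", "all"}


def build_alert_query(**filters):
    """Encode GET /alerts filters, enforcing the combination rules the
    reference documents as 400 Bad Request before a request is sent."""
    params = {k: v for k, v in filters.items() if v is not None}
    if "sourceId" in params and "source" not in params:
        raise ValueError("sourceId requires source")
    if ("observableType" in params) != ("observableValue" in params):
        raise ValueError("observableType and observableValue must be given together")
    tags = params.get("tags", [])
    if isinstance(tags, str):
        tags = params["tags"] = [tags]
    if len(tags) > 1 and params.get("tagsCondition") not in TAGS_CONDITIONS:
        raise ValueError("more than one tag requires tagsCondition=any|all")
    # Assumption: array parameters (status, severity, tags) go as repeated keys.
    return urlencode(params, doseq=True)


def query_error(**filters):
    """Return the validation message for a filter set, or None if it is valid."""
    try:
        build_alert_query(**filters)
        return None
    except ValueError as exc:
        return str(exc)


def iter_alerts(send, filters, sleep=time.sleep, max_retries=5):
    """Yield alerts page by page, following nextMarker until it is empty.
    `send(query_string)` returns (http_status, parsed_json_body); injecting it
    keeps the paging and throttling logic testable without network access."""
    marker = None
    while True:
        params = dict(filters)
        if marker:
            params["marker"] = marker
        query = build_alert_query(**params)
        delay = 1.0
        for _ in range(max_retries + 1):
            status, body = send(query)
            if status != 429:
                break
            # 429: back off and retry; doubling the delay is this example's choice.
            sleep(delay)
            delay *= 2
        else:
            raise RuntimeError("still throttled after %d retries" % max_retries)
        if status != 200:
            raise RuntimeError("GET /alerts returned HTTP %d" % status)
        yield from body.get("results", [])
        marker = body.get("nextMarker") or ""
        if not marker:
            return


def sync_alerts(send, checkpoint, sleep=time.sleep):
    """Incremental synchronization as the reference recommends: query with
    updatedAfter=checkpoint (inclusive) and return the alerts together with the
    new checkpoint, the latest `modified` timestamp seen."""
    alerts = list(iter_alerts(send, {"updatedAfter": checkpoint}, sleep=sleep))
    new_checkpoint = max([a["modified"] for a in alerts] + [checkpoint])
    return alerts, new_checkpoint


class FakeAlertServer:
    """Constructed stand-in for GET /alerts: two pages of made-up alerts, and
    the very first request is throttled once to exercise the retry path."""

    def __init__(self):
        self.calls = []
        self.throttled_once = False
        self.pages = {
            "": {"nextMarker": "bTE=", "results": [
                {"id": "a1", "modified": "2019-08-24T14:15:22Z"},
                {"id": "a2", "modified": "2019-08-24T15:00:00Z"}]},
            "bTE=": {"nextMarker": "", "results": [
                {"id": "a3", "modified": "2019-08-25T09:30:00Z"}]},
        }

    def send(self, query):
        self.calls.append(query)
        if not self.throttled_once:
            self.throttled_once = True
            return 429, {}
        marker = parse_qs(query).get("marker", [""])[0]
        return 200, self.pages[marker]


if __name__ == "__main__":
    server = FakeAlertServer()
    alerts, nxt = sync_alerts(server.send, "2019-08-24T00:00:00Z", sleep=lambda _: None)
    print([a["id"] for a in alerts], nxt)
    # Against the real API, `send` would wrap http.client:
    # conn.request("GET", "/api/v1/alerts?" + query, headers={"X-API-KEY": "..."})
```

Because updatedAfter is inclusive, resuming from the last `modified` value re-delivers the alert that carried it; treating `id` as the de-duplication key on the consumer side makes that harmless and avoids losing an alert modified in the same second.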
Example responses
200 Response
{
  "nextMarker": "string",
  "results": [
    {
      "id": "5e7c6cf54b832e0018f191ad",
      "source": "QRadar",
      "sourceId": 296,
      "score": 33.2,
      "name": "Windows - Multiple failed logins same user same host",
      "description": "Customer Name - AcmeCo\nAlert Name - Windows - Multiple failed logins same user same host\nDevice Vendor - Microsoft\nDevice Product - Microsoft Windows\nDevice Event Class Id - rule:105\n",
      "severity": "Medium",
      "created": "2019-08-24T14:15:22Z",
      "modified": "2019-08-24T14:15:22Z",
      "detected": "2019-08-24T14:15:22Z",
      "status": "In Incident",
      "sourceUrl": "https://192.168.41.164/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=296",
      "company": "ACME Europe",
      "useCase": "UC216 - EPP - Persistent Malware",
      "cdcUrl": "https://acme.cyberproof.io/home/alerts/alert/5e7c6cf54b832e0018f191ad",
      "tags": [
        "Cloud-Computing",
        "Virus",
        "Phishing"
      ],
      "categories": [
        "Ransomware",
        "Phishing"
      ],
      "detectionRule": "WRONG_PASSWORD_3_ATTEMPTS",
      "killChain": [
        "Reconnaissance",
        "Weaponization",
        "Delivery"
      ]
    }
  ]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | A JSON object containing the results and additional information | Inline |
400 | Bad Request | The request is invalid | None |
401 | Unauthorized | Authentication failure | None |
403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
413 | Payload Too Large | The payload sent by the client exceeds the size limits imposed by the server | None |
429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate limiting policy of the server. | None |
500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
503 | Service Unavailable | The server cannot handle the request at the moment | None |
504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
Response Schema
Status Code 200
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
» nextMarker | string(byte) | false | none | a continuation token. Empty if there are no further results |
» results | [AlertSummary] | true | none | none |
»» id | string | true | none | A unique, machine-oriented ID identifying this alert. |
»» source | string | true | none | The name of the source system |
»» sourceId | string | true | none | The ID of the alert in the source system |
»» score | number(double) | false | none | The score of the alert |
»» name | string | true | none | The name of the alert |
»» description | string | true | none | The description of the alert |
»» severity | string | true | none | The severity of the alert |
»» created | string(date-time) | true | none | Alert creation timestamp |
»» modified | string(date-time) | true | none | Last modification timestamp |
»» detected | string(date-time) | true | none | Alert detection timestamp |
»» status | string | true | none | Alert status |
»» sourceUrl | string(uri) | true | none | A URI of this alert pointing to the source system |
»» company | string | false | none | The company with which the alert is associated |
»» useCase | string | false | none | Alert use case |
»» cdcUrl | string(uri) | false | none | The URL of this alert in the CDC application. |
»» tags | [string] | false | none | Array of tags. A tag's name should be a single word and cannot include spaces. Tags are case-preserving on insertion: if a tag doesn't already exist with a different casing style, the tag will be saved with the casing specified. When used as query filters, tags are treated as case-insensitive. |
»» categories | [string] | false | none | Mapping of alert to specific category in SIEM |
»» detectionRule | string | false | none | Name of detection rule from SIEM that triggered the generation of alert |
»» killChain | [string] | false | none | Mapping of alert to specific Kill Chain phases. See in Wikipedia |
Enumerated Values
Property | Value |
---|---|
killChain | Reconnaissance |
killChain | Weaponization |
killChain | Delivery |
killChain | Exploitation |
killChain | Installation |
killChain | Command and Control |
killChain | Actions on Objective |
getAlert
Code samples
curl --request GET \
--url https://test-api.cyberproof.io/api/v1/alerts/5a9e19eebdee5a000a8fe060 \
--header 'Accept: application/json' \
--header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a'
fetch("https://test-api.cyberproof.io/api/v1/alerts/5a9e19eebdee5a000a8fe060", {
  "method": "GET",
  "headers": {
    "Accept": "application/json",
    "X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
  }
})
.then(response => {
  console.log(response);
})
.catch(err => {
  console.error(err);
});
import http.client
conn = http.client.HTTPSConnection("test-api.cyberproof.io")
headers = {
    'Accept': "application/json",
    'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("GET", "/api/v1/alerts/5a9e19eebdee5a000a8fe060", headers=headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
package main

import (
	"fmt"
	"io/ioutil"
	"net/http"
)

func main() {
	url := "https://test-api.cyberproof.io/api/v1/alerts/5a9e19eebdee5a000a8fe060"
	req, err := http.NewRequest("GET", url, nil)
	if err != nil {
		fmt.Println("building request failed:", err)
		return
	}
	req.Header.Add("Accept", "application/json")
	req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")

	// Check the transport error before touching res: on failure res is nil
	// and res.Body.Close() would panic.
	res, err := http.DefaultClient.Do(req)
	if err != nil {
		fmt.Println("request failed:", err)
		return
	}
	defer res.Body.Close()

	body, err := ioutil.ReadAll(res.Body)
	if err != nil {
		fmt.Println("reading response failed:", err)
		return
	}
	fmt.Println(res)
	fmt.Println(string(body))
}
var client = new HttpClient();
var request = new HttpRequestMessage
{
    Method = HttpMethod.Get,
    RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/alerts/5a9e19eebdee5a000a8fe060"),
    Headers =
    {
        { "Accept", "application/json" },
        { "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
    },
};
using (var response = await client.SendAsync(request))
{
    response.EnsureSuccessStatusCode();
    var body = await response.Content.ReadAsStringAsync();
    Console.WriteLine(body);
}
HttpResponse<String> response = Unirest.get("https://test-api.cyberproof.io/api/v1/alerts/5a9e19eebdee5a000a8fe060")
.header("Accept", "application/json")
.header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
.asString();
GET /alerts/{alert_id}
Returns a single alert
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
alert_id | path | string | true | The unique ID of the alert, as defined by CDC |
Example responses
200 Response
{
  "id": "5e7c6cf54b832e0018f191ad",
  "source": "QRadar",
  "sourceId": 296,
  "score": 33.2,
  "name": "Windows - Multiple failed logins same user same host",
  "description": "Customer Name - AcmeCo\nAlert Name - Windows - Multiple failed logins same user same host\nDevice Vendor - Microsoft\nDevice Product - Microsoft Windows\nDevice Event Class Id - rule:105\n",
  "severity": "Medium",
  "created": "2019-08-24T14:15:22Z",
  "modified": "2019-08-24T14:15:22Z",
  "detected": "2019-08-24T14:15:22Z",
  "status": "In Incident",
  "sourceUrl": "https://192.168.41.164/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=296",
  "company": "ACME Europe",
  "useCase": "UC216 - EPP - Persistent Malware",
  "cdcUrl": "https://acme.cyberproof.io/home/alerts/alert/5e7c6cf54b832e0018f191ad",
  "tags": [
    "Cloud-Computing",
    "Virus",
    "Phishing"
  ],
  "categories": [
    "Ransomware",
    "Phishing"
  ],
  "detectionRule": "WRONG_PASSWORD_3_ATTEMPTS",
  "killChain": [
    "Reconnaissance",
    "Weaponization",
    "Delivery"
  ],
  "raw": {
    "attributeInitializationInProgress": false,
    "createdTime": {
      "day": { "numberInt": "18" },
      "hour": { "numberInt": "16" },
      "milliSecond": { "numberInt": "711" },
      "minute": { "numberInt": "10" },
      "month": { "numberInt": "6" },
      "second": { "numberInt": "47" },
      "timezoneID": "Israel",
      "year": { "numberInt": "2017" }
    },
    "createdTimestamp": { "numberDouble": "1500383447711" },
    "deprecated": false,
    "description": "ACME",
    "disabled": false,
    "inCache": true,
    "inactive": false,
    "initialized": true,
    "isAdditionalLoaded": false,
    "localID": { "numberDouble": "30064798760" },
    "modificationCount": { "numberInt": "1" }
  }
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | success | Alert |
400 | Bad Request | The request is invalid | None |
401 | Unauthorized | Authentication failure | None |
403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
404 | Not Found | The requested resource was not found | None |
429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate limiting policy of the server. | None |
500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
503 | Service Unavailable | The server cannot handle the request at the moment | None |
504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
Response Headers
Status | Header | Type | Format | Description |
---|---|---|---|---|
200 | ETag | string | | Includes an identifier for a specific version of a resource. Commonly used as the basis for conditional gets and conditional updates. |
addToAlertKillChain
Code samples
curl --request POST \
--url https://test-api.cyberproof.io/api/v1/alerts/5a9e19eebdee5a000a8fe060/killChain \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a' \
--data '{"phases":["Reconnaissance","Weaponization","Delivery"]}'
fetch("https://test-api.cyberproof.io/api/v1/alerts/5a9e19eebdee5a000a8fe060/killChain", {
  "method": "POST",
  "headers": {
    "Content-Type": "application/json",
    "Accept": "application/json",
    "X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
  },
  "body": "{\"phases\":[\"Reconnaissance\",\"Weaponization\",\"Delivery\"]}"
})
.then(response => {
  console.log(response);
})
.catch(err => {
  console.error(err);
});
import http.client
conn = http.client.HTTPSConnection("test-api.cyberproof.io")
payload = "{\"phases\":[\"Reconnaissance\",\"Weaponization\",\"Delivery\"]}"
headers = {
'Content-Type': "application/json",
'Accept': "application/json",
'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("POST", "/api/v1/alerts/5a9e19eebdee5a000a8fe060/killChain", payload, headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
package main
import (
"fmt"
"strings"
"net/http"
"io/ioutil"
)
func main() {
url := "https://test-api.cyberproof.io/api/v1/alerts/5a9e19eebdee5a000a8fe060/killChain"
payload := strings.NewReader("{\"phases\":[\"Reconnaissance\",\"Weaponization\",\"Delivery\"]}")
req, _ := http.NewRequest("POST", url, payload)
req.Header.Add("Content-Type", "application/json")
req.Header.Add("Accept", "application/json")
req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
res, _ := http.DefaultClient.Do(req)
defer res.Body.Close()
body, _ := ioutil.ReadAll(res.Body)
fmt.Println(res)
fmt.Println(string(body))
}
var client = new HttpClient();
var request = new HttpRequestMessage
{
Method = HttpMethod.Post,
RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/alerts/5a9e19eebdee5a000a8fe060/killChain"),
Headers =
{
{ "Accept", "application/json" },
{ "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
},
Content = new StringContent("{\"phases\":[\"Reconnaissance\",\"Weaponization\",\"Delivery\"]}")
{
Headers =
{
ContentType = new MediaTypeHeaderValue("application/json")
}
}
};
using (var response = await client.SendAsync(request))
{
response.EnsureSuccessStatusCode();
var body = await response.Content.ReadAsStringAsync();
Console.WriteLine(body);
}
HttpResponse<String> response = Unirest.post("https://test-api.cyberproof.io/api/v1/alerts/5a9e19eebdee5a000a8fe060/killChain")
.header("Content-Type", "application/json")
.header("Accept", "application/json")
.header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
.body("{\"phases\":[\"Reconnaissance\",\"Weaponization\",\"Delivery\"]}")
.asString();
POST /alerts/{alert_id}/killChain
Add phases to alert Kill Chain
Add phases to alert Kill Chain. This operation is idempotent (upsert)
Body parameter
{
"phases": [
"Reconnaissance",
"Weaponization",
"Delivery"
]
}
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
alert_id | path | string | true | The unique ID of the alert, as defined by CDC |
body | body | AddToAlertKillChainRequest | true | none |
Example responses
201 Response
{
"id": "5e7c6cf54b832e0018f191ad",
"modified": "2019-08-24T14:15:22Z",
"modifiedBy": "9e7b6af34b632a7718f191ad",
"killChain": [
"Reconnaissance",
"Weaponization",
"Delivery"
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
201 | Created | The phases are successfully added to alert KillChain. | AlertKillChainUpdateResponse |
400 | Bad Request | The request is invalid | None |
401 | Unauthorized | Authentication failure | None |
403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
413 | Payload Too Large | The payload sent by the client exceeds the size limits imposed by the server | None |
429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate limiting policy of the server. | None |
500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
503 | Service Unavailable | The server cannot handle the request at the moment | None |
504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
incidents
Incidents APIs
queryIncidents
Code samples
curl --request GET \
--url https://test-api.cyberproof.io/api/v1/incidents \
--header 'Accept: application/json' \
--header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a'
fetch("https://test-api.cyberproof.io/api/v1/incidents", {
"method": "GET",
"headers": {
"Accept": "application/json",
"X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
}
})
.then(response => {
console.log(response);
})
.catch(err => {
console.error(err);
});
import http.client
conn = http.client.HTTPSConnection("test-api.cyberproof.io")
headers = {
'Accept': "application/json",
'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("GET", "/api/v1/incidents", headers=headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
package main
import (
"fmt"
"net/http"
"io/ioutil"
)
func main() {
url := "https://test-api.cyberproof.io/api/v1/incidents"
req, _ := http.NewRequest("GET", url, nil)
req.Header.Add("Accept", "application/json")
req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
res, _ := http.DefaultClient.Do(req)
defer res.Body.Close()
body, _ := ioutil.ReadAll(res.Body)
fmt.Println(res)
fmt.Println(string(body))
}
var client = new HttpClient();
var request = new HttpRequestMessage
{
Method = HttpMethod.Get,
RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/incidents"),
Headers =
{
{ "Accept", "application/json" },
{ "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
},
};
using (var response = await client.SendAsync(request))
{
response.EnsureSuccessStatusCode();
var body = await response.Content.ReadAsStringAsync();
Console.WriteLine(body);
}
HttpResponse<String> response = Unirest.get("https://test-api.cyberproof.io/api/v1/incidents")
.header("Accept", "application/json")
.header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
.asString();
GET /incidents
Queries incidents based on filters provided by the client. For synchronization purposes, the updatedAfter filter option should be used.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
marker | query | string(byte) | false | A continuation token, used to retrieve the next results page. |
externalId | query | string | false | Filters according to the specified external ID. Used in conjunction with the externalSystem parameter. |
externalSystem | query | string | false | Identifies the external system to which the filter refers. |
include | query | array[string] | false | Specifies which additional fields to include in the query results: |
status | query | array[string] | false | Filter incidents by status |
pendingForGroup | query | string | false | Return only incidents that are pending redirection to the specified group. |
group | query | string | false | filter incidents by the group (tier) which currently owns them (L1, L2, Customer) |
updatedBefore | query | string(date-time) | false | Include only those which were updated before the specified timestamp (exclusive) |
updatedAfter | query | string(date-time) | false | Include only those which were updated after or at the specified timestamp (inclusive) |
tags | query | array[string] | false | Filters incidents by tags. |
tagsCondition | query | string | false | If tags contains multiple items, determines the query predicate: |
Detailed descriptions
externalId: Filters according to the specified external ID. Used in conjunction with the externalSystem parameter. If specified, then externalSystem MUST be specified as well.
externalSystem: Identifies the external system to which the filter refers. Used in conjunction with the externalId parameter:
- If externalId is also specified, the filter will return only items which have the specified externalId at the specified externalSystem.
- If externalId is not specified, the filter will return all items which have some external ID at the specified externalSystem.
include: Specifies which additional fields to include in the query results:
- name: includes the incident name.
- description: includes the incident description.
- tags: includes the incident tags.
- externalIds: includes the external IDs associated with the incident, which the caller has permission to access.
- company: includes the company associated with the incident.
- url: includes the CDC application URL of the incident.
tags: Filters incidents by tags.
Note: if more than one tag is specified, the client must specify the tagsCondition (otherwise the server will return 400 Bad Request).
tagsCondition: If tags contains multiple items, determines the query predicate:
- any: returns results which contain at least one of the specified tags.
- all: returns results which contain all of the specified tags.
Enumerated Values
Parameter | Value |
---|---|
include | name |
include | description |
include | tags |
include | externalIds |
include | company |
include | redirectionReason |
include | url |
tagsCondition | any |
tagsCondition | all |
Example responses
200 Response
{
"nextMarker": "string",
"results": [
{
"id": "string",
"key": "CDC-20191208-00046",
"name": "Web Proxy - Execution file download",
"description": "Customer Name - ACME Inc<br>Alert Name - Web Proxy - Execution file download<br>Device Product - Web Gateway<br>Category Outcome - /Failure<br>\n",
"created": "2019-08-24T14:15:22Z",
"updated": "2019-08-24T14:15:22Z",
"type": "DDOS",
"status": "Closed",
"priority": "Low",
"group": "L1",
"externalIds": [
{
"system": "ServiceNow",
"id": "40385fee"
}
],
"tags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"company": "ACME Europe",
"pendingForGroup": "string",
"redirectionReason": "string"
}
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | A JSON object containing the results and additional information | IncidentsQueryResults |
400 | Bad Request | The request is invalid | None |
401 | Unauthorized | Authentication failure | None |
403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
413 | Payload Too Large | The payload sent by the client exceeds the size limits imposed by the server | None |
429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate limiting policy of the server. | None |
500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
503 | Service Unavailable | The server cannot handle the request at the moment | None |
504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
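The description above recommends updatedAfter for synchronization and the parameter table describes marker/nextMarker paging and the tags/tagsCondition rule, but it does not show how a client should stitch those together. The following is an added example, not CyberProof's own client code: it builds the query parameters (assuming array parameters are sent as repeated keys, which the page does not state), enforces the tagsCondition rule before the request leaves the client, walks every page via nextMarker, and keeps a watermark across runs. Because updatedAfter is inclusive, incidents whose updated timestamp equals the watermark come back on the next run, so the sync deduplicates on (id, updated). The fetch_page callable and SAMPLE_PAGES are a constructed stand-in for GET https://{tenant}.api.cyberproof.io/api/v1/incidents so the example runs offline; a real fetch_page would issue that request with the X-API-KEY header.

```python
"""Added example (not CyberProof code): incident synchronization over
GET /incidents using updatedAfter, marker/nextMarker and tags/tagsCondition."""


def build_incident_query(updated_after=None, status=None, tags=None,
                         tags_condition=None, include=None, marker=None):
    """Return query parameters for GET /incidents as (name, value) pairs.
    Assumption: array parameters are encoded as repeated keys."""
    tags = list(tags or [])
    if len(tags) > 1 and tags_condition not in ("any", "all"):
        # The server answers 400 Bad Request for this; fail earlier and clearer.
        raise ValueError("tagsCondition ('any' or 'all') is required with more than one tag")
    params = []
    if updated_after:
        params.append(("updatedAfter", updated_after))
    for s in status or []:
        params.append(("status", s))
    for t in tags:
        params.append(("tags", t))
    if tags_condition:
        params.append(("tagsCondition", tags_condition))
    for field in include or []:
        params.append(("include", field))
    if marker:
        params.append(("marker", marker))
    return params


def iter_incidents(fetch_page, updated_after=None, **filters):
    """Yield incidents from every page. fetch_page(params) must return the
    IncidentsQueryResults object ('results' plus optional 'nextMarker')."""
    marker = None
    while True:
        page = fetch_page(build_incident_query(updated_after=updated_after,
                                               marker=marker, **filters))
        for incident in page.get("results", []):
            yield incident
        marker = page.get("nextMarker")
        if not marker:
            return


def sync_incidents(fetch_page, state):
    """Pull incidents updated at or after state['updatedAfter'], advance the
    watermark, and return only incidents not seen in an earlier run.
    Timestamps are compared as strings, which is safe for the API's
    fixed-format UTC ('...Z') date-times."""
    seen = state.setdefault("seen", set())
    watermark = state.get("updatedAfter")
    new = []
    for inc in iter_incidents(fetch_page, watermark, include=["tags", "externalIds"]):
        key = (inc["id"], inc["updated"])
        if key in seen:
            continue  # returned again because updatedAfter is inclusive
        seen.add(key)
        new.append(inc)
        if watermark is None or inc["updated"] > watermark:
            watermark = inc["updated"]
    state["updatedAfter"] = watermark
    # Only items sitting exactly on the watermark can reappear next run.
    state["seen"] = {k for k in seen if k[1] == watermark}
    return new


# Constructed sample pages standing in for the server (not real API data).
SAMPLE_PAGES = {
    None: {"nextMarker": "page-2", "results": [
        {"id": "a1", "key": "CDC-20191208-00046", "updated": "2019-08-24T14:15:22Z", "status": "Closed"},
        {"id": "a2", "key": "CDC-20191208-00047", "updated": "2019-08-25T09:00:00Z", "status": "Open"}]},
    "page-2": {"results": [
        {"id": "a3", "key": "CDC-20191208-00048", "updated": "2019-08-25T09:00:00Z", "status": "Open"}]},
}


def fake_fetch_page(params):
    """Offline stand-in for the HTTP call; honours marker and updatedAfter."""
    p = dict(params)
    after = p.get("updatedAfter")
    page = SAMPLE_PAGES[p.get("marker")]
    return {"nextMarker": page.get("nextMarker"),
            "results": [r for r in page["results"] if after is None or r["updated"] >= after]}


if __name__ == "__main__":
    state = {}
    print([i["key"] for i in sync_incidents(fake_fetch_page, state)])  # first run: all three
    print(sync_incidents(fake_fetch_page, state))                       # second run: nothing new
```

Persist state['updatedAfter'] and state['seen'] between runs; a 429 on any page should pause and resume from the same marker rather than restart from the watermark.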
getIncident
Code samples
curl --request GET \
--url https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060 \
--header 'Accept: application/json' \
--header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a'
fetch("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060", {
"method": "GET",
"headers": {
"Accept": "application/json",
"X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
}
})
.then(response => {
console.log(response);
})
.catch(err => {
console.error(err);
});
import http.client
conn = http.client.HTTPSConnection("test-api.cyberproof.io")
headers = {
'Accept': "application/json",
'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("GET", "/api/v1/incidents/5a9e19eebdee5a000a8fe060", headers=headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
package main
import (
"fmt"
"net/http"
"io/ioutil"
)
func main() {
url := "https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060"
req, _ := http.NewRequest("GET", url, nil)
req.Header.Add("Accept", "application/json")
req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
res, _ := http.DefaultClient.Do(req)
defer res.Body.Close()
body, _ := ioutil.ReadAll(res.Body)
fmt.Println(res)
fmt.Println(string(body))
}
var client = new HttpClient();
var request = new HttpRequestMessage
{
Method = HttpMethod.Get,
RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060"),
Headers =
{
{ "Accept", "application/json" },
{ "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
},
};
using (var response = await client.SendAsync(request))
{
response.EnsureSuccessStatusCode();
var body = await response.Content.ReadAsStringAsync();
Console.WriteLine(body);
}
HttpResponse<String> response = Unirest.get("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060")
.header("Accept", "application/json")
.header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
.asString();
GET /incidents/{incident_id}
Returns a single incident
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
incident_id | path | string | true | The unique ID of the incident |
Example responses
200 Response
{
"id": "string",
"key": "CDC-20191208-00046",
"name": "Web Proxy - Execution file download",
"description": "Customer Name - ACME Inc<br>Alert Name - Web Proxy - Execution file download<br>Device Product - Web Gateway<br>Category Outcome - /Failure<br>\n",
"created": "2019-08-24T14:15:22Z",
"updated": "2019-08-24T14:15:22Z",
"type": "DDOS",
"status": "Closed",
"priority": "Low",
"group": "L1",
"externalIds": [
{
"system": "ServiceNow",
"id": "40385fee"
}
],
"tags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"company": "ACME Europe",
"pendingForGroup": "string",
"redirectionReason": "string",
"closingComment": "string",
"closed": "2019-08-24T14:15:22Z",
"cdcUrl": "https://acme.cyberproof.io/home/incidents/incident/5ea71bb363f6c6001707663b"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | success | Incident |
400 | Bad Request | The request is invalid | None |
401 | Unauthorized | Authentication failure | None |
403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
404 | Not Found | The requested resource was not found | None |
429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate limiting policy of the server. | None |
500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
503 | Service Unavailable | The server cannot handle the request at the moment | None |
504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
Response Headers
Status | Header | Type | Format | Description |
---|---|---|---|---|
200 | ETag | string | | Includes an identifier for a specific version of a resource. Commonly used as the basis for conditional gets and conditional updates. |
updateIncident
Code samples
curl --request PATCH \
--url https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060 \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'If-Match: string' \
--header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a' \
--data '{"priority":"Low","tags":["Cloud-Computing","Virus","Phishing"],"company":"string"}'
fetch("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060", {
"method": "PATCH",
"headers": {
"Content-Type": "application/json",
"Accept": "application/json",
"If-Match": "string",
"X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
},
"body": "{\"priority\":\"Low\",\"tags\":[\"Cloud-Computing\",\"Virus\",\"Phishing\"],\"company\":\"string\"}"
})
.then(response => {
console.log(response);
})
.catch(err => {
console.error(err);
});
import http.client
conn = http.client.HTTPSConnection("test-api.cyberproof.io")
payload = "{\"priority\":\"Low\",\"tags\":[\"Cloud-Computing\",\"Virus\",\"Phishing\"],\"company\":\"string\"}"
headers = {
'Content-Type': "application/json",
'Accept': "application/json",
'If-Match': "string",
'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("PATCH", "/api/v1/incidents/5a9e19eebdee5a000a8fe060", payload, headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
package main
import (
"fmt"
"strings"
"net/http"
"io/ioutil"
)
func main() {
url := "https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060"
payload := strings.NewReader("{\"priority\":\"Low\",\"tags\":[\"Cloud-Computing\",\"Virus\",\"Phishing\"],\"company\":\"string\"}")
req, _ := http.NewRequest("PATCH", url, payload)
req.Header.Add("Content-Type", "application/json")
req.Header.Add("Accept", "application/json")
req.Header.Add("If-Match", "string")
req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
res, _ := http.DefaultClient.Do(req)
defer res.Body.Close()
body, _ := ioutil.ReadAll(res.Body)
fmt.Println(res)
fmt.Println(string(body))
}
var client = new HttpClient();
var request = new HttpRequestMessage
{
Method = HttpMethod.Patch,
RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060"),
Headers =
{
{ "Accept", "application/json" },
{ "If-Match", "string" },
{ "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
},
Content = new StringContent("{\"priority\":\"Low\",\"tags\":[\"Cloud-Computing\",\"Virus\",\"Phishing\"],\"company\":\"string\"}")
{
Headers =
{
ContentType = new MediaTypeHeaderValue("application/json")
}
}
};
using (var response = await client.SendAsync(request))
{
response.EnsureSuccessStatusCode();
var body = await response.Content.ReadAsStringAsync();
Console.WriteLine(body);
}
HttpResponse<String> response = Unirest.patch("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060")
.header("Content-Type", "application/json")
.header("Accept", "application/json")
.header("If-Match", "string")
.header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
.body("{\"priority\":\"Low\",\"tags\":[\"Cloud-Computing\",\"Virus\",\"Phishing\"],\"company\":\"string\"}")
.asString();
PATCH /incidents/{incident_id}
Updates an incident
A JSON object with details of the incident.
NOTE: The maximum request size is 100 KB.
NOTE: If tags is included, the incident's existing tags are replaced with the specified ones.
Body parameter
{
"priority": "Low",
"tags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"company": "string"
}
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
incident_id | path | string | true | The unique ID of the incident |
If-Match | header | string | false | Enables conditional modification - the resource will be modified only if its current etag matches the value specified in this header, otherwise - 412 "Precondition Failed" will be returned to the client |
body | body | object | true | none |
» priority | body | string | false | The priority of the incident |
» tags | body | [string] | false | Array of tags. A tag's name should be a single word and cannot include spaces. |
» company | body | string | false | The company with which the incident is associated |
Detailed descriptions
» tags: Array of tags. A tag's name should be a single word and cannot include spaces.
Tags are case-preserving on insertion: if a tag doesn't already exist with a different casing style, the tag will be saved with the casing specified. When used as query filters, tags are treated as case-insensitive.
Example responses
200 Response
{
"id": "string",
"key": "CDC-20191208-00046",
"name": "Web Proxy - Execution file download",
"description": "Customer Name - ACME Inc<br>Alert Name - Web Proxy - Execution file download<br>Device Product - Web Gateway<br>Category Outcome - /Failure<br>\n",
"created": "2019-08-24T14:15:22Z",
"updated": "2019-08-24T14:15:22Z",
"type": "DDOS",
"status": "Closed",
"priority": "Low",
"group": "L1",
"externalIds": [
{
"system": "ServiceNow",
"id": "40385fee"
}
],
"tags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"company": "ACME Europe",
"pendingForGroup": "string",
"redirectionReason": "string",
"closingComment": "string",
"closed": "2019-08-24T14:15:22Z",
"cdcUrl": "https://acme.cyberproof.io/home/incidents/incident/5ea71bb363f6c6001707663b"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | The incident was updated | Incident |
400 | Bad Request | The request is invalid | None |
401 | Unauthorized | Authentication failure | None |
403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
404 | Not Found | The requested resource was not found | None |
409 | Conflict | The attempted operation conflicts with the current state of the incident | None |
412 | Precondition Failed | A precondition specified by the client was not met. This occurs if an etag was specified in an If-Match header which doesn't match the etag found in the underlying data store | None |
413 | Payload Too Large | The payload sent by the client exceeds the size limits imposed by the server | None |
429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate limiting policy of the server. | None |
500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
503 | Service Unavailable | The server cannot handle the request at the moment | None |
504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
Response Headers
Status | Header | Type | Format | Description |
---|---|---|---|---|
200 | ETag | string | | Includes an identifier for a specific version of a resource. Commonly used as the basis for conditional gets and conditional updates. |
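The If-Match parameter and the 412 row describe conditional modification, and the tags note says a PATCH replaces the whole tags array; together they mean that two integrations tagging the same incident can silently overwrite each other unless they send the ETag from their last GET. The following is an added example, not CyberProof's own code, of the read-modify-write loop a client should use against PATCH /incidents/{incident_id} (the same If-Match header applies to POST /incidents/{incident_id}/close). FakeIncidentStore is a constructed in-memory stand-in for the API that mimics the documented 404, 409, 412 and ETag behaviour so the example runs offline; the real ETag value is opaque, and deriving it from the incident JSON here is only a simulation.

```python
"""Added example (not CyberProof code): optimistic concurrency for
PATCH /incidents/{incident_id} using the ETag from GET as If-Match."""
import hashlib
import json


class FakeIncidentStore:
    """Constructed stand-in for the API's data store. Assumption: the real
    ETag is opaque; here it is derived from the incident's JSON."""

    def __init__(self, incidents):
        self.incidents = {i["id"]: dict(i) for i in incidents}

    def etag(self, inc):
        digest = hashlib.sha256(json.dumps(inc, sort_keys=True).encode()).hexdigest()
        return '"%s"' % digest[:16]

    def get(self, incident_id):
        """GET /incidents/{id} -> (status, incident, response headers)."""
        inc = self.incidents.get(incident_id)
        if inc is None:
            return 404, None, {}
        return 200, dict(inc), {"ETag": self.etag(inc)}

    def patch(self, incident_id, body, headers=None):
        """PATCH /incidents/{id} honouring If-Match as documented above."""
        inc = self.incidents.get(incident_id)
        if inc is None:
            return 404, None, {}
        if inc.get("status") == "Closed":
            return 409, None, {}          # conflicts with the incident's current state
        if_match = (headers or {}).get("If-Match")
        if if_match is not None and if_match != self.etag(inc):
            return 412, None, {}          # someone else wrote since the client's GET
        for field in ("priority", "tags", "company"):
            if field in body:
                inc[field] = body[field]  # tags are replaced wholesale, never merged
        return 200, dict(inc), {"ETag": self.etag(inc)}


def patch_incident_conditionally(store, incident_id, compute_patch, max_attempts=3):
    """GET the incident and its ETag, build the patch from that fresh copy,
    PATCH with If-Match, and start over on 412. Returns
    (updated_incident, new_etag, attempts_used)."""
    for attempt in range(1, max_attempts + 1):
        status, inc, headers = store.get(incident_id)
        if status != 200:
            raise RuntimeError("GET /incidents/%s returned %d" % (incident_id, status))
        body = compute_patch(inc)
        status, updated, headers = store.patch(incident_id, body, {"If-Match": headers["ETag"]})
        if status == 200:
            return updated, headers["ETag"], attempt
        if status != 412:
            raise RuntimeError("PATCH /incidents/%s returned %d" % (incident_id, status))
    raise RuntimeError("still getting 412 after %d attempts" % max_attempts)


def add_tag(tag):
    """Patch builder that merges one tag into the current set, because the
    API replaces the whole tags array with whatever the client sends."""
    return lambda inc: {"tags": sorted(set(inc.get("tags", [])) | {tag})}


def demo_race():
    """Two clients tag the same incident at once. The second writer's stale
    PATCH gets 412, re-reads, and re-applies its change, so no tag is lost."""
    iid = "5a9e19eebdee5a000a8fe060"
    store = FakeIncidentStore([{"id": iid, "status": "Open", "tags": ["Virus"]}])
    raced = {"done": False}

    def our_patch(inc):
        if not raced["done"]:
            # Simulated other client writing between our GET and our PATCH.
            raced["done"] = True
            store.patch(iid, {"tags": ["Cloud-Computing", "Virus"]})
        return add_tag("Phishing")(inc)

    updated, _etag, attempts = patch_incident_conditionally(store, iid, our_patch)
    return updated["tags"], attempts


if __name__ == "__main__":
    print(demo_race())  # all three tags survive; second attempt succeeded
```

Without If-Match the first writer's Cloud-Computing tag would be overwritten by the stale ["Phishing", "Virus"] array. Bound the retry count as above: a 412 loop that never converges usually means another integration is rewriting the incident continuously, which is worth an alert of its own.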
createIncidentMessage
Code samples
curl --request POST \
--url https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/messages \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a' \
--data '{"externalId":"345ffe9a","contentType":"text","content":"Requires further investigation","evidence":{"caption":"Severity changed","reported":"2019-08-24T14:15:22Z","description":"System Admin has changed severity from Low to Medium"}}'
fetch("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/messages", {
"method": "POST",
"headers": {
"Content-Type": "application/json",
"Accept": "application/json",
"X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
},
"body": "{\"externalId\":\"345ffe9a\",\"contentType\":\"text\",\"content\":\"Requires further investigation\",\"evidence\":{\"caption\":\"Severity changed\",\"reported\":\"2019-08-24T14:15:22Z\",\"description\":\"System Admin has changed severity from Low to Medium\"}}"
})
.then(response => {
console.log(response);
})
.catch(err => {
console.error(err);
});
import http.client
conn = http.client.HTTPSConnection("test-api.cyberproof.io")
payload = "{\"externalId\":\"345ffe9a\",\"contentType\":\"text\",\"content\":\"Requires further investigation\",\"evidence\":{\"caption\":\"Severity changed\",\"reported\":\"2019-08-24T14:15:22Z\",\"description\":\"System Admin has changed severity from Low to Medium\"}}"
headers = {
'Content-Type': "application/json",
'Accept': "application/json",
'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("POST", "/api/v1/incidents/5a9e19eebdee5a000a8fe060/messages", payload, headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
package main
import (
"fmt"
"strings"
"net/http"
"io/ioutil"
)
func main() {
url := "https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/messages"
payload := strings.NewReader("{\"externalId\":\"345ffe9a\",\"contentType\":\"text\",\"content\":\"Requires further investigation\",\"evidence\":{\"caption\":\"Severity changed\",\"reported\":\"2019-08-24T14:15:22Z\",\"description\":\"System Admin has changed severity from Low to Medium\"}}")
req, _ := http.NewRequest("POST", url, payload)
req.Header.Add("Content-Type", "application/json")
req.Header.Add("Accept", "application/json")
req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
res, _ := http.DefaultClient.Do(req)
defer res.Body.Close()
body, _ := ioutil.ReadAll(res.Body)
fmt.Println(res)
fmt.Println(string(body))
}
var client = new HttpClient();
var request = new HttpRequestMessage
{
Method = HttpMethod.Post,
RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/messages"),
Headers =
{
{ "Accept", "application/json" },
{ "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
},
Content = new StringContent("{\"externalId\":\"345ffe9a\",\"contentType\":\"text\",\"content\":\"Requires further investigation\",\"evidence\":{\"caption\":\"Severity changed\",\"reported\":\"2019-08-24T14:15:22Z\",\"description\":\"System Admin has changed severity from Low to Medium\"}}")
{
Headers =
{
ContentType = new MediaTypeHeaderValue("application/json")
}
}
};
using (var response = await client.SendAsync(request))
{
response.EnsureSuccessStatusCode();
var body = await response.Content.ReadAsStringAsync();
Console.WriteLine(body);
}
HttpResponse<String> response = Unirest.post("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/messages")
.header("Content-Type", "application/json")
.header("Accept", "application/json")
.header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
.body("{\"externalId\":\"345ffe9a\",\"contentType\":\"text\",\"content\":\"Requires further investigation\",\"evidence\":{\"caption\":\"Severity changed\",\"reported\":\"2019-08-24T14:15:22Z\",\"description\":\"System Admin has changed severity from Low to Medium\"}}")
.asString();
POST /incidents/{incident_id}/messages
Creates a new incident message
Creates a new incident message in CDC.
This operation is idempotent: if the client provides an external id which already exists in CDC, then the operation should succeed with UPSERT semantics.
NOTE: The maximum request size is 512 KB.
Body parameter
{
"externalId": "345ffe9a",
"contentType": "text",
"content": "Requires further investigation",
"evidence": {
"caption": "Severity changed",
"reported": "2019-08-24T14:15:22Z",
"description": "System Admin has changed severity from Low to Medium"
}
}
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
incident_id | path | string | true | The unique ID of the incident |
body | body | object | true | none |
» externalId | body | string | true | The identifier of the message, as it appears in external systems, mostly used to achieve idempotence |
» contentType | body | string | true | The type of the content, currently only 'text' is supported |
» content | body | string | true | The content of the message |
» evidence | body | object | false | When specified, the message is marked as evidence |
»» caption | body | string | true | The caption of the evidence |
»» reported | body | string(date-time) | false | The time when this evidence was supposed to be reported |
»» description | body | string | false | The description of this evidence |
Enumerated Values
Parameter | Value |
---|---|
» contentType | text |
Example responses
201 Response
{
"id": "5e7c6cf54b832e0018f191ad",
"text": "Requires further investigation",
"processedText": "Requires further investigation"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
201 | Created | The message has been created | MessageSummary |
400 | Bad Request | The request is invalid | None |
401 | Unauthorized | Authentication failure | None |
403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
413 | Payload Too Large | The payload sent by the client exceeds the size limits imposed by the server | None |
429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate limiting policy of the server. | None |
500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
503 | Service Unavailable | The server cannot handle the request at the moment | None |
504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
closeIncident
Code samples
curl --request POST \
--url https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/close \
--header 'Content-Type: application/json' \
--header 'If-Match: string' \
--header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a' \
--data '{"closingComment":"Virus removed, performed AntiVirus software update, ensured the AntiVirus detects and quarantines emails with the virus attached"}'
fetch("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/close", {
"method": "POST",
"headers": {
"Content-Type": "application/json",
"If-Match": "string",
"X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
},
"body": "{\"closingComment\":\"Virus removed, performed AntiVirus software update, ensured the AntiVirus detects and quarantines emails with the virus attached\"}"
})
.then(response => {
console.log(response);
})
.catch(err => {
console.error(err);
});
import http.client
conn = http.client.HTTPSConnection("test-api.cyberproof.io")
payload = "{\"closingComment\":\"Virus removed, performed AntiVirus software update, ensured the AntiVirus detects and quarantines emails with the virus attached\"}"
headers = {
'Content-Type': "application/json",
'If-Match': "string",
'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("POST", "/api/v1/incidents/5a9e19eebdee5a000a8fe060/close", payload, headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
package main
import (
"fmt"
"strings"
"net/http"
"io/ioutil"
)
func main() {
url := "https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/close"
payload := strings.NewReader("{\"closingComment\":\"Virus removed, performed AntiVirus software update, ensured the AntiVirus detects and quarantines emails with the virus attached\"}")
req, _ := http.NewRequest("POST", url, payload)
req.Header.Add("Content-Type", "application/json")
req.Header.Add("If-Match", "string")
req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
res, _ := http.DefaultClient.Do(req)
defer res.Body.Close()
body, _ := ioutil.ReadAll(res.Body)
fmt.Println(res)
fmt.Println(string(body))
}
var client = new HttpClient();
var request = new HttpRequestMessage
{
Method = HttpMethod.Post,
RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/close"),
Headers =
{
{ "If-Match", "string" },
{ "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
},
Content = new StringContent("{\"closingComment\":\"Virus removed, performed AntiVirus software update, ensured the AntiVirus detects and quarantines emails with the virus attached\"}")
{
Headers =
{
ContentType = new MediaTypeHeaderValue("application/json")
}
}
};
using (var response = await client.SendAsync(request))
{
response.EnsureSuccessStatusCode();
var body = await response.Content.ReadAsStringAsync();
Console.WriteLine(body);
}
HttpResponse<String> response = Unirest.post("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/close")
.header("Content-Type", "application/json")
.header("If-Match", "string")
.header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
.body("{\"closingComment\":\"Virus removed, performed AntiVirus software update, ensured the AntiVirus detects and quarantines emails with the virus attached\"}")
.asString();
POST /incidents/{incident_id}/close
Closes an incident
A JSON object with details of the incident
Body parameter
{
"closingComment": "Virus removed, performed AntiVirus software update, ensured the AntiVirus detects and quarantines emails with the virus attached"
}
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
If-Match | header | string | false | Enables conditional modification - the resource will be modified only if its current etag matches the value specified in this header, otherwise - 412 "Precondition Failed" will be returned to the client |
incident_id | path | string | true | The unique ID of the incident |
body | body | object | true | none |
» closingComment | body | string | true | The closing comment for this incident |
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
204 | No Content | The incident was closed successfully | None |
400 | Bad Request | The request is invalid | None |
401 | Unauthorized | Authentication failure | None |
403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
404 | Not Found | The requested resource was not found | None |
409 | Conflict | The attempted operation conflicts with the current state of the incident | None |
412 | Precondition Failed | A precondition specified by the client was not met. This occurs if an etag was specified in an If-Match header, which doesn't match the etag found in the underlying data store | None |
429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate limiting policy of the server. | None |
500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
503 | Service Unavailable | The server cannot handle the request at the moment | None |
504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
Response Headers
Status | Header | Type | Format | Description |
---|---|---|---|---|
204 | ETag | string | | Includes an identifier for a specific version of a resource. Commonly used as the basis for conditional gets and conditional updates. |
redirectIncident
Code samples
curl --request POST \
--url https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/redirect \
--header 'Content-Type: application/json' \
--header 'If-Match: string' \
--header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a' \
--data '{"targetGroup":"string","reason":"string"}'
fetch("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/redirect", {
"method": "POST",
"headers": {
"Content-Type": "application/json",
"If-Match": "string",
"X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
},
"body": "{\"targetGroup\":\"string\",\"reason\":\"string\"}"
})
.then(response => {
console.log(response);
})
.catch(err => {
console.error(err);
});
import http.client
conn = http.client.HTTPSConnection("test-api.cyberproof.io")
payload = "{\"targetGroup\":\"string\",\"reason\":\"string\"}"
headers = {
'Content-Type': "application/json",
'If-Match': "string",
'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("POST", "/api/v1/incidents/5a9e19eebdee5a000a8fe060/redirect", payload, headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
package main
import (
"fmt"
"strings"
"net/http"
"io/ioutil"
)
func main() {
url := "https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/redirect"
payload := strings.NewReader("{\"targetGroup\":\"string\",\"reason\":\"string\"}")
req, _ := http.NewRequest("POST", url, payload)
req.Header.Add("Content-Type", "application/json")
req.Header.Add("If-Match", "string")
req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
res, _ := http.DefaultClient.Do(req)
defer res.Body.Close()
body, _ := ioutil.ReadAll(res.Body)
fmt.Println(res)
fmt.Println(string(body))
}
var client = new HttpClient();
var request = new HttpRequestMessage
{
Method = HttpMethod.Post,
RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/redirect"),
Headers =
{
{ "If-Match", "string" },
{ "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
},
Content = new StringContent("{\"targetGroup\":\"string\",\"reason\":\"string\"}")
{
Headers =
{
ContentType = new MediaTypeHeaderValue("application/json")
}
}
};
using (var response = await client.SendAsync(request))
{
response.EnsureSuccessStatusCode();
var body = await response.Content.ReadAsStringAsync();
Console.WriteLine(body);
}
HttpResponse<String> response = Unirest.post("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/redirect")
.header("Content-Type", "application/json")
.header("If-Match", "string")
.header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
.body("{\"targetGroup\":\"string\",\"reason\":\"string\"}")
.asString();
POST /incidents/{incident_id}/redirect
Initiates a redirection
Body parameter
{
"targetGroup": "string",
"reason": "string"
}
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
If-Match | header | string | false | Enables conditional modification - the resource will be modified only if its current etag matches the value specified in this header, otherwise - 412 "Precondition Failed" will be returned to the client |
incident_id | path | string | true | The unique ID of the incident |
body | body | object | true | none |
» targetGroup | body | string | true | The group to which the incident is being redirected |
» reason | body | string | true | A user-provided reason for the redirection |
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
204 | No Content | The redirection has been issued | None |
400 | Bad Request | The request is invalid | None |
401 | Unauthorized | Authentication failure | None |
403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
404 | Not Found | The specified incident was not found | None |
409 | Conflict | The attempted operation conflicts with the current state of the incident | None |
412 | Precondition Failed | A precondition specified by the client was not met. This occurs if an etag was specified in an If-Match header, which doesn't match the etag found in the underlying data store | None |
429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate limiting policy of the server. | None |
500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
503 | Service Unavailable | The server cannot handle the request at the moment | None |
504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
Response Headers
Status | Header | Type | Format | Description |
---|---|---|---|---|
204 | ETag | string | | Includes an identifier for a specific version of a resource. Commonly used as the basis for conditional gets and conditional updates. |
acceptIncidentRedirection
Code samples
curl --request POST \
--url https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/accept \
--header 'If-Match: string' \
--header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a'
fetch("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/accept", {
"method": "POST",
"headers": {
"If-Match": "string",
"X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
}
})
.then(response => {
console.log(response);
})
.catch(err => {
console.error(err);
});
import http.client
conn = http.client.HTTPSConnection("test-api.cyberproof.io")
headers = {
'If-Match': "string",
'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("POST", "/api/v1/incidents/5a9e19eebdee5a000a8fe060/accept", headers=headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
package main
import (
"fmt"
"net/http"
"io/ioutil"
)
func main() {
url := "https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/accept"
req, _ := http.NewRequest("POST", url, nil)
req.Header.Add("If-Match", "string")
req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
res, _ := http.DefaultClient.Do(req)
defer res.Body.Close()
body, _ := ioutil.ReadAll(res.Body)
fmt.Println(res)
fmt.Println(string(body))
}
var client = new HttpClient();
var request = new HttpRequestMessage
{
Method = HttpMethod.Post,
RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/accept"),
Headers =
{
{ "If-Match", "string" },
{ "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
},
};
using (var response = await client.SendAsync(request))
{
response.EnsureSuccessStatusCode();
var body = await response.Content.ReadAsStringAsync();
Console.WriteLine(body);
}
HttpResponse<String> response = Unirest.post("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/accept")
.header("If-Match", "string")
.header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
.asString();
POST /incidents/{incident_id}/accept
Accepts a redirection request
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
If-Match | header | string | false | Enables conditional modification - the resource will be modified only if its current etag matches the value specified in this header, otherwise - 412 "Precondition Failed" will be returned to the client |
incident_id | path | string | true | The unique ID of the incident |
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
204 | No Content | The redirection has been successfully accepted | None |
400 | Bad Request | The request is invalid | None |
401 | Unauthorized | Authentication failure | None |
403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
404 | Not Found | The specified incident was not found | None |
409 | Conflict | There is currently no pending redirection for this incident | None |
412 | Precondition Failed | A precondition specified by the client was not met. This occurs if an etag was specified in an If-Match header, which doesn't match the etag found in the underlying data store | None |
429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate limiting policy of the server. | None |
500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
503 | Service Unavailable | The server cannot handle the request at the moment | None |
504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
Response Headers
Status | Header | Type | Format | Description |
---|---|---|---|---|
204 | ETag | string | | Includes an identifier for a specific version of a resource. Commonly used as the basis for conditional gets and conditional updates. |
queryIncidentAlerts
Code samples
curl --request GET \
--url https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/alerts \
--header 'Accept: application/json' \
--header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a'
fetch("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/alerts", {
"method": "GET",
"headers": {
"Accept": "application/json",
"X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
}
})
.then(response => {
console.log(response);
})
.catch(err => {
console.error(err);
});
import http.client
conn = http.client.HTTPSConnection("test-api.cyberproof.io")
headers = {
'Accept': "application/json",
'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("GET", "/api/v1/incidents/5a9e19eebdee5a000a8fe060/alerts", headers=headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
package main
import (
"fmt"
"net/http"
"io/ioutil"
)
func main() {
url := "https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/alerts"
req, _ := http.NewRequest("GET", url, nil)
req.Header.Add("Accept", "application/json")
req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
res, _ := http.DefaultClient.Do(req)
defer res.Body.Close()
body, _ := ioutil.ReadAll(res.Body)
fmt.Println(res)
fmt.Println(string(body))
}
var client = new HttpClient();
var request = new HttpRequestMessage
{
Method = HttpMethod.Get,
RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/alerts"),
Headers =
{
{ "Accept", "application/json" },
{ "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
},
};
using (var response = await client.SendAsync(request))
{
response.EnsureSuccessStatusCode();
var body = await response.Content.ReadAsStringAsync();
Console.WriteLine(body);
}
HttpResponse<String> response = Unirest.get("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/alerts")
.header("Accept", "application/json")
.header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
.asString();
GET /incidents/{incident_id}/alerts
Returns information about the alerts associated with this incident.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
incident_id | path | string | true | The unique ID of the incident |
marker | query | string(byte) | false | A continuation token, used to retrieve the next results page. |
include | query | array[string] | false | Specifies which additional fields to include in the query results: |
Detailed descriptions
include: Specifies which additional fields to include in the query results:
raw: includes the raw alert data.
company: includes the company field.
url: includes the CDC application URL of the alert.
Enumerated Values
Parameter | Value |
---|---|
include | raw |
include | company |
include | url |
Example responses
200 Response
{
"nextMarker": "string",
"results": [
{
"id": "5e7c6cf54b832e0018f191ad",
"source": "QRadar",
"sourceId": 296,
"score": 33.2,
"name": "Windows - Multiple failed logins same user same host",
"description": "Customer Name - AcmeCo\nAlert Name - Windows - Multiple failed logins same user same host\nDevice Vendor - Microsoft\nDevice Product - Microsoft Windows\nDevice Event Class Id - rule:105\n",
"severity": "Medium",
"created": "2019-08-24T14:15:22Z",
"modified": "2019-08-24T14:15:22Z",
"detected": "2019-08-24T14:15:22Z",
"status": "In Incident",
"sourceUrl": "https://192.168.41.164/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=296",
"company": "ACME Europe",
"useCase": "UC216 - EPP - Persistent Malware",
"cdcUrl": "https://acme.cyberproof.io/home/alerts/alert/5e7c6cf54b832e0018f191ad",
"tags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"categories": [
"Ransomware",
"Phishing"
],
"detectionRule": "WRONG_PASSWORD_3_ATTEMPTS",
"killChain": [
"Reconnaissance",
"Weaponization",
"Delivery"
],
"raw": {
"attributeInitializationInProgress": false,
"createdTime": {
"day": {
"numberInt": "18"
},
"hour": {
"numberInt": "16"
},
"milliSecond": {
"numberInt": "711"
},
"minute": {
"numberInt": "10"
},
"month": {
"numberInt": "6"
},
"second": {
"numberInt": "47"
},
"timezoneID": "Israel",
"year": {
"numberInt": "2017"
}
},
"createdTimestamp": {
"numberDouble": "1500383447711"
},
"deprecated": false,
"description": "ACME",
"disabled": false,
"inCache": true,
"inactive": false,
"initialized": true,
"isAdditionalLoaded": false,
"localID": {
"numberDouble": "30064798760"
},
"modificationCount": {
"numberInt": "1"
}
}
}
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | success | IncidentAlertsQueryResults |
400 | Bad Request | The request is invalid | None |
401 | Unauthorized | Authentication failure | None |
403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
404 | Not Found | The requested resource was not found | None |
413 | Payload Too Large | The payload sent by the client exceeds the size limits imposed by the server | None |
429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate limiting policy of the server. | None |
500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
503 | Service Unavailable | The server cannot handle the request at the moment | None |
504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
queryIncidentAlertIds
Code samples
curl --request GET \
--url https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/alert-ids \
--header 'Accept: application/json' \
--header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a'
fetch("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/alert-ids", {
"method": "GET",
"headers": {
"Accept": "application/json",
"X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
}
})
.then(response => {
console.log(response);
})
.catch(err => {
console.error(err);
});
import http.client
conn = http.client.HTTPSConnection("test-api.cyberproof.io")
headers = {
'Accept': "application/json",
'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("GET", "/api/v1/incidents/5a9e19eebdee5a000a8fe060/alert-ids", headers=headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
package main
import (
"fmt"
"net/http"
"io/ioutil"
)
func main() {
url := "https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/alert-ids"
req, _ := http.NewRequest("GET", url, nil)
req.Header.Add("Accept", "application/json")
req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
res, _ := http.DefaultClient.Do(req)
defer res.Body.Close()
body, _ := ioutil.ReadAll(res.Body)
fmt.Println(res)
fmt.Println(string(body))
}
var client = new HttpClient();
var request = new HttpRequestMessage
{
Method = HttpMethod.Get,
RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/alert-ids"),
Headers =
{
{ "Accept", "application/json" },
{ "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
},
};
using (var response = await client.SendAsync(request))
{
response.EnsureSuccessStatusCode();
var body = await response.Content.ReadAsStringAsync();
Console.WriteLine(body);
}
HttpResponse<String> response = Unirest.get("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/alert-ids")
.header("Accept", "application/json")
.header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
.asString();
GET /incidents/{incident_id}/alert-ids
Returns the IDs of the alerts associated with this incident.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
incident_id | path | string | true | The unique ID of the incident |
marker | query | string(byte) | false | A continuation token, used to retrieve the next results page. |
Example responses
200 Response
{
"nextMarker": "string",
"results": [
"string"
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | success | Inline |
400 | Bad Request | The request is invalid | None |
401 | Unauthorized | Authentication failure | None |
403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
404 | Not Found | The requested resource was not found | None |
429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate limiting policy of the server. | None |
500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
503 | Service Unavailable | The server cannot handle the request at the moment | None |
504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
Response Schema
Status Code 200
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
» nextMarker | string(byte) | false | none | A continuation token; empty if there are no further results |
» results | [string] | true | none | The alert IDs associated with this incident |
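An added example in Python (not CyberProof's own client code) that puts the behaviours documented for the close, alerts and alert-ids endpoints above into one small client: following marker/nextMarker until the marker is empty, closing an incident conditionally with If-Match and telling a 412 (stale etag) from a 409 (state conflict), and backing off on 429. The host, API key, back-off schedule, repeated-key encoding of the `include` array and the offline `fake_transport` are assumptions; `https_transport` is the piece that talks to the real API.

```python
import http.client
import json
import time
import urllib.parse

# Transport contract: send(method, path, headers, body) -> (status, lower-cased headers, body bytes).


class ApiError(Exception):  # .status lets callers tell 412 (stale etag) from 409 (state)
    def __init__(self, status, what):
        super().__init__(f"{what} -> HTTP {status}")
        self.status = status


def https_transport(host, api_key):
    """Real transport over http.client (as in the page's Python samples), using X-API-KEY."""
    def send(method, path, headers, body):
        conn = http.client.HTTPSConnection(host)
        conn.request(method, path, body=body,
                     headers={"X-API-KEY": api_key, "Accept": "application/json", **headers})
        res = conn.getresponse()
        return res.status, {k.lower(): v for k, v in res.getheaders()}, res.read()
    return send


def send_with_backoff(send, method, path, headers=None, body=None,
                      retries=3, base_delay=0.5, sleep=time.sleep):
    """Retry on 429 only; the exponential delay schedule is an assumption (page: back off and retry)."""
    for attempt in range(retries + 1):
        status, resp_headers, resp_body = send(method, path, headers or {}, body)
        if status != 429:
            return status, resp_headers, resp_body
        if attempt < retries:
            sleep(base_delay * 2 ** attempt)
    raise ApiError(429, f"{method} {path} after {retries} retries")


def iter_pages(send, path, query=None, sleep=time.sleep):
    """Yield every page of a marker-paginated query, following nextMarker until it is empty.
    List-valued params such as include=[raw, url] go out as repeated keys (an assumption)."""
    marker = ""
    while True:
        params = [(k, v) for k, vs in (query or {}).items()
                  for v in (vs if isinstance(vs, (list, tuple)) else [vs])]
        if marker:
            params.append(("marker", marker))
        url = path + ("?" + urllib.parse.urlencode(params) if params else "")
        status, _, body = send_with_backoff(send, "GET", url, sleep=sleep)
        if status != 200:
            raise ApiError(status, f"GET {url}")
        page = json.loads(body)
        yield page
        marker = page.get("nextMarker") or ""  # "Empty if there are no further results"
        if not marker:
            return


def close_incident(send, incident_id, comment, etag=None, sleep=time.sleep):
    """POST /incidents/{id}/close. With an etag the close is conditional: 412 means another
    writer changed it first, so refetch rather than retry blindly. Returns the 204 ETag header."""
    headers = {"Content-Type": "application/json"}
    if etag is not None:
        headers["If-Match"] = etag
    body = json.dumps({"closingComment": comment}).encode("utf-8")
    status, resp_headers, _ = send_with_backoff(
        send, "POST", f"/api/v1/incidents/{incident_id}/close", headers, body, sleep=sleep)
    if status != 204:
        raise ApiError(status, f"close {incident_id}")  # 412 stale etag, 409 state conflict
    return resp_headers.get("etag", "")


def fake_transport():
    """Constructed offline stand-in (not a real server): two pages of alert IDs, one 429
    before the first page, and one open incident whose current etag is "v2"."""
    pages = {"": {"nextMarker": "pg2", "results": ["a1", "a2"]},
             "pg2": {"nextMarker": "", "results": ["a3"]}}
    state = {"throttle_left": 1, "etag": "v2", "closed": False}

    def send(method, path, headers, body):
        if method == "GET":
            if state["throttle_left"]:
                state["throttle_left"] -= 1
                return 429, {}, b""
            query = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(path).query))
            return 200, {}, json.dumps(pages[query.get("marker", "")]).encode()
        if headers.get("If-Match") not in (None, state["etag"]):
            return 412, {}, b""
        if state["closed"]:
            return 409, {}, b""  # closing an already-closed incident conflicts with its state
        state.update(closed=True, etag="v3")
        return 204, {"etag": "v3"}, b""
    return send


def demo():
    """Page through the alert IDs (absorbing the 429), then close with a stale etag (412), the current one (204), and again (409)."""
    send, out, incident = fake_transport(), {}, "5a9e19eebdee5a000a8fe060"
    pages = iter_pages(send, f"/api/v1/incidents/{incident}/alert-ids", sleep=lambda _: None)
    out["alert_ids"] = [alert_id for page in pages for alert_id in page["results"]]
    for label, etag in (("stale", "v1"), ("current", "v2"), ("repeat", "v3")):
        try:
            out[label] = close_incident(send, incident, "Virus removed", etag)
        except ApiError as err:
            out[label] = err.status
    return out
```

Against the live API, replace `fake_transport()` with `https_transport("<tenant>.api.cyberproof.io", "<api key>")` and keep the rest unchanged.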
queryIncidentObservables
Code samples
curl --request GET \
--url https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/observables \
--header 'Accept: application/json' \
--header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a'
fetch("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/observables", {
"method": "GET",
"headers": {
"Accept": "application/json",
"X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
}
})
.then(response => {
console.log(response);
})
.catch(err => {
console.error(err);
});
import http.client
conn = http.client.HTTPSConnection("test-api.cyberproof.io")
headers = {
'Accept': "application/json",
'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("GET", "/api/v1/incidents/5a9e19eebdee5a000a8fe060/observables", headers=headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
package main
import (
"fmt"
"net/http"
"io/ioutil"
)
func main() {
url := "https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/observables"
req, _ := http.NewRequest("GET", url, nil)
req.Header.Add("Accept", "application/json")
req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
res, _ := http.DefaultClient.Do(req)
defer res.Body.Close()
body, _ := ioutil.ReadAll(res.Body)
fmt.Println(res)
fmt.Println(string(body))
}
var client = new HttpClient();
var request = new HttpRequestMessage
{
Method = HttpMethod.Get,
RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/observables"),
Headers =
{
{ "Accept", "application/json" },
{ "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
},
};
using (var response = await client.SendAsync(request))
{
response.EnsureSuccessStatusCode();
var body = await response.Content.ReadAsStringAsync();
Console.WriteLine(body);
}
HttpResponse<String> response = Unirest.get("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/observables")
.header("Accept", "application/json")
.header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
.asString();
GET /incidents/{incident_id}/observables
Returns information about the observables associated with this incident.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
incident_id | path | string | true | The unique ID of the incident |
marker | query | string(byte) | false | A continuation token, used to retrieve the next results page. |
Example responses
200 Response
{
"nextMarker": "string",
"results": [
{
"id": "5e13b88122c957000787db06",
"type": "IPv4 Address",
"value": "192.168.40.45",
"created": "2019-08-24T14:15:22Z",
"updated": "2019-08-24T14:15:22Z",
"suspiciousRate": 3.2,
"tags": [
"Critical-Infrastructure"
],
"enrichments": [
{
"id": "5e13b88122c957000787db06",
"name": "VirusTotal",
"reported": "2019-08-24T14:15:22Z",
"suspiciousRate": 3.2
}
]
}
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | success | IncidentObservablesQueryResults |
400 | Bad Request | The request is invalid | None |
401 | Unauthorized | Authentication failure | None |
403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
404 | Not Found | The requested resource was not found | None |
413 | Payload Too Large | The payload sent by the client exceeds the size limits imposed by the server | None |
429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate limiting policy of the server. | None |
500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
503 | Service Unavailable | The server cannot handle the request at the moment | None |
504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
createIncidentObservable
Code samples
curl --request POST \
--url https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/observables \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a' \
--data '{"type":"IPv4 Address","value":"192.168.40.45","tags":["Critical-Infrastructure"]}'
fetch("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/observables", {
"method": "POST",
"headers": {
"Content-Type": "application/json",
"Accept": "application/json",
"X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
},
"body": "{\"type\":\"IPv4 Address\",\"value\":\"192.168.40.45\",\"tags\":[\"Critical-Infrastructure\"]}"
})
.then(response => {
console.log(response);
})
.catch(err => {
console.error(err);
});
import http.client
conn = http.client.HTTPSConnection("test-api.cyberproof.io")
payload = "{\"type\":\"IPv4 Address\",\"value\":\"192.168.40.45\",\"tags\":[\"Critical-Infrastructure\"]}"
headers = {
'Content-Type': "application/json",
'Accept': "application/json",
'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("POST", "/api/v1/incidents/5a9e19eebdee5a000a8fe060/observables", payload, headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
package main
import (
"fmt"
"strings"
"net/http"
"io/ioutil"
)
func main() {
url := "https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/observables"
payload := strings.NewReader("{\"type\":\"IPv4 Address\",\"value\":\"192.168.40.45\",\"tags\":[\"Critical-Infrastructure\"]}")
req, _ := http.NewRequest("POST", url, payload)
req.Header.Add("Content-Type", "application/json")
req.Header.Add("Accept", "application/json")
req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
res, _ := http.DefaultClient.Do(req)
defer res.Body.Close()
body, _ := ioutil.ReadAll(res.Body)
fmt.Println(res)
fmt.Println(string(body))
}
var client = new HttpClient();
var request = new HttpRequestMessage
{
Method = HttpMethod.Post,
RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/observables"),
Headers =
{
{ "Accept", "application/json" },
{ "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
},
Content = new StringContent("{\"type\":\"IPv4 Address\",\"value\":\"192.168.40.45\",\"tags\":[\"Critical-Infrastructure\"]}")
{
Headers =
{
ContentType = new MediaTypeHeaderValue("application/json")
}
}
};
using (var response = await client.SendAsync(request))
{
response.EnsureSuccessStatusCode();
var body = await response.Content.ReadAsStringAsync();
Console.WriteLine(body);
}
HttpResponse<String> response = Unirest.post("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/observables")
.header("Content-Type", "application/json")
.header("Accept", "application/json")
.header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
.body("{\"type\":\"IPv4 Address\",\"value\":\"192.168.40.45\",\"tags\":[\"Critical-Infrastructure\"]}")
.asString();
POST /incidents/{incident_id}/observables
Creates a new incident observable
Creates a new incident observable in CDC
This operation is idempotent: if the client provides a type and value which already exist in CDC, then the operation should succeed with UPSERT semantics.
NOTE: The maximum request size is 100 KB.
Body parameter
{
"type": "IPv4 Address",
"value": "192.168.40.45",
"tags": [
"Critical-Infrastructure"
]
}
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
incident_id | path | string | true | The unique ID of the incident |
body | body | object | true | none |
» type | body | string | true | The type of the observable |
» value | body | string | true | The value of the observable |
» tags | body | [string] | false | Array of tags. A tag's name should be a single word and cannot include spaces |
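An added example in Python (not CyberProof's own code) that enforces this endpoint's documented constraints on the client side, so a malformed body is caught before it earns a 400 or 413, and collapses a batch of observables by (type, value) because the operation is documented as an idempotent upsert on that pair. Function names are assumptions.

```python
import json

MAX_REQUEST_BYTES = 100 * 1024  # the page: "The maximum request size is 100 KB"


def encode_observable(obs_type, value, tags=()):
    """UTF-8 JSON body in the documented shape; tags are omitted when empty (the field is optional)."""
    payload = {"type": obs_type, "value": value}
    if tags:
        payload["tags"] = list(dict.fromkeys(tags))  # drop duplicate tags, keep order
    return json.dumps(payload).encode("utf-8")


def observable_problems(obs_type, value, tags=()):
    """Return the reasons a POST /incidents/{id}/observables body would be rejected
    (an empty list means it is acceptable), built from the constraints stated on the page."""
    problems = []
    if not isinstance(obs_type, str) or not obs_type.strip():
        problems.append("type is required")
    if not isinstance(value, str) or not value.strip():
        problems.append("value is required")
    for tag in tags:
        # "A tag's name should be a single word and cannot include spaces"
        if not isinstance(tag, str) or not tag or any(c.isspace() for c in tag):
            problems.append(f"tag {tag!r} is not a single word")
    if not problems and len(encode_observable(obs_type, value, tags)) > MAX_REQUEST_BYTES:
        problems.append("body exceeds the 100 KB request limit (server would answer 413)")
    return problems


def dedupe_observables(observables):
    """The endpoint upserts on (type, value), so posting the same pair twice is harmless but
    wasteful; collapse a batch by that key client-side and merge the tags of the duplicates."""
    merged = {}
    for obs in observables:
        entry = merged.setdefault((obs["type"], obs["value"]),
                                  {"type": obs["type"], "value": obs["value"], "tags": []})
        for tag in obs.get("tags", []):
            if tag not in entry["tags"]:
                entry["tags"].append(tag)
    return list(merged.values())
```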
Example responses
201 Response
{
"id": "5e13b88122c957000787db06",
"type": "IPv4 Address",
"value": "192.168.40.45",
"created": "2019-08-24T14:15:22Z",
"updated": "2019-08-24T14:15:22Z",
"suspiciousRate": 3.2,
"tags": [
"Critical-Infrastructure"
],
"enrichments": [
{
"id": "5e13b88122c957000787db06",
"name": "VirusTotal",
"reported": "2019-08-24T14:15:22Z",
"suspiciousRate": 3.2
}
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
201 | Created | The observable has been created | ObservableSummary |
400 | Bad Request | The request is invalid | None |
401 | Unauthorized | Authentication failure | None |
403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
413 | Payload Too Large | The payload sent by the client exceeds the size limits imposed by the server | None |
429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate limiting policy of the server. | None |
500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
503 | Service Unavailable | The server cannot handle the request at the moment | None |
504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
queryIncidentEvidence
Code samples
curl --request GET \
--url https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/evidence \
--header 'Accept: application/json' \
--header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a'
fetch("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/evidence", {
"method": "GET",
"headers": {
"Accept": "application/json",
"X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
}
})
.then(response => {
console.log(response);
})
.catch(err => {
console.error(err);
});
import http.client
conn = http.client.HTTPSConnection("test-api.cyberproof.io")
headers = {
'Accept': "application/json",
'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("GET", "/api/v1/incidents/5a9e19eebdee5a000a8fe060/evidence", headers=headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
package main

import (
	"fmt"
	"io"
	"log"
	"net/http"
)

func main() {
	url := "https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/evidence"
	req, err := http.NewRequest("GET", url, nil)
	if err != nil {
		log.Fatal(err)
	}
	req.Header.Add("Accept", "application/json")
	req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
	res, err := http.DefaultClient.Do(req)
	if err != nil {
		// Without this check a transport error leaves res nil and res.Body.Close() panics.
		log.Fatal(err)
	}
	defer res.Body.Close()
	body, err := io.ReadAll(res.Body)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(res.Status)
	fmt.Println(string(body))
}
var client = new HttpClient();
var request = new HttpRequestMessage
{
Method = HttpMethod.Get,
RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/evidence"),
Headers =
{
{ "Accept", "application/json" },
{ "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
},
};
using (var response = await client.SendAsync(request))
{
response.EnsureSuccessStatusCode();
var body = await response.Content.ReadAsStringAsync();
Console.WriteLine(body);
}
HttpResponse<String> response = Unirest.get("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/evidence")
.header("Accept", "application/json")
.header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
.asString();
GET /incidents/{incident_id}/evidence
Returns information about the evidence associated with this incident.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
incident_id | path | string | true | The unique ID of the incident |
marker | query | string(byte) | false | A continuation token, used to retrieve the next results page. |
Example responses
200 Response
{
"nextMarker": "string",
"results": [
{
"id": "5aa4d8fcbdee5a000a911882",
"type": "string",
"caption": "Severity changed",
"reported": "2019-08-24T14:15:22Z",
"created": "2019-08-24T14:15:22Z",
"description": "System Admin has changed severity from Low to Medium",
"messageCdcUrl": "https://acme.cyberproof.io/home/incidents/5ea71bb363f6c6001707663b/evidence/5ea71bb363f6c6001707254a"
}
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | success | IncidentEvidenceQueryResults |
400 | Bad Request | The request is invalid | None |
401 | Unauthorized | Authentication failure | None |
403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
404 | Not Found | The requested resource was not found | None |
413 | Payload Too Large | The payload sent by the client exceeds the size limits imposed by the server | None |
429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate limiting policy of the server. | None |
500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
503 | Service Unavailable | The server cannot handle the request at the moment | None |
504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
observables
Observables APIs
getObservable
Code samples
curl --request GET \
--url 'https://test-api.cyberproof.io/api/v1/observables?observable_type=IPv4%20Address&observable_value=192.168.40.45' \
--header 'Accept: application/json' \
--header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a'
fetch("https://test-api.cyberproof.io/api/v1/observables?observable_type=IPv4%20Address&observable_value=192.168.40.45", {
"method": "GET",
"headers": {
"Accept": "application/json",
"X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
}
})
.then(response => {
console.log(response);
})
.catch(err => {
console.error(err);
});
import http.client
conn = http.client.HTTPSConnection("test-api.cyberproof.io")
headers = {
'Accept': "application/json",
'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("GET", "/api/v1/observables?observable_type=IPv4%20Address&observable_value=192.168.40.45", headers=headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
package main

import (
	"fmt"
	"io"
	"log"
	"net/http"
)

func main() {
	url := "https://test-api.cyberproof.io/api/v1/observables?observable_type=IPv4%20Address&observable_value=192.168.40.45"
	req, err := http.NewRequest("GET", url, nil)
	if err != nil {
		log.Fatal(err)
	}
	req.Header.Add("Accept", "application/json")
	req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
	res, err := http.DefaultClient.Do(req)
	if err != nil {
		// Without this check a transport error leaves res nil and res.Body.Close() panics.
		log.Fatal(err)
	}
	defer res.Body.Close()
	body, err := io.ReadAll(res.Body)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(res.Status)
	fmt.Println(string(body))
}
var client = new HttpClient();
var request = new HttpRequestMessage
{
Method = HttpMethod.Get,
RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/observables?observable_type=IPv4%20Address&observable_value=192.168.40.45"),
Headers =
{
{ "Accept", "application/json" },
{ "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
},
};
using (var response = await client.SendAsync(request))
{
response.EnsureSuccessStatusCode();
var body = await response.Content.ReadAsStringAsync();
Console.WriteLine(body);
}
HttpResponse<String> response = Unirest.get("https://test-api.cyberproof.io/api/v1/observables?observable_type=IPv4%20Address&observable_value=192.168.40.45")
.header("Accept", "application/json")
.header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
.asString();
GET /observables
Gets the specified observable based on its type and value.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
observable_type | query | string | true | The type of the observable |
observable_value | query | string | true | The value of the observable |
Example responses
200 Response
{
"id": "5e13b88122c957000787db06",
"type": "IPv4 Address",
"value": "192.168.40.45",
"created": "2019-08-24T14:15:22Z",
"updated": "2019-08-24T14:15:22Z",
"suspiciousRate": 3.2,
"tags": [
"Critical-Infrastructure"
],
"enrichments": [
{
"id": "5e13b88122c957000787db06",
"name": "VirusTotal",
"reported": "2019-08-24T14:15:22Z",
"suspiciousRate": 3.2
}
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | A JSON object containing the observable | ObservableSummary |
400 | Bad Request | The request is invalid | None |
401 | Unauthorized | Authentication failure | None |
403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
404 | Not Found | The requested resource was not found | None |
429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate limiting policy of the server. | None |
500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
503 | Service Unavailable | The server cannot handle the request at the moment | None |
504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
queryObservableAlertIds
Code samples
curl --request GET \
--url 'https://test-api.cyberproof.io/api/v1/observables/alert-ids?observable_type=IPv4%20Address&observable_value=192.168.40.45' \
--header 'Accept: application/json' \
--header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a'
fetch("https://test-api.cyberproof.io/api/v1/observables/alert-ids?observable_type=IPv4%20Address&observable_value=192.168.40.45", {
"method": "GET",
"headers": {
"Accept": "application/json",
"X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
}
})
.then(response => {
console.log(response);
})
.catch(err => {
console.error(err);
});
import http.client
conn = http.client.HTTPSConnection("test-api.cyberproof.io")
headers = {
'Accept': "application/json",
'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("GET", "/api/v1/observables/alert-ids?observable_type=IPv4%20Address&observable_value=192.168.40.45", headers=headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
package main

import (
	"fmt"
	"io"
	"log"
	"net/http"
)

func main() {
	url := "https://test-api.cyberproof.io/api/v1/observables/alert-ids?observable_type=IPv4%20Address&observable_value=192.168.40.45"
	req, err := http.NewRequest("GET", url, nil)
	if err != nil {
		log.Fatal(err)
	}
	req.Header.Add("Accept", "application/json")
	req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
	res, err := http.DefaultClient.Do(req)
	if err != nil {
		// Without this check a transport error leaves res nil and res.Body.Close() panics.
		log.Fatal(err)
	}
	defer res.Body.Close()
	body, err := io.ReadAll(res.Body)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(res.Status)
	fmt.Println(string(body))
}
var client = new HttpClient();
var request = new HttpRequestMessage
{
Method = HttpMethod.Get,
RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/observables/alert-ids?observable_type=IPv4%20Address&observable_value=192.168.40.45"),
Headers =
{
{ "Accept", "application/json" },
{ "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
},
};
using (var response = await client.SendAsync(request))
{
response.EnsureSuccessStatusCode();
var body = await response.Content.ReadAsStringAsync();
Console.WriteLine(body);
}
HttpResponse<String> response = Unirest.get("https://test-api.cyberproof.io/api/v1/observables/alert-ids?observable_type=IPv4%20Address&observable_value=192.168.40.45")
.header("Accept", "application/json")
.header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
.asString();
GET /observables/alert-ids
Queries alert IDs associated with the observable.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
observable_type | query | string | true | The type of the observable |
observable_value | query | string | true | The value of the observable |
marker | query | string(byte) | false | A continuation token, used to retrieve the next results page. |
Example responses
200 Response
{
"nextMarker": "string",
"results": [
"string"
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | A JSON object containing the results and additional information | Inline |
400 | Bad Request | The request is invalid | None |
401 | Unauthorized | Authentication failure | None |
403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
404 | Not Found | The requested resource was not found | None |
429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate limiting policy of the server. | None |
500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
503 | Service Unavailable | The server cannot handle the request at the moment | None |
504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
Response Schema
Status Code 200
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
» nextMarker | string(byte) | false | none | a continuation token. Empty if there are no further results |
» results | [string] | true | none | alert IDs associated with this observable |
queryObservableIncidentIds
Code samples
curl --request GET \
--url 'https://test-api.cyberproof.io/api/v1/observables/incident-ids?observable_type=IPv4%20Address&observable_value=192.168.40.45' \
--header 'Accept: application/json' \
--header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a'
fetch("https://test-api.cyberproof.io/api/v1/observables/incident-ids?observable_type=IPv4%20Address&observable_value=192.168.40.45", {
"method": "GET",
"headers": {
"Accept": "application/json",
"X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
}
})
.then(response => {
console.log(response);
})
.catch(err => {
console.error(err);
});
import http.client
conn = http.client.HTTPSConnection("test-api.cyberproof.io")
headers = {
'Accept': "application/json",
'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("GET", "/api/v1/observables/incident-ids?observable_type=IPv4%20Address&observable_value=192.168.40.45", headers=headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
package main

import (
	"fmt"
	"io"
	"log"
	"net/http"
)

func main() {
	url := "https://test-api.cyberproof.io/api/v1/observables/incident-ids?observable_type=IPv4%20Address&observable_value=192.168.40.45"
	req, err := http.NewRequest("GET", url, nil)
	if err != nil {
		log.Fatal(err)
	}
	req.Header.Add("Accept", "application/json")
	req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
	res, err := http.DefaultClient.Do(req)
	if err != nil {
		// Without this check a transport error leaves res nil and res.Body.Close() panics.
		log.Fatal(err)
	}
	defer res.Body.Close()
	body, err := io.ReadAll(res.Body)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(res.Status)
	fmt.Println(string(body))
}
var client = new HttpClient();
var request = new HttpRequestMessage
{
Method = HttpMethod.Get,
RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/observables/incident-ids?observable_type=IPv4%20Address&observable_value=192.168.40.45"),
Headers =
{
{ "Accept", "application/json" },
{ "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
},
};
using (var response = await client.SendAsync(request))
{
response.EnsureSuccessStatusCode();
var body = await response.Content.ReadAsStringAsync();
Console.WriteLine(body);
}
HttpResponse<String> response = Unirest.get("https://test-api.cyberproof.io/api/v1/observables/incident-ids?observable_type=IPv4%20Address&observable_value=192.168.40.45")
.header("Accept", "application/json")
.header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
.asString();
GET /observables/incident-ids
Queries incident IDs associated with the observable.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
observable_type | query | string | true | The type of the observable |
observable_value | query | string | true | The value of the observable |
marker | query | string(byte) | false | A continuation token, used to retrieve the next results page. |
Example responses
200 Response
{
"nextMarker": "string",
"results": [
"string"
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | A JSON object containing the results and additional information | Inline |
400 | Bad Request | The request is invalid | None |
401 | Unauthorized | Authentication failure | None |
403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
404 | Not Found | The requested resource was not found | None |
429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate limiting policy of the server. | None |
500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
503 | Service Unavailable | The server cannot handle the request at the moment | None |
504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
Response Schema
Status Code 200
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
» nextMarker | string(byte) | false | none | a continuation token. Empty if there are no further results |
» results | [string] | true | none | incident IDs associated with this observable |
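The evidence, alert-ids and incident-ids endpoints above all page the same way: pass no marker on the first call, then send back the nextMarker from each response until it comes back empty, and treat a 429 as a signal to back off rather than an error. The following client, an added example rather than code from the CyberProof page or SDK, does exactly that against GET /observables/alert-ids. The transport is injected, so the loop runs unchanged over http.client (as in the page's Python samples) or over the constructed FakeTransport used here to run offline. The API key value, the pages and IDs served by the fake, and honouring a Retry-After header on 429 are assumptions made for the illustration. The key is sent in the X-API-KEY header rather than the apiKey query parameter so it does not land in proxy and server access logs along with the URL.

```python
"""Walk a marker-paginated CyberProof endpoint and collect every result."""
import http.client
import json
import time
from urllib.parse import parse_qs, quote, urlencode, urlsplit

BASE = "https://test-api.cyberproof.io/api/v1"
API_KEY = "30c050f7fdfe466b9442570ae77dbc8a"   # sample key from the page; load a real one from a secret store
MAX_ATTEMPTS = 5


def build_url(path, params):
    # quote_via=quote encodes a space as %20 (the page's own form), not as '+'.
    return f"{BASE}{path}?{urlencode(params, quote_via=quote)}"


def iterate_results(transport, path, params, api_key=API_KEY):
    """Yield every element of 'results', following nextMarker until it is empty."""
    headers = {"Accept": "application/json", "X-API-KEY": api_key}
    marker = ""
    while True:
        query = dict(params, marker=marker) if marker else dict(params)
        url = build_url(path, query)
        for attempt in range(MAX_ATTEMPTS):
            status, resp_headers, body = transport.get(url, headers)
            if status != 429:
                break
            # Throttled: honour Retry-After if the server sends it (assumed), else back off exponentially.
            transport.sleep(float(resp_headers.get("retry-after", 2 ** attempt)))
        else:
            raise RuntimeError(f"still throttled after {MAX_ATTEMPTS} attempts: {url}")
        if status != 200:
            raise RuntimeError(f"HTTP {status} for {url}: {body[:200]}")
        page = json.loads(body)
        yield from page["results"]
        marker = page.get("nextMarker") or ""
        if not marker:
            return


def alert_ids_for_observable(transport, observable_type, observable_value, api_key=API_KEY):
    """All alert IDs associated with one observable (GET /observables/alert-ids)."""
    params = {"observable_type": observable_type, "observable_value": observable_value}
    return list(iterate_results(transport, "/observables/alert-ids", params, api_key))


class HttpClientTransport:
    """Real transport built on http.client, like the page's Python samples."""

    def get(self, url, headers):
        parts = urlsplit(url)
        conn = http.client.HTTPSConnection(parts.netloc)
        conn.request("GET", f"{parts.path}?{parts.query}", headers=headers)
        res = conn.getresponse()
        body = res.read().decode("utf-8")
        conn.close()
        return res.status, {k.lower(): v for k, v in res.getheaders()}, body

    def sleep(self, seconds):
        time.sleep(seconds)


class FakeTransport:
    """Constructed stand-in: three pages of alert IDs for 192.168.40.45, plus one 429."""
    PAGES = {   # marker -> (results, nextMarker); values are made up for this example
        "": (["5e7c6cf54b832e0018f191ad", "5e7c6cf54b832e0018f191ae"], "bTE="),
        "bTE=": (["5e7c6cf54b832e0018f191af"], "bTI="),
        "bTI=": (["5e7c6cf54b832e0018f191b0"], ""),
    }

    def __init__(self):
        self.calls, self.slept, self.throttled_once = [], [], False

    def sleep(self, seconds):
        self.slept.append(seconds)

    def get(self, url, headers):
        self.calls.append(url)
        if headers.get("X-API-KEY") != API_KEY:
            return 401, {}, '{"message": "Authentication failure"}'
        if not self.throttled_once:
            self.throttled_once = True
            return 429, {"retry-after": "1"}, ""
        qs = parse_qs(urlsplit(url).query)          # parse_qs turns %20 back into a space
        if qs.get("observable_type") != ["IPv4 Address"]:
            return 404, {}, '{"message": "The requested resource was not found"}'
        results, next_marker = self.PAGES[qs.get("marker", [""])[0]]
        return 200, {}, json.dumps({"nextMarker": next_marker, "results": results})


if __name__ == "__main__":
    fake = FakeTransport()
    print(alert_ids_for_observable(fake, "IPv4 Address", "192.168.40.45"))
    print(f"{len(fake.calls)} requests, backed off for {fake.slept} seconds")
```

Swap FakeTransport for HttpClientTransport to run it against a tenant. The marker is opaque (the schema only says string(byte)), so the loop never inspects or constructs it, and the terminating condition is an empty or absent nextMarker, as the response schema states.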
Schemas
AlertSummary
{
"id": "5e7c6cf54b832e0018f191ad",
"source": "QRadar",
"sourceId": 296,
"score": 33.2,
"name": "Windows - Multiple failed logins same user same host",
"description": "Customer Name - AcmeCo\nAlert Name - Windows - Multiple failed logins same user same host\nDevice Vendor - Microsoft\nDevice Product - Microsoft Windows\nDevice Event Class Id - rule:105\n",
"severity": "Medium",
"created": "2019-08-24T14:15:22Z",
"modified": "2019-08-24T14:15:22Z",
"detected": "2019-08-24T14:15:22Z",
"status": "In Incident",
"sourceUrl": "https://192.168.41.164/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=296",
"company": "ACME Europe",
"useCase": "UC216 - EPP - Persistent Malware",
"cdcUrl": "https://acme.cyberproof.io/home/alerts/alert/5e7c6cf54b832e0018f191ad",
"tags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"categories": [
"Ransomware",
"Phishing"
],
"detectionRule": "WRONG_PASSWORD_3_ATTEMPTS",
"killChain": [
"Reconnaissance",
"Weaponization",
"Delivery"
]
}
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
id | string | true | none | A unique, machine-oriented ID identifying this alert. |
source | string | true | none | The name of the source system |
sourceId | string | true | none | The ID of the alert in the source system |
score | number(double) | false | none | The score of the alert |
name | string | true | none | The name of the alert |
description | string | true | none | The description of the alert |
severity | string | true | none | The severity of the alert |
created | string(date-time) | true | none | Alert creation timestamp |
modified | string(date-time) | true | none | Last modification timestamp |
detected | string(date-time) | true | none | Alert detection timestamp |
status | string | true | none | Alert status |
sourceUrl | string(uri) | true | none | A URI of this alert pointing to the source system |
company | string | false | none | The company with which the alert is associated |
useCase | string | false | none | Alert use case |
cdcUrl | string(uri) | false | none | The URL of this alert in the CDC application. |
tags | Tags | false | none | Array of tags. A tag's name should be a single word and cannot include spaces. Tags are case-preserving on insertion: if a tag doesn't already exist with a different casing style, the tag will be saved with the casing specified. When used as query filters, tags are treated as case-insensitive. |
categories | Categories | false | none | Mapping of alert to specific category in SIEM |
detectionRule | string | false | none | Name of detection rule from SIEM that triggered the generation of alert |
killChain | KillChain | false | none | Mapping of alert to specific Kill Chain phases. See in Wikipedia |
IncidentSummary
{
"id": "string",
"key": "CDC-20191208-00046",
"name": "Web Proxy - Execution file download",
"description": "Customer Name - ACME Inc<br>Alert Name - Web Proxy - Execution file download<br>Device Product - Web Gateway<br>Category Outcome - /Failure<br>\n",
"created": "2019-08-24T14:15:22Z",
"updated": "2019-08-24T14:15:22Z",
"type": "DDOS",
"status": "Closed",
"priority": "Low",
"group": "L1",
"externalIds": [
{
"system": "ServiceNow",
"id": "40385fee"
}
],
"tags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"company": "ACME Europe",
"pendingForGroup": "string",
"redirectionReason": "string"
}
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
id | string | true | none | A unique, machine-oriented ID identifying this incident |
key | string | true | none | A unique, human-oriented key identifying this incident |
name | string | false | none | The name of the incident. Included only if the client specified it explicitly in the "include" parameter |
description | string | false | none | The incident description. Included only if the client specified it explicitly in the "include" parameter |
created | string(date-time) | true | none | The time when the incident was created |
updated | string(date-time) | true | none | The time when the incident was last updated |
type | string | true | none | Incident type |
status | string | true | none | The status of the incident |
priority | string | true | none | The priority of the incident |
group | string | false | none | The group to which this incident is currently assigned |
externalIds | ExternalIds | false | none | Array of external identifiers of the entity. Clients will only receive identifiers they have permission for, and won't be able to see identifiers of other systems. |
tags | Tags | false | none | Array of tags. A tag's name should be a single word and cannot include spaces. Tags are case-preserving on insertion: if a tag doesn't already exist with a different casing style, the tag will be saved with the casing specified. When used as query filters, tags are treated as case-insensitive. |
company | string | false | none | The company with which this incident is associated |
pendingForGroup | string | false | none | If this incident was redirected to a different group this will contain the name of the target group |
redirectionReason | string | false | none | If this incident was redirected to a different group this will contain the user comment provided with redirection request |
MessageSummary
{
"id": "5e7c6cf54b832e0018f191ad",
"text": "Requires further investigation",
"processedText": "Requires further investigation"
}
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
id | string | true | none | A unique, machine-oriented ID identifying this message |
text | string | true | none | The text of the message |
processedText | string | false | none | The processed text of the message |
ExternalIds
[
{
"system": "ServiceNow",
"id": "40385fee"
}
]
Array of external identifiers of the entity. Clients will only receive identifiers they have permission for, and won't be able to see identifiers of other systems.
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
system | string | true | none | none |
id | string | true | none | none |
Tags
[
"Cloud-Computing",
"Virus",
"Phishing"
]
Array of tags. A tag's name should be a single word and cannot include spaces.
Tags are case-preserving on insertion: if a tag doesn't already exist with a different casing style, the tag will be saved with the casing specified. When used as query filters, tags are treated as case-insensitive.
Properties
None
Categories
[
"Ransomware",
"Phishing"
]
Mapping of alert to specific category in SIEM
Properties
None
Alert
{
"id": "5e7c6cf54b832e0018f191ad",
"source": "QRadar",
"sourceId": 296,
"score": 33.2,
"name": "Windows - Multiple failed logins same user same host",
"description": "Customer Name - AcmeCo\nAlert Name - Windows - Multiple failed logins same user same host\nDevice Vendor - Microsoft\nDevice Product - Microsoft Windows\nDevice Event Class Id - rule:105\n",
"severity": "Medium",
"created": "2019-08-24T14:15:22Z",
"modified": "2019-08-24T14:15:22Z",
"detected": "2019-08-24T14:15:22Z",
"status": "In Incident",
"sourceUrl": "https://192.168.41.164/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=296",
"company": "ACME Europe",
"useCase": "UC216 - EPP - Persistent Malware",
"cdcUrl": "https://acme.cyberproof.io/home/alerts/alert/5e7c6cf54b832e0018f191ad",
"tags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"categories": [
"Ransomware",
"Phishing"
],
"detectionRule": "WRONG_PASSWORD_3_ATTEMPTS",
"killChain": [
"Reconnaissance",
"Weaponization",
"Delivery"
],
"raw": {
"attributeInitializationInProgress": false,
"createdTime": {
"day": {
"numberInt": "18"
},
"hour": {
"numberInt": "16"
},
"milliSecond": {
"numberInt": "711"
},
"minute": {
"numberInt": "10"
},
"month": {
"numberInt": "6"
},
"second": {
"numberInt": "47"
},
"timezoneID": "Israel",
"year": {
"numberInt": "2017"
}
},
"createdTimestamp": {
"numberDouble": "1500383447711"
},
"deprecated": false,
"description": "ACME",
"disabled": false,
"inCache": true,
"inactive": false,
"initialized": true,
"isAdditionalLoaded": false,
"localID": {
"numberDouble": "30064798760"
},
"modificationCount": {
"numberInt": "1"
}
}
}
Properties
allOf
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
anonymous | AlertSummary | false | none | none |
and
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
anonymous | object | false | none | none |
» raw | object | false | none | The alert raw data. Included only if the client specified it explicitly in the "include" parameter |
Incident
{
"id": "string",
"key": "CDC-20191208-00046",
"name": "Web Proxy - Execution file download",
"description": "Customer Name - ACME Inc<br>Alert Name - Web Proxy - Execution file download<br>Device Product - Web Gateway<br>Category Outcome - /Failure<br>\n",
"created": "2019-08-24T14:15:22Z",
"updated": "2019-08-24T14:15:22Z",
"type": "DDOS",
"status": "Closed",
"priority": "Low",
"group": "L1",
"externalIds": [
{
"system": "ServiceNow",
"id": "40385fee"
}
],
"tags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"company": "ACME Europe",
"pendingForGroup": "string",
"redirectionReason": "string",
"closingComment": "string",
"closed": "2019-08-24T14:15:22Z",
"cdcUrl": "https://acme.cyberproof.io/home/incidents/incident/5ea71bb363f6c6001707663b"
}
Properties
allOf
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
anonymous | IncidentSummary | false | none | none |
and
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
anonymous | object | false | none | none |
» closingComment | string | false | none | The specified comment when it was closed. Only present if the incident was closed. |
» closed | string(date-time) | false | none | Timestamp specifying when the incident was closed. |
» cdcUrl | string(uri) | false | none | The URL of this incident in the CDC application. |
IncidentsQueryResults
{
"nextMarker": "string",
"results": [
{
"id": "string",
"key": "CDC-20191208-00046",
"name": "Web Proxy - Execution file download",
"description": "Customer Name - ACME Inc<br>Alert Name - Web Proxy - Execution file download<br>Device Product - Web Gateway<br>Category Outcome - /Failure<br>\n",
"created": "2019-08-24T14:15:22Z",
"updated": "2019-08-24T14:15:22Z",
"type": "DDOS",
"status": "Closed",
"priority": "Low",
"group": "L1",
"externalIds": [
{
"system": "ServiceNow",
"id": "40385fee"
}
],
"tags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"company": "ACME Europe",
"pendingForGroup": "string",
"redirectionReason": "string"
}
]
}
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
nextMarker | string(byte) | false | none | a continuation token. Empty if there are no further results |
results | [IncidentSummary] | true | none | none |
IncidentAlertsQueryResults
{
"nextMarker": "string",
"results": [
{
"id": "5e7c6cf54b832e0018f191ad",
"source": "QRadar",
"sourceId": 296,
"score": 33.2,
"name": "Windows - Multiple failed logins same user same host",
"description": "Customer Name - AcmeCo\nAlert Name - Windows - Multiple failed logins same user same host\nDevice Vendor - Microsoft\nDevice Product - Microsoft Windows\nDevice Event Class Id - rule:105\n",
"severity": "Medium",
"created": "2019-08-24T14:15:22Z",
"modified": "2019-08-24T14:15:22Z",
"detected": "2019-08-24T14:15:22Z",
"status": "In Incident",
"sourceUrl": "https://192.168.41.164/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=296",
"company": "ACME Europe",
"useCase": "UC216 - EPP - Persistent Malware",
"cdcUrl": "https://acme.cyberproof.io/home/alerts/alert/5e7c6cf54b832e0018f191ad",
"tags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"categories": [
"Ransomware",
"Phishing"
],
"detectionRule": "WRONG_PASSWORD_3_ATTEMPTS",
"killChain": [
"Reconnaissance",
"Weaponization",
"Delivery"
],
"raw": {
"attributeInitializationInProgress": false,
"createdTime": {
"day": {
"numberInt": "18"
},
"hour": {
"numberInt": "16"
},
"milliSecond": {
"numberInt": "711"
},
"minute": {
"numberInt": "10"
},
"month": {
"numberInt": "6"
},
"second": {
"numberInt": "47"
},
"timezoneID": "Israel",
"year": {
"numberInt": "2017"
}
},
"createdTimestamp": {
"numberDouble": "1500383447711"
},
"deprecated": false,
"description": "ACME",
"disabled": false,
"inCache": true,
"inactive": false,
"initialized": true,
"isAdditionalLoaded": false,
"localID": {
"numberDouble": "30064798760"
},
"modificationCount": {
"numberInt": "1"
}
}
}
]
}
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
nextMarker | string(byte) | false | none | A continuation token. Empty if there are no further results |
results | [Alert] | true | none | none |
IncidentObservablesQueryResults
{
"nextMarker": "string",
"results": [
{
"id": "5e13b88122c957000787db06",
"type": "IPv4 Address",
"value": "192.168.40.45",
"created": "2019-08-24T14:15:22Z",
"updated": "2019-08-24T14:15:22Z",
"suspiciousRate": 3.2,
"tags": [
"Critical-Infrastructure"
],
"enrichments": [
{
"id": "5e13b88122c957000787db06",
"name": "VirusTotal",
"reported": "2019-08-24T14:15:22Z",
"suspiciousRate": 3.2
}
]
}
]
}
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
nextMarker | string(byte) | false | none | A continuation token. Empty if there are no further results |
results | [ObservableSummary] | true | none | none |
IncidentEvidenceQueryResults
{
"nextMarker": "string",
"results": [
{
"id": "5aa4d8fcbdee5a000a911882",
"type": "string",
"caption": "Severity changed",
"reported": "2019-08-24T14:15:22Z",
"created": "2019-08-24T14:15:22Z",
"description": "System Admin has changed severity from Low to Medium",
"messageCdcUrl": "https://acme.cyberproof.io/home/incidents/5ea71bb363f6c6001707663b/evidence/5ea71bb363f6c6001707254a"
}
]
}
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
nextMarker | string(byte) | false | none | A continuation token. Empty if there are no further results |
results | [Evidence] | true | none | none |
ObservableSummary
{
"id": "5e13b88122c957000787db06",
"type": "IPv4 Address",
"value": "192.168.40.45",
"created": "2019-08-24T14:15:22Z",
"updated": "2019-08-24T14:15:22Z",
"suspiciousRate": 3.2,
"tags": [
"Critical-Infrastructure"
],
"enrichments": [
{
"id": "5e13b88122c957000787db06",
"name": "VirusTotal",
"reported": "2019-08-24T14:15:22Z",
"suspiciousRate": 3.2
}
]
}
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
id | string | true | none | The unique identifier of this observable |
type | string | true | none | The type of the observable |
value | string | true | none | The value of the observable |
created | string(date-time) | true | none | The time when the observable was created |
updated | string(date-time) | true | none | The time when the observable was last updated, including changes to the observable and association to incidents. |
suspiciousRate | number(double) | true | none | The suspicious rate of the observable (higher is more suspicious), between 0 and 100 |
tags | [string] | false | none | The tags associated with this observable |
enrichments | [EnrichmentSummary] | false | none | The recent and valid enrichments associated with this observable |
EnrichmentSummary
{
"id": "5e13b88122c957000787db06",
"name": "VirusTotal",
"reported": "2019-08-24T14:15:22Z",
"suspiciousRate": 3.2
}
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
id | string | true | none | The unique identifier of this enrichment |
name | string | true | none | The name of the enrichment |
reported | string(date-time) | true | none | The time when this enrichment was reported |
suspiciousRate | number(double) | true | none | The suspicious rate of the observable (higher is more suspicious), between 0 and 100 |
Evidence
{
"id": "5aa4d8fcbdee5a000a911882",
"type": "string",
"caption": "Severity changed",
"reported": "2019-08-24T14:15:22Z",
"created": "2019-08-24T14:15:22Z",
"description": "System Admin has changed severity from Low to Medium",
"messageCdcUrl": "https://acme.cyberproof.io/home/incidents/5ea71bb363f6c6001707663b/evidence/5ea71bb363f6c6001707254a"
}
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
id | string | true | none | A unique, machine-oriented ID identifying this evidence. |
type | string | true | none | The type of evidence |
caption | string | true | none | The caption of the evidence |
reported | string(date-time) | true | none | The time when this evidence was reported |
created | string(date-time) | true | none | The time when this evidence was created |
description | string | false | none | The description of this evidence |
messageCdcUrl | string | false | none | The URL of the message in the CDC application that this evidence was created from. |
KillChain
[
"Reconnaissance",
"Weaponization",
"Delivery"
]
Mapping of alert to specific Kill Chain phases. See in Wikipedia
Properties
None
AlertKillChainUpdateResponse
{
"id": "5e7c6cf54b832e0018f191ad",
"modified": "2019-08-24T14:15:22Z",
"modifiedBy": "9e7b6af34b632a7718f191ad",
"killChain": [
"Reconnaissance",
"Weaponization",
"Delivery"
]
}
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
id | string | false | none | A unique, machine-oriented ID identifying this alert. |
modified | string(date-time) | false | none | Last modification timestamp |
modifiedBy | string | false | none | The Id of the user responsible for last alert update. |
killChain | KillChain | false | none | Mapping of alert to specific Kill Chain phases. See in Wikipedia |
AddToAlertKillChainRequest
{
"phases": [
"Reconnaissance",
"Weaponization",
"Delivery"
]
}
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
phases | [string] | true | none | Mapping of alert to specific Kill Chain phases. The case of the names is ignored, as are spaces and duplicate values; all values are normalized according to the provided enum. See in Wikipedia. Validations: * Each phase name cannot exceed 256 characters. * The added phases array must be a subset of the values in the provided enum. * The maximum number of added items is 7, since that is the number of possible phases. |
Enumerated Values
Property | Value |
---|---|
phases | Reconnaissance |
phases | Weaponization |
phases | Delivery |
phases | Exploitation |
phases | Installation |
phases | Command and Control |
phases | Actions on Objective |
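The normalization and validation rules described for AddToAlertKillChainRequest are easy to get wrong on the client side (a rejected request only tells you the body was invalid). The following is an added example, not code from the CyberProof platform or its SDKs: it applies the documented rules (case and whitespace ignored, duplicates dropped, every value must map to one of the seven enum values, names capped at 256 characters) before building the request body. Returning the phases in first-occurrence order is an assumption; the page does not say how the server orders them.

```python
import re

# The seven phases from the enumerated values above, in canonical spelling.
KILL_CHAIN_PHASES = (
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objective",
)
MAX_PHASE_NAME_LENGTH = 256


def _lookup_key(name):
    """Normalization key: the spec ignores case and spaces, so strip all
    whitespace and lower-case before comparing against the enum."""
    return re.sub(r"\s+", "", name).lower()


_CANONICAL_BY_KEY = {_lookup_key(p): p for p in KILL_CHAIN_PHASES}


def normalize_phases(phases):
    """Return the canonical phase names for a client-supplied list, with
    duplicates removed (first-occurrence order is an assumption, not a
    documented guarantee). Raises ValueError naming the offending value so
    an invalid body is caught before it is sent to the API."""
    if not isinstance(phases, (list, tuple)):
        raise ValueError("phases must be a list of strings")
    normalized = []
    for raw in phases:
        if not isinstance(raw, str):
            raise ValueError("phase name must be a string: %r" % (raw,))
        if len(raw) > MAX_PHASE_NAME_LENGTH:
            raise ValueError("phase name exceeds %d characters" % MAX_PHASE_NAME_LENGTH)
        canonical = _CANONICAL_BY_KEY.get(_lookup_key(raw))
        if canonical is None:
            raise ValueError("unknown kill chain phase: %r" % raw)
        if canonical not in normalized:  # duplicates are ignored
            normalized.append(canonical)
    # Cannot trigger after the subset check above; kept because the spec
    # states the limit explicitly.
    if len(normalized) > len(KILL_CHAIN_PHASES):
        raise ValueError("at most %d phases may be added" % len(KILL_CHAIN_PHASES))
    return normalized


def build_add_to_kill_chain_request(phases):
    """Body for AddToAlertKillChainRequest, ready to be JSON-encoded."""
    return {"phases": normalize_phases(phases)}


if __name__ == "__main__":
    # Constructed input mixing case, spacing and a duplicate.
    print(build_add_to_kill_chain_request(
        ["delivery", "Command And Control", " DELIVERY ", "actionsonobjective"]))
```

Validating locally does not replace the server's own checks; it just turns a 4xx round trip into an immediate error with a readable message.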
General API Guidelines
- For query endpoints (e.g. queryAlerts, queryObservableAlertIds), a query that yields no results returns an empty list:
[]
Concurrency
CyberProof addresses consistency concerns by using standard HTTP constructs to provide optimistic concurrency control. Specifically, the mechanism is the combination of entity tags and conditional requests.
An entity tag, carried in the ETag HTTP header, is an opaque token that the server associates with a particular state of a resource. When the resource changes, the entity tag changes as well. This lets a client determine whether a request on a resource references an up-to-date representation of that resource. If there is a mismatch, the request is not performed and the client should refresh its copy of the resource before trying again.
A conditional request is a request that may be executed differently depending on the value of specific HTTP headers. These headers define the precondition that must be true before the server executes the request. For entity tags, there are two ways to make a request conditional:
- If-Match: The request continues only if the ETag of the current resource is equal to the one listed in this header
- If-None-Match: The request continues only if the ETag of the current resource is different from every tag listed in this header
Take the following scenario as an example:
- Client calls getIncident with a certain incident id
- Client receives the incident response along with the ETag response header
- Client needs to update the incident
  - Client updates its copy of the incident's entity state
  - Client calls updateIncident and includes an If-Match header with the value of the ETag it received before
- Server operation
  - Server compares the current ETag with the one specified in the If-Match header
  - When they match, the operation is performed and the response to the client includes the updated incident's entity tag in the ETag response header
  - When they do not match, the operation is not performed and the server responds with status code 412 Precondition Failed
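The scenario above played end to end, as an added example that is not part of the CyberProof API documentation or client libraries. The server is a constructed in-memory stand-in, not the real service: it reproduces only the ETag, If-Match, If-None-Match, 412 and 304 semantics described here, and derives the tag from a hash of the entity (an assumption; the real tag is opaque). The client demonstrates the part the prose leaves implicit: on 412 it must re-read the incident and re-apply its change to the fresh copy rather than re-send the stale body, so a competing writer's change is preserved. The incident fields and method names are illustrative.

```python
import copy
import hashlib
import json


class PreconditionFailed(Exception):
    """Raised by the client when it gives up after repeated 412 responses."""


class MockIncidentServer:
    """Constructed stand-in for the incidents resource (not the real API).
    The ETag is a hash of the canonical JSON of the current state, so any
    change to the entity changes the tag."""

    def __init__(self, incidents):
        self._store = {inc["id"]: copy.deepcopy(inc) for inc in incidents}

    @staticmethod
    def _etag(entity):
        canonical = json.dumps(entity, sort_keys=True, separators=(",", ":"))
        return '"%s"' % hashlib.sha256(canonical.encode()).hexdigest()[:16]

    def get_incident(self, incident_id, if_none_match=None):
        """getIncident. With If-None-Match, answer 304 when the current tag
        equals one of the listed tags; otherwise 200 with body and ETag."""
        entity = self._store[incident_id]
        etag = self._etag(entity)
        if if_none_match and etag in if_none_match:
            return 304, None, etag
        return 200, copy.deepcopy(entity), etag

    def update_incident(self, incident_id, fields, if_match):
        """updateIncident with If-Match: apply the write only when the
        supplied tag equals the tag of the current state; otherwise 412."""
        current = self._store[incident_id]
        if if_match != self._etag(current):
            return 412, None, self._etag(current)
        current.update(fields)
        return 200, copy.deepcopy(current), self._etag(current)


def update_with_retry(server, incident_id, make_change, max_attempts=3):
    """Client side of the scenario: GET, compute the change from the fresh
    copy, PUT with If-Match set to the ETag just received. A 412 means
    another writer got there first, so refresh and re-apply the change."""
    for attempt in range(1, max_attempts + 1):
        status, incident, etag = server.get_incident(incident_id)
        if status != 200:
            raise RuntimeError("unexpected status %d on GET" % status)
        status, updated, new_etag = server.update_incident(
            incident_id, make_change(incident), if_match=etag)
        if status == 200:
            return updated, new_etag, attempt
        # 412 Precondition Failed: loop around with a refreshed copy
    raise PreconditionFailed("incident %s still stale after %d attempts"
                             % (incident_id, max_attempts))


INCIDENT_ID = "5ea71bb363f6c6001707663b"  # id reused from the Evidence example


def race_demo():
    """Two writers race on one incident (constructed data). Writer B changes
    the severity between writer A's GET and PUT; A's first PUT gets 412 and
    its retry re-reads, then succeeds without clobbering B's change."""
    server = MockIncidentServer(
        [{"id": INCIDENT_ID, "severity": "Low", "status": "Open"}])
    calls = {"n": 0}

    def close_incident(fresh_copy):
        calls["n"] += 1
        if calls["n"] == 1:  # writer B wins the race exactly once
            _, _, tag_b = server.get_incident(INCIDENT_ID)
            server.update_incident(INCIDENT_ID, {"severity": "Medium"}, if_match=tag_b)
        return {"status": "Closed"}

    updated, _, attempts = update_with_retry(server, INCIDENT_ID, close_incident)
    return updated, attempts


if __name__ == "__main__":
    final_state, attempts = race_demo()
    print("attempts:", attempts, "final state:", final_state)
```

The retry recomputes the change from the re-fetched incident; a client that simply re-sent its original body with the new ETag would silently undo writer B's severity change, which is exactly the lost update the ETag mechanism exists to prevent.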