CyberProof Platform API v2.6.2
The CyberProof Platform public API, enabling integration with customer systems.
Base URLs:
- https://{tenant}.api.cyberproof.io/api/v1
  - tenant - The name of the tenant. Default: demo
Email: CyberProof API Support
Authentication
- API Key (ApiKeyHeader)
  - Parameter Name: X-API-KEY, in: header.
- API Key (ApiKeyQuery)
  - Parameter Name: apiKey, in: query.
alerts
Alerts APIs
createAlert
Code samples
```shell
curl --request POST \
  --url https://test-api.cyberproof.io/api/v1/alerts \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a' \
  --data '{"name":"Email messages containing malware removed after delivery","sourceId":"345ffe9a","severity":"High","description":"message containing malware are delivered to mailboxes in your organization. Office 365 removed the infected messages from Exchange Online mailboxes.","sourceUrl":"http://10.0.0.90/MySIEM/api/alerts/345ffe9a","raw":{"attributeInitializationInProgress":false,"createdTime":{"day":{"numberInt":"18"},"hour":{"numberInt":"16"},"milliSecond":{"numberInt":"711"},"minute":{"numberInt":"10"},"month":{"numberInt":"6"},"second":{"numberInt":"47"},"timezoneID":"Israel","year":{"numberInt":"2017"}},"createdTimestamp":{"numberDouble":"1500383447711"},"deprecated":false,"description":"ACME","disabled":false,"inCache":true,"inactive":false,"initialized":true,"isAdditionalLoaded":false,"localID":{"numberDouble":"30064798760"},"modificationCount":{"numberInt":"1"}},"observables":[{"type":"IPv4 Address","value":"192.168.40.45","tags":["Cloud-Computing","Virus","Phishing"],"extraProperties":{"property1":{"value":"aaa-bbcc","type":"WeakIdentifier"},"property2":{"value":"aaa-bbcc","type":"WeakIdentifier"}},"relatedExtraProperties":{"property1":{"sha":256,"type":"WeakIdentifier"},"property2":{"sha":256,"type":"WeakIdentifier"}}}],"useCase":"UC216 - EPP - Persistent Malware","company":"ACME","tags":["Cloud-Computing","Virus","Phishing"],"categories":["Ransomware","Phishing"],"detectionRule":"WRONG_PASSWORD_3_ATTEMPTS","alertType":"CTI-Landscape","threatType":"Phishing","threatActors":["Cyber Criminals","Anonymous"],"malwareTools":["TrickBot","IcedID","Cobalt Strike"],"ctiSourceUrls":["https://blog.malwarebytes.com/someTopic"],"recommendations":"Implement the attached IOCs in your security systems.","killChain":["Reconnaissance","Weaponization","Delivery"],"mitreAttacks":["T1003","T1001","T1595.001"]}'
```
```javascript
fetch("https://test-api.cyberproof.io/api/v1/alerts", {
  "method": "POST",
  "headers": {
    "Content-Type": "application/json",
    "Accept": "application/json",
    "X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
  },
  "body": "{\"name\":\"Email messages containing malware removed after delivery\",\"sourceId\":\"345ffe9a\",\"severity\":\"High\",\"description\":\"message containing malware are delivered to mailboxes in your organization. Office 365 removed the infected messages from Exchange Online mailboxes.\",\"sourceUrl\":\"http://10.0.0.90/MySIEM/api/alerts/345ffe9a\",\"raw\":{\"attributeInitializationInProgress\":false,\"createdTime\":{\"day\":{\"numberInt\":\"18\"},\"hour\":{\"numberInt\":\"16\"},\"milliSecond\":{\"numberInt\":\"711\"},\"minute\":{\"numberInt\":\"10\"},\"month\":{\"numberInt\":\"6\"},\"second\":{\"numberInt\":\"47\"},\"timezoneID\":\"Israel\",\"year\":{\"numberInt\":\"2017\"}},\"createdTimestamp\":{\"numberDouble\":\"1500383447711\"},\"deprecated\":false,\"description\":\"ACME\",\"disabled\":false,\"inCache\":true,\"inactive\":false,\"initialized\":true,\"isAdditionalLoaded\":false,\"localID\":{\"numberDouble\":\"30064798760\"},\"modificationCount\":{\"numberInt\":\"1\"}},\"observables\":[{\"type\":\"IPv4 Address\",\"value\":\"192.168.40.45\",\"tags\":[\"Cloud-Computing\",\"Virus\",\"Phishing\"],\"extraProperties\":{\"property1\":{\"value\":\"aaa-bbcc\",\"type\":\"WeakIdentifier\"},\"property2\":{\"value\":\"aaa-bbcc\",\"type\":\"WeakIdentifier\"}},\"relatedExtraProperties\":{\"property1\":{\"sha\":256,\"type\":\"WeakIdentifier\"},\"property2\":{\"sha\":256,\"type\":\"WeakIdentifier\"}}}],\"useCase\":\"UC216 - EPP - Persistent Malware\",\"company\":\"ACME\",\"tags\":[\"Cloud-Computing\",\"Virus\",\"Phishing\"],\"categories\":[\"Ransomware\",\"Phishing\"],\"detectionRule\":\"WRONG_PASSWORD_3_ATTEMPTS\",\"alertType\":\"CTI-Landscape\",\"threatType\":\"Phishing\",\"threatActors\":[\"Cyber Criminals\",\"Anonymous\"],\"malwareTools\":[\"TrickBot\",\"IcedID\",\"Cobalt Strike\"],\"ctiSourceUrls\":[\"https://blog.malwarebytes.com/someTopic\"],\"recommendations\":\"Implement the attached IOCs in your security systems.\",\"killChain\":[\"Reconnaissance\",\"Weaponization\",\"Delivery\"],\"mitreAttacks\":[\"T1003\",\"T1001\",\"T1595.001\"]}"
})
.then(response => {
  console.log(response);
})
.catch(err => {
  console.error(err);
});
```
```python
import http.client

conn = http.client.HTTPSConnection("test-api.cyberproof.io")
payload = "{\"name\":\"Email messages containing malware removed after delivery\",\"sourceId\":\"345ffe9a\",\"severity\":\"High\",\"description\":\"message containing malware are delivered to mailboxes in your organization. Office 365 removed the infected messages from Exchange Online mailboxes.\",\"sourceUrl\":\"http://10.0.0.90/MySIEM/api/alerts/345ffe9a\",\"raw\":{\"attributeInitializationInProgress\":false,\"createdTime\":{\"day\":{\"numberInt\":\"18\"},\"hour\":{\"numberInt\":\"16\"},\"milliSecond\":{\"numberInt\":\"711\"},\"minute\":{\"numberInt\":\"10\"},\"month\":{\"numberInt\":\"6\"},\"second\":{\"numberInt\":\"47\"},\"timezoneID\":\"Israel\",\"year\":{\"numberInt\":\"2017\"}},\"createdTimestamp\":{\"numberDouble\":\"1500383447711\"},\"deprecated\":false,\"description\":\"ACME\",\"disabled\":false,\"inCache\":true,\"inactive\":false,\"initialized\":true,\"isAdditionalLoaded\":false,\"localID\":{\"numberDouble\":\"30064798760\"},\"modificationCount\":{\"numberInt\":\"1\"}},\"observables\":[{\"type\":\"IPv4 Address\",\"value\":\"192.168.40.45\",\"tags\":[\"Cloud-Computing\",\"Virus\",\"Phishing\"],\"extraProperties\":{\"property1\":{\"value\":\"aaa-bbcc\",\"type\":\"WeakIdentifier\"},\"property2\":{\"value\":\"aaa-bbcc\",\"type\":\"WeakIdentifier\"}},\"relatedExtraProperties\":{\"property1\":{\"sha\":256,\"type\":\"WeakIdentifier\"},\"property2\":{\"sha\":256,\"type\":\"WeakIdentifier\"}}}],\"useCase\":\"UC216 - EPP - Persistent Malware\",\"company\":\"ACME\",\"tags\":[\"Cloud-Computing\",\"Virus\",\"Phishing\"],\"categories\":[\"Ransomware\",\"Phishing\"],\"detectionRule\":\"WRONG_PASSWORD_3_ATTEMPTS\",\"alertType\":\"CTI-Landscape\",\"threatType\":\"Phishing\",\"threatActors\":[\"Cyber Criminals\",\"Anonymous\"],\"malwareTools\":[\"TrickBot\",\"IcedID\",\"Cobalt Strike\"],\"ctiSourceUrls\":[\"https://blog.malwarebytes.com/someTopic\"],\"recommendations\":\"Implement the attached IOCs in your security systems.\",\"killChain\":[\"Reconnaissance\",\"Weaponization\",\"Delivery\"],\"mitreAttacks\":[\"T1003\",\"T1001\",\"T1595.001\"]}"
headers = {
    'Content-Type': "application/json",
    'Accept': "application/json",
    'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("POST", "/api/v1/alerts", payload, headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
```
```go
package main

import (
	"fmt"
	"strings"
	"net/http"
	"io/ioutil"
)

func main() {
	url := "https://test-api.cyberproof.io/api/v1/alerts"
	payload := strings.NewReader("{\"name\":\"Email messages containing malware removed after delivery\",\"sourceId\":\"345ffe9a\",\"severity\":\"High\",\"description\":\"message containing malware are delivered to mailboxes in your organization. Office 365 removed the infected messages from Exchange Online mailboxes.\",\"sourceUrl\":\"http://10.0.0.90/MySIEM/api/alerts/345ffe9a\",\"raw\":{\"attributeInitializationInProgress\":false,\"createdTime\":{\"day\":{\"numberInt\":\"18\"},\"hour\":{\"numberInt\":\"16\"},\"milliSecond\":{\"numberInt\":\"711\"},\"minute\":{\"numberInt\":\"10\"},\"month\":{\"numberInt\":\"6\"},\"second\":{\"numberInt\":\"47\"},\"timezoneID\":\"Israel\",\"year\":{\"numberInt\":\"2017\"}},\"createdTimestamp\":{\"numberDouble\":\"1500383447711\"},\"deprecated\":false,\"description\":\"ACME\",\"disabled\":false,\"inCache\":true,\"inactive\":false,\"initialized\":true,\"isAdditionalLoaded\":false,\"localID\":{\"numberDouble\":\"30064798760\"},\"modificationCount\":{\"numberInt\":\"1\"}},\"observables\":[{\"type\":\"IPv4 Address\",\"value\":\"192.168.40.45\",\"tags\":[\"Cloud-Computing\",\"Virus\",\"Phishing\"],\"extraProperties\":{\"property1\":{\"value\":\"aaa-bbcc\",\"type\":\"WeakIdentifier\"},\"property2\":{\"value\":\"aaa-bbcc\",\"type\":\"WeakIdentifier\"}},\"relatedExtraProperties\":{\"property1\":{\"sha\":256,\"type\":\"WeakIdentifier\"},\"property2\":{\"sha\":256,\"type\":\"WeakIdentifier\"}}}],\"useCase\":\"UC216 - EPP - Persistent Malware\",\"company\":\"ACME\",\"tags\":[\"Cloud-Computing\",\"Virus\",\"Phishing\"],\"categories\":[\"Ransomware\",\"Phishing\"],\"detectionRule\":\"WRONG_PASSWORD_3_ATTEMPTS\",\"alertType\":\"CTI-Landscape\",\"threatType\":\"Phishing\",\"threatActors\":[\"Cyber Criminals\",\"Anonymous\"],\"malwareTools\":[\"TrickBot\",\"IcedID\",\"Cobalt Strike\"],\"ctiSourceUrls\":[\"https://blog.malwarebytes.com/someTopic\"],\"recommendations\":\"Implement the attached IOCs in your security systems.\",\"killChain\":[\"Reconnaissance\",\"Weaponization\",\"Delivery\"],\"mitreAttacks\":[\"T1003\",\"T1001\",\"T1595.001\"]}")
	req, _ := http.NewRequest("POST", url, payload)
	req.Header.Add("Content-Type", "application/json")
	req.Header.Add("Accept", "application/json")
	req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
	res, _ := http.DefaultClient.Do(req)
	defer res.Body.Close()
	body, _ := ioutil.ReadAll(res.Body)
	fmt.Println(res)
	fmt.Println(string(body))
}
```
```csharp
var client = new HttpClient();
var request = new HttpRequestMessage
{
    Method = HttpMethod.Post,
    RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/alerts"),
    Headers =
    {
        { "Accept", "application/json" },
        { "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
    },
    Content = new StringContent("{\"name\":\"Email messages containing malware removed after delivery\",\"sourceId\":\"345ffe9a\",\"severity\":\"High\",\"description\":\"message containing malware are delivered to mailboxes in your organization. Office 365 removed the infected messages from Exchange Online mailboxes.\",\"sourceUrl\":\"http://10.0.0.90/MySIEM/api/alerts/345ffe9a\",\"raw\":{\"attributeInitializationInProgress\":false,\"createdTime\":{\"day\":{\"numberInt\":\"18\"},\"hour\":{\"numberInt\":\"16\"},\"milliSecond\":{\"numberInt\":\"711\"},\"minute\":{\"numberInt\":\"10\"},\"month\":{\"numberInt\":\"6\"},\"second\":{\"numberInt\":\"47\"},\"timezoneID\":\"Israel\",\"year\":{\"numberInt\":\"2017\"}},\"createdTimestamp\":{\"numberDouble\":\"1500383447711\"},\"deprecated\":false,\"description\":\"ACME\",\"disabled\":false,\"inCache\":true,\"inactive\":false,\"initialized\":true,\"isAdditionalLoaded\":false,\"localID\":{\"numberDouble\":\"30064798760\"},\"modificationCount\":{\"numberInt\":\"1\"}},\"observables\":[{\"type\":\"IPv4 Address\",\"value\":\"192.168.40.45\",\"tags\":[\"Cloud-Computing\",\"Virus\",\"Phishing\"],\"extraProperties\":{\"property1\":{\"value\":\"aaa-bbcc\",\"type\":\"WeakIdentifier\"},\"property2\":{\"value\":\"aaa-bbcc\",\"type\":\"WeakIdentifier\"}},\"relatedExtraProperties\":{\"property1\":{\"sha\":256,\"type\":\"WeakIdentifier\"},\"property2\":{\"sha\":256,\"type\":\"WeakIdentifier\"}}}],\"useCase\":\"UC216 - EPP - Persistent Malware\",\"company\":\"ACME\",\"tags\":[\"Cloud-Computing\",\"Virus\",\"Phishing\"],\"categories\":[\"Ransomware\",\"Phishing\"],\"detectionRule\":\"WRONG_PASSWORD_3_ATTEMPTS\",\"alertType\":\"CTI-Landscape\",\"threatType\":\"Phishing\",\"threatActors\":[\"Cyber Criminals\",\"Anonymous\"],\"malwareTools\":[\"TrickBot\",\"IcedID\",\"Cobalt Strike\"],\"ctiSourceUrls\":[\"https://blog.malwarebytes.com/someTopic\"],\"recommendations\":\"Implement the attached IOCs in your security systems.\",\"killChain\":[\"Reconnaissance\",\"Weaponization\",\"Delivery\"],\"mitreAttacks\":[\"T1003\",\"T1001\",\"T1595.001\"]}")
    {
        Headers =
        {
            ContentType = new MediaTypeHeaderValue("application/json")
        }
    }
};
using (var response = await client.SendAsync(request))
{
    response.EnsureSuccessStatusCode();
    var body = await response.Content.ReadAsStringAsync();
    Console.WriteLine(body);
}
```
```java
HttpResponse<String> response = Unirest.post("https://test-api.cyberproof.io/api/v1/alerts")
  .header("Content-Type", "application/json")
  .header("Accept", "application/json")
  .header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
  .body("{\"name\":\"Email messages containing malware removed after delivery\",\"sourceId\":\"345ffe9a\",\"severity\":\"High\",\"description\":\"message containing malware are delivered to mailboxes in your organization. Office 365 removed the infected messages from Exchange Online mailboxes.\",\"sourceUrl\":\"http://10.0.0.90/MySIEM/api/alerts/345ffe9a\",\"raw\":{\"attributeInitializationInProgress\":false,\"createdTime\":{\"day\":{\"numberInt\":\"18\"},\"hour\":{\"numberInt\":\"16\"},\"milliSecond\":{\"numberInt\":\"711\"},\"minute\":{\"numberInt\":\"10\"},\"month\":{\"numberInt\":\"6\"},\"second\":{\"numberInt\":\"47\"},\"timezoneID\":\"Israel\",\"year\":{\"numberInt\":\"2017\"}},\"createdTimestamp\":{\"numberDouble\":\"1500383447711\"},\"deprecated\":false,\"description\":\"ACME\",\"disabled\":false,\"inCache\":true,\"inactive\":false,\"initialized\":true,\"isAdditionalLoaded\":false,\"localID\":{\"numberDouble\":\"30064798760\"},\"modificationCount\":{\"numberInt\":\"1\"}},\"observables\":[{\"type\":\"IPv4 Address\",\"value\":\"192.168.40.45\",\"tags\":[\"Cloud-Computing\",\"Virus\",\"Phishing\"],\"extraProperties\":{\"property1\":{\"value\":\"aaa-bbcc\",\"type\":\"WeakIdentifier\"},\"property2\":{\"value\":\"aaa-bbcc\",\"type\":\"WeakIdentifier\"}},\"relatedExtraProperties\":{\"property1\":{\"sha\":256,\"type\":\"WeakIdentifier\"},\"property2\":{\"sha\":256,\"type\":\"WeakIdentifier\"}}}],\"useCase\":\"UC216 - EPP - Persistent Malware\",\"company\":\"ACME\",\"tags\":[\"Cloud-Computing\",\"Virus\",\"Phishing\"],\"categories\":[\"Ransomware\",\"Phishing\"],\"detectionRule\":\"WRONG_PASSWORD_3_ATTEMPTS\",\"alertType\":\"CTI-Landscape\",\"threatType\":\"Phishing\",\"threatActors\":[\"Cyber Criminals\",\"Anonymous\"],\"malwareTools\":[\"TrickBot\",\"IcedID\",\"Cobalt Strike\"],\"ctiSourceUrls\":[\"https://blog.malwarebytes.com/someTopic\"],\"recommendations\":\"Implement the attached IOCs in your security systems.\",\"killChain\":[\"Reconnaissance\",\"Weaponization\",\"Delivery\"],\"mitreAttacks\":[\"T1003\",\"T1001\",\"T1595.001\"]}")
  .asString();
```
POST /alerts
Creates a new alert
Creates a new alert in CDC.
This operation is idempotent: if the client provides a sourceId which already exists in CDC, then the operation should succeed with UPSERT semantics.

NOTE: The maximum request size is 2 MB.
Body parameter
```json
{
  "name": "Email messages containing malware removed after delivery",
  "sourceId": "345ffe9a",
  "severity": "High",
  "description": "message containing malware are delivered to mailboxes in your organization. Office 365 removed the infected messages from Exchange Online mailboxes.",
  "sourceUrl": "http://10.0.0.90/MySIEM/api/alerts/345ffe9a",
  "raw": {
    "attributeInitializationInProgress": false,
    "createdTime": {
      "day": { "numberInt": "18" },
      "hour": { "numberInt": "16" },
      "milliSecond": { "numberInt": "711" },
      "minute": { "numberInt": "10" },
      "month": { "numberInt": "6" },
      "second": { "numberInt": "47" },
      "timezoneID": "Israel",
      "year": { "numberInt": "2017" }
    },
    "createdTimestamp": { "numberDouble": "1500383447711" },
    "deprecated": false,
    "description": "ACME",
    "disabled": false,
    "inCache": true,
    "inactive": false,
    "initialized": true,
    "isAdditionalLoaded": false,
    "localID": { "numberDouble": "30064798760" },
    "modificationCount": { "numberInt": "1" }
  },
  "observables": [
    {
      "type": "IPv4 Address",
      "value": "192.168.40.45",
      "tags": ["Cloud-Computing", "Virus", "Phishing"],
      "extraProperties": {
        "property1": { "value": "aaa-bbcc", "type": "WeakIdentifier" },
        "property2": { "value": "aaa-bbcc", "type": "WeakIdentifier" }
      },
      "relatedExtraProperties": {
        "property1": { "sha": 256, "type": "WeakIdentifier" },
        "property2": { "sha": 256, "type": "WeakIdentifier" }
      }
    }
  ],
  "useCase": "UC216 - EPP - Persistent Malware",
  "company": "ACME",
  "tags": ["Cloud-Computing", "Virus", "Phishing"],
  "categories": ["Ransomware", "Phishing"],
  "detectionRule": "WRONG_PASSWORD_3_ATTEMPTS",
  "alertType": "CTI-Landscape",
  "threatType": "Phishing",
  "threatActors": ["Cyber Criminals", "Anonymous"],
  "malwareTools": ["TrickBot", "IcedID", "Cobalt Strike"],
  "ctiSourceUrls": ["https://blog.malwarebytes.com/someTopic"],
  "recommendations": "Implement the attached IOCs in your security systems.",
  "killChain": ["Reconnaissance", "Weaponization", "Delivery"],
  "mitreAttacks": ["T1003", "T1001", "T1595.001"]
}
```
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
body | body | CreateAlertRequest | true | none |
Example responses
201 Response
```json
{
  "id": "5e7c6cf54b832e0018f191ad",
  "source": "QRadar",
  "sourceId": 296,
  "score": 33.2,
  "name": "Windows - Multiple failed logins same user same host",
  "description": "Customer Name - AcmeCo\nAlert Name - Windows - Multiple failed logins same user same host\nDevice Vendor - Microsoft\nDevice Product - Microsoft Windows\nDevice Event Class Id - rule:105\n",
  "severity": "Medium",
  "created": "2019-08-24T14:15:22Z",
  "modified": "2019-08-24T14:15:22Z",
  "detected": "2019-08-24T14:15:22Z",
  "status": "In Incident",
  "sourceUrl": "https://192.168.41.164/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=296",
  "company": "ACME Europe",
  "useCase": "UC216 - EPP - Persistent Malware",
  "tags": ["Cloud-Computing", "Virus", "Phishing"],
  "observableTags": ["Cloud-Computing", "Virus", "Phishing"],
  "categories": ["Ransomware", "Phishing"],
  "detectionRule": "WRONG_PASSWORD_3_ATTEMPTS",
  "killChain": ["Reconnaissance", "Weaponization", "Delivery"],
  "mitreAttacks": ["T1003", "T1001", "T1595.001"],
  "alertType": "CTI-Landscape",
  "threatType": "Phishing"
}
```
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
201 | Created | The alert has been created | AlertSummary |
400 | Bad Request | The request is invalid | None |
401 | Unauthorized | Authentication failure | None |
403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
413 | Payload Too Large | The payload sent by the client exceeds the size limits imposed by the server | None |
429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate limiting policy of the server. | None |
500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
503 | Service Unavailable | The server cannot handle the request at the moment | None |
504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
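As an added example (not CyberProof's own code), here is a small Python client for createAlert that sends the key in the X-API-KEY header rather than the apiKey query parameter (query strings tend to be recorded in proxy and web-server logs), refuses bodies above the documented 2 MB limit before the server answers 413, backs off on 429, and demonstrates the documented UPSERT rule against a constructed in-memory stand-in for the service. The Transport interface, FakeTransport, the EXAMPLE-KEY value and the fake ids are assumptions of this example; https_transport mirrors the page's http.client sample and is not exercised offline.

```python
import http.client
import json
import time
from typing import Callable, Dict, Tuple

MAX_REQUEST_BYTES = 2 * 1024 * 1024   # documented request size limit: 2 MB
EXAMPLE_API_KEY = "EXAMPLE-KEY"       # placeholder, not a real key

# A transport takes (method, path, headers, body) and returns (status, response text).
Transport = Callable[[str, str, Dict[str, str], bytes], Tuple[int, str]]


def https_transport(host: str) -> Transport:
    """Real transport over http.client, as in the page's Python sample (not used offline)."""
    def send(method: str, path: str, headers: Dict[str, str], body: bytes) -> Tuple[int, str]:
        conn = http.client.HTTPSConnection(host)
        conn.request(method, path, body, headers)
        res = conn.getresponse()
        return res.status, res.read().decode("utf-8")
    return send


def encode_alert(alert: dict) -> bytes:
    """Serialize a CreateAlertRequest; refuse bodies the server would reject with 413."""
    body = json.dumps(alert, separators=(",", ":")).encode("utf-8")
    if len(body) > MAX_REQUEST_BYTES:
        raise ValueError(f"alert body is {len(body)} bytes, above the 2 MB limit")
    return body


def create_alert(transport: Transport, api_key: str, alert: dict,
                 max_retries: int = 3, sleep=time.sleep) -> Tuple[int, dict]:
    """POST /alerts with the key in X-API-KEY; back off and retry on 429."""
    body = encode_alert(alert)
    headers = {"Content-Type": "application/json",
               "Accept": "application/json",
               "X-API-KEY": api_key}
    delay, attempt = 1.0, 0
    while True:
        status, text = transport("POST", "/api/v1/alerts", headers, body)
        if status == 429 and attempt < max_retries:
            attempt += 1
            sleep(delay)          # honour the throttle before trying again
            delay *= 2
            continue
        if status >= 400:
            raise RuntimeError(f"createAlert failed with HTTP {status}: {text}")
        return status, json.loads(text)


class FakeTransport:
    """Constructed stand-in for the service so the example runs offline.

    Answers 429 for the first `throttle_first` calls, 401 for a wrong key, and
    otherwise models the documented UPSERT rule: one sourceId, one alert id.
    """

    def __init__(self, throttle_first: int = 0):
        self.throttle_left = throttle_first
        self.calls = []
        self.ids_by_source: Dict[str, str] = {}

    def __call__(self, method, path, headers, body):
        self.calls.append((method, path, dict(headers), body))
        if headers.get("X-API-KEY") != EXAMPLE_API_KEY:
            return 401, '{"message":"Authentication failure"}'
        if self.throttle_left > 0:
            self.throttle_left -= 1
            return 429, '{"message":"Too Many Requests"}'
        alert = json.loads(body)
        alert_id = self.ids_by_source.setdefault(
            alert["sourceId"], f"fake-alert-{len(self.ids_by_source) + 1}")  # fake id
        summary = {"id": alert_id, "sourceId": alert["sourceId"],
                   "name": alert["name"], "severity": alert["severity"]}
        return 201, json.dumps(summary)


def demo():
    """Create the page's sample alert twice through a throttling fake; return the evidence."""
    transport = FakeTransport(throttle_first=2)
    alert = {"name": "Email messages containing malware removed after delivery",
             "sourceId": "345ffe9a", "severity": "High",
             "description": "Office 365 removed the infected messages from Exchange Online mailboxes.",
             "sourceUrl": "http://10.0.0.90/MySIEM/api/alerts/345ffe9a"}

    def no_wait(seconds):         # skip real sleeping in the offline demo
        return None

    first = create_alert(transport, EXAMPLE_API_KEY, alert, sleep=no_wait)
    second = create_alert(transport, EXAMPLE_API_KEY, alert, sleep=no_wait)
    return transport, first, second


if __name__ == "__main__":
    t, first, second = demo()
    print(len(t.calls), "requests;", first[1]["id"], "==", second[1]["id"])
```

Against a real tenant, replace the fake with `https_transport("test-api.cyberproof.io")` and a key loaded from a secret store; the client code is unchanged, which is the point of injecting the transport.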
queryAlerts
Code samples
```shell
curl --request GET \
  --url https://test-api.cyberproof.io/api/v1/alerts \
  --header 'Accept: application/json' \
  --header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a'
```

```javascript
fetch("https://test-api.cyberproof.io/api/v1/alerts", {
  "method": "GET",
  "headers": {
    "Accept": "application/json",
    "X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
  }
})
.then(response => {
  console.log(response);
})
.catch(err => {
  console.error(err);
});
```

```python
import http.client

conn = http.client.HTTPSConnection("test-api.cyberproof.io")
headers = {
    'Accept': "application/json",
    'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("GET", "/api/v1/alerts", headers=headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
```

```go
package main

import (
	"fmt"
	"net/http"
	"io/ioutil"
)

func main() {
	url := "https://test-api.cyberproof.io/api/v1/alerts"
	req, _ := http.NewRequest("GET", url, nil)
	req.Header.Add("Accept", "application/json")
	req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
	res, _ := http.DefaultClient.Do(req)
	defer res.Body.Close()
	body, _ := ioutil.ReadAll(res.Body)
	fmt.Println(res)
	fmt.Println(string(body))
}
```

```csharp
var client = new HttpClient();
var request = new HttpRequestMessage
{
    Method = HttpMethod.Get,
    RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/alerts"),
    Headers =
    {
        { "Accept", "application/json" },
        { "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
    },
};
using (var response = await client.SendAsync(request))
{
    response.EnsureSuccessStatusCode();
    var body = await response.Content.ReadAsStringAsync();
    Console.WriteLine(body);
}
```

```java
HttpResponse<String> response = Unirest.get("https://test-api.cyberproof.io/api/v1/alerts")
  .header("Accept", "application/json")
  .header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
  .asString();
```
GET /alerts
*Queries alerts based on filters provided by the client. For synchronization purposes, the updatedAfter filter option should be used.*
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
marker | query | string(byte) | false | A continuation token, used to retrieve the next results page. |
updatedBefore | query | string(date-time) | false | Include only those which were updated before the specified timestamp (exclusive) |
updatedAfter | query | string(date-time) | false | Include only those which were updated after or at the specified timestamp (inclusive) |
detectedBefore | query | string(date-time) | false | Include only those which were detected before the specified timestamp (exclusive) |
detectedAfter | query | string(date-time) | false | Include only those which were detected after the specified timestamp (inclusive) |
status | query | array[string] | false | Filter alerts by status |
severity | query | array[string] | false | Filter alerts by severity |
company | query | string | false | Filter alerts by company |
source | query | string | false | Filters alerts by their source system. |
sourceId | query | string | false | When combined with the source parameter - finds an alert by its source ID (the ID as defined by the SIEM). |
useCase | query | string | false | Filters alerts by their use case. |
observableType | query | string | false | Filters alerts by observable: only alerts linked to the specified observable will be returned. |
observableValue | query | string | false | Filters alerts by observable: only alerts linked to the specified observable will be returned. |
alertType | query | array[string] | false | Filter alerts by their type |
threatType | query | array[string] | false | Filter alerts by threat types |
tags | query | array[string] | false | Filters alerts by tags. |
tagsCondition | query | string | false | If tags contains multiple items, determines the query predicate: |
observableTags | query | array[string] | false | Filters alerts by observable tags. |
observableTagsCondition | query | string | false | If observableTags contains multiple items, determines the query predicate: |
threatActors | query | array[string] | false | Filters alerts by threat actors. |
threatActorsCondition | query | string | false | If threatActors contains multiple items, determines the query predicate: |
malwareTools | query | array[string] | false | Filters alerts by malware and tools. |
malwareToolsCondition | query | string | false | If malwareTools contains multiple items, determines the query predicate: |
Detailed descriptions

source: Filters alerts by their source system. Often combined with the sourceId parameter, in order to find an alert by its external ID.

sourceId: When combined with the source parameter, finds an alert by its source ID (the ID as defined by the SIEM). If sourceId is specified but source is not specified, the query will fail and return 400 (Bad Request).

observableType: Filters alerts by observable: only alerts linked to the specified observable will be returned. This parameter specifies the observable's type, and it must be combined with the observableValue parameter.

observableValue: Filters alerts by observable: only alerts linked to the specified observable will be returned. This parameter specifies the observable's value, and it must be combined with the observableType parameter.

tags: Filters alerts by tags. Note: if more than one tag is specified, the client must specify the tagsCondition (otherwise the server will return 400 Bad Request).

tagsCondition: If tags contains multiple items, determines the query predicate:
- any: returns results which contain at least one of the specified tags
- all: returns results which contain all of the specified tags

observableTags: Filters alerts by observable tags. Note: if more than one tag is specified, the client must specify the observableTagsCondition (otherwise the server will return 400 Bad Request).

observableTagsCondition: If observableTags contains multiple items, determines the query predicate:
- any: returns results which contain at least one of the specified tags
- all: returns results which contain all of the specified tags

threatActors: Filters alerts by threat actors. Note: if more than one value is specified, the client must specify the threatActorsCondition (otherwise the server will return 400 Bad Request).

threatActorsCondition: If threatActors contains multiple items, determines the query predicate:
- any: returns results which contain at least one of the specified values
- all: returns results which contain all of the specified values

malwareTools: Filters alerts by malware and tools. Note: if more than one value is specified, the client must specify the malwareToolsCondition (otherwise the server will return 400 Bad Request).

malwareToolsCondition: If malwareTools contains multiple items, determines the query predicate:
- any: returns results which contain at least one of the specified values
- all: returns results which contain all of the specified values
Enumerated Values
Parameter | Value |
---|---|
tagsCondition | any |
tagsCondition | all |
observableTagsCondition | any |
observableTagsCondition | all |
threatActorsCondition | any |
threatActorsCondition | all |
malwareToolsCondition | any |
malwareToolsCondition | all |
Example responses
200 Response
```json
{
  "nextMarker": "string",
  "results": [
    {
      "id": "5e7c6cf54b832e0018f191ad",
      "source": "QRadar",
      "sourceId": 296,
      "score": 33.2,
      "name": "Windows - Multiple failed logins same user same host",
      "description": "Customer Name - AcmeCo\nAlert Name - Windows - Multiple failed logins same user same host\nDevice Vendor - Microsoft\nDevice Product - Microsoft Windows\nDevice Event Class Id - rule:105\n",
      "severity": "Medium",
      "created": "2019-08-24T14:15:22Z",
      "modified": "2019-08-24T14:15:22Z",
      "detected": "2019-08-24T14:15:22Z",
      "status": "In Incident",
      "sourceUrl": "https://192.168.41.164/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=296",
      "company": "ACME Europe",
      "useCase": "UC216 - EPP - Persistent Malware",
      "tags": ["Cloud-Computing", "Virus", "Phishing"],
      "observableTags": ["Cloud-Computing", "Virus", "Phishing"],
      "categories": ["Ransomware", "Phishing"],
      "detectionRule": "WRONG_PASSWORD_3_ATTEMPTS",
      "killChain": ["Reconnaissance", "Weaponization", "Delivery"],
      "mitreAttacks": ["T1003", "T1001", "T1595.001"],
      "alertType": "CTI-Landscape",
      "threatType": "Phishing"
    }
  ]
}
```
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | A JSON object containing the results and additional information | AlertsQueryResults |
400 | Bad Request | The request is invalid | None |
401 | Unauthorized | Authentication failure | None |
403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
413 | Payload Too Large | The payload sent by the client exceeds the size limits imposed by the server | None |
429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate limiting policy of the server. | None |
500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
503 | Service Unavailable | The server cannot handle the request at the moment | None |
504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
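Added example, not part of the original reference: a Python helper that applies the parameter rules documented above on the client side (sourceId needs source; observableType and observableValue go together; a multi-valued tags, observableTags, threatActors or malwareTools list needs its *Condition set to any or all), then pages through results with updatedAfter and nextMarker the way a synchronization job would, and computes the updatedAfter value for the next run. The repeated-key encoding of array parameters is an assumption (the page does not state how arrays are encoded), and FakeServer with its three constructed pages stands in for GET /alerts so the example runs offline.

```python
from typing import Callable, List, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Multi-valued parameters and the *Condition the page says must accompany several values.
CONDITION_FOR = {"tags": "tagsCondition",
                 "observableTags": "observableTagsCondition",
                 "threatActors": "threatActorsCondition",
                 "malwareTools": "malwareToolsCondition"}


def build_query(**params) -> str:
    """Apply the documented parameter rules client-side, then encode the query string.

    Arrays are sent as repeated keys (an assumption; the page does not state the encoding).
    """
    if "sourceId" in params and "source" not in params:
        raise ValueError("sourceId must be combined with source (server answers 400)")
    if ("observableType" in params) != ("observableValue" in params):
        raise ValueError("observableType and observableValue must be given together")
    pairs = []
    for key, value in params.items():
        if isinstance(value, (list, tuple)):
            condition = CONDITION_FOR.get(key)
            if condition and len(value) > 1 and params.get(condition) not in ("any", "all"):
                raise ValueError(f"{key} has several values; {condition} must be 'any' or 'all'")
            pairs.extend((key, item) for item in value)
        else:
            pairs.append((key, value))
    return urlencode(pairs)


def sync_alerts(fetch_page: Callable[[str], dict], updated_after: str,
                filters: Optional[dict] = None) -> List[dict]:
    """Fetch every alert updated at or after `updated_after`, following nextMarker to the end."""
    params = dict(filters or {})
    params["updatedAfter"] = updated_after
    results: List[dict] = []
    marker = None
    seen_markers = set()
    while True:
        query = build_query(**params, **({"marker": marker} if marker else {}))
        page = fetch_page("/api/v1/alerts?" + query)
        results.extend(page.get("results", []))
        marker = page.get("nextMarker")
        if not marker:
            return results
        if marker in seen_markers:       # defensive: never loop forever on a repeated token
            raise RuntimeError("server repeated a continuation marker")
        seen_markers.add(marker)


def next_checkpoint(alerts: List[dict], previous: str) -> str:
    """updatedAfter for the next run: the latest `modified` seen, or the previous value.

    Timestamps are compared as strings, which is valid for the uniform "...Z" form on the page.
    """
    return max([a["modified"] for a in alerts] + [previous])


def fake_alert(source_id: int, modified: str) -> dict:
    """Constructed AlertSummary-like record using the page's field names."""
    return {"id": f"fake-{source_id}", "source": "QRadar", "sourceId": source_id,
            "name": f"constructed alert {source_id}", "severity": "Medium",
            "modified": modified, "status": "In Incident"}


class FakeServer:
    """Constructed stand-in for GET /alerts: three pages chained by nextMarker."""

    def __init__(self):
        self.pages = {
            None: {"nextMarker": "m1", "results": [fake_alert(1, "2019-08-24T14:15:22Z"),
                                                   fake_alert(2, "2019-08-24T14:16:00Z")]},
            "m1": {"nextMarker": "m2", "results": [fake_alert(3, "2019-08-24T14:20:00Z")]},
            "m2": {"results": [fake_alert(4, "2019-08-24T14:25:00Z")]},
        }
        self.requests: List[str] = []

    def __call__(self, path: str) -> dict:
        self.requests.append(path)
        marker = parse_qs(urlparse(path).query).get("marker", [None])[0]
        return self.pages[marker]


if __name__ == "__main__":
    server = FakeServer()
    alerts = sync_alerts(server, "2019-08-24T00:00:00Z", {"severity": ["Medium", "High"]})
    print(len(alerts), "alerts; next updatedAfter =", next_checkpoint(alerts, "2019-08-24T00:00:00Z"))
```

Because updatedAfter is inclusive, re-using the last `modified` value as the next checkpoint re-fetches that one alert rather than risking a gap; a consumer should treat alerts by id and tolerate the overlap.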
getAlert
Code samples
```shell
curl --request GET \
  --url https://test-api.cyberproof.io/api/v1/alerts/5a9e19eebdee5a000a8fe060 \
  --header 'Accept: application/json' \
  --header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a'
```

```javascript
fetch("https://test-api.cyberproof.io/api/v1/alerts/5a9e19eebdee5a000a8fe060", {
  "method": "GET",
  "headers": {
    "Accept": "application/json",
    "X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
  }
})
.then(response => {
  console.log(response);
})
.catch(err => {
  console.error(err);
});
```

```python
import http.client

conn = http.client.HTTPSConnection("test-api.cyberproof.io")
headers = {
    'Accept': "application/json",
    'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("GET", "/api/v1/alerts/5a9e19eebdee5a000a8fe060", headers=headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
```

```go
package main

import (
	"fmt"
	"net/http"
	"io/ioutil"
)

func main() {
	url := "https://test-api.cyberproof.io/api/v1/alerts/5a9e19eebdee5a000a8fe060"
	req, _ := http.NewRequest("GET", url, nil)
	req.Header.Add("Accept", "application/json")
	req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
	res, _ := http.DefaultClient.Do(req)
	defer res.Body.Close()
	body, _ := ioutil.ReadAll(res.Body)
	fmt.Println(res)
	fmt.Println(string(body))
}
```

```csharp
var client = new HttpClient();
var request = new HttpRequestMessage
{
    Method = HttpMethod.Get,
    RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/alerts/5a9e19eebdee5a000a8fe060"),
    Headers =
    {
        { "Accept", "application/json" },
        { "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
    },
};
using (var response = await client.SendAsync(request))
{
    response.EnsureSuccessStatusCode();
    var body = await response.Content.ReadAsStringAsync();
    Console.WriteLine(body);
}
```

```java
HttpResponse<String> response = Unirest.get("https://test-api.cyberproof.io/api/v1/alerts/5a9e19eebdee5a000a8fe060")
  .header("Accept", "application/json")
  .header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
  .asString();
```
GET /alerts/{alert_id}
Returns a single alert
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
alert_id | path | string | true | The unique ID of the alert, as defined by CDC |
Example responses
200 Response
```json
{
  "id": "5e7c6cf54b832e0018f191ad",
  "source": "QRadar",
  "sourceId": 296,
  "score": 33.2,
  "name": "Windows - Multiple failed logins same user same host",
  "description": "Customer Name - AcmeCo\nAlert Name - Windows - Multiple failed logins same user same host\nDevice Vendor - Microsoft\nDevice Product - Microsoft Windows\nDevice Event Class Id - rule:105\n",
  "severity": "Medium",
  "created": "2019-08-24T14:15:22Z",
  "modified": "2019-08-24T14:15:22Z",
  "detected": "2019-08-24T14:15:22Z",
  "status": "In Incident",
  "sourceUrl": "https://192.168.41.164/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=296",
  "company": "ACME Europe",
  "useCase": "UC216 - EPP - Persistent Malware",
  "tags": ["Cloud-Computing", "Virus", "Phishing"],
  "observableTags": ["Cloud-Computing", "Virus", "Phishing"],
  "categories": ["Ransomware", "Phishing"],
  "detectionRule": "WRONG_PASSWORD_3_ATTEMPTS",
  "killChain": ["Reconnaissance", "Weaponization", "Delivery"],
  "mitreAttacks": ["T1003", "T1001", "T1595.001"],
  "alertType": "CTI-Landscape",
  "threatType": "Phishing",
  "raw": {
    "attributeInitializationInProgress": false,
    "createdTime": {
      "day": { "numberInt": "18" },
      "hour": { "numberInt": "16" },
      "milliSecond": { "numberInt": "711" },
      "minute": { "numberInt": "10" },
      "month": { "numberInt": "6" },
      "second": { "numberInt": "47" },
      "timezoneID": "Israel",
      "year": { "numberInt": "2017" }
    },
    "createdTimestamp": { "numberDouble": "1500383447711" },
    "deprecated": false,
    "description": "ACME",
    "disabled": false,
    "inCache": true,
    "inactive": false,
    "initialized": true,
    "isAdditionalLoaded": false,
    "localID": { "numberDouble": "30064798760" },
    "modificationCount": { "numberInt": "1" }
  },
  "cdcUrl": "https://acme.cyberproof.io/home/alerts/alert/5e7c6cf54b832e0018f191ad",
  "threatActors": ["Cyber Criminals", "Anonymous"],
  "malwareTools": ["TrickBot", "IcedID", "Cobalt Strike"],
  "ctiSourceUrls": ["https://blog.malwarebytes.com/someTopic"],
  "recommendations": "Implement the attached IOCs in your security systems."
}
```
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | success | Alert |
400 | Bad Request | The request is invalid | None |
401 | Unauthorized | Authentication failure | None |
403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
404 | Not Found | The requested resource was not found | None |
429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate limiting policy of the server. | None |
500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
503 | Service Unavailable | The server cannot handle the request at the moment | None |
504 | Gateway Time-out | The API server, acting as a gateway, did not get a response from the underlying data store within the allotted time | None |
Response Headers
Status | Header | Type | Format | Description |
---|---|---|---|---|
200 | ETag | string | | Includes an identifier for a specific version of a resource. Commonly used as the basis for conditional GETs and conditional updates. |
queryAlertEvidence
Code samples
curl --request GET \
--url https://test-api.cyberproof.io/api/v1/alerts/5a9e19eebdee5a000a8fe060/evidence \
--header 'Accept: application/json' \
--header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a'
fetch("https://test-api.cyberproof.io/api/v1/alerts/5a9e19eebdee5a000a8fe060/evidence", {
"method": "GET",
"headers": {
"Accept": "application/json",
"X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
}
})
.then(response => {
console.log(response);
})
.catch(err => {
console.error(err);
});
import http.client
conn = http.client.HTTPSConnection("test-api.cyberproof.io")
headers = {
'Accept': "application/json",
'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("GET", "/api/v1/alerts/5a9e19eebdee5a000a8fe060/evidence", headers=headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
package main

import (
	"fmt"
	"io"
	"log"
	"net/http"
)

func main() {
	url := "https://test-api.cyberproof.io/api/v1/alerts/5a9e19eebdee5a000a8fe060/evidence"
	req, err := http.NewRequest("GET", url, nil)
	if err != nil {
		log.Fatal(err)
	}
	req.Header.Add("Accept", "application/json")
	req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
	res, err := http.DefaultClient.Do(req)
	if err != nil {
		log.Fatal(err) // res is nil on a transport error; closing its body would panic
	}
	defer res.Body.Close()
	body, err := io.ReadAll(res.Body) // io.ReadAll replaces ioutil.ReadAll, deprecated since Go 1.16
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(res.Status)
	fmt.Println(string(body))
}
var client = new HttpClient();
var request = new HttpRequestMessage
{
Method = HttpMethod.Get,
RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/alerts/5a9e19eebdee5a000a8fe060/evidence"),
Headers =
{
{ "Accept", "application/json" },
{ "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
},
};
using (var response = await client.SendAsync(request))
{
response.EnsureSuccessStatusCode();
var body = await response.Content.ReadAsStringAsync();
Console.WriteLine(body);
}
HttpResponse<String> response = Unirest.get("https://test-api.cyberproof.io/api/v1/alerts/5a9e19eebdee5a000a8fe060/evidence")
.header("Accept", "application/json")
.header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
.asString();
GET /alerts/{alert_id}/evidence
Returns information about the evidence associated with this alert.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
alert_id | path | string | true | The unique ID of the alert, as defined by CDC |
marker | query | string(byte) | false | A continuation token, used to retrieve the next results page. |
include | query | array[string] | false | Specifies which additional fields to include in the query results: |
Detailed descriptions
include: Specifies which additional fields to include in the query results:
- data: includes the evidence metadata.
Enumerated Values
Parameter | Value |
---|---|
include | data |
Example responses
200 Response
{
"nextMarker": "string",
"results": [
{
"id": "5aa4d8fcbdee5a000a911882",
"type": "MITRE_ATTACK_ADDED",
"reported": "2019-08-24T14:15:22Z",
"created": "2019-08-24T14:15:22Z",
"caption": "Severity changed",
"description": "System Admin has changed severity from Low to Medium",
"messageId": "string",
"messageCdcUrl": "https://acme.cyberproof.io/home/incidents/5ea71bb363f6c6001707663b/evidence/5ea71bb363f6c6001707254a",
"externalId": "345ffe9a",
"data": {}
}
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | success | EvidenceQueryResults |
400 | Bad Request | The request is invalid | None |
401 | Unauthorized | Authentication failure | None |
403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
404 | Not Found | The requested resource was not found | None |
413 | Payload Too Large | The payload sent by the client exceeds the size limits imposed by the server | None |
429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate limiting policy of the server. | None |
500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
503 | Service Unavailable | The server cannot handle the request at the moment | None |
504 | Gateway Time-out | The API server, acting as a gateway, did not get a response from the underlying data store within the allotted time | None |
createAlertEvidence
Code samples
curl --request POST \
--url https://test-api.cyberproof.io/api/v1/alerts/5a9e19eebdee5a000a8fe060/evidence \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a' \
--data '{"reported":"2019-08-24T14:15:22Z","caption":"Severity changed","messageId":"string","description":"System Admin has changed severity from Low to Medium","externalId":"345ffe9a"}'
fetch("https://test-api.cyberproof.io/api/v1/alerts/5a9e19eebdee5a000a8fe060/evidence", {
"method": "POST",
"headers": {
"Content-Type": "application/json",
"Accept": "application/json",
"X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
},
"body": "{\"reported\":\"2019-08-24T14:15:22Z\",\"caption\":\"Severity changed\",\"messageId\":\"string\",\"description\":\"System Admin has changed severity from Low to Medium\",\"externalId\":\"345ffe9a\"}"
})
.then(response => {
console.log(response);
})
.catch(err => {
console.error(err);
});
import http.client
conn = http.client.HTTPSConnection("test-api.cyberproof.io")
payload = "{\"reported\":\"2019-08-24T14:15:22Z\",\"caption\":\"Severity changed\",\"messageId\":\"string\",\"description\":\"System Admin has changed severity from Low to Medium\",\"externalId\":\"345ffe9a\"}"
headers = {
'Content-Type': "application/json",
'Accept': "application/json",
'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("POST", "/api/v1/alerts/5a9e19eebdee5a000a8fe060/evidence", payload, headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
package main

import (
	"fmt"
	"io"
	"log"
	"net/http"
	"strings"
)

func main() {
	url := "https://test-api.cyberproof.io/api/v1/alerts/5a9e19eebdee5a000a8fe060/evidence"
	payload := strings.NewReader("{\"reported\":\"2019-08-24T14:15:22Z\",\"caption\":\"Severity changed\",\"messageId\":\"string\",\"description\":\"System Admin has changed severity from Low to Medium\",\"externalId\":\"345ffe9a\"}")
	req, err := http.NewRequest("POST", url, payload)
	if err != nil {
		log.Fatal(err)
	}
	req.Header.Add("Content-Type", "application/json")
	req.Header.Add("Accept", "application/json")
	req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
	res, err := http.DefaultClient.Do(req)
	if err != nil {
		log.Fatal(err) // res is nil on a transport error; closing its body would panic
	}
	defer res.Body.Close()
	body, err := io.ReadAll(res.Body) // io.ReadAll replaces ioutil.ReadAll, deprecated since Go 1.16
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(res.Status)
	fmt.Println(string(body))
}
var client = new HttpClient();
var request = new HttpRequestMessage
{
Method = HttpMethod.Post,
RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/alerts/5a9e19eebdee5a000a8fe060/evidence"),
Headers =
{
{ "Accept", "application/json" },
{ "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
},
Content = new StringContent("{\"reported\":\"2019-08-24T14:15:22Z\",\"caption\":\"Severity changed\",\"messageId\":\"string\",\"description\":\"System Admin has changed severity from Low to Medium\",\"externalId\":\"345ffe9a\"}")
{
Headers =
{
ContentType = new MediaTypeHeaderValue("application/json")
}
}
};
using (var response = await client.SendAsync(request))
{
response.EnsureSuccessStatusCode();
var body = await response.Content.ReadAsStringAsync();
Console.WriteLine(body);
}
HttpResponse<String> response = Unirest.post("https://test-api.cyberproof.io/api/v1/alerts/5a9e19eebdee5a000a8fe060/evidence")
.header("Content-Type", "application/json")
.header("Accept", "application/json")
.header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
.body("{\"reported\":\"2019-08-24T14:15:22Z\",\"caption\":\"Severity changed\",\"messageId\":\"string\",\"description\":\"System Admin has changed severity from Low to Medium\",\"externalId\":\"345ffe9a\"}")
.asString();
POST /alerts/{alert_id}/evidence
Creates a new alert evidence
Body parameter
{
"reported": "2019-08-24T14:15:22Z",
"caption": "Severity changed",
"messageId": "string",
"description": "System Admin has changed severity from Low to Medium",
"externalId": "345ffe9a"
}
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
alert_id | path | string | true | The unique ID of the alert, as defined by CDC |
body | body | CreateEvidenceRequest | true | none |
Example responses
201 Response
{
"id": "5aa4d8fcbdee5a000a911882",
"type": "MITRE_ATTACK_ADDED",
"reported": "2019-08-24T14:15:22Z",
"created": "2019-08-24T14:15:22Z",
"caption": "Severity changed",
"description": "System Admin has changed severity from Low to Medium",
"messageId": "string",
"messageCdcUrl": "https://acme.cyberproof.io/home/incidents/5ea71bb363f6c6001707663b/evidence/5ea71bb363f6c6001707254a",
"externalId": "345ffe9a",
"data": {}
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
201 | Created | The evidence has been created | Evidence |
400 | Bad Request | The request is invalid | None |
401 | Unauthorized | Authentication failure | None |
403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
404 | Not Found | The requested resource was not found | None |
409 | Conflict | The request conflicts with the current state of the resource. | None |
413 | Payload Too Large | The payload sent by the client exceeds the size limits imposed by the server | None |
429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate limiting policy of the server. | None |
500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
503 | Service Unavailable | The server cannot handle the request at the moment | None |
504 | Gateway Time-out | The API server, acting as a gateway, did not get a response from the underlying data store within the allotted time | None |
incidents
Incidents APIs
queryIncidents
Code samples
curl --request GET \
--url https://test-api.cyberproof.io/api/v1/incidents \
--header 'Accept: application/json' \
--header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a'
fetch("https://test-api.cyberproof.io/api/v1/incidents", {
"method": "GET",
"headers": {
"Accept": "application/json",
"X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
}
})
.then(response => {
console.log(response);
})
.catch(err => {
console.error(err);
});
import http.client
conn = http.client.HTTPSConnection("test-api.cyberproof.io")
headers = {
'Accept': "application/json",
'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("GET", "/api/v1/incidents", headers=headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
package main

import (
	"fmt"
	"io"
	"log"
	"net/http"
)

func main() {
	url := "https://test-api.cyberproof.io/api/v1/incidents"
	req, err := http.NewRequest("GET", url, nil)
	if err != nil {
		log.Fatal(err)
	}
	req.Header.Add("Accept", "application/json")
	req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
	res, err := http.DefaultClient.Do(req)
	if err != nil {
		log.Fatal(err) // res is nil on a transport error; closing its body would panic
	}
	defer res.Body.Close()
	body, err := io.ReadAll(res.Body) // io.ReadAll replaces ioutil.ReadAll, deprecated since Go 1.16
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(res.Status)
	fmt.Println(string(body))
}
var client = new HttpClient();
var request = new HttpRequestMessage
{
Method = HttpMethod.Get,
RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/incidents"),
Headers =
{
{ "Accept", "application/json" },
{ "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
},
};
using (var response = await client.SendAsync(request))
{
response.EnsureSuccessStatusCode();
var body = await response.Content.ReadAsStringAsync();
Console.WriteLine(body);
}
HttpResponse<String> response = Unirest.get("https://test-api.cyberproof.io/api/v1/incidents")
.header("Accept", "application/json")
.header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
.asString();
GET /incidents
Queries incidents based on filters provided by the client. For synchronization purposes, the updatedAfter filter option should be used.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
marker | query | string(byte) | false | A continuation token, used to retrieve the next results page. |
externalId | query | string | false | Filters according to the specified external ID. Used in conjunction with the externalSystem parameter. |
externalSystem | query | string | false | Identifies the external system to which the filter refers. |
include | query | array[string] | false | Specifies which additional fields to include in the query results: |
status | query | array[string] | false | Filters incidents by status |
pendingForGroup | query | string | false | Return only incidents that are pending redirection to the specified group. |
group | query | string | false | Filters incidents by the group (tier) which currently owns them (L1, L2, Customer) |
updatedBefore | query | string(date-time) | false | Include only those which were updated before the specified timestamp (exclusive) |
updatedAfter | query | string(date-time) | false | Include only those which were updated after or at the specified timestamp (inclusive) |
observableType | query | string | false | Filters incidents by observable: only incidents linked to the specified observable will be returned. |
observableValue | query | string | false | Filters incidents by observable: only incidents linked to the specified observable will be returned. |
tags | query | array[string] | false | Filters incidents by tags. |
tagsCondition | query | string | false | If tags contains multiple items, determines the query predicate: |
Detailed descriptions
externalId: Filters according to the specified external ID. Used in conjunction with the externalSystem parameter. If specified, then externalSystem MUST be specified as well.
externalSystem: Identifies the external system to which the filter refers. Used in conjunction with the externalId parameter:
- If externalId is also specified, the filter will return only items which have the specified externalId at the specified externalSystem.
- If externalId is not specified, the filter will return all items which have some external ID at the specified externalSystem.
include: Specifies which additional fields to include in the query results:
- name: includes the incident name.
- description: includes the incident description.
- tags: includes the incident tags.
- externalIds: includes the external IDs associated with the incident, which the caller has permission to access.
- company: includes the company associated with the incident.
observableType: Filters incidents by observable: only incidents linked to the specified observable will be returned. This parameter specifies the observable's type, and it must be combined with the observableValue parameter.
observableValue: Filters incidents by observable: only incidents linked to the specified observable will be returned. This parameter specifies the observable's value, and it must be combined with the observableType parameter.
tags: Filters incidents by tags. Note: if more than one tag is specified, the client must also specify tagsCondition (otherwise the server will return 400 Bad Request).
tagsCondition: If tags contains multiple items, determines the query predicate:
- any: returns results which contain at least one of the specified tags
- all: returns results which contain all of the specified tags
Enumerated Values
Parameter | Value |
---|---|
include | name |
include | description |
include | tags |
include | externalIds |
include | company |
include | redirectionReason |
tagsCondition | any |
tagsCondition | all |
Example responses
200 Response
{
"nextMarker": "string",
"results": [
{
"id": "string",
"key": "CDC-20191208-00046",
"name": "Web Proxy - Execution file download",
"description": "Customer Name - ACME Inc<br>Alert Name - Web Proxy - Execution file download<br>Device Product - Web Gateway<br>Category Outcome - /Failure<br>\n",
"created": "2019-08-24T14:15:22Z",
"updated": "2019-08-24T14:15:22Z",
"type": "DDOS",
"status": "Closed",
"priority": "Low",
"group": "L1",
"externalIds": [
{
"system": "ServiceNow",
"id": "40385fee"
}
],
"tags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"company": "ACME Europe",
"pendingForGroup": "string",
"redirectionReason": "string"
}
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | A JSON object containing the results and additional information | IncidentsQueryResults |
400 | Bad Request | The request is invalid | None |
401 | Unauthorized | Authentication failure | None |
403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
413 | Payload Too Large | The payload sent by the client exceeds the size limits imposed by the server | None |
429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate limiting policy of the server. | None |
500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
503 | Service Unavailable | The server cannot handle the request at the moment | None |
504 | Gateway Time-out | The API server, acting as a gateway, did not get a response from the underlying data store within the allotted time | None |
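The following Python client is an added example, not code from the CyberProof API reference or any CyberProof SDK. It puts the queryIncidents rules above together: it enforces the documented parameter couplings client-side (tagsCondition with more than one tag, externalId with externalSystem, observableType with observableValue) so the request never earns a 400, follows nextMarker until the server stops returning one, backs off on 429, and keeps an updatedAfter watermark for the next sync cycle. Because updatedAfter is inclusive, the incident that set the previous watermark comes back on the next cycle, so results are de-duplicated on the (id, updated) pair rather than on id alone, which would wrongly drop genuinely re-updated incidents. Assumptions this page does not state: array parameters are sent as repeated keys (include=name&include=tags), a 429 may carry a standard Retry-After header, and the key is read from a CYBERPROOF_API_KEY environment variable. The demo at the bottom runs against a constructed in-memory stand-in, not the live API.

```python
"""Added example, not CyberProof's own code: incremental incident sync over
GET /incidents using the updatedAfter filter and marker pagination.
Assumptions not on the page: array parameters go as repeated keys, a 429 may
carry a Retry-After header, and the key comes from CYBERPROOF_API_KEY."""
import json
import os
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Iterator, Optional


class QueryError(ValueError):
    """Client-side rejection of parameter combinations the server answers with 400."""


def build_incident_query(updated_after=None, *, tags=(), tags_condition=None, include=(),
                         status=(), external_id=None, external_system=None,
                         observable_type=None, observable_value=None):
    """Encode GET /incidents parameters, enforcing the documented coupling rules."""
    if len(tags) > 1 and tags_condition not in ("any", "all"):
        raise QueryError("tagsCondition (any|all) is required with more than one tag")
    if external_id is not None and external_system is None:
        raise QueryError("externalId requires externalSystem")
    if (observable_type is None) != (observable_value is None):
        raise QueryError("observableType and observableValue must be used together")
    params = [("updatedAfter", updated_after)] if updated_after else []
    params += [("tags", t) for t in tags] + [("include", f) for f in include]
    params += [("status", s) for s in status]
    for key, val in (("tagsCondition", tags_condition), ("externalId", external_id),
                     ("externalSystem", external_system), ("observableType", observable_type),
                     ("observableValue", observable_value)):
        if val is not None:
            params.append((key, val))
    return params


def urllib_transport(base_url: str, api_key: Optional[str] = None):
    """Real transport: GET base_url+path?params with the X-API-KEY header (key from env by default)."""
    api_key = api_key or os.environ["CYBERPROOF_API_KEY"]

    def send(path, params):
        url = f"{base_url}{path}?{urllib.parse.urlencode(params)}"
        req = urllib.request.Request(url, headers={"Accept": "application/json", "X-API-KEY": api_key})
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return resp.status, dict(resp.headers), json.load(resp)
        except urllib.error.HTTPError as err:  # 4xx/5xx: hand the status back to the caller
            return err.code, dict(err.headers), {}
    return send


def iter_incidents(send, params: list, max_retries: int = 5) -> Iterator[dict]:
    """Yield every incident, following nextMarker; back off and retry on 429."""
    marker = None
    while True:
        page = params + ([("marker", marker)] if marker else [])
        for attempt in range(max_retries):
            status, headers, body = send("/incidents", page)
            if status != 429:
                break
            time.sleep(float(headers.get("Retry-After", 2 ** attempt)))  # exponential fallback
        if status != 200:
            raise RuntimeError(f"GET /incidents failed: HTTP {status}")
        yield from body.get("results", [])
        marker = body.get("nextMarker")
        if not marker:
            return


def sync_incidents(send, since: Optional[str], seen: set):
    """One sync cycle: returns (new incidents, new watermark). updatedAfter is inclusive,
    so (id, updated) pairs already seen are skipped; 'Z' timestamps compare as strings."""
    params = build_incident_query(since, include=("name", "tags", "externalIds"))
    new, watermark = [], since
    for inc in iter_incidents(send, params):
        key = (inc["id"], inc["updated"])
        if key in seen:
            continue
        seen.add(key)
        new.append(inc)
        if watermark is None or inc["updated"] > watermark:
            watermark = inc["updated"]
    return new, watermark


# Constructed in-memory stand-in for the API: two pages, and the first call is throttled.
DEMO_PAGES = {
    None: {"nextMarker": "m1", "results": [
        {"id": "a1", "key": "CDC-20191208-00046", "updated": "2019-08-24T14:15:22Z"},
        {"id": "a2", "key": "CDC-20191208-00047", "updated": "2019-08-25T09:00:00Z"}]},
    "m1": {"results": [{"id": "a3", "key": "CDC-20191208-00048", "updated": "2019-08-26T10:30:00Z"}]},
}


def fake_transport(pages=DEMO_PAGES):
    calls = []

    def send(path, params):
        calls.append(params)
        if len(calls) == 1:
            return 429, {"Retry-After": "0"}, {}
        return 200, {}, pages[dict(params).get("marker")]
    return send, calls


def demo():
    send, calls = fake_transport()
    seen = {("a1", "2019-08-24T14:15:22Z")}  # the watermark item from the previous cycle
    new, watermark = sync_incidents(send, "2019-08-24T14:15:22Z", seen)
    return [i["id"] for i in new], watermark, len(calls)


if __name__ == "__main__":
    print(demo())
```

To run it against a tenant, replace `fake_transport()` with `urllib_transport("https://{tenant}.api.cyberproof.io/api/v1")` and persist `watermark` and the `seen` pairs for the latest timestamp between runs; everything older than the watermark can be dropped from `seen`.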
getIncident
Code samples
curl --request GET \
--url https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060 \
--header 'Accept: application/json' \
--header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a'
fetch("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060", {
"method": "GET",
"headers": {
"Accept": "application/json",
"X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
}
})
.then(response => {
console.log(response);
})
.catch(err => {
console.error(err);
});
import http.client
conn = http.client.HTTPSConnection("test-api.cyberproof.io")
headers = {
'Accept': "application/json",
'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("GET", "/api/v1/incidents/5a9e19eebdee5a000a8fe060", headers=headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
package main

import (
	"fmt"
	"io"
	"log"
	"net/http"
)

func main() {
	url := "https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060"
	req, err := http.NewRequest("GET", url, nil)
	if err != nil {
		log.Fatal(err)
	}
	req.Header.Add("Accept", "application/json")
	req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
	res, err := http.DefaultClient.Do(req)
	if err != nil {
		log.Fatal(err) // res is nil on a transport error; closing its body would panic
	}
	defer res.Body.Close()
	body, err := io.ReadAll(res.Body) // io.ReadAll replaces ioutil.ReadAll, deprecated since Go 1.16
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(res.Status)
	fmt.Println(string(body))
}
var client = new HttpClient();
var request = new HttpRequestMessage
{
Method = HttpMethod.Get,
RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060"),
Headers =
{
{ "Accept", "application/json" },
{ "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
},
};
using (var response = await client.SendAsync(request))
{
response.EnsureSuccessStatusCode();
var body = await response.Content.ReadAsStringAsync();
Console.WriteLine(body);
}
HttpResponse<String> response = Unirest.get("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060")
.header("Accept", "application/json")
.header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
.asString();
GET /incidents/{incident_id}
Returns a single incident
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
incident_id | path | string | true | The unique ID of the incident |
Example responses
200 Response
{
"id": "string",
"key": "CDC-20191208-00046",
"name": "Web Proxy - Execution file download",
"description": "Customer Name - ACME Inc<br>Alert Name - Web Proxy - Execution file download<br>Device Product - Web Gateway<br>Category Outcome - /Failure<br>\n",
"created": "2019-08-24T14:15:22Z",
"updated": "2019-08-24T14:15:22Z",
"type": "DDOS",
"status": "Closed",
"priority": "Low",
"group": "L1",
"externalIds": [
{
"system": "ServiceNow",
"id": "40385fee"
}
],
"tags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"company": "ACME Europe",
"pendingForGroup": "string",
"redirectionReason": "string",
"closingComment": "string",
"closed": "2019-08-24T14:15:22Z",
"cdcUrl": "https://acme.cyberproof.io/home/incidents/incident/5ea71bb363f6c6001707663b"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | success | Incident |
400 | Bad Request | The request is invalid | None |
401 | Unauthorized | Authentication failure | None |
403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
404 | Not Found | The requested resource was not found | None |
429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate limiting policy of the server. | None |
500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
503 | Service Unavailable | The server cannot handle the request at the moment | None |
504 | Gateway Time-out | The API server, acting as a gateway, did not get a response from the underlying data store within the allotted time | None |
Response Headers
Status | Header | Type | Format | Description |
---|---|---|---|---|
200 | ETag | string | | Includes an identifier for a specific version of a resource. Commonly used as the basis for conditional GETs and conditional updates. |
updateIncident
Code samples
curl --request PATCH \
--url https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060 \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'If-Match: string' \
--header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a' \
--data '{"priority":"Low","tags":["Cloud-Computing","Virus","Phishing"],"company":"string"}'
fetch("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060", {
"method": "PATCH",
"headers": {
"Content-Type": "application/json",
"Accept": "application/json",
"If-Match": "string",
"X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
},
"body": "{\"priority\":\"Low\",\"tags\":[\"Cloud-Computing\",\"Virus\",\"Phishing\"],\"company\":\"string\"}"
})
.then(response => {
console.log(response);
})
.catch(err => {
console.error(err);
});
import http.client
conn = http.client.HTTPSConnection("test-api.cyberproof.io")
payload = "{\"priority\":\"Low\",\"tags\":[\"Cloud-Computing\",\"Virus\",\"Phishing\"],\"company\":\"string\"}"
headers = {
'Content-Type': "application/json",
'Accept': "application/json",
'If-Match': "string",
'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("PATCH", "/api/v1/incidents/5a9e19eebdee5a000a8fe060", payload, headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
package main

import (
	"fmt"
	"io"
	"log"
	"net/http"
	"strings"
)

func main() {
	url := "https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060"
	payload := strings.NewReader("{\"priority\":\"Low\",\"tags\":[\"Cloud-Computing\",\"Virus\",\"Phishing\"],\"company\":\"string\"}")
	req, err := http.NewRequest("PATCH", url, payload)
	if err != nil {
		log.Fatal(err)
	}
	req.Header.Add("Content-Type", "application/json")
	req.Header.Add("Accept", "application/json")
	req.Header.Add("If-Match", "string") // use the ETag returned by the preceding GET
	req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
	res, err := http.DefaultClient.Do(req)
	if err != nil {
		log.Fatal(err) // res is nil on a transport error; closing its body would panic
	}
	defer res.Body.Close()
	body, err := io.ReadAll(res.Body) // io.ReadAll replaces ioutil.ReadAll, deprecated since Go 1.16
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(res.Status)
	fmt.Println(string(body))
}
var client = new HttpClient();
var request = new HttpRequestMessage
{
Method = HttpMethod.Patch,
RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060"),
Headers =
{
{ "Accept", "application/json" },
{ "If-Match", "string" },
{ "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
},
Content = new StringContent("{\"priority\":\"Low\",\"tags\":[\"Cloud-Computing\",\"Virus\",\"Phishing\"],\"company\":\"string\"}")
{
Headers =
{
ContentType = new MediaTypeHeaderValue("application/json")
}
}
};
using (var response = await client.SendAsync(request))
{
response.EnsureSuccessStatusCode();
var body = await response.Content.ReadAsStringAsync();
Console.WriteLine(body);
}
HttpResponse<String> response = Unirest.patch("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060")
.header("Content-Type", "application/json")
.header("Accept", "application/json")
.header("If-Match", "string")
.header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
.body("{\"priority\":\"Low\",\"tags\":[\"Cloud-Computing\",\"Virus\",\"Phishing\"],\"company\":\"string\"}")
.asString();
PATCH /incidents/{incident_id}
Updates an incident
A JSON object with details of the incident.
NOTE: The maximum request size is 100 KB.
NOTE: If tags is included, the incident's existing tags are replaced with the specified ones.
Body parameter
{
"priority": "Low",
"tags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"company": "string"
}
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
incident_id | path | string | true | The unique ID of the incident |
If-Match | header | string | false | Enables conditional modification - the resource will be modified only if its current etag matches the value specified in this header, otherwise - 412 "Precondition Failed" will be returned to the client |
body | body | UpdateIncidentRequest | true | none |
Example responses
200 Response
{
"id": "string",
"key": "CDC-20191208-00046",
"name": "Web Proxy - Execution file download",
"description": "Customer Name - ACME Inc<br>Alert Name - Web Proxy - Execution file download<br>Device Product - Web Gateway<br>Category Outcome - /Failure<br>\n",
"created": "2019-08-24T14:15:22Z",
"updated": "2019-08-24T14:15:22Z",
"type": "DDOS",
"status": "Closed",
"priority": "Low",
"group": "L1",
"externalIds": [
{
"system": "ServiceNow",
"id": "40385fee"
}
],
"tags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"company": "ACME Europe",
"pendingForGroup": "string",
"redirectionReason": "string",
"closingComment": "string",
"closed": "2019-08-24T14:15:22Z",
"cdcUrl": "https://acme.cyberproof.io/home/incidents/incident/5ea71bb363f6c6001707663b"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | The incident was updated | Incident |
400 | Bad Request | The request is invalid | None |
401 | Unauthorized | Authentication failure | None |
403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
404 | Not Found | The requested resource was not found | None |
409 | Conflict | The attempted operation conflicts with the current state of the incident | None |
412 | Precondition Failed | A precondition specified by the client was not met. This occurs if an etag was specified in an If-Match header which doesn't match the etag found in the underlying data store | None |
413 | Payload Too Large | The payload sent by the client exceeds the size limits imposed by the server | None |
429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate limiting policy of the server. | None |
500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
503 | Service Unavailable | The server cannot handle the request at the moment | None |
504 | Gateway Time-out | The API server, acting as a gateway, did not get a response from the underlying data store within the allotted time | None |
Response Headers
Status | Header | Type | Format | Description |
---|---|---|---|---|
200 | ETag | string | | Includes an identifier for a specific version of a resource. Commonly used as the basis for conditional GETs and conditional updates. |
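As an added example (not CyberProof's own code), the Python routine below shows the read-modify-write cycle that the ETag and If-Match rows above describe: GET the incident, echo its ETag in If-Match on the PATCH, and on 412 re-read and rebuild the patch instead of overwriting a change someone else made in between. This matters most for tags, which PATCH replaces wholesale, so a patch built from a stale copy silently drops tags added by another analyst. It also refuses bodies over the documented 100 KB limit before sending. `send(method, path, headers, body)` is any callable returning (status, headers, json), for instance one built on urllib; the demo uses a constructed in-memory stand-in that simulates a concurrent edit, and its etag format ("v1", "v2") is a placeholder I chose, not the server's.

```python
"""Added example, not CyberProof's own code: optimistic-concurrency update of an
incident via the ETag from GET /incidents/{id} and If-Match on PATCH, retrying on 412.
send(method, path, headers, body) is any callable returning (status, headers, json)."""
import json

MAX_PATCH_BYTES = 100 * 1024  # documented maximum request size for PATCH /incidents/{id}


def conditional_update(send, incident_id, mutate, max_attempts=3):
    """Read-modify-write: GET the incident, build the PATCH body from its current state
    via mutate(incident) -> dict, send it with If-Match set to the ETag just read; on 412
    re-read and retry. Returns (updated incident, attempts used)."""
    path = f"/incidents/{incident_id}"
    for attempt in range(1, max_attempts + 1):
        status, hdrs, incident = send("GET", path, {"Accept": "application/json"}, None)
        if status != 200:
            raise RuntimeError(f"GET {path}: HTTP {status}")
        body = json.dumps(mutate(incident)).encode()
        if len(body) > MAX_PATCH_BYTES:
            raise ValueError("PATCH body exceeds the documented 100 KB limit")
        headers = {"Accept": "application/json", "Content-Type": "application/json"}
        if "ETag" in hdrs:
            headers["If-Match"] = hdrs["ETag"]  # echoed verbatim, quotes included
        status, hdrs, updated = send("PATCH", path, headers, body)
        if status == 200:
            return updated, attempt
        if status != 412:
            raise RuntimeError(f"PATCH {path}: HTTP {status}")
        # 412: the incident changed between our GET and PATCH; loop to re-read it
    raise RuntimeError(f"PATCH {path}: still 412 after {max_attempts} attempts")


def add_tag(tag):
    """Build a mutate() that appends one tag. PATCH replaces the whole tags list, so the
    patch must be derived from the freshly read incident, never from a cached copy."""
    def mutate(incident):
        tags = list(incident.get("tags", []))
        if tag not in tags:
            tags.append(tag)
        return {"tags": tags}
    return mutate


class FakeIncidentStore:
    """Constructed stand-in for the API: versioned ETag, If-Match check, and a simulated
    concurrent analyst edit that lands just before the first PATCH arrives."""
    def __init__(self):
        self.incident = {"id": "5a9e19eebdee5a000a8fe060", "tags": ["Virus"], "priority": "Low"}
        self.version, self.patches = 1, 0

    def etag(self):
        return f'"v{self.version}"'  # placeholder format; the real server picks its own

    def send(self, method, path, headers, body):
        if method == "GET":
            return 200, {"ETag": self.etag()}, dict(self.incident)
        self.patches += 1
        if self.patches == 1:  # someone else adds a tag between our GET and our PATCH
            self.incident["tags"], self.version = ["Virus", "Phishing"], self.version + 1
        if headers.get("If-Match") != self.etag():
            return 412, {}, {}
        self.incident.update(json.loads(body))
        self.version += 1
        return 200, {"ETag": self.etag()}, dict(self.incident)


def demo():
    store = FakeIncidentStore()
    updated, attempts = conditional_update(store.send, store.incident["id"], add_tag("Cloud-Computing"))
    return updated["tags"], attempts


if __name__ == "__main__":
    print(demo())
```

The demo's first PATCH is rejected with 412 because the stand-in bumped the version after our GET; the second attempt re-reads the incident, sees the "Phishing" tag the other editor added, and submits a list that keeps it. Without If-Match the first PATCH would have succeeded and "Phishing" would have been lost.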
createIncidentMessage
Code samples
curl --request POST \
--url https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/messages \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a' \
--data '{"externalId":"345ffe9a","contentType":"text","content":"Requires further investigation","evidence":{"caption":"Severity changed","reported":"2019-08-24T14:15:22Z","description":"System Admin has changed severity from Low to Medium"}}'
fetch("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/messages", {
"method": "POST",
"headers": {
"Content-Type": "application/json",
"Accept": "application/json",
"X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
},
"body": "{\"externalId\":\"345ffe9a\",\"contentType\":\"text\",\"content\":\"Requires further investigation\",\"evidence\":{\"caption\":\"Severity changed\",\"reported\":\"2019-08-24T14:15:22Z\",\"description\":\"System Admin has changed severity from Low to Medium\"}}"
})
.then(response => {
console.log(response);
})
.catch(err => {
console.error(err);
});
import http.client
conn = http.client.HTTPSConnection("test-api.cyberproof.io")
payload = "{\"externalId\":\"345ffe9a\",\"contentType\":\"text\",\"content\":\"Requires further investigation\",\"evidence\":{\"caption\":\"Severity changed\",\"reported\":\"2019-08-24T14:15:22Z\",\"description\":\"System Admin has changed severity from Low to Medium\"}}"
headers = {
'Content-Type': "application/json",
'Accept': "application/json",
'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("POST", "/api/v1/incidents/5a9e19eebdee5a000a8fe060/messages", payload, headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
package main
import (
"fmt"
"strings"
"net/http"
"io/ioutil"
)
func main() {
url := "https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/messages"
payload := strings.NewReader("{\"externalId\":\"345ffe9a\",\"contentType\":\"text\",\"content\":\"Requires further investigation\",\"evidence\":{\"caption\":\"Severity changed\",\"reported\":\"2019-08-24T14:15:22Z\",\"description\":\"System Admin has changed severity from Low to Medium\"}}")
req, _ := http.NewRequest("POST", url, payload)
req.Header.Add("Content-Type", "application/json")
req.Header.Add("Accept", "application/json")
req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
res, _ := http.DefaultClient.Do(req)
defer res.Body.Close()
body, _ := ioutil.ReadAll(res.Body)
fmt.Println(res)
fmt.Println(string(body))
}
var client = new HttpClient();
var request = new HttpRequestMessage
{
Method = HttpMethod.Post,
RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/messages"),
Headers =
{
{ "Accept", "application/json" },
{ "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
},
Content = new StringContent("{\"externalId\":\"345ffe9a\",\"contentType\":\"text\",\"content\":\"Requires further investigation\",\"evidence\":{\"caption\":\"Severity changed\",\"reported\":\"2019-08-24T14:15:22Z\",\"description\":\"System Admin has changed severity from Low to Medium\"}}")
{
Headers =
{
ContentType = new MediaTypeHeaderValue("application/json")
}
}
};
using (var response = await client.SendAsync(request))
{
response.EnsureSuccessStatusCode();
var body = await response.Content.ReadAsStringAsync();
Console.WriteLine(body);
}
HttpResponse<String> response = Unirest.post("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/messages")
.header("Content-Type", "application/json")
.header("Accept", "application/json")
.header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
.body("{\"externalId\":\"345ffe9a\",\"contentType\":\"text\",\"content\":\"Requires further investigation\",\"evidence\":{\"caption\":\"Severity changed\",\"reported\":\"2019-08-24T14:15:22Z\",\"description\":\"System Admin has changed severity from Low to Medium\"}}")
.asString();
POST /incidents/{incident_id}/messages
Creates a new incident message
Creates a new incident message in CDC.
This operation is idempotent: if the client provides an external ID that already exists in CDC, the operation succeeds with UPSERT semantics.
NOTE: The maximum request size is 512 KB.
Body parameter
{
"externalId": "345ffe9a",
"contentType": "text",
"content": "Requires further investigation",
"evidence": {
"caption": "Severity changed",
"reported": "2019-08-24T14:15:22Z",
"description": "System Admin has changed severity from Low to Medium"
}
}
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
incident_id | path | string | true | The unique ID of the incident |
body | body | CreateIncidentMessageRequest | true | none |
Example responses
201 Response
{
"id": "5e7c6cf54b832e0018f191ad",
"text": "Requires further investigation",
"processedText": "Requires further investigation"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
201 | Created | The message has been created | IncidentMessageSummary |
400 | Bad Request | The request is invalid | None |
401 | Unauthorized | Authentication failure | None |
403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
413 | Payload Too Large | The payload sent by the client exceeds the size limits imposed by the server | None |
429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the server's rate-limiting policy. | None |
500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
503 | Service Unavailable | The server cannot handle the request at the moment | None |
504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
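The idempotency note above is what makes retrying this call safe: a gateway time-out (504) may be returned after the data store has already committed the message, and a blind retry without a stable externalId would create a duplicate. The following is an added example, not code from the CyberProof documentation or an SDK; it applies the page's 512 KB limit locally, retries on 429 and gateway errors with exponential back-off, and runs offline against a constructed stand-in server (FakeMessageStore, run_scenario, the API key and the msg-0001 ID format are all constructed for the demo).

```python
import json
import time
from typing import Callable, Dict, Optional, Tuple

MAX_REQUEST_BYTES = 512 * 1024  # the documented request limit for this operation

# (method, path, headers, body) -> (status, response body). Injected so the
# example runs offline; a real client would wrap http.client here.
Transport = Callable[[str, str, Dict[str, str], str], Tuple[int, str]]


class PayloadTooLarge(ValueError):
    """Rejected locally instead of spending a request to get a 413 back."""


def create_incident_message(transport: Transport, api_key: str, incident_id: str,
                            external_id: str, content: str,
                            evidence: Optional[dict] = None, attempts: int = 4,
                            sleep=time.sleep) -> dict:
    """POST /incidents/{incident_id}/messages, retrying on 429 and gateway errors.

    Retrying is only safe because externalId makes the call an UPSERT: if the
    first attempt was stored but its response was lost, the second attempt
    updates that message instead of creating a duplicate.
    """
    payload = {"externalId": external_id, "contentType": "text", "content": content}
    if evidence is not None:
        payload["evidence"] = evidence
    body = json.dumps(payload)
    if len(body.encode("utf-8")) > MAX_REQUEST_BYTES:
        raise PayloadTooLarge(f"{len(body)} bytes exceeds the 512 KB limit")
    headers = {"Content-Type": "application/json", "Accept": "application/json",
               "X-API-KEY": api_key}
    path = f"/api/v1/incidents/{incident_id}/messages"
    for attempt in range(attempts):
        status, response = transport("POST", path, headers, body)
        if status == 201:
            return json.loads(response)
        if status in (429, 502, 503, 504) and attempt < attempts - 1:
            sleep(0.5 * 2 ** attempt)  # exponential back-off, as the 429 row asks
            continue
        raise RuntimeError(f"createIncidentMessage returned HTTP {status}")
    raise RuntimeError("retry loop exhausted")  # not reachable, keeps the type checker happy


class FakeMessageStore:
    """Constructed stand-in for the server: keeps one message per externalId.

    The first call is stored but answered with 504, imitating a gateway that
    timed out after the data store had already committed the write.
    """

    def __init__(self, api_key: str) -> None:
        self.api_key = api_key
        self.messages: Dict[str, dict] = {}
        self.calls = 0

    def __call__(self, method, path, headers, body):
        self.calls += 1
        if headers.get("X-API-KEY") != self.api_key:
            return 401, ""
        if len(body.encode("utf-8")) > MAX_REQUEST_BYTES:
            return 413, ""
        msg = json.loads(body)
        stored = self.messages.get(msg["externalId"])
        if stored is None:  # insert half of the UPSERT: mint an id (constructed format)
            stored = {"id": f"msg-{len(self.messages) + 1:04d}"}
        stored["text"] = stored["processedText"] = msg["content"]  # update half
        self.messages[msg["externalId"]] = stored
        if self.calls == 1:
            return 504, ""  # committed, but the gateway gave up waiting
        return 201, json.dumps(stored)


def run_scenario() -> Tuple[int, int, dict, bool]:
    """Returns (server calls, stored messages, created summary, oversize rejected)."""
    key, inc = "constructed-api-key", "5a9e19eebdee5a000a8fe060"
    store = FakeMessageStore(key)
    summary = create_incident_message(store, key, inc, external_id="345ffe9a",
                                      content="Requires further investigation",
                                      sleep=lambda _s: None)  # no real waiting in the demo
    try:
        create_incident_message(store, key, inc, "big", "x" * (MAX_REQUEST_BYTES + 1),
                                sleep=lambda _s: None)
        oversize_rejected = False
    except PayloadTooLarge:
        oversize_rejected = True
    return store.calls, len(store.messages), summary, oversize_rejected


if __name__ == "__main__":
    print(run_scenario())
```

Two server calls, one stored message: the 504 was retried and the retry upserted rather than duplicated.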
closeIncident
Code samples
curl --request POST \
--url https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/close \
--header 'Content-Type: application/json' \
--header 'If-Match: string' \
--header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a' \
--data '{"closingComment":"Virus removed, performed AntiVirus software update, ensured the AntiVirus detects and quarantines emails with the virus attached"}'
fetch("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/close", {
"method": "POST",
"headers": {
"Content-Type": "application/json",
"If-Match": "string",
"X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
},
"body": "{\"closingComment\":\"Virus removed, performed AntiVirus software update, ensured the AntiVirus detects and quarantines emails with the virus attached\"}"
})
.then(response => {
console.log(response);
})
.catch(err => {
console.error(err);
});
import http.client
conn = http.client.HTTPSConnection("test-api.cyberproof.io")
payload = "{\"closingComment\":\"Virus removed, performed AntiVirus software update, ensured the AntiVirus detects and quarantines emails with the virus attached\"}"
headers = {
'Content-Type': "application/json",
'If-Match': "string",
'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("POST", "/api/v1/incidents/5a9e19eebdee5a000a8fe060/close", payload, headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
package main
import (
"fmt"
"strings"
"net/http"
"io/ioutil"
)
func main() {
url := "https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/close"
payload := strings.NewReader("{\"closingComment\":\"Virus removed, performed AntiVirus software update, ensured the AntiVirus detects and quarantines emails with the virus attached\"}")
req, _ := http.NewRequest("POST", url, payload)
req.Header.Add("Content-Type", "application/json")
req.Header.Add("If-Match", "string")
req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
res, _ := http.DefaultClient.Do(req)
defer res.Body.Close()
body, _ := ioutil.ReadAll(res.Body)
fmt.Println(res)
fmt.Println(string(body))
}
var client = new HttpClient();
var request = new HttpRequestMessage
{
Method = HttpMethod.Post,
RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/close"),
Headers =
{
{ "If-Match", "string" },
{ "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
},
Content = new StringContent("{\"closingComment\":\"Virus removed, performed AntiVirus software update, ensured the AntiVirus detects and quarantines emails with the virus attached\"}")
{
Headers =
{
ContentType = new MediaTypeHeaderValue("application/json")
}
}
};
using (var response = await client.SendAsync(request))
{
response.EnsureSuccessStatusCode();
var body = await response.Content.ReadAsStringAsync();
Console.WriteLine(body);
}
HttpResponse<String> response = Unirest.post("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/close")
.header("Content-Type", "application/json")
.header("If-Match", "string")
.header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
.body("{\"closingComment\":\"Virus removed, performed AntiVirus software update, ensured the AntiVirus detects and quarantines emails with the virus attached\"}")
.asString();
POST /incidents/{incident_id}/close
Closes an incident
A JSON object with details of the incident
Body parameter
{
"closingComment": "Virus removed, performed AntiVirus software update, ensured the AntiVirus detects and quarantines emails with the virus attached"
}
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
If-Match | header | string | false | Enables conditional modification: the resource is modified only if its current ETag matches the value specified in this header; otherwise 412 "Precondition Failed" is returned to the client |
incident_id | path | string | true | The unique ID of the incident |
body | body | CloseIncidentRequest | true | none |
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
204 | No Content | The incident was closed successfully | None |
400 | Bad Request | The request is invalid | None |
401 | Unauthorized | Authentication failure | None |
403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
404 | Not Found | The requested resource was not found | None |
409 | Conflict | The attempted operation conflicts with the current state of the incident | None |
412 | Precondition Failed | A precondition specified by the client was not met. This occurs when the ETag specified in the If-Match header does not match the ETag found in the underlying data store | None |
429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the server's rate-limiting policy. | None |
500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
503 | Service Unavailable | The server cannot handle the request at the moment | None |
504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
Response Headers
Status | Header | Type | Format | Description |
---|---|---|---|---|
204 | ETag | string | | Includes an identifier for a specific version of a resource. Commonly used as the basis for conditional gets and conditional updates. |
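The If-Match parameter and the 412 and 409 rows above describe optimistic concurrency control: a close decided on a stale view of the incident is refused rather than silently overriding another analyst's change. The following is an added example, not code from the CyberProof documentation or an SDK; it sends If-Match, maps 204/412/409 to outcomes, and runs offline against a constructed stand-in server (FakeCdc, run_scenario, the API key and the "v1"-style ETags are constructed for the demo; the real service returns opaque ETags).

```python
import json
from typing import Callable, Dict, List, Optional, Tuple

# (method, path, headers, body) -> (status, response headers, response body).
# Injected so the example runs offline; a real client would wrap http.client.
Transport = Callable[[str, str, Dict[str, str], Optional[str]],
                     Tuple[int, Dict[str, str], str]]


class PreconditionFailed(Exception):
    """412: the incident changed after the ETag we hold was issued."""


class StateConflict(Exception):
    """409: the incident is in a state that does not allow closing."""


def close_incident(transport: Transport, api_key: str, incident_id: str,
                   closing_comment: str, etag: Optional[str]) -> str:
    """POST /incidents/{incident_id}/close; returns the ETag of the new version.

    With etag given, If-Match makes the server apply the close only if the
    incident is still the version the caller inspected.
    """
    headers = {"Content-Type": "application/json", "X-API-KEY": api_key}
    if etag is not None:
        headers["If-Match"] = etag
    body = json.dumps({"closingComment": closing_comment})
    status, resp_headers, _ = transport(
        "POST", f"/api/v1/incidents/{incident_id}/close", headers, body)
    if status == 204:
        return resp_headers.get("ETag", "")
    if status == 412:
        raise PreconditionFailed(incident_id)
    if status == 409:
        raise StateConflict(incident_id)
    raise RuntimeError(f"closeIncident returned HTTP {status}")


class FakeCdc:
    """Constructed stand-in for the server holding one versioned incident.

    Mirrors the documented status codes: 401 bad key, 404 unknown incident,
    412 stale If-Match, 409 already closed, 204 with a fresh ETag on success.
    """

    def __init__(self, api_key: str, incident_id: str) -> None:
        self.api_key = api_key
        self.incidents = {incident_id: {"version": 1, "closed": False}}

    def etag_of(self, incident_id: str) -> str:
        return f'"v{self.incidents[incident_id]["version"]}"'  # constructed ETag format

    def modify_elsewhere(self, incident_id: str) -> None:
        # Another analyst or an automation updates the incident meanwhile.
        self.incidents[incident_id]["version"] += 1

    def __call__(self, method, path, headers, body):
        if headers.get("X-API-KEY") != self.api_key:
            return 401, {}, ""
        incident_id = path.split("/")[4]
        inc = self.incidents.get(incident_id)
        if inc is None:
            return 404, {}, ""
        if "If-Match" in headers and headers["If-Match"] != self.etag_of(incident_id):
            return 412, {}, ""
        if inc["closed"]:
            return 409, {}, ""
        inc["closed"] = True
        inc["version"] += 1
        return 204, {"ETag": self.etag_of(incident_id)}, ""


def run_scenario() -> List[str]:
    """Stale ETag is refused, the current one closes, a second close conflicts."""
    key, inc = "constructed-api-key", "5a9e19eebdee5a000a8fe060"
    server = FakeCdc(key, inc)
    outcomes = []
    etag = server.etag_of(inc)       # version we looked at before deciding
    server.modify_elsewhere(inc)     # ...and it changed under us
    try:
        close_incident(server, key, inc, "Virus removed", etag)
    except PreconditionFailed:
        outcomes.append("412: stale etag, re-read the incident before closing")
    new_etag = close_incident(server, key, inc, "Virus removed", server.etag_of(inc))
    outcomes.append(f"204: closed, new etag {new_etag}")
    try:
        close_incident(server, key, inc, "Virus removed", new_etag)
    except StateConflict:
        outcomes.append("409: already closed")
    return outcomes


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```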
redirectIncident
Code samples
curl --request POST \
--url https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/redirect \
--header 'Content-Type: application/json' \
--header 'If-Match: string' \
--header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a' \
--data '{"targetGroup":"string","reason":"string"}'
fetch("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/redirect", {
"method": "POST",
"headers": {
"Content-Type": "application/json",
"If-Match": "string",
"X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
},
"body": "{\"targetGroup\":\"string\",\"reason\":\"string\"}"
})
.then(response => {
console.log(response);
})
.catch(err => {
console.error(err);
});
import http.client
conn = http.client.HTTPSConnection("test-api.cyberproof.io")
payload = "{\"targetGroup\":\"string\",\"reason\":\"string\"}"
headers = {
'Content-Type': "application/json",
'If-Match': "string",
'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("POST", "/api/v1/incidents/5a9e19eebdee5a000a8fe060/redirect", payload, headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
package main
import (
"fmt"
"strings"
"net/http"
"io/ioutil"
)
func main() {
url := "https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/redirect"
payload := strings.NewReader("{\"targetGroup\":\"string\",\"reason\":\"string\"}")
req, _ := http.NewRequest("POST", url, payload)
req.Header.Add("Content-Type", "application/json")
req.Header.Add("If-Match", "string")
req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
res, _ := http.DefaultClient.Do(req)
defer res.Body.Close()
body, _ := ioutil.ReadAll(res.Body)
fmt.Println(res)
fmt.Println(string(body))
}
var client = new HttpClient();
var request = new HttpRequestMessage
{
Method = HttpMethod.Post,
RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/redirect"),
Headers =
{
{ "If-Match", "string" },
{ "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
},
Content = new StringContent("{\"targetGroup\":\"string\",\"reason\":\"string\"}")
{
Headers =
{
ContentType = new MediaTypeHeaderValue("application/json")
}
}
};
using (var response = await client.SendAsync(request))
{
response.EnsureSuccessStatusCode();
var body = await response.Content.ReadAsStringAsync();
Console.WriteLine(body);
}
HttpResponse<String> response = Unirest.post("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/redirect")
.header("Content-Type", "application/json")
.header("If-Match", "string")
.header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
.body("{\"targetGroup\":\"string\",\"reason\":\"string\"}")
.asString();
POST /incidents/{incident_id}/redirect
Initiates a redirection
Body parameter
{
"targetGroup": "string",
"reason": "string"
}
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
If-Match | header | string | false | Enables conditional modification: the resource is modified only if its current ETag matches the value specified in this header; otherwise 412 "Precondition Failed" is returned to the client |
incident_id | path | string | true | The unique ID of the incident |
body | body | RedirectIncidentRequest | true | none |
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
204 | No Content | The redirection has been issued | None |
400 | Bad Request | The request is invalid | None |
401 | Unauthorized | Authentication failure | None |
403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
404 | Not Found | The specified incident was not found | None |
409 | Conflict | The attempted operation conflicts with the current state of the incident | None |
412 | Precondition Failed | A precondition specified by the client was not met. This occurs when the ETag specified in the If-Match header does not match the ETag found in the underlying data store | None |
429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the server's rate-limiting policy. | None |
500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
503 | Service Unavailable | The server cannot handle the request at the moment | None |
504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
Response Headers
Status | Header | Type | Format | Description |
---|---|---|---|---|
204 | ETag | string | | Includes an identifier for a specific version of a resource. Commonly used as the basis for conditional gets and conditional updates. |
acceptIncidentRedirection
Code samples
curl --request POST \
--url https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/accept \
--header 'If-Match: string' \
--header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a'
fetch("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/accept", {
"method": "POST",
"headers": {
"If-Match": "string",
"X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
}
})
.then(response => {
console.log(response);
})
.catch(err => {
console.error(err);
});
import http.client
conn = http.client.HTTPSConnection("test-api.cyberproof.io")
headers = {
'If-Match': "string",
'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("POST", "/api/v1/incidents/5a9e19eebdee5a000a8fe060/accept", headers=headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
package main
import (
"fmt"
"net/http"
"io/ioutil"
)
func main() {
url := "https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/accept"
req, _ := http.NewRequest("POST", url, nil)
req.Header.Add("If-Match", "string")
req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
res, _ := http.DefaultClient.Do(req)
defer res.Body.Close()
body, _ := ioutil.ReadAll(res.Body)
fmt.Println(res)
fmt.Println(string(body))
}
var client = new HttpClient();
var request = new HttpRequestMessage
{
Method = HttpMethod.Post,
RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/accept"),
Headers =
{
{ "If-Match", "string" },
{ "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
},
};
using (var response = await client.SendAsync(request))
{
response.EnsureSuccessStatusCode();
var body = await response.Content.ReadAsStringAsync();
Console.WriteLine(body);
}
HttpResponse<String> response = Unirest.post("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/accept")
.header("If-Match", "string")
.header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
.asString();
POST /incidents/{incident_id}/accept
Accepts a redirection request
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
If-Match | header | string | false | Enables conditional modification: the resource is modified only if its current ETag matches the value specified in this header; otherwise 412 "Precondition Failed" is returned to the client |
incident_id | path | string | true | The unique ID of the incident |
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
204 | No Content | The redirection has been successfully accepted | None |
400 | Bad Request | The request is invalid | None |
401 | Unauthorized | Authentication failure | None |
403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
404 | Not Found | The specified incident was not found | None |
409 | Conflict | There currently isn't any pending redirection for this incident | None |
412 | Precondition Failed | A precondition specified by the client was not met. This occurs when the ETag specified in the If-Match header does not match the ETag found in the underlying data store | None |
429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the server's rate-limiting policy. | None |
500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
503 | Service Unavailable | The server cannot handle the request at the moment | None |
504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
Response Headers
Status | Header | Type | Format | Description |
---|---|---|---|---|
204 | ETag | string | | Includes an identifier for a specific version of a resource. Commonly used as the basis for conditional gets and conditional updates. |
queryIncidentAlerts
Code samples
curl --request GET \
--url https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/alerts \
--header 'Accept: application/json' \
--header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a'
fetch("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/alerts", {
"method": "GET",
"headers": {
"Accept": "application/json",
"X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
}
})
.then(response => {
console.log(response);
})
.catch(err => {
console.error(err);
});
import http.client
conn = http.client.HTTPSConnection("test-api.cyberproof.io")
headers = {
'Accept': "application/json",
'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("GET", "/api/v1/incidents/5a9e19eebdee5a000a8fe060/alerts", headers=headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
package main
import (
"fmt"
"net/http"
"io/ioutil"
)
func main() {
url := "https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/alerts"
req, _ := http.NewRequest("GET", url, nil)
req.Header.Add("Accept", "application/json")
req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
res, _ := http.DefaultClient.Do(req)
defer res.Body.Close()
body, _ := ioutil.ReadAll(res.Body)
fmt.Println(res)
fmt.Println(string(body))
}
var client = new HttpClient();
var request = new HttpRequestMessage
{
Method = HttpMethod.Get,
RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/alerts"),
Headers =
{
{ "Accept", "application/json" },
{ "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
},
};
using (var response = await client.SendAsync(request))
{
response.EnsureSuccessStatusCode();
var body = await response.Content.ReadAsStringAsync();
Console.WriteLine(body);
}
HttpResponse<String> response = Unirest.get("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/alerts")
.header("Accept", "application/json")
.header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
.asString();
GET /incidents/{incident_id}/alerts
Returns information about the alerts associated with this incident.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
incident_id | path | string | true | The unique ID of the incident |
marker | query | string(byte) | false | A continuation token, used to retrieve the next results page. |
include | query | array[string] | false | Specifies which additional fields to include in the query results: |
Detailed descriptions
include: Specifies which additional fields to include in the query results:
- raw: includes the raw alert data.
- company: includes the company field.
Enumerated Values
Parameter | Value |
---|---|
include | raw |
include | company |
Example responses
200 Response
{
"nextMarker": "string",
"results": [
{
"id": "5e7c6cf54b832e0018f191ad",
"source": "QRadar",
"sourceId": 296,
"score": 33.2,
"name": "Windows - Multiple failed logins same user same host",
"description": "Customer Name - AcmeCo\nAlert Name - Windows - Multiple failed logins same user same host\nDevice Vendor - Microsoft\nDevice Product - Microsoft Windows\nDevice Event Class Id - rule:105\n",
"severity": "Medium",
"created": "2019-08-24T14:15:22Z",
"modified": "2019-08-24T14:15:22Z",
"detected": "2019-08-24T14:15:22Z",
"status": "In Incident",
"sourceUrl": "https://192.168.41.164/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=296",
"company": "ACME Europe",
"useCase": "UC216 - EPP - Persistent Malware",
"tags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"observableTags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"categories": [
"Ransomware",
"Phishing"
],
"detectionRule": "WRONG_PASSWORD_3_ATTEMPTS",
"killChain": [
"Reconnaissance",
"Weaponization",
"Delivery"
],
"mitreAttacks": [
"T1003",
"T1001",
"T1595.001"
],
"alertType": "CTI-Landscape",
"threatType": "Phishing",
"raw": {
"attributeInitializationInProgress": false,
"createdTime": {
"day": {
"numberInt": "18"
},
"hour": {
"numberInt": "16"
},
"milliSecond": {
"numberInt": "711"
},
"minute": {
"numberInt": "10"
},
"month": {
"numberInt": "6"
},
"second": {
"numberInt": "47"
},
"timezoneID": "Israel",
"year": {
"numberInt": "2017"
}
},
"createdTimestamp": {
"numberDouble": "1500383447711"
},
"deprecated": false,
"description": "ACME",
"disabled": false,
"inCache": true,
"inactive": false,
"initialized": true,
"isAdditionalLoaded": false,
"localID": {
"numberDouble": "30064798760"
},
"modificationCount": {
"numberInt": "1"
}
},
"cdcUrl": "https://acme.cyberproof.io/home/alerts/alert/5e7c6cf54b832e0018f191ad",
"threatActors": [
"Cyber Criminals",
"Anonymous"
],
"malwareTools": [
"TrickBot",
"IcedID",
"Cobalt Strike"
],
"ctiSourceUrls": [
"https://blog.malwarebytes.com/someTopic"
],
"recommendations": "Implement the attached IOCs in your security systems."
}
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | success | IncidentAlertsQueryResults |
400 | Bad Request | The request is invalid | None |
401 | Unauthorized | Authentication failure | None |
403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
404 | Not Found | The requested resource was not found | None |
413 | Payload Too Large | The payload sent by the client exceeds the size limits imposed by the server | None |
429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the server's rate-limiting policy. | None |
500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
503 | Service Unavailable | The server cannot handle the request at the moment | None |
504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
queryIncidentAlertIds
Code samples
curl --request GET \
--url https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/alert-ids \
--header 'Accept: application/json' \
--header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a'
fetch("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/alert-ids", {
"method": "GET",
"headers": {
"Accept": "application/json",
"X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
}
})
.then(response => {
console.log(response);
})
.catch(err => {
console.error(err);
});
import http.client
conn = http.client.HTTPSConnection("test-api.cyberproof.io")
headers = {
'Accept': "application/json",
'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("GET", "/api/v1/incidents/5a9e19eebdee5a000a8fe060/alert-ids", headers=headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
package main
import (
"fmt"
"net/http"
"io/ioutil"
)
func main() {
url := "https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/alert-ids"
req, _ := http.NewRequest("GET", url, nil)
req.Header.Add("Accept", "application/json")
req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
res, _ := http.DefaultClient.Do(req)
defer res.Body.Close()
body, _ := ioutil.ReadAll(res.Body)
fmt.Println(res)
fmt.Println(string(body))
}
var client = new HttpClient();
var request = new HttpRequestMessage
{
Method = HttpMethod.Get,
RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/alert-ids"),
Headers =
{
{ "Accept", "application/json" },
{ "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
},
};
using (var response = await client.SendAsync(request))
{
response.EnsureSuccessStatusCode();
var body = await response.Content.ReadAsStringAsync();
Console.WriteLine(body);
}
HttpResponse<String> response = Unirest.get("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/alert-ids")
.header("Accept", "application/json")
.header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
.asString();
GET /incidents/{incident_id}/alert-ids
Returns the IDs of the alerts associated with this incident.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
incident_id | path | string | true | The unique ID of the incident |
marker | query | string(byte) | false | A continuation token, used to retrieve the next results page. |
Example responses
200 Response
{
"nextMarker": "string",
"results": [
"string"
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | success | IncidentAlertIdsQueryResults |
400 | Bad Request | The request is invalid | None |
401 | Unauthorized | Authentication failure | None |
403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
404 | Not Found | The requested resource was not found | None |
429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the server's rate-limiting policy. | None |
500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
503 | Service Unavailable | The server cannot handle the request at the moment | None |
504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
queryIncidentObservables
Code samples
curl --request GET \
--url https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/observables \
--header 'Accept: application/json' \
--header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a'
fetch("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/observables", {
"method": "GET",
"headers": {
"Accept": "application/json",
"X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
}
})
.then(response => {
console.log(response);
})
.catch(err => {
console.error(err);
});
import http.client
conn = http.client.HTTPSConnection("test-api.cyberproof.io")
headers = {
'Accept': "application/json",
'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("GET", "/api/v1/incidents/5a9e19eebdee5a000a8fe060/observables", headers=headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
package main
import (
"fmt"
"net/http"
"io/ioutil"
)
func main() {
url := "https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/observables"
req, _ := http.NewRequest("GET", url, nil)
req.Header.Add("Accept", "application/json")
req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
res, _ := http.DefaultClient.Do(req)
defer res.Body.Close()
body, _ := ioutil.ReadAll(res.Body)
fmt.Println(res)
fmt.Println(string(body))
}
var client = new HttpClient();
var request = new HttpRequestMessage
{
Method = HttpMethod.Get,
RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/observables"),
Headers =
{
{ "Accept", "application/json" },
{ "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
},
};
using (var response = await client.SendAsync(request))
{
response.EnsureSuccessStatusCode();
var body = await response.Content.ReadAsStringAsync();
Console.WriteLine(body);
}
HttpResponse<String> response = Unirest.get("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/observables")
.header("Accept", "application/json")
.header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
.asString();
GET /incidents/{incident_id}/observables
Returns information about the observables associated with this incident.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
incident_id | path | string | true | The unique ID of the incident |
marker | query | string(byte) | false | A continuation token, used to retrieve the next results page. |
Example responses
200 Response
{
"nextMarker": "string",
"results": [
{
"id": "5e13b88122c957000787db06",
"type": "IPv4 Address",
"isIoc": false,
"value": "192.168.40.45",
"created": "2019-08-24T14:15:22Z",
"updated": "2019-08-24T14:15:22Z",
"suspiciousRate": 3.2,
"tags": [
"Critical-Infrastructure"
],
"enrichments": [
{
"id": "5e13b88122c957000787db06",
"name": "VirusTotal",
"reported": "2019-08-24T14:15:22Z",
"suspiciousRate": 3.2
}
]
}
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | success | IncidentObservablesQueryResults |
400 | Bad Request | The request is invalid | None |
401 | Unauthorized | Authentication failure | None |
403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
404 | Not Found | The requested resource was not found | None |
413 | Payload Too Large | The payload sent by the client exceeds the size limits imposed by the server | None |
429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate limiting policy of the server. | None |
500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
503 | Service Unavailable | The server cannot handle the request at the moment | None |
504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
createIncidentObservable
Code samples
curl --request POST \
--url https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/observables \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a' \
--data '{"type":"IPv4 Address","value":"192.168.40.45","tags":["Critical-Infrastructure"]}'
fetch("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/observables", {
"method": "POST",
"headers": {
"Content-Type": "application/json",
"Accept": "application/json",
"X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
},
"body": "{\"type\":\"IPv4 Address\",\"value\":\"192.168.40.45\",\"tags\":[\"Critical-Infrastructure\"]}"
})
.then(response => {
console.log(response);
})
.catch(err => {
console.error(err);
});
import http.client
conn = http.client.HTTPSConnection("test-api.cyberproof.io")
payload = "{\"type\":\"IPv4 Address\",\"value\":\"192.168.40.45\",\"tags\":[\"Critical-Infrastructure\"]}"
headers = {
'Content-Type': "application/json",
'Accept': "application/json",
'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("POST", "/api/v1/incidents/5a9e19eebdee5a000a8fe060/observables", payload, headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
package main
import (
"fmt"
"strings"
"net/http"
"io/ioutil"
)
func main() {
url := "https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/observables"
payload := strings.NewReader("{\"type\":\"IPv4 Address\",\"value\":\"192.168.40.45\",\"tags\":[\"Critical-Infrastructure\"]}")
req, _ := http.NewRequest("POST", url, payload)
req.Header.Add("Content-Type", "application/json")
req.Header.Add("Accept", "application/json")
req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
res, _ := http.DefaultClient.Do(req)
defer res.Body.Close()
body, _ := ioutil.ReadAll(res.Body)
fmt.Println(res)
fmt.Println(string(body))
}
var client = new HttpClient();
var request = new HttpRequestMessage
{
Method = HttpMethod.Post,
RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/observables"),
Headers =
{
{ "Accept", "application/json" },
{ "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
},
Content = new StringContent("{\"type\":\"IPv4 Address\",\"value\":\"192.168.40.45\",\"tags\":[\"Critical-Infrastructure\"]}")
{
Headers =
{
ContentType = new MediaTypeHeaderValue("application/json")
}
}
};
using (var response = await client.SendAsync(request))
{
response.EnsureSuccessStatusCode();
var body = await response.Content.ReadAsStringAsync();
Console.WriteLine(body);
}
HttpResponse<String> response = Unirest.post("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/observables")
.header("Content-Type", "application/json")
.header("Accept", "application/json")
.header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
.body("{\"type\":\"IPv4 Address\",\"value\":\"192.168.40.45\",\"tags\":[\"Critical-Infrastructure\"]}")
.asString();
POST /incidents/{incident_id}/observables
Creates a new incident observable
Creates a new incident observable in CDC
This operation is idempotent: if the client provides a type and value which already exist in CDC, then the operation should succeed with UPSERT semantics.
NOTE: The maximum request size is 100 KB.
Body parameter
{
"type": "IPv4 Address",
"value": "192.168.40.45",
"tags": [
"Critical-Infrastructure"
]
}
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
incident_id | path | string | true | The unique ID of the incident |
body | body | CreateIncidentObservableRequest | true | none |
Example responses
201 Response
{
"id": "5e13b88122c957000787db06",
"type": "IPv4 Address",
"isIoc": false,
"value": "192.168.40.45",
"created": "2019-08-24T14:15:22Z",
"updated": "2019-08-24T14:15:22Z",
"suspiciousRate": 3.2,
"tags": [
"Critical-Infrastructure"
],
"enrichments": [
{
"id": "5e13b88122c957000787db06",
"name": "VirusTotal",
"reported": "2019-08-24T14:15:22Z",
"suspiciousRate": 3.2
}
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
201 | Created | The observable has been created | ObservableSummary |
400 | Bad Request | The request is invalid | None |
401 | Unauthorized | Authentication failure | None |
403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
413 | Payload Too Large | The payload sent by the client exceeds the size limits imposed by the server | None |
429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate limiting policy of the server. | None |
500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
503 | Service Unavailable | The server cannot handle the request at the moment | None |
504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
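An added client for this endpoint (example code, not part of the CyberProof documentation or SDK) that enforces the 100 KB request limit before sending, treats only 201 as success, and shows the documented UPSERT behaviour by creating the same observable twice. The `FakeCdc` class is a constructed stand-in for the API so the example runs offline; `http_transport` is the real transport, using the same http.client calls as the page's Python sample.

```python
import json
import http.client
from typing import Callable, Tuple

MAX_REQUEST_BYTES = 100 * 1024  # "NOTE: The maximum request size is 100 KB."

# A transport is any callable (method, path, headers, body) -> (status, json_body).
# Injecting it lets the same client run against the real API or a stand-in.
Transport = Callable[[str, str, dict, bytes], Tuple[int, dict]]


def http_transport(host: str, api_key: str) -> Transport:
    """Real transport over http.client, mirroring the page's Python sample."""
    def send(method, path, headers, body):
        conn = http.client.HTTPSConnection(host)
        conn.request(method, path, body, {**headers, "X-API-KEY": api_key})
        res = conn.getresponse()
        data = res.read()
        conn.close()
        return res.status, (json.loads(data) if data else {})
    return send


def create_incident_observable(send: Transport, incident_id: str, obs_type: str,
                               value: str, tags=()) -> dict:
    """POST /incidents/{incident_id}/observables with the documented body shape.

    Rejects bodies over 100 KB client-side (the server would answer 413) and
    accepts only 201. Because the operation is an UPSERT on (type, value),
    retrying the same call after a timeout is safe.
    """
    payload = json.dumps({"type": obs_type, "value": value,
                          "tags": list(tags)}).encode("utf-8")
    if len(payload) > MAX_REQUEST_BYTES:
        raise ValueError(f"body is {len(payload)} bytes; limit is {MAX_REQUEST_BYTES}")
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    status, body = send("POST", f"/api/v1/incidents/{incident_id}/observables",
                        headers, payload)
    if status != 201:
        raise RuntimeError(f"createIncidentObservable failed: HTTP {status} {body}")
    return body


class FakeCdc:
    """Constructed stand-in for the endpoint so the example runs offline.

    Implements the UPSERT semantics the page describes: the same (type, value)
    pair always resolves to the same observable id. Merging tags across calls
    is this stand-in's assumption, not documented server behaviour.
    """
    def __init__(self):
        self.store = {}   # (type, value) -> ObservableSummary-like dict
        self.calls = 0

    def __call__(self, method, path, headers, body):
        self.calls += 1
        if len(body) > MAX_REQUEST_BYTES:
            return 413, {}
        req = json.loads(body)
        key = (req["type"], req["value"])
        if key not in self.store:
            self.store[key] = {"id": f"fake{len(self.store):04d}",   # constructed id
                               "type": req["type"], "value": req["value"],
                               "isIoc": False, "tags": []}
        summary = self.store[key]
        summary["tags"] = sorted(set(summary["tags"]) | set(req.get("tags", [])))
        return 201, dict(summary)


def demo_upsert():
    """Create the page's example observable twice with different tags.

    Returns (first response, second response, number of stored observables):
    both responses carry the same id and only one observable exists.
    """
    send = FakeCdc()
    incident = "5a9e19eebdee5a000a8fe060"
    first = create_incident_observable(send, incident, "IPv4 Address",
                                       "192.168.40.45", ["Critical-Infrastructure"])
    second = create_incident_observable(send, incident, "IPv4 Address",
                                        "192.168.40.45", ["Virus"])
    return first, second, len(send.store)
```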
queryIncidentEvidence
Code samples
curl --request GET \
--url https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/evidence \
--header 'Accept: application/json' \
--header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a'
fetch("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/evidence", {
"method": "GET",
"headers": {
"Accept": "application/json",
"X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
}
})
.then(response => {
console.log(response);
})
.catch(err => {
console.error(err);
});
import http.client
conn = http.client.HTTPSConnection("test-api.cyberproof.io")
headers = {
'Accept': "application/json",
'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("GET", "/api/v1/incidents/5a9e19eebdee5a000a8fe060/evidence", headers=headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
package main
import (
"fmt"
"net/http"
"io/ioutil"
)
func main() {
url := "https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/evidence"
req, _ := http.NewRequest("GET", url, nil)
req.Header.Add("Accept", "application/json")
req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
res, _ := http.DefaultClient.Do(req)
defer res.Body.Close()
body, _ := ioutil.ReadAll(res.Body)
fmt.Println(res)
fmt.Println(string(body))
}
var client = new HttpClient();
var request = new HttpRequestMessage
{
Method = HttpMethod.Get,
RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/evidence"),
Headers =
{
{ "Accept", "application/json" },
{ "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
},
};
using (var response = await client.SendAsync(request))
{
response.EnsureSuccessStatusCode();
var body = await response.Content.ReadAsStringAsync();
Console.WriteLine(body);
}
HttpResponse<String> response = Unirest.get("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/evidence")
.header("Accept", "application/json")
.header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
.asString();
GET /incidents/{incident_id}/evidence
Returns information about the evidence associated with this incident.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
incident_id | path | string | true | The unique ID of the incident |
marker | query | string(byte) | false | A continuation token, used to retrieve the next results page. |
include | query | array[string] | false | Specifies which additional fields to include in the query results: |
Detailed descriptions
include: Specifies which additional fields to include in the query results:
data: includes the evidence metadata.
Enumerated Values
Parameter | Value |
---|---|
include | data |
Example responses
200 Response
{
"nextMarker": "string",
"results": [
{
"id": "5aa4d8fcbdee5a000a911882",
"type": "MITRE_ATTACK_ADDED",
"reported": "2019-08-24T14:15:22Z",
"created": "2019-08-24T14:15:22Z",
"caption": "Severity changed",
"description": "System Admin has changed severity from Low to Medium",
"messageId": "string",
"messageCdcUrl": "https://acme.cyberproof.io/home/incidents/5ea71bb363f6c6001707663b/evidence/5ea71bb363f6c6001707254a",
"externalId": "345ffe9a",
"data": {}
}
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | success | EvidenceQueryResults |
400 | Bad Request | The request is invalid | None |
401 | Unauthorized | Authentication failure | None |
403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
404 | Not Found | The requested resource was not found | None |
413 | Payload Too Large | The payload sent by the client exceeds the size limits imposed by the server | None |
429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate limiting policy of the server. | None |
500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
503 | Service Unavailable | The server cannot handle the request at the moment | None |
504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
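An added example (not part of the CyberProof documentation or SDK) of walking a marker-paginated result set: `iter_pages` follows `nextMarker` until a page comes back without one, backs off and retries on 429 as the Responses table asks, and `fetch_all_evidence` passes `include=data` to get the evidence metadata. The same loop applies unchanged to the observables listing above, which uses the same `marker` parameter. `FakeEvidenceApi` is a constructed stand-in so the example runs offline; that a missing `nextMarker` marks the last page, and that `data` is omitted unless `include=data` is given, are this example's assumptions.

```python
import json
import time
import http.client
from typing import Callable, Dict, Iterator, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# A transport is any callable (method, path, headers) -> (status, json_body);
# injecting it lets the same client code run against the real API or the
# constructed stand-in below.
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, dict]]


def http_transport(host: str, api_key: str) -> Transport:
    """Real transport over http.client, the same calls as the page's Python sample."""
    def send(method, path, headers):
        conn = http.client.HTTPSConnection(host)
        conn.request(method, path, headers={**headers, "X-API-KEY": api_key})
        res = conn.getresponse()
        data = res.read()
        conn.close()
        return res.status, (json.loads(data) if data else {})
    return send


def iter_pages(send: Transport, path: str, params: dict = None,
               sleep=time.sleep, max_retries: int = 5) -> Iterator[dict]:
    """Yield every item of a marker-paginated query.

    Follows nextMarker until a page comes back without one (assumed to mean
    the last page). A 429 is retried with exponential backoff starting at 1 s,
    as the Responses table asks; any other non-200 status is an error.
    """
    params, marker = dict(params or {}), None
    while True:
        query = dict(params, **({"marker": marker} if marker else {}))
        url = f"{path}?{urlencode(query, doseq=True)}" if query else path
        delay = 1.0
        for attempt in range(max_retries + 1):
            status, body = send("GET", url, {"Accept": "application/json"})
            if status != 429:
                break
            if attempt == max_retries:
                raise RuntimeError(f"still throttled after {max_retries} retries: {url}")
            sleep(delay)
            delay *= 2
        if status != 200:
            raise RuntimeError(f"HTTP {status} for {url}: {body}")
        yield from body.get("results", [])
        marker = body.get("nextMarker")
        if not marker:
            return


def fetch_all_evidence(send: Transport, incident_id: str,
                       include_data: bool = True, sleep=time.sleep) -> list:
    """All evidence of one incident; include=data asks for the evidence metadata."""
    params = {"include": "data"} if include_data else {}
    return list(iter_pages(send, f"/api/v1/incidents/{incident_id}/evidence",
                           params, sleep=sleep))


class FakeEvidenceApi:
    """Constructed stand-in for the endpoint so the example runs offline: three
    evidence records served two per page with numeric markers, and the first
    request throttled once. Dropping 'data' unless include=data was requested
    is this stand-in's reading of the include parameter."""
    def __init__(self):
        self.records = [{"id": f"ev{i}", "type": "MITRE_ATTACK_ADDED",
                         "caption": "Severity changed", "externalId": f"ext{i}",
                         "data": {"seq": i}} for i in range(3)]   # constructed
        self.requests, self.throttled = [], False

    def __call__(self, method, path, headers):
        self.requests.append(path)
        if not self.throttled:
            self.throttled = True
            return 429, {}
        query = parse_qs(urlparse(path).query)
        start = int(query.get("marker", ["0"])[0])
        page = self.records[start:start + 2]
        if "data" not in query.get("include", []):
            page = [{k: v for k, v in r.items() if k != "data"} for r in page]
        nxt = str(start + 2) if start + 2 < len(self.records) else None
        return 200, {"nextMarker": nxt, "results": page}


def demo():
    """Walk the fake incident's evidence; returns (items, request log, sleeps)."""
    api, waits = FakeEvidenceApi(), []
    items = fetch_all_evidence(api, "5a9e19eebdee5a000a8fe060", sleep=waits.append)
    return items, api.requests, waits
```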
createIncidentEvidence
Code samples
curl --request POST \
--url https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/evidence \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a' \
--data '{"reported":"2019-08-24T14:15:22Z","caption":"Severity changed","messageId":"string","description":"System Admin has changed severity from Low to Medium","externalId":"345ffe9a"}'
fetch("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/evidence", {
"method": "POST",
"headers": {
"Content-Type": "application/json",
"Accept": "application/json",
"X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
},
"body": "{\"reported\":\"2019-08-24T14:15:22Z\",\"caption\":\"Severity changed\",\"messageId\":\"string\",\"description\":\"System Admin has changed severity from Low to Medium\",\"externalId\":\"345ffe9a\"}"
})
.then(response => {
console.log(response);
})
.catch(err => {
console.error(err);
});
import http.client
conn = http.client.HTTPSConnection("test-api.cyberproof.io")
payload = "{\"reported\":\"2019-08-24T14:15:22Z\",\"caption\":\"Severity changed\",\"messageId\":\"string\",\"description\":\"System Admin has changed severity from Low to Medium\",\"externalId\":\"345ffe9a\"}"
headers = {
'Content-Type': "application/json",
'Accept': "application/json",
'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("POST", "/api/v1/incidents/5a9e19eebdee5a000a8fe060/evidence", payload, headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
package main
import (
"fmt"
"strings"
"net/http"
"io/ioutil"
)
func main() {
url := "https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/evidence"
payload := strings.NewReader("{\"reported\":\"2019-08-24T14:15:22Z\",\"caption\":\"Severity changed\",\"messageId\":\"string\",\"description\":\"System Admin has changed severity from Low to Medium\",\"externalId\":\"345ffe9a\"}")
req, _ := http.NewRequest("POST", url, payload)
req.Header.Add("Content-Type", "application/json")
req.Header.Add("Accept", "application/json")
req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
res, _ := http.DefaultClient.Do(req)
defer res.Body.Close()
body, _ := ioutil.ReadAll(res.Body)
fmt.Println(res)
fmt.Println(string(body))
}
var client = new HttpClient();
var request = new HttpRequestMessage
{
Method = HttpMethod.Post,
RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/evidence"),
Headers =
{
{ "Accept", "application/json" },
{ "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
},
Content = new StringContent("{\"reported\":\"2019-08-24T14:15:22Z\",\"caption\":\"Severity changed\",\"messageId\":\"string\",\"description\":\"System Admin has changed severity from Low to Medium\",\"externalId\":\"345ffe9a\"}")
{
Headers =
{
ContentType = new MediaTypeHeaderValue("application/json")
}
}
};
using (var response = await client.SendAsync(request))
{
response.EnsureSuccessStatusCode();
var body = await response.Content.ReadAsStringAsync();
Console.WriteLine(body);
}
HttpResponse<String> response = Unirest.post("https://test-api.cyberproof.io/api/v1/incidents/5a9e19eebdee5a000a8fe060/evidence")
.header("Content-Type", "application/json")
.header("Accept", "application/json")
.header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
.body("{\"reported\":\"2019-08-24T14:15:22Z\",\"caption\":\"Severity changed\",\"messageId\":\"string\",\"description\":\"System Admin has changed severity from Low to Medium\",\"externalId\":\"345ffe9a\"}")
.asString();
POST /incidents/{incident_id}/evidence
Creates a new incident evidence
Body parameter
{
"reported": "2019-08-24T14:15:22Z",
"caption": "Severity changed",
"messageId": "string",
"description": "System Admin has changed severity from Low to Medium",
"externalId": "345ffe9a"
}
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
incident_id | path | string | true | The unique ID of the incident |
body | body | CreateEvidenceRequest | true | none |
Example responses
201 Response
{
"id": "5aa4d8fcbdee5a000a911882",
"type": "MITRE_ATTACK_ADDED",
"reported": "2019-08-24T14:15:22Z",
"created": "2019-08-24T14:15:22Z",
"caption": "Severity changed",
"description": "System Admin has changed severity from Low to Medium",
"messageId": "string",
"messageCdcUrl": "https://acme.cyberproof.io/home/incidents/5ea71bb363f6c6001707663b/evidence/5ea71bb363f6c6001707254a",
"externalId": "345ffe9a",
"data": {}
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
201 | Created | The evidence has been created | Evidence |
400 | Bad Request | The request is invalid | None |
401 | Unauthorized | Authentication failure | None |
403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
404 | Not Found | The requested resource was not found | None |
409 | Conflict | The request conflicts with the current state of the resource. | None |
413 | Payload Too Large | The payload sent by the client exceeds the size limits imposed by the server | None |
429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate limiting policy of the server. | None |
500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
503 | Service Unavailable | The server cannot handle the request at the moment | None |
504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
observables
Observables APIs
getObservable
Code samples
curl --request GET \
--url 'https://test-api.cyberproof.io/api/v1/observables?observable_type=IPv4%20Address&observable_value=192.168.40.45' \
--header 'Accept: application/json' \
--header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a'
fetch("https://test-api.cyberproof.io/api/v1/observables?observable_type=IPv4%20Address&observable_value=192.168.40.45", {
"method": "GET",
"headers": {
"Accept": "application/json",
"X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
}
})
.then(response => {
console.log(response);
})
.catch(err => {
console.error(err);
});
import http.client
conn = http.client.HTTPSConnection("test-api.cyberproof.io")
headers = {
'Accept': "application/json",
'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("GET", "/api/v1/observables?observable_type=IPv4%20Address&observable_value=192.168.40.45", headers=headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
package main
import (
"fmt"
"net/http"
"io/ioutil"
)
func main() {
url := "https://test-api.cyberproof.io/api/v1/observables?observable_type=IPv4%20Address&observable_value=192.168.40.45"
req, _ := http.NewRequest("GET", url, nil)
req.Header.Add("Accept", "application/json")
req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
res, _ := http.DefaultClient.Do(req)
defer res.Body.Close()
body, _ := ioutil.ReadAll(res.Body)
fmt.Println(res)
fmt.Println(string(body))
}
var client = new HttpClient();
var request = new HttpRequestMessage
{
Method = HttpMethod.Get,
RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/observables?observable_type=IPv4%20Address&observable_value=192.168.40.45"),
Headers =
{
{ "Accept", "application/json" },
{ "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
},
};
using (var response = await client.SendAsync(request))
{
response.EnsureSuccessStatusCode();
var body = await response.Content.ReadAsStringAsync();
Console.WriteLine(body);
}
HttpResponse<String> response = Unirest.get("https://test-api.cyberproof.io/api/v1/observables?observable_type=IPv4%20Address&observable_value=192.168.40.45")
.header("Accept", "application/json")
.header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
.asString();
GET /observables
Gets the specified observable based on its type and value.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
observable_type | query | string | true | The type of the observable |
observable_value | query | string | true | The value of the observable |
Example responses
200 Response
{
"id": "5e13b88122c957000787db06",
"type": "IPv4 Address",
"isIoc": false,
"value": "192.168.40.45",
"created": "2019-08-24T14:15:22Z",
"updated": "2019-08-24T14:15:22Z",
"suspiciousRate": 3.2,
"tags": [
"Critical-Infrastructure"
],
"enrichments": [
{
"id": "5e13b88122c957000787db06",
"name": "VirusTotal",
"reported": "2019-08-24T14:15:22Z",
"suspiciousRate": 3.2
}
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | A JSON object containing the observable | ObservableSummary |
400 | Bad Request | The request is invalid | None |
401 | Unauthorized | Authentication failure | None |
403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
404 | Not Found | The requested resource was not found | None |
429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate limiting policy of the server. | None |
500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
503 | Service Unavailable | The server cannot handle the request at the moment | None |
504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
queryObservableAlertIds
Code samples
curl --request GET \
--url 'https://test-api.cyberproof.io/api/v1/observables/alert-ids?observable_type=IPv4%20Address&observable_value=192.168.40.45' \
--header 'Accept: application/json' \
--header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a'
fetch("https://test-api.cyberproof.io/api/v1/observables/alert-ids?observable_type=IPv4%20Address&observable_value=192.168.40.45", {
"method": "GET",
"headers": {
"Accept": "application/json",
"X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
}
})
.then(response => {
console.log(response);
})
.catch(err => {
console.error(err);
});
import http.client
conn = http.client.HTTPSConnection("test-api.cyberproof.io")
headers = {
'Accept': "application/json",
'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("GET", "/api/v1/observables/alert-ids?observable_type=IPv4%20Address&observable_value=192.168.40.45", headers=headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
package main
import (
"fmt"
"net/http"
"io/ioutil"
)
func main() {
url := "https://test-api.cyberproof.io/api/v1/observables/alert-ids?observable_type=IPv4%20Address&observable_value=192.168.40.45"
req, _ := http.NewRequest("GET", url, nil)
req.Header.Add("Accept", "application/json")
req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
res, _ := http.DefaultClient.Do(req)
defer res.Body.Close()
body, _ := ioutil.ReadAll(res.Body)
fmt.Println(res)
fmt.Println(string(body))
}
var client = new HttpClient();
var request = new HttpRequestMessage
{
Method = HttpMethod.Get,
RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/observables/alert-ids?observable_type=IPv4%20Address&observable_value=192.168.40.45"),
Headers =
{
{ "Accept", "application/json" },
{ "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
},
};
using (var response = await client.SendAsync(request))
{
response.EnsureSuccessStatusCode();
var body = await response.Content.ReadAsStringAsync();
Console.WriteLine(body);
}
HttpResponse<String> response = Unirest.get("https://test-api.cyberproof.io/api/v1/observables/alert-ids?observable_type=IPv4%20Address&observable_value=192.168.40.45")
.header("Accept", "application/json")
.header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
.asString();
GET /observables/alert-ids
Queries alert IDs associated with the observable.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
observable_type | query | string | true | The type of the observable |
observable_value | query | string | true | The value of the observable |
marker | query | string(byte) | false | A continuation token, used to retrieve the next results page. |
Example responses
200 Response
{
"nextMarker": "string",
"results": [
"string"
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | A JSON object containing the results and additional information | ObservableAlertIdsQueryResults |
400 | Bad Request | The request is invalid | None |
401 | Unauthorized | Authentication failure | None |
403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
404 | Not Found | The requested resource was not found | None |
429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate limiting policy of the server. | None |
500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
503 | Service Unavailable | The server cannot handle the request at the moment | None |
504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
queryObservableIncidentIds
Code samples
curl --request GET \
--url 'https://test-api.cyberproof.io/api/v1/observables/incident-ids?observable_type=IPv4%20Address&observable_value=192.168.40.45' \
--header 'Accept: application/json' \
--header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a'
fetch("https://test-api.cyberproof.io/api/v1/observables/incident-ids?observable_type=IPv4%20Address&observable_value=192.168.40.45", {
"method": "GET",
"headers": {
"Accept": "application/json",
"X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
}
})
.then(response => {
console.log(response);
})
.catch(err => {
console.error(err);
});
import http.client
conn = http.client.HTTPSConnection("test-api.cyberproof.io")
headers = {
'Accept': "application/json",
'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("GET", "/api/v1/observables/incident-ids?observable_type=IPv4%20Address&observable_value=192.168.40.45", headers=headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
package main
import (
"fmt"
"net/http"
"io/ioutil"
)
func main() {
url := "https://test-api.cyberproof.io/api/v1/observables/incident-ids?observable_type=IPv4%20Address&observable_value=192.168.40.45"
req, _ := http.NewRequest("GET", url, nil)
req.Header.Add("Accept", "application/json")
req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
res, _ := http.DefaultClient.Do(req)
defer res.Body.Close()
body, _ := ioutil.ReadAll(res.Body)
fmt.Println(res)
fmt.Println(string(body))
}
var client = new HttpClient();
var request = new HttpRequestMessage
{
Method = HttpMethod.Get,
RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/observables/incident-ids?observable_type=IPv4%20Address&observable_value=192.168.40.45"),
Headers =
{
{ "Accept", "application/json" },
{ "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
},
};
using (var response = await client.SendAsync(request))
{
response.EnsureSuccessStatusCode();
var body = await response.Content.ReadAsStringAsync();
Console.WriteLine(body);
}
HttpResponse<String> response = Unirest.get("https://test-api.cyberproof.io/api/v1/observables/incident-ids?observable_type=IPv4%20Address&observable_value=192.168.40.45")
.header("Accept", "application/json")
.header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
.asString();
GET /observables/incident-ids
Queries incident IDs associated with the observable.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
observable_type | query | string | true | The type of the observable |
observable_value | query | string | true | The value of the observable |
marker | query | string(byte) | false | A continuation token, used to retrieve the next results page. |
Example responses
200 Response
{
"nextMarker": "string",
"results": [
"string"
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | A JSON object containing the results and additional information | ObservableIncidentIdsQueryResults |
400 | Bad Request | The request is invalid | None |
401 | Unauthorized | Authentication failure | None |
403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
404 | Not Found | The requested resource was not found | None |
429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate limiting policy of the server. | None |
500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
503 | Service Unavailable | The server cannot handle the request at the moment | None |
504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
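An added example (not part of the CyberProof documentation or SDK) that ties the three observables endpoints above together as an IOC pivot: it encodes the `observable_type` / `observable_value` query (types such as `IPv4 Address` contain a space), maps 404 on `GET /observables` to "unknown observable", and then collects every alert and incident id, following `nextMarker` on the two id queries. `FakeObservablesApi` is a constructed stand-in so the example runs offline; treating a missing `nextMarker` as the last page is this example's assumption.

```python
import json
import http.client
from typing import Callable, List, Optional, Tuple
from urllib.parse import parse_qs, quote, urlencode, urlparse

Transport = Callable[[str, str], Tuple[int, dict]]   # (method, path) -> (status, json)


def http_transport(host: str, api_key: str) -> Transport:
    """Real transport over http.client, as in the page's Python samples."""
    def send(method, path):
        conn = http.client.HTTPSConnection(host)
        conn.request(method, path, headers={"Accept": "application/json",
                                            "X-API-KEY": api_key})
        res = conn.getresponse()
        data = res.read()
        conn.close()
        return res.status, (json.loads(data) if data else {})
    return send


def observable_query(obs_type: str, value: str, marker: str = None) -> str:
    """Query string shared by the three /observables endpoints. Types contain
    spaces ('IPv4 Address'), so encode with quote (space -> %20, as the samples do)."""
    q = {"observable_type": obs_type, "observable_value": value}
    if marker:
        q["marker"] = marker
    return urlencode(q, quote_via=quote)


def get_observable(send: Transport, obs_type: str, value: str) -> Optional[dict]:
    """GET /observables; None when the platform does not know the observable (404)."""
    status, body = send("GET", "/api/v1/observables?" + observable_query(obs_type, value))
    if status == 404:
        return None
    if status != 200:
        raise RuntimeError(f"getObservable: HTTP {status} {body}")
    return body


def _all_ids(send: Transport, path: str, obs_type: str, value: str) -> List[str]:
    """Collect every id from a marker-paginated id query (alert-ids / incident-ids)."""
    ids, marker = [], None
    while True:
        status, body = send("GET", f"{path}?{observable_query(obs_type, value, marker)}")
        if status != 200:
            raise RuntimeError(f"{path}: HTTP {status} {body}")
        ids.extend(body.get("results", []))
        marker = body.get("nextMarker")   # absent or null is assumed to mean last page
        if not marker:
            return ids


def pivot(send: Transport, obs_type: str, value: str) -> Optional[dict]:
    """Everything the platform links to one observable: its summary plus all
    alert and incident ids, the usual starting point when triaging an IOC."""
    summary = get_observable(send, obs_type, value)
    if summary is None:
        return None
    return {"observable": summary,
            "alert_ids": _all_ids(send, "/api/v1/observables/alert-ids", obs_type, value),
            "incident_ids": _all_ids(send, "/api/v1/observables/incident-ids", obs_type, value)}


class FakeObservablesApi:
    """Constructed stand-in so the example runs offline: one known observable
    (the page's example), three alert ids served two per page, one incident id."""
    def __init__(self):
        self.known = {("IPv4 Address", "192.168.40.45"): {
            "id": "5e13b88122c957000787db06", "type": "IPv4 Address",
            "value": "192.168.40.45", "isIoc": False, "suspiciousRate": 3.2}}
        self.alert_ids = ["alert-a", "alert-b", "alert-c"]     # constructed ids
        self.incident_ids = ["incident-x"]                     # constructed id
        self.paths = []

    def __call__(self, method, path):
        self.paths.append(path)
        url = urlparse(path)
        q = parse_qs(url.query)   # parse_qs decodes %20 back to a space
        key = (q["observable_type"][0], q["observable_value"][0])
        if key not in self.known:
            return 404, {}
        if url.path == "/api/v1/observables":
            return 200, dict(self.known[key])
        ids = self.alert_ids if url.path.endswith("/alert-ids") else self.incident_ids
        start = int(q.get("marker", ["0"])[0])
        nxt = str(start + 2) if start + 2 < len(ids) else None
        return 200, {"nextMarker": nxt, "results": ids[start:start + 2]}
```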
files
Files APIs
uploadFile
Code samples
curl --request POST \
--url 'https://test-api.cyberproof.io/api/v1/files/upload?scopeId=5e7c6cf54b832e0018f191ad&scopeType=alert' \
--header 'Accept: application/json' \
--header 'Content-Type: multipart/form-data; boundary=---011000010111000001101001' \
--header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a' \
--form 'relations=[{"type": "vega", "id": "5e7c6cf54b832e0018f191ad"}]' \
--form password=test123 \
--form file=string
const form = new FormData();
form.append("relations", "[{\"type\": \"vega\", \"id\": \"5e7c6cf54b832e0018f191ad\"}]");
form.append("password", "test123");
form.append("file", "string");
fetch("https://test-api.cyberproof.io/api/v1/files/upload?scopeId=5e7c6cf54b832e0018f191ad&scopeType=alert", {
"method": "POST",
"headers": {
"Content-Type": "multipart/form-data; boundary=---011000010111000001101001",
"Accept": "application/json",
"X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
}
})
.then(response => {
console.log(response);
})
.catch(err => {
console.error(err);
});
import http.client
conn = http.client.HTTPSConnection("test-api.cyberproof.io")
payload = "-----011000010111000001101001\r\nContent-Disposition: form-data; name=\"relations\"\r\n\r\n[{\"type\": \"vega\", \"id\": \"5e7c6cf54b832e0018f191ad\"}]\r\n-----011000010111000001101001\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\ntest123\r\n-----011000010111000001101001\r\nContent-Disposition: form-data; name=\"file\"\r\n\r\nstring\r\n-----011000010111000001101001--\r\n"
headers = {
'Content-Type': "multipart/form-data; boundary=---011000010111000001101001",
'Accept': "application/json",
'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("POST", "/api/v1/files/upload?scopeId=5e7c6cf54b832e0018f191ad&scopeType=alert", payload, headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
package main
import (
"fmt"
"strings"
"net/http"
"io/ioutil"
)
func main() {
url := "https://test-api.cyberproof.io/api/v1/files/upload?scopeId=5e7c6cf54b832e0018f191ad&scopeType=alert"
payload := strings.NewReader("-----011000010111000001101001\r\nContent-Disposition: form-data; name=\"relations\"\r\n\r\n[{\"type\": \"vega\", \"id\": \"5e7c6cf54b832e0018f191ad\"}]\r\n-----011000010111000001101001\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\ntest123\r\n-----011000010111000001101001\r\nContent-Disposition: form-data; name=\"file\"\r\n\r\nstring\r\n-----011000010111000001101001--\r\n")
req, _ := http.NewRequest("POST", url, payload)
req.Header.Add("Content-Type", "multipart/form-data; boundary=---011000010111000001101001")
req.Header.Add("Accept", "application/json")
req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
res, _ := http.DefaultClient.Do(req)
defer res.Body.Close()
body, _ := ioutil.ReadAll(res.Body)
fmt.Println(res)
fmt.Println(string(body))
}
var client = new HttpClient();
var request = new HttpRequestMessage
{
Method = HttpMethod.Post,
RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/files/upload?scopeId=5e7c6cf54b832e0018f191ad&scopeType=alert"),
Headers =
{
{ "Accept", "application/json" },
{ "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
},
Content = new MultipartFormDataContent
{
new StringContent("[{\"type\": \"vega\", \"id\": \"5e7c6cf54b832e0018f191ad\"}]")
{
Headers =
{
ContentDisposition = new ContentDispositionHeaderValue("form-data")
{
Name = "relations",
}
}
},
new StringContent("test123")
{
Headers =
{
ContentDisposition = new ContentDispositionHeaderValue("form-data")
{
Name = "password",
}
}
},
new StringContent("string")
{
Headers =
{
ContentDisposition = new ContentDispositionHeaderValue("form-data")
{
Name = "file",
}
}
},
},
};
using (var response = await client.SendAsync(request))
{
response.EnsureSuccessStatusCode();
var body = await response.Content.ReadAsStringAsync();
Console.WriteLine(body);
}
HttpResponse<String> response = Unirest.post("https://test-api.cyberproof.io/api/v1/files/upload?scopeId=5e7c6cf54b832e0018f191ad&scopeType=alert")
.header("Content-Type", "multipart/form-data; boundary=---011000010111000001101001")
.header("Accept", "application/json")
.header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
.body("-----011000010111000001101001\r\nContent-Disposition: form-data; name=\"relations\"\r\n\r\n[{\"type\": \"vega\", \"id\": \"5e7c6cf54b832e0018f191ad\"}]\r\n-----011000010111000001101001\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\ntest123\r\n-----011000010111000001101001\r\nContent-Disposition: form-data; name=\"file\"\r\n\r\nstring\r\n-----011000010111000001101001--\r\n")
.asString();
POST /files/upload
Upload a new file
Securely upload a new file to CDC.
Maximum file size: 12 MiB (12,582,912 bytes). Larger uploads are rejected with 413 Payload Too Large.
Body parameter
relations: '[{"type": "vega", "id": "5e7c6cf54b832e0018f191ad"}]'
password: test123
file: string
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
scopeId | query | string | true | A unique, machine-oriented ID identifying this scope. Must be provided together with scopeType, e.g. if scopeType = alert, then scopeId = [the alert ID]. |
scopeType | query | string | true | The type of the entity ( alert / incident / channel / visualization...) |
body | body | UploadFileRequest | true | none |
Detailed descriptions
scopeId: A unique, machine-oriented ID identifying this scope. Must be provided together with scopeType, e.g. if scopeType = alert, then scopeId = [the alert ID].
Enumerated Values
Parameter | Value |
---|---|
scopeType | alert |
scopeType | incident |
scopeType | channel |
scopeType | visualization |
Example responses
201 Response
{
"status": "uploaded",
"id": "5e7c6cf54b832e0018f191ad",
"name": "attachment.txt",
"scope": {
"id": "616ea579f2631c8d4c68a1b7",
"type": "alert"
},
"size": 2680000,
"mimeType": "text/plain",
"extension": "txt",
"createdAt": "2019-08-24T14:15:22Z",
"createdBy": "8e2c4cf54b832e0018f191ad",
"relations": [
{
"type": "vega",
"id": "8e2c4cf54b832e0018f191ad"
}
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
201 | Created | Listing information for the uploaded file | FileInfo |
400 | Bad Request | The request is invalid | None |
401 | Unauthorized | Authentication failure | None |
403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
413 | Payload Too Large | The payload sent by the client exceeds the size limits imposed by the server (12 MiB for this operation) | None |
429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate-limiting policy of the server. | None |
500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
503 | Service Unavailable | The server cannot handle the request at the moment | None |
504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
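The generated samples above send a fixed boundary, a hard-coded API key and no client-side size check. The following is an added example (written for this page, not CyberProof's own client code) that builds the same multipart request for POST /files/upload while enforcing the constraints this page states: scopeType must be one of the enumerated values and travel with scopeId, and the file must be at most 12 MiB. The boundary is drawn randomly per request and re-drawn if it happens to occur in the file data, so file content cannot terminate a part early, and characters that could break out of the Content-Disposition header are stripped from the file name. Sending a filename attribute on the file part, reading the key from the CYBERPROOF_API_KEY environment variable and the injected transport are this example's choices, not documented by the page.

```python
import json
import os
import secrets
import urllib.parse
from typing import Dict, List, Optional, Tuple

MAX_UPLOAD_BYTES = 12_582_912  # 12 MiB, the limit this page states for POST /files/upload
UPLOAD_SCOPE_TYPES = ("alert", "incident", "channel", "visualization")


class UploadTooLarge(ValueError):
    """Raised before any bytes leave the host; the server would otherwise answer 413."""


def encode_multipart(parts: List[Tuple[str, Optional[str], str, bytes]], boundary: str) -> bytes:
    """Encode (field name, filename or None, content type, payload) tuples as multipart/form-data."""
    out = bytearray()
    for name, filename, ctype, payload in parts:
        disposition = f'form-data; name="{name}"'
        if filename is not None:
            disposition += f'; filename="{filename}"'
        out += f"--{boundary}\r\nContent-Disposition: {disposition}\r\nContent-Type: {ctype}\r\n\r\n".encode()
        out += payload + b"\r\n"
    out += f"--{boundary}--\r\n".encode()
    return bytes(out)


def build_upload_request(file_name: str, data: bytes, scope_type: str, scope_id: str,
                         api_key: Optional[str] = None, relations: Optional[list] = None,
                         password: Optional[str] = None) -> Tuple[str, Dict[str, str], bytes]:
    """Return (path, headers, body) for POST /files/upload, validated client-side."""
    # Assumption: the key lives in the environment rather than in source, as in the page's samples.
    api_key = api_key or os.environ.get("CYBERPROOF_API_KEY")
    if not api_key:
        raise RuntimeError("set CYBERPROOF_API_KEY rather than hard-coding the key in source")
    if scope_type not in UPLOAD_SCOPE_TYPES:
        raise ValueError(f"unsupported scopeType {scope_type!r}")
    if not scope_id:
        raise ValueError("scopeId must be provided together with scopeType")
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadTooLarge(f"{len(data)} bytes exceeds the {MAX_UPLOAD_BYTES}-byte limit")

    # Fresh random boundary per request; re-draw if it occurs in the data so the
    # file content can never close a part early or smuggle in an extra field.
    boundary = secrets.token_hex(16)
    while boundary.encode() in data:
        boundary = secrets.token_hex(16)

    # Strip characters that would let a file name break out of the Content-Disposition header.
    safe_name = "".join(ch for ch in file_name if ch not in '"\r\n')

    parts: List[Tuple[str, Optional[str], str, bytes]] = []
    if relations is not None:
        parts.append(("relations", None, "application/json", json.dumps(relations).encode()))
    if password is not None:  # the page lists this field but does not say what it protects
        parts.append(("password", None, "text/plain; charset=utf-8", password.encode()))
    parts.append(("file", safe_name, "application/octet-stream", data))  # filename attribute is an assumption

    query = urllib.parse.urlencode({"scopeId": scope_id, "scopeType": scope_type})
    headers = {
        "Accept": "application/json",
        "Content-Type": f"multipart/form-data; boundary={boundary}",
        "X-API-KEY": api_key,
    }
    return f"/api/v1/files/upload?{query}", headers, encode_multipart(parts, boundary)


def parse_upload_response(status: int, body: bytes) -> dict:
    """Map the status codes documented for this operation onto a FileInfo dict or an error."""
    if status == 201:
        return json.loads(body)
    if status == 413:
        raise UploadTooLarge("server rejected the payload as too large")
    if status in (401, 403):
        raise PermissionError(f"HTTP {status}: check the API key and its privileges")
    if status == 429:
        raise RuntimeError("HTTP 429: throttled, back off and retry later")
    raise RuntimeError(f"HTTP {status}: {body[:200]!r}")
```

The returned path, headers and body can be handed to http.client exactly as the page's Python sample does (`conn.request("POST", path, body, headers)`); the 201 body is the FileInfo object shown in the example response, whose `id` is what later attachmentIds and download calls refer to.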
downloadFile
Code samples
curl --request GET \
--url https://test-api.cyberproof.io/api/v1/files/5e7c6cf54b832e0018f191ad/download \
--header 'Accept: application/octet-stream' \
--header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a'
fetch("https://test-api.cyberproof.io/api/v1/files/5e7c6cf54b832e0018f191ad/download", {
"method": "GET",
"headers": {
"Accept": "application/octet-stream",
"X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
}
})
.then(response => {
console.log(response);
})
.catch(err => {
console.error(err);
});
import http.client
conn = http.client.HTTPSConnection("test-api.cyberproof.io")
headers = {
'Accept': "application/octet-stream",
'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("GET", "/api/v1/files/5e7c6cf54b832e0018f191ad/download", headers=headers)
res = conn.getresponse()
data = res.read()
# The body is a binary stream (Accept: application/octet-stream): write it out, do not decode it as text
with open("downloaded.bin", "wb") as f:
    f.write(data)
package main
import (
"fmt"
"net/http"
"io/ioutil"
)
func main() {
url := "https://test-api.cyberproof.io/api/v1/files/5e7c6cf54b832e0018f191ad/download"
req, _ := http.NewRequest("GET", url, nil)
req.Header.Add("Accept", "application/octet-stream")
req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
res, _ := http.DefaultClient.Do(req)
defer res.Body.Close()
body, _ := ioutil.ReadAll(res.Body)
fmt.Println(res.Status)
// Binary stream: write it to disk rather than printing it as a string
_ = ioutil.WriteFile("downloaded.bin", body, 0600)
}
var client = new HttpClient();
var request = new HttpRequestMessage
{
Method = HttpMethod.Get,
RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/files/5e7c6cf54b832e0018f191ad/download"),
Headers =
{
{ "Accept", "application/octet-stream" },
{ "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
},
};
using (var response = await client.SendAsync(request))
{
response.EnsureSuccessStatusCode();
var body = await response.Content.ReadAsByteArrayAsync();
File.WriteAllBytes("downloaded.bin", body); // binary stream: write it out rather than treating it as text
}
HttpResponse<String> response = Unirest.get("https://test-api.cyberproof.io/api/v1/files/5e7c6cf54b832e0018f191ad/download")
.header("Accept", "application/octet-stream")
.header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
.asString();
GET /files/{file_id}/download
Download a file
Download a file by id
Errors:
- File is still uploading - Expected error code 409 (Conflict)
- File was found to contain malicious content, so it is not available - Expected error code 410 (Gone)
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
file_id | path | string | true | A unique, machine-oriented ID identifying this file. |
thumbnail | query | boolean | false | Download thumbnail image if exists |
Detailed descriptions
thumbnail: Download the thumbnail image if one exists. A thumbnail is a small image representation of a larger image or video.
Example responses
200 Response
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | Binary file stream with file contents | DownloadFileResponse |
400 | Bad Request | The request is invalid | None |
401 | Unauthorized | Authentication failure | None |
403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
404 | Not Found | The requested resource was not found | None |
409 | Conflict | The request conflicts with the current state of the resource (for this operation: the file is still uploading). | None |
410 | Gone | The resource requested is no longer available and will not be available again (for this operation: the file was found to contain malicious content). The client should not request the resource in the future. | None |
413 | Payload Too Large | The payload sent by the client exceeds the size limits imposed by the server | None |
429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate-limiting policy of the server. | None |
500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
503 | Service Unavailable | The server cannot handle the request at the moment | None |
504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
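The 409 and 410 responses above need different treatment: a 409 means the upload (and presumably its scanning) has not finished and is worth retrying, while a 410 means the file was flagged as malicious and will never become available. This added example (not CyberProof's client code) wraps GET /files/{file_id}/download with that logic and with two hardening steps the page does not spell out: the file id is percent-encoded so it cannot alter the request path, and the local destination is derived without trusting the server-supplied FileInfo name. The transport callable, the sleep injection and honouring a Retry-After header (which the page does not document) are this example's assumptions.

```python
import os
import re
import time
import urllib.parse
from typing import Callable, Dict, Tuple

# transport(method, path, headers) -> (status, response headers, body). Injected so the
# retry logic can be exercised offline; a real one would wrap http.client or requests.
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, Dict[str, str], bytes]]


class FileQuarantined(Exception):
    """410 Gone: the file was found to contain malicious content and will not become available."""


class FileNotReady(Exception):
    """409 Conflict persisted: the upload was still in progress when the retry budget ran out."""


def download_file(transport: Transport, file_id: str, api_key: str, thumbnail: bool = False,
                  max_attempts: int = 5, sleep=time.sleep) -> bytes:
    """GET /files/{file_id}/download with the status handling this page documents."""
    # Percent-encode the id so a hostile value such as "../x" cannot change the request path.
    path = f"/api/v1/files/{urllib.parse.quote(file_id, safe='')}/download"
    if thumbnail:
        path += "?thumbnail=true"
    headers = {"Accept": "application/octet-stream", "X-API-KEY": api_key}
    delay = 1.0
    for _ in range(max_attempts):
        status, resp_headers, body = transport("GET", path, headers)
        if status == 200:
            return body
        if status == 410:
            raise FileQuarantined(file_id)  # do not retry: the page says it will not come back
        if status in (409, 429):
            # Still uploading or throttled: honour Retry-After if the server sends one
            # (an assumption; the page does not document the header), else back off exponentially.
            wait = float(resp_headers.get("Retry-After", delay))
            sleep(wait)
            delay = min(delay * 2, 30.0)
            continue
        if status == 404:
            raise FileNotFoundError(file_id)
        if status in (401, 403):
            raise PermissionError(f"HTTP {status}: check the API key and its privileges")
        raise RuntimeError(f"HTTP {status} downloading {file_id}")
    raise FileNotReady(file_id)


def safe_dest_path(dest_dir: str, file_id: str, name: str) -> str:
    """Derive a local path from the server-supplied FileInfo name without trusting it.

    Only the base name is kept, unusual characters are replaced, and the result is
    checked to stay inside dest_dir, so a name like "../../etc/passwd" cannot escape.
    """
    base = re.sub(r"[^A-Za-z0-9._-]", "_", os.path.basename(name)) or "file"
    dest = os.path.realpath(os.path.join(dest_dir, f"{file_id}_{base}"))
    root = os.path.realpath(dest_dir)
    if os.path.commonpath([root, dest]) != root:
        raise ValueError("destination escapes the download directory")
    return dest
```

Treat whatever comes back as untrusted content: a file that passed the platform's checks when the FileInfo was created is still an analyst's attachment from an incident, so write it with restrictive permissions and hand it to tooling rather than opening it interactively.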
queryFiles
Code samples
curl --request GET \
--url https://test-api.cyberproof.io/api/v1/files \
--header 'Accept: application/json' \
--header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a'
fetch("https://test-api.cyberproof.io/api/v1/files", {
"method": "GET",
"headers": {
"Accept": "application/json",
"X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
}
})
.then(response => {
console.log(response);
})
.catch(err => {
console.error(err);
});
import http.client
conn = http.client.HTTPSConnection("test-api.cyberproof.io")
headers = {
'Accept': "application/json",
'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("GET", "/api/v1/files", headers=headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
package main
import (
"fmt"
"net/http"
"io/ioutil"
)
func main() {
url := "https://test-api.cyberproof.io/api/v1/files"
req, _ := http.NewRequest("GET", url, nil)
req.Header.Add("Accept", "application/json")
req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
res, _ := http.DefaultClient.Do(req)
defer res.Body.Close()
body, _ := ioutil.ReadAll(res.Body)
fmt.Println(res)
fmt.Println(string(body))
}
var client = new HttpClient();
var request = new HttpRequestMessage
{
Method = HttpMethod.Get,
RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/files"),
Headers =
{
{ "Accept", "application/json" },
{ "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
},
};
using (var response = await client.SendAsync(request))
{
response.EnsureSuccessStatusCode();
var body = await response.Content.ReadAsStringAsync();
Console.WriteLine(body);
}
HttpResponse<String> response = Unirest.get("https://test-api.cyberproof.io/api/v1/files")
.header("Accept", "application/json")
.header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
.asString();
GET /files
Query files
Query files (file metadata) by different parameters (i.e. scope, id, file names, etc.). Sorting and pagination are supported using a marker.
- Logic between the filters: AND, i.e. all conditions must be satisfied
- Default sorting: creation time, ascending
- Items per page: 30
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
marker | query | string(byte) | false | A continuation token, used to retrieve the next results page. |
ids | query | array[string] | false | Filter files by id |
status | query | array[string] | false | Filter files by status |
fileName | query | string | false | Filter files by fileName |
scopeType | query | string | false | Filter files by entity scope type. |
scopeId | query | string | false | Filter files by Entity scope ID. |
Detailed descriptions
fileName: Filter files by fileName. A partial file name can be provided, e.g. given fileName = 'ample', the file 'sample.txt' will be found, assuming it exists in the system and all other filters apply.
scopeType: Filter files by entity scope type. This filter is tied to scopeId: if scopeType is provided then scopeId must be provided as well.
scopeId: Filter files by entity scope ID, e.g. query only files associated with the alert with ID 5a9e19eebdee5a000a8fe060. This filter is tied to scopeType: if scopeId is provided then scopeType must be provided as well.
Enumerated Values
Parameter | Value |
---|---|
scopeType | alert |
scopeType | incident |
scopeType | channel |
scopeType | visualization |
Example responses
200 Response
{
"nextMarker": "string",
"results": [
{
"status": "uploaded",
"id": "5e7c6cf54b832e0018f191ad",
"name": "attachment.txt",
"scope": {
"id": "616ea579f2631c8d4c68a1b7",
"type": "alert"
},
"size": 2680000,
"mimeType": "text/plain",
"extension": "txt",
"createdAt": "2019-08-24T14:15:22Z",
"createdBy": "8e2c4cf54b832e0018f191ad",
"relations": [
{
"type": "vega",
"id": "8e2c4cf54b832e0018f191ad"
}
]
}
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | A JSON object containing the results and additional information | FilesQueryResults |
400 | Bad Request | The request is invalid | None |
401 | Unauthorized | Authentication failure | None |
403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate-limiting policy of the server. | None |
500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
503 | Service Unavailable | The server cannot handle the request at the moment | None |
504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
messages
createMessage
Code samples
curl --request POST \
--url https://test-api.cyberproof.io/api/v1/messages \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a' \
--data '{"externalId":"111e3cf9-da0e-46a1-b099-3fd2e653ecbd","scope":{"id":"616ea579f2631c8d4c68a1b7","type":"alert"},"parentMessageId":"616ea579f2631c8d4c68a1b7","attachmentIds":["616ea579f2631c8d4c68a1b7"],"content":{"message":"some text <b>bold</b> message","contentType":"text"}}'
fetch("https://test-api.cyberproof.io/api/v1/messages", {
"method": "POST",
"headers": {
"Content-Type": "application/json",
"Accept": "application/json",
"X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
},
"body": "{\"externalId\":\"111e3cf9-da0e-46a1-b099-3fd2e653ecbd\",\"scope\":{\"id\":\"616ea579f2631c8d4c68a1b7\",\"type\":\"alert\"},\"parentMessageId\":\"616ea579f2631c8d4c68a1b7\",\"attachmentIds\":[\"616ea579f2631c8d4c68a1b7\"],\"content\":{\"message\":\"some text <b>bold</b> message\",\"contentType\":\"text\"}}"
})
.then(response => {
console.log(response);
})
.catch(err => {
console.error(err);
});
import http.client
conn = http.client.HTTPSConnection("test-api.cyberproof.io")
payload = "{\"externalId\":\"111e3cf9-da0e-46a1-b099-3fd2e653ecbd\",\"scope\":{\"id\":\"616ea579f2631c8d4c68a1b7\",\"type\":\"alert\"},\"parentMessageId\":\"616ea579f2631c8d4c68a1b7\",\"attachmentIds\":[\"616ea579f2631c8d4c68a1b7\"],\"content\":{\"message\":\"some text <b>bold</b> message\",\"contentType\":\"text\"}}"
headers = {
'Content-Type': "application/json",
'Accept': "application/json",
'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("POST", "/api/v1/messages", payload, headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
package main
import (
"fmt"
"strings"
"net/http"
"io/ioutil"
)
func main() {
url := "https://test-api.cyberproof.io/api/v1/messages"
payload := strings.NewReader("{\"externalId\":\"111e3cf9-da0e-46a1-b099-3fd2e653ecbd\",\"scope\":{\"id\":\"616ea579f2631c8d4c68a1b7\",\"type\":\"alert\"},\"parentMessageId\":\"616ea579f2631c8d4c68a1b7\",\"attachmentIds\":[\"616ea579f2631c8d4c68a1b7\"],\"content\":{\"message\":\"some text <b>bold</b> message\",\"contentType\":\"text\"}}")
req, _ := http.NewRequest("POST", url, payload)
req.Header.Add("Content-Type", "application/json")
req.Header.Add("Accept", "application/json")
req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
res, _ := http.DefaultClient.Do(req)
defer res.Body.Close()
body, _ := ioutil.ReadAll(res.Body)
fmt.Println(res)
fmt.Println(string(body))
}
var client = new HttpClient();
var request = new HttpRequestMessage
{
Method = HttpMethod.Post,
RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/messages"),
Headers =
{
{ "Accept", "application/json" },
{ "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
},
Content = new StringContent("{\"externalId\":\"111e3cf9-da0e-46a1-b099-3fd2e653ecbd\",\"scope\":{\"id\":\"616ea579f2631c8d4c68a1b7\",\"type\":\"alert\"},\"parentMessageId\":\"616ea579f2631c8d4c68a1b7\",\"attachmentIds\":[\"616ea579f2631c8d4c68a1b7\"],\"content\":{\"message\":\"some text <b>bold</b> message\",\"contentType\":\"text\"}}")
{
Headers =
{
ContentType = new MediaTypeHeaderValue("application/json")
}
}
};
using (var response = await client.SendAsync(request))
{
response.EnsureSuccessStatusCode();
var body = await response.Content.ReadAsStringAsync();
Console.WriteLine(body);
}
HttpResponse<String> response = Unirest.post("https://test-api.cyberproof.io/api/v1/messages")
.header("Content-Type", "application/json")
.header("Accept", "application/json")
.header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
.body("{\"externalId\":\"111e3cf9-da0e-46a1-b099-3fd2e653ecbd\",\"scope\":{\"id\":\"616ea579f2631c8d4c68a1b7\",\"type\":\"alert\"},\"parentMessageId\":\"616ea579f2631c8d4c68a1b7\",\"attachmentIds\":[\"616ea579f2631c8d4c68a1b7\"],\"content\":{\"message\":\"some text <b>bold</b> message\",\"contentType\":\"text\"}}")
.asString();
POST /messages
Create a new message
Body parameter
{
"externalId": "111e3cf9-da0e-46a1-b099-3fd2e653ecbd",
"scope": {
"id": "616ea579f2631c8d4c68a1b7",
"type": "alert"
},
"parentMessageId": "616ea579f2631c8d4c68a1b7",
"attachmentIds": [
"616ea579f2631c8d4c68a1b7"
],
"content": {
"message": "some text <b>bold</b> message",
"contentType": "text"
}
}
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
body | body | MessageCreateRequest | true | none |
Example responses
201 Response
{
"id": "616ea579f2631c8d4c68a1b7",
"externalId": "111e3cf9-da0e-46a1-b099-3fd2e653ecbd",
"scope": {
"id": "616ea579f2631c8d4c68a1b7",
"type": "alert"
},
"parentMessageId": "616ea579f2631c8d4c68a1b7",
"attachmentIds": [
"616ea579f2631c8d4c68a1b7"
],
"content": {
"message": "some text <b>bold</b> message",
"contentType": "text"
},
"attachments": [
{
"status": "uploaded",
"id": "5e7c6cf54b832e0018f191ad",
"name": "attachment.txt",
"scope": {
"id": "616ea579f2631c8d4c68a1b7",
"type": "alert"
},
"size": 2680000,
"mimeType": "text/plain",
"extension": "txt",
"createdAt": "2019-08-24T14:15:22Z",
"createdBy": "8e2c4cf54b832e0018f191ad",
"relations": [
{
"type": "vega",
"id": "8e2c4cf54b832e0018f191ad"
}
]
}
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
201 | Created | A JSON object containing the results and additional information | Message |
400 | Bad Request | The request is invalid | None |
401 | Unauthorized | Authentication failure | None |
403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
413 | Payload Too Large | The payload sent by the client exceeds the size limits imposed by the server | None |
429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate-limiting policy of the server. | None |
500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
503 | Service Unavailable | The server cannot handle the request at the moment | None |
504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
queryMessages
Code samples
curl --request GET \
--url 'https://test-api.cyberproof.io/api/v1/messages?scopeType=alert' \
--header 'Accept: application/json' \
--header 'X-API-KEY: 30c050f7fdfe466b9442570ae77dbc8a'
fetch("https://test-api.cyberproof.io/api/v1/messages?scopeType=alert", {
"method": "GET",
"headers": {
"Accept": "application/json",
"X-API-KEY": "30c050f7fdfe466b9442570ae77dbc8a"
}
})
.then(response => {
console.log(response);
})
.catch(err => {
console.error(err);
});
import http.client
conn = http.client.HTTPSConnection("test-api.cyberproof.io")
headers = {
'Accept': "application/json",
'X-API-KEY': "30c050f7fdfe466b9442570ae77dbc8a"
}
conn.request("GET", "/api/v1/messages?scopeType=alert", headers=headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
package main
import (
"fmt"
"net/http"
"io/ioutil"
)
func main() {
url := "https://test-api.cyberproof.io/api/v1/messages?scopeType=alert"
req, _ := http.NewRequest("GET", url, nil)
req.Header.Add("Accept", "application/json")
req.Header.Add("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
res, _ := http.DefaultClient.Do(req)
defer res.Body.Close()
body, _ := ioutil.ReadAll(res.Body)
fmt.Println(res)
fmt.Println(string(body))
}
var client = new HttpClient();
var request = new HttpRequestMessage
{
Method = HttpMethod.Get,
RequestUri = new Uri("https://test-api.cyberproof.io/api/v1/messages?scopeType=alert"),
Headers =
{
{ "Accept", "application/json" },
{ "X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a" },
},
};
using (var response = await client.SendAsync(request))
{
response.EnsureSuccessStatusCode();
var body = await response.Content.ReadAsStringAsync();
Console.WriteLine(body);
}
HttpResponse<String> response = Unirest.get("https://test-api.cyberproof.io/api/v1/messages?scopeType=alert")
.header("Accept", "application/json")
.header("X-API-KEY", "30c050f7fdfe466b9442570ae77dbc8a")
.asString();
GET /messages
*Queries messages based on filters provided by the client. For synchronization purposes, the updatedAfter filter option should be used.* Note that the parameter table below lists createdAfter / createdBefore only; no updatedAfter parameter is documented for this operation.
Parameters
Name | In | Type | Required | Description |
---|---|---|---|---|
marker | query | string(byte) | false | A continuation token, used to retrieve the next results page. |
scopeType | query | string | true | The type of the entity ( alert / incident / channel ...) |
scopeId | query | string | false | Filter by the ID of the entity as saved in the system. Must be supplied together with scopeType. |
fileNames | query | array[string] | false | Filter by messages that include a file with this name as an attachment. Note: if fileIds is supplied, this field is ignored. |
fileIds | query | array[string] | false | Filter by messages that include a file with this ID as an attachment. Note: this takes precedence over fileNames. |
hasAttachments | query | boolean | false | Filter by messages with (true) or without (false) attachments |
createdBy | query | string | false | Include only those which were created by a specific user ID |
createdBefore | query | string(date-time) | false | Include only those which were created before the specified timestamp (exclusive) |
createdAfter | query | string(date-time) | false | Include only those which were created after or at the specified timestamp (inclusive) |
Enumerated Values
Parameter | Value |
---|---|
scopeType | alert |
scopeType | incident |
scopeType | channel |
Example responses
200 Response
{
"nextMarker": "string",
"results": [
{
"id": "616ea579f2631c8d4c68a1b7",
"externalId": "111e3cf9-da0e-46a1-b099-3fd2e653ecbd",
"scope": {
"id": "616ea579f2631c8d4c68a1b7",
"type": "alert"
},
"parentMessageId": "616ea579f2631c8d4c68a1b7",
"attachmentIds": [
"616ea579f2631c8d4c68a1b7"
],
"content": {
"message": "some text <b>bold</b> message",
"contentType": "text"
}
}
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | A JSON object containing the results and additional information | MessagesQueryResults |
400 | Bad Request | The request is invalid | None |
401 | Unauthorized | Authentication failure | None |
403 | Forbidden | The client does not have sufficient privileges to access the requested resource or perform the requested operation | None |
413 | Payload Too Large | The payload sent by the client exceeds the size limits imposed by the server | None |
429 | Too Many Requests | Too many requests (throttled). The client should back off and retry later, in accordance with the rate-limiting policy of the server. | None |
500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request | None |
502 | Bad Gateway | The API server, acting as a gateway, got an invalid response from the underlying data store | None |
503 | Service Unavailable | The server cannot handle the request at the moment | None |
504 | Gateway Time-out | The API server, acting as a gateway, could not get a response from the underlying data store in due time | None |
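Both queryFiles and queryMessages page through results with the same marker mechanism (follow nextMarker until the server omits it, 30 items per page for files) and both tie scopeId to scopeType. The example below is added here and is not CyberProof's client code: one paginator serves both operations, queryFiles enforces the two-way scopeType/scopeId rule stated for /files, and sync_messages implements the synchronization the description asks for using the parameters the table actually documents, pulling the half-open window [createdAfter, createdBefore) so that the inclusive createdAfter does not re-deliver the boundary message on the next run. Because the Message example response carries no creation timestamp, the next watermark is the client's own `until` time rather than a value read from results; results are additionally de-duplicated by id as a guard. Sending array parameters as repeated keys (ids=a&ids=b) and the injected transport are this example's assumptions.

```python
import json
import urllib.parse
from datetime import datetime, timezone
from typing import Callable, Dict, Iterator, List, Optional, Set, Tuple

Transport = Callable[[str, str, Dict[str, str]], Tuple[int, Dict[str, str], bytes]]


def encode_query(params: dict) -> str:
    """Build a query string: None values are dropped, booleans become true/false and list
    values repeat the key (ids=a&ids=b); the repeated-key form for array[string] is an assumption."""
    items: List[Tuple[str, str]] = []
    for key, value in params.items():
        if value is None:
            continue
        if isinstance(value, bool):
            items.append((key, "true" if value else "false"))
        elif isinstance(value, (list, tuple)):
            items.extend((key, str(v)) for v in value)
        else:
            items.append((key, str(value)))
    return urllib.parse.urlencode(items)


def paginate(transport: Transport, path: str, params: dict, api_key: str) -> Iterator[dict]:
    """Yield every result across pages, following nextMarker until the server omits it."""
    if params.get("scopeId") is not None and params.get("scopeType") is None:
        raise ValueError("scopeId must be supplied together with scopeType")
    marker: Optional[str] = None
    seen_markers: Set[str] = set()
    while True:
        query = encode_query({**params, "marker": marker})
        status, _, body = transport("GET", f"{path}?{query}",
                                    {"Accept": "application/json", "X-API-KEY": api_key})
        if status != 200:
            raise RuntimeError(f"HTTP {status} from {path}")
        page = json.loads(body)
        yield from page.get("results", [])
        marker = page.get("nextMarker")
        if not marker:
            return
        if marker in seen_markers:  # a misbehaving server must not turn this into an endless loop
            raise RuntimeError("nextMarker repeated; refusing to loop forever")
        seen_markers.add(marker)


def query_files(transport: Transport, api_key: str, **filters) -> Iterator[dict]:
    """GET /files: the page says scopeType and scopeId must travel together in both directions."""
    if (filters.get("scopeType") is None) != (filters.get("scopeId") is None):
        raise ValueError("scopeType and scopeId must be supplied together")
    return paginate(transport, "/api/v1/files", filters, api_key)


def iso_now() -> str:
    """Timestamp in the date-time form the page's examples use (2019-08-24T14:15:22Z)."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def sync_messages(transport: Transport, api_key: str, scope_type: str, since: Optional[str],
                  until: str, seen_ids: Set[str], scope_id: Optional[str] = None) -> Tuple[List[dict], str]:
    """Pull messages created in [since, until) and return (new messages, next watermark).

    createdAfter is inclusive and createdBefore exclusive, so consecutive windows neither
    overlap nor leave gaps; seen_ids guards against duplicates across runs regardless.
    """
    params = {"scopeType": scope_type, "scopeId": scope_id,
              "createdAfter": since, "createdBefore": until}
    new: List[dict] = []
    for msg in paginate(transport, "/api/v1/messages", params, api_key):
        if msg["id"] in seen_ids:
            continue
        seen_ids.add(msg["id"])
        new.append(msg)
    return new, until
```

Persist the returned watermark and the seen-id set between runs; pass `until=iso_now()` captured before the query so that messages created while the pages are being fetched fall into the next window. Clock skew between the client and the platform widens or narrows the window, so take `until` a little in the past if the two clocks are not synchronised.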
Schemas
AlertSummary
{
"id": "5e7c6cf54b832e0018f191ad",
"source": "QRadar",
"sourceId": 296,
"score": 33.2,
"name": "Windows - Multiple failed logins same user same host",
"description": "Customer Name - AcmeCo\nAlert Name - Windows - Multiple failed logins same user same host\nDevice Vendor - Microsoft\nDevice Product - Microsoft Windows\nDevice Event Class Id - rule:105\n",
"severity": "Medium",
"created": "2019-08-24T14:15:22Z",
"modified": "2019-08-24T14:15:22Z",
"detected": "2019-08-24T14:15:22Z",
"status": "In Incident",
"sourceUrl": "https://192.168.41.164/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=296",
"company": "ACME Europe",
"useCase": "UC216 - EPP - Persistent Malware",
"tags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"observableTags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"categories": [
"Ransomware",
"Phishing"
],
"detectionRule": "WRONG_PASSWORD_3_ATTEMPTS",
"killChain": [
"Reconnaissance",
"Weaponization",
"Delivery"
],
"mitreAttacks": [
"T1003",
"T1001",
"T1595.001"
],
"alertType": "CTI-Landscape",
"threatType": "Phishing"
}
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
id | string | true | none | A unique, machine-oriented ID identifying this alert. |
source | string | true | none | The name of the source system |
sourceId | string | true | none | The ID of the alert in the source system |
score | number(double)¦null | false | none | The score of the alert This field is Nullable. Null value meaning: Not enough data to calculate score, could be updated later. |
name | string | true | none | The name of the alert |
description | string | true | none | The description of the alert |
severity | string | true | none | The severity of the alert |
created | string(date-time) | true | none | Alert creation timestamp |
modified | string(date-time) | true | none | Last modification timestamp |
detected | string(date-time) | true | none | Alert detection timestamp |
status | string | true | none | Alert status |
sourceUrl | string(uri) | false | none | A URI of this alert pointing to the source system |
company | string | false | none | The company with which the alert is associated |
useCase | string | false | none | Alert use case |
tags | Tags | true | none | Array of tags. A tag's name can contain only the following characters: letters, digits, -, _ and #. Tags are case-preserving on insertion: if the tag doesn't already exist with a different casing, it is saved with the casing specified. When used as query filters, tags are treated as case-insensitive. |
observableTags | [string] | true | none | List of tags of alert observables |
categories | Categories | true | none | Mapping of alert to specific category in SIEM |
detectionRule | string | false | none | Name of detection rule from SIEM that triggered the generation of alert |
killChain | KillChain | true | none | Mapping of alert to specific Kill Chain phases. See in Wikipedia |
mitreAttacks | MitreAttacks | false | none | MitreAttack Ids List |
alertType | string | true | none | The type of the alert. Must be one of the alert types defined in CDC (see Enumerated Values). When not provided, or when the value is invalid, alertType is set to General. |
threatType | string | false | none | The threat type with which this alert is associated. |
Enumerated Values
Property | Value |
---|---|
alertType | CTI-Landscape |
alertType | CTI-Assetbased |
alertType | General |
CreateAlertRequest
{
"name": "Email messages containing malware removed after delivery",
"sourceId": "345ffe9a",
"severity": "High",
"description": "message containing malware are delivered to mailboxes in your organization. Office 365 removed the infected messages from Exchange Online mailboxes.",
"sourceUrl": "http://10.0.0.90/MySIEM/api/alerts/345ffe9a",
"raw": {
"attributeInitializationInProgress": false,
"createdTime": {
"day": {
"numberInt": "18"
},
"hour": {
"numberInt": "16"
},
"milliSecond": {
"numberInt": "711"
},
"minute": {
"numberInt": "10"
},
"month": {
"numberInt": "6"
},
"second": {
"numberInt": "47"
},
"timezoneID": "Israel",
"year": {
"numberInt": "2017"
}
},
"createdTimestamp": {
"numberDouble": "1500383447711"
},
"deprecated": false,
"description": "ACME",
"disabled": false,
"inCache": true,
"inactive": false,
"initialized": true,
"isAdditionalLoaded": false,
"localID": {
"numberDouble": "30064798760"
},
"modificationCount": {
"numberInt": "1"
}
},
"observables": [
{
"type": "IPv4 Address",
"value": "192.168.40.45",
"tags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"extraProperties": {
"property1": {
"value": "aaa-bbcc",
"type": "WeakIdentifier"
},
"property2": {
"value": "aaa-bbcc",
"type": "WeakIdentifier"
}
},
"relatedExtraProperties": {
"property1": {
"sha": 256,
"type": "WeakIdentifier"
},
"property2": {
"sha": 256,
"type": "WeakIdentifier"
}
}
}
],
"useCase": "UC216 - EPP - Persistent Malware",
"company": "ACME",
"tags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"categories": [
"Ransomware",
"Phishing"
],
"detectionRule": "WRONG_PASSWORD_3_ATTEMPTS",
"alertType": "CTI-Landscape",
"threatType": "Phishing",
"threatActors": [
"Cyber Criminals",
"Anonymous"
],
"malwareTools": [
"TrickBot",
"IcedID",
"Cobalt Strike"
],
"ctiSourceUrls": [
"https://blog.malwarebytes.com/someTopic"
],
"recommendations": "Implement the attached IOCs in your security systems.",
"killChain": [
"Reconnaissance",
"Weaponization",
"Delivery"
],
"mitreAttacks": [
"T1003",
"T1001",
"T1595.001"
]
}
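The Properties tables for this schema and for AlertSummary state several constraints that a SIEM-to-CDC integration is better off enforcing before the POST than discovering from a 400 or from a silently truncated description: sourceId at most 400 characters, description truncated at 5000, detectionRule at most 256, tag names limited to letters, digits, -, _ and # (case-preserving on insert, case-insensitive on query), raw-object keys that may not start with $ or contain ., and an alertType outside the enumerated values being stored as General. The example below is added here and is not CyberProof's code; it prepares a CreateAlertRequest accordingly. The tag character class is read as ASCII, and rewriting offending raw keys ($ prefix and . both become _) is this example's convention rather than anything the API does.

```python
import copy
import re
from typing import List, Tuple

TAG_RE = re.compile(r"^[A-Za-z0-9_#-]+$")  # letters, digits, '-', '_' and '#' (ASCII reading)
ALERT_TYPES = ("CTI-Landscape", "CTI-Assetbased", "General")  # enumerated values for alertType
MAX_SOURCE_ID = 400
MAX_DESCRIPTION = 5000
MAX_DETECTION_RULE = 256


def normalise_tags(tags: List[str]) -> List[str]:
    """Reject tags with characters outside the allowed set and drop case-insensitive
    duplicates, keeping the first spelling (the API preserves case but matches ignoring it)."""
    out: List[str] = []
    seen = set()
    for tag in tags:
        if not TAG_RE.match(tag):
            raise ValueError(f"tag {tag!r} contains characters outside [A-Za-z0-9_#-]")
        if tag.lower() not in seen:
            seen.add(tag.lower())
            out.append(tag)
    return out


def sanitise_raw_keys(value):
    """Recursively rewrite object keys that start with '$' or contain '.', which the API rejects.
    The replacement ('$' prefix -> '_', '.' -> '_') is this example's convention, not the API's."""
    if isinstance(value, dict):
        fixed = {}
        for key, inner in value.items():
            new_key = "_" + key[1:] if key.startswith("$") else key
            new_key = new_key.replace(".", "_")
            fixed[new_key] = sanitise_raw_keys(inner)
        return fixed
    if isinstance(value, list):
        return [sanitise_raw_keys(v) for v in value]
    return value


def prepare_create_alert(req: dict) -> Tuple[dict, List[str]]:
    """Return a copy of the request ready to POST plus warnings about adjustments made."""
    warnings: List[str] = []
    out = copy.deepcopy(req)  # never mutate the caller's SIEM record
    for field in ("name", "sourceId", "severity", "description"):
        if not out.get(field):
            raise ValueError(f"required field {field!r} is missing")
    if len(out["sourceId"]) > MAX_SOURCE_ID:
        raise ValueError(f"sourceId exceeds {MAX_SOURCE_ID} characters")
    if len(out["description"]) > MAX_DESCRIPTION:
        # The server would truncate silently; do it here and say so, so the loss is logged.
        out["description"] = out["description"][:MAX_DESCRIPTION]
        warnings.append(f"description truncated to {MAX_DESCRIPTION} characters")
    if len(out.get("detectionRule", "")) > MAX_DETECTION_RULE:
        raise ValueError(f"detectionRule exceeds {MAX_DETECTION_RULE} characters")
    if out.get("alertType") not in ALERT_TYPES:
        warnings.append(f"alertType {out.get('alertType')!r} not recognised; CDC would store General")
        out["alertType"] = "General"
    if "tags" in out:
        out["tags"] = normalise_tags(out["tags"])
    for observable in out.get("observables", []):
        if "tags" in observable:
            observable["tags"] = normalise_tags(observable["tags"])
    if "raw" in out:
        fixed = sanitise_raw_keys(out["raw"])
        if fixed != out["raw"]:
            warnings.append("raw keys rewritten: '$' prefix or '.' is not allowed")
        out["raw"] = fixed
    return out, warnings
```

Log the warnings alongside the sourceId so that a truncated description or a rewritten raw key can be traced back to the originating SIEM event during an investigation.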
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
name | string | true | none | The name of the alert |
sourceId | string | true | none | The identifier of the alert, as it appears in the source system. In most cases this would be the ID as it appears in the SIEM. It cannot exceed 400 characters. |
severity | string | true | none | The severity of the alert. Must be one of the severities defined in CDC. |
description | string | true | none | The description of the alert. It cannot exceed 5000 characters; if it does, the request does not fail but the description is truncated. |
sourceUrl | string(uri) | false | none | The source URL of the alert in the SIEM or in the origin system |
raw | object | false | none | Alert raw data, as provided by the SIEM or source system. NOTE: the object's keys must not start with $ or contain the . character. |
observables | [object] | false | none | The observables associated with this alert |
» type | string | true | none | The type of the observable |
» value | string | true | none | The value of the observable |
» tags | Tags | false | none | Array of tags. A tag's name can contain only the following characters: letters, digits, -, _ and #. Tags are case-preserving on insertion: if the tag doesn't already exist with a different casing, it is saved with the casing specified. When used as query filters, tags are treated as case-insensitive. |
» extraProperties | object | false | none | observable additional properties |
»» additionalProperties | object | false | none | none |
»»» value | any | true | none | none |
anyOf
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
»»»» anonymous | string | false | none | none |
or
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
»»»» anonymous | number | false | none | none |
or
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
»»»» anonymous | boolean | false | none | none |
or
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
»»»» anonymous | [string] | false | none | none |
or
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
»»»» anonymous | [number] | false | none | none |
or
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
»»»» anonymous | [boolean] | false | none | none |
continued
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
»»» type | string | false | none | none |
» relatedExtraProperties | object | false | none | additional properties of observable alert relation |
»» additionalProperties | object | false | none | none |
»»» value | any | true | none | none |
anyOf
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
»»»» anonymous | string | false | none | none |
or
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
»»»» anonymous | number | false | none | none |
or
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
»»»» anonymous | boolean | false | none | none |
or
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
»»»» anonymous | [string] | false | none | none |
or
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
»»»» anonymous | [number] | false | none | none |
or
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
»»»» anonymous | [boolean] | false | none | none |
continued
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
»»» type | string | false | none | none |
useCase | string | false | none | Alert use case |
company | string | false | none | The company with which this alert is associated |
tags | Tags | false | none | Array of tags. A tag's name can contain only letters, digits, '-', '_' and '#'. Tags are case-preserving on insertion: if the tag does not already exist with a different casing, it is saved with the casing specified. When used as query filters, tags are treated as case-insensitive. |
categories | Categories | false | none | Mapping of alert to specific category in SIEM |
detectionRule | string | false | none | Name of detection rule from SIEM that triggered the generation of alert. It cannot exceed 256 characters. |
alertType | string | false | none | The type of the alert. Must be one of the alert types defined in CDC - see Enumerated values. When not provided, or set to an invalid value, alertType will be set to General. |
threatType | string | false | none | The threat type with which this alert is associated. |
threatActors | [string] | false | none | The attacker, whoever launched the attack/campaign/malware. |
malwareTools | [string] | false | none | The Malware/Tools that were used in the attack. |
ctiSourceUrls | [string] | false | none | The data source that was used for opening the alert. |
recommendations | string | false | none | Instructions on how to handle the alert. |
killChain | [string] | false | none | Mapping of alert to specific Kill Chain phases (see the Cyber Kill Chain article on Wikipedia). The case of the names is ignored, as are spaces and duplicate values; all values are normalized according to the provided enum. This field accepts any value; the provided enum shows the recommended values. |
mitreAttacks | MitreAttacks | false | none | MitreAttack Ids List |
Enumerated Values
Property | Value |
---|---|
alertType | CTI-Landscape |
alertType | CTI-Assetbased |
alertType | General |
killChain | Reconnaissance |
killChain | Weaponization |
killChain | Delivery |
killChain | Exploitation |
killChain | Installation |
killChain | Command and Control |
killChain | Actions on Objective |
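The table above lists several rules that the server applies to a createAlert body (length limits, silent truncation of description, the alertType fallback, the raw-key restriction, the tag character set and casing semantics, and killChain normalization). An integration that checks these before sending avoids silent data loss and rejected requests. The following Python is an added example written for this page, not CyberProof's own client code; it assumes "alphabetic" means ASCII letters, that the raw-key rule applies to nested objects as well, and that killChain values outside the enum are passed through unchanged (the table says the field accepts any value).

```python
import re
from typing import Any

# Constants transcribed from the schema table and its "Enumerated Values".
# Assumption: "alphabetic" means ASCII letters.
TAG_RE = re.compile(r"^[A-Za-z0-9_#-]+$")
ALERT_TYPES = {"CTI-Landscape", "CTI-Assetbased", "General"}
KILL_CHAIN = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command and Control", "Actions on Objective"]
# Lookup key ignores case and spaces, as the killChain description says.
_KC_LOOKUP = {p.lower().replace(" ", ""): p for p in KILL_CHAIN}
MAX_SOURCE_ID, MAX_DESCRIPTION, MAX_DETECTION_RULE = 400, 5000, 256


def check_raw_keys(obj: Any, path: str = "raw") -> list[str]:
    """Return paths of keys that start with '$' or contain '.'.
    Assumption: the rule applies to nested objects too, so we recurse."""
    problems: list[str] = []
    if isinstance(obj, dict):
        for key, val in obj.items():
            here = f"{path}.{key}"
            if key.startswith("$") or "." in key:
                problems.append(here)
            problems.extend(check_raw_keys(val, here))
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            problems.extend(check_raw_keys(val, f"{path}[{i}]"))
    return problems


def normalize_kill_chain(phases: list[str]) -> list[str]:
    """Map phases onto the enum ignoring case, spaces and duplicates.
    Values outside the enum are kept verbatim (the field accepts any value)."""
    out: list[str] = []
    for phase in phases:
        canonical = _KC_LOOKUP.get(phase.lower().replace(" ", ""), phase)
        if canonical not in out:
            out.append(canonical)
    return out


class TagStore:
    """Models the documented tag semantics: the first casing wins, later
    inserts with different casing resolve to it, filters are case-insensitive."""

    def __init__(self) -> None:
        self._by_fold: dict[str, str] = {}

    def insert(self, tag: str) -> str:
        return self._by_fold.setdefault(tag.casefold(), tag)

    def matches(self, tag: str) -> bool:
        return tag.casefold() in self._by_fold


def validate_alert(payload: dict) -> tuple[dict, list[str]]:
    """Return (normalised copy, errors). Errors are conditions the API
    rejects; truncation and the alertType fallback are applied silently,
    mirroring what the schema says the server does."""
    alert = dict(payload)
    errors: list[str] = []
    for field in ("name", "sourceId", "severity", "description"):
        if not alert.get(field):
            errors.append(f"{field} is required")
    if len(str(alert.get("sourceId", ""))) > MAX_SOURCE_ID:
        errors.append("sourceId exceeds 400 characters")
    if len(alert.get("detectionRule", "")) > MAX_DETECTION_RULE:
        errors.append("detectionRule exceeds 256 characters")
    if len(alert.get("description", "")) > MAX_DESCRIPTION:
        alert["description"] = alert["description"][:MAX_DESCRIPTION]
    if alert.get("alertType") not in ALERT_TYPES:
        alert["alertType"] = "General"
    all_tags = list(alert.get("tags", []))
    for obs in alert.get("observables", []):
        all_tags.extend(obs.get("tags", []))
    errors.extend(f"invalid tag {t!r}" for t in all_tags if not TAG_RE.match(t))
    errors.extend(f"illegal raw key {p}" for p in check_raw_keys(alert.get("raw", {})))
    if "killChain" in alert:
        alert["killChain"] = normalize_kill_chain(alert["killChain"])
    return alert, errors


if __name__ == "__main__":
    # Constructed sample payload exercising each rule.
    sample = {"name": "Demo", "sourceId": "345ffe9a", "severity": "High",
              "description": "x" * 6000, "alertType": "bogus",
              "tags": ["Cloud-Computing", "bad tag"], "raw": {"$bad": 1},
              "killChain": ["delivery", "DELIVERY", "command and control"]}
    fixed, errs = validate_alert(sample)
    print(len(fixed["description"]), fixed["alertType"], fixed["killChain"], errs)
```

Running the sample reports the two rejectable problems (the tag with a space and the raw key starting with `$`) while the description is cut to 5000 characters, the unknown alertType becomes General and the killChain collapses to `["Delivery", "Command and Control"]`. Truncating client-side rather than letting the server do it keeps the copy you log locally identical to what CDC stores.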
AlertsQueryResults
{
"nextMarker": "string",
"results": [
{
"id": "5e7c6cf54b832e0018f191ad",
"source": "QRadar",
"sourceId": 296,
"score": 33.2,
"name": "Windows - Multiple failed logins same user same host",
"description": "Customer Name - AcmeCo\nAlert Name - Windows - Multiple failed logins same user same host\nDevice Vendor - Microsoft\nDevice Product - Microsoft Windows\nDevice Event Class Id - rule:105\n",
"severity": "Medium",
"created": "2019-08-24T14:15:22Z",
"modified": "2019-08-24T14:15:22Z",
"detected": "2019-08-24T14:15:22Z",
"status": "In Incident",
"sourceUrl": "https://192.168.41.164/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=296",
"company": "ACME Europe",
"useCase": "UC216 - EPP - Persistent Malware",
"tags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"observableTags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"categories": [
"Ransomware",
"Phishing"
],
"detectionRule": "WRONG_PASSWORD_3_ATTEMPTS",
"killChain": [
"Reconnaissance",
"Weaponization",
"Delivery"
],
"mitreAttacks": [
"T1003",
"T1001",
"T1595.001"
],
"alertType": "CTI-Landscape",
"threatType": "Phishing"
}
]
}
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
nextMarker | string(byte) | false | none | A continuation token. Empty if there are no further results |
results | [AlertSummary] | true | none | none |
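Every *QueryResults object in this section is paginated the same way: a page carries `results` plus a `nextMarker`, and an empty marker means the listing is complete. The loop below, an added example rather than CyberProof's client code, walks such a listing and also guards against a server that keeps returning the same token or never terminates. `make_fetcher` is a constructed in-memory stand-in for the HTTP call; a real fetcher would perform the request for the relevant query endpoint and pass the marker in whatever parameter that endpoint documents, which this section does not specify.

```python
from typing import Callable, Iterator, Optional

# A Page is a *QueryResults-shaped dict: {"nextMarker": str, "results": [...]}.
Page = dict


def iterate_results(fetch_page: Callable[[Optional[str]], Page],
                    max_pages: int = 1000) -> Iterator[dict]:
    """Yield every result across pages. fetch_page(None) must return the first
    page and fetch_page(marker) the page that follows that marker. Iteration
    stops when nextMarker is empty or missing. The seen-marker set and the
    max_pages guard stop a misbehaving server from creating an endless loop."""
    marker: Optional[str] = None
    seen: set[str] = set()
    for _ in range(max_pages):
        page = fetch_page(marker)
        yield from page.get("results", [])
        marker = page.get("nextMarker") or None
        if marker is None:
            return
        if marker in seen:
            raise RuntimeError(f"server repeated nextMarker {marker!r}")
        seen.add(marker)
    raise RuntimeError(f"gave up after {max_pages} pages")


def make_fetcher(pages: list[Page]) -> Callable[[Optional[str]], Page]:
    """Constructed stand-in for the HTTP call. The marker is treated as an
    opaque token; here it happens to be the index of the next page."""
    def fetch(marker: Optional[str]) -> Page:
        return pages[0 if marker is None else int(marker)]
    return fetch


def collect_alert_ids(fetch_page: Callable[[Optional[str]], Page]) -> list[str]:
    """Drain the listing and return the alert IDs in page order."""
    return [alert["id"] for alert in iterate_results(fetch_page)]


# Constructed sample: three pages of AlertSummary-like records.
SAMPLE_PAGES = [
    {"nextMarker": "1", "results": [{"id": "a1", "severity": "Medium"},
                                     {"id": "a2", "severity": "High"}]},
    {"nextMarker": "2", "results": [{"id": "a3", "severity": "Low"}]},
    {"nextMarker": "", "results": [{"id": "a4", "severity": "High"}]},
]

if __name__ == "__main__":
    print(collect_alert_ids(make_fetcher(SAMPLE_PAGES)))  # ['a1', 'a2', 'a3', 'a4']
```

Treat the marker as opaque in production code: the schema types it as `string(byte)`, so do not parse it, compare it or persist it across runs beyond what is needed to resume a listing.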
IncidentSummary
{
"id": "string",
"key": "CDC-20191208-00046",
"name": "Web Proxy - Execution file download",
"description": "Customer Name - ACME Inc<br>Alert Name - Web Proxy - Execution file download<br>Device Product - Web Gateway<br>Category Outcome - /Failure<br>\n",
"created": "2019-08-24T14:15:22Z",
"updated": "2019-08-24T14:15:22Z",
"type": "DDOS",
"status": "Closed",
"priority": "Low",
"group": "L1",
"externalIds": [
{
"system": "ServiceNow",
"id": "40385fee"
}
],
"tags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"company": "ACME Europe",
"pendingForGroup": "string",
"redirectionReason": "string"
}
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
id | string | true | none | A unique, machine-oriented ID identifying this incident |
key | string | true | none | A unique, human-oriented key identifying this incident |
name | string | false | none | The name of the incident. Included only if the client specified it explicitly in the "include" parameter |
description | string | false | none | The incident description. Included only if the client specified it explicitly in the "include" parameter |
created | string(date-time) | true | none | The time when the incident was created |
updated | string(date-time) | true | none | The time when the incident was last updated |
type | string | true | none | Incident type |
status | string | true | none | The status of the incident |
priority | string | true | none | The priority of the incident |
group | string | false | none | The group to which this incident is currently assigned |
externalIds | ExternalIds | false | none | Array of external identifiers of the entity. Clients will only receive identifiers they have permission for, and won't be able to see identifiers of other systems. |
tags | Tags | false | none | Array of tags. A tag's name can contain only letters, digits, '-', '_' and '#'. Tags are case-preserving on insertion: if the tag does not already exist with a different casing, it is saved with the casing specified. When used as query filters, tags are treated as case-insensitive. |
company | string | false | none | The company with which this incident is associated |
pendingForGroup | string | false | none | If this incident was redirected to a different group this will contain the name of the target group |
redirectionReason | string | false | none | If this incident was redirected to a different group, this will contain the user comment provided with the redirection request |
ExternalIds
[
{
"system": "ServiceNow",
"id": "40385fee"
}
]
Array of external identifiers of the entity. Clients will only receive identifiers they have permission for, and won't be able to see identifiers of other systems.
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
system | string | true | none | none |
id | string | true | none | none |
Tags
[
"Cloud-Computing",
"Virus",
"Phishing"
]
Array of tags. A tag's name can contain only letters, digits, '-', '_' and '#'.
Tags are case-preserving on insertion: if the tag does not already exist with a different casing, it is saved with the casing specified. When used as query filters, tags are treated as case-insensitive.
Properties
None
Categories
[
"Ransomware",
"Phishing"
]
Mapping of alert to specific category in SIEM
Properties
None
Alert
{
"id": "5e7c6cf54b832e0018f191ad",
"source": "QRadar",
"sourceId": 296,
"score": 33.2,
"name": "Windows - Multiple failed logins same user same host",
"description": "Customer Name - AcmeCo\nAlert Name - Windows - Multiple failed logins same user same host\nDevice Vendor - Microsoft\nDevice Product - Microsoft Windows\nDevice Event Class Id - rule:105\n",
"severity": "Medium",
"created": "2019-08-24T14:15:22Z",
"modified": "2019-08-24T14:15:22Z",
"detected": "2019-08-24T14:15:22Z",
"status": "In Incident",
"sourceUrl": "https://192.168.41.164/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=296",
"company": "ACME Europe",
"useCase": "UC216 - EPP - Persistent Malware",
"tags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"observableTags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"categories": [
"Ransomware",
"Phishing"
],
"detectionRule": "WRONG_PASSWORD_3_ATTEMPTS",
"killChain": [
"Reconnaissance",
"Weaponization",
"Delivery"
],
"mitreAttacks": [
"T1003",
"T1001",
"T1595.001"
],
"alertType": "CTI-Landscape",
"threatType": "Phishing",
"raw": {
"attributeInitializationInProgress": false,
"createdTime": {
"day": {
"numberInt": "18"
},
"hour": {
"numberInt": "16"
},
"milliSecond": {
"numberInt": "711"
},
"minute": {
"numberInt": "10"
},
"month": {
"numberInt": "6"
},
"second": {
"numberInt": "47"
},
"timezoneID": "Israel",
"year": {
"numberInt": "2017"
}
},
"createdTimestamp": {
"numberDouble": "1500383447711"
},
"deprecated": false,
"description": "ACME",
"disabled": false,
"inCache": true,
"inactive": false,
"initialized": true,
"isAdditionalLoaded": false,
"localID": {
"numberDouble": "30064798760"
},
"modificationCount": {
"numberInt": "1"
}
},
"cdcUrl": "https://acme.cyberproof.io/home/alerts/alert/5e7c6cf54b832e0018f191ad",
"threatActors": [
"Cyber Criminals",
"Anonymous"
],
"malwareTools": [
"TrickBot",
"IcedID",
"Cobalt Strike"
],
"ctiSourceUrls": [
"https://blog.malwarebytes.com/someTopic"
],
"recommendations": "Implement the attached IOCs in your security systems."
}
Properties
allOf
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
anonymous | AlertSummary | false | none | none |
and
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
anonymous | object | false | none | none |
» raw | object | false | none | The alert raw data. Included only if the client specified it explicitly in the "include" parameter |
» cdcUrl | string(uri) | true | none | The URL of this alert in the CDC application. |
» threatActors | [string] | false | none | The attacker, whoever launched the attack/campaign/malware. |
» malwareTools | [string] | false | none | The Malware/Tools that were used in the attack. |
» ctiSourceUrls | [string] | false | none | The data source that was used for opening the alert. |
» recommendations | string | false | none | Instructions on how to handle the alert. |
Incident
{
"id": "string",
"key": "CDC-20191208-00046",
"name": "Web Proxy - Execution file download",
"description": "Customer Name - ACME Inc<br>Alert Name - Web Proxy - Execution file download<br>Device Product - Web Gateway<br>Category Outcome - /Failure<br>\n",
"created": "2019-08-24T14:15:22Z",
"updated": "2019-08-24T14:15:22Z",
"type": "DDOS",
"status": "Closed",
"priority": "Low",
"group": "L1",
"externalIds": [
{
"system": "ServiceNow",
"id": "40385fee"
}
],
"tags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"company": "ACME Europe",
"pendingForGroup": "string",
"redirectionReason": "string",
"closingComment": "string",
"closed": "2019-08-24T14:15:22Z",
"cdcUrl": "https://acme.cyberproof.io/home/incidents/incident/5ea71bb363f6c6001707663b"
}
Properties
allOf
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
anonymous | IncidentSummary | false | none | none |
and
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
anonymous | object | false | none | none |
» closingComment | string | false | none | The specified comment when it was closed. Only present if the incident was closed. |
» closed | string(date-time) | false | none | Timestamp specifying when the incident was closed. |
» cdcUrl | string(uri) | true | none | The URL of this incident in the CDC application. |
IncidentsQueryResults
{
"nextMarker": "string",
"results": [
{
"id": "string",
"key": "CDC-20191208-00046",
"name": "Web Proxy - Execution file download",
"description": "Customer Name - ACME Inc<br>Alert Name - Web Proxy - Execution file download<br>Device Product - Web Gateway<br>Category Outcome - /Failure<br>\n",
"created": "2019-08-24T14:15:22Z",
"updated": "2019-08-24T14:15:22Z",
"type": "DDOS",
"status": "Closed",
"priority": "Low",
"group": "L1",
"externalIds": [
{
"system": "ServiceNow",
"id": "40385fee"
}
],
"tags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"company": "ACME Europe",
"pendingForGroup": "string",
"redirectionReason": "string"
}
]
}
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
nextMarker | string(byte) | false | none | A continuation token. Empty if there are no further results |
results | [IncidentSummary] | true | none | none |
IncidentAlertsQueryResults
{
"nextMarker": "string",
"results": [
{
"id": "5e7c6cf54b832e0018f191ad",
"source": "QRadar",
"sourceId": 296,
"score": 33.2,
"name": "Windows - Multiple failed logins same user same host",
"description": "Customer Name - AcmeCo\nAlert Name - Windows - Multiple failed logins same user same host\nDevice Vendor - Microsoft\nDevice Product - Microsoft Windows\nDevice Event Class Id - rule:105\n",
"severity": "Medium",
"created": "2019-08-24T14:15:22Z",
"modified": "2019-08-24T14:15:22Z",
"detected": "2019-08-24T14:15:22Z",
"status": "In Incident",
"sourceUrl": "https://192.168.41.164/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=296",
"company": "ACME Europe",
"useCase": "UC216 - EPP - Persistent Malware",
"tags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"observableTags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"categories": [
"Ransomware",
"Phishing"
],
"detectionRule": "WRONG_PASSWORD_3_ATTEMPTS",
"killChain": [
"Reconnaissance",
"Weaponization",
"Delivery"
],
"mitreAttacks": [
"T1003",
"T1001",
"T1595.001"
],
"alertType": "CTI-Landscape",
"threatType": "Phishing",
"raw": {
"attributeInitializationInProgress": false,
"createdTime": {
"day": {
"numberInt": "18"
},
"hour": {
"numberInt": "16"
},
"milliSecond": {
"numberInt": "711"
},
"minute": {
"numberInt": "10"
},
"month": {
"numberInt": "6"
},
"second": {
"numberInt": "47"
},
"timezoneID": "Israel",
"year": {
"numberInt": "2017"
}
},
"createdTimestamp": {
"numberDouble": "1500383447711"
},
"deprecated": false,
"description": "ACME",
"disabled": false,
"inCache": true,
"inactive": false,
"initialized": true,
"isAdditionalLoaded": false,
"localID": {
"numberDouble": "30064798760"
},
"modificationCount": {
"numberInt": "1"
}
},
"cdcUrl": "https://acme.cyberproof.io/home/alerts/alert/5e7c6cf54b832e0018f191ad",
"threatActors": [
"Cyber Criminals",
"Anonymous"
],
"malwareTools": [
"TrickBot",
"IcedID",
"Cobalt Strike"
],
"ctiSourceUrls": [
"https://blog.malwarebytes.com/someTopic"
],
"recommendations": "Implement the attached IOCs in your security systems."
}
]
}
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
nextMarker | string(byte) | false | none | A continuation token. Empty if there are no further results |
results | [Alert] | true | none | none |
IncidentAlertIdsQueryResults
{
"nextMarker": "string",
"results": [
"string"
]
}
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
nextMarker | string(byte) | false | none | A continuation token. Empty if there are no further results |
results | [string] | true | none | alert IDs associated with this incident |
IncidentObservablesQueryResults
{
"nextMarker": "string",
"results": [
{
"id": "5e13b88122c957000787db06",
"type": "IPv4 Address",
"isIoc": false,
"value": "192.168.40.45",
"created": "2019-08-24T14:15:22Z",
"updated": "2019-08-24T14:15:22Z",
"suspiciousRate": 3.2,
"tags": [
"Critical-Infrastructure"
],
"enrichments": [
{
"id": "5e13b88122c957000787db06",
"name": "VirusTotal",
"reported": "2019-08-24T14:15:22Z",
"suspiciousRate": 3.2
}
]
}
]
}
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
nextMarker | string(byte) | false | none | A continuation token. Empty if there are no further results |
results | [ObservableSummary] | true | none | none |
EvidenceQueryResults
{
"nextMarker": "string",
"results": [
{
"id": "5aa4d8fcbdee5a000a911882",
"type": "MITRE_ATTACK_ADDED",
"reported": "2019-08-24T14:15:22Z",
"created": "2019-08-24T14:15:22Z",
"caption": "Severity changed",
"description": "System Admin has changed severity from Low to Medium",
"messageId": "string",
"messageCdcUrl": "https://acme.cyberproof.io/home/incidents/5ea71bb363f6c6001707663b/evidence/5ea71bb363f6c6001707254a",
"externalId": "345ffe9a",
"data": {}
}
]
}
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
nextMarker | string(byte) | false | none | A continuation token. Empty if there are no further results |
results | [Evidence] | true | none | none |
CreateIncidentMessageRequest
{
"externalId": "345ffe9a",
"contentType": "text",
"content": "Requires further investigation",
"evidence": {
"caption": "Severity changed",
"reported": "2019-08-24T14:15:22Z",
"description": "System Admin has changed severity from Low to Medium"
}
}
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
externalId | string | true | none | The identifier of the message, as it appears in external systems, mostly used to achieve idempotence |
contentType | string | true | none | The type of the content, currently only 'text' is supported |
content | string | true | none | The content of the message |
evidence | object | false | none | When specified, the message is marked as evidence |
» caption | string | true | none | The caption of the evidence |
» reported | string(date-time) | false | none | The time when this evidence was supposed to be reported |
» description | string | false | none | The description of this evidence |
Enumerated Values
Property | Value |
---|---|
contentType | text |
IncidentMessageSummary
{
"id": "5e7c6cf54b832e0018f191ad",
"text": "Requires further investigation",
"processedText": "Requires further investigation"
}
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
id | string | true | none | A unique, machine-oriented ID identifying this message |
text | string | true | none | The text of the message |
processedText | string | false | none | The processed text of the message |
CreateIncidentObservableRequest
{
"type": "IPv4 Address",
"value": "192.168.40.45",
"tags": [
"Critical-Infrastructure"
]
}
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
type | string | true | none | The type of the observable |
value | string | true | none | The value of the observable |
tags | [string] | false | none | Array of tags. A tag's name can contain only letters, digits, '-', '_' and '#'. |
CloseIncidentRequest
{
"closingComment": "Virus removed, performed AntiVirus software update, ensured the AntiVirus detects and quarantines emails with the virus attached"
}
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
closingComment | string | true | none | The closing comment for this incident |
UpdateIncidentRequest
{
"priority": "Low",
"tags": [
"Cloud-Computing",
"Virus",
"Phishing"
],
"company": "string"
}
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
priority | string | false | none | The priority of the incident |
tags | Tags | false | none | Array of tags. A tag's name can contain only letters, digits, '-', '_' and '#'. Tags are case-preserving on insertion: if the tag does not already exist with a different casing, it is saved with the casing specified. When used as query filters, tags are treated as case-insensitive. |
company | string | false | none | The company with which the incident is associated |
RedirectIncidentRequest
{
"targetGroup": "string",
"reason": "string"
}
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
targetGroup | string | true | none | The group to which the incident is being redirected |
reason | string | true | none | A user-provided reason for the redirection |
ObservableSummary
{
"id": "5e13b88122c957000787db06",
"type": "IPv4 Address",
"isIoc": false,
"value": "192.168.40.45",
"created": "2019-08-24T14:15:22Z",
"updated": "2019-08-24T14:15:22Z",
"suspiciousRate": 3.2,
"tags": [
"Critical-Infrastructure"
],
"enrichments": [
{
"id": "5e13b88122c957000787db06",
"name": "VirusTotal",
"reported": "2019-08-24T14:15:22Z",
"suspiciousRate": 3.2
}
]
}
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
id | string | true | none | The unique identifier of this observable |
type | string | true | none | The type of the observable |
isIoc | boolean | true | none | Whether this observable is an indicator of compromise |
value | string | true | none | The value of the observable |
created | string(date-time) | true | none | The time when the observable was created |
updated | string(date-time) | true | none | The time when the observable was last updated, including changes to the observable and association to incidents. |
suspiciousRate | number(double)¦null | true | none | The suspicious rate of the observable (higher is more suspicious), between 0 and 100. This field is nullable: a null value means there is not enough data to calculate suspiciousRate yet; it may be updated later. |
tags | [string] | true | none | The tags associated with this observable |
enrichments | [EnrichmentSummary] | true | none | The recent and valid enrichments associated with this observable |
ObservablesQueryResults
{
"nextMarker": "string",
"results": [
{
"id": "5e13b88122c957000787db06",
"type": "IPv4 Address",
"isIoc": false,
"value": "192.168.40.45",
"created": "2019-08-24T14:15:22Z",
"updated": "2019-08-24T14:15:22Z",
"suspiciousRate": 3.2,
"tags": [
"Critical-Infrastructure"
],
"enrichments": [
{
"id": "5e13b88122c957000787db06",
"name": "VirusTotal",
"reported": "2019-08-24T14:15:22Z",
"suspiciousRate": 3.2
}
]
}
]
}
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
nextMarker | string(byte) | false | none | A continuation token. Empty if there are no further results |
results | [ObservableSummary] | true | none | none |
ObservableAlertIdsQueryResults
{
"nextMarker": "string",
"results": [
"string"
]
}
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
nextMarker | string(byte) | false | none | A continuation token. Empty if there are no further results |
results | [string] | true | none | alert IDs associated with this observable |
ObservableIncidentIdsQueryResults
{
"nextMarker": "string",
"results": [
"string"
]
}
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
nextMarker | string(byte) | false | none | A continuation token. Empty if there are no further results |
results | [string] | true | none | incident IDs associated with this observable |
EnrichmentSummary
{
"id": "5e13b88122c957000787db06",
"name": "VirusTotal",
"reported": "2019-08-24T14:15:22Z",
"suspiciousRate": 3.2
}
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
id | string | true | none | The unique identifier of this enrichment |
name | string | true | none | The name of the enrichment |
reported | string(date-time) | true | none | The time when this enrichment was reported |
suspiciousRate | number(double)¦null | true | none | The suspicious rate of the observable (higher is more suspicious), between 0 and 100. This field is nullable: a null value means there is not enough data to calculate suspiciousRate yet; it may be updated later. |
Evidence
{
"id": "5aa4d8fcbdee5a000a911882",
"type": "MITRE_ATTACK_ADDED",
"reported": "2019-08-24T14:15:22Z",
"created": "2019-08-24T14:15:22Z",
"caption": "Severity changed",
"description": "System Admin has changed severity from Low to Medium",
"messageId": "string",
"messageCdcUrl": "https://acme.cyberproof.io/home/incidents/5ea71bb363f6c6001707663b/evidence/5ea71bb363f6c6001707254a",
"externalId": "345ffe9a",
"data": {}
}
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
id | string | true | none | A unique, machine-oriented ID identifying this evidence. |
type | string | true | none | The type of evidence |
reported | string(date-time) | true | none | The time when this evidence was reported |
created | string(date-time) | true | none | The time when this evidence was created |
caption | string | false | none | The caption of the evidence |
description | string | false | none | The description of this evidence |
messageId | string | false | none | The ID of the message this evidence was created from |
messageCdcUrl | string | false | none | The URL of the message in the CDC application that this evidence was created from. |
externalId | string | false | none | The identifier of the evidence, as it appears in external systems, mostly used to achieve idempotence |
data | object | false | none | Additional evidence metadata |
Enumerated Values
Property | Value |
---|---|
type | TEXT |
type | ALERT_OWNER_ASSIGNED |
type | ALERT_OWNER_REMOVED |
type | ALERT_STATUS_CHANGED |
type | ALERT_ATTACHED_TO_INCIDENT |
type | ALERT_AUTOMATION_JOB_ENDED |
type | ALERT_AUTOMATION_JOB_STARTED |
type | ALERT_CLOSED |
type | ALERT_DETACHED_FROM_INCIDENT |
type | ALERT_DETECTED |
type | ALERT_RESOLVED |
type | ALERT_INCIDENT_CREATED |
type | ALERT_PLAYBOOK_STEP_COMPLETED |
type | ALERT_REOPENED |
type | MITRE_ATTACK_ADDED |
type | MITRE_ATTACK_REMOVED |
type | INCIDENT_ALERT_ADDED |
type | INCIDENT_ALERT_REMOVED |
type | INCIDENT_CREATED |
type | INCIDENT_CLOSED |
type | INCIDENT_REOPENED |
type | INCIDENT_STATUS_CHANGED |
type | INCIDENT_COMPANY_CHANGED |
type | INCIDENT_SEVERITY_CHANGED |
type | INCIDENT_PRIORITY_CHANGED |
type | INCIDENT_TYPE_CHANGED |
type | INCIDENT_OWNER_CHANGED |
type | INCIDENT_ESCALATED |
type | INCIDENT_ESCALATION_REVOKED |
type | INCIDENT_ESCALATION_ACCEPTED |
type | INCIDENT_ESCALATION_REMINDER_SENT |
type | PLAYBOOK_ADDED |
type | PLAYBOOK_STEP_COMPLETED |
type | PLAYBOOK_USER_INPUT_REQUIRED |
type | PLAYBOOK_EVIDENCES_PROVIDED |
type | PLAYBOOK_TERMINATED |
CreateEvidenceRequest
{
"reported": "2019-08-24T14:15:22Z",
"caption": "Severity changed",
"messageId": "string",
"description": "System Admin has changed severity from Low to Medium",
"externalId": "345ffe9a"
}
Validations:
- At least one of the following fields should be provided: messageId, description.
- Only one of the following fields can be provided: messageId, externalId.
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
reported | string(date-time) | true | none | The time when this evidence was reported |
caption | string | true | none | The caption of the evidence |
messageId | string | false | none | The ID of the message this evidence was created from. |
description | string | false | none | The description of this evidence |
externalId | string | false | none | The identifier of the evidence, as it appears in external systems, mostly used to achieve idempotence |
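The two validations listed for CreateEvidenceRequest are cross-field rules, which are easy to get wrong when a body is assembled from several sources (for instance, copying externalId from a ticketing system while also attaching a messageId). The checker below is an added example, not CyberProof's own code; it enforces both rules plus the required fields and a date-time parse of `reported` (assumed to be RFC 3339, which is what the OpenAPI `string(date-time)` format denotes). Note that the sample body above lists every field at once, which the second validation would reject; it is there to show the field set, not as a valid request.

```python
from datetime import datetime


def validate_evidence_request(body: dict) -> list[str]:
    """Return the rule violations for a CreateEvidenceRequest body
    (an empty list means the body satisfies every documented rule)."""
    errors: list[str] = []
    for field in ("reported", "caption"):
        if not body.get(field):
            errors.append(f"{field} is required")
    if body.get("reported"):
        # string(date-time) is an RFC 3339 timestamp. Older Python versions'
        # fromisoformat rejects a trailing 'Z', so map it to an explicit offset
        # (assumption: that is the only non-ISO spelling we need to accept).
        try:
            datetime.fromisoformat(str(body["reported"]).replace("Z", "+00:00"))
        except ValueError:
            errors.append("reported is not a valid date-time")
    present = {f for f in ("messageId", "description", "externalId") if body.get(f)}
    # Validation 1: at least one of messageId, description.
    if not present & {"messageId", "description"}:
        errors.append("at least one of messageId, description must be provided")
    # Validation 2: messageId and externalId are mutually exclusive.
    if {"messageId", "externalId"} <= present:
        errors.append("only one of messageId, externalId may be provided")
    return errors


if __name__ == "__main__":
    # Constructed bodies: one valid, one with externalId only, one combining
    # messageId with externalId.
    ok = {"reported": "2019-08-24T14:15:22Z", "caption": "Severity changed",
          "description": "System Admin has changed severity from Low to Medium",
          "externalId": "345ffe9a"}
    only_external = {"reported": "2019-08-24T14:15:22Z", "caption": "Severity changed",
                     "externalId": "345ffe9a"}
    both_ids = {"reported": "2019-08-24T14:15:22Z", "caption": "Severity changed",
                "messageId": "msg-placeholder", "externalId": "345ffe9a"}
    for body in (ok, only_external, both_ids):
        print(validate_evidence_request(body))
```

Because externalId is what gives the call idempotence, the usual pattern is description plus externalId for evidence generated by an external system, and messageId alone for evidence derived from a message that already exists in CDC.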
KillChain
[
"Reconnaissance",
"Weaponization",
"Delivery"
]
Mapping of alert to specific Kill Chain phases (see the Cyber Kill Chain article on Wikipedia).
Properties
None
MitreAttacks
[
"T1003",
"T1001",
"T1595.001"
]
MitreAttack Ids List
Properties
None
EntityScope
{
"id": "616ea579f2631c8d4c68a1b7",
"type": "alert"
}
Entities in the system can have a scope defining their association with a business object.
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
id | string | true | none | id of the entity as saved in the system |
type | string | true | none | The type of the entity (alert, incident, channel, ...) |
Enumerated Values
Property | Value |
---|---|
type | alert |
type | incident |
type | channel |
FileScope
{
"id": "616ea579f2631c8d4c68a1b7",
"type": "alert"
}
Entities in the system can have a scope defining their association with a business object.
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
id | string | true | none | id of the entity as saved in the system |
type | string | true | none | The type of the entity (alert, incident, channel, ...) |
Enumerated Values
Property | Value |
---|---|
type | alert |
type | incident |
type | channel |
type | visualization |
TextMessageContent
{
"message": "some text <b>bold</b> message",
"contentType": "text"
}
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
message | string | true | none | The text of the message; can be simple text or rich text |
contentType | string | true | none | Specifies the type of the Message content (Text messages) |
Enumerated Values
Property | Value |
---|---|
contentType | text |
AdaptiveCardMessageContent
{
"json": {},
"contentType": "adaptiveCard"
}
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
json | object | true | none | The raw data attached for the purpose of populating the card |
contentType | string | true | none | Specifies the type of the Message content (Adaptive Card messages) |
Enumerated Values
Property | Value |
---|---|
contentType | adaptiveCard |
MessageCreateRequest
{
"externalId": "111e3cf9-da0e-46a1-b099-3fd2e653ecbd",
"scope": {
"id": "616ea579f2631c8d4c68a1b7",
"type": "alert"
},
"parentMessageId": "616ea579f2631c8d4c68a1b7",
"attachmentIds": [
"616ea579f2631c8d4c68a1b7"
],
"content": {
"message": "some text <b>bold</b> message",
"contentType": "text"
}
}
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
externalId | string | true | none | The identifier of the message, as it appears in external systems. Only one message can be linked to each unique externalId. |
scope | EntityScope | true | none | Scope provides association data for this message |
parentMessageId | string | false | none | If provided, the new message will be posted as a child of another message, as the last message in its thread |
attachmentIds | [string] | false | none | IDs of the files attached to this message |
content | TextMessageContent | true | none | The content of the message |
MessageSummary
{
"id": "616ea579f2631c8d4c68a1b7",
"externalId": "111e3cf9-da0e-46a1-b099-3fd2e653ecbd",
"scope": {
"id": "616ea579f2631c8d4c68a1b7",
"type": "alert"
},
"parentMessageId": "616ea579f2631c8d4c68a1b7",
"attachmentIds": [
"616ea579f2631c8d4c68a1b7"
],
"content": {
"message": "some text <b>bold</b> message",
"contentType": "text"
}
}
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
id | string | true | none | ID of the message as saved in the system |
externalId | string | true | none | The identifier of the message, as it appears in external systems. Only one message can be linked to each unique externalId. |
scope | EntityScope | true | none | Entities in the system can have a scope defining their association with a business object |
parentMessageId | string | false | none | If present, this message was posted in another message's thread |
attachmentIds | [string] | false | none | IDs of the files attached to this message |
content | any | true | none | The content of the message |
oneOf
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
» anonymous | TextMessageContent | false | none | none |
xor
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
» anonymous | AdaptiveCardMessageContent | false | none | none |
Message
{
"id": "616ea579f2631c8d4c68a1b7",
"externalId": "111e3cf9-da0e-46a1-b099-3fd2e653ecbd",
"scope": {
"id": "616ea579f2631c8d4c68a1b7",
"type": "alert"
},
"parentMessageId": "616ea579f2631c8d4c68a1b7",
"attachmentIds": [
"616ea579f2631c8d4c68a1b7"
],
"content": {
"message": "some text <b>bold</b> message",
"contentType": "text"
},
"attachments": [
{
"status": "uploaded",
"id": "5e7c6cf54b832e0018f191ad",
"name": "attachment.txt",
"scope": {
"id": "616ea579f2631c8d4c68a1b7",
"type": "alert"
},
"size": 2680000,
"mimeType": "text/plain",
"extension": "txt",
"createdAt": "2019-08-24T14:15:22Z",
"createdBy": "8e2c4cf54b832e0018f191ad",
"relations": [
{
"type": "vega",
"id": "8e2c4cf54b832e0018f191ad"
}
]
}
]
}
Properties
allOf
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
anonymous | MessageSummary | false | none | none |
and
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
anonymous | object | false | none | none |
» attachments | [FileInfo] | false | none | file info objects for attachments. note - empty array means no attachments. |
MessagesQueryResults
{
"nextMarker": "string",
"results": [
{
"id": "616ea579f2631c8d4c68a1b7",
"externalId": "111e3cf9-da0e-46a1-b099-3fd2e653ecbd",
"scope": {
"id": "616ea579f2631c8d4c68a1b7",
"type": "alert"
},
"parentMessageId": "616ea579f2631c8d4c68a1b7",
"attachmentIds": [
"616ea579f2631c8d4c68a1b7"
],
"content": {
"message": "some text <b>bold</b> message",
"contentType": "text"
}
}
]
}
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
nextMarker | string(byte) | false | none | a continuation token. Empty if there are no further results |
results | [MessageSummary] | true | none | none |
FileStatus
"uploaded"
The status of the file with respect to the upload and sanitation process. Every file should have a status:
- uploaded - uploaded but not ready yet, requires additional processing
- processing - being processed by the system, i.e. pending sanitation
- verified - completed sanitation processes, needs to move to final storage location
- ready - completed and made available
- failed - the file upload process has failed, such as when sanitation can't be applied
- blocked - the file sanitation process failed (i.e. the file has malicious content)
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
anonymous | string | false | none | The status of the file with respect to the upload and sanitation process. Every file should have a status: uploaded - uploaded but not ready yet, requires additional processing; processing - being processed by the system, i.e. pending sanitation; verified - completed sanitation processes, needs to move to final storage location; ready - completed and made available; failed - the file upload process has failed, such as when sanitation can't be applied; blocked - the file sanitation process failed (i.e. the file has malicious content) |
Enumerated Values
Property | Value |
---|---|
anonymous | uploaded |
anonymous | processing |
anonymous | verified |
anonymous | ready |
anonymous | failed |
anonymous | blocked |
FileInfo
{
"status": "uploaded",
"id": "5e7c6cf54b832e0018f191ad",
"name": "attachment.txt",
"scope": {
"id": "616ea579f2631c8d4c68a1b7",
"type": "alert"
},
"size": 2680000,
"mimeType": "text/plain",
"extension": "txt",
"createdAt": "2019-08-24T14:15:22Z",
"createdBy": "8e2c4cf54b832e0018f191ad",
"relations": [
{
"type": "vega",
"id": "8e2c4cf54b832e0018f191ad"
}
]
}
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
status | FileStatus | true | none | The status of the file with respect to the upload and sanitation process. Every file should have a status: uploaded - uploaded but not ready yet, requires additional processing; processing - being processed by the system, i.e. pending sanitation; verified - completed sanitation processes, needs to move to final storage location; ready - completed and made available; failed - the file upload process has failed, such as when sanitation can't be applied; blocked - the file sanitation process failed (i.e. the file has malicious content) |
id | string | true | none | A unique, machine-oriented ID identifying this file. |
name | string | true | none | The file name |
scope | FileScope | true | none | Entities in the system can have a scope defining their association with a business object |
size | number | true | none | the file size in bytes |
mimeType | string | true | none | The MIME (Multipurpose Internet Mail Extensions) type of the file. A two-part identifier for file formats and format contents transmitted on the Internet. see more: https://en.wikipedia.org/wiki/Media_type |
extension | string | false | none | An identifier specified as a suffix to the name of a file |
createdAt | string(date-time) | true | none | File creation timestamp |
createdBy | string | true | none | The ID of the user who created this file. |
relations | [object] | false | none | The relations of the file |
» id | string | false | none | none |
» type | string | false | none | none |
Enumerated Values
Property | Value |
---|---|
type | vega |
FilesQueryResults
{
"nextMarker": "string",
"results": [
{
"status": "uploaded",
"id": "5e7c6cf54b832e0018f191ad",
"name": "attachment.txt",
"scope": {
"id": "616ea579f2631c8d4c68a1b7",
"type": "alert"
},
"size": 2680000,
"mimeType": "text/plain",
"extension": "txt",
"createdAt": "2019-08-24T14:15:22Z",
"createdBy": "8e2c4cf54b832e0018f191ad",
"relations": [
{
"type": "vega",
"id": "8e2c4cf54b832e0018f191ad"
}
]
}
]
}
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
nextMarker | string(byte) | false | none | a continuation token. Empty if there are no further results |
results | [FileInfo] | true | none | none |
UploadFileRequest
{
"relations": "[{\"type\": \"vega\", \"id\": \"5e7c6cf54b832e0018f191ad\"}]",
"password": "test123",
"file": "string"
}
Form data containing relations, password and file fields.
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
relations | string | false | none | A string representing an array of JSON objects, where type = relation type (e.g. vega) and id = template file id. |
password | string | false | none | One or more passwords, separated by commas. |
file | string(binary) | false | none | The binary file stream |
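As an added example (not CyberProof's code), the following Python builds the three UploadFileRequest form fields from native objects and then folds a sequence of observed FileStatus values into a download decision. The form-field shapes follow the schema above; the status transition graph (uploaded, processing, verified, ready, with failed and blocked as terminal failures) is an assumption inferred from the FileStatus descriptions, since the page lists the states but not the edges between them.

```python
"""Building an UploadFileRequest form and tracking FileStatus afterwards.

Constructed example, not CyberProof's code. The transition graph below is
an assumption inferred from the FileStatus descriptions on the page.
"""
import json
from typing import Dict, Iterable, Sequence, Tuple

# Assumed legal transitions; the page lists the states but not the edges.
_TRANSITIONS: Dict[str, Tuple[str, ...]] = {
    "uploaded": ("processing", "failed"),
    "processing": ("verified", "failed", "blocked"),
    "verified": ("ready", "failed"),
    "ready": (),
    "failed": (),
    "blocked": (),
}
TERMINAL = frozenset(s for s, nxt in _TRANSITIONS.items() if not nxt)


def build_upload_form(file_name: str, data: bytes,
                      relations: Sequence[Dict[str, str]] = (),
                      passwords: Sequence[str] = ()) -> Dict[str, object]:
    """Produce the multipart fields described by UploadFileRequest.

    `relations` is sent as a JSON-encoded string (not a nested form array)
    and `password` as a comma-separated list, as the schema describes.
    """
    for rel in relations:
        if set(rel) != {"type", "id"}:
            raise ValueError("each relation needs exactly 'type' and 'id': %r" % (rel,))
    for pw in passwords:
        if "," in pw:
            # The comma is the separator, so such a password cannot be sent unambiguously.
            raise ValueError("password may not contain a comma")
    form: Dict[str, object] = {"file": (file_name, data)}
    if relations:
        form["relations"] = json.dumps(list(relations))
    if passwords:
        form["password"] = ",".join(passwords)
    return form


def track_status(events: Iterable[str]) -> Tuple[str, bool, bool]:
    """Fold observed statuses into (final status, is_terminal, download_allowed).

    Repeated polls of the same status are fine; unknown states or transitions
    that skip a stage raise, because that means the sanitation pipeline was
    bypassed or the event stream is corrupt.
    """
    current = None
    for status in events:
        if status not in _TRANSITIONS:
            raise ValueError("unknown FileStatus: %r" % status)
        if current is None:
            if status != "uploaded":
                raise ValueError("first status must be 'uploaded', got %r" % status)
        elif status != current and status not in _TRANSITIONS[current]:
            raise ValueError("illegal transition %s -> %s" % (current, status))
        current = status
    if current is None:
        raise ValueError("no status events")
    # Only 'ready' means sanitation completed and the file was made available.
    return current, current in TERMINAL, current == "ready"
```

A client that treats anything other than ready as "do not fetch" (and blocked as a signal worth alerting on) avoids serving a file that never passed sanitation.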
DownloadFileResponse
"string"
The binary file stream
Properties
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
anonymous | string(binary) | false | none | The binary file stream |
General API Guidelines
- In case of a query endpoint (e.g. queryAlerts, queryObservableAlertIds) whose query yielded no results, an empty list is returned: []
Concurrency
CyberProof supports consistency related concerns by leveraging HTTP constructs to enable optimistic concurrency control. Specifically, the mechanism is provided by the combination of entity tags and conditional requests.
An entity tag, specified by the ETag HTTP header, is an opaque token that the server associates with a particular state of a resource. When the resource changes, the entity tag should be modified as well. This allows parties to determine if a request on a resource references an up-to-date representation of that resource. Typically, if there's a mismatch, the request is not performed and the client should refresh its copy of the resource to bring it up to date.
A conditional request is a request that may be executed differently depending on the value of specific HTTP headers. These headers define the precondition that must be true before the server should execute the request. Regarding entity tags, generally there are two options for making requests conditional:
- If-Match: The request will continue if the ETag of the current resource is equal to the one listed in this header
- If-None-Match: The request will continue if the ETag of the current resource is different from each tag listed in this header
Take the following scenario as an example:
- Client calls getIncident with a certain incident id
- Client receives the incident response along with the ETag response header
- Client needs to update the incident
  - Client updates its incident's entity state
  - Client calls updateIncident and includes an If-Match header with the value of the ETag it received before
- Server operation
  - Server compares the current ETag with the one specified in the If-Match header
  - When matched, the operation is performed and the response to the client includes the updated incident's entity tag in the ETag response header
  - When unmatched, the operation is not performed and the server responds with a status code of Precondition Failed (412)
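The scenario above, simulated end to end as an added example (this is not CyberProof's code): an in-memory stand-in for the incident resource issues an ETag, honours If-Match on update, and a client helper refreshes and retries when it gets 412. The hash-based ETag, the JSON-merge update semantics, and rejecting an update that carries no If-Match at all are assumptions made for illustration; the page only defines the matched and unmatched cases.

```python
"""Optimistic concurrency with ETag / If-Match, simulated end to end.

Constructed example, not CyberProof's code. The ETag derivation and the
merge semantics of the update are assumptions for illustration.
"""
import hashlib
import json
from typing import Dict, Optional, Tuple


class IncidentStore:
    """Minimal server side: one resource with a strong ETag derived from its state."""

    def __init__(self, incident: Dict) -> None:
        self._incident = dict(incident)

    def etag(self) -> str:
        # Assumption: the ETag is a quoted hash of the canonical JSON representation.
        canonical = json.dumps(self._incident, sort_keys=True).encode()
        return '"%s"' % hashlib.sha256(canonical).hexdigest()[:16]

    def get(self) -> Tuple[int, Dict, Dict[str, str]]:
        """getIncident: body plus the ETag response header."""
        return 200, dict(self._incident), {"ETag": self.etag()}

    def patch(self, changes: Dict, headers: Dict[str, str]) -> Tuple[int, Optional[Dict], Dict[str, str]]:
        """updateIncident: apply only when If-Match equals the current ETag."""
        if_match = headers.get("If-Match")
        # Assumption: a missing If-Match is treated like a mismatch, so every
        # writer must prove it holds a current representation.
        if if_match is None or if_match != self.etag():
            return 412, None, {"ETag": self.etag()}  # Precondition Failed
        self._incident.update(changes)
        return 200, dict(self._incident), {"ETag": self.etag()}


def update_with_retry(store: IncidentStore, changes: Dict,
                      max_attempts: int = 3) -> Tuple[int, Optional[Dict], int]:
    """Client side: fetch, send a conditional update, refresh and retry on 412.

    Returns (final status, final body, attempts used).
    """
    attempts = 0
    while attempts < max_attempts:
        attempts += 1
        _, _, headers = store.get()  # refresh the copy and its entity tag
        status, body, _ = store.patch(changes, {"If-Match": headers["ETag"]})
        if status != 412:
            return status, body, attempts
    return 412, None, attempts


def demo_lost_update_prevented() -> Dict:
    """Two clients race: the second one's stale If-Match is rejected with 412."""
    store = IncidentStore({"id": "inc-1", "status": "open", "severity": "Low"})
    _, _, h_a = store.get()
    _, _, h_b = store.get()  # both clients now hold the same ETag

    status_a, _, _ = store.patch({"severity": "High"}, {"If-Match": h_a["ETag"]})
    status_b, _, _ = store.patch({"status": "closed"}, {"If-Match": h_b["ETag"]})  # stale

    # The second client refreshes and retries; the first client's change survives.
    retry_status, body, attempts = update_with_retry(store, {"status": "closed"})
    return {
        "first_update": status_a,
        "stale_update": status_b,
        "retry_status": retry_status,
        "retry_attempts": attempts,
        "final": body,
    }
```

The retry loop re-reads the resource before every attempt rather than reusing the tag from the 412 response; that keeps the client's own copy current, which is the point of the mechanism.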
What's New
GET /alerts/{alert_id}/evidence
Returns information about the evidence associated with this alert.
POST /alerts/{alert_id}/evidence
Creates a new alert evidence
POST /incidents/{incident_id}/evidence
Creates a new incident evidence
What's Changed
POST /files/upload
Parameters:
- Changed: scopeType in query. The type of the entity (alert / incident / channel / visualization...)
Request:
- Changed content type: multipart/form-data
  - Added property relations (string): A string representing an array of JSON objects, where type = relation type (e.g. vega) and id = template file id.
  - Added property password (string): One or more passwords, separated by commas.
Return Type:
- Changed response: 201 Created. Listing information for the uploaded file
  - Changed content type: application/json
GET /alerts/{alert_id}
Return Type:
- Changed response: 200 OK success
  - Changed content type: application/json
  - Changed property tags (array): Array of tags. A tag's name can contain only the following characters: alphabetic, -, _, #, and numeric. Tags are case-preserving on insertion: if a tag doesn't already exist with a different casing style, the tag will be saved with the casing specified. When used as query filters, tags are treated as case-insensitive.
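The tag rules stated for the tags property, as an added example in Python (not CyberProof's code): a validator for the permitted characters and a small index that preserves the first casing seen while matching case-insensitively. The regex is my reading of "alphabetic, -, _, #, and numeric" restricted to ASCII; whether the platform also accepts non-ASCII letters is not stated on the page.

```python
"""Tag-name validation and case-insensitive tag matching.

Constructed example of the tag rules in this changelog; not CyberProof's
code. The character set is an assumption (ASCII letters and digits).
"""
import re
from typing import Dict, Iterable, List

# Assumption: ASCII letters and digits plus '-', '_' and '#'; nothing else.
_TAG_RE = re.compile(r"^[A-Za-z0-9_#-]+$")


def is_valid_tag(name: str) -> bool:
    """True when the tag name is non-empty and uses only permitted characters."""
    return bool(_TAG_RE.fullmatch(name))


class TagIndex:
    """Case-preserving store with case-insensitive lookup.

    The first casing seen for a tag is kept; later insertions that differ
    only in case collapse onto it, and query filters match regardless of case.
    """

    def __init__(self) -> None:
        self._by_key: Dict[str, str] = {}  # lower-cased key -> stored casing

    def insert(self, name: str) -> str:
        """Store the tag (or return the existing casing) after validating it."""
        if not is_valid_tag(name):
            raise ValueError("invalid tag name: %r" % name)
        return self._by_key.setdefault(name.lower(), name)

    def insert_all(self, names: Iterable[str]) -> List[str]:
        return [self.insert(n) for n in names]

    @staticmethod
    def matches(filter_tag: str, entity_tags: Iterable[str]) -> bool:
        """Query-filter semantics: compare tags case-insensitively."""
        wanted = filter_tag.lower()
        return any(t.lower() == wanted for t in entity_tags)

    def stored(self) -> List[str]:
        return sorted(self._by_key.values())
```

Rejecting tag names before they reach the API keeps validation errors local, and normalising lookups the same way the platform does avoids filters that silently miss tags stored with a different casing.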
GET /incidents/{incident_id}
Return Type:
- Changed response: 200 OK success
  - Changed content type: application/json
  - Changed property tags (array): Array of tags. A tag's name can contain only the following characters: alphabetic, -, _, #, and numeric. Tags are case-preserving on insertion: if a tag doesn't already exist with a different casing style, the tag will be saved with the casing specified. When used as query filters, tags are treated as case-insensitive.
PATCH /incidents/{incident_id}
Request:
- Changed content type: application/json
  - Changed property tags (array): Array of tags. A tag's name can contain only the following characters: alphabetic, -, _, #, and numeric. Tags are case-preserving on insertion: if a tag doesn't already exist with a different casing style, the tag will be saved with the casing specified. When used as query filters, tags are treated as case-insensitive.
Return Type:
- Changed response: 200 OK. The incident was updated
  - Changed content type: application/json
  - Changed property tags (array): Array of tags. A tag's name can contain only the following characters: alphabetic, -, _, #, and numeric. Tags are case-preserving on insertion: if a tag doesn't already exist with a different casing style, the tag will be saved with the casing specified. When used as query filters, tags are treated as case-insensitive.
GET /incidents/{incident_id}/evidence
Parameters:
- Added: include in query. Specifies which additional fields to include in the query results: data - includes the evidence metadata.
Return Type:
- Changed response: 200 OK success
  - Changed content type: application/json
  - Changed property results (array). Changed items (object):
    - New optional properties: caption
    - Added property messageId (string): The ID of the message this evidence was created from
    - Added property externalId (string): The identifier of the evidence, as it appears in external systems, mostly used to achieve idempotence
    - Added property data (object): Additional evidence metadata
    - Changed property type (string): The type of evidence. Added enum values:
      - TEXT
      - ALERT_OWNER_ASSIGNED
      - ALERT_OWNER_REMOVED
      - ALERT_STATUS_CHANGED
      - ALERT_ATTACHED_TO_INCIDENT
      - ALERT_AUTOMATION_JOB_ENDED
      - ALERT_AUTOMATION_JOB_STARTED
      - ALERT_CLOSED
      - ALERT_DETACHED_FROM_INCIDENT
      - ALERT_DETECTED
      - ALERT_RESOLVED
      - ALERT_INCIDENT_CREATED
      - ALERT_PLAYBOOK_STEP_COMPLETED
      - ALERT_REOPENED
      - MITRE_ATTACK_ADDED
      - MITRE_ATTACK_REMOVED
      - INCIDENT_ALERT_ADDED
      - INCIDENT_ALERT_REMOVED
      - INCIDENT_CREATED
      - INCIDENT_CLOSED
      - INCIDENT_REOPENED
      - INCIDENT_STATUS_CHANGED
      - INCIDENT_COMPANY_CHANGED
      - INCIDENT_SEVERITY_CHANGED
      - INCIDENT_PRIORITY_CHANGED
      - INCIDENT_TYPE_CHANGED
      - INCIDENT_OWNER_CHANGED
      - INCIDENT_ESCALATED
      - INCIDENT_ESCALATION_REVOKED
      - INCIDENT_ESCALATION_ACCEPTED
      - INCIDENT_ESCALATION_REMINDER_SENT
      - PLAYBOOK_ADDED
      - PLAYBOOK_STEP_COMPLETED
      - PLAYBOOK_USER_INPUT_REQUIRED
      - PLAYBOOK_EVIDENCES_PROVIDED
      - PLAYBOOK_TERMINATED
POST /alerts
Request:
- Changed content type: application/json
  - Changed property observables (array): The observables associated with this alert. Changed items (object):
    - Changed property tags (array): Array of tags. A tag's name can contain only the following characters: alphabetic, -, _, #, and numeric. Tags are case-preserving on insertion: if a tag doesn't already exist with a different casing style, the tag will be saved with the casing specified. When used as query filters, tags are treated as case-insensitive.
Return Type:
- Changed response: 201 Created. The alert has been created
  - Changed content type: application/json
  - Changed property tags (array): Array of tags. A tag's name can contain only the following characters: alphabetic, -, _, #, and numeric. Tags are case-preserving on insertion: if a tag doesn't already exist with a different casing style, the tag will be saved with the casing specified. When used as query filters, tags are treated as case-insensitive.
GET /alerts
Return Type:
- Changed response: 200 OK. A JSON object containing the results and additional information
  - Changed content type: application/json
  - Changed property results (array). Changed items (object):
    - Changed property tags (array): Array of tags. A tag's name can contain only the following characters: alphabetic, -, _, #, and numeric. Tags are case-preserving on insertion: if a tag doesn't already exist with a different casing style, the tag will be saved with the casing specified. When used as query filters, tags are treated as case-insensitive.
GET /incidents
Return Type:
- Changed response: 200 OK. A JSON object containing the results and additional information
  - Changed content type: application/json
  - Changed property results (array). Changed items (object):
    - Changed property tags (array): Array of tags. A tag's name can contain only the following characters: alphabetic, -, _, #, and numeric. Tags are case-preserving on insertion: if a tag doesn't already exist with a different casing style, the tag will be saved with the casing specified. When used as query filters, tags are treated as case-insensitive.
GET /incidents/{incident_id}/alerts
Return Type:
- Changed response: 200 OK success
  - Changed content type: application/json
  - Changed property results (array). Changed items (object):
    - Changed property tags (array): Array of tags. A tag's name can contain only the following characters: alphabetic, -, _, #, and numeric. Tags are case-preserving on insertion: if a tag doesn't already exist with a different casing style, the tag will be saved with the casing specified. When used as query filters, tags are treated as case-insensitive.
POST /incidents/{incident_id}/observables
Request:
- Changed content type: application/json
  - Changed property tags (array): Array of tags. A tag's name can contain only the following characters: alphabetic, -, _, #, and numeric.
GET /files
Parameters:
- Changed: scopeType in query. Filter files by entity scope type. This filter is related to scopeId, i.e. if scopeType is provided then scopeId should be provided as well.
Return Type:
- Changed response: 200 OK. A JSON object containing the results and additional information
  - Changed content type: application/json
  - Changed property results (array). Changed items (object):
    - Changed property scope (object): Entities in the system can have a scope defining their association with a business object
      - Changed property type (string): The type of the entity (alert / incident / channel ...). Added enum value: visualization