diff --git a/docs/thehive/api/case/.pages b/docs/thehive/api/case/.pages
index 6b808cac..8ef36493 100644
--- a/docs/thehive/api/case/.pages
+++ b/docs/thehive/api/case/.pages
@@ -1,6 +1,12 @@
 nav:
- - 'Overview': index.md
+ - "Overview": index.md
 - create.md
 - update.md
+ - delete.md
 - merge.md
- - delete.md
\ No newline at end of file
+ - export.md
+ - related-cases.md
+ - related-alerts.md
+ - attachments.md
+ - run-responder.md
+ - responder-jobs.md
diff --git a/docs/thehive/api/case/delete.md b/docs/thehive/api/case/delete.md
index 927824cb..64e6f78b 100644
--- a/docs/thehive/api/case/delete.md
+++ b/docs/thehive/api/case/delete.md
@@ -1,21 +1,21 @@
 # Delete
-## Query
+Permanently delete a *Case*.
-```
+## Query
+```plain
+DELETE /api/case/{id}?force=1
 ```
+With:
-## Request Body Example
-
-```json
-
-```
-
+- `id`: id of the *Case*
-## ResponseBody Example
+## Response
-```json
+### Status codes
-```
\ No newline at end of file
+- `204`: if *Case* is deleted successfully
+- `401`: Authentication error
+- `404`: if *Case* is not found
diff --git a/docs/thehive/api/case/export.md b/docs/thehive/api/case/export.md
index e69de29b..fd442d4c 100644
--- a/docs/thehive/api/case/export.md
+++ b/docs/thehive/api/case/export.md
@@ -0,0 +1,26 @@
+# Export Case to MISP
+
+Export *Case* to a MISP server to create an event including the *Case* observables marked as IOC.
+
+## Query
+
+```plain
+POST /api/connector/misp/export/{id}/{misp-server}
+```
+
+With:
+
+- `id`: id of the *Case*
+- `misp-server`: name of the MISP server as defined in the configuration
+
+!!! note
+
+ Only MISP servers with `purpose` equals to `ExportOnly` or `ImportAndExport` can recieve *Case* exports
+
+## Response
+
+### Status codes
+
+- `204`: if *Case* is successfully exported
+- `401`: Authentication error
+- `404`: if *Case* or MISP server is not found.
diff --git a/docs/thehive/api/case/index.md b/docs/thehive/api/case/index.md
index f02667f9..68bf86f6 100644
--- a/docs/thehive/api/case/index.md
+++ b/docs/thehive/api/case/index.md
@@ -9,4 +9,4 @@
 - [List related alerts](related-alerts.md)
 - [List attachments](attachments.md)
 - [Run responder](run-responder.md)
-- [List responder jobs](responder-jobs.md)
\ No newline at end of file
+- [List responder jobs](responder-jobs.md)
diff --git a/docs/thehive/api/case/related-alerts.md b/docs/thehive/api/case/related-alerts.md
index e69de29b..b8e713e9 100644
--- a/docs/thehive/api/case/related-alerts.md
+++ b/docs/thehive/api/case/related-alerts.md
@@ -0,0 +1,99 @@
+# List related Alerts
+
+List alerts merged in a *Case*.
+
+## Query
+
+```plain
+POST /api/v0/query
+```
+
+## Request Body Example
+
+!!! Example ""
+
+ List last 5 merged alerts in a *Case* identified by `{id}`:
+
+ ```json
+ {
+ "query": [
+ {
+ "_name": "getCase",
+ "idOrName": "{id}"
+ },
+ {
+ "_name": "alerts"
+ },
+ {
+ "_name": "sort",
+ "_fields": [
+ {
+ "startDate": "desc"
+ }
+ ]
+ },
+ {
+ "_name": "page",
+ "from": 0,
+ "to": 5
+ }
+ ]
+ }
+ ```
+
+ With:
+
+ - `id`: id of the *Case*
+
+## Response
+
+### Status codes
+
+- `200`: if query is run successfully
+- `401`: Authentication error
+
+### ResponseBody Example
+
+!!! Example ""
+
+ ```json
+ [
+ ...
+ [
+ {
+ "_id": "~43618512",
+ "id": "~43618512",
+ "createdBy": "demo@thehive.local",
+ "updatedBy": null,
+ "createdAt": 1618344277475,
+ "updatedAt": null,
+ "_type": "alert",
+ "type": "testing",
+ "source": "create-alert.py",
+ "sourceRef": "85a766ec",
+ "externalLink": null,
+ "case": "~122884120",
+ "title": "Alert 85a766ec-060a-49a0-bc82-c672b6e51e6c",
+ "description": "N/A",
+ "severity": 1,
+ "date": 1618344277000,
+ "tags": [
+ "sample"
+ ],
+ "tlp": 3,
+ "pap": 2,
+ "status": "Imported",
+ "follow": true,
+ "customFields": {
+ "company": {
+ "string": "Customer 1"
+ }
+ },
+ "caseTemplate": null,
+ "artifacts": [],
+ "similarCases": []
+ }
+ ]
+ ...
+ ]
+ ```
\ No newline at end of file
diff --git a/docs/thehive/api/case/related-cases.md b/docs/thehive/api/case/related-cases.md
index e69de29b..867884a4 100644
--- a/docs/thehive/api/case/related-cases.md
+++ b/docs/thehive/api/case/related-cases.md
@@ -0,0 +1,95 @@
+# List related Cases
+
+List similar *Cases* of a given *Case*. This API uses observable based similarity to find related *Cases*
+
+## Query
+
+```plain
+GET /api/case/{id}/links
+```
+
+With:
+
+- `id`: id of the *Case*
+
+## Response
+
+### Status codes
+
+- `200`: if query is run successfully
+- `401`: Authentication error
+- `404`: if the case doesn't exist
+
+### ResponseBody Example
+
+!!! Example ""
+
+ ```json
+ [
+ {
+ "_id": "~48144448",
+ "_type": "case",
+ "caseId": 66,
+ "createdAt": 1618344529302,
+ "createdBy": "user@thehive.local",
+ "customFields": {},
+ "description": "N/A",
+ "endDate": null,
+ "flag": false,
+ "id": "~48144448",
+ "impactStatus": null,
+ "linkedWith": [
+ {
+ "_id": "~122888216",
+ "_type": "case_artifact",
+ "createdAt": 1632114988895,
+ "createdBy": "user@strangebee.com",
+ "data": "google.com",
+ "dataType": "domain",
+ "id": "~122888216",
+ "ignoreSimilarity": false,
+ "ioc": false,
+ "message": "test",
+ "reports": {},
+ "sighted": false,
+ "startDate": 1632114988895,
+ "stats": {},
+ "tags": [],
+ "tlp": 2
+ }
+ ],
+ "linksCount": 1,
+ "owner": "nabil@thehive.local",
+ "pap": 1,
+ "permissions": [
+ "manageShare",
+ "manageAnalyse",
+ "manageTask",
+ "manageCaseTemplate",
+ "manageCase",
+ "manageUser",
+ "manageProcedure",
+ "managePage",
+ "manageObservable",
+ "manageTag",
+ "manageConfig",
+ "manageAlert",
+ "accessTheHiveFS",
+ "manageAction"
+ ],
+ "resolutionStatus": null,
+ "severity": 4,
+ "startDate": 1618344529000,
+ "stats": {},
+ "status": "Open",
+ "summary": null,
+ "tags": [
+ "sample"
+ ],
+ "title": "Case a31acfad-8368-4395-bf1d-6d5c1675c0ba",
+ "tlp": 1,
+ "updatedAt": null,
+ "updatedBy": null
+ }
+ ]
+ ```
\ No newline at end of file