#10 update and format

TheHive-Project · Aug 31, 2021 · 3ca8a65 · 3ca8a65
1 parent a83a976
commit 3ca8a65
Show file tree

Hide file tree

Showing 4 changed files with 170 additions and 57 deletions.
diff --git a/docs/thehive/api/alert/add-observable.md b/docs/thehive/api/alert/add-observable.md
@@ -0,0 +1,38 @@
+# Add observables
+
+Add *Observable* to an *Alert*.
+
+## Query
+
+```plain
+POST /api/alert/{id}/artifact
+```
+
+With:
+
+- `id`: Alert identifier
+
+##  Request Body Example
+
+!!! Example "" 
+
+    ```json
+
+    ```
+
+
+
+##  Response 
+
+### Status codes
+
+- `201`: if *Alert* is created successfully
+- `401`: Authentication error
+
+### Response Body Example
+
+!!! Example ""
+
+    ```json
+
+    ```
diff --git a/docs/thehive/api/alert/delete-observable.md b/docs/thehive/api/alert/delete-observable.md
@@ -0,0 +1,20 @@
+# Add observables
+
+Delete an *Observable* from an *Alert*.
+
+## Query
+
+```plain
+DELETE /api/alert/artifact/{id}
+```
+
+With:
+
+- `id`: Observable identifier
+
+##  Response 
+
+### Status codes
+
+- `204`: if *Observable* is deleted successfully
+- `401`: Authentication error
diff --git a/docs/thehive/api/alert/merge.md b/docs/thehive/api/alert/merge.md
@@ -25,62 +25,62 @@ With:
 !!! Example ""
 
     ```json
-{
-  "_id": "~6658533455",
-  "id": "~6658533455",
-  "createdBy": "florian@strangebee.com",
-  "updatedBy": "florian@strangebee.com",
-  "createdAt": 1620397519028,
-  "updatedAt": 1624373852175,
-  "_type": "case",
-  "caseId": 114,
-  "title": "User connected to known malicious IP over Telnet / Malicious payload detected",
-  "description": "EDR automated alert: the user robb@training.org has connected to known malicious IP over Telnet\n\nEDR automated alert: malicious payload detected on computer PC-Robb\n  \n#### Merged with alert #90e044 User posted information on known phishing URL\n\nSIEM automated alert: the user robb@training.org has posted information on a known phishing url",
-  "severity": 2,
-  "startDate": 1620396059728,
-  "endDate": null,
-  "impactStatus": null,
-  "resolutionStatus": null,
-  "tags": [
-    "log-source:proxy",
-    "source:edr",
-    "log-source:endpoint-protection",
-    "source:siem",
-    "protocol: telnet",
-    "ex2"
-  ],
-  "flag": false,
-  "tlp": 3,
-  "pap": 2,
-  "status": "Open",
-  "summary": null,
-  "owner": "florian@strangebee.com",
-  "customFields": {
-    "businessUnit": {
-      "string": "Finance",
-      "order": 0
-    },
-    "location": {
-      "string": "Sydney",
-      "order": 1
+    {
+      "_id": "~6658533455",
+      "id": "~6658533455",
+      "createdBy": "florian@strangebee.com",
+      "updatedBy": "florian@strangebee.com",
+      "createdAt": 1620397519028,
+      "updatedAt": 1624373852175,
+      "_type": "case",
+      "caseId": 114,
+      "title": "User connected to known malicious IP over Telnet / Malicious payload detected",
+      "description": "EDR automated alert: the user robb@training.org has connected to known malicious IP over Telnet\n\nEDR automated alert: malicious payload detected on computer PC-Robb\n  \n#### Merged with alert #90e044 User posted information on known phishing URL\n\nSIEM automated alert: the user robb@training.org has posted information on a known phishing url",
+      "severity": 2,
+      "startDate": 1620396059728,
+      "endDate": null,
+      "impactStatus": null,
+      "resolutionStatus": null,
+      "tags": [
+        "log-source:proxy",
+        "source:edr",
+        "log-source:endpoint-protection",
+        "source:siem",
+        "protocol: telnet",
+        "ex2"
+      ],
+      "flag": false,
+      "tlp": 3,
+      "pap": 2,
+      "status": "Open",
+      "summary": null,
+      "owner": "florian@strangebee.com",
+      "customFields": {
+        "businessUnit": {
+          "string": "Finance",
+          "order": 0
+        },
+        "location": {
+          "string": "Sydney",
+          "order": 1
+        }
+      },
+      "stats": {},
+      "permissions": [
+        "manageShare",
+        "manageAnalyse",
+        "manageTask",
+        "manageCaseTemplate",
+        "manageCase",
+        "manageUser",
+        "manageProcedure",
+        "managePage",
+        "manageObservable",
+        "manageTag",
+        "manageConfig",
+        "manageAlert",
+        "accessTheHiveFS",
+        "manageAction"
+      ]
     }
-  },
-  "stats": {},
-  "permissions": [
-    "manageShare",
-    "manageAnalyse",
-    "manageTask",
-    "manageCaseTemplate",
-    "manageCase",
-    "manageUser",
-    "manageProcedure",
-    "managePage",
-    "manageObservable",
-    "manageTag",
-    "manageConfig",
-    "manageAlert",
-    "accessTheHiveFS",
-    "manageAction"
-  ]
-}
     ```
diff --git a/docs/thehive/api/alert/run-responder.md b/docs/thehive/api/alert/run-responder.md
@@ -0,0 +1,55 @@
+# Run Responder
+
+Run a Responder on an *Alert*.
+
+## Query
+
+```plain
+POST /api/connector/cortex/action
+```
+
+
+##  Request Body Example
+
+!!! Example "" 
+
+    ```json
+    {
+      "responderId": "05521ec727f75d69e828604dc5ae4c03",
+      "objectType": "alert",
+      "objectId": "~947478656"
+    }
+    ```
+
+The following fields are required: 
+
+- `responderId`: (String)
+- `objectType`: "alert"
+- `objectId`:  (String)
+
+##  Response 
+
+### Status codes
+
+- `200`: if *Responder* is run successfully
+- `401`: Authentication error
+
+### Response Body Example
+
+!!! Example ""
+
+    ```json
+{
+  "responderId": "05521ec727f75d69e828604dc5ae4bed",
+  "responderName": "JIRA_Create_Ticket_1_0",
+  "responderDefinition": "JIRA_Create_Ticket_1_0",
+  "cortexId": "CORTEX_INTERNAL",
+  "cortexJobId": "_v2EnHsB8Pn57ilsukA3",
+  "objectType": "Alert",
+  "objectId": "~947478656",
+  "status": "Waiting",
+  "startDate": 1630418550145,
+  "operations": "[]",
+  "report": "{}"
+}
+    ```