Automatic Incident #93

Closed
ghost opened this issue Jan 17, 2017 · 32 comments
Comments

@ghost

ghost commented Jan 17, 2017

Request Type

Question

Problem Description

Hello, I wanted to know if there was a way (via a script or via an API) to automatically generate incidents.

Cordially

@nadouani
Contributor

Hi @CommiAI,

From a technical point of view, the answer is YES: all the actions that could be made from the UI are backed by REST APIs. We "just" need to document them.

What are your use cases?

@To-om
Contributor

To-om commented Jan 17, 2017

Hi @CommiAI,

The API documentation is still in draft but it should give you enough information to create a case.
You should also consider the authentication section.

@ghost
Author

ghost commented Jan 18, 2017

Thank you for your answers.
When I try the command "curl -u mylogin:mypassword http://127.0.0.1:9000/api/cases", the terminal returns: "A client error occurred (/api / /api : Ressource not found by Assets controller"

Any idea?

@To-om
Contributor

To-om commented Jan 18, 2017

There are two errors:

  • The correct URL is http://127.0.0.1:9000/api/case (without "s").
  • The content type must be specified (I've just updated the documentation) by adding the "-H" parameter to the curl command.

The command is:

curl -XPOST -u myuser:mypassword -H 'Content-Type: application/json' http://127.0.0.1:9000/api/case -d '{
  "title": "My first case",
  "description": "This case have been created by my custom script"
}'

@ghost
Author

ghost commented Jan 18, 2017

Indeed, this was the error.
Thanks a lot for your help.

PS: You should also change it here: "https://github.com/CERT-BDF/TheHive/wiki/API-Documentation----Draft#authentication" (remove the 's' from "cases").

Thanks again

@To-om
Contributor

To-om commented Jan 18, 2017

You don't need to specify the content type on requests that don't contain a body.

@ghost
Author

ghost commented Jan 18, 2017

I have another question about the API: how do I add a task to a case?

@To-om
Contributor

To-om commented Jan 18, 2017

The request for creating a task is not yet documented but is pretty similar to the previous one, with the URL /api/case/task:

curl -XPOST -u myuser:mypassword -H 'Content-Type: application/json' http://127.0.0.1:9000/api/case/task -d '{
  "title": "My first task"
}'

The documentation describes available fields for case and for task entities.

@ghost
Author

ghost commented Jan 18, 2017

Thank you for your reply.
I have two errors and one question:

When I issue your command, it returns the error "A client error occurred".
In graphic mode, if I type http://127.0.0.1:9000/api/case/task I get the error "Not Authenticated", while if I replace 127.0.0.1 with localhost I get the error "Case task not found".
So much for the errors.
The question is: where do I create this task? Is there no case number?

@nadouani
Contributor

Yes, the URL should include the case id: "/api/case/:caseId/task"

@ghost
Author

ghost commented Jan 18, 2017

For example, for my case #4, is its URL /api/case/4?
Because I get the error "case 4 not found" whatever the case.

@nadouani
Contributor

Ok my bad.

When you create a case, the API response contains the details of the created case, for example

{
    "severity": 3,
    "owner": "nabil",
    "startDate": 1484736092465,
    "createdBy": "nabil",
    "title": "My first case",
    "status": "Open",
    "caseId": 17,
    "user": "nabil",
    "description": "This case have been created by my custom script",
    "tlp": -1,
    "createdAt": 1484736091815,
    "flag": false,
    "id": "AVmxKtk-n1k5qFRLIDqG",
    "type": "case"
}

In this case, the case ID is

AVmxKtk-n1k5qFRLIDqG

To create a task for this case, you can call

curl -XPOST -u myuser:mypassword -H 'Content-Type: application/json' http://127.0.0.1:9000/api/case/AVmxKtk-n1k5qFRLIDqG/task -d '{
  "title": "My first task"
}'

Notice the case's ID in the URL.

@ghost
Author

ghost commented Jan 18, 2017

Oh OK! I understand, and my command works!
Thank you very much.

@nadouani
Contributor

Note that you can provide the tasks when you create the case:

curl -XPOST -u user:password -H 'Content-Type: application/json' http://127.0.0.1:9000/api/case -d '{
  "title": "My first case",
  "description": "This case have been created by my custom script",
  "tasks": [
    {
      "title": "My first task"
    },
    {
      "title": "My second task"
    }
  ]
}'

As we said, the API documentation is not yet complete, so we are trying to help as much as we can until the full documentation is released.

@ghost
Author

ghost commented Jan 18, 2017

Convenient!
As long as we are on this, I imagine that one can create observables through the API?
With the URL http://127.0.0.1:9000/api/case/caseid/observable?

Is it possible to create a case from a template using curl?

@To-om
Contributor

To-om commented Jan 18, 2017

The internal name for observable is artifact. The URL is http://127.0.0.1:9000/api/case/:caseid/artifact
The request looks like:

curl -XPOST -u user:password -H 'Content-Type: application/json' http://127.0.0.1:9000/api/case/:caseId/artifact -d '{
  "data": "8.8.8.8",
  "dataType": "ip",
  "description": "Google DNS server"
}'

Available attributes of an artifact can be found here.

All back-end URLs are listed in the routes files.

@To-om
Copy link
Contributor

To-om commented Jan 18, 2017

Currently, case templates are handled by the front-end. You can retrieve the content of a case template (curl -u user:password http://127.0.0.1:9000/api/case/template/:caseTemplateId), populate the attributes and create a case.

@ghost
Author

ghost commented Jan 18, 2017

Thanks, thanks!
Just a correction: it is not "description" but "message", otherwise there is an error.
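Putting the replies above together (case creation with an explicit Content-Type, the string `id` from the response rather than the numeric `caseId`, the `/api/case/:id/task` and `/api/case/:id/artifact` URLs, and `message` instead of `description` on an artifact), here is an added Python example of the whole sequence as a small client. It is not code from the TheHive project or from anyone in this thread: the host, credentials, and the `FakeTransport` that stands in for the server are constructed so it runs offline, while the endpoints, field names and the sample case response are taken from the replies. Unlike the curl lines above, the Basic header is built in-process, so the password need not sit on a command line.

```python
import base64
import json
import urllib.parse
import urllib.request

BASE_URL = "http://127.0.0.1:9000"  # host used in the thread; never contacted here


class TheHiveClient:
    """Tiny client for the endpoints named in this thread (not the project's own code)."""

    def __init__(self, base_url, login, password, transport=None):
        self.base_url = base_url.rstrip("/")
        token = base64.b64encode(f"{login}:{password}".encode()).decode()
        self.auth = f"Basic {token}"  # what curl -u sends
        # transport(request) -> (status, body_bytes); real HTTP unless one is injected
        self.transport = transport or self._http

    @staticmethod
    def _http(request):
        with urllib.request.urlopen(request) as resp:
            return resp.status, resp.read()

    def call(self, method, path, body=None):
        headers = {"Authorization": self.auth}
        data = None
        if body is not None:  # Content-Type only when a body is actually sent
            headers["Content-Type"] = "application/json"
            data = json.dumps(body).encode()
        req = urllib.request.Request(self.base_url + path, data=data,
                                     headers=headers, method=method)
        status, raw = self.transport(req)
        if not 200 <= status < 300:
            raise RuntimeError(f"{method} {path}: HTTP {status} {raw.decode(errors='replace')}")
        return json.loads(raw) if raw else None

    def create_case(self, title, description, tasks=()):
        body = {"title": title, "description": description}
        if tasks:  # tasks can be supplied inline at creation time
            body["tasks"] = [{"title": t} for t in tasks]
        return self.call("POST", "/api/case", body)

    def create_task(self, case_id, title):
        return self.call("POST", f"/api/case/{case_id}/task", {"title": title})

    def create_artifact(self, case_id, data, data_type, message):
        # the field is "message", not "description" (see the correction above)
        return self.call("POST", f"/api/case/{case_id}/artifact",
                         {"data": data, "dataType": data_type, "message": message})

    def search_case_templates(self):
        return self.call("POST", "/api/case/template/_search")  # no body, no Content-Type


def open_incident(client, title, description, observables):
    """Case, then one extra task, then observables; returns the id the URLs need."""
    case = client.create_case(title, description, tasks=["Triage", "Containment"])
    case_id = case["id"]  # the string "id", not the numeric "caseId"
    task = client.create_task(case_id, "Write report")
    artifacts = [client.create_artifact(case_id, *obs) for obs in observables]
    return case_id, task, artifacts


# --- constructed stand-in for the server so the example runs offline ----------
SAMPLE_CASE = {"severity": 3, "owner": "nabil", "status": "Open", "caseId": 17,
               "tlp": -1, "flag": False, "id": "AVmxKtk-n1k5qFRLIDqG", "type": "case"}


class FakeTransport:
    def __init__(self):
        self.calls = []  # (method, path, lower-cased headers, parsed body)

    def __call__(self, request):
        method = request.get_method()
        path = urllib.parse.urlsplit(request.full_url).path
        headers = {k.lower(): v for k, v in request.header_items()}
        body = json.loads(request.data) if request.data else None
        self.calls.append((method, path, headers, body))
        parts = path.strip("/").split("/")
        if (method, path) == ("POST", "/api/case"):
            return 200, json.dumps({**SAMPLE_CASE, **body}).encode()
        if (method, path) == ("POST", "/api/case/template/_search"):
            return 200, b"[]"
        if len(parts) == 4 and parts[:2] == ["api", "case"] and parts[3] in ("task", "artifact"):
            if parts[2] != SAMPLE_CASE["id"]:  # e.g. the numeric caseId used by mistake
                return 404, f"case {parts[2]} not found".encode()
            return 200, json.dumps({**body, "id": f"{parts[3]}-1"}).encode()
        return 404, b"A client error occurred"


if __name__ == "__main__":
    fake = FakeTransport()
    client = TheHiveClient(BASE_URL, "myuser", "mypassword", transport=fake)
    cid, task, arts = open_incident(client, "My first case", "Created by script",
                                    [("8.8.8.8", "ip", "Google DNS server")])
    print(cid, task["id"], [a["data"] for a in arts], client.search_case_templates())
```

Passing `transport=None` makes the client talk to a real instance over urllib; the `FakeTransport` exists only so the request shapes, including the "case 17 not found" response you get when the numeric `caseId` is put in the URL, can be checked without a server.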

@ghost
Author

ghost commented Jan 18, 2017

And so, I imagine it is possible, in a single command, to create a case, create a task and create an observable.
Am I wrong?

@nadouani
Contributor

No, I don't think that the case creation API allows providing observables, because we cannot mix file observables (which require multipart) and non-file observables.

@ghost
Author

ghost commented Jan 18, 2017

Never mind.
Do you know the attribute for the rights when creating a user?

PS: is it not possible to remove a user with the API?

@nadouani
Contributor

Sorry I don't get the question. What do you mean by "the attribute for the rights", you mean the roles and permissions?

@ghost
Author

ghost commented Jan 18, 2017

Yes, that's it!
The "????": "write" one.

@nadouani
Contributor

OK, you can create the user with the following body:

{
    "roles": ["read", "write"],
    "login": "THE_USERNAME",
    "name": "THE_FULLNAME",
    "password": "THE_PASSWORD"
}

@ghost
Author

ghost commented Jan 18, 2017

OK thanks, but it's not possible to remove one?

@nadouani
Contributor

Not currently, but you can "lock" a user by doing a PATCH with the following body

{"status": "Locked"}

on the following URL

/api/user/<USER_LOGIN>
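As an added example (not code from TheHive or from anyone in this thread), here is the user-management side of the replies above in Python: the creation body with `roles`, `login`, `name` and `password` exactly as given, and the PATCH of `{"status": "Locked"}` to `/api/user/<USER_LOGIN>` that stands in for deletion. The `POST /api/user` creation URL is an assumption, since the reply only gives the body; the host, the `AUTH` placeholder and `fake_send` are constructed so the block runs offline. The login is percent-encoded before it is placed in the path, so a login containing `@` or `/` cannot change which URL the PATCH reaches.

```python
import json
import urllib.parse
import urllib.request

BASE_URL = "http://127.0.0.1:9000"  # host used in the thread; not contacted here
AUTH = "Basic <BASE64_OF_LOGIN_COLON_PASSWORD>"  # placeholder for what curl -u would send


def _json_request(url, method, body, auth_header):
    """JSON body with an explicit Content-Type and the Basic auth header."""
    return urllib.request.Request(
        url, data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "Authorization": auth_header},
        method=method)


def create_user_request(base_url, auth_header, login, name, password, roles=("read",)):
    """Body as in the reply above; POST /api/user is an assumed URL, not one given on the page."""
    body = {"roles": list(roles), "login": login, "name": name, "password": password}
    return _json_request(f"{base_url}/api/user", "POST", body, auth_header)


def lock_user_request(base_url, auth_header, login):
    """PATCH /api/user/<USER_LOGIN> with {"status": "Locked"}: the thread's substitute for deletion."""
    safe_login = urllib.parse.quote(login, safe="")  # keep e.g. "j.doe@corp" inside one path segment
    return _json_request(f"{base_url}/api/user/{safe_login}", "PATCH",
                         {"status": "Locked"}, auth_header)


def deprovision(send, base_url, auth_header, logins):
    """Lock each login in turn; returns {login: HTTP status} so a partial failure stays visible."""
    results = {}
    for login in logins:
        status, _ = send(lock_user_request(base_url, auth_header, login))
        results[login] = status
    return results


def fake_send(request):
    """Constructed stand-in for the server: accepts a PATCH on /api/user/<login> and nothing else."""
    path = urllib.parse.urlsplit(request.full_url).path
    ok = (request.get_method() == "PATCH"
          and path.startswith("/api/user/") and path.count("/") == 3)
    return (200, b"{}") if ok else (404, b"A client error occurred")


if __name__ == "__main__":
    req = create_user_request(BASE_URL, AUTH, "alice", "Alice Analyst", "CHANGE_ME", ["read", "write"])
    print(req.get_method(), req.full_url, req.data.decode())
    print(deprovision(fake_send, BASE_URL, AUTH, ["alice", "j.doe@corp"]))
```

To run it against a real instance, replace `fake_send` with a function that calls `urllib.request.urlopen(request)` and returns `(resp.status, resp.read())`; the request objects themselves are unchanged.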

@ghost
Author

ghost commented Jan 18, 2017

Okay! And where can we find the :caseTemplateId?

@To-om
Contributor

To-om commented Jan 18, 2017

You can list case templates using the following command:

curl -u user:password -XPOST http://127.0.0.1:9000/api/case/template/_search

@ghost
Author

ghost commented Jan 19, 2017

Hello!

When I issue a _search command, the response appears as a large block with information everywhere, except for users where the information is tidy. Is there a parameter to fill in?

Thank you

@nadouani
Contributor

Hi @CommiAI, what are you trying to do with the APIs? What's your use case?
I think that this "issue" is turning into a "How to" thread, which is not its goal :)

_search APIs are search APIs that support a certain syntax for filtering, sorting etc., so it depends on what you are searching for.

IMHO, there are three options:

  • Let's continue this discussion on the user forum
  • Use the UI and check the API calls made by the front end
  • Wait for a more complete API documentation :)

I personally think that the second option is the best one.

@ghost
Author

ghost commented Jan 19, 2017

So, I chose the 3rd option ;)

@nadouani
Contributor

That means that you have a lot to do with TheHive :)
