basePath: /api consumes: - application/json definitions: Artifact: properties: enrichments: additionalProperties: $ref: '#/definitions/Enrichment' type: object kind: type: string name: example: 2.2.2.2 type: string status: example: Unknown type: string type: type: string required: - name type: object ArtifactOrigin: properties: artifact: type: string ticket_id: format: int64 type: integer required: - ticket_id - artifact type: object Automation: properties: image: type: string schema: example: '{}' type: string script: type: string type: items: enum: - artifact - playbook - global type: string type: array required: - image - script - type type: object AutomationForm: properties: id: type: string image: type: string schema: example: '{}' type: string script: type: string type: items: enum: - artifact - playbook - global type: string type: array required: - id - image - script - type type: object AutomationResponse: properties: id: type: string image: type: string schema: example: '{}' type: string script: type: string type: items: enum: - artifact - playbook - global type: string type: array required: - id - image - script - type type: object Comment: properties: created: format: date-time type: string creator: type: string message: type: string required: - creator - created - message type: object CommentForm: properties: created: format: date-time type: string creator: type: string message: type: string required: - message type: object Context: properties: artifact: $ref: '#/definitions/Artifact' playbook: $ref: '#/definitions/PlaybookResponse' task: $ref: '#/definitions/TaskResponse' ticket: $ref: '#/definitions/TicketResponse' type: object Dashboard: properties: name: type: string widgets: items: $ref: '#/definitions/Widget' type: array required: - name - widgets type: object DashboardResponse: properties: id: type: string name: type: string widgets: items: $ref: '#/definitions/Widget' type: array required: - id - name - widgets type: object Enrichment: 
properties: created: example: 1985-04-12T23:20:50.52Z format: date-time type: string data: example: hash: b7a067a742c20d07a7456646de89bc2d408a1153 type: object name: example: hash.sha1 type: string required: - name - data - created type: object EnrichmentForm: properties: data: example: hash: b7a067a742c20d07a7456646de89bc2d408a1153 type: object name: example: hash.sha1 type: string required: - name - data type: object File: properties: key: example: myfile type: string name: example: notes.docx type: string required: - key - name type: object Job: properties: automation: type: string container: type: string log: type: string origin: $ref: '#/definitions/Origin' output: type: object payload: {} running: type: boolean status: type: string required: - automation - running - status type: object JobForm: properties: automation: type: string origin: $ref: '#/definitions/Origin' payload: {} required: - automation type: object JobResponse: properties: automation: type: string container: type: string id: type: string log: type: string origin: $ref: '#/definitions/Origin' output: type: object payload: {} status: type: string required: - id - automation - status type: object JobUpdate: properties: container: type: string log: type: string output: type: object running: type: boolean status: type: string required: - running - status type: object LogEntry: properties: created: format: date-time type: string creator: type: string message: type: string reference: type: string type: type: string required: - type - reference - creator - created - message type: object Message: properties: context: $ref: '#/definitions/Context' payload: {} secrets: additionalProperties: type: string type: object type: object NewUserResponse: properties: blocked: type: boolean id: type: string roles: items: type: string type: array secret: type: string required: - id - blocked - roles type: object Origin: properties: artifact_origin: $ref: '#/definitions/ArtifactOrigin' task_origin: $ref: 
'#/definitions/TaskOrigin' type: object Playbook: properties: name: example: Phishing type: string tasks: additionalProperties: $ref: '#/definitions/Task' type: object required: - name - tasks type: object PlaybookResponse: properties: name: example: Phishing type: string tasks: additionalProperties: $ref: '#/definitions/TaskResponse' type: object required: - name - tasks type: object PlaybookTemplate: properties: name: type: string yaml: type: string required: - name - yaml type: object PlaybookTemplateForm: properties: id: type: string yaml: type: string required: - yaml type: object PlaybookTemplateResponse: properties: id: type: string name: type: string yaml: type: string required: - id - name - yaml type: object Reference: properties: href: example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-0144 type: string name: example: CVE-2017-0144 type: string required: - name - href type: object ReferenceArray: items: $ref: '#/definitions/Reference' type: array Settings: properties: artifactKinds: items: $ref: '#/definitions/Type' title: Artifact Kinds type: array artifactStates: items: $ref: '#/definitions/Type' title: Artifact States type: array timeformat: title: Time Format type: string required: - timeformat - artifactKinds - artifactStates type: object SettingsResponse: properties: artifactKinds: items: $ref: '#/definitions/Type' title: Artifact Kinds type: array artifactStates: items: $ref: '#/definitions/Type' title: Artifact States type: array roles: items: type: string title: Roles type: array ticketTypes: items: $ref: '#/definitions/TicketTypeResponse' title: Ticket Types type: array tier: enum: - community - enterprise title: Tier type: string timeformat: title: Time Format type: string version: title: Version type: string required: - version - tier - timeformat - ticketTypes - artifactKinds - artifactStates type: object Statistics: properties: open_tickets_per_user: additionalProperties: type: integer type: object tickets_per_type: 
additionalProperties: type: integer type: object tickets_per_week: additionalProperties: type: integer type: object unassigned: type: integer required: - unassigned - open_tickets_per_user - tickets_per_week - tickets_per_type type: object Task: properties: automation: type: string closed: example: 1985-04-12T23:20:50.52Z format: date-time type: string created: example: 1985-04-12T23:20:50.52Z format: date-time type: string data: type: object done: type: boolean join: example: false type: boolean name: example: Inform user type: string next: additionalProperties: type: string type: object owner: type: string payload: additionalProperties: type: string type: object schema: type: object type: enum: - task - input - automation example: task type: string required: - name - type - done - created type: object TaskOrigin: properties: playbook_id: type: string task_id: type: string ticket_id: format: int64 type: integer required: - ticket_id - playbook_id - task_id type: object TaskResponse: properties: active: example: false type: boolean automation: type: string closed: example: 1985-04-12T23:20:50.52Z format: date-time type: string created: example: 1985-04-12T23:20:50.52Z format: date-time type: string data: type: object done: type: boolean join: example: false type: boolean name: example: Inform user type: string next: additionalProperties: type: string type: object order: example: 2 format: int64 type: number owner: type: string payload: additionalProperties: type: string type: object schema: type: object type: enum: - task - input - automation example: task type: string required: - name - type - done - created - order - active type: object TaskWithContext: properties: playbook_id: type: string playbook_name: type: string task: $ref: '#/definitions/TaskResponse' task_id: type: string ticket_id: format: int64 type: number ticket_name: type: string required: - ticket_id - ticket_name - playbook_id - playbook_name - task_id - task type: object Ticket: properties: 
artifacts: items: $ref: '#/definitions/Artifact' type: array comments: items: $ref: '#/definitions/Comment' type: array created: example: 1985-04-12T23:20:50.52Z format: date-time type: string details: example: description: my little incident type: object files: items: $ref: '#/definitions/File' type: array modified: example: 1985-04-12T23:20:50.52Z format: date-time type: string name: example: WannyCry type: string owner: example: bob type: string playbooks: additionalProperties: $ref: '#/definitions/Playbook' type: object read: example: - bob items: type: string type: array references: items: $ref: '#/definitions/Reference' type: array schema: example: '{}' type: string status: example: open type: string type: example: incident type: string write: example: - alice items: type: string type: array required: - name - type - status - created - modified - schema type: object TicketForm: properties: artifacts: items: $ref: '#/definitions/Artifact' type: array comments: items: $ref: '#/definitions/Comment' type: array created: example: 1985-04-12T23:20:50.52Z format: date-time type: string details: example: description: my little incident type: object files: items: $ref: '#/definitions/File' type: array id: example: 123 format: int64 type: integer modified: example: 1985-04-12T23:20:50.52Z format: date-time type: string name: example: WannyCry type: string owner: example: bob type: string playbooks: items: $ref: '#/definitions/PlaybookTemplateForm' type: array read: example: - bob items: type: string type: array references: items: $ref: '#/definitions/Reference' type: array schema: example: '{}' type: string status: example: open type: string type: example: incident type: string write: example: - alice items: type: string type: array required: - name - type - status type: object TicketFormArray: items: $ref: '#/definitions/TicketForm' type: array TicketList: properties: count: example: 3 type: number tickets: items: $ref: '#/definitions/TicketSimpleResponse' type: array 
required: - tickets - count type: object TicketResponse: properties: artifacts: items: $ref: '#/definitions/Artifact' type: array comments: items: $ref: '#/definitions/Comment' type: array created: example: 1985-04-12T23:20:50.52Z format: date-time type: string details: example: description: my little incident type: object files: items: $ref: '#/definitions/File' type: array id: example: 123 format: int64 type: integer modified: example: 1985-04-12T23:20:50.52Z format: date-time type: string name: example: WannyCry type: string owner: example: bob type: string playbooks: additionalProperties: $ref: '#/definitions/PlaybookResponse' type: object read: example: - bob items: type: string type: array references: items: $ref: '#/definitions/Reference' type: array schema: example: '{}' type: string status: example: open type: string type: example: incident type: string write: example: - alice items: type: string type: array required: - id - name - type - status - created - modified - schema type: object TicketSimpleResponse: properties: artifacts: items: $ref: '#/definitions/Artifact' type: array comments: items: $ref: '#/definitions/Comment' type: array created: example: 1985-04-12T23:20:50.52Z format: date-time type: string details: example: description: my little incident type: object files: items: $ref: '#/definitions/File' type: array id: example: 123 format: int64 type: integer modified: example: 1985-04-12T23:20:50.52Z format: date-time type: string name: example: WannyCry type: string owner: example: bob type: string playbooks: additionalProperties: $ref: '#/definitions/Playbook' type: object read: example: - bob items: type: string type: array references: items: $ref: '#/definitions/Reference' type: array schema: example: '{}' type: string status: example: open type: string type: example: incident type: string write: example: - alice items: type: string type: array required: - id - name - type - status - created - modified - schema type: object TicketTemplate: 
properties: name: type: string schema: type: string required: - name - schema type: object TicketTemplateForm: properties: id: type: string name: type: string schema: type: string required: - name - schema type: object TicketTemplateResponse: properties: id: type: string name: type: string schema: type: string required: - id - name - schema type: object TicketType: properties: default_groups: items: type: string type: array default_playbooks: items: type: string type: array default_template: type: string icon: type: string name: type: string required: - name - icon - default_template - default_playbooks type: object TicketTypeForm: properties: default_groups: items: type: string type: array default_playbooks: items: type: string type: array default_template: type: string icon: type: string id: type: string name: type: string required: - name - icon - default_template - default_playbooks type: object TicketTypeResponse: properties: default_groups: items: type: string type: array default_playbooks: items: type: string type: array default_template: type: string icon: type: string id: type: string name: type: string required: - id - name - icon - default_template - default_playbooks type: object TicketWithTickets: properties: artifacts: items: $ref: '#/definitions/Artifact' type: array comments: items: $ref: '#/definitions/Comment' type: array created: example: 1985-04-12T23:20:50.52Z format: date-time type: string details: example: description: my little incident type: object files: items: $ref: '#/definitions/File' type: array id: example: 123 format: int64 type: integer logs: items: $ref: '#/definitions/LogEntry' type: array modified: example: 1985-04-12T23:20:50.52Z format: date-time type: string name: example: WannyCry type: string owner: example: bob type: string playbooks: additionalProperties: $ref: '#/definitions/PlaybookResponse' type: object read: example: - bob items: type: string type: array references: items: $ref: '#/definitions/Reference' type: array 
schema: example: '{}' type: string status: example: open type: string tickets: items: $ref: '#/definitions/TicketSimpleResponse' type: array type: example: incident type: string write: example: - alice items: type: string type: array required: - id - name - type - status - created - modified - schema type: object Type: properties: color: enum: - error - info - success - warning title: Color type: string x-cols: 3 icon: title: Icon (https://materialdesignicons.com) type: string x-class: pr-2 x-cols: 3 id: title: ID type: string x-class: pr-2 x-cols: 3 name: title: Name type: string x-class: pr-2 x-cols: 3 required: - id - name - icon type: object User: properties: apikey: type: boolean blocked: type: boolean roles: items: type: string type: array sha256: type: string required: - blocked - apikey - roles type: object UserData: properties: email: type: string x-example: bob@example.org image: type: string x-display: custom-avatar name: type: string x-example: Robert Smith timeformat: title: Time Format (https://moment.github.io/luxon/docs/manual/formatting.html#table-of-tokens) type: string type: object UserDataResponse: properties: email: type: string x-example: bob@example.org id: type: string image: type: string x-display: custom-avatar name: type: string x-example: Robert Smith timeformat: title: Time Format (https://moment.github.io/luxon/docs/manual/formatting.html#table-of-tokens) type: string required: - id type: object UserForm: properties: apikey: type: boolean blocked: type: boolean id: type: string roles: items: type: string type: array required: - id - blocked - roles - apikey type: object UserResponse: properties: apikey: type: boolean blocked: type: boolean id: type: string roles: items: type: string type: array required: - id - blocked - roles - apikey type: object Widget: properties: aggregation: type: string filter: type: string name: type: string type: enum: - bar - line - pie type: string width: maximum: 12 minimum: 1 type: integer required: - name 
- type - aggregation - width type: object host: . info: description: API for the catalyst incident response platform. title: "" version: "" paths: /automations: get: operationId: listAutomations responses: "200": description: successful operation examples: test: - id: comment image: docker.io/python:3 script: "" type: - playbook - id: hash.sha1 image: docker.io/python:3 schema: '{"title":"Input","type":"object","properties":{"default":{"type":"string","title":"Value"}},"required":["default"]}' script: "" type: - global - artifact - playbook - id: vt.hash image: docker.io/python:3 schema: '{"title":"Input","type":"object","properties":{"default":{"type":"string","title":"Value"}},"required":["default"]}' script: "" type: - global - artifact - playbook schema: items: $ref: '#/definitions/AutomationResponse' type: array security: - roles: - automation:read summary: List automations tags: - automations post: operationId: createAutomation parameters: - description: New automation in: body name: automation required: true schema: $ref: '#/definitions/AutomationForm' x-example: id: hash-sha-256 image: docker.io/python:3 script: | import sys import json import hashlib def run(msg): sha256 = hashlib.sha256(msg['payload']['default'].encode('utf-8')) return {'hash': sha256.hexdigest()} print(json.dumps(run(json.loads(sys.argv[1])))) type: - global responses: "200": description: successful operation examples: test: id: hash-sha-256 image: docker.io/python:3 script: | import sys import json import hashlib def run(msg): sha256 = hashlib.sha256(msg['payload']['default'].encode('utf-8')) return {'hash': sha256.hexdigest()} print(json.dumps(run(json.loads(sys.argv[1])))) type: - global schema: $ref: '#/definitions/AutomationResponse' security: - roles: - automation:write summary: Create a new automation tags: - automations /automations/{id}: delete: operationId: deleteAutomation parameters: - description: Automation ID in: path name: id required: true type: string x-example: 
hash.sha1 responses: "204": description: successful operation security: - roles: - automation:write summary: Delete an automation tags: - automations get: operationId: getAutomation parameters: - description: Automation ID in: path name: id required: true type: string x-example: hash.sha1 responses: "200": description: successful operation examples: test: id: hash.sha1 image: docker.io/python:3 schema: '{"title":"Input","type":"object","properties":{"default":{"type":"string","title":"Value"}},"required":["default"]}' script: | #!/usr/bin/env python import sys import json import hashlib def run(msg): sha1 = hashlib.sha1(msg['payload']['default'].encode('utf-8')) return {"hash": sha1.hexdigest()} print(json.dumps(run(json.loads(sys.argv[1])))) type: - global - artifact - playbook schema: $ref: '#/definitions/AutomationResponse' security: - roles: - automation:read summary: Get a single automation tags: - automations put: operationId: updateAutomation parameters: - description: Automation ID in: path name: id required: true type: string x-example: hash.sha1 - description: Automation object that needs to be added in: body name: automation required: true schema: $ref: '#/definitions/AutomationForm' x-example: id: hash.sha1 image: docker.io/python:3 script: | import sys import json import hashlib def run(msg): sha1 = hashlib.sha1(msg['payload'].encode('utf-8')) return {'hash': sha1.hexdigest()} print(json.dumps(run(json.loads(sys.argv[1])))) type: - global - artifact - playbook responses: "200": description: successful operation examples: test: id: hash.sha1 image: docker.io/python:3 script: | import sys import json import hashlib def run(msg): sha1 = hashlib.sha1(msg['payload'].encode('utf-8')) return {'hash': sha1.hexdigest()} print(json.dumps(run(json.loads(sys.argv[1])))) type: - global - artifact - playbook schema: $ref: '#/definitions/AutomationResponse' security: - roles: - automation:write summary: Update an existing automation tags: - automations /currentuser: 
get: operationId: currentUser responses: "200": description: successful operation examples: test: apikey: false blocked: false id: bob roles: - admin:backup:read - admin:backup:restore - admin:dashboard:write - admin:group:write - admin:job:read - admin:job:write - admin:log:read - admin:settings:write - admin:ticket:delete - admin:user:write - admin:userdata:read - admin:userdata:write - analyst:automation:read - analyst:currentsettings:write - analyst:currentuser:read - analyst:currentuserdata:read - analyst:dashboard:read - analyst:file - analyst:group:read - analyst:playbook:read - analyst:rule:read - analyst:settings:read - analyst:template:read - analyst:ticket:read - analyst:ticket:write - analyst:tickettype:read - analyst:user:read - engineer:automation:write - engineer:playbook:write - engineer:rule:write - engineer:template:write - engineer:tickettype:write schema: $ref: '#/definitions/UserResponse' security: - roles: - currentuser:read summary: Get current user tags: - users /currentuserdata: get: operationId: currentUserData responses: "200": description: successful operation examples: test: email: bob@example.org id: bob name: Bob Bad schema: $ref: '#/definitions/UserDataResponse' security: - roles: - currentuserdata:read summary: Get current user data tags: - userdata put: operationId: updateCurrentUserData parameters: - description: User data object that needs to be added in: body name: userdata required: true schema: $ref: '#/definitions/UserData' x-example: email: bob@example.org name: Bob Bad responses: "200": description: successful operation examples: test: email: bob@example.org id: bob name: Bob Bad schema: $ref: '#/definitions/UserDataResponse' security: - roles: - currentuserdata:write summary: Update current user data tags: - userdata /dashboard/data: get: operationId: dashboardData parameters: - description: Aggregation in: query name: aggregation required: true type: string x-example: type - description: Filter in: query name: filter 
type: string x-example: status == "closed" responses: "200": description: successful operation examples: test: alert: 2 incident: 1 schema: type: object security: - roles: - dashboard:read summary: Get widget data tags: - dashboards /dashboards: get: operationId: listDashboards responses: "200": description: successful operation examples: test: - id: simple name: Simple widgets: - aggregation: owner filter: status == "open" name: open_tickets_per_user type: bar width: 4 - aggregation: 'CONCAT(DATE_YEAR(created), "-", DATE_ISOWEEK(created) < 10 ? "0" : "", DATE_ISOWEEK(created))' name: tickets_per_week type: line width: 8 schema: items: $ref: '#/definitions/DashboardResponse' type: array security: - roles: - dashboard:read summary: List dashboards tags: - dashboards post: operationId: createDashboard parameters: - description: New dashboard in: body name: template required: true schema: $ref: '#/definitions/Dashboard' x-example: name: My Dashboard widgets: [] responses: "200": description: successful operation examples: test: id: my-dashboard name: My Dashboard widgets: [] schema: $ref: '#/definitions/DashboardResponse' security: - roles: - dashboard:write summary: Create a new dashboard tags: - dashboards /dashboards/{id}: delete: operationId: deleteDashboard parameters: - description: Dashboard ID in: path name: id required: true type: string x-example: simple responses: "204": description: successful operation security: - roles: - dashboard:write summary: Delete a dashboard tags: - dashboards get: operationId: getDashboard parameters: - description: Dashboard ID in: path name: id required: true type: string x-example: simple responses: "200": description: successful operation examples: test: id: simple name: Simple widgets: - aggregation: owner filter: status == "open" name: open_tickets_per_user type: bar width: 4 - aggregation: 'CONCAT(DATE_YEAR(created), "-", DATE_ISOWEEK(created) < 10 ? 
"0" : "", DATE_ISOWEEK(created))' name: tickets_per_week type: line width: 8 schema: $ref: '#/definitions/DashboardResponse' security: - roles: - dashboard:read summary: Get a single dashboard tags: - dashboards put: operationId: updateDashboard parameters: - description: Dashboard ID in: path name: id required: true type: string x-example: simple - description: Dashboard object that needs to be added in: body name: dashboard required: true schema: $ref: '#/definitions/Dashboard' x-example: name: Simple widgets: [] responses: "200": description: successful operation examples: test: id: simple name: Simple widgets: [] schema: $ref: '#/definitions/DashboardResponse' security: - roles: - dashboard:write summary: Update an existing dashboard tags: - dashboards /jobs: get: operationId: listJobs responses: "200": description: successful operation examples: test: - automation: hash.sha1 id: b81c2366-ea37-43d2-b61b-03afdc21d985 payload: test status: created schema: items: $ref: '#/definitions/JobResponse' type: array security: - roles: - job:read summary: List jobs tags: - jobs post: operationId: runJob parameters: - description: New job in: body name: job required: true schema: $ref: '#/definitions/JobForm' x-example: automation: hash.sha1 payload: test responses: "200": description: successful operation examples: test: automation: hash.sha1 id: 87390749-2125-4a87-91c5-da7e3f9bebf1 payload: test status: created schema: $ref: '#/definitions/JobResponse' security: - roles: - job:write summary: Start a new job tags: - jobs /jobs/{id}: get: operationId: getJob parameters: - description: Job ID in: path name: id required: true type: string x-example: b81c2366-ea37-43d2-b61b-03afdc21d985 responses: "200": description: successful operation examples: test: automation: hash.sha1 id: b81c2366-ea37-43d2-b61b-03afdc21d985 payload: test status: created schema: $ref: '#/definitions/JobResponse' security: - roles: - job:read summary: Get a single job tags: - jobs put: operationId: 
updateJob parameters: - description: Job ID in: path name: id required: true type: string x-example: b81c2366-ea37-43d2-b61b-03afdc21d985 - description: Job object that needs to be added in: body name: job required: true schema: $ref: '#/definitions/JobUpdate' x-example: running: false status: failed responses: "200": description: successful operation examples: test: automation: hash.sha1 id: b81c2366-ea37-43d2-b61b-03afdc21d985 payload: test status: failed schema: $ref: '#/definitions/JobResponse' security: - roles: - job:write summary: Update an existing job tags: - jobs /logs/{reference}: get: operationId: getLogs parameters: - description: Reference in: path name: reference required: true type: string x-example: tickets%2F294511 responses: "200": description: successful operation examples: test: - created: 2021-12-12T12:12:12.000000012Z creator: bob message: Fail run account resist lend solve incident centre priority temperature. Cause change distribution examine location technique shape partner milk customer. Rail tea plate soil report cook railway interpretation breath action. Exercise dream accept park conclusion addition shoot assistance may answer. Gold writer link stop combine hear power name commitment operation. Determine lifespan support grow degree henry exclude detail set religion. Direct library policy convention chain retain discover ride walk student. Gather proposal select march aspect play noise avoid encourage employ. Assessment preserve transport combine wish influence income guess run stand. Charge limit crime ignore statement foundation study issue stop claim. reference: tickets/294511 type: manual schema: items: $ref: '#/definitions/LogEntry' type: array security: - roles: - log:read summary: Get log entries tags: - logs /playbooks: get: operationId: listPlaybooks responses: "200": description: successful operation examples: test: - id: malware name: Malware yaml: | name: Malware tasks: file-or-hash: name: Do you have the file or the hash? 
type: input schema: title: Malware type: object properties: file: type: string title: "I have the" enum: [ "File", "Hash" ] next: enter-hash: "file == 'Hash'" upload: "file == 'File'" enter-hash: name: Please enter the hash type: input schema: title: Malware type: object properties: hash: type: string title: Please enter the hash value minlength: 32 next: virustotal: "hash != ''" upload: name: Upload the malware type: input schema: title: Malware type: object properties: malware: type: object x-display: file title: Please upload the malware next: hash: "malware" hash: name: Hash the malware type: automation automation: hash.sha1 payload: default: "playbook.tasks['upload'].data['malware']" next: virustotal: virustotal: name: Send hash to VirusTotal type: automation automation: vt.hash args: hash: "playbook.tasks['enter-hash'].data['hash'] || playbook.tasks['hash'].data['hash']" # next: # known-malware: "score > 5" # sandbox: "score < 6" # unknown-malware - id: phishing name: Phishing yaml: | name: Phishing tasks: board: name: Board Involvement? description: Is a board member involved? type: input schema: properties: boardInvolved: default: false title: A board member is involved. type: boolean required: - boardInvolved title: Board Involvement? type: object next: escalate: "boardInvolved == true" mail-available: "boardInvolved == false" escalate: name: Escalate to CISO description: Please escalate the task to the CISO type: task mail-available: name: Mail available type: input schema: oneOf: - properties: mail: title: Mail type: string x-display: textarea schemaKey: const: 'yes' type: string required: - mail title: 'Yes' - properties: schemaKey: const: 'no' type: string title: 'No' title: Mail available type: object next: block-sender: "schemaKey == 'yes'" extract-iocs: "schemaKey == 'yes'" search-email-gateway: "schemaKey == 'no'" search-email-gateway: name: Search email gateway description: Please search email-gateway for the phishing mail. 
type: task next: extract-iocs: block-sender: name: Block sender type: task next: extract-iocs: extract-iocs: name: Extract IOCs description: Please insert the IOCs type: input schema: properties: iocs: items: type: string title: IOCs type: array title: Extract IOCs type: object next: block-iocs: block-iocs: name: Block IOCs type: task - id: simple name: Simple yaml: | name: Simple tasks: input: name: Enter something to hash type: input schema: title: Something type: object properties: something: type: string title: Something default: "" next: hash: "something != ''" hash: name: Hash the something type: automation automation: hash.sha1 payload: default: "playbook.tasks['input'].data['something']" next: comment: "hash != ''" comment: name: Comment the hash type: automation automation: comment payload: default: "playbook.tasks['hash'].data['hash']" next: done: "done" done: name: You can close this case now type: task schema: items: $ref: '#/definitions/PlaybookTemplateResponse' type: array security: - roles: - playbook:read summary: List playbooks tags: - playbooks post: operationId: createPlaybook parameters: - description: New playbook in: body name: playbook required: true schema: $ref: '#/definitions/PlaybookTemplateForm' x-example: yaml: | name: Simple2 tasks: input: name: Upload malware if possible type: input schema: title: Malware type: object properties: malware: type: string title: Select malware default: "" next: hash: "malware != ''" hash: name: Hash the malware type: automation automation: hash.sha1 payload: default: "playbook.tasks['input'].data['malware']" next: escalate: escalate: name: Escalate to malware team type: task responses: "200": description: successful operation examples: test: id: simple-2 name: Simple2 yaml: | name: Simple2 tasks: input: name: Upload malware if possible type: input schema: title: Malware type: object properties: malware: type: string title: Select malware default: "" next: hash: "malware != ''" hash: name: Hash the malware 
type: automation automation: hash.sha1 payload: default: "playbook.tasks['input'].data['malware']" next: escalate: escalate: name: Escalate to malware team type: task schema: $ref: '#/definitions/PlaybookTemplateResponse' security: - roles: - playbook:write summary: Create a playbook tags: - playbooks /playbooks/{id}: delete: operationId: deletePlaybook parameters: - description: Playbook name in: path name: id required: true type: string x-example: simple responses: "204": description: successful operation security: - roles: - playbook:write summary: Delete a playbook tags: - playbooks get: operationId: getPlaybook parameters: - description: Playbook name in: path name: id required: true type: string x-example: simple responses: "200": description: successful operation examples: test: id: simple name: Simple yaml: | name: Simple tasks: input: name: Enter something to hash type: input schema: title: Something type: object properties: something: type: string title: Something default: "" next: hash: "something != ''" hash: name: Hash the something type: automation automation: hash.sha1 payload: default: "playbook.tasks['input'].data['something']" next: comment: "hash != ''" comment: name: Comment the hash type: automation automation: comment payload: default: "playbook.tasks['hash'].data['hash']" next: done: "done" done: name: You can close this case now type: task schema: $ref: '#/definitions/PlaybookTemplateResponse' security: - roles: - playbook:read summary: Get a single playbook tags: - playbooks put: operationId: updatePlaybook parameters: - description: Playbook ID in: path name: id required: true type: string x-example: simple - description: Updated playbook in: body name: playbook required: true schema: $ref: '#/definitions/PlaybookTemplateForm' x-example: yaml: | name: Simple tasks: input: name: Upload malware if possible type: input schema: title: Malware type: object properties: malware: type: string title: Select malware default: "" next: hash: "malware 
!= ''" hash: name: Hash the malware type: automation automation: hash.sha1 payload: default: "playbook.tasks['input'].data['malware']" next: escalate: escalate: name: Escalate to malware team type: task responses: "200": description: successful operation examples: test: id: simple name: Simple yaml: | name: Simple tasks: input: name: Upload malware if possible type: input schema: title: Malware type: object properties: malware: type: string title: Select malware default: "" next: hash: "malware != ''" hash: name: Hash the malware type: automation automation: hash.sha1 payload: default: "playbook.tasks['input'].data['malware']" next: escalate: escalate: name: Escalate to malware team type: task schema: $ref: '#/definitions/PlaybookTemplateResponse' security: - roles: - playbook:write summary: Update an existing ticket playbook tags: - playbooks /settings: get: operationId: getSettings responses: "200": description: successful operation examples: test: artifactKinds: - icon: mdi-server id: asset name: Asset - icon: mdi-bullseye id: ioc name: IOC artifactStates: - color: info icon: mdi-help-circle-outline id: unknown name: Unknown - color: error icon: mdi-skull id: malicious name: Malicious - color: success icon: mdi-check id: clean name: Clean roles: - admin:backup:read - admin:backup:restore - admin:dashboard:write - admin:group:write - admin:job:read - admin:job:write - admin:log:read - admin:settings:write - admin:ticket:delete - admin:user:write - admin:userdata:read - admin:userdata:write - analyst:automation:read - analyst:currentsettings:write - analyst:currentuser:read - analyst:currentuserdata:read - analyst:dashboard:read - analyst:file - analyst:group:read - analyst:playbook:read - analyst:rule:read - analyst:settings:read - analyst:template:read - analyst:ticket:read - analyst:ticket:write - analyst:tickettype:read - analyst:user:read - engineer:automation:write - engineer:playbook:write - engineer:rule:write - engineer:template:write - 
engineer:tickettype:write ticketTypes: - default_playbooks: [] default_template: default icon: mdi-alert id: alert name: Alerts - default_playbooks: [] default_template: default icon: mdi-radioactive id: incident name: Incidents - default_playbooks: [] default_template: default icon: mdi-fingerprint id: investigation name: Forensic Investigations - default_playbooks: [] default_template: default icon: mdi-target id: hunt name: Threat Hunting tier: community timeformat: yyyy-MM-dd hh:mm:ss version: 0.0.0-test schema: $ref: '#/definitions/SettingsResponse' security: - roles: - settings:read summary: Get settings tags: - settings post: operationId: saveSettings parameters: - description: Save settings in: body name: settings required: true schema: $ref: '#/definitions/Settings' x-example: artifactKinds: - icon: mdi-server id: asset name: Asset - icon: mdi-bullseye id: ioc name: IOC artifactStates: - color: info icon: mdi-help-circle-outline id: unknown name: Unknown - color: error icon: mdi-skull id: malicious name: Malicious - color: success icon: mdi-check id: clean name: Clean timeformat: yyyy-MM-dd hh:mm:ss responses: "200": description: successful operation examples: test: artifactKinds: - icon: mdi-server id: asset name: Asset - icon: mdi-bullseye id: ioc name: IOC artifactStates: - color: info icon: mdi-help-circle-outline id: unknown name: Unknown - color: error icon: mdi-skull id: malicious name: Malicious - color: success icon: mdi-check id: clean name: Clean roles: - admin:backup:read - admin:backup:restore - admin:dashboard:write - admin:group:write - admin:job:read - admin:job:write - admin:log:read - admin:settings:write - admin:ticket:delete - admin:user:write - admin:userdata:read - admin:userdata:write - analyst:automation:read - analyst:currentsettings:write - analyst:currentuser:read - analyst:currentuserdata:read - analyst:dashboard:read - analyst:file - analyst:group:read - analyst:playbook:read - analyst:rule:read - analyst:settings:read - 
analyst:template:read - analyst:ticket:read - analyst:ticket:write - analyst:tickettype:read - analyst:user:read - engineer:automation:write - engineer:playbook:write - engineer:rule:write - engineer:template:write - engineer:tickettype:write ticketTypes: - default_playbooks: [] default_template: default icon: mdi-alert id: alert name: Alerts - default_playbooks: [] default_template: default icon: mdi-radioactive id: incident name: Incidents - default_playbooks: [] default_template: default icon: mdi-fingerprint id: investigation name: Forensic Investigations - default_playbooks: [] default_template: default icon: mdi-target id: hunt name: Threat Hunting tier: community timeformat: yyyy-MM-dd hh:mm:ss version: 0.0.0-test schema: $ref: '#/definitions/SettingsResponse' security: - roles: - settings:write summary: Save settings tags: - settings /statistics: get: operationId: getStatistics responses: "200": description: successful operation examples: test: open_tickets_per_user: {} tickets_per_type: alert: 2 incident: 1 tickets_per_week: 2021-39: 3 unassigned: 0 schema: $ref: '#/definitions/Statistics' security: - roles: - ticket:read summary: Get statistics tags: - statistics /tasks: get: operationId: listTasks responses: "200": description: successful operation examples: test: [] schema: items: $ref: '#/definitions/TaskWithContext' type: array security: - roles: - ticket:read summary: List tasks tags: - tasks /templates: get: operationId: listTemplates responses: "200": description: successful operation examples: test: - id: default name: Default schema: | { "definitions": {}, "$schema": "http://json-schema.org/draft-07/schema#", "$id": "https://example.com/object1618746510.json", "title": "Default", "type": "object", "required": [ "severity", "description", "tlp" ], "properties": { "severity": { "$id": "#root/severity", "title": "Severity", "type": "string", "default": "Medium", "x-cols": 6, "x-class": "pr-2", "x-display": "icon", "x-itemIcon": "icon", "oneOf": [ { 
"const": "Low", "title": "Low", "icon": "mdi-chevron-up" }, { "const": "Medium", "title": "Medium", "icon": "mdi-chevron-double-up" }, { "const": "High", "title": "High", "icon": "mdi-chevron-triple-up" } ] }, "tlp": { "$id": "#root/tlp", "title": "TLP", "type": "string", "x-cols": 6, "x-class": "pr-2", "x-display": "icon", "x-itemIcon": "icon", "oneOf": [ { "const": "White", "title": "White", "icon": "mdi-alpha-w" }, { "const": "Green", "title": "Green", "icon": "mdi-alpha-g" }, { "const": "Amber", "title": "Amber", "icon": "mdi-alpha-a" }, { "const": "Red", "title": "Red", "icon": "mdi-alpha-r" } ] }, "description": { "$id": "#root/description", "title": "Description", "type": "string", "x-display": "textarea", "x-class": "pr-2" } } } schema: items: $ref: '#/definitions/TicketTemplateResponse' type: array security: - roles: - template:read summary: List templates tags: - templates post: operationId: createTemplate parameters: - description: New template in: body name: template required: true schema: $ref: '#/definitions/TicketTemplateForm' x-example: name: My Template schema: | { "definitions": {}, "$schema": "http://json-schema.org/draft-07/schema#", "$id": "https://example.com/object1618746510.json", "title": "Event", "type": "object", "required": [ "severity", "description", "tlp" ], "properties": { "severity": { "$id": "#root/severity", "title": "Severity", "type": "string", "default": "Medium", "nx-enum": [ "Low", "Medium", "High" ], "x-cols": 6, "x-class": "pr-2", "x-display": "icon", "x-itemIcon": "icon", "oneOf": [ { "const": "Low", "title": "Low", "icon": "mdi-chevron-up" }, { "const": "Medium", "title": "Medium", "icon": "mdi-chevron-double-up" }, { "const": "High", "title": "High", "icon": "mdi-chevron-triple-up" } ] }, "tlp": { "$id": "#root/tlp", "title": "TLP", "type": "string", "nx-enum": [ "White", "Green", "Amber", "Red" ], "x-cols": 6, "x-class": "pr-2", "x-display": "icon", "x-itemIcon": "icon", "oneOf": [ { "const": "White", "title": "White", 
"icon": "mdi-alpha-w" }, { "const": "Green", "title": "Green", "icon": "mdi-alpha-g" }, { "const": "Amber", "title": "Amber", "icon": "mdi-alpha-a" }, { "const": "Red", "title": "Red", "icon": "mdi-alpha-r" } ] }, "description": { "$id": "#root/description", "title": "Description", "type": "string", "x-display": "textarea", "x-class": "pr-2" } } } responses: "200": description: successful operation examples: test: id: my-template name: My Template schema: | { "definitions": {}, "$schema": "http://json-schema.org/draft-07/schema#", "$id": "https://example.com/object1618746510.json", "title": "Event", "type": "object", "required": [ "severity", "description", "tlp" ], "properties": { "severity": { "$id": "#root/severity", "title": "Severity", "type": "string", "default": "Medium", "nx-enum": [ "Low", "Medium", "High" ], "x-cols": 6, "x-class": "pr-2", "x-display": "icon", "x-itemIcon": "icon", "oneOf": [ { "const": "Low", "title": "Low", "icon": "mdi-chevron-up" }, { "const": "Medium", "title": "Medium", "icon": "mdi-chevron-double-up" }, { "const": "High", "title": "High", "icon": "mdi-chevron-triple-up" } ] }, "tlp": { "$id": "#root/tlp", "title": "TLP", "type": "string", "nx-enum": [ "White", "Green", "Amber", "Red" ], "x-cols": 6, "x-class": "pr-2", "x-display": "icon", "x-itemIcon": "icon", "oneOf": [ { "const": "White", "title": "White", "icon": "mdi-alpha-w" }, { "const": "Green", "title": "Green", "icon": "mdi-alpha-g" }, { "const": "Amber", "title": "Amber", "icon": "mdi-alpha-a" }, { "const": "Red", "title": "Red", "icon": "mdi-alpha-r" } ] }, "description": { "$id": "#root/description", "title": "Description", "type": "string", "x-display": "textarea", "x-class": "pr-2" } } } schema: $ref: '#/definitions/TicketTemplateResponse' security: - roles: - template:write summary: Create a new template tags: - templates /templates/{id}: delete: operationId: deleteTemplate parameters: - description: Template ID in: path name: id required: true type: string 
x-example: default responses: "204": description: successful operation security: - roles: - template:write summary: Delete a template tags: - templates get: operationId: getTemplate parameters: - description: Template ID in: path name: id required: true type: string x-example: default responses: "200": description: successful operation examples: test: id: default name: Default schema: | { "definitions": {}, "$schema": "http://json-schema.org/draft-07/schema#", "$id": "https://example.com/object1618746510.json", "title": "Default", "type": "object", "required": [ "severity", "description", "tlp" ], "properties": { "severity": { "$id": "#root/severity", "title": "Severity", "type": "string", "default": "Medium", "x-cols": 6, "x-class": "pr-2", "x-display": "icon", "x-itemIcon": "icon", "oneOf": [ { "const": "Low", "title": "Low", "icon": "mdi-chevron-up" }, { "const": "Medium", "title": "Medium", "icon": "mdi-chevron-double-up" }, { "const": "High", "title": "High", "icon": "mdi-chevron-triple-up" } ] }, "tlp": { "$id": "#root/tlp", "title": "TLP", "type": "string", "x-cols": 6, "x-class": "pr-2", "x-display": "icon", "x-itemIcon": "icon", "oneOf": [ { "const": "White", "title": "White", "icon": "mdi-alpha-w" }, { "const": "Green", "title": "Green", "icon": "mdi-alpha-g" }, { "const": "Amber", "title": "Amber", "icon": "mdi-alpha-a" }, { "const": "Red", "title": "Red", "icon": "mdi-alpha-r" } ] }, "description": { "$id": "#root/description", "title": "Description", "type": "string", "x-display": "textarea", "x-class": "pr-2" } } } schema: $ref: '#/definitions/TicketTemplateResponse' security: - roles: - template:read summary: Get a single template tags: - templates put: operationId: updateTemplate parameters: - description: Template ID in: path name: id required: true type: string x-example: default - description: Template object that needs to be added in: body name: template required: true schema: $ref: '#/definitions/TicketTemplateForm' x-example: name: My Template 
schema: | { "definitions": {}, "$schema": "http://json-schema.org/draft-07/schema#", "$id": "https://example.com/object1618746510.json", "title": "Event", "type": "object", "required": [ "severity", "description", "tlp" ], "properties": { "severity": { "$id": "#root/severity", "title": "Severity", "type": "string", "default": "Medium", "nx-enum": [ "Low", "Medium", "High" ], "x-cols": 6, "x-class": "pr-2", "x-display": "icon", "x-itemIcon": "icon", "oneOf": [ { "const": "Low", "title": "Low", "icon": "mdi-chevron-up" }, { "const": "Medium", "title": "Medium", "icon": "mdi-chevron-double-up" }, { "const": "High", "title": "High", "icon": "mdi-chevron-triple-up" } ] }, "tlp": { "$id": "#root/tlp", "title": "TLP", "type": "string", "nx-enum": [ "White", "Green", "Amber", "Red" ], "x-cols": 6, "x-class": "pr-2", "x-display": "icon", "x-itemIcon": "icon", "oneOf": [ { "const": "White", "title": "White", "icon": "mdi-alpha-w" }, { "const": "Green", "title": "Green", "icon": "mdi-alpha-g" }, { "const": "Amber", "title": "Amber", "icon": "mdi-alpha-a" }, { "const": "Red", "title": "Red", "icon": "mdi-alpha-r" } ] }, "description": { "$id": "#root/description", "title": "Description", "type": "string", "x-display": "textarea", "x-class": "pr-2" } } } responses: "200": description: successful operation examples: test: id: default name: My Template schema: | { "definitions": {}, "$schema": "http://json-schema.org/draft-07/schema#", "$id": "https://example.com/object1618746510.json", "title": "Event", "type": "object", "required": [ "severity", "description", "tlp" ], "properties": { "severity": { "$id": "#root/severity", "title": "Severity", "type": "string", "default": "Medium", "nx-enum": [ "Low", "Medium", "High" ], "x-cols": 6, "x-class": "pr-2", "x-display": "icon", "x-itemIcon": "icon", "oneOf": [ { "const": "Low", "title": "Low", "icon": "mdi-chevron-up" }, { "const": "Medium", "title": "Medium", "icon": "mdi-chevron-double-up" }, { "const": "High", "title": "High", 
"icon": "mdi-chevron-triple-up" } ] }, "tlp": { "$id": "#root/tlp", "title": "TLP", "type": "string", "nx-enum": [ "White", "Green", "Amber", "Red" ], "x-cols": 6, "x-class": "pr-2", "x-display": "icon", "x-itemIcon": "icon", "oneOf": [ { "const": "White", "title": "White", "icon": "mdi-alpha-w" }, { "const": "Green", "title": "Green", "icon": "mdi-alpha-g" }, { "const": "Amber", "title": "Amber", "icon": "mdi-alpha-a" }, { "const": "Red", "title": "Red", "icon": "mdi-alpha-r" } ] }, "description": { "$id": "#root/description", "title": "Description", "type": "string", "x-display": "textarea", "x-class": "pr-2" } } } schema: $ref: '#/definitions/TicketTemplateResponse' security: - roles: - template:write summary: Update an existing template tags: - templates /tickets: get: operationId: listTickets parameters: - description: Ticket Type in: query name: type type: string - default: 0 description: Offset of the list in: query name: offset type: integer - default: 25 description: Number of tickets in: query maximum: 100 name: count type: integer - description: Sort columns in: query items: type: string name: sort type: array - description: Sort descending in: query items: type: boolean name: desc type: array - description: Search query in: query name: query type: string responses: "200": description: successful operation examples: test: count: 3 tickets: - artifacts: - name: 94d5cab6f5fe3422a447ab15436e7a672bc0c09a status: unknown - name: http://www.customerviral.io/scalable/vertical/killer status: clean - name: leadreintermediate.io status: malicious created: 2021-10-02T16:04:59.078206Z id: 8123 modified: 2021-10-02T16:04:59.078206Z name: live zebra owner: demo playbooks: phishing: name: Phishing tasks: block-iocs: created: 2021-12-12T12:12:12.000000012Z done: false name: Block IOCs type: task block-sender: created: 2021-12-12T12:12:12.000000012Z done: false name: Block sender next: extract-iocs: "" type: task board: created: 2021-12-12T12:12:12.000000012Z done: false 
name: Board Involvement? next: escalate: boardInvolved == true mail-available: boardInvolved == false schema: properties: boardInvolved: default: false title: A board member is involved. type: boolean required: - boardInvolved title: Board Involvement? type: object type: input escalate: created: 2021-12-12T12:12:12.000000012Z done: false name: Escalate to CISO type: task extract-iocs: created: 2021-12-12T12:12:12.000000012Z done: false name: Extract IOCs next: block-iocs: "" schema: properties: iocs: items: type: string title: IOCs type: array title: Extract IOCs type: object type: input mail-available: created: 2021-12-12T12:12:12.000000012Z done: false name: Mail available next: block-sender: schemaKey == 'yes' extract-iocs: schemaKey == 'yes' search-email-gateway: schemaKey == 'no' schema: oneOf: - properties: mail: title: Mail type: string x-display: textarea schemaKey: const: "yes" type: string required: - mail title: "Yes" - properties: schemaKey: const: "no" type: string title: "No" title: Mail available type: object type: input search-email-gateway: created: 2021-12-12T12:12:12.000000012Z done: false name: Search email gateway next: extract-iocs: "" type: task references: - href: https://www.leadmaximize.net/e-services/back-end name: performance - href: http://www.corporateinteractive.name/rich name: autumn - href: https://www.corporateintuitive.org/intuitive/platforms/integrate name: suggest schema: | { "definitions": {}, "$schema": "http://json-schema.org/draft-07/schema#", "$id": "https://example.com/object1618746510.json", "title": "Event", "type": "object", "required": [ "severity", "description", "tlp" ], "properties": { "severity": { "$id": "#root/severity", "title": "Severity", "type": "string", "default": "Medium", "nx-enum": [ "Low", "Medium", "High" ], "x-cols": 6, "x-class": "pr-2", "x-display": "icon", "x-itemIcon": "icon", "oneOf": [ { "const": "Low", "title": "Low", "icon": "mdi-chevron-up" }, { "const": "Medium", "title": "Medium", "icon": 
"mdi-chevron-double-up" }, { "const": "High", "title": "High", "icon": "mdi-chevron-triple-up" } ] }, "tlp": { "$id": "#root/tlp", "title": "TLP", "type": "string", "nx-enum": [ "White", "Green", "Amber", "Red" ], "x-cols": 6, "x-class": "pr-2", "x-display": "icon", "x-itemIcon": "icon", "oneOf": [ { "const": "White", "title": "White", "icon": "mdi-alpha-w" }, { "const": "Green", "title": "Green", "icon": "mdi-alpha-g" }, { "const": "Amber", "title": "Amber", "icon": "mdi-alpha-a" }, { "const": "Red", "title": "Red", "icon": "mdi-alpha-r" } ] }, "description": { "$id": "#root/description", "title": "Description", "type": "string", "x-display": "textarea", "x-class": "pr-2" } } } status: closed type: incident - created: 2021-10-02T16:04:59.078186Z id: 8125 modified: 2021-10-02T16:04:59.078186Z name: phishing from selenafadel@von.com detected owner: demo references: - href: https://www.seniorleading-edge.name/users/efficient name: recovery - href: http://www.dynamicseamless.com/clicks-and-mortar name: force - href: http://www.leadscalable.biz/envisioneer name: fund schema: '{}' status: closed type: alert - created: 2021-10-02T16:04:59.078186Z id: 8126 modified: 2021-10-02T16:04:59.078186Z name: Surfaceintroduce virus detected owner: demo references: - href: http://www.centralworld-class.io/synthesize name: university - href: https://www.futurevirtual.org/supply-chains/markets/sticky/iterate name: goal - href: http://www.chiefsyndicate.io/action-items name: unemployment schema: '{}' status: closed type: alert schema: $ref: '#/definitions/TicketList' security: - roles: - ticket:read summary: List tickets tags: - tickets post: operationId: createTicket parameters: - description: New ticket in: body name: ticket required: true schema: $ref: '#/definitions/TicketForm' x-example: id: 123 name: Wannacry infection owner: bob status: open type: incident responses: "200": description: successful operation examples: test: created: 2021-12-12T12:12:12.000000012Z id: 123 
modified: 2021-12-12T12:12:12.000000012Z name: Wannacry infection owner: bob schema: '{}' status: open type: incident schema: $ref: '#/definitions/TicketResponse' security: - roles: - ticket:write summary: Create a new ticket tags: - tickets /tickets/{id}: delete: operationId: deleteTicket parameters: - description: Ticket ID format: int64 in: path name: id required: true type: integer x-example: 8125 responses: "204": description: successful operation security: - roles: - ticket:delete summary: Delete an ticket tags: - tickets get: operationId: getTicket parameters: - description: Ticket ID format: int64 in: path name: id required: true type: integer x-example: 8125 responses: "200": description: successful operation examples: test: created: 2021-10-02T16:04:59.078186Z id: 8125 modified: 2021-10-02T16:04:59.078186Z name: phishing from selenafadel@von.com detected owner: demo references: - href: https://www.seniorleading-edge.name/users/efficient name: recovery - href: http://www.dynamicseamless.com/clicks-and-mortar name: force - href: http://www.leadscalable.biz/envisioneer name: fund schema: '{}' status: closed tickets: - created: 2021-10-02T16:04:59.078186Z id: 8126 modified: 2021-10-02T16:04:59.078186Z name: Surfaceintroduce virus detected owner: demo references: - href: http://www.centralworld-class.io/synthesize name: university - href: https://www.futurevirtual.org/supply-chains/markets/sticky/iterate name: goal - href: http://www.chiefsyndicate.io/action-items name: unemployment schema: '{}' status: closed type: alert type: alert schema: $ref: '#/definitions/TicketWithTickets' security: - roles: - ticket:read summary: Get a single ticket tags: - tickets put: operationId: updateTicket parameters: - description: Ticket ID format: int64 in: path name: id required: true type: integer x-example: 8125 - description: Updated ticket in: body name: ticket required: true schema: $ref: '#/definitions/Ticket' x-example: created: 2021-12-12T12:12:12.000000012Z 
modified: 2021-12-12T12:12:12.000000012Z name: phishing from selenafadel@von.org detected owner: demo references: - href: https://www.seniorleading-edge.name/users/efficient name: recovery - href: http://www.dynamicseamless.com/clicks-and-mortar name: force - href: http://www.leadscalable.biz/envisioneer name: fund schema: '{}' status: closed type: alert responses: "200": description: successful operation examples: test: created: 2021-12-12T12:12:12.000000012Z id: 8125 modified: 2021-12-12T12:12:12.000000012Z name: phishing from selenafadel@von.org detected owner: demo references: - href: https://www.seniorleading-edge.name/users/efficient name: recovery - href: http://www.dynamicseamless.com/clicks-and-mortar name: force - href: http://www.leadscalable.biz/envisioneer name: fund schema: '{}' status: closed tickets: - created: 2021-10-02T16:04:59.078186Z id: 8126 modified: 2021-10-02T16:04:59.078186Z name: Surfaceintroduce virus detected owner: demo references: - href: http://www.centralworld-class.io/synthesize name: university - href: https://www.futurevirtual.org/supply-chains/markets/sticky/iterate name: goal - href: http://www.chiefsyndicate.io/action-items name: unemployment schema: '{}' status: closed type: alert type: alert schema: $ref: '#/definitions/TicketWithTickets' security: - roles: - ticket:write summary: Update an existing ticket tags: - tickets /tickets/{id}/artifacts: post: operationId: addArtifact parameters: - description: Ticket ID format: int64 in: path name: id required: true type: integer x-example: 8123 - description: Artifact object that needs to be added in: body name: artifact required: true schema: $ref: '#/definitions/Artifact' x-example: name: 2.2.2.2 responses: "200": description: successful operation examples: test: artifacts: - name: 94d5cab6f5fe3422a447ab15436e7a672bc0c09a status: unknown - name: http://www.customerviral.io/scalable/vertical/killer status: clean - name: leadreintermediate.io status: malicious - name: 2.2.2.2 
status: unknown type: ip created: 2021-10-02T16:04:59.078206Z id: 8123 modified: 2021-12-12T12:12:12.000000012Z name: live zebra owner: demo playbooks: phishing: name: Phishing tasks: block-iocs: active: false created: 2021-12-12T12:12:12.000000012Z done: false name: Block IOCs order: 6 type: task block-sender: active: false created: 2021-12-12T12:12:12.000000012Z done: false name: Block sender next: extract-iocs: "" order: 3 type: task board: active: true created: 2021-12-12T12:12:12.000000012Z done: false name: Board Involvement? next: escalate: boardInvolved == true mail-available: boardInvolved == false order: 0 schema: properties: boardInvolved: default: false title: A board member is involved. type: boolean required: - boardInvolved title: Board Involvement? type: object type: input escalate: active: false created: 2021-12-12T12:12:12.000000012Z done: false name: Escalate to CISO order: 1 type: task extract-iocs: active: false created: 2021-12-12T12:12:12.000000012Z done: false name: Extract IOCs next: block-iocs: "" order: 5 schema: properties: iocs: items: type: string title: IOCs type: array title: Extract IOCs type: object type: input mail-available: active: false created: 2021-12-12T12:12:12.000000012Z done: false name: Mail available next: block-sender: schemaKey == 'yes' extract-iocs: schemaKey == 'yes' search-email-gateway: schemaKey == 'no' order: 2 schema: oneOf: - properties: mail: title: Mail type: string x-display: textarea schemaKey: const: "yes" type: string required: - mail title: "Yes" - properties: schemaKey: const: "no" type: string title: "No" title: Mail available type: object type: input search-email-gateway: active: false created: 2021-12-12T12:12:12.000000012Z done: false name: Search email gateway next: extract-iocs: "" order: 4 type: task references: - href: https://www.leadmaximize.net/e-services/back-end name: performance - href: http://www.corporateinteractive.name/rich name: autumn - href: 
https://www.corporateintuitive.org/intuitive/platforms/integrate name: suggest schema: | { "definitions": {}, "$schema": "http://json-schema.org/draft-07/schema#", "$id": "https://example.com/object1618746510.json", "title": "Event", "type": "object", "required": [ "severity", "description", "tlp" ], "properties": { "severity": { "$id": "#root/severity", "title": "Severity", "type": "string", "default": "Medium", "nx-enum": [ "Low", "Medium", "High" ], "x-cols": 6, "x-class": "pr-2", "x-display": "icon", "x-itemIcon": "icon", "oneOf": [ { "const": "Low", "title": "Low", "icon": "mdi-chevron-up" }, { "const": "Medium", "title": "Medium", "icon": "mdi-chevron-double-up" }, { "const": "High", "title": "High", "icon": "mdi-chevron-triple-up" } ] }, "tlp": { "$id": "#root/tlp", "title": "TLP", "type": "string", "nx-enum": [ "White", "Green", "Amber", "Red" ], "x-cols": 6, "x-class": "pr-2", "x-display": "icon", "x-itemIcon": "icon", "oneOf": [ { "const": "White", "title": "White", "icon": "mdi-alpha-w" }, { "const": "Green", "title": "Green", "icon": "mdi-alpha-g" }, { "const": "Amber", "title": "Amber", "icon": "mdi-alpha-a" }, { "const": "Red", "title": "Red", "icon": "mdi-alpha-r" } ] }, "description": { "$id": "#root/description", "title": "Description", "type": "string", "x-display": "textarea", "x-class": "pr-2" } } } status: closed type: incident schema: $ref: '#/definitions/TicketWithTickets' security: - roles: - ticket:write summary: Add a single artifact tags: - tickets /tickets/{id}/artifacts/{name}: delete: operationId: removeArtifact parameters: - description: Ticket ID format: int64 in: path name: id required: true type: integer x-example: 8123 - in: path name: name required: true type: string x-example: leadreintermediate.io responses: "200": description: successful operation examples: test: artifacts: - name: 94d5cab6f5fe3422a447ab15436e7a672bc0c09a status: unknown - name: http://www.customerviral.io/scalable/vertical/killer status: clean created: 
2021-10-02T16:04:59.078206Z id: 8123 modified: 2021-12-12T12:12:12.000000012Z name: live zebra owner: demo playbooks: phishing: name: Phishing tasks: block-iocs: active: false created: 2021-12-12T12:12:12.000000012Z done: false name: Block IOCs order: 6 type: task block-sender: active: false created: 2021-12-12T12:12:12.000000012Z done: false name: Block sender next: extract-iocs: "" order: 3 type: task board: active: true created: 2021-12-12T12:12:12.000000012Z done: false name: Board Involvement? next: escalate: boardInvolved == true mail-available: boardInvolved == false order: 0 schema: properties: boardInvolved: default: false title: A board member is involved. type: boolean required: - boardInvolved title: Board Involvement? type: object type: input escalate: active: false created: 2021-12-12T12:12:12.000000012Z done: false name: Escalate to CISO order: 1 type: task extract-iocs: active: false created: 2021-12-12T12:12:12.000000012Z done: false name: Extract IOCs next: block-iocs: "" order: 5 schema: properties: iocs: items: type: string title: IOCs type: array title: Extract IOCs type: object type: input mail-available: active: false created: 2021-12-12T12:12:12.000000012Z done: false name: Mail available next: block-sender: schemaKey == 'yes' extract-iocs: schemaKey == 'yes' search-email-gateway: schemaKey == 'no' order: 2 schema: oneOf: - properties: mail: title: Mail type: string x-display: textarea schemaKey: const: "yes" type: string required: - mail title: "Yes" - properties: schemaKey: const: "no" type: string title: "No" title: Mail available type: object type: input search-email-gateway: active: false created: 2021-12-12T12:12:12.000000012Z done: false name: Search email gateway next: extract-iocs: "" order: 4 type: task references: - href: https://www.leadmaximize.net/e-services/back-end name: performance - href: http://www.corporateinteractive.name/rich name: autumn - href: https://www.corporateintuitive.org/intuitive/platforms/integrate name: 
suggest schema: | { "definitions": {}, "$schema": "http://json-schema.org/draft-07/schema#", "$id": "https://example.com/object1618746510.json", "title": "Event", "type": "object", "required": [ "severity", "description", "tlp" ], "properties": { "severity": { "$id": "#root/severity", "title": "Severity", "type": "string", "default": "Medium", "nx-enum": [ "Low", "Medium", "High" ], "x-cols": 6, "x-class": "pr-2", "x-display": "icon", "x-itemIcon": "icon", "oneOf": [ { "const": "Low", "title": "Low", "icon": "mdi-chevron-up" }, { "const": "Medium", "title": "Medium", "icon": "mdi-chevron-double-up" }, { "const": "High", "title": "High", "icon": "mdi-chevron-triple-up" } ] }, "tlp": { "$id": "#root/tlp", "title": "TLP", "type": "string", "nx-enum": [ "White", "Green", "Amber", "Red" ], "x-cols": 6, "x-class": "pr-2", "x-display": "icon", "x-itemIcon": "icon", "oneOf": [ { "const": "White", "title": "White", "icon": "mdi-alpha-w" }, { "const": "Green", "title": "Green", "icon": "mdi-alpha-g" }, { "const": "Amber", "title": "Amber", "icon": "mdi-alpha-a" }, { "const": "Red", "title": "Red", "icon": "mdi-alpha-r" } ] }, "description": { "$id": "#root/description", "title": "Description", "type": "string", "x-display": "textarea", "x-class": "pr-2" } } } status: closed type: incident schema: $ref: '#/definitions/TicketWithTickets' security: - roles: - ticket:write summary: Remove an artifact tags: - tickets get: operationId: getArtifact parameters: - description: Ticket ID format: int64 in: path name: id required: true type: integer x-example: 8123 - in: path name: name required: true type: string x-example: leadreintermediate.io responses: "200": description: successful operation examples: test: name: leadreintermediate.io status: malicious schema: $ref: '#/definitions/Artifact' security: - roles: - ticket:write summary: Get a single artifact tags: - tickets put: operationId: setArtifact parameters: - description: Ticket ID format: int64 in: path name: id required: 
true type: integer x-example: 8123 - in: path name: name required: true type: string x-example: leadreintermediate.io - in: body name: artifact required: true schema: $ref: '#/definitions/Artifact' x-example: name: leadreintermediate.io status: clean responses: "200": description: successful operation examples: test: artifacts: - name: 94d5cab6f5fe3422a447ab15436e7a672bc0c09a status: unknown - name: http://www.customerviral.io/scalable/vertical/killer status: clean - name: leadreintermediate.io status: clean created: 2021-10-02T16:04:59.078206Z id: 8123 modified: 2021-10-02T16:04:59.078206Z name: live zebra owner: demo playbooks: phishing: name: Phishing tasks: block-iocs: active: false created: 2021-12-12T12:12:12.000000012Z done: false name: Block IOCs order: 6 type: task block-sender: active: false created: 2021-12-12T12:12:12.000000012Z done: false name: Block sender next: extract-iocs: "" order: 3 type: task board: active: true created: 2021-12-12T12:12:12.000000012Z done: false name: Board Involvement? next: escalate: boardInvolved == true mail-available: boardInvolved == false order: 0 schema: properties: boardInvolved: default: false title: A board member is involved. type: boolean required: - boardInvolved title: Board Involvement? 
type: object type: input escalate: active: false created: 2021-12-12T12:12:12.000000012Z done: false name: Escalate to CISO order: 1 type: task extract-iocs: active: false created: 2021-12-12T12:12:12.000000012Z done: false name: Extract IOCs next: block-iocs: "" order: 5 schema: properties: iocs: items: type: string title: IOCs type: array title: Extract IOCs type: object type: input mail-available: active: false created: 2021-12-12T12:12:12.000000012Z done: false name: Mail available next: block-sender: schemaKey == 'yes' extract-iocs: schemaKey == 'yes' search-email-gateway: schemaKey == 'no' order: 2 schema: oneOf: - properties: mail: title: Mail type: string x-display: textarea schemaKey: const: "yes" type: string required: - mail title: "Yes" - properties: schemaKey: const: "no" type: string title: "No" title: Mail available type: object type: input search-email-gateway: active: false created: 2021-12-12T12:12:12.000000012Z done: false name: Search email gateway next: extract-iocs: "" order: 4 type: task references: - href: https://www.leadmaximize.net/e-services/back-end name: performance - href: http://www.corporateinteractive.name/rich name: autumn - href: https://www.corporateintuitive.org/intuitive/platforms/integrate name: suggest schema: | { "definitions": {}, "$schema": "http://json-schema.org/draft-07/schema#", "$id": "https://example.com/object1618746510.json", "title": "Event", "type": "object", "required": [ "severity", "description", "tlp" ], "properties": { "severity": { "$id": "#root/severity", "title": "Severity", "type": "string", "default": "Medium", "nx-enum": [ "Low", "Medium", "High" ], "x-cols": 6, "x-class": "pr-2", "x-display": "icon", "x-itemIcon": "icon", "oneOf": [ { "const": "Low", "title": "Low", "icon": "mdi-chevron-up" }, { "const": "Medium", "title": "Medium", "icon": "mdi-chevron-double-up" }, { "const": "High", "title": "High", "icon": "mdi-chevron-triple-up" } ] }, "tlp": { "$id": "#root/tlp", "title": "TLP", "type": 
"string", "nx-enum": [ "White", "Green", "Amber", "Red" ], "x-cols": 6, "x-class": "pr-2", "x-display": "icon", "x-itemIcon": "icon", "oneOf": [ { "const": "White", "title": "White", "icon": "mdi-alpha-w" }, { "const": "Green", "title": "Green", "icon": "mdi-alpha-g" }, { "const": "Amber", "title": "Amber", "icon": "mdi-alpha-a" }, { "const": "Red", "title": "Red", "icon": "mdi-alpha-r" } ] }, "description": { "$id": "#root/description", "title": "Description", "type": "string", "x-display": "textarea", "x-class": "pr-2" } } } status: closed type: incident schema: $ref: '#/definitions/TicketWithTickets' security: - roles: - ticket:write summary: Set a single artifact tags: - tickets /tickets/{id}/artifacts/{name}/enrich: post: operationId: enrichArtifact parameters: - description: Ticket ID format: int64 in: path name: id required: true type: integer x-example: 8123 - in: path name: name required: true type: string x-example: leadreintermediate.io - in: body name: data required: true schema: $ref: '#/definitions/EnrichmentForm' x-example: data: hash: b7a067a742c20d07a7456646de89bc2d408a1153 name: hash.sha1 responses: "200": description: successful operation examples: test: artifacts: - name: 94d5cab6f5fe3422a447ab15436e7a672bc0c09a status: unknown - name: http://www.customerviral.io/scalable/vertical/killer status: clean - enrichments: hash.sha1: created: 2021-12-12T12:12:12.000000012Z data: hash: b7a067a742c20d07a7456646de89bc2d408a1153 name: hash.sha1 name: leadreintermediate.io status: malicious created: 2021-10-02T16:04:59.078206Z id: 8123 modified: 2021-10-02T16:04:59.078206Z name: live zebra owner: demo playbooks: phishing: name: Phishing tasks: block-iocs: active: false created: 2021-12-12T12:12:12.000000012Z done: false name: Block IOCs order: 6 type: task block-sender: active: false created: 2021-12-12T12:12:12.000000012Z done: false name: Block sender next: extract-iocs: "" order: 3 type: task board: active: true created: 2021-12-12T12:12:12.000000012Z 
done: false name: Board Involvement? next: escalate: boardInvolved == true mail-available: boardInvolved == false order: 0 schema: properties: boardInvolved: default: false title: A board member is involved. type: boolean required: - boardInvolved title: Board Involvement? type: object type: input escalate: active: false created: 2021-12-12T12:12:12.000000012Z done: false name: Escalate to CISO order: 1 type: task extract-iocs: active: false created: 2021-12-12T12:12:12.000000012Z done: false name: Extract IOCs next: block-iocs: "" order: 5 schema: properties: iocs: items: type: string title: IOCs type: array title: Extract IOCs type: object type: input mail-available: active: false created: 2021-12-12T12:12:12.000000012Z done: false name: Mail available next: block-sender: schemaKey == 'yes' extract-iocs: schemaKey == 'yes' search-email-gateway: schemaKey == 'no' order: 2 schema: oneOf: - properties: mail: title: Mail type: string x-display: textarea schemaKey: const: "yes" type: string required: - mail title: "Yes" - properties: schemaKey: const: "no" type: string title: "No" title: Mail available type: object type: input search-email-gateway: active: false created: 2021-12-12T12:12:12.000000012Z done: false name: Search email gateway next: extract-iocs: "" order: 4 type: task references: - href: https://www.leadmaximize.net/e-services/back-end name: performance - href: http://www.corporateinteractive.name/rich name: autumn - href: https://www.corporateintuitive.org/intuitive/platforms/integrate name: suggest schema: | { "definitions": {}, "$schema": "http://json-schema.org/draft-07/schema#", "$id": "https://example.com/object1618746510.json", "title": "Event", "type": "object", "required": [ "severity", "description", "tlp" ], "properties": { "severity": { "$id": "#root/severity", "title": "Severity", "type": "string", "default": "Medium", "nx-enum": [ "Low", "Medium", "High" ], "x-cols": 6, "x-class": "pr-2", "x-display": "icon", "x-itemIcon": "icon", "oneOf": 
[ { "const": "Low", "title": "Low", "icon": "mdi-chevron-up" }, { "const": "Medium", "title": "Medium", "icon": "mdi-chevron-double-up" }, { "const": "High", "title": "High", "icon": "mdi-chevron-triple-up" } ] }, "tlp": { "$id": "#root/tlp", "title": "TLP", "type": "string", "nx-enum": [ "White", "Green", "Amber", "Red" ], "x-cols": 6, "x-class": "pr-2", "x-display": "icon", "x-itemIcon": "icon", "oneOf": [ { "const": "White", "title": "White", "icon": "mdi-alpha-w" }, { "const": "Green", "title": "Green", "icon": "mdi-alpha-g" }, { "const": "Amber", "title": "Amber", "icon": "mdi-alpha-a" }, { "const": "Red", "title": "Red", "icon": "mdi-alpha-r" } ] }, "description": { "$id": "#root/description", "title": "Description", "type": "string", "x-display": "textarea", "x-class": "pr-2" } } } status: closed type: incident schema: $ref: '#/definitions/TicketWithTickets' security: - roles: - ticket:write summary: Enrich a single artifact tags: - tickets /tickets/{id}/artifacts/{name}/run/{automation}: post: operationId: runArtifact parameters: - description: Ticket ID format: int64 in: path name: id required: true type: integer x-example: 8123 - in: path name: name required: true type: string x-example: leadreintermediate.io - in: path name: automation required: true type: string x-example: hash.sha1 responses: "204": description: successful operation security: - roles: - ticket:write summary: Run automation on a single artifact tags: - tickets /tickets/{id}/comments: post: operationId: addComment parameters: - description: Ticket ID format: int64 in: path name: id required: true type: integer x-example: 8125 - description: Ticket comment in: body name: comment required: true schema: $ref: '#/definitions/CommentForm' x-example: message: My first comment responses: "200": description: successful operation examples: test: comments: - created: 2021-12-12T12:12:12.000000012Z creator: bob message: My first comment created: 2021-10-02T16:04:59.078186Z id: 8125 modified: 
2021-12-12T12:12:12.000000012Z name: phishing from selenafadel@von.com detected owner: demo references: - href: https://www.seniorleading-edge.name/users/efficient name: recovery - href: http://www.dynamicseamless.com/clicks-and-mortar name: force - href: http://www.leadscalable.biz/envisioneer name: fund schema: '{}' status: closed tickets: - created: 2021-10-02T16:04:59.078186Z id: 8126 modified: 2021-10-02T16:04:59.078186Z name: Surfaceintroduce virus detected owner: demo references: - href: http://www.centralworld-class.io/synthesize name: university - href: https://www.futurevirtual.org/supply-chains/markets/sticky/iterate name: goal - href: http://www.chiefsyndicate.io/action-items name: unemployment schema: '{}' status: closed type: alert type: alert schema: $ref: '#/definitions/TicketWithTickets' security: - roles: - ticket:write summary: Add ticket comment tags: - tickets /tickets/{id}/comments/{commentID}: delete: description: Comment will be removed from the ticket. operationId: removeComment parameters: - description: Ticket ID format: int64 in: path name: id required: true type: integer x-example: 8123 - description: Comment ID to remove in: path name: commentID required: true type: integer x-example: 0 responses: "200": description: successful operation examples: test: artifacts: - name: 94d5cab6f5fe3422a447ab15436e7a672bc0c09a status: unknown - name: http://www.customerviral.io/scalable/vertical/killer status: clean - name: leadreintermediate.io status: malicious created: 2021-10-02T16:04:59.078206Z id: 8123 modified: 2021-12-12T12:12:12.000000012Z name: live zebra owner: demo playbooks: phishing: name: Phishing tasks: block-iocs: active: false created: 2021-12-12T12:12:12.000000012Z done: false name: Block IOCs order: 6 type: task block-sender: active: false created: 2021-12-12T12:12:12.000000012Z done: false name: Block sender next: extract-iocs: "" order: 3 type: task board: active: true created: 2021-12-12T12:12:12.000000012Z done: false name: 
Board Involvement? next: escalate: boardInvolved == true mail-available: boardInvolved == false order: 0 schema: properties: boardInvolved: default: false title: A board member is involved. type: boolean required: - boardInvolved title: Board Involvement? type: object type: input escalate: active: false created: 2021-12-12T12:12:12.000000012Z done: false name: Escalate to CISO order: 1 type: task extract-iocs: active: false created: 2021-12-12T12:12:12.000000012Z done: false name: Extract IOCs next: block-iocs: "" order: 5 schema: properties: iocs: items: type: string title: IOCs type: array title: Extract IOCs type: object type: input mail-available: active: false created: 2021-12-12T12:12:12.000000012Z done: false name: Mail available next: block-sender: schemaKey == 'yes' extract-iocs: schemaKey == 'yes' search-email-gateway: schemaKey == 'no' order: 2 schema: oneOf: - properties: mail: title: Mail type: string x-display: textarea schemaKey: const: "yes" type: string required: - mail title: "Yes" - properties: schemaKey: const: "no" type: string title: "No" title: Mail available type: object type: input search-email-gateway: active: false created: 2021-12-12T12:12:12.000000012Z done: false name: Search email gateway next: extract-iocs: "" order: 4 type: task references: - href: https://www.leadmaximize.net/e-services/back-end name: performance - href: http://www.corporateinteractive.name/rich name: autumn - href: https://www.corporateintuitive.org/intuitive/platforms/integrate name: suggest schema: | { "definitions": {}, "$schema": "http://json-schema.org/draft-07/schema#", "$id": "https://example.com/object1618746510.json", "title": "Event", "type": "object", "required": [ "severity", "description", "tlp" ], "properties": { "severity": { "$id": "#root/severity", "title": "Severity", "type": "string", "default": "Medium", "nx-enum": [ "Low", "Medium", "High" ], "x-cols": 6, "x-class": "pr-2", "x-display": "icon", "x-itemIcon": "icon", "oneOf": [ { "const": 
"Low", "title": "Low", "icon": "mdi-chevron-up" }, { "const": "Medium", "title": "Medium", "icon": "mdi-chevron-double-up" }, { "const": "High", "title": "High", "icon": "mdi-chevron-triple-up" } ] }, "tlp": { "$id": "#root/tlp", "title": "TLP", "type": "string", "nx-enum": [ "White", "Green", "Amber", "Red" ], "x-cols": 6, "x-class": "pr-2", "x-display": "icon", "x-itemIcon": "icon", "oneOf": [ { "const": "White", "title": "White", "icon": "mdi-alpha-w" }, { "const": "Green", "title": "Green", "icon": "mdi-alpha-g" }, { "const": "Amber", "title": "Amber", "icon": "mdi-alpha-a" }, { "const": "Red", "title": "Red", "icon": "mdi-alpha-r" } ] }, "description": { "$id": "#root/description", "title": "Description", "type": "string", "x-display": "textarea", "x-class": "pr-2" } } } status: closed type: incident schema: $ref: '#/definitions/TicketWithTickets' security: - roles: - ticket:write summary: Remove an comment from an ticket tags: - tickets /tickets/{id}/playbooks: post: operationId: addTicketPlaybook parameters: - description: Ticket ID format: int64 in: path name: id required: true type: integer x-example: 8125 - description: Ticket playbook object that needs to be added in: body name: playbook required: true schema: $ref: '#/definitions/PlaybookTemplateForm' x-example: yaml: | name: Simple tasks: input: name: Upload malware if possible type: input schema: title: Malware type: object properties: malware: type: string title: Select malware default: "" next: hash: "malware != ''" hash: name: Hash the malware type: automation automation: hash.sha1 payload: default: "playbook.tasks['input'].data['malware']" next: escalate: escalate: name: Escalate to malware team type: task responses: "200": description: successful operation examples: test: created: 2021-10-02T16:04:59.078186Z id: 8125 modified: 2021-12-12T12:12:12.000000012Z name: phishing from selenafadel@von.com detected owner: demo playbooks: simple: name: Simple tasks: escalate: active: false created: 
2021-12-12T12:12:12.000000012Z done: false name: Escalate to malware team order: 2 type: task hash: active: false automation: hash.sha1 created: 2021-12-12T12:12:12.000000012Z done: false name: Hash the malware next: escalate: "" order: 1 payload: default: playbook.tasks['input'].data['malware'] type: automation input: active: true created: 2021-12-12T12:12:12.000000012Z done: false name: Upload malware if possible next: hash: malware != '' order: 0 schema: properties: malware: default: "" title: Select malware type: string title: Malware type: object type: input references: - href: https://www.seniorleading-edge.name/users/efficient name: recovery - href: http://www.dynamicseamless.com/clicks-and-mortar name: force - href: http://www.leadscalable.biz/envisioneer name: fund schema: '{}' status: closed tickets: - created: 2021-10-02T16:04:59.078186Z id: 8126 modified: 2021-10-02T16:04:59.078186Z name: Surfaceintroduce virus detected owner: demo references: - href: http://www.centralworld-class.io/synthesize name: university - href: https://www.futurevirtual.org/supply-chains/markets/sticky/iterate name: goal - href: http://www.chiefsyndicate.io/action-items name: unemployment schema: '{}' status: closed type: alert type: alert schema: $ref: '#/definitions/TicketWithTickets' security: - roles: - ticket:write summary: Add a new ticket playbook tags: - tickets /tickets/{id}/playbooks/{playbookID}: delete: operationId: removeTicketPlaybook parameters: - description: Ticket ID format: int64 in: path name: id required: true type: integer x-example: 8123 - description: Playbook ID in: path name: playbookID required: true type: string x-example: phishing responses: "200": description: successful operation examples: test: artifacts: - name: 94d5cab6f5fe3422a447ab15436e7a672bc0c09a status: unknown - name: http://www.customerviral.io/scalable/vertical/killer status: clean - name: leadreintermediate.io status: malicious created: 2021-10-02T16:04:59.078206Z id: 8123 modified: 
2021-12-12T12:12:12.000000012Z name: live zebra owner: demo references: - href: https://www.leadmaximize.net/e-services/back-end name: performance - href: http://www.corporateinteractive.name/rich name: autumn - href: https://www.corporateintuitive.org/intuitive/platforms/integrate name: suggest schema: | { "definitions": {}, "$schema": "http://json-schema.org/draft-07/schema#", "$id": "https://example.com/object1618746510.json", "title": "Event", "type": "object", "required": [ "severity", "description", "tlp" ], "properties": { "severity": { "$id": "#root/severity", "title": "Severity", "type": "string", "default": "Medium", "nx-enum": [ "Low", "Medium", "High" ], "x-cols": 6, "x-class": "pr-2", "x-display": "icon", "x-itemIcon": "icon", "oneOf": [ { "const": "Low", "title": "Low", "icon": "mdi-chevron-up" }, { "const": "Medium", "title": "Medium", "icon": "mdi-chevron-double-up" }, { "const": "High", "title": "High", "icon": "mdi-chevron-triple-up" } ] }, "tlp": { "$id": "#root/tlp", "title": "TLP", "type": "string", "nx-enum": [ "White", "Green", "Amber", "Red" ], "x-cols": 6, "x-class": "pr-2", "x-display": "icon", "x-itemIcon": "icon", "oneOf": [ { "const": "White", "title": "White", "icon": "mdi-alpha-w" }, { "const": "Green", "title": "Green", "icon": "mdi-alpha-g" }, { "const": "Amber", "title": "Amber", "icon": "mdi-alpha-a" }, { "const": "Red", "title": "Red", "icon": "mdi-alpha-r" } ] }, "description": { "$id": "#root/description", "title": "Description", "type": "string", "x-display": "textarea", "x-class": "pr-2" } } } status: closed type: incident schema: $ref: '#/definitions/TicketWithTickets' security: - roles: - ticket:write summary: Remove an ticket playbook tags: - tickets /tickets/{id}/playbooks/{playbookID}/task/{taskID}: put: operationId: setTaskData parameters: - description: Ticket ID format: int64 in: path name: id required: true type: integer x-example: 8123 - description: Playbook ID in: path name: playbookID required: true type: string 
x-example: phishing - description: Task ID in: path name: taskID required: true type: string x-example: board - description: Task data in: body name: data required: true schema: type: object x-example: boardInvolved: true responses: "200": description: successful operation examples: test: artifacts: - name: 94d5cab6f5fe3422a447ab15436e7a672bc0c09a status: unknown - name: http://www.customerviral.io/scalable/vertical/killer status: clean - name: leadreintermediate.io status: malicious created: 2021-10-02T16:04:59.078206Z id: 8123 modified: 2021-12-12T12:12:12.000000012Z name: live zebra owner: demo playbooks: phishing: name: Phishing tasks: block-iocs: active: false created: 2021-12-12T12:12:12.000000012Z done: false name: Block IOCs order: 6 type: task block-sender: active: false created: 2021-12-12T12:12:12.000000012Z done: false name: Block sender next: extract-iocs: "" order: 3 type: task board: active: true created: 2021-12-12T12:12:12.000000012Z data: boardInvolved: true done: false name: Board Involvement? next: escalate: boardInvolved == true mail-available: boardInvolved == false order: 0 schema: properties: boardInvolved: default: false title: A board member is involved. type: boolean required: - boardInvolved title: Board Involvement? 
type: object type: input escalate: active: false created: 2021-12-12T12:12:12.000000012Z done: false name: Escalate to CISO order: 1 type: task extract-iocs: active: false created: 2021-12-12T12:12:12.000000012Z done: false name: Extract IOCs next: block-iocs: "" order: 5 schema: properties: iocs: items: type: string title: IOCs type: array title: Extract IOCs type: object type: input mail-available: active: false created: 2021-12-12T12:12:12.000000012Z done: false name: Mail available next: block-sender: schemaKey == 'yes' extract-iocs: schemaKey == 'yes' search-email-gateway: schemaKey == 'no' order: 2 schema: oneOf: - properties: mail: title: Mail type: string x-display: textarea schemaKey: const: "yes" type: string required: - mail title: "Yes" - properties: schemaKey: const: "no" type: string title: "No" title: Mail available type: object type: input search-email-gateway: active: false created: 2021-12-12T12:12:12.000000012Z done: false name: Search email gateway next: extract-iocs: "" order: 4 type: task references: - href: https://www.leadmaximize.net/e-services/back-end name: performance - href: http://www.corporateinteractive.name/rich name: autumn - href: https://www.corporateintuitive.org/intuitive/platforms/integrate name: suggest schema: | { "definitions": {}, "$schema": "http://json-schema.org/draft-07/schema#", "$id": "https://example.com/object1618746510.json", "title": "Event", "type": "object", "required": [ "severity", "description", "tlp" ], "properties": { "severity": { "$id": "#root/severity", "title": "Severity", "type": "string", "default": "Medium", "nx-enum": [ "Low", "Medium", "High" ], "x-cols": 6, "x-class": "pr-2", "x-display": "icon", "x-itemIcon": "icon", "oneOf": [ { "const": "Low", "title": "Low", "icon": "mdi-chevron-up" }, { "const": "Medium", "title": "Medium", "icon": "mdi-chevron-double-up" }, { "const": "High", "title": "High", "icon": "mdi-chevron-triple-up" } ] }, "tlp": { "$id": "#root/tlp", "title": "TLP", "type": 
"string", "nx-enum": [ "White", "Green", "Amber", "Red" ], "x-cols": 6, "x-class": "pr-2", "x-display": "icon", "x-itemIcon": "icon", "oneOf": [ { "const": "White", "title": "White", "icon": "mdi-alpha-w" }, { "const": "Green", "title": "Green", "icon": "mdi-alpha-g" }, { "const": "Amber", "title": "Amber", "icon": "mdi-alpha-a" }, { "const": "Red", "title": "Red", "icon": "mdi-alpha-r" } ] }, "description": { "$id": "#root/description", "title": "Description", "type": "string", "x-display": "textarea", "x-class": "pr-2" } } } status: closed type: incident schema: $ref: '#/definitions/TicketWithTickets' security: - roles: - ticket:write summary: Set a ticket playbook task data tags: - tickets /tickets/{id}/playbooks/{playbookID}/task/{taskID}/complete: put: operationId: completeTask parameters: - description: Ticket ID format: int64 in: path name: id required: true type: integer x-example: 8123 - description: Playbook ID in: path name: playbookID required: true type: string x-example: phishing - description: Task ID in: path name: taskID required: true type: string x-example: board - description: Ticket playbook object that needs to be added in: body name: data required: true schema: type: object x-example: boardInvolved: true responses: "200": description: successful operation examples: test: artifacts: - name: 94d5cab6f5fe3422a447ab15436e7a672bc0c09a status: unknown - name: http://www.customerviral.io/scalable/vertical/killer status: clean - name: leadreintermediate.io status: malicious created: 2021-10-02T16:04:59.078206Z id: 8123 modified: 2021-12-12T12:12:12.000000012Z name: live zebra owner: demo playbooks: phishing: name: Phishing tasks: block-iocs: active: false created: 2021-12-12T12:12:12.000000012Z done: false name: Block IOCs order: 6 type: task block-sender: active: false created: 2021-12-12T12:12:12.000000012Z done: false name: Block sender next: extract-iocs: "" order: 3 type: task board: active: false closed: 2021-12-12T12:12:12.000000012Z created: 
2021-12-12T12:12:12.000000012Z data: boardInvolved: true done: true name: Board Involvement? next: escalate: boardInvolved == true mail-available: boardInvolved == false order: 0 schema: properties: boardInvolved: default: false title: A board member is involved. type: boolean required: - boardInvolved title: Board Involvement? type: object type: input escalate: active: true created: 2021-12-12T12:12:12.000000012Z done: false name: Escalate to CISO order: 1 type: task extract-iocs: active: false created: 2021-12-12T12:12:12.000000012Z done: false name: Extract IOCs next: block-iocs: "" order: 5 schema: properties: iocs: items: type: string title: IOCs type: array title: Extract IOCs type: object type: input mail-available: active: false created: 2021-12-12T12:12:12.000000012Z done: false name: Mail available next: block-sender: schemaKey == 'yes' extract-iocs: schemaKey == 'yes' search-email-gateway: schemaKey == 'no' order: 2 schema: oneOf: - properties: mail: title: Mail type: string x-display: textarea schemaKey: const: "yes" type: string required: - mail title: "Yes" - properties: schemaKey: const: "no" type: string title: "No" title: Mail available type: object type: input search-email-gateway: active: false created: 2021-12-12T12:12:12.000000012Z done: false name: Search email gateway next: extract-iocs: "" order: 4 type: task references: - href: https://www.leadmaximize.net/e-services/back-end name: performance - href: http://www.corporateinteractive.name/rich name: autumn - href: https://www.corporateintuitive.org/intuitive/platforms/integrate name: suggest schema: | { "definitions": {}, "$schema": "http://json-schema.org/draft-07/schema#", "$id": "https://example.com/object1618746510.json", "title": "Event", "type": "object", "required": [ "severity", "description", "tlp" ], "properties": { "severity": { "$id": "#root/severity", "title": "Severity", "type": "string", "default": "Medium", "nx-enum": [ "Low", "Medium", "High" ], "x-cols": 6, "x-class": 
"pr-2", "x-display": "icon", "x-itemIcon": "icon", "oneOf": [ { "const": "Low", "title": "Low", "icon": "mdi-chevron-up" }, { "const": "Medium", "title": "Medium", "icon": "mdi-chevron-double-up" }, { "const": "High", "title": "High", "icon": "mdi-chevron-triple-up" } ] }, "tlp": { "$id": "#root/tlp", "title": "TLP", "type": "string", "nx-enum": [ "White", "Green", "Amber", "Red" ], "x-cols": 6, "x-class": "pr-2", "x-display": "icon", "x-itemIcon": "icon", "oneOf": [ { "const": "White", "title": "White", "icon": "mdi-alpha-w" }, { "const": "Green", "title": "Green", "icon": "mdi-alpha-g" }, { "const": "Amber", "title": "Amber", "icon": "mdi-alpha-a" }, { "const": "Red", "title": "Red", "icon": "mdi-alpha-r" } ] }, "description": { "$id": "#root/description", "title": "Description", "type": "string", "x-display": "textarea", "x-class": "pr-2" } } } status: closed type: incident schema: $ref: '#/definitions/TicketWithTickets' security: - roles: - ticket:write summary: Complete ticket playbook task tags: - tickets /tickets/{id}/playbooks/{playbookID}/task/{taskID}/owner: put: operationId: setTaskOwner parameters: - description: Ticket ID format: int64 in: path name: id required: true type: integer x-example: 8123 - description: Playbook ID in: path name: playbookID required: true type: string x-example: phishing - description: Task ID in: path name: taskID required: true type: string x-example: board - description: Task owner in: body name: owner required: true schema: type: string x-example: eve responses: "200": description: successful operation examples: test: artifacts: - name: 94d5cab6f5fe3422a447ab15436e7a672bc0c09a status: unknown - name: http://www.customerviral.io/scalable/vertical/killer status: clean - name: leadreintermediate.io status: malicious created: 2021-10-02T16:04:59.078206Z id: 8123 modified: 2021-12-12T12:12:12.000000012Z name: live zebra owner: demo playbooks: phishing: name: Phishing tasks: block-iocs: active: false created: 
2021-12-12T12:12:12.000000012Z done: false name: Block IOCs order: 6 type: task block-sender: active: false created: 2021-12-12T12:12:12.000000012Z done: false name: Block sender next: extract-iocs: "" order: 3 type: task board: active: true created: 2021-12-12T12:12:12.000000012Z done: false name: Board Involvement? next: escalate: boardInvolved == true mail-available: boardInvolved == false order: 0 owner: eve schema: properties: boardInvolved: default: false title: A board member is involved. type: boolean required: - boardInvolved title: Board Involvement? type: object type: input escalate: active: false created: 2021-12-12T12:12:12.000000012Z done: false name: Escalate to CISO order: 1 type: task extract-iocs: active: false created: 2021-12-12T12:12:12.000000012Z done: false name: Extract IOCs next: block-iocs: "" order: 5 schema: properties: iocs: items: type: string title: IOCs type: array title: Extract IOCs type: object type: input mail-available: active: false created: 2021-12-12T12:12:12.000000012Z done: false name: Mail available next: block-sender: schemaKey == 'yes' extract-iocs: schemaKey == 'yes' search-email-gateway: schemaKey == 'no' order: 2 schema: oneOf: - properties: mail: title: Mail type: string x-display: textarea schemaKey: const: "yes" type: string required: - mail title: "Yes" - properties: schemaKey: const: "no" type: string title: "No" title: Mail available type: object type: input search-email-gateway: active: false created: 2021-12-12T12:12:12.000000012Z done: false name: Search email gateway next: extract-iocs: "" order: 4 type: task references: - href: https://www.leadmaximize.net/e-services/back-end name: performance - href: http://www.corporateinteractive.name/rich name: autumn - href: https://www.corporateintuitive.org/intuitive/platforms/integrate name: suggest schema: | { "definitions": {}, "$schema": "http://json-schema.org/draft-07/schema#", "$id": "https://example.com/object1618746510.json", "title": "Event", "type": 
"object", "required": [ "severity", "description", "tlp" ], "properties": { "severity": { "$id": "#root/severity", "title": "Severity", "type": "string", "default": "Medium", "nx-enum": [ "Low", "Medium", "High" ], "x-cols": 6, "x-class": "pr-2", "x-display": "icon", "x-itemIcon": "icon", "oneOf": [ { "const": "Low", "title": "Low", "icon": "mdi-chevron-up" }, { "const": "Medium", "title": "Medium", "icon": "mdi-chevron-double-up" }, { "const": "High", "title": "High", "icon": "mdi-chevron-triple-up" } ] }, "tlp": { "$id": "#root/tlp", "title": "TLP", "type": "string", "nx-enum": [ "White", "Green", "Amber", "Red" ], "x-cols": 6, "x-class": "pr-2", "x-display": "icon", "x-itemIcon": "icon", "oneOf": [ { "const": "White", "title": "White", "icon": "mdi-alpha-w" }, { "const": "Green", "title": "Green", "icon": "mdi-alpha-g" }, { "const": "Amber", "title": "Amber", "icon": "mdi-alpha-a" }, { "const": "Red", "title": "Red", "icon": "mdi-alpha-r" } ] }, "description": { "$id": "#root/description", "title": "Description", "type": "string", "x-display": "textarea", "x-class": "pr-2" } } } status: closed type: incident schema: $ref: '#/definitions/TicketWithTickets' security: - roles: - ticket:write summary: Set a ticket playbook task owner tags: - tickets /tickets/{id}/playbooks/{playbookID}/task/{taskID}/run: post: operationId: runTask parameters: - description: Ticket ID format: int64 in: path name: id required: true type: integer x-example: 8123 - description: Playbook ID in: path name: playbookID required: true type: string x-example: phishing - description: Task ID in: path name: taskID required: true type: string x-example: board responses: "204": description: successful operation security: - roles: - ticket:write summary: Run ticket playbook task tags: - tickets /tickets/{id}/references: put: operationId: setReferences parameters: - description: Ticket ID format: int64 in: path name: id required: true type: integer x-example: 8125 - description: All ticket 
references (replaces the existing reference list) in: body name: references required: true
href: https://www.futurevirtual.org/supply-chains/markets/sticky/iterate name: goal - href: http://www.chiefsyndicate.io/action-items name: unemployment schema: '{}' status: closed type: alert type: alert schema: $ref: '#/definitions/TicketWithTickets' security: - roles: - ticket:write summary: Set ticket schema tags: - tickets /tickets/{id}/tickets: delete: operationId: unlinkTicket parameters: - description: Ticket ID format: int64 in: path name: id required: true type: integer x-example: 8126 - description: Added ticket ID in: body name: linkedID required: true schema: format: int64 type: integer x-example: 8125 responses: "200": description: successful operation examples: test: created: 2021-10-02T16:04:59.078186Z id: 8126 modified: 2021-10-02T16:04:59.078186Z name: Surfaceintroduce virus detected owner: demo references: - href: http://www.centralworld-class.io/synthesize name: university - href: https://www.futurevirtual.org/supply-chains/markets/sticky/iterate name: goal - href: http://www.chiefsyndicate.io/action-items name: unemployment schema: '{}' status: closed type: alert schema: $ref: '#/definitions/TicketWithTickets' security: - roles: - ticket:write summary: Unlink a ticket from a ticket tags: - tickets patch: operationId: linkTicket parameters: - description: Ticket ID format: int64 in: path name: id required: true type: integer x-example: 8126 - description: Added ticket ID in: body name: linkedID required: true schema: format: int64 type: integer x-example: 8123 responses: "200": description: successful operation examples: test: created: 2021-10-02T16:04:59.078186Z id: 8126 modified: 2021-10-02T16:04:59.078186Z name: Surfaceintroduce virus detected owner: demo references: - href: http://www.centralworld-class.io/synthesize name: university - href: https://www.futurevirtual.org/supply-chains/markets/sticky/iterate name: goal - href: http://www.chiefsyndicate.io/action-items name: unemployment schema: '{}' status: closed tickets: - artifacts: - 
name: 94d5cab6f5fe3422a447ab15436e7a672bc0c09a status: unknown - name: http://www.customerviral.io/scalable/vertical/killer status: clean - name: leadreintermediate.io status: malicious created: 2021-10-02T16:04:59.078206Z id: 8123 modified: 2021-10-02T16:04:59.078206Z name: live zebra owner: demo playbooks: phishing: name: Phishing tasks: block-iocs: created: 2021-12-12T12:12:12.000000012Z done: false name: Block IOCs type: task block-sender: created: 2021-12-12T12:12:12.000000012Z done: false name: Block sender next: extract-iocs: "" type: task board: created: 2021-12-12T12:12:12.000000012Z done: false name: Board Involvement? next: escalate: boardInvolved == true mail-available: boardInvolved == false schema: properties: boardInvolved: default: false title: A board member is involved. type: boolean required: - boardInvolved title: Board Involvement? type: object type: input escalate: created: 2021-12-12T12:12:12.000000012Z done: false name: Escalate to CISO type: task extract-iocs: created: 2021-12-12T12:12:12.000000012Z done: false name: Extract IOCs next: block-iocs: "" schema: properties: iocs: items: type: string title: IOCs type: array title: Extract IOCs type: object type: input mail-available: created: 2021-12-12T12:12:12.000000012Z done: false name: Mail available next: block-sender: schemaKey == 'yes' extract-iocs: schemaKey == 'yes' search-email-gateway: schemaKey == 'no' schema: oneOf: - properties: mail: title: Mail type: string x-display: textarea schemaKey: const: "yes" type: string required: - mail title: "Yes" - properties: schemaKey: const: "no" type: string title: "No" title: Mail available type: object type: input search-email-gateway: created: 2021-12-12T12:12:12.000000012Z done: false name: Search email gateway next: extract-iocs: "" type: task references: - href: https://www.leadmaximize.net/e-services/back-end name: performance - href: http://www.corporateinteractive.name/rich name: autumn - href: 
https://www.corporateintuitive.org/intuitive/platforms/integrate name: suggest schema: | { "definitions": {}, "$schema": "http://json-schema.org/draft-07/schema#", "$id": "https://example.com/object1618746510.json", "title": "Event", "type": "object", "required": [ "severity", "description", "tlp" ], "properties": { "severity": { "$id": "#root/severity", "title": "Severity", "type": "string", "default": "Medium", "nx-enum": [ "Low", "Medium", "High" ], "x-cols": 6, "x-class": "pr-2", "x-display": "icon", "x-itemIcon": "icon", "oneOf": [ { "const": "Low", "title": "Low", "icon": "mdi-chevron-up" }, { "const": "Medium", "title": "Medium", "icon": "mdi-chevron-double-up" }, { "const": "High", "title": "High", "icon": "mdi-chevron-triple-up" } ] }, "tlp": { "$id": "#root/tlp", "title": "TLP", "type": "string", "nx-enum": [ "White", "Green", "Amber", "Red" ], "x-cols": 6, "x-class": "pr-2", "x-display": "icon", "x-itemIcon": "icon", "oneOf": [ { "const": "White", "title": "White", "icon": "mdi-alpha-w" }, { "const": "Green", "title": "Green", "icon": "mdi-alpha-g" }, { "const": "Amber", "title": "Amber", "icon": "mdi-alpha-a" }, { "const": "Red", "title": "Red", "icon": "mdi-alpha-r" } ] }, "description": { "$id": "#root/description", "title": "Description", "type": "string", "x-display": "textarea", "x-class": "pr-2" } } } status: closed type: incident - created: 2021-10-02T16:04:59.078186Z id: 8125 modified: 2021-10-02T16:04:59.078186Z name: phishing from selenafadel@von.com detected owner: demo references: - href: https://www.seniorleading-edge.name/users/efficient name: recovery - href: http://www.dynamicseamless.com/clicks-and-mortar name: force - href: http://www.leadscalable.biz/envisioneer name: fund schema: '{}' status: closed type: alert type: alert schema: $ref: '#/definitions/TicketWithTickets' security: - roles: - ticket:write summary: Link a ticket to a ticket tags: - tickets /tickets/batch: post: operationId: createTicketBatch parameters: - description: 
New ticket in: body name: ticket required: true schema: $ref: '#/definitions/TicketFormArray' x-example: - id: 123 name: Wannacry infection owner: bob status: open type: incident responses: "204": description: successful operation security: - roles: - ticket:write summary: Create new tickets in batch tags: - tickets /tickettypes: get: operationId: listTicketTypes responses: "200": description: successful operation examples: test: - default_playbooks: [] default_template: default icon: mdi-alert id: alert name: Alerts - default_playbooks: [] default_template: default icon: mdi-radioactive id: incident name: Incidents - default_playbooks: [] default_template: default icon: mdi-fingerprint id: investigation name: Forensic Investigations - default_playbooks: [] default_template: default icon: mdi-target id: hunt name: Threat Hunting schema: items: $ref: '#/definitions/TicketTypeResponse' type: array security: - roles: - tickettype:read summary: List tickettypes tags: - tickettypes post: operationId: createTicketType parameters: - description: New tickettype in: body name: tickettype required: true schema: $ref: '#/definitions/TicketTypeForm' x-example: default_playbooks: [] default_template: default icon: mdi-newspaper-variant-outline name: TI Tickets responses: "200": description: successful operation examples: test: default_playbooks: [] default_template: default icon: mdi-newspaper-variant-outline id: ti-tickets name: TI Tickets schema: $ref: '#/definitions/TicketTypeResponse' security: - roles: - tickettype:write summary: Create a new tickettype tags: - tickettypes /tickettypes/{id}: delete: operationId: deleteTicketType parameters: - description: TicketType ID in: path name: id required: true type: string x-example: alert responses: "204": description: successful operation security: - roles: - tickettype:write summary: Delete a tickettype tags: - tickettypes get: operationId: getTicketType parameters: - description: TicketType ID in: path name: id required: true 
type: string x-example: alert responses: "200": description: successful operation examples: test: default_playbooks: [] default_template: default icon: mdi-alert id: alert name: Alerts schema: $ref: '#/definitions/TicketTypeResponse' security: - roles: - tickettype:read summary: Get a single tickettype tags: - tickettypes put: operationId: updateTicketType parameters: - description: TicketType ID in: path name: id required: true type: string x-example: alert - description: TicketType object that needs to be added in: body name: tickettype required: true schema: $ref: '#/definitions/TicketTypeForm' x-example: default_playbooks: [] default_template: default icon: mdi-bell id: alert name: Alerts responses: "200": description: successful operation examples: test: default_playbooks: [] default_template: default icon: mdi-bell id: alert name: Alerts schema: $ref: '#/definitions/TicketTypeResponse' security: - roles: - tickettype:write summary: Update an existing tickettype tags: - tickettypes /userdata: get: operationId: listUserData responses: "200": description: successful operation examples: test: - email: bob@example.org id: bob name: Bob Bad schema: items: $ref: '#/definitions/UserDataResponse' type: array security: - roles: - userdata:read summary: List userdata tags: - userdata /userdata/{id}: get: operationId: getUserData parameters: - description: User Data ID in: path name: id required: true type: string x-example: bob responses: "200": description: successful operation examples: test: email: bob@example.org id: bob name: Bob Bad schema: $ref: '#/definitions/UserDataResponse' security: - roles: - userdata:read summary: Get a single user data tags: - userdata put: operationId: updateUserData parameters: - description: User Data ID in: path name: id required: true type: string x-example: bob - description: User data object that needs to be added in: body name: userdata required: true schema: $ref: '#/definitions/UserData' x-example: blocked: false email: 
bob@example.org name: Bob Bad responses: "200": description: successful operation examples: test: email: bob@example.org id: bob name: Bob Bad schema: $ref: '#/definitions/UserDataResponse' security: - roles: - userdata:write summary: Update an existing user data tags: - userdata /users: get: operationId: listUsers responses: "200": description: successful operation examples: test: - apikey: false blocked: false id: bob roles: - admin:backup:read - admin:backup:restore - admin:dashboard:write - admin:group:write - admin:job:read - admin:job:write - admin:log:read - admin:settings:write - admin:ticket:delete - admin:user:write - admin:userdata:read - admin:userdata:write - analyst:automation:read - analyst:currentsettings:write - analyst:currentuser:read - analyst:currentuserdata:read - analyst:dashboard:read - analyst:file - analyst:group:read - analyst:playbook:read - analyst:rule:read - analyst:settings:read - analyst:template:read - analyst:ticket:read - analyst:ticket:write - analyst:tickettype:read - analyst:user:read - engineer:automation:write - engineer:playbook:write - engineer:rule:write - engineer:template:write - engineer:tickettype:write - apikey: true blocked: false id: script roles: - analyst:automation:read - analyst:currentsettings:write - analyst:currentuser:read - analyst:currentuserdata:read - analyst:dashboard:read - analyst:file - analyst:group:read - analyst:playbook:read - analyst:rule:read - analyst:settings:read - analyst:template:read - analyst:ticket:read - analyst:ticket:write - analyst:tickettype:read - analyst:user:read - engineer:automation:write - engineer:playbook:write - engineer:rule:write - engineer:template:write - engineer:tickettype:write schema: items: $ref: '#/definitions/UserResponse' type: array security: - roles: - user:read summary: List users tags: - users post: operationId: createUser parameters: - description: user object that needs to be added in: body name: user required: true schema: $ref: '#/definitions/UserForm' 
x-example: apikey: true blocked: false id: syncscript roles: - analyst responses: "200": description: successful operation examples: test: blocked: false id: syncscript roles: - analyst:automation:read - analyst:currentsettings:write - analyst:currentuser:read - analyst:currentuserdata:read - analyst:dashboard:read - analyst:file - analyst:group:read - analyst:playbook:read - analyst:rule:read - analyst:settings:read - analyst:template:read - analyst:ticket:read - analyst:ticket:write - analyst:tickettype:read - analyst:user:read secret: v39bOuobnlEljfWzjAgoKzhmnh1xSMxH schema: $ref: '#/definitions/NewUserResponse' security: - roles: - user:write summary: Create user tags: - users /users/{id}: delete: operationId: deleteUser parameters: - description: user ID in: path name: id required: true type: string x-example: script responses: "204": description: successful operation security: - roles: - user:write summary: Delete user tags: - users get: operationId: getUser parameters: - description: user ID in: path name: id required: true type: string x-example: script responses: "200": description: successful operation examples: test: apikey: true blocked: false id: script roles: - analyst:automation:read - analyst:currentsettings:write - analyst:currentuser:read - analyst:currentuserdata:read - analyst:dashboard:read - analyst:file - analyst:group:read - analyst:playbook:read - analyst:rule:read - analyst:settings:read - analyst:template:read - analyst:ticket:read - analyst:ticket:write - analyst:tickettype:read - analyst:user:read - engineer:automation:write - engineer:playbook:write - engineer:rule:write - engineer:template:write - engineer:tickettype:write schema: $ref: '#/definitions/UserResponse' security: - roles: - user:read summary: Get a single user tags: - users put: operationId: updateUser parameters: - description: user ID in: path name: id required: true type: string x-example: bob - description: user object that needs to be added in: body name: user 
required: true schema: $ref: '#/definitions/UserForm' x-example: apikey: false blocked: false id: syncscript roles: - analyst - admin responses: "200": description: successful operation examples: test: apikey: false blocked: false id: bob roles: - admin:backup:read - admin:backup:restore - admin:dashboard:write - admin:group:write - admin:job:read - admin:job:write - admin:log:read - admin:settings:write - admin:ticket:delete - admin:user:write - admin:userdata:read - admin:userdata:write - analyst:automation:read - analyst:currentsettings:write - analyst:currentuser:read - analyst:currentuserdata:read - analyst:dashboard:read - analyst:file - analyst:group:read - analyst:playbook:read - analyst:rule:read - analyst:settings:read - analyst:template:read - analyst:ticket:read - analyst:ticket:write - analyst:tickettype:read - analyst:user:read - engineer:automation:write - engineer:playbook:write - engineer:rule:write - engineer:template:write - engineer:tickettype:write schema: $ref: '#/definitions/UserResponse' security: - roles: - user:write summary: Update user tags: - users produces: - application/json schemes: - http swagger: "2.0"