swagger: "2.0" info: { version: "", title: "" } paths: /playbooks: get: tags: [ "playbooks" ] summary: "List playbooks" operationId: "listPlaybooks" responses: "200": description: "successful operation" schema: { type: array, items: { $ref: "#/definitions/PlaybookTemplateResponse" } } examples: test: - id: malware name: Malware yaml: "name: Malware\ntasks:\n file-or-hash:\n name: Do you have the file or the hash?\n type: input\n schema:\n title: Malware\n type: object\n properties:\n file:\n type: string\n title: \"I have the\"\n enum: [ \"File\", \"Hash\" ]\n next:\n enter-hash: \"file == 'Hash'\"\n upload: \"file == 'File'\"\n\n enter-hash:\n name: Please enter the hash\n type: input\n schema:\n title: Malware\n type: object\n properties:\n hash:\n type: string\n title: Please enter the hash value\n minlength: 32\n next:\n virustotal: \"hash != ''\"\n\n upload:\n name: Upload the malware\n type: input\n schema:\n title: Malware\n type: object\n properties:\n malware:\n type: object\n x-display: file\n title: Please upload the malware\n next:\n hash: \"malware\"\n\n hash:\n name: Hash the malware\n type: automation\n automation: hash.sha1\n payload:\n default: \"playbook.tasks['upload'].data['malware']\"\n next:\n virustotal:\n\n virustotal:\n name: Send hash to VirusTotal\n type: automation\n automation: vt.hash\n args:\n hash: \"playbook.tasks['enter-hash'].data['hash'] || playbook.tasks['hash'].data['hash']\"\n # next:\n # known-malware: \"score > 5\"\n # sandbox: \"score < 6\" # unknown-malware\n" - id: phishing name: Phishing yaml: "name: Phishing\ntasks:\n board:\n name: Board Involvement?\n description: Is a board member involved?\n type: input\n schema:\n properties:\n boardInvolved:\n default: false\n title: A board member is involved.\n type: boolean\n required:\n - boardInvolved\n title: Board Involvement?\n type: object\n next:\n escalate: \"boardInvolved == true\"\n mail-available: \"boardInvolved == false\"\n\n escalate:\n name: Escalate to CISO\n description: Please escalate the task to the CISO\n type: task\n\n mail-available:\n name: Mail available\n type: input\n schema:\n oneOf:\n - properties:\n mail:\n title: Mail\n type: string\n x-display: textarea\n schemaKey:\n const: 'yes'\n type: string\n required:\n - mail\n title: 'Yes'\n - properties:\n schemaKey:\n const: 'no'\n type: string\n title: 'No'\n title: Mail available\n type: object\n next:\n block-sender: \"schemaKey == 'yes'\"\n extract-iocs: \"schemaKey == 'yes'\"\n search-email-gateway: \"schemaKey == 'no'\"\n\n search-email-gateway:\n name: Search email gateway\n description: Please search email-gateway for the phishing mail.\n type: task\n next:\n extract-iocs:\n\n block-sender:\n name: Block sender\n type: task\n next:\n extract-iocs:\n\n extract-iocs:\n name: Extract IOCs\n description: Please insert the IOCs\n type: input\n schema:\n properties:\n iocs:\n items:\n type: string\n title: IOCs\n type: array\n title: Extract IOCs\n type: object\n next:\n block-iocs:\n\n block-iocs:\n name: Block IOCs\n type: task\n" - id: simple name: Simple yaml: "name: Simple\ntasks:\n input:\n name: Enter something to hash\n type: input\n schema:\n title: Something\n type: object\n properties:\n something:\n type: string\n title: Something\n default: \"\"\n next:\n hash: \"something != ''\"\n\n hash:\n name: Hash the something\n type: automation\n automation: hash.sha1\n payload:\n default: \"playbook.tasks['input'].data['something']\"\n next:\n comment: \"hash != ''\"\n\n comment:\n name: Comment the hash\n type: automation\n automation: comment\n payload:\n default: \"playbook.tasks['hash'].data['hash']\"\n next:\n done: \"done\"\n\n done:\n name: You can close this case now\n type: task\n" security: [ { roles: [ "playbook:read" ] } ] post: tags: [ "playbooks" ] summary: "Create a playbook" operationId: "createPlaybook" parameters: - { name: "playbook", in: "body", description: "New playbook", required: true, schema: { $ref: "#/definitions/PlaybookTemplateForm" }, x-example: { yaml: "name: Simple2\ntasks:\n input:\n name: Upload malware if possible\n type: input\n schema:\n title: Malware\n type: object\n properties:\n malware:\n type: string\n title: Select malware\n default: \"\"\n next:\n hash: \"malware != ''\"\n\n hash:\n name: Hash the malware\n type: automation\n automation: hash.sha1\n payload:\n default: \"playbook.tasks['input'].data['malware']\"\n next:\n escalate:\n\n escalate:\n name: Escalate to malware team\n type: task\n" } } responses: "200": description: "successful operation" schema: { $ref: "#/definitions/PlaybookTemplateResponse" } examples: test: id: simple-2 name: Simple2 yaml: | name: Simple2 tasks: input: name: Upload malware if possible type: input schema: title: Malware type: object properties: malware: type: string title: Select malware default: "" next: hash: "malware != ''" hash: name: Hash the malware type: automation automation: hash.sha1 payload: default: "playbook.tasks['input'].data['malware']" next: escalate: escalate: name: Escalate to malware team type: task security: [ { roles: [ "playbook:write" ] } ] /playbooks/{id}: get: tags: [ "playbooks" ] summary: "Get a single playbook" operationId: "getPlaybook" parameters: - { name: "id", in: "path", description: "Playbook name", required: true, type: string, x-example: "simple" } responses: "200": description: "successful operation" schema: { $ref: "#/definitions/PlaybookTemplateResponse" } examples: test: id: simple name: Simple yaml: | name: Simple tasks: input: name: Enter something to hash type: input schema: title: Something type: object properties: something: type: string title: Something default: "" next: hash: "something != ''" hash: name: Hash the something type: automation automation: hash.sha1 payload: default: "playbook.tasks['input'].data['something']" next: comment: "hash != ''" comment: name: Comment the hash type: automation automation: comment payload: default: "playbook.tasks['hash'].data['hash']" next: done: "done" done: name: You can close this case now type: task security: [ { roles: [ "playbook:read" ] } ] put: tags: [ "playbooks" ] summary: "Update an existing ticket playbook" operationId: "updatePlaybook" parameters: - { name: "id", in: "path", description: "Playbook ID", required: true, type: string, x-example: "simple" } - { name: "playbook", in: "body", description: "Updated playbook", required: true, schema: { $ref: "#/definitions/PlaybookTemplateForm" }, x-example: { yaml: "name: Simple\ntasks:\n input:\n name: Upload malware if possible\n type: input\n schema:\n title: Malware\n type: object\n properties:\n malware:\n type: string\n title: Select malware\n default: \"\"\n next:\n hash: \"malware != ''\"\n\n hash:\n name: Hash the malware\n type: automation\n automation: hash.sha1\n payload:\n default: \"playbook.tasks['input'].data['malware']\"\n next:\n escalate:\n\n escalate:\n name: Escalate to malware team\n type: task\n" } } responses: "200": description: "successful operation" schema: { $ref: "#/definitions/PlaybookTemplateResponse" } examples: test: id: simple name: Simple yaml: | name: Simple tasks: input: name: Upload malware if possible type: input schema: title: Malware type: object properties: malware: type: string title: Select malware default: "" next: hash: "malware != ''" hash: name: Hash the malware type: automation automation: hash.sha1 payload: default: "playbook.tasks['input'].data['malware']" next: escalate: escalate: name: Escalate to malware team type: task security: [ { roles: [ "playbook:write" ] } ] delete: tags: [ "playbooks" ] summary: "Delete a playbook" operationId: "deletePlaybook" parameters: - { name: "id", in: "path", description: "Playbook name", required: true, type: string, x-example: "simple" } responses: "204": { description: "successful operation" } security: [ { roles: [ "playbook:write" ] } ] definitions: PlaybookTemplateForm: type: object required: [ yaml ] properties: id: { type: string } yaml: { type: string } PlaybookTemplate: type: object required: [ name, yaml ] properties: name: { type: string } yaml: { type: string } PlaybookTemplateResponse: type: object required: [ id, name, yaml ] properties: id: { type: string } name: { type: string } yaml: { type: string }