

type Attachment

type Attachment struct {
	// Name of the attachment (json "name").
	Name        string `json:"name"`
	// Type of the attachment (json "type"); the set of valid values is not defined in this file.
	Type        string `json:"type"`
	// Path of the attachment (json "path").
	// NOTE(review): presumably a server-side reference, not a local filesystem path — confirm before passing it to os/filepath functions.
	Path        string `json:"path"`
	// Description is free text (json "description").
	Description string `json:"description"`

Attachment ...

type Client

type Client struct {
	// contains filtered or unexported fields

Client implements a client for the Demisto server

func New

func New(username, password, server string) (*Client, error)

New returns a client holding the given username, password and server address; it does nothing until Login is called.

func (*Client) AddEntryToInvestigation

func (c *Client) AddEntryToInvestigation(investigationID string, entryData interface{}, format string) (*Entry, error)

AddEntryToInvestigation adds a formatted entry to the investigation

func (*Client) CreateIncident

func (c *Client) CreateIncident(inc *Incident, account string) (*Incident, error)

CreateIncident creates the given incident in Demisto and returns the created incident.

func (*Client) IncidentAddAttachment

func (c *Client) IncidentAddAttachment(inc *Incident, file io.Reader, name, comment string, account string) (*Incident, error)

IncidentAddAttachment adds an attachment to a given incident

func (*Client) Incidents

func (c *Client) Incidents(filter *IncidentFilter) (*IncidentSearchResponse, error)

Incidents searches for incidents matching the provided filter.

func (*Client) Investigate

func (c *Client) Investigate(incidentID string, incidentVersion int64) (*Investigation, error)

Investigate opens an investigation for the given incident and returns the ID and version of the investigation created.

func (*Client) Login

func (c *Client) Login() (*User, error)

Login logs in to the Demisto server and, on success, returns the User (the signature above returns *User and an error, not a status code).

func (*Client) Logout

func (c *Client) Logout() error

Logout from the Demisto server

type CustomFields

// CustomFields holds incident fields that are not modelled as typed struct fields;
// it is embedded in Incident with an empty json key. Values are arbitrary decoded
// JSON, so callers must type-assert before use.
type CustomFields map[string]interface{}

CustomFields ...

type Entry

type Entry struct {
	// ID of the entry (json "id")
	ID string `json:"id"`
	// Version of the entry (json "version")
	Version int64 `json:"version"`
	// Modified timestamp
	Modified time.Time `json:"modified"`
	// The type of entry - can be a combination (i.e. note + mention)
	Type int `json:"type"`
	// When it was taken
	Created time.Time `json:"created"`
	// The user who created the entry
	User string `json:"user"`
	// The contents of the entry. Decoded as arbitrary JSON, so callers must
	// type-assert before use and should not treat it as trusted markup when rendering.
	Contents interface{} `json:"contents"`
	// Holds information on how content is formatted (json "format")
	ContentsFormat string `json:"format"`
	// The id of the investigation this entry belongs to
	InvestigationID string `json:"investigationId"`
	// Filename of associated content
	File string `json:"file"`
	// ParentID the ID of the parent entry
	ParentID string `json:"parentId"`
	// Mark entry as pinned
	Pinned int `json:"pinned"`
	// PinnedID - the ID of the insight for the pinned entry
	PinnedID string `json:"pinnedID"`
	// FileMetadata holds the associated file's type, size and digests; nil when absent
	FileMetadata *FileMetadata `json:"fileMetadata"`
	// ParentEntry content - for reference; arbitrary decoded JSON like Contents
	ParentEntryContent interface{} `json:"parentContent"`
	// The name of the system associated with this entry
	SystemName string `json:"system"`
	// EntryReputations the reputations calculated by regex match
	EntryReputations []*EntryReputation `json:"reputations"`
	// Category of the entry (json "category")
	Category string `json:"category"`

Entry holds a single entry in an investigation. Entries entered at around the same time by the same user are combined.

type EntryReputation

type EntryReputation struct {
	// ReputationsData lists the reputation matches for the entry (json "reputationsData").
	ReputationsData []*ReputationData           `json:"reputationsData"`
	// Highlights uses the imported search package's FieldTermLocationMap (json "highlights");
	// its structure is defined there, not in this file.
	Highlights      search.FieldTermLocationMap `json:"highlights"`

EntryReputation holds the entry reputations and the highlights

type FileMetadata

type FileMetadata struct {
	// Type of the file (json "type").
	Type   string `json:"type"`
	// Size of the file (json "size"); presumably bytes — the unit is not stated here.
	Size   int64  `json:"size"`
	// MD5, SHA1, SHA256 and SHA512 are the file digests as reported by the server
	// (json "md5", "sha1", "sha256", "sha512"). Their encoding (hex is the usual
	// convention) is not visible here — confirm before comparing with other sources.
	// MD5 and SHA1 are not collision resistant; prefer SHA256/SHA512 when matching
	// files against indicators.
	MD5    string `json:"md5"`
	SHA1   string `json:"sha1"`
	SHA256 string `json:"sha256"`
	SHA512 string `json:"sha512"`
	// SSDeep fuzzy hash (json "ssdeep"): a similarity digest, not an exact-match identifier.
	SSDeep string `json:"ssdeep"`

FileMetadata ...

type Incident

type Incident struct {
	// ID of the incident
	ID string `json:"id"`
	// Version ...
	Version int64 `json:"version"`
	// Modified timestamp
	Modified time.Time `json:"modified"`
	// Type of the incident
	Type string `json:"type"`
	// Name of the incident
	Name string `json:"name"`
	// Status code of the incident; the value set is not defined in this file
	Status int `json:"status"`
	// Reason for the resolve
	Reason string `json:"reason"`
	// When was this created
	Created time.Time `json:"created"`
	// When this incident has really occurred
	Occurred time.Time `json:"occurred"`
	// When was this closed
	Closed time.Time `json:"closed"`
	// The severity of the incident (json key is "severity")
	Level int `json:"severity"`
	// Investigation that was opened as a result of the incoming event
	Investigation string `json:"investigationId"`
	// The targets involved
	Labels []Label `json:"labels"`
	// Attachments (note the json key is the singular "attachment")
	Attachments []Attachment `json:"attachment"`
	// The details of the incident - reason, etc.
	Details string `json:"details"`
	// Duration incident was open
	OpenDuration int64 `json:"openDuration"`
	// The user ID that closed this investigation
	ClosingUserID string `json:"closingUserId"`
	// The user that activated this investigation.
	// NOTE(review): the json key is spelled "activatingingUserId" on the wire; verify
	// against the server before correcting it, since changing the tag changes what is sent.
	ActivatingUserID string `json:"activatingingUserId,omitempty"`
	// The user who owns this incident
	OwnerID string `json:"owner"`
	// When was this activated.
	// NOTE: omitempty has no effect on a time.Time (a struct value), so an unset
	// Activated is still serialised as 0001-01-01T00:00:00Z.
	Activated time.Time `json:"activated,omitempty"`
	// The reason for archiving the incident
	ArchiveReason string `json:"archiveReason"`
	// The associated playbook for this incident
	PlaybookID string `json:"playbookId"`
	// When this incident is due. As with Activated, omitempty does not omit a zero time.Time.
	DueDate time.Time `json:"dueDate,omitempty"`
	// Should we automagically create the investigation
	CreateInvestigation bool `json:"createInvestigation"`
	// This field must have empty json key.
	// NOTE(review): encoding/json alone would not flatten an embedded map with this tag;
	// presumably a custom (un)marshaller not visible here handles it — confirm.
	CustomFields `json:""`

Incident details. An incident can be opened by us algorithmically or arrive from an external source such as a SIEM. If you add fields, make sure to add them to the mapping as well.

type IncidentFilter

type IncidentFilter struct {
	// Page and Size select the result window; the page base (0 or 1) is not stated here
	Page              int       `json:"page,omitempty"`
	Size              int       `json:"size,omitempty"`
	// Sort order, see Order
	Sort              []Order   `json:"sort,omitempty"`
	ID                []string  `json:"id,omitempty"`                // list of IDs to filter by
	Type              []string  `json:"type,omitempty"`              // list of incident types
	Name              []string  `json:"name,omitempty"`              // list of incident names
	Status            []int     `json:"status,omitempty"`            // list of statuses we are interested in
	NotStatus         []int     `json:"notStatus,omitempty"`         // list of statuses we are not interested in
	Reason            []string  `json:"reason,omitempty"`            // The reason for resolve
	// NOTE: omitempty has no effect on a time.Time (a struct value), so every unset
	// date below is still sent as 0001-01-01T00:00:00Z; check how the server treats that.
	FromDate          time.Time `json:"fromDate,omitempty"`          // filter from date
	ToDate            time.Time `json:"toDate,omitempty"`            // filter to date
	FromClosedDate    time.Time `json:"fromClosedDate,omitempty"`    // filter from closed date
	ToClosedDate      time.Time `json:"toClosedDate,omitempty"`      // filter to closed date
	FromActivatedDate time.Time `json:"fromActivatedDate,omitempty"` // filter from activated date
	ToActivatedDate   time.Time `json:"toActivatedDate,omitempty"`   // filter to activated date
	FromDueDate       time.Time `json:"fromDueDate,omitempty"`       // filter from due date
	ToDueDate         time.Time `json:"toDueDate,omitempty"`         // filter to due date
	Level             []int     `json:"level,omitempty"`             // filter based on severity
	Investigation     []string  `json:"investigation,omitempty"`     // list of investigations we would like to filter by
	Systems           []string  `json:"systems,omitempty"`           // list of systems affected
	Files             []string  `json:"files,omitempty"`             // list of files affected
	Urls              []string  `json:"urls,omitempty"`              // list of urls affected
	Users             []string  `json:"users,omitempty"`             // list of users affected
	Details           string    `json:"details,omitempty"`           // details for the query
	AndOp             bool      `json:"andOp,omitempty"`             // should all fields match or at least one
	Query             string    `json:"query,omitempty"`             // free query string; interpreted by the server
	TotalOnly         bool      `json:"totalOnly"`                   // should return only total with no body (never omitted)

IncidentFilter allows for very simple filtering.

type IncidentSearchResponse

type IncidentSearchResponse struct {
	// Total number of matching incidents (json "total"), which may exceed len(Data) when paging
	Total int64      `json:"total"`
	// Data holds the incidents of the returned page (json "data")
	Data  []Incident `json:"data"`

IncidentSearchResponse is the response from the search

type Investigation

type Investigation struct {
	// ID of the investigation (json "id")
	ID string `json:"id"`
	// Version of the investigation (json "version")
	Version int64 `json:"version"`
	// Modified timestamp
	Modified time.Time `json:"modified"`
	// The name of the investigation, which is unique to the project
	Name string `json:"name"`
	// The users who share this investigation
	Users []string `json:"users"`
	// The status of the investigation
	Status int `json:"status"`
	// The type of the investigation
	Type int `json:"type"`
	// The reason for the status (resolve)
	Reason map[string]string `json:"reason"`
	// When was this created
	Created time.Time `json:"created"`
	// When was this closed.
	// NOTE: omitempty has no effect on a time.Time (a struct value), so an unset
	// Closed is still serialised as 0001-01-01T00:00:00Z.
	Closed time.Time `json:"closed,omitempty"`
	// The user ID that closed this investigation
	ClosingUserID string `json:"closingUserId,omitempty"`
	// Duration from open to close time
	OpenDuration int64 `json:"openDuration,omitempty"`
	// The user ID that created this investigation
	CreatingUserID string `json:"creatingUserId,omitempty"`
	// User defined free text details
	Details string `json:"details"`
	// The systems involved
	Systems []System `json:"systems"`

Investigation contains the investigation of a particular incident.

type Label

type Label struct {
	// Value of the label (json "value")
	Value string `json:"value"`
	// Type of the label (json "type")
	Type  string `json:"type"`

Label ...

type Order

type Order struct {
	// Field to sort by (json "field")
	Field string `json:"field"`
	// Asc is true for ascending order (json "asc")
	Asc   bool   `json:"asc"`

Order struct holds a sort field and the direction of sorting

type ReputationData

type ReputationData struct {
	// Reputation score (json "reputation"); the scale is not defined in this file
	Reputation   int    `json:"reputation"`
	// ReputationID identifies the reputation definition that matched (json "reputationId")
	ReputationID string `json:"reputationId"`
	// Term is the matched text (json "term")
	Term         string `json:"term"`

ReputationData holds the reputation data (reputation, regex, highlights result)

type SearchIncidentsData

// SearchIncidentsData is a search request body: an IncidentFilter plus two flags.
// NOTE(review): which call sends it is not visible here; presumably Incidents — confirm.
type SearchIncidentsData struct {
	// Filter restricts the search (json "filter")
	Filter       IncidentFilter `json:"filter"`
	// FilterByUser limits results to the caller's incidents (json "userFilter") — presumably; confirm
	FilterByUser bool           `json:"userFilter"`
	// FetchInsight requests insights with the results (json "fetchInsights")
	FetchInsight bool           `json:"fetchInsights"`

type System

type System struct {
	// Name of the system (json "name")
	Name string `json:"name"`
	// Host name or address (json "host")
	Host string `json:"host"`
	// OS of the system (json "os")
	OS   string `json:"os"`
	// Arch of the system (json "arch"); omitted when empty
	Arch string `json:"arch,omitempty"`

System ...

type User

// User is the account record returned by Login for the authenticated session.
type User struct {
	ID             string                 `json:"id"`
	// Username is presumably the login name passed to New — confirm
	Username       string                 `json:"username"`
	Email          string                 `json:"email"`
	Phone          string                 `json:"phone"`
	Name           string                 `json:"name"`
	// Roles and Permissions are both map[string][]string; what the key groups is not
	// visible here — confirm before relying on them for access decisions.
	Roles          map[string][]string    `json:"roles"`
	// IsDefaultAdmin marks the built-in administrator account (json "defaultAdmin")
	IsDefaultAdmin bool                   `json:"defaultAdmin"`
	PlaygroundID   string                 `json:"playgroundId"`
	// Preferences is arbitrary decoded JSON; type-assert before use
	Preferences    map[string]interface{} `json:"preferences"`
	LastLogin      time.Time              `json:"lastLogin"`
	// Permissions is omitted from JSON when nil or empty
	Permissions    map[string][]string    `json:"permissions,omitempty"`
	Homepage       string                 `json:"homepage"`
	Notify         []string               `json:"notify"`
	// Image is omitted from JSON when empty
	Image          string                 `json:"image,omitempty"`

User - user data
