From 0d3881961c267c313f7007c3f05d24d976c0aa38 Mon Sep 17 00:00:00 2001 From: Iglocska Date: Thu, 28 Jul 2016 23:58:45 +0200 Subject: [PATCH] Added index filtering for events via the automation --- automation/README.md | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/automation/README.md b/automation/README.md index 6e9b3fe..37bdca5 100644 --- a/automation/README.md +++ b/automation/README.md @@ -652,6 +652,46 @@ sigOnly is an optional flag that will block all attributes from being exported t https:///attributes/returnAttributes/download/25/md5&&sha256&&!filename/true ~~~~ +## Filtering event metadata + +As described in the REST section, it is possible to retrieve a list of events along with their metadata by sending a GET request to the /events API. However, this API in particular is a bit more versatile. You can pass search parameters along to search among the events on various fields and retrieve a list of matching events (along with their metadata). Use the following URL: + +~~~~ +https:///events/index +~~~~ + +POST a JSON object with the desired lookup fields and values to receive a JSON back. +An example for a valid lookup: + +~~~~ +Authorization: +Accept: application/json +Content-type: application/json +~~~~ + +Body: + +~~~~json +{"searchinfo":"Locky", "searchpublished":1, "searchdistribution":!0} +~~~~ + + +The list of valid parameters: +
+
searchpublished:
/n
Filters on published or unpulished events [0,1] - negatable
+
searchinfo:
Filters on strings found in the event info - negatable
+
searchtag:
Filters on attached tag names - negatable
+
searcheventid:
Filters on specific event IDs - negatable
+
searchthreatlevel:
Filters on a given event threat level [1,2,3,4] - negatable
+
searchdistribution:
Filters on the distribution level [0,1,2,3] - negatable
+
searchanalysis:
Filters on the given analysis phase of the event [0,1,2,3] - negatable
+
searchattribute:
Filters on a contained attribute value - negatable
+
searchorg:
Filters on the creator organisation - negatable
+
searchemail:
Filters on the creator user's email address (admin only) - negatable
+
searchDatefrom:
Filters on the date, anything newer than the given date in YYYY-MM-DD format is taken - non-negatable
+
searchDateuntil:
Filters on the date, anything older than the given date in YYYY-MM-DD format is taken - non-negatable
+
+ ## Download attachment or malware sample If you know the attribute ID of a malware-sample or an attachment, you can download it with the following syntax: