From db13fd32b3ab9fbee2a19bb9b263be6d9c3c799d Mon Sep 17 00:00:00 2001 From: Finlay Shepherd Date: Thu, 21 May 2020 14:38:47 +0100 Subject: [PATCH 1/2] Add IRIS docs --- almdrlib/apis/iris/iris.v3.yaml | 341 ++++++++++++++++++++++++++++++++ 1 file changed, 341 insertions(+) create mode 100644 almdrlib/apis/iris/iris.v3.yaml diff --git a/almdrlib/apis/iris/iris.v3.yaml b/almdrlib/apis/iris/iris.v3.yaml new file mode 100644 index 0000000..e262680 --- /dev/null +++ b/almdrlib/apis/iris/iris.v3.yaml @@ -0,0 +1,341 @@ +openapi: 3.0.2 +info: + title: IRIS service + version: '3.0' + description: Incident service + contact: + email: support@alertlogic.com + name: Alert Logic support +servers: + - url: 'https://api.cloudinsight.alertlogic.com' + description: production + x-alertlogic-session-endpoint: true + - url: 'https://api.product.dev.alertlogic.com' + description: integration + x-alertlogic-session-endpoint: true +paths: + '/iris/v3/{account_id}/{incident_id}': + get: + summary: Get incident + tags: + - Incident operations + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/Incident' + examples: {} + '401': + description: Unauthorized + '403': + description: Forbidden + '404': + description: Not Found + operationId: get_incident + description: Get incident + security: + - X-AIMS-Auth-Token: [] + x-code-samples: + - lang: Request Sample + source: | + curl -X GET "https://api.cloudinsight.alerlogic.com/iris/v3/12345678/e12345678" + parameters: + - schema: + type: string + name: account_id + in: path + required: true + description: AIMS Account ID + - schema: + type: string + name: incident_id + in: path + required: true + description: Incident ID + - schema: + type: string + name: return_value + in: query + description: Comma delimted list of dot-notation string names of desired properties in the result set. Use if you want a subset of attributes from the incident + '/iris/v3/{account_id}/friendly/{friendly_id}': + get: + summary: Get incident ID by friendly ID + tags: + - Incident operations + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/FriendlyResponse' + '401': + description: Unauthorized + '403': + description: Forbidden + '404': + description: Not Found + operationId: get_incident_id_by_friendly + description: Get incident ID by friendly ID + security: + - X-AIMS-Auth-Token: [] + x-code-samples: + - lang: Request Sample + source: | + curl -X GET "https://api.cloudinsight.alerlogic.com/iris/v3/12345678/friendly/k9abcd" + parameters: + - schema: + type: string + name: account_id + in: path + required: true + description: AIMS Account ID + - schema: + type: string + name: friendly_id + in: path + required: true + description: Human friendly ID + '/iris/v3/{account_id}/{incident_id}/elaborations/associated': + get: + summary: Get associated logs/events for incident + tags: + - Incident operations + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/AssociatedElaborations' + '401': + description: Unauthorized + '400': + description: Bad request + '404': + description: Not found + operationId: get_associated_elaborations + description: Get associated logs/events for incident + security: + - X-AIMS-Auth-Token: [] + x-code-samples: + - lang: Request Sample + source: | + curl -X GET "https://api.cloudinsight.alerlogic.com/iris/v3/12345678/e12345678/elaborations/associated" + parameters: + - schema: + type: string + name: account_id + in: path + required: true + description: AIMS Account ID + - schema: + type: string + name: incident_id + in: path + required: true + description: Incident ID + - schema: + type: string + name: returnSource + in: query + description: To filter by source type. Allowed values - log, event + - schema: + type: string + name: return_value + in: query + description: Comma delimted list of 'dot-notation' string names of desired properties in the result set. Use if you want only a subset of attributes from results + '/iris/v3/{account_id}/incidents_by_time': + 'get': + summary: Get incidents in a timespan for account + tags: + - Incident operations + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/IncidentsByTime' + '400': + description: Bad request + '401': + description: Not authorized + '403': + description: Forbidden + operationId: incidents_by_time + description: Get incidents in a timespan for an account + security: + - X-AIMS-Auth-Token: [] + x-code-samples: + - lang: Request Sample + source: | + curl -X GET "https://api.cloudinsight.alerlogic.com/iris/v3/12345678/incidents_by_time?start_time=1577836800&end_time=1577923200" + parameters: + - schema: + type: string + name: account_id + in: path + required: true + description: AIMS Account ID + - schema: + type: string + name: start_time + in: query + required: true + description: Time to begin span, either epoch timestamp or an ISO string + - schema: + type: string + name: end_time + in: query + required: true + description: Time to end span, either epoch timestamp or an ISO string + - schema: + type: string + name: return_value + in: query + description: Comma delimited list of dot-notation string names of desired properties in the result set. Use if you only want a subset of attributes from each incident +components: + schemas: + Incident: + title: Incident + type: object + description: IRIS incident + x-examples: + Incident Example: null + properties: + accountId: + type: string + description: AIMS Account Id + all_assets: + type: array + items: + type: object + assets: + type: object + properties: + __asset: + type: object + __source: + type: string + al__deployment: + type: string + createTime: + type: number + description: Incident creation time + createtime_str: + type: string + description: Incident creation time in ISO format + customer: + type: string + description: Customer name + customer_status: + type: object + properties: + status: + type: string + status_change_time: + type: string + desc: + type: string + humanFriendlyId: + type: string + incident: + type: object + properties: + description: + type: string + summary: + type: string + threatRating: + type: string + incidentId: + type: string + description: Incident ID + incident_attack_class: + type: string + incident_class: + type: string + incident_type: + type: string + snooze_status: + type: object + properties: + period_ms: + type: number + reason_code: + type: string + snoozed: + type: boolean + summary: + type: string + updateTime: + type: number + updatetime_str: + type: string + required: + - accountId + - incidentId + - incident + - humanFriendlyId + - desc + - customer_status + - createTime + - createtime_str + - updateTime + - updatetime_str + - customer + IncidentKey: + title: IncidentKey + type: object + description: Incident key object + properties: + incidentId: + type: string + humanFriendlyId: + type: string + accountId: + type: string + FriendlyResponse: + title: FriendlyResponse + type: array + items: + $ref: '#/components/schemas/IncidentKey' + description: FriendlyResponse list + x-examples: + FriendlyResponse Example: null + required: + - response + AssociatedElaborations: + title: AssociatedElaborations + type: object + description: AssociatedElaborations object + x-examples: + AssociatedElaborations Example: null + properties: + filter: + type: object + returnVals: + type: array + items: + type: object + description: Values returned by the query + stats: + type: object + IncidentsByTime: + title: IncidentsByTime + type: array + items: + $ref: '#/components/schemas/Incident' + description: IncidentsByTime list + securitySchemes: + X-AIMS-Auth-Token: + name: X-AIMS-Auth-Token + type: apiKey + in: header + description: AIMS Authentication Token +tags: + - name: Incident operations + description: IRIS incident operations From 36330d19521048f04b34408ef946fbd21afaa1c3 Mon Sep 17 00:00:00 2001 From: Finlay Shepherd Date: Thu, 21 May 2020 17:32:04 +0100 Subject: [PATCH 2/2] Improve IRIS example responses --- almdrlib/apis/iris/iris.v3.yaml | 171 +++++++++++++++++++++++++++++++- 1 file changed, 170 insertions(+), 1 deletion(-) diff --git a/almdrlib/apis/iris/iris.v3.yaml b/almdrlib/apis/iris/iris.v3.yaml index e262680..6c51ef7 100644 --- a/almdrlib/apis/iris/iris.v3.yaml +++ b/almdrlib/apis/iris/iris.v3.yaml @@ -26,7 +26,64 @@ paths: application/json: schema: $ref: '#/components/schemas/Incident' - examples: {} + examples: + Get Incident response example: + value: + accountId: number + all_assets: + - object + asset_deployment_type: string + asset_host_name: string + asset_native_account_id: string + assets: + __asset: object + __contentType: string + __messageId: string + __normalizedTime: string + __relatedOrAssociated: string + __source: string + __uuid: string + al__deployment: string + al__subnet: string + al__vpc: string + attacker: + ip: string + attacker_lset: + - object + createTime: number + createtimeStr: string + customer: string + customer_status: + status: string + status_change_time: string + defaultThreatRating: string + has_assets: boolean + humanFriendlyId: string + incident: + attackClassId: number + attackClassId_str: string + subType: string + summary: string + threatRating: string + type: string + incidentId: string + incident_attack_class: string + incident_escalated: string + incident_sub_type: string + iris_incident_version: number + iris_notifications: boolean + snooze_status: + period_ms: number + reason_code: string + snoozed: boolean + sources: + - string + updateTime: number + updatetime_str: string + victim: + ip: string + victim_lset: + - object '401': description: Unauthorized '403': @@ -71,6 +128,14 @@ paths: application/json: schema: $ref: '#/components/schemas/FriendlyResponse' + examples: + Friendly response example: + value: + - { + accountId: number, + humanFriendlyId: string, + incidentId: string + } '401': description: Unauthorized '403': @@ -110,6 +175,52 @@ paths: application/json: schema: $ref: '#/components/schemas/AssociatedElaborations' + examples: + Get asspcoated logs/events response example: + value: + filter: + eq: + property: string + value: string + returnVals: + - __appliance_name: string + __content_type: string + __datacenter: string + __hostUUID: string + __host_id: string + __host_name: string + __irisType: string + __messageId: string + __normalizedTime: string + __relatedOrAssociated: string + __source: string + __sourceName: string + __sourceType: string + __source_host_ip: string + __uuid: string + facility: string + header: string + host_name: string + id: object + ingest_id: string + ingest_ts: number + message: string + metadata: object + priority: number + source_id: string + time_recv: number + stats: + matchCounts: array + numItemsInDataSource: number + numberOfMatchingElaborations: number + queryExecutionTime: + Aggregation: string + Filter: string + Hydration: string + Match Counts: string + Results: string + TimeSlice: string + Total Query: string '401': description: Unauthorized '400': @@ -159,6 +270,64 @@ paths: application/json: schema: $ref: '#/components/schemas/IncidentsByTime' + examples: + Incidents by time response example: + value: + - accountId: number + all_assets: + - object + asset_deployment_type: string + asset_host_name: string + asset_native_account_id: string + assets: + __asset: object + __contentType: string + __messageId: string + __normalizedTime: string + __relatedOrAssociated: string + __source: string + __uuid: string + al__deployment: string + al__subnet: string + al__vpc: string + attacker: + ip: string + attacker_lset: + - object + createTime: number + createtimeStr: string + customer: string + customer_status: + status: string + status_change_time: string + defaultThreatRating: string + has_assets: boolean + humanFriendlyId: string + incident: + attackClassId: number + attackClassId_str: string + subType: string + summary: string + threatRating: string + type: string + incidentId: string + incident_attack_class: string + incident_escalated: string + incident_sub_type: string + iris_incident_version: number + iris_notifications: boolean + snooze_status: + period_ms: number + reason_code: string + snoozed: boolean + sources: + - string + updateTime: number + updatetime_str: string + victim: + ip: string + victim_lset: + - object '400': description: Bad request '401':