Case

class dfir_iris_client.case.Case(session: ClientSession, case_id: int | None = None)

Handles the case methods

add_asset(name: str, asset_type: str | int, analysis_status: str | int, compromise_status: str | int | None = None, tags: List[str] | None = None, description: str | None = None, domain: str | None = None, ip: str | None = None, additional_info: str | None = None, ioc_links: List[int] | None = None, custom_attributes: dict | None = None, cid: int | None = None, **kwargs) ApiResponse

Adds an asset to the target case id.

If they are strings, asset_type and analysis_status are looked up before the addition request is issued. Both can be either a name or an ID. For performance, prefer an ID: it is used directly in the request without a prior lookup.

custom_attributes has no fixed structure at call time. This method cannot push a new attribute structure: the submitted dict must follow the structure defined by administrators in the UI, otherwise it is ignored.

Parameters:
  • name – Name of the asset to add

  • asset_type – Name or ID of the asset type

  • description – Description of the asset

  • compromise_status – Compromise status of the asset

  • domain – Domain of the asset

  • ip – IP of the asset

  • additional_info – Additional information

  • analysis_status – Status of the analysis

  • tags – List of tags

  • ioc_links – List of IOC to link to this asset

  • custom_attributes – Custom attributes of the asset

  • kwargs – Additional arguments to pass to the API

  • cid – int - Case ID

Returns:

APIResponse

add_asset_comment(asset_id: int, comment: str, cid: int | None = None) ApiResponse

Adds a comment to an asset.

Parameters:
  • asset_id – int - Asset ID

  • comment – str - Comment

  • cid – int - Case ID

Returns:

APIResponse object

add_case(case_name: str, case_description: str, case_customer: str | int, case_classification: str | int, soc_id: str, custom_attributes: dict | None = None, create_customer=False) ApiResponse

Creates a new case. If create_customer is set to True and the customer doesn't exist, it is created. Otherwise, an error is returned.

custom_attributes has no fixed structure at call time. This method cannot push a new attribute structure: the submitted dict must follow the structure defined by administrators in the UI, otherwise it is ignored.

Parameters:
  • case_name – case_name

  • case_classification – Classification of the case

  • case_description – Description of the case

  • case_customer – Name or ID of the customer

  • soc_id – SOC Number

  • custom_attributes – Custom attributes of the case

  • create_customer – Set to True to create the customer if it doesn't exist (default: False)

Returns:

ApiResponse object

add_ds_file(parent_id: int, file_stream: BinaryIO, filename: str, file_description: str, file_is_ioc: bool = False, file_is_evidence: bool = False, file_password: str | None = None, file_tags: list[str] | None = None, cid: int | None = None) ApiResponse

Adds a file to the Datastore.

Parameters:
  • file_stream – BinaryIO - File stream to upload

  • filename – str - File name

  • file_description – str - File description

  • file_is_ioc – bool - Is the file an IOC

  • file_is_evidence – bool - Is the file evidence

  • parent_id – int - ID of the parent folder in the Datastore

  • file_password – str - Password protecting the file, if any

  • file_tags – list[str] - File tags

  • cid – int - Case ID

Returns:

APIResponse object

add_ds_folder(parent_id: int, folder_name: str, cid: int | None = None) ApiResponse

Adds a folder to the Datastore.

Parameters:
  • parent_id – int - Parent ID

  • folder_name – str - Folder name

  • cid – int - Case ID

Returns:

APIResponse object

add_event(title: str, date_time: datetime, content: str | None = None, raw_content: str | None = None, source: str | None = None, linked_assets: list | None = None, linked_iocs: list | None = None, category: str | int | None = None, tags: list | None = None, color: str | None = None, display_in_graph: bool | None = None, display_in_summary: bool | None = None, custom_attributes: str | None = None, timezone_string: str | None = None, sync_ioc_with_assets: bool = False, cid: int | None = None) ApiResponse

Adds a new event to the timeline.

If it is a string, category is looked up before the addition request is issued. It can be either a name or an ID. For performance, prefer an ID: it is used directly in the request without a prior lookup.

custom_attributes has no fixed structure at call time. This method cannot push a new attribute structure: the submitted dict must follow the structure defined by administrators in the UI, otherwise it is ignored.

Parameters:
  • title – Title of the event

  • date_time – Datetime of the event, including timezone

  • content – Content of the event (displayed in timeline on GUI)

  • raw_content – Raw content of the event (displayed in detailed event on GUI)

  • source – Source of the event

  • linked_assets – List of assets to link with this event

  • linked_iocs – List of IOCs to link with this event

  • category – Category of the event (MITRE ATT&CK)

  • color – Left border of the event in the timeline

  • display_in_graph – Set to true to display in graph page - Default to true

  • display_in_summary – Set to true to display in Summary - Default to false

  • tags – A list of strings to add as tags

  • custom_attributes – Custom attributes of the event

  • timezone_string – Timezone offset in the format +HH:MM or -HH:MM. If None, +00:00 is used

  • sync_ioc_with_assets – Set to true to sync the IOC with the assets

  • cid – Case ID

Returns:

APIResponse object
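The date_time / timezone_string pair above is where timeline errors creep in: a datetime without an offset, or an offset string that disagrees with the datetime, silently shifts an event on a timeline that is supposed to be evidence. The following is an added example written for this page, not code from dfir_iris_client. It derives timezone_string from an aware datetime, refuses naive ones, and then calls add_event. It assumes a Case instance whose cid is already set and that ApiResponse exposes an is_success() method (not documented on this page); the datetimes in the test are constructed.

```python
"""Derive timezone_string from an aware datetime and add a timeline event.

Added example for this page; not code from dfir_iris_client. `case` is a
Case instance (see above) with its cid already set. Nothing here touches the
network at import time.
"""
from __future__ import annotations

from datetime import datetime
from typing import TYPE_CHECKING

if TYPE_CHECKING:  # type-check only, so the module imports without the client installed
    from dfir_iris_client.case import Case


def timezone_string_of(dt: datetime) -> str:
    """Return the '+HH:MM' / '-HH:MM' string add_event expects in timezone_string.

    A naive datetime carries no offset, so there is nothing to derive: the
    event would be sent without timezone_string and land at the documented
    +00:00 fallback, shifted by the collecting host's local offset. Refuse
    it instead of guessing.
    """
    offset = dt.utcoffset()
    if offset is None:
        raise ValueError(f"naive datetime {dt!r}: attach tzinfo before logging it")
    total = int(offset.total_seconds())
    sign = "-" if total < 0 else "+"
    hours, rem = divmod(abs(total), 3600)
    return f"{sign}{hours:02d}:{rem // 60:02d}"


def add_timeline_event(case: "Case", title: str, when: datetime,
                       content: str, source: str, **extra) -> bool:
    """Add one event whose date_time and timezone_string agree.

    Extra keywords (linked_assets, linked_iocs, category, tags, ...) are
    passed through to add_event unchanged. Returns True when the server
    accepted the event; is_success() is an ApiResponse method assumed here.
    """
    resp = case.add_event(
        title=title,
        date_time=when,
        content=content,
        source=source,
        timezone_string=timezone_string_of(when),
        **extra,
    )
    return resp.is_success()
```

Parse timestamps from sources (EVTX, syslog, cloud audit logs) into aware datetimes as early as possible and let this helper produce the offset string; hand-typing "+02:00" next to a datetime that was already converted to UTC is the usual way an event ends up two hours off.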

add_event_comment(event_id: int, comment: str, cid: int | None = None) ApiResponse

Adds a comment to an event.

Parameters:
  • event_id – int - Event ID

  • comment – str - Comment

  • cid – int - Case ID

Returns:

APIResponse object

add_evidence(filename: str, file_size: int, description: str | None = None, file_hash: str | None = None, custom_attributes: dict | None = None, cid: int | None = None) ApiResponse

Adds a new evidence to the target case.

custom_attributes has no fixed structure at call time. This method cannot push a new attribute structure: the submitted dict must follow the structure defined by administrators in the UI, otherwise it is ignored.

Parameters:
  • filename – name of the evidence

  • file_size – Size of the file

  • description – Description of the evidence

  • file_hash – hash of the evidence

  • custom_attributes – Custom attributes of the evidences

  • cid – Case ID

Returns:

APIResponse object
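add_evidence records whatever filename, file_size and file_hash it is given, so the values are only as trustworthy as the code that computed them. The following is an added example for this page, not code from dfir_iris_client: it hashes the file in chunks (so images larger than RAM work), registers it, and lets you re-verify the file later against what was registered. It assumes ApiResponse exposes is_success() and get_msg() (not documented on this page) and uses SHA-256 as a local convention; the page does not fix a hash algorithm.

```python
"""Compute size and hash for add_evidence and re-verify the file later.

Added example for this page; not code from dfir_iris_client. `case` is a
Case instance (see above) with its cid set. SHA-256 is a local choice: the
page only says file_hash is "hash of the evidence".
"""
from __future__ import annotations

import hashlib
import os
from typing import TYPE_CHECKING

if TYPE_CHECKING:  # type-check only; keeps the module importable offline
    from dfir_iris_client.case import Case

CHUNK = 1 << 20  # 1 MiB reads: disk and memory images do not fit in RAM


def evidence_metadata(path: str) -> dict:
    """Return the filename, file_size and file_hash keywords for add_evidence.

    Size is counted from the same stream that is hashed, so both values
    describe exactly the bytes that were read.
    """
    digest = hashlib.sha256()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
            size += len(chunk)
    return {
        "filename": os.path.basename(path),
        "file_size": size,
        "file_hash": digest.hexdigest(),
    }


def register_evidence(case: "Case", path: str, description: str = "") -> dict:
    """Register the file as evidence and return the metadata that was sent.

    Keep the returned dict with the case notes: it is what verify_evidence
    compares against. is_success()/get_msg() are ApiResponse methods assumed here.
    """
    meta = evidence_metadata(path)
    resp = case.add_evidence(
        filename=meta["filename"],
        file_size=meta["file_size"],
        file_hash=meta["file_hash"],
        description=f"{description} [sha256]".strip(),
    )
    if not resp.is_success():
        raise RuntimeError(f"add_evidence failed for {path}: {resp.get_msg()}")
    return meta


def verify_evidence(path: str, recorded: dict) -> bool:
    """Re-hash the file and report whether it still matches what was registered."""
    current = evidence_metadata(path)
    return (current["file_size"] == recorded["file_size"]
            and current["file_hash"] == recorded["file_hash"])
```

Compute the hash on the collection host before the file is copied anywhere, and register it then; hashing a copy that has already crossed a network share or a ticketing system proves only that the copy matches itself.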

add_evidence_comment(evidence_id: int, comment: str, cid: int | None = None) ApiResponse

Adds a comment to an evidence.

Parameters:
  • evidence_id – int - Evidence ID

  • comment – str - Comment

  • cid – int - Case ID

Returns:

APIResponse object

add_global_task(title: str, status: str | int, assignee: str | int, description: str | None = None, tags: list | None = None) ApiResponse

Adds a new task.

If they are strings, status and assignee are looked up before the addition request is issued. Both can be either a name or an ID. For performance, prefer an ID: it is used directly in the request without a prior lookup.

Parameters:
  • title – Title of the task

  • description – Description of the task

  • assignee – Assignee ID or username

  • tags – Tags of the task

  • status – Status name or ID; must be a valid status

Returns:

APIResponse object

add_ioc(value: str, ioc_type: str | int, description: str | None = None, ioc_tlp: str | int | None = None, ioc_tags: list | None = None, custom_attributes: dict | None = None, cid: int | None = None) ApiResponse

Adds an ioc to the target case id.

If they are strings, ioc_tlp and ioc_type are looked up before the addition request is issued. Both can be either a name or an ID. For performance, prefer an ID: it is used directly in the request without a prior lookup.

custom_attributes has no fixed structure at call time. This method cannot push a new attribute structure: the submitted dict must follow the structure defined by administrators in the UI, otherwise it is ignored.

Parameters:
  • value – Value of the IOC

  • ioc_type – Type of IOC, either name or type ID

  • description – Optional - Description of the IOC

  • ioc_tlp – TLP name or tlp ID. Default is orange

  • ioc_tags – List of tags to add

  • custom_attributes – Custom attributes of the ioc

  • cid – Case ID

Returns:

APIResponse
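add_ioc is one request per indicator and does not check whether the value is already in the case, so a feed import that is run twice produces duplicates. The following is an added example for this page, not code from dfir_iris_client: it parses a constructed CSV feed, skips indicators that list_iocs already returns, and adds the rest, reporting what happened. Assumptions not stated on this page: ApiResponse exposes is_success(), get_data() and get_msg(); the data of list_iocs() is a dict whose "ioc" entry is a list of dicts carrying "ioc_type" and "ioc_value"; the ClientSession constructor in the __main__ block takes apikey and host; the type and TLP names in the feed must exist on the server. The indicators themselves are made up.

```python
"""Idempotent bulk IOC import for one case.

Added example for this page; not code from dfir_iris_client. `case` is a
Case instance (see above) with set_cid() already called. Assumed, not on this
page: ApiResponse.is_success()/get_data()/get_msg(), and list_iocs() data
shaped as {"ioc": [{"ioc_type": ..., "ioc_value": ..., ...}, ...]}.
"""
from __future__ import annotations

import csv
import io
from typing import TYPE_CHECKING

if TYPE_CHECKING:  # type-check only; keeps the module importable offline
    from dfir_iris_client.case import Case

# Constructed sample feed (not real indicators): type,value,tlp,tags
SAMPLE_FEED = """\
type,value,tlp,tags
ip-dst,203.0.113.7,amber,c2
domain,example.invalid,amber,c2;phishing
sha256,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,green,
ip-dst,203.0.113.7,amber,duplicate-line
"""


def parse_feed(text: str) -> list[dict]:
    """Parse the CSV feed into add_ioc keyword dicts, dropping in-feed duplicates."""
    seen: set[tuple[str, str]] = set()
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["type"].strip(), row["value"].strip())
        if not key[1] or key in seen:
            continue
        seen.add(key)
        rows.append({
            "value": key[1],
            "ioc_type": key[0],
            "ioc_tlp": row["tlp"].strip() or None,   # None lets the server default apply
            "ioc_tags": [t for t in row["tags"].split(";") if t],
        })
    return rows


def existing_iocs(case: "Case") -> set[tuple[str, str]]:
    """(type, value) pairs already in the case, so reruns do not duplicate them."""
    resp = case.list_iocs()
    if not resp.is_success():
        raise RuntimeError(f"list_iocs failed: {resp.get_msg()}")
    # Shape of the data is an assumption (see module docstring).
    return {(i["ioc_type"], i["ioc_value"]) for i in resp.get_data().get("ioc", [])}


def import_iocs(case: "Case", feed_text: str) -> dict:
    """Add every IOC from the feed that the case does not already hold.

    Returns counts plus the (value, server message) pairs that failed, so a
    partial import is visible in the run log instead of silently skipped.
    """
    present = existing_iocs(case)
    added, skipped, failed = 0, 0, []
    for ioc in parse_feed(feed_text):
        if (ioc["ioc_type"], ioc["value"]) in present:
            skipped += 1
            continue
        resp = case.add_ioc(**ioc)
        if resp.is_success():
            added += 1
        else:
            failed.append((ioc["value"], resp.get_msg()))
    return {"added": added, "skipped": skipped, "failed": failed}


if __name__ == "__main__":  # live run; constructor arguments are assumptions, see lead-in
    from dfir_iris_client.session import ClientSession
    from dfir_iris_client.case import Case

    session = ClientSession(apikey="REPLACE-ME", host="https://iris.example.invalid", ssl_verify=True)
    case = Case(session=session)
    case.set_cid(1)
    print(import_iocs(case, SAMPLE_FEED))
```

The dedup key is (type, value) rather than value alone because the same string can legitimately be, for example, both a domain and a filename indicator. If you import thousands of indicators, resolve the type and TLP names to IDs once and pass the IDs, as the note above recommends; this example passes names for readability.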

add_ioc_comment(ioc_id: int, comment: str, cid: int | None = None) ApiResponse

Adds a comment to an ioc.

Parameters:
  • ioc_id – int - IOC ID

  • comment – str - Comment

  • cid – int - Case ID

Returns:

APIResponse object

add_note(note_title: str, note_content: str, group_id: int, custom_attributes: dict | None = None, cid: int | None = None) ApiResponse

Creates a new note. Case ID and notes group ID need to match the case in which the note is stored.

custom_attributes has no fixed structure at call time. This method cannot push a new attribute structure: the submitted dict must follow the structure defined by administrators in the UI, otherwise it is ignored.

Parameters:
  • cid – Case ID

  • note_title – Title of the note

  • note_content – Content of the note

  • group_id – Target group to attach the note to

  • custom_attributes – Custom attributes of the note

Returns:

APIResponse object

add_note_comment(note_id: int, comment: str, cid: int | None = None) ApiResponse

Adds a comment to a note.

Parameters:
  • note_id – int - Note ID

  • comment – str - Comment

  • cid – int - Case ID

Returns:

APIResponse object

add_notes_group(group_title: str | None = None, cid: int | None = None) ApiResponse

Creates a new notes group in the target cid case. group_title may be the title of an existing group; titles are not unique.

Parameters:
  • cid – Case ID

  • group_title – Name of the group to add

Returns:

APIResponse object

add_task(title: str, status: str | int, assignees: List[str | int], description: str | None = None, tags: list | None = None, custom_attributes: dict | None = None, cid: int | None = None) ApiResponse

Adds a new task to the target case.

If they are strings, status and assignees are looked up before the addition request is issued. Both can be either a name or an ID. For performance, prefer an ID: it is used directly in the request without a prior lookup.

custom_attributes has no fixed structure at call time. This method cannot push a new attribute structure: the submitted dict must follow the structure defined by administrators in the UI, otherwise it is ignored.

Parameters:
  • title – Title of the task

  • description – Description of the task

  • assignees – List of assignees ID or username

  • cid – Case ID

  • tags – Tags of the task

  • status – Status name or ID; must be a valid status

  • custom_attributes – Custom attributes of the task

Returns:

APIResponse object

add_task_comment(task_id: int, comment: str, cid: int | None = None) ApiResponse

Adds a comment to a task.

Parameters:
  • task_id – int - Task ID

  • comment – str - Comment

  • cid – int - Case ID

Returns:

APIResponse object

add_task_log(message: str, cid: int | None = None) ApiResponse

Adds a new task log that will appear under activities

Parameters:
  • message – Message to log

  • cid – Case ID

Returns:

ApiResponse

asset_exists(asset_id: int, cid: int | None = None) bool

Returns True if asset_id exists in the context of the current case or of cid. This method is a thin wrapper around get_asset and is therefore not performant.

Parameters:
  • asset_id – Asset to lookup

  • cid – Case ID

Returns:

True if exists else false

case_id_exists(cid: int) bool

Checks whether a case ID is valid by probing the summary endpoint. Returns True if the probe succeeded. A False return does not necessarily mean the case does not exist: it can also result from a request failure (server down, invalid API token, etc.).

Parameters:

cid – Case ID to check

Returns:

True if case ID exists otherwise false

close_case(case_id: int | None = None) ApiResponse

Closes a case based on its ID

Parameters:

case_id – Case ID to close

Returns:

ApiResponse

delete_asset(asset_id: int, cid: int | None = None) ApiResponse

Deletes an asset identified by asset_id. CID must match the case in which the asset is stored.

Parameters:
  • asset_id – ID of the asset to delete

  • cid – Case ID

Returns:

APIResponse object

delete_asset_comment(asset_id: int, comment_id: int, cid: int | None = None) ApiResponse

Deletes a comment of an asset.

Parameters:
  • asset_id – int - Asset ID

  • comment_id – int - Comment ID

  • cid – int - Case ID

Returns:

APIResponse object

delete_case(cid: int | None = None) ApiResponse
Deletes a case based on its ID. All objects associated with the case are deleted. This includes:
  • assets

  • IOCs that are only referenced in this case

  • notes

  • summary

  • events

  • evidence

  • task logs

Parameters:

cid – Case to delete

Returns:

ApiResponse

delete_ds_file(file_id: int, cid: int | None = None) ApiResponse

Deletes a file from the Datastore.

Parameters:
  • file_id – int - File ID

  • cid – int - Case ID

Returns:

APIResponse object

delete_ds_folder(folder_id: int, cid: int | None = None) ApiResponse

Deletes a folder from the Datastore.

Parameters:
  • folder_id – int - Folder ID

  • cid – int - Case ID

Returns:

APIResponse object

delete_event(event_id: int, cid: int | None = None) ApiResponse

Deletes an event from its ID. CID must match the case in which the event is stored

Parameters:
  • event_id – Event to delete

  • cid – Case ID

Returns:

APIResponse object

delete_event_comment(event_id: int, comment_id: int, cid: int | None = None) ApiResponse

Deletes a comment of an event.

Parameters:
  • event_id – int - Event ID

  • comment_id – int - Comment ID

  • cid – int - Case ID

Returns:

APIResponse object

delete_evidence(evidence_id: int, cid: int | None = None)

Deletes an evidence from its ID. evidence_id needs to be an existing evidence in the target case.

Parameters:
  • evidence_id – int - Evidence to delete

  • cid – int - Case ID

Returns:

APIResponse object

delete_evidence_comment(evidence_id: int, comment_id: int, cid: int | None = None) ApiResponse

Deletes a comment of an evidence.

Parameters:
  • evidence_id – int - Evidence ID

  • comment_id – int - Comment ID

  • cid – int - Case ID

Returns:

APIResponse object

delete_global_task(task_id: int) ApiResponse

Deletes a global task from its ID. task_id needs to be an existing task in the database.

Parameters:

task_id – int - Task to delete

Returns:

APIResponse object

delete_ioc(ioc_id: int, cid: int | None = None) ApiResponse

Deletes an IOC from its ID. CID must match the case in which the ioc is stored.

Parameters:
  • ioc_id – ID of the ioc

  • cid – Case ID

Returns:

APIResponse object

delete_ioc_comment(ioc_id: int, comment_id: int, cid: int | None = None) ApiResponse

Deletes a comment of an ioc.

Parameters:
  • ioc_id – int - IOC ID

  • comment_id – int - Comment ID

  • cid – int - Case ID

Returns:

APIResponse object

delete_note(note_id: int, cid: int | None = None) ApiResponse

Deletes a note. note_id needs to be a valid existing note in the target case.

Parameters:
  • cid – Case ID

  • note_id – ID of the note to delete

Returns:

APIResponse object

delete_note_comment(note_id: int, comment_id: int, cid: int | None = None) ApiResponse

Deletes a comment of a note.

Parameters:
  • note_id – int - Note ID

  • comment_id – int - Comment ID

  • cid – int - Case ID

Returns:

APIResponse object

delete_notes_group(group_id: int, cid: int | None = None) ApiResponse
Deletes a notes group. All notes in the target group are deleted! There is no way to get the notes back.

Case ID needs to match the case where the group is stored.

Parameters:
  • cid – Case ID

  • group_id – ID of the group

Returns:

APIResponse object

delete_task(task_id: int, cid: int | None = None) ApiResponse

Deletes a task from its ID. CID must match the case in which the task is stored.

Parameters:
  • task_id – Task to delete

  • cid – Case ID

Returns:

APIResponse object

delete_task_comment(task_id: int, comment_id: int, cid: int | None = None) ApiResponse

Deletes a comment of a task.

Parameters:
  • task_id – int - Task ID

  • comment_id – int - Comment ID

  • cid – int - Case ID

Returns:

APIResponse object

download_activity_report(report_id: int, cid: int | None = None) Response

Download an activity report.

Parameters:
  • report_id – int - ID of the template report

  • cid – int - Case ID

Returns:

Response object: the raw HTTP response (not an ApiResponse), whose body is the generated report

download_ds_file(file_id: int, cid: int | None = None) Response

Downloads a file from the Datastore.

Parameters:
  • file_id – int - File ID

  • cid – int - Case ID

Returns:

Response object: the raw HTTP response (not an ApiResponse), whose body is the file content

download_investigation_report(report_id: int, cid: int | None = None) Response

Download an investigation report.

Parameters:
  • report_id – int - ID of the template report

  • cid – int - Case ID

Returns:

Response object: the raw HTTP response (not an ApiResponse), whose body is the generated report

filter_events(filter_str: dict | None = None, cid: int | None = None) ApiResponse

Returns a list of events from the timeline, filtered with the same query types used in the UI.

Parameters:
  • filter_str – Filter the timeline as in the UI

  • cid – Case ID

Returns:

APIResponse object

get_asset(asset_id: int, cid: int | None = None) ApiResponse

Returns an asset information from its ID.

Parameters:
  • asset_id – ID of the asset to fetch

  • cid – Case ID

Returns:

APIResponse object

get_case(cid: int) ApiResponse

Gets an existing case from its ID

Parameters:

cid – CaseID to fetch

Returns:

ApiResponse object

get_ds_file_info(file_id: int, cid: int | None = None) ApiResponse

Returns information from file of the Datastore.

Parameters:
  • file_id – int - File ID

  • cid – int - Case ID

Returns:

APIResponse object

get_event(event_id: int, cid: int | None = None) ApiResponse

Returns an event from the timeline

Parameters:
  • event_id – ID of the event to fetch

  • cid – Case ID

Returns:

APIResponse object

get_evidence(evidence_id: int, cid: int | None = None) ApiResponse

Returns an evidence from its ID. evidence_id needs to be an existing evidence in the target case.

Parameters:
  • evidence_id – Evidence ID to lookup

  • cid – Case ID

Returns:

APIResponse object

get_global_task(task_id: int) ApiResponse

Returns a global task from its ID.

Parameters:

task_id – Task ID to lookup

Returns:

APIResponse object

get_ioc(ioc_id: int, cid: int | None = None) ApiResponse

Returns an IOC. ioc_id needs to be an existing ioc in the provided case ID.

Parameters:
  • ioc_id – IOC ID

  • cid – Case ID

Returns:

APIResponse object

get_note(note_id: int, cid: int | None = None) ApiResponse

Fetches a note. note_id needs to be a valid existing note in the target case.

Parameters:
  • cid – Case ID

  • note_id – ID of the note to fetch

Returns:

APIResponse object

get_notes_group(group_id: int, cid: int | None = None) ApiResponse

Returns a notes group based on its ID. The group ID needs to match the CID where it is stored.

Parameters:
  • group_id – Group ID to fetch

  • cid – Case ID (Default value = None)

Returns:

APIResponse object

get_summary(cid: int | None = None) ApiResponse

Returns the summary of the specified case id.

Parameters:

cid – Case ID (Default value = None)

Returns:

APIResponse object

get_task(task_id: int, cid: int | None = None) ApiResponse

Returns a task from its ID. task_id needs to be a valid task in the target case.

Parameters:
  • task_id – Task ID to lookup

  • cid – Case ID

Returns:

APIResponse object

list_asset_comments(asset_id: int, cid: int | None = None) ApiResponse

List comments of an asset.

Parameters:
  • asset_id – int - Asset ID

  • cid – int - Case ID

Returns:

APIResponse object

list_assets(cid: int | None = None) ApiResponse

Returns a list of all assets of the target case.

Parameters:

cid – int - Case ID

Returns:

APIResponse

list_cases() ApiResponse

Returns a list of all the cases

Returns:

ApiResponse


list_ds_tree(cid: int | None = None) ApiResponse

Returns the tree of the Datastore

Parameters:

cid – Case ID

Returns:

APIResponse object

list_event_comments(event_id: int, cid: int | None = None) ApiResponse

List comments of an event.

Parameters:
  • event_id – int - Event ID

  • cid – int - Case ID

Returns:

APIResponse object

list_events(filter_by_asset: int = 0, cid: int | None = None) ApiResponse

Returns a list of events from the timeline. filter_by_asset can be used to return only the events linked to a specific asset. In case the asset doesn’t exist, an empty timeline is returned.

Parameters:
  • filter_by_asset – Select the timeline of a specific asset by setting an existing asset ID

  • cid – Case ID

Returns:

APIResponse object

list_evidence_comments(evidence_id: int, cid: int | None = None) ApiResponse

List comments of an evidence.

Parameters:
  • evidence_id – int - Evidence ID

  • cid – int - Case ID

Returns:

APIResponse object

list_evidences(cid: int | None = None) ApiResponse

Returns a list of evidences.

Parameters:

cid – Case ID

Returns:

ApiResponse object

list_global_tasks() ApiResponse

Returns a list of all global tasks.

Returns:

ApiResponse object

list_ioc_comments(ioc_id: int, cid: int | None = None) ApiResponse

List comments of an ioc.

Parameters:
  • ioc_id – int - IOC ID

  • cid – int - Case ID

Returns:

APIResponse object

list_iocs(cid: int | None = None) ApiResponse

Returns a list of all iocs of the target case.

Parameters:

cid – Case ID

Returns:

APIResponse

list_note_comments(note_id: int, cid: int | None = None) ApiResponse

List comments of a note.

Parameters:
  • note_id – int - Note ID

  • cid – int - Case ID

Returns:

APIResponse object

list_notes_groups(cid: int | None = None) ApiResponse

Returns a list of notes groups of the target cid case

Parameters:

cid – Case ID (Default value = None)

Returns:

APIResponse object

list_task_comments(task_id: int, cid: int | None = None) ApiResponse

List comments of a task.

Parameters:
  • task_id – int - Task ID

  • cid – int - Case ID

Returns:

APIResponse object

list_tasks(cid: int | None = None) ApiResponse

Returns a list of tasks linked to the provided case.

Parameters:

cid – Case ID

Returns:

ApiResponse object

move_ds_file(file_id: int, parent_id: int, cid: int | None = None) ApiResponse

Moves a file from a folder to another.

Parameters:
  • file_id – int - File ID

  • parent_id – int - New parent ID

  • cid – int - Case ID

Returns:

APIResponse object

move_ds_folder(folder_id: int, parent_id: int, cid: int | None = None) ApiResponse

Moves a folder from a folder to another.

Parameters:
  • folder_id – int - Folder ID

  • parent_id – int - New parent ID

  • cid – int - Case ID

Returns:

APIResponse object

rename_ds_folder(folder_id: int, new_name: str, cid: int | None = None) ApiResponse

Renames a folder in the Datastore.

Parameters:
  • folder_id – int - Folder ID

  • new_name – str - New name

  • cid – int - Case ID

Returns:

APIResponse object

reopen_case(case_id: int | None = None) ApiResponse

Reopens a case based on its ID

Parameters:

case_id – Case ID to open

Returns:

ApiResponse

search_notes(search_term: str, cid: int | None = None) ApiResponse
Searches in notes. Case ID must match the case in which the notes are stored.

Only the titles and IDs of the matching notes are returned, not their content. Use % as a wildcard.

Parameters:
  • cid – int - Case ID

  • search_term – str - Term to search in notes

Returns:

APIResponse object

set_case_outcome_status(outcome_status: str | int, case_id: int | None = None) ApiResponse

Sets the outcome status of a case

Parameters:
  • case_id – ID of the case to update

  • outcome_status – Outcome status to set

Returns:

ApiResponse object

set_cid(cid: int) bool

Sets the current cid for the Case instance. It can be overridden by passing cid to individual methods, though this is not recommended, for consistency.

Parameters:

cid – Case ID

Returns:

Always true

set_summary(summary_content: str | None = None, cid: int | None = None) ApiResponse

Sets the summary of the specified case id.

!!! warning

This completely replaces the current content of the summary. Any co-worker working on the summary receives an overwrite order from the server, delivered immediately over the web socket. This method should probably only be used when setting up a new case.

Parameters:
  • summary_content – Content of the summary to push. This will completely replace the current content (Default value = None)

  • cid – Case ID (Default value = None)

Returns:

APIResponse object

trigger_manual_hook(hook_ui_name: str, module_name: str, targets: list, target_type: str, cid: int | None = None) ApiResponse

Triggers a module hook call. Only manual hooks can be triggered this way. The request is sent to the target module and processed asynchronously; the server replies immediately after queuing the task. A success response from this endpoint does not imply that the hook processing succeeded.

Parameters:
  • hook_ui_name – Hook name, as defined by the module on the UI

  • module_name – Module associated with the hook name

  • targets – List of IDs of objects to be processed

  • target_type – Target type of targets

  • cid – Case ID

Returns:

ApiResponse object

update_asset(asset_id: int, name: str | None = None, asset_type: str | int | None = None, tags: List[str] | None = None, analysis_status: str | int | None = None, description: str | None = None, domain: str | None = None, ip: str | None = None, additional_info: str | None = None, ioc_links: List[int] | None = None, compromise_status: str | int | None = None, custom_attributes: dict | None = None, cid: int | None = None, no_sync=False, **kwargs) ApiResponse

Updates an asset. asset_id needs to be an existing asset in the target case cid.

If they are strings, asset_type and analysis_status are looked up before the update request is issued. Both can be either a name or an ID. For performance, prefer an ID: it is used directly in the request without a prior lookup.

custom_attributes has no fixed structure at call time. This method cannot push a new attribute structure: the submitted dict must follow the structure defined by administrators in the UI, otherwise it is ignored.

Parameters:
  • asset_id – ID of the asset to update

  • name – Name of the asset

  • asset_type – Name or ID of the asset type

  • tags – List of tags

  • description – Description of the asset

  • domain – Domain of the asset

  • ip – IP of the asset

  • additional_info – Additional information

  • analysis_status – Status of the analysis

  • ioc_links – List of IOC to link to this asset

  • compromise_status – Status of the compromise

  • custom_attributes – Custom attributes of the asset

  • cid – Case ID

Returns:

APIResponse

update_asset_comment(asset_id: int, comment_id: int, comment: str, cid: int | None = None) ApiResponse

Updates a comment of an asset.

Parameters:
  • asset_id – int - Asset ID

  • comment_id – int - Comment ID

  • comment – str - Comment

  • cid – int - Case ID

Returns:

APIResponse object

update_case(case_id: int | None = None, case_name: str | None = None, case_description: str | None = None, case_classification: str | int | None = None, case_owner: str | int | None = None, soc_id: str | None = None, case_tags: List[str] | None = None, custom_attributes: dict | None = None) ApiResponse

Updates an existing case.

custom_attributes has no fixed structure at call time. This method cannot push a new attribute structure: the submitted dict must follow the structure defined by administrators in the UI, otherwise it is ignored.

If a value is not provided, it is not updated.

Parameters:
  • case_id – ID of the case to update

  • case_name – case_name

  • case_description – Description of the case

  • case_classification – Classification of the case

  • case_tags – List of tags to add to the case

  • case_owner – Name or ID of the owner

  • soc_id – SOC Number

  • custom_attributes – Custom attributes of the case

Returns:

ApiResponse object

update_ds_file(file_id: int, file_name: str | None = None, file_description: str | None = None, file_is_ioc: bool = False, file_is_evidence: bool = False, file_password: str | None = None, file_tags: list[str] | None = None, cid: int | None = None) ApiResponse

Updates a file in the Datastore.

Parameters:
  • file_id – int - File ID

  • file_name – str - File name

  • file_description – str - File description

  • file_is_ioc – bool - Is the file an IOC

  • file_is_evidence – bool - Is the file an evidence

  • file_password – str - File password

  • file_tags – list[str] - File tags

  • cid – int - Case ID

Returns:

APIResponse object

update_event(event_id: int, title: str = None, date_time: datetime = None, content: str = None, raw_content: str = None, source: str = None, linked_assets: list = None, linked_iocs: list = None, category: int | str = None, tags: list = None, color: str = None, display_in_graph: bool = None, display_in_summary: bool = None, custom_attributes: dict = None, cid: int = None, timezone_string: str = None, sync_ioc_with_assets: bool = False) ApiResponse

Updates an event of the timeline. event_id needs to be an existing event in the target case.

If it is a string, category is looked up before the update request is issued. It can be either a name or an ID. For performance, prefer an ID: it is used directly in the request without a prior lookup.

custom_attributes has no fixed structure at call time. This method cannot push a new attribute structure: the submitted dict must follow the structure defined by administrators in the UI, otherwise it is ignored.

Parameters:
  • event_id – Event ID to update

  • title – Title of the event

  • date_time – Datetime of the event, including timezone

  • content – Content of the event (displayed in timeline on GUI)

  • raw_content – Raw content of the event (displayed in detailed event on GUI)

  • source – Source of the event

  • linked_assets – List of assets to link with this event

  • linked_iocs – List of IOCs to link with this event

  • category – Category of the event (MITRE ATT&CK)

  • color – Left border of the event in the timeline

  • display_in_graph – Set to true to display in graph page - Default to true

  • display_in_summary – Set to true to display in Summary - Default to false

  • tags – A list of strings to add as tags

  • custom_attributes – Custom attributes of the event

  • timezone_string – Timezone offset in the format +HH:MM or -HH:MM. If None, +00:00 is used

  • sync_ioc_with_assets – Set to true to sync the IOC with the assets

  • cid – Case ID

Returns:

APIResponse object

update_event_comment(event_id: int, comment_id: int, comment: str, cid: int | None = None) ApiResponse

Updates a comment of an event.

Parameters:
  • event_id – int - Event ID

  • comment_id – int - Comment ID

  • comment – str - Comment

  • cid – int - Case ID

Returns:

APIResponse object

update_evidence(evidence_id: int, filename: str | None = None, file_size: int | None = None, description: str | None = None, file_hash: str | None = None, custom_attributes: dict | None = None, cid: int | None = None) ApiResponse

Updates an evidence item of the target case. evidence_id needs to be an existing evidence item in the target case.

custom_attributes has no structure defined on the client side when the call is made. This method does not allow pushing a new attribute structure: the submitted structure must follow the one defined by administrators in the UI, otherwise it is ignored.

Parameters:
  • evidence_id – ID of the evidence

  • filename – Name of the evidence

  • file_size – Size of the file

  • description – Description of the evidence

  • file_hash – Hash of the evidence

  • custom_attributes – Custom attributes of the evidence

  • cid – Case ID

Returns:

APIResponse object
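file_size and file_hash are supplied by the caller, so nothing stops a stale or mistyped digest from being written onto an evidence record. The added example below (my code, not part of dfir_iris_client) recomputes both from the artefact bytes and compares the digest with the one already recorded before calling update_evidence; a mismatch aborts the update rather than overwriting the stored hash. SHA-256 is an assumption (IRIS stores file_hash as text and does not dictate an algorithm), `case` is assumed to be a dfir_iris_client.case.Case whose response exposes is_success() and get_msg(), and the sample artefact bytes are constructed.

```python
import hashlib
from typing import Any, Dict, Optional

# Constructed stand-in for a collected artefact (not real evidence).
SAMPLE_EVIDENCE_BYTES = b"constructed sample: memory image header\x00\x01\x02" * 64
SAMPLE_EVIDENCE_NAME = "host01-memory.raw"   # constructed file name


def evidence_fingerprint(data: bytes) -> Dict[str, Any]:
    """Size and SHA-256 hex digest the evidence record should carry.

    SHA-256 is an assumption: IRIS stores file_hash as text and does not
    dictate the algorithm, so keep one algorithm per case and record which.
    """
    return {"file_size": len(data), "file_hash": hashlib.sha256(data).hexdigest()}


def sync_evidence_record(case: Any, evidence_id: int, data: bytes,
                         recorded_hash: Optional[str] = None,
                         filename: Optional[str] = None,
                         cid: Optional[int] = None) -> Dict[str, Any]:
    """Recompute the artefact's fingerprint and push it with Case.update_evidence.

    `recorded_hash` is the digest already on the evidence record or in the
    acquisition log. If the bytes no longer match it, the record is left alone
    and a ValueError is raised: an unexplained hash change is a chain-of-custody
    problem, not something to paper over by overwriting the stored hash.

    `case` is assumed to be a dfir_iris_client.case.Case (or any object with
    the same update_evidence signature) whose response exposes
    is_success()/get_msg().
    """
    fp = evidence_fingerprint(data)
    if recorded_hash is not None and recorded_hash.strip().lower() != fp["file_hash"]:
        raise ValueError(
            f"evidence {evidence_id}: recorded hash {recorded_hash} does not match "
            f"recomputed {fp['file_hash']}; not updating, investigate first")
    resp = case.update_evidence(evidence_id=evidence_id, filename=filename,
                                file_size=fp["file_size"],
                                file_hash=fp["file_hash"], cid=cid)
    if not resp.is_success():
        raise RuntimeError(f"update_evidence({evidence_id}) rejected: {resp.get_msg()}")
    return fp


if __name__ == "__main__":
    # Offline: print the fingerprint the record would receive for the sample.
    print(SAMPLE_EVIDENCE_NAME, evidence_fingerprint(SAMPLE_EVIDENCE_BYTES))
```

Read the artefact from disk in chunks for large images instead of loading it whole; the comparison logic stays the same.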

update_evidence_comment(evidence_id: int, comment_id: int, comment: str, cid: int | None = None) ApiResponse

Updates a comment on an evidence item.

Parameters:
  • evidence_id – int - Evidence ID

  • comment_id – int - Comment ID

  • comment – str - Comment

  • cid – int - Case ID

Returns:

APIResponse object

update_global_task(task_id: int, title: str | None = None, status: str | int | None = None, assignee: str | int | None = None, description: str | None = None, tags: list | None = None) ApiResponse

Updates a task. task_id needs to be an existing task in the database.

If status and assignee are strings, they are looked up before the update request is issued. Both can be either a name or an ID. For performance, prefer an ID, as it is used directly in the request without a prior lookup.

Parameters:
  • task_id – ID of the task to update

  • title – Title of the task

  • description – Description of the task

  • assignee – Assignee ID or assignee username

  • tags – Tags of the task

  • status – Status of the task; a string needs to be a valid status name

Returns:

APIResponse object

update_ioc(ioc_id: int, value: str | None = None, ioc_type: str | int | None = None, description: str | None = None, ioc_tlp: str | int | None = None, ioc_tags: list | None = None, custom_attributes: dict | None = None, cid: int | None = None) ApiResponse

Updates an existing IOC. ioc_id needs to be an existing IOC in the provided case ID.

If ioc_tlp and ioc_type are strings, they are looked up before the update request is issued. Both can be either a name or an ID. For performance, prefer an ID, as it is used directly in the request without a prior lookup.

custom_attributes has no structure defined on the client side when the call is made. This method does not allow pushing a new attribute structure: the submitted structure must follow the one defined by administrators in the UI, otherwise it is ignored.

Parameters:
  • ioc_id – IOC ID to update

  • value – Value of the IOC

  • ioc_type – Type of IOC, either name or type ID

  • description – Description of the IOC

  • ioc_tlp – TLP name or TLP ID. Default is orange

  • ioc_tags – List of tags to add

  • custom_attributes – Custom attributes of the IOC

  • cid – Case ID

Returns:

APIResponse object

update_ioc_comment(ioc_id: int, comment_id: int, comment: str, cid: int | None = None) ApiResponse

Updates a comment of an IOC.

Parameters:
  • ioc_id – int - IOC ID

  • comment_id – int - Comment ID

  • comment – str - Comment

  • cid – int - Case ID

Returns:

APIResponse object

update_note(note_id: int, note_title: str | None = None, note_content: str | None = None, custom_attributes: dict | None = None, cid: int | None = None) ApiResponse

Updates a note. note_id needs to be a valid existing note in the target case. Only the content of the set fields is replaced.

custom_attributes has no structure defined on the client side when the call is made. This method does not allow pushing a new attribute structure: the submitted structure must follow the one defined by administrators in the UI, otherwise it is ignored.

Parameters:
  • cid – Case ID

  • note_id – ID of the note to update

  • note_content – Content of the note

  • note_title – Title of the note

  • custom_attributes – Custom attributes of the note

Returns:

APIResponse object

update_note_comment(note_id: int, comment_id: int, comment: str, cid: int | None = None) ApiResponse

Updates a comment of a note.

Parameters:
  • note_id – int - Note ID

  • comment_id – int - Comment ID

  • comment – str - Comment

  • cid – int - Case ID

Returns:

APIResponse object

update_notes_group(group_id: int, group_title: str, cid: int | None = None) ApiResponse

Updates a notes group in the target case. group_id needs to be an existing group in the target case. group_title may match the title of an existing group; titles are not required to be unique.

Parameters:
  • cid – Case ID

  • group_id – Group ID to update

  • group_title – Name of the group

Returns:

APIResponse object

update_task(task_id: int, title: str | None = None, status: str | int | None = None, assignees: List[str | int] | None = None, description: str | None = None, tags: list | None = None, custom_attributes: dict | None = None, cid: int | None = None) ApiResponse

Updates a task. task_id needs to be a valid task in the target case.

If status and assignees are strings, they are looked up before the update request is issued. Both can be either a name or an ID. For performance, prefer an ID, as it is used directly in the request without a prior lookup.

custom_attributes has no structure defined on the client side when the call is made. This method does not allow pushing a new attribute structure: the submitted structure must follow the one defined by administrators in the UI, otherwise it is ignored.

Parameters:
  • task_id – ID of the task to update

  • title – Title of the task

  • description – Description of the task

  • assignees – List of assignee IDs or assignee usernames

  • cid – Case ID

  • tags – Tags of the task

  • status – Status of the task; a string needs to be a valid status name

  • custom_attributes – Custom attributes of the task

Returns:

APIResponse object
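update_global_task, update_ioc and update_task all carry the same note: a name passed as a string costs one lookup request per call, an ID does not. The added example below (my code, not part of dfir_iris_client) does that lookup once and caches the table, then batch-updates IOCs with the resolved TLP ID; the same resolver serves task statuses and assignees with the right key names. It assumes `case` is a dfir_iris_client.case.Case whose update_ioc returns a response with is_success() and get_msg(); the reference rows and their tlp_id/tlp_name keys are constructed and the key names are an assumption about the IRIS listing format, to be replaced by the ones your version returns.

```python
from typing import Any, Callable, Dict, List, Optional, Union

# Constructed reference data (not fetched from a real server). The key names
# tlp_id/tlp_name are an assumption about the IRIS TLP listing; pass the real
# ones for your version via id_key/name_key.
SAMPLE_TLPS: List[Dict[str, Any]] = [
    {"tlp_id": 1, "tlp_name": "red"},
    {"tlp_id": 2, "tlp_name": "amber"},
    {"tlp_id": 3, "tlp_name": "green"},
    {"tlp_id": 4, "tlp_name": "clear"},
]


class ReferenceResolver:
    """Turn a name-or-ID reference into an ID with at most one listing request.

    Mirrors what the client does per call when handed a string, but keeps the
    table so a batch of updates costs one lookup instead of one per update.
    Integers are returned untouched, exactly as the client uses them.
    """

    def __init__(self, fetch: Callable[[], List[Dict[str, Any]]],
                 id_key: str, name_key: str):
        self._fetch = fetch          # e.g. a callable that lists TLPs or statuses
        self._id_key = id_key
        self._name_key = name_key
        self._by_name: Optional[Dict[str, int]] = None

    def _table(self) -> Dict[str, int]:
        if self._by_name is None:    # first use only
            self._by_name = {str(row[self._name_key]): int(row[self._id_key])
                             for row in self._fetch()}
        return self._by_name

    def resolve(self, ref: Union[str, int]) -> int:
        if isinstance(ref, int):
            return ref
        try:
            return self._table()[ref]   # exact match, as the server-side lookup is
        except KeyError:
            raise LookupError(f"unknown {self._name_key}: {ref!r}") from None


def retag_iocs(case: Any, tlp: ReferenceResolver, ioc_ids: List[int],
               new_tlp: Union[str, int],
               cid: Optional[int] = None) -> Dict[int, Optional[str]]:
    """Move a set of IOCs to one TLP with a single name lookup.

    Returns {ioc_id: None} on success and {ioc_id: error message} otherwise, so
    one rejected IOC does not abort the rest of the batch. `case` is assumed to
    be a dfir_iris_client.case.Case whose update_ioc returns an object with
    is_success()/get_msg().
    """
    tlp_id = tlp.resolve(new_tlp)    # resolved once for the whole batch
    outcome: Dict[int, Optional[str]] = {}
    for ioc_id in ioc_ids:
        resp = case.update_ioc(ioc_id=ioc_id, ioc_tlp=tlp_id, cid=cid)
        outcome[ioc_id] = None if resp.is_success() else resp.get_msg()
    return outcome


if __name__ == "__main__":
    # Offline: resolve against the constructed table.
    resolver = ReferenceResolver(lambda: SAMPLE_TLPS, "tlp_id", "tlp_name")
    print(resolver.resolve("amber"), resolver.resolve(3))
```

A resolver is per table: build one for TLPs, one for IOC types and one for task statuses, each with its own fetch callable and key names, and keep them for the lifetime of the session rather than per call.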

update_task_comment(task_id: int, comment_id: int, comment: str, cid: int | None = None) ApiResponse

Updates a comment of a task.

Parameters:
  • task_id – int - Task ID

  • comment_id – int - Comment ID

  • comment – str - Comment

  • cid – int - Case ID

Returns:

APIResponse object