Case
- class dfir_iris_client.case.Case(session: ClientSession, case_id: int | None = None)
Handles the case methods
- add_asset(name: str, asset_type: str | int, analysis_status: str | int, compromise_status: str | int | None = None, tags: List[str] | None = None, description: str | None = None, domain: str | None = None, ip: str | None = None, additional_info: str | None = None, ioc_links: List[int] | None = None, custom_attributes: dict | None = None, cid: int | None = None, **kwargs) ApiResponse
Adds an asset to the target case id.
If they are strings, asset_type and analysis_status are looked up before the request is issued. Both can be either a name or an ID. For performance, prefer an ID: IDs are used directly in the request without a prior lookup.
custom_attributes has no fixed structure at call time. This method cannot push a new attribute structure: the submitted structure must follow the one defined by administrators in the UI, otherwise it is ignored.
- Parameters:
name – Name of the asset to add
asset_type – Name or ID of the asset type
description – Description of the asset
compromise_status – Compromise status of the asset
domain – Domain of the asset
ip – IP of the asset
additional_info – Additional information
analysis_status – Status of the analysis
tags – List of tags
ioc_links – List of IOC to link to this asset
custom_attributes – Custom attributes of the asset
kwargs – Additional arguments to pass to the API
cid – int - Case ID
- Returns:
APIResponse
- add_asset_comment(asset_id: int, comment: str, cid: int | None = None) ApiResponse
Adds a comment to an asset.
- Parameters:
asset_id – int - Asset ID
comment – str - Comment
cid – int - Case ID
- Returns:
APIResponse object
- add_case(case_name: str, case_description: str, case_customer: str | int, case_classification: str | int, soc_id: str, custom_attributes: dict | None = None, create_customer=False) ApiResponse
Creates a new case. If create_customer is set to true and the customer doesn’t exist, it is created. Otherwise, an error is returned.
custom_attributes has no fixed structure at call time. This method cannot push a new attribute structure: the submitted structure must follow the one defined by administrators in the UI, otherwise it is ignored.
- Parameters:
case_name – case_name
case_classification – Classification of the case
case_description – Description of the case
case_customer – Name or ID of the customer
soc_id – SOC Number
custom_attributes – Custom attributes of the case
create_customer – Set to true to create the customer if it doesn’t exist. (Default value = False)
- Returns:
ApiResponse object
- add_ds_file(parent_id: int, file_stream: BinaryIO, filename: str, file_description: str, file_is_ioc: bool = False, file_is_evidence: bool = False, file_password: str | None = None, file_tags: list[str] | None = None, cid: int | None = None) ApiResponse
Adds a file to the Datastore.
- Parameters:
file_stream – BinaryIO - File stream to upload
filename – str - File name
file_description – str - File description
file_is_ioc – bool - Is the file an IOC
file_is_evidence – bool - Is the file an evidence
parent_id – int - Parent ID
file_password – str - File password
file_tags – list[str] - File tags
cid – int - Case ID
- Returns:
APIResponse object
- add_ds_folder(parent_id: int, folder_name: str, cid: int | None = None) ApiResponse
Adds a folder to the Datastore.
- Parameters:
parent_id – int - Parent ID
folder_name – str - Folder name
cid – int - Case ID
- Returns:
APIResponse object
- add_event(title: str, date_time: datetime, content: str | None = None, raw_content: str | None = None, source: str | None = None, linked_assets: list | None = None, linked_iocs: list | None = None, category: str | int | None = None, tags: list | None = None, color: str | None = None, display_in_graph: bool | None = None, display_in_summary: bool | None = None, custom_attributes: str | None = None, timezone_string: str | None = None, sync_ioc_with_assets: bool = False, cid: int | None = None) ApiResponse
Adds a new event to the timeline.
If it is a string, category is looked up before the request is issued. It can be either a name or an ID. For performance, prefer an ID: it is used directly in the request without a prior lookup.
custom_attributes has no fixed structure at call time. This method cannot push a new attribute structure: the submitted structure must follow the one defined by administrators in the UI, otherwise it is ignored.
- Parameters:
title – Title of the event
date_time – Datetime of the event, including timezone
content – Content of the event (displayed in timeline on GUI)
raw_content – Raw content of the event (displayed in detailed event on GUI)
source – Source of the event
linked_assets – List of assets to link with this event
linked_iocs – List of IOCs to link with this event
category – Category of the event (MITRE ATT&CK)
color – Left border of the event in the timeline
display_in_graph – Set to true to display in graph page - Defaults to true
display_in_summary – Set to true to display in Summary - Defaults to false
tags – A list of strings to add as tags
custom_attributes – Custom attributes of the event
timezone_string – Timezone in format +XX:XX or -XX:XX. If none, +00:00 is used
sync_ioc_with_assets – Set to true to sync the IOC with the assets
cid – Case ID
- Returns:
APIResponse object
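The add_event contract above has two easy-to-miss details: date_time must carry its timezone, and timezone_string must be written as +XX:XX or -XX:XX (the server assumes +00:00 when it is absent), so a naive datetime or a mismatched pair silently shifts an event on the timeline. The helper below is an added example, not part of dfir_iris_client or its documentation: it derives timezone_string from the datetime's own UTC offset, refuses naive datetimes, and drops unset arguments so the client's defaults apply. The sample timestamps and the asset ID 42 are constructed placeholders.

```python
"""Prepare Case.add_event keyword arguments from a timezone-aware datetime.

Added example, not part of dfir_iris_client. It encodes the documented contract of
add_event/update_event: date_time must carry its timezone, and timezone_string must
be '+XX:XX' or '-XX:XX' (the server assumes +00:00 when it is absent). Deriving the
string from the datetime's own offset means the two can never disagree.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List, Optional, Union

# The shape the page documents for timezone_string.
TZ_STRING_RE = re.compile(r"^[+-]\d{2}:\d{2}$")


def utcoffset_to_tz_string(dt: datetime) -> str:
    """Render dt's UTC offset as '+HH:MM' or '-HH:MM'; reject naive datetimes."""
    offset = dt.utcoffset()
    if offset is None:
        raise ValueError("date_time must be timezone-aware (naive datetime given)")
    sign = "-" if offset < timedelta(0) else "+"
    total_minutes = abs(int(offset.total_seconds())) // 60
    return f"{sign}{total_minutes // 60:02d}:{total_minutes % 60:02d}"


def is_valid_tz_string(tz_string: str) -> bool:
    """True when tz_string matches the documented '+XX:XX' / '-XX:XX' shape."""
    return TZ_STRING_RE.match(tz_string) is not None


def build_event_kwargs(
    title: str,
    date_time: datetime,
    *,
    content: Optional[str] = None,
    source: Optional[str] = None,
    category: Optional[Union[str, int]] = None,
    tags: Optional[List[str]] = None,
    linked_assets: Optional[List[int]] = None,
    linked_iocs: Optional[List[int]] = None,
    cid: Optional[int] = None,
) -> Dict[str, Any]:
    """Return a dict ready for Case.add_event(**kwargs).

    Keys left at None are dropped so the client's own defaults apply unchanged.
    """
    tz_string = utcoffset_to_tz_string(date_time)
    kwargs: Dict[str, Any] = {
        "title": title,
        "date_time": date_time,
        "timezone_string": tz_string,
        "content": content,
        "source": source,
        "category": category,
        "tags": tags,
        "linked_assets": linked_assets,
        "linked_iocs": linked_iocs,
        "cid": cid,
    }
    return {key: value for key, value in kwargs.items() if value is not None}


# Constructed samples: one event observed in UTC+05:30, one in UTC-08:00.
SAMPLE_EVENT_IST = datetime(2024, 3, 1, 10, 30, tzinfo=timezone(timedelta(hours=5, minutes=30)))
SAMPLE_EVENT_PST = datetime(2024, 3, 1, 22, 15, tzinfo=timezone(timedelta(hours=-8)))


def sample_event_kwargs() -> Dict[str, Any]:
    """Constructed add_event payload; the asset ID 42 is a placeholder."""
    return build_event_kwargs(
        "Suspicious logon observed",
        SAMPLE_EVENT_IST,
        source="auth.log",
        tags=["initial-access"],
        linked_assets=[42],  # placeholder asset ID, not from any real case
    )
```

In practice the result is passed straight through, e.g. `case.add_event(**sample_event_kwargs())` on a Case instance whose cid has been set with set_cid; the same builder serves update_event by adding the event_id.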
- add_event_comment(event_id: int, comment: str, cid: int | None = None) ApiResponse
Adds a comment to an event.
- Parameters:
event_id – int - Event ID
comment – str - Comment
cid – int - Case ID
- Returns:
APIResponse object
- add_evidence(filename: str, file_size: int, description: str | None = None, file_hash: str | None = None, custom_attributes: dict | None = None, cid: int | None = None) ApiResponse
Adds a new evidence to the target case.
custom_attributes has no fixed structure at call time. This method cannot push a new attribute structure: the submitted structure must follow the one defined by administrators in the UI, otherwise it is ignored.
- Parameters:
filename – name of the evidence
file_size – Size of the file
description – Description of the evidence
file_hash – hash of the evidence
custom_attributes – Custom attributes of the evidences
cid – Case ID
- Returns:
APIResponse object
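add_evidence records filename, file_size and file_hash but the page does not say which hash algorithm is expected, and a hash typed by hand is the classic chain-of-custody error. The block below is an added example, not code from dfir_iris_client: it computes the three fields from a file stream in chunks (so disk images need not fit in memory) and re-verifies a downloaded copy against the recorded hash. SHA-256 is this example's assumption; the sample bytes are constructed.

```python
"""Derive the filename, file_size and file_hash that Case.add_evidence expects.

Added example, not part of dfir_iris_client. The hash algorithm is this example's
assumption (SHA-256); record whatever your evidence handling procedure mandates.
"""
import hashlib
import hmac
import io
import os
from typing import BinaryIO, Dict, Tuple, Union


def _hash_stream(stream: BinaryIO, algorithm: str, chunk_size: int) -> Tuple[str, int]:
    """Hash a stream incrementally, returning (hex digest, byte count)."""
    digest = hashlib.new(algorithm)
    size = 0
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
        size += len(chunk)
    return digest.hexdigest(), size


def evidence_metadata(
    stream: BinaryIO, filename: str, *, algorithm: str = "sha256", chunk_size: int = 1 << 20
) -> Dict[str, Union[str, int]]:
    """Return {'filename', 'file_size', 'file_hash'}, usable as Case.add_evidence(**meta, cid=...)."""
    file_hash, size = _hash_stream(stream, algorithm, chunk_size)
    return {"filename": filename, "file_size": size, "file_hash": file_hash}


def evidence_metadata_from_path(path: str, **options) -> Dict[str, Union[str, int]]:
    """Same as evidence_metadata, for a file on disk."""
    with open(path, "rb") as handle:
        return evidence_metadata(handle, os.path.basename(path), **options)


def verify_evidence(
    stream: BinaryIO, expected_hash: str, *, algorithm: str = "sha256", chunk_size: int = 1 << 20
) -> bool:
    """Re-hash a (downloaded) copy and compare it to the recorded file_hash in constant time."""
    actual, _ = _hash_stream(stream, algorithm, chunk_size)
    return hmac.compare_digest(actual.lower(), expected_hash.lower())


# Constructed sample content (3 bytes) standing in for an evidence file.
SAMPLE_EVIDENCE = b"abc"


def sample_metadata() -> Dict[str, Union[str, int]]:
    return evidence_metadata(io.BytesIO(SAMPLE_EVIDENCE), "sample.bin")


def verify_bytes(data: bytes, expected_hash: str) -> bool:
    return verify_evidence(io.BytesIO(data), expected_hash)
```

Because the same stream type is accepted by add_ds_file, the metadata can be computed from the file handle first (then `seek(0)`) before the upload, so the Datastore copy and the evidence record carry the same hash.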
- add_evidence_comment(evidence_id: int, comment: str, cid: int | None = None) ApiResponse
Adds a comment to an evidence.
- Parameters:
evidence_id – int - Evidence ID
comment – str - Comment
cid – int - Case ID
- Returns:
APIResponse object
- add_global_task(title: str, status: str | int, assignee: str | int, description: str | None = None, tags: list | None = None) ApiResponse
Adds a new task.
If they are strings, status and assignee are looked up before the request is issued. Both can be either a name or an ID. For performance, prefer an ID: it is used directly in the request without a prior lookup.
- Parameters:
title – Title of the task
description – Description of the task
assignee – Assignee ID or username
tags – Tags of the task
status – String or status ID; needs to be a valid status
- Returns:
APIResponse object
- add_ioc(value: str, ioc_type: str | int, description: str | None = None, ioc_tlp: str | int | None = None, ioc_tags: list | None = None, custom_attributes: dict | None = None, cid: int | None = None) ApiResponse
Adds an ioc to the target case id.
If they are strings, ioc_tlp and ioc_type are looked up before the request is issued. Both can be either a name or an ID. For performance, prefer an ID: IDs are used directly in the request without a prior lookup.
custom_attributes has no fixed structure at call time. This method cannot push a new attribute structure: the submitted structure must follow the one defined by administrators in the UI, otherwise it is ignored.
- Parameters:
value – Value of the IOC
ioc_type – Type of IOC, either name or type ID
description – Optional - Description of the IOC
ioc_tlp – TLP name or tlp ID. Default is orange
ioc_tags – List of tags to add
custom_attributes – Custom attributes of the ioc
cid – Case ID
- Returns:
APIResponse
- add_ioc_comment(ioc_id: int, comment: str, cid: int | None = None) ApiResponse
Adds a comment to an ioc.
- Parameters:
ioc_id – int - IOC ID
comment – str - Comment
cid – int - Case ID
- Returns:
APIResponse object
- add_note(note_title: str, note_content: str, group_id: int, custom_attributes: dict | None = None, cid: int | None = None) ApiResponse
Creates a new note. Case ID and group note ID need to match the case in which the note is stored.
custom_attributes has no fixed structure at call time. This method cannot push a new attribute structure: the submitted structure must follow the one defined by administrators in the UI, otherwise it is ignored.
- Parameters:
cid – Case ID
note_title – Title of the note
note_content – Content of the note
group_id – Target group to attach the note to
custom_attributes – Custom attributes of the note
- Returns:
APIResponse object
- add_note_comment(note_id: int, comment: str, cid: int | None = None) ApiResponse
Adds a comment to a note.
- Parameters:
note_id – int - Note ID
comment – str - Comment
cid – int - Case ID
- Returns:
APIResponse object
- add_notes_group(group_title: str | None = None, cid: int | None = None) ApiResponse
Creates a new notes group in the target cid case. Group_title can be an existing group, there is no uniqueness.
- Parameters:
cid – Case ID
group_title – Name of the group to add
- Returns:
APIResponse object
- add_task(title: str, status: str | int, assignees: List[str | int], description: str | None = None, tags: list | None = None, custom_attributes: dict | None = None, cid: int | None = None) ApiResponse
Adds a new task to the target case.
If they are strings, status and assignees are looked up before the request is issued. Both can be either a name or an ID. For performance, prefer an ID: IDs are used directly in the request without a prior lookup.
custom_attributes has no fixed structure at call time. This method cannot push a new attribute structure: the submitted structure must follow the one defined by administrators in the UI, otherwise it is ignored.
- Parameters:
title – Title of the task
description – Description of the task
assignees – List of assignees ID or username
cid – Case ID
tags – Tags of the task
status – String or status ID; needs to be a valid status
custom_attributes – Custom attributes of the task
- Returns:
APIResponse object
- add_task_comment(task_id: int, comment: str, cid: int | None = None) ApiResponse
Adds a comment to a task.
- Parameters:
task_id – int - Task ID
comment – str - Comment
cid – int - Case ID
- Returns:
APIResponse object
- add_task_log(message: str, cid: int | None = None) ApiResponse
Adds a new task log that will appear under activities
- Parameters:
message – Message to log
cid – Case ID
- Returns:
ApiResponse
- asset_exists(asset_id: int, cid: int | None = None) bool
Returns true if asset_id exists in the context of the current case or cid. This method is an overlay of get_asset and thus not performant.
- Parameters:
asset_id – Asset to lookup
cid – Case ID
- Returns:
True if exists else false
- case_id_exists(cid: int) bool
Checks if a case id is valid by probing the summary endpoint. This method returns true if the probe was successful. If False is returned it might not indicate the case doesn’t exist but might be the result of a request malfunction (server down, invalid API token, etc).
- Parameters:
cid – Case ID to check
- Returns:
True if case ID exists otherwise false
- close_case(case_id: int | None = None) ApiResponse
Closes a case based on its ID
- Parameters:
case_id – Case ID to close
- Returns:
ApiResponse
- delete_asset(asset_id: int, cid: int | None = None) ApiResponse
Deletes an asset identified by asset_id. CID must match the case in which the asset is stored.
- Parameters:
asset_id – ID of the asset to delete
cid – Case ID
- Returns:
APIResponse object
- delete_asset_comment(asset_id: int, comment_id: int, cid: int | None = None) ApiResponse
Deletes a comment of an asset.
- Parameters:
asset_id – int - Asset ID
comment_id – int - Comment ID
cid – int - Case ID
- Returns:
APIResponse object
- delete_case(cid: int | None = None) ApiResponse
- Deletes a case based on its ID. All objects associated with the case are deleted. This includes:
assets
iocs that are only referenced in this case
notes
summary
events
evidences
tasklogs
- Parameters:
cid – Case to delete
- Returns:
ApiResponse
- delete_ds_file(file_id: int, cid: int | None = None) ApiResponse
Deletes a file from the Datastore.
- Parameters:
file_id – int - File ID
cid – int - Case ID
- Returns:
APIResponse object
- delete_ds_folder(folder_id: int, cid: int | None = None) ApiResponse
Deletes a folder from the Datastore.
- Parameters:
folder_id – int - Folder ID
cid – int - Case ID
- Returns:
APIResponse object
- delete_event(event_id: int, cid: int | None = None) ApiResponse
Deletes an event from its ID. CID must match the case in which the event is stored
- Parameters:
event_id – Event to delete
cid – Case ID
- Returns:
APIResponse object
- delete_event_comment(event_id: int, comment_id: int, cid: int | None = None) ApiResponse
Deletes a comment of an event.
- Parameters:
event_id – int - Event ID
comment_id – int - Comment ID
cid – int - Case ID
- Returns:
APIResponse object
- delete_evidence(evidence_id: int, cid: int | None = None)
Deletes an evidence from its ID. evidence_id needs to be an existing evidence in the target case.
- Parameters:
evidence_id – int - Evidence to delete
cid – int - Case ID
- Returns:
APIResponse object
- delete_evidence_comment(evidence_id: int, comment_id: int, cid: int | None = None) ApiResponse
Deletes a comment of an evidence.
- Parameters:
evidence_id – int - Evidence ID
comment_id – int - Comment ID
cid – int - Case ID
- Returns:
APIResponse object
- delete_global_task(task_id: int) ApiResponse
Deletes a global task from its ID. task_id needs to be an existing task in the database.
- Parameters:
task_id – int - Task to delete
- Returns:
APIResponse object
- delete_ioc(ioc_id: int, cid: int | None = None) ApiResponse
Deletes an IOC from its ID. CID must match the case in which the ioc is stored.
- Parameters:
ioc_id – ID of the ioc
cid – Case ID
- Returns:
APIResponse object
- delete_ioc_comment(ioc_id: int, comment_id: int, cid: int | None = None) ApiResponse
Deletes a comment of an ioc.
- Parameters:
ioc_id – int - IOC ID
comment_id – int - Comment ID
cid – int - Case ID
- Returns:
APIResponse object
- delete_note(note_id: int, cid: int | None = None) ApiResponse
Deletes a note. note_id needs to be a valid existing note in the target case.
- Parameters:
cid – Case ID
note_id – ID of the note to delete
- Returns:
APIResponse object
- delete_note_comment(note_id: int, comment_id: int, cid: int | None = None) ApiResponse
Deletes a comment of a note.
- Parameters:
note_id – int - Note ID
comment_id – int - Comment ID
cid – int - Case ID
- Returns:
APIResponse object
- delete_notes_group(group_id: int, cid: int | None = None) ApiResponse
- Deletes a notes group. All notes in the target group are deleted! There is no way to get the notes back.
Case ID needs to match the case where the group is stored.
- Parameters:
cid – Case ID
group_id – ID of the group
- Returns:
APIResponse object
- delete_task(task_id: int, cid: int | None = None) ApiResponse
Deletes a task from its ID. CID must match the case in which the task is stored.
- Parameters:
task_id – Task to delete
cid – Case ID
- Returns:
APIResponse object
- delete_task_comment(task_id: int, comment_id: int, cid: int | None = None) ApiResponse
Deletes a comment of a task.
- Parameters:
task_id – int - Task ID
comment_id – int - Comment ID
cid – int - Case ID
- Returns:
APIResponse object
- download_activity_report(report_id: int, cid: int | None = None) Response
Download an activity report.
- Parameters:
report_id – int - ID of the template report
cid – int - Case ID
- Returns:
Flask Response object
- download_ds_file(file_id: int, cid: int | None = None) Response
Downloads a file from the Datastore.
- Parameters:
file_id – int - File ID
cid – int - Case ID
- Returns:
APIResponse object
- download_investigation_report(report_id: int, cid: int | None = None) Response
Download an investigation report.
- Parameters:
report_id – int - ID of the template report
cid – int - Case ID
- Returns:
Flask Response object
- filter_events(filter_str: dict | None = None, cid: int | None = None) ApiResponse
Returns a list of events from the timeline, filtered with the same query types used in the UI.
- Parameters:
filter_str – Filter the timeline as in the UI
cid – Case ID
- Returns:
APIResponse object
- get_asset(asset_id: int, cid: int | None = None) ApiResponse
Returns an asset’s information from its ID.
- Parameters:
asset_id – ID of the asset to fetch
cid – Case ID
- Returns:
APIResponse object
- get_case(cid: int) ApiResponse
Gets an existing case from its ID
- Parameters:
cid – CaseID to fetch
- Returns:
ApiResponse object
- get_ds_file_info(file_id: int, cid: int | None = None) ApiResponse
Returns information about a file in the Datastore.
- Parameters:
file_id – int - File ID
cid – int - Case ID
- Returns:
APIResponse object
- get_event(event_id: int, cid: int | None = None) ApiResponse
Returns an event from the timeline
- Parameters:
event_id – ID of the event to fetch
cid – Case ID
- Returns:
APIResponse object
- get_evidence(evidence_id: int, cid: int | None = None) ApiResponse
Returns an evidence from its ID. evidence_id needs to be an existing evidence in the target case.
- Parameters:
evidence_id – Evidence ID to lookup
cid – Case ID
- Returns:
APIResponse object
- get_global_task(task_id: int) ApiResponse
Returns a global task from its ID.
- Parameters:
task_id – Task ID to lookup
- Returns:
APIResponse object
- get_ioc(ioc_id: int, cid: int | None = None) ApiResponse
Returns an IOC. ioc_id needs to be an existing ioc in the provided case ID.
- Parameters:
ioc_id – IOC ID
cid – Case ID
- Returns:
APIResponse object
- get_note(note_id: int, cid: int | None = None) ApiResponse
Fetches a note. note_id needs to be a valid existing note in the target case.
- Parameters:
cid – Case ID
note_id – ID of the note to fetch
- Returns:
APIResponse object
- get_notes_group(group_id: int, cid: int | None = None) ApiResponse
Returns a notes group based on its ID. The group ID needs to match the CID where it is stored.
- Parameters:
group_id – Group ID to fetch
cid – Case ID (Default value = None)
- Returns:
APIResponse object
- get_summary(cid: int | None = None) ApiResponse
Returns the summary of the specified case id.
- Parameters:
cid – Case ID (Default value = None)
- Returns:
APIResponse object
- get_task(task_id: int, cid: int | None = None) ApiResponse
Returns a task from its ID. task_id needs to be a valid task in the target case.
- Parameters:
task_id – Task ID to lookup
cid – Case ID
- Returns:
APIResponse object
- list_asset_comments(asset_id: int, cid: int | None = None) ApiResponse
List comments of an asset.
- Parameters:
asset_id – int - Asset ID
cid – int - Case ID
- Returns:
APIResponse object
- list_assets(cid: int | None = None) ApiResponse
Returns a list of all assets of the target case.
- Parameters:
cid – int - Case ID
- Returns:
APIResponse
- list_cases() ApiResponse
Returns a list of all the cases
- Returns:
ApiResponse
- list_ds_tree(cid: int | None = None) ApiResponse
Returns the tree of the Datastore
- Parameters:
cid – Case ID
- Returns:
APIResponse object
- list_event_comments(event_id: int, cid: int | None = None) ApiResponse
List comments of an event.
- Parameters:
event_id – int - Event ID
cid – int - Case ID
- Returns:
APIResponse object
- list_events(filter_by_asset: int = 0, cid: int | None = None) ApiResponse
Returns a list of events from the timeline. filter_by_asset can be used to return only the events linked to a specific asset. In case the asset doesn’t exist, an empty timeline is returned.
- Parameters:
filter_by_asset – Select the timeline of a specific asset by setting an existing asset ID
cid – Case ID
- Returns:
APIResponse object
- list_evidence_comments(evidence_id: int, cid: int | None = None) ApiResponse
List comments of an evidence.
- Parameters:
evidence_id – int - Evidence ID
cid – int - Case ID
- Returns:
APIResponse object
- list_evidences(cid: int | None = None) ApiResponse
Returns a list of evidences.
- Parameters:
cid – Case ID
- Returns:
ApiResponse object
- list_global_tasks() ApiResponse
Returns a list of all global tasks.
- Returns:
ApiResponse object
- list_ioc_comments(ioc_id: int, cid: int | None = None) ApiResponse
List comments of an ioc.
- Parameters:
ioc_id – int - IOC ID
cid – int - Case ID
- Returns:
APIResponse object
- list_iocs(cid: int | None = None) ApiResponse
Returns a list of all iocs of the target case.
- Parameters:
cid – Case ID
- Returns:
APIResponse
- list_note_comments(note_id: int, cid: int | None = None) ApiResponse
List comments of a note.
- Parameters:
note_id – int - Note ID
cid – int - Case ID
- Returns:
APIResponse object
- list_notes_groups(cid: int | None = None) ApiResponse
Returns a list of notes groups of the target cid case
- Parameters:
cid – Case ID (Default value = None)
- Returns:
APIResponse object
- list_task_comments(task_id: int, cid: int | None = None) ApiResponse
List comments of a task.
- Parameters:
task_id – int - Task ID
cid – int - Case ID
- Returns:
APIResponse object
- list_tasks(cid: int | None = None) ApiResponse
Returns a list of tasks linked to the provided case.
- Parameters:
cid – Case ID
- Returns:
ApiResponse object
- move_ds_file(file_id: int, parent_id: int, cid: int | None = None) ApiResponse
Moves a file from one folder to another.
- Parameters:
file_id – int - File ID
parent_id – int - New parent ID
cid – int - Case ID
- Returns:
APIResponse object
- move_ds_folder(folder_id: int, parent_id: int, cid: int | None = None) ApiResponse
Moves a folder from one folder to another.
- Parameters:
folder_id – int - Folder ID
parent_id – int - New parent ID
cid – int - Case ID
- Returns:
APIResponse object
- rename_ds_folder(folder_id: int, new_name: str, cid: int | None = None) ApiResponse
Renames a folder in the Datastore.
- Parameters:
folder_id – int - Folder ID
new_name – str - New name
cid – int - Case ID
- Returns:
APIResponse object
- reopen_case(case_id: int | None = None) ApiResponse
Reopens a case based on its ID
- Parameters:
case_id – Case ID to open
- Returns:
ApiResponse
- search_notes(search_term: str, cid: int | None = None) ApiResponse
- Searches in notes. Case ID and group note ID need to match the case in which the notes are stored.
Only the titles and note IDs of the matching notes are returned, not the actual content. Use % as a wildcard.
- Parameters:
cid – int - Case ID
search_term – str - Term to search in notes
- Returns:
APIResponse object
- set_case_outcome_status(outcome_status: str | int, case_id: int | None = None) ApiResponse
Sets the outcome status of a case
- Parameters:
case_id – ID of the case to update
outcome_status – Outcome status to set
- Returns:
ApiResponse object
- set_cid(cid: int) bool
Sets the current cid for the Case instance. It can be overridden by passing cid to each method, though this is not recommended, for consistency.
- Parameters:
cid – Case ID
- Returns:
Always true
- set_summary(summary_content: str | None = None, cid: int | None = None) ApiResponse
Sets the summary of the specified case id.
- !!! warning
This completely replaces the current content of the summary. Any co-worker working on the summary receives an overwrite order from the server, delivered immediately over the web socket. This method should probably only be used when setting up a new case.
- Parameters:
summary_content – Content of the summary to push. This will completely replace the current content (Default value = None)
cid – Case ID (Default value = None)
- Returns:
APIResponse object
- trigger_manual_hook(hook_ui_name: str, module_name: str, targets: list, target_type: str, cid: int | None = None) ApiResponse
Triggers a module hook call. These can only be used with manual hooks. The request is sent to the target module and processed asynchronously. The server replies immediately after queuing the task, so a success reply from this endpoint does not imply that the hook processing was successful.
- Parameters:
hook_ui_name – Hook name, as defined by the module on the UI
module_name – Module associated with the hook name
targets – List of IDs of objects to be processed
target_type – Target type of targets
cid – Case ID
- Returns:
ApiResponse object
- update_asset(asset_id: int, name: str | None = None, asset_type: str | int | None = None, tags: List[str] | None = None, analysis_status: str | int | None = None, description: str | None = None, domain: str | None = None, ip: str | None = None, additional_info: str | None = None, ioc_links: List[int] | None = None, compromise_status: str | int | None = None, custom_attributes: dict | None = None, cid: int | None = None, no_sync=False, **kwargs) ApiResponse
Updates an asset. asset_id needs to be an existing asset in the target case cid.
If they are strings, asset_type and analysis_status are looked up before the request is issued. Both can be either a name or an ID. For performance, prefer an ID: IDs are used directly in the request without a prior lookup.
custom_attributes has no fixed structure at call time. This method cannot push a new attribute structure: the submitted structure must follow the one defined by administrators in the UI, otherwise it is ignored.
- Parameters:
asset_id – ID of the asset to update
name – Name of the asset
asset_type – Name or ID of the asset type
tags – List of tags
description – Description of the asset
domain – Domain of the asset
ip – IP of the asset
additional_info – Additional information
analysis_status – Status of the analysis
ioc_links – List of IOC to link to this asset
compromise_status – Status of the compromise
custom_attributes – Custom attributes of the asset
cid – Case ID
- Returns:
APIResponse
- update_asset_comment(asset_id: int, comment_id: int, comment: str, cid: int | None = None) ApiResponse
Updates a comment of an asset.
- Parameters:
asset_id – int - Asset ID
comment_id – int - Comment ID
comment – str - Comment
cid – int - Case ID
- Returns:
APIResponse object
- update_case(case_id: int | None = None, case_name: str | None = None, case_description: str | None = None, case_classification: str | int | None = None, case_owner: str | int | None = None, soc_id: str | None = None, case_tags: List[str] | None = None, custom_attributes: dict | None = None) ApiResponse
Updates an existing case. If create_customer is set to true and the customer doesn’t exist, it is created. Otherwise, an error is returned.
custom_attributes has no fixed structure at call time. This method cannot push a new attribute structure: the submitted structure must follow the one defined by administrators in the UI, otherwise it is ignored.
If a value is not provided, it is not updated.
- Parameters:
case_id – ID of the case to update
case_name – case_name
case_description – Description of the case
case_classification – Classification of the case
case_tags – List of tags to add to the case
case_owner – Name or ID of the owner
soc_id – SOC Number
custom_attributes – Custom attributes of the case
- Returns:
ApiResponse object
- update_ds_file(file_id: int, file_name: str | None = None, file_description: str | None = None, file_is_ioc: bool = False, file_is_evidence: bool = False, file_password: str | None = None, file_tags: list[str] | None = None, cid: int | None = None) ApiResponse
Updates a file in the Datastore.
- Parameters:
file_id – int - File ID
file_name – str - File name
file_description – str - File description
file_is_ioc – bool - Is the file an IOC
file_is_evidence – bool - Is the file an evidence
file_password – str - File password
file_tags – list[str] - File tags
cid – int - Case ID
- Returns:
APIResponse object
- update_event(event_id: int, title: str = None, date_time: datetime = None, content: str = None, raw_content: str = None, source: str = None, linked_assets: list = None, linked_iocs: list = None, category: int | str = None, tags: list = None, color: str = None, display_in_graph: bool = None, display_in_summary: bool = None, custom_attributes: dict = None, cid: int = None, timezone_string: str = None, sync_ioc_with_assets: bool = False) ApiResponse
Updates an event of the timeline. event_id needs to be an existing event in the target case.
If it is a string, category is looked up before the request is issued. It can be either a name or an ID. For performance, prefer an ID: it is used directly in the request without a prior lookup.
custom_attributes has no fixed structure at call time. This method cannot push a new attribute structure: the submitted structure must follow the one defined by administrators in the UI, otherwise it is ignored.
- Parameters:
event_id – Event ID to update
title – Title of the event
date_time – Datetime of the event, including timezone
content – Content of the event (displayed in timeline on GUI)
raw_content – Raw content of the event (displayed in detailed event on GUI)
source – Source of the event
linked_assets – List of assets to link with this event
linked_iocs – List of IOCs to link with this event
category – Category of the event (MITRE ATT&CK)
color – Left border of the event in the timeline
display_in_graph – Set to true to display in graph page - Defaults to true
display_in_summary – Set to true to display in Summary - Defaults to false
tags – A list of strings to add as tags
custom_attributes – Custom attributes of the event
timezone_string – Timezone in format +XX:XX or -XX:XX. If none, +00:00 is used
sync_ioc_with_assets – Set to true to sync the IOC with the assets
cid – Case ID
- Returns:
APIResponse object
- update_event_comment(event_id: int, comment_id: int, comment: str, cid: int | None = None) ApiResponse
Updates a comment of an event.
- Parameters:
event_id – int - Event ID
comment_id – int - Comment ID
comment – str - Comment
cid – int - Case ID
- Returns:
APIResponse object
- update_evidence(evidence_id: int, filename: str | None = None, file_size: int | None = None, description: str | None = None, file_hash: str | None = None, custom_attributes: dict | None = None, cid: int | None = None) ApiResponse
Updates an evidence of the matching case. evidence_id needs to be an existing evidence in the target case.
custom_attributes has no fixed structure at call time. This method cannot push a new attribute structure: the submitted structure must follow the one defined by administrators in the UI, otherwise it is ignored.
- Parameters:
evidence_id – ID of the evidence
filename – name of the evidence
file_size – Size of the file
description – Description of the evidence
file_hash – hash of the evidence
custom_attributes – custom attributes of the evidences
cid – Case ID
- Returns:
APIResponse object
- update_evidence_comment(evidence_id: int, comment_id: int, comment: str, cid: int | None = None) ApiResponse
Updates a comment of an evidence.
- Parameters:
evidence_id – int - Evidence ID
comment_id – int - Comment ID
comment – str - Comment
cid – int - Case ID
- Returns:
APIResponse object
- update_global_task(task_id: int, title: str | None = None, status: str | int | None = None, assignee: str | int | None = None, description: str | None = None, tags: list | None = None) ApiResponse
Updates a global task. task_id needs to be an existing task in the database.
If they are strings, status and assignee are looked up before the request is issued. Both can be either a name or an ID. For performance, prefer an ID, as IDs are used directly in the request without a prior lookup.
- Parameters:
task_id – ID of the task to update
title – Title of the task
description – Description of the task
assignee – Assignee ID or assignee username
tags – Tags of the task
status – Status name or ID; must be a valid status
- Returns:
APIResponse object
- update_ioc(ioc_id: int, value: str | None = None, ioc_type: str | int | None = None, description: str | None = None, ioc_tlp: str | int | None = None, ioc_tags: list | None = None, custom_attributes: dict | None = None, cid: int | None = None) ApiResponse
Updates an existing IOC. ioc_id needs to be an existing IOC in the provided case ID.
If they are strings, ioc_tlp and ioc_type are looked up before the request is issued. Both can be either a name or an ID. For performance, prefer an ID, as IDs are used directly in the request without a prior lookup.
custom_attributes has no fixed structure at the time of the call. This method cannot push a new attribute structure: the submitted structure must follow the one defined by administrators in the UI, otherwise it is ignored.
- Parameters:
ioc_id – IOC ID to update
value – Value of the IOC
ioc_type – Type of the IOC, either a type name or a type ID
description – Description of the IOC
ioc_tlp – TLP name or TLP ID. Default is orange
ioc_tags – List of tags to add
custom_attributes – Custom attributes of the IOC
cid – Case ID
- Returns:
APIResponse object
- update_ioc_comment(ioc_id: int, comment_id: int, comment: str, cid: int | None = None) ApiResponse
Updates a comment on an IOC.
- Parameters:
ioc_id – int - IOC ID
comment_id – int - Comment ID
comment – str - Comment
cid – int - Case ID
- Returns:
APIResponse object
- update_note(note_id: int, note_title: str | None = None, note_content: str | None = None, custom_attributes: dict | None = None, cid: int | None = None) ApiResponse
Updates a note. note_id needs to be a valid existing note in the target case. Only the content of the fields that are set is replaced.
custom_attributes has no fixed structure at the time of the call. This method cannot push a new attribute structure: the submitted structure must follow the one defined by administrators in the UI, otherwise it is ignored.
- Parameters:
cid – Case ID
note_id – ID of the note to update
note_content – Content of the note
note_title – Title of the note
custom_attributes – Custom attributes of the note
- Returns:
APIResponse object
- update_note_comment(note_id: int, comment_id: int, comment: str, cid: int | None = None) ApiResponse
Updates a comment on a note.
- Parameters:
note_id – int - Note ID
comment_id – int - Comment ID
comment – str - Comment
cid – int - Case ID
- Returns:
APIResponse object
- update_notes_group(group_id: int, group_title: str, cid: int | None = None) ApiResponse
Updates a notes group in the target case (cid). group_id needs to be an existing group in the target case. group_title may match the title of an existing group; titles are not required to be unique.
- Parameters:
cid – Case ID
group_id – Group ID to update
group_title – Name of the group
- Returns:
APIResponse object
- update_task(task_id: int, title: str | None = None, status: str | int | None = None, assignees: List[str | int] | None = None, description: str | None = None, tags: list | None = None, custom_attributes: dict | None = None, cid: int | None = None) ApiResponse
Updates a task. task_id needs to be a valid task in the target case.
If they are strings, status and assignees are looked up before the request is issued. Both can be either a name or an ID. For performance, prefer an ID, as IDs are used directly in the request without a prior lookup.
custom_attributes has no fixed structure at the time of the call. This method cannot push a new attribute structure: the submitted structure must follow the one defined by administrators in the UI, otherwise it is ignored.
- Parameters:
task_id – ID of the task to update
title – Title of the task
description – Description of the task
assignees – List of assignee IDs or assignee usernames
cid – Case ID
tags – Tags of the task
status – Status name or ID; must be a valid status
custom_attributes – Custom attributes of the task
- Returns:
APIResponse object
- update_task_comment(task_id: int, comment_id: int, comment: str, cid: int | None = None) ApiResponse
Updates a comment on a task.
- Parameters:
task_id – int - Task ID
comment_id – int - Comment ID
comment – str - Comment
cid – int - Case ID
- Returns:
APIResponse object