Hachi

Gem Version Build Status Coverage Status CodeFactor

Hachi() is a dead simple TheHive API wrapper for Ruby.

Installation

gem install hachi

Usage

require "hachi"

# when given nothing, it tries to load your API key from ENV["THEHIVE_API_KEY"] & API endpoint from ENV["THEHIVE_API_ENDPOINT"]
api = Hachi::API.new
# or you can set them manually
api = Hachi::API.new(api_endpoint: "http://your_api_endpoint", api_key: "yoru_api_key")

# list alerts
api.alert.list

# search atrifacts
api.artifact.search(data: "1.1.1.1", data_type: "ip")
# you can do a bulk search by giving an array as an input
api.artifact.search(data: %w(1.1.1.1 8.8.8.8 github.com))

See samples for more.

Implemented methods

Alert

HTTP Method URI Action API method
GET /api/alert List alerts #api.alert.list
POST /api/alert/_search Find alerts #api.alert.search(attributes, range: "all")
PATCH /api/alert/_bulk Update alerts in bulk N/A
POST /api/alert/_stats Compute stats on alerts N/A
POST /api/alert Create an alert #api.alert.create(title:, description:, severity: nil, date: nil, tags: nil, tlp: nil, status: nil, type:, source:, source_ref: nil, artifacts: nil, follow: nil)
GET /api/alert/:alertId Get an alert #api.alert.get_by_id(id)
PATCH /api/alert/:alertId Update an alert #api.alert.update(id, title:, description:, severity: nil, tags: nil, tlp: nil, artifacts: nil)
DELETE /api/alert/:alertId Delete an alert #api.alert.delete_by_id(id)
POST /api/alert/:alertId/markAsRead Mark an alert as read #api.alert.mark_as_read(id)
POST /api/alert/:alertId/markAsUnread Mark an alert as unread #api.alert.mark_as_unread(id)
POST /api/alert/:alertId/createCase Create a case from an alert #api.alert.promote_to_case(id)
POST /api/alert/:alertId/follow Follow an alert N/A
POST /api/alert/:alertId/unfollow Unfollow an alert N/A
POST /api/alert/:alertId/merge/:caseId Merge an alert in a case #api.alert.merge_into_case(*ids, case_id)

Artifact(Observable)

HTTP Method URI Action API method
POST /api/case/artifact/_search Find observables #api.artifact.search(attributes, range: "all")
POST /api/case/artifact/_stats Compute stats on observables N/A
POST /api/case/:caseId/artifact Create an observable #api.artifact.create(case_id, data:, data_type:, message: nil, tlp: nil, tags: nil)
GET /api/case/artifact/:artifactId Get an observable #api.artifact.get_by_id(id)
DELETE /api/case/artifact/:artifactId Remove an observable #api.artifact.delete_by_id(id)
PATCH /api/case/artifact/:artifactId Update an observable N/A
GET /api/case/artifact/:artifactId/similar Get list of similar observables #api.artifact.similar(id)
PATCH /api/case/artifact/_bulk Update observables in bulk N/A

Case

HTTP Method URI Action API method
GET /api/case List cases #api.case.list
POST /api/case/_search Find cases #api.case.search(attributes, range: "all")
PATCH /api/case/_bulk Update cases in bulk N/A
POST /api/case/_stats Compute stats on cases N/A
POST /api/case Create a case #api.case.create(title:, description:, severity: nil, start_date: nil, owner: nil, flag: nil, tlp: nil, tags: nil)
GET /api/case/:caseId Get a case #api.case.get_by_id(id)
PATCH /api/case/:caseId Update a case N/A
DELETE /api/case/:caseId Remove a case #api.case.delete_by_id(id)
GET /api/case/:caseId/links Get list of cases linked to this case #api.case.links(id)
POST /api/case/:caseId1/_merge/:caseId2 Merge two cases #api.case.merge(id1, id2)

User

HTTP Method URI Action API method
GET /api/logout Logout N/A
POST /api/login User login N/A
GET /api/user/current Get current user #api.user.current
POST /api/user/_search Find user N/A
POST /api/user Create a user #api.user.create(login:, name:, roles:, password:)
GET /api/user/:userId Get a user #api.user.get_by_id(id)
DELETE /api/user/:userId Delete a case #api.user.delete_by_id(id)
PATCH /api/user/:userId Update user details N/A
POST /api/user/:userId/password/set Set password N/A
POST /api/user/:userId/password/change Change password N/A

License

The gem is available as open source under the terms of the MIT License.