Hachi
Hachi(蜂
) is a dead simple TheHive API wrapper for Ruby.
Installation
gem install hachi
Usage
require "hachi"
# when given nothing, it tries to load your API key from ENV["THEHIVE_API_KEY"] & API endpoint from ENV["THEHIVE_API_ENDPOINT"]
api = Hachi::API.new
# or you can set them manually
api = Hachi::API.new(api_endpoint: "http://your_api_endpoint", api_key: "yoru_api_key")
# list alerts
api.alert.list
# search atrifacts
api.artifact.search(data: "1.1.1.1", data_type: "ip")
# you can do a bulk search by giving an array as an input
api.artifact.search(data: %w(1.1.1.1 8.8.8.8 github.com))
See samples
for more.
Implemented methods
Alert
HTTP Method | URI | Action | API method |
---|---|---|---|
GET | /api/alert | List alerts | #api.alert.list |
POST | /api/alert/_search | Find alerts | #api.alert.search(attributes:, range: "all") |
PATCH | /api/alert/_bulk | Update alerts in bulk | N/A |
POST | /api/alert/_stats | Compute stats on alerts | N/A |
POST | /api/alert | Create an alert | #api.alert.create(title:, description:, severity: nil, date: nil, tags: nil, tlp: nil, status: nil, type:, source:, source_ref: nil, artifacts: nil, follow: nil) |
GET | /api/alert/:alertId | Get an alert | #api.alert.get_by_id(id) |
PATCH | /api/alert/:alertId | Update an alert | N/A |
DELETE | /api/alert/:alertId | Delete an alert | #api.alert.delete_by_id(id) |
POST | /api/alert/:alertId/markAsRead | Mark an alert as read | N/A |
POST | /api/alert/:alertId/markAsUnread | Mark an alert as unread | N/A |
POST | /api/alert/:alertId/createCase | Create a case from an alert | N/A |
POST | /api/alert/:alertId/follow | Follow an alert | N/A |
POST | /api/alert/:alertId/unfollow | Unfollow an alert | N/A |
POST | /api/alert/:alertId/merge/:caseId | Merge an alert in a case | N/A |
Artifact(Observable)
HTTP Method | URI | Action | API method |
---|---|---|---|
POST | /api/case/artifact/_search | Find observables | #api.artifact.search(attributes, range: "all") |
POST | /api/case/artifact/_stats | Compute stats on observables | N/A |
POST | /api/case/:caseId/artifact | Create an observable | #api.artifact.create(case_id, data:, data_type:, message: nil, tlp: nil, tags: nil) |
GET | /api/case/artifact/:artifactId | Get an observable | #api.artifact.get_by_id(id) |
DELETE | /api/case/artifact/:artifactId | Remove an observable | #api.artifact.delete_by_id(id) |
PATCH | /api/case/artifact/:artifactId | Update an observable | N/A |
GET | /api/case/artifact/:artifactId/similar | Get list of similar observables | #api.artifact.similar(id) |
PATCH | /api/case/artifact/_bulk | Update observables in bulk | N/A |
Case
HTTP Method | URI | Action | API method |
---|---|---|---|
GET | /api/case | List cases | #api.case.list |
POST | /api/case/_search | Find cases | #api.case.search(attributes, range: "all") |
PATCH | /api/case/_bulk | Update cases in bulk | N/A |
POST | /api/case/_stats | Compute stats on cases | N/A |
POST | /api/case | Create a case | #api.case.create(title:, description:, severity: nil, start_date: nil, owner: nil, flag: nil, tlp: nil, tags: nil) |
GET | /api/case/:caseId | Get a case | #api.case.get_by_id(id) |
PATCH | /api/case/:caseId | Update a case | N/A |
DELETE | /api/case/:caseId | Remove a case | #api.case.delete_by_id(id) |
GET | /api/case/:caseId/links | Get list of cases linked to this case | #api.case.links(id) |
POST | /api/case/:caseId1/_merge/:caseId2 | Merge two cases | N/A |
License
The gem is available as open source under the terms of the MIT License.