
Feed Manager API for CB ThreatHunter

WARNING: This is a legacy document, please view the latest version here.

Feed API Definition
Note: <psc-hostname> is the parent URL for your PSC instance.

Healthcheck

A successful response indicates that the service is reachable.

Request

GET <psc-hostname>/threathunter/feedmgr/healthcheck

Responses

Code  Description           Content-Type  Content
204   Service is available  -             None

Create a new feed

Create a new feed. A unique feed ID is assigned by the service.
All IOCs will be converted to IOC_V2. The feed will be owned by the caller. If feedinfo.access is public, the feed will be available to all organizations.

Request

POST <psc-hostname>/threathunter/feedmgr/v1/feed
Content-Type      Content
application/json  Feed object

Responses

Code  Description           Content-Type      Content
200   Feed created          application/json  FeedInfo
400   Invalid feed request  -                 None

Get all feeds

Retrieve all feeds owned by the caller. Provide the include_public=true query parameter to also include public community feeds.

Request

GET <psc-hostname>/threathunter/feedmgr/v1/feed

Responses

Code  Description     Content-Type      Content
200   Array of feeds  application/json  {"results": [Feed]}

Get Specific Feed

Retrieve feed with feed_id. This feed must be owned by the caller.

Request

GET <psc-hostname>/threathunter/feedmgr/v1/feed/(feed_id)

Responses

Code  Description  Content-Type      Content
200   Feed         application/json  Feed

Delete Feed

Delete feed with feed_id. This feed must be owned by the caller.

Request

DELETE <psc-hostname>/threathunter/feedmgr/v1/feed/(feed_id)

Responses

Code  Description   Content-Type  Content
204   Feed deleted  -             None
400   Unknown feed  -             None

Get Feed Info

Retrieve feed info metadata for feed with feed_id. This feed must be owned by the caller.

Request

GET <psc-hostname>/threathunter/feedmgr/v1/feed/(feed_id)/feedinfo

Responses

Code  Description  Content-Type      Content
200   Feed info    application/json  FeedInfo

Update Feed Info

Update feed info metadata for feed with feed_id. This feed must be owned by the caller.

Request

PUT <psc-hostname>/threathunter/feedmgr/v1/feed/(feed_id)/feedinfo
Content-Type      Content
application/json  FeedInfo

Responses

Code  Description           Content-Type      Content
200   Feed info updated     application/json  FeedInfo
400   Invalid feed request  -                 None

Get Threat Reports

Retrieve all the reports for feed with feed_id. Feed must be owned by the caller.

Request

GET <psc-hostname>/threathunter/feedmgr/v1/feed/(feed_id)/report

Responses

Code  Description    Content-Type      Content
200   Reports array  application/json  {"results": [Report]}

Replace Reports

Replace reports for feed ID. All IOCs will be converted to IOC_V2. Any existing reports not in the payload will be deleted. Feed must be owned by the caller.

Request

POST <psc-hostname>/threathunter/feedmgr/v1/feed/(feed_id)/report
Content-Type      Content
application/json  {"reports": [Report]}

Responses

Code  Description  Content-Type      Content
200   Success      application/json  {"success": boolean*}
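Because this endpoint replaces the whole report list, posting only the reports you changed deletes every other report on the feed. The following helper, added here as an example and not part of the Feed Manager service or its client libraries, takes the reports currently on a feed (as returned by GET .../report) plus the reports you intend to add or update, builds a payload that keeps the rest, and reports exactly which IDs a given payload would drop. The report objects are constructed sample data carrying only the required Report fields from the Definitions section.

```python
"""Plan a Replace Reports call without silently dropping reports.

POST .../feed/(feed_id)/report replaces the feed's report list: any existing
report not present in the payload is deleted. This helper merges the desired
changes over the current reports and makes the deletions explicit.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set


@dataclass
class ReplacePlan:
    payload: Dict[str, List[dict]]            # body for POST .../report: {"reports": [...]}
    added: Set[str] = field(default_factory=set)      # IDs not on the feed before
    updated: Set[str] = field(default_factory=set)    # IDs already on the feed, replaced
    preserved: Set[str] = field(default_factory=set)  # untouched IDs carried over


def plan_report_replace(existing: Iterable[dict], changes: Iterable[dict],
                        keep_others: bool = True) -> ReplacePlan:
    """Build the payload for a replace call.

    `existing` is the current report list, `changes` the reports to add or
    update. With keep_others=True every existing report not in `changes` is
    carried over unchanged, so the POST updates without deleting.
    """
    by_id = {r["id"]: r for r in existing}
    plan = ReplacePlan(payload={"reports": []})
    seen: Set[str] = set()
    for rep in changes:
        rid = rep["id"]
        if rid in seen:
            # Two reports with the same id in one payload is almost always a bug.
            raise ValueError(f"duplicate report id in changes: {rid}")
        seen.add(rid)
        (plan.updated if rid in by_id else plan.added).add(rid)
        plan.payload["reports"].append(rep)
    if keep_others:
        for rid, rep in by_id.items():
            if rid not in seen:
                plan.payload["reports"].append(rep)
                plan.preserved.add(rid)
    return plan


def reports_dropped_by(existing: Iterable[dict], payload: Dict[str, List[dict]]) -> Set[str]:
    """IDs of existing reports that a POST of `payload` would delete."""
    return {r["id"] for r in existing} - {r["id"] for r in payload["reports"]}


# Constructed sample data (required Report fields only; not real feed content).
EXISTING_REPORTS = [
    {"id": "rpt-001", "timestamp": 1544140800, "title": "First sample report",
     "description": "constructed", "severity": 3},
    {"id": "rpt-002", "timestamp": 1544140800, "title": "Second sample report",
     "description": "constructed", "severity": 5},
]
CHANGES = [
    {"id": "rpt-002", "timestamp": 1544227200, "title": "Second sample report",
     "description": "severity raised", "severity": 8},
    {"id": "rpt-003", "timestamp": 1544227200, "title": "Third sample report",
     "description": "constructed", "severity": 2},
]

if __name__ == "__main__":
    plan = plan_report_replace(EXISTING_REPORTS, CHANGES)
    print("would drop if posting only CHANGES:",
          sorted(reports_dropped_by(EXISTING_REPORTS, {"reports": CHANGES})))
    print("merged payload drops:", sorted(reports_dropped_by(EXISTING_REPORTS, plan.payload)))
    print("added:", sorted(plan.added), "updated:", sorted(plan.updated),
          "preserved:", sorted(plan.preserved))
```

A sensible workflow is GET the current reports, run plan_report_replace, inspect reports_dropped_by on the payload you are about to send, and only then POST it; if the set is non-empty and unexpected, you have just avoided an accidental deletion.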

Get Report

Return report with report_id for feed. Feed must be owned by the caller.

Request

GET <psc-hostname>/threathunter/feedmgr/v1/feed/(feed_id)/report/(report_id)

Responses

Code  Description  Content-Type      Content
200   Report       application/json  [Report]

Update Report

Update report with report_id for feed. All IOCs will be converted to IOC_V2. Feed must be owned by the caller.

Request

PUT <psc-hostname>/threathunter/feedmgr/v1/feed/(feed_id)/report/(report_id)
Content-Type      Content
application/json  [Report]

Responses

Code  Description  Content-Type      Content
200   Report       application/json  Report

Delete report

Delete report with report_id for feed. Feed must be owned by the caller.

Request

DELETE <psc-hostname>/threathunter/feedmgr/v1/feed/(feed_id)/report/(report_id)

Responses

Code  Description     Content-Type  Content
204   Report deleted  -             None

Convert Legacy Query

Convert a CB Response query to a ThreatHunter query. This adjusts field names and other syntax to match ThreatHunter Solr requirements.

Request

POST <psc-hostname>/threathunter/feedmgr/v1/query/translate
Legacy query

Content-Type      Content
application/json  {"query": str*}

Responses

Code  Description                                         Content-Type      Content
200   Translated query                                    application/json  {"query": str*}
400   Unable to convert query due to incompatible fields  -                 None
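The endpoints above share one shape: a base path of <psc-hostname>/threathunter/feedmgr, path parameters (feed_id, report_id) spliced into the route, JSON bodies, and 204/400 status codes that carry no content. The client below is an added example and not Carbon Black's own client; it assumes an authentication header named X-Auth-Token (the page does not document how requests are authenticated), a host such as https://psc.example.invalid, and a pluggable transport so the request construction can be exercised offline. The one security-relevant detail worth copying is that every path segment is percent-encoded with safe="", so a feed_id or report_id taken from an untrusted source (a feed import, a user form) cannot contain "/" or ".." and steer the request onto a different route.

```python
"""Minimal Feed Manager client: request construction separated from I/O."""
import json
import urllib.error
import urllib.request
from typing import Callable, Optional, Tuple
from urllib.parse import quote, urlencode

# Transport signature: (method, url, headers, body) -> (status, response_bytes).
Transport = Callable[[str, str, dict, Optional[bytes]], Tuple[int, bytes]]


def urllib_transport(method: str, url: str, headers: dict, body: Optional[bytes]) -> Tuple[int, bytes]:
    """Real transport on top of urllib; returns the status even for 4xx/5xx."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class FeedManagerError(RuntimeError):
    """Raised for any status the endpoint table does not list as success."""


class FeedManagerClient:
    def __init__(self, psc_hostname: str, api_token: str, transport: Transport = urllib_transport):
        self.base = psc_hostname.rstrip("/") + "/threathunter/feedmgr"
        self.transport = transport
        # ASSUMPTION: the page does not document authentication; X-Auth-Token is
        # used here as a placeholder header name.
        self.headers = {"X-Auth-Token": api_token, "Content-Type": "application/json"}

    def url(self, *segments: str, **params: str) -> str:
        # safe="" encodes "/" as %2F, so a crafted id cannot escape its segment.
        path = "/".join(quote(s, safe="") for s in segments)
        full = f"{self.base}/{path}"
        return full + ("?" + urlencode(params) if params else "")

    def _call(self, method: str, url: str, body=None, expect=(200,)):
        data = None if body is None else json.dumps(body).encode()
        status, raw = self.transport(method, url, self.headers, data)
        if status not in expect:
            raise FeedManagerError(f"{method} {url} -> HTTP {status}: {raw[:200]!r}")
        return json.loads(raw) if raw else None   # 204 responses carry no body

    def healthcheck(self) -> bool:
        status, _ = self.transport("GET", self.url("healthcheck"), self.headers, None)
        return status == 204

    def list_feeds(self, include_public: bool = False) -> list:
        params = {"include_public": "true"} if include_public else {}
        return self._call("GET", self.url("v1", "feed", **params))["results"]

    def get_feed(self, feed_id: str) -> dict:
        return self._call("GET", self.url("v1", "feed", feed_id))

    def delete_feed(self, feed_id: str) -> None:
        self._call("DELETE", self.url("v1", "feed", feed_id), expect=(204,))

    def replace_reports(self, feed_id: str, reports: list) -> bool:
        body = {"reports": reports}
        return self._call("POST", self.url("v1", "feed", feed_id, "report"), body)["success"]

    def translate_query(self, legacy_query: str) -> str:
        return self._call("POST", self.url("v1", "query", "translate"), {"query": legacy_query})["query"]


if __name__ == "__main__":
    # Constructed hostname; replace with your PSC instance before running for real.
    client = FeedManagerClient("https://psc.example.invalid", "REPLACE_WITH_TOKEN")
    print("service reachable:", client.healthcheck())
```

Keeping the transport injectable means the URL and body construction can be unit-tested without network access, and swapping in a transport that logs status codes gives a cheap audit trail of which feeds were modified or deleted and when.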

Definitions

NOTE: fields with a * are required

FeedInfo

{"name": str*,
 "owner": str*,
 "provider_url": str*,
 "summary": str*,
 "category": str*,
 "access": str*,
 "id": str}

QueryIOC

{"index_type": str,
 "search_query": str*}

IOCs

{"md5": [str],
 "ipv4": [str],
 "ipv6": [str],
 "dns": [str],
 "query": [QueryIOC]}

IOC_V2

{"id": str*,
 "match_type": str*,
 "values": [str]*,
 "field": str,
 "link": str}

Report

{"id": str*,
 "timestamp": int*,
 "title": str*,
 "description": str*,
 "severity": int*,
 "link": str,
 "tags": [str],
 "iocs": IOCs,
 "iocs_v2": [IOC_V2],
 "visibility": str}

Feed

{"feedinfo": FeedInfo*,
 "reports": [Report]*}
Last modified on December 7, 2018